Bug 197

Summary: Support for passing credentials with all HTTP requests
Product: Orthanc
Reporter: Thibault Nélis <tn>
Component: Stone of Orthanc
Assignee: Sébastien Jodogne <s.jodogne>
Status: RESOLVED FIXED    
Severity: enhancement    
Priority: ---    
Version: unspecified   
Hardware: All   
OS: All   

Description Thibault Nélis 2021-03-24 17:54:05 CET
When embedding the viewer in some way or another, letting the parent application provide credentials for the viewer (for use with its own requests) may be necessary when the server performs access control.

Suggestion: Such concerns may arguably be out-of-scope for a viewer, in which case it might be easier and more flexible (especially given the wide variety of mechanisms used to provide credentials in HTTP) to allow the parent application to provide the fetch function or XMLHttpRequest constructor function (whichever is used eventually) during initialization of the viewer instead of the viewer using the global one. That way an application can hook into the process in any way it wants (including adding HTTP headers such as the Authorization header for credentials) in a way that is completely transparent and future-proof for the viewer.

Comment 1 Sébastien Jodogne 2021-05-10 11:55:42 CEST
This is implemented by the following changeset (will be part of the 2.0 release of the Stone Web viewer):
https://hg.orthanc-server.com/orthanc-stone/rev/28755e42c007

For instance, if the user opens the Stone Web viewer using the following URL:

http://.../index.html?study=<StudyInstanceUID1>&token=Hello

Then each request to the DICOMweb server will set the HTTP header: "Authorization: Bearer Hello".

Note that it is actually *not* possible to directly expose the XMLHttpRequest objects in JavaScript, as such objects are internally created by the C "Fetch" API of WebAssembly:
https://emscripten.org/docs/api_reference/fetch.html
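
Added example (not part of this thread and not Stone Web viewer code): a JavaScript sketch of the behaviour described in Comment 1, combined with the injectable fetch wrapper suggested in the description. The function names, the sample URLs and the same-origin restriction are assumptions made for illustration.

```javascript
// Added illustration; parseViewerUrl and makeAuthorizedFetch are hypothetical
// names, not functions of the Stone Web viewer.

// Read the "token" query parameter and derive the Authorization header.
// Also return the URL with the token removed, which a page could pass to
// history.replaceState() so the credential does not stay in the address bar.
function parseViewerUrl(href) {
  const url = new URL(href);
  const token = url.searchParams.get('token');
  url.searchParams.delete('token');
  return {
    study: url.searchParams.get('study'),
    headers: token ? { Authorization: 'Bearer ' + token } : {},
    urlWithoutToken: url.toString(),
  };
}

// Wrap a fetch-like function supplied by the parent application. The
// credentials are attached only when the request targets the origin of the
// DICOMweb server, so the token is not sent to any other host.
function makeAuthorizedFetch(baseFetch, authHeaders, dicomWebRoot) {
  const allowedOrigin = new URL(dicomWebRoot).origin;
  return function authorizedFetch(resource, init = {}) {
    const target = new URL(resource, dicomWebRoot);
    const headers = Object.assign({}, init.headers);
    if (target.origin === allowedOrigin) {
      Object.assign(headers, authHeaders);
    }
    return baseFetch(target.toString(), Object.assign({}, init, { headers }));
  };
}

// Constructed sample input: hosts, study UID and token are made up.
function demo() {
  const page = parseViewerUrl(
    'https://viewer.example/index.html?study=1.2.3.4&token=Hello');
  const echo = (url, init) => ({ url, headers: init.headers }); // stub fetch
  const authFetch = makeAuthorizedFetch(
    echo, page.headers, 'https://pacs.example/dicom-web/');
  return authFetch('studies/' + page.study + '/series');
}
```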