
Move access token out of URL

Description

Currently, the access_token (bearer token) is passed to the server as a URL query parameter. This isn't quite best practice as access/bearer tokens end up in the URL which intermediaries can grab.

These tokens instead should be placed in the HTTP header of each call:

Authorization: Bearer <access_token>

Acceptance criteria:

  • Bearer tokens (access tokens) are no longer in the URL as a query parameter, instead they are passed in the HTTP header.

Check that:

  • Headers are usable through Swagger in each service

  • UI does not send access token through URLs (except download in new window - PDFs)

  • Inter-service communication is still working
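
One way to verify the acceptance criteria from server access logs, as an added example that is not part of the original ticket or the project's code: it flags every logged request that still carries access_token in the query string, treats PDF downloads as the allowed exception, and masks the token in its output. The log format (combined style), the sample paths, and the rule that a PDF download is recognised by a .pdf path suffix are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Request line inside a combined-style access log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def is_pdf_download(path):
    # Assumption: the PDF-download exception is identifiable by a .pdf suffix.
    return path.lower().endswith(".pdf")

def redact(target):
    """Return the request target with any access_token value masked."""
    parts = urlsplit(target)
    pairs = [(k, "REDACTED" if k == "access_token" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts._replace(query=urlencode(pairs)).geturl()

def audit(log_lines):
    """Return (line_no, verdict, redacted_target) for each request that
    has access_token as a URL query parameter."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request entry
        target = m.group("target")
        parts = urlsplit(target)
        keys = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
        if "access_token" not in keys:
            continue  # token (if any) travelled in the Authorization header
        verdict = "allowed-pdf" if is_pdf_download(parts.path) else "violation"
        findings.append((n, verdict, redact(target)))
    return findings

# Constructed sample log lines (hypothetical paths, documentation IP range).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /api/orders?access_token=abc123&page=2 HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /api/orders?page=2 HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "GET /api/reports/42.pdf?access_token=abc123 HTTP/1.1" 200 9001',
    '192.0.2.10 - - [01/Jan/2024:10:00:03 +0000] "POST /api/users HTTP/1.1" 201 64',
]

if __name__ == "__main__":
    for line_no, verdict, target in audit(SAMPLE_LOG):
        print(f"line {line_no}: {verdict}: {target}")
```

The same check can run against the logs of any proxy or gateway in front of the services, since those are the intermediaries where a URL-borne token would be recorded.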

Environment

None

Status

Assignee

Paweł Gesek

Reporter

Josh Zamor

Labels

None

Story Points

5

Time tracking

16h

Components

Sprint

None

Fix versions

Priority

Critical