Add copy to clipboard buttons to display token page

[vojtechszocs]

This PR modifies the token display page for quicker access to token data.

• HTTP GET now renders the tokenTemplate directly, i.e. without HTTP POST "Display Token" form submit.
• Each snippet now includes a "Show" and "Copy" button.

Click "Show" to reveal the snippet. Click "Copy" to copy the snippet to clipboard.

JavaScript code is using standard Clipboard API which should be supported by all modern browsers.

[spadgett]

/lgtm

Thanks @vojtechszocs 👍

/hold
for @everettraven to review

[vojtechszocs]

/retest

[everettraven]

This seems fine to me. I don't think I have approval permissions. Will likely need @ibihim for approval.

/lgtm

[ibihim]

Maybe this is my old school JS, but isn't it better to have something like this namespaced approach:

  var openshift = openshift || {};
  openshift.commands = openshift.commands || {};
  openshift.commands.login = '...';
  openshift.commands.apiCall = '...';

or a IIFE that is completely isolated?

[vojtechszocs]

Before this PR, the token request page had no JavaScript so I'm not sure if using the openshift variable to namespace the commands is really needed.

I wanted to keep the changes at minimum so I went with a single commands variable to hold the strings to copy.

var commands = { foo: 'x' };

is functionally the same as

var commands = {};
commands.foo = 'x';

As for IIFE, these are typically used to avoid pollution of the global object namespace but I don't think we need them in our case.

The idea is to define some global object to store the strings to be referenced by the copy button's onclick handler.

[ibihim]

I still think that it is always worth to introduce best practices, but nevertheless, this isn't a thing that I would keep blocking the PR.

[ibihim]

Shouldn't we add some feedback for the user, like changing the button text to "Copied!" or so?

[vojtechszocs]

This would add more complexity, which is something I wanted to avoid.

The page template is missing standard HTML structure, including <!doctype html>, <head>, <body> etc. which cause browsers to render this page it in "quirks" mode.

I could try to add some custom-styled "Copied!" feedback text upon clicking the button, but do we really need it?

[ibihim]

Implemented.

[ibihim]

https://developer.mozilla.org/en-US/docs/Web/API/Clipboard/writeText

Isn't it best practice to handle the error somehow?

[vojtechszocs]

We just call the clipboard.writeText function without handling the resulting Promise.

This function is async and resolves when the clipboard's contents have been updated. If we had a "Copied!" feedback text implemented, we'd be handing the Promise, but currently we don't need that.

I'm not sure we need an explicit error handler here, unless we want to implement the feedback text, could be something like "Failed to copy the snippet to clipboard, see browser logs for details" or similar.

In practice, clipboard.writeText function could fail if the page was forbidden to copy text to clipboard via setting page permissions, e.g. for Chromium based browsers [1]:

Writing requires either the clipboard-write permission or transient activation.

[1] https://developer.mozilla.org/en-US/docs/Web/API/Clipboard_API#security_considerations

[spadgett]

@vojtechszocs Maybe just throw up an alert on an error? Something like...? "Copy to clipboard failed. Select the content to copy it manually."

In practice, I'd expect clipboard write to almost never fail.

[ibihim]

Implemented

[openshift-ci]

New changes are detected. LGTM label has been removed.

[openshift-ci]

@vojtechszocs: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[ibihim]

I wish there would have been a more detailed explanation why it is fine to get rid of the intermediate CSRF step, but after bouncing my head for an hour on this topic, the worst thing I could imagine is that a disgruntled Alice could sneak in her tokens on your page.

[ibihim]

I will approve once @everettraven lgtm'ed it... or @liouk

[everettraven]

I'm concerned about us making a breaking change to the acceptable requests here - because it is out there, and has been out there for a while, I would not be surprised if there is some kind of end user workflow that depends on sending a properly formed POST request to display the token.

Additionally, do we have any kind of testing in place for UX/UI related changes we can update / put in place here?

If there is not existing testing infrastructure here it isn't the end of the world, but if it exists we should make sure the UX changes are appropriately tested.

[everettraven]

This seems like a breaking change - is there a particular reason we are making this change?

[spadgett]

We can't remove this. This was there to prevent cross-site request forgery.

/hold

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: everettraven, vojtechszocs
Once this PR has been reviewed and has the lgtm label, please assign deads2k for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment