Refresh session without recreating the editor

[pacitu]

We are integrating only office with our micro-service app and hence all calls go thorough our gateway and have to be authenticated ( there is also multi-tenancy ). Since our frontend uses session cookies we can't use that when receiving calls from only office, instead we generate a token and add it to the urls we pass in the only office config ( i.e callbackUrl: "https://app/notify?access_token=xyz" ). So this token is valid for some time and we need to be able to refresh it when its about to expire.

My question is it possible to do that without recreating the editor with new configuration, basically it boils down to replacing the editorConfig.callbackUrl and document.url at runtime. If not what is the recommended why to work through a gateway reverse proxy with authentication?

My current best solution is a blocking pop-up that the session is about to expire and then recreating the editor with fresh configuration, but if we can do it behind the scenes would be superb.

[pacitu]

Another question from my side, as we generate keys and they are used for caching on the side of only office. Whats the appropriate algorithms for key generation, as we want a tenant to never see files from other tenants and also to be able to open for editing previous versions of files. Currently we're going with sip hash as 64 bit hash function which can produce smaller than 20 symbols hashes for that purpose. And as we want to be able to open previous file versions for editing we are forced to change the hashes for older versions as soon as a new version pops up, so we use the tenantId, the document MD5 hash and the latest available version as params to generate key, but I feel this is more complicated than it should be.

Any suggestions on how is this done better?

[Maxim]

Hello pacitu!

Any suggestions on how is this done better?

"The document url can be used as the key but without the special characters and the length is limited to 20 symbols." this is our requirement. You can generate key combining tenantId, document MD5 hash and the latest available version and this hash will be unique.

without recreating the editor with new configuration

As to this i can say that it is not good idea. Call to callback can be for a long time, so the temporary link is not suitable. Limited by the authorization key in the link, too, may not be safe enough, because the link is passed through the client's browser.
We suggest to use handler without your authorization, but using JWT signature verification