Description
Right now when an app is launched on Puter, it may get an "app under user" token (a token authenticating the client-side Puter app running in a specific user's session). If the app was opened with files, /sign will provide the readURL and writeURL strings for each of the files as well as the app under user token; otherwise, /auth/get-user-app-token will be called to get the token.
Having multiple endpoints to obtain a token is not ideal for the following reasons:
- violates DRY principle, causing unnecessary maintenance burden
- is a security liability, because attack surface is larger
Apps should always get tokens from AuthService's API endpoint at /auth/get-user-app-token. /sign should only sign files/directories. These should be requested concurrently to avoid multiplying round-trip latency during app opens.
launch_app is implemented here. This gets called directly in some places in the code for "gui" (Puter's desktop), or by the launchApp method of ExecService. ExecService registers an IPC handler for IPC.js so it's usually invoked because of a cross-document message from puter.ui.launchApp() in puter.js.
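A sketch of the launch flow proposed above, added here as an example and not taken from Puter's code: the token is requested only from /auth/get-user-app-token, /sign is used only for file signatures, and both requests are in flight at the same time. The helper names, the stub backend, and the request and response field names (`app_uid`, `items`, `signatures`, `token`) are assumptions.

```javascript
// Added illustration, not Puter source. Request/response field names
// (app_uid, items, signatures, token) are assumptions made for this sketch.
const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Constructed stand-in for the backend: records calls and concurrent requests.
function makeStubBackend(latencyMs) {
  const stats = { calls: [], inFlight: 0, maxInFlight: 0 };
  const post = async (path, body) => {
    stats.calls.push(path);
    stats.maxInFlight = Math.max(stats.maxInFlight, ++stats.inFlight);
    await sleep(latencyMs); // simulated round trip
    stats.inFlight--;
    if (path === '/auth/get-user-app-token') return { token: 'constructed-token' };
    if (path === '/sign') {
      // In the proposed design /sign returns signatures only, never a token.
      return { signatures: body.items.map((item) => ({
        path: item.path, readURL: `signed-read:${item.path}`, writeURL: `signed-write:${item.path}`,
      })) };
    }
    throw new Error(`unexpected endpoint ${path}`);
  };
  return { post, stats };
}

// Hypothetical helper: collect everything an app launch needs.
async function getLaunchCredentials(post, appUid, filePaths) {
  // Start both requests before awaiting either, so latency is not multiplied.
  const tokenRequest = post('/auth/get-user-app-token', { app_uid: appUid });
  const signRequest = filePaths.length > 0
    ? post('/sign', { app_uid: appUid, items: filePaths.map((path) => ({ path })) })
    : Promise.resolve({ signatures: [] }); // no files: /sign is not called at all
  const [tokenResponse, signResponse] = await Promise.all([tokenRequest, signRequest]);
  if (typeof tokenResponse.token !== 'string') throw new Error('no token from AuthService');
  // Single source of truth: only the AuthService response supplies the token.
  return { token: tokenResponse.token, files: signResponse.signatures };
}

// Runs the flow against the stub with constructed inputs.
async function demo(filePaths) {
  const backend = makeStubBackend(20);
  const creds = await getLaunchCredentials(backend.post, 'app-constructed', filePaths);
  return { creds, stats: backend.stats };
}
```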