From 4e689233a5177f2ab181e2f80bf038ce1d58874b Mon Sep 17 00:00:00 2001
From: Jakob Ackermann
Date: Wed, 7 Feb 2024 08:59:32 +0000
Subject: [PATCH] Merge pull request #16956 from overleaf/jpa-anon-access-token [web] read anonymous access token header from joinProject endpoint only

GitOrigin-RevId: 4f8f60c23dc93cc2b02a429bd5492d8a931ae284
---
 .../web/app/src/Features/Editor/EditorHttpController.js | 3 +--
 .../web/app/src/Features/TokenAccess/TokenAccessHandler.js | 7 +++----
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/services/web/app/src/Features/Editor/EditorHttpController.js b/services/web/app/src/Features/Editor/EditorHttpController.js
index 1ad5ebbd08..2fb9e354af 100644
--- a/services/web/app/src/Features/Editor/EditorHttpController.js
+++ b/services/web/app/src/Features/Editor/EditorHttpController.js
@@ -8,7 +8,6 @@ const CollaboratorsGetter = require('../Collaborators/CollaboratorsGetter')
 const CollaboratorsInviteHandler = require('../Collaborators/CollaboratorsInviteHandler')
 const CollaboratorsHandler = require('../Collaborators/CollaboratorsHandler')
 const PrivilegeLevels = require('../Authorization/PrivilegeLevels')
-const TokenAccessHandler = require('../TokenAccess/TokenAccessHandler')
 const SessionManager = require('../Authentication/SessionManager')
 const Errors = require('../Errors/Errors')
 const DocstoreManager = require('../Docstore/DocstoreManager')
@@ -178,7 +177,7 @@ async function _buildJoinProjectView(req, projectId, userId) {
     await CollaboratorsGetter.promises.getInvitedMembersWithPrivilegeLevels(
       projectId
     )
-  const token = TokenAccessHandler.getRequestToken(req, projectId)
+  const token = req.headers['x-sl-anonymous-access-token']
   const privilegeLevel =
     await AuthorizationManager.promises.getPrivilegeLevelForProject(
       userId,
diff --git a/services/web/app/src/Features/TokenAccess/TokenAccessHandler.js b/services/web/app/src/Features/TokenAccess/TokenAccessHandler.js
index 23477c3614..a1d54afd0c 100644
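Review bot: The added line passes `req.headers['x-sl-anonymous-access-token']` to `getPrivilegeLevelForProject` exactly as the client sent it, with no shape check and no comment saying this is the one place the header is trusted, whereas the removed line went through `TokenAccessHandler.getRequestToken`. Node joins a repeated custom header into a single comma-separated string, so a request carrying the header twice yields `"tokA, tokB"` rather than either value; unless the downstream lookup already rejects malformed tokens (not visible here), a guard on the new line such as `const token = typeof raw === 'string' && !raw.includes(',') ? raw : undefined` (with `raw` read from the header) would bound what reaches the authorization path. Note also that this hunk drops the session-side `anonTokenAccess` lookup for joinProject entirely, so a client that established access through the session but does not resend the header presumably no longer gets it — worth a one-line comment above the new line: `// Client-controlled; joinProject is the only endpoint that honours this header (PR #16956).` `_buildJoinProjectView` starts before this hunk and continues after it.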
--- a/services/web/app/src/Features/TokenAccess/TokenAccessHandler.js
+++ b/services/web/app/src/Features/TokenAccess/TokenAccessHandler.js
@@ -213,10 +213,9 @@ const TokenAccessHandler = {
 
   getRequestToken(req, projectId) {
     const token =
-      (req.session &&
-        req.session.anonTokenAccess &&
-        req.session.anonTokenAccess[projectId.toString()]) ||
-      req.headers['x-sl-anonymous-access-token']
+      req.session &&
+      req.session.anonTokenAccess &&
+      req.session.anonTokenAccess[projectId.toString()]
     return token
   },
 
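Review bot: After this hunk `getRequestToken` consults only `req.session.anonTokenAccess`, yet its name and its `req` parameter still suggest it reads the request, and nothing records that the header fallback was removed on purpose, which invites someone to re-add it. A JSDoc above the method would pin the intent: `/** Anonymous access token for projectId as stored in the session (presumably by the token-access flow); the x-sl-anonymous-access-token header is deliberately NOT consulted here — joinProject reads it directly. Returns undefined when no session or no entry. */`. As a matter of style, the three `&&` lines and the `token` local collapse to `return req.session?.anonTokenAccess?.[projectId.toString()]` if the project's lint config permits optional chaining. `projectId.toString()` still throws on a missing projectId, which the commit leaves as it was. The `TokenAccessHandler` object literal begins before this hunk and continues after it.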