Experience Workspace

[hannessolo]

https://ew--da-live--adobe.aem.live/drafts/hhertach/canvas?nx=ew-shell#/hannessolo/author-kit/demo

adobe/da-nx#428

[aem-code-sync]

Hello, I'm the AEM Code Sync Bot and I will run some actions to deploy your branch.
In case there are problems, just click the checkbox below to rerun the respective action.

• Re-sync branch

Commits

• b4f0aea ✅ (latest)
• 90402e2 ✅
• 47dddb7 ✅
• 59f0849 ✅
• 483cf30 ✅
• cdb3ea5 ✅
• 9d380d3 ✅
• 1118c3e ✅
• 9e5cdc7 ✅
• 9225552 ✅
• 9abda74 ✅
• 4a2316f ✅
• 2aec05e ✅
• 33686c3 ✅
• 0910640 ✅
• 1cbd4ec ✅
• 91aead2 ✅
• 4f864e0 ✅
• da7975a ✅
• 58d0fad ✅
• cc67e27 ✅
• 2b6a6a1 ✅
• 9cf9ae8 ✅

[mhaack]

Code review

Found 2 issues:

1. No WebSocket auth-failure handler for 4401/4403 in canvas prose.js — the new WebsocketProvider is created with no connection-close listener. PRs Refresh stale IMS access token on collab WebSocket auth failures #937 and fix: block y-websocket auto-reconnect during async IMS refresh #943 landed exactly this fix in blocks/edit/prose/index.js: stop auto-reconnect (shouldConnect = false) and refresh the IMS token on a 4401 close code, bail entirely on 4403. Without it, an expired token during a canvas editing session will silently enter an infinite reconnect loop with no user feedback or recovery.

da-live/blocks/canvas/ew-editor-doc/prose.js

Lines 84 to 96 in 90402e2

	if (typeof getToken === 'function') {
	const t = getToken();
	if (t) wsOpts.params = { Authorization: `Bearer ${t}` };
	}
	const canWrite = permissions.some((permission) => permission === 'write');
	const wsProvider = new WebsocketProvider(server, roomName, ydoc, wsOpts);
	wsProvider.maxBackoffTime = 30000;
	addSyncedListener(wsProvider, canWrite, setEditable);
	registerErrorHandler(ydoc);

2. IMS access token sent to extension iframes with targetOrigin = '*' — iframe-protocol.js posts { ready: true, project, context: project, token } using '*' as the target origin. Any page that ends up loaded in that iframe position (including one navigated to a different origin) will receive the bearer token. The WYSIWYG iframe path in the same PR correctly derives the origin via new URL(iframe.src).origin and uses that instead.

da-live/blocks/canvas/ew-panel-extensions/iframe-protocol.js

Lines 77 to 84 in 90402e2

	if (!iframe.contentWindow) return;
	iframe.contentWindow.postMessage(
	{ ready: true, project, context: project, token },
	'*',
	[channel.port2],
	);
	}, 750);

🤖 Generated with Claude Code

_{- If this code review was useful, please react with 👍. Otherwise, react with 👎.}

[mhaack]

Next to the Claude review comment this LGTM, lets get the V1 in.

[mhaack]

Isn't this something we can reuse from the todays editor?

[hannessolo]

Re: claude review:

Issue 1 is fixed.

Issue 2 we won't fix here, as it's also an issue with the "old" editor's extension loading implementation.