From 27e0e1670741877d9591cbd9ad692775474c6da2 Mon Sep 17 00:00:00 2001
From: richard-dds <richard-ctr@friends.dds.mil>
Date: Mon, 19 Aug 2019 16:28:49 -0400
Subject: [PATCH] Require auth on upload-token

---
 atst/domain/auth.py            | 1 -
 atst/routes/task_orders/new.py | 1 -
 js/components/upload_input.js  | 2 +-
 3 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/atst/domain/auth.py b/atst/domain/auth.py
index 0f216c5f..0f99af09 100644
--- a/atst/domain/auth.py
+++ b/atst/domain/auth.py
@@ -13,7 +13,6 @@ UNPROTECTED_ROUTES = [
     "atst.helpdocs",
     "static",
     "atst.about",
-    "atst.upload_token",
 ]
 
 
diff --git a/atst/routes/task_orders/new.py b/atst/routes/task_orders/new.py
index 0bb14e9e..2ea48a41 100644
--- a/atst/routes/task_orders/new.py
+++ b/atst/routes/task_orders/new.py
@@ -4,7 +4,6 @@ from flask import (
     render_template,
     request as http_request,
     url_for,
-    current_app,
 )
 
 from . import task_orders_bp
diff --git a/js/components/upload_input.js b/js/components/upload_input.js
index 530d3e59..3f443353 100644
--- a/js/components/upload_input.js
+++ b/js/components/upload_input.js
@@ -104,7 +104,7 @@ export default {
       this.sizeError = false
     },
     getUploader: async function() {
-      return fetch('/upload-token')
+      return fetch('/upload-token', { credentials: "include" })
         .then(response => response.json())
         .then(({ token }) => buildUploader(token))
     },