@api-client/core 0.18.12 → 0.18.13

package/src/runtime/http-engine/connections/DigestAuthHandler.ts

@@ -0,0 +1,238 @@
+import crypto from 'node:crypto'
+import { type Logger, type ILogObj } from '../../../lib/logging/index.js'
+
+export interface DigestChallenge {
+  realm: string
+  nonce: string
+  qop?: string
+  algorithm?: string
+  opaque?: string
+  stale?: string
+  domain?: string
+}
+
+export interface DigestResponse {
+  username: string
+  realm: string
+  nonce: string
+  uri: string
+  response: string
+  qop?: string
+  nc?: string
+  cnonce?: string
+  algorithm?: string
+  opaque?: string
+}
+
+/**
+ * Handles HTTP Digest authentication according to RFC 2617
+ */
+export class DigestAuthHandler {
+  private logger: Logger<ILogObj>
+  private username: string
+  private password: string
+  private nc = 1
+  private cnonce: string
+
+  constructor(username: string, password: string, logger: Logger<ILogObj>) {
+    this.username = username
+    this.password = password
+    this.logger = logger
+    this.cnonce = this.generateCnonce()
+  }
+
+  /**
+   * Parse a WWW-Authenticate or Proxy-Authenticate header
+   */
+  parseChallenge(authenticateHeader: string): DigestChallenge {
+    const challenge: DigestChallenge = { realm: '', nonce: '' }
+
+    // Extract the method (Digest)
+    const methodMatch = authenticateHeader.match(/^(\w+)/)
+    if (!methodMatch || methodMatch[1].toLowerCase() !== 'digest') {
+      throw new Error('Not a Digest authentication challenge')
+    }
+
+    // Parse key-value pairs (both quoted and unquoted)
+    const paramRegex = /(\w+)=(?:"([^"]*)"|([^,\s]+))/g
+    let match
+    while ((match = paramRegex.exec(authenticateHeader)) !== null) {
+      const [, key, quotedValue, unquotedValue] = match
+      const value = quotedValue !== undefined ? quotedValue : unquotedValue
+
+      switch (key.toLowerCase()) {
+        case 'realm':
+          challenge.realm = value
+          break
+        case 'nonce':
+          challenge.nonce = value
+          break
+        case 'qop':
+          challenge.qop = value
+          break
+        case 'algorithm':
+          challenge.algorithm = value
+          break
+        case 'opaque':
+          challenge.opaque = value
+          break
+        case 'stale':
+          challenge.stale = value
+          break
+        case 'domain':
+          challenge.domain = value
+          break
+      }
+    }
+
+    // Validate required fields
+    if (!challenge.realm || !challenge.nonce) {
+      throw new Error('Invalid Digest challenge: missing realm or nonce')
+    }
+
+    this.logger.debug('Parsed Digest challenge:', challenge)
+    return challenge
+  }
+
+  /**
+   * Generate a Digest authentication response
+   */
+  generateResponse(challenge: DigestChallenge, method: string, uri: string): string {
+    const algorithm = challenge.algorithm?.toLowerCase() || 'md5'
+    const qop = challenge.qop?.toLowerCase()
+
+    // Generate HA1 = MD5(username:realm:password)
+    const ha1 = this.calculateHA1(challenge.realm, algorithm)
+
+    // Generate HA2 = MD5(method:uri)
+    const ha2 = this.calculateHA2(method, uri, algorithm)
+
+    let response: string
+
+    if (qop) {
+      // With quality of protection
+      const nc = this.formatNC(this.nc)
+      const cnonce = this.cnonce
+
+      if (qop === 'auth') {
+        // response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
+        const responseInput = `${ha1}:${challenge.nonce}:${nc}:${cnonce}:${qop}:${ha2}`
+        response = crypto.createHash(algorithm).update(responseInput).digest('hex')
+      } else {
+        throw new Error(`Unsupported qop value: ${qop}`)
+      }
+    } else {
+      // Without quality of protection
+      // response = MD5(HA1:nonce:HA2)
+      const responseInput = `${ha1}:${challenge.nonce}:${ha2}`
+      response = crypto.createHash(algorithm).update(responseInput).digest('hex')
+    }
+
+    // Build the response header
+    const responseParams: DigestResponse = {
+      username: this.username,
+      realm: challenge.realm,
+      nonce: challenge.nonce,
+      uri,
+      response,
+    }
+
+    if (challenge.algorithm) {
+      responseParams.algorithm = challenge.algorithm
+    }
+
+    if (challenge.opaque) {
+      responseParams.opaque = challenge.opaque
+    }
+
+    if (qop) {
+      responseParams.qop = qop
+      responseParams.nc = this.formatNC(this.nc)
+      responseParams.cnonce = this.cnonce
+    }
+
+    const responseHeader = this.buildResponseHeader(responseParams)
+    this.logger.debug('Generated Digest response:', responseHeader)
+
+    // Increment nonce count for next request
+    this.nc++
+
+    return responseHeader
+  }
+
+  /**
+   * Calculate HA1 = MD5(username:realm:password)
+   */
+  private calculateHA1(realm: string, algorithm: string): string {
+    const input = `${this.username}:${realm}:${this.password}`
+    return crypto.createHash(algorithm).update(input).digest('hex')
+  }
+
+  /**
+   * Calculate HA2 = MD5(method:uri)
+   */
+  private calculateHA2(method: string, uri: string, algorithm: string): string {
+    const input = `${method}:${uri}`
+    return crypto.createHash(algorithm).update(input).digest('hex')
+  }
+
+  /**
+   * Generate a client nonce
+   */
+  private generateCnonce(): string {
+    return crypto.randomBytes(16).toString('hex')
+  }
+
+  /**
+   * Format nonce count as 8-digit hex string
+   */
+  private formatNC(nc: number): string {
+    return nc.toString(16).padStart(8, '0')
+  }
+
+  /**
+   * Build the Authorization header string
+   */
+  private buildResponseHeader(params: DigestResponse): string {
+    const parts: string[] = ['Digest']
+
+    // Add required parameters
+    parts.push(`username="${params.username}"`)
+    parts.push(`realm="${params.realm}"`)
+    parts.push(`nonce="${params.nonce}"`)
+    parts.push(`uri="${params.uri}"`)
+    parts.push(`response="${params.response}"`)
+
+    // Add optional parameters
+    if (params.algorithm) {
+      parts.push(`algorithm="${params.algorithm}"`)
+    }
+
+    if (params.opaque) {
+      parts.push(`opaque="${params.opaque}"`)
+    }
+
+    if (params.qop) {
+      parts.push(`qop="${params.qop}"`)
+      parts.push(`nc="${params.nc}"`)
+      parts.push(`cnonce="${params.cnonce}"`)
+    }
+
+    return parts.join(', ')
+  }
+
+  /**
+   * Reset the nonce count (useful for new sessions)
+   */
+  reset(): void {
+    this.nc = 1
+    this.cnonce = this.generateCnonce()
+  }
+
+  /**
+   * Check if a challenge is stale
+   */
+  isStale(challenge: DigestChallenge): boolean {
+    return challenge.stale === 'true'
+  }
+}

package/src/runtime/http-engine/connections/DirectConnection.ts

@@ -0,0 +1,134 @@
+import net from 'net'
+import tls from 'tls'
+import { ConnectionOptions } from './ConnectionManager.js'
+import type { HttpCertificate } from '../../../models/ClientCertificate.js'
+import { addClientCertificate, checkServerIdentity } from '../certificates/index.js'
+import { type Logger, type ILogObj } from '../../../lib/logging/index.js'
+import type { RequestStats } from '../CoreEngine.js'
+
+/**
+ * Handles direct HTTP and HTTPS connections
+ */
+export class DirectConnection {
+  private options: ConnectionOptions
+
+  constructor(options: ConnectionOptions) {
+    this.options = options
+  }
+
+  /**
+   * Establish a connection to the target host
+   */
+  async connect(): Promise<net.Socket> {
+    const { host, port, timeout, validateCertificates, certificates, logger, stats } = this.options
+
+    let socket: net.Socket
+    // Check if this is an HTTPS connection based on port or protocol
+    const isHttps = port === 443 || port === 8443 || this.options.protocol === 'https:'
+    if (isHttps) {
+      socket = await this.createTlsConnection(host, port, validateCertificates, certificates, logger, stats)
+    } else {
+      socket = await this.createTcpConnection(host, port, logger, stats)
+    }
+
+    if (timeout && timeout > 0) {
+      socket.setTimeout(timeout)
+    }
+
+    return socket
+  }
+
+  /**
+   * Create a TCP connection for HTTP
+   */
+  private createTcpConnection(
+    host: string,
+    port: number,
+    logger: Logger<ILogObj>,
+    stats: RequestStats
+  ): Promise<net.Socket> {
+    logger.debug(`Opening HTTP connection to ${host} on port ${port}`)
+    return new Promise((resolve, reject) => {
+      stats.connectionTime = Date.now()
+      const isIp = net.isIP(host)
+      if (isIp) {
+        stats.lookupTime = Date.now()
+      }
+
+      const client = net.createConnection(port, host, () => {
+        stats.connectedTime = Date.now()
+        logger.debug('HTTP connection established.')
+        resolve(client)
+      })
+
+      client.pause()
+      if (!isIp) {
+        client.once('lookup', () => {
+          stats.lookupTime = Date.now()
+        })
+      }
+      client.once('error', (err: Error) => reject(err))
+    })
+  }
+
+  /**
+   * Create a TLS connection for HTTPS
+   */
+  private createTlsConnection(
+    host: string,
+    port: number,
+    validateCertificates: boolean | undefined,
+    certificates: HttpCertificate[] | undefined,
+    logger: Logger<ILogObj>,
+    stats: RequestStats
+  ): Promise<tls.TLSSocket> {
+    logger.debug('Opening an SSL connection...')
+    const options: tls.ConnectionOptions = {}
+    const isIp = net.isIP(host)
+
+    if (!isIp) {
+      options.servername = host
+    }
+
+    if (validateCertificates) {
+      options.checkServerIdentity = (hostname: string, cert: tls.PeerCertificate) => checkServerIdentity(hostname, cert)
+    } else {
+      options.rejectUnauthorized = false
+      options.checkServerIdentity = (): Error | undefined => {
+        return undefined
+      }
+    }
+
+    // Add client certificates if provided
+    if (Array.isArray(certificates)) {
+      certificates.forEach((cert) => addClientCertificate(cert, options))
+    }
+
+    return new Promise((resolve, reject) => {
+      const time = Date.now()
+      stats.connectionTime = time
+      if (isIp) {
+        stats.lookupTime = time
+      }
+
+      const client = tls.connect(port, host, options, () => {
+        logger.debug('SSL connection established.')
+        const connectTime = Date.now()
+        stats.connectedTime = connectTime
+        stats.secureStartTime = connectTime
+        resolve(client)
+      })
+
+      client.pause()
+      client.once('error', (e: Error) => reject(e))
+      if (!isIp) {
+        client.once('lookup', () => {
+          stats.lookupTime = Date.now()
+        })
+      }
+      client.once('secureConnect', () => {
+        stats.secureConnectedTime = Date.now()
+      })
+    })
+  }
+}

package/src/runtime/http-engine/connections/ProxyAuthHandler.ts

@@ -0,0 +1,179 @@
+import { SerializableError } from '../../../models/SerializableError.js'
+import { type Logger, type ILogObj } from '../../../lib/logging/index.js'
+import { DigestAuthHandler } from './DigestAuthHandler.js'
+
+export interface ProxyAuthOptions {
+  proxyUsername?: string
+  proxyPassword?: string
+  /**
+   * The type of proxy authentication to use.
+   */
+  proxyAuthorization?: 'Basic'
+  logger: Logger<ILogObj>
+}
+
+export interface ProxyAuthChallenge {
+  method: string
+  realm?: string
+  nonce?: string
+  qop?: string
+  algorithm?: string
+}
+
+/**
+ * Handles proxy authentication challenges and responses
+ */
+export class ProxyAuthHandler {
+  private options: ProxyAuthOptions
+  private authState: 'none' | 'challenged' | 'authenticated' = 'none'
+  private challenge?: ProxyAuthChallenge
+  private digestHandler?: DigestAuthHandler
+
+  constructor(options: ProxyAuthOptions) {
+    this.options = options
+    if (options.proxyUsername && options.proxyPassword) {
+      this.digestHandler = new DigestAuthHandler(options.proxyUsername, options.proxyPassword, options.logger)
+    }
+  }
+
+  /**
+   * Check if we have proxy credentials configured
+   */
+  hasCredentials(): boolean {
+    const { proxyUsername, proxyPassword, proxyAuthorization } = this.options
+    return !!(proxyUsername && proxyPassword) || !!proxyAuthorization
+  }
+
+  /**
+   * Generate the initial proxy authorization header
+   */
+  generateAuthHeader(): string | undefined {
+    const { proxyUsername, proxyPassword, proxyAuthorization } = this.options
+
+    if (!proxyUsername || !proxyPassword) {
+      return undefined
+    }
+
+    if (!proxyAuthorization || proxyAuthorization === 'Basic') {
+      // Basic authentication
+      const token = Buffer.from(`${proxyUsername}:${proxyPassword}`).toString('base64')
+      return `Basic ${token}`
+    }
+
+    if (proxyAuthorization === 'Digest') {
+      // For Digest auth, we need a challenge first
+      if (this.authState === 'none') {
+        // Initial request without auth header
+        return undefined
+      }
+      return this.generateDigestResponse()
+    }
+
+    throw new SerializableError(`Unsupported proxy authorization type: ${proxyAuthorization}`)
+  }
+
+  /**
+   * Handle a proxy authentication challenge
+   */
+  handleChallenge(authenticateHeader: string): string | undefined {
+    this.authState = 'challenged'
+    this.challenge = this.parseChallenge(authenticateHeader)
+    this.options.logger.debug('Received proxy authentication challenge:', this.challenge)
+
+    if (this.challenge?.method === 'Basic') {
+      // For Basic auth, we can respond immediately
+      return this.generateAuthHeader()
+    } else if (this.challenge?.method === 'Digest') {
+      // For Digest auth, we need to generate a proper response
+      return this.generateDigestResponse()
+    }
+
+    throw new SerializableError(`Unsupported proxy authentication method: ${this.challenge?.method}`)
+  }
+
+  /**
+   * Parse the WWW-Authenticate or Proxy-Authenticate header
+   */
+  private parseChallenge(authenticateHeader: string): ProxyAuthChallenge {
+    const challenge: ProxyAuthChallenge = { method: '' }
+
+    // Extract the method (Basic, Digest, etc.)
+    const methodMatch = authenticateHeader.match(/^(\w+)/)
+    if (methodMatch) {
+      challenge.method = methodMatch[1]
+    }
+
+    // Parse key-value pairs
+    const paramRegex = /(\w+)="([^"]*)"/g
+    let match
+    while ((match = paramRegex.exec(authenticateHeader)) !== null) {
+      const [, key, value] = match
+      switch (key.toLowerCase()) {
+        case 'realm':
+          challenge.realm = value
+          break
+        case 'nonce':
+          challenge.nonce = value
+          break
+        case 'qop':
+          challenge.qop = value
+          break
+        case 'algorithm':
+          challenge.algorithm = value
+          break
+      }
+    }
+
+    return challenge
+  }
+
+  /**
+   * Generate a Digest authentication response
+   */
+  private generateDigestResponse(): string | undefined {
+    if (!this.digestHandler || !this.challenge) {
+      return undefined
+    }
+
+    try {
+      // Parse the full Digest challenge
+      const digestChallenge = this.digestHandler.parseChallenge(
+        `Digest realm="${this.challenge.realm}", nonce="${this.challenge.nonce}"${
+          this.challenge.qop ? `, qop="${this.challenge.qop}"` : ''
+        }${this.challenge.algorithm ? `, algorithm="${this.challenge.algorithm}"` : ''}`
+      )
+
+      // Generate the response for CONNECT method
+      const response = this.digestHandler.generateResponse(digestChallenge, 'CONNECT', '/')
+      return response
+    } catch (error) {
+      this.options.logger.error('Failed to generate Digest response:', error)
+      throw new SerializableError(`Digest authentication failed: ${(error as Error).message}`, 127)
+    }
+  }
+
+  /**
+   * Check if authentication was successful
+   */
+  isAuthenticated(): boolean {
+    return this.authState === 'authenticated'
+  }
+
+  /**
+   * Mark authentication as successful
+   */
+  markAuthenticated(): void {
+    this.authState = 'authenticated'
+  }
+
+  /**
+   * Reset authentication state
+   */
+  reset(): void {
+    this.authState = 'none'
+    this.challenge = undefined
+    if (this.digestHandler) {
+      this.digestHandler.reset()
+    }
+  }
+}

package/src/runtime/http-engine/connections/ProxyConnection.ts

@@ -0,0 +1,55 @@
+import net from 'net'
+import { URL } from 'url'
+import { ProxyConnectionOptions } from './ConnectionManager.js'
+import { DirectConnection } from './DirectConnection.js'
+import { SerializableError } from '../../../models/SerializableError.js'
+
+/**
+ * Handles HTTP requests through a proxy server
+ */
+export class ProxyConnection {
+  private options: ProxyConnectionOptions
+
+  constructor(options: ProxyConnectionOptions) {
+    this.options = options
+  }
+
+  /**
+   * Establish a connection to the proxy server
+   */
+  async connect(): Promise<net.Socket> {
+    const { proxy, proxyIsSsl, logger } = this.options
+
+    logger.debug('Proxying an HTTP request...')
+
+    if (!proxy) {
+      throw new Error('No proxy configuration found.')
+    }
+
+    let proxyUrl = proxy
+    if (proxyIsSsl && !proxyUrl.startsWith('https:')) {
+      proxyUrl = `https://${proxyUrl}`
+    } else if (!proxyIsSsl && !proxyUrl.startsWith('http:')) {
+      proxyUrl = `http://${proxyUrl}`
+    }
+
+    const proxyUri = new URL(proxyUrl)
+    const port = Number(proxyUri.port || (proxyIsSsl ? 443 : 80))
+    const host = proxyUri.hostname
+
+    // Create a direct connection to the proxy
+    const directConnection = new DirectConnection({
+      ...this.options,
+      host,
+      port,
+      protocol: proxyIsSsl ? 'https:' : 'http:',
+    })
+
+    try {
+      return await directConnection.connect()
+    } catch (error) {
+      const err = error as Error & { code?: string }
+      throw new SerializableError(`Failed to connect to proxy: ${err.message}`, err.code ? Number(err.code) : 112)
+    }
+  }
+}