@api-client/core 0.6.2 → 0.6.5

package/src/authorization/lib/SecurityProcessor.ts

@@ -0,0 +1,141 @@
+import { IBasicAuthorization, IBearerAuthorization, IOAuth2Authorization, IOidcAuthorization, IOidcTokenInfo } from "../../models/Authorization.js";
+import { IRequestAuthorization, RequestAuthorization } from "../../models/RequestAuthorization.js";
+import { IHttpRequest } from "../../models/HttpRequest.js";
+import { Headers } from '../../lib/headers/Headers.js';
+import { UrlProcessor } from "../../lib/parsers/UrlProcessor.js";
+import { UrlEncoder } from "../../lib/parsers/UrlEncoder.js";
+import { hasBuffer } from '../../Platform.js';
+import {
+  normalizeType,
+  METHOD_BASIC,
+  METHOD_BEARER,
+  METHOD_OAUTH2,
+  METHOD_OIDC,
+} from "./Utils.js";
+
+export interface IAuthApplyOptions {
+  /**
+   * When set it won't change the originating authorization objects.
+   * By default it sets the authorization's `enabled` property to `false` after applying the 
+   * value to the request.
+   */
+  immutable?: boolean;
+}
+
+export class SecurityProcessor {
+  /**
+   * Applies authorization configuration to the request object.
+   */
+  static applyAuthorization(request: IHttpRequest, authorization: (IRequestAuthorization | RequestAuthorization)[], opts: IAuthApplyOptions = {}): void {
+    if (!Array.isArray(authorization) || !authorization.length) {
+      return;
+    }
+
+    for (const auth of authorization) {
+      if (!auth.enabled || !auth.config) {
+        continue;
+      }
+
+      switch (normalizeType(auth.type)) {
+        case METHOD_BASIC:
+          SecurityProcessor.applyBasicAuth(request, auth.config as IBasicAuthorization);
+          if (!opts.immutable) {
+            auth.enabled = false;
+          }
+          break;
+        case METHOD_OAUTH2:
+          SecurityProcessor.applyOAuth2(request, auth.config as IOAuth2Authorization);
+          if (!opts.immutable) {
+            auth.enabled = false;
+          }
+          break;
+        case METHOD_OIDC:
+          SecurityProcessor.applyOpenId(request, auth.config as IOidcAuthorization);
+          if (!opts.immutable) {
+            auth.enabled = false;
+          }
+          break;
+        case METHOD_BEARER:
+          SecurityProcessor.applyBearer(request, auth.config as IBearerAuthorization);
+          if (!opts.immutable) {
+            auth.enabled = false;
+          }
+          break;
+        default:
+      }
+    }
+  }
+
+  /**
+   * Injects basic auth header into the request headers.
+   */
+  static applyBasicAuth(request: IHttpRequest, config: IBasicAuthorization): void {
+    const { username, password } = config;
+    if (!username) {
+      return;
+    }
+    const hash = `${username}:${password || ''}`;
+    const value = hasBuffer ? Buffer.from(hash).toString('base64') : btoa(hash);
+
+    const headers = new Headers(request.headers || '');
+    headers.append('authorization', `Basic ${value}`);
+    request.headers = headers.toString();
+  }
+
+  /**
+   * Injects oauth 2 auth header into the request headers.
+   */
+  static applyOAuth2(request: IHttpRequest, config: IOAuth2Authorization): void {
+    const { accessToken, tokenType = 'Bearer', deliveryMethod = 'header', deliveryName = 'authorization' } = config;
+    if (!accessToken) {
+      return;
+    }
+    const value = `${tokenType} ${accessToken}`;
+    if (deliveryMethod === 'header') {
+      const headers = new Headers(request.headers || '');
+      headers.append(deliveryName, value);
+      request.headers = headers.toString();
+    } else if (deliveryMethod === 'query') {
+      const { url } = request;
+      try {
+        const parser = new UrlProcessor(url);
+        parser.search.append(UrlEncoder.encodeQueryString(deliveryName, true), UrlEncoder.encodeQueryString(value, true));
+        request.url = parser.toString();
+      } catch (e) {
+        // ...
+      }
+    }
+  }
+
+  /**
+   * Injects OpenID Connect auth header into the request headers.
+   */
+  static applyOpenId(request: IHttpRequest, config: IOidcAuthorization): void {
+    const { accessToken, tokens, tokenInUse } = config;
+    if (accessToken) {
+      SecurityProcessor.applyOAuth2(request, config);
+    } else if (Array.isArray(tokens) && typeof tokenInUse === 'number') {
+      const data = tokens[tokenInUse] as IOidcTokenInfo;
+      if (data && data.accessToken) {
+        const copy = { ...config };
+        copy.accessToken = data.accessToken;
+        SecurityProcessor.applyOAuth2(request, copy);
+      }
+    }
+  }
+
+  /**
+   * Injects bearer auth header into the request headers.
+   */
+  static applyBearer(request: IHttpRequest, config: IBearerAuthorization): void {
+    const { token } = config;
+    if (!token) {
+      return;
+    }
+    const value = `Bearer ${token}`;
+
+    const headers = new Headers(request.headers || '');
+    headers.append('authorization', value);
+    request.headers = headers.toString();
+  }
+}

package/src/authorization/lib/Utils.ts

@@ -0,0 +1,89 @@
+/**
+ * Normalizes type name to a string identifier.
+ * It casts input to a string and lowercase it.
+ * @param type Type value
+ * @return Normalized value.
+ */
+export const normalizeType = (type?: string): string => String(type).toLowerCase();
+
+export const METHOD_BASIC = "basic";
+export const METHOD_BEARER = "bearer";
+export const METHOD_NTLM = "ntlm";
+export const METHOD_DIGEST = "digest";
+export const METHOD_OAUTH2 = "oauth 2";
+export const METHOD_OIDC = "open id";
+export const METHOD_CC = 'client certificate';
+export const CUSTOM_CREDENTIALS = "Custom credentials";
+
+/**
+ * @param value The value to validate
+ * @returns True if the redirect URI can be considered valid.
+ */
+export function validateRedirectUri(value: unknown): boolean {
+  let result = true;
+  if (!value || typeof value !== 'string') {
+    result = false;
+  }
+  // the redirect URI can have any value, especially for installed apps which 
+  // may use custom schemes. We do very basic sanity check for any script content 
+  // validation to make sure we are not passing any script.
+  if (result && String(value).startsWith('javascript:')) {
+    result = false;
+  }
+  return result;
+}
+
+/**
+ * Generates client nonce for Digest authorization.
+ *
+ * @return Generated client nonce.
+ */
+export function generateCnonce(): string {
+  const characters = 'abcdef0123456789';
+  let token = '';
+  for (let i = 0; i < 16; i++) {
+    const randNum = Math.round(Math.random() * characters.length);
+    token += characters.substring(randNum, 1);
+  }
+  return token;
+}
+
+/**
+ * Generates `state` parameter for the OAuth2 call.
+ *
+ * @return Generated state string.
+ */
+export function generateState(): string {
+  let text = '';
+  const possible = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
+  for (let i = 0; i < 6; i++) {
+    text += possible.charAt(Math.floor(Math.random() * possible.length));
+  }
+  return text;
+}
+
+/**
+ * When defined and the `url` is a relative path staring with `/` then it
+ * adds base URI to the path and returns concatenated value.
+ *
+ * @param url The URL to process
+ * @param baseUri Base URI to use.
+ * @returns Final URL value.
+ */
+export function readUrlValue(url?: string, baseUri?: string): string {
+  if (!url) {
+    return '';
+  }
+  const result = String(url);
+  if (!baseUri) {
+    return result;
+  }
+  if (result[0] === '/') {
+    let uri = baseUri;
+    if (uri[uri.length - 1] === '/') {
+      uri = uri.substring(0, uri.length - 1);
+    }
+    return `${uri}${result}`;
+  }
+  return result;
+}

package/src/lib/transformers/PayloadSerializer.ts

@@ -1,4 +1,4 @@
-import { blobToDataUrl } from './Utils.js';
+import { hasBlob, hasBuffer, hasFormData } from '../../Platform.js';
 
 export type PayloadTypes = 'string' | 'file' | 'blob' | 'buffer' | 'arraybuffer' | 'formdata' | 'x-www-form-urlencoded';
 export type DeserializedPayload = string | Blob | File | FormData | Buffer | ArrayBuffer | undefined;
@@ -6,30 +6,55 @@ export const SupportedPayloadTypes: PayloadTypes[] = ['string', 'file', 'blob',
 
 export interface IMultipartBody {
   /**
-   * When true a this entry represent a file part
+   * Whether the parameter is enabled. Default to true.
    */
-  isFile: boolean;
+  enabled?: boolean;
   /**
    * The name of the filed
    */
   name: string;
   /**
-   * Converted value
+   * Converted value.
+   * When the part value was a string this is a string.
+   * When the previous value was a Blob or a Buffer, this will be a serialized payload.
+   */
+  value: string | ISafePayload;
+  /**
+   * Aside from the `value` which is used to process the Payload, the purpose of this field to to keep
+   * the entered by the user string value for the "blob" item. This is primarily handled by the UI
+   * and ignored by the HTTP Engine.
+   */
+  blobText?: string;
+  /**
+   * When `true` this entry represent a file part
+   * @deprecated This is only used for the compatibility with ARC. This information is encoded in the `value`.
    */
-  value: string;
+  isFile?: boolean;
   /**
    * A content type entered by the user to the text part of the text part input.
    * This can only be set when `isFile` is false.
+   * @deprecated This is only used for the compatibility with ARC. This information is encoded in the `value`.
    */
   type?: string;
   /**
    * The original file name used with the part
+   * @deprecated This is only used for the compatibility with ARC. This information is encoded in the `value`.
    */
   fileName?: string;
+}
+
+export interface IBlobMeta {
   /**
-   * Whether the parameter is enabled. Default to true.
+   * The blob's mime type.
    */
-  enabled?: boolean;
+  mime: string;
+}
+
+export interface IFileMeta extends IBlobMeta {
+  /**
+   * The file name.
+   */
+  name: string;
 }
 
 /**
@@ -43,13 +68,17 @@ export interface ISafePayload {
    * The type od the originating payload object.
    */
   type: PayloadTypes;
+  /**
+   * The payload contents. The data type depends on the `type`.
+   */
   data: string | number[] | IMultipartBody[];
   /**
    * Optionally the original mime type of the payload.
    * This is used with files.
    */
-  mime?: string;
+  meta?: IBlobMeta | IFileMeta;
 }
+
 /**
  * The request payload. When not a string then it has to go through a 
  * transformation from a store safe object to the original data object.
@@ -59,10 +88,6 @@ export interface ISafePayload {
  */
 export type Payload = string | ISafePayload;
 
-export const hasFormData: boolean = typeof FormData === 'function';
-export const hasBlob: boolean = typeof Blob === 'function';
-export const hasBuffer: boolean = typeof Buffer === 'function';
-
 export class PayloadSerializer {
   /**
    * Checked whether the passed payload can be safely stored in the data store.
@@ -84,6 +109,17 @@ export class PayloadSerializer {
     return false;
   }
 
+  /**
+   * Tests whether the given input should be processed by the `serialize()`.
+   */
+  static needsSerialization(input: unknown): boolean {
+    const typedSerialized = input as ISafePayload;
+    if (typedSerialized.type && SupportedPayloadTypes.includes(typedSerialized.type)) {
+      return false;
+    }
+    return true;
+  }
+
   /**
    * Transforms the payload into a data store safe object.
    */
@@ -100,6 +136,10 @@ export class PayloadSerializer {
     // if (typeof payload === 'string') {
     //   return payload;
     // }
+
+    if (hasBlob && payload instanceof File) {
+      return PayloadSerializer.stringifyFile(payload);
+    }
     if (hasBlob && payload instanceof Blob) {
       return PayloadSerializer.stringifyBlob(payload);
     }
@@ -111,7 +151,7 @@ export class PayloadSerializer {
     }
     if (hasFormData && payload instanceof FormData) {
       try {
-        const result = await PayloadSerializer.stringifyFormData((payload as unknown) as Iterable<(string | File)[]>);
+        const result = await PayloadSerializer.stringifyFormData(payload);
         return result;
       } catch (e: unknown) {
         console.warn(`Unable to transform FormData: ${(e as Error).message}`);
@@ -121,18 +161,38 @@ export class PayloadSerializer {
   }
 
   /**
-   * Converts blob data to base64 string.
+   * Stringifies a file object.
+   */
+  static async stringifyFile(file: File): Promise<ISafePayload> {
+    const buffer = await file.arrayBuffer();
+    const view = new Uint8Array(buffer);
+    const meta: IFileMeta = {
+      mime: file.type,
+      name: file.name,
+    };
+    const result: ISafePayload = {
+      type: 'file',
+      data: [...view],
+      meta,
+    };
+    return result;
+  }
+
+  /**
+   * Stringifies a blob object.
    *
-   * @param blob File or blob object to be translated to string
-   * @return Promise resolved to a base64 string data from the file.
+   * @param blob Blob object to be translated to string
    */
   static async stringifyBlob(blob: Blob): Promise<ISafePayload> {
-    const typedFile = blob as File;
-    const data = await blobToDataUrl(blob);
+    const buffer = await blob.arrayBuffer();
+    const view = new Uint8Array(buffer);
+    const meta: IBlobMeta = {
+      mime: blob.type,
+    };
     const result: ISafePayload = {
       type: 'blob',
-      data,
-      mime: typedFile.type,
+      data: [...view],
+      meta,
     };
     return result;
   }
@@ -160,14 +220,11 @@ export class PayloadSerializer {
    * @returns The buffer metadata or undefined if the passed argument is not an ArrayBuffer.
    */
   static stringifyArrayBuffer(payload: ArrayBuffer): ISafePayload | undefined {
-    if (payload.byteLength) {
-      const view = new Uint8Array(payload);
-      return {
-        type: 'arraybuffer',
-        data: Array.from(view),
-      };
-    }
-    return undefined;
+    const view = new Uint8Array(payload);
+    return {
+      type: 'arraybuffer',
+      data: Array.from(view),
+    };
   }
 
   /**
@@ -176,9 +233,11 @@ export class PayloadSerializer {
    * @param payload A `FormData` object
    * @return A promise resolved to a datastore safe entries.
    */
-  static async stringifyFormData(payload: Iterable<(string | File)[]>): Promise<ISafePayload> {
+  static async stringifyFormData(payload: FormData): Promise<ISafePayload> {
+    // TS apparently doesn't know that FormData is iterable.
+    const iterable = (payload as unknown) as Iterable<(string | File)[]>;
     const promises: Promise<IMultipartBody>[] = [];
-    for (const part of payload) {
+    for (const part of iterable) {
       promises.push(PayloadSerializer.serializeFormDataEntry(part[0] as string, part[1]));
     }
     const items = await Promise.all(promises);
@@ -195,33 +254,27 @@ export class PayloadSerializer {
    * @param file The part value
    * @returns Transformed FormData part to a datastore safe entry.
    */
-  static async serializeFormDataEntry(name: string, file: string | File): Promise<IMultipartBody> {
+  static async serializeFormDataEntry(name: string, file: string | File | Blob): Promise<IMultipartBody> {
     if (typeof file === 'string') {
-      // when adding an item to the FormData object without 3rd parameter of the append function
-      // then  the value is a string.
       return {
-        isFile: false,
         name,
         value: file,
         enabled: true,
       };
     }
-
-    const value = await blobToDataUrl(file);
+    let value: ISafePayload;
+    // API Client adds the "blob" when adding a text value with a mime type.
+    // This is recognized by the UI to restore the entry as the text and not a file.
+    if (file instanceof File && file.name !== 'blob') {
+      value = await PayloadSerializer.stringifyFile(file);
+    } else {
+      value = await PayloadSerializer.stringifyBlob(file);
+    }
     const part: IMultipartBody = {
-      isFile: false,
       name,
       value,
       enabled: true,
     };
-    if (file.name === 'blob') {
-      // API Client adds the "blob" filename when the content type is set on the editor.
-      // otherwise it wouldn't be possible to set the content type value.
-      part.type = file.type;
-    } else {
-      part.isFile = true;
-      part.fileName = file.name;
-    }
     return part;
   }
 
@@ -240,8 +293,8 @@ export class PayloadSerializer {
       // We mostly gonna return a Buffer here.
       switch (payload.type) {
         case 'string': return payload.data as string;
-        case 'file':
-        case 'blob': return PayloadSerializer.deserializeBlobBuffer(payload.data as string);
+        case 'file': return PayloadSerializer.deserializeFileBuffer(payload);
+        case 'blob': return PayloadSerializer.deserializeBlobBuffer(payload);
         case 'buffer': return PayloadSerializer.deserializeBuffer(payload.data as number[]);
         case 'arraybuffer': return PayloadSerializer.deserializeArrayBufferBuffer(payload.data as number[]);
         case 'formdata': return undefined;
@@ -250,9 +303,9 @@ export class PayloadSerializer {
     }
     switch (payload.type) {
       case 'string': return payload.data as string;
-      case 'file':
-      case 'blob': return PayloadSerializer.deserializeBlob(payload.data as string);
-      case 'buffer': return PayloadSerializer.deserializeBuffer(payload.data as number[]);
+      case 'file': return PayloadSerializer.deserializeFile(payload);
+      case 'blob': return PayloadSerializer.deserializeBlob(payload);
+      case 'buffer': return PayloadSerializer.deserializeArrayBuffer(payload.data as number[]);
       case 'arraybuffer': return PayloadSerializer.deserializeArrayBuffer(payload.data as number[]);
       case 'formdata': return PayloadSerializer.deserializeFormData(payload.data as IMultipartBody[]);
       default: return undefined;
@@ -260,12 +313,47 @@ export class PayloadSerializer {
   }
 
   /**
-   * Converts data-url string to blob
+   * Deserializes previously serialized file object.
+   * 
+   * @param payload The serialized payload with a file.
+   */
+  static deserializeFile(payload: ISafePayload): File {
+    const data = payload.data as number[];
+    const meta = payload.meta as IFileMeta;
+    const { mime, name } = meta;
+    const { buffer } = new Uint8Array(data);
+    return new File([buffer], name, {
+      type: mime,
+    });
+  }
+
+  /**
+   * Deserializes previously serialized blob object.
+   * 
+   * In previous versions of ARC the data was a string as data URL. In API client this is a buffer.
    *
+   * @param payload The serialized payload.
+   * @return Restored blob value
+   */
+  static deserializeBlob(payload: ISafePayload): Blob | undefined {
+    if (typeof payload.data === 'string') {
+      return this.deserializeBlobLegacy(payload.data);
+    }
+    const data = payload.data as number[];
+    const meta = payload.meta as IBlobMeta;
+    const { mime } = meta;
+    const { buffer } = new Uint8Array(data);
+    return new Blob([buffer], { type: mime });
+  }
+
+  /**
+   * The old implementation of the blob deserializer.
+   * 
+   * @deprecated
    * @param dataUrl Data url from blob value.
    * @return Restored blob value
    */
-  static deserializeBlob(dataUrl: string): Blob | undefined {
+  static deserializeBlobLegacy(dataUrl: string): Blob | undefined {
     const arr = dataUrl.split(',');
     const matchedMime = arr[0].match(/:(.*?);/);
     if (!matchedMime) {
@@ -282,12 +370,40 @@ export class PayloadSerializer {
   }
 
   /**
-   * Converts data-url string to blob
+   * Converts previously serialized File to a Buffer.
+   *
+   * @param payload The serialized payload.
+   * @return Restored File value as Buffer
+   */
+  static deserializeFileBuffer(payload: ISafePayload): Buffer {
+    const data = payload.data as number[];
+    const ab = this.deserializeArrayBuffer(data);
+    return Buffer.from(ab);
+  }
+
+  /**
+   * Converts data-url string to buffer
    *
+   * @param payload The serialized payload.
+   * @return Restored blob value
+   */
+  static deserializeBlobBuffer(payload: ISafePayload): Buffer {
+    if (typeof payload.data === 'string') {
+      return this.deserializeBlobBufferLegacy(payload.data);
+    }
+    const data = payload.data as number[];
+    const ab = this.deserializeArrayBuffer(data);
+    return Buffer.from(ab);
+  }
+
+  /**
+   * Converts data-url string to buffer
+   *
+   * @deprecated
    * @param dataUrl Data url from blob value.
    * @return Restored blob value
    */
-  static deserializeBlobBuffer(dataUrl: string): Buffer {
+  static deserializeBlobBufferLegacy(dataUrl: string): Buffer {
     const arr = dataUrl.split(',');
     const value = arr[1];
     return Buffer.from(value, 'base64url');
@@ -334,26 +450,54 @@ export class PayloadSerializer {
     if (!Array.isArray(parts) || !parts.length) {
       return fd;
     }
-    parts.forEach((part) => {
-      const { isFile, name, value, type, fileName, enabled } = part;
-      if (enabled === false) {
-        return;
+    parts.forEach(part => this.deserializeFormDataPart(fd, part));
+    return fd;
+  }
+
+  private static deserializeFormDataPart(form: FormData, part: IMultipartBody): void {
+    if (part.enabled === false) {
+      return;
+    }
+    // the compatibility with old ARC.
+    if (typeof part.isFile === 'boolean') {
+      this.deserializeFormDataLegacy(form, part);
+      return;
+    }
+    const { name, value } = part;
+    if (typeof value === 'string') {
+      form.append(name, value);
+      return;
+    }
+    if (value.type === 'string') {
+      form.append(name, value.data as string);
+      return;
+    }
+    if (value.type === 'file') {
+      const file = this.deserializeFile(value);
+      form.append(name, file);
+      return;
+    }
+    const blob = this.deserializeBlob(value) as Blob;
+    form.append(name, blob);
+  }
+
+  /**
+   * @deprecated This is only for compatibility with ARC.
+   */
+  private static deserializeFormDataLegacy(form: FormData, part: IMultipartBody): void {
+    let blob;
+    if (part.isFile) {
+      blob = PayloadSerializer.deserializeBlobLegacy(part.value as string);
+      if (blob) {
+        form.append(part.name, blob, part.fileName);
       }
-      let blob;
-      if (isFile) {
-        blob = PayloadSerializer.deserializeBlob(value);
-        if (blob) {
-          fd.append(name, blob, fileName);
-        }
-      } else if (type) {
-        blob = PayloadSerializer.deserializeBlob(value);
-        if (blob) {
-          fd.append(name, blob, 'blob');
-        }
-      } else {
-        fd.append(name, value);
+    } else if (part.type) {
+      blob = PayloadSerializer.deserializeBlobLegacy(part.value as string);
+      if (blob) {
+        form.append(part.name, blob, 'blob');
       }
-    });
-    return fd;
+    } else {
+      form.append(part.name, part.value as string);
+    }
   }
 }

package/src/models/RequestUiMeta.ts

@@ -1,5 +1,5 @@
 import { IProperty, Property } from './Property.js';
-import { IMultipartBody } from '../lib/transformers/PayloadSerializer.js';
+import { IMultipartBody, ISafePayload } from '../lib/transformers/PayloadSerializer.js';
 import { RequestUiMeta as LegacyRequestUiMeta } from './legacy/request/ArcRequest.js';
 
 export const Kind = 'Core#RequestUiMeta';
@@ -70,7 +70,7 @@ export interface IBodyMetaModel {
   /**
    * Generated view model.
    */
-  viewModel: (IProperty | IMultipartBody | IRawBody)[];
+  viewModel: (IProperty | ISafePayload | IMultipartBody | IRawBody)[];
 }
 
 /**

package/src/models/SerializablePayload.ts

@@ -1,4 +1,5 @@
-import { PayloadSerializer, Payload, DeserializedPayload, hasBuffer } from '../lib/transformers/PayloadSerializer.js';
+import { PayloadSerializer, Payload, DeserializedPayload } from '../lib/transformers/PayloadSerializer.js';
+import { hasBuffer } from '../Platform.js';
 
 export class SerializablePayload {
   /**