@apptimate/core-lib 1.1.0 → 1.3.0

package/src/utils/apiProxy.ts

@@ -0,0 +1,155 @@
+import { cookie } from "../constants/storageKeys";
+import { decode } from "./commonService";
+
+const HOP_BY_HOP_HEADERS = new Set([
+    "connection",
+    "content-length",
+    "content-encoding",
+    "keep-alive",
+    "proxy-authenticate",
+    "proxy-authorization",
+    "te",
+    "trailer",
+    "transfer-encoding",
+    "upgrade",
+]);
+
+function parseCookieHeader(header: string | null): Record<string, string> {
+    if (!header) {
+        return {};
+    }
+
+    return header.split(";").reduce<Record<string, string>>((acc, part) => {
+        const [rawName, ...valueParts] = part.trim().split("=");
+        if (!rawName) {
+            return acc;
+        }
+
+        acc[rawName] = decodeURIComponent(valueParts.join("=") || "");
+        return acc;
+    }, {});
+}
+
+function getCookieValue(cookies: Record<string, string>, name: string): string | null {
+    return cookies[name] ?? null;
+}
+
+function getAccessToken(cookies: Record<string, string>): string | null {
+    const cookieNames = [
+        cookie.access_token.encrypted ? cookie.access_token.secretName : cookie.access_token.name,
+        cookie.access_token.name,
+        cookie.access_token.secretName,
+    ];
+
+    for (const name of cookieNames) {
+        const value = getCookieValue(cookies, name);
+        if (!value) {
+            continue;
+        }
+
+        return cookie.access_token.encrypted ? decode(value) : value;
+    }
+
+    return null;
+}
+
+function buildCookieHeader(name: string, options?: { httpOnly?: boolean }): string {
+    const parts = [
+        `${name}=`,
+        "Path=/",
+        "Max-Age=0",
+        "Expires=Thu, 01 Jan 1970 00:00:00 GMT",
+        "SameSite=Lax",
+    ];
+
+    if (options?.httpOnly) {
+        parts.push("HttpOnly");
+    }
+
+    if (process.env.NODE_ENV === "production") {
+        parts.push("Secure");
+    }
+
+    return parts.join("; ");
+}
+
+export function createSessionLogoutResponse(): Response {
+    const headers = new Headers({ "content-type": "application/json" });
+    headers.append("set-cookie", buildCookieHeader(cookie.access_token.name, { httpOnly: true }));
+    headers.append("set-cookie", buildCookieHeader(cookie.access_token.secretName, { httpOnly: true }));
+    headers.append("set-cookie", buildCookieHeader("selected_organization_id"));
+
+    return new Response(JSON.stringify({ cleared: true }), {
+        status: 200,
+        headers,
+    });
+}
+
+export async function forwardApiProxyRequest(request: Request, pathSegments: string[]): Promise<Response> {
+    const apiBaseUrl = process.env.NEXT_PUBLIC_API_URL;
+
+    if (!apiBaseUrl) {
+        return new Response(JSON.stringify({
+            is_success: false,
+            message: "NEXT_PUBLIC_API_URL is not configured.",
+            result: null,
+            system_code: "api_proxy_not_configured",
+        }), {
+            status: 500,
+            headers: { "content-type": "application/json" },
+        });
+    }
+
+    const incomingUrl = new URL(request.url);
+    const upstreamPath = pathSegments.join("/");
+    const upstreamUrl = new URL(upstreamPath, `${apiBaseUrl.replace(/\/$/, "")}/`);
+    upstreamUrl.search = incomingUrl.search;
+
+    const cookies = parseCookieHeader(request.headers.get("cookie"));
+    const token = getAccessToken(cookies);
+    const selectedOrganizationId = getCookieValue(cookies, "selected_organization_id");
+
+    const headers = new Headers();
+    const accept = request.headers.get("accept");
+    const contentType = request.headers.get("content-type");
+    const organizationId = request.headers.get("x-organization-id") ?? selectedOrganizationId;
+
+    if (accept) {
+        headers.set("accept", accept);
+    }
+
+    if (contentType) {
+        headers.set("content-type", contentType);
+    }
+
+    if (organizationId) {
+        headers.set("x-organization-id", organizationId);
+    }
+
+    if (token) {
+        headers.set("authorization", `Bearer ${token}`);
+    }
+
+    const hasBody = !["GET", "HEAD"].includes(request.method.toUpperCase());
+    const body = hasBody ? await request.arrayBuffer() : undefined;
+
+    const upstreamResponse = await fetch(upstreamUrl.toString(), {
+        method: request.method,
+        headers,
+        body,
+        cache: "no-store",
+        redirect: "manual",
+    });
+
+    const responseHeaders = new Headers();
+    upstreamResponse.headers.forEach((value, key) => {
+        if (!HOP_BY_HOP_HEADERS.has(key.toLowerCase())) {
+            responseHeaders.set(key, value);
+        }
+    });
+
+    return new Response(upstreamResponse.body, {
+        status: upstreamResponse.status,
+        headers: responseHeaders,
+    });
+}

package/src/utils/httpClient.ts

@@ -1,19 +1,21 @@
 import { IApiResponse } from "../common/interfaces/ICommon";
-import Cookies from 'js-cookie';
-import { cookie } from '../constants/storageKeys';
-import { decrypt, replacePlaceholders } from './commonService';
 
 /**
  * Handles 401 Unauthorized responses globally.
- * Clears the auth cookie and localStorage, then redirects to the login page.
+ * Clears the server-managed session and app-owned local state, then redirects
+ * to the login page.
  */
 export function handleUnauthorized(): void {
-    // Clear auth cookie explicitly to avoid clearing cookies from other apps on localhost
-    const cookieName = replacePlaceholders(
-        cookie.access_token.encrypted ? cookie.access_token.secretName : cookie.access_token.name,
-        {}
-    );
-    Cookies.remove(cookieName, { path: '/' });
+    // Best-effort server-side cookie clear for HttpOnly auth cookies.
+    if (typeof window !== 'undefined') {
+        fetch('/api/session/logout', {
+            method: 'POST',
+            credentials: 'same-origin',
+            keepalive: true,
+        }).catch(() => {
+            // Ignore logout cleanup failures and proceed with client-side reset.
+        });
+    }
 
     // Clear only app-owned localStorage keys instead of wiping the entire origin
     if (typeof window !== 'undefined') {
@@ -49,6 +51,25 @@ export interface ClientResponse<T = any> {
     responseData: IApiResponse<T>;
 }
 
+function buildBrowserProxyUrl(rawUrl: string): string {
+    if (typeof window === 'undefined') {
+        return rawUrl;
+    }
+
+    try {
+        const parsedUrl = new URL(rawUrl, window.location.origin);
+
+        if (parsedUrl.origin === window.location.origin) {
+            return parsedUrl.toString();
+        }
+
+        const proxyPath = parsedUrl.pathname.replace(/^\/+/, '');
+        return `/api/proxy/${proxyPath}${parsedUrl.search}`;
+    } catch {
+        return rawUrl;
+    }
+}
+
 export async function sendRequest<T = any>({ url, method, data, params, headers, signal }: RequestOptions): Promise<ClientResponse<T>> {
     const defaultHeaders: Record<string, string> = {
         'Accept': 'application/json',
@@ -69,24 +90,10 @@ export async function sendRequest<T = any>({ url, method, data, params, headers,
         }
     }
 
-    // Automatically add Authorization header on the client side
+    // Client-side requests are routed through a same-origin proxy so the
+    // browser never needs direct access to the bearer token.
     if (typeof window !== 'undefined') {
-        const name = replacePlaceholders(
-            cookie.access_token.encrypted ? cookie.access_token.secretName : cookie.access_token.name,
-            {}
-        );
-        const tokenValue = Cookies.get(name);
-
-        if (tokenValue) {
-            try {
-                const token = cookie.access_token.encrypted ? decrypt(tokenValue) : tokenValue;
-                if (token) {
-                    defaultHeaders['Authorization'] = `Bearer ${token}`;
-                }
-            } catch (error) {
-                console.error("Failed to process auth token:", error);
-            }
-        }
+        finalUrl = buildBrowserProxyUrl(finalUrl);
 
         // Automatically inject selected organization ID into every request
         try {