npm - @canva/cli - Versions diffs - 1.11.0 → 1.12.0 - Mend

@canva/cli 1.11.0 → 1.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (71) hide show

package/templates/base/backend/routers/oauth.ts DELETED Viewed

@@ -1,393 +0,0 @@
-import crypto from "crypto";
-import "dotenv/config";
-import debug from "debug";
-import express from "express";
-import basicAuth from "express-basic-auth";
-import { createBearerMiddleware } from "../../utils/backend/bearer_middleware";
-import { JSONFileDatabase } from "../database/database";
-/**
- * Prefix your start command with `DEBUG=express:route:oauth` to enable debug logging
- * for this middleware
- */
-const debugLogger = debug("express:route:oauth");
-/**
- * These are the hard-coded credentials for logging in to this template.
- */
-const USERNAME = "username";
-const PASSWORD = "password";
-const COOKIE_EXPIRY_MS = 5 * 60 * 1000; // 5 minutes
-const TOKEN_EXPIRY_S = 4 * 60 * 60; // 4 hours
-const REFRESH_EXPIRY_S = 30 * 24 * 3600; // 30 days
-const CLIENT_ID = "client_id";
-const CLIENT_SECRET = "client_secret";
-const REDIRECT_URI = "https://www.canva.com/apps/oauth/authorized";
-/**
- * For simplicity, we simply generate random token values and store them in our database
- * for production you may want to use JWTs or other stateless methods.
- */
-interface Token {
-  value: string;
-  expiry: number; // Unix timestamp
-}
-export interface User {
-  id: string;
-  authorizationCode?: Token;
-  accessToken?: Token;
-  refreshToken?: Token;
-}
-interface RedirectUriRecord {
-  redirectUri: string;
-  authorizationCode: string;
-}
-export interface Data {
-  users: User[];
-  redirect_uris: RedirectUriRecord[];
-}
-/**
- * For more information on Authentication, refer to our documentation: {@link https://www.canva.dev/docs/apps/authenticating-users/#types-of-authentication}.
- */
-export const createAuthRouter = () => {
-  /**
-   * Set up a database with a "users" table. In this example code, the
-   * database is simply a JSON file.
-   */
-  const db = new JSONFileDatabase<Data>({ users: [], redirect_uris: [] });
-  const router = express.Router();
-  /**
-   * The urlencoded middleware allows us to parse form data from the request body.
-   * This is required for the OAuth 2.0 Token Exchange endpoint.
-   */
-  router.use(express.urlencoded({ extended: true }));
-  /**
-   * This is the OAuth 2.0 Authorization endpoint
-   * https://datatracker.ietf.org/doc/html/rfc6749#section-3.1
-   *
-   * This endpoint does not implement PKCE, which you would want to do
-   * for production.
-   */
-  router.get(
-    "/auth/authorize",
-    basicAuth({
-      users: { [USERNAME]: PASSWORD },
-      challenge: true,
-    }),
-    async (req, res) => {
-      const redirectUri = decodeURIComponent(
-        req.query.redirect_uri?.toString() ?? REDIRECT_URI,
-      );
-      const clientId = req.query.client_id?.toString();
-      const responseType = req.query.response_type?.toString();
-      const state = req.query.state?.toString();
-      if (!clientId) {
-        return res.status(400).send("Missing required client ID parameter");
-      }
-      if (clientId !== CLIENT_ID) {
-        return res.status(400).send("Invalid client ID");
-      }
-      if (redirectUri !== REDIRECT_URI) {
-        return res.status(400).send(`Invalid redirect URI ${redirectUri}`);
-      }
-      const failureResponse = (error: string) => {
-        const params = new URLSearchParams({
-          error,
-          state: state || "",
-        });
-        res.redirect(302, `${redirectUri}?${params}`);
-      };
-      if (responseType !== "code") {
-        return failureResponse("unsupported_response_type");
-      }
-      // You should implement PKCE to protect against authorization code interception attacks
-      // https://datatracker.ietf.org/doc/html/rfc7636
-      // this is left off for simplicity in this example
-      // Generate a unique authorization code
-      const authorizationCode = crypto.randomUUID();
-      // Load the database
-      const data = await db.read();
-      // Add the user to the database if they aren't there already
-      if (!data.users.find((user) => user.id === USERNAME)) {
-        data.users.push({
-          id: USERNAME,
-          authorizationCode: {
-            value: authorizationCode,
-            expiry: Date.now() + COOKIE_EXPIRY_MS,
-          },
-        });
-      } else {
-        // If the user is there, update the authorization code
-        // In a production system you would allow at least one authorization code
-        // per user per client, but here we simplify and have one per user.
-        data.users = data.users.map((user) => {
-          if (user.id === USERNAME) {
-            return {
-              ...user,
-              authorizationCode: {
-                value: authorizationCode,
-                expiry: Date.now() + COOKIE_EXPIRY_MS,
-              },
-            };
-          }
-          return user;
-        });
-      }
-      if (
-        !data.redirect_uris.find((record) => record.redirectUri === redirectUri)
-      ) {
-        data.redirect_uris.push({ redirectUri, authorizationCode });
-      } else {
-        data.redirect_uris = data.redirect_uris.map((record) => {
-          if (record.redirectUri === redirectUri) {
-            return { ...record, authorizationCode };
-          }
-          return record;
-        });
-      }
-      await db.write(data);
-      res.redirect(
-        302,
-        `${redirectUri}?code=${authorizationCode}&state=${state}`,
-      );
-    },
-  );
-  interface AuthorizationExchangeRequest {
-    grant_type: "authorization_code";
-    code: string;
-    redirect_uri?: string;
-  }
-  interface RefreshTokenExchangeRequest {
-    grant_type: "refresh_token";
-    refresh_token: string;
-  }
-  const failureResponse = (res: express.Response, error: string) => {
-    return res.status(400).send(`{"error": "${error}"}`);
-  };
-  const authorizationCodeExchange = async (
-    res: express.Response,
-    body: AuthorizationExchangeRequest,
-  ) => {
-    const refresh_token = crypto.randomUUID();
-    const access_token = crypto.randomUUID();
-    const code = body.code?.toString();
-    if (!code) {
-      return failureResponse(res, "invalid_request");
-    }
-    // Load the database
-    const data = await db.read();
-    const lastRedirectUrl = data.redirect_uris.find(
-      (record) => record.authorizationCode === code,
-    )?.redirectUri;
-    // The specification requires that if the redirect uri was present in the authorization request,
-    // it must be included and the same in the token exchange request
-    if (lastRedirectUrl !== body.redirect_uri?.toString()) {
-      return failureResponse(res, "invalid_request");
-    }
-    // Find the user who was issued this authorization code
-    const user = data.users.find(
-      (user) => user.authorizationCode?.value === code,
-    );
-    if (!user || !user.authorizationCode) {
-      return failureResponse(res, "invalid_grant");
-    }
-    if (user.authorizationCode.expiry < Date.now()) {
-      return failureResponse(res, "invalid_grant");
-    }
-    // Update the user with the new access token and refresh token
-    // and clear out their authorization code. Authorization codes
-    // are single use, so attempting to use the old one will now fail
-    data.users = data.users.map((user) => {
-      if (user.id === USERNAME) {
-        return {
-          ...user,
-          authorizationCode: undefined,
-          accessToken: {
-            value: access_token,
-            expiry: Date.now() + TOKEN_EXPIRY_S * 1000,
-          },
-          refreshToken: {
-            value: refresh_token,
-            expiry: Date.now() + REFRESH_EXPIRY_S * 1000,
-          },
-        };
-      }
-      return user;
-    });
-    await db.write(data);
-    return res.status(200).send(
-      JSON.stringify({
-        access_token,
-        refresh_token,
-        token_type: "bearer",
-        expires_in: TOKEN_EXPIRY_S,
-      }),
-    );
-  };
-  const refreshTokenExchange = async (
-    res: express.Response,
-    body: RefreshTokenExchangeRequest,
-  ) => {
-    const refresh_token = crypto.randomUUID();
-    const access_token = crypto.randomUUID();
-    const old_refresh_token = body.refresh_token?.toString();
-    if (!old_refresh_token) {
-      return failureResponse(res, "invalid_request");
-    }
-    // Find the user who was issued this refresh token
-    const data = await db.read();
-    const user = data.users.find(
-      (user) => user.refreshToken?.value === old_refresh_token,
-    );
-    if (!user) {
-      return failureResponse(res, "invalid_grant");
-    }
-    // Update the user with the new refresh token
-    // refresh tokens are single use, so attempting
-    // to use the old one will now fail
-    data.users = data.users.map((u) => {
-      if (u.id === user.id) {
-        return {
-          ...u,
-          accessToken: {
-            value: access_token,
-            expiry: Date.now() + TOKEN_EXPIRY_S * 1000,
-          },
-          refreshToken: {
-            value: refresh_token,
-            expiry: Date.now() + REFRESH_EXPIRY_S * 1000,
-          },
-        };
-      }
-      return u;
-    });
-    await db.write(data);
-    return res.status(200).send(
-      JSON.stringify({
-        access_token,
-        refresh_token,
-        token_type: "bearer",
-        expires_in: TOKEN_EXPIRY_S,
-      }),
-    );
-  };
-  /**
-   * This endpoint is the Oauth 2.0 Token endpoint
-   * https://datatracker.ietf.org/doc/html/rfc6749#section-3.2
-   * It serves both exchanging authorization codes for access tokens (and refresh tokens), and
-   * exchanging refresh tokens for new access tokens (and refresh tokens)
-   */
-  router.post(
-    "/auth/token",
-    basicAuth({
-      users: { [CLIENT_ID]: CLIENT_SECRET },
-      challenge: false,
-    }),
-    async (req, res) => {
-      const body = (await req.body) as
-        | AuthorizationExchangeRequest
-        | RefreshTokenExchangeRequest;
-      const grantType = body.grant_type?.toString();
-      if (!grantType) {
-        return failureResponse(res, "invalid_request");
-      }
-      if (grantType !== "authorization_code" && grantType !== "refresh_token") {
-        return failureResponse(res, "unsupported_grant_type");
-      }
-      if (grantType === "refresh_token") {
-        refreshTokenExchange(res, body as RefreshTokenExchangeRequest);
-      }
-      return authorizationCodeExchange(
-        res,
-        body as AuthorizationExchangeRequest,
-      );
-    },
-  );
-  /**
-   * TODO: Add this middleware to all routes that will receive requests from
-   * your app.
-   */
-  const bearerMiddleware = createBearerMiddleware(
-    async (access_token: string): Promise<string | undefined> => {
-      const data = await db.read();
-      const user = data.users.find(
-        (user) => user.accessToken?.value === access_token,
-      );
-      debugLogger(
-        `User found: ${user?.id}, expires ${user?.accessToken?.expiry} compare ${Date.now()}`,
-      );
-      const isAuthenticated =
-        user && user.accessToken && user.accessToken?.expiry > Date.now();
-      if (!isAuthenticated) {
-        return;
-      }
-      return user.id;
-    },
-  );
-  /**
-   * All routes that start with /api will be protected by bearer authentication
-   */
-  router.use("/api", bearerMiddleware);
-  /**
-   * This endpoint checks if a user is authenticated.
-   */
-  router.post("/api/authentication/status", async (req, res) => {
-    // Check if the user is authenticated
-    const isAuthenticated = !!req["user_id"];
-    // Return the authentication status
-    res.send({
-      isAuthenticated,
-    });
-  });
-  return router;
-};

package/templates/base/utils/backend/bearer_middleware/bearer_middleware.ts DELETED Viewed

@@ -1,99 +0,0 @@
-/* eslint-disable no-console */
-import debug from "debug";
-import type { NextFunction, Request, Response } from "express";
-/**
- * Prefix your start command with `DEBUG=express:middleware:bearer` to enable debug logging
- * for this middleware
- */
-const debugLogger = debug("express:middleware:bearer");
-/**
- * Augment the Express request context to include the appId/userId/brandId fields decoded
- * from the JWT.
- */
-declare module "express-serve-static-core" {
-  export interface Request {
-    user_id: string;
-  }
-}
-const sendUnauthorizedResponse = (res: Response, message?: string) =>
-  res.status(401).json({ error: "unauthorized", message });
-/**
- * An Express.js middleware verifying a Bearer token.
- * This middleware extracts the token from the `Authorization` header.
- *
- * @param getTokenFromRequest - A function that extracts a token from the request. If a token isn't found, throw a `JWTAuthorizationError`.
- * @returns An Express.js middleware for verifying and decoding JWTs.
- */
-export function createBearerMiddleware(
-  tokenToUser: (access_token: string) => Promise<string | undefined>,
-  getTokenFromRequest: GetTokenFromRequest = getTokenFromHttpHeader,
-): (req: Request, res: Response, next: NextFunction) => void {
-  return async (req, res, next) => {
-    try {
-      debugLogger(`processing token for '${req.url}'`);
-      const token = await getTokenFromRequest(req);
-      const user = await tokenToUser(token);
-      if (!user) {
-        throw new AuthorizationError("Token is invalid");
-      }
-      req["user_id"] = user;
-      return next();
-    } catch (e) {
-      if (e instanceof AuthorizationError) {
-        return sendUnauthorizedResponse(res, e.message);
-      }
-      return next(e);
-    }
-  };
-}
-export type GetTokenFromRequest = (req: Request) => Promise<string> | string;
-export const getTokenFromHttpHeader: GetTokenFromRequest = (
-  req: Request,
-): string => {
-  // The names of a HTTP header bearing the JWT, and a scheme
-  const headerName = "Authorization";
-  const schemeName = "Bearer";
-  const header = req.header(headerName);
-  if (!header) {
-    throw new AuthorizationError(`Missing the "${headerName}" header`);
-  }
-  if (!header.match(new RegExp(`^${schemeName}\\s+[^\\s]+$`, "i"))) {
-    console.trace(
-      `jwtMiddleware: failed to match token in "${headerName}" header`,
-    );
-    throw new AuthorizationError(
-      `Missing a "${schemeName}" token in the "${headerName}" header`,
-    );
-  }
-  const token = header.replace(new RegExp(`^${schemeName}\\s+`, "i"), "");
-  return token;
-};
-/**
- * A class representing JWT validation errors in the JWT middleware.
- * The error message provided to the constructor will be forwarded to the
- * API consumer trying to access a JWT-protected endpoint.
- * @private
- */
-export class AuthorizationError extends Error {
-  constructor(message: string) {
-    super(message);
-    Object.setPrototypeOf(this, AuthorizationError.prototype);
-  }
-}

package/templates/base/utils/backend/bearer_middleware/index.ts DELETED Viewed

	@@ -1 +0,0 @@
1	- export { createBearerMiddleware } from "./bearer_middleware";

package/templates/base/utils/backend/bearer_middleware/tests/bearer_middleware.tests.ts DELETED Viewed

@@ -1,192 +0,0 @@
-/* eslint-disable @typescript-eslint/no-require-imports */
-import type { NextFunction, Request, Response } from "express";
-import type {
-  createBearerMiddleware,
-  GetTokenFromRequest,
-} from "../bearer_middleware";
-type Middleware = (req: Request, res: Response, next: NextFunction) => void;
-describe("createBearerMiddleware", () => {
-  let fakeGetTokenFromRequest: jest.MockedFn<GetTokenFromRequest>;
-  let verify: jest.MockedFn<(token: string) => Promise<string | undefined>>;
-  let req: Request;
-  let res: Response;
-  let next: jest.MockedFn<() => void>;
-  let AuthorizationError: typeof Error;
-  let createBearerMiddlewareFn: typeof createBearerMiddleware;
-  let bearerMiddleware: Middleware;
-  beforeEach(() => {
-    jest.resetAllMocks();
-    jest.resetModules();
-    fakeGetTokenFromRequest = jest.fn();
-    verify = jest.fn();
-    const middlewareModule = require("../bearer_middleware");
-    createBearerMiddlewareFn = middlewareModule.createBearerMiddleware;
-    AuthorizationError = middlewareModule.AuthorizationError;
-  });
-  describe("When called", () => {
-    beforeEach(() => {
-      req = {
-        header: (_name: string) => undefined,
-      } as Request;
-      res = {
-        status: jest.fn().mockReturnThis(),
-        json: jest.fn().mockReturnThis(),
-        send: jest.fn().mockReturnThis(),
-      } as unknown as Response;
-      next = jest.fn();
-      bearerMiddleware = createBearerMiddlewareFn(
-        verify,
-        fakeGetTokenFromRequest,
-      );
-    });
-    describe("When `getTokenFromRequest` throws an exception ('Fake error')", () => {
-      beforeEach(() => {
-        fakeGetTokenFromRequest.mockRejectedValue(
-          new AuthorizationError("Fake error"),
-        );
-      });
-      it(`Does not call next() and returns HTTP 401 with error = "unauthorized" and message = "Fake error"`, async () => {
-        expect.assertions(8);
-        expect(fakeGetTokenFromRequest).not.toHaveBeenCalled();
-        await bearerMiddleware(req, res, next);
-        expect(fakeGetTokenFromRequest).toHaveBeenCalledTimes(1);
-        expect(fakeGetTokenFromRequest).toHaveBeenLastCalledWith(req);
-        expect(res.status).toHaveBeenCalledTimes(1);
-        expect(res.status).toHaveBeenLastCalledWith(401);
-        expect(res.json).toHaveBeenCalledTimes(1);
-        expect(res.json).toHaveBeenLastCalledWith({
-          error: "unauthorized",
-          message: "Fake error",
-        });
-        expect(next).not.toHaveBeenCalled();
-      });
-    });
-    describe("When the middleware cannot verify the token", () => {
-      beforeEach(() => {
-        fakeGetTokenFromRequest.mockReturnValue("TOKEN");
-        verify.mockImplementation(() => Promise.resolve(undefined));
-      });
-      it(`Does not call next() and returns HTTP 401 with error = "unauthorized" and message = "Token is invalid"`, async () => {
-        expect.assertions(5);
-        await bearerMiddleware(req, res, next);
-        expect(res.status).toHaveBeenCalledTimes(1);
-        expect(res.status).toHaveBeenLastCalledWith(401);
-        expect(res.json).toHaveBeenCalledTimes(1);
-        expect(res.json).toHaveBeenLastCalledWith({
-          error: "unauthorized",
-          message: "Token is invalid",
-        });
-        expect(next).not.toHaveBeenCalled();
-      });
-    });
-  });
-});
-describe("getTokenFromHttpHeader", () => {
-  let getHeader: jest.MockedFn<(name: string) => string | undefined>;
-  let req: Request;
-  let getTokenFromHttpHeader: (req: Request) => string;
-  let AuthorizationError: typeof Error;
-  beforeEach(() => {
-    getHeader = jest.fn();
-    req = {
-      header: (name: string) => getHeader(name),
-    } as Request;
-    const bearerMiddlewareModule = require("../bearer_middleware");
-    getTokenFromHttpHeader = bearerMiddlewareModule.getTokenFromHttpHeader;
-    AuthorizationError = bearerMiddlewareModule.AuthorizationError;
-  });
-  describe("When the 'Authorization' header is missing", () => {
-    beforeEach(() => {
-      getHeader.mockReturnValue(undefined);
-    });
-    it(`Throws a AuthorizationError with message = 'Missing the "Authorization" header'`, async () => {
-      expect.assertions(3);
-      expect(() => getTokenFromHttpHeader(req)).toThrow(
-        new AuthorizationError('Missing the "Authorization" header'),
-      );
-      expect(getHeader).toHaveBeenCalledTimes(1);
-      expect(getHeader).toHaveBeenLastCalledWith("Authorization");
-    });
-  });
-  describe("When the 'Authorization' header doesn't have a Bearer scheme", () => {
-    beforeEach(() => {
-      getHeader.mockReturnValue("Beerer FAKE_TOKEN");
-    });
-    it(`Throws a AuthorizationError with message = 'Missing a "Bearer" token in the "Authorization" header''`, async () => {
-      expect.assertions(3);
-      expect(() => getTokenFromHttpHeader(req)).toThrow(
-        new AuthorizationError(
-          'Missing a "Bearer" token in the "Authorization" header',
-        ),
-      );
-      expect(getHeader).toHaveBeenCalledTimes(1);
-      expect(getHeader).toHaveBeenLastCalledWith("Authorization");
-    });
-  });
-  describe("When the 'Authorization' Bearer scheme header doesn't have a token", () => {
-    beforeEach(() => {
-      getHeader.mockReturnValue("Bearer ");
-    });
-    it(`Throws a AuthorizationError with message = 'Missing a "Bearer" token in the "Authorization" header'`, async () => {
-      expect.assertions(3);
-      expect(() => getTokenFromHttpHeader(req)).toThrow(
-        new AuthorizationError(
-          'Missing a "Bearer" token in the "Authorization" header',
-        ),
-      );
-      expect(getHeader).toHaveBeenCalledTimes(1);
-      expect(getHeader).toHaveBeenLastCalledWith("Authorization");
-    });
-  });
-  describe("When the 'Authorization' Bearer scheme header has a token", () => {
-    beforeEach(() => {
-      getHeader.mockReturnValue("Bearer TOKEN");
-    });
-    it(`Returns the token`, async () => {
-      expect.assertions(3);
-      expect(getTokenFromHttpHeader(req)).toEqual("TOKEN");
-      expect(getHeader).toHaveBeenCalledTimes(1);
-      expect(getHeader).toHaveBeenLastCalledWith("Authorization");
-    });
-  });
-});