npm - @geolonia/geonicdb-sdk - Versions diffs - 0.4.0 → 0.6.0 - Mend

@geolonia/geonicdb-sdk 0.4.0 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/geonicdb.mjs CHANGED Viewed

@@ -314,11 +314,27 @@ function isCacheableMethod(method) {
 // src/sdk/auth.ts
 var _AuthManager = class _AuthManager {
-  constructor(baseUrl, apiKey, tenant, debug = false) {
+  constructor(baseUrl, apiKey, tenant, debug = false, anonymous = false) {
     __publicField(this, "_baseUrl");
     __publicField(this, "_apiKey");
     __publicField(this, "_tenant");
     __publicField(this, "_debug");
+    /**
+     * #1105: anonymous モード。true の場合、トークンを取得せず Authorization
+     * ヘッダ無しで送信する。サーバー側 (`optionalAuth`) で role='anonymous' として
+     * 通り、XACML が認可判定する。
+     *
+     * `_initialAnonymous` はコンストラクタで指定された希望モード (immutable)。
+     * `_anonymous` は現在のモード状態で、`login()` / `setCredentials()` で false
+     * に降り、`logout()` で `_initialAnonymous` の値に戻る。
+     *
+     * トークン有無 (`_token === null`) からは推論しない。`_token` は refresh
+     * 失敗時に null へ落ちるが、ユーザが明示的に `logout()` していない以上、
+     * 次のリクエストを勝手に Authorization ヘッダ無しで送ってはならない
+     * (#1113 review)。
+     */
+    __publicField(this, "_initialAnonymous");
+    __publicField(this, "_anonymous");
     __publicField(this, "_token", null);
     __publicField(this, "_tokenExpiry", 0);
     __publicField(this, "_tokenType", "Bearer");
@@ -339,11 +355,18 @@ var _AuthManager = class _AuthManager {
     __publicField(this, "_emitCacheEvent", null);
     /** In-flight request map keyed by `${METHOD}:${path}` for request deduplication. */
     __publicField(this, "_inFlight", /* @__PURE__ */ new Map());
+    if (anonymous && apiKey) {
+      throw new Error(
+        "GeonicDB SDK: `anonymous: true` cannot be combined with `apiKey`. Anonymous mode skips token acquisition entirely."
+      );
+    }
     this._baseUrl = baseUrl;
     this._apiKey = apiKey;
     this._tenant = tenant;
     this._debug = debug;
-    if (dpopSupported) {
+    this._initialAnonymous = anonymous;
+    this._anonymous = anonymous;
+    if (!anonymous && dpopSupported) {
       this._dpopReady = generateDPoPKeyPair().then((kp) => {
         this._dpopKeyPair = kp;
       }).catch(() => {
@@ -351,6 +374,16 @@ var _AuthManager = class _AuthManager {
       });
     }
   }
+  /**
+   * True when running unauthenticated.
+   *
+   * Returns the explicit mode flag, NOT derived from `_token === null`. After
+   * a refresh failure clears `_token`, the SDK must NOT silently switch to
+   * anonymous; the caller must explicitly `logout()` to revert (#1113 review).
+   */
+  isAnonymous() {
+    return this._anonymous;
+  }
   _log(...args) {
     if (this._debug) console.log("[GeonicDB]", ...args);
   }
@@ -389,6 +422,7 @@ var _AuthManager = class _AuthManager {
       );
     }
     const data = await res.json();
+    this._anonymous = false;
     this._token = data.accessToken;
     this._tokenExpiry = Date.now() + (data.expiresIn - 60) * 1e3;
     this._tokenType = "Bearer";
@@ -403,6 +437,12 @@ var _AuthManager = class _AuthManager {
    */
   setCredentials(opts) {
     if (!opts || !opts.token) throw new Error("token is required");
+    if (this._initialAnonymous && opts.tokenType === "DPoP") {
+      throw new Error(
+        "DPoP credentials cannot be set on an SDK instance constructed with `anonymous: true` (no DPoP key pair is generated for anonymous instances). Use Bearer credentials, or construct the SDK in non-anonymous mode."
+      );
+    }
+    this._anonymous = false;
     this._token = opts.token;
     this._tokenType = opts.tokenType || "Bearer";
     this._tokenExpiry = opts.expiresIn != null ? Date.now() + (opts.expiresIn - 60) * 1e3 : Date.now() + DEFAULT_TOKEN_TTL_SEC * 1e3;
@@ -416,6 +456,7 @@ var _AuthManager = class _AuthManager {
     this._tokenExpiry = 0;
     this._refreshToken = null;
     this._tokenPromise = null;
+    this._anonymous = this._initialAnonymous;
     this._invalidateAuthScopedState();
   }
   /**
@@ -428,7 +469,13 @@ var _AuthManager = class _AuthManager {
     this._cache?.clear();
     this._inFlight.clear();
   }
-  /** Ensure a valid token is available, refreshing or acquiring as needed. */
+  /**
+   * Ensure a valid token is available, refreshing or acquiring as needed.
+   *
+   * #1105: In anonymous mode (no apiKey, no Bearer credentials) this throws
+   * `AuthenticationError`. Callers that may run anonymously should branch on
+   * `isAnonymous()` first instead of calling `ensureToken()` blindly.
+   */
   async ensureToken() {
     if (this._token && Date.now() < this._tokenExpiry) {
       return this._token;
@@ -440,6 +487,16 @@ var _AuthManager = class _AuthManager {
       this._tokenPromise = this._refreshBearerToken();
       return this._tokenPromise;
     }
+    if (this._anonymous) {
+      throw new AuthenticationError(
+        "Anonymous mode: no token available. Call login() or setCredentials() to authenticate."
+      );
+    }
+    if (!this._apiKey) {
+      throw new AuthenticationError(
+        "No authentication method available. Call login() / setCredentials() to authenticate, or construct the SDK with an apiKey."
+      );
+    }
     this._tokenPromise = this._acquireTokenViaPow();
     return this._tokenPromise;
   }
@@ -560,7 +617,7 @@ var _AuthManager = class _AuthManager {
   async request(method, path, body) {
     this._log(method, path);
     if (!this._cache || !isCacheableMethod(method) || body !== void 0) {
-      const token = await this.ensureToken();
+      const token = this.isAnonymous() ? null : await this.ensureToken();
       const res = await this._doAuthenticatedRequest(method, path, body, token);
       this._log(method, path, "\u2192", res.status);
       return res;
@@ -581,14 +638,14 @@ var _AuthManager = class _AuthManager {
   async _cachedRequest(method, path, key) {
     const cache = this._cache;
     if (!cache) {
-      const token2 = await this.ensureToken();
+      const token2 = this.isAnonymous() ? null : await this.ensureToken();
       return this._doAuthenticatedRequest(method, path, void 0, token2);
     }
     const cached = cache.get(key);
     const conditional = {};
     if (cached?.etag) conditional["If-None-Match"] = cached.etag;
     if (cached?.lastModified) conditional["If-Modified-Since"] = cached.lastModified;
-    const token = await this.ensureToken();
+    const token = this.isAnonymous() ? null : await this.ensureToken();
     const res = await this._doAuthenticatedRequest(method, path, void 0, token, 0, conditional);
     this._log(method, path, "\u2192", res.status);
     if (res.status === 304 && cached) {
@@ -629,11 +686,19 @@ var _AuthManager = class _AuthManager {
     return res;
   }
   async _doAuthenticatedRequest(method, path, body, token, retryCount = 0, extraHeaders = {}) {
+    if (this._tokenType === "DPoP" && token !== null) {
+      if (this._dpopReady) await this._dpopReady;
+      if (!this._dpopKeyPair) {
+        throw new AuthenticationError(
+          "DPoP credentials require a generated DPoP key pair, but key generation was unavailable or failed."
+        );
+      }
+    }
     const url = this._baseUrl + path;
-    const isDPoP = this._tokenType === "DPoP" && !!this._dpopKeyPair;
+    const isDPoP = this._tokenType === "DPoP" && !!this._dpopKeyPair && token !== null;
     const bodyStr = body !== void 0 ? JSON.stringify(body) : void 0;
     const doRequest = async (reqToken, dpopNonce) => {
-      const reqIsDPoP = this._tokenType === "DPoP" && !!this._dpopKeyPair;
+      const reqIsDPoP = this._tokenType === "DPoP" && !!this._dpopKeyPair && reqToken !== null;
       const dpopProof = reqIsDPoP ? await createDPoPProof(
         this._dpopKeyPair,
         method,
@@ -642,11 +707,13 @@ var _AuthManager = class _AuthManager {
         dpopNonce
       ) : null;
       const headers = {
-        Authorization: (reqIsDPoP ? "DPoP " : "Bearer ") + reqToken,
         "Content-Type": "application/ld+json",
         Accept: "application/ld+json",
         ...extraHeaders
       };
+      if (reqToken !== null) {
+        headers["Authorization"] = (reqIsDPoP ? "DPoP " : "Bearer ") + reqToken;
+      }
       if (dpopProof) headers["DPoP"] = dpopProof;
       if (this._tenant) headers["Fiware-Service"] = this._tenant;
       return fetch(url, { method, headers, body: bodyStr });
@@ -656,11 +723,12 @@ var _AuthManager = class _AuthManager {
     const previousNonce = this._dpopNonce;
     const newNonce = res.headers.get("DPoP-Nonce");
     if (newNonce) this._dpopNonce = newNonce;
+    const canRetry401 = currentToken !== null;
     if (res.status === 401 && isDPoP && newNonce && newNonce !== previousNonce) {
       res = await doRequest(currentToken, newNonce);
       const rn = res.headers.get("DPoP-Nonce");
       if (rn) this._dpopNonce = rn;
-      if (res.status === 401) {
+      if (res.status === 401 && canRetry401) {
         this._token = null;
         this._tokenPromise = null;
         currentToken = await this.ensureToken();
@@ -668,7 +736,7 @@ var _AuthManager = class _AuthManager {
         const fn = res.headers.get("DPoP-Nonce");
         if (fn) this._dpopNonce = fn;
       }
-    } else if (res.status === 401) {
+    } else if (res.status === 401 && canRetry401) {
       this._token = null;
       this._tokenPromise = null;
       currentToken = await this.ensureToken();
@@ -717,6 +785,13 @@ var WebSocketManager = class {
   }
   /** Establish WebSocket connection (authentication is automatic). */
   async connect() {
+    if (this._auth.isAnonymous()) {
+      const err = new Error(
+        "WebSocket connect() is not supported in anonymous mode. Authenticate via login() or setCredentials() before connect()."
+      );
+      this._emit("error", err);
+      throw err;
+    }
     if (this._reconnectTimer) {
       clearTimeout(this._reconnectTimer);
       this._reconnectTimer = null;
@@ -952,7 +1027,7 @@ var GeonicDB = class extends EventEmitter {
       if (!tenant) tenant = script?.getAttribute?.("data-tenant") || "";
       if (!baseUrl) baseUrl = script?.getAttribute?.("data-base-url") || "";
     }
-    this._auth = new AuthManager(baseUrl, apiKey, tenant, opts.debug);
+    this._auth = new AuthManager(baseUrl, apiKey, tenant, opts.debug, opts.anonymous);
     this._auth.onTokenRefresh = (creds) => {
       this.onTokenRefresh?.(creds);
       this.emit("tokenRefresh", creds);
@@ -968,44 +1043,39 @@ var GeonicDB = class extends EventEmitter {
       tenant,
       (event, data) => {
         this.emit(event, data);
-        if (event === "entityCreated" || event === "entityUpdated" || event === "entityDeleted") {
-          this._invalidateCacheForEntityEvent(data);
-        }
       },
       opts.wsEndpoint
     );
   }
   /**
-   * Drop cache entries that may have been affected by an entity change.
+   * Drop every cached response. Useful in tests and on manual auth changes.
    *
-   * The SDK does not know which lists exactly contain the entity, so the
-   * conservative strategy is to drop all NGSI-LD / NGSIv2 entity-related
-   * paths. ETag re-validation on the next read brings the data back in one
-   * round trip with `If-None-Match`, so this remains efficient even when
-   * over-invalidating.
+   * Emits a `cacheInvalidated` event for each removed entry so listeners can
+   * track explicit flushes (the WebSocket-driven auto-invalidation was removed
+   * in #1060 to preserve the ETag/304 revalidation path; `clearCache()` is now
+   * the only path that emits this event).
    */
-  _invalidateCacheForEntityEvent(event) {
+  clearCache() {
     const cache = this._auth.getCache();
     if (!cache) return;
-    const entityId = event?.entityId;
-    const removed = cache.deleteWhere((key) => {
-      if (key.includes("/ngsi-ld/v1/entities") || key.includes("/v2/entities")) return true;
-      if (entityId && key.includes(entityId)) return true;
-      return false;
-    });
+    const removed = cache.deleteWhere(() => true);
     for (const key of removed) {
       this._auth.emitCacheEvent("cacheInvalidated", { key, path: key.split(":").slice(1).join(":") });
     }
   }
-  /** Drop every cached response. Useful in tests and on manual auth changes. */
-  clearCache() {
-    this._auth.getCache()?.clear();
-  }
   // --- Authentication ---
   /** Login with email and password (Bearer JWT). */
   async login(email, password) {
     return this._auth.login(email, password);
   }
+  /**
+   * Whether the SDK is currently operating in anonymous mode (no token held).
+   * Returns true only when `anonymous: true` was passed to the constructor
+   * AND no credentials have been set via `login()` / `setCredentials()`.
+   */
+  isAnonymous() {
+    return this._auth.isAnonymous();
+  }
   /**
    * Set credentials externally (e.g. from a login API response).
    * When tokenType is 'Bearer' with a refreshToken, DPoP/PoW is bypassed entirely.