@magda/authentication-plugin-sdk 1.2.1-rc.0 → 1.3.0-rc.0

package/README.md

@@ -81,12 +81,13 @@ export declare function createOrGetUserToken(
 ): Promise<UserToken>;
 
 /**
- * Join `url` with `baseUrl` if `url` is not an absolute url
+ * Join `url` with `baseUrl` if `url` is not an absolute (full) url string
  *
  * @export
- * @param {string} url
- * @param {string} baseUrl
+ * @param {string} url A full url string or a url path string (/a/b/c).
+ * @param {string} baseUrl A baseUrl used to generate a full url when a url path string is supplied via the `url` parameter.
  * @param {{ [key: string]: string }} [optionalQueries]
+ * @param {string[]} [allowedUrlHosts] Optional; when specify, the host of `url` parameter will only be used if it is included by this list.
  * @returns
  */
 export declare function getAbsoluteUrl(
@@ -94,7 +95,8 @@ export declare function getAbsoluteUrl(
   baseUrl: string,
   optionalQueries?: {
     [key: string]: string;
-  }
+  },
+  allowedUrlHosts?: string[]
 ): string;
 
 export declare function redirectOnSuccess(

package/dist/index.d.ts

@@ -129,17 +129,18 @@ export declare const destroySession: typeof destroySession_2;
 declare function destroySession_2(req: express.Request): Promise<void>;
 
 /**
- * Join `url` with `baseUrl` if `url` is not an absolute url
+ * Join `url` with `baseUrl` if `url` is not an absolute (full) url string
  *
  * @export
- * @param {string} url
- * @param {string} baseUrl
+ * @param {string} url A full url string or a url path string (/a/b/c).
+ * @param {string} baseUrl A baseUrl used to generate a full url when a url path string is supplied via the `url` parameter.
  * @param {{ [key: string]: string }} [optionalQueries]
+ * @param {string[]} [allowedUrlHosts] Optional; when specify, the host of `url` parameter will only be used if it is included by this list.
  * @returns
  */
 export declare function getAbsoluteUrl(url: string, baseUrl: string, optionalQueries?: {
     [key: string]: string;
-}): string;
+}, allowedUrlHosts?: string[]): string;
 
 export declare function getSessionId(req: express.Request, secret?: string): string;
 

package/dist/index.js

@@ -10091,7 +10091,7 @@ function defineMethod(obj, name, fn) {
 var __WEBPACK_AMD_DEFINE_FACTORY__, __WEBPACK_AMD_DEFINE_ARRAY__, __WEBPACK_AMD_DEFINE_RESULT__;/*!
  * URI.js - Mutating URLs
  *
- * Version: 1.19.5
+ * Version: 1.19.11
  *
  * Author: Rodney Rehm
  * Web: http://medialize.github.io/URI.js/
@@ -10171,7 +10171,7 @@ var __WEBPACK_AMD_DEFINE_FACTORY__, __WEBPACK_AMD_DEFINE_ARRAY__, __WEBPACK_AMD_
     return /^[0-9]+$/.test(value);
   }
 
-  URI.version = '1.19.5';
+  URI.version = '1.19.11';
 
   var p = URI.prototype;
   var hasOwn = Object.prototype.hasOwnProperty;
@@ -10329,6 +10329,9 @@ var __WEBPACK_AMD_DEFINE_FACTORY__, __WEBPACK_AMD_DEFINE_ARRAY__, __WEBPACK_AMD_
     // balanced parens inclusion (), [], {}, <>
     parens: /(\([^\)]*\)|\[[^\]]*\]|\{[^}]*\}|<[^>]*>)/g,
   };
+  URI.leading_whitespace_expression = /^[\x00-\x20\u00a0\u1680\u2000-\u200a\u2028\u2029\u202f\u205f\u3000\ufeff]+/
+  // https://infra.spec.whatwg.org/#ascii-tab-or-newline
+  URI.ascii_tab_whitespace = /[\u0009\u000A\u000D]+/g
   // http://www.iana.org/assignments/uri-schemes.html
   // http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers#Well-known_ports
   URI.defaultPorts = {
@@ -10584,6 +10587,11 @@ var __WEBPACK_AMD_DEFINE_FACTORY__, __WEBPACK_AMD_DEFINE_ARRAY__, __WEBPACK_AMD_
         preventInvalidHostname: URI.preventInvalidHostname
       };
     }
+
+    string = string.replace(URI.leading_whitespace_expression, '')
+    // https://infra.spec.whatwg.org/#ascii-tab-or-newline
+    string = string.replace(URI.ascii_tab_whitespace, '')
+
     // [protocol"://"[username[":"password]"@"]hostname[":"port]"/"?][path]["?"querystring]["#"fragment]
 
     // extract fragment
@@ -10602,6 +10610,11 @@ var __WEBPACK_AMD_DEFINE_FACTORY__, __WEBPACK_AMD_DEFINE_ARRAY__, __WEBPACK_AMD_
       string = string.substring(0, pos);
     }
 
+    // slashes and backslashes have lost all meaning for the web protocols (https, http, wss, ws)
+    string = string.replace(/^(https?|ftp|wss?)?:+[/\\]*/i, '$1://');
+    // slashes and backslashes have lost all meaning for scheme relative URLs
+    string = string.replace(/^[/\\]{2,}/i, '//');
+
     // extract protocol
     if (string.substring(0, 2) === '//') {
       // relative-scheme
@@ -10616,7 +10629,7 @@ var __WEBPACK_AMD_DEFINE_FACTORY__, __WEBPACK_AMD_DEFINE_ARRAY__, __WEBPACK_AMD_
         if (parts.protocol && !parts.protocol.match(URI.protocol_expression)) {
           // : may be within the path
           parts.protocol = undefined;
-        } else if (string.substring(pos + 1, pos + 3) === '//') {
+        } else if (string.substring(pos + 1, pos + 3).replace(/\\/g, '/') === '//') {
           string = string.substring(pos + 3);
 
           // extract "user:pass@host:port"
@@ -10748,7 +10761,10 @@ var __WEBPACK_AMD_DEFINE_FACTORY__, __WEBPACK_AMD_DEFINE_ARRAY__, __WEBPACK_AMD_
       // no "=" is null according to http://dvcs.w3.org/hg/url/raw-file/tip/Overview.html#collect-url-parameters
       value = v.length ? URI.decodeQuery(v.join('='), escapeQuerySpace) : null;
 
-      if (hasOwn.call(items, name)) {
+      if (name === '__proto__') {
+        // ignore attempt at exploiting JavaScript internals
+        continue;
+      } else if (hasOwn.call(items, name)) {
         if (typeof items[name] === 'string' || items[name] === null) {
           items[name] = [items[name]];
         }
@@ -10841,7 +10857,10 @@ var __WEBPACK_AMD_DEFINE_FACTORY__, __WEBPACK_AMD_DEFINE_ARRAY__, __WEBPACK_AMD_
     var t = '';
     var unique, key, i, length;
     for (key in data) {
-      if (hasOwn.call(data, key)) {
+      if (key === '__proto__') {
+        // ignore attempt at exploiting JavaScript internals
+        continue;
+      } else if (hasOwn.call(data, key)) {
         if (isArray(data[key])) {
           unique = {};
           for (i = 0, length = data[key].length; i < length; i++) {
@@ -12969,7 +12988,7 @@ var __WEBPACK_AMD_DEFINE_FACTORY__, __WEBPACK_AMD_DEFINE_RESULT__;/*!
  * URI.js - Mutating URLs
  * IPv6 Support
  *
- * Version: 1.19.5
+ * Version: 1.19.11
  *
  * Author: Rodney Rehm
  * Web: http://medialize.github.io/URI.js/
@@ -13161,7 +13180,7 @@ var __WEBPACK_AMD_DEFINE_FACTORY__, __WEBPACK_AMD_DEFINE_RESULT__;/*!
  * URI.js - Mutating URLs
  * Second Level Domain (SLD) Support
  *
- * Version: 1.19.5
+ * Version: 1.19.11
  *
  * Author: Rodney Rehm
  * Web: http://medialize.github.io/URI.js/
@@ -29936,31 +29955,35 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 const urijs_1 = __importDefault(__webpack_require__(67));
 /**
- * Join `url` with `baseUrl` if `url` is not an absolute url
+ * Join `url` with `baseUrl` if `url` is not an absolute (full) url string
  *
  * @export
- * @param {string} url
- * @param {string} baseUrl
+ * @param {string} url A full url string or a url path string (/a/b/c).
+ * @param {string} baseUrl A baseUrl used to generate a full url when a url path string is supplied via the `url` parameter.
  * @param {{ [key: string]: string }} [optionalQueries]
+ * @param {string[]} [allowedUrlHosts] Optional; when specify, the host of `url` parameter will only be used if it is included by this list.
  * @returns
  */
-function getAbsoluteUrl(url, baseUrl, optionalQueries) {
+function getAbsoluteUrl(url, baseUrl, optionalQueries, allowedUrlHosts) {
     const uri = urijs_1.default(url);
-    if (uri.hostname()) {
-        // --- absolute url, return directly
-        return url;
-    }
-    else {
-        if (typeof baseUrl !== "string") {
-            baseUrl = "";
-        }
-        const baseUri = urijs_1.default(baseUrl);
-        const query = uri.search(true);
-        const mergedUri = baseUri.segmentCoded(baseUri.segmentCoded().concat(uri.segmentCoded()));
-        return mergedUri
-            .search(Object.assign(Object.assign({}, (query ? query : {})), (optionalQueries ? optionalQueries : {})))
-            .toString();
-    }
+    const urlHost = uri.host();
+    if (urlHost) {
+        // --- absolute url, return directly only if the urlHost is included by `allowedUrlHosts` (unless `allowedUrlHosts` is not supplied)
+        if (!allowedUrlHosts ||
+            allowedUrlHosts.findIndex((item) => item === urlHost) !== -1) {
+            return url;
+        }
+    }
+    // ignore url host of `host` if any and use `baseUrl` to create the final full url string
+    if (typeof baseUrl !== "string") {
+        baseUrl = "";
+    }
+    const baseUri = urijs_1.default(baseUrl);
+    const query = uri.search(true);
+    const mergedUri = baseUri.segmentCoded(baseUri.segmentCoded().concat(uri.segmentCoded()));
+    return mergedUri
+        .search(Object.assign(Object.assign({}, (query ? query : {})), (optionalQueries ? optionalQueries : {})))
+        .toString();
 }
 exports.default = getAbsoluteUrl;
 //# sourceMappingURL=getAbsoluteUrl.js.map

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@magda/authentication-plugin-sdk",
   "description": "MAGDA Authentication Plugin SDK",
-  "version": "1.2.1-rc.0",
+  "version": "1.3.0-rc.0",
   "scripts": {
     "prebuild": "rimraf dist tsconfig.tsbuildinfo",
     "build": "webpack && api-extractor run -l",
@@ -12,14 +12,14 @@
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "devDependencies": {
-    "@magda/auth-api-client": "^1.2.1-rc.0",
-    "@magda/typescript-common": "^1.2.1-rc.0",
+    "@magda/auth-api-client": "^1.3.0-rc.0",
+    "@magda/typescript-common": "^1.3.0-rc.0",
     "@types/express": "^4.17.6",
     "@types/express-session": "^1.15.15",
     "@types/lodash": "^4.14.74",
     "@types/passport": "^1.0.3",
     "@types/pg": "^6.1.41",
-    "@types/urijs": "1.19.13",
+    "@types/urijs": "^1.19.19",
     "ts-loader": "^6.2.1",
     "typescript": "^3.7.2",
     "webpack": "^4.41.2",
@@ -32,7 +32,7 @@
     "express-session": "^1.17.1",
     "lodash": "^4.17.4",
     "pg": "^6.4.0",
-    "urijs": "^1.19.4"
+    "urijs": "^1.19.11"
   },
   "magda": {
     "language": "typescript",