npm - @magda/authentication-plugin-sdk - Versions diffs - 2.0.0-alpha.1 → 2.0.0-alpha.2 - Mend

@magda/authentication-plugin-sdk 2.0.0-alpha.1 → 2.0.0-alpha.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -81,12 +81,13 @@ export declare function createOrGetUserToken(
 ): Promise<UserToken>;
 /**
- * Join `url` with `baseUrl` if `url` is not an absolute url
+ * Join `url` with `baseUrl` if `url` is not an absolute (full) url string
  *
  * @export
- * @param {string} url
- * @param {string} baseUrl
+ * @param {string} url A full url string or a url path string (/a/b/c).
+ * @param {string} baseUrl A baseUrl used to generate a full url when a url path string is supplied via the `url` parameter.
  * @param {{ [key: string]: string }} [optionalQueries]
+ * @param {string[]} [allowedUrlHosts] Optional; when specify, the host of `url` parameter will only be used if it is included by this list.
  * @returns
  */
 export declare function getAbsoluteUrl(
@@ -94,7 +95,8 @@ export declare function getAbsoluteUrl(
   baseUrl: string,
   optionalQueries?: {
     [key: string]: string;
-  }
+  },
+  allowedUrlHosts?: string[]
 ): string;
 export declare function redirectOnSuccess(

package/dist/index.d.ts CHANGED Viewed

@@ -129,18 +129,18 @@ export declare const destroySession: typeof destroySession_2;
 declare function destroySession_2(req: express.Request): Promise<void>;
 /**
- * Join `url` with `baseUrl` if `url` is not an absolute url
+ * Join `url` with `baseUrl` if `url` is not an absolute (full) url string
  *
  * @export
- * @param {string} url
- * @param {string} baseUrl
- * @param {{ [key: string]: any }} [optionalQueries] optional extra query parameters to add to the result url.
- * All values supplied will be converted into string before encoded into the url.
+ * @param {string} url A full url string or a url path string (/a/b/c).
+ * @param {string} baseUrl A baseUrl used to generate a full url when a url path string is supplied via the `url` parameter.
+ * @param {{ [key: string]: string }} [optionalQueries]
+ * @param {string[]} [allowedUrlHosts] Optional; when specify, the host of `url` parameter will only be used if it is included by this list.
  * @returns
  */
 export declare function getAbsoluteUrl(url: string, baseUrl: string, optionalQueries?: {
-    [key: string]: any;
-}): string;
+    [key: string]: string;
+}, allowedUrlHosts?: string[]): string;
 export declare function getSessionId(req: express.Request, secret?: string): string;

package/dist/index.js CHANGED Viewed

@@ -9237,7 +9237,7 @@ function defineMethod(obj, name, fn) {
 var __WEBPACK_AMD_DEFINE_FACTORY__, __WEBPACK_AMD_DEFINE_ARRAY__, __WEBPACK_AMD_DEFINE_RESULT__;/*!
  * URI.js - Mutating URLs
  *
- * Version: 1.19.5
+ * Version: 1.19.11
  *
  * Author: Rodney Rehm
  * Web: http://medialize.github.io/URI.js/
@@ -9317,7 +9317,7 @@ var __WEBPACK_AMD_DEFINE_FACTORY__, __WEBPACK_AMD_DEFINE_ARRAY__, __WEBPACK_AMD_
     return /^[0-9]+$/.test(value);
   }
-  URI.version = '1.19.5';
+  URI.version = '1.19.11';
   var p = URI.prototype;
   var hasOwn = Object.prototype.hasOwnProperty;
@@ -9475,6 +9475,9 @@ var __WEBPACK_AMD_DEFINE_FACTORY__, __WEBPACK_AMD_DEFINE_ARRAY__, __WEBPACK_AMD_
     // balanced parens inclusion (), [], {}, <>
     parens: /(\([^\)]*\)|\[[^\]]*\]|\{[^}]*\}|<[^>]*>)/g,
   };
+  URI.leading_whitespace_expression = /^[\x00-\x20\u00a0\u1680\u2000-\u200a\u2028\u2029\u202f\u205f\u3000\ufeff]+/
+  // https://infra.spec.whatwg.org/#ascii-tab-or-newline
+  URI.ascii_tab_whitespace = /[\u0009\u000A\u000D]+/g
   // http://www.iana.org/assignments/uri-schemes.html
   // http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers#Well-known_ports
   URI.defaultPorts = {
@@ -9730,6 +9733,11 @@ var __WEBPACK_AMD_DEFINE_FACTORY__, __WEBPACK_AMD_DEFINE_ARRAY__, __WEBPACK_AMD_
         preventInvalidHostname: URI.preventInvalidHostname
       };
     }
+    string = string.replace(URI.leading_whitespace_expression, '')
+    // https://infra.spec.whatwg.org/#ascii-tab-or-newline
+    string = string.replace(URI.ascii_tab_whitespace, '')
     // [protocol"://"[username[":"password]"@"]hostname[":"port]"/"?][path]["?"querystring]["#"fragment]
     // extract fragment
@@ -9748,6 +9756,11 @@ var __WEBPACK_AMD_DEFINE_FACTORY__, __WEBPACK_AMD_DEFINE_ARRAY__, __WEBPACK_AMD_
       string = string.substring(0, pos);
     }
+    // slashes and backslashes have lost all meaning for the web protocols (https, http, wss, ws)
+    string = string.replace(/^(https?|ftp|wss?)?:+[/\\]*/i, '$1://');
+    // slashes and backslashes have lost all meaning for scheme relative URLs
+    string = string.replace(/^[/\\]{2,}/i, '//');
     // extract protocol
     if (string.substring(0, 2) === '//') {
       // relative-scheme
@@ -9762,7 +9775,7 @@ var __WEBPACK_AMD_DEFINE_FACTORY__, __WEBPACK_AMD_DEFINE_ARRAY__, __WEBPACK_AMD_
         if (parts.protocol && !parts.protocol.match(URI.protocol_expression)) {
           // : may be within the path
           parts.protocol = undefined;
-        } else if (string.substring(pos + 1, pos + 3) === '//') {
+        } else if (string.substring(pos + 1, pos + 3).replace(/\\/g, '/') === '//') {
           string = string.substring(pos + 3);
           // extract "user:pass@host:port"
@@ -9894,7 +9907,10 @@ var __WEBPACK_AMD_DEFINE_FACTORY__, __WEBPACK_AMD_DEFINE_ARRAY__, __WEBPACK_AMD_
       // no "=" is null according to http://dvcs.w3.org/hg/url/raw-file/tip/Overview.html#collect-url-parameters
       value = v.length ? URI.decodeQuery(v.join('='), escapeQuerySpace) : null;
-      if (hasOwn.call(items, name)) {
+      if (name === '__proto__') {
+        // ignore attempt at exploiting JavaScript internals
+        continue;
+      } else if (hasOwn.call(items, name)) {
         if (typeof items[name] === 'string' || items[name] === null) {
           items[name] = [items[name]];
         }
@@ -9987,7 +10003,10 @@ var __WEBPACK_AMD_DEFINE_FACTORY__, __WEBPACK_AMD_DEFINE_ARRAY__, __WEBPACK_AMD_
     var t = '';
     var unique, key, i, length;
     for (key in data) {
-      if (hasOwn.call(data, key)) {
+      if (key === '__proto__') {
+        // ignore attempt at exploiting JavaScript internals
+        continue;
+      } else if (hasOwn.call(data, key)) {
         if (isArray(data[key])) {
           unique = {};
           for (i = 0, length = data[key].length; i < length; i++) {
@@ -12115,7 +12134,7 @@ var __WEBPACK_AMD_DEFINE_FACTORY__, __WEBPACK_AMD_DEFINE_RESULT__;/*!
  * URI.js - Mutating URLs
  * IPv6 Support
  *
- * Version: 1.19.5
+ * Version: 1.19.11
  *
  * Author: Rodney Rehm
  * Web: http://medialize.github.io/URI.js/
@@ -12307,7 +12326,7 @@ var __WEBPACK_AMD_DEFINE_FACTORY__, __WEBPACK_AMD_DEFINE_RESULT__;/*!
  * URI.js - Mutating URLs
  * Second Level Domain (SLD) Support
  *
- * Version: 1.19.5
+ * Version: 1.19.11
  *
  * Author: Rodney Rehm
  * Web: http://medialize.github.io/URI.js/
@@ -26628,32 +26647,35 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 const urijs_1 = __importDefault(__webpack_require__(61));
 /**
- * Join `url` with `baseUrl` if `url` is not an absolute url
+ * Join `url` with `baseUrl` if `url` is not an absolute (full) url string
  *
  * @export
- * @param {string} url
- * @param {string} baseUrl
- * @param {{ [key: string]: any }} [optionalQueries] optional extra query parameters to add to the result url.
- * All values supplied will be converted into string before encoded into the url.
+ * @param {string} url A full url string or a url path string (/a/b/c).
+ * @param {string} baseUrl A baseUrl used to generate a full url when a url path string is supplied via the `url` parameter.
+ * @param {{ [key: string]: string }} [optionalQueries]
+ * @param {string[]} [allowedUrlHosts] Optional; when specify, the host of `url` parameter will only be used if it is included by this list.
  * @returns
  */
-function getAbsoluteUrl(url, baseUrl, optionalQueries) {
+function getAbsoluteUrl(url, baseUrl, optionalQueries, allowedUrlHosts) {
     const uri = urijs_1.default(url);
-    if (uri.hostname()) {
-        // --- absolute url, return directly
-        return url;
-    }
-    else {
-        if (typeof baseUrl !== "string") {
-            baseUrl = "";
-        }
-        const baseUri = urijs_1.default(baseUrl);
-        const query = uri.search(true);
-        const mergedUri = baseUri.segmentCoded(baseUri.segmentCoded().concat(uri.segmentCoded()));
-        return mergedUri
-            .search(Object.assign(Object.assign({}, (query ? query : {})), (optionalQueries ? optionalQueries : {})))
-            .toString();
-    }
+    const urlHost = uri.host();
+    if (urlHost) {
+        // --- absolute url, return directly only if the urlHost is included by `allowedUrlHosts` (unless `allowedUrlHosts` is not supplied)
+        if (!allowedUrlHosts ||
+            allowedUrlHosts.findIndex((item) => item === urlHost) !== -1) {
+            return url;
+        }
+    }
+    // ignore url host of `host` if any and use `baseUrl` to create the final full url string
+    if (typeof baseUrl !== "string") {
+        baseUrl = "";
+    }
+    const baseUri = urijs_1.default(baseUrl);
+    const query = uri.search(true);
+    const mergedUri = baseUri.segmentCoded(baseUri.segmentCoded().concat(uri.segmentCoded()));
+    return mergedUri
+        .search(Object.assign(Object.assign({}, (query ? query : {})), (optionalQueries ? optionalQueries : {})))
+        .toString();
 }
 exports.default = getAbsoluteUrl;
 //# sourceMappingURL=getAbsoluteUrl.js.map

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@magda/authentication-plugin-sdk",
   "description": "MAGDA Authentication Plugin SDK",
-  "version": "2.0.0-alpha.1",
+  "version": "2.0.0-alpha.2",
   "scripts": {
     "prebuild": "rimraf dist tsconfig.tsbuildinfo",
     "build": "webpack && api-extractor run -l",
@@ -12,14 +12,14 @@
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "devDependencies": {
-    "@magda/auth-api-client": "^2.0.0-alpha.1",
-    "@magda/typescript-common": "^2.0.0-alpha.1",
+    "@magda/auth-api-client": "^2.0.0-alpha.2",
+    "@magda/typescript-common": "^2.0.0-alpha.2",
     "@types/express": "^4.17.6",
     "@types/express-session": "^1.15.15",
     "@types/lodash": "^4.14.74",
     "@types/passport": "^1.0.3",
-    "@types/pg": "^6.1.41",
-    "@types/urijs": "1.19.13",
+    "@types/pg": "^7.14.4",
+    "@types/urijs": "^1.19.19",
     "ts-loader": "^6.2.1",
     "typescript": "^3.7.2",
     "webpack": "^4.41.2",
@@ -31,8 +31,8 @@
     "express": "^4.17.1",
     "express-session": "^1.17.1",
     "lodash": "^4.17.4",
-    "pg": "^6.4.0",
-    "urijs": "^1.19.4"
+    "pg": "^7.18.2",
+    "urijs": "^1.19.11"
   },
   "magda": {
     "language": "typescript",