@mimik/api-helper 3.0.1 → 3.0.3

package/README.md

@@ -39,19 +39,19 @@ import { apiSetup, securityLib, getAPIFile, validateSecuritySchemes, extractProp
 <a name="module_api-helper..apiSetup"></a>
 
 ### api-helper~apiSetup(setup, registeredOperations, securityHandlers, extraFormats, config, correlationId) ⇒ <code>Promise.&lt;object&gt;</code>
-Setup the API to be used for a service
+Set up the API to be used for a service
 
 **Kind**: inner method of [<code>api-helper</code>](#module_api-helper)  
-**Returns**: <code>Promise.&lt;object&gt;</code> - The API file itself.  
+**Returns**: <code>Promise.&lt;object&gt;</code> - The initialized OpenAPIBackend instance.  
 **Category**: async  
 **Throws**:
 
-- <code>Promise</code> An error is thrown if the initialization failed.
+- <code>Error</code> Rejects with an error if the initialization failed.
 
 The following scheme names are reserved: `SystemSecurity`, `AdminSecurity`, `UserSecurity`, `PeerSecurity`, `ApiKeySecurity`.
 The following security schemes can be defaulted: `SystemSecurity`, `AdminSecurity`, `UserSecurity`, `ApiKeySecurity`.
 The secOptions in the options property passed when using `init` allows the following operations:
-- introduce a customer security scheme, in this case secOptions contains: { newSecurityScheme: {function}newSecurityHandler },
+- introduce a custom security scheme, in this case secOptions contains: { newSecurityScheme: {function}newSecurityHandler },
 - disable a security scheme that is defined in the swagger API, in this case secOptions contains: { securitySchemeToDisable: { {boolean}notEnabled: true } },
 - overwrite an existing security scheme, in this case secOptions contains: { securitySchemeToOverwrite: {function}newSecurityHandler }.
 If the secOptions is not present either to introduce, disable or overwrite a security scheme that is present in the swagger API file an error is generated.
@@ -64,23 +64,26 @@ The default formats for validation are: `date`, `time`, `date-time`, `byte`, `uu
 | Param | Type | Description |
 | --- | --- | --- |
 | setup | <code>object</code> | Object containing the apiFilename and the existing security schemes in the API definition. |
-| registeredOperations | <code>object</code> | List of the operation to register for the API. |
-| securityHandlers | <code>object</code> | List of the security handlers to add for the service. |
-| extraFormats | <code>object</code> | list of the formats to add for validating properties. |
+| setup.apiFilename | [<code>PATH</code>](#PATH) | Path to the resolved API definition file. |
+| setup.existingSecuritySchemes | <code>Array.&lt;string&gt;</code> | Known security scheme names present in the API definition. |
+| setup.definedSecuritySchemes | <code>Array.&lt;string&gt;</code> | All security scheme names defined in the API definition. |
+| registeredOperations | <code>object</code> | Map of operationId to handler function to register for the API. |
+| securityHandlers | <code>object</code> | Map of security scheme name to handler object to add for the service. |
+| extraFormats | <code>object</code> | Map of format name to format definition for validating properties. Each entry is either an empty object (to use a built-in ajv-formats format) or an object with `type` and `validate` properties (to define a custom format). |
 | config | <code>object</code> | Configuration of the service. |
 | correlationId | [<code>UUID</code>](#UUID) | CorrelationId when logging activities. |
 
 <a name="module_api-helper..getAPIFile"></a>
 
 ### api-helper~getAPIFile(apiFilename, correlationId, options) ⇒ <code>Promise.&lt;object&gt;</code>
-Gets the API file from swaggerhub and stores it in the given PATH location.
+Gets and resolves the API definition, loading from local file, Bitbucket, or SwaggerHub, and stores it in the given PATH location.
 
 **Kind**: inner method of [<code>api-helper</code>](#module_api-helper)  
 **Returns**: <code>Promise.&lt;object&gt;</code> - The API file itself.  
 **Category**: async  
 **Throws**:
 
-- <code>Promise</code> An error is thrown if the apiFilename resolution generates an error or the request to the API provider fails or the file cannot be saved.
+- <code>Error</code> Rejects with an error if the apiFilename resolution generates an error or the request to the API provider fails or the file cannot be saved.
 
 `apiInfo` options has the following format:
 ``` javascript
@@ -105,14 +108,14 @@ Gets the API file from swaggerhub and stores it in the given PATH location.
 <a name="module_api-helper..setupServerFiles"></a>
 
 ### api-helper~setupServerFiles(apiFilename, controllersDirectory, buildDirectory, correlationId, options) ⇒ <code>Promise.&lt;object&gt;</code>
-Setup and validates files for the server
+Sets up and validates files for the server
 
 **Kind**: inner method of [<code>api-helper</code>](#module_api-helper)  
 **Returns**: <code>Promise.&lt;object&gt;</code> - The API file, the API filename, the existing known security schemes and the defined security schemes.  
 **Category**: async  
 **Throws**:
 
-- <code>Promise</code> An error is thrown for many reasons associated with getAPIFile or validateSecuritySchemes or extractProperties.
+- <code>Error</code> Rejects with an error for many reasons associated with getAPIFile or validateSecuritySchemes or extractProperties.
 
 **Requires**: <code>module:@mimik/request-retry</code>, <code>module:@mimik/response-helper</code>, <code>module:@mimik/sumologic-winston-logger</code>, <code>module:fs</code>, <code>module:js-yaml</code>, <code>module:path</code>  
 
@@ -127,16 +130,16 @@ Setup and validates files for the server
 <a name="module_api-helper..securityLib"></a>
 
 ### api-helper~securityLib(config) ⇒ <code>object</code>
-Implement the security flows for the API.
+Implements the security flows for the API.
 
 **Kind**: inner method of [<code>api-helper</code>](#module_api-helper)  
 **Returns**: <code>object</code> - An object containing `SystemSecurity`, `AdminSecurity`, `UserSecurity`, and `ApiKeySecurity` handlers.
 
-This function is used to setup the following security handlers for the API:
-- `SystemSecurity` - used for the system operations, like /system, /onbehalf
-- `AdminSecurity` - used for the admin operations, like /admin,
-- `UserSecurity` - used for the user operations, like /user,
-- `ApiKeySecurity` - used for the API key operations, like /apikey,
+This function is used to set up the following security handlers for the API:
+- `SystemSecurity` - used for system-to-system operations, validates client credentials tokens.
+- `AdminSecurity` - used for admin operations, validates admin/subAdmin client credentials tokens.
+- `UserSecurity` - used for user operations, validates implicit flow tokens.
+- `ApiKeySecurity` - used for API key authenticated operations, validates API keys from headers.
 The security handlers are used to validate the tokens and scopes for the API operations.  
 **Category**: sync  
 **Requires**: <code>module:@mimik/swagger-helper</code>, <code>module:jsonwebtoken</code>  
@@ -155,7 +158,7 @@ Validates the known SecuritySchemes: `SystemSecurity`, `AdminSecurity`, `UserSec
 **Category**: sync  
 **Throws**:
 
-- An error is thrown if a validation fails.
+- <code>Error</code> An error is thrown if a validation fails.
 
 **Requires**: <code>module:@mimik/sumologic-winston-logger</code>, <code>module:@mimik/response-helper</code>  
 
@@ -167,13 +170,13 @@ Validates the known SecuritySchemes: `SystemSecurity`, `AdminSecurity`, `UserSec
 <a name="module_api-helper..extractProperties"></a>
 
 ### api-helper~extractProperties(apiDefinition, controllersDirectory, buildDirectory, correlationId) ⇒ <code>void</code>
-Extracts the properties from API definition and creates a file binding the handler with the controller operations.
+Extracts the properties from API definition and creates a `register.js` file in the build directory binding the handler with the controller operations.
 
 **Kind**: inner method of [<code>api-helper</code>](#module_api-helper)  
 **Category**: sync  
 **Throws**:
 
-- An error is thrown for many reasons, like operationId does not exist in controllers, controller does not exist...
+- <code>Error</code> An error is thrown for many reasons, like operationId does not exist in controllers, controller does not exist...
 
 **Requires**: <code>module:@mimik/response-helper</code>, <code>module:@mimik/sumologic-winston-logger</code>, <code>module:fs</code>  
 

package/index.js

@@ -62,7 +62,7 @@ const API_VERSION_INDEX = 2;
 const POSTFIX_INDEX = 3;
 /**
  *
- * Implement the security flows for the API.
+ * Implements the security flows for the API.
  *
  * @function securityLib
  * @category sync
@@ -71,37 +71,40 @@ const POSTFIX_INDEX = 3;
  * @param {object} config - Configuration of the service.
  * @return {object} An object containing `SystemSecurity`, `AdminSecurity`, `UserSecurity`, and `ApiKeySecurity` handlers.
  *
- * This function is used to setup the following security handlers for the API:
- * - `SystemSecurity` - used for the system operations, like /system, /onbehalf
- * - `AdminSecurity` - used for the admin operations, like /admin,
- * - `UserSecurity` - used for the user operations, like /user,
- * - `ApiKeySecurity` - used for the API key operations, like /apikey,
+ * This function is used to set up the following security handlers for the API:
+ * - `SystemSecurity` - used for system-to-system operations, validates client credentials tokens.
+ * - `AdminSecurity` - used for admin operations, validates admin/subAdmin client credentials tokens.
+ * - `UserSecurity` - used for user operations, validates implicit flow tokens.
+ * - `ApiKeySecurity` - used for API key authenticated operations, validates API keys from headers.
  * The security handlers are used to validate the tokens and scopes for the API operations.
  */
 export { securityLib };
 
 /**
  *
- * Setup the API to be used for a service
+ * Set up the API to be used for a service
  *
  * @function apiSetup
  * @category async
  * @requires @mimik/response-helper
  * @requires @mimik/sumologic-winston-logger
  * @requires openapi-backend
- * @param {object} setup -  Object containing the apiFilename and the existing security schemes in the API definition.
- * @param {object} registeredOperations - List of the operation to register for the API.
- * @param {object} securityHandlers - List of the security handlers to add for the service.
- * @param {object} extraFormats - list of the formats to add for validating properties.
+ * @param {object} setup - Object containing the apiFilename and the existing security schemes in the API definition.
+ * @param {PATH} setup.apiFilename - Path to the resolved API definition file.
+ * @param {Array.<string>} setup.existingSecuritySchemes - Known security scheme names present in the API definition.
+ * @param {Array.<string>} setup.definedSecuritySchemes - All security scheme names defined in the API definition.
+ * @param {object} registeredOperations - Map of operationId to handler function to register for the API.
+ * @param {object} securityHandlers - Map of security scheme name to handler object to add for the service.
+ * @param {object} extraFormats - Map of format name to format definition for validating properties. Each entry is either an empty object (to use a built-in ajv-formats format) or an object with `type` and `validate` properties (to define a custom format).
  * @param {object} config - Configuration of the service.
  * @param {UUID} correlationId - CorrelationId when logging activities.
- * @return {Promise.<object>} The API file itself.
- * @throws {Promise} An error is thrown if the initialization failed.
+ * @return {Promise.<object>} The initialized OpenAPIBackend instance.
+ * @throws {Error} Rejects with an error if the initialization failed.
  *
  * The following scheme names are reserved: `SystemSecurity`, `AdminSecurity`, `UserSecurity`, `PeerSecurity`, `ApiKeySecurity`.
  * The following security schemes can be defaulted: `SystemSecurity`, `AdminSecurity`, `UserSecurity`, `ApiKeySecurity`.
  * The secOptions in the options property passed when using `init` allows the following operations:
- * - introduce a customer security scheme, in this case secOptions contains: { newSecurityScheme: {function}newSecurityHandler },
+ * - introduce a custom security scheme, in this case secOptions contains: { newSecurityScheme: {function}newSecurityHandler },
  * - disable a security scheme that is defined in the swagger API, in this case secOptions contains: { securitySchemeToDisable: { {boolean}notEnabled: true } },
  * - overwrite an existing security scheme, in this case secOptions contains: { securitySchemeToOverwrite: {function}newSecurityHandler }.
  * If the secOptions is not present either to introduce, disable or overwrite a security scheme that is present in the swagger API file an error is generated.
@@ -132,7 +135,7 @@ export const apiSetup = (setup, registeredOperations, securityHandlers, extraFor
   let mode;
 
   api.register(registeredOperations);
-  if (config && (config.nodeEnvironment.toLowerCase() !== LOCAL || config.serverSettings.securitySet === SET_ON)) {
+  if (config.nodeEnvironment.toLowerCase() !== LOCAL || config.serverSettings.securitySet === SET_ON) {
     mode = SECURITY_ON;
   }
   else {
@@ -160,7 +163,7 @@ export const apiSetup = (setup, registeredOperations, securityHandlers, extraFor
     if (unusedSecuritySchemes.length !== EMPTY) throw getRichError('System', 'unused handlers for security schemes', { unusedSecuritySchemes });
 
     remainingSecurities.forEach((securityScheme) => {
-      if (!securityHandlerNames.includes(securityScheme) && !securityHandlers[securityScheme]?.notEnabled) {
+      if (!securityHandlerNames.includes(securityScheme)) {
         throw getRichError('System', 'missing handler for security scheme', { securityScheme });
       }
     });
@@ -173,7 +176,7 @@ export const apiSetup = (setup, registeredOperations, securityHandlers, extraFor
   else if (remainingSecurities.length !== EMPTY) throw getRichError('System', 'missing handlers for security schemes', { missingSecuritySchemes: remainingSecurities });
   return api.init()
     .catch((err) => {
-      throw getRichError('System', 'could not initialize the api', { api }, err);
+      throw getRichError('System', 'could not initialize the api', { apiFilename }, err);
     })
     .then(() => api);
 };
@@ -236,7 +239,7 @@ const buildProviderRequest = (params, apiInfo, apiFilename) => {
 
 /**
  *
- * Gets the API file from swaggerhub and stores it in the given PATH location.
+ * Gets and resolves the API definition, loading from local file, Bitbucket, or SwaggerHub, and stores it in the given PATH location.
  *
  * @function getAPIFile
  * @category async
@@ -246,11 +249,11 @@ const buildProviderRequest = (params, apiInfo, apiFilename) => {
  * @requires fs
  * @requires js-yaml
  * @requires path
- * @param {PATH} apiFilename -  Name of the file where the API file will be stored.
+ * @param {PATH} apiFilename - Name of the file where the API file will be stored.
  * @param {UUID} correlationId - CorrelationId when logging activities.
  * @param {object} options - Options associated with the call. Use to pass `metrics` to `rpRetry` and `apiInfo` to access the api file in the api provider.
  * @return {Promise.<object>} The API file itself.
- * @throws {Promise} An error is thrown if the apiFilename resolution generates an error or the request to the API provider fails or the file cannot be saved.
+ * @throws {Error} Rejects with an error if the apiFilename resolution generates an error or the request to the API provider fails or the file cannot be saved.
  *
  * `apiInfo` options has the following format:
  * ``` javascript
@@ -378,7 +381,7 @@ export const getAPIFile = (apiFilename, correlationId, options) => {
  * @param {object} apiDefinition - JSON object containing the API definition.
  * @param {UUID} correlationId - CorrelationId when logging activities.
  * @return {Array.<string>} An array of the known securitySchemes that are in the API definition.
- * @throws An error is thrown if a validation fails.
+ * @throws {Error} An error is thrown if a validation fails.
  */
 export const validateSecuritySchemes = (apiDefinition, correlationId) => {
   const existingSecuritySchemes = [];
@@ -398,7 +401,7 @@ export const validateSecuritySchemes = (apiDefinition, correlationId) => {
 
 /**
  *
- * Extracts the properties from API definition and creates a file binding the handler with the controller operations.
+ * Extracts the properties from API definition and creates a `register.js` file in the build directory binding the handler with the controller operations.
  *
  * @function extractProperties
  * @category sync
@@ -410,7 +413,7 @@ export const validateSecuritySchemes = (apiDefinition, correlationId) => {
  * @param {PATH} buildDirectory - Directory where the register file will be stored.
  * @param {UUID} correlationId - CorrelationId when logging activities.
  * @return {void}
- * @throws An error is thrown for many reasons, like operationId does not exist in controllers, controller does not exist...
+ * @throws {Error} An error is thrown for many reasons, like operationId does not exist in controllers, controller does not exist...
  */
 export const extractProperties = (apiDefinition, controllersDirectory, buildDirectory, correlationId) => {
   const result = {};
@@ -455,17 +458,19 @@ export const extractProperties = (apiDefinition, controllersDirectory, buildDire
             catch (err) {
               throw getRichError('System', 'file system error', { controllerFilename }, err);
             }
+            let file;
+
             try {
-              const file = fs.readFileSync(controllerFilename, 'utf8');
-              if (!file.includes(`${operation.operationId},`)
-                && !file.includes(`${operation.operationId}:`)
-                && !file.includes(`export ${operation.operationId}`)) { // code must be linted before
-                throw getRichError('System', 'missing operationId in controller file', { controllerFilename, operationId: operation.operationId });
-              }
+              file = fs.readFileSync(controllerFilename, 'utf8');
             }
             catch (err) {
               throw getRichError('System', 'file system error', { controllerFilename, operationId: operation.operationId }, err);
             }
+            if (!file.includes(`${operation.operationId},`)
+              && !file.includes(`${operation.operationId}:`)
+              && !file.includes(`export ${operation.operationId}`)) { // code must be linted before
+              throw getRichError('System', 'missing operationId in controller file', { controllerFilename, operationId: operation.operationId });
+            }
             if (result[controller]) result[controller].push(operation.operationId);
             else result[controller] = [operation.operationId];
           }
@@ -481,7 +486,7 @@ export const extractProperties = (apiDefinition, controllersDirectory, buildDire
 
 /**
  *
- * Setup and validates files for the server
+ * Sets up and validates files for the server
  *
  * @function setupServerFiles
  * @category async
@@ -491,13 +496,13 @@ export const extractProperties = (apiDefinition, controllersDirectory, buildDire
  * @requires fs
  * @requires js-yaml
  * @requires path
- * @param {PATH} apiFilename -  Name of the file where the API file will be stored.
+ * @param {PATH} apiFilename - Name of the file where the API file will be stored.
  * @param {PATH} controllersDirectory - Directory to find the controller files.
  * @param {PATH} buildDirectory - Directory where the register file will be stored.
  * @param {UUID} correlationId - CorrelationId when logging activities.
  * @param {object} options - Options associated with the call. Use to pass `metrics` to `rpRetry` and `apiKey` to access private API.
  * @return {Promise.<object>} The API file, the API filename, the existing known security schemes and the defined security schemes.
- * @throws {Promise} An error is thrown for many reasons associated with getAPIFile or validateSecuritySchemes or extractProperties.
+ * @throws {Error} Rejects with an error for many reasons associated with getAPIFile or validateSecuritySchemes or extractProperties.
  */
 export const setupServerFiles = (apiFilename, controllersDirectory, buildDirectory, correlationId, options) => getAPIFile(apiFilename, correlationId, options)
   .then((apiDefinition) => {

package/lib/baseHandlers.js

@@ -1,14 +1,10 @@
+import { ERROR_CODE } from '@mimik/response-helper';
 import { rejectRequest } from '@mimik/swagger-helper';
 
-const PARAMETER_ERROR = 400;
-const NOT_FOUND_ERROR = 404;
-const UNAUTHORIZED_ERROR = 401;
-const NOT_IMPLEMENTED_ERROR = 501;
-
 const validationFail = (con, req, res) => {
   const error = new Error('Failed schema validation');
 
-  error.statusCode = PARAMETER_ERROR;
+  error.statusCode = ERROR_CODE.PARAMETER;
   error.info = {
     method: req.method,
     path: req.url,
@@ -22,7 +18,7 @@ const notFound = (con, req, res) => {
   const path = req.url;
   const error = new Error(`path ${path} not defined in Swagger specification`);
 
-  error.statusCode = NOT_FOUND_ERROR;
+  error.statusCode = ERROR_CODE.NOT_FOUND;
   error.info = {
     method: req.method,
     path,
@@ -33,7 +29,7 @@ const notFound = (con, req, res) => {
 const unauthorizedHandler = (con, req, res) => {
   let error = new Error('Unauthorized');
 
-  error.statusCode = UNAUTHORIZED_ERROR;
+  error.statusCode = ERROR_CODE.UNAUTHORIZED;
   const schemes = Object.keys(con.security).filter(key => key !== 'authorized');
 
   schemes.forEach((scheme) => {
@@ -50,7 +46,7 @@ const notImplemented = (con, req, res) => {
   const path = req.url;
   const error = new Error(`${method} ${path} defined in Swagger specification, but not implemented`);
 
-  error.statusCode = NOT_IMPLEMENTED_ERROR;
+  error.statusCode = ERROR_CODE.NOT_IMPLEMENTED;
   error.info = {
     method,
     path,
@@ -64,7 +60,7 @@ const methodNotAllowed = (con, req, res) => {
   const path = req.url;
   const error = new Error(`path ${path} defined in Swagger specification, but the method ${method} is not defined`);
 
-  error.statusCode = NOT_IMPLEMENTED_ERROR;
+  error.statusCode = ERROR_CODE.NOT_ALLOWED;
   error.info = {
     method,
     path,
@@ -72,24 +68,10 @@ const methodNotAllowed = (con, req, res) => {
   rejectRequest(error, con, res);
 };
 
-/*
-const postResponseHandler = (con, req, res) => {
-  const valid = con.api.validateResponse(con.response, con.operation);
-  console.log('----->', con.response);
-  console.log('----->', valid);
-  if (valid.errors) {
-    // response validation failed
-    return res.status(502).json({ status: 502, err: valid.errors });
-  }
-  return res.status(200).json(con.response);
-};
-*/
-
 export default {
   validationFail,
   notFound,
   unauthorizedHandler,
   notImplemented,
   methodNotAllowed,
-  // postResponseHandler,
 };

package/lib/common.js

@@ -50,7 +50,7 @@ const CLAIMS_SEPARATOR = ',';
 const BEARERS = ['bearer', 'Bearer'];
 const USER = 'user';
 const CLUSTER = 'cluster';
-const ESLINT_HEAD = '/* eslint sort-imports:"off" */\n';
+const ESLINT_HEAD = '/* eslint sort-imports: off */\n';
 
 export {
   X_ROUTER_CONTROLLER,

package/lib/extract-helper.js

@@ -25,23 +25,18 @@ const saveProperties = (extractResult, buildDirectory, controllersDirectoryName,
   }
   const controllers = Object.keys(extractResult);
   const operationIds = [];
-  let stringToSave = ESLINT_HEAD;
-  let itemToSave;
+  const imports = [];
 
   controllers.forEach((controller) => {
-    itemToSave = '';
-    extractResult[controller].forEach((operationId) => {
-      itemToSave += `  ${operationId},\n`;
+    const items = extractResult[controller].map((operationId) => {
       operationIds.push(operationId);
+      return `  ${operationId},`;
     });
-    stringToSave += `import {\n${itemToSave}} from '../${controllersDirectoryName}/${controller}${EXTENSION}';\n`;
-  });
-  stringToSave += '\nexport {\n';
-  itemToSave = '';
-  operationIds.forEach((operationId) => {
-    itemToSave += `  ${operationId},\n`;
+
+    imports.push(`import {\n${items.join('\n')}\n} from '../${controllersDirectoryName}/${controller}${EXTENSION}';`);
   });
-  stringToSave += `${itemToSave}};\n`;
+  const exportLines = operationIds.map(id => `  ${id},\n`).join('');
+  const stringToSave = `${ESLINT_HEAD}${imports.join('\n')}\n\nexport {\n${exportLines}};\n`;
   logger.info(`creating ${filename}`, { filename }, correlationId);
   try {
     fs.writeFileSync(filename, stringToSave);

package/lib/oauthValidation-helper.js

@@ -28,10 +28,10 @@ const validateApiKey = (securitySchemes, securityType) => {
 
     if (security) {
       if (security.in !== API_KEY_IN) {
-        throw getRichError('System', `apikey security must be in ${API_KEY_IN}`, { securityType, receivedIn: security.in, expectedIn: API_KEY_IN });
+        throw getRichError('System', `API key security must be in ${API_KEY_IN}`, { securityType, receivedIn: security.in, expectedIn: API_KEY_IN });
       }
       if (security.name !== API_KEY_NAME) {
-        throw getRichError('System', `apikey security must be named ${API_KEY_NAME}`, { securityType, receivedName: security.name, expectedName: API_KEY_NAME });
+        throw getRichError('System', `API key security must be named ${API_KEY_NAME}`, { securityType, receivedName: security.name, expectedName: API_KEY_NAME });
       }
       return securityType;
     }

package/lib/securityHandlers.js

@@ -36,14 +36,7 @@ const SCOPE_INDEX = 0;
 const CLAIMS_INDEX = 1;
 const RESOURCE_INDEX = 0;
 
-const getScopes = (conf, securityType) => {
-  let scopes = [];
-
-  conf.operation.security.forEach((security) => {
-    if (security[securityType]) scopes = scopes.concat(security[securityType]);
-  });
-  return scopes;
-};
+const getScopes = (conf, securityType) => conf.operation.security.flatMap(security => security[securityType] || []);
 
 const getError = (message, statusCode) => {
   const error = new Error(message);
@@ -53,15 +46,8 @@ const getError = (message, statusCode) => {
 };
 
 const checkToken = (authToken) => {
-  let token;
+  const token = jwt.decode(authToken);
 
-  try {
-    token = jwt.decode(authToken);
-  }
-  catch (err) {
-    err.statusCode = UNAUTHORIZED_ERROR;
-    throw err;
-  }
   if (!token) {
     throw getError('invalid token', UNAUTHORIZED_ERROR);
   }
@@ -93,17 +79,17 @@ const checkScopes = (tokenScopes, defScopes, definition) => {
   if (!tokenScopes) {
     throw getError('no scope in authorization token', UNAUTHORIZED_ERROR);
   }
-  let claims = [];
+  const claims = [];
   let onBehalf = false;
 
   if (defScopes && defScopes.length !== EMPTY) {
     const currentScopes = tokenScopes.split(SCOPES_SEPARATOR);
     const intersects = [];
-    let resourceIndex = FIRST;
 
     currentScopes.forEach((currentScope) => {
       const analyzedScope = currentScope.split(SCOPE_CLAIMS_SEPARATOR);
       const analyzedResource = analyzedScope[SCOPE_INDEX].split(RESOURCE_SEPARATOR);
+      let resourceIndex = FIRST;
 
       if (analyzedResource[RESOURCE_INDEX] === ON_BEHALF) {
         onBehalf = true;
@@ -129,7 +115,7 @@ const checkScopes = (tokenScopes, defScopes, definition) => {
           if (claimsIntersects.length !== includedClaims.length) {
             throw getError(`incorrect claims included: ${includedClaims.filter(cla => !claimsIntersects.includes(cla))}`, FORBIDDEN_ERROR);
           }
-          claims = claims.concat(claimsIntersects);
+          claims.push(...claimsIntersects);
         }
         intersects.push(analyzedScope[SCOPE_INDEX]);
       }
@@ -141,13 +127,26 @@ const checkScopes = (tokenScopes, defScopes, definition) => {
   return { onBehalf, claims };
 };
 
+const setParam = (req, request, key, value) => {
+  req[key] = value;
+  request[key] = value;
+};
+
+const setParams = (req, request, params) => {
+  Object.keys(params).forEach(key => setParam(req, request, key, params[key]));
+};
+
+const createMockHandler = params => (con, req) => {
+  setParams(req, con.request, params);
+  return true;
+};
+
 export const securityLib = (config) => {
   const verifyTokenClientCredentials = (authToken) => {
     const { server, generic } = config.security;
     const options = {
       audience: (generic.audience === NO_GENERIC) ? server.audience : generic.audience,
       issuer: server.issuer,
-      // subject: `${config.serverSettings.id}@clients`,
     };
 
     try {
@@ -186,19 +185,24 @@ export const securityLib = (config) => {
     }
   };
 
+  const setClientParams = (req, request, token, scopeResult) => {
+    setParam(req, request, TOKEN_PARAMS.claims, scopeResult.claims);
+    if (scopeResult.onBehalf) setParam(req, request, TOKEN_PARAMS.onBehalf, true);
+    if (token.subType) setParam(req, request, TOKEN_PARAMS.tokenType, token.subType);
+    if (token.sub) setParam(req, request, TOKEN_PARAMS.clientId, token.sub);
+    if (token.cust) setParam(req, request, TOKEN_PARAMS.customer, token.cust);
+  };
+
   const AdminSecurity = {
     regular: (con, req) => {
       const authToken = checkHeaders(req.headers);
       const token = checkToken(authToken);
-      const { request } = con;
 
       if (token.subType !== ADMIN && token.subType !== SUB_ADMIN) {
         throw getError('invalid token: wrong type', FORBIDDEN_ERROR);
       }
       if (token.subType === SUB_ADMIN) {
-        if (!token.cust) {
-          throw getError('invalid token: no customer', FORBIDDEN_ERROR);
-        }
+        if (!token.cust) throw getError('invalid token: no customer', FORBIDDEN_ERROR);
       }
       else if (token.sub !== `${config.security.admin.externalId}${CLIENT}`) {
         throw getError(`jwt subject invalid: ${token.sub}`, FORBIDDEN_ERROR);
@@ -206,42 +210,21 @@ export const securityLib = (config) => {
       verifyTokenClientCredentials(authToken);
       const scopeResult = checkScopes(token.scope, getScopes(con, ADMIN_SECURITY), con.api.definition);
 
-      req[TOKEN_PARAMS.claims] = scopeResult.claims;
-      request[TOKEN_PARAMS.claims] = scopeResult.claims;
-      if (token.subType) {
-        req[TOKEN_PARAMS.tokenType] = token.subType;
-        request[TOKEN_PARAMS.tokenType] = token.subType;
-      }
-      if (token.sub) {
-        req[TOKEN_PARAMS.clientId] = token.sub;
-        request[TOKEN_PARAMS.clientId] = token.sub;
-      }
-      if (token.cust) {
-        req[TOKEN_PARAMS.customer] = token.cust;
-        request[TOKEN_PARAMS.customer] = token.cust;
-      }
-      return true;
-    },
-    mock: (con, req) => {
-      const { request } = con;
-
-      req[TOKEN_PARAMS.claims] = ['dummyClaims'];
-      req[TOKEN_PARAMS.tokenType] = ADMIN;
-      req[TOKEN_PARAMS.clientId] = 'dummyClientId';
-      req[TOKEN_PARAMS.customer] = 'dummyCustomer';
-      request[TOKEN_PARAMS.claims] = ['dummyClaims'];
-      request[TOKEN_PARAMS.tokenType] = ADMIN;
-      request[TOKEN_PARAMS.clientId] = 'dummyClientId';
-      request[TOKEN_PARAMS.customer] = 'dummyCustomer';
+      setClientParams(req, con.request, token, scopeResult);
       return true;
     },
+    mock: createMockHandler({
+      [TOKEN_PARAMS.claims]: ['dummyClaims'],
+      [TOKEN_PARAMS.tokenType]: ADMIN,
+      [TOKEN_PARAMS.clientId]: 'dummyClientId',
+      [TOKEN_PARAMS.customer]: 'dummyCustomer',
+    }),
   };
 
   const SystemSecurity = {
     regular: (con, req) => {
       const authToken = checkHeaders(req.headers);
       const token = checkToken(authToken);
-      const { request } = con;
 
       if (token.subType === ADMIN || token.subType === SUB_ADMIN) {
         throw getError('invalid token: wrong type', FORBIDDEN_ERROR);
@@ -249,112 +232,56 @@ export const securityLib = (config) => {
       verifyTokenClientCredentials(authToken);
       const scopeResult = checkScopes(token.scope, getScopes(con, SYSTEM_SECURITY), con.api.definition);
 
-      if (scopeResult.onBehalf) {
-        req[TOKEN_PARAMS.onBehalf] = true;
-        request[TOKEN_PARAMS.onBehalf] = true;
-      }
-      req[TOKEN_PARAMS.claims] = scopeResult.claims;
-      request[TOKEN_PARAMS.claims] = scopeResult.claims;
-      if (token.subType) {
-        req[TOKEN_PARAMS.tokenType] = token.subType;
-        request[TOKEN_PARAMS.tokenType] = token.subType;
-      }
-      if (token.sub) {
-        req[TOKEN_PARAMS.clientId] = token.sub;
-        request[TOKEN_PARAMS.clientId] = token.sub;
-      }
-      if (token.cust) {
-        req[TOKEN_PARAMS.customer] = token.cust;
-        request[TOKEN_PARAMS.customer] = token.cust;
-      }
-      if (token.type === CLUSTER) {
-        req[TOKEN_PARAMS.cluster] = true;
-        request[TOKEN_PARAMS.cluster] = true;
-      }
-      return true;
-    },
-    mock: (con, req) => {
-      const { request } = con;
-
-      req[TOKEN_PARAMS.claims] = ['dummyClaims'];
-      req[TOKEN_PARAMS.tokenType] = 'dummyServiceType';
-      req[TOKEN_PARAMS.clientId] = 'dummyClientId';
-      req[TOKEN_PARAMS.customer] = 'dummyCustomer';
-      request[TOKEN_PARAMS.claims] = ['dummyClaims'];
-      request[TOKEN_PARAMS.tokenType] = 'dummyServiceType';
-      request[TOKEN_PARAMS.clientId] = 'dummyClientId';
-      request[TOKEN_PARAMS.customer] = 'dummyCustomer';
+      setClientParams(req, con.request, token, scopeResult);
+      if (token.type === CLUSTER) setParam(req, con.request, TOKEN_PARAMS.cluster, true);
       return true;
     },
+    mock: createMockHandler({
+      [TOKEN_PARAMS.claims]: ['dummyClaims'],
+      [TOKEN_PARAMS.tokenType]: 'dummyServiceType',
+      [TOKEN_PARAMS.clientId]: 'dummyClientId',
+      [TOKEN_PARAMS.customer]: 'dummyCustomer',
+    }),
   };
 
   const UserSecurity = {
     regular: (con, req) => {
       const authToken = checkHeaders(req.headers);
       const token = checkToken(authToken);
-      const { request } = con;
 
       verifyTokenImplicit(authToken);
       const scopeResult = checkScopes(token.scope, getScopes(con, USER_SECURITY), con.api.definition);
 
-      if (scopeResult.onBehalf) {
-        req[TOKEN_PARAMS.onBehalf] = true;
-        request[TOKEN_PARAMS.onBehalf] = true;
-      }
-      req[TOKEN_PARAMS.claims] = scopeResult.claims;
-      request[TOKEN_PARAMS.claims] = scopeResult.claims;
-      req[TOKEN_PARAMS.tokenType] = USER;
-      request[TOKEN_PARAMS.tokenType] = USER;
-      if (token.sub) {
-        req[TOKEN_PARAMS.userId] = token.sub;
-        request[TOKEN_PARAMS.userId] = token.sub;
-      }
-      if (token.azp) {
-        req[TOKEN_PARAMS.appId] = token.azp;
-        request[TOKEN_PARAMS.appId] = token.azp;
-      }
+      if (scopeResult.onBehalf) setParam(req, con.request, TOKEN_PARAMS.onBehalf, true);
+      setParam(req, con.request, TOKEN_PARAMS.claims, scopeResult.claims);
+      setParam(req, con.request, TOKEN_PARAMS.tokenType, USER);
+      if (token.sub) setParam(req, con.request, TOKEN_PARAMS.userId, token.sub);
+      if (token.azp) setParam(req, con.request, TOKEN_PARAMS.appId, token.azp);
       if (token.may_act && token.may_act.sub) {
-        req[TOKEN_PARAMS.onBehalfId] = token.sub;
-        request[TOKEN_PARAMS.onBehalfId] = token.sub;
-        req[TOKEN_PARAMS.userId] = token.may_act.sub;
-        request[TOKEN_PARAMS.userId] = token.may_act.sub;
+        setParam(req, con.request, TOKEN_PARAMS.onBehalfId, token.sub);
+        setParam(req, con.request, TOKEN_PARAMS.userId, token.may_act.sub);
       }
       return true;
     },
-    mock: (con, req) => {
-      const { request } = con;
-
-      req[TOKEN_PARAMS.claims] = ['dummyClaims'];
-      req[TOKEN_PARAMS.userId] = 'dummyUserId';
-      req[TOKEN_PARAMS.appId] = 'dummyAppId';
-      req[TOKEN_PARAMS.tokenType] = USER;
-      request[TOKEN_PARAMS.claims] = ['dummyClaims'];
-      request[TOKEN_PARAMS.userId] = 'dummyUserId';
-      request[TOKEN_PARAMS.appId] = 'dummyAppId';
-      request[TOKEN_PARAMS.tokenType] = USER;
-      return true;
-    },
+    mock: createMockHandler({
+      [TOKEN_PARAMS.claims]: ['dummyClaims'],
+      [TOKEN_PARAMS.userId]: 'dummyUserId',
+      [TOKEN_PARAMS.appId]: 'dummyAppId',
+      [TOKEN_PARAMS.tokenType]: USER,
+    }),
   };
 
   const ApiKeySecurity = {
     regular: (con, req) => {
       const apiKey = req.headers ? req.headers[API_KEY_NAME.toLowerCase()] : null;
-      const { request } = con;
 
-      if (config.security.apiKeys.includes(apiKey)) {
-        req[API_KEY_NAME] = apiKey;
-        request[API_KEY_NAME] = apiKey;
+      if (config.security.apiKeys && config.security.apiKeys.includes(apiKey)) {
+        setParam(req, con.request, API_KEY_NAME, apiKey);
         return true;
       }
       throw getError('invalid API key', UNAUTHORIZED_ERROR);
     },
-    mock: (con, req) => {
-      const { request } = con;
-
-      req[API_KEY_NAME] = 'dummyApiKey';
-      request[API_KEY_NAME] = 'dummyApiKey';
-      return true;
-    },
+    mock: createMockHandler({ [API_KEY_NAME]: 'dummyApiKey' }),
   };
 
   return {

package/package.json

@@ -1,14 +1,18 @@
 {
   "name": "@mimik/api-helper",
-  "version": "3.0.1",
+  "version": "3.0.3",
   "description": "helper for openAPI backend and mimik service",
   "main": "./index.js",
   "type": "module",
+  "exports": "./index.js",
+  "engines": {
+    "node": ">=24.0.0"
+  },
   "scripts": {
     "lint": "eslint . --no-error-on-unmatched-pattern",
     "docs": "jsdoc2md index.js > README.md",
-    "test": "mocha --reporter mochawesome test/ --recursive",
-    "test-ci": "c8 --reporter=lcov --reporter=text npm test",
+    "test": "mocha",
+    "test-ci": "c8 npm test",
     "prepublishOnly": "npm run docs && npm run lint && npm run test-ci",
     "commit-ready": "npm run docs && npm run lint && npm run test-ci"
   },
@@ -19,33 +23,31 @@
   ],
   "author": "mimik technology inc <support@mimik.com> (https://developer.mimik.com/)",
   "license": "MIT",
-  "engines": {
-    "node": ">=24"
-  },
   "repository": {
     "type": "git",
     "url": "https://bitbucket.org/mimiktech/api-helper"
   },
   "dependencies": {
-    "@mimik/request-retry": "^4.0.9",
-    "@mimik/response-helper": "^4.0.10",
-    "@mimik/sumologic-winston-logger": "^2.1.14",
-    "@mimik/swagger-helper": "^5.0.3",
+    "@mimik/request-retry": "^4.0.11",
+    "@mimik/response-helper": "^4.0.11",
+    "@mimik/sumologic-winston-logger": "^2.2.2",
+    "@mimik/swagger-helper": "^5.0.4",
     "ajv-formats": "3.0.1",
     "js-base64": "3.7.8",
     "js-yaml": "4.1.1",
     "jsonwebtoken": "9.0.3",
     "openapi-backend": "5.16.1",
-    "swagger-client": "3.37.0"
+    "swagger-client": "3.37.1"
   },
   "devDependencies": {
-    "@eslint/js": "9.32.0",
-    "@mimik/eslint-plugin-document-env": "^2.0.8",
-    "@stylistic/eslint-plugin": "5.9.0",
+    "@eslint/js": "10.0.1",
+    "@mimik/eslint-plugin-document-env": "^2.0.9",
+    "@mimik/eslint-plugin-logger": "^1.0.3",
+    "@stylistic/eslint-plugin": "5.10.0",
     "c8": "11.0.0",
     "chai": "6.2.2",
-    "eslint": "9.32.0",
-    "eslint-plugin-import": "2.32.0",
+    "eslint": "10.1.0",
+    "eslint-plugin-import-x": "4.16.2",
     "esmock": "2.7.3",
     "globals": "17.4.0",
     "husky": "9.1.7",