npm - @openstax/ts-utils - Versions diffs - 1.38.3 → 1.39.1 - Mend

@openstax/ts-utils 1.38.3 → 1.39.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/dist/cjs/services/httpMessageVerifier/index.d.ts CHANGED Viewed

@@ -3,6 +3,7 @@ import { VerifyConfig } from 'http-message-signatures';
 import { JWK } from 'node-jose';
 import { ConfigProviderForConfig } from '../../config';
 type Config = {
+    apiHost: string;
     bypassSignatureVerification: string;
 };
 interface Initializer<C> {

package/dist/cjs/services/httpMessageVerifier/index.js CHANGED Viewed

@@ -5,6 +5,7 @@ exports.createHttpMessageVerifier = void 0;
 const crypto_1 = require("crypto");
 const http_message_signatures_1 = require("http-message-signatures");
 const jwks_rsa_1 = require("jwks-rsa");
+const structured_headers_1 = require("structured-headers");
 const assertions_1 = require("../../assertions");
 const config_1 = require("../../config");
 const errors_1 = require("../../errors");
@@ -12,6 +13,7 @@ const helpers_1 = require("../../misc/helpers");
 const jwks_1 = require("../../misc/jwks");
 const createHttpMessageVerifier = ({ configSpace, fetcher }) => (configProvider) => {
     const config = configProvider[configSpace !== null && configSpace !== void 0 ? configSpace : 'verifier'];
+    const getApiHost = (0, helpers_1.once)(async () => await (0, config_1.resolveConfigValue)(config.apiHost));
     const getBypassSignatureVerification = (0, helpers_1.once)(async () => (await (0, config_1.resolveConfigValue)(config.bypassSignatureVerification)) === 'true');
     return ({ request }) => ({
         verify: async ({ configOverride, signatureAgentVerifier }) => {
@@ -30,9 +32,25 @@ const createHttpMessageVerifier = ({ configSpace, fetcher }) => (configProvider)
             // but we do not bother matching the Signature-Agent names with the Signature names
             // as that would be awkward with the packages we use
             const signatureAgentString = (_a = headers['signature-agent']) !== null && _a !== void 0 ? _a : '';
-            const signatureAgentMatches = [...signatureAgentString.matchAll(/([^=]+)="([^"]+)"/g)];
-            const signatureAgents = signatureAgentMatches.length == 0 ?
-                [signatureAgentString] : [...new Set(signatureAgentMatches.map((match) => match[2]))];
+            let rawValues;
+            // Try parsing as RFC 8941 Item first (e.g., "https://url" or bare token)
+            try {
+                rawValues = [(0, structured_headers_1.parseItem)(signatureAgentString)];
+            }
+            catch {
+                // If item parsing fails, try parsing as a Dictionary (e.g., sig="https://url")
+                rawValues = Array.from((0, structured_headers_1.parseDictionary)(signatureAgentString).values());
+            }
+            // Convert values to strings (handle Token, string, and reject others) and deduplicate
+            const signatureAgents = [...new Set(rawValues.map(([bareItem]) => {
+                    if (bareItem instanceof structured_headers_1.Token) {
+                        return bareItem.toString();
+                    }
+                    return (0, assertions_1.assertString)(bareItem, new errors_1.InvalidRequestError('Signature-Agent values must be strings or tokens'));
+                }))];
+            if (signatureAgents.length === 0) {
+                throw new errors_1.InvalidRequestError('Signature-Agent header is required');
+            }
             const keys = (await Promise.all(signatureAgents.map(async (signatureAgent) => {
                 if (!await signatureAgentVerifier(signatureAgent)) {
                     throw new errors_1.InvalidRequestError('Signature-Agent verification failed');
@@ -44,8 +62,7 @@ const createHttpMessageVerifier = ({ configSpace, fetcher }) => (configProvider)
                 body,
                 headers,
                 method: requestContext.http.method,
-                // Node's request.url is really just the path and querystring
-                url: requestContext.http.path,
+                url: `${await getApiHost()}${requestContext.http.path}${request.rawQueryString ? `?${request.rawQueryString}` : ''}`,
             };
             if (!await http_message_signatures_1.httpbis.verifyMessage({
                 all: true,
@@ -78,14 +95,37 @@ const createHttpMessageVerifier = ({ configSpace, fetcher }) => (configProvider)
             // For example, if a GET request uses configOverride to make content-digest not required
             if (!headers['content-digest'])
                 return true;
-            const match = headers['content-digest'].match(/^(sha-256|sha-512)=:([^:]+):/);
-            if (!match)
+            let contentDigest;
+            try {
+                contentDigest = (0, structured_headers_1.parseDictionary)(headers['content-digest']);
+            }
+            catch {
                 throw new errors_1.InvalidRequestError('Unsupported Content-Digest header format');
-            const contentDigestAlg = match[1];
-            const contentDigestHash = match[2];
-            const calculatedContentDigestHash = (0, crypto_1.createHash)(contentDigestAlg).update((0, assertions_1.assertString)(body)).digest('base64');
-            if (calculatedContentDigestHash !== contentDigestHash.replace(/:/g, '')) {
-                throw new errors_1.InvalidRequestError('Calculated Content-Digest value did not match header');
+            }
+            if (contentDigest.size === 0) {
+                throw new errors_1.InvalidRequestError('Content-Digest header is required');
+            }
+            // Map Content-Digest algorithm names to Node's crypto algorithm names
+            const algorithmMap = {
+                'sha-256': 'sha256',
+                'sha-512': 'sha512',
+            };
+            for (const [algorithm, value] of contentDigest.entries()) {
+                const [bareItem] = value;
+                // Convert ByteSequence to string, or assert it's already a string
+                const hashValue = bareItem instanceof structured_headers_1.ByteSequence
+                    ? bareItem.toBase64()
+                    : (0, assertions_1.assertString)(bareItem, new errors_1.InvalidRequestError('Content-Digest values must be strings'));
+                const cryptoAlgorithm = algorithmMap[algorithm];
+                if (!cryptoAlgorithm) {
+                    throw new errors_1.InvalidRequestError(`Unsupported Content-Digest algorithm: ${algorithm}`);
+                }
+                // Calculate the hash
+                const calculatedHash = (0, crypto_1.createHash)(cryptoAlgorithm).update((0, assertions_1.assertString)(body, new errors_1.InvalidRequestError('Request body is required when Content-Digest is present'))).digest('base64');
+                // Compare with the provided hash
+                if (calculatedHash !== hashValue) {
+                    throw new errors_1.InvalidRequestError(`Calculated Content-Digest value did not match header for algorithm ${algorithm}`);
+                }
             }
             return true;
         },

package/dist/cjs/services/lrsGateway/addStatementDefaultFields.d.ts CHANGED Viewed

@@ -1,5 +1,6 @@
-import { User } from '../authProvider';
 import { EagerXapiStatement, UXapiStatement, XapiStatement } from '.';
 export declare const addStatementDefaultFields: (statement: (Pick<XapiStatement, "object" | "verb" | "context" | "result"> & {
     id?: string;
-}) | UXapiStatement, user: User) => EagerXapiStatement;
+}) | UXapiStatement, user: {
+    uuid: string;
+}) => EagerXapiStatement;

package/dist/cjs/services/lrsGateway/attempt-utils.d.ts CHANGED Viewed

@@ -79,7 +79,7 @@ export declare const putAttemptStatement: (gateway: LrsGateway, activity: {
 export declare const createAttemptActivityStatement: (attemptStatement: UXapiStatement, verb: UXapiStatement["verb"], result?: UXapiStatement["result"]) => Pick<UXapiStatement, "object" | "verb" | "context" | "result">;
 export declare const putAttemptActivityStatement: (gateway: LrsGateway, attemptStatement: UXapiStatement, verb: UXapiStatement["verb"], result?: UXapiStatement["result"]) => Promise<import(".").EagerXapiStatement>;
 export declare const createCompletedStatement: (attemptStatement: UXapiStatement, result?: UXapiStatement["result"]) => Pick<UXapiStatement, "object" | "verb" | "context" | "result">;
-export declare const putCompletedStatement: (gateway: LrsGateway, attemptStatement: UXapiStatement, result: UXapiStatement["result"]) => Promise<import(".").EagerXapiStatement>;
+export declare const putCompletedStatement: (gateway: LrsGateway, attemptStatement: UXapiStatement, result: UXapiStatement["result"], user?: string) => Promise<import(".").EagerXapiStatement>;
 export declare const createCompletedPendingScoringStatement: (attemptStatement: UXapiStatement) => Pick<UXapiStatement, "object" | "verb" | "context" | "result">;
 export declare const putCompletedPendingScoringStatement: (gateway: LrsGateway, attemptStatement: UXapiStatement) => Promise<import(".").EagerXapiStatement>;
 export declare const createScoredStatement: (attemptStatement: UXapiStatement, result: UXapiStatement["result"]) => Pick<UXapiStatement, "object" | "verb" | "context" | "result">;

package/dist/cjs/services/lrsGateway/attempt-utils.js CHANGED Viewed

@@ -311,8 +311,8 @@ const createCompletedStatement = (attemptStatement, result) => {
     };
 };
 exports.createCompletedStatement = createCompletedStatement;
-const putCompletedStatement = async (gateway, attemptStatement, result) => {
-    return (await gateway.putXapiStatements([(0, exports.createCompletedStatement)(attemptStatement, result)]))[0];
+const putCompletedStatement = async (gateway, attemptStatement, result, user) => {
+    return (await gateway.putXapiStatements([(0, exports.createCompletedStatement)(attemptStatement, result)], user))[0];
 };
 exports.putCompletedStatement = putCompletedStatement;
 // pending score statement for when the open written response has been graded.

package/dist/cjs/services/lrsGateway/index.d.ts CHANGED Viewed

@@ -84,7 +84,7 @@ export declare const lrsGateway: <C extends string = "lrs">(initializer: Initial
 }) => {
     putXapiStatements: (statements: Array<(Pick<XapiStatement, "object" | "verb" | "context" | "result"> & {
         id?: string;
-    }) | UXapiStatement>) => Promise<EagerXapiStatement[]>;
+    }) | UXapiStatement>, user?: string) => Promise<EagerXapiStatement[]>;
     getXapiStatements: (params: {
         verb?: string;
         activity?: string;

package/dist/cjs/services/lrsGateway/index.js CHANGED Viewed

@@ -56,9 +56,11 @@ const lrsGateway = (initializer) => (configProvider) => {
             status: [502]
         });
         // Note: This method actually uses POST
-        const putXapiStatements = async (statements) => {
-            const user = (0, assertions_1.assertDefined)(await authProvider.getUser(), new errors_1.UnauthorizedError);
-            const statementsWithDefaults = statements.map(statement => (0, addStatementDefaultFields_1.addStatementDefaultFields)(statement, user));
+        const putXapiStatements = async (statements, user) => {
+            const userObj = user
+                ? { uuid: user }
+                : (0, assertions_1.assertDefined)(await authProvider.getUser(), new errors_1.UnauthorizedError);
+            const statementsWithDefaults = statements.map(statement => (0, addStatementDefaultFields_1.addStatementDefaultFields)(statement, userObj));
             const response = await fetcher((await lrsHost()).replace(/\/+$/, '') + '/data/xAPI/statements', {
                 body: JSON.stringify(statementsWithDefaults),
                 headers: {