@openstax/ts-utils 1.9.1 → 1.11.0

package/dist/esm/config/envConfig.d.ts

@@ -1,4 +1,4 @@
-import { ConfigValueProvider } from '.';
+import type { ConfigValueProvider } from '.';
 /**
  * A list of environment variables that were requested at build time. Used by webpack to
  * capture build-time environment variables values.
@@ -21,4 +21,4 @@ export declare const ENV_BUILD_CONFIGS: string[];
  *
  * @example const config = { configValue: envConfig('environment_variable_name') };
  */
-export declare const envConfig: (name: string, type?: 'build' | 'runtime', defaultValue?: ConfigValueProvider<string> | undefined) => ConfigValueProvider<string>;
+export declare const envConfig: (name: string, type?: "build" | "runtime" | undefined, defaultValue?: ConfigValueProvider<string> | undefined) => ConfigValueProvider<string>;

package/dist/esm/config/envConfig.js

@@ -1,4 +1,4 @@
-import { resolveConfigValue } from '.';
+import { resolveConfigValue } from './resolveConfigValue';
 /**
  * A list of environment variables that were requested at build time. Used by webpack to
  * capture build-time environment variables values.
@@ -21,7 +21,12 @@ export const ENV_BUILD_CONFIGS = [];
  *
  * @example const config = { configValue: envConfig('environment_variable_name') };
  */
-export const envConfig = (name, type = 'build', defaultValue) => {
+export const envConfig = (name, type, defaultValue) => {
+    // this doesn't use a default parameter value because of a:
+    //   "Regular parameters should not come after default parameters."
+    // error that occurs when the defaultValue optional default of `undefined`
+    // gets optimized out, causing a problem in cloudfront functions.
+    type !== null && type !== void 0 ? type : (type = 'build');
     if (type === 'build') {
         ENV_BUILD_CONFIGS.push(name);
     }
@@ -30,8 +35,10 @@ export const envConfig = (name, type = 'build', defaultValue) => {
         // @ts-ignore - hack to get around the way webpack/define works
         // - https://github.com/webpack/webpack/issues/14800
         // - https://github.com/webpack/webpack/issues/5392
-        const envs = { ...process.env, ...(typeof __PROCESS_ENV !== 'undefined' ? __PROCESS_ENV : {}) };
-        if (envs[name] === undefined) {
+        // also, spread operator not supported in cloudfront functions
+        const envs = Object.assign({}, process.env, typeof __PROCESS_ENV !== 'undefined' ? __PROCESS_ENV : {});
+        const value = envs[name];
+        if (value === undefined) {
             if (defaultValue === undefined) {
                 throw new Error(`expected to find environment variable with name: ${name}`);
             }
@@ -40,7 +47,7 @@ export const envConfig = (name, type = 'build', defaultValue) => {
             }
         }
         else {
-            return envs[name];
+            return value;
         }
     };
 };

package/dist/esm/config/resolveConfigValue.d.ts

@@ -1,4 +1,4 @@
-import { ConfigValueProvider } from '.';
+import type { ConfigValueProvider } from '.';
 /**
  * resolves a config value into a string, to be used inside of things that are provided configurations
  */

package/dist/esm/errors/index.js

@@ -10,8 +10,8 @@
  *   error instanceof InvalidRequestError
  *
  */
-const errorIsType = ({ TYPE }) => (e) => e instanceof Error
-    && e.constructor.TYPE === TYPE;
+const errorIsType = (t) => (e) => e instanceof Error
+    && e.constructor.TYPE === t.TYPE;
 /**
  * Returns true if the error is defined in this library
  */

package/dist/esm/services/authProvider/browser.js

@@ -1,5 +1,7 @@
+import { isEqual } from 'lodash';
 import { once } from '../..';
 import { resolveConfigValue } from '../../config';
+import { UnauthorizedError } from '../../errors';
 import { ifDefined } from '../../guards';
 import { unsafePayloadValidator } from '../../routing/helpers';
 import { embeddedAuthProvider, PostMessageTypes } from './utils/embeddedAuthProvider';
@@ -9,14 +11,14 @@ export const browserAuthProvider = ({ window, configSpace }) => (configProvider)
     const accountsBase = once(() => resolveConfigValue(config.accountsBase));
     const queryString = window.location.search;
     const queryKey = 'auth';
-    const authQuery = new URLSearchParams(queryString).get(queryKey);
+    const urlSearchParams = new URLSearchParams(queryString);
+    const authQuery = urlSearchParams.get(queryKey);
     const referrer = window.document.referrer ? new URL(window.document.referrer) : undefined;
     const isEmbedded = window.parent !== window;
     const trustedParent = isEmbedded && referrer && referrer.hostname.match(/^(openstax\.org|((.*)(\.openstax\.org|local|localhost)))$/) ? referrer : undefined;
-    const { embeddedQueryValue, getAuthorizedEmbedUrl } = embeddedAuthProvider(() => getUserData(), { queryKey, window });
-    let userData = {
-        token: [null, embeddedQueryValue].includes(authQuery) ? null : authQuery
-    };
+    const { embeddedQueryKey, embeddedQueryValue, getAuthorizedEmbedUrl } = embeddedAuthProvider(() => getUserData(), { authQuery: { key: queryKey, value: authQuery }, window });
+    const embeddedQuery = urlSearchParams.get(embeddedQueryKey);
+    let userData = { token: authQuery };
     const getAuthToken = async () => {
         return (await getUserData()).token;
     };
@@ -32,6 +34,9 @@ export const browserAuthProvider = ({ window, configSpace }) => (configProvider)
         if (authQuery) {
             url.searchParams.set(queryKey, authQuery);
         }
+        if (embeddedQuery) {
+            url.searchParams.set(embeddedQueryKey, embeddedQuery);
+        }
         return url.href;
     };
     // *note* that this does not actually prevent cookies from being sent on same-origin
@@ -83,10 +88,23 @@ export const browserAuthProvider = ({ window, configSpace }) => (configProvider)
         throw new Error(`Error response from Accounts ${response.status}: ${message}`);
     };
     const getUserData = once(async () => {
-        userData = authQuery === embeddedQueryValue
-            ? await getParentWindowUser()
-            : await getFetchUser();
-        return userData;
+        // For backwards compatibility
+        if (authQuery === 'embedded') {
+            return getParentWindowUser();
+        }
+        // getFetchUser() will throw here if authQuery is not set
+        if (embeddedQuery !== embeddedQueryValue) {
+            return getFetchUser();
+        }
+        const userDataFromParentWindow = await getParentWindowUser();
+        if (!authQuery) {
+            return userDataFromParentWindow;
+        }
+        const userDataFromAuthQuery = await getFetchUser();
+        if (isEqual(userDataFromAuthQuery, userDataFromParentWindow)) {
+            return userDataFromAuthQuery;
+        }
+        throw new UnauthorizedError();
     });
     const getUser = async () => {
         return (await getUserData()).user;

package/dist/esm/services/authProvider/decryption.js

@@ -1,4 +1,5 @@
 import { resolveConfigValue } from '../../config/resolveConfigValue';
+import { SessionExpiredError } from '../../errors';
 import { ifDefined } from '../../guards';
 import { once } from '../../misc/helpers';
 import { decryptAndVerify } from './utils/decryptAndVerify';
@@ -22,7 +23,11 @@ export const decryptionAuthProvider = (initializer) => (configProvider) => {
             if (!token) {
                 return undefined;
             }
-            return decryptAndVerify(token, await encryptionPrivateKey(), await signaturePublicKey());
+            const result = decryptAndVerify(token, await encryptionPrivateKey(), await signaturePublicKey());
+            if ('error' in result && result.error == 'expired token') {
+                throw new SessionExpiredError();
+            }
+            return 'user' in result ? result.user : undefined;
         };
         return {
             getAuthorizedFetchConfig,

package/dist/esm/services/authProvider/utils/decryptAndVerify.d.ts

@@ -1,11 +1,27 @@
-import { User } from '..';
+/// <reference types="node" />
+import type { User } from '..';
+export declare const decryptJwe: (jwe: string, encryptionPrivateKey: Buffer | string) => string | undefined;
+declare type MaybeAccountsSSOToken = {
+    iss?: string;
+    sub?: User | string;
+    aud?: string;
+    exp?: number;
+    nbf?: number;
+    iat?: number;
+    jti?: string;
+};
+export declare const verifyJws: (jws: string, signaturePublicKey: Buffer | string) => MaybeAccountsSSOToken | undefined;
 /**
  * Decrypts and verifies a SSO cookie.
  *
  * @param token the encrypted token
  * @param encryptionPrivateKey the private key used to encrypt the token
  * @param signaturePublicKey the public key used to verify the decrypted token
- * @throws SessionExpiredError if the token is expired
- * @returns User (success) or undefined (failure)
+ * @returns {user: User} (success) or {error: string} (failure)
  */
-export declare const decryptAndVerify: (token: string, encryptionPrivateKey: string, signaturePublicKey: string) => User | undefined;
+export declare const decryptAndVerify: (token: string, encryptionPrivateKey: string, signaturePublicKey: string) => {
+    user: User;
+} | {
+    error: string;
+};
+export {};

package/dist/esm/services/authProvider/utils/decryptAndVerify.js

@@ -1,22 +1,55 @@
-import * as crypto from 'crypto';
-import { TextEncoder } from 'util';
-import jwt from 'jsonwebtoken';
-import { SessionExpiredError } from '../../../errors';
+import { createDecipheriv, verify } from 'crypto';
 import { isPlainObject } from '../../../guards';
-const decrypt = (input, key) => {
-    const splitInput = input.split('.');
-    const aad = new TextEncoder().encode(splitInput[0]);
-    const iv = Buffer.from(splitInput[2], 'base64');
-    const cipherText = Buffer.from(splitInput[3], 'base64');
-    const tag = Buffer.from(splitInput[4], 'base64');
-    const decipher = crypto.createDecipheriv('aes-256-gcm', Buffer.from(key), iv, { authTagLength: 16 });
+export const decryptJwe = (jwe, encryptionPrivateKey) => {
+    const jweParts = jwe.split('.', 6);
+    if (jweParts.length !== 5 || jweParts[1]) {
+        return undefined;
+    } // Invalid/unsupported JWE
+    const header = JSON.parse(Buffer.from(jweParts[0], 'base64url').toString());
+    if (header.alg !== 'dir' || header.enc !== 'A256GCM') {
+        // Unsupported signature/encryption algorithm
+        return undefined;
+    }
+    const aad = Buffer.from(jweParts[0]);
+    const iv = Buffer.from(jweParts[2], 'base64url');
+    const cipherText = Buffer.from(jweParts[3], 'base64url');
+    const authTag = Buffer.from(jweParts[4], 'base64url');
+    // Verify token signature and decrypt
+    const decipher = createDecipheriv('aes-256-gcm', encryptionPrivateKey, iv, { authTagLength: 16 });
     decipher.setAAD(aad, { plaintextLength: cipherText.length });
-    decipher.setAuthTag(tag);
-    const result = Buffer.concat([
-        decipher.update(cipherText),
-        decipher.final(),
-    ]);
-    return result.toString('utf-8');
+    try {
+        decipher.setAuthTag(authTag);
+        return `${decipher.update(cipherText)}${decipher.final()}`;
+    }
+    catch (error) {
+        // Invalid cipherText or authTag
+        return undefined;
+    }
+};
+const issuer = 'OpenStax Accounts';
+const audience = 'OpenStax';
+const clockTolerance = 300; // 5 minutes
+export const verifyJws = (jws, signaturePublicKey) => {
+    const jwsParts = jws.split('.', 4);
+    if (jwsParts.length !== 3) {
+        return undefined;
+    } // Invalid JWS
+    const header = JSON.parse(Buffer.from(jwsParts[0], 'base64url').toString());
+    if (header.alg !== 'RS256' || header.typ !== 'JWT') {
+        return undefined;
+    } // Unsupported JWS
+    const signedContent = Buffer.from(`${jwsParts[0]}.${jwsParts[1]}`);
+    const signature = Buffer.from(jwsParts[2], 'base64url');
+    if (!verify('RSA-SHA256', signedContent, signaturePublicKey, signature)) {
+        return undefined;
+    }
+    const payload = Buffer.from(jwsParts[1], 'base64url').toString();
+    try {
+        return JSON.parse(payload);
+    }
+    catch (error) {
+        return undefined;
+    }
 };
 /**
  * Decrypts and verifies a SSO cookie.
@@ -24,26 +57,29 @@ const decrypt = (input, key) => {
  * @param token the encrypted token
  * @param encryptionPrivateKey the private key used to encrypt the token
  * @param signaturePublicKey the public key used to verify the decrypted token
- * @throws SessionExpiredError if the token is expired
- * @returns User (success) or undefined (failure)
+ * @returns {user: User} (success) or {error: string} (failure)
  */
 export const decryptAndVerify = (token, encryptionPrivateKey, signaturePublicKey) => {
-    try {
-        // Decrypt SSO cookie
-        const plaintext = decrypt(token, encryptionPrivateKey);
-        const payload = jwt.verify(plaintext, signaturePublicKey, {
-            clockTolerance: 300 // 5 minutes
-        });
-        if (!isPlainObject(payload) || !isPlainObject(payload.sub) || !payload.sub.uuid) {
-            return undefined;
-        }
-        // TS is confused because the library types the `sub` as a string
-        return payload.sub;
-    }
-    catch (err) {
-        if (err instanceof jwt.TokenExpiredError) {
-            throw new SessionExpiredError();
-        }
-        return undefined;
+    const timestamp = Math.floor(Date.now() / 1000);
+    const jws = decryptJwe(token, encryptionPrivateKey);
+    if (!jws) {
+        return { error: 'invalid token' };
+    }
+    const payload = verifyJws(jws, signaturePublicKey);
+    // Ensure payload contains all the claims we expect
+    // Normally "sub" would be a string but Accounts uses an object for it instead
+    if (!isPlainObject(payload) ||
+        !isPlainObject(payload.sub) || !payload.sub.uuid ||
+        payload.iss !== issuer ||
+        payload.aud !== audience ||
+        !payload.exp ||
+        !payload.nbf || payload.nbf > timestamp + clockTolerance ||
+        !payload.iat || payload.iat > timestamp + clockTolerance ||
+        !payload.jti) {
+        return { error: 'invalid token' };
+    }
+    if (payload.exp < timestamp - clockTolerance) {
+        return { error: 'expired token' };
     }
+    return { user: payload.sub };
 };

package/dist/esm/services/authProvider/utils/embeddedAuthProvider.d.ts

@@ -9,10 +9,14 @@ export declare enum PostMessageTypes {
     ReceiveUser = "receive-user",
     RequestUser = "request-user"
 }
-export declare const embeddedAuthProvider: (getUserData: UserDataLoader, { queryKey, window }: {
-    queryKey?: string | undefined;
+export declare const embeddedAuthProvider: (getUserData: UserDataLoader, { authQuery, window }: {
+    authQuery?: {
+        key: string;
+        value: string | null;
+    } | undefined;
     window: Window;
 }) => {
+    embeddedQueryKey: string;
     embeddedQueryValue: string;
     getAuthorizedEmbedUrl: (urlString: string, extraParams?: {
         [key: string]: string;

package/dist/esm/services/authProvider/utils/embeddedAuthProvider.js

@@ -4,9 +4,10 @@ export var PostMessageTypes;
     PostMessageTypes["ReceiveUser"] = "receive-user";
     PostMessageTypes["RequestUser"] = "request-user";
 })(PostMessageTypes || (PostMessageTypes = {}));
-export const embeddedAuthProvider = (getUserData, { queryKey = 'auth', window }) => {
+export const embeddedAuthProvider = (getUserData, { authQuery, window }) => {
     const trustedEmbeds = new Set();
-    const embeddedQueryValue = 'embedded';
+    const embeddedQueryKey = 'embedded';
+    const embeddedQueryValue = 'true';
     const messageHandler = event => {
         if (event.data.type === PostMessageTypes.RequestUser && trustedEmbeds.has(event.origin)) {
             getUserData().then(data => {
@@ -19,10 +20,16 @@ export const embeddedAuthProvider = (getUserData, { queryKey = 'auth', window })
         const url = new URL(urlString);
         trustedEmbeds.add(url.origin);
         const params = queryString.parse(url.search);
-        url.search = queryString.stringify({ ...params, ...extraParams, [queryKey]: embeddedQueryValue });
+        url.search = queryString.stringify({
+            ...params,
+            ...extraParams,
+            ...(authQuery && authQuery.value ? { [authQuery.key]: authQuery.value } : {}),
+            [embeddedQueryKey]: embeddedQueryValue
+        });
         return url.href;
     };
     return {
+        embeddedQueryKey,
         embeddedQueryValue,
         getAuthorizedEmbedUrl,
         unmount: () => {

package/dist/esm/services/exercisesGateway/index.js

@@ -25,7 +25,8 @@ export const exercisesGateway = (initializer) => (configProvider) => {
             question.collaborator_solutions = [
                 { solution_type: 'detailed', images: [], content_html: defaultHint }
             ];
-            for (const [index, answer] of question.answers.entries()) {
+            for (let index = 0; index < question.answers.length; index++) {
+                const answer = question.answers[index];
                 answer.correctness = defaultCorrectIndex === index ? '1.0' : '0.0';
                 answer.feedback_html = defaultCorrectIndex === index ? 'This is the good one!' : defaultHint;
             }

package/dist/esm/services/fileServer/index.d.ts

@@ -0,0 +1,17 @@
+/// <reference types="node" />
+export declare type FileValue = {
+    dataType: 'file';
+    mimeType: string;
+    path: string;
+    label: string;
+};
+export declare type FolderValue = {
+    dataType: 'folder';
+    files: FileValue[];
+};
+export declare const isFileValue: (thing: any) => thing is FileValue;
+export declare const isFolderValue: (thing: any) => thing is FolderValue;
+export interface FileServerAdapter {
+    getFileContent: (source: FileValue) => Promise<Buffer>;
+}
+export declare const isFileOrFolder: (thing: any) => thing is FileValue | FolderValue;

package/dist/esm/services/fileServer/index.js

@@ -0,0 +1,13 @@
+import { isPlainObject } from '../../guards';
+export const isFileValue = (thing) => isPlainObject(thing)
+    && Object.keys(thing).every(key => ['dataType', 'path', 'label', 'mimeType'].includes(key))
+    && thing.dataType === 'file'
+    && typeof thing.mimeType === 'string'
+    && typeof thing.path === 'string'
+    && typeof thing.label === 'string';
+export const isFolderValue = (thing) => isPlainObject(thing)
+    && Object.keys(thing).every(key => ['dataType', 'files'].includes(key))
+    && thing.dataType === 'folder'
+    && thing.files instanceof Array
+    && thing.files.every(isFileValue);
+export const isFileOrFolder = (thing) => isFileValue(thing) || isFolderValue(thing);

package/dist/esm/services/fileServer/localFileServer.d.ts

@@ -0,0 +1,13 @@
+import { ConfigProviderForConfig } from '../../config';
+import { FileServerAdapter } from '.';
+export declare type Config = {
+    storagePrefix: string;
+};
+interface Initializer<C> {
+    dataDir: string;
+    configSpace?: C;
+}
+export declare const localFileServer: <C extends string = "local">(initializer: Initializer<C>) => (configProvider: { [key in C]: {
+    storagePrefix: import("../../config").ConfigValueProvider<string>;
+}; }) => FileServerAdapter;
+export {};

package/dist/esm/services/fileServer/localFileServer.js

@@ -0,0 +1,16 @@
+import fs from 'fs';
+import path from 'path';
+import { resolveConfigValue } from '../../config';
+import { ifDefined } from '../../guards';
+export const localFileServer = (initializer) => (configProvider) => {
+    const config = configProvider[ifDefined(initializer.configSpace, 'local')];
+    const storagePrefix = resolveConfigValue(config.storagePrefix);
+    const fileDir = storagePrefix.then((prefix) => path.join(initializer.dataDir, prefix));
+    const getFileContent = async (source) => {
+        const filePath = path.join(await fileDir, source.path);
+        return fs.promises.readFile(filePath);
+    };
+    return {
+        getFileContent,
+    };
+};

package/dist/esm/services/fileServer/s3FileServer.d.ts

@@ -0,0 +1,16 @@
+import { S3Client } from '@aws-sdk/client-s3';
+import { ConfigProviderForConfig } from '../../config';
+import { FileServerAdapter } from '.';
+export declare type Config = {
+    bucketName: string;
+    bucketRegion: string;
+};
+interface Initializer<C> {
+    configSpace?: C;
+    s3Client?: typeof S3Client;
+}
+export declare const s3FileServer: <C extends string = "deployed">(initializer: Initializer<C>) => (configProvider: { [key in C]: {
+    bucketName: import("../../config").ConfigValueProvider<string>;
+    bucketRegion: import("../../config").ConfigValueProvider<string>;
+}; }) => FileServerAdapter;
+export {};

package/dist/esm/services/fileServer/s3FileServer.js

@@ -0,0 +1,21 @@
+import { GetObjectCommand, S3Client } from '@aws-sdk/client-s3';
+import { once } from '../..';
+import { assertDefined } from '../../assertions';
+import { resolveConfigValue } from '../../config';
+import { ifDefined } from '../../guards';
+export const s3FileServer = (initializer) => (configProvider) => {
+    const config = configProvider[ifDefined(initializer.configSpace, 'deployed')];
+    const bucketName = once(() => resolveConfigValue(config.bucketName));
+    const bucketRegion = once(() => resolveConfigValue(config.bucketRegion));
+    const client = ifDefined(initializer.s3Client, S3Client);
+    const s3Service = once(async () => new client({ apiVersion: '2012-08-10', region: await bucketRegion() }));
+    const getFileContent = async (source) => {
+        const bucket = await bucketName();
+        const command = new GetObjectCommand({ Bucket: bucket, Key: source.path });
+        const response = await (await s3Service()).send(command);
+        return Buffer.from(await assertDefined(response.Body, new Error('Invalid Response from s3')).transformToByteArray());
+    };
+    return {
+        getFileContent,
+    };
+};