@txstate-mws/sveltekit-utils 1.2.8 → 1.3.0

package/dist/api.d.ts

@@ -47,6 +47,7 @@ export declare class APIBase {
         body?: any;
         query?: APIBaseQueryPayload;
         inlineValidation?: boolean;
+        keepalive?: boolean;
     }): Promise<ReturnType>;
     uploadWithProgress(path: string, formData: FormData, progress: APIBaseProgressFn): Promise<any>;
     get<ReturnType = any>(path: string, query?: APIBaseQueryPayload): Promise<ReturnType>;
@@ -109,8 +110,11 @@ export declare class APIBase {
          */
         progress?: APIBaseProgressFn;
     }): Promise<ReturnType>;
+    protected lastAnalyticsSent: number;
     protected analyticsQueue: InteractionEvent[];
+    protected analyticsTimer: ReturnType<typeof setTimeout> | undefined;
     recordInteraction(evt: Optional<InteractionEvent, 'screen'>): void;
+    sendBatchedAnalytics(): Promise<void>;
     /**
      * Due to the mechanics of sveltekit, this function cannot be fully automatic and must
      * be called in your global +layout.svelte

package/dist/api.js

@@ -76,6 +76,13 @@ export class APIBase {
         else {
             this.token ??= sessionStorage.getItem('token') ?? undefined;
         }
+        if (typeof document !== 'undefined') {
+            document.addEventListener("visibilitychange", () => {
+                if (document.visibilityState === "hidden") {
+                    this.sendBatchedAnalytics().catch(console.error);
+                }
+            });
+        }
         this.ready();
     }
     stringifyQuery(query) {
@@ -95,6 +102,7 @@ export class APIBase {
         try {
             const resp = await this.fetch(this.apiBase + path + this.stringifyQuery(opts?.query), {
                 method,
+                keepalive: opts?.keepalive,
                 headers: {
                     Authorization: `Bearer ${this.token ?? ''}`,
                     Accept: 'application/json',
@@ -261,16 +269,28 @@ export class APIBase {
         }
         return gqlresponse.data;
     }
+    lastAnalyticsSent = new Date().getTime();
     analyticsQueue = [];
+    analyticsTimer;
     recordInteraction(evt) {
         evt.screen ??= get(page).route.id;
         this.analyticsQueue.push(evt);
-        setTimeout(() => {
-            const events = [...this.analyticsQueue];
-            this.analyticsQueue.length = 0;
-            if (events.length)
-                this.post('/analytics', events).catch((e) => console.error(e));
-        }, 2000);
+        clearTimeout(this.analyticsTimer);
+        // If the last analytics was sent more than 2 seconds ago, send immediately
+        if (new Date().getTime() - this.lastAnalyticsSent > 2000)
+            this.sendBatchedAnalytics().catch(console.error);
+        // Otherwise, collect more analytics for up to 2 seconds
+        else
+            this.analyticsTimer = setTimeout(() => this.sendBatchedAnalytics().catch(console.error), 2000);
+    }
+    async sendBatchedAnalytics() {
+        const events = [...this.analyticsQueue];
+        this.analyticsQueue.length = 0;
+        if (events.length) {
+            this.lastAnalyticsSent = new Date().getTime();
+            // keepalive true means the request will not be cancelled even if the user navigates away
+            await this.request('/analytics', 'POST', { body: events, keepalive: true });
+        }
     }
     /**
      * Due to the mechanics of sveltekit, this function cannot be fully automatic and must

package/dist/unifiedauth.d.ts

@@ -21,5 +21,45 @@ export declare const unifiedAuth: {
     loginRedirect(api: APIBase, currentUrl: string): URL;
     logout(api: APIBase): void;
     requireAuth(api: APIBase, input: LoadEvent): void;
+    /**
+     * Start impersonating a user. This will store the current token and replace it with
+     * an impersonation token obtained from Unified Auth.
+     *
+     * The impersonation token will expire in 1 hour.
+     */
+    impersonate(api: APIBase, netid: string): Promise<void>;
+    /**
+     * Exit impersonation and restore the original token.
+     */
+    exitImpersonation(api: APIBase): void;
+    /**
+     * Check if the current token is an impersonation token.
+     * Returns { isImpersonating: false } if not impersonating.
+     * Returns { isImpersonating: true, impersonatedUser: string, impersonatedBy: string } if impersonating.
+     */
+    getImpersonationStatus(api: APIBase): {
+        isImpersonating: false;
+    } | {
+        isImpersonating: true;
+        impersonatedUser: string;
+        impersonatedBy: string;
+    };
+    /**
+     * Check if the current user is authorized to impersonate anyone.
+     * Results are cached to avoid repeated requests.
+     *
+     * @param api The API instance
+     * @returns A promise that resolves to true if authorized to impersonate, false otherwise
+     */
+    mayImpersonateAny(api: APIBase): Promise<boolean>;
+    /**
+     * Check if the current user is authorized to impersonate a specific user.
+     * Results are cached to avoid repeated requests.
+     *
+     * @param api The API instance
+     * @param netid The netid to check authorization for
+     * @returns A promise that resolves to true if authorized, false otherwise
+     */
+    mayImpersonate(api: APIBase, netid: string): Promise<boolean>;
 };
 export {};

package/dist/unifiedauth.js

@@ -1,5 +1,52 @@
 import { redirect } from '@sveltejs/kit';
-import { isBlank } from 'txstate-utils';
+import { isBlank, Cache } from 'txstate-utils';
+import { decodeJwt } from 'jose';
+const mayImpersonateAnyCache = new Cache(async (api) => {
+    if (isBlank(api.token))
+        return false;
+    const authUrl = new URL(api.authRedirect);
+    const mayImpersonateUrl = new URL('/mayImpersonate', authUrl.origin);
+    try {
+        const resp = await fetch(mayImpersonateUrl, {
+            method: 'POST',
+            headers: {
+                'Authorization': `Bearer ${api.token}`,
+                'Content-Type': 'application/json'
+            },
+            body: JSON.stringify({})
+        });
+        if (!resp.ok)
+            return false;
+        const { authorized } = await resp.json();
+        return !!authorized;
+    }
+    catch {
+        return false;
+    }
+});
+const mayImpersonateNetidCache = new Cache(async (api, netid) => {
+    if (isBlank(api.token))
+        return false;
+    const authUrl = new URL(api.authRedirect);
+    const mayImpersonateUrl = new URL('/mayImpersonate', authUrl.origin);
+    try {
+        const resp = await fetch(mayImpersonateUrl, {
+            method: 'POST',
+            headers: {
+                'Authorization': `Bearer ${api.token}`,
+                'Content-Type': 'application/json'
+            },
+            body: JSON.stringify({ netid })
+        });
+        if (!resp.ok)
+            return false;
+        const { authorized } = await resp.json();
+        return !!authorized;
+    }
+    catch {
+        return false;
+    }
+});
 export const unifiedAuth = {
     /**
      * Your root +layout.ts' load function should call this method to ensure that it
@@ -32,16 +79,108 @@ export const unifiedAuth = {
     logout(api) {
         if (isBlank(api.token))
             return;
+        // If impersonating, use the original token for logout
+        const originalToken = sessionStorage.getItem('originalToken');
+        const token = originalToken ?? api.token;
         const authRedirect = new URL(api.authRedirect);
         authRedirect.pathname = [...authRedirect.pathname.split('/').slice(0, -1), 'logout'].join('/');
-        authRedirect.searchParams.set('unifiedJwt', api.token);
+        authRedirect.searchParams.set('unifiedJwt', token);
         api.token = undefined;
         sessionStorage.removeItem('token');
+        sessionStorage.removeItem('originalToken');
         window.location.href = authRedirect.toString();
     },
     requireAuth(api, input) {
         if (!api.token) {
             throw redirect(302, this.loginRedirect(api, input.url.toString()));
         }
+    },
+    /**
+     * Start impersonating a user. This will store the current token and replace it with
+     * an impersonation token obtained from Unified Auth.
+     *
+     * The impersonation token will expire in 1 hour.
+     */
+    async impersonate(api, netid) {
+        if (isBlank(api.token))
+            throw new Error('Must be authenticated to impersonate.');
+        // Store original token before impersonating
+        const originalToken = api.token;
+        sessionStorage.setItem('originalToken', originalToken);
+        // Get impersonation token from unified-auth
+        const authUrl = new URL(api.authRedirect);
+        const impersonateUrl = new URL('/impersonate', authUrl.origin);
+        const resp = await fetch(impersonateUrl, {
+            method: 'POST',
+            headers: {
+                'Authorization': `Bearer ${originalToken}`,
+                'Content-Type': 'application/json'
+            },
+            body: JSON.stringify({ netid })
+        });
+        if (!resp.ok) {
+            const error = await resp.text();
+            throw new Error(`Failed to impersonate: ${error}`);
+        }
+        const { token } = await resp.json();
+        // Replace current token with impersonation token
+        api.token = token;
+        sessionStorage.setItem('token', token);
+    },
+    /**
+     * Exit impersonation and restore the original token.
+     */
+    exitImpersonation(api) {
+        const originalToken = sessionStorage.getItem('originalToken');
+        if (!originalToken) {
+            throw new Error('No original token found. Not currently impersonating.');
+        }
+        api.token = originalToken;
+        sessionStorage.setItem('token', originalToken);
+        sessionStorage.removeItem('originalToken');
+    },
+    /**
+     * Check if the current token is an impersonation token.
+     * Returns { isImpersonating: false } if not impersonating.
+     * Returns { isImpersonating: true, impersonatedUser: string, impersonatedBy: string } if impersonating.
+     */
+    getImpersonationStatus(api) {
+        if (isBlank(api.token))
+            return { isImpersonating: false };
+        try {
+            const payload = decodeJwt(api.token);
+            if (payload.act && payload.act.sub) {
+                return {
+                    isImpersonating: true,
+                    impersonatedUser: payload.sub,
+                    impersonatedBy: payload.act.sub
+                };
+            }
+        }
+        catch (e) {
+            // Invalid token, treat as not impersonating
+        }
+        return { isImpersonating: false };
+    },
+    /**
+     * Check if the current user is authorized to impersonate anyone.
+     * Results are cached to avoid repeated requests.
+     *
+     * @param api The API instance
+     * @returns A promise that resolves to true if authorized to impersonate, false otherwise
+     */
+    async mayImpersonateAny(api) {
+        return await mayImpersonateAnyCache.get(api);
+    },
+    /**
+     * Check if the current user is authorized to impersonate a specific user.
+     * Results are cached to avoid repeated requests.
+     *
+     * @param api The API instance
+     * @param netid The netid to check authorization for
+     * @returns A promise that resolves to true if authorized, false otherwise
+     */
+    async mayImpersonate(api, netid) {
+        return await mayImpersonateNetidCache.get(api, netid);
     }
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@txstate-mws/sveltekit-utils",
-  "version": "1.2.8",
+  "version": "1.3.0",
   "description": "Shared library for code that is specifically tied to sveltekit in addition to svelte.",
   "type": "module",
   "exports": {
@@ -16,6 +16,7 @@
     "@txstate-mws/fastify-shared": "^1.0.4",
     "@txstate-mws/svelte-components": "^1.6.1",
     "@txstate-mws/svelte-forms": "^1.5.8",
+    "jose": "^5.0.0",
     "txstate-utils": "^1.8.15"
   },
   "devDependencies": {