@virtualsearchtable/virtualsearchtable 0.0.1-security → 0.1.0

package/.eslintignore

@@ -0,0 +1,2 @@
+**/dist/
+e2e/browser/test-app/

package/.eslintrc.js

@@ -0,0 +1,8 @@
+require("@rushstack/eslint-patch/modern-module-resolution");
+
+module.exports = {
+  extends: ["@inrupt/eslint-config-lib"],
+  rules: {
+    "import/prefer-default-export": "off"
+  }
+}

package/.github/dependabot.yml

@@ -0,0 +1,24 @@
+version: 2
+updates:
+  # We use "/" as the directory, as this repository is managed by npm workspaces,
+  # and that's where the package-lock.json is located
+  - package-ecosystem: npm
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    # The following is required for workspaces to be updated: see https://github.com/dependabot/dependabot-core/issues/5226.
+    versioning-strategy: increase
+    open-pull-requests-limit: 10
+  - package-ecosystem: npm
+    directory: "/eslint-configs/*"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: npm
+    directory: "e2e/browser/test-app"
+    schedule:
+      interval: "weekly"

package/.github/workflows/audit.yml

@@ -0,0 +1,14 @@
+name: Audit
+
+on:
+  push:
+  schedule:
+    - cron: "40 10 * * *"
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+jobs:
+  audit:
+    uses: ./.github/workflows/reusable-audit.yml
+    secrets:
+      WEBHOOK_E2E_FAILURE: ${{ secrets.WEBHOOK_E2E_FAILURE }}

package/.github/workflows/ci.yml

@@ -0,0 +1,53 @@
+name: CI
+
+on: [push]
+
+env:
+  CI: true
+jobs:
+  lint:
+    uses: ./.github/workflows/reusable-lint.yml
+    with:
+      build: true
+
+  build:
+    runs-on: ${{ matrix.os }}
+    environment:
+      name: ${{ matrix.environment-name }}
+    strategy:
+      fail-fast: true
+      matrix:
+        environment-name: ["ESS PodSpaces"]
+        os: [ubuntu-latest]
+        # Workspaces support was added from npm 7, so Node 14 isn't supported to
+        # build this library.
+        node-version: ["16", "18", "20"]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v3
+        with:
+          node-version: ${{ matrix.node-version }}
+          cache: npm
+          registry-url: "https://registry.npmjs.org"
+      - run: npm ci --workspaces
+      # Running top-level ci should happen after workspaces level, running these
+      # the other way around results in top-level dependencies (namely, lerna)
+      # not being installed.
+      - run: npm ci
+      - run: npm run build
+      - run: npx playwright install --with-deps
+      - run: npm run e2e:test:setup
+      - # Dependabot cannot access secrets, so it doesn't have a token to authenticate to ESS.
+        # We want jobs in this workflow to be gating PRs, so the whole matrix must
+        # run even for dependabot so that the matrixed jobs are skipped, instead
+        # of the whole pipeline.
+        if: ${{ github.actor != 'dependabot[bot]' }}
+        run: npm t
+        env:
+          E2E_DEMO_CLIENT_APP_URL: http://localhost:3001
+          E2E_TEST_USER: ${{ secrets.E2E_TEST_USER }}
+          E2E_TEST_PASSWORD: ${{ secrets.E2E_TEST_PASSWORD }}
+          E2E_TEST_IDP: ${{ secrets.E2E_TEST_IDP }}
+          E2E_TEST_OWNER_CLIENT_ID: ${{ secrets.E2E_TEST_OWNER_CLIENT_ID }}
+          E2E_TEST_OWNER_CLIENT_SECRET: ${{ secrets.E2E_TEST_OWNER_CLIENT_SECRET }}
+          E2E_TEST_ENVIRONMENT: ${{ matrix.environment-name }}

package/.github/workflows/release.yml

@@ -0,0 +1,31 @@
+name: Release
+
+on:
+  pull_request:
+    branches:
+      - main
+    types: [closed]
+
+env:
+  CI: true
+jobs:
+  release-new-version:
+    if: ${{ github.event.pull_request.merged && startsWith(github.head_ref, 'release/') }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v3
+        with:
+          node-version: 20
+          cache: npm
+          registry-url: "https://registry.npmjs.org"
+      - run: npm ci --workspaces
+      # Running top-level ci should happen after workspaces level, running these
+      # the other way around results in top-level dependencies (namely, lerna)
+      # not being installed.
+      - run: npm ci
+      - run: npm run build
+      - run: npm run release
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.INRUPT_NPM_TOKEN }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

package/.github/workflows/reusable-audit.yml

@@ -0,0 +1,41 @@
+name: Reusable Audit Workflow
+
+on:
+  workflow_call:
+    secrets:
+      WEBHOOK_E2E_FAILURE:
+        required: true
+
+jobs:
+  audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v3
+        with:
+          node-version: "20"
+          registry-url: "https://registry.npmjs.org"
+          cache: "npm"
+      # Install dependencies so license-checker actually checks them:
+      - run: npm ci
+      # We check the dependency licenses as part of the audit job, as a
+      # misconfigured or inappropriate dependency license is in the same
+      # category of issues as an npm audit security failure: we consider
+      # bad licenses a vulnerability.
+      - run: npx license-checker --production --failOn "AGPL-1.0-only; AGPL-1.0-or-later; AGPL-3.0-only; AGPL-3.0-or-later; Beerware; CC-BY-NC-1.0; CC-BY-NC-2.0; CC-BY-NC-2.5; CC-BY-NC-3.0; CC-BY-NC-4.0; CC-BY-NC-ND-1.0; CC-BY-NC-ND-2.0; CC-BY-NC-ND-2.5; CC-BY-NC-ND-3.0; CC-BY-NC-ND-4.0; CC-BY-NC-SA-1.0; CC-BY-NC-SA-2.0; CC-BY-NC-SA-2.5; CC-BY-NC-SA-3.0; CC-BY-NC-SA-4.0; CPAL-1.0; EUPL-1.0; EUPL-1.1; EUPL-1.1;  GPL-1.0-only; GPL-1.0-or-later; GPL-2.0-only;  GPL-2.0-or-later; GPL-3.0; GPL-3.0-only; GPL-3.0-or-later; SISSL;  SISSL-1.2; WTFPL"
+      # Run the audit and capture the results
+      - run: npm audit --audit-level=moderate --omit=dev --json true | tee audit.json
+      # Run the audit to check the signatures
+      - run: npm audit signatures
+      - name: Archive audit report
+        uses: actions/upload-artifact@v3
+        continue-on-error: true
+        with:
+          name: audit.json
+          path: audit.json
+      # Publishes a notification to a slack channel:
+      - name: Send a notification that the audit has failed
+        if: failure() && github.event_name == 'schedule'
+        run: "curl -X POST -H Content-type: 'application/json' --data \"{\\\"text\\\":\\\"Automated npm audit --audit-level=moderate failed. View <https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID|the execution log> for more details.\\\"}\" $WEBHOOK_E2E_FAILURE"
+        env:
+          WEBHOOK_E2E_FAILURE: ${{ secrets.WEBHOOK_E2E_FAILURE }}

package/.github/workflows/reusable-lint.yml

@@ -0,0 +1,33 @@
+name: Reusable Lint Workflow
+
+on:
+  workflow_call:
+    inputs:
+      usePackageCheck:
+        required: false
+        default: false
+        type: boolean
+      build:
+        required: false
+        default: false
+        type: boolean
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v3
+        with:
+          node-version: "20"
+          cache: "npm"
+      # Check the package.json is correctly formed
+      - if: ${{inputs.usePackageCheck}}
+        run: npx @skypack/package-check
+      # Install dependencies:
+      - run: npm ci --ignore-scripts
+      # Build the package(s)
+      - if: ${{inputs.build}}
+        run: npm run build
+      # Run the linting command:
+      - run: npm run lint

package/CODEOWNERS

@@ -0,0 +1 @@
+* @inrupt/sdk-owners

package/LICENSE.md

@@ -0,0 +1,18 @@
+Copyright 2020 Inrupt Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to use,
+copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the
+Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
+INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
+PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

package/README.md

@@ -1,5 +1,29 @@
-# Security holding package
+# Overview
 
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
+This repository contains the following:
 
-Please refer to www.npmjs.com/advisories?search=%40virtualsearchtable%2Fvirtualsearchtable for more information.
+- ESLint configurations (see [`eslint-configs/README.md`](./eslint-configs/README.md))
+- Shared GitHub Workflows (see `.github/workflows/reusable-*.yml`)
+- Shared E2E test helpers (coming soon!)
+
+## Releasing
+
+First, decide on what type of release to perform, then:
+
+1. Run: `npm run prepare-release`
+
+   Follow the prompt and select the type of release:
+
+   - Patch (1.0.1)
+   - Minor (1.1.0)
+   - Major (2.0.0)
+   - Prepatch (1.0.1-alpha.0)
+   - Preminor (1.1.0-alpha.0)
+   - Premajor (2.0.0-alpha.0)
+
+   After confirming, this will update all the `package.json` versions to that new version number,
+   checkout a new branch `release/<version>` and commit the changed files.
+
+2. Push the branch & create a pull request
+
+3. Merge the pull request, and then let automation do the rest.

package/e2e/browser/test/e2e.playwright.ts

@@ -0,0 +1,67 @@
+//
+// Copyright Inrupt Inc.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal in
+// the Software without restriction, including without limitation the rights to use,
+// copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the
+// Software, and to permit persons to whom the Software is furnished to do so,
+// subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
+// INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
+// PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+// HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+// OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+// SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+//
+
+/* eslint-disable jest/no-done-callback */
+
+import { test, expect } from "@inrupt/internal-playwright-helpers";
+
+test("creating and removing empty Containers", async ({ page, auth }) => {
+  await auth.login({ allow: true });
+
+  // The button is only shown once the app is ready.
+  await page.waitForSelector("button[data-testid=createContainer]");
+
+  // A root container should have been found.
+  await expect(page.getByTestId("parentContainerUrl")).toContainText(
+    /https:\/\//,
+  );
+  // No child container should be available yet.
+  await expect(page.getByTestId("childContainerUrl")).toContainText("None");
+
+  await Promise.all([
+    page.waitForRequest((request) => request.method() === "POST"),
+    page.waitForResponse((response) => response.status() === 201),
+    page.click("button[data-testid=createContainer]"),
+  ]);
+
+  // The delete button is only shown once the state has been updated after creation.
+  await page.waitForSelector("button[data-testid=deleteContainer]");
+
+  // The child container should have been created under the parent
+  await expect(
+    page.locator("span[data-testid=childContainerUrl]"),
+  ).toContainText(
+    await page.locator("span[data-testid=childContainerUrl]").allInnerTexts(),
+  );
+
+  await Promise.all([
+    page.waitForRequest((request) => request.method() === "DELETE"),
+    page.waitForResponse((response) => response.status() === 204),
+    page.click("button[data-testid=deleteContainer]"),
+  ]);
+
+  await page.waitForSelector("button[data-testid=createContainer]");
+
+  // The child container should have been deleted.
+  await expect(
+    page.locator("span[data-testid=childContainerUrl]"),
+  ).toContainText("None");
+});

package/e2e/browser/test/globalSetup.ts

@@ -0,0 +1,30 @@
+//
+// Copyright Inrupt Inc.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal in
+// the Software without restriction, including without limitation the rights to use,
+// copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the
+// Software, and to permit persons to whom the Software is furnished to do so,
+// subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
+// INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
+// PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+// HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+// OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+// SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+//
+
+import { setupEnv } from "@inrupt/internal-test-env";
+
+async function globalSetup() {
+  setupEnv();
+  // Return the teardown function.
+  return async () => {};
+}
+
+export default globalSetup;

package/e2e/browser/test-app/.eslintrc.js

@@ -0,0 +1,6 @@
+module.exports = {
+  extends: ["../../../.eslintrc.js", "next/core-web-vitals"],
+  parserOptions: {
+    project: "./tsconfig.json",
+  },
+};

package/e2e/browser/test-app/README.md

@@ -0,0 +1,46 @@
+This is a [Next.js](https://nextjs.org/) project bootstrapped with [`create-next-app`](https://github.com/vercel/next.js/tree/canary/packages/create-next-app).
+
+## Getting Started
+
+First, in the root of the project, run:
+
+```bash
+npm run build
+```
+
+Then, on the `test-app` directory, run:
+
+```bash
+npm ci
+```
+
+Then run the development server:
+
+```bash
+npm run dev
+# or
+yarn dev
+```
+
+Open [http://localhost:3000](http://localhost:3000) with your browser to see the result.
+
+You can start editing the page by modifying `pages/index.tsx`. The page auto-updates as you edit the file.
+
+[API routes](https://nextjs.org/docs/api-routes/introduction) can be accessed on [http://localhost:3000/api/hello](http://localhost:3000/api/hello). This endpoint can be edited in `pages/api/hello.ts`.
+
+The `pages/api` directory is mapped to `/api/*`. Files in this directory are treated as [API routes](https://nextjs.org/docs/api-routes/introduction) instead of React pages.
+
+## Learn More
+
+To learn more about Next.js, take a look at the following resources:
+
+- [Next.js Documentation](https://nextjs.org/docs) - learn about Next.js features and API.
+- [Learn Next.js](https://nextjs.org/learn) - an interactive Next.js tutorial.
+
+You can check out [the Next.js GitHub repository](https://github.com/vercel/next.js/) - your feedback and contributions are welcome!
+
+## Deploy on Vercel
+
+The easiest way to deploy your Next.js app is to use the [Vercel Platform](https://vercel.com/new?utm_medium=default-template&filter=next.js&utm_source=create-next-app&utm_campaign=create-next-app-readme) from the creators of Next.js.
+
+Check out our [Next.js deployment documentation](https://nextjs.org/docs/deployment) for more details.

package/e2e/browser/test-app/components/appContainer/index.tsx

@@ -0,0 +1,109 @@
+//
+// Copyright Inrupt Inc.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal in
+// the Software without restriction, including without limitation the rights to use,
+// copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the
+// Software, and to permit persons to whom the Software is furnished to do so,
+// subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
+// INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
+// PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+// HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+// OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+// SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+//
+
+// Disabling the following prevents from having to install before linting from
+// the root.
+// eslint-disable-next-line import/no-unresolved
+import React, { useState, useEffect } from "react";
+import {
+  login,
+  logout,
+  handleIncomingRedirect,
+  getDefaultSession,
+  ISessionInfo,
+} from "@inrupt/solid-client-authn-browser";
+import SolidClient from "../solidClient";
+
+const REDIRECT_URL = window.location.href;
+const APP_NAME = "Solid client browser-based tests app";
+const DEFAULT_ISSUER = "https://login.inrupt.com/";
+
+export default function AppContainer() {
+  const [sessionInfo, setSessionInfo] = useState<ISessionInfo>();
+  const [issuer, setIssuer] = useState<string>(DEFAULT_ISSUER);
+
+  useEffect(() => {
+    handleIncomingRedirect().then(setSessionInfo).catch(console.error);
+  }, []);
+
+  const handleLogin = async () => {
+    try {
+      // Login will redirect the user away so that they can log in the OIDC issuer,
+      // and back to the provided redirect URL (which should be controlled by your app).
+      await login({
+        redirectUrl: REDIRECT_URL,
+        oidcIssuer: issuer,
+        clientName: APP_NAME,
+      });
+    } catch (err) {
+      console.error(err);
+    }
+  };
+
+  const handleLogout = async () => {
+    await logout();
+    setSessionInfo(undefined);
+  };
+
+  return (
+    <>
+      <h1>{APP_NAME}</h1>
+      <p>
+        {sessionInfo?.isLoggedIn
+          ? `Logged in as ${sessionInfo.webId}`
+          : "Not logged in yet"}
+      </p>
+      <form>
+        <input
+          data-testid="identityProviderInput"
+          type="text"
+          value={issuer}
+          onChange={(e) => {
+            setIssuer(e.target.value);
+          }}
+        />
+        <button
+          data-testid="loginButton"
+          onClick={async (e) => {
+            e.preventDefault();
+            await handleLogin();
+          }}
+        >
+          Log In
+        </button>
+        <button
+          data-testid="logoutButton"
+          onClick={async (e) => {
+            e.preventDefault();
+            await handleLogout();
+          }}
+        >
+          Log Out
+        </button>
+      </form>
+      {sessionInfo?.isLoggedIn ? (
+        <SolidClient session={getDefaultSession()} />
+      ) : (
+        <></>
+      )}
+    </>
+  );
+}