@webex/webex-core 3.0.0-beta.34 → 3.0.0-beta.341

package/src/lib/constants.js

@@ -0,0 +1,6 @@
+// Metric to do with WDM registration
+export const METRICS = {
+  JS_SDK_CREDENTIALS_DOWNSCOPE_FAILED: 'JS_SDK_CREDENTIALS_DOWNSCOPE_FAILED',
+  JS_SDK_CREDENTIALS_TOKEN_REFRESH_SCOPE_MISMATCH:
+    'JS_SDK_CREDENTIALS_TOKEN_REFRESH_SCOPE_MISMATCH',
+};

package/src/lib/credentials/credentials.js

@@ -13,10 +13,11 @@ import {clone, cloneDeep, isObject, isEmpty} from 'lodash';
 import WebexPlugin from '../webex-plugin';
 import {persist, waitForValue} from '../storage/decorators';
 
-import grantErrors from './grant-errors';
-import {filterScope, sortScope} from './scope';
+import grantErrors, {OAuthError} from './grant-errors';
+import {filterScope, diffScopes, sortScope} from './scope';
 import Token from './token';
 import TokenCollection from './token-collection';
+import {METRICS} from '../constants';
 
 /**
  * @class
@@ -48,6 +49,25 @@ const Credentials = WebexPlugin.extend({
         return Boolean(this.supertoken && this.supertoken.canRefresh);
       },
     },
+    isUnverifiedGuest: {
+      deps: ['supertoken'],
+      /**
+       * Returns true if the user is an unverified guest
+       * @returns {boolean}
+       */
+      fn() {
+        let isGuest = false;
+        try {
+          isGuest =
+            JSON.parse(base64.decode(this.supertoken.access_token.split('.')[1])).user_type ===
+            'guest';
+        } catch {
+          /* the non-guest token is formatted differently so catch is expected */
+        }
+
+        return isGuest;
+      },
+    },
   },
 
   props: {
@@ -240,8 +260,15 @@ const Credentials = WebexPlugin.extend({
    */
   downscope(scope) {
     return this.supertoken.downscope(scope).catch((reason) => {
-      this.logger.trace(`credentials: failed to downscope supertoken to ${scope}`, reason);
+      const failReason = reason?.body ?? reason;
+      this.logger.warn(`credentials: failed to downscope supertoken to "${scope}"`, failReason);
       this.logger.trace(`credentials: falling back to supertoken for ${scope}`);
+      this.webex.internal.metrics.submitClientMetrics(METRICS.JS_SDK_CREDENTIALS_DOWNSCOPE_FAILED, {
+        fields: {
+          requestedScope: scope,
+          failReason,
+        },
+      });
 
       return Promise.resolve(new Token({scope, ...this.supertoken.serialize()}), {
         parent: this,
@@ -322,12 +349,12 @@ const Credentials = WebexPlugin.extend({
       }
 
       if (!scope) {
-        scope = filterScope('spark:kms', this.config.scope);
+        scope = filterScope('spark:kms', this.supertoken.scope);
       }
 
       scope = sortScope(scope);
 
-      if (scope === sortScope(this.config.scope)) {
+      if (scope === sortScope(this.supertoken.scope)) {
         return Promise.resolve(this.supertoken);
       }
 
@@ -477,42 +504,10 @@ const Credentials = WebexPlugin.extend({
 
     return supertoken
       .refresh()
-      .then((st) => {
-        // clear refresh timer
-        if (this.refreshTimer) {
-          clearTimeout(this.refreshTimer);
-          this.unset('refreshTimer');
-        }
-        this.supertoken = st;
-
-        return Promise.all(
-          tokens.map((token) =>
-            this.downscope(token.scope)
-              // eslint-disable-next-line max-nested-callbacks
-              .then((t) => {
-                this.logger.info(`credentials: revoking token for ${token.scope}`);
-
-                return token
-                  .revoke()
-                  .catch((err) => {
-                    this.logger.warn('credentials: failed to revoke user token', err);
-                  })
-                  .then(() => {
-                    this.userTokens.remove(token.scope);
-                    this.userTokens.add(t);
-                  });
-              })
-          )
-        );
-      })
-      .then(() => {
-        this.scheduleRefresh(this.supertoken.expires);
-      })
       .catch((error) => {
-        const {InvalidRequestError} = grantErrors;
-
-        if (error instanceof InvalidRequestError) {
-          // Error: The refresh token provided is expired, revoked, malformed, or invalid. Hence emit an event to the client, an opportunity to logout.
+        if (error instanceof OAuthError) {
+          // Error: super token refresh failed with 400 status code.
+          // Hence emit an event to the client, an opportunity to logout.
           this.unset('supertoken');
           while (this.userTokens.models.length) {
             try {
@@ -525,6 +520,53 @@ const Credentials = WebexPlugin.extend({
         }
 
         return Promise.reject(error);
+      })
+      .then((st) => {
+        // clear refresh timer
+        if (this.refreshTimer) {
+          clearTimeout(this.refreshTimer);
+          this.unset('refreshTimer');
+        }
+        this.supertoken = st;
+
+        const invalidScopes = diffScopes(this.config.scope, st.scope);
+
+        if (invalidScopes !== '') {
+          this.logger.warn(
+            `credentials: "${invalidScopes}" scope(s) are invalid because not listed in the supertoken, they will be excluded from user token requests.`
+          );
+          this.webex.internal.metrics.submitClientMetrics(
+            METRICS.JS_SDK_CREDENTIALS_TOKEN_REFRESH_SCOPE_MISMATCH,
+            {fields: {invalidScopes}}
+          );
+        }
+
+        return Promise.all(
+          tokens.map((token) => {
+            const tokenScope = filterScope(diffScopes(token.scope, st.scope), token.scope);
+
+            return (
+              this.downscope(tokenScope)
+                // eslint-disable-next-line max-nested-callbacks
+                .then((t) => {
+                  this.logger.info(`credentials: revoking token for ${token.scope}`);
+
+                  return token
+                    .revoke()
+                    .catch((err) => {
+                      this.logger.warn('credentials: failed to revoke user token', err);
+                    })
+                    .then(() => {
+                      this.userTokens.remove(token.scope);
+                      this.userTokens.add(t);
+                    });
+                })
+            );
+          })
+        );
+      })
+      .then(() => {
+        this.scheduleRefresh(this.supertoken.expires);
       });
   },
 

package/src/lib/credentials/scope.js

@@ -2,6 +2,8 @@
  * Copyright (c) 2015-2020 Cisco Systems, Inc. See LICENSE file.
  */
 
+import {difference} from 'lodash';
+
 /**
  * sorts a list of scopes
  * @param {string} scope
@@ -17,7 +19,7 @@ export function sortScope(scope) {
 
 /**
  * sorts a list of scopes and filters the specified scope
- * @param {string} toFilter
+ * @param {string|string[]} toFilter
  * @param {string} scope
  * @returns {string}
  */
@@ -25,10 +27,25 @@ export function filterScope(toFilter, scope) {
   if (!scope) {
     return '';
   }
+  const toFilterArr = Array.isArray(toFilter) ? toFilter : [toFilter];
 
   return scope
     .split(' ')
-    .filter((item) => item !== toFilter)
+    .filter((item) => !toFilterArr.includes(item))
     .sort()
     .join(' ');
 }
+
+/**
+ * Returns a string containing all items in scopeA that are not in scopeB, or an empty string if there are none.
+ *
+ * @param {string} scopeA
+ * @param {string} scopeB
+ * @returns {string}
+ */
+export function diffScopes(scopeA, scopeB) {
+  const a = scopeA?.split(' ') ?? [];
+  const b = scopeB?.split(' ') ?? [];
+
+  return difference(a, b).sort().join(' ');
+}

package/src/lib/services/interceptors/service.js

@@ -36,11 +36,11 @@ export default class ServiceInterceptor extends Interceptor {
 
     // Destructure commonly referenced namespaces.
     const {services} = this.webex.internal;
-    const {service, resource} = options;
+    const {service, resource, waitForServiceTimeout} = options;
 
     // Attempt to collect the service url.
     return services
-      .waitForService({name: service})
+      .waitForService({name: service, timeout: waitForServiceTimeout})
       .then((serviceUrl) => {
         // Generate the combined service url and resource.
         options.uri = this.generateUri(serviceUrl, resource);

package/src/lib/services/service-catalog.js

@@ -413,6 +413,8 @@ const ServiceCatalog = AmpState.extend({
         resolve();
       }
 
+      const validatedTimeout = typeof timeout === 'number' && timeout >= 0 ? timeout : 60;
+
       const timeoutTimer = setTimeout(
         () =>
           reject(
@@ -420,7 +422,7 @@ const ServiceCatalog = AmpState.extend({
               `services: timeout occured while waiting for '${serviceGroup}' catalog to populate`
             )
           ),
-        timeout ? timeout * 1000 : 60000
+        validatedTimeout * 1000
       );
 
       this.once(serviceGroup, () => {

package/src/lib/services/services.js

@@ -49,6 +49,8 @@ const Services = WebexPlugin.extend({
 
   _serviceUrls: null,
 
+  _hostCatalog: null,
+
   /**
    * Get the registry associated with this webex instance.
    *
@@ -157,6 +159,15 @@ const Services = WebexPlugin.extend({
     this._serviceUrls = {...this._serviceUrls, ...serviceUrls};
   },
 
+  /**
+   * saves the hostCatalog object
+   * @param {Object} hostCatalog
+   * @returns {void}
+   */
+  _updateHostCatalog(hostCatalog) {
+    this._hostCatalog = {...this._hostCatalog, ...hostCatalog};
+  },
+
   /**
    * Update a list of `serviceUrls` to the most current
    * catalog via the defined `discoveryUrl` then returns the current
@@ -720,6 +731,7 @@ const Services = WebexPlugin.extend({
     // update all the service urls in the host catalog
 
     this._updateServiceUrls(serviceHostmap.serviceLinks);
+    this._updateHostCatalog(serviceHostmap.hostCatalog);
 
     return formattedHostmap;
   },

package/src/webex-core.js

@@ -6,7 +6,12 @@ import {EventEmitter} from 'events';
 import util from 'util';
 
 import {proxyEvents, retry, transferEvents} from '@webex/common';
-import {HttpStatusInterceptor, defaults as requestDefaults} from '@webex/http-core';
+import {
+  HttpStatusInterceptor,
+  defaults as requestDefaults,
+  protoprepareFetchOptions as prepareFetchOptions,
+  setTimingsAndFetch as _setTimingsAndFetch,
+} from '@webex/http-core';
 import {defaultsDeep, get, isFunction, isString, last, merge, omit, set, unset} from 'lodash';
 import AmpState from 'ampersand-state';
 import uuid from 'uuid';
@@ -402,6 +407,13 @@ const WebexCore = AmpState.extend({
       interceptors: ints,
     });
 
+    this.prepareFetchOptions = prepareFetchOptions({
+      json: true,
+      interceptors: ints,
+    });
+
+    this.setTimingsAndFetch = _setTimingsAndFetch;
+
     let sessionId = `${get(this, 'config.trackingIdPrefix', 'webex-js-sdk')}_${get(
       this,
       'config.trackingIdBase',

package/test/unit/spec/credentials/credentials.js

@@ -11,6 +11,7 @@ import {inBrowser} from '@webex/common';
 import FakeTimers from '@sinonjs/fake-timers';
 import {skipInBrowser} from '@webex/test-helper-mocha';
 import Logger from '@webex/plugin-logger';
+import Metrics, {config} from '@webex/internal-plugin-metrics';
 
 /* eslint camelcase: [0] */
 
@@ -59,6 +60,34 @@ describe('webex-core', () => {
       });
     });
 
+    describe('#isUnverifiedGuest', () => {
+      let credentials;
+      let webex;
+      beforeEach('generate the webex instance', () => {
+        webex = new MockWebex();
+        credentials = new Credentials(undefined, {parent: webex});
+      });
+
+      it('should have #isUnverifiedGuest', () => {
+        assert.exists(credentials.isUnverifiedGuest);
+      });
+
+      it('should get the user status and return as a boolean', () => {
+        credentials.set('supertoken', 'AT');
+        assert.isFalse(credentials.isUnverifiedGuest);
+      });
+
+      it('should get guest user ', () => {
+        credentials.set('supertoken', 'eyJhbGciOiJSUzI1NiJ9.eyJ1c2VyX3R5cGUiOiJndWVzdCJ9');
+        assert.isTrue(credentials.isUnverifiedGuest);
+      });
+
+      it('should get login user ', () => {
+        credentials.set('supertoken', 'dGhpc2lzbm90YXJlYWx1c2VydG9rZW4=');
+        assert.isFalse(credentials.isUnverifiedGuest);
+      });
+    });
+
     describe('#canAuthorize', () => {
       it('indicates if the current state has enough information to populate an auth header, even if a token refresh or token downscope is required', () => {
         const webex = new MockWebex();
@@ -417,7 +446,11 @@ describe('webex-core', () => {
         });
 
       it('schedules a refreshTimer', () => {
-        const webex = new MockWebex();
+        const webex = new MockWebex({
+          children: {
+            metrics: Metrics,
+          },
+        });
         const supertoken = makeToken(webex, {
           access_token: 'ST',
           refresh_token: 'RT',
@@ -430,6 +463,7 @@ describe('webex-core', () => {
         });
 
         sinon.stub(supertoken, 'refresh').returns(Promise.resolve(supertoken2));
+        sinon.stub(webex.internal.metrics, 'submitClientMetrics').callsFake(() => {});
         const credentials = new Credentials(supertoken, {parent: webex});
 
         webex.trigger('change:config');
@@ -464,7 +498,19 @@ describe('webex-core', () => {
     });
 
     describe('#getUserToken()', () => {
-      it('resolves with the supertoken if the supertoken matches the requested scopes');
+      it('resolves with the supertoken if the supertoken matches the requested scopes', () => {
+        const webex = new MockWebex();
+        const credentials = new Credentials(undefined, {parent: webex});
+
+        webex.trigger('change:config');
+        const st = makeToken(webex, {access_token: 'ST', scope: 'scope1'});
+
+        credentials.set({
+          supertoken: st,
+        });
+
+        return credentials.getUserToken('scope1').then((result) => assert.deepEqual(result, st));
+      });
 
       it('resolves with the token identified by the specified scopes', () => {
         const webex = new MockWebex();
@@ -492,6 +538,25 @@ describe('webex-core', () => {
         ]);
       });
 
+      it('uses the supertoken.scope instead of the config.scope for downscope', () => {
+        const webex = new MockWebex();
+        const credentials = new Credentials(undefined, {parent: webex});
+
+        webex.trigger('change:config');
+        const st = makeToken(webex, {access_token: 'ST', scope: 'scope1 spark:kms'});
+
+        credentials.set({
+          supertoken: st,
+          scope: 'invalidScope scope1',
+        });
+
+        sinon.stub(credentials, 'downscope').returns(Promise.resolve());
+
+        return credentials.getUserToken().then(() => {
+          assert.calledWith(credentials.downscope, 'scope1');
+        });
+      });
+
       describe('when no matching token is found', () => {
         it('downscopes the supertoken', () => {
           const webex = new MockWebex();
@@ -529,13 +594,13 @@ describe('webex-core', () => {
         it('resolves with a token containing all but the kms scopes', () => {
           const webex = new MockWebex();
 
-          webex.config.credentials.scope = 'scope1 spark:kms';
           const credentials = new Credentials(undefined, {parent: webex});
 
           webex.trigger('change:config');
 
           credentials.supertoken = makeToken(webex, {
             access_token: 'ST',
+            scope: 'scope1 spark:kms',
           });
 
           // const t2 = makeToken(webex, {
@@ -562,9 +627,11 @@ describe('webex-core', () => {
           const webex = new MockWebex({
             children: {
               logger: Logger,
+              metrics: Metrics,
             },
           });
 
+          webex.config.metrics = config.metrics;
           webex.config.credentials.scope = 'scope1 spark:kms';
           const credentials = new Credentials(undefined, {parent: webex});
 
@@ -574,9 +641,11 @@ describe('webex-core', () => {
             access_token: 'ST',
           });
 
-          sinon
-            .stub(credentials.supertoken, 'downscope')
-            .returns(Promise.reject(new Error('downscope failed')));
+          const failReason = 'downscope failed';
+          sinon.stub(credentials.supertoken, 'downscope').returns(Promise.reject(failReason));
+
+          sinon.stub(credentials.logger, 'warn').callsFake(() => {});
+          sinon.stub(webex.internal.metrics, 'submitClientMetrics').callsFake(() => {});
 
           const t1 = makeToken(webex, {
             access_token: 'AT1',
@@ -587,14 +656,27 @@ describe('webex-core', () => {
             userTokens: [t1],
           });
 
-          return credentials
-            .getUserToken('scope2')
-            .then((t) => assert.equal(t.access_token, credentials.supertoken.access_token));
+          return credentials.getUserToken('scope2').then((t) => {
+            assert.equal(t.access_token, credentials.supertoken.access_token);
+            assert.calledWith(
+              credentials.logger.warn,
+              'credentials: failed to downscope supertoken to "scope2"'
+            );
+            assert.calledWith(
+              webex.internal.metrics.submitClientMetrics,
+              'JS_SDK_CREDENTIALS_DOWNSCOPE_FAILED',
+              {fields: {failReason, requestedScope: 'scope2'}}
+            );
+          });
         });
       });
 
       it('is blocked while a token refresh is inflight', () => {
-        const webex = new MockWebex();
+        const webex = new MockWebex({
+          children: {
+            metrics: Metrics,
+          },
+        });
 
         webex.config.credentials.scope = 'scope1 spark:kms';
         const credentials = new Credentials(undefined, {parent: webex});
@@ -620,6 +702,7 @@ describe('webex-core', () => {
         const at2 = makeToken(webex, {access_token: 'ST2ATD'});
 
         sinon.stub(supertoken2, 'downscope').returns(Promise.resolve(at2));
+        sinon.stub(webex.internal.metrics, 'submitClientMetrics').callsFake(() => {});
 
         return Promise.all([
           credentials.refresh(),
@@ -750,18 +833,24 @@ describe('webex-core', () => {
 
     describe('#refresh()', () => {
       it('refreshes and downscopes the supertoken, and revokes previous tokens', () => {
-        const webex = new MockWebex();
+        const webex = new MockWebex({
+          children: {
+            metrics: Metrics,
+          },
+        });
         const credentials = new Credentials(undefined, {parent: webex});
 
         webex.trigger('change:config');
         const st = makeToken(webex, {
           access_token: 'ST',
           refresh_token: 'RT',
+          scope: 'scope1 scope2',
         });
 
         const st2 = makeToken(webex, {
           access_token: 'ST2',
           refresh_token: 'RT2',
+          scope: 'scope1 scope2',
         });
 
         const t1 = makeToken(webex, {
@@ -778,6 +867,7 @@ describe('webex-core', () => {
         sinon.stub(st, 'refresh').returns(Promise.resolve(st2));
         sinon.stub(t1, 'revoke').returns(Promise.resolve());
         sinon.spy(credentials, 'scheduleRefresh');
+        sinon.stub(webex.internal.metrics, 'submitClientMetrics').callsFake(() => {});
 
         credentials.set({
           supertoken: st,
@@ -797,7 +887,11 @@ describe('webex-core', () => {
       });
 
       it('refreshes and downscopes the supertoken even if revocation of previous token fails', () => {
-        const webex = new MockWebex();
+        const webex = new MockWebex({
+          children: {
+            metrics: Metrics,
+          },
+        });
         const credentials = new Credentials(undefined, {parent: webex});
 
         webex.trigger('change:config');
@@ -809,6 +903,7 @@ describe('webex-core', () => {
         const st2 = makeToken(webex, {
           access_token: 'ST2',
           refresh_token: 'RT2',
+          scope: 'scope1 scope2',
         });
 
         const t1 = makeToken(webex, {
@@ -825,6 +920,7 @@ describe('webex-core', () => {
         sinon.stub(st, 'refresh').returns(Promise.resolve(st2));
         sinon.stub(t1, 'revoke').returns(Promise.reject());
         sinon.spy(credentials, 'scheduleRefresh');
+        sinon.stub(webex.internal.metrics, 'submitClientMetrics').callsFake(() => {});
 
         credentials.set({
           supertoken: st,
@@ -847,6 +943,7 @@ describe('webex-core', () => {
         const webex = new MockWebex({
           children: {
             logger: Logger,
+            metrics: Metrics,
           },
         });
         const credentials = new Credentials(undefined, {parent: webex});
@@ -855,9 +952,11 @@ describe('webex-core', () => {
         const st = makeToken(webex, {
           access_token: 'ST',
           refresh_token: 'RT',
+          scope: '',
         });
 
         sinon.stub(st, 'refresh').returns(Promise.resolve(makeToken(webex, {access_token: 'ST2'})));
+        sinon.stub(webex.internal.metrics, 'submitClientMetrics').callsFake(() => {});
 
         const t1 = makeToken(webex, {
           access_token: 'AT1',
@@ -873,7 +972,7 @@ describe('webex-core', () => {
       });
 
       it('allows #getUserToken() to be revoked, but #getUserToken() promises will not resolve until the suport token has been refreshed', () => {
-        const webex = new MockWebex();
+        const webex = new MockWebex({children: {metrics: Metrics}});
         const credentials = new Credentials(undefined, {parent: webex});
 
         webex.trigger('change:config');
@@ -899,6 +998,7 @@ describe('webex-core', () => {
 
         sinon.stub(st1, 'refresh').returns(Promise.resolve(st2));
         sinon.stub(st2, 'downscope').returns(Promise.resolve(t2));
+        sinon.stub(webex.internal.metrics, 'submitClientMetrics').callsFake(() => {});
 
         credentials.set({
           supertoken: st1,
@@ -955,6 +1055,61 @@ describe('webex-core', () => {
             assert.calledWith(triggerSpy, sinon.match('client:InvalidRequestError'));
           });
       });
+
+      it('exclude invalid scopes from user token, log and call metrics when fetched supertoken scope mismatch with the configured scope', () => {
+        const webex = new MockWebex({
+          children: {
+            logger: Logger,
+            metrics: Metrics,
+          },
+        });
+        const credentials = new Credentials(undefined, {parent: webex});
+
+        webex.trigger('change:config');
+        const st = makeToken(webex, {
+          access_token: 'ST',
+          refresh_token: 'RT',
+        });
+
+        const st2 = makeToken(webex, {
+          access_token: 'ST2',
+          refresh_token: 'RT2',
+          scope: 'scope1',
+        });
+
+        const userToken = makeToken(webex, {
+          access_token: 'AT1',
+          scope: 'scope1 invalidScope1',
+        });
+
+        credentials.set({
+          supertoken: st,
+          userTokens: [userToken],
+        });
+        const invalidScopes = 'invalidScope1 invalidScope2';
+        credentials.config.scope = `scope1 ${invalidScopes}`;
+
+        sinon.stub(st2, 'downscope').returns(Promise.resolve());
+        sinon.stub(st, 'refresh').returns(Promise.resolve(st2));
+        sinon.spy(credentials, 'downscope');
+        sinon.spy(credentials, 'scheduleRefresh');
+
+        sinon.stub(credentials.logger, 'warn').callsFake(() => {});
+        sinon.stub(webex.internal.metrics, 'submitClientMetrics').callsFake(() => {});
+
+        return credentials.refresh().then(() => {
+          assert.calledWith(
+            credentials.logger.warn,
+            `credentials: "${invalidScopes}" scope(s) are invalid because not listed in the supertoken, they will be excluded from user token requests.`
+          );
+          assert.calledWith(
+            webex.internal.metrics.submitClientMetrics,
+            'JS_SDK_CREDENTIALS_TOKEN_REFRESH_SCOPE_MISMATCH',
+            {fields: {invalidScopes}}
+          );
+          assert.calledWith(credentials.downscope, 'scope1');
+        });
+      });
     });
 
     describe('#scheduleRefresh()', () => {