@webex/webex-core 3.0.0-beta.4 → 3.0.0-beta.400

package/src/lib/credentials/credentials.js

@@ -6,52 +6,40 @@ import querystring from 'querystring';
 import url from 'url';
 
 import jwt from 'jsonwebtoken';
-import {
-  base64,
-  makeStateDataType,
-  oneFlight,
-  tap,
-  whileInFlight
-} from '@webex/common';
+import {base64, makeStateDataType, oneFlight, tap, whileInFlight} from '@webex/common';
 import {safeSetTimeout} from '@webex/common-timers';
 import {clone, cloneDeep, isObject, isEmpty} from 'lodash';
 
 import WebexPlugin from '../webex-plugin';
 import {persist, waitForValue} from '../storage/decorators';
 
-import grantErrors from './grant-errors';
-import {filterScope, sortScope} from './scope';
+import grantErrors, {OAuthError} from './grant-errors';
+import {filterScope, diffScopes, sortScope} from './scope';
 import Token from './token';
 import TokenCollection from './token-collection';
+import {METRICS} from '../constants';
 
 /**
  * @class
  */
 const Credentials = WebexPlugin.extend({
   collections: {
-    userTokens: TokenCollection
+    userTokens: TokenCollection,
   },
 
   dataTypes: {
-    token: makeStateDataType(Token, 'token').dataType
+    token: makeStateDataType(Token, 'token').dataType,
   },
 
   derived: {
     canAuthorize: {
-      deps: [
-        'supertoken',
-        'supertoken.canAuthorize',
-        'canRefresh'
-      ],
+      deps: ['supertoken', 'supertoken.canAuthorize', 'canRefresh'],
       fn() {
-        return Boolean(this.supertoken && this.supertoken.canAuthorize || this.canRefresh);
-      }
+        return Boolean((this.supertoken && this.supertoken.canAuthorize) || this.canRefresh);
+      },
     },
     canRefresh: {
-      deps: [
-        'supertoken',
-        'supertoken.canRefresh'
-      ],
+      deps: ['supertoken', 'supertoken.canRefresh'],
       fn() {
         // If we're operating in JWT mode, we have to delegate to the consumer
         if (this.config.jwtRefreshCallback) {
@@ -59,12 +47,31 @@ const Credentials = WebexPlugin.extend({
         }
 
         return Boolean(this.supertoken && this.supertoken.canRefresh);
-      }
-    }
+      },
+    },
+    isUnverifiedGuest: {
+      deps: ['supertoken'],
+      /**
+       * Returns true if the user is an unverified guest
+       * @returns {boolean}
+       */
+      fn() {
+        let isGuest = false;
+        try {
+          isGuest =
+            JSON.parse(base64.decode(this.supertoken.access_token.split('.')[1])).user_type ===
+            'guest';
+        } catch {
+          /* the non-guest token is formatted differently so catch is expected */
+        }
+
+        return isGuest;
+      },
+    },
   },
 
   props: {
-    supertoken: makeStateDataType(Token, 'token').prop
+    supertoken: makeStateDataType(Token, 'token').prop,
   },
 
   namespace: 'Credentials',
@@ -72,7 +79,7 @@ const Credentials = WebexPlugin.extend({
   session: {
     isRefreshing: {
       default: false,
-      type: 'boolean'
+      type: 'boolean',
     },
     /**
      * Becomes `true` once the {@link loaded} event fires.
@@ -83,12 +90,12 @@ const Credentials = WebexPlugin.extend({
      */
     ready: {
       default: false,
-      type: 'boolean'
+      type: 'boolean',
     },
     refreshTimer: {
       default: undefined,
-      type: 'any'
-    }
+      type: 'any',
+    },
   },
 
   /**
@@ -120,8 +127,7 @@ const Credentials = WebexPlugin.extend({
     if (options.state) {
       if (!isEmpty(options.state)) {
         options.state = base64.toBase64Url(JSON.stringify(options.state));
-      }
-      else {
+      } else {
         delete options.state;
       }
     }
@@ -137,27 +143,21 @@ const Credentials = WebexPlugin.extend({
    * @returns {string} - The OrgId.
    */
   getOrgId() {
-    this.logger.info(
-      'credentials: attempting to retrieve the OrgId from token'
-    );
+    this.logger.info('credentials: attempting to retrieve the OrgId from token');
 
     try {
       // Attempt to extract a client-authenticated token's OrgId.
       this.logger.info('credentials: trying to extract OrgId from JWT');
 
       return this.extractOrgIdFromJWT(this.supertoken.access_token);
-    }
-    catch (e) {
+    } catch (e) {
       // Attempt to extract a user token's OrgId.
       this.logger.info('credentials: could not extract OrgId from JWT');
-      this.logger.info(
-        'credentials: attempting to extract OrgId from user token'
-      );
+      this.logger.info('credentials: attempting to extract OrgId from user token');
 
       try {
         return this.extractOrgIdFromUserToken(this.supertoken?.access_token);
-      }
-      catch (f) {
+      } catch (f) {
         this.logger.info('credentials: could not extract OrgId from user token');
         throw f;
       }
@@ -218,10 +218,11 @@ const Credentials = WebexPlugin.extend({
    * @returns {[type]}
    */
   buildLogoutUrl(options = {}) {
-    return `${this.config.logoutUrl}?${querystring.stringify(Object.assign({
+    return `${this.config.logoutUrl}?${querystring.stringify({
       cisService: this.config.service,
-      goto: this.config.redirect_uri
-    }, options))}`;
+      goto: this.config.redirect_uri,
+      ...options,
+    })}`;
   },
 
   /**
@@ -233,7 +234,7 @@ const Credentials = WebexPlugin.extend({
    * @returns {number}
    */
   calcRefreshTimeout(expiration) {
-    return Math.floor((Math.floor(Math.random() * 4) + 6) / 10 * expiration);
+    return Math.floor(((Math.floor(Math.random() * 4) + 6) / 10) * expiration);
   },
 
   constructor(...args) {
@@ -258,13 +259,21 @@ const Credentials = WebexPlugin.extend({
    * @returns {Promise<Token>}
    */
   downscope(scope) {
-    return this.supertoken.downscope(scope)
-      .catch((reason) => {
-        this.logger.trace(`credentials: failed to downscope supertoken to ${scope}`, reason);
-        this.logger.trace(`credentials: falling back to supertoken for ${scope}`);
+    return this.supertoken.downscope(scope).catch((reason) => {
+      const failReason = reason?.body ?? reason;
+      this.logger.warn(`credentials: failed to downscope supertoken to "${scope}"`, failReason);
+      this.logger.trace(`credentials: falling back to supertoken for ${scope}`);
+      this.webex.internal.metrics.submitClientMetrics(METRICS.JS_SDK_CREDENTIALS_DOWNSCOPE_FAILED, {
+        fields: {
+          requestedScope: scope,
+          failReason,
+        },
+      });
 
-        return Promise.resolve(new Token(Object.assign({scope}, this.supertoken.serialize())), {parent: this});
+      return Promise.resolve(new Token({scope, ...this.supertoken.serialize()}), {
+        parent: this,
       });
+    });
   },
 
   /**
@@ -279,23 +288,24 @@ const Credentials = WebexPlugin.extend({
   getClientToken(options = {}) {
     this.logger.info('credentials: requesting client credentials grant');
 
-    return this.webex.request({
-      /* eslint-disable camelcase */
-      method: 'POST',
-      uri: options.uri || this.config.tokenUrl,
-      form: {
-        grant_type: 'client_credentials',
-        scope: options.scope || 'webexsquare:admin',
-        self_contained_token: true
-      },
-      auth: {
-        user: this.config.client_id,
-        pass: this.config.client_secret,
-        sendImmediately: true
-      },
-      shouldRefreshAccessToken: false
-      /* eslint-enable camelcase */
-    })
+    return this.webex
+      .request({
+        /* eslint-disable camelcase */
+        method: 'POST',
+        uri: options.uri || this.config.tokenUrl,
+        form: {
+          grant_type: 'client_credentials',
+          scope: options.scope || 'webexsquare:admin',
+          self_contained_token: true,
+        },
+        auth: {
+          user: this.config.client_id,
+          pass: this.config.client_secret,
+          sendImmediately: true,
+        },
+        shouldRefreshAccessToken: false,
+        /* eslint-enable camelcase */
+      })
       .then((res) => new Token(res.body, {parent: this}))
       .catch((res) => {
         if (res.statusCode !== 400) {
@@ -320,41 +330,44 @@ const Credentials = WebexPlugin.extend({
    * @returns {Promise<Token>}
    */
   getUserToken(scope) {
-    return Promise.resolve(!this.isRefreshing || new Promise((resolve) => {
-      this.logger.info('credentials: token refresh inflight; delaying getUserToken until refresh completes');
-      this.once('change:isRefreshing', () => {
-        this.logger.info('credentials: token refresh complete; reinvoking getUserToken');
-        resolve();
-      });
-    }))
-      .then(() => {
-        if (!this.canAuthorize) {
-          this.logger.info('credentials: cannot produce an access token from current state');
-
-          return Promise.reject(new Error('Current state cannot produce an access token'));
-        }
+    return Promise.resolve(
+      !this.isRefreshing ||
+        new Promise((resolve) => {
+          this.logger.info(
+            'credentials: token refresh inflight; delaying getUserToken until refresh completes'
+          );
+          this.once('change:isRefreshing', () => {
+            this.logger.info('credentials: token refresh complete; reinvoking getUserToken');
+            resolve();
+          });
+        })
+    ).then(() => {
+      if (!this.canAuthorize) {
+        this.logger.info('credentials: cannot produce an access token from current state');
+
+        return Promise.reject(new Error('Current state cannot produce an access token'));
+      }
 
-        if (!scope) {
-          scope = filterScope('spark:kms', this.config.scope);
-        }
+      if (!scope) {
+        scope = filterScope('spark:kms', this.supertoken.scope);
+      }
 
-        scope = sortScope(scope);
+      scope = sortScope(scope);
 
-        if (scope === sortScope(this.config.scope)) {
-          return Promise.resolve(this.supertoken);
-        }
+      if (scope === sortScope(this.supertoken.scope)) {
+        return Promise.resolve(this.supertoken);
+      }
 
-        const token = this.userTokens.get(scope);
+      const token = this.userTokens.get(scope);
 
-        // we should also check for the token.access_token since token object does
-        // not get cleared on unsetting while logging out.
-        if (!token || !token.access_token) {
-          return this.downscope(scope)
-            .then(tap((t) => this.userTokens.add(t)));
-        }
+      // we should also check for the token.access_token since token object does
+      // not get cleared on unsetting while logging out.
+      if (!token || !token.access_token) {
+        return this.downscope(scope).then(tap((t) => this.userTokens.add(t)));
+      }
 
-        return Promise.resolve(token);
-      });
+      return Promise.resolve(token);
+    });
   },
 
   @persist('@')
@@ -380,8 +393,7 @@ const Credentials = WebexPlugin.extend({
       if (attrs.authorization) {
         if (attrs.authorization.supertoken) {
           this.supertoken = attrs.authorization.supertoken;
-        }
-        else {
+        } else {
           this.supertoken = attrs.authorization;
         }
       }
@@ -434,16 +446,14 @@ const Credentials = WebexPlugin.extend({
 
     try {
       this.unset('supertoken');
-    }
-    catch (err) {
+    } catch (err) {
       this.logger.warn('credentials: failed to clear supertoken', err);
     }
 
     while (this.userTokens.models.length) {
       try {
         this.userTokens.remove(this.userTokens.models[0]);
-      }
-      catch (err) {
+      } catch (err) {
         this.logger.warn('credentials: failed to remove user token', err);
       }
     }
@@ -480,52 +490,29 @@ const Credentials = WebexPlugin.extend({
     // while I like #2 from a code simplicity standpoint, the third-party DX
     // isn't great
     if (this.config.jwtRefreshCallback) {
-      return this.config.jwtRefreshCallback(this.webex)
-        .then((jwt) => this.webex.authorization.requestAccessTokenFromJwt({jwt}));
+      return (
+        this.config
+          .jwtRefreshCallback(this.webex)
+          // eslint-disable-next-line no-shadow
+          .then((jwt) => this.webex.authorization.requestAccessTokenFromJwt({jwt}))
+      );
     }
 
     if (this.webex.internal.services) {
       this.webex.internal.services.updateCredentialsConfig();
     }
 
-    return supertoken.refresh()
-      .then((st) => {
-        // clear refresh timer
-        if (this.refreshTimer) {
-          clearTimeout(this.refreshTimer);
-          this.unset('refreshTimer');
-        }
-        this.supertoken = st;
-
-        return Promise.all(tokens.map((token) => this.downscope(token.scope)
-          // eslint-disable-next-line max-nested-callbacks
-          .then((t) => {
-            this.logger.info(`credentials: revoking token for ${token.scope}`);
-
-            return token.revoke()
-              .catch((err) => {
-                this.logger.warn('credentials: failed to revoke user token', err);
-              })
-              .then(() => {
-                this.userTokens.remove(token.scope);
-                this.userTokens.add(t);
-              });
-          })));
-      })
-      .then(() => {
-        this.scheduleRefresh(this.supertoken.expires);
-      })
+    return supertoken
+      .refresh()
       .catch((error) => {
-        const {InvalidRequestError} = grantErrors;
-
-        if (error instanceof InvalidRequestError) {
-          // Error: The refresh token provided is expired, revoked, malformed, or invalid. Hence emit an event to the client, an opportunity to logout.
+        if (error instanceof OAuthError) {
+          // Error: super token refresh failed with 400 status code.
+          // Hence emit an event to the client, an opportunity to logout.
           this.unset('supertoken');
           while (this.userTokens.models.length) {
             try {
               this.userTokens.remove(this.userTokens.models[0]);
-            }
-            catch (err) {
+            } catch (err) {
               this.logger.warn('credentials: failed to remove user token', err);
             }
           }
@@ -533,6 +520,53 @@ const Credentials = WebexPlugin.extend({
         }
 
         return Promise.reject(error);
+      })
+      .then((st) => {
+        // clear refresh timer
+        if (this.refreshTimer) {
+          clearTimeout(this.refreshTimer);
+          this.unset('refreshTimer');
+        }
+        this.supertoken = st;
+
+        const invalidScopes = diffScopes(this.config.scope, st.scope);
+
+        if (invalidScopes !== '') {
+          this.logger.warn(
+            `credentials: "${invalidScopes}" scope(s) are invalid because not listed in the supertoken, they will be excluded from user token requests.`
+          );
+          this.webex.internal.metrics.submitClientMetrics(
+            METRICS.JS_SDK_CREDENTIALS_TOKEN_REFRESH_SCOPE_MISMATCH,
+            {fields: {invalidScopes}}
+          );
+        }
+
+        return Promise.all(
+          tokens.map((token) => {
+            const tokenScope = filterScope(diffScopes(token.scope, st.scope), token.scope);
+
+            return (
+              this.downscope(tokenScope)
+                // eslint-disable-next-line max-nested-callbacks
+                .then((t) => {
+                  this.logger.info(`credentials: revoking token for ${token.scope}`);
+
+                  return token
+                    .revoke()
+                    .catch((err) => {
+                      this.logger.warn('credentials: failed to revoke user token', err);
+                    })
+                    .then(() => {
+                      this.userTokens.remove(token.scope);
+                      this.userTokens.add(t);
+                    });
+                })
+            );
+          })
+        );
+      })
+      .then(() => {
+        this.scheduleRefresh(this.supertoken.expires);
       });
   },
 
@@ -551,12 +585,10 @@ const Credentials = WebexPlugin.extend({
       const timeoutLength = this.calcRefreshTimeout(expiresIn);
 
       this.refreshTimer = safeSetTimeout(() => this.refresh(), timeoutLength);
-    }
-    else {
+    } else {
       this.refresh();
     }
-  }
-
+  },
 });
 
 export default Credentials;

package/src/lib/credentials/grant-errors.js

@@ -21,20 +21,20 @@ export class OAuthError extends Exception {
     Object.defineProperties(this, {
       error: {
         enumerable: true,
-        value: body.error
+        value: body.error,
       },
       errorDescription: {
         enumerable: true,
-        value: body.error_description
+        value: body.error_description,
       },
       errorUri: {
         enumerable: true,
-        value: body.error_uri
+        value: body.error_uri,
       },
       res: {
         enumerable: false,
-        value: res
-      }
+        value: res,
+      },
     });
 
     return this.errorDescription;
@@ -70,7 +70,6 @@ class UnsupportGrantTypeError extends OAuthError {}
  */
 class InvalidScopeError extends OAuthError {}
 
-
 const errors = {
   OAuthError,
   InvalidRequestError,
@@ -87,7 +86,7 @@ const errors = {
   invalid_scope: InvalidScopeError,
   select(errorString) {
     return errors[errorString] || OAuthError;
-  }
+  },
 };
 
 export default errors;

package/src/lib/credentials/index.js

@@ -7,10 +7,7 @@ import {registerPlugin} from '../../webex-core';
 import Credentials from './credentials';
 
 registerPlugin('credentials', Credentials, {
-  proxies: [
-    'canAuthorize',
-    'canRefresh'
-  ]
+  proxies: ['canAuthorize', 'canRefresh'],
 });
 
 export {default as Credentials} from './credentials';

package/src/lib/credentials/scope.js

@@ -2,6 +2,10 @@
  * Copyright (c) 2015-2020 Cisco Systems, Inc. See LICENSE file.
  */
 
+import {difference} from 'lodash';
+
+const SCOPE_SEPARATOR = ' ';
+
 /**
  * sorts a list of scopes
  * @param {string} scope
@@ -12,15 +16,12 @@ export function sortScope(scope) {
     return '';
   }
 
-  return scope
-    .split(' ')
-    .sort()
-    .join(' ');
+  return scope.split(SCOPE_SEPARATOR).sort().join(SCOPE_SEPARATOR);
 }
 
 /**
  * sorts a list of scopes and filters the specified scope
- * @param {string} toFilter
+ * @param {string|string[]} toFilter
  * @param {string} scope
  * @returns {string}
  */
@@ -28,10 +29,25 @@ export function filterScope(toFilter, scope) {
   if (!scope) {
     return '';
   }
+  const toFilterArr = Array.isArray(toFilter) ? toFilter : [toFilter];
 
   return scope
-    .split(' ')
-    .filter((item) => item !== toFilter)
+    .split(SCOPE_SEPARATOR)
+    .filter((item) => !toFilterArr.includes(item))
     .sort()
-    .join(' ');
+    .join(SCOPE_SEPARATOR);
+}
+
+/**
+ * Returns a string containing all items in scopeA that are not in scopeB, or an empty string if there are none.
+ *
+ * @param {string} scopeA
+ * @param {string} scopeB
+ * @returns {string}
+ */
+export function diffScopes(scopeA, scopeB) {
+  const a = scopeA?.split(SCOPE_SEPARATOR) ?? [];
+  const b = scopeB?.split(SCOPE_SEPARATOR) ?? [];
+
+  return difference(a, b).sort().join(SCOPE_SEPARATOR);
 }

package/src/lib/credentials/token-collection.js

@@ -11,7 +11,7 @@ const TokenCollection = AmpCollection.extend({
 
   model: Token,
 
-  namespace: 'Credentials'
+  namespace: 'Credentials',
 });
 
 export default TokenCollection;