@webex/webex-core 3.0.0-bnr.5 → 3.0.0

package/package.json

@@ -1,6 +1,5 @@
 {
   "name": "@webex/webex-core",
-  "version": "3.0.0-bnr.5",
   "description": "Plugin handling for Cisco Webex",
   "license": "MIT",
   "contributors": [
@@ -30,32 +29,49 @@
     ]
   },
   "devDependencies": {
+    "@babel/core": "^7.17.10",
     "@sinonjs/fake-timers": "^6.0.1",
-    "@webex/test-helper-chai": "3.0.0-bnr.5",
-    "@webex/test-helper-make-local-url": "3.0.0-bnr.5",
-    "@webex/test-helper-mocha": "3.0.0-bnr.5",
-    "@webex/test-helper-mock-webex": "3.0.0-bnr.5",
-    "@webex/test-helper-refresh-callback": "3.0.0-bnr.5",
-    "@webex/test-helper-test-users": "3.0.0-bnr.5",
+    "@webex/babel-config-legacy": "0.0.0",
+    "@webex/eslint-config-legacy": "0.0.0",
+    "@webex/jest-config-legacy": "0.0.0",
+    "@webex/legacy-tools": "0.0.0",
+    "@webex/test-helper-chai": "3.0.0",
+    "@webex/test-helper-make-local-url": "3.0.0",
+    "@webex/test-helper-mocha": "3.0.0",
+    "@webex/test-helper-mock-webex": "3.0.0",
+    "@webex/test-helper-refresh-callback": "3.0.0",
+    "@webex/test-helper-test-users": "3.0.0",
     "chai": "^4.3.4",
     "chai-as-promised": "^7.1.1",
+    "eslint": "^8.24.0",
+    "prettier": "^2.7.1",
     "sinon": "^9.2.4"
   },
   "dependencies": {
-    "@webex/common": "3.0.0-bnr.5",
-    "@webex/common-timers": "3.0.0-bnr.5",
-    "@webex/http-core": "3.0.0-bnr.5",
-    "@webex/internal-plugin-device": "3.0.0-bnr.5",
-    "@webex/plugin-logger": "3.0.0-bnr.5",
-    "@webex/storage-adapter-spec": "3.0.0-bnr.5",
-    "@webex/webex-core": "3.0.0-bnr.5",
+    "@webex/common": "3.0.0",
+    "@webex/common-timers": "3.0.0",
+    "@webex/http-core": "3.0.0",
+    "@webex/internal-plugin-device": "3.0.0",
+    "@webex/plugin-logger": "3.0.0",
+    "@webex/storage-adapter-spec": "3.0.0",
     "ampersand-collection": "^2.0.2",
     "ampersand-events": "^2.0.2",
     "ampersand-state": "^5.0.3",
     "core-decorators": "^0.20.0",
     "crypto-js": "^4.1.1",
-    "jsonwebtoken": "^8.5.1",
+    "jsonwebtoken": "^9.0.0",
     "lodash": "^4.17.21",
     "uuid": "^3.3.2"
-  }
-}
+  },
+  "scripts": {
+    "build": "yarn build:src",
+    "build:src": "webex-legacy-tools build -dest \"./dist\" -src \"./src\" -js -ts -maps",
+    "deploy:npm": "yarn npm publish",
+    "test": "yarn test:style && yarn test:unit && yarn test:integration && yarn test:browser",
+    "test:browser": "webex-legacy-tools test --integration --runner karma",
+    "test:integration": "webex-legacy-tools test --integration --runner mocha",
+    "test:style": "eslint ./src/**/*.*",
+    "test:unit": "webex-legacy-tools test --unit --runner jest"
+  },
+  "version": "3.0.0"
+}

package/process

@@ -0,0 +1 @@
+module.exports = {browser: true};

package/src/lib/constants.js

@@ -0,0 +1,6 @@
+// Metric to do with WDM registration
+export const METRICS = {
+  JS_SDK_CREDENTIALS_DOWNSCOPE_FAILED: 'JS_SDK_CREDENTIALS_DOWNSCOPE_FAILED',
+  JS_SDK_CREDENTIALS_TOKEN_REFRESH_SCOPE_MISMATCH:
+    'JS_SDK_CREDENTIALS_TOKEN_REFRESH_SCOPE_MISMATCH',
+};

package/src/lib/credentials/credentials.js

@@ -13,10 +13,11 @@ import {clone, cloneDeep, isObject, isEmpty} from 'lodash';
 import WebexPlugin from '../webex-plugin';
 import {persist, waitForValue} from '../storage/decorators';
 
-import grantErrors from './grant-errors';
-import {filterScope, sortScope} from './scope';
+import grantErrors, {OAuthError} from './grant-errors';
+import {filterScope, diffScopes, sortScope} from './scope';
 import Token from './token';
 import TokenCollection from './token-collection';
+import {METRICS} from '../constants';
 
 /**
  * @class
@@ -48,6 +49,25 @@ const Credentials = WebexPlugin.extend({
         return Boolean(this.supertoken && this.supertoken.canRefresh);
       },
     },
+    isUnverifiedGuest: {
+      deps: ['supertoken'],
+      /**
+       * Returns true if the user is an unverified guest
+       * @returns {boolean}
+       */
+      fn() {
+        let isGuest = false;
+        try {
+          isGuest =
+            JSON.parse(base64.decode(this.supertoken.access_token.split('.')[1])).user_type ===
+            'guest';
+        } catch {
+          /* the non-guest token is formatted differently so catch is expected */
+        }
+
+        return isGuest;
+      },
+    },
   },
 
   props: {
@@ -240,8 +260,15 @@ const Credentials = WebexPlugin.extend({
    */
   downscope(scope) {
     return this.supertoken.downscope(scope).catch((reason) => {
-      this.logger.trace(`credentials: failed to downscope supertoken to ${scope}`, reason);
+      const failReason = reason?.body ?? reason;
+      this.logger.warn(`credentials: failed to downscope supertoken to "${scope}"`, failReason);
       this.logger.trace(`credentials: falling back to supertoken for ${scope}`);
+      this.webex.internal.metrics.submitClientMetrics(METRICS.JS_SDK_CREDENTIALS_DOWNSCOPE_FAILED, {
+        fields: {
+          requestedScope: scope,
+          failReason,
+        },
+      });
 
       return Promise.resolve(new Token({scope, ...this.supertoken.serialize()}), {
         parent: this,
@@ -322,12 +349,12 @@ const Credentials = WebexPlugin.extend({
       }
 
       if (!scope) {
-        scope = filterScope('spark:kms', this.config.scope);
+        scope = filterScope('spark:kms', this.supertoken.scope);
       }
 
       scope = sortScope(scope);
 
-      if (scope === sortScope(this.config.scope)) {
+      if (scope === sortScope(this.supertoken.scope)) {
         return Promise.resolve(this.supertoken);
       }
 
@@ -477,42 +504,10 @@ const Credentials = WebexPlugin.extend({
 
     return supertoken
       .refresh()
-      .then((st) => {
-        // clear refresh timer
-        if (this.refreshTimer) {
-          clearTimeout(this.refreshTimer);
-          this.unset('refreshTimer');
-        }
-        this.supertoken = st;
-
-        return Promise.all(
-          tokens.map((token) =>
-            this.downscope(token.scope)
-              // eslint-disable-next-line max-nested-callbacks
-              .then((t) => {
-                this.logger.info(`credentials: revoking token for ${token.scope}`);
-
-                return token
-                  .revoke()
-                  .catch((err) => {
-                    this.logger.warn('credentials: failed to revoke user token', err);
-                  })
-                  .then(() => {
-                    this.userTokens.remove(token.scope);
-                    this.userTokens.add(t);
-                  });
-              })
-          )
-        );
-      })
-      .then(() => {
-        this.scheduleRefresh(this.supertoken.expires);
-      })
       .catch((error) => {
-        const {InvalidRequestError} = grantErrors;
-
-        if (error instanceof InvalidRequestError) {
-          // Error: The refresh token provided is expired, revoked, malformed, or invalid. Hence emit an event to the client, an opportunity to logout.
+        if (error instanceof OAuthError) {
+          // Error: super token refresh failed with 400 status code.
+          // Hence emit an event to the client, an opportunity to logout.
           this.unset('supertoken');
           while (this.userTokens.models.length) {
             try {
@@ -525,6 +520,53 @@ const Credentials = WebexPlugin.extend({
         }
 
         return Promise.reject(error);
+      })
+      .then((st) => {
+        // clear refresh timer
+        if (this.refreshTimer) {
+          clearTimeout(this.refreshTimer);
+          this.unset('refreshTimer');
+        }
+        this.supertoken = st;
+
+        const invalidScopes = diffScopes(this.config.scope, st.scope);
+
+        if (invalidScopes !== '') {
+          this.logger.warn(
+            `credentials: "${invalidScopes}" scope(s) are invalid because not listed in the supertoken, they will be excluded from user token requests.`
+          );
+          this.webex.internal.metrics.submitClientMetrics(
+            METRICS.JS_SDK_CREDENTIALS_TOKEN_REFRESH_SCOPE_MISMATCH,
+            {fields: {invalidScopes}}
+          );
+        }
+
+        return Promise.all(
+          tokens.map((token) => {
+            const tokenScope = filterScope(diffScopes(token.scope, st.scope), token.scope);
+
+            return (
+              this.downscope(tokenScope)
+                // eslint-disable-next-line max-nested-callbacks
+                .then((t) => {
+                  this.logger.info(`credentials: revoking token for ${token.scope}`);
+
+                  return token
+                    .revoke()
+                    .catch((err) => {
+                      this.logger.warn('credentials: failed to revoke user token', err);
+                    })
+                    .then(() => {
+                      this.userTokens.remove(token.scope);
+                      this.userTokens.add(t);
+                    });
+                })
+            );
+          })
+        );
+      })
+      .then(() => {
+        this.scheduleRefresh(this.supertoken.expires);
       });
   },
 

package/src/lib/credentials/scope.js

@@ -2,6 +2,10 @@
  * Copyright (c) 2015-2020 Cisco Systems, Inc. See LICENSE file.
  */
 
+import {difference} from 'lodash';
+
+const SCOPE_SEPARATOR = ' ';
+
 /**
  * sorts a list of scopes
  * @param {string} scope
@@ -12,12 +16,12 @@ export function sortScope(scope) {
     return '';
   }
 
-  return scope.split(' ').sort().join(' ');
+  return scope.split(SCOPE_SEPARATOR).sort().join(SCOPE_SEPARATOR);
 }
 
 /**
  * sorts a list of scopes and filters the specified scope
- * @param {string} toFilter
+ * @param {string|string[]} toFilter
  * @param {string} scope
  * @returns {string}
  */
@@ -25,10 +29,25 @@ export function filterScope(toFilter, scope) {
   if (!scope) {
     return '';
   }
+  const toFilterArr = Array.isArray(toFilter) ? toFilter : [toFilter];
 
   return scope
-    .split(' ')
-    .filter((item) => item !== toFilter)
+    .split(SCOPE_SEPARATOR)
+    .filter((item) => !toFilterArr.includes(item))
     .sort()
-    .join(' ');
+    .join(SCOPE_SEPARATOR);
+}
+
+/**
+ * Returns a string containing all items in scopeA that are not in scopeB, or an empty string if there are none.
+ *
+ * @param {string} scopeA
+ * @param {string} scopeB
+ * @returns {string}
+ */
+export function diffScopes(scopeA, scopeB) {
+  const a = scopeA?.split(SCOPE_SEPARATOR) ?? [];
+  const b = scopeB?.split(SCOPE_SEPARATOR) ?? [];
+
+  return difference(a, b).sort().join(SCOPE_SEPARATOR);
 }

package/src/lib/credentials/token.js

@@ -9,7 +9,7 @@ import {safeSetTimeout} from '@webex/common-timers';
 import WebexHttpError from '../webex-http-error';
 import WebexPlugin from '../webex-plugin';
 
-import {sortScope} from './scope';
+import {sortScope, diffScopes} from './scope';
 import grantErrors, {OAuthError} from './grant-errors';
 
 /* eslint-disable camelcase */
@@ -259,6 +259,14 @@ const Token = WebexPlugin.extend({
       return Promise.reject(new Error('cannot downscope access token'));
     }
 
+    if (diffScopes(scope, this.config.scope) !== '') {
+      return Promise.reject(
+        new Error(
+          `new scope (${scope}) is not subset of the available scopes (${this.config.scope})`
+        )
+      );
+    }
+
     // Since we're going to use scope as the index in our token collection, it's
     // important scopes are always deterministically specified.
     if (scope) {

package/src/lib/services/interceptors/server-error.js

@@ -3,7 +3,7 @@
  */
 
 import {Interceptor} from '@webex/http-core';
-import {WebexHttpError} from '@webex/webex-core';
+import WebexHttpError from '../../webex-http-error';
 /**
  * Changes server url when it fails
  */

package/src/lib/services/interceptors/service.js

@@ -36,11 +36,11 @@ export default class ServiceInterceptor extends Interceptor {
 
     // Destructure commonly referenced namespaces.
     const {services} = this.webex.internal;
-    const {service, resource} = options;
+    const {service, resource, waitForServiceTimeout} = options;
 
     // Attempt to collect the service url.
     return services
-      .waitForService({name: service})
+      .waitForService({name: service, timeout: waitForServiceTimeout})
       .then((serviceUrl) => {
         // Generate the combined service url and resource.
         options.uri = this.generateUri(serviceUrl, resource);

package/src/lib/services/service-catalog.js

@@ -413,6 +413,8 @@ const ServiceCatalog = AmpState.extend({
         resolve();
       }
 
+      const validatedTimeout = typeof timeout === 'number' && timeout >= 0 ? timeout : 60;
+
       const timeoutTimer = setTimeout(
         () =>
           reject(
@@ -420,7 +422,7 @@ const ServiceCatalog = AmpState.extend({
               `services: timeout occured while waiting for '${serviceGroup}' catalog to populate`
             )
           ),
-        timeout ? timeout * 1000 : 60000
+        validatedTimeout * 1000
       );
 
       this.once(serviceGroup, () => {

package/src/lib/services/services.js

@@ -12,6 +12,15 @@ import fedRampServices from './service-fed-ramp';
 
 const trailingSlashes = /(?:^\/)|(?:\/$)/;
 
+// The default cluster when one is not provided (usually as 'US' from hydra)
+export const DEFAULT_CLUSTER = 'urn:TEAM:us-east-2_a';
+// The default service name for convo (currently identityLookup due to some weird CSB issue)
+export const DEFAULT_CLUSTER_SERVICE = 'identityLookup';
+
+const CLUSTER_SERVICE = process.env.WEBEX_CONVERSATION_CLUSTER_SERVICE || DEFAULT_CLUSTER_SERVICE;
+const DEFAULT_CLUSTER_IDENTIFIER =
+  process.env.WEBEX_CONVERSATION_DEFAULT_CLUSTER || `${DEFAULT_CLUSTER}:${CLUSTER_SERVICE}`;
+
 /* eslint-disable no-underscore-dangle */
 /**
  * @class
@@ -49,6 +58,8 @@ const Services = WebexPlugin.extend({
 
   _serviceUrls: null,
 
+  _hostCatalog: null,
+
   /**
    * Get the registry associated with this webex instance.
    *
@@ -157,6 +168,15 @@ const Services = WebexPlugin.extend({
     this._serviceUrls = {...this._serviceUrls, ...serviceUrls};
   },
 
+  /**
+   * saves the hostCatalog object
+   * @param {Object} hostCatalog
+   * @returns {void}
+   */
+  _updateHostCatalog(hostCatalog) {
+    this._hostCatalog = {...this._hostCatalog, ...hostCatalog};
+  },
+
   /**
    * Update a list of `serviceUrls` to the most current
    * catalog via the defined `discoveryUrl` then returns the current
@@ -662,6 +682,7 @@ const Services = WebexPlugin.extend({
    * @returns {object}
    */
   _formatReceivedHostmap(serviceHostmap) {
+    this._updateHostCatalog(serviceHostmap.hostCatalog);
     // map the host catalog items to a formatted hostmap
     const formattedHostmap = Object.keys(serviceHostmap.hostCatalog).reduce((accumulator, key) => {
       if (serviceHostmap.hostCatalog[key].length === 0) {
@@ -720,6 +741,7 @@ const Services = WebexPlugin.extend({
     // update all the service urls in the host catalog
 
     this._updateServiceUrls(serviceHostmap.serviceLinks);
+    this._updateHostCatalog(serviceHostmap.hostCatalog);
 
     return formattedHostmap;
   },
@@ -752,6 +774,30 @@ const Services = WebexPlugin.extend({
     return catalog.findServiceFromClusterId(params);
   },
 
+  /**
+   * @param {String} cluster the cluster containing the id
+   * @param {UUID} [id] the id of the conversation.
+   *  If empty, just return the base URL.
+   * @returns {String} url of the service
+   */
+  getServiceUrlFromClusterId({cluster = 'us'} = {}) {
+    let clusterId = cluster === 'us' ? DEFAULT_CLUSTER_IDENTIFIER : cluster;
+
+    // Determine if cluster has service name (non-US clusters from hydra do not)
+    if (clusterId.split(':').length < 4) {
+      // Add Service to cluster identifier
+      clusterId = `${cluster}:${CLUSTER_SERVICE}`;
+    }
+
+    const {url} = this.getServiceFromClusterId({clusterId}) || {};
+
+    if (!url) {
+      throw Error(`Could not find service for cluster [${cluster}]`);
+    }
+
+    return url;
+  },
+
   /**
    * Get a service object from a service url if the service url exists in the
    * catalog.

package/src/webex-core.js

@@ -6,7 +6,12 @@ import {EventEmitter} from 'events';
 import util from 'util';
 
 import {proxyEvents, retry, transferEvents} from '@webex/common';
-import {HttpStatusInterceptor, defaults as requestDefaults} from '@webex/http-core';
+import {
+  HttpStatusInterceptor,
+  defaults as requestDefaults,
+  protoprepareFetchOptions as prepareFetchOptions,
+  setTimingsAndFetch as _setTimingsAndFetch,
+} from '@webex/http-core';
 import {defaultsDeep, get, isFunction, isString, last, merge, omit, set, unset} from 'lodash';
 import AmpState from 'ampersand-state';
 import uuid from 'uuid';
@@ -402,6 +407,13 @@ const WebexCore = AmpState.extend({
       interceptors: ints,
     });
 
+    this.prepareFetchOptions = prepareFetchOptions({
+      json: true,
+      interceptors: ints,
+    });
+
+    this.setTimingsAndFetch = _setTimingsAndFetch;
+
     let sessionId = `${get(this, 'config.trackingIdPrefix', 'webex-js-sdk')}_${get(
       this,
       'config.trackingIdBase',

package/test/integration/spec/credentials/credentials.js

@@ -110,12 +110,15 @@ describe('webex-core', () => {
         });
       });
 
-      browserOnly(it)('throws without a refresh callback', () => {
+      browserOnly(it)('throws without a refresh callback', async () => {
         const webex = new WebexCore({
           credentials: user.token,
         });
-
-        return assert.isRejected(webex.credentials.refresh());
+        await webex.credentials.refresh().then(() => {
+          assert(false, 'resolved, should have thrown');
+        }).catch((err) => {
+          assert(false);
+        });
       });
 
       browserOnly(it)('refreshes with a refresh callback', () => {

package/test/integration/spec/unit-browser/auth.js

@@ -0,0 +1,93 @@
+/*!
+ * Copyright (c) 2015-2020 Cisco Systems, Inc. See LICENSE file.
+ */
+
+/* eslint-disable camelcase */
+
+import chai from 'chai';
+import chaiAsPromised from 'chai-as-promised';
+import sinon from 'sinon';
+import {browserOnly, nodeOnly} from '@webex/test-helper-mocha';
+import Logger from '@webex/plugin-logger';
+import MockWebex from '@webex/test-helper-mock-webex';
+import {AuthInterceptor, config, Credentials, WebexHttpError, Token} from '@webex/webex-core';
+import {cloneDeep, merge} from 'lodash';
+import Metrics from '@webex/internal-plugin-metrics';
+
+const {assert} = chai;
+
+chai.use(chaiAsPromised);
+sinon.assert.expose(chai.assert, {prefix: ''});
+
+describe('webex-core', () => {
+  describe('Interceptors', () => {
+    describe('AuthInterceptor', () => {
+      let interceptor, webex;
+
+      beforeEach(() => {
+        webex = new MockWebex({
+          children: {
+            credentials: Credentials,
+            logger: Logger,
+            metrics: Metrics,
+          },
+          config: merge(cloneDeep(config), {credentials: {client_secret: 'fake'}}),
+        });
+
+        webex.credentials.supertoken = new Token(
+          {
+            access_token: 'ST1',
+            token_type: 'Bearer',
+          },
+          {parent: webex}
+        );
+
+        interceptor = Reflect.apply(AuthInterceptor.create, webex, []);
+        sinon.stub(webex.internal.metrics, 'submitClientMetrics').callsFake(() => {});
+      });
+
+
+      describe('#onResponseError()', () => {
+        describe('when the server responds with 401', () => {
+          browserOnly(it)('refreshes the access token and replays the request', () => {
+            webex.config.credentials.refreshCallback = sinon.stub().returns(
+              Promise.resolve({
+                access_token: 'ST2',
+              })
+            );
+
+            webex.credentials.supertoken = new Token(
+              {
+                access_token: 'ST1',
+                refresh_token: 'RT1',
+              },
+              {parent: webex}
+            );
+
+            const err = new WebexHttpError.Unauthorized({
+              statusCode: 401,
+              options: {
+                headers: {
+                  trackingid: 'blarg',
+                },
+                uri: `${config.services.discovery.hydra}/ping`,
+              },
+              body: {
+                error: 'fake error',
+              },
+            });
+
+            assert.notCalled(webex.request);
+
+            return interceptor.onResponseError(err.options, err).then(() => {
+              // once for replay
+              assert.calledOnce(webex.request);
+              assert.equal(webex.credentials.supertoken.access_token, 'ST2');
+              assert.equal(webex.request.args[0][0].replayCount, 1);
+            });
+          });
+      });
+    });
+  });
+});
+});