box-node-sdk 1.29.1 → 1.33.0

package/CHANGELOG.md

@@ -1,5 +1,27 @@
 # Changelog
 
+## 1.33.0 [2020-06-25]
+
+- Add path parameter sanitization ([#505](https://github.com/box/box-node-sdk/pull/505))
+- Add support for all streams for uploading files ([#519](https://github.com/box/box-node-sdk/pull/519))
+
+## 1.32.0 [2020-04-01]
+
+- Temporarily removed Node 4 and Node 5 builds from Travis, due to tests not passing.  Will investigate, going forward ([#495](https://github.com/box/box-node-sdk/pull/495)).
+- Fixed an issue where an error is thrown during a retry when a response is not returned by the previous call  ([#477](https://github.com/box/box-node-sdk/pull/477)).
+- Added the ability to [query](./docs/metadata.md#query) Box items based on their metadata ([#487](https://github.com/box/box-node-sdk/pull/487)).
+
+## 1.31.0 [2020-02-13]
+
+- Fixed Authentication Request Retries
+- Added marker-based paging for users endpoints
+- Added `getNextMarker()` to PagingIterator to get the next marker
+
+## 1.30.0 [2019-11-21]
+
+- Deprecated Batch API methods
+- Added support for [token exchange](./lib/box-client.js#L495) using shared links
+
 ## 1.29.1 [2019-08-22]
 
 - Fixed an issue where JWT authentication requests could fail after being rate limited

package/lib/api-request.js

@@ -15,7 +15,8 @@ var assert = require('assert'),
 	request = require('request'),
 	EventEmitter = require('events').EventEmitter,
 	Config = require('./util/config'),
-	httpStatusCodes = require('http-status');
+	httpStatusCodes = require('http-status'),
+	getRetryTimeout = require('./util/exponential-backoff');
 
 // ------------------------------------------------------------------------------
 // Typedefs and Callbacks
@@ -94,9 +95,6 @@ var retryableStatusCodes = {};
 retryableStatusCodes[httpStatusCodes.REQUEST_TIMEOUT] = true;
 retryableStatusCodes[httpStatusCodes.TOO_MANY_REQUESTS] = true;
 
-// Retry intervals are between 50% and 150% of the exponentially increasing base amount
-const RETRY_RANDOMIZATION_FACTOR = 0.5;
-
 /**
  * Returns true if the response info indicates a temporary/transient error.
  *
@@ -157,21 +155,6 @@ function cleanSensitiveHeaders(requestObj) {
 	}
 }
 
-/**
- * Calculate the exponential backoff time with randomized jitter
- * @param {int} numRetries Which retry number this one will be
- * @param {int} baseInterval The base retry interval set in config
- * @returns {int} The number of milliseconds after which to retry
- */
-function getRetryTimeout(numRetries, baseInterval) {
-
-	var minRandomization = 1 - RETRY_RANDOMIZATION_FACTOR;
-	var maxRandomization = 1 + RETRY_RANDOMIZATION_FACTOR;
-	var randomization = (Math.random() * (maxRandomization - minRandomization)) + minRandomization;
-	var exponential = Math.pow(2, numRetries - 1);
-	return Math.ceil(exponential * baseInterval * randomization);
-}
-
 // ------------------------------------------------------------------------------
 // Public
 // ------------------------------------------------------------------------------
@@ -241,7 +224,6 @@ APIRequest.prototype.getResponseStream = function() {
  * @private
  */
 APIRequest.prototype._handleResponse = function(err, response) {
-
 	// Clean sensitive headers here to prevent the user from accidentily using/logging them in prod
 	cleanSensitiveHeaders(this.request);
 
@@ -264,8 +246,12 @@ APIRequest.prototype._handleResponse = function(err, response) {
 		// Have the SDK emit the error response
 		this.eventBus.emit('response', err);
 
-		// If our APIRequest instance is retryable, attempt a retry. Otherwise, finish and propagate the error.
-		if (this.isRetryable) {
+		var isJWT = false;
+		if (this.config.request.hasOwnProperty('form') && this.config.request.form.hasOwnProperty('grant_type') && this.config.request.form.grant_type === 'urn:ietf:params:oauth:grant-type:jwt-bearer') {
+			isJWT = true;
+		}
+		// If our APIRequest instance is retryable, attempt a retry. Otherwise, finish and propagate the error. Doesn't retry when the request is for JWT authentication, since that is handled in retryJWTGrant.
+		if (this.isRetryable && !isJWT) {
 			this._retry(err);
 		} else {
 			this._finish(err);
@@ -318,6 +304,8 @@ APIRequest.prototype._retry = function(err) {
 				this._finish(err);
 				return;
 			}
+		} else if (err.hasOwnProperty('response') && err.response.hasOwnProperty('headers') && err.response.headers.hasOwnProperty('retry-after')) {
+			retryTimeout = err.response.headers['retry-after'] * 1000;
 		} else {
 			retryTimeout = getRetryTimeout(this.numRetries, this.config.retryIntervalMS);
 		}

package/lib/box-client.js

@@ -492,6 +492,7 @@ BoxClient.prototype.revokeTokens = function(callback) {
  * @param {string} [resource] The absolute URL of an API resource to scope the new token to
  * @param {Object} [options] - Optional parameters
  * @param {ActorParams} [options.actor] - Optional actor parameters for creating annotator tokens with Token Auth client
+ * @param {SharedLinkParams} [options.sharedLink] - Optional shared link parameters for creating tokens using shared links
  * @param {Function} [callback] Called with the new token
  * @returns {Promise<TokenInfo>} A promise resolving to the exchanged token info
  */
@@ -611,16 +612,27 @@ BoxClient.prototype.upload = function(path, params, formData, callback) {
 /**
  * Puts the client into batch mode, which will queue calls instead of
  * immediately making the API request.
+ *
+ * DEPRECATED: Batch API is not supported and should not be used; make calls in parallel instead.
+ *
  * @returns {BoxClient} Current client object
  */
-BoxClient.prototype.batch = function() {
-
+BoxClient.prototype.batch = util.deprecate(function() {
+	/* eslint-disable no-invalid-this */
 	this._batch = [];
 	return this;
-};
-
-BoxClient.prototype.batchExec = function(callback) {
+	/* eslint-enable no-invalid-this */
+}, 'Batch API is not supported and should not be used; make calls in parallel instead.');
 
+/**
+ * Executes a batch of requests.
+ *
+ * DEPRECATED: Batch API is not supported and should not be used; make calls in parallel instead.
+ *
+ * @returns {Promise<Object>} Promise resolving to the collection of batch responses
+ */
+BoxClient.prototype.batchExec = util.deprecate(function(callback) {
+	/* eslint-disable no-invalid-this */
 	if (!this._batch) {
 		return Promise.reject(new Error('Must start a batch before executing'))
 			.asCallback(callback);
@@ -651,7 +663,8 @@ BoxClient.prototype.batchExec = function(callback) {
 			throw err;
 		})
 		.asCallback(callback);
-};
+	/* eslint-enable no-invalid-this */
+}, 'Batch API is not supported and should not be used; make calls in parallel instead.');
 
 /**
  * Build the 'BoxApi' Header used for authenticating access to a shared item

package/lib/managers/enterprise.js

@@ -84,6 +84,8 @@ Enterprise.prototype.userRoles = Object.freeze({
  * @param {Object} [options] - Optional parameters, can be left null in most cases
  * @param {string} [options.filter_term] - Filter the results to only users starting with the filter_term in either the name or the login
  * @param {int} [options.limit=100] - The number of records to return
+ * @param {boolean} [options.usemarker=false] - Whether or not to use marker-based pagination
+ * @param {string} [options.marker=''] - The marker for the page at which to start. Default is the first page
  * @param {int} [options.offset=0] - The record at which to start
  * @param {EnterpriseUserType} [options.user_type=managed] - The type of user to search for
  * @param {Function} [callback] - Passed the list of users if successful, error otherwise

package/lib/managers/files.js

@@ -78,10 +78,11 @@ function createFileMetadataFormData(parentFolderID, filename, options) {
 /**
  * Returns the multipart form value for file upload content.
  * @param {string|Buffer|Stream} content - the content of the file being uploaded
+ * @param {Object} options - options for the content
  * @returns {Object} - the form value expected by the API for the 'content' key
  * @private
  */
-function createFileContentFormData(content) {
+function createFileContentFormData(content, options) {
 	// The upload API appears to look for a form field that contains a filename
 	// property and assume that this form field contains the file content. Thus,
 	// the value of name does not actually matter (as long as it does not conflict
@@ -90,7 +91,7 @@ function createFileContentFormData(content) {
 	// filename specified in the metadata form field instead.
 	return {
 		value: content,
-		options: { filename: 'unused' }
+		options: Object.assign({ filename: 'unused' }, options)
 	};
 }
 
@@ -601,6 +602,7 @@ Files.prototype.promoteVersion = function(fileID, versionID, callback) {
  * @param {Object} [options] - Optional parameters
  * @param {string} [options.content_created_at] - RFC 3339 timestamp when the file was created
  * @param {string} [options.content_modified_at] - RFC 3339 timestamp when the file was last modified
+ * @param {int} [options.content_length] - Optional length of the content. Required if content is a read stream of any type other than fs stream.
  * @param {Function} [callback] - called with data about the upload if successful, or an error if the
  * upload failed
  * @returns {Promise<Object>} A promise resolving to the uploaded file
@@ -613,10 +615,17 @@ Files.prototype.uploadFile = function(parentFolderID, filename, content, options
 		options = {};
 	}
 
+	var formOptions = {};
+	if (options && options.hasOwnProperty('content_length')) {
+		formOptions.knownLength = options.content_length;
+		// Delete content_length from options so it's not added to the attributes of the form
+		delete options.content_length;
+	}
+
 	var apiPath = urlPath(BASE_PATH, '/content'),
 		multipartFormData = {
 			attributes: createFileMetadataFormData(parentFolderID, filename, options),
-			content: createFileContentFormData(content)
+			content: createFileContentFormData(content, formOptions)
 		};
 
 	return this.client.wrapWithDefaultHandler(this.client.upload)(apiPath, null, multipartFormData, callback);
@@ -635,6 +644,7 @@ Files.prototype.uploadFile = function(parentFolderID, filename, content, options
  * @param {Object} [options] - Optional parameters
  * @param {string} [options.content_modified_at] - RFC 3339 timestamp when the file was last modified
  * @param {string} [options.name] - A new name for the file
+ * @param {int} [options.content_length] - Optional length of the content. Required if content is a read stream of any type other than fs stream.
  * @param {Function} [callback] - called with data about the upload if successful, or an error if the
  * upload failed
  * @returns {Promise<Object>} A promise resolving to the uploaded file
@@ -650,11 +660,18 @@ Files.prototype.uploadNewFileVersion = function(fileID, content, options, callba
 	var apiPath = urlPath(BASE_PATH, fileID, '/content'),
 		multipartFormData = {};
 
+
+	var formOptions = {};
 	if (options) {
+		if (options.hasOwnProperty('content_length')) {
+			formOptions.knownLength = options.content_length;
+			// Delete content_length from options so it's not added to the attributes of the form
+			delete options.content_length;
+		}
 		multipartFormData.attributes = JSON.stringify(options);
 	}
 
-	multipartFormData.content = createFileContentFormData(content);
+	multipartFormData.content = createFileContentFormData(content, formOptions);
 
 	return this.client.wrapWithDefaultHandler(this.client.upload)(apiPath, null, multipartFormData, callback);
 };

package/lib/managers/folders.js

@@ -61,7 +61,7 @@ Folders.prototype.get = function(folderID, options, callback) {
  * @param {string} folderID - Box ID of the folder being requested
  * @param {Object} [options] - Additional options for the request. Can be left null in most cases.
  * @param {Function} [callback] - Passed the folder information if it was acquired successfully
- * @returns {Promise<Object>} A prmoise resolving to the collection of the items in the folder
+ * @returns {Promise<Object>} A promise resolving to the collection of the items in the folder
  */
 Folders.prototype.getItems = function(folderID, options, callback) {
 	var params = {

package/lib/managers/metadata.js

@@ -28,7 +28,8 @@
 // -----------------------------------------------------------------------------
 // Requirements
 // -----------------------------------------------------------------------------
-var urlPath = require('../util/url-path');
+var urlPath = require('../util/url-path'),
+	merge = require('merge-options');
 
 // -----------------------------------------------------------------------------
 // Private
@@ -38,7 +39,8 @@ var PROPERTIES_TEMPLATE = 'properties',
 	SCHEMA_SUBRESOURCE = 'schema',
 	ENTERPRISE_SCOPE = 'enterprise',
 	GLOBAL_SCOPE = 'global',
-	CASCADE_POLICIES_PATH = '/metadata_cascade_policies';
+	CASCADE_POLICIES_PATH = '/metadata_cascade_policies',
+	QUERY_PATH = '/metadata_queries/execute_read';
 
 // -----------------------------------------------------------------------------
 // Public
@@ -178,7 +180,7 @@ Metadata.prototype = {
 	 * @param {Object[]} operations - The operations to perform
 	 * @param {Function} [callback] - Passed the updated template if successful, error otherwise
 	 * @returns {Promise<Object>} A promise resolving to the updated template
-	 * @see {@link https://docs.box.com/reference#update-metadata-schema}
+	 * @see {@link https://developer.box.com/en/reference/put-metadata-templates-id-id-schema/}
 	 */
 	updateTemplate(scope, template, operations, callback) {
 
@@ -200,7 +202,7 @@ Metadata.prototype = {
 	 * @param {string} template - The template to delete
 	 * @param {Function} [callback] - Passed empty response body if successful, err otherwise
 	 * @returns {Promise<void>} A promise resolving to nothing
-	 * @see {@link https://docs.box.com/reference#delete-metadata-schema}
+	 * @see {@link https://developer.box.com/en/reference/delete-metadata-templates-id-id-schema/}
 	 */
 	deleteTemplate(scope, template, callback) {
 
@@ -313,6 +315,31 @@ Metadata.prototype = {
 			};
 
 		return this.client.wrapWithDefaultHandler(this.client.post)(apiPath, params, callback);
+	},
+
+	/**
+	 * Query Box items by their metadata
+	 *
+	 * API Endpoint: '/metadata_queries/execute_read'
+	 * Method: POST
+	 *
+	 * @param {string} from - The template used in the query. Must be in the form scope.templateKey
+	 * @param {string} ancestorFolderId - The folder_id to which to restrain the query
+	 * @param {Object} options - Query options
+	 * @param {Function} [callback] - Passed a collection of items and their associated metadata
+	 * @returns {Promise<void>} Promise resolving to a collection of items and their associated metadata
+	 */
+	query(from, ancestorFolderId, options, callback) {
+		var body = {
+			from,
+			ancestor_folder_id: ancestorFolderId
+		};
+
+		var params = {
+			body: merge(body, options)
+		};
+
+		return this.client.wrapWithDefaultHandler(this.client.post)(QUERY_PATH, params, callback);
 	}
 };
 

package/lib/managers/webhooks.js

@@ -31,7 +31,7 @@ const MAX_MESSAGE_AGE = 10 * 60; // 10 minutes
 
 /**
  * Compute the message signature
- * @see {@Link https://docs.box.com/reference#signatures}
+ * @see {@Link https://developer.box.com/en/guides/webhooks/handle/setup-signatures/}
  *
  * @param {string} body - The request body of the webhook message
  * @param {Object} headers - The request headers of the webhook message
@@ -63,7 +63,7 @@ function computeSignature(body, headers, signatureKey) {
 
 /**
  * Validate the message signature
- * @see {@Link https://docs.box.com/reference#signatures}
+ * @see {@Link https://developer.box.com/en/guides/webhooks/handle/verify-signatures/}
  *
  * @param {string} body - The request body of the webhook message
  * @param {Object} headers - The request headers of the webhook message

package/lib/token-manager.js

@@ -18,6 +18,12 @@
  *                         server requesting the tokens.
  */
 
+/**
+ * Parameters for creating a token using a Box shared link via token exchange
+ * @typedef {Object} SharedLinkParams
+ * @property {string} url Shared link URL
+ */
+
 /**
  * Parameters for creating an actor token via token exchange
  * @typedef {Object} ActorParams
@@ -47,12 +53,12 @@
   */
 function isJWTAuthErrorRetryable(err) {
 
-	return err.authExpired
-		&& err.response.headers.date
-		&& (
-			err.response.body.error_description.indexOf('exp') > -1
-				|| err.response.body.error_description.indexOf('jti') > -1
-		);
+	if (err.authExpired && err.response.headers.date && (err.response.body.error_description.indexOf('exp') > -1 || err.response.body.error_description.indexOf('jti') > -1)) {
+		return true;
+	} else if (err.statusCode === 429 || err.statusCode >= 500) {
+		return true;
+	}
+	return false;
 }
 
 // ------------------------------------------------------------------------------
@@ -62,7 +68,8 @@ var errors = require('./util/errors'),
 	jwt = require('jsonwebtoken'),
 	uuid = require('uuid'),
 	httpStatusCodes = require('http-status'),
-	Promise = require('bluebird');
+	Promise = require('bluebird'),
+	getRetryTimeout = require('./util/exponential-backoff');
 
 // ------------------------------------------------------------------------------
 // Constants
@@ -94,6 +101,9 @@ var tokenPaths = {
 	REVOKE: '/revoke'
 };
 
+// Timer used to track elapsed time starting with executing an async request and ending with emitting the response.
+var asyncRequestTimer;
+
 // The XFF header label - Used to give the API better information for uploads, rate-limiting, etc.
 const HEADER_XFF = 'X-Forwarded-For';
 const ACCESS_TOKEN_TYPE = 'urn:ietf:params:oauth:token-type:access_token';
@@ -339,7 +349,6 @@ TokenManager.prototype = {
 		try {
 			assertion = jwt.sign(claims, keyParams, jwtOptions);
 		} catch (jwtErr) {
-
 			return Promise.reject(jwtErr);
 		}
 
@@ -347,29 +356,85 @@ TokenManager.prototype = {
 			grant_type: grantTypes.JWT,
 			assertion
 		};
+		// Start the request timer immediately before executing the async request
+		asyncRequestTimer = process.hrtime();
 		return this.getTokens(params, options)
-			.catch(err => {
-
-				// When a client's clock is out of sync with Box API servers, they'll get an error about the exp claim
-				// In these cases, we can attempt to retry the grant request with a new exp claim calculated frem the
-				// Date header sent by the server
-				if (isJWTAuthErrorRetryable(err)) {
-
-					var serverTime = Math.floor(Date.parse(err.response.headers.date) / 1000);
-					claims.exp = serverTime + this.config.appAuth.expirationTime;
-					jwtOptions.jwtid = uuid.v4();
+			.catch(err => this.retryJWTGrant(claims, jwtOptions, keyParams, params, options, err, 0));
+	},
 
-					try {
-						params.assertion = jwt.sign(claims, keyParams, jwtOptions);
-					} catch (jwtErr) {
-						throw jwtErr;
+	/**
+	 * Attempt a retry if possible and create a new JTI claim. If the request hasn't exceeded it's maximum number of retries,
+	 * re-execute the request (after the retry interval). Otherwise, propagate a new error.
+	 *
+	 * @param {Object} claims - JTI claims object
+	 * @param {Object} [jwtOptions] - JWT options for the signature
+	 * @param {Object} keyParams - Key JWT parameters object that contains the private key and the passphrase
+	 * @param {Object} params - Should contain all params expected by Box OAuth2 token endpoint
+	 * @param {TokenRequestOptions} [options] - Sets optional behavior for the token grant
+	 * @param {Error} error - Error from the previous JWT request
+	 * @param {int} numRetries - Number of retries attempted
+	 * @returns {Promise<TokenInfo>} Promise resolving to the token info
+	 */
+	// eslint-disable-next-line max-params
+	retryJWTGrant(claims, jwtOptions, keyParams, params, options, error, numRetries) {
+		if (numRetries < this.config.numMaxRetries && isJWTAuthErrorRetryable(error)) {
+			var retryTimeout;
+			numRetries += 1;
+			// If the retry strategy is defined, then use it to determine the time (in ms) until the next retry or to
+			// propagate an error to the user.
+			if (this.config.retryStrategy) {
+				// Get the total elapsed time so far since the request was executed
+				var totalElapsedTime = process.hrtime(asyncRequestTimer);
+				var totalElapsedTimeMS = (totalElapsedTime[0] * 1000) + (totalElapsedTime[1] / 1000000);
+				var retryOptions = {
+					error,
+					numRetryAttempts: numRetries,
+					numMaxRetries: this.config.numMaxRetries,
+					retryIntervalMS: this.config.retryIntervalMS,
+					totalElapsedTimeMS
+				};
+
+				retryTimeout = this.config.retryStrategy(retryOptions);
+
+				// If the retry strategy doesn't return a number/time in ms, then propagate the response error to the user.
+				// However, if the retry strategy returns its own error, this will be propagated to the user instead.
+				if (typeof retryTimeout !== 'number') {
+					if (retryTimeout instanceof Error) {
+						error = retryTimeout;
 					}
-
-					return this.getTokens(params, options);
+					throw error;
 				}
+			} else if (error.hasOwnProperty('response') && error.response.hasOwnProperty('headers') && error.response.headers.hasOwnProperty('retry-after')) {
+				retryTimeout = error.response.headers['retry-after'] * 1000;
+			} else {
+				retryTimeout = getRetryTimeout(numRetries, this.config.retryIntervalMS);
+			}
+
+			var time = Math.floor(Date.now() / 1000);
+			if (error.response.headers.date) {
+				time = Math.floor(Date.parse(error.response.headers.date) / 1000);
+			}
+			// Add length of retry timeout to current expiration time to calculate the expiration time for the JTI claim.
+			claims.exp = time + this.config.appAuth.expirationTime + (retryTimeout / 1000);
+			jwtOptions.jwtid = uuid.v4();
+
+			try {
+				params.assertion = jwt.sign(claims, keyParams, jwtOptions);
+			} catch (jwtErr) {
+				throw jwtErr;
+			}
 
-				throw err;
+			return Promise.delay(retryTimeout).then(() => {
+				// Start the request timer immediately before executing the async request
+				asyncRequestTimer = process.hrtime();
+				return this.getTokens(params, options)
+					.catch(err => this.retryJWTGrant(claims, jwtOptions, keyParams, params, options, err, numRetries));
 			});
+		} else if (numRetries >= this.config.numMaxRetries) {
+			error.maxRetriesExceeded = true;
+		}
+
+		throw error;
 	},
 
 	/**
@@ -382,6 +447,7 @@ TokenManager.prototype = {
 	 * @param {Object} [options] - Optional parameters
 	 * @param {TokenRequestOptions} [options.tokenRequestOptions] - Sets optional behavior for the token grant
 	 * @param {ActorParams} [options.actor] - Optional actor parameters for creating annotator tokens
+	 * @param {SharedLinkParams} [options.sharedLink] - Optional shared link parameters for creating tokens using shared links
 	 * @returns {Promise<TokenInfo>} Promise resolving to the new token info
 	 */
 	exchangeToken(accessToken, scopes, resource, options) {
@@ -396,6 +462,10 @@ TokenManager.prototype = {
 			params.resource = resource;
 		}
 
+		if (options && options.sharedLink) {
+			params.box_shared_link = options.sharedLink.url;
+		}
+
 		if (options && options.actor) {
 
 			var payload = {

package/lib/util/exponential-backoff.js

@@ -0,0 +1,29 @@
+/**
+ * @fileoverview Calculate exponential backoff time
+ */
+
+'use strict';
+
+// ------------------------------------------------------------------------------
+// Private
+// ------------------------------------------------------------------------------
+
+// Retry intervals are between 50% and 150% of the exponentially increasing base amount
+const RETRY_RANDOMIZATION_FACTOR = 0.5;
+
+/**
+ * Calculate the exponential backoff time with randomized jitter
+ * @param {int} numRetries Which retry number this one will be
+ * @param {int} baseInterval The base retry interval set in config
+ * @returns {int} The number of milliseconds after which to retry
+ */
+function getRetryTimeout(numRetries, baseInterval) {
+
+	var minRandomization = 1 - RETRY_RANDOMIZATION_FACTOR;
+	var maxRandomization = 1 + RETRY_RANDOMIZATION_FACTOR;
+	var randomization = (Math.random() * (maxRandomization - minRandomization)) + minRandomization;
+	var exponential = Math.pow(2, numRetries - 1);
+	return Math.ceil(exponential * baseInterval * randomization);
+}
+
+module.exports = getRetryTimeout;

package/lib/util/paging-iterator.js

@@ -58,11 +58,11 @@ class PagingIterator {
 	 * @returns {boolean} Whether the response is iterable
 	 */
 	static isIterable(response) {
-		var isGetRequest = (response.request && response.request.method === 'GET'),
+		var isGetOrPostRequest = (response.request && (response.request.method === 'GET' || response.request.method === 'POST')),
 			hasEntries = (response.body && Array.isArray(response.body.entries)),
 			notEventStream = (response.body && !response.body.next_stream_position);
 
-		return Boolean(isGetRequest && hasEntries && notEventStream);
+		return Boolean(isGetOrPostRequest && hasEntries && notEventStream);
 	}
 
 	/**
@@ -80,7 +80,6 @@ class PagingIterator {
 
 
 		var data = response.body;
-
 		if (Number.isSafeInteger(data.offset)) {
 			this.nextField = PAGING_MODES.OFFSET;
 			this.nextValue = data.offset;
@@ -102,6 +101,13 @@ class PagingIterator {
 			headers: response.request.headers,
 			qs: querystring.parse(response.request.uri.query)
 		};
+		if (response.request.body) {
+			if (Object.prototype.toString.call(response.request.body) === '[object Object]') {
+				this.options.body = response.request.body;
+			} else {
+				this.options.body = JSON.parse(response.request.body);
+			}
+		}
 
 		// querystring.parse() makes everything a string, ensure numeric params are the correct type
 		if (this.options.qs.limit) {
@@ -112,7 +118,12 @@ class PagingIterator {
 		}
 
 		delete this.options.headers.Authorization;
-		this.fetch = client.get.bind(client, href);
+		if (response.request.method === 'GET') {
+			this.fetch = client.get.bind(client, href);
+		}
+		if (response.request.method === 'POST') {
+			this.fetch = client.post.bind(client, href);
+		}
 		this.buffer = response.body.entries;
 		this.queue = new PromiseQueue(1, Infinity);
 		this._updatePaging(response);
@@ -146,8 +157,13 @@ class PagingIterator {
 				this.done = true;
 			}
 		}
-
-		this.options.qs[this.nextField] = this.nextValue;
+		if (response.request.method === 'GET') {
+			this.options.qs[this.nextField] = this.nextValue;
+		} else if (response.request.method === 'POST') {
+			this.options.body[this.nextField] = this.nextValue;
+			let bodyString = JSON.stringify(this.options.body);
+			this.options.headers['content-length'] = bodyString.length;
+		}
 	}
 
 	/**
@@ -215,6 +231,14 @@ class PagingIterator {
 
 		return this.queue.add(this._getData.bind(this));
 	}
+
+	/**
+	 * Fetch the next marker
+	 * @returns {string|int} String that is the next marker or int that is the next offset
+	 */
+	getNextMarker() {
+		return this.nextValue;
+	}
 }
 
 module.exports = PagingIterator;

package/lib/util/url-path.js

@@ -8,6 +8,8 @@
 // Private
 // ------------------------------------------------------------------------------
 
+// Pattern to check for relative paths
+var PATTERN = /\/\.+/;
 /**
  * remove leading & trailing slashes from some string. This is useful for
  * removing slashes from the path segments that are actually a part of the
@@ -39,7 +41,14 @@ function trimSlashes(segment) {
  */
 module.exports = function urlPath(/* arguments*/) {
 	var args = Array.prototype.slice.call(arguments);
-	var path = args.map(x => String(x)).map(x => trimSlashes(x))
+	var path = args.map(x => String(x))
+		.map(x => {
+			var trimmedX = trimSlashes(x);
+			if (PATTERN.test(trimmedX)) {
+				throw new Error(`An invalid path parameter exists in ${trimmedX}. Relative path parameters cannot be passed.`);
+			}
+			return trimmedX;
+		})
 		.map(x => encodeURIComponent(x))
 		.join('/');
 	return `/${path}`;

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "box-node-sdk",
   "author": "Box <oss@box.com>",
-  "version": "1.29.1",
+  "version": "1.33.0",
   "description": "Official SDK for Box Plaform APIs",
   "license": "Apache-2.0",
   "repository": {
@@ -32,33 +32,35 @@
     "major": "node Makefile.js major"
   },
   "dependencies": {
-    "bluebird": "^3.5.0",
-    "http-status": "^1.1.0",
-    "jsonwebtoken": "^8.2.1",
+    "bluebird": "^3.7.1",
+    "http-status": "^1.4.1",
+    "jsonwebtoken": "^8.5.1",
     "merge-options": "^1.0.1",
     "promise-queue": "^2.2.3",
-    "request": "^2.87.0",
+    "request": "^2.88.0",
     "url-template": "^2.0.8",
-    "uuid": "^3.0.0"
+    "uuid": "^3.3.3"
   },
   "devDependencies": {
-    "chai": "^4.1.1",
-    "coveralls": "^3.0.2",
-    "eslint": "^4.13.0",
-    "eslint-plugin-node": "^6.0.0",
-    "eslint-plugin-promise": "^3.6.0",
-    "eslint-plugin-unicorn": "^4.0.2",
+    "chai": "^4.2.0",
+    "coveralls": "^3.0.8",
+    "eslint": "^4.19.1",
+    "eslint-plugin-node": "^6.0.1",
+    "eslint-plugin-promise": "^3.8.0",
+    "eslint-plugin-unicorn": "^4.0.3",
     "istanbul": "^0.4.3",
-    "jsdoc": "^3.5.5",
+    "jsdoc": "^3.6.3",
     "jsonlint2": "^1.7.1",
-    "leche": "^2.2.2",
-    "mocha": "^5.0.1",
+    "leche": "^2.3.0",
+    "mocha": "^5.2.0",
     "mockery": "^2.1.0",
-    "nock": "^9.0.13",
-    "nyc": "^11.4.1",
-    "shelljs": "^0.8.1",
+    "nock": "^9.6.1",
+    "np": "^5.1.3",
+    "npm-upgrade": "^2.0.3",
+    "nyc": "^11.9.0",
+    "shelljs": "^0.8.3",
     "shelljs-nodecli": "^0.1.1",
-    "sinon": "^7.2.4"
+    "sinon": "^7.5.0"
   },
   "files": [
     "config",