launchdarkly-js-sdk-common 5.0.2 → 5.1.0

package/CHANGELOG.md

@@ -2,6 +2,14 @@
 
 All notable changes to the `launchdarkly-js-sdk-common` package will be documented in this file. Changes that affect the dependent SDKs such as `launchdarkly-js-client-sdk` should also be logged in those projects, in the next release that uses the updated version of this package. This project adheres to [Semantic Versioning](http://semver.org).
 
+## [5.0.3] - 2023-03-21
+### Changed:
+- Update `LDContext` to allow for key to be optional. This is used when making an anonymous context with a generated key.
+
+## [5.0.2] - 2023-02-15
+### Changed:
+- Removed usage of optional chaining (`?.`) to improve compatibility with projects which are using older transpilation tooling.
+
 ## [5.0.1] - 2023-01-10
 ### Changed:
 - Updated all types in `typings.d.ts` to be exported. This is to ensure that those types are included in generated documentation of dependent SDKs.

package/CODEOWNERS

@@ -0,0 +1,2 @@
+# Repository Maintainers
+* @launchdarkly/team-sdk

package/README.md

@@ -4,7 +4,7 @@
 
 ## LaunchDarkly overview
 
-[LaunchDarkly](https://www.launchdarkly.com) is a feature management platform that serves over 100 billion feature flags daily to help teams build better software, faster. [Get started](https://docs.launchdarkly.com/home/getting-started) using LaunchDarkly today!
+[LaunchDarkly](https://www.launchdarkly.com) is a feature management platform that serves trillions of feature flags daily to help teams build better software, faster. [Get started](https://docs.launchdarkly.com/home/getting-started) using LaunchDarkly today!
 
 [![Twitter Follow](https://img.shields.io/twitter/follow/launchdarkly.svg?style=social&label=Follow&maxAge=2592000)](https://twitter.com/intent/follow?screen_name=launchdarkly)
 
@@ -27,7 +27,7 @@ We encourage pull requests and other contributions from the community. Check out
     * Gradually roll out a feature to an increasing percentage of users, and track the effect that the feature has on key metrics (for instance, how likely is a user to complete a purchase if they have feature A versus feature B?).
     * Turn off a feature that you realize is causing performance problems in production, without needing to re-deploy, or even restart the application with a changed configuration file.
     * Grant access to certain features based on user attributes, like payment plan (eg: users on the ‘gold’ plan get access to more features than users in the ‘silver’ plan). Disable parts of your application to facilitate maintenance, without taking everything offline.
-* LaunchDarkly provides feature flag SDKs for a wide variety of languages and technologies. Check out [our documentation](https://docs.launchdarkly.com/sdk) for a complete list.
+* LaunchDarkly provides feature flag SDKs for a wide variety of languages and technologies. Read [our documentation](https://docs.launchdarkly.com/sdk) for a complete list.
 * Explore LaunchDarkly
     * [launchdarkly.com](https://www.launchdarkly.com/ "LaunchDarkly Main Website") for more information
     * [docs.launchdarkly.com](https://docs.launchdarkly.com/  "LaunchDarkly Documentation") for our documentation and SDK reference guides

package/SECURITY.md

@@ -0,0 +1,5 @@
+# Reporting and Fixing Security Issues
+
+Please report all security issues to the LaunchDarkly security team by submitting a bug bounty report to our [HackerOne program](https://hackerone.com/launchdarkly?type=team). LaunchDarkly will triage and address all valid security issues following the response targets defined in our program policy. Valid security issues may be eligible for a bounty.
+
+Please do not open issues or pull requests for security issues. This makes the problem immediately visible to everyone, including potentially malicious actors.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "launchdarkly-js-sdk-common",
-  "version": "5.0.2",
+  "version": "5.1.0",
   "description": "LaunchDarkly SDK for JavaScript - common code",
   "author": "LaunchDarkly <team@launchdarkly.com>",
   "license": "Apache-2.0",
@@ -28,6 +28,7 @@
     "@babel/runtime": "7.6.3",
     "@rollup/plugin-replace": "^2.2.0",
     "@types/jest": "^27.4.1",
+    "@types/node": "12.12.6",
     "babel-eslint": "^10.1.0",
     "babel-jest": "^25.1.0",
     "cross-env": "^5.1.4",

package/src/ContextFilter.js

@@ -16,23 +16,27 @@ function ContextFilter(config) {
    * @param {Object} context
    * @returns {string[]} A list of the attributes to filter.
    */
-  const getAttributesToFilter = context =>
-    (allAttributesPrivate
+  const getAttributesToFilter = (context, redactAnonymous) =>
+    (allAttributesPrivate || (redactAnonymous && context.anonymous)
       ? Object.keys(context)
       : [...privateAttributes, ...((context._meta && context._meta.privateAttributes) || [])]
     ).filter(attr => !protectedAttributes.some(protectedAttr => AttributeReference.compare(attr, protectedAttr)));
 
   /**
    * @param {Object} context
+   * @param {boolean} redactAnonymous
    * @returns {Object} A copy of the context with private attributes removed,
    * and the redactedAttributes meta populated.
    */
-  const filterSingleKind = context => {
+  const filterSingleKind = (context, redactAnonymous) => {
     if (typeof context !== 'object' || context === null || Array.isArray(context)) {
       return undefined;
     }
 
-    const { cloned, excluded } = AttributeReference.cloneExcluding(context, getAttributesToFilter(context));
+    const { cloned, excluded } = AttributeReference.cloneExcluding(
+      context,
+      getAttributesToFilter(context, redactAnonymous)
+    );
     cloned.key = String(cloned.key);
     if (excluded.length) {
       if (!cloned._meta) {
@@ -57,10 +61,11 @@ function ContextFilter(config) {
 
   /**
    * @param {Object} context
+   * @param {boolean} redactAnonymous
    * @returns {Object} A copy of the context with the private attributes removed,
    * and the redactedAttributes meta populated for each sub-context.
    */
-  const filterMultiKind = context => {
+  const filterMultiKind = (context, redactAnonymous) => {
     const filtered = {
       kind: context.kind,
     };
@@ -68,7 +73,7 @@ function ContextFilter(config) {
 
     for (const contextKey of contextKeys) {
       if (contextKey !== 'kind') {
-        const filteredContext = filterSingleKind(context[contextKey]);
+        const filteredContext = filterSingleKind(context[contextKey], redactAnonymous);
         if (filteredContext) {
           filtered[contextKey] = filteredContext;
         }
@@ -121,13 +126,13 @@ function ContextFilter(config) {
     return filtered;
   };
 
-  filter.filter = context => {
+  filter.filter = (context, redactAnonymous = false) => {
     if (context.kind === undefined || context.kind === null) {
-      return filterSingleKind(legacyToSingleKind(context));
+      return filterSingleKind(legacyToSingleKind(context), redactAnonymous);
     } else if (context.kind === 'multi') {
-      return filterMultiKind(context);
+      return filterMultiKind(context, redactAnonymous);
     } else {
-      return filterSingleKind(context);
+      return filterSingleKind(context, redactAnonymous);
     }
   };
 

package/src/EventProcessor.js

@@ -50,6 +50,9 @@ function EventProcessor(
     if (e.kind === 'identify') {
       // identify events always have an inline context
       ret.context = contextFilter.filter(e.context);
+    } else if (e.kind === 'feature') {
+      // feature events always have an inline context
+      ret.context = contextFilter.filter(e.context, true);
     } else {
       ret.contextKeys = getContextKeysFromEvent(e);
       delete ret['context'];
@@ -136,8 +139,7 @@ function EventProcessor(
     }
     queue = [];
     logger.debug(messages.debugPostingEvents(eventsToSend.length));
-    return eventSender.sendEvents(eventsToSend, mainEventsUrl).then(responses => {
-      const responseInfo = responses && responses[0];
+    return eventSender.sendEvents(eventsToSend, mainEventsUrl).then(responseInfo => {
       if (responseInfo) {
         if (responseInfo.serverTime) {
           lastKnownPastTime = responseInfo.serverTime;

package/src/EventSender.js

@@ -3,12 +3,8 @@ const utils = require('./utils');
 const { v1: uuidv1 } = require('uuid');
 const { getLDHeaders, transformHeaders } = require('./headers');
 
-const MAX_URL_LENGTH = 2000;
-
 function EventSender(platform, environmentId, options) {
-  const imageUrlPath = '/a/' + environmentId + '.gif';
   const baseHeaders = utils.extend({ 'Content-Type': 'application/json' }, getLDHeaders(platform, options));
-  const httpFallbackPing = platform.httpFallbackPing; // this will be set for us if we're in the browser SDK
   const sender = {};
 
   function getResponseInfo(result) {
@@ -23,7 +19,11 @@ function EventSender(platform, environmentId, options) {
     return ret;
   }
 
-  sender.sendChunk = (events, url, isDiagnostic, usePost) => {
+  sender.sendEvents = (events, url, isDiagnostic) => {
+    if (!platform.httpRequest) {
+      return Promise.resolve();
+    }
+
     const jsonBody = JSON.stringify(events);
     const payloadId = isDiagnostic ? null : uuidv1();
 
@@ -55,31 +55,7 @@ function EventSender(platform, environmentId, options) {
         });
     }
 
-    if (usePost) {
-      return doPostRequest(true).catch(() => {});
-    } else {
-      httpFallbackPing && httpFallbackPing(url + imageUrlPath + '?d=' + utils.base64URLEncode(jsonBody));
-      return Promise.resolve(); // we don't wait for this request to complete, it's just a one-way ping
-    }
-  };
-
-  sender.sendEvents = function(events, url, isDiagnostic) {
-    if (!platform.httpRequest) {
-      return Promise.resolve();
-    }
-    const canPost = platform.httpAllowsPost();
-    let chunks;
-    if (canPost) {
-      // no need to break up events into chunks if we can send a POST
-      chunks = [events];
-    } else {
-      chunks = utils.chunkEventsForUrl(MAX_URL_LENGTH - url.length, events);
-    }
-    const results = [];
-    for (let i = 0; i < chunks.length; i++) {
-      results.push(sender.sendChunk(chunks[i], url, isDiagnostic, canPost));
-    }
-    return Promise.all(results);
+    return doPostRequest(true).catch(() => {});
   };
 
   return sender;

package/src/__tests__/ContextFilter-test.js

@@ -283,6 +283,11 @@ describe('when handling single kind contexts', () => {
     expect(uf.filter(anonymousContext)).toEqual(contextWithAllAttrsHidden);
   });
 
+  it('all attributes are redacted when anonymous', () => {
+    const uf = ContextFilter({});
+    expect(uf.filter(anonymousContext, true)).toEqual(contextWithAllAttrsHidden);
+  });
+
   it('converts non-boolean anonymous to boolean.', () => {
     const uf = ContextFilter({});
     expect(uf.filter({ kind: 'user', key: 'user', anonymous: 'string' })).toEqual({
@@ -330,6 +335,7 @@ describe('when handling mult-kind contexts', () => {
     user: {
       key: 'abc',
       name: 'alphabet',
+      anonymous: true,
       letters: ['a', 'b', 'c'],
       order: 3,
       object: {
@@ -342,6 +348,25 @@ describe('when handling mult-kind contexts', () => {
     },
   };
 
+  const orgAndUserContextWithAnonymousRedaction = {
+    kind: 'multi',
+    organization: {
+      key: 'LD',
+      rocks: true,
+      name: 'name',
+      department: {
+        name: 'sdk',
+      },
+    },
+    user: {
+      key: 'abc',
+      anonymous: true,
+      _meta: {
+        redactedAttributes: ['/letters', '/name', '/object', '/order'],
+      },
+    },
+  };
+
   const orgAndUserContextAllPrivate = {
     kind: 'multi',
     organization: {
@@ -352,6 +377,7 @@ describe('when handling mult-kind contexts', () => {
     },
     user: {
       key: 'abc',
+      anonymous: true,
       _meta: {
         redactedAttributes: ['/letters', '/name', '/object', '/order'],
       },
@@ -373,6 +399,7 @@ describe('when handling mult-kind contexts', () => {
     user: {
       key: 'abc',
       order: 3,
+      anonymous: true,
       object: {
         a: 'a',
       },
@@ -395,6 +422,7 @@ describe('when handling mult-kind contexts', () => {
     user: {
       key: 'abc',
       name: 'alphabet',
+      anonymous: true,
       order: 3,
       object: {
         a: 'a',
@@ -415,6 +443,11 @@ describe('when handling mult-kind contexts', () => {
     expect(uf.filter(orgAndUserContext)).toEqual(orgAndUserContextAllPrivate);
   });
 
+  it('it should remove attributes from all anonymous contexts', () => {
+    const uf = ContextFilter({});
+    expect(uf.filter(orgAndUserContext, true)).toEqual(orgAndUserContextWithAnonymousRedaction);
+  });
+
   it('it should apply private attributes from the context to the context.', () => {
     const uf = ContextFilter({});
     expect(uf.filter(orgAndUserContext)).toEqual(orgAndUserContextIncludedPrivate);

package/src/__tests__/EventProcessor-test.js

@@ -75,7 +75,7 @@ describe.each([
     expect(e.value).toEqual(source.value);
     expect(e.default).toEqual(source.default);
     expect(e.reason).toEqual(source.reason);
-    checkUserInline(e, source, inlineUser);
+    expect(e.context).toEqual(inlineUser);
   }
 
   function checkCustomEvent(e, source) {
@@ -136,7 +136,7 @@ describe.each([
       expect(mockEventSender.calls.length()).toEqual(1);
       const output = (await mockEventSender.calls.take()).events;
       expect(output.length).toEqual(2);
-      checkFeatureEvent(output[0], event, false);
+      checkFeatureEvent(output[0], event, false, eventContext);
       checkSummaryEvent(output[1]);
     });
   });
@@ -159,7 +159,7 @@ describe.each([
       expect(mockEventSender.calls.length()).toEqual(1);
       const output = (await mockEventSender.calls.take()).events;
       expect(output.length).toEqual(2);
-      checkFeatureEvent(output[0], event, false);
+      checkFeatureEvent(output[0], event, false, eventContext);
       checkSummaryEvent(output[1]);
     });
   });
@@ -236,7 +236,7 @@ describe.each([
       expect(mockEventSender.calls.length()).toEqual(1);
       const output = (await mockEventSender.calls.take()).events;
       expect(output.length).toEqual(3);
-      checkFeatureEvent(output[0], e, false);
+      checkFeatureEvent(output[0], e, false, { ...context, kind: context.kind || 'user' });
       checkFeatureEvent(output[1], e, true, { ...context, kind: context.kind || 'user' });
       checkSummaryEvent(output[2]);
     });

package/src/__tests__/EventSender-test.js

@@ -1,8 +1,6 @@
 import EventSender from '../EventSender';
 import * as utils from '../utils';
 
-import * as base64 from 'base64-js';
-
 import { respond, networkError } from './mockHttp';
 import * as stubPlatform from './stubPlatform';
 
@@ -20,74 +18,6 @@ describe('EventSender', () => {
     platform = stubPlatform.defaults();
   });
 
-  function fakeImageCreator() {
-    const ret = function(url) {
-      ret.urls.push(url);
-    };
-    ret.urls = [];
-    return ret;
-  }
-
-  function base64URLDecode(str) {
-    let s = str;
-    while (s.length % 4 !== 0) {
-      s = s + '=';
-    }
-    s = s.replace(/_/g, '/').replace(/-/g, '+');
-    const decodedBytes = base64.toByteArray(s);
-    const decodedStr = String.fromCharCode.apply(String, decodedBytes);
-    return decodeURIComponent(escape(decodedStr));
-  }
-
-  function decodeOutputFromUrl(url, baseUrl) {
-    const prefix = baseUrl + '/a/' + envId + '.gif?d=';
-    if (!url.startsWith(prefix)) {
-      throw 'URL "' + url + '" did not have expected prefix "' + prefix + '"';
-    }
-    return JSON.parse(base64URLDecode(url.substring(prefix.length)));
-  }
-
-  describe('using image endpoint when CORS is not available', () => {
-    it('should encode events in a single chunk if they fit', async () => {
-      const server = platform.testing.http.newServer();
-      const imageCreator = fakeImageCreator();
-      const platformWithoutCors = { ...platform, httpAllowsPost: () => false, httpFallbackPing: imageCreator };
-      const sender = EventSender(platformWithoutCors, envId);
-      const event1 = { kind: 'identify', key: 'userKey1' };
-      const event2 = { kind: 'identify', key: 'userKey2' };
-      const events = [event1, event2];
-
-      await sender.sendEvents(events, server.url);
-
-      const urls = imageCreator.urls;
-      expect(urls.length).toEqual(1);
-      expect(decodeOutputFromUrl(urls[0], server.url)).toEqual(events);
-
-      expect(server.requests.length()).toEqual(0);
-    });
-
-    it('should send events in multiple chunks if necessary', async () => {
-      const server = platform.testing.http.newServer();
-      const imageCreator = fakeImageCreator();
-      const platformWithoutCors = { ...platform, httpAllowsPost: () => false, httpFallbackPing: imageCreator };
-      const sender = EventSender(platformWithoutCors, envId);
-      const events = [];
-      for (let i = 0; i < 80; i++) {
-        events.push({ kind: 'identify', key: 'thisIsALongUserKey' + i });
-      }
-
-      await sender.sendEvents(events, server.url);
-
-      const urls = imageCreator.urls;
-      expect(urls.length).toEqual(3);
-      expect(decodeOutputFromUrl(urls[0], server.url)).toEqual(events.slice(0, 31));
-      expect(decodeOutputFromUrl(urls[1], server.url)).toEqual(events.slice(31, 61));
-      expect(decodeOutputFromUrl(urls[2], server.url)).toEqual(events.slice(61, 80));
-
-      expect(server.requests.length()).toEqual(0);
-    });
-  });
-
   describe('using POST when CORS is available', () => {
     it('should send all events in request body', async () => {
       const server = platform.testing.http.newServer();
@@ -239,6 +169,20 @@ describe('EventSender', () => {
     });
   });
 
+  describe('verify sendEvents response format', () => {
+    it('includes date header', async () => {
+      const options = { sendLDHeaders: true };
+      const server = platform.testing.http.newServer();
+      server.byDefault(respond(202, { date: 'Wed, 21 Oct 2015 07:28:00 GMT' }, '{}'));
+
+      const sender = EventSender(platform, envId, options);
+      const event = { kind: 'identify', key: 'userKey' };
+      const responseInfo = await sender.sendEvents([event], server.url);
+
+      expect(responseInfo.serverTime).toEqual(1445412480000);
+    });
+  });
+
   describe('When HTTP requests are not available at all', () => {
     it('should silently discard events', async () => {
       const server = platform.testing.http.newServer();

package/src/__tests__/stubPlatform.js

@@ -13,8 +13,6 @@ import { MockHttpState } from './mockHttp';
 // httpRequest?: (method, url, headers, body, sync) => requestProperties
 //   requestProperties.promise: Promise     // resolves to { status, header: (name) => value, body } or rejects for a network error
 //   requestProperties.cancel?: () => void  // provided if it's possible to cancel requests in this implementation
-// httpAllowsPost: boolean        // true if we can do cross-origin POST requests
-// httpFallbackPing?: (url) => {} // method for doing an HTTP GET without awaiting the result (i.e. browser image mechanism)
 // getCurrentUrl: () => string    // returns null if we're not in a browser
 // isDoNotTrack: () => boolean
 // localStorage: {
@@ -45,8 +43,6 @@ export function defaults() {
     httpRequest: mockHttpState.doRequest,
     diagnosticSdkData: { name: 'stub-sdk' },
     diagnosticPlatformData: { name: 'stub-platform' },
-    httpAllowsPost: () => true,
-    httpAllowsSync: () => true,
     getCurrentUrl: () => currentUrl,
     isDoNotTrack: () => doNotTrack,
     eventSourceFactory: (url, options) => {

package/src/__tests__/testUtils.js

@@ -62,7 +62,7 @@ export function MockEventSender() {
     calls,
     sendEvents: (events, url) => {
       calls.add({ events, url });
-      return Promise.resolve([{ serverTime, status }]);
+      return Promise.resolve({ serverTime, status });
     },
     setServerTime: time => {
       serverTime = time;

package/src/__tests__/utils-test.js

@@ -1,4 +1,4 @@
-import { appendUrlPath, base64URLEncode, chunkEventsForUrl, getLDUserAgentString, wrapPromiseCallback } from '../utils';
+import { appendUrlPath, getLDUserAgentString, wrapPromiseCallback } from '../utils';
 
 import * as stubPlatform from './stubPlatform';
 
@@ -63,15 +63,4 @@ describe('utils', () => {
       expect(ua).toEqual('stubClient/7.8.9');
     });
   });
-
-  describe('chunkEventsForUrl', () => {
-    it('should properly chunk the list of events', () => {
-      const context = { key: 'foo', kind: 'user' };
-      const event = { kind: 'identify', key: context.key };
-      const eventLength = base64URLEncode(JSON.stringify(event)).length;
-      const events = [event, event, event, event, event];
-      const chunks = chunkEventsForUrl(eventLength * 2, events);
-      expect(chunks).toEqual([[event, event], [event, event], [event]]);
-    });
-  });
 });

package/src/utils.js

@@ -112,46 +112,6 @@ function transformVersionedValuesToValues(flagsState) {
   return ret;
 }
 
-/**
- * Returns an array of event groups each of which can be safely URL-encoded
- * without hitting the safe maximum URL length of certain browsers.
- *
- * @param {number} maxLength maximum URL length targeted
- * @param {Array[Object}]} events queue of events to divide
- * @returns Array[Array[Object]]
- */
-function chunkEventsForUrl(maxLength, events) {
-  const allEvents = events.slice(0);
-  const allChunks = [];
-  let remainingSpace = maxLength;
-  let chunk;
-
-  while (allEvents.length > 0) {
-    chunk = [];
-
-    while (remainingSpace > 0) {
-      const event = allEvents.shift();
-      if (!event) {
-        break;
-      }
-      remainingSpace = remainingSpace - base64URLEncode(JSON.stringify(event)).length;
-      // If we are over the max size, put this one back on the queue
-      // to try in the next round, unless this event alone is larger
-      // than the limit, in which case, screw it, and try it anyway.
-      if (remainingSpace < 0 && chunk.length > 0) {
-        allEvents.unshift(event);
-      } else {
-        chunk.push(event);
-      }
-    }
-
-    remainingSpace = maxLength;
-    allChunks.push(chunk);
-  }
-
-  return allChunks;
-}
-
 function getLDUserAgentString(platform) {
   const version = platform.version || '?';
   return platform.userAgent + '/' + version;
@@ -188,7 +148,6 @@ module.exports = {
   appendUrlPath,
   base64URLEncode,
   btoa,
-  chunkEventsForUrl,
   clone,
   deepEquals,
   extend,

package/typings.d.ts

@@ -345,8 +345,9 @@ declare module 'launchdarkly-js-sdk-common' {
 
     /**
      * A unique string identifying a context.
+     * This value must be set unless the context is anonymous.
      */
-    key: string;
+    key?: string;
 
     /**
      * The context's name.
@@ -847,14 +848,14 @@ declare module 'launchdarkly-js-sdk-common' {
     off(key: string, callback: (...args: any[]) => void, context?: any): void;
 
     /**
-     * Track page events to use in goals or A/B tests.
+     * Track page events to use in metrics (goals) or Experimentation.
      *
      * LaunchDarkly automatically tracks pageviews and clicks that are specified in the
-     * Goals section of their dashboard. This can be used to track custom goals or other
-     * events that do not currently have goals.
+     * Metrics section of their dashboard. This can be used to track custom metrics or other
+     * events that do not currently have metrics.
      *
      * @param key
-     *   The name of the event, which may correspond to a goal in A/B tests.
+     *   The name of the event, which may correspond to a metric in experiments.
      * @param data
      *   Additional information to associate with the event.
      * @param metricValue