launchdarkly-js-sdk-common 5.0.3 → 5.2.0

package/CHANGELOG.md

@@ -2,6 +2,21 @@
 
 All notable changes to the `launchdarkly-js-sdk-common` package will be documented in this file. Changes that affect the dependent SDKs such as `launchdarkly-js-client-sdk` should also be logged in those projects, in the next release that uses the updated version of this package. This project adheres to [Semantic Versioning](http://semver.org).
 
+## [5.1.0] - 2024-03-19
+### Changed:
+- Redact anonymous attributes within feature events
+- Always inline contexts for feature events
+
+### Fixed:
+- Pin dev version of node to compatible types.
+
+### Removed:
+- HTTP fallback ping
+
+## [5.0.3] - 2023-03-21
+### Changed:
+- Update `LDContext` to allow for key to be optional. This is used when making an anonymous context with a generated key.
+
 ## [5.0.2] - 2023-02-15
 ### Changed:
 - Removed usage of optional chaining (`?.`) to improve compatibility with projects which are using older transpilation tooling.

package/CODEOWNERS

@@ -0,0 +1,2 @@
+# Repository Maintainers
+* @launchdarkly/team-sdk

package/README.md

@@ -4,7 +4,7 @@
 
 ## LaunchDarkly overview
 
-[LaunchDarkly](https://www.launchdarkly.com) is a feature management platform that serves over 100 billion feature flags daily to help teams build better software, faster. [Get started](https://docs.launchdarkly.com/home/getting-started) using LaunchDarkly today!
+[LaunchDarkly](https://www.launchdarkly.com) is a feature management platform that serves trillions of feature flags daily to help teams build better software, faster. [Get started](https://docs.launchdarkly.com/home/getting-started) using LaunchDarkly today!
 
 [![Twitter Follow](https://img.shields.io/twitter/follow/launchdarkly.svg?style=social&label=Follow&maxAge=2592000)](https://twitter.com/intent/follow?screen_name=launchdarkly)
 
@@ -27,7 +27,7 @@ We encourage pull requests and other contributions from the community. Check out
     * Gradually roll out a feature to an increasing percentage of users, and track the effect that the feature has on key metrics (for instance, how likely is a user to complete a purchase if they have feature A versus feature B?).
     * Turn off a feature that you realize is causing performance problems in production, without needing to re-deploy, or even restart the application with a changed configuration file.
     * Grant access to certain features based on user attributes, like payment plan (eg: users on the ‘gold’ plan get access to more features than users in the ‘silver’ plan). Disable parts of your application to facilitate maintenance, without taking everything offline.
-* LaunchDarkly provides feature flag SDKs for a wide variety of languages and technologies. Check out [our documentation](https://docs.launchdarkly.com/sdk) for a complete list.
+* LaunchDarkly provides feature flag SDKs for a wide variety of languages and technologies. Read [our documentation](https://docs.launchdarkly.com/sdk) for a complete list.
 * Explore LaunchDarkly
     * [launchdarkly.com](https://www.launchdarkly.com/ "LaunchDarkly Main Website") for more information
     * [docs.launchdarkly.com](https://docs.launchdarkly.com/  "LaunchDarkly Documentation") for our documentation and SDK reference guides

package/SECURITY.md

@@ -0,0 +1,5 @@
+# Reporting and Fixing Security Issues
+
+Please report all security issues to the LaunchDarkly security team by submitting a bug bounty report to our [HackerOne program](https://hackerone.com/launchdarkly?type=team). LaunchDarkly will triage and address all valid security issues following the response targets defined in our program policy. Valid security issues may be eligible for a bounty.
+
+Please do not open issues or pull requests for security issues. This makes the problem immediately visible to everyone, including potentially malicious actors.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "launchdarkly-js-sdk-common",
-  "version": "5.0.3",
+  "version": "5.2.0",
   "description": "LaunchDarkly SDK for JavaScript - common code",
   "author": "LaunchDarkly <team@launchdarkly.com>",
   "license": "Apache-2.0",
@@ -28,6 +28,7 @@
     "@babel/runtime": "7.6.3",
     "@rollup/plugin-replace": "^2.2.0",
     "@types/jest": "^27.4.1",
+    "@types/node": "12.12.6",
     "babel-eslint": "^10.1.0",
     "babel-jest": "^25.1.0",
     "cross-env": "^5.1.4",
@@ -37,10 +38,10 @@
     "eslint-formatter-pretty": "^1.3.0",
     "eslint-plugin-babel": "^5.0.0",
     "eslint-plugin-prettier": "^2.6.0",
-    "jest": "^25.5.4",
+    "jest": "^26.6.3",
     "jsdom": "^11.11.0",
     "launchdarkly-js-test-helpers": "1.1.0",
-    "prettier": "1.11.1",
+    "prettier": "1.19.1",
     "readline-sync": "^1.4.9",
     "typescript": "~4.4.4"
   },

package/src/ContextFilter.js

@@ -16,23 +16,27 @@ function ContextFilter(config) {
    * @param {Object} context
    * @returns {string[]} A list of the attributes to filter.
    */
-  const getAttributesToFilter = context =>
-    (allAttributesPrivate
+  const getAttributesToFilter = (context, redactAnonymous) =>
+    (allAttributesPrivate || (redactAnonymous && context.anonymous)
       ? Object.keys(context)
       : [...privateAttributes, ...((context._meta && context._meta.privateAttributes) || [])]
     ).filter(attr => !protectedAttributes.some(protectedAttr => AttributeReference.compare(attr, protectedAttr)));
 
   /**
    * @param {Object} context
+   * @param {boolean} redactAnonymous
    * @returns {Object} A copy of the context with private attributes removed,
    * and the redactedAttributes meta populated.
    */
-  const filterSingleKind = context => {
+  const filterSingleKind = (context, redactAnonymous) => {
     if (typeof context !== 'object' || context === null || Array.isArray(context)) {
       return undefined;
     }
 
-    const { cloned, excluded } = AttributeReference.cloneExcluding(context, getAttributesToFilter(context));
+    const { cloned, excluded } = AttributeReference.cloneExcluding(
+      context,
+      getAttributesToFilter(context, redactAnonymous)
+    );
     cloned.key = String(cloned.key);
     if (excluded.length) {
       if (!cloned._meta) {
@@ -57,10 +61,11 @@ function ContextFilter(config) {
 
   /**
    * @param {Object} context
+   * @param {boolean} redactAnonymous
    * @returns {Object} A copy of the context with the private attributes removed,
    * and the redactedAttributes meta populated for each sub-context.
    */
-  const filterMultiKind = context => {
+  const filterMultiKind = (context, redactAnonymous) => {
     const filtered = {
       kind: context.kind,
     };
@@ -68,7 +73,7 @@ function ContextFilter(config) {
 
     for (const contextKey of contextKeys) {
       if (contextKey !== 'kind') {
-        const filteredContext = filterSingleKind(context[contextKey]);
+        const filteredContext = filterSingleKind(context[contextKey], redactAnonymous);
         if (filteredContext) {
           filtered[contextKey] = filteredContext;
         }
@@ -113,21 +118,21 @@ function ContextFilter(config) {
       filtered._meta = filtered._meta || {};
       // If any private attributes started with '/' we need to convert them to references, otherwise the '/' will
       // cause the literal to incorrectly be treated as a reference.
-      filtered._meta.privateAttributes = user.privateAttributeNames.map(
-        literal => (literal.startsWith('/') ? AttributeReference.literalToReference(literal) : literal)
+      filtered._meta.privateAttributes = user.privateAttributeNames.map(literal =>
+        literal.startsWith('/') ? AttributeReference.literalToReference(literal) : literal
       );
     }
 
     return filtered;
   };
 
-  filter.filter = context => {
+  filter.filter = (context, redactAnonymous = false) => {
     if (context.kind === undefined || context.kind === null) {
-      return filterSingleKind(legacyToSingleKind(context));
+      return filterSingleKind(legacyToSingleKind(context), redactAnonymous);
     } else if (context.kind === 'multi') {
-      return filterMultiKind(context);
+      return filterMultiKind(context, redactAnonymous);
     } else {
-      return filterSingleKind(context);
+      return filterSingleKind(context, redactAnonymous);
     }
   };
 

package/src/EventProcessor.js

@@ -50,6 +50,9 @@ function EventProcessor(
     if (e.kind === 'identify') {
       // identify events always have an inline context
       ret.context = contextFilter.filter(e.context);
+    } else if (e.kind === 'feature') {
+      // feature events always have an inline context
+      ret.context = contextFilter.filter(e.context, true);
     } else {
       ret.contextKeys = getContextKeysFromEvent(e);
       delete ret['context'];
@@ -136,8 +139,7 @@ function EventProcessor(
     }
     queue = [];
     logger.debug(messages.debugPostingEvents(eventsToSend.length));
-    return eventSender.sendEvents(eventsToSend, mainEventsUrl).then(responses => {
-      const responseInfo = responses && responses[0];
+    return eventSender.sendEvents(eventsToSend, mainEventsUrl).then(responseInfo => {
       if (responseInfo) {
         if (responseInfo.serverTime) {
           lastKnownPastTime = responseInfo.serverTime;

package/src/EventSender.js

@@ -3,12 +3,8 @@ const utils = require('./utils');
 const { v1: uuidv1 } = require('uuid');
 const { getLDHeaders, transformHeaders } = require('./headers');
 
-const MAX_URL_LENGTH = 2000;
-
 function EventSender(platform, environmentId, options) {
-  const imageUrlPath = '/a/' + environmentId + '.gif';
   const baseHeaders = utils.extend({ 'Content-Type': 'application/json' }, getLDHeaders(platform, options));
-  const httpFallbackPing = platform.httpFallbackPing; // this will be set for us if we're in the browser SDK
   const sender = {};
 
   function getResponseInfo(result) {
@@ -23,7 +19,11 @@ function EventSender(platform, environmentId, options) {
     return ret;
   }
 
-  sender.sendChunk = (events, url, isDiagnostic, usePost) => {
+  sender.sendEvents = (events, url, isDiagnostic) => {
+    if (!platform.httpRequest) {
+      return Promise.resolve();
+    }
+
     const jsonBody = JSON.stringify(events);
     const payloadId = isDiagnostic ? null : uuidv1();
 
@@ -55,31 +55,7 @@ function EventSender(platform, environmentId, options) {
         });
     }
 
-    if (usePost) {
-      return doPostRequest(true).catch(() => {});
-    } else {
-      httpFallbackPing && httpFallbackPing(url + imageUrlPath + '?d=' + utils.base64URLEncode(jsonBody));
-      return Promise.resolve(); // we don't wait for this request to complete, it's just a one-way ping
-    }
-  };
-
-  sender.sendEvents = function(events, url, isDiagnostic) {
-    if (!platform.httpRequest) {
-      return Promise.resolve();
-    }
-    const canPost = platform.httpAllowsPost();
-    let chunks;
-    if (canPost) {
-      // no need to break up events into chunks if we can send a POST
-      chunks = [events];
-    } else {
-      chunks = utils.chunkEventsForUrl(MAX_URL_LENGTH - url.length, events);
-    }
-    const results = [];
-    for (let i = 0; i < chunks.length; i++) {
-      results.push(sender.sendChunk(chunks[i], url, isDiagnostic, canPost));
-    }
-    return Promise.all(results);
+    return doPostRequest(true).catch(() => {});
   };
 
   return sender;

package/src/__tests__/ContextFilter-test.js

@@ -283,6 +283,11 @@ describe('when handling single kind contexts', () => {
     expect(uf.filter(anonymousContext)).toEqual(contextWithAllAttrsHidden);
   });
 
+  it('all attributes are redacted when anonymous', () => {
+    const uf = ContextFilter({});
+    expect(uf.filter(anonymousContext, true)).toEqual(contextWithAllAttrsHidden);
+  });
+
   it('converts non-boolean anonymous to boolean.', () => {
     const uf = ContextFilter({});
     expect(uf.filter({ kind: 'user', key: 'user', anonymous: 'string' })).toEqual({
@@ -330,6 +335,7 @@ describe('when handling mult-kind contexts', () => {
     user: {
       key: 'abc',
       name: 'alphabet',
+      anonymous: true,
       letters: ['a', 'b', 'c'],
       order: 3,
       object: {
@@ -342,6 +348,25 @@ describe('when handling mult-kind contexts', () => {
     },
   };
 
+  const orgAndUserContextWithAnonymousRedaction = {
+    kind: 'multi',
+    organization: {
+      key: 'LD',
+      rocks: true,
+      name: 'name',
+      department: {
+        name: 'sdk',
+      },
+    },
+    user: {
+      key: 'abc',
+      anonymous: true,
+      _meta: {
+        redactedAttributes: ['/letters', '/name', '/object', '/order'],
+      },
+    },
+  };
+
   const orgAndUserContextAllPrivate = {
     kind: 'multi',
     organization: {
@@ -352,6 +377,7 @@ describe('when handling mult-kind contexts', () => {
     },
     user: {
       key: 'abc',
+      anonymous: true,
       _meta: {
         redactedAttributes: ['/letters', '/name', '/object', '/order'],
       },
@@ -373,6 +399,7 @@ describe('when handling mult-kind contexts', () => {
     user: {
       key: 'abc',
       order: 3,
+      anonymous: true,
       object: {
         a: 'a',
       },
@@ -395,6 +422,7 @@ describe('when handling mult-kind contexts', () => {
     user: {
       key: 'abc',
       name: 'alphabet',
+      anonymous: true,
       order: 3,
       object: {
         a: 'a',
@@ -415,6 +443,11 @@ describe('when handling mult-kind contexts', () => {
     expect(uf.filter(orgAndUserContext)).toEqual(orgAndUserContextAllPrivate);
   });
 
+  it('it should remove attributes from all anonymous contexts', () => {
+    const uf = ContextFilter({});
+    expect(uf.filter(orgAndUserContext, true)).toEqual(orgAndUserContextWithAnonymousRedaction);
+  });
+
   it('it should apply private attributes from the context to the context.', () => {
     const uf = ContextFilter({});
     expect(uf.filter(orgAndUserContext)).toEqual(orgAndUserContextIncludedPrivate);

package/src/__tests__/EventProcessor-test.js

@@ -10,7 +10,10 @@ import { MockEventSender } from './testUtils';
 // tests; here, we use a mock EventSender.
 
 describe.each([
-  [{ key: 'userKey', name: 'Red' }, { key: 'userKey', kind: 'user', _meta: { redactedAttributes: ['/name'] } }],
+  [
+    { key: 'userKey', name: 'Red' },
+    { key: 'userKey', kind: 'user', _meta: { redactedAttributes: ['/name'] } },
+  ],
   [
     { kind: 'user', key: 'userKey', name: 'Red' },
     { key: 'userKey', kind: 'user', _meta: { redactedAttributes: ['/name'] } },
@@ -75,7 +78,7 @@ describe.each([
     expect(e.value).toEqual(source.value);
     expect(e.default).toEqual(source.default);
     expect(e.reason).toEqual(source.reason);
-    checkUserInline(e, source, inlineUser);
+    expect(e.context).toEqual(inlineUser);
   }
 
   function checkCustomEvent(e, source) {
@@ -136,7 +139,7 @@ describe.each([
       expect(mockEventSender.calls.length()).toEqual(1);
       const output = (await mockEventSender.calls.take()).events;
       expect(output.length).toEqual(2);
-      checkFeatureEvent(output[0], event, false);
+      checkFeatureEvent(output[0], event, false, eventContext);
       checkSummaryEvent(output[1]);
     });
   });
@@ -159,7 +162,7 @@ describe.each([
       expect(mockEventSender.calls.length()).toEqual(1);
       const output = (await mockEventSender.calls.take()).events;
       expect(output.length).toEqual(2);
-      checkFeatureEvent(output[0], event, false);
+      checkFeatureEvent(output[0], event, false, eventContext);
       checkSummaryEvent(output[1]);
     });
   });
@@ -236,7 +239,7 @@ describe.each([
       expect(mockEventSender.calls.length()).toEqual(1);
       const output = (await mockEventSender.calls.take()).events;
       expect(output.length).toEqual(3);
-      checkFeatureEvent(output[0], e, false);
+      checkFeatureEvent(output[0], e, false, { ...context, kind: context.kind || 'user' });
       checkFeatureEvent(output[1], e, true, { ...context, kind: context.kind || 'user' });
       checkSummaryEvent(output[2]);
     });

package/src/__tests__/EventSender-test.js

@@ -1,8 +1,6 @@
 import EventSender from '../EventSender';
 import * as utils from '../utils';
 
-import * as base64 from 'base64-js';
-
 import { respond, networkError } from './mockHttp';
 import * as stubPlatform from './stubPlatform';
 
@@ -20,74 +18,6 @@ describe('EventSender', () => {
     platform = stubPlatform.defaults();
   });
 
-  function fakeImageCreator() {
-    const ret = function(url) {
-      ret.urls.push(url);
-    };
-    ret.urls = [];
-    return ret;
-  }
-
-  function base64URLDecode(str) {
-    let s = str;
-    while (s.length % 4 !== 0) {
-      s = s + '=';
-    }
-    s = s.replace(/_/g, '/').replace(/-/g, '+');
-    const decodedBytes = base64.toByteArray(s);
-    const decodedStr = String.fromCharCode.apply(String, decodedBytes);
-    return decodeURIComponent(escape(decodedStr));
-  }
-
-  function decodeOutputFromUrl(url, baseUrl) {
-    const prefix = baseUrl + '/a/' + envId + '.gif?d=';
-    if (!url.startsWith(prefix)) {
-      throw 'URL "' + url + '" did not have expected prefix "' + prefix + '"';
-    }
-    return JSON.parse(base64URLDecode(url.substring(prefix.length)));
-  }
-
-  describe('using image endpoint when CORS is not available', () => {
-    it('should encode events in a single chunk if they fit', async () => {
-      const server = platform.testing.http.newServer();
-      const imageCreator = fakeImageCreator();
-      const platformWithoutCors = { ...platform, httpAllowsPost: () => false, httpFallbackPing: imageCreator };
-      const sender = EventSender(platformWithoutCors, envId);
-      const event1 = { kind: 'identify', key: 'userKey1' };
-      const event2 = { kind: 'identify', key: 'userKey2' };
-      const events = [event1, event2];
-
-      await sender.sendEvents(events, server.url);
-
-      const urls = imageCreator.urls;
-      expect(urls.length).toEqual(1);
-      expect(decodeOutputFromUrl(urls[0], server.url)).toEqual(events);
-
-      expect(server.requests.length()).toEqual(0);
-    });
-
-    it('should send events in multiple chunks if necessary', async () => {
-      const server = platform.testing.http.newServer();
-      const imageCreator = fakeImageCreator();
-      const platformWithoutCors = { ...platform, httpAllowsPost: () => false, httpFallbackPing: imageCreator };
-      const sender = EventSender(platformWithoutCors, envId);
-      const events = [];
-      for (let i = 0; i < 80; i++) {
-        events.push({ kind: 'identify', key: 'thisIsALongUserKey' + i });
-      }
-
-      await sender.sendEvents(events, server.url);
-
-      const urls = imageCreator.urls;
-      expect(urls.length).toEqual(3);
-      expect(decodeOutputFromUrl(urls[0], server.url)).toEqual(events.slice(0, 31));
-      expect(decodeOutputFromUrl(urls[1], server.url)).toEqual(events.slice(31, 61));
-      expect(decodeOutputFromUrl(urls[2], server.url)).toEqual(events.slice(61, 80));
-
-      expect(server.requests.length()).toEqual(0);
-    });
-  });
-
   describe('using POST when CORS is available', () => {
     it('should send all events in request body', async () => {
       const server = platform.testing.http.newServer();
@@ -239,6 +169,20 @@ describe('EventSender', () => {
     });
   });
 
+  describe('verify sendEvents response format', () => {
+    it('includes date header', async () => {
+      const options = { sendLDHeaders: true };
+      const server = platform.testing.http.newServer();
+      server.byDefault(respond(202, { date: 'Wed, 21 Oct 2015 07:28:00 GMT' }, '{}'));
+
+      const sender = EventSender(platform, envId, options);
+      const event = { kind: 'identify', key: 'userKey' };
+      const responseInfo = await sender.sendEvents([event], server.url);
+
+      expect(responseInfo.serverTime).toEqual(1445412480000);
+    });
+  });
+
   describe('When HTTP requests are not available at all', () => {
     it('should silently discard events', async () => {
       const server = platform.testing.http.newServer();

package/src/__tests__/EventSummarizer-test.js

@@ -99,7 +99,10 @@ describe('EventSummarizer', () => {
       key1: {
         contextKinds: ['user'],
         default: 111,
-        counters: [{ variation: 0, value: 100, version: 11, count: 1 }, { value: 111, version: 11, count: 2 }],
+        counters: [
+          { variation: 0, value: 100, version: 11, count: 1 },
+          { value: 111, version: 11, count: 2 },
+        ],
       },
     };
     expect(data.features).toEqual(expectedFeatures);