postman-runtime 7.30.0 → 7.31.0

package/lib/authorizer/auth-interface.js

@@ -8,10 +8,11 @@ var _ = require('lodash'),
  * @constructs AuthInterface
  * @param {RequestAuth} auth -
  * @param {Object} protocolProfileBehavior - Protocol profile behaviors
+ * @param {Object} [options] - authorizer options
  * @return {AuthInterface}
  * @throws {Error}
  */
-createAuthInterface = function (auth, protocolProfileBehavior) {
+createAuthInterface = function (auth, protocolProfileBehavior, options) {
     if (!(auth && auth.parameters && auth.parameters())) {
         throw new Error('runtime~createAuthInterface: invalid auth');
     }
@@ -34,12 +35,25 @@ createAuthInterface = function (auth, protocolProfileBehavior) {
             var paramVariable;
 
             if (_.isString(keys)) {
+                // This hacky handling here localizes the impact for refresh token in runtime, we want to avoid
+                // changing the auth handler interface in general and localizing this here allows us to refactor
+                // easily if we decide to move the oauth2 token generation flow into runtime
+                if (keys === 'refreshOAuth2Token') {
+                    return options && options.refreshOAuth2Token;
+                }
+
                 paramVariable = auth.parameters().one(keys);
 
                 return paramVariable && paramVariable.get();
             }
             if (_.isArray(keys)) {
                 return _.transform(keys, function (paramObject, key) {
+                    if (key === 'refreshOAuth2Token') {
+                        paramObject[key] = options && options.refreshOAuth2Token;
+
+                        return paramObject;
+                    }
+
                     paramVariable = auth.parameters().one(key);
                     paramVariable && (paramObject[key] = paramVariable.get());
 
@@ -53,13 +67,14 @@ createAuthInterface = function (auth, protocolProfileBehavior) {
         /**
          * @param {String|Object} key -
          * @param {*} [value] -
+         * @param {Boolean} [system] - Explicitly allow setting a param as a system param
          * @return {AuthInterface}
          * @example
          * set('foo', 'bar')
          * set({foo: 'bar', 'alpha': 'beta'})
          * @throws {Error}
          */
-        set: function (key, value) {
+        set: function (key, value, system) {
             var modifiedParams = {},
                 parameters;
 
@@ -77,6 +92,12 @@ createAuthInterface = function (auth, protocolProfileBehavior) {
             _.forEach(modifiedParams, function (value, key) {
                 var param = parameters.one(key);
 
+                // If we are updating a user param inside runtime, it is now a system param for this execution and
+                // should be marked as such
+                if (system) {
+                    param.system = true;
+                }
+
                 if (!param) {
                     return parameters.add({ key: key, value: value, system: true });
                 }

package/lib/authorizer/index.js

@@ -88,7 +88,8 @@ _.forEach({
     oauth2: require('./oauth2'),
     ntlm: require('./ntlm'),
     apikey: require('./apikey'),
-    edgegrid: require('./edgegrid')
+    edgegrid: require('./edgegrid'),
+    jwt: require('./jwt')
 }, AuthLoader.addHandler);
 
 /**

package/lib/authorizer/jwt.js

@@ -0,0 +1,251 @@
+const _ = require('lodash'),
+    jose = require('jose'),
+
+    // jwt key constants
+    BEARER_AUTH_PREFIX = 'Bearer',
+    QUERY_KEY = 'token',
+    AUTH_KEYS = {
+        ALGORITHM: 'algorithm',
+        HEADER: 'header',
+        HEADER_ALGORITHM: 'alg',
+        PAYLOAD: 'payload',
+        SECRET: 'secret',
+        IS_SECRET_BASE_64_ENCODED: 'isSecretBase64Encoded',
+        PRIVATE_KEY: 'privateKey',
+        ADD_TOKEN_TO: 'addTokenTo',
+        HEADER_PREFIX: 'headerPrefix',
+        QUERY_PARAM_KEY: 'queryParamKey'
+    },
+    ADD_TOKEN_TO_TARGETS = {
+        HEADER: 'header',
+        QUERY_PARAM: 'queryParam'
+    },
+    AUTHORIZATION = 'Authorization',
+    BASE64 = 'base64',
+    ASCII = 'ascii',
+    SPACE = ' ',
+
+    // HS Algorithms
+    HS_ALGORITHMS = {
+        HS256: 'HS256',
+        HS384: 'HS384',
+        HS512: 'HS512'
+    },
+
+    // algorithms supported
+    ALGORITHMS_SUPPORTED = {
+        ...HS_ALGORITHMS,
+        RS256: 'RS256',
+        RS384: 'RS384',
+        RS512: 'RS512',
+        PS256: 'PS256',
+        PS384: 'PS384',
+        PS512: 'PS512',
+        ES256: 'ES256',
+        ES384: 'ES384',
+        ES512: 'ES512'
+    };
+
+/**
+ * add the JWT Token to the request in auth header or query param
+ *
+ * @param {AuthInterface} auth - auth
+ * @param {Request} request - request
+ * @param {string} jwtToken - base64encoded jwt token
+ */
+function addTokenToRequest (auth, request, jwtToken) {
+    const addTokenTo = auth.get(AUTH_KEYS.ADD_TOKEN_TO) || ADD_TOKEN_TO_TARGETS.HEADER,
+        queryParamKey = auth.get(AUTH_KEYS.QUERY_PARAM_KEY) || QUERY_KEY,
+        headerPrefix = auth.get(AUTH_KEYS.HEADER_PREFIX) || BEARER_AUTH_PREFIX;
+
+    if (addTokenTo === ADD_TOKEN_TO_TARGETS.HEADER) {
+        request.removeHeader(AUTHORIZATION, { ignoreCase: true });
+
+        request.addHeader({
+            key: AUTHORIZATION,
+            value: headerPrefix + SPACE + jwtToken,
+            system: true
+        });
+    }
+    else if (addTokenTo === ADD_TOKEN_TO_TARGETS.QUERY_PARAM) {
+        request.url.query.remove(function (query) {
+            return query && query.key === queryParamKey;
+        });
+
+        request.url.query.add({
+            key: queryParamKey,
+            value: jwtToken,
+            system: true
+        });
+    }
+}
+
+/**
+ * Request auth payload structure
+ * request:{
+ *  auth:{
+ *   type:'jwt',
+ *   jwt:{
+ *    algorithm: <string>  - ALGORITHMS_SUPPORTED,
+ *    header:  <JSON string> | JSON Object
+ *    payload: <JSON string> | JSON Object
+ *    secret: <string>  - secret for HS algorithms
+ *    isSecretBase64Encoded: <boolean> - optional property used when <secret> for HS algorithms
+ *                                       is encoded in base64 format
+ *    privateKey: <string> - PEM format private key for RS, PS, ES algorithms
+ *    addTokenTo: <string> - possible values - header | queryParam,
+ *    headerPrefix: <string> - prefix added before jwt token in header - Default Bearer
+ *    queryParamKey: <string> - optional property added when <addTokenTo> set to [queryParam],
+ *   }
+ *  }
+ * }
+ */
+/**
+ * @implements {AuthHandlerInterface}
+ */
+module.exports = {
+    /**
+     * @property {AuthHandlerInterface~AuthManifest}
+     */
+    manifest: {
+        info: {
+            name: 'jwt',
+            version: '1.0.0'
+        },
+        updates: [
+            {
+                property: 'Authorization',
+                type: 'header'
+            },
+            {
+                property: '*',
+                type: 'url.param'
+            }
+        ]
+    },
+
+    /**
+     * Initializes an item (extracts parameters from intermediate requests if any, etc)
+     * before the actual authorization step
+     *
+     * @param {AuthInterface} auth -
+     * @param {Response} response -
+     * @param {AuthHandlerInterface~authInitHookCallback} done -
+     */
+    init: function (auth, response, done) {
+        done();
+    },
+
+    /**
+     * Checks the item, and fetches any parameters that are not already provided.
+     *
+     * @param {AuthInterface} auth -
+     * @param {AuthHandlerInterface~authPreHookCallback} done -
+     */
+    pre: function (auth, done) {
+        return done(null, true);
+    },
+
+    /**
+     * Verifies whether the auth succeeded
+     *
+     * @param {AuthInterface} auth -
+     * @param {Response} response -
+     * @param {AuthHandlerInterface~authPostHookCallback} done -
+     */
+    post: function (auth, response, done) {
+        done(null, true);
+    },
+
+    /**
+     * Signs the request
+     *
+     * @param {AuthInterface} auth -
+     * @param {Request} request -
+     * @param {AuthHandlerInterface~authSignHookCallback} done -
+     */
+    sign: function (auth, request, done) {
+        const algorithm = auth.get(AUTH_KEYS.ALGORITHM),
+            secret = auth.get(AUTH_KEYS.SECRET),
+            privateKey = auth.get(AUTH_KEYS.PRIVATE_KEY),
+            isHsAlgorithm = HS_ALGORITHMS[algorithm];
+
+        // bail out - invalid algorithm
+        if (!ALGORITHMS_SUPPORTED[algorithm]) {
+            return done(new Error('invalid algorithm'));
+        }
+
+        // bail out - secret not a valid string
+        if (isHsAlgorithm && (!secret || !_.isString(secret))) {
+            return done(new Error('Invalid secret key. Enter a valid key.'));
+        }
+
+        // bail out - private key not a valid string
+        if (!isHsAlgorithm && (!privateKey || !_.isString(privateKey))) {
+            return done(new Error('Invalid private key. Enter a valid key.'));
+        }
+
+        try {
+            const rawHeader = auth.get(AUTH_KEYS.HEADER),
+                rawPayload = auth.get(AUTH_KEYS.PAYLOAD);
+
+            let header = rawHeader,
+                payload = rawPayload;
+
+            if (typeof rawHeader === 'string') {
+                const trimmedHeader = rawHeader.trim();
+
+                header = trimmedHeader && JSON.parse(trimmedHeader);
+            }
+
+            // treat root level alg as source of truth.
+            // If header is not set, use empty object.
+            header = header ? { ...header, alg: algorithm } : { alg: algorithm };
+
+            if (typeof rawPayload === 'string') {
+                const trimmedPayload = rawPayload.trim();
+
+                payload = trimmedPayload ? JSON.parse(trimmedPayload) : {};
+            }
+
+            // HS Algorithms use secret for token generation
+            if (isHsAlgorithm) {
+                const isBase64 = auth.get(AUTH_KEYS.IS_SECRET_BASE_64_ENCODED),
+                    rawSecret = isBase64 ? Buffer.from(secret, BASE64).toString(ASCII) : secret;
+
+                new jose.SignJWT(payload)
+                    .setProtectedHeader(header)
+                    .sign(new TextEncoder().encode(rawSecret))
+                    .then((token) => {
+                        addTokenToRequest(auth, request, token);
+
+                        return done();
+                    })
+                    .catch((err) => {
+                        done(err);
+                    });
+            }
+
+            // RS,PS,ES Algorithms use private key for token generation
+            else {
+                jose.importPKCS8(privateKey, algorithm)
+                    .then((signKey) => {
+                        return new jose.SignJWT(payload)
+                            .setProtectedHeader(header)
+                            .sign(signKey);
+                    })
+                    .then((token) => {
+                        addTokenToRequest(auth, request, token);
+
+                        return done();
+                    })
+                    .catch((err) => {
+                        done(err);
+                    });
+            }
+        }
+        catch (err) {
+            done(err);
+        }
+    }
+};

package/lib/authorizer/oauth2.js

@@ -58,7 +58,19 @@ module.exports = {
      * @param {AuthHandlerInterface~authPreHookCallback} done -
      */
     pre: function (auth, done) {
-        done(null, Boolean(auth.get('accessToken')));
+        const id = auth.get('id'),
+            refreshOAuth2Token = auth.get('refreshOAuth2Token');
+
+        if (!(id && _.isFunction(refreshOAuth2Token))) {
+            return done(null, Boolean(auth.get('accessToken')));
+        }
+
+        refreshOAuth2Token(id, (_, accessToken) => {
+            accessToken && auth.set('accessToken', accessToken, true);
+
+            // fallback to existing token
+            done(null, Boolean(auth.get('accessToken')));
+        });
     },
 
     /**

package/lib/requester/browser/request.js

@@ -90,7 +90,7 @@ function forEachAsync (items, fn, cb) {
 // request
 //
 
-function request(originalRequest, options, onStart, callback) {
+function request(originalRequest, options, onStart, onData, callback) {
     var options_onResponse = options.onResponse; // Save this for later.
     var XHR = _.get(options, ['agents', options.url && options.url.protocol.slice(0, -1), 'agentClass']) || XMLHttpRequest;
 
@@ -115,6 +115,7 @@ function request(originalRequest, options, onStart, callback) {
         return callback(new Error("options.uri must be a string"));
 
     options.onStart = onStart
+    options.onData = onData // NOTE: not implemented
     options.callback = callback
     options.method = options.method || 'GET';
     options.headers = _.reduce(options.headers || {}, function (accumulator, value, key) {

package/lib/requester/request-wrapper.js

@@ -68,7 +68,7 @@ var _ = require('lodash'),
 // @todo trigger console warning (using callback) if not enabled.
 requests.enableNodeExtraCACerts();
 
-module.exports = function (request, options, onStart, callback) {
+module.exports = function (request, options, onStart, onData, callback) {
     var req = {};
 
     async.waterfall([
@@ -88,6 +88,9 @@ module.exports = function (request, options, onStart, callback) {
 
         // emit responseStart event
         request.on('response', onStart);
+
+        // emit responseData event
+        request.on('data', onData);
     });
 
     return req;

package/lib/requester/requester.js

@@ -6,8 +6,10 @@ var _ = require('lodash'),
     sdk = require('postman-collection'),
     requests = require('./request-wrapper'),
     dryRun = require('./dry-run'),
+    SSEProcessor = require('./sse-processor'),
 
     RESPONSE_START_EVENT_BASE = 'response.start.',
+    RESPONSE_DATA_EVENT_BASE = 'response.data.',
     RESPONSE_END_EVENT_BASE = 'response.end.',
 
     RESPONSE_START = 'responseStart',
@@ -138,6 +140,10 @@ class Requester extends EventEmitter {
         if (!_.isFinite(this.options.timeout)) {
             this.options.timeout = undefined;
         }
+
+        // Tracks server sent events
+        this.isSSEStream = false;
+        this.sseProcessor = null;
     }
 
     /**
@@ -299,6 +305,24 @@ class Requester extends EventEmitter {
                 };
             },
 
+            onData = function (data) {
+                const emit = (data) => {
+                    self.emit(RESPONSE_DATA_EVENT_BASE + id, data);
+                };
+
+                if (self.isSSEStream) {
+                    if (!self.sseProcessor) {
+                        self.sseProcessor = new SSEProcessor(emit);
+                    }
+
+                    self.sseProcessor.onData(data);
+                }
+                else {
+                    // TODO: Enable emit for regular HTTP requests
+                    // emit(data);
+                }
+            },
+
             /**
              * Helper function to trigger `responseStart` callback and
              * - transform postman-request response instance to SDK Response
@@ -337,6 +361,9 @@ class Requester extends EventEmitter {
                     header: responseHeaders
                 });
 
+                self.isSSEStream = String(sdkResponse.headers.get('content-type'))
+                    .toLowerCase() === 'text/event-stream';
+
                 // prepare history from request debug data
                 history = getExecutionHistory(_.get(response, 'request._debug'));
 
@@ -396,7 +423,7 @@ class Requester extends EventEmitter {
             return onEnd(new Error(ERROR_RESTRICTED_ADDRESS + hostname));
         }
 
-        return requests(request, requestOptions, onStart, function (err, res, resBody, debug) {
+        return requests(request, requestOptions, onStart, onData, function (err, res, resBody, debug) {
             // prepare history from request debug data
             var history = getExecutionHistory(debug),
                 responseTime,

package/lib/requester/sse-processor.js

@@ -0,0 +1,129 @@
+const bom = [239, 187, 191],
+    colon = 58,
+    lineFeed = 10,
+    carriageReturn = 13,
+
+    // Beyond 256KB we could not observe any gain in performance
+    maxBufferAheadAllocation = 1024 * 256;
+
+
+function hasBom (buf) {
+    return bom.every((charCode, index) => {
+        return buf[index] === charCode;
+    });
+}
+
+// Adapted from https://github.com/EventSource/eventsource
+class SSEStream {
+    constructor (emit) {
+        this.emit = emit;
+
+        this.buf = undefined;
+        this.newBuffer = undefined;
+        this.startingPos = 0;
+        this.startingFieldLength = -1;
+        this.newBufferSize = 0;
+        this.bytesUsed = 0;
+        this.discardTrailingNewline = false;
+
+        // Accumulates the event data util a new line is encountered
+        this.eventBuffer = undefined;
+    }
+
+    onData (chunk) {
+        if (!this.buf) {
+            this.buf = chunk;
+            if (hasBom(this.buf)) {
+                this.buf = this.buf.slice(bom.length);
+            }
+
+            this.bytesUsed = this.buf.length;
+        }
+        else {
+            if (chunk.length > this.buf.length - this.bytesUsed) {
+                this.newBufferSize = (this.buf.length * 2) + chunk.length;
+
+                if (this.newBufferSize > maxBufferAheadAllocation) {
+                    this.newBufferSize = this.buf.length + chunk.length + maxBufferAheadAllocation;
+                }
+
+                this.newBuffer = Buffer.alloc(this.newBufferSize);
+                this.buf.copy(this.newBuffer, 0, 0, this.bytesUsed);
+                this.buf = this.newBuffer;
+            }
+
+            chunk.copy(this.buf, this.bytesUsed);
+            this.bytesUsed += chunk.length;
+        }
+
+        let pos = 0,
+            length = this.bytesUsed;
+
+        while (pos < length) {
+            if (this.discardTrailingNewline) {
+                if (this.buf[pos] === lineFeed) {
+                    ++pos;
+                }
+
+                this.discardTrailingNewline = false;
+            }
+
+            let lineLength = -1,
+                fieldLength = this.startingFieldLength,
+                c;
+
+            for (let i = this.startingPos; lineLength < 0 && i < length; ++i) {
+                c = this.buf[i];
+
+                if (c === colon) {
+                    if (fieldLength < 0) {
+                        fieldLength = i - pos;
+                    }
+                }
+                else if (c === carriageReturn) {
+                    this.discardTrailingNewline = true;
+                    lineLength = i - pos;
+                }
+                else if (c === lineFeed) {
+                    lineLength = i - pos;
+                }
+            }
+
+            if (lineLength < 0) {
+                this.startingPos = length - pos;
+                this.startingFieldLength = fieldLength;
+                break;
+            }
+            else {
+                this.startingPos = 0;
+                this.startingFieldLength = -1;
+            }
+
+            // Dispatch event when a new line is encountered
+            if (lineLength === 0) {
+                this.eventBuffer = Buffer.from([...(this.eventBuffer || []), ...Buffer.from([lineFeed])]);
+
+                this.emit(this.eventBuffer);
+                this.eventBuffer = undefined;
+            }
+            else {
+                const bufToCopy = this.buf.slice(pos, pos + lineLength + 1);
+
+                this.eventBuffer = Buffer.from([...(this.eventBuffer || []), ...bufToCopy]);
+            }
+
+            pos += lineLength + 1;
+        }
+
+        if (pos === length) {
+            this.buf = undefined;
+            this.bytesUsed = 0;
+        }
+        else if (pos > 0) {
+            this.buf = this.buf.slice(pos, this.bytesUsed);
+            this.bytesUsed = this.buf.length;
+        }
+    }
+}
+
+module.exports = SSEStream;

package/lib/runner/extensions/event.command.js

@@ -6,7 +6,7 @@ var _ = require('lodash'),
     sdk = require('postman-collection'),
     sandbox = require('postman-sandbox'),
     serialisedError = require('serialised-error'),
-    ToughCookie = require('tough-cookie').Cookie,
+    ToughCookie = require('@postman/tough-cookie').Cookie,
 
     createItemContext = require('../create-item-context'),
 
@@ -328,9 +328,6 @@ module.exports = {
 
                         !Array.isArray(args) && (args = []);
 
-                        // set expected args length to make sure callback is always called
-                        args.length = cookieStore[fnName].length - 1;
-
                         // there's no way cookie store can identify the difference
                         // between regular and programmatic access. So, for now
                         // we check for programmatic access using the cookieJar

package/lib/runner/extensions/http-request.command.js

@@ -13,6 +13,7 @@ var _ = require('lodash'),
     RequesterPool = require('../../requester').RequesterPool,
 
     RESPONSE_START_EVENT_BASE = 'response.start.',
+    RESPONSE_DATA_EVENT_BASE = 'response.data.',
     RESPONSE_END_EVENT_BASE = 'response.end.';
 
 module.exports = {
@@ -25,7 +26,7 @@ module.exports = {
 
     // the http trigger is actually directly triggered by the requester
     // todo - figure out whether we should trigger it from here rather than the requester.
-    triggers: ['beforeRequest', 'request', 'responseStart', 'io'],
+    triggers: ['beforeRequest', 'request', 'responseStart', 'responseData', 'io'],
 
     process: {
         /**
@@ -148,6 +149,9 @@ module.exports = {
 
                     requester.on(RESPONSE_END_EVENT_BASE + requestId, self.triggers.io.bind(self.triggers));
 
+                    requester.on(RESPONSE_DATA_EVENT_BASE + requestId, function (data) {
+                        self.triggers.responseData(context.coords, data);
+                    });
                     // eslint-disable-next-line max-len
                     xhr = requester.request(requestId, item.request, context.protocolProfileBehavior, function (err, res, req, cookies, history) {
                         err = err || null;