UNPKG

@azure/cosmos/dist-esm/src/auth.js

Version:

4.04 kBJavaScriptView Raw

1// Copyright (c) Microsoft Corporation.
2// Licensed under the MIT license.
3import { generateHeaders } from "./utils/headers";
4import { Constants, getResourceIdFromPath, ResourceType, trimSlashFromLeftAndRight, } from "./common";
5/**
* @hidden
*/
8export async function setAuthorizationHeader(clientOptions, verb, path, resourceId, resourceType, headers) {
  if (clientOptions.permissionFeed) {
      clientOptions.resourceTokens = {};
      for (const permission of clientOptions.permissionFeed) {
          const id = getResourceIdFromPath(permission.resource);
          if (!id) {
              throw new Error(`authorization error: ${id} \
                        is an invalid resourceId in permissionFeed`);
          }
          clientOptions.resourceTokens[id] = permission._token; // TODO: any
      }
  }
  if (clientOptions.key) {
      await setAuthorizationTokenHeaderUsingMasterKey(verb, resourceId, resourceType, headers, clientOptions.key);
  }
  else if (clientOptions.resourceTokens) {
      headers[Constants.HttpHeaders.Authorization] = encodeURIComponent(getAuthorizationTokenUsingResourceTokens(clientOptions.resourceTokens, path, resourceId));
  }
  else if (clientOptions.tokenProvider) {
      headers[Constants.HttpHeaders.Authorization] = encodeURIComponent(await clientOptions.tokenProvider({ verb, path, resourceId, resourceType, headers }));
  }
29}
30/**
* The default function for setting header token using the masterKey
* @hidden
*/
34export async function setAuthorizationTokenHeaderUsingMasterKey(verb, resourceId, resourceType, headers, masterKey) {
  // TODO This should live in cosmos-sign
  if (resourceType === ResourceType.offer) {
      resourceId = resourceId && resourceId.toLowerCase();
  }
  headers = Object.assign(headers, await generateHeaders(masterKey, verb, resourceType, resourceId));
40}
41/**
* @hidden
*/
44// TODO: Resource tokens
45export function getAuthorizationTokenUsingResourceTokens(resourceTokens, path, resourceId) {
  if (resourceTokens && Object.keys(resourceTokens).length > 0) {
      // For database account access(through getDatabaseAccount API), path and resourceId are "",
      // so in this case we return the first token to be used for creating the auth header as the
      // service will accept any token in this case
      if (!path && !resourceId) {
          return resourceTokens[Object.keys(resourceTokens)[0]];
      }
      // If we have exact resource token for the path use it
      if (resourceId && resourceTokens[resourceId]) {
          return resourceTokens[resourceId];
      }
      // minimum valid path /dbs
      if (!path || path.length < 4) {
          // TODO: This should throw an error
          return null;
      }
      path = trimSlashFromLeftAndRight(path);
      const pathSegments = (path && path.split("/")) || [];
      // Item path
      if (pathSegments.length === 6) {
          // Look for a container token matching the item path
          const containerPath = pathSegments.slice(0, 4).map(decodeURIComponent).join("/");
          if (resourceTokens[containerPath]) {
              return resourceTokens[containerPath];
          }
      }
      // TODO remove in v4: This is legacy behavior that lets someone use a resource token pointing ONLY at an ID
      // It was used when _rid was exposed by the SDK, but now that we are using user provided ids it is not needed
      // However removing it now would be a breaking change
      // if it's an incomplete path like /dbs/db1/colls/, start from the parent resource
      let index = pathSegments.length % 2 === 0 ? pathSegments.length - 1 : pathSegments.length - 2;
      for (; index > 0; index -= 2) {
          const id = decodeURI(pathSegments[index]);
          if (resourceTokens[id]) {
              return resourceTokens[id];
          }
      }
  }
  // TODO: This should throw an error
  return null;
86}
87//# sourceMappingURL=auth.js.map
\No newline at end of file

1	`// Copyright (c) Microsoft Corporation.`
2	`// Licensed under the MIT license.`
3	`import { generateHeaders } from "./utils/headers";`
4	`import { Constants, getResourceIdFromPath, ResourceType, trimSlashFromLeftAndRight, } from "./common";`
5	`/**`
6	`* @hidden`
7	`*/`
8	`export async function setAuthorizationHeader(clientOptions, verb, path, resourceId, resourceType, headers) {`
9	`if (clientOptions.permissionFeed) {`
10	`clientOptions.resourceTokens = {};`
11	`for (const permission of clientOptions.permissionFeed) {`
12	`const id = getResourceIdFromPath(permission.resource);`
13	`if (!id) {`
14	throw new Error(`authorization error: ${id} \
15	is an invalid resourceId in permissionFeed`);
16	`}`
17	`clientOptions.resourceTokens[id] = permission._token; // TODO: any`
18	`}`
19	`}`
20	`if (clientOptions.key) {`
21	`await setAuthorizationTokenHeaderUsingMasterKey(verb, resourceId, resourceType, headers, clientOptions.key);`
22	`}`
23	`else if (clientOptions.resourceTokens) {`
24	`headers[Constants.HttpHeaders.Authorization] = encodeURIComponent(getAuthorizationTokenUsingResourceTokens(clientOptions.resourceTokens, path, resourceId));`
25	`}`
26	`else if (clientOptions.tokenProvider) {`
27	`headers[Constants.HttpHeaders.Authorization] = encodeURIComponent(await clientOptions.tokenProvider({ verb, path, resourceId, resourceType, headers }));`
28	`}`
29	`}`
30	`/**`
31	`* The default function for setting header token using the masterKey`
32	`* @hidden`
33	`*/`
34	`export async function setAuthorizationTokenHeaderUsingMasterKey(verb, resourceId, resourceType, headers, masterKey) {`
35	`// TODO This should live in cosmos-sign`
36	`if (resourceType === ResourceType.offer) {`
37	`resourceId = resourceId && resourceId.toLowerCase();`
38	`}`
39	`headers = Object.assign(headers, await generateHeaders(masterKey, verb, resourceType, resourceId));`
40	`}`
41	`/**`
42	`* @hidden`
43	`*/`
44	`// TODO: Resource tokens`
45	`export function getAuthorizationTokenUsingResourceTokens(resourceTokens, path, resourceId) {`
46	`if (resourceTokens && Object.keys(resourceTokens).length > 0) {`
47	`// For database account access(through getDatabaseAccount API), path and resourceId are "",`
48	`// so in this case we return the first token to be used for creating the auth header as the`
49	`// service will accept any token in this case`
50	`if (!path && !resourceId) {`
51	`return resourceTokens[Object.keys(resourceTokens)[0]];`
52	`}`
53	`// If we have exact resource token for the path use it`
54	`if (resourceId && resourceTokens[resourceId]) {`
55	`return resourceTokens[resourceId];`
56	`}`
57	`// minimum valid path /dbs`
58	`if (!path \|\| path.length < 4) {`
59	`// TODO: This should throw an error`
60	`return null;`
61	`}`
62	`path = trimSlashFromLeftAndRight(path);`
63	`const pathSegments = (path && path.split("/")) \|\| [];`
64	`// Item path`
65	`if (pathSegments.length === 6) {`
66	`// Look for a container token matching the item path`
67	`const containerPath = pathSegments.slice(0, 4).map(decodeURIComponent).join("/");`
68	`if (resourceTokens[containerPath]) {`
69	`return resourceTokens[containerPath];`
70	`}`
71	`}`
72	`// TODO remove in v4: This is legacy behavior that lets someone use a resource token pointing ONLY at an ID`
73	`// It was used when _rid was exposed by the SDK, but now that we are using user provided ids it is not needed`
74	`// However removing it now would be a breaking change`
75	`// if it's an incomplete path like /dbs/db1/colls/, start from the parent resource`
76	`let index = pathSegments.length % 2 === 0 ? pathSegments.length - 1 : pathSegments.length - 2;`
77	`for (; index > 0; index -= 2) {`
78	`const id = decodeURI(pathSegments[index]);`
79	`if (resourceTokens[id]) {`
80	`return resourceTokens[id];`
81	`}`
82	`}`
83	`}`
84	`// TODO: This should throw an error`
85	`return null;`
86	`}`
87	`//# sourceMappingURL=auth.js.map`
\	No newline at end of file