rmorawski/standardnotes-app-web
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

chore: switch api to cookie based sessions - skip e2e (#2854)

Browse Source 
* chore: switch api to cookie based sessions - skip e2e

* chore: fix legacy http service to include api version in requests - skip e2e
This commit is contained in:
Karol Sójko
2024-03-05 09:25:53 +01:00
committed by GitHub
parent f3f5c63185
commit 1d0e8cfc7f
7 changed files with 42 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
packages/api/src/Domain/Api/ApiVersion.ts
View File

@@ -1,3 +1,4 @@
export enum ApiVersion { export enum ApiVersion {
v0 = '20200115', v0 = '20200115',
v1 = '20240226',
} }

4
packages/api/src/Domain/Client/Auth/AuthApiService.ts
View File

@@ -50,7 +50,7 @@ export class AuthApiService implements AuthApiServiceInterface {
try { try {
const response = await this.authServer.recoveryKeyParams({ const response = await this.authServer.recoveryKeyParams({
api_version: ApiVersion.v0, api_version: ApiVersion.v1,
code_challenge: dto.codeChallenge, code_challenge: dto.codeChallenge,
recovery_codes: dto.recoveryCodes, recovery_codes: dto.recoveryCodes,
username: dto.username, username: dto.username,
@@ -78,7 +78,7 @@ export class AuthApiService implements AuthApiServiceInterface {
try { try {
const response = await this.authServer.signInWithRecoveryCodes({ const response = await this.authServer.signInWithRecoveryCodes({
api_version: ApiVersion.v0, api_version: ApiVersion.v1,
code_verifier: dto.codeVerifier, code_verifier: dto.codeVerifier,
password: dto.password, password: dto.password,
recovery_codes: dto.recoveryCodes, recovery_codes: dto.recoveryCodes,

6
packages/api/src/Domain/Client/Subscription/SubscriptionApiService.ts
View File

@@ -36,7 +36,7 @@ export class SubscriptionApiService implements SubscriptionApiServiceInterface {
try { try {
const response = await this.subscriptionServer.listInvites({ const response = await this.subscriptionServer.listInvites({
[ApiEndpointParam.ApiVersion]: ApiVersion.v0, [ApiEndpointParam.ApiVersion]: ApiVersion.v1,
}) })
return response return response
@@ -56,7 +56,7 @@ export class SubscriptionApiService implements SubscriptionApiServiceInterface {
try { try {
const response = await this.subscriptionServer.cancelInvite({ const response = await this.subscriptionServer.cancelInvite({
[ApiEndpointParam.ApiVersion]: ApiVersion.v0, [ApiEndpointParam.ApiVersion]: ApiVersion.v1,
inviteUuid, inviteUuid,
}) })
@@ -77,7 +77,7 @@ export class SubscriptionApiService implements SubscriptionApiServiceInterface {
try { try {
const response = await this.subscriptionServer.invite({ const response = await this.subscriptionServer.invite({
[ApiEndpointParam.ApiVersion]: ApiVersion.v0, [ApiEndpointParam.ApiVersion]: ApiVersion.v1,
identifier: inviteeEmail, identifier: inviteeEmail,
}) })

4
packages/api/src/Domain/Client/User/UserApiService.ts
View File

@@ -72,7 +72,7 @@ export class UserApiService implements UserApiServiceInterface {
try { try {
const response = await this.userServer.register({ const response = await this.userServer.register({
[ApiEndpointParam.ApiVersion]: ApiVersion.v0, [ApiEndpointParam.ApiVersion]: ApiVersion.v1,
password: registerDTO.serverPassword, password: registerDTO.serverPassword,
email: registerDTO.email, email: registerDTO.email,
ephemeral: registerDTO.ephemeral, ephemeral: registerDTO.ephemeral,
@@ -92,7 +92,7 @@ export class UserApiService implements UserApiServiceInterface {
try { try {
const response = await this.userServer.update({ const response = await this.userServer.update({
[ApiEndpointParam.ApiVersion]: ApiVersion.v0, [ApiEndpointParam.ApiVersion]: ApiVersion.v1,
user_uuid: updateDTO.userUuid, user_uuid: updateDTO.userUuid,
}) })

17
packages/api/src/Domain/Http/HttpService.ts
View File

@@ -9,9 +9,11 @@ import {
HttpResponse, HttpResponse,
HttpResponseMeta, HttpResponseMeta,
isErrorResponse, isErrorResponse,
ApiEndpointParam,
} from '@standardnotes/responses' } from '@standardnotes/responses'
import { HttpServiceInterface } from './HttpServiceInterface' import { HttpServiceInterface } from './HttpServiceInterface'
import { ApiVersion } from '../Api'
import { Paths } from '../Server/Auth/Paths' import { Paths } from '../Server/Auth/Paths'
import { SessionRefreshResponseBody } from '../Response/Auth/SessionRefreshResponseBody' import { SessionRefreshResponseBody } from '../Response/Auth/SessionRefreshResponseBody'
import { FetchRequestHandler } from './FetchRequestHandler' import { FetchRequestHandler } from './FetchRequestHandler'
@@ -145,6 +147,10 @@ export class HttpService implements HttpServiceInterface {
await sleep(this.__latencySimulatorMs, true) await sleep(this.__latencySimulatorMs, true)
} }
httpRequest.params = httpRequest.params
? this.params(httpRequest.params as Record<string | number | symbol, unknown>)
: undefined
const isRefreshRequest = httpRequest.url === joinPaths(this.host, Paths.v1.refreshSession) const isRefreshRequest = httpRequest.url === joinPaths(this.host, Paths.v1.refreshSession)
if (this.inProgressRefreshSessionPromise && !isRefreshRequest) { if (this.inProgressRefreshSessionPromise && !isRefreshRequest) {
await this.inProgressRefreshSessionPromise await this.inProgressRefreshSessionPromise
@@ -236,4 +242,15 @@ export class HttpService implements HttpServiceInterface {
return true return true
} }
private params(inParams: Record<string | number | symbol, unknown>): HttpRequestParams {
const params = {
...inParams,
...{
[ApiEndpointParam.ApiVersion]: ApiVersion.v1,
},
}
return params
}
} }

2
packages/snjs/lib/Services/Api/ApiService.ts
View File

@@ -81,7 +81,7 @@ import { Strings } from '@Lib/Strings'
import { AnyFeatureDescription } from '@standardnotes/features' import { AnyFeatureDescription } from '@standardnotes/features'
/** Legacy api version field to be specified in params when calling v0 APIs. */ /** Legacy api version field to be specified in params when calling v0 APIs. */
const V0_API_VERSION = '20200115' const V0_API_VERSION = '20240226'
type InvalidSessionObserver = (revoked: boolean) => void type InvalidSessionObserver = (revoked: boolean) => void

21
packages/snjs/mocha/session.test.js
View File

@@ -96,8 +96,15 @@ describe('server session', function () {
// After the above sync request is completed, we obtain the session information. // After the above sync request is completed, we obtain the session information.
const sessionAfterSync = application.legacyApi.getSession() const sessionAfterSync = application.legacyApi.getSession()
expect(sessionBeforeSync.accessToken.value).to.not.equal(sessionAfterSync.accessToken.value) /**
expect(sessionBeforeSync.refreshToken.value).to.not.equal(sessionAfterSync.refreshToken.value) * Access token and refresh token values in the new API version (20240226) represent the session uuid.
* So they should stay the same as they were since we are operating on the same session.
*
* The actual token values are stored in cookies indexed by the session uuid and are not accessible to the client.
*/
expect(sessionBeforeSync.accessToken.value).to.equal(sessionAfterSync.accessToken.value)
expect(sessionBeforeSync.refreshToken.value).to.equal(sessionAfterSync.refreshToken.value)
expect(sessionBeforeSync.accessToken.expiresAt).to.be.lessThan(sessionAfterSync.accessToken.expiresAt) expect(sessionBeforeSync.accessToken.expiresAt).to.be.lessThan(sessionAfterSync.accessToken.expiresAt)
// New token should expire in the future. // New token should expire in the future.
expect(sessionAfterSync.accessToken.expiresAt).to.be.greaterThan(Date.now()) expect(sessionAfterSync.accessToken.expiresAt).to.be.greaterThan(Date.now())
@@ -397,8 +404,8 @@ describe('server session', function () {
const refreshSessionResponse = await application.legacyApi.refreshSession() const refreshSessionResponse = await application.legacyApi.refreshSession()
expect(refreshSessionResponse.status).to.equal(400) expect(refreshSessionResponse.status).to.equal(400)
expect(refreshSessionResponse.data.error.tag).to.equal('expired-refresh-token') expect(refreshSessionResponse.data.error.tag).to.equal('invalid-parameters')
expect(refreshSessionResponse.data.error.message).to.equal('The refresh token has expired.') expect(refreshSessionResponse.data.error.message).to.equal('The provided parameters are not valid.')
/* /*
The access token and refresh token should be expired up to this point. The access token and refresh token should be expired up to this point.
@@ -411,7 +418,11 @@ describe('server session', function () {
expect(syncResponse.data.error.message).to.equal('Invalid login credentials.') expect(syncResponse.data.error.message).to.equal('Invalid login credentials.')
}).timeout(Factory.TwentySecondTimeout) }).timeout(Factory.TwentySecondTimeout)
it('should fail when renewing a session with an invalid refresh token', async function () { /**
* This test is skipped due to the fact that tokens reside now in cookies and are not accessible to the client.
* Thus it is not possible to tamper with the refresh token.
*/
it.skip('should fail when renewing a session with an invalid refresh token', async function () {
await Factory.registerUserToApplication({ await Factory.registerUserToApplication({
application: application, application: application,
email: email, email: email,