feat: new UserSession tied to a non-federated ArcGIS Server instance

[jgravois]

the proposed tweak to UserSession would enable developers to build up a UI of their own for users to enter credentials and access secure content from unfederated instances of ArcGIS Server.

import { request } from "@esri/arcgis-rest-request";
import { UserSession } from "@esri/arcgis-rest-auth";

const authentication = new UserSession({
  username: "user1",
  password: "user1",
  server: "https://sampleserver6.arcgisonline.com/arcgis"
});

request('https://sampleserver6.arcgisonline.com/arcgis/rest/services/Wildfire_secure/MapServer', { authentication })
  .then(token)

AFFECTS PACKAGES:
@esri/arcgis-rest-auth

ISSUES CLOSED: #174

[coveralls]

Coverage decreased (-0.1%) to 99.862% when pulling 56d5a24 on f/non-federated into c1c9dd6 on master.

[tomwayson]

Thanks for taking this on @jgravois!

The API you propose makes sense to me, as does the idea of piggy-backing on trusted servers.

My main suggestions is to add more comments to 'splain this so we don't forget later what this is all about.

[tomwayson]

I think I know why you're doing this, but probably a good idea to leave a comment here.

[tomwayson]

Do we always want to send client=referer? Do we need to add that to above call to generateToken() too?

[jgravois]

it was only necessary in the case that i tweaked, but there's no harm in being consistent.

[tomwayson]

Maybe add a comment here to 'splain what this case is?

[tomwayson]

Maybe just return Promise.resolve({ authInfo: response.authInfo });

[jgravois]

💡
👶

[tomwayson]

@jgravois

I believe we'd also need to make further changes if we wanted to support @dbouwman's idea

where the consuming app has the token (from a cookie, localstorage, some other auth flow managed by the app), but not the username/password?

Maybe set the token here?

#423 (diff)

[jgravois]

where the consuming app has the token (from a cookie, localstorage, some other auth flow managed by the app), but not the username/password?

i've added another small tweak to support the use case you mentioned. this is what needs to be provided to invoke it:

const authentication = new UserSession({
  server: "https://sampleserver6.arcgisonline.com/arcgis",
  token: "SOSlV3v1wOOSN75azMS..",
  tokenExpires: new Date(1545415669763)
});

to do:

• get @patrickarlt's blessing
• refactor the trusted server check to compare only root urls
• add a few more tests.

(i'll wait on the first to do the second and third)

[jgravois]

@patrickarlt given that you chimed in on #422 but not this PR i'll assume you aren't fundamentally opposed to providing a mechanism to support making requests to non-federated, authenticated services.

i know you're busy with https://developers.arcgis.com tasks so if i'm wrong even a quick "hold your horses, i haven't had time to look at this yet and i'd like to", sometime this week would be welcome.

[patrickarlt]

@jgravois I realized that you asked about this again ago but it all looks good to me. I figured at some point someone would ask for this, I just didn't want to do it.

[jgravois]

thanks @patrickarlt!

i've rebased and pushed up some more changes to ensure test coverage and tie up the remaining loose ends. i'm happy with this if @tomwayson is.

[codecov]

Codecov Report

Merging #423 into master will not change coverage.
The diff coverage is 100%.

@@          Coverage Diff          @@
##           master   #423   +/-   ##
=====================================
  Coverage     100%   100%           
=====================================
  Files          94     94           
  Lines        1192   1202   +10     
  Branches      210    216    +6     
=====================================
+ Hits         1192   1202   +10

Impacted Files	Coverage Δ
packages/arcgis-rest-auth/src/UserSession.ts	100% <100%> (ø)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update bbdac40...fc2f06b. Read the comment docs.