Merge pull request #20 from solid/cache-host-auth-proto

Cache host auth proto

Author: dan-f

src/api.js

@@ -37,7 +37,7 @@ const responseFromFirstSession = (storage: Storage, authFns: Array<() => Promise
   return authFns[0]()
     .then(session =>
       session
-        ? { session: saveSession(storage, session), fetch: authnFetch(storage) }
+        ? { session: saveSession(storage)(session), fetch: authnFetch(storage) }
         : responseFromFirstSession(storage, authFns.slice(1)))
     .catch(err => {
       console.error(err)

src/api.spec.js

@@ -7,6 +7,7 @@ import rsaPemToJwk from 'rsa-pem-to-jwk'
 import URLSearchParams from 'url-search-params'
 
 import { currentSession, fetch, login, logout } from './api'
+import { saveHost } from './hosts'
 import { getSession, saveSession } from './session'
 import { memStorage } from './storage'
 
@@ -203,8 +204,8 @@ describe('login', () => {
 
 describe('currentSession', () => {
   it('can find the current session if stored', () => {
-    saveSession(window.localStorage, {
-      type: 'WebID-OIDC',
+    saveSession(window.localStorage)({
+      authType: 'WebID-OIDC',
       idp: 'https://localhost',
       webId: 'https://person.me/#me',
       accessToken: 'fake_access_token',
@@ -291,7 +292,8 @@ describe('currentSession', () => {
 describe('logout', () => {
   describe('WebID-TLS', () => {
     it('just removes the current session from the store', () => {
-      saveSession(window.localStorage, {
+      saveSession(window.localStorage)({
+        authType: 'WebID-TLS',
         idp: 'https://localhost',
         webId: 'https://person.me/#me'
       })
@@ -374,8 +376,8 @@ describe('logout', () => {
 
 describe('fetch', () => {
   it('handles 401s from WebID-OIDC resources by resending with credentials', () => {
-    saveSession(window.localStorage, {
-      type: 'WebID-OIDC',
+    saveSession(window.localStorage)({
+      authType: 'WebID-OIDC',
       idp: 'https://localhost',
       webId: 'https://person.me/#me',
       accessToken: 'fake_access_token',
@@ -384,7 +386,7 @@ describe('fetch', () => {
 
     nock('https://third-party.com')
       .get('/protected-resource')
-      .reply(401, '', { 'www-authenticate': 'Bearer scope=openid' })
+      .reply(401, '', { 'www-authenticate': 'Bearer scope="openid webid"' })
       .get('/protected-resource')
       .matchHeader('authorization', 'Bearer abc.def.ghi')
       .reply(200)
@@ -396,8 +398,8 @@ describe('fetch', () => {
   })
 
   it('merges request headers with the authorization header', () => {
-    saveSession(window.localStorage, {
-      type: 'WebID-OIDC',
+    saveSession(window.localStorage)({
+      authType: 'WebID-OIDC',
       idp: 'https://localhost',
       webId: 'https://person.me/#me',
       accessToken: 'fake_access_token',
@@ -406,7 +408,7 @@ describe('fetch', () => {
 
     nock('https://third-party.com')
       .get('/private-resource')
-      .reply(401, '', { 'www-authenticate': 'Bearer scope=openid' })
+      .reply(401, '', { 'www-authenticate': 'Bearer scope="openid webid"' })
       .get('/private-resource')
       .matchHeader('accept', 'text/plain')
       .matchHeader('authorization', 'Bearer abc.def.ghi')
@@ -419,8 +421,8 @@ describe('fetch', () => {
   })
 
   it('does not resend with credentials if the www-authenticate header is missing', () => {
-    saveSession(window.localStorage, {
-      type: 'WebID-OIDC',
+    saveSession(window.localStorage)({
+      authType: 'WebID-OIDC',
       idp: 'https://localhost',
       webId: 'https://person.me/#me',
       accessToken: 'fake_access_token',
@@ -438,8 +440,8 @@ describe('fetch', () => {
   })
 
   it('does not resend with credentials if the www-authenticate header suggests an unknown scheme', () => {
-    saveSession(window.localStorage, {
-      type: 'WebID-OIDC',
+    saveSession(window.localStorage)({
+      authType: 'WebID-OIDC',
       idp: 'https://localhost',
       webId: 'https://person.me/#me',
       accessToken: 'fake_access_token',
@@ -459,7 +461,7 @@ describe('fetch', () => {
   it('does not resend with credentials if there is no session', () => {
     nock('https://third-party.com')
       .get('/protected-resource')
-      .reply(401, '', { 'www-authenticate': 'Bearer scope=openid' })
+      .reply(401, '', { 'www-authenticate': 'Bearer scope="openid webid"' })
 
     return fetch('https://third-party.com/protected-resource')
       .then(resp => {
@@ -481,4 +483,86 @@ describe('fetch', () => {
         expect(body).toEqual('public content')
       })
   })
+
+  it('does not resend with credentials if the requested resources uses plain OIDC', () => {
+    nock('https://third-party.com')
+      .get('/protected-resource')
+      .reply(401, '', { 'www-authenticate': 'Bearer scope="openid"' })
+
+    return fetch('https://third-party.com/protected-resource')
+      .then(resp => {
+        expect(resp.status).toBe(401)
+      })
+  })
+
+  describe('familiar domains with WebID-OIDC', () => {
+    it('just sends one request when the RP is also the IDP', () => {
+      saveSession(window.localStorage)({
+        authType: 'WebID-OIDC',
+        idp: 'https://localhost',
+        webId: 'https://person.me/#me',
+        accessToken: 'fake_access_token',
+        idToken: 'abc.def.ghi'
+      })
+
+      nock('https://localhost')
+        .get('/resource')
+        .matchHeader('authorization', 'Bearer abc.def.ghi')
+        .reply(200)
+
+      return fetch('https://localhost/resource')
+        .then(resp => {
+          expect(resp.status).toBe(200)
+        })
+    })
+
+    it('just sends one request to domains it has already encountered', () => {
+      saveSession(window.localStorage)({
+        authType: 'WebID-OIDC',
+        idp: 'https://localhost',
+        webId: 'https://person.me/#me',
+        accessToken: 'fake_access_token',
+        idToken: 'abc.def.ghi'
+      })
+
+      saveHost(window.localStorage)({
+        url: 'third-party.com',
+        authType: 'WebID-OIDC'
+      })
+
+      nock('https://third-party.com')
+        .get('/resource')
+        .matchHeader('authorization', 'Bearer abc.def.ghi')
+        .reply(200)
+
+      return fetch('https://third-party.com/resource')
+        .then(resp => {
+          expect(resp.status).toBe(200)
+        })
+    })
+
+    it('does not send credentials to a familiar domain when that domain uses a different auth type', () => {
+      saveSession(window.localStorage)({
+        authType: 'WebID-OIDC',
+        idp: 'https://localhost',
+        webId: 'https://person.me/#me',
+        accessToken: 'fake_access_token',
+        idToken: 'abc.def.ghi'
+      })
+
+      saveHost(window.localStorage)({
+        url: 'third-party.com',
+        authType: 'WebID-TLS'
+      })
+
+      nock('https://third-party.com')
+        .get('/resource')
+        .reply(401)
+
+      return fetch('https://third-party.com/resource')
+        .then(resp => {
+          expect(resp.status).toBe(401)
+        })
+    })
+  })
 })

src/authn-fetch.js

@@ -1,34 +1,46 @@
 // @flow
 /* global fetch, RequestInfo, Response */
 import 'isomorphic-fetch'
-import * as authorization from 'auth-header'
 
+import { getHost, updateHostFromResponse } from './hosts'
+import type { session } from './session'
 import { getSession } from './session'
 import type { Storage } from './storage'
+import * as WebIdOidc from './webid-oidc'
 
-export const authnFetch = (storage: Storage): (url: RequestInfo, options?: Object) => Promise<Response> =>
-  (url: RequestInfo, options?: Object) =>
-    fetch(url, options)
-      .then(resp => {
-        if (resp.status === 401 && requiresWebIdOidc(resp.headers.get('www-authenticate'))) {
-          const session = getSession(storage)
-          if (session && session.type === 'WebID-OIDC') {
-            const retryOptions = {
-              ...options,
-              headers: {
-                ...(options && options.headers ? options.headers : {}),
-                authorization: `Bearer ${session.idToken}`
-              }
-            }
-            return fetch(url, retryOptions)
-          }
+export const authnFetch = (storage: Storage) => (url: RequestInfo, options?: Object): Promise<Response> => {
+  const session = getSession(storage)
+  if (session && shouldShareCredentials(storage)(url)) {
+    return fetchWithCredentials(session, url, options)
+  }
+  return fetch(url, options)
+    .then((resp) => {
+      if (resp.status === 401) {
+        updateHostFromResponse(storage)(resp)
+        if (session && shouldShareCredentials(storage)(url)) {
+          return fetchWithCredentials(session, url, options)
         }
-        return resp
-      })
+      }
+      return resp
+    })
+}
+
+const shouldShareCredentials = (storage: Storage) => (url: RequestInfo): boolean => {
+  const session = getSession(storage)
+  if (!session) {
+    return false
+  }
+  const requestHost = getHost(storage)(url)
+  return requestHost != null &&
+    session.authType === requestHost.authType
+}
 
-const requiresWebIdOidc = (wwwAuthHeader: ?string): boolean => {
-  if (!wwwAuthHeader) { return false }
-  const auth = authorization.parse(wwwAuthHeader)
-  return (auth.scheme === 'Bearer') &&
-    auth.params && auth.params.scope === 'openid'
+const fetchWithCredentials = (session: session, url: RequestInfo, options?: Object): Promise<Response> => {
+  switch (session.authType) {
+    case 'WebID-OIDC':
+      return WebIdOidc.fetchWithCredentials(session)(url, options)
+    case 'WebID-TLS':
+    default:
+      return fetch(url, options)
+  }
 }

src/hosts.js

@@ -0,0 +1,62 @@
+// @flow
+/* global RequestInfo, Request, Response, URL */
+import { getSession } from './session'
+import type { Storage } from './storage'
+import { getData, updateStorage } from './storage'
+import type { Auth } from './types'
+import * as WebIdOidc from './webid-oidc'
+import * as WebIdTls from './webid-tls'
+
+export type host =
+  { authType: Auth
+  , url: string
+  }
+
+export const hostNameFromRequestInfo = (url: RequestInfo): string => {
+  const _url = url instanceof URL
+    ? url
+    : url instanceof Request
+      ? new URL(url.url)
+      : new URL(url)
+  return _url.host
+}
+
+export const getHost = (storage: Storage) => (url: RequestInfo): ?host => {
+  const requestHostName = hostNameFromRequestInfo(url)
+  const session = getSession(storage)
+  if (session && hostNameFromRequestInfo(session.idp) === requestHostName) {
+    return { url: requestHostName, authType: session.authType }
+  }
+  const { hosts } = getData(storage)
+  if (!hosts) {
+    return null
+  }
+  return hosts[requestHostName] || null
+}
+
+export const saveHost = (storage: Storage) => ({ url, authType }: host): host => {
+  updateStorage(storage, (data) => ({
+    ...data,
+    hosts: {
+      ...data.hosts,
+      [url]: { authType }
+    }
+  }))
+  return { url, authType }
+}
+
+export const updateHostFromResponse = (storage: Storage) => (resp: Response): void => {
+  let authType
+  if (WebIdOidc.requiresAuth(resp)) {
+    authType = 'WebID-OIDC'
+  } else if (WebIdTls.requiresAuth(resp)) {
+    authType = 'WebID-TLS'
+  } else {
+    authType = null
+  }
+
+  const hostName = hostNameFromRequestInfo(resp.url)
+  if (authType) {
+    saveHost(storage)({ url: hostName, authType })
+  }
+}

src/session.js

@@ -1,15 +1,17 @@
 // @flow
+
 import type { Storage } from './storage'
 import { getData, updateStorage } from './storage'
+import type { WebIdTls, WebIdOidc } from './types'
 
 export type webIdTlsSession =
-  { type: 'WebID-TLS'
+  { authType: WebIdTls
   , idp: string
   , webId: string
   }
 
 export type webIdOidcSession =
-  { type: 'WebID-OIDC'
+  { authType: WebIdOidc
   , idp: string
   , webId: string
   , accessToken: string
@@ -23,7 +25,7 @@ export type session =
 export const getSession = (storage: Storage): ?session =>
   getData(storage).session || null
 
-export const saveSession = (storage: Storage, session: session): session =>
+export const saveSession = (storage: Storage) => (session: session): session =>
   updateStorage(storage, data => ({ ...data, session })).session
 
 export const clearSession = (storage: Storage): void => {

src/types.js

@@ -0,0 +1,12 @@
+// @flow
+
+// Canonical auth protocol names
+export type WebIdOidc =
+  'WebID-OIDC'
+
+export type WebIdTls =
+  'WebID-TLS'
+
+export type Auth =
+  | WebIdOidc
+  | WebIdTls