feat: adds authorization handler

Author: rkodev

packages/http/fetch/src/middlewares/authorizationHandler.ts

@@ -0,0 +1,139 @@
+/**
+ * -------------------------------------------------------------------------------------------
+ * Copyright (c) Microsoft Corporation.  All Rights Reserved.  Licensed under the MIT License.
+ * See License in the project root for license information.
+ * -------------------------------------------------------------------------------------------
+ */
+
+import { type RequestOption } from "@microsoft/kiota-abstractions";
+import { Span, trace } from "@opentelemetry/api";
+
+import { getObservabilityOptionsFromRequest } from "../observabilityOptions";
+import type { Middleware } from "./middleware";
+import type { FetchHeadersInit, FetchRequestInit } from "../utils/fetchDefinitions";
+import { getRequestHeader, setRequestHeader } from "../utils/headersUtil";
+import { BaseBearerTokenAuthenticationProvider, Headers, RequestInformation } from "@microsoft/kiota-abstractions/src";
+
+export class AuthorizationHandler implements Middleware {
+	next: Middleware | undefined;
+
+	/**
+	 * A member holding the name of content range header
+	 */
+	private static readonly AUTHORIZATION_HEADER = "Authorization";
+
+	public constructor(private readonly authenticationProvider: BaseBearerTokenAuthenticationProvider) {
+		if (!authenticationProvider) {
+			throw new Error("authenticationProvider cannot be undefined");
+		}
+	}
+
+	public execute(url: string, requestInit: RequestInit, requestOptions?: Record<string, RequestOption>): Promise<Response> {
+		const obsOptions = getObservabilityOptionsFromRequest(requestOptions);
+		if (obsOptions) {
+			return trace.getTracer(obsOptions.getTracerInstrumentationName()).startActiveSpan("authorizationHandler - execute", (span) => {
+				try {
+					span.setAttribute("com.microsoft.kiota.handler.authorization.enable", true);
+					return this.executeInternal(url, requestInit as FetchRequestInit, requestOptions, span);
+				} finally {
+					span.end();
+				}
+			});
+		}
+		return this.executeInternal(url, requestInit as FetchRequestInit, requestOptions, undefined);
+	}
+
+	private async executeInternal(url: string, fetchRequestInit: FetchRequestInit, requestOptions?: Record<string, RequestOption>, span?: Span): Promise<Response> {
+		if (this.authorizationIsPresent(fetchRequestInit)) {
+			span?.setAttribute("com.microsoft.kiota.handler.authorization.token_present", true);
+			return await this.next!.execute(url, fetchRequestInit as RequestInit, requestOptions);
+		}
+
+		const requestInformation = new RequestInformation();
+		requestInformation.URL = url;
+		requestInformation.headers = new Headers();
+		if (fetchRequestInit.headers !== undefined) {
+			const headers = fetchRequestInit.headers as Record<string, string>;
+			for (const key of Object.keys(headers)) {
+				const value = headers[key];
+				requestInformation.headers.add(key, value);
+			}
+		}
+
+		// add all the headers to fetchRequestInit
+		if (!fetchRequestInit.headers) {
+			fetchRequestInit.headers = {};
+		}
+
+		await this.authenticateRequest(requestInformation);
+		this.setAuthorizationHeaderFromRequestInformation(fetchRequestInit, requestInformation);
+		const response = await this.next?.execute(url, fetchRequestInit as RequestInit, requestOptions);
+		if (!response) {
+			throw new Error("Response is undefined");
+		}
+		if (response.status !== 401) {
+			return response;
+		}
+		const claims = this.getClaimsFromResponse(response);
+		if (!claims) {
+			return response;
+		}
+		span?.addEvent("com.microsoft.kiota.handler.authorization.challenge_received");
+		await this.authenticateRequest(requestInformation, claims);
+		this.setAuthorizationHeaderFromRequestInformation(fetchRequestInit, requestInformation);
+		span?.setAttribute("http.request.resend_count", 1);
+		const retryResponse = await this.next?.execute(url, fetchRequestInit as RequestInit, requestOptions);
+		if (!retryResponse) {
+			throw new Error("Response is undefined");
+		}
+		return retryResponse;
+	}
+
+	private setAuthorizationHeaderFromRequestInformation(fetchRequestInit: FetchRequestInit, requestInformation: RequestInformation) {
+		// get header from requestInformation
+		let headerVal: string | undefined;
+		if (requestInformation.headers) {
+			const headerSet = requestInformation.headers.get(AuthorizationHandler.AUTHORIZATION_HEADER);
+			if (headerSet && headerSet.size > 0) {
+				headerVal = headerSet.values().next().value;
+			}
+		}
+		if (headerVal) {
+			setRequestHeader(fetchRequestInit, AuthorizationHandler.AUTHORIZATION_HEADER, headerVal);
+		}
+	}
+
+	private authorizationIsPresent(request: FetchRequestInit | undefined): boolean {
+		if (!request) {
+			return false;
+		}
+		const authorizationHeader = getRequestHeader(request, AuthorizationHandler.AUTHORIZATION_HEADER);
+		return authorizationHeader !== undefined && authorizationHeader !== null;
+	}
+
+	private async authenticateRequest(request: RequestInformation, claims?: string): Promise<void> {
+		const additionalAuthenticationContext = {} as Record<string, unknown>;
+		if (claims) {
+			additionalAuthenticationContext.claims = claims;
+		}
+		await this.authenticationProvider.authenticateRequest(request, additionalAuthenticationContext);
+	}
+
+	private readonly getClaimsFromResponse = (response: Response, claims?: string) => {
+		if (response.status === 401 && !claims) {
+			// avoid infinite loop, we only retry once
+			// no need to check for the content since it's an array and it doesn't need to be rewound
+			const rawAuthenticateHeader = response.headers.get("WWW-Authenticate");
+			if (rawAuthenticateHeader && /^Bearer /gi.test(rawAuthenticateHeader)) {
+				const rawParameters = rawAuthenticateHeader.replace(/^Bearer /gi, "").split(",");
+				for (const rawParameter of rawParameters) {
+					const trimmedParameter = rawParameter.trim();
+					if (/claims="[^"]+"/gi.test(trimmedParameter)) {
+						return trimmedParameter.replace(/claims="([^"]+)"/gi, "$1");
+					}
+				}
+			}
+		}
+		return undefined;
+	};
+}

packages/http/fetch/test/common/middleware/authorizationHandler.ts

@@ -0,0 +1,46 @@
+import { beforeEach, describe, expect, it } from "vitest";
+import { AuthorizationHandler } from "../../../src/middlewares/authorizationHandler";
+import { DummyFetchHandler } from "./dummyFetchHandler";
+import { AccessTokenProvider, AllowedHostsValidator, BaseBearerTokenAuthenticationProvider } from "@microsoft/kiota-abstractions/src";
+import { CompressionHandler } from "../../../src";
+
+describe("AuthorizationHandler", () => {
+	let authorizationHandler: AuthorizationHandler;
+	let nextMiddleware: DummyFetchHandler;
+
+	beforeEach(() => {
+		nextMiddleware = new DummyFetchHandler();
+		const validator = new AllowedHostsValidator();
+		const tokenProvider: AccessTokenProvider = {
+			getAuthorizationToken: async () => "New Token",
+			getAllowedHostsValidator: () => validator,
+		};
+		const provider = new BaseBearerTokenAuthenticationProvider(tokenProvider);
+		authorizationHandler = new AuthorizationHandler(provider);
+		authorizationHandler.next = nextMiddleware;
+	});
+
+	it("should not add a header if authorization header exists", async () => {
+		const url = "https://example.com";
+		const requestInit = {
+			headers: {
+				Authorization: "Bearer Existing Token",
+			},
+		};
+		nextMiddleware.setResponses([new Response("ok", { status: 200 })]);
+
+		await authorizationHandler.execute(url, requestInit);
+
+		expect((requestInit.headers as Record<string, string>)["Authorization"]).toBe("Bearer Existing Token");
+	});
+
+	it("should attempt to authenticate when the header does not exist", async () => {
+		const url = "https://example.com";
+		const requestInit = { headers: {} };
+		nextMiddleware.setResponses([new Response("ok", { status: 200 })]);
+
+		await authorizationHandler.execute(url, requestInit);
+
+		expect((requestInit.headers as Record<string, string>)["Authorization"]).toBe("Bearer New Token");
+	});
+});