feat: adds authorization handler

Author: rkodev

packages/abstractions/src/authentication/baseBearerTokenAuthenticationProvider.ts

@@ -26,7 +26,7 @@ export class BaseBearerTokenAuthenticationProvider implements AuthenticationProv
 			request.headers.delete(BaseBearerTokenAuthenticationProvider.authorizationHeaderKey);
 		}
 		if (!request.headers?.has(BaseBearerTokenAuthenticationProvider.authorizationHeaderKey)) {
-			const token = await this.accessTokenProvider.getAuthorizationToken(request.URL, additionalAuthenticationContext);
+			const token = await this.getAccessToken(request.URL, additionalAuthenticationContext);
 			if (!request.headers) {
 				request.headers = new Headers();
 			}
@@ -35,4 +35,8 @@ export class BaseBearerTokenAuthenticationProvider implements AuthenticationProv
 			}
 		}
 	};
+
+	public getAccessToken = async (url?: string, additionalAuthenticationContext?: Record<string, unknown>): Promise<string> => {
+		return await this.accessTokenProvider.getAuthorizationToken(url, additionalAuthenticationContext);
+	};
 }

packages/http/fetch/src/middlewares/authorizationHandler.ts

@@ -0,0 +1,109 @@
+/**
+ * -------------------------------------------------------------------------------------------
+ * Copyright (c) Microsoft Corporation.  All Rights Reserved.  Licensed under the MIT License.
+ * See License in the project root for license information.
+ * -------------------------------------------------------------------------------------------
+ */
+
+import { type RequestOption } from "@microsoft/kiota-abstractions";
+import { Span, trace } from "@opentelemetry/api";
+
+import { getObservabilityOptionsFromRequest } from "../observabilityOptions";
+import type { Middleware } from "./middleware";
+import type { FetchRequestInit } from "../utils/fetchDefinitions";
+import { getRequestHeader, setRequestHeader } from "../utils/headersUtil";
+import { BaseBearerTokenAuthenticationProvider } from "@microsoft/kiota-abstractions/src";
+
+export class AuthorizationHandler implements Middleware {
+	next: Middleware | undefined;
+
+	/**
+	 * A member holding the name of content range header
+	 */
+	private static readonly AUTHORIZATION_HEADER = "Authorization";
+
+	public constructor(private readonly authenticationProvider: BaseBearerTokenAuthenticationProvider) {
+		if (!authenticationProvider) {
+			throw new Error("authenticationProvider cannot be undefined");
+		}
+	}
+
+	public execute(url: string, requestInit: RequestInit, requestOptions?: Record<string, RequestOption>): Promise<Response> {
+		const obsOptions = getObservabilityOptionsFromRequest(requestOptions);
+		if (obsOptions) {
+			return trace.getTracer(obsOptions.getTracerInstrumentationName()).startActiveSpan("authorizationHandler - execute", (span) => {
+				try {
+					span.setAttribute("com.microsoft.kiota.handler.authorization.enable", true);
+					return this.executeInternal(url, requestInit as FetchRequestInit, requestOptions, span);
+				} finally {
+					span.end();
+				}
+			});
+		}
+		return this.executeInternal(url, requestInit as FetchRequestInit, requestOptions, undefined);
+	}
+
+	private async executeInternal(url: string, fetchRequestInit: FetchRequestInit, requestOptions?: Record<string, RequestOption>, span?: Span): Promise<Response> {
+		if (this.authorizationIsPresent(fetchRequestInit)) {
+			span?.setAttribute("com.microsoft.kiota.handler.authorization.token_present", true);
+			return await this.next!.execute(url, fetchRequestInit as RequestInit, requestOptions);
+		}
+
+		const token = await this.authenticateRequest(url);
+		setRequestHeader(fetchRequestInit, AuthorizationHandler.AUTHORIZATION_HEADER, `Bearer ${token}`);
+		const response = await this.next?.execute(url, fetchRequestInit as RequestInit, requestOptions);
+		if (!response) {
+			throw new Error("Response is undefined");
+		}
+		if (response.status !== 401) {
+			return response;
+		}
+		const claims = this.getClaimsFromResponse(response);
+		if (!claims) {
+			return response;
+		}
+		span?.addEvent("com.microsoft.kiota.handler.authorization.challenge_received");
+		const claimsToken = await this.authenticateRequest(url, claims);
+		setRequestHeader(fetchRequestInit, AuthorizationHandler.AUTHORIZATION_HEADER, `Bearer ${claimsToken}`);
+		span?.setAttribute("http.request.resend_count", 1);
+		const retryResponse = await this.next?.execute(url, fetchRequestInit as RequestInit, requestOptions);
+		if (!retryResponse) {
+			throw new Error("Response is undefined");
+		}
+		return retryResponse;
+	}
+
+	private authorizationIsPresent(request: FetchRequestInit | undefined): boolean {
+		if (!request) {
+			return false;
+		}
+		const authorizationHeader = getRequestHeader(request, AuthorizationHandler.AUTHORIZATION_HEADER);
+		return authorizationHeader !== undefined && authorizationHeader !== null;
+	}
+
+	private async authenticateRequest(url: string, claims?: string): Promise<string> {
+		const additionalAuthenticationContext = {} as Record<string, unknown>;
+		if (claims) {
+			additionalAuthenticationContext.claims = claims;
+		}
+		return await this.authenticationProvider.getAccessToken(url, additionalAuthenticationContext);
+	}
+
+	private readonly getClaimsFromResponse = (response: Response, claims?: string) => {
+		if (response.status === 401 && !claims) {
+			// avoid infinite loop, we only retry once
+			// no need to check for the content since it's an array and it doesn't need to be rewound
+			const rawAuthenticateHeader = response.headers.get("WWW-Authenticate");
+			if (rawAuthenticateHeader && /^Bearer /gi.test(rawAuthenticateHeader)) {
+				const rawParameters = rawAuthenticateHeader.replace(/^Bearer /gi, "").split(",");
+				for (const rawParameter of rawParameters) {
+					const trimmedParameter = rawParameter.trim();
+					if (/claims="[^"]+"/gi.test(trimmedParameter)) {
+						return trimmedParameter.replace(/claims="([^"]+)"/gi, "$1");
+					}
+				}
+			}
+		}
+		return undefined;
+	};
+}

packages/http/fetch/test/common/middleware/authorizationHandler.ts

@@ -0,0 +1,44 @@
+import { beforeEach, describe, expect, it } from "vitest";
+import { AuthorizationHandler } from "../../../src/middlewares/authorizationHandler";
+import { DummyFetchHandler } from "./dummyFetchHandler";
+import { AccessTokenProvider, AllowedHostsValidator } from "@microsoft/kiota-abstractions/src";
+
+describe("AuthorizationHandler", () => {
+	let authorizationHandler: AuthorizationHandler;
+	let nextMiddleware: DummyFetchHandler;
+
+	beforeEach(() => {
+		nextMiddleware = new DummyFetchHandler();
+		const validator = new AllowedHostsValidator();
+		const tokenProvider: AccessTokenProvider = {
+			getAuthorizationToken: async () => "New Token",
+			getAllowedHostsValidator: () => validator,
+		};
+		authorizationHandler = new AuthorizationHandler(tokenProvider);
+		authorizationHandler.next = nextMiddleware;
+	});
+
+	it("should not add a header if authorization header exists", async () => {
+		const url = "https://example.com";
+		const requestInit = {
+			headers: {
+				Authorization: "Bearer Existing Token",
+			},
+		};
+		nextMiddleware.setResponses([new Response("ok", { status: 200 })]);
+
+		await authorizationHandler.execute(url, requestInit);
+
+		expect((requestInit.headers as Record<string, string>)["Authorization"]).toBe("Bearer Existing Token");
+	});
+
+	it("should attempt to authenticate when the header does not exist", async () => {
+		const url = "https://example.com";
+		const requestInit = { headers: {} };
+		nextMiddleware.setResponses([new Response("ok", { status: 200 })]);
+
+		await authorizationHandler.execute(url, requestInit);
+
+		expect((requestInit.headers as Record<string, string>)["Authorization"]).toBe("Bearer New Token");
+	});
+});