UNPKG

@itwin/itwins-client

Version:

iTwins client for the iTwin platform

github.com/iTwin/itwins-client

iTwin/itwins-client

427 lines 16.8 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
/** * Type guard to validate if an object is a valid Error structure * @param error - Unknown object to validate * @returns True if the object is a valid Error type */ function isValidError(error) { if (typeof error !== "object" || error === null) { return false; } const obj = error; return typeof obj.code === "string" && typeof obj.message === "string"; } /** * Type guard to validate if response data contains an error * @param data - Unknown response data to validate * @returns True if the data contains a valid Error object */ function isErrorResponse(data) { if (typeof data !== "object" || data === null) { return false; } const obj = data; return "error" in obj && isValidError(obj.error); } /** * Base client class providing common functionality for iTwins API requests. * Handles authentication, request configuration, and query string building, and error validation. */ export class BaseBentleyAPIClient { /** * The max redirects for iTwins API endpoints. * The max redirects can be customized via the constructor parameter or automatically * modified based on the IMJS_MAX_REDIRECTS environment variable. * * @readonly */ _maxRedirects = 5; /** * Creates a new BaseClient instance for API operations * @param maxRedirects - Optional custom max redirects, defaults to 5 * * @example * ```typescript * // Use default max redirects * const client = new BaseClient(); * * // Use custom max redirects * const client = new BaseClient(10); * ``` */ constructor(maxRedirects) { if (maxRedirects !== undefined) { this._maxRedirects = maxRedirects; } else { this._maxRedirects = globalThis.IMJS_MAX_REDIRECTS ?? 5; } } /** * Sends a generic API request with type safety and response validation. * Handles authentication, error responses, and data extraction automatically. * Error responses follow APIM standards for consistent error handling. * * @param accessToken - The client access token for authentication * @param method - The HTTP method type (GET, POST, DELETE, etc.) * @param url - The complete URL of the request endpoint * @param data - Optional payload data for the request body * @param headers - Optional additional request headers * @returns Promise that resolves to the parsed API response with type safety */ async sendGenericAPIRequest(accessToken, method, url, data, headers, allowRedirects = false) { try { const requestOptions = this.createRequestOptions(accessToken, method, url, data, headers); const response = await fetch(requestOptions.url, { method: requestOptions.method, headers: requestOptions.headers, body: requestOptions.body, redirect: 'manual', }); // Browser fetch returns an opaque redirect when redirect is set to manual if (response.type === "opaqueredirect") { if (!allowRedirects) { return { status: 403, error: { code: "RedirectsNotAllowed", message: "Redirects are not allowed for this request.", }, }; } return await this.followRedirectWithFetchFollow(requestOptions); } // Handle 302 redirects with auth header forwarding if (response.status === 302) { if (!allowRedirects) { return { status: 403, error: { code: "RedirectsNotAllowed", message: "Redirects are not allowed for this request.", }, }; } return await this.followRedirect(response, accessToken, method, data, headers); } // Process non-redirect response return await this.processResponse(response); } catch { return this.createInternalServerError(); } } /** * Follows redirects using the fetch default 'follow' behavior. * Used for environments where manual redirect returns opaque responses. * * @param requestOptions - The original request options * @returns Promise that resolves to the final API response */ async followRedirectWithFetchFollow(requestOptions) { try { const response = await fetch(requestOptions.url, { method: requestOptions.method, headers: requestOptions.headers, body: requestOptions.body, redirect: "follow", }); if (response.redirected) { try { this.validateRedirectUrlSecurity(response.url); } catch (error) { return { status: 502, error: { code: "InvalidRedirectUrl", message: error instanceof Error ? error.message : "Invalid redirect URL", }, }; } } return await this.processResponse(response); } catch { return this.createInternalServerError(); } } /** * Handles 302 redirect responses by validating and following the redirect. * * @param response - The 302 redirect response * @param accessToken - The client access token * @param method - The HTTP method * @param data - Optional request payload * @param headers - Optional request headers (will be forwarded to redirect) * @param redirectCount - Current redirect depth * @returns Promise that resolves to the final API response */ async followRedirect(response, accessToken, method, data, headers, redirectCount = 0) { // Verify redirect is valid and safe to follow const verificationResult = this.checkRedirectValidity(response, redirectCount); if (verificationResult.error) { return verificationResult.error; } const redirectUrl = verificationResult.redirectUrl; try { const requestOptions = this.createRequestOptions(accessToken, method, redirectUrl, data, headers); const redirectResponse = await fetch(requestOptions.url, { method: requestOptions.method, headers: requestOptions.headers, body: requestOptions.body, redirect: 'manual', }); // Handle subsequent 302 redirects if (redirectResponse.status === 302) { return await this.followRedirect(redirectResponse, accessToken, method, data, headers, redirectCount + 1); } // Process final response return await this.processResponse(redirectResponse); } catch { return this.createInternalServerError(); } } /** * Processes a non-redirect HTTP response. * * @param response - The HTTP response to process * @returns Promise that resolves to a typed API response */ async processResponse(response) { const responseData = response.status !== 204 ? await response.json() : undefined; if (!response.ok) { if (isErrorResponse(responseData)) { return { status: response.status, error: responseData.error, }; } throw new Error("An error occurred while processing the request"); } return { status: response.status, data: responseData === undefined || responseData === "" ? undefined : responseData, }; } /** * Creates a generic internal server error response. * * @returns A 500 error response for internal exceptions */ createInternalServerError() { return { status: 500, error: { code: "InternalServerError", message: "An internal exception happened while calling iTwins Service", }, }; } /** * Verifies that a redirect response is valid and safe to follow. * Performs three critical validations: * 1. Checks redirect count to prevent infinite loops * 2. Ensures Location header is present * 3. Validates redirect URL for security * * @param response - The 302 redirect response to verify * @param redirectCount - Current redirect depth * @returns Verification result with either error or validated redirect URL */ checkRedirectValidity(response, redirectCount) { // Check redirect limit to prevent infinite loops if (redirectCount >= this._maxRedirects) { return { error: { status: 508, error: { code: "TooManyRedirects", message: `Maximum redirect limit (${this._maxRedirects}) exceeded. Possible redirect loop detected.`, }, }, redirectUrl: "", }; } // Extract and validate redirect URL const redirectUrl = response.headers.get('location'); if (!redirectUrl) { return { error: { status: 502, error: { code: "InvalidRedirect", message: "302 redirect response missing Location header", }, }, redirectUrl: "", }; } // Validate redirect URL for security try { this.validateRedirectUrlSecurity(redirectUrl); } catch (error) { return { error: { status: 502, error: { code: "InvalidRedirectUrl", message: error instanceof Error ? error.message : "Invalid redirect URL", }, }, redirectUrl: "", }; } // All validations passed return { redirectUrl }; } /** * Validates that a redirect URL is secure and targets a trusted APIM Bentley domain. * * This method enforces security requirements for following HTTP redirects: * - URL must use HTTPS protocol (not HTTP) * - Domain must be a Bentley-owned domain (*api.bentley.com) * * @param url - The redirect URL to validate * @returns True if the URL is valid and safe to follow * @throws Error if the URL is invalid, uses HTTP, or targets an untrusted domain * * @remarks * This validation is critical for security when following 302 redirects in federated * architecture scenarios. It prevents redirect attacks that could leak authentication * credentials to malicious domains. * * @example * ```typescript * // Valid URLs * this.validateRedirectUrl("https://api.bentley.com/resource"); * // Invalid URLs (will throw) * this.validateRedirectUrl("https://evil-tuna.com/phishing/"); // Non-Bentley domain * this.validateRedirectUrl("https://bentley.com.evil.com/fake"); // Domain spoofing attempt * ``` */ validateRedirectUrlSecurity(url) { let parsedUrl; try { parsedUrl = new URL(url); } catch { throw new Error(`Invalid redirect URL: malformed URL "${url}"`); } // Require HTTPS protocol for security if (parsedUrl.protocol !== "https:") { throw new Error(`Invalid redirect URL: HTTPS required, but URL uses "${parsedUrl.protocol}" protocol. URL: ${url}`); } // Validate domain is a Bentley-owned domain (specific whitelist) const hostname = parsedUrl.hostname.toLowerCase(); const allowedDomains = [ "api.bentley.com", ]; const isBentleyDomain = allowedDomains.some(domain => hostname === domain || hostname.endsWith(`-${domain}`)); if (!isBentleyDomain) { throw new Error(`Invalid redirect URL: domain "${hostname}" is not a trusted Bentley domain. Only api.bentley.com and its subdomains are allowed.`); } return true; } /** * Creates request configuration options with authentication headers. * Validates required parameters and sets up proper content type for JSON requests. * * @param accessTokenString - The client access token string for authorization * @param method - The HTTP method type (GET, POST, DELETE, etc.) * @param url - The complete URL of the request endpoint * @param data - Optional payload data to be JSON stringified for the request body * @param headers - Optional additional request headers to include * @returns RequestConfig object with method, URL, body, and headers configured * @throws Will throw an error if access token or URL are missing/invalid */ createRequestOptions(accessTokenString, method, url, data, headers = {}) { if (!accessTokenString) { throw new Error("Access token is required"); } if (!url) { throw new Error("URL is required"); } let body; if (!(data instanceof Blob)) { body = JSON.stringify(data); } else { body = data; } return { method, url, body, headers: { ...headers, authorization: accessTokenString, "content-type": headers.contentType || headers["content-type"] ? headers.contentType || headers["content-type"] : "application/json", }, }; } /** * Builds a query string to be appended to a URL from query arguments * @param parameterMapping - Parameter mapping configuration that maps object properties to query parameter names * @param queryArg - Object containing queryable properties for filtering * @returns Query string with parameters applied, ready to append to a URL * * @example * ```typescript * const queryString = this.getQueryStringArg( * ITwinsAccess.ITWINS_QUERY_PARAM_MAPPING, * { * search: "Building A", * top: 10, * subClass: "Asset" * } * ); * // Returns: "$search=Building%20A&$top=10&subClass=Asset" * ``` */ getQueryStringArg(parameterMapping, queryArg) { if (!queryArg) return ""; const params = this.buildQueryParams(queryArg, parameterMapping); return params.join("&"); } /** * Helper method to build query parameter array from mapping. * Uses exhaustive parameter mapping to ensure type safety and prevent missing parameters. * Automatically handles URL encoding and filters out excluded parameters. * * @param queryArg - Object containing queryable properties * @param mapping - Parameter mapping configuration that maps object properties to query parameter names * @returns Array of formatted query parameter strings ready for URL construction * * @example * ```typescript * const params = this.buildQueryParams( * { search: "Building A", top: 10 }, * { search: "$search", top: "$top" } * ); * // Returns: ["$search=Building%20A", "$top=10"] * ``` */ buildQueryParams(queryArg, mapping) { const params = []; // Type assertion constrains paramKey to actual property names and mappedValue to the specific strings from the mapping // Narrows from set of all strings to only valid keys/values for (const [paramKey, mappedValue] of Object.entries(mapping)) { if (mappedValue === "") continue; const queryArgValue = queryArg[paramKey]; if (queryArgValue !== undefined && queryArgValue !== null) { const stringValue = String(queryArgValue); params.push(`${mappedValue}=${encodeURIComponent(stringValue)}`); } } return params; } } //# sourceMappingURL=BaseBentleyAPIClient.js.map