mirror of
https://github.com/DSpace/dspace-angular.git
synced 2025-10-07 01:54:15 +00:00
196 lines
7.7 KiB
TypeScript
196 lines
7.7 KiB
TypeScript
import {Observable, of as observableOf, throwError as observableThrowError} from 'rxjs';
|
|
|
|
import {catchError, filter, map} from 'rxjs/operators';
|
|
import {Injectable, Injector} from '@angular/core';
|
|
import {
|
|
HttpErrorResponse,
|
|
HttpEvent,
|
|
HttpHandler, HttpHeaders,
|
|
HttpInterceptor,
|
|
HttpRequest,
|
|
HttpResponse,
|
|
HttpResponseBase
|
|
} from '@angular/common/http';
|
|
import {find} from 'lodash';
|
|
|
|
import {AppState} from '../../app.reducer';
|
|
import {AuthService} from './auth.service';
|
|
import {AuthStatus} from './models/auth-status.model';
|
|
import {AuthTokenInfo} from './models/auth-token-info.model';
|
|
import {isNotEmpty, isUndefined, isNotNull} from '../../shared/empty.util';
|
|
import {RedirectWhenTokenExpiredAction, RefreshTokenAction} from './auth.actions';
|
|
import {Store} from '@ngrx/store';
|
|
import {Router} from '@angular/router';
|
|
import {AuthError} from './models/auth-error.model';
|
|
|
|
@Injectable()
|
|
export class AuthInterceptor implements HttpInterceptor {
|
|
|
|
// Intercetor is called twice per request,
|
|
// so to prevent RefreshTokenAction is dispatched twice
|
|
// we're creating a refresh token request list
|
|
protected refreshTokenRequestUrls = [];
|
|
|
|
constructor(private inj: Injector, private router: Router, private store: Store<AppState>) {
|
|
}
|
|
|
|
private is405AuthResponse(response: HttpResponseBase): boolean {
|
|
return response.status === 405;
|
|
}
|
|
|
|
private is302Response(response: HttpResponseBase): boolean {
|
|
return response.status === 302;
|
|
}
|
|
|
|
private isUnauthorized(response: HttpResponseBase): boolean {
|
|
// invalid_token The access token provided is expired, revoked, malformed, or invalid for other reasons
|
|
return response.status === 401;
|
|
}
|
|
|
|
private isSuccess(response: HttpResponseBase): boolean {
|
|
return (response.status === 200 || response.status === 204);
|
|
}
|
|
|
|
private isAuthRequest(http: HttpRequest<any> | HttpResponseBase): boolean {
|
|
return http && http.url
|
|
&& (http.url.endsWith('/authn/login')
|
|
|| http.url.endsWith('/authn/logout')
|
|
|| http.url.endsWith('/authn/status'));
|
|
}
|
|
|
|
private isLoginResponse(http: HttpRequest<any> | HttpResponseBase): boolean {
|
|
return http.url && http.url.endsWith('/authn/login');
|
|
}
|
|
|
|
private isLogoutResponse(http: HttpRequest<any> | HttpResponseBase): boolean {
|
|
return http.url && http.url.endsWith('/authn/logout');
|
|
}
|
|
|
|
private makeAuthStatusObject(authenticated: boolean, accessToken?: string, error?: string, location?: string): AuthStatus {
|
|
const authStatus = new AuthStatus();
|
|
authStatus.id = null;
|
|
authStatus.okay = true;
|
|
authStatus.ssoLoginUrl = location; // this line was added while developing shibboleth dev
|
|
if (authenticated) {
|
|
authStatus.authenticated = true;
|
|
authStatus.token = new AuthTokenInfo(accessToken);
|
|
} else {
|
|
authStatus.authenticated = false;
|
|
authStatus.error = isNotEmpty(error) ? ((typeof error === 'string') ? JSON.parse(error) : error) : null;
|
|
}
|
|
return authStatus;
|
|
}
|
|
|
|
private getSSOLocationfromHeader(header: HttpHeaders): string {
|
|
console.log('HEADER www-authenticate: ', header.get('www-authenticate'));
|
|
let location = '';
|
|
if (header.get('www-authenticate').startsWith('shibboleth realm')) {
|
|
const strings = header.get('www-authenticate').split(',');
|
|
location = strings[1];
|
|
location = location.replace('location=', '');
|
|
console.log('This should be the location: ', location);
|
|
return location = location.replace('"', '').trim();
|
|
}
|
|
return location;
|
|
}
|
|
|
|
intercept(req: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
|
|
|
|
const authService = this.inj.get(AuthService);
|
|
|
|
const token = authService.getToken();
|
|
let newReq;
|
|
|
|
console.log('intercept() request: ', req);
|
|
|
|
if (authService.isTokenExpired()) {
|
|
authService.setRedirectUrl(this.router.url);
|
|
// The access token is expired
|
|
// Redirect to the login route
|
|
this.store.dispatch(new RedirectWhenTokenExpiredAction('auth.messages.expired'));
|
|
return observableOf(null);
|
|
} else if (!this.isAuthRequest(req) && isNotEmpty(token)) {
|
|
// Intercept a request that is not to the authentication endpoint
|
|
authService.isTokenExpiring().pipe(
|
|
filter((isExpiring) => isExpiring))
|
|
.subscribe(() => {
|
|
// If the current request url is already in the refresh token request list, skip it
|
|
if (isUndefined(find(this.refreshTokenRequestUrls, req.url))) {
|
|
// When a token is about to expire, refresh it
|
|
this.store.dispatch(new RefreshTokenAction(token));
|
|
this.refreshTokenRequestUrls.push(req.url);
|
|
}
|
|
});
|
|
// Get the auth header from the service.
|
|
const Authorization = authService.buildAuthHeader(token);
|
|
// Clone the request to add the new header.
|
|
newReq = req.clone({headers: req.headers.set('authorization', Authorization)});
|
|
} else {
|
|
newReq = req;
|
|
}
|
|
|
|
// Pass on the new request instead of the original request.
|
|
return next.handle(newReq).pipe(
|
|
map((response) => {
|
|
// Intercept a Login/Logout response
|
|
if (response instanceof HttpResponse && this.isSuccess(response) && (this.isLoginResponse(response) || this.isLogoutResponse(response))) {
|
|
// It's a success Login/Logout response
|
|
let authRes: HttpResponse<any>;
|
|
if (this.isLoginResponse(response)) {
|
|
console.log('auth.interceptor passes success login response from backend with token: ', response.headers.get('authorization'));
|
|
// login successfully
|
|
const newToken = response.headers.get('authorization');
|
|
authRes = response.clone({body: this.makeAuthStatusObject(true, newToken)});
|
|
|
|
// clean eventually refresh Requests list
|
|
this.refreshTokenRequestUrls = [];
|
|
} else {
|
|
// logout successfully
|
|
authRes = response.clone({body: this.makeAuthStatusObject(false)});
|
|
}
|
|
return authRes;
|
|
} else {
|
|
return response;
|
|
}
|
|
}),
|
|
catchError((error, caught) => {
|
|
console.log('catchError operator in auth.interceptor was triggered');
|
|
// Intercept an error response
|
|
if (error instanceof HttpErrorResponse) {
|
|
|
|
// Check for 405
|
|
/* if (this.is405AuthResponse(error)) {
|
|
console.log('the caught error is a 405');
|
|
}*/
|
|
|
|
// Checks if is a response from a request to an authentication endpoint
|
|
if (this.isAuthRequest(error)) {
|
|
console.log('catchError isAuthRequest=true');
|
|
// clean eventually refresh Requests list
|
|
this.refreshTokenRequestUrls = [];
|
|
// console.log('error: ', error);
|
|
let location = '';
|
|
if (error.headers.get('www-authenticate') != null) {
|
|
location = this.getSSOLocationfromHeader(error.headers);
|
|
}
|
|
// Create a new HttpResponse and return it, so it can be handle properly by AuthService.
|
|
const authResponse = new HttpResponse({
|
|
body: this.makeAuthStatusObject(false, null, error.error, location),
|
|
headers: error.headers,
|
|
status: error.status,
|
|
statusText: error.statusText,
|
|
url: error.url
|
|
});
|
|
return observableOf(authResponse);
|
|
} else if (this.isUnauthorized(error) && isNotNull(token) && authService.isTokenExpired()) {
|
|
// The access token provided is expired, revoked, malformed, or invalid for other reasons
|
|
// Redirect to the login route
|
|
this.store.dispatch(new RedirectWhenTokenExpiredAction('auth.messages.expired'));
|
|
}
|
|
}
|
|
// Return error response as is.
|
|
return observableThrowError(error);
|
|
})) as any;
|
|
}
|
|
}
|