Merge pull request #105 from sasjs/file-upload-csrf

fix(jes-job-execution): prevent file upload requests failing with invalid CSRF token
2025-12-11 09:24:35 +00:00 · 2020-09-23 08:04:18 +01:00
parent 33ce592379 95f3ebd51d
commit c1bab07b08
5 changed files with 53 additions and 19 deletions
--- a/PULL_REQUEST_TEMPLATE.md
+++ b/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,17 @@
+## Issue
+
+Link any related issue(s) in this section.
+
+## Intent
+
+What this PR intends to achieve.
+
+## Implementation
+
+What code changes have been made to achieve the intent.
+
+## Checks
+
+- [ ] Code is formatted correctly (`npm run lint:fix`).
+- [ ] All unit tests are passing (`npm test`).
+- [ ] All `sasjs-tests` are passing (instructions available [here](https://github.com/sasjs/adapter/blob/master/sasjs-tests/README.md)).
--- a/sasjs-tests/package-lock.json
+++ b/sasjs-tests/package-lock.json
@@ -1357,9 +1357,9 @@
      "integrity": "sha512-shAmDyaQC4H92APFoIaVDHCx5bStIocgvbwQyxPRrbUY20V1EYTbSDchWbuwlMG3V17cprZhA6+78JfB+3DTPw=="
    },
    "@sasjs/adapter": {
-      "version": "1.3.13",
-      "resolved": "https://registry.npmjs.org/@sasjs/adapter/-/adapter-1.3.13.tgz",
-      "integrity": "sha512-dWcDxgY3FB7Yx1I5dPpeQeyJDu4lezhIFrjn6lbdwRhV15aqOt4l9o9qZP+VbgOXqyi9gN0Y+p+vs2chBDFQqg==",
+      "version": "1.12.0",
+      "resolved": "https://registry.npmjs.org/@sasjs/adapter/-/adapter-1.12.0.tgz",
+      "integrity": "sha512-0uGQH9ynomWzdBaEujEtcR38q6V7LCgG0mrb1Wellv6cC/IHD3j6WfeZZAgtiMPeOSJjbCDBOlVnzC2TlBqJFw==",
      "requires": {
        "es6-promise": "^4.2.8",
        "form-data": "^3.0.0",
--- a/sasjs-tests/package.json
+++ b/sasjs-tests/package.json
@@ -4,7 +4,7 @@
  "homepage": ".",
  "private": true,
  "dependencies": {
-    "@sasjs/adapter": "^1.3.13",
+    "@sasjs/adapter": "^1.12.0",
    "@sasjs/test-framework": "^1.4.0",
    "@testing-library/jest-dom": "^4.2.4",
    "@testing-library/react": "^9.5.0",
--- a/sasjs-tests/src/testSuites/RequestData.ts
+++ b/sasjs-tests/src/testSuites/RequestData.ts
@@ -88,7 +88,7 @@ export const sendArrTests = (adapter: SASjs): TestSuite => ({
        return adapter.request("common/sendArr", data).catch((e) => e);
      },
      assertion: (error: any) => {
-        return !!error && !!error.MESSAGE;
+        return !!error && !!error.body && !!error.body.message;
      }
    },
    {
@@ -185,7 +185,7 @@ export const sendObjTests = (adapter: SASjs): TestSuite => ({
        };
        return adapter.request("common/sendObj", invalidData).catch((e) => e);
      },
-      assertion: (error: any) => !!error && !!error.MESSAGE
+      assertion: (error: any) => !!error && !!error.body && !!error.body.message
    },
    {
      title: "Single string value",
@@ -219,7 +219,7 @@ export const sendObjTests = (adapter: SASjs): TestSuite => ({
          .catch((e) => e);
      },
      assertion: (error: any) => {
-        return !!error && !!error.MESSAGE;
+        return !!error && !!error.body && !!error.body.message;
      }
    },
    {
--- a/src/SASViyaApiClient.ts
+++ b/src/SASViyaApiClient.ts
@@ -36,6 +36,7 @@ export class SASViyaApiClient {
  }

  private csrfToken: CsrfToken | null = null
+  private fileUploadCsrfToken: CsrfToken | null = null
  private sessionManager = new SessionManager(
    this.serverUrl,
    this.contextName,
@@ -1335,7 +1336,9 @@ export class SASViyaApiClient {

      const uploadResponse = await this.request<any>(
        `${this.serverUrl}/files/files#rawUpload`,
-        createFileRequest
+        createFileRequest,
+        'json',
+        'fileUpload'
      )

      uploadedFiles.push({ tableName, file: uploadResponse.result })
@@ -1490,22 +1493,36 @@ export class SASViyaApiClient {
    this.setCsrfToken(csrfToken)
  }

+  setFileUploadCsrfToken = (csrfToken: CsrfToken) => {
+    this.fileUploadCsrfToken = csrfToken
+  }
+
  private async request<T>(
    url: string,
    options: RequestInit,
-    contentType: 'text' | 'json' = 'json'
+    contentType: 'text' | 'json' = 'json',
+    type: 'fileUpload' | 'other' = 'other'
  ) {
-    if (this.csrfToken) {
-      options.headers = {
-        ...options.headers,
-        [this.csrfToken.headerName]: this.csrfToken.value
+    const callback =
+      type === 'fileUpload'
+        ? this.setFileUploadCsrfToken
+        : this.setCsrfTokenLocal
+
+    if (type === 'other') {
+      if (this.csrfToken) {
+        options.headers = {
+          ...options.headers,
+          [this.csrfToken.headerName]: this.csrfToken.value
+        }
+      }
+    } else {
+      if (this.fileUploadCsrfToken) {
+        options.headers = {
+          ...options.headers,
+          [this.fileUploadCsrfToken.headerName]: this.fileUploadCsrfToken.value
+        }
      }
    }
-    return await makeRequest<T>(
-      url,
-      options,
-      this.setCsrfTokenLocal,
-      contentType
-    )
+    return await makeRequest<T>(url, options, callback, contentType)
  }
 }