chore(release): 0.3.8 [skip ci]

## [0.3.8](https://github.com/sasjs/server/compare/v0.3.7...v0.3.8) (2022-06-13)

### Bug Fixes

* execution controller better error handling ([8a617a7](8a617a73ae))
* execution controller error details ([3fa2a7e](3fa2a7e2e3))

.github/CONTRIBUTING.md

@@ -2,25 +2,22 @@
 
 Contributions are very welcome!  Feel free to raise an issue or start a discussion, for help in getting started.
 
+The app can be deployed using Docker or NodeJS.
 
 ## Configuration
 
-Configuration is made in the `configuration` section of `package.json`:
+Configuration is made using `.env` files (per [README.md](https://github.com/sasjs/server#env-var-configuration) settings), _except_ for one case, when running in NodeJS in production - in which case the path to the SAS executable is made in the `configuration` section of `package.json`.
 
-- Provide path to SAS9 executable.
+The `.env` file should be created in the location(s) below.  Each folder contains a `.env.example` file that may be adjusted and renamed.
+
+* `.env` - the root .env file is used only for Docker deploys.
+* `api/.env` - this is the primary file used in NodeJS deploys
+* `web/.env` - this file is only necessary in NodeJS when running `web` and `api` seperately (on different ports).
 
 
-### Using dockers:
+## Using Docker
 
-There is `.env.example` file present at root of the project. [for Production]
-
-There is `.env.example` file present at `./api` of the project. [for Development]
-
-There is `.env.example` file present at `./web` of the project. [for Development]
-
-Remember to provide enviornment variables.
-
-#### Development
+### Docker Development Mode
 
 Command to run docker for development:
 
@@ -38,7 +35,7 @@ It will build following images if running first time:
 - `mongo-seed-clients` - will be populating client data specified in _./mongo-seed/clients/client.json_
 
 
-#### Production
+### Docker Production Mode
 
 Command to run docker for production:
 
@@ -54,47 +51,45 @@ It will build following images if running first time:
 - `mongo-seed-users` - will be populating user data specified in _./mongo-seed/users/user.json_
 - `mongo-seed-clients` - will be populating client data specified in _./mongo-seed/clients/client.json_
 
-### Using node:
+## Using NodeJS:
 
-#### Development (running api and web seperately):
+Be sure to use v16 or above, and to set your environment variables in the relevant `.env` file(s) - else defaults will be used.
 
-##### API
+### NodeJS Development Mode
 
-Navigate to `./api`
-There is `.env.example` file present at `./api` directory. Remember to provide enviornment variables else default values will be used mentioned in `.env.example` files
-Command to install and run api server.
+SASjs Server is split between an API server (serving REST requests) and a WEB Server (everything else).  These can be run together, or on seperate ports.
+
+### NodeJS Dev - Single Port
+
+Here the environment variables should be configured under `api.env`.  Then:
 
 ```
+cd ./web && npm i && npm build
+cd ../api && npm i && npm start
+```
+
+### NodeJS Dev - Seperate Ports
+
+Set the backend variables in `api/.env` and the frontend variables in `web/.env`. Then:
+
+#### API server
+```
+cd api
 npm install
 npm start
 ```
 
-##### Web
-
-Navigate to `./web`
-There is `.env.example` file present at `./web` directory. Remember to provide enviornment variables else default values will be used mentioned in `.env.example` files
-Command to install and run api server.
+#### Web Server 
 
 ```
+cd web
 npm install
 npm start
 ```
 
-#### Development (running only api server and have web build served):
+#### NodeJS Production Mode
 
-##### API server also serving Web build files
-
-There is `.env.example` file present at `./api` directory. Remember to provide enviornment variables else default values will be used mentioned in `.env.example` files
-Command to install and run api server.
-
-```
-cd ./web && npm i && npm build && cd ../
-cd ./api && npm i && npm start
-```
-
-#### Production
-
-##### API & WEB
+Update the `.env` file in the *api* folder.  Then:
 
 ```
 npm run server
@@ -105,7 +100,7 @@ This will install/build `web` and install `api`, then start prod server.
 
 ## Executables
 
-Command to generate executables
+In order to generate the final executables:
 
 ```
 cd ./web && npm i && npm build && cd ../
@@ -113,3 +108,7 @@ cd ./api && npm i && npm run exe
 ```
 
 This will install/build web app and install/create executables of sasjs server at root `./executables`
+
+## Releases
+
+To cut a release, run `npm run release` on the main branch, then push the tags (per the console log link)

.github/workflows/build.yml

@@ -54,6 +54,7 @@ jobs:
           ACCESS_TOKEN_SECRET: ${{secrets.ACCESS_TOKEN_SECRET}}
           REFRESH_TOKEN_SECRET: ${{secrets.REFRESH_TOKEN_SECRET}}
           AUTH_CODE_SECRET: ${{secrets.AUTH_CODE_SECRET}}
+          SESSION_SECRET: ${{secrets.SESSION_SECRET}}
 
       - name: Build Package
         working-directory: ./api

.github/workflows/release.yml

@@ -2,16 +2,26 @@ name: SASjs Server Executable Release
 
 on:
   push:
-    tags:
-      - 'v*.*.*'
+    branches:
+      - main
 
 jobs:
   release:
     runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        node-version: [lts/*]
+
     steps:
       - name: Checkout
         uses: actions/checkout@v2
 
+      - name: Use Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v2
+        with:
+          node-version: ${{ matrix.node-version }}
+
       - name: Install Dependencies WEB
         working-directory: ./web
         run: npm ci
@@ -39,10 +49,11 @@ jobs:
           zip macos.zip api-macos
           zip windows.zip api-win.exe
 
+      - name: Install Semantic Release and plugins
+        run: |
+          npm i
+          npm i -g semantic-release
+
       - name: Release
-        uses: softprops/action-gh-release@v1
-        with:
-          files: |
-            ./executables/linux.zip
-            ./executables/macos.zip
-            ./executables/windows.zip
+        run: |
+          GITHUB_TOKEN=${{ secrets.GH_TOKEN }} semantic-release

.gitignore

@@ -4,6 +4,7 @@ node_modules/
 .DS_Store
 .env*
 sas/
+sasjs_root/
 tmp/
 build/
 sasjsbuild/
@@ -11,3 +12,4 @@ sasjscore/
 certificates/
 executables/
 .env
+api/csp.config.json

.releaserc

@@ -0,0 +1,43 @@
+{
+  "branches": [
+    "main"
+  ],
+  "plugins": [
+    "@semantic-release/commit-analyzer",
+    "@semantic-release/release-notes-generator",
+    "@semantic-release/changelog",
+    [
+      "@semantic-release/git",
+      {
+        "assets": [
+          "CHANGELOG.md"
+        ]
+      }
+    ],
+    [
+      "@semantic-release/github",
+      {
+        "assets": [
+          {
+            "path": "./executables/linux.zip",
+            "label": "Linux Executable Binary"
+          },
+          {
+            "path": "./executables/macos.zip",
+            "label": "Macos Executable Binary"
+          },
+          {
+            "path": "./executables/windows.zip",
+            "label": "Windows Executable Binary"
+          }
+        ]
+      }
+    ],
+    [
+      "@semantic-release/exec",
+      {
+        "publishCmd": "echo 'publish command'"
+      }
+    ]
+  ]
+}

CHANGELOG.md

@@ -1,6 +1,375 @@
-# Changelog
+## [0.3.8](https://github.com/sasjs/server/compare/v0.3.7...v0.3.8) (2022-06-13)
 
-All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
+
+### Bug Fixes
+
+* execution controller better error handling ([8a617a7](https://github.com/sasjs/server/commit/8a617a73ae63233332f5788c90f173d6cd5e1283))
+* execution controller error details ([3fa2a7e](https://github.com/sasjs/server/commit/3fa2a7e2e32f90050f6b09e30ce3ef725eb0b15f))
+
+## [0.3.7](https://github.com/sasjs/server/compare/v0.3.6...v0.3.7) (2022-06-08)
+
+
+### Bug Fixes
+
+* **appstream:** redirect to relative + nested resource should be accessed ([5ab35b0](https://github.com/sasjs/server/commit/5ab35b02c4417132dddb5a800982f31d0d50ef66))
+
+## [0.3.6](https://github.com/sasjs/server/compare/v0.3.5...v0.3.6) (2022-06-02)
+
+
+### Bug Fixes
+
+* **appstream:** should serve only new files for same app stream name with new deployment ([e6d1989](https://github.com/sasjs/server/commit/e6d1989847761fbe562d7861ffa0ee542839b125))
+
+## [0.3.5](https://github.com/sasjs/server/compare/v0.3.4...v0.3.5) (2022-05-30)
+
+
+### Bug Fixes
+
+* bumping sasjs/core library ([61815f8](https://github.com/sasjs/server/commit/61815f8ae18be132e17c199cd8e3afbcc2fa0b60))
+
+## [0.3.4](https://github.com/sasjs/server/compare/v0.3.3...v0.3.4) (2022-05-30)
+
+
+### Bug Fixes
+
+* **web:** system username for DESKTOP mode ([a8ba378](https://github.com/sasjs/server/commit/a8ba378fd1ff374ba025a96fdfae5c6c36954465))
+
+## [0.3.3](https://github.com/sasjs/server/compare/v0.3.2...v0.3.3) (2022-05-30)
+
+
+### Bug Fixes
+
+* usage of autoexec API in DESKTOP mode ([12d424a](https://github.com/sasjs/server/commit/12d424acce8108a6f53aefbac01fddcdc5efb48f))
+
+## [0.3.2](https://github.com/sasjs/server/compare/v0.3.1...v0.3.2) (2022-05-27)
+
+
+### Bug Fixes
+
+* **web:** ability to use get/patch User API in desktop mode. ([2c259fe](https://github.com/sasjs/server/commit/2c259fe1de95d84e6929e311aaa6b895e66b42a3))
+
+## [0.3.1](https://github.com/sasjs/server/compare/v0.3.0...v0.3.1) (2022-05-26)
+
+
+### Bug Fixes
+
+* **api:** username should be lowercase ([5ad6ee5](https://github.com/sasjs/server/commit/5ad6ee5e0f5d7d6faa45b72215f1d9d55cfc37db))
+* **web:** reduced width for autoexec input ([7d11cc7](https://github.com/sasjs/server/commit/7d11cc79161e5a07f6c5392d742ef6b9d8658071))
+
+# [0.3.0](https://github.com/sasjs/server/compare/v0.2.0...v0.3.0) (2022-05-25)
+
+
+### Features
+
+* **web:** added profile + edit + autoexec changes ([c275db1](https://github.com/sasjs/server/commit/c275db184e874f0ee3a4f08f2592cfacf1e90742))
+
+# [0.2.0](https://github.com/sasjs/server/compare/v0.1.0...v0.2.0) (2022-05-25)
+
+
+### Bug Fixes
+
+* **autoexec:** usage in case of desktop from file ([79dc2db](https://github.com/sasjs/server/commit/79dc2dba23dc48ec218a973119392a45cb3856b5))
+
+
+### Features
+
+* **api:** added autoexec + major type setting changes ([2a7223a](https://github.com/sasjs/server/commit/2a7223ad7d6b8f3d4682447fd25d9426a7c79ac3))
+
+# [0.1.0](https://github.com/sasjs/server/compare/v0.0.77...v0.1.0) (2022-05-23)
+
+
+### Bug Fixes
+
+* issue174 + issue175 + issue146 ([80b33c7](https://github.com/sasjs/server/commit/80b33c7a18c1b7727316ffeca71658346733e935))
+* **web:** click to copy + notification ([f37f8e9](https://github.com/sasjs/server/commit/f37f8e95d1a85e00ceca2413dbb5e1f3f3f72255))
+
+
+### Features
+
+* **env:** added new env variable LOG_FORMAT_MORGAN ([53bf68a](https://github.com/sasjs/server/commit/53bf68a6aff44bb7b2f40d40d6554809253a01a8))
+
+## [0.0.77](https://github.com/sasjs/server/compare/v0.0.76...v0.0.77) (2022-05-16)
+
+
+### Bug Fixes
+
+* **release:** Github workflow without npm token ([c017d13](https://github.com/sasjs/server/commit/c017d13061d21aeacd0690367992d12ca57a115b))
+
+### [0.0.76](https://github.com/sasjs/server/compare/v0.0.75...v0.0.76) (2022-05-16)
+
+
+### Bug Fixes
+
+* get csrf token from cookie if not present in header ([f89389b](https://github.com/sasjs/server/commit/f89389bbc6f1f8f7060db2bdeb89746cbd60f533))
+
+### [0.0.75](https://github.com/sasjs/server/compare/v0.0.69...v0.0.75) (2022-05-12)
+
+
+### Features
+
+* CSP_DISABLE env option ([dd3acce](https://github.com/sasjs/server/commit/dd3acce3935e7cfc0b2c44a401314306915a3a10))
+
+
+### Bug Fixes
+
+* added more cookies to req ([4a8e32d](https://github.com/sasjs/server/commit/4a8e32dd20b540b6dc92d749fad90d6c7fc69376))
+* bumping core ([c0b57b9](https://github.com/sasjs/server/commit/c0b57b9e76d6db33fc64a68556a8be979dd69e40))
+* csp updates ([7cfa239](https://github.com/sasjs/server/commit/7cfa2398e12c5e515d27c896f36ff91604c2124d))
+* helmet config on http mode ([b0fdaaa](https://github.com/sasjs/server/commit/b0fdaaaa79e3135699c51effac0388d8ec5ab23b))
+* moved getAuthCode from api to web routes ([b40de8f](https://github.com/sasjs/server/commit/b40de8fa6a5aa763ed25a6fe6a381e483e0ab824))
+* reqHeadrs.txt will contain headers to access APIs ([636301e](https://github.com/sasjs/server/commit/636301e664416fb085f704d83deb7f39ee0a91a7))
+* **web:** seperate container for auth code ([5888f04](https://github.com/sasjs/server/commit/5888f04e08a32c6d2c7bcfcbc3a1d32425bff3b3))
+
+### [0.0.74](https://github.com/sasjs/server/compare/v0.0.73...v0.0.74) (2022-05-12)
+
+
+### Bug Fixes
+
+* csp updates ([7cfa239](https://github.com/sasjs/server/commit/7cfa2398e12c5e515d27c896f36ff91604c2124d))
+
+### [0.0.73](https://github.com/sasjs/server/compare/v0.0.72...v0.0.73) (2022-05-10)
+
+
+### Bug Fixes
+
+* helmet config on http mode ([b0fdaaa](https://github.com/sasjs/server/commit/b0fdaaaa79e3135699c51effac0388d8ec5ab23b))
+
+### [0.0.72](https://github.com/sasjs/server/compare/v0.0.71...v0.0.72) (2022-05-09)
+
+### [0.0.71](https://github.com/sasjs/server/compare/v0.0.70...v0.0.71) (2022-05-07)
+
+
+### Bug Fixes
+
+* added more cookies to req ([4a8e32d](https://github.com/sasjs/server/commit/4a8e32dd20b540b6dc92d749fad90d6c7fc69376))
+* bumping core ([c0b57b9](https://github.com/sasjs/server/commit/c0b57b9e76d6db33fc64a68556a8be979dd69e40))
+* reqHeadrs.txt will contain headers to access APIs ([636301e](https://github.com/sasjs/server/commit/636301e664416fb085f704d83deb7f39ee0a91a7))
+
+### [0.0.70](https://github.com/sasjs/server/compare/v0.0.69...v0.0.70) (2022-05-06)
+
+
+### Features
+
+* CSP_DISABLE env option ([dd3acce](https://github.com/sasjs/server/commit/dd3acce3935e7cfc0b2c44a401314306915a3a10))
+
+### [0.0.69](https://github.com/sasjs/server/compare/v0.0.68...v0.0.69) (2022-05-02)
+
+
+### Bug Fixes
+
+* **upload:** appStream uses CSRF + Session authentication ([1f89279](https://github.com/sasjs/server/commit/1f8927926405887f3d134c0a1dd6452ffa33876e))
+
+### [0.0.68](https://github.com/sasjs/server/compare/v0.0.67...v0.0.68) (2022-05-02)
+
+
+### Bug Fixes
+
+* using monaco editor locally ([2548c82](https://github.com/sasjs/server/commit/2548c82dfe1149e62a570a00546dddd9e30049b1))
+
+### [0.0.67](https://github.com/sasjs/server/compare/v0.0.66...v0.0.67) (2022-05-01)
+
+### [0.0.66](https://github.com/sasjs/server/compare/v0.0.64...v0.0.66) (2022-05-01)
+
+
+### Bug Fixes
+
+* added swagger ui init file manually ([e2a97fc](https://github.com/sasjs/server/commit/e2a97fcb7c54a57a7ca118677cfce93fe9430d8f))
+* consume swagger api with CSRF ([5aaac24](https://github.com/sasjs/server/commit/5aaac24080362d6ce0c5d1157798a9343f40ae2a))
+
+### [0.0.65](https://github.com/sasjs/server/compare/v0.0.64...v0.0.65) (2022-05-01)
+
+
+### Bug Fixes
+
+* consume swagger api with CSRF ([5aaac24](https://github.com/sasjs/server/commit/5aaac24080362d6ce0c5d1157798a9343f40ae2a))
+
+### [0.0.64](https://github.com/sasjs/server/compare/v0.0.63...v0.0.64) (2022-04-30)
+
+
+### Bug Fixes
+
+* removed fileExists for serving web ([7b39cc0](https://github.com/sasjs/server/commit/7b39cc06d358f5ffecb87955040c4eb0fcc7469e))
+
+### [0.0.63](https://github.com/sasjs/server/compare/v0.0.62...v0.0.63) (2022-04-30)
+
+### [0.0.62](https://github.com/sasjs/server/compare/v0.0.61...v0.0.62) (2022-04-30)
+
+### [0.0.61](https://github.com/sasjs/server/compare/v0.0.59...v0.0.61) (2022-04-30)
+
+
+### Bug Fixes
+
+* added CSRF check for granting access via session authentication ([b060ad1](https://github.com/sasjs/server/commit/b060ad1b8e0bbc61c20dc25be553bba4cc4d2716))
+* setting CSRF Token for only rendering SPA ([b4b60c6](https://github.com/sasjs/server/commit/b4b60c69cf67a42f4797f7f1afe68b7a5eec2998))
+
+### [0.0.60](https://github.com/sasjs/server/compare/v0.0.59...v0.0.60) (2022-04-30)
+
+
+### Bug Fixes
+
+* added CSRF check for granting access via session authentication ([b060ad1](https://github.com/sasjs/server/commit/b060ad1b8e0bbc61c20dc25be553bba4cc4d2716))
+* setting CSRF Token for only rendering SPA ([b4b60c6](https://github.com/sasjs/server/commit/b4b60c69cf67a42f4797f7f1afe68b7a5eec2998))
+
+### [0.0.59](https://github.com/sasjs/server/compare/v0.0.58...v0.0.59) (2022-04-29)
+
+
+### Features
+
+* enabled csrf tokens for web component ([e462aeb](https://github.com/sasjs/server/commit/e462aebdc01f3c0068ed0074473a2063412dcf45))
+* enabled session based authentication for web ([5da93f3](https://github.com/sasjs/server/commit/5da93f318aad10b1c67032a467191e4dbb99f411))
+
+
+### Bug Fixes
+
+* fetch client from DB for each request ([4ad8c81](https://github.com/sasjs/server/commit/4ad8c81e4927c1a82220ec015a781b095c8e859e))
+* **web:** show display name instead of username ([e57443f](https://github.com/sasjs/server/commit/e57443f1ed662a022494bb93d79c3d2f10a2d082))
+
+### [0.0.58](https://github.com/sasjs/server/compare/v0.0.57...v0.0.58) (2022-04-24)
+
+
+### Bug Fixes
+
+* bumping core library to get latest user management macros ([4862071](https://github.com/sasjs/server/commit/486207128da58fc4866bd0919c1bed2bd98097ea))
+* missing dependency ([d09876c](https://github.com/sasjs/server/commit/d09876c05f89166eec20064f7aa7ed5b867be081))
+
+### [0.0.57](https://github.com/sasjs/server/compare/v0.0.56...v0.0.57) (2022-04-21)
+
+
+### Features
+
+* create AppContext ([84ee743](https://github.com/sasjs/server/commit/84ee743eae16e87eaa91969393bebf01e2d15a44))
+
+### [0.0.56](https://github.com/sasjs/server/compare/v0.0.55...v0.0.56) (2022-04-20)
+
+
+### Bug Fixes
+
+* shortening min length of username.  Closes [#61](https://github.com/sasjs/server/issues/61) ([f02996f](https://github.com/sasjs/server/commit/f02996facf1019ec4022ccfbc99c1d0137074e1b))
+
+### [0.0.55](https://github.com/sasjs/server/compare/v0.0.53...v0.0.55) (2022-04-20)
+
+
+### Bug Fixes
+
+* added db seed at server startup ([2e63831](https://github.com/sasjs/server/commit/2e63831b90c7457e0e322719ebb1193fd6181cc3))
+* drive path in server mode ([c4cea4a](https://github.com/sasjs/server/commit/c4cea4a12b7eda4daeed995f41c0b10bcea79871))
+
+### [0.0.54](https://github.com/sasjs/server/compare/v0.0.53...v0.0.54) (2022-04-19)
+
+
+### Bug Fixes
+
+* added db seed at server startup ([2e63831](https://github.com/sasjs/server/commit/2e63831b90c7457e0e322719ebb1193fd6181cc3))
+
+### [0.0.53](https://github.com/sasjs/server/compare/v0.0.49...v0.0.53) (2022-04-19)
+
+
+### Features
+
+* add api for getting server info ([9fb5f1f](https://github.com/sasjs/server/commit/9fb5f1f8e7d4e2d767cc1ff7285c99514834cf32))
+* **appstream:** Upload an app from appStream page ([74ba65f](https://github.com/sasjs/server/commit/74ba65f9f330bf8c98c12a9c66bb60773d5a7b77))
+* run button running man, sub menu added ([68e84b0](https://github.com/sasjs/server/commit/68e84b0994a3fa6ff56b07635c637c6e3a57bfda))
+* running code with CTRL+ENTER ([b93a0da](https://github.com/sasjs/server/commit/b93a0da3a380926c87548b69309b2d0c1b7e617f))
+
+
+### Bug Fixes
+
+* provide clientId to web component ([db70b1c](https://github.com/sasjs/server/commit/db70b1ce555df6b29fb09c0c960d38b911c97b1b))
+* session death time has to be a valid string number ([23db7e7](https://github.com/sasjs/server/commit/23db7e7b7df2f22bbf7ce16865f83091624d8047))
+* web component added tooltip for webout in studio ([61080d4](https://github.com/sasjs/server/commit/61080d4694859306049346d2e3174f27bb6dac16))
+* web component UI fix for studio scrolling ([f257602](https://github.com/sasjs/server/commit/f25760283492140cc1f14e51ed27673ec28baaf3))
+
+### [0.0.52](https://github.com/sasjs/server/compare/v0.0.51...v0.0.52) (2022-04-17)
+
+
+### Features
+
+* add api for getting server info ([9fb5f1f](https://github.com/sasjs/server/commit/9fb5f1f8e7d4e2d767cc1ff7285c99514834cf32))
+
+### [0.0.51](https://github.com/sasjs/server/compare/v0.0.50...v0.0.51) (2022-04-15)
+
+
+### Features
+
+* run button running man, sub menu added ([68e84b0](https://github.com/sasjs/server/commit/68e84b0994a3fa6ff56b07635c637c6e3a57bfda))
+* running code with CTRL+ENTER ([b93a0da](https://github.com/sasjs/server/commit/b93a0da3a380926c87548b69309b2d0c1b7e617f))
+
+### [0.0.50](https://github.com/sasjs/server/compare/v0.0.49...v0.0.50) (2022-04-07)
+
+
+### Features
+
+* **appstream:** Upload an app from appStream page ([74ba65f](https://github.com/sasjs/server/commit/74ba65f9f330bf8c98c12a9c66bb60773d5a7b77))
+
+
+### Bug Fixes
+
+* session death time has to be a valid string number ([23db7e7](https://github.com/sasjs/server/commit/23db7e7b7df2f22bbf7ce16865f83091624d8047))
+* web component added tooltip for webout in studio ([61080d4](https://github.com/sasjs/server/commit/61080d4694859306049346d2e3174f27bb6dac16))
+* web component UI fix for studio scrolling ([f257602](https://github.com/sasjs/server/commit/f25760283492140cc1f14e51ed27673ec28baaf3))
+
+### [0.0.49](https://github.com/sasjs/server/compare/v0.0.48...v0.0.49) (2022-04-02)
+
+
+### Bug Fixes
+
+* **stp:** read file in non-binary mode if debug one ([527f70e](https://github.com/sasjs/server/commit/527f70e90dd7369766e375ac2d6fc38b2a114d11))
+
+### [0.0.48](https://github.com/sasjs/server/compare/v0.0.47...v0.0.48) (2022-04-02)
+
+
+### Features
+
+* **deploy:** new route added for deploy with build.json ([18d0604](https://github.com/sasjs/server/commit/18d0604bdd0b20ad468f9345474b4de034ee3a67))
+
+
+### Bug Fixes
+
+* remove uploaded build.json from temp folder in all cases ([9d167ab](https://github.com/sasjs/server/commit/9d167abe2adb743bca161862b4561bf573182c00))
+* **stp:** return log+webout for debug on ([3ff6f5e](https://github.com/sasjs/server/commit/3ff6f5e86581cd2ac23bbe0b8e2c367fbea890ed))
+
+### [0.0.47](https://github.com/sasjs/server/compare/v0.0.46...v0.0.47) (2022-03-29)
+
+
+### Bug Fixes
+
+* **web:** updated STUDIO log and webout ([f700561](https://github.com/sasjs/server/commit/f700561e1a8d06c18ca2bdbe4605d7ab34f7a761))
+
+### [0.0.46](https://github.com/sasjs/server/compare/v0.0.45...v0.0.46) (2022-03-29)
+
+
+### Features
+
+* **drive:** GET folder contents API added ([0ac9e4a](https://github.com/sasjs/server/commit/0ac9e4af7d67c4431053e80eb2384bf5bdc3f8b3))
+
+### [0.0.45](https://github.com/sasjs/server/compare/v0.0.43...v0.0.45) (2022-03-29)
+
+
+### Bug Fixes
+
+* DELETE req cannot have body ([0a5aece](https://github.com/sasjs/server/commit/0a5aeceab560b022197d0c30c3da7f091b261b1e))
+* increased req body size ([6dc39c0](https://github.com/sasjs/server/commit/6dc39c0d91ac13d6d9b8c0a2240446bfc45bdd7f))
+* proving a PRINT destination during SAS invocation. ([7f4201b](https://github.com/sasjs/server/commit/7f4201ba855743144fa6d3efac2b11e816d4696e)), closes [#111](https://github.com/sasjs/server/issues/111)
+* **session:** increased session + bug fixed ([117a53c](https://github.com/sasjs/server/commit/117a53ceeadf487a6326384ae11c10e98646631f))
+* **stp:** use same session from file upload ([dd56a95](https://github.com/sasjs/server/commit/dd56a95314f0b61480489118734e45877e1745ef))
+
+### [0.0.44](https://github.com/sasjs/server/compare/v0.0.43...v0.0.44) (2022-03-29)
+
+
+### Bug Fixes
+
+* DELETE req cannot have body ([0a5aece](https://github.com/sasjs/server/commit/0a5aeceab560b022197d0c30c3da7f091b261b1e))
+* increased req body size ([6dc39c0](https://github.com/sasjs/server/commit/6dc39c0d91ac13d6d9b8c0a2240446bfc45bdd7f))
+* **session:** increased session + bug fixed ([117a53c](https://github.com/sasjs/server/commit/117a53ceeadf487a6326384ae11c10e98646631f))
+* **stp:** use same session from file upload ([dd56a95](https://github.com/sasjs/server/commit/dd56a95314f0b61480489118734e45877e1745ef))
+
+### [0.0.43](https://github.com/sasjs/server/compare/v0.0.42...v0.0.43) (2022-03-23)
+
+
+### Bug Fixes
+
+* **deploy:** user can deploy to same appName with different/same appLoc ([9ace33d](https://github.com/sasjs/server/commit/9ace33d7830a9def42d741c23b46090afe0c5510))
+* fallback logo on AppStream ([5655311](https://github.com/sasjs/server/commit/5655311b9663225823c192b39a03f39d17dda730))
 
 ### [0.0.42](https://github.com/sasjs/server/compare/v0.0.41...v0.0.42) (2022-03-23)
 

README.md

@@ -48,22 +48,46 @@ When launching the app, it will make use of specific environment variables. Thes
 Example contents of a `.env` file:
 
 ```
-MODE=desktop # options: [desktop|server] default: `desktop`
-CORS=disable # options: [disable|enable] default: `disable` for `server` & `enable` for `desktop`
-WHITELIST= # options: <http://localhost:3000 https://abc.com ...> space separated urls
-PROTOCOL=http # options: [http|https] default: http
-PORT=5000 # default: 5000
+#
+## Core Settings
+#
 
-# optional
-# for MODE: `desktop`, prompts user
-# for MODE: `server` gets value from api/package.json `configuration.sasPath`
+
+# MODE options: [desktop|server] default: `desktop`
+# Desktop mode is single user and designed for workstation use
+# Server mode is multi-user and suitable for intranet / internet use
+MODE=
+
+# Path to SAS executable (sas.exe / sas.sh)
 SAS_PATH=/path/to/sas/executable.exe
 
+# Path to working directory
+# This location is for SAS WORK, staged files, DRIVE, configuration etc
+SASJS_ROOT=./sasjs_root
 
-# optional
-# for MODE: `desktop`, prompts user
-# for MODE: `server` defaults to /tmp
-DRIVE_PATH=/tmp
+# options: [http|https] default: http
+PROTOCOL=
+
+# default: 5000
+PORT=
+
+
+#
+## Additional SAS Options
+#
+
+
+# On windows use SAS_OPTIONS and on unix use SASV9_OPTIONS
+# Any options set here are automatically applied in the SAS session
+# See: https://documentation.sas.com/doc/en/pgmsascdc/9.4_3.5/hostunx/p0wrdmqp8k0oyyn1xbx3bp3qy2wl.htm
+# And: https://documentation.sas.com/doc/en/pgmsascdc/9.4_3.5/hostwin/p0drw76qo0gig2n1kcoliekh605k.htm#p09y7hx0grw1gin1giuvrjyx61m6
+SAS_OPTIONS= -NOXCMD
+SASV9_OPTIONS= -NOXCMD
+
+
+#
+## Additional Web Server Options
+#
 
 # ENV variables required for PROTOCOL: `https`
 PRIVATE_KEY=privkey.pem
@@ -73,17 +97,61 @@ FULL_CHAIN=fullchain.pem
 ACCESS_TOKEN_SECRET=<secret>
 REFRESH_TOKEN_SECRET=<secret>
 AUTH_CODE_SECRET=<secret>
+SESSION_SECRET=<secret>
 DB_CONNECT=mongodb+srv://<DB_USERNAME>:<DB_PASSWORD>@<CLUSTER>/<DB_NAME>?retryWrites=true&w=majority
+
+# options: [disable|enable] default: `disable` for `server` & `enable` for `desktop`
+# If enabled, be sure to also configure the WHITELIST of third party servers.
+CORS=
+
+# options: <http://localhost:3000 https://abc.com ...> space separated urls
+WHITELIST=
+
+# HELMET Cross Origin Embedder Policy
+# Sets the Cross-Origin-Embedder-Policy header to require-corp when `true`
+# options: [true|false] default: true
+# Docs: https://helmetjs.github.io/#reference (`crossOriginEmbedderPolicy`)
+HELMET_COEP=
+
+# HELMET Content Security Policy
+# Path to a json file containing HELMET `contentSecurityPolicy` directives
+# Docs: https://helmetjs.github.io/#reference
+#
+# Example config:
+# {
+#   "img-src": ["'self'", "data:"],
+#   "script-src": ["'self'", "'unsafe-inline'"],
+#   "script-src-attr": ["'self'", "'unsafe-inline'"]
+# }
+HELMET_CSP_CONFIG_PATH=./csp.config.json
+
+# LOG_FORMAT_MORGAN options: [combined|common|dev|short|tiny] default: `common`
+# Docs: https://www.npmjs.com/package/morgan#predefined-formats
+LOG_FORMAT_MORGAN=
+
 ```
 
 ## Persisting the Session
 
-Normally the server process will stop when your terminal dies. To keep it going you can use the npm package [pm2](https://www.npmjs.com/package/pm2) (`npm install pm2@latest -g`) as follows:
+Normally the server process will stop when your terminal dies. To keep it going you can use the following suggested approaches:
+
+1. Linux Background Job
+2. NPM package `pm2`
+
+### Background Job
+
+Trigger the command using NOHUP, redirecting the output commands, eg `nohup ./api-linux > server.log 2>&1 &`.
+
+You can now see the job running using the `jobs` command. To ensure that it will still run when your terminal is closed, execute the `disown` command. To kill it later, use the `kill -9 <pid>` command. You can see your sessions using `top -u <userid>`. Type `c` to see the commands being run against each pid.
+
+### PM2
+
+Install the npm package [pm2](https://www.npmjs.com/package/pm2) (`npm install pm2@latest -g`) and execute, eg as follows:
 
 ```bash
 export SAS_PATH=/opt/sas9/SASHome/SASFoundation/9.4/sasexe/sas
 export PORT=5001
-export DRIVE_PATH=./tmp
+export SASJS_ROOT=./sasjs_root
 
 pm2 start api-linux
 ```
@@ -112,7 +180,7 @@ Instead of `app_name` you can pass:
 
 ## Server Version
 
-The following credentials can be used for the initial connection to SASjs/server. It is recommended to change these on first use.
+The following credentials can be used for the initial connection to SASjs/server. It is highly recommended to change these on first use.
 
 - CLIENTID: `clientID1`
 - USERNAME: `secretuser`

api/.env.example

@@ -1,14 +1,23 @@
 MODE=[desktop|server] default considered as desktop
 CORS=[disable|enable] default considered as disable for server MODE & enable for desktop MODE
 WHITELIST=<space separated urls, each starting with protocol `http` or `https`>
+
 PROTOCOL=[http|https] default considered as http
 PRIVATE_KEY=privkey.pem
 FULL_CHAIN=fullchain.pem
+
 PORT=[5000] default value is 5000
+
+HELMET_CSP_CONFIG_PATH=./csp.config.json if omitted HELMET default will be used
+HELMET_COEP=[true|false] if omitted HELMET default will be used
+
 ACCESS_TOKEN_SECRET=<secret>
 REFRESH_TOKEN_SECRET=<secret>
 AUTH_CODE_SECRET=<secret>
+SESSION_SECRET=<secret>
 DB_CONNECT=mongodb+srv://<DB_USERNAME>:<DB_PASSWORD>@<CLUSTER>/<DB_NAME>?retryWrites=true&w=majority
 
 SAS_PATH=/opt/sas/sas9/SASHome/SASFoundation/9.4/sas
-DRIVE_PATH=./tmp
+SASJS_ROOT=./sasjs_root
+
+LOG_FORMAT_MORGAN=common

api/csp.config.example.json

@@ -0,0 +1,5 @@
+{
+  "img-src": ["'self'", "data:"],
+  "script-src": ["'self'", "'unsafe-inline'"],
+  "script-src-attr": ["'self'", "'unsafe-inline'"]
+}

api/package.json

@@ -8,6 +8,7 @@
     "prestart": "npm run initial",
     "prebuild": "npm run initial",
     "start": "nodemon ./src/server.ts",
+    "start:prod": "node ./build/src/server.js",
     "build": "rimraf build && tsc",
     "postbuild": "npm run copy:files",
     "swagger": "tsoa spec",
@@ -46,25 +47,32 @@
   },
   "author": "4GL Ltd",
   "dependencies": {
-    "@sasjs/core": "4.9.0",
-    "@sasjs/utils": "2.36.2",
+    "@sasjs/core": "^4.27.3",
+    "@sasjs/utils": "2.42.1",
     "bcryptjs": "^2.4.3",
+    "connect-mongo": "^4.6.0",
     "cookie-parser": "^1.4.6",
     "cors": "^2.8.5",
+    "csurf": "^1.11.0",
     "express": "^4.17.1",
+    "express-session": "^1.17.2",
+    "helmet": "^5.0.2",
     "joi": "^17.4.2",
     "jsonwebtoken": "^8.5.1",
     "mongoose": "^6.0.12",
     "mongoose-sequence": "^5.3.1",
     "morgan": "^1.10.0",
     "multer": "^1.4.3",
-    "swagger-ui-express": "^4.1.6"
+    "swagger-ui-express": "4.3.0",
+    "url": "^0.10.3"
   },
   "devDependencies": {
     "@types/bcryptjs": "^2.4.2",
     "@types/cookie-parser": "^1.4.2",
     "@types/cors": "^2.8.12",
+    "@types/csurf": "^1.11.2",
     "@types/express": "^4.17.12",
+    "@types/express-session": "^1.17.4",
     "@types/jest": "^26.0.24",
     "@types/jsonwebtoken": "^8.5.5",
     "@types/mongoose-sequence": "^3.0.6",
@@ -78,7 +86,7 @@
     "jest": "^27.0.6",
     "mongodb-memory-server": "^8.0.0",
     "nodemon": "^2.0.7",
-    "pkg": "5.5.2",
+    "pkg": "5.6.0",
     "prettier": "^2.3.1",
     "rimraf": "^3.0.2",
     "supertest": "^6.1.3",
@@ -87,12 +95,9 @@
     "tsoa": "3.14.1",
     "typescript": "^4.3.2"
   },
-  "configuration": {
-    "sasPath": "/opt/sas/sas9/SASHome/SASFoundation/9.4/sas"
-  },
   "nodemonConfig": {
     "ignore": [
-      "tmp/**/*"
+      "sasjs_root/**/*"
     ]
   }
 }

api/public/SASjsApi/swagger-ui-init.js

@@ -0,0 +1,50 @@
+window.onload = function () {
+  // Build a system
+  var url = window.location.search.match(/url=([^&]+)/)
+  if (url && url.length > 1) {
+    url = decodeURIComponent(url[1])
+  } else {
+    url = window.location.origin
+  }
+  var options = {
+    customOptions: {
+      url: '/swagger.yaml',
+      requestInterceptor: function (request) {
+        request.credentials = 'include'
+        var cookie = document.cookie
+        var startIndex = cookie.indexOf('XSRF-TOKEN')
+        var csrf = cookie.slice(startIndex + 11).split('; ')[0]
+        request.headers['X-XSRF-TOKEN'] = csrf
+        return request
+      }
+    }
+  }
+  url = options.swaggerUrl || url
+  var urls = options.swaggerUrls
+  var customOptions = options.customOptions
+  var spec1 = options.swaggerDoc
+  var swaggerOptions = {
+    spec: spec1,
+    url: url,
+    urls: urls,
+    dom_id: '#swagger-ui',
+    deepLinking: true,
+    presets: [SwaggerUIBundle.presets.apis, SwaggerUIStandalonePreset],
+    plugins: [SwaggerUIBundle.plugins.DownloadUrl],
+    layout: 'StandaloneLayout'
+  }
+  for (var attrname in customOptions) {
+    swaggerOptions[attrname] = customOptions[attrname]
+  }
+  var ui = SwaggerUIBundle(swaggerOptions)
+
+  if (customOptions.oauth) {
+    ui.initOAuth(customOptions.oauth)
+  }
+
+  if (customOptions.authAction) {
+    ui.authActions.authorize(customOptions.authAction)
+  }
+
+  window.ui = ui
+}

api/public/app-streams-script.js

@@ -0,0 +1,49 @@
+const inputElement = document.getElementById('fileId')
+
+document.getElementById('uploadButton').addEventListener('click', function () {
+  inputElement.click()
+})
+
+inputElement.addEventListener(
+  'change',
+  function () {
+    const fileList = this.files /* now you can work with the file list */
+
+    updateFileUploadMessage('Requesting ...')
+
+    const file = fileList[0]
+    const formData = new FormData()
+
+    formData.append('file', file)
+
+    axios
+      .post('/SASjsApi/drive/deploy/upload', formData)
+      .then((res) => res.data)
+      .then((data) => {
+        return (
+          data.message +
+          '\nstreamServiceName: ' +
+          data.streamServiceName +
+          '\nrefreshing page once alert box closes.'
+        )
+      })
+      .then((message) => {
+        alert(message)
+        location.reload()
+      })
+      .catch((error) => {
+        alert(error.response.data)
+        resetFileUpload()
+        updateFileUploadMessage('Upload New App')
+      })
+  },
+  false
+)
+
+function updateFileUploadMessage(message) {
+  document.getElementById('uploadMessage').innerHTML = message
+}
+
+function resetFileUpload() {
+  inputElement.value = null
+}

api/public/swagger.yaml

@@ -5,36 +5,6 @@ components:
     requestBodies: {}
     responses: {}
     schemas:
-        AuthorizeResponse:
-            properties:
-                code:
-                    type: string
-                    description: 'Authorization code'
-                    example: someRandomCryptoString
-            required:
-                - code
-            type: object
-            additionalProperties: false
-        AuthorizePayload:
-            properties:
-                username:
-                    type: string
-                    description: 'Username for user'
-                    example: secretuser
-                password:
-                    type: string
-                    description: 'Password for user'
-                    example: secretpassword
-                clientId:
-                    type: string
-                    description: 'Client ID'
-                    example: clientID1
-            required:
-                - username
-                - password
-                - clientId
-            type: object
-            additionalProperties: false
         TokenResponse:
             properties:
                 accessToken:
@@ -77,6 +47,41 @@ components:
                 - userId
             type: object
             additionalProperties: false
+        LoginPayload:
+            properties:
+                username:
+                    type: string
+                    description: 'Username for user'
+                    example: secretuser
+                password:
+                    type: string
+                    description: 'Password for user'
+                    example: secretpassword
+            required:
+                - username
+                - password
+            type: object
+            additionalProperties: false
+        AuthorizeResponse:
+            properties:
+                code:
+                    type: string
+                    description: 'Authorization code'
+                    example: someRandomCryptoString
+            required:
+                - code
+            type: object
+            additionalProperties: false
+        AuthorizePayload:
+            properties:
+                clientId:
+                    type: string
+                    description: 'Client ID'
+                    example: clientID1
+            required:
+                - clientId
+            type: object
+            additionalProperties: false
         ClientPayload:
             properties:
                 clientId:
@@ -318,6 +323,8 @@ components:
                     type: boolean
                 isAdmin:
                     type: boolean
+                autoExec:
+                    type: string
             required:
                 - id
                 - displayName
@@ -347,6 +354,10 @@ components:
                     type: boolean
                     description: 'Account should be active or not, defaults to true'
                     example: 'true'
+                autoExec:
+                    type: string
+                    description: 'User-specific auto-exec code'
+                    example: ""
             required:
                 - displayName
                 - username
@@ -410,6 +421,25 @@ components:
                 - description
             type: object
             additionalProperties: false
+        InfoResponse:
+            properties:
+                mode:
+                    type: string
+                cors:
+                    type: string
+                whiteList:
+                    items:
+                        type: string
+                    type: array
+                protocol:
+                    type: string
+            required:
+                - mode
+                - cors
+                - whiteList
+                - protocol
+            type: object
+            additionalProperties: false
         ExecuteReturnJsonPayload:
             properties:
                 _program:
@@ -431,30 +461,6 @@ info:
         name: '4GL Ltd'
 openapi: 3.0.0
 paths:
-    /SASjsApi/auth/authorize:
-        post:
-            operationId: Authorize
-            responses:
-                '200':
-                    description: Ok
-                    content:
-                        application/json:
-                            schema:
-                                $ref: '#/components/schemas/AuthorizeResponse'
-                            examples:
-                                'Example 1':
-                                    value: {code: someRandomCryptoString}
-            summary: 'Accept a valid username/password, plus a CLIENT_ID, and return an AUTH_CODE'
-            tags:
-                - Auth
-            security: []
-            parameters: []
-            requestBody:
-                required: true
-                content:
-                    application/json:
-                        schema:
-                            $ref: '#/components/schemas/AuthorizePayload'
     /SASjsApi/auth/token:
         post:
             operationId: Token
@@ -512,6 +518,86 @@ paths:
                 -
                     bearerAuth: []
             parameters: []
+    /:
+        get:
+            operationId: Home
+            responses:
+                '200':
+                    description: Ok
+                    content:
+                        application/json:
+                            schema:
+                                type: string
+            summary: 'Render index.html'
+            tags:
+                - Web
+            security: []
+            parameters: []
+    /SASLogon/login:
+        post:
+            operationId: Login
+            responses:
+                '200':
+                    description: Ok
+                    content:
+                        application/json:
+                            schema:
+                                properties:
+                                    user: {properties: {displayName: {type: string}, username: {type: string}, id: {type: number, format: double}}, required: [displayName, username, id], type: object}
+                                    loggedIn: {type: boolean}
+                                required:
+                                    - user
+                                    - loggedIn
+                                type: object
+            summary: 'Accept a valid username/password'
+            tags:
+                - Web
+            security: []
+            parameters: []
+            requestBody:
+                required: true
+                content:
+                    application/json:
+                        schema:
+                            $ref: '#/components/schemas/LoginPayload'
+    /SASLogon/authorize:
+        post:
+            operationId: Authorize
+            responses:
+                '200':
+                    description: Ok
+                    content:
+                        application/json:
+                            schema:
+                                $ref: '#/components/schemas/AuthorizeResponse'
+                            examples:
+                                'Example 1':
+                                    value: {code: someRandomCryptoString}
+            summary: 'Accept a valid username/password, plus a CLIENT_ID, and return an AUTH_CODE'
+            tags:
+                - Web
+            security: []
+            parameters: []
+            requestBody:
+                required: true
+                content:
+                    application/json:
+                        schema:
+                            $ref: '#/components/schemas/AuthorizePayload'
+    /logout:
+        get:
+            operationId: Logout
+            responses:
+                '200':
+                    description: Ok
+                    content:
+                        application/json:
+                            schema: {}
+            summary: 'Accept a valid username/password'
+            tags:
+                - Web
+            security: []
+            parameters: []
     /SASjsApi/client:
         post:
             operationId: CreateClient
@@ -606,13 +692,62 @@ paths:
                     application/json:
                         schema:
                             $ref: '#/components/schemas/DeployPayload'
+    /SASjsApi/drive/deploy/upload:
+        post:
+            operationId: DeployUpload
+            responses:
+                '200':
+                    description: Ok
+                    content:
+                        application/json:
+                            schema:
+                                $ref: '#/components/schemas/DeployResponse'
+                            examples:
+                                'Example 1':
+                                    value: {status: success, message: 'Files deployed successfully to @sasjs/server.'}
+                '400':
+                    description: 'Invalid Format'
+                    content:
+                        application/json:
+                            schema:
+                                $ref: '#/components/schemas/DeployResponse'
+                            examples:
+                                'Example 1':
+                                    value: {status: failure, message: 'Provided not supported data format.'}
+                '500':
+                    description: 'Execution Error'
+                    content:
+                        application/json:
+                            schema:
+                                $ref: '#/components/schemas/DeployResponse'
+                            examples:
+                                'Example 1':
+                                    value: {status: failure, message: 'Deployment failed!'}
+            summary: 'Creates/updates files within SASjs Drive using uploaded JSON file.'
+            tags:
+                - Drive
+            security:
+                -
+                    bearerAuth: []
+            parameters: []
+            requestBody:
+                required: true
+                content:
+                    multipart/form-data:
+                        schema:
+                            type: object
+                            properties:
+                                file:
+                                    type: string
+                                    format: binary
+                            required:
+                                - file
     /SASjsApi/drive/file:
         get:
             operationId: GetFile
             responses:
                 '204':
                     description: 'No content'
-            description: "It's optional to either provide `_filePath` in url as query parameter\nOr provide `filePath` in body as form field.\nBut it's required to provide else API will respond with Bad Request."
             summary: 'Get file from SASjs Drive'
             tags:
                 - Drive
@@ -623,19 +758,10 @@ paths:
                 -
                     in: query
                     name: _filePath
-                    required: false
+                    required: true
                     schema:
                         type: string
                     example: /Public/somefolder/some.file
-            requestBody:
-                required: false
-                content:
-                    multipart/form-data:
-                        schema:
-                            type: object
-                            properties:
-                                filePath:
-                                    type: string
         delete:
             operationId: DeleteFile
             responses:
@@ -649,7 +775,6 @@ paths:
                                 required:
                                     - status
                                 type: object
-            description: "It's optional to either provide `_filePath` in url as query parameter\nOr provide `filePath` in body as form field.\nBut it's required to provide else API will respond with Bad Request."
             summary: 'Delete file from SASjs Drive'
             tags:
                 - Drive
@@ -660,19 +785,10 @@ paths:
                 -
                     in: query
                     name: _filePath
-                    required: false
+                    required: true
                     schema:
                         type: string
                     example: /Public/somefolder/some.file
-            requestBody:
-                required: false
-                content:
-                    multipart/form-data:
-                        schema:
-                            type: object
-                            properties:
-                                filePath:
-                                    type: string
         post:
             operationId: SaveFile
             responses:
@@ -775,6 +891,36 @@ paths:
                                     type: string
                             required:
                                 - file
+    /SASjsApi/drive/folder:
+        get:
+            operationId: GetFolder
+            responses:
+                '200':
+                    description: Ok
+                    content:
+                        application/json:
+                            schema:
+                                properties:
+                                    folders: {items: {type: string}, type: array}
+                                    files: {items: {type: string}, type: array}
+                                required:
+                                    - folders
+                                    - files
+                                type: object
+            summary: 'Get folder contents from SASjs Drive'
+            tags:
+                - Drive
+            security:
+                -
+                    bearerAuth: []
+            parameters:
+                -
+                    in: query
+                    name: _folderPath
+                    required: false
+                    schema:
+                        type: string
+                    example: /Public/somefolder
     /SASjsApi/drive/filetree:
         get:
             operationId: GetFileTree
@@ -849,6 +995,7 @@ paths:
                         application/json:
                             schema:
                                 $ref: '#/components/schemas/UserDetailsResponse'
+            description: 'Only Admin or user itself will get user autoExec code.'
             summary: 'Get user properties - such as group memberships, userName, displayName.'
             tags:
                 - User
@@ -1098,6 +1245,24 @@ paths:
                         format: double
                         type: number
                     example: '6789'
+    /SASjsApi/info:
+        get:
+            operationId: Info
+            responses:
+                '200':
+                    description: Ok
+                    content:
+                        application/json:
+                            schema:
+                                $ref: '#/components/schemas/InfoResponse'
+                            examples:
+                                'Example 1':
+                                    value: {mode: desktop, cors: enable, whiteList: ['http://example.com', 'http://example2.com'], protocol: http}
+            summary: 'Get server info (mode, cors, whiteList, protocol).'
+            tags:
+                - Info
+            security: []
+            parameters: []
     /SASjsApi/session:
         get:
             operationId: Session
@@ -1184,6 +1349,9 @@ servers:
     -
         url: /
 tags:
+    -
+        name: Info
+        description: 'Get Server Info'
     -
         name: Session
         description: 'Get Session information'
@@ -1208,3 +1376,6 @@ tags:
     -
         name: CODE
         description: 'Operations on SAS code'
+    -
+        name: Web
+        description: 'Operations on Web'

api/scripts/compileSysInit.ts

@@ -1,5 +1,6 @@
 import path from 'path'
 import {
+  CompileTree,
   createFile,
   loadDependenciesFile,
   readFile,
@@ -18,7 +19,8 @@ const compiledSystemInit = async (systemInit: string) =>
     macroFolders: [],
     buildSourceFolder: '',
     binaryFolders: [],
-    macroCorePath
+    macroCorePath,
+    compileTree: new CompileTree('') // dummy compileTree
   }))
 
 const createSysInitFile = async () => {

api/scripts/systemInit.sas

@@ -5,23 +5,12 @@
   _before_ any user-provided content.
 
   A number of useful CORE macros are also compiled below, so that they can be
-  available "out of the box".
+  available by default for Stored Programs.
+
+  Note that the full CORE library is available to sessions in SASjs Studio.
 
   <h4> SAS Macros </h4>
-  @li mcf_stpsrv_header.sas
-  @li mf_getuser.sas
-  @li mf_getvarlist.sas
-  @li mf_mkdir.sas
-  @li mf_nobs.sas
-  @li mf_uid.sas
   @li mfs_httpheader.sas
-  @li mp_dirlist.sas
-  @li mp_ds2ddl.sas
-  @li mp_ds2md.sas
-  @li mp_getdbml.sas
-  @li mp_init.sas
-  @li mp_makedata.sas
-  @li mp_zip.sas
-
+  @li ms_webout.sas
 **/
 

api/src/app.ts

@@ -1,48 +1,142 @@
 import path from 'path'
 import express, { ErrorRequestHandler } from 'express'
+import csrf from 'csurf'
+import session from 'express-session'
+import MongoStore from 'connect-mongo'
 import morgan from 'morgan'
 import cookieParser from 'cookie-parser'
 import dotenv from 'dotenv'
 import cors from 'cors'
+import helmet from 'helmet'
 
 import {
   connectDB,
   copySASjsCore,
-  getWebBuildFolderPath,
+  CorsType,
+  getWebBuildFolder,
+  HelmetCoepType,
+  instantiateLogger,
   loadAppStreamConfig,
-  sasJSCoreMacros,
-  setProcessVariables
+  ModeType,
+  ProtocolType,
+  ReturnCode,
+  setProcessVariables,
+  setupFolders,
+  verifyEnvVariables
 } from './utils'
+import { getEnvCSPDirectives } from './utils/parseHelmetConfig'
 
 dotenv.config()
 
+instantiateLogger()
+
+if (verifyEnvVariables()) process.exit(ReturnCode.InvalidEnv)
+
 const app = express()
 
-const { MODE, CORS, WHITELIST } = process.env
+app.use(cookieParser())
 
-if (MODE?.trim() !== 'server' || CORS?.trim() === 'enable') {
-  const whiteList: string[] = []
-  WHITELIST?.split(' ')?.forEach((url) => {
-    if (url.startsWith('http'))
-      // removing trailing slash of URLs listing for CORS
-      whiteList.push(url.replace(/\/$/, ''))
+const {
+  MODE,
+  CORS,
+  WHITELIST,
+  PROTOCOL,
+  HELMET_CSP_CONFIG_PATH,
+  HELMET_COEP,
+  LOG_FORMAT_MORGAN
+} = process.env
+
+app.use(morgan(LOG_FORMAT_MORGAN as string))
+
+export const cookieOptions = {
+  secure: PROTOCOL === ProtocolType.HTTPS,
+  httpOnly: true,
+  maxAge: 24 * 60 * 60 * 1000 // 24 hours
+}
+
+const cspConfigJson: { [key: string]: string[] | null } = getEnvCSPDirectives(
+  HELMET_CSP_CONFIG_PATH
+)
+if (PROTOCOL === ProtocolType.HTTP)
+  cspConfigJson['upgrade-insecure-requests'] = null
+
+/***********************************
+ *         CSRF Protection         *
+ ***********************************/
+export const csrfProtection = csrf({ cookie: cookieOptions })
+
+/***********************************
+ *   Handle security and origin    *
+ ***********************************/
+app.use(
+  helmet({
+    contentSecurityPolicy: {
+      directives: {
+        ...helmet.contentSecurityPolicy.getDefaultDirectives(),
+        ...cspConfigJson
+      }
+    },
+    crossOriginEmbedderPolicy: HELMET_COEP === HelmetCoepType.TRUE
   })
+)
+
+/***********************************
+ *         Enabling CORS           *
+ ***********************************/
+if (CORS === CorsType.ENABLED) {
+  const whiteList: string[] = []
+  WHITELIST?.split(' ')
+    ?.filter((url) => !!url)
+    .forEach((url) => {
+      if (url.startsWith('http'))
+        // removing trailing slash of URLs listing for CORS
+        whiteList.push(url.replace(/\/$/, ''))
+    })
 
   console.log('All CORS Requests are enabled for:', whiteList)
   app.use(cors({ credentials: true, origin: whiteList }))
 }
 
-app.use(cookieParser())
-app.use(morgan('tiny'))
-app.use(express.json({ limit: '50mb' }))
+/***********************************
+ *         DB Connection &          *
+ *        Express Sessions          *
+ *        With Mongo Store          *
+ ***********************************/
+if (MODE === ModeType.Server) {
+  let store: MongoStore | undefined
+
+  // NOTE: when exporting app.js as agent for supertest
+  // we should exclude connecting to the real database
+  if (process.env.NODE_ENV !== 'test') {
+    const clientPromise = connectDB().then((conn) => conn!.getClient() as any)
+
+    store = MongoStore.create({ clientPromise, collectionName: 'sessions' })
+  }
+
+  app.use(
+    session({
+      secret: process.env.SESSION_SECRET as string,
+      saveUninitialized: false, // don't create session until something stored
+      resave: false, //don't save session if unmodified
+      store,
+      cookie: cookieOptions
+    })
+  )
+}
+
+app.use(express.json({ limit: '100mb' }))
 app.use(express.static(path.join(__dirname, '../public')))
 
 const onError: ErrorRequestHandler = (err, req, res, next) => {
+  if (err.code === 'EBADCSRFTOKEN')
+    return res.status(400).send('Invalid CSRF token!')
+
   console.error(err.stack)
   res.status(500).send('Something broke!')
 }
 
 export default setProcessVariables().then(async () => {
+  await setupFolders()
   await copySASjsCore()
 
   // loading these modules after setting up variables due to
@@ -54,10 +148,9 @@ export default setProcessVariables().then(async () => {
 
   // should be served after setting up web route
   // index.html needs to be injected with some js script.
-  app.use(express.static(getWebBuildFolderPath()))
+  app.use(express.static(getWebBuildFolder()))
 
   app.use(onError)
 
-  await connectDB()
   return app
 })

api/src/controllers/auth.ts

@@ -1,10 +1,8 @@
 import { Security, Route, Tags, Example, Post, Body, Query, Hidden } from 'tsoa'
 import jwt from 'jsonwebtoken'
-import User from '../model/User'
 import { InfoJWT } from '../types'
 import {
   generateAccessToken,
-  generateAuthCode,
   generateRefreshToken,
   removeTokensInDB,
   saveTokensInDB
@@ -24,20 +22,6 @@ export class AuthController {
   static deleteCode = (userId: number, clientId: string) =>
     delete AuthController.authCodes[userId][clientId]
 
-  /**
-   * @summary Accept a valid username/password, plus a CLIENT_ID, and return an AUTH_CODE
-   *
-   */
-  @Example<AuthorizeResponse>({
-    code: 'someRandomCryptoString'
-  })
-  @Post('/authorize')
-  public async authorize(
-    @Body() body: AuthorizePayload
-  ): Promise<AuthorizeResponse> {
-    return authorize(body)
-  }
-
   /**
    * @summary Accepts client/auth code and returns access/refresh tokens
    *
@@ -78,30 +62,6 @@ export class AuthController {
   }
 }
 
-const authorize = async (data: any): Promise<AuthorizeResponse> => {
-  const { username, password, clientId } = data
-
-  // Authenticate User
-  const user = await User.findOne({ username })
-  if (!user) throw new Error('Username is not found.')
-
-  const validPass = user.comparePassword(password)
-  if (!validPass) throw new Error('Invalid password.')
-
-  // generate authorization code against clientId
-  const userInfo: InfoJWT = {
-    clientId,
-    userId: user.id
-  }
-  const code = AuthController.saveCode(
-    user.id,
-    clientId,
-    generateAuthCode(userInfo)
-  )
-
-  return { code }
-}
-
 const token = async (data: any): Promise<TokenResponse> => {
   const { clientId, code } = data
 
@@ -139,32 +99,6 @@ const logout = async (userInfo: InfoJWT) => {
   await removeTokensInDB(userInfo.userId, userInfo.clientId)
 }
 
-interface AuthorizePayload {
-  /**
-   * Username for user
-   * @example "secretuser"
-   */
-  username: string
-  /**
-   * Password for user
-   * @example "secretpassword"
-   */
-  password: string
-  /**
-   * Client ID
-   * @example "clientID1"
-   */
-  clientId: string
-}
-
-interface AuthorizeResponse {
-  /**
-   * Authorization code
-   * @example "someRandomCryptoString"
-   */
-  code: string
-}
-
 interface TokenPayload {
   /**
    * Client ID

api/src/controllers/code.ts

@@ -1,9 +1,13 @@
 import express from 'express'
 import { Request, Security, Route, Tags, Post, Body } from 'tsoa'
 import { ExecuteReturnJson, ExecutionController } from './internal'
-import { PreProgramVars } from '../types'
 import { ExecuteReturnJsonResponse } from '.'
-import { parseLogToArray } from '../utils'
+import {
+  getPreProgramVariables,
+  getUserAutoExec,
+  ModeType,
+  parseLogToArray
+} from '../utils'
 
 interface ExecuteSASCodePayload {
   /**
@@ -30,14 +34,23 @@ export class CodeController {
   }
 }
 
-const executeSASCode = async (req: any, { code }: ExecuteSASCodePayload) => {
+const executeSASCode = async (
+  req: express.Request,
+  { code }: ExecuteSASCodePayload
+) => {
+  const { user } = req
+  const userAutoExec =
+    process.env.MODE === ModeType.Server
+      ? user?.autoExec
+      : await getUserAutoExec()
+
   try {
     const { webout, log, httpHeaders } =
       (await new ExecutionController().executeProgram(
         code,
         getPreProgramVariables(req),
         { ...req.query, _debug: 131 },
-        undefined,
+        { userAutoExec },
         true
       )) as ExecuteReturnJson
 
@@ -56,16 +69,3 @@ const executeSASCode = async (req: any, { code }: ExecuteSASCodePayload) => {
     }
   }
 }
-
-const getPreProgramVariables = (req: any): PreProgramVars => {
-  const host = req.get('host')
-  const protocol = req.protocol + '://'
-  const { user, accessToken } = req
-  return {
-    username: user.username,
-    userId: user.userId,
-    displayName: user.displayName,
-    serverUrl: protocol + host,
-    accessToken
-  }
-}

api/src/controllers/drive.ts

@@ -14,18 +14,25 @@ import {
   Patch,
   UploadedFile,
   FormField,
-  Delete
+  Delete,
+  Hidden
 } from 'tsoa'
 import {
   fileExists,
   moveFile,
   createFolder,
-  deleteFile as deleteFileOnSystem
+  deleteFile as deleteFileOnSystem,
+  folderExists,
+  listFilesInFolder,
+  listSubFoldersInFolder,
+  isFolder,
+  FileTree,
+  isFileTree
 } from '@sasjs/utils'
 import { createFileTree, ExecutionController, getTreeExample } from './internal'
 
-import { FileTree, isFileTree, TreeNode } from '../types'
-import { getTmpFilesFolderPath } from '../utils'
+import { TreeNode } from '../types'
+import { getFilesFolder } from '../utils'
 
 interface DeployPayload {
   appLoc: string
@@ -89,9 +96,21 @@ export class DriveController {
   }
 
   /**
-   * It's optional to either provide `_filePath` in url as query parameter
-   * Or provide `filePath` in body as form field.
-   * But it's required to provide else API will respond with Bad Request.
+   * @summary Creates/updates files within SASjs Drive using uploaded JSON file.
+   *
+   */
+  @Example<DeployResponse>(successDeployResponse)
+  @Response<DeployResponse>(400, 'Invalid Format', invalidDeployFormatResponse)
+  @Response<DeployResponse>(500, 'Execution Error', execDeployErrorResponse)
+  @Post('/deploy/upload')
+  public async deployUpload(
+    @UploadedFile() file: Express.Multer.File, // passing here for API docs
+    @Query() @Hidden() body?: DeployPayload // Hidden decorator has be optional
+  ): Promise<DeployResponse> {
+    return deploy(body!)
+  }
+
+  /**
    *
    * @summary Get file from SASjs Drive
    * @query _filePath Location of SAS program
@@ -100,28 +119,31 @@ export class DriveController {
   @Get('/file')
   public async getFile(
     @Request() request: express.Request,
-
-    @Query() _filePath?: string,
-    @FormField() filePath?: string
+    @Query() _filePath: string
   ) {
-    return getFile(request, (_filePath ?? filePath)!)
+    return getFile(request, _filePath)
+  }
+
+  /**
+   *
+   * @summary Get folder contents from SASjs Drive
+   * @query _folderPath Location of SAS program
+   * @example _folderPath "/Public/somefolder"
+   */
+  @Get('/folder')
+  public async getFolder(@Query() _folderPath?: string) {
+    return getFolder(_folderPath)
   }
 
   /**
-   * It's optional to either provide `_filePath` in url as query parameter
-   * Or provide `filePath` in body as form field.
-   * But it's required to provide else API will respond with Bad Request.
    *
    * @summary Delete file from SASjs Drive
    * @query _filePath Location of SAS program
    * @example _filePath "/Public/somefolder/some.file"
    */
   @Delete('/file')
-  public async deleteFile(
-    @Query() _filePath?: string,
-    @FormField() filePath?: string
-  ) {
-    return deleteFile((_filePath ?? filePath)!)
+  public async deleteFile(@Query() _filePath: string) {
+    return deleteFile(_filePath)
   }
 
   /**
@@ -192,12 +214,12 @@ const getFileTree = () => {
 }
 
 const deploy = async (data: DeployPayload) => {
-  const driveFilesPath = getTmpFilesFolderPath()
+  const driveFilesPath = getFilesFolder()
 
   const appLocParts = data.appLoc.replace(/^\//, '').split('/')
 
   const appLocPath = path
-    .join(getTmpFilesFolderPath(), ...appLocParts)
+    .join(getFilesFolder(), ...appLocParts)
     .replace(new RegExp('/', 'g'), path.sep)
 
   if (!appLocPath.includes(driveFilesPath)) {
@@ -216,10 +238,10 @@ const deploy = async (data: DeployPayload) => {
 }
 
 const getFile = async (req: express.Request, filePath: string) => {
-  const driveFilesPath = getTmpFilesFolderPath()
+  const driveFilesPath = getFilesFolder()
 
   const filePathFull = path
-    .join(getTmpFilesFolderPath(), filePath)
+    .join(getFilesFolder(), filePath)
     .replace(new RegExp('/', 'g'), path.sep)
 
   if (!filePathFull.includes(driveFilesPath)) {
@@ -227,7 +249,7 @@ const getFile = async (req: express.Request, filePath: string) => {
   }
 
   if (!(await fileExists(filePathFull))) {
-    throw new Error('File does not exist.')
+    throw new Error("File doesn't exist.")
   }
 
   const extension = path.extname(filePathFull).toLowerCase()
@@ -238,11 +260,41 @@ const getFile = async (req: express.Request, filePath: string) => {
   req.res?.sendFile(path.resolve(filePathFull))
 }
 
+const getFolder = async (folderPath?: string) => {
+  const driveFilesPath = getFilesFolder()
+
+  if (folderPath) {
+    const folderPathFull = path
+      .join(getFilesFolder(), folderPath)
+      .replace(new RegExp('/', 'g'), path.sep)
+
+    if (!folderPathFull.includes(driveFilesPath)) {
+      throw new Error('Cannot get folder outside drive.')
+    }
+
+    if (!(await folderExists(folderPathFull))) {
+      throw new Error("Folder doesn't exist.")
+    }
+
+    if (!(await isFolder(folderPathFull))) {
+      throw new Error('Not a Folder.')
+    }
+
+    const files: string[] = await listFilesInFolder(folderPathFull)
+    const folders: string[] = await listSubFoldersInFolder(folderPathFull)
+    return { files, folders }
+  }
+
+  const files: string[] = await listFilesInFolder(driveFilesPath)
+  const folders: string[] = await listSubFoldersInFolder(driveFilesPath)
+  return { files, folders }
+}
+
 const deleteFile = async (filePath: string) => {
-  const driveFilesPath = getTmpFilesFolderPath()
+  const driveFilesPath = getFilesFolder()
 
   const filePathFull = path
-    .join(getTmpFilesFolderPath(), filePath)
+    .join(getFilesFolder(), filePath)
     .replace(new RegExp('/', 'g'), path.sep)
 
   if (!filePathFull.includes(driveFilesPath)) {
@@ -262,7 +314,7 @@ const saveFile = async (
   filePath: string,
   multerFile: Express.Multer.File
 ): Promise<GetFileResponse> => {
-  const driveFilesPath = getTmpFilesFolderPath()
+  const driveFilesPath = getFilesFolder()
 
   const filePathFull = path
     .join(driveFilesPath, filePath)
@@ -287,7 +339,7 @@ const updateFile = async (
   filePath: string,
   multerFile: Express.Multer.File
 ): Promise<GetFileResponse> => {
-  const driveFilesPath = getTmpFilesFolderPath()
+  const driveFilesPath = getFilesFolder()
 
   const filePathFull = path
     .join(driveFilesPath, filePath)
@@ -305,9 +357,3 @@ const updateFile = async (
 
   return { status: 'success' }
 }
-
-const validateFilePath = async (filePath: string) => {
-  if (!(await fileExists(filePath))) {
-    throw 'DriveController: File does not exists.'
-  }
-}

api/src/controllers/index.ts

@@ -3,6 +3,8 @@ export * from './client'
 export * from './code'
 export * from './drive'
 export * from './group'
+export * from './info'
 export * from './session'
 export * from './stp'
 export * from './user'
+export * from './web'

api/src/controllers/info.ts

@@ -0,0 +1,36 @@
+import { Route, Tags, Example, Get } from 'tsoa'
+
+export interface InfoResponse {
+  mode: string
+  cors: string
+  whiteList: string[]
+  protocol: string
+}
+
+@Route('SASjsApi/info')
+@Tags('Info')
+export class InfoController {
+  /**
+   * @summary Get server info (mode, cors, whiteList, protocol).
+   *
+   */
+  @Example<InfoResponse>({
+    mode: 'desktop',
+    cors: 'enable',
+    whiteList: ['http://example.com', 'http://example2.com'],
+    protocol: 'http'
+  })
+  @Get('/')
+  public info(): InfoResponse {
+    const response = {
+      mode: process.env.MODE ?? 'desktop',
+      cors:
+        process.env.CORS ||
+        (process.env.MODE === 'server' ? 'disable' : 'enable'),
+      whiteList:
+        process.env.WHITELIST?.split(' ')?.filter((url) => !!url) ?? [],
+      protocol: process.env.PROTOCOL ?? 'http'
+    }
+    return response
+  }
+}

api/src/controllers/internal/Execution.ts

@@ -8,12 +8,12 @@ import {
   moveFile,
   readFileBinary
 } from '@sasjs/utils'
-import { PreProgramVars, TreeNode } from '../../types'
+import { PreProgramVars, Session, TreeNode } from '../../types'
 import {
   extractHeaders,
   generateFileUploadSasCode,
-  getTmpFilesFolderPath,
-  getTmpMacrosPath,
+  getFilesFolder,
+  getMacrosFolder,
   HTTPHeaders,
   isDebugOn
 } from '../../utils'
@@ -39,10 +39,11 @@ export class ExecutionController {
     preProgramVariables: PreProgramVars,
     vars: ExecutionVars,
     otherArgs?: any,
-    returnJson?: boolean
+    returnJson?: boolean,
+    session?: Session
   ) {
     if (!(await fileExists(programPath)))
-      throw 'ExecutionController: SAS file does not exist.'
+      throw `The Stored Program at (${vars._program}) does not exist, or you do not have permission to view it.`
 
     const program = await readFile(programPath)
 
@@ -51,7 +52,8 @@ export class ExecutionController {
       preProgramVariables,
       vars,
       otherArgs,
-      returnJson
+      returnJson,
+      session
     )
   }
 
@@ -60,23 +62,25 @@ export class ExecutionController {
     preProgramVariables: PreProgramVars,
     vars: ExecutionVars,
     otherArgs?: any,
-    returnJson?: boolean
+    returnJson?: boolean,
+    sessionByFileUpload?: Session
   ): Promise<ExecuteReturnRaw | ExecuteReturnJson> {
     const sessionController = getSessionController()
 
-    const session = await sessionController.getSession()
+    const session =
+      sessionByFileUpload ?? (await sessionController.getSession())
     session.inUse = true
     session.consumed = true
 
     const logPath = path.join(session.path, 'log.log')
     const headersPath = path.join(session.path, 'stpsrv_header.txt')
     const weboutPath = path.join(session.path, 'webout.txt')
-    const tokenFile = path.join(session.path, 'accessToken.txt')
+    const tokenFile = path.join(session.path, 'reqHeaders.txt')
 
     await createFile(weboutPath, '')
     await createFile(
       tokenFile,
-      preProgramVariables?.accessToken ?? 'accessToken'
+      preProgramVariables?.httpHeaders.join('\n') ?? ''
     )
 
     const varStatments = Object.keys(vars).reduce(
@@ -106,7 +110,7 @@ export class ExecutionController {
 `
 
     program = `
-options insert=(SASAUTOS="${getTmpMacrosPath()}");
+options insert=(SASAUTOS="${getMacrosFolder()}");
 
 /* runtime vars */
 ${varStatments}
@@ -115,6 +119,10 @@ filename _webout "${weboutPath}" mod;
 /* dynamic user-provided vars */
 ${preProgramVarStatments}
 
+/* user autoexec starts */
+${otherArgs?.userAutoExec ?? ''}
+/* user autoexec ends */
+
 /* actual job code */
 ${program}`
 
@@ -153,7 +161,9 @@ ${program}`
       : ''
     const httpHeaders: HTTPHeaders = extractHeaders(headersContent)
     const fileResponse: boolean =
-      httpHeaders.hasOwnProperty('content-type') && !returnJson
+      httpHeaders.hasOwnProperty('content-type') &&
+      !returnJson && // not a POST Request
+      !isDebugOn(vars) // Debug is not enabled
 
     const webout = (await fileExists(weboutPath))
       ? fileResponse
@@ -174,11 +184,10 @@ ${program}`
 
     return {
       httpHeaders,
-      result: fileResponse
-        ? webout
-        : isDebugOn(vars) || session.crashed
-        ? `<html><body>${webout}<div style="text-align:left"><hr /><h2>SAS Log</h2><pre>${log}</pre></div></body></html>`
-        : webout
+      result:
+        isDebugOn(vars) || session.crashed
+          ? `<html><body>${webout}<div style="text-align:left"><hr /><h2>SAS Log</h2><pre>${log}</pre></div></body></html>`
+          : webout
     }
   }
 
@@ -186,7 +195,7 @@ ${program}`
     const root: TreeNode = {
       name: 'files',
       relativePath: '',
-      absolutePath: getTmpFilesFolderPath(),
+      absolutePath: getFilesFolder(),
       children: []
     }
 

api/src/controllers/internal/FileUploadController.ts

@@ -1,14 +1,15 @@
+import { Request, RequestHandler } from 'express'
 import multer from 'multer'
 import { uuidv4 } from '@sasjs/utils'
 import { getSessionController } from '.'
 
 export class FileUploadController {
   private storage = multer.diskStorage({
-    destination: function (req: any, file: any, cb: any) {
+    destination: function (req: Request, file: any, cb: any) {
       //Sending the intercepted files to the sessions subfolder
-      cb(null, req.sasSession.path)
+      cb(null, req.sasSession?.path)
     },
-    filename: function (req: any, file: any, cb: any) {
+    filename: function (req: Request, file: any, cb: any) {
       //req_file prefix + unique hash added to sas request files
       cb(null, `req_file_${uuidv4().replace(/-/gm, '')}`)
     }
@@ -18,12 +19,14 @@ export class FileUploadController {
 
   //It will intercept request and generate unique uuid to be used as a subfolder name
   //that will store the files uploaded
-  public preUploadMiddleware = async (req: any, res: any, next: any) => {
+  public preUploadMiddleware: RequestHandler = async (req, res, next) => {
     let session
 
     const sessionController = getSessionController()
     session = await sessionController.getSession()
-    session.inUse = true
+    // marking consumed true, so that it's not available
+    // as readySession for any other request
+    session.consumed = true
 
     req.sasSession = session
 

api/src/controllers/internal/Session.ts

@@ -3,7 +3,7 @@ import { Session } from '../../types'
 import { promisify } from 'util'
 import { execFile } from 'child_process'
 import {
-  getTmpSessionsFolderPath,
+  getSessionsFolder,
   generateUniqueFileName,
   sysInitCompiledPath
 } from '../../utils'
@@ -12,8 +12,7 @@ import {
   createFile,
   fileExists,
   generateTimestamp,
-  readFile,
-  moveFile
+  readFile
 } from '@sasjs/utils'
 
 const execFilePromise = promisify(execFile)
@@ -31,16 +30,17 @@ export class SessionController {
       ? readySessions[0]
       : await this.createSession()
 
-    if (readySessions.length < 2) this.createSession()
+    if (readySessions.length < 3) this.createSession()
 
     return session
   }
 
   private async createSession(): Promise<Session> {
     const sessionId = generateUniqueFileName(generateTimestamp())
-    const sessionFolder = path.join(getTmpSessionsFolderPath(), sessionId)
+    const sessionFolder = path.join(getSessionsFolder(), sessionId)
 
     const creationTimeStamp = sessionId.split('-').pop() as string
+    // death time of session is 15 mins from creation
     const deathTimeStamp = (
       parseInt(creationTimeStamp) +
       15 * 60 * 1000 -
@@ -87,6 +87,8 @@ ${autoExecContent}`
       codePath,
       '-LOG',
       path.join(session.path, 'log.log'),
+      '-PRINT',
+      path.join(session.path, 'output.lst'),
       '-WORK',
       session.path,
       '-AUTOEXEC',
@@ -138,7 +140,9 @@ ${autoExecContent}`
   private scheduleSessionDestroy(session: Session) {
     setTimeout(async () => {
       if (session.inUse) {
-        session.deathTimeStamp = session.deathTimeStamp + 1000 * 10
+        // adding 10 more minutes
+        const newDeathTimeStamp = parseInt(session.deathTimeStamp) + 10 * 1000
+        session.deathTimeStamp = newDeathTimeStamp.toString()
 
         this.scheduleSessionDestroy(session)
       } else {

api/src/controllers/internal/deploy.ts

@@ -1,13 +1,15 @@
 import path from 'path'
+import { getFilesFolder } from '../../utils/file'
 import {
-  MemberType,
+  createFolder,
+  createFile,
+  asyncForEach,
   FolderMember,
   ServiceMember,
-  FileTree,
-  FileMember
-} from '../../types'
-import { getTmpFilesFolderPath } from '../../utils/file'
-import { createFolder, createFile, asyncForEach } from '@sasjs/utils'
+  FileMember,
+  MemberType,
+  FileTree
+} from '@sasjs/utils'
 
 // REFACTOR: export FileTreeCpntroller
 export const createFileTree = async (
@@ -15,7 +17,7 @@ export const createFileTree = async (
   parentFolders: string[] = []
 ) => {
   const destinationPath = path.join(
-    getTmpFilesFolderPath(),
+    getFilesFolder(),
     path.join(...parentFolders)
   )
 

api/src/controllers/session.ts

@@ -23,8 +23,8 @@ export class SessionController {
   }
 }
 
-const session = (req: any) => ({
-  id: req.user.id,
-  username: req.user.username,
-  displayName: req.user.displayName
+const session = (req: express.Request) => ({
+  id: req.user!.userId,
+  username: req.user!.username,
+  displayName: req.user!.displayName
 })

api/src/controllers/stp.ts

@@ -17,15 +17,16 @@ import {
   ExecutionController,
   ExecutionVars
 } from './internal'
-import { PreProgramVars } from '../types'
 import {
-  getTmpFilesFolderPath,
+  getPreProgramVariables,
+  getFilesFolder,
   HTTPHeaders,
   isDebugOn,
   LogLine,
   makeFilesNamesMap,
   parseLogToArray
 } from '../utils'
+import { MulterFile } from '../types/Upload'
 
 interface ExecuteReturnJsonPayload {
   /**
@@ -132,7 +133,7 @@ const executeReturnRaw = async (
   const query = req.query as ExecutionVars
   const sasCodePath =
     path
-      .join(getTmpFilesFolderPath(), _program)
+      .join(getFilesFolder(), _program)
       .replace(new RegExp('/', 'g'), path.sep) + '.sas'
 
   try {
@@ -143,9 +144,8 @@ const executeReturnRaw = async (
         query
       )) as ExecuteReturnRaw
 
-    // Should over-ride response header for
-    // debug on GET request to see entire log
-    // rendering on browser.
+    // Should over-ride response header for debug
+    // on GET request to see entire log rendering on browser.
     if (isDebugOn(query)) {
       httpHeaders['content-type'] = 'text/plain'
     }
@@ -168,15 +168,17 @@ const executeReturnRaw = async (
 }
 
 const executeReturnJson = async (
-  req: any,
+  req: express.Request,
   _program: string
 ): Promise<ExecuteReturnJsonResponse> => {
   const sasCodePath =
     path
-      .join(getTmpFilesFolderPath(), _program)
+      .join(getFilesFolder(), _program)
       .replace(new RegExp('/', 'g'), path.sep) + '.sas'
 
-  const filesNamesMap = req.files?.length ? makeFilesNamesMap(req.files) : null
+  const filesNamesMap = req.files?.length
+    ? makeFilesNamesMap(req.files as MulterFile[])
+    : null
 
   try {
     const { webout, log, httpHeaders } =
@@ -185,7 +187,8 @@ const executeReturnJson = async (
         getPreProgramVariables(req),
         { ...req.query, ...req.body },
         { filesNamesMap: filesNamesMap },
-        true
+        true,
+        req.sasSession
       )) as ExecuteReturnJson
 
     let weboutRes: string | IRecordOfAny = webout
@@ -210,16 +213,3 @@ const executeReturnJson = async (
     }
   }
 }
-
-const getPreProgramVariables = (req: any): PreProgramVars => {
-  const host = req.get('host')
-  const protocol = req.protocol + '://'
-  const { user, accessToken } = req
-  return {
-    username: user.username,
-    userId: user.userId,
-    displayName: user.displayName,
-    serverUrl: protocol + host,
-    accessToken
-  }
-}

api/src/controllers/user.ts

@@ -1,3 +1,4 @@
+import express from 'express'
 import {
   Security,
   Route,
@@ -10,10 +11,13 @@ import {
   Patch,
   Delete,
   Body,
-  Hidden
+  Hidden,
+  Request
 } from 'tsoa'
+import { desktopUser } from '../middlewares'
 
 import User, { UserPayload } from '../model/User'
+import { getUserAutoExec, updateUserAutoExec, ModeType } from '../utils'
 
 export interface UserResponse {
   id: number
@@ -27,6 +31,7 @@ interface UserDetailsResponse {
   username: string
   isActive: boolean
   isAdmin: boolean
+  autoExec?: string
 }
 
 @Security('bearerAuth')
@@ -73,13 +78,23 @@ export class UserController {
   }
 
   /**
+   * Only Admin or user itself will get user autoExec code.
    * @summary Get user properties - such as group memberships, userName, displayName.
    * @param userId The user's identifier
    * @example userId 1234
    */
   @Get('{userId}')
-  public async getUser(@Path() userId: number): Promise<UserDetailsResponse> {
-    return getUser(userId)
+  public async getUser(
+    @Request() req: express.Request,
+    @Path() userId: number
+  ): Promise<UserDetailsResponse> {
+    const { MODE } = process.env
+
+    if (MODE === ModeType.Desktop) return getDesktopAutoExec()
+
+    const { user } = req
+    const getAutoExec = user!.isAdmin || user!.userId == userId
+    return getUser(userId, getAutoExec)
   }
 
   /**
@@ -99,6 +114,11 @@ export class UserController {
     @Path() userId: number,
     @Body() body: UserPayload
   ): Promise<UserDetailsResponse> {
+    const { MODE } = process.env
+
+    if (MODE === ModeType.Desktop)
+      return updateDesktopAutoExec(body.autoExec ?? '')
+
     return updateUser(userId, body)
   }
 
@@ -123,7 +143,7 @@ const getAllUsers = async (): Promise<UserResponse[]> =>
     .exec()
 
 const createUser = async (data: UserPayload): Promise<UserDetailsResponse> => {
-  const { displayName, username, password, isAdmin, isActive } = data
+  const { displayName, username, password, isAdmin, isActive, autoExec } = data
 
   // Checking if user is already in the database
   const usernameExist = await User.findOne({ username })
@@ -138,7 +158,8 @@ const createUser = async (data: UserPayload): Promise<UserDetailsResponse> => {
     username,
     password: hashPassword,
     isAdmin,
-    isActive
+    isActive,
+    autoExec
   })
 
   const savedUser = await user.save()
@@ -148,38 +169,50 @@ const createUser = async (data: UserPayload): Promise<UserDetailsResponse> => {
     displayName: savedUser.displayName,
     username: savedUser.username,
     isActive: savedUser.isActive,
-    isAdmin: savedUser.isAdmin
+    isAdmin: savedUser.isAdmin,
+    autoExec: savedUser.autoExec
   }
 }
 
-const getUser = async (id: number): Promise<UserDetailsResponse> => {
+const getUser = async (
+  id: number,
+  getAutoExec: boolean
+): Promise<UserDetailsResponse> => {
   const user = await User.findOne({ id })
-    .select({
-      _id: 0,
-      id: 1,
-      username: 1,
-      displayName: 1,
-      isAdmin: 1,
-      isActive: 1
-    })
-    .exec()
+
   if (!user) throw new Error('User is not found.')
 
-  return user
+  return {
+    id: user.id,
+    displayName: user.displayName,
+    username: user.username,
+    isActive: user.isActive,
+    isAdmin: user.isAdmin,
+    autoExec: getAutoExec ? user.autoExec ?? '' : undefined
+  }
+}
+
+const getDesktopAutoExec = async () => {
+  return {
+    ...desktopUser,
+    id: desktopUser.userId,
+    autoExec: await getUserAutoExec()
+  }
 }
 
 const updateUser = async (
   id: number,
-  data: UserPayload
+  data: Partial<UserPayload>
 ): Promise<UserDetailsResponse> => {
-  const { displayName, username, password, isAdmin, isActive } = data
+  const { displayName, username, password, isAdmin, isActive, autoExec } = data
 
-  const params: any = { displayName, isAdmin, isActive }
+  const params: any = { displayName, isAdmin, isActive, autoExec }
 
   if (username) {
     // Checking if user is already in the database
     const usernameExist = await User.findOne({ username })
-    if (usernameExist?.id != id) throw new Error('Username already exists.')
+    if (usernameExist && usernameExist.id != id)
+      throw new Error('Username already exists.')
     params.username = username
   }
 
@@ -189,18 +222,26 @@ const updateUser = async (
   }
 
   const updatedUser = await User.findOneAndUpdate({ id }, params, { new: true })
-    .select({
-      _id: 0,
-      id: 1,
-      username: 1,
-      displayName: 1,
-      isAdmin: 1,
-      isActive: 1
-    })
-    .exec()
-  if (!updatedUser) throw new Error('Unable to update user')
 
-  return updatedUser
+  if (!updatedUser) throw new Error(`Unable to find user with id: ${id}`)
+
+  return {
+    id: updatedUser.id,
+    username: updatedUser.username,
+    displayName: updatedUser.displayName,
+    isAdmin: updatedUser.isAdmin,
+    isActive: updatedUser.isActive,
+    autoExec: updatedUser.autoExec
+  }
+}
+
+const updateDesktopAutoExec = async (autoExec: string) => {
+  await updateUserAutoExec(autoExec)
+  return {
+    ...desktopUser,
+    id: desktopUser.userId,
+    autoExec
+  }
 }
 
 const deleteUser = async (

api/src/controllers/web.ts

@@ -0,0 +1,158 @@
+import path from 'path'
+import express from 'express'
+import { Request, Route, Tags, Post, Body, Get, Example } from 'tsoa'
+import { readFile } from '@sasjs/utils'
+
+import User from '../model/User'
+import Client from '../model/Client'
+import { getWebBuildFolder, generateAuthCode } from '../utils'
+import { InfoJWT } from '../types'
+import { AuthController } from './auth'
+
+@Route('/')
+@Tags('Web')
+export class WebController {
+  /**
+   * @summary Render index.html
+   *
+   */
+  @Get('/')
+  public async home() {
+    return home()
+  }
+
+  /**
+   * @summary Accept a valid username/password
+   *
+   */
+  @Post('/SASLogon/login')
+  public async login(
+    @Request() req: express.Request,
+    @Body() body: LoginPayload
+  ) {
+    return login(req, body)
+  }
+
+  /**
+   * @summary Accept a valid username/password, plus a CLIENT_ID, and return an AUTH_CODE
+   *
+   */
+  @Example<AuthorizeResponse>({
+    code: 'someRandomCryptoString'
+  })
+  @Post('/SASLogon/authorize')
+  public async authorize(
+    @Request() req: express.Request,
+    @Body() body: AuthorizePayload
+  ): Promise<AuthorizeResponse> {
+    return authorize(req, body.clientId)
+  }
+
+  /**
+   * @summary Accept a valid username/password
+   *
+   */
+  @Get('/logout')
+  public async logout(@Request() req: express.Request) {
+    return new Promise((resolve) => {
+      req.session.destroy(() => {
+        resolve(true)
+      })
+    })
+  }
+}
+
+const home = async () => {
+  const indexHtmlPath = path.join(getWebBuildFolder(), 'index.html')
+
+  // Attention! Cannot use fileExists here,
+  // due to limitation after building executable
+  const content = await readFile(indexHtmlPath)
+
+  return content
+}
+
+const login = async (
+  req: express.Request,
+  { username, password }: LoginPayload
+) => {
+  // Authenticate User
+  const user = await User.findOne({ username })
+  if (!user) throw new Error('Username is not found.')
+
+  const validPass = user.comparePassword(password)
+  if (!validPass) throw new Error('Invalid password.')
+
+  req.session.loggedIn = true
+  req.session.user = {
+    userId: user.id,
+    clientId: 'web_app',
+    username: user.username,
+    displayName: user.displayName,
+    isAdmin: user.isAdmin,
+    isActive: user.isActive,
+    autoExec: user.autoExec
+  }
+
+  return {
+    loggedIn: true,
+    user: {
+      id: user.id,
+      username: user.username,
+      displayName: user.displayName
+    }
+  }
+}
+
+const authorize = async (
+  req: express.Request,
+  clientId: string
+): Promise<AuthorizeResponse> => {
+  const userId = req.session.user?.userId
+  if (!userId) throw new Error('Invalid userId.')
+
+  const client = await Client.findOne({ clientId })
+  if (!client) throw new Error('Invalid clientId.')
+
+  // generate authorization code against clientId
+  const userInfo: InfoJWT = {
+    clientId,
+    userId
+  }
+  const code = AuthController.saveCode(
+    userId,
+    clientId,
+    generateAuthCode(userInfo)
+  )
+
+  return { code }
+}
+
+interface LoginPayload {
+  /**
+   * Username for user
+   * @example "secretuser"
+   */
+  username: string
+  /**
+   * Password for user
+   * @example "secretpassword"
+   */
+  password: string
+}
+
+interface AuthorizePayload {
+  /**
+   * Client ID
+   * @example "clientID1"
+   */
+  clientId: string
+}
+
+interface AuthorizeResponse {
+  /**
+   * Authorization code
+   * @example "someRandomCryptoString"
+   */
+  code: string
+}

api/src/middlewares/authenticateToken.ts

@@ -1,7 +1,36 @@
+import { RequestHandler, Request, Response, NextFunction } from 'express'
 import jwt from 'jsonwebtoken'
-import { verifyTokenInDB } from '../utils'
+import { csrfProtection } from '../app'
+import { fetchLatestAutoExec, ModeType, verifyTokenInDB } from '../utils'
+import { desktopUser } from './desktop'
+
+export const authenticateAccessToken: RequestHandler = async (
+  req,
+  res,
+  next
+) => {
+  const { MODE } = process.env
+  if (MODE === ModeType.Desktop) {
+    req.user = desktopUser
+    return next()
+  }
+
+  // if request is coming from web and has valid session
+  // it can be validated.
+  if (req.session?.loggedIn) {
+    if (req.session.user) {
+      const user = await fetchLatestAutoExec(req.session.user)
+
+      if (user) {
+        if (user.isActive) {
+          req.user = user
+          return csrfProtection(req, res, next)
+        } else return res.sendStatus(401)
+      }
+    }
+    return res.sendStatus(401)
+  }
 
-export const authenticateAccessToken = (req: any, res: any, next: any) => {
   authenticateToken(
     req,
     res,
@@ -11,7 +40,7 @@ export const authenticateAccessToken = (req: any, res: any, next: any) => {
   )
 }
 
-export const authenticateRefreshToken = (req: any, res: any, next: any) => {
+export const authenticateRefreshToken: RequestHandler = (req, res, next) => {
   authenticateToken(
     req,
     res,
@@ -22,16 +51,16 @@ export const authenticateRefreshToken = (req: any, res: any, next: any) => {
 }
 
 const authenticateToken = (
-  req: any,
-  res: any,
-  next: any,
+  req: Request,
+  res: Response,
+  next: NextFunction,
   key: string,
   tokenType: 'accessToken' | 'refreshToken'
 ) => {
   const { MODE } = process.env
   if (MODE?.trim() !== 'server') {
     req.user = {
-      userId: '1234',
+      userId: 1234,
       clientId: 'desktopModeClientId',
       username: 'desktopModeUsername',
       displayName: 'desktopModeDisplayName',
@@ -43,9 +72,7 @@ const authenticateToken = (
   }
 
   const authHeader = req.headers['authorization']
-  const token =
-    authHeader?.split(' ')[1] ??
-    (tokenType === 'accessToken' ? req.cookies.accessToken : '')
+  const token = authHeader?.split(' ')[1]
   if (!token) return res.sendStatus(401)
 
   jwt.verify(token, key, async (err: any, data: any) => {

api/src/middlewares/desktop.ts

@@ -1,18 +1,37 @@
-export const desktopRestrict = (req: any, res: any, next: any) => {
+import { RequestHandler, Request } from 'express'
+import { userInfo } from 'os'
+import { RequestUser } from '../types'
+import { ModeType } from '../utils'
+
+const regexUser = /^\/SASjsApi\/user\/[0-9]*$/ // /SASjsApi/user/1
+
+const allowedInDesktopMode: { [key: string]: RegExp[] } = {
+  GET: [regexUser],
+  PATCH: [regexUser]
+}
+
+const reqAllowedInDesktopMode = (request: Request): boolean => {
+  const { method, originalUrl: url } = request
+
+  return !!allowedInDesktopMode[method]?.find((urlRegex) => urlRegex.test(url))
+}
+
+export const desktopRestrict: RequestHandler = (req, res, next) => {
   const { MODE } = process.env
-  if (MODE?.trim() !== 'server')
-    return res.status(403).send('Not Allowed while in Desktop Mode.')
+
+  if (MODE === ModeType.Desktop) {
+    if (!reqAllowedInDesktopMode(req))
+      return res.status(403).send('Not Allowed while in Desktop Mode.')
+  }
 
   next()
 }
-export const desktopUsername = (req: any, res: any, next: any) => {
-  const { MODE } = process.env
-  if (MODE?.trim() !== 'server')
-    return res.status(200).send({
-      userId: 12345,
-      username: 'DESKTOPusername',
-      displayName: 'DESKTOP User'
-    })
 
-  next()
+export const desktopUser: RequestUser = {
+  userId: 12345,
+  clientId: 'desktop_app',
+  username: userInfo().username,
+  displayName: userInfo().username,
+  isAdmin: true,
+  isActive: true
 }

api/src/middlewares/multer.ts

@@ -1,13 +1,13 @@
 import path from 'path'
 import { Request } from 'express'
 import multer, { FileFilterCallback, Options } from 'multer'
-import { blockFileRegex, getTmpUploadsPath } from '../utils'
+import { blockFileRegex, getUploadsFolder } from '../utils'
 
 const fieldNameSize = 300
-const fileSize = 10485760 // 10 MB
+const fileSize = 104857600 // 100 MB
 
 const storage = multer.diskStorage({
-  destination: getTmpUploadsPath(),
+  destination: getUploadsFolder(),
   filename: function (
     _req: Request,
     file: Express.Multer.File,

api/src/middlewares/verifyAdmin.ts

@@ -1,4 +1,6 @@
-export const verifyAdmin = (req: any, res: any, next: any) => {
+import { RequestHandler } from 'express'
+
+export const verifyAdmin: RequestHandler = (req, res, next) => {
   const { MODE } = process.env
   if (MODE?.trim() !== 'server') return next()
 

api/src/middlewares/verifyAdminIfNeeded.ts

@@ -1,8 +1,10 @@
-export const verifyAdminIfNeeded = (req: any, res: any, next: any) => {
+import { RequestHandler } from 'express'
+
+export const verifyAdminIfNeeded: RequestHandler = (req, res, next) => {
   const { user } = req
   const userId = parseInt(req.params.userId)
 
-  if (!user.isAdmin && user.userId !== userId) {
+  if (!user?.isAdmin && user?.userId !== userId) {
     return res.status(401).send('Admin account required')
   }
   next()

api/src/model/User.ts

@@ -27,12 +27,18 @@ export interface UserPayload {
    * @example "true"
    */
   isActive?: boolean
+  /**
+   * User-specific auto-exec code
+   * @example ""
+   */
+  autoExec?: string
 }
 
 interface IUserDocument extends UserPayload, Document {
   id: number
   isAdmin: boolean
   isActive: boolean
+  autoExec: string
   groups: Schema.Types.ObjectId[]
   tokens: [{ [key: string]: string }]
 }
@@ -66,6 +72,9 @@ const userSchema = new Schema<IUserDocument>({
     type: Boolean,
     default: true
   },
+  autoExec: {
+    type: String
+  },
   groups: [{ type: Schema.Types.ObjectId, ref: 'Group' }],
   tokens: [
     {

api/src/routes/api/auth.ts

@@ -1,46 +1,24 @@
 import express from 'express'
 
 import { AuthController } from '../../controllers/'
-import Client from '../../model/Client'
 
 import {
   authenticateAccessToken,
   authenticateRefreshToken
 } from '../../middlewares'
 
-import {
-  authorizeValidation,
-  getDesktopFields,
-  tokenValidation
-} from '../../utils'
+import { authorizeValidation, tokenValidation } from '../../utils'
 import { InfoJWT } from '../../types'
 
 const authRouter = express.Router()
+const controller = new AuthController()
 
-const clientIDs = new Set()
-
-export const populateClients = async () => {
-  const result = await Client.find()
-  clientIDs.clear()
-  result.forEach((r) => {
-    clientIDs.add(r.clientId)
-  })
-}
-
-authRouter.post('/authorize', async (req, res) => {
-  const { error, value: body } = authorizeValidation(req.body)
+authRouter.post('/token', async (req, res) => {
+  const { error, value: body } = tokenValidation(req.body)
   if (error) return res.status(400).send(error.details[0].message)
 
-  const { clientId } = body
-
-  // Verify client ID
-  if (!clientIDs.has(clientId)) {
-    return res.status(403).send('Invalid clientId.')
-  }
-
-  const controller = new AuthController()
   try {
-    const response = await controller.authorize(body)
+    const response = await controller.token(body)
 
     res.send(response)
   } catch (err: any) {
@@ -48,25 +26,12 @@ authRouter.post('/authorize', async (req, res) => {
   }
 })
 
-authRouter.post('/token', async (req, res) => {
-  const { error, value: body } = tokenValidation(req.body)
-  if (error) return res.status(400).send(error.details[0].message)
-
-  const controller = new AuthController()
-  try {
-    const response = await controller.token(body)
-    const { accessToken } = response
-
-    res.cookie('accessToken', accessToken).send(response)
-  } catch (err: any) {
-    res.status(403).send(err.toString())
+authRouter.post('/refresh', authenticateRefreshToken, async (req, res) => {
+  const userInfo: InfoJWT = {
+    userId: req.user!.userId!,
+    clientId: req.user!.clientId!
   }
-})
 
-authRouter.post('/refresh', authenticateRefreshToken, async (req: any, res) => {
-  const userInfo: InfoJWT = req.user
-
-  const controller = new AuthController()
   try {
     const response = await controller.refresh(userInfo)
 
@@ -76,10 +41,12 @@ authRouter.post('/refresh', authenticateRefreshToken, async (req: any, res) => {
   }
 })
 
-authRouter.delete('/logout', authenticateAccessToken, async (req: any, res) => {
-  const userInfo: InfoJWT = req.user
+authRouter.delete('/logout', authenticateAccessToken, async (req, res) => {
+  const userInfo: InfoJWT = {
+    userId: req.user!.userId!,
+    clientId: req.user!.clientId!
+  }
 
-  const controller = new AuthController()
   try {
     await controller.logout(userInfo)
   } catch (e) {}

api/src/routes/api/drive.ts

@@ -1,5 +1,5 @@
 import express from 'express'
-import { deleteFile } from '@sasjs/utils'
+import { deleteFile, readFile } from '@sasjs/utils'
 
 import { publishAppStream } from '../appStream'
 
@@ -8,7 +8,8 @@ import { DriveController } from '../../controllers/'
 import {
   deployValidation,
   fileBodyValidation,
-  fileParamValidation
+  fileParamValidation,
+  folderParamValidation
 } from '../../utils'
 
 const controller = new DriveController()
@@ -42,14 +43,74 @@ driveRouter.post('/deploy', async (req, res) => {
   }
 })
 
+driveRouter.post(
+  '/deploy/upload',
+  (...arg) => multerSingle('file', arg),
+  async (req, res) => {
+    if (!req.file) return res.status(400).send('"file" is not present.')
+
+    const fileContent = await readFile(req.file.path)
+
+    let jsonContent
+    try {
+      jsonContent = JSON.parse(fileContent)
+    } catch (err) {
+      deleteFile(req.file.path)
+      return res.status(400).send('File containing invalid JSON content.')
+    }
+
+    const { error, value: body } = deployValidation(jsonContent)
+    if (error) {
+      deleteFile(req.file.path)
+      return res.status(400).send(error.details[0].message)
+    }
+
+    try {
+      const response = await controller.deployUpload(req.file, body)
+
+      if (body.streamWebFolder) {
+        const { streamServiceName } = await publishAppStream(
+          body.appLoc,
+          body.streamWebFolder,
+          body.streamServiceName,
+          body.streamLogo
+        )
+        response.streamServiceName = streamServiceName
+      }
+
+      res.send(response)
+    } catch (err: any) {
+      const statusCode = err.code
+
+      delete err.code
+
+      res.status(statusCode).send(err)
+    } finally {
+      deleteFile(req.file.path)
+    }
+  }
+)
+
 driveRouter.get('/file', async (req, res) => {
   const { error: errQ, value: query } = fileParamValidation(req.query)
-  const { error: errB, value: body } = fileBodyValidation(req.body)
 
-  if (errQ && errB) return res.status(400).send(errQ.details[0].message)
+  if (errQ) return res.status(400).send(errQ.details[0].message)
 
   try {
-    await controller.getFile(req, query._filePath, body.filePath)
+    await controller.getFile(req, query._filePath)
+  } catch (err: any) {
+    res.status(403).send(err.toString())
+  }
+})
+
+driveRouter.get('/folder', async (req, res) => {
+  const { error: errQ, value: query } = folderParamValidation(req.query)
+
+  if (errQ) return res.status(400).send(errQ.details[0].message)
+
+  try {
+    const response = await controller.getFolder(query._folderPath)
+    res.send(response)
   } catch (err: any) {
     res.status(403).send(err.toString())
   }
@@ -57,12 +118,11 @@ driveRouter.get('/file', async (req, res) => {
 
 driveRouter.delete('/file', async (req, res) => {
   const { error: errQ, value: query } = fileParamValidation(req.query)
-  const { error: errB, value: body } = fileBodyValidation(req.body)
 
-  if (errQ && errB) return res.status(400).send(errQ.details[0].message)
+  if (errQ) return res.status(400).send(errQ.details[0].message)
 
   try {
-    const response = await controller.deleteFile(query._filePath, body.filePath)
+    const response = await controller.deleteFile(query._filePath)
     res.send(response)
   } catch (err: any) {
     res.status(403).send(err.toString())

api/src/routes/api/group.ts

@@ -33,12 +33,12 @@ groupRouter.get('/', authenticateAccessToken, async (req, res) => {
   }
 })
 
-groupRouter.get('/:groupId', authenticateAccessToken, async (req: any, res) => {
+groupRouter.get('/:groupId', authenticateAccessToken, async (req, res) => {
   const { groupId } = req.params
 
   const controller = new GroupController()
   try {
-    const response = await controller.getGroup(groupId)
+    const response = await controller.getGroup(parseInt(groupId))
     res.send(response)
   } catch (err: any) {
     res.status(403).send(err.toString())
@@ -49,12 +49,15 @@ groupRouter.post(
   '/:groupId/:userId',
   authenticateAccessToken,
   verifyAdmin,
-  async (req: any, res) => {
+  async (req, res) => {
     const { groupId, userId } = req.params
 
     const controller = new GroupController()
     try {
-      const response = await controller.addUserToGroup(groupId, userId)
+      const response = await controller.addUserToGroup(
+        parseInt(groupId),
+        parseInt(userId)
+      )
       res.send(response)
     } catch (err: any) {
       res.status(403).send(err.toString())
@@ -66,12 +69,15 @@ groupRouter.delete(
   '/:groupId/:userId',
   authenticateAccessToken,
   verifyAdmin,
-  async (req: any, res) => {
+  async (req, res) => {
     const { groupId, userId } = req.params
 
     const controller = new GroupController()
     try {
-      const response = await controller.removeUserFromGroup(groupId, userId)
+      const response = await controller.removeUserFromGroup(
+        parseInt(groupId),
+        parseInt(userId)
+      )
       res.send(response)
     } catch (err: any) {
       res.status(403).send(err.toString())
@@ -83,12 +89,12 @@ groupRouter.delete(
   '/:groupId',
   authenticateAccessToken,
   verifyAdmin,
-  async (req: any, res) => {
+  async (req, res) => {
     const { groupId } = req.params
 
     const controller = new GroupController()
     try {
-      await controller.deleteGroup(groupId)
+      await controller.deleteGroup(parseInt(groupId))
       res.status(200).send('Group Deleted!')
     } catch (err: any) {
       res.status(403).send(err.toString())

api/src/routes/api/index.ts

@@ -5,10 +5,10 @@ import swaggerUi from 'swagger-ui-express'
 import {
   authenticateAccessToken,
   desktopRestrict,
-  desktopUsername,
   verifyAdmin
 } from '../../middlewares'
 
+import infoRouter from './info'
 import driveRouter from './drive'
 import stpRouter from './stp'
 import codeRouter from './code'
@@ -20,7 +20,8 @@ import sessionRouter from './session'
 
 const router = express.Router()
 
-router.use('/session', desktopUsername, authenticateAccessToken, sessionRouter)
+router.use('/info', infoRouter)
+router.use('/session', authenticateAccessToken, sessionRouter)
 router.use('/auth', desktopRestrict, authRouter)
 router.use(
   '/client',
@@ -34,12 +35,22 @@ router.use('/group', desktopRestrict, groupRouter)
 router.use('/stp', authenticateAccessToken, stpRouter)
 router.use('/code', authenticateAccessToken, codeRouter)
 router.use('/user', desktopRestrict, userRouter)
+
 router.use(
   '/',
   swaggerUi.serve,
   swaggerUi.setup(undefined, {
     swaggerOptions: {
-      url: '/swagger.yaml'
+      url: '/swagger.yaml',
+      requestInterceptor: (request: any) => {
+        request.credentials = 'include'
+
+        const cookie = document.cookie
+        const startIndex = cookie.indexOf('XSRF-TOKEN')
+        const csrf = cookie.slice(startIndex + 11).split('; ')[0]
+        request.headers['X-XSRF-TOKEN'] = csrf
+        return request
+      }
     }
   })
 )

api/src/routes/api/info.ts

@@ -0,0 +1,16 @@
+import express from 'express'
+import { InfoController } from '../../controllers'
+
+const infoRouter = express.Router()
+
+infoRouter.get('/', async (req, res) => {
+  const controller = new InfoController()
+  try {
+    const response = controller.info()
+    res.send(response)
+  } catch (err: any) {
+    res.status(403).send(err.toString())
+  }
+})
+
+export default infoRouter

api/src/routes/api/spec/auth.spec.ts

@@ -8,7 +8,6 @@ import {
   ClientController,
   AuthController
 } from '../../../controllers/'
-import { populateClients } from '../auth'
 import { InfoJWT } from '../../../types'
 import {
   generateAccessToken,
@@ -18,11 +17,6 @@ import {
   verifyTokenInDB
 } from '../../../utils'
 
-let app: Express
-appPromise.then((_app) => {
-  app = _app
-})
-
 const clientId = 'someclientID'
 const clientSecret = 'someclientSecret'
 const user = {
@@ -35,16 +29,18 @@ const user = {
 }
 
 describe('auth', () => {
+  let app: Express
   let con: Mongoose
   let mongoServer: MongoMemoryServer
   const userController = new UserController()
   const clientController = new ClientController()
 
   beforeAll(async () => {
+    app = await appPromise
+
     mongoServer = await MongoMemoryServer.create()
     con = await mongoose.connect(mongoServer.getUri())
     await clientController.createClient({ clientId, clientSecret })
-    await populateClients()
   })
 
   afterAll(async () => {
@@ -53,114 +49,6 @@ describe('auth', () => {
     await mongoServer.stop()
   })
 
-  describe('authorize', () => {
-    afterEach(async () => {
-      const collections = mongoose.connection.collections
-      const collection = collections['users']
-      await collection.deleteMany({})
-    })
-
-    it('should respond with authorization code', async () => {
-      await userController.createUser(user)
-
-      const res = await request(app)
-        .post('/SASjsApi/auth/authorize')
-        .send({
-          username: user.username,
-          password: user.password,
-          clientId
-        })
-        .expect(200)
-
-      expect(res.body).toHaveProperty('code')
-    })
-
-    it('should respond with Bad Request if username is missing', async () => {
-      const res = await request(app)
-        .post('/SASjsApi/auth/authorize')
-        .send({
-          password: user.password,
-          clientId
-        })
-        .expect(400)
-
-      expect(res.text).toEqual(`"username" is required`)
-      expect(res.body).toEqual({})
-    })
-
-    it('should respond with Bad Request if password is missing', async () => {
-      const res = await request(app)
-        .post('/SASjsApi/auth/authorize')
-        .send({
-          username: user.username,
-          clientId
-        })
-        .expect(400)
-
-      expect(res.text).toEqual(`"password" is required`)
-      expect(res.body).toEqual({})
-    })
-
-    it('should respond with Bad Request if clientId is missing', async () => {
-      const res = await request(app)
-        .post('/SASjsApi/auth/authorize')
-        .send({
-          username: user.username,
-          password: user.password
-        })
-        .expect(400)
-
-      expect(res.text).toEqual(`"clientId" is required`)
-      expect(res.body).toEqual({})
-    })
-
-    it('should respond with Forbidden if username is incorrect', async () => {
-      const res = await request(app)
-        .post('/SASjsApi/auth/authorize')
-        .send({
-          username: user.username,
-          password: user.password,
-          clientId
-        })
-        .expect(403)
-
-      expect(res.text).toEqual('Error: Username is not found.')
-      expect(res.body).toEqual({})
-    })
-
-    it('should respond with Forbidden if password is incorrect', async () => {
-      await userController.createUser(user)
-
-      const res = await request(app)
-        .post('/SASjsApi/auth/authorize')
-        .send({
-          username: user.username,
-          password: 'WrongPassword',
-          clientId
-        })
-        .expect(403)
-
-      expect(res.text).toEqual('Error: Invalid password.')
-      expect(res.body).toEqual({})
-    })
-
-    it('should respond with Forbidden if clientId is incorrect', async () => {
-      await userController.createUser(user)
-
-      const res = await request(app)
-        .post('/SASjsApi/auth/authorize')
-        .send({
-          username: user.username,
-          password: user.password,
-          clientId: 'WrongClientID'
-        })
-        .expect(403)
-
-      expect(res.text).toEqual('Invalid clientId.')
-      expect(res.body).toEqual({})
-    })
-  })
-
   describe('token', () => {
     const userInfo: InfoJWT = {
       clientId,

api/src/routes/api/spec/client.spec.ts

@@ -6,11 +6,6 @@ import appPromise from '../../../app'
 import { UserController, ClientController } from '../../../controllers/'
 import { generateAccessToken, saveTokensInDB } from '../../../utils'
 
-let app: Express
-appPromise.then((_app) => {
-  app = _app
-})
-
 const client = {
   clientId: 'someclientID',
   clientSecret: 'someclientSecret'
@@ -28,12 +23,15 @@ const newClient = {
 }
 
 describe('client', () => {
+  let app: Express
   let con: Mongoose
   let mongoServer: MongoMemoryServer
   const userController = new UserController()
   const clientController = new ClientController()
 
   beforeAll(async () => {
+    app = await appPromise
+
     mongoServer = await MongoMemoryServer.create()
     con = await mongoose.connect(mongoServer.getUri())
   })

api/src/routes/api/spec/drive.spec.ts

@@ -10,30 +10,28 @@ import {
   readFile,
   deleteFolder,
   generateTimestamp,
-  copy
+  copy,
+  createFolder,
+  createFile,
+  ServiceMember,
+  FolderMember
 } from '@sasjs/utils'
 import * as fileUtilModules from '../../../utils/file'
 
 const timestamp = generateTimestamp()
 const tmpFolder = path.join(process.cwd(), `tmp-${timestamp}`)
 jest
-  .spyOn(fileUtilModules, 'getTmpFolderPath')
+  .spyOn(fileUtilModules, 'getSasjsRootFolder')
   .mockImplementation(() => tmpFolder)
 jest
-  .spyOn(fileUtilModules, 'getTmpUploadsPath')
+  .spyOn(fileUtilModules, 'getUploadsFolder')
   .mockImplementation(() => path.join(tmpFolder, 'uploads'))
 
 import appPromise from '../../../app'
 import { UserController } from '../../../controllers/'
 import { getTreeExample } from '../../../controllers/internal'
-import { FolderMember, ServiceMember } from '../../../types'
 import { generateAccessToken, saveTokensInDB } from '../../../utils/'
-const { getTmpFilesFolderPath } = fileUtilModules
-
-let app: Express
-appPromise.then((_app) => {
-  app = _app
-})
+const { getFilesFolder } = fileUtilModules
 
 const clientId = 'someclientID'
 const user = {
@@ -44,7 +42,8 @@ const user = {
   isActive: true
 }
 
-describe('files', () => {
+describe('drive', () => {
+  let app: Express
   let con: Mongoose
   let mongoServer: MongoMemoryServer
   const controller = new UserController()
@@ -52,6 +51,8 @@ describe('files', () => {
   let accessToken: string
 
   beforeAll(async () => {
+    app = await appPromise
+
     mongoServer = await MongoMemoryServer.create()
     con = await mongoose.connect(mongoServer.getUri())
 
@@ -69,6 +70,7 @@ describe('files', () => {
     await mongoServer.stop()
     await deleteFolder(tmpFolder)
   })
+
   describe('deploy', () => {
     const shouldFailAssertion = async (payload: any) => {
       const res = await request(app)
@@ -155,10 +157,10 @@ describe('files', () => {
       expect(res.text).toEqual(
         '{"status":"success","message":"Files deployed successfully to @sasjs/server."}'
       )
-      await expect(folderExists(getTmpFilesFolderPath())).resolves.toEqual(true)
+      await expect(folderExists(getFilesFolder())).resolves.toEqual(true)
 
       const testJobFolder = path.join(
-        getTmpFilesFolderPath(),
+        getFilesFolder(),
         'public',
         'jobs',
         'extract'
@@ -172,17 +174,123 @@ describe('files', () => {
 
       await expect(readFile(testJobFile)).resolves.toEqual(exampleService.code)
 
-      await deleteFolder(getTmpFilesFolderPath())
+      await deleteFolder(path.join(getFilesFolder(), 'public'))
+    })
+  })
+
+  describe('folder', () => {
+    describe('get', () => {
+      const getFolderApi = '/SASjsApi/drive/folder'
+
+      it('should get root SAS folder on drive', async () => {
+        const res = await request(app)
+          .get(getFolderApi)
+          .auth(accessToken, { type: 'bearer' })
+
+        expect(res.statusCode).toEqual(200)
+        expect(res.body).toEqual({ files: [], folders: [] })
+      })
+
+      it('should get a SAS folder on drive having _folderPath as query param', async () => {
+        const pathToDrive = fileUtilModules.getFilesFolder()
+
+        const dirLevel1 = 'level1'
+        const dirLevel2 = 'level2'
+        const fileLevel1 = 'file1'
+        const fileLevel2 = 'file2'
+
+        await createFolder(path.join(pathToDrive, dirLevel1, dirLevel2))
+        await createFile(
+          path.join(pathToDrive, dirLevel1, fileLevel1),
+          'some file content'
+        )
+        await createFile(
+          path.join(pathToDrive, dirLevel1, dirLevel2, fileLevel2),
+          'some file content'
+        )
+
+        const res1 = await request(app)
+          .get(getFolderApi)
+          .query({ _folderPath: '/' })
+          .auth(accessToken, { type: 'bearer' })
+
+        expect(res1.statusCode).toEqual(200)
+        expect(res1.body).toEqual({ files: [], folders: [dirLevel1] })
+
+        const res2 = await request(app)
+          .get(getFolderApi)
+          .query({ _folderPath: dirLevel1 })
+          .auth(accessToken, { type: 'bearer' })
+
+        expect(res2.statusCode).toEqual(200)
+        expect(res2.body).toEqual({ files: [fileLevel1], folders: [dirLevel2] })
+
+        const res3 = await request(app)
+          .get(getFolderApi)
+          .query({ _folderPath: `${dirLevel1}/${dirLevel2}` })
+          .auth(accessToken, { type: 'bearer' })
+
+        expect(res3.statusCode).toEqual(200)
+        expect(res3.body).toEqual({ files: [fileLevel2], folders: [] })
+      })
+
+      it('should respond with Unauthorized if access token is not present', async () => {
+        const res = await request(app).get(getFolderApi).expect(401)
+
+        expect(res.text).toEqual('Unauthorized')
+        expect(res.body).toEqual({})
+      })
+
+      it('should respond with Forbidden if folder is not present', async () => {
+        const res = await request(app)
+          .get(getFolderApi)
+          .auth(accessToken, { type: 'bearer' })
+          .query({ _folderPath: `/my/path/code-${generateTimestamp()}` })
+          .expect(403)
+
+        expect(res.text).toEqual(`Error: Folder doesn't exist.`)
+        expect(res.body).toEqual({})
+      })
+
+      it('should respond with Forbidden if folderPath outside Drive', async () => {
+        const res = await request(app)
+          .get(getFolderApi)
+          .auth(accessToken, { type: 'bearer' })
+          .query({ _folderPath: '/../path/code.sas' })
+          .expect(403)
+
+        expect(res.text).toEqual('Error: Cannot get folder outside drive.')
+        expect(res.body).toEqual({})
+      })
+
+      it('should respond with Forbidden if folderPath is of a file', async () => {
+        const fileToCopyPath = path.join(__dirname, 'files', 'sample.sas')
+        const filePath = '/my/path/code.sas'
+
+        const pathToCopy = path.join(fileUtilModules.getFilesFolder(), filePath)
+        await copy(fileToCopyPath, pathToCopy)
+
+        const res = await request(app)
+          .get(getFolderApi)
+          .auth(accessToken, { type: 'bearer' })
+          .query({ _folderPath: filePath })
+          .expect(403)
+
+        expect(res.text).toEqual('Error: Not a Folder.')
+        expect(res.body).toEqual({})
+      })
     })
   })
 
   describe('file', () => {
     describe('create', () => {
       it('should create a SAS file on drive having filePath as form field', async () => {
+        const pathToUpload = `/my/path/code-1.sas`
+
         const res = await request(app)
           .post('/SASjsApi/drive/file')
           .auth(accessToken, { type: 'bearer' })
-          .field('filePath', '/my/path/code.sas')
+          .field('filePath', pathToUpload)
           .attach('file', path.join(__dirname, 'files', 'sample.sas'))
 
         expect(res.statusCode).toEqual(200)
@@ -192,10 +300,12 @@ describe('files', () => {
       })
 
       it('should create a SAS file on drive having _filePath as query param', async () => {
+        const pathToUpload = `/my/path/code-2.sas`
+
         const res = await request(app)
           .post('/SASjsApi/drive/file')
           .auth(accessToken, { type: 'bearer' })
-          .query({ _filePath: '/my/path/code1.sas' })
+          .query({ _filePath: pathToUpload })
           .attach('file', path.join(__dirname, 'files', 'sample.sas'))
 
         expect(res.statusCode).toEqual(200)
@@ -217,10 +327,10 @@ describe('files', () => {
 
       it('should respond with Forbidden if file is already present', async () => {
         const fileToAttachPath = path.join(__dirname, 'files', 'sample.sas')
-        const pathToUpload = '/my/path/code.sas'
+        const pathToUpload = `/my/path/code-${generateTimestamp()}.sas`
 
         const pathToCopy = path.join(
-          fileUtilModules.getTmpFilesFolderPath(),
+          fileUtilModules.getFilesFolder(),
           pathToUpload
         )
         await copy(fileToAttachPath, pathToCopy)
@@ -310,7 +420,7 @@ describe('files', () => {
       it('should respond with Bad Request if attached file exceeds file limit', async () => {
         const pathToUpload = '/my/path/code.sas'
 
-        const attachedFile = Buffer.from('.'.repeat(20 * 1024 * 1024))
+        const attachedFile = Buffer.from('.'.repeat(110 * 1024 * 1024)) // 110mb
 
         const res = await request(app)
           .post('/SASjsApi/drive/file')
@@ -320,7 +430,7 @@ describe('files', () => {
           .expect(400)
 
         expect(res.text).toEqual(
-          'File size is over limit. File limit is: 10 MB'
+          'File size is over limit. File limit is: 100 MB'
         )
         expect(res.body).toEqual({})
       })
@@ -332,7 +442,7 @@ describe('files', () => {
         const pathToUpload = '/my/path/code.sas'
 
         const pathToCopy = path.join(
-          fileUtilModules.getTmpFilesFolderPath(),
+          fileUtilModules.getFilesFolder(),
           pathToUpload
         )
         await copy(fileToAttachPath, pathToCopy)
@@ -354,7 +464,7 @@ describe('files', () => {
         const pathToUpload = '/my/path/code.sas'
 
         const pathToCopy = path.join(
-          fileUtilModules.getTmpFilesFolderPath(),
+          fileUtilModules.getFilesFolder(),
           pathToUpload
         )
         await copy(fileToAttachPath, pathToCopy)
@@ -386,7 +496,7 @@ describe('files', () => {
         const res = await request(app)
           .patch('/SASjsApi/drive/file')
           .auth(accessToken, { type: 'bearer' })
-          .field('filePath', `/my/path/code-${generateTimestamp()}.sas`)
+          .field('filePath', `/my/path/code-3.sas`)
           .attach('file', path.join(__dirname, 'files', 'sample.sas'))
           .expect(403)
 
@@ -427,9 +537,9 @@ describe('files', () => {
         const pathToUpload = '/my/path/code.exe'
 
         const res = await request(app)
-          .patch(`/SASjsApi/drive/file?_filePath=${pathToUpload}`)
+          .patch('/SASjsApi/drive/file')
           .auth(accessToken, { type: 'bearer' })
-          // .field('filePath', pathToUpload)
+          .query({ _filePath: pathToUpload })
           .attach('file', fileToAttachPath)
           .expect(400)
 
@@ -468,7 +578,7 @@ describe('files', () => {
       it('should respond with Bad Request if attached file exceeds file limit', async () => {
         const pathToUpload = '/my/path/code.sas'
 
-        const attachedFile = Buffer.from('.'.repeat(20 * 1024 * 1024))
+        const attachedFile = Buffer.from('.'.repeat(110 * 1024 * 1024)) // 110mb
 
         const res = await request(app)
           .patch('/SASjsApi/drive/file')
@@ -478,11 +588,81 @@ describe('files', () => {
           .expect(400)
 
         expect(res.text).toEqual(
-          'File size is over limit. File limit is: 10 MB'
+          'File size is over limit. File limit is: 100 MB'
         )
         expect(res.body).toEqual({})
       })
     })
+
+    describe('get', () => {
+      it('should get a SAS file on drive having _filePath as query param', async () => {
+        const fileToCopyPath = path.join(__dirname, 'files', 'sample.sas')
+        const fileToCopyContent = await readFile(fileToCopyPath)
+        const filePath = '/my/path/code.sas'
+
+        const pathToCopy = path.join(fileUtilModules.getFilesFolder(), filePath)
+        await copy(fileToCopyPath, pathToCopy)
+
+        const res = await request(app)
+          .get('/SASjsApi/drive/file')
+          .auth(accessToken, { type: 'bearer' })
+          .query({ _filePath: filePath })
+
+        expect(res.statusCode).toEqual(200)
+        expect(res.body).toEqual({})
+        expect(res.text).toEqual(fileToCopyContent)
+      })
+
+      it('should respond with Unauthorized if access token is not present', async () => {
+        const res = await request(app).get('/SASjsApi/drive/file').expect(401)
+
+        expect(res.text).toEqual('Unauthorized')
+        expect(res.body).toEqual({})
+      })
+
+      it('should respond with Forbidden if file is not present', async () => {
+        const res = await request(app)
+          .get('/SASjsApi/drive/file')
+          .auth(accessToken, { type: 'bearer' })
+          .query({ _filePath: `/my/path/code-4.sas` })
+          .expect(403)
+
+        expect(res.text).toEqual(`Error: File doesn't exist.`)
+        expect(res.body).toEqual({})
+      })
+
+      it('should respond with Forbidden if filePath outside Drive', async () => {
+        const res = await request(app)
+          .get('/SASjsApi/drive/file')
+          .auth(accessToken, { type: 'bearer' })
+          .query({ _filePath: '/../path/code.sas' })
+          .expect(403)
+
+        expect(res.text).toEqual('Error: Cannot get file outside drive.')
+        expect(res.body).toEqual({})
+      })
+
+      it("should respond with Bad Request if filePath doesn't has correct extension", async () => {
+        const res = await request(app)
+          .patch('/SASjsApi/drive/file')
+          .auth(accessToken, { type: 'bearer' })
+          .query({ _filePath: '/my/path/code.exe' })
+          .expect(400)
+
+        expect(res.text).toEqual('Invalid file extension')
+        expect(res.body).toEqual({})
+      })
+
+      it('should respond with Bad Request if filePath is missing', async () => {
+        const res = await request(app)
+          .post('/SASjsApi/drive/file')
+          .auth(accessToken, { type: 'bearer' })
+          .expect(400)
+
+        expect(res.text).toEqual(`"_filePath" is required`)
+        expect(res.body).toEqual({})
+      })
+    })
   })
 })
 

api/src/routes/api/spec/group.spec.ts

@@ -6,11 +6,6 @@ import appPromise from '../../../app'
 import { UserController, GroupController } from '../../../controllers/'
 import { generateAccessToken, saveTokensInDB } from '../../../utils'
 
-let app: Express
-appPromise.then((_app) => {
-  app = _app
-})
-
 const clientId = 'someclientID'
 const adminUser = {
   displayName: 'Test Admin',
@@ -36,11 +31,14 @@ const userController = new UserController()
 const groupController = new GroupController()
 
 describe('group', () => {
+  let app: Express
   let con: Mongoose
   let mongoServer: MongoMemoryServer
   let adminAccessToken: string
 
   beforeAll(async () => {
+    app = await appPromise
+
     mongoServer = await MongoMemoryServer.create()
     con = await mongoose.connect(mongoServer.getUri())
 

api/src/routes/api/spec/info.spec.ts

@@ -0,0 +1,20 @@
+import { Express } from 'express'
+import request from 'supertest'
+import appPromise from '../../../app'
+
+describe('Info', () => {
+  let app: Express
+
+  beforeAll(async () => {
+    app = await appPromise
+  })
+
+  it('should should return configured information of the server instance', async () => {
+    const res = await request(app).get('/SASjsApi/info').expect(200)
+
+    expect(res.body.mode).toEqual('server')
+    expect(res.body.cors).toEqual('disable')
+    expect(res.body.whiteList).toEqual([])
+    expect(res.body.protocol).toEqual('http')
+  })
+})

api/src/routes/api/spec/user.spec.ts

@@ -6,34 +6,33 @@ import appPromise from '../../../app'
 import { UserController } from '../../../controllers/'
 import { generateAccessToken, saveTokensInDB } from '../../../utils'
 
-let app: Express
-appPromise.then((_app) => {
-  app = _app
-})
-
 const clientId = 'someclientID'
 const adminUser = {
   displayName: 'Test Admin',
-  username: 'testAdminUsername',
+  username: 'testadminusername',
   password: '12345678',
   isAdmin: true,
   isActive: true
 }
 const user = {
   displayName: 'Test User',
-  username: 'testUsername',
+  username: 'testusername',
   password: '87654321',
   isAdmin: false,
-  isActive: true
+  isActive: true,
+  autoExec: 'some sas code for auto exec;'
 }
 
 const controller = new UserController()
 
 describe('user', () => {
+  let app: Express
   let con: Mongoose
   let mongoServer: MongoMemoryServer
 
   beforeAll(async () => {
+    app = await appPromise
+
     mongoServer = await MongoMemoryServer.create()
     con = await mongoose.connect(mongoServer.getUri())
   })
@@ -66,6 +65,21 @@ describe('user', () => {
       expect(res.body.displayName).toEqual(user.displayName)
       expect(res.body.isAdmin).toEqual(user.isAdmin)
       expect(res.body.isActive).toEqual(user.isActive)
+      expect(res.body.autoExec).toEqual(user.autoExec)
+    })
+
+    it('should respond with new user having username as lowercase', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/user')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({ ...user, username: user.username.toUpperCase() })
+        .expect(200)
+
+      expect(res.body.username).toEqual(user.username)
+      expect(res.body.displayName).toEqual(user.displayName)
+      expect(res.body.isAdmin).toEqual(user.isAdmin)
+      expect(res.body.isActive).toEqual(user.isActive)
+      expect(res.body.autoExec).toEqual(user.autoExec)
     })
 
     it('should respond with Unauthorized if access token is not present', async () => {
@@ -244,7 +258,7 @@ describe('user', () => {
       const dbUser1 = await controller.createUser(user)
       const dbUser2 = await controller.createUser({
         ...user,
-        username: 'randomUser'
+        username: 'randomuser'
       })
 
       const res = await request(app)
@@ -362,7 +376,25 @@ describe('user', () => {
       await deleteAllUsers()
     })
 
-    it('should respond with user', async () => {
+    it('should respond with user autoExec when same user requests', async () => {
+      const dbUser = await controller.createUser(user)
+      const userId = dbUser.id
+      const accessToken = await generateAndSaveToken(userId)
+
+      const res = await request(app)
+        .get(`/SASjsApi/user/${userId}`)
+        .auth(accessToken, { type: 'bearer' })
+        .send()
+        .expect(200)
+
+      expect(res.body.username).toEqual(user.username)
+      expect(res.body.displayName).toEqual(user.displayName)
+      expect(res.body.isAdmin).toEqual(user.isAdmin)
+      expect(res.body.isActive).toEqual(user.isActive)
+      expect(res.body.autoExec).toEqual(user.autoExec)
+    })
+
+    it('should respond with user autoExec when admin user requests', async () => {
       const dbUser = await controller.createUser(user)
       const userId = dbUser.id
 
@@ -376,6 +408,7 @@ describe('user', () => {
       expect(res.body.displayName).toEqual(user.displayName)
       expect(res.body.isAdmin).toEqual(user.isAdmin)
       expect(res.body.isActive).toEqual(user.isActive)
+      expect(res.body.autoExec).toEqual(user.autoExec)
     })
 
     it('should respond with user when access token is not of an admin account', async () => {
@@ -397,6 +430,7 @@ describe('user', () => {
       expect(res.body.displayName).toEqual(user.displayName)
       expect(res.body.isAdmin).toEqual(user.isAdmin)
       expect(res.body.isActive).toEqual(user.isActive)
+      expect(res.body.autoExec).toBeUndefined()
     })
 
     it('should respond with Unauthorized if access token is not present', async () => {

api/src/routes/api/spec/web.spec.ts

@@ -0,0 +1,182 @@
+import { Express } from 'express'
+import mongoose, { Mongoose } from 'mongoose'
+import { MongoMemoryServer } from 'mongodb-memory-server'
+import request from 'supertest'
+import appPromise from '../../../app'
+import { UserController, ClientController } from '../../../controllers/'
+
+const clientId = 'someclientID'
+const clientSecret = 'someclientSecret'
+const user = {
+  id: 1234,
+  displayName: 'Test User',
+  username: 'testusername',
+  password: '87654321',
+  isAdmin: false,
+  isActive: true
+}
+
+describe('web', () => {
+  let app: Express
+  let con: Mongoose
+  let mongoServer: MongoMemoryServer
+  const userController = new UserController()
+  const clientController = new ClientController()
+
+  beforeAll(async () => {
+    app = await appPromise
+
+    mongoServer = await MongoMemoryServer.create()
+    con = await mongoose.connect(mongoServer.getUri())
+    await clientController.createClient({ clientId, clientSecret })
+  })
+
+  afterAll(async () => {
+    await con.connection.dropDatabase()
+    await con.connection.close()
+    await mongoServer.stop()
+  })
+
+  describe('home', () => {
+    it('should respond with CSRF Token', async () => {
+      await request(app)
+        .get('/')
+        .expect(
+          'set-cookie',
+          /_csrf=.*; Max-Age=86400000; Path=\/; HttpOnly,XSRF-TOKEN=.*; Path=\//
+        )
+    })
+  })
+
+  describe('SASLogon/login', () => {
+    let csrfToken: string
+    let cookies: string
+
+    beforeAll(async () => {
+      ;({ csrfToken, cookies } = await getCSRF(app))
+    })
+
+    afterEach(async () => {
+      const collections = mongoose.connection.collections
+      const collection = collections['users']
+      await collection.deleteMany({})
+    })
+
+    it('should respond with successful login', async () => {
+      await userController.createUser(user)
+
+      const res = await request(app)
+        .post('/SASLogon/login')
+        .set('Cookie', cookies)
+        .set('x-xsrf-token', csrfToken)
+        .send({
+          username: user.username,
+          password: user.password
+        })
+        .expect(200)
+
+      expect(res.body.loggedIn).toBeTruthy()
+      expect(res.body.user).toEqual({
+        id: expect.any(Number),
+        username: user.username,
+        displayName: user.displayName
+      })
+    })
+  })
+
+  describe('SASLogon/authorize', () => {
+    let csrfToken: string
+    let cookies: string
+    let authCookies: string
+
+    beforeAll(async () => {
+      ;({ csrfToken, cookies } = await getCSRF(app))
+
+      await userController.createUser(user)
+
+      const credentials = {
+        username: user.username,
+        password: user.password
+      }
+
+      ;({ cookies: authCookies } = await performLogin(
+        app,
+        credentials,
+        cookies,
+        csrfToken
+      ))
+    })
+
+    afterAll(async () => {
+      const collections = mongoose.connection.collections
+      const collection = collections['users']
+      await collection.deleteMany({})
+    })
+
+    it('should respond with authorization code', async () => {
+      const res = await request(app)
+        .post('/SASLogon/authorize')
+        .set('Cookie', [authCookies, cookies].join('; '))
+        .set('x-xsrf-token', csrfToken)
+        .send({ clientId })
+
+      expect(res.body).toHaveProperty('code')
+    })
+
+    it('should respond with Bad Request if clientId is missing', async () => {
+      const res = await request(app)
+        .post('/SASLogon/authorize')
+        .set('Cookie', [authCookies, cookies].join('; '))
+        .set('x-xsrf-token', csrfToken)
+        .send({})
+        .expect(400)
+
+      expect(res.text).toEqual(`"clientId" is required`)
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Forbidden if clientId is incorrect', async () => {
+      const res = await request(app)
+        .post('/SASLogon/authorize')
+        .set('Cookie', [authCookies, cookies].join('; '))
+        .set('x-xsrf-token', csrfToken)
+        .send({
+          clientId: 'WrongClientID'
+        })
+        .expect(403)
+
+      expect(res.text).toEqual('Error: Invalid clientId.')
+      expect(res.body).toEqual({})
+    })
+  })
+})
+
+const getCSRF = async (app: Express) => {
+  // make request to get CSRF
+  const { header } = await request(app).get('/')
+  const cookies = header['set-cookie'].join()
+
+  const csrfToken = extractCSRF(cookies)
+  return { csrfToken, cookies }
+}
+
+const performLogin = async (
+  app: Express,
+  credentials: { username: string; password: string },
+  cookies: string,
+  csrfToken: string
+) => {
+  const { header } = await request(app)
+    .post('/SASLogon/login')
+    .set('Cookie', cookies)
+    .set('x-xsrf-token', csrfToken)
+    .send(credentials)
+
+  const newCookies: string = header['set-cookie'].join()
+  return { cookies: newCookies }
+}
+
+const extractCSRF = (cookies: string) =>
+  /_csrf=(.*); Max-Age=86400000; Path=\/; HttpOnly,XSRF-TOKEN=(.*); Path=\//.exec(
+    cookies
+  )![2]

api/src/routes/api/stp.ts

@@ -34,7 +34,7 @@ stpRouter.post(
   '/execute',
   fileUploadController.preUploadMiddleware,
   fileUploadController.getMulterUploadObject().any(),
-  async (req: any, res: any) => {
+  async (req, res: any) => {
     const { error: errQ, value: query } = executeProgramRawValidation(req.query)
     const { error: errB, value: body } = executeProgramRawValidation(req.body)
 
@@ -47,10 +47,11 @@ stpRouter.post(
         query?._program
       )
 
-      if (response instanceof Buffer) {
-        res.writeHead(200, (req as any).sasHeaders)
-        return res.end(response)
-      }
+      // TODO: investigate if this code is required
+      // if (response instanceof Buffer) {
+      //   res.writeHead(200, (req as any).sasHeaders)
+      //   return res.end(response)
+      // }
 
       res.send(response)
     } catch (err: any) {

api/src/routes/api/user.ts

@@ -36,12 +36,12 @@ userRouter.get('/', authenticateAccessToken, async (req, res) => {
   }
 })
 
-userRouter.get('/:userId', authenticateAccessToken, async (req: any, res) => {
+userRouter.get('/:userId', authenticateAccessToken, async (req, res) => {
   const { userId } = req.params
 
   const controller = new UserController()
   try {
-    const response = await controller.getUser(userId)
+    const response = await controller.getUser(req, parseInt(userId))
     res.send(response)
   } catch (err: any) {
     res.status(403).send(err.toString())
@@ -52,17 +52,17 @@ userRouter.patch(
   '/:userId',
   authenticateAccessToken,
   verifyAdminIfNeeded,
-  async (req: any, res) => {
+  async (req, res) => {
     const { user } = req
     const { userId } = req.params
 
     // only an admin can update `isActive` and `isAdmin` fields
-    const { error, value: body } = updateUserValidation(req.body, user.isAdmin)
+    const { error, value: body } = updateUserValidation(req.body, user!.isAdmin)
     if (error) return res.status(400).send(error.details[0].message)
 
     const controller = new UserController()
     try {
-      const response = await controller.updateUser(userId, body)
+      const response = await controller.updateUser(parseInt(userId), body)
       res.send(response)
     } catch (err: any) {
       res.status(403).send(err.toString())
@@ -74,17 +74,17 @@ userRouter.delete(
   '/:userId',
   authenticateAccessToken,
   verifyAdminIfNeeded,
-  async (req: any, res) => {
+  async (req, res) => {
     const { user } = req
     const { userId } = req.params
 
     // only an admin can delete user without providing password
-    const { error, value: data } = deleteUserValidation(req.body, user.isAdmin)
+    const { error, value: data } = deleteUserValidation(req.body, user!.isAdmin)
     if (error) return res.status(400).send(error.details[0].message)
 
     const controller = new UserController()
     try {
-      await controller.deleteUser(userId, data, user.isAdmin)
+      await controller.deleteUser(parseInt(userId), data, user!.isAdmin)
       res.status(200).send('Account Deleted!')
     } catch (err: any) {
       res.status(403).send(err.toString())

api/src/routes/appStream/appStreamHtml.ts

@@ -1,27 +1,5 @@
 import { AppStreamConfig } from '../../types'
-
-const style = `<style>
-* {
-  font-family: 'Roboto', sans-serif;
-}
-.app-container {
-  display: flex;
-  flex-wrap: wrap;
-  align-items: baseline;
-  justify-content: center;
-}
-.app-container .app {
-  width: 150px;
-  margin: 10px;
-  overflow: hidden;
-  border-radius: 10px 10px 0 0;
-  text-align: center;
-}
-.app-container .app img{
-  width: 100%;
-  margin-bottom: 10px;
-}
-</style>`
+import { style } from './style'
 
 const defaultAppLogo = '/sasjs-logo.svg'
 
@@ -31,7 +9,10 @@ const singleAppStreamHtml = (
   logo?: string
 ) =>
   ` <a class="app" href="${streamServiceName}" title="${appLoc}">
-      <img src="${logo ? streamServiceName + '/' + logo : defaultAppLogo}" />
+      <img
+        src="${logo ? streamServiceName + '/' + logo : defaultAppLogo}"
+        onerror="this.src = '${defaultAppLogo}';"
+      />
       ${streamServiceName}
     </a>`
 
@@ -49,6 +30,15 @@ export const appStreamHtml = (appStreamConfig: AppStreamConfig) => `
           singleAppStreamHtml(streamServiceName, entry.appLoc, entry.streamLogo)
         )
         .join('')}
+        <a class="app" title="Upload build.json">
+          <input id="fileId" type="file" hidden />
+          <button id="uploadButton" style="margin-bottom: 5px; cursor: pointer">
+            <img src="/plus.png" />
+          </button>
+          <span id="uploadMessage">Upload New App</span>
+        </a>
     </div>
+    <script src="/axios.min.js"></script>
+    <script src="/app-streams-script.js"></script>
   </body>
 </html>`

api/src/routes/appStream/index.ts

@@ -1,15 +1,19 @@
 import path from 'path'
-import express from 'express'
+import express, { Request } from 'express'
 import { folderExists } from '@sasjs/utils'
 
-import { addEntryToAppStreamConfig, getTmpFilesFolderPath } from '../../utils'
+import { addEntryToAppStreamConfig, getFilesFolder } from '../../utils'
 import { appStreamHtml } from './appStreamHtml'
 
+const appStreams: { [key: string]: string } = {}
+
 const router = express.Router()
 
-router.get('/', async (_, res) => {
+router.get('/', async (req, res) => {
   const content = appStreamHtml(process.appStreamConfig)
 
+  res.cookie('XSRF-TOKEN', req.csrfToken())
+
   return res.send(content)
 })
 
@@ -20,7 +24,7 @@ export const publishAppStream = async (
   streamLogo?: string,
   addEntryToFile: boolean = true
 ) => {
-  const driveFilesPath = getTmpFilesFolderPath()
+  const driveFilesPath = getFilesFolder()
 
   const appLocParts = appLoc.replace(/^\//, '')?.split('/')
   const appLocPath = path.join(driveFilesPath, ...appLocParts)
@@ -40,20 +44,9 @@ export const publishAppStream = async (
 
     if (!streamServiceName) {
       streamServiceName = `AppStreamName${appCount + 1}`
-    } else {
-      const alreadyDeployed = process.appStreamConfig[streamServiceName]
-      if (alreadyDeployed) {
-        if (alreadyDeployed.appLoc === appLoc) {
-          // redeploying to same streamServiceName
-        } else {
-          // trying to deploy to another existing streamServiceName
-          // assign new streamServiceName
-          streamServiceName = `${streamServiceName}-${appCount + 1}`
-        }
-      }
     }
 
-    router.use(`/${streamServiceName}`, express.static(pathToDeployment))
+    appStreams[streamServiceName] = pathToDeployment
 
     addEntryToAppStreamConfig(
       streamServiceName,
@@ -63,7 +56,7 @@ export const publishAppStream = async (
       addEntryToFile
     )
 
-    const sasJsPort = process.env.PORT ?? 5000
+    const sasJsPort = process.env.PORT || 5000
     console.log(
       'Serving Stream App: ',
       `http://localhost:${sasJsPort}/AppStream/${streamServiceName}`
@@ -73,4 +66,26 @@ export const publishAppStream = async (
   return {}
 }
 
+router.get(`/*`, function (req: Request, res, next) {
+  const reqPath = req.path.replace(/^\//, '')
+
+  // Redirecting to url with trailing slash for appStream base URL only
+  if (reqPath.split('/').length === 1 && !reqPath.endsWith('/'))
+    // navigating to same url with slash at start
+    return res.redirect(301, `${reqPath}/`)
+
+  const appStream = reqPath.split('/')[0]
+  const appStreamFilesPath = appStreams[appStream]
+  if (appStreamFilesPath) {
+    // resourcePath is without appStream base path
+    const resourcePath = reqPath.split('/').slice(1).join('/') || 'index.html'
+
+    req.url = resourcePath
+
+    return express.static(appStreamFilesPath)(req, res, next)
+  }
+
+  return res.send("There's no App Stream available here.")
+})
+
 export default router

api/src/routes/appStream/style.ts

@@ -0,0 +1,22 @@
+export const style = `<style>
+* {
+  font-family: 'Roboto', sans-serif;
+}
+.app-container {
+  display: flex;
+  flex-wrap: wrap;
+  align-items: baseline;
+  justify-content: center;
+}
+.app-container .app {
+  width: 150px;
+  margin: 10px;
+  overflow: hidden;
+  text-align: center;
+}
+.app-container .app img{
+  width: 100%;
+  margin-bottom: 10px;
+  border-radius: 10px;
+}
+</style>`

api/src/routes/setupRoutes.ts

@@ -4,13 +4,16 @@ import webRouter from './web'
 import apiRouter from './api'
 import appStreamRouter from './appStream'
 
+import { csrfProtection } from '../app'
+
 export const setupRoutes = (app: Express) => {
-  app.use('/', webRouter)
   app.use('/SASjsApi', apiRouter)
 
-  app.use('/AppStream', function (req, res, next) {
+  app.use('/AppStream', csrfProtection, function (req, res, next) {
     // this needs to be a function to hook on
     // whatever the current router is
     appStreamRouter(req, res, next)
   })
+
+  app.use('/', csrfProtection, webRouter)
 }

api/src/routes/web/web.ts

@@ -1,34 +1,60 @@
-import { readFile } from '@sasjs/utils'
 import express from 'express'
-import path from 'path'
-import { getWebBuildFolderPath } from '../../utils'
+import { WebController } from '../../controllers/web'
+import { authenticateAccessToken, desktopRestrict } from '../../middlewares'
+import { authorizeValidation, loginWebValidation } from '../../utils'
 
 const webRouter = express.Router()
+const controller = new WebController()
 
-const codeToInject = `
-<script>
-  localStorage.setItem('accessToken', JSON.stringify('accessToken'))
-  localStorage.setItem('refreshToken', JSON.stringify('refreshToken'))
-</script>`
-
-webRouter.get('/', async (_, res) => {
-  let content: string
+webRouter.get('/', async (req, res) => {
+  let response
   try {
-    const indexHtmlPath = path.join(getWebBuildFolderPath(), 'index.html')
-    content = await readFile(indexHtmlPath)
+    response = await controller.home()
   } catch (_) {
-    return res.send('Web Build is not present')
+    response = 'Web Build is not present'
+  } finally {
+    res.cookie('XSRF-TOKEN', req.csrfToken())
+
+    return res.send(response)
   }
+})
 
-  const { MODE } = process.env
-  if (MODE?.trim() !== 'server') {
-    const injectedContent = content.replace('</head>', `${codeToInject}</head>`)
+webRouter.post('/SASLogon/login', desktopRestrict, async (req, res) => {
+  const { error, value: body } = loginWebValidation(req.body)
+  if (error) return res.status(400).send(error.details[0].message)
 
-    res.setHeader('Content-Type', 'text/html')
-    return res.send(injectedContent)
+  try {
+    const response = await controller.login(req, body)
+    res.send(response)
+  } catch (err: any) {
+    res.status(403).send(err.toString())
   }
+})
 
-  return res.send(content)
+webRouter.post(
+  '/SASLogon/authorize',
+  desktopRestrict,
+  authenticateAccessToken,
+  async (req, res) => {
+    const { error, value: body } = authorizeValidation(req.body)
+    if (error) return res.status(400).send(error.details[0].message)
+
+    try {
+      const response = await controller.authorize(req, body)
+      res.send(response)
+    } catch (err: any) {
+      res.status(403).send(err.toString())
+    }
+  }
+)
+
+webRouter.get('/logout', desktopRestrict, async (req, res) => {
+  try {
+    await controller.logout(req)
+    res.status(200).send('OK!')
+  } catch (err: any) {
+    res.status(403).send(err.toString())
+  }
 })
 
 export default webRouter

api/src/server.ts

@@ -4,8 +4,8 @@ import appPromise from './app'
 import { getCertificates } from './utils'
 
 appPromise.then(async (app) => {
-  const protocol = process.env.PROTOCOL ?? 'http'
-  const sasJsPort = process.env.PORT ?? 5000
+  const protocol = process.env.PROTOCOL || 'http'
+  const sasJsPort = process.env.PORT || 5000
 
   console.log('PROTOCOL: ', protocol)
 

api/src/types/FileTree.ts

@@ -1,62 +0,0 @@
-export enum MemberType {
-  service = 'service',
-  file = 'file',
-  folder = 'folder'
-}
-
-export interface ServiceMember {
-  name: string
-  type: MemberType.service
-  code: string
-}
-
-export interface FileMember {
-  name: string
-  type: MemberType.file
-  code: string
-}
-
-export interface FolderMember {
-  name: string
-  type: MemberType.folder
-  members: (FolderMember | ServiceMember | FileMember)[]
-}
-export interface FileTree {
-  members: (FolderMember | ServiceMember | FileMember)[]
-}
-
-export const isFileTree = (arg: any): arg is FileTree =>
-  arg &&
-  arg.members &&
-  Array.isArray(arg.members) &&
-  arg.members.filter(
-    (member: ServiceMember | FileMember | FolderMember) =>
-      !isServiceMember(member, '-') &&
-      !isFileMember(member, '-') &&
-      !isFolderMember(member, '-')
-  ).length === 0
-
-const isServiceMember = (arg: any, pre: string): arg is ServiceMember =>
-  arg &&
-  typeof arg.name === 'string' &&
-  arg.type === MemberType.service &&
-  typeof arg.code === 'string'
-
-const isFileMember = (arg: any, pre: string): arg is ServiceMember =>
-  arg &&
-  typeof arg.name === 'string' &&
-  arg.type === MemberType.file &&
-  typeof arg.code === 'string'
-
-const isFolderMember = (arg: any, pre: string): arg is FolderMember =>
-  arg &&
-  typeof arg.name === 'string' &&
-  arg.type === MemberType.folder &&
-  arg.members &&
-  Array.isArray(arg.members) &&
-  arg.members.filter(
-    (member: FolderMember | ServiceMember) =>
-      !isServiceMember(member, pre + '-') &&
-      !isFileMember(member, pre + '-') &&
-      !isFolderMember(member, pre + '-')
-  ).length === 0

api/src/types/PreProgramVars.ts

@@ -3,5 +3,5 @@ export interface PreProgramVars {
   userId: number
   displayName: string
   serverUrl: string
-  accessToken: string
+  httpHeaders: string[]
 }

api/src/types/Process.d.ts

@@ -1,8 +0,0 @@
-declare namespace NodeJS {
-  export interface Process {
-    sasLoc: string
-    driveLoc: string
-    sessionController?: import('../controllers/internal').SessionController
-    appStreamConfig: import('./').AppStreamConfig
-  }
-}

api/src/types/Request.ts

@@ -1,17 +0,0 @@
-import { MacroVars } from '@sasjs/utils'
-
-export interface ExecutionQuery {
-  _program: string
-  macroVars?: MacroVars
-  _debug?: number
-}
-
-export interface FileQuery {
-  filePath: string
-}
-
-export const isExecutionQuery = (arg: any): arg is ExecutionQuery =>
-  arg && !Array.isArray(arg) && typeof arg._program === 'string'
-
-export const isFileQuery = (arg: any): arg is FileQuery =>
-  arg && !Array.isArray(arg) && typeof arg.filePath === 'string'

api/src/types/RequestUser.ts

@@ -0,0 +1,9 @@
+export interface RequestUser {
+  userId: number
+  clientId: string
+  username: string
+  displayName: string
+  isAdmin: boolean
+  isActive: boolean
+  autoExec?: string
+}

api/src/types/index.ts

@@ -1,9 +1,8 @@
 // TODO: uppercase types
 export * from './AppStreamConfig'
 export * from './Execution'
-export * from './FileTree'
 export * from './InfoJWT'
 export * from './PreProgramVars'
-export * from './Request'
 export * from './Session'
 export * from './TreeNode'
+export * from './RequestUser'

api/src/types/system/express-session.d.ts

@@ -0,0 +1,7 @@
+import express from 'express'
+declare module 'express-session' {
+  interface SessionData {
+    loggedIn: boolean
+    user: import('../').RequestUser
+  }
+}

api/src/types/system/express.d.ts

@@ -0,0 +1,7 @@
+declare namespace Express {
+  export interface Request {
+    accessToken?: string
+    user?: import('../').RequestUser
+    sasSession?: import('../').Session
+  }
+}

api/src/types/system/global.d.ts

@@ -0,0 +1 @@
+import 'jest-extended'

api/src/types/system/process.d.ts

@@ -0,0 +1,9 @@
+declare namespace NodeJS {
+  export interface Process {
+    sasLoc: string
+    driveLoc: string
+    sessionController?: import('../../controllers/internal').SessionController
+    appStreamConfig: import('../').AppStreamConfig
+    logger: import('@sasjs/utils/logger').Logger
+  }
+}

api/src/utils/appStreamConfig.ts

@@ -2,10 +2,12 @@ import { createFile, fileExists, readFile } from '@sasjs/utils'
 import { publishAppStream } from '../routes/appStream'
 import { AppStreamConfig } from '../types'
 
-import { getTmpAppStreamConfigPath } from './file'
+import { getAppStreamConfigPath } from './file'
 
 export const loadAppStreamConfig = async () => {
-  const appStreamConfigPath = getTmpAppStreamConfigPath()
+  if (process.env.NODE_ENV === 'test') return
+
+  const appStreamConfigPath = getAppStreamConfigPath()
 
   const content = (await fileExists(appStreamConfigPath))
     ? await readFile(appStreamConfigPath)
@@ -61,7 +63,7 @@ export const removeEntryFromAppStreamConfig = (streamServiceName: string) => {
 }
 
 const saveAppStreamConfig = async () => {
-  const appStreamConfigPath = getTmpAppStreamConfigPath()
+  const appStreamConfigPath = getAppStreamConfigPath()
 
   try {
     await createFile(

api/src/utils/connectDB.ts

@@ -1,25 +1,15 @@
 import mongoose from 'mongoose'
-import { populateClients } from '../routes/api/auth'
+import { seedDB } from './seedDB'
 
 export const connectDB = async () => {
-  // NOTE: when exporting app.js as agent for supertest
-  // we should exclude connecting to the real database
-  if (process.env.NODE_ENV === 'test') {
-    return
-  } else {
-    const { MODE } = process.env
-
-    if (MODE?.trim() !== 'server') {
-      console.log('Running in Destop Mode, no DB to connect.')
-      return
-    }
-
-    mongoose.connect(process.env.DB_CONNECT as string, async (err) => {
-      if (err) throw err
-
-      console.log('Connected to db!')
-
-      await populateClients()
-    })
+  try {
+    await mongoose.connect(process.env.DB_CONNECT as string)
+  } catch (err) {
+    throw new Error('Unable to connect to DB!')
   }
+
+  console.log('Connected to DB!')
+  await seedDB()
+
+  return mongoose.connection
 }

api/src/utils/copySASjsCore.ts

@@ -7,12 +7,14 @@ import {
   readFile
 } from '@sasjs/utils'
 
-import { getTmpMacrosPath, sasJSCoreMacros, sasJSCoreMacrosInfo } from '.'
+import { getMacrosFolder, sasJSCoreMacros, sasJSCoreMacrosInfo } from '.'
 
 export const copySASjsCore = async () => {
+  if (process.env.NODE_ENV === 'test') return
+
   console.log('Copying Macros from container to drive(tmp).')
 
-  const macrosDrivePath = getTmpMacrosPath()
+  const macrosDrivePath = getMacrosFolder()
 
   await deleteFolder(macrosDrivePath)
   await createFolder(macrosDrivePath)

api/src/utils/desktopAutoExec.ts

@@ -0,0 +1,8 @@
+import { createFile, readFile } from '@sasjs/utils'
+import { getDesktopUserAutoExecPath } from './file'
+
+export const getUserAutoExec = async (): Promise<string> =>
+  readFile(getDesktopUserAutoExecPath())
+
+export const updateUserAutoExec = async (autoExecContent: string) =>
+  createFile(getDesktopUserAutoExecPath(), autoExecContent)

api/src/utils/file.ts

@@ -1,4 +1,5 @@
 import path from 'path'
+import { homedir } from 'os'
 
 export const apiRoot = path.join(__dirname, '..', '..')
 export const codebaseRoot = path.join(apiRoot, '..')
@@ -9,30 +10,33 @@ export const sysInitCompiledPath = path.join(
 )
 
 export const sasJSCoreMacros = path.join(apiRoot, 'sasjscore')
-export const sasJSCoreMacrosInfo = path.join(apiRoot, 'sasjscore', '.macrolist')
+export const sasJSCoreMacrosInfo = path.join(sasJSCoreMacros, '.macrolist')
 
-export const getWebBuildFolderPath = () =>
-  path.join(codebaseRoot, 'web', 'build')
+export const getWebBuildFolder = () => path.join(codebaseRoot, 'web', 'build')
 
-export const getTmpFolderPath = () => process.driveLoc
+export const getSasjsHomeFolder = () => path.join(homedir(), '.sasjs-server')
 
-export const getTmpAppStreamConfigPath = () =>
-  path.join(getTmpFolderPath(), 'appStreamConfig.json')
+export const getDesktopUserAutoExecPath = () =>
+  path.join(getSasjsHomeFolder(), 'user-autoexec.sas')
 
-export const getTmpMacrosPath = () => path.join(getTmpFolderPath(), 'sasjscore')
+export const getSasjsRootFolder = () => process.driveLoc
 
-export const getTmpUploadsPath = () => path.join(getTmpFolderPath(), 'uploads')
+export const getAppStreamConfigPath = () =>
+  path.join(getSasjsRootFolder(), 'appStreamConfig.json')
 
-export const getTmpFilesFolderPath = () =>
-  path.join(getTmpFolderPath(), 'files')
+export const getMacrosFolder = () =>
+  path.join(getSasjsRootFolder(), 'sasjscore')
 
-export const getTmpLogFolderPath = () => path.join(getTmpFolderPath(), 'logs')
+export const getUploadsFolder = () => path.join(getSasjsRootFolder(), 'uploads')
 
-export const getTmpWeboutFolderPath = () =>
-  path.join(getTmpFolderPath(), 'webouts')
+export const getFilesFolder = () => path.join(getSasjsRootFolder(), 'files')
 
-export const getTmpSessionsFolderPath = () =>
-  path.join(getTmpFolderPath(), 'sessions')
+export const getLogFolder = () => path.join(getSasjsRootFolder(), 'logs')
+
+export const getWeboutFolder = () => path.join(getSasjsRootFolder(), 'webouts')
+
+export const getSessionsFolder = () =>
+  path.join(getSasjsRootFolder(), 'sessions')
 
 export const generateUniqueFileName = (fileName: string, extension = '') =>
   [

api/src/utils/getDesktopFields.ts

@@ -5,12 +5,12 @@ import { createFolder, fileExists, folderExists } from '@sasjs/utils'
 const isWindows = () => process.platform === 'win32'
 
 export const getDesktopFields = async () => {
-  const { SAS_PATH, DRIVE_PATH } = process.env
+  const { SAS_PATH } = process.env
 
   const sasLoc = SAS_PATH ?? (await getSASLocation())
-  const driveLoc = DRIVE_PATH ?? (await getDriveLocation())
+  // const driveLoc = DRIVE_PATH ?? (await getDriveLocation())
 
-  return { sasLoc, driveLoc }
+  return { sasLoc }
 }
 
 const getDriveLocation = async (): Promise<string> => {

api/src/utils/getPreProgramVariables.ts

@@ -0,0 +1,30 @@
+import { Request } from 'express'
+import { PreProgramVars } from '../types'
+
+export const getPreProgramVariables = (req: Request): PreProgramVars => {
+  const host = req.get('host')
+  const protocol = req.protocol + '://'
+  const { user, accessToken } = req
+  const csrfToken = req.headers['x-xsrf-token'] || req.cookies['XSRF-TOKEN']
+  const sessionId = req.cookies['connect.sid']
+  const { _csrf } = req.cookies
+
+  const httpHeaders: string[] = []
+
+  if (accessToken) httpHeaders.push(`Authorization: Bearer ${accessToken}`)
+  if (csrfToken) httpHeaders.push(`x-xsrf-token: ${csrfToken}`)
+
+  const cookies: string[] = []
+  if (sessionId) cookies.push(`connect.sid=${sessionId}`)
+  if (_csrf) cookies.push(`_csrf=${_csrf}`)
+
+  if (cookies.length) httpHeaders.push(`cookie: ${cookies.join('; ')}`)
+
+  return {
+    username: user!.username,
+    userId: user!.userId,
+    displayName: user!.displayName,
+    serverUrl: protocol + host,
+    httpHeaders
+  }
+}

api/src/utils/getServerUrl.ts

@@ -0,0 +1,15 @@
+import express from 'express'
+import url from 'url'
+
+export const getFullUrl = (req: express.Request) =>
+  url.format({
+    protocol: req.protocol,
+    host: req.get('host'),
+    pathname: req.originalUrl
+  })
+
+export const getServerUrl = (req: express.Request) =>
+  url.format({
+    protocol: req.protocol,
+    host: req.get('x-forwarded-host') || req.get('host')
+  })

api/src/utils/index.ts

@@ -1,6 +1,7 @@
 export * from './appStreamConfig'
 export * from './connectDB'
 export * from './copySASjsCore'
+export * from './desktopAutoExec'
 export * from './extractHeaders'
 export * from './file'
 export * from './generateAccessToken'
@@ -8,12 +9,17 @@ export * from './generateAuthCode'
 export * from './generateRefreshToken'
 export * from './getCertificates'
 export * from './getDesktopFields'
+export * from './getPreProgramVariables'
+export * from './getServerUrl'
+export * from './instantiateLogger'
 export * from './isDebugOn'
 export * from './parseLogToArray'
 export * from './removeTokensInDB'
 export * from './saveTokensInDB'
+export * from './seedDB'
 export * from './setProcessVariables'
-export * from './sleep'
+export * from './setupFolders'
 export * from './upload'
 export * from './validation'
+export * from './verifyEnvVariables'
 export * from './verifyTokenInDB'

api/src/utils/instantiateLogger.ts

@@ -0,0 +1,7 @@
+import { LogLevel, Logger } from '@sasjs/utils/logger'
+
+export const instantiateLogger = () => {
+  const logLevel = (process.env.LOG_LEVEL || LogLevel.Info) as LogLevel
+  const logger = new Logger(logLevel)
+  process.logger = logger
+}

api/src/utils/parseHelmetConfig.ts

@@ -0,0 +1,35 @@
+import path from 'path'
+import fs from 'fs'
+
+export const getEnvCSPDirectives = (
+  HELMET_CSP_CONFIG_PATH: string | undefined
+) => {
+  let cspConfigJson = {
+    'img-src': ["'self'", 'data:'],
+    'script-src': ["'self'", "'unsafe-inline'"],
+    'script-src-attr': ["'self'", "'unsafe-inline'"]
+  }
+
+  if (
+    typeof HELMET_CSP_CONFIG_PATH === 'string' &&
+    HELMET_CSP_CONFIG_PATH.length > 0
+  ) {
+    const cspConfigPath = path.join(process.cwd(), HELMET_CSP_CONFIG_PATH)
+
+    try {
+      let file = fs.readFileSync(cspConfigPath).toString()
+
+      try {
+        cspConfigJson = JSON.parse(file)
+      } catch (e) {
+        console.error(
+          'Parsing Content Security Policy JSON config failed. Make sure it is valid json'
+        )
+      }
+    } catch (e) {
+      console.error('Error reading HELMET CSP config file', e)
+    }
+  }
+
+  return cspConfigJson
+}

api/src/utils/seedDB.ts

@@ -0,0 +1,35 @@
+import Client from '../model/Client'
+import User from '../model/User'
+
+const CLIENT = {
+  clientId: 'clientID1',
+  clientSecret: 'clientSecret'
+}
+const ADMIN_USER = {
+  id: 1,
+  displayName: 'Super Admin',
+  username: 'secretuser',
+  password: '$2a$10$hKvcVEZdhEQZCcxt6npazO6mY4jJkrzWvfQ5stdBZi8VTTwVMCVXO',
+  isAdmin: true,
+  isActive: true
+}
+
+export const seedDB = async () => {
+  // Checking if client is already in the database
+  const clientExist = await Client.findOne({ clientId: CLIENT.clientId })
+  if (!clientExist) {
+    const client = new Client(CLIENT)
+    await client.save()
+
+    console.log(`DB Seed - client created: ${CLIENT.clientId}`)
+  }
+
+  // Checking if user is already in the database
+  const usernameExist = await User.findOne({ username: ADMIN_USER.username })
+  if (!usernameExist) {
+    const user = new User(ADMIN_USER)
+    await user.save()
+
+    console.log(`DB Seed - admin account created: ${ADMIN_USER.username}`)
+  }
+}

api/src/utils/setProcessVariables.ts

@@ -1,31 +1,29 @@
 import path from 'path'
-import { getRealPath } from '@sasjs/utils'
+import { createFolder, getAbsolutePath, getRealPath } from '@sasjs/utils'
 
-import { configuration } from '../../package.json'
-import { getDesktopFields } from '.'
+import { getDesktopFields, ModeType } from '.'
 
 export const setProcessVariables = async () => {
   if (process.env.NODE_ENV === 'test') {
-    process.driveLoc = path.join(process.cwd(), 'tmp')
+    process.driveLoc = path.join(process.cwd(), 'sasjs_root')
     return
   }
 
   const { MODE } = process.env
 
-  if (MODE?.trim() !== 'server') {
-    const { sasLoc, driveLoc } = await getDesktopFields()
+  if (MODE === ModeType.Server) {
+    process.sasLoc = process.env.SAS_PATH as string
+  } else {
+    const { sasLoc } = await getDesktopFields()
 
     process.sasLoc = sasLoc
-    process.driveLoc = driveLoc
-  } else {
-    const { SAS_PATH, DRIVE_PATH } = process.env
-
-    process.sasLoc = SAS_PATH ?? configuration.sasPath
-    process.driveLoc = getRealPath(
-      path.join(process.cwd(), DRIVE_PATH ?? 'tmp')
-    )
   }
 
+  const { SASJS_ROOT } = process.env
+  const absPath = getAbsolutePath(SASJS_ROOT ?? 'sasjs_root', process.cwd())
+  await createFolder(absPath)
+  process.driveLoc = getRealPath(absPath)
+
   console.log('sasLoc: ', process.sasLoc)
   console.log('sasDrive: ', process.driveLoc)
 }

api/src/utils/setupFolders.ts

@@ -0,0 +1,14 @@
+import { createFile, createFolder, fileExists } from '@sasjs/utils'
+import { getDesktopUserAutoExecPath, getFilesFolder } from './file'
+import { ModeType } from './verifyEnvVariables'
+
+export const setupFolders = async () => {
+  const drivePath = getFilesFolder()
+  await createFolder(drivePath)
+
+  if (process.env.MODE === ModeType.Desktop) {
+    if (!(await fileExists(getDesktopUserAutoExecPath()))) {
+      await createFile(getDesktopUserAutoExecPath(), '')
+    }
+  }
+}

api/src/utils/sleep.ts

@@ -1,3 +0,0 @@
-export const sleep = async (delay: number) => {
-  await new Promise((resolve) => setTimeout(resolve, delay))
-}

api/src/utils/validation.ts

@@ -1,14 +1,18 @@
 import Joi from 'joi'
 
-const usernameSchema = Joi.string().alphanum().min(6).max(20)
+const usernameSchema = Joi.string().lowercase().alphanum().min(3).max(16)
 const passwordSchema = Joi.string().min(6).max(1024)
 
 export const blockFileRegex = /\.(exe|sh|htaccess)$/i
 
-export const authorizeValidation = (data: any): Joi.ValidationResult =>
+export const loginWebValidation = (data: any): Joi.ValidationResult =>
   Joi.object({
     username: usernameSchema.required(),
-    password: passwordSchema.required(),
+    password: passwordSchema.required()
+  }).validate(data)
+
+export const authorizeValidation = (data: any): Joi.ValidationResult =>
+  Joi.object({
     clientId: Joi.string().required()
   }).validate(data)
 
@@ -31,7 +35,8 @@ export const registerUserValidation = (data: any): Joi.ValidationResult =>
     username: usernameSchema.required(),
     password: passwordSchema.required(),
     isAdmin: Joi.boolean(),
-    isActive: Joi.boolean()
+    isActive: Joi.boolean(),
+    autoExec: Joi.string().allow('')
   }).validate(data)
 
 export const deleteUserValidation = (
@@ -53,7 +58,8 @@ export const updateUserValidation = (
   const validationChecks: any = {
     displayName: Joi.string().min(6),
     username: usernameSchema,
-    password: passwordSchema
+    password: passwordSchema,
+    autoExec: Joi.string().allow('')
   }
   if (isAdmin) {
     validationChecks.isAdmin = Joi.boolean()
@@ -98,6 +104,11 @@ export const fileParamValidation = (data: any): Joi.ValidationResult =>
     _filePath: filePathSchema
   }).validate(data)
 
+export const folderParamValidation = (data: any): Joi.ValidationResult =>
+  Joi.object({
+    _folderPath: Joi.string()
+  }).validate(data)
+
 export const runSASValidation = (data: any): Joi.ValidationResult =>
   Joi.object({
     code: Joi.string().required()

api/src/utils/verifyEnvVariables.ts

@@ -0,0 +1,211 @@
+export enum ModeType {
+  Server = 'server',
+  Desktop = 'desktop'
+}
+
+export enum ProtocolType {
+  HTTP = 'http',
+  HTTPS = 'https'
+}
+
+export enum CorsType {
+  ENABLED = 'enable',
+  DISABLED = 'disable'
+}
+
+export enum HelmetCoepType {
+  TRUE = 'true',
+  FALSE = 'false'
+}
+
+export enum LOG_FORMAT_MORGANType {
+  Combined = 'combined',
+  Common = 'common',
+  Dev = 'dev',
+  Short = 'short',
+  tiny = 'tiny'
+}
+
+export enum ReturnCode {
+  Success,
+  InvalidEnv
+}
+
+export const verifyEnvVariables = (): ReturnCode => {
+  const errors: string[] = []
+
+  errors.push(...verifyMODE())
+
+  errors.push(...verifyPROTOCOL())
+
+  errors.push(...verifyPORT())
+
+  errors.push(...verifyCORS())
+
+  errors.push(...verifyHELMET_COEP())
+
+  errors.push(...verifyLOG_FORMAT_MORGAN())
+
+  if (errors.length) {
+    process.logger?.error(
+      `Invalid environment variable(s) provided: \n${errors.join('\n')}`
+    )
+    return ReturnCode.InvalidEnv
+  }
+
+  return ReturnCode.Success
+}
+
+const verifyMODE = (): string[] => {
+  const errors: string[] = []
+  const { MODE } = process.env
+
+  if (MODE) {
+    const modeTypes = Object.values(ModeType)
+    if (!modeTypes.includes(MODE as ModeType))
+      errors.push(`- MODE '${MODE}'\n - valid options ${modeTypes}`)
+  } else {
+    process.env.MODE = DEFAULTS.MODE
+  }
+
+  if (process.env.MODE === ModeType.Server) {
+    const {
+      ACCESS_TOKEN_SECRET,
+      REFRESH_TOKEN_SECRET,
+      AUTH_CODE_SECRET,
+      SESSION_SECRET,
+      DB_CONNECT
+    } = process.env
+
+    if (!ACCESS_TOKEN_SECRET)
+      errors.push(
+        `- ACCESS_TOKEN_SECRET is required for PROTOCOL '${ModeType.Server}'`
+      )
+
+    if (!REFRESH_TOKEN_SECRET)
+      errors.push(
+        `- REFRESH_TOKEN_SECRET is required for PROTOCOL '${ModeType.Server}'`
+      )
+
+    if (!AUTH_CODE_SECRET)
+      errors.push(
+        `- AUTH_CODE_SECRET is required for PROTOCOL '${ModeType.Server}'`
+      )
+
+    if (!SESSION_SECRET)
+      errors.push(
+        `- SESSION_SECRET is required for PROTOCOL '${ModeType.Server}'`
+      )
+
+    if (process.env.NODE_ENV !== 'test')
+      if (!DB_CONNECT)
+        errors.push(
+          `- DB_CONNECT is required for PROTOCOL '${ModeType.Server}'`
+        )
+  }
+
+  return errors
+}
+
+const verifyPROTOCOL = (): string[] => {
+  const errors: string[] = []
+  const { PROTOCOL } = process.env
+
+  if (PROTOCOL) {
+    const protocolTypes = Object.values(ProtocolType)
+    if (!protocolTypes.includes(PROTOCOL as ProtocolType))
+      errors.push(`- PROTOCOL '${PROTOCOL}'\n - valid options ${protocolTypes}`)
+  } else {
+    process.env.PROTOCOL = DEFAULTS.PROTOCOL
+  }
+
+  if (process.env.PROTOCOL === ProtocolType.HTTPS) {
+    const { PRIVATE_KEY, FULL_CHAIN } = process.env
+
+    if (!PRIVATE_KEY)
+      errors.push(
+        `- PRIVATE_KEY is required for PROTOCOL '${ProtocolType.HTTPS}'`
+      )
+
+    if (!FULL_CHAIN)
+      errors.push(
+        `- FULL_CHAIN is required for PROTOCOL '${ProtocolType.HTTPS}'`
+      )
+  }
+
+  return errors
+}
+
+const verifyCORS = (): string[] => {
+  const errors: string[] = []
+  const { CORS } = process.env
+
+  if (CORS) {
+    const corsTypes = Object.values(CorsType)
+    if (!corsTypes.includes(CORS as CorsType))
+      errors.push(`- CORS '${CORS}'\n - valid options ${corsTypes}`)
+  } else {
+    const { MODE } = process.env
+    process.env.CORS =
+      MODE === ModeType.Server ? CorsType.DISABLED : CorsType.ENABLED
+  }
+
+  return errors
+}
+
+const verifyPORT = (): string[] => {
+  const errors: string[] = []
+  const { PORT } = process.env
+
+  if (PORT) {
+    if (Number.isNaN(parseInt(PORT)))
+      errors.push(`- PORT '${PORT}'\n - should be a valid number`)
+  } else {
+    process.env.PORT = DEFAULTS.PORT
+  }
+  return errors
+}
+
+const verifyHELMET_COEP = (): string[] => {
+  const errors: string[] = []
+  const { HELMET_COEP } = process.env
+
+  if (HELMET_COEP) {
+    const helmetCoepTypes = Object.values(HelmetCoepType)
+    if (!helmetCoepTypes.includes(HELMET_COEP as HelmetCoepType))
+      errors.push(
+        `- HELMET_COEP '${HELMET_COEP}'\n - valid options ${helmetCoepTypes}`
+      )
+    HELMET_COEP
+  } else {
+    process.env.HELMET_COEP = DEFAULTS.HELMET_COEP
+  }
+  return errors
+}
+
+const verifyLOG_FORMAT_MORGAN = (): string[] => {
+  const errors: string[] = []
+  const { LOG_FORMAT_MORGAN } = process.env
+
+  if (LOG_FORMAT_MORGAN) {
+    const logFormatMorganTypes = Object.values(LOG_FORMAT_MORGANType)
+    if (
+      !logFormatMorganTypes.includes(LOG_FORMAT_MORGAN as LOG_FORMAT_MORGANType)
+    )
+      errors.push(
+        `- LOG_FORMAT_MORGAN '${LOG_FORMAT_MORGAN}'\n - valid options ${logFormatMorganTypes}`
+      )
+    LOG_FORMAT_MORGAN
+  } else {
+    process.env.LOG_FORMAT_MORGAN = DEFAULTS.LOG_FORMAT_MORGAN
+  }
+  return errors
+}
+
+const DEFAULTS = {
+  MODE: ModeType.Desktop,
+  PROTOCOL: ProtocolType.HTTP,
+  PORT: '5000',
+  HELMET_COEP: HelmetCoepType.TRUE,
+  LOG_FORMAT_MORGAN: LOG_FORMAT_MORGANType.Common
+}

api/src/utils/verifyTokenInDB.ts

@@ -1,11 +1,30 @@
 import User from '../model/User'
+import { RequestUser } from '../types'
+
+export const fetchLatestAutoExec = async (
+  reqUser: RequestUser
+): Promise<RequestUser | undefined> => {
+  const dbUser = await User.findOne({ id: reqUser.userId })
+
+  if (!dbUser) return undefined
+
+  return {
+    userId: reqUser.userId,
+    clientId: reqUser.clientId,
+    username: dbUser.username,
+    displayName: dbUser.displayName,
+    isAdmin: dbUser.isAdmin,
+    isActive: dbUser.isActive,
+    autoExec: dbUser.autoExec
+  }
+}
 
 export const verifyTokenInDB = async (
   userId: number,
   clientId: string,
   token: string,
   tokenType: 'accessToken' | 'refreshToken'
-) => {
+): Promise<RequestUser | undefined> => {
   const dbUser = await User.findOne({ id: userId })
 
   if (!dbUser) return undefined
@@ -21,7 +40,8 @@ export const verifyTokenInDB = async (
         username: dbUser.username,
         displayName: dbUser.displayName,
         isAdmin: dbUser.isAdmin,
-        isActive: dbUser.isActive
+        isActive: dbUser.isActive,
+        autoExec: dbUser.autoExec
       }
     : undefined
 }

api/tsoa.json

@@ -11,6 +11,10 @@
       }
     },
     "tags": [
+      {
+        "name": "Info",
+        "description": "Get Server Info"
+      },
       {
         "name": "Session",
         "description": "Get Session information"
@@ -42,6 +46,10 @@
       {
         "name": "CODE",
         "description": "Operations on SAS code"
+      },
+      {
+        "name": "Web",
+        "description": "Operations on Web"
       }
     ],
     "yaml": true,

package.json

@@ -1,13 +1,12 @@
 {
   "name": "server",
-  "version": "0.0.42",
+  "version": "0.0.76",
   "description": "NodeJS wrapper for calling the SAS binary executable",
   "repository": "https://github.com/sasjs/server",
   "scripts": {
     "server": "npm run server:prepare && npm run server:start",
-    "server:prepare": "cd web && npm ci && npm run build && cd ../api && npm ci && cd ..",
-    "server:start": "cd api && npm run start",
-    "release": "standard-version",
+    "server:prepare": "cd web && npm ci && npm run build && cd ../api && npm ci && npm run build && cd ..",
+    "server:start": "cd api && npm run start:prod",
     "lint-api:fix": "npx prettier --write \"api/src/**/*.{ts,tsx,js,jsx,html,css,sass,less,yml,md,graphql}\"",
     "lint-api": "npx prettier --check \"api/src/**/*.{ts,tsx,js,jsx,html,css,sass,less,yml,md,graphql}\"",
     "lint-web:fix": "npx prettier --write \"web/src/**/*.{ts,tsx,js,jsx,html,css,sass,less,yml,md,graphql}\"",
@@ -16,7 +15,9 @@
     "lint:fix": "npm run lint-api:fix && npm run lint-web:fix"
   },
   "devDependencies": {
-    "prettier": "^2.3.1",
-    "standard-version": "^9.3.2"
+    "@semantic-release/changelog": "^6.0.1",
+    "@semantic-release/exec": "^6.0.3",
+    "@semantic-release/git": "^10.0.1",
+    "@semantic-release/github": "^8.0.4"
   }
 }

restClient/drive.rest

@@ -1,3 +1,6 @@
+### Get contents of folder
+GET http://localhost:5000/SASjsApi/drive/folder?_path=/Public/app/react-seed-app/services/web
+
 ###
 POST http://localhost:5000/SASjsApi/drive/deploy
 Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjbGllbnRfaWQiOiJjbGllbnRJRDEiLCJ1c2VybmFtZSI6InVzZXJuYW1lMSIsImlzYWRtaW4iOmZhbHNlLCJpc2FjdGl2ZSI6dHJ1ZSwiaWF0IjoxNjM1ODA0MDc2LCJleHAiOjE2MzU4OTA0NzZ9.Cx1F54ILgAUtnkit0Wg1K1YVO2RdNjOnTKdPhUtDm5I

restClient/session.rest

@@ -1,2 +1,3 @@
-### Get current user's info via access token
+### Get current user's info via session ID
 GET http://localhost:5000/SASjsApi/session
+cookie: connect.sid=s:G2DeFdKuWhnmTOsTHmTWrxAXPx2P6TLD.JyNLxfACC1w3NlFQFfL5chyxtrqbPYmS6iButRc1goE

web/.env.example

@@ -1,2 +1 @@
-PORT_API=[place sasjs server port] default value is 5000
-CLIENT_ID=<place clientId here>
+PORT_API=[place sasjs server port] default value is 5000

web/package.json

@@ -9,7 +9,6 @@
   "dependencies": {
     "@emotion/react": "^11.4.1",
     "@emotion/styled": "^11.3.0",
-    "@monaco-editor/react": "^4.3.1",
     "@mui/icons-material": "^5.0.3",
     "@mui/lab": "^5.0.0-alpha.50",
     "@mui/material": "^5.0.3",
@@ -21,9 +20,14 @@
     "@types/node": "^12.20.28",
     "@types/react": "^17.0.27",
     "axios": "^0.24.0",
+    "monaco-editor": "^0.33.0",
+    "monaco-editor-webpack-plugin": "^7.0.1",
     "react": "^17.0.2",
+    "react-copy-to-clipboard": "^5.1.0",
     "react-dom": "^17.0.2",
-    "react-router-dom": "^5.3.0"
+    "react-monaco-editor": "^0.48.0",
+    "react-router-dom": "^5.3.0",
+    "react-toastify": "^9.0.1"
   },
   "devDependencies": {
     "@babel/core": "^7.16.0",
@@ -35,6 +39,7 @@
     "@types/dotenv-webpack": "^7.0.3",
     "@types/prismjs": "^1.16.6",
     "@types/react": "^17.0.37",
+    "@types/react-copy-to-clipboard": "^5.0.2",
     "@types/react-dom": "^17.0.11",
     "@types/react-router-dom": "^5.3.1",
     "babel-loader": "^8.2.3",

web/src/App.tsx

@@ -1,4 +1,4 @@
-import React from 'react'
+import React, { useContext } from 'react'
 import { Route, HashRouter, Switch } from 'react-router-dom'
 import { ThemeProvider } from '@mui/material/styles'
 import { theme } from './theme'
@@ -8,23 +8,23 @@ import Header from './components/header'
 import Home from './components/home'
 import Drive from './containers/Drive'
 import Studio from './containers/Studio'
+import Settings from './containers/Settings'
 
-import useTokens from './components/useTokens'
+import { AppContext } from './context/appContext'
+import AuthCode from './containers/AuthCode'
+import { ToastContainer } from 'react-toastify'
 
 function App() {
-  const { tokens, setTokens } = useTokens()
+  const appContext = useContext(AppContext)
 
-  if (!tokens) {
+  if (!appContext.loggedIn) {
     return (
       <ThemeProvider theme={theme}>
         <HashRouter>
           <Header />
           <Switch>
-            <Route exact path="/SASjsLogon">
-              <Login getCodeOnly />
-            </Route>
             <Route path="/">
-              <Login setTokens={setTokens} />
+              <Login />
             </Route>
           </Switch>
         </HashRouter>
@@ -46,10 +46,14 @@ function App() {
           <Route exact path="/SASjsStudio">
             <Studio />
           </Route>
+          <Route exact path="/SASjsSettings">
+            <Settings />
+          </Route>
           <Route exact path="/SASjsLogon">
-            <Login getCodeOnly />
+            <AuthCode />
           </Route>
         </Switch>
+        <ToastContainer />
       </HashRouter>
     </ThemeProvider>
   )

web/src/components/header.tsx

@@ -1,26 +1,63 @@
-import React, { useState } from 'react'
+import React, { useState, useEffect, useContext } from 'react'
 import { Link, useHistory, useLocation } from 'react-router-dom'
 
-import AppBar from '@mui/material/AppBar'
-import Toolbar from '@mui/material/Toolbar'
-import Tabs from '@mui/material/Tabs'
-import Tab from '@mui/material/Tab'
-import Button from '@mui/material/Button'
+import {
+  AppBar,
+  Toolbar,
+  Tabs,
+  Tab,
+  Button,
+  Menu,
+  MenuItem
+} from '@mui/material'
 import OpenInNewIcon from '@mui/icons-material/OpenInNew'
+import SettingsIcon from '@mui/icons-material/Settings'
+
+import Username from './username'
+import { AppContext } from '../context/appContext'
 
 const NODE_ENV = process.env.NODE_ENV
 const PORT_API = process.env.PORT_API
 const baseUrl =
   NODE_ENV === 'development' ? `http://localhost:${PORT_API ?? 5000}` : ''
 
+const validTabs = ['/', '/SASjsDrive', '/SASjsStudio']
+
 const Header = (props: any) => {
   const history = useHistory()
   const { pathname } = useLocation()
-  const [tabValue, setTabValue] = useState(pathname)
+  const appContext = useContext(AppContext)
+  const [tabValue, setTabValue] = useState(
+    validTabs.includes(pathname) ? pathname : '/'
+  )
+  const [anchorEl, setAnchorEl] = useState<
+    (EventTarget & HTMLButtonElement) | null
+  >(null)
+
+  useEffect(() => {
+    setTabValue(validTabs.includes(pathname) ? pathname : '/')
+  }, [pathname])
+
+  const handleMenu = (
+    event: React.MouseEvent<HTMLButtonElement, MouseEvent>
+  ) => {
+    setAnchorEl(event.currentTarget)
+  }
+
+  const handleClose = () => {
+    setAnchorEl(null)
+  }
 
   const handleTabChange = (event: React.SyntheticEvent, value: string) => {
     setTabValue(value)
   }
+
+  const handleLogout = () => {
+    if (appContext.logout) {
+      handleClose()
+      appContext.logout()
+    }
+  }
   return (
     <AppBar
       position="fixed"
@@ -28,10 +65,10 @@ const Header = (props: any) => {
     >
       <Toolbar variant="dense">
         <img
-          src="logo-white.png"
+          src="logo.png"
           alt="logo"
           style={{
-            width: '50px',
+            width: '35px',
             cursor: 'pointer',
             marginRight: '25px'
           }}
@@ -81,6 +118,51 @@ const Header = (props: any) => {
         >
           App Stream
         </Button>
+        <div
+          style={{
+            display: 'flex',
+            flexGrow: 1,
+            justifyContent: 'flex-end'
+          }}
+        >
+          <Username
+            username={appContext.displayName || appContext.username}
+            onClickHandler={handleMenu}
+          />
+          <Menu
+            id="menu-appbar"
+            anchorEl={anchorEl}
+            anchorOrigin={{
+              vertical: 'bottom',
+              horizontal: 'center'
+            }}
+            keepMounted
+            transformOrigin={{
+              vertical: 'top',
+              horizontal: 'center'
+            }}
+            open={!!anchorEl}
+            onClose={handleClose}
+          >
+            <MenuItem sx={{ justifyContent: 'center' }}>
+              <Button
+                component={Link}
+                to="/SASjsSettings"
+                onClick={handleClose}
+                variant="contained"
+                color="primary"
+                startIcon={<SettingsIcon />}
+              >
+                Settings
+              </Button>
+            </MenuItem>
+            <MenuItem onClick={handleLogout} sx={{ justifyContent: 'center' }}>
+              <Button variant="contained" color="primary">
+                Logout
+              </Button>
+            </MenuItem>
+          </Menu>
+        </div>
       </Toolbar>
     </AppBar>
   )

web/src/components/login.tsx

@@ -1,96 +1,39 @@
-import React, { useState } from 'react'
-import { useLocation } from 'react-router-dom'
+import axios from 'axios'
+import React, { useState, useContext } from 'react'
 import PropTypes from 'prop-types'
 
-import { CssBaseline, Box, TextField, Button, Typography } from '@mui/material'
+import { CssBaseline, Box, TextField, Button } from '@mui/material'
+import { AppContext } from '../context/appContext'
 
-const headers = {
-  Accept: 'application/json',
-  'Content-Type': 'application/json'
-}
-const NODE_ENV = process.env.NODE_ENV
-const PORT_API = process.env.PORT_API
-const baseUrl =
-  NODE_ENV === 'development' ? `http://localhost:${PORT_API ?? 5000}` : ''
+const login = async (payload: { username: string; password: string }) =>
+  axios.post('/SASLogon/login', payload).then((res) => res.data)
 
-const getAuthCode = async (credentials: any) => {
-  return fetch(`${baseUrl}/SASjsApi/auth/authorize`, {
-    method: 'POST',
-    headers,
-    body: JSON.stringify(credentials)
-  }).then(async (response) => {
-    const resText = await response.text()
-    if (response.status !== 200) throw resText
-
-    return JSON.parse(resText)
-  })
-}
-const getTokens = async (payload: any) => {
-  return fetch(`${baseUrl}/SASjsApi/auth/token`, {
-    method: 'POST',
-    headers,
-    body: JSON.stringify(payload)
-  }).then((data) => data.json())
-}
-
-const Login = ({ setTokens, getCodeOnly }: any) => {
-  const location = useLocation()
-  const [username, setUserName] = useState('')
+const Login = () => {
+  const appContext = useContext(AppContext)
+  const [username, setUsername] = useState('')
   const [password, setPassword] = useState('')
   const [errorMessage, setErrorMessage] = useState('')
-  let error: boolean
-  const [displayCode, setDisplayCode] = useState(null)
 
   const handleSubmit = async (e: any) => {
-    error = false
     setErrorMessage('')
     e.preventDefault()
-    let clientId = process.env.CLIENT_ID
 
-    if (getCodeOnly) {
-      const params = new URLSearchParams(location.search)
-      const responseType = params.get('response_type')
-      if (responseType === 'code')
-        clientId = params.get('client_id') ?? undefined
-    }
-
-    const { code } = await getAuthCode({
-      clientId,
+    const { loggedIn, user } = await login({
       username,
       password
-    }).catch((err: string) => {
-      error = true
-      setErrorMessage(err)
+    }).catch((err: any) => {
+      setErrorMessage(err.response.data)
       return {}
     })
 
-    if (!error) {
-      if (getCodeOnly) return setDisplayCode(code)
-
-      const { accessToken, refreshToken } = await getTokens({
-        clientId,
-        code
-      })
-
-      setTokens(accessToken, refreshToken)
+    if (loggedIn) {
+      appContext.setUserId?.(user.id)
+      appContext.setUsername?.(user.username)
+      appContext.setDisplayName?.(user.displayName)
+      appContext.setLoggedIn?.(loggedIn)
     }
   }
 
-  if (displayCode) {
-    return (
-      <Box className="main">
-        <CssBaseline />
-        <br />
-        <h2>Authorization Code</h2>
-        <Typography m={2} p={3} style={{ overflowWrap: 'anywhere' }}>
-          {displayCode}
-        </Typography>
-
-        <br />
-      </Box>
-    )
-  }
-
   return (
     <Box
       className="main"
@@ -103,19 +46,12 @@ const Login = ({ setTokens, getCodeOnly }: any) => {
       <CssBaseline />
       <br />
       <h2 style={{ width: 'auto' }}>Welcome to SASjs Server!</h2>
-      {getCodeOnly && (
-        <p style={{ width: 'auto' }}>
-          Provide credentials to get authorization code.
-        </p>
-      )}
-      <br />
-
       <TextField
         id="username"
         label="Username"
         type="text"
         variant="outlined"
-        onChange={(e: any) => setUserName(e.target.value)}
+        onChange={(e: any) => setUsername(e.target.value)}
         required
       />
       <TextField
@@ -127,7 +63,11 @@ const Login = ({ setTokens, getCodeOnly }: any) => {
         required
       />
       {errorMessage && <span>{errorMessage}</span>}
-      <Button type="submit" variant="outlined">
+      <Button
+        type="submit"
+        variant="outlined"
+        disabled={!appContext.setLoggedIn}
+      >
         Submit
       </Button>
     </Box>
@@ -135,7 +75,6 @@ const Login = ({ setTokens, getCodeOnly }: any) => {
 }
 
 Login.propTypes = {
-  setTokens: PropTypes.func,
   getCodeOnly: PropTypes.bool
 }