chore(release): 0.0.74

fix: csp updates

.gitignore

@@ -11,3 +11,4 @@ sasjscore/
 certificates/
 executables/
 .env
+api/csp.config.json

CHANGELOG.md

@@ -2,6 +2,38 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+### [0.0.74](https://github.com/sasjs/server/compare/v0.0.73...v0.0.74) (2022-05-12)
+
+
+### Bug Fixes
+
+* csp updates ([7cfa239](https://github.com/sasjs/server/commit/7cfa2398e12c5e515d27c896f36ff91604c2124d))
+
+### [0.0.73](https://github.com/sasjs/server/compare/v0.0.72...v0.0.73) (2022-05-10)
+
+
+### Bug Fixes
+
+* helmet config on http mode ([b0fdaaa](https://github.com/sasjs/server/commit/b0fdaaaa79e3135699c51effac0388d8ec5ab23b))
+
+### [0.0.72](https://github.com/sasjs/server/compare/v0.0.71...v0.0.72) (2022-05-09)
+
+### [0.0.71](https://github.com/sasjs/server/compare/v0.0.70...v0.0.71) (2022-05-07)
+
+
+### Bug Fixes
+
+* added more cookies to req ([4a8e32d](https://github.com/sasjs/server/commit/4a8e32dd20b540b6dc92d749fad90d6c7fc69376))
+* bumping core ([c0b57b9](https://github.com/sasjs/server/commit/c0b57b9e76d6db33fc64a68556a8be979dd69e40))
+* reqHeadrs.txt will contain headers to access APIs ([636301e](https://github.com/sasjs/server/commit/636301e664416fb085f704d83deb7f39ee0a91a7))
+
+### [0.0.70](https://github.com/sasjs/server/compare/v0.0.69...v0.0.70) (2022-05-06)
+
+
+### Features
+
+* CSP_DISABLE env option ([dd3acce](https://github.com/sasjs/server/commit/dd3acce3935e7cfc0b2c44a401314306915a3a10))
+
 ### [0.0.69](https://github.com/sasjs/server/compare/v0.0.68...v0.0.69) (2022-05-02)
 
 

README.md

@@ -48,15 +48,22 @@ When launching the app, it will make use of specific environment variables. Thes
 Example contents of a `.env` file:
 
 ```
-# options: [desktop|server] default: `desktop`
+#
+## Core Settings
+#
+
+
+# MODE options: [desktop|server] default: `desktop`
+# Desktop mode is single user and designed for workstation use
+# Server mode is multi-user and suitable for intranet / internet use
 MODE=
 
-# options: [disable|enable] default: `disable` for `server` & `enable` for `desktop`
-# If enabled, be sure to also configure the WHITELIST of third party servers.
-CORS=
+# Path to SAS executable (sas.exe / sas.sh)
+SAS_PATH=/path/to/sas/executable.exe
 
-# options: <http://localhost:3000 https://abc.com ...> space separated urls
-WHITELIST=
+# Path to working directory
+# This location is for SAS WORK, staged files, DRIVE, configuration etc
+DRIVE_PATH=/tmp
 
 # options: [http|https] default: http
 PROTOCOL=
@@ -65,16 +72,22 @@ PROTOCOL=
 PORT=
 
 
-# optional
-# for MODE: `desktop`, prompts user
-# for MODE: `server` gets value from api/package.json `configuration.sasPath`
-SAS_PATH=/path/to/sas/executable.exe
+#
+## Additional SAS Options
+#
 
 
-# optional
-# for MODE: `desktop`, prompts user
-# for MODE: `server` defaults to /tmp
-DRIVE_PATH=/tmp
+# On windows use SAS_OPTIONS and on unix use SASV9_OPTIONS
+# Any options set here are automatically applied in the SAS session
+# See: https://documentation.sas.com/doc/en/pgmsascdc/9.4_3.5/hostunx/p0wrdmqp8k0oyyn1xbx3bp3qy2wl.htm
+# And: https://documentation.sas.com/doc/en/pgmsascdc/9.4_3.5/hostwin/p0drw76qo0gig2n1kcoliekh605k.htm#p09y7hx0grw1gin1giuvrjyx61m6
+SAS_OPTIONS= -NOXCMD
+SASV9_OPTIONS= -NOXCMD
+
+
+#
+## Additional Web Server Options
+#
 
 # ENV variables required for PROTOCOL: `https`
 PRIVATE_KEY=privkey.pem
@@ -87,13 +100,30 @@ AUTH_CODE_SECRET=<secret>
 SESSION_SECRET=<secret>
 DB_CONNECT=mongodb+srv://<DB_USERNAME>:<DB_PASSWORD>@<CLUSTER>/<DB_NAME>?retryWrites=true&w=majority
 
-# SAS Options
-# On windows use SAS_OPTIONS and on unix use SASV9_OPTIONS
-# Any options set here are automatically applied in the SAS session
-# See: https://documentation.sas.com/doc/en/pgmsascdc/9.4_3.5/hostunx/p0wrdmqp8k0oyyn1xbx3bp3qy2wl.htm
-# And: https://documentation.sas.com/doc/en/pgmsascdc/9.4_3.5/hostwin/p0drw76qo0gig2n1kcoliekh605k.htm#p09y7hx0grw1gin1giuvrjyx61m6
-SAS_OPTIONS= -NOXCMD
-SASV9_OPTIONS= -NOXCMD
+# options: [disable|enable] default: `disable` for `server` & `enable` for `desktop`
+# If enabled, be sure to also configure the WHITELIST of third party servers.
+CORS=
+
+# options: <http://localhost:3000 https://abc.com ...> space separated urls
+WHITELIST=
+
+# HELMET Cross Origin Embedder Policy
+# Sets the Cross-Origin-Embedder-Policy header to require-corp when `true`
+# options: [true|false] default: true
+# Docs: https://helmetjs.github.io/#reference (`crossOriginEmbedderPolicy`)
+HELMET_COEP=
+
+# HELMET Content Security Policy
+# Path to a json file containing HELMET `contentSecurityPolicy` directives
+# Docs: https://helmetjs.github.io/#reference
+#
+# Example config:
+# {
+#   "img-src": ["'self'", "data:"],
+#   "script-src": ["'self'", "'unsafe-inline'"],
+#   "script-src-attr": ["'self'", "'unsafe-inline'"]
+# }
+HELMET_CSP_CONFIG_PATH=./csp.config.json
 
 ```
 

api/.env.example

@@ -8,6 +8,9 @@ FULL_CHAIN=fullchain.pem
 
 PORT=[5000] default value is 5000
 
+HELMET_CSP_CONFIG_PATH=./csp.config.json if omitted HELMET default will be used
+HELMET_COEP=[true|false] if omitted HELMET default will be used
+
 ACCESS_TOKEN_SECRET=<secret>
 REFRESH_TOKEN_SECRET=<secret>
 AUTH_CODE_SECRET=<secret>

api/csp.config.example.json

@@ -0,0 +1,5 @@
+{
+  "img-src": ["'self'", "data:"],
+  "script-src": ["'self'", "'unsafe-inline'"],
+  "script-src-attr": ["'self'", "'unsafe-inline'"]
+}

api/package-lock.json

@@ -8,7 +8,7 @@
       "name": "api",
       "version": "0.0.2",
       "dependencies": {
-        "@sasjs/core": "^4.19.0",
+        "@sasjs/core": "^4.23.1",
         "@sasjs/utils": "2.42.1",
         "bcryptjs": "^2.4.3",
         "connect-mongo": "^4.6.0",
@@ -1385,9 +1385,9 @@
       }
     },
     "node_modules/@sasjs/core": {
-      "version": "4.19.0",
-      "resolved": "https://registry.npmjs.org/@sasjs/core/-/core-4.19.0.tgz",
-      "integrity": "sha512-vG2YHJveQUQqN0YBhapXb8y+Qp4OniHzRedlqKRxyL0Pc+kwXx5co4Vo+dcOI5/MX0p+8oERP2aCR77s4FEUJg=="
+      "version": "4.23.1",
+      "resolved": "https://registry.npmjs.org/@sasjs/core/-/core-4.23.1.tgz",
+      "integrity": "sha512-9d6yEPJRRvPLMUkpyaiQ62SXNMMyt2l815jxWgFjnVOxKeUQv9TPyZqZ0FpmWdVe6EY8dv8GLlyaBpOLDnY6Vg=="
     },
     "node_modules/@sasjs/utils": {
       "version": "2.42.1",
@@ -11358,9 +11358,9 @@
       }
     },
     "@sasjs/core": {
-      "version": "4.19.0",
-      "resolved": "https://registry.npmjs.org/@sasjs/core/-/core-4.19.0.tgz",
-      "integrity": "sha512-vG2YHJveQUQqN0YBhapXb8y+Qp4OniHzRedlqKRxyL0Pc+kwXx5co4Vo+dcOI5/MX0p+8oERP2aCR77s4FEUJg=="
+      "version": "4.23.1",
+      "resolved": "https://registry.npmjs.org/@sasjs/core/-/core-4.23.1.tgz",
+      "integrity": "sha512-9d6yEPJRRvPLMUkpyaiQ62SXNMMyt2l815jxWgFjnVOxKeUQv9TPyZqZ0FpmWdVe6EY8dv8GLlyaBpOLDnY6Vg=="
     },
     "@sasjs/utils": {
       "version": "2.42.1",

api/package.json

@@ -47,7 +47,7 @@
   },
   "author": "4GL Ltd",
   "dependencies": {
-    "@sasjs/core": "^4.19.0",
+    "@sasjs/core": "^4.23.1",
     "@sasjs/utils": "2.42.1",
     "bcryptjs": "^2.4.3",
     "connect-mongo": "^4.6.0",

api/src/app.ts

@@ -17,6 +17,7 @@ import {
   setProcessVariables,
   setupFolders
 } from './utils'
+import { getEnvCSPDirectives } from './utils/parseHelmetConfig'
 
 dotenv.config()
 
@@ -25,7 +26,8 @@ const app = express()
 app.use(cookieParser())
 app.use(morgan('tiny'))
 
-const { MODE, CORS, WHITELIST, PROTOCOL } = process.env
+const { MODE, CORS, WHITELIST, PROTOCOL, HELMET_CSP_CONFIG_PATH, HELMET_COEP } =
+  process.env
 
 export const cookieOptions = {
   secure: PROTOCOL === 'https',
@@ -33,6 +35,13 @@ export const cookieOptions = {
   maxAge: 24 * 60 * 60 * 1000 // 24 hours
 }
 
+const cspConfigJson: { [key: string]: string[] | null } = getEnvCSPDirectives(
+  HELMET_CSP_CONFIG_PATH
+)
+const coepFlag =
+  HELMET_COEP === 'true' || HELMET_COEP === undefined ? true : false
+if (PROTOCOL === 'http') cspConfigJson['upgrade-insecure-requests'] = null
+
 /***********************************
  *         CSRF Protection         *
  ***********************************/
@@ -46,9 +55,10 @@ app.use(
     contentSecurityPolicy: {
       directives: {
         ...helmet.contentSecurityPolicy.getDefaultDirectives(),
-        'script-src': ["'self'", "'unsafe-inline'"]
+        ...cspConfigJson
       }
-    }
+    },
+    crossOriginEmbedderPolicy: coepFlag
   })
 )
 

api/src/controllers/code.ts

@@ -3,7 +3,7 @@ import { Request, Security, Route, Tags, Post, Body } from 'tsoa'
 import { ExecuteReturnJson, ExecutionController } from './internal'
 import { PreProgramVars } from '../types'
 import { ExecuteReturnJsonResponse } from '.'
-import { parseLogToArray } from '../utils'
+import { getPreProgramVariables, parseLogToArray } from '../utils'
 
 interface ExecuteSASCodePayload {
   /**
@@ -56,16 +56,3 @@ const executeSASCode = async (req: any, { code }: ExecuteSASCodePayload) => {
     }
   }
 }
-
-const getPreProgramVariables = (req: any): PreProgramVars => {
-  const host = req.get('host')
-  const protocol = req.protocol + '://'
-  const { user, accessToken } = req
-  return {
-    username: user.username,
-    userId: user.userId,
-    displayName: user.displayName,
-    serverUrl: protocol + host,
-    accessToken
-  }
-}

api/src/controllers/internal/Execution.ts

@@ -75,12 +75,12 @@ export class ExecutionController {
     const logPath = path.join(session.path, 'log.log')
     const headersPath = path.join(session.path, 'stpsrv_header.txt')
     const weboutPath = path.join(session.path, 'webout.txt')
-    const tokenFile = path.join(session.path, 'accessToken.txt')
+    const tokenFile = path.join(session.path, 'reqHeaders.txt')
 
     await createFile(weboutPath, '')
     await createFile(
       tokenFile,
-      preProgramVariables?.accessToken ?? 'accessToken'
+      preProgramVariables?.httpHeaders.join('\n') ?? ''
     )
 
     const varStatments = Object.keys(vars).reduce(

api/src/controllers/stp.ts

@@ -17,8 +17,8 @@ import {
   ExecutionController,
   ExecutionVars
 } from './internal'
-import { PreProgramVars } from '../types'
 import {
+  getPreProgramVariables,
   getTmpFilesFolderPath,
   HTTPHeaders,
   isDebugOn,
@@ -210,16 +210,3 @@ const executeReturnJson = async (
     }
   }
 }
-
-const getPreProgramVariables = (req: any): PreProgramVars => {
-  const host = req.get('host')
-  const protocol = req.protocol + '://'
-  const { user, accessToken } = req
-  return {
-    username: user.username,
-    userId: user.userId,
-    displayName: user.displayName,
-    serverUrl: protocol + host,
-    accessToken
-  }
-}

api/src/types/PreProgramVars.ts

@@ -3,5 +3,5 @@ export interface PreProgramVars {
   userId: number
   displayName: string
   serverUrl: string
-  accessToken: string
+  httpHeaders: string[]
 }

api/src/utils/getPreProgramVariables.ts

@@ -0,0 +1,29 @@
+import { PreProgramVars } from '../types'
+
+export const getPreProgramVariables = (req: any): PreProgramVars => {
+  const host = req.get('host')
+  const protocol = req.protocol + '://'
+  const { user, accessToken } = req
+  const csrfToken = req.headers['x-xsrf-token']
+  const sessionId = req.cookies['connect.sid']
+  const { _csrf } = req.cookies
+
+  const httpHeaders: string[] = []
+
+  if (accessToken) httpHeaders.push(`Authorization: Bearer ${accessToken}`)
+  if (csrfToken) httpHeaders.push(`x-xsrf-token: ${csrfToken}`)
+
+  const cookies: string[] = []
+  if (sessionId) cookies.push(`connect.sid=${sessionId}`)
+  if (_csrf) cookies.push(`_csrf=${_csrf}`)
+
+  if (cookies.length) httpHeaders.push(`cookie: ${cookies.join('; ')}`)
+
+  return {
+    username: user.username,
+    userId: user.userId,
+    displayName: user.displayName,
+    serverUrl: protocol + host,
+    httpHeaders
+  }
+}

api/src/utils/index.ts

@@ -8,6 +8,7 @@ export * from './generateAuthCode'
 export * from './generateRefreshToken'
 export * from './getCertificates'
 export * from './getDesktopFields'
+export * from './getPreProgramVariables'
 export * from './isDebugOn'
 export * from './parseLogToArray'
 export * from './removeTokensInDB'

api/src/utils/parseHelmetConfig.ts

@@ -0,0 +1,35 @@
+import path from 'path'
+import fs from 'fs'
+
+export const getEnvCSPDirectives = (
+  HELMET_CSP_CONFIG_PATH: string | undefined
+) => {
+  let cspConfigJson = {
+    'img-src': ["'self'", 'data:'],
+    'script-src': ["'self'", "'unsafe-inline'"],
+    'script-src-attr': ["'self'", "'unsafe-inline'"]
+  }
+
+  if (
+    typeof HELMET_CSP_CONFIG_PATH === 'string' &&
+    HELMET_CSP_CONFIG_PATH.length > 0
+  ) {
+    const cspConfigPath = path.join(process.cwd(), HELMET_CSP_CONFIG_PATH)
+
+    try {
+      let file = fs.readFileSync(cspConfigPath).toString()
+
+      try {
+        cspConfigJson = JSON.parse(file)
+      } catch (e) {
+        console.error(
+          'Parsing Content Security Policy JSON config failed. Make sure it is valid json'
+        )
+      }
+    } catch (e) {
+      console.error('Error reading HELMET CSP config file', e)
+    }
+  }
+
+  return cspConfigJson
+}

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "server",
-  "version": "0.0.69",
+  "version": "0.0.74",
   "lockfileVersion": 2,
   "requires": true,
   "packages": {
     "": {
       "name": "server",
-      "version": "0.0.69",
+      "version": "0.0.74",
       "devDependencies": {
         "prettier": "^2.3.1",
         "standard-version": "^9.3.2"

package.json

@@ -1,6 +1,6 @@
 {
   "name": "server",
-  "version": "0.0.69",
+  "version": "0.0.74",
   "description": "NodeJS wrapper for calling the SAS binary executable",
   "repository": "https://github.com/sasjs/server",
   "scripts": {

restClient/session.rest

@@ -1,2 +1,3 @@
-### Get current user's info via access token
+### Get current user's info via session ID
 GET http://localhost:5000/SASjsApi/session
+cookie: connect.sid=s:G2DeFdKuWhnmTOsTHmTWrxAXPx2P6TLD.JyNLxfACC1w3NlFQFfL5chyxtrqbPYmS6iButRc1goE

web/package-lock.json

@@ -21,6 +21,7 @@
         "@types/node": "^12.20.28",
         "@types/react": "^17.0.27",
         "axios": "^0.24.0",
+        "monaco-editor": "^0.33.0",
         "monaco-editor-webpack-plugin": "^7.0.1",
         "react": "^17.0.2",
         "react-dom": "^17.0.2",
@@ -8422,8 +8423,7 @@
     "node_modules/monaco-editor": {
       "version": "0.33.0",
       "resolved": "https://registry.npmjs.org/monaco-editor/-/monaco-editor-0.33.0.tgz",
-      "integrity": "sha512-VcRWPSLIUEgQJQIE0pVT8FcGBIgFoxz7jtqctE+IiCxWugD0DwgyQBcZBhdSrdMC84eumoqMZsGl2GTreOzwqw==",
-      "peer": true
+      "integrity": "sha512-VcRWPSLIUEgQJQIE0pVT8FcGBIgFoxz7jtqctE+IiCxWugD0DwgyQBcZBhdSrdMC84eumoqMZsGl2GTreOzwqw=="
     },
     "node_modules/monaco-editor-webpack-plugin": {
       "version": "7.0.1",
@@ -17505,8 +17505,7 @@
     "monaco-editor": {
       "version": "0.33.0",
       "resolved": "https://registry.npmjs.org/monaco-editor/-/monaco-editor-0.33.0.tgz",
-      "integrity": "sha512-VcRWPSLIUEgQJQIE0pVT8FcGBIgFoxz7jtqctE+IiCxWugD0DwgyQBcZBhdSrdMC84eumoqMZsGl2GTreOzwqw==",
-      "peer": true
+      "integrity": "sha512-VcRWPSLIUEgQJQIE0pVT8FcGBIgFoxz7jtqctE+IiCxWugD0DwgyQBcZBhdSrdMC84eumoqMZsGl2GTreOzwqw=="
     },
     "monaco-editor-webpack-plugin": {
       "version": "7.0.1",

web/package.json

@@ -20,6 +20,7 @@
     "@types/node": "^12.20.28",
     "@types/react": "^17.0.27",
     "axios": "^0.24.0",
+    "monaco-editor": "^0.33.0",
     "monaco-editor-webpack-plugin": "^7.0.1",
     "react": "^17.0.2",
     "react-dom": "^17.0.2",