chore: specified domain for cookie

## [0.21.7](https://github.com/sasjs/server/compare/v0.21.6...v0.21.7) (2022-09-30)

### Bug Fixes

* csrf package is changed to pillarjs-csrf ([fe3e508](fe3e5088f8))

CHANGELOG.md

@@ -1,3 +1,46 @@
+## [0.21.7](https://github.com/sasjs/server/compare/v0.21.6...v0.21.7) (2022-09-30)
+
+
+### Bug Fixes
+
+* csrf package is changed to pillarjs-csrf ([fe3e508](https://github.com/sasjs/server/commit/fe3e5088f8dfff50042ec8e8aac9ba5ba1394deb))
+
+## [0.21.6](https://github.com/sasjs/server/compare/v0.21.5...v0.21.6) (2022-09-23)
+
+
+### Bug Fixes
+
+* in getTokensFromDB handle the scenario when tokens are expired ([40f95f9](https://github.com/sasjs/server/commit/40f95f9072c8685910138d88fd2410f8704fc975))
+
+## [0.21.5](https://github.com/sasjs/server/compare/v0.21.4...v0.21.5) (2022-09-22)
+
+
+### Bug Fixes
+
+* made files extensions case insensitive ([2496043](https://github.com/sasjs/server/commit/249604384e42be4c12c88c70a7dff90fc1917a8f))
+
+## [0.21.4](https://github.com/sasjs/server/compare/v0.21.3...v0.21.4) (2022-09-21)
+
+
+### Bug Fixes
+
+* removing single quotes from _program value ([a0e7875](https://github.com/sasjs/server/commit/a0e7875ae61cbb6e7d3995d2e36e7300b0daec86))
+
+## [0.21.3](https://github.com/sasjs/server/compare/v0.21.2...v0.21.3) (2022-09-21)
+
+
+### Bug Fixes
+
+* return same tokens if not expired ([330c020](https://github.com/sasjs/server/commit/330c020933f1080261b38f07d6b627f6d7c62446))
+
+## [0.21.2](https://github.com/sasjs/server/compare/v0.21.1...v0.21.2) (2022-09-20)
+
+
+### Bug Fixes
+
+* default content-type for sas programs should be text/plain ([9977c9d](https://github.com/sasjs/server/commit/9977c9d161947b11d45ab2513f99a5320a3f5a06))
+* **studio:** inject program path to code before sending for execution ([edc2e2a](https://github.com/sasjs/server/commit/edc2e2a302ccea4985f3d6b83ef8c23620ab82b6))
+
 ## [0.21.1](https://github.com/sasjs/server/compare/v0.21.0...v0.21.1) (2022-09-19)
 
 

api/.env.example

@@ -1,5 +1,6 @@
 MODE=[desktop|server] default considered as desktop
 CORS=[disable|enable] default considered as disable for server MODE & enable for desktop MODE
+ALLOWED_DOMAINS=<space separated urls, each starting with protocol `http` or `https`>
 WHITELIST=<space separated urls, each starting with protocol `http` or `https`>
 
 PROTOCOL=[http|https] default considered as http

api/package-lock.json

@@ -14,7 +14,6 @@
         "connect-mongo": "^4.6.0",
         "cookie-parser": "^1.4.6",
         "cors": "^2.8.5",
-        "csurf": "^1.11.0",
         "express": "^4.17.1",
         "express-session": "^1.17.2",
         "helmet": "^5.0.2",
@@ -37,7 +36,6 @@
         "@types/bcryptjs": "^2.4.2",
         "@types/cookie-parser": "^1.4.2",
         "@types/cors": "^2.8.12",
-        "@types/csurf": "^1.11.2",
         "@types/express": "^4.17.12",
         "@types/express-session": "^1.17.4",
         "@types/jest": "^26.0.24",
@@ -50,6 +48,7 @@
         "@types/swagger-ui-express": "^4.1.3",
         "@types/unzipper": "^0.10.5",
         "adm-zip": "^0.5.9",
+        "csrf": "^3.1.0",
         "dotenv": "^10.0.0",
         "http-headers-validation": "^0.0.1",
         "jest": "^27.0.6",
@@ -1833,15 +1832,6 @@
       "integrity": "sha512-vt+kDhq/M2ayberEtJcIN/hxXy1Pk+59g2FV/ZQceeaTyCtCucjL2Q7FXlFjtWn4n15KCr1NE2lNNFhp0lEThw==",
       "dev": true
     },
-    "node_modules/@types/csurf": {
-      "version": "1.11.2",
-      "resolved": "https://registry.npmjs.org/@types/csurf/-/csurf-1.11.2.tgz",
-      "integrity": "sha512-9bc98EnwmC1S0aSJiA8rWwXtgXtXHHOQOsGHptImxFgqm6CeH+mIOunHRg6+/eg2tlmDMX3tY7XrWxo2M/nUNQ==",
-      "dev": true,
-      "dependencies": {
-        "@types/express-serve-static-core": "*"
-      }
-    },
     "node_modules/@types/express": {
       "version": "4.17.12",
       "resolved": "https://registry.npmjs.org/@types/express/-/express-4.17.12.tgz",
@@ -3336,6 +3326,7 @@
       "version": "3.1.0",
       "resolved": "https://registry.npmjs.org/csrf/-/csrf-3.1.0.tgz",
       "integrity": "sha512-uTqEnCvWRk042asU6JtapDTcJeeailFy4ydOQS28bj1hcLnYRiqi8SsD2jS412AY1I/4qdOwWZun774iqywf9w==",
+      "dev": true,
       "dependencies": {
         "rndm": "1.2.0",
         "tsscmp": "1.0.6",
@@ -3369,40 +3360,6 @@
       "integrity": "sha512-b0tGHbfegbhPJpxpiBPU2sCkigAqtM9O121le6bbOlgyV+NyGyCmVfJ6QW9eRjz8CpNfWEOYBIMIGRYkLwsIYg==",
       "dev": true
     },
-    "node_modules/csurf": {
-      "version": "1.11.0",
-      "resolved": "https://registry.npmjs.org/csurf/-/csurf-1.11.0.tgz",
-      "integrity": "sha512-UCtehyEExKTxgiu8UHdGvHj4tnpE/Qctue03Giq5gPgMQ9cg/ciod5blZQ5a4uCEenNQjxyGuzygLdKUmee/bQ==",
-      "dependencies": {
-        "cookie": "0.4.0",
-        "cookie-signature": "1.0.6",
-        "csrf": "3.1.0",
-        "http-errors": "~1.7.3"
-      },
-      "engines": {
-        "node": ">= 0.8.0"
-      }
-    },
-    "node_modules/csurf/node_modules/http-errors": {
-      "version": "1.7.3",
-      "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-1.7.3.tgz",
-      "integrity": "sha512-ZTTX0MWrsQ2ZAhA1cejAwDLycFsd7I7nVtnkT3Ol0aqodaKW+0CTZDQ1uBv5whptCnc8e8HeRRJxRs0kmm/Qfw==",
-      "dependencies": {
-        "depd": "~1.1.2",
-        "inherits": "2.0.4",
-        "setprototypeof": "1.1.1",
-        "statuses": ">= 1.5.0 < 2",
-        "toidentifier": "1.0.0"
-      },
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/csurf/node_modules/inherits": {
-      "version": "2.0.4",
-      "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz",
-      "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ=="
-    },
     "node_modules/csv-stringify": {
       "version": "5.6.5",
       "resolved": "https://registry.npmjs.org/csv-stringify/-/csv-stringify-5.6.5.tgz",
@@ -8377,7 +8334,8 @@
     "node_modules/rndm": {
       "version": "1.2.0",
       "resolved": "https://registry.npmjs.org/rndm/-/rndm-1.2.0.tgz",
-      "integrity": "sha1-8z/pz7Urv9UgqhgyO8ZdsRCht2w="
+      "integrity": "sha1-8z/pz7Urv9UgqhgyO8ZdsRCht2w=",
+      "dev": true
     },
     "node_modules/rotating-file-stream": {
       "version": "3.0.4",
@@ -9389,6 +9347,7 @@
       "version": "1.0.6",
       "resolved": "https://registry.npmjs.org/tsscmp/-/tsscmp-1.0.6.tgz",
       "integrity": "sha512-LxhtAkPDTkVCMQjt2h6eBVY28KCjikZqZfMcC15YBeNjkgUpdCfBu5HoiOTDu86v6smE8yOjyEktJ8hlbANHQA==",
+      "dev": true,
       "engines": {
         "node": ">=0.6.x"
       }
@@ -11361,15 +11320,6 @@
       "integrity": "sha512-vt+kDhq/M2ayberEtJcIN/hxXy1Pk+59g2FV/ZQceeaTyCtCucjL2Q7FXlFjtWn4n15KCr1NE2lNNFhp0lEThw==",
       "dev": true
     },
-    "@types/csurf": {
-      "version": "1.11.2",
-      "resolved": "https://registry.npmjs.org/@types/csurf/-/csurf-1.11.2.tgz",
-      "integrity": "sha512-9bc98EnwmC1S0aSJiA8rWwXtgXtXHHOQOsGHptImxFgqm6CeH+mIOunHRg6+/eg2tlmDMX3tY7XrWxo2M/nUNQ==",
-      "dev": true,
-      "requires": {
-        "@types/express-serve-static-core": "*"
-      }
-    },
     "@types/express": {
       "version": "4.17.12",
       "resolved": "https://registry.npmjs.org/@types/express/-/express-4.17.12.tgz",
@@ -12584,6 +12534,7 @@
       "version": "3.1.0",
       "resolved": "https://registry.npmjs.org/csrf/-/csrf-3.1.0.tgz",
       "integrity": "sha512-uTqEnCvWRk042asU6JtapDTcJeeailFy4ydOQS28bj1hcLnYRiqi8SsD2jS412AY1I/4qdOwWZun774iqywf9w==",
+      "dev": true,
       "requires": {
         "rndm": "1.2.0",
         "tsscmp": "1.0.6",
@@ -12613,36 +12564,6 @@
         }
       }
     },
-    "csurf": {
-      "version": "1.11.0",
-      "resolved": "https://registry.npmjs.org/csurf/-/csurf-1.11.0.tgz",
-      "integrity": "sha512-UCtehyEExKTxgiu8UHdGvHj4tnpE/Qctue03Giq5gPgMQ9cg/ciod5blZQ5a4uCEenNQjxyGuzygLdKUmee/bQ==",
-      "requires": {
-        "cookie": "0.4.0",
-        "cookie-signature": "1.0.6",
-        "csrf": "3.1.0",
-        "http-errors": "~1.7.3"
-      },
-      "dependencies": {
-        "http-errors": {
-          "version": "1.7.3",
-          "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-1.7.3.tgz",
-          "integrity": "sha512-ZTTX0MWrsQ2ZAhA1cejAwDLycFsd7I7nVtnkT3Ol0aqodaKW+0CTZDQ1uBv5whptCnc8e8HeRRJxRs0kmm/Qfw==",
-          "requires": {
-            "depd": "~1.1.2",
-            "inherits": "2.0.4",
-            "setprototypeof": "1.1.1",
-            "statuses": ">= 1.5.0 < 2",
-            "toidentifier": "1.0.0"
-          }
-        },
-        "inherits": {
-          "version": "2.0.4",
-          "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz",
-          "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ=="
-        }
-      }
-    },
     "csv-stringify": {
       "version": "5.6.5",
       "resolved": "https://registry.npmjs.org/csv-stringify/-/csv-stringify-5.6.5.tgz",
@@ -16379,7 +16300,8 @@
     "rndm": {
       "version": "1.2.0",
       "resolved": "https://registry.npmjs.org/rndm/-/rndm-1.2.0.tgz",
-      "integrity": "sha1-8z/pz7Urv9UgqhgyO8ZdsRCht2w="
+      "integrity": "sha1-8z/pz7Urv9UgqhgyO8ZdsRCht2w=",
+      "dev": true
     },
     "rotating-file-stream": {
       "version": "3.0.4",
@@ -17134,7 +17056,8 @@
     "tsscmp": {
       "version": "1.0.6",
       "resolved": "https://registry.npmjs.org/tsscmp/-/tsscmp-1.0.6.tgz",
-      "integrity": "sha512-LxhtAkPDTkVCMQjt2h6eBVY28KCjikZqZfMcC15YBeNjkgUpdCfBu5HoiOTDu86v6smE8yOjyEktJ8hlbANHQA=="
+      "integrity": "sha512-LxhtAkPDTkVCMQjt2h6eBVY28KCjikZqZfMcC15YBeNjkgUpdCfBu5HoiOTDu86v6smE8yOjyEktJ8hlbANHQA==",
+      "dev": true
     },
     "tunnel-agent": {
       "version": "0.6.0",

api/package.json

@@ -53,7 +53,6 @@
     "connect-mongo": "^4.6.0",
     "cookie-parser": "^1.4.6",
     "cors": "^2.8.5",
-    "csurf": "^1.11.0",
     "express": "^4.17.1",
     "express-session": "^1.17.2",
     "helmet": "^5.0.2",
@@ -73,7 +72,6 @@
     "@types/bcryptjs": "^2.4.2",
     "@types/cookie-parser": "^1.4.2",
     "@types/cors": "^2.8.12",
-    "@types/csurf": "^1.11.2",
     "@types/express": "^4.17.12",
     "@types/express-session": "^1.17.4",
     "@types/jest": "^26.0.24",
@@ -86,6 +84,7 @@
     "@types/swagger-ui-express": "^4.1.3",
     "@types/unzipper": "^0.10.5",
     "adm-zip": "^0.5.9",
+    "csrf": "^3.1.0",
     "dotenv": "^10.0.0",
     "http-headers-validation": "^0.0.1",
     "jest": "^27.0.6",

api/public/swagger.yaml

@@ -660,10 +660,10 @@ paths:
                                 anyOf:
                                     - {type: string}
                                     - {type: string, format: byte}
-            description: 'Execute SAS code.'
-            summary: 'Run SAS Code and returns log'
+            description: 'Execute Code on the Specified Runtime'
+            summary: 'Run Code and Return Webout Content and Log'
             tags:
-                - CODE
+                - Code
             security:
                 -
                     bearerAuth: []
@@ -1658,8 +1658,8 @@ paths:
                                 anyOf:
                                     - {type: string}
                                     - {type: string, format: byte}
-            description: "Trigger a SAS or JS program using the _program URL parameter.\n\nAccepts URL parameters and file uploads.  For more details, see docs:\n\nhttps://server.sasjs.io/storedprograms"
-            summary: 'Execute a Stored Program, returns raw _webout content.'
+            description: "Trigger a Stored Program using the _program URL parameter.\n\nAccepts URL parameters and file uploads.  For more details, see docs:\n\nhttps://server.sasjs.io/storedprograms"
+            summary: 'Execute a Stored Program, returns _webout and (optionally) log.'
             tags:
                 - STP
             security:
@@ -1667,7 +1667,7 @@ paths:
                     bearerAuth: []
             parameters:
                 -
-                    description: 'Location of SAS or JS code'
+                    description: 'Location of code in SASjs Drive'
                     in: query
                     name: _program
                     required: true
@@ -1685,8 +1685,8 @@ paths:
                                 anyOf:
                                     - {type: string}
                                     - {type: string, format: byte}
-            description: "Trigger a SAS or JS program using the _program URL parameter.\n\nAccepts URL parameters and file uploads.  For more details, see docs:\n\nhttps://server.sasjs.io/storedprograms\n\nThe response will be a JSON object with the following root attributes:\nlog, webout, headers.\n\nThe webout attribute will be nested JSON ONLY if the response-header\ncontains a content-type of application/json AND it is valid JSON.\nOtherwise it will be a stringified version of the webout content."
-            summary: 'Execute a Stored Program, return a JSON object'
+            description: "Trigger a Stored Program using the _program URL parameter.\n\nAccepts URL parameters and file uploads.  For more details, see docs:\n\nhttps://server.sasjs.io/storedprograms"
+            summary: 'Execute a Stored Program, returns _webout and (optionally) log.'
             tags:
                 - STP
             security:
@@ -1694,7 +1694,7 @@ paths:
                     bearerAuth: []
             parameters:
                 -
-                    description: 'Location of SAS or JS code'
+                    description: 'Location of code in SASjs Drive'
                     in: query
                     name: _program
                     required: false
@@ -1798,7 +1798,7 @@ tags:
         name: Client
         description: 'Operations about clients'
     -
-        name: CODE
+        name: Code
         description: 'Execution of code (various runtimes are supported)'
     -
         name: Drive

api/src/app-modules/configureCors.ts

@@ -3,10 +3,21 @@ import cors from 'cors'
 import { CorsType } from '../utils'
 
 export const configureCors = (app: Express) => {
+  const { CORS } = process.env
+
+  if (CORS === CorsType.ENABLED) {
+    const whiteList = getWhiteListed()
+
+    console.log('All CORS Requests are enabled for:', whiteList)
+    app.use(cors({ credentials: true, origin: whiteList }))
+  }
+}
+
+export const getWhiteListed = (): string[] => {
+  const whiteList: string[] = []
   const { CORS, WHITELIST } = process.env
 
   if (CORS === CorsType.ENABLED) {
-    const whiteList: string[] = []
     WHITELIST?.split(' ')
       ?.filter((url) => !!url)
       .forEach((url) => {
@@ -14,8 +25,6 @@ export const configureCors = (app: Express) => {
           // removing trailing slash of URLs listing for CORS
           whiteList.push(url.replace(/\/$/, ''))
       })
-
-    console.log('All CORS Requests are enabled for:', whiteList)
-    app.use(cors({ credentials: true, origin: whiteList }))
   }
+  return whiteList
 }

api/src/app-modules/configureDomains.ts

@@ -0,0 +1,29 @@
+import { Express } from 'express'
+import { checkDomain } from '../middlewares'
+import { getWhiteListed } from './configureCors'
+
+export const configureDomains = (app: Express) => {
+  // const domains: string[] = []
+  const domains = new Set<string>()
+  const { ALLOWED_DOMAINS } = process.env
+
+  const allowedDomains = ALLOWED_DOMAINS?.trim().split(' ') ?? []
+
+  const whiteListed = getWhiteListed()
+
+  const combinedUrls = [...allowedDomains, ...whiteListed]
+  combinedUrls
+    .filter((domainName) => !!domainName)
+    .forEach((url) => {
+      try {
+        const domain = new URL(url)
+        domains.add(domain.hostname)
+      } catch (_) {}
+    })
+
+  if (domains.size) {
+    process.allowedDomains = [...domains]
+    console.log('Allowed Domain(s):', process.allowedDomains)
+    app.use(checkDomain)
+  }
+}

api/src/app-modules/configureExpressSession.ts

@@ -1,10 +1,9 @@
-import { Express } from 'express'
+import { Express, CookieOptions } from 'express'
 import mongoose from 'mongoose'
 import session from 'express-session'
 import MongoStore from 'connect-mongo'
 
-import { ModeType } from '../utils'
-import { cookieOptions } from '../app'
+import { ModeType, ProtocolType } from '../utils'
 
 export const configureExpressSession = (app: Express) => {
   const { MODE } = process.env
@@ -19,6 +18,15 @@ export const configureExpressSession = (app: Express) => {
       })
     }
 
+    const { PROTOCOL } = process.env
+    const cookieOptions: CookieOptions = {
+      secure: PROTOCOL === ProtocolType.HTTPS,
+      httpOnly: true,
+      sameSite: PROTOCOL === ProtocolType.HTTPS ? 'none' : undefined,
+      maxAge: 24 * 60 * 60 * 1000, // 24 hours
+      domain: 'sas.4gl.io'
+    }
+
     app.use(
       session({
         secret: process.secrets.SESSION_SECRET,

api/src/app-modules/index.ts

@@ -1,4 +1,5 @@
 export * from './configureCors'
+export * from './configureDomains'
 export * from './configureExpressSession'
 export * from './configureLogger'
 export * from './configureSecurity'

api/src/app.ts

@@ -1,6 +1,5 @@
 import path from 'path'
 import express, { ErrorRequestHandler } from 'express'
-import csrf, { CookieOptions } from 'csurf'
 import cookieParser from 'cookie-parser'
 import dotenv from 'dotenv'
 
@@ -9,7 +8,6 @@ import {
   getWebBuildFolder,
   instantiateLogger,
   loadAppStreamConfig,
-  ProtocolType,
   ReturnCode,
   setProcessVariables,
   setupFolders,
@@ -17,6 +15,7 @@ import {
 } from './utils'
 import {
   configureCors,
+  configureDomains,
   configureExpressSession,
   configureLogger,
   configureSecurity
@@ -30,24 +29,7 @@ if (verifyEnvVariables()) process.exit(ReturnCode.InvalidEnv)
 
 const app = express()
 
-const { PROTOCOL } = process.env
-
-export const cookieOptions: CookieOptions = {
-  secure: PROTOCOL === ProtocolType.HTTPS,
-  httpOnly: true,
-  sameSite: PROTOCOL === ProtocolType.HTTPS ? 'none' : undefined,
-  maxAge: 24 * 60 * 60 * 1000 // 24 hours
-}
-
-/***********************************
- *         CSRF Protection         *
- ***********************************/
-export const csrfProtection = csrf({ cookie: cookieOptions })
-
 const onError: ErrorRequestHandler = (err, req, res, next) => {
-  if (err.code === 'EBADCSRFTOKEN')
-    return res.status(400).send('Invalid CSRF token!')
-
   console.error(err.stack)
   res.status(500).send('Something broke!')
 }
@@ -67,6 +49,11 @@ export default setProcessVariables().then(async () => {
    ***********************************/
   configureCors(app)
 
+  /***********************************
+   *         Allowed Domains         *
+   ***********************************/
+  configureDomains(app)
+
   /***********************************
    *         DB Connection &          *
    *        Express Sessions          *

api/src/controllers/auth.ts

@@ -4,6 +4,7 @@ import { InfoJWT } from '../types'
 import {
   generateAccessToken,
   generateRefreshToken,
+  getTokensFromDB,
   removeTokensInDB,
   saveTokensInDB
 } from '../utils'
@@ -73,6 +74,15 @@ const token = async (data: any): Promise<TokenResponse> => {
 
   AuthController.deleteCode(userInfo.userId, clientId)
 
+  // get tokens from DB
+  const existingTokens = await getTokensFromDB(userInfo.userId, clientId)
+  if (existingTokens) {
+    return {
+      accessToken: existingTokens.accessToken,
+      refreshToken: existingTokens.refreshToken
+    }
+  }
+
   const accessToken = generateAccessToken(userInfo)
   const refreshToken = generateRefreshToken(userInfo)
 

api/src/controllers/code.ts

@@ -24,11 +24,11 @@ interface ExecuteCodePayload {
 
 @Security('bearerAuth')
 @Route('SASjsApi/code')
-@Tags('CODE')
+@Tags('Code')
 export class CodeController {
   /**
-   * Execute SAS code.
-   * @summary Run SAS Code and returns log
+   * Execute Code on the Specified Runtime
+   * @summary Run Code and Return Webout Content and Log
    */
   @Post('/execute')
   public async executeCode(

api/src/controllers/internal/Session.ts

@@ -92,6 +92,9 @@ export class SASSessionController extends SessionController {
       path: sessionFolder
     }
 
+    const headersPath = path.join(session.path, 'stpsrv_header.txt')
+    await createFile(headersPath, 'Content-type: text/plain')
+
     // we do not want to leave sessions running forever
     // we clean them up after a predefined period, if unused
     this.scheduleSessionDestroy(session)
@@ -170,7 +173,7 @@ ${autoExecContent}`
     session.ready = true
   }
 
-  public async deleteSession(session: Session) {
+  private async deleteSession(session: Session) {
     // remove the temporary files, to avoid buildup
     await deleteFolder(session.path)
 

api/src/controllers/stp.ts

@@ -23,14 +23,14 @@ interface ExecutePostRequestPayload {
 @Tags('STP')
 export class STPController {
   /**
-   * Trigger a SAS or JS program using the _program URL parameter.
+   * Trigger a Stored Program using the _program URL parameter.
    *
    * Accepts URL parameters and file uploads.  For more details, see docs:
    *
    * https://server.sasjs.io/storedprograms
    *
-   * @summary Execute a Stored Program, returns raw _webout content.
-   * @param _program Location of SAS or JS code
+   * @summary Execute a Stored Program, returns _webout and (optionally) log.
+   * @param _program Location of code in SASjs Drive
    * @example _program "/Projects/myApp/some/program"
    */
   @Get('/execute')
@@ -43,21 +43,15 @@ export class STPController {
   }
 
   /**
-   * Trigger a SAS or JS program using the _program URL parameter.
+   * Trigger a Stored Program using the _program URL parameter.
    *
    * Accepts URL parameters and file uploads.  For more details, see docs:
    *
    * https://server.sasjs.io/storedprograms
    *
-   * The response will be a JSON object with the following root attributes:
-   * log, webout, headers.
    *
-   * The webout attribute will be nested JSON ONLY if the response-header
-   * contains a content-type of application/json AND it is valid JSON.
-   * Otherwise it will be a stringified version of the webout content.
-   *
-   * @summary Execute a Stored Program, return a JSON object
-   * @param _program Location of SAS or JS code
+   * @summary Execute a Stored Program, returns _webout and (optionally) log.
+   * @param _program Location of code in SASjs Drive
    * @example _program "/Projects/myApp/some/program"
    */
   @Post('/execute')

api/src/middlewares/authenticateToken.ts

@@ -1,6 +1,6 @@
 import { RequestHandler, Request, Response, NextFunction } from 'express'
 import jwt from 'jsonwebtoken'
-import { csrfProtection } from '../app'
+import { csrfProtection } from './'
 import {
   fetchLatestAutoExec,
   ModeType,

api/src/middlewares/authorize.ts

@@ -10,9 +10,7 @@ import { getPath, isPublicRoute } from '../utils'
 export const authorize: RequestHandler = async (req, res, next) => {
   const { user } = req
 
-  if (!user) {
-    return res.sendStatus(401)
-  }
+  if (!user) return res.sendStatus(401)
 
   // no need to check for permissions when user is admin
   if (user.isAdmin) return next()

api/src/middlewares/checkDomain.ts

@@ -0,0 +1,17 @@
+import { RequestHandler } from 'express'
+
+export const checkDomain: RequestHandler = (req, res, next) => {
+  const { allowedDomains } = process
+
+  // pass if no allowed domain is specified
+  if (!allowedDomains.length) return next()
+
+  if (allowedDomains.includes(req.hostname)) return next()
+
+  console.log('allowedDomains', allowedDomains)
+  console.log('hostname not allowed', req.hostname)
+  res.writeHead(404, {
+    'Content-Type': 'text/plain'
+  })
+  return res.end('Not found')
+}

api/src/middlewares/csrfProtection.ts

@@ -0,0 +1,32 @@
+import { RequestHandler } from 'express'
+import csrf from 'csrf'
+
+const csrfTokens = new csrf()
+const secret = csrfTokens.secretSync()
+
+export const generateCSRFToken = () => csrfTokens.create(secret)
+
+export const csrfProtection: RequestHandler = (req, res, next) => {
+  if (req.method === 'GET') return next()
+
+  // Reads the token from the following locations, in order:
+  // req.body.csrf_token - typically generated by the body-parser module.
+  // req.query.csrf_token - a built-in from Express.js to read from the URL query string.
+  // req.headers['csrf-token'] - the CSRF-Token HTTP request header.
+  // req.headers['xsrf-token'] - the XSRF-Token HTTP request header.
+  // req.headers['x-csrf-token'] - the X-CSRF-Token HTTP request header.
+  // req.headers['x-xsrf-token'] - the X-XSRF-Token HTTP request header.
+
+  const token =
+    req.body?.csrf_token ||
+    req.query?.csrf_token ||
+    req.headers['csrf-token'] ||
+    req.headers['xsrf-token'] ||
+    req.headers['x-csrf-token'] ||
+    req.headers['x-xsrf-token']
+
+  if (!csrfTokens.verify(secret, token)) {
+    return res.status(400).send('Invalid CSRF token!')
+  }
+  next()
+}

api/src/middlewares/index.ts

@@ -1,5 +1,7 @@
 export * from './authenticateToken'
+export * from './authorize'
+export * from './checkDomain'
+export * from './csrfProtection'
 export * from './desktop'
 export * from './verifyAdmin'
 export * from './verifyAdminIfNeeded'
-export * from './authorize'

api/src/routes/api/auth.ts

@@ -7,7 +7,7 @@ import {
   authenticateRefreshToken
 } from '../../middlewares'
 
-import { authorizeValidation, tokenValidation } from '../../utils'
+import { tokenValidation } from '../../utils'
 import { InfoJWT } from '../../types'
 
 const authRouter = express.Router()

api/src/routes/api/spec/web.spec.ts

@@ -49,10 +49,9 @@ describe('web', () => {
 
   describe('SASLogon/login', () => {
     let csrfToken: string
-    let cookies: string
 
     beforeAll(async () => {
-      ;({ csrfToken, cookies } = await getCSRF(app))
+      ;({ csrfToken } = await getCSRF(app))
     })
 
     afterEach(async () => {
@@ -66,7 +65,6 @@ describe('web', () => {
 
       const res = await request(app)
         .post('/SASLogon/login')
-        .set('Cookie', cookies)
         .set('x-xsrf-token', csrfToken)
         .send({
           username: user.username,
@@ -82,15 +80,45 @@ describe('web', () => {
         isAdmin: user.isAdmin
       })
     })
+
+    it('should respond with Bad Request if CSRF Token is not present', async () => {
+      await userController.createUser(user)
+
+      const res = await request(app)
+        .post('/SASLogon/login')
+        .send({
+          username: user.username,
+          password: user.password
+        })
+        .expect(400)
+
+      expect(res.text).toEqual('Invalid CSRF token!')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Bad Request if CSRF Token is invalid', async () => {
+      await userController.createUser(user)
+
+      const res = await request(app)
+        .post('/SASLogon/login')
+        .set('x-xsrf-token', 'INVALID_CSRF_TOKEN')
+        .send({
+          username: user.username,
+          password: user.password
+        })
+        .expect(400)
+
+      expect(res.text).toEqual('Invalid CSRF token!')
+      expect(res.body).toEqual({})
+    })
   })
 
   describe('SASLogon/authorize', () => {
     let csrfToken: string
-    let cookies: string
     let authCookies: string
 
     beforeAll(async () => {
-      ;({ csrfToken, cookies } = await getCSRF(app))
+      ;({ csrfToken } = await getCSRF(app))
 
       await userController.createUser(user)
 
@@ -99,12 +127,7 @@ describe('web', () => {
         password: user.password
       }
 
-      ;({ cookies: authCookies } = await performLogin(
-        app,
-        credentials,
-        cookies,
-        csrfToken
-      ))
+      ;({ authCookies } = await performLogin(app, credentials, csrfToken))
     })
 
     afterAll(async () => {
@@ -116,17 +139,28 @@ describe('web', () => {
     it('should respond with authorization code', async () => {
       const res = await request(app)
         .post('/SASLogon/authorize')
-        .set('Cookie', [authCookies, cookies].join('; '))
+        .set('Cookie', [authCookies].join('; '))
         .set('x-xsrf-token', csrfToken)
         .send({ clientId })
 
       expect(res.body).toHaveProperty('code')
     })
 
+    it('should respond with Bad Request if CSRF Token is missing', async () => {
+      const res = await request(app)
+        .post('/SASLogon/authorize')
+        .set('Cookie', [authCookies].join('; '))
+        .send({ clientId })
+        .expect(400)
+
+      expect(res.text).toEqual('Invalid CSRF token!')
+      expect(res.body).toEqual({})
+    })
+
     it('should respond with Bad Request if clientId is missing', async () => {
       const res = await request(app)
         .post('/SASLogon/authorize')
-        .set('Cookie', [authCookies, cookies].join('; '))
+        .set('Cookie', [authCookies].join('; '))
         .set('x-xsrf-token', csrfToken)
         .send({})
         .expect(400)
@@ -138,7 +172,7 @@ describe('web', () => {
     it('should respond with Forbidden if clientId is incorrect', async () => {
       const res = await request(app)
         .post('/SASLogon/authorize')
-        .set('Cookie', [authCookies, cookies].join('; '))
+        .set('Cookie', [authCookies].join('; '))
         .set('x-xsrf-token', csrfToken)
         .send({
           clientId: 'WrongClientID'
@@ -153,27 +187,22 @@ describe('web', () => {
 
 const getCSRF = async (app: Express) => {
   // make request to get CSRF
-  const { header, text } = await request(app).get('/')
-  const cookies = header['set-cookie'].join()
+  const { text } = await request(app).get('/')
 
-  const csrfToken = extractCSRF(text)
-  return { csrfToken, cookies }
+  return { csrfToken: extractCSRF(text) }
 }
 
 const performLogin = async (
   app: Express,
   credentials: { username: string; password: string },
-  cookies: string,
   csrfToken: string
 ) => {
   const { header } = await request(app)
     .post('/SASLogon/login')
-    .set('Cookie', cookies)
     .set('x-xsrf-token', csrfToken)
     .send(credentials)
 
-  const newCookies: string = header['set-cookie'].join()
-  return { cookies: newCookies }
+  return { authCookies: header['set-cookie'].join() }
 }
 
 const extractCSRF = (text: string) =>

api/src/routes/appStream/index.ts

@@ -1,6 +1,6 @@
 import path from 'path'
 import express, { Request } from 'express'
-import { authenticateAccessToken } from '../../middlewares'
+import { authenticateAccessToken, generateCSRFToken } from '../../middlewares'
 import { folderExists } from '@sasjs/utils'
 
 import { addEntryToAppStreamConfig, getFilesFolder } from '../../utils'
@@ -13,7 +13,7 @@ const router = express.Router()
 router.get('/', authenticateAccessToken, async (req, res) => {
   const content = appStreamHtml(process.appStreamConfig)
 
-  res.cookie('XSRF-TOKEN', req.csrfToken())
+  res.cookie('XSRF-TOKEN', generateCSRFToken())
 
   return res.send(content)
 })

api/src/routes/setupRoutes.ts

@@ -4,7 +4,7 @@ import webRouter from './web'
 import apiRouter from './api'
 import appStreamRouter from './appStream'
 
-import { csrfProtection } from '../app'
+import { csrfProtection } from '../middlewares'
 
 export const setupRoutes = (app: Express) => {
   app.use('/SASjsApi', apiRouter)

api/src/routes/web/sas9-web.ts

@@ -1,4 +1,5 @@
 import express from 'express'
+import { generateCSRFToken } from '../../middlewares'
 import { WebController } from '../../controllers'
 import { MockSas9Controller } from '../../controllers/mock-sas9'
 
@@ -15,7 +16,7 @@ sas9WebRouter.get('/', async (req, res) => {
   } catch (_) {
     response = '<html><head></head><body>Web Build is not present</body></html>'
   } finally {
-    const codeToInject = `<script>document.cookie = 'XSRF-TOKEN=${req.csrfToken()}; Max-Age=86400; SameSite=Strict; Path=/;'</script>`
+    const codeToInject = `<script>document.cookie = 'XSRF-TOKEN=${generateCSRFToken()}; Max-Age=86400; SameSite=Strict; Path=/;'</script>`
     const injectedContent = response?.replace(
       '</head>',
       `${codeToInject}</head>`

api/src/routes/web/sasviya-web.ts

@@ -1,4 +1,5 @@
 import express from 'express'
+import { generateCSRFToken } from '../../middlewares'
 import { WebController } from '../../controllers/web'
 
 const sasViyaWebRouter = express.Router()
@@ -11,7 +12,7 @@ sasViyaWebRouter.get('/', async (req, res) => {
   } catch (_) {
     response = '<html><head></head><body>Web Build is not present</body></html>'
   } finally {
-    const codeToInject = `<script>document.cookie = 'XSRF-TOKEN=${req.csrfToken()}; Max-Age=86400; SameSite=Strict; Path=/;'</script>`
+    const codeToInject = `<script>document.cookie = 'XSRF-TOKEN=${generateCSRFToken()}; Max-Age=86400; SameSite=Strict; Path=/;'</script>`
     const injectedContent = response?.replace(
       '</head>',
       `${codeToInject}</head>`

api/src/routes/web/web.ts

@@ -1,4 +1,5 @@
 import express from 'express'
+import { generateCSRFToken } from '../../middlewares'
 import { WebController } from '../../controllers/web'
 import { authenticateAccessToken, desktopRestrict } from '../../middlewares'
 import { authorizeValidation, loginWebValidation } from '../../utils'
@@ -13,7 +14,7 @@ webRouter.get('/', async (req, res) => {
   } catch (_) {
     response = '<html><head></head><body>Web Build is not present</body></html>'
   } finally {
-    const codeToInject = `<script>document.cookie = 'XSRF-TOKEN=${req.csrfToken()}; Max-Age=86400; SameSite=Strict; Path=/;'</script>`
+    const codeToInject = `<script>document.cookie = 'XSRF-TOKEN=${generateCSRFToken()}; Max-Age=86400; SameSite=Strict; Path=/;'</script>`
     const injectedContent = response?.replace(
       '</head>',
       `${codeToInject}</head>`

api/src/types/system/process.d.ts

@@ -12,5 +12,6 @@ declare namespace NodeJS {
     logger: import('@sasjs/utils/logger').Logger
     runTimes: import('../../utils').RunTimeType[]
     secrets: import('../../model/Configuration').ConfigurationType
+    allowedDomains: string[]
   }
 }

api/src/utils/getPreProgramVariables.ts

@@ -7,7 +7,6 @@ export const getPreProgramVariables = (req: Request): PreProgramVars => {
   const { user, accessToken } = req
   const csrfToken = req.headers['x-xsrf-token'] || req.cookies['XSRF-TOKEN']
   const sessionId = req.cookies['connect.sid']
-  const { _csrf } = req.cookies
 
   const httpHeaders: string[] = []
 
@@ -16,7 +15,6 @@ export const getPreProgramVariables = (req: Request): PreProgramVars => {
 
   const cookies: string[] = []
   if (sessionId) cookies.push(`connect.sid=${sessionId}`)
-  if (_csrf) cookies.push(`_csrf=${_csrf}`)
 
   if (cookies.length) httpHeaders.push(`cookie: ${cookies.join('; ')}`)
 

api/src/utils/getRunTimeAndFilePath.ts

@@ -4,7 +4,7 @@ import { getFilesFolder } from './file'
 import { RunTimeType } from '.'
 
 export const getRunTimeAndFilePath = async (programPath: string) => {
-  const ext = path.extname(programPath)
+  const ext = path.extname(programPath).toLowerCase()
   // If programPath (_program) is provided with a ".sas", ".js", ".py" or ".r" extension
   // we should use that extension to determine the appropriate runTime
   if (ext && Object.values(RunTimeType).includes(ext.slice(1) as RunTimeType)) {

api/src/utils/getTokensFromDB.ts

@@ -0,0 +1,55 @@
+import jwt from 'jsonwebtoken'
+import User from '../model/User'
+
+const isValidToken = async (
+  token: string,
+  key: string,
+  userId: number,
+  clientId: string
+) => {
+  const promise = new Promise<boolean>((resolve, reject) =>
+    jwt.verify(token, key, (err, decoded) => {
+      if (err) return reject(false)
+
+      if (decoded?.userId === userId && decoded?.clientId === clientId) {
+        return resolve(true)
+      }
+
+      return reject(false)
+    })
+  )
+
+  return await promise.then(() => true).catch(() => false)
+}
+
+export const getTokensFromDB = async (userId: number, clientId: string) => {
+  const user = await User.findOne({ id: userId })
+  if (!user) return
+
+  const currentTokenObj = user.tokens.find(
+    (tokenObj: any) => tokenObj.clientId === clientId
+  )
+
+  if (currentTokenObj) {
+    const accessToken = currentTokenObj.accessToken
+    const refreshToken = currentTokenObj.refreshToken
+
+    const isValidAccessToken = await isValidToken(
+      accessToken,
+      process.secrets.ACCESS_TOKEN_SECRET,
+      userId,
+      clientId
+    )
+
+    const isValidRefreshToken = await isValidToken(
+      refreshToken,
+      process.secrets.REFRESH_TOKEN_SECRET,
+      userId,
+      clientId
+    )
+
+    if (isValidAccessToken && isValidRefreshToken) {
+      return { accessToken, refreshToken }
+    }
+  }
+}

api/src/utils/index.ts

@@ -14,6 +14,7 @@ export * from './getDesktopFields'
 export * from './getPreProgramVariables'
 export * from './getRunTimeAndFilePath'
 export * from './getServerUrl'
+export * from './getTokensFromDB'
 export * from './instantiateLogger'
 export * from './isDebugOn'
 export * from './isPublicRoute'

api/src/utils/verifyEnvVariables.ts

@@ -252,7 +252,7 @@ const verifyRUN_TIMES = (): string[] => {
   return errors
 }
 
-const verifyExecutablePaths = () => {
+const verifyExecutablePaths = (): string[] => {
   const errors: string[] = []
   const { RUN_TIMES, SAS_PATH, NODE_PATH, PYTHON_PATH, R_PATH, MODE } =
     process.env

api/tsconfig.json

@@ -1,6 +1,6 @@
 {
   "compilerOptions": {
-    "target": "es5",
+    "target": "ES6",
     "module": "commonjs",
     "rootDir": "./",
     "outDir": "./build",

api/tsoa.json

@@ -20,7 +20,7 @@
         "description": "Operations about clients"
       },
       {
-        "name": "CODE",
+        "name": "Code",
         "description": "Execution of code (various runtimes are supported)"
       },
       {

web/package.json

@@ -3,8 +3,8 @@
   "version": "0.1.0",
   "private": true,
   "scripts": {
-    "start": "webpack-dev-server --config webpack.dev.ts --hot",
-    "build": "webpack --config webpack.prod.ts"
+    "start": "vite serve --port 3000",
+    "build": "vite build"
   },
   "dependencies": {
     "@emotion/react": "^11.4.1",
@@ -30,38 +30,21 @@
     "react-toastify": "^9.0.1"
   },
   "devDependencies": {
-    "@babel/core": "^7.16.0",
-    "@babel/node": "^7.16.0",
-    "@babel/plugin-proposal-class-properties": "^7.16.0",
-    "@babel/preset-env": "^7.16.4",
-    "@babel/preset-react": "^7.16.0",
-    "@babel/preset-typescript": "^7.16.0",
-    "@types/dotenv-webpack": "^7.0.3",
-    "@types/prismjs": "^1.16.6",
     "@types/react": "^17.0.37",
     "@types/react-copy-to-clipboard": "^5.0.2",
     "@types/react-dom": "^17.0.11",
     "@types/react-router-dom": "^5.3.1",
-    "babel-loader": "^8.2.3",
-    "babel-plugin-prismjs": "^2.1.0",
-    "copy-webpack-plugin": "^10.0.0",
-    "css-loader": "^6.5.1",
-    "dotenv-webpack": "^7.1.0",
+    "@vitejs/plugin-react": "^2.1.0",
     "eslint": "^8.5.0",
     "eslint-config-react-app": "^7.0.0",
-    "eslint-webpack-plugin": "^3.1.1",
-    "file-loader": "^6.2.0",
-    "html-webpack-plugin": "5.5.0",
     "path": "0.12.7",
     "prettier": "^2.4.1",
     "sass": "^1.44.0",
-    "sass-loader": "^12.3.0",
-    "style-loader": "^3.3.1",
-    "ts-loader": "^9.2.6",
     "typescript": "^4.5.2",
-    "webpack": "5.64.3",
-    "webpack-cli": "^4.9.2",
-    "webpack-dev-server": "4.7.4"
+    "vite": "^3.1.4",
+    "vite-plugin-env-compatible": "^1.1.1",
+    "vite-plugin-html": "^3.2.0",
+    "vite-plugin-monaco-editor": "^1.1.0"
   },
   "eslintConfig": {
     "extends": [

web/src/containers/Studio/internal/helper.ts

@@ -1,3 +1,5 @@
+import { RunTimeType } from '../../../context/appContext'
+
 export const getLanguageFromExtension = (extension: string) => {
   if (extension === 'js') return 'javascript'
 
@@ -12,3 +14,26 @@ export const getSelection = (editor: any) => {
   const selection = editor?.getModel().getValueInRange(editor?.getSelection())
   return selection ?? ''
 }
+
+export const programPathInjection = (
+  code: string,
+  path: string,
+  runtime: RunTimeType
+) => {
+  if (path) {
+    if (runtime === RunTimeType.JS) {
+      return `const _PROGRAM = '${path}';\n${code}`
+    }
+    if (runtime === RunTimeType.PY) {
+      return `_PROGRAM = '${path}';\n${code}`
+    }
+    if (runtime === RunTimeType.R) {
+      return `._PROGRAM = '${path}';\n${code}`
+    }
+    if (runtime === RunTimeType.SAS) {
+      return `%let _program = ${path};\n${code}`
+    }
+  }
+
+  return code
+}

web/src/containers/Studio/internal/hooks/useEditor.ts

@@ -10,7 +10,7 @@ import {
 } from 'react'
 import { DiffEditorDidMount, EditorDidMount, monaco } from 'react-monaco-editor'
 import { SelectChangeEvent } from '@mui/material'
-import { getSelection } from '../helper'
+import { getSelection, programPathInjection } from '../helper'
 import { AppContext, RunTimeType } from '../../../../context/appContext'
 import { AlertSeverityType } from '../../../../components/snackbar'
 import {
@@ -151,7 +151,14 @@ const useEditor = ({
   const runCode = (code: string) => {
     setIsLoading(true)
     axios
-      .post(`/SASjsApi/code/execute`, { code, runTime: selectedRunTime })
+      .post(`/SASjsApi/code/execute`, {
+        code: programPathInjection(
+          code,
+          selectedFilePath,
+          selectedRunTime as RunTimeType
+        ),
+        runTime: selectedRunTime
+      })
       .then((res: any) => {
         setWebout(res.data.split(SASJS_LOGS_SEPARATOR)[0] ?? '')
         setLog(res.data.split(SASJS_LOGS_SEPARATOR)[1] ?? '')
@@ -229,7 +236,9 @@ const useEditor = ({
   useEffect(() => {
     if (selectedFilePath) {
       setIsLoading(true)
-      setSelectedFileExtension(selectedFilePath.split('.').pop() ?? '')
+      setSelectedFileExtension(
+        selectedFilePath.split('.').pop()?.toLowerCase() ?? ''
+      )
       axios
         .get(`/SASjsApi/drive/file?_filePath=${selectedFilePath}`)
         .then((res: any) => {
@@ -263,8 +272,8 @@ const useEditor = ({
   }, [fileContent, selectedFilePath])
 
   useEffect(() => {
-    if (runTimes.includes(selectedFileExtension))
-      setSelectedRunTime(selectedFileExtension)
+    const fileExtension = selectedFileExtension.toLowerCase()
+    if (runTimes.includes(fileExtension)) setSelectedRunTime(fileExtension)
   }, [selectedFileExtension, runTimes])
 
   return {

web/src/index.html

@@ -35,5 +35,6 @@
       To begin the development, run `npm start` or `yarn start`.
       To create a production bundle, use `npm run build` or `yarn build`.
     -->
+    <script type="module" src="/src/index.tsx"></script>
   </body>
 </html>

web/vite.config.js

@@ -0,0 +1,17 @@
+import { defineConfig } from 'vite'
+import react from '@vitejs/plugin-react'
+import { createHtmlPlugin } from 'vite-plugin-html'
+import envCompatible from 'vite-plugin-env-compatible'
+
+export default defineConfig({
+  build: {
+    outDir: './build'
+  },
+  plugins: [
+    react(),
+    createHtmlPlugin({
+      template: './src/index.html'
+    }),
+    envCompatible({ prefix: '' })
+  ]
+})