feat(API-1896): Update "Get your App token" guide JS snippets

Author: LevFlavien

content/apps/create-app/activate-nodejs.md

@@ -1,38 +1,56 @@
 ```js [activate:NodeJS]
 
-params // data from your request handling
-storage // your own memory system
-
-// Retrieve GET query params from your own framework / http handler
-const { pim_url: pimUrl } = params;
-
-// Retrieve your app's Client ID with your own system
-const clientId = storage.get("CLIENT_ID");
-
-// Set the access scopes, take care of the 254 chars max !
-const scopes = 'read_products write_products'; 
-
-// The activate URL should have the pim_url param
-if (!pimUrl) {
-    // Return a Bad request response via your own framework / http server
-    return response(502, { message: "Bad request" });
+import express from 'express';
+import crypto from 'crypto';
+
+const app = express();
+
+app.get('/activate', (req, res, next) => {
+  try {
+    const clientId = "AKENEO_CLIENT_ID";
+    const scopes = [
+      "read_products",
+      "read_catalog_structure",
+      "read_channel_settings",
+      "read_channel_localization",
+      "read_attribute_options",
+      "read_catalogs",
+      "write_catalogs",
+      "delete_catalogs",
+    ];
+    const session = req.session;
+
+    const pimUrl = req.query.pim_url;
+    if (!pimUrl) {
+      throw new Error(
+        "Can't retrieve PIM url, please restart the authorization process."
+      );
+    }
+
+    // Create a random state for preventing cross-site request forgery
+    const state = crypto.randomBytes(64).toString("hex");
+
+    // Store in the user session the state and the PIM URL
+    session.state = state;
+    session.pim_url = pimUrl;
+
+    // Build the parameters for the Authorization Request
+    // https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
+    const params = new URLSearchParams({
+      response_type: "code",
+      client_id: clientId,
+      scope: scopes.join(" "),
+      state: state,
+    });
+
+    // Build the url for the Authorization Request using the PIM URL
+    const authorizeUrl =
+      pimUrl + "/connect/apps/v1/authorize?" + params.toString();
+
+    res.redirect(authorizeUrl);
+  } catch (err) {
+    next(err);
+  }
 }
 
-// Store the PIM url value with your own system
-storage.set("PIM_URL", pimUrl);
-
-// Set a new security state secret and store the value with your own system
-const state = require('crypto').randomBytes(32).toString("hex");
-storage.set("APP_STATE", state);
-
-// Construct the PIM authorization url, it will be called on "connect" / "open" button
-const redirect_url = `${pimUrl}/connect/apps/v1/authorize` +
-    `?response_type=code` +
-    `&client_id=${clientId}` +
-    `&scope=${scopes}` +
-    `&state=${state}`
-
-// Set the redirection response with your own framework / http server
-return redirect(redirect_url);
-
 ```

content/apps/create-app/callback-nodejs.md

@@ -1,53 +1,69 @@
 ```js [callback:NodeJS]
 
-params // data from your request handling
-storage // your own memory system
-
-// Retrieve GET query params from your own framework / http handler
-const { code, state } = params;
-
-// Retrieve your app's Client ID with your own logic
-const pimUrl = storage.get("PIM_URL");
-const appState = storage.get("APP_STATE");
-const clientId = storage.get("CLIENT_ID");
-const clientSecret = storage.get("CLIENT_SECRET");
-
-// Control the security state integrity previously defined, to avoid attacks
-if (state !== appState) {
-    return response(403, 
-        {
-            "error": "Forbidden",
-            "error_description": "State integrity failed",
-        }
-    )
-}
+import express from 'express';
+import crypto from 'crypto';
+import fetch from 'node-fetch'; // https://www.npmjs.com/package/node-fetch
+
+const app = express();
+
+app.get('/callback', async (req, res, next) => {
+  try {
+    const appClientSecret = "CLIENT_SECRET";
+    const appClientId = "CLIENT_ID";
+
+    const session = req.session;
+
+    const pimUrl = session.pim_url;
+    const state = req.query.state;
+    const authorizationCode = req.query.code;
+
+    if (!pimUrl) {
+      throw new Error(
+        "Can't retrieve PIM url, please restart the authorization process."
+      );
+    }
+
+    // We check if the received state is the same as in the session, for security.
+    if (!state || state != session.state) {
+      throw new Error("Invalid state");
+    }
 
-// Generate a new challenge code
-// a sha256 concatenation of a code_identifier and the client_secret
-const codeIdentifier = require('crypto').randomBytes(32).toString('hex')
-const codeChallenge = require('crypto')
-    .createHash('sha256')
-    .update(`${codeIdentifier}${clientSecret}`)
-    .digest('hex')
-
-// Send the payload to the PIM instance, ask for an API Token
-fetch
-    .post(`${storage.get('PIM_URL')}/connect/apps/v1/oauth2/token`, {
-        code,
-        grant_type: 'authorization_code',
-        client_id: clientId,
-        code_identifier: codeIdentifier,
-        code_challenge: codeChallenge,
-    })
-    .then(({ data }) => {
-        // Retrieve the fresh token and store it with your own system
-        const { access_token: accessToken } = data   
-        storage.set('API_TOKEN', accessToken)
-        redirect('/')
-    })
-    .catch((data) => {
-        // handle error
-        res.status(400).send(data)
-    })
+    if (!authorizationCode) {
+      throw new Error("Missing authorization code");
+    }
+
+    // Generate code for token request
+    const codeidentifier = crypto.randomBytes(64).toString("hex");
+    const codeChallenge = crypto
+      .createHash("sha256")
+      .update(codeidentifier + appClientSecret)
+      .digest("hex");
+
+    // Build form data to post
+    const accessTokenRequestPayload = new URLSearchParams({
+      grant_type: "authorization_code",
+      code: authorizationCode,
+      client_id: appClientId,
+      code_identifier: codeidentifier,
+      code_challenge: codeChallenge,
+    });
+
+    // Make an authenticated call to the API
+    const accessTokenUrl = pimUrl + "/connect/apps/v1/oauth2/token";
+    const response = await fetch(accessTokenUrl, {
+      method: "post",
+      body: accessTokenRequestPayload,
+      headers: {"Content-Type": "application/x-www-form-urlencoded"},
+    });
+
+    const result = await response.json();
+
+    const accessToken = result.access_token;
+
+    console.log(accessToken);
+  } catch (err) {
+    next(err);
+  }
+}
 
 ```