feat: implement fetch middleware for network requests, API key middleware, and http origin middleware

Author: zone117x

packages/auth/src/profile.ts

@@ -1,5 +1,4 @@
 import { resolveZoneFileToProfile } from '@stacks/profile';
-import { fetchPrivate } from '@stacks/common';
 import { StacksMainnet, StacksNetwork, StacksNetworkName } from '@stacks/network';
 
 export interface ProfileLookupOptions {
@@ -31,13 +30,13 @@ export function lookupProfile(lookupOptions: ProfileLookupOptions): Promise<Reco
   let lookupPromise;
   if (options.zoneFileLookupURL) {
     const url = `${options.zoneFileLookupURL.replace(/\/$/, '')}/${options.username}`;
-    lookupPromise = fetchPrivate(url).then(response => response.json());
+    lookupPromise = network.fetchFn(url).then(response => response.json());
   } else {
     lookupPromise = network.getNameInfo(options.username);
   }
   return lookupPromise.then((responseJSON: any) => {
     if (responseJSON.hasOwnProperty('zonefile') && responseJSON.hasOwnProperty('address')) {
-      return resolveZoneFileToProfile(responseJSON.zonefile, responseJSON.address);
+      return resolveZoneFileToProfile(responseJSON.zonefile, responseJSON.address, network.fetchFn);
     } else {
       throw new Error(
         'Invalid zonefile lookup response: did not contain `address`' + ' or `zonefile` field'

packages/auth/src/provider.ts

@@ -1,6 +1,6 @@
 import * as queryString from 'query-string';
 import { decodeToken } from 'jsontokens';
-import { BLOCKSTACK_HANDLER, getGlobalObject, fetchPrivate } from '@stacks/common';
+import { BLOCKSTACK_HANDLER, getGlobalObject, getDefaultFetchFn, FetchFn } from '@stacks/common';
 
 /**
  * Retrieves the authentication request from the query string
@@ -36,7 +36,10 @@ export function getAuthRequestFromURL() {
  * @private
  * @ignore
  */
-export async function fetchAppManifest(authRequest: string): Promise<any> {
+export async function fetchAppManifest(
+  authRequest: string,
+  fetchFn: FetchFn = getDefaultFetchFn()
+): Promise<any> {
   if (!authRequest) {
     throw new Error('Invalid auth request');
   }
@@ -47,7 +50,7 @@ export async function fetchAppManifest(authRequest: string): Promise<any> {
   const manifestURI = payload.manifest_uri as string;
   try {
     // Logger.debug(`Fetching manifest from ${manifestURI}`)
-    const response = await fetchPrivate(manifestURI);
+    const response = await fetchFn(manifestURI);
     const responseText = await response.text();
     const responseJSON = JSON.parse(responseText);
     return { ...responseJSON, manifestURI };

packages/auth/src/userSession.ts

@@ -1,5 +1,5 @@
 // @ts-ignore
-import { Buffer } from '@stacks/common';
+import { Buffer, FetchFn, getDefaultFetchFn } from '@stacks/common';
 import { AppConfig } from './appConfig';
 import { SessionOptions } from './sessionData';
 import { InstanceDataStore, LocalStorageStore, SessionDataStore } from './sessionStore';
@@ -15,7 +15,6 @@ import {
 import { getAddressFromDID } from './dids';
 import {
   BLOCKSTACK_DEFAULT_GAIA_HUB_URL,
-  fetchPrivate,
   getGlobalObject,
   InvalidStateError,
   isLaterVersion,
@@ -214,7 +213,8 @@ export class UserSession {
    * if handling the sign in request fails or there was no pending sign in request.
    */
   async handlePendingSignIn(
-    authResponseToken: string = this.getAuthResponseToken()
+    authResponseToken: string = this.getAuthResponseToken(),
+    fetchFn: FetchFn = getDefaultFetchFn()
   ): Promise<UserData> {
     const sessionData = this.store.getSessionData();
 
@@ -312,7 +312,7 @@ export class UserSession {
     };
     const profileURL = tokenPayload.profile_url as string;
     if (!userData.profile && profileURL) {
-      const response = await fetchPrivate(profileURL);
+      const response = await fetchFn(profileURL);
       if (!response.ok) {
         // return blank profile if we fail to fetch
         userData.profile = Object.assign({}, DEFAULT_PROFILE);

packages/cli/src/network.ts

@@ -1,11 +1,11 @@
 import blockstack from 'blockstack';
 import * as bitcoin from 'bitcoinjs-lib';
 import BN from 'bn.js';
-import fetch from 'node-fetch';
 
 import { CLI_CONFIG_TYPE } from './argparse';
 
 import { BlockstackNetwork } from 'blockstack/lib/network';
+import { FetchFn, getDefaultFetchFn } from '@stacks/common';
 
 export interface CLI_NETWORK_OPTS {
   consensusHash: string | null;
@@ -187,15 +187,16 @@ export class CLINetworkAdapter {
   getNamespaceBurnAddress(
     namespace: string,
     useCLI: boolean = true,
-    receiveFeesPeriod: number = -1
+    receiveFeesPeriod: number = -1,
+    fetchFn: FetchFn = getDefaultFetchFn()
   ): Promise<string> {
     // override with CLI option
     if (this.namespaceBurnAddress && useCLI) {
       return new Promise((resolve: any) => resolve(this.namespaceBurnAddress));
     }
 
     return Promise.all([
-      fetch(`${this.legacyNetwork.blockstackAPIUrl}/v1/namespaces/${namespace}`),
+      fetchFn(`${this.legacyNetwork.blockstackAPIUrl}/v1/namespaces/${namespace}`),
       this.legacyNetwork.getBlockHeight(),
     ])
       .then(([resp, blockHeight]: [any, number]) => {
@@ -245,10 +246,10 @@ export class CLINetworkAdapter {
     });
   }
 
-  getBlockchainNameRecord(name: string): Promise<any> {
+  getBlockchainNameRecord(name: string, fetchFn: FetchFn = getDefaultFetchFn()): Promise<any> {
     // TODO: send to blockstack.js
     const url = `${this.legacyNetwork.blockstackAPIUrl}/v1/blockchains/bitcoin/names/${name}`;
-    return fetch(url)
+    return fetchFn(url)
       .then(resp => {
         if (resp.status !== 200) {
           throw new Error(`Bad response status: ${resp.status}`);
@@ -268,10 +269,14 @@ export class CLINetworkAdapter {
       });
   }
 
-  getNameHistory(name: string, page: number): Promise<Record<string, any[]>> {
+  getNameHistory(
+    name: string,
+    page: number,
+    fetchFn: FetchFn = getDefaultFetchFn()
+  ): Promise<Record<string, any[]>> {
     // TODO: send to blockstack.js
     const url = `${this.legacyNetwork.blockstackAPIUrl}/v1/names/${name}/history?page=${page}`;
-    return fetch(url)
+    return fetchFn(url)
       .then(resp => {
         if (resp.status !== 200) {
           throw new Error(`Bad response status: ${resp.status}`);

packages/common/src/fetchUtil.ts

@@ -1,26 +1,188 @@
 import 'cross-fetch/polyfill';
 
-/** @ignore */
-export async function fetchPrivate(input: RequestInfo, init?: RequestInit): Promise<Response> {
-  const defaultFetchOpts: RequestInit = {
-    referrer: 'no-referrer',
-    referrerPolicy: 'no-referrer',
+export type FetchFn = (url: string, init?: RequestInit) => Promise<Response>;
+
+export interface RequestContext {
+  fetch: FetchFn;
+  url: string;
+  init: RequestInit;
+}
+
+export interface ResponseContext {
+  fetch: FetchFn;
+  url: string;
+  init: RequestInit;
+  response: Response;
+}
+
+export interface FetchParams {
+  url: string;
+  init: RequestInit;
+}
+
+export interface FetchMiddleware {
+  pre?: (context: RequestContext) => PromiseLike<FetchParams | void> | FetchParams | void;
+  post?: (context: ResponseContext) => Promise<Response | void> | Response | void;
+}
+
+// TODO: make the value a promise so that multiple re-auth requests are not running in parallel
+// TODO: make the storage interface configurable
+// in-memory session auth data, keyed by the endpoint host
+const sessionAuthData = new Map<string, { authKey: string }>();
+
+export interface ApiSessionAuthMiddlewareOpts {
+  /** The middleware / API key header will only be added to requests matching this host. */
+  host?: RegExp | string;
+  /** The http header name used for specifying the API key value. */
+  httpHeader?: string;
+  authPath: string;
+  authRequestMetadata: Record<string, string>;
+}
+
+export function getApiSessionAuthMiddleware({
+  host = /(.*)api(.*)\.stacks\.co$/i,
+  httpHeader = 'x-api-key',
+  authPath = '/request_key',
+  authRequestMetadata = {},
+}: ApiSessionAuthMiddlewareOpts): FetchMiddleware {
+  const authMiddleware: FetchMiddleware = {
+    pre: context => {
+      const reqUrl = new URL(context.url);
+      let hostMatches = false;
+      if (typeof host === 'string') {
+        hostMatches = host === reqUrl.host;
+      } else {
+        hostMatches = !!host.exec(reqUrl.host);
+      }
+      const authData = sessionAuthData.get(reqUrl.host);
+      if (hostMatches && authData) {
+        const headers = new Headers(context.init.headers);
+        headers.set(httpHeader, authData.authKey);
+        context.init.headers = headers;
+      }
+    },
+    post: async context => {
+      const reqUrl = new URL(context.url);
+      let hostMatches = false;
+      if (typeof host === 'string') {
+        hostMatches = host === reqUrl.host;
+      } else {
+        hostMatches = !!host.exec(reqUrl.host);
+      }
+      // if request is for configured host, and response was `401 Unauthorized`,
+      // then request auth key and retry request.
+      if (hostMatches && context.response.status === 401) {
+        const authEndpoint = new URL(reqUrl.origin);
+        authEndpoint.pathname = authPath;
+        const authReq = await context.fetch(authEndpoint.toString(), {
+          method: 'POST',
+          headers: {
+            'Content-Type': 'application/json',
+            Accept: 'application/json',
+          },
+          body: JSON.stringify(authRequestMetadata),
+        });
+        const authResponseBody = await authReq.text();
+        if (authReq.ok) {
+          const authResp: { api_key: string } = JSON.parse(authResponseBody);
+          sessionAuthData.set(reqUrl.host, { authKey: authResp.api_key });
+          return context.fetch(context.url, context.init);
+        } else {
+          throw new Error(`Error fetching API auth key: ${authReq.status}: ${authResponseBody}`);
+        }
+      } else {
+        return context.response;
+      }
+    },
+  };
+  return authMiddleware;
+}
+
+export interface ApiKeyMiddlewareOpts {
+  /** The middleware / API key header will only be added to requests matching this host. */
+  host?: RegExp | string;
+  /** The http header name used for specifying the API key value. */
+  httpHeader?: string;
+  /** The API key string to specify as an http header value. */
+  apiKey: string;
+}
+
+export function createApiKeyMiddleware({
+  apiKey,
+  host = /(.*)api(.*)\.stacks\.co$/i,
+  httpHeader = 'x-api-key',
+}: ApiKeyMiddlewareOpts): FetchMiddleware {
+  return {
+    pre: context => {
+      const reqUrl = new URL(context.url);
+      let hostMatches = false;
+      if (typeof host === 'string') {
+        hostMatches = host === reqUrl.host;
+      } else {
+        hostMatches = !!host.exec(reqUrl.host);
+      }
+      if (hostMatches) {
+        const headers = new Headers(context.init.headers);
+        headers.set(httpHeader, apiKey);
+        context.init.headers = headers;
+      }
+    },
   };
-  const fetchOpts = Object.assign(defaultFetchOpts, init);
-  const fetchResult = await fetch(input, fetchOpts);
-  return fetchResult;
-}
-
-export async function soFetch(
-  fetchLib: typeof fetch,
-  input: RequestInfo,
-  init?: RequestInit
-): Promise<Response> {
-  const defaultFetchOpts: RequestInit = {
-    referrer: 'no-referrer',
-    referrerPolicy: 'no-referrer',
+}
+
+function getDefaultMiddleware(): FetchMiddleware[] {
+  const setOriginMiddleware: FetchMiddleware = {
+    pre: context => {
+      // Send only the origin in the Referer header. For example, a document
+      // at https://example.com/page.html will send the referrer https://example.com/
+      context.init.referrerPolicy = 'origin';
+    },
+  };
+  return [setOriginMiddleware];
+}
+
+export function getDefaultFetchFn(fetchLib: FetchFn, ...middleware: FetchMiddleware[]): FetchFn;
+export function getDefaultFetchFn(...middleware: FetchMiddleware[]): FetchFn;
+export function getDefaultFetchFn(...args: any[]): FetchFn {
+  let fetchLib: FetchFn = fetch;
+  let middlewareOpt: FetchMiddleware[] = [];
+  if (args.length > 0) {
+    if (typeof args[0] === 'function') {
+      fetchLib = args.shift();
+    }
+  }
+  if (args.length > 0) {
+    middlewareOpt = args;
+  }
+  const middlewares = [...getDefaultMiddleware(), ...middlewareOpt];
+  const fetchFn = async (url: string, init?: RequestInit | undefined): Promise<Response> => {
+    let fetchParams = { url, init: init || {} };
+    for (const middleware of middlewares) {
+      if (middleware.pre) {
+        const result = await Promise.resolve(
+          middleware.pre({
+            fetch: fetchLib,
+            ...fetchParams,
+          })
+        );
+        fetchParams = result ?? fetchParams;
+      }
+    }
+    let response = await fetchLib(fetchParams.url, fetchParams.init);
+    for (const middleware of middlewares) {
+      if (middleware.post) {
+        const result = await Promise.resolve(
+          middleware.post({
+            fetch: fetchLib,
+            url: fetchParams.url,
+            init: fetchParams.init,
+            response: response.clone(),
+          })
+        );
+        response = result ?? response;
+      }
+    }
+    return response;
   };
-  const fetchOpts = Object.assign(defaultFetchOpts, init);
-  const fetchResult = await fetchLib(input, fetchOpts);
-  return fetchResult;
+  return fetchFn;
 }

packages/keychain/src/identity.ts

@@ -1,4 +1,5 @@
 import { makeAuthResponse } from '@stacks/auth';
+import { FetchFn, getDefaultFetchFn } from '@stacks/common';
 import { getPublicKeyFromPrivate, publicKeyToAddress } from '@stacks/encryption';
 import { bip32 } from 'bitcoinjs-lib';
 import { Identity as IdentifyInterface, Profile } from './common';
@@ -129,9 +130,9 @@ export class Identity implements IdentifyInterface {
     return `${gaiaUrl}${this.address}/profile.json`;
   }
 
-  async fetchNames() {
+  async fetchNames(fetchFn: FetchFn = getDefaultFetchFn()) {
     const getNamesUrl = `https://stacks-node-api.stacks.co/v1/addresses/bitcoin/${this.address}`;
-    const res = await fetch(getNamesUrl);
+    const res = await fetchFn(getNamesUrl);
     const data = await res.json();
     const { names }: { names: string[] } = data;
     return names;