Use webapp token instead of plaintext credentials

Author: gjsjohnmurray

src/commands/serverActions.ts

@@ -10,12 +10,13 @@ import {
 import { connectionTarget, terminalWithDocker, currentFile } from "../utils";
 import { mainCommandMenu, mainSourceControlMenu } from "./studio";
 import { AtelierAPI } from "../api";
+import { getCSPToken } from "../utils/getCSPToken";
 
-type ServerAction = { detail: string; id: string; label: string };
+type ServerAction = { detail: string; id: string; label: string; rawLink?: string };
 export async function serverActions(): Promise<void> {
   const { apiTarget, configName: workspaceFolder } = connectionTarget();
   const api = new AtelierAPI(apiTarget);
-  const { active, host = "", ns = "", https, port = 0, pathPrefix, username, password, docker } = api.config;
+  const { active, host = "", ns = "", https, port = 0, pathPrefix, docker } = api.config;
   const explorerCount = (await explorerProvider.getChildren()).length;
   if (!explorerCount && (!docker || host === "")) {
     await vscode.commands.executeCommand("ObjectScriptExplorer.focus");
@@ -70,29 +71,24 @@ export async function serverActions(): Promise<void> {
   const file = currentFile();
   const classname = file && file.name.toLowerCase().endsWith(".cls") ? file.name.slice(0, -4) : "";
   const classnameEncoded = encodeURIComponent(classname);
-  const connInfo = `${host}:${port}[${nsEncoded}]`;
+  const connInfo = `${host}:${port}${pathPrefix}[${nsEncoded}]`;
   const serverUrl = `${https ? "https" : "http"}://${host}:${port}${pathPrefix}`;
-  const portalUrl = `${serverUrl}/csp/sys/UtilHome.csp?$NAMESPACE=${nsEncoded}`;
-  const classRef = `${serverUrl}/csp/documatic/%25CSP.Documatic.cls?LIBRARY=${nsEncoded}${
+  const portalPath = `/csp/sys/UtilHome.csp?$NAMESPACE=${nsEncoded}`;
+  const classRef = `/csp/documatic/%25CSP.Documatic.cls?LIBRARY=${nsEncoded}${
     classname ? "&CLASSNAME=" + classnameEncoded : ""
   }`;
-  const iris = workspaceState.get(workspaceFolder + ":iris", false);
-  const usernameEncoded = encodeURIComponent(username);
-  const passwordEncoded = encodeURIComponent(password);
-  const auth = iris
-    ? `&IRISUsername=${usernameEncoded}&IRISPassword=${passwordEncoded}`
-    : `&CacheUserName=${usernameEncoded}&CachePassword=${passwordEncoded}`;
   let extraLinks = 0;
   for (const title in links) {
-    let link = String(links[title]);
-    if (classname == "" && (link.includes("${classname}") || link.includes("${classnameEncoded}"))) {
+    const rawLink = String(links[title]);
+    // Skip link if it requires a classname and we don't currently have one
+    if (classname == "" && (rawLink.includes("${classname}") || rawLink.includes("${classnameEncoded}"))) {
       continue;
     }
-    link = link
+    const link = rawLink
       .replace("${host}", host)
       .replace("${port}", port.toString())
       .replace("${serverUrl}", serverUrl)
-      .replace("${serverAuth}", auth)
+      .replace("${serverAuth}", "")
       .replace("${ns}", nsEncoded)
       .replace("${namespace}", ns == "%SYS" ? "sys" : nsEncoded.toLowerCase())
       .replace("${classname}", classname)
@@ -101,6 +97,7 @@ export async function serverActions(): Promise<void> {
       id: "extraLink" + extraLinks++,
       label: title,
       detail: link,
+      rawLink,
     });
   }
   if (workspaceState.get(workspaceFolder + ":docker", false)) {
@@ -113,12 +110,12 @@ export async function serverActions(): Promise<void> {
   actions.push({
     id: "openPortal",
     label: "Open Management Portal",
-    detail: portalUrl,
+    detail: serverUrl + portalPath,
   });
   actions.push({
     id: "openClassReference",
     label: "Open Class Reference" + (classname ? ` for ${classname}` : ""),
-    detail: classRef,
+    detail: serverUrl + classRef,
   });
   if (
     !vscode.window.activeTextEditor ||
@@ -141,17 +138,21 @@ export async function serverActions(): Promise<void> {
       placeHolder: `Select action for server: ${connInfo}`,
     })
     .then(connectionActionsHandler)
-    .then((action) => {
+    .then(async (action) => {
       if (!action) {
         return;
       }
       switch (action.id) {
         case "openPortal": {
-          vscode.env.openExternal(vscode.Uri.parse(portalUrl + auth));
+          const token = await getCSPToken(api, portalPath);
+          const urlString = `${serverUrl}${portalPath}&CSPCHD=${token}`;
+          vscode.env.openExternal(vscode.Uri.parse(urlString));
           break;
         }
         case "openClassReference": {
-          vscode.env.openExternal(vscode.Uri.parse(classRef + auth));
+          const token = await getCSPToken(api, classRef);
+          const urlString = `${serverUrl}${classRef}&CSPCHD=${token}`;
+          vscode.env.openExternal(vscode.Uri.parse(urlString));
           break;
         }
         case "openDockerTerminal": {
@@ -167,7 +168,15 @@ export async function serverActions(): Promise<void> {
           break;
         }
         default: {
-          vscode.env.openExternal(vscode.Uri.parse(action.detail));
+          let urlString = action.detail;
+          if (action.rawLink?.startsWith("${serverUrl}")) {
+            const path = vscode.Uri.parse(urlString).path;
+            const token = await getCSPToken(api, path);
+            if (token.length > 0) {
+              urlString += `&CSPCHD=${token}`;
+            }
+          }
+          vscode.env.openExternal(vscode.Uri.parse(urlString));
         }
       }
     });

src/commands/studio.ts

@@ -100,7 +100,7 @@ class StudioActions {
         return vscode.window
           .showWarningMessage(target, { modal: true }, "Yes", "No")
           .then((answer) => (answer === "Yes" ? "1" : answer === "No" ? "0" : "2"));
-      case 2: // Run a CSP page/Template. The Target is the full url to the CSP page/Template
+      case 2: // Run a CSP page/Template. The Target is the full path of CSP page/template on the connected server
         return new Promise((resolve) => {
           let answer = "2";
           const column = vscode.window.activeTextEditor ? vscode.window.activeTextEditor.viewColumn : undefined;
@@ -120,16 +120,19 @@ class StudioActions {
           });
           panel.onDidDispose(() => resolve(answer));
 
+          const config = this.api.config;
           const url = new URL(
-            `${this.api.config.https ? "https" : "http"}://${this.api.config.host}:${this.api.config.port}${target}`
+            `${config.https ? "https" : "http"}://${config.host}:${config.port}${config.pathPrefix}${target}`
           );
-          this.api
-            .actionQuery("select %Atelier_v1_Utils.General_GetCSPToken(?) token", [url.toString()])
-            .then((tokenObj) => {
-              const csptoken = tokenObj.result.content[0].token;
-              url.searchParams.set("CSPCHD", csptoken);
-              url.searchParams.set("Namespace", this.api.config.ns);
-              panel.webview.html = `
+
+          // Do this ourself instead of using our new getCSPToken wrapper function, because that function reuses tokens which causes issues with
+          // webview when server is 2020.1.1 or greater, as session cookie scope is typically Strict, meaning that the webview
+          // cannot store the cookie. Consequence is web sessions may build up (they get a 900 second timeout)
+          this.api.actionQuery("select %Atelier_v1_Utils.General_GetCSPToken(?) token", [target]).then((tokenObj) => {
+            const csptoken = tokenObj.result.content[0].token;
+            url.searchParams.set("CSPCHD", csptoken);
+            url.searchParams.set("Namespace", this.api.config.ns);
+            panel.webview.html = `
               <!DOCTYPE html>
               <html lang="en">
               <head>
@@ -157,7 +160,7 @@ class StudioActions {
               </body>
               </html>
               `;
-            });
+          });
         });
       case 3: // Run an EXE on the client.
         throw new Error("processUserAction: Run EXE (Action=5) not supported");

src/utils/getCSPToken.ts

@@ -0,0 +1,28 @@
+import { AtelierAPI } from "../api";
+
+const allTokens = new Map<string, Map<string, string>>();
+
+// Get or extend CSP token that will give current connected user access to webapp at path
+export async function getCSPToken(api: AtelierAPI, path: string): Promise<string> {
+  // Ignore any queryparams, and null out any page name
+  const parts = path.split("?")[0].split("/");
+  parts.pop();
+  parts.push("");
+  path = parts.join("/");
+
+  // The first key in map-of-maps where we record tokens represents the connection target
+  const { https, host, port, pathPrefix, username } = api.config;
+  const connKey = JSON.stringify({ https, host, port, pathPrefix, username });
+
+  const myTokens = allTokens.get(connKey) || new Map<string, string>();
+  const previousToken = myTokens.get(path) || "";
+  let token = "";
+  return api
+    .actionQuery("select %Atelier_v1_Utils.General_GetCSPToken(?, ?) token", [path, previousToken])
+    .then((tokenObj) => {
+      token = tokenObj.result.content[0].token;
+      myTokens.set(path, token);
+      allTokens.set(connKey, myTokens);
+      return token;
+    });
+}