Merge branch 'main-cris' into task/main-cris/DSC-2309

Author: FrancescoMolinaro

package.json

@@ -1,6 +1,6 @@
 {
   "name": "dspace-angular",
-  "version": "2024.02.01-SNAPSHOT",
+  "version": "2024.02.02-SNAPSHOT",
   "scripts": {
     "ng": "ng",
     "config:watch": "nodemon",

server.ts

@@ -67,6 +67,8 @@ const DIST_FOLDER = join(process.cwd(), 'dist/browser');
 // Set path fir IIIF viewer.
 const IIIF_VIEWER = join(process.cwd(), 'dist/iiif');
 
+const miradorHtml = join(IIIF_VIEWER, '/mirador/index.html');
+
 const indexHtml = join(DIST_FOLDER, 'index.html');
 
 const cookieParser = require('cookie-parser');
@@ -88,8 +90,10 @@ const _window = domino.createWindow(indexHtml);
 // The REST server base URL
 const REST_BASE_URL = environment.rest.ssrBaseUrl || environment.rest.baseUrl;
 
+const IIIF_ALLOWED_ORIGINS = environment.rest.allowedOrigins || [];
+
 // Assign the DOM window and document objects to the global object
-(_window as any).screen = {deviceXDPI: 0, logicalXDPI: 0};
+(_window as any).screen = { deviceXDPI: 0, logicalXDPI: 0 };
 (global as any).window = _window;
 (global as any).document = _window.document;
 (global as any).navigator = _window.navigator;
@@ -211,6 +215,35 @@ export function app() {
   */
   router.use('/iiif', express.static(IIIF_VIEWER, { index: false }));
 
+  /*
+  * Adapt headers to allow embedding of IIIF viewer in authorized pages
+  */
+  server.get('/iiif/mirador/index.html', (req, res) => {
+    const referer = req.headers.referer;
+
+    if (referer && !referer.startsWith('/')) {
+      try {
+        const origin =  new URL(referer).origin;
+        if (IIIF_ALLOWED_ORIGINS.includes(origin)) {
+          console.info('Found allowed origin, setting headers for IIIF viewer');
+          // CORS header
+          res.setHeader('Access-Control-Allow-Origin', origin);
+          // CSP for iframe embedding
+          res.setHeader('Content-Security-Policy', `frame-ancestors ${origin};`);
+          console.info('Headers have been set ', res.getHeader('Access-Control-Allow-Origin'), res.getHeader('Content-Security-Policy'));
+        }
+      } catch (error) {
+        console.error('An error occurred setting security headers in response:', error);
+      }
+    }
+
+    res.sendFile(miradorHtml, (err) => {
+      if (err) {
+        res.status(500).send('Internal Server Error');
+      }
+    });
+  });
+
   /**
    * Checking server status
    */
@@ -283,6 +316,10 @@ function serverSideRender(req, res, next, sendToUser: boolean = true) {
       ],
     })
     .then((html) => {
+      if (res.writableEnded || res.headersSent || res.finished) {
+        return;
+      }
+
       if (hasValue(html)) {
         // Replace REST URL with UI URL
         if (environment.ssr.replaceRestUrl && REST_BASE_URL !== environment.rest.baseUrl) {
@@ -646,10 +683,10 @@ function start() {
  * The callback function to serve client health check requests
  */
 function clientHealthCheck(req, res) {
-    const isServerHealthy = true;
-    if (isServerHealthy) {
-      res.status(200).json({ status: 'UP' });
-    }
+  const isServerHealthy = true;
+  if (isServerHealthy) {
+    res.status(200).json({ status: 'UP' });
+  }
 }
 
 /*
@@ -667,6 +704,8 @@ function healthCheck(req, res) {
       });
     });
 }
+
+
 // Webpack will replace 'require' with '__webpack_require__'
 // '__non_webpack_require__' is a proxy to Node 'require'
 // The below code is to ensure that the server is run only when not requiring the bundle.

src/app/bitstream-page/bitstream-download-redirect.guard.spec.ts

@@ -169,7 +169,7 @@ describe('BitstreamDownloadRedirectGuard', () => {
       it('should redirect to the content link', waitForAsync(() => {
         TestBed.runInInjectionContext(() => {
           resolver(route, state).subscribe(() => {
-            expect(hardRedirectService.redirect).toHaveBeenCalledWith('bitstream-content-link');
+            expect(hardRedirectService.redirect).toHaveBeenCalledWith('bitstream-content-link', null, true);
           },
           );
         });
@@ -183,7 +183,7 @@ describe('BitstreamDownloadRedirectGuard', () => {
       it('should redirect to an updated content link', waitForAsync(() => {
         TestBed.runInInjectionContext(() => {
           resolver(route, state).subscribe(() => {
-            expect(hardRedirectService.redirect).toHaveBeenCalledWith('content-url-with-headers');
+            expect(hardRedirectService.redirect).toHaveBeenCalledWith('content-url-with-headers', null, true);
           });
         });
       }));

src/app/bitstream-page/bitstream-download-redirect.guard.ts

@@ -47,6 +47,7 @@ export const bitstreamDownloadRedirectGuard: CanActivateFn = (
 ): Observable<UrlTree | boolean> => {
 
   const bitstreamId = route.params.id;
+  const accessToken: string = route.queryParams.accessToken;
 
   return bitstreamDataService.findById(bitstreamId, true, false, ...BITSTREAM_PAGE_LINKS_TO_FOLLOW).pipe(
     getFirstCompletedRemoteData(),
@@ -77,16 +78,23 @@ export const bitstreamDownloadRedirectGuard: CanActivateFn = (
     }),
     map(([isAuthorized, isLoggedIn, bitstream, fileLink]: [boolean, boolean, Bitstream, string]) => {
       if (isAuthorized && isLoggedIn && isNotEmpty(fileLink)) {
-        hardRedirectService.redirect(fileLink);
+        hardRedirectService.redirect(fileLink, null, true);
         return false;
-      } else if (isAuthorized && !isLoggedIn) {
-        hardRedirectService.redirect(bitstream._links.content.href);
+      } else if (isAuthorized && !isLoggedIn && !hasValue(accessToken)) {
+        hardRedirectService.redirect(bitstream._links.content.href, null, true);
         return false;
-      } else if (!isAuthorized && isLoggedIn) {
-        return router.createUrlTree([getForbiddenRoute()]);
-      } else if (!isAuthorized && !isLoggedIn) {
-        auth.setRedirectUrl(router.url);
-        return router.createUrlTree(['login']);
+      } else if (!isAuthorized) {
+        // Either we have an access token, or we are logged in, or we are not logged in.
+        // For now, the access token does not care if we are logged in or not.
+        if (hasValue(accessToken)) {
+          hardRedirectService.redirect(bitstream._links.content.href + '?accessToken=' + accessToken, null, true);
+          return false;
+        } else if (isLoggedIn) {
+          return router.createUrlTree([getForbiddenRoute()]);
+        } else if (!isLoggedIn) {
+          auth.setRedirectUrl(router.url);
+          return router.createUrlTree(['login']);
+        }
       }
     }),
   );

src/app/core/auth/server-auth-request.service.ts

@@ -6,6 +6,7 @@ import {
 import { Injectable } from '@angular/core';
 import { Observable } from 'rxjs';
 import { map } from 'rxjs/operators';
+import { RESTURLCombiner } from 'src/app/core/url-combiner/rest-url-combiner';
 
 import { RemoteDataBuildService } from '../cache/builders/remote-data-build.service';
 import { PostRequest } from '../data/request.models';
@@ -42,8 +43,8 @@ export class ServerAuthRequestService extends AuthRequestService {
    * @protected
    */
   protected createShortLivedTokenRequest(href: string): Observable<PostRequest> {
-    // First do a call to the root endpoint in order to get an XSRF token
-    return this.httpClient.get(this.halService.getRootHref(), { observe: 'response' }).pipe(
+    // First do a call to the csrf endpoint in order to get an XSRF token
+    return this.httpClient.get(new RESTURLCombiner('/security/csrf').toString(), { observe: 'response' }).pipe(
       // retrieve the XSRF token from the response header
       map((response: HttpResponse<any>) => response.headers.get(XSRF_RESPONSE_HEADER)),
       map((xsrfToken: string) => {

src/app/core/data/feature-authorization/feature-id.ts

@@ -41,4 +41,5 @@ export enum FeatureID {
   EPersonForgotPassword = 'epersonForgotPassword',
   ShowClaimItem = 'showClaimItem',
   CanCorrectItem = 'canCorrectItem',
+  CanViewInWorkflowSinceStatistics = 'canViewInWorkflowSinceStatistics',
 }

src/app/core/services/hard-redirect.service.ts

@@ -13,8 +13,10 @@ export abstract class HardRedirectService {
    *    the page to redirect to
    * @param statusCode
    *    optional HTTP status code to use for redirect (default = 302, which is a temporary redirect)
+   * @param shouldSetCorsHeader
+   *    optional to prevent CORS error on redirect
    */
-  abstract redirect(url: string, statusCode?: number);
+  abstract redirect(url: string, statusCode?: number, shouldSetCorsHeader?: boolean);
 
   /**
    * Get the current route, with query params included

src/app/core/services/server-hard-redirect.service.spec.ts

@@ -8,11 +8,16 @@ describe('ServerHardRedirectService', () => {
   const mockRequest = jasmine.createSpyObj(['get']);
   const mockResponse = jasmine.createSpyObj(['redirect', 'end']);
 
-  let service: ServerHardRedirectService = new ServerHardRedirectService(environment, mockRequest, mockResponse);
+  const serverResponseService = jasmine.createSpyObj('ServerResponseService', {
+    setHeader: jasmine.createSpy('setHeader'),
+  });
+
+  let service: ServerHardRedirectService = new ServerHardRedirectService(environment, mockRequest, mockResponse, serverResponseService);
   const origin = 'https://test-host.com:4000';
 
   beforeEach(() => {
     mockRequest.protocol = 'https';
+    mockRequest.path = '/bitstreams/test-uuid/download';
     mockRequest.headers = {
       host: 'test-host.com:4000',
     };
@@ -76,7 +81,7 @@ describe('ServerHardRedirectService', () => {
       ssrBaseUrl: 'https://private-url:4000/server',
       baseUrl: 'https://public-url/server',
     } } };
-    service = new ServerHardRedirectService(environmentWithSSRUrl, mockRequest, mockResponse);
+    service = new ServerHardRedirectService(environmentWithSSRUrl, mockRequest, mockResponse, serverResponseService);
 
     beforeEach(() => {
       service.redirect(redirect);
@@ -88,4 +93,21 @@ describe('ServerHardRedirectService', () => {
     });
   });
 
+  describe('Should add cors header on download path', () => {
+    const redirect = 'https://private-url:4000/server/api/bitstreams/uuid';
+    const environmentWithSSRUrl: any = { ...environment, ...{ ...environment.rest, rest: {
+      ssrBaseUrl: 'https://private-url:4000/server',
+      baseUrl: 'https://public-url/server',
+    } } };
+    service = new ServerHardRedirectService(environmentWithSSRUrl, mockRequest, mockResponse, serverResponseService);
+
+    beforeEach(() => {
+      service.redirect(redirect, null, true);
+    });
+
+    it('should set header', () => {
+      expect(serverResponseService.setHeader).toHaveBeenCalled();
+    });
+  });
+
 });

src/app/core/services/server-hard-redirect.service.ts

@@ -17,6 +17,7 @@ import {
 } from '../../../express.tokens';
 import { isNotEmpty } from '../../shared/empty.util';
 import { HardRedirectService } from './hard-redirect.service';
+import { ServerResponseService } from './server-response.service';
 
 /**
  * Service for performing hard redirects within the server app module
@@ -28,6 +29,7 @@ export class ServerHardRedirectService extends HardRedirectService {
     @Inject(APP_CONFIG) protected appConfig: AppConfig,
     @Inject(REQUEST) protected req: Request,
     @Inject(RESPONSE) protected res: Response,
+    private responseService: ServerResponseService,
   ) {
     super();
   }
@@ -39,8 +41,9 @@ export class ServerHardRedirectService extends HardRedirectService {
    *    the page to redirect to
    * @param statusCode
    *    optional HTTP status code to use for redirect (default = 302, which is a temporary redirect)
+   * @param shouldSetCorsHeader
    */
-  redirect(url: string, statusCode?: number) {
+  redirect(url: string, statusCode?: number, shouldSetCorsHeader?: boolean) {
     if (url === this.req.url) {
       return;
     }
@@ -70,6 +73,10 @@ export class ServerHardRedirectService extends HardRedirectService {
         status = 302;
       }
 
+      if (shouldSetCorsHeader) {
+        this.setCorsHeader();
+      }
+
       console.info(`Redirecting from ${this.req.url} to ${redirectUrl} with ${status}`);
 
       this.res.redirect(status, redirectUrl);
@@ -96,4 +103,12 @@ export class ServerHardRedirectService extends HardRedirectService {
   getCurrentOrigin(): string {
     return this.req.protocol + '://' + this.req.headers.host;
   }
+
+  /**
+   * Set CORS header to allow embedding of redirected content.
+   * The actual security header will be set by the rest
+   */
+  setCorsHeader() {
+    this.responseService.setHeader('Access-Control-Allow-Origin', '*');
+  }
 }

src/app/item-page/item-page.resolver.ts

@@ -75,10 +75,11 @@ export const itemPageResolver: ResolveFn<RemoteData<Item>> = (
     map((rd: RemoteData<Item>) => {
       store.dispatch(new ResolvedAction(state.url, rd.payload));
       if (rd.hasSucceeded && hasValue(rd.payload)) {
+        const itemRoute = router.parseUrl(getItemPageRoute(rd.payload)).toString();
         // Check if custom url not empty and if the current id parameter is different from the custom url redirect to custom url
         if (hasValue(rd.payload.metadata) && isNotEmpty(rd.payload.metadata['cris.customurl'])) {
           if (route.params.id !== rd.payload.metadata['cris.customurl'][0].value) {
-            const newUrl = state.url.replace(route.params.id, rd.payload.metadata['cris.customurl'][0].value);
+            const newUrl = itemRoute.replace(route.params.id, rd.payload.metadata['cris.customurl'][0].value);
             router.navigateByUrl(newUrl);
           }
         } else {
@@ -88,7 +89,6 @@ export const itemPageResolver: ResolveFn<RemoteData<Item>> = (
           // or semicolons) and thisRoute has been encoded with that function. If we want to compare
           // it with itemRoute, we have to run itemRoute through Angular's version as well to ensure
           // the same characters are encoded the same way.
-          const itemRoute = router.parseUrl(getItemPageRoute(rd.payload)).toString();
 
           if (!thisRoute.startsWith(itemRoute)) {
             const itemId = rd.payload.uuid;