Merged in task/dspace-cris-2023_02_x/IIIF-188 (pull request DSpace#3122)

[IIIF-188] configure headers adaptions for allowed origins on IIIF viewer

Approved-by: Giuseppe Digilio

Author: FrancescoMolinaro

server.ts

@@ -65,6 +65,8 @@ const DIST_FOLDER = join(process.cwd(), 'dist/browser');
 // Set path fir IIIF viewer.
 const IIIF_VIEWER = join(process.cwd(), 'dist/iiif');
 
+const miradorHtml = join(IIIF_VIEWER, '/mirador/index.html');
+
 const indexHtml = join(DIST_FOLDER, 'index.html');
 
 const cookieParser = require('cookie-parser');
@@ -86,8 +88,10 @@ const _window = domino.createWindow(indexHtml);
 // The REST server base URL
 const REST_BASE_URL = environment.rest.ssrBaseUrl || environment.rest.baseUrl;
 
+const IIIF_ALLOWED_ORIGINS = environment.rest.allowedOrigins || [];
+
 // Assign the DOM window and document objects to the global object
-(_window as any).screen = {deviceXDPI: 0, logicalXDPI: 0};
+(_window as any).screen = { deviceXDPI: 0, logicalXDPI: 0 };
 (global as any).window = _window;
 (global as any).document = _window.document;
 (global as any).navigator = _window.navigator;
@@ -231,6 +235,35 @@ export function app() {
   */
   router.use('/iiif', express.static(IIIF_VIEWER, { index: false }));
 
+  /*
+  * Adapt headers to allow embedding of IIIF viewer in authorized pages
+  */
+  server.get('/iiif/mirador/index.html', (req, res) => {
+    const referer = req.headers.referer;
+
+    if (referer && !referer.startsWith('/')) {
+      try {
+        const origin =  new URL(referer).origin;
+        if (IIIF_ALLOWED_ORIGINS.includes(origin)) {
+          console.info('Found allowed origin, setting headers for IIIF viewer');
+          // CORS header
+          res.setHeader('Access-Control-Allow-Origin', origin);
+          // CSP for iframe embedding
+          res.setHeader('Content-Security-Policy', `frame-ancestors ${origin};`);
+          console.info('Headers have been set ', res.getHeader('Access-Control-Allow-Origin'), res.getHeader('Content-Security-Policy'));
+        }
+      } catch (error) {
+        console.error('An error occurred setting security headers in response:', error.message);
+      }
+    }
+
+    res.sendFile(miradorHtml, (err) => {
+      if (err) {
+        res.status(500).send('Internal Server Error');
+      }
+    });
+  });
+
   /**
    * Checking server status
    */
@@ -286,6 +319,11 @@ function serverSideRender(req, res, sendToUser: boolean = true) {
     originUrl: environment.ui.baseUrl,
     requestUrl: req.originalUrl,
   }, (err, data) => {
+
+    if (res.writableEnded || res.headersSent || res.finished) {
+      return;
+    }
+
     if (hasNoValue(err) && hasValue(data)) {
       // Replace REST URL with UI URL
         if (environment.universal.replaceRestUrl && REST_BASE_URL !== environment.rest.baseUrl) {
@@ -644,10 +682,10 @@ function start() {
  * The callback function to serve client health check requests
  */
 function clientHealthCheck(req, res) {
-    const isServerHealthy = true;
-    if (isServerHealthy) {
-      res.status(200).json({ status: 'UP' });
-    }
+  const isServerHealthy = true;
+  if (isServerHealthy) {
+    res.status(200).json({ status: 'UP' });
+  }
 }
 
 /*
@@ -665,6 +703,8 @@ function healthCheck(req, res) {
       });
     });
 }
+
+
 // Webpack will replace 'require' with '__webpack_require__'
 // '__non_webpack_require__' is a proxy to Node 'require'
 // The below code is to ensure that the server is run only when not requiring the bundle.

src/app/bitstream-page/bitstream-download-redirect.guard.spec.ts

@@ -162,8 +162,8 @@ describe('BitstreamDownloadRedirectGuard', () => {
       it('should redirect to the content link', waitForAsync(() => {
         TestBed.runInInjectionContext(() => {
           resolver(route, state).subscribe(() => {
-              expect(hardRedirectService.redirect).toHaveBeenCalledWith('bitstream-content-link');
-            }
+            expect(hardRedirectService.redirect).toHaveBeenCalledWith('bitstream-content-link', null, true);
+          },
           );
         });
       }));
@@ -176,7 +176,7 @@ describe('BitstreamDownloadRedirectGuard', () => {
       it('should redirect to an updated content link', waitForAsync(() => {
         TestBed.runInInjectionContext(() => {
           resolver(route, state).subscribe(() => {
-            expect(hardRedirectService.redirect).toHaveBeenCalledWith('content-url-with-headers');
+            expect(hardRedirectService.redirect).toHaveBeenCalledWith('content-url-with-headers', null, true);
           });
         });
       }));

src/app/bitstream-page/bitstream-download-redirect.guard.ts

@@ -66,16 +66,16 @@ export const bitstreamDownloadRedirectGuard: CanActivateFn = (
     }),
     map(([isAuthorized, isLoggedIn, bitstream, fileLink]: [boolean, boolean, Bitstream, string]) => {
       if (isAuthorized && isLoggedIn && isNotEmpty(fileLink)) {
-        hardRedirectService.redirect(fileLink);
+        hardRedirectService.redirect(fileLink, null, true);
         return false;
       } else if (isAuthorized && !isLoggedIn && !hasValue(accessToken)) {
-        hardRedirectService.redirect(bitstream._links.content.href);
+        hardRedirectService.redirect(bitstream._links.content.href, null, true);
         return false;
       } else if (!isAuthorized) {
         // Either we have an access token, or we are logged in, or we are not logged in.
         // For now, the access token does not care if we are logged in or not.
         if (hasValue(accessToken)) {
-          hardRedirectService.redirect(bitstream._links.content.href + '?accessToken=' + accessToken);
+          hardRedirectService.redirect(bitstream._links.content.href + '?accessToken=' + accessToken, null, true);
           return false;
         } else if (isLoggedIn) {
           return router.createUrlTree([getForbiddenRoute()]);

src/app/core/services/hard-redirect.service.ts

@@ -13,8 +13,10 @@ export abstract class HardRedirectService {
    *    the page to redirect to
    * @param statusCode
    *    optional HTTP status code to use for redirect (default = 302, which is a temporary redirect)
+   * @param shouldSetCorsHeader
+   *    optional to prevent CORS error on redirect
    */
-  abstract redirect(url: string, statusCode?: number);
+  abstract redirect(url: string, statusCode?: number, shouldSetCorsHeader?: boolean);
 
   /**
    * Get the current route, with query params included

src/app/core/services/server-hard-redirect.service.spec.ts

@@ -8,11 +8,16 @@ describe('ServerHardRedirectService', () => {
   const mockRequest = jasmine.createSpyObj(['get']);
   const mockResponse = jasmine.createSpyObj(['redirect', 'end']);
 
-  let service: ServerHardRedirectService = new ServerHardRedirectService(environment, mockRequest, mockResponse);
+  const serverResponseService = jasmine.createSpyObj('ServerResponseService', {
+    setHeader: jasmine.createSpy('setHeader'),
+  });
+
+  let service: ServerHardRedirectService = new ServerHardRedirectService(environment, mockRequest, mockResponse, serverResponseService);
   const origin = 'https://test-host.com:4000';
 
   beforeEach(() => {
     mockRequest.protocol = 'https';
+    mockRequest.path = '/bitstreams/test-uuid/download';
     mockRequest.headers = {
       host: 'test-host.com:4000',
     };
@@ -76,7 +81,7 @@ describe('ServerHardRedirectService', () => {
       ssrBaseUrl: 'https://private-url:4000/server',
       baseUrl: 'https://public-url/server',
     } } };
-    service = new ServerHardRedirectService(environmentWithSSRUrl, mockRequest, mockResponse);
+    service = new ServerHardRedirectService(environmentWithSSRUrl, mockRequest, mockResponse, serverResponseService);
 
     beforeEach(() => {
       service.redirect(redirect);
@@ -88,4 +93,21 @@ describe('ServerHardRedirectService', () => {
     });
   });
 
+  describe('Should add cors header on download path', () => {
+    const redirect = 'https://private-url:4000/server/api/bitstreams/uuid';
+    const environmentWithSSRUrl: any = { ...environment, ...{ ...environment.rest, rest: {
+      ssrBaseUrl: 'https://private-url:4000/server',
+      baseUrl: 'https://public-url/server',
+    } } };
+    service = new ServerHardRedirectService(environmentWithSSRUrl, mockRequest, mockResponse, serverResponseService);
+
+    beforeEach(() => {
+      service.redirect(redirect, null, true);
+    });
+
+    it('should set header', () => {
+      expect(serverResponseService.setHeader).toHaveBeenCalled();
+    });
+  });
+
 });

src/app/core/services/server-hard-redirect.service.ts

@@ -4,6 +4,7 @@ import { REQUEST, RESPONSE } from '@nguniversal/express-engine/tokens';
 import { HardRedirectService } from './hard-redirect.service';
 import { APP_CONFIG, AppConfig } from '../../../config/app-config.interface';
 import { isNotEmpty } from '../../shared/empty.util';
+import { ServerResponseService } from './server-response.service';
 
 /**
  * Service for performing hard redirects within the server app module
@@ -15,6 +16,7 @@ export class ServerHardRedirectService extends HardRedirectService {
     @Inject(APP_CONFIG) protected appConfig: AppConfig,
     @Inject(REQUEST) protected req: Request,
     @Inject(RESPONSE) protected res: Response,
+    private responseService: ServerResponseService,
   ) {
     super();
   }
@@ -26,8 +28,9 @@ export class ServerHardRedirectService extends HardRedirectService {
    *    the page to redirect to
    * @param statusCode
    *    optional HTTP status code to use for redirect (default = 302, which is a temporary redirect)
+   * @param shouldSetCorsHeader
    */
-  redirect(url: string, statusCode?: number) {
+  redirect(url: string, statusCode?: number, shouldSetCorsHeader?: boolean) {
     if (url === this.req.url) {
       return;
     }
@@ -57,6 +60,10 @@ export class ServerHardRedirectService extends HardRedirectService {
         status = 302;
       }
 
+      if (shouldSetCorsHeader) {
+        this.setCorsHeader();
+      }
+
       console.info(`Redirecting from ${this.req.url} to ${redirectUrl} with ${status}`);
 
       this.res.redirect(status, redirectUrl);
@@ -83,4 +90,12 @@ export class ServerHardRedirectService extends HardRedirectService {
   getCurrentOrigin(): string {
     return this.req.protocol + '://' + this.req.headers.host;
   }
+
+  /**
+   * Set CORS header to allow embedding of redirected content.
+   * The actual security header will be set by the rest
+   */
+  setCorsHeader() {
+    this.responseService.setHeader('Access-Control-Allow-Origin', '*');
+  }
 }

src/config/server-config.interface.ts

@@ -10,4 +10,5 @@ export class ServerConfig implements Config {
   // This boolean will be automatically set on server startup based on whether "baseUrl" and "ssrBaseUrl"
   // have different values.
   public hasSsrBaseUrl?: boolean;
+  public allowedOrigins?: string[];
 }