procore / js-sdk Goto Github PK

We are currently working on changing CSFR strategy in the scope of https://procoretech.atlassian.net/browse/VM-525
Would it be possible to change csrf token definition method here lib/csrf.ts to take it from cookie? For example like this document.cookie.match('(^|;)\\s*csrf_token\\s*=\\s*([^;]+)') and decode it after like this decodeURIComponent(csrfTokenFromCookie). Else we need to implement it in every hydra client which is using js-sdk library.

G'day!

I'm running into some cors issues using the implicit grant flow described in the docs to talk to the procore api from a SPA client.

I've got the auth going fine, but when I make a request (say to projects) via procore.get(projects(..)),

I get the following

Failed to load https://sandbox.procore.com/vapid/projects: Response to preflight request doesn't pass 
access control check: The value of the 'Access-Control-Allow-Credentials' header in the response is '' 
which must be 'true' when the request's credentials mode is 'include'. Origin 'http://localhost' is 
therefore not allowed access.

It is the same on the sandbox and the production api.
It fails on the preflight and doesn't make the actual request.
Is there another header I must include? From what I can tell, it's expecting the response from procore to contain 'Access-Control-Allow-Credentials' : true in the headers.

It works fine with web security disabled as a runtime flag for chrome.

Problem

Currently the response parser calls response.json() to get the body from the Stream. If the response is empty (as is expect for status HTTP 204 No Content) calling .json() will throw the error Unexpected end of JSON input.

Current Workaround

Return empty [] or {} from the offending endpoint.

Proposed solution

We should skip the call to .json() for requests expected to return no data and either return null or {} for the body

https://github.com/procore/js-sdk/blob/master/lib/client.ts#L67

https://stackoverflow.com/questions/37280029/whatwg-fetch-fails-when-json-parsing-an-empty-response-how-can-i-prevent-it

Failed to fetch and parse JSON for endpoint: line item types (cost types) failed at step: Fetch
(node:28395) UnhandledPromiseRejectionWarning: Unhandled promise rejection (rejection id: 1): SyntaxError: Unexpected token < in JSON at position 0
(node:28395) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.

https://nodesecurity.io/advisories/536

Fix has not been merged into master yet so we need to wait

jprichardson/string.js#217

Attempting to use the sdk with a POST request for a CSV endpoint results in an error due to the immediate conversion of a response to json here:

https://github.com/procore/js-sdk/blob/90304538e483705fd799803761efef3c342dd328/lib/client.ts#L55-L64

It appears that the sdk does not support non-JSON response types. It would be very useful to be able to configure how the sdk handles a given request, instead of assuming we always want to use it for JSON.

Hi,

I am trying to get list of projects from api but it seams in an action parameter is required but I couldn't figure out what are the possible values can be.

const { body } = await procore.get(
      projects({ action: "", qs: { company_id: process.env.COMPANY_ID } }),
    );

Running yarn endpoints more than once seems to add the endpoints to index.ts regardless of whether they are already there leading to an error on yarn compile for duplicate declarations

lib/index.ts(9,21): error TS2300: Duplicate identifier 'projectRoles'.
lib/index.ts(10,21): error TS2300: Duplicate identifier 'me'.
lib/index.ts(11,21): error TS2300: Duplicate identifier 'programs'.
lib/index.ts(12,21): error TS2300: Duplicate identifier 'authentication'.

Is there a sample wrapper for PHP?

I am using Procore SDK to integrate authentication in our app using implicit grant type

here is the code sample call back code never be called

res.redirect(
      authorize(
        {
          clientId: process.env.PROCORE_CLIENT_ID,
          uri: process.env.PROCORE_REDIRECT_URI,
        },
        { apiHostname: 'https://login.procore.com' }
      )
    );
    
    const result = await token(
      {
        id: process.env.PROCORE_CLIENT_ID,
        uri: process.env.PROCORE_REDIRECT_URI,
        code: req.query.code,
      },
      { apiHostname: 'https://login.procore.com' }
    );

but I got this error

Access to fetch at 'https://login.procore.com/oauth/authorize?response_type=code&client_id=MyClientId&redirect_uri=https%3A%2F%2F333f-105-35-1-213.ngrok.io%2Fprocore%2Fcallback' (redirected from 'http://localhost:3000/procore/authProcoreUser') from origin 'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled

right now the only allowed content-type is application/json https://github.com/procore/js-sdk/blob/master/lib/client.ts#L50 as the headers aren't overridable, but for multipart/form-data the content-type header needs to not be set since the browser will take care of adding the boundary to the content-type (e.g. multipart/form-data; boundary=----WebKitFormBoundaryfB2NtLKSbqM4j1eJ)