| ERROR | [] | ' + + '' + htmlEncode(this.message) + ' |
| ERROR | -[] | -${Lib.htmlEncode(message)} |
-
| ERROR | -[] | -${htmlEncode(message)} |
-
${Lib.htmlEncode(body)}`;
- res.type("html");
- }
-
- if (logTime) {
- console.log(
- ("Reverse Proxy: ".bold + fhirRequest.url + " -> ").cyan +
- String((Date.now() - logTime) + "ms").yellow.bold
- );
- }
-
- res.send(body);
- });
-
-};
diff --git a/src/simple-proxy.js b/src/simple-proxy.js
index a30eb3a4..6e506ab3 100644
--- a/src/simple-proxy.js
+++ b/src/simple-proxy.js
@@ -1,27 +1,144 @@
-// @ts-check
const Url = require("url");
const request = require("request");
const jwt = require("jsonwebtoken");
const replStream = require("replacestream");
const config = require("./config");
-const patientMap = require("./patient-compartment");
+const debug = require('util').debuglog("proxy");
const Lib = require("./lib");
+const OperationOutcome = require("./OperationOutcome");
+const replaceAll = require("replaceall");
+
+////** @type {any} */
+const assert = Lib.assert;
+
+const RE_RESOURCE_SLASH_ID = new RegExp(
+ "([A-Z][A-Za-z]+)" + // resource type
+ "(\\/([^_][^\\/?]+))" + // resource id
+ "(\\/?(\\?(.*))?)?" // suffix (query)
+);
+
+
+/**
+ * Given a conformance statement (as JSON string), replaces the auth URIs with
+ * new ones that point to our proxy server. Also add the rest.security.service
+ * field.
+ * @param {String} bodyText A conformance statement as JSON string
+ * @param {String} baseUrl The baseUrl of our server
+ * @returns {Object|null} Returns the modified JSON object or null in case of error
+ */
+function augmentConformance(bodyText, baseUrl) {
+ let json = JSON.parse(bodyText);
+
+ json.rest[0].security.extension = [{
+ "url": "http://fhir-registry.smarthealthit.org/StructureDefinition/oauth-uris",
+ "extension": [
+ {
+ "url": "authorize",
+ "valueUri": Lib.buildUrlPath(baseUrl, "/auth/authorize")
+ },
+ {
+ "url": "token",
+ "valueUri": Lib.buildUrlPath(baseUrl, "/auth/token")
+ },
+ {
+ "url": "introspect",
+ "valueUri": Lib.buildUrlPath(baseUrl, "/auth/introspect")
+ }
+ ]
+ }];
+
+ json.rest[0].security.service = [
+ {
+ "coding": [
+ {
+ "system": "http://hl7.org/fhir/restful-security-service",
+ "code": "SMART-on-FHIR",
+ "display": "SMART-on-FHIR"
+ }
+ ],
+ "text": "OAuth2 using SMART-on-FHIR profile (see http://docs.smarthealthit.org)"
+ }
+ ]
+
+ return json;
+}
+
+function adjustResponseUrls(bodyText, fhirUrl, requestUrl, fhirBaseUrl, requestBaseUrl) {
+ bodyText = replaceAll(fhirUrl, requestUrl, bodyText);
+ bodyText = replaceAll(fhirUrl.replace(",", "%2C"), requestUrl, bodyText); // allow non-encoded commas
+ bodyText = replaceAll("/fhir", requestBaseUrl, bodyText);
+ return bodyText;
+}
+
+function adjustUrl(url) {
+ return url.replace(RE_RESOURCE_SLASH_ID, (
+ resourceAndId,
+ resource,
+ slashAndId,
+ id,
+ suffix,
+ slashAndQuery,
+ query
+ ) => resource + "?" + (query ? query + "&" : "") + "_id=" + id);
+}
+
+function handleMetadataRequest(req, res, fhirServer)
+{
+ // set everything to JSON since we don't currently support XML and block XML
+ // requests at a middleware layer
+ let fhirRequest = {
+ headers: {
+ "content-type": "application/json",
+ "accept" : req.params.fhir_release.toUpperCase() == "R2" ? "application/json+fhir" : "application/fhir+json"
+ },
+ method: req.method,
+ url: Lib.buildUrlPath(fhirServer, adjustUrl(req.url))
+ }
-require("colors");
+ if (process.env.NODE_ENV != "test") {
+ debug(fhirRequest.url, fhirRequest);
+ }
+ request(fhirRequest, function(error, response, body) {
+ if (error) {
+ return res.send(JSON.stringify(error, null, 4));
+ }
+ res.status(response.statusCode);
+ response.headers['content-type'] && res.type(response.headers['content-type']);
+
+ // adjust urls in the fhir response so future requests will hit the proxy
+ if (body) {
+ let requestUrl = Lib.buildUrlPath(config.baseUrl, req.originalUrl);
+ let requestBaseUrl = Lib.buildUrlPath(config.baseUrl, req.baseUrl)
+ body = adjustResponseUrls(body, fhirRequest.url, requestUrl, fhirServer, requestBaseUrl);
+ }
-module.exports = (req, res) => {
+ // special handler for metadata requests - inject the SMART information
+ if (response.statusCode == 200 && body.indexOf("fhirVersion") != -1) {
+ let baseUrl = Lib.buildUrlPath(config.baseUrl, req.baseUrl.replace("/fhir", ""));
+ let secure = req.secure || req.headers["x-forwarded-proto"] == "https";
+ baseUrl = baseUrl.replace(/^https?/, secure ? "https" : "http");
+ body = augmentConformance(body, baseUrl);
+ if (!body) {
+ res.status(404);
+ body = new OperationOutcome("Error reading server metadata")
+ }
+ }
- // We cannot handle the conformance here!
- if (req.url.match(/^\/metadata/)) {
- return require("./reverse-proxy")(req, res);
- }
+ body = (typeof body == "string" ? body : JSON.stringify(body, null, 4));
- let logTime = Lib.bool(process.env.LOG_TIMES) ? Date.now() : null;
+ res.send(body);
+ });
+
+}
+/**
+ * @param {import("express").Request} req
+ */
+function validateToken(req) {
let token = null;
- // Validate token ----------------------------------------------------------
+ // Validate token ---------------------------------------------------------
if (req.headers.authorization) {
// require a valid auth token if there is an auth token
@@ -31,16 +148,22 @@ module.exports = (req, res) => {
config.jwtSecret
);
} catch (e) {
- return res.status(401).send(
- `${e.name || "Error"}: ${e.message || "Invalid token"}`
- );
+ throw new Lib.HTTPError(401, "Invalid token: " + e.message)
}
- // Simulated errors
- if (token.sim_error) {
- return res.status(401).send(token.sim_error);
- }
+ assert.http(token, 400, "Invalid token")
+ assert.http(typeof token == "object", 400, "Invalid token")
+
+ // @ts-ignore
+ assert.http(!token.sim_error, 401, token.sim_error);
}
+}
+
+/**
+ * @param {import("express").Request} req
+ * @param {import("express").Response} res
+ */
+module.exports = (req, res) => {
// Validate FHIR Version ---------------------------------------------------
let fhirVersion = req.params.fhir_release.toUpperCase();
@@ -61,6 +184,14 @@ module.exports = (req, res) => {
});
}
+ // We cannot handle the conformance here!
+ if (req.url.match(/^\/metadata/)) {
+ return handleMetadataRequest(req, res, fhirServer);
+ }
+
+ validateToken(req);
+
+
// Build the FHIR request options ------------------------------------------
let fhirRequestOptions = {
method: req.method,
@@ -70,24 +201,8 @@ module.exports = (req, res) => {
const isBinary = fhirRequestOptions.url.pathname.indexOf("/Binary/") === 0;
- // if applicable, apply patient scope to GET requests, largely for
- // performance reasons. Full scope support can't be implemented in a proxy
- // because it would require "or" conditions in FHIR API calls (ie ),
- // but should do better than this!
- if (req.method == "GET") {
- let scope = (token && token.scope ) || req.headers["x-scope"];
- let patient = (token && token.patient) || req.headers["x-patient"];
- if (scope && patient && scope.indexOf("user/") == -1) {
- let resourceType = req.url.slice(1);
- let prop = patientMap[fhirVersionLower] && patientMap[fhirVersionLower][resourceType];
- if (prop) {
- fhirRequestOptions.url.query[prop] = patient;
- }
- }
- }
-
// Add the body in case of POST or PUT -------------------------------------
- if (req.method === "POST" || req.method === "PUT") {
+ if (req.method === "POST" || req.method === "PUT" || req.method === "PATCH") {
fhirRequestOptions.body = req.body;
}
@@ -103,13 +218,8 @@ module.exports = (req, res) => {
"application/fhir+json";
}
- if (fhirRequestOptions.headers.hasOwnProperty("host")) {
- delete fhirRequestOptions.headers.host;
- }
-
- if (fhirRequestOptions.headers.hasOwnProperty("authorization")) {
- delete fhirRequestOptions.headers.authorization;
- }
+ delete fhirRequestOptions.headers.host;
+ delete fhirRequestOptions.headers.authorization;
// remove custom headers
for (let name in fhirRequestOptions.headers) {
diff --git a/test/api.js b/test/api.js
index 34922ca1..6ec1e54c 100644
--- a/test/api.js
+++ b/test/api.js
@@ -205,7 +205,7 @@ before(async () => {
after(closeServer);
-describe("Global Routes", () => {
+describe("Global stuff", () => {
it('index responds with html', () => {
return request(app)
@@ -225,6 +225,62 @@ describe("Global Routes", () => {
expect(res.body.keys.length).to.be.greaterThan(0)
});
});
+
+ it('/public_key hosts the public key as pem', () => {
+ return request(app)
+ .get('/public_key')
+ .expect('Content-Type', /text/)
+ .expect(200)
+ .expect(/-----BEGIN PUBLIC KEY-----/)
+ });
+
+ it ("/env.js", () => {
+ return request(app)
+ .get('/env.js')
+ .expect('Content-Type', /javascript/)
+ .expect(200)
+ .expect(/var ENV = \{/)
+ })
+
+ it("rejects xml", async () => {
+ await request(app)
+ .get("/")
+ .set("content-type", "application/xml")
+ .expect(400, /XML format is not supported/)
+ })
+
+ describe("/launcher", () => {
+ it("requires launch_uri", async () => {
+ await request(app)
+ .get('/launcher')
+ .expect('Content-Type', /text/)
+ .expect(400, "launch_uri is required")
+ })
+
+ it("requires absolute launch_uri", async () => {
+ await request(app)
+ .get('/launcher')
+ .query({ launch_uri: "./test" })
+ .expect('Content-Type', /text/)
+ .expect(400, "Invalid launch_uri parameter")
+ })
+
+ it("validates the fhir_ver param", async () => {
+ await request(app)
+ .get('/launcher')
+ .query({ launch_uri: "http://test.dev", fhir_ver: 33 })
+ .expect('Content-Type', /text/)
+ .expect(400, "Invalid or missing fhir_ver parameter. It can only be '2', '3' or '4'.")
+ })
+
+ it("works", async () => {
+ await request(app)
+ .get('/launcher')
+ .query({ launch_uri: "http://test.dev", fhir_ver: 3 })
+ .expect("location", /^http\:\/\/test\.dev\?iss=.+/)
+ .expect(302)
+ })
+ })
describe('RSA Generator', () => {
@@ -275,6 +331,7 @@ describe("Global Routes", () => {
})
});
});
+
});
for(const FHIR_VERSION in TESTED_FHIR_SERVERS) {
@@ -282,6 +339,15 @@ for(const FHIR_VERSION in TESTED_FHIR_SERVERS) {
const SMART = getSmartApi(FHIR_VERSION);
describe(`FHIR server ${FHIR_VERSION}`, () => {
+
+ it("Catches body parse errors", async () => {
+ await request(app)
+ .post(buildUrl({ fhir: FHIR_VERSION, path: "fhir" }).pathname)
+ .type("json")
+ .send('{"a":1,"b":}')
+ .expect(400)
+ .expect(/OperationOutcome/)
+ })
it('can render the patient picker', () => {
return request(app)
@@ -304,17 +370,37 @@ for(const FHIR_VERSION in TESTED_FHIR_SERVERS) {
.expect(200)
});
+ it ("renders .well-known/smart-configuration", async () => {
+ return request(app)
+ .get(buildUrl({ fhir: FHIR_VERSION, path: ".well-known/smart-configuration" }).pathname)
+ .expect('Content-Type', /json/)
+ .expect(200)
+ })
+
describe('Proxy', function() {
this.timeout(10000);
+
+ it("rejects unknown fhir versions", async () => {
+ await request(app)
+ .get(buildUrl({ fhir: FHIR_VERSION + 2, path: "/fhir/Patient"}).pathname)
+ .expect(400, /FHIR server r\d2 not found/)
+ })
it('fhir/metadata responds with html in browsers', () => {
return request(app)
.get(buildUrl({ fhir: FHIR_VERSION, path: "fhir/metadata" }).pathname)
.set('Accept', 'text/html')
- .expect('Content-Type', /^text\/html/)
+ .expect('content-type', /application\/(fhir\+json|json\+fhir|json)/)
.expect(200)
});
+ it('removes custom headers', () => {
+ return request(app)
+ .get(buildUrl({ fhir: FHIR_VERSION, path: "fhir/Patient" }).pathname)
+ .set('x-custom', 'whatever')
+ .expect(res => expect(res.header['x-custom']).to.equal(undefined))
+ });
+
it ("Validates the FHIR version", () => {
return request(app)
.get(buildUrl({ fhir: "r300", path: "fhir/metadata" }).pathname)
@@ -325,10 +411,10 @@ for(const FHIR_VERSION in TESTED_FHIR_SERVERS) {
it ("If auth token is sent - validates it", () => {
return request(app)
- .get(buildUrl({ fhir: FHIR_VERSION, path: "fhir/metadata" }).pathname)
+ .get(buildUrl({ fhir: FHIR_VERSION, path: "fhir/Patient" }).pathname)
.set("authorization", "Bearer whatever")
.expect('Content-Type', /text/)
- .expect("JsonWebTokenError: jwt malformed")
+ .expect(/Invalid token\: /)
.expect(401)
});
@@ -467,13 +553,6 @@ for(const FHIR_VERSION in TESTED_FHIR_SERVERS) {
});
});
- it("rejects invalid authorization tokens", async () => {
- await request(app)
- .get(buildUrl({ fhir: FHIR_VERSION, path: "/fhir/Patient" }).pathname)
- .set("authorization", "bearer invalid-token")
- .expect(401, /JsonWebTokenError/);
- })
-
it ("Can simulate custom token errors", async () => {
const token = jwt.sign({ sim_error: "test error" }, config.jwtSecret)
await request(app)
@@ -506,49 +585,30 @@ for(const FHIR_VERSION in TESTED_FHIR_SERVERS) {
};
const authErrors = {
- "auth_invalid_client_id" : "sim_invalid_client_id",
- "auth_invalid_redirect_uri": "sim_invalid_redirect_uri",
- "auth_invalid_scope" : "sim_invalid_scope"
+ "auth_invalid_client_id" : /error_description=Simulated\+invalid\+client_id\+parameter\+error/,
+ "auth_invalid_scope" : /error_description=Simulated\+invalid\+scope\+error/
}
- const requiredAuthorizeParams = [
- "redirect_uri",
- "response_type",
- // "client_id",
- // "scope",
- // "state"
- ]
-
- // checks for required params
- // -------------------------------------------------------------
- for (const name of requiredAuthorizeParams) {
-
- // If redirect_uri is missing we reply with 400 (tested below)
- // If anything else is missing we redirect and pass an error param
- if (name !== "redirect_uri") {
- it(`requires "${name}" param`, () => {
- const query = { ...fullQuery };
- delete query[name]
+ it(`requires "response_type" param`, () => {
+ const query = { ...fullQuery };
+ delete query.response_type
+ return request(app)
+ .get(url.pathname)
+ .query(query)
+ .expect(302)
+ .expect("location", /error_description=Missing\+response_type\+parameter/)
+ .expect("location", /state=x/)
+ });
- return request(app)
- .get(url.pathname)
- .query(query)
- .expect(302)
- .expect(function(res) {
- const loc = res.get("location");
- if (!loc || loc.indexOf(`error=missing_parameter`) == -1) {
- throw new Error(`No error passed to the redirect ${loc}`)
- }
- })
- .expect(function(res) {
- const loc = res.get("location");
- if (!loc || loc.indexOf("state=x") == -1) {
- throw new Error(`No state passed to the redirect ${loc}`)
- }
- });
- });
- }
- }
+ it(`requires "redirect_uri" param`, () => {
+ const query = { ...fullQuery };
+ delete query.redirect_uri
+ return request(app)
+ .get(url.pathname)
+ .query(query)
+ .expect(400)
+ .expect({ error: "invalid_request", error_description: "Missing redirect_uri parameter" })
+ });
// validates the redirect_uri parameter
// -------------------------------------------------------------
@@ -556,11 +616,28 @@ for(const FHIR_VERSION in TESTED_FHIR_SERVERS) {
return request(app)
.get(url.pathname)
.query({ ...fullQuery, redirect_uri: "x" })
- .expect(/^Invalid redirect_uri parameter/)
+ .expect({ error: "invalid_request", error_description: "Invalid redirect_uri parameter 'x' (must be full URL)" })
.expect(400);
});
- // simulated errors
+ it (`can simulate invalid_redirect_uri error`, () => {
+
+ const url = buildUrl({
+ fhir: FHIR_VERSION,
+ path: "/auth/authorize",
+ sim: {
+ auth_error: "auth_invalid_redirect_uri"
+ }
+ });
+
+ return request(app)
+ .get(url.pathname)
+ .query(fullQuery)
+ .expect(400)
+ .expect({error:"invalid_request",error_description:"Simulated invalid redirect_uri parameter error"})
+ });
+
+ // other simulated errors
// -------------------------------------------------------------
Object.keys(authErrors).forEach(errorName => {
it (`can simulate "${errorName}" error via sim`, () => {
@@ -577,15 +654,7 @@ for(const FHIR_VERSION in TESTED_FHIR_SERVERS) {
.get(url.pathname)
.query(fullQuery)
.expect(302)
- .expect(function(res) {
- const loc = res.get("location");
- if (!loc || loc.indexOf(`error=${authErrors[errorName]}`) == -1) {
- throw new Error(`No error passed to the redirect ${loc}`)
- }
- if (!loc || loc.indexOf("state=x") == -1) {
- throw new Error(`No state passed to the redirect ${loc}`)
- }
- });
+ .expect("location", authErrors[errorName])
});
it (`can simulate "${errorName}" error via launch param`, () => {
@@ -605,15 +674,16 @@ for(const FHIR_VERSION in TESTED_FHIR_SERVERS) {
.get(url.pathname)
.query(url.searchParams.toString())
.expect(302)
- .expect(function(res) {
- const loc = res.get("location");
- if (!loc || loc.indexOf(`error=${authErrors[errorName]}`) == -1) {
- throw new Error(`No error passed to the redirect ${loc}`)
- }
- if (!loc || loc.indexOf("state=x") == -1) {
- throw new Error(`No state passed to the redirect ${loc}`)
- }
- });
+ .expect("location", authErrors[errorName])
+ // .expect(function(res) {
+ // const loc = res.get("location");
+ // if (!loc || loc.indexOf(`error=${authErrors[errorName]}`) == -1) {
+ // throw new Error(`No error passed to the redirect ${loc}`)
+ // }
+ // if (!loc || loc.indexOf("state=x") == -1) {
+ // throw new Error(`No state passed to the redirect ${loc}`)
+ // }
+ // });
});
})
@@ -624,16 +694,7 @@ for(const FHIR_VERSION in TESTED_FHIR_SERVERS) {
.get(url.pathname)
.query({ ...fullQuery, aud: "whatever" })
.expect(302)
- .expect(function(res) {
- const loc = res.get("location");
- if (!loc) {
- throw new Error(`No redirect`)
- }
- let url = Url.parse(loc, true);
- if (url.query.error != "bad_audience") {
- throw new Error(`Wrong redirect ${loc}`)
- }
- });
+ .expect("location", /error_description=Bad\+audience\+value/)
});
// can show encounter picker
@@ -687,11 +748,136 @@ for(const FHIR_VERSION in TESTED_FHIR_SERVERS) {
launch: { launch_pt: 1 }
});
});
+
+ it ("shows patient picker if needed", () => {
+ const url = buildUrl({
+ fhir: FHIR_VERSION,
+ path: "/auth/authorize",
+ query: {
+ ...fullQuery,
+ scope: "launch",
+ aud: config.baseUrl + `/v/${FHIR_VERSION}/fhir`,
+ launch: {
+ launch_ehr: 1
+ }
+ }
+ });
+
+ return request(app)
+ .get(url.pathname)
+ .query(url.searchParams.toString())
+ .expect(302)
+ .expect("location", /\/picker\?/)
+ });
+
+ it ("shows patient picker if needed", () => {
+ const url = buildUrl({
+ fhir: FHIR_VERSION,
+ path: "/auth/authorize",
+ query: {
+ ...fullQuery,
+ scope: "launch",
+ aud: config.baseUrl + `/v/${FHIR_VERSION}/fhir`,
+ launch: {
+ launch_ehr: 1
+ }
+ }
+ });
+
+ return request(app)
+ .get(url.pathname)
+ .query(url.searchParams.toString())
+ .expect(302)
+ .expect("location", /\/picker\?/)
+ });
+
+ it ("shows patient picker if multiple patients are pre-selected", () => {
+ const url = buildUrl({
+ fhir: FHIR_VERSION,
+ path: "/auth/authorize",
+ query: {
+ ...fullQuery,
+ scope: "launch/patient",
+ aud: config.baseUrl + `/v/${FHIR_VERSION}/fhir`,
+ launch: {
+ launch_prov: 1
+ }
+ }
+ });
+
+ return request(app)
+ .get(url.pathname)
+ .query(url.searchParams.toString())
+ .expect(302)
+ .expect("location", /\/picker\?/)
+ });
+
+ it ("shows patient picker if needed in CDS launch", () => {
+ const url = buildUrl({
+ fhir: FHIR_VERSION,
+ path: "/auth/authorize",
+ query: {
+ ...fullQuery,
+ scope: "launch/patient",
+ aud: config.baseUrl + `/v/${FHIR_VERSION}/fhir`,
+ launch: {
+ launch_cds: 1
+ }
+ }
+ });
+
+ return request(app)
+ .get(url.pathname)
+ .query(url.searchParams.toString())
+ .expect(302)
+ .expect("location", /\/picker\?/)
+ });
+
+ it ("does not show patient picker if scopes do not require it", () => {
+ const url = buildUrl({
+ fhir: FHIR_VERSION,
+ path: "/auth/authorize",
+ query: {
+ ...fullQuery,
+ scope: "whatever",
+ aud: config.baseUrl + `/v/${FHIR_VERSION}/fhir`
+ }
+ });
+
+ return request(app)
+ .get(url.pathname)
+ .query(url.searchParams.toString())
+ .expect(res => expect(!res.header.location || !res.header.location.match(/\/picker\?/)).to.equal(true))
+ });
+
+ it ("shows provider login screen if needed", () => {
+ const url = buildUrl({
+ fhir: FHIR_VERSION,
+ path: "/auth/authorize",
+ query: {
+ ...fullQuery,
+ scope: "launch openid profile",
+ aud: config.baseUrl + `/v/${FHIR_VERSION}/fhir`,
+ launch: {
+ patient: "X",
+ encounter: "x",
+ launch_ehr: 1
+ }
+ }
+ });
+
+ return request(app)
+ .get(url.pathname)
+ .query(url.searchParams.toString())
+ .expect(302)
+ .expect("location", /\/login\?/)
+ });
+
})
describe('token', function() {
- it("can simulate sim_expired_refresh_token", async () => {
+ it("can simulate expired refresh tokens", async () => {
const { code } = await SMART.getAuthCode({
scope: "offline_access",
@@ -718,8 +904,8 @@ for(const FHIR_VERSION in TESTED_FHIR_SERVERS) {
.post(buildUrl({ fhir: FHIR_VERSION, path: "auth/token" }).pathname)
.type("form")
.send({ grant_type: "refresh_token", refresh_token: tokenResponse.refresh_token })
- .expect('Content-Type', /text/)
- .expect(401, config.errors.sim_expired_refresh_token);
+ .expect('Content-Type', /json/)
+ .expect(403, {error:"invalid_grant",error_description:"Expired refresh token"});
});
it("provides id_token", async () => {
@@ -785,7 +971,7 @@ for(const FHIR_VERSION in TESTED_FHIR_SERVERS) {
auth_error: "auth_invalid_client_secret",
refresh_token: token
})
- .expect("Simulated invalid client secret error")
+ .expect({error:"invalid_client",error_description:"Simulated invalid client secret error"})
.expect(401);
});
@@ -798,7 +984,7 @@ for(const FHIR_VERSION in TESTED_FHIR_SERVERS) {
grant_type: "refresh_token",
refresh_token: token
})
- .expect("The authorization header 'Basic' cannot be empty")
+ .expect({error:"invalid_request",error_description:"The authorization header 'Basic' cannot be empty"})
.expect(401);
});
@@ -811,11 +997,11 @@ for(const FHIR_VERSION in TESTED_FHIR_SERVERS) {
grant_type: "refresh_token",
refresh_token: token
})
- .expect(/^Bad authorization header/)
+ .expect({ error: "invalid_request", error_description:"Bad authorization header 'Basic bXktYXB': The decoded header must contain '{client_id}:{client_secret}'" })
.expect(401);
});
- it ("can simulate sim_invalid_token", () => {
+ it ("can simulate invalid token errors", () => {
return request(app)
.post(buildUrl({ fhir: FHIR_VERSION, path: "/auth/token" }).pathname)
.type('form')
@@ -824,7 +1010,7 @@ for(const FHIR_VERSION in TESTED_FHIR_SERVERS) {
grant_type: "authorization_code",
code: jwt.sign({ auth_error:"token_invalid_token" }, config.jwtSecret)
})
- .expect("Simulated invalid token error")
+ .expect({ error: "invalid_client", error_description: "Invalid token!" })
.expect(401);
});
})
@@ -844,6 +1030,41 @@ for(const FHIR_VERSION in TESTED_FHIR_SERVERS) {
})
})
+ it("requires authorization", async () => {
+ await request(app)
+ .post(buildUrl({ fhir: FHIR_VERSION, path: "auth/introspect" }).pathname)
+ .expect(401, "Authorization is required")
+ })
+
+ it("rejects invalid token", async () => {
+ await request(app)
+ .post(buildUrl({ fhir: FHIR_VERSION, path: "auth/introspect" }).pathname)
+ .set('Authorization', `Bearer invalidToken`)
+ .expect(401)
+ })
+
+ it("requires token in the payload", async () => {
+ const { code } = await SMART.getAuthCode({
+ scope: "offline_access",
+ launch: {
+ launch_pt : 1,
+ skip_login: 1,
+ skip_auth : 1,
+ patient : "abc",
+ encounter : "bcd",
+ }
+ });
+
+ const { access_token } = await SMART.getAccessToken(code);
+
+ await request(app)
+ .post(buildUrl({ fhir: FHIR_VERSION, path: "auth/introspect" }).pathname)
+ .set('Authorization', `Bearer ${access_token}`)
+ .set('Accept', 'application/json')
+ .set('Content-Type', 'application/x-www-form-urlencoded')
+ .expect(400, "No token provided")
+ })
+
it("can introspect an access token", async () => {
const { code } = await SMART.getAuthCode({
scope: "offline_access",
@@ -962,7 +1183,7 @@ for(const FHIR_VERSION in TESTED_FHIR_SERVERS) {
return request(app)
.post(buildUrl({ fhir: FHIR_VERSION, path: "/auth/register" }).pathname)
.send({})
- .expect(401, "Invalid request content-type header (must be 'application/x-www-form-urlencoded')")
+ .expect(400, { error: "invalid_request", error_description: "Invalid request content-type header (must be 'application/x-www-form-urlencoded')" })
});
it ("requires 'iss' parameter", () => {
@@ -970,7 +1191,7 @@ for(const FHIR_VERSION in TESTED_FHIR_SERVERS) {
.post(buildUrl({ fhir: FHIR_VERSION, path: "/auth/register" }).pathname)
.type("form")
.send({})
- .expect(400, "Missing iss parameter")
+ .expect(400, { error: "invalid_request", error_description: 'Missing parameter "iss"' })
});
it ("requires 'pub_key' parameter", () => {
@@ -978,7 +1199,7 @@ for(const FHIR_VERSION in TESTED_FHIR_SERVERS) {
.post(buildUrl({ fhir: FHIR_VERSION, path: "/auth/register" }).pathname)
.type("form")
.send({ iss: "whatever" })
- .expect(400, "Missing pub_key parameter")
+ .expect(400, { error: "invalid_request", error_description: 'Missing parameter "pub_key"' })
});
it ("validates the 'dur' parameter", () => {
@@ -988,7 +1209,7 @@ for(const FHIR_VERSION in TESTED_FHIR_SERVERS) {
.post(buildUrl({ fhir: FHIR_VERSION, path: "/auth/register" }).pathname)
.type("form")
.send({ iss: "whatever", pub_key: "abc", dur })
- .expect(400, "Invalid dur parameter");
+ .expect(400, { error: "invalid_request", error_description: 'Invalid parameter "dur"' });
})
)
});
diff --git a/test/unit.js b/test/unit.js
new file mode 100644
index 00000000..1a228e25
--- /dev/null
+++ b/test/unit.js
@@ -0,0 +1,55 @@
+// const request = require('supertest');
+// const jwt = require("jsonwebtoken");
+// const Url = require("url");
+// const jwkToPem = require("jwk-to-pem");
+// const crypto = require("crypto");
+const { expect } = require("chai");
+// const app = require("../src/index.js");
+// const config = require("../src/config");
+// const Codec = require("../static/codec.js");
+const Lib = require("../src/lib");
+
+
+
+it('whitelist throws if no match and no default value', () => {
+ expect(() => Lib.whitelist([1,2,3], 4)).to.throw(
+ 'The value "4" is not allowed. Must be one of 1, 2, 3.'
+ )
+})
+
+it('whitelist returns the default value if no match', () => {
+ expect(Lib.whitelist([1,2,3], 4, 5)).to.equal(5)
+})
+
+it('whitelist returns the value if match', () => {
+ expect(Lib.whitelist([1,2,3], 2)).to.equal(2)
+})
+
+it('assert formats messages', () => {
+ expect(() => Lib.assert(false, "a %s b %d c", 2, 3)).to.throw(/a 2 b 3 c/)
+})
+
+it('assert formats messages via function', () => {
+ expect(() => Lib.assert(() => { throw new Error("test-error") }, "a %s b")).to.throw(/a test-error b/)
+})
+
+it('assert.http works via function', () => {
+ expect(() => Lib.assert.http(() => { throw new Error("test-error") }, 403, "a %s b")).to.throw(Lib.HTTPError, "test-error")
+})
+
+it ('assert.fail works with Error', () => {
+ expect(() => Lib.assert.fail(new Error("test-error"))).to.throw("test-error")
+})
+
+it ('assert.fail works with HTTPError', () => {
+ expect(() => Lib.assert.fail(new Lib.HTTPError(405, "test-error"))).to.throw(Lib.HTTPError, "test-error")
+})
+
+it ('assert.fail works with OperationOutcome', () => {
+ expect(() => Lib.assert.fail({ type: "OperationOutcome", code: 404, msg: "test-error", error: "test" })).to.throw(/test-error/)
+})
+
+it ('assert.fail throws HTTPError by default', () => {
+ expect(() => Lib.assert.fail({ code: 404, msg: "test-error", error: "test" })).to.throw(Lib.HTTPError, "test-error")
+})
+