Merge branch 'dspace-cris-2023_02_x' into ux-plus-2023_02_x

# Conflicts:
#	src/app/item-page/mirador-viewer/mirador-viewer.component.spec.ts
#	src/app/item-page/mirador-viewer/mirador-viewer.component.ts

Author: atarix83

server.ts

@@ -65,6 +65,8 @@ const DIST_FOLDER = join(process.cwd(), 'dist/browser');
 // Set path fir IIIF viewer.
 const IIIF_VIEWER = join(process.cwd(), 'dist/iiif');
 
+const miradorHtml = join(IIIF_VIEWER, '/mirador/index.html');
+
 const indexHtml = join(DIST_FOLDER, 'index.html');
 
 const cookieParser = require('cookie-parser');
@@ -86,8 +88,10 @@ const _window = domino.createWindow(indexHtml);
 // The REST server base URL
 const REST_BASE_URL = environment.rest.ssrBaseUrl || environment.rest.baseUrl;
 
+const IIIF_ALLOWED_ORIGINS = environment.rest.allowedOrigins || [];
+
 // Assign the DOM window and document objects to the global object
-(_window as any).screen = {deviceXDPI: 0, logicalXDPI: 0};
+(_window as any).screen = { deviceXDPI: 0, logicalXDPI: 0 };
 (global as any).window = _window;
 (global as any).document = _window.document;
 (global as any).navigator = _window.navigator;
@@ -231,6 +235,35 @@ export function app() {
   */
   router.use('/iiif', express.static(IIIF_VIEWER, { index: false }));
 
+  /*
+  * Adapt headers to allow embedding of IIIF viewer in authorized pages
+  */
+  server.get('/iiif/mirador/index.html', (req, res) => {
+    const referer = req.headers.referer;
+
+    if (referer && !referer.startsWith('/')) {
+      try {
+        const origin =  new URL(referer).origin;
+        if (IIIF_ALLOWED_ORIGINS.includes(origin)) {
+          console.info('Found allowed origin, setting headers for IIIF viewer');
+          // CORS header
+          res.setHeader('Access-Control-Allow-Origin', origin);
+          // CSP for iframe embedding
+          res.setHeader('Content-Security-Policy', `frame-ancestors ${origin};`);
+          console.info('Headers have been set ', res.getHeader('Access-Control-Allow-Origin'), res.getHeader('Content-Security-Policy'));
+        }
+      } catch (error) {
+        console.error('An error occurred setting security headers in response:', error.message);
+      }
+    }
+
+    res.sendFile(miradorHtml, (err) => {
+      if (err) {
+        res.status(500).send('Internal Server Error');
+      }
+    });
+  });
+
   /**
    * Checking server status
    */
@@ -286,6 +319,11 @@ function serverSideRender(req, res, sendToUser: boolean = true) {
     originUrl: environment.ui.baseUrl,
     requestUrl: req.originalUrl,
   }, (err, data) => {
+
+    if (res.writableEnded || res.headersSent || res.finished) {
+      return;
+    }
+
     if (hasNoValue(err) && hasValue(data)) {
       // Replace REST URL with UI URL
         if (environment.universal.replaceRestUrl && REST_BASE_URL !== environment.rest.baseUrl) {
@@ -644,10 +682,10 @@ function start() {
  * The callback function to serve client health check requests
  */
 function clientHealthCheck(req, res) {
-    const isServerHealthy = true;
-    if (isServerHealthy) {
-      res.status(200).json({ status: 'UP' });
-    }
+  const isServerHealthy = true;
+  if (isServerHealthy) {
+    res.status(200).json({ status: 'UP' });
+  }
 }
 
 /*
@@ -665,6 +703,8 @@ function healthCheck(req, res) {
       });
     });
 }
+
+
 // Webpack will replace 'require' with '__webpack_require__'
 // '__non_webpack_require__' is a proxy to Node 'require'
 // The below code is to ensure that the server is run only when not requiring the bundle.

src/app/bitstream-page/bitstream-download-redirect.guard.spec.ts

@@ -162,8 +162,8 @@ describe('BitstreamDownloadRedirectGuard', () => {
       it('should redirect to the content link', waitForAsync(() => {
         TestBed.runInInjectionContext(() => {
           resolver(route, state).subscribe(() => {
-              expect(hardRedirectService.redirect).toHaveBeenCalledWith('bitstream-content-link');
-            }
+            expect(hardRedirectService.redirect).toHaveBeenCalledWith('bitstream-content-link', null, true);
+          },
           );
         });
       }));
@@ -176,7 +176,7 @@ describe('BitstreamDownloadRedirectGuard', () => {
       it('should redirect to an updated content link', waitForAsync(() => {
         TestBed.runInInjectionContext(() => {
           resolver(route, state).subscribe(() => {
-            expect(hardRedirectService.redirect).toHaveBeenCalledWith('content-url-with-headers');
+            expect(hardRedirectService.redirect).toHaveBeenCalledWith('content-url-with-headers', null, true);
           });
         });
       }));

src/app/bitstream-page/bitstream-download-redirect.guard.ts

@@ -35,6 +35,7 @@ export const bitstreamDownloadRedirectGuard: CanActivateFn = (
 ): Observable<UrlTree | boolean> => {
 
   const bitstreamId = route.params.id;
+  const accessToken: string = route.queryParams.accessToken;
 
   return bitstreamDataService.findById(bitstreamId, true, false, ...BITSTREAM_PAGE_LINKS_TO_FOLLOW).pipe(
     getFirstCompletedRemoteData(),
@@ -65,16 +66,23 @@ export const bitstreamDownloadRedirectGuard: CanActivateFn = (
     }),
     map(([isAuthorized, isLoggedIn, bitstream, fileLink]: [boolean, boolean, Bitstream, string]) => {
       if (isAuthorized && isLoggedIn && isNotEmpty(fileLink)) {
-        hardRedirectService.redirect(fileLink);
+        hardRedirectService.redirect(fileLink, null, true);
         return false;
-      } else if (isAuthorized && !isLoggedIn) {
-        hardRedirectService.redirect(bitstream._links.content.href);
+      } else if (isAuthorized && !isLoggedIn && !hasValue(accessToken)) {
+        hardRedirectService.redirect(bitstream._links.content.href, null, true);
         return false;
-      } else if (!isAuthorized && isLoggedIn) {
-        return router.createUrlTree([getForbiddenRoute()]);
-      } else if (!isAuthorized && !isLoggedIn) {
-        auth.setRedirectUrl(router.url);
-        return router.createUrlTree(['login']);
+      } else if (!isAuthorized) {
+        // Either we have an access token, or we are logged in, or we are not logged in.
+        // For now, the access token does not care if we are logged in or not.
+        if (hasValue(accessToken)) {
+          hardRedirectService.redirect(bitstream._links.content.href + '?accessToken=' + accessToken, null, true);
+          return false;
+        } else if (isLoggedIn) {
+          return router.createUrlTree([getForbiddenRoute()]);
+        } else if (!isLoggedIn) {
+          auth.setRedirectUrl(router.url);
+          return router.createUrlTree(['login']);
+        }
       }
     })
   );

src/app/core/auth/server-auth-request.service.ts

@@ -17,6 +17,7 @@ import {
 import { map } from 'rxjs/operators';
 import { Observable } from 'rxjs';
 import { XSRFService } from '../xsrf/xsrf.service';
+import { RESTURLCombiner } from '../url-combiner/rest-url-combiner';
 
 /**
  * Server side version of the service to send authentication requests
@@ -41,8 +42,8 @@ export class ServerAuthRequestService extends AuthRequestService {
    * @protected
    */
   protected createShortLivedTokenRequest(href: string): Observable<PostRequest> {
-    // First do a call to the root endpoint in order to get an XSRF token
-    return this.httpClient.get(this.halService.getRootHref(), { observe: 'response' }).pipe(
+    // First do a call to the csrf endpoint in order to get an XSRF token
+    return this.httpClient.get(new RESTURLCombiner('/security/csrf').toString(), { observe: 'response' }).pipe(
       // retrieve the XSRF token from the response header
       map((response: HttpResponse<any>) => response.headers.get(XSRF_RESPONSE_HEADER)),
       map((xsrfToken: string) => {

src/app/core/data/bitstream-data.service.ts

@@ -174,7 +174,7 @@ export class BitstreamDataService extends IdentifiableDataService<Bitstream> imp
     const searchParams = [];
     searchParams.push(new RequestParam('handle', handle));
     if (hasValue(sequenceId)) {
-      searchParams.push(new RequestParam('sequenceId', sequenceId));
+      searchParams.push(new RequestParam('sequence', sequenceId));
     }
     if (hasValue(filename)) {
       searchParams.push(new RequestParam('filename', filename));

src/app/core/data/feature-authorization/feature-id.ts

@@ -39,4 +39,5 @@ export enum FeatureID {
   EPersonForgotPassword = 'epersonForgotPassword',
   ShowClaimItem = 'showClaimItem',
   CanCorrectItem = 'canCorrectItem',
+  CanViewInWorkflowSinceStatistics = 'canViewInWorkflowSinceStatistics',
 }

src/app/core/services/hard-redirect.service.ts

@@ -13,8 +13,10 @@ export abstract class HardRedirectService {
    *    the page to redirect to
    * @param statusCode
    *    optional HTTP status code to use for redirect (default = 302, which is a temporary redirect)
+   * @param shouldSetCorsHeader
+   *    optional to prevent CORS error on redirect
    */
-  abstract redirect(url: string, statusCode?: number);
+  abstract redirect(url: string, statusCode?: number, shouldSetCorsHeader?: boolean);
 
   /**
    * Get the current route, with query params included

src/app/core/services/server-hard-redirect.service.spec.ts

@@ -8,11 +8,16 @@ describe('ServerHardRedirectService', () => {
   const mockRequest = jasmine.createSpyObj(['get']);
   const mockResponse = jasmine.createSpyObj(['redirect', 'end']);
 
-  let service: ServerHardRedirectService = new ServerHardRedirectService(environment, mockRequest, mockResponse);
+  const serverResponseService = jasmine.createSpyObj('ServerResponseService', {
+    setHeader: jasmine.createSpy('setHeader'),
+  });
+
+  let service: ServerHardRedirectService = new ServerHardRedirectService(environment, mockRequest, mockResponse, serverResponseService);
   const origin = 'https://test-host.com:4000';
 
   beforeEach(() => {
     mockRequest.protocol = 'https';
+    mockRequest.path = '/bitstreams/test-uuid/download';
     mockRequest.headers = {
       host: 'test-host.com:4000',
     };
@@ -76,7 +81,7 @@ describe('ServerHardRedirectService', () => {
       ssrBaseUrl: 'https://private-url:4000/server',
       baseUrl: 'https://public-url/server',
     } } };
-    service = new ServerHardRedirectService(environmentWithSSRUrl, mockRequest, mockResponse);
+    service = new ServerHardRedirectService(environmentWithSSRUrl, mockRequest, mockResponse, serverResponseService);
 
     beforeEach(() => {
       service.redirect(redirect);
@@ -88,4 +93,21 @@ describe('ServerHardRedirectService', () => {
     });
   });
 
+  describe('Should add cors header on download path', () => {
+    const redirect = 'https://private-url:4000/server/api/bitstreams/uuid';
+    const environmentWithSSRUrl: any = { ...environment, ...{ ...environment.rest, rest: {
+      ssrBaseUrl: 'https://private-url:4000/server',
+      baseUrl: 'https://public-url/server',
+    } } };
+    service = new ServerHardRedirectService(environmentWithSSRUrl, mockRequest, mockResponse, serverResponseService);
+
+    beforeEach(() => {
+      service.redirect(redirect, null, true);
+    });
+
+    it('should set header', () => {
+      expect(serverResponseService.setHeader).toHaveBeenCalled();
+    });
+  });
+
 });

src/app/core/services/server-hard-redirect.service.ts

@@ -4,6 +4,7 @@ import { REQUEST, RESPONSE } from '@nguniversal/express-engine/tokens';
 import { HardRedirectService } from './hard-redirect.service';
 import { APP_CONFIG, AppConfig } from '../../../config/app-config.interface';
 import { isNotEmpty } from '../../shared/empty.util';
+import { ServerResponseService } from './server-response.service';
 
 /**
  * Service for performing hard redirects within the server app module
@@ -15,6 +16,7 @@ export class ServerHardRedirectService extends HardRedirectService {
     @Inject(APP_CONFIG) protected appConfig: AppConfig,
     @Inject(REQUEST) protected req: Request,
     @Inject(RESPONSE) protected res: Response,
+    private responseService: ServerResponseService,
   ) {
     super();
   }
@@ -26,8 +28,9 @@ export class ServerHardRedirectService extends HardRedirectService {
    *    the page to redirect to
    * @param statusCode
    *    optional HTTP status code to use for redirect (default = 302, which is a temporary redirect)
+   * @param shouldSetCorsHeader
    */
-  redirect(url: string, statusCode?: number) {
+  redirect(url: string, statusCode?: number, shouldSetCorsHeader?: boolean) {
     if (url === this.req.url) {
       return;
     }
@@ -57,6 +60,10 @@ export class ServerHardRedirectService extends HardRedirectService {
         status = 302;
       }
 
+      if (shouldSetCorsHeader) {
+        this.setCorsHeader();
+      }
+
       console.info(`Redirecting from ${this.req.url} to ${redirectUrl} with ${status}`);
 
       this.res.redirect(status, redirectUrl);
@@ -83,4 +90,12 @@ export class ServerHardRedirectService extends HardRedirectService {
   getCurrentOrigin(): string {
     return this.req.protocol + '://' + this.req.headers.host;
   }
+
+  /**
+   * Set CORS header to allow embedding of redirected content.
+   * The actual security header will be set by the rest
+   */
+  setCorsHeader() {
+    this.responseService.setHeader('Access-Control-Allow-Origin', '*');
+  }
 }

src/app/item-page/mirador-viewer/mirador-viewer.component.html

@@ -1,4 +1,6 @@
 <p class="full-text-op">{{'iiifviewer.fullscreen.notice' | translate}}</p>
 <p *ngIf="!isViewerAvailable" id="viewer-message">{{viewerMessage}}</p>
-<iframe title="Mirador Viewer" allowtransparency="true" *ngIf="isViewerAvailable" [src]="iframeViewerUrl | async" id="mirador-viewer"></iframe>
+<ng-container *ngVar="(iframeViewerUrl | async) as iframeUrl">
+  <iframe title="Mirador Viewer" allowtransparency="true" *ngIf="isViewerAvailable && iframeUrl" [src]="(iframeUrl) | dsSafeUrl" id="mirador-viewer"></iframe>
+</ng-container>