From 9c11ab3ddc93afc58ee9a8d1dd8df2b9079efd78 Mon Sep 17 00:00:00 2001 From: Brandon Wang Date: Thu, 15 Jan 2026 10:42:31 -0600 Subject: [PATCH 1/5] need to remove code_challenge from post endpoint --- package-lock.json | 17 ++++++++++++++++- package.json | 3 ++- src/auth.test.ts | 2 -- src/auth.ts | 22 ++-------------------- 4 files changed, 20 insertions(+), 24 deletions(-) diff --git a/package-lock.json b/package-lock.json index 5ec32aa..b29f5f4 100644 --- a/package-lock.json +++ b/package-lock.json @@ -14,7 +14,8 @@ "babel-jest": "^27.5.1", "cms-bluebutton-sdk": "^1.0.5", "moment": "^2.29.4", - "typedoc": "^0.23.0" + "typedoc": "^0.23.0", + "yarn": "^1.22.22" }, "devDependencies": { "@rollup/plugin-commonjs": "^28.0.3", @@ -7131,6 +7132,20 @@ "node": ">=10" } }, + "node_modules/yarn": { + "version": "1.22.22", + "resolved": "https://registry.npmjs.org/yarn/-/yarn-1.22.22.tgz", + "integrity": "sha512-prL3kGtyG7o9Z9Sv8IPfBNrWTDmXB4Qbes8A9rEzt6wkJV8mUvoirjU0Mp3GGAU06Y0XQyA3/2/RQFVuK7MTfg==", + "hasInstallScript": true, + "license": "BSD-2-Clause", + "bin": { + "yarn": "bin/yarn.js", + "yarnpkg": "bin/yarn.js" + }, + "engines": { + "node": ">=4.0.0" + } + }, "node_modules/yn": { "version": "3.1.1", "resolved": "https://registry.npmjs.org/yn/-/yn-3.1.1.tgz", diff --git a/package.json b/package.json index fe84b1b..0a66380 100644 --- a/package.json +++ b/package.json @@ -70,6 +70,7 @@ "babel-jest": "^27.5.1", "cms-bluebutton-sdk": "^1.0.5", "moment": "^2.29.4", - "typedoc": "^0.23.0" + "typedoc": "^0.23.0", + "yarn": "^1.22.22" } } diff --git a/src/auth.test.ts b/src/auth.test.ts index 7219928..d60fc0f 100644 --- a/src/auth.test.ts +++ b/src/auth.test.ts @@ -58,8 +58,6 @@ test("expect auth method generateTokenPostData() function", () => { client_id: "foo", client_secret: "bar", code: "test-code", - code_challenge: AuthData.codeChallenge, - code_verifier: AuthData.verifier, grant_type: "authorization_code", redirect_uri: "http://localhost/callback/", }; diff --git a/src/auth.ts b/src/auth.ts index a85cf10..836345d 100644 --- a/src/auth.ts +++ b/src/auth.ts @@ -39,11 +39,9 @@ function generateRandomState(): string { } /** - * Complex type holding PKCE verifier, code challenge, and state + * Complex type holding state */ export type AuthData = { - codeChallenge: string; - verifier: string; state: string; }; @@ -53,15 +51,11 @@ export type TokenPostData = { code?: string; grant_type: string; redirect_uri: string; - code_verifier: string; - code_challenge: string; }; export function generateAuthData(): AuthData { const PkceData = generatePkceData(); return { - codeChallenge: PkceData.codeChallenge, - verifier: PkceData.verifier, state: generateRandomState(), }; } @@ -74,11 +68,9 @@ export function generateAuthorizeUrl( bb: BlueButton, AuthData: AuthData ): string { - const pkceParams = `code_challenge_method=S256&code_challenge=${AuthData.codeChallenge}`; - return `${getAuthorizationUrl(bb)}?client_id=${bb.clientId}&redirect_uri=${ bb.callbackUrl - }&state=${AuthData.state}&response_type=code&${pkceParams}`; + }&state=${AuthData.state}&response_type=code`; } // Generates post data for call to access token URL @@ -93,8 +85,6 @@ export function generateTokenPostData( code: callbackCode, grant_type: "authorization_code", redirect_uri: bb.callbackUrl, - code_verifier: authData.verifier, - code_challenge: authData.codeChallenge, }; } @@ -112,14 +102,6 @@ function validateCallbackRequestQueryParams( if (!callbackCode) { throw new Error(Errors.CALLBACK_ACCESS_CODE_MISSING); } - - if (!callbackState) { - throw new Error(Errors.CALLBACK_STATE_MISSING); - } - - if (callbackState != authData.state) { - throw new Error(Errors.CALLBACK_STATE_DOES_NOT_MATCH); - } } export function getAccessTokenUrl(bb: BlueButton): string { From e45b5003a832be767e161b447337a6b734d411ae Mon Sep 17 00:00:00 2001 From: Brandon Wang Date: Fri, 16 Jan 2026 17:09:32 -0600 Subject: [PATCH 2/5] including v3 changes and updated local run info --- README-sdk-dev.md | 73 ++++++++++++++++++++++++++++++++++------------- src/auth.test.ts | 1 + src/auth.ts | 20 +++++++++++-- 3 files changed, 72 insertions(+), 22 deletions(-) diff --git a/README-sdk-dev.md b/README-sdk-dev.md index 69057ee..40da9ac 100644 --- a/README-sdk-dev.md +++ b/README-sdk-dev.md @@ -12,7 +12,6 @@ It is intended for BB2 team members or others performing SDK development work. npm recommends install node using nvm (node version manager), for install instruction, check out: https://github.com/nvm-sh/nvm - ``` check nvm version: nvm -v @@ -102,6 +101,7 @@ cd my_proj yarn init ... ``` + Setting npm config global settings will make subsequently created pacakge projects 'private'. Note that publishing package 'private' is a npm option that requires payment. @@ -110,31 +110,64 @@ Note that publishing package 'private' is a npm option that requires payment. 1. Consuming from npm registry: - ``` - mkdir my_proj - cd my_proj - yarn init - yarn add cms-bluebutton-sdk + ``` + mkdir my_proj + cd my_proj + yarn init + yarn add cms-bluebutton-sdk - continue adding other dependencies, e.g. express, ts-node, etc., ... + continue adding other dependencies, e.g. express, ts-node, etc., ... - yarn add express @types/express ts-node - yarn add - ``` + yarn add express @types/express ts-node + yarn add + ``` 2. Consuming from a local SDK repository (as a good test before publishing): - After built and generated typescript types (needed if to be consumed by typescript project), the sdk can be consumed by other projects as shown by below example: + After built and generated typescript types (needed if to be consumed by typescript project), the sdk can be consumed by other projects as shown by below example: + + ``` + mkdir my_proj + cd my_proj + yarn init + yarn add + + continue adding other dependencies, e.g. express, ts-node, etc., ... + + yarn add express @types/express ts-node + yarn add + ``` + +3. Consuming from the sample client + + This process should definitely be reworked for a better dev experience. Currently there are a lot of manual steps. + + Build the project using the instructions above: + + yarn build + yarn build:types + + The yarn build:types is to create the index.d.ts, which is used for type checking throughout the project. While during startup, it may not error out, there + can be issues during runtime. It is to ensure that the types of everything used in the project are consistent. + + Copy each file from the dist folder after the build. You will have: + + cms-bluebutton-sdk.cjs.js + cms-bluebutton-sdk.esm.js + cms-bluebutton-sdk.umd.js + index.d.ts + + The three files are used so that the sdk can be used in a variety of projects, such as a module or in a browser. + + In the sample-client, you will then create a folder within the server folder location. Name the folder something like node-sdk. + Copy the entire contents of the dist folder into the newly created node-sdk folder. + Put the .js files into a new dist folder within the node-sdk folder. - ``` - mkdir my_proj - cd my_proj - yarn init - yarn add + Back in this repo (cms-bb2-node-sdk) copy the package.json into the sample client's node-sdk folder. + This entire process is to allow the sdk to be locally referenced while inside the Docker container. Ideally, there would be a more elegant way to do this. - continue adding other dependencies, e.g. express, ts-node, etc., ... + Within the sample client in the server folder, there is another package.json (Note: NOT the one in node-sdk) This package.json will have - yarn add express @types/express ts-node - yarn add - ``` + "cms-bluebutton-sdk": "^{version}", + Replace the version with "file:node-sdk" to use the locally created node-sdk folder from previous steps. This will allow you to see changes to this repo. diff --git a/src/auth.test.ts b/src/auth.test.ts index d60fc0f..2eebdd8 100644 --- a/src/auth.test.ts +++ b/src/auth.test.ts @@ -58,6 +58,7 @@ test("expect auth method generateTokenPostData() function", () => { client_id: "foo", client_secret: "bar", code: "test-code", + code_verifier: AuthData.verifier, grant_type: "authorization_code", redirect_uri: "http://localhost/callback/", }; diff --git a/src/auth.ts b/src/auth.ts index 836345d..6caec62 100644 --- a/src/auth.ts +++ b/src/auth.ts @@ -39,9 +39,11 @@ function generateRandomState(): string { } /** - * Complex type holding state + * Complex type holding PKCE verifier, code challenge, and state */ export type AuthData = { + codeChallenge: string; + verifier: string; state: string; }; @@ -51,11 +53,14 @@ export type TokenPostData = { code?: string; grant_type: string; redirect_uri: string; + code_verifier: string; }; export function generateAuthData(): AuthData { const PkceData = generatePkceData(); return { + codeChallenge: PkceData.codeChallenge, + verifier: PkceData.verifier, state: generateRandomState(), }; } @@ -68,9 +73,11 @@ export function generateAuthorizeUrl( bb: BlueButton, AuthData: AuthData ): string { + const pkceParams = `code_challenge_method=S256&code_challenge=${AuthData.codeChallenge}`; + return `${getAuthorizationUrl(bb)}?client_id=${bb.clientId}&redirect_uri=${ bb.callbackUrl - }&state=${AuthData.state}&response_type=code`; + }&state=${AuthData.state}&response_type=code&${pkceParams}`; } // Generates post data for call to access token URL @@ -85,6 +92,7 @@ export function generateTokenPostData( code: callbackCode, grant_type: "authorization_code", redirect_uri: bb.callbackUrl, + code_verifier: authData.verifier, }; } @@ -102,6 +110,14 @@ function validateCallbackRequestQueryParams( if (!callbackCode) { throw new Error(Errors.CALLBACK_ACCESS_CODE_MISSING); } + + if (!callbackState) { + throw new Error(Errors.CALLBACK_STATE_MISSING); + } + + if (callbackState != authData.state) { + throw new Error(Errors.CALLBACK_STATE_DOES_NOT_MATCH); + } } export function getAccessTokenUrl(bb: BlueButton): string { From 5a41b65142c8904f806cede289ec72bf86f48e6a Mon Sep 17 00:00:00 2001 From: Brandon Wang Date: Wed, 21 Jan 2026 14:44:56 -0600 Subject: [PATCH 3/5] adding more info for local development --- README-sdk-dev.md | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/README-sdk-dev.md b/README-sdk-dev.md index 40da9ac..26237f7 100644 --- a/README-sdk-dev.md +++ b/README-sdk-dev.md @@ -144,8 +144,10 @@ Note that publishing package 'private' is a npm option that requires payment. Build the project using the instructions above: + ``` yarn build yarn build:types + ``` The yarn build:types is to create the index.d.ts, which is used for type checking throughout the project. While during startup, it may not error out, there can be issues during runtime. It is to ensure that the types of everything used in the project are consistent. @@ -162,10 +164,22 @@ Note that publishing package 'private' is a npm option that requires payment. In the sample-client, you will then create a folder within the server folder location. Name the folder something like node-sdk. Copy the entire contents of the dist folder into the newly created node-sdk folder. Put the .js files into a new dist folder within the node-sdk folder. - Back in this repo (cms-bb2-node-sdk) copy the package.json into the sample client's node-sdk folder. This entire process is to allow the sdk to be locally referenced while inside the Docker container. Ideally, there would be a more elegant way to do this. + The folder structure will look like this: + + ``` + server + └───node-sdk + │ │ index.d.ts + │ │ package.json (THIS IS THE ONE FROM THIS SDK REPO) + │ └───dist + │ │ cms-bluebutton-sdk.umd.js + │ │ ms-bluebutton-sdk.esm.js + │ │ cms-bluebutton-sdk.cjs.js + ``` + Within the sample client in the server folder, there is another package.json (Note: NOT the one in node-sdk) This package.json will have "cms-bluebutton-sdk": "^{version}", From 0c19361e16e664df033a8ef56cdad8b0f51066b8 Mon Sep 17 00:00:00 2001 From: bwang-icf Date: Wed, 21 Jan 2026 15:15:04 -0600 Subject: [PATCH 4/5] Update README-sdk-dev.md Co-authored-by: jimmyfagan <90421499+jimmyfagan@users.noreply.github.com> --- README-sdk-dev.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README-sdk-dev.md b/README-sdk-dev.md index 26237f7..9dac70f 100644 --- a/README-sdk-dev.md +++ b/README-sdk-dev.md @@ -142,7 +142,7 @@ Note that publishing package 'private' is a npm option that requires payment. This process should definitely be reworked for a better dev experience. Currently there are a lot of manual steps. - Build the project using the instructions above: + Build the project using the instructions below: ``` yarn build From 567c0baaeb8b585ae3e8950b801a34767511548e Mon Sep 17 00:00:00 2001 From: Brandon Wang Date: Thu, 22 Jan 2026 13:07:33 -0600 Subject: [PATCH 5/5] removing yarn --- package-lock.json | 17 +---------------- package.json | 3 +-- 2 files changed, 2 insertions(+), 18 deletions(-) diff --git a/package-lock.json b/package-lock.json index b29f5f4..5ec32aa 100644 --- a/package-lock.json +++ b/package-lock.json @@ -14,8 +14,7 @@ "babel-jest": "^27.5.1", "cms-bluebutton-sdk": "^1.0.5", "moment": "^2.29.4", - "typedoc": "^0.23.0", - "yarn": "^1.22.22" + "typedoc": "^0.23.0" }, "devDependencies": { "@rollup/plugin-commonjs": "^28.0.3", @@ -7132,20 +7131,6 @@ "node": ">=10" } }, - "node_modules/yarn": { - "version": "1.22.22", - "resolved": "https://registry.npmjs.org/yarn/-/yarn-1.22.22.tgz", - "integrity": "sha512-prL3kGtyG7o9Z9Sv8IPfBNrWTDmXB4Qbes8A9rEzt6wkJV8mUvoirjU0Mp3GGAU06Y0XQyA3/2/RQFVuK7MTfg==", - "hasInstallScript": true, - "license": "BSD-2-Clause", - "bin": { - "yarn": "bin/yarn.js", - "yarnpkg": "bin/yarn.js" - }, - "engines": { - "node": ">=4.0.0" - } - }, "node_modules/yn": { "version": "3.1.1", "resolved": "https://registry.npmjs.org/yn/-/yn-3.1.1.tgz", diff --git a/package.json b/package.json index 0a66380..fe84b1b 100644 --- a/package.json +++ b/package.json @@ -70,7 +70,6 @@ "babel-jest": "^27.5.1", "cms-bluebutton-sdk": "^1.0.5", "moment": "^2.29.4", - "typedoc": "^0.23.0", - "yarn": "^1.22.22" + "typedoc": "^0.23.0" } }