chore: updates Globus registration to better match refactor and uses alternate approach for scope/token discovery.

Author: jbottigliero

package.json

@@ -219,11 +219,17 @@
       "neuroglancer/datasource/dvid:disabled": "./src/util/false.ts",
       "default": "./src/datasource/dvid/register_credentials_provider.ts"
     },
+    "#datasource/globus/register_default": {
+      "neuroglancer/datasource/globus:enabled": "./src/datasource/globus/register_default.ts",
+      "neuroglancer/datasource:none_by_default": "./src/util/false.ts",
+      "neuroglancer/datasource/globus:disabled": "./src/util/false.ts",
+      "default": "./src/datasource/globus/register_default.ts"
+    },
     "#datasource/globus/register_credentials_provider": {
       "neuroglancer/python": "./src/util/false.ts",
       "neuroglancer/datasource/globus:enabled": "./src/datasource/globus/register_credentials_provider.ts",
       "neuroglancer/datasource:none_by_default": "./src/util/false.ts",
-      "neuroglancer/datasource/globus:disabled": "./src/datasource/globus/register_credentials_provider.ts",
+      "neuroglancer/datasource/globus:disabled": "./src/util/false.ts",
       "default": "./src/datasource/globus/register_credentials_provider.ts"
     },
     "#datasource/graphene/backend": {

src/datasource/enabled_frontend_modules.ts

@@ -6,6 +6,7 @@ import "#datasource/brainmaps/register_credentials_provider";
 import "#datasource/deepzoom/register_default";
 import "#datasource/dvid/register_default";
 import "#datasource/dvid/register_credentials_provider";
+import "#datasource/globus/register_default";
 import "#datasource/globus/register_credentials_provider";
 import "#datasource/graphene/register_default";
 import "#datasource/n5/register_default";

src/datasource/globus/credentials_provider.ts

@@ -4,7 +4,6 @@ import {
 } from "#src/credentials_provider/index.js";
 import type { OAuth2Credentials } from "#src/credentials_provider/oauth2.js";
 import { StatusMessage } from "#src/status.js";
-import { uncancelableToken } from "#src/util/cancellation.js";
 import { HttpError } from "#src/util/http_request.js";
 import {
   generateCodeChallenge,
@@ -17,17 +16,13 @@ const GLOBUS_AUTH_HOST = "https://auth.globus.org";
 const REDIRECT_URI = new URL("./globus_oauth2_redirect.html", import.meta.url)
   .href;
 
-function getRequiredScopes(endpoint: string) {
-  return `https://auth.globus.org/scopes/${endpoint}/https`;
-}
-
 function getGlobusAuthorizeURL({
-  endpoint,
+  scope,
   clientId,
   code_challenge,
   state,
 }: {
-  endpoint: string;
+  scope: string[];
   clientId: string;
   code_challenge: string;
   state: string;
@@ -39,7 +34,7 @@ function getGlobusAuthorizeURL({
   url.searchParams.set("code_challenge", code_challenge);
   url.searchParams.set("code_challenge_method", "S256");
   url.searchParams.set("state", state);
-  url.searchParams.set("scope", getRequiredScopes(endpoint));
+  url.searchParams.set("scope", scope.join(" "));
   return url.toString();
 }
 
@@ -84,7 +79,7 @@ function getStorage() {
 
 async function waitForAuth(
   clientId: string,
-  gcsHttpsHost: string,
+  globusConnectServerDomain: string,
 ): Promise<OAuth2Credentials> {
   const status = new StatusMessage(/*delay=*/ false, /*modal=*/ true);
 
@@ -97,44 +92,35 @@ async function waitForAuth(
 
     frag.appendChild(title);
 
-    let identifier = getStorage().domainMappings?.[gcsHttpsHost];
-
     const link = document.createElement("button");
     link.textContent = "Log in to Globus";
-    link.disabled = true;
-
-    if (!identifier) {
-      const label = document.createElement("label");
-      label.textContent = "Globus Collection UUID";
-      label.style.display = "block";
-      label.style.margin = ".5em 0";
-      frag.appendChild(label);
-      const endpoint = document.createElement("input");
-      endpoint.style.width = "100%";
-      endpoint.style.margin = ".5em 0";
-      endpoint.type = "text";
-      endpoint.placeholder = "a17d7fac-ce06-4ede-8318-ad8dc98edd69";
-      endpoint.addEventListener("input", async (e) => {
-        identifier = (e.target as HTMLInputElement).value;
-        link.disabled = !identifier;
-      });
-      frag.appendChild(endpoint);
-    } else {
-      link.disabled = false;
-    }
 
     link.addEventListener("click", async (event) => {
       event.preventDefault();
-      if (!identifier) {
-        status.setText("You must provide a Globus Collection UUID.");
-        return;
-      }
+      /**
+       * We make a request to the Globus Connect Server domain **even though we _know_ we're
+       * unauthorized** to get the required consents for the resource.
+       */
+      console.log(globusConnectServerDomain);
+      const authorizationIntrospectionRequest = await fetch(
+        globusConnectServerDomain,
+        {
+          method: "GET",
+          headers: {
+            "X-Requested-With": "XMLHttpRequest",
+          },
+        },
+      );
+
+      const { authorization_parameters } =
+        await authorizationIntrospectionRequest.json();
+
       const verifier = generateCodeVerifier();
       const state = getRandomHexString();
       const challenge = await generateCodeChallenge(verifier);
       const url = getGlobusAuthorizeURL({
         clientId,
-        endpoint: identifier,
+        scope: authorization_parameters.required_scopes,
         code_challenge: challenge,
         state,
       });
@@ -154,7 +140,6 @@ async function waitForAuth(
       const token = await waitForPKCEResponseMessage({
         source,
         state,
-        cancellationToken: uncancelableToken,
         tokenExchangeCallback: async (code) => {
           const response = await fetch(
             getGlobusTokenURL({ clientId, code, code_verifier: verifier }),
@@ -195,7 +180,7 @@ async function waitForAuth(
       };
       storage.domainMappings = {
         ...storage.domainMappings,
-        [gcsHttpsHost]: rawToken.resource_server,
+        [globusConnectServerDomain]: rawToken.resource_server,
       };
 
       localStorage.setItem("globus", JSON.stringify(storage));
@@ -215,30 +200,35 @@ async function waitForAuth(
 export class GlobusCredentialsProvider extends CredentialsProvider<OAuth2Credentials> {
   constructor(
     public clientId: string,
-    public gcsHttpsHost: string,
+    public assetUrl: URL,
   ) {
     super();
   }
   get = makeCredentialsGetter(async () => {
-    const resourceServer = getStorage().domainMappings?.[this.gcsHttpsHost];
+    const globusConnectServerDomain = this.assetUrl.origin;
+
+    const resourceServer =
+      getStorage().domainMappings?.[globusConnectServerDomain];
     const token = resourceServer
       ? getStorage().authorizations?.[resourceServer]
       : undefined;
+
     if (!token) {
-      return await waitForAuth(this.clientId, this.gcsHttpsHost);
+      return await waitForAuth(this.clientId, globusConnectServerDomain);
     }
-    const response = await fetch(`${this.gcsHttpsHost}`, {
+    const response = await fetch(this.assetUrl, {
       method: "HEAD",
       headers: {
         "X-Requested-With": "XMLHttpRequest",
         Authorization: `${token?.tokenType} ${token?.accessToken}`,
       },
     });
+
     switch (response.status) {
       case 200:
         return token;
       case 401:
-        return await waitForAuth(this.clientId, this.gcsHttpsHost);
+        return await waitForAuth(this.clientId, globusConnectServerDomain);
       default:
         throw HttpError.fromResponse(response);
     }

src/datasource/globus/register_credentials_provider.ts

@@ -1,4 +1,4 @@
-import { defaultCredentialsManager } from "#src/credentials_provider/default_manager.js";
+import { registerDefaultCredentialsProvider } from "#src/credentials_provider/default_manager.js";
 import { GlobusCredentialsProvider } from "#src/datasource/globus/credentials_provider.js";
 
 export declare const GLOBUS_CLIENT_ID: string | undefined;
@@ -8,7 +8,7 @@ export function isGlobusEnabled() {
 }
 
 if (typeof GLOBUS_CLIENT_ID !== "undefined") {
-  defaultCredentialsManager.register(
+  registerDefaultCredentialsProvider(
     "globus",
     (serverUrl) => new GlobusCredentialsProvider(GLOBUS_CLIENT_ID, serverUrl),
   );

src/datasource/globus/register_default.ts

@@ -0,0 +1,76 @@
+/**
+ * @license
+ * Copyright 2024 Google Inc.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import type {
+  CredentialsManager,
+  CredentialsProvider,
+} from "#src/credentials_provider/index.js";
+import type { OAuth2Credentials } from "#src/credentials_provider/oauth2.js";
+import { fetchOkWithOAuth2CredentialsAdapter } from "#src/credentials_provider/oauth2.js";
+import { isGlobusEnabled } from "#src/datasource/globus/register_credentials_provider.js";
+import type { BaseKvStoreProvider } from "#src/kvstore/context.js";
+import { HttpKvStore } from "#src/kvstore/http/index.js";
+import type { SharedKvStoreContextBase } from "#src/kvstore/register.js";
+import { frontendBackendIsomorphicKvStoreProviderRegistry } from "#src/kvstore/register.js";
+import { getBaseHttpUrlAndPath } from "#src/kvstore/url.js";
+
+function getGlobusCredentialsProvider(
+  credentialsManager: CredentialsManager,
+  url: string,
+): CredentialsProvider<OAuth2Credentials> {
+  return credentialsManager.getCredentialsProvider("globus", new URL(url));
+}
+
+const SCHEME_PREFIX = "globus+";
+
+function globusProvider(
+  scheme: string,
+  context: SharedKvStoreContextBase,
+): BaseKvStoreProvider {
+  return {
+    scheme: SCHEME_PREFIX + scheme,
+    description: `Globus Connect Server via ${scheme}`,
+    getKvStore(url) {
+      const httpUrl = url.url.substring(SCHEME_PREFIX.length);
+      const credentialsProvider = getGlobusCredentialsProvider(
+        context.credentialsManager,
+        httpUrl,
+      );
+      try {
+        const { baseUrl, path } = getBaseHttpUrlAndPath(httpUrl);
+        return {
+          store: new HttpKvStore(
+            context.chunkManager.memoize,
+            baseUrl,
+            SCHEME_PREFIX + baseUrl,
+            fetchOkWithOAuth2CredentialsAdapter(credentialsProvider),
+          ),
+          path,
+        };
+      } catch (e) {
+        throw new Error(`Invalid URL ${JSON.stringify(url.url)}`, {
+          cause: e,
+        });
+      }
+    },
+  };
+}
+
+if (isGlobusEnabled()) {
+  frontendBackendIsomorphicKvStoreProviderRegistry.registerBaseKvStoreProvider(
+    (context) => globusProvider("https", context),
+  );
+}

src/util/pkce.ts

@@ -1,5 +1,4 @@
 import type { OAuth2Credentials } from "#src/credentials_provider/oauth2.js";
-import { type CancellationToken, CANCELED } from "#src/util/cancellation.js";
 import { RefCounted } from "#src/util/disposable.js";
 import {
   verifyObject,
@@ -63,12 +62,10 @@ export async function generateCodeChallenge(verifier: string) {
 export async function waitForPKCEResponseMessage({
   source,
   state,
-  cancellationToken,
   tokenExchangeCallback,
 }: {
   source: Window;
   state: string;
-  cancellationToken: CancellationToken;
   /**
    * Callback to exchange the received code for OAuth2 credentials.
    * This will be called when a valid message (`code` and origin match) is received from the `source`.
@@ -78,7 +75,6 @@ export async function waitForPKCEResponseMessage({
   const context = new RefCounted();
   try {
     return await new Promise((resolve, reject) => {
-      context.registerDisposer(cancellationToken.add(() => reject(CANCELED)));
       context.registerEventListener(
         window,
         "message",