Add a hideToken option to avoid sending the token via querystring

+ Company security scanning does not allow sending tokens via GET anymore + Sending the token via the request header does not work because map services do not allow the preflight request
Esri · Oct 11, 2023 · dc48f3c · dc48f3c
1 parent adf006c
commit dc48f3c
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 4 deletions.
diff --git a/spec/RequestSpec.js b/spec/RequestSpec.js
@@ -48,6 +48,38 @@ describe('L.esri request helpers', function () {
     requests[0].respond(200, { 'Content-Type': 'text/plain; charset=utf-8' }, JSON.stringify(sampleResponse));
   });
 
+  it('should not switch from a GET request if hideToken option is on, but no token is present', function (done) {
+    L.esri.get.CORS('http://services.arcgisonline.com/ArcGIS/rest/info', {}, function (error, response) {
+      expect(this.foo).to.equal('bar');
+      expect(response).to.deep.equal(sampleResponse);
+      done();
+    }, {
+      foo: 'bar',
+      options: { hideToken: true }
+    });
+
+    expect(requests[0].url).to.equal('http://services.arcgisonline.com/ArcGIS/rest/info?f=json');
+    expect(requests[0].method).to.equal('GET');
+    requests[0].respond(200, { 'Content-Type': 'text/plain; charset=utf-8' }, JSON.stringify(sampleResponse));
+  });
+
+  it('should be able to switch from a GET request to POST if token is present and hideToken option is on', function (done) {
+    L.esri.get.CORS('http://services.arcgisonline.com/ArcGIS/rest/info', { token: 'foo' }, function (error, response) {
+      expect(this.foo).to.equal('bar');
+      expect(response).to.deep.equal(sampleResponse);
+      done();
+    }, {
+      foo: 'bar',
+      options: { hideToken: true }
+    });
+
+    expect(requests[0].url).to.equal('http://services.arcgisonline.com/ArcGIS/rest/info');
+    expect(requests[0].method).to.equal('POST');
+    expect(requests[0].requestBody).to.contain('f=json');
+    expect(requests[0].requestBody).to.contain('token=foo');
+    requests[0].respond(200, { 'Content-Type': 'text/plain; charset=utf-8' }, JSON.stringify(sampleResponse));
+  });
+
   it('should be able to make a GET request with CORS and credentials', function (done) {
     L.esri.get.CORS('http://services.arcgisonline.com/ArcGIS/rest/info', {}, function (error, response) {
       expect(this.foo).to.equal('bar');
@@ -119,6 +151,19 @@ describe('L.esri request helpers', function () {
 
     expect(requests[0].url).to.contain('token=foo');
     expect(requests[0].withCredentials).to.equal(false);
+    expect(requests[0].method).to.be.equal('GET');
+    requests[0].respond(200, { 'Content-Type': 'text/plain; charset=utf-8' }, JSON.stringify(sampleResponse));
+  });
+
+  it('should make a POST request with a token if hideToken option is on', function (done) {
+    L.esri.request('http://services.arcgisonline.com/ArcGIS/rest/info', { token: 'foo' }, function (error, response) {
+      expect(response).to.deep.equal(sampleResponse);
+      done();
+    }, { options: { hideToken: true } });
+
+    expect(requests[0].requestBody).to.contain('token=foo');
+    expect(requests[0].withCredentials).to.equal(false);
+    expect(requests[0].method).to.be.equal('POST');
     requests[0].respond(200, { 'Content-Type': 'text/plain; charset=utf-8' }, JSON.stringify(sampleResponse));
   });
 

diff --git a/src/Request.js b/src/Request.js
@@ -98,6 +98,10 @@ function xmlHttpPost (url, params, callback, context) {
 }
 
 function xmlHttpGet (url, params, callback, context) {
+  if (hideTokenNeeded(params, context)) {
+    return xmlHttpPost(url, params, callback, context);
+  }
+
   var httpRequest = createRequest(callback, context);
   httpRequest.open('GET', url + '?' + serialize(params), true);
 
@@ -114,16 +118,20 @@ function xmlHttpGet (url, params, callback, context) {
   return httpRequest;
 }
 
+function hideTokenNeeded (params, context) {
+  return context?.options?.hideToken && params?.token;
+}
+
 // AJAX handlers for CORS (modern browsers) or JSONP (older browsers)
 export function request (url, params, callback, context) {
   var paramString = serialize(params);
   var httpRequest = createRequest(callback, context);
   var requestLength = (url + '?' + paramString).length;
 
   // ie10/11 require the request be opened before a timeout is applied
-  if (requestLength <= 2000 && Support.cors) {
+  if (requestLength <= 2000 && Support.cors && !hideTokenNeeded(params, context)) {
     httpRequest.open('GET', url + '?' + paramString);
-  } else if (requestLength > 2000 && Support.cors) {
+  } else if ((requestLength > 2000 || hideTokenNeeded(params, context)) && Support.cors) {
     httpRequest.open('POST', url);
     httpRequest.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=UTF-8');
   }
@@ -138,11 +146,11 @@ export function request (url, params, callback, context) {
   }
 
   // request is less than 2000 characters and the browser supports CORS, make GET request with XMLHttpRequest
-  if (requestLength <= 2000 && Support.cors) {
+  if (requestLength <= 2000 && Support.cors && !hideTokenNeeded(params, context)) {
     httpRequest.send(null);
 
   // request is more than 2000 characters and the browser supports CORS, make POST request with XMLHttpRequest
-  } else if (requestLength > 2000 && Support.cors) {
+  } else if ((requestLength > 2000 || hideTokenNeeded(params, context)) && Support.cors) {
     httpRequest.send(paramString);
 
   // request is less  than 2000 characters and the browser does not support CORS, make a JSONP request