feat: integrate no-cors into request fn

dbouwman · dbouwman · commit f828babcff77 · 2025-07-18T08:08:59.000-06:00
diff --git a/packages/arcgis-rest-request/src/request.ts b/packages/arcgis-rest-request/src/request.ts
@@ -9,11 +9,18 @@ import {
   IRequestOptions,
   InternalRequestOptions
 } from "./utils/IRequestOptions.js";
+import {
+  isNoCorsDomain,
+  isNoCorsRequestRequired,
+  registerNoCorsDomains,
+  sendNoCorsRequest
+} from "./utils/sendNoCorsRequest.js";
 import { IParams } from "./utils/IParams.js";
 import { warn } from "./utils/warn.js";
 import { IRetryAuthError } from "./utils/retryAuthError.js";
 import { getFetch } from "@esri/arcgis-rest-fetch";
 import { IAuthenticationManager } from "./index.js";
+import { isSameOrigin } from "./utils/isSameOrigin.js";
 
 export const NODEJS_DEFAULT_REFERER_HEADER = `@esri/arcgis-rest-js`;
 
@@ -250,6 +257,11 @@ export function internalRequest(
     credentials: options.credentials || "same-origin"
   };
 
+  // Is this a no-cors domain? if so we need to set credentials to include
+  if (isNoCorsDomain(url)) {
+    fetchOptions.credentials = "include";
+  }
+
   // the /oauth2/platformSelf route will add X-Esri-Auth-Client-Id header
   // and that request needs to send cookies cross domain
   // so we need to set the credentials to "include"
@@ -296,26 +308,55 @@ export function internalRequest(
   // query params are applied.
   const originalUrl = url;
 
-  return (
-    authentication
-      ? authentication.getToken(url).catch((err) => {
-          /**
-           * append original request url and requestOptions
-           * to the error thrown by getToken()
-           * to assist with retrying
-           */
-          err.url = url;
-          err.options = options;
-          /**
-           * if an attempt is made to talk to an unfederated server
-           * first try the request anonymously. if a 'token required'
-           * error is thrown, throw the UNFEDERATED error then.
-           */
-          originalAuthError = err;
-          return Promise.resolve("");
-        })
-      : Promise.resolve("")
-  )
+  // default to false, for nodejs
+  let sameOrigin = false;
+  // if we are in a browser, check if the url is same origin
+  /* istanbul ignore else */
+  if (typeof window !== "undefined") {
+    sameOrigin = isSameOrigin(url);
+  }
+  const requiresNoCors = !sameOrigin && isNoCorsRequestRequired(url);
+
+  // the /oauth2/platformSelf route will add X-Esri-Auth-Client-Id header
+  // and that request needs to send cookies cross domain
+  // so we need to set the credentials to "include"
+  if (
+    options.headers &&
+    options.headers["X-Esri-Auth-Client-Id"] &&
+    url.indexOf("/oauth2/platformSelf") > -1
+  ) {
+    fetchOptions.credentials = "include";
+  }
+
+  // Simple first promise that we may turn into the no-cors request
+  let firstPromise = Promise.resolve();
+  if (requiresNoCors) {
+    // ensure we send cookies on the request after
+    fetchOptions.credentials = "include";
+    firstPromise = sendNoCorsRequest(url);
+  }
+
+  return firstPromise
+    .then(() =>
+      authentication
+        ? authentication.getToken(url).catch((err) => {
+            /**
+             * append original request url and requestOptions
+             * to the error thrown by getToken()
+             * to assist with retrying
+             */
+            err.url = url;
+            err.options = options;
+            /**
+             * if an attempt is made to talk to an unfederated server
+             * first try the request anonymously. if a 'token required'
+             * error is thrown, throw the UNFEDERATED error then.
+             */
+            originalAuthError = err;
+            return Promise.resolve("");
+          })
+        : Promise.resolve("")
+    )
     .then((token) => {
       if (token.length) {
         params.token = token;
@@ -350,7 +391,8 @@ export function internalRequest(
 
         if (
           // This would exceed the maximum length for URLs by 2000 as default or as specified by the consumer and requires POST
-          (options.maxUrlLength && urlWithQueryString.length > options.maxUrlLength) ||
+          (options.maxUrlLength &&
+            urlWithQueryString.length > options.maxUrlLength) ||
           (!options.maxUrlLength && urlWithQueryString.length > 2000) ||
           // Or if the customer requires the token to be hidden and it has not already been hidden in the header (for browsers)
           (params.token && options.hideToken)
@@ -484,6 +526,15 @@ export function internalRequest(
           originalAuthError
         );
 
+        // If this was a portal/self call, and we got authorizedNoCorsDomains back
+        // register them
+        if (data && /\/sharing\/rest\/(accounts|portals)\/self/i.test(url)) {
+          // if we have a list of no-cors domains, register them
+          if (Array.isArray(data.authorizedCrossOriginNoCorsDomains)) {
+            registerNoCorsDomains(data.authorizedCrossOriginNoCorsDomains);
+          }
+        }
+
         if (originalAuthError) {
           /* If the request was made to an unfederated service that
           didn't require authentication, add the base url and a dummy token
diff --git a/packages/arcgis-rest-request/test/request.test.ts b/packages/arcgis-rest-request/test/request.test.ts
@@ -24,6 +24,7 @@ import {
   FIVE_DAYS_FROM_NOW,
   isNode
 } from "../../../scripts/test-helpers.js";
+import { requestConfig } from "../src/requestConfig.js";
 
 describe("request()", () => {
   afterEach(() => {
@@ -830,4 +831,114 @@ describe("request()", () => {
         fail(e);
       });
   });
+
+  describe("no-cors:", () => {
+    beforeEach(() => {
+      // Reset requestConfig before each test
+      requestConfig.pendingNoCorsRequests = {};
+      requestConfig.noCorsDomains = [];
+      requestConfig.crossOriginNoCorsDomains = {};
+    });
+
+    it("should send no-cors request as first promise when needed", (done) => {
+      requestConfig.noCorsDomains = ["https://example.com"];
+      const url = "https://example.com/resource?foo=bar";
+      // actual call
+      fetchMock.post(url, SharingRestInfo);
+      // no-cors request
+      fetchMock.get("https://example.com/resource", { status: 200 });
+
+      request(url)
+        .then(() => {
+          let calls = fetchMock.calls("https://example.com/resource");
+          expect(calls.length).toBe(1);
+
+          // expect the first call to be a no-cors request
+          const [firstUrl, firstOptions] = calls[0];
+          expect(firstUrl).toBe("https://example.com/resource");
+
+          expect(firstOptions.mode).toEqual("no-cors");
+          expect(firstOptions.credentials).toEqual("include");
+
+          // expect the second call to be a normal request
+          calls = fetchMock.calls("https://example.com/resource?foo=bar");
+          expect(calls.length).toBe(1);
+          const [secondUrl, secondOptions] = calls[0];
+          expect(secondUrl).toBe("https://example.com/resource?foo=bar");
+          expect(secondOptions.method).toEqual("POST");
+          expect(secondOptions.credentials).toEqual("include");
+
+          done();
+        })
+        .catch((e) => {
+          fail(e);
+        });
+    });
+
+    it("should skip no-cors request and and include credentials if already sent", (done) => {
+      requestConfig.noCorsDomains = ["https://example.com"];
+      requestConfig.crossOriginNoCorsDomains["https://example.com"] =
+        Date.now();
+      const url = "https://example.com/resource";
+      fetchMock.once(url, SharingRestInfo);
+      // fetchMock.postOnce(url, { status: 200 });
+      request(url)
+        .then(() => {
+          const [lastUrl, lastOptions] = fetchMock.lastCall()!;
+          expect(lastUrl).toBe("https://example.com/resource");
+          expect(lastOptions.credentials).toEqual("include");
+          done();
+        })
+        .catch((e) => {
+          fail(e);
+        });
+    });
+
+    it("should register no-cors domains if present on portal/self response", (done) => {
+      const url =
+        "https://ent.portal.com/portal/sharing/rest/portals/self?f=json";
+      fetchMock.post(url, {
+        authorizedCrossOriginNoCorsDomains: [
+          "https://server.portal.com",
+          "https://ent.portal.com"
+        ]
+      });
+      request(url)
+        .then(() => {
+          const [lastUrl, lastOptions] = fetchMock.lastCall()!;
+          expect(lastUrl).toBe(url);
+          expect(requestConfig.noCorsDomains).toEqual([
+            "https://server.portal.com",
+            "https://ent.portal.com"
+          ]);
+          // it should not initialise the crossOriginNoCorsDomains
+          expect(requestConfig.crossOriginNoCorsDomains).toEqual({});
+
+          done();
+        })
+        .catch((e) => {
+          fail(e);
+        });
+    });
+    it("should work without no-cors domains present on portal/self response", (done) => {
+      const url =
+        "https://ent.portal.com/portal/sharing/rest/portals/self?f=json";
+      fetchMock.post(url, {
+        other: "props"
+      });
+      request(url)
+        .then(() => {
+          const [lastUrl, lastOptions] = fetchMock.lastCall()!;
+          expect(lastUrl).toBe(url);
+          expect(requestConfig.noCorsDomains).toEqual([]);
+          // it should not initialise the crossOriginNoCorsDomains
+          expect(requestConfig.crossOriginNoCorsDomains).toEqual({});
+
+          done();
+        })
+        .catch((e) => {
+          fail(e);
+        });
+    });
+  });
 });
