server, driver: fixes #1288, handle basic auth at the network level, attach authorization headers to requests matching remote origin (#1290)

* server, driver: fixes #1288, handle basic auth at the network level, attach authorization headers to requests matching remote origin

* server, driver: fixes failing tests

* driver: fix tests, move around order of ops

* driver: try cypress promise

* server, driver: increase timeouts, don't disable background networking

Author: brian-mann

packages/driver/src/cy/commands/navigation.coffee

@@ -257,7 +257,11 @@ module.exports = (Commands, Cypress, cy, state, config) ->
     fn()
 
   requestUrl = (url, options = {}) ->
-    Cypress.backend("resolve:url", url, _.pick(options, "failOnStatusCode"))
+    Cypress.backend(
+      "resolve:url",
+      url,
+      _.pick(options, "failOnStatusCode", "auth")
+    )
     .then (resp = {}) ->
       switch
         ## if we didn't even get an OK response
@@ -456,6 +460,7 @@ module.exports = (Commands, Cypress, cy, state, config) ->
         $utils.throwErrByPath("visit.invalid_1st_arg")
 
       _.defaults(options, {
+        auth: null
         failOnStatusCode: true
         log: true
         timeout: config("pageLoadTimeout")
@@ -538,9 +543,14 @@ module.exports = (Commands, Cypress, cy, state, config) ->
 
         remote = $Location.create(remoteUrl ? url)
 
+        ## reset auth options if we have them
+        if a = remote.authObj
+          options.auth = a
+
         ## store the existing hash now since
         ## we'll need to apply it later
         existingHash = remote.hash ? ""
+        existingAuth = remote.auth ? ""
 
         if previousDomainVisited and remote.originPolicy isnt existing.originPolicy
           ## if we've already visited a new superDomain
@@ -562,7 +572,11 @@ module.exports = (Commands, Cypress, cy, state, config) ->
           ## before telling our backend to resolve this url
           url = url.replace(existingHash, "")
 
-        requestUrl(url, _.pick(options, "failOnStatusCode"))
+        if existingAuth
+          ## strip out the existing url if we have one
+          url = url.replace(existingAuth + "@", "")
+
+        requestUrl(url, options)
         .then (resp = {}) =>
           {url, originalUrl, cookies, redirects, filePath} = resp
 

packages/driver/src/cypress/location.coffee

@@ -27,6 +27,18 @@ class $Location
   constructor: (remote) ->
     @remote = new UrlParse remote
 
+  getAuth: ->
+    @remote.auth
+
+  getAuthObj: ->
+    if a = @remote.auth
+      [ username, password ] = a.split(":")
+      return {
+        username
+
+        password
+      }
+
   getHash: ->
     @remote.hash
 
@@ -103,6 +115,8 @@ class $Location
 
   getObject: ->
     {
+      auth: @getAuth()
+      authObj: @getAuthObj()
       hash: @getHash()
       href: @getHref()
       host: @getHost()

packages/driver/test/cypress/integration/commands/location_spec.coffee

@@ -245,8 +245,7 @@ describe "src/cy/commands/location", ->
   context "#location", ->
     it "returns the location object", ->
       cy.location().then (loc) ->
-        keys = _.keys loc
-        expect(keys).to.deep.eq ["hash", "href", "host", "hostname", "origin", "pathname", "port", "protocol", "search", "originPolicy", "superDomain", "toString"]
+        expect(loc).to.have.keys ["auth", "authObj", "hash", "href", "host", "hostname", "origin", "pathname", "port", "protocol", "search", "originPolicy", "superDomain", "toString"]
 
     it "returns a specific key from location object", ->
       cy.location("href").then (href) ->
@@ -380,4 +379,4 @@ describe "src/cy/commands/location", ->
 
           expect(_.keys(consoleProps)).to.deep.eq ["Command", "Yielded"]
           expect(consoleProps.Command).to.eq "location"
-          expect(_.keys(consoleProps.Yielded)).to.deep.eq ["hash", "href", "host", "hostname", "origin", "pathname", "port", "protocol", "search", "originPolicy", "superDomain", "toString"]
+          expect(_.keys(consoleProps.Yielded)).to.deep.eq ["auth", "authObj", "hash", "href", "host", "hostname", "origin", "pathname", "port", "protocol", "search", "originPolicy", "superDomain", "toString"]

packages/driver/test/cypress/integration/commands/navigation_spec.coffee

@@ -513,6 +513,27 @@ describe "src/cy/commands/navigation", ->
         .visit("localhost:3500/status-404", { failOnStatusCode: false })
         .visit("localhost:3500/status-500", { failOnStatusCode: false })
 
+    it "strips username + password out of the url when provided", ->
+      backend = cy.spy(Cypress, "backend")
+
+      cy
+        .visit("http://cypress:password123@localhost:3500/timeout")
+        .then ->
+          expect(backend).to.be.calledWith("resolve:url", "http://localhost:3500/timeout")
+
+    it "passes auth options", ->
+      backend = cy.spy(Cypress, "backend")
+
+      auth = {
+        username: "cypress"
+        password: "password123"
+      }
+
+      cy
+        .visit("http://localhost:3500/timeout", { auth })
+        .then ->
+          expect(backend).to.be.calledWithMatch("resolve:url", "http://localhost:3500/timeout", { auth })
+
     describe "when only hashes are changing", ->
       it "short circuits the visit if the page will not refresh", ->
         count = 0

packages/driver/test/cypress/integration/cypress/location_spec.coffee

@@ -17,13 +17,30 @@ urls = {
   heroku:   "https://example.herokuapp.com"
   herokuSub:"https://foo.example.herokuapp.com"
   unknown:  "http://what.is.so.unknown"
+  auth:     "http://cypress:password123@localhost:8080/foo"
 }
 
 describe "src/cypress/location", ->
   beforeEach ->
     @setup = (remote) =>
       new Location(urls[remote])
 
+  context "#getAuth", ->
+    it "returns string with username + password", ->
+      str = @setup("auth").getAuth()
+      expect(str).to.eq("cypress:password123")
+
+  context "#getAuthObj", ->
+    it "returns an object with username and password", ->
+      obj = @setup("auth").getAuthObj()
+      expect(obj).to.deep.eq({
+        username: "cypress"
+        password: "password123"
+      })
+
+    it "returns undefined when no username or password", ->
+      expect(@setup("app").getAuthObj()).to.be.undefined
+
   context "#getHash", ->
     it "returns the hash fragment prepended with #", ->
       str = @setup("app").getHash()
@@ -159,7 +176,7 @@ describe "src/cypress/location", ->
   context ".create", ->
     it "returns an object literal", ->
       obj = Location.create(urls.cypress, urls.signin)
-      keys = ["hash", "href", "host", "hostname", "origin", "pathname", "port", "protocol", "search", "toString", "originPolicy", "superDomain"]
+      keys = ["auth", "authObj", "hash", "href", "host", "hostname", "origin", "pathname", "port", "protocol", "search", "toString", "originPolicy", "superDomain"]
       expect(obj).to.have.keys(keys)
 
     it "can invoke toString function", ->

packages/driver/test/cypress/integration/issues/573_spec.coffee

@@ -1,4 +1,49 @@
+run = ->
+  cy.window()
+  .then { timeout: 60000 }, (win) ->
+    new Cypress.Promise (resolve) ->
+      i = win.document.createElement("iframe")
+      i.onload = resolve
+      i.src = "/basic_auth"
+      win.document.body.appendChild(i)
+  .get("iframe").should ($iframe) ->
+    expect($iframe.contents().text()).to.include("basic auth worked")
+  .window().then { timeout: 60000 }, (win) ->
+    new Cypress.Promise (resolve, reject) ->
+      xhr = new win.XMLHttpRequest()
+      xhr.open("GET", "/basic_auth")
+      xhr.onload = ->
+        try
+          expect(@responseText).to.include("basic auth worked")
+          resolve(win)
+        catch err
+          reject(err)
+      xhr.send()
+  .then { timeout: 60000 }, (win) ->
+    new Cypress.Promise (resolve, reject) ->
+      ## ensure other origins do not have auth headers attached
+      xhr = new win.XMLHttpRequest()
+      xhr.open("GET", "http://localhost:3501/basic_auth")
+      xhr.onload = ->
+        try
+          expect(@status).to.eq(401)
+          resolve(win)
+        catch err
+          reject(err)
+      xhr.send()
+
+# cy.visit("http://admin:[email protected]/basic_auth")
+
 describe "basic auth", ->
-  it "can visit", ->
+  it "can visit with username/pw in url", ->
     cy.visit("http://cypress:password123@localhost:3500/basic_auth")
-    # cy.visit("http://admin:[email protected]/basic_auth")
+    run()
+
+  it "can visit with auth options", ->
+    cy.visit("http://localhost:3500/basic_auth", {
+      auth: {
+        username: "cypress"
+        password: "password123"
+      }
+    })
+    run()

packages/server/lib/browsers/chrome.coffee

@@ -41,17 +41,17 @@ defaultArgs = [
   "--enable-automation"
   "--disable-infobars"
 
-  ## needed for https://github.com/cypress-io/cypress/issues/573
-  ## list of flags here: https://cs.chromium.org/chromium/src/third_party/WebKit/Source/platform/runtime_enabled_features.json5
-  "--disable-blink-features=BlockCredentialedSubresources"
-
   ## the following come frome chromedriver
   ## https://code.google.com/p/chromium/codesearch#chromium/src/chrome/test/chromedriver/chrome_launcher.cc&sq=package:chromium&l=70
   "--metrics-recording-only"
   "--disable-prompt-on-repost"
   "--disable-hang-monitor"
   "--disable-sync"
-  "--disable-background-networking"
+  ## this flag is causing throttling of XHR callbacks for
+  ## as much as 30 seconds. If you VNC in and open dev tools or
+  ## click on a button, it'll "instantly" work. with this
+  ## option enabled, it will time out some of our tests in circle
+  # "--disable-background-networking"
   "--disable-web-resources"
   "--safebrowsing-disable-auto-update"
   "--safebrowsing-disable-download-protection"

packages/server/lib/controllers/proxy.coffee

@@ -266,6 +266,13 @@ module.exports = {
       else
         opts.url = remoteUrl
 
+      ## if we have auth headers and this request matches our origin policy
+      if (a = remoteState.auth) and resMatchesOriginPolicy()
+        ## and no existing Authentication headers
+        if not req.headers["authorization"]
+          base64 = new Buffer(a.username + ":" + a.password).toString("base64")
+          req.headers["authorization"] = "Basic #{base64}"
+
       rq = request.create(opts)
 
       rq.on("error", endWithResponseErr)

packages/server/lib/server.coffee

@@ -278,6 +278,7 @@ class Server
     # }
 
     props = _.extend({},  {
+      auth:       @_remoteAuth
       props:      @_remoteProps
       origin:     @_remoteOrigin
       strategy:   @_remoteStrategy
@@ -294,6 +295,12 @@ class Server
     @_request.send(headers, automationRequest, options)
 
   _onResolveUrl: (urlStr, headers, automationRequest, options = {}) ->
+    debug("resolving visit", {
+      url: urlStr
+      headers
+      options
+    })
+
     request = @_request
 
     handlingLocalFile = false
@@ -327,7 +334,7 @@ class Server
 
           @_remoteVisitingUrl = true
 
-          @_onDomainSet(urlStr)
+          @_onDomainSet(urlStr, options)
 
           ## TODO: instead of joining remoteOrigin here
           ## we can simply join our fileServer origin
@@ -396,7 +403,7 @@ class Server
               if isOk and isHtml
                 ## reset the domain to the new url if we're not
                 ## handling a local file
-                @_onDomainSet(newUrl) if not handlingLocalFile
+                @_onDomainSet(newUrl, options) if not handlingLocalFile
 
                 buffers.set({
                   url: newUrl
@@ -415,6 +422,7 @@ class Server
           .pipe(stream.PassThrough())
 
         restorePreviousState = =>
+          @_remoteAuth         = previousState.auth
           @_remoteProps        = previousState.props
           @_remoteOrigin       = previousState.origin
           @_remoteStrategy     = previousState.strategy
@@ -425,6 +433,7 @@ class Server
         request.sendStream(headers, automationRequest, {
           ## turn off gzip since we need to eventually
           ## rewrite these contents
+          auth: options.auth
           gzip: false
           url: urlFile ? urlStr
           headers: {
@@ -445,9 +454,13 @@ class Server
         .then(handleReqStream)
         .catch(error)
 
-  _onDomainSet: (fullyQualifiedUrl) ->
-    l = (type, url) ->
-      debug("Setting %s %s", type, url)
+  _onDomainSet: (fullyQualifiedUrl, options = {}) ->
+    l = (type, val) ->
+      debug("Setting", type, val)
+
+    @_remoteAuth = options.auth
+
+    l("remoteAuth", @_remoteAuth)
 
     ## if this isn't a fully qualified url
     ## or if this came to us as <root> in our tests

packages/server/test/integration/http_requests_spec.coffee

@@ -1673,6 +1673,59 @@ describe "Routes", ->
               "Content-Type": "text/css"
             })
 
+      it "attaches auth headers when matches origin", ->
+        username = "u"
+        password = "p"
+
+        base64 = new Buffer(username + ":" + password).toString("base64")
+
+        @server._remoteAuth = {
+          username
+          password
+        }
+
+        nock("http://localhost:8080")
+        .get("/index")
+        .matchHeader("authorization", "Basic #{base64}")
+        .reply(200, "")
+
+        @rp("http://localhost:8080/index")
+        .then (res) ->
+          expect(res.statusCode).to.eq(200)
+
+      it "does not attach auth headers when not matching origin", ->
+        nock("http://localhost:8080", {
+          badheaders: ['authorization']
+        })
+        .get("/index")
+        .reply(200, "")
+
+        @rp("http://localhost:8080/index")
+        .then (res) ->
+          expect(res.statusCode).to.eq(200)
+
+      it "does not modify existing auth headers when matching origin", ->
+        existing = "Basic asdf"
+
+        @server._remoteAuth = {
+          username: "u"
+          password: "p"
+        }
+
+        nock("http://localhost:8080")
+        .get("/index")
+        .matchHeader("authorization", existing)
+        .reply(200, "")
+
+        @rp({
+          url: "http://localhost:8080/index"
+          headers: {
+            "Authorization": existing
+          }
+        })
+        .then (res) ->
+          expect(res.statusCode).to.eq(200)
+
     context "images", ->
       beforeEach ->
         Fixtures.scaffold()