Hi all,
So… I’ve been furiously rewriting Node-on-FHIR to use the latest Meteor v3, and have been working through our OAuth and UDAP implementations, making steady and good progress. I’ve recently hit a snag with HTTP headers that I could use some help with. Here’s an abbreviated version of the code block I’m currently migrating:
```js
import { Meteor } from 'meteor/meteor';
import { WebApp } from "meteor/webapp";
import { Random } from 'meteor/random';
import { fetch, Headers } from 'meteor/fetch';
import { get, cloneDeep } from 'lodash';
import jwt from 'jsonwebtoken';

// OAuthClients, saveToInboundTrafficLog, client_assertion and softwareStatementPem
// are defined in code omitted from this abbreviated listing.
WebApp.handlers.post("/oauth/token", async (req, res) => {
  console.log("POST /oauth/token");
  saveToInboundTrafficLog(req);

  res.setHeader('Content-type', 'application/json');
  res.setHeader("Access-Control-Allow-Origin", "*");

  // Declared before the if/else so the "no client" branch can reference it.
  // invalid_grant is the RFC 6749 error for an unknown authorization code.
  let returnPayload = { code: 400, data: { "error": "invalid_grant" } };

  let authorizedClient = await OAuthClients.findOneAsync({ authorization_code: get(req.query, 'code') });
  // Note: this logs the full client record, including its authorization code.
  console.log('authorizedClient', authorizedClient);

  if (authorizedClient) {
    // Issue and persist a fresh access token for the matched client.
    let updatedAuthorizedClient = cloneDeep(authorizedClient);
    updatedAuthorizedClient.access_token = Random.id();
    updatedAuthorizedClient.access_token_created_at = new Date();
    await OAuthClients.updateAsync({ _id: updatedAuthorizedClient._id }, { $set: updatedAuthorizedClient });

    returnPayload = {
      code: 200,
      data: {
        "access_token": updatedAuthorizedClient.access_token,
        "token_type": "Bearer",
        "scope": "openid fhirUser launch offline_access user/*.cruds",
        "expires_in": get(Meteor, 'settings.private.fhir.tokenTimeout', 86400)
      }
    };

    // Verify the UDAP client assertion before answering.
    jwt.verify(client_assertion, softwareStatementPem, { algorithms: ['RS256'] }, (error, verifiedJwt) => {
      if (error) {
        Object.assign(returnPayload, { code: 400, data: { "error": "invalid_request", "description": "decoded payload did not contain an iss", "udap_testscript_step": "IIB4a3" } });
        if (!res.headersSent) {
          res.status(400).json(returnPayload.data).end();
        }
      } else {
        if (!res.headersSent) {
          res.setHeader('content-type', 'application/json').status(200).json(returnPayload.data).end();
        }
      }
    });
  } else {
    console.log('No client found with that authorization code');
    if (!res.headersSent) {
      res.status(400).json(returnPayload).end();
    }
  }
});
```
My problem is that the routes consistently return `application/json; charset=utf-8` for all routes, no matter how many variants of `res.setHeader` that I try. I know there is a time and place when the `charset=utf-8` is needed, and many applications may feel it’s necessary. However, it’s out of spec for the specific interface that we’re currently implementing, so I’ve got to get rid of it for specific server routes.
I’ve been disabling Express middleware, as well as disabling any packages I can think of that might have middleware in them. But I’m exhausting the obvious places to look.
Any ideas? I’m stoked to be this far along. If I can solve this one last issue, I should be able to get over the finish line and get our OAuth server live on Meteor v3.
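
Added example, not part of the original post or Node-on-FHIR's code: one way to keep an exact `Content-Type` on a single route, assuming the charset is appended by Express's `res.json()`/`res.send()` when the body is a string. The helper names (`sendExactJson`, `auditTokenHeaders`, `makeFakeResponse`) are hypothetical, and the fake response is a constructed stand-in for Node's `http.ServerResponse`.

```javascript
// Write a JSON body with an exact Content-Type using only Node's core
// response methods. Passing a Buffer to res.end() bypasses res.json()
// and res.send(), so no framework layer rewrites the header.
function sendExactJson(res, status, payload) {
  if (res.headersSent) return false; // never write a second response
  const body = Buffer.from(JSON.stringify(payload), 'utf8');
  res.statusCode = status;
  res.setHeader('Content-Type', 'application/json');
  res.setHeader('Content-Length', String(body.length));
  // RFC 6749 section 5.1: responses carrying tokens must not be cached.
  res.setHeader('Cache-Control', 'no-store');
  res.setHeader('Pragma', 'no-cache');
  res.end(body);
  return true;
}

// Conformance check for captured token-endpoint response headers.
// Returns a list of problems; an empty list means the headers pass.
function auditTokenHeaders(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value);
  }
  const problems = [];
  if (h['content-type'] !== 'application/json') {
    problems.push(`content-type is "${h['content-type']}"`);
  }
  if (h['cache-control'] !== 'no-store') problems.push('missing Cache-Control: no-store');
  if (h['pragma'] !== 'no-cache') problems.push('missing Pragma: no-cache');
  return problems;
}

// Constructed stand-in for http.ServerResponse that records what is written.
function makeFakeResponse() {
  const res = { statusCode: 0, headersSent: false, headers: {}, body: null };
  res.setHeader = (name, value) => { res.headers[name.toLowerCase()] = value; return res; };
  res.end = (chunk) => { res.body = chunk; res.headersSent = true; return res; };
  return res;
}
```

In the route handler, `sendExactJson(res, 200, returnPayload.data)` would take the place of the `res.status(...).json(...)` chain, and `auditTokenHeaders` can be run over headers captured from a test request.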