Request-a-copy improvements: Support access by secure link

package.json

@@ -114,6 +114,7 @@
     "@ngrx/store": "^18.1.1",
     "@ngx-translate/core": "^16.0.3",
     "@nicky-lenaers/ngx-scroll-to": "^14.0.0",
+    "altcha": "^0.9.0",
     "angulartics2": "^12.2.0",
     "axios": "^1.7.9",
     "bootstrap": "^5.3",

src/app/app-routing-paths.ts

@@ -35,6 +35,41 @@
   };
 }
 
+/**
+ * Get a bitstream download route with an access token (to provide direct access to a user) added as a query parameter
+ * @param bitstream the bitstream to download
+ * @param accessToken the access token, which should match an access_token in the requestitem table
+ */
+export function getBitstreamDownloadWithAccessTokenRoute(bitstream, accessToken): { routerLink: string, queryParams: any } {
+  const url = new URLCombiner(getBitstreamModuleRoute(), bitstream.uuid, 'download').toString();
+  const options = {
+    routerLink: url,
+    queryParams: {},
+  };
+  // Only add the access token if it is not empty, otherwise keep valid empty query parameters
+  if (hasValue(accessToken)) {
+    options.queryParams = { accessToken: accessToken };
+  }
+  return options;
+}
+/**
+ * Get an access token request route for a user to access approved bitstreams using a supplied access token
+ * @param item_uuid item UUID
+ * @param accessToken access token (generated by backend)
+ */
+export function getAccessTokenRequestRoute(item_uuid, accessToken): { routerLink: string, queryParams: any } {
+  const url = new URLCombiner(getItemModuleRoute(), item_uuid, getAccessByTokenModulePath()).toString();
+  const options = {
+    routerLink: url,
+    queryParams: {
+      accessToken: (hasValue(accessToken) ? accessToken : undefined),
+    },
+  };
+  return options;
+}
+
+export const COAR_NOTIFY_SUPPORT = 'coar-notify-support';
+
 export const HOME_PAGE_PATH = 'home';
 
 export function getHomePageRoute() {
@@ -128,6 +163,11 @@
   return `/${REQUEST_COPY_MODULE_PATH}`;
 }
 
+export const ACCESS_BY_TOKEN_MODULE_PATH = 'access-by-token';
+export function getAccessByTokenModulePath() {
+  return `/${ACCESS_BY_TOKEN_MODULE_PATH}`;
+}
+
 export const HEALTH_PAGE_PATH = 'health';
 
 export const SUBSCRIPTIONS_MODULE_PATH = 'subscriptions';

src/app/bitstream-page/bitstream-download-page/bitstream-download-page.component.spec.ts

@@ -73,16 +73,16 @@ describe('BitstreamDownloadPageComponent', () => {
         self: { href: 'bitstream-self-link' },
       },
     });
-
     activatedRoute = {
       data: observableOf({
-        bitstream: createSuccessfulRemoteDataObject(
-          bitstream,
-        ),
+        bitstream: createSuccessfulRemoteDataObject(bitstream),
       }),
       params: observableOf({
         id: 'testid',
       }),
+      queryParams: observableOf({
+        accessToken: undefined,
+      }),
     };
 
     router = jasmine.createSpyObj('router', ['navigateByUrl']);

src/app/bitstream-page/bitstream-download-page/bitstream-download-page.component.ts

@@ -11,6 +11,7 @@
 } from '@angular/core';
 import {
   ActivatedRoute,
+  Params,
   Router,
 } from '@angular/router';
 import { TranslateModule } from '@ngx-translate/core';
@@ -83,6 +84,10 @@
   }
 
   ngOnInit(): void {
+    const accessToken$: Observable<string> = this.route.queryParams.pipe(
+      map((queryParams: Params) => queryParams?.accessToken || null),
+      take(1),
+    );
 
     this.bitstreamRD$ = this.route.data.pipe(
       map((data) => data.bitstream));
@@ -96,32 +101,40 @@
       switchMap((bitstream: Bitstream) => {
         const isAuthorized$ = this.authorizationService.isAuthorized(FeatureID.CanDownload, isNotEmpty(bitstream) ? bitstream.self : undefined);
         const isLoggedIn$ = this.auth.isAuthenticated();
-        return observableCombineLatest([isAuthorized$, isLoggedIn$, observableOf(bitstream)]);
+        return observableCombineLatest([isAuthorized$, isLoggedIn$, accessToken$, observableOf(bitstream)]);
       }),
-      filter(([isAuthorized, isLoggedIn, bitstream]: [boolean, boolean, Bitstream]) => hasValue(isAuthorized) && hasValue(isLoggedIn)),
+      filter(([isAuthorized, isLoggedIn, accessToken, bitstream]: [boolean, boolean, string, Bitstream]) => (hasValue(isAuthorized) && hasValue(isLoggedIn)) || hasValue(accessToken)),
       take(1),
-      switchMap(([isAuthorized, isLoggedIn, bitstream]: [boolean, boolean, Bitstream]) => {
+      switchMap(([isAuthorized, isLoggedIn, accessToken, bitstream]: [boolean, boolean, string, Bitstream]) => {
         if (isAuthorized && isLoggedIn) {
           return this.fileService.retrieveFileDownloadLink(bitstream._links.content.href).pipe(
             filter((fileLink) => hasValue(fileLink)),
             take(1),
             map((fileLink) => {
               return [isAuthorized, isLoggedIn, bitstream, fileLink];
             }));
+        } else if (hasValue(accessToken)) {
+          return [[isAuthorized, !isLoggedIn, bitstream, '', accessToken]];
         } else {
           return [[isAuthorized, isLoggedIn, bitstream, '']];
         }
       }),
-    ).subscribe(([isAuthorized, isLoggedIn, bitstream, fileLink]: [boolean, boolean, Bitstream, string]) => {
+    ).subscribe(([isAuthorized, isLoggedIn, bitstream, fileLink, accessToken]: [boolean, boolean, Bitstream, string, string]) => {
       if (isAuthorized && isLoggedIn && isNotEmpty(fileLink)) {
         this.hardRedirectService.redirect(fileLink);
-      } else if (isAuthorized && !isLoggedIn) {
+      } else if (isAuthorized && !isLoggedIn && !hasValue(accessToken)) {
         this.hardRedirectService.redirect(bitstream._links.content.href);
-      } else if (!isAuthorized && isLoggedIn) {
-        this.router.navigateByUrl(getForbiddenRoute(), { skipLocationChange: true });
-      } else if (!isAuthorized && !isLoggedIn) {
-        this.auth.setRedirectUrl(this.router.url);
-        this.router.navigateByUrl('login');
+      } else if (!isAuthorized) {
+        // Either we have an access token, or we are logged in, or we are not logged in.
+        // For now, the access token does not care if we are logged in or not.
+        if (hasValue(accessToken)) {
+          this.hardRedirectService.redirect(bitstream._links.content.href + '?accessToken=' + accessToken);
+        } else if (isLoggedIn) {
+          this.router.navigateByUrl(getForbiddenRoute(), { skipLocationChange: true });
+        } else if (!isLoggedIn) {
+          this.auth.setRedirectUrl(this.router.url);
+          this.router.navigateByUrl('login');
+        }
       }
     });
   }

src/app/core/auth/access-token.resolver.ts

@@ -0,0 +1,62 @@
+import { inject } from '@angular/core';
+import {
+  ResolveFn,
+  Router,
+} from '@angular/router';
+import { Observable } from 'rxjs';
+import {
+  map,
+  tap,
+} from 'rxjs/operators';
+
+import { getForbiddenRoute } from '../../app-routing-paths';
+import { hasValue } from '../../shared/empty.util';
+import { ItemRequestDataService } from '../data/item-request-data.service';
+import { RemoteData } from '../data/remote-data';
+import { redirectOn4xx } from '../shared/authorized.operators';
+import { ItemRequest } from '../shared/item-request.model';
+import {
+  getFirstCompletedRemoteData,
+  getFirstSucceededRemoteDataPayload,
+} from '../shared/operators';
+import { AuthService } from './auth.service';
+
+/**
+ * Resolve an ItemRequest based on the accessToken in the query params
+ * Used in item-page-routes.ts to resolve the item request for all Item page components
+ * @param route
+ * @param state
+ * @param router
+ * @param authService
+ * @param itemRequestDataService
+ */
+export const accessTokenResolver: ResolveFn<ItemRequest> = (
+  route,
+  state,
+  router: Router = inject(Router),
+  authService: AuthService = inject(AuthService),
+  itemRequestDataService: ItemRequestDataService = inject(ItemRequestDataService),
+): Observable<ItemRequest> => {
+  const accessToken = route.queryParams.accessToken;
+  // Set null object if accesstoken is empty
+  if ( !hasValue(accessToken) ) {
+    return null;
+  }
+  // Get the item request from the server
+  return itemRequestDataService.getSanitizedRequestByAccessToken(accessToken).pipe(
+    getFirstCompletedRemoteData(),
+    // Handle authorization errors, not found errors and forbidden errors as normal
+    redirectOn4xx(router, authService),
+    map((rd: RemoteData<ItemRequest>) => rd),
+    // Get payload of the item request
+    getFirstSucceededRemoteDataPayload(),
+    tap(request => {
+      if (!hasValue(request)) {
+        // If the request is not found, redirect to 403 Forbidden
+        router.navigateByUrl(getForbiddenRoute());
+      }
+      // Return the resolved item request object
+      return request;
+    }),
+  );
+};

src/app/core/data/eperson-registration.service.spec.ts

@@ -95,7 +95,7 @@ describe('EpersonRegistrationService', () => {
       const expected = service.registerEmail('test@mail.org', 'afreshcaptchatoken');
       let headers = new HttpHeaders();
       const options: HttpOptions = Object.create({});
-      headers = headers.append('x-recaptcha-token', 'afreshcaptchatoken');
+      headers = headers.append('x-captcha-payload', 'afreshcaptchatoken');
       options.headers = headers;
 
       expect(requestService.send).toHaveBeenCalledWith(new PostRequest('request-id', 'rest-url/registrations', registration, options));

src/app/core/data/eperson-registration.service.ts

@@ -67,7 +67,7 @@ export class EpersonRegistrationService {
   /**
    * Register a new email address
    * @param email
-   * @param captchaToken the value of x-recaptcha-token header
+   * @param captchaToken the value of x-captcha-payload header
    */
   registerEmail(email: string, captchaToken: string = null, type?: string): Observable<RemoteData<Registration>> {
     const registration = new Registration();
@@ -80,7 +80,7 @@ export class EpersonRegistrationService {
     const options: HttpOptions = Object.create({});
     let headers = new HttpHeaders();
     if (captchaToken) {
-      headers = headers.append('x-recaptcha-token', captchaToken);
+      headers = headers.append('x-captcha-payload', captchaToken);
     }
     options.headers = headers;