@looker/sdk
The Looker SDK for TypeScript/JavaScript works with Node and browser run-times. The SDK provides a convenient way to communicate with a Looker server's APIs.
This package supports using the Looker SDK in the browser. The @looker/sdk-node package depends on this package (@looker/sdk) and @looker/sdk-rtl.
The SDK uses a plug-in architecture (also known as dependency injection) for initializing and supports run-time specific transports (like NodeTransport and BrowserTransport) and different approaches for managing API authentication (like NodeSession, BrowserSession, ProxySession, and CorsSession).
Please report any issues encountered, and indicate the SDK language in the report.
The Looker Browser SDK can be used in a browser application in 3 steps:
Using yarn:
yarn add @looker/sdk @looker/sdk-rtl
Using npm:
npm install @looker/sdk @looker/sdk-rtl
Some other dependencies may be required for your project to build and run correctly.
yarn add @types/readable-stream @types/request @types/request-promise-native -D
The Looker TypeScript SDK has different packages to prevent node dependencies being linked into browser usage of the SDK (the node dependencies are not available in the browser and can cause compilation errors). There are three packages for the TypeScript SDK available on npm:
@looker/sdk-rtl - contains a run time library needed to invoke the Looker API methods. Referencing the @looker/sdk as a dependency should automatically pull this package in.
@looker/sdk - contains the Looker API methods.
@looker/sdk-node - contains the dependencies needed to run the Looker SDK in a node environment. Do NOT include this package if you are using the Looker SDK in a browser. You MUST include this package if you are using node or ts-node.
All requests to the Looker API server require an access token. For browser implementations, authentication is typically achieved via OAuth as described in cors.md or a Proxy Server.
Authenticating for the browser takes more setup than authenticating for use with a Node application.
The stand-alone version of the Looker API Explorer uses OAuth and the BrowserSDK to get an authentication token for Looker API requests.
RunItSDK shows how to override readConfig() to get SDK configuration values.
RunItSDK tests support debugging the flow of RunItSDK.
The OAuthScene React component receives the OAuth response from the Looker server and logs the user in to retrieve the API authentication token.
Looker's OAuth support makes it possible to build a Looker SDK application that only requires the browser. If a browser application can use a proxy server instead, or already uses an existing backend server, it may be simpler to use a proxy for authentication.
The looker.ini configuration file and environment variables are never used in the Browser runtime.
Please use API 4.0. API 3.1 is deprecated and has been removed in Looker v23.18+.
LookerBrowserSDK.init40() and Looker40SDK() initialize the API 4.1 implementation of the SDK.
CORS support allows the Looker API to be used directly in the browser application running on a different domain than the Looker server. Because all API endpoints require authentication except for Login, a proxy server can be used to retrieve the API authentication token and provide it to the browser session.
ProxySession is the SDK class specifically designed to streamline proxy session creation. The source code example below shows how to override the authenticate method for use in a CORS request scenario.
getProxyToken() is the call to the proxy server's API that returns the API auth token to use
if (this.isAuthenticated() branch
By writing your own getProxyToken() visible to this class, any proxied authentication workflow is supported.
import { ProxySession } from '@looker/sdk-rtl'
import type { IApiSettings, ITransport } from '@looker/sdk-rtl'

// getProxyToken() and agentTag are not defined here; both must be visible to this class
export class EmbedSession extends ProxySession {
  constructor(public settings: IApiSettings, transport?: ITransport) {
    super(settings, transport)
  }

  async authenticate(props: any) {
    // get the auth token from the proxy server
    const token = await getProxyToken()
    if (token) {
      // Assign the token, which will track its expiration time automatically
      this.activeToken.setToken(token)
    }

    if (this.isAuthenticated()) {
      // Session is authenticated
      // set CORS mode (in this scenario)
      props.mode = 'cors'

      // remove any credentials attribute that may have been set
      // because the BrowserTransport defaults to having `same-origin` for credentials
      delete props['credentials']

      // replace the headers argument with required values
      // Note: using new Headers() to construct the headers breaks CORS for the Looker API. Don't know why yet
      // Read the token from activeToken so a still-valid earlier token is used
      // when getProxyToken() returned nothing on this call
      props.headers = {
        Authorization: `Bearer ${this.activeToken.access_token}`,
        'x-looker-appid': agentTag,
      }
    }
    return props
  }
}
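One way to write the browser-side getProxyToken() that the proxy pattern above depends on, validating the proxy's response before it is handed to the session (an added example, not code from the Looker SDK or its repository). The endpoint path /api/looker-token, the token_type and expires_in response fields, the injected fetch wrapper and the one-hour lifetime ceiling are assumptions made for illustration.

```typescript
// Added example; names below other than access_token are assumptions.
interface ProxyToken {
  access_token: string
  token_type: string
  expires_in: number
}
// Minimal fetch() shape so the block type-checks without DOM typings.
type FetchLike = (
  url: string,
  init: { method: string; credentials: string; headers: Record<string, string> }
) => Promise<{ ok: boolean; status: number; json(): Promise<unknown> }>

const MAX_LIFETIME_SECONDS = 3600 // assumed policy ceiling

// Validate the proxy's JSON body before it reaches activeToken.setToken().
function parseProxyToken(body: unknown): ProxyToken {
  if (typeof body !== 'object' || body === null) {
    throw new Error('proxy response is not a JSON object')
  }
  const b = body as Record<string, unknown>
  // The browser should only ever receive a short-lived access token.
  for (const field of ['client_secret', 'refresh_token']) {
    if (field in b) throw new Error(`proxy response exposes ${field}`)
  }
  const { access_token, token_type, expires_in } = b
  if (typeof access_token !== 'string' || access_token.length === 0) {
    throw new Error('missing access_token')
  }
  if (typeof token_type !== 'string' || token_type.toLowerCase() !== 'bearer') {
    throw new Error('token_type must be Bearer')
  }
  if (typeof expires_in !== 'number' || !(expires_in > 0) || expires_in > MAX_LIFETIME_SECONDS) {
    throw new Error('expires_in missing or outside the allowed lifetime')
  }
  return { access_token, token_type, expires_in }
}

// Builds the getProxyToken() that EmbedSession.authenticate() awaits.
function makeGetProxyToken(doFetch: FetchLike, url = '/api/looker-token') {
  return async (): Promise<ProxyToken> => {
    const res = await doFetch(url, {
      method: 'POST',
      credentials: 'same-origin', // session cookie goes to the app's own backend only
      headers: { Accept: 'application/json' },
    })
    if (!res.ok) throw new Error(`proxy returned HTTP ${res.status}`)
    return parseProxyToken(await res.json())
  }
}
```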
Looker's open source repository of SDK Examples has more example scripts and applications that show how to use the Looker SDK.
Any script or configuration file used to provide credentials to your Looker SDK instance needs to be secured.
FAQs
Looker SDK
The npm package @looker/sdk receives a total of 25,273 weekly downloads. As such, @looker/sdk popularity was classified as popular.
We found that @looker/sdk demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.