Support logged in queries

[essential-randomness]

From this discord discussion, where @ nianeyna outlined her research on how to query AO3 using logged in credentials:

"This is the simplified explanation:

• check your cookie store (in this case I guess it would be some value you have the client pass in) for an _otwarchive_session cookie that is not expired
• if you have one, set the 'cookie' header on the request based on its value, and make the request. you may need to follow redirects here to get to the actual page you want.
• if you don't have one, make a GET request to the ao3 login form
• then scrape the authenticity_token and the otwarchive_session cookie from it
• then make a POST request to the ao3 login form with a username and password and the authenticity token, setting the cookie header here as well. again you may need to follow redirects. importantly, you need to shepherd your cookies through all the redirects. actually that's true of the above as well.
• hopefully at this point you will have a valid _otwarchive_session cookie from the response you got from the post request. see step 2"

[nianeyna]

You can do this in the existing implementation by writing a custom fetcher using the fetch-cookie npm package:

import makeFetchCookie from "fetch-cookie";
import parse, { HTMLElement } from "node-html-parser";

const AO3_LOGIN_URL = "https://archiveofourown.org/users/login";
const AO3_SESSION_COOKIE = "_otwarchive_session";

const cookieJar = new makeFetchCookie.toughCookie.CookieJar();
const fetchCookie = makeFetchCookie(fetch, cookieJar);

export default function loginFetcher(username: string, password: string) {
  return async (...params: Parameters<typeof fetch>) => {
    const url = getUrl(params[0]);
    console.log("Checking session cookie");
    const session = (await cookieJar.getCookies(url)).find((cookie) => cookie.key === AO3_SESSION_COOKIE);
    if (!session || session.expires && session.expires <= new Date()) await login(username, password);
    console.log("Making request to url", params[0]);
    return await fetchCookie(...params);
  };
}

async function login(username: string, password: string): Promise<void> {
  console.log("Getting login form");
  const loginForm = await fetchCookie(AO3_LOGIN_URL);
  const token = getAuthenticityToken(parse(await loginForm.text()));
  if (!token) throw new Error("Could not find authenticity token");
  const payload = getLoginPayload(username, password, token);
  const body = new URLSearchParams(payload).toString();
  console.log("Logging in");
  await fetchCookie(AO3_LOGIN_URL, {
    method: "POST",
    headers: {
      "Content-Type": "application/x-www-form-urlencoded",
      "Content-Length": body.length.toString(),
    },
    body,
  });
}

function getAuthenticityToken(element: HTMLElement): string | undefined {
  return element
    .querySelector('form.new_user')
    ?.querySelectorAll('input')
    ?.find(x => x.getAttribute('name') == 'authenticity_token')
    ?.getAttribute('value');
}

function getLoginPayload(username: string, password: string, token: string) {
  const payload = {
    'authenticity_token': token,
    'user[login]': username,
    'user[password]': password,
    'commit': 'Log+in'
  };
  return payload;
}

function getUrl(requestInfo: RequestInfo | URL): URL {
  return typeof requestInfo === 'string' ? new URL(requestInfo) : requestInfo instanceof URL ? requestInfo : new URL(requestInfo.url);
}

(I used node-html-parser to get the authenticity token - it should be trivial to refactor to use cheerio instead if desired)

usage:

import { getWork, setFetcher } from "@bobaboard/ao3.js";
import loginFetcher from "./loginFetcher";

const USERNAME = "***";
const PASSWORD = "***";
const LOCKED_WORK_ID = "{id of locked work}";

console.log("Setting fetcher");
setFetcher(loginFetcher(USERNAME, PASSWORD));

console.log("Fetching locked work");
getWork({ workId: LOCKED_WORK_ID }).then((work) => {
    console.log(JSON.stringify(work, null, 2));
    console.log("Fetching locked work again - should use existing login details");
    getWork({ workId: LOCKED_WORK_ID }).then((work) => {
        console.log(JSON.stringify(work, null, 2));
    });
});

note this implementation doesn't have much in the way of error handling, and also doesn't include rate limit handling etc