npm - @adobe/helix-config-storage - Versions diffs - 2.1.7 → 2.2.0 - Mend

@adobe/helix-config-storage 2.1.7 → 2.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/CHANGELOG.md +7 -0
package/package.json +1 -1
package/src/config-store.js +64 -3
package/src/config-validator.js +2 -0
package/src/schemas/apikeys.schema.cjs +12 -0
package/src/schemas/apikeys.schema.json +50 -0
package/src/schemas/org.schema.json +3 -0
package/src/schemas/site.schema.json +3 -0
package/validate-json-schemas.sh +1 -0

package/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,10 @@
+# [2.2.0](https://github.com/adobe/helix-config-storage/compare/v2.1.7...v2.2.0) (2025-04-22)
+### Features
+* support storing api key information ([b4d7de7](https://github.com/adobe/helix-config-storage/commit/b4d7de7ae49105fdd5da4dfda2b2a94ea105cef9))
 ## [2.1.7](https://github.com/adobe/helix-config-storage/compare/v2.1.6...v2.1.7) (2025-04-15)

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@adobe/helix-config-storage",
-  "version": "2.1.7",
+  "version": "2.2.0",
   "description": "Helix Config Storage",
   "main": "src/index.js",
   "types": "src/index.d.ts",

package/src/config-store.js CHANGED Viewed

@@ -11,7 +11,9 @@
  */
 /* eslint-disable no-param-reassign */
 import crypto from 'crypto';
+import { decodeJwt } from 'jose';
 import { HelixStorage } from '@adobe/helix-shared-storage';
+import { sanitizeName } from '@adobe/helix-shared-string';
 import { StatusCodeError } from './status-code-error.js';
 import {
   createToken, createUser,
@@ -43,6 +45,7 @@ const FRAGMENTS_COMMON = {
       name: 'id',
       '.': 'secret',
     },
+    '.allowEmpty': true,
   },
   access: {
     '.': 'object',
@@ -70,6 +73,7 @@ const FRAGMENTS_COMMON = {
       name: 'id',
       '.': 'token',
     },
+    '.allowEmpty': true,
   },
   groups: {
     '.': 'object',
@@ -79,8 +83,15 @@ const FRAGMENTS_COMMON = {
     },
   },
   public: '*',
-  features: '*',
-  limits: '*',
+  features: {
+    '.': '*',
+    '.allowEmpty': true,
+  },
+  limits: {
+    '.': '*',
+    '.allowEmpty': true,
+  },
   robots: 'object',
   events: {
     github: 'object',
@@ -91,6 +102,13 @@ const FRAGMENTS = {
   sites: {
     ...FRAGMENTS_COMMON,
     extends: 'object',
+    apiKeys: {
+      '.': 'apiKeys',
+      '.param': {
+        name: 'id',
+        '.': 'apiKey',
+      },
+    },
   },
   profiles: FRAGMENTS_COMMON,
   org: {
@@ -100,6 +118,15 @@ const FRAGMENTS = {
         name: 'id',
         '.': 'secret',
       },
+      '.allowEmpty': true,
+    },
+    apiKeys: {
+      '.': 'apiKeys',
+      '.param': {
+        name: 'id',
+        '.': 'apiKey',
+      },
+      '.allowEmpty': true,
     },
     tokens: {
       '.': 'tokens',
@@ -107,6 +134,7 @@ const FRAGMENTS = {
         name: 'id',
         '.': 'token',
       },
+      '.allowEmpty': true,
     },
     users: {
       '.': 'users',
@@ -151,6 +179,10 @@ export function getFragmentInfo(type, relPath = '') {
       fragment = '*';
       break;
     }
+    if (typeof next === 'object' && next['.'] === '*') {
+      fragment = next;
+      break;
+    }
     if (!next) {
       next = fragment['.param'];
       if (!next) {
@@ -165,6 +197,7 @@ export function getFragmentInfo(type, relPath = '') {
   } else {
     info.type = fragment['.'];
   }
+  info.allowEmpty = fragment['.allowEmpty'] || false;
   return info;
 }
@@ -530,7 +563,7 @@ export class ConfigStore {
     }
     if (frag) {
       if (!old) {
-        if (this.type === 'profiles' && (frag.type === 'tokens' || frag.type === 'secrets' || frag.name === 'features' || frag.name === 'limits')) {
+        if (this.type === 'profiles' && frag.allowEmpty) {
           old = {};
         } else {
           throw new StatusCodeError(404, 'config not found.');
@@ -561,6 +594,34 @@ export class ConfigStore {
         // don't expose hash in return value
         delete ret.hash;
       }
+      if (frag.type === 'apiKeys') {
+        if (data.jwt) {
+          try {
+            const payload = await decodeJwt(data.jwt);
+            data.id = payload.jti;
+            data.roles = payload.roles;
+            data.subject = payload.sub;
+            data.expiration = new Date(payload.exp * 1000).toISOString();
+            delete data.jwt;
+          } catch (e) {
+            throw new StatusCodeError(400, e.message);
+          }
+        }
+        frag.name = sanitizeName(data.id);
+        frag.type = 'apiKey';
+        frag.relPath.push(frag.name);
+      }
+      if (frag.type === 'apiKey') {
+        if (data.jwt) {
+          throw new StatusCodeError(400, 'jwt not allowed in existing apiKey');
+        }
+        const oldData = deepGetOrCreate(old, frag.relPath, true);
+        data.created = oldData.created || new Date().toISOString();
+        // ensure that the name is equal to the sanitized id
+        if (frag.name !== sanitizeName(data.id)) {
+          throw new StatusCodeError(400, 'apiKey id mismatch');
+        }
+      }
       if (frag.type === 'secrets') {
         // create new secret with random id
         frag.name = crypto.randomBytes(32).toString('base64url');

package/src/config-validator.js CHANGED Viewed

@@ -16,6 +16,7 @@ import { ValidationError } from './ValidationError.js';
 import accessAdminSchema from './schemas/access-admin.schema.cjs';
 import accessSchema from './schemas/access.schema.cjs';
 import accessSiteSchema from './schemas/access-site.schema.cjs';
+import apiKeysSchema from './schemas/apikeys.schema.cjs';
 import cdnSchema from './schemas/cdn.schema.cjs';
 import cdnProdFastlySchema from './schemas/cdn-prod-fastly.schema.cjs';
 import cdnProdCloudflareSchema from './schemas/cdn-prod-cloudflare.schema.cjs';
@@ -53,6 +54,7 @@ export const SCHEMAS = [
   accessAdminSchema,
   accessSchema,
   accessSiteSchema,
+  apiKeysSchema,
   cdnProdAkamaiSchema,
   cdnProdCloudflareSchema,
   cdnProdCloudfrontSchema,

package/src/schemas/apikeys.schema.cjs ADDED Viewed

@@ -0,0 +1,12 @@
+/*
+ * Copyright 2024 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+module.exports = require('./apikeys.schema.json');

package/src/schemas/apikeys.schema.json ADDED Viewed

@@ -0,0 +1,50 @@
+{
+  "$comment": "https://github.com/adobe/helix-config/blob/main/LICENSE.txt",
+  "$schema": "https://json-schema.org/draft/2019-09/schema",
+  "$id": "https://ns.adobe.com/helix/config/apikeys",
+  "title": "ApiKeys",
+  "type": "object",
+  "description": "Stores information about generated admin API keys. The keys listed here have no operational meaning, but are used to track the keys that have been generated.",
+  "patternProperties": {
+    "^[a-zA-Z0-9-_]+$": {
+      "type": "object",
+      "properties": {
+        "id": {
+          "type": "string",
+          "pattern": "^[a-zA-Z0-9-_/+]+$",
+          "description": "the API token id (jti)"
+        },
+        "created": {
+          "type": "string",
+          "format": "date-time"
+        },
+        "expiration": {
+          "type": "string",
+          "format": "date-time"
+        },
+        "roles": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
+        "subject": {
+          "type": "string",
+          "description": "the subject of the API token (sub)"
+        },
+        "description": {
+          "type": "string"
+        }
+      },
+      "required": [
+        "id",
+        "subject",
+        "created",
+        "expiration",
+        "roles"
+      ],
+      "additionalProperties": false
+    }
+  },
+  "additionalProperties": false
+}

package/src/schemas/org.schema.json CHANGED Viewed

@@ -23,6 +23,9 @@
     "secrets": {
       "$ref": "https://ns.adobe.com/helix/config/secrets"
     },
+    "apiKeys": {
+      "$ref": "https://ns.adobe.com/helix/config/apikeys"
+    },
     "tokens": {
       "$ref": "https://ns.adobe.com/helix/config/tokens"
     },

package/src/schemas/site.schema.json CHANGED Viewed

@@ -44,6 +44,9 @@
     "secrets": {
       "$ref": "https://ns.adobe.com/helix/config/secrets"
     },
+    "apiKeys": {
+      "$ref": "https://ns.adobe.com/helix/config/apikeys"
+    },
     "groups": {
       "$ref": "https://ns.adobe.com/helix/config/groups"
     },

package/validate-json-schemas.sh CHANGED Viewed

@@ -4,6 +4,7 @@ npx ajv-cli --spec=draft2019 -c ajv-formats compile \
 -s src/schemas/access-admin.schema.json \
 -s src/schemas/access-site.schema.json \
 -s src/schemas/access.schema.json \
+-s src/schemas/apikeys.schema.json \
 -s src/schemas/cdn-prod-akamai.schema.json \
 -s src/schemas/cdn-prod-cloudflare.schema.json \
 -s src/schemas/cdn-prod-cloudfront.schema.json \