@adobe/helix-config 2.7.1 → 2.9.0

package/CHANGELOG.md

@@ -1,3 +1,17 @@
+# [2.9.0](https://github.com/adobe/helix-config/compare/v2.8.0...v2.9.0) (2024-04-25)
+
+
+### Features
+
+* add token support ([d8e25f5](https://github.com/adobe/helix-config/commit/d8e25f58ae8b083f9fa2970d84e5ab6f03c26372)), closes [#42](https://github.com/adobe/helix-config/issues/42)
+
+# [2.8.0](https://github.com/adobe/helix-config/compare/v2.7.1...v2.8.0) (2024-04-24)
+
+
+### Features
+
+* add support for robots.txt ([#57](https://github.com/adobe/helix-config/issues/57)) ([dedfec3](https://github.com/adobe/helix-config/commit/dedfec38c0ff97953b71ea3d71a4547f981eb56d)), closes [#56](https://github.com/adobe/helix-config/issues/56)
+
 ## [2.7.1](https://github.com/adobe/helix-config/compare/v2.7.0...v2.7.1) (2024-04-24)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adobe/helix-config",
-  "version": "2.7.1",
+  "version": "2.9.0",
   "description": "Helix Config",
   "main": "src/index.js",
   "types": "src/index.d.ts",

package/src/config-legacy.js

@@ -66,6 +66,19 @@ async function fetchConfigAll(ctx, contentBusId, partition) {
   return res.json();
 }
 
+/**
+ * Retrieves the robots.txt from the code-bus
+ * @param {ConfigContext} ctx the context
+ * @param {string} owner
+ * @param {string} repo
+ * @returns {Promise<string|null>} the robots.txt
+ */
+export async function fetchRobotsTxt(ctx, owner, repo) {
+  const key = `${owner}/${repo}/main/robots.txt`;
+  const res = await ctx.loader.getObject(HELIX_CODE_BUS, key);
+  return res.body;
+}
+
 /**
  * Loads the content from a helix 4 project.
  * @param {ConfigContext} ctx
@@ -131,6 +144,12 @@ export async function resolveLegacyConfig(ctx, rso, scope) {
     if (configAllLive?.metadata) {
       config.metadata.live = configAllLive.metadata;
     }
+    const robots = await fetchRobotsTxt(ctx, rso.org, rso.site);
+    if (robots) {
+      config.robots = {
+        txt: robots,
+      };
+    }
   }
   return config;
 }

package/src/config-view.js

@@ -18,7 +18,7 @@ import {
   SCOPE_DELIVERY,
   SCOPE_RAW,
 } from './ConfigContext.js';
-import { resolveLegacyConfig } from './config-legacy.js';
+import { resolveLegacyConfig, fetchRobotsTxt } from './config-legacy.js';
 
 /**
  * @typedef Config
@@ -72,12 +72,26 @@ export function canonicalArrayString(root, partition, prop) {
 /**
  * Returns the normalized access configuration for the give partition.
  */
-export function getAccessConfig(access, partition) {
-  return {
+export function getAccessConfig(config, partition) {
+  const { access, tokens = {} } = config;
+  const apiKeyId = toArray(access[partition]?.apiKeyId ?? access.apiKeyId);
+  const cfg = {
     allow: toArray(access[partition]?.allow ?? access.allow),
-    apiKeyId: toArray(access[partition]?.apiKeyId ?? access.apiKeyId),
+    apiKeyId,
+    tokenHash: apiKeyId.map((id) => tokens[id]?.hash).filter((hash) => !!hash),
     clientCertDN: toArray(access[partition]?.clientCertDN ?? access.clientCertDN),
   };
+  // if an allow is defined but no apiKeyId, create a fake one so that auth is still
+  // enforced. later we can remove the allow and the apiKeyId in favor of the tokenHash
+  if (cfg.allow.length && !cfg.apiKeyId.length) {
+    cfg.apiKeyId.push('fake');
+  }
+  // if an apiKeyId is defined but no tokenHash, create a fake one so that auth is still
+  // enforced.
+  if (cfg.apiKeyId.length && !cfg.tokenHash.length) {
+    cfg.tokenHash.push('n/a');
+  }
+  return cfg;
 }
 
 /**
@@ -167,6 +181,12 @@ async function resolveConfig(ctx, rso, scope) {
       preview: await loadMetadata(ctx, config, 'preview'),
       live: await loadMetadata(ctx, config, 'live'),
     };
+    if (!config.robots) {
+      const txt = await fetchRobotsTxt(ctx, config.code.owner, config.code.repo);
+      if (txt) {
+        config.robots = { txt };
+      }
+    }
   }
   if (scope === SCOPE_PIPELINE || scope === SCOPE_DELIVERY) {
     config.head = await loadHeadHtml(ctx, config, rso.ref);
@@ -205,8 +225,8 @@ export async function getConfigResponse(ctx, opts) {
     // normalize access config
     const { admin = {} } = config.access;
     config.access = {
-      preview: getAccessConfig(config.access, 'preview'),
-      live: getAccessConfig(config.access, 'live'),
+      preview: getAccessConfig(config, 'preview'),
+      live: getAccessConfig(config, 'live'),
       // access.require.repository ?
     };
     if (opts.scope === SCOPE_ADMIN || opts.scope === SCOPE_RAW) {
@@ -235,13 +255,20 @@ export async function getConfigResponse(ctx, opts) {
         'x-hlx-auth-allow-preview': canonicalArrayString(config.access, 'preview', 'allow'),
         'x-hlx-auth-apikey-preview': canonicalArrayString(config.access, 'preview', 'apiKeyId'),
         'x-hlx-auth-clientdn-preview': canonicalArrayString(config.access, 'preview', 'clientCertDN'),
+        'x-hlx-auth-hash-preview': canonicalArrayString(config.access, 'preview', 'tokenHash'),
         'x-hlx-auth-allow-live': canonicalArrayString(config.access, 'live', 'allow'),
         'x-hlx-auth-apikey-live': canonicalArrayString(config.access, 'live', 'apiKeyId'),
         'x-hlx-auth-clientdn-live': canonicalArrayString(config.access, 'live', 'clientCertDN'),
+        'x-hlx-auth-hash-live': canonicalArrayString(config.access, 'live', 'tokenHash'),
       },
     });
   }
 
+  // delete token hashes
+  delete config.tokens;
+  delete config.access?.preview?.tokenHash;
+  delete config.access?.live?.tokenHash;
+
   if (opts.scope === SCOPE_ADMIN) {
     const adminConfig = {
       ...rso,
@@ -254,6 +281,7 @@ export async function getConfigResponse(ctx, opts) {
       },
     };
     delete adminConfig.public;
+    delete adminConfig.robots;
     return new PipelineResponse(JSON.stringify(adminConfig, null, 2), {
       headers: {
         'content-type': 'application/json',
@@ -281,13 +309,13 @@ export async function getConfigResponse(ctx, opts) {
       repo: config.code.repo,
       ...rso,
       contentBusId: config.content.contentBusId,
-      access: config.access,
       headers: config.headers,
       head: config.head,
       metadata: config.metadata,
       cdn: config.cdn,
       folders: config.folders,
       public: config.public,
+      robots: config.robots,
     };
     return new PipelineResponse(JSON.stringify(pipelineConfig, null, 2), {
       headers: {

package/src/schemas/access-site.schema.json

@@ -15,15 +15,8 @@
   "title": "Site Access Config",
   "type": "object",
   "properties": {
-    "allow": {
-      "description": "The email glob of the users that are allowed.",
-      "type": "array",
-      "items": {
-        "type": "string"
-      }
-    },
     "apiKeyId": {
-      "description": "IDs of the api keys that are allowed.",
+      "description": "IDs of the api keys (tokens) that are allowed.",
       "type": "array",
       "items": {
         "type": "string"

package/src/schemas/profile.schema.json

@@ -46,6 +46,12 @@
     },
     "metadata": {
       "$ref": "https://ns.adobe.com/helix/config/metadata-source"
+    },
+    "robots": {
+      "$ref": "https://ns.adobe.com/helix/config/robots"
+    },
+    "tokens": {
+      "$ref": "https://ns.adobe.com/helix/config/tokens"
     }
   },
   "required": [

package/src/schemas/robots.schema.cjs

@@ -0,0 +1,12 @@
+/*
+ * Copyright 2024 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+module.exports = require('./robots.schema.json');

package/src/schemas/robots.schema.json

@@ -0,0 +1,23 @@
+{
+  "meta:license": [
+    "Copyright 2024 Adobe. All rights reserved.",
+    "This file is licensed to you under the Apache License, Version 2.0 (the \"License\");",
+    "you may not use this file except in compliance with the License. You may obtain a copy",
+    "of the License at http://www.apache.org/licenses/LICENSE-2.0",
+    "",
+    "Unless required by applicable law or agreed to in writing, software distributed under",
+    "the License is distributed on an \"AS IS\" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS",
+    "OF ANY KIND, either express or implied. See the License for the specific language",
+    "governing permissions and limitations under the License."
+  ],
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "$id": "https://ns.adobe.com/helix/config/robots",
+  "type": "object",
+  "title": "robots",
+  "properties": {
+    "txt": {
+      "type": "string"
+    }
+  },
+  "additionalProperties": false
+}

package/src/schemas/site.schema.json

@@ -51,6 +51,12 @@
     },
     "metadata": {
       "$ref": "https://ns.adobe.com/helix/config/metadata-source"
+    },
+    "robots": {
+      "$ref": "https://ns.adobe.com/helix/config/robots"
+    },
+    "tokens": {
+      "$ref": "https://ns.adobe.com/helix/config/tokens"
     }
   },
   "required": [

package/src/schemas/tokens.schema.cjs

@@ -0,0 +1,12 @@
+/*
+ * Copyright 2024 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+module.exports = require('./tokens.schema.json');

package/src/schemas/tokens.schema.json

@@ -0,0 +1,38 @@
+{
+  "meta:license": [
+    "Copyright 2024 Adobe. All rights reserved.",
+    "This file is licensed to you under the Apache License, Version 2.0 (the \"License\");",
+    "you may not use this file except in compliance with the License. You may obtain a copy",
+    "of the License at http://www.apache.org/licenses/LICENSE-2.0",
+    "",
+    "Unless required by applicable law or agreed to in writing, software distributed under",
+    "the License is distributed on an \"AS IS\" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS",
+    "OF ANY KIND, either express or implied. See the License for the specific language",
+    "governing permissions and limitations under the License."
+  ],
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "$id": "https://ns.adobe.com/helix/config/tokens",
+  "title": "tokens",
+  "type": "object",
+  "patternProperties": {
+    "^[a-zA-Z0-9-_=]+$": {
+      "type": "object",
+      "properties": {
+        "id": {
+          "type": "string",
+          "pattern": "^[a-zA-Z0-9-_=]+$"
+        },
+        "hash": {
+          "type": "string",
+          "pattern": "^[a-zA-Z0-9-_=]+$"
+        },
+        "created": {
+          "type": "string",
+          "format": "date-time"
+        }
+      },
+      "additionalProperties": false
+    }
+  },
+  "additionalProperties": false
+}

package/src/storage/config-store.js

@@ -9,9 +9,11 @@
  * OF ANY KIND, either express or implied. See the License for the specific language
  * governing permissions and limitations under the License.
  */
+/* eslint-disable no-param-reassign */
 import { HelixStorage } from './storage.js';
 import { StatusCodeError } from './status-code-error.js';
 import {
+  createToken,
   jsonGet,
   jsonPut,
   updateCodeSource,
@@ -19,26 +21,111 @@ import {
 } from './utils.js';
 import { validate } from './config-validator.js';
 
-const FRAGMENTS = {
-  sites: {
-    content: 'object',
-    code: 'object',
-    folders: 'object',
-    headers: 'object',
-    metadata: 'object',
-    sidekick: 'object',
-    cdn: 'object',
-    'cdn/prod': 'object',
-    'cdn/preview': 'object',
-    'cdn/live': 'object',
-    access: 'object',
-    'access/admin': 'object',
-    'access/preview': 'object',
-    'access/live': 'object',
-    public: 'object',
+const FRAGMENTS_COMMON = {
+  content: 'object',
+  code: 'object',
+  folders: 'object',
+  headers: 'object',
+  metadata: 'object',
+  sidekick: 'object',
+  cdn: {
+    '.': 'object',
+    prod: 'object',
+    preview: 'object',
+    live: 'object',
+  },
+  access: {
+    '.': 'object',
+    admin: 'object',
+    preview: 'object',
+    live: 'object',
+  },
+  public: 'object',
+  robots: 'object',
+  tokens: {
+    '.': 'tokens',
+    '.param': {
+      name: 'id',
+      '.': 'token',
+    },
   },
 };
 
+const FRAGMENTS = {
+  sites: FRAGMENTS_COMMON,
+  profiles: FRAGMENTS_COMMON,
+};
+
+export function getFragmentInfo(type, relPath) {
+  if (!relPath) {
+    return null;
+  }
+  const parts = relPath.split('/');
+  let fragment = FRAGMENTS[type];
+  const info = {
+    relPath,
+  };
+  for (const part of parts) {
+    let next = fragment[part];
+    if (!next) {
+      next = fragment['.param'];
+      if (!next) {
+        throw new StatusCodeError(400, 'invalid object path.');
+      }
+      info[next.name] = part;
+    }
+    fragment = next;
+  }
+  if (typeof fragment === 'string') {
+    info.type = fragment;
+  } else {
+    info.type = fragment['.'];
+  }
+  return info;
+}
+
+/**
+ * Redact / transform the token config
+ * @param token
+ */
+function redactToken(token) {
+  return {
+    id: token.id,
+    created: token.created,
+  };
+}
+
+/**
+ * Redact / transform the tokens config
+ * @param tokens
+ */
+function redactTokens(tokens) {
+  return Object.values(tokens).map(redactToken);
+}
+
+/**
+ * redact information from the config
+ * @param {object} config
+ * @param {object} frag
+ */
+function redact(config, frag) {
+  if (!config) {
+    return config;
+  }
+  let ret = config;
+  if (frag?.type === 'tokens') {
+    ret = redactTokens(config);
+  }
+  if (frag?.type === 'token') {
+    ret = redactToken(config);
+  }
+  if (ret.tokens) {
+    // eslint-disable-next-line no-param-reassign
+    ret.tokens = redactTokens(ret.tokens);
+  }
+  return ret;
+}
+
 /**
  * General purpose config store.
  */
@@ -85,42 +172,54 @@ export class ConfigStore {
       return null;
     }
     let obj = JSON.parse(buf);
-    if (relPath) {
-      const fragment = FRAGMENTS[this.type][relPath];
-      if (!fragment) {
-        throw new StatusCodeError(400, 'invalid object path.');
-      }
-      obj = jsonGet(obj, relPath);
+    const frag = getFragmentInfo(this.type, relPath);
+    if (frag) {
+      obj = jsonGet(obj, frag.relPath);
     }
-    return obj;
+    return redact(obj, frag);
   }
 
   async update(ctx, data, relPath = '') {
     const storage = HelixStorage.fromContext(ctx).configBus();
     const buf = await storage.get(this.key);
     const old = buf ? JSON.parse(buf) : null;
-    if (relPath) {
+    const frag = getFragmentInfo(this.type, relPath);
+    let config = data;
+    let ret = null;
+    if (frag) {
       if (!old) {
         throw new StatusCodeError(404, 'config not found.');
       }
-      const fragment = FRAGMENTS[this.type][relPath];
-      if (!fragment) {
-        throw new StatusCodeError(400, 'invalid object path.');
-      }
       if (relPath === 'code') {
         updateCodeSource(ctx, data);
       } else if (relPath === 'content') {
         updateContentSource(ctx, data);
+      } else if (frag.type === 'token') {
+        // don't allow to update individual token
+        throw new StatusCodeError(400, 'invalid object path.');
+      } else if (frag.type === 'tokens') {
+        // create new token
+        const token = createToken(this.org);
+        data = {
+          ...token,
+        };
+        // don't store token value in the config
+        delete data.value;
+        relPath = `tokens/${token.id}`;
+        frag.type = 'token';
+        ret = token;
+        // don't expose hash in return value
+        delete ret.hash;
       }
-      // eslint-disable-next-line no-param-reassign
-      data = jsonPut(JSON.parse(buf), relPath, data);
+      config = jsonPut(old, relPath, data);
     } else {
-      updateContentSource(ctx, data.content);
-      updateCodeSource(ctx, data.code);
+      updateContentSource(ctx, config.content);
+      updateCodeSource(ctx, config.code);
     }
-    await validate(data, this.type);
-    await storage.put(this.key, JSON.stringify(data), 'application/json');
-    await this.purge(ctx, old, data);
+    await validate(config, this.type);
+    await storage.put(this.key, JSON.stringify(config), 'application/json');
+    await this.purge(ctx, buf ? JSON.parse(buf) : null, config);
+    return ret ?? redact(data, frag);
   }
 
   async remove(ctx, relPath) {
@@ -129,11 +228,8 @@ export class ConfigStore {
     if (!buf) {
       throw new StatusCodeError(404, 'config not found.');
     }
-    if (relPath) {
-      const fragment = FRAGMENTS[this.type][relPath];
-      if (!fragment) {
-        throw new StatusCodeError(400, 'invalid object path.');
-      }
+    const frag = getFragmentInfo(this.type, relPath);
+    if (frag) {
       const data = jsonPut(JSON.parse(buf), relPath, null);
       await validate(data, this.type);
       await storage.put(this.key, JSON.stringify(data), 'application/json');

package/src/storage/config-validator.js

@@ -26,8 +26,10 @@ import markupSchema from '../schemas/content-source-markup.schema.cjs';
 import metadataSchema from '../schemas/metadata-source.schema.cjs';
 import onedriveSchema from '../schemas/content-source-onedrive.schema.cjs';
 import profileSchema from '../schemas/profile.schema.cjs';
+import robotsSchema from '../schemas/robots.schema.cjs';
 import sidekickSchema from '../schemas/sidekick.schema.cjs';
 import siteSchema from '../schemas/site.schema.cjs';
+import tokensSchema from '../schemas/tokens.schema.cjs';
 
 const SCHEMAS = [
   accessSchema,
@@ -43,8 +45,10 @@ const SCHEMAS = [
   metadataSchema,
   onedriveSchema,
   profileSchema,
+  robotsSchema,
   sidekickSchema,
   siteSchema,
+  tokensSchema,
 ];
 
 const SCHEMA_TYPES = {

package/src/storage/utils.js

@@ -111,3 +111,26 @@ export function updateCodeSource(ctx, code) {
   }
   return modified;
 }
+
+/**
+ * Creates a random token and hashes it with the given key
+ * @param {string} key
+ * @returns {object} the token
+ */
+export function createToken(key) {
+  const secret = crypto.randomBytes(32).toString('base64url');
+  const value = `hlx_${secret}`;
+  const hash = crypto
+    .createHmac('sha512', key)
+    .update(value, 'utf-8')
+    .digest()
+    .toString('base64url');
+  const id = crypto.createHash('sha256').update(hash).digest().toString('base64url');
+  const created = new Date().toISOString();
+  return {
+    id,
+    value,
+    hash,
+    created,
+  };
+}

package/types/profile-config.d.ts

@@ -31,6 +31,8 @@ export interface HelixProfileConfig {
   access?: Access;
   sidekick?: SidekickConfig;
   metadata?: Metadata;
+  robots?: Robots;
+  tokens?: Tokens;
 }
 /**
  * Defines the content bus location and source.
@@ -222,11 +224,7 @@ export interface Role {
 }
 export interface SiteAccessConfig {
   /**
-   * The email glob of the users that are allowed.
-   */
-  allow?: string[];
-  /**
-   * IDs of the api keys that are allowed.
+   * IDs of the api keys (tokens) that are allowed.
    */
   apiKeyId?: string[];
   /**
@@ -247,3 +245,17 @@ export interface SidekickPlugin {
 export interface Metadata {
   source?: [] | [string];
 }
+export interface Robots {
+  txt?: string;
+}
+export interface Tokens {
+  /**
+   * This interface was referenced by `Tokens`'s JSON-Schema definition
+   * via the `patternProperty` "^[a-zA-Z0-9-_=]+$".
+   */
+  [k: string]: {
+    id?: string;
+    hash?: string;
+    created?: string;
+  };
+}

package/types/site-config.d.ts

@@ -34,6 +34,8 @@ export interface HelixSiteConfig {
   access?: Access;
   sidekick?: SidekickConfig;
   metadata?: Metadata;
+  robots?: Robots;
+  tokens?: Tokens;
 }
 /**
  * Defines the content bus location and source.
@@ -225,11 +227,7 @@ export interface Role {
 }
 export interface SiteAccessConfig {
   /**
-   * The email glob of the users that are allowed.
-   */
-  allow?: string[];
-  /**
-   * IDs of the api keys that are allowed.
+   * IDs of the api keys (tokens) that are allowed.
    */
   apiKeyId?: string[];
   /**
@@ -250,3 +248,17 @@ export interface SidekickPlugin {
 export interface Metadata {
   source?: [] | [string];
 }
+export interface Robots {
+  txt?: string;
+}
+export interface Tokens {
+  /**
+   * This interface was referenced by `Tokens`'s JSON-Schema definition
+   * via the `patternProperty` "^[a-zA-Z0-9-_=]+$".
+   */
+  [k: string]: {
+    id?: string;
+    hash?: string;
+    created?: string;
+  };
+}