@adobe/helix-config 2.9.0 → 2.10.1

package/.husky/pre-commit

@@ -0,0 +1 @@
+npx lint-staged

package/CHANGELOG.md

@@ -1,3 +1,17 @@
+## [2.10.1](https://github.com/adobe/helix-config/compare/v2.10.0...v2.10.1) (2024-04-26)
+
+
+### Bug Fixes
+
+* consistent return from update ([bce73a1](https://github.com/adobe/helix-config/commit/bce73a1b423397afa751c15bd67ecad164bc05e1))
+
+# [2.10.0](https://github.com/adobe/helix-config/compare/v2.9.0...v2.10.0) (2024-04-26)
+
+
+### Features
+
+* add support to migrate jwt api keys ([#59](https://github.com/adobe/helix-config/issues/59)) ([04adf04](https://github.com/adobe/helix-config/commit/04adf04c975ee38840a56f81aac8a1609959298a))
+
 # [2.9.0](https://github.com/adobe/helix-config/compare/v2.8.0...v2.9.0) (2024-04-25)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adobe/helix-config",
-  "version": "2.9.0",
+  "version": "2.10.1",
   "description": "Helix Config",
   "main": "src/index.js",
   "types": "src/index.d.ts",
@@ -15,7 +15,7 @@
     "docs:types": "node ./test/dev/generate-types.js",
     "semantic-release": "semantic-release",
     "semantic-release-dry": "semantic-release --dry-run --branches $CI_BRANCH",
-    "prepare": "husky install"
+    "prepare": "husky"
   },
   "repository": {
     "type": "git",
@@ -68,6 +68,7 @@
     "@smithy/node-http-handler": "2.5.0",
     "ajv": "8.12.0",
     "ajv-formats": "3.0.1",
+    "jose": "5.2.4",
     "mime": "4.0.1"
   }
 }

package/src/config-view.js

@@ -78,7 +78,11 @@ export function getAccessConfig(config, partition) {
   const cfg = {
     allow: toArray(access[partition]?.allow ?? access.allow),
     apiKeyId,
-    tokenHash: apiKeyId.map((id) => tokens[id]?.hash).filter((hash) => !!hash),
+    tokenHash: apiKeyId
+      // token ids are always stored in base64url format, but legacy apiKeyIds are not
+      .map((jti) => jti.replaceAll('/', '_').replaceAll('+', '-'))
+      .map((id) => tokens[id]?.hash)
+      .filter((hash) => !!hash),
     clientCertDN: toArray(access[partition]?.clientCertDN ?? access.clientCertDN),
   };
   // if an allow is defined but no apiKeyId, create a fake one so that auth is still

package/src/storage/config-store.js

@@ -10,12 +10,14 @@
  * governing permissions and limitations under the License.
  */
 /* eslint-disable no-param-reassign */
+import { isDeepStrictEqual } from 'util';
 import { HelixStorage } from './storage.js';
 import { StatusCodeError } from './status-code-error.js';
 import {
   createToken,
   jsonGet,
   jsonPut,
+  migrateToken,
   updateCodeSource,
   updateContentSource,
 } from './utils.js';
@@ -185,7 +187,15 @@ export class ConfigStore {
     const old = buf ? JSON.parse(buf) : null;
     const frag = getFragmentInfo(this.type, relPath);
     let config = data;
+    // set config to null if empty object
+    if (isDeepStrictEqual(config, {})) {
+      config = null;
+    }
+
     let ret = null;
+    if (!config && frag?.type !== 'tokens') {
+      throw new StatusCodeError(400, 'no config in body.');
+    }
     if (frag) {
       if (!old) {
         throw new StatusCodeError(404, 'config not found.');
@@ -198,14 +208,21 @@ export class ConfigStore {
         // don't allow to update individual token
         throw new StatusCodeError(400, 'invalid object path.');
       } else if (frag.type === 'tokens') {
-        // create new token
-        const token = createToken(this.org);
+        // TODO: remove support after all helix4 projects are migrated
+        let token;
+        if (data.jwt) {
+          token = await migrateToken(this.org, data.jwt);
+        } else {
+          // create new token
+          token = createToken(this.org);
+        }
+
         data = {
           ...token,
         };
         // don't store token value in the config
         delete data.value;
-        relPath = `tokens/${token.id}`;
+        relPath = ['tokens', token.id];
         frag.type = 'token';
         ret = token;
         // don't expose hash in return value

package/src/storage/utils.js

@@ -12,13 +12,15 @@
 /* eslint-disable no-param-reassign */
 import crypto from 'crypto';
 import { GitUrl } from '@adobe/helix-shared-git';
+import { decodeJwt } from 'jose';
+import { StatusCodeError } from './status-code-error.js';
 
 export function jsonGet(obj, path) {
   return path.split('/').reduce((o, p) => o[p], obj);
 }
 
 export function jsonPut(obj, path, value) {
-  const parts = path.split('/');
+  const parts = Array.isArray(path) ? path : path.split('/');
   const last = parts.pop();
   const parent = parts.reduce((o, p) => {
     if (!(p in o)) {
@@ -134,3 +136,37 @@ export function createToken(key) {
     created,
   };
 }
+
+/**
+ * migrates an existing jwt token
+ * @param key
+ * @param jwt
+ * @returns {Promise<object>}
+ */
+export async function migrateToken(key, jwt) {
+  let payload;
+  try {
+    payload = await decodeJwt(jwt);
+  } catch (e) {
+    throw new StatusCodeError(400, `unable to migrate jwt: ${e.message}`);
+  }
+  const { jti } = payload;
+  if (!jti) {
+    throw new StatusCodeError(400, 'unable to migrate jwt: missing jti claim.');
+  }
+  const id = jti
+    .replaceAll('/', '_')
+    .replaceAll('+', '-');
+  const hash = crypto
+    .createHmac('sha512', key)
+    .update(jwt, 'utf-8')
+    .digest()
+    .toString('base64url');
+  const created = new Date().toISOString();
+  return {
+    id,
+    value: jwt,
+    hash,
+    created,
+  };
+}