@adobe/helix-html-pipeline 2.1.2 → 3.0.2

package/CHANGELOG.md

@@ -1,3 +1,29 @@
+## [3.0.2](https://github.com/adobe/helix-html-pipeline/compare/v3.0.1...v3.0.2) (2022-06-16)
+
+
+### Bug Fixes
+
+* make crypto.randomUUID() portable ([d40ba5a](https://github.com/adobe/helix-html-pipeline/commit/d40ba5ab67c764726d923061d4844e5adb162c86))
+
+## [3.0.1](https://github.com/adobe/helix-html-pipeline/compare/v3.0.0...v3.0.1) (2022-06-14)
+
+
+### Bug Fixes
+
+* handle xfh properly and protect forms and json pipeline ([#83](https://github.com/adobe/helix-html-pipeline/issues/83)) ([9c13419](https://github.com/adobe/helix-html-pipeline/commit/9c1341987549fbc721a7d1bce12fe537a6f8c5ba))
+
+# [3.0.0](https://github.com/adobe/helix-html-pipeline/compare/v2.1.2...v3.0.0) (2022-06-14)
+
+
+### Features
+
+* add site access control ([#80](https://github.com/adobe/helix-html-pipeline/issues/80)) ([2109d90](https://github.com/adobe/helix-html-pipeline/commit/2109d90a932b75a9de6996da2854d349613541b9))
+
+
+### BREAKING CHANGES
+
+* PipelineState now need to implement fetch() and createExternalLocation()
+
 ## [2.1.2](https://github.com/adobe/helix-html-pipeline/compare/v2.1.1...v2.1.2) (2022-06-04)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adobe/helix-html-pipeline",
-  "version": "2.1.2",
+  "version": "3.0.2",
   "description": "Helix HTML Pipeline",
   "main": "src/index.js",
   "types": "src/index.d.ts",
@@ -35,12 +35,14 @@
   "dependencies": {
     "@adobe/helix-markdown-support": "3.1.6",
     "@adobe/helix-shared-utils": "2.0.11",
+    "cookie": "0.5.0",
     "github-slugger": "1.4.0",
     "hast-util-raw": "7.2.1",
     "hast-util-select": "5.0.2",
     "hast-util-to-html": "8.0.3",
     "hast-util-to-string": "2.0.0",
     "hastscript": "7.0.2",
+    "jose": "4.8.1",
     "mdast-util-gfm-footnote": "1.0.1",
     "mdast-util-gfm-strikethrough": "1.0.1",
     "mdast-util-gfm-table": "1.0.4",
@@ -82,11 +84,11 @@
     "jsdoc-to-markdown": "7.1.1",
     "jsdom": "19.0.0",
     "junit-report-builder": "3.0.0",
-    "lint-staged": "12.5.0",
+    "lint-staged": "13.0.1",
     "mocha": "10.0.0",
     "mocha-multi-reporters": "1.5.1",
     "remark-gfm": "3.0.1",
-    "semantic-release": "19.0.2"
+    "semantic-release": "19.0.3"
   },
   "lint-staged": {
     "*.js": "eslint",

package/src/PipelineRequest.d.ts

@@ -23,4 +23,5 @@ declare class PipelineRequest {
   method: string;
   headers: Map<string, string>;
   body: string;
+  params: object;
 }

package/src/PipelineRequest.js

@@ -15,6 +15,31 @@
  * @class PipelineRequest
  */
 export class PipelineRequest {
+  /**
+   * request url
+   */
+  url;
+
+  /**
+   * uppercase request method
+   */
+  method;
+
+  /**
+   * request body
+   */
+  body;
+
+  /**
+   * request headers
+   */
+  headers;
+
+  /**
+   * request params;
+   */
+  params;
+
   /**
    * Creates the pipeline request
    * @param {URL|string} url
@@ -25,12 +50,12 @@ export class PipelineRequest {
     if (typeof headers.get !== 'function') {
       headers = new Map(Object.entries(init.headers));
     }
-
     Object.assign(this, {
       url: url instanceof URL ? url : new URL(url),
       method: init.method ?? 'GET',
       body: init.body,
       headers,
     });
+    this.params = Object.fromEntries(this.url.searchParams.entries());
   }
 }

package/src/PipelineState.d.ts

@@ -19,9 +19,16 @@ declare enum PipelineType {
   form = 'form',
 }
 
+type Fetch = (url: string|Request, options?: RequestOptions) => Promise<Response>;
+
+declare interface AccessConfig {
+  allow:(string|string[]);
+}
+
 declare interface HelixConfigAll {
   host:string;
   routes:RegExp[];
+  access?:AccessConfig;
   [string]:any;
 }
 
@@ -29,6 +36,7 @@ declare interface PipelineOptions {
   log: Console;
   s3Loader: S3Loader;
   messageDispatcher: FormsMessageDispatcher;
+  fetch: Fetch;
   owner: string;
   repo: string;
   ref: string;
@@ -46,6 +54,13 @@ declare class PipelineState {
   contentBusId: string;
   s3Loader: S3Loader;
   messageDispatcher: FormsMessageDispatcher;
+  fetch: Fetch;
+
+  /**
+   * Returns the external link representation for authentication related redirects and cookies.
+   * This is only used for local testing and is an identity operation in production.
+   */
+  createExternalLocation(value:string): string;
 
   /**
    * Content bus partition
@@ -98,5 +113,10 @@ declare class PipelineState {
    * pipeline type. 'html', 'json', 'forms'
    */
   type: PipelineType;
+
+  /**
+   * Authentication information
+   */
+  authInfo?: AuthInfo;
 }
 

package/src/PipelineState.js

@@ -40,8 +40,15 @@ export class PipelineState {
       config: {},
       s3Loader: opts.s3Loader,
       messageDispatcher: opts.messageDispatcher,
+      fetch: opts.fetch,
       timer: opts.timer,
       type: 'html',
+      authInfo: undefined,
     });
   }
+
+  // eslint-disable-next-line class-methods-use-this
+  createExternalLocation(value) {
+    return value;
+  }
 }

package/src/forms-pipe.js

@@ -13,6 +13,7 @@ import { cleanupHeaderValue } from '@adobe/helix-shared-utils';
 import { PipelineResponse } from './PipelineResponse.js';
 import fetchConfigAll from './steps/fetch-config-all.js';
 import setCustomResponseHeaders from './steps/set-custom-response-headers.js';
+import { authenticate } from './steps/authenticate.js';
 
 function error(log, msg, status, response) {
   log.error(msg);
@@ -96,6 +97,10 @@ export async function formsPipe(state, request) {
     },
   });
   await fetchConfigAll(state, request, response);
+  await authenticate(state, request, response);
+  if (response.error) {
+    return response;
+  }
   await setCustomResponseHeaders(state, request, response);
 
   const {

package/src/html-pipe.js

@@ -10,6 +10,7 @@
  * governing permissions and limitations under the License.
  */
 import { cleanupHeaderValue } from '@adobe/helix-shared-utils';
+import { authenticate } from './steps/authenticate.js';
 import addHeadingIds from './steps/add-heading-ids.js';
 import createPageBlocks from './steps/create-page-blocks.js';
 import createPictures from './steps/create-pictures.js';
@@ -35,6 +36,7 @@ import tohtml from './steps/stringify-response.js';
 import { PipelineStatusError } from './PipelineStatusError.js';
 import { PipelineResponse } from './PipelineResponse.js';
 import { validatePathInfo } from './utils/path.js';
+import { initAuthRoute } from './utils/auth.js';
 
 /**
  * Runs the default pipeline and returns the response.
@@ -62,6 +64,19 @@ export async function htmlPipe(state, req) {
     },
   });
 
+  // check if .auth request
+  if (state.partition === '.auth' || state.info.path === '/.auth') {
+    if (!initAuthRoute(state, req, res)) {
+      return res;
+    }
+  }
+
+  if (!state.contentBusId) {
+    res.status = 400;
+    res.headers.set('x-error', 'contentBusId missing');
+    return res;
+  }
+
   try { // fetch config first, since we need to compute the content-bus-id from the fstab ...
     state.timer?.update('config-fetch');
     await fetchConfig(state, req, res);
@@ -76,9 +91,12 @@ export async function htmlPipe(state, req) {
       fetchContent(state, req, res),
     ]);
 
+    await authenticate(state, req, res);
+
     if (res.error) {
       // if content loading produced an error, we're done.
-      log.error(`error running pipeline: ${res.status} ${res.error}`);
+      const level = res.status >= 500 ? 'error' : 'info';
+      log[level](`pipeline status: ${res.status} ${res.error}`);
       res.headers.set('x-error', cleanupHeaderValue(res.error));
       return res;
     }
@@ -116,7 +134,9 @@ export async function htmlPipe(state, req) {
     } else {
       res.status = 500;
     }
-    log.error(`error running pipeline: ${res.status} ${res.error}`, e);
+
+    const level = res.status >= 500 ? 'error' : 'info';
+    log[level](`pipeline status: ${res.status} ${res.error}`, e);
     res.headers.set('x-error', cleanupHeaderValue(res.error));
 
     // turn any URL errors into a 400, since they are user input

package/src/json-pipe.js

@@ -14,6 +14,7 @@ import setCustomResponseHeaders from './steps/set-custom-response-headers.js';
 import { PipelineResponse } from './PipelineResponse.js';
 import jsonFilter from './utils/json-filter.js';
 import { extractLastModified, updateLastModified } from './utils/last-modified.js';
+import { authenticate } from './steps/authenticate.js';
 
 /**
  * Runs the default pipeline and returns the response.
@@ -80,6 +81,7 @@ export async function jsonPipe(state, req) {
 
   // Load config-all and set response headers
   await fetchConfigAll(state, req, response);
+  await authenticate(state, req, response);
   await setCustomResponseHeaders(state, req, response);
 
   return response;

package/src/steps/authenticate.js

@@ -0,0 +1,83 @@
+/*
+ * Copyright 2022 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+import { getAuthInfo } from '../utils/auth.js';
+
+/**
+ * Checks if the given email is allowed.
+ * @param {string} email
+ * @param {string[]} allows
+ * @returns {boolean}
+ */
+export function isAllowed(email = '', allows = []) {
+  /** @type string[] */
+  const [, domain] = email.split('@');
+  if (!domain) {
+    return false;
+  }
+  const wild = `*@${domain}`;
+  return allows.findIndex((a) => a === email || a === wild) >= 0;
+}
+
+/**
+ * Handles authentication
+ * @type PipelineStep
+ * @param {PipelineState} state
+ * @param {PipelineRequest} req
+ * @param {PipelineResponse} res
+ * @returns {Promise<void>}
+ */
+export async function authenticate(state, req, res) {
+  // get auth info
+  const authInfo = await getAuthInfo(state, req);
+
+  // check if `.auth` route to validate and exchange token
+  if (state.info.path === '/.auth') {
+    await authInfo.exchangeToken(state, req, res);
+    return;
+  }
+
+  // if not protected, do nothing
+  if (!state.config?.access?.allow) {
+    return;
+  }
+
+  // if not authenticated, redirect to login screen
+  if (!authInfo.authenticated) {
+    // send 401 for plain requests
+    if (state.info.selector || state.type !== 'html') {
+      state.log.warn('[auth] unauthorized. redirect to login only for extension less html.');
+      res.status = 401;
+      res.error = 'unauthorized.';
+      return;
+    }
+    authInfo.redirectToLogin(state, req, res);
+    return;
+  }
+
+  // check profile is allowed
+  const { allow } = state.config.access;
+  const allows = Array.isArray(allow) ? allow : [allow];
+  if (!isAllowed(authInfo.profile.email || authInfo.profile.preferred_username, allows)) {
+    state.log.warn(`[auth] profile not allowed for ${allows}`);
+    res.status = 403;
+    res.error = 'forbidden.';
+  }
+
+  // set some response headers
+  res.headers.set('x-hlx-auth-allow', allows.join(','));
+  if (authInfo.profile) {
+    res.headers.set('x-hlx-auth-iss', authInfo.profile.iss);
+    res.headers.set('x-hlx-auth-kid', authInfo.profile.kid);
+    res.headers.set('x-hlx-auth-aud', authInfo.profile.aud);
+    res.headers.set('x-hlx-auth-jwk', JSON.stringify(authInfo.profile.jwk));
+  }
+}

package/src/steps/fetch-content.js

@@ -23,6 +23,9 @@ export default async function fetchContent(state, req, res) {
   const {
     log, contentBusId, info, partition, owner, repo, ref,
   } = state;
+  if (info.resourcePath === '/.auth') {
+    return;
+  }
 
   const isCode = state.content.sourceBus === 'code';
   const key = isCode

package/src/utils/auth-cookie.js

@@ -0,0 +1,41 @@
+/*
+ * Copyright 2022 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+import { parse, serialize } from 'cookie';
+
+export function clearAuthCookie() {
+  return serialize('hlx-auth-token', '', {
+    path: '/',
+    httpOnly: true,
+    secure: true,
+    expires: new Date(0),
+    sameSite: 'lax',
+  });
+}
+
+export function setAuthCookie(idToken) {
+  return serialize('hlx-auth-token', idToken, {
+    path: '/',
+    httpOnly: true,
+    secure: true,
+    sameSite: 'lax',
+  });
+}
+
+export function getAuthCookie(req) {
+  // add cookies if not already present
+  if (!req.cookies) {
+    const hdr = req.headers.get('cookie');
+    // eslint-disable-next-line no-param-reassign
+    req.cookies = hdr ? parse(hdr) : {};
+  }
+  return req.cookies['hlx-auth-token'] || '';
+}

package/src/utils/auth.d.ts

@@ -0,0 +1,81 @@
+/*
+ * Copyright 2022 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+
+
+import {AdminContext} from "../index";
+
+/**
+ * Path Info
+ */
+export declare interface AccessDeniedError extends Error {}
+
+export declare interface OAuthClientConfig {
+  clientID: string;
+  clientSecret: string;
+}
+
+export declare interface IDPConfig {
+  name:string;
+  scope:string;
+  mountType:string;
+  client(state: PipelineState):OAuthClientConfig;
+  validateIssuer?(issuer: string): boolean;
+  discoveryUrl:string;
+  loginPrompt:string;
+  discovery:any;
+  routes:AuthRoutes;
+}
+
+export declare interface UserProfile {
+  email:string;
+  // hlx_hash:string;
+  // picture:string;
+  iss:string;
+}
+
+export declare class AuthInfo {
+  /**
+   * Flag indicating of the request is authenticated
+   */
+  authenticated:boolean;
+
+  profile?:UserProfile;
+
+  expired?:boolean;
+
+  loginHint?:string;
+
+  idp?:IDPConfig;
+
+  /**
+   * Flag indicating that the auth cookie is invalid.
+   */
+  cookieInvalid?:boolean;
+
+  /**
+   * Sets a redirect (302) response to the IDPs login endpoint
+   *
+   * @param {PipelineState} state
+   * @param {PipelineRequest} req
+   * @param {PipelineResponse} res
+   */
+  redirectToLogin(state, req, res);
+
+  /**
+   * Performs a token exchange from the code flow and redirects to the root page
+   *
+   * @param {PipelineState} state
+   * @param {PipelineRequest} req
+   * @param {PipelineResponse} res
+   */
+  async exchangeToken(state, req, res);
+}

package/src/utils/auth.js

@@ -0,0 +1,400 @@
+/*
+ * Copyright 2022 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+// eslint-disable-next-line max-classes-per-file
+import {
+  createLocalJWKSet, createRemoteJWKSet, decodeJwt, jwtVerify, UnsecuredJWT,
+} from 'jose';
+import { clearAuthCookie, getAuthCookie, setAuthCookie } from './auth-cookie.js';
+
+import idpMicrosoft from './idp-configs/microsoft.js';
+
+let cryptoImpl;
+import('crypto')
+  .then((crypto) => {
+    cryptoImpl = crypto;
+  })
+  /* c8 ignore next 3 */
+  .catch(() => {
+    // eslint-disable-next-line no-undef
+    cryptoImpl = crypto;
+  });
+
+export const IDPS = [
+  idpMicrosoft,
+];
+
+const AUTH_REDIRECT_URL = 'https://login.hlx.page/.auth';
+
+export class AccessDeniedError extends Error {
+}
+
+/**
+ * Decodes the given id_token for the given idp. if `lenient` is `true`, the clock tolerance
+ * is set to 1 week. this allows to extract some profile information that can be used as login_hint.
+ * @param {PipelineState} state
+ * @param {IDPConfig} idp
+ * @param {string} idToken
+ * @param {boolean} lenient
+ * @returns {Promise<JWTPayload>}
+ */
+export async function decodeIdToken(state, idp, idToken, lenient = false) {
+  const { log } = state;
+  const jwks = idp.discovery.jwks
+    ? createLocalJWKSet(idp.discovery.jwks)
+    : /* c8 ignore next */ createRemoteJWKSet(new URL(idp.discovery.jwks_uri));
+
+  const { payload, key, protectedHeader } = await jwtVerify(idToken, jwks, {
+    audience: idp.client(state).clientId,
+    clockTolerance: lenient ? 7 * 24 * 60 * 60 : 0,
+  });
+
+  // delete from information not needed in the profile
+  ['azp', 'sub', 'at_hash', 'nonce', 'aio', 'c_hash'].forEach((prop) => delete payload[prop]);
+
+  // compute ttl
+  payload.ttl = payload.exp - Math.floor(Date.now() / 1000);
+
+  // export the public key
+  payload.jwk = key.export({
+    type: 'pkcs1',
+    format: 'jwk',
+  });
+  payload.kid = protectedHeader.kid;
+
+  log.info(`[auth] decoded id_token${lenient ? ' (lenient)' : ''} from ${payload.iss} and validated payload.`);
+  return payload;
+}
+
+/**
+ * AuthInfo class
+ */
+export class AuthInfo {
+  /**
+   * AuthInfo constructor
+   * @constructor
+   */
+  constructor() {
+    Object.assign(this, {
+      authenticated: false,
+      idp: null,
+      profile: null,
+      loginHint: null,
+      expired: false,
+      idToken: null,
+      cookieInvalid: false,
+    });
+  }
+
+  /**
+   * Creates the default AuthInfo that is not authenticated.
+   * @returns {AuthInfo}
+   */
+  static Default() {
+    return new AuthInfo()
+      .withAuthenticated(false);
+  }
+
+  withAuthenticated(value) {
+    this.authenticated = value;
+    return this;
+  }
+
+  withProfile(profile) {
+    this.profile = profile;
+    return this;
+  }
+
+  withLoginHint(value) {
+    this.loginHint = value;
+    return this;
+  }
+
+  withIdp(value) {
+    this.idp = value;
+    return this;
+  }
+
+  withExpired(value) {
+    this.expired = value;
+    return this;
+  }
+
+  withCookieInvalid(value) {
+    this.cookieInvalid = value;
+    return this;
+  }
+
+  withIdToken(value) {
+    this.idToken = value;
+    return this;
+  }
+
+  /**
+   * Sets a redirect (302) response to the IDPs login endpoint
+   *
+   * @param {PipelineState} state
+   * @param {PipelineRequest} req
+   * @param {PipelineResponse} res
+   * @param {IDPConfig} idp IDP config
+   */
+  redirectToLogin(state, req, res) {
+    const { log } = state;
+    const { idp } = this;
+
+    const { clientId, clientSecret } = idp.client(state);
+    if (!clientId || !clientSecret) {
+      log.error('[auth] unable to create login redirect: missing client_id or client_secret');
+      res.status = 500;
+      res.error = 'invalid auth config.';
+      return;
+    }
+
+    // determine the location of 'this' document based on the xfh header. so that logins to
+    // .page stay on .page. etc. but fallback to the config.host if non set
+    let host = req.headers.get('x-forwarded-host');
+    if (host) {
+      host = host.split(',')[0].trim();
+    }
+    if (!host) {
+      host = state.config.host;
+    }
+    if (!host) {
+      log.error('[auth] unable to create login redirect: no xfh or config.host.');
+      res.status = 401;
+      res.error = 'no host information.';
+      return;
+    }
+
+    const url = new URL(idp.discovery.authorization_endpoint);
+
+    // todo: properly sign to avoid CSRF
+    const tokenState = new UnsecuredJWT({
+      owner: state.owner,
+      repo: state.repo,
+      contentBusId: state.contentBusId,
+      // this is our own login redirect, i.e. the current document
+      requestPath: state.info.path,
+      requestHost: host,
+    }).encode();
+
+    url.searchParams.append('client_id', clientId);
+    url.searchParams.append('response_type', 'code');
+    url.searchParams.append('scope', idp.scope);
+    url.searchParams.append('nonce', cryptoImpl.randomUUID());
+    url.searchParams.append('state', tokenState);
+    url.searchParams.append('redirect_uri', state.createExternalLocation(AUTH_REDIRECT_URL));
+    url.searchParams.append('prompt', 'select_account');
+
+    log.info('[auth] redirecting to login page', url.href);
+    res.status = 302;
+    res.body = '';
+    res.headers.set('location', url.href);
+    res.headers.set('set-cookie', clearAuthCookie());
+    res.headers.set('cache-control', 'no-store, private, must-revalidate');
+    res.error = 'moved';
+  }
+
+  /**
+   * Performs a token exchange from the code flow and redirects to the root page
+   *
+   * @param {PipelineState} state
+   * @param {PipelineRequest} req
+   * @param {PipelineResponse} res
+   */
+  async exchangeToken(state, req, res) {
+    const { log } = state;
+    const { idp } = this;
+
+    const { code } = req.params;
+    if (!code) {
+      log.warn('[auth] code exchange failed: code parameter missing.');
+      res.status = 401;
+      res.error = 'code exchange failed.';
+      return;
+    }
+
+    // ensure that the request is made to the target host
+    if (req.params.state?.requestHost) {
+      const host = req.headers.get('x-forwarded-host') || state.config.host;
+      if (host !== req.params.state.requestHost) {
+        const url = new URL(`https://${req.params.state.requestHost}/.auth`);
+        url.searchParams.append('state', req.params.rawState);
+        url.searchParams.append('code', req.params.code);
+        const location = state.createExternalLocation(url.href);
+        log.info('[auth] redirecting to initial host', location);
+        res.status = 302;
+        res.body = `please go to <a href="${location}">${location}</a>`;
+        res.headers.set('location', location);
+        res.headers.set('cache-control', 'no-store, private, must-revalidate');
+        res.error = 'moved';
+        return;
+      }
+    }
+
+    const { clientId, clientSecret } = idp.client(state);
+    const url = new URL(idp.discovery.token_endpoint);
+    const body = {
+      client_id: clientId,
+      client_secret: clientSecret,
+      code,
+      grant_type: 'authorization_code',
+      redirect_uri: state.createExternalLocation(AUTH_REDIRECT_URL),
+    };
+    const ret = await state.fetch(url.href, {
+      method: 'POST',
+      body: new URLSearchParams(body).toString(),
+      headers: {
+        'content-type': 'application/x-www-form-urlencoded',
+      },
+    });
+    if (!ret.ok) {
+      log.warn(`[auth] code exchange failed: ${ret.status}`, await ret.text());
+      res.status = 401;
+      res.error = 'code exchange failed.';
+      return;
+    }
+
+    const tokenResponse = await ret.json();
+    const { id_token: idToken } = tokenResponse;
+    try {
+      await decodeIdToken(state, idp, idToken);
+    } catch (e) {
+      log.warn(`[auth] id token from ${idp.name} is invalid: ${e.message}`);
+      res.status = 401;
+      res.error = 'id token invalid.';
+      return;
+    }
+
+    // ensure that auth cookie is not cleared again in `index.js`
+    // ctx.attributes.authInfo?.withCookieInvalid(false);
+
+    const location = state.createExternalLocation(req.params.state.requestPath || '/');
+    log.info('[auth] redirecting to home page with id_token cookie', location);
+    res.status = 302;
+    res.body = `please go to <a href="${location}">${location}</a>`;
+    res.headers.set('location', location);
+    res.headers.set('content-tye', 'text/plain');
+    res.headers.set('set-cookie', setAuthCookie(idToken));
+    res.headers.set('cache-control', 'no-store, private, must-revalidate');
+    res.error = 'moved';
+  }
+}
+
+export function initAuthRoute(state, req, res) {
+  const { log } = state;
+
+  // use request headers if present
+  if (req.headers.get('x-hlx-auth-state')) {
+    log.info('[auth] override params.state from header.');
+    req.params.state = req.headers.get('x-hlx-auth-state');
+  }
+  if (req.headers.get('x-hlx-auth-code')) {
+    log.info('[auth] override params.code from header.');
+    req.params.code = req.headers.get('x-hlx-auth-code');
+  }
+
+  if (!req.params.state) {
+    log.warn('[auth] unable to exchange token: no state.');
+    res.status = 401;
+    res.headers.set('x-error', 'missing state parameter.');
+    return false;
+  }
+
+  try {
+    req.params.rawState = req.params.state;
+    req.params.state = decodeJwt(req.params.state);
+  } catch (e) {
+    log.warn(`[auth] error decoding state parameter: invalid state: ${e.message}`);
+    res.status = 401;
+    res.headers.set('x-error', 'missing state parameter.');
+    return false;
+  }
+
+  // fixup pipeline state
+  state.owner = req.params.state.owner;
+  state.repo = req.params.state.repo;
+  state.ref = 'main';
+  state.contentBusId = req.params.state.contentBusId;
+  state.partition = 'preview';
+  state.info.path = '/.auth';
+  return true;
+}
+
+/**
+ * Extracts the authentication info from the cookie. Returns {@code null} if missing or invalid.
+ *
+ * @param {PipelineState} state
+ * @param {PipelineRequest} req
+ * @returns {Promise<AuthInfo>} the authentication info or null if the request is not authenticated
+ */
+async function getAuthInfoFromCookie(state, req) {
+  const { log } = state;
+  const idToken = getAuthCookie(req);
+  if (idToken) {
+    let idp;
+    try {
+      const { iss } = decodeJwt(idToken);
+      if (!iss) {
+        log.warn('[auth] missing \'iss\' claim in id_token.');
+        return AuthInfo.Default().withCookieInvalid(true);
+      }
+      idp = IDPS.find((i) => i.validateIssuer(iss));
+      if (!idp) {
+        log.warn(`[auth] no IDP found for: ${iss}`);
+        return AuthInfo.Default().withCookieInvalid(true);
+      }
+      return AuthInfo.Default()
+        .withProfile(await decodeIdToken(state, idp, idToken))
+        .withAuthenticated(true)
+        .withIdp(idp)
+        .withIdToken(idToken);
+    } catch (e) {
+      if (e.code === 'ERR_JWT_EXPIRED' && idp) {
+        try {
+          const profile = await decodeIdToken(state, idp, idToken, true);
+          log.warn(`[auth] decoding the id_token failed: ${e.message}, using expired token as hint.`);
+          return AuthInfo.Default()
+            .withExpired(true)
+            .withIdp(idp)
+            .withLoginHint(profile.email);
+        } catch {
+          // ignore
+        }
+      }
+      // wrong token
+      log.warn(`[auth] decoding the id_token failed: ${e.message}.`);
+      return AuthInfo.Default().withCookieInvalid(true);
+    }
+  }
+  return null;
+}
+
+/**
+ * Computes the authentication info.
+ * @param {PipelineState} state
+ * @param {PipelineRequest} req
+ * @returns {Promise<AuthInfo>} the authentication info or null if the request is not authenticated
+ */
+export async function getAuthInfo(state, req) {
+  const { log } = state;
+  const auth = await getAuthInfoFromCookie(state, req);
+  if (auth) {
+    if (auth.authenticated) {
+      log.info(`[auth] id-token valid: iss=${auth.profile.iss}`);
+    }
+    return auth;
+  }
+  return AuthInfo
+    .Default()
+    // todo: select idp from config
+    .withIdp(idpMicrosoft);
+}

package/src/utils/idp-configs/microsoft.js

@@ -0,0 +1,35 @@
+/*
+ * Copyright 2022 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+export default {
+  name: 'microsoft',
+  mountType: 'onedrive',
+  client: () => ({
+    clientId: process.env.HLX_SITE_APP_AZURE_CLIENT_ID,
+    clientSecret: process.env.HLX_SITE_APP_AZURE_CLIENT_SECRET,
+  }),
+  scope: 'openid profile email',
+  validateIssuer: (iss) => iss.startsWith('https://login.microsoftonline.com/'),
+  discoveryUrl: 'https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration',
+  // todo: fetch from discovery document
+  discovery: {
+    issuer: 'https://login.microsoftonline.com/{tenantid}/v2.0',
+    request_uri_parameter_supported: false,
+    token_endpoint: 'https://login.microsoftonline.com/common/oauth2/v2.0/token',
+    userinfo_endpoint: 'https://graph.microsoft.com/oidc/userinfo',
+    authorization_endpoint: 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize',
+    device_authorization_endpoint: 'https://login.microsoftonline.com/common/oauth2/v2.0/devicecode',
+    http_logout_supported: true,
+    frontchannel_logout_supported: true,
+    end_session_endpoint: 'https://login.microsoftonline.com/common/oauth2/v2.0/logout',
+    jwks_uri: 'https://login.microsoftonline.com/common/discovery/v2.0/keys',
+  },
+};