@adobe/helix-html-pipeline 3.0.0 → 3.0.1

package/CHANGELOG.md

@@ -1,3 +1,10 @@
+## [3.0.1](https://github.com/adobe/helix-html-pipeline/compare/v3.0.0...v3.0.1) (2022-06-14)
+
+
+### Bug Fixes
+
+* handle xfh properly and protect forms and json pipeline ([#83](https://github.com/adobe/helix-html-pipeline/issues/83)) ([9c13419](https://github.com/adobe/helix-html-pipeline/commit/9c1341987549fbc721a7d1bce12fe537a6f8c5ba))
+
 # [3.0.0](https://github.com/adobe/helix-html-pipeline/compare/v2.1.2...v3.0.0) (2022-06-14)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adobe/helix-html-pipeline",
-  "version": "3.0.0",
+  "version": "3.0.1",
   "description": "Helix HTML Pipeline",
   "main": "src/index.js",
   "types": "src/index.d.ts",

package/src/forms-pipe.js

@@ -13,6 +13,7 @@ import { cleanupHeaderValue } from '@adobe/helix-shared-utils';
 import { PipelineResponse } from './PipelineResponse.js';
 import fetchConfigAll from './steps/fetch-config-all.js';
 import setCustomResponseHeaders from './steps/set-custom-response-headers.js';
+import { authenticate } from './steps/authenticate.js';
 
 function error(log, msg, status, response) {
   log.error(msg);
@@ -96,6 +97,10 @@ export async function formsPipe(state, request) {
     },
   });
   await fetchConfigAll(state, request, response);
+  await authenticate(state, request, response);
+  if (response.error) {
+    return response;
+  }
   await setCustomResponseHeaders(state, request, response);
 
   const {

package/src/json-pipe.js

@@ -14,6 +14,7 @@ import setCustomResponseHeaders from './steps/set-custom-response-headers.js';
 import { PipelineResponse } from './PipelineResponse.js';
 import jsonFilter from './utils/json-filter.js';
 import { extractLastModified, updateLastModified } from './utils/last-modified.js';
+import { authenticate } from './steps/authenticate.js';
 
 /**
  * Runs the default pipeline and returns the response.
@@ -80,6 +81,7 @@ export async function jsonPipe(state, req) {
 
   // Load config-all and set response headers
   await fetchConfigAll(state, req, response);
+  await authenticate(state, req, response);
   await setCustomResponseHeaders(state, req, response);
 
   return response;

package/src/steps/authenticate.js

@@ -37,7 +37,7 @@ export function isAllowed(email = '', allows = []) {
  */
 export async function authenticate(state, req, res) {
   // get auth info
-  const authInfo = await getAuthInfo(state, req, res);
+  const authInfo = await getAuthInfo(state, req);
 
   // check if `.auth` route to validate and exchange token
   if (state.info.path === '/.auth') {
@@ -52,12 +52,17 @@ export async function authenticate(state, req, res) {
 
   // if not authenticated, redirect to login screen
   if (!authInfo.authenticated) {
+    // send 401 for plain requests
+    if (state.info.selector || state.type !== 'html') {
+      state.log.warn('[auth] unauthorized. redirect to login only for extension less html.');
+      res.status = 401;
+      res.error = 'unauthorized.';
+      return;
+    }
     authInfo.redirectToLogin(state, req, res);
     return;
   }
 
-  // console.log(authInfo.profile);
-
   // check profile is allowed
   const { allow } = state.config.access;
   const allows = Array.isArray(allow) ? allow : [allow];

package/src/utils/auth.js

@@ -150,7 +150,19 @@ export class AuthInfo {
 
     // determine the location of 'this' document based on the xfh header. so that logins to
     // .page stay on .page. etc. but fallback to the config.host if non set
-    const host = req.headers.get('x-forwarded-host') || state.config.host;
+    let host = req.headers.get('x-forwarded-host');
+    if (host) {
+      host = host.split(',')[0].trim();
+    }
+    if (!host) {
+      host = state.config.host;
+    }
+    if (!host) {
+      log.error('[auth] unable to create login redirect: no xfh or config.host.');
+      res.status = 401;
+      res.error = 'no host information.';
+      return;
+    }
 
     const url = new URL(idp.discovery.authorization_endpoint);