@adobe/helix-html-pipeline 3.0.0 → 3.1.0

package/CHANGELOG.md

@@ -1,3 +1,24 @@
+# [3.1.0](https://github.com/adobe/helix-html-pipeline/compare/v3.0.2...v3.1.0) (2022-06-24)
+
+
+### Features
+
+* improve authentication implementation ([#90](https://github.com/adobe/helix-html-pipeline/issues/90)) ([def347c](https://github.com/adobe/helix-html-pipeline/commit/def347cd0d4860d2804d71be6b702a6be30d6095)), closes [#85](https://github.com/adobe/helix-html-pipeline/issues/85)
+
+## [3.0.2](https://github.com/adobe/helix-html-pipeline/compare/v3.0.1...v3.0.2) (2022-06-16)
+
+
+### Bug Fixes
+
+* make crypto.randomUUID() portable ([d40ba5a](https://github.com/adobe/helix-html-pipeline/commit/d40ba5ab67c764726d923061d4844e5adb162c86))
+
+## [3.0.1](https://github.com/adobe/helix-html-pipeline/compare/v3.0.0...v3.0.1) (2022-06-14)
+
+
+### Bug Fixes
+
+* handle xfh properly and protect forms and json pipeline ([#83](https://github.com/adobe/helix-html-pipeline/issues/83)) ([9c13419](https://github.com/adobe/helix-html-pipeline/commit/9c1341987549fbc721a7d1bce12fe537a6f8c5ba))
+
 # [3.0.0](https://github.com/adobe/helix-html-pipeline/compare/v2.1.2...v3.0.0) (2022-06-14)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adobe/helix-html-pipeline",
-  "version": "3.0.0",
+  "version": "3.1.0",
   "description": "Helix HTML Pipeline",
   "main": "src/index.js",
   "types": "src/index.d.ts",
@@ -75,16 +75,16 @@
     "@semantic-release/git": "10.0.1",
     "@semantic-release/npm": "9.0.1",
     "c8": "7.11.3",
-    "eslint": "8.17.0",
+    "eslint": "8.18.0",
     "eslint-plugin-header": "3.1.1",
     "eslint-plugin-import": "2.26.0",
     "esmock": "1.7.5",
     "husky": "8.0.1",
     "js-yaml": "4.1.0",
     "jsdoc-to-markdown": "7.1.1",
-    "jsdom": "19.0.0",
+    "jsdom": "20.0.0",
     "junit-report-builder": "3.0.0",
-    "lint-staged": "13.0.1",
+    "lint-staged": "13.0.2",
     "mocha": "10.0.0",
     "mocha-multi-reporters": "1.5.1",
     "remark-gfm": "3.0.1",

package/src/PipelineState.d.ts

@@ -44,11 +44,13 @@ declare interface PipelineOptions {
   path: string;
   contentBusId: string;
   timer: PipelineTimer;
+  env: object;
 }
 
 declare class PipelineState {
   constructor(opts: PipelineOptions);
   log: Console;
+  env: object;
   info: PathInfo;
   content: PipelineContent;
   contentBusId: string;

package/src/PipelineState.js

@@ -26,6 +26,7 @@ export class PipelineState {
   constructor(opts) {
     Object.assign(this, {
       log: opts.log ?? console,
+      env: opts.env,
       info: getPathInfo(opts.path),
       content: new PipelineContent(),
       // todo: compute content-bus id from fstab

package/src/forms-pipe.js

@@ -13,6 +13,7 @@ import { cleanupHeaderValue } from '@adobe/helix-shared-utils';
 import { PipelineResponse } from './PipelineResponse.js';
 import fetchConfigAll from './steps/fetch-config-all.js';
 import setCustomResponseHeaders from './steps/set-custom-response-headers.js';
+import { authenticate } from './steps/authenticate.js';
 
 function error(log, msg, status, response) {
   log.error(msg);
@@ -96,6 +97,10 @@ export async function formsPipe(state, request) {
     },
   });
   await fetchConfigAll(state, request, response);
+  await authenticate(state, request, response);
+  if (response.error) {
+    return response;
+  }
   await setCustomResponseHeaders(state, request, response);
 
   const {

package/src/json-pipe.js

@@ -14,6 +14,7 @@ import setCustomResponseHeaders from './steps/set-custom-response-headers.js';
 import { PipelineResponse } from './PipelineResponse.js';
 import jsonFilter from './utils/json-filter.js';
 import { extractLastModified, updateLastModified } from './utils/last-modified.js';
+import { authenticate } from './steps/authenticate.js';
 
 /**
  * Runs the default pipeline and returns the response.
@@ -80,6 +81,7 @@ export async function jsonPipe(state, req) {
 
   // Load config-all and set response headers
   await fetchConfigAll(state, req, response);
+  await authenticate(state, req, response);
   await setCustomResponseHeaders(state, req, response);
 
   return response;

package/src/steps/authenticate.js

@@ -37,7 +37,7 @@ export function isAllowed(email = '', allows = []) {
  */
 export async function authenticate(state, req, res) {
   // get auth info
-  const authInfo = await getAuthInfo(state, req, res);
+  const authInfo = await getAuthInfo(state, req);
 
   // check if `.auth` route to validate and exchange token
   if (state.info.path === '/.auth') {
@@ -52,12 +52,17 @@ export async function authenticate(state, req, res) {
 
   // if not authenticated, redirect to login screen
   if (!authInfo.authenticated) {
+    // send 401 for plain requests
+    if (state.info.selector || state.type !== 'html') {
+      state.log.warn('[auth] unauthorized. redirect to login only for extension less html.');
+      res.status = 401;
+      res.error = 'unauthorized.';
+      return;
+    }
     authInfo.redirectToLogin(state, req, res);
     return;
   }
 
-  // console.log(authInfo.profile);
-
   // check profile is allowed
   const { allow } = state.config.access;
   const allows = Array.isArray(allow) ? allow : [allow];
@@ -73,6 +78,6 @@ export async function authenticate(state, req, res) {
     res.headers.set('x-hlx-auth-iss', authInfo.profile.iss);
     res.headers.set('x-hlx-auth-kid', authInfo.profile.kid);
     res.headers.set('x-hlx-auth-aud', authInfo.profile.aud);
-    res.headers.set('x-hlx-auth-jwk', JSON.stringify(authInfo.profile.jwk));
+    res.headers.set('x-hlx-auth-key', authInfo.profile.pem);
   }
 }

package/src/utils/auth.js

@@ -10,14 +10,24 @@
  * governing permissions and limitations under the License.
  */
 // eslint-disable-next-line max-classes-per-file
-import crypto from 'crypto';
 import {
-  createLocalJWKSet, createRemoteJWKSet, decodeJwt, jwtVerify, UnsecuredJWT,
+  createLocalJWKSet, createRemoteJWKSet, decodeJwt, jwtVerify, UnsecuredJWT, exportSPKI,
 } from 'jose';
 import { clearAuthCookie, getAuthCookie, setAuthCookie } from './auth-cookie.js';
 
 import idpMicrosoft from './idp-configs/microsoft.js';
 
+let cryptoImpl;
+import('crypto')
+  .then((crypto) => {
+    cryptoImpl = crypto;
+  })
+  /* c8 ignore next 3 */
+  .catch(() => {
+    // eslint-disable-next-line no-undef
+    cryptoImpl = crypto;
+  });
+
 export const IDPS = [
   idpMicrosoft,
 ];
@@ -54,16 +64,38 @@ export async function decodeIdToken(state, idp, idToken, lenient = false) {
   payload.ttl = payload.exp - Math.floor(Date.now() / 1000);
 
   // export the public key
-  payload.jwk = key.export({
-    type: 'pkcs1',
-    format: 'jwk',
-  });
+  payload.pem = await exportSPKI(key);
+  // and encode it base64 url
+  payload.pem = Buffer.from(payload.pem, 'utf-8').toString('base64url');
   payload.kid = protectedHeader.kid;
 
   log.info(`[auth] decoded id_token${lenient ? ' (lenient)' : ''} from ${payload.iss} and validated payload.`);
   return payload;
 }
 
+/**
+ * Returns the host of the request; falls back to the configured `host`.
+ * Note that this is different from the `config.host` calculation in `fetch-config-all`,
+ * as this prefers the xfh over the config.
+ *
+ * @param {PipelineState} state
+ * @param {PipelineRequest} req
+ * @return {string}
+ */
+function getRequestHost(state, req) {
+  // determine the location of 'this' document based on the xfh header. so that logins to
+  // .page stay on .page. etc. but fallback to the config.host if non set
+  let host = req.headers.get('x-forwarded-host');
+  if (host) {
+    host = host.split(',')[0].trim();
+  }
+  if (!host) {
+    host = state.config.host;
+  }
+  state.log.info(`request host is: ${host}`);
+  return host;
+}
+
 /**
  * AuthInfo class
  */
@@ -150,7 +182,13 @@ export class AuthInfo {
 
     // determine the location of 'this' document based on the xfh header. so that logins to
     // .page stay on .page. etc. but fallback to the config.host if non set
-    const host = req.headers.get('x-forwarded-host') || state.config.host;
+    const host = getRequestHost(state, req);
+    if (!host) {
+      log.error('[auth] unable to create login redirect: no xfh or config.host.');
+      res.status = 401;
+      res.error = 'no host information.';
+      return;
+    }
 
     const url = new URL(idp.discovery.authorization_endpoint);
 
@@ -167,7 +205,7 @@ export class AuthInfo {
     url.searchParams.append('client_id', clientId);
     url.searchParams.append('response_type', 'code');
     url.searchParams.append('scope', idp.scope);
-    url.searchParams.append('nonce', crypto.randomUUID());
+    url.searchParams.append('nonce', cryptoImpl.randomUUID());
     url.searchParams.append('state', tokenState);
     url.searchParams.append('redirect_uri', state.createExternalLocation(AUTH_REDIRECT_URL));
     url.searchParams.append('prompt', 'select_account');
@@ -202,7 +240,7 @@ export class AuthInfo {
 
     // ensure that the request is made to the target host
     if (req.params.state?.requestHost) {
-      const host = req.headers.get('x-forwarded-host') || state.config.host;
+      const host = getRequestHost(state, req);
       if (host !== req.params.state.requestHost) {
         const url = new URL(`https://${req.params.state.requestHost}/.auth`);
         url.searchParams.append('state', req.params.rawState);
@@ -308,15 +346,25 @@ export function initAuthRoute(state, req, res) {
 }
 
 /**
- * Extracts the authentication info from the cookie. Returns {@code null} if missing or invalid.
+ * Extracts the authentication info from the cookie or 'authorization' header.
+ * Returns {@code null} if missing or invalid.
  *
  * @param {PipelineState} state
  * @param {PipelineRequest} req
  * @returns {Promise<AuthInfo>} the authentication info or null if the request is not authenticated
  */
-async function getAuthInfoFromCookie(state, req) {
+async function getAuthInfoFromCookieOrHeader(state, req) {
   const { log } = state;
-  const idToken = getAuthCookie(req);
+  let idToken = getAuthCookie(req);
+  if (!idToken) {
+    log.info('no auth cookie');
+    const [marker, value] = (req.headers.get('authorization') || '').split(' ');
+    if (marker.toLowerCase() === 'token' && value) {
+      idToken = value.trim();
+    } else {
+      log.info('no auth header');
+    }
+  }
   if (idToken) {
     let idp;
     try {
@@ -353,6 +401,7 @@ async function getAuthInfoFromCookie(state, req) {
       return AuthInfo.Default().withCookieInvalid(true);
     }
   }
+  log.info('no id_token');
   return null;
 }
 
@@ -364,7 +413,7 @@ async function getAuthInfoFromCookie(state, req) {
  */
 export async function getAuthInfo(state, req) {
   const { log } = state;
-  const auth = await getAuthInfoFromCookie(state, req);
+  const auth = await getAuthInfoFromCookieOrHeader(state, req);
   if (auth) {
     if (auth.authenticated) {
       log.info(`[auth] id-token valid: iss=${auth.profile.iss}`);

package/src/utils/idp-configs/microsoft.js

@@ -12,9 +12,9 @@
 export default {
   name: 'microsoft',
   mountType: 'onedrive',
-  client: () => ({
-    clientId: process.env.HLX_SITE_APP_AZURE_CLIENT_ID,
-    clientSecret: process.env.HLX_SITE_APP_AZURE_CLIENT_SECRET,
+  client: (state) => ({
+    clientId: state.env.HLX_SITE_APP_AZURE_CLIENT_ID,
+    clientSecret: state.env.HLX_SITE_APP_AZURE_CLIENT_SECRET,
   }),
   scope: 'openid profile email',
   validateIssuer: (iss) => iss.startsWith('https://login.microsoftonline.com/'),