@adobe/helix-html-pipeline 3.0.1 → 3.1.1

package/CHANGELOG.md

@@ -1,3 +1,24 @@
+## [3.1.1](https://github.com/adobe/helix-html-pipeline/compare/v3.1.0...v3.1.1) (2022-07-09)
+
+
+### Bug Fixes
+
+* **deps:** update dependency mdast-util-to-hast to v12.1.2 ([1c863bc](https://github.com/adobe/helix-html-pipeline/commit/1c863bcb06ef8af8ac3c6367121fa3a71aad38f5))
+
+# [3.1.0](https://github.com/adobe/helix-html-pipeline/compare/v3.0.2...v3.1.0) (2022-06-24)
+
+
+### Features
+
+* improve authentication implementation ([#90](https://github.com/adobe/helix-html-pipeline/issues/90)) ([def347c](https://github.com/adobe/helix-html-pipeline/commit/def347cd0d4860d2804d71be6b702a6be30d6095)), closes [#85](https://github.com/adobe/helix-html-pipeline/issues/85)
+
+## [3.0.2](https://github.com/adobe/helix-html-pipeline/compare/v3.0.1...v3.0.2) (2022-06-16)
+
+
+### Bug Fixes
+
+* make crypto.randomUUID() portable ([d40ba5a](https://github.com/adobe/helix-html-pipeline/commit/d40ba5ab67c764726d923061d4844e5adb162c86))
+
 ## [3.0.1](https://github.com/adobe/helix-html-pipeline/compare/v3.0.0...v3.0.1) (2022-06-14)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adobe/helix-html-pipeline",
-  "version": "3.0.1",
+  "version": "3.1.1",
   "description": "Helix HTML Pipeline",
   "main": "src/index.js",
   "types": "src/index.d.ts",
@@ -42,12 +42,12 @@
     "hast-util-to-html": "8.0.3",
     "hast-util-to-string": "2.0.0",
     "hastscript": "7.0.2",
-    "jose": "4.8.1",
+    "jose": "4.8.3",
     "mdast-util-gfm-footnote": "1.0.1",
     "mdast-util-gfm-strikethrough": "1.0.1",
     "mdast-util-gfm-table": "1.0.4",
     "mdast-util-gfm-task-list-item": "1.0.1",
-    "mdast-util-to-hast": "12.1.1",
+    "mdast-util-to-hast": "12.1.2",
     "mdast-util-to-string": "3.1.0",
     "micromark-extension-gfm-footnote": "1.0.4",
     "micromark-extension-gfm-strikethrough": "1.0.4",
@@ -75,16 +75,16 @@
     "@semantic-release/git": "10.0.1",
     "@semantic-release/npm": "9.0.1",
     "c8": "7.11.3",
-    "eslint": "8.17.0",
+    "eslint": "8.19.0",
     "eslint-plugin-header": "3.1.1",
     "eslint-plugin-import": "2.26.0",
     "esmock": "1.7.5",
     "husky": "8.0.1",
     "js-yaml": "4.1.0",
     "jsdoc-to-markdown": "7.1.1",
-    "jsdom": "19.0.0",
+    "jsdom": "20.0.0",
     "junit-report-builder": "3.0.0",
-    "lint-staged": "13.0.1",
+    "lint-staged": "13.0.3",
     "mocha": "10.0.0",
     "mocha-multi-reporters": "1.5.1",
     "remark-gfm": "3.0.1",

package/src/PipelineState.d.ts

@@ -44,11 +44,13 @@ declare interface PipelineOptions {
   path: string;
   contentBusId: string;
   timer: PipelineTimer;
+  env: object;
 }
 
 declare class PipelineState {
   constructor(opts: PipelineOptions);
   log: Console;
+  env: object;
   info: PathInfo;
   content: PipelineContent;
   contentBusId: string;

package/src/PipelineState.js

@@ -26,6 +26,7 @@ export class PipelineState {
   constructor(opts) {
     Object.assign(this, {
       log: opts.log ?? console,
+      env: opts.env,
       info: getPathInfo(opts.path),
       content: new PipelineContent(),
       // todo: compute content-bus id from fstab

package/src/steps/authenticate.js

@@ -78,6 +78,6 @@ export async function authenticate(state, req, res) {
     res.headers.set('x-hlx-auth-iss', authInfo.profile.iss);
     res.headers.set('x-hlx-auth-kid', authInfo.profile.kid);
     res.headers.set('x-hlx-auth-aud', authInfo.profile.aud);
-    res.headers.set('x-hlx-auth-jwk', JSON.stringify(authInfo.profile.jwk));
+    res.headers.set('x-hlx-auth-key', authInfo.profile.pem);
   }
 }

package/src/utils/auth.js

@@ -10,14 +10,24 @@
  * governing permissions and limitations under the License.
  */
 // eslint-disable-next-line max-classes-per-file
-import crypto from 'crypto';
 import {
-  createLocalJWKSet, createRemoteJWKSet, decodeJwt, jwtVerify, UnsecuredJWT,
+  createLocalJWKSet, createRemoteJWKSet, decodeJwt, jwtVerify, UnsecuredJWT, exportSPKI,
 } from 'jose';
 import { clearAuthCookie, getAuthCookie, setAuthCookie } from './auth-cookie.js';
 
 import idpMicrosoft from './idp-configs/microsoft.js';
 
+let cryptoImpl;
+import('crypto')
+  .then((crypto) => {
+    cryptoImpl = crypto;
+  })
+  /* c8 ignore next 3 */
+  .catch(() => {
+    // eslint-disable-next-line no-undef
+    cryptoImpl = crypto;
+  });
+
 export const IDPS = [
   idpMicrosoft,
 ];
@@ -54,16 +64,38 @@ export async function decodeIdToken(state, idp, idToken, lenient = false) {
   payload.ttl = payload.exp - Math.floor(Date.now() / 1000);
 
   // export the public key
-  payload.jwk = key.export({
-    type: 'pkcs1',
-    format: 'jwk',
-  });
+  payload.pem = await exportSPKI(key);
+  // and encode it base64 url
+  payload.pem = Buffer.from(payload.pem, 'utf-8').toString('base64url');
   payload.kid = protectedHeader.kid;
 
   log.info(`[auth] decoded id_token${lenient ? ' (lenient)' : ''} from ${payload.iss} and validated payload.`);
   return payload;
 }
 
+/**
+ * Returns the host of the request; falls back to the configured `host`.
+ * Note that this is different from the `config.host` calculation in `fetch-config-all`,
+ * as this prefers the xfh over the config.
+ *
+ * @param {PipelineState} state
+ * @param {PipelineRequest} req
+ * @return {string}
+ */
+function getRequestHost(state, req) {
+  // determine the location of 'this' document based on the xfh header. so that logins to
+  // .page stay on .page. etc. but fallback to the config.host if non set
+  let host = req.headers.get('x-forwarded-host');
+  if (host) {
+    host = host.split(',')[0].trim();
+  }
+  if (!host) {
+    host = state.config.host;
+  }
+  state.log.info(`request host is: ${host}`);
+  return host;
+}
+
 /**
  * AuthInfo class
  */
@@ -150,13 +182,7 @@ export class AuthInfo {
 
     // determine the location of 'this' document based on the xfh header. so that logins to
     // .page stay on .page. etc. but fallback to the config.host if non set
-    let host = req.headers.get('x-forwarded-host');
-    if (host) {
-      host = host.split(',')[0].trim();
-    }
-    if (!host) {
-      host = state.config.host;
-    }
+    const host = getRequestHost(state, req);
     if (!host) {
       log.error('[auth] unable to create login redirect: no xfh or config.host.');
       res.status = 401;
@@ -179,7 +205,7 @@ export class AuthInfo {
     url.searchParams.append('client_id', clientId);
     url.searchParams.append('response_type', 'code');
     url.searchParams.append('scope', idp.scope);
-    url.searchParams.append('nonce', crypto.randomUUID());
+    url.searchParams.append('nonce', cryptoImpl.randomUUID());
     url.searchParams.append('state', tokenState);
     url.searchParams.append('redirect_uri', state.createExternalLocation(AUTH_REDIRECT_URL));
     url.searchParams.append('prompt', 'select_account');
@@ -214,7 +240,7 @@ export class AuthInfo {
 
     // ensure that the request is made to the target host
     if (req.params.state?.requestHost) {
-      const host = req.headers.get('x-forwarded-host') || state.config.host;
+      const host = getRequestHost(state, req);
       if (host !== req.params.state.requestHost) {
         const url = new URL(`https://${req.params.state.requestHost}/.auth`);
         url.searchParams.append('state', req.params.rawState);
@@ -320,15 +346,25 @@ export function initAuthRoute(state, req, res) {
 }
 
 /**
- * Extracts the authentication info from the cookie. Returns {@code null} if missing or invalid.
+ * Extracts the authentication info from the cookie or 'authorization' header.
+ * Returns {@code null} if missing or invalid.
  *
  * @param {PipelineState} state
  * @param {PipelineRequest} req
  * @returns {Promise<AuthInfo>} the authentication info or null if the request is not authenticated
  */
-async function getAuthInfoFromCookie(state, req) {
+async function getAuthInfoFromCookieOrHeader(state, req) {
   const { log } = state;
-  const idToken = getAuthCookie(req);
+  let idToken = getAuthCookie(req);
+  if (!idToken) {
+    log.info('no auth cookie');
+    const [marker, value] = (req.headers.get('authorization') || '').split(' ');
+    if (marker.toLowerCase() === 'token' && value) {
+      idToken = value.trim();
+    } else {
+      log.info('no auth header');
+    }
+  }
   if (idToken) {
     let idp;
     try {
@@ -365,6 +401,7 @@ async function getAuthInfoFromCookie(state, req) {
       return AuthInfo.Default().withCookieInvalid(true);
     }
   }
+  log.info('no id_token');
   return null;
 }
 
@@ -376,7 +413,7 @@ async function getAuthInfoFromCookie(state, req) {
  */
 export async function getAuthInfo(state, req) {
   const { log } = state;
-  const auth = await getAuthInfoFromCookie(state, req);
+  const auth = await getAuthInfoFromCookieOrHeader(state, req);
   if (auth) {
     if (auth.authenticated) {
       log.info(`[auth] id-token valid: iss=${auth.profile.iss}`);

package/src/utils/idp-configs/microsoft.js

@@ -12,9 +12,9 @@
 export default {
   name: 'microsoft',
   mountType: 'onedrive',
-  client: () => ({
-    clientId: process.env.HLX_SITE_APP_AZURE_CLIENT_ID,
-    clientSecret: process.env.HLX_SITE_APP_AZURE_CLIENT_SECRET,
+  client: (state) => ({
+    clientId: state.env.HLX_SITE_APP_AZURE_CLIENT_ID,
+    clientSecret: state.env.HLX_SITE_APP_AZURE_CLIENT_SECRET,
   }),
   scope: 'openid profile email',
   validateIssuer: (iss) => iss.startsWith('https://login.microsoftonline.com/'),