@adobe/helix-html-pipeline 3.11.20 → 4.0.0

package/CHANGELOG.md

@@ -1,3 +1,15 @@
+# [4.0.0](https://github.com/adobe/helix-html-pipeline/compare/v3.11.20...v4.0.0) (2023-07-11)
+
+
+### Features
+
+* use global auth ([dfc0e06](https://github.com/adobe/helix-html-pipeline/commit/dfc0e060239ae5fb14473904568de1ac041a8271)), closes [#324](https://github.com/adobe/helix-html-pipeline/issues/324) [#285](https://github.com/adobe/helix-html-pipeline/issues/285) [#286](https://github.com/adobe/helix-html-pipeline/issues/286) [#287](https://github.com/adobe/helix-html-pipeline/issues/287)
+
+
+### BREAKING CHANGES
+
+* former x-auth-* headers are no longer returned thus also needs new .hlx.live logic
+
 ## [3.11.20](https://github.com/adobe/helix-html-pipeline/compare/v3.11.19...v3.11.20) (2023-07-11)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adobe/helix-html-pipeline",
-  "version": "3.11.20",
+  "version": "4.0.0",
   "description": "Helix HTML Pipeline",
   "main": "src/index.js",
   "types": "src/index.d.ts",

package/src/PipelineState.d.ts

@@ -9,7 +9,7 @@
  * OF ANY KIND; either express or implied. See the License for the specific language
  * governing permissions and limitations under the License.
  */
-import {PathInfo, S3Loader, FormsMessageDispatcher, PipelineTimer} from "./index";
+import {PathInfo, S3Loader, FormsMessageDispatcher, PipelineTimer, AuthEnvLoader } from "./index";
 import {PipelineContent} from "./PipelineContent";
 import {Modifiers} from './utils/modifiers';
 
@@ -24,6 +24,8 @@ type Fetch = (url: string|Request, options?: RequestOptions) => Promise<Response
 declare interface AccessConfig {
   allow:(string|string[]);
 
+  apiKeyId:(string|string[]);
+
   require: {
     repository:(string|string[]);
   };
@@ -40,6 +42,7 @@ declare interface PipelineOptions {
   log: Console;
   s3Loader: S3Loader;
   messageDispatcher: FormsMessageDispatcher;
+  authEnvLoader: AuthEnvLoader;
   fetch: Fetch;
   owner: string;
   repo: string;
@@ -59,6 +62,7 @@ declare class PipelineState {
   contentBusId: string;
   s3Loader: S3Loader;
   messageDispatcher: FormsMessageDispatcher;
+  authEnvLoader: AuthEnvLoader;
   fetch: Fetch;
 
   /**

package/src/PipelineState.js

@@ -39,6 +39,7 @@ export class PipelineState {
       config: {},
       s3Loader: opts.s3Loader,
       messageDispatcher: opts.messageDispatcher,
+      authEnvLoader: opts.authEnvLoader ?? { load: () => {} },
       fetch: opts.fetch,
       timer: opts.timer,
       type: 'html',

package/src/html-pipe.js

@@ -82,7 +82,7 @@ export async function htmlPipe(state, req) {
 
   // check if .auth request
   if (state.partition === '.auth' || state.info.path === '/.auth') {
-    if (!initAuthRoute(state, req, res)) {
+    if (!await initAuthRoute(state, req, res)) {
       return res;
     }
   }
@@ -118,7 +118,7 @@ export async function htmlPipe(state, req) {
     ]);
 
     await requireProject(state, req, res);
-    if (!res.error) {
+    if (res.error !== 401) {
       await authenticate(state, req, res);
     }
 

package/src/index.d.ts

@@ -88,6 +88,16 @@ declare interface S3Loader {
   headObject(bucketId, key): Promise<PipelineResponse>;
 }
 
+declare interface AuthEnvLoader {
+
+  /**
+   * loads (secret) parameters needed for authentication. The parameters are added to the
+   * `state.env` object.
+   * @return {Promise<void>}
+   */
+  load(state:PipelineState):Promise<void>;
+}
+
 declare interface DispatchMessageResponse {
   messageId:string,
   requestId:string,

package/src/steps/authenticate.js

@@ -9,7 +9,7 @@
  * OF ANY KIND, either express or implied. See the License for the specific language
  * governing permissions and limitations under the License.
  */
-import { getAuthInfo } from '../utils/auth.js';
+import { getAuthInfo, makeAuthError } from '../utils/auth.js';
 
 /**
  * Checks if the given email is allowed.
@@ -36,11 +36,9 @@ export function isAllowed(email = '', allows = []) {
  * @returns {Promise<void>}
  */
 export async function authenticate(state, req, res) {
-  // get auth info
-  const authInfo = await getAuthInfo(state, req);
-
   // check if `.auth` route to validate and exchange token
   if (state.info.path === '/.auth') {
+    const authInfo = await getAuthInfo(state, req);
     await authInfo.exchangeToken(state, req, res);
     return;
   }
@@ -50,41 +48,55 @@ export async function authenticate(state, req, res) {
     return;
   }
 
+  // get auth info
+  const authInfo = await getAuthInfo(state, req);
+
   // if not authenticated, redirect to login screen
   if (!authInfo.authenticated) {
     // send 401 for plain requests
     if (state.info.selector || state.type !== 'html') {
       state.log.warn('[auth] unauthorized. redirect to login only for extension less html.');
-      res.status = 401;
-      res.error = 'unauthorized.';
+      makeAuthError(state, req, res, 'unauthorized');
       return;
     }
-    authInfo.redirectToLogin(state, req, res);
+    await authInfo.redirectToLogin(state, req, res);
     return;
   }
 
+  const { sub, jti, email } = authInfo.profile;
+
+  // validate subject, if present
+  if (sub) {
+    const [owner, repo] = sub.split('/');
+    if (owner !== state.owner || (repo !== '*' && repo !== state.repo)) {
+      state.log.warn(`[auth] invalid subject ${sub}: does not match ${state.owner}/${state.repo}`);
+      makeAuthError(state, req, res, 'invalid-subject');
+      return;
+    }
+  }
+
+  // validate jti
+  if (jti) {
+    const ids = Array.isArray(state.config.access.apiKeyId)
+      ? state.config.access.apiKeyId
+      : [state.config.access.apiKeyId];
+    if (ids.indexOf(jti) < 0) {
+      state.log.warn(`[auth] invalid jti ${jti}: does not match configured id ${state.config.access.apiKeyId}`);
+      makeAuthError(state, req, res, 'invalid-jti');
+    }
+  }
+
   // check profile is allowed
   const { allow } = state.config.access;
   const allows = Array.isArray(allow) ? allow : [allow];
-  if (!isAllowed(authInfo.profile.email || authInfo.profile.preferred_username, allows)) {
+  if (!isAllowed(email, allows)) {
     state.log.warn(`[auth] profile not allowed for ${allows}`);
-    res.status = 403;
-    res.error = 'forbidden.';
-  }
-
-  // set some response headers for deferred edge authentication
-  // AdobePatentID="P11443-US"
-  res.headers.set('x-hlx-auth-allow', allows.join(','));
-  if (authInfo.profile) {
-    res.headers.set('x-hlx-auth-iss', authInfo.profile.iss);
-    res.headers.set('x-hlx-auth-kid', authInfo.profile.kid);
-    res.headers.set('x-hlx-auth-aud', authInfo.profile.aud);
-    res.headers.set('x-hlx-auth-key', authInfo.profile.pem);
+    makeAuthError(state, req, res, 'forbidden', 403);
   }
 }
 
 /**
- * Checks if the given owner repo is alloed
+ * Checks if the given owner repo is allowed
  * @param {string} owner
  * @param {string} repo
  * @param {string[]} allows

package/src/utils/auth.d.ts

@@ -37,9 +37,14 @@ export declare interface IDPConfig {
 
 export declare interface UserProfile {
   email:string;
-  // hlx_hash:string;
-  // picture:string;
+
   iss:string;
+
+  aud:string;
+
+  sub: string;
+
+  jti: string;
 }
 
 export declare class AuthInfo {
@@ -68,7 +73,7 @@ export declare class AuthInfo {
    * @param {PipelineRequest} req
    * @param {PipelineResponse} res
    */
-  redirectToLogin(state, req, res);
+  async redirectToLogin(state, req, res);
 
   /**
    * Performs a token exchange from the code flow and redirects to the root page

package/src/utils/auth.js

@@ -11,65 +11,88 @@
  */
 // eslint-disable-next-line max-classes-per-file
 import {
-  createLocalJWKSet, createRemoteJWKSet, decodeJwt, jwtVerify, UnsecuredJWT, exportSPKI,
+  createLocalJWKSet,
+  decodeJwt,
+  jwtVerify,
+  SignJWT,
+  importJWK,
 } from 'jose';
 import { clearAuthCookie, getAuthCookie, setAuthCookie } from './auth-cookie.js';
 
 import idpMicrosoft from './idp-configs/microsoft.js';
-import idpAdmin from './idp-configs/admin.js';
 
 // eslint-disable-next-line import/no-unresolved
 import cryptoImpl from '#crypto';
 
-export const IDPS = [
-  idpMicrosoft,
-  idpAdmin,
-];
-
 const AUTH_REDIRECT_URL = 'https://login.hlx.page/.auth';
 
+let ADMIN_KEY_PAIR = null;
+
 export class AccessDeniedError extends Error {
 }
 
+/**
+ * Signs the given JWT with the admin private key and returns the token.
+ * @param {PipelineState} state
+ * @param {SignJWT} jwt
+ * @returns {Promise<string>}
+ */
+async function signJWT(state, jwt) {
+  if (!ADMIN_KEY_PAIR) {
+    ADMIN_KEY_PAIR = {
+      privateKey: await importJWK(JSON.parse(state.env.HLX_ADMIN_IDP_PRIVATE_KEY), 'RS256'),
+      publicKey: JSON.parse(state.env.HLX_ADMIN_IDP_PUBLIC_KEY),
+    };
+  }
+  const { privateKey, publicKey } = ADMIN_KEY_PAIR;
+  return jwt
+    .setProtectedHeader({
+      alg: 'RS256',
+      kid: publicKey.kid,
+    })
+    .setAudience(state.env.HLX_SITE_APP_AZURE_CLIENT_ID)
+    .setIssuer(publicKey.issuer)
+    .sign(privateKey);
+}
+
+/**
+ * Verifies and decodes the given jwt using the admin public key
+ * @param {PipelineState} state
+ * @param {string} jwt
+ * @param {boolean} lenient
+ * @returns {Promise<JWTPayload>}
+ */
+async function verifyJwt(state, jwt, lenient = false) {
+  const publicKey = JSON.parse(state.env.HLX_ADMIN_IDP_PUBLIC_KEY);
+  const jwks = createLocalJWKSet({
+    keys: [publicKey],
+  });
+  const { payload } = await jwtVerify(jwt, jwks, {
+    audience: state.env.HLX_SITE_APP_AZURE_CLIENT_ID,
+    issuer: publicKey.issuer,
+    clockTolerance: lenient ? 7 * 24 * 60 * 60 : 0,
+  });
+  return payload;
+}
+
 /**
  * Decodes the given id_token for the given idp. if `lenient` is `true`, the clock tolerance
  * is set to 1 week. this allows to extract some profile information that can be used as login_hint.
  * @param {PipelineState} state
- * @param {IDPConfig} idp
  * @param {string} idToken
  * @param {boolean} lenient
  * @returns {Promise<JWTPayload>}
  */
-export async function decodeIdToken(state, idp, idToken, lenient = false) {
+export async function decodeIdToken(state, idToken, lenient = false) {
   const { log } = state;
-  const jwks = idp.discovery.jwks
-    ? createLocalJWKSet(idp.discovery.jwks)
-    : /* c8 ignore next */ createRemoteJWKSet(new URL(idp.discovery.jwks_uri));
-
-  const { payload, key, protectedHeader } = await jwtVerify(idToken, jwks, {
-    audience: idp.client(state).clientId,
-    clockTolerance: lenient ? 7 * 24 * 60 * 60 : 0,
-  });
+  const payload = await verifyJwt(state, idToken, lenient);
 
   // delete from information not needed in the profile
-  ['azp', 'sub', 'at_hash', 'nonce', 'aio', 'c_hash'].forEach((prop) => delete payload[prop]);
+  ['azp', 'at_hash', 'nonce', 'aio', 'c_hash'].forEach((prop) => delete payload[prop]);
 
   // compute ttl
   payload.ttl = payload.exp - Math.floor(Date.now() / 1000);
 
-  // export the public key
-  payload.pem = await exportSPKI(key);
-  // and encode it base64 url
-  /* c8 ignore next 3 */
-  if (typeof Buffer === 'undefined') {
-    // non-node runtime
-    payload.pem = btoa(payload.pem);
-  } else {
-    // node runtime
-    payload.pem = Buffer.from(payload.pem, 'utf-8').toString('base64url');
-  }
-  payload.kid = protectedHeader.kid;
-
   log.info(`[auth] decoded id_token${lenient ? ' (lenient)' : ''} from ${payload.iss} and validated payload.`);
   return payload;
 }
@@ -102,6 +125,22 @@ function getRequestHostAndProto(state, req) {
   };
 }
 
+/**
+ * sets the auth error on the response and clears the cookie.
+ * @param state
+ * @param req
+ * @param res
+ * @param error
+ * @param status
+ */
+export function makeAuthError(state, req, res, error, status = 401) {
+  const { proto } = getRequestHostAndProto(state, req);
+  res.status = status;
+  res.error = error;
+  res.headers.set('set-cookie', clearAuthCookie(proto === 'https'));
+  res.headers.set('x-error', error);
+}
+
 /**
  * AuthInfo class
  */
@@ -174,10 +213,11 @@ export class AuthInfo {
    * @param {PipelineResponse} res
    * @param {IDPConfig} idp IDP config
    */
-  redirectToLogin(state, req, res) {
+  async redirectToLogin(state, req, res) {
     const { log } = state;
     const { idp } = this;
 
+    await state.authEnvLoader.load(state);
     const { clientId, clientSecret } = idp.client(state);
     if (!clientId || !clientSecret) {
       log.error('[auth] unable to create login redirect: missing client_id or client_secret');
@@ -191,23 +231,20 @@ export class AuthInfo {
     const { host, proto } = getRequestHostAndProto(state, req);
     if (!host) {
       log.error('[auth] unable to create login redirect: no xfh or config.host.');
-      res.status = 401;
-      res.error = 'no host information.';
+      makeAuthError(state, req, res, 'no host information.');
       return;
     }
 
     const url = new URL(idp.discovery.authorization_endpoint);
 
-    // todo: properly sign to avoid CSRF
-    const tokenState = new UnsecuredJWT({
+    const tokenState = await signJWT(state, new SignJWT({
       owner: state.owner,
       repo: state.repo,
-      contentBusId: state.contentBusId,
       // this is our own login redirect, i.e. the current document
       requestPath: state.info.path,
       requestHost: host,
       requestProto: proto,
-    }).encode();
+    }));
 
     url.searchParams.append('client_id', clientId);
     url.searchParams.append('response_type', 'code');
@@ -240,11 +277,13 @@ export class AuthInfo {
     const { code } = req.params;
     if (!code) {
       log.warn('[auth] code exchange failed: code parameter missing.');
-      res.status = 401;
-      res.error = 'code exchange failed.';
+      makeAuthError(state, req, res, 'code exchange failed.');
       return;
     }
 
+    // TODO: exchange token on the login host, set-cookie,
+    //       and then again set-cookie on the request host
+
     // ensure that the request is made to the target host
     if (req.params.state?.requestHost) {
       const { host } = getRequestHostAndProto(state, req);
@@ -263,6 +302,7 @@ export class AuthInfo {
       }
     }
 
+    await state.authEnvLoader.load(state);
     const { clientId, clientSecret } = idp.client(state);
     const url = new URL(idp.discovery.token_endpoint);
     const body = {
@@ -282,22 +322,37 @@ export class AuthInfo {
     });
     if (!ret.ok) {
       log.warn(`[auth] code exchange failed: ${ret.status}`, await ret.text());
-      res.status = 401;
-      res.error = 'code exchange failed.';
+      makeAuthError(state, req, res, 'code exchange failed.');
       return;
     }
 
     const tokenResponse = await ret.json();
     const { id_token: idToken } = tokenResponse;
+    let payload;
     try {
-      await decodeIdToken(state, idp, idToken);
+      payload = decodeJwt(idToken);
     } catch (e) {
       log.warn(`[auth] id token from ${idp.name} is invalid: ${e.message}`);
-      res.status = 401;
-      res.error = 'id token invalid.';
+      makeAuthError(state, req, res, 'id token invalid.');
       return;
     }
 
+    const email = payload.email || payload.preferred_username;
+    if (!email) {
+      log.warn(`[auth] id token from ${idp.name} is missing email or preferred_username`);
+      makeAuthError(state, req, res, 'id token invalid.');
+      return;
+    }
+
+    // create new token
+    const jwt = new SignJWT({
+      email,
+      name: payload.name,
+    })
+      .setIssuedAt()
+      .setExpirationTime('12 hours');
+    const authToken = await signJWT(state, jwt);
+
     // ensure that auth cookie is not cleared again in `index.js`
     // ctx.attributes.authInfo?.withCookieInvalid(false);
 
@@ -307,13 +362,13 @@ export class AuthInfo {
     res.body = `please go to <a href="${location}">${location}</a>`;
     res.headers.set('location', location);
     res.headers.set('content-tye', 'text/plain');
-    res.headers.set('set-cookie', setAuthCookie(idToken, req.params.state.requestProto === 'https'));
+    res.headers.set('set-cookie', setAuthCookie(authToken, req.params.state.requestProto === 'https'));
     res.headers.set('cache-control', 'no-store, private, must-revalidate');
     res.error = 'moved';
   }
 }
 
-export function initAuthRoute(state, req, res) {
+export async function initAuthRoute(state, req, res) {
   const { log } = state;
 
   // use request headers if present
@@ -328,18 +383,18 @@ export function initAuthRoute(state, req, res) {
 
   if (!req.params.state) {
     log.warn('[auth] unable to exchange token: no state.');
-    res.status = 401;
-    res.headers.set('x-error', 'missing state parameter.');
+    makeAuthError(state, req, res, 'missing state parameter.');
     return false;
   }
 
   try {
     req.params.rawState = req.params.state;
-    req.params.state = decodeJwt(req.params.state);
+    req.params.state = await verifyJwt(state, req.params.state);
+    delete req.params.state.aud;
+    delete req.params.state.iss;
   } catch (e) {
     log.warn(`[auth] error decoding state parameter: invalid state: ${e.message}`);
-    res.status = 401;
-    res.headers.set('x-error', 'missing state parameter.');
+    makeAuthError(state, req, res, 'missing state parameter.');
     return false;
   }
 
@@ -347,7 +402,6 @@ export function initAuthRoute(state, req, res) {
   state.owner = req.params.state.owner;
   state.repo = req.params.state.repo;
   state.ref = 'main';
-  state.contentBusId = req.params.state.contentBusId;
   state.partition = 'preview';
   state.info.path = '/.auth';
   return true;
@@ -374,31 +428,18 @@ async function getAuthInfoFromCookieOrHeader(state, req) {
     }
   }
   if (idToken) {
-    let idp;
     try {
-      const { iss } = decodeJwt(idToken);
-      if (!iss) {
-        log.warn('[auth] missing \'iss\' claim in id_token.');
-        return AuthInfo.Default().withCookieInvalid(true);
-      }
-      idp = IDPS.find((i) => i.validateIssuer(iss));
-      if (!idp) {
-        log.warn(`[auth] no IDP found for: ${iss}`);
-        return AuthInfo.Default().withCookieInvalid(true);
-      }
       return AuthInfo.Default()
-        .withProfile(await decodeIdToken(state, idp, idToken))
+        .withProfile(await decodeIdToken(state, idToken))
         .withAuthenticated(true)
-        .withIdp(idp)
         .withIdToken(idToken);
     } catch (e) {
-      if (e.code === 'ERR_JWT_EXPIRED' && idp) {
+      if (e.code === 'ERR_JWT_EXPIRED') {
         try {
-          const profile = await decodeIdToken(state, idp, idToken, true);
+          const profile = await decodeIdToken(state, idToken, true);
           log.warn(`[auth] decoding the id_token failed: ${e.message}, using expired token as hint.`);
           return AuthInfo.Default()
             .withExpired(true)
-            .withIdp(idp)
             .withLoginHint(profile.email);
         } catch {
           // ignore

package/src/utils/idp-configs/microsoft.js

@@ -17,7 +17,7 @@ export default {
     clientSecret: state.env.HLX_SITE_APP_AZURE_CLIENT_SECRET,
   }),
   scope: 'openid profile email',
-  validateIssuer: (iss) => iss.startsWith('https://login.microsoftonline.com/'),
+  // validateIssuer: (iss) => iss.startsWith('https://login.microsoftonline.com/'),
   discoveryUrl: 'https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration',
   // todo: fetch from discovery document
   discovery: {

package/src/utils/idp-configs/admin.js

@@ -1,25 +0,0 @@
-/*
- * Copyright 2022 Adobe. All rights reserved.
- * This file is licensed to you under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed under
- * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
- * OF ANY KIND, either express or implied. See the License for the specific language
- * governing permissions and limitations under the License.
- */
-
-/**
- * virtual idp config for the admin service
- */
-export default {
-  name: 'admin',
-  client: (state) => ({
-    clientId: state.env.HLX_SITE_APP_AZURE_CLIENT_ID,
-  }),
-  validateIssuer: (iss) => iss === 'https://admin.hlx.page/',
-  discovery: {
-    jwks_uri: 'https://admin.hlx.page/auth/discovery/keys',
-  },
-};