@adobe/helix-html-pipeline 5.1.3 → 5.2.0

package/CHANGELOG.md

@@ -1,3 +1,10 @@
+# [5.2.0](https://github.com/adobe/helix-html-pipeline/compare/v5.1.3...v5.2.0) (2023-11-15)
+
+
+### Features
+
+* implement partition specific auth ([#456](https://github.com/adobe/helix-html-pipeline/issues/456)) ([89fa4f1](https://github.com/adobe/helix-html-pipeline/commit/89fa4f1a7a8ddaecad3659f6eaa37416a4452744)), closes [#274](https://github.com/adobe/helix-html-pipeline/issues/274)
+
 ## [5.1.3](https://github.com/adobe/helix-html-pipeline/compare/v5.1.2...v5.1.3) (2023-11-11)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adobe/helix-html-pipeline",
-  "version": "5.1.3",
+  "version": "5.2.0",
   "description": "Helix HTML Pipeline",
   "main": "src/index.js",
   "types": "src/index.d.ts",

package/src/steps/authenticate.js

@@ -10,6 +10,7 @@
  * governing permissions and limitations under the License.
  */
 import { getAuthInfo, makeAuthError } from '../utils/auth.js';
+import { toArray } from './utils.js';
 
 /**
  * Checks if the given email is allowed.
@@ -27,6 +28,26 @@ export function isAllowed(email = '', allows = []) {
   return allows.findIndex((a) => a === email || a === wild) >= 0;
 }
 
+/**
+ * Returns the normalized access configuration for the current partition.
+ * @param state
+ * @return {{}}
+ */
+export function getAccessConfig(state) {
+  const { access } = state.config;
+  if (!access) {
+    return {
+      allow: [],
+      apiKeyId: [],
+    };
+  }
+  const { partition } = state;
+  return {
+    allow: toArray(access[partition]?.allow ?? access.allow),
+    apiKeyId: toArray(access[partition]?.apiKeyId ?? access.apiKeyId),
+  };
+}
+
 /**
  * Handles authentication
  * @type PipelineStep
@@ -43,8 +64,11 @@ export async function authenticate(state, req, res) {
     return;
   }
 
+  // get partition relative auth info
+  const access = getAccessConfig(state);
+
   // if not protected, do nothing
-  if (!state.config?.access?.allow) {
+  if (!access.allow.length) {
     return;
   }
 
@@ -77,20 +101,15 @@ export async function authenticate(state, req, res) {
 
   // validate jti
   if (jti) {
-    const ids = Array.isArray(state.config.access.apiKeyId)
-      ? state.config.access.apiKeyId
-      : [state.config.access.apiKeyId];
-    if (ids.indexOf(jti) < 0) {
-      state.log.warn(`[auth] invalid jti ${jti}: does not match configured id ${state.config.access.apiKeyId}`);
+    if (access.apiKeyId.indexOf(jti) < 0) {
+      state.log.warn(`[auth] invalid jti ${jti}: does not match configured id ${access.apiKeyId}`);
       makeAuthError(state, req, res, 'invalid-jti');
     }
   }
 
   // check profile is allowed
-  const { allow } = state.config.access;
-  const allows = Array.isArray(allow) ? allow : [allow];
-  if (!isAllowed(email, allows)) {
-    state.log.warn(`[auth] profile not allowed for ${allows}`);
+  if (!isAllowed(email, access.allow)) {
+    state.log.warn(`[auth] profile not allowed for ${access.allow}`);
     makeAuthError(state, req, res, 'forbidden', 403);
   }
 }

package/src/steps/utils.js

@@ -216,3 +216,10 @@ export function rewriteUrl(state, url) {
 
   return url;
 }
+
+export function toArray(v) {
+  if (!v) {
+    return [];
+  }
+  return Array.isArray(v) ? v : [v];
+}

package/src/utils/json-filter.js

@@ -10,6 +10,7 @@
  * governing permissions and limitations under the License.
  */
 import { PipelineStatusError } from '../PipelineStatusError.js';
+import { toArray } from '../steps/utils.js';
 
 const TYPE_KEY = ':type';
 
@@ -78,7 +79,7 @@ export default function jsonFilter(state, res, query) {
   }
 
   state.timer?.update('json-filter');
-  const requestedSheets = Array.isArray(sheet) ? sheet : [sheet];
+  const requestedSheets = toArray(sheet);
   if (requestedSheets.length === 0 && 'default' in json) {
     requestedSheets.push('default');
   }