@adobe/helix-html-pipeline 6.1.0 → 6.1.2

package/CHANGELOG.md

@@ -1,3 +1,17 @@
+## [6.1.2](https://github.com/adobe/helix-html-pipeline/compare/v6.1.1...v6.1.2) (2024-01-15)
+
+
+### Bug Fixes
+
+* shorten auth state ([#493](https://github.com/adobe/helix-html-pipeline/issues/493)) ([72b3ede](https://github.com/adobe/helix-html-pipeline/commit/72b3ede01a0aee189aa66277407950489b718a2d))
+
+## [6.1.1](https://github.com/adobe/helix-html-pipeline/compare/v6.1.0...v6.1.1) (2024-01-13)
+
+
+### Bug Fixes
+
+* handle /.auth path ([#490](https://github.com/adobe/helix-html-pipeline/issues/490)) ([ce2d761](https://github.com/adobe/helix-html-pipeline/commit/ce2d7617b6abd138a5f58ffb2788e698396191fc))
+
 # [6.1.0](https://github.com/adobe/helix-html-pipeline/compare/v6.0.1...v6.1.0) (2024-01-13)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adobe/helix-html-pipeline",
-  "version": "6.1.0",
+  "version": "6.1.2",
   "description": "Helix HTML Pipeline",
   "main": "src/index.js",
   "types": "src/index.d.ts",
@@ -54,7 +54,7 @@
     "hast-util-to-string": "3.0.0",
     "hastscript": "8.0.0",
     "jose": "5.2.0",
-    "mdast-util-to-hast": "13.0.2",
+    "mdast-util-to-hast": "13.1.0",
     "mdast-util-to-string": "4.0.0",
     "mime": "4.0.1",
     "rehype-format": "5.0.0",
@@ -75,7 +75,7 @@
     "@semantic-release/changelog": "6.0.3",
     "@semantic-release/git": "10.0.1",
     "@semantic-release/npm": "11.0.2",
-    "c8": "9.0.0",
+    "c8": "9.1.0",
     "eslint": "8.56.0",
     "eslint-import-resolver-exports": "1.0.0-beta.5",
     "eslint-plugin-header": "3.1.1",
@@ -83,7 +83,7 @@
     "esmock": "2.6.0",
     "husky": "8.0.3",
     "js-yaml": "4.1.0",
-    "jsdom": "23.1.0",
+    "jsdom": "23.2.0",
     "junit-report-builder": "3.1.0",
     "lint-staged": "15.2.0",
     "mocha": "10.2.0",

package/src/PipelineState.d.ts

@@ -141,5 +141,10 @@ declare class PipelineState {
    * the custom live host if configured via config.cdn.live.host
    */
   liveHost: string;
+
+  /**
+   * used for development server to include RSO information in the auth state
+   */
+  authIncludeRSO: boolean;
 }
 

package/src/auth-pipe.js

@@ -0,0 +1,57 @@
+/*
+ * Copyright 2021 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+import { cleanupHeaderValue } from '@adobe/helix-shared-utils';
+import setCustomResponseHeaders from './steps/set-custom-response-headers.js';
+import { PipelineResponse } from './PipelineResponse.js';
+import { validateAuthState, getAuthInfo } from './utils/auth.js';
+
+/**
+ * Runs the auth pipeline that handles the token exchange. this is separated from the main pipeline
+ * since it doesn't need the configuration.
+ *
+ * @param {PipelineState} state
+ * @param {PipelineRequest} req
+ * @returns {PipelineResponse}
+ */
+export async function authPipe(state, req) {
+  const { log } = state;
+
+  /** @type PipelineResponse */
+  const res = new PipelineResponse('', {
+    headers: {
+      'content-type': 'text/html; charset=utf-8',
+    },
+  });
+
+  try {
+    await validateAuthState(state, req);
+    const authInfo = await getAuthInfo(state, req);
+    await authInfo.exchangeToken(state, req, res);
+    /* c8 ignore next */
+    const level = res.status >= 500 ? 'error' : 'info';
+    log[level](`pipeline status: ${res.status} ${res.error}`);
+    res.headers.set('x-error', cleanupHeaderValue(res.error));
+    if (res.status < 500) {
+      await setCustomResponseHeaders(state, req, res);
+    }
+    return res;
+  } catch (e) {
+    return new PipelineResponse('', {
+      status: 401,
+      headers: {
+        'cache-control': 'no-store, private, must-revalidate',
+        'content-type': 'text/html; charset=utf-8',
+        'x-error': e.message,
+      },
+    });
+  }
+}

package/src/html-pipe.js

@@ -36,7 +36,6 @@ import tohtml from './steps/stringify-response.js';
 import { PipelineStatusError } from './PipelineStatusError.js';
 import { PipelineResponse } from './PipelineResponse.js';
 import { validatePathInfo } from './utils/path.js';
-import { getAuthInfo } from './utils/auth.js';
 import fetchMappedMetadata from './steps/fetch-mapped-metadata.js';
 
 /**
@@ -104,20 +103,6 @@ export async function htmlPipe(state, req) {
     },
   });
 
-  // check if `.auth` route to validate and exchange token
-  if (state.partition === '.auth') {
-    const authInfo = await getAuthInfo(state, req);
-    await authInfo.exchangeToken(state, req, res);
-    /* c8 ignore next */
-    const level = res.status >= 500 ? 'error' : 'info';
-    log[level](`pipeline status: ${res.status} ${res.error}`);
-    res.headers.set('x-error', cleanupHeaderValue(res.error));
-    if (res.status < 500) {
-      await setCustomResponseHeaders(state, req, res);
-    }
-    return res;
-  }
-
   try {
     await initConfig(state, req, res);
 

package/src/index.js

@@ -11,10 +11,10 @@
  */
 export * from './html-pipe.js';
 export * from './json-pipe.js';
+export * from './auth-pipe.js';
 export * from './options-pipe.js';
 export * from './PipelineContent.js';
 export * from './PipelineRequest.js';
 export * from './PipelineResponse.js';
 export * from './PipelineState.js';
 export * from './PipelineStatusError.js';
-export { validateAuthState } from './utils/auth.js';

package/src/utils/auth.js

@@ -31,6 +31,16 @@ let ADMIN_KEY_PAIR = null;
 export class AccessDeniedError extends Error {
 }
 
+async function getAdminKeyPair(state) {
+  if (!ADMIN_KEY_PAIR) {
+    ADMIN_KEY_PAIR = {
+      privateKey: await importJWK(JSON.parse(state.env.HLX_ADMIN_IDP_PRIVATE_KEY), 'RS256'),
+      publicKey: JSON.parse(state.env.HLX_ADMIN_IDP_PUBLIC_KEY),
+    };
+  }
+  return ADMIN_KEY_PAIR;
+}
+
 /**
  * Signs the given JWT with the admin private key and returns the token.
  * @param {PipelineState} state
@@ -38,13 +48,7 @@ export class AccessDeniedError extends Error {
  * @returns {Promise<string>}
  */
 async function signJWT(state, jwt) {
-  if (!ADMIN_KEY_PAIR) {
-    ADMIN_KEY_PAIR = {
-      privateKey: await importJWK(JSON.parse(state.env.HLX_ADMIN_IDP_PRIVATE_KEY), 'RS256'),
-      publicKey: JSON.parse(state.env.HLX_ADMIN_IDP_PUBLIC_KEY),
-    };
-  }
-  const { privateKey, publicKey } = ADMIN_KEY_PAIR;
+  const { privateKey, publicKey } = await getAdminKeyPair(state);
   return jwt
     .setProtectedHeader({
       alg: 'RS256',
@@ -55,6 +59,23 @@ async function signJWT(state, jwt) {
     .sign(privateKey);
 }
 
+/**
+ * Creates the auth state JWT for redirecting back to the initial page
+ * @param {PipelineState} state
+ * @param {SignJWT} jwt
+ * @returns {Promise<string>}
+ */
+async function createStateJWT(state, jwt) {
+  const { privateKey, publicKey } = await getAdminKeyPair(state);
+  return jwt
+    .setProtectedHeader({
+      alg: 'RS256',
+      kid: publicKey.kid,
+    })
+    .setIssuer(publicKey.issuer)
+    .sign(privateKey);
+}
+
 /**
  * Verifies and decodes the given jwt using the admin public key
  * @param {PipelineState} state
@@ -75,6 +96,23 @@ async function verifyJwt(state, jwt, lenient = false) {
   return payload;
 }
 
+/**
+ * Verifies and decodes the given state jwt using the admin public key
+ * @param {PipelineState} state
+ * @param {string} jwt
+ * @returns {Promise<JWTPayload>}
+ */
+async function verifyStateJwt(state, jwt) {
+  const publicKey = JSON.parse(state.env.HLX_ADMIN_IDP_PUBLIC_KEY);
+  const jwks = createLocalJWKSet({
+    keys: [publicKey],
+  });
+  const { payload } = await jwtVerify(jwt, jwks, {
+    issuer: publicKey.issuer,
+  });
+  return payload;
+}
+
 /**
  * Decodes the given id_token for the given idp. if `lenient` is `true`, the clock tolerance
  * is set to 1 week. this allows to extract some profile information that can be used as login_hint.
@@ -228,7 +266,7 @@ export class AuthInfo {
     }
 
     // determine the location of 'this' document based on the xfh header. so that logins to
-    // .page stay on .page. etc. but fallback to the config.host if non set
+    // .page stay on .page. etc. but fallback to the production host if not set
     const { host, proto } = getRequestHostAndProto(state, req);
     if (!host) {
       log.error('[auth] unable to create login redirect: no xfh or config.host.');
@@ -236,18 +274,21 @@ export class AuthInfo {
       return;
     }
 
-    const url = new URL(idp.discovery.authorization_endpoint);
-
-    const tokenState = await signJWT(state, new SignJWT({
-      ref: state.ref,
-      org: state.org,
-      site: state.site,
-      // this is our own login redirect, i.e. the current document
-      requestPath: state.info.path,
-      requestHost: host,
-      requestProto: proto,
-    }));
+    // create the token state, so stat we know where to redirect back after the token exchange
+    const payload = {
+      url: `${proto}://${host}${state.info.path}`,
+    };
+    // this is for the development server to remember the org, site, ref and partition
+    // normally, this is not needed as the host is used to determine that information
+    if (state.authIncludeRSO) {
+      payload.org = state.org;
+      payload.site = state.site;
+      payload.ref = state.ref;
+      payload.partition = state.partition;
+    }
+    const tokenState = await createStateJWT(state, new SignJWT(payload));
 
+    const url = new URL(idp.discovery.authorization_endpoint);
     url.searchParams.append('client_id', clientId);
     url.searchParams.append('response_type', 'code');
     url.searchParams.append('scope', idp.scope);
@@ -370,8 +411,8 @@ export class AuthInfo {
   }
 }
 
-export async function validateAuthState(ctx, req) {
-  const { log } = ctx;
+export async function validateAuthState(state, req) {
+  const { log } = state;
   // use request headers if present
   if (req.headers.get('x-hlx-auth-state')) {
     log.info('[auth] override params.state from header.');
@@ -389,19 +430,24 @@ export async function validateAuthState(ctx, req) {
 
   try {
     req.params.rawState = req.params.state;
-    req.params.state = await verifyJwt(ctx, req.params.state);
-    delete req.params.state.aud;
-    delete req.params.state.iss;
+    const payload = await verifyStateJwt(state, req.params.state);
+    const url = new URL(payload.url);
+    req.params.state = {
+      requestPath: url.pathname,
+      requestHost: url.host,
+      requestProto: url.protocol.replace(/:$/, ''),
+    };
+    // for development server
+    if (payload.org && payload.site && payload.ref && payload.partition) {
+      state.org = payload.org;
+      state.site = payload.site;
+      state.ref = payload.ref;
+      state.partition = payload.partition;
+    }
   } catch (e) {
     log.warn(`[auth] error decoding state parameter: invalid state: ${e.message}`);
     throw new Error('invalid state parameter.');
   }
-
-  return {
-    ref: req.params.state.ref,
-    site: req.params.state.site,
-    org: req.params.state.org,
-  };
 }
 
 /**