npm - @adobe/helix-html-pipeline - Versions diffs - 6.1.1 → 6.1.2 - Mend

@adobe/helix-html-pipeline 6.1.1 → 6.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,10 @@
+## [6.1.2](https://github.com/adobe/helix-html-pipeline/compare/v6.1.1...v6.1.2) (2024-01-15)
+### Bug Fixes
+* shorten auth state ([#493](https://github.com/adobe/helix-html-pipeline/issues/493)) ([72b3ede](https://github.com/adobe/helix-html-pipeline/commit/72b3ede01a0aee189aa66277407950489b718a2d))
 ## [6.1.1](https://github.com/adobe/helix-html-pipeline/compare/v6.1.0...v6.1.1) (2024-01-13)

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@adobe/helix-html-pipeline",
-  "version": "6.1.1",
+  "version": "6.1.2",
   "description": "Helix HTML Pipeline",
   "main": "src/index.js",
   "types": "src/index.d.ts",
@@ -54,7 +54,7 @@
     "hast-util-to-string": "3.0.0",
     "hastscript": "8.0.0",
     "jose": "5.2.0",
-    "mdast-util-to-hast": "13.0.2",
+    "mdast-util-to-hast": "13.1.0",
     "mdast-util-to-string": "4.0.0",
     "mime": "4.0.1",
     "rehype-format": "5.0.0",
@@ -75,7 +75,7 @@
     "@semantic-release/changelog": "6.0.3",
     "@semantic-release/git": "10.0.1",
     "@semantic-release/npm": "11.0.2",
-    "c8": "9.0.0",
+    "c8": "9.1.0",
     "eslint": "8.56.0",
     "eslint-import-resolver-exports": "1.0.0-beta.5",
     "eslint-plugin-header": "3.1.1",
@@ -83,7 +83,7 @@
     "esmock": "2.6.0",
     "husky": "8.0.3",
     "js-yaml": "4.1.0",
-    "jsdom": "23.1.0",
+    "jsdom": "23.2.0",
     "junit-report-builder": "3.1.0",
     "lint-staged": "15.2.0",
     "mocha": "10.2.0",

package/src/PipelineState.d.ts CHANGED Viewed

@@ -141,5 +141,10 @@ declare class PipelineState {
    * the custom live host if configured via config.cdn.live.host
    */
   liveHost: string;
+  /**
+   * used for development server to include RSO information in the auth state
+   */
+  authIncludeRSO: boolean;
 }

package/src/auth-pipe.js ADDED Viewed

@@ -0,0 +1,57 @@
+/*
+ * Copyright 2021 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+import { cleanupHeaderValue } from '@adobe/helix-shared-utils';
+import setCustomResponseHeaders from './steps/set-custom-response-headers.js';
+import { PipelineResponse } from './PipelineResponse.js';
+import { validateAuthState, getAuthInfo } from './utils/auth.js';
+/**
+ * Runs the auth pipeline that handles the token exchange. this is separated from the main pipeline
+ * since it doesn't need the configuration.
+ *
+ * @param {PipelineState} state
+ * @param {PipelineRequest} req
+ * @returns {PipelineResponse}
+ */
+export async function authPipe(state, req) {
+  const { log } = state;
+  /** @type PipelineResponse */
+  const res = new PipelineResponse('', {
+    headers: {
+      'content-type': 'text/html; charset=utf-8',
+    },
+  });
+  try {
+    await validateAuthState(state, req);
+    const authInfo = await getAuthInfo(state, req);
+    await authInfo.exchangeToken(state, req, res);
+    /* c8 ignore next */
+    const level = res.status >= 500 ? 'error' : 'info';
+    log[level](`pipeline status: ${res.status} ${res.error}`);
+    res.headers.set('x-error', cleanupHeaderValue(res.error));
+    if (res.status < 500) {
+      await setCustomResponseHeaders(state, req, res);
+    }
+    return res;
+  } catch (e) {
+    return new PipelineResponse('', {
+      status: 401,
+      headers: {
+        'cache-control': 'no-store, private, must-revalidate',
+        'content-type': 'text/html; charset=utf-8',
+        'x-error': e.message,
+      },
+    });
+  }
+}

package/src/html-pipe.js CHANGED Viewed

@@ -36,7 +36,6 @@ import tohtml from './steps/stringify-response.js';
 import { PipelineStatusError } from './PipelineStatusError.js';
 import { PipelineResponse } from './PipelineResponse.js';
 import { validatePathInfo } from './utils/path.js';
-import { getAuthInfo } from './utils/auth.js';
 import fetchMappedMetadata from './steps/fetch-mapped-metadata.js';
 /**
@@ -104,20 +103,6 @@ export async function htmlPipe(state, req) {
     },
   });
-  // check if `.auth` route to validate and exchange token
-  if (state.partition === '.auth' || state.info.path === '/.auth') {
-    const authInfo = await getAuthInfo(state, req);
-    await authInfo.exchangeToken(state, req, res);
-    /* c8 ignore next */
-    const level = res.status >= 500 ? 'error' : 'info';
-    log[level](`pipeline status: ${res.status} ${res.error}`);
-    res.headers.set('x-error', cleanupHeaderValue(res.error));
-    if (res.status < 500) {
-      await setCustomResponseHeaders(state, req, res);
-    }
-    return res;
-  }
   try {
     await initConfig(state, req, res);

package/src/index.js CHANGED Viewed

@@ -11,10 +11,10 @@
  */
 export * from './html-pipe.js';
 export * from './json-pipe.js';
+export * from './auth-pipe.js';
 export * from './options-pipe.js';
 export * from './PipelineContent.js';
 export * from './PipelineRequest.js';
 export * from './PipelineResponse.js';
 export * from './PipelineState.js';
 export * from './PipelineStatusError.js';
-export { validateAuthState } from './utils/auth.js';

package/src/utils/auth.js CHANGED Viewed

@@ -31,6 +31,16 @@ let ADMIN_KEY_PAIR = null;
 export class AccessDeniedError extends Error {
 }
+async function getAdminKeyPair(state) {
+  if (!ADMIN_KEY_PAIR) {
+    ADMIN_KEY_PAIR = {
+      privateKey: await importJWK(JSON.parse(state.env.HLX_ADMIN_IDP_PRIVATE_KEY), 'RS256'),
+      publicKey: JSON.parse(state.env.HLX_ADMIN_IDP_PUBLIC_KEY),
+    };
+  }
+  return ADMIN_KEY_PAIR;
+}
 /**
  * Signs the given JWT with the admin private key and returns the token.
  * @param {PipelineState} state
@@ -38,13 +48,7 @@ export class AccessDeniedError extends Error {
  * @returns {Promise<string>}
  */
 async function signJWT(state, jwt) {
-  if (!ADMIN_KEY_PAIR) {
-    ADMIN_KEY_PAIR = {
-      privateKey: await importJWK(JSON.parse(state.env.HLX_ADMIN_IDP_PRIVATE_KEY), 'RS256'),
-      publicKey: JSON.parse(state.env.HLX_ADMIN_IDP_PUBLIC_KEY),
-    };
-  }
-  const { privateKey, publicKey } = ADMIN_KEY_PAIR;
+  const { privateKey, publicKey } = await getAdminKeyPair(state);
   return jwt
     .setProtectedHeader({
       alg: 'RS256',
@@ -55,6 +59,23 @@ async function signJWT(state, jwt) {
     .sign(privateKey);
 }
+/**
+ * Creates the auth state JWT for redirecting back to the initial page
+ * @param {PipelineState} state
+ * @param {SignJWT} jwt
+ * @returns {Promise<string>}
+ */
+async function createStateJWT(state, jwt) {
+  const { privateKey, publicKey } = await getAdminKeyPair(state);
+  return jwt
+    .setProtectedHeader({
+      alg: 'RS256',
+      kid: publicKey.kid,
+    })
+    .setIssuer(publicKey.issuer)
+    .sign(privateKey);
+}
 /**
  * Verifies and decodes the given jwt using the admin public key
  * @param {PipelineState} state
@@ -75,6 +96,23 @@ async function verifyJwt(state, jwt, lenient = false) {
   return payload;
 }
+/**
+ * Verifies and decodes the given state jwt using the admin public key
+ * @param {PipelineState} state
+ * @param {string} jwt
+ * @returns {Promise<JWTPayload>}
+ */
+async function verifyStateJwt(state, jwt) {
+  const publicKey = JSON.parse(state.env.HLX_ADMIN_IDP_PUBLIC_KEY);
+  const jwks = createLocalJWKSet({
+    keys: [publicKey],
+  });
+  const { payload } = await jwtVerify(jwt, jwks, {
+    issuer: publicKey.issuer,
+  });
+  return payload;
+}
 /**
  * Decodes the given id_token for the given idp. if `lenient` is `true`, the clock tolerance
  * is set to 1 week. this allows to extract some profile information that can be used as login_hint.
@@ -228,7 +266,7 @@ export class AuthInfo {
     }
     // determine the location of 'this' document based on the xfh header. so that logins to
-    // .page stay on .page. etc. but fallback to the config.host if non set
+    // .page stay on .page. etc. but fallback to the production host if not set
     const { host, proto } = getRequestHostAndProto(state, req);
     if (!host) {
       log.error('[auth] unable to create login redirect: no xfh or config.host.');
@@ -236,18 +274,21 @@ export class AuthInfo {
       return;
     }
-    const url = new URL(idp.discovery.authorization_endpoint);
-    const tokenState = await signJWT(state, new SignJWT({
-      ref: state.ref,
-      org: state.org,
-      site: state.site,
-      // this is our own login redirect, i.e. the current document
-      requestPath: state.info.path,
-      requestHost: host,
-      requestProto: proto,
-    }));
+    // create the token state, so stat we know where to redirect back after the token exchange
+    const payload = {
+      url: `${proto}://${host}${state.info.path}`,
+    };
+    // this is for the development server to remember the org, site, ref and partition
+    // normally, this is not needed as the host is used to determine that information
+    if (state.authIncludeRSO) {
+      payload.org = state.org;
+      payload.site = state.site;
+      payload.ref = state.ref;
+      payload.partition = state.partition;
+    }
+    const tokenState = await createStateJWT(state, new SignJWT(payload));
+    const url = new URL(idp.discovery.authorization_endpoint);
     url.searchParams.append('client_id', clientId);
     url.searchParams.append('response_type', 'code');
     url.searchParams.append('scope', idp.scope);
@@ -370,8 +411,8 @@ export class AuthInfo {
   }
 }
-export async function validateAuthState(ctx, req) {
-  const { log } = ctx;
+export async function validateAuthState(state, req) {
+  const { log } = state;
   // use request headers if present
   if (req.headers.get('x-hlx-auth-state')) {
     log.info('[auth] override params.state from header.');
@@ -389,19 +430,24 @@ export async function validateAuthState(ctx, req) {
   try {
     req.params.rawState = req.params.state;
-    req.params.state = await verifyJwt(ctx, req.params.state);
-    delete req.params.state.aud;
-    delete req.params.state.iss;
+    const payload = await verifyStateJwt(state, req.params.state);
+    const url = new URL(payload.url);
+    req.params.state = {
+      requestPath: url.pathname,
+      requestHost: url.host,
+      requestProto: url.protocol.replace(/:$/, ''),
+    };
+    // for development server
+    if (payload.org && payload.site && payload.ref && payload.partition) {
+      state.org = payload.org;
+      state.site = payload.site;
+      state.ref = payload.ref;
+      state.partition = payload.partition;
+    }
   } catch (e) {
     log.warn(`[auth] error decoding state parameter: invalid state: ${e.message}`);
     throw new Error('invalid state parameter.');
   }
-  return {
-    ref: req.params.state.ref,
-    site: req.params.state.site,
-    org: req.params.state.org,
-  };
 }
 /**