@adobe/helix-html-pipeline 6.1.2 → 6.3.0

package/CHANGELOG.md

@@ -1,3 +1,17 @@
+# [6.3.0](https://github.com/adobe/helix-html-pipeline/compare/v6.2.0...v6.3.0) (2024-01-17)
+
+
+### Features
+
+* simplify auth route ([#496](https://github.com/adobe/helix-html-pipeline/issues/496)) ([396aa22](https://github.com/adobe/helix-html-pipeline/commit/396aa22d0e2509d4706ee475d032f094c913f59d))
+
+# [6.2.0](https://github.com/adobe/helix-html-pipeline/compare/v6.1.2...v6.2.0) (2024-01-15)
+
+
+### Features
+
+* use aem page ([#494](https://github.com/adobe/helix-html-pipeline/issues/494)) ([a04453b](https://github.com/adobe/helix-html-pipeline/commit/a04453b57476c3c3dde9d1d270a26ffe83d78523))
+
 ## [6.1.2](https://github.com/adobe/helix-html-pipeline/compare/v6.1.1...v6.1.2) (2024-01-15)
 
 

package/README.md

@@ -8,10 +8,9 @@ This package contains the common code for `helix-pipeline-service` and `helix-cl
 
 ## Status
 [![codecov](https://img.shields.io/codecov/c/github/adobe/helix-html-pipeline.svg)](https://codecov.io/gh/adobe/helix-html-pipeline)
-[![CircleCI](https://img.shields.io/circleci/project/github/adobe/helix-html-pipeline.svg)](https://circleci.com/gh/adobe/helix-html-pipeline)
+![GitHub Actions Workflow Status](https://img.shields.io/github/actions/workflow/status/adobe/helix-html-pipeline/main.yaml)
 [![GitHub license](https://img.shields.io/github/license/adobe/helix-html-pipeline.svg)](https://github.com/adobe/helix-html-pipeline/blob/master/LICENSE.txt)
 [![GitHub issues](https://img.shields.io/github/issues/adobe/helix-html-pipeline.svg)](https://github.com/adobe/helix-html-pipeline/issues)
-[![LGTM Code Quality Grade: JavaScript](https://img.shields.io/lgtm/grade/javascript/g/adobe/helix-html-pipeline.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/adobe/helix-html-pipeline)
 [![semantic-release](https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg)](https://github.com/semantic-release/semantic-release)
 
 ## Installation

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adobe/helix-html-pipeline",
-  "version": "6.1.2",
+  "version": "6.3.0",
   "description": "Helix HTML Pipeline",
   "main": "src/index.js",
   "types": "src/index.d.ts",
@@ -16,6 +16,7 @@
     "test": "c8 mocha",
     "lint": "eslint .",
     "semantic-release": "semantic-release",
+    "semantic-release-dry": "semantic-release --dry-run --branches $CI_BRANCH",
     "prepare": "husky install"
   },
   "repository": {

package/src/auth-pipe.js

@@ -10,47 +10,36 @@
  * governing permissions and limitations under the License.
  */
 import { cleanupHeaderValue } from '@adobe/helix-shared-utils';
-import setCustomResponseHeaders from './steps/set-custom-response-headers.js';
 import { PipelineResponse } from './PipelineResponse.js';
-import { validateAuthState, getAuthInfo } from './utils/auth.js';
+import { validateAuthState, getRequestHostAndProto, AuthInfo } from './utils/auth.js';
+import { clearAuthCookie } from './utils/auth-cookie.js';
+import idpMicrosoft from './utils/idp-configs/microsoft.js';
 
 /**
  * Runs the auth pipeline that handles the token exchange. this is separated from the main pipeline
- * since it doesn't need the configuration.
+ * since it doesn't need the configuration (yet).
  *
  * @param {PipelineState} state
  * @param {PipelineRequest} req
  * @returns {PipelineResponse}
  */
-export async function authPipe(state, req) {
-  const { log } = state;
-
-  /** @type PipelineResponse */
-  const res = new PipelineResponse('', {
-    headers: {
-      'content-type': 'text/html; charset=utf-8',
-    },
-  });
-
+export async function authPipe(ctx, req) {
   try {
-    await validateAuthState(state, req);
-    const authInfo = await getAuthInfo(state, req);
-    await authInfo.exchangeToken(state, req, res);
-    /* c8 ignore next */
-    const level = res.status >= 500 ? 'error' : 'info';
-    log[level](`pipeline status: ${res.status} ${res.error}`);
-    res.headers.set('x-error', cleanupHeaderValue(res.error));
-    if (res.status < 500) {
-      await setCustomResponseHeaders(state, req, res);
-    }
-    return res;
+    await validateAuthState(ctx, req);
+    const authInfo = AuthInfo
+      .Default()
+      // todo: select idp from config
+      .withIdp(idpMicrosoft);
+    return await authInfo.exchangeToken(ctx, req);
   } catch (e) {
+    const { proto } = getRequestHostAndProto(ctx, req);
     return new PipelineResponse('', {
       status: 401,
       headers: {
         'cache-control': 'no-store, private, must-revalidate',
         'content-type': 'text/html; charset=utf-8',
-        'x-error': e.message,
+        'x-error': cleanupHeaderValue(e.message),
+        'set-cookie': clearAuthCookie(proto === 'https'),
       },
     });
   }

package/src/steps/utils.js

@@ -12,9 +12,9 @@
 
 const AZURE_BLOB_REGEXP = /^https:\/\/hlx\.blob\.core\.windows\.net\/external\//;
 
-const MEDIA_BLOB_REGEXP = /^https:\/\/.*\.hlx3?\.(live|page)\/media_.*/;
+const MEDIA_BLOB_REGEXP = /^https:\/\/.*\.(aem|hlx3?)\.(live|page)\/media_.*/;
 
-const HELIX_URL_REGEXP = /^https:\/\/(?!admin\.|www\.)[^.]+\.hlx3?\.(live|page)\/?.*/;
+const HELIX_URL_REGEXP = /^https:\/\/(?!admin\.|www\.)[^.]+\.(aem|hlx3?)\.(live|page)\/?.*/;
 
 /**
  * Returns the original host name from the request to the outer CDN.

package/src/utils/auth.js

@@ -23,8 +23,9 @@ import idpMicrosoft from './idp-configs/microsoft.js';
 
 // eslint-disable-next-line import/no-unresolved
 import cryptoImpl from '#crypto';
+import { PipelineResponse } from '../PipelineResponse.js';
 
-const AUTH_REDIRECT_URL = 'https://login.hlx.page/.auth';
+const AUTH_REDIRECT_URL = 'https://login.aem.page/.auth';
 
 let ADMIN_KEY_PAIR = null;
 
@@ -59,23 +60,6 @@ async function signJWT(state, jwt) {
     .sign(privateKey);
 }
 
-/**
- * Creates the auth state JWT for redirecting back to the initial page
- * @param {PipelineState} state
- * @param {SignJWT} jwt
- * @returns {Promise<string>}
- */
-async function createStateJWT(state, jwt) {
-  const { privateKey, publicKey } = await getAdminKeyPair(state);
-  return jwt
-    .setProtectedHeader({
-      alg: 'RS256',
-      kid: publicKey.kid,
-    })
-    .setIssuer(publicKey.issuer)
-    .sign(privateKey);
-}
-
 /**
  * Verifies and decodes the given jwt using the admin public key
  * @param {PipelineState} state
@@ -96,23 +80,6 @@ async function verifyJwt(state, jwt, lenient = false) {
   return payload;
 }
 
-/**
- * Verifies and decodes the given state jwt using the admin public key
- * @param {PipelineState} state
- * @param {string} jwt
- * @returns {Promise<JWTPayload>}
- */
-async function verifyStateJwt(state, jwt) {
-  const publicKey = JSON.parse(state.env.HLX_ADMIN_IDP_PUBLIC_KEY);
-  const jwks = createLocalJWKSet({
-    keys: [publicKey],
-  });
-  const { payload } = await jwtVerify(jwt, jwks, {
-    issuer: publicKey.issuer,
-  });
-  return payload;
-}
-
 /**
  * Decodes the given id_token for the given idp. if `lenient` is `true`, the clock tolerance
  * is set to 1 week. this allows to extract some profile information that can be used as login_hint.
@@ -144,7 +111,7 @@ export async function decodeIdToken(state, idToken, lenient = false) {
  * @param {PipelineRequest} req
  * @returns {{proto: (*|string), host: string}} the request host and protocol.
  */
-function getRequestHostAndProto(state, req) {
+export function getRequestHostAndProto(state, req) {
   // determine the location of 'this' document based on the xfh header. so that logins to
   // .page stay on .page. etc. but fallback to the config.host if non set
   const xfh = req.headers.get('x-forwarded-host');
@@ -266,7 +233,7 @@ export class AuthInfo {
     }
 
     // determine the location of 'this' document based on the xfh header. so that logins to
-    // .page stay on .page. etc. but fallback to the production host if not set
+    // .page stay on .page. etc. but fallback to the config.host if non set
     const { host, proto } = getRequestHostAndProto(state, req);
     if (!host) {
       log.error('[auth] unable to create login redirect: no xfh or config.host.');
@@ -276,17 +243,9 @@ export class AuthInfo {
 
     // create the token state, so stat we know where to redirect back after the token exchange
     const payload = {
-      url: `${proto}://${host}${state.info.path}`,
+      url: state.createExternalLocation(`${proto}://${host}${state.info.path}`),
     };
-    // this is for the development server to remember the org, site, ref and partition
-    // normally, this is not needed as the host is used to determine that information
-    if (state.authIncludeRSO) {
-      payload.org = state.org;
-      payload.site = state.site;
-      payload.ref = state.ref;
-      payload.partition = state.partition;
-    }
-    const tokenState = await createStateJWT(state, new SignJWT(payload));
+    const tokenState = await signJWT(state, new SignJWT(payload));
 
     const url = new URL(idp.discovery.authorization_endpoint);
     url.searchParams.append('client_id', clientId);
@@ -294,7 +253,7 @@ export class AuthInfo {
     url.searchParams.append('scope', idp.scope);
     url.searchParams.append('nonce', cryptoImpl.randomUUID());
     url.searchParams.append('state', tokenState);
-    url.searchParams.append('redirect_uri', state.createExternalLocation(AUTH_REDIRECT_URL));
+    url.searchParams.append('redirect_uri', AUTH_REDIRECT_URL);
     url.searchParams.append('prompt', 'select_account');
 
     log.info('[auth] redirecting to login page', url.href);
@@ -309,53 +268,31 @@ export class AuthInfo {
   /**
    * Performs a token exchange from the code flow and redirects to the root page
    *
-   * @param {PipelineState} state
+   * @param {universalContext} ctx
    * @param {PipelineRequest} req
-   * @param {PipelineResponse} res
+   * @return {PipelineResponse} res
+   * @throws {Error} if the token exchange fails
    */
-  async exchangeToken(state, req, res) {
-    const { log } = state;
+  async exchangeToken(ctx, req) {
+    const { log } = ctx;
     const { idp } = this;
 
     const { code } = req.params;
     if (!code) {
       log.warn('[auth] code exchange failed: code parameter missing.');
-      makeAuthError(state, req, res, 'code exchange failed.');
-      return;
+      throw new Error('code exchange failed.');
     }
 
-    // TODO: exchange token on the login host, set-cookie,
-    //       and then again set-cookie on the request host
-
-    // ensure that the request is made to the target host
-    if (req.params.state?.requestHost) {
-      const { host } = getRequestHostAndProto(state, req);
-      if (host !== req.params.state.requestHost) {
-        const url = new URL(`${req.params.state.requestProto}://${req.params.state.requestHost}/.auth`);
-        url.searchParams.append('state', req.params.rawState);
-        url.searchParams.append('code', req.params.code);
-        const location = state.createExternalLocation(url.href);
-        log.info('[auth] redirecting to initial host', location);
-        res.status = 302;
-        res.body = `please go to <a href="${location}">${location}</a>`;
-        res.headers.set('location', location);
-        res.headers.set('cache-control', 'no-store, private, must-revalidate');
-        res.error = 'moved';
-        return;
-      }
-    }
-
-    await state.authEnvLoader.load(state);
-    const { clientId, clientSecret } = idp.client(state);
+    const { clientId, clientSecret } = idp.client(ctx);
     const url = new URL(idp.discovery.token_endpoint);
     const body = {
       client_id: clientId,
       client_secret: clientSecret,
       code,
       grant_type: 'authorization_code',
-      redirect_uri: state.createExternalLocation(AUTH_REDIRECT_URL),
+      redirect_uri: AUTH_REDIRECT_URL,
     };
-    const { fetch } = state;
+    const { fetch } = ctx;
     const ret = await fetch(url.href, {
       method: 'POST',
       body: new URLSearchParams(body).toString(),
@@ -365,8 +302,7 @@ export class AuthInfo {
     });
     if (!ret.ok) {
       log.warn(`[auth] code exchange failed: ${ret.status}`, await ret.text());
-      makeAuthError(state, req, res, 'code exchange failed.');
-      return;
+      throw new Error('code exchange failed.');
     }
 
     const tokenResponse = await ret.json();
@@ -376,15 +312,13 @@ export class AuthInfo {
       payload = decodeJwt(idToken);
     } catch (e) {
       log.warn(`[auth] id token from ${idp.name} is invalid: ${e.message}`);
-      makeAuthError(state, req, res, 'id token invalid.');
-      return;
+      throw new Error('id token invalid.');
     }
 
     const email = payload.email || payload.preferred_username;
     if (!email) {
       log.warn(`[auth] id token from ${idp.name} is missing email or preferred_username`);
-      makeAuthError(state, req, res, 'id token invalid.');
-      return;
+      throw new Error('id token invalid.');
     }
 
     // create new token
@@ -394,25 +328,31 @@ export class AuthInfo {
     })
       .setIssuedAt()
       .setExpirationTime('12 hours');
-    const authToken = await signJWT(state, jwt);
-
-    // ensure that auth cookie is not cleared again in `index.js`
-    // ctx.attributes.authInfo?.withCookieInvalid(false);
+    const authToken = await signJWT(ctx, jwt);
 
-    const location = state.createExternalLocation(req.params.state.requestPath || '/');
-    log.info('[auth] redirecting to original page with hlx-auth-token cookie: ', location);
-    res.status = 302;
-    res.body = `please go to <a href="${location}">${location}</a>`;
-    res.headers.set('location', location);
-    res.headers.set('content-tye', 'text/plain');
-    res.headers.set('set-cookie', setAuthCookie(authToken, req.params.state.requestProto === 'https'));
-    res.headers.set('cache-control', 'no-store, private, must-revalidate');
-    res.error = 'moved';
+    // redirect to original page
+    const location = req.params.state.url;
+    log.info('[auth] redirecting to original page with hlx-auth-token cookie:', location);
+    return new PipelineResponse(`please go to <a href="${location}">${location}</a>`, {
+      status: 302,
+      headers: {
+        'content-type': 'text/html; charset=utf-8',
+        'set-cookie': setAuthCookie(authToken, location.startsWith('https://')),
+        'cache-control': 'no-store, private, must-revalidate',
+        location,
+      },
+    });
   }
 }
 
-export async function validateAuthState(state, req) {
-  const { log } = state;
+/**
+ * Validates the auth state and code either with from query parameter or request header.
+ * @param {UniversalContext} ctx
+ * @param {PipelineRequest} req
+ * @returns {Promise<void>}
+ */
+export async function validateAuthState(ctx, req) {
+  const { log } = ctx;
   // use request headers if present
   if (req.headers.get('x-hlx-auth-state')) {
     log.info('[auth] override params.state from header.');
@@ -429,21 +369,10 @@ export async function validateAuthState(state, req) {
   }
 
   try {
-    req.params.rawState = req.params.state;
-    const payload = await verifyStateJwt(state, req.params.state);
-    const url = new URL(payload.url);
+    const payload = await verifyJwt(ctx, req.params.state);
     req.params.state = {
-      requestPath: url.pathname,
-      requestHost: url.host,
-      requestProto: url.protocol.replace(/:$/, ''),
+      url: payload.url,
     };
-    // for development server
-    if (payload.org && payload.site && payload.ref && payload.partition) {
-      state.org = payload.org;
-      state.site = payload.site;
-      state.ref = payload.ref;
-      state.partition = payload.partition;
-    }
   } catch (e) {
     log.warn(`[auth] error decoding state parameter: invalid state: ${e.message}`);
     throw new Error('invalid state parameter.');