@adobe/helix-html-pipeline 6.10.3 → 6.12.0

package/CHANGELOG.md

@@ -1,3 +1,19 @@
+# [6.12.0](https://github.com/adobe/helix-html-pipeline/compare/v6.11.0...v6.12.0) (2024-05-22)
+
+
+### Features
+
+* add contentbusid surrogate key for pipeline responses depending on content resources ([e821162](https://github.com/adobe/helix-html-pipeline/commit/e821162b9afc649fbb53ef550d51fd61b4ccc346))
+* add ref--repo--owner_code surrogate key for pipeline responses depending on codebus resources ([797aad2](https://github.com/adobe/helix-html-pipeline/commit/797aad2a1b34aa7eb95fc9ef57a65b60afed2c76))
+* add ref--repo-owner_code for all code resources ([edaa518](https://github.com/adobe/helix-html-pipeline/commit/edaa518db81259d4c247c6cc8445277f41a3ccfb))
+
+# [6.11.0](https://github.com/adobe/helix-html-pipeline/compare/v6.10.3...v6.11.0) (2024-05-13)
+
+
+### Features
+
+* remove auth ([#598](https://github.com/adobe/helix-html-pipeline/issues/598)) ([2eed6f4](https://github.com/adobe/helix-html-pipeline/commit/2eed6f4852fc4b74582ab953be79b77c17e3029b))
+
 ## [6.10.3](https://github.com/adobe/helix-html-pipeline/compare/v6.10.2...v6.10.3) (2024-05-09)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adobe/helix-html-pipeline",
-  "version": "6.10.3",
+  "version": "6.12.0",
   "description": "Helix HTML Pipeline",
   "main": "src/index.js",
   "types": "src/index.d.ts",
@@ -47,14 +47,12 @@
     "@adobe/helix-shared-utils": "3.0.2",
     "@adobe/mdast-util-gridtables": "4.0.4",
     "@adobe/remark-gridtables": "3.0.4",
-    "cookie": "0.6.0",
     "github-slugger": "2.0.0",
-    "hast-util-raw": "9.0.2",
+    "hast-util-raw": "9.0.3",
     "hast-util-select": "6.0.2",
     "hast-util-to-html": "9.0.1",
     "hast-util-to-string": "3.0.0",
     "hastscript": "9.0.0",
-    "jose": "5.2.4",
     "lodash.escape": "4.0.1",
     "mdast-util-to-hast": "13.1.0",
     "mdast-util-to-string": "4.0.0",
@@ -76,7 +74,7 @@
     "@markedjs/html-differ": "4.0.2",
     "@semantic-release/changelog": "6.0.3",
     "@semantic-release/git": "10.0.1",
-    "@semantic-release/npm": "12.0.0",
+    "@semantic-release/npm": "12.0.1",
     "c8": "9.1.0",
     "eslint": "8.57.0",
     "eslint-import-resolver-exports": "1.0.0-beta.5",
@@ -91,7 +89,7 @@
     "mocha": "10.4.0",
     "mocha-multi-reporters": "1.5.1",
     "mocha-suppress-logs": "0.5.1",
-    "semantic-release": "23.0.8"
+    "semantic-release": "23.1.1"
   },
   "lint-staged": {
     "*.js": "eslint",

package/src/PipelineState.d.ts

@@ -9,7 +9,7 @@
  * OF ANY KIND; either express or implied. See the License for the specific language
  * governing permissions and limitations under the License.
  */
-import {PathInfo, S3Loader, FormsMessageDispatcher, PipelineTimer, AuthEnvLoader } from "./index";
+import {PathInfo, S3Loader, PipelineTimer } from "./index";
 import {PipelineContent} from "./PipelineContent";
 import {PipelineSiteConfig} from "./site-config";
 
@@ -21,21 +21,9 @@ declare enum PipelineType {
 
 type Fetch = (url: string|Request, options?: RequestOptions) => Promise<Response>;
 
-declare interface AccessConfig {
-  allow:(string|string[]);
-
-  apiKeyId:(string|string[]);
-
-  require: {
-    repository:(string|string[]);
-  };
-}
-
 declare interface PipelineOptions {
   log: Console;
   s3Loader: S3Loader;
-  messageDispatcher: FormsMessageDispatcher;
-  authEnvLoader: AuthEnvLoader;
   config: PipelineSiteConfig;
   fetch: Fetch;
   ref: string;
@@ -55,16 +43,8 @@ declare class PipelineState {
   content: PipelineContent;
   contentBusId: string;
   s3Loader: S3Loader;
-  messageDispatcher: FormsMessageDispatcher;
-  authEnvLoader: AuthEnvLoader;
   fetch: Fetch;
 
-  /**
-   * Returns the external link representation for authentication related redirects and cookies.
-   * This is only used for local testing and is an identity operation in production.
-   */
-  createExternalLocation(value:string): string;
-
   /**
    * Content bus partition
    * @example 'live'
@@ -122,11 +102,6 @@ declare class PipelineState {
    */
   type: PipelineType;
 
-  /**
-   * Authentication information
-   */
-  authInfo?: AuthInfo;
-
   /**
    * the production host
    */
@@ -142,9 +117,5 @@ declare class PipelineState {
    */
   liveHost: string;
 
-  /**
-   * used for development server to include RSO information in the auth state
-   */
-  authIncludeRSO: boolean;
 }
 

package/src/PipelineState.js

@@ -40,8 +40,6 @@ export class PipelineState {
       metadata: Modifiers.EMPTY,
       headers: Modifiers.EMPTY,
       s3Loader: opts.s3Loader,
-      messageDispatcher: opts.messageDispatcher,
-      authEnvLoader: opts.authEnvLoader ?? { load: () => {} },
       fetch: opts.fetch,
       timer: opts.timer,
       type: 'html',
@@ -52,9 +50,4 @@ export class PipelineState {
       }
     }
   }
-
-  // eslint-disable-next-line class-methods-use-this
-  createExternalLocation(value) {
-    return value;
-  }
 }

package/src/html-pipe.js

@@ -10,7 +10,6 @@
  * governing permissions and limitations under the License.
  */
 import { cleanupHeaderValue } from '@adobe/helix-shared-utils';
-import { authenticate } from './steps/authenticate.js';
 import addHeadingIds from './steps/add-heading-ids.js';
 import createPageBlocks from './steps/create-page-blocks.js';
 import createPictures from './steps/create-pictures.js';
@@ -135,11 +134,6 @@ export async function htmlPipe(state, req) {
       fetchMappedMetadata(state),
     ]);
 
-    // await requireProject(state, req, res);
-    if (res.error !== 401) {
-      await authenticate(state, req, res);
-    }
-
     if (res.error) {
       // if content loading produced an error, we're done.
       const level = res.status >= 500 ? 'error' : 'info';

package/src/index.d.ts

@@ -88,29 +88,11 @@ export declare interface S3Loader {
   headObject(bucketId, key): Promise<PipelineResponse>;
 }
 
-export declare interface AuthEnvLoader {
-
-  /**
-   * loads (secret) parameters needed for authentication. The parameters are added to the
-   * `state.env` object.
-   * @return {Promise<void>}
-   */
-  load(state:PipelineState):Promise<void>;
-}
-
 export declare interface DispatchMessageResponse {
   messageId:string,
   requestId:string,
 }
 
-export declare interface FormsMessageDispatcher {
-  /**
-   * Dispatches the message to the forms queue
-   * @param {object} message
-   */
-  dispatch(message:object): Promise<DispatchMessageResponse>;
-}
-
 /**
  * Timer
  */

package/src/index.js

@@ -11,7 +11,6 @@
  */
 export * from './html-pipe.js';
 export * from './json-pipe.js';
-export * from './auth-pipe.js';
 export * from './options-pipe.js';
 export * from './robots-pipe.js';
 export * from './sitemap-pipe.js';

package/src/json-pipe.js

@@ -15,7 +15,6 @@ import setCustomResponseHeaders from './steps/set-custom-response-headers.js';
 import { PipelineResponse } from './PipelineResponse.js';
 import jsonFilter from './utils/json-filter.js';
 import { extractLastModified, updateLastModified } from './utils/last-modified.js';
-import { authenticate } from './steps/authenticate.js';
 import { getPathInfo } from './utils/path.js';
 import { PipelineStatusError } from './PipelineStatusError.js';
 
@@ -62,7 +61,15 @@ async function fetchJsonContent(state, req, res) {
     res.body = '';
     res.headers.delete('content-type');
     res.headers.set('location', redirectLocation);
-    res.headers.set('x-surrogate-key', await computeSurrogateKey(`${contentBusId}${info.path}`));
+    const keys = [];
+    if (state.content.sourceBus === 'content') {
+      keys.push(await computeSurrogateKey(`${contentBusId}${info.path}`));
+      keys.push(contentBusId);
+    } else {
+      keys.push(`${ref}--${repo}--${owner}_code`);
+      keys.push(await computeSurrogateKey(`${ref}--${repo}--${owner}${info.path}`));
+    }
+    res.headers.set('x-surrogate-key', keys.join(' '));
     res.error = 'moved';
     return;
   }
@@ -93,8 +100,12 @@ async function computeSurrogateKeys(state) {
   if (state.info.path === '/config.json') {
     keys.push(await computeSurrogateKey(`${state.site}--${state.org}_config.json`));
   }
-  keys.push(pathKey.replace(/\//g, '_')); // TODO: remove
   keys.push(await computeSurrogateKey(pathKey));
+  if (state.content?.sourceBus === 'content') {
+    keys.push(state.contentBusId);
+  } else {
+    keys.push(`${state.ref}--${state.repo}--${state.owner}_code`);
+  }
   return keys;
 }
 
@@ -150,8 +161,6 @@ export async function jsonPipe(state, req) {
 
     state.timer?.update('json-metadata-fetch');
 
-    await authenticate(state, req, res);
-
     if (res.status === 404 && state.info.path === '/config.json' && state.config.public) {
       // special handling for public config
       const publicConfig = {

package/src/robots-pipe.js

@@ -120,7 +120,6 @@ async function computeSurrogateKeys(state) {
 
   const pathKey = `${state.ref}--${state.repo}--${state.owner}${state.info.path}`;
   keys.push(await computeSurrogateKey(`${state.site}--${state.org}_config.json`));
-  keys.push(pathKey.replace(/\//g, '_')); // TODO: remove
   keys.push(await computeSurrogateKey(pathKey));
   return keys;
 }

package/src/steps/fetch-404.js

@@ -38,5 +38,5 @@ export default async function fetch404(state, req, res) {
 
   // set 404 keys in any case
   const pathKey = await getPathKey(state);
-  res.headers.set('x-surrogate-key', `${pathKey} ${ref}--${repo}--${owner}_404`);
+  res.headers.set('x-surrogate-key', `${pathKey} ${ref}--${repo}--${owner}_404 ${ref}--${repo}--${owner}_code`);
 }

package/src/steps/fetch-content.js

@@ -41,7 +41,15 @@ export default async function fetchContent(state, req, res) {
       redirectLocation += '.plain.html';
     }
     res.headers.set('location', redirectLocation);
-    res.headers.set('x-surrogate-key', await computeSurrogateKey(`${contentBusId}${info.path}`));
+    const keys = [];
+    if (isCode) {
+      keys.push(await computeSurrogateKey(`${ref}--${repo}--${owner}${info.path}`));
+      keys.push(`${ref}--${repo}--${owner}_code`);
+    } else {
+      keys.push(await computeSurrogateKey(`${contentBusId}${info.path}`));
+      keys.push(contentBusId);
+    }
+    res.headers.set('x-surrogate-key', keys.join(' '));
     res.error = 'moved';
     return;
   }

package/src/steps/set-x-surrogate-key-header.js

@@ -49,6 +49,7 @@ export default async function setXSurrogateKeyHeader(state, req, res) {
     hash,
     `${contentBusId}_metadata`,
     `${ref}--${repo}--${owner}_head`,
+    contentBusId,
   ];
 
   // for folder-mapped resources, we also need to include the surrogate key of the mapped metadata

package/src/auth-pipe.js

@@ -1,46 +0,0 @@
-/*
- * Copyright 2021 Adobe. All rights reserved.
- * This file is licensed to you under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed under
- * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
- * OF ANY KIND, either express or implied. See the License for the specific language
- * governing permissions and limitations under the License.
- */
-import { cleanupHeaderValue } from '@adobe/helix-shared-utils';
-import { PipelineResponse } from './PipelineResponse.js';
-import { validateAuthState, getRequestHostAndProto, AuthInfo } from './utils/auth.js';
-import { clearAuthCookie } from './utils/auth-cookie.js';
-import idpMicrosoft from './utils/idp-configs/microsoft.js';
-
-/**
- * Runs the auth pipeline that handles the token exchange. this is separated from the main pipeline
- * since it doesn't need the configuration (yet).
- *
- * @param {PipelineState} state
- * @param {PipelineRequest} req
- * @returns {PipelineResponse}
- */
-export async function authPipe(ctx, req) {
-  try {
-    await validateAuthState(ctx, req);
-    const authInfo = AuthInfo
-      .Default()
-      // todo: select idp from config
-      .withIdp(idpMicrosoft);
-    return await authInfo.exchangeToken(ctx, req);
-  } catch (e) {
-    const { proto } = getRequestHostAndProto(ctx, req);
-    return new PipelineResponse('', {
-      status: 401,
-      headers: {
-        'cache-control': 'no-store, private, must-revalidate',
-        'content-type': 'text/html; charset=utf-8',
-        'x-error': cleanupHeaderValue(e.message),
-        'set-cookie': clearAuthCookie(proto === 'https'),
-      },
-    });
-  }
-}

package/src/steps/authenticate.js

@@ -1,129 +0,0 @@
-/*
- * Copyright 2022 Adobe. All rights reserved.
- * This file is licensed to you under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed under
- * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
- * OF ANY KIND, either express or implied. See the License for the specific language
- * governing permissions and limitations under the License.
- */
-import { getAuthInfo, makeAuthError } from '../utils/auth.js';
-
-/**
- * Checks if the given email is allowed.
- * @param {string} email
- * @param {string[]} allows
- * @returns {boolean}
- */
-export function isAllowed(email = '', allows = []) {
-  /** @type string[] */
-  const [, domain] = email.split('@');
-  if (!domain) {
-    return false;
-  }
-  const wild = `*@${domain}`;
-  return allows.findIndex((a) => a === email || a === wild) >= 0;
-}
-
-/**
- * Handles authentication
- * @type PipelineStep
- * @param {PipelineState} state
- * @param {PipelineRequest} req
- * @param {PipelineResponse} res
- * @returns {Promise<void>}
- */
-export async function authenticate(state, req, res) {
-  // get partition relative auth info
-  const access = state.config.access?.[state.partition] || {
-    allow: [],
-    apiKeyId: [],
-  };
-
-  // if not protected, do nothing
-  if (!access.allow?.length) {
-    return;
-  }
-
-  // get auth info
-  const authInfo = await getAuthInfo(state, req);
-
-  // if not authenticated, redirect to login screen
-  if (!authInfo.authenticated) {
-    // send 401 for plain requests
-    if (state.info.selector || state.type !== 'html') {
-      state.log.warn('[auth] unauthorized. redirect to login only for extension less html.');
-      makeAuthError(state, req, res, 'unauthorized');
-      return;
-    }
-    await authInfo.redirectToLogin(state, req, res);
-    return;
-  }
-
-  const { sub, jti, email } = authInfo.profile;
-
-  // validate subject, if present
-  if (sub) {
-    const [owner, repo] = sub.split('/');
-    if (owner !== state.owner || (repo !== '*' && repo !== state.repo)) {
-      state.log.warn(`[auth] invalid subject ${sub}: does not match ${state.owner}/${state.repo}`);
-      makeAuthError(state, req, res, 'invalid-subject');
-      return;
-    }
-  }
-
-  // validate jti
-  if (jti) {
-    if (access.apiKeyId.indexOf(jti) < 0) {
-      state.log.warn(`[auth] invalid jti ${jti}: does not match configured id ${access.apiKeyId}`);
-      makeAuthError(state, req, res, 'invalid-jti');
-    }
-  }
-
-  // check profile is allowed
-  if (!isAllowed(email, access.allow)) {
-    state.log.warn(`[auth] profile not allowed for ${access.allow}`);
-    makeAuthError(state, req, res, 'forbidden', 403);
-  }
-}
-
-/**
- * Checks if the given owner repo is allowed
- * @param {string} owner
- * @param {string} repo
- * @param {string[]} allows
- * @returns {boolean}
- */
-export function isOwnerRepoAllowed(owner, repo, allows = []) {
-  if (allows.length === 0) {
-    return true;
-  }
-  return allows
-    .map((ownerRepo) => ownerRepo.split('/'))
-    .findIndex(([o, r]) => owner === o && (repo === r || r === '*')) >= 0;
-}
-
-/**
- * Checks if the
- * @type PipelineStep
- * @param {PipelineState} state
- * @param {PipelineRequest} req
- * @param {PipelineResponse} res
- * @returns {Promise<void>}
- */
-// export async function requireProject(state, req, res) {
-//   // if not restricted, do nothing
-//   const ownerRepo = state.config?.access?.require?.repository;
-//   if (!ownerRepo) {
-//     return;
-//   }
-//   const ownerRepos = Array.isArray(ownerRepo) ? ownerRepo : [ownerRepo];
-//   const { log, owner, repo } = state;
-//   if (!isOwnerRepoAllowed(owner, repo, ownerRepos)) {
-//     log.warn(`${owner}/${repo} not allowed for ${ownerRepos}`);
-//     res.status = 403;
-//     res.error = 'forbidden.';
-//   }
-// }

package/src/utils/auth-cookie.js

@@ -1,41 +0,0 @@
-/*
- * Copyright 2022 Adobe. All rights reserved.
- * This file is licensed to you under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed under
- * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
- * OF ANY KIND, either express or implied. See the License for the specific language
- * governing permissions and limitations under the License.
- */
-import { parse, serialize } from 'cookie';
-
-export function clearAuthCookie(secure) {
-  return serialize('hlx-auth-token', '', {
-    path: '/',
-    httpOnly: true,
-    secure,
-    expires: new Date(0),
-    sameSite: secure ? 'none' : 'lax',
-  });
-}
-
-export function setAuthCookie(idToken, secure) {
-  return serialize('hlx-auth-token', idToken, {
-    path: '/',
-    httpOnly: true,
-    secure,
-    sameSite: secure ? 'none' : 'lax',
-  });
-}
-
-export function getAuthCookie(req) {
-  // add cookies if not already present
-  if (!req.cookies) {
-    const hdr = req.headers.get('cookie');
-    // eslint-disable-next-line no-param-reassign
-    req.cookies = hdr ? parse(hdr) : {};
-  }
-  return req.cookies['hlx-auth-token'] || '';
-}

package/src/utils/auth.d.ts

@@ -1,86 +0,0 @@
-/*
- * Copyright 2022 Adobe. All rights reserved.
- * This file is licensed to you under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed under
- * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
- * OF ANY KIND, either express or implied. See the License for the specific language
- * governing permissions and limitations under the License.
- */
-
-
-import {AdminContext} from "../index";
-
-/**
- * Path Info
- */
-export declare interface AccessDeniedError extends Error {}
-
-export declare interface OAuthClientConfig {
-  clientID: string;
-  clientSecret: string;
-}
-
-export declare interface IDPConfig {
-  name:string;
-  scope:string;
-  mountType:string;
-  client(state: PipelineState):OAuthClientConfig;
-  validateIssuer?(issuer: string): boolean;
-  discoveryUrl:string;
-  loginPrompt:string;
-  discovery:any;
-  routes:AuthRoutes;
-}
-
-export declare interface UserProfile {
-  email:string;
-
-  iss:string;
-
-  aud:string;
-
-  sub: string;
-
-  jti: string;
-}
-
-export declare class AuthInfo {
-  /**
-   * Flag indicating of the request is authenticated
-   */
-  authenticated:boolean;
-
-  profile?:UserProfile;
-
-  expired?:boolean;
-
-  loginHint?:string;
-
-  idp?:IDPConfig;
-
-  /**
-   * Flag indicating that the auth cookie is invalid.
-   */
-  cookieInvalid?:boolean;
-
-  /**
-   * Sets a redirect (302) response to the IDPs login endpoint
-   *
-   * @param {PipelineState} state
-   * @param {PipelineRequest} req
-   * @param {PipelineResponse} res
-   */
-  async redirectToLogin(state, req, res);
-
-  /**
-   * Performs a token exchange from the code flow and redirects to the root page
-   *
-   * @param {PipelineState} state
-   * @param {PipelineRequest} req
-   * @param {PipelineResponse} res
-   */
-  async exchangeToken(state, req, res);
-}

package/src/utils/auth.js

@@ -1,452 +0,0 @@
-/*
- * Copyright 2022 Adobe. All rights reserved.
- * This file is licensed to you under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed under
- * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
- * OF ANY KIND, either express or implied. See the License for the specific language
- * governing permissions and limitations under the License.
- */
-// eslint-disable-next-line max-classes-per-file
-import {
-  createLocalJWKSet,
-  decodeJwt,
-  jwtVerify,
-  SignJWT,
-  importJWK,
-} from 'jose';
-import { clearAuthCookie, getAuthCookie, setAuthCookie } from './auth-cookie.js';
-
-import idpMicrosoft from './idp-configs/microsoft.js';
-
-// eslint-disable-next-line import/no-unresolved
-import cryptoImpl from '#crypto';
-import { PipelineResponse } from '../PipelineResponse.js';
-
-const AUTH_REDIRECT_URL = 'https://login.aem.page/.auth';
-
-let ADMIN_KEY_PAIR = null;
-
-export class AccessDeniedError extends Error {
-}
-
-async function getAdminKeyPair(state) {
-  if (!ADMIN_KEY_PAIR) {
-    ADMIN_KEY_PAIR = {
-      privateKey: await importJWK(JSON.parse(state.env.HLX_ADMIN_IDP_PRIVATE_KEY), 'RS256'),
-      publicKey: JSON.parse(state.env.HLX_ADMIN_IDP_PUBLIC_KEY),
-    };
-  }
-  return ADMIN_KEY_PAIR;
-}
-
-/**
- * Signs the given JWT with the admin private key and returns the token.
- * @param {PipelineState} state
- * @param {SignJWT} jwt
- * @returns {Promise<string>}
- */
-async function signJWT(state, jwt) {
-  const { privateKey, publicKey } = await getAdminKeyPair(state);
-  return jwt
-    .setProtectedHeader({
-      alg: 'RS256',
-      kid: publicKey.kid,
-    })
-    .setAudience(state.env.HLX_SITE_APP_AZURE_CLIENT_ID)
-    .setIssuer(publicKey.issuer)
-    .sign(privateKey);
-}
-
-/**
- * Verifies and decodes the given jwt using the admin public key
- * @param {PipelineState} state
- * @param {string} jwt
- * @param {boolean} lenient
- * @returns {Promise<JWTPayload>}
- */
-async function verifyJwt(state, jwt, lenient = false) {
-  const publicKey = JSON.parse(state.env.HLX_ADMIN_IDP_PUBLIC_KEY);
-  const jwks = createLocalJWKSet({
-    keys: [publicKey],
-  });
-  const { payload } = await jwtVerify(jwt, jwks, {
-    audience: state.env.HLX_SITE_APP_AZURE_CLIENT_ID,
-    issuer: publicKey.issuer,
-    clockTolerance: lenient ? 7 * 24 * 60 * 60 : 0,
-  });
-  return payload;
-}
-
-/**
- * Decodes the given id_token for the given idp. if `lenient` is `true`, the clock tolerance
- * is set to 1 week. this allows to extract some profile information that can be used as login_hint.
- * @param {PipelineState} state
- * @param {string} idToken
- * @param {boolean} lenient
- * @returns {Promise<JWTPayload>}
- */
-export async function decodeIdToken(state, idToken, lenient = false) {
-  const { log } = state;
-  const payload = await verifyJwt(state, idToken, lenient);
-
-  // delete from information not needed in the profile
-  ['azp', 'at_hash', 'nonce', 'aio', 'c_hash'].forEach((prop) => delete payload[prop]);
-
-  // compute ttl
-  payload.ttl = payload.exp - Math.floor(Date.now() / 1000);
-
-  log.info(`[auth] decoded id_token${lenient ? ' (lenient)' : ''} from ${payload.iss} and validated payload.`);
-  return payload;
-}
-
-/**
- * Returns the host of the request; falls back to the configured `host`.
- * Note that this is different from the `state.prodHost` calculation in `init-config`,
- * as this prefers the xfh over the config.
- *
- * @param {PipelineState} state
- * @param {PipelineRequest} req
- * @returns {{proto: (*|string), host: string}} the request host and protocol.
- */
-export function getRequestHostAndProto(state, req) {
-  // determine the location of 'this' document based on the xfh header. so that logins to
-  // .page stay on .page. etc. but fallback to the config.host if non set
-  const xfh = req.headers.get('x-forwarded-host');
-  let host = xfh;
-  if (host) {
-    host = host.split(',')[0].trim();
-  }
-  if (!host) {
-    host = state.prodHost;
-  }
-  // fastly overrides the x-forwarded-proto, so we use x-forwarded-scheme
-  const proto = req.headers.get('x-forwarded-scheme') || req.headers.get('x-forwarded-proto') || 'https';
-  state.log.info(`request host is: ${host} (${proto}) (xfh=${xfh})`);
-  return {
-    host,
-    proto,
-  };
-}
-
-/**
- * sets the auth error on the response and clears the cookie.
- * @param state
- * @param req
- * @param res
- * @param error
- * @param status
- */
-export function makeAuthError(state, req, res, error, status = 401) {
-  const { proto } = getRequestHostAndProto(state, req);
-  res.status = status;
-  res.error = error;
-  res.headers.set('set-cookie', clearAuthCookie(proto === 'https'));
-  res.headers.set('x-error', error);
-}
-
-/**
- * AuthInfo class
- */
-export class AuthInfo {
-  /**
-   * AuthInfo constructor
-   * @constructor
-   */
-  constructor() {
-    Object.assign(this, {
-      authenticated: false,
-      idp: null,
-      profile: null,
-      loginHint: null,
-      expired: false,
-      idToken: null,
-      cookieInvalid: false,
-    });
-  }
-
-  /**
-   * Creates the default AuthInfo that is not authenticated.
-   * @returns {AuthInfo}
-   */
-  static Default() {
-    return new AuthInfo()
-      .withAuthenticated(false);
-  }
-
-  withAuthenticated(value) {
-    this.authenticated = value;
-    return this;
-  }
-
-  withProfile(profile) {
-    this.profile = profile;
-    return this;
-  }
-
-  withLoginHint(value) {
-    this.loginHint = value;
-    return this;
-  }
-
-  withIdp(value) {
-    this.idp = value;
-    return this;
-  }
-
-  withExpired(value) {
-    this.expired = value;
-    return this;
-  }
-
-  withCookieInvalid(value) {
-    this.cookieInvalid = value;
-    return this;
-  }
-
-  withIdToken(value) {
-    this.idToken = value;
-    return this;
-  }
-
-  /**
-   * Sets a redirect (302) response to the IDPs login endpoint
-   *
-   * @param {PipelineState} state
-   * @param {PipelineRequest} req
-   * @param {PipelineResponse} res
-   * @param {IDPConfig} idp IDP config
-   */
-  async redirectToLogin(state, req, res) {
-    const { log } = state;
-    const { idp } = this;
-
-    await state.authEnvLoader.load(state);
-    const { clientId, clientSecret } = idp.client(state);
-    if (!clientId || !clientSecret) {
-      log.error('[auth] unable to create login redirect: missing client_id or client_secret');
-      res.status = 401;
-      res.error = 'invalid auth config.';
-      return;
-    }
-
-    // determine the location of 'this' document based on the xfh header. so that logins to
-    // .page stay on .page. etc. but fallback to the config.host if non set
-    const { host, proto } = getRequestHostAndProto(state, req);
-    if (!host) {
-      log.error('[auth] unable to create login redirect: no xfh or config.host.');
-      makeAuthError(state, req, res, 'no host information.');
-      return;
-    }
-
-    // create the token state, so stat we know where to redirect back after the token exchange
-    const payload = {
-      url: state.createExternalLocation(`${proto}://${host}${state.info.path}`),
-    };
-    const tokenState = await signJWT(state, new SignJWT(payload));
-
-    const url = new URL(idp.discovery.authorization_endpoint);
-    url.searchParams.append('client_id', clientId);
-    url.searchParams.append('response_type', 'code');
-    url.searchParams.append('scope', idp.scope);
-    url.searchParams.append('nonce', cryptoImpl.randomUUID());
-    url.searchParams.append('state', tokenState);
-    url.searchParams.append('redirect_uri', AUTH_REDIRECT_URL);
-    url.searchParams.append('prompt', 'select_account');
-
-    log.info('[auth] redirecting to login page', url.href);
-    res.status = 302;
-    res.body = '';
-    res.headers.set('location', url.href);
-    res.headers.set('set-cookie', clearAuthCookie(proto === 'https'));
-    res.headers.set('cache-control', 'no-store, private, must-revalidate');
-    res.error = 'moved';
-  }
-
-  /**
-   * Performs a token exchange from the code flow and redirects to the root page
-   *
-   * @param {universalContext} ctx
-   * @param {PipelineRequest} req
-   * @return {PipelineResponse} res
-   * @throws {Error} if the token exchange fails
-   */
-  async exchangeToken(ctx, req) {
-    const { log } = ctx;
-    const { idp } = this;
-
-    const { code } = req.params;
-    if (!code) {
-      log.warn('[auth] code exchange failed: code parameter missing.');
-      throw new Error('code exchange failed.');
-    }
-
-    const { clientId, clientSecret } = idp.client(ctx);
-    const url = new URL(idp.discovery.token_endpoint);
-    const body = {
-      client_id: clientId,
-      client_secret: clientSecret,
-      code,
-      grant_type: 'authorization_code',
-      redirect_uri: AUTH_REDIRECT_URL,
-    };
-    const { fetch } = ctx;
-    const ret = await fetch(url.href, {
-      method: 'POST',
-      body: new URLSearchParams(body).toString(),
-      headers: {
-        'content-type': 'application/x-www-form-urlencoded',
-      },
-    });
-    if (!ret.ok) {
-      log.warn(`[auth] code exchange failed: ${ret.status}`, await ret.text());
-      throw new Error('code exchange failed.');
-    }
-
-    const tokenResponse = await ret.json();
-    const { id_token: idToken } = tokenResponse;
-    let payload;
-    try {
-      payload = decodeJwt(idToken);
-    } catch (e) {
-      log.warn(`[auth] id token from ${idp.name} is invalid: ${e.message}`);
-      throw new Error('id token invalid.');
-    }
-
-    const email = payload.email || payload.preferred_username;
-    if (!email) {
-      log.warn(`[auth] id token from ${idp.name} is missing email or preferred_username`);
-      throw new Error('id token invalid.');
-    }
-
-    // create new token
-    const jwt = new SignJWT({
-      email,
-      name: payload.name,
-    })
-      .setIssuedAt()
-      .setExpirationTime('12 hours');
-    const authToken = await signJWT(ctx, jwt);
-
-    // redirect to original page
-    const location = req.params.state.url;
-    log.info('[auth] redirecting to original page with hlx-auth-token cookie:', location);
-    return new PipelineResponse(`please go to <a href="${location}">${location}</a>`, {
-      status: 302,
-      headers: {
-        'content-type': 'text/html; charset=utf-8',
-        'set-cookie': setAuthCookie(authToken, location.startsWith('https://')),
-        'cache-control': 'no-store, private, must-revalidate',
-        location,
-      },
-    });
-  }
-}
-
-/**
- * Validates the auth state and code either with from query parameter or request header.
- * @param {UniversalContext} ctx
- * @param {PipelineRequest} req
- * @returns {Promise<void>}
- */
-export async function validateAuthState(ctx, req) {
-  const { log } = ctx;
-  // use request headers if present
-  if (req.headers.get('x-hlx-auth-state')) {
-    log.info('[auth] override params.state from header.');
-    req.params.state = req.headers.get('x-hlx-auth-state');
-  }
-  if (req.headers.get('x-hlx-auth-code')) {
-    log.info('[auth] override params.code from header.');
-    req.params.code = req.headers.get('x-hlx-auth-code');
-  }
-
-  if (!req.params.state) {
-    log.warn('[auth] unable to exchange token: no state.');
-    throw new Error('missing state parameter.');
-  }
-
-  try {
-    const payload = await verifyJwt(ctx, req.params.state);
-    req.params.state = {
-      url: payload.url,
-    };
-  } catch (e) {
-    log.warn(`[auth] error decoding state parameter: invalid state: ${e.message}`);
-    throw new Error('invalid state parameter.');
-  }
-}
-
-/**
- * Extracts the authentication info from the cookie or 'authorization' header.
- * Returns {@code null} if missing or invalid.
- *
- * @param {PipelineState} state
- * @param {PipelineRequest} req
- * @returns {Promise<AuthInfo>} the authentication info or null if the request is not authenticated
- */
-async function getAuthInfoFromCookieOrHeader(state, req) {
-  const { log } = state;
-  let idToken = getAuthCookie(req);
-  if (!idToken) {
-    log.debug('no auth cookie');
-    const [marker, value] = (req.headers.get('authorization') || '').split(' ');
-    if (marker.toLowerCase() === 'token' && value) {
-      idToken = value.trim();
-    } else {
-      log.debug('no auth header');
-    }
-  }
-  if (idToken) {
-    try {
-      return AuthInfo.Default()
-        .withProfile(await decodeIdToken(state, idToken))
-        .withAuthenticated(true)
-        .withIdToken(idToken);
-    } catch (e) {
-      if (e.code === 'ERR_JWT_EXPIRED') {
-        try {
-          const profile = await decodeIdToken(state, idToken, true);
-          log.warn(`[auth] decoding the id_token failed: ${e.message}, using expired token as hint.`);
-          return AuthInfo.Default()
-            .withExpired(true)
-            .withLoginHint(profile.email);
-        } catch {
-          // ignore
-        }
-      }
-      // wrong token
-      log.warn(`[auth] decoding the id_token failed: ${e.message}.`);
-      return AuthInfo.Default().withCookieInvalid(true);
-    }
-  }
-  log.debug('no id_token');
-  return null;
-}
-
-/**
- * Computes the authentication info.
- * @param {PipelineState} state
- * @param {PipelineRequest} req
- * @returns {Promise<AuthInfo>} the authentication info or null if the request is not authenticated
- */
-export async function getAuthInfo(state, req) {
-  const { log } = state;
-  const auth = await getAuthInfoFromCookieOrHeader(state, req);
-  if (auth) {
-    if (auth.authenticated) {
-      log.info(`[auth] id-token valid: iss=${auth.profile.iss}`);
-    }
-    if (!auth.idp) {
-      // todo: select idp from config
-      auth.withIdp(idpMicrosoft);
-    }
-    return auth;
-  }
-  return AuthInfo
-    .Default()
-    // todo: select idp from config
-    .withIdp(idpMicrosoft);
-}

package/src/utils/idp-configs/microsoft.js

@@ -1,35 +0,0 @@
-/*
- * Copyright 2022 Adobe. All rights reserved.
- * This file is licensed to you under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed under
- * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
- * OF ANY KIND, either express or implied. See the License for the specific language
- * governing permissions and limitations under the License.
- */
-export default {
-  name: 'microsoft',
-  mountType: 'onedrive',
-  client: (state) => ({
-    clientId: state.env.HLX_SITE_APP_AZURE_CLIENT_ID,
-    clientSecret: state.env.HLX_SITE_APP_AZURE_CLIENT_SECRET,
-  }),
-  scope: 'openid profile email',
-  // validateIssuer: (iss) => iss.startsWith('https://login.microsoftonline.com/'),
-  discoveryUrl: 'https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration',
-  // todo: fetch from discovery document
-  discovery: {
-    issuer: 'https://login.microsoftonline.com/{tenantid}/v2.0',
-    request_uri_parameter_supported: false,
-    token_endpoint: 'https://login.microsoftonline.com/common/oauth2/v2.0/token',
-    userinfo_endpoint: 'https://graph.microsoft.com/oidc/userinfo',
-    authorization_endpoint: 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize',
-    device_authorization_endpoint: 'https://login.microsoftonline.com/common/oauth2/v2.0/devicecode',
-    http_logout_supported: true,
-    frontchannel_logout_supported: true,
-    end_session_endpoint: 'https://login.microsoftonline.com/common/oauth2/v2.0/logout',
-    jwks_uri: 'https://login.microsoftonline.com/common/discovery/v2.0/keys',
-  },
-};