npm - @adobe/helix-html-pipeline - Versions diffs - 6.10.3 → 6.12.0 - Mend

@adobe/helix-html-pipeline 6.10.3 → 6.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/CHANGELOG.md +16 -0
package/package.json +4 -6
package/src/PipelineState.d.ts +1 -30
package/src/PipelineState.js +0 -7
package/src/html-pipe.js +0 -6
package/src/index.d.ts +0 -18
package/src/index.js +0 -1
package/src/json-pipe.js +14 -5
package/src/robots-pipe.js +0 -1
package/src/steps/fetch-404.js +1 -1
package/src/steps/fetch-content.js +9 -1
package/src/steps/set-x-surrogate-key-header.js +1 -0
package/src/auth-pipe.js +0 -46
package/src/steps/authenticate.js +0 -129
package/src/utils/auth-cookie.js +0 -41
package/src/utils/auth.d.ts +0 -86
package/src/utils/auth.js +0 -452
package/src/utils/idp-configs/microsoft.js +0 -35

package/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,19 @@
+# [6.12.0](https://github.com/adobe/helix-html-pipeline/compare/v6.11.0...v6.12.0) (2024-05-22)
+### Features
+* add contentbusid surrogate key for pipeline responses depending on content resources ([e821162](https://github.com/adobe/helix-html-pipeline/commit/e821162b9afc649fbb53ef550d51fd61b4ccc346))
+* add ref--repo--owner_code surrogate key for pipeline responses depending on codebus resources ([797aad2](https://github.com/adobe/helix-html-pipeline/commit/797aad2a1b34aa7eb95fc9ef57a65b60afed2c76))
+* add ref--repo-owner_code for all code resources ([edaa518](https://github.com/adobe/helix-html-pipeline/commit/edaa518db81259d4c247c6cc8445277f41a3ccfb))
+# [6.11.0](https://github.com/adobe/helix-html-pipeline/compare/v6.10.3...v6.11.0) (2024-05-13)
+### Features
+* remove auth ([#598](https://github.com/adobe/helix-html-pipeline/issues/598)) ([2eed6f4](https://github.com/adobe/helix-html-pipeline/commit/2eed6f4852fc4b74582ab953be79b77c17e3029b))
 ## [6.10.3](https://github.com/adobe/helix-html-pipeline/compare/v6.10.2...v6.10.3) (2024-05-09)

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@adobe/helix-html-pipeline",
-  "version": "6.10.3",
+  "version": "6.12.0",
   "description": "Helix HTML Pipeline",
   "main": "src/index.js",
   "types": "src/index.d.ts",
@@ -47,14 +47,12 @@
     "@adobe/helix-shared-utils": "3.0.2",
     "@adobe/mdast-util-gridtables": "4.0.4",
     "@adobe/remark-gridtables": "3.0.4",
-    "cookie": "0.6.0",
     "github-slugger": "2.0.0",
-    "hast-util-raw": "9.0.2",
+    "hast-util-raw": "9.0.3",
     "hast-util-select": "6.0.2",
     "hast-util-to-html": "9.0.1",
     "hast-util-to-string": "3.0.0",
     "hastscript": "9.0.0",
-    "jose": "5.2.4",
     "lodash.escape": "4.0.1",
     "mdast-util-to-hast": "13.1.0",
     "mdast-util-to-string": "4.0.0",
@@ -76,7 +74,7 @@
     "@markedjs/html-differ": "4.0.2",
     "@semantic-release/changelog": "6.0.3",
     "@semantic-release/git": "10.0.1",
-    "@semantic-release/npm": "12.0.0",
+    "@semantic-release/npm": "12.0.1",
     "c8": "9.1.0",
     "eslint": "8.57.0",
     "eslint-import-resolver-exports": "1.0.0-beta.5",
@@ -91,7 +89,7 @@
     "mocha": "10.4.0",
     "mocha-multi-reporters": "1.5.1",
     "mocha-suppress-logs": "0.5.1",
-    "semantic-release": "23.0.8"
+    "semantic-release": "23.1.1"
   },
   "lint-staged": {
     "*.js": "eslint",

package/src/PipelineState.d.ts CHANGED Viewed

@@ -9,7 +9,7 @@
  * OF ANY KIND; either express or implied. See the License for the specific language
  * governing permissions and limitations under the License.
  */
-import {PathInfo, S3Loader, FormsMessageDispatcher, PipelineTimer, AuthEnvLoader } from "./index";
+import {PathInfo, S3Loader, PipelineTimer } from "./index";
 import {PipelineContent} from "./PipelineContent";
 import {PipelineSiteConfig} from "./site-config";
@@ -21,21 +21,9 @@ declare enum PipelineType {
 type Fetch = (url: string|Request, options?: RequestOptions) => Promise<Response>;
-declare interface AccessConfig {
-  allow:(string|string[]);
-  apiKeyId:(string|string[]);
-  require: {
-    repository:(string|string[]);
-  };
-}
 declare interface PipelineOptions {
   log: Console;
   s3Loader: S3Loader;
-  messageDispatcher: FormsMessageDispatcher;
-  authEnvLoader: AuthEnvLoader;
   config: PipelineSiteConfig;
   fetch: Fetch;
   ref: string;
@@ -55,16 +43,8 @@ declare class PipelineState {
   content: PipelineContent;
   contentBusId: string;
   s3Loader: S3Loader;
-  messageDispatcher: FormsMessageDispatcher;
-  authEnvLoader: AuthEnvLoader;
   fetch: Fetch;
-  /**
-   * Returns the external link representation for authentication related redirects and cookies.
-   * This is only used for local testing and is an identity operation in production.
-   */
-  createExternalLocation(value:string): string;
   /**
    * Content bus partition
    * @example 'live'
@@ -122,11 +102,6 @@ declare class PipelineState {
    */
   type: PipelineType;
-  /**
-   * Authentication information
-   */
-  authInfo?: AuthInfo;
   /**
    * the production host
    */
@@ -142,9 +117,5 @@ declare class PipelineState {
    */
   liveHost: string;
-  /**
-   * used for development server to include RSO information in the auth state
-   */
-  authIncludeRSO: boolean;
 }

package/src/PipelineState.js CHANGED Viewed

@@ -40,8 +40,6 @@ export class PipelineState {
       metadata: Modifiers.EMPTY,
       headers: Modifiers.EMPTY,
       s3Loader: opts.s3Loader,
-      messageDispatcher: opts.messageDispatcher,
-      authEnvLoader: opts.authEnvLoader ?? { load: () => {} },
       fetch: opts.fetch,
       timer: opts.timer,
       type: 'html',
@@ -52,9 +50,4 @@ export class PipelineState {
       }
     }
   }
-  // eslint-disable-next-line class-methods-use-this
-  createExternalLocation(value) {
-    return value;
-  }
 }

package/src/html-pipe.js CHANGED Viewed

@@ -10,7 +10,6 @@
  * governing permissions and limitations under the License.
  */
 import { cleanupHeaderValue } from '@adobe/helix-shared-utils';
-import { authenticate } from './steps/authenticate.js';
 import addHeadingIds from './steps/add-heading-ids.js';
 import createPageBlocks from './steps/create-page-blocks.js';
 import createPictures from './steps/create-pictures.js';
@@ -135,11 +134,6 @@ export async function htmlPipe(state, req) {
       fetchMappedMetadata(state),
     ]);
-    // await requireProject(state, req, res);
-    if (res.error !== 401) {
-      await authenticate(state, req, res);
-    }
     if (res.error) {
       // if content loading produced an error, we're done.
       const level = res.status >= 500 ? 'error' : 'info';

package/src/index.d.ts CHANGED Viewed

@@ -88,29 +88,11 @@ export declare interface S3Loader {
   headObject(bucketId, key): Promise<PipelineResponse>;
 }
-export declare interface AuthEnvLoader {
-  /**
-   * loads (secret) parameters needed for authentication. The parameters are added to the
-   * `state.env` object.
-   * @return {Promise<void>}
-   */
-  load(state:PipelineState):Promise<void>;
-}
 export declare interface DispatchMessageResponse {
   messageId:string,
   requestId:string,
 }
-export declare interface FormsMessageDispatcher {
-  /**
-   * Dispatches the message to the forms queue
-   * @param {object} message
-   */
-  dispatch(message:object): Promise<DispatchMessageResponse>;
-}
 /**
  * Timer
  */

package/src/index.js CHANGED Viewed

@@ -11,7 +11,6 @@
  */
 export * from './html-pipe.js';
 export * from './json-pipe.js';
-export * from './auth-pipe.js';
 export * from './options-pipe.js';
 export * from './robots-pipe.js';
 export * from './sitemap-pipe.js';

package/src/json-pipe.js CHANGED Viewed

@@ -15,7 +15,6 @@ import setCustomResponseHeaders from './steps/set-custom-response-headers.js';
 import { PipelineResponse } from './PipelineResponse.js';
 import jsonFilter from './utils/json-filter.js';
 import { extractLastModified, updateLastModified } from './utils/last-modified.js';
-import { authenticate } from './steps/authenticate.js';
 import { getPathInfo } from './utils/path.js';
 import { PipelineStatusError } from './PipelineStatusError.js';
@@ -62,7 +61,15 @@ async function fetchJsonContent(state, req, res) {
     res.body = '';
     res.headers.delete('content-type');
     res.headers.set('location', redirectLocation);
-    res.headers.set('x-surrogate-key', await computeSurrogateKey(`${contentBusId}${info.path}`));
+    const keys = [];
+    if (state.content.sourceBus === 'content') {
+      keys.push(await computeSurrogateKey(`${contentBusId}${info.path}`));
+      keys.push(contentBusId);
+    } else {
+      keys.push(`${ref}--${repo}--${owner}_code`);
+      keys.push(await computeSurrogateKey(`${ref}--${repo}--${owner}${info.path}`));
+    }
+    res.headers.set('x-surrogate-key', keys.join(' '));
     res.error = 'moved';
     return;
   }
@@ -93,8 +100,12 @@ async function computeSurrogateKeys(state) {
   if (state.info.path === '/config.json') {
     keys.push(await computeSurrogateKey(`${state.site}--${state.org}_config.json`));
   }
-  keys.push(pathKey.replace(/\//g, '_')); // TODO: remove
   keys.push(await computeSurrogateKey(pathKey));
+  if (state.content?.sourceBus === 'content') {
+    keys.push(state.contentBusId);
+  } else {
+    keys.push(`${state.ref}--${state.repo}--${state.owner}_code`);
+  }
   return keys;
 }
@@ -150,8 +161,6 @@ export async function jsonPipe(state, req) {
     state.timer?.update('json-metadata-fetch');
-    await authenticate(state, req, res);
     if (res.status === 404 && state.info.path === '/config.json' && state.config.public) {
       // special handling for public config
       const publicConfig = {

package/src/robots-pipe.js CHANGED Viewed

@@ -120,7 +120,6 @@ async function computeSurrogateKeys(state) {
   const pathKey = `${state.ref}--${state.repo}--${state.owner}${state.info.path}`;
   keys.push(await computeSurrogateKey(`${state.site}--${state.org}_config.json`));
-  keys.push(pathKey.replace(/\//g, '_')); // TODO: remove
   keys.push(await computeSurrogateKey(pathKey));
   return keys;
 }

package/src/steps/fetch-404.js CHANGED Viewed

@@ -38,5 +38,5 @@ export default async function fetch404(state, req, res) {
   // set 404 keys in any case
   const pathKey = await getPathKey(state);
-  res.headers.set('x-surrogate-key', `${pathKey} ${ref}--${repo}--${owner}_404`);
+  res.headers.set('x-surrogate-key', `${pathKey} ${ref}--${repo}--${owner}_404 ${ref}--${repo}--${owner}_code`);
 }

package/src/steps/fetch-content.js CHANGED Viewed

@@ -41,7 +41,15 @@ export default async function fetchContent(state, req, res) {
       redirectLocation += '.plain.html';
     }
     res.headers.set('location', redirectLocation);
-    res.headers.set('x-surrogate-key', await computeSurrogateKey(`${contentBusId}${info.path}`));
+    const keys = [];
+    if (isCode) {
+      keys.push(await computeSurrogateKey(`${ref}--${repo}--${owner}${info.path}`));
+      keys.push(`${ref}--${repo}--${owner}_code`);
+    } else {
+      keys.push(await computeSurrogateKey(`${contentBusId}${info.path}`));
+      keys.push(contentBusId);
+    }
+    res.headers.set('x-surrogate-key', keys.join(' '));
     res.error = 'moved';
     return;
   }

package/src/steps/set-x-surrogate-key-header.js CHANGED Viewed

@@ -49,6 +49,7 @@ export default async function setXSurrogateKeyHeader(state, req, res) {
     hash,
     `${contentBusId}_metadata`,
     `${ref}--${repo}--${owner}_head`,
+    contentBusId,
   ];
   // for folder-mapped resources, we also need to include the surrogate key of the mapped metadata

package/src/auth-pipe.js DELETED Viewed

@@ -1,46 +0,0 @@
-/*
- * Copyright 2021 Adobe. All rights reserved.
- * This file is licensed to you under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed under
- * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
- * OF ANY KIND, either express or implied. See the License for the specific language
- * governing permissions and limitations under the License.
- */
-import { cleanupHeaderValue } from '@adobe/helix-shared-utils';
-import { PipelineResponse } from './PipelineResponse.js';
-import { validateAuthState, getRequestHostAndProto, AuthInfo } from './utils/auth.js';
-import { clearAuthCookie } from './utils/auth-cookie.js';
-import idpMicrosoft from './utils/idp-configs/microsoft.js';
-/**
- * Runs the auth pipeline that handles the token exchange. this is separated from the main pipeline
- * since it doesn't need the configuration (yet).
- *
- * @param {PipelineState} state
- * @param {PipelineRequest} req
- * @returns {PipelineResponse}
- */
-export async function authPipe(ctx, req) {
-  try {
-    await validateAuthState(ctx, req);
-    const authInfo = AuthInfo
-      .Default()
-      // todo: select idp from config
-      .withIdp(idpMicrosoft);
-    return await authInfo.exchangeToken(ctx, req);
-  } catch (e) {
-    const { proto } = getRequestHostAndProto(ctx, req);
-    return new PipelineResponse('', {
-      status: 401,
-      headers: {
-        'cache-control': 'no-store, private, must-revalidate',
-        'content-type': 'text/html; charset=utf-8',
-        'x-error': cleanupHeaderValue(e.message),
-        'set-cookie': clearAuthCookie(proto === 'https'),
-      },
-    });
-  }
-}

package/src/steps/authenticate.js DELETED Viewed

@@ -1,129 +0,0 @@
-/*
- * Copyright 2022 Adobe. All rights reserved.
- * This file is licensed to you under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed under
- * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
- * OF ANY KIND, either express or implied. See the License for the specific language
- * governing permissions and limitations under the License.
- */
-import { getAuthInfo, makeAuthError } from '../utils/auth.js';
-/**
- * Checks if the given email is allowed.
- * @param {string} email
- * @param {string[]} allows
- * @returns {boolean}
- */
-export function isAllowed(email = '', allows = []) {
-  /** @type string[] */
-  const [, domain] = email.split('@');
-  if (!domain) {
-    return false;
-  }
-  const wild = `*@${domain}`;
-  return allows.findIndex((a) => a === email || a === wild) >= 0;
-}
-/**
- * Handles authentication
- * @type PipelineStep
- * @param {PipelineState} state
- * @param {PipelineRequest} req
- * @param {PipelineResponse} res
- * @returns {Promise<void>}
- */
-export async function authenticate(state, req, res) {
-  // get partition relative auth info
-  const access = state.config.access?.[state.partition] || {
-    allow: [],
-    apiKeyId: [],
-  };
-  // if not protected, do nothing
-  if (!access.allow?.length) {
-    return;
-  }
-  // get auth info
-  const authInfo = await getAuthInfo(state, req);
-  // if not authenticated, redirect to login screen
-  if (!authInfo.authenticated) {
-    // send 401 for plain requests
-    if (state.info.selector || state.type !== 'html') {
-      state.log.warn('[auth] unauthorized. redirect to login only for extension less html.');
-      makeAuthError(state, req, res, 'unauthorized');
-      return;
-    }
-    await authInfo.redirectToLogin(state, req, res);
-    return;
-  }
-  const { sub, jti, email } = authInfo.profile;
-  // validate subject, if present
-  if (sub) {
-    const [owner, repo] = sub.split('/');
-    if (owner !== state.owner || (repo !== '*' && repo !== state.repo)) {
-      state.log.warn(`[auth] invalid subject ${sub}: does not match ${state.owner}/${state.repo}`);
-      makeAuthError(state, req, res, 'invalid-subject');
-      return;
-    }
-  }
-  // validate jti
-  if (jti) {
-    if (access.apiKeyId.indexOf(jti) < 0) {
-      state.log.warn(`[auth] invalid jti ${jti}: does not match configured id ${access.apiKeyId}`);
-      makeAuthError(state, req, res, 'invalid-jti');
-    }
-  }
-  // check profile is allowed
-  if (!isAllowed(email, access.allow)) {
-    state.log.warn(`[auth] profile not allowed for ${access.allow}`);
-    makeAuthError(state, req, res, 'forbidden', 403);
-  }
-}
-/**
- * Checks if the given owner repo is allowed
- * @param {string} owner
- * @param {string} repo
- * @param {string[]} allows
- * @returns {boolean}
- */
-export function isOwnerRepoAllowed(owner, repo, allows = []) {
-  if (allows.length === 0) {
-    return true;
-  }
-  return allows
-    .map((ownerRepo) => ownerRepo.split('/'))
-    .findIndex(([o, r]) => owner === o && (repo === r || r === '*')) >= 0;
-}
-/**
- * Checks if the
- * @type PipelineStep
- * @param {PipelineState} state
- * @param {PipelineRequest} req
- * @param {PipelineResponse} res
- * @returns {Promise<void>}
- */
-// export async function requireProject(state, req, res) {
-//   // if not restricted, do nothing
-//   const ownerRepo = state.config?.access?.require?.repository;
-//   if (!ownerRepo) {
-//     return;
-//   }
-//   const ownerRepos = Array.isArray(ownerRepo) ? ownerRepo : [ownerRepo];
-//   const { log, owner, repo } = state;
-//   if (!isOwnerRepoAllowed(owner, repo, ownerRepos)) {
-//     log.warn(`${owner}/${repo} not allowed for ${ownerRepos}`);
-//     res.status = 403;
-//     res.error = 'forbidden.';
-//   }
-// }

package/src/utils/auth-cookie.js DELETED Viewed

@@ -1,41 +0,0 @@
-/*
- * Copyright 2022 Adobe. All rights reserved.
- * This file is licensed to you under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed under
- * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
- * OF ANY KIND, either express or implied. See the License for the specific language
- * governing permissions and limitations under the License.
- */
-import { parse, serialize } from 'cookie';
-export function clearAuthCookie(secure) {
-  return serialize('hlx-auth-token', '', {
-    path: '/',
-    httpOnly: true,
-    secure,
-    expires: new Date(0),
-    sameSite: secure ? 'none' : 'lax',
-  });
-}
-export function setAuthCookie(idToken, secure) {
-  return serialize('hlx-auth-token', idToken, {
-    path: '/',
-    httpOnly: true,
-    secure,
-    sameSite: secure ? 'none' : 'lax',
-  });
-}
-export function getAuthCookie(req) {
-  // add cookies if not already present
-  if (!req.cookies) {
-    const hdr = req.headers.get('cookie');
-    // eslint-disable-next-line no-param-reassign
-    req.cookies = hdr ? parse(hdr) : {};
-  }
-  return req.cookies['hlx-auth-token'] || '';
-}

package/src/utils/auth.d.ts DELETED Viewed

@@ -1,86 +0,0 @@
-/*
- * Copyright 2022 Adobe. All rights reserved.
- * This file is licensed to you under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed under
- * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
- * OF ANY KIND, either express or implied. See the License for the specific language
- * governing permissions and limitations under the License.
- */
-import {AdminContext} from "../index";
-/**
- * Path Info
- */
-export declare interface AccessDeniedError extends Error {}
-export declare interface OAuthClientConfig {
-  clientID: string;
-  clientSecret: string;
-}
-export declare interface IDPConfig {
-  name:string;
-  scope:string;
-  mountType:string;
-  client(state: PipelineState):OAuthClientConfig;
-  validateIssuer?(issuer: string): boolean;
-  discoveryUrl:string;
-  loginPrompt:string;
-  discovery:any;
-  routes:AuthRoutes;
-}
-export declare interface UserProfile {
-  email:string;
-  iss:string;
-  aud:string;
-  sub: string;
-  jti: string;
-}
-export declare class AuthInfo {
-  /**
-   * Flag indicating of the request is authenticated
-   */
-  authenticated:boolean;
-  profile?:UserProfile;
-  expired?:boolean;
-  loginHint?:string;
-  idp?:IDPConfig;
-  /**
-   * Flag indicating that the auth cookie is invalid.
-   */
-  cookieInvalid?:boolean;
-  /**
-   * Sets a redirect (302) response to the IDPs login endpoint
-   *
-   * @param {PipelineState} state
-   * @param {PipelineRequest} req
-   * @param {PipelineResponse} res
-   */
-  async redirectToLogin(state, req, res);
-  /**
-   * Performs a token exchange from the code flow and redirects to the root page
-   *
-   * @param {PipelineState} state
-   * @param {PipelineRequest} req
-   * @param {PipelineResponse} res
-   */
-  async exchangeToken(state, req, res);
-}

package/src/utils/auth.js DELETED Viewed

@@ -1,452 +0,0 @@
-/*
- * Copyright 2022 Adobe. All rights reserved.
- * This file is licensed to you under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed under
- * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
- * OF ANY KIND, either express or implied. See the License for the specific language
- * governing permissions and limitations under the License.
- */
-// eslint-disable-next-line max-classes-per-file
-import {
-  createLocalJWKSet,
-  decodeJwt,
-  jwtVerify,
-  SignJWT,
-  importJWK,
-} from 'jose';
-import { clearAuthCookie, getAuthCookie, setAuthCookie } from './auth-cookie.js';
-import idpMicrosoft from './idp-configs/microsoft.js';
-// eslint-disable-next-line import/no-unresolved
-import cryptoImpl from '#crypto';
-import { PipelineResponse } from '../PipelineResponse.js';
-const AUTH_REDIRECT_URL = 'https://login.aem.page/.auth';
-let ADMIN_KEY_PAIR = null;
-export class AccessDeniedError extends Error {
-}
-async function getAdminKeyPair(state) {
-  if (!ADMIN_KEY_PAIR) {
-    ADMIN_KEY_PAIR = {
-      privateKey: await importJWK(JSON.parse(state.env.HLX_ADMIN_IDP_PRIVATE_KEY), 'RS256'),
-      publicKey: JSON.parse(state.env.HLX_ADMIN_IDP_PUBLIC_KEY),
-    };
-  }
-  return ADMIN_KEY_PAIR;
-}
-/**
- * Signs the given JWT with the admin private key and returns the token.
- * @param {PipelineState} state
- * @param {SignJWT} jwt
- * @returns {Promise<string>}
- */
-async function signJWT(state, jwt) {
-  const { privateKey, publicKey } = await getAdminKeyPair(state);
-  return jwt
-    .setProtectedHeader({
-      alg: 'RS256',
-      kid: publicKey.kid,
-    })
-    .setAudience(state.env.HLX_SITE_APP_AZURE_CLIENT_ID)
-    .setIssuer(publicKey.issuer)
-    .sign(privateKey);
-}
-/**
- * Verifies and decodes the given jwt using the admin public key
- * @param {PipelineState} state
- * @param {string} jwt
- * @param {boolean} lenient
- * @returns {Promise<JWTPayload>}
- */
-async function verifyJwt(state, jwt, lenient = false) {
-  const publicKey = JSON.parse(state.env.HLX_ADMIN_IDP_PUBLIC_KEY);
-  const jwks = createLocalJWKSet({
-    keys: [publicKey],
-  });
-  const { payload } = await jwtVerify(jwt, jwks, {
-    audience: state.env.HLX_SITE_APP_AZURE_CLIENT_ID,
-    issuer: publicKey.issuer,
-    clockTolerance: lenient ? 7 * 24 * 60 * 60 : 0,
-  });
-  return payload;
-}
-/**
- * Decodes the given id_token for the given idp. if `lenient` is `true`, the clock tolerance
- * is set to 1 week. this allows to extract some profile information that can be used as login_hint.
- * @param {PipelineState} state
- * @param {string} idToken
- * @param {boolean} lenient
- * @returns {Promise<JWTPayload>}
- */
-export async function decodeIdToken(state, idToken, lenient = false) {
-  const { log } = state;
-  const payload = await verifyJwt(state, idToken, lenient);
-  // delete from information not needed in the profile
-  ['azp', 'at_hash', 'nonce', 'aio', 'c_hash'].forEach((prop) => delete payload[prop]);
-  // compute ttl
-  payload.ttl = payload.exp - Math.floor(Date.now() / 1000);
-  log.info(`[auth] decoded id_token${lenient ? ' (lenient)' : ''} from ${payload.iss} and validated payload.`);
-  return payload;
-}
-/**
- * Returns the host of the request; falls back to the configured `host`.
- * Note that this is different from the `state.prodHost` calculation in `init-config`,
- * as this prefers the xfh over the config.
- *
- * @param {PipelineState} state
- * @param {PipelineRequest} req
- * @returns {{proto: (*|string), host: string}} the request host and protocol.
- */
-export function getRequestHostAndProto(state, req) {
-  // determine the location of 'this' document based on the xfh header. so that logins to
-  // .page stay on .page. etc. but fallback to the config.host if non set
-  const xfh = req.headers.get('x-forwarded-host');
-  let host = xfh;
-  if (host) {
-    host = host.split(',')[0].trim();
-  }
-  if (!host) {
-    host = state.prodHost;
-  }
-  // fastly overrides the x-forwarded-proto, so we use x-forwarded-scheme
-  const proto = req.headers.get('x-forwarded-scheme') || req.headers.get('x-forwarded-proto') || 'https';
-  state.log.info(`request host is: ${host} (${proto}) (xfh=${xfh})`);
-  return {
-    host,
-    proto,
-  };
-}
-/**
- * sets the auth error on the response and clears the cookie.
- * @param state
- * @param req
- * @param res
- * @param error
- * @param status
- */
-export function makeAuthError(state, req, res, error, status = 401) {
-  const { proto } = getRequestHostAndProto(state, req);
-  res.status = status;
-  res.error = error;
-  res.headers.set('set-cookie', clearAuthCookie(proto === 'https'));
-  res.headers.set('x-error', error);
-}
-/**
- * AuthInfo class
- */
-export class AuthInfo {
-  /**
-   * AuthInfo constructor
-   * @constructor
-   */
-  constructor() {
-    Object.assign(this, {
-      authenticated: false,
-      idp: null,
-      profile: null,
-      loginHint: null,
-      expired: false,
-      idToken: null,
-      cookieInvalid: false,
-    });
-  }
-  /**
-   * Creates the default AuthInfo that is not authenticated.
-   * @returns {AuthInfo}
-   */
-  static Default() {
-    return new AuthInfo()
-      .withAuthenticated(false);
-  }
-  withAuthenticated(value) {
-    this.authenticated = value;
-    return this;
-  }
-  withProfile(profile) {
-    this.profile = profile;
-    return this;
-  }
-  withLoginHint(value) {
-    this.loginHint = value;
-    return this;
-  }
-  withIdp(value) {
-    this.idp = value;
-    return this;
-  }
-  withExpired(value) {
-    this.expired = value;
-    return this;
-  }
-  withCookieInvalid(value) {
-    this.cookieInvalid = value;
-    return this;
-  }
-  withIdToken(value) {
-    this.idToken = value;
-    return this;
-  }
-  /**
-   * Sets a redirect (302) response to the IDPs login endpoint
-   *
-   * @param {PipelineState} state
-   * @param {PipelineRequest} req
-   * @param {PipelineResponse} res
-   * @param {IDPConfig} idp IDP config
-   */
-  async redirectToLogin(state, req, res) {
-    const { log } = state;
-    const { idp } = this;
-    await state.authEnvLoader.load(state);
-    const { clientId, clientSecret } = idp.client(state);
-    if (!clientId || !clientSecret) {
-      log.error('[auth] unable to create login redirect: missing client_id or client_secret');
-      res.status = 401;
-      res.error = 'invalid auth config.';
-      return;
-    }
-    // determine the location of 'this' document based on the xfh header. so that logins to
-    // .page stay on .page. etc. but fallback to the config.host if non set
-    const { host, proto } = getRequestHostAndProto(state, req);
-    if (!host) {
-      log.error('[auth] unable to create login redirect: no xfh or config.host.');
-      makeAuthError(state, req, res, 'no host information.');
-      return;
-    }
-    // create the token state, so stat we know where to redirect back after the token exchange
-    const payload = {
-      url: state.createExternalLocation(`${proto}://${host}${state.info.path}`),
-    };
-    const tokenState = await signJWT(state, new SignJWT(payload));
-    const url = new URL(idp.discovery.authorization_endpoint);
-    url.searchParams.append('client_id', clientId);
-    url.searchParams.append('response_type', 'code');
-    url.searchParams.append('scope', idp.scope);
-    url.searchParams.append('nonce', cryptoImpl.randomUUID());
-    url.searchParams.append('state', tokenState);
-    url.searchParams.append('redirect_uri', AUTH_REDIRECT_URL);
-    url.searchParams.append('prompt', 'select_account');
-    log.info('[auth] redirecting to login page', url.href);
-    res.status = 302;
-    res.body = '';
-    res.headers.set('location', url.href);
-    res.headers.set('set-cookie', clearAuthCookie(proto === 'https'));
-    res.headers.set('cache-control', 'no-store, private, must-revalidate');
-    res.error = 'moved';
-  }
-  /**
-   * Performs a token exchange from the code flow and redirects to the root page
-   *
-   * @param {universalContext} ctx
-   * @param {PipelineRequest} req
-   * @return {PipelineResponse} res
-   * @throws {Error} if the token exchange fails
-   */
-  async exchangeToken(ctx, req) {
-    const { log } = ctx;
-    const { idp } = this;
-    const { code } = req.params;
-    if (!code) {
-      log.warn('[auth] code exchange failed: code parameter missing.');
-      throw new Error('code exchange failed.');
-    }
-    const { clientId, clientSecret } = idp.client(ctx);
-    const url = new URL(idp.discovery.token_endpoint);
-    const body = {
-      client_id: clientId,
-      client_secret: clientSecret,
-      code,
-      grant_type: 'authorization_code',
-      redirect_uri: AUTH_REDIRECT_URL,
-    };
-    const { fetch } = ctx;
-    const ret = await fetch(url.href, {
-      method: 'POST',
-      body: new URLSearchParams(body).toString(),
-      headers: {
-        'content-type': 'application/x-www-form-urlencoded',
-      },
-    });
-    if (!ret.ok) {
-      log.warn(`[auth] code exchange failed: ${ret.status}`, await ret.text());
-      throw new Error('code exchange failed.');
-    }
-    const tokenResponse = await ret.json();
-    const { id_token: idToken } = tokenResponse;
-    let payload;
-    try {
-      payload = decodeJwt(idToken);
-    } catch (e) {
-      log.warn(`[auth] id token from ${idp.name} is invalid: ${e.message}`);
-      throw new Error('id token invalid.');
-    }
-    const email = payload.email || payload.preferred_username;
-    if (!email) {
-      log.warn(`[auth] id token from ${idp.name} is missing email or preferred_username`);
-      throw new Error('id token invalid.');
-    }
-    // create new token
-    const jwt = new SignJWT({
-      email,
-      name: payload.name,
-    })
-      .setIssuedAt()
-      .setExpirationTime('12 hours');
-    const authToken = await signJWT(ctx, jwt);
-    // redirect to original page
-    const location = req.params.state.url;
-    log.info('[auth] redirecting to original page with hlx-auth-token cookie:', location);
-    return new PipelineResponse(`please go to <a href="${location}">${location}</a>`, {
-      status: 302,
-      headers: {
-        'content-type': 'text/html; charset=utf-8',
-        'set-cookie': setAuthCookie(authToken, location.startsWith('https://')),
-        'cache-control': 'no-store, private, must-revalidate',
-        location,
-      },
-    });
-  }
-}
-/**
- * Validates the auth state and code either with from query parameter or request header.
- * @param {UniversalContext} ctx
- * @param {PipelineRequest} req
- * @returns {Promise<void>}
- */
-export async function validateAuthState(ctx, req) {
-  const { log } = ctx;
-  // use request headers if present
-  if (req.headers.get('x-hlx-auth-state')) {
-    log.info('[auth] override params.state from header.');
-    req.params.state = req.headers.get('x-hlx-auth-state');
-  }
-  if (req.headers.get('x-hlx-auth-code')) {
-    log.info('[auth] override params.code from header.');
-    req.params.code = req.headers.get('x-hlx-auth-code');
-  }
-  if (!req.params.state) {
-    log.warn('[auth] unable to exchange token: no state.');
-    throw new Error('missing state parameter.');
-  }
-  try {
-    const payload = await verifyJwt(ctx, req.params.state);
-    req.params.state = {
-      url: payload.url,
-    };
-  } catch (e) {
-    log.warn(`[auth] error decoding state parameter: invalid state: ${e.message}`);
-    throw new Error('invalid state parameter.');
-  }
-}
-/**
- * Extracts the authentication info from the cookie or 'authorization' header.
- * Returns {@code null} if missing or invalid.
- *
- * @param {PipelineState} state
- * @param {PipelineRequest} req
- * @returns {Promise<AuthInfo>} the authentication info or null if the request is not authenticated
- */
-async function getAuthInfoFromCookieOrHeader(state, req) {
-  const { log } = state;
-  let idToken = getAuthCookie(req);
-  if (!idToken) {
-    log.debug('no auth cookie');
-    const [marker, value] = (req.headers.get('authorization') || '').split(' ');
-    if (marker.toLowerCase() === 'token' && value) {
-      idToken = value.trim();
-    } else {
-      log.debug('no auth header');
-    }
-  }
-  if (idToken) {
-    try {
-      return AuthInfo.Default()
-        .withProfile(await decodeIdToken(state, idToken))
-        .withAuthenticated(true)
-        .withIdToken(idToken);
-    } catch (e) {
-      if (e.code === 'ERR_JWT_EXPIRED') {
-        try {
-          const profile = await decodeIdToken(state, idToken, true);
-          log.warn(`[auth] decoding the id_token failed: ${e.message}, using expired token as hint.`);
-          return AuthInfo.Default()
-            .withExpired(true)
-            .withLoginHint(profile.email);
-        } catch {
-          // ignore
-        }
-      }
-      // wrong token
-      log.warn(`[auth] decoding the id_token failed: ${e.message}.`);
-      return AuthInfo.Default().withCookieInvalid(true);
-    }
-  }
-  log.debug('no id_token');
-  return null;
-}
-/**
- * Computes the authentication info.
- * @param {PipelineState} state
- * @param {PipelineRequest} req
- * @returns {Promise<AuthInfo>} the authentication info or null if the request is not authenticated
- */
-export async function getAuthInfo(state, req) {
-  const { log } = state;
-  const auth = await getAuthInfoFromCookieOrHeader(state, req);
-  if (auth) {
-    if (auth.authenticated) {
-      log.info(`[auth] id-token valid: iss=${auth.profile.iss}`);
-    }
-    if (!auth.idp) {
-      // todo: select idp from config
-      auth.withIdp(idpMicrosoft);
-    }
-    return auth;
-  }
-  return AuthInfo
-    .Default()
-    // todo: select idp from config
-    .withIdp(idpMicrosoft);
-}

package/src/utils/idp-configs/microsoft.js DELETED Viewed

@@ -1,35 +0,0 @@
-/*
- * Copyright 2022 Adobe. All rights reserved.
- * This file is licensed to you under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed under
- * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
- * OF ANY KIND, either express or implied. See the License for the specific language
- * governing permissions and limitations under the License.
- */
-export default {
-  name: 'microsoft',
-  mountType: 'onedrive',
-  client: (state) => ({
-    clientId: state.env.HLX_SITE_APP_AZURE_CLIENT_ID,
-    clientSecret: state.env.HLX_SITE_APP_AZURE_CLIENT_SECRET,
-  }),
-  scope: 'openid profile email',
-  // validateIssuer: (iss) => iss.startsWith('https://login.microsoftonline.com/'),
-  discoveryUrl: 'https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration',
-  // todo: fetch from discovery document
-  discovery: {
-    issuer: 'https://login.microsoftonline.com/{tenantid}/v2.0',
-    request_uri_parameter_supported: false,
-    token_endpoint: 'https://login.microsoftonline.com/common/oauth2/v2.0/token',
-    userinfo_endpoint: 'https://graph.microsoft.com/oidc/userinfo',
-    authorization_endpoint: 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize',
-    device_authorization_endpoint: 'https://login.microsoftonline.com/common/oauth2/v2.0/devicecode',
-    http_logout_supported: true,
-    frontchannel_logout_supported: true,
-    end_session_endpoint: 'https://login.microsoftonline.com/common/oauth2/v2.0/logout',
-    jwks_uri: 'https://login.microsoftonline.com/common/discovery/v2.0/keys',
-  },
-};