@adobe/helix-onedrive-support 6.2.0 → 7.0.0

package/.github/workflows/semantic-release.yaml

@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     if: "!contains(github.event.head_commit.message, '[skip ci]')"
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: Use Node.js 14.x
         uses: actions/setup-node@v3
         with:

package/CHANGELOG.md

@@ -1,3 +1,31 @@
+# [7.0.0](https://github.com/adobe/helix-onedrive-support/compare/v6.2.2...v7.0.0) (2022-03-23)
+
+
+### Features
+
+* add transparent tenant resolution ([dc59dbf](https://github.com/adobe/helix-onedrive-support/commit/dc59dbfc53d767593b82c845c753da3885560852))
+
+
+### BREAKING CHANGES
+
+* API slightly refactored
+- authorityUrl is now method: `getAuthorityIUrl`
+- new method: `setAccessToken`
+
+## [6.2.2](https://github.com/adobe/helix-onedrive-support/compare/v6.2.1...v6.2.2) (2022-03-20)
+
+
+### Bug Fixes
+
+* **deps:** update dependency @adobe/helix-fetch to v3.0.7 ([15f9380](https://github.com/adobe/helix-onedrive-support/commit/15f9380b04d28a68b1e39be38c8c913a0cf48fec))
+
+## [6.2.1](https://github.com/adobe/helix-onedrive-support/compare/v6.2.0...v6.2.1) (2022-03-16)
+
+
+### Bug Fixes
+
+* use http1 for ms access ([#251](https://github.com/adobe/helix-onedrive-support/issues/251)) ([c91a629](https://github.com/adobe/helix-onedrive-support/commit/c91a629fa8c18c0dcdb2a0d21a225de940db05ea)), closes [#250](https://github.com/adobe/helix-onedrive-support/issues/250)
+
 # [6.2.0](https://github.com/adobe/helix-onedrive-support/compare/v6.1.5...v6.2.0) (2022-03-01)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adobe/helix-onedrive-support",
-  "version": "6.2.0",
+  "version": "7.0.0",
   "description": "Helix OneDrive Support",
   "main": "src/index.js",
   "types": "src/index.d.ts",
@@ -23,8 +23,9 @@
   },
   "homepage": "https://github.com/adobe/helix-onedrive-support#readme",
   "dependencies": {
-    "@adobe/helix-fetch": "3.0.6",
-    "adal-node": "https://github.com/adobe-rnd/azure-activedirectory-library-for-nodejs.git#adobe"
+    "@adobe/helix-fetch": "3.0.7",
+    "adal-node": "https://github.com/adobe-rnd/azure-activedirectory-library-for-nodejs.git#adobe",
+    "jose": "4.6.0"
   },
   "devDependencies": {
     "@adobe/eslint-config-helix": "1.3.2",
@@ -35,13 +36,13 @@
     "commitizen": "4.2.4",
     "cz-conventional-changelog": "3.3.0",
     "dotenv": "16.0.0",
-    "eslint": "8.10.0",
+    "eslint": "8.11.0",
     "eslint-plugin-header": "3.1.1",
     "eslint-plugin-import": "2.25.4",
     "jsdoc-to-markdown": "7.1.1",
     "junit-report-builder": "3.0.0",
-    "lint-staged": "12.3.4",
-    "mocha": "9.2.1",
+    "lint-staged": "12.3.7",
+    "mocha": "9.2.2",
     "mocha-multi-reporters": "1.5.1",
     "nock": "13.2.4",
     "nyc": "15.1.0",

package/src/OneDrive.d.ts

@@ -25,6 +25,7 @@ export declare interface OneDriveOptions {
   refreshToken?: string;
   log?: Logger;
   tenant?: string;
+  resource?: string;
   username?: string;
   password?: string;
 
@@ -44,6 +45,18 @@ export declare interface OneDriveOptions {
    * Note that the cache is only used, if the `noShareLinkCache` flag is `falsy`
    */
   shareLinkCache?: Map<string, DriveItem>,
+
+  /**
+   * Disables the cache for the tenant lookup.
+   * @default process.env.HELIX_ONEDRIVE_NO_TENANT_CACHE
+   */
+  noTenantCache?: boolean;
+
+  /**
+   * Map to use for the tenant lookup cache. If empty, a module-global cache will be used.
+   * Note that the cache is only used, if the `noTenantCache` flag is `falsy`
+   */
+  tenantCache?: Map<string, DriveItem>,
 }
 
 export declare interface GraphResult {
@@ -145,7 +158,7 @@ export declare class OneDrive extends EventEmitter {
   /**
    * the authority url for login.
    */
-  authorityUrl: string;
+  getAuthorityUrl(): string;
 
   /**
    * Adds entries to the token cache
@@ -161,6 +174,14 @@ export declare class OneDrive extends EventEmitter {
    */
   login(onCode: Function): Promise<TokenResponse>;
 
+  /**
+   * Sets the access token to use for all requests. if the token is a valid JWT token,
+   * its `tid` claim is used a tenant (if no tenant is already set).
+   *
+   * @param {string} bearerToken
+   */
+  setAccessToken(bearerToken);
+
   getAccessToken(autoRefresh: boolean): Promise<TokenResponse>;
 
   createLoginUrl(): string;

package/src/OneDrive.js

@@ -13,8 +13,9 @@
 // eslint-disable-next-line max-classes-per-file
 const EventEmitter = require('events');
 const { promisify } = require('util');
+const jose = require('jose');
 const { AuthenticationContext, MemoryCache } = require('adal-node');
-const fetchAPI = require('@adobe/helix-fetch');
+const { fetch, reset } = require('@adobe/helix-fetch').keepAliveNoCache({ userAgent: 'helix-fetch' });
 
 const Workbook = require('./Workbook.js');
 const StatusCodeError = require('./StatusCodeError.js');
@@ -22,17 +23,9 @@ const { driveItemFromURL, driveItemToURL } = require('./utils.js');
 const { splitByExtension, sanitize, editDistance } = require('./fuzzy-helper.js');
 const SharePointSite = require('./SharePointSite.js');
 
-const { fetch, reset } = process.env.HELIX_FETCH_FORCE_HTTP1
-  ? fetchAPI.context({
-    alpnProtocols: [fetchAPI.ALPN_HTTP1_1],
-    userAgent: 'helix-fetch', // static user agent for test recordings
-  })
-  /* istanbul ignore next */
-  : fetchAPI;
-
 const AZ_AUTHORITY_HOST_URL = 'https://login.windows.net';
 const AZ_DEFAULT_RESOURCE = 'https://graph.microsoft.com'; // '00000002-0000-0000-c000-000000000000'; ??
-const AZ_DEFAULT_TENANT = 'common';
+const AZ_COMMON_TENANT = 'common';
 
 /**
  * the maximum subscription time in milliseconds
@@ -45,27 +38,23 @@ const MAX_SUBSCRIPTION_EXPIRATION_TIME = 4230 * 60 * 1000;
 
 /**
  * map that caches share item data. key is a sharing url, the value a drive item.
- * @type {Map<string, *>}
+ * @type {Map<string, string>}
  * @private
  */
 const globalShareLinkCache = new Map();
 
+/**
+ * map that caches the tenant ids
+ * @type {Map<string, string>}
+ */
+const globalTenantCache = new Map();
+
 /**
  * Helper class that facilitates accessing one drive.
  */
 class OneDrive extends EventEmitter {
   /**
    * @param {OneDriveOptions} opts Options
-   * @param {string}  opts.clientId The client id of the app
-   * @param {string}  [opts.clientSecret] The client secret of the app
-   * @param {string}  [opts.refreshToken] The refresh token.
-   * @param {string}  [opts.accessToken] The access token.
-   * @param {string}  [opts.username] Username for username/password authentication.
-   * @param {string}  [opts.password] Password for username/password authentication.
-   * @param {number}  [opts.expiresOn] Expiration time.
-   * @param {Logger}  [opts.log] A logger.
-   * @param {boolean} [opts.localAuthCache] Whether to use local auth cache
-   * @param {string}  [opts.resource] Azure resource to authenticate against. defaults to MS Graph.
    */
   constructor(opts) {
     super(opts);
@@ -75,53 +64,109 @@ class OneDrive extends EventEmitter {
     this.username = opts.username || '';
     this.password = opts.password || '';
     this._log = opts.log || console;
-    this.tenant = opts.tenant || AZ_DEFAULT_TENANT;
+    this.tenant = opts.tenant;
     this.resource = opts.resource || AZ_DEFAULT_RESOURCE;
+    this.localAuthCache = opts.localAuthCache;
 
     if (!opts.noShareLinkCache && !process.env.HELIX_ONEDRIVE_NO_SHARE_LINK_CACHE) {
+      /** @type {Map<string, string>} */
       this.shareLinkCache = opts.shareLinkCache || globalShareLinkCache;
     }
+    if (!opts.noTenantCache && !process.env.HELIX_ONEDRIVE_NO_TENANT_CACHE) {
+      /** @type {Map<string, string>} */
+      this.tenantCache = opts.tenantCache || globalTenantCache;
+    }
 
     if (!this.clientId) {
       throw new Error('Missing clientId.');
     }
-    this.authContext = new AuthenticationContext(
-      this.authorityUrl,
-      undefined,
-      opts.localAuthCache ? new MemoryCache() : undefined,
-    );
-    [
-      'acquireUserCode',
-      'acquireToken',
-      'acquireTokenWithDeviceCode',
-      'acquireTokenWithRefreshToken',
-      'acquireTokenWithUsernamePassword',
-      'acquireTokenWithClientCredentials',
-    ].forEach((m) => {
-      this.authContext[m] = promisify(this.authContext[m].bind(this.authContext));
-    });
-    const { cache } = this.authContext;
-    if (opts.localAuthCache) {
-      const originalAdd = cache.add;
-      cache.add = (entries, cb) => {
-        originalAdd.call(cache, entries, (...args) => {
-          // eslint-disable-next-line no-underscore-dangle
-          this.emit('tokens', cache._entries);
-          cb(...args);
-        });
-      };
-      const originalRemove = cache.remove;
-      cache.remove = (entries, cb) => {
-        originalRemove.call(cache, entries, (...args) => {
-          // eslint-disable-next-line no-underscore-dangle
-          this.emit('tokens', cache._entries);
-          cb(...args);
-        });
-      };
-    }
-    cache.add.promise = promisify(cache.add.bind(cache));
-    cache.remove.promise = promisify(cache.remove.bind(cache));
-    cache.find.promise = promisify(cache.find.bind(cache));
+  }
+
+  /**
+   * Return the auth context
+   * @returns {AuthenticationContext}
+   */
+  async getAuthContext() {
+    if (!this.authContext) {
+      this.authContext = new AuthenticationContext(
+        this.getAuthorityUrl(),
+        undefined,
+        this.localAuthCache ? new MemoryCache() : undefined,
+      );
+      [
+        'acquireUserCode',
+        'acquireToken',
+        'acquireTokenWithDeviceCode',
+        'acquireTokenWithRefreshToken',
+        'acquireTokenWithUsernamePassword',
+        'acquireTokenWithClientCredentials',
+      ].forEach((m) => {
+        this.authContext[m] = promisify(this.authContext[m].bind(this.authContext));
+      });
+      const { cache } = this.authContext;
+      if (this.localAuthCache) {
+        const originalAdd = cache.add;
+        cache.add = (entries, cb) => {
+          originalAdd.call(cache, entries, (...args) => {
+            // eslint-disable-next-line no-underscore-dangle
+            this.emit('tokens', cache._entries);
+            cb(...args);
+          });
+        };
+        const originalRemove = cache.remove;
+        cache.remove = (entries, cb) => {
+          originalRemove.call(cache, entries, (...args) => {
+            // eslint-disable-next-line no-underscore-dangle
+            this.emit('tokens', cache._entries);
+            cb(...args);
+          });
+        };
+      }
+      cache.add.promise = promisify(cache.add.bind(cache));
+      cache.remove.promise = promisify(cache.remove.bind(cache));
+      cache.find.promise = promisify(cache.find.bind(cache));
+    }
+    return this.authContext;
+  }
+
+  async resolveTenant(tenantHost) {
+    const { log } = this;
+    const configUrl = `https://login.windows.net/${tenantHost}.onmicrosoft.com/.well-known/openid-configuration`;
+    const res = await fetch(configUrl);
+    if (!res.ok) {
+      log.info(`error fetching openid-configuration for ${tenantHost}: ${res.status}. Fallback to 'common'`);
+      return AZ_COMMON_TENANT;
+    }
+
+    const { issuer } = await res.json();
+    if (!issuer) {
+      log.info(`unable to extract tenant from openid-configuration for ${tenantHost}: no 'issuer'. Fallback to 'common'`);
+      return AZ_COMMON_TENANT;
+    }
+
+    // eslint-disable-next-line prefer-destructuring
+    const tenant = new URL(issuer).pathname.split('/')[1];
+    log.info(`fetched tenant information from for ${tenantHost}: ${tenant}`);
+    return tenant;
+  }
+
+  async initTenantFromShareLink(sharingUrl) {
+    if (this.tenant) {
+      return;
+    }
+    const { log } = this;
+    const [tenantHost] = new URL(sharingUrl).hostname.split('.');
+
+    if (this.tenantCache) {
+      this.tenant = this.tenantCache.get(tenantHost);
+    }
+    if (!this.tenant) {
+      this.tenant = await this.resolveTenant(tenantHost);
+      if (this.tenantCache) {
+        this.tenantCache.set(tenantHost, this.tenant);
+      }
+    }
+    log.info(`using tenant ${this.tenant} for ${tenantHost} from ${sharingUrl}`);
   }
 
   /**
@@ -138,7 +183,10 @@ class OneDrive extends EventEmitter {
     return this._log;
   }
 
-  get authorityUrl() {
+  getAuthorityUrl() {
+    if (!this.tenant) {
+      throw new Error('unable to compute authority url. no tenant.');
+    }
     return `${AZ_AUTHORITY_HOST_URL}/${this.tenant}`;
   }
 
@@ -147,7 +195,7 @@ class OneDrive extends EventEmitter {
    */
   get authenticated() {
     // eslint-disable-next-line no-underscore-dangle
-    return this.authContext.cache._entries.length > 0;
+    return this.authContext?.cache._entries.length > 0;
   }
 
   /**
@@ -156,7 +204,7 @@ class OneDrive extends EventEmitter {
    * @return this;
    */
   async loadTokenCache(entries) {
-    return this.authContext.cache.add.promise(entries);
+    return (await this.getAuthContext()).cache.add.promise(entries);
   }
 
   /**
@@ -166,7 +214,8 @@ class OneDrive extends EventEmitter {
    * @returns {Promise<TokenResponse>}
    */
   async login(onCode) {
-    const { log, authContext: context } = this;
+    const { log } = this;
+    const context = await this.getAuthContext();
 
     let code;
     try {
@@ -190,9 +239,35 @@ class OneDrive extends EventEmitter {
   }
 
   /**
+   * Sets the access token to use for all requests. if the token is a valid JWT token,
+   * its `tid` claim is used a tenant (if no tenant is already set).
+   *
+   * @param {string} bearerToken
    */
-  async getAccessToken() {
-    const { log, authContext: context } = this;
+  setAccessToken(bearerToken) {
+    const { log } = this;
+    this.accessToken = {
+      accessToken: bearerToken,
+    };
+    if (!this.tenant) {
+      try {
+        const { tid } = jose.decodeJwt(bearerToken);
+        if (tid) {
+          log.info(`using tenant from access token: ${tid}`);
+          this.tenant = tid;
+        }
+      } catch (e) {
+        log.warn(`unable to decode access token: ${e.message}`);
+      }
+    }
+    this.accessToken.tenantId = this.tenant;
+  }
+
+  /**
+   */
+  async fetchAccessToken() {
+    const { log } = this;
+    const context = await this.getAuthContext();
     try {
       return await context.acquireToken(this.resource, this.username, this.clientId);
     } catch (e) {
@@ -239,10 +314,17 @@ class OneDrive extends EventEmitter {
     }
   }
 
+  async getAccessToken() {
+    if (!this.accessToken) {
+      this.accessToken = await this.fetchAccessToken();
+    }
+    return this.accessToken;
+  }
+
   /**
    */
   createLoginUrl(redirectUri, state) {
-    return `${this.authorityUrl}/oauth2/authorize?response_type=code&scope=/.default&client_id=${this.clientId}&redirect_uri=${redirectUri}&state=${state}&resource=${this.resource}`;
+    return `${this.getAuthorityUrl()}/oauth2/authorize?response_type=code&scope=/.default&client_id=${this.clientId}&redirect_uri=${redirectUri}&state=${state}&resource=${this.resource}`;
   }
 
   async augmentAndCacheResponse(response) {
@@ -267,7 +349,8 @@ class OneDrive extends EventEmitter {
   /**
    */
   async acquireToken(redirectUri, code) {
-    const { log, authContext: context } = this;
+    const { log } = this;
+    const context = await this.getAuthContext();
     try {
       const resp = await context.acquireTokenWithAuthorizationCode(
         code,
@@ -350,6 +433,7 @@ class OneDrive extends EventEmitter {
   /**
    */
   async resolveShareLink(sharingUrl) {
+    await this.initTenantFromShareLink(sharingUrl);
     const link = OneDrive.encodeSharingUrl(sharingUrl);
     this.log.debug(`resolving sharelink ${sharingUrl} (${link})`);
     try {
@@ -376,6 +460,7 @@ class OneDrive extends EventEmitter {
     if (driveItem) {
       return driveItem;
     }
+    await this.initTenantFromShareLink(sharingUrl);
     if (this.shareLinkCache) {
       driveItem = this.shareLinkCache.get(sharingUrl);
     }

package/src/SharePointSite.js

@@ -10,18 +10,9 @@
  * governing permissions and limitations under the License.
  */
 
-const fetchAPI = require('@adobe/helix-fetch');
+const { fetch } = require('@adobe/helix-fetch').keepAliveNoCache({ userAgent: 'helix-fetch' });
 const StatusCodeError = require('./StatusCodeError.js');
 
-/* istanbul ignore next */
-const { fetch } = process.env.HELIX_FETCH_FORCE_HTTP1
-  ? fetchAPI.context({
-    alpnProtocols: [fetchAPI.ALPN_HTTP1_1],
-    userAgent: 'helix-fetch', // static user agent for test recordings
-  })
-  /* istanbul ignore next */
-  : fetchAPI;
-
 /**
  * Helper class accessing folders and files using the SharePoint V1 API.
  */