@adobe/spacecat-shared-http-utils 1.14.0 → 1.14.1

package/CHANGELOG.md

@@ -1,3 +1,10 @@
+# [@adobe/spacecat-shared-http-utils-v1.14.1](https://github.com/adobe/spacecat-shared/compare/@adobe/spacecat-shared-http-utils-v1.14.0...@adobe/spacecat-shared-http-utils-v1.14.1) (2025-06-06)
+
+
+### Bug Fixes
+
+* trigger a release for non-adobe users tenant isolation ([#789](https://github.com/adobe/spacecat-shared/issues/789)) ([92f5aa2](https://github.com/adobe/spacecat-shared/commit/92f5aa2cb65ffe1e1f19ef35f94f1f5016a49979))
+
 # [@adobe/spacecat-shared-http-utils-v1.14.0](https://github.com/adobe/spacecat-shared/compare/@adobe/spacecat-shared-http-utils-v1.13.2...@adobe/spacecat-shared-http-utils-v1.14.0) (2025-05-27)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adobe/spacecat-shared-http-utils",
-  "version": "1.14.0",
+  "version": "1.14.1",
   "description": "Shared modules of the Spacecat Services - HTTP Utils",
   "type": "module",
   "engines": {
@@ -12,6 +12,7 @@
   "scripts": {
     "test": "c8 mocha --spec=test/**/*.test.js",
     "lint": "eslint .",
+    "lint:fix": "eslint --fix .",
     "clean": "rm -rf package-lock.json node_modules"
   },
   "mocha": {

package/src/auth/handlers/ims.js

@@ -10,16 +10,14 @@
  * governing permissions and limitations under the License.
  */
 
-import { hasText } from '@adobe/spacecat-shared-utils';
+import { hasText, isNonEmptyArray } from '@adobe/spacecat-shared-utils';
 import {
   createLocalJWKSet,
   createRemoteJWKSet,
   decodeJwt,
   jwtVerify,
 } from 'jose';
-
 import { getBearerToken } from './utils/bearer.js';
-
 import AbstractHandler from './abstract.js';
 import AuthInfo from '../auth-info.js';
 
@@ -37,6 +35,7 @@ const IGNORED_PROFILE_PROPS = [
   'aa_id',
 ];
 
+const SERVICE_CODE = 'dx_aem_perf';
 const loadConfig = (context) => {
   try {
     const config = JSON.parse(context.env.AUTH_HANDLER_IMS);
@@ -57,6 +56,18 @@ const transformProfile = (payload) => {
   return profile;
 };
 
+function getTenants(organizations) {
+  if (!isNonEmptyArray(organizations)) {
+    return [];
+  }
+
+  return organizations.map((org) => ({
+    id: org.orgRef.ident,
+    name: org.orgName,
+    subServices: [`${SERVICE_CODE}_auto_suggest`, `${SERVICE_CODE}_auto_fix`],
+  }));
+}
+
 /**
  * @deprecated Use JwtHandler instead in the context of IMS login with subsequent JWT exchange.
  */
@@ -115,16 +126,33 @@ export default class AdobeImsHandler extends AbstractHandler {
       return null;
     }
 
+    if (!context.imsClient) {
+      this.log('No IMS client available in context', 'error');
+      return null;
+    }
+
     try {
       const config = loadConfig(context);
       const payload = await this.#validateToken(token, config);
+      const imsProfile = await context.imsClient.getImsUserProfile(token);
+      const scopes = [];
+      if (imsProfile.email?.endsWith('@adobe.com')) {
+        scopes.push({ name: 'admin' });
+      } else {
+        // for non-adobe users, we need to get the organizations and create the tenants
+        const organizations = await context.imsClient.getImsUserOrganizations(token);
+        payload.tenants = getTenants(organizations) || [];
+        scopes.push(...payload.tenants.map(
+          (tenant) => ({ name: 'user', domains: [tenant.id], subScopes: tenant.subServices }),
+        ));
+      }
       const profile = transformProfile(payload);
 
       return new AuthInfo()
         .withType(this.name)
         .withAuthenticated(true)
         .withProfile(profile)
-        .withScopes([{ name: 'admin' }]);
+        .withScopes(scopes);
     } catch (e) {
       this.log(`Failed to validate token: ${e.message}`, 'error');
     }