@adobe/spacecat-shared-http-utils 1.14.2 → 1.14.3
- package/CHANGELOG.md +7 -0
- package/package.json +1 -1
- package/src/auth/handlers/ims.js +25 -3
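--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,3 +1,10 @@
+# [@adobe/spacecat-shared-http-utils-v1.14.3](https://github.com/adobe/spacecat-shared/compare/@adobe/spacecat-shared-http-utils-v1.14.2...@adobe/spacecat-shared-http-utils-v1.14.3) (2025-06-23)
+
+
+### Bug Fixes
+
+* for adobe users admin access to only admin group members ([#796](https://github.com/adobe/spacecat-shared/issues/796)) ([11766d5](https://github.com/adobe/spacecat-shared/commit/11766d5265aee799e9d5b895c565a2c56b556b38))
+
 # [@adobe/spacecat-shared-http-utils-v1.14.2](https://github.com/adobe/spacecat-shared/compare/@adobe/spacecat-shared-http-utils-v1.14.1...@adobe/spacecat-shared-http-utils-v1.14.2) (2025-06-16)
 
 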
package/package.json
CHANGED
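--- a/package/src/auth/handlers/ims.js
+++ b/package/src/auth/handlers/ims.js
@@ -35,6 +35,15 @@ const IGNORED_PROFILE_PROPS = [
 'aa_id',
 ];
 
+const ADMIN_GROUP_IDENT = {
+'8C6043F15F43B6390A49401A': [ // IMS admin group for stag
+635541219,
+],
+'908936ED5D35CC220A495CD4': [
+879529884, // IMS admin group for prod
+901092291, // IMS admin group for on call engineers
+],
+};
 const SERVICE_CODE = 'dx_aem_perf';
 const loadConfig = (context) => {
 try {
@@ -68,6 +77,19 @@ function getTenants(organizations) {
 }));
 }
 
+function isUserASOAdmin(organizations) {
+if (!organizations) {
+throw new Error('organizations param is required.');
+}
+
+return organizations.some((org) => {
+const adminGroupsForOrg = ADMIN_GROUP_IDENT[org.orgRef.ident];
+if (!adminGroupsForOrg) {
+return false;
+}
+return org.groups.some((group) => adminGroupsForOrg.includes(group.ident));
+});
+}
 /**
 * @deprecated Use JwtHandler instead in the context of IMS login with subsequent JWT exchange.
 */
@@ -135,12 +157,12 @@ export default class AdobeImsHandler extends AbstractHandler {
 const config = loadConfig(context);
 const payload = await this.#validateToken(token, config);
 const imsProfile = await context.imsClient.getImsUserProfile(token);
+const organizations = await context.imsClient.getImsUserOrganizations(token);
+const isAdmin = isUserASOAdmin(organizations);
 const scopes = [];
-if (imsProfile.email?.toLowerCase().endsWith('@adobe.com')) {
+if (imsProfile.email?.toLowerCase().endsWith('@adobe.com') && isAdmin) {
 scopes.push({ name: 'admin' });
 } else {
-// for non-adobe users, we need to get the organizations and create the tenants
-const organizations = await context.imsClient.getImsUserOrganizations(token);
 payload.tenants = getTenants(organizations) || [];
 scopes.push(...payload.tenants.map(
 (tenant) => ({ name: 'user', domains: [tenant.id], subScopes: tenant.subServices }),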
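Review bot: `isUserASOAdmin` dereferences `org.orgRef.ident` and `org.groups` without guards and is now called for every token before the e-mail check, so a single organization entry lacking `orgRef` or `groups` throws a TypeError on a path where the earlier code fetched organizations only in the `else` branch. Whether that ends as a clean denial depends on error handling outside these hunks; resolving to "not admin" is more predictable: `const adminGroupsForOrg = Object.hasOwn(ADMIN_GROUP_IDENT, org?.orgRef?.ident) ? ADMIN_GROUP_IDENT[org.orgRef.ident] : undefined;` and `return Array.isArray(org.groups) && org.groups.some((group) => adminGroupsForOrg.includes(group.ident));`. The `Object.hasOwn` lookup also keeps an ident such as `constructor` from resolving to an inherited, non-array value on the plain-object map. `includes` compares strictly, so the numeric ids match only if IMS returns `group.ident` as a number, which is worth pinning with a test. `ADMIN_GROUP_IDENT` lists the stage and prod orgs in one map, so unless the IMS environment already separates them, stage admin-group membership grants the `admin` scope in every deployment; selecting the entry per environment, and adding a JSDoc comment on `isUserASOAdmin` that states this contract, would make the boundary explicit.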