@adobe/spacecat-shared-http-utils 1.14.2 → 1.14.4

package/CHANGELOG.md

@@ -1,3 +1,17 @@
+# [@adobe/spacecat-shared-http-utils-v1.14.4](https://github.com/adobe/spacecat-shared/compare/@adobe/spacecat-shared-http-utils-v1.14.3...@adobe/spacecat-shared-http-utils-v1.14.4) (2025-07-12)
+
+
+### Bug Fixes
+
+* **deps:** update external fixes ([#845](https://github.com/adobe/spacecat-shared/issues/845)) ([23bd3a2](https://github.com/adobe/spacecat-shared/commit/23bd3a2235686480cb89d6379276d9ed000baea3))
+
+# [@adobe/spacecat-shared-http-utils-v1.14.3](https://github.com/adobe/spacecat-shared/compare/@adobe/spacecat-shared-http-utils-v1.14.2...@adobe/spacecat-shared-http-utils-v1.14.3) (2025-06-23)
+
+
+### Bug Fixes
+
+* for adobe users admin access to only admin group members ([#796](https://github.com/adobe/spacecat-shared/issues/796)) ([11766d5](https://github.com/adobe/spacecat-shared/commit/11766d5265aee799e9d5b895c565a2c56b556b38))
+
 # [@adobe/spacecat-shared-http-utils-v1.14.2](https://github.com/adobe/spacecat-shared/compare/@adobe/spacecat-shared-http-utils-v1.14.1...@adobe/spacecat-shared-http-utils-v1.14.2) (2025-06-16)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adobe/spacecat-shared-http-utils",
-  "version": "1.14.2",
+  "version": "1.14.4",
   "description": "Shared modules of the Spacecat Services - HTTP Utils",
   "type": "module",
   "engines": {
@@ -41,7 +41,7 @@
   },
   "devDependencies": {
     "@adobe/helix-shared-wrap": "2.0.2",
-    "chai": "5.2.0",
+    "chai": "5.2.1",
     "chai-as-promised": "8.0.1",
     "sinon": "20.0.0"
   }

package/src/auth/handlers/ims.js

@@ -35,6 +35,15 @@ const IGNORED_PROFILE_PROPS = [
   'aa_id',
 ];
 
+const ADMIN_GROUP_IDENT = {
+  '8C6043F15F43B6390A49401A': [ // IMS admin group for stag
+    635541219,
+  ],
+  '908936ED5D35CC220A495CD4': [
+    879529884, // IMS admin group for prod
+    901092291, // IMS admin group for on call engineers
+  ],
+};
 const SERVICE_CODE = 'dx_aem_perf';
 const loadConfig = (context) => {
   try {
@@ -68,6 +77,19 @@ function getTenants(organizations) {
   }));
 }
 
+function isUserASOAdmin(organizations) {
+  if (!organizations) {
+    throw new Error('organizations param is required.');
+  }
+
+  return organizations.some((org) => {
+    const adminGroupsForOrg = ADMIN_GROUP_IDENT[org.orgRef.ident];
+    if (!adminGroupsForOrg) {
+      return false;
+    }
+    return org.groups.some((group) => adminGroupsForOrg.includes(group.ident));
+  });
+}
 /**
  * @deprecated Use JwtHandler instead in the context of IMS login with subsequent JWT exchange.
  */
@@ -135,12 +157,12 @@ export default class AdobeImsHandler extends AbstractHandler {
       const config = loadConfig(context);
       const payload = await this.#validateToken(token, config);
       const imsProfile = await context.imsClient.getImsUserProfile(token);
+      const organizations = await context.imsClient.getImsUserOrganizations(token);
+      const isAdmin = isUserASOAdmin(organizations);
       const scopes = [];
-      if (imsProfile.email?.toLowerCase().endsWith('@adobe.com')) {
+      if (imsProfile.email?.toLowerCase().endsWith('@adobe.com') && isAdmin) {
         scopes.push({ name: 'admin' });
       } else {
-        // for non-adobe users, we need to get the organizations and create the tenants
-        const organizations = await context.imsClient.getImsUserOrganizations(token);
         payload.tenants = getTenants(organizations) || [];
         scopes.push(...payload.tenants.map(
           (tenant) => ({ name: 'user', domains: [tenant.id], subScopes: tenant.subServices }),