@adobe/spacecat-shared-http-utils 1.4.0 → 1.5.0

package/CHANGELOG.md

@@ -1,3 +1,10 @@
+# [@adobe/spacecat-shared-http-utils-v1.5.0](https://github.com/adobe/spacecat-shared/compare/@adobe/spacecat-shared-http-utils-v1.4.0...@adobe/spacecat-shared-http-utils-v1.5.0) (2024-08-09)
+
+
+### Features
+
+* Introduce scoped API keys ([#312](https://github.com/adobe/spacecat-shared/issues/312)) ([449d273](https://github.com/adobe/spacecat-shared/commit/449d2736154d7e92fb4a3d1f9f290e15e665aa5e))
+
 # [@adobe/spacecat-shared-http-utils-v1.4.0](https://github.com/adobe/spacecat-shared/compare/@adobe/spacecat-shared-http-utils-v1.3.5...@adobe/spacecat-shared-http-utils-v1.4.0) (2024-07-30)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adobe/spacecat-shared-http-utils",
-  "version": "1.4.0",
+  "version": "1.5.0",
   "description": "Shared modules of the Spacecat Services - HTTP Utils",
   "type": "module",
   "main": "src/index.js",
@@ -31,6 +31,7 @@
   "dependencies": {
     "@adobe/fetch": "4.1.8",
     "@adobe/spacecat-shared-utils": "1.19.1",
+    "@adobe/spacecat-shared-data-access": "1.39.0",
     "jose": "5.6.3"
   },
   "devDependencies": {

package/src/auth/auth-info.js

@@ -18,6 +18,7 @@ export default class AuthInfo {
     Object.assign(this, {
       authenticated: false,
       profile: null,
+      scopes: [],
     });
   }
 
@@ -50,4 +51,32 @@ export default class AuthInfo {
     this.type = value;
     return this;
   }
+
+  /**
+   * Set the reason that authentication has failed.
+   * @param {string} reason - The reason for auth failure
+   * @return {AuthInfo} The auth info object
+   */
+  withReason(reason) {
+    this.reason = reason;
+    return this;
+  }
+
+  /**
+   * Set the scopes that this auth info instance has access to.
+   * @param {Array<{name: string, domains?: Array<string>}>} scopes - The array of scope objects
+   * @return {AuthInfo} The auth info object
+   */
+  withScopes(scopes) {
+    this.scopes = scopes;
+    return this;
+  }
+
+  getScopes() { return this.scopes; }
+
+  getProfile() { return this.profile; }
+
+  getReason() { return this.reason; }
+
+  isAuthenticated() { return this.authenticated; }
 }

package/src/auth/auth-wrapper.js

@@ -12,7 +12,9 @@
 
 import { Response } from '@adobe/fetch';
 
+import { isObject } from '@adobe/spacecat-shared-utils';
 import AuthenticationManager from './authentication-manager.js';
+import { checkScopes } from './check-scopes.js';
 
 const ANONYMOUS_ENDPOINTS = [
   'GET /slack/events',
@@ -28,8 +30,8 @@ export function authWrapper(fn, opts = {}) {
     const route = `${method.toUpperCase()} ${suffix}`;
 
     if (ANONYMOUS_ENDPOINTS.includes(route)
-      || route.startsWith('POST /hooks/site-detection/')
-      || method.toUpperCase() === 'OPTIONS') {
+        || route.startsWith('POST /hooks/site-detection/')
+        || method.toUpperCase() === 'OPTIONS') {
       return fn(request, context);
     }
 
@@ -43,7 +45,15 @@ export function authWrapper(fn, opts = {}) {
     }
 
     try {
-      await authenticationManager.authenticate(request, context);
+      const authInfo = await authenticationManager.authenticate(request, context);
+
+      // Add a helper function to the context for checking scoped API keys.
+      // authInfo is available at context.attributes.authInfo.
+      if (!isObject(context.auth)) {
+        context.auth = {
+          checkScopes: (scopes) => checkScopes(scopes, authInfo, log),
+        };
+      }
     } catch (error) {
       return new Response('Unauthorized', { status: 401 });
     }

package/src/auth/check-scopes.js

@@ -0,0 +1,41 @@
+/*
+ * Copyright 2024 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+
+import { isObject } from '@adobe/spacecat-shared-utils';
+
+/**
+ * Check if the given AuthInfo has the requested scopes. Throws an error if any scopes are missing.
+ * @param {Array<string>} scopes - The scopes required for the request
+ * @param {AuthInfo} authInfo - Authentication state for the current request
+ * @param {Logger} log - Logger
+ */
+export function checkScopes(scopes, authInfo, log) {
+  if (!isObject(authInfo)) {
+    throw new Error('Auth info is required');
+  }
+
+  // Check that each required scope is present in authInfo
+  const missingScopes = [];
+  const authInfoScopeNames = authInfo.getScopes().map((scopeObject) => scopeObject.name);
+  scopes.forEach((scope) => {
+    if (!authInfoScopeNames.includes(scope)) {
+      missingScopes.push(scope);
+    }
+  });
+
+  if (missingScopes.length > 0) {
+    log.error(`API key with ID: ${authInfo.getProfile()?.api_key_id} does not have required scopes. It's missing: ${missingScopes.join(',')}`);
+    throw new Error(`API key is missing the [${missingScopes.join(',')}] scope(s) required for this resource`);
+  }
+
+  // Otherwise: all good
+}

package/src/auth/generate-hash.js

@@ -0,0 +1,16 @@
+/*
+ * Copyright 2024 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+import crypto from 'crypto';
+
+export function hashWithSHA256(input) {
+  return crypto.createHash('sha256').update(input).digest('hex');
+}

package/src/auth/handlers/scoped-api-key.js

@@ -0,0 +1,69 @@
+/*
+ * Copyright 2024 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+
+import { hasText, isIsoDate } from '@adobe/spacecat-shared-utils';
+import AbstractHandler from './abstract.js';
+import { hashWithSHA256 } from '../generate-hash.js';
+import AuthInfo from '../auth-info.js';
+
+/**
+ * Handler to support API keys which include scope details. These API keys are stored in the data
+ * layer and require context.dataAccess in order to authenticate each request.
+ */
+export default class ScopedApiKeyHandler extends AbstractHandler {
+  constructor(log) {
+    super('scopedApiKey', log);
+  }
+
+  async checkAuth(request, context) {
+    const { dataAccess, pathInfo: { headers = {} } } = context;
+    if (!dataAccess) {
+      throw new Error('Data access is required');
+    }
+
+    const apiKeyFromHeader = headers['x-api-key'];
+    if (!hasText(apiKeyFromHeader)) {
+      return null;
+    }
+
+    // Keys are stored by their hash, so we need to hash the key to look it up
+    const hashedKey = hashWithSHA256(apiKeyFromHeader);
+    const apiKeyEntity = await dataAccess.getApiKeyByHashedKey(hashedKey);
+
+    if (!apiKeyEntity) {
+      this.log(`No API key entity found in the data layer for the provided API key: ${apiKeyFromHeader}`, 'error');
+      return null;
+    }
+
+    // We have an API key entity, and need to check if it's still valid
+    const authInfo = new AuthInfo()
+      .withProfile(apiKeyEntity) // Include the API key entity as the profile
+      .withType(this.name);
+
+    // Verify that the api key has not expired or been revoked
+    const now = new Date().toISOString();
+    if (isIsoDate(apiKeyEntity.getExpiresAt()) && apiKeyEntity.getExpiresAt() < now) {
+      this.log(`API key has expired. Name: ${apiKeyEntity.getName()}, id: ${apiKeyEntity.getId()}`, 'error');
+      return authInfo.withReason('API key has expired');
+    }
+
+    if (isIsoDate(apiKeyEntity.getRevokedAt()) && apiKeyEntity.getRevokedAt() < now) {
+      this.log(`API key has been revoked. Name: ${apiKeyEntity.getName()} id: ${apiKeyEntity.getId()}`, 'error');
+      return authInfo.withReason('API key has been revoked');
+    }
+
+    // API key is valid: return auth info with scope details from the API key entity
+    return authInfo
+      .withAuthenticated(true)
+      .withScopes(apiKeyEntity.getScopes());
+  }
+}

package/src/index.d.ts

@@ -24,3 +24,8 @@ export declare function notFound(message?: string, headers?: object): Response;
 export declare function internalServerError(message?: string, headers?: object): Response;
 
 export declare function found(location: string): Response;
+
+/**
+ * Utility functions
+ */
+export function hashWithSHA256(input: string): string;

package/src/index.js

@@ -89,5 +89,6 @@ export function internalServerError(message = 'internal server error', headers =
 
 export { authWrapper } from './auth/auth-wrapper.js';
 export { enrichPathInfo } from './enrich-path-info-wrapper.js';
+export { hashWithSHA256 } from './auth/generate-hash.js';
 
 export { AdobeImsHandler, LegacyApiKeyHandler };