@adobe/spacecat-shared-http-utils 1.4.0 → 1.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (9) hide show
  1. package/CHANGELOG.md +14 -0
  2. package/package.json +2 -1
  3. package/src/auth/auth-info.js +29 -0
  4. package/src/auth/auth-wrapper.js +13 -3
  5. package/src/auth/check-scopes.js +41 -0
  6. package/src/auth/generate-hash.js +16 -0
  7. package/src/auth/handlers/scoped-api-key.js +69 -0
  8. package/src/index.d.ts +5 -0
  9. package/src/index.js +3 -1
package/CHANGELOG.md CHANGED
@@ -1,3 +1,17 @@
1
+ # [@adobe/spacecat-shared-http-utils-v1.6.0](https://github.com/adobe/spacecat-shared/compare/@adobe/spacecat-shared-http-utils-v1.5.0...@adobe/spacecat-shared-http-utils-v1.6.0) (2024-08-14)
2
+
3
+
4
+ ### Features
5
+
6
+ * export ScopedApiKeyHandler ([#323](https://github.com/adobe/spacecat-shared/issues/323)) ([778e19c](https://github.com/adobe/spacecat-shared/commit/778e19c490c7ed63f600afe4ae025356f47218fd))
7
+
8
+ # [@adobe/spacecat-shared-http-utils-v1.5.0](https://github.com/adobe/spacecat-shared/compare/@adobe/spacecat-shared-http-utils-v1.4.0...@adobe/spacecat-shared-http-utils-v1.5.0) (2024-08-09)
9
+
10
+
11
+ ### Features
12
+
13
+ * Introduce scoped API keys ([#312](https://github.com/adobe/spacecat-shared/issues/312)) ([449d273](https://github.com/adobe/spacecat-shared/commit/449d2736154d7e92fb4a3d1f9f290e15e665aa5e))
14
+
1
15
  # [@adobe/spacecat-shared-http-utils-v1.4.0](https://github.com/adobe/spacecat-shared/compare/@adobe/spacecat-shared-http-utils-v1.3.5...@adobe/spacecat-shared-http-utils-v1.4.0) (2024-07-30)
2
16
 
3
17
 
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@adobe/spacecat-shared-http-utils",
3
- "version": "1.4.0",
3
+ "version": "1.6.0",
4
4
  "description": "Shared modules of the Spacecat Services - HTTP Utils",
5
5
  "type": "module",
6
6
  "main": "src/index.js",
@@ -31,6 +31,7 @@
31
31
  "dependencies": {
32
32
  "@adobe/fetch": "4.1.8",
33
33
  "@adobe/spacecat-shared-utils": "1.19.1",
34
+ "@adobe/spacecat-shared-data-access": "1.39.0",
34
35
  "jose": "5.6.3"
35
36
  },
36
37
  "devDependencies": {
package/src/auth/auth-info.js CHANGED
@@ -18,6 +18,7 @@ export default class AuthInfo {
18
18
  Object.assign(this, {
19
19
  authenticated: false,
20
20
  profile: null,
21
+ scopes: [],
21
22
  });
22
23
  }
23
24
 
@@ -50,4 +51,32 @@ export default class AuthInfo {
50
51
  this.type = value;
51
52
  return this;
52
53
  }
54
+
55
+ /**
56
+ * Set the reason that authentication has failed.
57
+ * @param {string} reason - The reason for auth failure
58
+ * @return {AuthInfo} The auth info object
59
+ */
60
+ withReason(reason) {
61
+ this.reason = reason;
62
+ return this;
63
+ }
64
+
65
+ /**
66
+ * Set the scopes that this auth info instance has access to.
67
+ * @param {Array<{name: string, domains?: Array<string>}>} scopes - The array of scope objects
68
+ * @return {AuthInfo} The auth info object
69
+ */
70
+ withScopes(scopes) {
71
+ this.scopes = scopes;
72
+ return this;
73
+ }
74
+
75
+ getScopes() { return this.scopes; }
76
+
77
+ getProfile() { return this.profile; }
78
+
79
+ getReason() { return this.reason; }
80
+
81
+ isAuthenticated() { return this.authenticated; }
53
82
  }
package/src/auth/auth-wrapper.js CHANGED
@@ -12,7 +12,9 @@
12
12
 
13
13
  import { Response } from '@adobe/fetch';
14
14
 
15
+ import { isObject } from '@adobe/spacecat-shared-utils';
15
16
  import AuthenticationManager from './authentication-manager.js';
17
+ import { checkScopes } from './check-scopes.js';
16
18
 
17
19
  const ANONYMOUS_ENDPOINTS = [
18
20
  'GET /slack/events',
@@ -28,8 +30,8 @@ export function authWrapper(fn, opts = {}) {
28
30
  const route = `${method.toUpperCase()} ${suffix}`;
29
31
 
30
32
  if (ANONYMOUS_ENDPOINTS.includes(route)
31
- || route.startsWith('POST /hooks/site-detection/')
32
- || method.toUpperCase() === 'OPTIONS') {
33
+ || route.startsWith('POST /hooks/site-detection/')
34
+ || method.toUpperCase() === 'OPTIONS') {
33
35
  return fn(request, context);
34
36
  }
35
37
 
@@ -43,7 +45,15 @@ export function authWrapper(fn, opts = {}) {
43
45
  }
44
46
 
45
47
  try {
46
- await authenticationManager.authenticate(request, context);
48
+ const authInfo = await authenticationManager.authenticate(request, context);
49
+
50
+ // Add a helper function to the context for checking scoped API keys.
51
+ // authInfo is available at context.attributes.authInfo.
52
+ if (!isObject(context.auth)) {
53
+ context.auth = {
54
+ checkScopes: (scopes) => checkScopes(scopes, authInfo, log),
55
+ };
56
+ }
47
57
  } catch (error) {
48
58
  return new Response('Unauthorized', { status: 401 });
49
59
  }
package/src/auth/check-scopes.js ADDED
@@ -0,0 +1,41 @@
1
+ /*
2
+ * Copyright 2024 Adobe. All rights reserved.
3
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
4
+ * you may not use this file except in compliance with the License. You may obtain a copy
5
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
6
+ *
7
+ * Unless required by applicable law or agreed to in writing, software distributed under
8
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
9
+ * OF ANY KIND, either express or implied. See the License for the specific language
10
+ * governing permissions and limitations under the License.
11
+ */
12
+
13
+ import { isObject } from '@adobe/spacecat-shared-utils';
14
+
15
+ /**
16
+ * Check if the given AuthInfo has the requested scopes. Throws an error if any scopes are missing.
17
+ * @param {Array<string>} scopes - The scopes required for the request
18
+ * @param {AuthInfo} authInfo - Authentication state for the current request
19
+ * @param {Logger} log - Logger
20
+ */
21
+ export function checkScopes(scopes, authInfo, log) {
22
+ if (!isObject(authInfo)) {
23
+ throw new Error('Auth info is required');
24
+ }
25
+
26
+ // Check that each required scope is present in authInfo
27
+ const missingScopes = [];
28
+ const authInfoScopeNames = authInfo.getScopes().map((scopeObject) => scopeObject.name);
29
+ scopes.forEach((scope) => {
30
+ if (!authInfoScopeNames.includes(scope)) {
31
+ missingScopes.push(scope);
32
+ }
33
+ });
34
+
35
+ if (missingScopes.length > 0) {
36
+ log.error(`API key with ID: ${authInfo.getProfile()?.api_key_id} does not have required scopes. It's missing: ${missingScopes.join(',')}`);
37
+ throw new Error(`API key is missing the [${missingScopes.join(',')}] scope(s) required for this resource`);
38
+ }
39
+
40
+ // Otherwise: all good
41
+ }
package/src/auth/generate-hash.js ADDED
@@ -0,0 +1,16 @@
1
+ /*
2
+ * Copyright 2024 Adobe. All rights reserved.
3
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
4
+ * you may not use this file except in compliance with the License. You may obtain a copy
5
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
6
+ *
7
+ * Unless required by applicable law or agreed to in writing, software distributed under
8
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
9
+ * OF ANY KIND, either express or implied. See the License for the specific language
10
+ * governing permissions and limitations under the License.
11
+ */
12
+ import crypto from 'crypto';
13
+
14
+ export function hashWithSHA256(input) {
15
+ return crypto.createHash('sha256').update(input).digest('hex');
16
+ }
package/src/auth/handlers/scoped-api-key.js ADDED
@@ -0,0 +1,69 @@
1
+ /*
2
+ * Copyright 2024 Adobe. All rights reserved.
3
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
4
+ * you may not use this file except in compliance with the License. You may obtain a copy
5
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
6
+ *
7
+ * Unless required by applicable law or agreed to in writing, software distributed under
8
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
9
+ * OF ANY KIND, either express or implied. See the License for the specific language
10
+ * governing permissions and limitations under the License.
11
+ */
12
+
13
+ import { hasText, isIsoDate } from '@adobe/spacecat-shared-utils';
14
+ import AbstractHandler from './abstract.js';
15
+ import { hashWithSHA256 } from '../generate-hash.js';
16
+ import AuthInfo from '../auth-info.js';
17
+
18
+ /**
19
+ * Handler to support API keys which include scope details. These API keys are stored in the data
20
+ * layer and require context.dataAccess in order to authenticate each request.
21
+ */
22
+ export default class ScopedApiKeyHandler extends AbstractHandler {
23
+ constructor(log) {
24
+ super('scopedApiKey', log);
25
+ }
26
+
27
+ async checkAuth(request, context) {
28
+ const { dataAccess, pathInfo: { headers = {} } } = context;
29
+ if (!dataAccess) {
30
+ throw new Error('Data access is required');
31
+ }
32
+
33
+ const apiKeyFromHeader = headers['x-api-key'];
34
+ if (!hasText(apiKeyFromHeader)) {
35
+ return null;
36
+ }
37
+
38
+ // Keys are stored by their hash, so we need to hash the key to look it up
39
+ const hashedKey = hashWithSHA256(apiKeyFromHeader);
40
+ const apiKeyEntity = await dataAccess.getApiKeyByHashedKey(hashedKey);
41
+
42
+ if (!apiKeyEntity) {
43
+ this.log(`No API key entity found in the data layer for the provided API key: ${apiKeyFromHeader}`, 'error');
44
+ return null;
45
+ }
46
+
47
+ // We have an API key entity, and need to check if it's still valid
48
+ const authInfo = new AuthInfo()
49
+ .withProfile(apiKeyEntity) // Include the API key entity as the profile
50
+ .withType(this.name);
51
+
52
+ // Verify that the api key has not expired or been revoked
53
+ const now = new Date().toISOString();
54
+ if (isIsoDate(apiKeyEntity.getExpiresAt()) && apiKeyEntity.getExpiresAt() < now) {
55
+ this.log(`API key has expired. Name: ${apiKeyEntity.getName()}, id: ${apiKeyEntity.getId()}`, 'error');
56
+ return authInfo.withReason('API key has expired');
57
+ }
58
+
59
+ if (isIsoDate(apiKeyEntity.getRevokedAt()) && apiKeyEntity.getRevokedAt() < now) {
60
+ this.log(`API key has been revoked. Name: ${apiKeyEntity.getName()} id: ${apiKeyEntity.getId()}`, 'error');
61
+ return authInfo.withReason('API key has been revoked');
62
+ }
63
+
64
+ // API key is valid: return auth info with scope details from the API key entity
65
+ return authInfo
66
+ .withAuthenticated(true)
67
+ .withScopes(apiKeyEntity.getScopes());
68
+ }
69
+ }
package/src/index.d.ts CHANGED
@@ -24,3 +24,8 @@ export declare function notFound(message?: string, headers?: object): Response;
24
24
  export declare function internalServerError(message?: string, headers?: object): Response;
25
25
 
26
26
  export declare function found(location: string): Response;
27
+
28
+ /**
29
+ * Utility functions
30
+ */
31
+ export function hashWithSHA256(input: string): string;
package/src/index.js CHANGED
@@ -14,6 +14,7 @@ import { Response } from '@adobe/fetch';
14
14
 
15
15
  import LegacyApiKeyHandler from './auth/handlers/legacy-api-key.js';
16
16
  import AdobeImsHandler from './auth/handlers/ims.js';
17
+ import ScopedApiKeyHandler from './auth/handlers/scoped-api-key.js';
17
18
 
18
19
  const HEADER_CONTENT_TYPE = 'content-type';
19
20
  const HEADER_ERROR = 'x-error';
@@ -89,5 +90,6 @@ export function internalServerError(message = 'internal server error', headers =
89
90
 
90
91
  export { authWrapper } from './auth/auth-wrapper.js';
91
92
  export { enrichPathInfo } from './enrich-path-info-wrapper.js';
93
+ export { hashWithSHA256 } from './auth/generate-hash.js';
92
94
 
93
- export { AdobeImsHandler, LegacyApiKeyHandler };
95
+ export { AdobeImsHandler, ScopedApiKeyHandler, LegacyApiKeyHandler };