@adobe/spacecat-shared-http-utils 1.9.12 → 1.10.1

package/CHANGELOG.md

@@ -1,3 +1,17 @@
+# [@adobe/spacecat-shared-http-utils-v1.10.1](https://github.com/adobe/spacecat-shared/compare/@adobe/spacecat-shared-http-utils-v1.10.0...@adobe/spacecat-shared-http-utils-v1.10.1) (2025-04-01)
+
+
+### Bug Fixes
+
+* **deps:** update external major (major) ([#674](https://github.com/adobe/spacecat-shared/issues/674)) ([285b37d](https://github.com/adobe/spacecat-shared/commit/285b37de9df42adb6a23694bcc699608e3b5b8fe))
+
+# [@adobe/spacecat-shared-http-utils-v1.10.0](https://github.com/adobe/spacecat-shared/compare/@adobe/spacecat-shared-http-utils-v1.9.12...@adobe/spacecat-shared-http-utils-v1.10.0) (2025-03-20)
+
+
+### Features
+
+* jwt auth handler (WIP) ([#669](https://github.com/adobe/spacecat-shared/issues/669)) ([f3c8d84](https://github.com/adobe/spacecat-shared/commit/f3c8d84a724e9664cac995fe67af7af65800b16f))
+
 # [@adobe/spacecat-shared-http-utils-v1.9.12](https://github.com/adobe/spacecat-shared/compare/@adobe/spacecat-shared-http-utils-v1.9.11...@adobe/spacecat-shared-http-utils-v1.9.12) (2025-03-04)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adobe/spacecat-shared-http-utils",
-  "version": "1.9.12",
+  "version": "1.10.1",
   "description": "Shared modules of the Spacecat Services - HTTP Utils",
   "type": "module",
   "engines": {
@@ -42,6 +42,6 @@
     "@adobe/helix-shared-wrap": "2.0.2",
     "chai": "5.2.0",
     "chai-as-promised": "8.0.1",
-    "sinon": "19.0.2"
+    "sinon": "20.0.0"
   }
 }

package/src/auth/handlers/ims.js

@@ -20,6 +20,7 @@ import {
 
 import configProd from './config/ims.js';
 import configDev from './config/ims-stg.js';
+import { getBearerToken } from './utils/bearer.js';
 
 import AbstractHandler from './abstract.js';
 import AuthInfo from '../auth-info.js';
@@ -46,16 +47,6 @@ const loadConfig = (context) => {
   return isDev ? configDev : configProd;
 };
 
-const getBearerToken = (context) => {
-  const authorizationHeader = context.pathInfo?.headers?.authorization || '';
-
-  if (!authorizationHeader.startsWith('Bearer ')) {
-    return null;
-  }
-
-  return authorizationHeader.replace('Bearer ', '');
-};
-
 const transformProfile = (payload) => {
   const profile = { ...payload };
 
@@ -65,6 +56,9 @@ const transformProfile = (payload) => {
   return profile;
 };
 
+/**
+ * @deprecated Use JwtHandler instead in the context of IMS login with subsequent JWT exchange.
+ */
 export default class AdobeImsHandler extends AbstractHandler {
   constructor(log) {
     super('ims', log);
@@ -83,9 +77,9 @@ export default class AdobeImsHandler extends AbstractHandler {
   }
 
   async #validateToken(token, config) {
-    const decoded = await decodeJwt(token);
-    if (config.name !== decoded.as) {
-      throw new Error(`Token not issued by expected idp: ${config.name} != ${decoded.as}`);
+    const claims = await decodeJwt(token);
+    if (config.name !== claims.as) {
+      throw new Error(`Token not issued by expected idp: ${config.name} != ${claims.as}`);
     }
 
     const jwks = await this.#getJwksUri(config);

package/src/auth/handlers/jwt.js

@@ -0,0 +1,83 @@
+/*
+ * Copyright 2025 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+
+import { hasText } from '@adobe/spacecat-shared-utils';
+import { importSPKI, jwtVerify } from 'jose';
+
+import AbstractHandler from './abstract.js';
+import AuthInfo from '../auth-info.js';
+import { getBearerToken } from './utils/bearer.js';
+
+const ALGORITHM_ES256 = 'ES256';
+export const ISSUER = 'https://spacecat.experiencecloud.live';
+
+export default class JwtHandler extends AbstractHandler {
+  constructor(log) {
+    super('jwt', log);
+  }
+
+  async #setup(context) {
+    const authPublicKey = context.env?.AUTH_PUBLIC_KEY;
+
+    if (!hasText(authPublicKey)) {
+      throw new Error('No public key provided');
+    }
+
+    this.authPublicKey = await importSPKI(authPublicKey, ALGORITHM_ES256);
+  }
+
+  async #validateToken(token) {
+    const verifiedToken = await jwtVerify(
+      token,
+      this.authPublicKey,
+      {
+        algorithms: [ALGORITHM_ES256], // force expected algorithm
+        clockTolerance: 5, // number of seconds to tolerate when checking the nbf and exp claims
+        complete: false, // only return the payload and not headers etc.
+        ignoreExpiration: false, // validate expiration
+        issuer: ISSUER, // validate issuer
+      },
+    );
+
+    return verifiedToken.payload;
+  }
+
+  async checkAuth(request, context) {
+    const authInfo = new AuthInfo()
+      .withType(this.name)
+      .withAuthenticated(false);
+
+    try {
+      await this.#setup(context);
+
+      const token = getBearerToken(context);
+
+      if (!hasText(token)) {
+        this.log('No bearer token provided', 'debug');
+        authInfo.withReason('No bearer token provided');
+        return authInfo;
+      }
+
+      const payload = await this.#validateToken(token);
+
+      return new AuthInfo()
+        .withType(this.name)
+        .withAuthenticated(true)
+        .withProfile(payload);
+    } catch (e) {
+      this.log(`Failed to validate token: ${e.message}`, 'error');
+      authInfo.withReason(e.message);
+    }
+
+    return authInfo;
+  }
+}

package/src/auth/handlers/utils/bearer.js

@@ -0,0 +1,21 @@
+/*
+ * Copyright 2025 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+
+export const getBearerToken = (context) => {
+  const authorizationHeader = context.pathInfo?.headers?.authorization || '';
+
+  if (!authorizationHeader.startsWith('Bearer ')) {
+    return null;
+  }
+
+  return authorizationHeader.replace('Bearer ', '');
+};

package/src/auth/readme.md

@@ -80,3 +80,45 @@ export default class ExampleHandler extends AbstractHandler {
   }
 }
 ```
+
+## Provided Authentication Handlers
+
+### JWT Handler
+
+The JWT (JSON Web Token) handler provides authentication using ES256-signed JSON Web Tokens. It validates tokens against a provided public key and ensures they're properly signed and not expired.
+
+#### How It Works
+
+1. The handler extracts the bearer token from the request
+2. It validates the token using a public key (from the `AUTH_PUBLIC_KEY` environment variable)
+3. It verifies:
+   - The token is signed with the ES256 algorithm
+   - The token is not expired
+   - The token has the correct issuer (https://spacecat.experiencecloud.live)
+4. On successful validation, it returns the token payload as the user profile
+
+#### Configuration
+
+To use the JWT handler, you need to:
+
+1. Set the `AUTH_PUBLIC_KEY` environment variable with your SPKI-formatted public key
+2. Add the handler to your auth wrapper configuration
+
+```javascript
+import { wrap } from '@adobe/helix-shared-wrap';
+import auth from './auth-wrapper.js';
+import JwtHandler from './handlers/jwt.js';
+
+export const main = wrap(run)
+  .with(auth, { authHandlers: [JwtHandler] });
+```
+
+#### Token Requirements
+
+JWT tokens must:
+- Be signed with the ES256 algorithm
+- Include standard claims (exp, iat, iss)
+- Use the issuer: `https://spacecat.experiencecloud.live`
+- Be provided as a Bearer token in the Authorization header
+
+Any additional claims in the JWT payload will be available in the `authInfo.profile` object after authentication.