@adobe/spacecat-shared-utils 1.115.0 → 1.115.1

package/CHANGELOG.md

@@ -1,3 +1,9 @@
+## [@adobe/spacecat-shared-utils-v1.115.1](https://github.com/adobe/spacecat-shared/compare/@adobe/spacecat-shared-utils-v1.115.0...@adobe/spacecat-shared-utils-v1.115.1) (2026-05-06)
+
+### Bug Fixes
+
+* **utils:** include subpath in resolveCustomerSecretsName to prevent credential collisions ([#1577](https://github.com/adobe/spacecat-shared/issues/1577)) ([db95707](https://github.com/adobe/spacecat-shared/commit/db95707796c53d0fbe22c4fc40fed9ab271dd59c))
+
 ## [@adobe/spacecat-shared-utils-v1.115.0](https://github.com/adobe/spacecat-shared/compare/@adobe/spacecat-shared-utils-v1.114.0...@adobe/spacecat-shared-utils-v1.115.0) (2026-05-04)
 
 ### Features

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adobe/spacecat-shared-utils",
-  "version": "1.115.0",
+  "version": "1.115.1",
   "description": "Shared modules of the Spacecat Services - utils",
   "type": "module",
   "exports": {

package/src/helpers.js

@@ -39,18 +39,60 @@ export function resolveSecretsName(opts, ctx, defaultPath) {
 
 /**
  * Resolves the name of the customer secrets based on the baseURL.
- * @param {string} baseURL - The base URL to resolve the customer secrets name from.
+ *
+ * The hostname (per RFC 1035, case-insensitive) and each URL path segment are
+ * percent-decoded and individually sanitized: runs of non-alphanumeric characters
+ * are replaced with a single `_`, leading/trailing `_` are trimmed, and the
+ * result is lowercased. Segments that reduce to empty after sanitization are
+ * dropped. Sanitized parts are joined with `__` as the path-segment delimiter.
+ *
+ * The `__` delimiter cannot appear inside a sanitized segment (any run of
+ * non-alphanumeric characters, including `__`, collapses to a single `_`),
+ * so URLs that differ in path structure (different number of segments, or
+ * segments with different alphanumeric content) produce distinct keys. Note
+ * that path segments differing only in punctuation (e.g. `us-kings` vs
+ * `us_kings`) produce the same sanitized segment and therefore the same key;
+ * this is an inherent limitation of lossy sanitization.
+ *
+ * Key format: /helix-deploy/spacecat-services/customer-secrets/<host>[__<seg>...]/<version>
+ *
+ * Examples:
+ *   https://nba.com           -> .../nba_com/<version>
+ *   https://nba.com/kings     -> .../nba_com__kings/<version>
+ *   https://nba.com/us/kings  -> .../nba_com__us__kings/<version>
+ *
+ * @param {string} baseURL - The base URL (must be http(s) with a hostname).
  * @param {Object} ctx - The context object containing the function version.
  * @returns {string} - The resolved secret name.
+ * @since next - key now includes URL path segments; prior versions used hostname
+ *   only, causing subpath sites on the same domain to share a secret. LLMO-4186.
  */
 export function resolveCustomerSecretsName(baseURL, ctx) {
   const basePath = '/helix-deploy/spacecat-services/customer-secrets';
-  let customer;
+  let url;
   try {
-    customer = new URL(baseURL).host.replace(/[^a-zA-Z0-9]/g, '_').toLowerCase();
+    url = new URL(baseURL);
   } catch {
     throw new Error('Invalid baseURL: must be a valid URL');
   }
+  if (!url.hostname || !['http:', 'https:'].includes(url.protocol)) {
+    throw new Error('Invalid baseURL: must be an http(s) URL with a hostname');
+  }
+  const sanitize = (s) => s.replace(/[^a-zA-Z0-9]+/g, '_').replace(/^_+|_+$/g, '').toLowerCase();
+  const host = sanitize(url.hostname);
+  if (!host) {
+    throw new Error('Invalid baseURL: hostname reduces to empty after sanitization');
+  }
+  const segments = url.pathname.split('/').filter(Boolean)
+    .map((seg) => {
+      let decoded = seg;
+      try {
+        decoded = decodeURIComponent(seg);
+      } catch { /* keep raw on percent-encoded sequences that are not valid UTF-8 */ }
+      return sanitize(decoded);
+    })
+    .filter(Boolean);
+  const customer = segments.length > 0 ? `${host}__${segments.join('__')}` : host;
   return resolveSecretsName({}, ctx, `${basePath}/${customer}`);
 }