aio-cli-plugin-app/src/lib/auth-helper.js at 344095d1df1fd4578243e0a9cf40e73486cd196c · adobe/aio-cli-plugin-app · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
/*
Copyright 2024 Adobe. All rights reserved.
This file is licensed to you under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. You may obtain a copy
of the License at http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under
the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
OF ANY KIND, either express or implied. See the License for the specific language
governing permissions and limitations under the License.
*/

const { getToken, context } = require('@adobe/aio-lib-ims')
const { CLI } = require('@adobe/aio-lib-ims/src/context')
const { getCliEnv } = require('@adobe/aio-lib-env')
const aioLogger = require('@adobe/aio-lib-core-logging')('@adobe/aio-cli-plugin-app:auth-helper', { provider: 'debug' })

const DEPLOY_SERVICE_ENDPOINTS = {
  stage: 'https://deploy-service.stg.app-builder.adp.adobe.io',
  prod: 'https://deploy-service.app-builder.adp.adobe.io'
}

/**
 * Retrieves an access token for Adobe I/O CLI authentication.
 * This function handles both CLI and custom contexts, setting up the appropriate
 * authentication context and retrieving the corresponding access token.
 *
 * @async
 * @function getAccessToken
 * @param {object} [options] - Options for token retrieval
 * @param {boolean} [options.useCachedToken=false] - Whether to use a cached token instead of requesting a new one
 * @returns {Promise<{accessToken: string|null, env: string}>} An object containing:
 *   - accessToken: The retrieved access token for authentication, or null if token retrieval failed
 *   - env: The current CLI environment (e.g. 'prod', 'stage')
 * @throws {Error} If token retrieval fails or context setup fails
 */
async function getAccessToken ({ useCachedToken = false } = {}) {
  const env = getCliEnv()
  aioLogger.debug(`Retrieving CLI Token using env=${env}`)

  let contextName = CLI // default
  const currentContext = await context.getCurrent() // potential override
  if (currentContext && currentContext !== CLI) {
    contextName = currentContext
  } else {
    await context.setCli({ 'cli.bare-output': true }, false) // set this globally
  }

  let accessToken = null
  if (useCachedToken) {
    const { data } = await context.get(contextName)
    accessToken = data?.access_token?.token
  } else {
    accessToken = await getToken(contextName)
  }

  return { accessToken, env }
}

/**
 * For use with the openwhisk client js library to send a bearer token instead of basic
 * auth to the openwhisk service. Set this to the auth_handler option when initializing
 */
const bearerAuthHandler = {
  getAuthHeader: async () => {
    const { accessToken } = await getAccessToken()

    return `Bearer ${accessToken}`
  }
}

const setRuntimeApiHostAndAuthHandler = (_config) => {
  const env = getCliEnv()
  let apiEndpoint = DEPLOY_SERVICE_ENDPOINTS[env] ?? DEPLOY_SERVICE_ENDPOINTS.prod
  if (process.env.AIO_DEPLOY_SERVICE_URL) {
    apiEndpoint = process.env.AIO_DEPLOY_SERVICE_URL
  }

  const config = structuredClone(_config)
  const aioConfig = (config && 'runtime' in config) ? config : null
  if (aioConfig) {
    aioConfig.runtime.apihost = `${apiEndpoint}/runtime`
    aioConfig.runtime.auth_handler = bearerAuthHandler
    return aioConfig
  }
  const owConfig = (config && 'ow' in config) ? config : null
  if (owConfig) {
    owConfig.ow.apihost = `${apiEndpoint}/runtime`
    owConfig.ow.auth_handler = bearerAuthHandler
    return owConfig
  }
}

/**
 * Decodes a JWT token and returns its payload as a JavaScript object.
 *
 * @function getTokenData
 * @param {string} token - The JWT token to decode
 * @returns {object} The decoded payload of the JWT token or null if the token is invalid or cannot be decoded
 */
const getTokenData = (token) => {
  if (typeof token !== 'string') {
    aioLogger.error('Invalid token provided to getTokenData :: not a string')
    return null
  }
  const [, payload] = token.split('.', 3)
  if (!payload) {
    aioLogger.error('Invalid token provided to getTokenData :: not a jwt')
    return null
  }
  try {
    const base64 = payload.replace(/-/g, '+').replace(/_/g, '/')
    // add padding if necessary
    const padded = base64 + '='.repeat((4 - (base64.length % 4)) % 4)
    const decoded = Buffer.from(padded, 'base64').toString('utf-8')
    return JSON.parse(decoded)
  } catch (e) {
    aioLogger.error('Error decoding token payload in getTokenData ::', e)
    return null
  }
}

module.exports = {
  getAccessToken,
  getTokenData,
  bearerAuthHandler,
  setRuntimeApiHostAndAuthHandler
}