feat: auth route (#80)

* feat: refactor

* chore: fix tests

* chore: fix postdeploy test

* fix: tweak catalog handler

* chore: fix test

* chore: fix test

* chore: fix test

* fix: various fixes

* feat: auth route

* fix: assert perms for catalog routes

* chore: fix tests

* chore: add tests

* chore: fix test

* chore: fix postdeploy test

* chore: fix postdeploy test

Author: maxakuru

.github/workflows/main.yaml

@@ -48,6 +48,8 @@ jobs:
         run: npm run deploy:ci
       - name: Post-Deployment Integration Test
         run: npm run test-postdeploy
+        env:
+          SUPERUSER_KEY: ${{ secrets.SUPERUSER_KEY }}
       - name: Semantic Release (Dry Run)
         run: npm run semantic-release-dry
         env:

src/index.js

@@ -23,13 +23,20 @@ async function parseData(req) {
   }
   if (['POST', 'PUT', 'PATCH'].includes(req.method)) {
     const text = await req.text();
-    try {
-      return JSON.parse(text);
-    } catch {
-      return text;
+    if (text.trim().length) {
+      try {
+        return JSON.parse(text);
+      } catch {
+        return text;
+      }
+    }
+
+    const params = new URL(req.url).searchParams;
+    if (params.size) {
+      return Object.fromEntries(params.entries());
     }
   }
-  return null;
+  return {};
 }
 
 /**

src/routes/auth/fetch.js

@@ -0,0 +1,34 @@
+/*
+ * Copyright 2025 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+
+import { assertAuthorization } from '../../utils/auth.js';
+import { errorResponse } from '../../utils/http.js';
+
+/**
+ * @param {Context} ctx
+ */
+export default async function fetch(ctx) {
+  const { config } = ctx;
+
+  await assertAuthorization(ctx);
+
+  const token = await ctx.env.KEYS.get(config.siteKey);
+  if (!token) {
+    return errorResponse(404);
+  }
+
+  return new Response(JSON.stringify({ token }), {
+    headers: {
+      'Content-Type': 'application/json',
+    },
+  });
+}

src/routes/auth/handler.js

@@ -0,0 +1,46 @@
+/*
+ * Copyright 2025 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+
+import { errorResponse } from '../../utils/http.js';
+import fetch from './fetch.js';
+import update from './update.js';
+import rotate from './rotate.js';
+
+/**
+ * @type {Record<string, Record<string, (ctx: Context, req: Request) => Promise<Response>>>}
+ */
+const handlers = {
+  token: {
+    GET: fetch,
+    PUT: update,
+    POST: rotate,
+  },
+};
+
+/**
+ * @param {Context} ctx
+ * @param {Request} req
+ * @returns {Promise<Response>}
+ */
+export default async function handler(ctx, req) {
+  const {
+    info: { method },
+    url: { pathname },
+  } = ctx;
+  const [subRoute] = pathname.split('/').filter(Boolean).slice(['org', 'site', 'route'].length);
+
+  const fn = handlers[subRoute]?.[method];
+  if (!fn) {
+    return errorResponse(404);
+  }
+  return fn(ctx, req);
+}

src/routes/auth/rotate.js

@@ -0,0 +1,34 @@
+/*
+ * Copyright 2025 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+
+import { assertAuthorization } from '../../utils/auth.js';
+import { errorResponse } from '../../utils/http.js';
+import { updateToken } from './update.js';
+
+/**
+ * @param {Context} ctx
+ */
+export default async function rotate(ctx) {
+  const { data } = ctx;
+  if (data.token) {
+    return errorResponse(400, 'token can not be provided on rotate');
+  }
+
+  await assertAuthorization(ctx);
+
+  const token = await updateToken(ctx);
+  return new Response(JSON.stringify({ token }), {
+    headers: {
+      'Content-Type': 'application/json',
+    },
+  });
+}

src/routes/auth/update.js

@@ -0,0 +1,52 @@
+/*
+ * Copyright 2025 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+
+import { assertAuthorization } from '../../utils/auth.js';
+import { errorResponse, errorWithResponse } from '../../utils/http.js';
+
+const generateToken = () => crypto.randomUUID().toUpperCase();
+
+/**
+ *
+ * @param {Context} ctx
+ * @param {string} [token]
+ * @returns {Promise<string>}
+ */
+export async function updateToken(ctx, token = generateToken()) {
+  const { config } = ctx;
+  try {
+    await ctx.env.KEYS.put(config.siteKey, token);
+  } catch (e) {
+    ctx.log.error('failed to update token', e);
+    throw errorWithResponse(503, 'failed to update token');
+  }
+  return token;
+}
+
+/**
+ * @param {Context} ctx
+ */
+export default async function update(ctx) {
+  const { data } = ctx;
+  if (!data.token || typeof data.token !== 'string') {
+    return errorResponse(400, 'missing or invalid token');
+  }
+
+  await assertAuthorization(ctx);
+
+  const token = await updateToken(ctx, data.token);
+  return new Response(JSON.stringify({ token }), {
+    headers: {
+      'Content-Type': 'application/json',
+    },
+  });
+}

src/routes/catalog/remove.js

@@ -10,6 +10,7 @@
  * governing permissions and limitations under the License.
  */
 
+import { assertAuthorization } from '../../utils/auth.js';
 import { errorResponse, errorWithResponse } from '../../utils/http.js';
 import StorageClient from './StorageClient.js';
 
@@ -30,6 +31,8 @@ export default async function remove(ctx) {
     throw errorWithResponse(400, 'Helix API key is required to delete or unpublish products.');
   }
 
+  await assertAuthorization(ctx);
+
   const storage = StorageClient.fromContext(ctx);
   const deleteResults = await storage.deleteProducts([sku]);
 

src/routes/catalog/update.js

@@ -13,6 +13,7 @@
 import { assertValidProduct, hasUppercase } from '../../utils/product.js';
 import { errorResponse } from '../../utils/http.js';
 import StorageClient from './StorageClient.js';
+import { assertAuthorization } from '../../utils/auth.js';
 
 /**
  * Handles a PUT request to update a product.
@@ -40,6 +41,8 @@ export default async function update(ctx) {
 
   assertValidProduct(product);
 
+  await assertAuthorization(ctx);
+
   const storage = StorageClient.fromContext(ctx);
   const saveResults = await storage.saveProducts([product]);
 

src/routes/config/handler.js

@@ -13,6 +13,7 @@
 import { errorResponse } from '../../utils/http.js';
 import { assertAuthorization } from '../../utils/auth.js';
 import { validate } from '../../utils/validation.js';
+import { updateToken } from '../auth/update.js';
 import ConfigSchema from '../../schemas/Config.js';
 
 /**
@@ -46,7 +47,14 @@ export default async function configHandler(ctx) {
   }
 
   // valid, persist it
+  const exists = (await ctx.env.CONFIGS.list({ prefix: ctx.config.siteKey })).keys.length > 0;
   await ctx.env.CONFIGS.put(ctx.config.siteKey, JSON.stringify(json));
+
+  // add key
+  if (!exists) {
+    await updateToken(ctx);
+  }
+
   return new Response(JSON.stringify(json), {
     status: 200,
     headers: {

src/routes/index.js

@@ -13,7 +13,7 @@
 import content from './content/handler.js';
 import catalog from './catalog/handler.js';
 import config from './config/handler.js';
-import { errorResponse } from '../utils/http.js';
+import auth from './auth/handler.js';
 
 /**
  * @type {Record<string, (ctx: Context, request: Request) => Promise<Response>>}
@@ -22,6 +22,5 @@ export default {
   content,
   catalog,
   config,
-  // eslint-disable-next-line no-unused-vars
-  graphql: async (ctx) => errorResponse(501, 'not implemented'),
+  auth,
 };

src/schemas/Config.js

@@ -44,6 +44,7 @@ const ConfigEntry = {
     offerVariantURLTemplate: { type: 'string' },
     liveSearchEnabled: { type: 'boolean' },
     attributeOverrides: AttributeOverrides,
+    catalogSource: { type: 'string', enum: ['helix', 'magento'] },
     imageRoleOrder: {
       type: 'array',
       items: { type: 'string' },

src/types.d.ts

@@ -34,7 +34,7 @@ declare global {
     /**
      * Override "escape hatch" for json-ld
      */
-    jsonld?: any;
+    jsonld?: string;
 
     /**
      * Additional data that can be retrieved via .json API
@@ -204,6 +204,7 @@ declare global {
   export interface Env {
     VERSION: string;
     ENVIRONMENT: string;
+    SUPERUSER_KEY: string;
 
     // KV namespaces
     CONFIGS: KVNamespace<string>;

src/utils/auth.js

@@ -16,20 +16,20 @@ import { errorWithResponse } from './http.js';
  * @param {Context} ctx
  */
 export async function assertAuthorization(ctx) {
-  let actual;
+  let actual = ctx.attributes.key;
   if (typeof ctx.attributes.key === 'undefined') {
     ctx.attributes.key = ctx.info.headers.authorization?.slice('Bearer '.length);
     actual = ctx.attributes.key;
   }
-  if (!actual) {
-    throw errorWithResponse(403, 'invalid key');
-  }
-
   if (actual === ctx.env.SUPERUSER_KEY) {
-    ctx.log.info('acting as superuser');
+    ctx.log.debug('acting as superuser');
     return;
   }
 
+  if (!actual) {
+    throw errorWithResponse(403, 'invalid key');
+  }
+
   const expected = await ctx.env.KEYS.get(ctx.config.siteKey);
   if (!expected) {
     throw errorWithResponse(403, 'no key found for site');

src/utils/http.js

@@ -48,7 +48,7 @@ export class ResponseError extends Error {
 
 /**
  * @param {number} status - The HTTP status code.
- * @param {string} xError - The error message.
+ * @param {string} [xError] - The error message.
  * @param {string|Record<string,unknown>} [body=''] - The response body.
  * @returns {Response} - A response object.
  */

test/fixtures/context.js

@@ -29,11 +29,21 @@ export const DEFAULT_CONTEXT = (
 ) => ({
   url: new URL(`${baseUrl}${path}`),
   log: console,
+  // @ts-ignore
+  config: {
+    siteKey: 'org--site',
+  },
   ...overrides,
   attributes: {
+    key: 'test-key',
     ...(overrides.attributes ?? {}),
   },
   env: {
+    SUPERUSER_KEY: 'su-test-key',
+    KEYS: {
+      // @ts-ignore
+      get: async () => 'test-key',
+    },
     CONFIGS: {
       // @ts-ignore
       get: async (id) => configMap[id],
@@ -45,6 +55,17 @@ export const DEFAULT_CONTEXT = (
     headers: {},
     ...(overrides.info ?? {}),
   },
+  data: typeof overrides.data === 'string' ? overrides.data : {
+    ...(overrides.data ?? {}),
+  },
+});
+
+export const SUPERUSER_CONTEXT = (overrides = {}) => DEFAULT_CONTEXT({
+  ...overrides,
+  attributes: {
+    key: 'su-test-key',
+    ...(overrides.attributes ?? {}),
+  },
 });
 
 /**