feat: new service to service auth wrapper

Author: ravverma

packages/spacecat-shared-http-utils/src/auth/auth-info.js

@@ -88,6 +88,8 @@ export default class AuthInfo {
 
   isS2SAdmin() { return this.profile?.is_s2s_admin; }
 
+  isS2SConsumer() { return this.profile?.is_s2s_consumer; }
+
   hasOrganization(orgId) {
     const [id] = orgId.split('@');
     return this.profile?.tenants?.some(

packages/spacecat-shared-http-utils/src/auth/handlers/jwt.js

@@ -11,54 +11,25 @@
  */
 
 import { hasText } from '@adobe/spacecat-shared-utils';
-import { importSPKI, jwtVerify } from 'jose';
 
 import AbstractHandler from './abstract.js';
 import AuthInfo from '../auth-info.js';
 import { getBearerToken } from './utils/bearer.js';
 import { getCookieValue } from './utils/cookie.js';
+import { loadPublicKey, validateToken } from './utils/token.js';
 
-const ALGORITHM_ES256 = 'ES256';
-export const ISSUER = 'https://spacecat.experiencecloud.live';
+export { ISSUER } from './utils/token.js';
 
 export default class JwtHandler extends AbstractHandler {
   constructor(log) {
     super('jwt', log);
   }
 
-  async #setup(context) {
-    const authPublicKeyB64 = context.env?.AUTH_PUBLIC_KEY_B64;
-
-    if (!hasText(authPublicKeyB64)) {
-      throw new Error('No public key provided');
-    }
-
-    const authPublicKey = Buffer.from(authPublicKeyB64, 'base64').toString('utf-8');
-
-    this.authPublicKey = await importSPKI(authPublicKey, ALGORITHM_ES256);
-  }
-
-  async #validateToken(token) {
-    const verifiedToken = await jwtVerify(
-      token,
-      this.authPublicKey,
-      {
-        algorithms: [ALGORITHM_ES256], // force expected algorithm
-        clockTolerance: 5, // number of seconds to tolerate when checking the nbf and exp claims
-        complete: false, // only return the payload and not headers etc.
-        ignoreExpiration: false, // validate expiration
-        issuer: ISSUER, // validate issuer
-      },
-    );
-
-    verifiedToken.payload.tenants = verifiedToken.payload.tenants || [];
-
-    return verifiedToken.payload;
-  }
-
   async checkAuth(request, context) {
     try {
-      await this.#setup(context);
+      if (!this.authPublicKey) {
+        this.authPublicKey = await loadPublicKey(context);
+      }
 
       const token = getBearerToken(context) ?? getCookieValue(context, 'sessionToken');
 
@@ -67,7 +38,8 @@ export default class JwtHandler extends AbstractHandler {
         return null;
       }
 
-      const payload = await this.#validateToken(token);
+      const payload = await validateToken(token, this.authPublicKey);
+      payload.tenants = payload.tenants || [];
 
       const scopes = payload.is_admin ? [{ name: 'admin' }] : [];
 

packages/spacecat-shared-http-utils/src/auth/handlers/utils/token.js

@@ -0,0 +1,48 @@
+/*
+ * Copyright 2025 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+
+import { hasText } from '@adobe/spacecat-shared-utils';
+import { importSPKI, jwtVerify } from 'jose';
+
+export const ALGORITHM_ES256 = 'ES256';
+export const ISSUER = 'https://spacecat.experiencecloud.live';
+
+/**
+ * Loads the ES256 public key from the context environment variable AUTH_PUBLIC_KEY_B64.
+ * @param {Object} context - The universal context.
+ * @returns {Promise<CryptoKey>} The imported public key.
+ */
+export async function loadPublicKey(context) {
+  const authPublicKeyB64 = context.env?.AUTH_PUBLIC_KEY_B64;
+  if (!hasText(authPublicKeyB64)) {
+    throw new Error('No public key provided');
+  }
+  const pem = Buffer.from(authPublicKeyB64, 'base64').toString('utf-8');
+  return importSPKI(pem, ALGORITHM_ES256);
+}
+
+/**
+ * Validates a JWT token against the given public key using ES256.
+ * @param {string} token - The raw JWT string.
+ * @param {CryptoKey} publicKey - The public key to verify against.
+ * @returns {Promise<Object>} The verified token payload.
+ */
+export async function validateToken(token, publicKey) {
+  const { payload } = await jwtVerify(token, publicKey, {
+    algorithms: [ALGORITHM_ES256],
+    clockTolerance: 5,
+    complete: false,
+    ignoreExpiration: false,
+    issuer: ISSUER,
+  });
+  return payload;
+}

packages/spacecat-shared-http-utils/src/auth/s2s-wrapper.js

@@ -0,0 +1,120 @@
+/*
+ * Copyright 2025 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+
+import { Response } from '@adobe/fetch';
+import { hasText, isNonEmptyArray, isObject } from '@adobe/spacecat-shared-utils';
+
+import { getBearerToken } from './handlers/utils/bearer.js';
+import { loadPublicKey, validateToken } from './handlers/utils/token.js';
+
+/**
+ * Matches pre-split request segments against a route pattern with :param segments.
+ * e.g. ['sites', 'abc-123', 'audits'] matches 'GET /sites/:siteId/audits'
+ */
+function matchRoute(method, requestSegments, routeKey) {
+  const spaceIdx = routeKey.indexOf(' ');
+  if (spaceIdx === -1) return false;
+
+  const routeMethod = routeKey.slice(0, spaceIdx);
+  if (routeMethod !== method) return false;
+
+  const routeSegments = routeKey.slice(spaceIdx + 1).split('/').filter(Boolean);
+  if (routeSegments.length !== requestSegments.length) return false;
+
+  return routeSegments.every(
+    (seg, i) => seg.charCodeAt(0) === 58 /* ':' */ || seg === requestSegments[i],
+  );
+}
+
+/**
+ * Looks up the required capability for the current request from the
+ * routeCapabilities map using the method and path from context.pathInfo.
+ */
+function resolveCapability(context, routeCapabilities) {
+  const method = context.pathInfo?.method?.toUpperCase();
+  const path = context.pathInfo?.suffix;
+  if (!method || !path) return null;
+
+  const exactKey = `${method} ${path}`;
+  if (routeCapabilities[exactKey]) return routeCapabilities[exactKey];
+
+  const requestSegments = path.split('/').filter(Boolean);
+  const matchedKey = Object.keys(routeCapabilities)
+    .find((key) => matchRoute(method, requestSegments, key));
+  return matchedKey ? routeCapabilities[matchedKey] : null;
+}
+
+/**
+ * S2S consumer auth wrapper for the helix-shared-wrap `.with()` chain.
+ * Validates a JWT bearer token and, when the token carries the
+ * {@code is_s2s_consumer} claim, resolves the required capability for the
+ * current route from the provided {@code routeCapabilities} map and verifies
+ * the caller holds that capability in {@code tenants[].capabilities}.
+ *
+ * Non-S2S tokens (end-user) pass through untouched.
+ *
+ * @param {Function} fn - The handler to wrap.
+ * @param {{ routeCapabilities: Object<string, string> }} opts - Map of route
+ *   patterns (e.g. 'GET /sites/:siteId') to capability strings (e.g. 'site:read').
+ * @returns {Function} A wrapped handler.
+ */
+export function s2sAuthWrapper(fn, { routeCapabilities } = {}) {
+  let publicKey;
+
+  return async (request, context) => {
+    const { log } = context;
+
+    try {
+      if (!publicKey) {
+        publicKey = await loadPublicKey(context);
+      }
+
+      const token = getBearerToken(context);
+      if (!hasText(token)) {
+        log.debug('[s2s] No bearer token provided');
+        return new Response('Unauthorized', { status: 401 });
+      }
+
+      const payload = await validateToken(token, publicKey);
+
+      if (!payload.is_s2s_consumer) {
+        log.debug('[s2s] Token is not an S2S consumer token, passing through');
+        return fn(request, context);
+      }
+
+      const tenants = payload.tenants || [];
+      const capabilities = tenants.flatMap((tenant) => tenant.capabilities || []);
+
+      if (!isNonEmptyArray(capabilities)) {
+        log.debug('[s2s] S2S consumer token has no capabilities');
+        return new Response('Forbidden', { status: 403 });
+      }
+
+      if (isObject(routeCapabilities)) {
+        const requiredCapability = resolveCapability(context, routeCapabilities);
+        if (!hasText(requiredCapability)) {
+          log.error(`[s2s] Route ${context.pathInfo?.method} ${context.pathInfo?.suffix} is not allowed for S2S consumers`);
+          return new Response('Unauthorized', { status: 401 });
+        }
+        if (!capabilities.includes(requiredCapability)) {
+          log.error(`[s2s] Token is missing required capability: ${requiredCapability}`);
+          return new Response('Forbidden', { status: 403 });
+        }
+      }
+    } catch (e) {
+      log.error(`[s2s] Authentication failed: ${e.message}`);
+      return new Response('Unauthorized', { status: 401 });
+    }
+
+    return fn(request, context);
+  };
+}

packages/spacecat-shared-http-utils/src/index.js

@@ -162,6 +162,7 @@ export function internalServerError(message = 'internal server error', headers =
 }
 
 export { authWrapper } from './auth/auth-wrapper.js';
+export { s2sAuthWrapper } from './auth/s2s-wrapper.js';
 export { enrichPathInfo } from './enrich-path-info-wrapper.js';
 export { hashWithSHA256 } from './auth/generate-hash.js';
 

packages/spacecat-shared-http-utils/test/auth/auth-info.test.js

@@ -59,4 +59,26 @@ describe('AuthInfo', () => {
       expect(authInfo.isS2SAdmin()).to.be.false;
     });
   });
+
+  describe('isS2SConsumer', () => {
+    it('should return undefined if profile is not set', () => {
+      const authInfo = new AuthInfo();
+      expect(authInfo.isS2SConsumer()).to.be.undefined;
+    });
+
+    it('should return undefined if is_s2s_consumer is not in profile', () => {
+      const authInfo = new AuthInfo().withProfile({});
+      expect(authInfo.isS2SConsumer()).to.be.undefined;
+    });
+
+    it('should return true if is_s2s_consumer is true', () => {
+      const authInfo = new AuthInfo().withProfile({ is_s2s_consumer: true });
+      expect(authInfo.isS2SConsumer()).to.be.true;
+    });
+
+    it('should return false if is_s2s_consumer is false', () => {
+      const authInfo = new AuthInfo().withProfile({ is_s2s_consumer: false });
+      expect(authInfo.isS2SConsumer()).to.be.false;
+    });
+  });
 });