adobe · dzehnder · May 7, 2025 · Mar 27, 2025 · Mar 28, 2025 · Mar 28, 2025
diff --git a/docs/index.html b/docs/index.html
diff --git a/docs/openapi/api.yaml b/docs/openapi/api.yaml
@@ -55,6 +55,8 @@ paths:
     $ref: './auth-api.yaml#/google-auth'
   /auth/google/{siteId}/status:
     $ref: './auth-api.yaml#/google-auth-status'
+  /auth/login:
+    $ref: './auth-api.yaml#/login'
   /configurations:
     $ref: './configurations-api.yaml#/configurations'
   /configurations/latest:

diff --git a/docs/openapi/auth-api.yaml b/docs/openapi/auth-api.yaml
@@ -51,3 +51,58 @@ google-auth-status:
       '500':
         $ref: './responses.yaml#/500'
     security: []
+login:
+  post:
+    summary: Authenticate with access token
+    description: |
+      Authenticates a user using an IMS access token and returns session information.
+    operationId: login
+    tags:
+      - auth
+    requestBody:
+      required: true
+      content:
+        application/json:
+          schema:
+            type: object
+            required:
+              - accessToken
+            properties:
+              accessToken:
+                type: string
+                description: The access token to authenticate with
+    responses:
+      '200':
+        description: Login successful
+        content:
+          application/json:
+            schema:
+              type: object
+              properties:
+                sessionToken:
+                  type: string
+                  description: A JWT token signed by the service containing the user profile and tenants.
+      '401':
+        description: Authentication failed
+        content:
+          application/json:
+            schema:
+              type: object
+              properties:
+                error:
+                  type: string
+                  description: Error message
+                  example: "Invalid access token"
+
+      '403':
+        description: Forbidden
+        content:
+          application/json:
+            schema:
+              type: object
+              properties:
+                error:
+                  type: string
+                  description: Error message
+                  example: "Access denied"
+    security: []  # No security required for login endpoint
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -72,7 +72,7 @@
     "@adobe/helix-universal-logger": "3.0.24",
     "@adobe/spacecat-shared-data-access": "2.17.1",
     "@adobe/spacecat-shared-gpt-client": "1.5.9",
-    "@adobe/spacecat-shared-http-utils": "1.10.3",
+    "@adobe/spacecat-shared-http-utils": "1.10.4",
     "@adobe/spacecat-shared-ims-client": "1.7.3",
     "@adobe/spacecat-shared-rum-api-client": "2.23.4",
     "@adobe/spacecat-shared-brand-client": "1.1.6",

diff --git a/src/controllers/audits.js b/src/controllers/audits.js
@@ -11,7 +11,7 @@
  */
 
 import {
-  badRequest,
+  badRequest, forbidden,
   notFound,
   ok,
 } from '@adobe/spacecat-shared-http-utils';
@@ -20,27 +20,36 @@ import {
   isNonEmptyArray,
   isObject,
   isValidUUID,
-  isValidUrl,
+  isValidUrl, isNonEmptyObject,
 } from '@adobe/spacecat-shared-utils';
 import { Config } from '@adobe/spacecat-shared-data-access/src/models/site/config.js';
 
 import { AuditDto } from '../dto/audit.js';
+import AccessControlUtil from '../support/access-control-util.js';
 
 /**
  * Audits controller.
- * @param {DataAccess} dataAccess - Data access.
+ * @param {object} ctx - Context object.
  * @returns {object} Audits controller.
  * @constructor
  */
-function AuditsController(dataAccess) {
-  if (!isObject(dataAccess)) {
+function AuditsController(ctx) {
+  if (!isNonEmptyObject(ctx)) {
+    throw new Error('Context required');
+  }
+
+  const { dataAccess } = ctx;
+
+  if (!isNonEmptyObject(dataAccess)) {
     throw new Error('Data access required');
   }
 
   const {
     Audit, Configuration, LatestAudit, Site,
   } = dataAccess;
 
+  const accessControlUtil = AccessControlUtil.fromContext(ctx);
+
   /**
    * Gets all audits for a given site and audit type. If no audit type is specified,
    * all audits are returned.
@@ -56,6 +65,15 @@ function AuditsController(dataAccess) {
       return badRequest('Site ID required');
     }
 
+    const site = await Site.findById(siteId);
+    if (!site) {
+      return notFound('Site not found');
+    }
+
+    if (!await accessControlUtil.hasAccess(site)) {
+      return forbidden('User does not have access to this site');
+    }
+
     const method = auditType
       ? Audit.allBySiteIdAndAuditType(siteId, auditType, { order })
       : Audit.allBySiteId(siteId, { order });
@@ -65,7 +83,7 @@ function AuditsController(dataAccess) {
   };
 
   /**
-   * Gets all audits for a given site and audit type. Sorts by auditedAt descending.
+   * Gets all audits for a given audit type. Sorts by auditedAt descending.
    * If the url parameter ascending is set to true, sorts by auditedAt ascending.
    *
    * @returns {Promise<Response>} Array of audits response.
@@ -78,6 +96,10 @@ function AuditsController(dataAccess) {
       return badRequest('Audit type required');
     }
 
+    if (!accessControlUtil.hasAdminAccess()) {
+      return forbidden('Admin access required');
+    }
+
     const audits = (await LatestAudit.allByAuditType(auditType, { order }))
       .map((audit) => AuditDto.toAbbreviatedJSON(audit));
 
@@ -95,6 +117,15 @@ function AuditsController(dataAccess) {
       return badRequest('Site ID required');
     }
 
+    const site = await Site.findById(siteId);
+    if (!site) {
+      return notFound('Site not found');
+    }
+
+    if (!await accessControlUtil.hasAccess(site)) {
+      return forbidden('User does not have access to this site');
+    }
+
     const audits = (await LatestAudit.allBySiteId(siteId))
       .map((audit) => AuditDto.toJSON(audit));
 
@@ -117,6 +148,15 @@ function AuditsController(dataAccess) {
       return badRequest('Audit type required');
     }
 
+    const site = await Site.findById(siteId);
+    if (!site) {
+      return notFound('Site not found');
+    }
+
+    if (!await accessControlUtil.hasAccess(site)) {
+      return forbidden('User does not have access to this site');
+    }
+
     const audits = await LatestAudit.allBySiteIdAndAuditType(siteId, auditType);
     if (isNonEmptyArray(audits)) {
       return ok(AuditDto.toJSON(audits[0]));
@@ -167,6 +207,10 @@ function AuditsController(dataAccess) {
       return notFound('Site not found');
     }
 
+    if (!await accessControlUtil.hasAccess(site)) {
+      return forbidden('User does not have access to this site');
+    }
+
     const configuration = await Configuration.findLatest();
     const registeredAudits = configuration.getHandlers();
     if (!registeredAudits[auditType]) {

diff --git a/src/controllers/brands.js b/src/controllers/brands.js
@@ -14,38 +14,45 @@ import {
   badRequest,
   notFound,
   ok,
-  createResponse,
+  createResponse, forbidden,
 } from '@adobe/spacecat-shared-http-utils';
 import {
   hasText,
-  isObject,
+  isNonEmptyObject,
   isValidUUID,
 } from '@adobe/spacecat-shared-utils';
 
 import { ErrorWithStatusCode, getImsUserToken } from '../support/utils.js';
 import {
   STATUS_BAD_REQUEST,
 } from '../utils/constants.js';
+import AccessControlUtil from '../support/access-control-util.js';
 
 const HEADER_ERROR = 'x-error';
 
 /**
  * BrandsController. Provides methods to read brands and brand guidelines.
- * @param {DataAccess} dataAccess - Data access.
+ * @param {object} ctx - Context of the request.
  * @param {Object} env - Environment object.
  * @returns {object} Brands controller.
  * @constructor
  */
-function BrandsController(dataAccess, log, env) {
-  if (!isObject(dataAccess)) {
+function BrandsController(ctx, log, env) {
+  if (!isNonEmptyObject(ctx)) {
+    throw new Error('Context required');
+  }
+  const { dataAccess } = ctx;
+  if (!isNonEmptyObject(dataAccess)) {
     throw new Error('Data access required');
   }
 
-  if (!isObject(env)) {
+  if (!isNonEmptyObject(env)) {
     throw new Error('Environment object required');
   }
   const { Organization, Site } = dataAccess;
 
+  const accessControlUtil = AccessControlUtil.fromContext(ctx);
+
   function createErrorResponse(error) {
     return createResponse({ message: error.message }, error.status, {
       [HEADER_ERROR]: error.message,
@@ -68,6 +75,11 @@ function BrandsController(dataAccess, log, env) {
       if (!organization) {
         return notFound(`Organization not found: ${organizationId}`);
       }
+
+      if (!await accessControlUtil.hasAccess(organization)) {
+        return forbidden('Only users belonging to the organization can view its brands');
+      }
+
       const imsOrgId = organization.getImsOrgId();
       const imsUserToken = getImsUserToken(context);
       const brandClient = BrandClient.createFrom(context);
@@ -120,6 +132,10 @@ function BrandsController(dataAccess, log, env) {
       if (!site) {
         return notFound(`Site not found: ${siteId}`);
       }
+      if (!await accessControlUtil.hasAccess(site)) {
+        return forbidden('Only users belonging to the organization of the site can view its brand guidelines');
+      }
+
       const brandId = site.getConfig()?.getBrandConfig()?.brandId;
       log.info(`Brand ID mapping for site: ${siteId} is ${brandId}`);
       if (!hasText(brandId)) {

diff --git a/src/controllers/configuration.js b/src/controllers/configuration.js
@@ -12,28 +12,39 @@
 
 import {
   badRequest,
+  forbidden,
   notFound,
   ok,
 } from '@adobe/spacecat-shared-http-utils';
 import {
   isInteger,
-  isObject,
+  isNonEmptyObject,
 } from '@adobe/spacecat-shared-utils';
 
 import { ConfigurationDto } from '../dto/configuration.js';
+import AccessControlUtil from '../support/access-control-util.js';
 
-function ConfigurationController(dataAccess) {
-  if (!isObject(dataAccess)) {
+function ConfigurationController(ctx) {
+  if (!isNonEmptyObject(ctx)) {
+    throw new Error('Context required');
+  }
+  const { dataAccess } = ctx;
+  if (!isNonEmptyObject(dataAccess)) {
     throw new Error('Data access required');
   }
 
   const { Configuration } = dataAccess;
 
+  const accessControlUtil = AccessControlUtil.fromContext(ctx);
+
   /**
    * Retrieves all configurations (all versions).
    * @return {Promise<Response>} Array of configurations.
    */
   const getAll = async () => {
+    if (!accessControlUtil.hasAdminAccess()) {
+      return forbidden('Only admins can view configurations');
+    }
     const configurations = (await Configuration.all())
       .map((configuration) => ConfigurationDto.toJSON(configuration));
     return ok(configurations);
@@ -45,6 +56,9 @@ function ConfigurationController(dataAccess) {
    * @return {Promise<Response>} Configuration response.
    */
   const getByVersion = async (context) => {
+    if (!accessControlUtil.hasAdminAccess()) {
+      return forbidden('Only admins can view configurations');
+    }
     const configurationVersion = context.params?.version;
 
     if (!isInteger(configurationVersion)) {
@@ -64,6 +78,9 @@ function ConfigurationController(dataAccess) {
    * @return {Promise<Response>} Configuration response.
    */
   const getLatest = async () => {
+    if (!accessControlUtil.hasAdminAccess()) {
+      return forbidden('Only admins can view configurations');
+    }
     const configuration = await Configuration.findLatest();
     if (!configuration) {
       return notFound('Configuration not found');