feat: introduce ims authorization

docs/openapi/api.yaml

@@ -55,6 +55,8 @@ paths:
     $ref: './auth-api.yaml#/google-auth'
   /auth/google/{siteId}/status:
     $ref: './auth-api.yaml#/google-auth-status'
+  /auth/login:
+    $ref: './auth-api.yaml#/login'
   /configurations:
     $ref: './configurations-api.yaml#/configurations'
   /configurations/latest:

docs/openapi/auth-api.yaml

@@ -51,3 +51,46 @@ google-auth-status:
       '500':
         $ref: './responses.yaml#/500'
     security: []
+login:
+  post:
+    summary: Authenticate with access token
+    description: |
+      Authenticates a user using an IMS access token and returns session information.
+    operationId: login
+    tags:
+      - auth
+    requestBody:
+      required: true
+      content:
+        application/json:
+          schema:
+            type: object
+            required:
+              - accessToken
+            properties:
+              accessToken:
+                type: string
+                description: The access token to authenticate with
+    responses:
+      '200':
+        description: Login successful
+        content:
+          application/json:
+            schema:
+              type: object
+              properties:
+                sessionToken:
+                  type: string
+                  description: A JWT token signed by the service containing the user profile and tenants.
+      '401':
+        description: Authentication failed
+        content:
+          application/json:
+            schema:
+              type: object
+              properties:
+                error:
+                  type: string
+                  description: Error message
+                  example: "Invalid access token"
+    security: []  # No security required for login endpoint

package.json

@@ -70,12 +70,12 @@
     "@adobe/helix-shared-wrap": "2.0.2",
     "@adobe/helix-status": "10.1.5",
     "@adobe/helix-universal-logger": "3.0.24",
+    "@adobe/spacecat-shared-brand-client": "1.0.2",
     "@adobe/spacecat-shared-data-access": "2.13.1",
     "@adobe/spacecat-shared-gpt-client": "1.5.4",
-    "@adobe/spacecat-shared-http-utils": "1.9.12",
+    "@adobe/spacecat-shared-http-utils": "https://gitpkg.vercel.app/adobe/spacecat-shared/packages/spacecat-shared-http-utils?fix-auth-handling",
     "@adobe/spacecat-shared-ims-client": "1.5.9",
     "@adobe/spacecat-shared-rum-api-client": "2.22.0",
-    "@adobe/spacecat-shared-brand-client": "1.0.2",
     "@adobe/spacecat-shared-slack-client": "1.5.8",
     "@adobe/spacecat-shared-utils": "1.35.0",
     "@aws-sdk/client-s3": "3.758.0",
@@ -105,7 +105,7 @@
     "@adobe/helix-universal-devserver": "1.1.93",
     "@adobe/semantic-release-coralogix": "1.1.35",
     "@adobe/semantic-release-skms-cmr": "1.1.5",
-    "@redocly/cli": "1.33.0",
+    "@redocly/cli": "1.34.0",
     "@semantic-release/changelog": "6.0.3",
     "@semantic-release/exec": "7.0.3",
     "@semantic-release/git": "10.0.1",

src/controllers/organizations.js

@@ -15,7 +15,7 @@ import {
   badRequest,
   noContent,
   notFound,
-  ok,
+  ok, forbidden,
 } from '@adobe/spacecat-shared-http-utils';
 import {
   hasText,
@@ -26,6 +26,7 @@ import {
 
 import { OrganizationDto } from '../dto/organization.js';
 import { SiteDto } from '../dto/site.js';
+import { isAdmin, userBelongsToOrg } from '../utils/authentication.js';
 
 /**
  * Organizations controller. Provides methods to create, read, update and delete organizations.
@@ -51,6 +52,10 @@ function OrganizationsController(dataAccess, env) {
    * @return {Promise<Response>} Organization response.
    */
   const createOrganization = async (context) => {
+    if (!isAdmin(context)) {
+      return forbidden('Only admins can create new Organizations');
+    }
+
     try {
       const organization = await Organization.create(context.data);
       return createResponse(OrganizationDto.toJSON(organization), 201);
@@ -63,7 +68,11 @@ function OrganizationsController(dataAccess, env) {
    * Gets all organizations.
    * @returns {Promise<Response>} Array of organizations response.
    */
-  const getAll = async () => {
+  const getAll = async (context) => {
+    if (!isAdmin(context)) {
+      return forbidden('Only admins can view all Organizations');
+    }
+
     const organizations = (await Organization.all())
       .map((organization) => OrganizationDto.toJSON(organization));
     return ok(organizations);
@@ -76,6 +85,10 @@ function OrganizationsController(dataAccess, env) {
    * @throws {Error} If organization ID is not provided.
    */
   const getByID = async (context) => {
+    if (!userBelongsToOrg(context)) {
+      return forbidden('Only users belonging to the organization can view it');
+    }
+
     const organizationId = context.params?.organizationId;
 
     if (!isValidUUID(organizationId)) {

src/controllers/suggestions.js

@@ -11,7 +11,7 @@
  */
 import {
   badRequest,
-  createResponse,
+  createResponse, forbidden,
   noContent,
   notFound,
   ok,
@@ -27,6 +27,7 @@ import {
 import { ValidationError, Suggestion as SuggestionModel } from '@adobe/spacecat-shared-data-access';
 import { SuggestionDto } from '../dto/suggestion.js';
 import { sendAutofixMessage } from '../support/utils.js';
+import { userHasSubService } from '../utils/authentication.js';
 
 /**
  * Suggestions controller.
@@ -388,6 +389,9 @@ function SuggestionsController(dataAccess, sqs, env) {
     return createResponse(fullResponse, 207);
   };
   const autofixSuggestions = async (context) => {
+    if (!userHasSubService(context, 'autofix')) {
+      return forbidden('User does not have autofix sub-service');
+    }
     const siteId = context.params?.siteId;
     const opportunityId = context.params?.opportunityId;
 

src/index.js

@@ -25,6 +25,7 @@ import {
   LegacyApiKeyHandler,
   ScopedApiKeyHandler,
   AdobeImsHandler,
+  JwtHandler,
 } from '@adobe/spacecat-shared-http-utils';
 import { imsClientWrapper } from '@adobe/spacecat-shared-ims-client';
 import {
@@ -136,7 +137,9 @@ async function run(request, context) {
 const { WORKSPACE_EXTERNAL } = SLACK_TARGETS;
 
 export const main = wrap(run)
-  .with(authWrapper, { authHandlers: [LegacyApiKeyHandler, ScopedApiKeyHandler, AdobeImsHandler] })
+  .with(authWrapper, {
+    authHandlers: [LegacyApiKeyHandler, ScopedApiKeyHandler, AdobeImsHandler, JwtHandler],
+  })
   .with(dataAccess)
   .with(bodyData)
   .with(multipartFormData)

src/utils/authentication.js

@@ -0,0 +1,33 @@
+/*
+ * Copyright 2025 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+
+const SERVICE_CODE = 'dx_aem_perf';
+
+export const isAdmin = (context) => {
+  const { attributes: { authInfo: { scopes } } } = context;
+  return scopes.some((scope) => scope.name === 'admin');
+};
+
+export const userBelongsToOrg = (context) => {
+  const {
+    attributes: { authInfo: { profile } },
+    params: { organizationId },
+  } = context;
+  return profile.id === organizationId || isAdmin(context);
+};
+
+export const userHasSubService = (context, subservice) => {
+  const { attributes: { authInfo: { scopes } } } = context;
+  return scopes.some(
+    (scope) => scope.name === 'user' && scope.subScopes.includes(`${SERVICE_CODE}_${subservice}`),
+  );
+};