Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Allow AEM CLI to obtain site token #2471

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

feat: Allow AEM CLI to obtain site token #2471

wants to merge 6 commits into from

Conversation

andreituicu
Copy link
Collaborator

@andreituicu andreituicu commented Dec 30, 2024

Changes:

  1. Allows Helix CLI to initiate a login process to obtain transient site tokens from Helix Admin
  2. The login process can be initiated in 3 ways from helix-cli:
    2.1. Automatically: the proxy in the CLI notices a 401 or 403 response during navigation and redirects the user to Helix Admin for login. This is done only once per CLI execution.
    2.2. Manually(User Friendly): If for some reason the automatic way didn't work, the user will have the opportunity to initiate the login flow every time a 401 or 403 error page is being displayed, as they include a link.
    2.3. Manually(Forced): going to /.aem/cli/login will immediately start the login flow.
  3. The login process is initiated by redirecting the user to the Helix admin as follows:
    3.1 The path is the site where we want to login on the main branch https://admin.hlx.page/login/{org}/site}/main. The org and site are extracted from the proxied url.
    3.2 There is a query parameter for letting Helix Admin know this is the aem-cli (client_id=aem-cli)
    3.3. There is a redirect uri parameter for letting Helix Admin know where the cli runs and waits for a response (redirect_uri=http://localhost:3000/.aem/cli/login/ack - only the port can vary)
    3.4 There is a state parameter generated by the CLI and returned by Helix Admin as-is, so the CLI can know that the token it received corresponds to a login flow that was initiated by it.
  4. Helix Admin will do the necessary authentication and authorization operations for the end user and if everything is ok:
    4.1 it will send a POST request to the ACK endpoint with the transient site token and the state.
    4.2 redirect the browser to the same ACK endpoint, when the POST request is finished.
  5. The ACK endpoint will receive the token, use it and store it into the .env file only if the state matches what it sent at the beginning of the login flow, otherwise it will discard it.
  6. When the browser is redirected to the ACK endpoint, this will either:
    6.1. redirect to / if everything was successful
    6.2 display an error corresponding to what went wrong during the login flow.
  7. The CLI will additionally verify that .env file is ignored by git and add it to the .gitignore file otherwise, to prevent tokens from being stored in version control.

src/config/config-utils.js Fixed Show fixed Hide fixed
src/config/config-utils.js Fixed Show fixed Hide fixed
src/config/config-utils.js Fixed Show fixed Hide fixed
Copy link

github-actions bot commented Jan 6, 2025

This PR will trigger a minor release when merged.

.withOrg(org)
.withSiteLoginUrl(
// TODO switch to production URL
`https://admin-ci.hlx.page/login/${org}/${site}/main?client_id=aem-cli&redirect_uri=${encodeURIComponent(`http://localhost:${this._httpPort}/.aem/cli/login/ack`)}`,
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reminder to switch to the production admin url, before merging.

src/config/config-utils.js Fixed Show resolved Hide resolved
@andreituicu andreituicu changed the title WIP: feat: Allow AEM CLI to obtain site token feat: Allow AEM CLI to obtain site token Jan 6, 2025
@tripodsan
Copy link
Contributor

Question: Ideally, .env would've been already present in .gitignore from the boilerplate. Created adobe/aem-boilerplate#441, but this will unfortunately not add it to .gitignore retroactively for projects that already copied the boilerplate. Maybe another file under .hlx/ would be more appropriate to store and read the token from?

on the one hand, I think updating gitignore as mentioned in step 7 is enough....
but, otoh, I don't like too much, that .env is modified, as this "belongs" to the user. maybe having a single .hlx-auth-token file be more transparent and less intrusive.

@andreituicu
Copy link
Collaborator Author

andreituicu commented Jan 7, 2025

but, otoh, I don't like too much, that .env is modified, as this "belongs" to the user. maybe having a single .hlx-auth-token file be more transparent and less intrusive.

Sounds good to me, we can put it .hlx, because it's been in .gitignore since the beginning of the boilerplate ( https://github.com/adobe/aem-boilerplate/blame/main/.gitignore#L1C5-L1C5 ) and have .hlx/.hlx-auth-token. Let me give that a try.

The only small concern I have is that .hlx isn't removed from the boilerplate .gitignore, because of the old branding. 🙂

LE: Done in 4ae5777.

`);
}

fs.writeFileSync(tokenFile, JSON.stringify({ siteToken }, null, 2), 'utf8');

Check warning

Code scanning / CodeQL

Network data written to file Medium

Write to file system depends on
Untrusted data
.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants