Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 24 additions & 10 deletions src/main/content-api-client.js
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,20 @@ import { buildHttpError } from './http-request-error.js';

const LIST_MAX_PAGES = 50000;

/**
* Builds a 401 error that keeps the {@link DA_UNAUTHORIZED_MESSAGE} prefix
* (session-expiry detection matches on it) while carrying the request,
* `x-error` header, and body detail for diagnosis.
*
* @param {string} method
* @param {string} url
* @param {Response} res
* @returns {Promise<import('./http-request-error.js').HttpRequestError>}
*/
function buildUnauthorizedError(method, url, res) {
return buildHttpError(method, url, res, DA_UNAUTHORIZED_MESSAGE);
}

/**
* HTTP client for da.live admin and api.aem.live (helix6) content APIs.
*/
Expand Down Expand Up @@ -88,7 +102,7 @@ export class ContentApiClient {
}
const res = await this.fetch(url, { headers, cache: 'reload' }); // eslint-disable-line no-await-in-loop
if (res.status === 401) {
throw new Error(DA_UNAUTHORIZED_MESSAGE);
throw await buildUnauthorizedError('GET', url, res); // eslint-disable-line no-await-in-loop
}
if (!res.ok) {
throw await buildHttpError('GET', url, res, `List failed for ${normalized}`); // eslint-disable-line no-await-in-loop
Expand Down Expand Up @@ -120,7 +134,7 @@ export class ContentApiClient {
const url = buildAemApiListUrl(org, repo, normalized);
const res = await this.fetch(url, { headers: this.authHeader, cache: 'reload' });
if (res.status === 401) {
throw new Error(DA_UNAUTHORIZED_MESSAGE);
throw await buildUnauthorizedError('GET', url, res);
}
if (!res.ok) {
throw await buildHttpError('GET', url, res, `List failed for ${normalized}`);
Expand All @@ -147,7 +161,7 @@ export class ContentApiClient {
: buildDaLiveSourceUrl(org, repo, normalized);
const res = await this.fetch(url, { headers: this.authHeader, cache: 'reload' });
if (res.status === 401) {
throw new Error(DA_UNAUTHORIZED_MESSAGE);
throw await buildUnauthorizedError('GET', url, res);
}
if (res.status === 404) {
return null;
Expand Down Expand Up @@ -176,7 +190,7 @@ export class ContentApiClient {
: buildDaLiveSourceUrl(org, repo, normalized);
const res = await this.fetch(url, { headers: this.authHeader, cache: 'reload' });
if (res.status === 401) {
throw new Error(DA_UNAUTHORIZED_MESSAGE);
throw await buildUnauthorizedError('GET', url, res);
}
if (res.status === 404) {
return null;
Expand Down Expand Up @@ -222,7 +236,7 @@ export class ContentApiClient {
body,
});
if (putRes.status === 401) {
throw new Error(DA_UNAUTHORIZED_MESSAGE);
throw await buildUnauthorizedError('PUT', url, putRes);
}
if (putRes.ok) {
return;
Expand All @@ -235,7 +249,7 @@ export class ContentApiClient {
body: post.body,
});
if (postRes.status === 401) {
throw new Error(DA_UNAUTHORIZED_MESSAGE);
throw await buildUnauthorizedError('POST', url, postRes);
}
if (postRes.ok) {
return;
Expand Down Expand Up @@ -263,7 +277,7 @@ export class ContentApiClient {
headers: this.authHeader,
});
if (res.status === 401) {
throw new Error(DA_UNAUTHORIZED_MESSAGE);
throw await buildUnauthorizedError('DELETE', url, res);
}
if (!res.ok && res.status !== 404) {
throw await buildHttpError('DELETE', url, res, `Delete failed for ${normalized}`);
Expand All @@ -285,7 +299,7 @@ export class ContentApiClient {
body: JSON.stringify({ paths, forceAsync: true }),
});
if (res.status === 401) {
throw new Error(DA_UNAUTHORIZED_MESSAGE);
throw await buildUnauthorizedError('POST', url, res);
}
if (!res.ok && res.status !== 202) {
throw await buildHttpError('POST', url, res, 'Bulk preview failed');
Expand All @@ -308,7 +322,7 @@ export class ContentApiClient {
body: JSON.stringify({ paths, forceAsync: true }),
});
if (res.status === 401) {
throw new Error(DA_UNAUTHORIZED_MESSAGE);
throw await buildUnauthorizedError('POST', url, res);
}
if (!res.ok && res.status !== 202) {
throw await buildHttpError('POST', url, res, 'Bulk publish failed');
Expand All @@ -328,7 +342,7 @@ export class ContentApiClient {
const url = buildAemApiJobUrl(org, repo, topic, jobName);
const res = await this.fetch(url, { headers: this.authHeader });
if (res.status === 401) {
throw new Error(DA_UNAUTHORIZED_MESSAGE);
throw await buildUnauthorizedError('GET', url, res);
}
if (!res.ok && res.status !== 202) {
throw await buildHttpError('GET', url, res, 'Job status failed');
Expand Down
167 changes: 167 additions & 0 deletions src/main/da-session.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,167 @@
/*
* Copyright 2026 Adobe. All rights reserved.
* This file is licensed to you under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software distributed under
* the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
* OF ANY KIND, either express or implied. See the License for the specific language
* governing permissions and limitations under the License.
*/

import { clearStoredToken, isTokenExpired, loadStoredToken } from './da-auth.js';
import { DA_UNAUTHORIZED_MESSAGE } from './content-api-shared.js';
import { PREVIEW_WEBVIEW_PARTITION } from './content-da-live-auth.js';
import { saveSiteTokens } from './site-token-store.js';

/** Origins that may retain IMS or DA credentials in Electron storage. */
export const DA_AUTH_STORAGE_ORIGINS = [
'https://ims-na1.adobelogin.com',
'https://admin.da.live',
'https://content.da.live',
'https://api.aem.live',
];

/**
* Decodes the payload of an IMS access token (a JWT) without verifying it —
* for diagnostics only.
*
* @param {string} accessToken
* @returns {Record<string, unknown>|null}
*/
export function decodeImsTokenClaims(accessToken) {
try {
const payload = accessToken.split('.')[1];
const claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
return claims && typeof claims === 'object' ? claims : null;
} catch {
return null;
}
}

/**
* One-line description of a stored token for error messages and logs:
* which client/user it was minted for and when it was issued/expires.
* Never includes the token value itself.
*
* @param {{ access_token?: string, expires_at?: number|null }|null} stored
* @returns {string}
*/
export function describeTokenDiagnostics(stored) {
if (!stored?.access_token) {
return 'no stored token';
}
const parts = [];
const claims = decodeImsTokenClaims(stored.access_token);
if (claims) {
if (claims.client_id) {
parts.push(`client_id=${claims.client_id}`);
}
if (claims.user_id) {
parts.push(`user=${claims.user_id}`);
}
const createdAt = Number(claims.created_at);
if (createdAt) {
parts.push(`issued ${new Date(createdAt).toISOString()}`);
const expiresIn = Number(claims.expires_in);
if (expiresIn) {
parts.push(`token expires ${new Date(createdAt + expiresIn).toISOString()}`);
}
}
}
if (stored.expires_at) {
parts.push(`stored expiry ${new Date(stored.expires_at).toISOString()}`);
}
return parts.length > 0 ? parts.join(', ') : 'token present but not a decodable JWT';
}

/** @type {import('electron').ClearStorageDataOptions['storages']} */
export const DA_AUTH_STORAGE_TYPES = [
'cookies',
'localstorage',
'cachestorage',
'serviceworkers',
'indexdb',
];

/**
* @param {string} tokenPath
* @returns {Promise<string>}
*/
export async function resolveStoredAccessToken(tokenPath) {
const stored = await loadStoredToken(tokenPath);
if (!stored?.access_token) {
throw new Error(
`${DA_UNAUTHORIZED_MESSAGE} — No DA token file at ${tokenPath}. Sign in to AEM.`,
);
}
if (isTokenExpired(stored)) {
const expiry = stored.expires_at
? new Date(stored.expires_at).toISOString()
: 'expiry not recorded';
throw new Error(
`${DA_UNAUTHORIZED_MESSAGE} — Stored token expired (${expiry}). Sign in again.`,
);
}
return stored.access_token;
}

/**
* Clears cookies and web storage for IMS / DA origins on the default session
* and the given partitions. Without this, a persistent IMS session cookie
* (e.g. in the preview-login partition) silently re-mints tokens for the
* previously signed-in user after a sign-out.
*
* @param {typeof import('electron').session} electronSession
* @param {string[]} [partitions]
*/
export async function clearDaAuthStorage(
electronSession,
partitions = [PREVIEW_WEBVIEW_PARTITION],
) {
const options = {
storages: DA_AUTH_STORAGE_TYPES,
origins: DA_AUTH_STORAGE_ORIGINS,
};
await electronSession.defaultSession.clearStorageData(options);
await Promise.all(partitions.map(
(partition) => electronSession.fromPartition(partition).clearStorageData(options),
));
}

/**
* Removes persisted and in-memory DA credentials: the IMS token file, the
* per-site preview tokens, in-memory token caches, and IMS/DA cookies + web
* storage in Electron sessions.
*
* @param {{
* tokenPath: string,
* siteTokensPath?: string,
* electronSession?: typeof import('electron').session,
* partitions?: string[],
* clearContentAuthCache?: () => void,
* clearPreviewCaches?: () => void,
* resetSiteTokensCache?: () => void,
* }} options
*/
export async function invalidateDaSession({
tokenPath,
siteTokensPath,
electronSession,
partitions,
clearContentAuthCache,
clearPreviewCaches,
resetSiteTokensCache,
}) {
await clearStoredToken(tokenPath);
clearContentAuthCache?.();
resetSiteTokensCache?.();
if (siteTokensPath) {
await saveSiteTokens(siteTokensPath, {});
}
clearPreviewCaches?.();
if (electronSession) {
await clearDaAuthStorage(electronSession, partitions);
}
}
Loading
Loading