From ec3d967a80483439b30e4ac0c96584983f298b8a Mon Sep 17 00:00:00 2001
From: Andrei Tuicu
Date: Mon, 6 Jan 2025 13:32:24 +0200
Subject: [PATCH] feat: Allow AEM CLI to obtain site token

---
 package-lock.json | 10 ++++++++++
 package.json | 1 +
 src/config/config-utils.js | 25 +++++++++++++++++++++++--
 3 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index bcf1ea74..08ccca74 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -32,6 +32,7 @@
         "ignore": "6.0.2",
         "ini": "5.0.0",
         "isomorphic-git": "1.27.2",
+        "jose": "5.9.6",
         "livereload-js": "4.0.2",
         "node-fetch": "3.3.2",
         "open": "10.1.0",
@@ -6264,6 +6265,15 @@
         "node": ">= 0.6.0"
       }
     },
+    "node_modules/jose": {
+      "version": "5.9.6",
+      "resolved": "https://registry.npmjs.org/jose/-/jose-5.9.6.tgz",
+      "integrity": "sha512-AMlnetc9+CV9asI19zHmrgS/WYsWUwCn2R7RzlbJWD7F9eWYUTGyBmU9o6PxngtLGOiDGPRu+Uc4fhKzbpteZQ==",
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/sponsors/panva"
+      }
+    },
     "node_modules/js-tokens": {
       "version": "4.0.0",
       "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-4.0.0.tgz",
diff --git a/package.json b/package.json
index 2cceeb5f..6fed96b2 100644
--- a/package.json
+++ b/package.json
@@ -61,6 +61,7 @@
     "ignore": "6.0.2",
     "ini": "5.0.0",
     "isomorphic-git": "1.27.2",
+    "jose": "5.9.6",
     "livereload-js": "4.0.2",
     "node-fetch": "3.3.2",
     "open": "10.1.0",
diff --git a/src/config/config-utils.js b/src/config/config-utils.js
index 43b9b009..c99c0617 100644
--- a/src/config/config-utils.js
+++ b/src/config/config-utils.js
@@ -12,6 +12,7 @@ import chalk from 'chalk-template';
 import fs from 'fs';
 import semver from 'semver';
+import { decodeJwt } from 'jose';
 import GitUtils from '../git-utils.js';
 import pkgJson from '../package.cjs';
@@ -43,10 +44,30 @@ export async function writeSiteTokenToDotEnv(siteToken) {
     return;
   }
+  /*
+  don't allow writing arbitrary data to the file system.
+  validate and write only valid site tokens to the .env file
+  */
+  if (siteToken.startsWith('hlxtst_')) {
+    try {
+      decodeJwt(siteToken.substring(7));
+    } catch (e) {
+      process.stdout.write(chalk`
+{redBright Error:} The provided site token is not a valid JWT, it will not be written to your .env file.
+`);
+      return;
+    }
+  } else {
+    process.stdout.write(chalk`
+{redBright Error:} The provided site token is not a recognised token format, it will not be written to your .env file.
+`);
+    return;
+  }
+
   const envFile = fs.openSync('.env', 'a+');
   try {
     if (!(await validateDotEnv(process.cwd()))) {
-      fs.appendFileSync('.gitignore', '\n.env\n', 'utf8');
+      fs.appendFileSync('.gitignore', '\r\n.env\r\n', 'utf8');
       process.stdout.write(chalk`
 {redBright Warning:} Added your {cyan '.env'} file to .gitignore, because it now contains your site token.
 Please make sure the site token is not stored in the git repository.
@@ -57,7 +78,7 @@ Please make sure the site token is not stored in the git repository.
     if (env.includes('AEM_SITE_TOKEN')) {
       env = env.replace(/AEM_SITE_TOKEN=.*/, `AEM_SITE_TOKEN=${siteToken}`);
     } else {
-      env += `\nAEM_SITE_TOKEN=${siteToken}\n`;
+      env += `\r\nAEM_SITE_TOKEN=${siteToken}\r\n`;
     }
     fs.ftruncateSync(envFile);
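Review bot: The new `if (siteToken.startsWith('hlxtst_'))` check is weaker than the comment above it claims: as far as I can tell `decodeJwt` only splits on `.`, base64url-decodes the payload segment and JSON-parses it, so the header and signature segments are never inspected, a decoded token is not a verified one, and a value carrying `\r`/`\n` (or `$` sequences that `String.prototype.replace` interprets in the later `AEM_SITE_TOKEN=${siteToken}` replacement) still reaches the `.env` write, where a line break becomes an extra line in the file. Since the stated goal is to refuse arbitrary data, also constrain the whole body to the compact-JWS alphabet before decoding, e.g. `const jws = siteToken.substring('hlxtst_'.length);` followed by `if (!/^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/.test(jws)) { /* same error path as the catch */ }`, which also removes the magic `7`. The unused binding in `catch (e)` can be written `catch {`, which the file's ES-module style already permits. Separately, the switch from `\n` to a hard-coded `\r\n` in the `.gitignore` append (and in the second hunk of this file) is unrelated to the token feature and platform-independent; `os.EOL` or the original `\n` would be the conventional choice. `writeSiteTokenToDotEnv` starts before this hunk and its body continues past it.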