@backstage/backend-app-api 0.2.5-next.0 → 0.3.0-next.1

package/dist/index.cjs.js

@@ -2,32 +2,575 @@
 
 Object.defineProperty(exports, '__esModule', { value: true });
 
-var backendPluginApi = require('@backstage/backend-plugin-api');
+var http = require('http');
+var https = require('https');
+var stoppableServer = require('stoppable');
+var fs = require('fs-extra');
+var path = require('path');
+var forge = require('node-forge');
+var cors = require('cors');
+var helmet = require('helmet');
+var morgan = require('morgan');
+var compression = require('compression');
+var minimatch = require('minimatch');
 var errors = require('@backstage/errors');
+var backendPluginApi = require('@backstage/backend-plugin-api');
+var express = require('express');
 var backendCommon = require('@backstage/backend-common');
 var pluginPermissionNode = require('@backstage/plugin-permission-node');
 var backendTasks = require('@backstage/backend-tasks');
-var Router = require('express-promise-router');
 
 function _interopDefaultLegacy (e) { return e && typeof e === 'object' && 'default' in e ? e : { 'default': e }; }
 
-var Router__default = /*#__PURE__*/_interopDefaultLegacy(Router);
+function _interopNamespace(e) {
+  if (e && e.__esModule) return e;
+  var n = Object.create(null);
+  if (e) {
+    Object.keys(e).forEach(function (k) {
+      if (k !== 'default') {
+        var d = Object.getOwnPropertyDescriptor(e, k);
+        Object.defineProperty(n, k, d.get ? d : {
+          enumerable: true,
+          get: function () { return e[k]; }
+        });
+      }
+    });
+  }
+  n["default"] = e;
+  return Object.freeze(n);
+}
 
-var __accessCheck$3 = (obj, member, msg) => {
+var http__namespace = /*#__PURE__*/_interopNamespace(http);
+var https__namespace = /*#__PURE__*/_interopNamespace(https);
+var stoppableServer__default = /*#__PURE__*/_interopDefaultLegacy(stoppableServer);
+var fs__default = /*#__PURE__*/_interopDefaultLegacy(fs);
+var forge__default = /*#__PURE__*/_interopDefaultLegacy(forge);
+var cors__default = /*#__PURE__*/_interopDefaultLegacy(cors);
+var helmet__default = /*#__PURE__*/_interopDefaultLegacy(helmet);
+var morgan__default = /*#__PURE__*/_interopDefaultLegacy(morgan);
+var compression__default = /*#__PURE__*/_interopDefaultLegacy(compression);
+var express__default = /*#__PURE__*/_interopDefaultLegacy(express);
+
+const DEFAULT_PORT = 7007;
+const DEFAULT_HOST = "";
+function readHttpServerOptions(config) {
+  return {
+    listen: readHttpListenOptions(config),
+    https: readHttpsOptions(config)
+  };
+}
+function readHttpListenOptions(config) {
+  var _a, _b;
+  const listen = config == null ? void 0 : config.getOptional("listen");
+  if (typeof listen === "string") {
+    const parts = String(listen).split(":");
+    const port = parseInt(parts[parts.length - 1], 10);
+    if (!isNaN(port)) {
+      if (parts.length === 1) {
+        return { port, host: DEFAULT_HOST };
+      }
+      if (parts.length === 2) {
+        return { host: parts[0], port };
+      }
+    }
+    throw new Error(
+      `Unable to parse listen address ${listen}, expected <port> or <host>:<port>`
+    );
+  }
+  const host = (_a = config == null ? void 0 : config.getOptional("listen.host")) != null ? _a : DEFAULT_HOST;
+  if (typeof host !== "string") {
+    config == null ? void 0 : config.getOptionalString("listen.host");
+    throw new Error("unreachable");
+  }
+  return {
+    port: (_b = config == null ? void 0 : config.getOptionalNumber("listen.port")) != null ? _b : DEFAULT_PORT,
+    host
+  };
+}
+function readHttpsOptions(config) {
+  const https = config == null ? void 0 : config.getOptional("https");
+  if (https === true) {
+    const baseUrl = config.getString("baseUrl");
+    let hostname;
+    try {
+      hostname = new URL(baseUrl).hostname;
+    } catch (error) {
+      throw new Error(`Invalid baseUrl "${baseUrl}"`);
+    }
+    return { certificate: { type: "generated", hostname } };
+  }
+  const cc = config == null ? void 0 : config.getOptionalConfig("https");
+  if (!cc) {
+    return void 0;
+  }
+  return {
+    certificate: {
+      type: "plain",
+      cert: cc.getString("certificate.cert"),
+      key: cc.getString("certificate.key")
+    }
+  };
+}
+
+const FIVE_DAYS_IN_MS = 5 * 24 * 60 * 60 * 1e3;
+const IP_HOSTNAME_REGEX = /:|^\d+\.\d+\.\d+\.\d+$/;
+async function getGeneratedCertificate(hostname, logger) {
+  const hasModules = await fs__default["default"].pathExists("node_modules");
+  let certPath;
+  if (hasModules) {
+    certPath = path.resolve(
+      "node_modules/.cache/backstage-backend/dev-cert.pem"
+    );
+    await fs__default["default"].ensureDir(path.dirname(certPath));
+  } else {
+    certPath = path.resolve(".dev-cert.pem");
+  }
+  if (await fs__default["default"].pathExists(certPath)) {
+    try {
+      const cert = await fs__default["default"].readFile(certPath);
+      const crt = forge__default["default"].pki.certificateFromPem(cert.toString());
+      const remainingMs = crt.validity.notAfter.getTime() - Date.now();
+      if (remainingMs > FIVE_DAYS_IN_MS) {
+        logger.info("Using existing self-signed certificate");
+        return {
+          key: cert,
+          cert
+        };
+      }
+    } catch (error) {
+      logger.warn(`Unable to use existing self-signed certificate, ${error}`);
+    }
+  }
+  logger.info("Generating new self-signed certificate");
+  const newCert = await generateCertificate(hostname);
+  await fs__default["default"].writeFile(certPath, newCert.cert + newCert.key, "utf8");
+  return newCert;
+}
+async function generateCertificate(hostname) {
+  const attributes = [
+    {
+      name: "commonName",
+      value: "dev-cert"
+    }
+  ];
+  const sans = [
+    {
+      type: 2,
+      // DNS
+      value: "localhost"
+    },
+    {
+      type: 2,
+      value: "localhost.localdomain"
+    },
+    {
+      type: 2,
+      value: "[::1]"
+    },
+    {
+      type: 7,
+      // IP
+      ip: "127.0.0.1"
+    },
+    {
+      type: 7,
+      ip: "fe80::1"
+    }
+  ];
+  if (!sans.find(({ value, ip }) => value === hostname || ip === hostname)) {
+    sans.push(
+      IP_HOSTNAME_REGEX.test(hostname) ? {
+        type: 7,
+        ip: hostname
+      } : {
+        type: 2,
+        value: hostname
+      }
+    );
+  }
+  const params = {
+    algorithm: "sha256",
+    keySize: 2048,
+    days: 30,
+    extensions: [
+      {
+        name: "keyUsage",
+        keyCertSign: true,
+        digitalSignature: true,
+        nonRepudiation: true,
+        keyEncipherment: true,
+        dataEncipherment: true
+      },
+      {
+        name: "extKeyUsage",
+        serverAuth: true,
+        clientAuth: true,
+        codeSigning: true,
+        timeStamping: true
+      },
+      {
+        name: "subjectAltName",
+        altNames: sans
+      }
+    ]
+  };
+  return new Promise(
+    (resolve, reject) => require("selfsigned").generate(
+      attributes,
+      params,
+      (err, bundle) => {
+        if (err) {
+          reject(err);
+        } else {
+          resolve({ key: bundle.private, cert: bundle.cert });
+        }
+      }
+    )
+  );
+}
+
+async function createHttpServer(listener, options, deps) {
+  const server = await createServer(listener, options, deps);
+  const stopper = stoppableServer__default["default"](server, 0);
+  const stopServer = stopper.stop.bind(stopper);
+  return Object.assign(server, {
+    start() {
+      return new Promise((resolve, reject) => {
+        const handleStartupError = (error) => {
+          server.close();
+          reject(error);
+        };
+        server.on("error", handleStartupError);
+        const { host, port } = options.listen;
+        server.listen(port, host, () => {
+          server.off("error", handleStartupError);
+          deps.logger.info(`Listening on ${host}:${port}`);
+          resolve();
+        });
+      });
+    },
+    stop() {
+      return new Promise((resolve, reject) => {
+        stopServer((error) => {
+          if (error) {
+            reject(error);
+          } else {
+            resolve();
+          }
+        });
+      });
+    },
+    port() {
+      const address = server.address();
+      if (typeof address === "string" || address === null) {
+        throw new Error(`Unexpected server address '${address}'`);
+      }
+      return address.port;
+    }
+  });
+}
+async function createServer(listener, options, deps) {
+  if (options.https) {
+    const { certificate } = options.https;
+    if (certificate.type === "generated") {
+      const credentials = await getGeneratedCertificate(
+        certificate.hostname,
+        deps.logger
+      );
+      return https__namespace.createServer(credentials, listener);
+    }
+    return https__namespace.createServer(certificate, listener);
+  }
+  return http__namespace.createServer(listener);
+}
+
+function readHelmetOptions(config) {
+  const cspOptions = readCspDirectives(config);
+  return {
+    contentSecurityPolicy: {
+      useDefaults: false,
+      directives: applyCspDirectives(cspOptions)
+    },
+    // These are all disabled in order to maintain backwards compatibility
+    // when bumping helmet v5. We can't enable these by default because
+    // there is no way for users to configure them.
+    // TODO(Rugvip): We should give control of this setup to consumers
+    crossOriginEmbedderPolicy: false,
+    crossOriginOpenerPolicy: false,
+    crossOriginResourcePolicy: false,
+    originAgentCluster: false
+  };
+}
+function readCspDirectives(config) {
+  const cc = config == null ? void 0 : config.getOptionalConfig("csp");
+  if (!cc) {
+    return void 0;
+  }
+  const result = {};
+  for (const key of cc.keys()) {
+    if (cc.get(key) === false) {
+      result[key] = false;
+    } else {
+      result[key] = cc.getStringArray(key);
+    }
+  }
+  return result;
+}
+function applyCspDirectives(directives) {
+  const result = helmet__default["default"].contentSecurityPolicy.getDefaultDirectives();
+  result["script-src"] = ["'self'", "'unsafe-eval'"];
+  delete result["form-action"];
+  if (directives) {
+    for (const [key, value] of Object.entries(directives)) {
+      if (value === false) {
+        delete result[key];
+      } else {
+        result[key] = value;
+      }
+    }
+  }
+  return result;
+}
+
+function readCorsOptions(config) {
+  const cc = config == null ? void 0 : config.getOptionalConfig("cors");
+  if (!cc) {
+    return { origin: false };
+  }
+  return {
+    origin: createCorsOriginMatcher(readStringArray(cc, "origin")),
+    methods: readStringArray(cc, "methods"),
+    allowedHeaders: readStringArray(cc, "allowedHeaders"),
+    exposedHeaders: readStringArray(cc, "exposedHeaders"),
+    credentials: cc.getOptionalBoolean("credentials"),
+    maxAge: cc.getOptionalNumber("maxAge"),
+    preflightContinue: cc.getOptionalBoolean("preflightContinue"),
+    optionsSuccessStatus: cc.getOptionalNumber("optionsSuccessStatus")
+  };
+}
+function readStringArray(config, key) {
+  const value = config.getOptional(key);
+  if (typeof value === "string") {
+    return [value];
+  } else if (!value) {
+    return void 0;
+  }
+  return config.getStringArray(key);
+}
+function createCorsOriginMatcher(allowedOriginPatterns) {
+  if (!allowedOriginPatterns) {
+    return void 0;
+  }
+  const allowedOriginMatchers = allowedOriginPatterns.map(
+    (pattern) => new minimatch.Minimatch(pattern, { nocase: true, noglobstar: true })
+  );
+  return (origin, callback) => {
+    return callback(
+      null,
+      allowedOriginMatchers.some((pattern) => pattern.match(origin != null ? origin : ""))
+    );
+  };
+}
+
+var __accessCheck$5 = (obj, member, msg) => {
   if (!member.has(obj))
     throw TypeError("Cannot " + msg);
 };
-var __privateGet$3 = (obj, member, getter) => {
-  __accessCheck$3(obj, member, "read from private field");
+var __privateGet$5 = (obj, member, getter) => {
+  __accessCheck$5(obj, member, "read from private field");
   return getter ? getter.call(obj) : member.get(obj);
 };
-var __privateAdd$3 = (obj, member, value) => {
+var __privateAdd$5 = (obj, member, value) => {
   if (member.has(obj))
     throw TypeError("Cannot add the same private member more than once");
   member instanceof WeakSet ? member.add(obj) : member.set(obj, value);
 };
-var __privateSet$3 = (obj, member, value, setter) => {
-  __accessCheck$3(obj, member, "write to private field");
+var __privateSet$5 = (obj, member, value, setter) => {
+  __accessCheck$5(obj, member, "write to private field");
+  setter ? setter.call(obj, value) : member.set(obj, value);
+  return value;
+};
+var _config, _logger;
+const _MiddlewareFactory = class {
+  constructor(options) {
+    __privateAdd$5(this, _config, void 0);
+    __privateAdd$5(this, _logger, void 0);
+    __privateSet$5(this, _config, options.config);
+    __privateSet$5(this, _logger, options.logger);
+  }
+  /**
+   * Creates a new {@link MiddlewareFactory}.
+   */
+  static create(options) {
+    return new _MiddlewareFactory(options);
+  }
+  /**
+   * Returns a middleware that unconditionally produces a 404 error response.
+   *
+   * @remarks
+   *
+   * Typically you want to place this middleware at the end of the chain, such
+   * that it's the last one attempted after no other routes matched.
+   *
+   * @returns An Express request handler
+   */
+  notFound() {
+    return (_req, res) => {
+      res.status(404).end();
+    };
+  }
+  /**
+   * Returns the compression middleware.
+   *
+   * @remarks
+   *
+   * The middleware will attempt to compress response bodies for all requests
+   * that traverse through the middleware.
+   */
+  compression() {
+    return compression__default["default"]();
+  }
+  /**
+   * Returns a request logging middleware.
+   *
+   * @remarks
+   *
+   * Typically you want to place this middleware at the start of the chain, such
+   * that it always logs requests whether they are "caught" by handlers farther
+   * down or not.
+   *
+   * @returns An Express request handler
+   */
+  logging() {
+    const logger = __privateGet$5(this, _logger).child({
+      type: "incomingRequest"
+    });
+    return morgan__default["default"]("combined", {
+      stream: {
+        write(message) {
+          logger.info(message.trimEnd());
+        }
+      }
+    });
+  }
+  /**
+   * Returns a middleware that implements the helmet library.
+   *
+   * @remarks
+   *
+   * This middleware applies security policies to incoming requests and outgoing
+   * responses. It is configured using config keys such as `backend.csp`.
+   *
+   * @see {@link https://helmetjs.github.io/}
+   *
+   * @returns An Express request handler
+   */
+  helmet() {
+    return helmet__default["default"](readHelmetOptions(__privateGet$5(this, _config).getOptionalConfig("backend")));
+  }
+  /**
+   * Returns a middleware that implements the cors library.
+   *
+   * @remarks
+   *
+   * This middleware handles CORS. It is configured using the config key
+   * `backend.cors`.
+   *
+   * @see {@link https://github.com/expressjs/cors}
+   *
+   * @returns An Express request handler
+   */
+  cors() {
+    return cors__default["default"](readCorsOptions(__privateGet$5(this, _config).getOptionalConfig("backend")));
+  }
+  /**
+   * Express middleware to handle errors during request processing.
+   *
+   * @remarks
+   *
+   * This is commonly the very last middleware in the chain.
+   *
+   * Its primary purpose is not to do translation of business logic exceptions,
+   * but rather to be a global catch-all for uncaught "fatal" errors that are
+   * expected to result in a 500 error. However, it also does handle some common
+   * error types (such as http-error exceptions, and the well-known error types
+   * in the `@backstage/errors` package) and returns the enclosed status code
+   * accordingly.
+   *
+   * It will also produce a response body with a serialized form of the error,
+   * unless a previous handler already did send a body. See
+   * {@link @backstage/errors#ErrorResponseBody} for the response shape used.
+   *
+   * @returns An Express error request handler
+   */
+  error(options = {}) {
+    var _a;
+    const showStackTraces = (_a = options.showStackTraces) != null ? _a : process.env.NODE_ENV === "development";
+    const logger = __privateGet$5(this, _logger).child({
+      type: "errorHandler"
+    });
+    return (error, req, res, next) => {
+      const statusCode = getStatusCode(error);
+      if (options.logAllErrors || statusCode >= 500) {
+        logger.error(`Request failed with status ${statusCode}`, error);
+      }
+      if (res.headersSent) {
+        next(error);
+        return;
+      }
+      const body = {
+        error: errors.serializeError(error, { includeStack: showStackTraces }),
+        request: { method: req.method, url: req.url },
+        response: { statusCode }
+      };
+      res.status(statusCode).json(body);
+    };
+  }
+};
+let MiddlewareFactory = _MiddlewareFactory;
+_config = new WeakMap();
+_logger = new WeakMap();
+function getStatusCode(error) {
+  const knownStatusCodeFields = ["statusCode", "status"];
+  for (const field of knownStatusCodeFields) {
+    const statusCode = error[field];
+    if (typeof statusCode === "number" && (statusCode | 0) === statusCode && // is whole integer
+    statusCode >= 100 && statusCode <= 599) {
+      return statusCode;
+    }
+  }
+  switch (error.name) {
+    case errors.NotModifiedError.name:
+      return 304;
+    case errors.InputError.name:
+      return 400;
+    case errors.AuthenticationError.name:
+      return 401;
+    case errors.NotAllowedError.name:
+      return 403;
+    case errors.NotFoundError.name:
+      return 404;
+    case errors.ConflictError.name:
+      return 409;
+  }
+  return 500;
+}
+
+var __accessCheck$4 = (obj, member, msg) => {
+  if (!member.has(obj))
+    throw TypeError("Cannot " + msg);
+};
+var __privateGet$4 = (obj, member, getter) => {
+  __accessCheck$4(obj, member, "read from private field");
+  return getter ? getter.call(obj) : member.get(obj);
+};
+var __privateAdd$4 = (obj, member, value) => {
+  if (member.has(obj))
+    throw TypeError("Cannot add the same private member more than once");
+  member instanceof WeakSet ? member.add(obj) : member.set(obj, value);
+};
+var __privateSet$4 = (obj, member, value, setter) => {
+  __accessCheck$4(obj, member, "write to private field");
   setter ? setter.call(obj, value) : member.set(obj, value);
   return value;
 };
@@ -36,26 +579,27 @@ const CALLBACKS = ["SIGTERM", "SIGINT", "beforeExit"];
 class BackendLifecycleImpl {
   constructor(logger) {
     this.logger = logger;
-    __privateAdd$3(this, _isCalled, false);
-    __privateAdd$3(this, _shutdownTasks, []);
+    __privateAdd$4(this, _isCalled, false);
+    __privateAdd$4(this, _shutdownTasks, []);
     CALLBACKS.map((signal) => process.on(signal, () => this.shutdown()));
   }
   addShutdownHook(options) {
-    __privateGet$3(this, _shutdownTasks).push(options);
+    __privateGet$4(this, _shutdownTasks).push(options);
   }
   async shutdown() {
-    if (__privateGet$3(this, _isCalled)) {
+    if (__privateGet$4(this, _isCalled)) {
       return;
     }
-    __privateSet$3(this, _isCalled, true);
-    this.logger.info(`Running ${__privateGet$3(this, _shutdownTasks).length} shutdown tasks...`);
+    __privateSet$4(this, _isCalled, true);
+    this.logger.info(`Running ${__privateGet$4(this, _shutdownTasks).length} shutdown tasks...`);
     await Promise.all(
-      __privateGet$3(this, _shutdownTasks).map(async (hook) => {
+      __privateGet$4(this, _shutdownTasks).map(async (hook) => {
+        const { logger = this.logger } = hook;
         try {
           await hook.fn();
-          this.logger.info(`Shutdown hook succeeded`, hook.labels);
+          logger.info(`Shutdown hook succeeded`);
         } catch (error) {
-          this.logger.error(`Shutdown hook failed, ${error}`, hook.labels);
+          logger.error(`Shutdown hook failed, ${error}`);
         }
       })
     );
@@ -69,61 +613,61 @@ const rootLifecycleFactory = backendPluginApi.createServiceFactory({
     logger: backendPluginApi.coreServices.rootLogger
   },
   async factory({ logger }) {
-    return new BackendLifecycleImpl(backendPluginApi.loggerToWinstonLogger(logger));
+    return new BackendLifecycleImpl(logger);
   }
 });
 
-var __accessCheck$2 = (obj, member, msg) => {
+var __accessCheck$3 = (obj, member, msg) => {
   if (!member.has(obj))
     throw TypeError("Cannot " + msg);
 };
-var __privateGet$2 = (obj, member, getter) => {
-  __accessCheck$2(obj, member, "read from private field");
+var __privateGet$3 = (obj, member, getter) => {
+  __accessCheck$3(obj, member, "read from private field");
   return getter ? getter.call(obj) : member.get(obj);
 };
-var __privateAdd$2 = (obj, member, value) => {
+var __privateAdd$3 = (obj, member, value) => {
   if (member.has(obj))
     throw TypeError("Cannot add the same private member more than once");
   member instanceof WeakSet ? member.add(obj) : member.set(obj, value);
 };
-var __privateSet$2 = (obj, member, value, setter) => {
-  __accessCheck$2(obj, member, "write to private field");
+var __privateSet$3 = (obj, member, value, setter) => {
+  __accessCheck$3(obj, member, "write to private field");
   setter ? setter.call(obj, value) : member.set(obj, value);
   return value;
 };
-var __privateMethod$1 = (obj, member, method) => {
-  __accessCheck$2(obj, member, "access private method");
+var __privateMethod$2 = (obj, member, method) => {
+  __accessCheck$3(obj, member, "access private method");
   return method;
 };
 var _started, _features, _registerInits, _extensionPoints, _serviceHolder, _getInitDeps, getInitDeps_fn, _resolveInitOrder, resolveInitOrder_fn;
 class BackendInitializer {
   constructor(serviceHolder) {
-    __privateAdd$2(this, _getInitDeps);
-    __privateAdd$2(this, _resolveInitOrder);
-    __privateAdd$2(this, _started, false);
-    __privateAdd$2(this, _features, /* @__PURE__ */ new Map());
-    __privateAdd$2(this, _registerInits, new Array());
-    __privateAdd$2(this, _extensionPoints, /* @__PURE__ */ new Map());
-    __privateAdd$2(this, _serviceHolder, void 0);
-    __privateSet$2(this, _serviceHolder, serviceHolder);
+    __privateAdd$3(this, _getInitDeps);
+    __privateAdd$3(this, _resolveInitOrder);
+    __privateAdd$3(this, _started, false);
+    __privateAdd$3(this, _features, /* @__PURE__ */ new Map());
+    __privateAdd$3(this, _registerInits, new Array());
+    __privateAdd$3(this, _extensionPoints, /* @__PURE__ */ new Map());
+    __privateAdd$3(this, _serviceHolder, void 0);
+    __privateSet$3(this, _serviceHolder, serviceHolder);
   }
   add(feature, options) {
-    if (__privateGet$2(this, _started)) {
+    if (__privateGet$3(this, _started)) {
       throw new Error("feature can not be added after the backend has started");
     }
-    __privateGet$2(this, _features).set(feature, options);
+    __privateGet$3(this, _features).set(feature, options);
   }
   async start() {
-    if (__privateGet$2(this, _started)) {
+    if (__privateGet$3(this, _started)) {
       throw new Error("Backend has already started");
     }
-    __privateSet$2(this, _started, true);
-    for (const ref of __privateGet$2(this, _serviceHolder).getServiceRefs()) {
+    __privateSet$3(this, _started, true);
+    for (const ref of __privateGet$3(this, _serviceHolder).getServiceRefs()) {
       if (ref.scope === "root") {
-        await __privateGet$2(this, _serviceHolder).get(ref, "root");
+        await __privateGet$3(this, _serviceHolder).get(ref, "root");
       }
     }
-    for (const [feature] of __privateGet$2(this, _features)) {
+    for (const [feature] of __privateGet$3(this, _features)) {
       const provides = /* @__PURE__ */ new Set();
       let registerInit = void 0;
       feature.register({
@@ -131,10 +675,10 @@ class BackendInitializer {
           if (registerInit) {
             throw new Error("registerExtensionPoint called after registerInit");
           }
-          if (__privateGet$2(this, _extensionPoints).has(extensionPointRef)) {
+          if (__privateGet$3(this, _extensionPoints).has(extensionPointRef)) {
             throw new Error(`API ${extensionPointRef.id} already registered`);
           }
-          __privateGet$2(this, _extensionPoints).set(extensionPointRef, impl);
+          __privateGet$3(this, _extensionPoints).set(extensionPointRef, impl);
           provides.add(extensionPointRef);
         },
         registerInit: (registerOptions) => {
@@ -155,19 +699,19 @@ class BackendInitializer {
           `registerInit was not called by register in ${feature.id}`
         );
       }
-      __privateGet$2(this, _registerInits).push(registerInit);
+      __privateGet$3(this, _registerInits).push(registerInit);
     }
-    const orderedRegisterResults = __privateMethod$1(this, _resolveInitOrder, resolveInitOrder_fn).call(this, __privateGet$2(this, _registerInits));
+    const orderedRegisterResults = __privateMethod$2(this, _resolveInitOrder, resolveInitOrder_fn).call(this, __privateGet$3(this, _registerInits));
     for (const registerInit of orderedRegisterResults) {
-      const deps = await __privateMethod$1(this, _getInitDeps, getInitDeps_fn).call(this, registerInit.deps, registerInit.id);
+      const deps = await __privateMethod$2(this, _getInitDeps, getInitDeps_fn).call(this, registerInit.deps, registerInit.id);
       await registerInit.init(deps);
     }
   }
   async stop() {
-    if (!__privateGet$2(this, _started)) {
+    if (!__privateGet$3(this, _started)) {
       return;
     }
-    const lifecycleService = await __privateGet$2(this, _serviceHolder).get(
+    const lifecycleService = await __privateGet$3(this, _serviceHolder).get(
       backendPluginApi.coreServices.rootLifecycle,
       "root"
     );
@@ -188,13 +732,13 @@ getInitDeps_fn = async function(deps, pluginId) {
   const result = /* @__PURE__ */ new Map();
   const missingRefs = /* @__PURE__ */ new Set();
   for (const [name, ref] of Object.entries(deps)) {
-    const extensionPoint = __privateGet$2(this, _extensionPoints).get(
+    const extensionPoint = __privateGet$3(this, _extensionPoints).get(
       ref
     );
     if (extensionPoint) {
       result.set(name, extensionPoint);
     } else {
-      const impl = await __privateGet$2(this, _serviceHolder).get(
+      const impl = await __privateGet$3(this, _serviceHolder).get(
         ref,
         pluginId
       );
@@ -238,59 +782,51 @@ resolveInitOrder_fn = function(registerInits) {
   return orderedRegisterInits;
 };
 
-var __accessCheck$1 = (obj, member, msg) => {
+var __accessCheck$2 = (obj, member, msg) => {
   if (!member.has(obj))
     throw TypeError("Cannot " + msg);
 };
-var __privateGet$1 = (obj, member, getter) => {
-  __accessCheck$1(obj, member, "read from private field");
+var __privateGet$2 = (obj, member, getter) => {
+  __accessCheck$2(obj, member, "read from private field");
   return getter ? getter.call(obj) : member.get(obj);
 };
-var __privateAdd$1 = (obj, member, value) => {
+var __privateAdd$2 = (obj, member, value) => {
   if (member.has(obj))
     throw TypeError("Cannot add the same private member more than once");
   member instanceof WeakSet ? member.add(obj) : member.set(obj, value);
 };
-var __privateSet$1 = (obj, member, value, setter) => {
-  __accessCheck$1(obj, member, "write to private field");
+var __privateSet$2 = (obj, member, value, setter) => {
+  __accessCheck$2(obj, member, "write to private field");
   setter ? setter.call(obj, value) : member.set(obj, value);
   return value;
 };
-var __privateMethod = (obj, member, method) => {
-  __accessCheck$1(obj, member, "access private method");
+var __privateMethod$1 = (obj, member, method) => {
+  __accessCheck$2(obj, member, "access private method");
   return method;
 };
 var _providedFactories, _loadedDefaultFactories, _implementations, _resolveFactory, resolveFactory_fn, _separateMapForTheRootService, _checkForMissingDeps, checkForMissingDeps_fn;
 class ServiceRegistry {
   constructor(factories) {
-    __privateAdd$1(this, _resolveFactory);
-    __privateAdd$1(this, _checkForMissingDeps);
-    __privateAdd$1(this, _providedFactories, void 0);
-    __privateAdd$1(this, _loadedDefaultFactories, void 0);
-    __privateAdd$1(this, _implementations, void 0);
-    __privateAdd$1(this, _separateMapForTheRootService, /* @__PURE__ */ new Map());
-    __privateSet$1(this, _providedFactories, new Map(
-      factories.map((f) => {
-        if (typeof f === "function") {
-          const cf = f();
-          return [cf.service.id, cf];
-        }
-        return [f.service.id, f];
-      })
-    ));
-    __privateSet$1(this, _loadedDefaultFactories, /* @__PURE__ */ new Map());
-    __privateSet$1(this, _implementations, /* @__PURE__ */ new Map());
+    __privateAdd$2(this, _resolveFactory);
+    __privateAdd$2(this, _checkForMissingDeps);
+    __privateAdd$2(this, _providedFactories, void 0);
+    __privateAdd$2(this, _loadedDefaultFactories, void 0);
+    __privateAdd$2(this, _implementations, void 0);
+    __privateAdd$2(this, _separateMapForTheRootService, /* @__PURE__ */ new Map());
+    __privateSet$2(this, _providedFactories, new Map(factories.map((f) => [f.service.id, f])));
+    __privateSet$2(this, _loadedDefaultFactories, /* @__PURE__ */ new Map());
+    __privateSet$2(this, _implementations, /* @__PURE__ */ new Map());
   }
   getServiceRefs() {
-    return Array.from(__privateGet$1(this, _providedFactories).values()).map((f) => f.service);
+    return Array.from(__privateGet$2(this, _providedFactories).values()).map((f) => f.service);
   }
   get(ref, pluginId) {
     var _a;
-    return (_a = __privateMethod(this, _resolveFactory, resolveFactory_fn).call(this, ref, pluginId)) == null ? void 0 : _a.then((factory) => {
+    return (_a = __privateMethod$1(this, _resolveFactory, resolveFactory_fn).call(this, ref, pluginId)) == null ? void 0 : _a.then((factory) => {
       if (factory.scope === "root") {
-        let existing = __privateGet$1(this, _separateMapForTheRootService).get(factory);
+        let existing = __privateGet$2(this, _separateMapForTheRootService).get(factory);
         if (!existing) {
-          __privateMethod(this, _checkForMissingDeps, checkForMissingDeps_fn).call(this, factory, pluginId);
+          __privateMethod$1(this, _checkForMissingDeps, checkForMissingDeps_fn).call(this, factory, pluginId);
           const rootDeps = new Array();
           for (const [name, serviceRef] of Object.entries(factory.deps)) {
             if (serviceRef.scope !== "root") {
@@ -304,13 +840,13 @@ class ServiceRegistry {
           existing = Promise.all(rootDeps).then(
             (entries) => factory.factory(Object.fromEntries(entries))
           );
-          __privateGet$1(this, _separateMapForTheRootService).set(factory, existing);
+          __privateGet$2(this, _separateMapForTheRootService).set(factory, existing);
         }
         return existing;
       }
-      let implementation = __privateGet$1(this, _implementations).get(factory);
+      let implementation = __privateGet$2(this, _implementations).get(factory);
       if (!implementation) {
-        __privateMethod(this, _checkForMissingDeps, checkForMissingDeps_fn).call(this, factory, pluginId);
+        __privateMethod$1(this, _checkForMissingDeps, checkForMissingDeps_fn).call(this, factory, pluginId);
         const rootDeps = new Array();
         for (const [name, serviceRef] of Object.entries(factory.deps)) {
           if (serviceRef.scope === "root") {
@@ -327,7 +863,7 @@ class ServiceRegistry {
           }),
           byPlugin: /* @__PURE__ */ new Map()
         };
-        __privateGet$1(this, _implementations).set(factory, implementation);
+        __privateGet$2(this, _implementations).set(factory, implementation);
       }
       let result = implementation.byPlugin.get(pluginId);
       if (!result) {
@@ -369,18 +905,18 @@ resolveFactory_fn = function(ref, pluginId) {
       })
     });
   }
-  let resolvedFactory = __privateGet$1(this, _providedFactories).get(ref.id);
+  let resolvedFactory = __privateGet$2(this, _providedFactories).get(ref.id);
   const { __defaultFactory: defaultFactory } = ref;
   if (!resolvedFactory && !defaultFactory) {
     return void 0;
   }
   if (!resolvedFactory) {
-    let loadedFactory = __privateGet$1(this, _loadedDefaultFactories).get(defaultFactory);
+    let loadedFactory = __privateGet$2(this, _loadedDefaultFactories).get(defaultFactory);
     if (!loadedFactory) {
       loadedFactory = Promise.resolve().then(() => defaultFactory(ref)).then(
         (f) => typeof f === "function" ? f() : f
       );
-      __privateGet$1(this, _loadedDefaultFactories).set(defaultFactory, loadedFactory);
+      __privateGet$2(this, _loadedDefaultFactories).set(defaultFactory, loadedFactory);
     }
     resolvedFactory = loadedFactory.catch((error) => {
       throw new Error(
@@ -399,7 +935,7 @@ checkForMissingDeps_fn = function(factory, pluginId) {
     if (ref.id === backendPluginApi.coreServices.pluginMetadata.id) {
       return false;
     }
-    if (__privateGet$1(this, _providedFactories).get(ref.id)) {
+    if (__privateGet$2(this, _providedFactories).get(ref.id)) {
       return false;
     }
     return !ref.__defaultFactory;
@@ -412,51 +948,220 @@ checkForMissingDeps_fn = function(factory, pluginId) {
   }
 };
 
-var __accessCheck = (obj, member, msg) => {
+var __accessCheck$1 = (obj, member, msg) => {
   if (!member.has(obj))
     throw TypeError("Cannot " + msg);
 };
-var __privateGet = (obj, member, getter) => {
-  __accessCheck(obj, member, "read from private field");
+var __privateGet$1 = (obj, member, getter) => {
+  __accessCheck$1(obj, member, "read from private field");
   return getter ? getter.call(obj) : member.get(obj);
 };
-var __privateAdd = (obj, member, value) => {
+var __privateAdd$1 = (obj, member, value) => {
   if (member.has(obj))
     throw TypeError("Cannot add the same private member more than once");
   member instanceof WeakSet ? member.add(obj) : member.set(obj, value);
 };
-var __privateSet = (obj, member, value, setter) => {
-  __accessCheck(obj, member, "write to private field");
+var __privateSet$1 = (obj, member, value, setter) => {
+  __accessCheck$1(obj, member, "write to private field");
   setter ? setter.call(obj, value) : member.set(obj, value);
   return value;
 };
 var _services, _initializer;
 class BackstageBackend {
   constructor(apiFactories) {
-    __privateAdd(this, _services, void 0);
-    __privateAdd(this, _initializer, void 0);
-    __privateSet(this, _services, new ServiceRegistry(apiFactories));
-    __privateSet(this, _initializer, new BackendInitializer(__privateGet(this, _services)));
+    __privateAdd$1(this, _services, void 0);
+    __privateAdd$1(this, _initializer, void 0);
+    __privateSet$1(this, _services, new ServiceRegistry(apiFactories));
+    __privateSet$1(this, _initializer, new BackendInitializer(__privateGet$1(this, _services)));
   }
   add(feature) {
-    __privateGet(this, _initializer).add(feature);
+    __privateGet$1(this, _initializer).add(feature);
   }
   async start() {
-    await __privateGet(this, _initializer).start();
+    await __privateGet$1(this, _initializer).start();
   }
   async stop() {
-    await __privateGet(this, _initializer).stop();
+    await __privateGet$1(this, _initializer).stop();
   }
 }
 _services = new WeakMap();
 _initializer = new WeakMap();
 
 function createSpecializedBackend(options) {
-  return new BackstageBackend(
-    options.services.map((s) => typeof s === "function" ? s() : s)
+  const services = options.services.map(
+    (sf) => typeof sf === "function" ? sf() : sf
   );
+  const exists = /* @__PURE__ */ new Set();
+  const duplicates = /* @__PURE__ */ new Set();
+  for (const { service } of services) {
+    if (exists.has(service.id)) {
+      duplicates.add(service.id);
+    } else {
+      exists.add(service.id);
+    }
+  }
+  if (duplicates.size > 0) {
+    const ids = Array.from(duplicates).join(", ");
+    throw new Error(`Duplicate service implementations provided for ${ids}`);
+  }
+  if (exists.has(backendPluginApi.coreServices.pluginMetadata.id)) {
+    throw new Error(
+      `The ${backendPluginApi.coreServices.pluginMetadata.id} service cannot be overridden`
+    );
+  }
+  return new BackstageBackend(services);
 }
 
+const httpRouterFactory = backendPluginApi.createServiceFactory({
+  service: backendPluginApi.coreServices.httpRouter,
+  deps: {
+    plugin: backendPluginApi.coreServices.pluginMetadata,
+    rootHttpRouter: backendPluginApi.coreServices.rootHttpRouter
+  },
+  async factory({ rootHttpRouter }, options) {
+    var _a;
+    const getPath = (_a = options == null ? void 0 : options.getPath) != null ? _a : (id) => `/api/${id}`;
+    return async ({ plugin }) => {
+      const path = getPath(plugin.getId());
+      return {
+        use(handler) {
+          rootHttpRouter.use(path, handler);
+        }
+      };
+    };
+  }
+});
+
+var __accessCheck = (obj, member, msg) => {
+  if (!member.has(obj))
+    throw TypeError("Cannot " + msg);
+};
+var __privateGet = (obj, member, getter) => {
+  __accessCheck(obj, member, "read from private field");
+  return getter ? getter.call(obj) : member.get(obj);
+};
+var __privateAdd = (obj, member, value) => {
+  if (member.has(obj))
+    throw TypeError("Cannot add the same private member more than once");
+  member instanceof WeakSet ? member.add(obj) : member.set(obj, value);
+};
+var __privateSet = (obj, member, value, setter) => {
+  __accessCheck(obj, member, "write to private field");
+  setter ? setter.call(obj, value) : member.set(obj, value);
+  return value;
+};
+var __privateMethod = (obj, member, method) => {
+  __accessCheck(obj, member, "access private method");
+  return method;
+};
+var _indexPath, _router, _namedRoutes, _indexRouter, _existingPaths, _findConflictingPath, findConflictingPath_fn;
+function normalizePath(path) {
+  return path.replace(/\/*$/, "/");
+}
+class RestrictedIndexedRouter {
+  constructor(indexPath) {
+    __privateAdd(this, _findConflictingPath);
+    __privateAdd(this, _indexPath, void 0);
+    __privateAdd(this, _router, express.Router());
+    __privateAdd(this, _namedRoutes, express.Router());
+    __privateAdd(this, _indexRouter, express.Router());
+    __privateAdd(this, _existingPaths, new Array());
+    __privateSet(this, _indexPath, indexPath);
+    __privateGet(this, _router).use(__privateGet(this, _namedRoutes));
+    __privateGet(this, _router).use(__privateGet(this, _indexRouter));
+  }
+  use(path, handler) {
+    if (path.match(/^[/\s]*$/)) {
+      throw new Error(`Root router path may not be empty`);
+    }
+    const conflictingPath = __privateMethod(this, _findConflictingPath, findConflictingPath_fn).call(this, path);
+    if (conflictingPath) {
+      throw new Error(
+        `Path ${path} conflicts with the existing path ${conflictingPath}`
+      );
+    }
+    __privateGet(this, _existingPaths).push(path);
+    __privateGet(this, _namedRoutes).use(path, handler);
+    if (__privateGet(this, _indexPath) === path) {
+      __privateGet(this, _indexRouter).use(handler);
+    }
+  }
+  handler() {
+    return __privateGet(this, _router);
+  }
+}
+_indexPath = new WeakMap();
+_router = new WeakMap();
+_namedRoutes = new WeakMap();
+_indexRouter = new WeakMap();
+_existingPaths = new WeakMap();
+_findConflictingPath = new WeakSet();
+findConflictingPath_fn = function(newPath) {
+  const normalizedNewPath = normalizePath(newPath);
+  for (const path of __privateGet(this, _existingPaths)) {
+    const normalizedPath = normalizePath(path);
+    if (normalizedPath.startsWith(normalizedNewPath)) {
+      return path;
+    }
+    if (normalizedNewPath.startsWith(normalizedPath)) {
+      return path;
+    }
+  }
+  return void 0;
+};
+
+function defaultConfigure({
+  app,
+  routes,
+  middleware
+}) {
+  app.use(middleware.helmet());
+  app.use(middleware.cors());
+  app.use(middleware.compression());
+  app.use(middleware.logging());
+  app.use(routes);
+  app.use(middleware.notFound());
+  app.use(middleware.error());
+}
+const rootHttpRouterFactory = backendPluginApi.createServiceFactory({
+  service: backendPluginApi.coreServices.rootHttpRouter,
+  deps: {
+    config: backendPluginApi.coreServices.config,
+    rootLogger: backendPluginApi.coreServices.rootLogger,
+    lifecycle: backendPluginApi.coreServices.rootLifecycle
+  },
+  async factory({ config, rootLogger, lifecycle }, {
+    indexPath,
+    configure = defaultConfigure
+  } = {}) {
+    const router = new RestrictedIndexedRouter(indexPath != null ? indexPath : "/api/app");
+    const logger = rootLogger.child({ service: "rootHttpRouter" });
+    const app = express__default["default"]();
+    const middleware = MiddlewareFactory.create({ config, logger });
+    configure({
+      app,
+      routes: router.handler(),
+      middleware,
+      config,
+      logger,
+      lifecycle
+    });
+    const server = await createHttpServer(
+      app,
+      readHttpServerOptions(config.getOptionalConfig("backend")),
+      { logger }
+    );
+    lifecycle.addShutdownHook({
+      async fn() {
+        await server.stop();
+      },
+      logger
+    });
+    await server.start();
+    return router;
+  }
+});
+
 const cacheFactory = backendPluginApi.createServiceFactory({
   service: backendPluginApi.coreServices.cache,
   deps: {
@@ -479,7 +1184,7 @@ const configFactory = backendPluginApi.createServiceFactory({
   async factory({ logger }) {
     const config = await backendCommon.loadBackendConfig({
       argv: process.argv,
-      logger: backendPluginApi.loggerToWinstonLogger(logger)
+      logger: backendCommon.loggerToWinstonLogger(logger)
     });
     return config;
   }
@@ -520,7 +1225,7 @@ const loggerFactory = backendPluginApi.createServiceFactory({
   },
   async factory({ rootLogger }) {
     return async ({ plugin }) => {
-      return rootLogger.child({ pluginId: plugin.getId() });
+      return rootLogger.child({ plugin: plugin.getId() });
     };
   }
 });
@@ -596,7 +1301,7 @@ const tokenManagerFactory = backendPluginApi.createServiceFactory({
   async factory() {
     return async ({ config, logger }) => {
       return backendCommon.ServerTokenManager.fromConfig(config, {
-        logger: backendPluginApi.loggerToWinstonLogger(logger)
+        logger: backendCommon.loggerToWinstonLogger(logger)
       });
     };
   }
@@ -612,54 +1317,28 @@ const urlReaderFactory = backendPluginApi.createServiceFactory({
     return async ({ config, logger }) => {
       return backendCommon.UrlReaders.default({
         config,
-        logger: backendPluginApi.loggerToWinstonLogger(logger)
+        logger: backendCommon.loggerToWinstonLogger(logger)
       });
     };
   }
 });
 
-const httpRouterFactory = backendPluginApi.createServiceFactory({
-  service: backendPluginApi.coreServices.httpRouter,
-  deps: {
-    config: backendPluginApi.coreServices.config,
-    plugin: backendPluginApi.coreServices.pluginMetadata
-  },
-  async factory({ config }, options) {
-    var _a;
-    const defaultPluginId = (_a = options == null ? void 0 : options.indexPlugin) != null ? _a : "app";
-    const apiRouter = Router__default["default"]();
-    const rootRouter = Router__default["default"]();
-    const service = backendCommon.createServiceBuilder(module).loadConfig(config).addRouter("/api", apiRouter).addRouter("", rootRouter);
-    await service.start();
-    return async ({ plugin }) => {
-      const pluginId = plugin.getId();
-      return {
-        use(handler) {
-          if (pluginId === defaultPluginId) {
-            rootRouter.use(handler);
-          } else {
-            apiRouter.use(`/${pluginId}`, handler);
-          }
-        }
-      };
-    };
-  }
-});
-
 const lifecycleFactory = backendPluginApi.createServiceFactory({
   service: backendPluginApi.coreServices.lifecycle,
   deps: {
+    logger: backendPluginApi.coreServices.logger,
     rootLifecycle: backendPluginApi.coreServices.rootLifecycle,
     pluginMetadata: backendPluginApi.coreServices.pluginMetadata
   },
   async factory({ rootLifecycle }) {
-    return async ({ pluginMetadata }) => {
+    return async ({ logger, pluginMetadata }) => {
       const plugin = pluginMetadata.getId();
       return {
         addShutdownHook(options) {
+          var _a, _b;
           rootLifecycle.addShutdownHook({
             ...options,
-            labels: { ...options == null ? void 0 : options.labels, plugin }
+            logger: (_b = (_a = options.logger) == null ? void 0 : _a.child({ plugin })) != null ? _b : logger
           });
         }
       };
@@ -667,8 +1346,10 @@ const lifecycleFactory = backendPluginApi.createServiceFactory({
   }
 });
 
+exports.MiddlewareFactory = MiddlewareFactory;
 exports.cacheFactory = cacheFactory;
 exports.configFactory = configFactory;
+exports.createHttpServer = createHttpServer;
 exports.createSpecializedBackend = createSpecializedBackend;
 exports.databaseFactory = databaseFactory;
 exports.discoveryFactory = discoveryFactory;
@@ -676,6 +1357,10 @@ exports.httpRouterFactory = httpRouterFactory;
 exports.lifecycleFactory = lifecycleFactory;
 exports.loggerFactory = loggerFactory;
 exports.permissionsFactory = permissionsFactory;
+exports.readCorsOptions = readCorsOptions;
+exports.readHelmetOptions = readHelmetOptions;
+exports.readHttpServerOptions = readHttpServerOptions;
+exports.rootHttpRouterFactory = rootHttpRouterFactory;
 exports.rootLifecycleFactory = rootLifecycleFactory;
 exports.rootLoggerFactory = rootLoggerFactory;
 exports.schedulerFactory = schedulerFactory;