npm - @backstage/backend-app-api - Versions diffs - 0.6.3-next.0 → 0.7.0 - Mend

@backstage/backend-app-api 0.6.3-next.0 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/CHANGELOG.md +70 -0
package/alpha/package.json +1 -1
package/config.d.ts +100 -0
package/dist/index.cjs.js +1017 -274
package/dist/index.cjs.js.map +1 -1
package/dist/index.d.ts +2 -2
package/migrations/20240327104803_public_keys.js +50 -0
package/package.json +19 -14

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,75 @@
 # @backstage/backend-app-api
+## 0.7.0
+### Minor Changes
+- 3256f14: **BREAKING**: Modules are no longer loaded unless the plugin that they extend is present.
+### Patch Changes
+- 10327fb: Deprecate the `getPath` option for the `httpRouterServiceFactory` and more generally the ability to configure plugin API paths to be anything else than `/api/:pluginId/`. Requests towards `/api/*` that do not match an installed plugin will also no longer be handled by the index router, typically instead returning a 404.
+- 2c50516: Fix auth cookie issuance for split backend deployments by preferring to set it against the request target host instead of origin
+- 7e584d6: Fixed a bug where expired cookies would not be refreshed.
+- 1a20b12: Make the auth service create and validate dedicated OBO tokens, containing the user identity proof.
+- 00fca28: Implemented support for external access using both the legacy token form and static tokens.
+- d5a1fe1: Replaced winston logger with `LoggerService`
+- bce0879: Service-to-service authentication has been improved.
+  Each plugin now has the capability to generate its own signing keys for token issuance. The generated public keys are stored in a database, and they are made accessible through a newly created endpoint: `/.backstage/auth/v1/jwks.json`.
+  `AuthService` can now issue tokens with a reduced scope using the `getPluginRequestToken` method. This improvement enables plugins to identify the plugin originating the request.
+- 54f2ac8: Added `initialization` option to `createServiceFactory` which defines the initialization strategy for the service. The default strategy mimics the current behavior where plugin scoped services are initialized lazily by default and root scoped services are initialized eagerly.
+- 56f81b5: Improved error message thrown by `AuthService` when requesting a token for plugins that don't support the new authentication tokens.
+- 25ea3d2: Minor internal restructuring
+- d62bc51: Add support for limited user tokens by using user identity proof provided by the auth backend.
+- c884b9a: Automatically creates a get and delete cookie endpoint when a `user-cookie` policy is added.
+- Updated dependencies
+  - @backstage/backend-common@0.21.7
+  - @backstage/config-loader@1.8.0
+  - @backstage/plugin-permission-node@0.7.28
+  - @backstage/backend-plugin-api@0.6.17
+  - @backstage/backend-tasks@0.5.22
+  - @backstage/plugin-auth-node@0.4.12
+  - @backstage/cli-node@0.2.5
+  - @backstage/cli-common@0.1.13
+  - @backstage/config@1.2.0
+  - @backstage/errors@1.2.4
+  - @backstage/types@1.1.1
+## 0.7.0-next.1
+### Minor Changes
+- 3256f14: **BREAKING**: Modules are no longer loaded unless the plugin that they extend is present.
+### Patch Changes
+- 10327fb: Deprecate the `getPath` option for the `httpRouterServiceFactory` and more generally the ability to configure plugin API paths to be anything else than `/api/:pluginId/`. Requests towards `/api/*` that do not match an installed plugin will also no longer be handled by the index router, typically instead returning a 404.
+- 1a20b12: Make the auth service create and validate dedicated OBO tokens, containing the user identity proof.
+- bce0879: Service-to-service authentication has been improved.
+  Each plugin now has the capability to generate its own signing keys for token issuance. The generated public keys are stored in a database, and they are made accessible through a newly created endpoint: `/.backstage/auth/v1/jwks.json`.
+  `AuthService` can now issue tokens with a reduced scope using the `getPluginRequestToken` method. This improvement enables plugins to identify the plugin originating the request.
+- 54f2ac8: Added `initialization` option to `createServiceFactory` which defines the initialization strategy for the service. The default strategy mimics the current behavior where plugin scoped services are initialized lazily by default and root scoped services are initialized eagerly.
+- d62bc51: Add support for limited user tokens by using user identity proof provided by the auth backend.
+- c884b9a: Automatically creates a get and delete cookie endpoint when a `user-cookie` policy is added.
+- Updated dependencies
+  - @backstage/backend-common@0.21.7-next.1
+  - @backstage/backend-plugin-api@0.6.17-next.1
+  - @backstage/plugin-auth-node@0.4.12-next.1
+  - @backstage/backend-tasks@0.5.22-next.1
+  - @backstage/plugin-permission-node@0.7.28-next.1
+  - @backstage/cli-common@0.1.13
+  - @backstage/cli-node@0.2.4
+  - @backstage/config@1.2.0
+  - @backstage/config-loader@1.8.0-next.0
+  - @backstage/errors@1.2.4
+  - @backstage/types@1.1.1
 ## 0.6.3-next.0
 ### Patch Changes

package/alpha/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@backstage/backend-app-api",
-  "version": "0.6.3-next.0",
+  "version": "0.7.0",
   "main": "../dist/alpha.cjs.js",
   "types": "../dist/alpha.d.ts"
 }

package/config.d.ts CHANGED Viewed

@@ -32,6 +32,106 @@ export interface Config {
        * unless you configure credentials for service calls.
        */
       dangerouslyDisableDefaultAuthPolicy?: boolean;
+      /**
+       * Configures methods of external access, ie ways for callers outside of
+       * the Backstage ecosystem to get authorized for access to APIs that do
+       * not permit unauthorized access.
+       */
+      externalAccess: Array<
+        | {
+            /**
+             * This is the legacy service-to-service access method, where a set
+             * of static keys were shared among plugins and used for symmetric
+             * signing and verification. These correspond to the old
+             * `backend.auth.keys` set and retain their behavior for backwards
+             * compatibility. Please migrate to other access methods when
+             * possible.
+             *
+             * Callers generate JWT tokens with the following payload:
+             *
+             * ```json
+             * {
+             *   "sub": "backstage-plugin",
+             *   "exp": <epoch seconds one hour in the future>
+             * }
+             * ```
+             *
+             * And sign them with HS256, using the base64 decoded secret. The
+             * tokens are then passed along with requests in the Authorization
+             * header:
+             *
+             * ```
+             * Authorization: Bearer eyJhbGciOiJIUzI...
+             * ```
+             */
+            type: 'legacy';
+            options: {
+              /**
+               * Any set of base64 encoded random bytes to be used as both the
+               * signing and verification key. Should be sufficiently long so as
+               * not to be easy to guess by brute force.
+               *
+               * Can be generated eg using
+               *
+               * ```sh
+               * node -p 'require("crypto").randomBytes(24).toString("base64")'
+               * ```
+               *
+               * @visibility secret
+               */
+              secret: string;
+              /**
+               * Sets the subject of the principal, when matching this token.
+               * Useful for debugging and tracking purposes.
+               */
+              subject: string;
+            };
+          }
+        | {
+            /**
+             * This access method consists of random static tokens that can be
+             * handed out to callers.
+             *
+             * The tokens are then passed along verbatim with requests in the
+             * Authorization header:
+             *
+             * ```
+             * Authorization: Bearer eZv5o+fW3KnR3kVabMW4ZcDNLPl8nmMW
+             * ```
+             */
+            type: 'static';
+            options: {
+              /**
+               * A raw token that can be any string, but for security reasons
+               * should be sufficiently long so as not to be easy to guess by
+               * brute force.
+               *
+               * Can be generated eg using
+               *
+               * ```sh
+               * node -p 'require("crypto").randomBytes(24).toString("base64")'
+               * ```
+               *
+               * Since the tokens can be any string, you are free to add
+               * additional identifying data to them if you like. For example,
+               * adding a `freben-local-dev-` prefix for debugging purposes to a
+               * token that you know will be handed out for use as a personal
+               * access token during development.
+               *
+               * @visibility secret
+               */
+              token: string;
+              /**
+               * Sets the subject of the principal, when matching this token.
+               * Useful for debugging and tracking purposes.
+               */
+              subject: string;
+            };
+          }
+      >;
     };
   };