@backstage/backend-defaults 0.3.0-next.2 → 0.3.0

package/dist/auth.cjs.js

@@ -0,0 +1,1025 @@
+'use strict';
+
+var backendPluginApi = require('@backstage/backend-plugin-api');
+var errors = require('@backstage/errors');
+var jose = require('jose');
+var helpers = require('./cjs/helpers-D2f1CG0o.cjs.js');
+var pluginAuthNode = require('@backstage/plugin-auth-node');
+var types = require('@backstage/types');
+var uuid = require('uuid');
+var luxon = require('luxon');
+var fs = require('fs');
+
+class DefaultAuthService {
+  constructor(userTokenHandler, pluginTokenHandler, externalTokenHandler, tokenManager, pluginId, disableDefaultAuthPolicy, pluginKeySource) {
+    this.userTokenHandler = userTokenHandler;
+    this.pluginTokenHandler = pluginTokenHandler;
+    this.externalTokenHandler = externalTokenHandler;
+    this.tokenManager = tokenManager;
+    this.pluginId = pluginId;
+    this.disableDefaultAuthPolicy = disableDefaultAuthPolicy;
+    this.pluginKeySource = pluginKeySource;
+  }
+  async authenticate(token, options) {
+    const pluginResult = await this.pluginTokenHandler.verifyToken(token);
+    if (pluginResult) {
+      if (pluginResult.limitedUserToken) {
+        const userResult2 = await this.userTokenHandler.verifyToken(
+          pluginResult.limitedUserToken
+        );
+        if (!userResult2) {
+          throw new errors.AuthenticationError(
+            "Invalid user token in plugin token obo claim"
+          );
+        }
+        return helpers.createCredentialsWithUserPrincipal(
+          userResult2.userEntityRef,
+          pluginResult.limitedUserToken,
+          this.#getJwtExpiration(pluginResult.limitedUserToken)
+        );
+      }
+      return helpers.createCredentialsWithServicePrincipal(pluginResult.subject);
+    }
+    const userResult = await this.userTokenHandler.verifyToken(token);
+    if (userResult) {
+      if (!options?.allowLimitedAccess && this.userTokenHandler.isLimitedUserToken(token)) {
+        throw new errors.AuthenticationError("Illegal limited user token");
+      }
+      return helpers.createCredentialsWithUserPrincipal(
+        userResult.userEntityRef,
+        token,
+        this.#getJwtExpiration(token)
+      );
+    }
+    const externalResult = await this.externalTokenHandler.verifyToken(token);
+    if (externalResult) {
+      return helpers.createCredentialsWithServicePrincipal(
+        externalResult.subject,
+        void 0,
+        externalResult.accessRestrictions
+      );
+    }
+    throw new errors.AuthenticationError("Illegal token");
+  }
+  isPrincipal(credentials, type) {
+    const principal = credentials.principal;
+    if (type === "unknown") {
+      return true;
+    }
+    if (principal.type !== type) {
+      return false;
+    }
+    return true;
+  }
+  async getNoneCredentials() {
+    return helpers.createCredentialsWithNonePrincipal();
+  }
+  async getOwnServiceCredentials() {
+    return helpers.createCredentialsWithServicePrincipal(`plugin:${this.pluginId}`);
+  }
+  async getPluginRequestToken(options) {
+    const { targetPluginId } = options;
+    const internalForward = helpers.toInternalBackstageCredentials(options.onBehalfOf);
+    const { type } = internalForward.principal;
+    if (type === "none" && this.disableDefaultAuthPolicy) {
+      return { token: "" };
+    }
+    const targetSupportsNewAuth = await this.pluginTokenHandler.isTargetPluginSupported(targetPluginId);
+    switch (type) {
+      case "service":
+        if (targetSupportsNewAuth) {
+          return this.pluginTokenHandler.issueToken({
+            pluginId: this.pluginId,
+            targetPluginId
+          });
+        }
+        return this.tokenManager.getToken().catch((error) => {
+          throw new errors.ForwardedError(
+            `Unable to generate legacy token for communication with the '${targetPluginId}' plugin. You will typically encounter this error when attempting to call a plugin that does not exist, or is deployed with an old version of Backstage`,
+            error
+          );
+        });
+      case "user": {
+        const { token } = internalForward;
+        if (!token) {
+          throw new Error("User credentials is unexpectedly missing token");
+        }
+        if (targetSupportsNewAuth) {
+          const onBehalfOf = await this.userTokenHandler.createLimitedUserToken(
+            token
+          );
+          return this.pluginTokenHandler.issueToken({
+            pluginId: this.pluginId,
+            targetPluginId,
+            onBehalfOf
+          });
+        }
+        if (this.userTokenHandler.isLimitedUserToken(token)) {
+          throw new errors.AuthenticationError(
+            `Unable to call '${targetPluginId}' plugin on behalf of user, because the target plugin does not support on-behalf-of tokens or the plugin doesn't exist`
+          );
+        }
+        return { token };
+      }
+      default:
+        throw new errors.AuthenticationError(
+          `Refused to issue service token for credential type '${type}'`
+        );
+    }
+  }
+  async getLimitedUserToken(credentials) {
+    const { token: backstageToken } = helpers.toInternalBackstageCredentials(credentials);
+    if (!backstageToken) {
+      throw new errors.AuthenticationError(
+        "User credentials is unexpectedly missing token"
+      );
+    }
+    return this.userTokenHandler.createLimitedUserToken(backstageToken);
+  }
+  async listPublicServiceKeys() {
+    const { keys } = await this.pluginKeySource.listKeys();
+    return { keys: keys.map(({ key }) => key) };
+  }
+  #getJwtExpiration(token) {
+    const { exp } = jose.decodeJwt(token);
+    if (!exp) {
+      throw new errors.AuthenticationError("User token is missing expiration");
+    }
+    return new Date(exp * 1e3);
+  }
+}
+
+function readAccessRestrictionsFromConfig(externalAccessEntryConfig) {
+  const configs = externalAccessEntryConfig.getOptionalConfigArray("accessRestrictions") ?? [];
+  const result = /* @__PURE__ */ new Map();
+  for (const config of configs) {
+    const validKeys = ["plugin", "permission", "permissionAttribute"];
+    for (const key of config.keys()) {
+      if (!validKeys.includes(key)) {
+        const valid = validKeys.map((k) => `'${k}'`).join(", ");
+        throw new Error(
+          `Invalid key '${key}' in 'accessRestrictions' config, expected one of ${valid}`
+        );
+      }
+    }
+    const pluginId = config.getString("plugin");
+    const permissionNames = readPermissionNames(config);
+    const permissionAttributes = readPermissionAttributes(config);
+    if (result.has(pluginId)) {
+      throw new Error(
+        `Attempted to declare 'accessRestrictions' twice for plugin '${pluginId}', which is not permitted`
+      );
+    }
+    result.set(pluginId, {
+      ...permissionNames ? { permissionNames } : {},
+      ...permissionAttributes ? { permissionAttributes } : {}
+    });
+  }
+  return result.size ? result : void 0;
+}
+function readStringOrStringArrayFromConfig(root, key, validValues) {
+  if (!root.has(key)) {
+    return void 0;
+  }
+  const rawValues = Array.isArray(root.get(key)) ? root.getStringArray(key) : [root.getString(key)];
+  const values = [
+    ...new Set(
+      rawValues.map((v) => v.split(/[ ,]/)).flat().filter(Boolean)
+    )
+  ];
+  if (!values.length) {
+    return void 0;
+  }
+  if (validValues?.length) {
+    for (const value of values) {
+      if (!validValues.includes(value)) {
+        const valid = validValues.map((k) => `'${k}'`).join(", ");
+        throw new Error(
+          `Invalid value '${value}' at '${key}' in 'permissionAttributes' config, valid values are ${valid}`
+        );
+      }
+    }
+  }
+  return values;
+}
+function readPermissionNames(externalAccessEntryConfig) {
+  return readStringOrStringArrayFromConfig(
+    externalAccessEntryConfig,
+    "permission"
+  );
+}
+function readPermissionAttributes(externalAccessEntryConfig) {
+  const config = externalAccessEntryConfig.getOptionalConfig(
+    "permissionAttribute"
+  );
+  if (!config) {
+    return void 0;
+  }
+  const validKeys = ["action"];
+  for (const key of config.keys()) {
+    if (!validKeys.includes(key)) {
+      const valid = validKeys.map((k) => `'${k}'`).join(", ");
+      throw new Error(
+        `Invalid key '${key}' in 'permissionAttribute' config, expected ${valid}`
+      );
+    }
+  }
+  const action = readStringOrStringArrayFromConfig(config, "action", [
+    "create",
+    "read",
+    "update",
+    "delete"
+  ]);
+  const result = {
+    ...action ? { action } : {}
+  };
+  return Object.keys(result).length ? result : void 0;
+}
+
+class LegacyTokenHandler {
+  #entries = new Array();
+  add(config) {
+    const allAccessRestrictions = readAccessRestrictionsFromConfig(config);
+    this.#doAdd(
+      config.getString("options.secret"),
+      config.getString("options.subject"),
+      allAccessRestrictions
+    );
+  }
+  // used only for the old backend.auth.keys array
+  addOld(config) {
+    this.#doAdd(config.getString("secret"), "external:backstage-plugin");
+  }
+  #doAdd(secret, subject, allAccessRestrictions) {
+    if (!secret.match(/^\S+$/)) {
+      throw new Error("Illegal secret, must be a valid base64 string");
+    } else if (!subject.match(/^\S+$/)) {
+      throw new Error("Illegal subject, must be a set of non-space characters");
+    }
+    let key;
+    try {
+      key = jose.base64url.decode(secret);
+    } catch {
+      throw new Error("Illegal secret, must be a valid base64 string");
+    }
+    if (this.#entries.some((e) => e.key === key)) {
+      throw new Error(
+        "Legacy externalAccess token was declared more than once"
+      );
+    }
+    this.#entries.push({
+      key,
+      result: {
+        subject,
+        allAccessRestrictions
+      }
+    });
+  }
+  async verifyToken(token) {
+    try {
+      const { alg } = jose.decodeProtectedHeader(token);
+      if (alg !== "HS256") {
+        return void 0;
+      }
+      const { sub, aud } = jose.decodeJwt(token);
+      if (sub !== "backstage-server" || aud) {
+        return void 0;
+      }
+    } catch (e) {
+      return void 0;
+    }
+    for (const { key, result } of this.#entries) {
+      try {
+        await jose.jwtVerify(token, key);
+        return result;
+      } catch (e) {
+        if (e.code !== "ERR_JWS_SIGNATURE_VERIFICATION_FAILED") {
+          throw e;
+        }
+      }
+    }
+    return void 0;
+  }
+}
+
+const MIN_TOKEN_LENGTH = 8;
+class StaticTokenHandler {
+  #entries = /* @__PURE__ */ new Map();
+  add(config) {
+    const token = config.getString("options.token");
+    const subject = config.getString("options.subject");
+    const allAccessRestrictions = readAccessRestrictionsFromConfig(config);
+    if (!token.match(/^\S+$/)) {
+      throw new Error("Illegal token, must be a set of non-space characters");
+    } else if (token.length < MIN_TOKEN_LENGTH) {
+      throw new Error(
+        `Illegal token, must be at least ${MIN_TOKEN_LENGTH} characters length`
+      );
+    } else if (!subject.match(/^\S+$/)) {
+      throw new Error("Illegal subject, must be a set of non-space characters");
+    } else if (this.#entries.has(token)) {
+      throw new Error(
+        "Static externalAccess token was declared more than once"
+      );
+    }
+    this.#entries.set(token, { subject, allAccessRestrictions });
+  }
+  async verifyToken(token) {
+    return this.#entries.get(token);
+  }
+}
+
+class JWKSHandler {
+  #entries = [];
+  add(config) {
+    if (!config.getString("options.url").match(/^\S+$/)) {
+      throw new Error(
+        "Illegal JWKS URL, must be a set of non-space characters"
+      );
+    }
+    const algorithms = readStringOrStringArrayFromConfig(
+      config,
+      "options.algorithm"
+    );
+    const issuers = readStringOrStringArrayFromConfig(config, "options.issuer");
+    const audiences = readStringOrStringArrayFromConfig(
+      config,
+      "options.audience"
+    );
+    const subjectPrefix = config.getOptionalString("options.subjectPrefix");
+    const url = new URL(config.getString("options.url"));
+    const jwks = jose.createRemoteJWKSet(url);
+    const allAccessRestrictions = readAccessRestrictionsFromConfig(config);
+    this.#entries.push({
+      algorithms,
+      audiences,
+      issuers,
+      jwks,
+      subjectPrefix,
+      url,
+      allAccessRestrictions
+    });
+  }
+  async verifyToken(token) {
+    for (const entry of this.#entries) {
+      try {
+        const {
+          payload: { sub }
+        } = await jose.jwtVerify(token, entry.jwks, {
+          algorithms: entry.algorithms,
+          issuer: entry.issuers,
+          audience: entry.audiences
+        });
+        if (sub) {
+          const prefix = entry.subjectPrefix ? `external:${entry.subjectPrefix}:` : "external:";
+          return {
+            subject: `${prefix}${sub}`,
+            allAccessRestrictions: entry.allAccessRestrictions
+          };
+        }
+      } catch {
+        continue;
+      }
+    }
+    return void 0;
+  }
+}
+
+const NEW_CONFIG_KEY = "backend.auth.externalAccess";
+const OLD_CONFIG_KEY = "backend.auth.keys";
+let loggedDeprecationWarning = false;
+class ExternalTokenHandler {
+  constructor(ownPluginId, handlers) {
+    this.ownPluginId = ownPluginId;
+    this.handlers = handlers;
+  }
+  static create(options) {
+    const { ownPluginId, config, logger } = options;
+    const staticHandler = new StaticTokenHandler();
+    const legacyHandler = new LegacyTokenHandler();
+    const jwksHandler = new JWKSHandler();
+    const handlers = {
+      static: staticHandler,
+      legacy: legacyHandler,
+      jwks: jwksHandler
+    };
+    const handlerConfigs = config.getOptionalConfigArray(NEW_CONFIG_KEY) ?? [];
+    for (const handlerConfig of handlerConfigs) {
+      const type = handlerConfig.getString("type");
+      const handler = handlers[type];
+      if (!handler) {
+        const valid = Object.keys(handlers).map((k) => `'${k}'`).join(", ");
+        throw new Error(
+          `Unknown type '${type}' in ${NEW_CONFIG_KEY}, expected one of ${valid}`
+        );
+      }
+      handler.add(handlerConfig);
+    }
+    const legacyConfigs = config.getOptionalConfigArray(OLD_CONFIG_KEY) ?? [];
+    if (legacyConfigs.length && !loggedDeprecationWarning) {
+      loggedDeprecationWarning = true;
+      logger.warn(
+        `DEPRECATION WARNING: The ${OLD_CONFIG_KEY} config has been replaced by ${NEW_CONFIG_KEY}, see https://backstage.io/docs/auth/service-to-service-auth`
+      );
+    }
+    for (const handlerConfig of legacyConfigs) {
+      legacyHandler.addOld(handlerConfig);
+    }
+    return new ExternalTokenHandler(ownPluginId, Object.values(handlers));
+  }
+  async verifyToken(token) {
+    for (const handler of this.handlers) {
+      const result = await handler.verifyToken(token);
+      if (result) {
+        const { allAccessRestrictions, ...rest } = result;
+        if (allAccessRestrictions) {
+          const accessRestrictions = allAccessRestrictions.get(
+            this.ownPluginId
+          );
+          if (!accessRestrictions) {
+            const valid = [...allAccessRestrictions.keys()].map((k) => `'${k}'`).join(", ");
+            throw new errors.NotAllowedError(
+              `This token's access is restricted to plugin(s) ${valid}`
+            );
+          }
+          return {
+            ...rest,
+            accessRestrictions
+          };
+        }
+        return rest;
+      }
+    }
+    return void 0;
+  }
+}
+
+const CLOCK_MARGIN_S = 10;
+class JwksClient {
+  constructor(getEndpoint) {
+    this.getEndpoint = getEndpoint;
+  }
+  #keyStore;
+  #keyStoreUpdated = 0;
+  get getKey() {
+    if (!this.#keyStore) {
+      throw new errors.AuthenticationError(
+        "refreshKeyStore must be called before jwksClient.getKey"
+      );
+    }
+    return this.#keyStore;
+  }
+  /**
+   * If the last keystore refresh is stale, update the keystore URL to the latest
+   */
+  async refreshKeyStore(rawJwtToken) {
+    const payload = await jose.decodeJwt(rawJwtToken);
+    const header = await jose.decodeProtectedHeader(rawJwtToken);
+    let keyStoreHasKey;
+    try {
+      if (this.#keyStore) {
+        const [_, rawPayload, rawSignature] = rawJwtToken.split(".");
+        keyStoreHasKey = await this.#keyStore(header, {
+          payload: rawPayload,
+          signature: rawSignature
+        });
+      }
+    } catch (error) {
+      keyStoreHasKey = false;
+    }
+    const issuedAfterLastRefresh = payload?.iat && payload.iat > this.#keyStoreUpdated - CLOCK_MARGIN_S;
+    if (!this.#keyStore || !keyStoreHasKey && issuedAfterLastRefresh) {
+      const endpoint = await this.getEndpoint();
+      this.#keyStore = jose.createRemoteJWKSet(endpoint);
+      this.#keyStoreUpdated = Date.now() / 1e3;
+    }
+  }
+}
+
+const SECONDS_IN_MS$2 = 1e3;
+const ALLOWED_PLUGIN_ID_PATTERN = /^[a-z0-9_-]+$/i;
+class PluginTokenHandler {
+  constructor(logger, ownPluginId, keySource, algorithm, keyDurationSeconds, discovery) {
+    this.logger = logger;
+    this.ownPluginId = ownPluginId;
+    this.keySource = keySource;
+    this.algorithm = algorithm;
+    this.keyDurationSeconds = keyDurationSeconds;
+    this.discovery = discovery;
+  }
+  jwksMap = /* @__PURE__ */ new Map();
+  // Tracking state for isTargetPluginSupported
+  supportedTargetPlugins = /* @__PURE__ */ new Set();
+  targetPluginInflightChecks = /* @__PURE__ */ new Map();
+  static create(options) {
+    return new PluginTokenHandler(
+      options.logger,
+      options.ownPluginId,
+      options.keySource,
+      options.algorithm ?? "ES256",
+      Math.round(types.durationToMilliseconds(options.keyDuration) / 1e3),
+      options.discovery
+    );
+  }
+  async verifyToken(token) {
+    try {
+      const { typ } = jose.decodeProtectedHeader(token);
+      if (typ !== pluginAuthNode.tokenTypes.plugin.typParam) {
+        return void 0;
+      }
+    } catch {
+      return void 0;
+    }
+    const pluginId = String(jose.decodeJwt(token).sub);
+    if (!pluginId) {
+      throw new errors.AuthenticationError("Invalid plugin token: missing subject");
+    }
+    if (!ALLOWED_PLUGIN_ID_PATTERN.test(pluginId)) {
+      throw new errors.AuthenticationError(
+        "Invalid plugin token: forbidden subject format"
+      );
+    }
+    const jwksClient = await this.getJwksClient(pluginId);
+    await jwksClient.refreshKeyStore(token);
+    const { payload } = await jose.jwtVerify(
+      token,
+      jwksClient.getKey,
+      {
+        typ: pluginAuthNode.tokenTypes.plugin.typParam,
+        audience: this.ownPluginId,
+        requiredClaims: ["iat", "exp", "sub", "aud"]
+      }
+    ).catch((e) => {
+      throw new errors.AuthenticationError("Invalid plugin token", e);
+    });
+    return { subject: `plugin:${payload.sub}`, limitedUserToken: payload.obo };
+  }
+  async issueToken(options) {
+    const { pluginId, targetPluginId, onBehalfOf } = options;
+    const key = await this.keySource.getPrivateSigningKey();
+    const sub = pluginId;
+    const aud = targetPluginId;
+    const iat = Math.floor(Date.now() / SECONDS_IN_MS$2);
+    const ourExp = iat + this.keyDurationSeconds;
+    const exp = onBehalfOf ? Math.min(
+      ourExp,
+      Math.floor(onBehalfOf.expiresAt.getTime() / SECONDS_IN_MS$2)
+    ) : ourExp;
+    const claims = { sub, aud, iat, exp, obo: onBehalfOf?.token };
+    const token = await new jose.SignJWT(claims).setProtectedHeader({
+      typ: pluginAuthNode.tokenTypes.plugin.typParam,
+      alg: this.algorithm,
+      kid: key.kid
+    }).setAudience(aud).setSubject(sub).setIssuedAt(iat).setExpirationTime(exp).sign(await jose.importJWK(key));
+    return { token };
+  }
+  async isTargetPluginSupported(targetPluginId) {
+    if (this.supportedTargetPlugins.has(targetPluginId)) {
+      return true;
+    }
+    const inFlight = this.targetPluginInflightChecks.get(targetPluginId);
+    if (inFlight) {
+      return inFlight;
+    }
+    const doCheck = async () => {
+      try {
+        const res = await fetch(
+          `${await this.discovery.getBaseUrl(
+            targetPluginId
+          )}/.backstage/auth/v1/jwks.json`
+        );
+        if (res.status === 404) {
+          return false;
+        }
+        if (!res.ok) {
+          throw new Error(`Failed to fetch jwks.json, ${res.status}`);
+        }
+        const data = await res.json();
+        if (!data.keys) {
+          throw new Error(`Invalid jwks.json response, missing keys`);
+        }
+        this.supportedTargetPlugins.add(targetPluginId);
+        return true;
+      } catch (error) {
+        this.logger.error("Unexpected failure for target JWKS check", error);
+        return false;
+      } finally {
+        this.targetPluginInflightChecks.delete(targetPluginId);
+      }
+    };
+    const check = doCheck();
+    this.targetPluginInflightChecks.set(targetPluginId, check);
+    return check;
+  }
+  async getJwksClient(pluginId) {
+    const client = this.jwksMap.get(pluginId);
+    if (client) {
+      return client;
+    }
+    if (!await this.isTargetPluginSupported(pluginId)) {
+      throw new errors.AuthenticationError(
+        `Received a plugin token where the source '${pluginId}' plugin unexpectedly does not have a JWKS endpoint`
+      );
+    }
+    const newClient = new JwksClient(async () => {
+      return new URL(
+        `${await this.discovery.getBaseUrl(
+          pluginId
+        )}/.backstage/auth/v1/jwks.json`
+      );
+    });
+    this.jwksMap.set(pluginId, newClient);
+    return newClient;
+  }
+}
+
+const MIGRATIONS_TABLE = "backstage_backend_public_keys__knex_migrations";
+const TABLE = "backstage_backend_public_keys__keys";
+function applyDatabaseMigrations(knex) {
+  const migrationsDir = backendPluginApi.resolvePackagePath(
+    "@backstage/backend-defaults",
+    "migrations/auth"
+  );
+  return knex.migrate.latest({
+    directory: migrationsDir,
+    tableName: MIGRATIONS_TABLE
+  });
+}
+class DatabaseKeyStore {
+  constructor(client, logger) {
+    this.client = client;
+    this.logger = logger;
+  }
+  static async create(options) {
+    const { database, logger } = options;
+    const client = await database.getClient();
+    if (!database.migrations?.skip) {
+      await applyDatabaseMigrations(client);
+    }
+    return new DatabaseKeyStore(client, logger);
+  }
+  async addKey(options) {
+    await this.client(TABLE).insert({
+      id: options.key.kid,
+      key: JSON.stringify(options.key),
+      expires_at: options.expiresAt.toISOString()
+    });
+  }
+  async listKeys() {
+    const rows = await this.client(TABLE).select();
+    const keys = rows.map((row) => ({
+      id: row.id,
+      key: JSON.parse(row.key),
+      expiresAt: new Date(row.expires_at)
+    }));
+    const validKeys = [];
+    const expiredKeys = [];
+    for (const key of keys) {
+      if (luxon.DateTime.fromJSDate(key.expiresAt) < luxon.DateTime.local()) {
+        expiredKeys.push(key);
+      } else {
+        validKeys.push(key);
+      }
+    }
+    if (expiredKeys.length > 0) {
+      const kids = expiredKeys.map(({ key }) => key.kid);
+      this.logger.info(
+        `Removing expired plugin service keys, '${kids.join("', '")}'`
+      );
+      this.client(TABLE).delete().whereIn("id", kids).catch((error) => {
+        this.logger.error(
+          "Failed to remove expired plugin service keys",
+          error
+        );
+      });
+    }
+    return { keys: validKeys };
+  }
+}
+
+const SECONDS_IN_MS$1 = 1e3;
+const KEY_EXPIRATION_MARGIN_FACTOR = 3;
+class DatabasePluginKeySource {
+  constructor(keyStore, logger, keyDurationSeconds, algorithm) {
+    this.keyStore = keyStore;
+    this.logger = logger;
+    this.keyDurationSeconds = keyDurationSeconds;
+    this.algorithm = algorithm;
+  }
+  privateKeyPromise;
+  keyExpiry;
+  static async create(options) {
+    const keyStore = await DatabaseKeyStore.create({
+      database: options.database,
+      logger: options.logger
+    });
+    return new DatabasePluginKeySource(
+      keyStore,
+      options.logger,
+      Math.round(types.durationToMilliseconds(options.keyDuration) / 1e3),
+      options.algorithm ?? "ES256"
+    );
+  }
+  async getPrivateSigningKey() {
+    if (this.privateKeyPromise) {
+      if (this.keyExpiry && this.keyExpiry.getTime() > Date.now()) {
+        return this.privateKeyPromise;
+      }
+      this.logger.info(`Signing key has expired, generating new key`);
+      delete this.privateKeyPromise;
+    }
+    this.keyExpiry = new Date(
+      Date.now() + this.keyDurationSeconds * SECONDS_IN_MS$1
+    );
+    const promise = (async () => {
+      const kid = uuid.v4();
+      const key = await jose.generateKeyPair(this.algorithm);
+      const publicKey = await jose.exportJWK(key.publicKey);
+      const privateKey = await jose.exportJWK(key.privateKey);
+      publicKey.kid = privateKey.kid = kid;
+      publicKey.alg = privateKey.alg = this.algorithm;
+      this.logger.info(`Created new signing key ${kid}`);
+      await this.keyStore.addKey({
+        id: kid,
+        key: publicKey,
+        expiresAt: new Date(
+          Date.now() + this.keyDurationSeconds * SECONDS_IN_MS$1 * KEY_EXPIRATION_MARGIN_FACTOR
+        )
+      });
+      return privateKey;
+    })();
+    this.privateKeyPromise = promise;
+    try {
+      await promise;
+    } catch (error) {
+      this.logger.error(`Failed to generate new signing key, ${error}`);
+      delete this.keyExpiry;
+      delete this.privateKeyPromise;
+    }
+    return promise;
+  }
+  listKeys() {
+    return this.keyStore.listKeys();
+  }
+}
+
+const DEFAULT_ALGORITHM = "ES256";
+const SECONDS_IN_MS = 1e3;
+class StaticConfigPluginKeySource {
+  constructor(keyPairs, keyDurationSeconds) {
+    this.keyPairs = keyPairs;
+    this.keyDurationSeconds = keyDurationSeconds;
+  }
+  static async create(options) {
+    const keyConfigs = options.sourceConfig.getConfigArray("static.keys").map((c) => {
+      const staticKeyConfig = {
+        publicKeyFile: c.getString("publicKeyFile"),
+        privateKeyFile: c.getOptionalString("privateKeyFile"),
+        keyId: c.getString("keyId"),
+        algorithm: c.getOptionalString("algorithm") ?? DEFAULT_ALGORITHM
+      };
+      return staticKeyConfig;
+    });
+    const keyPairs = await Promise.all(
+      keyConfigs.map(async (k) => await this.loadKeyPair(k))
+    );
+    if (keyPairs.length < 1) {
+      throw new Error(
+        "At least one key pair must be provided in static.keys, when the static key store type is used"
+      );
+    } else if (!keyPairs[0].privateKey) {
+      throw new Error(
+        "Private key for signing must be provided in the first key pair in static.keys, when the static key store type is used"
+      );
+    }
+    return new StaticConfigPluginKeySource(
+      keyPairs,
+      types.durationToMilliseconds(options.keyDuration) / SECONDS_IN_MS
+    );
+  }
+  async getPrivateSigningKey() {
+    return this.keyPairs[0].privateKey;
+  }
+  async listKeys() {
+    const keys = this.keyPairs.map((k) => this.keyPairToStoredKey(k));
+    return { keys };
+  }
+  static async loadKeyPair(options) {
+    const algorithm = options.algorithm;
+    const keyId = options.keyId;
+    const publicKey = await this.loadPublicKeyFromFile(
+      options.publicKeyFile,
+      keyId,
+      algorithm
+    );
+    const privateKey = options.privateKeyFile ? await this.loadPrivateKeyFromFile(
+      options.privateKeyFile,
+      keyId,
+      algorithm
+    ) : void 0;
+    return { publicKey, privateKey, keyId };
+  }
+  static async loadPublicKeyFromFile(path, keyId, algorithm) {
+    return this.loadKeyFromFile(path, keyId, algorithm, jose.importSPKI);
+  }
+  static async loadPrivateKeyFromFile(path, keyId, algorithm) {
+    return this.loadKeyFromFile(path, keyId, algorithm, jose.importPKCS8);
+  }
+  static async loadKeyFromFile(path, keyId, algorithm, importer) {
+    const content = await fs.promises.readFile(path, { encoding: "utf8", flag: "r" });
+    const key = await importer(content, algorithm);
+    const jwk = await jose.exportJWK(key);
+    jwk.kid = keyId;
+    jwk.alg = algorithm;
+    return jwk;
+  }
+  keyPairToStoredKey(keyPair) {
+    const publicKey = {
+      ...keyPair.publicKey,
+      kid: keyPair.keyId
+    };
+    return {
+      key: publicKey,
+      id: keyPair.keyId,
+      expiresAt: new Date(Date.now() + this.keyDurationSeconds * SECONDS_IN_MS)
+    };
+  }
+}
+
+const CONFIG_ROOT_KEY = "backend.auth.pluginKeyStore";
+async function createPluginKeySource(options) {
+  const keyStoreConfig = options.config.getOptionalConfig(CONFIG_ROOT_KEY);
+  const type = keyStoreConfig?.getOptionalString("type") ?? "database";
+  if (!keyStoreConfig || type === "database") {
+    return DatabasePluginKeySource.create({
+      database: options.database,
+      logger: options.logger,
+      keyDuration: options.keyDuration,
+      algorithm: options.algorithm
+    });
+  } else if (type === "static") {
+    return StaticConfigPluginKeySource.create({
+      sourceConfig: keyStoreConfig,
+      keyDuration: options.keyDuration
+    });
+  }
+  throw new Error(
+    `Unsupported config value ${CONFIG_ROOT_KEY}.type '${type}'; expected one of 'database', 'static'`
+  );
+}
+
+class UserTokenHandler {
+  constructor(jwksClient) {
+    this.jwksClient = jwksClient;
+  }
+  static create(options) {
+    const jwksClient = new JwksClient(async () => {
+      const url = await options.discovery.getBaseUrl("auth");
+      return new URL(`${url}/.well-known/jwks.json`);
+    });
+    return new UserTokenHandler(jwksClient);
+  }
+  async verifyToken(token) {
+    const verifyOpts = this.#getTokenVerificationOptions(token);
+    if (!verifyOpts) {
+      return void 0;
+    }
+    await this.jwksClient.refreshKeyStore(token);
+    const { payload } = await jose.jwtVerify(
+      token,
+      this.jwksClient.getKey,
+      verifyOpts
+    ).catch((e) => {
+      throw new errors.AuthenticationError("Invalid token", e);
+    });
+    const userEntityRef = payload.sub;
+    if (!userEntityRef) {
+      throw new errors.AuthenticationError("No user sub found in token");
+    }
+    return { userEntityRef };
+  }
+  #getTokenVerificationOptions(token) {
+    try {
+      const { typ } = jose.decodeProtectedHeader(token);
+      if (typ === pluginAuthNode.tokenTypes.user.typParam) {
+        return {
+          requiredClaims: ["iat", "exp", "sub"],
+          typ: pluginAuthNode.tokenTypes.user.typParam
+        };
+      }
+      if (typ === pluginAuthNode.tokenTypes.limitedUser.typParam) {
+        return {
+          requiredClaims: ["iat", "exp", "sub"],
+          typ: pluginAuthNode.tokenTypes.limitedUser.typParam
+        };
+      }
+      const { aud } = jose.decodeJwt(token);
+      if (aud === pluginAuthNode.tokenTypes.user.audClaim) {
+        return {
+          audience: pluginAuthNode.tokenTypes.user.audClaim
+        };
+      }
+    } catch {
+    }
+    return void 0;
+  }
+  createLimitedUserToken(backstageToken) {
+    const [headerRaw, payloadRaw] = backstageToken.split(".");
+    const header = JSON.parse(
+      new TextDecoder().decode(jose.base64url.decode(headerRaw))
+    );
+    const payload = JSON.parse(
+      new TextDecoder().decode(jose.base64url.decode(payloadRaw))
+    );
+    const tokenType = header.typ;
+    if (!tokenType || tokenType === pluginAuthNode.tokenTypes.limitedUser.typParam) {
+      return { token: backstageToken, expiresAt: new Date(payload.exp * 1e3) };
+    }
+    if (tokenType !== pluginAuthNode.tokenTypes.user.typParam) {
+      throw new errors.AuthenticationError(
+        "Failed to create limited user token, invalid token type"
+      );
+    }
+    const limitedUserToken = [
+      jose.base64url.encode(
+        JSON.stringify({
+          typ: pluginAuthNode.tokenTypes.limitedUser.typParam,
+          alg: header.alg,
+          kid: header.kid
+        })
+      ),
+      jose.base64url.encode(
+        JSON.stringify({
+          sub: payload.sub,
+          iat: payload.iat,
+          exp: payload.exp
+        })
+      ),
+      payload.uip
+    ].join(".");
+    return { token: limitedUserToken, expiresAt: new Date(payload.exp * 1e3) };
+  }
+  isLimitedUserToken(token) {
+    try {
+      const { typ } = jose.decodeProtectedHeader(token);
+      return typ === pluginAuthNode.tokenTypes.limitedUser.typParam;
+    } catch {
+      return false;
+    }
+  }
+}
+
+const authServiceFactory = backendPluginApi.createServiceFactory({
+  service: backendPluginApi.coreServices.auth,
+  deps: {
+    config: backendPluginApi.coreServices.rootConfig,
+    logger: backendPluginApi.coreServices.rootLogger,
+    discovery: backendPluginApi.coreServices.discovery,
+    plugin: backendPluginApi.coreServices.pluginMetadata,
+    database: backendPluginApi.coreServices.database,
+    // Re-using the token manager makes sure that we use the same generated keys for
+    // development as plugins that have not yet been migrated. It's important that this
+    // keeps working as long as there are plugins that have not been migrated to the
+    // new auth services in the new backend system.
+    tokenManager: backendPluginApi.coreServices.tokenManager
+  },
+  async factory({ config, discovery, plugin, tokenManager, logger, database }) {
+    const disableDefaultAuthPolicy = config.getOptionalBoolean(
+      "backend.auth.dangerouslyDisableDefaultAuthPolicy"
+    ) ?? false;
+    const keyDuration = { hours: 1 };
+    const keySource = await createPluginKeySource({
+      config,
+      database,
+      logger,
+      keyDuration
+    });
+    const userTokens = UserTokenHandler.create({
+      discovery
+    });
+    const pluginTokens = PluginTokenHandler.create({
+      ownPluginId: plugin.getId(),
+      logger,
+      keySource,
+      keyDuration,
+      discovery
+    });
+    const externalTokens = ExternalTokenHandler.create({
+      ownPluginId: plugin.getId(),
+      config,
+      logger
+    });
+    return new DefaultAuthService(
+      userTokens,
+      pluginTokens,
+      externalTokens,
+      tokenManager,
+      plugin.getId(),
+      disableDefaultAuthPolicy,
+      keySource
+    );
+  }
+});
+
+exports.authServiceFactory = authServiceFactory;
+//# sourceMappingURL=auth.cjs.js.map