@backstage/backend-defaults 0.5.1-next.1 → 0.5.1-next.2

package/dist/auth.cjs.js

@@ -1,1002 +1,8 @@
 'use strict';
 
-var backendPluginApi = require('@backstage/backend-plugin-api');
-var errors = require('@backstage/errors');
-var jose = require('jose');
-var helpers = require('./cjs/helpers-D2f1CG0o.cjs.js');
-var pluginAuthNode = require('@backstage/plugin-auth-node');
-var types = require('@backstage/types');
-var uuid = require('uuid');
-var luxon = require('luxon');
-var fs = require('fs');
+var authServiceFactory = require('./entrypoints/auth/authServiceFactory.cjs.js');
 
-class DefaultAuthService {
-  constructor(userTokenHandler, pluginTokenHandler, externalTokenHandler, pluginId, disableDefaultAuthPolicy, pluginKeySource) {
-    this.userTokenHandler = userTokenHandler;
-    this.pluginTokenHandler = pluginTokenHandler;
-    this.externalTokenHandler = externalTokenHandler;
-    this.pluginId = pluginId;
-    this.disableDefaultAuthPolicy = disableDefaultAuthPolicy;
-    this.pluginKeySource = pluginKeySource;
-  }
-  async authenticate(token, options) {
-    const pluginResult = await this.pluginTokenHandler.verifyToken(token);
-    if (pluginResult) {
-      if (pluginResult.limitedUserToken) {
-        const userResult2 = await this.userTokenHandler.verifyToken(
-          pluginResult.limitedUserToken
-        );
-        if (!userResult2) {
-          throw new errors.AuthenticationError(
-            "Invalid user token in plugin token obo claim"
-          );
-        }
-        return helpers.createCredentialsWithUserPrincipal(
-          userResult2.userEntityRef,
-          pluginResult.limitedUserToken,
-          this.#getJwtExpiration(pluginResult.limitedUserToken)
-        );
-      }
-      return helpers.createCredentialsWithServicePrincipal(pluginResult.subject);
-    }
-    const userResult = await this.userTokenHandler.verifyToken(token);
-    if (userResult) {
-      if (!options?.allowLimitedAccess && this.userTokenHandler.isLimitedUserToken(token)) {
-        throw new errors.AuthenticationError("Illegal limited user token");
-      }
-      return helpers.createCredentialsWithUserPrincipal(
-        userResult.userEntityRef,
-        token,
-        this.#getJwtExpiration(token)
-      );
-    }
-    const externalResult = await this.externalTokenHandler.verifyToken(token);
-    if (externalResult) {
-      return helpers.createCredentialsWithServicePrincipal(
-        externalResult.subject,
-        void 0,
-        externalResult.accessRestrictions
-      );
-    }
-    throw new errors.AuthenticationError("Illegal token");
-  }
-  isPrincipal(credentials, type) {
-    const principal = credentials.principal;
-    if (type === "unknown") {
-      return true;
-    }
-    if (principal.type !== type) {
-      return false;
-    }
-    return true;
-  }
-  async getNoneCredentials() {
-    return helpers.createCredentialsWithNonePrincipal();
-  }
-  async getOwnServiceCredentials() {
-    return helpers.createCredentialsWithServicePrincipal(`plugin:${this.pluginId}`);
-  }
-  async getPluginRequestToken(options) {
-    const { targetPluginId } = options;
-    const internalForward = helpers.toInternalBackstageCredentials(options.onBehalfOf);
-    const { type } = internalForward.principal;
-    if (type === "none" && this.disableDefaultAuthPolicy) {
-      return { token: "" };
-    }
-    switch (type) {
-      // TODO: Check whether the principal is ourselves
-      case "service":
-        return this.pluginTokenHandler.issueToken({
-          pluginId: this.pluginId,
-          targetPluginId
-        });
-      case "user": {
-        const { token } = internalForward;
-        if (!token) {
-          throw new Error("User credentials is unexpectedly missing token");
-        }
-        const onBehalfOf = await this.userTokenHandler.createLimitedUserToken(
-          token
-        );
-        return this.pluginTokenHandler.issueToken({
-          pluginId: this.pluginId,
-          targetPluginId,
-          onBehalfOf
-        });
-      }
-      default:
-        throw new errors.AuthenticationError(
-          `Refused to issue service token for credential type '${type}'`
-        );
-    }
-  }
-  async getLimitedUserToken(credentials) {
-    const { token: backstageToken } = helpers.toInternalBackstageCredentials(credentials);
-    if (!backstageToken) {
-      throw new errors.AuthenticationError(
-        "User credentials is unexpectedly missing token"
-      );
-    }
-    return this.userTokenHandler.createLimitedUserToken(backstageToken);
-  }
-  async listPublicServiceKeys() {
-    const { keys } = await this.pluginKeySource.listKeys();
-    return { keys: keys.map(({ key }) => key) };
-  }
-  #getJwtExpiration(token) {
-    const { exp } = jose.decodeJwt(token);
-    if (!exp) {
-      throw new errors.AuthenticationError("User token is missing expiration");
-    }
-    return new Date(exp * 1e3);
-  }
-}
 
-function readAccessRestrictionsFromConfig(externalAccessEntryConfig) {
-  const configs = externalAccessEntryConfig.getOptionalConfigArray("accessRestrictions") ?? [];
-  const result = /* @__PURE__ */ new Map();
-  for (const config of configs) {
-    const validKeys = ["plugin", "permission", "permissionAttribute"];
-    for (const key of config.keys()) {
-      if (!validKeys.includes(key)) {
-        const valid = validKeys.map((k) => `'${k}'`).join(", ");
-        throw new Error(
-          `Invalid key '${key}' in 'accessRestrictions' config, expected one of ${valid}`
-        );
-      }
-    }
-    const pluginId = config.getString("plugin");
-    const permissionNames = readPermissionNames(config);
-    const permissionAttributes = readPermissionAttributes(config);
-    if (result.has(pluginId)) {
-      throw new Error(
-        `Attempted to declare 'accessRestrictions' twice for plugin '${pluginId}', which is not permitted`
-      );
-    }
-    result.set(pluginId, {
-      ...permissionNames ? { permissionNames } : {},
-      ...permissionAttributes ? { permissionAttributes } : {}
-    });
-  }
-  return result.size ? result : void 0;
-}
-function readStringOrStringArrayFromConfig(root, key, validValues) {
-  if (!root.has(key)) {
-    return void 0;
-  }
-  const rawValues = Array.isArray(root.get(key)) ? root.getStringArray(key) : [root.getString(key)];
-  const values = [
-    ...new Set(
-      rawValues.map((v) => v.split(/[ ,]/)).flat().filter(Boolean)
-    )
-  ];
-  if (!values.length) {
-    return void 0;
-  }
-  if (validValues?.length) {
-    for (const value of values) {
-      if (!validValues.includes(value)) {
-        const valid = validValues.map((k) => `'${k}'`).join(", ");
-        throw new Error(
-          `Invalid value '${value}' at '${key}' in 'permissionAttributes' config, valid values are ${valid}`
-        );
-      }
-    }
-  }
-  return values;
-}
-function readPermissionNames(externalAccessEntryConfig) {
-  return readStringOrStringArrayFromConfig(
-    externalAccessEntryConfig,
-    "permission"
-  );
-}
-function readPermissionAttributes(externalAccessEntryConfig) {
-  const config = externalAccessEntryConfig.getOptionalConfig(
-    "permissionAttribute"
-  );
-  if (!config) {
-    return void 0;
-  }
-  const validKeys = ["action"];
-  for (const key of config.keys()) {
-    if (!validKeys.includes(key)) {
-      const valid = validKeys.map((k) => `'${k}'`).join(", ");
-      throw new Error(
-        `Invalid key '${key}' in 'permissionAttribute' config, expected ${valid}`
-      );
-    }
-  }
-  const action = readStringOrStringArrayFromConfig(config, "action", [
-    "create",
-    "read",
-    "update",
-    "delete"
-  ]);
-  const result = {
-    ...action ? { action } : {}
-  };
-  return Object.keys(result).length ? result : void 0;
-}
 
-class LegacyTokenHandler {
-  #entries = new Array();
-  add(config) {
-    const allAccessRestrictions = readAccessRestrictionsFromConfig(config);
-    this.#doAdd(
-      config.getString("options.secret"),
-      config.getString("options.subject"),
-      allAccessRestrictions
-    );
-  }
-  // used only for the old backend.auth.keys array
-  addOld(config) {
-    this.#doAdd(config.getString("secret"), "external:backstage-plugin");
-  }
-  #doAdd(secret, subject, allAccessRestrictions) {
-    if (!secret.match(/^\S+$/)) {
-      throw new Error("Illegal secret, must be a valid base64 string");
-    } else if (!subject.match(/^\S+$/)) {
-      throw new Error("Illegal subject, must be a set of non-space characters");
-    }
-    let key;
-    try {
-      key = jose.base64url.decode(secret);
-    } catch {
-      throw new Error("Illegal secret, must be a valid base64 string");
-    }
-    if (this.#entries.some((e) => e.key === key)) {
-      throw new Error(
-        "Legacy externalAccess token was declared more than once"
-      );
-    }
-    this.#entries.push({
-      key,
-      result: {
-        subject,
-        allAccessRestrictions
-      }
-    });
-  }
-  async verifyToken(token) {
-    try {
-      const { alg } = jose.decodeProtectedHeader(token);
-      if (alg !== "HS256") {
-        return void 0;
-      }
-      const { sub, aud } = jose.decodeJwt(token);
-      if (sub !== "backstage-server" || aud) {
-        return void 0;
-      }
-    } catch (e) {
-      return void 0;
-    }
-    for (const { key, result } of this.#entries) {
-      try {
-        await jose.jwtVerify(token, key);
-        return result;
-      } catch (e) {
-        if (e.code !== "ERR_JWS_SIGNATURE_VERIFICATION_FAILED") {
-          throw e;
-        }
-      }
-    }
-    return void 0;
-  }
-}
-
-const MIN_TOKEN_LENGTH = 8;
-class StaticTokenHandler {
-  #entries = /* @__PURE__ */ new Map();
-  add(config) {
-    const token = config.getString("options.token");
-    const subject = config.getString("options.subject");
-    const allAccessRestrictions = readAccessRestrictionsFromConfig(config);
-    if (!token.match(/^\S+$/)) {
-      throw new Error("Illegal token, must be a set of non-space characters");
-    } else if (token.length < MIN_TOKEN_LENGTH) {
-      throw new Error(
-        `Illegal token, must be at least ${MIN_TOKEN_LENGTH} characters length`
-      );
-    } else if (!subject.match(/^\S+$/)) {
-      throw new Error("Illegal subject, must be a set of non-space characters");
-    } else if (this.#entries.has(token)) {
-      throw new Error(
-        "Static externalAccess token was declared more than once"
-      );
-    }
-    this.#entries.set(token, { subject, allAccessRestrictions });
-  }
-  async verifyToken(token) {
-    return this.#entries.get(token);
-  }
-}
-
-class JWKSHandler {
-  #entries = [];
-  add(config) {
-    if (!config.getString("options.url").match(/^\S+$/)) {
-      throw new Error(
-        "Illegal JWKS URL, must be a set of non-space characters"
-      );
-    }
-    const algorithms = readStringOrStringArrayFromConfig(
-      config,
-      "options.algorithm"
-    );
-    const issuers = readStringOrStringArrayFromConfig(config, "options.issuer");
-    const audiences = readStringOrStringArrayFromConfig(
-      config,
-      "options.audience"
-    );
-    const subjectPrefix = config.getOptionalString("options.subjectPrefix");
-    const url = new URL(config.getString("options.url"));
-    const jwks = jose.createRemoteJWKSet(url);
-    const allAccessRestrictions = readAccessRestrictionsFromConfig(config);
-    this.#entries.push({
-      algorithms,
-      audiences,
-      issuers,
-      jwks,
-      subjectPrefix,
-      url,
-      allAccessRestrictions
-    });
-  }
-  async verifyToken(token) {
-    for (const entry of this.#entries) {
-      try {
-        const {
-          payload: { sub }
-        } = await jose.jwtVerify(token, entry.jwks, {
-          algorithms: entry.algorithms,
-          issuer: entry.issuers,
-          audience: entry.audiences
-        });
-        if (sub) {
-          const prefix = entry.subjectPrefix ? `external:${entry.subjectPrefix}:` : "external:";
-          return {
-            subject: `${prefix}${sub}`,
-            allAccessRestrictions: entry.allAccessRestrictions
-          };
-        }
-      } catch {
-        continue;
-      }
-    }
-    return void 0;
-  }
-}
-
-const NEW_CONFIG_KEY = "backend.auth.externalAccess";
-const OLD_CONFIG_KEY = "backend.auth.keys";
-let loggedDeprecationWarning = false;
-class ExternalTokenHandler {
-  constructor(ownPluginId, handlers) {
-    this.ownPluginId = ownPluginId;
-    this.handlers = handlers;
-  }
-  static create(options) {
-    const { ownPluginId, config, logger } = options;
-    const staticHandler = new StaticTokenHandler();
-    const legacyHandler = new LegacyTokenHandler();
-    const jwksHandler = new JWKSHandler();
-    const handlers = {
-      static: staticHandler,
-      legacy: legacyHandler,
-      jwks: jwksHandler
-    };
-    const handlerConfigs = config.getOptionalConfigArray(NEW_CONFIG_KEY) ?? [];
-    for (const handlerConfig of handlerConfigs) {
-      const type = handlerConfig.getString("type");
-      const handler = handlers[type];
-      if (!handler) {
-        const valid = Object.keys(handlers).map((k) => `'${k}'`).join(", ");
-        throw new Error(
-          `Unknown type '${type}' in ${NEW_CONFIG_KEY}, expected one of ${valid}`
-        );
-      }
-      handler.add(handlerConfig);
-    }
-    const legacyConfigs = config.getOptionalConfigArray(OLD_CONFIG_KEY) ?? [];
-    if (legacyConfigs.length && !loggedDeprecationWarning) {
-      loggedDeprecationWarning = true;
-      logger.warn(
-        `DEPRECATION WARNING: The ${OLD_CONFIG_KEY} config has been replaced by ${NEW_CONFIG_KEY}, see https://backstage.io/docs/auth/service-to-service-auth`
-      );
-    }
-    for (const handlerConfig of legacyConfigs) {
-      legacyHandler.addOld(handlerConfig);
-    }
-    return new ExternalTokenHandler(ownPluginId, Object.values(handlers));
-  }
-  async verifyToken(token) {
-    for (const handler of this.handlers) {
-      const result = await handler.verifyToken(token);
-      if (result) {
-        const { allAccessRestrictions, ...rest } = result;
-        if (allAccessRestrictions) {
-          const accessRestrictions = allAccessRestrictions.get(
-            this.ownPluginId
-          );
-          if (!accessRestrictions) {
-            const valid = [...allAccessRestrictions.keys()].map((k) => `'${k}'`).join(", ");
-            throw new errors.NotAllowedError(
-              `This token's access is restricted to plugin(s) ${valid}`
-            );
-          }
-          return {
-            ...rest,
-            accessRestrictions
-          };
-        }
-        return rest;
-      }
-    }
-    return void 0;
-  }
-}
-
-const CLOCK_MARGIN_S = 10;
-class JwksClient {
-  constructor(getEndpoint) {
-    this.getEndpoint = getEndpoint;
-  }
-  #keyStore;
-  #keyStoreUpdated = 0;
-  get getKey() {
-    if (!this.#keyStore) {
-      throw new errors.AuthenticationError(
-        "refreshKeyStore must be called before jwksClient.getKey"
-      );
-    }
-    return this.#keyStore;
-  }
-  /**
-   * If the last keystore refresh is stale, update the keystore URL to the latest
-   */
-  async refreshKeyStore(rawJwtToken) {
-    const payload = await jose.decodeJwt(rawJwtToken);
-    const header = await jose.decodeProtectedHeader(rawJwtToken);
-    let keyStoreHasKey;
-    try {
-      if (this.#keyStore) {
-        const [_, rawPayload, rawSignature] = rawJwtToken.split(".");
-        keyStoreHasKey = await this.#keyStore(header, {
-          payload: rawPayload,
-          signature: rawSignature
-        });
-      }
-    } catch (error) {
-      keyStoreHasKey = false;
-    }
-    const issuedAfterLastRefresh = payload?.iat && payload.iat > this.#keyStoreUpdated - CLOCK_MARGIN_S;
-    if (!this.#keyStore || !keyStoreHasKey && issuedAfterLastRefresh) {
-      const endpoint = await this.getEndpoint();
-      this.#keyStore = jose.createRemoteJWKSet(endpoint);
-      this.#keyStoreUpdated = Date.now() / 1e3;
-    }
-  }
-}
-
-const SECONDS_IN_MS$2 = 1e3;
-const ALLOWED_PLUGIN_ID_PATTERN = /^[a-z0-9_-]+$/i;
-class PluginTokenHandler {
-  constructor(logger, ownPluginId, keySource, algorithm, keyDurationSeconds, discovery) {
-    this.logger = logger;
-    this.ownPluginId = ownPluginId;
-    this.keySource = keySource;
-    this.algorithm = algorithm;
-    this.keyDurationSeconds = keyDurationSeconds;
-    this.discovery = discovery;
-  }
-  jwksMap = /* @__PURE__ */ new Map();
-  // Tracking state for isTargetPluginSupported
-  supportedTargetPlugins = /* @__PURE__ */ new Set();
-  targetPluginInflightChecks = /* @__PURE__ */ new Map();
-  static create(options) {
-    return new PluginTokenHandler(
-      options.logger,
-      options.ownPluginId,
-      options.keySource,
-      options.algorithm ?? "ES256",
-      Math.round(types.durationToMilliseconds(options.keyDuration) / 1e3),
-      options.discovery
-    );
-  }
-  async verifyToken(token) {
-    try {
-      const { typ } = jose.decodeProtectedHeader(token);
-      if (typ !== pluginAuthNode.tokenTypes.plugin.typParam) {
-        return void 0;
-      }
-    } catch {
-      return void 0;
-    }
-    const pluginId = String(jose.decodeJwt(token).sub);
-    if (!pluginId) {
-      throw new errors.AuthenticationError("Invalid plugin token: missing subject");
-    }
-    if (!ALLOWED_PLUGIN_ID_PATTERN.test(pluginId)) {
-      throw new errors.AuthenticationError(
-        "Invalid plugin token: forbidden subject format"
-      );
-    }
-    const jwksClient = await this.getJwksClient(pluginId);
-    await jwksClient.refreshKeyStore(token);
-    const { payload } = await jose.jwtVerify(
-      token,
-      jwksClient.getKey,
-      {
-        typ: pluginAuthNode.tokenTypes.plugin.typParam,
-        audience: this.ownPluginId,
-        requiredClaims: ["iat", "exp", "sub", "aud"]
-      }
-    ).catch((e) => {
-      throw new errors.AuthenticationError("Invalid plugin token", e);
-    });
-    return { subject: `plugin:${payload.sub}`, limitedUserToken: payload.obo };
-  }
-  async issueToken(options) {
-    const { pluginId, targetPluginId, onBehalfOf } = options;
-    const key = await this.keySource.getPrivateSigningKey();
-    const sub = pluginId;
-    const aud = targetPluginId;
-    const iat = Math.floor(Date.now() / SECONDS_IN_MS$2);
-    const ourExp = iat + this.keyDurationSeconds;
-    const exp = onBehalfOf ? Math.min(
-      ourExp,
-      Math.floor(onBehalfOf.expiresAt.getTime() / SECONDS_IN_MS$2)
-    ) : ourExp;
-    const claims = { sub, aud, iat, exp, obo: onBehalfOf?.token };
-    const token = await new jose.SignJWT(claims).setProtectedHeader({
-      typ: pluginAuthNode.tokenTypes.plugin.typParam,
-      alg: this.algorithm,
-      kid: key.kid
-    }).setAudience(aud).setSubject(sub).setIssuedAt(iat).setExpirationTime(exp).sign(await jose.importJWK(key));
-    return { token };
-  }
-  async isTargetPluginSupported(targetPluginId) {
-    if (this.supportedTargetPlugins.has(targetPluginId)) {
-      return true;
-    }
-    const inFlight = this.targetPluginInflightChecks.get(targetPluginId);
-    if (inFlight) {
-      return inFlight;
-    }
-    const doCheck = async () => {
-      try {
-        const res = await fetch(
-          `${await this.discovery.getBaseUrl(
-            targetPluginId
-          )}/.backstage/auth/v1/jwks.json`
-        );
-        if (res.status === 404) {
-          return false;
-        }
-        if (!res.ok) {
-          throw new Error(`Failed to fetch jwks.json, ${res.status}`);
-        }
-        const data = await res.json();
-        if (!data.keys) {
-          throw new Error(`Invalid jwks.json response, missing keys`);
-        }
-        this.supportedTargetPlugins.add(targetPluginId);
-        return true;
-      } catch (error) {
-        this.logger.error("Unexpected failure for target JWKS check", error);
-        return false;
-      } finally {
-        this.targetPluginInflightChecks.delete(targetPluginId);
-      }
-    };
-    const check = doCheck();
-    this.targetPluginInflightChecks.set(targetPluginId, check);
-    return check;
-  }
-  async getJwksClient(pluginId) {
-    const client = this.jwksMap.get(pluginId);
-    if (client) {
-      return client;
-    }
-    if (!await this.isTargetPluginSupported(pluginId)) {
-      throw new errors.AuthenticationError(
-        `Received a plugin token where the source '${pluginId}' plugin unexpectedly does not have a JWKS endpoint. The target plugin needs to be migrated to be installed in an app using the new backend system.`
-      );
-    }
-    const newClient = new JwksClient(async () => {
-      return new URL(
-        `${await this.discovery.getBaseUrl(
-          pluginId
-        )}/.backstage/auth/v1/jwks.json`
-      );
-    });
-    this.jwksMap.set(pluginId, newClient);
-    return newClient;
-  }
-}
-
-const MIGRATIONS_TABLE = "backstage_backend_public_keys__knex_migrations";
-const TABLE = "backstage_backend_public_keys__keys";
-function applyDatabaseMigrations(knex) {
-  const migrationsDir = backendPluginApi.resolvePackagePath(
-    "@backstage/backend-defaults",
-    "migrations/auth"
-  );
-  return knex.migrate.latest({
-    directory: migrationsDir,
-    tableName: MIGRATIONS_TABLE
-  });
-}
-class DatabaseKeyStore {
-  constructor(client, logger) {
-    this.client = client;
-    this.logger = logger;
-  }
-  static async create(options) {
-    const { database, logger } = options;
-    const client = await database.getClient();
-    if (!database.migrations?.skip) {
-      await applyDatabaseMigrations(client);
-    }
-    return new DatabaseKeyStore(client, logger);
-  }
-  async addKey(options) {
-    await this.client(TABLE).insert({
-      id: options.key.kid,
-      key: JSON.stringify(options.key),
-      expires_at: options.expiresAt.toISOString()
-    });
-  }
-  async listKeys() {
-    const rows = await this.client(TABLE).select();
-    const keys = rows.map((row) => ({
-      id: row.id,
-      key: JSON.parse(row.key),
-      expiresAt: new Date(row.expires_at)
-    }));
-    const validKeys = [];
-    const expiredKeys = [];
-    for (const key of keys) {
-      if (luxon.DateTime.fromJSDate(key.expiresAt) < luxon.DateTime.local()) {
-        expiredKeys.push(key);
-      } else {
-        validKeys.push(key);
-      }
-    }
-    if (expiredKeys.length > 0) {
-      const kids = expiredKeys.map(({ key }) => key.kid);
-      this.logger.info(
-        `Removing expired plugin service keys, '${kids.join("', '")}'`
-      );
-      this.client(TABLE).delete().whereIn("id", kids).catch((error) => {
-        this.logger.error(
-          "Failed to remove expired plugin service keys",
-          error
-        );
-      });
-    }
-    return { keys: validKeys };
-  }
-}
-
-const SECONDS_IN_MS$1 = 1e3;
-const KEY_EXPIRATION_MARGIN_FACTOR = 3;
-class DatabasePluginKeySource {
-  constructor(keyStore, logger, keyDurationSeconds, algorithm) {
-    this.keyStore = keyStore;
-    this.logger = logger;
-    this.keyDurationSeconds = keyDurationSeconds;
-    this.algorithm = algorithm;
-  }
-  privateKeyPromise;
-  keyExpiry;
-  static async create(options) {
-    const keyStore = await DatabaseKeyStore.create({
-      database: options.database,
-      logger: options.logger
-    });
-    return new DatabasePluginKeySource(
-      keyStore,
-      options.logger,
-      Math.round(types.durationToMilliseconds(options.keyDuration) / 1e3),
-      options.algorithm ?? "ES256"
-    );
-  }
-  async getPrivateSigningKey() {
-    if (this.privateKeyPromise) {
-      if (this.keyExpiry && this.keyExpiry.getTime() > Date.now()) {
-        return this.privateKeyPromise;
-      }
-      this.logger.info(`Signing key has expired, generating new key`);
-      delete this.privateKeyPromise;
-    }
-    this.keyExpiry = new Date(
-      Date.now() + this.keyDurationSeconds * SECONDS_IN_MS$1
-    );
-    const promise = (async () => {
-      const kid = uuid.v4();
-      const key = await jose.generateKeyPair(this.algorithm);
-      const publicKey = await jose.exportJWK(key.publicKey);
-      const privateKey = await jose.exportJWK(key.privateKey);
-      publicKey.kid = privateKey.kid = kid;
-      publicKey.alg = privateKey.alg = this.algorithm;
-      this.logger.info(`Created new signing key ${kid}`);
-      await this.keyStore.addKey({
-        id: kid,
-        key: publicKey,
-        expiresAt: new Date(
-          Date.now() + this.keyDurationSeconds * SECONDS_IN_MS$1 * KEY_EXPIRATION_MARGIN_FACTOR
-        )
-      });
-      return privateKey;
-    })();
-    this.privateKeyPromise = promise;
-    try {
-      await promise;
-    } catch (error) {
-      this.logger.error(`Failed to generate new signing key, ${error}`);
-      delete this.keyExpiry;
-      delete this.privateKeyPromise;
-    }
-    return promise;
-  }
-  listKeys() {
-    return this.keyStore.listKeys();
-  }
-}
-
-const DEFAULT_ALGORITHM = "ES256";
-const SECONDS_IN_MS = 1e3;
-class StaticConfigPluginKeySource {
-  constructor(keyPairs, keyDurationSeconds) {
-    this.keyPairs = keyPairs;
-    this.keyDurationSeconds = keyDurationSeconds;
-  }
-  static async create(options) {
-    const keyConfigs = options.sourceConfig.getConfigArray("static.keys").map((c) => {
-      const staticKeyConfig = {
-        publicKeyFile: c.getString("publicKeyFile"),
-        privateKeyFile: c.getOptionalString("privateKeyFile"),
-        keyId: c.getString("keyId"),
-        algorithm: c.getOptionalString("algorithm") ?? DEFAULT_ALGORITHM
-      };
-      return staticKeyConfig;
-    });
-    const keyPairs = await Promise.all(
-      keyConfigs.map(async (k) => await this.loadKeyPair(k))
-    );
-    if (keyPairs.length < 1) {
-      throw new Error(
-        "At least one key pair must be provided in static.keys, when the static key store type is used"
-      );
-    } else if (!keyPairs[0].privateKey) {
-      throw new Error(
-        "Private key for signing must be provided in the first key pair in static.keys, when the static key store type is used"
-      );
-    }
-    return new StaticConfigPluginKeySource(
-      keyPairs,
-      types.durationToMilliseconds(options.keyDuration) / SECONDS_IN_MS
-    );
-  }
-  async getPrivateSigningKey() {
-    return this.keyPairs[0].privateKey;
-  }
-  async listKeys() {
-    const keys = this.keyPairs.map((k) => this.keyPairToStoredKey(k));
-    return { keys };
-  }
-  static async loadKeyPair(options) {
-    const algorithm = options.algorithm;
-    const keyId = options.keyId;
-    const publicKey = await this.loadPublicKeyFromFile(
-      options.publicKeyFile,
-      keyId,
-      algorithm
-    );
-    const privateKey = options.privateKeyFile ? await this.loadPrivateKeyFromFile(
-      options.privateKeyFile,
-      keyId,
-      algorithm
-    ) : void 0;
-    return { publicKey, privateKey, keyId };
-  }
-  static async loadPublicKeyFromFile(path, keyId, algorithm) {
-    return this.loadKeyFromFile(path, keyId, algorithm, jose.importSPKI);
-  }
-  static async loadPrivateKeyFromFile(path, keyId, algorithm) {
-    return this.loadKeyFromFile(path, keyId, algorithm, jose.importPKCS8);
-  }
-  static async loadKeyFromFile(path, keyId, algorithm, importer) {
-    const content = await fs.promises.readFile(path, { encoding: "utf8", flag: "r" });
-    const key = await importer(content, algorithm);
-    const jwk = await jose.exportJWK(key);
-    jwk.kid = keyId;
-    jwk.alg = algorithm;
-    return jwk;
-  }
-  keyPairToStoredKey(keyPair) {
-    const publicKey = {
-      ...keyPair.publicKey,
-      kid: keyPair.keyId
-    };
-    return {
-      key: publicKey,
-      id: keyPair.keyId,
-      expiresAt: new Date(Date.now() + this.keyDurationSeconds * SECONDS_IN_MS)
-    };
-  }
-}
-
-const CONFIG_ROOT_KEY = "backend.auth.pluginKeyStore";
-async function createPluginKeySource(options) {
-  const keyStoreConfig = options.config.getOptionalConfig(CONFIG_ROOT_KEY);
-  const type = keyStoreConfig?.getOptionalString("type") ?? "database";
-  if (!keyStoreConfig || type === "database") {
-    return DatabasePluginKeySource.create({
-      database: options.database,
-      logger: options.logger,
-      keyDuration: options.keyDuration,
-      algorithm: options.algorithm
-    });
-  } else if (type === "static") {
-    return StaticConfigPluginKeySource.create({
-      sourceConfig: keyStoreConfig,
-      keyDuration: options.keyDuration
-    });
-  }
-  throw new Error(
-    `Unsupported config value ${CONFIG_ROOT_KEY}.type '${type}'; expected one of 'database', 'static'`
-  );
-}
-
-class UserTokenHandler {
-  constructor(jwksClient) {
-    this.jwksClient = jwksClient;
-  }
-  static create(options) {
-    const jwksClient = new JwksClient(async () => {
-      const url = await options.discovery.getBaseUrl("auth");
-      return new URL(`${url}/.well-known/jwks.json`);
-    });
-    return new UserTokenHandler(jwksClient);
-  }
-  async verifyToken(token) {
-    const verifyOpts = this.#getTokenVerificationOptions(token);
-    if (!verifyOpts) {
-      return void 0;
-    }
-    await this.jwksClient.refreshKeyStore(token);
-    const { payload } = await jose.jwtVerify(
-      token,
-      this.jwksClient.getKey,
-      verifyOpts
-    ).catch((e) => {
-      throw new errors.AuthenticationError("Invalid token", e);
-    });
-    const userEntityRef = payload.sub;
-    if (!userEntityRef) {
-      throw new errors.AuthenticationError("No user sub found in token");
-    }
-    return { userEntityRef };
-  }
-  #getTokenVerificationOptions(token) {
-    try {
-      const { typ } = jose.decodeProtectedHeader(token);
-      if (typ === pluginAuthNode.tokenTypes.user.typParam) {
-        return {
-          requiredClaims: ["iat", "exp", "sub"],
-          typ: pluginAuthNode.tokenTypes.user.typParam
-        };
-      }
-      if (typ === pluginAuthNode.tokenTypes.limitedUser.typParam) {
-        return {
-          requiredClaims: ["iat", "exp", "sub"],
-          typ: pluginAuthNode.tokenTypes.limitedUser.typParam
-        };
-      }
-      const { aud } = jose.decodeJwt(token);
-      if (aud === pluginAuthNode.tokenTypes.user.audClaim) {
-        return {
-          audience: pluginAuthNode.tokenTypes.user.audClaim
-        };
-      }
-    } catch {
-    }
-    return void 0;
-  }
-  createLimitedUserToken(backstageToken) {
-    const [headerRaw, payloadRaw] = backstageToken.split(".");
-    const header = JSON.parse(
-      new TextDecoder().decode(jose.base64url.decode(headerRaw))
-    );
-    const payload = JSON.parse(
-      new TextDecoder().decode(jose.base64url.decode(payloadRaw))
-    );
-    const tokenType = header.typ;
-    if (!tokenType || tokenType === pluginAuthNode.tokenTypes.limitedUser.typParam) {
-      return { token: backstageToken, expiresAt: new Date(payload.exp * 1e3) };
-    }
-    if (tokenType !== pluginAuthNode.tokenTypes.user.typParam) {
-      throw new errors.AuthenticationError(
-        "Failed to create limited user token, invalid token type"
-      );
-    }
-    const limitedUserToken = [
-      jose.base64url.encode(
-        JSON.stringify({
-          typ: pluginAuthNode.tokenTypes.limitedUser.typParam,
-          alg: header.alg,
-          kid: header.kid
-        })
-      ),
-      jose.base64url.encode(
-        JSON.stringify({
-          sub: payload.sub,
-          iat: payload.iat,
-          exp: payload.exp
-        })
-      ),
-      payload.uip
-    ].join(".");
-    return { token: limitedUserToken, expiresAt: new Date(payload.exp * 1e3) };
-  }
-  isLimitedUserToken(token) {
-    try {
-      const { typ } = jose.decodeProtectedHeader(token);
-      return typ === pluginAuthNode.tokenTypes.limitedUser.typParam;
-    } catch {
-      return false;
-    }
-  }
-}
-
-const authServiceFactory = backendPluginApi.createServiceFactory({
-  service: backendPluginApi.coreServices.auth,
-  deps: {
-    config: backendPluginApi.coreServices.rootConfig,
-    logger: backendPluginApi.coreServices.rootLogger,
-    discovery: backendPluginApi.coreServices.discovery,
-    plugin: backendPluginApi.coreServices.pluginMetadata,
-    database: backendPluginApi.coreServices.database
-  },
-  async factory({ config, discovery, plugin, logger, database }) {
-    const disableDefaultAuthPolicy = config.getOptionalBoolean(
-      "backend.auth.dangerouslyDisableDefaultAuthPolicy"
-    ) ?? false;
-    const keyDuration = { hours: 1 };
-    const keySource = await createPluginKeySource({
-      config,
-      database,
-      logger,
-      keyDuration
-    });
-    const userTokens = UserTokenHandler.create({
-      discovery
-    });
-    const pluginTokens = PluginTokenHandler.create({
-      ownPluginId: plugin.getId(),
-      logger,
-      keySource,
-      keyDuration,
-      discovery
-    });
-    const externalTokens = ExternalTokenHandler.create({
-      ownPluginId: plugin.getId(),
-      config,
-      logger
-    });
-    return new DefaultAuthService(
-      userTokens,
-      pluginTokens,
-      externalTokens,
-      plugin.getId(),
-      disableDefaultAuthPolicy,
-      keySource
-    );
-  }
-});
-
-exports.authServiceFactory = authServiceFactory;
+exports.authServiceFactory = authServiceFactory.authServiceFactory;
 //# sourceMappingURL=auth.cjs.js.map