@backstage/core-app-api 0.5.0-next.0 → 0.5.0

package/CHANGELOG.md

@@ -1,5 +1,19 @@
 # @backstage/core-app-api
 
+## 0.5.0
+
+### Minor Changes
+
+- ceebe25391: Removed deprecated `SignInResult` type, which was replaced with the new `onSignInSuccess` callback.
+
+### Patch Changes
+
+- fb565073ec: Add an `allowUrl` callback option to `FetchMiddlewares.injectIdentityAuth`
+- f050eec2c0: Added validation during the application startup that detects if there are any plugins present that have not had their required external routes bound. Failing the validation will cause a hard crash as it is a programmer error. It lets you detect early on that there are dangling routes, rather than having them cause an error later on.
+- Updated dependencies
+  - @backstage/core-plugin-api@0.6.0
+  - @backstage/config@0.1.13
+
 ## 0.5.0-next.0
 
 ### Minor Changes

package/dist/index.d.ts

@@ -510,14 +510,16 @@ declare class FetchMiddlewares {
      *
      * The header injection only happens on allowlisted URLs. Per default, if the
      * `config` option is passed in, the `backend.baseUrl` is allowlisted, unless
-     * the `urlPrefixAllowlist` option is passed in, in which case it takes
-     * precedence. If you pass in neither config nor an allowlist, the middleware
-     * will have no effect.
+     * the `urlPrefixAllowlist` or `allowUrl` options are passed in, in which case
+     * they take precedence. If you pass in neither config nor an
+     * allowlist/callback, the middleware will have no effect since effectively no
+     * request will match the (nonexistent) rules.
      */
     static injectIdentityAuth(options: {
         identityApi: IdentityApi;
         config?: Config;
         urlPrefixAllowlist?: string[];
+        allowUrl?: (url: string) => boolean;
         header?: {
             name: string;
             value: (backstageToken: string) => string;

package/dist/index.esm.js

@@ -1497,29 +1497,24 @@ function createFetchApi(options) {
 }
 
 class IdentityAuthInjectorFetchMiddleware {
-  constructor(identityApi, urlPrefixAllowlist, headerName, headerValue) {
+  constructor(identityApi, allowUrl, headerName, headerValue) {
     this.identityApi = identityApi;
-    this.urlPrefixAllowlist = urlPrefixAllowlist;
+    this.allowUrl = allowUrl;
     this.headerName = headerName;
     this.headerValue = headerValue;
   }
   static create(options) {
     var _a, _b;
-    const allowlist = [];
-    if (options.urlPrefixAllowlist) {
-      allowlist.push(...options.urlPrefixAllowlist);
-    } else if (options.config) {
-      allowlist.push(options.config.getString("backend.baseUrl"));
-    }
+    const matcher = buildMatcher(options);
     const headerName = ((_a = options.header) == null ? void 0 : _a.name) || "authorization";
     const headerValue = ((_b = options.header) == null ? void 0 : _b.value) || ((token) => `Bearer ${token}`);
-    return new IdentityAuthInjectorFetchMiddleware(options.identityApi, allowlist.map((prefix) => prefix.replace(/\/$/, "")), headerName, headerValue);
+    return new IdentityAuthInjectorFetchMiddleware(options.identityApi, matcher, headerName, headerValue);
   }
   apply(next) {
     return async (input, init) => {
       const request = new Request(input, init);
       const { token } = await this.identityApi.getCredentials();
-      if (request.headers.get(this.headerName) || !this.urlPrefixAllowlist.some((prefix) => request.url === prefix || request.url.startsWith(`${prefix}/`)) || typeof token !== "string" || !token) {
+      if (request.headers.get(this.headerName) || typeof token !== "string" || !token || !this.allowUrl(request.url)) {
         return next(input, init);
       }
       request.headers.set(this.headerName, this.headerValue(token));
@@ -1527,6 +1522,20 @@ class IdentityAuthInjectorFetchMiddleware {
     };
   }
 }
+function buildMatcher(options) {
+  if (options.allowUrl) {
+    return options.allowUrl;
+  } else if (options.urlPrefixAllowlist) {
+    return buildPrefixMatcher(options.urlPrefixAllowlist);
+  } else if (options.config) {
+    return buildPrefixMatcher([options.config.getString("backend.baseUrl")]);
+  }
+  return () => false;
+}
+function buildPrefixMatcher(prefixes) {
+  const trimmedPrefixes = prefixes.map((prefix) => prefix.replace(/\/$/, ""));
+  return (url) => trimmedPrefixes.some((prefix) => url === prefix || url.startsWith(`${prefix}/`));
+}
 
 function join(left, right) {
   if (!right || right === "/") {
@@ -2138,7 +2147,7 @@ const RouteTracker = ({ tree }) => {
   }));
 };
 
-function validateRoutes(routePaths, routeParents) {
+function validateRouteParameters(routePaths, routeParents) {
   const notLeafRoutes = new Set(routeParents.values());
   notLeafRoutes.delete(void 0);
   for (const route of routeParents.keys()) {
@@ -2167,6 +2176,21 @@ function validateRoutes(routePaths, routeParents) {
     }
   }
 }
+function validateRouteBindings(routeBindings, plugins) {
+  for (const plugin of plugins) {
+    if (!plugin.externalRoutes) {
+      continue;
+    }
+    for (const [name, externalRouteRef] of Object.entries(plugin.externalRoutes)) {
+      if (externalRouteRef.optional) {
+        continue;
+      }
+      if (!routeBindings.has(externalRouteRef)) {
+        throw new Error(`External route '${name}' of the '${plugin.getId()}' plugin must be bound to a target route. See https://backstage.io/link?bind-routes for details.`);
+      }
+    }
+  }
+}
 
 const AppContext = createVersionedContext("app-context");
 const AppContextProvider = ({
@@ -2361,7 +2385,7 @@ class ApiRegistry {
   }
 }
 
-function generateBoundRoutes(bindRoutes) {
+function resolveRouteBindings(bindRoutes) {
   const result = /* @__PURE__ */ new Map();
   if (bindRoutes) {
     const bind = (externalRoutes, targetRoutes) => {
@@ -2382,6 +2406,7 @@ function generateBoundRoutes(bindRoutes) {
   }
   return result;
 }
+
 function getBasePath(configApi) {
   var _a;
   let { pathname } = new URL((_a = configApi.getOptionalString("app.baseUrl")) != null ? _a : "/", "http://dummy.dev");
@@ -2453,9 +2478,16 @@ class AppManager {
   }
   getProvider() {
     const appContext = new AppContextImpl(this);
+    let routesHaveBeenValidated = false;
     const Provider = ({ children }) => {
       const appThemeApi = useMemo(() => AppThemeSelector.createWithStorage(this.themes), []);
-      const { routePaths, routeParents, routeObjects, featureFlags } = useMemo(() => {
+      const {
+        routePaths,
+        routeParents,
+        routeObjects,
+        featureFlags,
+        routeBindings
+      } = useMemo(() => {
         const result = traverseElementTree({
           root: children,
           discoverers: [childDiscoverer, routeElementDiscoverer],
@@ -2467,12 +2499,19 @@ class AppManager {
             featureFlags: featureFlagCollector
           }
         });
-        validateRoutes(result.routePaths, result.routeParents);
         result.collectedPlugins.forEach((plugin) => this.plugins.add(plugin));
         this.verifyPlugins(this.plugins);
         this.getApiHolder();
-        return result;
+        return {
+          ...result,
+          routeBindings: resolveRouteBindings(this.bindRoutes)
+        };
       }, [children]);
+      if (!routesHaveBeenValidated) {
+        routesHaveBeenValidated = true;
+        validateRouteParameters(routePaths, routeParents);
+        validateRouteBindings(routeBindings, this.plugins);
+      }
       const loadedConfig = useConfigLoader(this.configLoader, this.components, appThemeApi);
       const hasConfigApi = "api" in loadedConfig;
       if (hasConfigApi) {
@@ -2518,7 +2557,7 @@ class AppManager {
         routePaths,
         routeParents,
         routeObjects,
-        routeBindings: generateBoundRoutes(this.bindRoutes),
+        routeBindings,
         basePath: getBasePath(loadedConfig.api)
       }, children))));
     };