@backstage/core-app-api 1.12.3 → 1.12.4

package/CHANGELOG.md

@@ -1,5 +1,29 @@
 # @backstage/core-app-api
 
+## 1.12.4
+
+### Patch Changes
+
+- c884b9a: The app is now aware of if it is being served from the `app-backend` with a separate public and protected bundles. When in protected mode the app will now continuously refresh the session cookie, as well as clear the cookie if the user signs out.
+- abfbcfc: Updated dependency `@testing-library/react` to `^15.0.0`.
+- cb1e3b0: Updated dependency `@testing-library/dom` to `^10.0.0`.
+- Updated dependencies
+  - @backstage/core-plugin-api@1.9.2
+  - @backstage/version-bridge@1.0.8
+  - @backstage/config@1.2.0
+  - @backstage/types@1.1.1
+
+## 1.12.4-next.0
+
+### Patch Changes
+
+- c884b9a: The app is now aware of if it is being served from the `app-backend` with a separate public and protected bundles. When in protected mode the app will now continuously refresh the session cookie, as well as clear the cookie if the user signs out.
+- Updated dependencies
+  - @backstage/config@1.2.0
+  - @backstage/core-plugin-api@1.9.1
+  - @backstage/types@1.1.1
+  - @backstage/version-bridge@1.0.7
+
 ## 1.12.3
 
 ### Patch Changes

package/dist/index.esm.js

@@ -2,7 +2,7 @@ import React, { useContext, createContext, useEffect, useState, Children, isVali
 import PropTypes from 'prop-types';
 import { createVersionedContext, createVersionedValueMap, getOrCreateGlobalSingleton } from '@backstage/version-bridge';
 import ObservableImpl from 'zen-observable';
-import { SessionState, FeatureFlagState, AnalyticsContext, useAnalytics, attachComponentData, useApp, useApi, configApiRef, getComponentData, featureFlagsApiRef, appThemeApiRef, identityApiRef, useElementFilter } from '@backstage/core-plugin-api';
+import { SessionState, FeatureFlagState, AnalyticsContext, useAnalytics, attachComponentData, useApp, useApi, configApiRef, getComponentData, featureFlagsApiRef, appThemeApiRef, identityApiRef, errorApiRef, fetchApiRef, discoveryApiRef, useElementFilter } from '@backstage/core-plugin-api';
 import { z } from 'zod';
 import { ConfigReader } from '@backstage/config';
 export { ConfigReader } from '@backstage/config';
@@ -2967,12 +2967,134 @@ const AppContextProvider = ({
   return /* @__PURE__ */ React.createElement(AppContext.Provider, { value: versionedValue, children });
 };
 
+const PLUGIN_ID = "app";
+const CHANNEL_ID = `${PLUGIN_ID}-auth-cookie-expires-at`;
+const MIN_BASE_DELAY_MS = 5 * 6e4;
+const ERROR_BACKOFF_START = 5e3;
+const ERROR_BACKOFF_FACTOR = 2;
+const ERROR_BACKOFF_MAX = 5 * 6e4;
+function startCookieAuthRefresh({
+  discoveryApi,
+  fetchApi,
+  errorApi
+}) {
+  let stopped = false;
+  let timeout;
+  let firstError = true;
+  let errorBackoff = ERROR_BACKOFF_START;
+  const channel = "BroadcastChannel" in window ? new BroadcastChannel(CHANNEL_ID) : void 0;
+  const getDelay = (expiresAt) => {
+    const margin = (1 + 3 * Math.random()) * 6e4;
+    const delay = Math.max(expiresAt - Date.now(), MIN_BASE_DELAY_MS) - margin;
+    return delay;
+  };
+  const refresh = async () => {
+    try {
+      const baseUrl = await discoveryApi.getBaseUrl(PLUGIN_ID);
+      const requestUrl = `${baseUrl}/.backstage/auth/v1/cookie`;
+      const res = await fetchApi.fetch(requestUrl, {
+        credentials: "include"
+      });
+      if (!res.ok) {
+        throw new Error(
+          `Request failed with status ${res.status} ${res.statusText}, see request towards ${requestUrl} for more details`
+        );
+      }
+      const data = await res.json();
+      if (!data.expiresAt) {
+        throw new Error("No expiration date in response");
+      }
+      const expiresAt = Date.parse(data.expiresAt);
+      if (Number.isNaN(expiresAt)) {
+        throw new Error("Invalid expiration date in response");
+      }
+      firstError = true;
+      channel == null ? void 0 : channel.postMessage({
+        action: "COOKIE_REFRESH_SUCCESS",
+        payload: { expiresAt: new Date(expiresAt).toISOString() }
+      });
+      scheduleRefresh(getDelay(expiresAt));
+    } catch (error) {
+      if (firstError) {
+        firstError = false;
+        errorBackoff = ERROR_BACKOFF_START;
+      } else {
+        errorBackoff = Math.min(
+          ERROR_BACKOFF_MAX,
+          errorBackoff * ERROR_BACKOFF_FACTOR
+        );
+        console.error("Session cookie refresh failed", error);
+        errorApi.post(
+          new Error(
+            `Session refresh failed, see developer console for details`
+          )
+        );
+      }
+      scheduleRefresh(errorBackoff);
+    }
+  };
+  const onMessage = (event) => {
+    const { data } = event;
+    if (data === null || typeof data !== "object") {
+      return;
+    }
+    if ("action" in data && data.action === "COOKIE_REFRESH_SUCCESS") {
+      const expiresAt = Date.parse(data.payload.expiresAt);
+      if (Number.isNaN(expiresAt)) {
+        console.warn(
+          "Received invalid expiration from session refresh channel"
+        );
+        return;
+      }
+      scheduleRefresh(getDelay(expiresAt));
+    }
+  };
+  function scheduleRefresh(delayMs) {
+    if (stopped) {
+      return;
+    }
+    if (timeout) {
+      clearTimeout(timeout);
+    }
+    timeout = setTimeout(refresh, delayMs);
+  }
+  channel == null ? void 0 : channel.addEventListener("message", onMessage);
+  refresh();
+  return () => {
+    stopped = true;
+    if (timeout) {
+      clearTimeout(timeout);
+    }
+    channel == null ? void 0 : channel.removeEventListener("message", onMessage);
+    channel == null ? void 0 : channel.close();
+  };
+}
+
 var __defProp$2 = Object.defineProperty;
 var __defNormalProp$2 = (obj, key, value) => key in obj ? __defProp$2(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
 var __publicField$2 = (obj, key, value) => {
   __defNormalProp$2(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
+var __accessCheck$3 = (obj, member, msg) => {
+  if (!member.has(obj))
+    throw TypeError("Cannot " + msg);
+};
+var __privateGet$3 = (obj, member, getter) => {
+  __accessCheck$3(obj, member, "read from private field");
+  return getter ? getter.call(obj) : member.get(obj);
+};
+var __privateAdd$3 = (obj, member, value) => {
+  if (member.has(obj))
+    throw TypeError("Cannot add the same private member more than once");
+  member instanceof WeakSet ? member.add(obj) : member.set(obj, value);
+};
+var __privateSet$3 = (obj, member, value, setter) => {
+  __accessCheck$3(obj, member, "write to private field");
+  setter ? setter.call(obj, value) : member.set(obj, value);
+  return value;
+};
+var _cookieAuthSignOut;
 function mkError(thing) {
   return new Error(
     `Tried to access IdentityApi ${thing} before app was loaded`
@@ -2990,6 +3112,7 @@ class AppIdentityProxy {
     __publicField$2(this, "resolveTarget", () => {
     });
     __publicField$2(this, "signOutTargetUrl", "/");
+    __privateAdd$3(this, _cookieAuthSignOut, void 0);
     this.waitForTarget = new Promise((resolve) => {
       this.resolveTarget = resolve;
     });
@@ -3047,10 +3170,29 @@ class AppIdentityProxy {
     });
   }
   async signOut() {
+    var _a;
     await this.waitForTarget.then((target) => target.signOut());
+    await ((_a = __privateGet$3(this, _cookieAuthSignOut)) == null ? void 0 : _a.call(this));
     window.location.href = this.signOutTargetUrl;
   }
+  enableCookieAuth(ctx) {
+    if (__privateGet$3(this, _cookieAuthSignOut)) {
+      return;
+    }
+    const stopRefresh = startCookieAuthRefresh(ctx);
+    __privateSet$3(this, _cookieAuthSignOut, async () => {
+      stopRefresh();
+      const appBaseUrl = await ctx.discoveryApi.getBaseUrl("app");
+      try {
+        await ctx.fetchApi.fetch(`${appBaseUrl}/.backstage/auth/v1/cookie`, {
+          method: "DELETE"
+        });
+      } catch {
+      }
+    });
+  }
 }
+_cookieAuthSignOut = new WeakMap();
 
 function resolveTheme(themeId, shouldPreferDark, themes) {
   if (themeId !== void 0) {
@@ -3662,6 +3804,13 @@ function overrideBaseUrlConfigs(inputConfigs) {
   return configs;
 }
 
+function isProtectedApp() {
+  var _a;
+  const element = document.querySelector('meta[name="backstage-app-mode"]');
+  const appMode = (_a = element == null ? void 0 : element.getAttribute("content")) != null ? _a : "public";
+  return appMode === "protected";
+}
+
 var __defProp = Object.defineProperty;
 var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
 var __publicField = (obj, key, value) => {
@@ -3882,7 +4031,23 @@ DEPRECATION WARNING: React Router Beta is deprecated and support for it will be
         }
       }
       const { ThemeProvider = AppThemeProvider, Progress } = this.components;
-      return /* @__PURE__ */ React.createElement(ApiProvider, { apis: this.getApiHolder() }, /* @__PURE__ */ React.createElement(AppContextProvider, { appContext }, /* @__PURE__ */ React.createElement(ThemeProvider, null, /* @__PURE__ */ React.createElement(
+      const apis = this.getApiHolder();
+      if (isProtectedApp()) {
+        const errorApi = apis.get(errorApiRef);
+        const fetchApi = apis.get(fetchApiRef);
+        const discoveryApi = apis.get(discoveryApiRef);
+        if (!errorApi || !fetchApi || !discoveryApi) {
+          throw new Error(
+            "App is running in protected mode but missing required APIs"
+          );
+        }
+        this.appIdentityProxy.enableCookieAuth({
+          errorApi,
+          fetchApi,
+          discoveryApi
+        });
+      }
+      return /* @__PURE__ */ React.createElement(ApiProvider, { apis }, /* @__PURE__ */ React.createElement(AppContextProvider, { appContext }, /* @__PURE__ */ React.createElement(ThemeProvider, null, /* @__PURE__ */ React.createElement(
         RoutingProvider,
         {
           routePaths: routing.paths,