@backstage/plugin-app-backend 0.5.14 → 0.5.15-next.0

package/CHANGELOG.md

@@ -1,5 +1,15 @@
 # @backstage/plugin-app-backend
 
+## 0.5.15-next.0
+
+### Patch Changes
+
+- ca450be: Added a new `app.disablePublicEntryPoint` config option that allows you to opt out of the automatic public sign-in entry point. When set to `true`, the app backend will skip serving the public entry point to unauthenticated users, even if the app was bundled with an `index-public-experimental` entry point.
+- Updated dependencies
+  - @backstage/plugin-auth-node@0.7.2-next.0
+  - @backstage/backend-plugin-api@1.9.2-next.0
+  - @backstage/plugin-app-node@0.1.46-next.0
+
 ## 0.5.14
 
 ### Patch Changes

package/config.d.ts

@@ -42,5 +42,14 @@ export interface Config {
      * If you disable this, it is recommended to set a `staticFallbackHandler` instead.
      */
     disableStaticFallbackCache?: boolean;
+
+    /**
+     * Disables the public entry point used for unauthenticated sign-in pages.
+     * When the app is bundled with an `index-public-experimental` entry point,
+     * the app backend will automatically serve it to unauthenticated users.
+     * Set this to `true` to skip that behavior and always serve the main
+     * entry point instead.
+     */
+    disablePublicEntryPoint?: boolean;
   };
 }

package/dist/service/router.cjs.js

@@ -61,7 +61,10 @@ async function createRouter(options) {
   const router = Router__default.default();
   router.use(helmet__default.default.frameguard({ action: "deny" }));
   const publicDistDir = node_path.resolve(appDistDir, "public");
-  const enablePublicEntryPoint = await fs__default.default.pathExists(publicDistDir);
+  const disablePublicEntryPoint = config.getOptionalBoolean(
+    "app.disablePublicEntryPoint"
+  );
+  const enablePublicEntryPoint = !disablePublicEntryPoint && await fs__default.default.pathExists(publicDistDir);
   if (enablePublicEntryPoint) {
     logger.info(
       `App is running in protected mode, serving public content from ${publicDistDir}`

package/dist/service/router.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"router.cjs.js","sources":["../../src/service/router.ts"],"sourcesContent":["/*\n * Copyright 2020 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  DatabaseService,\n  resolvePackagePath,\n  RootConfigService,\n} from '@backstage/backend-plugin-api';\nimport type { AppConfig } from '@backstage/config';\nimport helmet from 'helmet';\nimport express, { Request, Response } from 'express';\nimport Router from 'express-promise-router';\nimport fs from 'fs-extra';\nimport { resolve as resolvePath } from 'node:path';\nimport {\n  createStaticAssetMiddleware,\n  findStaticAssets,\n  StaticAssetsStore,\n} from '../lib/assets';\nimport {\n  CACHE_CONTROL_MAX_CACHE,\n  CACHE_CONTROL_NO_CACHE,\n  CACHE_CONTROL_REVALIDATE_CACHE,\n} from '../lib/headers';\nimport type { ConfigSchema } from '@backstage/config-loader';\nimport {\n  AuthService,\n  HttpAuthService,\n  LoggerService,\n} from '@backstage/backend-plugin-api';\nimport { AuthenticationError, InputError } from '@backstage/errors';\nimport { injectConfig, readFrontendConfig } from '../lib/config';\n\n// express uses mime v1 while we only have types for mime v2\ntype Mime = { lookup(arg0: string): string };\n\n/**\n * @internal\n */\nexport interface RouterOptions {\n  config: RootConfigService;\n  logger: LoggerService;\n  auth: AuthService;\n  httpAuth: HttpAuthService;\n\n  /**\n   * If a database is provided it will be used to cache previously deployed static assets.\n   *\n   * This is a built-in alternative to using a `staticFallbackHandler`.\n   */\n  database: DatabaseService;\n\n  /**\n   * The name of the app package that content should be served from. The same app package should be\n   * added as a dependency to the backend package in order for it to be accessible at runtime.\n   *\n   * In a typical setup with a single app package this would be set to 'app'.\n   */\n  appPackageName: string;\n\n  /**\n   * A request handler to handle requests for static content that are not present in the app bundle.\n   *\n   * This can be used to avoid issues with clients on older deployment versions trying to access lazy\n   * loaded content that is no longer present. Typically the requests would fall back to a long-term\n   * object store where all recently deployed versions of the app are present.\n   *\n   * Another option is to provide a `database` that will take care of storing the static assets instead.\n   *\n   * If both `database` and `staticFallbackHandler` are provided, the `database` will attempt to serve\n   * static assets first, and if they are not found, the `staticFallbackHandler` will be called.\n   */\n  staticFallbackHandler?: express.Handler;\n\n  /**\n   *\n   * Provides a ConfigSchema.\n   *\n   */\n  schema?: ConfigSchema;\n}\n\n/**\n * @internal\n */\nexport async function createRouter(\n  options: RouterOptions,\n): Promise<express.Router> {\n  const {\n    config,\n    logger,\n    appPackageName,\n    staticFallbackHandler,\n    auth,\n    httpAuth,\n    schema,\n  } = options;\n\n  const disableConfigInjection = config.getOptionalBoolean(\n    'app.disableConfigInjection',\n  );\n  const disableStaticFallbackCache = config.getOptionalBoolean(\n    'app.disableStaticFallbackCache',\n  );\n\n  const appDistDir = resolvePackagePath(appPackageName, 'dist');\n  const staticDir = resolvePath(appDistDir, 'static');\n\n  if (!(await fs.pathExists(staticDir))) {\n    if (process.env.NODE_ENV === 'production') {\n      logger.error(\n        `Can't serve static app content from ${staticDir}, directory doesn't exist`,\n      );\n    }\n\n    return Router();\n  }\n\n  logger.info(`Serving static app content from ${appDistDir}`);\n\n  const appConfigs = disableConfigInjection\n    ? undefined\n    : await readFrontendConfig({\n        config,\n        appDistDir,\n        env: process.env,\n        schema,\n      });\n\n  const assetStore = !disableStaticFallbackCache\n    ? await StaticAssetsStore.create({\n        logger,\n        database: options.database,\n      })\n    : undefined;\n\n  const router = Router();\n\n  router.use(helmet.frameguard({ action: 'deny' }));\n\n  const publicDistDir = resolvePath(appDistDir, 'public');\n\n  const enablePublicEntryPoint = await fs.pathExists(publicDistDir);\n\n  if (enablePublicEntryPoint) {\n    logger.info(\n      `App is running in protected mode, serving public content from ${publicDistDir}`,\n    );\n\n    const publicRouter = Router();\n\n    publicRouter.use(async (req, res, next) => {\n      try {\n        const credentials = await httpAuth.credentials(req, {\n          allow: ['user', 'service', 'none'],\n          allowLimitedAccess: true,\n        });\n\n        if (credentials.principal.type === 'none') {\n          next();\n        } else {\n          next('router');\n        }\n      } catch {\n        // If we fail to authenticate, make sure the session cookie is cleared\n        // and continue as unauthenticated. If the user is logged in they will\n        // immediately be redirected back to the protected app via the POST.\n        await httpAuth.issueUserCookie(res, {\n          credentials: await auth.getNoneCredentials(),\n        });\n        next();\n      }\n    });\n\n    publicRouter.post(\n      '*',\n      express.urlencoded({ extended: true }),\n      async (req, res, next) => {\n        if (req.body.type === 'sign-in') {\n          const credentials = await auth.authenticate(req.body.token);\n\n          if (!auth.isPrincipal(credentials, 'user')) {\n            throw new AuthenticationError('Invalid token, not a user');\n          }\n\n          await httpAuth.issueUserCookie(res, {\n            credentials,\n          });\n\n          // Resume as if it was a GET request towards the outer protected router, serving index.html\n          req.method = 'GET';\n          next('router');\n        } else {\n          throw new InputError(\n            'Invalid POST request to app-backend wildcard endpoint',\n          );\n        }\n      },\n    );\n\n    publicRouter.use(\n      await createEntryPointRouter({\n        logger: logger.child({ entry: 'public' }),\n        rootDir: publicDistDir,\n        assetStore: assetStore?.withNamespace('public'),\n        appConfigs, // TODO(Rugvip): We should not be including the full config here\n      }),\n    );\n\n    router.use(publicRouter);\n  }\n\n  router.use(\n    await createEntryPointRouter({\n      logger: logger.child({ entry: 'main' }),\n      rootDir: appDistDir,\n      assetStore,\n      staticFallbackHandler,\n      appConfigs,\n    }),\n  );\n\n  return router;\n}\n\nasync function createEntryPointRouter({\n  logger,\n  rootDir,\n  assetStore,\n  staticFallbackHandler,\n  appConfigs,\n}: {\n  logger: LoggerService;\n  rootDir: string;\n  assetStore?: StaticAssetsStore;\n  staticFallbackHandler?: express.Handler;\n  appConfigs?: AppConfig[];\n}) {\n  const staticDir = resolvePath(rootDir, 'static');\n\n  const injectResult =\n    appConfigs &&\n    (await injectConfig({ appConfigs, logger, rootDir, staticDir }));\n\n  const router = Router();\n\n  // Use a separate router for static content so that a fallback can be provided by backend\n  const staticRouter = Router();\n  staticRouter.use(\n    express.static(staticDir, {\n      setHeaders: (res, path) => {\n        if (injectResult?.injectedPath === path) {\n          res.setHeader('Cache-Control', CACHE_CONTROL_REVALIDATE_CACHE);\n        } else {\n          res.setHeader('Cache-Control', CACHE_CONTROL_MAX_CACHE);\n        }\n      },\n    }),\n  );\n\n  if (assetStore) {\n    const assets = await findStaticAssets(staticDir);\n    await assetStore.storeAssets(assets);\n    // Remove any assets that are older than 7 days\n    await assetStore.trimAssets({ maxAgeSeconds: 60 * 60 * 24 * 7 });\n\n    staticRouter.use(createStaticAssetMiddleware(assetStore));\n  }\n\n  if (staticFallbackHandler) {\n    staticRouter.use(staticFallbackHandler);\n  }\n  staticRouter.use((_req: Request, res: Response) => {\n    res.status(404).end();\n  });\n\n  router.use('/static', staticRouter);\n\n  const rootRouter = Router();\n  rootRouter.use((req, _res, next) => {\n    // Make sure / and /index.html are handled by the HTML5 route below\n    if (req.path === '/' || req.path === '/index.html') {\n      next('router');\n    } else {\n      next();\n    }\n  });\n  rootRouter.use(\n    express.static(rootDir, {\n      setHeaders: (res, path) => {\n        // The Cache-Control header instructs the browser to not cache html files since it might\n        // link to static assets from recently deployed versions.\n        if (\n          (express.static.mime as unknown as Mime).lookup(path) === 'text/html'\n        ) {\n          res.setHeader('Cache-Control', CACHE_CONTROL_NO_CACHE);\n        }\n      },\n    }),\n  );\n  router.use(rootRouter);\n\n  // HTML5 routing\n  router.get('/*', (_req, res) => {\n    if (injectResult?.indexHtmlContent) {\n      res.setHeader('Content-Type', 'text/html; charset=utf-8');\n      res.setHeader('Cache-Control', CACHE_CONTROL_NO_CACHE);\n      res.send(injectResult.indexHtmlContent);\n    } else {\n      res.sendFile(resolvePath(rootDir, 'index.html'), {\n        headers: {\n          // The Cache-Control header instructs the browser to not cache the index.html since it might\n          // link to static assets from recently deployed versions.\n          'cache-control': CACHE_CONTROL_NO_CACHE,\n        },\n      });\n    }\n  });\n\n  return router;\n}\n"],"names":["resolvePackagePath","resolvePath","fs","Router","readFrontendConfig","StaticAssetsStore","helmet","express","AuthenticationError","InputError","injectConfig","CACHE_CONTROL_REVALIDATE_CACHE","CACHE_CONTROL_MAX_CACHE","findStaticAssets","createStaticAssetMiddleware","CACHE_CONTROL_NO_CACHE"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;AAkGA,eAAsB,aACpB,OAAA,EACyB;AACzB,EAAA,MAAM;AAAA,IACJ,MAAA;AAAA,IACA,MAAA;AAAA,IACA,cAAA;AAAA,IACA,qBAAA;AAAA,IACA,IAAA;AAAA,IACA,QAAA;AAAA,IACA;AAAA,GACF,GAAI,OAAA;AAEJ,EAAA,MAAM,yBAAyB,MAAA,CAAO,kBAAA;AAAA,IACpC;AAAA,GACF;AACA,EAAA,MAAM,6BAA6B,MAAA,CAAO,kBAAA;AAAA,IACxC;AAAA,GACF;AAEA,EAAA,MAAM,UAAA,GAAaA,mCAAA,CAAmB,cAAA,EAAgB,MAAM,CAAA;AAC5D,EAAA,MAAM,SAAA,GAAYC,iBAAA,CAAY,UAAA,EAAY,QAAQ,CAAA;AAElD,EAAA,IAAI,CAAE,MAAMC,mBAAA,CAAG,UAAA,CAAW,SAAS,CAAA,EAAI;AACrC,IAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,YAAA,EAAc;AACzC,MAAA,MAAA,CAAO,KAAA;AAAA,QACL,uCAAuC,SAAS,CAAA,yBAAA;AAAA,OAClD;AAAA,IACF;AAEA,IAAA,OAAOC,uBAAA,EAAO;AAAA,EAChB;AAEA,EAAA,MAAA,CAAO,IAAA,CAAK,CAAA,gCAAA,EAAmC,UAAU,CAAA,CAAE,CAAA;AAE3D,EAAA,MAAM,UAAA,GAAa,sBAAA,GACf,MAAA,GACA,MAAMC,qCAAA,CAAmB;AAAA,IACvB,MAAA;AAAA,IACA,UAAA;AAAA,IACA,KAAK,OAAA,CAAQ,GAAA;AAAA,IACb;AAAA,GACD,CAAA;AAEL,EAAA,MAAM,UAAA,GAAa,CAAC,0BAAA,GAChB,MAAMC,oCAAkB,MAAA,CAAO;AAAA,IAC7B,MAAA;AAAA,IACA,UAAU,OAAA,CAAQ;AAAA,GACnB,CAAA,GACD,MAAA;AAEJ,EAAA,MAAM,SAASF,uBAAA,EAAO;AAEtB,EAAA,MAAA,CAAO,IAAIG,uBAAA,CAAO,UAAA,CAAW,EAAE,MAAA,EAAQ,MAAA,EAAQ,CAAC,CAAA;AAEhD,EAAA,MAAM,aAAA,GAAgBL,iBAAA,CAAY,UAAA,EAAY,QAAQ,CAAA;AAEtD,EAAA,MAAM,sBAAA,GAAyB,MAAMC,mBAAA,CAAG,UAAA,CAAW,aAAa,CAAA;AAEhE,EAAA,IAAI,sBAAA,EAAwB;AAC1B,IAAA,MAAA,CAAO,IAAA;AAAA,MACL,iEAAiE,aAAa,CAAA;AAAA,KAChF;AAEA,IAAA,MAAM,eAAeC,uBAAA,EAAO;AAE5B,IAAA,YAAA,CAAa,GAAA,CAAI,OAAO,GAAA,EAAK,GAAA,EAAK,IAAA,KAAS;AACzC,MAAA,IAAI;AACF,QAAA,MAAM,WAAA,GAAc,MAAM,QAAA,CAAS,WAAA,CAAY,GAAA,EAAK;AAAA,UAClD,KAAA,EAAO,CAAC,MAAA,EAAQ,SAAA,EAAW,MAAM,CAAA;AAAA,UACjC,kBAAA,EAAoB;AAAA,SACrB,CAAA;AAED,QAAA,IAAI,WAAA,CAAY,SAAA,CAAU,IAAA,KAAS,MAAA,EAAQ;AACzC,UAAA,IAAA,EAAK;AAAA,QACP,CAAA,MAAO;AACL,UAAA,IAAA,CAAK,QAAQ,CAAA;AAAA,QACf;AAAA,MACF,CAAA,CAAA,MAAQ;AAIN,QAAA,MAAM,QAAA,CAAS,gBAAgB,GAAA,EAAK;AAAA,UAClC,WAAA,EAAa,MAAM,IAAA,CAAK,kBAAA;AAAmB,SAC5C,CAAA;AACD,QAAA,IAAA,EAAK;AAAA,MACP;AAAA,IACF,CAAC,CAAA;AAED,IAAA,YAAA,CAAa,IAAA;AAAA,MACX,GAAA;AAAA,MACAI,wBAAA,CAAQ,UAAA,CAAW,EAAE,QAAA,EAAU,MAAM,CAAA;AAAA,MACrC,OAAO,GAAA,EAAK,GAAA,EAAK,IAAA,KAAS;AACxB,QAAA,IAAI,GAAA,CAAI,IAAA,CAAK,IAAA,KAAS,SAAA,EAAW;AAC/B,UAAA,MAAM,cAAc,MAAM,IAAA,CAAK,YAAA,CAAa,GAAA,CAAI,KAAK,KAAK,CAAA;AAE1D,UAAA,IAAI,CAAC,IAAA,CAAK,WAAA,CAAY,WAAA,EAAa,MAAM,CAAA,EAAG;AAC1C,YAAA,MAAM,IAAIC,2BAAoB,2BAA2B,CAAA;AAAA,UAC3D;AAEA,UAAA,MAAM,QAAA,CAAS,gBAAgB,GAAA,EAAK;AAAA,YAClC;AAAA,WACD,CAAA;AAGD,UAAA,GAAA,CAAI,MAAA,GAAS,KAAA;AACb,UAAA,IAAA,CAAK,QAAQ,CAAA;AAAA,QACf,CAAA,MAAO;AACL,UAAA,MAAM,IAAIC,iBAAA;AAAA,YACR;AAAA,WACF;AAAA,QACF;AAAA,MACF;AAAA,KACF;AAEA,IAAA,YAAA,CAAa,GAAA;AAAA,MACX,MAAM,sBAAA,CAAuB;AAAA,QAC3B,QAAQ,MAAA,CAAO,KAAA,CAAM,EAAE,KAAA,EAAO,UAAU,CAAA;AAAA,QACxC,OAAA,EAAS,aAAA;AAAA,QACT,UAAA,EAAY,UAAA,EAAY,aAAA,CAAc,QAAQ,CAAA;AAAA,QAC9C;AAAA;AAAA,OACD;AAAA,KACH;AAEA,IAAA,MAAA,CAAO,IAAI,YAAY,CAAA;AAAA,EACzB;AAEA,EAAA,MAAA,CAAO,GAAA;AAAA,IACL,MAAM,sBAAA,CAAuB;AAAA,MAC3B,QAAQ,MAAA,CAAO,KAAA,CAAM,EAAE,KAAA,EAAO,QAAQ,CAAA;AAAA,MACtC,OAAA,EAAS,UAAA;AAAA,MACT,UAAA;AAAA,MACA,qBAAA;AAAA,MACA;AAAA,KACD;AAAA,GACH;AAEA,EAAA,OAAO,MAAA;AACT;AAEA,eAAe,sBAAA,CAAuB;AAAA,EACpC,MAAA;AAAA,EACA,OAAA;AAAA,EACA,UAAA;AAAA,EACA,qBAAA;AAAA,EACA;AACF,CAAA,EAMG;AACD,EAAA,MAAM,SAAA,GAAYR,iBAAA,CAAY,OAAA,EAAS,QAAQ,CAAA;AAE/C,EAAA,MAAM,YAAA,GACJ,cACC,MAAMS,yBAAA,CAAa,EAAE,UAAA,EAAY,MAAA,EAAQ,OAAA,EAAS,SAAA,EAAW,CAAA;AAEhE,EAAA,MAAM,SAASP,uBAAA,EAAO;AAGtB,EAAA,MAAM,eAAeA,uBAAA,EAAO;AAC5B,EAAA,YAAA,CAAa,GAAA;AAAA,IACXI,wBAAA,CAAQ,OAAO,SAAA,EAAW;AAAA,MACxB,UAAA,EAAY,CAAC,GAAA,EAAK,IAAA,KAAS;AACzB,QAAA,IAAI,YAAA,EAAc,iBAAiB,IAAA,EAAM;AACvC,UAAA,GAAA,CAAI,SAAA,CAAU,iBAAiBI,sCAA8B,CAAA;AAAA,QAC/D,CAAA,MAAO;AACL,UAAA,GAAA,CAAI,SAAA,CAAU,iBAAiBC,+BAAuB,CAAA;AAAA,QACxD;AAAA,MACF;AAAA,KACD;AAAA,GACH;AAEA,EAAA,IAAI,UAAA,EAAY;AACd,IAAA,MAAM,MAAA,GAAS,MAAMC,iCAAA,CAAiB,SAAS,CAAA;AAC/C,IAAA,MAAM,UAAA,CAAW,YAAY,MAAM,CAAA;AAEnC,IAAA,MAAM,UAAA,CAAW,WAAW,EAAE,aAAA,EAAe,KAAK,EAAA,GAAK,EAAA,GAAK,GAAG,CAAA;AAE/D,IAAA,YAAA,CAAa,GAAA,CAAIC,uDAAA,CAA4B,UAAU,CAAC,CAAA;AAAA,EAC1D;AAEA,EAAA,IAAI,qBAAA,EAAuB;AACzB,IAAA,YAAA,CAAa,IAAI,qBAAqB,CAAA;AAAA,EACxC;AACA,EAAA,YAAA,CAAa,GAAA,CAAI,CAAC,IAAA,EAAe,GAAA,KAAkB;AACjD,IAAA,GAAA,CAAI,MAAA,CAAO,GAAG,CAAA,CAAE,GAAA,EAAI;AAAA,EACtB,CAAC,CAAA;AAED,EAAA,MAAA,CAAO,GAAA,CAAI,WAAW,YAAY,CAAA;AAElC,EAAA,MAAM,aAAaX,uBAAA,EAAO;AAC1B,EAAA,UAAA,CAAW,GAAA,CAAI,CAAC,GAAA,EAAK,IAAA,EAAM,IAAA,KAAS;AAElC,IAAA,IAAI,GAAA,CAAI,IAAA,KAAS,GAAA,IAAO,GAAA,CAAI,SAAS,aAAA,EAAe;AAClD,MAAA,IAAA,CAAK,QAAQ,CAAA;AAAA,IACf,CAAA,MAAO;AACL,MAAA,IAAA,EAAK;AAAA,IACP;AAAA,EACF,CAAC,CAAA;AACD,EAAA,UAAA,CAAW,GAAA;AAAA,IACTI,wBAAA,CAAQ,OAAO,OAAA,EAAS;AAAA,MACtB,UAAA,EAAY,CAAC,GAAA,EAAK,IAAA,KAAS;AAGzB,QAAA,IACGA,yBAAQ,MAAA,CAAO,IAAA,CAAyB,MAAA,CAAO,IAAI,MAAM,WAAA,EAC1D;AACA,UAAA,GAAA,CAAI,SAAA,CAAU,iBAAiBQ,8BAAsB,CAAA;AAAA,QACvD;AAAA,MACF;AAAA,KACD;AAAA,GACH;AACA,EAAA,MAAA,CAAO,IAAI,UAAU,CAAA;AAGrB,EAAA,MAAA,CAAO,GAAA,CAAI,IAAA,EAAM,CAAC,IAAA,EAAM,GAAA,KAAQ;AAC9B,IAAA,IAAI,cAAc,gBAAA,EAAkB;AAClC,MAAA,GAAA,CAAI,SAAA,CAAU,gBAAgB,0BAA0B,CAAA;AACxD,MAAA,GAAA,CAAI,SAAA,CAAU,iBAAiBA,8BAAsB,CAAA;AACrD,MAAA,GAAA,CAAI,IAAA,CAAK,aAAa,gBAAgB,CAAA;AAAA,IACxC,CAAA,MAAO;AACL,MAAA,GAAA,CAAI,QAAA,CAASd,iBAAA,CAAY,OAAA,EAAS,YAAY,CAAA,EAAG;AAAA,QAC/C,OAAA,EAAS;AAAA;AAAA;AAAA,UAGP,eAAA,EAAiBc;AAAA;AACnB,OACD,CAAA;AAAA,IACH;AAAA,EACF,CAAC,CAAA;AAED,EAAA,OAAO,MAAA;AACT;;;;"}
+{"version":3,"file":"router.cjs.js","sources":["../../src/service/router.ts"],"sourcesContent":["/*\n * Copyright 2020 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  DatabaseService,\n  resolvePackagePath,\n  RootConfigService,\n} from '@backstage/backend-plugin-api';\nimport type { AppConfig } from '@backstage/config';\nimport helmet from 'helmet';\nimport express, { Request, Response } from 'express';\nimport Router from 'express-promise-router';\nimport fs from 'fs-extra';\nimport { resolve as resolvePath } from 'node:path';\nimport {\n  createStaticAssetMiddleware,\n  findStaticAssets,\n  StaticAssetsStore,\n} from '../lib/assets';\nimport {\n  CACHE_CONTROL_MAX_CACHE,\n  CACHE_CONTROL_NO_CACHE,\n  CACHE_CONTROL_REVALIDATE_CACHE,\n} from '../lib/headers';\nimport type { ConfigSchema } from '@backstage/config-loader';\nimport {\n  AuthService,\n  HttpAuthService,\n  LoggerService,\n} from '@backstage/backend-plugin-api';\nimport { AuthenticationError, InputError } from '@backstage/errors';\nimport { injectConfig, readFrontendConfig } from '../lib/config';\n\n// express uses mime v1 while we only have types for mime v2\ntype Mime = { lookup(arg0: string): string };\n\n/**\n * @internal\n */\nexport interface RouterOptions {\n  config: RootConfigService;\n  logger: LoggerService;\n  auth: AuthService;\n  httpAuth: HttpAuthService;\n\n  /**\n   * If a database is provided it will be used to cache previously deployed static assets.\n   *\n   * This is a built-in alternative to using a `staticFallbackHandler`.\n   */\n  database: DatabaseService;\n\n  /**\n   * The name of the app package that content should be served from. The same app package should be\n   * added as a dependency to the backend package in order for it to be accessible at runtime.\n   *\n   * In a typical setup with a single app package this would be set to 'app'.\n   */\n  appPackageName: string;\n\n  /**\n   * A request handler to handle requests for static content that are not present in the app bundle.\n   *\n   * This can be used to avoid issues with clients on older deployment versions trying to access lazy\n   * loaded content that is no longer present. Typically the requests would fall back to a long-term\n   * object store where all recently deployed versions of the app are present.\n   *\n   * Another option is to provide a `database` that will take care of storing the static assets instead.\n   *\n   * If both `database` and `staticFallbackHandler` are provided, the `database` will attempt to serve\n   * static assets first, and if they are not found, the `staticFallbackHandler` will be called.\n   */\n  staticFallbackHandler?: express.Handler;\n\n  /**\n   *\n   * Provides a ConfigSchema.\n   *\n   */\n  schema?: ConfigSchema;\n}\n\n/**\n * @internal\n */\nexport async function createRouter(\n  options: RouterOptions,\n): Promise<express.Router> {\n  const {\n    config,\n    logger,\n    appPackageName,\n    staticFallbackHandler,\n    auth,\n    httpAuth,\n    schema,\n  } = options;\n\n  const disableConfigInjection = config.getOptionalBoolean(\n    'app.disableConfigInjection',\n  );\n  const disableStaticFallbackCache = config.getOptionalBoolean(\n    'app.disableStaticFallbackCache',\n  );\n\n  const appDistDir = resolvePackagePath(appPackageName, 'dist');\n  const staticDir = resolvePath(appDistDir, 'static');\n\n  if (!(await fs.pathExists(staticDir))) {\n    if (process.env.NODE_ENV === 'production') {\n      logger.error(\n        `Can't serve static app content from ${staticDir}, directory doesn't exist`,\n      );\n    }\n\n    return Router();\n  }\n\n  logger.info(`Serving static app content from ${appDistDir}`);\n\n  const appConfigs = disableConfigInjection\n    ? undefined\n    : await readFrontendConfig({\n        config,\n        appDistDir,\n        env: process.env,\n        schema,\n      });\n\n  const assetStore = !disableStaticFallbackCache\n    ? await StaticAssetsStore.create({\n        logger,\n        database: options.database,\n      })\n    : undefined;\n\n  const router = Router();\n\n  router.use(helmet.frameguard({ action: 'deny' }));\n\n  const publicDistDir = resolvePath(appDistDir, 'public');\n\n  const disablePublicEntryPoint = config.getOptionalBoolean(\n    'app.disablePublicEntryPoint',\n  );\n  const enablePublicEntryPoint =\n    !disablePublicEntryPoint && (await fs.pathExists(publicDistDir));\n\n  if (enablePublicEntryPoint) {\n    logger.info(\n      `App is running in protected mode, serving public content from ${publicDistDir}`,\n    );\n\n    const publicRouter = Router();\n\n    publicRouter.use(async (req, res, next) => {\n      try {\n        const credentials = await httpAuth.credentials(req, {\n          allow: ['user', 'service', 'none'],\n          allowLimitedAccess: true,\n        });\n\n        if (credentials.principal.type === 'none') {\n          next();\n        } else {\n          next('router');\n        }\n      } catch {\n        // If we fail to authenticate, make sure the session cookie is cleared\n        // and continue as unauthenticated. If the user is logged in they will\n        // immediately be redirected back to the protected app via the POST.\n        await httpAuth.issueUserCookie(res, {\n          credentials: await auth.getNoneCredentials(),\n        });\n        next();\n      }\n    });\n\n    publicRouter.post(\n      '*',\n      express.urlencoded({ extended: true }),\n      async (req, res, next) => {\n        if (req.body.type === 'sign-in') {\n          const credentials = await auth.authenticate(req.body.token);\n\n          if (!auth.isPrincipal(credentials, 'user')) {\n            throw new AuthenticationError('Invalid token, not a user');\n          }\n\n          await httpAuth.issueUserCookie(res, {\n            credentials,\n          });\n\n          // Resume as if it was a GET request towards the outer protected router, serving index.html\n          req.method = 'GET';\n          next('router');\n        } else {\n          throw new InputError(\n            'Invalid POST request to app-backend wildcard endpoint',\n          );\n        }\n      },\n    );\n\n    publicRouter.use(\n      await createEntryPointRouter({\n        logger: logger.child({ entry: 'public' }),\n        rootDir: publicDistDir,\n        assetStore: assetStore?.withNamespace('public'),\n        appConfigs, // TODO(Rugvip): We should not be including the full config here\n      }),\n    );\n\n    router.use(publicRouter);\n  }\n\n  router.use(\n    await createEntryPointRouter({\n      logger: logger.child({ entry: 'main' }),\n      rootDir: appDistDir,\n      assetStore,\n      staticFallbackHandler,\n      appConfigs,\n    }),\n  );\n\n  return router;\n}\n\nasync function createEntryPointRouter({\n  logger,\n  rootDir,\n  assetStore,\n  staticFallbackHandler,\n  appConfigs,\n}: {\n  logger: LoggerService;\n  rootDir: string;\n  assetStore?: StaticAssetsStore;\n  staticFallbackHandler?: express.Handler;\n  appConfigs?: AppConfig[];\n}) {\n  const staticDir = resolvePath(rootDir, 'static');\n\n  const injectResult =\n    appConfigs &&\n    (await injectConfig({ appConfigs, logger, rootDir, staticDir }));\n\n  const router = Router();\n\n  // Use a separate router for static content so that a fallback can be provided by backend\n  const staticRouter = Router();\n  staticRouter.use(\n    express.static(staticDir, {\n      setHeaders: (res, path) => {\n        if (injectResult?.injectedPath === path) {\n          res.setHeader('Cache-Control', CACHE_CONTROL_REVALIDATE_CACHE);\n        } else {\n          res.setHeader('Cache-Control', CACHE_CONTROL_MAX_CACHE);\n        }\n      },\n    }),\n  );\n\n  if (assetStore) {\n    const assets = await findStaticAssets(staticDir);\n    await assetStore.storeAssets(assets);\n    // Remove any assets that are older than 7 days\n    await assetStore.trimAssets({ maxAgeSeconds: 60 * 60 * 24 * 7 });\n\n    staticRouter.use(createStaticAssetMiddleware(assetStore));\n  }\n\n  if (staticFallbackHandler) {\n    staticRouter.use(staticFallbackHandler);\n  }\n  staticRouter.use((_req: Request, res: Response) => {\n    res.status(404).end();\n  });\n\n  router.use('/static', staticRouter);\n\n  const rootRouter = Router();\n  rootRouter.use((req, _res, next) => {\n    // Make sure / and /index.html are handled by the HTML5 route below\n    if (req.path === '/' || req.path === '/index.html') {\n      next('router');\n    } else {\n      next();\n    }\n  });\n  rootRouter.use(\n    express.static(rootDir, {\n      setHeaders: (res, path) => {\n        // The Cache-Control header instructs the browser to not cache html files since it might\n        // link to static assets from recently deployed versions.\n        if (\n          (express.static.mime as unknown as Mime).lookup(path) === 'text/html'\n        ) {\n          res.setHeader('Cache-Control', CACHE_CONTROL_NO_CACHE);\n        }\n      },\n    }),\n  );\n  router.use(rootRouter);\n\n  // HTML5 routing\n  router.get('/*', (_req, res) => {\n    if (injectResult?.indexHtmlContent) {\n      res.setHeader('Content-Type', 'text/html; charset=utf-8');\n      res.setHeader('Cache-Control', CACHE_CONTROL_NO_CACHE);\n      res.send(injectResult.indexHtmlContent);\n    } else {\n      res.sendFile(resolvePath(rootDir, 'index.html'), {\n        headers: {\n          // The Cache-Control header instructs the browser to not cache the index.html since it might\n          // link to static assets from recently deployed versions.\n          'cache-control': CACHE_CONTROL_NO_CACHE,\n        },\n      });\n    }\n  });\n\n  return router;\n}\n"],"names":["resolvePackagePath","resolvePath","fs","Router","readFrontendConfig","StaticAssetsStore","helmet","express","AuthenticationError","InputError","injectConfig","CACHE_CONTROL_REVALIDATE_CACHE","CACHE_CONTROL_MAX_CACHE","findStaticAssets","createStaticAssetMiddleware","CACHE_CONTROL_NO_CACHE"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;AAkGA,eAAsB,aACpB,OAAA,EACyB;AACzB,EAAA,MAAM;AAAA,IACJ,MAAA;AAAA,IACA,MAAA;AAAA,IACA,cAAA;AAAA,IACA,qBAAA;AAAA,IACA,IAAA;AAAA,IACA,QAAA;AAAA,IACA;AAAA,GACF,GAAI,OAAA;AAEJ,EAAA,MAAM,yBAAyB,MAAA,CAAO,kBAAA;AAAA,IACpC;AAAA,GACF;AACA,EAAA,MAAM,6BAA6B,MAAA,CAAO,kBAAA;AAAA,IACxC;AAAA,GACF;AAEA,EAAA,MAAM,UAAA,GAAaA,mCAAA,CAAmB,cAAA,EAAgB,MAAM,CAAA;AAC5D,EAAA,MAAM,SAAA,GAAYC,iBAAA,CAAY,UAAA,EAAY,QAAQ,CAAA;AAElD,EAAA,IAAI,CAAE,MAAMC,mBAAA,CAAG,UAAA,CAAW,SAAS,CAAA,EAAI;AACrC,IAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,YAAA,EAAc;AACzC,MAAA,MAAA,CAAO,KAAA;AAAA,QACL,uCAAuC,SAAS,CAAA,yBAAA;AAAA,OAClD;AAAA,IACF;AAEA,IAAA,OAAOC,uBAAA,EAAO;AAAA,EAChB;AAEA,EAAA,MAAA,CAAO,IAAA,CAAK,CAAA,gCAAA,EAAmC,UAAU,CAAA,CAAE,CAAA;AAE3D,EAAA,MAAM,UAAA,GAAa,sBAAA,GACf,MAAA,GACA,MAAMC,qCAAA,CAAmB;AAAA,IACvB,MAAA;AAAA,IACA,UAAA;AAAA,IACA,KAAK,OAAA,CAAQ,GAAA;AAAA,IACb;AAAA,GACD,CAAA;AAEL,EAAA,MAAM,UAAA,GAAa,CAAC,0BAAA,GAChB,MAAMC,oCAAkB,MAAA,CAAO;AAAA,IAC7B,MAAA;AAAA,IACA,UAAU,OAAA,CAAQ;AAAA,GACnB,CAAA,GACD,MAAA;AAEJ,EAAA,MAAM,SAASF,uBAAA,EAAO;AAEtB,EAAA,MAAA,CAAO,IAAIG,uBAAA,CAAO,UAAA,CAAW,EAAE,MAAA,EAAQ,MAAA,EAAQ,CAAC,CAAA;AAEhD,EAAA,MAAM,aAAA,GAAgBL,iBAAA,CAAY,UAAA,EAAY,QAAQ,CAAA;AAEtD,EAAA,MAAM,0BAA0B,MAAA,CAAO,kBAAA;AAAA,IACrC;AAAA,GACF;AACA,EAAA,MAAM,yBACJ,CAAC,uBAAA,IAA4B,MAAMC,mBAAA,CAAG,WAAW,aAAa,CAAA;AAEhE,EAAA,IAAI,sBAAA,EAAwB;AAC1B,IAAA,MAAA,CAAO,IAAA;AAAA,MACL,iEAAiE,aAAa,CAAA;AAAA,KAChF;AAEA,IAAA,MAAM,eAAeC,uBAAA,EAAO;AAE5B,IAAA,YAAA,CAAa,GAAA,CAAI,OAAO,GAAA,EAAK,GAAA,EAAK,IAAA,KAAS;AACzC,MAAA,IAAI;AACF,QAAA,MAAM,WAAA,GAAc,MAAM,QAAA,CAAS,WAAA,CAAY,GAAA,EAAK;AAAA,UAClD,KAAA,EAAO,CAAC,MAAA,EAAQ,SAAA,EAAW,MAAM,CAAA;AAAA,UACjC,kBAAA,EAAoB;AAAA,SACrB,CAAA;AAED,QAAA,IAAI,WAAA,CAAY,SAAA,CAAU,IAAA,KAAS,MAAA,EAAQ;AACzC,UAAA,IAAA,EAAK;AAAA,QACP,CAAA,MAAO;AACL,UAAA,IAAA,CAAK,QAAQ,CAAA;AAAA,QACf;AAAA,MACF,CAAA,CAAA,MAAQ;AAIN,QAAA,MAAM,QAAA,CAAS,gBAAgB,GAAA,EAAK;AAAA,UAClC,WAAA,EAAa,MAAM,IAAA,CAAK,kBAAA;AAAmB,SAC5C,CAAA;AACD,QAAA,IAAA,EAAK;AAAA,MACP;AAAA,IACF,CAAC,CAAA;AAED,IAAA,YAAA,CAAa,IAAA;AAAA,MACX,GAAA;AAAA,MACAI,wBAAA,CAAQ,UAAA,CAAW,EAAE,QAAA,EAAU,MAAM,CAAA;AAAA,MACrC,OAAO,GAAA,EAAK,GAAA,EAAK,IAAA,KAAS;AACxB,QAAA,IAAI,GAAA,CAAI,IAAA,CAAK,IAAA,KAAS,SAAA,EAAW;AAC/B,UAAA,MAAM,cAAc,MAAM,IAAA,CAAK,YAAA,CAAa,GAAA,CAAI,KAAK,KAAK,CAAA;AAE1D,UAAA,IAAI,CAAC,IAAA,CAAK,WAAA,CAAY,WAAA,EAAa,MAAM,CAAA,EAAG;AAC1C,YAAA,MAAM,IAAIC,2BAAoB,2BAA2B,CAAA;AAAA,UAC3D;AAEA,UAAA,MAAM,QAAA,CAAS,gBAAgB,GAAA,EAAK;AAAA,YAClC;AAAA,WACD,CAAA;AAGD,UAAA,GAAA,CAAI,MAAA,GAAS,KAAA;AACb,UAAA,IAAA,CAAK,QAAQ,CAAA;AAAA,QACf,CAAA,MAAO;AACL,UAAA,MAAM,IAAIC,iBAAA;AAAA,YACR;AAAA,WACF;AAAA,QACF;AAAA,MACF;AAAA,KACF;AAEA,IAAA,YAAA,CAAa,GAAA;AAAA,MACX,MAAM,sBAAA,CAAuB;AAAA,QAC3B,QAAQ,MAAA,CAAO,KAAA,CAAM,EAAE,KAAA,EAAO,UAAU,CAAA;AAAA,QACxC,OAAA,EAAS,aAAA;AAAA,QACT,UAAA,EAAY,UAAA,EAAY,aAAA,CAAc,QAAQ,CAAA;AAAA,QAC9C;AAAA;AAAA,OACD;AAAA,KACH;AAEA,IAAA,MAAA,CAAO,IAAI,YAAY,CAAA;AAAA,EACzB;AAEA,EAAA,MAAA,CAAO,GAAA;AAAA,IACL,MAAM,sBAAA,CAAuB;AAAA,MAC3B,QAAQ,MAAA,CAAO,KAAA,CAAM,EAAE,KAAA,EAAO,QAAQ,CAAA;AAAA,MACtC,OAAA,EAAS,UAAA;AAAA,MACT,UAAA;AAAA,MACA,qBAAA;AAAA,MACA;AAAA,KACD;AAAA,GACH;AAEA,EAAA,OAAO,MAAA;AACT;AAEA,eAAe,sBAAA,CAAuB;AAAA,EACpC,MAAA;AAAA,EACA,OAAA;AAAA,EACA,UAAA;AAAA,EACA,qBAAA;AAAA,EACA;AACF,CAAA,EAMG;AACD,EAAA,MAAM,SAAA,GAAYR,iBAAA,CAAY,OAAA,EAAS,QAAQ,CAAA;AAE/C,EAAA,MAAM,YAAA,GACJ,cACC,MAAMS,yBAAA,CAAa,EAAE,UAAA,EAAY,MAAA,EAAQ,OAAA,EAAS,SAAA,EAAW,CAAA;AAEhE,EAAA,MAAM,SAASP,uBAAA,EAAO;AAGtB,EAAA,MAAM,eAAeA,uBAAA,EAAO;AAC5B,EAAA,YAAA,CAAa,GAAA;AAAA,IACXI,wBAAA,CAAQ,OAAO,SAAA,EAAW;AAAA,MACxB,UAAA,EAAY,CAAC,GAAA,EAAK,IAAA,KAAS;AACzB,QAAA,IAAI,YAAA,EAAc,iBAAiB,IAAA,EAAM;AACvC,UAAA,GAAA,CAAI,SAAA,CAAU,iBAAiBI,sCAA8B,CAAA;AAAA,QAC/D,CAAA,MAAO;AACL,UAAA,GAAA,CAAI,SAAA,CAAU,iBAAiBC,+BAAuB,CAAA;AAAA,QACxD;AAAA,MACF;AAAA,KACD;AAAA,GACH;AAEA,EAAA,IAAI,UAAA,EAAY;AACd,IAAA,MAAM,MAAA,GAAS,MAAMC,iCAAA,CAAiB,SAAS,CAAA;AAC/C,IAAA,MAAM,UAAA,CAAW,YAAY,MAAM,CAAA;AAEnC,IAAA,MAAM,UAAA,CAAW,WAAW,EAAE,aAAA,EAAe,KAAK,EAAA,GAAK,EAAA,GAAK,GAAG,CAAA;AAE/D,IAAA,YAAA,CAAa,GAAA,CAAIC,uDAAA,CAA4B,UAAU,CAAC,CAAA;AAAA,EAC1D;AAEA,EAAA,IAAI,qBAAA,EAAuB;AACzB,IAAA,YAAA,CAAa,IAAI,qBAAqB,CAAA;AAAA,EACxC;AACA,EAAA,YAAA,CAAa,GAAA,CAAI,CAAC,IAAA,EAAe,GAAA,KAAkB;AACjD,IAAA,GAAA,CAAI,MAAA,CAAO,GAAG,CAAA,CAAE,GAAA,EAAI;AAAA,EACtB,CAAC,CAAA;AAED,EAAA,MAAA,CAAO,GAAA,CAAI,WAAW,YAAY,CAAA;AAElC,EAAA,MAAM,aAAaX,uBAAA,EAAO;AAC1B,EAAA,UAAA,CAAW,GAAA,CAAI,CAAC,GAAA,EAAK,IAAA,EAAM,IAAA,KAAS;AAElC,IAAA,IAAI,GAAA,CAAI,IAAA,KAAS,GAAA,IAAO,GAAA,CAAI,SAAS,aAAA,EAAe;AAClD,MAAA,IAAA,CAAK,QAAQ,CAAA;AAAA,IACf,CAAA,MAAO;AACL,MAAA,IAAA,EAAK;AAAA,IACP;AAAA,EACF,CAAC,CAAA;AACD,EAAA,UAAA,CAAW,GAAA;AAAA,IACTI,wBAAA,CAAQ,OAAO,OAAA,EAAS;AAAA,MACtB,UAAA,EAAY,CAAC,GAAA,EAAK,IAAA,KAAS;AAGzB,QAAA,IACGA,yBAAQ,MAAA,CAAO,IAAA,CAAyB,MAAA,CAAO,IAAI,MAAM,WAAA,EAC1D;AACA,UAAA,GAAA,CAAI,SAAA,CAAU,iBAAiBQ,8BAAsB,CAAA;AAAA,QACvD;AAAA,MACF;AAAA,KACD;AAAA,GACH;AACA,EAAA,MAAA,CAAO,IAAI,UAAU,CAAA;AAGrB,EAAA,MAAA,CAAO,GAAA,CAAI,IAAA,EAAM,CAAC,IAAA,EAAM,GAAA,KAAQ;AAC9B,IAAA,IAAI,cAAc,gBAAA,EAAkB;AAClC,MAAA,GAAA,CAAI,SAAA,CAAU,gBAAgB,0BAA0B,CAAA;AACxD,MAAA,GAAA,CAAI,SAAA,CAAU,iBAAiBA,8BAAsB,CAAA;AACrD,MAAA,GAAA,CAAI,IAAA,CAAK,aAAa,gBAAgB,CAAA;AAAA,IACxC,CAAA,MAAO;AACL,MAAA,GAAA,CAAI,QAAA,CAASd,iBAAA,CAAY,OAAA,EAAS,YAAY,CAAA,EAAG;AAAA,QAC/C,OAAA,EAAS;AAAA;AAAA;AAAA,UAGP,eAAA,EAAiBc;AAAA;AACnB,OACD,CAAA;AAAA,IACH;AAAA,EACF,CAAC,CAAA;AAED,EAAA,OAAO,MAAA;AACT;;;;"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@backstage/plugin-app-backend",
-  "version": "0.5.14",
+  "version": "0.5.15-next.0",
   "description": "A Backstage backend plugin that serves the Backstage frontend app",
   "backstage": {
     "role": "backend-plugin",
@@ -62,13 +62,13 @@
     "test": "backstage-cli package test"
   },
   "dependencies": {
-    "@backstage/backend-plugin-api": "^1.9.1",
-    "@backstage/config": "^1.3.8",
-    "@backstage/config-loader": "^1.10.11",
-    "@backstage/errors": "^1.3.1",
-    "@backstage/plugin-app-node": "^0.1.45",
-    "@backstage/plugin-auth-node": "^0.7.1",
-    "@backstage/types": "^1.2.2",
+    "@backstage/backend-plugin-api": "1.9.2-next.0",
+    "@backstage/config": "1.3.8",
+    "@backstage/config-loader": "1.10.11",
+    "@backstage/errors": "1.3.1",
+    "@backstage/plugin-app-node": "0.1.46-next.0",
+    "@backstage/plugin-auth-node": "0.7.2-next.0",
+    "@backstage/types": "1.2.2",
     "express": "^4.22.0",
     "express-promise-router": "^4.1.0",
     "fs-extra": "^11.2.0",
@@ -79,10 +79,10 @@
     "luxon": "^3.0.0"
   },
   "devDependencies": {
-    "@backstage/backend-app-api": "^1.7.0",
-    "@backstage/backend-defaults": "^0.17.1",
-    "@backstage/backend-test-utils": "^1.11.3",
-    "@backstage/cli": "^0.36.2",
+    "@backstage/backend-app-api": "1.7.1-next.0",
+    "@backstage/backend-defaults": "0.17.2-next.0",
+    "@backstage/backend-test-utils": "1.11.4-next.0",
+    "@backstage/cli": "0.36.3-next.0",
     "@types/express": "^4.17.6",
     "@types/supertest": "^2.0.8",
     "supertest": "^7.0.0"