@backstage/plugin-auth-backend-module-aws-alb-provider 0.2.0 → 0.2.1-next.1

package/CHANGELOG.md

@@ -1,5 +1,27 @@
 # @backstage/plugin-auth-backend-module-aws-alb-provider
 
+## 0.2.1-next.1
+
+### Patch Changes
+
+- 217458a: Updated configuration schema to include the new `allowedDomains` option for the `emailLocalPartMatchingUserEntityName` sign-in resolver.
+- Updated dependencies
+  - @backstage/plugin-auth-node@0.5.3-next.1
+  - @backstage/backend-plugin-api@1.0.1-next.1
+  - @backstage/errors@1.2.4
+  - @backstage/plugin-auth-backend@0.23.1-next.1
+
+## 0.2.1-next.0
+
+### Patch Changes
+
+- 094eaa3: Remove references to in-repo backend-common
+- Updated dependencies
+  - @backstage/plugin-auth-backend@0.23.1-next.0
+  - @backstage/plugin-auth-node@0.5.3-next.0
+  - @backstage/backend-plugin-api@1.0.1-next.0
+  - @backstage/errors@1.2.4
+
 ## 0.2.0
 
 ### Minor Changes

package/dist/authenticator.cjs.js

@@ -0,0 +1,86 @@
+'use strict';
+
+var errors = require('@backstage/errors');
+var jose = require('jose');
+var pluginAuthNode = require('@backstage/plugin-auth-node');
+var NodeCache = require('node-cache');
+var helpers = require('./helpers.cjs.js');
+
+function _interopDefaultCompat (e) { return e && typeof e === 'object' && 'default' in e ? e : { default: e }; }
+
+var NodeCache__default = /*#__PURE__*/_interopDefaultCompat(NodeCache);
+
+const ALB_JWT_HEADER = "x-amzn-oidc-data";
+const ALB_ACCESS_TOKEN_HEADER = "x-amzn-oidc-accesstoken";
+const awsAlbAuthenticator = pluginAuthNode.createProxyAuthenticator({
+  defaultProfileTransform: async (result) => {
+    return {
+      profile: helpers.makeProfileInfo(result.fullProfile, result.accessToken)
+    };
+  },
+  initialize({ config }) {
+    const issuer = config.getString("issuer");
+    const signer = config.getOptionalString("signer");
+    const region = config.getString("region");
+    const keyCache = new NodeCache__default.default({ stdTTL: 3600 });
+    const getKey = helpers.provisionKeyCache(region, keyCache);
+    return { issuer, signer, getKey };
+  },
+  async authenticate({ req }, { issuer, signer, getKey }) {
+    const jwt = req.header(ALB_JWT_HEADER);
+    const accessToken = req.header(ALB_ACCESS_TOKEN_HEADER);
+    if (jwt === void 0) {
+      throw new errors.AuthenticationError(
+        `Missing ALB OIDC header: ${ALB_JWT_HEADER}`
+      );
+    }
+    if (accessToken === void 0) {
+      throw new errors.AuthenticationError(
+        `Missing ALB OIDC header: ${ALB_ACCESS_TOKEN_HEADER}`
+      );
+    }
+    try {
+      const verifyResult = await jose.jwtVerify(jwt, getKey);
+      const header = verifyResult.protectedHeader;
+      const claims = verifyResult.payload;
+      if (claims?.iss !== issuer) {
+        throw new errors.AuthenticationError("Issuer mismatch on JWT token");
+      } else if (signer && header?.signer !== signer) {
+        throw new errors.AuthenticationError("Signer mismatch on JWT token");
+      }
+      if (!claims.email) {
+        throw new errors.AuthenticationError(`Missing email in the JWT token`);
+      }
+      const fullProfile = {
+        provider: "unknown",
+        id: claims.sub,
+        displayName: claims.name,
+        username: claims.email.split("@")[0].toLowerCase(),
+        name: {
+          familyName: claims.family_name,
+          givenName: claims.given_name
+        },
+        emails: [{ value: claims.email.toLowerCase() }],
+        photos: [{ value: claims.picture }]
+      };
+      return {
+        result: {
+          fullProfile,
+          accessToken,
+          expiresInSeconds: claims.exp
+        },
+        providerInfo: {
+          accessToken,
+          expiresInSeconds: claims.exp
+        }
+      };
+    } catch (e) {
+      throw new Error(`Exception occurred during JWT processing: ${e}`);
+    }
+  }
+});
+
+exports.ALB_ACCESS_TOKEN_HEADER = ALB_ACCESS_TOKEN_HEADER;
+exports.ALB_JWT_HEADER = ALB_JWT_HEADER;
+exports.awsAlbAuthenticator = awsAlbAuthenticator;
+//# sourceMappingURL=authenticator.cjs.js.map

package/dist/authenticator.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authenticator.cjs.js","sources":["../src/authenticator.ts"],"sourcesContent":["/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { AuthenticationError } from '@backstage/errors';\nimport { AwsAlbClaims, AwsAlbProtectedHeader, AwsAlbResult } from './types';\nimport { jwtVerify } from 'jose';\nimport {\n  createProxyAuthenticator,\n  PassportProfile,\n} from '@backstage/plugin-auth-node';\nimport NodeCache from 'node-cache';\nimport { makeProfileInfo, provisionKeyCache } from './helpers';\n\nexport const ALB_JWT_HEADER = 'x-amzn-oidc-data';\nexport const ALB_ACCESS_TOKEN_HEADER = 'x-amzn-oidc-accesstoken';\n\n/** @public */\nexport const awsAlbAuthenticator = createProxyAuthenticator({\n  defaultProfileTransform: async (result: AwsAlbResult) => {\n    return {\n      profile: makeProfileInfo(result.fullProfile, result.accessToken),\n    };\n  },\n  initialize({ config }) {\n    const issuer = config.getString('issuer');\n    const signer = config.getOptionalString('signer');\n    const region = config.getString('region');\n    const keyCache = new NodeCache({ stdTTL: 3600 });\n    const getKey = provisionKeyCache(region, keyCache);\n    return { issuer, signer, getKey };\n  },\n  async authenticate({ req }, { issuer, signer, getKey }) {\n    const jwt = req.header(ALB_JWT_HEADER);\n    const accessToken = req.header(ALB_ACCESS_TOKEN_HEADER);\n\n    if (jwt === undefined) {\n      throw new AuthenticationError(\n        `Missing ALB OIDC header: ${ALB_JWT_HEADER}`,\n      );\n    }\n\n    if (accessToken === undefined) {\n      throw new AuthenticationError(\n        `Missing ALB OIDC header: ${ALB_ACCESS_TOKEN_HEADER}`,\n      );\n    }\n\n    try {\n      const verifyResult = await jwtVerify(jwt, getKey);\n      const header = verifyResult.protectedHeader as AwsAlbProtectedHeader;\n      const claims = verifyResult.payload as AwsAlbClaims;\n\n      if (claims?.iss !== issuer) {\n        throw new AuthenticationError('Issuer mismatch on JWT token');\n      } else if (signer && header?.signer !== signer) {\n        throw new AuthenticationError('Signer mismatch on JWT token');\n      }\n\n      if (!claims.email) {\n        throw new AuthenticationError(`Missing email in the JWT token`);\n      }\n\n      const fullProfile: PassportProfile = {\n        provider: 'unknown',\n        id: claims.sub,\n        displayName: claims.name,\n        username: claims.email.split('@')[0].toLowerCase(),\n        name: {\n          familyName: claims.family_name,\n          givenName: claims.given_name,\n        },\n        emails: [{ value: claims.email.toLowerCase() }],\n        photos: [{ value: claims.picture }],\n      };\n\n      return {\n        result: {\n          fullProfile,\n          accessToken: accessToken,\n          expiresInSeconds: claims.exp,\n        },\n        providerInfo: {\n          accessToken: accessToken,\n          expiresInSeconds: claims.exp,\n        },\n      };\n    } catch (e) {\n      throw new Error(`Exception occurred during JWT processing: ${e}`);\n    }\n  },\n});\n"],"names":["createProxyAuthenticator","makeProfileInfo","NodeCache","provisionKeyCache","AuthenticationError","jwtVerify"],"mappings":";;;;;;;;;;;;AA0BO,MAAM,cAAiB,GAAA,mBAAA;AACvB,MAAM,uBAA0B,GAAA,0BAAA;AAGhC,MAAM,sBAAsBA,uCAAyB,CAAA;AAAA,EAC1D,uBAAA,EAAyB,OAAO,MAAyB,KAAA;AACvD,IAAO,OAAA;AAAA,MACL,OAAS,EAAAC,uBAAA,CAAgB,MAAO,CAAA,WAAA,EAAa,OAAO,WAAW,CAAA;AAAA,KACjE,CAAA;AAAA,GACF;AAAA,EACA,UAAA,CAAW,EAAE,MAAA,EAAU,EAAA;AACrB,IAAM,MAAA,MAAA,GAAS,MAAO,CAAA,SAAA,CAAU,QAAQ,CAAA,CAAA;AACxC,IAAM,MAAA,MAAA,GAAS,MAAO,CAAA,iBAAA,CAAkB,QAAQ,CAAA,CAAA;AAChD,IAAM,MAAA,MAAA,GAAS,MAAO,CAAA,SAAA,CAAU,QAAQ,CAAA,CAAA;AACxC,IAAA,MAAM,WAAW,IAAIC,0BAAA,CAAU,EAAE,MAAA,EAAQ,MAAM,CAAA,CAAA;AAC/C,IAAM,MAAA,MAAA,GAASC,yBAAkB,CAAA,MAAA,EAAQ,QAAQ,CAAA,CAAA;AACjD,IAAO,OAAA,EAAE,MAAQ,EAAA,MAAA,EAAQ,MAAO,EAAA,CAAA;AAAA,GAClC;AAAA,EACA,MAAM,aAAa,EAAE,GAAA,IAAO,EAAE,MAAA,EAAQ,MAAQ,EAAA,MAAA,EAAU,EAAA;AACtD,IAAM,MAAA,GAAA,GAAM,GAAI,CAAA,MAAA,CAAO,cAAc,CAAA,CAAA;AACrC,IAAM,MAAA,WAAA,GAAc,GAAI,CAAA,MAAA,CAAO,uBAAuB,CAAA,CAAA;AAEtD,IAAA,IAAI,QAAQ,KAAW,CAAA,EAAA;AACrB,MAAA,MAAM,IAAIC,0BAAA;AAAA,QACR,4BAA4B,cAAc,CAAA,CAAA;AAAA,OAC5C,CAAA;AAAA,KACF;AAEA,IAAA,IAAI,gBAAgB,KAAW,CAAA,EAAA;AAC7B,MAAA,MAAM,IAAIA,0BAAA;AAAA,QACR,4BAA4B,uBAAuB,CAAA,CAAA;AAAA,OACrD,CAAA;AAAA,KACF;AAEA,IAAI,IAAA;AACF,MAAA,MAAM,YAAe,GAAA,MAAMC,cAAU,CAAA,GAAA,EAAK,MAAM,CAAA,CAAA;AAChD,MAAA,MAAM,SAAS,YAAa,CAAA,eAAA,CAAA;AAC5B,MAAA,MAAM,SAAS,YAAa,CAAA,OAAA,CAAA;AAE5B,MAAI,IAAA,MAAA,EAAQ,QAAQ,MAAQ,EAAA;AAC1B,QAAM,MAAA,IAAID,2BAAoB,8BAA8B,CAAA,CAAA;AAAA,OACnD,MAAA,IAAA,MAAA,IAAU,MAAQ,EAAA,MAAA,KAAW,MAAQ,EAAA;AAC9C,QAAM,MAAA,IAAIA,2BAAoB,8BAA8B,CAAA,CAAA;AAAA,OAC9D;AAEA,MAAI,IAAA,CAAC,OAAO,KAAO,EAAA;AACjB,QAAM,MAAA,IAAIA,2BAAoB,CAAgC,8BAAA,CAAA,CAAA,CAAA;AAAA,OAChE;AAEA,MAAA,MAAM,WAA+B,GAAA;AAAA,QACnC,QAAU,EAAA,SAAA;AAAA,QACV,IAAI,MAAO,CAAA,GAAA;AAAA,QACX,aAAa,MAAO,CAAA,IAAA;AAAA,QACpB,QAAA,EAAU,OAAO,KAAM,CAAA,KAAA,CAAM,GAAG,CAAE,CAAA,CAAC,EAAE,WAAY,EAAA;AAAA,QACjD,IAAM,EAAA;AAAA,UACJ,YAAY,MAAO,CAAA,WAAA;AAAA,UACnB,WAAW,MAAO,CAAA,UAAA;AAAA,SACpB;AAAA,QACA,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,OAAO,KAAM,CAAA,WAAA,IAAe,CAAA;AAAA,QAC9C,QAAQ,CAAC,EAAE,KAAO,EAAA,MAAA,CAAO,SAAS,CAAA;AAAA,OACpC,CAAA;AAEA,MAAO,OAAA;AAAA,QACL,MAAQ,EAAA;AAAA,UACN,WAAA;AAAA,UACA,WAAA;AAAA,UACA,kBAAkB,MAAO,CAAA,GAAA;AAAA,SAC3B;AAAA,QACA,YAAc,EAAA;AAAA,UACZ,WAAA;AAAA,UACA,kBAAkB,MAAO,CAAA,GAAA;AAAA,SAC3B;AAAA,OACF,CAAA;AAAA,aACO,CAAG,EAAA;AACV,MAAA,MAAM,IAAI,KAAA,CAAM,CAA6C,0CAAA,EAAA,CAAC,CAAE,CAAA,CAAA,CAAA;AAAA,KAClE;AAAA,GACF;AACF,CAAC;;;;;;"}

package/dist/helpers.cjs.js

@@ -0,0 +1,97 @@
+'use strict';
+
+var crypto = require('crypto');
+var jose = require('jose');
+var fetch = require('node-fetch');
+var errors = require('@backstage/errors');
+
+function _interopDefaultCompat (e) { return e && typeof e === 'object' && 'default' in e ? e : { default: e }; }
+
+function _interopNamespaceCompat(e) {
+  if (e && typeof e === 'object' && 'default' in e) return e;
+  var n = Object.create(null);
+  if (e) {
+    Object.keys(e).forEach(function (k) {
+      if (k !== 'default') {
+        var d = Object.getOwnPropertyDescriptor(e, k);
+        Object.defineProperty(n, k, d.get ? d : {
+          enumerable: true,
+          get: function () { return e[k]; }
+        });
+      }
+    });
+  }
+  n.default = e;
+  return Object.freeze(n);
+}
+
+var crypto__namespace = /*#__PURE__*/_interopNamespaceCompat(crypto);
+var fetch__default = /*#__PURE__*/_interopDefaultCompat(fetch);
+
+const makeProfileInfo = (profile, idToken) => {
+  let email = void 0;
+  if (profile.emails && profile.emails.length > 0) {
+    const [firstEmail] = profile.emails;
+    email = firstEmail.value;
+  }
+  let picture = void 0;
+  if (profile.avatarUrl) {
+    picture = profile.avatarUrl;
+  } else if (profile.photos && profile.photos.length > 0) {
+    const [firstPhoto] = profile.photos;
+    picture = firstPhoto.value;
+  }
+  let displayName = profile.displayName ?? profile.username ?? profile.id;
+  if ((!email || !picture || !displayName) && idToken) {
+    try {
+      const decoded = jose.decodeJwt(idToken);
+      if (!email && decoded.email) {
+        email = decoded.email;
+      }
+      if (!picture && decoded.picture) {
+        picture = decoded.picture;
+      }
+      if (!displayName && decoded.name) {
+        displayName = decoded.name;
+      }
+    } catch (e) {
+      throw new Error(`Failed to parse id token and get profile info, ${e}`);
+    }
+  }
+  return {
+    email,
+    picture,
+    displayName
+  };
+};
+const getPublicKeyEndpoint = (region) => {
+  if (region.startsWith("us-gov")) {
+    return `https://s3-${encodeURIComponent(
+      region
+    )}.amazonaws.com/aws-elb-public-keys-prod-${encodeURIComponent(region)}`;
+  }
+  return `https://public-keys.auth.elb.${encodeURIComponent(
+    region
+  )}.amazonaws.com`;
+};
+const provisionKeyCache = (region, keyCache) => {
+  return async (header) => {
+    if (!header.kid) {
+      throw new errors.AuthenticationError("No key id was specified in header");
+    }
+    const optionalCacheKey = keyCache.get(header.kid);
+    if (optionalCacheKey) {
+      return crypto__namespace.createPublicKey(optionalCacheKey);
+    }
+    const keyText = await fetch__default.default(
+      `${getPublicKeyEndpoint(region)}/${encodeURIComponent(header.kid)}`
+    ).then((response) => response.text());
+    const keyValue = crypto__namespace.createPublicKey(keyText);
+    keyCache.set(header.kid, keyValue.export({ format: "pem", type: "spki" }));
+    return keyValue;
+  };
+};
+
+exports.makeProfileInfo = makeProfileInfo;
+exports.provisionKeyCache = provisionKeyCache;
+//# sourceMappingURL=helpers.cjs.js.map

package/dist/helpers.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"helpers.cjs.js","sources":["../src/helpers.ts"],"sourcesContent":["/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport { KeyObject } from 'crypto';\nimport * as crypto from 'crypto';\nimport { JWTHeaderParameters, decodeJwt } from 'jose';\nimport NodeCache from 'node-cache';\nimport fetch from 'node-fetch';\nimport { PassportProfile, ProfileInfo } from '@backstage/plugin-auth-node';\nimport { AuthenticationError } from '@backstage/errors';\n\nexport const makeProfileInfo = (\n  profile: PassportProfile,\n  idToken?: string,\n): ProfileInfo => {\n  let email: string | undefined = undefined;\n  if (profile.emails && profile.emails.length > 0) {\n    const [firstEmail] = profile.emails;\n    email = firstEmail.value;\n  }\n\n  let picture: string | undefined = undefined;\n  if (profile.avatarUrl) {\n    picture = profile.avatarUrl;\n  } else if (profile.photos && profile.photos.length > 0) {\n    const [firstPhoto] = profile.photos;\n    picture = firstPhoto.value;\n  }\n\n  let displayName: string | undefined =\n    profile.displayName ?? profile.username ?? profile.id;\n\n  if ((!email || !picture || !displayName) && idToken) {\n    try {\n      const decoded: Record<string, string> = decodeJwt(idToken) as {\n        email?: string;\n        picture?: string;\n        name?: string;\n      };\n      if (!email && decoded.email) {\n        email = decoded.email;\n      }\n      if (!picture && decoded.picture) {\n        picture = decoded.picture;\n      }\n      if (!displayName && decoded.name) {\n        displayName = decoded.name;\n      }\n    } catch (e) {\n      throw new Error(`Failed to parse id token and get profile info, ${e}`);\n    }\n  }\n\n  return {\n    email,\n    picture,\n    displayName,\n  };\n};\n\nconst getPublicKeyEndpoint = (region: string) => {\n  if (region.startsWith('us-gov')) {\n    return `https://s3-${encodeURIComponent(\n      region,\n    )}.amazonaws.com/aws-elb-public-keys-prod-${encodeURIComponent(region)}`;\n  }\n\n  return `https://public-keys.auth.elb.${encodeURIComponent(\n    region,\n  )}.amazonaws.com`;\n};\n\nexport const provisionKeyCache = (region: string, keyCache: NodeCache) => {\n  return async (header: JWTHeaderParameters): Promise<KeyObject> => {\n    if (!header.kid) {\n      throw new AuthenticationError('No key id was specified in header');\n    }\n    const optionalCacheKey = keyCache.get<KeyObject>(header.kid);\n    if (optionalCacheKey) {\n      return crypto.createPublicKey(optionalCacheKey);\n    }\n\n    const keyText: string = await fetch(\n      `${getPublicKeyEndpoint(region)}/${encodeURIComponent(header.kid)}`,\n    ).then(response => response.text());\n\n    const keyValue = crypto.createPublicKey(keyText);\n    keyCache.set(header.kid, keyValue.export({ format: 'pem', type: 'spki' }));\n    return keyValue;\n  };\n};\n"],"names":["decodeJwt","AuthenticationError","crypto","fetch"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAuBa,MAAA,eAAA,GAAkB,CAC7B,OAAA,EACA,OACgB,KAAA;AAChB,EAAA,IAAI,KAA4B,GAAA,KAAA,CAAA,CAAA;AAChC,EAAA,IAAI,OAAQ,CAAA,MAAA,IAAU,OAAQ,CAAA,MAAA,CAAO,SAAS,CAAG,EAAA;AAC/C,IAAM,MAAA,CAAC,UAAU,CAAA,GAAI,OAAQ,CAAA,MAAA,CAAA;AAC7B,IAAA,KAAA,GAAQ,UAAW,CAAA,KAAA,CAAA;AAAA,GACrB;AAEA,EAAA,IAAI,OAA8B,GAAA,KAAA,CAAA,CAAA;AAClC,EAAA,IAAI,QAAQ,SAAW,EAAA;AACrB,IAAA,OAAA,GAAU,OAAQ,CAAA,SAAA,CAAA;AAAA,aACT,OAAQ,CAAA,MAAA,IAAU,OAAQ,CAAA,MAAA,CAAO,SAAS,CAAG,EAAA;AACtD,IAAM,MAAA,CAAC,UAAU,CAAA,GAAI,OAAQ,CAAA,MAAA,CAAA;AAC7B,IAAA,OAAA,GAAU,UAAW,CAAA,KAAA,CAAA;AAAA,GACvB;AAEA,EAAA,IAAI,WACF,GAAA,OAAA,CAAQ,WAAe,IAAA,OAAA,CAAQ,YAAY,OAAQ,CAAA,EAAA,CAAA;AAErD,EAAA,IAAA,CAAK,CAAC,KAAS,IAAA,CAAC,OAAW,IAAA,CAAC,gBAAgB,OAAS,EAAA;AACnD,IAAI,IAAA;AACF,MAAM,MAAA,OAAA,GAAkCA,eAAU,OAAO,CAAA,CAAA;AAKzD,MAAI,IAAA,CAAC,KAAS,IAAA,OAAA,CAAQ,KAAO,EAAA;AAC3B,QAAA,KAAA,GAAQ,OAAQ,CAAA,KAAA,CAAA;AAAA,OAClB;AACA,MAAI,IAAA,CAAC,OAAW,IAAA,OAAA,CAAQ,OAAS,EAAA;AAC/B,QAAA,OAAA,GAAU,OAAQ,CAAA,OAAA,CAAA;AAAA,OACpB;AACA,MAAI,IAAA,CAAC,WAAe,IAAA,OAAA,CAAQ,IAAM,EAAA;AAChC,QAAA,WAAA,GAAc,OAAQ,CAAA,IAAA,CAAA;AAAA,OACxB;AAAA,aACO,CAAG,EAAA;AACV,MAAA,MAAM,IAAI,KAAA,CAAM,CAAkD,+CAAA,EAAA,CAAC,CAAE,CAAA,CAAA,CAAA;AAAA,KACvE;AAAA,GACF;AAEA,EAAO,OAAA;AAAA,IACL,KAAA;AAAA,IACA,OAAA;AAAA,IACA,WAAA;AAAA,GACF,CAAA;AACF,EAAA;AAEA,MAAM,oBAAA,GAAuB,CAAC,MAAmB,KAAA;AAC/C,EAAI,IAAA,MAAA,CAAO,UAAW,CAAA,QAAQ,CAAG,EAAA;AAC/B,IAAA,OAAO,CAAc,WAAA,EAAA,kBAAA;AAAA,MACnB,MAAA;AAAA,KACD,CAAA,wCAAA,EAA2C,kBAAmB,CAAA,MAAM,CAAC,CAAA,CAAA,CAAA;AAAA,GACxE;AAEA,EAAA,OAAO,CAAgC,6BAAA,EAAA,kBAAA;AAAA,IACrC,MAAA;AAAA,GACD,CAAA,cAAA,CAAA,CAAA;AACH,CAAA,CAAA;AAEa,MAAA,iBAAA,GAAoB,CAAC,MAAA,EAAgB,QAAwB,KAAA;AACxE,EAAA,OAAO,OAAO,MAAoD,KAAA;AAChE,IAAI,IAAA,CAAC,OAAO,GAAK,EAAA;AACf,MAAM,MAAA,IAAIC,2BAAoB,mCAAmC,CAAA,CAAA;AAAA,KACnE;AACA,IAAA,MAAM,gBAAmB,GAAA,QAAA,CAAS,GAAe,CAAA,MAAA,CAAO,GAAG,CAAA,CAAA;AAC3D,IAAA,IAAI,gBAAkB,EAAA;AACpB,MAAO,OAAAC,iBAAA,CAAO,gBAAgB,gBAAgB,CAAA,CAAA;AAAA,KAChD;AAEA,IAAA,MAAM,UAAkB,MAAMC,sBAAA;AAAA,MAC5B,CAAA,EAAG,qBAAqB,MAAM,CAAC,IAAI,kBAAmB,CAAA,MAAA,CAAO,GAAG,CAAC,CAAA,CAAA;AAAA,KACjE,CAAA,IAAA,CAAK,CAAY,QAAA,KAAA,QAAA,CAAS,MAAM,CAAA,CAAA;AAElC,IAAM,MAAA,QAAA,GAAWD,iBAAO,CAAA,eAAA,CAAgB,OAAO,CAAA,CAAA;AAC/C,IAAS,QAAA,CAAA,GAAA,CAAI,MAAO,CAAA,GAAA,EAAK,QAAS,CAAA,MAAA,CAAO,EAAE,MAAA,EAAQ,KAAO,EAAA,IAAA,EAAM,MAAO,EAAC,CAAC,CAAA,CAAA;AACzE,IAAO,OAAA,QAAA,CAAA;AAAA,GACT,CAAA;AACF;;;;;"}

package/dist/index.cjs.js

@@ -2,218 +2,17 @@
 
 Object.defineProperty(exports, '__esModule', { value: true });
 
-var errors = require('@backstage/errors');
-var jose = require('jose');
-var pluginAuthNode = require('@backstage/plugin-auth-node');
-var NodeCache = require('node-cache');
-var crypto = require('crypto');
-var fetch = require('node-fetch');
-var backendPluginApi = require('@backstage/backend-plugin-api');
+var authenticator = require('./authenticator.cjs.js');
+var module$1 = require('./module.cjs.js');
+var resolvers = require('./resolvers.cjs.js');
 
-function _interopDefaultCompat (e) { return e && typeof e === 'object' && 'default' in e ? e : { default: e }; }
 
-function _interopNamespaceCompat(e) {
-  if (e && typeof e === 'object' && 'default' in e) return e;
-  var n = Object.create(null);
-  if (e) {
-    Object.keys(e).forEach(function (k) {
-      if (k !== 'default') {
-        var d = Object.getOwnPropertyDescriptor(e, k);
-        Object.defineProperty(n, k, d.get ? d : {
-          enumerable: true,
-          get: function () { return e[k]; }
-        });
-      }
-    });
-  }
-  n.default = e;
-  return Object.freeze(n);
-}
 
-var NodeCache__default = /*#__PURE__*/_interopDefaultCompat(NodeCache);
-var crypto__namespace = /*#__PURE__*/_interopNamespaceCompat(crypto);
-var fetch__default = /*#__PURE__*/_interopDefaultCompat(fetch);
-
-const makeProfileInfo = (profile, idToken) => {
-  let email = void 0;
-  if (profile.emails && profile.emails.length > 0) {
-    const [firstEmail] = profile.emails;
-    email = firstEmail.value;
-  }
-  let picture = void 0;
-  if (profile.avatarUrl) {
-    picture = profile.avatarUrl;
-  } else if (profile.photos && profile.photos.length > 0) {
-    const [firstPhoto] = profile.photos;
-    picture = firstPhoto.value;
-  }
-  let displayName = profile.displayName ?? profile.username ?? profile.id;
-  if ((!email || !picture || !displayName) && idToken) {
-    try {
-      const decoded = jose.decodeJwt(idToken);
-      if (!email && decoded.email) {
-        email = decoded.email;
-      }
-      if (!picture && decoded.picture) {
-        picture = decoded.picture;
-      }
-      if (!displayName && decoded.name) {
-        displayName = decoded.name;
-      }
-    } catch (e) {
-      throw new Error(`Failed to parse id token and get profile info, ${e}`);
-    }
-  }
-  return {
-    email,
-    picture,
-    displayName
-  };
-};
-const getPublicKeyEndpoint = (region) => {
-  if (region.startsWith("us-gov")) {
-    return `https://s3-${encodeURIComponent(
-      region
-    )}.amazonaws.com/aws-elb-public-keys-prod-${encodeURIComponent(region)}`;
-  }
-  return `https://public-keys.auth.elb.${encodeURIComponent(
-    region
-  )}.amazonaws.com`;
-};
-const provisionKeyCache = (region, keyCache) => {
-  return async (header) => {
-    if (!header.kid) {
-      throw new errors.AuthenticationError("No key id was specified in header");
-    }
-    const optionalCacheKey = keyCache.get(header.kid);
-    if (optionalCacheKey) {
-      return crypto__namespace.createPublicKey(optionalCacheKey);
-    }
-    const keyText = await fetch__default.default(
-      `${getPublicKeyEndpoint(region)}/${encodeURIComponent(header.kid)}`
-    ).then((response) => response.text());
-    const keyValue = crypto__namespace.createPublicKey(keyText);
-    keyCache.set(header.kid, keyValue.export({ format: "pem", type: "spki" }));
-    return keyValue;
-  };
-};
-
-const ALB_JWT_HEADER = "x-amzn-oidc-data";
-const ALB_ACCESS_TOKEN_HEADER = "x-amzn-oidc-accesstoken";
-const awsAlbAuthenticator = pluginAuthNode.createProxyAuthenticator({
-  defaultProfileTransform: async (result) => {
-    return {
-      profile: makeProfileInfo(result.fullProfile, result.accessToken)
-    };
-  },
-  initialize({ config }) {
-    const issuer = config.getString("issuer");
-    const signer = config.getOptionalString("signer");
-    const region = config.getString("region");
-    const keyCache = new NodeCache__default.default({ stdTTL: 3600 });
-    const getKey = provisionKeyCache(region, keyCache);
-    return { issuer, signer, getKey };
-  },
-  async authenticate({ req }, { issuer, signer, getKey }) {
-    const jwt = req.header(ALB_JWT_HEADER);
-    const accessToken = req.header(ALB_ACCESS_TOKEN_HEADER);
-    if (jwt === void 0) {
-      throw new errors.AuthenticationError(
-        `Missing ALB OIDC header: ${ALB_JWT_HEADER}`
-      );
-    }
-    if (accessToken === void 0) {
-      throw new errors.AuthenticationError(
-        `Missing ALB OIDC header: ${ALB_ACCESS_TOKEN_HEADER}`
-      );
-    }
-    try {
-      const verifyResult = await jose.jwtVerify(jwt, getKey);
-      const header = verifyResult.protectedHeader;
-      const claims = verifyResult.payload;
-      if (claims?.iss !== issuer) {
-        throw new errors.AuthenticationError("Issuer mismatch on JWT token");
-      } else if (signer && header?.signer !== signer) {
-        throw new errors.AuthenticationError("Signer mismatch on JWT token");
-      }
-      if (!claims.email) {
-        throw new errors.AuthenticationError(`Missing email in the JWT token`);
-      }
-      const fullProfile = {
-        provider: "unknown",
-        id: claims.sub,
-        displayName: claims.name,
-        username: claims.email.split("@")[0].toLowerCase(),
-        name: {
-          familyName: claims.family_name,
-          givenName: claims.given_name
-        },
-        emails: [{ value: claims.email.toLowerCase() }],
-        photos: [{ value: claims.picture }]
-      };
-      return {
-        result: {
-          fullProfile,
-          accessToken,
-          expiresInSeconds: claims.exp
-        },
-        providerInfo: {
-          accessToken,
-          expiresInSeconds: claims.exp
-        }
-      };
-    } catch (e) {
-      throw new Error(`Exception occurred during JWT processing: ${e}`);
-    }
-  }
-});
-
-exports.awsAlbSignInResolvers = void 0;
-((awsAlbSignInResolvers2) => {
-  awsAlbSignInResolvers2.emailMatchingUserEntityProfileEmail = pluginAuthNode.createSignInResolverFactory({
-    create() {
-      return async (info, ctx) => {
-        if (!info.result.fullProfile.emails) {
-          throw new Error(
-            "Login failed, user profile does not contain an email"
-          );
-        }
-        return ctx.signInWithCatalogUser({
-          filter: {
-            kind: ["User"],
-            "spec.profile.email": info.result.fullProfile.emails[0].value
-          }
-        });
-      };
-    }
-  });
-})(exports.awsAlbSignInResolvers || (exports.awsAlbSignInResolvers = {}));
-
-const authModuleAwsAlbProvider = backendPluginApi.createBackendModule({
-  pluginId: "auth",
-  moduleId: "awsAlbProvider",
-  register(reg) {
-    reg.registerInit({
-      deps: {
-        providers: pluginAuthNode.authProvidersExtensionPoint
-      },
-      async init({ providers }) {
-        providers.registerProvider({
-          providerId: "awsalb",
-          factory: pluginAuthNode.createProxyAuthProviderFactory({
-            authenticator: awsAlbAuthenticator,
-            signInResolverFactories: {
-              ...pluginAuthNode.commonSignInResolvers,
-              ...exports.awsAlbSignInResolvers
-            }
-          })
-        });
-      }
-    });
-  }
+exports.awsAlbAuthenticator = authenticator.awsAlbAuthenticator;
+exports.authModuleAwsAlbProvider = module$1.authModuleAwsAlbProvider;
+exports.default = module$1.authModuleAwsAlbProvider;
+Object.defineProperty(exports, "awsAlbSignInResolvers", {
+	enumerable: true,
+	get: function () { return resolvers.awsAlbSignInResolvers; }
 });
-
-exports.authModuleAwsAlbProvider = authModuleAwsAlbProvider;
-exports.awsAlbAuthenticator = awsAlbAuthenticator;
-exports.default = authModuleAwsAlbProvider;
 //# sourceMappingURL=index.cjs.js.map

package/dist/index.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.cjs.js","sources":["../src/helpers.ts","../src/authenticator.ts","../src/resolvers.ts","../src/module.ts"],"sourcesContent":["/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport { KeyObject } from 'crypto';\nimport * as crypto from 'crypto';\nimport { JWTHeaderParameters, decodeJwt } from 'jose';\nimport NodeCache from 'node-cache';\nimport fetch from 'node-fetch';\nimport { PassportProfile, ProfileInfo } from '@backstage/plugin-auth-node';\nimport { AuthenticationError } from '@backstage/errors';\n\nexport const makeProfileInfo = (\n  profile: PassportProfile,\n  idToken?: string,\n): ProfileInfo => {\n  let email: string | undefined = undefined;\n  if (profile.emails && profile.emails.length > 0) {\n    const [firstEmail] = profile.emails;\n    email = firstEmail.value;\n  }\n\n  let picture: string | undefined = undefined;\n  if (profile.avatarUrl) {\n    picture = profile.avatarUrl;\n  } else if (profile.photos && profile.photos.length > 0) {\n    const [firstPhoto] = profile.photos;\n    picture = firstPhoto.value;\n  }\n\n  let displayName: string | undefined =\n    profile.displayName ?? profile.username ?? profile.id;\n\n  if ((!email || !picture || !displayName) && idToken) {\n    try {\n      const decoded: Record<string, string> = decodeJwt(idToken) as {\n        email?: string;\n        picture?: string;\n        name?: string;\n      };\n      if (!email && decoded.email) {\n        email = decoded.email;\n      }\n      if (!picture && decoded.picture) {\n        picture = decoded.picture;\n      }\n      if (!displayName && decoded.name) {\n        displayName = decoded.name;\n      }\n    } catch (e) {\n      throw new Error(`Failed to parse id token and get profile info, ${e}`);\n    }\n  }\n\n  return {\n    email,\n    picture,\n    displayName,\n  };\n};\n\nconst getPublicKeyEndpoint = (region: string) => {\n  if (region.startsWith('us-gov')) {\n    return `https://s3-${encodeURIComponent(\n      region,\n    )}.amazonaws.com/aws-elb-public-keys-prod-${encodeURIComponent(region)}`;\n  }\n\n  return `https://public-keys.auth.elb.${encodeURIComponent(\n    region,\n  )}.amazonaws.com`;\n};\n\nexport const provisionKeyCache = (region: string, keyCache: NodeCache) => {\n  return async (header: JWTHeaderParameters): Promise<KeyObject> => {\n    if (!header.kid) {\n      throw new AuthenticationError('No key id was specified in header');\n    }\n    const optionalCacheKey = keyCache.get<KeyObject>(header.kid);\n    if (optionalCacheKey) {\n      return crypto.createPublicKey(optionalCacheKey);\n    }\n\n    const keyText: string = await fetch(\n      `${getPublicKeyEndpoint(region)}/${encodeURIComponent(header.kid)}`,\n    ).then(response => response.text());\n\n    const keyValue = crypto.createPublicKey(keyText);\n    keyCache.set(header.kid, keyValue.export({ format: 'pem', type: 'spki' }));\n    return keyValue;\n  };\n};\n","/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { AuthenticationError } from '@backstage/errors';\nimport { AwsAlbClaims, AwsAlbProtectedHeader, AwsAlbResult } from './types';\nimport { jwtVerify } from 'jose';\nimport {\n  createProxyAuthenticator,\n  PassportProfile,\n} from '@backstage/plugin-auth-node';\nimport NodeCache from 'node-cache';\nimport { makeProfileInfo, provisionKeyCache } from './helpers';\n\nexport const ALB_JWT_HEADER = 'x-amzn-oidc-data';\nexport const ALB_ACCESS_TOKEN_HEADER = 'x-amzn-oidc-accesstoken';\n\n/** @public */\nexport const awsAlbAuthenticator = createProxyAuthenticator({\n  defaultProfileTransform: async (result: AwsAlbResult) => {\n    return {\n      profile: makeProfileInfo(result.fullProfile, result.accessToken),\n    };\n  },\n  initialize({ config }) {\n    const issuer = config.getString('issuer');\n    const signer = config.getOptionalString('signer');\n    const region = config.getString('region');\n    const keyCache = new NodeCache({ stdTTL: 3600 });\n    const getKey = provisionKeyCache(region, keyCache);\n    return { issuer, signer, getKey };\n  },\n  async authenticate({ req }, { issuer, signer, getKey }) {\n    const jwt = req.header(ALB_JWT_HEADER);\n    const accessToken = req.header(ALB_ACCESS_TOKEN_HEADER);\n\n    if (jwt === undefined) {\n      throw new AuthenticationError(\n        `Missing ALB OIDC header: ${ALB_JWT_HEADER}`,\n      );\n    }\n\n    if (accessToken === undefined) {\n      throw new AuthenticationError(\n        `Missing ALB OIDC header: ${ALB_ACCESS_TOKEN_HEADER}`,\n      );\n    }\n\n    try {\n      const verifyResult = await jwtVerify(jwt, getKey);\n      const header = verifyResult.protectedHeader as AwsAlbProtectedHeader;\n      const claims = verifyResult.payload as AwsAlbClaims;\n\n      if (claims?.iss !== issuer) {\n        throw new AuthenticationError('Issuer mismatch on JWT token');\n      } else if (signer && header?.signer !== signer) {\n        throw new AuthenticationError('Signer mismatch on JWT token');\n      }\n\n      if (!claims.email) {\n        throw new AuthenticationError(`Missing email in the JWT token`);\n      }\n\n      const fullProfile: PassportProfile = {\n        provider: 'unknown',\n        id: claims.sub,\n        displayName: claims.name,\n        username: claims.email.split('@')[0].toLowerCase(),\n        name: {\n          familyName: claims.family_name,\n          givenName: claims.given_name,\n        },\n        emails: [{ value: claims.email.toLowerCase() }],\n        photos: [{ value: claims.picture }],\n      };\n\n      return {\n        result: {\n          fullProfile,\n          accessToken: accessToken,\n          expiresInSeconds: claims.exp,\n        },\n        providerInfo: {\n          accessToken: accessToken,\n          expiresInSeconds: claims.exp,\n        },\n      };\n    } catch (e) {\n      throw new Error(`Exception occurred during JWT processing: ${e}`);\n    }\n  },\n});\n","/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  createSignInResolverFactory,\n  SignInInfo,\n} from '@backstage/plugin-auth-node';\nimport { AwsAlbResult } from './types';\n/**\n * Available sign-in resolvers for the AWS ALB auth provider.\n *\n * @public\n */\nexport namespace awsAlbSignInResolvers {\n  export const emailMatchingUserEntityProfileEmail =\n    createSignInResolverFactory({\n      create() {\n        return async (info: SignInInfo<AwsAlbResult>, ctx) => {\n          if (!info.result.fullProfile.emails) {\n            throw new Error(\n              'Login failed, user profile does not contain an email',\n            );\n          }\n          return ctx.signInWithCatalogUser({\n            filter: {\n              kind: ['User'],\n              'spec.profile.email': info.result.fullProfile.emails[0].value,\n            },\n          });\n        };\n      },\n    });\n}\n","/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport { createBackendModule } from '@backstage/backend-plugin-api';\nimport {\n  authProvidersExtensionPoint,\n  commonSignInResolvers,\n  createProxyAuthProviderFactory,\n} from '@backstage/plugin-auth-node';\nimport { awsAlbAuthenticator } from './authenticator';\nimport { awsAlbSignInResolvers } from './resolvers';\n\n/** @public */\nexport const authModuleAwsAlbProvider = createBackendModule({\n  pluginId: 'auth',\n  moduleId: 'awsAlbProvider',\n  register(reg) {\n    reg.registerInit({\n      deps: {\n        providers: authProvidersExtensionPoint,\n      },\n      async init({ providers }) {\n        providers.registerProvider({\n          providerId: 'awsalb',\n          factory: createProxyAuthProviderFactory({\n            authenticator: awsAlbAuthenticator,\n            signInResolverFactories: {\n              ...commonSignInResolvers,\n              ...awsAlbSignInResolvers,\n            },\n          }),\n        });\n      },\n    });\n  },\n});\n"],"names":["decodeJwt","AuthenticationError","crypto","fetch","createProxyAuthenticator","NodeCache","jwtVerify","awsAlbSignInResolvers","createSignInResolverFactory","createBackendModule","authProvidersExtensionPoint","createProxyAuthProviderFactory","commonSignInResolvers"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAuBa,MAAA,eAAA,GAAkB,CAC7B,OAAA,EACA,OACgB,KAAA;AAChB,EAAA,IAAI,KAA4B,GAAA,KAAA,CAAA,CAAA;AAChC,EAAA,IAAI,OAAQ,CAAA,MAAA,IAAU,OAAQ,CAAA,MAAA,CAAO,SAAS,CAAG,EAAA;AAC/C,IAAM,MAAA,CAAC,UAAU,CAAA,GAAI,OAAQ,CAAA,MAAA,CAAA;AAC7B,IAAA,KAAA,GAAQ,UAAW,CAAA,KAAA,CAAA;AAAA,GACrB;AAEA,EAAA,IAAI,OAA8B,GAAA,KAAA,CAAA,CAAA;AAClC,EAAA,IAAI,QAAQ,SAAW,EAAA;AACrB,IAAA,OAAA,GAAU,OAAQ,CAAA,SAAA,CAAA;AAAA,aACT,OAAQ,CAAA,MAAA,IAAU,OAAQ,CAAA,MAAA,CAAO,SAAS,CAAG,EAAA;AACtD,IAAM,MAAA,CAAC,UAAU,CAAA,GAAI,OAAQ,CAAA,MAAA,CAAA;AAC7B,IAAA,OAAA,GAAU,UAAW,CAAA,KAAA,CAAA;AAAA,GACvB;AAEA,EAAA,IAAI,WACF,GAAA,OAAA,CAAQ,WAAe,IAAA,OAAA,CAAQ,YAAY,OAAQ,CAAA,EAAA,CAAA;AAErD,EAAA,IAAA,CAAK,CAAC,KAAS,IAAA,CAAC,OAAW,IAAA,CAAC,gBAAgB,OAAS,EAAA;AACnD,IAAI,IAAA;AACF,MAAM,MAAA,OAAA,GAAkCA,eAAU,OAAO,CAAA,CAAA;AAKzD,MAAI,IAAA,CAAC,KAAS,IAAA,OAAA,CAAQ,KAAO,EAAA;AAC3B,QAAA,KAAA,GAAQ,OAAQ,CAAA,KAAA,CAAA;AAAA,OAClB;AACA,MAAI,IAAA,CAAC,OAAW,IAAA,OAAA,CAAQ,OAAS,EAAA;AAC/B,QAAA,OAAA,GAAU,OAAQ,CAAA,OAAA,CAAA;AAAA,OACpB;AACA,MAAI,IAAA,CAAC,WAAe,IAAA,OAAA,CAAQ,IAAM,EAAA;AAChC,QAAA,WAAA,GAAc,OAAQ,CAAA,IAAA,CAAA;AAAA,OACxB;AAAA,aACO,CAAG,EAAA;AACV,MAAA,MAAM,IAAI,KAAA,CAAM,CAAkD,+CAAA,EAAA,CAAC,CAAE,CAAA,CAAA,CAAA;AAAA,KACvE;AAAA,GACF;AAEA,EAAO,OAAA;AAAA,IACL,KAAA;AAAA,IACA,OAAA;AAAA,IACA,WAAA;AAAA,GACF,CAAA;AACF,CAAA,CAAA;AAEA,MAAM,oBAAA,GAAuB,CAAC,MAAmB,KAAA;AAC/C,EAAI,IAAA,MAAA,CAAO,UAAW,CAAA,QAAQ,CAAG,EAAA;AAC/B,IAAA,OAAO,CAAc,WAAA,EAAA,kBAAA;AAAA,MACnB,MAAA;AAAA,KACD,CAAA,wCAAA,EAA2C,kBAAmB,CAAA,MAAM,CAAC,CAAA,CAAA,CAAA;AAAA,GACxE;AAEA,EAAA,OAAO,CAAgC,6BAAA,EAAA,kBAAA;AAAA,IACrC,MAAA;AAAA,GACD,CAAA,cAAA,CAAA,CAAA;AACH,CAAA,CAAA;AAEa,MAAA,iBAAA,GAAoB,CAAC,MAAA,EAAgB,QAAwB,KAAA;AACxE,EAAA,OAAO,OAAO,MAAoD,KAAA;AAChE,IAAI,IAAA,CAAC,OAAO,GAAK,EAAA;AACf,MAAM,MAAA,IAAIC,2BAAoB,mCAAmC,CAAA,CAAA;AAAA,KACnE;AACA,IAAA,MAAM,gBAAmB,GAAA,QAAA,CAAS,GAAe,CAAA,MAAA,CAAO,GAAG,CAAA,CAAA;AAC3D,IAAA,IAAI,gBAAkB,EAAA;AACpB,MAAO,OAAAC,iBAAA,CAAO,gBAAgB,gBAAgB,CAAA,CAAA;AAAA,KAChD;AAEA,IAAA,MAAM,UAAkB,MAAMC,sBAAA;AAAA,MAC5B,CAAA,EAAG,qBAAqB,MAAM,CAAC,IAAI,kBAAmB,CAAA,MAAA,CAAO,GAAG,CAAC,CAAA,CAAA;AAAA,KACjE,CAAA,IAAA,CAAK,CAAY,QAAA,KAAA,QAAA,CAAS,MAAM,CAAA,CAAA;AAElC,IAAM,MAAA,QAAA,GAAWD,iBAAO,CAAA,eAAA,CAAgB,OAAO,CAAA,CAAA;AAC/C,IAAS,QAAA,CAAA,GAAA,CAAI,MAAO,CAAA,GAAA,EAAK,QAAS,CAAA,MAAA,CAAO,EAAE,MAAA,EAAQ,KAAO,EAAA,IAAA,EAAM,MAAO,EAAC,CAAC,CAAA,CAAA;AACzE,IAAO,OAAA,QAAA,CAAA;AAAA,GACT,CAAA;AACF,CAAA;;AC5EO,MAAM,cAAiB,GAAA,kBAAA,CAAA;AACvB,MAAM,uBAA0B,GAAA,yBAAA,CAAA;AAGhC,MAAM,sBAAsBE,uCAAyB,CAAA;AAAA,EAC1D,uBAAA,EAAyB,OAAO,MAAyB,KAAA;AACvD,IAAO,OAAA;AAAA,MACL,OAAS,EAAA,eAAA,CAAgB,MAAO,CAAA,WAAA,EAAa,OAAO,WAAW,CAAA;AAAA,KACjE,CAAA;AAAA,GACF;AAAA,EACA,UAAA,CAAW,EAAE,MAAA,EAAU,EAAA;AACrB,IAAM,MAAA,MAAA,GAAS,MAAO,CAAA,SAAA,CAAU,QAAQ,CAAA,CAAA;AACxC,IAAM,MAAA,MAAA,GAAS,MAAO,CAAA,iBAAA,CAAkB,QAAQ,CAAA,CAAA;AAChD,IAAM,MAAA,MAAA,GAAS,MAAO,CAAA,SAAA,CAAU,QAAQ,CAAA,CAAA;AACxC,IAAA,MAAM,WAAW,IAAIC,0BAAA,CAAU,EAAE,MAAA,EAAQ,MAAM,CAAA,CAAA;AAC/C,IAAM,MAAA,MAAA,GAAS,iBAAkB,CAAA,MAAA,EAAQ,QAAQ,CAAA,CAAA;AACjD,IAAO,OAAA,EAAE,MAAQ,EAAA,MAAA,EAAQ,MAAO,EAAA,CAAA;AAAA,GAClC;AAAA,EACA,MAAM,aAAa,EAAE,GAAA,IAAO,EAAE,MAAA,EAAQ,MAAQ,EAAA,MAAA,EAAU,EAAA;AACtD,IAAM,MAAA,GAAA,GAAM,GAAI,CAAA,MAAA,CAAO,cAAc,CAAA,CAAA;AACrC,IAAM,MAAA,WAAA,GAAc,GAAI,CAAA,MAAA,CAAO,uBAAuB,CAAA,CAAA;AAEtD,IAAA,IAAI,QAAQ,KAAW,CAAA,EAAA;AACrB,MAAA,MAAM,IAAIJ,0BAAA;AAAA,QACR,4BAA4B,cAAc,CAAA,CAAA;AAAA,OAC5C,CAAA;AAAA,KACF;AAEA,IAAA,IAAI,gBAAgB,KAAW,CAAA,EAAA;AAC7B,MAAA,MAAM,IAAIA,0BAAA;AAAA,QACR,4BAA4B,uBAAuB,CAAA,CAAA;AAAA,OACrD,CAAA;AAAA,KACF;AAEA,IAAI,IAAA;AACF,MAAA,MAAM,YAAe,GAAA,MAAMK,cAAU,CAAA,GAAA,EAAK,MAAM,CAAA,CAAA;AAChD,MAAA,MAAM,SAAS,YAAa,CAAA,eAAA,CAAA;AAC5B,MAAA,MAAM,SAAS,YAAa,CAAA,OAAA,CAAA;AAE5B,MAAI,IAAA,MAAA,EAAQ,QAAQ,MAAQ,EAAA;AAC1B,QAAM,MAAA,IAAIL,2BAAoB,8BAA8B,CAAA,CAAA;AAAA,OACnD,MAAA,IAAA,MAAA,IAAU,MAAQ,EAAA,MAAA,KAAW,MAAQ,EAAA;AAC9C,QAAM,MAAA,IAAIA,2BAAoB,8BAA8B,CAAA,CAAA;AAAA,OAC9D;AAEA,MAAI,IAAA,CAAC,OAAO,KAAO,EAAA;AACjB,QAAM,MAAA,IAAIA,2BAAoB,CAAgC,8BAAA,CAAA,CAAA,CAAA;AAAA,OAChE;AAEA,MAAA,MAAM,WAA+B,GAAA;AAAA,QACnC,QAAU,EAAA,SAAA;AAAA,QACV,IAAI,MAAO,CAAA,GAAA;AAAA,QACX,aAAa,MAAO,CAAA,IAAA;AAAA,QACpB,QAAA,EAAU,OAAO,KAAM,CAAA,KAAA,CAAM,GAAG,CAAE,CAAA,CAAC,EAAE,WAAY,EAAA;AAAA,QACjD,IAAM,EAAA;AAAA,UACJ,YAAY,MAAO,CAAA,WAAA;AAAA,UACnB,WAAW,MAAO,CAAA,UAAA;AAAA,SACpB;AAAA,QACA,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,OAAO,KAAM,CAAA,WAAA,IAAe,CAAA;AAAA,QAC9C,QAAQ,CAAC,EAAE,KAAO,EAAA,MAAA,CAAO,SAAS,CAAA;AAAA,OACpC,CAAA;AAEA,MAAO,OAAA;AAAA,QACL,MAAQ,EAAA;AAAA,UACN,WAAA;AAAA,UACA,WAAA;AAAA,UACA,kBAAkB,MAAO,CAAA,GAAA;AAAA,SAC3B;AAAA,QACA,YAAc,EAAA;AAAA,UACZ,WAAA;AAAA,UACA,kBAAkB,MAAO,CAAA,GAAA;AAAA,SAC3B;AAAA,OACF,CAAA;AAAA,aACO,CAAG,EAAA;AACV,MAAA,MAAM,IAAI,KAAA,CAAM,CAA6C,0CAAA,EAAA,CAAC,CAAE,CAAA,CAAA,CAAA;AAAA,KAClE;AAAA,GACF;AACF,CAAC;;AC7EgBM,uCAAA;AAAA,CAAV,CAAUA,sBAAV,KAAA;AACE,EAAMA,sBAAAA,CAAA,sCACXC,0CAA4B,CAAA;AAAA,IAC1B,MAAS,GAAA;AACP,MAAO,OAAA,OAAO,MAAgC,GAAQ,KAAA;AACpD,QAAA,IAAI,CAAC,IAAA,CAAK,MAAO,CAAA,WAAA,CAAY,MAAQ,EAAA;AACnC,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,sDAAA;AAAA,WACF,CAAA;AAAA,SACF;AACA,QAAA,OAAO,IAAI,qBAAsB,CAAA;AAAA,UAC/B,MAAQ,EAAA;AAAA,YACN,IAAA,EAAM,CAAC,MAAM,CAAA;AAAA,YACb,sBAAsB,IAAK,CAAA,MAAA,CAAO,WAAY,CAAA,MAAA,CAAO,CAAC,CAAE,CAAA,KAAA;AAAA,WAC1D;AAAA,SACD,CAAA,CAAA;AAAA,OACH,CAAA;AAAA,KACF;AAAA,GACD,CAAA,CAAA;AAAA,CAlBY,EAAAD,6BAAA,KAAAA,6BAAA,GAAA,EAAA,CAAA,CAAA;;ACDV,MAAM,2BAA2BE,oCAAoB,CAAA;AAAA,EAC1D,QAAU,EAAA,MAAA;AAAA,EACV,QAAU,EAAA,gBAAA;AAAA,EACV,SAAS,GAAK,EAAA;AACZ,IAAA,GAAA,CAAI,YAAa,CAAA;AAAA,MACf,IAAM,EAAA;AAAA,QACJ,SAAW,EAAAC,0CAAA;AAAA,OACb;AAAA,MACA,MAAM,IAAA,CAAK,EAAE,SAAA,EAAa,EAAA;AACxB,QAAA,SAAA,CAAU,gBAAiB,CAAA;AAAA,UACzB,UAAY,EAAA,QAAA;AAAA,UACZ,SAASC,6CAA+B,CAAA;AAAA,YACtC,aAAe,EAAA,mBAAA;AAAA,YACf,uBAAyB,EAAA;AAAA,cACvB,GAAGC,oCAAA;AAAA,cACH,GAAGL,6BAAA;AAAA,aACL;AAAA,WACD,CAAA;AAAA,SACF,CAAA,CAAA;AAAA,OACH;AAAA,KACD,CAAA,CAAA;AAAA,GACH;AACF,CAAC;;;;;;"}
+{"version":3,"file":"index.cjs.js","sources":[],"sourcesContent":[],"names":[],"mappings":";;;;;;;;;;;;;;;;"}

package/dist/module.cjs.js

@@ -0,0 +1,33 @@
+'use strict';
+
+var backendPluginApi = require('@backstage/backend-plugin-api');
+var pluginAuthNode = require('@backstage/plugin-auth-node');
+var authenticator = require('./authenticator.cjs.js');
+var resolvers = require('./resolvers.cjs.js');
+
+const authModuleAwsAlbProvider = backendPluginApi.createBackendModule({
+  pluginId: "auth",
+  moduleId: "awsAlbProvider",
+  register(reg) {
+    reg.registerInit({
+      deps: {
+        providers: pluginAuthNode.authProvidersExtensionPoint
+      },
+      async init({ providers }) {
+        providers.registerProvider({
+          providerId: "awsalb",
+          factory: pluginAuthNode.createProxyAuthProviderFactory({
+            authenticator: authenticator.awsAlbAuthenticator,
+            signInResolverFactories: {
+              ...pluginAuthNode.commonSignInResolvers,
+              ...resolvers.awsAlbSignInResolvers
+            }
+          })
+        });
+      }
+    });
+  }
+});
+
+exports.authModuleAwsAlbProvider = authModuleAwsAlbProvider;
+//# sourceMappingURL=module.cjs.js.map

package/dist/module.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"module.cjs.js","sources":["../src/module.ts"],"sourcesContent":["/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport { createBackendModule } from '@backstage/backend-plugin-api';\nimport {\n  authProvidersExtensionPoint,\n  commonSignInResolvers,\n  createProxyAuthProviderFactory,\n} from '@backstage/plugin-auth-node';\nimport { awsAlbAuthenticator } from './authenticator';\nimport { awsAlbSignInResolvers } from './resolvers';\n\n/** @public */\nexport const authModuleAwsAlbProvider = createBackendModule({\n  pluginId: 'auth',\n  moduleId: 'awsAlbProvider',\n  register(reg) {\n    reg.registerInit({\n      deps: {\n        providers: authProvidersExtensionPoint,\n      },\n      async init({ providers }) {\n        providers.registerProvider({\n          providerId: 'awsalb',\n          factory: createProxyAuthProviderFactory({\n            authenticator: awsAlbAuthenticator,\n            signInResolverFactories: {\n              ...commonSignInResolvers,\n              ...awsAlbSignInResolvers,\n            },\n          }),\n        });\n      },\n    });\n  },\n});\n"],"names":["createBackendModule","authProvidersExtensionPoint","createProxyAuthProviderFactory","awsAlbAuthenticator","commonSignInResolvers","awsAlbSignInResolvers"],"mappings":";;;;;;;AAyBO,MAAM,2BAA2BA,oCAAoB,CAAA;AAAA,EAC1D,QAAU,EAAA,MAAA;AAAA,EACV,QAAU,EAAA,gBAAA;AAAA,EACV,SAAS,GAAK,EAAA;AACZ,IAAA,GAAA,CAAI,YAAa,CAAA;AAAA,MACf,IAAM,EAAA;AAAA,QACJ,SAAW,EAAAC,0CAAA;AAAA,OACb;AAAA,MACA,MAAM,IAAA,CAAK,EAAE,SAAA,EAAa,EAAA;AACxB,QAAA,SAAA,CAAU,gBAAiB,CAAA;AAAA,UACzB,UAAY,EAAA,QAAA;AAAA,UACZ,SAASC,6CAA+B,CAAA;AAAA,YACtC,aAAe,EAAAC,iCAAA;AAAA,YACf,uBAAyB,EAAA;AAAA,cACvB,GAAGC,oCAAA;AAAA,cACH,GAAGC,+BAAA;AAAA,aACL;AAAA,WACD,CAAA;AAAA,SACF,CAAA,CAAA;AAAA,OACH;AAAA,KACD,CAAA,CAAA;AAAA,GACH;AACF,CAAC;;;;"}

package/dist/resolvers.cjs.js

@@ -0,0 +1,25 @@
+'use strict';
+
+var pluginAuthNode = require('@backstage/plugin-auth-node');
+
+exports.awsAlbSignInResolvers = void 0;
+((awsAlbSignInResolvers2) => {
+  awsAlbSignInResolvers2.emailMatchingUserEntityProfileEmail = pluginAuthNode.createSignInResolverFactory({
+    create() {
+      return async (info, ctx) => {
+        if (!info.result.fullProfile.emails) {
+          throw new Error(
+            "Login failed, user profile does not contain an email"
+          );
+        }
+        return ctx.signInWithCatalogUser({
+          filter: {
+            kind: ["User"],
+            "spec.profile.email": info.result.fullProfile.emails[0].value
+          }
+        });
+      };
+    }
+  });
+})(exports.awsAlbSignInResolvers || (exports.awsAlbSignInResolvers = {}));
+//# sourceMappingURL=resolvers.cjs.js.map

package/dist/resolvers.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolvers.cjs.js","sources":["../src/resolvers.ts"],"sourcesContent":["/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  createSignInResolverFactory,\n  SignInInfo,\n} from '@backstage/plugin-auth-node';\nimport { AwsAlbResult } from './types';\n/**\n * Available sign-in resolvers for the AWS ALB auth provider.\n *\n * @public\n */\nexport namespace awsAlbSignInResolvers {\n  export const emailMatchingUserEntityProfileEmail =\n    createSignInResolverFactory({\n      create() {\n        return async (info: SignInInfo<AwsAlbResult>, ctx) => {\n          if (!info.result.fullProfile.emails) {\n            throw new Error(\n              'Login failed, user profile does not contain an email',\n            );\n          }\n          return ctx.signInWithCatalogUser({\n            filter: {\n              kind: ['User'],\n              'spec.profile.email': info.result.fullProfile.emails[0].value,\n            },\n          });\n        };\n      },\n    });\n}\n"],"names":["awsAlbSignInResolvers","createSignInResolverFactory"],"mappings":";;;;AA0BiBA,uCAAA;AAAA,CAAV,CAAUA,sBAAV,KAAA;AACE,EAAMA,sBAAAA,CAAA,sCACXC,0CAA4B,CAAA;AAAA,IAC1B,MAAS,GAAA;AACP,MAAO,OAAA,OAAO,MAAgC,GAAQ,KAAA;AACpD,QAAA,IAAI,CAAC,IAAA,CAAK,MAAO,CAAA,WAAA,CAAY,MAAQ,EAAA;AACnC,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,sDAAA;AAAA,WACF,CAAA;AAAA,SACF;AACA,QAAA,OAAO,IAAI,qBAAsB,CAAA;AAAA,UAC/B,MAAQ,EAAA;AAAA,YACN,IAAA,EAAM,CAAC,MAAM,CAAA;AAAA,YACb,sBAAsB,IAAK,CAAA,MAAA,CAAO,WAAY,CAAA,MAAA,CAAO,CAAC,CAAE,CAAA,KAAA;AAAA,WAC1D;AAAA,SACD,CAAA,CAAA;AAAA,OACH,CAAA;AAAA,KACF;AAAA,GACD,CAAA,CAAA;AAAA,CAlBY,EAAAD,6BAAA,KAAAA,6BAAA,GAAA,EAAA,CAAA,CAAA;;"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@backstage/plugin-auth-backend-module-aws-alb-provider",
-  "version": "0.2.0",
+  "version": "0.2.1-next.1",
   "description": "The aws-alb provider module for the Backstage auth backend.",
   "backstage": {
     "role": "backend-plugin-module",
@@ -38,18 +38,18 @@
   },
   "dependencies": {
     "@backstage/backend-common": "^0.25.0",
-    "@backstage/backend-plugin-api": "^1.0.0",
-    "@backstage/errors": "^1.2.4",
-    "@backstage/plugin-auth-backend": "^0.23.0",
-    "@backstage/plugin-auth-node": "^0.5.2",
+    "@backstage/backend-plugin-api": "1.0.1-next.1",
+    "@backstage/errors": "1.2.4",
+    "@backstage/plugin-auth-backend": "0.23.1-next.1",
+    "@backstage/plugin-auth-node": "0.5.3-next.1",
     "jose": "^5.0.0",
     "node-cache": "^5.1.2",
     "node-fetch": "^2.7.0"
   },
   "devDependencies": {
-    "@backstage/backend-test-utils": "^1.0.0",
-    "@backstage/cli": "^0.27.1",
-    "@backstage/config": "^1.2.0",
+    "@backstage/backend-test-utils": "1.0.1-next.2",
+    "@backstage/cli": "0.28.0-next.2",
+    "@backstage/config": "1.2.0",
     "express": "^4.18.2",
     "msw": "^2.0.8"
   }