@backstage/plugin-auth-backend-module-aws-alb-provider 0.2.1 → 0.3.0-next.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/CHANGELOG.md +14 -0
  2. package/dist/authenticator.cjs.js +2 -2
  3. package/dist/authenticator.cjs.js.map +1 -1
  4. package/package.json +8 -8
package/CHANGELOG.md CHANGED
@@ -1,5 +1,19 @@
1
1
  # @backstage/plugin-auth-backend-module-aws-alb-provider
2
2
 
3
+ ## 0.3.0-next.0
4
+
5
+ ### Minor Changes
6
+
7
+ - 75168e3: **BREAKING**: The AWS ALB `fullProfile` will no longer have the its username or email converted to lowercase. This is to ensure unique handling of the users. You may need to update and configure a custom sign-in resolver or profile transform as a result.
8
+
9
+ ### Patch Changes
10
+
11
+ - Updated dependencies
12
+ - @backstage/plugin-auth-backend@0.24.0-next.0
13
+ - @backstage/plugin-auth-node@0.5.4-next.0
14
+ - @backstage/backend-plugin-api@1.0.2-next.0
15
+ - @backstage/errors@1.2.4
16
+
3
17
  ## 0.2.1
4
18
 
5
19
  ### Patch Changes
package/dist/authenticator.cjs.js CHANGED
@@ -55,12 +55,12 @@ const awsAlbAuthenticator = pluginAuthNode.createProxyAuthenticator({
55
55
  provider: "unknown",
56
56
  id: claims.sub,
57
57
  displayName: claims.name,
58
- username: claims.email.split("@")[0].toLowerCase(),
58
+ username: claims.email.split("@")[0],
59
59
  name: {
60
60
  familyName: claims.family_name,
61
61
  givenName: claims.given_name
62
62
  },
63
- emails: [{ value: claims.email.toLowerCase() }],
63
+ emails: [{ value: claims.email }],
64
64
  photos: [{ value: claims.picture }]
65
65
  };
66
66
  return {
package/dist/authenticator.cjs.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"authenticator.cjs.js","sources":["../src/authenticator.ts"],"sourcesContent":["/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { AuthenticationError } from '@backstage/errors';\nimport { AwsAlbClaims, AwsAlbProtectedHeader, AwsAlbResult } from './types';\nimport { jwtVerify } from 'jose';\nimport {\n createProxyAuthenticator,\n PassportProfile,\n} from '@backstage/plugin-auth-node';\nimport NodeCache from 'node-cache';\nimport { makeProfileInfo, provisionKeyCache } from './helpers';\n\nexport const ALB_JWT_HEADER = 'x-amzn-oidc-data';\nexport const ALB_ACCESS_TOKEN_HEADER = 'x-amzn-oidc-accesstoken';\n\n/** @public */\nexport const awsAlbAuthenticator = createProxyAuthenticator({\n defaultProfileTransform: async (result: AwsAlbResult) => {\n return {\n profile: makeProfileInfo(result.fullProfile, result.accessToken),\n };\n },\n initialize({ config }) {\n const issuer = config.getString('issuer');\n const signer = config.getOptionalString('signer');\n const region = config.getString('region');\n const keyCache = new NodeCache({ stdTTL: 3600 });\n const getKey = provisionKeyCache(region, keyCache);\n return { issuer, signer, getKey };\n },\n async authenticate({ req }, { issuer, signer, getKey }) {\n const jwt = req.header(ALB_JWT_HEADER);\n const accessToken = req.header(ALB_ACCESS_TOKEN_HEADER);\n\n if (jwt === undefined) {\n throw new AuthenticationError(\n `Missing ALB OIDC header: ${ALB_JWT_HEADER}`,\n );\n }\n\n if (accessToken === undefined) {\n throw new AuthenticationError(\n `Missing ALB OIDC header: ${ALB_ACCESS_TOKEN_HEADER}`,\n );\n }\n\n try {\n const verifyResult = await jwtVerify(jwt, getKey);\n const header = verifyResult.protectedHeader as AwsAlbProtectedHeader;\n const claims = verifyResult.payload as AwsAlbClaims;\n\n if (claims?.iss !== issuer) {\n throw new AuthenticationError('Issuer mismatch on JWT token');\n } else if (signer && header?.signer !== signer) {\n throw new AuthenticationError('Signer mismatch on JWT token');\n }\n\n if (!claims.email) {\n throw new AuthenticationError(`Missing email in the JWT token`);\n }\n\n const fullProfile: PassportProfile = {\n provider: 'unknown',\n id: claims.sub,\n displayName: claims.name,\n username: claims.email.split('@')[0].toLowerCase(),\n name: {\n familyName: claims.family_name,\n givenName: claims.given_name,\n },\n emails: [{ value: claims.email.toLowerCase() }],\n photos: [{ value: claims.picture }],\n };\n\n return {\n result: {\n fullProfile,\n accessToken: accessToken,\n expiresInSeconds: claims.exp,\n },\n providerInfo: {\n accessToken: accessToken,\n expiresInSeconds: claims.exp,\n },\n };\n } catch (e) {\n throw new Error(`Exception occurred during JWT processing: ${e}`);\n }\n },\n});\n"],"names":["createProxyAuthenticator","makeProfileInfo","NodeCache","provisionKeyCache","AuthenticationError","jwtVerify"],"mappings":";;;;;;;;;;;;AA0BO,MAAM,cAAiB,GAAA,mBAAA;AACvB,MAAM,uBAA0B,GAAA,0BAAA;AAGhC,MAAM,sBAAsBA,uCAAyB,CAAA;AAAA,EAC1D,uBAAA,EAAyB,OAAO,MAAyB,KAAA;AACvD,IAAO,OAAA;AAAA,MACL,OAAS,EAAAC,uBAAA,CAAgB,MAAO,CAAA,WAAA,EAAa,OAAO,WAAW,CAAA;AAAA,KACjE,CAAA;AAAA,GACF;AAAA,EACA,UAAA,CAAW,EAAE,MAAA,EAAU,EAAA;AACrB,IAAM,MAAA,MAAA,GAAS,MAAO,CAAA,SAAA,CAAU,QAAQ,CAAA,CAAA;AACxC,IAAM,MAAA,MAAA,GAAS,MAAO,CAAA,iBAAA,CAAkB,QAAQ,CAAA,CAAA;AAChD,IAAM,MAAA,MAAA,GAAS,MAAO,CAAA,SAAA,CAAU,QAAQ,CAAA,CAAA;AACxC,IAAA,MAAM,WAAW,IAAIC,0BAAA,CAAU,EAAE,MAAA,EAAQ,MAAM,CAAA,CAAA;AAC/C,IAAM,MAAA,MAAA,GAASC,yBAAkB,CAAA,MAAA,EAAQ,QAAQ,CAAA,CAAA;AACjD,IAAO,OAAA,EAAE,MAAQ,EAAA,MAAA,EAAQ,MAAO,EAAA,CAAA;AAAA,GAClC;AAAA,EACA,MAAM,aAAa,EAAE,GAAA,IAAO,EAAE,MAAA,EAAQ,MAAQ,EAAA,MAAA,EAAU,EAAA;AACtD,IAAM,MAAA,GAAA,GAAM,GAAI,CAAA,MAAA,CAAO,cAAc,CAAA,CAAA;AACrC,IAAM,MAAA,WAAA,GAAc,GAAI,CAAA,MAAA,CAAO,uBAAuB,CAAA,CAAA;AAEtD,IAAA,IAAI,QAAQ,KAAW,CAAA,EAAA;AACrB,MAAA,MAAM,IAAIC,0BAAA;AAAA,QACR,4BAA4B,cAAc,CAAA,CAAA;AAAA,OAC5C,CAAA;AAAA,KACF;AAEA,IAAA,IAAI,gBAAgB,KAAW,CAAA,EAAA;AAC7B,MAAA,MAAM,IAAIA,0BAAA;AAAA,QACR,4BAA4B,uBAAuB,CAAA,CAAA;AAAA,OACrD,CAAA;AAAA,KACF;AAEA,IAAI,IAAA;AACF,MAAA,MAAM,YAAe,GAAA,MAAMC,cAAU,CAAA,GAAA,EAAK,MAAM,CAAA,CAAA;AAChD,MAAA,MAAM,SAAS,YAAa,CAAA,eAAA,CAAA;AAC5B,MAAA,MAAM,SAAS,YAAa,CAAA,OAAA,CAAA;AAE5B,MAAI,IAAA,MAAA,EAAQ,QAAQ,MAAQ,EAAA;AAC1B,QAAM,MAAA,IAAID,2BAAoB,8BAA8B,CAAA,CAAA;AAAA,OACnD,MAAA,IAAA,MAAA,IAAU,MAAQ,EAAA,MAAA,KAAW,MAAQ,EAAA;AAC9C,QAAM,MAAA,IAAIA,2BAAoB,8BAA8B,CAAA,CAAA;AAAA,OAC9D;AAEA,MAAI,IAAA,CAAC,OAAO,KAAO,EAAA;AACjB,QAAM,MAAA,IAAIA,2BAAoB,CAAgC,8BAAA,CAAA,CAAA,CAAA;AAAA,OAChE;AAEA,MAAA,MAAM,WAA+B,GAAA;AAAA,QACnC,QAAU,EAAA,SAAA;AAAA,QACV,IAAI,MAAO,CAAA,GAAA;AAAA,QACX,aAAa,MAAO,CAAA,IAAA;AAAA,QACpB,QAAA,EAAU,OAAO,KAAM,CAAA,KAAA,CAAM,GAAG,CAAE,CAAA,CAAC,EAAE,WAAY,EAAA;AAAA,QACjD,IAAM,EAAA;AAAA,UACJ,YAAY,MAAO,CAAA,WAAA;AAAA,UACnB,WAAW,MAAO,CAAA,UAAA;AAAA,SACpB;AAAA,QACA,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,OAAO,KAAM,CAAA,WAAA,IAAe,CAAA;AAAA,QAC9C,QAAQ,CAAC,EAAE,KAAO,EAAA,MAAA,CAAO,SAAS,CAAA;AAAA,OACpC,CAAA;AAEA,MAAO,OAAA;AAAA,QACL,MAAQ,EAAA;AAAA,UACN,WAAA;AAAA,UACA,WAAA;AAAA,UACA,kBAAkB,MAAO,CAAA,GAAA;AAAA,SAC3B;AAAA,QACA,YAAc,EAAA;AAAA,UACZ,WAAA;AAAA,UACA,kBAAkB,MAAO,CAAA,GAAA;AAAA,SAC3B;AAAA,OACF,CAAA;AAAA,aACO,CAAG,EAAA;AACV,MAAA,MAAM,IAAI,KAAA,CAAM,CAA6C,0CAAA,EAAA,CAAC,CAAE,CAAA,CAAA,CAAA;AAAA,KAClE;AAAA,GACF;AACF,CAAC;;;;;;"}
1
+ {"version":3,"file":"authenticator.cjs.js","sources":["../src/authenticator.ts"],"sourcesContent":["/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { AuthenticationError } from '@backstage/errors';\nimport { AwsAlbClaims, AwsAlbProtectedHeader, AwsAlbResult } from './types';\nimport { jwtVerify } from 'jose';\nimport {\n createProxyAuthenticator,\n PassportProfile,\n} from '@backstage/plugin-auth-node';\nimport NodeCache from 'node-cache';\nimport { makeProfileInfo, provisionKeyCache } from './helpers';\n\nexport const ALB_JWT_HEADER = 'x-amzn-oidc-data';\nexport const ALB_ACCESS_TOKEN_HEADER = 'x-amzn-oidc-accesstoken';\n\n/** @public */\nexport const awsAlbAuthenticator = createProxyAuthenticator({\n defaultProfileTransform: async (result: AwsAlbResult) => {\n return {\n profile: makeProfileInfo(result.fullProfile, result.accessToken),\n };\n },\n initialize({ config }) {\n const issuer = config.getString('issuer');\n const signer = config.getOptionalString('signer');\n const region = config.getString('region');\n const keyCache = new NodeCache({ stdTTL: 3600 });\n const getKey = provisionKeyCache(region, keyCache);\n return { issuer, signer, getKey };\n },\n async authenticate({ req }, { issuer, signer, getKey }) {\n const jwt = req.header(ALB_JWT_HEADER);\n const accessToken = req.header(ALB_ACCESS_TOKEN_HEADER);\n\n if (jwt === undefined) {\n throw new AuthenticationError(\n `Missing ALB OIDC header: ${ALB_JWT_HEADER}`,\n );\n }\n\n if (accessToken === undefined) {\n throw new AuthenticationError(\n `Missing ALB OIDC header: ${ALB_ACCESS_TOKEN_HEADER}`,\n );\n }\n\n try {\n const verifyResult = await jwtVerify(jwt, getKey);\n const header = verifyResult.protectedHeader as AwsAlbProtectedHeader;\n const claims = verifyResult.payload as AwsAlbClaims;\n\n if (claims?.iss !== issuer) {\n throw new AuthenticationError('Issuer mismatch on JWT token');\n } else if (signer && header?.signer !== signer) {\n throw new AuthenticationError('Signer mismatch on JWT token');\n }\n\n if (!claims.email) {\n throw new AuthenticationError(`Missing email in the JWT token`);\n }\n\n const fullProfile: PassportProfile = {\n provider: 'unknown',\n id: claims.sub,\n displayName: claims.name,\n username: claims.email.split('@')[0],\n name: {\n familyName: claims.family_name,\n givenName: claims.given_name,\n },\n emails: [{ value: claims.email }],\n photos: [{ value: claims.picture }],\n };\n\n return {\n result: {\n fullProfile,\n accessToken: accessToken,\n expiresInSeconds: claims.exp,\n },\n providerInfo: {\n accessToken: accessToken,\n expiresInSeconds: claims.exp,\n },\n };\n } catch (e) {\n throw new Error(`Exception occurred during JWT processing: ${e}`);\n }\n },\n});\n"],"names":["createProxyAuthenticator","makeProfileInfo","NodeCache","provisionKeyCache","AuthenticationError","jwtVerify"],"mappings":";;;;;;;;;;;;AA0BO,MAAM,cAAiB,GAAA,mBAAA;AACvB,MAAM,uBAA0B,GAAA,0BAAA;AAGhC,MAAM,sBAAsBA,uCAAyB,CAAA;AAAA,EAC1D,uBAAA,EAAyB,OAAO,MAAyB,KAAA;AACvD,IAAO,OAAA;AAAA,MACL,OAAS,EAAAC,uBAAA,CAAgB,MAAO,CAAA,WAAA,EAAa,OAAO,WAAW,CAAA;AAAA,KACjE,CAAA;AAAA,GACF;AAAA,EACA,UAAA,CAAW,EAAE,MAAA,EAAU,EAAA;AACrB,IAAM,MAAA,MAAA,GAAS,MAAO,CAAA,SAAA,CAAU,QAAQ,CAAA,CAAA;AACxC,IAAM,MAAA,MAAA,GAAS,MAAO,CAAA,iBAAA,CAAkB,QAAQ,CAAA,CAAA;AAChD,IAAM,MAAA,MAAA,GAAS,MAAO,CAAA,SAAA,CAAU,QAAQ,CAAA,CAAA;AACxC,IAAA,MAAM,WAAW,IAAIC,0BAAA,CAAU,EAAE,MAAA,EAAQ,MAAM,CAAA,CAAA;AAC/C,IAAM,MAAA,MAAA,GAASC,yBAAkB,CAAA,MAAA,EAAQ,QAAQ,CAAA,CAAA;AACjD,IAAO,OAAA,EAAE,MAAQ,EAAA,MAAA,EAAQ,MAAO,EAAA,CAAA;AAAA,GAClC;AAAA,EACA,MAAM,aAAa,EAAE,GAAA,IAAO,EAAE,MAAA,EAAQ,MAAQ,EAAA,MAAA,EAAU,EAAA;AACtD,IAAM,MAAA,GAAA,GAAM,GAAI,CAAA,MAAA,CAAO,cAAc,CAAA,CAAA;AACrC,IAAM,MAAA,WAAA,GAAc,GAAI,CAAA,MAAA,CAAO,uBAAuB,CAAA,CAAA;AAEtD,IAAA,IAAI,QAAQ,KAAW,CAAA,EAAA;AACrB,MAAA,MAAM,IAAIC,0BAAA;AAAA,QACR,4BAA4B,cAAc,CAAA,CAAA;AAAA,OAC5C,CAAA;AAAA,KACF;AAEA,IAAA,IAAI,gBAAgB,KAAW,CAAA,EAAA;AAC7B,MAAA,MAAM,IAAIA,0BAAA;AAAA,QACR,4BAA4B,uBAAuB,CAAA,CAAA;AAAA,OACrD,CAAA;AAAA,KACF;AAEA,IAAI,IAAA;AACF,MAAA,MAAM,YAAe,GAAA,MAAMC,cAAU,CAAA,GAAA,EAAK,MAAM,CAAA,CAAA;AAChD,MAAA,MAAM,SAAS,YAAa,CAAA,eAAA,CAAA;AAC5B,MAAA,MAAM,SAAS,YAAa,CAAA,OAAA,CAAA;AAE5B,MAAI,IAAA,MAAA,EAAQ,QAAQ,MAAQ,EAAA;AAC1B,QAAM,MAAA,IAAID,2BAAoB,8BAA8B,CAAA,CAAA;AAAA,OACnD,MAAA,IAAA,MAAA,IAAU,MAAQ,EAAA,MAAA,KAAW,MAAQ,EAAA;AAC9C,QAAM,MAAA,IAAIA,2BAAoB,8BAA8B,CAAA,CAAA;AAAA,OAC9D;AAEA,MAAI,IAAA,CAAC,OAAO,KAAO,EAAA;AACjB,QAAM,MAAA,IAAIA,2BAAoB,CAAgC,8BAAA,CAAA,CAAA,CAAA;AAAA,OAChE;AAEA,MAAA,MAAM,WAA+B,GAAA;AAAA,QACnC,QAAU,EAAA,SAAA;AAAA,QACV,IAAI,MAAO,CAAA,GAAA;AAAA,QACX,aAAa,MAAO,CAAA,IAAA;AAAA,QACpB,UAAU,MAAO,CAAA,KAAA,CAAM,KAAM,CAAA,GAAG,EAAE,CAAC,CAAA;AAAA,QACnC,IAAM,EAAA;AAAA,UACJ,YAAY,MAAO,CAAA,WAAA;AAAA,UACnB,WAAW,MAAO,CAAA,UAAA;AAAA,SACpB;AAAA,QACA,QAAQ,CAAC,EAAE,KAAO,EAAA,MAAA,CAAO,OAAO,CAAA;AAAA,QAChC,QAAQ,CAAC,EAAE,KAAO,EAAA,MAAA,CAAO,SAAS,CAAA;AAAA,OACpC,CAAA;AAEA,MAAO,OAAA;AAAA,QACL,MAAQ,EAAA;AAAA,UACN,WAAA;AAAA,UACA,WAAA;AAAA,UACA,kBAAkB,MAAO,CAAA,GAAA;AAAA,SAC3B;AAAA,QACA,YAAc,EAAA;AAAA,UACZ,WAAA;AAAA,UACA,kBAAkB,MAAO,CAAA,GAAA;AAAA,SAC3B;AAAA,OACF,CAAA;AAAA,aACO,CAAG,EAAA;AACV,MAAA,MAAM,IAAI,KAAA,CAAM,CAA6C,0CAAA,EAAA,CAAC,CAAE,CAAA,CAAA,CAAA;AAAA,KAClE;AAAA,GACF;AACF,CAAC;;;;;;"}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@backstage/plugin-auth-backend-module-aws-alb-provider",
3
- "version": "0.2.1",
3
+ "version": "0.3.0-next.0",
4
4
  "description": "The aws-alb provider module for the Backstage auth backend.",
5
5
  "backstage": {
6
6
  "role": "backend-plugin-module",
@@ -38,18 +38,18 @@
38
38
  },
39
39
  "dependencies": {
40
40
  "@backstage/backend-common": "^0.25.0",
41
- "@backstage/backend-plugin-api": "^1.0.1",
42
- "@backstage/errors": "^1.2.4",
43
- "@backstage/plugin-auth-backend": "^0.23.1",
44
- "@backstage/plugin-auth-node": "^0.5.3",
41
+ "@backstage/backend-plugin-api": "1.0.2-next.0",
42
+ "@backstage/errors": "1.2.4",
43
+ "@backstage/plugin-auth-backend": "0.24.0-next.0",
44
+ "@backstage/plugin-auth-node": "0.5.4-next.0",
45
45
  "jose": "^5.0.0",
46
46
  "node-cache": "^5.1.2",
47
47
  "node-fetch": "^2.7.0"
48
48
  },
49
49
  "devDependencies": {
50
- "@backstage/backend-test-utils": "^1.0.1",
51
- "@backstage/cli": "^0.28.0",
52
- "@backstage/config": "^1.2.0",
50
+ "@backstage/backend-test-utils": "1.0.3-next.0",
51
+ "@backstage/cli": "0.29.0-next.0",
52
+ "@backstage/config": "1.2.0",
53
53
  "express": "^4.18.2",
54
54
  "msw": "^2.0.8"
55
55
  }