@backstage/plugin-auth-backend-module-azure-easyauth-provider 0.2.1-next.0 → 0.2.1-next.1

package/CHANGELOG.md

@@ -1,5 +1,15 @@
 # @backstage/plugin-auth-backend-module-azure-easyauth-provider
 
+## 0.2.1-next.1
+
+### Patch Changes
+
+- Updated dependencies
+  - @backstage/plugin-auth-node@0.5.3-next.1
+  - @backstage/backend-plugin-api@1.0.1-next.1
+  - @backstage/catalog-model@1.7.0
+  - @backstage/errors@1.2.4
+
 ## 0.2.1-next.0
 
 ### Patch Changes

package/dist/authenticator.cjs.js

@@ -0,0 +1,59 @@
+'use strict';
+
+var errors = require('@backstage/errors');
+var pluginAuthNode = require('@backstage/plugin-auth-node');
+var jose = require('jose');
+
+const ID_TOKEN_HEADER = "x-ms-token-aad-id-token";
+const ACCESS_TOKEN_HEADER = "x-ms-token-aad-access-token";
+const azureEasyAuthAuthenticator = pluginAuthNode.createProxyAuthenticator({
+  defaultProfileTransform: async (result) => {
+    return {
+      profile: {
+        displayName: result.fullProfile.displayName,
+        email: result.fullProfile.emails?.[0].value,
+        picture: result.fullProfile.photos?.[0].value
+      }
+    };
+  },
+  initialize() {
+  },
+  async authenticate({ req }) {
+    const result = await getResult(req);
+    return {
+      result,
+      providerInfo: {
+        accessToken: result.accessToken
+      }
+    };
+  }
+});
+async function getResult(req) {
+  const idToken = req.header(ID_TOKEN_HEADER);
+  const accessToken = req.header(ACCESS_TOKEN_HEADER);
+  if (idToken === void 0) {
+    throw new errors.AuthenticationError(`Missing ${ID_TOKEN_HEADER} header`);
+  }
+  return {
+    fullProfile: idTokenToProfile(idToken),
+    accessToken
+  };
+}
+function idTokenToProfile(idToken) {
+  const claims = jose.decodeJwt(idToken);
+  if (claims.ver !== "2.0") {
+    throw new Error("id_token is not version 2.0 ");
+  }
+  return {
+    id: claims.oid,
+    displayName: claims.name,
+    provider: "easyauth",
+    emails: [{ value: claims.email }],
+    username: claims.preferred_username
+  };
+}
+
+exports.ACCESS_TOKEN_HEADER = ACCESS_TOKEN_HEADER;
+exports.ID_TOKEN_HEADER = ID_TOKEN_HEADER;
+exports.azureEasyAuthAuthenticator = azureEasyAuthAuthenticator;
+//# sourceMappingURL=authenticator.cjs.js.map

package/dist/authenticator.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authenticator.cjs.js","sources":["../src/authenticator.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { AuthenticationError } from '@backstage/errors';\nimport { createProxyAuthenticator } from '@backstage/plugin-auth-node';\nimport { AzureEasyAuthResult } from './types';\nimport { Request } from 'express';\nimport { Profile } from 'passport';\nimport { decodeJwt } from 'jose';\n\nexport const ID_TOKEN_HEADER = 'x-ms-token-aad-id-token';\nexport const ACCESS_TOKEN_HEADER = 'x-ms-token-aad-access-token';\n\n/** @public */\nexport const azureEasyAuthAuthenticator = createProxyAuthenticator({\n  defaultProfileTransform: async (result: AzureEasyAuthResult) => {\n    return {\n      profile: {\n        displayName: result.fullProfile.displayName,\n        email: result.fullProfile.emails?.[0].value,\n        picture: result.fullProfile.photos?.[0].value,\n      },\n    };\n  },\n  initialize() {},\n  async authenticate({ req }) {\n    const result = await getResult(req);\n    return {\n      result,\n      providerInfo: {\n        accessToken: result.accessToken,\n      },\n    };\n  },\n});\n\nasync function getResult(req: Request): Promise<AzureEasyAuthResult> {\n  const idToken = req.header(ID_TOKEN_HEADER);\n  const accessToken = req.header(ACCESS_TOKEN_HEADER);\n  if (idToken === undefined) {\n    throw new AuthenticationError(`Missing ${ID_TOKEN_HEADER} header`);\n  }\n\n  return {\n    fullProfile: idTokenToProfile(idToken),\n    accessToken: accessToken,\n  };\n}\n\nfunction idTokenToProfile(idToken: string) {\n  const claims = decodeJwt(idToken);\n\n  if (claims.ver !== '2.0') {\n    throw new Error('id_token is not version 2.0 ');\n  }\n\n  return {\n    id: claims.oid,\n    displayName: claims.name,\n    provider: 'easyauth',\n    emails: [{ value: claims.email }],\n    username: claims.preferred_username,\n  } as Profile;\n}\n"],"names":["createProxyAuthenticator","AuthenticationError","decodeJwt"],"mappings":";;;;;;AAuBO,MAAM,eAAkB,GAAA,0BAAA;AACxB,MAAM,mBAAsB,GAAA,8BAAA;AAG5B,MAAM,6BAA6BA,uCAAyB,CAAA;AAAA,EACjE,uBAAA,EAAyB,OAAO,MAAgC,KAAA;AAC9D,IAAO,OAAA;AAAA,MACL,OAAS,EAAA;AAAA,QACP,WAAA,EAAa,OAAO,WAAY,CAAA,WAAA;AAAA,QAChC,KAAO,EAAA,MAAA,CAAO,WAAY,CAAA,MAAA,GAAS,CAAC,CAAE,CAAA,KAAA;AAAA,QACtC,OAAS,EAAA,MAAA,CAAO,WAAY,CAAA,MAAA,GAAS,CAAC,CAAE,CAAA,KAAA;AAAA,OAC1C;AAAA,KACF,CAAA;AAAA,GACF;AAAA,EACA,UAAa,GAAA;AAAA,GAAC;AAAA,EACd,MAAM,YAAA,CAAa,EAAE,GAAA,EAAO,EAAA;AAC1B,IAAM,MAAA,MAAA,GAAS,MAAM,SAAA,CAAU,GAAG,CAAA,CAAA;AAClC,IAAO,OAAA;AAAA,MACL,MAAA;AAAA,MACA,YAAc,EAAA;AAAA,QACZ,aAAa,MAAO,CAAA,WAAA;AAAA,OACtB;AAAA,KACF,CAAA;AAAA,GACF;AACF,CAAC,EAAA;AAED,eAAe,UAAU,GAA4C,EAAA;AACnE,EAAM,MAAA,OAAA,GAAU,GAAI,CAAA,MAAA,CAAO,eAAe,CAAA,CAAA;AAC1C,EAAM,MAAA,WAAA,GAAc,GAAI,CAAA,MAAA,CAAO,mBAAmB,CAAA,CAAA;AAClD,EAAA,IAAI,YAAY,KAAW,CAAA,EAAA;AACzB,IAAA,MAAM,IAAIC,0BAAA,CAAoB,CAAW,QAAA,EAAA,eAAe,CAAS,OAAA,CAAA,CAAA,CAAA;AAAA,GACnE;AAEA,EAAO,OAAA;AAAA,IACL,WAAA,EAAa,iBAAiB,OAAO,CAAA;AAAA,IACrC,WAAA;AAAA,GACF,CAAA;AACF,CAAA;AAEA,SAAS,iBAAiB,OAAiB,EAAA;AACzC,EAAM,MAAA,MAAA,GAASC,eAAU,OAAO,CAAA,CAAA;AAEhC,EAAI,IAAA,MAAA,CAAO,QAAQ,KAAO,EAAA;AACxB,IAAM,MAAA,IAAI,MAAM,8BAA8B,CAAA,CAAA;AAAA,GAChD;AAEA,EAAO,OAAA;AAAA,IACL,IAAI,MAAO,CAAA,GAAA;AAAA,IACX,aAAa,MAAO,CAAA,IAAA;AAAA,IACpB,QAAU,EAAA,UAAA;AAAA,IACV,QAAQ,CAAC,EAAE,KAAO,EAAA,MAAA,CAAO,OAAO,CAAA;AAAA,IAChC,UAAU,MAAO,CAAA,kBAAA;AAAA,GACnB,CAAA;AACF;;;;;;"}

package/dist/index.cjs.js

@@ -2,120 +2,16 @@
 
 Object.defineProperty(exports, '__esModule', { value: true });
 
-var backendPluginApi = require('@backstage/backend-plugin-api');
-var pluginAuthNode = require('@backstage/plugin-auth-node');
-var errors = require('@backstage/errors');
-var jose = require('jose');
+var module$1 = require('./module.cjs.js');
+var authenticator = require('./authenticator.cjs.js');
+var resolvers = require('./resolvers.cjs.js');
 
-const ID_TOKEN_HEADER = "x-ms-token-aad-id-token";
-const ACCESS_TOKEN_HEADER = "x-ms-token-aad-access-token";
-const azureEasyAuthAuthenticator = pluginAuthNode.createProxyAuthenticator({
-  defaultProfileTransform: async (result) => {
-    return {
-      profile: {
-        displayName: result.fullProfile.displayName,
-        email: result.fullProfile.emails?.[0].value,
-        picture: result.fullProfile.photos?.[0].value
-      }
-    };
-  },
-  initialize() {
-  },
-  async authenticate({ req }) {
-    const result = await getResult(req);
-    return {
-      result,
-      providerInfo: {
-        accessToken: result.accessToken
-      }
-    };
-  }
-});
-async function getResult(req) {
-  const idToken = req.header(ID_TOKEN_HEADER);
-  const accessToken = req.header(ACCESS_TOKEN_HEADER);
-  if (idToken === void 0) {
-    throw new errors.AuthenticationError(`Missing ${ID_TOKEN_HEADER} header`);
-  }
-  return {
-    fullProfile: idTokenToProfile(idToken),
-    accessToken
-  };
-}
-function idTokenToProfile(idToken) {
-  const claims = jose.decodeJwt(idToken);
-  if (claims.ver !== "2.0") {
-    throw new Error("id_token is not version 2.0 ");
-  }
-  return {
-    id: claims.oid,
-    displayName: claims.name,
-    provider: "easyauth",
-    emails: [{ value: claims.email }],
-    username: claims.preferred_username
-  };
-}
 
-exports.azureEasyAuthSignInResolvers = void 0;
-((azureEasyAuthSignInResolvers2) => {
-  azureEasyAuthSignInResolvers2.idMatchingUserEntityAnnotation = pluginAuthNode.createSignInResolverFactory({
-    create() {
-      return async (info, ctx) => {
-        const {
-          fullProfile: { id }
-        } = info.result;
-        if (!id) {
-          throw new Error("User profile contained no id");
-        }
-        return await ctx.signInWithCatalogUser({
-          annotations: {
-            "graph.microsoft.com/user-id": id
-          }
-        });
-      };
-    }
-  });
-})(exports.azureEasyAuthSignInResolvers || (exports.azureEasyAuthSignInResolvers = {}));
 
-const authModuleAzureEasyAuthProvider = backendPluginApi.createBackendModule({
-  pluginId: "auth",
-  moduleId: "azure-easyauth-provider",
-  register(reg) {
-    reg.registerInit({
-      deps: {
-        providers: pluginAuthNode.authProvidersExtensionPoint
-      },
-      async init({ providers }) {
-        validateAppServiceConfiguration(process.env);
-        providers.registerProvider({
-          providerId: "azureEasyAuth",
-          factory: pluginAuthNode.createProxyAuthProviderFactory({
-            authenticator: azureEasyAuthAuthenticator,
-            signInResolverFactories: {
-              ...pluginAuthNode.commonSignInResolvers,
-              ...exports.azureEasyAuthSignInResolvers
-            }
-          })
-        });
-      }
-    });
-  }
+exports.default = module$1.authModuleAzureEasyAuthProvider;
+exports.azureEasyAuthAuthenticator = authenticator.azureEasyAuthAuthenticator;
+Object.defineProperty(exports, "azureEasyAuthSignInResolvers", {
+	enumerable: true,
+	get: function () { return resolvers.azureEasyAuthSignInResolvers; }
 });
-function validateAppServiceConfiguration(env) {
-  if (env.WEBSITE_SKU === void 0) {
-    throw new Error("Backstage is not running on Azure App Services");
-  }
-  if (env.WEBSITE_AUTH_ENABLED?.toLocaleLowerCase("en-US") !== "true") {
-    throw new Error("Azure App Services does not have authentication enabled");
-  }
-  if (env.WEBSITE_AUTH_DEFAULT_PROVIDER?.toLocaleLowerCase("en-US") !== "azureactivedirectory") {
-    throw new Error("Authentication provider is not Entra ID");
-  }
-  if (env.WEBSITE_AUTH_TOKEN_STORE?.toLocaleLowerCase("en-US") !== "true") {
-    throw new Error("Token Store is not enabled");
-  }
-}
-
-exports.azureEasyAuthAuthenticator = azureEasyAuthAuthenticator;
-exports.default = authModuleAzureEasyAuthProvider;
 //# sourceMappingURL=index.cjs.js.map

package/dist/index.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.cjs.js","sources":["../src/authenticator.ts","../src/resolvers.ts","../src/module.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { AuthenticationError } from '@backstage/errors';\nimport { createProxyAuthenticator } from '@backstage/plugin-auth-node';\nimport { AzureEasyAuthResult } from './types';\nimport { Request } from 'express';\nimport { Profile } from 'passport';\nimport { decodeJwt } from 'jose';\n\nexport const ID_TOKEN_HEADER = 'x-ms-token-aad-id-token';\nexport const ACCESS_TOKEN_HEADER = 'x-ms-token-aad-access-token';\n\n/** @public */\nexport const azureEasyAuthAuthenticator = createProxyAuthenticator({\n  defaultProfileTransform: async (result: AzureEasyAuthResult) => {\n    return {\n      profile: {\n        displayName: result.fullProfile.displayName,\n        email: result.fullProfile.emails?.[0].value,\n        picture: result.fullProfile.photos?.[0].value,\n      },\n    };\n  },\n  initialize() {},\n  async authenticate({ req }) {\n    const result = await getResult(req);\n    return {\n      result,\n      providerInfo: {\n        accessToken: result.accessToken,\n      },\n    };\n  },\n});\n\nasync function getResult(req: Request): Promise<AzureEasyAuthResult> {\n  const idToken = req.header(ID_TOKEN_HEADER);\n  const accessToken = req.header(ACCESS_TOKEN_HEADER);\n  if (idToken === undefined) {\n    throw new AuthenticationError(`Missing ${ID_TOKEN_HEADER} header`);\n  }\n\n  return {\n    fullProfile: idTokenToProfile(idToken),\n    accessToken: accessToken,\n  };\n}\n\nfunction idTokenToProfile(idToken: string) {\n  const claims = decodeJwt(idToken);\n\n  if (claims.ver !== '2.0') {\n    throw new Error('id_token is not version 2.0 ');\n  }\n\n  return {\n    id: claims.oid,\n    displayName: claims.name,\n    provider: 'easyauth',\n    emails: [{ value: claims.email }],\n    username: claims.preferred_username,\n  } as Profile;\n}\n","/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  createSignInResolverFactory,\n  SignInInfo,\n} from '@backstage/plugin-auth-node';\nimport { AzureEasyAuthResult } from './types';\n\n/** @public */\nexport namespace azureEasyAuthSignInResolvers {\n  export const idMatchingUserEntityAnnotation = createSignInResolverFactory({\n    create() {\n      return async (info: SignInInfo<AzureEasyAuthResult>, ctx) => {\n        const {\n          fullProfile: { id },\n        } = info.result;\n\n        if (!id) {\n          throw new Error('User profile contained no id');\n        }\n\n        return await ctx.signInWithCatalogUser({\n          annotations: {\n            'graph.microsoft.com/user-id': id,\n          },\n        });\n      };\n    },\n  });\n}\n","/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { createBackendModule } from '@backstage/backend-plugin-api';\nimport {\n  authProvidersExtensionPoint,\n  commonSignInResolvers,\n  createProxyAuthProviderFactory,\n} from '@backstage/plugin-auth-node';\nimport { azureEasyAuthAuthenticator } from './authenticator';\nimport { azureEasyAuthSignInResolvers } from './resolvers';\n\n/** @public */\nexport const authModuleAzureEasyAuthProvider = createBackendModule({\n  pluginId: 'auth',\n  moduleId: 'azure-easyauth-provider',\n  register(reg) {\n    reg.registerInit({\n      deps: {\n        providers: authProvidersExtensionPoint,\n      },\n      async init({ providers }) {\n        validateAppServiceConfiguration(process.env);\n        providers.registerProvider({\n          providerId: 'azureEasyAuth',\n          factory: createProxyAuthProviderFactory({\n            authenticator: azureEasyAuthAuthenticator,\n            signInResolverFactories: {\n              ...commonSignInResolvers,\n              ...azureEasyAuthSignInResolvers,\n            },\n          }),\n        });\n      },\n    });\n  },\n});\n\nfunction validateAppServiceConfiguration(env: NodeJS.ProcessEnv) {\n  // Based on https://github.com/AzureAD/microsoft-identity-web/blob/f7403779d1a91f4a3fec0ed0993bd82f50f299e1/src/Microsoft.Identity.Web/AppServicesAuth/AppServicesAuthenticationInformation.cs#L38-L59\n  //\n  // It's critical to validate we're really running in a correctly configured Azure App Services,\n  // As we rely on App Services to manage & validate the ID and Access Token headers\n  // Without that, this users can be trivially impersonated.\n  if (env.WEBSITE_SKU === undefined) {\n    throw new Error('Backstage is not running on Azure App Services');\n  }\n  if (env.WEBSITE_AUTH_ENABLED?.toLocaleLowerCase('en-US') !== 'true') {\n    throw new Error('Azure App Services does not have authentication enabled');\n  }\n  if (\n    env.WEBSITE_AUTH_DEFAULT_PROVIDER?.toLocaleLowerCase('en-US') !==\n    'azureactivedirectory'\n  ) {\n    throw new Error('Authentication provider is not Entra ID');\n  }\n  if (env.WEBSITE_AUTH_TOKEN_STORE?.toLocaleLowerCase('en-US') !== 'true') {\n    throw new Error('Token Store is not enabled');\n  }\n}\n"],"names":["createProxyAuthenticator","AuthenticationError","decodeJwt","azureEasyAuthSignInResolvers","createSignInResolverFactory","createBackendModule","authProvidersExtensionPoint","createProxyAuthProviderFactory","commonSignInResolvers"],"mappings":";;;;;;;;;AAuBO,MAAM,eAAkB,GAAA,yBAAA,CAAA;AACxB,MAAM,mBAAsB,GAAA,6BAAA,CAAA;AAG5B,MAAM,6BAA6BA,uCAAyB,CAAA;AAAA,EACjE,uBAAA,EAAyB,OAAO,MAAgC,KAAA;AAC9D,IAAO,OAAA;AAAA,MACL,OAAS,EAAA;AAAA,QACP,WAAA,EAAa,OAAO,WAAY,CAAA,WAAA;AAAA,QAChC,KAAO,EAAA,MAAA,CAAO,WAAY,CAAA,MAAA,GAAS,CAAC,CAAE,CAAA,KAAA;AAAA,QACtC,OAAS,EAAA,MAAA,CAAO,WAAY,CAAA,MAAA,GAAS,CAAC,CAAE,CAAA,KAAA;AAAA,OAC1C;AAAA,KACF,CAAA;AAAA,GACF;AAAA,EACA,UAAa,GAAA;AAAA,GAAC;AAAA,EACd,MAAM,YAAA,CAAa,EAAE,GAAA,EAAO,EAAA;AAC1B,IAAM,MAAA,MAAA,GAAS,MAAM,SAAA,CAAU,GAAG,CAAA,CAAA;AAClC,IAAO,OAAA;AAAA,MACL,MAAA;AAAA,MACA,YAAc,EAAA;AAAA,QACZ,aAAa,MAAO,CAAA,WAAA;AAAA,OACtB;AAAA,KACF,CAAA;AAAA,GACF;AACF,CAAC,EAAA;AAED,eAAe,UAAU,GAA4C,EAAA;AACnE,EAAM,MAAA,OAAA,GAAU,GAAI,CAAA,MAAA,CAAO,eAAe,CAAA,CAAA;AAC1C,EAAM,MAAA,WAAA,GAAc,GAAI,CAAA,MAAA,CAAO,mBAAmB,CAAA,CAAA;AAClD,EAAA,IAAI,YAAY,KAAW,CAAA,EAAA;AACzB,IAAA,MAAM,IAAIC,0BAAA,CAAoB,CAAW,QAAA,EAAA,eAAe,CAAS,OAAA,CAAA,CAAA,CAAA;AAAA,GACnE;AAEA,EAAO,OAAA;AAAA,IACL,WAAA,EAAa,iBAAiB,OAAO,CAAA;AAAA,IACrC,WAAA;AAAA,GACF,CAAA;AACF,CAAA;AAEA,SAAS,iBAAiB,OAAiB,EAAA;AACzC,EAAM,MAAA,MAAA,GAASC,eAAU,OAAO,CAAA,CAAA;AAEhC,EAAI,IAAA,MAAA,CAAO,QAAQ,KAAO,EAAA;AACxB,IAAM,MAAA,IAAI,MAAM,8BAA8B,CAAA,CAAA;AAAA,GAChD;AAEA,EAAO,OAAA;AAAA,IACL,IAAI,MAAO,CAAA,GAAA;AAAA,IACX,aAAa,MAAO,CAAA,IAAA;AAAA,IACpB,QAAU,EAAA,UAAA;AAAA,IACV,QAAQ,CAAC,EAAE,KAAO,EAAA,MAAA,CAAO,OAAO,CAAA;AAAA,IAChC,UAAU,MAAO,CAAA,kBAAA;AAAA,GACnB,CAAA;AACF;;ACrDiBC,8CAAA;AAAA,CAAV,CAAUA,6BAAV,KAAA;AACE,EAAMA,6BAAAA,CAAA,iCAAiCC,0CAA4B,CAAA;AAAA,IACxE,MAAS,GAAA;AACP,MAAO,OAAA,OAAO,MAAuC,GAAQ,KAAA;AAC3D,QAAM,MAAA;AAAA,UACJ,WAAA,EAAa,EAAE,EAAG,EAAA;AAAA,YAChB,IAAK,CAAA,MAAA,CAAA;AAET,QAAA,IAAI,CAAC,EAAI,EAAA;AACP,UAAM,MAAA,IAAI,MAAM,8BAA8B,CAAA,CAAA;AAAA,SAChD;AAEA,QAAO,OAAA,MAAM,IAAI,qBAAsB,CAAA;AAAA,UACrC,WAAa,EAAA;AAAA,YACX,6BAA+B,EAAA,EAAA;AAAA,WACjC;AAAA,SACD,CAAA,CAAA;AAAA,OACH,CAAA;AAAA,KACF;AAAA,GACD,CAAA,CAAA;AAAA,CAnBc,EAAAD,oCAAA,KAAAA,oCAAA,GAAA,EAAA,CAAA,CAAA;;ACGV,MAAM,kCAAkCE,oCAAoB,CAAA;AAAA,EACjE,QAAU,EAAA,MAAA;AAAA,EACV,QAAU,EAAA,yBAAA;AAAA,EACV,SAAS,GAAK,EAAA;AACZ,IAAA,GAAA,CAAI,YAAa,CAAA;AAAA,MACf,IAAM,EAAA;AAAA,QACJ,SAAW,EAAAC,0CAAA;AAAA,OACb;AAAA,MACA,MAAM,IAAA,CAAK,EAAE,SAAA,EAAa,EAAA;AACxB,QAAA,+BAAA,CAAgC,QAAQ,GAAG,CAAA,CAAA;AAC3C,QAAA,SAAA,CAAU,gBAAiB,CAAA;AAAA,UACzB,UAAY,EAAA,eAAA;AAAA,UACZ,SAASC,6CAA+B,CAAA;AAAA,YACtC,aAAe,EAAA,0BAAA;AAAA,YACf,uBAAyB,EAAA;AAAA,cACvB,GAAGC,oCAAA;AAAA,cACH,GAAGL,oCAAA;AAAA,aACL;AAAA,WACD,CAAA;AAAA,SACF,CAAA,CAAA;AAAA,OACH;AAAA,KACD,CAAA,CAAA;AAAA,GACH;AACF,CAAC,EAAA;AAED,SAAS,gCAAgC,GAAwB,EAAA;AAM/D,EAAI,IAAA,GAAA,CAAI,gBAAgB,KAAW,CAAA,EAAA;AACjC,IAAM,MAAA,IAAI,MAAM,gDAAgD,CAAA,CAAA;AAAA,GAClE;AACA,EAAA,IAAI,GAAI,CAAA,oBAAA,EAAsB,iBAAkB,CAAA,OAAO,MAAM,MAAQ,EAAA;AACnE,IAAM,MAAA,IAAI,MAAM,yDAAyD,CAAA,CAAA;AAAA,GAC3E;AACA,EAAA,IACE,GAAI,CAAA,6BAAA,EAA+B,iBAAkB,CAAA,OAAO,MAC5D,sBACA,EAAA;AACA,IAAM,MAAA,IAAI,MAAM,yCAAyC,CAAA,CAAA;AAAA,GAC3D;AACA,EAAA,IAAI,GAAI,CAAA,wBAAA,EAA0B,iBAAkB,CAAA,OAAO,MAAM,MAAQ,EAAA;AACvE,IAAM,MAAA,IAAI,MAAM,4BAA4B,CAAA,CAAA;AAAA,GAC9C;AACF;;;;;"}
+{"version":3,"file":"index.cjs.js","sources":[],"sourcesContent":[],"names":[],"mappings":";;;;;;;;;;;;;;;"}

package/dist/module.cjs.js

@@ -0,0 +1,48 @@
+'use strict';
+
+var backendPluginApi = require('@backstage/backend-plugin-api');
+var pluginAuthNode = require('@backstage/plugin-auth-node');
+var authenticator = require('./authenticator.cjs.js');
+var resolvers = require('./resolvers.cjs.js');
+
+const authModuleAzureEasyAuthProvider = backendPluginApi.createBackendModule({
+  pluginId: "auth",
+  moduleId: "azure-easyauth-provider",
+  register(reg) {
+    reg.registerInit({
+      deps: {
+        providers: pluginAuthNode.authProvidersExtensionPoint
+      },
+      async init({ providers }) {
+        validateAppServiceConfiguration(process.env);
+        providers.registerProvider({
+          providerId: "azureEasyAuth",
+          factory: pluginAuthNode.createProxyAuthProviderFactory({
+            authenticator: authenticator.azureEasyAuthAuthenticator,
+            signInResolverFactories: {
+              ...pluginAuthNode.commonSignInResolvers,
+              ...resolvers.azureEasyAuthSignInResolvers
+            }
+          })
+        });
+      }
+    });
+  }
+});
+function validateAppServiceConfiguration(env) {
+  if (env.WEBSITE_SKU === void 0) {
+    throw new Error("Backstage is not running on Azure App Services");
+  }
+  if (env.WEBSITE_AUTH_ENABLED?.toLocaleLowerCase("en-US") !== "true") {
+    throw new Error("Azure App Services does not have authentication enabled");
+  }
+  if (env.WEBSITE_AUTH_DEFAULT_PROVIDER?.toLocaleLowerCase("en-US") !== "azureactivedirectory") {
+    throw new Error("Authentication provider is not Entra ID");
+  }
+  if (env.WEBSITE_AUTH_TOKEN_STORE?.toLocaleLowerCase("en-US") !== "true") {
+    throw new Error("Token Store is not enabled");
+  }
+}
+
+exports.authModuleAzureEasyAuthProvider = authModuleAzureEasyAuthProvider;
+//# sourceMappingURL=module.cjs.js.map

package/dist/module.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"module.cjs.js","sources":["../src/module.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { createBackendModule } from '@backstage/backend-plugin-api';\nimport {\n  authProvidersExtensionPoint,\n  commonSignInResolvers,\n  createProxyAuthProviderFactory,\n} from '@backstage/plugin-auth-node';\nimport { azureEasyAuthAuthenticator } from './authenticator';\nimport { azureEasyAuthSignInResolvers } from './resolvers';\n\n/** @public */\nexport const authModuleAzureEasyAuthProvider = createBackendModule({\n  pluginId: 'auth',\n  moduleId: 'azure-easyauth-provider',\n  register(reg) {\n    reg.registerInit({\n      deps: {\n        providers: authProvidersExtensionPoint,\n      },\n      async init({ providers }) {\n        validateAppServiceConfiguration(process.env);\n        providers.registerProvider({\n          providerId: 'azureEasyAuth',\n          factory: createProxyAuthProviderFactory({\n            authenticator: azureEasyAuthAuthenticator,\n            signInResolverFactories: {\n              ...commonSignInResolvers,\n              ...azureEasyAuthSignInResolvers,\n            },\n          }),\n        });\n      },\n    });\n  },\n});\n\nfunction validateAppServiceConfiguration(env: NodeJS.ProcessEnv) {\n  // Based on https://github.com/AzureAD/microsoft-identity-web/blob/f7403779d1a91f4a3fec0ed0993bd82f50f299e1/src/Microsoft.Identity.Web/AppServicesAuth/AppServicesAuthenticationInformation.cs#L38-L59\n  //\n  // It's critical to validate we're really running in a correctly configured Azure App Services,\n  // As we rely on App Services to manage & validate the ID and Access Token headers\n  // Without that, this users can be trivially impersonated.\n  if (env.WEBSITE_SKU === undefined) {\n    throw new Error('Backstage is not running on Azure App Services');\n  }\n  if (env.WEBSITE_AUTH_ENABLED?.toLocaleLowerCase('en-US') !== 'true') {\n    throw new Error('Azure App Services does not have authentication enabled');\n  }\n  if (\n    env.WEBSITE_AUTH_DEFAULT_PROVIDER?.toLocaleLowerCase('en-US') !==\n    'azureactivedirectory'\n  ) {\n    throw new Error('Authentication provider is not Entra ID');\n  }\n  if (env.WEBSITE_AUTH_TOKEN_STORE?.toLocaleLowerCase('en-US') !== 'true') {\n    throw new Error('Token Store is not enabled');\n  }\n}\n"],"names":["createBackendModule","authProvidersExtensionPoint","createProxyAuthProviderFactory","azureEasyAuthAuthenticator","commonSignInResolvers","azureEasyAuthSignInResolvers"],"mappings":";;;;;;;AA0BO,MAAM,kCAAkCA,oCAAoB,CAAA;AAAA,EACjE,QAAU,EAAA,MAAA;AAAA,EACV,QAAU,EAAA,yBAAA;AAAA,EACV,SAAS,GAAK,EAAA;AACZ,IAAA,GAAA,CAAI,YAAa,CAAA;AAAA,MACf,IAAM,EAAA;AAAA,QACJ,SAAW,EAAAC,0CAAA;AAAA,OACb;AAAA,MACA,MAAM,IAAA,CAAK,EAAE,SAAA,EAAa,EAAA;AACxB,QAAA,+BAAA,CAAgC,QAAQ,GAAG,CAAA,CAAA;AAC3C,QAAA,SAAA,CAAU,gBAAiB,CAAA;AAAA,UACzB,UAAY,EAAA,eAAA;AAAA,UACZ,SAASC,6CAA+B,CAAA;AAAA,YACtC,aAAe,EAAAC,wCAAA;AAAA,YACf,uBAAyB,EAAA;AAAA,cACvB,GAAGC,oCAAA;AAAA,cACH,GAAGC,sCAAA;AAAA,aACL;AAAA,WACD,CAAA;AAAA,SACF,CAAA,CAAA;AAAA,OACH;AAAA,KACD,CAAA,CAAA;AAAA,GACH;AACF,CAAC,EAAA;AAED,SAAS,gCAAgC,GAAwB,EAAA;AAM/D,EAAI,IAAA,GAAA,CAAI,gBAAgB,KAAW,CAAA,EAAA;AACjC,IAAM,MAAA,IAAI,MAAM,gDAAgD,CAAA,CAAA;AAAA,GAClE;AACA,EAAA,IAAI,GAAI,CAAA,oBAAA,EAAsB,iBAAkB,CAAA,OAAO,MAAM,MAAQ,EAAA;AACnE,IAAM,MAAA,IAAI,MAAM,yDAAyD,CAAA,CAAA;AAAA,GAC3E;AACA,EAAA,IACE,GAAI,CAAA,6BAAA,EAA+B,iBAAkB,CAAA,OAAO,MAC5D,sBACA,EAAA;AACA,IAAM,MAAA,IAAI,MAAM,yCAAyC,CAAA,CAAA;AAAA,GAC3D;AACA,EAAA,IAAI,GAAI,CAAA,wBAAA,EAA0B,iBAAkB,CAAA,OAAO,MAAM,MAAQ,EAAA;AACvE,IAAM,MAAA,IAAI,MAAM,4BAA4B,CAAA,CAAA;AAAA,GAC9C;AACF;;;;"}

package/dist/resolvers.cjs.js

@@ -0,0 +1,25 @@
+'use strict';
+
+var pluginAuthNode = require('@backstage/plugin-auth-node');
+
+exports.azureEasyAuthSignInResolvers = void 0;
+((azureEasyAuthSignInResolvers2) => {
+  azureEasyAuthSignInResolvers2.idMatchingUserEntityAnnotation = pluginAuthNode.createSignInResolverFactory({
+    create() {
+      return async (info, ctx) => {
+        const {
+          fullProfile: { id }
+        } = info.result;
+        if (!id) {
+          throw new Error("User profile contained no id");
+        }
+        return await ctx.signInWithCatalogUser({
+          annotations: {
+            "graph.microsoft.com/user-id": id
+          }
+        });
+      };
+    }
+  });
+})(exports.azureEasyAuthSignInResolvers || (exports.azureEasyAuthSignInResolvers = {}));
+//# sourceMappingURL=resolvers.cjs.js.map

package/dist/resolvers.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolvers.cjs.js","sources":["../src/resolvers.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  createSignInResolverFactory,\n  SignInInfo,\n} from '@backstage/plugin-auth-node';\nimport { AzureEasyAuthResult } from './types';\n\n/** @public */\nexport namespace azureEasyAuthSignInResolvers {\n  export const idMatchingUserEntityAnnotation = createSignInResolverFactory({\n    create() {\n      return async (info: SignInInfo<AzureEasyAuthResult>, ctx) => {\n        const {\n          fullProfile: { id },\n        } = info.result;\n\n        if (!id) {\n          throw new Error('User profile contained no id');\n        }\n\n        return await ctx.signInWithCatalogUser({\n          annotations: {\n            'graph.microsoft.com/user-id': id,\n          },\n        });\n      };\n    },\n  });\n}\n"],"names":["azureEasyAuthSignInResolvers","createSignInResolverFactory"],"mappings":";;;;AAuBiBA,8CAAA;AAAA,CAAV,CAAUA,6BAAV,KAAA;AACE,EAAMA,6BAAAA,CAAA,iCAAiCC,0CAA4B,CAAA;AAAA,IACxE,MAAS,GAAA;AACP,MAAO,OAAA,OAAO,MAAuC,GAAQ,KAAA;AAC3D,QAAM,MAAA;AAAA,UACJ,WAAA,EAAa,EAAE,EAAG,EAAA;AAAA,YAChB,IAAK,CAAA,MAAA,CAAA;AAET,QAAA,IAAI,CAAC,EAAI,EAAA;AACP,UAAM,MAAA,IAAI,MAAM,8BAA8B,CAAA,CAAA;AAAA,SAChD;AAEA,QAAO,OAAA,MAAM,IAAI,qBAAsB,CAAA;AAAA,UACrC,WAAa,EAAA;AAAA,YACX,6BAA+B,EAAA,EAAA;AAAA,WACjC;AAAA,SACD,CAAA,CAAA;AAAA,OACH,CAAA;AAAA,KACF;AAAA,GACD,CAAA,CAAA;AAAA,CAnBc,EAAAD,oCAAA,KAAAA,oCAAA,GAAA,EAAA,CAAA,CAAA;;"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@backstage/plugin-auth-backend-module-azure-easyauth-provider",
-  "version": "0.2.1-next.0",
+  "version": "0.2.1-next.1",
   "description": "The azure-easyauth-provider backend module for the auth plugin.",
   "backstage": {
     "role": "backend-plugin-module",
@@ -33,18 +33,18 @@
     "test": "backstage-cli package test"
   },
   "dependencies": {
-    "@backstage/backend-plugin-api": "^1.0.1-next.0",
-    "@backstage/catalog-model": "^1.7.0",
-    "@backstage/errors": "^1.2.4",
-    "@backstage/plugin-auth-node": "^0.5.3-next.0",
+    "@backstage/backend-plugin-api": "1.0.1-next.1",
+    "@backstage/catalog-model": "1.7.0",
+    "@backstage/errors": "1.2.4",
+    "@backstage/plugin-auth-node": "0.5.3-next.1",
     "@types/passport": "^1.0.16",
     "express": "^4.19.2",
     "jose": "^5.0.0",
     "passport": "^0.7.0"
   },
   "devDependencies": {
-    "@backstage/backend-test-utils": "^1.0.1-next.0",
-    "@backstage/cli": "^0.28.0-next.0",
-    "@backstage/plugin-auth-backend": "^0.23.1-next.0"
+    "@backstage/backend-test-utils": "1.0.1-next.2",
+    "@backstage/cli": "0.28.0-next.2",
+    "@backstage/plugin-auth-backend": "0.23.1-next.1"
   }
 }