npm - @backstage/plugin-auth-backend-module-oauth2-proxy-provider - Versions diffs - 0.0.0-nightly-20231129021646 - Mend

@backstage/plugin-auth-backend-module-oauth2-proxy-provider 0.0.0-nightly-20231129021646

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/CHANGELOG.md ADDED Viewed

@@ -0,0 +1,29 @@
+# @backstage/plugin-auth-backend-module-oauth2-proxy-provider
+## 0.0.0-nightly-20231129021646
+### Minor Changes
+- 271aa12: Release of `oauth2-proxy-provider` plugin
+### Patch Changes
+- Updated dependencies
+  - @backstage/backend-common@0.0.0-nightly-20231129021646
+  - @backstage/plugin-auth-node@0.0.0-nightly-20231129021646
+  - @backstage/backend-plugin-api@0.0.0-nightly-20231129021646
+  - @backstage/errors@1.2.3
+## 0.1.0-next.0
+### Minor Changes
+- 271aa12c7c: Release of `oauth2-proxy-provider` plugin
+### Patch Changes
+- Updated dependencies
+  - @backstage/backend-common@0.20.0-next.1
+  - @backstage/backend-plugin-api@0.6.8-next.1
+  - @backstage/errors@1.2.3
+  - @backstage/plugin-auth-node@0.4.2-next.1

package/README.md ADDED Viewed

@@ -0,0 +1,5 @@
+# @backstage/plugin-auth-backend-module-oauth2-proxy-provider
+The oauth2-proxy-provider backend module for the auth plugin.
+_This plugin was created through the Backstage CLI_

package/dist/index.cjs.js ADDED Viewed

@@ -0,0 +1,89 @@
+'use strict';
+Object.defineProperty(exports, '__esModule', { value: true });
+var backendPluginApi = require('@backstage/backend-plugin-api');
+var pluginAuthNode = require('@backstage/plugin-auth-node');
+var errors = require('@backstage/errors');
+var jose = require('jose');
+const OAUTH2_PROXY_JWT_HEADER = "X-OAUTH2-PROXY-ID-TOKEN";
+const oauth2ProxyAuthenticator = pluginAuthNode.createProxyAuthenticator({
+  defaultProfileTransform: async (result) => {
+    return {
+      profile: {
+        email: result.getHeader("x-forwarded-email"),
+        displayName: result.getHeader("x-forwarded-preferred-username") || result.getHeader("x-forwarded-user")
+      }
+    };
+  },
+  async initialize() {
+  },
+  async authenticate({ req }) {
+    try {
+      const authHeader = req.header(OAUTH2_PROXY_JWT_HEADER);
+      const jwt = pluginAuthNode.getBearerTokenFromAuthorizationHeader(authHeader);
+      const decodedJWT = jwt && jose.decodeJwt(jwt);
+      const result = {
+        fullProfile: decodedJWT || {},
+        accessToken: jwt || "",
+        headers: req.headers,
+        getHeader(name) {
+          if (name.toLocaleLowerCase("en-US") === "set-cookie") {
+            throw new Error("Access Set-Cookie via the headers object instead");
+          }
+          return req.get(name);
+        }
+      };
+      return { result };
+    } catch (e) {
+      throw new errors.AuthenticationError("Authentication failed", e);
+    }
+  }
+});
+var oauth2ProxySignInResolvers;
+((oauth2ProxySignInResolvers2) => {
+  oauth2ProxySignInResolvers2.forwardedUserMatchingUserEntityName = pluginAuthNode.createSignInResolverFactory({
+    create() {
+      return async (info, ctx) => {
+        const name = info.result.getHeader("x-forwarded-user");
+        if (!name) {
+          throw new Error("Request did not contain a user");
+        }
+        return ctx.signInWithCatalogUser({
+          entityRef: { name }
+        });
+      };
+    }
+  });
+})(oauth2ProxySignInResolvers || (oauth2ProxySignInResolvers = {}));
+const authModuleOauth2ProxyProvider = backendPluginApi.createBackendModule({
+  pluginId: "auth",
+  moduleId: "oauth2ProxyProvider",
+  register(reg) {
+    reg.registerInit({
+      deps: {
+        providers: pluginAuthNode.authProvidersExtensionPoint
+      },
+      async init({ providers }) {
+        providers.registerProvider({
+          providerId: "oauth2ProxyProvider",
+          factory: pluginAuthNode.createProxyAuthProviderFactory({
+            authenticator: oauth2ProxyAuthenticator,
+            signInResolverFactories: {
+              ...pluginAuthNode.commonSignInResolvers,
+              ...oauth2ProxySignInResolvers
+            }
+          })
+        });
+      }
+    });
+  }
+});
+exports.OAUTH2_PROXY_JWT_HEADER = OAUTH2_PROXY_JWT_HEADER;
+exports.authModuleOauth2ProxyProvider = authModuleOauth2ProxyProvider;
+exports.oauth2ProxyAuthenticator = oauth2ProxyAuthenticator;
+//# sourceMappingURL=index.cjs.js.map

package/dist/index.cjs.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.cjs.js","sources":["../src/authenticator.ts","../src/resolvers.ts","../src/module.ts"],"sourcesContent":["/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { AuthenticationError } from '@backstage/errors';\nimport {\n createProxyAuthenticator,\n getBearerTokenFromAuthorizationHeader,\n} from '@backstage/plugin-auth-node';\nimport { decodeJwt } from 'jose';\nimport { OAuth2ProxyResult } from './types';\n\n/**\n * NOTE: This may come in handy if you're doing work on this provider:\n * plugins/auth-backend/examples/docker-compose.oauth2-proxy.yaml\n *\n * @public\n */\nexport const OAUTH2_PROXY_JWT_HEADER = 'X-OAUTH2-PROXY-ID-TOKEN';\n\n/** @public */\nexport const oauth2ProxyAuthenticator = createProxyAuthenticator<\n unknown,\n OAuth2ProxyResult\n>({\n defaultProfileTransform: async (result: OAuth2ProxyResult) => {\n return {\n profile: {\n email: result.getHeader('x-forwarded-email'),\n displayName:\n result.getHeader('x-forwarded-preferred-username') ||\n result.getHeader('x-forwarded-user'),\n },\n };\n },\n async initialize() {},\n async authenticate({ req }) {\n try {\n const authHeader = req.header(OAUTH2_PROXY_JWT_HEADER);\n const jwt = getBearerTokenFromAuthorizationHeader(authHeader);\n const decodedJWT = jwt && decodeJwt(jwt);\n\n const result = {\n fullProfile: decodedJWT || {},\n accessToken: jwt || '',\n headers: req.headers,\n getHeader(name: string) {\n if (name.toLocaleLowerCase('en-US') === 'set-cookie') {\n throw new Error('Access Set-Cookie via the headers object instead');\n }\n return req.get(name);\n },\n };\n return { result };\n } catch (e) {\n throw new AuthenticationError('Authentication failed', e);\n }\n },\n});\n","/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n createSignInResolverFactory,\n SignInInfo,\n} from '@backstage/plugin-auth-node';\nimport { OAuth2ProxyResult } from './types';\n\n/**\n * @public\n */\nexport namespace oauth2ProxySignInResolvers {\n export const forwardedUserMatchingUserEntityName =\n createSignInResolverFactory({\n create() {\n return async (info: SignInInfo<OAuth2ProxyResult>, ctx) => {\n const name = info.result.getHeader('x-forwarded-user');\n if (!name) {\n throw new Error('Request did not contain a user');\n }\n return ctx.signInWithCatalogUser({\n entityRef: { name },\n });\n };\n },\n });\n}\n","/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { createBackendModule } from '@backstage/backend-plugin-api';\nimport {\n authProvidersExtensionPoint,\n createProxyAuthProviderFactory,\n commonSignInResolvers,\n} from '@backstage/plugin-auth-node';\nimport { oauth2ProxyAuthenticator } from './authenticator';\nimport { oauth2ProxySignInResolvers } from './resolvers';\n\n/** @public */\nexport const authModuleOauth2ProxyProvider = createBackendModule({\n pluginId: 'auth',\n moduleId: 'oauth2ProxyProvider',\n register(reg) {\n reg.registerInit({\n deps: {\n providers: authProvidersExtensionPoint,\n },\n async init({ providers }) {\n providers.registerProvider({\n providerId: 'oauth2ProxyProvider',\n factory: createProxyAuthProviderFactory({\n authenticator: oauth2ProxyAuthenticator,\n signInResolverFactories: {\n ...commonSignInResolvers,\n ...oauth2ProxySignInResolvers,\n },\n }),\n });\n },\n });\n },\n});\n"],"names":["createProxyAuthenticator","getBearerTokenFromAuthorizationHeader","decodeJwt","AuthenticationError","oauth2ProxySignInResolvers","createSignInResolverFactory","createBackendModule","authProvidersExtensionPoint","createProxyAuthProviderFactory","commonSignInResolvers"],"mappings":";;;;;;;;;AA8BO,MAAM,uBAA0B,GAAA,0BAAA;AAGhC,MAAM,2BAA2BA,uCAGtC,CAAA;AAAA,EACA,uBAAA,EAAyB,OAAO,MAA8B,KAAA;AAC5D,IAAO,OAAA;AAAA,MACL,OAAS,EAAA;AAAA,QACP,KAAA,EAAO,MAAO,CAAA,SAAA,CAAU,mBAAmB,CAAA;AAAA,QAC3C,aACE,MAAO,CAAA,SAAA,CAAU,gCAAgC,CACjD,IAAA,MAAA,CAAO,UAAU,kBAAkB,CAAA;AAAA,OACvC;AAAA,KACF,CAAA;AAAA,GACF;AAAA,EACA,MAAM,UAAa,GAAA;AAAA,GAAC;AAAA,EACpB,MAAM,YAAA,CAAa,EAAE,GAAA,EAAO,EAAA;AAC1B,IAAI,IAAA;AACF,MAAM,MAAA,UAAA,GAAa,GAAI,CAAA,MAAA,CAAO,uBAAuB,CAAA,CAAA;AACrD,MAAM,MAAA,GAAA,GAAMC,qDAAsC,UAAU,CAAA,CAAA;AAC5D,MAAM,MAAA,UAAA,GAAa,GAAO,IAAAC,cAAA,CAAU,GAAG,CAAA,CAAA;AAEvC,MAAA,MAAM,MAAS,GAAA;AAAA,QACb,WAAA,EAAa,cAAc,EAAC;AAAA,QAC5B,aAAa,GAAO,IAAA,EAAA;AAAA,QACpB,SAAS,GAAI,CAAA,OAAA;AAAA,QACb,UAAU,IAAc,EAAA;AACtB,UAAA,IAAI,IAAK,CAAA,iBAAA,CAAkB,OAAO,CAAA,KAAM,YAAc,EAAA;AACpD,YAAM,MAAA,IAAI,MAAM,kDAAkD,CAAA,CAAA;AAAA,WACpE;AACA,UAAO,OAAA,GAAA,CAAI,IAAI,IAAI,CAAA,CAAA;AAAA,SACrB;AAAA,OACF,CAAA;AACA,MAAA,OAAO,EAAE,MAAO,EAAA,CAAA;AAAA,aACT,CAAG,EAAA;AACV,MAAM,MAAA,IAAIC,0BAAoB,CAAA,uBAAA,EAAyB,CAAC,CAAA,CAAA;AAAA,KAC1D;AAAA,GACF;AACF,CAAC;;AC7CgB,IAAA,0BAAA,CAAA;AAAA,CAAV,CAAUC,2BAAV,KAAA;AACE,EAAMA,2BAAAA,CAAA,sCACXC,0CAA4B,CAAA;AAAA,IAC1B,MAAS,GAAA;AACP,MAAO,OAAA,OAAO,MAAqC,GAAQ,KAAA;AACzD,QAAA,MAAM,IAAO,GAAA,IAAA,CAAK,MAAO,CAAA,SAAA,CAAU,kBAAkB,CAAA,CAAA;AACrD,QAAA,IAAI,CAAC,IAAM,EAAA;AACT,UAAM,MAAA,IAAI,MAAM,gCAAgC,CAAA,CAAA;AAAA,SAClD;AACA,QAAA,OAAO,IAAI,qBAAsB,CAAA;AAAA,UAC/B,SAAA,EAAW,EAAE,IAAK,EAAA;AAAA,SACnB,CAAA,CAAA;AAAA,OACH,CAAA;AAAA,KACF;AAAA,GACD,CAAA,CAAA;AAAA,CAdY,EAAA,0BAAA,KAAA,0BAAA,GAAA,EAAA,CAAA,CAAA;;ACCV,MAAM,gCAAgCC,oCAAoB,CAAA;AAAA,EAC/D,QAAU,EAAA,MAAA;AAAA,EACV,QAAU,EAAA,qBAAA;AAAA,EACV,SAAS,GAAK,EAAA;AACZ,IAAA,GAAA,CAAI,YAAa,CAAA;AAAA,MACf,IAAM,EAAA;AAAA,QACJ,SAAW,EAAAC,0CAAA;AAAA,OACb;AAAA,MACA,MAAM,IAAA,CAAK,EAAE,SAAA,EAAa,EAAA;AACxB,QAAA,SAAA,CAAU,gBAAiB,CAAA;AAAA,UACzB,UAAY,EAAA,qBAAA;AAAA,UACZ,SAASC,6CAA+B,CAAA;AAAA,YACtC,aAAe,EAAA,wBAAA;AAAA,YACf,uBAAyB,EAAA;AAAA,cACvB,GAAGC,oCAAA;AAAA,cACH,GAAG,0BAAA;AAAA,aACL;AAAA,WACD,CAAA;AAAA,SACF,CAAA,CAAA;AAAA,OACH;AAAA,KACD,CAAA,CAAA;AAAA,GACH;AACF,CAAC;;;;;;"}

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,59 @@
+/// <reference types="node" />
+import * as _backstage_backend_plugin_api from '@backstage/backend-plugin-api';
+import * as _backstage_plugin_auth_node from '@backstage/plugin-auth-node';
+import { IncomingHttpHeaders } from 'http';
+/** @public */
+declare const authModuleOauth2ProxyProvider: () => _backstage_backend_plugin_api.BackendFeature;
+/**
+ * JWT header extraction result, containing the raw value and the parsed JWT
+ * payload.
+ *
+ * @public
+ */
+type OAuth2ProxyResult<JWTPayload = {}> = {
+    /**
+     * The parsed payload of the `accessToken`. The token is only parsed, not verified.
+     *
+     * @deprecated Access through the `headers` instead. This will be removed in a future release.
+     */
+    fullProfile: JWTPayload;
+    /**
+     * The token received via the X-OAUTH2-PROXY-ID-TOKEN header. Will be an empty string
+     * if the header is not set. Note the this is typically an OpenID Connect token.
+     *
+     * @deprecated Access through the `headers` instead. This will be removed in a future release.
+     */
+    accessToken: string;
+    /**
+     * The headers of the incoming request from the OAuth2 proxy. This will include
+     * both the headers set by the client as well as the ones added by the OAuth2 proxy.
+     * You should only trust the headers that are injected by the OAuth2 proxy.
+     *
+     * Useful headers to use to complete the sign-in are for example `x-forwarded-user`
+     * and `x-forwarded-email`. See the OAuth2 proxy documentation for more information
+     * about the available headers and how to enable them. In particular it is possible
+     * to forward access and identity tokens, which can be user for additional verification
+     * and lookups.
+     */
+    headers: IncomingHttpHeaders;
+    /**
+     * Provides convenient access to the request headers.
+     *
+     * This call is simply forwarded to `req.get(name)`.
+     */
+    getHeader(name: string): string | undefined;
+};
+/**
+ * NOTE: This may come in handy if you're doing work on this provider:
+ * plugins/auth-backend/examples/docker-compose.oauth2-proxy.yaml
+ *
+ * @public
+ */
+declare const OAUTH2_PROXY_JWT_HEADER = "X-OAUTH2-PROXY-ID-TOKEN";
+/** @public */
+declare const oauth2ProxyAuthenticator: _backstage_plugin_auth_node.ProxyAuthenticator<unknown, OAuth2ProxyResult>;
+export { OAUTH2_PROXY_JWT_HEADER, OAuth2ProxyResult, authModuleOauth2ProxyProvider, oauth2ProxyAuthenticator };

package/package.json ADDED Viewed

@@ -0,0 +1,39 @@
+{
+  "name": "@backstage/plugin-auth-backend-module-oauth2-proxy-provider",
+  "description": "The oauth2-proxy-provider backend module for the auth plugin.",
+  "version": "0.0.0-nightly-20231129021646",
+  "main": "dist/index.cjs.js",
+  "types": "dist/index.d.ts",
+  "license": "Apache-2.0",
+  "publishConfig": {
+    "access": "public",
+    "main": "dist/index.cjs.js",
+    "types": "dist/index.d.ts"
+  },
+  "backstage": {
+    "role": "backend-plugin-module"
+  },
+  "scripts": {
+    "start": "backstage-cli package start",
+    "build": "backstage-cli package build",
+    "lint": "backstage-cli package lint",
+    "test": "backstage-cli package test",
+    "clean": "backstage-cli package clean",
+    "prepack": "backstage-cli package prepack",
+    "postpack": "backstage-cli package postpack"
+  },
+  "dependencies": {
+    "@backstage/backend-common": "^0.0.0-nightly-20231129021646",
+    "@backstage/backend-plugin-api": "^0.0.0-nightly-20231129021646",
+    "@backstage/errors": "^1.2.3",
+    "@backstage/plugin-auth-node": "^0.0.0-nightly-20231129021646",
+    "jose": "^4.6.0"
+  },
+  "devDependencies": {
+    "@backstage/backend-test-utils": "^0.0.0-nightly-20231129021646",
+    "@backstage/cli": "^0.0.0-nightly-20231129021646"
+  },
+  "files": [
+    "dist"
+  ]
+}