@backstage/plugin-auth-backend 0.0.0-nightly-2022122206 → 0.0.0-nightly-20220210021913

package/CHANGELOG.md

@@ -1,6 +1,40 @@
 # @backstage/plugin-auth-backend
 
-## 0.0.0-nightly-2022122206
+## 0.0.0-nightly-20220210021913
+
+### Minor Changes
+
+- 08fcda13ef: The `callbackUrl` option of `OAuthAdapter` is now required.
+
+### Patch Changes
+
+- 2441d1cf59: chore(deps): bump `knex` from 0.95.6 to 1.0.2
+
+  This also replaces `sqlite3` with `@vscode/sqlite3` 5.0.7
+
+- 3396bc5973: Enabled refresh for the Atlassian provider.
+- 08fcda13ef: Added a new `cookieConfigurer` option to `AuthProviderConfig` that makes it possible to override the default logic for configuring OAuth provider cookies.
+- Updated dependencies
+  - @backstage/backend-common@0.0.0-nightly-20220210021913
+
+## 0.10.0-next.0
+
+### Minor Changes
+
+- 08fcda13ef: The `callbackUrl` option of `OAuthAdapter` is now required.
+
+### Patch Changes
+
+- 2441d1cf59: chore(deps): bump `knex` from 0.95.6 to 1.0.2
+
+  This also replaces `sqlite3` with `@vscode/sqlite3` 5.0.7
+
+- 3396bc5973: Enabled refresh for the Atlassian provider.
+- 08fcda13ef: Added a new `cookieConfigurer` option to `AuthProviderConfig` that makes it possible to override the default logic for configuring OAuth provider cookies.
+- Updated dependencies
+  - @backstage/backend-common@0.10.7-next.0
+
+## 0.9.0
 
 ### Minor Changes
 
@@ -30,7 +64,21 @@
 
 ### Patch Changes
 
+- 9d75a939b6: Fixed a bug where providers that tracked the granted scopes through a cookie would not take failed authentication attempts into account.
 - 28a5f9d0b1: chore(deps): bump `passport` from 0.4.1 to 0.5.2
+- 5d09bdd1de: Added custom `callbackUrl` support for multiple providers. `v0.8.0` introduced this change for `github`, and now we're adding the same capability to the following providers: `atlassian, auth0, bitbucket, gitlab, google, microsoft, oauth2, oidc, okta, onelogin`.
+- 648606b3ac: Added support for storing static GitHub access tokens in cookies and using them to refresh the Backstage session.
+- Updated dependencies
+  - @backstage/backend-common@0.10.6
+
+## 0.9.0-next.1
+
+### Patch Changes
+
+- 9d75a939b6: Fixed a bug where providers that tracked the granted scopes through a cookie would not take failed authentication attempts into account.
+- 648606b3ac: Added support for storing static GitHub access tokens in cookies and using them to refresh the Backstage session.
+- Updated dependencies
+  - @backstage/backend-common@0.10.6-next.0
 
 ## 0.9.0-next.0
 

package/dist/index.cjs.js

@@ -149,15 +149,14 @@ const verifyNonce = (req, providerId) => {
     throw new Error("Invalid nonce");
   }
 };
-const getCookieConfig = (authUrl, providerId) => {
-  const { hostname: cookieDomain, pathname, protocol } = authUrl;
+const defaultCookieConfigurer = ({
+  callbackUrl,
+  providerId
+}) => {
+  const { hostname: domain, pathname, protocol } = new URL(callbackUrl);
   const secure = protocol === "https:";
-  const cookiePath = pathname.endsWith(`${providerId}/handler/frame`) ? pathname.slice(0, -"/handler/frame".length) : `${pathname}/${providerId}`;
-  return {
-    cookieDomain,
-    cookiePath,
-    secure
-  };
+  const path = pathname.endsWith(`${providerId}/handler/frame`) ? pathname.slice(0, -"/handler/frame".length) : `${pathname}/${providerId}`;
+  return { domain, path, secure };
 };
 
 class OAuthEnvironmentHandler {
@@ -281,58 +280,54 @@ class OAuthAdapter {
     this.setNonceCookie = (res, nonce) => {
       res.cookie(`${this.options.providerId}-nonce`, nonce, {
         maxAge: TEN_MINUTES_MS,
-        secure: this.options.secure,
-        sameSite: "lax",
-        domain: this.options.cookieDomain,
-        path: `${this.options.cookiePath}/handler`,
-        httpOnly: true
+        ...this.baseCookieOptions,
+        path: `${this.options.cookiePath}/handler`
       });
     };
-    this.setScopesCookie = (res, scope) => {
-      res.cookie(`${this.options.providerId}-scope`, scope, {
-        maxAge: TEN_MINUTES_MS,
-        secure: this.options.secure,
-        sameSite: "lax",
-        domain: this.options.cookieDomain,
-        path: `${this.options.cookiePath}/handler`,
-        httpOnly: true
+    this.setGrantedScopeCookie = (res, scope) => {
+      res.cookie(`${this.options.providerId}-granted-scope`, scope, {
+        maxAge: THOUSAND_DAYS_MS,
+        ...this.baseCookieOptions
       });
     };
-    this.getScopesFromCookie = (req, providerId) => {
-      return req.cookies[`${providerId}-scope`];
+    this.getGrantedScopeFromCookie = (req) => {
+      return req.cookies[`${this.options.providerId}-granted-scope`];
     };
     this.setRefreshTokenCookie = (res, refreshToken) => {
       res.cookie(`${this.options.providerId}-refresh-token`, refreshToken, {
         maxAge: THOUSAND_DAYS_MS,
-        secure: this.options.secure,
-        sameSite: "lax",
-        domain: this.options.cookieDomain,
-        path: this.options.cookiePath,
-        httpOnly: true
+        ...this.baseCookieOptions
       });
     };
     this.removeRefreshTokenCookie = (res) => {
       res.cookie(`${this.options.providerId}-refresh-token`, "", {
         maxAge: 0,
-        secure: this.options.secure,
-        sameSite: "lax",
-        domain: this.options.cookieDomain,
-        path: this.options.cookiePath,
-        httpOnly: true
+        ...this.baseCookieOptions
       });
     };
+    this.baseCookieOptions = {
+      httpOnly: true,
+      sameSite: "lax",
+      secure: this.options.secure,
+      path: this.options.cookiePath,
+      domain: this.options.cookieDomain
+    };
   }
   static fromConfig(config, handlers, options) {
     var _a;
     const { origin: appOrigin } = new url.URL(config.appUrl);
-    const authUrl = new url.URL((_a = options.callbackUrl) != null ? _a : config.baseUrl);
-    const { cookieDomain, cookiePath, secure } = getCookieConfig(authUrl, options.providerId);
+    const cookieConfigurer = (_a = config.cookieConfigurer) != null ? _a : defaultCookieConfigurer;
+    const cookieConfig = cookieConfigurer({
+      providerId: options.providerId,
+      baseUrl: config.baseUrl,
+      callbackUrl: options.callbackUrl
+    });
     return new OAuthAdapter(handlers, {
       ...options,
       appOrigin,
-      cookieDomain,
-      cookiePath,
-      secure,
+      cookieDomain: cookieConfig.domain,
+      cookiePath: cookieConfig.path,
+      secure: cookieConfig.secure,
       isOriginAllowed: config.isOriginAllowed
     });
   }
@@ -344,12 +339,12 @@ class OAuthAdapter {
     if (!env) {
       throw new errors.InputError("No env provided in request query parameters");
     }
-    if (this.options.persistScopes) {
-      this.setScopesCookie(res, scope);
-    }
     const nonce = crypto__default["default"].randomBytes(16).toString("base64");
     this.setNonceCookie(res, nonce);
     const state = { nonce, env, origin };
+    if (this.options.persistScopes) {
+      state.scope = scope;
+    }
     const forwardReq = Object.assign(req, { scope, state });
     const { url, status } = await this.handlers.start(forwardReq);
     res.statusCode = status || 302;
@@ -374,9 +369,9 @@ class OAuthAdapter {
       }
       verifyNonce(req, this.options.providerId);
       const { response, refreshToken } = await this.handlers.handler(req);
-      if (this.options.persistScopes) {
-        const grantedScopes = this.getScopesFromCookie(req, this.options.providerId);
-        response.providerInfo.scope = grantedScopes;
+      if (this.options.persistScopes && state.scope) {
+        this.setGrantedScopeCookie(res, state.scope);
+        response.providerInfo.scope = state.scope;
       }
       if (refreshToken && !this.options.disableRefresh) {
         this.setRefreshTokenCookie(res, refreshToken);
@@ -414,7 +409,10 @@ class OAuthAdapter {
       if (!refreshToken) {
         throw new errors.InputError("Missing session cookie");
       }
-      const scope = (_b = (_a = req.query.scope) == null ? void 0 : _a.toString()) != null ? _b : "";
+      let scope = (_b = (_a = req.query.scope) == null ? void 0 : _a.toString()) != null ? _b : "";
+      if (this.options.persistScopes) {
+        scope = this.getGrantedScopeFromCookie(req);
+      }
       const forwardReq = Object.assign(req, { scope, refreshToken });
       const { response, refreshToken: newRefreshToken } = await this.handlers.refresh(forwardReq);
       const backstageIdentity = await this.populateIdentity(response.backstageIdentity);
@@ -718,7 +716,8 @@ const createAtlassianProvider = (options) => {
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
     const scopes = envConfig.getString("scopes");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenManager
@@ -736,9 +735,9 @@ const createAtlassianProvider = (options) => {
       tokenIssuer
     });
     return OAuthAdapter.fromConfig(globalConfig, provider, {
-      disableRefresh: true,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
@@ -854,7 +853,8 @@ const createAuth0Provider = (options) => {
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
     const domain = envConfig.getString("domain");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenManager
@@ -877,7 +877,8 @@ const createAuth0Provider = (options) => {
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh: true,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
@@ -1128,7 +1129,8 @@ const createBitbucketProvider = (options) => {
     var _a;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenManager
@@ -1149,11 +1151,14 @@ const createBitbucketProvider = (options) => {
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh: false,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
 
+const ACCESS_TOKEN_PREFIX = "access-token.";
+const BACKSTAGE_SESSION_EXPIRATION = 3600;
 class GithubAuthProvider {
   constructor(options) {
     this.signInResolver = options.signInResolver;
@@ -1181,21 +1186,43 @@ class GithubAuthProvider {
   }
   async handler(req) {
     const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy);
+    let refreshToken = privateInfo.refreshToken;
+    if (!refreshToken && !result.params.expires_in) {
+      refreshToken = ACCESS_TOKEN_PREFIX + result.accessToken;
+    }
     return {
       response: await this.handleResult(result),
-      refreshToken: privateInfo.refreshToken
+      refreshToken
     };
   }
   async refresh(req) {
-    const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(this._strategy, req.refreshToken, req.scope);
-    const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken);
+    const { scope, refreshToken } = req;
+    if (refreshToken == null ? void 0 : refreshToken.startsWith(ACCESS_TOKEN_PREFIX)) {
+      const accessToken = refreshToken.slice(ACCESS_TOKEN_PREFIX.length);
+      const fullProfile = await executeFetchUserProfileStrategy(this._strategy, accessToken).catch((error) => {
+        var _a;
+        if (((_a = error.oauthError) == null ? void 0 : _a.statusCode) === 401) {
+          throw new Error("Invalid access token");
+        }
+        throw error;
+      });
+      return {
+        response: await this.handleResult({
+          fullProfile,
+          params: { scope },
+          accessToken
+        }),
+        refreshToken
+      };
+    }
+    const result = await executeRefreshTokenStrategy(this._strategy, refreshToken, scope);
     return {
       response: await this.handleResult({
-        fullProfile,
-        params,
-        accessToken
+        fullProfile: await executeFetchUserProfileStrategy(this._strategy, result.accessToken),
+        params: { ...result.params, scope },
+        accessToken: result.accessToken
       }),
-      refreshToken
+      refreshToken: result.refreshToken
     };
   }
   async handleResult(result) {
@@ -1206,21 +1233,28 @@ class GithubAuthProvider {
     };
     const { profile } = await this.authHandler(result, context);
     const expiresInStr = result.params.expires_in;
-    const response = {
+    let expiresInSeconds = expiresInStr === void 0 ? void 0 : Number(expiresInStr);
+    let backstageIdentity = void 0;
+    if (this.signInResolver) {
+      backstageIdentity = await this.signInResolver({
+        result,
+        profile
+      }, context);
+      if (expiresInSeconds) {
+        expiresInSeconds = Math.min(expiresInSeconds, BACKSTAGE_SESSION_EXPIRATION);
+      } else {
+        expiresInSeconds = BACKSTAGE_SESSION_EXPIRATION;
+      }
+    }
+    return {
+      backstageIdentity,
       providerInfo: {
         accessToken: result.accessToken,
         scope: result.params.scope,
-        expiresInSeconds: expiresInStr === void 0 ? void 0 : Number(expiresInStr)
+        expiresInSeconds
       },
       profile
     };
-    if (this.signInResolver) {
-      response.backstageIdentity = await this.signInResolver({
-        result,
-        profile
-      }, context);
-    }
-    return response;
   }
 }
 const githubDefaultSignInResolver = async (info, ctx) => {
@@ -1392,7 +1426,8 @@ const createGitlabProvider = (options) => {
     const clientSecret = envConfig.getString("clientSecret");
     const audience = envConfig.getOptionalString("audience");
     const baseUrl = audience || "https://gitlab.com";
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenManager
@@ -1418,7 +1453,8 @@ const createGitlabProvider = (options) => {
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh: false,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
@@ -1547,7 +1583,8 @@ const createGoogleProvider = (options) => {
     var _a, _b;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenManager
@@ -1574,7 +1611,8 @@ const createGoogleProvider = (options) => {
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh: false,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
@@ -1706,7 +1744,8 @@ const createMicrosoftProvider = (options) => {
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
     const tenantId = envConfig.getString("tenantId");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const authorizationUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/authorize`;
     const tokenUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`;
     const catalogIdentityClient = new CatalogIdentityClient({
@@ -1737,7 +1776,8 @@ const createMicrosoftProvider = (options) => {
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh: false,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
@@ -1851,7 +1891,8 @@ const createOAuth2Provider = (options) => {
     var _a, _b, _c;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const authorizationUrl = envConfig.getString("authorizationUrl");
     const tokenUrl = envConfig.getString("tokenUrl");
     const scope = envConfig.getOptionalString("scope");
@@ -1887,7 +1928,8 @@ const createOAuth2Provider = (options) => {
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
@@ -2426,7 +2468,8 @@ const createOidcProvider = (options) => {
     var _a, _b;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const metadataUrl = envConfig.getString("metadataUrl");
     const tokenSignedResponseAlg = envConfig.getOptionalString("tokenSignedResponseAlg");
     const scope = envConfig.getOptionalString("scope");
@@ -2465,7 +2508,8 @@ const createOidcProvider = (options) => {
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh: false,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
@@ -2595,7 +2639,8 @@ const createOktaProvider = (_options) => {
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
     const audience = envConfig.getString("audience");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     if (!audience.startsWith("https://")) {
       throw new Error("URL for 'audience' must start with 'https://'.");
     }
@@ -2626,7 +2671,8 @@ const createOktaProvider = (_options) => {
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh: false,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
@@ -2729,7 +2775,8 @@ const createOneLoginProvider = (options) => {
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
     const issuer = envConfig.getString("issuer");
-    const callbackUrl = `${globalConfig.baseUrl}/${providerId}/handler/frame`;
+    const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
+    const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
     const catalogIdentityClient = new CatalogIdentityClient({
       catalogApi,
       tokenManager
@@ -2752,7 +2799,8 @@ const createOneLoginProvider = (options) => {
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       disableRefresh: false,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
@@ -3025,7 +3073,11 @@ async function createRouter(options) {
       try {
         const provider = providerFactory({
           providerId,
-          globalConfig: { baseUrl: authUrl, appUrl, isOriginAllowed },
+          globalConfig: {
+            baseUrl: authUrl,
+            appUrl,
+            isOriginAllowed
+          },
           config: providersConfig.getConfig(providerId),
           logger,
           tokenManager,