@backstage/plugin-auth-backend 0.13.1-next.0 → 0.14.0

package/dist/index.d.ts

@@ -7,6 +7,7 @@ import { Config } from '@backstage/config';
 import { BackstageSignInResult, BackstageIdentityResponse } from '@backstage/plugin-auth-node';
 import { Profile } from 'passport';
 import { UserEntity, Entity } from '@backstage/catalog-model';
+import { IncomingHttpHeaders } from 'http';
 import { TokenSet, UserinfoResponse } from 'openid-client';
 import { JsonValue } from '@backstage/types';
 
@@ -472,7 +473,6 @@ declare class OAuthEnvironmentHandler implements AuthProviderRouteHandlers {
 declare type Options = {
     providerId: string;
     secure: boolean;
-    disableRefresh?: boolean;
     persistScopes?: boolean;
     cookieDomain: string;
     cookiePath: string;
@@ -485,7 +485,7 @@ declare type Options = {
 declare class OAuthAdapter implements AuthProviderRouteHandlers {
     private readonly handlers;
     private readonly options;
-    static fromConfig(config: AuthProviderConfig, handlers: OAuthHandlers, options: Pick<Options, 'providerId' | 'persistScopes' | 'disableRefresh' | 'tokenIssuer' | 'callbackUrl'>): OAuthAdapter;
+    static fromConfig(config: AuthProviderConfig, handlers: OAuthHandlers, options: Pick<Options, 'providerId' | 'persistScopes' | 'tokenIssuer' | 'callbackUrl'>): OAuthAdapter;
     private readonly baseCookieOptions;
     constructor(handlers: OAuthHandlers, options: Options);
     start(req: express.Request, res: express.Response): Promise<void>;
@@ -973,15 +973,38 @@ declare const createOAuth2Provider: (options?: {
  *
  * @public
  */
-declare type OAuth2ProxyResult<JWTPayload> = {
+declare type OAuth2ProxyResult<JWTPayload = {}> = {
     /**
-     * Parsed and decoded JWT payload.
+     * The parsed payload of the `accessToken`. The token is only parsed, not verified.
+     *
+     * @deprecated Access through the `headers` instead. This will be removed in a future release.
      */
     fullProfile: JWTPayload;
     /**
-     * Raw JWT token
+     * The token received via the X-OAUTH2-PROXY-ID-TOKEN header. Will be an empty string
+     * if the header is not set. Note the this is typically an OpenID Connect token.
+     *
+     * @deprecated Access through the `headers` instead. This will be removed in a future release.
      */
     accessToken: string;
+    /**
+     * The headers of the incoming request from the OAuth2 proxy. This will include
+     * both the headers set by the client as well as the ones added by the OAuth2 proxy.
+     * You should only trust the headers that are injected by the OAuth2 proxy.
+     *
+     * Useful headers to use to complete the sign-in are for example `x-forwarded-user`
+     * and `x-forwarded-email`. See the OAuth2 proxy documentation for more information
+     * about the available headers and how to enable them. In particular it is possible
+     * to forward access and identity tokens, which can be user for additional verification
+     * and lookups.
+     */
+    headers: IncomingHttpHeaders;
+    /**
+     * Provides convenient access to the request headers.
+     *
+     * This call is simply forwarded to `req.get(name)`.
+     */
+    getHeader(name: string): string | undefined;
 };
 /**
  * @public
@@ -1009,8 +1032,12 @@ declare type Oauth2ProxyProviderOptions<JWTPayload> = {
 declare const createOauth2ProxyProvider: (options: {
     /**
      * Configure an auth handler to generate a profile for the user.
+     *
+     * The default implementation uses the value of the `X-Forwarded-Preferred-Username`
+     * header as the display name, falling back to `X-Forwarded-User`, and the value of
+     * the `X-Forwarded-Email` header as the email address.
      */
-    authHandler: AuthHandler<OAuth2ProxyResult<unknown>>;
+    authHandler?: AuthHandler<OAuth2ProxyResult<unknown>> | undefined;
     /**
      * Configure sign-in for this provider, without it the provider can not be used to sign users in.
      */
@@ -1377,7 +1404,7 @@ declare const providers: Readonly<{
     }>;
     oauth2Proxy: Readonly<{
         create: (options: {
-            authHandler: AuthHandler<OAuth2ProxyResult<unknown>>;
+            authHandler?: AuthHandler<OAuth2ProxyResult<unknown>> | undefined;
             signIn: {
                 resolver: SignInResolver<OAuth2ProxyResult<unknown>>;
             };

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@backstage/plugin-auth-backend",
   "description": "A Backstage backend plugin that handles authentication",
-  "version": "0.13.1-next.0",
+  "version": "0.14.0",
   "main": "dist/index.cjs.js",
   "types": "dist/index.d.ts",
   "license": "Apache-2.0",
@@ -33,12 +33,12 @@
     "clean": "backstage-cli package clean"
   },
   "dependencies": {
-    "@backstage/backend-common": "^0.13.3-next.0",
-    "@backstage/catalog-client": "^1.0.1",
-    "@backstage/catalog-model": "^1.0.1",
-    "@backstage/config": "^1.0.0",
+    "@backstage/backend-common": "^0.13.3",
+    "@backstage/catalog-client": "^1.0.2",
+    "@backstage/catalog-model": "^1.0.2",
+    "@backstage/config": "^1.0.1",
     "@backstage/errors": "^1.0.0",
-    "@backstage/plugin-auth-node": "^0.2.1-next.0",
+    "@backstage/plugin-auth-node": "^0.2.1",
     "@backstage/types": "^1.0.0",
     "@google-cloud/firestore": "^5.0.2",
     "@types/express": "^4.17.6",
@@ -76,8 +76,8 @@
     "yn": "^4.0.0"
   },
   "devDependencies": {
-    "@backstage/backend-test-utils": "^0.1.24-next.0",
-    "@backstage/cli": "^0.17.1-next.0",
+    "@backstage/backend-test-utils": "^0.1.24",
+    "@backstage/cli": "^0.17.1",
     "@types/body-parser": "^1.19.0",
     "@types/cookie-parser": "^1.4.2",
     "@types/express-session": "^1.17.2",
@@ -97,5 +97,5 @@
     "config.d.ts"
   ],
   "configSchema": "config.d.ts",
-  "gitHead": "88ee375f5ee44b7a7917297785ddf88691fe3381"
+  "gitHead": "96323f280ba32ee526c5b151cda42260aee927c9"
 }