npm - @backstage/plugin-auth-backend - Versions diffs - 0.15.0-next.3 → 0.15.0 - Mend

@backstage/plugin-auth-backend 0.15.0-next.3 → 0.15.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,37 @@
 # @backstage/plugin-auth-backend
+## 0.15.0
+### Minor Changes
+- 9d4040777e: **BREAKING**: Removed all directly exported auth provider factories, option types, and sign-in resolvers. For example: `AwsAlbProviderOptions`, `bitbucketUserIdSignInResolver`, `createGithubProvider`. These are all still accessible via the `providers` export. For example, use `providers.github.create()` rather than `createGithubProvider()`, and `providers.bitbucket.resolvers.userIdMatchingUserEntityAnnotation()` rather than `bitbucketUserIdSignInResolver`.
+  **BREAKING**: Removed the exported `AuthProviderFactoryOptions` type as well as the deprecated option fields of the `AuthProviderFactory` callback. This includes the `tokenManager`, `tokenIssuer`, `discovery`, and `catalogApi` fields. Existing usage of these should be replaced with the new utilities in the `resolverContext` field. The deprecated `TokenIssuer` type is now also removed, since it is no longer used.
+  **BREAKING**: Removed `getEntityClaims`, use `getDefaultOwnershipEntityRefs` instead.
+  **DEPRECATION**: Deprecated `AtlassianAuthProvider` as it was unintentionally exported.
+- fe8e025af5: Allowed post method on /refresh path
+### Patch Changes
+- 3cedfd8365: add Cloudflare Access auth provider to auth-backend
+- f2cf79d62e: Added an option for the auth backend router to select the algorithm for the JWT token signing keys
+- 8e03db907a: Auth provider now also export createAuthProviderIntegration
+- a70869e775: Updated dependency `msw` to `^0.43.0`.
+- 4e9a90e307: Updated dependency `luxon` to `^3.0.0`.
+- 8006d0f9bf: Updated dependency `msw` to `^0.44.0`.
+- 679b32172e: Updated dependency `knex` to `^2.0.0`.
+- 859346bfbb: Updated dependency `google-auth-library` to `^8.0.0`.
+- 3a014730dc: Add new config option for okta auth server and IDP
+- Updated dependencies
+  - @backstage/backend-common@0.14.1
+  - @backstage/catalog-model@1.1.0
+  - @backstage/catalog-client@1.0.4
+  - @backstage/plugin-auth-node@0.2.3
+  - @backstage/errors@1.1.0
 ## 0.15.0-next.3
 ### Minor Changes

package/config.d.ts CHANGED Viewed

@@ -116,6 +116,9 @@ export interface Config {
         issuer?: string;
         region: string;
       };
+      cfaccess?: {
+        teamName: string;
+      };
     };
   };
 }

package/dist/index.cjs.js CHANGED Viewed

@@ -995,6 +995,143 @@ const bitbucket = createAuthProviderIntegration({
   }
 });
+const commonByEmailLocalPartResolver = async (info, ctx) => {
+  const { profile } = info;
+  if (!profile.email) {
+    throw new Error("Login failed, user profile does not contain an email");
+  }
+  const [localPart] = profile.email.split("@");
+  return ctx.signInWithCatalogUser({
+    entityRef: { name: localPart }
+  });
+};
+const commonByEmailResolver = async (info, ctx) => {
+  const { profile } = info;
+  if (!profile.email) {
+    throw new Error("Login failed, user profile does not contain an email");
+  }
+  return ctx.signInWithCatalogUser({
+    filter: {
+      "spec.profile.email": profile.email
+    }
+  });
+};
+const CF_JWT_HEADER = "cf-access-jwt-assertion";
+const COOKIE_AUTH_NAME = "CF_Authorization";
+const CACHE_PREFIX = "providers/cloudflare-access/profile-v1";
+class CloudflareAccessAuthProvider {
+  constructor(options) {
+    this.teamName = options.teamName;
+    this.authHandler = options.authHandler;
+    this.signInResolver = options.signInResolver;
+    this.resolverContext = options.resolverContext;
+    this.jwtKeySet = jose.createRemoteJWKSet(new URL(`https://${this.teamName}.cloudflareaccess.com/cdn-cgi/access/certs`));
+    this.cache = options.cache;
+  }
+  frameHandler() {
+    return Promise.resolve();
+  }
+  async refresh(req, res) {
+    const result = await this.getResult(req);
+    const response = await this.handleResult(result);
+    res.json(response);
+  }
+  start() {
+    return Promise.resolve();
+  }
+  async getIdentityProfile(jwt) {
+    const headers = new fetch.Headers();
+    headers.set(CF_JWT_HEADER, jwt);
+    headers.set("cookie", `${COOKIE_AUTH_NAME}=${jwt}`);
+    try {
+      const res = await fetch__default["default"](`https://${this.teamName}.cloudflareaccess.com/cdn-cgi/access/get-identity`, { headers });
+      if (!res.ok) {
+        throw errors.ResponseError.fromResponse(res);
+      }
+      const cfIdentity = await res.json();
+      return cfIdentity;
+    } catch (err) {
+      throw new errors.ForwardedError("getIdentityProfile failed", err);
+    }
+  }
+  async getResult(req) {
+    var _a, _b;
+    let jwt = req.header(CF_JWT_HEADER);
+    if (!jwt) {
+      jwt = req.cookies.CF_Authorization;
+    }
+    if (!jwt) {
+      throw new errors.AuthenticationError(`Missing ${CF_JWT_HEADER} from Cloudflare Access`);
+    }
+    const verifyResult = await jose.jwtVerify(jwt, this.jwtKeySet, {
+      issuer: `https://${this.teamName}.cloudflareaccess.com`
+    });
+    const sub = verifyResult.payload.sub;
+    const cfAccessResultStr = await ((_a = this.cache) == null ? void 0 : _a.get(`${CACHE_PREFIX}/${sub}`));
+    if (typeof cfAccessResultStr === "string") {
+      return JSON.parse(cfAccessResultStr);
+    }
+    const claims = verifyResult.payload;
+    try {
+      const cfIdentity = await this.getIdentityProfile(jwt);
+      const cfAccessResult = {
+        claims,
+        cfIdentity,
+        expiresInSeconds: claims.exp - claims.iat
+      };
+      (_b = this.cache) == null ? void 0 : _b.set(`${CACHE_PREFIX}/${sub}`, JSON.stringify(cfAccessResult));
+      return cfAccessResult;
+    } catch (err) {
+      throw new errors.ForwardedError("Failed to populate access identity information", err);
+    }
+  }
+  async handleResult(result) {
+    const { profile } = await this.authHandler(result, this.resolverContext);
+    const backstageIdentity = await this.signInResolver({
+      result,
+      profile
+    }, this.resolverContext);
+    return {
+      providerInfo: {
+        expiresInSeconds: result.expiresInSeconds,
+        claims: result.claims,
+        cfAccessIdentityProfile: result.cfIdentity
+      },
+      backstageIdentity: prepareBackstageIdentityResponse(backstageIdentity),
+      profile
+    };
+  }
+}
+const cfAccess = createAuthProviderIntegration({
+  create(options) {
+    return ({ config, resolverContext }) => {
+      const teamName = config.getString("teamName");
+      if (!options.signIn.resolver) {
+        throw new Error("SignInResolver is required to use this authentication provider");
+      }
+      const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ claims, cfIdentity }) => {
+        return {
+          profile: {
+            email: claims.email,
+            displayName: cfIdentity.name
+          }
+        };
+      };
+      return new CloudflareAccessAuthProvider({
+        teamName,
+        signInResolver: options == null ? void 0 : options.signIn.resolver,
+        authHandler,
+        resolverContext,
+        ...options.cache && { cache: options.cache }
+      });
+    };
+  },
+  resolvers: {
+    emailMatchingUserEntityProfileEmail: () => commonByEmailResolver
+  }
+});
 const IAP_JWT_HEADER = "x-goog-iap-jwt-assertion";
 function createTokenValidator(audience, mockClient) {
@@ -1314,28 +1451,6 @@ const gitlab = createAuthProviderIntegration({
   }
 });
-const commonByEmailLocalPartResolver = async (info, ctx) => {
-  const { profile } = info;
-  if (!profile.email) {
-    throw new Error("Login failed, user profile does not contain an email");
-  }
-  const [localPart] = profile.email.split("@");
-  return ctx.signInWithCatalogUser({
-    entityRef: { name: localPart }
-  });
-};
-const commonByEmailResolver = async (info, ctx) => {
-  const { profile } = info;
-  if (!profile.email) {
-    throw new Error("Login failed, user profile does not contain an email");
-  }
-  return ctx.signInWithCatalogUser({
-    filter: {
-      "spec.profile.email": profile.email
-    }
-  });
-};
 class GoogleAuthProvider {
   constructor(options) {
     this.authHandler = options.authHandler;
@@ -2221,6 +2336,7 @@ const providers = Object.freeze({
   auth0,
   awsAlb,
   bitbucket,
+  cfAccess,
   gcpIap,
   github,
   gitlab,