@backstage/plugin-auth-backend 0.16.0-next.3 → 0.17.0-next.0

package/CHANGELOG.md

@@ -1,5 +1,54 @@
 # @backstage/plugin-auth-backend
 
+## 0.17.0-next.0
+
+### Minor Changes
+
+- 5fa831ce55: CookieConfigurer can optionally return the `SameSite` cookie attribute.
+  CookieConfigurer now requires an additional argument `appOrigin` - the origin URL of the app - which is used to calculate the `SameSite` attribute.
+  defaultCookieConfigurer returns the `SameSite` attribute which defaults to `Lax`. In cases where an auth-backend is running on a different domain than the App, `SameSite=None` is used - but only for secure contexts. This is so that cookies can be included in third-party requests.
+
+  OAuthAdapterOptions has been modified to require additional arguments, `baseUrl`, and `cookieConfigurer`.
+  OAuthAdapter now resolves cookie configuration using its supplied CookieConfigurer for each request to make sure that the proper attributes always are set.
+
+### Patch Changes
+
+- 8c6ec175bf: Fix GitLab provider setup so that it supports GitLab installations with a path in the URL.
+- Updated dependencies
+  - @backstage/catalog-model@1.1.2-next.0
+  - @backstage/catalog-client@1.1.1-next.0
+  - @backstage/backend-common@0.15.2-next.0
+  - @backstage/plugin-auth-node@0.2.6-next.0
+  - @backstage/config@1.0.3-next.0
+  - @backstage/errors@1.1.2-next.0
+  - @backstage/types@1.0.0
+
+## 0.16.0
+
+### Minor Changes
+
+- 2fc41ebf07: Removed the previously deprecated class `AtlassianAuthProvider`. Please use `providers.atlassian.create(...)` instead.
+- a291688bc5: Renamed the `RedirectInfo` type to `OAuthStartResponse`
+- 8600855fbf: The auth0 integration is updated to use the `passport-auth0` library. The configuration under `auth.providers.auth0.\*` now supports an optional `audience` parameter; providing that allows you to connect to the correct API to get permissions, access tokens, and full profile information.
+
+  [What is an Audience](https://community.auth0.com/t/what-is-the-audience/71414)
+
+### Patch Changes
+
+- 5b011fb2e6: Allow adding misc claims to JWT
+- d669d89206: Minor API signatures cleanup
+- 667d917488: Updated dependency `msw` to `^0.47.0`.
+- 87ec2ba4d6: Updated dependency `msw` to `^0.46.0`.
+- bf5e9030eb: Updated dependency `msw` to `^0.45.0`.
+- e1ebaeb332: Cloudflare Access Provider: Add JWT to CloudflareAccessResult
+- Updated dependencies
+  - @backstage/backend-common@0.15.1
+  - @backstage/plugin-auth-node@0.2.5
+  - @backstage/catalog-client@1.1.0
+  - @backstage/catalog-model@1.1.1
+  - @backstage/config@1.0.2
+  - @backstage/errors@1.1.1
+
 ## 0.16.0-next.3
 
 ### Minor Changes

package/dist/index.cjs.js

@@ -165,12 +165,17 @@ const verifyNonce = (req, providerId) => {
 };
 const defaultCookieConfigurer = ({
   callbackUrl,
-  providerId
+  providerId,
+  appOrigin
 }) => {
   const { hostname: domain, pathname, protocol } = new URL(callbackUrl);
   const secure = protocol === "https:";
+  let sameSite = "lax";
+  if (new URL(appOrigin).hostname !== domain && secure) {
+    sameSite = "none";
+  }
   const path = pathname.endsWith(`${providerId}/handler/frame`) ? pathname.slice(0, -"/handler/frame".length) : `${pathname}/${providerId}`;
-  return { domain, path, secure };
+  return { domain, path, secure, sameSite };
 };
 
 class OAuthEnvironmentHandler {
@@ -286,58 +291,62 @@ class OAuthAdapter {
   constructor(handlers, options) {
     this.handlers = handlers;
     this.options = options;
-    this.setNonceCookie = (res, nonce) => {
+    this.setNonceCookie = (res, nonce, cookieConfig) => {
       res.cookie(`${this.options.providerId}-nonce`, nonce, {
         maxAge: TEN_MINUTES_MS,
         ...this.baseCookieOptions,
-        path: `${this.options.cookiePath}/handler`
+        ...cookieConfig,
+        path: `${cookieConfig.path}/handler`
       });
     };
-    this.setGrantedScopeCookie = (res, scope) => {
+    this.setGrantedScopeCookie = (res, scope, cookieConfig) => {
       res.cookie(`${this.options.providerId}-granted-scope`, scope, {
         maxAge: THOUSAND_DAYS_MS,
-        ...this.baseCookieOptions
+        ...this.baseCookieOptions,
+        ...cookieConfig
       });
     };
     this.getGrantedScopeFromCookie = (req) => {
       return req.cookies[`${this.options.providerId}-granted-scope`];
     };
-    this.setRefreshTokenCookie = (res, refreshToken) => {
+    this.setRefreshTokenCookie = (res, refreshToken, cookieConfig) => {
       res.cookie(`${this.options.providerId}-refresh-token`, refreshToken, {
         maxAge: THOUSAND_DAYS_MS,
-        ...this.baseCookieOptions
+        ...this.baseCookieOptions,
+        ...cookieConfig
       });
     };
-    this.removeRefreshTokenCookie = (res) => {
+    this.removeRefreshTokenCookie = (res, cookieConfig) => {
       res.cookie(`${this.options.providerId}-refresh-token`, "", {
         maxAge: 0,
-        ...this.baseCookieOptions
+        ...this.baseCookieOptions,
+        ...cookieConfig
+      });
+    };
+    this.getCookieConfig = (origin) => {
+      return this.options.cookieConfigurer({
+        providerId: this.options.providerId,
+        baseUrl: this.options.baseUrl,
+        callbackUrl: this.options.callbackUrl,
+        appOrigin: origin != null ? origin : this.options.appOrigin
       });
     };
     this.baseCookieOptions = {
       httpOnly: true,
-      sameSite: "lax",
-      secure: this.options.secure,
-      path: this.options.cookiePath,
-      domain: this.options.cookieDomain
+      sameSite: "lax"
     };
   }
   static fromConfig(config, handlers, options) {
     var _a;
-    const { origin: appOrigin } = new url.URL(config.appUrl);
+    const { appUrl, baseUrl, isOriginAllowed } = config;
+    const { origin: appOrigin } = new url.URL(appUrl);
     const cookieConfigurer = (_a = config.cookieConfigurer) != null ? _a : defaultCookieConfigurer;
-    const cookieConfig = cookieConfigurer({
-      providerId: options.providerId,
-      baseUrl: config.baseUrl,
-      callbackUrl: options.callbackUrl
-    });
     return new OAuthAdapter(handlers, {
       ...options,
       appOrigin,
-      cookieDomain: cookieConfig.domain,
-      cookiePath: cookieConfig.path,
-      secure: cookieConfig.secure,
-      isOriginAllowed: config.isOriginAllowed
+      baseUrl,
+      cookieConfigurer,
+      isOriginAllowed
     });
   }
   async start(req, res) {
@@ -348,8 +357,9 @@ class OAuthAdapter {
     if (!env) {
       throw new errors.InputError("No env provided in request query parameters");
     }
+    const cookieConfig = this.getCookieConfig(origin);
     const nonce = crypto__default["default"].randomBytes(16).toString("base64");
-    this.setNonceCookie(res, nonce);
+    this.setNonceCookie(res, nonce, cookieConfig);
     const state = { nonce, env, origin };
     if (this.options.persistScopes) {
       state.scope = scope;
@@ -380,12 +390,13 @@ class OAuthAdapter {
       }
       verifyNonce(req, this.options.providerId);
       const { response, refreshToken } = await this.handlers.handler(req);
+      const cookieConfig = this.getCookieConfig(appOrigin);
       if (this.options.persistScopes && state.scope) {
-        this.setGrantedScopeCookie(res, state.scope);
+        this.setGrantedScopeCookie(res, state.scope, cookieConfig);
         response.providerInfo.scope = state.scope;
       }
       if (refreshToken) {
-        this.setRefreshTokenCookie(res, refreshToken);
+        this.setRefreshTokenCookie(res, refreshToken, cookieConfig);
       }
       const identity = await this.populateIdentity(response.backstageIdentity);
       return postMessageResponse(res, appOrigin, {
@@ -404,7 +415,9 @@ class OAuthAdapter {
     if (!ensuresXRequestedWith(req)) {
       throw new errors.AuthenticationError("Invalid X-Requested-With header");
     }
-    this.removeRefreshTokenCookie(res);
+    const origin = req.get("origin");
+    const cookieConfig = this.getCookieConfig(origin);
+    this.removeRefreshTokenCookie(res, cookieConfig);
     res.status(200).end();
   }
   async refresh(req, res) {
@@ -432,7 +445,9 @@ class OAuthAdapter {
         response.backstageIdentity
       );
       if (newRefreshToken && newRefreshToken !== refreshToken) {
-        this.setRefreshTokenCookie(res, newRefreshToken);
+        const origin = req.get("origin");
+        const cookieConfig = this.getCookieConfig(origin);
+        this.setRefreshTokenCookie(res, newRefreshToken, cookieConfig);
       }
       res.status(200).json({ ...response, backstageIdentity });
     } catch (error) {
@@ -1555,7 +1570,10 @@ class GitlabAuthProvider {
         clientID: options.clientId,
         clientSecret: options.clientSecret,
         callbackURL: options.callbackUrl,
-        baseURL: options.baseUrl
+        baseURL: options.baseUrl,
+        authorizationURL: `${options.baseUrl}/oauth/authorize`,
+        tokenURL: `${options.baseUrl}/oauth/token`,
+        profileURL: `${options.baseUrl}/api/v4/user`
       },
       (accessToken, refreshToken, params, fullProfile, done) => {
         done(
@@ -2724,8 +2742,7 @@ class TokenFactory {
   async issueToken(params) {
     const key = await this.getKey();
     const iss = this.issuer;
-    const sub = params.claims.sub;
-    const ent = params.claims.ent;
+    const { sub, ent, ...additionalClaims } = params.claims;
     const aud = "backstage";
     const iat = Math.floor(Date.now() / MS_IN_S);
     const exp = iat + this.keyDurationSeconds;
@@ -2740,7 +2757,7 @@ class TokenFactory {
     if (!key.alg) {
       throw new errors.AuthenticationError("No algorithm was provided in the key");
     }
-    return new jose.SignJWT({ iss, sub, ent, aud, iat, exp }).setProtectedHeader({ alg: key.alg, kid: key.kid }).setIssuer(iss).setAudience(aud).setSubject(sub).setIssuedAt(iat).setExpirationTime(exp).sign(await jose.importJWK(key));
+    return new jose.SignJWT({ ...additionalClaims, iss, sub, ent, aud, iat, exp }).setProtectedHeader({ alg: key.alg, kid: key.kid }).setIssuer(iss).setAudience(aud).setSubject(sub).setIssuedAt(iat).setExpirationTime(exp).sign(await jose.importJWK(key));
   }
   async listPublicKeys() {
     const { items: keys } = await this.keyStore.listKeys();