@backstage/plugin-auth-backend 0.16.0 → 0.17.0-next.1

package/CHANGELOG.md

@@ -1,5 +1,46 @@
 # @backstage/plugin-auth-backend
 
+## 0.17.0-next.1
+
+### Minor Changes
+
+- e2dc42e9f0: Google OAuth refresh tokens will now be revoked on logout by calling Google's API
+
+### Patch Changes
+
+- b5c126010c: Auth0 provider now supports optional `connection` and `connectionScope` parameters to configure social identity providers.
+- Updated dependencies
+  - @backstage/catalog-client@1.1.1-next.1
+  - @backstage/backend-common@0.15.2-next.1
+  - @backstage/catalog-model@1.1.2-next.1
+  - @backstage/config@1.0.3-next.1
+  - @backstage/errors@1.1.2-next.1
+  - @backstage/types@1.0.0
+  - @backstage/plugin-auth-node@0.2.6-next.1
+
+## 0.17.0-next.0
+
+### Minor Changes
+
+- 5fa831ce55: CookieConfigurer can optionally return the `SameSite` cookie attribute.
+  CookieConfigurer now requires an additional argument `appOrigin` - the origin URL of the app - which is used to calculate the `SameSite` attribute.
+  defaultCookieConfigurer returns the `SameSite` attribute which defaults to `Lax`. In cases where an auth-backend is running on a different domain than the App, `SameSite=None` is used - but only for secure contexts. This is so that cookies can be included in third-party requests.
+
+  OAuthAdapterOptions has been modified to require additional arguments, `baseUrl`, and `cookieConfigurer`.
+  OAuthAdapter now resolves cookie configuration using its supplied CookieConfigurer for each request to make sure that the proper attributes always are set.
+
+### Patch Changes
+
+- 8c6ec175bf: Fix GitLab provider setup so that it supports GitLab installations with a path in the URL.
+- Updated dependencies
+  - @backstage/catalog-model@1.1.2-next.0
+  - @backstage/catalog-client@1.1.1-next.0
+  - @backstage/backend-common@0.15.2-next.0
+  - @backstage/plugin-auth-node@0.2.6-next.0
+  - @backstage/config@1.0.3-next.0
+  - @backstage/errors@1.1.2-next.0
+  - @backstage/types@1.0.0
+
 ## 0.16.0
 
 ### Minor Changes

package/dist/index.cjs.js

@@ -165,12 +165,17 @@ const verifyNonce = (req, providerId) => {
 };
 const defaultCookieConfigurer = ({
   callbackUrl,
-  providerId
+  providerId,
+  appOrigin
 }) => {
   const { hostname: domain, pathname, protocol } = new URL(callbackUrl);
   const secure = protocol === "https:";
+  let sameSite = "lax";
+  if (new URL(appOrigin).hostname !== domain && secure) {
+    sameSite = "none";
+  }
   const path = pathname.endsWith(`${providerId}/handler/frame`) ? pathname.slice(0, -"/handler/frame".length) : `${pathname}/${providerId}`;
-  return { domain, path, secure };
+  return { domain, path, secure, sameSite };
 };
 
 class OAuthEnvironmentHandler {
@@ -286,58 +291,65 @@ class OAuthAdapter {
   constructor(handlers, options) {
     this.handlers = handlers;
     this.options = options;
-    this.setNonceCookie = (res, nonce) => {
+    this.setNonceCookie = (res, nonce, cookieConfig) => {
       res.cookie(`${this.options.providerId}-nonce`, nonce, {
         maxAge: TEN_MINUTES_MS,
         ...this.baseCookieOptions,
-        path: `${this.options.cookiePath}/handler`
+        ...cookieConfig,
+        path: `${cookieConfig.path}/handler`
       });
     };
-    this.setGrantedScopeCookie = (res, scope) => {
+    this.setGrantedScopeCookie = (res, scope, cookieConfig) => {
       res.cookie(`${this.options.providerId}-granted-scope`, scope, {
         maxAge: THOUSAND_DAYS_MS,
-        ...this.baseCookieOptions
+        ...this.baseCookieOptions,
+        ...cookieConfig
       });
     };
+    this.getRefreshTokenFromCookie = (req) => {
+      return req.cookies[`${this.options.providerId}-refresh-token`];
+    };
     this.getGrantedScopeFromCookie = (req) => {
       return req.cookies[`${this.options.providerId}-granted-scope`];
     };
-    this.setRefreshTokenCookie = (res, refreshToken) => {
+    this.setRefreshTokenCookie = (res, refreshToken, cookieConfig) => {
       res.cookie(`${this.options.providerId}-refresh-token`, refreshToken, {
         maxAge: THOUSAND_DAYS_MS,
-        ...this.baseCookieOptions
+        ...this.baseCookieOptions,
+        ...cookieConfig
       });
     };
-    this.removeRefreshTokenCookie = (res) => {
+    this.removeRefreshTokenCookie = (res, cookieConfig) => {
       res.cookie(`${this.options.providerId}-refresh-token`, "", {
         maxAge: 0,
-        ...this.baseCookieOptions
+        ...this.baseCookieOptions,
+        ...cookieConfig
+      });
+    };
+    this.getCookieConfig = (origin) => {
+      return this.options.cookieConfigurer({
+        providerId: this.options.providerId,
+        baseUrl: this.options.baseUrl,
+        callbackUrl: this.options.callbackUrl,
+        appOrigin: origin != null ? origin : this.options.appOrigin
       });
     };
     this.baseCookieOptions = {
       httpOnly: true,
-      sameSite: "lax",
-      secure: this.options.secure,
-      path: this.options.cookiePath,
-      domain: this.options.cookieDomain
+      sameSite: "lax"
     };
   }
   static fromConfig(config, handlers, options) {
     var _a;
-    const { origin: appOrigin } = new url.URL(config.appUrl);
+    const { appUrl, baseUrl, isOriginAllowed } = config;
+    const { origin: appOrigin } = new url.URL(appUrl);
     const cookieConfigurer = (_a = config.cookieConfigurer) != null ? _a : defaultCookieConfigurer;
-    const cookieConfig = cookieConfigurer({
-      providerId: options.providerId,
-      baseUrl: config.baseUrl,
-      callbackUrl: options.callbackUrl
-    });
     return new OAuthAdapter(handlers, {
       ...options,
       appOrigin,
-      cookieDomain: cookieConfig.domain,
-      cookiePath: cookieConfig.path,
-      secure: cookieConfig.secure,
-      isOriginAllowed: config.isOriginAllowed
+      baseUrl,
+      cookieConfigurer,
+      isOriginAllowed
     });
   }
   async start(req, res) {
@@ -348,8 +360,9 @@ class OAuthAdapter {
     if (!env) {
       throw new errors.InputError("No env provided in request query parameters");
     }
+    const cookieConfig = this.getCookieConfig(origin);
     const nonce = crypto__default["default"].randomBytes(16).toString("base64");
-    this.setNonceCookie(res, nonce);
+    this.setNonceCookie(res, nonce, cookieConfig);
     const state = { nonce, env, origin };
     if (this.options.persistScopes) {
       state.scope = scope;
@@ -380,12 +393,13 @@ class OAuthAdapter {
       }
       verifyNonce(req, this.options.providerId);
       const { response, refreshToken } = await this.handlers.handler(req);
+      const cookieConfig = this.getCookieConfig(appOrigin);
       if (this.options.persistScopes && state.scope) {
-        this.setGrantedScopeCookie(res, state.scope);
+        this.setGrantedScopeCookie(res, state.scope, cookieConfig);
         response.providerInfo.scope = state.scope;
       }
       if (refreshToken) {
-        this.setRefreshTokenCookie(res, refreshToken);
+        this.setRefreshTokenCookie(res, refreshToken, cookieConfig);
       }
       const identity = await this.populateIdentity(response.backstageIdentity);
       return postMessageResponse(res, appOrigin, {
@@ -404,7 +418,16 @@ class OAuthAdapter {
     if (!ensuresXRequestedWith(req)) {
       throw new errors.AuthenticationError("Invalid X-Requested-With header");
     }
-    this.removeRefreshTokenCookie(res);
+    if (this.handlers.logout) {
+      const refreshToken = this.getRefreshTokenFromCookie(req);
+      const revokeRequest = Object.assign(req, {
+        refreshToken
+      });
+      await this.handlers.logout(revokeRequest);
+    }
+    const origin = req.get("origin");
+    const cookieConfig = this.getCookieConfig(origin);
+    this.removeRefreshTokenCookie(res, cookieConfig);
     res.status(200).end();
   }
   async refresh(req, res) {
@@ -418,7 +441,7 @@ class OAuthAdapter {
       );
     }
     try {
-      const refreshToken = req.cookies[`${this.options.providerId}-refresh-token`];
+      const refreshToken = this.getRefreshTokenFromCookie(req);
       if (!refreshToken) {
         throw new errors.InputError("Missing session cookie");
       }
@@ -432,7 +455,9 @@ class OAuthAdapter {
         response.backstageIdentity
       );
       if (newRefreshToken && newRefreshToken !== refreshToken) {
-        this.setRefreshTokenCookie(res, newRefreshToken);
+        const origin = req.get("origin");
+        const cookieConfig = this.getCookieConfig(origin);
+        this.setRefreshTokenCookie(res, newRefreshToken, cookieConfig);
       }
       res.status(200).json({ ...response, backstageIdentity });
     } catch (error) {
@@ -730,6 +755,8 @@ class Auth0AuthProvider {
     this.authHandler = options.authHandler;
     this.resolverContext = options.resolverContext;
     this.audience = options.audience;
+    this.connection = options.connection;
+    this.connectionScope = options.connectionScope;
     this._strategy = new Auth0Strategy(
       {
         clientID: options.clientId,
@@ -761,12 +788,16 @@ class Auth0AuthProvider {
       prompt: "consent",
       scope: req.scope,
       state: encodeState(req.state),
-      ...this.audience ? { audience: this.audience } : {}
+      ...this.audience ? { audience: this.audience } : {},
+      ...this.connection ? { connection: this.connection } : {},
+      ...this.connectionScope ? { connection_scope: this.connectionScope } : {}
     });
   }
   async handler(req) {
     const { result, privateInfo } = await executeFrameHandlerStrategy(req, this._strategy, {
-      ...this.audience ? { audience: this.audience } : {}
+      ...this.audience ? { audience: this.audience } : {},
+      ...this.connection ? { connection: this.connection } : {},
+      ...this.connectionScope ? { connection_scope: this.connectionScope } : {}
     });
     return {
       response: await this.handleResult(result),
@@ -824,6 +855,8 @@ const auth0 = createAuthProviderIntegration({
       const domain = envConfig.getString("domain");
       const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
       const audience = envConfig.getOptionalString("audience");
+      const connection = envConfig.getOptionalString("connection");
+      const connectionScope = envConfig.getOptionalString("connectionScope");
       const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
       const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile, params }) => ({
         profile: makeProfileInfo(fullProfile, params.id_token)
@@ -837,7 +870,9 @@ const auth0 = createAuthProviderIntegration({
         authHandler,
         signInResolver,
         resolverContext,
-        audience
+        audience,
+        connection,
+        connectionScope
       });
       return OAuthAdapter.fromConfig(globalConfig, provider, {
         providerId,
@@ -1555,7 +1590,10 @@ class GitlabAuthProvider {
         clientID: options.clientId,
         clientSecret: options.clientSecret,
         callbackURL: options.callbackUrl,
-        baseURL: options.baseUrl
+        baseURL: options.baseUrl,
+        authorizationURL: `${options.baseUrl}/oauth/authorize`,
+        tokenURL: `${options.baseUrl}/oauth/token`,
+        profileURL: `${options.baseUrl}/api/v4/user`
       },
       (accessToken, refreshToken, params, fullProfile, done) => {
         done(
@@ -1694,6 +1732,10 @@ class GoogleAuthProvider {
       refreshToken: privateInfo.refreshToken
     };
   }
+  async logout(req) {
+    const oauthClient = new googleAuthLibrary.OAuth2Client();
+    await oauthClient.revokeToken(req.refreshToken);
+  }
   async refresh(req) {
     const { accessToken, refreshToken, params } = await executeRefreshTokenStrategy(
       this.strategy,