@backstage/plugin-auth-backend 0.17.1-next.0 → 0.17.1

package/CHANGELOG.md

@@ -1,5 +1,38 @@
 # @backstage/plugin-auth-backend
 
+## 0.17.1
+
+### Patch Changes
+
+- 0d6837ca4e: Fix wrong GitHub callback URL documentation
+- cbe11d1e23: Tweak README
+- 89d705e806: Add support for custom JWT header name in GCP IAP auth.
+- abaed9770e: Improve logging
+- d80833fe0c: Inject optional `CatalogApi` into auth-backend `createRouter` function. This will enable developers to use customized `CatalogApi` when creating the router.
+- Updated dependencies
+  - @backstage/backend-common@0.16.0
+  - @backstage/catalog-model@1.1.3
+  - @backstage/plugin-auth-node@0.2.7
+  - @backstage/types@1.0.1
+  - @backstage/catalog-client@1.1.2
+  - @backstage/config@1.0.4
+  - @backstage/errors@1.1.3
+
+## 0.17.1-next.1
+
+### Patch Changes
+
+- 0d6837ca4e: Fix wrong GitHub callback URL documentation
+- abaed9770e: Improve logging
+- Updated dependencies
+  - @backstage/backend-common@0.16.0-next.1
+  - @backstage/plugin-auth-node@0.2.7-next.1
+  - @backstage/catalog-client@1.1.2-next.0
+  - @backstage/catalog-model@1.1.3-next.0
+  - @backstage/config@1.0.4-next.0
+  - @backstage/errors@1.1.3-next.0
+  - @backstage/types@1.0.1-next.0
+
 ## 0.17.1-next.0
 
 ### Patch Changes

package/README.md

@@ -34,8 +34,8 @@ Follow this link, [Create new OAuth App](https://github.com/settings/application
 1. Set Application Name to `backstage-dev` or something along those lines.
 1. You can set the Homepage URL to whatever you want to.
 1. The Authorization Callback URL should match the redirect URI set in Backstage.
-   1. Set this to `http://localhost:7007/api/auth/github` for local development.
-   1. Set this to `http://{APP_FQDN}:{APP_BACKEND_PORT}/api/auth/github` for non-local deployments.
+   1. Set this to `http://localhost:7007/api/auth/github/handler/frame` for local development.
+   1. Set this to `http://{APP_FQDN}:{APP_BACKEND_PORT}/api/auth/github/handler/frame` for non-local deployments.
 
 ```bash
 export AUTH_GITHUB_CLIENT_ID=x

package/dist/index.cjs.js

@@ -1316,8 +1316,6 @@ const cfAccess = createAuthProviderIntegration({
   }
 });
 
-const IAP_JWT_HEADER = "x-goog-iap-jwt-assertion";
-
 function createTokenValidator(audience, mockClient) {
   const client = mockClient != null ? mockClient : new googleAuthLibrary.OAuth2Client();
   return async function tokenValidator(token) {
@@ -1337,9 +1335,7 @@ function createTokenValidator(audience, mockClient) {
 }
 async function parseRequestToken(jwtToken, tokenValidator) {
   if (typeof jwtToken !== "string" || !jwtToken) {
-    throw new errors.AuthenticationError(
-      `Missing Google IAP header: ${IAP_JWT_HEADER}`
-    );
+    throw new errors.AuthenticationError("Missing Google IAP header");
   }
   let payload;
   try {
@@ -1364,12 +1360,15 @@ const defaultAuthHandler$1 = async ({
   iapToken
 }) => ({ profile: { email: iapToken.email } });
 
+const DEFAULT_IAP_JWT_HEADER = "x-goog-iap-jwt-assertion";
+
 class GcpIapProvider {
   constructor(options) {
     this.authHandler = options.authHandler;
     this.signInResolver = options.signInResolver;
     this.tokenValidator = options.tokenValidator;
     this.resolverContext = options.resolverContext;
+    this.jwtHeader = (options == null ? void 0 : options.jwtHeader) || DEFAULT_IAP_JWT_HEADER;
   }
   async start() {
   }
@@ -1377,7 +1376,7 @@ class GcpIapProvider {
   }
   async refresh(req, res) {
     const result = await parseRequestToken(
-      req.header(IAP_JWT_HEADER),
+      req.header(this.jwtHeader),
       this.tokenValidator
     );
     const { profile } = await this.authHandler(result, this.resolverContext);
@@ -1398,6 +1397,7 @@ const gcpIap = createAuthProviderIntegration({
     return ({ config, resolverContext }) => {
       var _a;
       const audience = config.getString("audience");
+      const jwtHeader = config.getOptionalString("jwtHeader");
       const authHandler = (_a = options.authHandler) != null ? _a : defaultAuthHandler$1;
       const signInResolver = options.signIn.resolver;
       const tokenValidator = createTokenValidator(audience);
@@ -1405,7 +1405,8 @@ const gcpIap = createAuthProviderIntegration({
         authHandler,
         signInResolver,
         tokenValidator,
-        resolverContext
+        resolverContext,
+        jwtHeader
       });
     };
   }
@@ -3176,7 +3177,8 @@ async function createRouter(options) {
     database,
     tokenManager,
     tokenFactoryAlgorithm,
-    providerFactories
+    providerFactories,
+    catalogApi
   } = options;
   const router = Router__default["default"]();
   const appUrl = config.getString("app.baseUrl");
@@ -3190,7 +3192,6 @@ async function createRouter(options) {
     logger: logger.child({ component: "token-factory" }),
     algorithm: tokenFactoryAlgorithm
   });
-  const catalogApi = new catalogClient.CatalogClient({ discoveryApi: discovery });
   const secret = config.getOptionalString("auth.session.secret");
   if (secret) {
     router.use(cookieParser__default["default"](secret));
@@ -3221,7 +3222,7 @@ async function createRouter(options) {
     allProviderFactories
   )) {
     if (configuredProviders.includes(providerId)) {
-      logger.info(`Configuring provider, ${providerId}`);
+      logger.info(`Configuring auth provider: ${providerId}`);
       try {
         const provider = providerFactory({
           providerId,
@@ -3234,7 +3235,7 @@ async function createRouter(options) {
           logger,
           resolverContext: CatalogAuthResolverContext.create({
             logger,
-            catalogApi,
+            catalogApi: catalogApi != null ? catalogApi : new catalogClient.CatalogClient({ discoveryApi: discovery }),
             tokenIssuer,
             tokenManager
           })