@backstage/plugin-auth-backend 0.20.1-next.0 → 0.20.1-next.2

package/CHANGELOG.md

@@ -1,5 +1,55 @@
 # @backstage/plugin-auth-backend
 
+## 0.20.1-next.2
+
+### Patch Changes
+
+- 783797a: fix static token issuer not being able to initialize
+- a62764b: Updated dependency `passport` to `^0.7.0`.
+- Updated dependencies
+  - @backstage/plugin-auth-backend-module-oauth2-proxy-provider@0.1.0-next.1
+  - @backstage/plugin-catalog-node@1.6.0-next.2
+  - @backstage/backend-common@0.20.0-next.2
+  - @backstage/plugin-auth-backend-module-atlassian-provider@0.1.0-next.2
+  - @backstage/plugin-auth-backend-module-gitlab-provider@0.1.5-next.2
+  - @backstage/plugin-auth-backend-module-oauth2-provider@0.1.5-next.2
+  - @backstage/plugin-auth-backend-module-okta-provider@0.0.1-next.2
+  - @backstage/plugin-auth-node@0.4.2-next.2
+  - @backstage/catalog-client@1.5.0-next.1
+  - @backstage/plugin-auth-backend-module-gcp-iap-provider@0.2.2-next.2
+  - @backstage/plugin-auth-backend-module-google-provider@0.1.5-next.2
+  - @backstage/backend-plugin-api@0.6.8-next.2
+  - @backstage/catalog-model@1.4.3
+  - @backstage/config@1.1.1
+  - @backstage/errors@1.2.3
+  - @backstage/types@1.1.1
+  - @backstage/plugin-auth-backend-module-github-provider@0.1.5-next.2
+
+## 0.20.1-next.1
+
+### Patch Changes
+
+- 7ac25759a5: `oauth2-proxy` auth implementation has been moved to `@backstage/plugin-auth-backend-module-oauth2-proxy-provider`
+- bcbbf8e042: Updated dependency `@google-cloud/firestore` to `^7.0.0`.
+- Updated dependencies
+  - @backstage/plugin-auth-backend-module-oauth2-proxy-provider@0.1.0-next.0
+  - @backstage/catalog-client@1.5.0-next.0
+  - @backstage/backend-common@0.20.0-next.1
+  - @backstage/plugin-auth-backend-module-atlassian-provider@0.1.0-next.1
+  - @backstage/plugin-auth-backend-module-github-provider@0.1.5-next.1
+  - @backstage/plugin-auth-backend-module-gitlab-provider@0.1.5-next.1
+  - @backstage/plugin-auth-backend-module-google-provider@0.1.5-next.1
+  - @backstage/plugin-auth-backend-module-oauth2-provider@0.1.5-next.1
+  - @backstage/plugin-auth-backend-module-okta-provider@0.0.1-next.1
+  - @backstage/backend-plugin-api@0.6.8-next.1
+  - @backstage/catalog-model@1.4.3
+  - @backstage/config@1.1.1
+  - @backstage/errors@1.2.3
+  - @backstage/types@1.1.1
+  - @backstage/plugin-auth-backend-module-gcp-iap-provider@0.2.2-next.1
+  - @backstage/plugin-auth-node@0.4.2-next.1
+  - @backstage/plugin-catalog-node@1.5.1-next.1
+
 ## 0.20.1-next.0
 
 ### Patch Changes

package/dist/index.cjs.js

@@ -24,6 +24,7 @@ var pluginAuthBackendModuleGitlabProvider = require('@backstage/plugin-auth-back
 var pluginAuthBackendModuleGoogleProvider = require('@backstage/plugin-auth-backend-module-google-provider');
 var passportMicrosoft = require('passport-microsoft');
 var pluginAuthBackendModuleOauth2Provider = require('@backstage/plugin-auth-backend-module-oauth2-provider');
+var pluginAuthBackendModuleOauth2ProxyProvider = require('@backstage/plugin-auth-backend-module-oauth2-proxy-provider');
 var openidClient = require('openid-client');
 var pluginAuthBackendModuleOktaProvider = require('@backstage/plugin-auth-backend-module-okta-provider');
 var passportOneloginOauth = require('passport-onelogin-oauth');
@@ -239,10 +240,10 @@ const ensuresXRequestedWith = (req) => {
 
 const prepareBackstageIdentityResponse = pluginAuthNode.prepareBackstageIdentityResponse;
 
-var __defProp$g = Object.defineProperty;
-var __defNormalProp$g = (obj, key, value) => key in obj ? __defProp$g(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$g = (obj, key, value) => {
-  __defNormalProp$g(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$f = Object.defineProperty;
+var __defNormalProp$f = (obj, key, value) => key in obj ? __defProp$f(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$f = (obj, key, value) => {
+  __defNormalProp$f(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 const THOUSAND_DAYS_MS = 1e3 * 24 * 60 * 60 * 1e3;
@@ -251,8 +252,8 @@ class OAuthAdapter {
   constructor(handlers, options) {
     this.handlers = handlers;
     this.options = options;
-    __publicField$g(this, "baseCookieOptions");
-    __publicField$g(this, "setNonceCookie", (res, nonce, cookieConfig) => {
+    __publicField$f(this, "baseCookieOptions");
+    __publicField$f(this, "setNonceCookie", (res, nonce, cookieConfig) => {
       res.cookie(`${this.options.providerId}-nonce`, nonce, {
         maxAge: TEN_MINUTES_MS,
         ...this.baseCookieOptions,
@@ -260,34 +261,34 @@ class OAuthAdapter {
         path: `${cookieConfig.path}/handler`
       });
     });
-    __publicField$g(this, "setGrantedScopeCookie", (res, scope, cookieConfig) => {
+    __publicField$f(this, "setGrantedScopeCookie", (res, scope, cookieConfig) => {
       res.cookie(`${this.options.providerId}-granted-scope`, scope, {
         maxAge: THOUSAND_DAYS_MS,
         ...this.baseCookieOptions,
         ...cookieConfig
       });
     });
-    __publicField$g(this, "getRefreshTokenFromCookie", (req) => {
+    __publicField$f(this, "getRefreshTokenFromCookie", (req) => {
       return req.cookies[`${this.options.providerId}-refresh-token`];
     });
-    __publicField$g(this, "getGrantedScopeFromCookie", (req) => {
+    __publicField$f(this, "getGrantedScopeFromCookie", (req) => {
       return req.cookies[`${this.options.providerId}-granted-scope`];
     });
-    __publicField$g(this, "setRefreshTokenCookie", (res, refreshToken, cookieConfig) => {
+    __publicField$f(this, "setRefreshTokenCookie", (res, refreshToken, cookieConfig) => {
       res.cookie(`${this.options.providerId}-refresh-token`, refreshToken, {
         maxAge: THOUSAND_DAYS_MS,
         ...this.baseCookieOptions,
         ...cookieConfig
       });
     });
-    __publicField$g(this, "removeRefreshTokenCookie", (res, cookieConfig) => {
+    __publicField$f(this, "removeRefreshTokenCookie", (res, cookieConfig) => {
       res.cookie(`${this.options.providerId}-refresh-token`, "", {
         maxAge: 0,
         ...this.baseCookieOptions,
         ...cookieConfig
       });
     });
-    __publicField$g(this, "getCookieConfig", (origin) => {
+    __publicField$f(this, "getCookieConfig", (origin) => {
       return this.options.cookieConfigurer({
         providerId: this.options.providerId,
         baseUrl: this.options.baseUrl,
@@ -585,21 +586,21 @@ const executeFetchUserProfileStrategy = async (providerStrategy, accessToken) =>
   });
 };
 
-var __defProp$f = Object.defineProperty;
-var __defNormalProp$f = (obj, key, value) => key in obj ? __defProp$f(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$f = (obj, key, value) => {
-  __defNormalProp$f(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$e = Object.defineProperty;
+var __defNormalProp$e = (obj, key, value) => key in obj ? __defProp$e(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$e = (obj, key, value) => {
+  __defNormalProp$e(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 class Auth0AuthProvider {
   constructor(options) {
-    __publicField$f(this, "_strategy");
-    __publicField$f(this, "signInResolver");
-    __publicField$f(this, "authHandler");
-    __publicField$f(this, "resolverContext");
-    __publicField$f(this, "audience");
-    __publicField$f(this, "connection");
-    __publicField$f(this, "connectionScope");
+    __publicField$e(this, "_strategy");
+    __publicField$e(this, "signInResolver");
+    __publicField$e(this, "authHandler");
+    __publicField$e(this, "resolverContext");
+    __publicField$e(this, "audience");
+    __publicField$e(this, "connection");
+    __publicField$e(this, "connectionScope");
     /**
      * Due to passport-auth0 forcing options.state = true,
      * passport-oauth2 requires express-session to be installed
@@ -608,7 +609,7 @@ class Auth0AuthProvider {
      * passport-oauth2, which is the StateStore implementation used when options.state = false,
      * allowing us to avoid using express-session in order to integrate with auth0.
      */
-    __publicField$f(this, "store", {
+    __publicField$e(this, "store", {
       store(_req, cb) {
         cb(null, null);
       },
@@ -749,23 +750,23 @@ const auth0 = createAuthProviderIntegration({
   }
 });
 
-var __defProp$e = Object.defineProperty;
-var __defNormalProp$e = (obj, key, value) => key in obj ? __defProp$e(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$e = (obj, key, value) => {
-  __defNormalProp$e(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$d = Object.defineProperty;
+var __defNormalProp$d = (obj, key, value) => key in obj ? __defProp$d(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$d = (obj, key, value) => {
+  __defNormalProp$d(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 const ALB_JWT_HEADER = "x-amzn-oidc-data";
 const ALB_ACCESS_TOKEN_HEADER = "x-amzn-oidc-accesstoken";
 class AwsAlbAuthProvider {
   constructor(options) {
-    __publicField$e(this, "region");
-    __publicField$e(this, "issuer");
-    __publicField$e(this, "resolverContext");
-    __publicField$e(this, "keyCache");
-    __publicField$e(this, "authHandler");
-    __publicField$e(this, "signInResolver");
-    __publicField$e(this, "getKey", async (header) => {
+    __publicField$d(this, "region");
+    __publicField$d(this, "issuer");
+    __publicField$d(this, "resolverContext");
+    __publicField$d(this, "keyCache");
+    __publicField$d(this, "authHandler");
+    __publicField$d(this, "signInResolver");
+    __publicField$d(this, "getKey", async (header) => {
       if (!header.kid) {
         throw new errors.AuthenticationError("No key id was specified in header");
       }
@@ -893,18 +894,18 @@ const awsAlb = createAuthProviderIntegration({
   }
 });
 
-var __defProp$d = Object.defineProperty;
-var __defNormalProp$d = (obj, key, value) => key in obj ? __defProp$d(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$d = (obj, key, value) => {
-  __defNormalProp$d(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$c = Object.defineProperty;
+var __defNormalProp$c = (obj, key, value) => key in obj ? __defProp$c(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$c = (obj, key, value) => {
+  __defNormalProp$c(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 class BitbucketAuthProvider {
   constructor(options) {
-    __publicField$d(this, "_strategy");
-    __publicField$d(this, "signInResolver");
-    __publicField$d(this, "authHandler");
-    __publicField$d(this, "resolverContext");
+    __publicField$c(this, "_strategy");
+    __publicField$c(this, "signInResolver");
+    __publicField$c(this, "authHandler");
+    __publicField$c(this, "resolverContext");
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
     this.resolverContext = options.resolverContext;
@@ -1072,10 +1073,10 @@ const commonByEmailResolver = async (info, ctx) => {
   });
 };
 
-var __defProp$c = Object.defineProperty;
-var __defNormalProp$c = (obj, key, value) => key in obj ? __defProp$c(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$c = (obj, key, value) => {
-  __defNormalProp$c(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$b = Object.defineProperty;
+var __defNormalProp$b = (obj, key, value) => key in obj ? __defProp$b(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$b = (obj, key, value) => {
+  __defNormalProp$b(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 const CF_JWT_HEADER = "cf-access-jwt-assertion";
@@ -1083,12 +1084,12 @@ const COOKIE_AUTH_NAME = "CF_Authorization";
 const CACHE_PREFIX = "providers/cloudflare-access/profile-v1";
 class CloudflareAccessAuthProvider {
   constructor(options) {
-    __publicField$c(this, "teamName");
-    __publicField$c(this, "resolverContext");
-    __publicField$c(this, "authHandler");
-    __publicField$c(this, "signInResolver");
-    __publicField$c(this, "jwtKeySet");
-    __publicField$c(this, "cache");
+    __publicField$b(this, "teamName");
+    __publicField$b(this, "resolverContext");
+    __publicField$b(this, "authHandler");
+    __publicField$b(this, "signInResolver");
+    __publicField$b(this, "jwtKeySet");
+    __publicField$b(this, "cache");
     this.teamName = options.teamName;
     this.authHandler = options.authHandler;
     this.signInResolver = options.signInResolver;
@@ -1320,20 +1321,20 @@ const google = createAuthProviderIntegration({
 
 const BACKSTAGE_SESSION_EXPIRATION = 3600;
 
-var __defProp$b = Object.defineProperty;
-var __defNormalProp$b = (obj, key, value) => key in obj ? __defProp$b(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$b = (obj, key, value) => {
-  __defNormalProp$b(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$a = Object.defineProperty;
+var __defNormalProp$a = (obj, key, value) => key in obj ? __defProp$a(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$a = (obj, key, value) => {
+  __defNormalProp$a(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 class MicrosoftAuthProvider {
   constructor(options) {
-    __publicField$b(this, "_strategy");
-    __publicField$b(this, "signInResolver");
-    __publicField$b(this, "authHandler");
-    __publicField$b(this, "logger");
-    __publicField$b(this, "resolverContext");
-    __publicField$b(this, "skipUserProfile", (accessToken) => {
+    __publicField$a(this, "_strategy");
+    __publicField$a(this, "signInResolver");
+    __publicField$a(this, "authHandler");
+    __publicField$a(this, "logger");
+    __publicField$a(this, "resolverContext");
+    __publicField$a(this, "skipUserProfile", (accessToken) => {
       const { aud, scp } = jose.decodeJwt(accessToken);
       const hasGraphReadScope = aud === "00000003-0000-0000-c000-000000000000" && scp.split(" ").map((s) => s.toLowerCase()).includes("user.read");
       return !hasGraphReadScope;
@@ -1509,89 +1510,14 @@ const oauth2 = createAuthProviderIntegration({
   }
 });
 
-var __defProp$a = Object.defineProperty;
-var __defNormalProp$a = (obj, key, value) => key in obj ? __defProp$a(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$a = (obj, key, value) => {
-  __defNormalProp$a(obj, typeof key !== "symbol" ? key + "" : key, value);
-  return value;
-};
-const OAUTH2_PROXY_JWT_HEADER = "X-OAUTH2-PROXY-ID-TOKEN";
-class Oauth2ProxyAuthProvider {
-  constructor(options) {
-    __publicField$a(this, "resolverContext");
-    __publicField$a(this, "signInResolver");
-    __publicField$a(this, "authHandler");
-    this.resolverContext = options.resolverContext;
-    this.signInResolver = options.signInResolver;
-    this.authHandler = options.authHandler;
-  }
-  frameHandler() {
-    return Promise.resolve(void 0);
-  }
-  async refresh(req, res) {
-    try {
-      const authHeader = req.header(OAUTH2_PROXY_JWT_HEADER);
-      const jwt = pluginAuthNode.getBearerTokenFromAuthorizationHeader(authHeader);
-      const decodedJWT = jwt && jose.decodeJwt(jwt);
-      const result = {
-        fullProfile: decodedJWT || {},
-        accessToken: jwt || "",
-        headers: req.headers,
-        getHeader(name) {
-          if (name.toLocaleLowerCase("en-US") === "set-cookie") {
-            throw new Error("Access Set-Cookie via the headers object instead");
-          }
-          return req.get(name);
-        }
-      };
-      const response = await this.handleResult(result);
-      res.json(response);
-    } catch (e) {
-      throw new errors.AuthenticationError("Refresh failed", e);
-    }
-  }
-  start() {
-    return Promise.resolve(void 0);
-  }
-  async handleResult(result) {
-    const { profile } = await this.authHandler(result, this.resolverContext);
-    const backstageSignInResult = await this.signInResolver(
-      {
-        result,
-        profile
-      },
-      this.resolverContext
-    );
-    return {
-      providerInfo: {
-        accessToken: result.accessToken
-      },
-      backstageIdentity: prepareBackstageIdentityResponse(
-        backstageSignInResult
-      ),
-      profile
-    };
-  }
-}
-async function defaultAuthHandler(result) {
-  return {
-    profile: {
-      email: result.getHeader("x-forwarded-email"),
-      displayName: result.getHeader("x-forwarded-preferred-username") || result.getHeader("x-forwarded-user")
-    }
-  };
-}
 const oauth2Proxy = createAuthProviderIntegration({
   create(options) {
-    return ({ resolverContext }) => {
-      const signInResolver = options.signIn.resolver;
-      const authHandler = options.authHandler;
-      return new Oauth2ProxyAuthProvider({
-        resolverContext,
-        signInResolver,
-        authHandler: authHandler != null ? authHandler : defaultAuthHandler
-      });
-    };
+    var _a;
+    return pluginAuthNode.createProxyAuthProviderFactory({
+      authenticator: pluginAuthBackendModuleOauth2ProxyProvider.oauth2ProxyAuthenticator,
+      profileTransform: options == null ? void 0 : options.authHandler,
+      signInResolver: (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver
+    });
   }
 });
 
@@ -2764,7 +2690,7 @@ class KeyStores {
       return keyStore;
     }
     if (provider === "static") {
-      await StaticKeyStore.fromConfig(config);
+      return await StaticKeyStore.fromConfig(config);
     }
     throw new Error(`Unknown KeyStore provider: ${provider}`);
   }