@backstage/plugin-auth-backend 0.20.4-next.0 → 0.20.4-next.1

package/CHANGELOG.md

@@ -1,5 +1,31 @@
 # @backstage/plugin-auth-backend
 
+## 0.20.4-next.1
+
+### Patch Changes
+
+- 23a98f8: Migrated the AWS ALB auth provider to new `@backstage/plugin-auth-backend-module-aws-alb-provider` module package.
+- Updated dependencies
+  - @backstage/catalog-model@1.4.4-next.0
+  - @backstage/catalog-client@1.6.0-next.1
+  - @backstage/backend-plugin-api@0.6.10-next.1
+  - @backstage/backend-common@0.21.0-next.1
+  - @backstage/plugin-auth-backend-module-aws-alb-provider@0.1.0-next.0
+  - @backstage/config@1.1.1
+  - @backstage/errors@1.2.3
+  - @backstage/plugin-auth-backend-module-atlassian-provider@0.1.2-next.1
+  - @backstage/plugin-auth-backend-module-gcp-iap-provider@0.2.4-next.1
+  - @backstage/plugin-auth-backend-module-github-provider@0.1.7-next.1
+  - @backstage/plugin-auth-backend-module-gitlab-provider@0.1.7-next.1
+  - @backstage/plugin-auth-backend-module-google-provider@0.1.7-next.1
+  - @backstage/plugin-auth-backend-module-microsoft-provider@0.1.5-next.1
+  - @backstage/plugin-auth-backend-module-oauth2-provider@0.1.7-next.1
+  - @backstage/plugin-auth-backend-module-oauth2-proxy-provider@0.1.2-next.1
+  - @backstage/plugin-auth-backend-module-oidc-provider@0.1.0-next.1
+  - @backstage/plugin-auth-backend-module-okta-provider@0.0.3-next.1
+  - @backstage/plugin-auth-node@0.4.4-next.1
+  - @backstage/plugin-catalog-node@1.6.2-next.1
+
 ## 0.20.4-next.0
 
 ### Patch Changes

package/dist/index.cjs.js

@@ -14,10 +14,10 @@ var crypto = require('crypto');
 var url = require('url');
 var errors = require('@backstage/errors');
 var jwtDecoder = require('jwt-decode');
+var pluginAuthBackendModuleAwsAlbProvider = require('@backstage/plugin-auth-backend-module-aws-alb-provider');
+var passportBitbucketOauth2 = require('passport-bitbucket-oauth2');
 var fetch = require('node-fetch');
-var NodeCache = require('node-cache');
 var jose = require('jose');
-var passportBitbucketOauth2 = require('passport-bitbucket-oauth2');
 var pluginAuthBackendModuleGcpIapProvider = require('@backstage/plugin-auth-backend-module-gcp-iap-provider');
 var pluginAuthBackendModuleGithubProvider = require('@backstage/plugin-auth-backend-module-github-provider');
 var pluginAuthBackendModuleGitlabProvider = require('@backstage/plugin-auth-backend-module-gitlab-provider');
@@ -46,33 +46,13 @@ var config = require('@backstage/config');
 
 function _interopDefaultLegacy (e) { return e && typeof e === 'object' && 'default' in e ? e : { 'default': e }; }
 
-function _interopNamespace(e) {
-  if (e && e.__esModule) return e;
-  var n = Object.create(null);
-  if (e) {
-    Object.keys(e).forEach(function (k) {
-      if (k !== 'default') {
-        var d = Object.getOwnPropertyDescriptor(e, k);
-        Object.defineProperty(n, k, d.get ? d : {
-          enumerable: true,
-          get: function () { return e[k]; }
-        });
-      }
-    });
-  }
-  n["default"] = e;
-  return Object.freeze(n);
-}
-
 var express__default = /*#__PURE__*/_interopDefaultLegacy(express);
 var Router__default = /*#__PURE__*/_interopDefaultLegacy(Router);
 var cookieParser__default = /*#__PURE__*/_interopDefaultLegacy(cookieParser);
 var Auth0InternalStrategy__default = /*#__PURE__*/_interopDefaultLegacy(Auth0InternalStrategy);
 var crypto__default = /*#__PURE__*/_interopDefaultLegacy(crypto);
-var crypto__namespace = /*#__PURE__*/_interopNamespace(crypto);
 var jwtDecoder__default = /*#__PURE__*/_interopDefaultLegacy(jwtDecoder);
 var fetch__default = /*#__PURE__*/_interopDefaultLegacy(fetch);
-var NodeCache__default = /*#__PURE__*/_interopDefaultLegacy(NodeCache);
 var session__default = /*#__PURE__*/_interopDefaultLegacy(session);
 var connectSessionKnex__default = /*#__PURE__*/_interopDefaultLegacy(connectSessionKnex);
 var passport__default = /*#__PURE__*/_interopDefaultLegacy(passport);
@@ -240,10 +220,10 @@ const ensuresXRequestedWith = (req) => {
 
 const prepareBackstageIdentityResponse = pluginAuthNode.prepareBackstageIdentityResponse;
 
-var __defProp$d = Object.defineProperty;
-var __defNormalProp$d = (obj, key, value) => key in obj ? __defProp$d(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$d = (obj, key, value) => {
-  __defNormalProp$d(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$c = Object.defineProperty;
+var __defNormalProp$c = (obj, key, value) => key in obj ? __defProp$c(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$c = (obj, key, value) => {
+  __defNormalProp$c(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 const THOUSAND_DAYS_MS = 1e3 * 24 * 60 * 60 * 1e3;
@@ -252,8 +232,8 @@ class OAuthAdapter {
   constructor(handlers, options) {
     this.handlers = handlers;
     this.options = options;
-    __publicField$d(this, "baseCookieOptions");
-    __publicField$d(this, "setNonceCookie", (res, nonce, cookieConfig) => {
+    __publicField$c(this, "baseCookieOptions");
+    __publicField$c(this, "setNonceCookie", (res, nonce, cookieConfig) => {
       res.cookie(`${this.options.providerId}-nonce`, nonce, {
         maxAge: TEN_MINUTES_MS,
         ...this.baseCookieOptions,
@@ -261,34 +241,34 @@ class OAuthAdapter {
         path: `${cookieConfig.path}/handler`
       });
     });
-    __publicField$d(this, "setGrantedScopeCookie", (res, scope, cookieConfig) => {
+    __publicField$c(this, "setGrantedScopeCookie", (res, scope, cookieConfig) => {
       res.cookie(`${this.options.providerId}-granted-scope`, scope, {
         maxAge: THOUSAND_DAYS_MS,
         ...this.baseCookieOptions,
         ...cookieConfig
       });
     });
-    __publicField$d(this, "getRefreshTokenFromCookie", (req) => {
+    __publicField$c(this, "getRefreshTokenFromCookie", (req) => {
       return req.cookies[`${this.options.providerId}-refresh-token`];
     });
-    __publicField$d(this, "getGrantedScopeFromCookie", (req) => {
+    __publicField$c(this, "getGrantedScopeFromCookie", (req) => {
       return req.cookies[`${this.options.providerId}-granted-scope`];
     });
-    __publicField$d(this, "setRefreshTokenCookie", (res, refreshToken, cookieConfig) => {
+    __publicField$c(this, "setRefreshTokenCookie", (res, refreshToken, cookieConfig) => {
       res.cookie(`${this.options.providerId}-refresh-token`, refreshToken, {
         maxAge: THOUSAND_DAYS_MS,
         ...this.baseCookieOptions,
         ...cookieConfig
       });
     });
-    __publicField$d(this, "removeRefreshTokenCookie", (res, cookieConfig) => {
+    __publicField$c(this, "removeRefreshTokenCookie", (res, cookieConfig) => {
       res.cookie(`${this.options.providerId}-refresh-token`, "", {
         maxAge: 0,
         ...this.baseCookieOptions,
         ...cookieConfig
       });
     });
-    __publicField$d(this, "getCookieConfig", (origin) => {
+    __publicField$c(this, "getCookieConfig", (origin) => {
       return this.options.cookieConfigurer({
         providerId: this.options.providerId,
         baseUrl: this.options.baseUrl,
@@ -586,21 +566,21 @@ const executeFetchUserProfileStrategy = async (providerStrategy, accessToken) =>
   });
 };
 
-var __defProp$c = Object.defineProperty;
-var __defNormalProp$c = (obj, key, value) => key in obj ? __defProp$c(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$c = (obj, key, value) => {
-  __defNormalProp$c(obj, typeof key !== "symbol" ? key + "" : key, value);
+var __defProp$b = Object.defineProperty;
+var __defNormalProp$b = (obj, key, value) => key in obj ? __defProp$b(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField$b = (obj, key, value) => {
+  __defNormalProp$b(obj, typeof key !== "symbol" ? key + "" : key, value);
   return value;
 };
 class Auth0AuthProvider {
   constructor(options) {
-    __publicField$c(this, "_strategy");
-    __publicField$c(this, "signInResolver");
-    __publicField$c(this, "authHandler");
-    __publicField$c(this, "resolverContext");
-    __publicField$c(this, "audience");
-    __publicField$c(this, "connection");
-    __publicField$c(this, "connectionScope");
+    __publicField$b(this, "_strategy");
+    __publicField$b(this, "signInResolver");
+    __publicField$b(this, "authHandler");
+    __publicField$b(this, "resolverContext");
+    __publicField$b(this, "audience");
+    __publicField$b(this, "connection");
+    __publicField$b(this, "connectionScope");
     /**
      * Due to passport-auth0 forcing options.state = true,
      * passport-oauth2 requires express-session to be installed
@@ -609,7 +589,7 @@ class Auth0AuthProvider {
      * passport-oauth2, which is the StateStore implementation used when options.state = false,
      * allowing us to avoid using express-session in order to integrate with auth0.
      */
-    __publicField$c(this, "store", {
+    __publicField$b(this, "store", {
       store(_req, cb) {
         cb(null, null);
       },
@@ -750,147 +730,14 @@ const auth0 = createAuthProviderIntegration({
   }
 });
 
-var __defProp$b = Object.defineProperty;
-var __defNormalProp$b = (obj, key, value) => key in obj ? __defProp$b(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __publicField$b = (obj, key, value) => {
-  __defNormalProp$b(obj, typeof key !== "symbol" ? key + "" : key, value);
-  return value;
-};
-const ALB_JWT_HEADER = "x-amzn-oidc-data";
-const ALB_ACCESS_TOKEN_HEADER = "x-amzn-oidc-accesstoken";
-class AwsAlbAuthProvider {
-  constructor(options) {
-    __publicField$b(this, "region");
-    __publicField$b(this, "issuer");
-    __publicField$b(this, "resolverContext");
-    __publicField$b(this, "keyCache");
-    __publicField$b(this, "authHandler");
-    __publicField$b(this, "signInResolver");
-    __publicField$b(this, "getKey", async (header) => {
-      if (!header.kid) {
-        throw new errors.AuthenticationError("No key id was specified in header");
-      }
-      const optionalCacheKey = this.keyCache.get(header.kid);
-      if (optionalCacheKey) {
-        return crypto__namespace.createPublicKey(optionalCacheKey);
-      }
-      const keyText = await fetch__default["default"](
-        `https://public-keys.auth.elb.${encodeURIComponent(
-          this.region
-        )}.amazonaws.com/${encodeURIComponent(header.kid)}`
-      ).then((response) => response.text());
-      const keyValue = crypto__namespace.createPublicKey(keyText);
-      this.keyCache.set(
-        header.kid,
-        keyValue.export({ format: "pem", type: "spki" })
-      );
-      return keyValue;
-    });
-    this.region = options.region;
-    this.issuer = options.issuer;
-    this.authHandler = options.authHandler;
-    this.signInResolver = options.signInResolver;
-    this.resolverContext = options.resolverContext;
-    this.keyCache = new NodeCache__default["default"]({ stdTTL: 3600 });
-  }
-  frameHandler() {
-    return Promise.resolve(void 0);
-  }
-  async refresh(req, res) {
-    try {
-      const result = await this.getResult(req);
-      const response = await this.handleResult(result);
-      res.json(response);
-    } catch (e) {
-      throw new errors.AuthenticationError(
-        "Exception occurred during AWS ALB token refresh",
-        e
-      );
-    }
-  }
-  start() {
-    return Promise.resolve(void 0);
-  }
-  async getResult(req) {
-    const jwt = req.header(ALB_JWT_HEADER);
-    const accessToken = req.header(ALB_ACCESS_TOKEN_HEADER);
-    if (jwt === void 0) {
-      throw new errors.AuthenticationError(
-        `Missing ALB OIDC header: ${ALB_JWT_HEADER}`
-      );
-    }
-    if (accessToken === void 0) {
-      throw new errors.AuthenticationError(
-        `Missing ALB OIDC header: ${ALB_ACCESS_TOKEN_HEADER}`
-      );
-    }
-    try {
-      const verifyResult = await jose.jwtVerify(jwt, this.getKey);
-      const claims = verifyResult.payload;
-      if (this.issuer && claims.iss !== this.issuer) {
-        throw new errors.AuthenticationError("Issuer mismatch on JWT token");
-      }
-      const fullProfile = {
-        provider: "unknown",
-        id: claims.sub,
-        displayName: claims.name,
-        username: claims.email.split("@")[0].toLowerCase(),
-        name: {
-          familyName: claims.family_name,
-          givenName: claims.given_name
-        },
-        emails: [{ value: claims.email.toLowerCase() }],
-        photos: [{ value: claims.picture }]
-      };
-      return {
-        fullProfile,
-        expiresInSeconds: claims.exp,
-        accessToken
-      };
-    } catch (e) {
-      throw new Error(`Exception occurred during JWT processing: ${e}`);
-    }
-  }
-  async handleResult(result) {
-    const { profile } = await this.authHandler(result, this.resolverContext);
-    const backstageIdentity = await this.signInResolver(
-      {
-        result,
-        profile
-      },
-      this.resolverContext
-    );
-    return {
-      providerInfo: {
-        accessToken: result.accessToken,
-        expiresInSeconds: result.expiresInSeconds
-      },
-      backstageIdentity: prepareBackstageIdentityResponse(backstageIdentity),
-      profile
-    };
-  }
-}
 const awsAlb = createAuthProviderIntegration({
   create(options) {
-    return ({ config, resolverContext }) => {
-      const region = config.getString("region");
-      const issuer = config.getOptionalString("iss");
-      if ((options == null ? void 0 : options.signIn.resolver) === void 0) {
-        throw new Error(
-          "SignInResolver is required to use this authentication provider"
-        );
-      }
-      const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
-        profile: makeProfileInfo(fullProfile)
-      });
-      return new AwsAlbAuthProvider({
-        region,
-        issuer,
-        signInResolver: options == null ? void 0 : options.signIn.resolver,
-        authHandler,
-        resolverContext
-      });
-    };
+    var _a;
+    return pluginAuthNode.createProxyAuthProviderFactory({
+      authenticator: pluginAuthBackendModuleAwsAlbProvider.awsAlbAuthenticator,
+      profileTransform: options == null ? void 0 : options.authHandler,
+      signInResolver: (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver
+    });
   }
 });