@backstage/plugin-auth-backend 0.22.5-next.2 → 0.22.6-next.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +59 -0
- package/dist/index.cjs.js +208 -333
- package/dist/index.cjs.js.map +1 -1
- package/package.json +24 -24
package/dist/index.cjs.js
CHANGED
|
@@ -98,45 +98,40 @@ function adaptOAuthSignInResolverToLegacy(resolvers) {
|
|
|
98
98
|
const legacyResolvers = {};
|
|
99
99
|
for (const name of Object.keys(resolvers)) {
|
|
100
100
|
const resolver = resolvers[name];
|
|
101
|
-
legacyResolvers[name] = () => async (input, ctx) =>
|
|
102
|
-
|
|
103
|
-
|
|
104
|
-
{
|
|
105
|
-
|
|
106
|
-
|
|
107
|
-
|
|
108
|
-
|
|
109
|
-
|
|
110
|
-
|
|
111
|
-
|
|
112
|
-
|
|
113
|
-
tokenType: (_a = input.result.params.token_type) != null ? _a : "bearer",
|
|
114
|
-
refreshToken: input.result.refreshToken
|
|
115
|
-
}
|
|
101
|
+
legacyResolvers[name] = () => async (input, ctx) => resolver(
|
|
102
|
+
{
|
|
103
|
+
profile: input.profile,
|
|
104
|
+
result: {
|
|
105
|
+
fullProfile: input.result.fullProfile,
|
|
106
|
+
session: {
|
|
107
|
+
accessToken: input.result.accessToken,
|
|
108
|
+
expiresInSeconds: input.result.params.expires_in,
|
|
109
|
+
scope: input.result.params.scope,
|
|
110
|
+
idToken: input.result.params.id_token,
|
|
111
|
+
tokenType: input.result.params.token_type ?? "bearer",
|
|
112
|
+
refreshToken: input.result.refreshToken
|
|
116
113
|
}
|
|
117
|
-
}
|
|
118
|
-
|
|
119
|
-
|
|
120
|
-
|
|
114
|
+
}
|
|
115
|
+
},
|
|
116
|
+
ctx
|
|
117
|
+
);
|
|
121
118
|
}
|
|
122
119
|
return legacyResolvers;
|
|
123
120
|
}
|
|
124
121
|
|
|
125
122
|
function createAuthProviderIntegration(config) {
|
|
126
|
-
var _a;
|
|
127
123
|
return Object.freeze({
|
|
128
124
|
...config,
|
|
129
|
-
resolvers: Object.freeze(
|
|
125
|
+
resolvers: Object.freeze(config.resolvers ?? {})
|
|
130
126
|
});
|
|
131
127
|
}
|
|
132
128
|
|
|
133
129
|
const atlassian = createAuthProviderIntegration({
|
|
134
130
|
create(options) {
|
|
135
|
-
var _a;
|
|
136
131
|
return pluginAuthNode.createOAuthProviderFactory({
|
|
137
132
|
authenticator: pluginAuthBackendModuleAtlassianProvider.atlassianAuthenticator,
|
|
138
|
-
profileTransform: adaptLegacyOAuthHandler(options
|
|
139
|
-
signInResolver: adaptLegacyOAuthSignInResolver(
|
|
133
|
+
profileTransform: adaptLegacyOAuthHandler(options?.authHandler),
|
|
134
|
+
signInResolver: adaptLegacyOAuthSignInResolver(options?.signIn?.resolver)
|
|
140
135
|
});
|
|
141
136
|
}
|
|
142
137
|
});
|
|
@@ -159,9 +154,8 @@ const OAuthEnvironmentHandler = pluginAuthNode.OAuthEnvironmentHandler;
|
|
|
159
154
|
const readState = pluginAuthNode.decodeOAuthState;
|
|
160
155
|
const encodeState = pluginAuthNode.encodeOAuthState;
|
|
161
156
|
const verifyNonce = (req, providerId) => {
|
|
162
|
-
var _a, _b;
|
|
163
157
|
const cookieNonce = req.cookies[`${providerId}-nonce`];
|
|
164
|
-
const state = readState(
|
|
158
|
+
const state = readState(req.query.state?.toString() ?? "");
|
|
165
159
|
const stateNonce = state.nonce;
|
|
166
160
|
if (!cookieNonce) {
|
|
167
161
|
throw new Error("Auth response is missing cookie nonce");
|
|
@@ -221,72 +215,21 @@ const ensuresXRequestedWith = (req) => {
|
|
|
221
215
|
|
|
222
216
|
const prepareBackstageIdentityResponse = pluginAuthNode.prepareBackstageIdentityResponse;
|
|
223
217
|
|
|
224
|
-
var __defProp$9 = Object.defineProperty;
|
|
225
|
-
var __defNormalProp$9 = (obj, key, value) => key in obj ? __defProp$9(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
|
|
226
|
-
var __publicField$9 = (obj, key, value) => {
|
|
227
|
-
__defNormalProp$9(obj, typeof key !== "symbol" ? key + "" : key, value);
|
|
228
|
-
return value;
|
|
229
|
-
};
|
|
230
218
|
const THOUSAND_DAYS_MS = 1e3 * 24 * 60 * 60 * 1e3;
|
|
231
219
|
const TEN_MINUTES_MS = 600 * 1e3;
|
|
232
220
|
class OAuthAdapter {
|
|
233
221
|
constructor(handlers, options) {
|
|
234
222
|
this.handlers = handlers;
|
|
235
223
|
this.options = options;
|
|
236
|
-
__publicField$9(this, "baseCookieOptions");
|
|
237
|
-
__publicField$9(this, "setNonceCookie", (res, nonce, cookieConfig) => {
|
|
238
|
-
res.cookie(`${this.options.providerId}-nonce`, nonce, {
|
|
239
|
-
maxAge: TEN_MINUTES_MS,
|
|
240
|
-
...this.baseCookieOptions,
|
|
241
|
-
...cookieConfig,
|
|
242
|
-
path: `${cookieConfig.path}/handler`
|
|
243
|
-
});
|
|
244
|
-
});
|
|
245
|
-
__publicField$9(this, "setGrantedScopeCookie", (res, scope, cookieConfig) => {
|
|
246
|
-
res.cookie(`${this.options.providerId}-granted-scope`, scope, {
|
|
247
|
-
maxAge: THOUSAND_DAYS_MS,
|
|
248
|
-
...this.baseCookieOptions,
|
|
249
|
-
...cookieConfig
|
|
250
|
-
});
|
|
251
|
-
});
|
|
252
|
-
__publicField$9(this, "getRefreshTokenFromCookie", (req) => {
|
|
253
|
-
return req.cookies[`${this.options.providerId}-refresh-token`];
|
|
254
|
-
});
|
|
255
|
-
__publicField$9(this, "getGrantedScopeFromCookie", (req) => {
|
|
256
|
-
return req.cookies[`${this.options.providerId}-granted-scope`];
|
|
257
|
-
});
|
|
258
|
-
__publicField$9(this, "setRefreshTokenCookie", (res, refreshToken, cookieConfig) => {
|
|
259
|
-
res.cookie(`${this.options.providerId}-refresh-token`, refreshToken, {
|
|
260
|
-
maxAge: THOUSAND_DAYS_MS,
|
|
261
|
-
...this.baseCookieOptions,
|
|
262
|
-
...cookieConfig
|
|
263
|
-
});
|
|
264
|
-
});
|
|
265
|
-
__publicField$9(this, "removeRefreshTokenCookie", (res, cookieConfig) => {
|
|
266
|
-
res.cookie(`${this.options.providerId}-refresh-token`, "", {
|
|
267
|
-
maxAge: 0,
|
|
268
|
-
...this.baseCookieOptions,
|
|
269
|
-
...cookieConfig
|
|
270
|
-
});
|
|
271
|
-
});
|
|
272
|
-
__publicField$9(this, "getCookieConfig", (origin) => {
|
|
273
|
-
return this.options.cookieConfigurer({
|
|
274
|
-
providerId: this.options.providerId,
|
|
275
|
-
baseUrl: this.options.baseUrl,
|
|
276
|
-
callbackUrl: this.options.callbackUrl,
|
|
277
|
-
appOrigin: origin != null ? origin : this.options.appOrigin
|
|
278
|
-
});
|
|
279
|
-
});
|
|
280
224
|
this.baseCookieOptions = {
|
|
281
225
|
httpOnly: true,
|
|
282
226
|
sameSite: "lax"
|
|
283
227
|
};
|
|
284
228
|
}
|
|
285
229
|
static fromConfig(config, handlers, options) {
|
|
286
|
-
var _a;
|
|
287
230
|
const { appUrl, baseUrl, isOriginAllowed } = config;
|
|
288
231
|
const { origin: appOrigin } = new url.URL(appUrl);
|
|
289
|
-
const cookieConfigurer =
|
|
232
|
+
const cookieConfigurer = config.cookieConfigurer ?? defaultCookieConfigurer;
|
|
290
233
|
return new OAuthAdapter(handlers, {
|
|
291
234
|
...options,
|
|
292
235
|
appOrigin,
|
|
@@ -295,13 +238,13 @@ class OAuthAdapter {
|
|
|
295
238
|
isOriginAllowed
|
|
296
239
|
});
|
|
297
240
|
}
|
|
241
|
+
baseCookieOptions;
|
|
298
242
|
async start(req, res) {
|
|
299
|
-
|
|
300
|
-
const
|
|
301
|
-
const
|
|
302
|
-
const
|
|
303
|
-
const
|
|
304
|
-
const flow = (_f = req.query.flow) == null ? void 0 : _f.toString();
|
|
243
|
+
const scope = req.query.scope?.toString() ?? "";
|
|
244
|
+
const env = req.query.env?.toString();
|
|
245
|
+
const origin = req.query.origin?.toString();
|
|
246
|
+
const redirectUrl = req.query.redirectUrl?.toString();
|
|
247
|
+
const flow = req.query.flow?.toString();
|
|
305
248
|
if (!env) {
|
|
306
249
|
throw new errors.InputError("No env provided in request query parameters");
|
|
307
250
|
}
|
|
@@ -322,10 +265,9 @@ class OAuthAdapter {
|
|
|
322
265
|
res.end();
|
|
323
266
|
}
|
|
324
267
|
async frameHandler(req, res) {
|
|
325
|
-
var _a, _b;
|
|
326
268
|
let appOrigin = this.options.appOrigin;
|
|
327
269
|
try {
|
|
328
|
-
const state = readState(
|
|
270
|
+
const state = readState(req.query.state?.toString() ?? "");
|
|
329
271
|
if (state.origin) {
|
|
330
272
|
try {
|
|
331
273
|
appOrigin = new url.URL(state.origin).origin;
|
|
@@ -386,7 +328,6 @@ class OAuthAdapter {
|
|
|
386
328
|
res.status(200).end();
|
|
387
329
|
}
|
|
388
330
|
async refresh(req, res) {
|
|
389
|
-
var _a, _b;
|
|
390
331
|
if (!ensuresXRequestedWith(req)) {
|
|
391
332
|
throw new errors.AuthenticationError("Invalid X-Requested-With header");
|
|
392
333
|
}
|
|
@@ -400,7 +341,7 @@ class OAuthAdapter {
|
|
|
400
341
|
if (!refreshToken) {
|
|
401
342
|
throw new errors.InputError("Missing session cookie");
|
|
402
343
|
}
|
|
403
|
-
let scope =
|
|
344
|
+
let scope = req.query.scope?.toString() ?? "";
|
|
404
345
|
if (this.options.persistScopes) {
|
|
405
346
|
scope = this.getGrantedScopeFromCookie(req);
|
|
406
347
|
}
|
|
@@ -432,10 +373,52 @@ class OAuthAdapter {
|
|
|
432
373
|
}
|
|
433
374
|
return prepareBackstageIdentityResponse(identity);
|
|
434
375
|
}
|
|
376
|
+
setNonceCookie = (res, nonce, cookieConfig) => {
|
|
377
|
+
res.cookie(`${this.options.providerId}-nonce`, nonce, {
|
|
378
|
+
maxAge: TEN_MINUTES_MS,
|
|
379
|
+
...this.baseCookieOptions,
|
|
380
|
+
...cookieConfig,
|
|
381
|
+
path: `${cookieConfig.path}/handler`
|
|
382
|
+
});
|
|
383
|
+
};
|
|
384
|
+
setGrantedScopeCookie = (res, scope, cookieConfig) => {
|
|
385
|
+
res.cookie(`${this.options.providerId}-granted-scope`, scope, {
|
|
386
|
+
maxAge: THOUSAND_DAYS_MS,
|
|
387
|
+
...this.baseCookieOptions,
|
|
388
|
+
...cookieConfig
|
|
389
|
+
});
|
|
390
|
+
};
|
|
391
|
+
getRefreshTokenFromCookie = (req) => {
|
|
392
|
+
return req.cookies[`${this.options.providerId}-refresh-token`];
|
|
393
|
+
};
|
|
394
|
+
getGrantedScopeFromCookie = (req) => {
|
|
395
|
+
return req.cookies[`${this.options.providerId}-granted-scope`];
|
|
396
|
+
};
|
|
397
|
+
setRefreshTokenCookie = (res, refreshToken, cookieConfig) => {
|
|
398
|
+
res.cookie(`${this.options.providerId}-refresh-token`, refreshToken, {
|
|
399
|
+
maxAge: THOUSAND_DAYS_MS,
|
|
400
|
+
...this.baseCookieOptions,
|
|
401
|
+
...cookieConfig
|
|
402
|
+
});
|
|
403
|
+
};
|
|
404
|
+
removeRefreshTokenCookie = (res, cookieConfig) => {
|
|
405
|
+
res.cookie(`${this.options.providerId}-refresh-token`, "", {
|
|
406
|
+
maxAge: 0,
|
|
407
|
+
...this.baseCookieOptions,
|
|
408
|
+
...cookieConfig
|
|
409
|
+
});
|
|
410
|
+
};
|
|
411
|
+
getCookieConfig = (origin) => {
|
|
412
|
+
return this.options.cookieConfigurer({
|
|
413
|
+
providerId: this.options.providerId,
|
|
414
|
+
baseUrl: this.options.baseUrl,
|
|
415
|
+
callbackUrl: this.options.callbackUrl,
|
|
416
|
+
appOrigin: origin ?? this.options.appOrigin
|
|
417
|
+
});
|
|
418
|
+
};
|
|
435
419
|
}
|
|
436
420
|
|
|
437
421
|
const makeProfileInfo = (profile, idToken) => {
|
|
438
|
-
var _a, _b;
|
|
439
422
|
let email = void 0;
|
|
440
423
|
if (profile.emails && profile.emails.length > 0) {
|
|
441
424
|
const [firstEmail] = profile.emails;
|
|
@@ -448,7 +431,7 @@ const makeProfileInfo = (profile, idToken) => {
|
|
|
448
431
|
const [firstPhoto] = profile.photos;
|
|
449
432
|
picture = firstPhoto.value;
|
|
450
433
|
}
|
|
451
|
-
let displayName =
|
|
434
|
+
let displayName = profile.displayName ?? profile.username ?? profile.id;
|
|
452
435
|
if ((!email || !picture || !displayName) && idToken) {
|
|
453
436
|
try {
|
|
454
437
|
const decoded = jose.decodeJwt(idToken);
|
|
@@ -475,7 +458,7 @@ const executeRedirectStrategy = async (req, providerStrategy, options) => {
|
|
|
475
458
|
return new Promise((resolve) => {
|
|
476
459
|
const strategy = Object.create(providerStrategy);
|
|
477
460
|
strategy.redirect = (url, status) => {
|
|
478
|
-
resolve({ url, status: status
|
|
461
|
+
resolve({ url, status: status ?? void 0 });
|
|
479
462
|
};
|
|
480
463
|
strategy.authenticate(req, { ...options });
|
|
481
464
|
});
|
|
@@ -488,13 +471,11 @@ const executeFrameHandlerStrategy = async (req, providerStrategy, options) => {
|
|
|
488
471
|
resolve({ result, privateInfo });
|
|
489
472
|
};
|
|
490
473
|
strategy.fail = (info) => {
|
|
491
|
-
|
|
492
|
-
reject(new Error(`Authentication rejected, ${(_a = info.message) != null ? _a : ""}`));
|
|
474
|
+
reject(new Error(`Authentication rejected, ${info.message ?? ""}`));
|
|
493
475
|
};
|
|
494
476
|
strategy.error = (error) => {
|
|
495
|
-
var _a;
|
|
496
477
|
let message = `Authentication failed, ${error.message}`;
|
|
497
|
-
if (
|
|
478
|
+
if (error.oauthError?.data) {
|
|
498
479
|
try {
|
|
499
480
|
const errorData = JSON.parse(error.oauthError.data);
|
|
500
481
|
if (errorData.message) {
|
|
@@ -509,7 +490,7 @@ const executeFrameHandlerStrategy = async (req, providerStrategy, options) => {
|
|
|
509
490
|
strategy.redirect = () => {
|
|
510
491
|
reject(new Error("Unexpected redirect"));
|
|
511
492
|
};
|
|
512
|
-
strategy.authenticate(req, { ...options
|
|
493
|
+
strategy.authenticate(req, { ...options ?? {} });
|
|
513
494
|
}
|
|
514
495
|
);
|
|
515
496
|
};
|
|
@@ -567,37 +548,31 @@ const executeFetchUserProfileStrategy = async (providerStrategy, accessToken) =>
|
|
|
567
548
|
});
|
|
568
549
|
};
|
|
569
550
|
|
|
570
|
-
var __defProp$8 = Object.defineProperty;
|
|
571
|
-
var __defNormalProp$8 = (obj, key, value) => key in obj ? __defProp$8(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
|
|
572
|
-
var __publicField$8 = (obj, key, value) => {
|
|
573
|
-
__defNormalProp$8(obj, typeof key !== "symbol" ? key + "" : key, value);
|
|
574
|
-
return value;
|
|
575
|
-
};
|
|
576
551
|
class Auth0AuthProvider {
|
|
552
|
+
_strategy;
|
|
553
|
+
signInResolver;
|
|
554
|
+
authHandler;
|
|
555
|
+
resolverContext;
|
|
556
|
+
audience;
|
|
557
|
+
connection;
|
|
558
|
+
connectionScope;
|
|
559
|
+
/**
|
|
560
|
+
* Due to passport-auth0 forcing options.state = true,
|
|
561
|
+
* passport-oauth2 requires express-session to be installed
|
|
562
|
+
* so that the 'state' parameter of the oauth2 flow can be stored.
|
|
563
|
+
* This implementation of StateStore matches the NullStore found within
|
|
564
|
+
* passport-oauth2, which is the StateStore implementation used when options.state = false,
|
|
565
|
+
* allowing us to avoid using express-session in order to integrate with auth0.
|
|
566
|
+
*/
|
|
567
|
+
store = {
|
|
568
|
+
store(_req, cb) {
|
|
569
|
+
cb(null, null);
|
|
570
|
+
},
|
|
571
|
+
verify(_req, _state, cb) {
|
|
572
|
+
cb(null, true);
|
|
573
|
+
}
|
|
574
|
+
};
|
|
577
575
|
constructor(options) {
|
|
578
|
-
__publicField$8(this, "_strategy");
|
|
579
|
-
__publicField$8(this, "signInResolver");
|
|
580
|
-
__publicField$8(this, "authHandler");
|
|
581
|
-
__publicField$8(this, "resolverContext");
|
|
582
|
-
__publicField$8(this, "audience");
|
|
583
|
-
__publicField$8(this, "connection");
|
|
584
|
-
__publicField$8(this, "connectionScope");
|
|
585
|
-
/**
|
|
586
|
-
* Due to passport-auth0 forcing options.state = true,
|
|
587
|
-
* passport-oauth2 requires express-session to be installed
|
|
588
|
-
* so that the 'state' parameter of the oauth2 flow can be stored.
|
|
589
|
-
* This implementation of StateStore matches the NullStore found within
|
|
590
|
-
* passport-oauth2, which is the StateStore implementation used when options.state = false,
|
|
591
|
-
* allowing us to avoid using express-session in order to integrate with auth0.
|
|
592
|
-
*/
|
|
593
|
-
__publicField$8(this, "store", {
|
|
594
|
-
store(_req, cb) {
|
|
595
|
-
cb(null, null);
|
|
596
|
-
},
|
|
597
|
-
verify(_req, _state, cb) {
|
|
598
|
-
cb(null, true);
|
|
599
|
-
}
|
|
600
|
-
});
|
|
601
576
|
this.signInResolver = options.signInResolver;
|
|
602
577
|
this.authHandler = options.authHandler;
|
|
603
578
|
this.resolverContext = options.resolverContext;
|
|
@@ -698,7 +673,6 @@ class Auth0AuthProvider {
|
|
|
698
673
|
const auth0 = createAuthProviderIntegration({
|
|
699
674
|
create(options) {
|
|
700
675
|
return ({ providerId, globalConfig, config, resolverContext }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
|
|
701
|
-
var _a;
|
|
702
676
|
const clientId = envConfig.getString("clientId");
|
|
703
677
|
const clientSecret = envConfig.getString("clientSecret");
|
|
704
678
|
const domain = envConfig.getString("domain");
|
|
@@ -707,10 +681,10 @@ const auth0 = createAuthProviderIntegration({
|
|
|
707
681
|
const connection = envConfig.getOptionalString("connection");
|
|
708
682
|
const connectionScope = envConfig.getOptionalString("connectionScope");
|
|
709
683
|
const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
|
|
710
|
-
const authHandler =
|
|
684
|
+
const authHandler = options?.authHandler ? options.authHandler : async ({ fullProfile, params }) => ({
|
|
711
685
|
profile: makeProfileInfo(fullProfile, params.id_token)
|
|
712
686
|
});
|
|
713
|
-
const signInResolver =
|
|
687
|
+
const signInResolver = options?.signIn?.resolver;
|
|
714
688
|
const provider = new Auth0AuthProvider({
|
|
715
689
|
clientId,
|
|
716
690
|
clientSecret,
|
|
@@ -733,22 +707,20 @@ const auth0 = createAuthProviderIntegration({
|
|
|
733
707
|
|
|
734
708
|
const awsAlb = createAuthProviderIntegration({
|
|
735
709
|
create(options) {
|
|
736
|
-
var _a;
|
|
737
710
|
return pluginAuthNode.createProxyAuthProviderFactory({
|
|
738
711
|
authenticator: pluginAuthBackendModuleAwsAlbProvider.awsAlbAuthenticator,
|
|
739
|
-
profileTransform: options
|
|
740
|
-
signInResolver:
|
|
712
|
+
profileTransform: options?.authHandler,
|
|
713
|
+
signInResolver: options?.signIn?.resolver
|
|
741
714
|
});
|
|
742
715
|
}
|
|
743
716
|
});
|
|
744
717
|
|
|
745
718
|
const bitbucket = createAuthProviderIntegration({
|
|
746
719
|
create(options) {
|
|
747
|
-
var _a;
|
|
748
720
|
return pluginAuthNode.createOAuthProviderFactory({
|
|
749
721
|
authenticator: pluginAuthBackendModuleBitbucketProvider.bitbucketAuthenticator,
|
|
750
|
-
profileTransform: adaptLegacyOAuthHandler(options
|
|
751
|
-
signInResolver: adaptLegacyOAuthSignInResolver(
|
|
722
|
+
profileTransform: adaptLegacyOAuthHandler(options?.authHandler),
|
|
723
|
+
signInResolver: adaptLegacyOAuthSignInResolver(options?.signIn?.resolver)
|
|
752
724
|
});
|
|
753
725
|
},
|
|
754
726
|
resolvers: adaptOAuthSignInResolverToLegacy({
|
|
@@ -759,13 +731,12 @@ const bitbucket = createAuthProviderIntegration({
|
|
|
759
731
|
|
|
760
732
|
const cfAccess = createAuthProviderIntegration({
|
|
761
733
|
create(options) {
|
|
762
|
-
var _a;
|
|
763
734
|
return pluginAuthNode.createProxyAuthProviderFactory({
|
|
764
735
|
authenticator: pluginAuthBackendModuleCloudflareAccessProvider.createCloudflareAccessAuthenticator({
|
|
765
736
|
cache: options.cache
|
|
766
737
|
}),
|
|
767
|
-
profileTransform: options
|
|
768
|
-
signInResolver:
|
|
738
|
+
profileTransform: options?.authHandler,
|
|
739
|
+
signInResolver: options?.signIn?.resolver,
|
|
769
740
|
signInResolverFactories: pluginAuthBackendModuleCloudflareAccessProvider.cloudflareAccessSignInResolvers
|
|
770
741
|
});
|
|
771
742
|
},
|
|
@@ -774,20 +745,18 @@ const cfAccess = createAuthProviderIntegration({
|
|
|
774
745
|
|
|
775
746
|
const gcpIap = createAuthProviderIntegration({
|
|
776
747
|
create(options) {
|
|
777
|
-
var _a;
|
|
778
748
|
return pluginAuthNode.createProxyAuthProviderFactory({
|
|
779
749
|
authenticator: pluginAuthBackendModuleGcpIapProvider.gcpIapAuthenticator,
|
|
780
|
-
profileTransform: options
|
|
781
|
-
signInResolver:
|
|
750
|
+
profileTransform: options?.authHandler,
|
|
751
|
+
signInResolver: options?.signIn?.resolver
|
|
782
752
|
});
|
|
783
753
|
}
|
|
784
754
|
});
|
|
785
755
|
|
|
786
756
|
const github = createAuthProviderIntegration({
|
|
787
757
|
create(options) {
|
|
788
|
-
|
|
789
|
-
const
|
|
790
|
-
const signInResolver = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver;
|
|
758
|
+
const authHandler = options?.authHandler;
|
|
759
|
+
const signInResolver = options?.signIn?.resolver;
|
|
791
760
|
return pluginAuthNode.createOAuthProviderFactory({
|
|
792
761
|
authenticator: pluginAuthBackendModuleGithubProvider.githubAuthenticator,
|
|
793
762
|
profileTransform: authHandler && (async (result, ctx) => authHandler(
|
|
@@ -839,22 +808,20 @@ const github = createAuthProviderIntegration({
|
|
|
839
808
|
|
|
840
809
|
const gitlab = createAuthProviderIntegration({
|
|
841
810
|
create(options) {
|
|
842
|
-
var _a;
|
|
843
811
|
return pluginAuthNode.createOAuthProviderFactory({
|
|
844
812
|
authenticator: pluginAuthBackendModuleGitlabProvider.gitlabAuthenticator,
|
|
845
|
-
profileTransform: adaptLegacyOAuthHandler(options
|
|
846
|
-
signInResolver: adaptLegacyOAuthSignInResolver(
|
|
813
|
+
profileTransform: adaptLegacyOAuthHandler(options?.authHandler),
|
|
814
|
+
signInResolver: adaptLegacyOAuthSignInResolver(options?.signIn?.resolver)
|
|
847
815
|
});
|
|
848
816
|
}
|
|
849
817
|
});
|
|
850
818
|
|
|
851
819
|
const google = createAuthProviderIntegration({
|
|
852
820
|
create(options) {
|
|
853
|
-
var _a;
|
|
854
821
|
return pluginAuthNode.createOAuthProviderFactory({
|
|
855
822
|
authenticator: pluginAuthBackendModuleGoogleProvider.googleAuthenticator,
|
|
856
|
-
profileTransform: adaptLegacyOAuthHandler(options
|
|
857
|
-
signInResolver: adaptLegacyOAuthSignInResolver(
|
|
823
|
+
profileTransform: adaptLegacyOAuthHandler(options?.authHandler),
|
|
824
|
+
signInResolver: adaptLegacyOAuthSignInResolver(options?.signIn?.resolver)
|
|
858
825
|
});
|
|
859
826
|
},
|
|
860
827
|
resolvers: adaptOAuthSignInResolverToLegacy({
|
|
@@ -866,11 +833,10 @@ const google = createAuthProviderIntegration({
|
|
|
866
833
|
|
|
867
834
|
const microsoft = createAuthProviderIntegration({
|
|
868
835
|
create(options) {
|
|
869
|
-
var _a;
|
|
870
836
|
return pluginAuthNode.createOAuthProviderFactory({
|
|
871
837
|
authenticator: pluginAuthBackendModuleMicrosoftProvider.microsoftAuthenticator,
|
|
872
|
-
profileTransform: adaptLegacyOAuthHandler(options
|
|
873
|
-
signInResolver: adaptLegacyOAuthSignInResolver(
|
|
838
|
+
profileTransform: adaptLegacyOAuthHandler(options?.authHandler),
|
|
839
|
+
signInResolver: adaptLegacyOAuthSignInResolver(options?.signIn?.resolver)
|
|
874
840
|
});
|
|
875
841
|
},
|
|
876
842
|
resolvers: adaptOAuthSignInResolverToLegacy({
|
|
@@ -882,22 +848,20 @@ const microsoft = createAuthProviderIntegration({
|
|
|
882
848
|
|
|
883
849
|
const oauth2 = createAuthProviderIntegration({
|
|
884
850
|
create(options) {
|
|
885
|
-
var _a;
|
|
886
851
|
return pluginAuthNode.createOAuthProviderFactory({
|
|
887
852
|
authenticator: pluginAuthBackendModuleOauth2Provider.oauth2Authenticator,
|
|
888
|
-
profileTransform: adaptLegacyOAuthHandler(options
|
|
889
|
-
signInResolver: adaptLegacyOAuthSignInResolver(
|
|
853
|
+
profileTransform: adaptLegacyOAuthHandler(options?.authHandler),
|
|
854
|
+
signInResolver: adaptLegacyOAuthSignInResolver(options?.signIn?.resolver)
|
|
890
855
|
});
|
|
891
856
|
}
|
|
892
857
|
});
|
|
893
858
|
|
|
894
859
|
const oauth2Proxy = createAuthProviderIntegration({
|
|
895
860
|
create(options) {
|
|
896
|
-
var _a;
|
|
897
861
|
return pluginAuthNode.createProxyAuthProviderFactory({
|
|
898
862
|
authenticator: pluginAuthBackendModuleOauth2ProxyProvider.oauth2ProxyAuthenticator,
|
|
899
|
-
profileTransform: options
|
|
900
|
-
signInResolver:
|
|
863
|
+
profileTransform: options?.authHandler,
|
|
864
|
+
signInResolver: options?.signIn?.resolver
|
|
901
865
|
});
|
|
902
866
|
}
|
|
903
867
|
});
|
|
@@ -926,9 +890,8 @@ const commonByEmailResolver = async (info, ctx) => {
|
|
|
926
890
|
|
|
927
891
|
const oidc = createAuthProviderIntegration({
|
|
928
892
|
create(options) {
|
|
929
|
-
|
|
930
|
-
const
|
|
931
|
-
const signInResolver = (_a = options == null ? void 0 : options.signIn) == null ? void 0 : _a.resolver;
|
|
893
|
+
const authHandler = options?.authHandler;
|
|
894
|
+
const signInResolver = options?.signIn?.resolver;
|
|
932
895
|
return pluginAuthNode.createOAuthProviderFactory({
|
|
933
896
|
authenticator: pluginAuthBackendModuleOidcProvider.oidcAuthenticator,
|
|
934
897
|
profileTransform: authHandler && ((result, context) => authHandler(result.fullProfile, context)),
|
|
@@ -955,11 +918,10 @@ const oidc = createAuthProviderIntegration({
|
|
|
955
918
|
|
|
956
919
|
const okta = createAuthProviderIntegration({
|
|
957
920
|
create(options) {
|
|
958
|
-
var _a;
|
|
959
921
|
return pluginAuthNode.createOAuthProviderFactory({
|
|
960
922
|
authenticator: pluginAuthBackendModuleOktaProvider.oktaAuthenticator,
|
|
961
|
-
profileTransform: adaptLegacyOAuthHandler(options
|
|
962
|
-
signInResolver: adaptLegacyOAuthSignInResolver(
|
|
923
|
+
profileTransform: adaptLegacyOAuthHandler(options?.authHandler),
|
|
924
|
+
signInResolver: adaptLegacyOAuthSignInResolver(options?.signIn?.resolver)
|
|
963
925
|
});
|
|
964
926
|
},
|
|
965
927
|
resolvers: {
|
|
@@ -990,18 +952,12 @@ const okta = createAuthProviderIntegration({
|
|
|
990
952
|
}
|
|
991
953
|
});
|
|
992
954
|
|
|
993
|
-
var __defProp$7 = Object.defineProperty;
|
|
994
|
-
var __defNormalProp$7 = (obj, key, value) => key in obj ? __defProp$7(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
|
|
995
|
-
var __publicField$7 = (obj, key, value) => {
|
|
996
|
-
__defNormalProp$7(obj, typeof key !== "symbol" ? key + "" : key, value);
|
|
997
|
-
return value;
|
|
998
|
-
};
|
|
999
955
|
class OneLoginProvider {
|
|
956
|
+
_strategy;
|
|
957
|
+
signInResolver;
|
|
958
|
+
authHandler;
|
|
959
|
+
resolverContext;
|
|
1000
960
|
constructor(options) {
|
|
1001
|
-
__publicField$7(this, "_strategy");
|
|
1002
|
-
__publicField$7(this, "signInResolver");
|
|
1003
|
-
__publicField$7(this, "authHandler");
|
|
1004
|
-
__publicField$7(this, "resolverContext");
|
|
1005
961
|
this.signInResolver = options.signInResolver;
|
|
1006
962
|
this.authHandler = options.authHandler;
|
|
1007
963
|
this.resolverContext = options.resolverContext;
|
|
@@ -1089,13 +1045,12 @@ class OneLoginProvider {
|
|
|
1089
1045
|
const onelogin = createAuthProviderIntegration({
|
|
1090
1046
|
create(options) {
|
|
1091
1047
|
return ({ providerId, globalConfig, config, resolverContext }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
|
|
1092
|
-
var _a;
|
|
1093
1048
|
const clientId = envConfig.getString("clientId");
|
|
1094
1049
|
const clientSecret = envConfig.getString("clientSecret");
|
|
1095
1050
|
const issuer = envConfig.getString("issuer");
|
|
1096
1051
|
const customCallbackUrl = envConfig.getOptionalString("callbackUrl");
|
|
1097
1052
|
const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
|
|
1098
|
-
const authHandler =
|
|
1053
|
+
const authHandler = options?.authHandler ? options.authHandler : async ({ fullProfile, params }) => ({
|
|
1099
1054
|
profile: makeProfileInfo(fullProfile, params.id_token)
|
|
1100
1055
|
});
|
|
1101
1056
|
const provider = new OneLoginProvider({
|
|
@@ -1104,7 +1059,7 @@ const onelogin = createAuthProviderIntegration({
|
|
|
1104
1059
|
callbackUrl,
|
|
1105
1060
|
issuer,
|
|
1106
1061
|
authHandler,
|
|
1107
|
-
signInResolver:
|
|
1062
|
+
signInResolver: options?.signIn?.resolver,
|
|
1108
1063
|
resolverContext
|
|
1109
1064
|
});
|
|
1110
1065
|
return OAuthAdapter.fromConfig(globalConfig, provider, {
|
|
@@ -1115,19 +1070,13 @@ const onelogin = createAuthProviderIntegration({
|
|
|
1115
1070
|
}
|
|
1116
1071
|
});
|
|
1117
1072
|
|
|
1118
|
-
var __defProp$6 = Object.defineProperty;
|
|
1119
|
-
var __defNormalProp$6 = (obj, key, value) => key in obj ? __defProp$6(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
|
|
1120
|
-
var __publicField$6 = (obj, key, value) => {
|
|
1121
|
-
__defNormalProp$6(obj, typeof key !== "symbol" ? key + "" : key, value);
|
|
1122
|
-
return value;
|
|
1123
|
-
};
|
|
1124
1073
|
class SamlAuthProvider {
|
|
1074
|
+
strategy;
|
|
1075
|
+
signInResolver;
|
|
1076
|
+
authHandler;
|
|
1077
|
+
resolverContext;
|
|
1078
|
+
appUrl;
|
|
1125
1079
|
constructor(options) {
|
|
1126
|
-
__publicField$6(this, "strategy");
|
|
1127
|
-
__publicField$6(this, "signInResolver");
|
|
1128
|
-
__publicField$6(this, "authHandler");
|
|
1129
|
-
__publicField$6(this, "resolverContext");
|
|
1130
|
-
__publicField$6(this, "appUrl");
|
|
1131
1080
|
this.appUrl = options.appUrl;
|
|
1132
1081
|
this.signInResolver = options.signInResolver;
|
|
1133
1082
|
this.authHandler = options.authHandler;
|
|
@@ -1181,8 +1130,7 @@ class SamlAuthProvider {
|
|
|
1181
1130
|
const saml = createAuthProviderIntegration({
|
|
1182
1131
|
create(options) {
|
|
1183
1132
|
return ({ providerId, globalConfig, config, resolverContext }) => {
|
|
1184
|
-
|
|
1185
|
-
const authHandler = (options == null ? void 0 : options.authHandler) ? options.authHandler : async ({ fullProfile }) => ({
|
|
1133
|
+
const authHandler = options?.authHandler ? options.authHandler : async ({ fullProfile }) => ({
|
|
1186
1134
|
profile: {
|
|
1187
1135
|
email: fullProfile.email,
|
|
1188
1136
|
displayName: fullProfile.displayName
|
|
@@ -1208,7 +1156,7 @@ const saml = createAuthProviderIntegration({
|
|
|
1208
1156
|
wantAssertionsSigned: config.getOptionalBoolean("wantAssertionsSigned"),
|
|
1209
1157
|
appUrl: globalConfig.appUrl,
|
|
1210
1158
|
authHandler,
|
|
1211
|
-
signInResolver:
|
|
1159
|
+
signInResolver: options?.signIn?.resolver,
|
|
1212
1160
|
resolverContext
|
|
1213
1161
|
});
|
|
1214
1162
|
};
|
|
@@ -1231,19 +1179,13 @@ const saml = createAuthProviderIntegration({
|
|
|
1231
1179
|
}
|
|
1232
1180
|
});
|
|
1233
1181
|
|
|
1234
|
-
var __defProp$5 = Object.defineProperty;
|
|
1235
|
-
var __defNormalProp$5 = (obj, key, value) => key in obj ? __defProp$5(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
|
|
1236
|
-
var __publicField$5 = (obj, key, value) => {
|
|
1237
|
-
__defNormalProp$5(obj, typeof key !== "symbol" ? key + "" : key, value);
|
|
1238
|
-
return value;
|
|
1239
|
-
};
|
|
1240
1182
|
class BitbucketServerAuthProvider {
|
|
1183
|
+
signInResolver;
|
|
1184
|
+
authHandler;
|
|
1185
|
+
resolverContext;
|
|
1186
|
+
strategy;
|
|
1187
|
+
host;
|
|
1241
1188
|
constructor(options) {
|
|
1242
|
-
__publicField$5(this, "signInResolver");
|
|
1243
|
-
__publicField$5(this, "authHandler");
|
|
1244
|
-
__publicField$5(this, "resolverContext");
|
|
1245
|
-
__publicField$5(this, "strategy");
|
|
1246
|
-
__publicField$5(this, "host");
|
|
1247
1189
|
this.signInResolver = options.signInResolver;
|
|
1248
1190
|
this.authHandler = options.authHandler;
|
|
1249
1191
|
this.resolverContext = options.resolverContext;
|
|
@@ -1372,7 +1314,6 @@ class BitbucketServerAuthProvider {
|
|
|
1372
1314
|
const bitbucketServer = createAuthProviderIntegration({
|
|
1373
1315
|
create(options) {
|
|
1374
1316
|
return ({ providerId, globalConfig, config, resolverContext }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
|
|
1375
|
-
var _a;
|
|
1376
1317
|
const clientId = envConfig.getString("clientId");
|
|
1377
1318
|
const clientSecret = envConfig.getString("clientSecret");
|
|
1378
1319
|
const host = envConfig.getString("host");
|
|
@@ -1380,7 +1321,7 @@ const bitbucketServer = createAuthProviderIntegration({
|
|
|
1380
1321
|
const callbackUrl = customCallbackUrl || `${globalConfig.baseUrl}/${providerId}/handler/frame`;
|
|
1381
1322
|
const authorizationUrl = `https://${host}/rest/oauth2/latest/authorize`;
|
|
1382
1323
|
const tokenUrl = `https://${host}/rest/oauth2/latest/token`;
|
|
1383
|
-
const authHandler =
|
|
1324
|
+
const authHandler = options?.authHandler ? options.authHandler : async ({ fullProfile }) => ({
|
|
1384
1325
|
profile: makeProfileInfo(fullProfile)
|
|
1385
1326
|
});
|
|
1386
1327
|
const provider = new BitbucketServerAuthProvider({
|
|
@@ -1391,7 +1332,7 @@ const bitbucketServer = createAuthProviderIntegration({
|
|
|
1391
1332
|
authorizationUrl,
|
|
1392
1333
|
tokenUrl,
|
|
1393
1334
|
authHandler,
|
|
1394
|
-
signInResolver:
|
|
1335
|
+
signInResolver: options?.signIn?.resolver,
|
|
1395
1336
|
resolverContext
|
|
1396
1337
|
});
|
|
1397
1338
|
return OAuthAdapter.fromConfig(globalConfig, provider, {
|
|
@@ -1410,11 +1351,10 @@ const bitbucketServer = createAuthProviderIntegration({
|
|
|
1410
1351
|
|
|
1411
1352
|
const easyAuth = createAuthProviderIntegration({
|
|
1412
1353
|
create(options) {
|
|
1413
|
-
var _a;
|
|
1414
1354
|
return pluginAuthNode.createProxyAuthProviderFactory({
|
|
1415
1355
|
authenticator: pluginAuthBackendModuleAzureEasyauthProvider.azureEasyAuthAuthenticator,
|
|
1416
|
-
profileTransform: options
|
|
1417
|
-
signInResolver:
|
|
1356
|
+
profileTransform: options?.authHandler,
|
|
1357
|
+
signInResolver: options?.signIn?.resolver
|
|
1418
1358
|
});
|
|
1419
1359
|
}
|
|
1420
1360
|
});
|
|
@@ -1457,16 +1397,10 @@ const defaultAuthProviderFactories = {
|
|
|
1457
1397
|
atlassian: atlassian.create()
|
|
1458
1398
|
};
|
|
1459
1399
|
|
|
1460
|
-
var __defProp$4 = Object.defineProperty;
|
|
1461
|
-
var __defNormalProp$4 = (obj, key, value) => key in obj ? __defProp$4(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
|
|
1462
|
-
var __publicField$4 = (obj, key, value) => {
|
|
1463
|
-
__defNormalProp$4(obj, typeof key !== "symbol" ? key + "" : key, value);
|
|
1464
|
-
return value;
|
|
1465
|
-
};
|
|
1466
1400
|
class CatalogIdentityClient {
|
|
1401
|
+
catalogApi;
|
|
1402
|
+
auth;
|
|
1467
1403
|
constructor(options) {
|
|
1468
|
-
__publicField$4(this, "catalogApi");
|
|
1469
|
-
__publicField$4(this, "auth");
|
|
1470
1404
|
this.catalogApi = options.catalogApi;
|
|
1471
1405
|
const { auth } = backendCommon.createLegacyAuthAdapters({
|
|
1472
1406
|
auth: options.auth,
|
|
@@ -1519,7 +1453,7 @@ class CatalogIdentityClient {
|
|
|
1519
1453
|
});
|
|
1520
1454
|
return parsedRef;
|
|
1521
1455
|
} catch {
|
|
1522
|
-
logger
|
|
1456
|
+
logger?.warn(`Failed to parse entityRef from ${ref}, ignoring`);
|
|
1523
1457
|
return null;
|
|
1524
1458
|
}
|
|
1525
1459
|
}).filter((ref) => ref !== null);
|
|
@@ -1536,27 +1470,23 @@ class CatalogIdentityClient {
|
|
|
1536
1470
|
if (entityRefs.length !== entities.length) {
|
|
1537
1471
|
const foundEntityNames = entities.map(catalogModel.stringifyEntityRef);
|
|
1538
1472
|
const missingEntityNames = resolvedEntityRefs.map(catalogModel.stringifyEntityRef).filter((s) => !foundEntityNames.includes(s));
|
|
1539
|
-
logger
|
|
1473
|
+
logger?.debug(`Entities not found for refs ${missingEntityNames.join()}`);
|
|
1540
1474
|
}
|
|
1541
1475
|
const memberOf = entities.flatMap(
|
|
1542
|
-
(e) =>
|
|
1543
|
-
var _a, _b;
|
|
1544
|
-
return (_b = (_a = e.relations) == null ? void 0 : _a.filter((r) => r.type === catalogModel.RELATION_MEMBER_OF).map((r) => r.targetRef)) != null ? _b : [];
|
|
1545
|
-
}
|
|
1476
|
+
(e) => e.relations?.filter((r) => r.type === catalogModel.RELATION_MEMBER_OF).map((r) => r.targetRef) ?? []
|
|
1546
1477
|
);
|
|
1547
1478
|
const newEntityRefs = [
|
|
1548
1479
|
...new Set(resolvedEntityRefs.map(catalogModel.stringifyEntityRef).concat(memberOf))
|
|
1549
1480
|
];
|
|
1550
|
-
logger
|
|
1481
|
+
logger?.debug(`Found catalog membership: ${newEntityRefs.join()}`);
|
|
1551
1482
|
return newEntityRefs;
|
|
1552
1483
|
}
|
|
1553
1484
|
}
|
|
1554
1485
|
|
|
1555
1486
|
function getDefaultOwnershipEntityRefs(entity) {
|
|
1556
|
-
|
|
1557
|
-
const membershipRefs = (_b = (_a = entity.relations) == null ? void 0 : _a.filter(
|
|
1487
|
+
const membershipRefs = entity.relations?.filter(
|
|
1558
1488
|
(r) => r.type === catalogModel.RELATION_MEMBER_OF && r.targetRef.startsWith("group:")
|
|
1559
|
-
).map((r) => r.targetRef)
|
|
1489
|
+
).map((r) => r.targetRef) ?? [];
|
|
1560
1490
|
return Array.from(/* @__PURE__ */ new Set([catalogModel.stringifyEntityRef(entity), ...membershipRefs]));
|
|
1561
1491
|
}
|
|
1562
1492
|
class CatalogAuthResolverContext {
|
|
@@ -1678,7 +1608,7 @@ function bindProviderRouters(targetRouter, options) {
|
|
|
1678
1608
|
const providersConfig = config.getOptionalConfig("auth.providers");
|
|
1679
1609
|
const isOriginAllowed = createOriginFilter(config);
|
|
1680
1610
|
for (const [providerId, providerFactory] of Object.entries(providers)) {
|
|
1681
|
-
if (providersConfig
|
|
1611
|
+
if (providersConfig?.has(providerId)) {
|
|
1682
1612
|
logger.info(`Configuring auth provider: ${providerId}`);
|
|
1683
1613
|
try {
|
|
1684
1614
|
const provider = providerFactory({
|
|
@@ -1695,7 +1625,7 @@ function bindProviderRouters(targetRouter, options) {
|
|
|
1695
1625
|
logger,
|
|
1696
1626
|
resolverContext: CatalogAuthResolverContext.create({
|
|
1697
1627
|
logger,
|
|
1698
|
-
catalogApi: catalogApi
|
|
1628
|
+
catalogApi: catalogApi ?? new catalogClient.CatalogClient({ discoveryApi: discovery }),
|
|
1699
1629
|
tokenIssuer,
|
|
1700
1630
|
tokenManager,
|
|
1701
1631
|
discovery,
|
|
@@ -1740,15 +1670,14 @@ function bindProviderRouters(targetRouter, options) {
|
|
|
1740
1670
|
}
|
|
1741
1671
|
}
|
|
1742
1672
|
function createOriginFilter(config) {
|
|
1743
|
-
var _a;
|
|
1744
1673
|
const appUrl = config.getString("app.baseUrl");
|
|
1745
1674
|
const { origin: appOrigin } = new URL(appUrl);
|
|
1746
1675
|
const allowedOrigins = config.getOptionalStringArray(
|
|
1747
1676
|
"auth.experimentalExtraAllowedOrigins"
|
|
1748
1677
|
);
|
|
1749
|
-
const allowedOriginPatterns =
|
|
1678
|
+
const allowedOriginPatterns = allowedOrigins?.map(
|
|
1750
1679
|
(pattern) => new minimatch.Minimatch(pattern, { nocase: true, noglobstar: true })
|
|
1751
|
-
)
|
|
1680
|
+
) ?? [];
|
|
1752
1681
|
return (origin) => {
|
|
1753
1682
|
if (origin === appOrigin) {
|
|
1754
1683
|
return true;
|
|
@@ -1796,9 +1725,8 @@ function bindOidcRouter(targetRouter, options) {
|
|
|
1796
1725
|
res.status(501).send("Not Implemented");
|
|
1797
1726
|
});
|
|
1798
1727
|
router.get("/v1/userinfo", async (req, res) => {
|
|
1799
|
-
|
|
1800
|
-
const
|
|
1801
|
-
const token = matches == null ? void 0 : matches[1];
|
|
1728
|
+
const matches = req.headers.authorization?.match(/^Bearer[ ]+(\S+)$/i);
|
|
1729
|
+
const token = matches?.[1];
|
|
1802
1730
|
if (!token) {
|
|
1803
1731
|
throw new errors.AuthenticationError("No token provided");
|
|
1804
1732
|
}
|
|
@@ -1823,29 +1751,22 @@ function bindOidcRouter(targetRouter, options) {
|
|
|
1823
1751
|
});
|
|
1824
1752
|
}
|
|
1825
1753
|
|
|
1826
|
-
var __defProp$3 = Object.defineProperty;
|
|
1827
|
-
var __defNormalProp$3 = (obj, key, value) => key in obj ? __defProp$3(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
|
|
1828
|
-
var __publicField$3 = (obj, key, value) => {
|
|
1829
|
-
__defNormalProp$3(obj, typeof key !== "symbol" ? key + "" : key, value);
|
|
1830
|
-
return value;
|
|
1831
|
-
};
|
|
1832
1754
|
const MS_IN_S$1 = 1e3;
|
|
1833
1755
|
const MAX_TOKEN_LENGTH = 32768;
|
|
1834
1756
|
class TokenFactory {
|
|
1757
|
+
issuer;
|
|
1758
|
+
logger;
|
|
1759
|
+
keyStore;
|
|
1760
|
+
keyDurationSeconds;
|
|
1761
|
+
algorithm;
|
|
1762
|
+
keyExpiry;
|
|
1763
|
+
privateKeyPromise;
|
|
1835
1764
|
constructor(options) {
|
|
1836
|
-
__publicField$3(this, "issuer");
|
|
1837
|
-
__publicField$3(this, "logger");
|
|
1838
|
-
__publicField$3(this, "keyStore");
|
|
1839
|
-
__publicField$3(this, "keyDurationSeconds");
|
|
1840
|
-
__publicField$3(this, "algorithm");
|
|
1841
|
-
__publicField$3(this, "keyExpiry");
|
|
1842
|
-
__publicField$3(this, "privateKeyPromise");
|
|
1843
|
-
var _a;
|
|
1844
1765
|
this.issuer = options.issuer;
|
|
1845
1766
|
this.logger = options.logger;
|
|
1846
1767
|
this.keyStore = options.keyStore;
|
|
1847
1768
|
this.keyDurationSeconds = options.keyDurationSeconds;
|
|
1848
|
-
this.algorithm =
|
|
1769
|
+
this.algorithm = options.algorithm ?? "ES256";
|
|
1849
1770
|
}
|
|
1850
1771
|
async issueToken(params) {
|
|
1851
1772
|
const key = await this.getKey();
|
|
@@ -2012,16 +1933,8 @@ class DatabaseKeyStore {
|
|
|
2012
1933
|
}
|
|
2013
1934
|
}
|
|
2014
1935
|
|
|
2015
|
-
var __defProp$2 = Object.defineProperty;
|
|
2016
|
-
var __defNormalProp$2 = (obj, key, value) => key in obj ? __defProp$2(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
|
|
2017
|
-
var __publicField$2 = (obj, key, value) => {
|
|
2018
|
-
__defNormalProp$2(obj, key + "" , value);
|
|
2019
|
-
return value;
|
|
2020
|
-
};
|
|
2021
1936
|
class MemoryKeyStore {
|
|
2022
|
-
|
|
2023
|
-
__publicField$2(this, "keys", /* @__PURE__ */ new Map());
|
|
2024
|
-
}
|
|
1937
|
+
keys = /* @__PURE__ */ new Map();
|
|
2025
1938
|
async addKey(key) {
|
|
2026
1939
|
this.keys.set(key.kid, {
|
|
2027
1940
|
createdAt: luxon.DateTime.utc().toJSDate(),
|
|
@@ -2052,12 +1965,12 @@ class FirestoreKeyStore {
|
|
|
2052
1965
|
this.timeout = timeout;
|
|
2053
1966
|
}
|
|
2054
1967
|
static async create(settings) {
|
|
2055
|
-
const { path, timeout, ...firestoreSettings } = settings
|
|
1968
|
+
const { path, timeout, ...firestoreSettings } = settings ?? {};
|
|
2056
1969
|
const database = new firestore.Firestore(firestoreSettings);
|
|
2057
1970
|
return new FirestoreKeyStore(
|
|
2058
1971
|
database,
|
|
2059
|
-
path
|
|
2060
|
-
timeout
|
|
1972
|
+
path ?? DEFAULT_DOCUMENT_PATH,
|
|
1973
|
+
timeout ?? DEFAULT_TIMEOUT_MS
|
|
2061
1974
|
);
|
|
2062
1975
|
}
|
|
2063
1976
|
static async verifyConnection(keyStore, logger) {
|
|
@@ -2069,7 +1982,7 @@ class FirestoreKeyStore {
|
|
|
2069
1982
|
`Failed to connect to database: ${error.message}`
|
|
2070
1983
|
);
|
|
2071
1984
|
}
|
|
2072
|
-
logger
|
|
1985
|
+
logger?.warn(
|
|
2073
1986
|
`Failed to connect to database: ${error.message}`
|
|
2074
1987
|
);
|
|
2075
1988
|
}
|
|
@@ -2125,17 +2038,11 @@ class FirestoreKeyStore {
|
|
|
2125
2038
|
}
|
|
2126
2039
|
}
|
|
2127
2040
|
|
|
2128
|
-
var __defProp$1 = Object.defineProperty;
|
|
2129
|
-
var __defNormalProp$1 = (obj, key, value) => key in obj ? __defProp$1(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
|
|
2130
|
-
var __publicField$1 = (obj, key, value) => {
|
|
2131
|
-
__defNormalProp$1(obj, typeof key !== "symbol" ? key + "" : key, value);
|
|
2132
|
-
return value;
|
|
2133
|
-
};
|
|
2134
2041
|
const DEFAULT_ALGORITHM = "ES256";
|
|
2135
2042
|
class StaticKeyStore {
|
|
2043
|
+
keyPairs;
|
|
2044
|
+
createdAt;
|
|
2136
2045
|
constructor(keyPairs) {
|
|
2137
|
-
__publicField$1(this, "keyPairs");
|
|
2138
|
-
__publicField$1(this, "createdAt");
|
|
2139
2046
|
if (keyPairs.length === 0) {
|
|
2140
2047
|
throw new Error("Should provide at least one key pair");
|
|
2141
2048
|
}
|
|
@@ -2144,12 +2051,11 @@ class StaticKeyStore {
|
|
|
2144
2051
|
}
|
|
2145
2052
|
static async fromConfig(config) {
|
|
2146
2053
|
const keyConfigs = config.getConfigArray("auth.keyStore.static.keys").map((c) => {
|
|
2147
|
-
var _a;
|
|
2148
2054
|
const staticKeyConfig = {
|
|
2149
2055
|
publicKeyFile: c.getString("publicKeyFile"),
|
|
2150
2056
|
privateKeyFile: c.getString("privateKeyFile"),
|
|
2151
2057
|
keyId: c.getString("keyId"),
|
|
2152
|
-
algorithm:
|
|
2058
|
+
algorithm: c.getOptionalString("algorithm") ?? DEFAULT_ALGORITHM
|
|
2153
2059
|
};
|
|
2154
2060
|
return staticKeyConfig;
|
|
2155
2061
|
});
|
|
@@ -2224,10 +2130,9 @@ class KeyStores {
|
|
|
2224
2130
|
* @returns a KeyStore store
|
|
2225
2131
|
*/
|
|
2226
2132
|
static async fromConfig(config, options) {
|
|
2227
|
-
var _a;
|
|
2228
2133
|
const { logger, database } = options;
|
|
2229
2134
|
const ks = config.getOptionalConfig("auth.keyStore");
|
|
2230
|
-
const provider =
|
|
2135
|
+
const provider = ks?.getOptionalString("provider") ?? "database";
|
|
2231
2136
|
logger.info(`Configuring "${provider}" as KeyStore provider`);
|
|
2232
2137
|
if (provider === "database") {
|
|
2233
2138
|
return new DatabaseKeyStore(await database.get());
|
|
@@ -2236,17 +2141,17 @@ class KeyStores {
|
|
|
2236
2141
|
return new MemoryKeyStore();
|
|
2237
2142
|
}
|
|
2238
2143
|
if (provider === "firestore") {
|
|
2239
|
-
const settings = ks
|
|
2144
|
+
const settings = ks?.getConfig(provider);
|
|
2240
2145
|
const keyStore = await FirestoreKeyStore.create(
|
|
2241
2146
|
lodash.pickBy(
|
|
2242
2147
|
{
|
|
2243
|
-
projectId: settings
|
|
2244
|
-
keyFilename: settings
|
|
2245
|
-
host: settings
|
|
2246
|
-
port: settings
|
|
2247
|
-
ssl: settings
|
|
2248
|
-
path: settings
|
|
2249
|
-
timeout: settings
|
|
2148
|
+
projectId: settings?.getOptionalString("projectId"),
|
|
2149
|
+
keyFilename: settings?.getOptionalString("keyFilename"),
|
|
2150
|
+
host: settings?.getOptionalString("host"),
|
|
2151
|
+
port: settings?.getOptionalNumber("port"),
|
|
2152
|
+
ssl: settings?.getOptionalBoolean("ssl"),
|
|
2153
|
+
path: settings?.getOptionalString("path"),
|
|
2154
|
+
timeout: settings?.getOptionalNumber("timeout")
|
|
2250
2155
|
},
|
|
2251
2156
|
(value) => value !== void 0
|
|
2252
2157
|
)
|
|
@@ -2261,37 +2166,15 @@ class KeyStores {
|
|
|
2261
2166
|
}
|
|
2262
2167
|
}
|
|
2263
2168
|
|
|
2264
|
-
|
|
2265
|
-
if (!member.has(obj))
|
|
2266
|
-
throw TypeError("Cannot " + msg);
|
|
2267
|
-
};
|
|
2268
|
-
var __privateGet = (obj, member, getter) => {
|
|
2269
|
-
__accessCheck(obj, member, "read from private field");
|
|
2270
|
-
return member.get(obj);
|
|
2271
|
-
};
|
|
2272
|
-
var __privateAdd = (obj, member, value) => {
|
|
2273
|
-
if (member.has(obj))
|
|
2274
|
-
throw TypeError("Cannot add the same private member more than once");
|
|
2275
|
-
member instanceof WeakSet ? member.add(obj) : member.set(obj, value);
|
|
2276
|
-
};
|
|
2277
|
-
var __privateSet = (obj, member, value, setter) => {
|
|
2278
|
-
__accessCheck(obj, member, "write to private field");
|
|
2279
|
-
member.set(obj, value);
|
|
2280
|
-
return value;
|
|
2281
|
-
};
|
|
2282
|
-
var _database, _promise;
|
|
2283
|
-
const migrationsDir = backendCommon.resolvePackagePath(
|
|
2169
|
+
const migrationsDir = backendPluginApi.resolvePackagePath(
|
|
2284
2170
|
"@backstage/plugin-auth-backend",
|
|
2285
2171
|
"migrations"
|
|
2286
2172
|
);
|
|
2287
|
-
|
|
2288
|
-
|
|
2289
|
-
|
|
2290
|
-
__privateAdd(this, _promise, void 0);
|
|
2291
|
-
__privateSet(this, _database, database);
|
|
2292
|
-
}
|
|
2173
|
+
class AuthDatabase {
|
|
2174
|
+
#database;
|
|
2175
|
+
#promise;
|
|
2293
2176
|
static create(database) {
|
|
2294
|
-
return new
|
|
2177
|
+
return new AuthDatabase(database);
|
|
2295
2178
|
}
|
|
2296
2179
|
/** @internal */
|
|
2297
2180
|
static forTesting() {
|
|
@@ -2305,28 +2188,26 @@ const _AuthDatabase = class _AuthDatabase {
|
|
|
2305
2188
|
}
|
|
2306
2189
|
});
|
|
2307
2190
|
const database = backendCommon.DatabaseManager.fromConfig(config$1).forPlugin("auth");
|
|
2308
|
-
return new
|
|
2191
|
+
return new AuthDatabase(database);
|
|
2309
2192
|
}
|
|
2310
2193
|
static async runMigrations(knex) {
|
|
2311
2194
|
await knex.migrate.latest({
|
|
2312
2195
|
directory: migrationsDir
|
|
2313
2196
|
});
|
|
2314
2197
|
}
|
|
2198
|
+
constructor(database) {
|
|
2199
|
+
this.#database = database;
|
|
2200
|
+
}
|
|
2315
2201
|
get() {
|
|
2316
|
-
|
|
2317
|
-
|
|
2318
|
-
|
|
2319
|
-
if (!((_a2 = __privateGet(this, _database).migrations) == null ? void 0 : _a2.skip)) {
|
|
2320
|
-
await _AuthDatabase.runMigrations(client);
|
|
2202
|
+
this.#promise ??= this.#database.getClient().then(async (client) => {
|
|
2203
|
+
if (!this.#database.migrations?.skip) {
|
|
2204
|
+
await AuthDatabase.runMigrations(client);
|
|
2321
2205
|
}
|
|
2322
2206
|
return client;
|
|
2323
|
-
})
|
|
2324
|
-
return
|
|
2207
|
+
});
|
|
2208
|
+
return this.#promise;
|
|
2325
2209
|
}
|
|
2326
|
-
}
|
|
2327
|
-
_database = new WeakMap();
|
|
2328
|
-
_promise = new WeakMap();
|
|
2329
|
-
let AuthDatabase = _AuthDatabase;
|
|
2210
|
+
}
|
|
2330
2211
|
|
|
2331
2212
|
const TOKEN_EXP_DEFAULT_S = 3600;
|
|
2332
2213
|
const TOKEN_EXP_MIN_S = 600;
|
|
@@ -2348,19 +2229,13 @@ function readBackstageTokenExpiration(config$1) {
|
|
|
2348
2229
|
return durationS;
|
|
2349
2230
|
}
|
|
2350
2231
|
|
|
2351
|
-
var __defProp = Object.defineProperty;
|
|
2352
|
-
var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
|
|
2353
|
-
var __publicField = (obj, key, value) => {
|
|
2354
|
-
__defNormalProp(obj, typeof key !== "symbol" ? key + "" : key, value);
|
|
2355
|
-
return value;
|
|
2356
|
-
};
|
|
2357
2232
|
const MS_IN_S = 1e3;
|
|
2358
2233
|
class StaticTokenIssuer {
|
|
2234
|
+
issuer;
|
|
2235
|
+
logger;
|
|
2236
|
+
keyStore;
|
|
2237
|
+
sessionExpirationSeconds;
|
|
2359
2238
|
constructor(options, keyStore) {
|
|
2360
|
-
__publicField(this, "issuer");
|
|
2361
|
-
__publicField(this, "logger");
|
|
2362
|
-
__publicField(this, "keyStore");
|
|
2363
|
-
__publicField(this, "sessionExpirationSeconds");
|
|
2364
2239
|
this.issuer = options.issuer;
|
|
2365
2240
|
this.logger = options.logger;
|
|
2366
2241
|
this.sessionExpirationSeconds = options.sessionExpirationSeconds;
|
|
@@ -2380,7 +2255,7 @@ class StaticTokenIssuer {
|
|
|
2380
2255
|
'"sub" claim provided by the auth resolver is not a valid EntityRef.'
|
|
2381
2256
|
);
|
|
2382
2257
|
}
|
|
2383
|
-
this.logger.info(`Issuing token for ${sub}, with entities ${ent
|
|
2258
|
+
this.logger.info(`Issuing token for ${sub}, with entities ${ent ?? []}`);
|
|
2384
2259
|
if (!key.alg) {
|
|
2385
2260
|
throw new errors.AuthenticationError("No algorithm was provided in the key");
|
|
2386
2261
|
}
|
|
@@ -2434,7 +2309,7 @@ async function createRouter(options) {
|
|
|
2434
2309
|
keyStore,
|
|
2435
2310
|
keyDurationSeconds: backstageTokenExpiration,
|
|
2436
2311
|
logger: logger.child({ component: "token-factory" }),
|
|
2437
|
-
algorithm: tokenFactoryAlgorithm
|
|
2312
|
+
algorithm: tokenFactoryAlgorithm ?? config.getOptionalString("auth.identityTokenAlgorithm")
|
|
2438
2313
|
});
|
|
2439
2314
|
}
|
|
2440
2315
|
const secret = config.getOptionalString("auth.session.secret");
|