@backstage/plugin-auth-backend 0.22.6-next.3 → 0.22.7

package/CHANGELOG.md

@@ -1,5 +1,73 @@
 # @backstage/plugin-auth-backend
 
+## 0.22.7
+
+### Patch Changes
+
+- Updated dependencies
+  - @backstage/backend-common@0.23.1
+  - @backstage/plugin-auth-backend-module-aws-alb-provider@0.1.12
+  - @backstage/plugin-auth-backend-module-oidc-provider@0.2.1
+  - @backstage/plugin-auth-node@0.4.15
+  - @backstage/plugin-auth-backend-module-atlassian-provider@0.2.1
+  - @backstage/plugin-auth-backend-module-bitbucket-provider@0.1.3
+  - @backstage/plugin-auth-backend-module-cloudflare-access-provider@0.1.3
+  - @backstage/plugin-auth-backend-module-github-provider@0.1.17
+  - @backstage/plugin-auth-backend-module-gitlab-provider@0.1.17
+  - @backstage/plugin-auth-backend-module-microsoft-provider@0.1.15
+  - @backstage/plugin-auth-backend-module-oauth2-provider@0.2.1
+  - @backstage/plugin-auth-backend-module-okta-provider@0.0.13
+  - @backstage/plugin-auth-backend-module-onelogin-provider@0.1.1
+  - @backstage/backend-plugin-api@0.6.20
+  - @backstage/catalog-client@1.6.5
+  - @backstage/catalog-model@1.5.0
+  - @backstage/config@1.2.0
+  - @backstage/errors@1.2.4
+  - @backstage/types@1.1.1
+  - @backstage/plugin-auth-backend-module-azure-easyauth-provider@0.1.3
+  - @backstage/plugin-auth-backend-module-gcp-iap-provider@0.2.15
+  - @backstage/plugin-auth-backend-module-google-provider@0.1.17
+  - @backstage/plugin-auth-backend-module-oauth2-proxy-provider@0.1.13
+  - @backstage/plugin-catalog-node@1.12.2
+
+## 0.22.6
+
+### Patch Changes
+
+- 3e823d3: Limited user tokens will no longer include the `ent` field in its payload. Ownership claims will now be fetched from the user info service.
+
+  NOTE: Limited tokens issued prior to this change will no longer be valid. Users may have to clear their browser cookies in order to refresh their auth tokens.
+
+- 8869b8e: Updated local development setup.
+- 78a0b08: Internal refactor to handle `BackendFeature` contract change.
+- d44a20a: Added additional plugin metadata to `package.json`.
+- 3e1bb15: Updated to use the new `@backstage/plugin-auth-backend-module-onelogin-provider` implementation
+- Updated dependencies
+  - @backstage/backend-common@0.23.0
+  - @backstage/plugin-auth-backend-module-onelogin-provider@0.1.0
+  - @backstage/backend-plugin-api@0.6.19
+  - @backstage/plugin-auth-node@0.4.14
+  - @backstage/plugin-auth-backend-module-cloudflare-access-provider@0.1.2
+  - @backstage/plugin-auth-backend-module-azure-easyauth-provider@0.1.2
+  - @backstage/plugin-auth-backend-module-oauth2-proxy-provider@0.1.12
+  - @backstage/plugin-auth-backend-module-atlassian-provider@0.2.0
+  - @backstage/plugin-auth-backend-module-bitbucket-provider@0.1.2
+  - @backstage/plugin-auth-backend-module-microsoft-provider@0.1.14
+  - @backstage/plugin-auth-backend-module-aws-alb-provider@0.1.11
+  - @backstage/plugin-auth-backend-module-gcp-iap-provider@0.2.14
+  - @backstage/plugin-auth-backend-module-github-provider@0.1.16
+  - @backstage/plugin-auth-backend-module-gitlab-provider@0.1.16
+  - @backstage/plugin-auth-backend-module-google-provider@0.1.16
+  - @backstage/plugin-auth-backend-module-oauth2-provider@0.2.0
+  - @backstage/plugin-auth-backend-module-oidc-provider@0.2.0
+  - @backstage/plugin-auth-backend-module-okta-provider@0.0.12
+  - @backstage/plugin-catalog-node@1.12.1
+  - @backstage/catalog-client@1.6.5
+  - @backstage/catalog-model@1.5.0
+  - @backstage/config@1.2.0
+  - @backstage/errors@1.2.4
+  - @backstage/types@1.1.1
+
 ## 0.22.6-next.3
 
 ### Patch Changes

package/dist/index.cjs.js

@@ -35,10 +35,10 @@ var catalogClient = require('@backstage/catalog-client');
 var minimatch = require('minimatch');
 var catalogModel = require('@backstage/catalog-model');
 var backendCommon = require('@backstage/backend-common');
+var lodash = require('lodash');
 var luxon = require('luxon');
 var uuid = require('uuid');
 var firestore = require('@google-cloud/firestore');
-var lodash = require('lodash');
 var fs = require('fs');
 var session = require('express-session');
 var connectSessionKnex = require('connect-session-knex');
@@ -1579,7 +1579,7 @@ function createOriginFilter(config) {
 }
 
 function bindOidcRouter(targetRouter, options) {
-  const { baseUrl, auth, tokenIssuer } = options;
+  const { baseUrl, auth, tokenIssuer, userInfoDatabaseHandler } = options;
   const router = Router__default.default();
   targetRouter.use(router);
   const config = {
@@ -1630,16 +1630,16 @@ function bindOidcRouter(targetRouter, options) {
         "Userinfo endpoint must be called with a token that represents a user principal"
       );
     }
-    const { sub: userEntityRef, ent: ownershipEntityRefs = [] } = jose.decodeJwt(token);
+    const { sub: userEntityRef } = jose.decodeJwt(token);
     if (typeof userEntityRef !== "string") {
       throw new Error("Invalid user token, user entity ref must be a string");
     }
-    if (!Array.isArray(ownershipEntityRefs) || ownershipEntityRefs.some((ref) => typeof ref !== "string")) {
-      throw new Error(
-        "Invalid user token, ownership entity refs must be an array of strings"
-      );
+    const userInfo = await userInfoDatabaseHandler.getUserInfo(userEntityRef);
+    if (!userInfo) {
+      res.status(404).send("User info not found");
+      return;
     }
-    res.json({ sub: userEntityRef, ent: ownershipEntityRefs });
+    res.json(userInfo);
   });
 }
 
@@ -1651,6 +1651,7 @@ class TokenFactory {
   keyStore;
   keyDurationSeconds;
   algorithm;
+  userInfoDatabaseHandler;
   keyExpiry;
   privateKeyPromise;
   constructor(options) {
@@ -1659,6 +1660,7 @@ class TokenFactory {
     this.keyStore = options.keyStore;
     this.keyDurationSeconds = options.keyDurationSeconds;
     this.algorithm = options.algorithm ?? "ES256";
+    this.userInfoDatabaseHandler = options.userInfoDatabaseHandler;
   }
   async issueToken(params) {
     const key = await this.getKey();
@@ -1685,7 +1687,7 @@ class TokenFactory {
         alg: key.alg,
         kid: key.kid
       },
-      payload: { sub, ent, iat, exp },
+      payload: { sub, iat, exp },
       key: signingKey
     });
     const claims = {
@@ -1710,6 +1712,9 @@ class TokenFactory {
         )}'`
       );
     }
+    await this.userInfoDatabaseHandler.addUserInfo({
+      claims: lodash.omit(claims, ["aud", "iat", "iss", "uip"])
+    });
     return token;
   }
   // This will be called by other services that want to verify ID tokens.
@@ -1780,7 +1785,6 @@ class TokenFactory {
     };
     const payload = {
       sub: options.payload.sub,
-      ent: options.payload.ent,
       iat: options.payload.iat,
       exp: options.payload.exp
     };
@@ -1791,7 +1795,7 @@ class TokenFactory {
   }
 }
 
-const TABLE = "signing_keys";
+const TABLE$1 = "signing_keys";
 const parseDate = (date) => {
   const parsedDate = typeof date === "string" ? luxon.DateTime.fromSQL(date, { zone: "UTC" }) : luxon.DateTime.fromJSDate(date);
   if (!parsedDate.isValid) {
@@ -1806,13 +1810,13 @@ class DatabaseKeyStore {
     this.client = client;
   }
   async addKey(key) {
-    await this.client(TABLE).insert({
+    await this.client(TABLE$1).insert({
       kid: key.kid,
       key: JSON.stringify(key)
     });
   }
   async listKeys() {
-    const rows = await this.client(TABLE).select();
+    const rows = await this.client(TABLE$1).select();
     return {
       items: rows.map((row) => ({
         key: JSON.parse(row.key),
@@ -1821,7 +1825,7 @@ class DatabaseKeyStore {
     };
   }
   async removeKeys(kids) {
-    await this.client(TABLE).delete().whereIn("kid", kids);
+    await this.client(TABLE$1).delete().whereIn("kid", kids);
   }
 }
 
@@ -2058,6 +2062,30 @@ class KeyStores {
   }
 }
 
+const TABLE = "user_info";
+class UserInfoDatabaseHandler {
+  constructor(client) {
+    this.client = client;
+  }
+  async addUserInfo(userInfo) {
+    await this.client(TABLE).insert({
+      user_entity_ref: userInfo.claims.sub,
+      user_info: JSON.stringify(userInfo),
+      exp: luxon.DateTime.fromSeconds(userInfo.claims.exp, {
+        zone: "utc"
+      }).toSQL({ includeOffset: false })
+    }).onConflict("user_entity_ref").merge();
+  }
+  async getUserInfo(userEntityRef) {
+    const info = await this.client(TABLE).where({ user_entity_ref: userEntityRef }).first();
+    if (!info) {
+      return void 0;
+    }
+    const userInfo = JSON.parse(info.user_info);
+    return userInfo;
+  }
+}
+
 const migrationsDir = backendPluginApi.resolvePackagePath(
   "@backstage/plugin-auth-backend",
   "migrations"
@@ -2185,6 +2213,9 @@ async function createRouter(options) {
     logger,
     database: authDb
   });
+  const userInfoDatabaseHandler = new UserInfoDatabaseHandler(
+    await authDb.get()
+  );
   let tokenIssuer;
   if (keyStore instanceof StaticKeyStore) {
     tokenIssuer = new StaticTokenIssuer(
@@ -2201,7 +2232,8 @@ async function createRouter(options) {
       keyStore,
       keyDurationSeconds: backstageTokenExpiration,
       logger: logger.child({ component: "token-factory" }),
-      algorithm: tokenFactoryAlgorithm ?? config.getOptionalString("auth.identityTokenAlgorithm")
+      algorithm: tokenFactoryAlgorithm ?? config.getOptionalString("auth.identityTokenAlgorithm"),
+      userInfoDatabaseHandler
     });
   }
   const secret = config.getOptionalString("auth.session.secret");
@@ -2244,7 +2276,8 @@ async function createRouter(options) {
   bindOidcRouter(router, {
     auth,
     tokenIssuer,
-    baseUrl: authUrl
+    baseUrl: authUrl,
+    userInfoDatabaseHandler
   });
   router.use("/:provider/", (req) => {
     const { provider } = req.params;