@backstage/plugin-auth-backend 0.23.1-next.0 → 0.23.1

package/dist/index.cjs.js

@@ -2,1985 +2,35 @@
 
 Object.defineProperty(exports, '__esModule', { value: true });
 
-var backendPluginApi = require('@backstage/backend-plugin-api');
-var pluginAuthNode = require('@backstage/plugin-auth-node');
-var alpha = require('@backstage/plugin-catalog-node/alpha');
-var express = require('express');
-var Router = require('express-promise-router');
-var cookieParser = require('cookie-parser');
-var pluginAuthBackendModuleAtlassianProvider = require('@backstage/plugin-auth-backend-module-atlassian-provider');
-var pluginAuthBackendModuleAuth0Provider = require('@backstage/plugin-auth-backend-module-auth0-provider');
-var pluginAuthBackendModuleAwsAlbProvider = require('@backstage/plugin-auth-backend-module-aws-alb-provider');
-var pluginAuthBackendModuleBitbucketProvider = require('@backstage/plugin-auth-backend-module-bitbucket-provider');
-var pluginAuthBackendModuleCloudflareAccessProvider = require('@backstage/plugin-auth-backend-module-cloudflare-access-provider');
-var pluginAuthBackendModuleGcpIapProvider = require('@backstage/plugin-auth-backend-module-gcp-iap-provider');
-var pluginAuthBackendModuleGithubProvider = require('@backstage/plugin-auth-backend-module-github-provider');
-var pluginAuthBackendModuleGitlabProvider = require('@backstage/plugin-auth-backend-module-gitlab-provider');
-var pluginAuthBackendModuleGoogleProvider = require('@backstage/plugin-auth-backend-module-google-provider');
-var pluginAuthBackendModuleMicrosoftProvider = require('@backstage/plugin-auth-backend-module-microsoft-provider');
-var pluginAuthBackendModuleOauth2Provider = require('@backstage/plugin-auth-backend-module-oauth2-provider');
-var pluginAuthBackendModuleOauth2ProxyProvider = require('@backstage/plugin-auth-backend-module-oauth2-proxy-provider');
-var pluginAuthBackendModuleOidcProvider = require('@backstage/plugin-auth-backend-module-oidc-provider');
-var pluginAuthBackendModuleOktaProvider = require('@backstage/plugin-auth-backend-module-okta-provider');
-var pluginAuthBackendModuleOneloginProvider = require('@backstage/plugin-auth-backend-module-onelogin-provider');
-var passportSaml = require('@node-saml/passport-saml');
-var jose = require('jose');
-var crypto = require('crypto');
-var errors = require('@backstage/errors');
-var pluginAuthBackendModuleBitbucketServerProvider = require('@backstage/plugin-auth-backend-module-bitbucket-server-provider');
-var pluginAuthBackendModuleAzureEasyauthProvider = require('@backstage/plugin-auth-backend-module-azure-easyauth-provider');
-var catalogClient = require('@backstage/catalog-client');
-var minimatch = require('minimatch');
-var catalogModel = require('@backstage/catalog-model');
-var backendCommon = require('@backstage/backend-common');
-var lodash = require('lodash');
-var luxon = require('luxon');
-var uuid = require('uuid');
-var firestore = require('@google-cloud/firestore');
-var fs = require('fs');
-var session = require('express-session');
-var connectSessionKnex = require('connect-session-knex');
-var passport = require('passport');
-var config = require('@backstage/config');
-var types = require('@backstage/types');
-var url = require('url');
-
-function _interopDefaultCompat (e) { return e && typeof e === 'object' && 'default' in e ? e : { default: e }; }
-
-var express__default = /*#__PURE__*/_interopDefaultCompat(express);
-var Router__default = /*#__PURE__*/_interopDefaultCompat(Router);
-var cookieParser__default = /*#__PURE__*/_interopDefaultCompat(cookieParser);
-var crypto__default = /*#__PURE__*/_interopDefaultCompat(crypto);
-var session__default = /*#__PURE__*/_interopDefaultCompat(session);
-var connectSessionKnex__default = /*#__PURE__*/_interopDefaultCompat(connectSessionKnex);
-var passport__default = /*#__PURE__*/_interopDefaultCompat(passport);
-
-function adaptLegacyOAuthHandler(authHandler) {
-  return authHandler && (async (result, ctx) => authHandler(
-    {
-      fullProfile: result.fullProfile,
-      accessToken: result.session.accessToken,
-      params: {
-        scope: result.session.scope,
-        id_token: result.session.idToken,
-        token_type: result.session.tokenType,
-        expires_in: result.session.expiresInSeconds
-      }
-    },
-    ctx
-  ));
-}
-
-function adaptLegacyOAuthSignInResolver(signInResolver) {
-  return signInResolver && (async (input, ctx) => signInResolver(
-    {
-      profile: input.profile,
-      result: {
-        fullProfile: input.result.fullProfile,
-        accessToken: input.result.session.accessToken,
-        refreshToken: input.result.session.refreshToken,
-        params: {
-          scope: input.result.session.scope,
-          id_token: input.result.session.idToken,
-          token_type: input.result.session.tokenType,
-          expires_in: input.result.session.expiresInSeconds
-        }
-      }
-    },
-    ctx
-  ));
-}
-
-function adaptOAuthSignInResolverToLegacy(resolvers) {
-  const legacyResolvers = {};
-  for (const name of Object.keys(resolvers)) {
-    const resolver = resolvers[name];
-    legacyResolvers[name] = () => async (input, ctx) => resolver(
-      {
-        profile: input.profile,
-        result: {
-          fullProfile: input.result.fullProfile,
-          session: {
-            accessToken: input.result.accessToken,
-            expiresInSeconds: input.result.params.expires_in,
-            scope: input.result.params.scope,
-            idToken: input.result.params.id_token,
-            tokenType: input.result.params.token_type ?? "bearer",
-            refreshToken: input.result.refreshToken
-          }
-        }
-      },
-      ctx
-    );
-  }
-  return legacyResolvers;
-}
-
-function createAuthProviderIntegration(config) {
-  return Object.freeze({
-    ...config,
-    resolvers: Object.freeze(config.resolvers ?? {})
-  });
-}
-
-const atlassian = createAuthProviderIntegration({
-  create(options) {
-    return pluginAuthNode.createOAuthProviderFactory({
-      authenticator: pluginAuthBackendModuleAtlassianProvider.atlassianAuthenticator,
-      profileTransform: adaptLegacyOAuthHandler(options?.authHandler),
-      signInResolver: adaptLegacyOAuthSignInResolver(options?.signIn?.resolver)
-    });
-  }
-});
-
-const auth0 = createAuthProviderIntegration({
-  create(options) {
-    return pluginAuthNode.createOAuthProviderFactory({
-      authenticator: pluginAuthBackendModuleAuth0Provider.auth0Authenticator,
-      profileTransform: adaptLegacyOAuthHandler(options?.authHandler),
-      signInResolver: adaptLegacyOAuthSignInResolver(options?.signIn?.resolver)
-    });
-  }
-});
-
-const awsAlb = createAuthProviderIntegration({
-  create(options) {
-    return pluginAuthNode.createProxyAuthProviderFactory({
-      authenticator: pluginAuthBackendModuleAwsAlbProvider.awsAlbAuthenticator,
-      profileTransform: options?.authHandler,
-      signInResolver: options?.signIn?.resolver
-    });
-  }
-});
-
-const bitbucket = createAuthProviderIntegration({
-  create(options) {
-    return pluginAuthNode.createOAuthProviderFactory({
-      authenticator: pluginAuthBackendModuleBitbucketProvider.bitbucketAuthenticator,
-      profileTransform: adaptLegacyOAuthHandler(options?.authHandler),
-      signInResolver: adaptLegacyOAuthSignInResolver(options?.signIn?.resolver)
-    });
-  },
-  resolvers: adaptOAuthSignInResolverToLegacy({
-    userIdMatchingUserEntityAnnotation: pluginAuthBackendModuleBitbucketProvider.bitbucketSignInResolvers.userIdMatchingUserEntityAnnotation(),
-    usernameMatchingUserEntityAnnotation: pluginAuthBackendModuleBitbucketProvider.bitbucketSignInResolvers.usernameMatchingUserEntityAnnotation()
-  })
-});
-
-const cfAccess = createAuthProviderIntegration({
-  create(options) {
-    return pluginAuthNode.createProxyAuthProviderFactory({
-      authenticator: pluginAuthBackendModuleCloudflareAccessProvider.createCloudflareAccessAuthenticator({
-        cache: options.cache
-      }),
-      profileTransform: options?.authHandler,
-      signInResolver: options?.signIn?.resolver,
-      signInResolverFactories: pluginAuthBackendModuleCloudflareAccessProvider.cloudflareAccessSignInResolvers
-    });
-  },
-  resolvers: pluginAuthBackendModuleCloudflareAccessProvider.cloudflareAccessSignInResolvers
-});
-
-const gcpIap = createAuthProviderIntegration({
-  create(options) {
-    return pluginAuthNode.createProxyAuthProviderFactory({
-      authenticator: pluginAuthBackendModuleGcpIapProvider.gcpIapAuthenticator,
-      profileTransform: options?.authHandler,
-      signInResolver: options?.signIn?.resolver
-    });
-  }
-});
-
-const github = createAuthProviderIntegration({
-  create(options) {
-    const authHandler = options?.authHandler;
-    const signInResolver = options?.signIn?.resolver;
-    return pluginAuthNode.createOAuthProviderFactory({
-      authenticator: pluginAuthBackendModuleGithubProvider.githubAuthenticator,
-      profileTransform: authHandler && (async (result, ctx) => authHandler(
-        {
-          fullProfile: result.fullProfile,
-          accessToken: result.session.accessToken,
-          params: {
-            scope: result.session.scope,
-            expires_in: result.session.expiresInSeconds ? String(result.session.expiresInSeconds) : "",
-            refresh_token_expires_in: result.session.refreshTokenExpiresInSeconds ? String(result.session.refreshTokenExpiresInSeconds) : ""
-          }
-        },
-        ctx
-      )),
-      signInResolver: signInResolver && (async ({ profile, result }, ctx) => signInResolver(
-        {
-          profile,
-          result: {
-            fullProfile: result.fullProfile,
-            accessToken: result.session.accessToken,
-            refreshToken: result.session.refreshToken,
-            params: {
-              scope: result.session.scope,
-              expires_in: result.session.expiresInSeconds ? String(result.session.expiresInSeconds) : "",
-              refresh_token_expires_in: result.session.refreshTokenExpiresInSeconds ? String(result.session.refreshTokenExpiresInSeconds) : ""
-            }
-          }
-        },
-        ctx
-      ))
-    });
-  },
-  resolvers: {
-    /**
-     * Looks up the user by matching their GitHub username to the entity name.
-     */
-    usernameMatchingUserEntityName: () => {
-      return async (info, ctx) => {
-        const { fullProfile } = info.result;
-        const userId = fullProfile.username;
-        if (!userId) {
-          throw new Error(`GitHub user profile does not contain a username`);
-        }
-        return ctx.signInWithCatalogUser({ entityRef: { name: userId } });
-      };
-    }
-  }
-});
-
-const gitlab = createAuthProviderIntegration({
-  create(options) {
-    return pluginAuthNode.createOAuthProviderFactory({
-      authenticator: pluginAuthBackendModuleGitlabProvider.gitlabAuthenticator,
-      profileTransform: adaptLegacyOAuthHandler(options?.authHandler),
-      signInResolver: adaptLegacyOAuthSignInResolver(options?.signIn?.resolver)
-    });
-  }
-});
-
-const google = createAuthProviderIntegration({
-  create(options) {
-    return pluginAuthNode.createOAuthProviderFactory({
-      authenticator: pluginAuthBackendModuleGoogleProvider.googleAuthenticator,
-      profileTransform: adaptLegacyOAuthHandler(options?.authHandler),
-      signInResolver: adaptLegacyOAuthSignInResolver(options?.signIn?.resolver)
-    });
-  },
-  resolvers: adaptOAuthSignInResolverToLegacy({
-    emailLocalPartMatchingUserEntityName: pluginAuthNode.commonSignInResolvers.emailLocalPartMatchingUserEntityName(),
-    emailMatchingUserEntityProfileEmail: pluginAuthNode.commonSignInResolvers.emailMatchingUserEntityProfileEmail(),
-    emailMatchingUserEntityAnnotation: pluginAuthBackendModuleGoogleProvider.googleSignInResolvers.emailMatchingUserEntityAnnotation()
-  })
-});
-
-const microsoft = createAuthProviderIntegration({
-  create(options) {
-    return pluginAuthNode.createOAuthProviderFactory({
-      authenticator: pluginAuthBackendModuleMicrosoftProvider.microsoftAuthenticator,
-      profileTransform: adaptLegacyOAuthHandler(options?.authHandler),
-      signInResolver: adaptLegacyOAuthSignInResolver(options?.signIn?.resolver)
-    });
-  },
-  resolvers: adaptOAuthSignInResolverToLegacy({
-    emailLocalPartMatchingUserEntityName: pluginAuthNode.commonSignInResolvers.emailLocalPartMatchingUserEntityName(),
-    emailMatchingUserEntityProfileEmail: pluginAuthNode.commonSignInResolvers.emailMatchingUserEntityProfileEmail(),
-    emailMatchingUserEntityAnnotation: pluginAuthBackendModuleMicrosoftProvider.microsoftSignInResolvers.emailMatchingUserEntityAnnotation(),
-    userIdMatchingUserEntityAnnotation: pluginAuthBackendModuleMicrosoftProvider.microsoftSignInResolvers.userIdMatchingUserEntityAnnotation()
-  })
-});
-
-const oauth2 = createAuthProviderIntegration({
-  create(options) {
-    return pluginAuthNode.createOAuthProviderFactory({
-      authenticator: pluginAuthBackendModuleOauth2Provider.oauth2Authenticator,
-      profileTransform: adaptLegacyOAuthHandler(options?.authHandler),
-      signInResolver: adaptLegacyOAuthSignInResolver(options?.signIn?.resolver)
-    });
-  }
-});
-
-const oauth2Proxy = createAuthProviderIntegration({
-  create(options) {
-    return pluginAuthNode.createProxyAuthProviderFactory({
-      authenticator: pluginAuthBackendModuleOauth2ProxyProvider.oauth2ProxyAuthenticator,
-      profileTransform: options?.authHandler,
-      signInResolver: options?.signIn?.resolver
-    });
-  }
-});
-
-const commonByEmailLocalPartResolver = async (info, ctx) => {
-  const { profile } = info;
-  if (!profile.email) {
-    throw new Error("Login failed, user profile does not contain an email");
-  }
-  const [localPart] = profile.email.split("@");
-  return ctx.signInWithCatalogUser({
-    entityRef: { name: localPart }
-  });
-};
-const commonByEmailResolver = async (info, ctx) => {
-  const { profile } = info;
-  if (!profile.email) {
-    throw new Error("Login failed, user profile does not contain an email");
-  }
-  return ctx.signInWithCatalogUser({
-    filter: {
-      "spec.profile.email": profile.email
-    }
-  });
-};
-
-const oidc = createAuthProviderIntegration({
-  create(options) {
-    const authHandler = options?.authHandler;
-    const signInResolver = options?.signIn?.resolver;
-    return pluginAuthNode.createOAuthProviderFactory({
-      authenticator: pluginAuthBackendModuleOidcProvider.oidcAuthenticator,
-      profileTransform: authHandler && ((result, context) => authHandler(result.fullProfile, context)),
-      signInResolver: signInResolver && ((info, context) => signInResolver(
-        {
-          result: info.result.fullProfile,
-          profile: info.profile
-        },
-        context
-      ))
-    });
-  },
-  resolvers: {
-    /**
-     * Looks up the user by matching their email local part to the entity name.
-     */
-    emailLocalPartMatchingUserEntityName: () => commonByEmailLocalPartResolver,
-    /**
-     * Looks up the user by matching their email to the entity email.
-     */
-    emailMatchingUserEntityProfileEmail: () => commonByEmailResolver
-  }
-});
-
-const okta = createAuthProviderIntegration({
-  create(options) {
-    return pluginAuthNode.createOAuthProviderFactory({
-      authenticator: pluginAuthBackendModuleOktaProvider.oktaAuthenticator,
-      profileTransform: adaptLegacyOAuthHandler(options?.authHandler),
-      signInResolver: adaptLegacyOAuthSignInResolver(options?.signIn?.resolver)
-    });
-  },
-  resolvers: {
-    /**
-     * Looks up the user by matching their email local part to the entity name.
-     */
-    emailLocalPartMatchingUserEntityName: () => commonByEmailLocalPartResolver,
-    /**
-     * Looks up the user by matching their email to the entity email.
-     */
-    emailMatchingUserEntityProfileEmail: () => commonByEmailResolver,
-    /**
-     * Looks up the user by matching their email to the `okta.com/email` annotation.
-     */
-    emailMatchingUserEntityAnnotation() {
-      return async (info, ctx) => {
-        const { profile } = info;
-        if (!profile.email) {
-          throw new Error("Okta profile contained no email");
-        }
-        return ctx.signInWithCatalogUser({
-          annotations: {
-            "okta.com/email": profile.email
-          }
-        });
-      };
-    }
-  }
-});
-
-const onelogin = createAuthProviderIntegration({
-  create(options) {
-    return pluginAuthNode.createOAuthProviderFactory({
-      authenticator: pluginAuthBackendModuleOneloginProvider.oneLoginAuthenticator,
-      profileTransform: adaptLegacyOAuthHandler(options?.authHandler),
-      signInResolver: adaptLegacyOAuthSignInResolver(options?.signIn?.resolver)
-    });
-  }
-});
-
-const executeRedirectStrategy = async (req, providerStrategy, options) => {
-  return new Promise((resolve) => {
-    const strategy = Object.create(providerStrategy);
-    strategy.redirect = (url, status) => {
-      resolve({ url, status: status ?? void 0 });
-    };
-    strategy.authenticate(req, { ...options });
-  });
-};
-const executeFrameHandlerStrategy = async (req, providerStrategy, options) => {
-  return new Promise(
-    (resolve, reject) => {
-      const strategy = Object.create(providerStrategy);
-      strategy.success = (result, privateInfo) => {
-        resolve({ result, privateInfo });
-      };
-      strategy.fail = (info) => {
-        reject(new Error(`Authentication rejected, ${info.message ?? ""}`));
-      };
-      strategy.error = (error) => {
-        let message = `Authentication failed, ${error.message}`;
-        if (error.oauthError?.data) {
-          try {
-            const errorData = JSON.parse(error.oauthError.data);
-            if (errorData.message) {
-              message += ` - ${errorData.message}`;
-            }
-          } catch (parseError) {
-            message += ` - ${error.oauthError}`;
-          }
-        }
-        reject(new Error(message));
-      };
-      strategy.redirect = () => {
-        reject(new Error("Unexpected redirect"));
-      };
-      strategy.authenticate(req, { ...{} });
-    }
-  );
-};
-
-const safelyEncodeURIComponent = (value) => {
-  return encodeURIComponent(value).replace(/'/g, "%27");
-};
-const postMessageResponse = (res, appOrigin, response) => {
-  const jsonData = JSON.stringify(response);
-  const base64Data = safelyEncodeURIComponent(jsonData);
-  const base64Origin = safelyEncodeURIComponent(appOrigin);
-  const script = `
-    var authResponse = decodeURIComponent('${base64Data}');
-    var origin = decodeURIComponent('${base64Origin}');
-    var originInfo = {'type': 'config_info', 'targetOrigin': origin};
-    (window.opener || window.parent).postMessage(originInfo, '*');
-    (window.opener || window.parent).postMessage(JSON.parse(authResponse), origin);
-    setTimeout(() => {
-      window.close();
-    }, 100); // same as the interval of the core-app-api lib/loginPopup.ts (to address race conditions)
-  `;
-  const hash = crypto__default.default.createHash("sha256").update(script).digest("base64");
-  res.setHeader("Content-Type", "text/html");
-  res.setHeader("X-Frame-Options", "sameorigin");
-  res.setHeader("Content-Security-Policy", `script-src 'sha256-${hash}'`);
-  res.end(`<html><body><script>${script}<\/script></body></html>`);
-};
-const ensuresXRequestedWith = (req) => {
-  const requiredHeader = req.header("X-Requested-With");
-  if (!requiredHeader || requiredHeader !== "XMLHttpRequest") {
-    return false;
-  }
-  return true;
-};
-
-const prepareBackstageIdentityResponse = pluginAuthNode.prepareBackstageIdentityResponse;
-
-class SamlAuthProvider {
-  strategy;
-  signInResolver;
-  authHandler;
-  resolverContext;
-  appUrl;
-  constructor(options) {
-    this.appUrl = options.appUrl;
-    this.signInResolver = options.signInResolver;
-    this.authHandler = options.authHandler;
-    this.resolverContext = options.resolverContext;
-    const verifier = (profile, done) => {
-      done(null, { fullProfile: profile });
-    };
-    this.strategy = new passportSaml.Strategy(options, verifier, verifier);
-  }
-  async start(req, res) {
-    const { url } = await executeRedirectStrategy(req, this.strategy, {});
-    res.redirect(url);
-  }
-  async frameHandler(req, res) {
-    try {
-      const { result } = await executeFrameHandlerStrategy(
-        req,
-        this.strategy
-      );
-      const { profile } = await this.authHandler(result, this.resolverContext);
-      const response = {
-        profile,
-        providerInfo: {}
-      };
-      if (this.signInResolver) {
-        const signInResponse = await this.signInResolver(
-          {
-            result,
-            profile
-          },
-          this.resolverContext
-        );
-        response.backstageIdentity = prepareBackstageIdentityResponse(signInResponse);
-      }
-      return postMessageResponse(res, this.appUrl, {
-        type: "authorization_response",
-        response
-      });
-    } catch (error) {
-      const { name, message } = errors.isError(error) ? error : new Error("Encountered invalid error");
-      return postMessageResponse(res, this.appUrl, {
-        type: "authorization_response",
-        error: { name, message }
-      });
-    }
-  }
-  async logout(_req, res) {
-    res.end();
-  }
-}
-const saml = createAuthProviderIntegration({
-  create(options) {
-    return ({ providerId, globalConfig, config, resolverContext }) => {
-      const authHandler = options?.authHandler ? options.authHandler : async ({ fullProfile }) => ({
-        profile: {
-          email: fullProfile.email,
-          displayName: fullProfile.displayName
-        }
-      });
-      return new SamlAuthProvider({
-        callbackUrl: `${globalConfig.baseUrl}/${providerId}/handler/frame`,
-        entryPoint: config.getString("entryPoint"),
-        logoutUrl: config.getOptionalString("logoutUrl"),
-        audience: config.getString("audience"),
-        issuer: config.getString("issuer"),
-        idpCert: config.getString("cert"),
-        privateKey: config.getOptionalString("privateKey"),
-        authnContext: config.getOptionalStringArray("authnContext"),
-        identifierFormat: config.getOptionalString("identifierFormat"),
-        decryptionPvk: config.getOptionalString("decryptionPvk"),
-        signatureAlgorithm: config.getOptionalString("signatureAlgorithm"),
-        digestAlgorithm: config.getOptionalString("digestAlgorithm"),
-        acceptedClockSkewMs: config.getOptionalNumber("acceptedClockSkewMs"),
-        wantAuthnResponseSigned: config.getOptionalBoolean(
-          "wantAuthnResponseSigned"
-        ),
-        wantAssertionsSigned: config.getOptionalBoolean("wantAssertionsSigned"),
-        appUrl: globalConfig.appUrl,
-        authHandler,
-        signInResolver: options?.signIn?.resolver,
-        resolverContext
-      });
-    };
-  },
-  resolvers: {
-    /**
-     * Looks up the user by matching their nameID to the entity name.
-     */
-    nameIdMatchingUserEntityName() {
-      return async (info, ctx) => {
-        const id = info.result.fullProfile.nameID;
-        if (!id) {
-          throw new errors.AuthenticationError("No nameID found in SAML response");
-        }
-        return ctx.signInWithCatalogUser({
-          entityRef: { name: id }
-        });
-      };
-    }
-  }
-});
-
-const bitbucketServer = createAuthProviderIntegration({
-  create(options) {
-    return pluginAuthNode.createOAuthProviderFactory({
-      authenticator: pluginAuthBackendModuleBitbucketServerProvider.bitbucketServerAuthenticator,
-      profileTransform: adaptLegacyOAuthHandler(options?.authHandler),
-      signInResolver: adaptLegacyOAuthSignInResolver(options?.signIn?.resolver)
-    });
-  },
-  resolvers: {
-    /**
-     * Looks up the user by matching their email to the entity email.
-     */
-    emailMatchingUserEntityProfileEmail: () => {
-      const resolver = pluginAuthBackendModuleBitbucketServerProvider.bitbucketServerSignInResolvers.emailMatchingUserEntityProfileEmail();
-      return async (info, ctx) => {
-        return resolver(
-          {
-            profile: info.profile,
-            result: {
-              fullProfile: info.result.fullProfile,
-              session: {
-                accessToken: info.result.accessToken,
-                tokenType: info.result.params.token_type ?? "bearer",
-                scope: info.result.params.scope,
-                expiresInSeconds: info.result.params.expires_in,
-                refreshToken: info.result.refreshToken
-              }
-            }
-          },
-          ctx
-        );
-      };
-    }
-  }
-});
-
-const easyAuth = createAuthProviderIntegration({
-  create(options) {
-    return pluginAuthNode.createProxyAuthProviderFactory({
-      authenticator: pluginAuthBackendModuleAzureEasyauthProvider.azureEasyAuthAuthenticator,
-      profileTransform: options?.authHandler,
-      signInResolver: options?.signIn?.resolver
-    });
-  }
-});
-
-const providers = Object.freeze({
-  atlassian,
-  auth0,
-  awsAlb,
-  bitbucket,
-  bitbucketServer,
-  cfAccess,
-  gcpIap,
-  github,
-  gitlab,
-  google,
-  microsoft,
-  oauth2,
-  oauth2Proxy,
-  oidc,
-  okta,
-  onelogin,
-  saml,
-  easyAuth
-});
-const defaultAuthProviderFactories = {
-  google: google.create(),
-  github: github.create(),
-  gitlab: gitlab.create(),
-  saml: saml.create(),
-  okta: okta.create(),
-  auth0: auth0.create(),
-  microsoft: microsoft.create(),
-  easyAuth: easyAuth.create(),
-  oauth2: oauth2.create(),
-  oidc: oidc.create(),
-  onelogin: onelogin.create(),
-  awsalb: awsAlb.create(),
-  bitbucket: bitbucket.create(),
-  bitbucketServer: bitbucketServer.create(),
-  atlassian: atlassian.create()
-};
-
-class CatalogIdentityClient {
-  catalogApi;
-  auth;
-  constructor(options) {
-    this.catalogApi = options.catalogApi;
-    const { auth } = backendCommon.createLegacyAuthAdapters({
-      auth: options.auth,
-      httpAuth: options.httpAuth,
-      discovery: options.discovery,
-      tokenManager: options.tokenManager
-    });
-    this.auth = auth;
-  }
-  /**
-   * Looks up a single user using a query.
-   *
-   * Throws a NotFoundError or ConflictError if 0 or multiple users are found.
-   */
-  async findUser(query) {
-    const filter = {
-      kind: "user"
-    };
-    for (const [key, value] of Object.entries(query.annotations)) {
-      filter[`metadata.annotations.${key}`] = value;
-    }
-    const { token } = await this.auth.getPluginRequestToken({
-      onBehalfOf: await this.auth.getOwnServiceCredentials(),
-      targetPluginId: "catalog"
-    });
-    const { items } = await this.catalogApi.getEntities({ filter }, { token });
-    if (items.length !== 1) {
-      if (items.length > 1) {
-        throw new errors.ConflictError("User lookup resulted in multiple matches");
-      } else {
-        throw new errors.NotFoundError("User not found");
-      }
-    }
-    return items[0];
-  }
-  /**
-   * Resolve additional entity claims from the catalog, using the passed-in entity names. Designed
-   * to be used within a `signInResolver` where additional entity claims might be provided, but
-   * group membership and transient group membership lean on imported catalog relations.
-   *
-   * Returns a superset of the entity names that can be passed directly to `issueToken` as `ent`.
-   */
-  async resolveCatalogMembership(query) {
-    const { entityRefs, logger } = query;
-    const resolvedEntityRefs = entityRefs.map((ref) => {
-      try {
-        const parsedRef = catalogModel.parseEntityRef(ref.toLocaleLowerCase("en-US"), {
-          defaultKind: "user",
-          defaultNamespace: "default"
-        });
-        return parsedRef;
-      } catch {
-        logger?.warn(`Failed to parse entityRef from ${ref}, ignoring`);
-        return null;
-      }
-    }).filter((ref) => ref !== null);
-    const filter = resolvedEntityRefs.map((ref) => ({
-      kind: ref.kind,
-      "metadata.namespace": ref.namespace,
-      "metadata.name": ref.name
-    }));
-    const { token } = await this.auth.getPluginRequestToken({
-      onBehalfOf: await this.auth.getOwnServiceCredentials(),
-      targetPluginId: "catalog"
-    });
-    const entities = await this.catalogApi.getEntities({ filter }, { token }).then((r) => r.items);
-    if (entityRefs.length !== entities.length) {
-      const foundEntityNames = entities.map(catalogModel.stringifyEntityRef);
-      const missingEntityNames = resolvedEntityRefs.map(catalogModel.stringifyEntityRef).filter((s) => !foundEntityNames.includes(s));
-      logger?.debug(`Entities not found for refs ${missingEntityNames.join()}`);
-    }
-    const memberOf = entities.flatMap(
-      (e) => e.relations?.filter((r) => r.type === catalogModel.RELATION_MEMBER_OF).map((r) => r.targetRef) ?? []
-    );
-    const newEntityRefs = [
-      ...new Set(resolvedEntityRefs.map(catalogModel.stringifyEntityRef).concat(memberOf))
-    ];
-    logger?.debug(`Found catalog membership: ${newEntityRefs.join()}`);
-    return newEntityRefs;
-  }
-}
-
-function getDefaultOwnershipEntityRefs(entity) {
-  const membershipRefs = entity.relations?.filter(
-    (r) => r.type === catalogModel.RELATION_MEMBER_OF && r.targetRef.startsWith("group:")
-  ).map((r) => r.targetRef) ?? [];
-  return Array.from(/* @__PURE__ */ new Set([catalogModel.stringifyEntityRef(entity), ...membershipRefs]));
-}
-class CatalogAuthResolverContext {
-  constructor(logger, tokenIssuer, catalogIdentityClient, catalogApi, auth, ownershipResolver) {
-    this.logger = logger;
-    this.tokenIssuer = tokenIssuer;
-    this.catalogIdentityClient = catalogIdentityClient;
-    this.catalogApi = catalogApi;
-    this.auth = auth;
-    this.ownershipResolver = ownershipResolver;
-  }
-  static create(options) {
-    const catalogIdentityClient = new CatalogIdentityClient({
-      catalogApi: options.catalogApi,
-      tokenManager: options.tokenManager,
-      discovery: options.discovery,
-      auth: options.auth,
-      httpAuth: options.httpAuth
-    });
-    return new CatalogAuthResolverContext(
-      options.logger,
-      options.tokenIssuer,
-      catalogIdentityClient,
-      options.catalogApi,
-      options.auth,
-      options.ownershipResolver
-    );
-  }
-  async issueToken(params) {
-    const token = await this.tokenIssuer.issueToken(params);
-    return { token };
-  }
-  async findCatalogUser(query) {
-    let result = void 0;
-    const { token } = await this.auth.getPluginRequestToken({
-      onBehalfOf: await this.auth.getOwnServiceCredentials(),
-      targetPluginId: "catalog"
-    });
-    if ("entityRef" in query) {
-      const entityRef = catalogModel.parseEntityRef(query.entityRef, {
-        defaultKind: "User",
-        defaultNamespace: catalogModel.DEFAULT_NAMESPACE
-      });
-      result = await this.catalogApi.getEntityByRef(entityRef, { token });
-    } else if ("annotations" in query) {
-      const filter = {
-        kind: "user"
-      };
-      for (const [key, value] of Object.entries(query.annotations)) {
-        filter[`metadata.annotations.${key}`] = value;
-      }
-      const res = await this.catalogApi.getEntities({ filter }, { token });
-      result = res.items;
-    } else if ("filter" in query) {
-      const filter = [query.filter].flat().map((value) => {
-        if (!Object.keys(value).some(
-          (key) => key.toLocaleLowerCase("en-US") === "kind"
-        )) {
-          return {
-            ...value,
-            kind: "user"
-          };
-        }
-        return value;
-      });
-      const res = await this.catalogApi.getEntities(
-        { filter },
-        { token }
-      );
-      result = res.items;
-    } else {
-      throw new errors.InputError("Invalid user lookup query");
-    }
-    if (Array.isArray(result)) {
-      if (result.length > 1) {
-        throw new errors.ConflictError("User lookup resulted in multiple matches");
-      }
-      result = result[0];
-    }
-    if (!result) {
-      throw new errors.NotFoundError("User not found");
-    }
-    return { entity: result };
-  }
-  async signInWithCatalogUser(query) {
-    const { entity } = await this.findCatalogUser(query);
-    let ent;
-    if (this.ownershipResolver) {
-      const { ownershipEntityRefs } = await this.ownershipResolver.resolveOwnershipEntityRefs(entity);
-      ent = ownershipEntityRefs;
-    } else {
-      ent = getDefaultOwnershipEntityRefs(entity);
-    }
-    const token = await this.tokenIssuer.issueToken({
-      claims: {
-        sub: catalogModel.stringifyEntityRef(entity),
-        ent
-      }
-    });
-    return { token };
-  }
-}
-
-function bindProviderRouters(targetRouter, options) {
-  const {
-    providers,
-    appUrl,
-    baseUrl,
-    config,
-    logger,
-    discovery,
-    auth,
-    httpAuth,
-    tokenManager,
-    tokenIssuer,
-    catalogApi,
-    ownershipResolver
-  } = options;
-  const providersConfig = config.getOptionalConfig("auth.providers");
-  const isOriginAllowed = createOriginFilter(config);
-  for (const [providerId, providerFactory] of Object.entries(providers)) {
-    if (providersConfig?.has(providerId)) {
-      logger.info(`Configuring auth provider: ${providerId}`);
-      try {
-        const provider = providerFactory({
-          providerId,
-          appUrl,
-          baseUrl,
-          isOriginAllowed,
-          globalConfig: {
-            baseUrl,
-            appUrl,
-            isOriginAllowed
-          },
-          config: providersConfig.getConfig(providerId),
-          logger,
-          resolverContext: CatalogAuthResolverContext.create({
-            logger,
-            catalogApi: catalogApi ?? new catalogClient.CatalogClient({ discoveryApi: discovery }),
-            tokenIssuer,
-            tokenManager,
-            discovery,
-            auth,
-            httpAuth,
-            ownershipResolver
-          })
-        });
-        const r = Router__default.default();
-        r.get("/start", provider.start.bind(provider));
-        r.get("/handler/frame", provider.frameHandler.bind(provider));
-        r.post("/handler/frame", provider.frameHandler.bind(provider));
-        if (provider.logout) {
-          r.post("/logout", provider.logout.bind(provider));
-        }
-        if (provider.refresh) {
-          r.get("/refresh", provider.refresh.bind(provider));
-          r.post("/refresh", provider.refresh.bind(provider));
-        }
-        targetRouter.use(`/${providerId}`, r);
-      } catch (e) {
-        errors.assertError(e);
-        if (process.env.NODE_ENV !== "development") {
-          throw new Error(
-            `Failed to initialize ${providerId} auth provider, ${e.message}`
-          );
-        }
-        logger.warn(`Skipping ${providerId} auth provider, ${e.message}`);
-        targetRouter.use(`/${providerId}`, () => {
-          throw new errors.NotFoundError(
-            `Auth provider registered for '${providerId}' is misconfigured. This could mean the configs under auth.providers.${providerId} are missing or the environment variables used are not defined. Check the auth backend plugin logs when the backend starts to see more details.`
-          );
-        });
-      }
-    } else {
-      targetRouter.use(`/${providerId}`, () => {
-        throw new errors.NotFoundError(
-          `No auth provider registered for '${providerId}'`
-        );
-      });
-    }
-  }
-}
-function createOriginFilter(config) {
-  const appUrl = config.getString("app.baseUrl");
-  const { origin: appOrigin } = new URL(appUrl);
-  const allowedOrigins = config.getOptionalStringArray(
-    "auth.experimentalExtraAllowedOrigins"
-  );
-  const allowedOriginPatterns = allowedOrigins?.map(
-    (pattern) => new minimatch.Minimatch(pattern, { nocase: true, noglobstar: true })
-  ) ?? [];
-  return (origin) => {
-    if (origin === appOrigin) {
-      return true;
-    }
-    return allowedOriginPatterns.some((pattern) => pattern.match(origin));
-  };
-}
-
-function bindOidcRouter(targetRouter, options) {
-  const { baseUrl, auth, tokenIssuer, userInfoDatabaseHandler } = options;
-  const router = Router__default.default();
-  targetRouter.use(router);
-  const config = {
-    issuer: baseUrl,
-    token_endpoint: `${baseUrl}/v1/token`,
-    userinfo_endpoint: `${baseUrl}/v1/userinfo`,
-    jwks_uri: `${baseUrl}/.well-known/jwks.json`,
-    response_types_supported: ["id_token"],
-    subject_types_supported: ["public"],
-    id_token_signing_alg_values_supported: [
-      "RS256",
-      "RS384",
-      "RS512",
-      "ES256",
-      "ES384",
-      "ES512",
-      "PS256",
-      "PS384",
-      "PS512",
-      "EdDSA"
-    ],
-    scopes_supported: ["openid"],
-    token_endpoint_auth_methods_supported: [],
-    claims_supported: ["sub", "ent"],
-    grant_types_supported: []
-  };
-  router.get("/.well-known/openid-configuration", (_req, res) => {
-    res.json(config);
-  });
-  router.get("/.well-known/jwks.json", async (_req, res) => {
-    const { keys } = await tokenIssuer.listPublicKeys();
-    res.json({ keys });
-  });
-  router.get("/v1/token", (_req, res) => {
-    res.status(501).send("Not Implemented");
-  });
-  router.get("/v1/userinfo", async (req, res) => {
-    const matches = req.headers.authorization?.match(/^Bearer[ ]+(\S+)$/i);
-    const token = matches?.[1];
-    if (!token) {
-      throw new errors.AuthenticationError("No token provided");
-    }
-    const credentials = await auth.authenticate(token, {
-      allowLimitedAccess: true
-    });
-    if (!auth.isPrincipal(credentials, "user")) {
-      throw new errors.InputError(
-        "Userinfo endpoint must be called with a token that represents a user principal"
-      );
-    }
-    const { sub: userEntityRef } = jose.decodeJwt(token);
-    if (typeof userEntityRef !== "string") {
-      throw new Error("Invalid user token, user entity ref must be a string");
-    }
-    const userInfo = await userInfoDatabaseHandler.getUserInfo(userEntityRef);
-    if (!userInfo) {
-      res.status(404).send("User info not found");
-      return;
-    }
-    res.json(userInfo);
-  });
-}
-
-const MS_IN_S$1 = 1e3;
-const MAX_TOKEN_LENGTH = 32768;
-class TokenFactory {
-  issuer;
-  logger;
-  keyStore;
-  keyDurationSeconds;
-  algorithm;
-  userInfoDatabaseHandler;
-  keyExpiry;
-  privateKeyPromise;
-  constructor(options) {
-    this.issuer = options.issuer;
-    this.logger = options.logger;
-    this.keyStore = options.keyStore;
-    this.keyDurationSeconds = options.keyDurationSeconds;
-    this.algorithm = options.algorithm ?? "ES256";
-    this.userInfoDatabaseHandler = options.userInfoDatabaseHandler;
-  }
-  async issueToken(params) {
-    const key = await this.getKey();
-    const iss = this.issuer;
-    const { sub, ent = [sub], ...additionalClaims } = params.claims;
-    const aud = pluginAuthNode.tokenTypes.user.audClaim;
-    const iat = Math.floor(Date.now() / MS_IN_S$1);
-    const exp = iat + this.keyDurationSeconds;
-    try {
-      catalogModel.parseEntityRef(sub);
-    } catch (error) {
-      throw new Error(
-        '"sub" claim provided by the auth resolver is not a valid EntityRef.'
-      );
-    }
-    if (!key.alg) {
-      throw new errors.AuthenticationError("No algorithm was provided in the key");
-    }
-    this.logger.info(`Issuing token for ${sub}, with entities ${ent}`);
-    const signingKey = await jose.importJWK(key);
-    const uip = await this.createUserIdentityClaim({
-      header: {
-        typ: pluginAuthNode.tokenTypes.limitedUser.typParam,
-        alg: key.alg,
-        kid: key.kid
-      },
-      payload: { sub, iat, exp },
-      key: signingKey
-    });
-    const claims = {
-      ...additionalClaims,
-      iss,
-      sub,
-      ent,
-      aud,
-      iat,
-      exp,
-      uip
-    };
-    const token = await new jose.SignJWT(claims).setProtectedHeader({
-      typ: pluginAuthNode.tokenTypes.user.typParam,
-      alg: key.alg,
-      kid: key.kid
-    }).sign(signingKey);
-    if (token.length > MAX_TOKEN_LENGTH) {
-      throw new Error(
-        `Failed to issue a new user token. The resulting token is excessively large, with either too many ownership claims or too large custom claims. You likely have a bug either in the sign-in resolver or catalog data. The following claims were requested: '${JSON.stringify(
-          claims
-        )}'`
-      );
-    }
-    await this.userInfoDatabaseHandler.addUserInfo({
-      claims: lodash.omit(claims, ["aud", "iat", "iss", "uip"])
-    });
-    return token;
-  }
-  // This will be called by other services that want to verify ID tokens.
-  // It is important that it returns a list of all public keys that could
-  // have been used to sign tokens that have not yet expired.
-  async listPublicKeys() {
-    const { items: keys } = await this.keyStore.listKeys();
-    const validKeys = [];
-    const expiredKeys = [];
-    for (const key of keys) {
-      const expireAt = luxon.DateTime.fromJSDate(key.createdAt).plus({
-        seconds: 3 * this.keyDurationSeconds
-      });
-      if (expireAt < luxon.DateTime.local()) {
-        expiredKeys.push(key);
-      } else {
-        validKeys.push(key);
-      }
-    }
-    if (expiredKeys.length > 0) {
-      const kids = expiredKeys.map(({ key }) => key.kid);
-      this.logger.info(`Removing expired signing keys, '${kids.join("', '")}'`);
-      this.keyStore.removeKeys(kids).catch((error) => {
-        this.logger.error(`Failed to remove expired keys, ${error}`);
-      });
-    }
-    return { keys: validKeys.map(({ key }) => key) };
-  }
-  async getKey() {
-    if (this.privateKeyPromise) {
-      if (this.keyExpiry && luxon.DateTime.fromJSDate(this.keyExpiry) > luxon.DateTime.local()) {
-        return this.privateKeyPromise;
-      }
-      this.logger.info(`Signing key has expired, generating new key`);
-      delete this.privateKeyPromise;
-    }
-    this.keyExpiry = luxon.DateTime.utc().plus({
-      seconds: this.keyDurationSeconds
-    }).toJSDate();
-    const promise = (async () => {
-      const key = await jose.generateKeyPair(this.algorithm);
-      const publicKey = await jose.exportJWK(key.publicKey);
-      const privateKey = await jose.exportJWK(key.privateKey);
-      publicKey.kid = privateKey.kid = uuid.v4();
-      publicKey.alg = privateKey.alg = this.algorithm;
-      this.logger.info(`Created new signing key ${publicKey.kid}`);
-      await this.keyStore.addKey(publicKey);
-      return privateKey;
-    })();
-    this.privateKeyPromise = promise;
-    try {
-      await promise;
-    } catch (error) {
-      this.logger.error(`Failed to generate new signing key, ${error}`);
-      delete this.keyExpiry;
-      delete this.privateKeyPromise;
-    }
-    return promise;
-  }
-  // Creates a string claim that can be used as part of reconstructing a limited
-  // user token. The output of this function is only the signature part of a
-  // JWS.
-  async createUserIdentityClaim(options) {
-    const header = {
-      typ: options.header.typ,
-      alg: options.header.alg,
-      ...options.header.kid ? { kid: options.header.kid } : {}
-    };
-    const payload = {
-      sub: options.payload.sub,
-      iat: options.payload.iat,
-      exp: options.payload.exp
-    };
-    const jws = await new jose.GeneralSign(
-      new TextEncoder().encode(JSON.stringify(payload))
-    ).addSignature(options.key).setProtectedHeader(header).done().sign();
-    return jws.signatures[0].signature;
-  }
-}
-
-const TABLE$1 = "signing_keys";
-const parseDate = (date) => {
-  const parsedDate = typeof date === "string" ? luxon.DateTime.fromSQL(date, { zone: "UTC" }) : luxon.DateTime.fromJSDate(date);
-  if (!parsedDate.isValid) {
-    throw new Error(
-      `Failed to parse date, reason: ${parsedDate.invalidReason}, explanation: ${parsedDate.invalidExplanation}`
-    );
-  }
-  return parsedDate.toJSDate();
-};
-class DatabaseKeyStore {
-  constructor(client) {
-    this.client = client;
-  }
-  async addKey(key) {
-    await this.client(TABLE$1).insert({
-      kid: key.kid,
-      key: JSON.stringify(key)
-    });
-  }
-  async listKeys() {
-    const rows = await this.client(TABLE$1).select();
-    return {
-      items: rows.map((row) => ({
-        key: JSON.parse(row.key),
-        createdAt: parseDate(row.created_at)
-      }))
-    };
-  }
-  async removeKeys(kids) {
-    await this.client(TABLE$1).delete().whereIn("kid", kids);
-  }
-}
-
-class MemoryKeyStore {
-  keys = /* @__PURE__ */ new Map();
-  async addKey(key) {
-    this.keys.set(key.kid, {
-      createdAt: luxon.DateTime.utc().toJSDate(),
-      key: JSON.stringify(key)
-    });
-  }
-  async removeKeys(kids) {
-    for (const kid of kids) {
-      this.keys.delete(kid);
-    }
-  }
-  async listKeys() {
-    return {
-      items: Array.from(this.keys).map(([, { createdAt, key: keyStr }]) => ({
-        createdAt,
-        key: JSON.parse(keyStr)
-      }))
-    };
-  }
-}
-
-const DEFAULT_TIMEOUT_MS = 1e4;
-const DEFAULT_DOCUMENT_PATH = "sessions";
-class FirestoreKeyStore {
-  constructor(database, path, timeout) {
-    this.database = database;
-    this.path = path;
-    this.timeout = timeout;
-  }
-  static async create(settings) {
-    const { path, timeout, ...firestoreSettings } = settings ?? {};
-    const database = new firestore.Firestore(firestoreSettings);
-    return new FirestoreKeyStore(
-      database,
-      path ?? DEFAULT_DOCUMENT_PATH,
-      timeout ?? DEFAULT_TIMEOUT_MS
-    );
-  }
-  static async verifyConnection(keyStore, logger) {
-    try {
-      await keyStore.verify();
-    } catch (error) {
-      if (process.env.NODE_ENV !== "development") {
-        throw new Error(
-          `Failed to connect to database: ${error.message}`
-        );
-      }
-      logger?.warn(
-        `Failed to connect to database: ${error.message}`
-      );
-    }
-  }
-  async addKey(key) {
-    await this.withTimeout(
-      this.database.collection(this.path).doc(key.kid).set({
-        kid: key.kid,
-        key: JSON.stringify(key)
-      })
-    );
-  }
-  async listKeys() {
-    const keys = await this.withTimeout(
-      this.database.collection(this.path).get()
-    );
-    return {
-      items: keys.docs.map((key) => ({
-        key: key.data(),
-        createdAt: key.createTime.toDate()
-      }))
-    };
-  }
-  async removeKeys(kids) {
-    for (const kid of kids) {
-      await this.withTimeout(
-        this.database.collection(this.path).doc(kid).delete()
-      );
-    }
-  }
-  /**
-   * Helper function to allow us to modify the timeout used when
-   * performing Firestore database operations.
-   *
-   * The reason for this is that it seems that there's no other
-   * practical solution to change the default timeout of 10mins
-   * that Firestore has.
-   *
-   */
-  async withTimeout(operation) {
-    const timer = new Promise(
-      (_, reject) => setTimeout(() => {
-        reject(new Error(`Operation timed out after ${this.timeout}ms`));
-      }, this.timeout)
-    );
-    return Promise.race([operation, timer]);
-  }
-  /**
-   * Used to verify that the database is reachable.
-   */
-  async verify() {
-    await this.withTimeout(this.database.collection(this.path).limit(1).get());
-  }
-}
-
-const DEFAULT_ALGORITHM = "ES256";
-class StaticKeyStore {
-  keyPairs;
-  createdAt;
-  constructor(keyPairs) {
-    if (keyPairs.length === 0) {
-      throw new Error("Should provide at least one key pair");
-    }
-    this.keyPairs = keyPairs;
-    this.createdAt = /* @__PURE__ */ new Date();
-  }
-  static async fromConfig(config) {
-    const keyConfigs = config.getConfigArray("auth.keyStore.static.keys").map((c) => {
-      const staticKeyConfig = {
-        publicKeyFile: c.getString("publicKeyFile"),
-        privateKeyFile: c.getString("privateKeyFile"),
-        keyId: c.getString("keyId"),
-        algorithm: c.getOptionalString("algorithm") ?? DEFAULT_ALGORITHM
-      };
-      return staticKeyConfig;
-    });
-    const keyPairs = await Promise.all(
-      keyConfigs.map(async (k) => await this.loadKeyPair(k))
-    );
-    return new StaticKeyStore(keyPairs);
-  }
-  addKey(_key) {
-    throw new Error("Cannot add keys to the static key store");
-  }
-  listKeys() {
-    const keys = this.keyPairs.map((k) => this.keyPairToStoredKey(k));
-    return Promise.resolve({ items: keys });
-  }
-  getPrivateKey(keyId) {
-    const keyPair = this.keyPairs.find((k) => k.publicKey.kid === keyId);
-    if (keyPair === void 0) {
-      throw new Error(`Could not find key with keyId: ${keyId}`);
-    }
-    return keyPair.privateKey;
-  }
-  removeKeys(_kids) {
-    throw new Error("Cannot remove keys from the static key store");
-  }
-  keyPairToStoredKey(keyPair) {
-    const publicKey = {
-      ...keyPair.publicKey,
-      use: "sig"
-    };
-    return {
-      key: publicKey,
-      createdAt: this.createdAt
-    };
-  }
-  static async loadKeyPair(options) {
-    const algorithm = options.algorithm;
-    const keyId = options.keyId;
-    const publicKey = await this.loadPublicKeyFromFile(
-      options.publicKeyFile,
-      keyId,
-      algorithm
-    );
-    const privateKey = await this.loadPrivateKeyFromFile(
-      options.privateKeyFile,
-      keyId,
-      algorithm
-    );
-    return { publicKey, privateKey };
-  }
-  static async loadPublicKeyFromFile(path, keyId, algorithm) {
-    return this.loadKeyFromFile(path, keyId, algorithm, jose.importSPKI);
-  }
-  static async loadPrivateKeyFromFile(path, keyId, algorithm) {
-    return this.loadKeyFromFile(path, keyId, algorithm, jose.importPKCS8);
-  }
-  static async loadKeyFromFile(path, keyId, algorithm, importer) {
-    const content = await fs.promises.readFile(path, { encoding: "utf8", flag: "r" });
-    const key = await importer(content, algorithm);
-    const jwk = await jose.exportJWK(key);
-    jwk.kid = keyId;
-    jwk.alg = algorithm;
-    return jwk;
-  }
-}
-
-class KeyStores {
-  /**
-   * Looks at the `auth.keyStore` section in the application configuration
-   * and returns a KeyStore store. Defaults to `database`
-   *
-   * @returns a KeyStore store
-   */
-  static async fromConfig(config, options) {
-    const { logger, database } = options;
-    const ks = config.getOptionalConfig("auth.keyStore");
-    const provider = ks?.getOptionalString("provider") ?? "database";
-    logger.info(`Configuring "${provider}" as KeyStore provider`);
-    if (provider === "database") {
-      return new DatabaseKeyStore(await database.get());
-    }
-    if (provider === "memory") {
-      return new MemoryKeyStore();
-    }
-    if (provider === "firestore") {
-      const settings = ks?.getConfig(provider);
-      const keyStore = await FirestoreKeyStore.create(
-        lodash.pickBy(
-          {
-            projectId: settings?.getOptionalString("projectId"),
-            keyFilename: settings?.getOptionalString("keyFilename"),
-            host: settings?.getOptionalString("host"),
-            port: settings?.getOptionalNumber("port"),
-            ssl: settings?.getOptionalBoolean("ssl"),
-            path: settings?.getOptionalString("path"),
-            timeout: settings?.getOptionalNumber("timeout")
-          },
-          (value) => value !== void 0
-        )
-      );
-      await FirestoreKeyStore.verifyConnection(keyStore, logger);
-      return keyStore;
-    }
-    if (provider === "static") {
-      return await StaticKeyStore.fromConfig(config);
-    }
-    throw new Error(`Unknown KeyStore provider: ${provider}`);
-  }
-}
-
-const TABLE = "user_info";
-class UserInfoDatabaseHandler {
-  constructor(client) {
-    this.client = client;
-  }
-  async addUserInfo(userInfo) {
-    await this.client(TABLE).insert({
-      user_entity_ref: userInfo.claims.sub,
-      user_info: JSON.stringify(userInfo),
-      exp: luxon.DateTime.fromSeconds(userInfo.claims.exp, {
-        zone: "utc"
-      }).toSQL({ includeOffset: false })
-    }).onConflict("user_entity_ref").merge();
-  }
-  async getUserInfo(userEntityRef) {
-    const info = await this.client(TABLE).where({ user_entity_ref: userEntityRef }).first();
-    if (!info) {
-      return void 0;
-    }
-    const userInfo = JSON.parse(info.user_info);
-    return userInfo;
-  }
-}
-
-const migrationsDir = backendPluginApi.resolvePackagePath(
-  "@backstage/plugin-auth-backend",
-  "migrations"
-);
-class AuthDatabase {
-  #database;
-  #promise;
-  static create(database) {
-    return new AuthDatabase(database);
-  }
-  /** @internal */
-  static forTesting() {
-    const config$1 = new config.ConfigReader({
-      backend: {
-        database: {
-          client: "better-sqlite3",
-          connection: ":memory:",
-          useNullAsDefault: true
-        }
-      }
-    });
-    const database = backendCommon.DatabaseManager.fromConfig(config$1).forPlugin("auth");
-    return new AuthDatabase(database);
-  }
-  static async runMigrations(knex) {
-    await knex.migrate.latest({
-      directory: migrationsDir
-    });
-  }
-  constructor(database) {
-    this.#database = database;
-  }
-  get() {
-    this.#promise ??= this.#database.getClient().then(async (client) => {
-      if (!this.#database.migrations?.skip) {
-        await AuthDatabase.runMigrations(client);
-      }
-      return client;
-    });
-    return this.#promise;
-  }
-}
-
-const TOKEN_EXP_DEFAULT_S = 3600;
-const TOKEN_EXP_MIN_S = 600;
-const TOKEN_EXP_MAX_S = 86400;
-function readBackstageTokenExpiration(config$1) {
-  const processingIntervalKey = "auth.backstageTokenExpiration";
-  if (!config$1.has(processingIntervalKey)) {
-    return TOKEN_EXP_DEFAULT_S;
-  }
-  const duration = config.readDurationFromConfig(config$1, {
-    key: processingIntervalKey
-  });
-  const durationS = Math.round(types.durationToMilliseconds(duration) / 1e3);
-  if (durationS < TOKEN_EXP_MIN_S) {
-    return TOKEN_EXP_MIN_S;
-  } else if (durationS > TOKEN_EXP_MAX_S) {
-    return TOKEN_EXP_MAX_S;
-  }
-  return durationS;
-}
-
-const MS_IN_S = 1e3;
-class StaticTokenIssuer {
-  issuer;
-  logger;
-  keyStore;
-  sessionExpirationSeconds;
-  constructor(options, keyStore) {
-    this.issuer = options.issuer;
-    this.logger = options.logger;
-    this.sessionExpirationSeconds = options.sessionExpirationSeconds;
-    this.keyStore = keyStore;
-  }
-  async issueToken(params) {
-    const key = await this.getSigningKey();
-    const iss = this.issuer;
-    const { sub, ent, ...additionalClaims } = params.claims;
-    const aud = "backstage";
-    const iat = Math.floor(Date.now() / MS_IN_S);
-    const exp = iat + this.sessionExpirationSeconds;
-    try {
-      catalogModel.parseEntityRef(sub);
-    } catch (error) {
-      throw new Error(
-        '"sub" claim provided by the auth resolver is not a valid EntityRef.'
-      );
-    }
-    this.logger.info(`Issuing token for ${sub}, with entities ${ent ?? []}`);
-    if (!key.alg) {
-      throw new errors.AuthenticationError("No algorithm was provided in the key");
-    }
-    return new jose.SignJWT({ ...additionalClaims, iss, sub, ent, aud, iat, exp }).setProtectedHeader({ alg: key.alg, kid: key.kid }).setIssuer(iss).setAudience(aud).setSubject(sub).setIssuedAt(iat).setExpirationTime(exp).sign(await jose.importJWK(key));
-  }
-  async getSigningKey() {
-    const { items: keys } = await this.keyStore.listKeys();
-    if (keys.length >= 1) {
-      return this.keyStore.getPrivateKey(keys[0].key.kid);
-    }
-    throw new Error("Keystore should hold at least 1 key");
-  }
-  async listPublicKeys() {
-    const { items: keys } = await this.keyStore.listKeys();
-    return { keys: keys.map(({ key }) => key) };
-  }
-}
-
-async function createRouter(options) {
-  const {
-    logger,
-    config,
-    discovery,
-    database,
-    tokenFactoryAlgorithm,
-    providerFactories = {}
-  } = options;
-  const { auth, httpAuth } = backendCommon.createLegacyAuthAdapters(options);
-  const router = Router__default.default();
-  const appUrl = config.getString("app.baseUrl");
-  const authUrl = await discovery.getExternalBaseUrl("auth");
-  const backstageTokenExpiration = readBackstageTokenExpiration(config);
-  const authDb = AuthDatabase.create(database);
-  const keyStore = await KeyStores.fromConfig(config, {
-    logger,
-    database: authDb
-  });
-  const userInfoDatabaseHandler = new UserInfoDatabaseHandler(
-    await authDb.get()
-  );
-  let tokenIssuer;
-  if (keyStore instanceof StaticKeyStore) {
-    tokenIssuer = new StaticTokenIssuer(
-      {
-        logger: logger.child({ component: "token-factory" }),
-        issuer: authUrl,
-        sessionExpirationSeconds: backstageTokenExpiration
-      },
-      keyStore
-    );
-  } else {
-    tokenIssuer = new TokenFactory({
-      issuer: authUrl,
-      keyStore,
-      keyDurationSeconds: backstageTokenExpiration,
-      logger: logger.child({ component: "token-factory" }),
-      algorithm: tokenFactoryAlgorithm ?? config.getOptionalString("auth.identityTokenAlgorithm"),
-      userInfoDatabaseHandler
-    });
-  }
-  const secret = config.getOptionalString("auth.session.secret");
-  if (secret) {
-    router.use(cookieParser__default.default(secret));
-    const enforceCookieSSL = authUrl.startsWith("https");
-    const KnexSessionStore = connectSessionKnex__default.default(session__default.default);
-    router.use(
-      session__default.default({
-        secret,
-        saveUninitialized: false,
-        resave: false,
-        cookie: { secure: enforceCookieSSL ? "auto" : false },
-        store: new KnexSessionStore({
-          createtable: false,
-          knex: await authDb.get()
-        })
-      })
-    );
-    router.use(passport__default.default.initialize());
-    router.use(passport__default.default.session());
-  } else {
-    router.use(cookieParser__default.default());
-  }
-  router.use(express__default.default.urlencoded({ extended: false }));
-  router.use(express__default.default.json());
-  const providers = options.disableDefaultProviderFactories ? providerFactories : {
-    ...defaultAuthProviderFactories,
-    ...providerFactories
-  };
-  bindProviderRouters(router, {
-    providers,
-    appUrl,
-    baseUrl: authUrl,
-    tokenIssuer,
-    ...options,
-    auth,
-    httpAuth
-  });
-  bindOidcRouter(router, {
-    auth,
-    tokenIssuer,
-    baseUrl: authUrl,
-    userInfoDatabaseHandler
-  });
-  router.use("/:provider/", (req) => {
-    const { provider } = req.params;
-    throw new errors.NotFoundError(`Unknown auth provider '${provider}'`);
-  });
-  return router;
-}
-
-const authPlugin = backendPluginApi.createBackendPlugin({
-  pluginId: "auth",
-  register(reg) {
-    const providers = /* @__PURE__ */ new Map();
-    let ownershipResolver = void 0;
-    reg.registerExtensionPoint(pluginAuthNode.authProvidersExtensionPoint, {
-      registerProvider({ providerId, factory }) {
-        if (providers.has(providerId)) {
-          throw new Error(
-            `Auth provider '${providerId}' was already registered`
-          );
-        }
-        providers.set(providerId, factory);
-      }
-    });
-    reg.registerExtensionPoint(pluginAuthNode.authOwnershipResolutionExtensionPoint, {
-      setAuthOwnershipResolver(resolver) {
-        if (ownershipResolver) {
-          throw new Error("Auth ownership resolver is already set");
-        }
-        ownershipResolver = resolver;
-      }
-    });
-    reg.registerInit({
-      deps: {
-        httpRouter: backendPluginApi.coreServices.httpRouter,
-        logger: backendPluginApi.coreServices.logger,
-        config: backendPluginApi.coreServices.rootConfig,
-        database: backendPluginApi.coreServices.database,
-        discovery: backendPluginApi.coreServices.discovery,
-        auth: backendPluginApi.coreServices.auth,
-        httpAuth: backendPluginApi.coreServices.httpAuth,
-        catalogApi: alpha.catalogServiceRef
-      },
-      async init({
-        httpRouter,
-        logger,
-        config,
-        database,
-        discovery,
-        auth,
-        httpAuth,
-        catalogApi
-      }) {
-        const router = await createRouter({
-          logger,
-          config,
-          database,
-          discovery,
-          auth,
-          httpAuth,
-          catalogApi,
-          providerFactories: Object.fromEntries(providers),
-          disableDefaultProviderFactories: true,
-          ownershipResolver
-        });
-        httpRouter.addAuthPolicy({
-          path: "/",
-          allow: "unauthenticated"
-        });
-        httpRouter.use(router);
-      }
-    });
-  }
-});
-
-const OAuthEnvironmentHandler = pluginAuthNode.OAuthEnvironmentHandler;
-
-const readState = pluginAuthNode.decodeOAuthState;
-const encodeState = pluginAuthNode.encodeOAuthState;
-const verifyNonce = (req, providerId) => {
-  const cookieNonce = req.cookies[`${providerId}-nonce`];
-  const state = readState(req.query.state?.toString() ?? "");
-  const stateNonce = state.nonce;
-  if (!cookieNonce) {
-    throw new Error("Auth response is missing cookie nonce");
-  }
-  if (stateNonce.length === 0) {
-    throw new Error("Auth response is missing state nonce");
-  }
-  if (cookieNonce !== stateNonce) {
-    throw new Error("Invalid nonce");
-  }
-};
-const defaultCookieConfigurer = ({
-  callbackUrl,
-  providerId,
-  appOrigin
-}) => {
-  const { hostname: domain, pathname, protocol } = new URL(callbackUrl);
-  const secure = protocol === "https:";
-  let sameSite = "lax";
-  if (new URL(appOrigin).hostname !== domain && secure) {
-    sameSite = "none";
-  }
-  const path = pathname.endsWith(`${providerId}/handler/frame`) ? pathname.slice(0, -"/handler/frame".length) : `${pathname}/${providerId}`;
-  return { domain, path, secure, sameSite };
-};
-
-const THOUSAND_DAYS_MS = 1e3 * 24 * 60 * 60 * 1e3;
-const TEN_MINUTES_MS = 600 * 1e3;
-class OAuthAdapter {
-  constructor(handlers, options) {
-    this.handlers = handlers;
-    this.options = options;
-    this.baseCookieOptions = {
-      httpOnly: true,
-      sameSite: "lax"
-    };
-  }
-  static fromConfig(config, handlers, options) {
-    const { appUrl, baseUrl, isOriginAllowed } = config;
-    const { origin: appOrigin } = new url.URL(appUrl);
-    const cookieConfigurer = config.cookieConfigurer ?? defaultCookieConfigurer;
-    return new OAuthAdapter(handlers, {
-      ...options,
-      appOrigin,
-      baseUrl,
-      cookieConfigurer,
-      isOriginAllowed
-    });
-  }
-  baseCookieOptions;
-  async start(req, res) {
-    const scope = req.query.scope?.toString() ?? "";
-    const env = req.query.env?.toString();
-    const origin = req.query.origin?.toString();
-    const redirectUrl = req.query.redirectUrl?.toString();
-    const flow = req.query.flow?.toString();
-    if (!env) {
-      throw new errors.InputError("No env provided in request query parameters");
-    }
-    const cookieConfig = this.getCookieConfig(origin);
-    const nonce = crypto__default.default.randomBytes(16).toString("base64");
-    this.setNonceCookie(res, nonce, cookieConfig);
-    const state = { nonce, env, origin, redirectUrl, flow };
-    if (this.options.persistScopes) {
-      state.scope = scope;
-    }
-    const forwardReq = Object.assign(req, { scope, state });
-    const { url, status } = await this.handlers.start(
-      forwardReq
-    );
-    res.statusCode = status || 302;
-    res.setHeader("Location", url);
-    res.setHeader("Content-Length", "0");
-    res.end();
-  }
-  async frameHandler(req, res) {
-    let appOrigin = this.options.appOrigin;
-    try {
-      const state = readState(req.query.state?.toString() ?? "");
-      if (state.origin) {
-        try {
-          appOrigin = new url.URL(state.origin).origin;
-        } catch {
-          throw new errors.NotAllowedError("App origin is invalid, failed to parse");
-        }
-        if (!this.options.isOriginAllowed(appOrigin)) {
-          throw new errors.NotAllowedError(`Origin '${appOrigin}' is not allowed`);
-        }
-      }
-      verifyNonce(req, this.options.providerId);
-      const { response, refreshToken } = await this.handlers.handler(req);
-      const cookieConfig = this.getCookieConfig(appOrigin);
-      if (this.options.persistScopes && state.scope) {
-        this.setGrantedScopeCookie(res, state.scope, cookieConfig);
-        response.providerInfo.scope = state.scope;
-      }
-      if (refreshToken) {
-        this.setRefreshTokenCookie(res, refreshToken, cookieConfig);
-      }
-      const identity = await this.populateIdentity(response.backstageIdentity);
-      const responseObj = {
-        type: "authorization_response",
-        response: { ...response, backstageIdentity: identity }
-      };
-      if (state.flow === "redirect") {
-        if (!state.redirectUrl) {
-          throw new errors.InputError(
-            "No redirectUrl provided in request query parameters"
-          );
-        }
-        res.redirect(state.redirectUrl);
-        return void 0;
-      }
-      return postMessageResponse(res, appOrigin, responseObj);
-    } catch (error) {
-      const { name, message } = errors.isError(error) ? error : new Error("Encountered invalid error");
-      return postMessageResponse(res, appOrigin, {
-        type: "authorization_response",
-        error: { name, message }
-      });
-    }
-  }
-  async logout(req, res) {
-    if (!ensuresXRequestedWith(req)) {
-      throw new errors.AuthenticationError("Invalid X-Requested-With header");
-    }
-    if (this.handlers.logout) {
-      const refreshToken = this.getRefreshTokenFromCookie(req);
-      const revokeRequest = Object.assign(req, {
-        refreshToken
-      });
-      await this.handlers.logout(revokeRequest);
-    }
-    const origin = req.get("origin");
-    const cookieConfig = this.getCookieConfig(origin);
-    this.removeRefreshTokenCookie(res, cookieConfig);
-    res.status(200).end();
-  }
-  async refresh(req, res) {
-    if (!ensuresXRequestedWith(req)) {
-      throw new errors.AuthenticationError("Invalid X-Requested-With header");
-    }
-    if (!this.handlers.refresh) {
-      throw new errors.InputError(
-        `Refresh token is not supported for provider ${this.options.providerId}`
-      );
-    }
-    try {
-      const refreshToken = this.getRefreshTokenFromCookie(req);
-      if (!refreshToken) {
-        throw new errors.InputError("Missing session cookie");
-      }
-      let scope = req.query.scope?.toString() ?? "";
-      if (this.options.persistScopes) {
-        scope = this.getGrantedScopeFromCookie(req);
-      }
-      const forwardReq = Object.assign(req, { scope, refreshToken });
-      const { response, refreshToken: newRefreshToken } = await this.handlers.refresh(forwardReq);
-      const backstageIdentity = await this.populateIdentity(
-        response.backstageIdentity
-      );
-      if (newRefreshToken && newRefreshToken !== refreshToken) {
-        const origin = req.get("origin");
-        const cookieConfig = this.getCookieConfig(origin);
-        this.setRefreshTokenCookie(res, newRefreshToken, cookieConfig);
-      }
-      res.status(200).json({ ...response, backstageIdentity });
-    } catch (error) {
-      throw new errors.AuthenticationError("Refresh failed", error);
-    }
-  }
-  /**
-   * If the response from the OAuth provider includes a Backstage identity, we
-   * make sure it's populated with all the information we can derive from the user ID.
-   */
-  async populateIdentity(identity) {
-    if (!identity) {
-      return void 0;
-    }
-    if (!identity.token) {
-      throw new errors.InputError(`Identity response must return a token`);
-    }
-    return prepareBackstageIdentityResponse(identity);
-  }
-  setNonceCookie = (res, nonce, cookieConfig) => {
-    res.cookie(`${this.options.providerId}-nonce`, nonce, {
-      maxAge: TEN_MINUTES_MS,
-      ...this.baseCookieOptions,
-      ...cookieConfig,
-      path: `${cookieConfig.path}/handler`
-    });
-  };
-  setGrantedScopeCookie = (res, scope, cookieConfig) => {
-    res.cookie(`${this.options.providerId}-granted-scope`, scope, {
-      maxAge: THOUSAND_DAYS_MS,
-      ...this.baseCookieOptions,
-      ...cookieConfig
-    });
-  };
-  getRefreshTokenFromCookie = (req) => {
-    return req.cookies[`${this.options.providerId}-refresh-token`];
-  };
-  getGrantedScopeFromCookie = (req) => {
-    return req.cookies[`${this.options.providerId}-granted-scope`];
-  };
-  setRefreshTokenCookie = (res, refreshToken, cookieConfig) => {
-    res.cookie(`${this.options.providerId}-refresh-token`, refreshToken, {
-      maxAge: THOUSAND_DAYS_MS,
-      ...this.baseCookieOptions,
-      ...cookieConfig
-    });
-  };
-  removeRefreshTokenCookie = (res, cookieConfig) => {
-    res.cookie(`${this.options.providerId}-refresh-token`, "", {
-      maxAge: 0,
-      ...this.baseCookieOptions,
-      ...cookieConfig
-    });
-  };
-  getCookieConfig = (origin) => {
-    return this.options.cookieConfigurer({
-      providerId: this.options.providerId,
-      baseUrl: this.options.baseUrl,
-      callbackUrl: this.options.callbackUrl,
-      appOrigin: origin ?? this.options.appOrigin
-    });
-  };
-}
-
-exports.CatalogIdentityClient = CatalogIdentityClient;
-exports.OAuthAdapter = OAuthAdapter;
-exports.OAuthEnvironmentHandler = OAuthEnvironmentHandler;
-exports.createAuthProviderIntegration = createAuthProviderIntegration;
-exports.createOriginFilter = createOriginFilter;
-exports.createRouter = createRouter;
-exports.default = authPlugin;
-exports.defaultAuthProviderFactories = defaultAuthProviderFactories;
-exports.encodeState = encodeState;
-exports.ensuresXRequestedWith = ensuresXRequestedWith;
-exports.getDefaultOwnershipEntityRefs = getDefaultOwnershipEntityRefs;
-exports.postMessageResponse = postMessageResponse;
-exports.prepareBackstageIdentityResponse = prepareBackstageIdentityResponse;
-exports.providers = providers;
-exports.readState = readState;
-exports.verifyNonce = verifyNonce;
+var authPlugin = require('./authPlugin.cjs.js');
+var router = require('./service/router.cjs.js');
+var providers = require('./providers/providers.cjs.js');
+var router$1 = require('./providers/router.cjs.js');
+var createAuthProviderIntegration = require('./providers/createAuthProviderIntegration.cjs.js');
+var prepareBackstageIdentityResponse = require('./providers/prepareBackstageIdentityResponse.cjs.js');
+var authFlowHelpers = require('./lib/flow/authFlowHelpers.cjs.js');
+var OAuthEnvironmentHandler = require('./lib/oauth/OAuthEnvironmentHandler.cjs.js');
+var OAuthAdapter = require('./lib/oauth/OAuthAdapter.cjs.js');
+var helpers = require('./lib/oauth/helpers.cjs.js');
+var CatalogIdentityClient = require('./lib/catalog/CatalogIdentityClient.cjs.js');
+var CatalogAuthResolverContext = require('./lib/resolvers/CatalogAuthResolverContext.cjs.js');
+
+
+
+exports.default = authPlugin.authPlugin;
+exports.createRouter = router.createRouter;
+exports.defaultAuthProviderFactories = providers.defaultAuthProviderFactories;
+exports.providers = providers.providers;
+exports.createOriginFilter = router$1.createOriginFilter;
+exports.createAuthProviderIntegration = createAuthProviderIntegration.createAuthProviderIntegration;
+exports.prepareBackstageIdentityResponse = prepareBackstageIdentityResponse.prepareBackstageIdentityResponse;
+exports.ensuresXRequestedWith = authFlowHelpers.ensuresXRequestedWith;
+exports.postMessageResponse = authFlowHelpers.postMessageResponse;
+exports.OAuthEnvironmentHandler = OAuthEnvironmentHandler.OAuthEnvironmentHandler;
+exports.OAuthAdapter = OAuthAdapter.OAuthAdapter;
+exports.encodeState = helpers.encodeState;
+exports.readState = helpers.readState;
+exports.verifyNonce = helpers.verifyNonce;
+exports.CatalogIdentityClient = CatalogIdentityClient.CatalogIdentityClient;
+exports.getDefaultOwnershipEntityRefs = CatalogAuthResolverContext.getDefaultOwnershipEntityRefs;
 //# sourceMappingURL=index.cjs.js.map