@backstage/plugin-auth-backend 0.23.1-next.0 → 0.23.1

package/dist/lib/catalog/CatalogIdentityClient.cjs.js

@@ -0,0 +1,94 @@
+'use strict';
+
+var errors = require('@backstage/errors');
+var catalogModel = require('@backstage/catalog-model');
+var backendCommon = require('@backstage/backend-common');
+
+class CatalogIdentityClient {
+  catalogApi;
+  auth;
+  constructor(options) {
+    this.catalogApi = options.catalogApi;
+    const { auth } = backendCommon.createLegacyAuthAdapters({
+      auth: options.auth,
+      httpAuth: options.httpAuth,
+      discovery: options.discovery,
+      tokenManager: options.tokenManager
+    });
+    this.auth = auth;
+  }
+  /**
+   * Looks up a single user using a query.
+   *
+   * Throws a NotFoundError or ConflictError if 0 or multiple users are found.
+   */
+  async findUser(query) {
+    const filter = {
+      kind: "user"
+    };
+    for (const [key, value] of Object.entries(query.annotations)) {
+      filter[`metadata.annotations.${key}`] = value;
+    }
+    const { token } = await this.auth.getPluginRequestToken({
+      onBehalfOf: await this.auth.getOwnServiceCredentials(),
+      targetPluginId: "catalog"
+    });
+    const { items } = await this.catalogApi.getEntities({ filter }, { token });
+    if (items.length !== 1) {
+      if (items.length > 1) {
+        throw new errors.ConflictError("User lookup resulted in multiple matches");
+      } else {
+        throw new errors.NotFoundError("User not found");
+      }
+    }
+    return items[0];
+  }
+  /**
+   * Resolve additional entity claims from the catalog, using the passed-in entity names. Designed
+   * to be used within a `signInResolver` where additional entity claims might be provided, but
+   * group membership and transient group membership lean on imported catalog relations.
+   *
+   * Returns a superset of the entity names that can be passed directly to `issueToken` as `ent`.
+   */
+  async resolveCatalogMembership(query) {
+    const { entityRefs, logger } = query;
+    const resolvedEntityRefs = entityRefs.map((ref) => {
+      try {
+        const parsedRef = catalogModel.parseEntityRef(ref.toLocaleLowerCase("en-US"), {
+          defaultKind: "user",
+          defaultNamespace: "default"
+        });
+        return parsedRef;
+      } catch {
+        logger?.warn(`Failed to parse entityRef from ${ref}, ignoring`);
+        return null;
+      }
+    }).filter((ref) => ref !== null);
+    const filter = resolvedEntityRefs.map((ref) => ({
+      kind: ref.kind,
+      "metadata.namespace": ref.namespace,
+      "metadata.name": ref.name
+    }));
+    const { token } = await this.auth.getPluginRequestToken({
+      onBehalfOf: await this.auth.getOwnServiceCredentials(),
+      targetPluginId: "catalog"
+    });
+    const entities = await this.catalogApi.getEntities({ filter }, { token }).then((r) => r.items);
+    if (entityRefs.length !== entities.length) {
+      const foundEntityNames = entities.map(catalogModel.stringifyEntityRef);
+      const missingEntityNames = resolvedEntityRefs.map(catalogModel.stringifyEntityRef).filter((s) => !foundEntityNames.includes(s));
+      logger?.debug(`Entities not found for refs ${missingEntityNames.join()}`);
+    }
+    const memberOf = entities.flatMap(
+      (e) => e.relations?.filter((r) => r.type === catalogModel.RELATION_MEMBER_OF).map((r) => r.targetRef) ?? []
+    );
+    const newEntityRefs = [
+      ...new Set(resolvedEntityRefs.map(catalogModel.stringifyEntityRef).concat(memberOf))
+    ];
+    logger?.debug(`Found catalog membership: ${newEntityRefs.join()}`);
+    return newEntityRefs;
+  }
+}
+
+exports.CatalogIdentityClient = CatalogIdentityClient;
+//# sourceMappingURL=CatalogIdentityClient.cjs.js.map

package/dist/lib/catalog/CatalogIdentityClient.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"CatalogIdentityClient.cjs.js","sources":["../../../src/lib/catalog/CatalogIdentityClient.ts"],"sourcesContent":["/*\n * Copyright 2020 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  AuthService,\n  DiscoveryService,\n  HttpAuthService,\n  LoggerService,\n} from '@backstage/backend-plugin-api';\nimport { ConflictError, NotFoundError } from '@backstage/errors';\nimport { CatalogApi } from '@backstage/catalog-client';\nimport {\n  CompoundEntityRef,\n  parseEntityRef,\n  RELATION_MEMBER_OF,\n  stringifyEntityRef,\n  UserEntity,\n} from '@backstage/catalog-model';\nimport {\n  TokenManager,\n  createLegacyAuthAdapters,\n} from '@backstage/backend-common';\n\n/**\n * A catalog client tailored for reading out identity data from the catalog.\n *\n * @public\n */\nexport class CatalogIdentityClient {\n  private readonly catalogApi: CatalogApi;\n  private readonly auth: AuthService;\n\n  constructor(options: {\n    catalogApi: CatalogApi;\n    tokenManager?: TokenManager;\n    discovery: DiscoveryService;\n    auth?: AuthService;\n    httpAuth?: HttpAuthService;\n  }) {\n    this.catalogApi = options.catalogApi;\n\n    const { auth } = createLegacyAuthAdapters({\n      auth: options.auth,\n      httpAuth: options.httpAuth,\n      discovery: options.discovery,\n      tokenManager: options.tokenManager,\n    });\n\n    this.auth = auth;\n  }\n\n  /**\n   * Looks up a single user using a query.\n   *\n   * Throws a NotFoundError or ConflictError if 0 or multiple users are found.\n   */\n  async findUser(query: {\n    annotations: Record<string, string>;\n  }): Promise<UserEntity> {\n    const filter: Record<string, string> = {\n      kind: 'user',\n    };\n    for (const [key, value] of Object.entries(query.annotations)) {\n      filter[`metadata.annotations.${key}`] = value;\n    }\n\n    const { token } = await this.auth.getPluginRequestToken({\n      onBehalfOf: await this.auth.getOwnServiceCredentials(),\n      targetPluginId: 'catalog',\n    });\n\n    const { items } = await this.catalogApi.getEntities({ filter }, { token });\n\n    if (items.length !== 1) {\n      if (items.length > 1) {\n        throw new ConflictError('User lookup resulted in multiple matches');\n      } else {\n        throw new NotFoundError('User not found');\n      }\n    }\n\n    return items[0] as UserEntity;\n  }\n\n  /**\n   * Resolve additional entity claims from the catalog, using the passed-in entity names. Designed\n   * to be used within a `signInResolver` where additional entity claims might be provided, but\n   * group membership and transient group membership lean on imported catalog relations.\n   *\n   * Returns a superset of the entity names that can be passed directly to `issueToken` as `ent`.\n   */\n  async resolveCatalogMembership(query: {\n    entityRefs: string[];\n    logger?: LoggerService;\n  }): Promise<string[]> {\n    const { entityRefs, logger } = query;\n    const resolvedEntityRefs = entityRefs\n      .map((ref: string) => {\n        try {\n          const parsedRef = parseEntityRef(ref.toLocaleLowerCase('en-US'), {\n            defaultKind: 'user',\n            defaultNamespace: 'default',\n          });\n          return parsedRef;\n        } catch {\n          logger?.warn(`Failed to parse entityRef from ${ref}, ignoring`);\n          return null;\n        }\n      })\n      .filter((ref): ref is CompoundEntityRef => ref !== null);\n\n    const filter = resolvedEntityRefs.map(ref => ({\n      kind: ref.kind,\n      'metadata.namespace': ref.namespace,\n      'metadata.name': ref.name,\n    }));\n\n    const { token } = await this.auth.getPluginRequestToken({\n      onBehalfOf: await this.auth.getOwnServiceCredentials(),\n      targetPluginId: 'catalog',\n    });\n\n    const entities = await this.catalogApi\n      .getEntities({ filter }, { token })\n      .then(r => r.items);\n\n    if (entityRefs.length !== entities.length) {\n      const foundEntityNames = entities.map(stringifyEntityRef);\n      const missingEntityNames = resolvedEntityRefs\n        .map(stringifyEntityRef)\n        .filter(s => !foundEntityNames.includes(s));\n      logger?.debug(`Entities not found for refs ${missingEntityNames.join()}`);\n    }\n\n    const memberOf = entities.flatMap(\n      e =>\n        e!.relations\n          ?.filter(r => r.type === RELATION_MEMBER_OF)\n          .map(r => r.targetRef) ?? [],\n    );\n\n    const newEntityRefs = [\n      ...new Set(resolvedEntityRefs.map(stringifyEntityRef).concat(memberOf)),\n    ];\n\n    logger?.debug(`Found catalog membership: ${newEntityRefs.join()}`);\n    return newEntityRefs;\n  }\n}\n"],"names":["createLegacyAuthAdapters","ConflictError","NotFoundError","parseEntityRef","stringifyEntityRef","RELATION_MEMBER_OF"],"mappings":";;;;;;AAyCO,MAAM,qBAAsB,CAAA;AAAA,EAChB,UAAA,CAAA;AAAA,EACA,IAAA,CAAA;AAAA,EAEjB,YAAY,OAMT,EAAA;AACD,IAAA,IAAA,CAAK,aAAa,OAAQ,CAAA,UAAA,CAAA;AAE1B,IAAM,MAAA,EAAE,IAAK,EAAA,GAAIA,sCAAyB,CAAA;AAAA,MACxC,MAAM,OAAQ,CAAA,IAAA;AAAA,MACd,UAAU,OAAQ,CAAA,QAAA;AAAA,MAClB,WAAW,OAAQ,CAAA,SAAA;AAAA,MACnB,cAAc,OAAQ,CAAA,YAAA;AAAA,KACvB,CAAA,CAAA;AAED,IAAA,IAAA,CAAK,IAAO,GAAA,IAAA,CAAA;AAAA,GACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,SAAS,KAES,EAAA;AACtB,IAAA,MAAM,MAAiC,GAAA;AAAA,MACrC,IAAM,EAAA,MAAA;AAAA,KACR,CAAA;AACA,IAAW,KAAA,MAAA,CAAC,KAAK,KAAK,CAAA,IAAK,OAAO,OAAQ,CAAA,KAAA,CAAM,WAAW,CAAG,EAAA;AAC5D,MAAO,MAAA,CAAA,CAAA,qBAAA,EAAwB,GAAG,CAAA,CAAE,CAAI,GAAA,KAAA,CAAA;AAAA,KAC1C;AAEA,IAAA,MAAM,EAAE,KAAM,EAAA,GAAI,MAAM,IAAA,CAAK,KAAK,qBAAsB,CAAA;AAAA,MACtD,UAAY,EAAA,MAAM,IAAK,CAAA,IAAA,CAAK,wBAAyB,EAAA;AAAA,MACrD,cAAgB,EAAA,SAAA;AAAA,KACjB,CAAA,CAAA;AAED,IAAA,MAAM,EAAE,KAAA,EAAU,GAAA,MAAM,IAAK,CAAA,UAAA,CAAW,WAAY,CAAA,EAAE,MAAO,EAAA,EAAG,EAAE,KAAA,EAAO,CAAA,CAAA;AAEzE,IAAI,IAAA,KAAA,CAAM,WAAW,CAAG,EAAA;AACtB,MAAI,IAAA,KAAA,CAAM,SAAS,CAAG,EAAA;AACpB,QAAM,MAAA,IAAIC,qBAAc,0CAA0C,CAAA,CAAA;AAAA,OAC7D,MAAA;AACL,QAAM,MAAA,IAAIC,qBAAc,gBAAgB,CAAA,CAAA;AAAA,OAC1C;AAAA,KACF;AAEA,IAAA,OAAO,MAAM,CAAC,CAAA,CAAA;AAAA,GAChB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,yBAAyB,KAGT,EAAA;AACpB,IAAM,MAAA,EAAE,UAAY,EAAA,MAAA,EAAW,GAAA,KAAA,CAAA;AAC/B,IAAA,MAAM,kBAAqB,GAAA,UAAA,CACxB,GAAI,CAAA,CAAC,GAAgB,KAAA;AACpB,MAAI,IAAA;AACF,QAAA,MAAM,SAAY,GAAAC,2BAAA,CAAe,GAAI,CAAA,iBAAA,CAAkB,OAAO,CAAG,EAAA;AAAA,UAC/D,WAAa,EAAA,MAAA;AAAA,UACb,gBAAkB,EAAA,SAAA;AAAA,SACnB,CAAA,CAAA;AACD,QAAO,OAAA,SAAA,CAAA;AAAA,OACD,CAAA,MAAA;AACN,QAAQ,MAAA,EAAA,IAAA,CAAK,CAAkC,+BAAA,EAAA,GAAG,CAAY,UAAA,CAAA,CAAA,CAAA;AAC9D,QAAO,OAAA,IAAA,CAAA;AAAA,OACT;AAAA,KACD,CACA,CAAA,MAAA,CAAO,CAAC,GAAA,KAAkC,QAAQ,IAAI,CAAA,CAAA;AAEzD,IAAM,MAAA,MAAA,GAAS,kBAAmB,CAAA,GAAA,CAAI,CAAQ,GAAA,MAAA;AAAA,MAC5C,MAAM,GAAI,CAAA,IAAA;AAAA,MACV,sBAAsB,GAAI,CAAA,SAAA;AAAA,MAC1B,iBAAiB,GAAI,CAAA,IAAA;AAAA,KACrB,CAAA,CAAA,CAAA;AAEF,IAAA,MAAM,EAAE,KAAM,EAAA,GAAI,MAAM,IAAA,CAAK,KAAK,qBAAsB,CAAA;AAAA,MACtD,UAAY,EAAA,MAAM,IAAK,CAAA,IAAA,CAAK,wBAAyB,EAAA;AAAA,MACrD,cAAgB,EAAA,SAAA;AAAA,KACjB,CAAA,CAAA;AAED,IAAA,MAAM,QAAW,GAAA,MAAM,IAAK,CAAA,UAAA,CACzB,YAAY,EAAE,MAAA,EAAU,EAAA,EAAE,OAAO,CAAA,CACjC,IAAK,CAAA,CAAA,CAAA,KAAK,EAAE,KAAK,CAAA,CAAA;AAEpB,IAAI,IAAA,UAAA,CAAW,MAAW,KAAA,QAAA,CAAS,MAAQ,EAAA;AACzC,MAAM,MAAA,gBAAA,GAAmB,QAAS,CAAA,GAAA,CAAIC,+BAAkB,CAAA,CAAA;AACxD,MAAM,MAAA,kBAAA,GAAqB,kBACxB,CAAA,GAAA,CAAIA,+BAAkB,CAAA,CACtB,MAAO,CAAA,CAAA,CAAA,KAAK,CAAC,gBAAA,CAAiB,QAAS,CAAA,CAAC,CAAC,CAAA,CAAA;AAC5C,MAAA,MAAA,EAAQ,KAAM,CAAA,CAAA,4BAAA,EAA+B,kBAAmB,CAAA,IAAA,EAAM,CAAE,CAAA,CAAA,CAAA;AAAA,KAC1E;AAEA,IAAA,MAAM,WAAW,QAAS,CAAA,OAAA;AAAA,MACxB,CACE,CAAA,KAAA,CAAA,CAAG,SACC,EAAA,MAAA,CAAO,OAAK,CAAE,CAAA,IAAA,KAASC,+BAAkB,CAAA,CAC1C,GAAI,CAAA,CAAA,CAAA,KAAK,CAAE,CAAA,SAAS,KAAK,EAAC;AAAA,KACjC,CAAA;AAEA,IAAA,MAAM,aAAgB,GAAA;AAAA,MACpB,GAAG,IAAI,GAAI,CAAA,kBAAA,CAAmB,IAAID,+BAAkB,CAAA,CAAE,MAAO,CAAA,QAAQ,CAAC,CAAA;AAAA,KACxE,CAAA;AAEA,IAAA,MAAA,EAAQ,KAAM,CAAA,CAAA,0BAAA,EAA6B,aAAc,CAAA,IAAA,EAAM,CAAE,CAAA,CAAA,CAAA;AACjE,IAAO,OAAA,aAAA,CAAA;AAAA,GACT;AACF;;;;"}

package/dist/lib/flow/authFlowHelpers.cjs.js

@@ -0,0 +1,43 @@
+'use strict';
+
+var crypto = require('crypto');
+
+function _interopDefaultCompat (e) { return e && typeof e === 'object' && 'default' in e ? e : { default: e }; }
+
+var crypto__default = /*#__PURE__*/_interopDefaultCompat(crypto);
+
+const safelyEncodeURIComponent = (value) => {
+  return encodeURIComponent(value).replace(/'/g, "%27");
+};
+const postMessageResponse = (res, appOrigin, response) => {
+  const jsonData = JSON.stringify(response);
+  const base64Data = safelyEncodeURIComponent(jsonData);
+  const base64Origin = safelyEncodeURIComponent(appOrigin);
+  const script = `
+    var authResponse = decodeURIComponent('${base64Data}');
+    var origin = decodeURIComponent('${base64Origin}');
+    var originInfo = {'type': 'config_info', 'targetOrigin': origin};
+    (window.opener || window.parent).postMessage(originInfo, '*');
+    (window.opener || window.parent).postMessage(JSON.parse(authResponse), origin);
+    setTimeout(() => {
+      window.close();
+    }, 100); // same as the interval of the core-app-api lib/loginPopup.ts (to address race conditions)
+  `;
+  const hash = crypto__default.default.createHash("sha256").update(script).digest("base64");
+  res.setHeader("Content-Type", "text/html");
+  res.setHeader("X-Frame-Options", "sameorigin");
+  res.setHeader("Content-Security-Policy", `script-src 'sha256-${hash}'`);
+  res.end(`<html><body><script>${script}<\/script></body></html>`);
+};
+const ensuresXRequestedWith = (req) => {
+  const requiredHeader = req.header("X-Requested-With");
+  if (!requiredHeader || requiredHeader !== "XMLHttpRequest") {
+    return false;
+  }
+  return true;
+};
+
+exports.ensuresXRequestedWith = ensuresXRequestedWith;
+exports.postMessageResponse = postMessageResponse;
+exports.safelyEncodeURIComponent = safelyEncodeURIComponent;
+//# sourceMappingURL=authFlowHelpers.cjs.js.map

package/dist/lib/flow/authFlowHelpers.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authFlowHelpers.cjs.js","sources":["../../../src/lib/flow/authFlowHelpers.ts"],"sourcesContent":["/*\n * Copyright 2020 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport express from 'express';\nimport crypto from 'crypto';\nimport { WebMessageResponse } from './types';\n\nexport const safelyEncodeURIComponent = (value: string) => {\n  // Note the g at the end of the regex; all occurrences of single quotes must\n  // be replaced, which encodeURIComponent does not do itself by default\n  return encodeURIComponent(value).replace(/'/g, '%27');\n};\n\n/**\n * @public\n * @deprecated Use `sendWebMessageResponse` from `@backstage/plugin-auth-node` instead\n */\nexport const postMessageResponse = (\n  res: express.Response,\n  appOrigin: string,\n  response: WebMessageResponse,\n) => {\n  const jsonData = JSON.stringify(response);\n  const base64Data = safelyEncodeURIComponent(jsonData);\n  const base64Origin = safelyEncodeURIComponent(appOrigin);\n\n  // NOTE: It is absolutely imperative that we use the safe encoder above, to\n  // be sure that the js code below does not allow the injection of malicious\n  // data.\n\n  // TODO: Make target app origin configurable globally\n\n  //\n  // postMessage fails silently if the targetOrigin is disallowed.\n  // So 2 postMessages are sent from the popup to the parent window.\n  // First, the origin being used to post the actual authorization response is\n  // shared with the parent window with a postMessage with targetOrigin '*'.\n  // Second, the actual authorization response is sent with the app origin\n  // as the targetOrigin.\n  // If the first message was received but the actual auth response was\n  // never received, the event listener can conclude that targetOrigin\n  // was disallowed, indicating potential misconfiguration.\n  //\n  const script = `\n    var authResponse = decodeURIComponent('${base64Data}');\n    var origin = decodeURIComponent('${base64Origin}');\n    var originInfo = {'type': 'config_info', 'targetOrigin': origin};\n    (window.opener || window.parent).postMessage(originInfo, '*');\n    (window.opener || window.parent).postMessage(JSON.parse(authResponse), origin);\n    setTimeout(() => {\n      window.close();\n    }, 100); // same as the interval of the core-app-api lib/loginPopup.ts (to address race conditions)\n  `;\n  const hash = crypto.createHash('sha256').update(script).digest('base64');\n\n  res.setHeader('Content-Type', 'text/html');\n  res.setHeader('X-Frame-Options', 'sameorigin');\n  res.setHeader('Content-Security-Policy', `script-src 'sha256-${hash}'`);\n  res.end(`<html><body><script>${script}</script></body></html>`);\n};\n\n/**\n * @public\n * @deprecated Use inline logic to check that the `X-Requested-With` header is set to `'XMLHttpRequest'` instead.\n */\nexport const ensuresXRequestedWith = (req: express.Request) => {\n  const requiredHeader = req.header('X-Requested-With');\n  if (!requiredHeader || requiredHeader !== 'XMLHttpRequest') {\n    return false;\n  }\n  return true;\n};\n"],"names":["crypto"],"mappings":";;;;;;;;AAoBa,MAAA,wBAAA,GAA2B,CAAC,KAAkB,KAAA;AAGzD,EAAA,OAAO,kBAAmB,CAAA,KAAK,CAAE,CAAA,OAAA,CAAQ,MAAM,KAAK,CAAA,CAAA;AACtD,EAAA;AAMO,MAAM,mBAAsB,GAAA,CACjC,GACA,EAAA,SAAA,EACA,QACG,KAAA;AACH,EAAM,MAAA,QAAA,GAAW,IAAK,CAAA,SAAA,CAAU,QAAQ,CAAA,CAAA;AACxC,EAAM,MAAA,UAAA,GAAa,yBAAyB,QAAQ,CAAA,CAAA;AACpD,EAAM,MAAA,YAAA,GAAe,yBAAyB,SAAS,CAAA,CAAA;AAmBvD,EAAA,MAAM,MAAS,GAAA,CAAA;AAAA,2CAAA,EAC4B,UAAU,CAAA;AAAA,qCAAA,EAChB,YAAY,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAAA,CAAA,CAAA;AAQjD,EAAM,MAAA,IAAA,GAAOA,wBAAO,UAAW,CAAA,QAAQ,EAAE,MAAO,CAAA,MAAM,CAAE,CAAA,MAAA,CAAO,QAAQ,CAAA,CAAA;AAEvE,EAAI,GAAA,CAAA,SAAA,CAAU,gBAAgB,WAAW,CAAA,CAAA;AACzC,EAAI,GAAA,CAAA,SAAA,CAAU,mBAAmB,YAAY,CAAA,CAAA;AAC7C,EAAA,GAAA,CAAI,SAAU,CAAA,yBAAA,EAA2B,CAAsB,mBAAA,EAAA,IAAI,CAAG,CAAA,CAAA,CAAA,CAAA;AACtE,EAAI,GAAA,CAAA,GAAA,CAAI,CAAuB,oBAAA,EAAA,MAAM,CAAyB,wBAAA,CAAA,CAAA,CAAA;AAChE,EAAA;AAMa,MAAA,qBAAA,GAAwB,CAAC,GAAyB,KAAA;AAC7D,EAAM,MAAA,cAAA,GAAiB,GAAI,CAAA,MAAA,CAAO,kBAAkB,CAAA,CAAA;AACpD,EAAI,IAAA,CAAC,cAAkB,IAAA,cAAA,KAAmB,gBAAkB,EAAA;AAC1D,IAAO,OAAA,KAAA,CAAA;AAAA,GACT;AACA,EAAO,OAAA,IAAA,CAAA;AACT;;;;;;"}

package/dist/lib/legacy/adaptLegacyOAuthHandler.cjs.js

@@ -0,0 +1,20 @@
+'use strict';
+
+function adaptLegacyOAuthHandler(authHandler) {
+  return authHandler && (async (result, ctx) => authHandler(
+    {
+      fullProfile: result.fullProfile,
+      accessToken: result.session.accessToken,
+      params: {
+        scope: result.session.scope,
+        id_token: result.session.idToken,
+        token_type: result.session.tokenType,
+        expires_in: result.session.expiresInSeconds
+      }
+    },
+    ctx
+  ));
+}
+
+exports.adaptLegacyOAuthHandler = adaptLegacyOAuthHandler;
+//# sourceMappingURL=adaptLegacyOAuthHandler.cjs.js.map

package/dist/lib/legacy/adaptLegacyOAuthHandler.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"adaptLegacyOAuthHandler.cjs.js","sources":["../../../src/lib/legacy/adaptLegacyOAuthHandler.ts"],"sourcesContent":["/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  OAuthAuthenticatorResult,\n  ProfileTransform,\n} from '@backstage/plugin-auth-node';\nimport { AuthHandler } from '../../providers';\nimport { OAuthResult } from '../oauth';\nimport { PassportProfile } from '../passport/types';\n\n/** @internal */\nexport function adaptLegacyOAuthHandler(\n  authHandler?: AuthHandler<OAuthResult>,\n): ProfileTransform<OAuthAuthenticatorResult<PassportProfile>> | undefined {\n  return (\n    authHandler &&\n    (async (result, ctx) =>\n      authHandler(\n        {\n          fullProfile: result.fullProfile,\n          accessToken: result.session.accessToken,\n          params: {\n            scope: result.session.scope,\n            id_token: result.session.idToken,\n            token_type: result.session.tokenType,\n            expires_in: result.session.expiresInSeconds!,\n          },\n        },\n        ctx,\n      ))\n  );\n}\n"],"names":[],"mappings":";;AAyBO,SAAS,wBACd,WACyE,EAAA;AACzE,EACE,OAAA,WAAA,KACC,OAAO,MAAA,EAAQ,GACd,KAAA,WAAA;AAAA,IACE;AAAA,MACE,aAAa,MAAO,CAAA,WAAA;AAAA,MACpB,WAAA,EAAa,OAAO,OAAQ,CAAA,WAAA;AAAA,MAC5B,MAAQ,EAAA;AAAA,QACN,KAAA,EAAO,OAAO,OAAQ,CAAA,KAAA;AAAA,QACtB,QAAA,EAAU,OAAO,OAAQ,CAAA,OAAA;AAAA,QACzB,UAAA,EAAY,OAAO,OAAQ,CAAA,SAAA;AAAA,QAC3B,UAAA,EAAY,OAAO,OAAQ,CAAA,gBAAA;AAAA,OAC7B;AAAA,KACF;AAAA,IACA,GAAA;AAAA,GACF,CAAA,CAAA;AAEN;;;;"}

package/dist/lib/legacy/adaptLegacyOAuthSignInResolver.cjs.js

@@ -0,0 +1,24 @@
+'use strict';
+
+function adaptLegacyOAuthSignInResolver(signInResolver) {
+  return signInResolver && (async (input, ctx) => signInResolver(
+    {
+      profile: input.profile,
+      result: {
+        fullProfile: input.result.fullProfile,
+        accessToken: input.result.session.accessToken,
+        refreshToken: input.result.session.refreshToken,
+        params: {
+          scope: input.result.session.scope,
+          id_token: input.result.session.idToken,
+          token_type: input.result.session.tokenType,
+          expires_in: input.result.session.expiresInSeconds
+        }
+      }
+    },
+    ctx
+  ));
+}
+
+exports.adaptLegacyOAuthSignInResolver = adaptLegacyOAuthSignInResolver;
+//# sourceMappingURL=adaptLegacyOAuthSignInResolver.cjs.js.map

package/dist/lib/legacy/adaptLegacyOAuthSignInResolver.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"adaptLegacyOAuthSignInResolver.cjs.js","sources":["../../../src/lib/legacy/adaptLegacyOAuthSignInResolver.ts"],"sourcesContent":["/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  OAuthAuthenticatorResult,\n  PassportProfile,\n  SignInResolver,\n} from '@backstage/plugin-auth-node';\nimport { OAuthResult } from '../oauth';\n\n/** @internal */\nexport function adaptLegacyOAuthSignInResolver(\n  signInResolver?: SignInResolver<OAuthResult>,\n): SignInResolver<OAuthAuthenticatorResult<PassportProfile>> | undefined {\n  return (\n    signInResolver &&\n    (async (input, ctx) =>\n      signInResolver(\n        {\n          profile: input.profile,\n          result: {\n            fullProfile: input.result.fullProfile,\n            accessToken: input.result.session.accessToken,\n            refreshToken: input.result.session.refreshToken,\n            params: {\n              scope: input.result.session.scope,\n              id_token: input.result.session.idToken,\n              token_type: input.result.session.tokenType,\n              expires_in: input.result.session.expiresInSeconds!,\n            },\n          },\n        },\n        ctx,\n      ))\n  );\n}\n"],"names":[],"mappings":";;AAwBO,SAAS,+BACd,cACuE,EAAA;AACvE,EACE,OAAA,cAAA,KACC,OAAO,KAAA,EAAO,GACb,KAAA,cAAA;AAAA,IACE;AAAA,MACE,SAAS,KAAM,CAAA,OAAA;AAAA,MACf,MAAQ,EAAA;AAAA,QACN,WAAA,EAAa,MAAM,MAAO,CAAA,WAAA;AAAA,QAC1B,WAAA,EAAa,KAAM,CAAA,MAAA,CAAO,OAAQ,CAAA,WAAA;AAAA,QAClC,YAAA,EAAc,KAAM,CAAA,MAAA,CAAO,OAAQ,CAAA,YAAA;AAAA,QACnC,MAAQ,EAAA;AAAA,UACN,KAAA,EAAO,KAAM,CAAA,MAAA,CAAO,OAAQ,CAAA,KAAA;AAAA,UAC5B,QAAA,EAAU,KAAM,CAAA,MAAA,CAAO,OAAQ,CAAA,OAAA;AAAA,UAC/B,UAAA,EAAY,KAAM,CAAA,MAAA,CAAO,OAAQ,CAAA,SAAA;AAAA,UACjC,UAAA,EAAY,KAAM,CAAA,MAAA,CAAO,OAAQ,CAAA,gBAAA;AAAA,SACnC;AAAA,OACF;AAAA,KACF;AAAA,IACA,GAAA;AAAA,GACF,CAAA,CAAA;AAEN;;;;"}

package/dist/lib/legacy/adaptOAuthSignInResolverToLegacy.cjs.js

@@ -0,0 +1,29 @@
+'use strict';
+
+function adaptOAuthSignInResolverToLegacy(resolvers) {
+  const legacyResolvers = {};
+  for (const name of Object.keys(resolvers)) {
+    const resolver = resolvers[name];
+    legacyResolvers[name] = () => async (input, ctx) => resolver(
+      {
+        profile: input.profile,
+        result: {
+          fullProfile: input.result.fullProfile,
+          session: {
+            accessToken: input.result.accessToken,
+            expiresInSeconds: input.result.params.expires_in,
+            scope: input.result.params.scope,
+            idToken: input.result.params.id_token,
+            tokenType: input.result.params.token_type ?? "bearer",
+            refreshToken: input.result.refreshToken
+          }
+        }
+      },
+      ctx
+    );
+  }
+  return legacyResolvers;
+}
+
+exports.adaptOAuthSignInResolverToLegacy = adaptOAuthSignInResolverToLegacy;
+//# sourceMappingURL=adaptOAuthSignInResolverToLegacy.cjs.js.map

package/dist/lib/legacy/adaptOAuthSignInResolverToLegacy.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"adaptOAuthSignInResolverToLegacy.cjs.js","sources":["../../../src/lib/legacy/adaptOAuthSignInResolverToLegacy.ts"],"sourcesContent":["/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  OAuthAuthenticatorResult,\n  PassportProfile,\n  SignInResolver,\n} from '@backstage/plugin-auth-node';\nimport { OAuthResult } from '../oauth';\n\n/** @internal */\nexport function adaptOAuthSignInResolverToLegacy<\n  TKeys extends string,\n>(resolvers: {\n  [key in TKeys]: SignInResolver<OAuthAuthenticatorResult<PassportProfile>>;\n}): { [key in TKeys]: () => SignInResolver<OAuthResult> } {\n  const legacyResolvers = {} as {\n    [key in TKeys]: () => SignInResolver<OAuthResult>;\n  };\n  for (const name of Object.keys(resolvers) as TKeys[]) {\n    const resolver = resolvers[name];\n    legacyResolvers[name] = () => async (input, ctx) =>\n      resolver(\n        {\n          profile: input.profile,\n          result: {\n            fullProfile: input.result.fullProfile,\n            session: {\n              accessToken: input.result.accessToken,\n              expiresInSeconds: input.result.params.expires_in,\n              scope: input.result.params.scope,\n              idToken: input.result.params.id_token,\n              tokenType: input.result.params.token_type ?? 'bearer',\n              refreshToken: input.result.refreshToken,\n            },\n          },\n        },\n        ctx,\n      );\n  }\n  return legacyResolvers;\n}\n"],"names":[],"mappings":";;AAwBO,SAAS,iCAEd,SAEwD,EAAA;AACxD,EAAA,MAAM,kBAAkB,EAAC,CAAA;AAGzB,EAAA,KAAA,MAAW,IAAQ,IAAA,MAAA,CAAO,IAAK,CAAA,SAAS,CAAc,EAAA;AACpD,IAAM,MAAA,QAAA,GAAW,UAAU,IAAI,CAAA,CAAA;AAC/B,IAAA,eAAA,CAAgB,IAAI,CAAA,GAAI,MAAM,OAAO,OAAO,GAC1C,KAAA,QAAA;AAAA,MACE;AAAA,QACE,SAAS,KAAM,CAAA,OAAA;AAAA,QACf,MAAQ,EAAA;AAAA,UACN,WAAA,EAAa,MAAM,MAAO,CAAA,WAAA;AAAA,UAC1B,OAAS,EAAA;AAAA,YACP,WAAA,EAAa,MAAM,MAAO,CAAA,WAAA;AAAA,YAC1B,gBAAA,EAAkB,KAAM,CAAA,MAAA,CAAO,MAAO,CAAA,UAAA;AAAA,YACtC,KAAA,EAAO,KAAM,CAAA,MAAA,CAAO,MAAO,CAAA,KAAA;AAAA,YAC3B,OAAA,EAAS,KAAM,CAAA,MAAA,CAAO,MAAO,CAAA,QAAA;AAAA,YAC7B,SAAW,EAAA,KAAA,CAAM,MAAO,CAAA,MAAA,CAAO,UAAc,IAAA,QAAA;AAAA,YAC7C,YAAA,EAAc,MAAM,MAAO,CAAA,YAAA;AAAA,WAC7B;AAAA,SACF;AAAA,OACF;AAAA,MACA,GAAA;AAAA,KACF,CAAA;AAAA,GACJ;AACA,EAAO,OAAA,eAAA,CAAA;AACT;;;;"}

package/dist/lib/oauth/OAuthAdapter.cjs.js

@@ -0,0 +1,220 @@
+'use strict';
+
+var crypto = require('crypto');
+var url = require('url');
+var errors = require('@backstage/errors');
+var helpers = require('./helpers.cjs.js');
+var authFlowHelpers = require('../flow/authFlowHelpers.cjs.js');
+var prepareBackstageIdentityResponse = require('../../providers/prepareBackstageIdentityResponse.cjs.js');
+
+function _interopDefaultCompat (e) { return e && typeof e === 'object' && 'default' in e ? e : { default: e }; }
+
+var crypto__default = /*#__PURE__*/_interopDefaultCompat(crypto);
+
+const THOUSAND_DAYS_MS = 1e3 * 24 * 60 * 60 * 1e3;
+const TEN_MINUTES_MS = 600 * 1e3;
+class OAuthAdapter {
+  constructor(handlers, options) {
+    this.handlers = handlers;
+    this.options = options;
+    this.baseCookieOptions = {
+      httpOnly: true,
+      sameSite: "lax"
+    };
+  }
+  static fromConfig(config, handlers, options) {
+    const { appUrl, baseUrl, isOriginAllowed } = config;
+    const { origin: appOrigin } = new url.URL(appUrl);
+    const cookieConfigurer = config.cookieConfigurer ?? helpers.defaultCookieConfigurer;
+    return new OAuthAdapter(handlers, {
+      ...options,
+      appOrigin,
+      baseUrl,
+      cookieConfigurer,
+      isOriginAllowed
+    });
+  }
+  baseCookieOptions;
+  async start(req, res) {
+    const scope = req.query.scope?.toString() ?? "";
+    const env = req.query.env?.toString();
+    const origin = req.query.origin?.toString();
+    const redirectUrl = req.query.redirectUrl?.toString();
+    const flow = req.query.flow?.toString();
+    if (!env) {
+      throw new errors.InputError("No env provided in request query parameters");
+    }
+    const cookieConfig = this.getCookieConfig(origin);
+    const nonce = crypto__default.default.randomBytes(16).toString("base64");
+    this.setNonceCookie(res, nonce, cookieConfig);
+    const state = { nonce, env, origin, redirectUrl, flow };
+    if (this.options.persistScopes) {
+      state.scope = scope;
+    }
+    const forwardReq = Object.assign(req, { scope, state });
+    const { url, status } = await this.handlers.start(
+      forwardReq
+    );
+    res.statusCode = status || 302;
+    res.setHeader("Location", url);
+    res.setHeader("Content-Length", "0");
+    res.end();
+  }
+  async frameHandler(req, res) {
+    let appOrigin = this.options.appOrigin;
+    try {
+      const state = helpers.readState(req.query.state?.toString() ?? "");
+      if (state.origin) {
+        try {
+          appOrigin = new url.URL(state.origin).origin;
+        } catch {
+          throw new errors.NotAllowedError("App origin is invalid, failed to parse");
+        }
+        if (!this.options.isOriginAllowed(appOrigin)) {
+          throw new errors.NotAllowedError(`Origin '${appOrigin}' is not allowed`);
+        }
+      }
+      helpers.verifyNonce(req, this.options.providerId);
+      const { response, refreshToken } = await this.handlers.handler(req);
+      const cookieConfig = this.getCookieConfig(appOrigin);
+      if (this.options.persistScopes && state.scope) {
+        this.setGrantedScopeCookie(res, state.scope, cookieConfig);
+        response.providerInfo.scope = state.scope;
+      }
+      if (refreshToken) {
+        this.setRefreshTokenCookie(res, refreshToken, cookieConfig);
+      }
+      const identity = await this.populateIdentity(response.backstageIdentity);
+      const responseObj = {
+        type: "authorization_response",
+        response: { ...response, backstageIdentity: identity }
+      };
+      if (state.flow === "redirect") {
+        if (!state.redirectUrl) {
+          throw new errors.InputError(
+            "No redirectUrl provided in request query parameters"
+          );
+        }
+        res.redirect(state.redirectUrl);
+        return void 0;
+      }
+      return authFlowHelpers.postMessageResponse(res, appOrigin, responseObj);
+    } catch (error) {
+      const { name, message } = errors.isError(error) ? error : new Error("Encountered invalid error");
+      return authFlowHelpers.postMessageResponse(res, appOrigin, {
+        type: "authorization_response",
+        error: { name, message }
+      });
+    }
+  }
+  async logout(req, res) {
+    if (!authFlowHelpers.ensuresXRequestedWith(req)) {
+      throw new errors.AuthenticationError("Invalid X-Requested-With header");
+    }
+    if (this.handlers.logout) {
+      const refreshToken = this.getRefreshTokenFromCookie(req);
+      const revokeRequest = Object.assign(req, {
+        refreshToken
+      });
+      await this.handlers.logout(revokeRequest);
+    }
+    const origin = req.get("origin");
+    const cookieConfig = this.getCookieConfig(origin);
+    this.removeRefreshTokenCookie(res, cookieConfig);
+    res.status(200).end();
+  }
+  async refresh(req, res) {
+    if (!authFlowHelpers.ensuresXRequestedWith(req)) {
+      throw new errors.AuthenticationError("Invalid X-Requested-With header");
+    }
+    if (!this.handlers.refresh) {
+      throw new errors.InputError(
+        `Refresh token is not supported for provider ${this.options.providerId}`
+      );
+    }
+    try {
+      const refreshToken = this.getRefreshTokenFromCookie(req);
+      if (!refreshToken) {
+        throw new errors.InputError("Missing session cookie");
+      }
+      let scope = req.query.scope?.toString() ?? "";
+      if (this.options.persistScopes) {
+        scope = this.getGrantedScopeFromCookie(req);
+      }
+      const forwardReq = Object.assign(req, { scope, refreshToken });
+      const { response, refreshToken: newRefreshToken } = await this.handlers.refresh(forwardReq);
+      const backstageIdentity = await this.populateIdentity(
+        response.backstageIdentity
+      );
+      if (newRefreshToken && newRefreshToken !== refreshToken) {
+        const origin = req.get("origin");
+        const cookieConfig = this.getCookieConfig(origin);
+        this.setRefreshTokenCookie(res, newRefreshToken, cookieConfig);
+      }
+      res.status(200).json({ ...response, backstageIdentity });
+    } catch (error) {
+      throw new errors.AuthenticationError("Refresh failed", error);
+    }
+  }
+  /**
+   * If the response from the OAuth provider includes a Backstage identity, we
+   * make sure it's populated with all the information we can derive from the user ID.
+   */
+  async populateIdentity(identity) {
+    if (!identity) {
+      return void 0;
+    }
+    if (!identity.token) {
+      throw new errors.InputError(`Identity response must return a token`);
+    }
+    return prepareBackstageIdentityResponse.prepareBackstageIdentityResponse(identity);
+  }
+  setNonceCookie = (res, nonce, cookieConfig) => {
+    res.cookie(`${this.options.providerId}-nonce`, nonce, {
+      maxAge: TEN_MINUTES_MS,
+      ...this.baseCookieOptions,
+      ...cookieConfig,
+      path: `${cookieConfig.path}/handler`
+    });
+  };
+  setGrantedScopeCookie = (res, scope, cookieConfig) => {
+    res.cookie(`${this.options.providerId}-granted-scope`, scope, {
+      maxAge: THOUSAND_DAYS_MS,
+      ...this.baseCookieOptions,
+      ...cookieConfig
+    });
+  };
+  getRefreshTokenFromCookie = (req) => {
+    return req.cookies[`${this.options.providerId}-refresh-token`];
+  };
+  getGrantedScopeFromCookie = (req) => {
+    return req.cookies[`${this.options.providerId}-granted-scope`];
+  };
+  setRefreshTokenCookie = (res, refreshToken, cookieConfig) => {
+    res.cookie(`${this.options.providerId}-refresh-token`, refreshToken, {
+      maxAge: THOUSAND_DAYS_MS,
+      ...this.baseCookieOptions,
+      ...cookieConfig
+    });
+  };
+  removeRefreshTokenCookie = (res, cookieConfig) => {
+    res.cookie(`${this.options.providerId}-refresh-token`, "", {
+      maxAge: 0,
+      ...this.baseCookieOptions,
+      ...cookieConfig
+    });
+  };
+  getCookieConfig = (origin) => {
+    return this.options.cookieConfigurer({
+      providerId: this.options.providerId,
+      baseUrl: this.options.baseUrl,
+      callbackUrl: this.options.callbackUrl,
+      appOrigin: origin ?? this.options.appOrigin
+    });
+  };
+}
+
+exports.OAuthAdapter = OAuthAdapter;
+exports.TEN_MINUTES_MS = TEN_MINUTES_MS;
+exports.THOUSAND_DAYS_MS = THOUSAND_DAYS_MS;
+//# sourceMappingURL=OAuthAdapter.cjs.js.map

package/dist/lib/oauth/OAuthAdapter.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"OAuthAdapter.cjs.js","sources":["../../../src/lib/oauth/OAuthAdapter.ts"],"sourcesContent":["/*\n * Copyright 2020 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport express, { CookieOptions } from 'express';\nimport crypto from 'crypto';\nimport { URL } from 'url';\nimport {\n  AuthProviderConfig,\n  AuthProviderRouteHandlers,\n  BackstageIdentityResponse,\n  BackstageSignInResult,\n  CookieConfigurer,\n  OAuthState,\n} from '@backstage/plugin-auth-node';\nimport {\n  AuthenticationError,\n  InputError,\n  isError,\n  NotAllowedError,\n} from '@backstage/errors';\nimport { defaultCookieConfigurer, readState, verifyNonce } from './helpers';\nimport {\n  postMessageResponse,\n  ensuresXRequestedWith,\n  WebMessageResponse,\n} from '../flow';\nimport {\n  OAuthHandlers,\n  OAuthStartRequest,\n  OAuthRefreshRequest,\n  OAuthLogoutRequest,\n} from './types';\nimport { prepareBackstageIdentityResponse } from '../../providers/prepareBackstageIdentityResponse';\n\nexport const THOUSAND_DAYS_MS = 1000 * 24 * 60 * 60 * 1000;\nexport const TEN_MINUTES_MS = 600 * 1000;\n\n/**\n * @public\n * @deprecated Use `createOAuthRouteHandlers` from `@backstage/plugin-auth-node` instead\n */\nexport type OAuthAdapterOptions = {\n  providerId: string;\n  persistScopes?: boolean;\n  appOrigin: string;\n  baseUrl: string;\n  cookieConfigurer: CookieConfigurer;\n  isOriginAllowed: (origin: string) => boolean;\n  callbackUrl: string;\n};\n\n/**\n * @public\n * @deprecated Use `createOAuthRouteHandlers` from `@backstage/plugin-auth-node` instead\n */\nexport class OAuthAdapter implements AuthProviderRouteHandlers {\n  static fromConfig(\n    config: AuthProviderConfig,\n    handlers: OAuthHandlers,\n    options: Pick<\n      OAuthAdapterOptions,\n      'providerId' | 'persistScopes' | 'callbackUrl'\n    >,\n  ): OAuthAdapter {\n    const { appUrl, baseUrl, isOriginAllowed } = config;\n    const { origin: appOrigin } = new URL(appUrl);\n\n    const cookieConfigurer = config.cookieConfigurer ?? defaultCookieConfigurer;\n\n    return new OAuthAdapter(handlers, {\n      ...options,\n      appOrigin,\n      baseUrl,\n      cookieConfigurer,\n      isOriginAllowed,\n    });\n  }\n\n  private readonly baseCookieOptions: CookieOptions;\n\n  constructor(\n    private readonly handlers: OAuthHandlers,\n    private readonly options: OAuthAdapterOptions,\n  ) {\n    this.baseCookieOptions = {\n      httpOnly: true,\n      sameSite: 'lax',\n    };\n  }\n\n  async start(req: express.Request, res: express.Response): Promise<void> {\n    // retrieve scopes from request\n    const scope = req.query.scope?.toString() ?? '';\n    const env = req.query.env?.toString();\n    const origin = req.query.origin?.toString();\n    const redirectUrl = req.query.redirectUrl?.toString();\n    const flow = req.query.flow?.toString();\n\n    if (!env) {\n      throw new InputError('No env provided in request query parameters');\n    }\n\n    const cookieConfig = this.getCookieConfig(origin);\n\n    const nonce = crypto.randomBytes(16).toString('base64');\n    // set a nonce cookie before redirecting to oauth provider\n    this.setNonceCookie(res, nonce, cookieConfig);\n\n    const state: OAuthState = { nonce, env, origin, redirectUrl, flow };\n\n    // If scopes are persisted then we pass them through the state so that we\n    // can set the cookie on successful auth\n    if (this.options.persistScopes) {\n      state.scope = scope;\n    }\n    const forwardReq = Object.assign(req, { scope, state });\n\n    const { url, status } = await this.handlers.start(\n      forwardReq as OAuthStartRequest,\n    );\n\n    res.statusCode = status || 302;\n    res.setHeader('Location', url);\n    res.setHeader('Content-Length', '0');\n    res.end();\n  }\n\n  async frameHandler(\n    req: express.Request,\n    res: express.Response,\n  ): Promise<void> {\n    let appOrigin = this.options.appOrigin;\n\n    try {\n      const state: OAuthState = readState(req.query.state?.toString() ?? '');\n\n      if (state.origin) {\n        try {\n          appOrigin = new URL(state.origin).origin;\n        } catch {\n          throw new NotAllowedError('App origin is invalid, failed to parse');\n        }\n        if (!this.options.isOriginAllowed(appOrigin)) {\n          throw new NotAllowedError(`Origin '${appOrigin}' is not allowed`);\n        }\n      }\n\n      // verify nonce cookie and state cookie on callback\n      verifyNonce(req, this.options.providerId);\n\n      const { response, refreshToken } = await this.handlers.handler(req);\n\n      const cookieConfig = this.getCookieConfig(appOrigin);\n\n      // Store the scope that we have been granted for this session. This is useful if\n      // the provider does not return granted scopes on refresh or if they are normalized.\n      if (this.options.persistScopes && state.scope) {\n        this.setGrantedScopeCookie(res, state.scope, cookieConfig);\n        response.providerInfo.scope = state.scope;\n      }\n\n      if (refreshToken) {\n        // set new refresh token\n        this.setRefreshTokenCookie(res, refreshToken, cookieConfig);\n      }\n\n      const identity = await this.populateIdentity(response.backstageIdentity);\n\n      const responseObj: WebMessageResponse = {\n        type: 'authorization_response',\n        response: { ...response, backstageIdentity: identity },\n      };\n\n      if (state.flow === 'redirect') {\n        if (!state.redirectUrl) {\n          throw new InputError(\n            'No redirectUrl provided in request query parameters',\n          );\n        }\n        res.redirect(state.redirectUrl);\n        return undefined;\n      }\n      // post message back to popup if successful\n      return postMessageResponse(res, appOrigin, responseObj);\n    } catch (error) {\n      const { name, message } = isError(error)\n        ? error\n        : new Error('Encountered invalid error'); // Being a bit safe and not forwarding the bad value\n      // post error message back to popup if failure\n      return postMessageResponse(res, appOrigin, {\n        type: 'authorization_response',\n        error: { name, message },\n      });\n    }\n  }\n\n  async logout(req: express.Request, res: express.Response): Promise<void> {\n    if (!ensuresXRequestedWith(req)) {\n      throw new AuthenticationError('Invalid X-Requested-With header');\n    }\n\n    if (this.handlers.logout) {\n      const refreshToken = this.getRefreshTokenFromCookie(req);\n      const revokeRequest: OAuthLogoutRequest = Object.assign(req, {\n        refreshToken,\n      });\n      await this.handlers.logout(revokeRequest);\n    }\n\n    // remove refresh token cookie if it is set\n    const origin = req.get('origin');\n    const cookieConfig = this.getCookieConfig(origin);\n    this.removeRefreshTokenCookie(res, cookieConfig);\n\n    res.status(200).end();\n  }\n\n  async refresh(req: express.Request, res: express.Response): Promise<void> {\n    if (!ensuresXRequestedWith(req)) {\n      throw new AuthenticationError('Invalid X-Requested-With header');\n    }\n\n    if (!this.handlers.refresh) {\n      throw new InputError(\n        `Refresh token is not supported for provider ${this.options.providerId}`,\n      );\n    }\n\n    try {\n      const refreshToken = this.getRefreshTokenFromCookie(req);\n\n      // throw error if refresh token is missing in the request\n      if (!refreshToken) {\n        throw new InputError('Missing session cookie');\n      }\n\n      let scope = req.query.scope?.toString() ?? '';\n      if (this.options.persistScopes) {\n        scope = this.getGrantedScopeFromCookie(req);\n      }\n      const forwardReq = Object.assign(req, { scope, refreshToken });\n\n      // get new access_token\n      const { response, refreshToken: newRefreshToken } =\n        await this.handlers.refresh(forwardReq as OAuthRefreshRequest);\n\n      const backstageIdentity = await this.populateIdentity(\n        response.backstageIdentity,\n      );\n\n      if (newRefreshToken && newRefreshToken !== refreshToken) {\n        const origin = req.get('origin');\n        const cookieConfig = this.getCookieConfig(origin);\n        this.setRefreshTokenCookie(res, newRefreshToken, cookieConfig);\n      }\n\n      res.status(200).json({ ...response, backstageIdentity });\n    } catch (error) {\n      throw new AuthenticationError('Refresh failed', error);\n    }\n  }\n\n  /**\n   * If the response from the OAuth provider includes a Backstage identity, we\n   * make sure it's populated with all the information we can derive from the user ID.\n   */\n  private async populateIdentity(\n    identity?: BackstageSignInResult,\n  ): Promise<BackstageIdentityResponse | undefined> {\n    if (!identity) {\n      return undefined;\n    }\n    if (!identity.token) {\n      throw new InputError(`Identity response must return a token`);\n    }\n\n    return prepareBackstageIdentityResponse(identity);\n  }\n\n  private setNonceCookie = (\n    res: express.Response,\n    nonce: string,\n    cookieConfig: ReturnType<CookieConfigurer>,\n  ) => {\n    res.cookie(`${this.options.providerId}-nonce`, nonce, {\n      maxAge: TEN_MINUTES_MS,\n      ...this.baseCookieOptions,\n      ...cookieConfig,\n      path: `${cookieConfig.path}/handler`,\n    });\n  };\n\n  private setGrantedScopeCookie = (\n    res: express.Response,\n    scope: string,\n    cookieConfig: ReturnType<CookieConfigurer>,\n  ) => {\n    res.cookie(`${this.options.providerId}-granted-scope`, scope, {\n      maxAge: THOUSAND_DAYS_MS,\n      ...this.baseCookieOptions,\n      ...cookieConfig,\n    });\n  };\n\n  private getRefreshTokenFromCookie = (req: express.Request) => {\n    return req.cookies[`${this.options.providerId}-refresh-token`];\n  };\n\n  private getGrantedScopeFromCookie = (req: express.Request) => {\n    return req.cookies[`${this.options.providerId}-granted-scope`];\n  };\n\n  private setRefreshTokenCookie = (\n    res: express.Response,\n    refreshToken: string,\n    cookieConfig: ReturnType<CookieConfigurer>,\n  ) => {\n    res.cookie(`${this.options.providerId}-refresh-token`, refreshToken, {\n      maxAge: THOUSAND_DAYS_MS,\n      ...this.baseCookieOptions,\n      ...cookieConfig,\n    });\n  };\n\n  private removeRefreshTokenCookie = (\n    res: express.Response,\n    cookieConfig: ReturnType<CookieConfigurer>,\n  ) => {\n    res.cookie(`${this.options.providerId}-refresh-token`, '', {\n      maxAge: 0,\n      ...this.baseCookieOptions,\n      ...cookieConfig,\n    });\n  };\n\n  private getCookieConfig = (origin?: string) => {\n    return this.options.cookieConfigurer({\n      providerId: this.options.providerId,\n      baseUrl: this.options.baseUrl,\n      callbackUrl: this.options.callbackUrl,\n      appOrigin: origin ?? this.options.appOrigin,\n    });\n  };\n}\n"],"names":["URL","defaultCookieConfigurer","InputError","crypto","readState","NotAllowedError","verifyNonce","postMessageResponse","isError","ensuresXRequestedWith","AuthenticationError","prepareBackstageIdentityResponse"],"mappings":";;;;;;;;;;;;;AA+CO,MAAM,gBAAmB,GAAA,GAAA,GAAO,EAAK,GAAA,EAAA,GAAK,EAAK,GAAA,IAAA;AAC/C,MAAM,iBAAiB,GAAM,GAAA,IAAA;AAoB7B,MAAM,YAAkD,CAAA;AAAA,EAyB7D,WAAA,CACmB,UACA,OACjB,EAAA;AAFiB,IAAA,IAAA,CAAA,QAAA,GAAA,QAAA,CAAA;AACA,IAAA,IAAA,CAAA,OAAA,GAAA,OAAA,CAAA;AAEjB,IAAA,IAAA,CAAK,iBAAoB,GAAA;AAAA,MACvB,QAAU,EAAA,IAAA;AAAA,MACV,QAAU,EAAA,KAAA;AAAA,KACZ,CAAA;AAAA,GACF;AAAA,EAhCA,OAAO,UAAA,CACL,MACA,EAAA,QAAA,EACA,OAIc,EAAA;AACd,IAAA,MAAM,EAAE,MAAA,EAAQ,OAAS,EAAA,eAAA,EAAoB,GAAA,MAAA,CAAA;AAC7C,IAAA,MAAM,EAAE,MAAQ,EAAA,SAAA,EAAc,GAAA,IAAIA,QAAI,MAAM,CAAA,CAAA;AAE5C,IAAM,MAAA,gBAAA,GAAmB,OAAO,gBAAoB,IAAAC,+BAAA,CAAA;AAEpD,IAAO,OAAA,IAAI,aAAa,QAAU,EAAA;AAAA,MAChC,GAAG,OAAA;AAAA,MACH,SAAA;AAAA,MACA,OAAA;AAAA,MACA,gBAAA;AAAA,MACA,eAAA;AAAA,KACD,CAAA,CAAA;AAAA,GACH;AAAA,EAEiB,iBAAA,CAAA;AAAA,EAYjB,MAAM,KAAM,CAAA,GAAA,EAAsB,GAAsC,EAAA;AAEtE,IAAA,MAAM,KAAQ,GAAA,GAAA,CAAI,KAAM,CAAA,KAAA,EAAO,UAAc,IAAA,EAAA,CAAA;AAC7C,IAAA,MAAM,GAAM,GAAA,GAAA,CAAI,KAAM,CAAA,GAAA,EAAK,QAAS,EAAA,CAAA;AACpC,IAAA,MAAM,MAAS,GAAA,GAAA,CAAI,KAAM,CAAA,MAAA,EAAQ,QAAS,EAAA,CAAA;AAC1C,IAAA,MAAM,WAAc,GAAA,GAAA,CAAI,KAAM,CAAA,WAAA,EAAa,QAAS,EAAA,CAAA;AACpD,IAAA,MAAM,IAAO,GAAA,GAAA,CAAI,KAAM,CAAA,IAAA,EAAM,QAAS,EAAA,CAAA;AAEtC,IAAA,IAAI,CAAC,GAAK,EAAA;AACR,MAAM,MAAA,IAAIC,kBAAW,6CAA6C,CAAA,CAAA;AAAA,KACpE;AAEA,IAAM,MAAA,YAAA,GAAe,IAAK,CAAA,eAAA,CAAgB,MAAM,CAAA,CAAA;AAEhD,IAAA,MAAM,QAAQC,uBAAO,CAAA,WAAA,CAAY,EAAE,CAAA,CAAE,SAAS,QAAQ,CAAA,CAAA;AAEtD,IAAK,IAAA,CAAA,cAAA,CAAe,GAAK,EAAA,KAAA,EAAO,YAAY,CAAA,CAAA;AAE5C,IAAA,MAAM,QAAoB,EAAE,KAAA,EAAO,GAAK,EAAA,MAAA,EAAQ,aAAa,IAAK,EAAA,CAAA;AAIlE,IAAI,IAAA,IAAA,CAAK,QAAQ,aAAe,EAAA;AAC9B,MAAA,KAAA,CAAM,KAAQ,GAAA,KAAA,CAAA;AAAA,KAChB;AACA,IAAA,MAAM,aAAa,MAAO,CAAA,MAAA,CAAO,KAAK,EAAE,KAAA,EAAO,OAAO,CAAA,CAAA;AAEtD,IAAA,MAAM,EAAE,GAAK,EAAA,MAAA,EAAW,GAAA,MAAM,KAAK,QAAS,CAAA,KAAA;AAAA,MAC1C,UAAA;AAAA,KACF,CAAA;AAEA,IAAA,GAAA,CAAI,aAAa,MAAU,IAAA,GAAA,CAAA;AAC3B,IAAI,GAAA,CAAA,SAAA,CAAU,YAAY,GAAG,CAAA,CAAA;AAC7B,IAAI,GAAA,CAAA,SAAA,CAAU,kBAAkB,GAAG,CAAA,CAAA;AACnC,IAAA,GAAA,CAAI,GAAI,EAAA,CAAA;AAAA,GACV;AAAA,EAEA,MAAM,YACJ,CAAA,GAAA,EACA,GACe,EAAA;AACf,IAAI,IAAA,SAAA,GAAY,KAAK,OAAQ,CAAA,SAAA,CAAA;AAE7B,IAAI,IAAA;AACF,MAAA,MAAM,QAAoBC,iBAAU,CAAA,GAAA,CAAI,MAAM,KAAO,EAAA,QAAA,MAAc,EAAE,CAAA,CAAA;AAErE,MAAA,IAAI,MAAM,MAAQ,EAAA;AAChB,QAAI,IAAA;AACF,UAAA,SAAA,GAAY,IAAIJ,OAAA,CAAI,KAAM,CAAA,MAAM,CAAE,CAAA,MAAA,CAAA;AAAA,SAC5B,CAAA,MAAA;AACN,UAAM,MAAA,IAAIK,uBAAgB,wCAAwC,CAAA,CAAA;AAAA,SACpE;AACA,QAAA,IAAI,CAAC,IAAA,CAAK,OAAQ,CAAA,eAAA,CAAgB,SAAS,CAAG,EAAA;AAC5C,UAAA,MAAM,IAAIA,sBAAA,CAAgB,CAAW,QAAA,EAAA,SAAS,CAAkB,gBAAA,CAAA,CAAA,CAAA;AAAA,SAClE;AAAA,OACF;AAGA,MAAYC,mBAAA,CAAA,GAAA,EAAK,IAAK,CAAA,OAAA,CAAQ,UAAU,CAAA,CAAA;AAExC,MAAM,MAAA,EAAE,UAAU,YAAa,EAAA,GAAI,MAAM,IAAK,CAAA,QAAA,CAAS,QAAQ,GAAG,CAAA,CAAA;AAElE,MAAM,MAAA,YAAA,GAAe,IAAK,CAAA,eAAA,CAAgB,SAAS,CAAA,CAAA;AAInD,MAAA,IAAI,IAAK,CAAA,OAAA,CAAQ,aAAiB,IAAA,KAAA,CAAM,KAAO,EAAA;AAC7C,QAAA,IAAA,CAAK,qBAAsB,CAAA,GAAA,EAAK,KAAM,CAAA,KAAA,EAAO,YAAY,CAAA,CAAA;AACzD,QAAS,QAAA,CAAA,YAAA,CAAa,QAAQ,KAAM,CAAA,KAAA,CAAA;AAAA,OACtC;AAEA,MAAA,IAAI,YAAc,EAAA;AAEhB,QAAK,IAAA,CAAA,qBAAA,CAAsB,GAAK,EAAA,YAAA,EAAc,YAAY,CAAA,CAAA;AAAA,OAC5D;AAEA,MAAA,MAAM,QAAW,GAAA,MAAM,IAAK,CAAA,gBAAA,CAAiB,SAAS,iBAAiB,CAAA,CAAA;AAEvE,MAAA,MAAM,WAAkC,GAAA;AAAA,QACtC,IAAM,EAAA,wBAAA;AAAA,QACN,QAAU,EAAA,EAAE,GAAG,QAAA,EAAU,mBAAmB,QAAS,EAAA;AAAA,OACvD,CAAA;AAEA,MAAI,IAAA,KAAA,CAAM,SAAS,UAAY,EAAA;AAC7B,QAAI,IAAA,CAAC,MAAM,WAAa,EAAA;AACtB,UAAA,MAAM,IAAIJ,iBAAA;AAAA,YACR,qDAAA;AAAA,WACF,CAAA;AAAA,SACF;AACA,QAAI,GAAA,CAAA,QAAA,CAAS,MAAM,WAAW,CAAA,CAAA;AAC9B,QAAO,OAAA,KAAA,CAAA,CAAA;AAAA,OACT;AAEA,MAAO,OAAAK,mCAAA,CAAoB,GAAK,EAAA,SAAA,EAAW,WAAW,CAAA,CAAA;AAAA,aAC/C,KAAO,EAAA;AACd,MAAM,MAAA,EAAE,IAAM,EAAA,OAAA,EAAY,GAAAC,cAAA,CAAQ,KAAK,CACnC,GAAA,KAAA,GACA,IAAI,KAAA,CAAM,2BAA2B,CAAA,CAAA;AAEzC,MAAO,OAAAD,mCAAA,CAAoB,KAAK,SAAW,EAAA;AAAA,QACzC,IAAM,EAAA,wBAAA;AAAA,QACN,KAAA,EAAO,EAAE,IAAA,EAAM,OAAQ,EAAA;AAAA,OACxB,CAAA,CAAA;AAAA,KACH;AAAA,GACF;AAAA,EAEA,MAAM,MAAO,CAAA,GAAA,EAAsB,GAAsC,EAAA;AACvE,IAAI,IAAA,CAACE,qCAAsB,CAAA,GAAG,CAAG,EAAA;AAC/B,MAAM,MAAA,IAAIC,2BAAoB,iCAAiC,CAAA,CAAA;AAAA,KACjE;AAEA,IAAI,IAAA,IAAA,CAAK,SAAS,MAAQ,EAAA;AACxB,MAAM,MAAA,YAAA,GAAe,IAAK,CAAA,yBAAA,CAA0B,GAAG,CAAA,CAAA;AACvD,MAAM,MAAA,aAAA,GAAoC,MAAO,CAAA,MAAA,CAAO,GAAK,EAAA;AAAA,QAC3D,YAAA;AAAA,OACD,CAAA,CAAA;AACD,MAAM,MAAA,IAAA,CAAK,QAAS,CAAA,MAAA,CAAO,aAAa,CAAA,CAAA;AAAA,KAC1C;AAGA,IAAM,MAAA,MAAA,GAAS,GAAI,CAAA,GAAA,CAAI,QAAQ,CAAA,CAAA;AAC/B,IAAM,MAAA,YAAA,GAAe,IAAK,CAAA,eAAA,CAAgB,MAAM,CAAA,CAAA;AAChD,IAAK,IAAA,CAAA,wBAAA,CAAyB,KAAK,YAAY,CAAA,CAAA;AAE/C,IAAI,GAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA,CAAA;AAAA,GACtB;AAAA,EAEA,MAAM,OAAQ,CAAA,GAAA,EAAsB,GAAsC,EAAA;AACxE,IAAI,IAAA,CAACD,qCAAsB,CAAA,GAAG,CAAG,EAAA;AAC/B,MAAM,MAAA,IAAIC,2BAAoB,iCAAiC,CAAA,CAAA;AAAA,KACjE;AAEA,IAAI,IAAA,CAAC,IAAK,CAAA,QAAA,CAAS,OAAS,EAAA;AAC1B,MAAA,MAAM,IAAIR,iBAAA;AAAA,QACR,CAAA,4CAAA,EAA+C,IAAK,CAAA,OAAA,CAAQ,UAAU,CAAA,CAAA;AAAA,OACxE,CAAA;AAAA,KACF;AAEA,IAAI,IAAA;AACF,MAAM,MAAA,YAAA,GAAe,IAAK,CAAA,yBAAA,CAA0B,GAAG,CAAA,CAAA;AAGvD,MAAA,IAAI,CAAC,YAAc,EAAA;AACjB,QAAM,MAAA,IAAIA,kBAAW,wBAAwB,CAAA,CAAA;AAAA,OAC/C;AAEA,MAAA,IAAI,KAAQ,GAAA,GAAA,CAAI,KAAM,CAAA,KAAA,EAAO,UAAc,IAAA,EAAA,CAAA;AAC3C,MAAI,IAAA,IAAA,CAAK,QAAQ,aAAe,EAAA;AAC9B,QAAQ,KAAA,GAAA,IAAA,CAAK,0BAA0B,GAAG,CAAA,CAAA;AAAA,OAC5C;AACA,MAAA,MAAM,aAAa,MAAO,CAAA,MAAA,CAAO,KAAK,EAAE,KAAA,EAAO,cAAc,CAAA,CAAA;AAG7D,MAAM,MAAA,EAAE,UAAU,YAAc,EAAA,eAAA,KAC9B,MAAM,IAAA,CAAK,QAAS,CAAA,OAAA,CAAQ,UAAiC,CAAA,CAAA;AAE/D,MAAM,MAAA,iBAAA,GAAoB,MAAM,IAAK,CAAA,gBAAA;AAAA,QACnC,QAAS,CAAA,iBAAA;AAAA,OACX,CAAA;AAEA,MAAI,IAAA,eAAA,IAAmB,oBAAoB,YAAc,EAAA;AACvD,QAAM,MAAA,MAAA,GAAS,GAAI,CAAA,GAAA,CAAI,QAAQ,CAAA,CAAA;AAC/B,QAAM,MAAA,YAAA,GAAe,IAAK,CAAA,eAAA,CAAgB,MAAM,CAAA,CAAA;AAChD,QAAK,IAAA,CAAA,qBAAA,CAAsB,GAAK,EAAA,eAAA,EAAiB,YAAY,CAAA,CAAA;AAAA,OAC/D;AAEA,MAAI,GAAA,CAAA,MAAA,CAAO,GAAG,CAAE,CAAA,IAAA,CAAK,EAAE,GAAG,QAAA,EAAU,mBAAmB,CAAA,CAAA;AAAA,aAChD,KAAO,EAAA;AACd,MAAM,MAAA,IAAIQ,0BAAoB,CAAA,gBAAA,EAAkB,KAAK,CAAA,CAAA;AAAA,KACvD;AAAA,GACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAc,iBACZ,QACgD,EAAA;AAChD,IAAA,IAAI,CAAC,QAAU,EAAA;AACb,MAAO,OAAA,KAAA,CAAA,CAAA;AAAA,KACT;AACA,IAAI,IAAA,CAAC,SAAS,KAAO,EAAA;AACnB,MAAM,MAAA,IAAIR,kBAAW,CAAuC,qCAAA,CAAA,CAAA,CAAA;AAAA,KAC9D;AAEA,IAAA,OAAOS,kEAAiC,QAAQ,CAAA,CAAA;AAAA,GAClD;AAAA,EAEQ,cAAiB,GAAA,CACvB,GACA,EAAA,KAAA,EACA,YACG,KAAA;AACH,IAAA,GAAA,CAAI,OAAO,CAAG,EAAA,IAAA,CAAK,OAAQ,CAAA,UAAU,UAAU,KAAO,EAAA;AAAA,MACpD,MAAQ,EAAA,cAAA;AAAA,MACR,GAAG,IAAK,CAAA,iBAAA;AAAA,MACR,GAAG,YAAA;AAAA,MACH,IAAA,EAAM,CAAG,EAAA,YAAA,CAAa,IAAI,CAAA,QAAA,CAAA;AAAA,KAC3B,CAAA,CAAA;AAAA,GACH,CAAA;AAAA,EAEQ,qBAAwB,GAAA,CAC9B,GACA,EAAA,KAAA,EACA,YACG,KAAA;AACH,IAAA,GAAA,CAAI,OAAO,CAAG,EAAA,IAAA,CAAK,OAAQ,CAAA,UAAU,kBAAkB,KAAO,EAAA;AAAA,MAC5D,MAAQ,EAAA,gBAAA;AAAA,MACR,GAAG,IAAK,CAAA,iBAAA;AAAA,MACR,GAAG,YAAA;AAAA,KACJ,CAAA,CAAA;AAAA,GACH,CAAA;AAAA,EAEQ,yBAAA,GAA4B,CAAC,GAAyB,KAAA;AAC5D,IAAA,OAAO,IAAI,OAAQ,CAAA,CAAA,EAAG,IAAK,CAAA,OAAA,CAAQ,UAAU,CAAgB,cAAA,CAAA,CAAA,CAAA;AAAA,GAC/D,CAAA;AAAA,EAEQ,yBAAA,GAA4B,CAAC,GAAyB,KAAA;AAC5D,IAAA,OAAO,IAAI,OAAQ,CAAA,CAAA,EAAG,IAAK,CAAA,OAAA,CAAQ,UAAU,CAAgB,cAAA,CAAA,CAAA,CAAA;AAAA,GAC/D,CAAA;AAAA,EAEQ,qBAAwB,GAAA,CAC9B,GACA,EAAA,YAAA,EACA,YACG,KAAA;AACH,IAAA,GAAA,CAAI,OAAO,CAAG,EAAA,IAAA,CAAK,OAAQ,CAAA,UAAU,kBAAkB,YAAc,EAAA;AAAA,MACnE,MAAQ,EAAA,gBAAA;AAAA,MACR,GAAG,IAAK,CAAA,iBAAA;AAAA,MACR,GAAG,YAAA;AAAA,KACJ,CAAA,CAAA;AAAA,GACH,CAAA;AAAA,EAEQ,wBAAA,GAA2B,CACjC,GAAA,EACA,YACG,KAAA;AACH,IAAA,GAAA,CAAI,OAAO,CAAG,EAAA,IAAA,CAAK,OAAQ,CAAA,UAAU,kBAAkB,EAAI,EAAA;AAAA,MACzD,MAAQ,EAAA,CAAA;AAAA,MACR,GAAG,IAAK,CAAA,iBAAA;AAAA,MACR,GAAG,YAAA;AAAA,KACJ,CAAA,CAAA;AAAA,GACH,CAAA;AAAA,EAEQ,eAAA,GAAkB,CAAC,MAAoB,KAAA;AAC7C,IAAO,OAAA,IAAA,CAAK,QAAQ,gBAAiB,CAAA;AAAA,MACnC,UAAA,EAAY,KAAK,OAAQ,CAAA,UAAA;AAAA,MACzB,OAAA,EAAS,KAAK,OAAQ,CAAA,OAAA;AAAA,MACtB,WAAA,EAAa,KAAK,OAAQ,CAAA,WAAA;AAAA,MAC1B,SAAA,EAAW,MAAU,IAAA,IAAA,CAAK,OAAQ,CAAA,SAAA;AAAA,KACnC,CAAA,CAAA;AAAA,GACH,CAAA;AACF;;;;;;"}

package/dist/lib/oauth/OAuthEnvironmentHandler.cjs.js

@@ -0,0 +1,8 @@
+'use strict';
+
+var pluginAuthNode = require('@backstage/plugin-auth-node');
+
+const OAuthEnvironmentHandler = pluginAuthNode.OAuthEnvironmentHandler;
+
+exports.OAuthEnvironmentHandler = OAuthEnvironmentHandler;
+//# sourceMappingURL=OAuthEnvironmentHandler.cjs.js.map

package/dist/lib/oauth/OAuthEnvironmentHandler.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"OAuthEnvironmentHandler.cjs.js","sources":["../../../src/lib/oauth/OAuthEnvironmentHandler.ts"],"sourcesContent":["/*\n * Copyright 2020 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { OAuthEnvironmentHandler as _OAuthEnvironmentHandler } from '@backstage/plugin-auth-node';\n\n/**\n * @public\n * @deprecated import from `@backstage/plugin-auth-node` instead\n */\nexport const OAuthEnvironmentHandler = _OAuthEnvironmentHandler;\n"],"names":["_OAuthEnvironmentHandler"],"mappings":";;;;AAsBO,MAAM,uBAA0B,GAAAA;;;;"}

package/dist/lib/oauth/helpers.cjs.js

@@ -0,0 +1,40 @@
+'use strict';
+
+var pluginAuthNode = require('@backstage/plugin-auth-node');
+
+const readState = pluginAuthNode.decodeOAuthState;
+const encodeState = pluginAuthNode.encodeOAuthState;
+const verifyNonce = (req, providerId) => {
+  const cookieNonce = req.cookies[`${providerId}-nonce`];
+  const state = readState(req.query.state?.toString() ?? "");
+  const stateNonce = state.nonce;
+  if (!cookieNonce) {
+    throw new Error("Auth response is missing cookie nonce");
+  }
+  if (stateNonce.length === 0) {
+    throw new Error("Auth response is missing state nonce");
+  }
+  if (cookieNonce !== stateNonce) {
+    throw new Error("Invalid nonce");
+  }
+};
+const defaultCookieConfigurer = ({
+  callbackUrl,
+  providerId,
+  appOrigin
+}) => {
+  const { hostname: domain, pathname, protocol } = new URL(callbackUrl);
+  const secure = protocol === "https:";
+  let sameSite = "lax";
+  if (new URL(appOrigin).hostname !== domain && secure) {
+    sameSite = "none";
+  }
+  const path = pathname.endsWith(`${providerId}/handler/frame`) ? pathname.slice(0, -"/handler/frame".length) : `${pathname}/${providerId}`;
+  return { domain, path, secure, sameSite };
+};
+
+exports.defaultCookieConfigurer = defaultCookieConfigurer;
+exports.encodeState = encodeState;
+exports.readState = readState;
+exports.verifyNonce = verifyNonce;
+//# sourceMappingURL=helpers.cjs.js.map

package/dist/lib/oauth/helpers.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"helpers.cjs.js","sources":["../../../src/lib/oauth/helpers.ts"],"sourcesContent":["/*\n * Copyright 2020 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport express from 'express';\nimport {\n  CookieConfigurer,\n  OAuthState,\n  decodeOAuthState,\n  encodeOAuthState,\n} from '@backstage/plugin-auth-node';\n\n/**\n * @public\n * @deprecated Use `decodeOAuthState` from `@backstage/plugin-auth-node` instead\n */\nexport const readState = decodeOAuthState;\n\n/**\n * @public\n * @deprecated Use `encodeOAuthState` from `@backstage/plugin-auth-node` instead\n */\nexport const encodeState = encodeOAuthState;\n\n/**\n * @public\n * @deprecated Use inline logic to make sure the session and state nonce matches instead.\n */\nexport const verifyNonce = (req: express.Request, providerId: string) => {\n  const cookieNonce = req.cookies[`${providerId}-nonce`];\n  const state: OAuthState = readState(req.query.state?.toString() ?? '');\n  const stateNonce = state.nonce;\n\n  if (!cookieNonce) {\n    throw new Error('Auth response is missing cookie nonce');\n  }\n  if (stateNonce.length === 0) {\n    throw new Error('Auth response is missing state nonce');\n  }\n  if (cookieNonce !== stateNonce) {\n    throw new Error('Invalid nonce');\n  }\n};\n\nexport const defaultCookieConfigurer: CookieConfigurer = ({\n  callbackUrl,\n  providerId,\n  appOrigin,\n}) => {\n  const { hostname: domain, pathname, protocol } = new URL(callbackUrl);\n  const secure = protocol === 'https:';\n\n  // For situations where the auth-backend is running on a\n  // different domain than the app, we set the SameSite attribute\n  // to 'none' to allow third-party access to the cookie, but\n  // only if it's in a secure context (https).\n  let sameSite: ReturnType<CookieConfigurer>['sameSite'] = 'lax';\n  if (new URL(appOrigin).hostname !== domain && secure) {\n    sameSite = 'none';\n  }\n\n  // If the provider supports callbackUrls, the pathname will\n  // contain the complete path to the frame handler so we need\n  // to slice off the trailing part of the path.\n  const path = pathname.endsWith(`${providerId}/handler/frame`)\n    ? pathname.slice(0, -'/handler/frame'.length)\n    : `${pathname}/${providerId}`;\n\n  return { domain, path, secure, sameSite };\n};\n"],"names":["decodeOAuthState","encodeOAuthState"],"mappings":";;;;AA4BO,MAAM,SAAY,GAAAA,gCAAA;AAMlB,MAAM,WAAc,GAAAC,gCAAA;AAMd,MAAA,WAAA,GAAc,CAAC,GAAA,EAAsB,UAAuB,KAAA;AACvE,EAAA,MAAM,WAAc,GAAA,GAAA,CAAI,OAAQ,CAAA,CAAA,EAAG,UAAU,CAAQ,MAAA,CAAA,CAAA,CAAA;AACrD,EAAA,MAAM,QAAoB,SAAU,CAAA,GAAA,CAAI,MAAM,KAAO,EAAA,QAAA,MAAc,EAAE,CAAA,CAAA;AACrE,EAAA,MAAM,aAAa,KAAM,CAAA,KAAA,CAAA;AAEzB,EAAA,IAAI,CAAC,WAAa,EAAA;AAChB,IAAM,MAAA,IAAI,MAAM,uCAAuC,CAAA,CAAA;AAAA,GACzD;AACA,EAAI,IAAA,UAAA,CAAW,WAAW,CAAG,EAAA;AAC3B,IAAM,MAAA,IAAI,MAAM,sCAAsC,CAAA,CAAA;AAAA,GACxD;AACA,EAAA,IAAI,gBAAgB,UAAY,EAAA;AAC9B,IAAM,MAAA,IAAI,MAAM,eAAe,CAAA,CAAA;AAAA,GACjC;AACF,EAAA;AAEO,MAAM,0BAA4C,CAAC;AAAA,EACxD,WAAA;AAAA,EACA,UAAA;AAAA,EACA,SAAA;AACF,CAAM,KAAA;AACJ,EAAM,MAAA,EAAE,UAAU,MAAQ,EAAA,QAAA,EAAU,UAAa,GAAA,IAAI,IAAI,WAAW,CAAA,CAAA;AACpE,EAAA,MAAM,SAAS,QAAa,KAAA,QAAA,CAAA;AAM5B,EAAA,IAAI,QAAqD,GAAA,KAAA,CAAA;AACzD,EAAA,IAAI,IAAI,GAAI,CAAA,SAAS,CAAE,CAAA,QAAA,KAAa,UAAU,MAAQ,EAAA;AACpD,IAAW,QAAA,GAAA,MAAA,CAAA;AAAA,GACb;AAKA,EAAA,MAAM,OAAO,QAAS,CAAA,QAAA,CAAS,CAAG,EAAA,UAAU,gBAAgB,CACxD,GAAA,QAAA,CAAS,KAAM,CAAA,CAAA,EAAG,CAAC,gBAAiB,CAAA,MAAM,IAC1C,CAAG,EAAA,QAAQ,IAAI,UAAU,CAAA,CAAA,CAAA;AAE7B,EAAA,OAAO,EAAE,MAAA,EAAQ,IAAM,EAAA,MAAA,EAAQ,QAAS,EAAA,CAAA;AAC1C;;;;;;;"}