npm - @backstage/plugin-auth-backend - Versions diffs - 0.25.0-next.0 → 0.25.0-next.2 - Mend

@backstage/plugin-auth-backend 0.25.0-next.0 → 0.25.0-next.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/CHANGELOG.md +56 -0
package/config.d.ts +9 -0
package/dist/identity/StaticTokenIssuer.cjs.js +14 -21
package/dist/identity/StaticTokenIssuer.cjs.js.map +1 -1
package/dist/identity/TokenFactory.cjs.js +11 -76
package/dist/identity/TokenFactory.cjs.js.map +1 -1
package/dist/identity/issueUserToken.cjs.js +98 -0
package/dist/identity/issueUserToken.cjs.js.map +1 -0
package/dist/lib/resolvers/CatalogAuthResolverContext.cjs.js +29 -13
package/dist/lib/resolvers/CatalogAuthResolverContext.cjs.js.map +1 -1
package/dist/service/router.cjs.js +8 -2
package/dist/service/router.cjs.js.map +1 -1
package/package.json +9 -8

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,61 @@
 # @backstage/plugin-auth-backend
+## 0.25.0-next.2
+### Patch Changes
+- ab53e6f: Added support for the new `dangerousEntityRefFallback` option for `signInWithCatalogUser` in `AuthResolverContext`.
+- Updated dependencies
+  - @backstage/plugin-auth-node@0.6.3-next.2
+  - @backstage/backend-plugin-api@1.3.1-next.2
+  - @backstage/catalog-model@1.7.3
+  - @backstage/config@1.3.2
+  - @backstage/errors@1.2.7
+  - @backstage/types@1.2.1
+  - @backstage/plugin-catalog-node@1.17.0-next.2
+## 0.25.0-next.1
+### Patch Changes
+- 0d606ac: Added the configuration flag `auth.omitIdentityTokenOwnershipClaim` that causes issued user tokens to no longer contain the `ent` claim that represents the ownership references of the user.
+  The benefit of this new flag is that issued user tokens will be much smaller in
+  size, but they will no longer be self-contained. This means that any consumers
+  of the token that require access to the ownership claims now need to call the
+  `/api/auth/v1/userinfo` endpoint instead. Within the Backstage ecosystem this is
+  done automatically, as clients will still receive the full set of claims during
+  authentication, while plugin backends will need to use the `UserInfoService`
+  which already calls the user info endpoint if necessary.
+  When enabling this flag, it is important that any custom sign-in resolvers directly return the result of the sign-in method. For example, the following would not work:
+  ```ts
+  const { token } = await ctx.issueToken({
+    claims: { sub: entityRef, ent: [entityRef] },
+  });
+  return { token }; // WARNING: This will not work with the flag enabled
+  ```
+  Instead, the sign-in resolver should directly return the result:
+  ```ts
+  return ctx.issueToken({
+    claims: { sub: entityRef, ent: [entityRef] },
+  });
+  ```
+- 72d019d: Removed various typos
+- b128ed9: The `static` key store now issues tokens with the same structure as other key stores. Tokens now include the `typ` field in the header and the `uip` (user identity proof) in the payload.
+- Updated dependencies
+  - @backstage/plugin-catalog-node@1.17.0-next.1
+  - @backstage/plugin-auth-node@0.6.3-next.1
+  - @backstage/backend-plugin-api@1.3.1-next.1
+  - @backstage/catalog-model@1.7.3
+  - @backstage/config@1.3.2
+  - @backstage/errors@1.2.7
+  - @backstage/types@1.2.1
 ## 0.25.0-next.0
 ### Minor Changes

package/config.d.ts CHANGED Viewed

@@ -43,6 +43,15 @@ export interface Config {
      */
     identityTokenAlgorithm?: string;
+    /**
+     * Whether to omit the entity ownership references (`ent`) claim from the
+     * identity token. If this is enabled the `ent` claim will only be available
+     * via the user info endpoint and the `UserInfoService`.
+     *
+     * Defaults to `false`.
+     */
+    omitIdentityTokenOwnershipClaim?: boolean;
     /** To control how to store JWK data in auth-backend */
     keyStore?: {
       provider?: 'database' | 'memory' | 'firestore' | 'static';

package/dist/identity/StaticTokenIssuer.cjs.js CHANGED Viewed

@@ -1,40 +1,33 @@
 'use strict';
-var jose = require('jose');
-var catalogModel = require('@backstage/catalog-model');
-var errors = require('@backstage/errors');
+var issueUserToken = require('./issueUserToken.cjs.js');
-const MS_IN_S = 1e3;
 class StaticTokenIssuer {
   issuer;
   logger;
   keyStore;
   sessionExpirationSeconds;
+  omitClaimsFromToken;
+  userInfoDatabaseHandler;
   constructor(options, keyStore) {
     this.issuer = options.issuer;
     this.logger = options.logger;
     this.sessionExpirationSeconds = options.sessionExpirationSeconds;
     this.keyStore = keyStore;
+    this.omitClaimsFromToken = options.omitClaimsFromToken;
+    this.userInfoDatabaseHandler = options.userInfoDatabaseHandler;
   }
   async issueToken(params) {
     const key = await this.getSigningKey();
-    const iss = this.issuer;
-    const { sub, ent, ...additionalClaims } = params.claims;
-    const aud = "backstage";
-    const iat = Math.floor(Date.now() / MS_IN_S);
-    const exp = iat + this.sessionExpirationSeconds;
-    try {
-      catalogModel.parseEntityRef(sub);
-    } catch (error) {
-      throw new Error(
-        '"sub" claim provided by the auth resolver is not a valid EntityRef.'
-      );
-    }
-    this.logger.info(`Issuing token for ${sub}, with entities ${ent ?? []}`);
-    if (!key.alg) {
-      throw new errors.AuthenticationError("No algorithm was provided in the key");
-    }
-    return new jose.SignJWT({ ...additionalClaims, iss, sub, ent, aud, iat, exp }).setProtectedHeader({ alg: key.alg, kid: key.kid }).setIssuer(iss).setAudience(aud).setSubject(sub).setIssuedAt(iat).setExpirationTime(exp).sign(await jose.importJWK(key));
+    return issueUserToken.issueUserToken({
+      issuer: this.issuer,
+      key,
+      keyDurationSeconds: this.sessionExpirationSeconds,
+      logger: this.logger,
+      omitClaimsFromToken: this.omitClaimsFromToken,
+      params,
+      userInfoDatabaseHandler: this.userInfoDatabaseHandler
+    });
   }
   async getSigningKey() {
     const { items: keys } = await this.keyStore.listKeys();

package/dist/identity/StaticTokenIssuer.cjs.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"StaticTokenIssuer.cjs.js","sources":["../../src/identity/StaticTokenIssuer.ts"],"sourcesContent":["/\n Copyright 2023 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { AnyJWK, TokenIssuer } from './types';\nimport { ~~SignJWT, importJWK,~~ JWK } from 'jose';\nimport { ~~parseEntityRef~~ } from '@backstage/~~catalog~~-~~model~~';\nimport { ~~AuthenticationError~~ } from '~~@backstage/errors~~';\nimport { ~~LoggerService~~ } from '@backstage/~~backend-~~plugin-~~api~~';\nimport { ~~StaticKeyStore~~ } from './~~StaticKeyStore~~';\nimport { ~~TokenParams~~ } from '~~@backstage/plugin-auth-node~~';\n\~~nconst MS_IN_S = 1000;\n\~~nexport type Config = {\n publicKeyFile: string;\n privateKeyFile: string;\n keyId: string;\n algorithm?: string;\n};\n\nexport type Options = {\n logger: LoggerService;\n /* Value of the issuer claim in issued tokens /\n issuer: string;\n /* Expiration time of the JWT in seconds /\n sessionExpirationSeconds: number;\n};\n\n/\n A token issuer that issues tokens from predefined\n * public/private key pair stored in the static key store.\n */\nexport class StaticTokenIssuer implements TokenIssuer {\n private readonly issuer: string;\n private readonly logger: LoggerService;\n private readonly keyStore: StaticKeyStore;\n private readonly sessionExpirationSeconds: number;\n\n public constructor(options: Options, keyStore: StaticKeyStore) {\n this.issuer = options.issuer;\n this.logger = options.logger;\n this.sessionExpirationSeconds = options.sessionExpirationSeconds;\n this.keyStore = keyStore;\n }\n\n public async issueToken(params: TokenParams): Promise<~~string~~> {\n const key = await this.getSigningKey();\n\n // ~~TODO: code shared with TokenFactory.ts~~\n ~~const~~ ~~iss =~~ this.issuer;\n ~~const { sub, ent, ...additionalClaims } = params.claims;\~~n ~~const~~ ~~aud = 'backstage';\n const iat = Math.floor(Date.now() / MS_IN_S);\n const exp = iat +~~ this.sessionExpirationSeconds;\n~~\n // Validate that the subject claim is a valid EntityRef\n try {\n~~ ~~parseEntityRef(sub);\n }~~ ~~catch (error) {\n throw new Error(\n '\"sub\" claim provided by the auth resolver is not a valid EntityRef~~.',\n ~~);\n }\n\n~~ this.~~logger.info(`Issuing token for ${sub}, with entities ${ent ?? []}`);\~~n~~\n if (!key.alg) {\n~~ ~~throw new AuthenticationError('No algorithm was provided in the key');\~~n ~~}\n\n return new SignJWT({ ...additionalClaims, iss, sub, ent, aud, iat, exp })\n~~ ~~.setProtectedHeader({ alg~~: ~~key~~.~~alg, kid: key.kid~~ })~~\n .setIssuer(iss)\n .setAudience(aud)\n .setSubject(sub)\n .setIssuedAt(iat)\n .setExpirationTime(exp)\n .sign(await importJWK(key))~~;\n }\n\n private async getSigningKey(): Promise<JWK> {\n const { items: keys } = await this.keyStore.listKeys();\n if (keys.length >= 1) {\n return this.keyStore.getPrivateKey(keys[0].key.kid);\n }\n throw new Error('Keystore should hold at least 1 key');\n }\n\n public async listPublicKeys(): Promise<{ keys: AnyJWK[] }> {\n const { items: keys } = await this.keyStore.listKeys();\n return { keys: keys.map(({ key }) => key) };\n }\n}\n"],"names":["~~parseEntityRef~~"~~,"AuthenticationError","SignJWT","importJWK"~~],"mappings":"~~;;;;;;AAwBA~~,MAAM,~~OAAU,GAAA,GAAA;AAqBT,MAAM,~~iBAAyC,CAAA;AAAA,EACnC,MAAA;AAAA,EACA,MAAA;AAAA,EACA,QAAA;AAAA,EACA,wBAAA;AAAA,EAEV,WAAA,CAAY,SAAkB,QAA0B,EAAA;AAC7D,IAAA,IAAA,CAAK,SAAS,OAAQ,CAAA,MAAA;AACtB,IAAA,IAAA,CAAK,SAAS,OAAQ,CAAA,MAAA;AACtB,IAAA,IAAA,CAAK,2BAA2B,OAAQ,CAAA,wBAAA;AACxC,IAAA,IAAA,CAAK,QAAW,GAAA,QAAA;~~AAAA;AAClB~~,~~EAEA~~,~~MAAa,WAAW,MAAsC,EAAA;AAC5D,IAAM,MAAA,GAAA,GAAM,MAAM,~~IAAA,CAAK,~~aAAc~~,~~EAAA;AAGrC~~,~~IAAA,MAAM,MAAM,IAAK,~~CAAA,~~MAAA~~;~~AACjB~~,IAAA,~~MAAM~~,~~EAAE~~,~~GAAK~~,~~EAAA~~,~~GAAA,EAAK,GAAG,gBAAA,KAAqB,MAAO,~~CAAA,~~MAAA~~;~~AACjD,IAAA,MAAM,GAAM,GAAA,WAAA~~;~~AACZ~~,~~IAAA~~,~~MAAM~~,~~MAAM~~,~~IAAK~~,~~CAAA,KAAA,CAAM,IAAK,CAAA,GAAA,KAAQ,OAAO,CAAA~~;~~AAC3C~~,IAAM,MAAA,GAAA,GAAM,MAAM,~~IAAK~~,~~CAAA~~,~~wBAAA~~;~~AAGvB~~,~~IAAI,~~IAAA~~;AACF~~,~~MAAAA~~,~~2BAAA~~,~~CAAe,GAAG,~~CAAA;AAAA,~~aACX~~,~~KAAO~~,~~EAAA;AACd~~,MAAA~~,MAAM,IAAI,KAAA~~;AAAA,~~QACR;AAAA~~,~~OACF~~;AAAA~~;AAGF~~,IAAK,~~IAAA,~~CAAA,~~MAAA~~,~~CAAO~~,~~KAAK~~,~~CAAqB~~,~~kBAAA,EAAA,GAAG,mBAAmB,GAAO,IAAA,EAAE,CAAE,~~CAAA,~~CAAA~~;~~AAEvE~~,~~IAAI~~,~~IAAA~~,~~CAAC~~,~~IAAI~~,~~GAAK,EAAA~~;~~AACZ~~,~~MAAM~~,MAAA,~~IAAIC~~,~~2BAAoB~~,~~sCAAsC~~,CAAA;AAAA~~;AAGtE~~,~~IAAA~~,~~OAAO,IAAIC,YAAQ,~~CAAA,EAAE,GAAG,gBAAkB,EAAA,GAAA,EAAK,KAAK,GAAK,EAAA,GAAA,EAAK,KAAK,GAAI,EAAC,EACrE,kBAAmB,CAAA,EAAE,KAAK,GAAI,CAAA,GAAA,EAAK,KAAK,GAAI,CAAA,GAAA,EAAK,CAAA,CACjD,UAAU,GAAG,CAAA,CACb,YAAY,GAAG,CAAA,CACf,WAAW,GAAG,CAAA,CACd,YAAY,GAAG,CAAA,CACf,kBAAkB,GAAG,CAAA,CACrB,KAAK,MAAMC,cAAA,CAAU,GAAG,CAAC,CAAA;AAAA;~~AAC9B~~,EAEA,MAAc,aAA8B,GAAA;AAC1C,IAAA,MAAM,EAAE,KAAO,EAAA,IAAA,KAAS,MAAM,IAAA,CAAK,SAAS,QAAS,EAAA;AACrD,IAAI,IAAA,IAAA,CAAK,UAAU,CAAG,EAAA;AACpB,MAAA,OAAO,KAAK,QAAS,CAAA,aAAA,CAAc,KAAK,CAAC,CAAA,CAAE,IAAI,GAAG,CAAA;AAAA;AAEpD,IAAM,MAAA,IAAI,MAAM,qCAAqC,CAAA;AAAA;AACvD,EAEA,MAAa,cAA8C,GAAA;AACzD,IAAA,MAAM,EAAE,KAAO,EAAA,IAAA,KAAS,MAAM,IAAA,CAAK,SAAS,QAAS,EAAA;AACrD,IAAO,OAAA,EAAE,MAAM,IAAK,CAAA,GAAA,CAAI,CAAC,EAAE,GAAA,EAAU,KAAA,GAAG,CAAE,EAAA;AAAA;AAE9C;;;;"}
1	+ {"version":3,"file":"StaticTokenIssuer.cjs.js","sources":["../../src/identity/StaticTokenIssuer.ts"],"sourcesContent":["/\n Copyright 2023 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { AnyJWK, TokenIssuer } from './types';\nimport { JWK } from 'jose';\nimport { LoggerService } from '@backstage/backend-plugin-api';\nimport { StaticKeyStore } from './StaticKeyStore';\nimport {\n BackstageSignInResult,\n TokenParams,\n} from '@backstage/plugin-auth-node';\nimport { UserInfoDatabaseHandler } from './UserInfoDatabaseHandler';\nimport { issueUserToken } from './issueUserToken';\n\nexport type Config = {\n publicKeyFile: string;\n privateKeyFile: string;\n keyId: string;\n algorithm?: string;\n};\n\nexport type Options = {\n logger: LoggerService;\n /* Value of the issuer claim in issued tokens /\n issuer: string;\n /* Expiration time of the JWT in seconds /\n sessionExpirationSeconds: number;\n /\n A list of claims to omit from issued tokens and only store in the user info database\n /\n omitClaimsFromToken?: string[];\n userInfoDatabaseHandler: UserInfoDatabaseHandler;\n};\n\n/\n A token issuer that issues tokens from predefined\n * public/private key pair stored in the static key store.\n */\nexport class StaticTokenIssuer implements TokenIssuer {\n private readonly issuer: string;\n private readonly logger: LoggerService;\n private readonly keyStore: StaticKeyStore;\n private readonly sessionExpirationSeconds: number;\n private readonly omitClaimsFromToken?: string[];\n private readonly userInfoDatabaseHandler: UserInfoDatabaseHandler;\n\n public constructor(options: Options, keyStore: StaticKeyStore) {\n this.issuer = options.issuer;\n this.logger = options.logger;\n this.sessionExpirationSeconds = options.sessionExpirationSeconds;\n this.keyStore = keyStore;\n this.omitClaimsFromToken = options.omitClaimsFromToken;\n this.userInfoDatabaseHandler = options.userInfoDatabaseHandler;\n }\n\n public async issueToken(params: TokenParams): Promise<BackstageSignInResult> {\n const key = await this.getSigningKey();\n\n return issueUserToken({\n issuer: this.issuer,\n key,\n keyDurationSeconds: this.sessionExpirationSeconds,\n logger: this.logger,\n omitClaimsFromToken: this.omitClaimsFromToken,\n params,\n userInfoDatabaseHandler: this.userInfoDatabaseHandler,\n });\n }\n\n private async getSigningKey(): Promise<JWK> {\n const { items: keys } = await this.keyStore.listKeys();\n if (keys.length >= 1) {\n return this.keyStore.getPrivateKey(keys[0].key.kid);\n }\n throw new Error('Keystore should hold at least 1 key');\n }\n\n public async listPublicKeys(): Promise<{ keys: AnyJWK[] }> {\n const { items: keys } = await this.keyStore.listKeys();\n return { keys: keys.map(({ key }) => key) };\n }\n}\n"],"names":["issueUserToken"],"mappings":";;;;AAmDO,MAAM,iBAAyC,CAAA;AAAA,EACnC,MAAA;AAAA,EACA,MAAA;AAAA,EACA,QAAA;AAAA,EACA,wBAAA;AAAA,EACA,mBAAA;AAAA,EACA,uBAAA;AAAA,EAEV,WAAA,CAAY,SAAkB,QAA0B,EAAA;AAC7D,IAAA,IAAA,CAAK,SAAS,OAAQ,CAAA,MAAA;AACtB,IAAA,IAAA,CAAK,SAAS,OAAQ,CAAA,MAAA;AACtB,IAAA,IAAA,CAAK,2BAA2B,OAAQ,CAAA,wBAAA;AACxC,IAAA,IAAA,CAAK,QAAW,GAAA,QAAA;AAChB,IAAA,IAAA,CAAK,sBAAsB,OAAQ,CAAA,mBAAA;AACnC,IAAA,IAAA,CAAK,0BAA0B,OAAQ,CAAA,uBAAA;AAAA;AACzC,EAEA,MAAa,WAAW,MAAqD,EAAA;AAC3E,IAAM,MAAA,GAAA,GAAM,MAAM,IAAA,CAAK,aAAc,EAAA;AAErC,IAAA,OAAOA,6BAAe,CAAA;AAAA,MACpB,QAAQ,IAAK,CAAA,MAAA;AAAA,MACb,GAAA;AAAA,MACA,oBAAoB,IAAK,CAAA,wBAAA;AAAA,MACzB,QAAQ,IAAK,CAAA,MAAA;AAAA,MACb,qBAAqB,IAAK,CAAA,mBAAA;AAAA,MAC1B,MAAA;AAAA,MACA,yBAAyB,IAAK,CAAA;AAAA,KAC/B,CAAA;AAAA;AACH,EAEA,MAAc,aAA8B,GAAA;AAC1C,IAAA,MAAM,EAAE,KAAO,EAAA,IAAA,KAAS,MAAM,IAAA,CAAK,SAAS,QAAS,EAAA;AACrD,IAAI,IAAA,IAAA,CAAK,UAAU,CAAG,EAAA;AACpB,MAAA,OAAO,KAAK,QAAS,CAAA,aAAA,CAAc,KAAK,CAAC,CAAA,CAAE,IAAI,GAAG,CAAA;AAAA;AAEpD,IAAM,MAAA,IAAI,MAAM,qCAAqC,CAAA;AAAA;AACvD,EAEA,MAAa,cAA8C,GAAA;AACzD,IAAA,MAAM,EAAE,KAAO,EAAA,IAAA,KAAS,MAAM,IAAA,CAAK,SAAS,QAAS,EAAA;AACrD,IAAO,OAAA,EAAE,MAAM,IAAK,CAAA,GAAA,CAAI,CAAC,EAAE,GAAA,EAAU,KAAA,GAAG,CAAE,EAAA;AAAA;AAE9C;;;;"}

package/dist/identity/TokenFactory.cjs.js CHANGED Viewed

@@ -1,21 +1,17 @@
 'use strict';
-var catalogModel = require('@backstage/catalog-model');
-var errors = require('@backstage/errors');
 var jose = require('jose');
-var lodash = require('lodash');
 var luxon = require('luxon');
 var uuid = require('uuid');
-var pluginAuthNode = require('@backstage/plugin-auth-node');
+var issueUserToken = require('./issueUserToken.cjs.js');
-const MS_IN_S = 1e3;
-const MAX_TOKEN_LENGTH = 32768;
 class TokenFactory {
   issuer;
   logger;
   keyStore;
   keyDurationSeconds;
   algorithm;
+  omitClaimsFromToken;
   userInfoDatabaseHandler;
   keyExpiry;
   privateKeyPromise;
@@ -25,62 +21,20 @@ class TokenFactory {
     this.keyStore = options.keyStore;
     this.keyDurationSeconds = options.keyDurationSeconds;
     this.algorithm = options.algorithm ?? "ES256";
+    this.omitClaimsFromToken = options.omitClaimsFromToken;
     this.userInfoDatabaseHandler = options.userInfoDatabaseHandler;
   }
   async issueToken(params) {
     const key = await this.getKey();
-    const iss = this.issuer;
-    const { sub, ent = [sub], ...additionalClaims } = params.claims;
-    const aud = pluginAuthNode.tokenTypes.user.audClaim;
-    const iat = Math.floor(Date.now() / MS_IN_S);
-    const exp = iat + this.keyDurationSeconds;
-    try {
-      catalogModel.parseEntityRef(sub);
-    } catch (error) {
-      throw new Error(
-        '"sub" claim provided by the auth resolver is not a valid EntityRef.'
-      );
-    }
-    if (!key.alg) {
-      throw new errors.AuthenticationError("No algorithm was provided in the key");
-    }
-    this.logger.info(`Issuing token for ${sub}, with entities ${ent}`);
-    const signingKey = await jose.importJWK(key);
-    const uip = await this.createUserIdentityClaim({
-      header: {
-        typ: pluginAuthNode.tokenTypes.limitedUser.typParam,
-        alg: key.alg,
-        kid: key.kid
-      },
-      payload: { sub, iat, exp },
-      key: signingKey
+    return issueUserToken.issueUserToken({
+      issuer: this.issuer,
+      key,
+      keyDurationSeconds: this.keyDurationSeconds,
+      logger: this.logger,
+      omitClaimsFromToken: this.omitClaimsFromToken,
+      params,
+      userInfoDatabaseHandler: this.userInfoDatabaseHandler
     });
-    const claims = {
-      ...additionalClaims,
-      iss,
-      sub,
-      ent,
-      aud,
-      iat,
-      exp,
-      uip
-    };
-    const token = await new jose.SignJWT(claims).setProtectedHeader({
-      typ: pluginAuthNode.tokenTypes.user.typParam,
-      alg: key.alg,
-      kid: key.kid
-    }).sign(signingKey);
-    if (token.length > MAX_TOKEN_LENGTH) {
-      throw new Error(
-        `Failed to issue a new user token. The resulting token is excessively large, with either too many ownership claims or too large custom claims. You likely have a bug either in the sign-in resolver or catalog data. The following claims were requested: '${JSON.stringify(
-          claims
-        )}'`
-      );
-    }
-    await this.userInfoDatabaseHandler.addUserInfo({
-      claims: lodash.omit(claims, ["aud", "iat", "iss", "uip"])
-    });
-    return token;
   }
   // This will be called by other services that want to verify ID tokens.
   // It is important that it returns a list of all public keys that could
@@ -139,25 +93,6 @@ class TokenFactory {
     }
     return promise;
   }
-  // Creates a string claim that can be used as part of reconstructing a limited
-  // user token. The output of this function is only the signature part of a
-  // JWS.
-  async createUserIdentityClaim(options) {
-    const header = {
-      typ: options.header.typ,
-      alg: options.header.alg,
-      ...options.header.kid ? { kid: options.header.kid } : {}
-    };
-    const payload = {
-      sub: options.payload.sub,
-      iat: options.payload.iat,
-      exp: options.payload.exp
-    };
-    const jws = await new jose.GeneralSign(
-      new TextEncoder().encode(JSON.stringify(payload))
-    ).addSignature(options.key).setProtectedHeader(header).done().sign();
-    return jws.signatures[0].signature;
-  }
 }
 exports.TokenFactory = TokenFactory;

package/dist/identity/TokenFactory.cjs.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"TokenFactory.cjs.js","sources":["../../src/identity/TokenFactory.ts"],"sourcesContent":["/\n Copyright 2020 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { parseEntityRef } from '@backstage/catalog-model';\nimport { AuthenticationError } from '@backstage/errors';\nimport {\n exportJWK,\n generateKeyPair,\n importJWK,\n JWK,\n SignJWT,\n GeneralSign,\n KeyLike,\n} from 'jose';\nimport { omit } from 'lodash';\nimport { DateTime } from 'luxon';\nimport { v4 as uuid } from 'uuid';\nimport { LoggerService } from '@backstage/backend-plugin-api';\nimport { TokenParams, tokenTypes } from '@backstage/plugin-auth-node';\nimport { AnyJWK, KeyStore, TokenIssuer } from './types';\nimport { JsonValue } from '@backstage/types';\nimport { UserInfoDatabaseHandler } from './UserInfoDatabaseHandler';\n\nconst MS_IN_S = 1000;\nconst MAX_TOKEN_LENGTH = 32768; // At 64 bytes per entity ref this still leaves room for about 500 entities\n\n/\n The payload contents of a valid Backstage JWT token\n /\nexport interface BackstageTokenPayload {\n /\n The issuer of the token, currently the discovery URL of the auth backend\n /\n iss: string;\n\n /\n The entity ref of the user\n /\n sub: string;\n\n /\n The entity refs that the user claims ownership througg\n /\n ent: string[];\n\n /\n A hard coded audience string\n /\n aud: typeof tokenTypes.user.audClaim;\n\n /\n Standard expiry in epoch seconds\n /\n exp: number;\n\n /\n Standard issue time in epoch seconds\n /\n iat: number;\n\n /\n A separate user identity proof that the auth service can convert to a limited user token\n /\n uip: string;\n\n /\n Any other custom claims that the adopter may have added\n /\n [claim: string]: JsonValue;\n}\n\n/\n The payload contents of a valid Backstage user identity claim token\n \n @internal\n /\ninterface BackstageUserIdentityProofPayload {\n /\n The entity ref of the user\n /\n sub: string;\n\n /\n Standard expiry in epoch seconds\n /\n exp: number;\n\n /\n Standard issue time in epoch seconds\n /\n iat: number;\n}\n\ntype Options = {\n logger: LoggerService;\n /* Value of the issuer claim in issued tokens /\n issuer: string;\n /* Key store used for storing signing keys /\n keyStore: KeyStore;\n /* Expiration time of signing keys in seconds /\n keyDurationSeconds: number;\n /* JWS \"alg\" (Algorithm) Header Parameter value. Defaults to ES256.\n * Must match one of the algorithms defined for IdentityClient.\n * When setting a different algorithm, check if the `key` field\n * of the `signing_keys` table can fit the length of the generated keys.\n * If not, add a knex migration file in the migrations folder.\n * More info on supported algorithms: https://github.com/panva/jose /\n algorithm?: string;\n userInfoDatabaseHandler: UserInfoDatabaseHandler;\n};\n\n/\n A token issuer that is able to issue tokens in a distributed system\n * backed by a single database. Tokens are issued using lazily generated\n * signing keys, where each running instance of the auth service uses its own\n * signing key.\n \n The public parts of the keys are all stored in the shared key storage,\n * and any of the instances of the auth service will return the full list\n * of public keys that are currently in storage.\n \n Signing keys are automatically rotated at the same interval as the token\n * duration. Expired keys are kept in storage until there are no valid tokens\n * in circulation that could have been signed by that key.\n /\nexport class TokenFactory implements TokenIssuer {\n private readonly issuer: string;\n private readonly logger: LoggerService;\n private readonly keyStore: KeyStore;\n private readonly keyDurationSeconds: number;\n private readonly algorithm: string;\n private readonly userInfoDatabaseHandler: UserInfoDatabaseHandler;\n\n private keyExpiry?: Date;\n private privateKeyPromise?: Promise<JWK>;\n\n constructor(options: Options) {\n this.issuer = options.issuer;\n this.logger = options.logger;\n this.keyStore = options.keyStore;\n this.keyDurationSeconds = options.keyDurationSeconds;\n this.algorithm = options.algorithm ?? 'ES256';\n this.userInfoDatabaseHandler = options.userInfoDatabaseHandler;\n }\n\n async issueToken(params: TokenParams): Promise<string> {\n const key = await this.getKey();\n\n const iss = this.issuer;\n const { sub, ent = [sub], ...additionalClaims } = params.claims;\n const aud = tokenTypes.user.audClaim;\n const iat = Math.floor(Date.now() / MS_IN_S);\n const exp = iat + this.keyDurationSeconds;\n\n try {\n // The subject must be a valid entity ref\n parseEntityRef(sub);\n } catch (error) {\n throw new Error(\n '\"sub\" claim provided by the auth resolver is not a valid EntityRef.',\n );\n }\n\n if (!key.alg) {\n throw new AuthenticationError('No algorithm was provided in the key');\n }\n\n this.logger.info(`Issuing token for ${sub}, with entities ${ent}`);\n\n const signingKey = await importJWK(key);\n\n const uip = await this.createUserIdentityClaim({\n header: {\n typ: tokenTypes.limitedUser.typParam,\n alg: key.alg,\n kid: key.kid,\n },\n payload: { sub, iat, exp },\n key: signingKey,\n });\n\n const claims: BackstageTokenPayload = {\n ...additionalClaims,\n iss,\n sub,\n ent,\n aud,\n iat,\n exp,\n uip,\n };\n\n const token = await new SignJWT(claims)\n .setProtectedHeader({\n typ: tokenTypes.user.typParam,\n alg: key.alg,\n kid: key.kid,\n })\n .sign(signingKey);\n\n if (token.length > MAX_TOKEN_LENGTH) {\n throw new Error(\n `Failed to issue a new user token. The resulting token is excessively large, with either too many ownership claims or too large custom claims. You likely have a bug either in the sign-in resolver or catalog data. The following claims were requested: '${JSON.stringify(\n claims,\n )}'`,\n );\n }\n\n // Store the user info in the database upon successful token\n // issuance so that it can be retrieved later by limited user tokens\n await this.userInfoDatabaseHandler.addUserInfo({\n claims: omit(claims, ['aud', 'iat', 'iss', 'uip']),\n });\n\n return token;\n }\n\n // This will be called by other services that want to verify ID tokens.\n // It is important that it returns a list of all public keys that could\n // have been used to sign tokens that have not yet expired.\n async listPublicKeys(): Promise<{ keys: AnyJWK[] }> {\n const { items: keys } = await this.keyStore.listKeys();\n\n const validKeys = [];\n const expiredKeys = [];\n\n for (const key of keys) {\n // Allow for a grace period of another full key duration before we remove the keys from the database\n const expireAt = DateTime.fromJSDate(key.createdAt).plus({\n seconds: 3 this.keyDurationSeconds,\n });\n if (expireAt < DateTime.local()) {\n expiredKeys.push(key);\n } else {\n validKeys.push(key);\n }\n }\n\n // Lazily prune expired keys. This may cause duplicate removals if we have concurrent callers, but w/e\n if (expiredKeys.length > 0) {\n const kids = expiredKeys.map(({ key }) => key.kid);\n\n this.logger.info(`Removing expired signing keys, '${kids.join(\"', '\")}'`);\n\n // We don't await this, just let it run in the background\n this.keyStore.removeKeys(kids).catch(error => {\n this.logger.error(`Failed to remove expired keys, ${error}`);\n });\n }\n\n // NOTE: we're currently only storing public keys, but if we start storing private keys we'd have to convert here\n return { keys: validKeys.map(({ key }) => key) };\n }\n\n private async getKey(): Promise<JWK> {\n // Make sure that we only generate one key at a time\n if (this.privateKeyPromise) {\n if (\n this.keyExpiry &&\n DateTime.fromJSDate(this.keyExpiry) > DateTime.local()\n ) {\n return this.privateKeyPromise;\n }\n this.logger.info(`Signing key has expired, generating new key`);\n delete this.privateKeyPromise;\n }\n\n this.keyExpiry = DateTime.utc()\n .plus({\n seconds: this.keyDurationSeconds,\n })\n .toJSDate();\n const promise = (async () => {\n // This generates a new signing key to be used to sign tokens until the next key rotation\n const key = await generateKeyPair(this.algorithm);\n const publicKey = await exportJWK(key.publicKey);\n const privateKey = await exportJWK(key.privateKey);\n publicKey.kid = privateKey.kid = uuid();\n publicKey.alg = privateKey.alg = this.algorithm;\n\n // We're not allowed to use the key until it has been successfully stored\n // TODO: some token verification implementations aggressively cache the list of keys, and\n // don't attempt to fetch new ones even if they encounter an unknown kid. Therefore we\n // may want to keep using the existing key for some period of time until we switch to\n // the new one. This also needs to be implemented cross-service though, meaning new services\n // that boot up need to be able to grab an existing key to use for signing.\n this.logger.info(`Created new signing key ${publicKey.kid}`);\n await this.keyStore.addKey(publicKey as AnyJWK);\n\n // At this point we are allowed to start using the new key\n return privateKey;\n })();\n\n this.privateKeyPromise = promise;\n\n try {\n // If we fail to generate a new key, we need to clear the state so that\n // the next caller will try to generate another key.\n await promise;\n } catch (error) {\n this.logger.error(`Failed to generate new signing key, ${error}`);\n delete this.keyExpiry;\n delete this.privateKeyPromise;\n }\n\n return promise;\n }\n\n // Creates a string claim that can be used as part of reconstructing a limited\n // user token. The output of this function is only the signature part of a\n // JWS.\n private async createUserIdentityClaim(options: {\n header: {\n typ: string;\n alg: string;\n kid?: string;\n };\n payload: BackstageUserIdentityProofPayload;\n key: KeyLike \| Uint8Array;\n }): Promise<string> {\n // NOTE: We reconstruct the header and payload structures carefully to\n // perfectly guarantee ordering. The reason for this is that we store only\n // the signature part of these to reduce duplication within the Backstage\n // token. Anyone who wants to make an actual JWT based on all this must be\n // able to do the EXACT reconstruction of the header and payload parts, to\n // then append the signature.\n\n const header = {\n typ: options.header.typ,\n alg: options.header.alg,\n ...(options.header.kid ? { kid: options.header.kid } : {}),\n };\n\n const payload = {\n sub: options.payload.sub,\n iat: options.payload.iat,\n exp: options.payload.exp,\n };\n\n const jws = await new GeneralSign(\n new TextEncoder().encode(JSON.stringify(payload)),\n )\n .addSignature(options.key)\n .setProtectedHeader(header)\n .done()\n .sign();\n\n return jws.signatures[0].signature;\n }\n}\n"],"names":["tokenTypes","parseEntityRef","AuthenticationError","importJWK","SignJWT","omit","DateTime","generateKeyPair","exportJWK","uuid","GeneralSign"],"mappings":";;;;;;;;;;AAoCA,MAAM,OAAU,GAAA,GAAA;AAChB,MAAM,gBAAmB,GAAA,KAAA;AAqGlB,MAAM,YAAoC,CAAA;AAAA,EAC9B,MAAA;AAAA,EACA,MAAA;AAAA,EACA,QAAA;AAAA,EACA,kBAAA;AAAA,EACA,SAAA;AAAA,EACA,uBAAA;AAAA,EAET,SAAA;AAAA,EACA,iBAAA;AAAA,EAER,YAAY,OAAkB,EAAA;AAC5B,IAAA,IAAA,CAAK,SAAS,OAAQ,CAAA,MAAA;AACtB,IAAA,IAAA,CAAK,SAAS,OAAQ,CAAA,MAAA;AACtB,IAAA,IAAA,CAAK,WAAW,OAAQ,CAAA,QAAA;AACxB,IAAA,IAAA,CAAK,qBAAqB,OAAQ,CAAA,kBAAA;AAClC,IAAK,IAAA,CAAA,SAAA,GAAY,QAAQ,SAAa,IAAA,OAAA;AACtC,IAAA,IAAA,CAAK,0BAA0B,OAAQ,CAAA,uBAAA;AAAA;AACzC,EAEA,MAAM,WAAW,MAAsC,EAAA;AACrD,IAAM,MAAA,GAAA,GAAM,MAAM,IAAA,CAAK,MAAO,EAAA;AAE9B,IAAA,MAAM,MAAM,IAAK,CAAA,MAAA;AACjB,IAAM,MAAA,EAAE,KAAK,GAAM,GAAA,CAAC,GAAG,CAAG,EAAA,GAAG,gBAAiB,EAAA,GAAI,MAAO,CAAA,MAAA;AACzD,IAAM,MAAA,GAAA,GAAMA,0BAAW,IAAK,CAAA,QAAA;AAC5B,IAAA,MAAM,MAAM,IAAK,CAAA,KAAA,CAAM,IAAK,CAAA,GAAA,KAAQ,OAAO,CAAA;AAC3C,IAAM,MAAA,GAAA,GAAM,MAAM,IAAK,CAAA,kBAAA;AAEvB,IAAI,IAAA;AAEF,MAAAC,2BAAA,CAAe,GAAG,CAAA;AAAA,aACX,KAAO,EAAA;AACd,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA;AAGF,IAAI,IAAA,CAAC,IAAI,GAAK,EAAA;AACZ,MAAM,MAAA,IAAIC,2BAAoB,sCAAsC,CAAA;AAAA;AAGtE,IAAA,IAAA,CAAK,OAAO,IAAK,CAAA,CAAA,kBAAA,EAAqB,GAAG,CAAA,gBAAA,EAAmB,GAAG,CAAE,CAAA,CAAA;AAEjE,IAAM,MAAA,UAAA,GAAa,MAAMC,cAAA,CAAU,GAAG,CAAA;AAEtC,IAAM,MAAA,GAAA,GAAM,MAAM,IAAA,CAAK,uBAAwB,CAAA;AAAA,MAC7C,MAAQ,EAAA;AAAA,QACN,GAAA,EAAKH,0BAAW,WAAY,CAAA,QAAA;AAAA,QAC5B,KAAK,GAAI,CAAA,GAAA;AAAA,QACT,KAAK,GAAI,CAAA;AAAA,OACX;AAAA,MACA,OAAS,EAAA,EAAE,GAAK,EAAA,GAAA,EAAK,GAAI,EAAA;AAAA,MACzB,GAAK,EAAA;AAAA,KACN,CAAA;AAED,IAAA,MAAM,MAAgC,GAAA;AAAA,MACpC,GAAG,gBAAA;AAAA,MACH,GAAA;AAAA,MACA,GAAA;AAAA,MACA,GAAA;AAAA,MACA,GAAA;AAAA,MACA,GAAA;AAAA,MACA,GAAA;AAAA,MACA;AAAA,KACF;AAEA,IAAA,MAAM,QAAQ,MAAM,IAAII,YAAQ,CAAA,MAAM,EACnC,kBAAmB,CAAA;AAAA,MAClB,GAAA,EAAKJ,0BAAW,IAAK,CAAA,QAAA;AAAA,MACrB,KAAK,GAAI,CAAA,GAAA;AAAA,MACT,KAAK,GAAI,CAAA;AAAA,KACV,CACA,CAAA,IAAA,CAAK,UAAU,CAAA;AAElB,IAAI,IAAA,KAAA,CAAM,SAAS,gBAAkB,EAAA;AACnC,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,6PAA6P,IAAK,CAAA,SAAA;AAAA,UAChQ;AAAA,SACD,CAAA,CAAA;AAAA,OACH;AAAA;AAKF,IAAM,MAAA,IAAA,CAAK,wBAAwB,WAAY,CAAA;AAAA,MAC7C,MAAA,EAAQK,YAAK,MAAQ,EAAA,CAAC,OAAO,KAAO,EAAA,KAAA,EAAO,KAAK,CAAC;AAAA,KAClD,CAAA;AAED,IAAO,OAAA,KAAA;AAAA;AACT;AAAA;AAAA;AAAA,EAKA,MAAM,cAA8C,GAAA;AAClD,IAAA,MAAM,EAAE,KAAO,EAAA,IAAA,KAAS,MAAM,IAAA,CAAK,SAAS,QAAS,EAAA;AAErD,IAAA,MAAM,YAAY,EAAC;AACnB,IAAA,MAAM,cAAc,EAAC;AAErB,IAAA,KAAA,MAAW,OAAO,IAAM,EAAA;AAEtB,MAAA,MAAM,WAAWC,cAAS,CAAA,UAAA,CAAW,GAAI,CAAA,SAAS,EAAE,IAAK,CAAA;AAAA,QACvD,OAAA,EAAS,IAAI,IAAK,CAAA;AAAA,OACnB,CAAA;AACD,MAAI,IAAA,QAAA,GAAWA,cAAS,CAAA,KAAA,EAAS,EAAA;AAC/B,QAAA,WAAA,CAAY,KAAK,GAAG,CAAA;AAAA,OACf,MAAA;AACL,QAAA,SAAA,CAAU,KAAK,GAAG,CAAA;AAAA;AACpB;AAIF,IAAI,IAAA,WAAA,CAAY,SAAS,CAAG,EAAA;AAC1B,MAAM,MAAA,IAAA,GAAO,YAAY,GAAI,CAAA,CAAC,EAAE,GAAI,EAAA,KAAM,IAAI,GAAG,CAAA;AAEjD,MAAA,IAAA,CAAK,OAAO,IAAK,CAAA,CAAA,gCAAA,EAAmC,KAAK,IAAK,CAAA,MAAM,CAAC,CAAG,CAAA,CAAA,CAAA;AAGxE,MAAA,IAAA,CAAK,QAAS,CAAA,UAAA,CAAW,IAAI,CAAA,CAAE,MAAM,CAAS,KAAA,KAAA;AAC5C,QAAA,IAAA,CAAK,MAAO,CAAA,KAAA,CAAM,CAAkC,+BAAA,EAAA,KAAK,CAAE,CAAA,CAAA;AAAA,OAC5D,CAAA;AAAA;AAIH,IAAO,OAAA,EAAE,MAAM,SAAU,CAAA,GAAA,CAAI,CAAC,EAAE,GAAA,EAAU,KAAA,GAAG,CAAE,EAAA;AAAA;AACjD,EAEA,MAAc,MAAuB,GAAA;AAEnC,IAAA,IAAI,KAAK,iBAAmB,EAAA;AAC1B,MACE,IAAA,IAAA,CAAK,aACLA,cAAS,CAAA,UAAA,CAAW,KAAK,SAAS,CAAA,GAAIA,cAAS,CAAA,KAAA,EAC/C,EAAA;AACA,QAAA,OAAO,IAAK,CAAA,iBAAA;AAAA;AAEd,MAAK,IAAA,CAAA,MAAA,CAAO,KAAK,CAA6C,2CAAA,CAAA,CAAA;AAC9D,MAAA,OAAO,IAAK,CAAA,iBAAA;AAAA;AAGd,IAAA,IAAA,CAAK,SAAY,GAAAA,cAAA,CAAS,GAAI,EAAA,CAC3B,IAAK,CAAA;AAAA,MACJ,SAAS,IAAK,CAAA;AAAA,KACf,EACA,QAAS,EAAA;AACZ,IAAA,MAAM,WAAW,YAAY;AAE3B,MAAA,MAAM,GAAM,GAAA,MAAMC,oBAAgB,CAAA,IAAA,CAAK,SAAS,CAAA;AAChD,MAAA,MAAM,SAAY,GAAA,MAAMC,cAAU,CAAA,GAAA,CAAI,SAAS,CAAA;AAC/C,MAAA,MAAM,UAAa,GAAA,MAAMA,cAAU,CAAA,GAAA,CAAI,UAAU,CAAA;AACjD,MAAU,SAAA,CAAA,GAAA,GAAM,UAAW,CAAA,GAAA,GAAMC,OAAK,EAAA;AACtC,MAAU,SAAA,CAAA,GAAA,GAAM,UAAW,CAAA,GAAA,GAAM,IAAK,CAAA,SAAA;AAQtC,MAAA,IAAA,CAAK,MAAO,CAAA,IAAA,CAAK,CAA2B,wBAAA,EAAA,SAAA,CAAU,GAAG,CAAE,CAAA,CAAA;AAC3D,MAAM,MAAA,IAAA,CAAK,QAAS,CAAA,MAAA,CAAO,SAAmB,CAAA;AAG9C,MAAO,OAAA,UAAA;AAAA,KACN,GAAA;AAEH,IAAA,IAAA,CAAK,iBAAoB,GAAA,OAAA;AAEzB,IAAI,IAAA;AAGF,MAAM,MAAA,OAAA;AAAA,aACC,KAAO,EAAA;AACd,MAAA,IAAA,CAAK,MAAO,CAAA,KAAA,CAAM,CAAuC,oCAAA,EAAA,KAAK,CAAE,CAAA,CAAA;AAChE,MAAA,OAAO,IAAK,CAAA,SAAA;AACZ,MAAA,OAAO,IAAK,CAAA,iBAAA;AAAA;AAGd,IAAO,OAAA,OAAA;AAAA;AACT;AAAA;AAAA;AAAA,EAKA,MAAc,wBAAwB,OAQlB,EAAA;AAQlB,IAAA,MAAM,MAAS,GAAA;AAAA,MACb,GAAA,EAAK,QAAQ,MAAO,CAAA,GAAA;AAAA,MACpB,GAAA,EAAK,QAAQ,MAAO,CAAA,GAAA;AAAA,MACpB,GAAI,OAAQ,CAAA,MAAA,CAAO,GAAM,GAAA,EAAE,KAAK,OAAQ,CAAA,MAAA,CAAO,GAAI,EAAA,GAAI;AAAC,KAC1D;AAEA,IAAA,MAAM,OAAU,GAAA;AAAA,MACd,GAAA,EAAK,QAAQ,OAAQ,CAAA,GAAA;AAAA,MACrB,GAAA,EAAK,QAAQ,OAAQ,CAAA,GAAA;AAAA,MACrB,GAAA,EAAK,QAAQ,OAAQ,CAAA;AAAA,KACvB;AAEA,IAAM,MAAA,GAAA,GAAM,MAAM,IAAIC,gBAAA;AAAA,MACpB,IAAI,WAAY,EAAA,CAAE,OAAO,IAAK,CAAA,SAAA,CAAU,OAAO,CAAC;AAAA,KAClD,CACG,YAAa,CAAA,OAAA,CAAQ,GAAG,CAAA,CACxB,mBAAmB,MAAM,CAAA,CACzB,IAAK,EAAA,CACL,IAAK,EAAA;AAER,IAAO,OAAA,GAAA,CAAI,UAAW,CAAA,CAAC,CAAE,CAAA,SAAA;AAAA;AAE7B;;;;"}
1	+ {"version":3,"file":"TokenFactory.cjs.js","sources":["../../src/identity/TokenFactory.ts"],"sourcesContent":["/\n Copyright 2020 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { exportJWK, generateKeyPair, JWK } from 'jose';\nimport { DateTime } from 'luxon';\nimport { v4 as uuid } from 'uuid';\nimport { LoggerService } from '@backstage/backend-plugin-api';\nimport {\n BackstageSignInResult,\n TokenParams,\n tokenTypes,\n} from '@backstage/plugin-auth-node';\nimport { AnyJWK, KeyStore, TokenIssuer } from './types';\nimport { JsonValue } from '@backstage/types';\nimport { UserInfoDatabaseHandler } from './UserInfoDatabaseHandler';\nimport { issueUserToken } from './issueUserToken';\n\n/\n The payload contents of a valid Backstage JWT token\n /\nexport interface BackstageTokenPayload {\n /\n The issuer of the token, currently the discovery URL of the auth backend\n /\n iss: string;\n\n /\n The entity ref of the user\n /\n sub: string;\n\n /\n The entity refs that the user claims ownership through\n /\n ent: string[];\n\n /\n A hard coded audience string\n /\n aud: typeof tokenTypes.user.audClaim;\n\n /\n Standard expiry in epoch seconds\n /\n exp: number;\n\n /\n Standard issue time in epoch seconds\n /\n iat: number;\n\n /\n A separate user identity proof that the auth service can convert to a limited user token\n /\n uip: string;\n\n /\n Any other custom claims that the adopter may have added\n /\n [claim: string]: JsonValue;\n}\n\ntype Options = {\n logger: LoggerService;\n /* Value of the issuer claim in issued tokens /\n issuer: string;\n /* Key store used for storing signing keys /\n keyStore: KeyStore;\n /* Expiration time of signing keys in seconds /\n keyDurationSeconds: number;\n /* JWS \"alg\" (Algorithm) Header Parameter value. Defaults to ES256.\n * Must match one of the algorithms defined for IdentityClient.\n * When setting a different algorithm, check if the `key` field\n * of the `signing_keys` table can fit the length of the generated keys.\n * If not, add a knex migration file in the migrations folder.\n * More info on supported algorithms: https://github.com/panva/jose /\n algorithm?: string;\n /\n A list of claims to omit from issued tokens and only store in the user info database\n /\n omitClaimsFromToken?: string[];\n userInfoDatabaseHandler: UserInfoDatabaseHandler;\n};\n\n/\n A token issuer that is able to issue tokens in a distributed system\n * backed by a single database. Tokens are issued using lazily generated\n * signing keys, where each running instance of the auth service uses its own\n * signing key.\n \n The public parts of the keys are all stored in the shared key storage,\n * and any of the instances of the auth service will return the full list\n * of public keys that are currently in storage.\n \n Signing keys are automatically rotated at the same interval as the token\n * duration. Expired keys are kept in storage until there are no valid tokens\n * in circulation that could have been signed by that key.\n /\nexport class TokenFactory implements TokenIssuer {\n private readonly issuer: string;\n private readonly logger: LoggerService;\n private readonly keyStore: KeyStore;\n private readonly keyDurationSeconds: number;\n private readonly algorithm: string;\n private readonly omitClaimsFromToken?: string[];\n private readonly userInfoDatabaseHandler: UserInfoDatabaseHandler;\n\n private keyExpiry?: Date;\n private privateKeyPromise?: Promise<JWK>;\n\n constructor(options: Options) {\n this.issuer = options.issuer;\n this.logger = options.logger;\n this.keyStore = options.keyStore;\n this.keyDurationSeconds = options.keyDurationSeconds;\n this.algorithm = options.algorithm ?? 'ES256';\n this.omitClaimsFromToken = options.omitClaimsFromToken;\n this.userInfoDatabaseHandler = options.userInfoDatabaseHandler;\n }\n\n async issueToken(params: TokenParams): Promise<BackstageSignInResult> {\n const key = await this.getKey();\n\n return issueUserToken({\n issuer: this.issuer,\n key,\n keyDurationSeconds: this.keyDurationSeconds,\n logger: this.logger,\n omitClaimsFromToken: this.omitClaimsFromToken,\n params,\n userInfoDatabaseHandler: this.userInfoDatabaseHandler,\n });\n }\n\n // This will be called by other services that want to verify ID tokens.\n // It is important that it returns a list of all public keys that could\n // have been used to sign tokens that have not yet expired.\n async listPublicKeys(): Promise<{ keys: AnyJWK[] }> {\n const { items: keys } = await this.keyStore.listKeys();\n\n const validKeys = [];\n const expiredKeys = [];\n\n for (const key of keys) {\n // Allow for a grace period of another full key duration before we remove the keys from the database\n const expireAt = DateTime.fromJSDate(key.createdAt).plus({\n seconds: 3 this.keyDurationSeconds,\n });\n if (expireAt < DateTime.local()) {\n expiredKeys.push(key);\n } else {\n validKeys.push(key);\n }\n }\n\n // Lazily prune expired keys. This may cause duplicate removals if we have concurrent callers, but w/e\n if (expiredKeys.length > 0) {\n const kids = expiredKeys.map(({ key }) => key.kid);\n\n this.logger.info(`Removing expired signing keys, '${kids.join(\"', '\")}'`);\n\n // We don't await this, just let it run in the background\n this.keyStore.removeKeys(kids).catch(error => {\n this.logger.error(`Failed to remove expired keys, ${error}`);\n });\n }\n\n // NOTE: we're currently only storing public keys, but if we start storing private keys we'd have to convert here\n return { keys: validKeys.map(({ key }) => key) };\n }\n\n private async getKey(): Promise<JWK> {\n // Make sure that we only generate one key at a time\n if (this.privateKeyPromise) {\n if (\n this.keyExpiry &&\n DateTime.fromJSDate(this.keyExpiry) > DateTime.local()\n ) {\n return this.privateKeyPromise;\n }\n this.logger.info(`Signing key has expired, generating new key`);\n delete this.privateKeyPromise;\n }\n\n this.keyExpiry = DateTime.utc()\n .plus({\n seconds: this.keyDurationSeconds,\n })\n .toJSDate();\n const promise = (async () => {\n // This generates a new signing key to be used to sign tokens until the next key rotation\n const key = await generateKeyPair(this.algorithm);\n const publicKey = await exportJWK(key.publicKey);\n const privateKey = await exportJWK(key.privateKey);\n publicKey.kid = privateKey.kid = uuid();\n publicKey.alg = privateKey.alg = this.algorithm;\n\n // We're not allowed to use the key until it has been successfully stored\n // TODO: some token verification implementations aggressively cache the list of keys, and\n // don't attempt to fetch new ones even if they encounter an unknown kid. Therefore we\n // may want to keep using the existing key for some period of time until we switch to\n // the new one. This also needs to be implemented cross-service though, meaning new services\n // that boot up need to be able to grab an existing key to use for signing.\n this.logger.info(`Created new signing key ${publicKey.kid}`);\n await this.keyStore.addKey(publicKey as AnyJWK);\n\n // At this point we are allowed to start using the new key\n return privateKey;\n })();\n\n this.privateKeyPromise = promise;\n\n try {\n // If we fail to generate a new key, we need to clear the state so that\n // the next caller will try to generate another key.\n await promise;\n } catch (error) {\n this.logger.error(`Failed to generate new signing key, ${error}`);\n delete this.keyExpiry;\n delete this.privateKeyPromise;\n }\n\n return promise;\n }\n}\n"],"names":["issueUserToken","DateTime","generateKeyPair","exportJWK","uuid"],"mappings":";;;;;;;AA+GO,MAAM,YAAoC,CAAA;AAAA,EAC9B,MAAA;AAAA,EACA,MAAA;AAAA,EACA,QAAA;AAAA,EACA,kBAAA;AAAA,EACA,SAAA;AAAA,EACA,mBAAA;AAAA,EACA,uBAAA;AAAA,EAET,SAAA;AAAA,EACA,iBAAA;AAAA,EAER,YAAY,OAAkB,EAAA;AAC5B,IAAA,IAAA,CAAK,SAAS,OAAQ,CAAA,MAAA;AACtB,IAAA,IAAA,CAAK,SAAS,OAAQ,CAAA,MAAA;AACtB,IAAA,IAAA,CAAK,WAAW,OAAQ,CAAA,QAAA;AACxB,IAAA,IAAA,CAAK,qBAAqB,OAAQ,CAAA,kBAAA;AAClC,IAAK,IAAA,CAAA,SAAA,GAAY,QAAQ,SAAa,IAAA,OAAA;AACtC,IAAA,IAAA,CAAK,sBAAsB,OAAQ,CAAA,mBAAA;AACnC,IAAA,IAAA,CAAK,0BAA0B,OAAQ,CAAA,uBAAA;AAAA;AACzC,EAEA,MAAM,WAAW,MAAqD,EAAA;AACpE,IAAM,MAAA,GAAA,GAAM,MAAM,IAAA,CAAK,MAAO,EAAA;AAE9B,IAAA,OAAOA,6BAAe,CAAA;AAAA,MACpB,QAAQ,IAAK,CAAA,MAAA;AAAA,MACb,GAAA;AAAA,MACA,oBAAoB,IAAK,CAAA,kBAAA;AAAA,MACzB,QAAQ,IAAK,CAAA,MAAA;AAAA,MACb,qBAAqB,IAAK,CAAA,mBAAA;AAAA,MAC1B,MAAA;AAAA,MACA,yBAAyB,IAAK,CAAA;AAAA,KAC/B,CAAA;AAAA;AACH;AAAA;AAAA;AAAA,EAKA,MAAM,cAA8C,GAAA;AAClD,IAAA,MAAM,EAAE,KAAO,EAAA,IAAA,KAAS,MAAM,IAAA,CAAK,SAAS,QAAS,EAAA;AAErD,IAAA,MAAM,YAAY,EAAC;AACnB,IAAA,MAAM,cAAc,EAAC;AAErB,IAAA,KAAA,MAAW,OAAO,IAAM,EAAA;AAEtB,MAAA,MAAM,WAAWC,cAAS,CAAA,UAAA,CAAW,GAAI,CAAA,SAAS,EAAE,IAAK,CAAA;AAAA,QACvD,OAAA,EAAS,IAAI,IAAK,CAAA;AAAA,OACnB,CAAA;AACD,MAAI,IAAA,QAAA,GAAWA,cAAS,CAAA,KAAA,EAAS,EAAA;AAC/B,QAAA,WAAA,CAAY,KAAK,GAAG,CAAA;AAAA,OACf,MAAA;AACL,QAAA,SAAA,CAAU,KAAK,GAAG,CAAA;AAAA;AACpB;AAIF,IAAI,IAAA,WAAA,CAAY,SAAS,CAAG,EAAA;AAC1B,MAAM,MAAA,IAAA,GAAO,YAAY,GAAI,CAAA,CAAC,EAAE,GAAI,EAAA,KAAM,IAAI,GAAG,CAAA;AAEjD,MAAA,IAAA,CAAK,OAAO,IAAK,CAAA,CAAA,gCAAA,EAAmC,KAAK,IAAK,CAAA,MAAM,CAAC,CAAG,CAAA,CAAA,CAAA;AAGxE,MAAA,IAAA,CAAK,QAAS,CAAA,UAAA,CAAW,IAAI,CAAA,CAAE,MAAM,CAAS,KAAA,KAAA;AAC5C,QAAA,IAAA,CAAK,MAAO,CAAA,KAAA,CAAM,CAAkC,+BAAA,EAAA,KAAK,CAAE,CAAA,CAAA;AAAA,OAC5D,CAAA;AAAA;AAIH,IAAO,OAAA,EAAE,MAAM,SAAU,CAAA,GAAA,CAAI,CAAC,EAAE,GAAA,EAAU,KAAA,GAAG,CAAE,EAAA;AAAA;AACjD,EAEA,MAAc,MAAuB,GAAA;AAEnC,IAAA,IAAI,KAAK,iBAAmB,EAAA;AAC1B,MACE,IAAA,IAAA,CAAK,aACLA,cAAS,CAAA,UAAA,CAAW,KAAK,SAAS,CAAA,GAAIA,cAAS,CAAA,KAAA,EAC/C,EAAA;AACA,QAAA,OAAO,IAAK,CAAA,iBAAA;AAAA;AAEd,MAAK,IAAA,CAAA,MAAA,CAAO,KAAK,CAA6C,2CAAA,CAAA,CAAA;AAC9D,MAAA,OAAO,IAAK,CAAA,iBAAA;AAAA;AAGd,IAAA,IAAA,CAAK,SAAY,GAAAA,cAAA,CAAS,GAAI,EAAA,CAC3B,IAAK,CAAA;AAAA,MACJ,SAAS,IAAK,CAAA;AAAA,KACf,EACA,QAAS,EAAA;AACZ,IAAA,MAAM,WAAW,YAAY;AAE3B,MAAA,MAAM,GAAM,GAAA,MAAMC,oBAAgB,CAAA,IAAA,CAAK,SAAS,CAAA;AAChD,MAAA,MAAM,SAAY,GAAA,MAAMC,cAAU,CAAA,GAAA,CAAI,SAAS,CAAA;AAC/C,MAAA,MAAM,UAAa,GAAA,MAAMA,cAAU,CAAA,GAAA,CAAI,UAAU,CAAA;AACjD,MAAU,SAAA,CAAA,GAAA,GAAM,UAAW,CAAA,GAAA,GAAMC,OAAK,EAAA;AACtC,MAAU,SAAA,CAAA,GAAA,GAAM,UAAW,CAAA,GAAA,GAAM,IAAK,CAAA,SAAA;AAQtC,MAAA,IAAA,CAAK,MAAO,CAAA,IAAA,CAAK,CAA2B,wBAAA,EAAA,SAAA,CAAU,GAAG,CAAE,CAAA,CAAA;AAC3D,MAAM,MAAA,IAAA,CAAK,QAAS,CAAA,MAAA,CAAO,SAAmB,CAAA;AAG9C,MAAO,OAAA,UAAA;AAAA,KACN,GAAA;AAEH,IAAA,IAAA,CAAK,iBAAoB,GAAA,OAAA;AAEzB,IAAI,IAAA;AAGF,MAAM,MAAA,OAAA;AAAA,aACC,KAAO,EAAA;AACd,MAAA,IAAA,CAAK,MAAO,CAAA,KAAA,CAAM,CAAuC,oCAAA,EAAA,KAAK,CAAE,CAAA,CAAA;AAChE,MAAA,OAAO,IAAK,CAAA,SAAA;AACZ,MAAA,OAAO,IAAK,CAAA,iBAAA;AAAA;AAGd,IAAO,OAAA,OAAA;AAAA;AAEX;;;;"}

package/dist/identity/issueUserToken.cjs.js ADDED Viewed

@@ -0,0 +1,98 @@
+'use strict';
+var catalogModel = require('@backstage/catalog-model');
+var errors = require('@backstage/errors');
+var pluginAuthNode = require('@backstage/plugin-auth-node');
+var lodash = require('lodash');
+var jose = require('jose');
+const MS_IN_S = 1e3;
+const MAX_TOKEN_LENGTH = 32768;
+async function issueUserToken({
+  issuer,
+  key,
+  keyDurationSeconds,
+  logger,
+  omitClaimsFromToken,
+  params,
+  userInfoDatabaseHandler
+}) {
+  const { sub, ent = [sub], ...additionalClaims } = params.claims;
+  const aud = pluginAuthNode.tokenTypes.user.audClaim;
+  const iat = Math.floor(Date.now() / MS_IN_S);
+  const exp = iat + keyDurationSeconds;
+  try {
+    catalogModel.parseEntityRef(sub);
+  } catch (error) {
+    throw new Error(
+      '"sub" claim provided by the auth resolver is not a valid EntityRef.'
+    );
+  }
+  if (!key.alg) {
+    throw new errors.AuthenticationError("No algorithm was provided in the key");
+  }
+  logger.info(`Issuing token for ${sub}, with entities ${ent}`);
+  const signingKey = await jose.importJWK(key);
+  const uip = await createUserIdentityClaim({
+    header: {
+      typ: pluginAuthNode.tokenTypes.limitedUser.typParam,
+      alg: key.alg,
+      kid: key.kid
+    },
+    payload: { sub, iat, exp },
+    key: signingKey
+  });
+  const claims = {
+    ...additionalClaims,
+    iss: issuer,
+    sub,
+    ent,
+    aud,
+    iat,
+    exp,
+    uip
+  };
+  const tokenClaims = omitClaimsFromToken ? lodash.omit(claims, omitClaimsFromToken) : claims;
+  const token = await new jose.SignJWT(tokenClaims).setProtectedHeader({
+    typ: pluginAuthNode.tokenTypes.user.typParam,
+    alg: key.alg,
+    kid: key.kid
+  }).sign(signingKey);
+  if (token.length > MAX_TOKEN_LENGTH) {
+    throw new Error(
+      `Failed to issue a new user token. The resulting token is excessively large, with either too many ownership claims or too large custom claims. You likely have a bug either in the sign-in resolver or catalog data. The following claims were requested: '${JSON.stringify(
+        tokenClaims
+      )}'`
+    );
+  }
+  await userInfoDatabaseHandler.addUserInfo({
+    claims: lodash.omit(claims, ["aud", "iat", "iss", "uip"])
+  });
+  return {
+    token,
+    identity: {
+      type: "user",
+      userEntityRef: sub,
+      ownershipEntityRefs: ent
+    }
+  };
+}
+async function createUserIdentityClaim(options) {
+  const header = {
+    typ: options.header.typ,
+    alg: options.header.alg,
+    ...options.header.kid ? { kid: options.header.kid } : {}
+  };
+  const payload = {
+    sub: options.payload.sub,
+    iat: options.payload.iat,
+    exp: options.payload.exp
+  };
+  const jws = await new jose.GeneralSign(
+    new TextEncoder().encode(JSON.stringify(payload))
+  ).addSignature(options.key).setProtectedHeader(header).done().sign();
+  return jws.signatures[0].signature;
+}
+exports.issueUserToken = issueUserToken;
+//# sourceMappingURL=issueUserToken.cjs.js.map

package/dist/identity/issueUserToken.cjs.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"issueUserToken.cjs.js","sources":["../../src/identity/issueUserToken.ts"],"sourcesContent":["/*\n * Copyright 2025 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { parseEntityRef } from '@backstage/catalog-model';\nimport { AuthenticationError } from '@backstage/errors';\nimport {\n BackstageSignInResult,\n TokenParams,\n tokenTypes,\n} from '@backstage/plugin-auth-node';\nimport { omit } from 'lodash';\nimport { UserInfoDatabaseHandler } from './UserInfoDatabaseHandler';\nimport { LoggerService } from '@backstage/backend-plugin-api';\nimport { GeneralSign, importJWK, JWK, KeyLike, SignJWT } from 'jose';\nimport { BackstageTokenPayload } from './TokenFactory';\n\nconst MS_IN_S = 1000;\nconst MAX_TOKEN_LENGTH = 32768; // At 64 bytes per entity ref this still leaves room for about 500 entities\n\nexport async function issueUserToken({\n issuer,\n key,\n keyDurationSeconds,\n logger,\n omitClaimsFromToken,\n params,\n userInfoDatabaseHandler,\n}: {\n issuer: string;\n key: JWK;\n keyDurationSeconds: number;\n logger: LoggerService;\n omitClaimsFromToken?: string[];\n params: TokenParams;\n userInfoDatabaseHandler: UserInfoDatabaseHandler;\n}): Promise<BackstageSignInResult> {\n const { sub, ent = [sub], ...additionalClaims } = params.claims;\n const aud = tokenTypes.user.audClaim;\n const iat = Math.floor(Date.now() / MS_IN_S);\n const exp = iat + keyDurationSeconds;\n\n try {\n // The subject must be a valid entity ref\n parseEntityRef(sub);\n } catch (error) {\n throw new Error(\n '\"sub\" claim provided by the auth resolver is not a valid EntityRef.',\n );\n }\n\n if (!key.alg) {\n throw new AuthenticationError('No algorithm was provided in the key');\n }\n\n logger.info(`Issuing token for ${sub}, with entities ${ent}`);\n\n const signingKey = await importJWK(key);\n\n const uip = await createUserIdentityClaim({\n header: {\n typ: tokenTypes.limitedUser.typParam,\n alg: key.alg,\n kid: key.kid,\n },\n payload: { sub, iat, exp },\n key: signingKey,\n });\n\n const claims: BackstageTokenPayload = {\n ...additionalClaims,\n iss: issuer,\n sub,\n ent,\n aud,\n iat,\n exp,\n uip,\n };\n\n const tokenClaims = omitClaimsFromToken\n ? omit(claims, omitClaimsFromToken)\n : claims;\n const token = await new SignJWT(tokenClaims)\n .setProtectedHeader({\n typ: tokenTypes.user.typParam,\n alg: key.alg,\n kid: key.kid,\n })\n .sign(signingKey);\n\n if (token.length > MAX_TOKEN_LENGTH) {\n throw new Error(\n `Failed to issue a new user token. The resulting token is excessively large, with either too many ownership claims or too large custom claims. You likely have a bug either in the sign-in resolver or catalog data. The following claims were requested: '${JSON.stringify(\n tokenClaims,\n )}'`,\n );\n }\n\n // Store the user info in the database upon successful token\n // issuance so that it can be retrieved later by limited user tokens\n await userInfoDatabaseHandler.addUserInfo({\n claims: omit(claims, ['aud', 'iat', 'iss', 'uip']),\n });\n\n return {\n token,\n identity: {\n type: 'user',\n userEntityRef: sub,\n ownershipEntityRefs: ent,\n },\n };\n}\n\n/**\n * The payload contents of a valid Backstage user identity claim token\n *\n * @internal\n */\ninterface BackstageUserIdentityProofPayload {\n /**\n * The entity ref of the user\n */\n sub: string;\n\n /**\n * Standard expiry in epoch seconds\n */\n exp: number;\n\n /**\n * Standard issue time in epoch seconds\n */\n iat: number;\n}\n\n/**\n * Creates a string claim that can be used as part of reconstructing a limited\n * user token. The output of this function is only the signature part of a JWS.\n */\nasync function createUserIdentityClaim(options: {\n header: {\n typ: string;\n alg: string;\n kid?: string;\n };\n payload: BackstageUserIdentityProofPayload;\n key: KeyLike | Uint8Array;\n}): Promise<string> {\n // NOTE: We reconstruct the header and payload structures carefully to\n // perfectly guarantee ordering. The reason for this is that we store only\n // the signature part of these to reduce duplication within the Backstage\n // token. Anyone who wants to make an actual JWT based on all this must be\n // able to do the EXACT reconstruction of the header and payload parts, to\n // then append the signature.\n\n const header = {\n typ: options.header.typ,\n alg: options.header.alg,\n ...(options.header.kid ? { kid: options.header.kid } : {}),\n };\n\n const payload = {\n sub: options.payload.sub,\n iat: options.payload.iat,\n exp: options.payload.exp,\n };\n\n const jws = await new GeneralSign(\n new TextEncoder().encode(JSON.stringify(payload)),\n )\n .addSignature(options.key)\n .setProtectedHeader(header)\n .done()\n .sign();\n\n return jws.signatures[0].signature;\n}\n"],"names":["tokenTypes","parseEntityRef","AuthenticationError","importJWK","omit","SignJWT","GeneralSign"],"mappings":";;;;;;;;AA6BA,MAAM,OAAU,GAAA,GAAA;AAChB,MAAM,gBAAmB,GAAA,KAAA;AAEzB,eAAsB,cAAe,CAAA;AAAA,EACnC,MAAA;AAAA,EACA,GAAA;AAAA,EACA,kBAAA;AAAA,EACA,MAAA;AAAA,EACA,mBAAA;AAAA,EACA,MAAA;AAAA,EACA;AACF,CAQmC,EAAA;AACjC,EAAM,MAAA,EAAE,KAAK,GAAM,GAAA,CAAC,GAAG,CAAG,EAAA,GAAG,gBAAiB,EAAA,GAAI,MAAO,CAAA,MAAA;AACzD,EAAM,MAAA,GAAA,GAAMA,0BAAW,IAAK,CAAA,QAAA;AAC5B,EAAA,MAAM,MAAM,IAAK,CAAA,KAAA,CAAM,IAAK,CAAA,GAAA,KAAQ,OAAO,CAAA;AAC3C,EAAA,MAAM,MAAM,GAAM,GAAA,kBAAA;AAElB,EAAI,IAAA;AAEF,IAAAC,2BAAA,CAAe,GAAG,CAAA;AAAA,WACX,KAAO,EAAA;AACd,IAAA,MAAM,IAAI,KAAA;AAAA,MACR;AAAA,KACF;AAAA;AAGF,EAAI,IAAA,CAAC,IAAI,GAAK,EAAA;AACZ,IAAM,MAAA,IAAIC,2BAAoB,sCAAsC,CAAA;AAAA;AAGtE,EAAA,MAAA,CAAO,IAAK,CAAA,CAAA,kBAAA,EAAqB,GAAG,CAAA,gBAAA,EAAmB,GAAG,CAAE,CAAA,CAAA;AAE5D,EAAM,MAAA,UAAA,GAAa,MAAMC,cAAA,CAAU,GAAG,CAAA;AAEtC,EAAM,MAAA,GAAA,GAAM,MAAM,uBAAwB,CAAA;AAAA,IACxC,MAAQ,EAAA;AAAA,MACN,GAAA,EAAKH,0BAAW,WAAY,CAAA,QAAA;AAAA,MAC5B,KAAK,GAAI,CAAA,GAAA;AAAA,MACT,KAAK,GAAI,CAAA;AAAA,KACX;AAAA,IACA,OAAS,EAAA,EAAE,GAAK,EAAA,GAAA,EAAK,GAAI,EAAA;AAAA,IACzB,GAAK,EAAA;AAAA,GACN,CAAA;AAED,EAAA,MAAM,MAAgC,GAAA;AAAA,IACpC,GAAG,gBAAA;AAAA,IACH,GAAK,EAAA,MAAA;AAAA,IACL,GAAA;AAAA,IACA,GAAA;AAAA,IACA,GAAA;AAAA,IACA,GAAA;AAAA,IACA,GAAA;AAAA,IACA;AAAA,GACF;AAEA,EAAA,MAAM,WAAc,GAAA,mBAAA,GAChBI,WAAK,CAAA,MAAA,EAAQ,mBAAmB,CAChC,GAAA,MAAA;AACJ,EAAA,MAAM,QAAQ,MAAM,IAAIC,YAAQ,CAAA,WAAW,EACxC,kBAAmB,CAAA;AAAA,IAClB,GAAA,EAAKL,0BAAW,IAAK,CAAA,QAAA;AAAA,IACrB,KAAK,GAAI,CAAA,GAAA;AAAA,IACT,KAAK,GAAI,CAAA;AAAA,GACV,CACA,CAAA,IAAA,CAAK,UAAU,CAAA;AAElB,EAAI,IAAA,KAAA,CAAM,SAAS,gBAAkB,EAAA;AACnC,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,6PAA6P,IAAK,CAAA,SAAA;AAAA,QAChQ;AAAA,OACD,CAAA,CAAA;AAAA,KACH;AAAA;AAKF,EAAA,MAAM,wBAAwB,WAAY,CAAA;AAAA,IACxC,MAAA,EAAQI,YAAK,MAAQ,EAAA,CAAC,OAAO,KAAO,EAAA,KAAA,EAAO,KAAK,CAAC;AAAA,GAClD,CAAA;AAED,EAAO,OAAA;AAAA,IACL,KAAA;AAAA,IACA,QAAU,EAAA;AAAA,MACR,IAAM,EAAA,MAAA;AAAA,MACN,aAAe,EAAA,GAAA;AAAA,MACf,mBAAqB,EAAA;AAAA;AACvB,GACF;AACF;AA4BA,eAAe,wBAAwB,OAQnB,EAAA;AAQlB,EAAA,MAAM,MAAS,GAAA;AAAA,IACb,GAAA,EAAK,QAAQ,MAAO,CAAA,GAAA;AAAA,IACpB,GAAA,EAAK,QAAQ,MAAO,CAAA,GAAA;AAAA,IACpB,GAAI,OAAQ,CAAA,MAAA,CAAO,GAAM,GAAA,EAAE,KAAK,OAAQ,CAAA,MAAA,CAAO,GAAI,EAAA,GAAI;AAAC,GAC1D;AAEA,EAAA,MAAM,OAAU,GAAA;AAAA,IACd,GAAA,EAAK,QAAQ,OAAQ,CAAA,GAAA;AAAA,IACrB,GAAA,EAAK,QAAQ,OAAQ,CAAA,GAAA;AAAA,IACrB,GAAA,EAAK,QAAQ,OAAQ,CAAA;AAAA,GACvB;AAEA,EAAM,MAAA,GAAA,GAAM,MAAM,IAAIE,gBAAA;AAAA,IACpB,IAAI,WAAY,EAAA,CAAE,OAAO,IAAK,CAAA,SAAA,CAAU,OAAO,CAAC;AAAA,GAClD,CACG,YAAa,CAAA,OAAA,CAAQ,GAAG,CAAA,CACxB,mBAAmB,MAAM,CAAA,CACzB,IAAK,EAAA,CACL,IAAK,EAAA;AAER,EAAO,OAAA,GAAA,CAAI,UAAW,CAAA,CAAC,CAAE,CAAA,SAAA;AAC3B;;;;"}

package/dist/lib/resolvers/CatalogAuthResolverContext.cjs.js CHANGED Viewed

@@ -34,8 +34,7 @@ class CatalogAuthResolverContext {
     );
   }
   async issueToken(params) {
-    const token = await this.tokenIssuer.issueToken(params);
-    return { token };
+    return await this.tokenIssuer.issueToken(params);
   }
   async findCatalogUser(query) {
     let result = void 0;
@@ -90,18 +89,35 @@ class CatalogAuthResolverContext {
     }
     return { entity: result };
   }
-  async signInWithCatalogUser(query) {
-    const { entity } = await this.findCatalogUser(query);
-    const { ownershipEntityRefs } = await this.resolveOwnershipEntityRefs(
-      entity
-    );
-    const token = await this.tokenIssuer.issueToken({
-      claims: {
-        sub: catalogModel.stringifyEntityRef(entity),
-        ent: ownershipEntityRefs
+  async signInWithCatalogUser(query, options) {
+    try {
+      const { entity } = await this.findCatalogUser(query);
+      const { ownershipEntityRefs } = await this.resolveOwnershipEntityRefs(
+        entity
+      );
+      return await this.tokenIssuer.issueToken({
+        claims: {
+          sub: catalogModel.stringifyEntityRef(entity),
+          ent: ownershipEntityRefs
+        }
+      });
+    } catch (error) {
+      if (error?.name !== "NotFoundError" || !options?.dangerousEntityRefFallback) {
+        throw error;
       }
-    });
-    return { token };
+      const userEntityRef = catalogModel.stringifyEntityRef(
+        catalogModel.parseEntityRef(options.dangerousEntityRefFallback.entityRef, {
+          defaultKind: "User",
+          defaultNamespace: catalogModel.DEFAULT_NAMESPACE
+        })
+      );
+      return await this.tokenIssuer.issueToken({
+        claims: {
+          sub: userEntityRef,
+          ent: [userEntityRef]
+        }
+      });
+    }
   }
   async resolveOwnershipEntityRefs(entity) {
     if (this.ownershipResolver) {

package/dist/lib/resolvers/CatalogAuthResolverContext.cjs.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"CatalogAuthResolverContext.cjs.js","sources":["../../../src/lib/resolvers/CatalogAuthResolverContext.ts"],"sourcesContent":["/\n Copyright 2022 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n DEFAULT_NAMESPACE,\n Entity,\n parseEntityRef,\n RELATION_MEMBER_OF,\n stringifyEntityRef,\n} from '@backstage/catalog-model';\nimport { ConflictError, InputError, NotFoundError } from '@backstage/errors';\nimport { AuthService, LoggerService } from '@backstage/backend-plugin-api';\nimport { CatalogService } from '@backstage/plugin-catalog-node';\nimport { TokenIssuer } from '../../identity/types';\nimport {\n AuthOwnershipResolver,\n AuthResolverCatalogUserQuery,\n AuthResolverContext,\n TokenParams,\n} from '@backstage/plugin-auth-node';\nimport { CatalogIdentityClient } from '../catalog/CatalogIdentityClient';\n\nfunction getDefaultOwnershipEntityRefs(entity: Entity) {\n const membershipRefs =\n entity.relations\n ?.filter(\n r => r.type === RELATION_MEMBER_OF && r.targetRef.startsWith('group:'),\n )\n .map(r => r.targetRef) ?? [];\n\n return Array.from(new Set([stringifyEntityRef(entity), ...membershipRefs]));\n}\n\nexport class CatalogAuthResolverContext implements AuthResolverContext {\n static create(options: {\n logger: LoggerService;\n catalog: CatalogService;\n tokenIssuer: TokenIssuer;\n auth: AuthService;\n ownershipResolver?: AuthOwnershipResolver;\n }): CatalogAuthResolverContext {\n const catalogIdentityClient = new CatalogIdentityClient({\n catalog: options.catalog,\n auth: options.auth,\n });\n\n return new CatalogAuthResolverContext(\n options.logger,\n options.tokenIssuer,\n catalogIdentityClient,\n options.catalog,\n options.auth,\n options.ownershipResolver,\n );\n }\n\n private constructor(\n public readonly logger: LoggerService,\n public readonly tokenIssuer: TokenIssuer,\n public readonly catalogIdentityClient: CatalogIdentityClient,\n private readonly catalog: CatalogService,\n private readonly auth: AuthService,\n private readonly ownershipResolver?: AuthOwnershipResolver,\n ) {}\n\n async issueToken(params: TokenParams) {\n const token = await this.tokenIssuer.issueToken(params);\n return { token };\n }\n\n async findCatalogUser(query: AuthResolverCatalogUserQuery) {\n let result: Entity[] \| Entity \| undefined = undefined;\n\n if ('entityRef' in query) {\n const entityRef = parseEntityRef(query.entityRef, {\n defaultKind: 'User',\n defaultNamespace: DEFAULT_NAMESPACE,\n });\n result = await this.catalog.getEntityByRef(entityRef, {\n credentials: await this.auth.getOwnServiceCredentials(),\n });\n } else if ('annotations' in query) {\n const filter: Record<string, string> = {\n kind: 'user',\n };\n for (const [key, value] of Object.entries(query.annotations)) {\n filter[`metadata.annotations.${key}`] = value;\n }\n const res = await this.catalog.getEntities(\n { filter },\n { credentials: await this.auth.getOwnServiceCredentials() },\n );\n result = res.items;\n } else if ('filter' in query) {\n const filter = [query.filter].flat().map(value => {\n if (\n !Object.keys(value).some(\n key => key.toLocaleLowerCase('en-US') === 'kind',\n )\n ) {\n return {\n ...value,\n kind: 'user',\n };\n }\n return value;\n });\n const res = await this.catalog.getEntities(\n { filter: filter },\n { credentials: await this.auth.getOwnServiceCredentials() },\n );\n result = res.items;\n } else {\n throw new InputError('Invalid user lookup query');\n }\n\n if (Array.isArray(result)) {\n if (result.length > 1) {\n throw new ConflictError('User lookup resulted in multiple matches');\n }\n result = result[0];\n }\n if (!result) {\n throw new NotFoundError('User not found');\n }\n\n return { entity: result };\n }\n\n async signInWithCatalogUser(query: AuthResolverCatalogUserQuery) {\n const { entity } = await this.findCatalogUser(query);\n\n const { ownershipEntityRefs } = await this.resolveOwnershipEntityRefs(\n entity,\n );\n\n const token = await this.tokenIssuer.issueToken({\n claims: {\n sub: stringifyEntityRef(entity),\n ent: ownershipEntityRefs,\n },\n });\n return { token };\n }\n\n async resolveOwnershipEntityRefs(\n entity: Entity,\n ): Promise<{ ownershipEntityRefs: string[] }> {\n if (this.ownershipResolver) {\n return this.ownershipResolver.resolveOwnershipEntityRefs(entity);\n }\n return { ownershipEntityRefs: getDefaultOwnershipEntityRefs(entity) };\n }\n}\n"],"names":["RELATION_MEMBER_OF","stringifyEntityRef","CatalogIdentityClient","parseEntityRef","DEFAULT_NAMESPACE","InputError","ConflictError","NotFoundError"],"mappings":";;;;;;AAmCA,SAAS,8BAA8B,MAAgB,EAAA;AACrD,EAAM,MAAA,cAAA,GACJ,OAAO,SACH,EAAA,MAAA;AAAA,IACA,OAAK,CAAE,CAAA,IAAA,KAASA,mCAAsB,CAAE,CAAA,SAAA,CAAU,WAAW,QAAQ;AAAA,IAEtE,GAAI,CAAA,CAAA,CAAA,KAAK,CAAE,CAAA,SAAS,KAAK,EAAC;AAE/B,EAAO,OAAA,KAAA,CAAM,IAAK,iBAAA,IAAI,GAAI,CAAA,CAACC,+BAAmB,CAAA,MAAM,CAAG,EAAA,GAAG,cAAc,CAAC,CAAC,CAAA;AAC5E;AAEO,MAAM,0BAA0D,CAAA;AAAA,EAuB7D,YACU,MACA,EAAA,WAAA,EACA,qBACC,EAAA,OAAA,EACA,MACA,iBACjB,EAAA;AANgB,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,WAAA,GAAA,WAAA;AACA,IAAA,IAAA,CAAA,qBAAA,GAAA,qBAAA;AACC,IAAA,IAAA,CAAA,OAAA,GAAA,OAAA;AACA,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AACA,IAAA,IAAA,CAAA,iBAAA,GAAA,iBAAA;AAAA;AAChB,EA7BH,OAAO,OAAO,OAMiB,EAAA;AAC7B,IAAM,MAAA,qBAAA,GAAwB,IAAIC,2CAAsB,CAAA;AAAA,MACtD,SAAS,OAAQ,CAAA,OAAA;AAAA,MACjB,MAAM,OAAQ,CAAA;AAAA,KACf,CAAA;AAED,IAAA,OAAO,IAAI,0BAAA;AAAA,MACT,OAAQ,CAAA,MAAA;AAAA,MACR,OAAQ,CAAA,WAAA;AAAA,MACR,qBAAA;AAAA,MACA,OAAQ,CAAA,OAAA;AAAA,MACR,OAAQ,CAAA,IAAA;AAAA,MACR,OAAQ,CAAA;AAAA,KACV;AAAA;AACF,EAWA,MAAM,WAAW,MAAqB,EAAA;AACpC,IAAA,MAAM,KAAQ,GAAA,MAAM,IAAK,CAAA,WAAA,CAAY,WAAW,MAAM,CAAA;AACtD,IAAA,OAAO,EAAE,KAAM,EAAA;AAAA;AACjB,EAEA,MAAM,gBAAgB,KAAqC,EAAA;AACzD,IAAA,IAAI,MAAwC,GAAA,KAAA,CAAA;AAE5C,IAAA,IAAI,eAAe,KAAO,EAAA;AACxB,MAAM,MAAA,SAAA,GAAYC,2BAAe,CAAA,KAAA,CAAM,SAAW,EAAA;AAAA,QAChD,WAAa,EAAA,MAAA;AAAA,QACb,gBAAkB,EAAAC;AAAA,OACnB,CAAA;AACD,MAAA,MAAA,GAAS,MAAM,IAAA,CAAK,OAAQ,CAAA,cAAA,CAAe,SAAW,EAAA;AAAA,QACpD,WAAa,EAAA,MAAM,IAAK,CAAA,IAAA,CAAK,wBAAyB;AAAA,OACvD,CAAA;AAAA,KACH,MAAA,IAAW,iBAAiB,KAAO,EAAA;AACjC,MAAA,MAAM,MAAiC,GAAA;AAAA,QACrC,IAAM,EAAA;AAAA,OACR;AACA,MAAW,KAAA,MAAA,CAAC,KAAK,KAAK,CAAA,IAAK,OAAO,OAAQ,CAAA,KAAA,CAAM,WAAW,CAAG,EAAA;AAC5D,QAAO,MAAA,CAAA,CAAA,qBAAA,EAAwB,GAAG,CAAA,CAAE,CAAI,GAAA,KAAA;AAAA;AAE1C,MAAM,MAAA,GAAA,GAAM,MAAM,IAAA,CAAK,OAAQ,CAAA,WAAA;AAAA,QAC7B,EAAE,MAAO,EAAA;AAAA,QACT,EAAE,WAAa,EAAA,MAAM,IAAK,CAAA,IAAA,CAAK,0BAA2B;AAAA,OAC5D;AACA,MAAA,MAAA,GAAS,GAAI,CAAA,KAAA;AAAA,KACf,MAAA,IAAW,YAAY,KAAO,EAAA;AAC5B,MAAM,MAAA,MAAA,GAAS,CAAC,KAAM,CAAA,MAAM,EAAE,IAAK,EAAA,CAAE,IAAI,CAAS,KAAA,KAAA;AAChD,QAAA,IACE,CAAC,MAAA,CAAO,IAAK,CAAA,KAAK,CAAE,CAAA,IAAA;AAAA,UAClB,CAAO,GAAA,KAAA,GAAA,CAAI,iBAAkB,CAAA,OAAO,CAAM,KAAA;AAAA,SAE5C,EAAA;AACA,UAAO,OAAA;AAAA,YACL,GAAG,KAAA;AAAA,YACH,IAAM,EAAA;AAAA,WACR;AAAA;AAEF,QAAO,OAAA,KAAA;AAAA,OACR,CAAA;AACD,MAAM,MAAA,GAAA,GAAM,MAAM,IAAA,CAAK,OAAQ,CAAA,WAAA;AAAA,QAC7B,EAAE,MAAe,EAAA;AAAA,QACjB,EAAE,WAAa,EAAA,MAAM,IAAK,CAAA,IAAA,CAAK,0BAA2B;AAAA,OAC5D;AACA,MAAA,MAAA,GAAS,GAAI,CAAA,KAAA;AAAA,KACR,MAAA;AACL,MAAM,MAAA,IAAIC,kBAAW,2BAA2B,CAAA;AAAA;AAGlD,IAAI,IAAA,KAAA,CAAM,OAAQ,CAAA,MAAM,CAAG,EAAA;AACzB,MAAI,IAAA,MAAA,CAAO,SAAS,CAAG,EAAA;AACrB,QAAM,MAAA,IAAIC,qBAAc,0CAA0C,CAAA;AAAA;AAEpE,MAAA,MAAA,GAAS,OAAO,CAAC,CAAA;AAAA;AAEnB,IAAA,IAAI,CAAC,MAAQ,EAAA;AACX,MAAM,MAAA,IAAIC,qBAAc,gBAAgB,CAAA;AAAA;AAG1C,IAAO,OAAA,EAAE,QAAQ,MAAO,EAAA;AAAA;AAC1B,EAEA,MAAM,sBAAsB,KAAqC,EAAA;AAC/D,IAAA,MAAM,EAAE,MAAO,EAAA,GAAI,MAAM,IAAA,CAAK,gBAAgB,KAAK,CAAA;AAEnD,IAAA,MAAM,EAAE,mBAAA,EAAwB,GAAA,MAAM,IAAK,CAAA,0BAAA;AAAA,MACzC;AAAA,KACF;AAEA,IAAA,MAAM,KAAQ,GAAA,MAAM,IAAK,CAAA,WAAA,CAAY,UAAW,CAAA;AAAA,MAC9C,MAAQ,EAAA;AAAA,QACN,GAAA,EAAKN,gCAAmB,MAAM,CAAA;AAAA,QAC9B,GAAK,EAAA;AAAA;AACP,KACD,CAAA;AACD,IAAA,OAAO,EAAE,KAAM,EAAA;AAAA;AACjB,EAEA,MAAM,2BACJ,MAC4C,EAAA;AAC5C,IAAA,IAAI,KAAK,iBAAmB,EAAA;AAC1B,MAAO,OAAA,IAAA,CAAK,iBAAkB,CAAA,0BAAA,CAA2B,MAAM,CAAA;AAAA;AAEjE,IAAA,OAAO,EAAE,mBAAA,EAAqB,6BAA8B,CAAA,MAAM,CAAE,EAAA;AAAA;AAExE;;;;"}
1	+ {"version":3,"file":"CatalogAuthResolverContext.cjs.js","sources":["../../../src/lib/resolvers/CatalogAuthResolverContext.ts"],"sourcesContent":["/\n Copyright 2022 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n DEFAULT_NAMESPACE,\n Entity,\n parseEntityRef,\n RELATION_MEMBER_OF,\n stringifyEntityRef,\n} from '@backstage/catalog-model';\nimport { ConflictError, InputError, NotFoundError } from '@backstage/errors';\nimport { AuthService, LoggerService } from '@backstage/backend-plugin-api';\nimport { CatalogService } from '@backstage/plugin-catalog-node';\nimport { TokenIssuer } from '../../identity/types';\nimport {\n AuthOwnershipResolver,\n AuthResolverCatalogUserQuery,\n AuthResolverContext,\n TokenParams,\n} from '@backstage/plugin-auth-node';\nimport { CatalogIdentityClient } from '../catalog/CatalogIdentityClient';\n\nfunction getDefaultOwnershipEntityRefs(entity: Entity) {\n const membershipRefs =\n entity.relations\n ?.filter(\n r => r.type === RELATION_MEMBER_OF && r.targetRef.startsWith('group:'),\n )\n .map(r => r.targetRef) ?? [];\n\n return Array.from(new Set([stringifyEntityRef(entity), ...membershipRefs]));\n}\n\nexport class CatalogAuthResolverContext implements AuthResolverContext {\n static create(options: {\n logger: LoggerService;\n catalog: CatalogService;\n tokenIssuer: TokenIssuer;\n auth: AuthService;\n ownershipResolver?: AuthOwnershipResolver;\n }): CatalogAuthResolverContext {\n const catalogIdentityClient = new CatalogIdentityClient({\n catalog: options.catalog,\n auth: options.auth,\n });\n\n return new CatalogAuthResolverContext(\n options.logger,\n options.tokenIssuer,\n catalogIdentityClient,\n options.catalog,\n options.auth,\n options.ownershipResolver,\n );\n }\n\n private constructor(\n public readonly logger: LoggerService,\n public readonly tokenIssuer: TokenIssuer,\n public readonly catalogIdentityClient: CatalogIdentityClient,\n private readonly catalog: CatalogService,\n private readonly auth: AuthService,\n private readonly ownershipResolver?: AuthOwnershipResolver,\n ) {}\n\n async issueToken(params: TokenParams) {\n return await this.tokenIssuer.issueToken(params);\n }\n\n async findCatalogUser(query: AuthResolverCatalogUserQuery) {\n let result: Entity[] \| Entity \| undefined = undefined;\n\n if ('entityRef' in query) {\n const entityRef = parseEntityRef(query.entityRef, {\n defaultKind: 'User',\n defaultNamespace: DEFAULT_NAMESPACE,\n });\n result = await this.catalog.getEntityByRef(entityRef, {\n credentials: await this.auth.getOwnServiceCredentials(),\n });\n } else if ('annotations' in query) {\n const filter: Record<string, string> = {\n kind: 'user',\n };\n for (const [key, value] of Object.entries(query.annotations)) {\n filter[`metadata.annotations.${key}`] = value;\n }\n const res = await this.catalog.getEntities(\n { filter },\n { credentials: await this.auth.getOwnServiceCredentials() },\n );\n result = res.items;\n } else if ('filter' in query) {\n const filter = [query.filter].flat().map(value => {\n if (\n !Object.keys(value).some(\n key => key.toLocaleLowerCase('en-US') === 'kind',\n )\n ) {\n return {\n ...value,\n kind: 'user',\n };\n }\n return value;\n });\n const res = await this.catalog.getEntities(\n { filter: filter },\n { credentials: await this.auth.getOwnServiceCredentials() },\n );\n result = res.items;\n } else {\n throw new InputError('Invalid user lookup query');\n }\n\n if (Array.isArray(result)) {\n if (result.length > 1) {\n throw new ConflictError('User lookup resulted in multiple matches');\n }\n result = result[0];\n }\n if (!result) {\n throw new NotFoundError('User not found');\n }\n\n return { entity: result };\n }\n\n async signInWithCatalogUser(\n query: AuthResolverCatalogUserQuery,\n options?: {\n dangerousEntityRefFallback?: {\n entityRef:\n \| string\n \| {\n kind?: string;\n namespace?: string;\n name: string;\n };\n };\n },\n ) {\n try {\n const { entity } = await this.findCatalogUser(query);\n\n const { ownershipEntityRefs } = await this.resolveOwnershipEntityRefs(\n entity,\n );\n\n return await this.tokenIssuer.issueToken({\n claims: {\n sub: stringifyEntityRef(entity),\n ent: ownershipEntityRefs,\n },\n });\n } catch (error) {\n if (\n error?.name !== 'NotFoundError' \|\|\n !options?.dangerousEntityRefFallback\n ) {\n throw error;\n }\n const userEntityRef = stringifyEntityRef(\n parseEntityRef(options.dangerousEntityRefFallback.entityRef, {\n defaultKind: 'User',\n defaultNamespace: DEFAULT_NAMESPACE,\n }),\n );\n\n return await this.tokenIssuer.issueToken({\n claims: {\n sub: userEntityRef,\n ent: [userEntityRef],\n },\n });\n }\n }\n\n async resolveOwnershipEntityRefs(\n entity: Entity,\n ): Promise<{ ownershipEntityRefs: string[] }> {\n if (this.ownershipResolver) {\n return this.ownershipResolver.resolveOwnershipEntityRefs(entity);\n }\n return { ownershipEntityRefs: getDefaultOwnershipEntityRefs(entity) };\n }\n}\n"],"names":["RELATION_MEMBER_OF","stringifyEntityRef","CatalogIdentityClient","parseEntityRef","DEFAULT_NAMESPACE","InputError","ConflictError","NotFoundError"],"mappings":";;;;;;AAmCA,SAAS,8BAA8B,MAAgB,EAAA;AACrD,EAAM,MAAA,cAAA,GACJ,OAAO,SACH,EAAA,MAAA;AAAA,IACA,OAAK,CAAE,CAAA,IAAA,KAASA,mCAAsB,CAAE,CAAA,SAAA,CAAU,WAAW,QAAQ;AAAA,IAEtE,GAAI,CAAA,CAAA,CAAA,KAAK,CAAE,CAAA,SAAS,KAAK,EAAC;AAE/B,EAAO,OAAA,KAAA,CAAM,IAAK,iBAAA,IAAI,GAAI,CAAA,CAACC,+BAAmB,CAAA,MAAM,CAAG,EAAA,GAAG,cAAc,CAAC,CAAC,CAAA;AAC5E;AAEO,MAAM,0BAA0D,CAAA;AAAA,EAuB7D,YACU,MACA,EAAA,WAAA,EACA,qBACC,EAAA,OAAA,EACA,MACA,iBACjB,EAAA;AANgB,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,WAAA,GAAA,WAAA;AACA,IAAA,IAAA,CAAA,qBAAA,GAAA,qBAAA;AACC,IAAA,IAAA,CAAA,OAAA,GAAA,OAAA;AACA,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AACA,IAAA,IAAA,CAAA,iBAAA,GAAA,iBAAA;AAAA;AAChB,EA7BH,OAAO,OAAO,OAMiB,EAAA;AAC7B,IAAM,MAAA,qBAAA,GAAwB,IAAIC,2CAAsB,CAAA;AAAA,MACtD,SAAS,OAAQ,CAAA,OAAA;AAAA,MACjB,MAAM,OAAQ,CAAA;AAAA,KACf,CAAA;AAED,IAAA,OAAO,IAAI,0BAAA;AAAA,MACT,OAAQ,CAAA,MAAA;AAAA,MACR,OAAQ,CAAA,WAAA;AAAA,MACR,qBAAA;AAAA,MACA,OAAQ,CAAA,OAAA;AAAA,MACR,OAAQ,CAAA,IAAA;AAAA,MACR,OAAQ,CAAA;AAAA,KACV;AAAA;AACF,EAWA,MAAM,WAAW,MAAqB,EAAA;AACpC,IAAA,OAAO,MAAM,IAAA,CAAK,WAAY,CAAA,UAAA,CAAW,MAAM,CAAA;AAAA;AACjD,EAEA,MAAM,gBAAgB,KAAqC,EAAA;AACzD,IAAA,IAAI,MAAwC,GAAA,KAAA,CAAA;AAE5C,IAAA,IAAI,eAAe,KAAO,EAAA;AACxB,MAAM,MAAA,SAAA,GAAYC,2BAAe,CAAA,KAAA,CAAM,SAAW,EAAA;AAAA,QAChD,WAAa,EAAA,MAAA;AAAA,QACb,gBAAkB,EAAAC;AAAA,OACnB,CAAA;AACD,MAAA,MAAA,GAAS,MAAM,IAAA,CAAK,OAAQ,CAAA,cAAA,CAAe,SAAW,EAAA;AAAA,QACpD,WAAa,EAAA,MAAM,IAAK,CAAA,IAAA,CAAK,wBAAyB;AAAA,OACvD,CAAA;AAAA,KACH,MAAA,IAAW,iBAAiB,KAAO,EAAA;AACjC,MAAA,MAAM,MAAiC,GAAA;AAAA,QACrC,IAAM,EAAA;AAAA,OACR;AACA,MAAW,KAAA,MAAA,CAAC,KAAK,KAAK,CAAA,IAAK,OAAO,OAAQ,CAAA,KAAA,CAAM,WAAW,CAAG,EAAA;AAC5D,QAAO,MAAA,CAAA,CAAA,qBAAA,EAAwB,GAAG,CAAA,CAAE,CAAI,GAAA,KAAA;AAAA;AAE1C,MAAM,MAAA,GAAA,GAAM,MAAM,IAAA,CAAK,OAAQ,CAAA,WAAA;AAAA,QAC7B,EAAE,MAAO,EAAA;AAAA,QACT,EAAE,WAAa,EAAA,MAAM,IAAK,CAAA,IAAA,CAAK,0BAA2B;AAAA,OAC5D;AACA,MAAA,MAAA,GAAS,GAAI,CAAA,KAAA;AAAA,KACf,MAAA,IAAW,YAAY,KAAO,EAAA;AAC5B,MAAM,MAAA,MAAA,GAAS,CAAC,KAAM,CAAA,MAAM,EAAE,IAAK,EAAA,CAAE,IAAI,CAAS,KAAA,KAAA;AAChD,QAAA,IACE,CAAC,MAAA,CAAO,IAAK,CAAA,KAAK,CAAE,CAAA,IAAA;AAAA,UAClB,CAAO,GAAA,KAAA,GAAA,CAAI,iBAAkB,CAAA,OAAO,CAAM,KAAA;AAAA,SAE5C,EAAA;AACA,UAAO,OAAA;AAAA,YACL,GAAG,KAAA;AAAA,YACH,IAAM,EAAA;AAAA,WACR;AAAA;AAEF,QAAO,OAAA,KAAA;AAAA,OACR,CAAA;AACD,MAAM,MAAA,GAAA,GAAM,MAAM,IAAA,CAAK,OAAQ,CAAA,WAAA;AAAA,QAC7B,EAAE,MAAe,EAAA;AAAA,QACjB,EAAE,WAAa,EAAA,MAAM,IAAK,CAAA,IAAA,CAAK,0BAA2B;AAAA,OAC5D;AACA,MAAA,MAAA,GAAS,GAAI,CAAA,KAAA;AAAA,KACR,MAAA;AACL,MAAM,MAAA,IAAIC,kBAAW,2BAA2B,CAAA;AAAA;AAGlD,IAAI,IAAA,KAAA,CAAM,OAAQ,CAAA,MAAM,CAAG,EAAA;AACzB,MAAI,IAAA,MAAA,CAAO,SAAS,CAAG,EAAA;AACrB,QAAM,MAAA,IAAIC,qBAAc,0CAA0C,CAAA;AAAA;AAEpE,MAAA,MAAA,GAAS,OAAO,CAAC,CAAA;AAAA;AAEnB,IAAA,IAAI,CAAC,MAAQ,EAAA;AACX,MAAM,MAAA,IAAIC,qBAAc,gBAAgB,CAAA;AAAA;AAG1C,IAAO,OAAA,EAAE,QAAQ,MAAO,EAAA;AAAA;AAC1B,EAEA,MAAM,qBACJ,CAAA,KAAA,EACA,OAWA,EAAA;AACA,IAAI,IAAA;AACF,MAAA,MAAM,EAAE,MAAO,EAAA,GAAI,MAAM,IAAA,CAAK,gBAAgB,KAAK,CAAA;AAEnD,MAAA,MAAM,EAAE,mBAAA,EAAwB,GAAA,MAAM,IAAK,CAAA,0BAAA;AAAA,QACzC;AAAA,OACF;AAEA,MAAO,OAAA,MAAM,IAAK,CAAA,WAAA,CAAY,UAAW,CAAA;AAAA,QACvC,MAAQ,EAAA;AAAA,UACN,GAAA,EAAKN,gCAAmB,MAAM,CAAA;AAAA,UAC9B,GAAK,EAAA;AAAA;AACP,OACD,CAAA;AAAA,aACM,KAAO,EAAA;AACd,MAAA,IACE,KAAO,EAAA,IAAA,KAAS,eAChB,IAAA,CAAC,SAAS,0BACV,EAAA;AACA,QAAM,MAAA,KAAA;AAAA;AAER,MAAA,MAAM,aAAgB,GAAAA,+BAAA;AAAA,QACpBE,2BAAA,CAAe,OAAQ,CAAA,0BAAA,CAA2B,SAAW,EAAA;AAAA,UAC3D,WAAa,EAAA,MAAA;AAAA,UACb,gBAAkB,EAAAC;AAAA,SACnB;AAAA,OACH;AAEA,MAAO,OAAA,MAAM,IAAK,CAAA,WAAA,CAAY,UAAW,CAAA;AAAA,QACvC,MAAQ,EAAA;AAAA,UACN,GAAK,EAAA,aAAA;AAAA,UACL,GAAA,EAAK,CAAC,aAAa;AAAA;AACrB,OACD,CAAA;AAAA;AACH;AACF,EAEA,MAAM,2BACJ,MAC4C,EAAA;AAC5C,IAAA,IAAI,KAAK,iBAAmB,EAAA;AAC1B,MAAO,OAAA,IAAA,CAAK,iBAAkB,CAAA,0BAAA,CAA2B,MAAM,CAAA;AAAA;AAEjE,IAAA,OAAO,EAAE,mBAAA,EAAqB,6BAA8B,CAAA,MAAM,CAAE,EAAA;AAAA;AAExE;;;;"}

package/dist/service/router.cjs.js CHANGED Viewed

@@ -47,13 +47,18 @@ async function createRouter(options) {
   const userInfoDatabaseHandler = new UserInfoDatabaseHandler.UserInfoDatabaseHandler(
     await authDb.get()
   );
+  const omitClaimsFromToken = config.getOptionalBoolean(
+    "auth.omitIdentityTokenOwnershipClaim"
+  ) ? ["ent"] : [];
   let tokenIssuer;
   if (keyStore instanceof StaticKeyStore.StaticKeyStore) {
     tokenIssuer = new StaticTokenIssuer.StaticTokenIssuer(
       {
         logger: logger.child({ component: "token-factory" }),
         issuer: authUrl,
-        sessionExpirationSeconds: backstageTokenExpiration
+        sessionExpirationSeconds: backstageTokenExpiration,
+        userInfoDatabaseHandler,
+        omitClaimsFromToken
       },
       keyStore
     );
@@ -64,7 +69,8 @@ async function createRouter(options) {
       keyDurationSeconds: backstageTokenExpiration,
       logger: logger.child({ component: "token-factory" }),
       algorithm: tokenFactoryAlgorithm ?? config.getOptionalString("auth.identityTokenAlgorithm"),
-      userInfoDatabaseHandler
+      userInfoDatabaseHandler,
+      omitClaimsFromToken
     });
   }
   const secret = config.getOptionalString("auth.session.secret");

package/dist/service/router.cjs.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"router.cjs.js","sources":["../../src/service/router.ts"],"sourcesContent":["/\n Copyright 2020 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport express from 'express';\nimport Router from 'express-promise-router';\nimport cookieParser from 'cookie-parser';\nimport {\n AuthService,\n DatabaseService,\n DiscoveryService,\n LoggerService,\n RootConfigService,\n} from '@backstage/backend-plugin-api';\nimport { AuthOwnershipResolver } from '@backstage/plugin-auth-node';\nimport { CatalogService } from '@backstage/plugin-catalog-node';\nimport { NotFoundError } from '@backstage/errors';\nimport { bindOidcRouter } from '../identity/router';\nimport { KeyStores } from '../identity/KeyStores';\nimport { TokenFactory } from '../identity/TokenFactory';\nimport { UserInfoDatabaseHandler } from '../identity/UserInfoDatabaseHandler';\nimport session from 'express-session';\nimport connectSessionKnex from 'connect-session-knex';\nimport passport from 'passport';\nimport { AuthDatabase } from '../database/AuthDatabase';\nimport { readBackstageTokenExpiration } from './readBackstageTokenExpiration';\nimport { TokenIssuer } from '../identity/types';\nimport { StaticTokenIssuer } from '../identity/StaticTokenIssuer';\nimport { StaticKeyStore } from '../identity/StaticKeyStore';\nimport { bindProviderRouters, ProviderFactories } from '../providers/router';\n\ninterface RouterOptions {\n logger: LoggerService;\n database: DatabaseService;\n config: RootConfigService;\n discovery: DiscoveryService;\n auth: AuthService;\n tokenFactoryAlgorithm?: string;\n providerFactories?: ProviderFactories;\n catalog: CatalogService;\n ownershipResolver?: AuthOwnershipResolver;\n}\n\nexport async function createRouter(\n options: RouterOptions,\n): Promise<express.Router> {\n const {\n logger,\n config,\n discovery,\n database,\n tokenFactoryAlgorithm,\n providerFactories = {},\n } = options;\n\n const router = Router();\n\n const appUrl = config.getString('app.baseUrl');\n const authUrl = await discovery.getExternalBaseUrl('auth');\n const backstageTokenExpiration = readBackstageTokenExpiration(config);\n const authDb = AuthDatabase.create(database);\n\n const keyStore = await KeyStores.fromConfig(config, {\n logger,\n database: authDb,\n });\n\n const userInfoDatabaseHandler = new UserInfoDatabaseHandler(\n await authDb.get(),\n );\n\n let tokenIssuer: TokenIssuer;\n if (keyStore instanceof StaticKeyStore) {\n tokenIssuer = new StaticTokenIssuer(\n {\n logger: logger.child({ component: 'token-factory' }),\n issuer: authUrl,\n sessionExpirationSeconds: backstageTokenExpiration,\n },\n keyStore as StaticKeyStore,\n );\n } else {\n tokenIssuer = new TokenFactory({\n issuer: authUrl,\n keyStore,\n keyDurationSeconds: backstageTokenExpiration,\n logger: logger.child({ component: 'token-factory' }),\n algorithm:\n tokenFactoryAlgorithm ??\n config.getOptionalString('auth.identityTokenAlgorithm'),\n userInfoDatabaseHandler,\n });\n }\n\n const secret = config.getOptionalString('auth.session.secret');\n if (secret) {\n router.use(cookieParser(secret));\n const enforceCookieSSL = authUrl.startsWith('https');\n const KnexSessionStore = connectSessionKnex(session);\n router.use(\n session({\n secret,\n saveUninitialized: false,\n resave: false,\n cookie: { secure: enforceCookieSSL ? 'auto' : false },\n store: new KnexSessionStore({\n createtable: false,\n knex: await authDb.get(),\n }),\n }),\n );\n router.use(passport.initialize());\n router.use(passport.session());\n } else {\n router.use(cookieParser());\n }\n\n router.use(express.urlencoded({ extended: false }));\n router.use(express.json());\n\n bindProviderRouters(router, {\n providers: providerFactories,\n appUrl,\n baseUrl: authUrl,\n tokenIssuer,\n ...options,\n auth: options.auth,\n });\n\n bindOidcRouter(router, {\n auth: options.auth,\n tokenIssuer,\n baseUrl: authUrl,\n userInfoDatabaseHandler,\n });\n\n // Gives a more helpful error message than a plain 404\n router.use('/:provider/', req => {\n const { provider } = req.params;\n throw new NotFoundError(`Unknown auth provider '${provider}'`);\n });\n\n return router;\n}\n"],"names":["router","Router","readBackstageTokenExpiration","AuthDatabase","KeyStores","UserInfoDatabaseHandler","StaticKeyStore","StaticTokenIssuer","TokenFactory","cookieParser","connectSessionKnex","session","passport","express","bindProviderRouters","bindOidcRouter","NotFoundError"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAuDA,eAAsB,aACpB,OACyB,EAAA;AACzB,EAAM,MAAA;AAAA,IACJ,MAAA;AAAA,IACA,MAAA;AAAA,IACA,SAAA;AAAA,IACA,QAAA;AAAA,IACA,qBAAA;AAAA,IACA,oBAAoB;AAAC,GACnB,GAAA,OAAA;AAEJ,EAAA,MAAMA,WAASC,uBAAO,EAAA;AAEtB,EAAM,MAAA,MAAA,GAAS,MAAO,CAAA,SAAA,CAAU,aAAa,CAAA;AAC7C,EAAA,MAAM,OAAU,GAAA,MAAM,SAAU,CAAA,kBAAA,CAAmB,MAAM,CAAA;AACzD,EAAM,MAAA,wBAAA,GAA2BC,0DAA6B,MAAM,CAAA;AACpE,EAAM,MAAA,MAAA,GAASC,yBAAa,CAAA,MAAA,CAAO,QAAQ,CAAA;AAE3C,EAAA,MAAM,QAAW,GAAA,MAAMC,mBAAU,CAAA,UAAA,CAAW,MAAQ,EAAA;AAAA,IAClD,MAAA;AAAA,IACA,QAAU,EAAA;AAAA,GACX,CAAA;AAED,EAAA,MAAM,0BAA0B,IAAIC,+CAAA;AAAA,IAClC,MAAM,OAAO,GAAI;AAAA,GACnB;AAEA,EAAI,IAAA,WAAA;AACJ,EAAA,IAAI,oBAAoBC,6BAAgB,EAAA;AACtC,IAAA,WAAA,GAAc,IAAIC,mCAAA;AAAA,MAChB;AAAA,QACE,QAAQ,MAAO,CAAA,KAAA,CAAM,EAAE,SAAA,EAAW,iBAAiB,CAAA;AAAA,QACnD,MAAQ,EAAA,OAAA;AAAA,QACR,wBAA0B,EAAA;AAAA,~~OAC5B~~;AAAA,MACA;AAAA,KACF;AAAA,GACK,MAAA;AACL,IAAA,WAAA,GAAc,IAAIC,yBAAa,CAAA;AAAA,MAC7B,MAAQ,EAAA,OAAA;AAAA,MACR,QAAA;AAAA,MACA,kBAAoB,EAAA,wBAAA;AAAA,MACpB,QAAQ,MAAO,CAAA,KAAA,CAAM,EAAE,SAAA,EAAW,iBAAiB,CAAA;AAAA,MACnD,SACE,EAAA,qBAAA,IACA,MAAO,CAAA,iBAAA,CAAkB,6BAA6B,CAAA;AAAA,MACxD;AAAA,KACD,CAAA;AAAA;AAGH,EAAM,MAAA,MAAA,GAAS,MAAO,CAAA,iBAAA,CAAkB,qBAAqB,CAAA;AAC7D,EAAA,IAAI,MAAQ,EAAA;AACV,IAAOR,QAAA,CAAA,GAAA,CAAIS,6BAAa,CAAA,MAAM,CAAC,CAAA;AAC/B,IAAM,MAAA,gBAAA,GAAmB,OAAQ,CAAA,UAAA,CAAW,OAAO,CAAA;AACnD,IAAM,MAAA,gBAAA,GAAmBC,oCAAmBC,wBAAO,CAAA;AACnD,IAAOX,QAAA,CAAA,GAAA;AAAA,MACLW,wBAAQ,CAAA;AAAA,QACN,MAAA;AAAA,QACA,iBAAmB,EAAA,KAAA;AAAA,QACnB,MAAQ,EAAA,KAAA;AAAA,QACR,MAAQ,EAAA,EAAE,MAAQ,EAAA,gBAAA,GAAmB,SAAS,KAAM,EAAA;AAAA,QACpD,KAAA,EAAO,IAAI,gBAAiB,CAAA;AAAA,UAC1B,WAAa,EAAA,KAAA;AAAA,UACb,IAAA,EAAM,MAAM,MAAA,CAAO,GAAI;AAAA,SACxB;AAAA,OACF;AAAA,KACH;AACA,IAAOX,QAAA,CAAA,GAAA,CAAIY,yBAAS,CAAA,UAAA,EAAY,CAAA;AAChC,IAAOZ,QAAA,CAAA,GAAA,CAAIY,yBAAS,CAAA,OAAA,EAAS,CAAA;AAAA,GACxB,MAAA;AACL,IAAOZ,QAAA,CAAA,GAAA,CAAIS,+BAAc,CAAA;AAAA;AAG3B,EAAAT,QAAA,CAAO,IAAIa,wBAAQ,CAAA,UAAA,CAAW,EAAE,QAAU,EAAA,KAAA,EAAO,CAAC,CAAA;AAClD,EAAOb,QAAA,CAAA,GAAA,CAAIa,wBAAQ,CAAA,IAAA,EAAM,CAAA;AAEzB,EAAAC,0BAAA,CAAoBd,QAAQ,EAAA;AAAA,IAC1B,SAAW,EAAA,iBAAA;AAAA,IACX,MAAA;AAAA,IACA,OAAS,EAAA,OAAA;AAAA,IACT,WAAA;AAAA,IACA,GAAG,OAAA;AAAA,IACH,MAAM,OAAQ,CAAA;AAAA,GACf,CAAA;AAED,EAAAe,uBAAA,CAAef,QAAQ,EAAA;AAAA,IACrB,MAAM,OAAQ,CAAA,IAAA;AAAA,IACd,WAAA;AAAA,IACA,OAAS,EAAA,OAAA;AAAA,IACT;AAAA,GACD,CAAA;AAGD,EAAOA,QAAA,CAAA,GAAA,CAAI,eAAe,CAAO,GAAA,KAAA;AAC/B,IAAM,MAAA,EAAE,QAAS,EAAA,GAAI,GAAI,CAAA,MAAA;AACzB,IAAA,MAAM,IAAIgB,oBAAA,CAAc,CAA0B,uBAAA,EAAA,QAAQ,CAAG,CAAA,CAAA,CAAA;AAAA,GAC9D,CAAA;AAED,EAAO,OAAAhB,QAAA;AACT;;;;"}
1	+ {"version":3,"file":"router.cjs.js","sources":["../../src/service/router.ts"],"sourcesContent":["/\n Copyright 2020 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport express from 'express';\nimport Router from 'express-promise-router';\nimport cookieParser from 'cookie-parser';\nimport {\n AuthService,\n DatabaseService,\n DiscoveryService,\n LoggerService,\n RootConfigService,\n} from '@backstage/backend-plugin-api';\nimport { AuthOwnershipResolver } from '@backstage/plugin-auth-node';\nimport { CatalogService } from '@backstage/plugin-catalog-node';\nimport { NotFoundError } from '@backstage/errors';\nimport { bindOidcRouter } from '../identity/router';\nimport { KeyStores } from '../identity/KeyStores';\nimport { TokenFactory } from '../identity/TokenFactory';\nimport { UserInfoDatabaseHandler } from '../identity/UserInfoDatabaseHandler';\nimport session from 'express-session';\nimport connectSessionKnex from 'connect-session-knex';\nimport passport from 'passport';\nimport { AuthDatabase } from '../database/AuthDatabase';\nimport { readBackstageTokenExpiration } from './readBackstageTokenExpiration';\nimport { TokenIssuer } from '../identity/types';\nimport { StaticTokenIssuer } from '../identity/StaticTokenIssuer';\nimport { StaticKeyStore } from '../identity/StaticKeyStore';\nimport { bindProviderRouters, ProviderFactories } from '../providers/router';\n\ninterface RouterOptions {\n logger: LoggerService;\n database: DatabaseService;\n config: RootConfigService;\n discovery: DiscoveryService;\n auth: AuthService;\n tokenFactoryAlgorithm?: string;\n providerFactories?: ProviderFactories;\n catalog: CatalogService;\n ownershipResolver?: AuthOwnershipResolver;\n}\n\nexport async function createRouter(\n options: RouterOptions,\n): Promise<express.Router> {\n const {\n logger,\n config,\n discovery,\n database,\n tokenFactoryAlgorithm,\n providerFactories = {},\n } = options;\n\n const router = Router();\n\n const appUrl = config.getString('app.baseUrl');\n const authUrl = await discovery.getExternalBaseUrl('auth');\n const backstageTokenExpiration = readBackstageTokenExpiration(config);\n const authDb = AuthDatabase.create(database);\n\n const keyStore = await KeyStores.fromConfig(config, {\n logger,\n database: authDb,\n });\n\n const userInfoDatabaseHandler = new UserInfoDatabaseHandler(\n await authDb.get(),\n );\n\n const omitClaimsFromToken = config.getOptionalBoolean(\n 'auth.omitIdentityTokenOwnershipClaim',\n )\n ? ['ent']\n : [];\n\n let tokenIssuer: TokenIssuer;\n if (keyStore instanceof StaticKeyStore) {\n tokenIssuer = new StaticTokenIssuer(\n {\n logger: logger.child({ component: 'token-factory' }),\n issuer: authUrl,\n sessionExpirationSeconds: backstageTokenExpiration,\n userInfoDatabaseHandler,\n omitClaimsFromToken,\n },\n keyStore as StaticKeyStore,\n );\n } else {\n tokenIssuer = new TokenFactory({\n issuer: authUrl,\n keyStore,\n keyDurationSeconds: backstageTokenExpiration,\n logger: logger.child({ component: 'token-factory' }),\n algorithm:\n tokenFactoryAlgorithm ??\n config.getOptionalString('auth.identityTokenAlgorithm'),\n userInfoDatabaseHandler,\n omitClaimsFromToken,\n });\n }\n\n const secret = config.getOptionalString('auth.session.secret');\n if (secret) {\n router.use(cookieParser(secret));\n const enforceCookieSSL = authUrl.startsWith('https');\n const KnexSessionStore = connectSessionKnex(session);\n router.use(\n session({\n secret,\n saveUninitialized: false,\n resave: false,\n cookie: { secure: enforceCookieSSL ? 'auto' : false },\n store: new KnexSessionStore({\n createtable: false,\n knex: await authDb.get(),\n }),\n }),\n );\n router.use(passport.initialize());\n router.use(passport.session());\n } else {\n router.use(cookieParser());\n }\n\n router.use(express.urlencoded({ extended: false }));\n router.use(express.json());\n\n bindProviderRouters(router, {\n providers: providerFactories,\n appUrl,\n baseUrl: authUrl,\n tokenIssuer,\n ...options,\n auth: options.auth,\n });\n\n bindOidcRouter(router, {\n auth: options.auth,\n tokenIssuer,\n baseUrl: authUrl,\n userInfoDatabaseHandler,\n });\n\n // Gives a more helpful error message than a plain 404\n router.use('/:provider/', req => {\n const { provider } = req.params;\n throw new NotFoundError(`Unknown auth provider '${provider}'`);\n });\n\n return router;\n}\n"],"names":["router","Router","readBackstageTokenExpiration","AuthDatabase","KeyStores","UserInfoDatabaseHandler","StaticKeyStore","StaticTokenIssuer","TokenFactory","cookieParser","connectSessionKnex","session","passport","express","bindProviderRouters","bindOidcRouter","NotFoundError"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAuDA,eAAsB,aACpB,OACyB,EAAA;AACzB,EAAM,MAAA;AAAA,IACJ,MAAA;AAAA,IACA,MAAA;AAAA,IACA,SAAA;AAAA,IACA,QAAA;AAAA,IACA,qBAAA;AAAA,IACA,oBAAoB;AAAC,GACnB,GAAA,OAAA;AAEJ,EAAA,MAAMA,WAASC,uBAAO,EAAA;AAEtB,EAAM,MAAA,MAAA,GAAS,MAAO,CAAA,SAAA,CAAU,aAAa,CAAA;AAC7C,EAAA,MAAM,OAAU,GAAA,MAAM,SAAU,CAAA,kBAAA,CAAmB,MAAM,CAAA;AACzD,EAAM,MAAA,wBAAA,GAA2BC,0DAA6B,MAAM,CAAA;AACpE,EAAM,MAAA,MAAA,GAASC,yBAAa,CAAA,MAAA,CAAO,QAAQ,CAAA;AAE3C,EAAA,MAAM,QAAW,GAAA,MAAMC,mBAAU,CAAA,UAAA,CAAW,MAAQ,EAAA;AAAA,IAClD,MAAA;AAAA,IACA,QAAU,EAAA;AAAA,GACX,CAAA;AAED,EAAA,MAAM,0BAA0B,IAAIC,+CAAA;AAAA,IAClC,MAAM,OAAO,GAAI;AAAA,GACnB;AAEA,EAAA,MAAM,sBAAsB,MAAO,CAAA,kBAAA;AAAA,IACjC;AAAA,GAEE,GAAA,CAAC,KAAK,CAAA,GACN,EAAC;AAEL,EAAI,IAAA,WAAA;AACJ,EAAA,IAAI,oBAAoBC,6BAAgB,EAAA;AACtC,IAAA,WAAA,GAAc,IAAIC,mCAAA;AAAA,MAChB;AAAA,QACE,QAAQ,MAAO,CAAA,KAAA,CAAM,EAAE,SAAA,EAAW,iBAAiB,CAAA;AAAA,QACnD,MAAQ,EAAA,OAAA;AAAA,QACR,wBAA0B,EAAA,wBAAA;AAAA,QAC1B,uBAAA;AAAA,QACA;AAAA,OACF;AAAA,MACA;AAAA,KACF;AAAA,GACK,MAAA;AACL,IAAA,WAAA,GAAc,IAAIC,yBAAa,CAAA;AAAA,MAC7B,MAAQ,EAAA,OAAA;AAAA,MACR,QAAA;AAAA,MACA,kBAAoB,EAAA,wBAAA;AAAA,MACpB,QAAQ,MAAO,CAAA,KAAA,CAAM,EAAE,SAAA,EAAW,iBAAiB,CAAA;AAAA,MACnD,SACE,EAAA,qBAAA,IACA,MAAO,CAAA,iBAAA,CAAkB,6BAA6B,CAAA;AAAA,MACxD,uBAAA;AAAA,MACA;AAAA,KACD,CAAA;AAAA;AAGH,EAAM,MAAA,MAAA,GAAS,MAAO,CAAA,iBAAA,CAAkB,qBAAqB,CAAA;AAC7D,EAAA,IAAI,MAAQ,EAAA;AACV,IAAOR,QAAA,CAAA,GAAA,CAAIS,6BAAa,CAAA,MAAM,CAAC,CAAA;AAC/B,IAAM,MAAA,gBAAA,GAAmB,OAAQ,CAAA,UAAA,CAAW,OAAO,CAAA;AACnD,IAAM,MAAA,gBAAA,GAAmBC,oCAAmBC,wBAAO,CAAA;AACnD,IAAOX,QAAA,CAAA,GAAA;AAAA,MACLW,wBAAQ,CAAA;AAAA,QACN,MAAA;AAAA,QACA,iBAAmB,EAAA,KAAA;AAAA,QACnB,MAAQ,EAAA,KAAA;AAAA,QACR,MAAQ,EAAA,EAAE,MAAQ,EAAA,gBAAA,GAAmB,SAAS,KAAM,EAAA;AAAA,QACpD,KAAA,EAAO,IAAI,gBAAiB,CAAA;AAAA,UAC1B,WAAa,EAAA,KAAA;AAAA,UACb,IAAA,EAAM,MAAM,MAAA,CAAO,GAAI;AAAA,SACxB;AAAA,OACF;AAAA,KACH;AACA,IAAOX,QAAA,CAAA,GAAA,CAAIY,yBAAS,CAAA,UAAA,EAAY,CAAA;AAChC,IAAOZ,QAAA,CAAA,GAAA,CAAIY,yBAAS,CAAA,OAAA,EAAS,CAAA;AAAA,GACxB,MAAA;AACL,IAAOZ,QAAA,CAAA,GAAA,CAAIS,+BAAc,CAAA;AAAA;AAG3B,EAAAT,QAAA,CAAO,IAAIa,wBAAQ,CAAA,UAAA,CAAW,EAAE,QAAU,EAAA,KAAA,EAAO,CAAC,CAAA;AAClD,EAAOb,QAAA,CAAA,GAAA,CAAIa,wBAAQ,CAAA,IAAA,EAAM,CAAA;AAEzB,EAAAC,0BAAA,CAAoBd,QAAQ,EAAA;AAAA,IAC1B,SAAW,EAAA,iBAAA;AAAA,IACX,MAAA;AAAA,IACA,OAAS,EAAA,OAAA;AAAA,IACT,WAAA;AAAA,IACA,GAAG,OAAA;AAAA,IACH,MAAM,OAAQ,CAAA;AAAA,GACf,CAAA;AAED,EAAAe,uBAAA,CAAef,QAAQ,EAAA;AAAA,IACrB,MAAM,OAAQ,CAAA,IAAA;AAAA,IACd,WAAA;AAAA,IACA,OAAS,EAAA,OAAA;AAAA,IACT;AAAA,GACD,CAAA;AAGD,EAAOA,QAAA,CAAA,GAAA,CAAI,eAAe,CAAO,GAAA,KAAA;AAC/B,IAAM,MAAA,EAAE,QAAS,EAAA,GAAI,GAAI,CAAA,MAAA;AACzB,IAAA,MAAM,IAAIgB,oBAAA,CAAc,CAA0B,uBAAA,EAAA,QAAQ,CAAG,CAAA,CAAA,CAAA;AAAA,GAC9D,CAAA;AAED,EAAO,OAAAhB,QAAA;AACT;;;;"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@backstage/plugin-auth-backend",
-  "version": "0.25.0-next.0",
+  "version": "0.25.0-next.2",
   "description": "A Backstage backend plugin that handles authentication",
   "backstage": {
     "role": "backend-plugin",
@@ -46,12 +46,12 @@
     "test": "backstage-cli package test"
   },
   "dependencies": {
-    "@backstage/backend-plugin-api": "1.3.1-next.0",
+    "@backstage/backend-plugin-api": "1.3.1-next.2",
     "@backstage/catalog-model": "1.7.3",
     "@backstage/config": "1.3.2",
     "@backstage/errors": "1.2.7",
-    "@backstage/plugin-auth-node": "0.6.3-next.0",
-    "@backstage/plugin-catalog-node": "1.17.0-next.0",
+    "@backstage/plugin-auth-node": "0.6.3-next.2",
+    "@backstage/plugin-catalog-node": "1.17.0-next.2",
     "@backstage/types": "1.2.1",
     "@google-cloud/firestore": "^7.0.0",
     "connect-session-knex": "^4.0.0",
@@ -68,10 +68,11 @@
     "uuid": "^11.0.0"
   },
   "devDependencies": {
-    "@backstage/backend-defaults": "0.9.1-next.0",
-    "@backstage/backend-test-utils": "1.5.0-next.0",
-    "@backstage/cli": "0.32.1-next.0",
-    "@backstage/plugin-auth-backend-module-google-provider": "0.3.3-next.0",
+    "@backstage/backend-defaults": "0.10.0-next.3",
+    "@backstage/backend-test-utils": "1.5.0-next.3",
+    "@backstage/cli": "0.32.1-next.3",
+    "@backstage/plugin-auth-backend-module-google-provider": "0.3.3-next.2",
+    "@backstage/plugin-auth-backend-module-guest-provider": "0.2.8-next.2",
     "@types/cookie-parser": "^1.4.2",
     "@types/express": "^4.17.6",
     "@types/express-session": "^1.17.2",