@backstage/plugin-auth-backend 0.25.0-next.1 → 0.25.0

package/CHANGELOG.md

@@ -1,5 +1,68 @@
 # @backstage/plugin-auth-backend
 
+## 0.25.0
+
+### Minor Changes
+
+- 57221d9: **BREAKING**: Removed support for the old backend system, and removed all deprecated exports.
+
+  If you were using one of the deprecated imports from this package, you will have to follow the instructions in their respective deprecation notices before upgrading. Most of the general utilities are available from `@backstage/plugin-auth-node`, and the specific auth providers are available from dedicated packages such as for example `@backstage/plugin-auth-backend-module-github-provider`. See [the auth docs](https://backstage.io/docs/auth/) for specific instructions.
+
+### Patch Changes
+
+- 0d606ac: Added the configuration flag `auth.omitIdentityTokenOwnershipClaim` that causes issued user tokens to no longer contain the `ent` claim that represents the ownership references of the user.
+
+  The benefit of this new flag is that issued user tokens will be much smaller in
+  size, but they will no longer be self-contained. This means that any consumers
+  of the token that require access to the ownership claims now need to call the
+  `/api/auth/v1/userinfo` endpoint instead. Within the Backstage ecosystem this is
+  done automatically, as clients will still receive the full set of claims during
+  authentication, while plugin backends will need to use the `UserInfoService`
+  which already calls the user info endpoint if necessary.
+
+  When enabling this flag, it is important that any custom sign-in resolvers directly return the result of the sign-in method. For example, the following would not work:
+
+  ```ts
+  const { token } = await ctx.issueToken({
+    claims: { sub: entityRef, ent: [entityRef] },
+  });
+  return { token }; // WARNING: This will not work with the flag enabled
+  ```
+
+  Instead, the sign-in resolver should directly return the result:
+
+  ```ts
+  return ctx.issueToken({
+    claims: { sub: entityRef, ent: [entityRef] },
+  });
+  ```
+
+- 72d019d: Removed various typos
+- ab53e6f: Added support for the new `dangerousEntityRefFallback` option for `signInWithCatalogUser` in `AuthResolverContext`.
+- b128ed9: The `static` key store now issues tokens with the same structure as other key stores. Tokens now include the `typ` field in the header and the `uip` (user identity proof) in the payload.
+- Updated dependencies
+  - @backstage/catalog-model@1.7.4
+  - @backstage/plugin-catalog-node@1.17.0
+  - @backstage/plugin-auth-node@0.6.3
+  - @backstage/backend-plugin-api@1.3.1
+  - @backstage/config@1.3.2
+  - @backstage/errors@1.2.7
+  - @backstage/types@1.2.1
+
+## 0.25.0-next.2
+
+### Patch Changes
+
+- ab53e6f: Added support for the new `dangerousEntityRefFallback` option for `signInWithCatalogUser` in `AuthResolverContext`.
+- Updated dependencies
+  - @backstage/plugin-auth-node@0.6.3-next.2
+  - @backstage/backend-plugin-api@1.3.1-next.2
+  - @backstage/catalog-model@1.7.3
+  - @backstage/config@1.3.2
+  - @backstage/errors@1.2.7
+  - @backstage/types@1.2.1
+  - @backstage/plugin-catalog-node@1.17.0-next.2
+
 ## 0.25.0-next.1
 
 ### Patch Changes

package/dist/lib/resolvers/CatalogAuthResolverContext.cjs.js

@@ -89,17 +89,35 @@ class CatalogAuthResolverContext {
     }
     return { entity: result };
   }
-  async signInWithCatalogUser(query) {
-    const { entity } = await this.findCatalogUser(query);
-    const { ownershipEntityRefs } = await this.resolveOwnershipEntityRefs(
-      entity
-    );
-    return await this.tokenIssuer.issueToken({
-      claims: {
-        sub: catalogModel.stringifyEntityRef(entity),
-        ent: ownershipEntityRefs
+  async signInWithCatalogUser(query, options) {
+    try {
+      const { entity } = await this.findCatalogUser(query);
+      const { ownershipEntityRefs } = await this.resolveOwnershipEntityRefs(
+        entity
+      );
+      return await this.tokenIssuer.issueToken({
+        claims: {
+          sub: catalogModel.stringifyEntityRef(entity),
+          ent: ownershipEntityRefs
+        }
+      });
+    } catch (error) {
+      if (error?.name !== "NotFoundError" || !options?.dangerousEntityRefFallback) {
+        throw error;
       }
-    });
+      const userEntityRef = catalogModel.stringifyEntityRef(
+        catalogModel.parseEntityRef(options.dangerousEntityRefFallback.entityRef, {
+          defaultKind: "User",
+          defaultNamespace: catalogModel.DEFAULT_NAMESPACE
+        })
+      );
+      return await this.tokenIssuer.issueToken({
+        claims: {
+          sub: userEntityRef,
+          ent: [userEntityRef]
+        }
+      });
+    }
   }
   async resolveOwnershipEntityRefs(entity) {
     if (this.ownershipResolver) {

package/dist/lib/resolvers/CatalogAuthResolverContext.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"CatalogAuthResolverContext.cjs.js","sources":["../../../src/lib/resolvers/CatalogAuthResolverContext.ts"],"sourcesContent":["/*\n * Copyright 2022 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  DEFAULT_NAMESPACE,\n  Entity,\n  parseEntityRef,\n  RELATION_MEMBER_OF,\n  stringifyEntityRef,\n} from '@backstage/catalog-model';\nimport { ConflictError, InputError, NotFoundError } from '@backstage/errors';\nimport { AuthService, LoggerService } from '@backstage/backend-plugin-api';\nimport { CatalogService } from '@backstage/plugin-catalog-node';\nimport { TokenIssuer } from '../../identity/types';\nimport {\n  AuthOwnershipResolver,\n  AuthResolverCatalogUserQuery,\n  AuthResolverContext,\n  TokenParams,\n} from '@backstage/plugin-auth-node';\nimport { CatalogIdentityClient } from '../catalog/CatalogIdentityClient';\n\nfunction getDefaultOwnershipEntityRefs(entity: Entity) {\n  const membershipRefs =\n    entity.relations\n      ?.filter(\n        r => r.type === RELATION_MEMBER_OF && r.targetRef.startsWith('group:'),\n      )\n      .map(r => r.targetRef) ?? [];\n\n  return Array.from(new Set([stringifyEntityRef(entity), ...membershipRefs]));\n}\n\nexport class CatalogAuthResolverContext implements AuthResolverContext {\n  static create(options: {\n    logger: LoggerService;\n    catalog: CatalogService;\n    tokenIssuer: TokenIssuer;\n    auth: AuthService;\n    ownershipResolver?: AuthOwnershipResolver;\n  }): CatalogAuthResolverContext {\n    const catalogIdentityClient = new CatalogIdentityClient({\n      catalog: options.catalog,\n      auth: options.auth,\n    });\n\n    return new CatalogAuthResolverContext(\n      options.logger,\n      options.tokenIssuer,\n      catalogIdentityClient,\n      options.catalog,\n      options.auth,\n      options.ownershipResolver,\n    );\n  }\n\n  private constructor(\n    public readonly logger: LoggerService,\n    public readonly tokenIssuer: TokenIssuer,\n    public readonly catalogIdentityClient: CatalogIdentityClient,\n    private readonly catalog: CatalogService,\n    private readonly auth: AuthService,\n    private readonly ownershipResolver?: AuthOwnershipResolver,\n  ) {}\n\n  async issueToken(params: TokenParams) {\n    return await this.tokenIssuer.issueToken(params);\n  }\n\n  async findCatalogUser(query: AuthResolverCatalogUserQuery) {\n    let result: Entity[] | Entity | undefined = undefined;\n\n    if ('entityRef' in query) {\n      const entityRef = parseEntityRef(query.entityRef, {\n        defaultKind: 'User',\n        defaultNamespace: DEFAULT_NAMESPACE,\n      });\n      result = await this.catalog.getEntityByRef(entityRef, {\n        credentials: await this.auth.getOwnServiceCredentials(),\n      });\n    } else if ('annotations' in query) {\n      const filter: Record<string, string> = {\n        kind: 'user',\n      };\n      for (const [key, value] of Object.entries(query.annotations)) {\n        filter[`metadata.annotations.${key}`] = value;\n      }\n      const res = await this.catalog.getEntities(\n        { filter },\n        { credentials: await this.auth.getOwnServiceCredentials() },\n      );\n      result = res.items;\n    } else if ('filter' in query) {\n      const filter = [query.filter].flat().map(value => {\n        if (\n          !Object.keys(value).some(\n            key => key.toLocaleLowerCase('en-US') === 'kind',\n          )\n        ) {\n          return {\n            ...value,\n            kind: 'user',\n          };\n        }\n        return value;\n      });\n      const res = await this.catalog.getEntities(\n        { filter: filter },\n        { credentials: await this.auth.getOwnServiceCredentials() },\n      );\n      result = res.items;\n    } else {\n      throw new InputError('Invalid user lookup query');\n    }\n\n    if (Array.isArray(result)) {\n      if (result.length > 1) {\n        throw new ConflictError('User lookup resulted in multiple matches');\n      }\n      result = result[0];\n    }\n    if (!result) {\n      throw new NotFoundError('User not found');\n    }\n\n    return { entity: result };\n  }\n\n  async signInWithCatalogUser(query: AuthResolverCatalogUserQuery) {\n    const { entity } = await this.findCatalogUser(query);\n\n    const { ownershipEntityRefs } = await this.resolveOwnershipEntityRefs(\n      entity,\n    );\n\n    return await this.tokenIssuer.issueToken({\n      claims: {\n        sub: stringifyEntityRef(entity),\n        ent: ownershipEntityRefs,\n      },\n    });\n  }\n\n  async resolveOwnershipEntityRefs(\n    entity: Entity,\n  ): Promise<{ ownershipEntityRefs: string[] }> {\n    if (this.ownershipResolver) {\n      return this.ownershipResolver.resolveOwnershipEntityRefs(entity);\n    }\n    return { ownershipEntityRefs: getDefaultOwnershipEntityRefs(entity) };\n  }\n}\n"],"names":["RELATION_MEMBER_OF","stringifyEntityRef","CatalogIdentityClient","parseEntityRef","DEFAULT_NAMESPACE","InputError","ConflictError","NotFoundError"],"mappings":";;;;;;AAmCA,SAAS,8BAA8B,MAAgB,EAAA;AACrD,EAAM,MAAA,cAAA,GACJ,OAAO,SACH,EAAA,MAAA;AAAA,IACA,OAAK,CAAE,CAAA,IAAA,KAASA,mCAAsB,CAAE,CAAA,SAAA,CAAU,WAAW,QAAQ;AAAA,IAEtE,GAAI,CAAA,CAAA,CAAA,KAAK,CAAE,CAAA,SAAS,KAAK,EAAC;AAE/B,EAAO,OAAA,KAAA,CAAM,IAAK,iBAAA,IAAI,GAAI,CAAA,CAACC,+BAAmB,CAAA,MAAM,CAAG,EAAA,GAAG,cAAc,CAAC,CAAC,CAAA;AAC5E;AAEO,MAAM,0BAA0D,CAAA;AAAA,EAuB7D,YACU,MACA,EAAA,WAAA,EACA,qBACC,EAAA,OAAA,EACA,MACA,iBACjB,EAAA;AANgB,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,WAAA,GAAA,WAAA;AACA,IAAA,IAAA,CAAA,qBAAA,GAAA,qBAAA;AACC,IAAA,IAAA,CAAA,OAAA,GAAA,OAAA;AACA,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AACA,IAAA,IAAA,CAAA,iBAAA,GAAA,iBAAA;AAAA;AAChB,EA7BH,OAAO,OAAO,OAMiB,EAAA;AAC7B,IAAM,MAAA,qBAAA,GAAwB,IAAIC,2CAAsB,CAAA;AAAA,MACtD,SAAS,OAAQ,CAAA,OAAA;AAAA,MACjB,MAAM,OAAQ,CAAA;AAAA,KACf,CAAA;AAED,IAAA,OAAO,IAAI,0BAAA;AAAA,MACT,OAAQ,CAAA,MAAA;AAAA,MACR,OAAQ,CAAA,WAAA;AAAA,MACR,qBAAA;AAAA,MACA,OAAQ,CAAA,OAAA;AAAA,MACR,OAAQ,CAAA,IAAA;AAAA,MACR,OAAQ,CAAA;AAAA,KACV;AAAA;AACF,EAWA,MAAM,WAAW,MAAqB,EAAA;AACpC,IAAA,OAAO,MAAM,IAAA,CAAK,WAAY,CAAA,UAAA,CAAW,MAAM,CAAA;AAAA;AACjD,EAEA,MAAM,gBAAgB,KAAqC,EAAA;AACzD,IAAA,IAAI,MAAwC,GAAA,KAAA,CAAA;AAE5C,IAAA,IAAI,eAAe,KAAO,EAAA;AACxB,MAAM,MAAA,SAAA,GAAYC,2BAAe,CAAA,KAAA,CAAM,SAAW,EAAA;AAAA,QAChD,WAAa,EAAA,MAAA;AAAA,QACb,gBAAkB,EAAAC;AAAA,OACnB,CAAA;AACD,MAAA,MAAA,GAAS,MAAM,IAAA,CAAK,OAAQ,CAAA,cAAA,CAAe,SAAW,EAAA;AAAA,QACpD,WAAa,EAAA,MAAM,IAAK,CAAA,IAAA,CAAK,wBAAyB;AAAA,OACvD,CAAA;AAAA,KACH,MAAA,IAAW,iBAAiB,KAAO,EAAA;AACjC,MAAA,MAAM,MAAiC,GAAA;AAAA,QACrC,IAAM,EAAA;AAAA,OACR;AACA,MAAW,KAAA,MAAA,CAAC,KAAK,KAAK,CAAA,IAAK,OAAO,OAAQ,CAAA,KAAA,CAAM,WAAW,CAAG,EAAA;AAC5D,QAAO,MAAA,CAAA,CAAA,qBAAA,EAAwB,GAAG,CAAA,CAAE,CAAI,GAAA,KAAA;AAAA;AAE1C,MAAM,MAAA,GAAA,GAAM,MAAM,IAAA,CAAK,OAAQ,CAAA,WAAA;AAAA,QAC7B,EAAE,MAAO,EAAA;AAAA,QACT,EAAE,WAAa,EAAA,MAAM,IAAK,CAAA,IAAA,CAAK,0BAA2B;AAAA,OAC5D;AACA,MAAA,MAAA,GAAS,GAAI,CAAA,KAAA;AAAA,KACf,MAAA,IAAW,YAAY,KAAO,EAAA;AAC5B,MAAM,MAAA,MAAA,GAAS,CAAC,KAAM,CAAA,MAAM,EAAE,IAAK,EAAA,CAAE,IAAI,CAAS,KAAA,KAAA;AAChD,QAAA,IACE,CAAC,MAAA,CAAO,IAAK,CAAA,KAAK,CAAE,CAAA,IAAA;AAAA,UAClB,CAAO,GAAA,KAAA,GAAA,CAAI,iBAAkB,CAAA,OAAO,CAAM,KAAA;AAAA,SAE5C,EAAA;AACA,UAAO,OAAA;AAAA,YACL,GAAG,KAAA;AAAA,YACH,IAAM,EAAA;AAAA,WACR;AAAA;AAEF,QAAO,OAAA,KAAA;AAAA,OACR,CAAA;AACD,MAAM,MAAA,GAAA,GAAM,MAAM,IAAA,CAAK,OAAQ,CAAA,WAAA;AAAA,QAC7B,EAAE,MAAe,EAAA;AAAA,QACjB,EAAE,WAAa,EAAA,MAAM,IAAK,CAAA,IAAA,CAAK,0BAA2B;AAAA,OAC5D;AACA,MAAA,MAAA,GAAS,GAAI,CAAA,KAAA;AAAA,KACR,MAAA;AACL,MAAM,MAAA,IAAIC,kBAAW,2BAA2B,CAAA;AAAA;AAGlD,IAAI,IAAA,KAAA,CAAM,OAAQ,CAAA,MAAM,CAAG,EAAA;AACzB,MAAI,IAAA,MAAA,CAAO,SAAS,CAAG,EAAA;AACrB,QAAM,MAAA,IAAIC,qBAAc,0CAA0C,CAAA;AAAA;AAEpE,MAAA,MAAA,GAAS,OAAO,CAAC,CAAA;AAAA;AAEnB,IAAA,IAAI,CAAC,MAAQ,EAAA;AACX,MAAM,MAAA,IAAIC,qBAAc,gBAAgB,CAAA;AAAA;AAG1C,IAAO,OAAA,EAAE,QAAQ,MAAO,EAAA;AAAA;AAC1B,EAEA,MAAM,sBAAsB,KAAqC,EAAA;AAC/D,IAAA,MAAM,EAAE,MAAO,EAAA,GAAI,MAAM,IAAA,CAAK,gBAAgB,KAAK,CAAA;AAEnD,IAAA,MAAM,EAAE,mBAAA,EAAwB,GAAA,MAAM,IAAK,CAAA,0BAAA;AAAA,MACzC;AAAA,KACF;AAEA,IAAO,OAAA,MAAM,IAAK,CAAA,WAAA,CAAY,UAAW,CAAA;AAAA,MACvC,MAAQ,EAAA;AAAA,QACN,GAAA,EAAKN,gCAAmB,MAAM,CAAA;AAAA,QAC9B,GAAK,EAAA;AAAA;AACP,KACD,CAAA;AAAA;AACH,EAEA,MAAM,2BACJ,MAC4C,EAAA;AAC5C,IAAA,IAAI,KAAK,iBAAmB,EAAA;AAC1B,MAAO,OAAA,IAAA,CAAK,iBAAkB,CAAA,0BAAA,CAA2B,MAAM,CAAA;AAAA;AAEjE,IAAA,OAAO,EAAE,mBAAA,EAAqB,6BAA8B,CAAA,MAAM,CAAE,EAAA;AAAA;AAExE;;;;"}
+{"version":3,"file":"CatalogAuthResolverContext.cjs.js","sources":["../../../src/lib/resolvers/CatalogAuthResolverContext.ts"],"sourcesContent":["/*\n * Copyright 2022 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  DEFAULT_NAMESPACE,\n  Entity,\n  parseEntityRef,\n  RELATION_MEMBER_OF,\n  stringifyEntityRef,\n} from '@backstage/catalog-model';\nimport { ConflictError, InputError, NotFoundError } from '@backstage/errors';\nimport { AuthService, LoggerService } from '@backstage/backend-plugin-api';\nimport { CatalogService } from '@backstage/plugin-catalog-node';\nimport { TokenIssuer } from '../../identity/types';\nimport {\n  AuthOwnershipResolver,\n  AuthResolverCatalogUserQuery,\n  AuthResolverContext,\n  TokenParams,\n} from '@backstage/plugin-auth-node';\nimport { CatalogIdentityClient } from '../catalog/CatalogIdentityClient';\n\nfunction getDefaultOwnershipEntityRefs(entity: Entity) {\n  const membershipRefs =\n    entity.relations\n      ?.filter(\n        r => r.type === RELATION_MEMBER_OF && r.targetRef.startsWith('group:'),\n      )\n      .map(r => r.targetRef) ?? [];\n\n  return Array.from(new Set([stringifyEntityRef(entity), ...membershipRefs]));\n}\n\nexport class CatalogAuthResolverContext implements AuthResolverContext {\n  static create(options: {\n    logger: LoggerService;\n    catalog: CatalogService;\n    tokenIssuer: TokenIssuer;\n    auth: AuthService;\n    ownershipResolver?: AuthOwnershipResolver;\n  }): CatalogAuthResolverContext {\n    const catalogIdentityClient = new CatalogIdentityClient({\n      catalog: options.catalog,\n      auth: options.auth,\n    });\n\n    return new CatalogAuthResolverContext(\n      options.logger,\n      options.tokenIssuer,\n      catalogIdentityClient,\n      options.catalog,\n      options.auth,\n      options.ownershipResolver,\n    );\n  }\n\n  private constructor(\n    public readonly logger: LoggerService,\n    public readonly tokenIssuer: TokenIssuer,\n    public readonly catalogIdentityClient: CatalogIdentityClient,\n    private readonly catalog: CatalogService,\n    private readonly auth: AuthService,\n    private readonly ownershipResolver?: AuthOwnershipResolver,\n  ) {}\n\n  async issueToken(params: TokenParams) {\n    return await this.tokenIssuer.issueToken(params);\n  }\n\n  async findCatalogUser(query: AuthResolverCatalogUserQuery) {\n    let result: Entity[] | Entity | undefined = undefined;\n\n    if ('entityRef' in query) {\n      const entityRef = parseEntityRef(query.entityRef, {\n        defaultKind: 'User',\n        defaultNamespace: DEFAULT_NAMESPACE,\n      });\n      result = await this.catalog.getEntityByRef(entityRef, {\n        credentials: await this.auth.getOwnServiceCredentials(),\n      });\n    } else if ('annotations' in query) {\n      const filter: Record<string, string> = {\n        kind: 'user',\n      };\n      for (const [key, value] of Object.entries(query.annotations)) {\n        filter[`metadata.annotations.${key}`] = value;\n      }\n      const res = await this.catalog.getEntities(\n        { filter },\n        { credentials: await this.auth.getOwnServiceCredentials() },\n      );\n      result = res.items;\n    } else if ('filter' in query) {\n      const filter = [query.filter].flat().map(value => {\n        if (\n          !Object.keys(value).some(\n            key => key.toLocaleLowerCase('en-US') === 'kind',\n          )\n        ) {\n          return {\n            ...value,\n            kind: 'user',\n          };\n        }\n        return value;\n      });\n      const res = await this.catalog.getEntities(\n        { filter: filter },\n        { credentials: await this.auth.getOwnServiceCredentials() },\n      );\n      result = res.items;\n    } else {\n      throw new InputError('Invalid user lookup query');\n    }\n\n    if (Array.isArray(result)) {\n      if (result.length > 1) {\n        throw new ConflictError('User lookup resulted in multiple matches');\n      }\n      result = result[0];\n    }\n    if (!result) {\n      throw new NotFoundError('User not found');\n    }\n\n    return { entity: result };\n  }\n\n  async signInWithCatalogUser(\n    query: AuthResolverCatalogUserQuery,\n    options?: {\n      dangerousEntityRefFallback?: {\n        entityRef:\n          | string\n          | {\n              kind?: string;\n              namespace?: string;\n              name: string;\n            };\n      };\n    },\n  ) {\n    try {\n      const { entity } = await this.findCatalogUser(query);\n\n      const { ownershipEntityRefs } = await this.resolveOwnershipEntityRefs(\n        entity,\n      );\n\n      return await this.tokenIssuer.issueToken({\n        claims: {\n          sub: stringifyEntityRef(entity),\n          ent: ownershipEntityRefs,\n        },\n      });\n    } catch (error) {\n      if (\n        error?.name !== 'NotFoundError' ||\n        !options?.dangerousEntityRefFallback\n      ) {\n        throw error;\n      }\n      const userEntityRef = stringifyEntityRef(\n        parseEntityRef(options.dangerousEntityRefFallback.entityRef, {\n          defaultKind: 'User',\n          defaultNamespace: DEFAULT_NAMESPACE,\n        }),\n      );\n\n      return await this.tokenIssuer.issueToken({\n        claims: {\n          sub: userEntityRef,\n          ent: [userEntityRef],\n        },\n      });\n    }\n  }\n\n  async resolveOwnershipEntityRefs(\n    entity: Entity,\n  ): Promise<{ ownershipEntityRefs: string[] }> {\n    if (this.ownershipResolver) {\n      return this.ownershipResolver.resolveOwnershipEntityRefs(entity);\n    }\n    return { ownershipEntityRefs: getDefaultOwnershipEntityRefs(entity) };\n  }\n}\n"],"names":["RELATION_MEMBER_OF","stringifyEntityRef","CatalogIdentityClient","parseEntityRef","DEFAULT_NAMESPACE","InputError","ConflictError","NotFoundError"],"mappings":";;;;;;AAmCA,SAAS,8BAA8B,MAAgB,EAAA;AACrD,EAAM,MAAA,cAAA,GACJ,OAAO,SACH,EAAA,MAAA;AAAA,IACA,OAAK,CAAE,CAAA,IAAA,KAASA,mCAAsB,CAAE,CAAA,SAAA,CAAU,WAAW,QAAQ;AAAA,IAEtE,GAAI,CAAA,CAAA,CAAA,KAAK,CAAE,CAAA,SAAS,KAAK,EAAC;AAE/B,EAAO,OAAA,KAAA,CAAM,IAAK,iBAAA,IAAI,GAAI,CAAA,CAACC,+BAAmB,CAAA,MAAM,CAAG,EAAA,GAAG,cAAc,CAAC,CAAC,CAAA;AAC5E;AAEO,MAAM,0BAA0D,CAAA;AAAA,EAuB7D,YACU,MACA,EAAA,WAAA,EACA,qBACC,EAAA,OAAA,EACA,MACA,iBACjB,EAAA;AANgB,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,WAAA,GAAA,WAAA;AACA,IAAA,IAAA,CAAA,qBAAA,GAAA,qBAAA;AACC,IAAA,IAAA,CAAA,OAAA,GAAA,OAAA;AACA,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AACA,IAAA,IAAA,CAAA,iBAAA,GAAA,iBAAA;AAAA;AAChB,EA7BH,OAAO,OAAO,OAMiB,EAAA;AAC7B,IAAM,MAAA,qBAAA,GAAwB,IAAIC,2CAAsB,CAAA;AAAA,MACtD,SAAS,OAAQ,CAAA,OAAA;AAAA,MACjB,MAAM,OAAQ,CAAA;AAAA,KACf,CAAA;AAED,IAAA,OAAO,IAAI,0BAAA;AAAA,MACT,OAAQ,CAAA,MAAA;AAAA,MACR,OAAQ,CAAA,WAAA;AAAA,MACR,qBAAA;AAAA,MACA,OAAQ,CAAA,OAAA;AAAA,MACR,OAAQ,CAAA,IAAA;AAAA,MACR,OAAQ,CAAA;AAAA,KACV;AAAA;AACF,EAWA,MAAM,WAAW,MAAqB,EAAA;AACpC,IAAA,OAAO,MAAM,IAAA,CAAK,WAAY,CAAA,UAAA,CAAW,MAAM,CAAA;AAAA;AACjD,EAEA,MAAM,gBAAgB,KAAqC,EAAA;AACzD,IAAA,IAAI,MAAwC,GAAA,KAAA,CAAA;AAE5C,IAAA,IAAI,eAAe,KAAO,EAAA;AACxB,MAAM,MAAA,SAAA,GAAYC,2BAAe,CAAA,KAAA,CAAM,SAAW,EAAA;AAAA,QAChD,WAAa,EAAA,MAAA;AAAA,QACb,gBAAkB,EAAAC;AAAA,OACnB,CAAA;AACD,MAAA,MAAA,GAAS,MAAM,IAAA,CAAK,OAAQ,CAAA,cAAA,CAAe,SAAW,EAAA;AAAA,QACpD,WAAa,EAAA,MAAM,IAAK,CAAA,IAAA,CAAK,wBAAyB;AAAA,OACvD,CAAA;AAAA,KACH,MAAA,IAAW,iBAAiB,KAAO,EAAA;AACjC,MAAA,MAAM,MAAiC,GAAA;AAAA,QACrC,IAAM,EAAA;AAAA,OACR;AACA,MAAW,KAAA,MAAA,CAAC,KAAK,KAAK,CAAA,IAAK,OAAO,OAAQ,CAAA,KAAA,CAAM,WAAW,CAAG,EAAA;AAC5D,QAAO,MAAA,CAAA,CAAA,qBAAA,EAAwB,GAAG,CAAA,CAAE,CAAI,GAAA,KAAA;AAAA;AAE1C,MAAM,MAAA,GAAA,GAAM,MAAM,IAAA,CAAK,OAAQ,CAAA,WAAA;AAAA,QAC7B,EAAE,MAAO,EAAA;AAAA,QACT,EAAE,WAAa,EAAA,MAAM,IAAK,CAAA,IAAA,CAAK,0BAA2B;AAAA,OAC5D;AACA,MAAA,MAAA,GAAS,GAAI,CAAA,KAAA;AAAA,KACf,MAAA,IAAW,YAAY,KAAO,EAAA;AAC5B,MAAM,MAAA,MAAA,GAAS,CAAC,KAAM,CAAA,MAAM,EAAE,IAAK,EAAA,CAAE,IAAI,CAAS,KAAA,KAAA;AAChD,QAAA,IACE,CAAC,MAAA,CAAO,IAAK,CAAA,KAAK,CAAE,CAAA,IAAA;AAAA,UAClB,CAAO,GAAA,KAAA,GAAA,CAAI,iBAAkB,CAAA,OAAO,CAAM,KAAA;AAAA,SAE5C,EAAA;AACA,UAAO,OAAA;AAAA,YACL,GAAG,KAAA;AAAA,YACH,IAAM,EAAA;AAAA,WACR;AAAA;AAEF,QAAO,OAAA,KAAA;AAAA,OACR,CAAA;AACD,MAAM,MAAA,GAAA,GAAM,MAAM,IAAA,CAAK,OAAQ,CAAA,WAAA;AAAA,QAC7B,EAAE,MAAe,EAAA;AAAA,QACjB,EAAE,WAAa,EAAA,MAAM,IAAK,CAAA,IAAA,CAAK,0BAA2B;AAAA,OAC5D;AACA,MAAA,MAAA,GAAS,GAAI,CAAA,KAAA;AAAA,KACR,MAAA;AACL,MAAM,MAAA,IAAIC,kBAAW,2BAA2B,CAAA;AAAA;AAGlD,IAAI,IAAA,KAAA,CAAM,OAAQ,CAAA,MAAM,CAAG,EAAA;AACzB,MAAI,IAAA,MAAA,CAAO,SAAS,CAAG,EAAA;AACrB,QAAM,MAAA,IAAIC,qBAAc,0CAA0C,CAAA;AAAA;AAEpE,MAAA,MAAA,GAAS,OAAO,CAAC,CAAA;AAAA;AAEnB,IAAA,IAAI,CAAC,MAAQ,EAAA;AACX,MAAM,MAAA,IAAIC,qBAAc,gBAAgB,CAAA;AAAA;AAG1C,IAAO,OAAA,EAAE,QAAQ,MAAO,EAAA;AAAA;AAC1B,EAEA,MAAM,qBACJ,CAAA,KAAA,EACA,OAWA,EAAA;AACA,IAAI,IAAA;AACF,MAAA,MAAM,EAAE,MAAO,EAAA,GAAI,MAAM,IAAA,CAAK,gBAAgB,KAAK,CAAA;AAEnD,MAAA,MAAM,EAAE,mBAAA,EAAwB,GAAA,MAAM,IAAK,CAAA,0BAAA;AAAA,QACzC;AAAA,OACF;AAEA,MAAO,OAAA,MAAM,IAAK,CAAA,WAAA,CAAY,UAAW,CAAA;AAAA,QACvC,MAAQ,EAAA;AAAA,UACN,GAAA,EAAKN,gCAAmB,MAAM,CAAA;AAAA,UAC9B,GAAK,EAAA;AAAA;AACP,OACD,CAAA;AAAA,aACM,KAAO,EAAA;AACd,MAAA,IACE,KAAO,EAAA,IAAA,KAAS,eAChB,IAAA,CAAC,SAAS,0BACV,EAAA;AACA,QAAM,MAAA,KAAA;AAAA;AAER,MAAA,MAAM,aAAgB,GAAAA,+BAAA;AAAA,QACpBE,2BAAA,CAAe,OAAQ,CAAA,0BAAA,CAA2B,SAAW,EAAA;AAAA,UAC3D,WAAa,EAAA,MAAA;AAAA,UACb,gBAAkB,EAAAC;AAAA,SACnB;AAAA,OACH;AAEA,MAAO,OAAA,MAAM,IAAK,CAAA,WAAA,CAAY,UAAW,CAAA;AAAA,QACvC,MAAQ,EAAA;AAAA,UACN,GAAK,EAAA,aAAA;AAAA,UACL,GAAA,EAAK,CAAC,aAAa;AAAA;AACrB,OACD,CAAA;AAAA;AACH;AACF,EAEA,MAAM,2BACJ,MAC4C,EAAA;AAC5C,IAAA,IAAI,KAAK,iBAAmB,EAAA;AAC1B,MAAO,OAAA,IAAA,CAAK,iBAAkB,CAAA,0BAAA,CAA2B,MAAM,CAAA;AAAA;AAEjE,IAAA,OAAO,EAAE,mBAAA,EAAqB,6BAA8B,CAAA,MAAM,CAAE,EAAA;AAAA;AAExE;;;;"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@backstage/plugin-auth-backend",
-  "version": "0.25.0-next.1",
+  "version": "0.25.0",
   "description": "A Backstage backend plugin that handles authentication",
   "backstage": {
     "role": "backend-plugin",
@@ -46,13 +46,13 @@
     "test": "backstage-cli package test"
   },
   "dependencies": {
-    "@backstage/backend-plugin-api": "1.3.1-next.1",
-    "@backstage/catalog-model": "1.7.3",
-    "@backstage/config": "1.3.2",
-    "@backstage/errors": "1.2.7",
-    "@backstage/plugin-auth-node": "0.6.3-next.1",
-    "@backstage/plugin-catalog-node": "1.17.0-next.1",
-    "@backstage/types": "1.2.1",
+    "@backstage/backend-plugin-api": "^1.3.1",
+    "@backstage/catalog-model": "^1.7.4",
+    "@backstage/config": "^1.3.2",
+    "@backstage/errors": "^1.2.7",
+    "@backstage/plugin-auth-node": "^0.6.3",
+    "@backstage/plugin-catalog-node": "^1.17.0",
+    "@backstage/types": "^1.2.1",
     "@google-cloud/firestore": "^7.0.0",
     "connect-session-knex": "^4.0.0",
     "cookie-parser": "^1.4.5",
@@ -68,11 +68,11 @@
     "uuid": "^11.0.0"
   },
   "devDependencies": {
-    "@backstage/backend-defaults": "0.10.0-next.1",
-    "@backstage/backend-test-utils": "1.5.0-next.1",
-    "@backstage/cli": "0.32.1-next.1",
-    "@backstage/plugin-auth-backend-module-google-provider": "0.3.3-next.1",
-    "@backstage/plugin-auth-backend-module-guest-provider": "0.2.8-next.1",
+    "@backstage/backend-defaults": "^0.10.0",
+    "@backstage/backend-test-utils": "^1.5.0",
+    "@backstage/cli": "^0.32.1",
+    "@backstage/plugin-auth-backend-module-google-provider": "^0.3.3",
+    "@backstage/plugin-auth-backend-module-guest-provider": "^0.2.8",
     "@types/cookie-parser": "^1.4.2",
     "@types/express": "^4.17.6",
     "@types/express-session": "^1.17.2",