npm - @backstage/plugin-auth-backend - Versions diffs - 0.25.2 → 0.25.3 - Mend

@backstage/plugin-auth-backend 0.25.2 → 0.25.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/CHANGELOG.md +22 -0
package/dist/authPlugin.cjs.js.map +1 -1
package/dist/database/AuthDatabase.cjs.js.map +1 -1
package/dist/database/UserInfoDatabase.cjs.js.map +1 -1
package/dist/identity/DatabaseKeyStore.cjs.js.map +1 -1
package/dist/identity/FirestoreKeyStore.cjs.js.map +1 -1
package/dist/identity/KeyStores.cjs.js.map +1 -1
package/dist/identity/MemoryKeyStore.cjs.js.map +1 -1
package/dist/identity/StaticKeyStore.cjs.js.map +1 -1
package/dist/identity/StaticTokenIssuer.cjs.js.map +1 -1
package/dist/identity/TokenFactory.cjs.js.map +1 -1
package/dist/identity/issueUserToken.cjs.js.map +1 -1
package/dist/lib/catalog/CatalogIdentityClient.cjs.js.map +1 -1
package/dist/lib/resolvers/CatalogAuthResolverContext.cjs.js.map +1 -1
package/dist/providers/router.cjs.js.map +1 -1
package/dist/service/OidcRouter.cjs.js.map +1 -1
package/dist/service/OidcService.cjs.js.map +1 -1
package/dist/service/readBackstageTokenExpiration.cjs.js.map +1 -1
package/dist/service/router.cjs.js.map +1 -1
package/package.json +9 -9

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,27 @@
 # @backstage/plugin-auth-backend
+## 0.25.3
+### Patch Changes
+- Updated dependencies
+  - @backstage/plugin-catalog-node@1.18.0
+  - @backstage/plugin-auth-node@0.6.6
+  - @backstage/backend-plugin-api@1.4.2
+## 0.25.3-next.0
+### Patch Changes
+- Updated dependencies
+  - @backstage/plugin-catalog-node@1.18.0-next.0
+  - @backstage/plugin-auth-node@0.6.6-next.0
+  - @backstage/backend-plugin-api@1.4.2-next.0
+  - @backstage/catalog-model@1.7.5
+  - @backstage/config@1.3.3
+  - @backstage/errors@1.2.7
+  - @backstage/types@1.2.1
 ## 0.25.2
 ### Patch Changes

package/dist/authPlugin.cjs.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"authPlugin.cjs.js","sources":["../src/authPlugin.ts"],"sourcesContent":["/\n Copyright 2023 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport {\n coreServices,\n createBackendPlugin,\n} from '@backstage/backend-plugin-api';\nimport {\n authOwnershipResolutionExtensionPoint,\n AuthOwnershipResolver,\n AuthProviderFactory,\n authProvidersExtensionPoint,\n} from '@backstage/plugin-auth-node';\nimport { catalogServiceRef } from '@backstage/plugin-catalog-node';\nimport { createRouter } from './service/router';\n\n/\n Auth plugin\n \n @public\n */\nexport const authPlugin = createBackendPlugin({\n pluginId: 'auth',\n register(reg) {\n const providers = new Map<string, AuthProviderFactory>();\n let ownershipResolver: AuthOwnershipResolver \| undefined = undefined;\n\n reg.registerExtensionPoint(authProvidersExtensionPoint, {\n registerProvider({ providerId, factory }) {\n if (providers.has(providerId)) {\n throw new Error(\n `Auth provider '${providerId}' was already registered`,\n );\n }\n providers.set(providerId, factory);\n },\n });\n\n reg.registerExtensionPoint(authOwnershipResolutionExtensionPoint, {\n setAuthOwnershipResolver(resolver) {\n if (ownershipResolver) {\n throw new Error('Auth ownership resolver is already set');\n }\n ownershipResolver = resolver;\n },\n });\n\n reg.registerInit({\n deps: {\n httpRouter: coreServices.httpRouter,\n logger: coreServices.logger,\n config: coreServices.rootConfig,\n database: coreServices.database,\n discovery: coreServices.discovery,\n auth: coreServices.auth,\n catalog: catalogServiceRef,\n },\n async init({\n httpRouter,\n logger,\n config,\n database,\n discovery,\n auth,\n catalog,\n }) {\n const router = await createRouter({\n logger,\n config,\n database,\n discovery,\n auth,\n catalog,\n providerFactories: Object.fromEntries(providers),\n ownershipResolver,\n });\n httpRouter.addAuthPolicy({\n path: '/',\n allow: 'unauthenticated',\n });\n httpRouter.use(router);\n },\n });\n },\n});\n"],"names":["createBackendPlugin","authProvidersExtensionPoint","authOwnershipResolutionExtensionPoint","coreServices","catalogServiceRef","router","createRouter"],"mappings":";;;;;;;AAkCO,MAAM,aAAaA,~~oCAAoB~~,~~CAAA~~;AAAA,EAC5C,~~QAAU~~,~~EAAA~~,MAAA;AAAA,EACV,SAAS,~~GAAK~~,~~EAAA~~;AACZ,~~IAAM~~,~~MAAA~~,SAAA,uBAAgB,~~GAAiC~~,~~EAAA~~;AACvD,IAAA,IAAI,~~iBAAuD~~,~~GAAA~~,~~KAAA,CAAA~~;AAE3D,IAAA,GAAA,CAAI,uBAAuBC,~~0CAA6B~~,~~EAAA~~;AAAA,MACtD,~~gBAAiB~~,~~CAAA~~,EAAE,~~UAAY~~,~~EAAA~~,OAAA,~~EAAW~~,~~EAAA~~;AACxC,~~QAAI~~,~~IAAA~~,SAAA,CAAU,~~GAAI~~,~~CAAA~~,UAAU,~~CAAG~~,~~EAAA~~;AAC7B,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,kBAAkB,UAAU,CAAA,wBAAA;AAAA,WAC9B;AAAA;~~AAEF~~,~~QAAU~~,SAAA,~~CAAA~~,GAAA,CAAI,YAAY,OAAO,CAAA;AAAA;~~AACnC~~,KACD,CAAA;AAED,IAAA,GAAA,CAAI,uBAAuBC,~~oDAAuC~~,~~EAAA~~;AAAA,MAChE,yBAAyB,~~QAAU~~,~~EAAA~~;AACjC,QAAA,IAAI,~~iBAAmB~~,~~EAAA~~;AACrB,~~UAAM~~,~~MAAA~~,IAAI,MAAM,wCAAwC,CAAA;AAAA;~~AAE1D~~,~~QAAoB~~,iBAAA,~~GAAA~~,QAAA;AAAA;~~AACtB~~,KACD,CAAA;AAED,IAAA,GAAA,CAAI,~~YAAa~~,~~CAAA~~;AAAA,MACf,~~IAAM~~,~~EAAA~~;AAAA,QACJ,YAAYC,~~6BAAa~~,~~CAAA~~,UAAA;AAAA,QACzB,QAAQA,~~6BAAa~~,~~CAAA~~,MAAA;AAAA,QACrB,QAAQA,~~6BAAa~~,~~CAAA~~,UAAA;AAAA,QACrB,UAAUA,~~6BAAa~~,~~CAAA~~,QAAA;AAAA,QACvB,WAAWA,~~6BAAa~~,~~CAAA~~,SAAA;AAAA,QACxB,MAAMA,~~6BAAa~~,~~CAAA~~,IAAA;AAAA,QACnB,~~OAAS~~,~~EAAAC~~;AAAA,OACX;AAAA,MACA,MAAM,~~IAAK~~,~~CAAA~~;AAAA,QACT,UAAA;AAAA,QACA,MAAA;AAAA,QACA,MAAA;AAAA,QACA,QAAA;AAAA,QACA,SAAA;AAAA,QACA,IAAA;AAAA,QACA;AAAA,~~OACC~~,~~EAAA~~;AACD,~~QAAM~~,~~MAAAC~~,QAAA,GAAS,MAAMC,~~mBAAa~~,~~CAAA~~;AAAA,UAChC,MAAA;AAAA,UACA,MAAA;AAAA,UACA,QAAA;AAAA,UACA,SAAA;AAAA,UACA,IAAA;AAAA,UACA,OAAA;AAAA,UACA,iBAAA,EAAmB,~~MAAO~~,~~CAAA~~,WAAA,CAAY,SAAS,CAAA;AAAA,UAC/C;AAAA,SACD,CAAA;AACD,QAAA,UAAA,CAAW,~~aAAc~~,~~CAAA~~;AAAA,UACvB,~~IAAM~~,~~EAAA~~,GAAA;AAAA,UACN,~~KAAO~~,~~EAAA~~;AAAA,SACR,CAAA;AACD,QAAA,UAAA,CAAW,IAAID,QAAM,CAAA;AAAA;~~AACvB~~,KACD,CAAA;AAAA;~~AAEL~~,CAAC;;;;"}
1	+ {"version":3,"file":"authPlugin.cjs.js","sources":["../src/authPlugin.ts"],"sourcesContent":["/\n Copyright 2023 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport {\n coreServices,\n createBackendPlugin,\n} from '@backstage/backend-plugin-api';\nimport {\n authOwnershipResolutionExtensionPoint,\n AuthOwnershipResolver,\n AuthProviderFactory,\n authProvidersExtensionPoint,\n} from '@backstage/plugin-auth-node';\nimport { catalogServiceRef } from '@backstage/plugin-catalog-node';\nimport { createRouter } from './service/router';\n\n/\n Auth plugin\n \n @public\n */\nexport const authPlugin = createBackendPlugin({\n pluginId: 'auth',\n register(reg) {\n const providers = new Map<string, AuthProviderFactory>();\n let ownershipResolver: AuthOwnershipResolver \| undefined = undefined;\n\n reg.registerExtensionPoint(authProvidersExtensionPoint, {\n registerProvider({ providerId, factory }) {\n if (providers.has(providerId)) {\n throw new Error(\n `Auth provider '${providerId}' was already registered`,\n );\n }\n providers.set(providerId, factory);\n },\n });\n\n reg.registerExtensionPoint(authOwnershipResolutionExtensionPoint, {\n setAuthOwnershipResolver(resolver) {\n if (ownershipResolver) {\n throw new Error('Auth ownership resolver is already set');\n }\n ownershipResolver = resolver;\n },\n });\n\n reg.registerInit({\n deps: {\n httpRouter: coreServices.httpRouter,\n logger: coreServices.logger,\n config: coreServices.rootConfig,\n database: coreServices.database,\n discovery: coreServices.discovery,\n auth: coreServices.auth,\n catalog: catalogServiceRef,\n },\n async init({\n httpRouter,\n logger,\n config,\n database,\n discovery,\n auth,\n catalog,\n }) {\n const router = await createRouter({\n logger,\n config,\n database,\n discovery,\n auth,\n catalog,\n providerFactories: Object.fromEntries(providers),\n ownershipResolver,\n });\n httpRouter.addAuthPolicy({\n path: '/',\n allow: 'unauthenticated',\n });\n httpRouter.use(router);\n },\n });\n },\n});\n"],"names":["createBackendPlugin","authProvidersExtensionPoint","authOwnershipResolutionExtensionPoint","coreServices","catalogServiceRef","router","createRouter"],"mappings":";;;;;;;AAkCO,MAAM,aAAaA,oCAAA,CAAoB;AAAA,EAC5C,QAAA,EAAU,MAAA;AAAA,EACV,SAAS,GAAA,EAAK;AACZ,IAAA,MAAM,SAAA,uBAAgB,GAAA,EAAiC;AACvD,IAAA,IAAI,iBAAA,GAAuD,MAAA;AAE3D,IAAA,GAAA,CAAI,uBAAuBC,0CAAA,EAA6B;AAAA,MACtD,gBAAA,CAAiB,EAAE,UAAA,EAAY,OAAA,EAAQ,EAAG;AACxC,QAAA,IAAI,SAAA,CAAU,GAAA,CAAI,UAAU,CAAA,EAAG;AAC7B,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,kBAAkB,UAAU,CAAA,wBAAA;AAAA,WAC9B;AAAA,QACF;AACA,QAAA,SAAA,CAAU,GAAA,CAAI,YAAY,OAAO,CAAA;AAAA,MACnC;AAAA,KACD,CAAA;AAED,IAAA,GAAA,CAAI,uBAAuBC,oDAAA,EAAuC;AAAA,MAChE,yBAAyB,QAAA,EAAU;AACjC,QAAA,IAAI,iBAAA,EAAmB;AACrB,UAAA,MAAM,IAAI,MAAM,wCAAwC,CAAA;AAAA,QAC1D;AACA,QAAA,iBAAA,GAAoB,QAAA;AAAA,MACtB;AAAA,KACD,CAAA;AAED,IAAA,GAAA,CAAI,YAAA,CAAa;AAAA,MACf,IAAA,EAAM;AAAA,QACJ,YAAYC,6BAAA,CAAa,UAAA;AAAA,QACzB,QAAQA,6BAAA,CAAa,MAAA;AAAA,QACrB,QAAQA,6BAAA,CAAa,UAAA;AAAA,QACrB,UAAUA,6BAAA,CAAa,QAAA;AAAA,QACvB,WAAWA,6BAAA,CAAa,SAAA;AAAA,QACxB,MAAMA,6BAAA,CAAa,IAAA;AAAA,QACnB,OAAA,EAASC;AAAA,OACX;AAAA,MACA,MAAM,IAAA,CAAK;AAAA,QACT,UAAA;AAAA,QACA,MAAA;AAAA,QACA,MAAA;AAAA,QACA,QAAA;AAAA,QACA,SAAA;AAAA,QACA,IAAA;AAAA,QACA;AAAA,OACF,EAAG;AACD,QAAA,MAAMC,QAAA,GAAS,MAAMC,mBAAA,CAAa;AAAA,UAChC,MAAA;AAAA,UACA,MAAA;AAAA,UACA,QAAA;AAAA,UACA,SAAA;AAAA,UACA,IAAA;AAAA,UACA,OAAA;AAAA,UACA,iBAAA,EAAmB,MAAA,CAAO,WAAA,CAAY,SAAS,CAAA;AAAA,UAC/C;AAAA,SACD,CAAA;AACD,QAAA,UAAA,CAAW,aAAA,CAAc;AAAA,UACvB,IAAA,EAAM,GAAA;AAAA,UACN,KAAA,EAAO;AAAA,SACR,CAAA;AACD,QAAA,UAAA,CAAW,IAAID,QAAM,CAAA;AAAA,MACvB;AAAA,KACD,CAAA;AAAA,EACH;AACF,CAAC;;;;"}

package/dist/database/AuthDatabase.cjs.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"AuthDatabase.cjs.js","sources":["../../src/database/AuthDatabase.ts"],"sourcesContent":["/\n Copyright 2023 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport {\n DatabaseService,\n resolvePackagePath,\n} from '@backstage/backend-plugin-api';\nimport { Knex } from 'knex';\n\nconst migrationsDir = resolvePackagePath(\n '@backstage/plugin-auth-backend',\n 'migrations',\n);\n\n/\n Ensures that a database connection is established exactly once and only when\n * asked for, and runs migrations.\n */\nexport class AuthDatabase {\n readonly #database: DatabaseService;\n #promise: Promise<Knex> \| undefined;\n\n static create(database: DatabaseService): AuthDatabase {\n return new AuthDatabase(database);\n }\n\n static async runMigrations(knex: Knex): Promise<void> {\n await knex.migrate.latest({\n directory: migrationsDir,\n });\n }\n\n private constructor(database: DatabaseService) {\n this.#database = database;\n }\n\n get(): Promise<Knex> {\n this.#promise ??= this.#database.getClient().then(async client => {\n if (!this.#database.migrations?.skip) {\n await AuthDatabase.runMigrations(client);\n }\n return client;\n });\n\n return this.#promise;\n }\n}\n"],"names":["resolvePackagePath"],"mappings":";;;;AAsBA,MAAM,~~aAAgB~~,~~GAAAA~~,mCAAA;AAAA,EACpB,gCAAA;AAAA,EACA;AACF,CAAA;AAMO,MAAM,~~YAAa~~,~~CAAA~~;AAAA,EACf,SAAA;AAAA,EACT,QAAA;AAAA,EAEA,OAAO,OAAO,~~QAAyC~~,~~EAAA~~;AACrD,~~IAAO~~,~~OAAA~~,IAAI,aAAa,QAAQ,CAAA;AAAA;~~AAClC~~,EAEA,aAAa,cAAc,~~IAA2B~~,~~EAAA~~;AACpD,~~IAAM~~,~~MAAA~~,IAAA,CAAK,QAAQ,~~MAAO~~,~~CAAA~~;AAAA,MACxB,~~SAAW~~,~~EAAA~~;AAAA,KACZ,CAAA;AAAA;~~AACH~~,EAEQ,YAAY,~~QAA2B~~,~~EAAA~~;AAC7C,IAAA,IAAA,CAAK,~~SAAY~~,~~GAAA~~,QAAA;AAAA;~~AACnB~~,EAEA,GAAqB~~,GAAA~~;AACnB,IAAA,IAAA,CAAK,aAAa,~~IAAK~~,~~CAAA~~,SAAA,CAAU,~~WAAY~~,~~CAAA~~,IAAA,CAAK,OAAM,~~MAAU~~,~~KAAA~~;AAChE,MAAA,IAAI,CAAC,IAAA,CAAK,~~SAAU~~,~~CAAA~~,UAAA,EAAY,~~IAAM~~,~~EAAA~~;AACpC,~~QAAM~~,~~MAAA~~,YAAA,CAAa,cAAc,MAAM,CAAA;AAAA;~~AAEzC~~,~~MAAO~~,~~OAAA~~,MAAA;AAAA,~~KACR~~,CAAA;AAED,IAAA,OAAO,~~IAAK~~,~~CAAA~~,QAAA;AAAA;~~AAEhB~~;;;;"}
1	+ {"version":3,"file":"AuthDatabase.cjs.js","sources":["../../src/database/AuthDatabase.ts"],"sourcesContent":["/\n Copyright 2023 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport {\n DatabaseService,\n resolvePackagePath,\n} from '@backstage/backend-plugin-api';\nimport { Knex } from 'knex';\n\nconst migrationsDir = resolvePackagePath(\n '@backstage/plugin-auth-backend',\n 'migrations',\n);\n\n/\n Ensures that a database connection is established exactly once and only when\n * asked for, and runs migrations.\n */\nexport class AuthDatabase {\n readonly #database: DatabaseService;\n #promise: Promise<Knex> \| undefined;\n\n static create(database: DatabaseService): AuthDatabase {\n return new AuthDatabase(database);\n }\n\n static async runMigrations(knex: Knex): Promise<void> {\n await knex.migrate.latest({\n directory: migrationsDir,\n });\n }\n\n private constructor(database: DatabaseService) {\n this.#database = database;\n }\n\n get(): Promise<Knex> {\n this.#promise ??= this.#database.getClient().then(async client => {\n if (!this.#database.migrations?.skip) {\n await AuthDatabase.runMigrations(client);\n }\n return client;\n });\n\n return this.#promise;\n }\n}\n"],"names":["resolvePackagePath"],"mappings":";;;;AAsBA,MAAM,aAAA,GAAgBA,mCAAA;AAAA,EACpB,gCAAA;AAAA,EACA;AACF,CAAA;AAMO,MAAM,YAAA,CAAa;AAAA,EACf,SAAA;AAAA,EACT,QAAA;AAAA,EAEA,OAAO,OAAO,QAAA,EAAyC;AACrD,IAAA,OAAO,IAAI,aAAa,QAAQ,CAAA;AAAA,EAClC;AAAA,EAEA,aAAa,cAAc,IAAA,EAA2B;AACpD,IAAA,MAAM,IAAA,CAAK,QAAQ,MAAA,CAAO;AAAA,MACxB,SAAA,EAAW;AAAA,KACZ,CAAA;AAAA,EACH;AAAA,EAEQ,YAAY,QAAA,EAA2B;AAC7C,IAAA,IAAA,CAAK,SAAA,GAAY,QAAA;AAAA,EACnB;AAAA,EAEA,GAAA,GAAqB;AACnB,IAAA,IAAA,CAAK,aAAa,IAAA,CAAK,SAAA,CAAU,WAAU,CAAE,IAAA,CAAK,OAAM,MAAA,KAAU;AAChE,MAAA,IAAI,CAAC,IAAA,CAAK,SAAA,CAAU,UAAA,EAAY,IAAA,EAAM;AACpC,QAAA,MAAM,YAAA,CAAa,cAAc,MAAM,CAAA;AAAA,MACzC;AACA,MAAA,OAAO,MAAA;AAAA,IACT,CAAC,CAAA;AAED,IAAA,OAAO,IAAA,CAAK,QAAA;AAAA,EACd;AACF;;;;"}

package/dist/database/UserInfoDatabase.cjs.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"UserInfoDatabase.cjs.js","sources":["../../src/database/UserInfoDatabase.ts"],"sourcesContent":["/\n Copyright 2024 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { DateTime } from 'luxon';\nimport { Knex } from 'knex';\n\nimport { AuthDatabase } from './AuthDatabase';\nimport { JsonObject } from '@backstage/types';\n\nconst TABLE = 'user_info';\n\ntype Row = {\n user_entity_ref: string;\n user_info: string;\n updated_at: string;\n};\n\ntype UserInfo = {\n claims: JsonObject;\n};\n\nexport class UserInfoDatabase {\n private constructor(private readonly client: Knex) {}\n\n async addUserInfo(userInfo: UserInfo): Promise<void> {\n await this.client<Row>(TABLE)\n .insert({\n user_entity_ref: userInfo.claims.sub as string,\n user_info: JSON.stringify(userInfo),\n updated_at: DateTime.utc().toSQL({ includeOffset: false }),\n })\n .onConflict('user_entity_ref')\n .merge();\n }\n\n async getUserInfo(userEntityRef: string): Promise<UserInfo \| undefined> {\n const info = await this.client<Row>(TABLE)\n .where({ user_entity_ref: userEntityRef })\n .first();\n\n if (!info) {\n return undefined;\n }\n\n const userInfo = JSON.parse(info.user_info);\n return userInfo;\n }\n\n static async create(options: { database: AuthDatabase }) {\n const client = await options.database.get();\n return new UserInfoDatabase(client);\n }\n}\n"],"names":["DateTime"],"mappings":";;;;AAsBA,MAAM,~~KAAQ~~,~~GAAA~~,WAAA;AAYP,MAAM,~~gBAAiB~~,~~CAAA~~;AAAA,EACpB,YAA6B,~~MAAc~~,~~EAAA~~;AAAd,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA;~~AAAe~~,EAEpD,MAAM,YAAY,~~QAAmC~~,~~EAAA~~;AACnD,IAAA,MAAM,~~IAAK~~,~~CAAA~~,MAAA,CAAY,KAAK,CAAA,CACzB,~~MAAO~~,~~CAAA~~;AAAA,MACN,eAAA,EAAiB,SAAS,~~MAAO~~,~~CAAA~~,GAAA;AAAA,MACjC,SAAA,EAAW,~~IAAK~~,~~CAAA~~,SAAA,CAAU,QAAQ,CAAA;AAAA,MAClC,UAAA,EAAYA,eAAS,~~GAAI~~,~~EAAA~~,CAAE,MAAM,EAAE,aAAA,EAAe,OAAO;AAAA,KAC1D,CAAA,CACA,~~UAAW~~,~~CAAA~~,iBAAiB,EAC5B,~~KAAM~~,~~EAAA~~;AAAA;~~AACX~~,EAEA,MAAM,YAAY,~~aAAsD~~,~~EAAA~~;AACtE,IAAA,MAAM,~~IAAO~~,~~GAAA~~,MAAM,~~IAAK~~,~~CAAA~~,MAAA,CAAY,KAAK,CAAA,CACtC,~~KAAM~~,~~CAAA~~,EAAE,~~eAAiB~~,~~EAAA~~,aAAA,EAAe,CAAA,CACxC,~~KAAM~~,~~EAAA~~;AAET,IAAA,IAAI,CAAC,~~IAAM~~,~~EAAA~~;AACT,~~MAAO~~,~~OAAA~~,~~KAAA,CAAA~~;AAAA;~~AAGT~~,IAAA,MAAM,~~QAAW~~,~~GAAA~~,IAAA,CAAK,~~KAAM~~,~~CAAA~~,IAAA,CAAK,SAAS,CAAA;AAC1C,~~IAAO~~,~~OAAA~~,QAAA;AAAA;~~AACT~~,EAEA,aAAa,OAAO,~~OAAqC~~,~~EAAA~~;AACvD,IAAA,MAAM,~~MAAS~~,~~GAAA~~,MAAM,~~OAAQ~~,~~CAAA~~,QAAA,CAAS,~~GAAI~~,~~EAAA~~;AAC1C,~~IAAO~~,~~OAAA~~,IAAI,iBAAiB,MAAM,CAAA;AAAA;~~AAEtC~~;;;;"}
1	+ {"version":3,"file":"UserInfoDatabase.cjs.js","sources":["../../src/database/UserInfoDatabase.ts"],"sourcesContent":["/\n Copyright 2024 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { DateTime } from 'luxon';\nimport { Knex } from 'knex';\n\nimport { AuthDatabase } from './AuthDatabase';\nimport { JsonObject } from '@backstage/types';\n\nconst TABLE = 'user_info';\n\ntype Row = {\n user_entity_ref: string;\n user_info: string;\n updated_at: string;\n};\n\ntype UserInfo = {\n claims: JsonObject;\n};\n\nexport class UserInfoDatabase {\n private constructor(private readonly client: Knex) {}\n\n async addUserInfo(userInfo: UserInfo): Promise<void> {\n await this.client<Row>(TABLE)\n .insert({\n user_entity_ref: userInfo.claims.sub as string,\n user_info: JSON.stringify(userInfo),\n updated_at: DateTime.utc().toSQL({ includeOffset: false }),\n })\n .onConflict('user_entity_ref')\n .merge();\n }\n\n async getUserInfo(userEntityRef: string): Promise<UserInfo \| undefined> {\n const info = await this.client<Row>(TABLE)\n .where({ user_entity_ref: userEntityRef })\n .first();\n\n if (!info) {\n return undefined;\n }\n\n const userInfo = JSON.parse(info.user_info);\n return userInfo;\n }\n\n static async create(options: { database: AuthDatabase }) {\n const client = await options.database.get();\n return new UserInfoDatabase(client);\n }\n}\n"],"names":["DateTime"],"mappings":";;;;AAsBA,MAAM,KAAA,GAAQ,WAAA;AAYP,MAAM,gBAAA,CAAiB;AAAA,EACpB,YAA6B,MAAA,EAAc;AAAd,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EAAe;AAAA,EAEpD,MAAM,YAAY,QAAA,EAAmC;AACnD,IAAA,MAAM,IAAA,CAAK,MAAA,CAAY,KAAK,CAAA,CACzB,MAAA,CAAO;AAAA,MACN,eAAA,EAAiB,SAAS,MAAA,CAAO,GAAA;AAAA,MACjC,SAAA,EAAW,IAAA,CAAK,SAAA,CAAU,QAAQ,CAAA;AAAA,MAClC,UAAA,EAAYA,eAAS,GAAA,EAAI,CAAE,MAAM,EAAE,aAAA,EAAe,OAAO;AAAA,KAC1D,CAAA,CACA,UAAA,CAAW,iBAAiB,EAC5B,KAAA,EAAM;AAAA,EACX;AAAA,EAEA,MAAM,YAAY,aAAA,EAAsD;AACtE,IAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,MAAA,CAAY,KAAK,CAAA,CACtC,KAAA,CAAM,EAAE,eAAA,EAAiB,aAAA,EAAe,CAAA,CACxC,KAAA,EAAM;AAET,IAAA,IAAI,CAAC,IAAA,EAAM;AACT,MAAA,OAAO,MAAA;AAAA,IACT;AAEA,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,SAAS,CAAA;AAC1C,IAAA,OAAO,QAAA;AAAA,EACT;AAAA,EAEA,aAAa,OAAO,OAAA,EAAqC;AACvD,IAAA,MAAM,MAAA,GAAS,MAAM,OAAA,CAAQ,QAAA,CAAS,GAAA,EAAI;AAC1C,IAAA,OAAO,IAAI,iBAAiB,MAAM,CAAA;AAAA,EACpC;AACF;;;;"}

package/dist/identity/DatabaseKeyStore.cjs.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"DatabaseKeyStore.cjs.js","sources":["../../src/identity/DatabaseKeyStore.ts"],"sourcesContent":["/\n Copyright 2020 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { Knex } from 'knex';\nimport { DateTime } from 'luxon';\nimport { AnyJWK, KeyStore, StoredKey } from './types';\n\nconst TABLE = 'signing_keys';\n\ntype Row = {\n created_at: Date; // row.created_at is a string after being returned from the database\n kid: string;\n key: string;\n};\n\nconst parseDate = (date: string \| Date) => {\n const parsedDate =\n typeof date === 'string'\n ? DateTime.fromSQL(date, { zone: 'UTC' })\n : DateTime.fromJSDate(date);\n\n if (!parsedDate.isValid) {\n throw new Error(\n `Failed to parse date, reason: ${parsedDate.invalidReason}, explanation: ${parsedDate.invalidExplanation}`,\n );\n }\n\n return parsedDate.toJSDate();\n};\n\nexport class DatabaseKeyStore implements KeyStore {\n constructor(private readonly client: Knex) {}\n\n async addKey(key: AnyJWK): Promise<void> {\n await this.client<Row>(TABLE).insert({\n kid: key.kid,\n key: JSON.stringify(key),\n });\n }\n\n async listKeys(): Promise<{ items: StoredKey[] }> {\n const rows = await this.client<Row>(TABLE).select();\n\n return {\n items: rows.map(row => ({\n key: JSON.parse(row.key),\n createdAt: parseDate(row.created_at),\n })),\n };\n }\n\n async removeKeys(kids: string[]): Promise<void> {\n await this.client(TABLE).delete().whereIn('kid', kids);\n }\n}\n"],"names":["DateTime"],"mappings":";;;;AAoBA,MAAM,~~KAAQ~~,~~GAAA~~,cAAA;AAQd,MAAM,SAAA,GAAY,CAAC,~~IAAwB~~,~~KAAA~~;AACzC,EAAA,MAAM,~~UACJ~~,~~GAAA~~,OAAO,~~IAAS~~,~~KAAA~~,QAAA,GACZA,eAAS,~~OAAQ~~,~~CAAA~~,IAAA,EAAM,EAAE,IAAA,EAAM,~~KAAM~~,~~EAAC~~,~~CACtC~~,~~GAAAA~~,cAAA,CAAS,WAAW,IAAI,CAAA;AAE9B,~~EAAI~~,~~IAAA~~,CAAC,WAAW,~~OAAS~~,~~EAAA~~;AACvB,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,~~CAAiC~~,8BAAA,~~EAAA~~,UAAA,CAAW,aAAa,CAAA,eAAA,EAAkB,WAAW,kBAAkB,CAAA;AAAA,KAC1G;AAAA;~~AAGF~~,EAAA,OAAO,WAAW,~~QAAS~~,~~EAAA~~;AAC7B,CAAA;AAEO,MAAM,~~gBAAqC~~,~~CAAA~~;AAAA,EAChD,YAA6B,~~MAAc~~,~~EAAA~~;AAAd,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA;~~AAAe~~,EAE5C,MAAM,OAAO,~~GAA4B~~,~~EAAA~~;AACvC,IAAA,MAAM,~~IAAK~~,~~CAAA~~,MAAA,CAAY,KAAK,CAAA,CAAE,~~MAAO~~,~~CAAA~~;AAAA,MACnC,KAAK,~~GAAI~~,~~CAAA~~,GAAA;AAAA,MACT,GAAA,EAAK,~~IAAK~~,~~CAAA~~,SAAA,CAAU,GAAG;AAAA,KACxB,CAAA;AAAA;~~AACH~~,EAEA,MAAM,~~QAA4C~~,~~GAAA~~;AAChD,IAAA,MAAM,OAAO,MAAM,IAAA,CAAK,~~MAAY~~,~~CAAA~~,KAAK,EAAE,~~MAAO~~,~~EAAA~~;AAElD,~~IAAO~~,~~OAAA~~;AAAA,MACL,KAAA,EAAO,~~IAAK~~,~~CAAA~~,GAAA,CAAI,~~CAAQ~~,GAAA,~~MAAA~~;AAAA,QACtB,~~GAAK~~,~~EAAA~~,IAAA,CAAK,~~KAAM~~,~~CAAA~~,GAAA,CAAI,GAAG,CAAA;AAAA,QACvB,SAAA,EAAW,~~SAAU~~,~~CAAA~~,GAAA,CAAI,UAAU;AAAA,~~OACnC~~,~~CAAA~~;AAAA,KACJ;AAAA;~~AACF~~,EAEA,MAAM,WAAW,~~IAA~~+B~~,EAAA~~;AAC9C,~~IAAM~~,~~MAAA~~,IAAA,CAAK,OAAO,KAAK,CAAA,CAAE,~~QAAS~~,~~CAAA~~,OAAA,CAAQ,OAAO,IAAI,CAAA;AAAA;~~AAEzD~~;;;;"}
1	+ {"version":3,"file":"DatabaseKeyStore.cjs.js","sources":["../../src/identity/DatabaseKeyStore.ts"],"sourcesContent":["/\n Copyright 2020 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { Knex } from 'knex';\nimport { DateTime } from 'luxon';\nimport { AnyJWK, KeyStore, StoredKey } from './types';\n\nconst TABLE = 'signing_keys';\n\ntype Row = {\n created_at: Date; // row.created_at is a string after being returned from the database\n kid: string;\n key: string;\n};\n\nconst parseDate = (date: string \| Date) => {\n const parsedDate =\n typeof date === 'string'\n ? DateTime.fromSQL(date, { zone: 'UTC' })\n : DateTime.fromJSDate(date);\n\n if (!parsedDate.isValid) {\n throw new Error(\n `Failed to parse date, reason: ${parsedDate.invalidReason}, explanation: ${parsedDate.invalidExplanation}`,\n );\n }\n\n return parsedDate.toJSDate();\n};\n\nexport class DatabaseKeyStore implements KeyStore {\n constructor(private readonly client: Knex) {}\n\n async addKey(key: AnyJWK): Promise<void> {\n await this.client<Row>(TABLE).insert({\n kid: key.kid,\n key: JSON.stringify(key),\n });\n }\n\n async listKeys(): Promise<{ items: StoredKey[] }> {\n const rows = await this.client<Row>(TABLE).select();\n\n return {\n items: rows.map(row => ({\n key: JSON.parse(row.key),\n createdAt: parseDate(row.created_at),\n })),\n };\n }\n\n async removeKeys(kids: string[]): Promise<void> {\n await this.client(TABLE).delete().whereIn('kid', kids);\n }\n}\n"],"names":["DateTime"],"mappings":";;;;AAoBA,MAAM,KAAA,GAAQ,cAAA;AAQd,MAAM,SAAA,GAAY,CAAC,IAAA,KAAwB;AACzC,EAAA,MAAM,UAAA,GACJ,OAAO,IAAA,KAAS,QAAA,GACZA,eAAS,OAAA,CAAQ,IAAA,EAAM,EAAE,IAAA,EAAM,KAAA,EAAO,CAAA,GACtCA,cAAA,CAAS,WAAW,IAAI,CAAA;AAE9B,EAAA,IAAI,CAAC,WAAW,OAAA,EAAS;AACvB,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,CAAA,8BAAA,EAAiC,UAAA,CAAW,aAAa,CAAA,eAAA,EAAkB,WAAW,kBAAkB,CAAA;AAAA,KAC1G;AAAA,EACF;AAEA,EAAA,OAAO,WAAW,QAAA,EAAS;AAC7B,CAAA;AAEO,MAAM,gBAAA,CAAqC;AAAA,EAChD,YAA6B,MAAA,EAAc;AAAd,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EAAe;AAAA,EAE5C,MAAM,OAAO,GAAA,EAA4B;AACvC,IAAA,MAAM,IAAA,CAAK,MAAA,CAAY,KAAK,CAAA,CAAE,MAAA,CAAO;AAAA,MACnC,KAAK,GAAA,CAAI,GAAA;AAAA,MACT,GAAA,EAAK,IAAA,CAAK,SAAA,CAAU,GAAG;AAAA,KACxB,CAAA;AAAA,EACH;AAAA,EAEA,MAAM,QAAA,GAA4C;AAChD,IAAA,MAAM,OAAO,MAAM,IAAA,CAAK,MAAA,CAAY,KAAK,EAAE,MAAA,EAAO;AAElD,IAAA,OAAO;AAAA,MACL,KAAA,EAAO,IAAA,CAAK,GAAA,CAAI,CAAA,GAAA,MAAQ;AAAA,QACtB,GAAA,EAAK,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAG,CAAA;AAAA,QACvB,SAAA,EAAW,SAAA,CAAU,GAAA,CAAI,UAAU;AAAA,OACrC,CAAE;AAAA,KACJ;AAAA,EACF;AAAA,EAEA,MAAM,WAAW,IAAA,EAA+B;AAC9C,IAAA,MAAM,IAAA,CAAK,OAAO,KAAK,CAAA,CAAE,QAAO,CAAE,OAAA,CAAQ,OAAO,IAAI,CAAA;AAAA,EACvD;AACF;;;;"}

package/dist/identity/FirestoreKeyStore.cjs.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"FirestoreKeyStore.cjs.js","sources":["../../src/identity/FirestoreKeyStore.ts"],"sourcesContent":["/\n Copyright 2021 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { LoggerService } from '@backstage/backend-plugin-api';\nimport {\n DocumentData,\n Firestore,\n QuerySnapshot,\n Settings,\n WriteResult,\n} from '@google-cloud/firestore';\n\nimport { AnyJWK, KeyStore, StoredKey } from './types';\n\nexport type FirestoreKeyStoreSettings = Settings & Options;\n\ntype Options = {\n path?: string;\n timeout?: number;\n};\n\nexport const DEFAULT_TIMEOUT_MS = 10000;\nexport const DEFAULT_DOCUMENT_PATH = 'sessions';\n\nexport class FirestoreKeyStore implements KeyStore {\n static async create(\n settings?: FirestoreKeyStoreSettings,\n ): Promise<FirestoreKeyStore> {\n const { path, timeout, ...firestoreSettings } = settings ?? {};\n const database = new Firestore(firestoreSettings);\n\n return new FirestoreKeyStore(\n database,\n path ?? DEFAULT_DOCUMENT_PATH,\n timeout ?? DEFAULT_TIMEOUT_MS,\n );\n }\n\n private constructor(\n private readonly database: Firestore,\n private readonly path: string,\n private readonly timeout: number,\n ) {}\n\n static async verifyConnection(\n keyStore: FirestoreKeyStore,\n logger?: LoggerService,\n ): Promise<void> {\n try {\n await keyStore.verify();\n } catch (error) {\n if (process.env.NODE_ENV !== 'development') {\n throw new Error(\n `Failed to connect to database: ${(error as Error).message}`,\n );\n }\n logger?.warn(\n `Failed to connect to database: ${(error as Error).message}`,\n );\n }\n }\n\n async addKey(key: AnyJWK): Promise<void> {\n await this.withTimeout<WriteResult>(\n this.database.collection(this.path).doc(key.kid).set({\n kid: key.kid,\n key: key,\n }),\n );\n }\n\n async listKeys(): Promise<{ items: StoredKey[] }> {\n const keys = await this.withTimeout<QuerySnapshot<DocumentData>>(\n this.database.collection(this.path).get(),\n );\n\n return {\n items: keys.docs.map(doc => {\n const { key } = doc.data();\n\n return {\n createdAt: doc.createTime.toDate(),\n key: typeof key === 'string' ? JSON.parse(key) : key,\n };\n }),\n };\n }\n\n async removeKeys(kids: string[]): Promise<void> {\n // This is probably really slow, but it's done async in the background\n for (const kid of kids) {\n await this.withTimeout<WriteResult>(\n this.database.collection(this.path).doc(kid).delete(),\n );\n }\n\n /\n This could be achieved with batching but there's a couple of limitations with that:\n \n - A batched write can contain a maximum of 500 operations\n * https://firebase.google.com/docs/firestore/manage-data/transactions#batched-writes\n \n - The \"in\" operator can combine a maximum of 10 equality clauses\n * https://firebase.google.com/docs/firestore/query-data/queries#in_not-in_and_array-contains-any\n \n Example:\n \n const batch = this.database.batch();\n * const docs = await this.database\n * .collection(this.path)\n * .where('kid', 'in', kids)\n * .get();\n * docs.forEach(doc => {\n * batch.delete(doc.ref);\n * });\n * await batch.commit();\n \n /\n }\n\n /*\n Helper function to allow us to modify the timeout used when\n * performing Firestore database operations.\n \n The reason for this is that it seems that there's no other\n * practical solution to change the default timeout of 10mins\n * that Firestore has.\n \n /\n private async withTimeout<T>(operation: Promise<T>): Promise<T> {\n const timer = new Promise<never>((_, reject) =>\n setTimeout(() => {\n reject(new Error(`Operation timed out after ${this.timeout}ms`));\n }, this.timeout),\n );\n return Promise.race<T>([operation, timer]);\n }\n\n /*\n Used to verify that the database is reachable.\n */\n private async verify(): Promise<void> {\n await this.withTimeout(this.database.collection(this.path).limit(1).get());\n }\n}\n"],"names":["Firestore"],"mappings":";;;;AAkCO,MAAM,~~kBAAqB~~,~~GAAA~~;AAC3B,MAAM,~~qBAAwB~~,~~GAAA~~;AAE9B,MAAM,~~iBAAsC~~,~~CAAA~~;AAAA,EAczC,WAAA,CACW,~~QACA~~,~~EAAA~~,IAAA,EACA,~~OACjB~~,~~EAAA~~;AAHiB,IAAA,IAAA,CAAA,QAAA,GAAA,QAAA;AACA,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AACA,IAAA,IAAA,CAAA,OAAA,GAAA,OAAA;AAAA;~~AAChB~~,EAjBH,aAAa,OACX,~~QAC4B~~,~~EAAA~~;AAC5B,IAAA,MAAM,EAAE,~~IAAM~~,~~EAAA~~,OAAA,EAAS,GAAG,~~iBAAkB~~,~~EAAA~~,GAAI,YAAY,EAAC;AAC7D,~~IAAM~~,~~MAAA~~,QAAA,GAAW,IAAIA,mBAAA,CAAU,iBAAiB,CAAA;AAEhD,IAAA,OAAO,IAAI,iBAAA;AAAA,MACT,QAAA;AAAA,MACA,IAAQ,~~IAAA,~~qBAAA;AAAA,MACR,~~OAAW~~,~~IAAA~~;AAAA,KACb;AAAA;~~AACF~~,EAQA,aAAa,~~gBACX~~,~~CAAA~~,QAAA,EACA,~~MACe~~,~~EAAA~~;AACf,IAAI~~,IAAA~~;AACF,MAAA,MAAM,SAAS,~~MAAO~~,~~EAAA~~;AAAA,~~aACf~~,~~KAAO~~,~~EAAA~~;AACd,~~MAAI~~,~~IAAA~~,OAAA,CAAQ,~~GAAI~~,~~CAAA~~,QAAA,KAAa,~~aAAe~~,~~EAAA~~;AAC1C,QAAA,MAAM,IAAI,KAAA;AAAA,UACR,CAAA,+BAAA,EAAmC,MAAgB,OAAO,CAAA;AAAA,SAC5D;AAAA;~~AAEF~~,~~MAAQ~~,MAAA,~~EAAA~~,IAAA;AAAA,QACN,CAAA,+BAAA,EAAmC,MAAgB,OAAO,CAAA;AAAA,OAC5D;AAAA;~~AACF~~;~~AACF~~,EAEA,MAAM,OAAO,~~GAA4B~~,~~EAAA~~;AACvC,IAAA,MAAM,~~IAAK~~,~~CAAA~~,WAAA;AAAA,MACT,IAAA,CAAK,~~QAAS~~,~~CAAA~~,UAAA,CAAW,~~IAAK~~,~~CAAA~~,IAAI,EAAE,~~GAAI~~,~~CAAA~~,GAAA,CAAI,GAAG,CAAA,CAAE,~~GAAI~~,~~CAAA~~;AAAA,QACnD,KAAK,~~GAAI~~,~~CAAA~~,GAAA;AAAA,QACT;AAAA,OACD;AAAA,KACH;AAAA;~~AACF~~,EAEA,MAAM,~~QAA4C~~,~~GAAA~~;AAChD,~~IAAM~~,~~MAAA~~,IAAA,GAAO,MAAM,~~IAAK~~,~~CAAA~~,WAAA;AAAA,MACtB,KAAK,~~QAAS~~,~~CAAA~~,UAAA,CAAW,~~IAAK~~,~~CAAA~~,IAAI,EAAE,~~GAAI~~;~~AAAA~~,KAC1C;AAEA,~~IAAO~~,~~OAAA~~;AAAA,MACL,~~KAAO~~,~~EAAA~~,IAAA,CAAK,~~IAAK~~,~~CAAA~~,GAAA,CAAI,~~CAAO~~,GAAA,~~KAAA~~;AAC1B,QAAA,MAAM,EAAE,GAAA,~~EAAQ~~,~~GAAA~~,GAAA,CAAI,~~IAAK~~,~~EAAA~~;AAEzB,~~QAAO~~,~~OAAA~~;AAAA,UACL,SAAA,EAAW,~~GAAI~~,~~CAAA~~,UAAA,CAAW,~~MAAO~~,~~EAAA~~;AAAA,UACjC,KAAK,OAAO,GAAA,KAAQ,WAAW,~~IAAK~~,~~CAAA~~,KAAA,CAAM,GAAG,~~CAAI~~,~~GAAA~~;AAAA,SACnD;AAAA,~~OACD~~;AAAA,KACH;AAAA;~~AACF~~,EAEA,MAAM,WAAW,~~IAA~~+B~~,EAAA~~;AAE9C,IAAA,KAAA,MAAW,OAAO,~~IAAM~~,~~EAAA~~;AACtB,MAAA,MAAM,~~IAAK~~,~~CAAA~~,WAAA;AAAA,QACT,IAAA,CAAK,SAAS,~~UAAW~~,~~CAAA~~,IAAA,CAAK,IAAI,CAAE,~~CAAA,~~GAAA,CAAI,GAAG,CAAA,CAAE,~~MAAO~~;~~AAAA~~,OACtD;AAAA;~~AACF~~;~~AAwBF~~;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAc,YAAe,~~SAAmC~~,~~EAAA~~;AAC9D,IAAA,MAAM,QAAQ,IAAI,OAAA;AAAA,MAAe,CAAC,CAAA,EAAG,~~MACnC~~,~~KAAA~~,UAAA,CAAW,MAAM;AACf,QAAA,MAAA,CAAO,IAAI,~~KAAM~~,~~CAAA~~,CAAA,0BAAA,EAA6B,~~IAAK~~,~~CAAA~~,OAAO,IAAI,CAAC,CAAA;AAAA,~~OACjE~~,EAAG,KAAK,OAAO;AAAA,KACjB;AACA,IAAA,OAAO,~~OAAQ~~,~~CAAA~~,IAAA,CAAQ,CAAC,SAAA,EAAW,KAAK,CAAC,CAAA;AAAA;~~AAC3C~~;AAAA;AAAA;AAAA,EAKA,MAAc,~~MAAwB~~,~~GAAA~~;AACpC,IAAA,MAAM,~~IAAK~~,~~CAAA~~,WAAA,CAAY,~~IAAK~~,~~CAAA~~,QAAA,CAAS,~~UAAW~~,~~CAAA~~,IAAA,CAAK,IAAI,CAAA,CAAE,~~KAAM~~,~~CAAA~~,CAAC,CAAE,~~CAAA,~~GAAA,EAAK,CAAA;AAAA;~~AAE7E~~;;;;;;"}
1	+ {"version":3,"file":"FirestoreKeyStore.cjs.js","sources":["../../src/identity/FirestoreKeyStore.ts"],"sourcesContent":["/\n Copyright 2021 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { LoggerService } from '@backstage/backend-plugin-api';\nimport {\n DocumentData,\n Firestore,\n QuerySnapshot,\n Settings,\n WriteResult,\n} from '@google-cloud/firestore';\n\nimport { AnyJWK, KeyStore, StoredKey } from './types';\n\nexport type FirestoreKeyStoreSettings = Settings & Options;\n\ntype Options = {\n path?: string;\n timeout?: number;\n};\n\nexport const DEFAULT_TIMEOUT_MS = 10000;\nexport const DEFAULT_DOCUMENT_PATH = 'sessions';\n\nexport class FirestoreKeyStore implements KeyStore {\n static async create(\n settings?: FirestoreKeyStoreSettings,\n ): Promise<FirestoreKeyStore> {\n const { path, timeout, ...firestoreSettings } = settings ?? {};\n const database = new Firestore(firestoreSettings);\n\n return new FirestoreKeyStore(\n database,\n path ?? DEFAULT_DOCUMENT_PATH,\n timeout ?? DEFAULT_TIMEOUT_MS,\n );\n }\n\n private constructor(\n private readonly database: Firestore,\n private readonly path: string,\n private readonly timeout: number,\n ) {}\n\n static async verifyConnection(\n keyStore: FirestoreKeyStore,\n logger?: LoggerService,\n ): Promise<void> {\n try {\n await keyStore.verify();\n } catch (error) {\n if (process.env.NODE_ENV !== 'development') {\n throw new Error(\n `Failed to connect to database: ${(error as Error).message}`,\n );\n }\n logger?.warn(\n `Failed to connect to database: ${(error as Error).message}`,\n );\n }\n }\n\n async addKey(key: AnyJWK): Promise<void> {\n await this.withTimeout<WriteResult>(\n this.database.collection(this.path).doc(key.kid).set({\n kid: key.kid,\n key: key,\n }),\n );\n }\n\n async listKeys(): Promise<{ items: StoredKey[] }> {\n const keys = await this.withTimeout<QuerySnapshot<DocumentData>>(\n this.database.collection(this.path).get(),\n );\n\n return {\n items: keys.docs.map(doc => {\n const { key } = doc.data();\n\n return {\n createdAt: doc.createTime.toDate(),\n key: typeof key === 'string' ? JSON.parse(key) : key,\n };\n }),\n };\n }\n\n async removeKeys(kids: string[]): Promise<void> {\n // This is probably really slow, but it's done async in the background\n for (const kid of kids) {\n await this.withTimeout<WriteResult>(\n this.database.collection(this.path).doc(kid).delete(),\n );\n }\n\n /\n This could be achieved with batching but there's a couple of limitations with that:\n \n - A batched write can contain a maximum of 500 operations\n * https://firebase.google.com/docs/firestore/manage-data/transactions#batched-writes\n \n - The \"in\" operator can combine a maximum of 10 equality clauses\n * https://firebase.google.com/docs/firestore/query-data/queries#in_not-in_and_array-contains-any\n \n Example:\n \n const batch = this.database.batch();\n * const docs = await this.database\n * .collection(this.path)\n * .where('kid', 'in', kids)\n * .get();\n * docs.forEach(doc => {\n * batch.delete(doc.ref);\n * });\n * await batch.commit();\n \n /\n }\n\n /*\n Helper function to allow us to modify the timeout used when\n * performing Firestore database operations.\n \n The reason for this is that it seems that there's no other\n * practical solution to change the default timeout of 10mins\n * that Firestore has.\n \n /\n private async withTimeout<T>(operation: Promise<T>): Promise<T> {\n const timer = new Promise<never>((_, reject) =>\n setTimeout(() => {\n reject(new Error(`Operation timed out after ${this.timeout}ms`));\n }, this.timeout),\n );\n return Promise.race<T>([operation, timer]);\n }\n\n /*\n Used to verify that the database is reachable.\n */\n private async verify(): Promise<void> {\n await this.withTimeout(this.database.collection(this.path).limit(1).get());\n }\n}\n"],"names":["Firestore"],"mappings":";;;;AAkCO,MAAM,kBAAA,GAAqB;AAC3B,MAAM,qBAAA,GAAwB;AAE9B,MAAM,iBAAA,CAAsC;AAAA,EAczC,WAAA,CACW,QAAA,EACA,IAAA,EACA,OAAA,EACjB;AAHiB,IAAA,IAAA,CAAA,QAAA,GAAA,QAAA;AACA,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AACA,IAAA,IAAA,CAAA,OAAA,GAAA,OAAA;AAAA,EAChB;AAAA,EAjBH,aAAa,OACX,QAAA,EAC4B;AAC5B,IAAA,MAAM,EAAE,IAAA,EAAM,OAAA,EAAS,GAAG,iBAAA,EAAkB,GAAI,YAAY,EAAC;AAC7D,IAAA,MAAM,QAAA,GAAW,IAAIA,mBAAA,CAAU,iBAAiB,CAAA;AAEhD,IAAA,OAAO,IAAI,iBAAA;AAAA,MACT,QAAA;AAAA,MACA,IAAA,IAAQ,qBAAA;AAAA,MACR,OAAA,IAAW;AAAA,KACb;AAAA,EACF;AAAA,EAQA,aAAa,gBAAA,CACX,QAAA,EACA,MAAA,EACe;AACf,IAAA,IAAI;AACF,MAAA,MAAM,SAAS,MAAA,EAAO;AAAA,IACxB,SAAS,KAAA,EAAO;AACd,MAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,aAAA,EAAe;AAC1C,QAAA,MAAM,IAAI,KAAA;AAAA,UACR,CAAA,+BAAA,EAAmC,MAAgB,OAAO,CAAA;AAAA,SAC5D;AAAA,MACF;AACA,MAAA,MAAA,EAAQ,IAAA;AAAA,QACN,CAAA,+BAAA,EAAmC,MAAgB,OAAO,CAAA;AAAA,OAC5D;AAAA,IACF;AAAA,EACF;AAAA,EAEA,MAAM,OAAO,GAAA,EAA4B;AACvC,IAAA,MAAM,IAAA,CAAK,WAAA;AAAA,MACT,IAAA,CAAK,QAAA,CAAS,UAAA,CAAW,IAAA,CAAK,IAAI,EAAE,GAAA,CAAI,GAAA,CAAI,GAAG,CAAA,CAAE,GAAA,CAAI;AAAA,QACnD,KAAK,GAAA,CAAI,GAAA;AAAA,QACT;AAAA,OACD;AAAA,KACH;AAAA,EACF;AAAA,EAEA,MAAM,QAAA,GAA4C;AAChD,IAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,WAAA;AAAA,MACtB,KAAK,QAAA,CAAS,UAAA,CAAW,IAAA,CAAK,IAAI,EAAE,GAAA;AAAI,KAC1C;AAEA,IAAA,OAAO;AAAA,MACL,KAAA,EAAO,IAAA,CAAK,IAAA,CAAK,GAAA,CAAI,CAAA,GAAA,KAAO;AAC1B,QAAA,MAAM,EAAE,GAAA,EAAI,GAAI,GAAA,CAAI,IAAA,EAAK;AAEzB,QAAA,OAAO;AAAA,UACL,SAAA,EAAW,GAAA,CAAI,UAAA,CAAW,MAAA,EAAO;AAAA,UACjC,KAAK,OAAO,GAAA,KAAQ,WAAW,IAAA,CAAK,KAAA,CAAM,GAAG,CAAA,GAAI;AAAA,SACnD;AAAA,MACF,CAAC;AAAA,KACH;AAAA,EACF;AAAA,EAEA,MAAM,WAAW,IAAA,EAA+B;AAE9C,IAAA,KAAA,MAAW,OAAO,IAAA,EAAM;AACtB,MAAA,MAAM,IAAA,CAAK,WAAA;AAAA,QACT,IAAA,CAAK,SAAS,UAAA,CAAW,IAAA,CAAK,IAAI,CAAA,CAAE,GAAA,CAAI,GAAG,CAAA,CAAE,MAAA;AAAO,OACtD;AAAA,IACF;AAAA,EAwBF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAc,YAAe,SAAA,EAAmC;AAC9D,IAAA,MAAM,QAAQ,IAAI,OAAA;AAAA,MAAe,CAAC,CAAA,EAAG,MAAA,KACnC,UAAA,CAAW,MAAM;AACf,QAAA,MAAA,CAAO,IAAI,KAAA,CAAM,CAAA,0BAAA,EAA6B,IAAA,CAAK,OAAO,IAAI,CAAC,CAAA;AAAA,MACjE,CAAA,EAAG,KAAK,OAAO;AAAA,KACjB;AACA,IAAA,OAAO,OAAA,CAAQ,IAAA,CAAQ,CAAC,SAAA,EAAW,KAAK,CAAC,CAAA;AAAA,EAC3C;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,MAAA,GAAwB;AACpC,IAAA,MAAM,IAAA,CAAK,WAAA,CAAY,IAAA,CAAK,QAAA,CAAS,UAAA,CAAW,IAAA,CAAK,IAAI,CAAA,CAAE,KAAA,CAAM,CAAC,CAAA,CAAE,GAAA,EAAK,CAAA;AAAA,EAC3E;AACF;;;;;;"}

package/dist/identity/KeyStores.cjs.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"KeyStores.cjs.js","sources":["../../src/identity/KeyStores.ts"],"sourcesContent":["/\n Copyright 2021 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { pickBy } from 'lodash';\nimport { LoggerService } from '@backstage/backend-plugin-api';\n\nimport { Config } from '@backstage/config';\nimport { AuthDatabase } from '../database/AuthDatabase';\nimport { DatabaseKeyStore } from './DatabaseKeyStore';\nimport { FirestoreKeyStore } from './FirestoreKeyStore';\nimport { MemoryKeyStore } from './MemoryKeyStore';\nimport { KeyStore } from './types';\nimport { StaticKeyStore } from './StaticKeyStore';\n\ntype Options = {\n logger: LoggerService;\n database: AuthDatabase;\n};\n\nexport class KeyStores {\n /\n Looks at the `auth.keyStore` section in the application configuration\n * and returns a KeyStore store. Defaults to `database`\n \n @returns a KeyStore store\n */\n static async fromConfig(config: Config, options: Options): Promise<KeyStore> {\n const { logger, database } = options;\n\n const ks = config.getOptionalConfig('auth.keyStore');\n const provider = ks?.getOptionalString('provider') ?? 'database';\n\n logger.info(`Configuring \"${provider}\" as KeyStore provider`);\n\n if (provider === 'database') {\n return new DatabaseKeyStore(await database.get());\n }\n\n if (provider === 'memory') {\n return new MemoryKeyStore();\n }\n\n if (provider === 'firestore') {\n const settings = ks?.getConfig(provider);\n\n const keyStore = await FirestoreKeyStore.create(\n pickBy(\n {\n projectId: settings?.getOptionalString('projectId'),\n keyFilename: settings?.getOptionalString('keyFilename'),\n host: settings?.getOptionalString('host'),\n port: settings?.getOptionalNumber('port'),\n ssl: settings?.getOptionalBoolean('ssl'),\n path: settings?.getOptionalString('path'),\n timeout: settings?.getOptionalNumber('timeout'),\n },\n value => value !== undefined,\n ),\n );\n await FirestoreKeyStore.verifyConnection(keyStore, logger);\n\n return keyStore;\n }\n\n if (provider === 'static') {\n return await StaticKeyStore.fromConfig(config);\n }\n\n throw new Error(`Unknown KeyStore provider: ${provider}`);\n }\n}\n"],"names":["DatabaseKeyStore","MemoryKeyStore","FirestoreKeyStore","pickBy","StaticKeyStore"],"mappings":";;;;;;;;AAgCO,MAAM,~~SAAU~~,~~CAAA~~;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOrB,aAAa,~~UAAW~~,~~CAAA~~,MAAA,EAAgB,~~OAAqC~~,~~EAAA~~;AAC3E,~~IAAM~~,~~MAAA~~,EAAE,~~MAAQ~~,~~EAAA~~,QAAA,~~EAAa~~,~~GAAA~~,OAAA;AAE7B,~~IAAM~~,~~MAAA~~,EAAA,GAAK,~~MAAO~~,~~CAAA~~,iBAAA,CAAkB,eAAe,CAAA;AACnD,IAAA,MAAM,~~QAAW~~,~~GAAA~~,EAAA,EAAI,~~iBAAkB~~,~~CAAA~~,UAAU,~~CAAK~~,~~IAAA~~,UAAA;AAEtD,~~IAAO~~,MAAA,~~CAAA~~,IAAA,CAAK,~~CAAgB~~,aAAA,~~EAAA~~,QAAQ,~~CAAwB~~,sBAAA,~~CAAA~~,CAAA;AAE5D,IAAA,IAAI,aAAa,~~UAAY~~,~~EAAA~~;AAC3B,MAAA,OAAO,IAAIA,iCAAA,CAAiB,MAAM,QAAA,CAAS,KAAK,CAAA;AAAA;~~AAGlD~~,IAAA,IAAI,aAAa,~~QAAU~~,~~EAAA~~;AACzB,MAAA,OAAO,IAAIC,~~6BAAe~~,~~EAAA~~;AAAA;~~AAG5B~~,IAAA,IAAI,aAAa,~~WAAa~~,~~EAAA~~;AAC5B,MAAM,~~MAAA,~~QAAA,GAAW,EAAI,~~EAAA,~~SAAA,CAAU,QAAQ,CAAA;AAEvC,MAAM,~~MAAA,~~QAAA,GAAW,MAAMC,~~mCAAkB~~,~~CAAA~~,MAAA;AAAA,QACvCC,aAAA;AAAA,UACE;AAAA,YACE,SAAA,EAAW,~~QAAU~~,~~EAAA~~,iBAAA,CAAkB,WAAW,CAAA;AAAA,YAClD,WAAA,EAAa,~~QAAU~~,~~EAAA~~,iBAAA,CAAkB,aAAa,CAAA;AAAA,YACtD,IAAA,EAAM,~~QAAU~~,~~EAAA~~,iBAAA,CAAkB,MAAM,CAAA;AAAA,YACxC,IAAA,EAAM,~~QAAU~~,~~EAAA~~,iBAAA,CAAkB,MAAM,CAAA;AAAA,YACxC,GAAA,EAAK,~~QAAU~~,~~EAAA~~,kBAAA,CAAmB,KAAK,CAAA;AAAA,YACvC,IAAA,EAAM,~~QAAU~~,~~EAAA~~,iBAAA,CAAkB,MAAM,CAAA;AAAA,YACxC,OAAA,EAAS,~~QAAU~~,~~EAAA~~,iBAAA,CAAkB,SAAS;AAAA,WAChD;AAAA,UACA,WAAS,~~KAAU,~~KAAA,~~KAAA~~;AAAA;AACrB,OACF;AACA,~~MAAM~~,~~MAAAD~~,mCAAA,CAAkB,~~gBAAiB~~,~~CAAA~~,QAAA,EAAU,MAAM,CAAA;AAEzD,~~MAAO~~,~~OAAA~~,QAAA;AAAA;~~AAGT~~,IAAA,IAAI,aAAa,~~QAAU~~,~~EAAA~~;AACzB,~~MAAO~~,~~OAAA~~,MAAME,~~6BAAe~~,~~CAAA~~,UAAA,CAAW,MAAM,CAAA;AAAA~~;AAG~~/C,IAAA,MAAM,IAAI,KAAA,CAAM,~~CAA8B~~,2BAAA,~~EAAA~~,QAAQ,CAAE,CAAA~~,CAAA~~;AAAA;~~AAE5D~~;;;;"}
1	+ {"version":3,"file":"KeyStores.cjs.js","sources":["../../src/identity/KeyStores.ts"],"sourcesContent":["/\n Copyright 2021 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { pickBy } from 'lodash';\nimport { LoggerService } from '@backstage/backend-plugin-api';\n\nimport { Config } from '@backstage/config';\nimport { AuthDatabase } from '../database/AuthDatabase';\nimport { DatabaseKeyStore } from './DatabaseKeyStore';\nimport { FirestoreKeyStore } from './FirestoreKeyStore';\nimport { MemoryKeyStore } from './MemoryKeyStore';\nimport { KeyStore } from './types';\nimport { StaticKeyStore } from './StaticKeyStore';\n\ntype Options = {\n logger: LoggerService;\n database: AuthDatabase;\n};\n\nexport class KeyStores {\n /\n Looks at the `auth.keyStore` section in the application configuration\n * and returns a KeyStore store. Defaults to `database`\n \n @returns a KeyStore store\n */\n static async fromConfig(config: Config, options: Options): Promise<KeyStore> {\n const { logger, database } = options;\n\n const ks = config.getOptionalConfig('auth.keyStore');\n const provider = ks?.getOptionalString('provider') ?? 'database';\n\n logger.info(`Configuring \"${provider}\" as KeyStore provider`);\n\n if (provider === 'database') {\n return new DatabaseKeyStore(await database.get());\n }\n\n if (provider === 'memory') {\n return new MemoryKeyStore();\n }\n\n if (provider === 'firestore') {\n const settings = ks?.getConfig(provider);\n\n const keyStore = await FirestoreKeyStore.create(\n pickBy(\n {\n projectId: settings?.getOptionalString('projectId'),\n keyFilename: settings?.getOptionalString('keyFilename'),\n host: settings?.getOptionalString('host'),\n port: settings?.getOptionalNumber('port'),\n ssl: settings?.getOptionalBoolean('ssl'),\n path: settings?.getOptionalString('path'),\n timeout: settings?.getOptionalNumber('timeout'),\n },\n value => value !== undefined,\n ),\n );\n await FirestoreKeyStore.verifyConnection(keyStore, logger);\n\n return keyStore;\n }\n\n if (provider === 'static') {\n return await StaticKeyStore.fromConfig(config);\n }\n\n throw new Error(`Unknown KeyStore provider: ${provider}`);\n }\n}\n"],"names":["DatabaseKeyStore","MemoryKeyStore","FirestoreKeyStore","pickBy","StaticKeyStore"],"mappings":";;;;;;;;AAgCO,MAAM,SAAA,CAAU;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOrB,aAAa,UAAA,CAAW,MAAA,EAAgB,OAAA,EAAqC;AAC3E,IAAA,MAAM,EAAE,MAAA,EAAQ,QAAA,EAAS,GAAI,OAAA;AAE7B,IAAA,MAAM,EAAA,GAAK,MAAA,CAAO,iBAAA,CAAkB,eAAe,CAAA;AACnD,IAAA,MAAM,QAAA,GAAW,EAAA,EAAI,iBAAA,CAAkB,UAAU,CAAA,IAAK,UAAA;AAEtD,IAAA,MAAA,CAAO,IAAA,CAAK,CAAA,aAAA,EAAgB,QAAQ,CAAA,sBAAA,CAAwB,CAAA;AAE5D,IAAA,IAAI,aAAa,UAAA,EAAY;AAC3B,MAAA,OAAO,IAAIA,iCAAA,CAAiB,MAAM,QAAA,CAAS,KAAK,CAAA;AAAA,IAClD;AAEA,IAAA,IAAI,aAAa,QAAA,EAAU;AACzB,MAAA,OAAO,IAAIC,6BAAA,EAAe;AAAA,IAC5B;AAEA,IAAA,IAAI,aAAa,WAAA,EAAa;AAC5B,MAAA,MAAM,QAAA,GAAW,EAAA,EAAI,SAAA,CAAU,QAAQ,CAAA;AAEvC,MAAA,MAAM,QAAA,GAAW,MAAMC,mCAAA,CAAkB,MAAA;AAAA,QACvCC,aAAA;AAAA,UACE;AAAA,YACE,SAAA,EAAW,QAAA,EAAU,iBAAA,CAAkB,WAAW,CAAA;AAAA,YAClD,WAAA,EAAa,QAAA,EAAU,iBAAA,CAAkB,aAAa,CAAA;AAAA,YACtD,IAAA,EAAM,QAAA,EAAU,iBAAA,CAAkB,MAAM,CAAA;AAAA,YACxC,IAAA,EAAM,QAAA,EAAU,iBAAA,CAAkB,MAAM,CAAA;AAAA,YACxC,GAAA,EAAK,QAAA,EAAU,kBAAA,CAAmB,KAAK,CAAA;AAAA,YACvC,IAAA,EAAM,QAAA,EAAU,iBAAA,CAAkB,MAAM,CAAA;AAAA,YACxC,OAAA,EAAS,QAAA,EAAU,iBAAA,CAAkB,SAAS;AAAA,WAChD;AAAA,UACA,WAAS,KAAA,KAAU;AAAA;AACrB,OACF;AACA,MAAA,MAAMD,mCAAA,CAAkB,gBAAA,CAAiB,QAAA,EAAU,MAAM,CAAA;AAEzD,MAAA,OAAO,QAAA;AAAA,IACT;AAEA,IAAA,IAAI,aAAa,QAAA,EAAU;AACzB,MAAA,OAAO,MAAME,6BAAA,CAAe,UAAA,CAAW,MAAM,CAAA;AAAA,IAC/C;AAEA,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,2BAAA,EAA8B,QAAQ,CAAA,CAAE,CAAA;AAAA,EAC1D;AACF;;;;"}

package/dist/identity/MemoryKeyStore.cjs.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"MemoryKeyStore.cjs.js","sources":["../../src/identity/MemoryKeyStore.ts"],"sourcesContent":["/\n Copyright 2020 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { KeyStore, AnyJWK, StoredKey } from './types';\nimport { DateTime } from 'luxon';\n\nexport class MemoryKeyStore implements KeyStore {\n private readonly keys = new Map<string, { createdAt: Date; key: string }>();\n\n async addKey(key: AnyJWK): Promise<void> {\n this.keys.set(key.kid, {\n createdAt: DateTime.utc().toJSDate(),\n key: JSON.stringify(key),\n });\n }\n\n async removeKeys(kids: string[]): Promise<void> {\n for (const kid of kids) {\n this.keys.delete(kid);\n }\n }\n\n async listKeys(): Promise<{ items: StoredKey[] }> {\n return {\n items: Array.from(this.keys).map(([, { createdAt, key: keyStr }]) => ({\n createdAt,\n key: JSON.parse(keyStr),\n })),\n };\n }\n}\n"],"names":["DateTime"],"mappings":";;;;AAmBO,MAAM,~~cAAmC~~,~~CAAA~~;AAAA,EAC7B,IAAA,uBAAW,~~GAA8C~~,~~EAAA~~;AAAA,EAE1E,MAAM,OAAO,~~GAA4B~~,~~EAAA~~;AACvC,~~IAAK~~,IAAA,~~CAAA~~,IAAA,CAAK,~~GAAI~~,~~CAAA~~,GAAA,CAAI,~~GAAK~~,~~EAAA~~;AAAA,MACrB,~~SAAW~~,~~EAAAA~~,cAAA,CAAS,~~GAAI~~,~~EAAA~~,CAAE,~~QAAS~~,~~EAAA~~;AAAA,MACnC,GAAA,EAAK,~~IAAK~~,~~CAAA~~,SAAA,CAAU,GAAG;AAAA,KACxB,CAAA;AAAA;~~AACH~~,EAEA,MAAM,WAAW,~~IAA~~+B~~,EAAA~~;AAC9C,IAAA,KAAA,MAAW,OAAO,~~IAAM~~,~~EAAA~~;AACtB,~~MAAK~~,IAAA,~~CAAA~~,IAAA,CAAK,OAAO,GAAG,CAAA;AAAA;~~AACtB~~;~~AACF~~,EAEA,MAAM,~~QAA4C~~,~~GAAA~~;AAChD,~~IAAO~~,~~OAAA~~;AAAA,MACL,~~KAAO~~,~~EAAA~~,KAAA,CAAM,~~IAAK~~,~~CAAA~~,IAAA,CAAK,IAAI,CAAE,~~CAAA,~~GAAA,CAAI,CAAC,GAAG,EAAE,SAAA,EAAW,~~GAAK~~,~~EAAA~~,MAAA,EAAQ,~~CAAO~~,~~MAAA~~;AAAA,QACpE,SAAA;AAAA,QACA,GAAA,EAAK,~~IAAK~~,~~CAAA~~,KAAA,CAAM,MAAM;AAAA,~~OACtB~~,~~CAAA~~;AAAA,KACJ;AAAA;~~AAEJ~~;;;;"}
1	+ {"version":3,"file":"MemoryKeyStore.cjs.js","sources":["../../src/identity/MemoryKeyStore.ts"],"sourcesContent":["/\n Copyright 2020 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { KeyStore, AnyJWK, StoredKey } from './types';\nimport { DateTime } from 'luxon';\n\nexport class MemoryKeyStore implements KeyStore {\n private readonly keys = new Map<string, { createdAt: Date; key: string }>();\n\n async addKey(key: AnyJWK): Promise<void> {\n this.keys.set(key.kid, {\n createdAt: DateTime.utc().toJSDate(),\n key: JSON.stringify(key),\n });\n }\n\n async removeKeys(kids: string[]): Promise<void> {\n for (const kid of kids) {\n this.keys.delete(kid);\n }\n }\n\n async listKeys(): Promise<{ items: StoredKey[] }> {\n return {\n items: Array.from(this.keys).map(([, { createdAt, key: keyStr }]) => ({\n createdAt,\n key: JSON.parse(keyStr),\n })),\n };\n }\n}\n"],"names":["DateTime"],"mappings":";;;;AAmBO,MAAM,cAAA,CAAmC;AAAA,EAC7B,IAAA,uBAAW,GAAA,EAA8C;AAAA,EAE1E,MAAM,OAAO,GAAA,EAA4B;AACvC,IAAA,IAAA,CAAK,IAAA,CAAK,GAAA,CAAI,GAAA,CAAI,GAAA,EAAK;AAAA,MACrB,SAAA,EAAWA,cAAA,CAAS,GAAA,EAAI,CAAE,QAAA,EAAS;AAAA,MACnC,GAAA,EAAK,IAAA,CAAK,SAAA,CAAU,GAAG;AAAA,KACxB,CAAA;AAAA,EACH;AAAA,EAEA,MAAM,WAAW,IAAA,EAA+B;AAC9C,IAAA,KAAA,MAAW,OAAO,IAAA,EAAM;AACtB,MAAA,IAAA,CAAK,IAAA,CAAK,OAAO,GAAG,CAAA;AAAA,IACtB;AAAA,EACF;AAAA,EAEA,MAAM,QAAA,GAA4C;AAChD,IAAA,OAAO;AAAA,MACL,KAAA,EAAO,KAAA,CAAM,IAAA,CAAK,IAAA,CAAK,IAAI,CAAA,CAAE,GAAA,CAAI,CAAC,GAAG,EAAE,SAAA,EAAW,GAAA,EAAK,MAAA,EAAQ,CAAA,MAAO;AAAA,QACpE,SAAA;AAAA,QACA,GAAA,EAAK,IAAA,CAAK,KAAA,CAAM,MAAM;AAAA,OACxB,CAAE;AAAA,KACJ;AAAA,EACF;AACF;;;;"}

package/dist/identity/StaticKeyStore.cjs.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"StaticKeyStore.cjs.js","sources":["../../src/identity/StaticKeyStore.ts"],"sourcesContent":["/\n Copyright 2023 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\nimport { AnyJWK, KeyStore, StoredKey } from './types';\nimport { exportJWK, importPKCS8, importSPKI, JWK } from 'jose';\nimport { KeyLike } from 'jose';\nimport { promises as fs } from 'fs';\nimport { Config } from '@backstage/config';\n\nexport type KeyPair = {\n publicKey: JWK;\n privateKey: JWK;\n};\n\nexport type StaticKeyConfig = {\n publicKeyFile: string;\n privateKeyFile: string;\n keyId: string;\n algorithm: string;\n};\n\nconst DEFAULT_ALGORITHM = 'ES256';\n\n/\n Key store that loads predefined public/private key pairs from disk\n \n The private key should be represented using the PKCS#8 format,\n * while the public key should be in the SPKI format.\n \n @remarks\n \n You can generate a public and private key pair, using\n * openssl:\n \n Generate a private key using the ES256 algorithm\n * ```sh\n * openssl ecparam -name prime256v1 -genkey -out private.ec.key\n * ```\n * Convert it to PKCS#8 format\n * ```sh\n * openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in private.ec.key -out private.key\n * ```\n * Extract the public key\n * ```sh\n * openssl ec -inform PEM -outform PEM -pubout -in private.key -out public.key\n * ```\n \n Provide the paths to private.key and public.key as the respective\n * private and public key paths in the StaticKeyStore.create(...) method.\n */\nexport class StaticKeyStore implements KeyStore {\n private readonly keyPairs: KeyPair[];\n private readonly createdAt: Date;\n\n private constructor(keyPairs: KeyPair[]) {\n if (keyPairs.length === 0) {\n throw new Error('Should provide at least one key pair');\n }\n\n this.keyPairs = keyPairs;\n this.createdAt = new Date();\n }\n\n public static async fromConfig(config: Config): Promise<StaticKeyStore> {\n const keyConfigs = config\n .getConfigArray('auth.keyStore.static.keys')\n .map(c => {\n const staticKeyConfig: StaticKeyConfig = {\n publicKeyFile: c.getString('publicKeyFile'),\n privateKeyFile: c.getString('privateKeyFile'),\n keyId: c.getString('keyId'),\n algorithm: c.getOptionalString('algorithm') ?? DEFAULT_ALGORITHM,\n };\n\n return staticKeyConfig;\n });\n\n const keyPairs = await Promise.all(\n keyConfigs.map(async k => await this.loadKeyPair(k)),\n );\n\n return new StaticKeyStore(keyPairs);\n }\n\n addKey(_key: AnyJWK): Promise<void> {\n throw new Error('Cannot add keys to the static key store');\n }\n\n listKeys(): Promise<{ items: StoredKey[] }> {\n const keys = this.keyPairs.map(k => this.keyPairToStoredKey(k));\n return Promise.resolve({ items: keys });\n }\n\n getPrivateKey(keyId: string): JWK {\n const keyPair = this.keyPairs.find(k => k.publicKey.kid === keyId);\n if (keyPair === undefined) {\n throw new Error(`Could not find key with keyId: ${keyId}`);\n }\n\n return keyPair.privateKey;\n }\n\n removeKeys(_kids: string[]): Promise<void> {\n throw new Error('Cannot remove keys from the static key store');\n }\n\n private keyPairToStoredKey(keyPair: KeyPair): StoredKey {\n const publicKey = {\n ...keyPair.publicKey,\n use: 'sig',\n };\n\n return {\n key: publicKey as AnyJWK,\n createdAt: this.createdAt,\n };\n }\n\n private static async loadKeyPair(options: StaticKeyConfig): Promise<KeyPair> {\n const algorithm = options.algorithm;\n const keyId = options.keyId;\n const publicKey = await this.loadPublicKeyFromFile(\n options.publicKeyFile,\n keyId,\n algorithm,\n );\n const privateKey = await this.loadPrivateKeyFromFile(\n options.privateKeyFile,\n keyId,\n algorithm,\n );\n\n return { publicKey, privateKey };\n }\n\n private static async loadPublicKeyFromFile(\n path: string,\n keyId: string,\n algorithm: string,\n ): Promise<JWK> {\n return this.loadKeyFromFile(path, keyId, algorithm, importSPKI);\n }\n\n private static async loadPrivateKeyFromFile(\n path: string,\n keyId: string,\n algorithm: string,\n ): Promise<JWK> {\n return this.loadKeyFromFile(path, keyId, algorithm, importPKCS8);\n }\n\n private static async loadKeyFromFile(\n path: string,\n keyId: string,\n algorithm: string,\n importer: (content: string, algorithm: string) => Promise<KeyLike>,\n ): Promise<JWK> {\n const content = await fs.readFile(path, { encoding: 'utf8', flag: 'r' });\n const key = await importer(content, algorithm);\n const jwk = await exportJWK(key);\n jwk.kid = keyId;\n jwk.alg = algorithm;\n\n return jwk;\n }\n}\n"],"names":["importSPKI","importPKCS8","fs","exportJWK"],"mappings":";;;;;AAiCA,MAAM,~~iBAAoB~~,~~GAAA~~,OAAA;AA6BnB,MAAM,~~cAAmC~~,~~CAAA~~;AAAA,EAC7B,QAAA;AAAA,EACA,SAAA;AAAA,EAET,YAAY,~~QAAqB~~,~~EAAA~~;AACvC,IAAI,~~IAAA,~~QAAA,CAAS,WAAW,~~CAAG~~,~~EAAA~~;AACzB,MAAM,~~MAAA,~~IAAI,MAAM,sCAAsC,CAAA;AAAA;~~AAGxD~~,IAAA,IAAA,CAAK,~~QAAW~~,~~GAAA~~,QAAA;AAChB,~~IAAK~~,IAAA,~~CAAA~~,SAAA,uBAAgB,~~IAAK~~,~~EAAA~~;AAAA;~~AAC5B~~,EAEA,aAAoB,WAAW,~~MAAyC~~,~~EAAA~~;AACtE,IAAA,MAAM,aAAa,~~MAChB~~,~~CAAA~~,cAAA,CAAe,2BAA2B,CAAA,CAC1C,IAAI,~~CAAK~~,CAAA,~~KAAA~~;AACR,MAAA,MAAM,~~eAAmC~~,~~GAAA~~;AAAA,QACvC,aAAA,EAAe,CAAE,~~CAAA,~~SAAA,CAAU,eAAe,CAAA;AAAA,QAC1C,cAAA,EAAgB,CAAE,~~CAAA,~~SAAA,CAAU,gBAAgB,CAAA;AAAA,QAC5C,KAAA,EAAO,CAAE,~~CAAA,~~SAAA,CAAU,OAAO,CAAA;AAAA,QAC1B,~~SAAW~~,~~EAAA~~,CAAA,CAAE,~~iBAAkB~~,~~CAAA~~,WAAW,~~CAAK~~,~~IAAA~~;AAAA,OACjD;AAEA,~~MAAO~~,~~OAAA~~,eAAA;AAAA,~~KACR~~,CAAA;AAEH,~~IAAM~~,~~MAAA~~,QAAA,GAAW,MAAM,~~OAAQ~~,~~CAAA~~,GAAA;AAAA,MAC7B,UAAA,CAAW,IAAI,OAAM,CAAA,KAAK,MAAM,~~IAAK~~,~~CAAA~~,WAAA,CAAY,CAAC,CAAC;AAAA,KACrD;AAEA,~~IAAO~~,~~OAAA~~,IAAI,eAAe,QAAQ,CAAA;AAAA;~~AACpC~~,EAEA,OAAO,~~IAA6B~~,~~EAAA~~;AAClC,~~IAAM~~,~~MAAA~~,IAAI,MAAM,yCAAyC,CAAA;AAAA;~~AAC3D~~,EAEA,~~QAA4C~~,~~GAAA~~;AAC1C,~~IAAM~~,~~MAAA~~,IAAA,GAAO,KAAK,~~QAAS~~,~~CAAA~~,GAAA,CAAI,OAAK,~~IAAK~~,~~CAAA~~,kBAAA,CAAmB,CAAC,CAAC,CAAA;AAC9D,IAAA,OAAO,~~OAAQ~~,~~CAAA~~,OAAA,CAAQ,EAAE,KAAA,EAAO,MAAM,CAAA;AAAA;~~AACxC~~,EAEA,cAAc,~~KAAoB~~,~~EAAA~~;AAChC,~~IAAM~~,~~MAAA~~,OAAA,GAAU,KAAK,~~QAAS~~,~~CAAA~~,IAAA,CAAK,OAAK,CAAE,~~CAAA,~~SAAA,CAAU,QAAQ,KAAK,CAAA;AACjE,IAAA,IAAI,YAAY,~~KAAW~~,~~CAAA,EAAA~~;AACzB,MAAA,MAAM,IAAI,KAAA,CAAM,~~CAAkC~~,+BAAA,~~EAAA~~,KAAK,CAAE,CAAA~~,CAAA~~;AAAA;~~AAG3D~~,IAAA,OAAO,~~OAAQ~~,~~CAAA~~,UAAA;AAAA;~~AACjB~~,EAEA,WAAW,~~KAAgC~~,~~EAAA~~;AACzC,~~IAAM~~,~~MAAA~~,IAAI,MAAM,8CAA8C,CAAA;AAAA;~~AAChE~~,EAEQ,mBAAmB,~~OAA6B~~,~~EAAA~~;AACtD,IAAA,MAAM,~~SAAY~~,~~GAAA~~;AAAA,MAChB,GAAG,~~OAAQ~~,~~CAAA~~,SAAA;AAAA,MACX,~~GAAK~~,~~EAAA~~;AAAA,KACP;AAEA,~~IAAO~~,~~OAAA~~;AAAA,MACL,~~GAAK~~,~~EAAA~~,SAAA;AAAA,MACL,WAAW,~~IAAK~~,~~CAAA~~;AAAA,KAClB;AAAA;~~AACF~~,EAEA,aAAqB,YAAY,~~OAA4C~~,~~EAAA~~;AAC3E,IAAA,MAAM,YAAY,~~OAAQ~~,~~CAAA~~,SAAA;AAC1B,IAAA,MAAM,QAAQ,~~OAAQ~~,~~CAAA~~,KAAA;AACtB,~~IAAM~~,~~MAAA~~,SAAA,GAAY,MAAM,~~IAAK~~,~~CAAA~~,qBAAA;AAAA,MAC3B,~~OAAQ~~,~~CAAA~~,aAAA;AAAA,MACR,KAAA;AAAA,MACA;AAAA,KACF;AACA,~~IAAM~~,~~MAAA~~,UAAA,GAAa,MAAM,~~IAAK~~,~~CAAA~~,sBAAA;AAAA,MAC5B,~~OAAQ~~,~~CAAA~~,cAAA;AAAA,MACR,KAAA;AAAA,MACA;AAAA,KACF;AAEA,~~IAAO~~,~~OAAA~~,EAAE,WAAW,~~UAAW~~,~~EAAA~~;AAAA;~~AACjC~~,EAEA,aAAqB,qBAAA,CACnB,~~IACA~~,~~EAAA~~,KAAA,EACA,~~SACc~~,~~EAAA~~;AACd,IAAA,OAAO,~~IAAK~~,~~CAAA~~,eAAA,CAAgB,~~IAAM~~,~~EAAA~~,KAAA,EAAO,WAAWA,eAAU,CAAA;AAAA;~~AAChE~~,EAEA,aAAqB,sBAAA,CACnB,~~IACA~~,~~EAAA~~,KAAA,EACA,~~SACc~~,~~EAAA~~;AACd,IAAA,OAAO,~~IAAK~~,~~CAAA~~,eAAA,CAAgB,~~IAAM~~,~~EAAA~~,KAAA,EAAO,WAAWC,gBAAW,CAAA;AAAA;~~AACjE~~,EAEA,aAAqB,eAAA,CACnB,~~IACA~~,~~EAAA~~,KAAA,EACA,WACA,~~QACc~~,~~EAAA~~;AACd,~~IAAM~~,~~MAAA~~,OAAA,GAAU,MAAMC,WAAA,CAAG,~~QAAS~~,~~CAAA~~,IAAA,EAAM,EAAE,~~QAAU~~,~~EAAA~~,MAAA,EAAQ,~~IAAM~~,~~EAAA~~,GAAA,EAAK,CAAA;AACvE,IAAA,MAAM,GAAM,~~GAAA,~~MAAM,~~QAAS~~,~~CAAA~~,OAAA,EAAS,SAAS,CAAA;AAC7C,~~IAAM~~,~~MAAA~~,GAAA,GAAM,MAAMC,cAAA,CAAU,GAAG,CAAA;AAC/B,IAAA,GAAA,CAAI,GAAM,~~GAAA,~~KAAA;AACV,IAAA,GAAA,CAAI,GAAM,~~GAAA,~~SAAA;AAEV,~~IAAO~~,~~OAAA~~,GAAA;AAAA;~~AAEX~~;;;;"}
1	+ {"version":3,"file":"StaticKeyStore.cjs.js","sources":["../../src/identity/StaticKeyStore.ts"],"sourcesContent":["/\n Copyright 2023 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\nimport { AnyJWK, KeyStore, StoredKey } from './types';\nimport { exportJWK, importPKCS8, importSPKI, JWK } from 'jose';\nimport { KeyLike } from 'jose';\nimport { promises as fs } from 'fs';\nimport { Config } from '@backstage/config';\n\nexport type KeyPair = {\n publicKey: JWK;\n privateKey: JWK;\n};\n\nexport type StaticKeyConfig = {\n publicKeyFile: string;\n privateKeyFile: string;\n keyId: string;\n algorithm: string;\n};\n\nconst DEFAULT_ALGORITHM = 'ES256';\n\n/\n Key store that loads predefined public/private key pairs from disk\n \n The private key should be represented using the PKCS#8 format,\n * while the public key should be in the SPKI format.\n \n @remarks\n \n You can generate a public and private key pair, using\n * openssl:\n \n Generate a private key using the ES256 algorithm\n * ```sh\n * openssl ecparam -name prime256v1 -genkey -out private.ec.key\n * ```\n * Convert it to PKCS#8 format\n * ```sh\n * openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in private.ec.key -out private.key\n * ```\n * Extract the public key\n * ```sh\n * openssl ec -inform PEM -outform PEM -pubout -in private.key -out public.key\n * ```\n \n Provide the paths to private.key and public.key as the respective\n * private and public key paths in the StaticKeyStore.create(...) method.\n */\nexport class StaticKeyStore implements KeyStore {\n private readonly keyPairs: KeyPair[];\n private readonly createdAt: Date;\n\n private constructor(keyPairs: KeyPair[]) {\n if (keyPairs.length === 0) {\n throw new Error('Should provide at least one key pair');\n }\n\n this.keyPairs = keyPairs;\n this.createdAt = new Date();\n }\n\n public static async fromConfig(config: Config): Promise<StaticKeyStore> {\n const keyConfigs = config\n .getConfigArray('auth.keyStore.static.keys')\n .map(c => {\n const staticKeyConfig: StaticKeyConfig = {\n publicKeyFile: c.getString('publicKeyFile'),\n privateKeyFile: c.getString('privateKeyFile'),\n keyId: c.getString('keyId'),\n algorithm: c.getOptionalString('algorithm') ?? DEFAULT_ALGORITHM,\n };\n\n return staticKeyConfig;\n });\n\n const keyPairs = await Promise.all(\n keyConfigs.map(async k => await this.loadKeyPair(k)),\n );\n\n return new StaticKeyStore(keyPairs);\n }\n\n addKey(_key: AnyJWK): Promise<void> {\n throw new Error('Cannot add keys to the static key store');\n }\n\n listKeys(): Promise<{ items: StoredKey[] }> {\n const keys = this.keyPairs.map(k => this.keyPairToStoredKey(k));\n return Promise.resolve({ items: keys });\n }\n\n getPrivateKey(keyId: string): JWK {\n const keyPair = this.keyPairs.find(k => k.publicKey.kid === keyId);\n if (keyPair === undefined) {\n throw new Error(`Could not find key with keyId: ${keyId}`);\n }\n\n return keyPair.privateKey;\n }\n\n removeKeys(_kids: string[]): Promise<void> {\n throw new Error('Cannot remove keys from the static key store');\n }\n\n private keyPairToStoredKey(keyPair: KeyPair): StoredKey {\n const publicKey = {\n ...keyPair.publicKey,\n use: 'sig',\n };\n\n return {\n key: publicKey as AnyJWK,\n createdAt: this.createdAt,\n };\n }\n\n private static async loadKeyPair(options: StaticKeyConfig): Promise<KeyPair> {\n const algorithm = options.algorithm;\n const keyId = options.keyId;\n const publicKey = await this.loadPublicKeyFromFile(\n options.publicKeyFile,\n keyId,\n algorithm,\n );\n const privateKey = await this.loadPrivateKeyFromFile(\n options.privateKeyFile,\n keyId,\n algorithm,\n );\n\n return { publicKey, privateKey };\n }\n\n private static async loadPublicKeyFromFile(\n path: string,\n keyId: string,\n algorithm: string,\n ): Promise<JWK> {\n return this.loadKeyFromFile(path, keyId, algorithm, importSPKI);\n }\n\n private static async loadPrivateKeyFromFile(\n path: string,\n keyId: string,\n algorithm: string,\n ): Promise<JWK> {\n return this.loadKeyFromFile(path, keyId, algorithm, importPKCS8);\n }\n\n private static async loadKeyFromFile(\n path: string,\n keyId: string,\n algorithm: string,\n importer: (content: string, algorithm: string) => Promise<KeyLike>,\n ): Promise<JWK> {\n const content = await fs.readFile(path, { encoding: 'utf8', flag: 'r' });\n const key = await importer(content, algorithm);\n const jwk = await exportJWK(key);\n jwk.kid = keyId;\n jwk.alg = algorithm;\n\n return jwk;\n }\n}\n"],"names":["importSPKI","importPKCS8","fs","exportJWK"],"mappings":";;;;;AAiCA,MAAM,iBAAA,GAAoB,OAAA;AA6BnB,MAAM,cAAA,CAAmC;AAAA,EAC7B,QAAA;AAAA,EACA,SAAA;AAAA,EAET,YAAY,QAAA,EAAqB;AACvC,IAAA,IAAI,QAAA,CAAS,WAAW,CAAA,EAAG;AACzB,MAAA,MAAM,IAAI,MAAM,sCAAsC,CAAA;AAAA,IACxD;AAEA,IAAA,IAAA,CAAK,QAAA,GAAW,QAAA;AAChB,IAAA,IAAA,CAAK,SAAA,uBAAgB,IAAA,EAAK;AAAA,EAC5B;AAAA,EAEA,aAAoB,WAAW,MAAA,EAAyC;AACtE,IAAA,MAAM,aAAa,MAAA,CAChB,cAAA,CAAe,2BAA2B,CAAA,CAC1C,IAAI,CAAA,CAAA,KAAK;AACR,MAAA,MAAM,eAAA,GAAmC;AAAA,QACvC,aAAA,EAAe,CAAA,CAAE,SAAA,CAAU,eAAe,CAAA;AAAA,QAC1C,cAAA,EAAgB,CAAA,CAAE,SAAA,CAAU,gBAAgB,CAAA;AAAA,QAC5C,KAAA,EAAO,CAAA,CAAE,SAAA,CAAU,OAAO,CAAA;AAAA,QAC1B,SAAA,EAAW,CAAA,CAAE,iBAAA,CAAkB,WAAW,CAAA,IAAK;AAAA,OACjD;AAEA,MAAA,OAAO,eAAA;AAAA,IACT,CAAC,CAAA;AAEH,IAAA,MAAM,QAAA,GAAW,MAAM,OAAA,CAAQ,GAAA;AAAA,MAC7B,UAAA,CAAW,IAAI,OAAM,CAAA,KAAK,MAAM,IAAA,CAAK,WAAA,CAAY,CAAC,CAAC;AAAA,KACrD;AAEA,IAAA,OAAO,IAAI,eAAe,QAAQ,CAAA;AAAA,EACpC;AAAA,EAEA,OAAO,IAAA,EAA6B;AAClC,IAAA,MAAM,IAAI,MAAM,yCAAyC,CAAA;AAAA,EAC3D;AAAA,EAEA,QAAA,GAA4C;AAC1C,IAAA,MAAM,IAAA,GAAO,KAAK,QAAA,CAAS,GAAA,CAAI,OAAK,IAAA,CAAK,kBAAA,CAAmB,CAAC,CAAC,CAAA;AAC9D,IAAA,OAAO,OAAA,CAAQ,OAAA,CAAQ,EAAE,KAAA,EAAO,MAAM,CAAA;AAAA,EACxC;AAAA,EAEA,cAAc,KAAA,EAAoB;AAChC,IAAA,MAAM,OAAA,GAAU,KAAK,QAAA,CAAS,IAAA,CAAK,OAAK,CAAA,CAAE,SAAA,CAAU,QAAQ,KAAK,CAAA;AACjE,IAAA,IAAI,YAAY,MAAA,EAAW;AACzB,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,+BAAA,EAAkC,KAAK,CAAA,CAAE,CAAA;AAAA,IAC3D;AAEA,IAAA,OAAO,OAAA,CAAQ,UAAA;AAAA,EACjB;AAAA,EAEA,WAAW,KAAA,EAAgC;AACzC,IAAA,MAAM,IAAI,MAAM,8CAA8C,CAAA;AAAA,EAChE;AAAA,EAEQ,mBAAmB,OAAA,EAA6B;AACtD,IAAA,MAAM,SAAA,GAAY;AAAA,MAChB,GAAG,OAAA,CAAQ,SAAA;AAAA,MACX,GAAA,EAAK;AAAA,KACP;AAEA,IAAA,OAAO;AAAA,MACL,GAAA,EAAK,SAAA;AAAA,MACL,WAAW,IAAA,CAAK;AAAA,KAClB;AAAA,EACF;AAAA,EAEA,aAAqB,YAAY,OAAA,EAA4C;AAC3E,IAAA,MAAM,YAAY,OAAA,CAAQ,SAAA;AAC1B,IAAA,MAAM,QAAQ,OAAA,CAAQ,KAAA;AACtB,IAAA,MAAM,SAAA,GAAY,MAAM,IAAA,CAAK,qBAAA;AAAA,MAC3B,OAAA,CAAQ,aAAA;AAAA,MACR,KAAA;AAAA,MACA;AAAA,KACF;AACA,IAAA,MAAM,UAAA,GAAa,MAAM,IAAA,CAAK,sBAAA;AAAA,MAC5B,OAAA,CAAQ,cAAA;AAAA,MACR,KAAA;AAAA,MACA;AAAA,KACF;AAEA,IAAA,OAAO,EAAE,WAAW,UAAA,EAAW;AAAA,EACjC;AAAA,EAEA,aAAqB,qBAAA,CACnB,IAAA,EACA,KAAA,EACA,SAAA,EACc;AACd,IAAA,OAAO,IAAA,CAAK,eAAA,CAAgB,IAAA,EAAM,KAAA,EAAO,WAAWA,eAAU,CAAA;AAAA,EAChE;AAAA,EAEA,aAAqB,sBAAA,CACnB,IAAA,EACA,KAAA,EACA,SAAA,EACc;AACd,IAAA,OAAO,IAAA,CAAK,eAAA,CAAgB,IAAA,EAAM,KAAA,EAAO,WAAWC,gBAAW,CAAA;AAAA,EACjE;AAAA,EAEA,aAAqB,eAAA,CACnB,IAAA,EACA,KAAA,EACA,WACA,QAAA,EACc;AACd,IAAA,MAAM,OAAA,GAAU,MAAMC,WAAA,CAAG,QAAA,CAAS,IAAA,EAAM,EAAE,QAAA,EAAU,MAAA,EAAQ,IAAA,EAAM,GAAA,EAAK,CAAA;AACvE,IAAA,MAAM,GAAA,GAAM,MAAM,QAAA,CAAS,OAAA,EAAS,SAAS,CAAA;AAC7C,IAAA,MAAM,GAAA,GAAM,MAAMC,cAAA,CAAU,GAAG,CAAA;AAC/B,IAAA,GAAA,CAAI,GAAA,GAAM,KAAA;AACV,IAAA,GAAA,CAAI,GAAA,GAAM,SAAA;AAEV,IAAA,OAAO,GAAA;AAAA,EACT;AACF;;;;"}

package/dist/identity/StaticTokenIssuer.cjs.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"StaticTokenIssuer.cjs.js","sources":["../../src/identity/StaticTokenIssuer.ts"],"sourcesContent":["/\n Copyright 2023 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { AnyJWK, TokenIssuer } from './types';\nimport { JWK } from 'jose';\nimport { LoggerService } from '@backstage/backend-plugin-api';\nimport { StaticKeyStore } from './StaticKeyStore';\nimport {\n BackstageSignInResult,\n TokenParams,\n} from '@backstage/plugin-auth-node';\nimport { issueUserToken } from './issueUserToken';\n\nexport type Config = {\n publicKeyFile: string;\n privateKeyFile: string;\n keyId: string;\n algorithm?: string;\n};\n\nexport type Options = {\n logger: LoggerService;\n /* Value of the issuer claim in issued tokens /\n issuer: string;\n /* Expiration time of the JWT in seconds /\n sessionExpirationSeconds: number;\n /\n A list of claims to omit from issued tokens and only store in the user info database\n /\n omitClaimsFromToken?: string[];\n};\n\n/\n A token issuer that issues tokens from predefined\n * public/private key pair stored in the static key store.\n */\nexport class StaticTokenIssuer implements TokenIssuer {\n private readonly issuer: string;\n private readonly logger: LoggerService;\n private readonly keyStore: StaticKeyStore;\n private readonly sessionExpirationSeconds: number;\n private readonly omitClaimsFromToken?: string[];\n\n public constructor(options: Options, keyStore: StaticKeyStore) {\n this.issuer = options.issuer;\n this.logger = options.logger;\n this.sessionExpirationSeconds = options.sessionExpirationSeconds;\n this.keyStore = keyStore;\n this.omitClaimsFromToken = options.omitClaimsFromToken;\n }\n\n public async issueToken(\n params: TokenParams & { claims: { ent: string[] } },\n ): Promise<BackstageSignInResult> {\n const key = await this.getSigningKey();\n\n return issueUserToken({\n issuer: this.issuer,\n key,\n keyDurationSeconds: this.sessionExpirationSeconds,\n logger: this.logger,\n omitClaimsFromToken: this.omitClaimsFromToken,\n params,\n });\n }\n\n private async getSigningKey(): Promise<JWK> {\n const { items: keys } = await this.keyStore.listKeys();\n if (keys.length >= 1) {\n return this.keyStore.getPrivateKey(keys[0].key.kid);\n }\n throw new Error('Keystore should hold at least 1 key');\n }\n\n public async listPublicKeys(): Promise<{ keys: AnyJWK[] }> {\n const { items: keys } = await this.keyStore.listKeys();\n return { keys: keys.map(({ key }) => key) };\n }\n}\n"],"names":["issueUserToken"],"mappings":";;;;AAiDO,MAAM,~~iBAAyC~~,~~CAAA~~;AAAA,EACnC,MAAA;AAAA,EACA,MAAA;AAAA,EACA,QAAA;AAAA,EACA,wBAAA;AAAA,EACA,mBAAA;AAAA,EAEV,WAAA,CAAY,SAAkB,~~QAA0B~~,~~EAAA~~;AAC7D,IAAA,IAAA,CAAK,SAAS,~~OAAQ~~,~~CAAA~~,MAAA;AACtB,IAAA,IAAA,CAAK,SAAS,~~OAAQ~~,~~CAAA~~,MAAA;AACtB,IAAA,IAAA,CAAK,2BAA2B,~~OAAQ~~,~~CAAA~~,wBAAA;AACxC,IAAA,IAAA,CAAK,~~QAAW~~,~~GAAA~~,QAAA;AAChB,IAAA,IAAA,CAAK,sBAAsB,~~OAAQ~~,~~CAAA~~,mBAAA;AAAA;~~AACrC~~,EAEA,MAAa,WACX,~~MACgC~~,~~EAAA~~;AAChC,~~IAAM~~,~~MAAA~~,GAAA,GAAM,MAAM,IAAA,CAAK,~~aAAc~~,~~EAAA~~;AAErC,IAAA,OAAOA,~~6BAAe~~,~~CAAA~~;AAAA,MACpB,QAAQ,~~IAAK~~,~~CAAA~~,MAAA;AAAA,MACb,GAAA;AAAA,MACA,oBAAoB,~~IAAK~~,~~CAAA~~,wBAAA;AAAA,MACzB,QAAQ,~~IAAK~~,~~CAAA~~,MAAA;AAAA,MACb,qBAAqB,~~IAAK~~,~~CAAA~~,mBAAA;AAAA,MAC1B;AAAA,KACD,CAAA;AAAA;~~AACH~~,EAEA,MAAc,~~aAA8B~~,~~GAAA~~;AAC1C,IAAA,MAAM,EAAE,~~KAAO~~,~~EAAA~~,IAAA,KAAS,MAAM,IAAA,CAAK,SAAS,~~QAAS~~,~~EAAA~~;AACrD,IAAI,IAAA,~~IAAA,~~CAAK,UAAU,~~CAAG~~,~~EAAA~~;AACpB,MAAA,OAAO,KAAK,~~QAAS~~,~~CAAA~~,aAAA,CAAc,KAAK,CAAC,CAAA,CAAE,IAAI,GAAG,CAAA;AAAA;~~AAEpD~~,~~IAAM~~,~~MAAA~~,IAAI,MAAM,qCAAqC,CAAA;AAAA;~~AACvD~~,EAEA,MAAa,~~cAA8C~~,~~GAAA~~;AACzD,IAAA,MAAM,EAAE,~~KAAO~~,~~EAAA~~,IAAA,KAAS,MAAM,IAAA,CAAK,SAAS,~~QAAS~~,~~EAAA~~;AACrD,~~IAAO~~,~~OAAA~~,EAAE,MAAM,~~IAAK~~,~~CAAA~~,GAAA,CAAI,CAAC,EAAE,GAAA,~~EAAU~~,~~KAAA~~,GAAG,~~CAAE~~,~~EAAA~~;AAAA;~~AAE9C~~;;;;"}
1	+ {"version":3,"file":"StaticTokenIssuer.cjs.js","sources":["../../src/identity/StaticTokenIssuer.ts"],"sourcesContent":["/\n Copyright 2023 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { AnyJWK, TokenIssuer } from './types';\nimport { JWK } from 'jose';\nimport { LoggerService } from '@backstage/backend-plugin-api';\nimport { StaticKeyStore } from './StaticKeyStore';\nimport {\n BackstageSignInResult,\n TokenParams,\n} from '@backstage/plugin-auth-node';\nimport { issueUserToken } from './issueUserToken';\n\nexport type Config = {\n publicKeyFile: string;\n privateKeyFile: string;\n keyId: string;\n algorithm?: string;\n};\n\nexport type Options = {\n logger: LoggerService;\n /* Value of the issuer claim in issued tokens /\n issuer: string;\n /* Expiration time of the JWT in seconds /\n sessionExpirationSeconds: number;\n /\n A list of claims to omit from issued tokens and only store in the user info database\n /\n omitClaimsFromToken?: string[];\n};\n\n/\n A token issuer that issues tokens from predefined\n * public/private key pair stored in the static key store.\n */\nexport class StaticTokenIssuer implements TokenIssuer {\n private readonly issuer: string;\n private readonly logger: LoggerService;\n private readonly keyStore: StaticKeyStore;\n private readonly sessionExpirationSeconds: number;\n private readonly omitClaimsFromToken?: string[];\n\n public constructor(options: Options, keyStore: StaticKeyStore) {\n this.issuer = options.issuer;\n this.logger = options.logger;\n this.sessionExpirationSeconds = options.sessionExpirationSeconds;\n this.keyStore = keyStore;\n this.omitClaimsFromToken = options.omitClaimsFromToken;\n }\n\n public async issueToken(\n params: TokenParams & { claims: { ent: string[] } },\n ): Promise<BackstageSignInResult> {\n const key = await this.getSigningKey();\n\n return issueUserToken({\n issuer: this.issuer,\n key,\n keyDurationSeconds: this.sessionExpirationSeconds,\n logger: this.logger,\n omitClaimsFromToken: this.omitClaimsFromToken,\n params,\n });\n }\n\n private async getSigningKey(): Promise<JWK> {\n const { items: keys } = await this.keyStore.listKeys();\n if (keys.length >= 1) {\n return this.keyStore.getPrivateKey(keys[0].key.kid);\n }\n throw new Error('Keystore should hold at least 1 key');\n }\n\n public async listPublicKeys(): Promise<{ keys: AnyJWK[] }> {\n const { items: keys } = await this.keyStore.listKeys();\n return { keys: keys.map(({ key }) => key) };\n }\n}\n"],"names":["issueUserToken"],"mappings":";;;;AAiDO,MAAM,iBAAA,CAAyC;AAAA,EACnC,MAAA;AAAA,EACA,MAAA;AAAA,EACA,QAAA;AAAA,EACA,wBAAA;AAAA,EACA,mBAAA;AAAA,EAEV,WAAA,CAAY,SAAkB,QAAA,EAA0B;AAC7D,IAAA,IAAA,CAAK,SAAS,OAAA,CAAQ,MAAA;AACtB,IAAA,IAAA,CAAK,SAAS,OAAA,CAAQ,MAAA;AACtB,IAAA,IAAA,CAAK,2BAA2B,OAAA,CAAQ,wBAAA;AACxC,IAAA,IAAA,CAAK,QAAA,GAAW,QAAA;AAChB,IAAA,IAAA,CAAK,sBAAsB,OAAA,CAAQ,mBAAA;AAAA,EACrC;AAAA,EAEA,MAAa,WACX,MAAA,EACgC;AAChC,IAAA,MAAM,GAAA,GAAM,MAAM,IAAA,CAAK,aAAA,EAAc;AAErC,IAAA,OAAOA,6BAAA,CAAe;AAAA,MACpB,QAAQ,IAAA,CAAK,MAAA;AAAA,MACb,GAAA;AAAA,MACA,oBAAoB,IAAA,CAAK,wBAAA;AAAA,MACzB,QAAQ,IAAA,CAAK,MAAA;AAAA,MACb,qBAAqB,IAAA,CAAK,mBAAA;AAAA,MAC1B;AAAA,KACD,CAAA;AAAA,EACH;AAAA,EAEA,MAAc,aAAA,GAA8B;AAC1C,IAAA,MAAM,EAAE,KAAA,EAAO,IAAA,KAAS,MAAM,IAAA,CAAK,SAAS,QAAA,EAAS;AACrD,IAAA,IAAI,IAAA,CAAK,UAAU,CAAA,EAAG;AACpB,MAAA,OAAO,KAAK,QAAA,CAAS,aAAA,CAAc,KAAK,CAAC,CAAA,CAAE,IAAI,GAAG,CAAA;AAAA,IACpD;AACA,IAAA,MAAM,IAAI,MAAM,qCAAqC,CAAA;AAAA,EACvD;AAAA,EAEA,MAAa,cAAA,GAA8C;AACzD,IAAA,MAAM,EAAE,KAAA,EAAO,IAAA,KAAS,MAAM,IAAA,CAAK,SAAS,QAAA,EAAS;AACrD,IAAA,OAAO,EAAE,MAAM,IAAA,CAAK,GAAA,CAAI,CAAC,EAAE,GAAA,EAAI,KAAM,GAAG,CAAA,EAAE;AAAA,EAC5C;AACF;;;;"}

package/dist/identity/TokenFactory.cjs.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"TokenFactory.cjs.js","sources":["../../src/identity/TokenFactory.ts"],"sourcesContent":["/\n Copyright 2020 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { exportJWK, generateKeyPair, JWK } from 'jose';\nimport { DateTime } from 'luxon';\nimport { v4 as uuid } from 'uuid';\nimport { LoggerService } from '@backstage/backend-plugin-api';\nimport {\n BackstageSignInResult,\n TokenParams,\n tokenTypes,\n} from '@backstage/plugin-auth-node';\nimport { AnyJWK, KeyStore, TokenIssuer } from './types';\nimport { JsonValue } from '@backstage/types';\nimport { issueUserToken } from './issueUserToken';\n\n/\n The payload contents of a valid Backstage JWT token\n /\nexport interface BackstageTokenPayload {\n /\n The issuer of the token, currently the discovery URL of the auth backend\n /\n iss: string;\n\n /\n The entity ref of the user\n /\n sub: string;\n\n /\n The entity refs that the user claims ownership through\n /\n ent: string[];\n\n /\n A hard coded audience string\n /\n aud: typeof tokenTypes.user.audClaim;\n\n /\n Standard expiry in epoch seconds\n /\n exp: number;\n\n /\n Standard issue time in epoch seconds\n /\n iat: number;\n\n /\n A separate user identity proof that the auth service can convert to a limited user token\n /\n uip: string;\n\n /\n Any other custom claims that the adopter may have added\n /\n [claim: string]: JsonValue;\n}\n\ntype Options = {\n logger: LoggerService;\n /* Value of the issuer claim in issued tokens /\n issuer: string;\n /* Key store used for storing signing keys /\n keyStore: KeyStore;\n /* Expiration time of signing keys in seconds /\n keyDurationSeconds: number;\n /* JWS \"alg\" (Algorithm) Header Parameter value. Defaults to ES256.\n * Must match one of the algorithms defined for IdentityClient.\n * When setting a different algorithm, check if the `key` field\n * of the `signing_keys` table can fit the length of the generated keys.\n * If not, add a knex migration file in the migrations folder.\n * More info on supported algorithms: https://github.com/panva/jose /\n algorithm?: string;\n /\n A list of claims to omit from issued tokens and only store in the user info database\n /\n omitClaimsFromToken?: string[];\n};\n\n/\n A token issuer that is able to issue tokens in a distributed system\n * backed by a single database. Tokens are issued using lazily generated\n * signing keys, where each running instance of the auth service uses its own\n * signing key.\n \n The public parts of the keys are all stored in the shared key storage,\n * and any of the instances of the auth service will return the full list\n * of public keys that are currently in storage.\n \n Signing keys are automatically rotated at the same interval as the token\n * duration. Expired keys are kept in storage until there are no valid tokens\n * in circulation that could have been signed by that key.\n /\nexport class TokenFactory implements TokenIssuer {\n private readonly issuer: string;\n private readonly logger: LoggerService;\n private readonly keyStore: KeyStore;\n private readonly keyDurationSeconds: number;\n private readonly algorithm: string;\n private readonly omitClaimsFromToken?: string[];\n\n private keyExpiry?: Date;\n private privateKeyPromise?: Promise<JWK>;\n\n constructor(options: Options) {\n this.issuer = options.issuer;\n this.logger = options.logger;\n this.keyStore = options.keyStore;\n this.keyDurationSeconds = options.keyDurationSeconds;\n this.algorithm = options.algorithm ?? 'ES256';\n this.omitClaimsFromToken = options.omitClaimsFromToken;\n }\n\n async issueToken(\n params: TokenParams & { claims: { ent: string[] } },\n ): Promise<BackstageSignInResult> {\n const key = await this.getKey();\n\n return issueUserToken({\n issuer: this.issuer,\n key,\n keyDurationSeconds: this.keyDurationSeconds,\n logger: this.logger,\n omitClaimsFromToken: this.omitClaimsFromToken,\n params,\n });\n }\n\n // This will be called by other services that want to verify ID tokens.\n // It is important that it returns a list of all public keys that could\n // have been used to sign tokens that have not yet expired.\n async listPublicKeys(): Promise<{ keys: AnyJWK[] }> {\n const { items: keys } = await this.keyStore.listKeys();\n\n const validKeys = [];\n const expiredKeys = [];\n\n for (const key of keys) {\n // Allow for a grace period of another full key duration before we remove the keys from the database\n const expireAt = DateTime.fromJSDate(key.createdAt).plus({\n seconds: 3 this.keyDurationSeconds,\n });\n if (expireAt < DateTime.local()) {\n expiredKeys.push(key);\n } else {\n validKeys.push(key);\n }\n }\n\n // Lazily prune expired keys. This may cause duplicate removals if we have concurrent callers, but w/e\n if (expiredKeys.length > 0) {\n const kids = expiredKeys.map(({ key }) => key.kid);\n\n this.logger.info(`Removing expired signing keys, '${kids.join(\"', '\")}'`);\n\n // We don't await this, just let it run in the background\n this.keyStore.removeKeys(kids).catch(error => {\n this.logger.error(`Failed to remove expired keys, ${error}`);\n });\n }\n\n // NOTE: we're currently only storing public keys, but if we start storing private keys we'd have to convert here\n return { keys: validKeys.map(({ key }) => key) };\n }\n\n private async getKey(): Promise<JWK> {\n // Make sure that we only generate one key at a time\n if (this.privateKeyPromise) {\n if (\n this.keyExpiry &&\n DateTime.fromJSDate(this.keyExpiry) > DateTime.local()\n ) {\n return this.privateKeyPromise;\n }\n this.logger.info(`Signing key has expired, generating new key`);\n delete this.privateKeyPromise;\n }\n\n this.keyExpiry = DateTime.utc()\n .plus({\n seconds: this.keyDurationSeconds,\n })\n .toJSDate();\n const promise = (async () => {\n // This generates a new signing key to be used to sign tokens until the next key rotation\n const key = await generateKeyPair(this.algorithm);\n const publicKey = await exportJWK(key.publicKey);\n const privateKey = await exportJWK(key.privateKey);\n publicKey.kid = privateKey.kid = uuid();\n publicKey.alg = privateKey.alg = this.algorithm;\n\n // We're not allowed to use the key until it has been successfully stored\n // TODO: some token verification implementations aggressively cache the list of keys, and\n // don't attempt to fetch new ones even if they encounter an unknown kid. Therefore we\n // may want to keep using the existing key for some period of time until we switch to\n // the new one. This also needs to be implemented cross-service though, meaning new services\n // that boot up need to be able to grab an existing key to use for signing.\n this.logger.info(`Created new signing key ${publicKey.kid}`);\n await this.keyStore.addKey(publicKey as AnyJWK);\n\n // At this point we are allowed to start using the new key\n return privateKey;\n })();\n\n this.privateKeyPromise = promise;\n\n try {\n // If we fail to generate a new key, we need to clear the state so that\n // the next caller will try to generate another key.\n await promise;\n } catch (error) {\n this.logger.error(`Failed to generate new signing key, ${error}`);\n delete this.keyExpiry;\n delete this.privateKeyPromise;\n }\n\n return promise;\n }\n}\n"],"names":["issueUserToken","DateTime","generateKeyPair","exportJWK","uuid"],"mappings":";;;;;;;AA6GO,MAAM,YAAoC,CAAA;AAAA,EAC9B,MAAA;AAAA,EACA,MAAA;AAAA,EACA,QAAA;AAAA,EACA,kBAAA;AAAA,EACA,SAAA;AAAA,EACA,mBAAA;AAAA,EAET,SAAA;AAAA,EACA,iBAAA;AAAA,EAER,YAAY,OAAkB,EAAA;AAC5B,IAAA,IAAA,CAAK,SAAS,OAAQ,CAAA,MAAA;AACtB,IAAA,IAAA,CAAK,SAAS,OAAQ,CAAA,MAAA;AACtB,IAAA,IAAA,CAAK,WAAW,OAAQ,CAAA,QAAA;AACxB,IAAA,IAAA,CAAK,qBAAqB,OAAQ,CAAA,kBAAA;AAClC,IAAK,IAAA,CAAA,SAAA,GAAY,QAAQ,SAAa,IAAA,OAAA;AACtC,IAAA,IAAA,CAAK,sBAAsB,OAAQ,CAAA,mBAAA;AAAA;AACrC,EAEA,MAAM,WACJ,MACgC,EAAA;AAChC,IAAM,MAAA,GAAA,GAAM,MAAM,IAAA,CAAK,MAAO,EAAA;AAE9B,IAAA,OAAOA,6BAAe,CAAA;AAAA,MACpB,QAAQ,IAAK,CAAA,MAAA;AAAA,MACb,GAAA;AAAA,MACA,oBAAoB,IAAK,CAAA,kBAAA;AAAA,MACzB,QAAQ,IAAK,CAAA,MAAA;AAAA,MACb,qBAAqB,IAAK,CAAA,mBAAA;AAAA,MAC1B;AAAA,KACD,CAAA;AAAA;AACH;AAAA;AAAA;AAAA,EAKA,MAAM,cAA8C,GAAA;AAClD,IAAA,MAAM,EAAE,KAAO,EAAA,IAAA,KAAS,MAAM,IAAA,CAAK,SAAS,QAAS,EAAA;AAErD,IAAA,MAAM,YAAY,EAAC;AACnB,IAAA,MAAM,cAAc,EAAC;AAErB,IAAA,KAAA,MAAW,OAAO,IAAM,EAAA;AAEtB,MAAA,MAAM,WAAWC,cAAS,CAAA,UAAA,CAAW,GAAI,CAAA,SAAS,EAAE,IAAK,CAAA;AAAA,QACvD,OAAA,EAAS,IAAI,IAAK,CAAA;AAAA,OACnB,CAAA;AACD,MAAI,IAAA,QAAA,GAAWA,cAAS,CAAA,KAAA,EAAS,EAAA;AAC/B,QAAA,WAAA,CAAY,KAAK,GAAG,CAAA;AAAA,OACf,MAAA;AACL,QAAA,SAAA,CAAU,KAAK,GAAG,CAAA;AAAA;AACpB;AAIF,IAAI,IAAA,WAAA,CAAY,SAAS,CAAG,EAAA;AAC1B,MAAM,MAAA,IAAA,GAAO,YAAY,GAAI,CAAA,CAAC,EAAE,GAAI,EAAA,KAAM,IAAI,GAAG,CAAA;AAEjD,MAAA,IAAA,CAAK,OAAO,IAAK,CAAA,CAAA,gCAAA,EAAmC,KAAK,IAAK,CAAA,MAAM,CAAC,CAAG,CAAA,CAAA,CAAA;AAGxE,MAAA,IAAA,CAAK,QAAS,CAAA,UAAA,CAAW,IAAI,CAAA,CAAE,MAAM,CAAS,KAAA,KAAA;AAC5C,QAAA,IAAA,CAAK,MAAO,CAAA,KAAA,CAAM,CAAkC,+BAAA,EAAA,KAAK,CAAE,CAAA,CAAA;AAAA,OAC5D,CAAA;AAAA;AAIH,IAAO,OAAA,EAAE,MAAM,SAAU,CAAA,GAAA,CAAI,CAAC,EAAE,GAAA,EAAU,KAAA,GAAG,CAAE,EAAA;AAAA;AACjD,EAEA,MAAc,MAAuB,GAAA;AAEnC,IAAA,IAAI,KAAK,iBAAmB,EAAA;AAC1B,MACE,IAAA,IAAA,CAAK,aACLA,cAAS,CAAA,UAAA,CAAW,KAAK,SAAS,CAAA,GAAIA,cAAS,CAAA,KAAA,EAC/C,EAAA;AACA,QAAA,OAAO,IAAK,CAAA,iBAAA;AAAA;AAEd,MAAK,IAAA,CAAA,MAAA,CAAO,KAAK,CAA6C,2CAAA,CAAA,CAAA;AAC9D,MAAA,OAAO,IAAK,CAAA,iBAAA;AAAA;AAGd,IAAA,IAAA,CAAK,SAAY,GAAAA,cAAA,CAAS,GAAI,EAAA,CAC3B,IAAK,CAAA;AAAA,MACJ,SAAS,IAAK,CAAA;AAAA,KACf,EACA,QAAS,EAAA;AACZ,IAAA,MAAM,WAAW,YAAY;AAE3B,MAAA,MAAM,GAAM,GAAA,MAAMC,oBAAgB,CAAA,IAAA,CAAK,SAAS,CAAA;AAChD,MAAA,MAAM,SAAY,GAAA,MAAMC,cAAU,CAAA,GAAA,CAAI,SAAS,CAAA;AAC/C,MAAA,MAAM,UAAa,GAAA,MAAMA,cAAU,CAAA,GAAA,CAAI,UAAU,CAAA;AACjD,MAAU,SAAA,CAAA,GAAA,GAAM,UAAW,CAAA,GAAA,GAAMC,OAAK,EAAA;AACtC,MAAU,SAAA,CAAA,GAAA,GAAM,UAAW,CAAA,GAAA,GAAM,IAAK,CAAA,SAAA;AAQtC,MAAA,IAAA,CAAK,MAAO,CAAA,IAAA,CAAK,CAA2B,wBAAA,EAAA,SAAA,CAAU,GAAG,CAAE,CAAA,CAAA;AAC3D,MAAM,MAAA,IAAA,CAAK,QAAS,CAAA,MAAA,CAAO,SAAmB,CAAA;AAG9C,MAAO,OAAA,UAAA;AAAA,KACN,GAAA;AAEH,IAAA,IAAA,CAAK,iBAAoB,GAAA,OAAA;AAEzB,IAAI,IAAA;AAGF,MAAM,MAAA,OAAA;AAAA,aACC,KAAO,EAAA;AACd,MAAA,IAAA,CAAK,MAAO,CAAA,KAAA,CAAM,CAAuC,oCAAA,EAAA,KAAK,CAAE,CAAA,CAAA;AAChE,MAAA,OAAO,IAAK,CAAA,SAAA;AACZ,MAAA,OAAO,IAAK,CAAA,iBAAA;AAAA;AAGd,IAAO,OAAA,OAAA;AAAA;AAEX;;;;"}
1	+ {"version":3,"file":"TokenFactory.cjs.js","sources":["../../src/identity/TokenFactory.ts"],"sourcesContent":["/\n Copyright 2020 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { exportJWK, generateKeyPair, JWK } from 'jose';\nimport { DateTime } from 'luxon';\nimport { v4 as uuid } from 'uuid';\nimport { LoggerService } from '@backstage/backend-plugin-api';\nimport {\n BackstageSignInResult,\n TokenParams,\n tokenTypes,\n} from '@backstage/plugin-auth-node';\nimport { AnyJWK, KeyStore, TokenIssuer } from './types';\nimport { JsonValue } from '@backstage/types';\nimport { issueUserToken } from './issueUserToken';\n\n/\n The payload contents of a valid Backstage JWT token\n /\nexport interface BackstageTokenPayload {\n /\n The issuer of the token, currently the discovery URL of the auth backend\n /\n iss: string;\n\n /\n The entity ref of the user\n /\n sub: string;\n\n /\n The entity refs that the user claims ownership through\n /\n ent: string[];\n\n /\n A hard coded audience string\n /\n aud: typeof tokenTypes.user.audClaim;\n\n /\n Standard expiry in epoch seconds\n /\n exp: number;\n\n /\n Standard issue time in epoch seconds\n /\n iat: number;\n\n /\n A separate user identity proof that the auth service can convert to a limited user token\n /\n uip: string;\n\n /\n Any other custom claims that the adopter may have added\n /\n [claim: string]: JsonValue;\n}\n\ntype Options = {\n logger: LoggerService;\n /* Value of the issuer claim in issued tokens /\n issuer: string;\n /* Key store used for storing signing keys /\n keyStore: KeyStore;\n /* Expiration time of signing keys in seconds /\n keyDurationSeconds: number;\n /* JWS \"alg\" (Algorithm) Header Parameter value. Defaults to ES256.\n * Must match one of the algorithms defined for IdentityClient.\n * When setting a different algorithm, check if the `key` field\n * of the `signing_keys` table can fit the length of the generated keys.\n * If not, add a knex migration file in the migrations folder.\n * More info on supported algorithms: https://github.com/panva/jose /\n algorithm?: string;\n /\n A list of claims to omit from issued tokens and only store in the user info database\n /\n omitClaimsFromToken?: string[];\n};\n\n/\n A token issuer that is able to issue tokens in a distributed system\n * backed by a single database. Tokens are issued using lazily generated\n * signing keys, where each running instance of the auth service uses its own\n * signing key.\n \n The public parts of the keys are all stored in the shared key storage,\n * and any of the instances of the auth service will return the full list\n * of public keys that are currently in storage.\n \n Signing keys are automatically rotated at the same interval as the token\n * duration. Expired keys are kept in storage until there are no valid tokens\n * in circulation that could have been signed by that key.\n /\nexport class TokenFactory implements TokenIssuer {\n private readonly issuer: string;\n private readonly logger: LoggerService;\n private readonly keyStore: KeyStore;\n private readonly keyDurationSeconds: number;\n private readonly algorithm: string;\n private readonly omitClaimsFromToken?: string[];\n\n private keyExpiry?: Date;\n private privateKeyPromise?: Promise<JWK>;\n\n constructor(options: Options) {\n this.issuer = options.issuer;\n this.logger = options.logger;\n this.keyStore = options.keyStore;\n this.keyDurationSeconds = options.keyDurationSeconds;\n this.algorithm = options.algorithm ?? 'ES256';\n this.omitClaimsFromToken = options.omitClaimsFromToken;\n }\n\n async issueToken(\n params: TokenParams & { claims: { ent: string[] } },\n ): Promise<BackstageSignInResult> {\n const key = await this.getKey();\n\n return issueUserToken({\n issuer: this.issuer,\n key,\n keyDurationSeconds: this.keyDurationSeconds,\n logger: this.logger,\n omitClaimsFromToken: this.omitClaimsFromToken,\n params,\n });\n }\n\n // This will be called by other services that want to verify ID tokens.\n // It is important that it returns a list of all public keys that could\n // have been used to sign tokens that have not yet expired.\n async listPublicKeys(): Promise<{ keys: AnyJWK[] }> {\n const { items: keys } = await this.keyStore.listKeys();\n\n const validKeys = [];\n const expiredKeys = [];\n\n for (const key of keys) {\n // Allow for a grace period of another full key duration before we remove the keys from the database\n const expireAt = DateTime.fromJSDate(key.createdAt).plus({\n seconds: 3 this.keyDurationSeconds,\n });\n if (expireAt < DateTime.local()) {\n expiredKeys.push(key);\n } else {\n validKeys.push(key);\n }\n }\n\n // Lazily prune expired keys. This may cause duplicate removals if we have concurrent callers, but w/e\n if (expiredKeys.length > 0) {\n const kids = expiredKeys.map(({ key }) => key.kid);\n\n this.logger.info(`Removing expired signing keys, '${kids.join(\"', '\")}'`);\n\n // We don't await this, just let it run in the background\n this.keyStore.removeKeys(kids).catch(error => {\n this.logger.error(`Failed to remove expired keys, ${error}`);\n });\n }\n\n // NOTE: we're currently only storing public keys, but if we start storing private keys we'd have to convert here\n return { keys: validKeys.map(({ key }) => key) };\n }\n\n private async getKey(): Promise<JWK> {\n // Make sure that we only generate one key at a time\n if (this.privateKeyPromise) {\n if (\n this.keyExpiry &&\n DateTime.fromJSDate(this.keyExpiry) > DateTime.local()\n ) {\n return this.privateKeyPromise;\n }\n this.logger.info(`Signing key has expired, generating new key`);\n delete this.privateKeyPromise;\n }\n\n this.keyExpiry = DateTime.utc()\n .plus({\n seconds: this.keyDurationSeconds,\n })\n .toJSDate();\n const promise = (async () => {\n // This generates a new signing key to be used to sign tokens until the next key rotation\n const key = await generateKeyPair(this.algorithm);\n const publicKey = await exportJWK(key.publicKey);\n const privateKey = await exportJWK(key.privateKey);\n publicKey.kid = privateKey.kid = uuid();\n publicKey.alg = privateKey.alg = this.algorithm;\n\n // We're not allowed to use the key until it has been successfully stored\n // TODO: some token verification implementations aggressively cache the list of keys, and\n // don't attempt to fetch new ones even if they encounter an unknown kid. Therefore we\n // may want to keep using the existing key for some period of time until we switch to\n // the new one. This also needs to be implemented cross-service though, meaning new services\n // that boot up need to be able to grab an existing key to use for signing.\n this.logger.info(`Created new signing key ${publicKey.kid}`);\n await this.keyStore.addKey(publicKey as AnyJWK);\n\n // At this point we are allowed to start using the new key\n return privateKey;\n })();\n\n this.privateKeyPromise = promise;\n\n try {\n // If we fail to generate a new key, we need to clear the state so that\n // the next caller will try to generate another key.\n await promise;\n } catch (error) {\n this.logger.error(`Failed to generate new signing key, ${error}`);\n delete this.keyExpiry;\n delete this.privateKeyPromise;\n }\n\n return promise;\n }\n}\n"],"names":["issueUserToken","DateTime","generateKeyPair","exportJWK","uuid"],"mappings":";;;;;;;AA6GO,MAAM,YAAA,CAAoC;AAAA,EAC9B,MAAA;AAAA,EACA,MAAA;AAAA,EACA,QAAA;AAAA,EACA,kBAAA;AAAA,EACA,SAAA;AAAA,EACA,mBAAA;AAAA,EAET,SAAA;AAAA,EACA,iBAAA;AAAA,EAER,YAAY,OAAA,EAAkB;AAC5B,IAAA,IAAA,CAAK,SAAS,OAAA,CAAQ,MAAA;AACtB,IAAA,IAAA,CAAK,SAAS,OAAA,CAAQ,MAAA;AACtB,IAAA,IAAA,CAAK,WAAW,OAAA,CAAQ,QAAA;AACxB,IAAA,IAAA,CAAK,qBAAqB,OAAA,CAAQ,kBAAA;AAClC,IAAA,IAAA,CAAK,SAAA,GAAY,QAAQ,SAAA,IAAa,OAAA;AACtC,IAAA,IAAA,CAAK,sBAAsB,OAAA,CAAQ,mBAAA;AAAA,EACrC;AAAA,EAEA,MAAM,WACJ,MAAA,EACgC;AAChC,IAAA,MAAM,GAAA,GAAM,MAAM,IAAA,CAAK,MAAA,EAAO;AAE9B,IAAA,OAAOA,6BAAA,CAAe;AAAA,MACpB,QAAQ,IAAA,CAAK,MAAA;AAAA,MACb,GAAA;AAAA,MACA,oBAAoB,IAAA,CAAK,kBAAA;AAAA,MACzB,QAAQ,IAAA,CAAK,MAAA;AAAA,MACb,qBAAqB,IAAA,CAAK,mBAAA;AAAA,MAC1B;AAAA,KACD,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,cAAA,GAA8C;AAClD,IAAA,MAAM,EAAE,KAAA,EAAO,IAAA,KAAS,MAAM,IAAA,CAAK,SAAS,QAAA,EAAS;AAErD,IAAA,MAAM,YAAY,EAAC;AACnB,IAAA,MAAM,cAAc,EAAC;AAErB,IAAA,KAAA,MAAW,OAAO,IAAA,EAAM;AAEtB,MAAA,MAAM,WAAWC,cAAA,CAAS,UAAA,CAAW,GAAA,CAAI,SAAS,EAAE,IAAA,CAAK;AAAA,QACvD,OAAA,EAAS,IAAI,IAAA,CAAK;AAAA,OACnB,CAAA;AACD,MAAA,IAAI,QAAA,GAAWA,cAAA,CAAS,KAAA,EAAM,EAAG;AAC/B,QAAA,WAAA,CAAY,KAAK,GAAG,CAAA;AAAA,MACtB,CAAA,MAAO;AACL,QAAA,SAAA,CAAU,KAAK,GAAG,CAAA;AAAA,MACpB;AAAA,IACF;AAGA,IAAA,IAAI,WAAA,CAAY,SAAS,CAAA,EAAG;AAC1B,MAAA,MAAM,IAAA,GAAO,YAAY,GAAA,CAAI,CAAC,EAAE,GAAA,EAAI,KAAM,IAAI,GAAG,CAAA;AAEjD,MAAA,IAAA,CAAK,OAAO,IAAA,CAAK,CAAA,gCAAA,EAAmC,KAAK,IAAA,CAAK,MAAM,CAAC,CAAA,CAAA,CAAG,CAAA;AAGxE,MAAA,IAAA,CAAK,QAAA,CAAS,UAAA,CAAW,IAAI,CAAA,CAAE,MAAM,CAAA,KAAA,KAAS;AAC5C,QAAA,IAAA,CAAK,MAAA,CAAO,KAAA,CAAM,CAAA,+BAAA,EAAkC,KAAK,CAAA,CAAE,CAAA;AAAA,MAC7D,CAAC,CAAA;AAAA,IACH;AAGA,IAAA,OAAO,EAAE,MAAM,SAAA,CAAU,GAAA,CAAI,CAAC,EAAE,GAAA,EAAI,KAAM,GAAG,CAAA,EAAE;AAAA,EACjD;AAAA,EAEA,MAAc,MAAA,GAAuB;AAEnC,IAAA,IAAI,KAAK,iBAAA,EAAmB;AAC1B,MAAA,IACE,IAAA,CAAK,aACLA,cAAA,CAAS,UAAA,CAAW,KAAK,SAAS,CAAA,GAAIA,cAAA,CAAS,KAAA,EAAM,EACrD;AACA,QAAA,OAAO,IAAA,CAAK,iBAAA;AAAA,MACd;AACA,MAAA,IAAA,CAAK,MAAA,CAAO,KAAK,CAAA,2CAAA,CAA6C,CAAA;AAC9D,MAAA,OAAO,IAAA,CAAK,iBAAA;AAAA,IACd;AAEA,IAAA,IAAA,CAAK,SAAA,GAAYA,cAAA,CAAS,GAAA,EAAI,CAC3B,IAAA,CAAK;AAAA,MACJ,SAAS,IAAA,CAAK;AAAA,KACf,EACA,QAAA,EAAS;AACZ,IAAA,MAAM,WAAW,YAAY;AAE3B,MAAA,MAAM,GAAA,GAAM,MAAMC,oBAAA,CAAgB,IAAA,CAAK,SAAS,CAAA;AAChD,MAAA,MAAM,SAAA,GAAY,MAAMC,cAAA,CAAU,GAAA,CAAI,SAAS,CAAA;AAC/C,MAAA,MAAM,UAAA,GAAa,MAAMA,cAAA,CAAU,GAAA,CAAI,UAAU,CAAA;AACjD,MAAA,SAAA,CAAU,GAAA,GAAM,UAAA,CAAW,GAAA,GAAMC,OAAA,EAAK;AACtC,MAAA,SAAA,CAAU,GAAA,GAAM,UAAA,CAAW,GAAA,GAAM,IAAA,CAAK,SAAA;AAQtC,MAAA,IAAA,CAAK,MAAA,CAAO,IAAA,CAAK,CAAA,wBAAA,EAA2B,SAAA,CAAU,GAAG,CAAA,CAAE,CAAA;AAC3D,MAAA,MAAM,IAAA,CAAK,QAAA,CAAS,MAAA,CAAO,SAAmB,CAAA;AAG9C,MAAA,OAAO,UAAA;AAAA,IACT,CAAA,GAAG;AAEH,IAAA,IAAA,CAAK,iBAAA,GAAoB,OAAA;AAEzB,IAAA,IAAI;AAGF,MAAA,MAAM,OAAA;AAAA,IACR,SAAS,KAAA,EAAO;AACd,MAAA,IAAA,CAAK,MAAA,CAAO,KAAA,CAAM,CAAA,oCAAA,EAAuC,KAAK,CAAA,CAAE,CAAA;AAChE,MAAA,OAAO,IAAA,CAAK,SAAA;AACZ,MAAA,OAAO,IAAA,CAAK,iBAAA;AAAA,IACd;AAEA,IAAA,OAAO,OAAA;AAAA,EACT;AACF;;;;"}

package/dist/identity/issueUserToken.cjs.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"issueUserToken.cjs.js","sources":["../../src/identity/issueUserToken.ts"],"sourcesContent":["/\n Copyright 2025 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { parseEntityRef } from '@backstage/catalog-model';\nimport { AuthenticationError } from '@backstage/errors';\nimport {\n BackstageSignInResult,\n TokenParams,\n tokenTypes,\n} from '@backstage/plugin-auth-node';\nimport { omit } from 'lodash';\nimport { LoggerService } from '@backstage/backend-plugin-api';\nimport { GeneralSign, importJWK, JWK, KeyLike, SignJWT } from 'jose';\nimport { BackstageTokenPayload } from './TokenFactory';\n\nconst MS_IN_S = 1000;\nconst MAX_TOKEN_LENGTH = 32768; // At 64 bytes per entity ref this still leaves room for about 500 entities\n\nexport async function issueUserToken({\n issuer,\n key,\n keyDurationSeconds,\n logger,\n omitClaimsFromToken,\n params,\n}: {\n issuer: string;\n key: JWK;\n keyDurationSeconds: number;\n logger: LoggerService;\n omitClaimsFromToken?: string[];\n params: TokenParams & { claims: { ent: string[] } };\n}): Promise<BackstageSignInResult> {\n const { sub, ent, ...additionalClaims } = params.claims;\n const aud = tokenTypes.user.audClaim;\n const iat = Math.floor(Date.now() / MS_IN_S);\n const exp = iat + keyDurationSeconds;\n\n try {\n // The subject must be a valid entity ref\n parseEntityRef(sub);\n } catch (error) {\n throw new Error(\n '\"sub\" claim provided by the auth resolver is not a valid EntityRef.',\n );\n }\n\n if (!key.alg) {\n throw new AuthenticationError('No algorithm was provided in the key');\n }\n\n logger.info(`Issuing token for ${sub}, with entities ${ent}`);\n\n const signingKey = await importJWK(key);\n\n const uip = await createUserIdentityClaim({\n header: {\n typ: tokenTypes.limitedUser.typParam,\n alg: key.alg,\n kid: key.kid,\n },\n payload: { sub, iat, exp },\n key: signingKey,\n });\n\n const claims: BackstageTokenPayload = {\n ...additionalClaims,\n iss: issuer,\n sub,\n ent,\n aud,\n iat,\n exp,\n uip,\n };\n\n const tokenClaims = omitClaimsFromToken\n ? omit(claims, omitClaimsFromToken)\n : claims;\n const token = await new SignJWT(tokenClaims)\n .setProtectedHeader({\n typ: tokenTypes.user.typParam,\n alg: key.alg,\n kid: key.kid,\n })\n .sign(signingKey);\n\n if (token.length > MAX_TOKEN_LENGTH) {\n throw new Error(\n `Failed to issue a new user token. The resulting token is excessively large, with either too many ownership claims or too large custom claims. You likely have a bug either in the sign-in resolver or catalog data. The following claims were requested: '${JSON.stringify(\n tokenClaims,\n )}'`,\n );\n }\n\n return {\n token,\n identity: {\n type: 'user',\n userEntityRef: sub,\n ownershipEntityRefs: ent,\n },\n };\n}\n\n/\n The payload contents of a valid Backstage user identity claim token\n \n @internal\n /\ninterface BackstageUserIdentityProofPayload {\n /\n The entity ref of the user\n /\n sub: string;\n\n /\n Standard expiry in epoch seconds\n /\n exp: number;\n\n /\n Standard issue time in epoch seconds\n /\n iat: number;\n}\n\n/\n Creates a string claim that can be used as part of reconstructing a limited\n * user token. The output of this function is only the signature part of a JWS.\n */\nasync function createUserIdentityClaim(options: {\n header: {\n typ: string;\n alg: string;\n kid?: string;\n };\n payload: BackstageUserIdentityProofPayload;\n key: KeyLike \| Uint8Array;\n}): Promise<string> {\n // NOTE: We reconstruct the header and payload structures carefully to\n // perfectly guarantee ordering. The reason for this is that we store only\n // the signature part of these to reduce duplication within the Backstage\n // token. Anyone who wants to make an actual JWT based on all this must be\n // able to do the EXACT reconstruction of the header and payload parts, to\n // then append the signature.\n\n const header = {\n typ: options.header.typ,\n alg: options.header.alg,\n ...(options.header.kid ? { kid: options.header.kid } : {}),\n };\n\n const payload = {\n sub: options.payload.sub,\n iat: options.payload.iat,\n exp: options.payload.exp,\n };\n\n const jws = await new GeneralSign(\n new TextEncoder().encode(JSON.stringify(payload)),\n )\n .addSignature(options.key)\n .setProtectedHeader(header)\n .done()\n .sign();\n\n return jws.signatures[0].signature;\n}\n"],"names":["tokenTypes","parseEntityRef","AuthenticationError","importJWK","omit","SignJWT","GeneralSign"],"mappings":";;;;;;;;AA4BA,MAAM,~~OAAU~~,~~GAAA~~,GAAA;AAChB,MAAM,~~gBAAmB~~,~~GAAA~~,KAAA;AAEzB,eAAsB,~~cAAe~~,~~CAAA~~;AAAA,EACnC,MAAA;AAAA,EACA,GAAA;AAAA,EACA,kBAAA;AAAA,EACA,MAAA;AAAA,EACA,mBAAA;AAAA,EACA;AACF,~~CAOmC~~,~~EAAA~~;AACjC,EAAA,MAAM,EAAE,~~GAAK~~,~~EAAA~~,GAAA,EAAK,GAAG,gBAAA,KAAqB,~~MAAO~~,~~CAAA~~,MAAA;AACjD,~~EAAM~~,~~MAAA~~,GAAA,GAAMA,0BAAW,~~IAAK~~,~~CAAA~~,QAAA;AAC5B,EAAA,MAAM,MAAM,~~IAAK~~,~~CAAA~~,KAAA,CAAM,~~IAAK~~,~~CAAA~~,GAAA,KAAQ,OAAO,CAAA;AAC3C,EAAA,MAAM,MAAM,GAAM,~~GAAA,~~kBAAA;AAElB,~~EAAI~~,~~IAAA~~;AAEF,IAAAC,2BAAA,CAAe,GAAG,CAAA;AAAA,~~WACX~~,~~KAAO~~,~~EAAA~~;AACd,IAAA,MAAM,IAAI,KAAA;AAAA,MACR;AAAA,KACF;AAAA;~~AAGF~~,~~EAAI~~,~~IAAA~~,CAAC,IAAI,~~GAAK~~,~~EAAA~~;AACZ,~~IAAM~~,~~MAAA~~,IAAIC,2BAAoB,sCAAsC,CAAA;AAAA;~~AAGtE~~,EAAA,MAAA,CAAO,~~IAAK~~,~~CAAA~~,CAAA,kBAAA,EAAqB,GAAG,CAAA,gBAAA,EAAmB,GAAG,CAAE,CAAA~~,CAAA~~;AAE5D,~~EAAM~~,~~MAAA~~,UAAA,GAAa,MAAMC,cAAA,CAAU,GAAG,CAAA;AAEtC,~~EAAM~~,~~MAAA~~,GAAA,GAAM,MAAM,~~uBAAwB~~,~~CAAA~~;AAAA,IACxC,~~MAAQ~~,~~EAAA~~;AAAA,MACN,GAAA,EAAKH,0BAAW,~~WAAY~~,~~CAAA~~,QAAA;AAAA,MAC5B,KAAK,~~GAAI~~,~~CAAA~~,GAAA;AAAA,MACT,KAAK,~~GAAI~~,~~CAAA~~;AAAA,KACX;AAAA,IACA,~~OAAS~~,~~EAAA~~,EAAE,~~GAAK~~,~~EAAA~~,GAAA,EAAK,~~GAAI~~,~~EAAA~~;AAAA,IACzB,~~GAAK~~,~~EAAA~~;AAAA,GACN,CAAA;AAED,EAAA,MAAM,~~MAAgC~~,~~GAAA~~;AAAA,IACpC,GAAG,gBAAA;AAAA,IACH,~~GAAK~~,~~EAAA~~,MAAA;AAAA,IACL,GAAA;AAAA,IACA,GAAA;AAAA,IACA,GAAA;AAAA,IACA,GAAA;AAAA,IACA,GAAA;AAAA,IACA;AAAA,GACF;AAEA,EAAA,MAAM,~~WAAc~~,~~GAAA~~,mBAAA,GAChBI,~~WAAK~~,~~CAAA~~,MAAA,EAAQ,mBAAmB,~~CAChC~~,~~GAAA~~,MAAA;AACJ,EAAA,MAAM,QAAQ,MAAM,IAAIC,~~YAAQ~~,~~CAAA~~,WAAW,EACxC,~~kBAAmB~~,~~CAAA~~;AAAA,IAClB,GAAA,EAAKL,0BAAW,~~IAAK~~,~~CAAA~~,QAAA;AAAA,IACrB,KAAK,~~GAAI~~,~~CAAA~~,GAAA;AAAA,IACT,KAAK,~~GAAI~~,~~CAAA~~;AAAA,GACV,CACA,~~CAAA,~~IAAA,CAAK,UAAU,CAAA;AAElB,~~EAAI~~,~~IAAA~~,KAAA,CAAM,SAAS,~~gBAAkB~~,~~EAAA~~;AACnC,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,6PAA6P,~~IAAK~~,~~CAAA~~,SAAA;AAAA,QAChQ;AAAA,OACD,CAAA,CAAA;AAAA,KACH;AAAA;~~AAGF~~,~~EAAO~~,~~OAAA~~;AAAA,IACL,KAAA;AAAA,IACA,~~QAAU~~,~~EAAA~~;AAAA,MACR,~~IAAM~~,~~EAAA~~,MAAA;AAAA,MACN,~~aAAe~~,~~EAAA~~,GAAA;AAAA,MACf,~~mBAAqB~~,~~EAAA~~;AAAA;AACvB,GACF;AACF;AA4BA,eAAe,wBAAwB,~~OAQnB~~,~~EAAA~~;AAQlB,EAAA,MAAM,~~MAAS~~,~~GAAA~~;AAAA,IACb,GAAA,EAAK,QAAQ,~~MAAO~~,~~CAAA~~,GAAA;AAAA,IACpB,GAAA,EAAK,QAAQ,~~MAAO~~,~~CAAA~~,GAAA;AAAA,IACpB,GAAI,~~OAAQ~~,~~CAAA~~,MAAA,CAAO,GAAM,~~GAAA,~~EAAE,KAAK,~~OAAQ~~,~~CAAA~~,MAAA,CAAO,~~GAAI~~,~~EAAA~~,GAAI;AAAC,GAC1D;AAEA,EAAA,MAAM,~~OAAU~~,~~GAAA~~;AAAA,IACd,GAAA,EAAK,QAAQ,~~OAAQ~~,~~CAAA~~,GAAA;AAAA,IACrB,GAAA,EAAK,QAAQ,~~OAAQ~~,~~CAAA~~,GAAA;AAAA,IACrB,GAAA,EAAK,QAAQ,~~OAAQ~~,~~CAAA~~;AAAA,GACvB;AAEA,~~EAAM~~,~~MAAA~~,GAAA,GAAM,MAAM,IAAIM,gBAAA;AAAA,IACpB,IAAI,~~WAAY~~,~~EAAA~~,CAAE,OAAO,~~IAAK~~,~~CAAA~~,SAAA,CAAU,OAAO,CAAC;AAAA,GAClD,CACG,~~YAAa~~,~~CAAA~~,OAAA,CAAQ,GAAG,CAAA,CACxB,mBAAmB,MAAM,CAAA,CACzB,~~IAAK~~,~~EAAA~~,CACL,~~IAAK~~,~~EAAA~~;AAER,~~EAAO~~,~~OAAA~~,GAAA,CAAI,~~UAAW~~,~~CAAA~~,CAAC,CAAE,~~CAAA,~~SAAA;AAC3B;;;;"}
1	+ {"version":3,"file":"issueUserToken.cjs.js","sources":["../../src/identity/issueUserToken.ts"],"sourcesContent":["/\n Copyright 2025 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { parseEntityRef } from '@backstage/catalog-model';\nimport { AuthenticationError } from '@backstage/errors';\nimport {\n BackstageSignInResult,\n TokenParams,\n tokenTypes,\n} from '@backstage/plugin-auth-node';\nimport { omit } from 'lodash';\nimport { LoggerService } from '@backstage/backend-plugin-api';\nimport { GeneralSign, importJWK, JWK, KeyLike, SignJWT } from 'jose';\nimport { BackstageTokenPayload } from './TokenFactory';\n\nconst MS_IN_S = 1000;\nconst MAX_TOKEN_LENGTH = 32768; // At 64 bytes per entity ref this still leaves room for about 500 entities\n\nexport async function issueUserToken({\n issuer,\n key,\n keyDurationSeconds,\n logger,\n omitClaimsFromToken,\n params,\n}: {\n issuer: string;\n key: JWK;\n keyDurationSeconds: number;\n logger: LoggerService;\n omitClaimsFromToken?: string[];\n params: TokenParams & { claims: { ent: string[] } };\n}): Promise<BackstageSignInResult> {\n const { sub, ent, ...additionalClaims } = params.claims;\n const aud = tokenTypes.user.audClaim;\n const iat = Math.floor(Date.now() / MS_IN_S);\n const exp = iat + keyDurationSeconds;\n\n try {\n // The subject must be a valid entity ref\n parseEntityRef(sub);\n } catch (error) {\n throw new Error(\n '\"sub\" claim provided by the auth resolver is not a valid EntityRef.',\n );\n }\n\n if (!key.alg) {\n throw new AuthenticationError('No algorithm was provided in the key');\n }\n\n logger.info(`Issuing token for ${sub}, with entities ${ent}`);\n\n const signingKey = await importJWK(key);\n\n const uip = await createUserIdentityClaim({\n header: {\n typ: tokenTypes.limitedUser.typParam,\n alg: key.alg,\n kid: key.kid,\n },\n payload: { sub, iat, exp },\n key: signingKey,\n });\n\n const claims: BackstageTokenPayload = {\n ...additionalClaims,\n iss: issuer,\n sub,\n ent,\n aud,\n iat,\n exp,\n uip,\n };\n\n const tokenClaims = omitClaimsFromToken\n ? omit(claims, omitClaimsFromToken)\n : claims;\n const token = await new SignJWT(tokenClaims)\n .setProtectedHeader({\n typ: tokenTypes.user.typParam,\n alg: key.alg,\n kid: key.kid,\n })\n .sign(signingKey);\n\n if (token.length > MAX_TOKEN_LENGTH) {\n throw new Error(\n `Failed to issue a new user token. The resulting token is excessively large, with either too many ownership claims or too large custom claims. You likely have a bug either in the sign-in resolver or catalog data. The following claims were requested: '${JSON.stringify(\n tokenClaims,\n )}'`,\n );\n }\n\n return {\n token,\n identity: {\n type: 'user',\n userEntityRef: sub,\n ownershipEntityRefs: ent,\n },\n };\n}\n\n/\n The payload contents of a valid Backstage user identity claim token\n \n @internal\n /\ninterface BackstageUserIdentityProofPayload {\n /\n The entity ref of the user\n /\n sub: string;\n\n /\n Standard expiry in epoch seconds\n /\n exp: number;\n\n /\n Standard issue time in epoch seconds\n /\n iat: number;\n}\n\n/\n Creates a string claim that can be used as part of reconstructing a limited\n * user token. The output of this function is only the signature part of a JWS.\n */\nasync function createUserIdentityClaim(options: {\n header: {\n typ: string;\n alg: string;\n kid?: string;\n };\n payload: BackstageUserIdentityProofPayload;\n key: KeyLike \| Uint8Array;\n}): Promise<string> {\n // NOTE: We reconstruct the header and payload structures carefully to\n // perfectly guarantee ordering. The reason for this is that we store only\n // the signature part of these to reduce duplication within the Backstage\n // token. Anyone who wants to make an actual JWT based on all this must be\n // able to do the EXACT reconstruction of the header and payload parts, to\n // then append the signature.\n\n const header = {\n typ: options.header.typ,\n alg: options.header.alg,\n ...(options.header.kid ? { kid: options.header.kid } : {}),\n };\n\n const payload = {\n sub: options.payload.sub,\n iat: options.payload.iat,\n exp: options.payload.exp,\n };\n\n const jws = await new GeneralSign(\n new TextEncoder().encode(JSON.stringify(payload)),\n )\n .addSignature(options.key)\n .setProtectedHeader(header)\n .done()\n .sign();\n\n return jws.signatures[0].signature;\n}\n"],"names":["tokenTypes","parseEntityRef","AuthenticationError","importJWK","omit","SignJWT","GeneralSign"],"mappings":";;;;;;;;AA4BA,MAAM,OAAA,GAAU,GAAA;AAChB,MAAM,gBAAA,GAAmB,KAAA;AAEzB,eAAsB,cAAA,CAAe;AAAA,EACnC,MAAA;AAAA,EACA,GAAA;AAAA,EACA,kBAAA;AAAA,EACA,MAAA;AAAA,EACA,mBAAA;AAAA,EACA;AACF,CAAA,EAOmC;AACjC,EAAA,MAAM,EAAE,GAAA,EAAK,GAAA,EAAK,GAAG,gBAAA,KAAqB,MAAA,CAAO,MAAA;AACjD,EAAA,MAAM,GAAA,GAAMA,0BAAW,IAAA,CAAK,QAAA;AAC5B,EAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,OAAO,CAAA;AAC3C,EAAA,MAAM,MAAM,GAAA,GAAM,kBAAA;AAElB,EAAA,IAAI;AAEF,IAAAC,2BAAA,CAAe,GAAG,CAAA;AAAA,EACpB,SAAS,KAAA,EAAO;AACd,IAAA,MAAM,IAAI,KAAA;AAAA,MACR;AAAA,KACF;AAAA,EACF;AAEA,EAAA,IAAI,CAAC,IAAI,GAAA,EAAK;AACZ,IAAA,MAAM,IAAIC,2BAAoB,sCAAsC,CAAA;AAAA,EACtE;AAEA,EAAA,MAAA,CAAO,IAAA,CAAK,CAAA,kBAAA,EAAqB,GAAG,CAAA,gBAAA,EAAmB,GAAG,CAAA,CAAE,CAAA;AAE5D,EAAA,MAAM,UAAA,GAAa,MAAMC,cAAA,CAAU,GAAG,CAAA;AAEtC,EAAA,MAAM,GAAA,GAAM,MAAM,uBAAA,CAAwB;AAAA,IACxC,MAAA,EAAQ;AAAA,MACN,GAAA,EAAKH,0BAAW,WAAA,CAAY,QAAA;AAAA,MAC5B,KAAK,GAAA,CAAI,GAAA;AAAA,MACT,KAAK,GAAA,CAAI;AAAA,KACX;AAAA,IACA,OAAA,EAAS,EAAE,GAAA,EAAK,GAAA,EAAK,GAAA,EAAI;AAAA,IACzB,GAAA,EAAK;AAAA,GACN,CAAA;AAED,EAAA,MAAM,MAAA,GAAgC;AAAA,IACpC,GAAG,gBAAA;AAAA,IACH,GAAA,EAAK,MAAA;AAAA,IACL,GAAA;AAAA,IACA,GAAA;AAAA,IACA,GAAA;AAAA,IACA,GAAA;AAAA,IACA,GAAA;AAAA,IACA;AAAA,GACF;AAEA,EAAA,MAAM,WAAA,GAAc,mBAAA,GAChBI,WAAA,CAAK,MAAA,EAAQ,mBAAmB,CAAA,GAChC,MAAA;AACJ,EAAA,MAAM,QAAQ,MAAM,IAAIC,YAAA,CAAQ,WAAW,EACxC,kBAAA,CAAmB;AAAA,IAClB,GAAA,EAAKL,0BAAW,IAAA,CAAK,QAAA;AAAA,IACrB,KAAK,GAAA,CAAI,GAAA;AAAA,IACT,KAAK,GAAA,CAAI;AAAA,GACV,CAAA,CACA,IAAA,CAAK,UAAU,CAAA;AAElB,EAAA,IAAI,KAAA,CAAM,SAAS,gBAAA,EAAkB;AACnC,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,6PAA6P,IAAA,CAAK,SAAA;AAAA,QAChQ;AAAA,OACD,CAAA,CAAA;AAAA,KACH;AAAA,EACF;AAEA,EAAA,OAAO;AAAA,IACL,KAAA;AAAA,IACA,QAAA,EAAU;AAAA,MACR,IAAA,EAAM,MAAA;AAAA,MACN,aAAA,EAAe,GAAA;AAAA,MACf,mBAAA,EAAqB;AAAA;AACvB,GACF;AACF;AA4BA,eAAe,wBAAwB,OAAA,EAQnB;AAQlB,EAAA,MAAM,MAAA,GAAS;AAAA,IACb,GAAA,EAAK,QAAQ,MAAA,CAAO,GAAA;AAAA,IACpB,GAAA,EAAK,QAAQ,MAAA,CAAO,GAAA;AAAA,IACpB,GAAI,OAAA,CAAQ,MAAA,CAAO,GAAA,GAAM,EAAE,KAAK,OAAA,CAAQ,MAAA,CAAO,GAAA,EAAI,GAAI;AAAC,GAC1D;AAEA,EAAA,MAAM,OAAA,GAAU;AAAA,IACd,GAAA,EAAK,QAAQ,OAAA,CAAQ,GAAA;AAAA,IACrB,GAAA,EAAK,QAAQ,OAAA,CAAQ,GAAA;AAAA,IACrB,GAAA,EAAK,QAAQ,OAAA,CAAQ;AAAA,GACvB;AAEA,EAAA,MAAM,GAAA,GAAM,MAAM,IAAIM,gBAAA;AAAA,IACpB,IAAI,WAAA,EAAY,CAAE,OAAO,IAAA,CAAK,SAAA,CAAU,OAAO,CAAC;AAAA,GAClD,CACG,YAAA,CAAa,OAAA,CAAQ,GAAG,CAAA,CACxB,mBAAmB,MAAM,CAAA,CACzB,IAAA,EAAK,CACL,IAAA,EAAK;AAER,EAAA,OAAO,GAAA,CAAI,UAAA,CAAW,CAAC,CAAA,CAAE,SAAA;AAC3B;;;;"}

package/dist/lib/catalog/CatalogIdentityClient.cjs.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"CatalogIdentityClient.cjs.js","sources":["../../../src/lib/catalog/CatalogIdentityClient.ts"],"sourcesContent":["/\n Copyright 2020 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { AuthService, LoggerService } from '@backstage/backend-plugin-api';\nimport { ConflictError, NotFoundError } from '@backstage/errors';\nimport { CatalogService } from '@backstage/plugin-catalog-node';\nimport {\n CompoundEntityRef,\n parseEntityRef,\n RELATION_MEMBER_OF,\n stringifyEntityRef,\n UserEntity,\n} from '@backstage/catalog-model';\n\n/\n A catalog client tailored for reading out identity data from the catalog.\n /\nexport class CatalogIdentityClient {\n private readonly catalog: CatalogService;\n private readonly auth: AuthService;\n\n constructor(options: { catalog: CatalogService; auth: AuthService }) {\n this.catalog = options.catalog;\n this.auth = options.auth;\n }\n\n /\n Looks up a single user using a query.\n \n Throws a NotFoundError or ConflictError if 0 or multiple users are found.\n /\n async findUser(query: {\n annotations: Record<string, string>;\n }): Promise<UserEntity> {\n const filter: Record<string, string> = {\n kind: 'user',\n };\n for (const [key, value] of Object.entries(query.annotations)) {\n filter[`metadata.annotations.${key}`] = value;\n }\n\n const { items } = await this.catalog.getEntities(\n { filter },\n { credentials: await this.auth.getOwnServiceCredentials() },\n );\n\n if (items.length !== 1) {\n if (items.length > 1) {\n throw new ConflictError('User lookup resulted in multiple matches');\n } else {\n throw new NotFoundError('User not found');\n }\n }\n\n return items[0] as UserEntity;\n }\n\n /\n Resolve additional entity claims from the catalog, using the passed-in entity names. Designed\n * to be used within a `signInResolver` where additional entity claims might be provided, but\n * group membership and transient group membership lean on imported catalog relations.\n \n Returns a superset of the entity names that can be passed directly to `issueToken` as `ent`.\n */\n async resolveCatalogMembership(query: {\n entityRefs: string[];\n logger?: LoggerService;\n }): Promise<string[]> {\n const { entityRefs, logger } = query;\n const resolvedEntityRefs = entityRefs\n .map((ref: string) => {\n try {\n const parsedRef = parseEntityRef(ref.toLocaleLowerCase('en-US'), {\n defaultKind: 'user',\n defaultNamespace: 'default',\n });\n return parsedRef;\n } catch {\n logger?.warn(`Failed to parse entityRef from ${ref}, ignoring`);\n return null;\n }\n })\n .filter((ref): ref is CompoundEntityRef => ref !== null);\n\n const filter = resolvedEntityRefs.map(ref => ({\n kind: ref.kind,\n 'metadata.namespace': ref.namespace,\n 'metadata.name': ref.name,\n }));\n\n const entities = await this.catalog\n .getEntities(\n { filter },\n { credentials: await this.auth.getOwnServiceCredentials() },\n )\n .then(r => r.items);\n\n if (entityRefs.length !== entities.length) {\n const foundEntityNames = entities.map(stringifyEntityRef);\n const missingEntityNames = resolvedEntityRefs\n .map(stringifyEntityRef)\n .filter(s => !foundEntityNames.includes(s));\n logger?.debug(`Entities not found for refs ${missingEntityNames.join()}`);\n }\n\n const memberOf = entities.flatMap(\n e =>\n e!.relations\n ?.filter(r => r.type === RELATION_MEMBER_OF)\n .map(r => r.targetRef) ?? [],\n );\n\n const newEntityRefs = [\n ...new Set(resolvedEntityRefs.map(stringifyEntityRef).concat(memberOf)),\n ];\n\n logger?.debug(`Found catalog membership: ${newEntityRefs.join()}`);\n return newEntityRefs;\n }\n}\n"],"names":["ConflictError","NotFoundError","parseEntityRef","stringifyEntityRef","RELATION_MEMBER_OF"],"mappings":";;;;;AA8BO,MAAM,~~qBAAsB~~,~~CAAA~~;AAAA,EAChB,OAAA;AAAA,EACA,IAAA;AAAA,EAEjB,YAAY,~~OAAyD~~,~~EAAA~~;AACnE,IAAA,IAAA,CAAK,UAAU,~~OAAQ~~,~~CAAA~~,OAAA;AACvB,IAAA,IAAA,CAAK,OAAO,~~OAAQ~~,~~CAAA~~,IAAA;AAAA;~~AACtB~~;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,SAAS,~~KAES~~,~~EAAA~~;AACtB,IAAA,MAAM,~~MAAiC~~,~~GAAA~~;AAAA,MACrC,~~IAAM~~,~~EAAA~~;AAAA,KACR;AACA,~~IAAW~~,KAAA,~~MAAA~~,CAAC,KAAK,KAAK,CAAA,IAAK,OAAO,~~OAAQ~~,~~CAAA~~,KAAA,CAAM,WAAW,~~CAAG~~,~~EAAA~~;AAC5D,~~MAAO~~,MAAA,~~CAAA~~,CAAA,qBAAA,EAAwB,GAAG,CAAA,CAAE,~~CAAI~~,~~GAAA~~,KAAA;AAAA;~~AAG1C~~,IAAA,MAAM,EAAE,KAAA,~~EAAU~~,~~GAAA~~,MAAM,KAAK,~~OAAQ~~,~~CAAA~~,WAAA;AAAA,MACnC,EAAE,~~MAAO~~,~~EAAA~~;AAAA,MACT,EAAE,~~WAAa~~,~~EAAA~~,MAAM,~~IAAK~~,~~CAAA~~,IAAA,CAAK,~~0BAA2B~~;~~AAAA~~,KAC5D;AAEA,IAAI,~~IAAA,~~KAAA,CAAM,WAAW,~~CAAG~~,~~EAAA~~;AACtB,~~MAAI~~,~~IAAA~~,KAAA,CAAM,SAAS,~~CAAG~~,~~EAAA~~;AACpB,~~QAAM~~,~~MAAA~~,IAAIA,qBAAc,0CAA0C,CAAA;AAAA,~~OAC7D~~,~~MAAA~~;AACL,~~QAAM~~,~~MAAA~~,IAAIC,qBAAc,gBAAgB,CAAA;AAAA;~~AAC1C~~;~~AAGF~~,IAAA,OAAO,MAAM,CAAC,CAAA;AAAA;~~AAChB~~;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,yBAAyB,~~KAGT~~,~~EAAA~~;AACpB,~~IAAM~~,~~MAAA~~,EAAE,~~UAAY~~,~~EAAA~~,MAAA,~~EAAW~~,~~GAAA~~,KAAA;AAC/B,IAAA,MAAM,~~kBAAqB~~,~~GAAA~~,UAAA,CACxB,~~GAAI~~,~~CAAA~~,CAAC,~~GAAgB~~,~~KAAA~~;AACpB,~~MAAI~~,~~IAAA~~;AACF,QAAA,MAAM,~~SAAY~~,~~GAAAC~~,2BAAA,CAAe,~~GAAI~~,~~CAAA~~,iBAAA,CAAkB,OAAO,~~CAAG~~,~~EAAA~~;AAAA,UAC/D,~~WAAa~~,~~EAAA~~,MAAA;AAAA,UACb,~~gBAAkB~~,~~EAAA~~;AAAA,SACnB,CAAA;AACD,~~QAAO~~,~~OAAA~~,SAAA;AAAA,~~OACD~~,CAAA,~~MAAA~~;AACN,~~QAAQ~~,MAAA,~~EAAA~~,IAAA,CAAK,~~CAAkC~~,+BAAA,~~EAAA~~,GAAG,~~CAAY~~,UAAA,~~CAAA~~,CAAA;AAC9D,~~QAAO~~,~~OAAA~~,IAAA;AAAA;~~AACT~~,~~KACD~~,~~CACA~~,CAAA,MAAA,CAAO,CAAC,GAAA,KAAkC,QAAQ,IAAI,CAAA;AAEzD,~~IAAM~~,~~MAAA~~,MAAA,GAAS,~~kBAAmB~~,~~CAAA~~,GAAA,CAAI,~~CAAQ~~,GAAA,~~MAAA~~;AAAA,MAC5C,MAAM,~~GAAI~~,~~CAAA~~,IAAA;AAAA,MACV,sBAAsB,~~GAAI~~,~~CAAA~~,SAAA;AAAA,MAC1B,iBAAiB,~~GAAI~~,~~CAAA~~;AAAA,~~KACrB~~,~~CAAA~~,CAAA;AAEF,~~IAAM~~,~~MAAA~~,QAAA,GAAW,MAAM,IAAA,CAAK,~~OACzB~~,~~CAAA~~,WAAA;AAAA,MACC,EAAE,~~MAAO~~,~~EAAA~~;AAAA,MACT,EAAE,~~WAAa~~,~~EAAA~~,MAAM,~~IAAK~~,~~CAAA~~,IAAA,CAAK,~~0BAA2B~~;~~AAAA~~,~~KAE3D~~,~~CAAA~~,IAAA,CAAK,~~CAAK~~,CAAA,~~KAAA~~,CAAA,CAAE,KAAK,CAAA;AAEpB,IAAI,~~IAAA,~~UAAA,CAAW,~~MAAW~~,~~KAAA~~,QAAA,CAAS,~~MAAQ~~,~~EAAA~~;AACzC,MAAM,~~MAAA,~~gBAAA,GAAmB,~~QAAS~~,~~CAAA~~,GAAA,CAAIC,+BAAkB,CAAA;AACxD,MAAM,~~MAAA,~~kBAAA,GAAqB,~~kBACxB~~,~~CAAA~~,GAAA,CAAIA,+BAAkB,CAAA,CACtB,~~MAAO~~,~~CAAA~~,CAAA,CAAA,KAAK,CAAC,gBAAA,CAAiB,~~QAAS~~,~~CAAA~~,CAAC,CAAC,CAAA;AAC5C,MAAA,MAAA,EAAQ,~~KAAM~~,~~CAAA~~,CAAA,4BAAA,EAA+B,~~kBAAmB~~,~~CAAA~~,IAAA,EAAM,CAAE,CAAA~~,CAAA~~;AAAA;~~AAG1E~~,IAAA,MAAM,WAAW,~~QAAS~~,~~CAAA~~,OAAA;AAAA,MACxB,~~CACE~~,CAAA,~~KAAA~~,CAAA,CAAG,~~SACC~~,~~EAAA~~,MAAA,CAAO,OAAK,CAAE,~~CAAA,~~IAAA,KAASC,+BAAkB,CAAA,CAC1C,~~GAAI~~,~~CAAA~~,CAAA,CAAA,KAAK,CAAE,~~CAAA,~~SAAS,KAAK;AAAC,KACjC;AAEA,IAAA,MAAM,~~aAAgB~~,~~GAAA~~;AAAA,MACpB,GAAG,IAAI,~~GAAI~~,~~CAAA~~,kBAAA,CAAmB,IAAID,+BAAkB,CAAA,CAAE,~~MAAO~~,~~CAAA~~,QAAQ,CAAC;AAAA,KACxE;AAEA,IAAA,MAAA,EAAQ,~~KAAM~~,~~CAAA~~,CAAA,0BAAA,EAA6B,~~aAAc~~,~~CAAA~~,IAAA,EAAM,CAAE,CAAA~~,CAAA~~;AACjE,~~IAAO~~,~~OAAA~~,aAAA;AAAA;~~AAEX~~;;;;"}
1	+ {"version":3,"file":"CatalogIdentityClient.cjs.js","sources":["../../../src/lib/catalog/CatalogIdentityClient.ts"],"sourcesContent":["/\n Copyright 2020 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { AuthService, LoggerService } from '@backstage/backend-plugin-api';\nimport { ConflictError, NotFoundError } from '@backstage/errors';\nimport { CatalogService } from '@backstage/plugin-catalog-node';\nimport {\n CompoundEntityRef,\n parseEntityRef,\n RELATION_MEMBER_OF,\n stringifyEntityRef,\n UserEntity,\n} from '@backstage/catalog-model';\n\n/\n A catalog client tailored for reading out identity data from the catalog.\n /\nexport class CatalogIdentityClient {\n private readonly catalog: CatalogService;\n private readonly auth: AuthService;\n\n constructor(options: { catalog: CatalogService; auth: AuthService }) {\n this.catalog = options.catalog;\n this.auth = options.auth;\n }\n\n /\n Looks up a single user using a query.\n \n Throws a NotFoundError or ConflictError if 0 or multiple users are found.\n /\n async findUser(query: {\n annotations: Record<string, string>;\n }): Promise<UserEntity> {\n const filter: Record<string, string> = {\n kind: 'user',\n };\n for (const [key, value] of Object.entries(query.annotations)) {\n filter[`metadata.annotations.${key}`] = value;\n }\n\n const { items } = await this.catalog.getEntities(\n { filter },\n { credentials: await this.auth.getOwnServiceCredentials() },\n );\n\n if (items.length !== 1) {\n if (items.length > 1) {\n throw new ConflictError('User lookup resulted in multiple matches');\n } else {\n throw new NotFoundError('User not found');\n }\n }\n\n return items[0] as UserEntity;\n }\n\n /\n Resolve additional entity claims from the catalog, using the passed-in entity names. Designed\n * to be used within a `signInResolver` where additional entity claims might be provided, but\n * group membership and transient group membership lean on imported catalog relations.\n \n Returns a superset of the entity names that can be passed directly to `issueToken` as `ent`.\n */\n async resolveCatalogMembership(query: {\n entityRefs: string[];\n logger?: LoggerService;\n }): Promise<string[]> {\n const { entityRefs, logger } = query;\n const resolvedEntityRefs = entityRefs\n .map((ref: string) => {\n try {\n const parsedRef = parseEntityRef(ref.toLocaleLowerCase('en-US'), {\n defaultKind: 'user',\n defaultNamespace: 'default',\n });\n return parsedRef;\n } catch {\n logger?.warn(`Failed to parse entityRef from ${ref}, ignoring`);\n return null;\n }\n })\n .filter((ref): ref is CompoundEntityRef => ref !== null);\n\n const filter = resolvedEntityRefs.map(ref => ({\n kind: ref.kind,\n 'metadata.namespace': ref.namespace,\n 'metadata.name': ref.name,\n }));\n\n const entities = await this.catalog\n .getEntities(\n { filter },\n { credentials: await this.auth.getOwnServiceCredentials() },\n )\n .then(r => r.items);\n\n if (entityRefs.length !== entities.length) {\n const foundEntityNames = entities.map(stringifyEntityRef);\n const missingEntityNames = resolvedEntityRefs\n .map(stringifyEntityRef)\n .filter(s => !foundEntityNames.includes(s));\n logger?.debug(`Entities not found for refs ${missingEntityNames.join()}`);\n }\n\n const memberOf = entities.flatMap(\n e =>\n e!.relations\n ?.filter(r => r.type === RELATION_MEMBER_OF)\n .map(r => r.targetRef) ?? [],\n );\n\n const newEntityRefs = [\n ...new Set(resolvedEntityRefs.map(stringifyEntityRef).concat(memberOf)),\n ];\n\n logger?.debug(`Found catalog membership: ${newEntityRefs.join()}`);\n return newEntityRefs;\n }\n}\n"],"names":["ConflictError","NotFoundError","parseEntityRef","stringifyEntityRef","RELATION_MEMBER_OF"],"mappings":";;;;;AA8BO,MAAM,qBAAA,CAAsB;AAAA,EAChB,OAAA;AAAA,EACA,IAAA;AAAA,EAEjB,YAAY,OAAA,EAAyD;AACnE,IAAA,IAAA,CAAK,UAAU,OAAA,CAAQ,OAAA;AACvB,IAAA,IAAA,CAAK,OAAO,OAAA,CAAQ,IAAA;AAAA,EACtB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,SAAS,KAAA,EAES;AACtB,IAAA,MAAM,MAAA,GAAiC;AAAA,MACrC,IAAA,EAAM;AAAA,KACR;AACA,IAAA,KAAA,MAAW,CAAC,KAAK,KAAK,CAAA,IAAK,OAAO,OAAA,CAAQ,KAAA,CAAM,WAAW,CAAA,EAAG;AAC5D,MAAA,MAAA,CAAO,CAAA,qBAAA,EAAwB,GAAG,CAAA,CAAE,CAAA,GAAI,KAAA;AAAA,IAC1C;AAEA,IAAA,MAAM,EAAE,KAAA,EAAM,GAAI,MAAM,KAAK,OAAA,CAAQ,WAAA;AAAA,MACnC,EAAE,MAAA,EAAO;AAAA,MACT,EAAE,WAAA,EAAa,MAAM,IAAA,CAAK,IAAA,CAAK,0BAAyB;AAAE,KAC5D;AAEA,IAAA,IAAI,KAAA,CAAM,WAAW,CAAA,EAAG;AACtB,MAAA,IAAI,KAAA,CAAM,SAAS,CAAA,EAAG;AACpB,QAAA,MAAM,IAAIA,qBAAc,0CAA0C,CAAA;AAAA,MACpE,CAAA,MAAO;AACL,QAAA,MAAM,IAAIC,qBAAc,gBAAgB,CAAA;AAAA,MAC1C;AAAA,IACF;AAEA,IAAA,OAAO,MAAM,CAAC,CAAA;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,yBAAyB,KAAA,EAGT;AACpB,IAAA,MAAM,EAAE,UAAA,EAAY,MAAA,EAAO,GAAI,KAAA;AAC/B,IAAA,MAAM,kBAAA,GAAqB,UAAA,CACxB,GAAA,CAAI,CAAC,GAAA,KAAgB;AACpB,MAAA,IAAI;AACF,QAAA,MAAM,SAAA,GAAYC,2BAAA,CAAe,GAAA,CAAI,iBAAA,CAAkB,OAAO,CAAA,EAAG;AAAA,UAC/D,WAAA,EAAa,MAAA;AAAA,UACb,gBAAA,EAAkB;AAAA,SACnB,CAAA;AACD,QAAA,OAAO,SAAA;AAAA,MACT,CAAA,CAAA,MAAQ;AACN,QAAA,MAAA,EAAQ,IAAA,CAAK,CAAA,+BAAA,EAAkC,GAAG,CAAA,UAAA,CAAY,CAAA;AAC9D,QAAA,OAAO,IAAA;AAAA,MACT;AAAA,IACF,CAAC,CAAA,CACA,MAAA,CAAO,CAAC,GAAA,KAAkC,QAAQ,IAAI,CAAA;AAEzD,IAAA,MAAM,MAAA,GAAS,kBAAA,CAAmB,GAAA,CAAI,CAAA,GAAA,MAAQ;AAAA,MAC5C,MAAM,GAAA,CAAI,IAAA;AAAA,MACV,sBAAsB,GAAA,CAAI,SAAA;AAAA,MAC1B,iBAAiB,GAAA,CAAI;AAAA,KACvB,CAAE,CAAA;AAEF,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,OAAA,CACzB,WAAA;AAAA,MACC,EAAE,MAAA,EAAO;AAAA,MACT,EAAE,WAAA,EAAa,MAAM,IAAA,CAAK,IAAA,CAAK,0BAAyB;AAAE,KAC5D,CACC,IAAA,CAAK,CAAA,CAAA,KAAK,CAAA,CAAE,KAAK,CAAA;AAEpB,IAAA,IAAI,UAAA,CAAW,MAAA,KAAW,QAAA,CAAS,MAAA,EAAQ;AACzC,MAAA,MAAM,gBAAA,GAAmB,QAAA,CAAS,GAAA,CAAIC,+BAAkB,CAAA;AACxD,MAAA,MAAM,kBAAA,GAAqB,kBAAA,CACxB,GAAA,CAAIA,+BAAkB,CAAA,CACtB,MAAA,CAAO,CAAA,CAAA,KAAK,CAAC,gBAAA,CAAiB,QAAA,CAAS,CAAC,CAAC,CAAA;AAC5C,MAAA,MAAA,EAAQ,KAAA,CAAM,CAAA,4BAAA,EAA+B,kBAAA,CAAmB,IAAA,EAAM,CAAA,CAAE,CAAA;AAAA,IAC1E;AAEA,IAAA,MAAM,WAAW,QAAA,CAAS,OAAA;AAAA,MACxB,CAAA,CAAA,KACE,CAAA,CAAG,SAAA,EACC,MAAA,CAAO,OAAK,CAAA,CAAE,IAAA,KAASC,+BAAkB,CAAA,CAC1C,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,SAAS,KAAK;AAAC,KACjC;AAEA,IAAA,MAAM,aAAA,GAAgB;AAAA,MACpB,GAAG,IAAI,GAAA,CAAI,kBAAA,CAAmB,IAAID,+BAAkB,CAAA,CAAE,MAAA,CAAO,QAAQ,CAAC;AAAA,KACxE;AAEA,IAAA,MAAA,EAAQ,KAAA,CAAM,CAAA,0BAAA,EAA6B,aAAA,CAAc,IAAA,EAAM,CAAA,CAAE,CAAA;AACjE,IAAA,OAAO,aAAA;AAAA,EACT;AACF;;;;"}

package/dist/lib/resolvers/CatalogAuthResolverContext.cjs.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"CatalogAuthResolverContext.cjs.js","sources":["../../../src/lib/resolvers/CatalogAuthResolverContext.ts"],"sourcesContent":["/\n Copyright 2022 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n DEFAULT_NAMESPACE,\n Entity,\n parseEntityRef,\n RELATION_MEMBER_OF,\n stringifyEntityRef,\n} from '@backstage/catalog-model';\nimport { ConflictError, InputError, NotFoundError } from '@backstage/errors';\nimport { AuthService, LoggerService } from '@backstage/backend-plugin-api';\nimport { CatalogService } from '@backstage/plugin-catalog-node';\nimport { TokenIssuer } from '../../identity/types';\nimport {\n AuthOwnershipResolver,\n AuthResolverCatalogUserQuery,\n AuthResolverContext,\n TokenParams,\n} from '@backstage/plugin-auth-node';\nimport { CatalogIdentityClient } from '../catalog/CatalogIdentityClient';\nimport { UserInfoDatabase } from '../../database/UserInfoDatabase';\n\nfunction getDefaultOwnershipEntityRefs(entity: Entity) {\n const membershipRefs =\n entity.relations\n ?.filter(\n r => r.type === RELATION_MEMBER_OF && r.targetRef.startsWith('group:'),\n )\n .map(r => r.targetRef) ?? [];\n\n return Array.from(new Set([stringifyEntityRef(entity), ...membershipRefs]));\n}\n\nexport class CatalogAuthResolverContext implements AuthResolverContext {\n static create(options: {\n logger: LoggerService;\n catalog: CatalogService;\n tokenIssuer: TokenIssuer;\n auth: AuthService;\n ownershipResolver?: AuthOwnershipResolver;\n userInfo: UserInfoDatabase;\n }): CatalogAuthResolverContext {\n const catalogIdentityClient = new CatalogIdentityClient({\n catalog: options.catalog,\n auth: options.auth,\n });\n\n return new CatalogAuthResolverContext(\n options.logger,\n options.tokenIssuer,\n catalogIdentityClient,\n options.catalog,\n options.auth,\n options.userInfo,\n options.ownershipResolver,\n );\n }\n\n private constructor(\n public readonly logger: LoggerService,\n public readonly tokenIssuer: TokenIssuer,\n public readonly catalogIdentityClient: CatalogIdentityClient,\n private readonly catalog: CatalogService,\n private readonly auth: AuthService,\n private readonly userInfo: UserInfoDatabase,\n private readonly ownershipResolver?: AuthOwnershipResolver,\n ) {}\n\n async issueToken(params: TokenParams) {\n const { sub, ent = [sub], ...additionalClaims } = params.claims;\n const claims = {\n sub,\n ent,\n ...additionalClaims,\n };\n\n const issuedToken = await this.tokenIssuer.issueToken({\n claims,\n });\n\n // Store the user info in the database upon successful token\n // issuance so that it can be retrieved later by limited user tokens\n await this.userInfo.addUserInfo({\n claims,\n });\n\n return issuedToken;\n }\n\n async findCatalogUser(query: AuthResolverCatalogUserQuery) {\n let result: Entity[] \| Entity \| undefined = undefined;\n\n if ('entityRef' in query) {\n const entityRef = parseEntityRef(query.entityRef, {\n defaultKind: 'User',\n defaultNamespace: DEFAULT_NAMESPACE,\n });\n result = await this.catalog.getEntityByRef(entityRef, {\n credentials: await this.auth.getOwnServiceCredentials(),\n });\n } else if ('annotations' in query) {\n const filter: Record<string, string> = {\n kind: 'user',\n };\n for (const [key, value] of Object.entries(query.annotations)) {\n filter[`metadata.annotations.${key}`] = value;\n }\n const res = await this.catalog.getEntities(\n { filter },\n { credentials: await this.auth.getOwnServiceCredentials() },\n );\n result = res.items;\n } else if ('filter' in query) {\n const filter = [query.filter].flat().map(value => {\n if (\n !Object.keys(value).some(\n key => key.toLocaleLowerCase('en-US') === 'kind',\n )\n ) {\n return {\n ...value,\n kind: 'user',\n };\n }\n return value;\n });\n const res = await this.catalog.getEntities(\n { filter: filter },\n { credentials: await this.auth.getOwnServiceCredentials() },\n );\n result = res.items;\n } else {\n throw new InputError('Invalid user lookup query');\n }\n\n if (Array.isArray(result)) {\n if (result.length > 1) {\n throw new ConflictError('User lookup resulted in multiple matches');\n }\n result = result[0];\n }\n if (!result) {\n throw new NotFoundError('User not found');\n }\n\n return { entity: result };\n }\n\n async signInWithCatalogUser(\n query: AuthResolverCatalogUserQuery,\n options?: {\n dangerousEntityRefFallback?: {\n entityRef:\n \| string\n \| {\n kind?: string;\n namespace?: string;\n name: string;\n };\n };\n },\n ) {\n try {\n const { entity } = await this.findCatalogUser(query);\n\n const { ownershipEntityRefs } = await this.resolveOwnershipEntityRefs(\n entity,\n );\n\n return await this.issueToken({\n claims: {\n sub: stringifyEntityRef(entity),\n ent: ownershipEntityRefs,\n },\n });\n } catch (error) {\n if (\n error?.name !== 'NotFoundError' \|\|\n !options?.dangerousEntityRefFallback\n ) {\n throw error;\n }\n const userEntityRef = stringifyEntityRef(\n parseEntityRef(options.dangerousEntityRefFallback.entityRef, {\n defaultKind: 'User',\n defaultNamespace: DEFAULT_NAMESPACE,\n }),\n );\n\n return await this.issueToken({\n claims: {\n sub: userEntityRef,\n ent: [userEntityRef],\n },\n });\n }\n }\n\n async resolveOwnershipEntityRefs(\n entity: Entity,\n ): Promise<{ ownershipEntityRefs: string[] }> {\n if (this.ownershipResolver) {\n return this.ownershipResolver.resolveOwnershipEntityRefs(entity);\n }\n return { ownershipEntityRefs: getDefaultOwnershipEntityRefs(entity) };\n }\n}\n"],"names":["RELATION_MEMBER_OF","stringifyEntityRef","CatalogIdentityClient","parseEntityRef","DEFAULT_NAMESPACE","InputError","ConflictError","NotFoundError"],"mappings":";;;;;;AAoCA,SAAS,8BAA8B,MAAgB,EAAA;AACrD,EAAM,MAAA,cAAA,GACJ,OAAO,SACH,EAAA,MAAA;AAAA,IACA,OAAK,CAAE,CAAA,IAAA,KAASA,mCAAsB,CAAE,CAAA,SAAA,CAAU,WAAW,QAAQ;AAAA,IAEtE,GAAI,CAAA,CAAA,CAAA,KAAK,CAAE,CAAA,SAAS,KAAK,EAAC;AAE/B,EAAO,OAAA,KAAA,CAAM,IAAK,iBAAA,IAAI,GAAI,CAAA,CAACC,+BAAmB,CAAA,MAAM,CAAG,EAAA,GAAG,cAAc,CAAC,CAAC,CAAA;AAC5E;AAEO,MAAM,0BAA0D,CAAA;AAAA,EAyB7D,YACU,MACA,EAAA,WAAA,EACA,uBACC,OACA,EAAA,IAAA,EACA,UACA,iBACjB,EAAA;AAPgB,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,WAAA,GAAA,WAAA;AACA,IAAA,IAAA,CAAA,qBAAA,GAAA,qBAAA;AACC,IAAA,IAAA,CAAA,OAAA,GAAA,OAAA;AACA,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AACA,IAAA,IAAA,CAAA,QAAA,GAAA,QAAA;AACA,IAAA,IAAA,CAAA,iBAAA,GAAA,iBAAA;AAAA;AAChB,EAhCH,OAAO,OAAO,OAOiB,EAAA;AAC7B,IAAM,MAAA,qBAAA,GAAwB,IAAIC,2CAAsB,CAAA;AAAA,MACtD,SAAS,OAAQ,CAAA,OAAA;AAAA,MACjB,MAAM,OAAQ,CAAA;AAAA,KACf,CAAA;AAED,IAAA,OAAO,IAAI,0BAAA;AAAA,MACT,OAAQ,CAAA,MAAA;AAAA,MACR,OAAQ,CAAA,WAAA;AAAA,MACR,qBAAA;AAAA,MACA,OAAQ,CAAA,OAAA;AAAA,MACR,OAAQ,CAAA,IAAA;AAAA,MACR,OAAQ,CAAA,QAAA;AAAA,MACR,OAAQ,CAAA;AAAA,KACV;AAAA;AACF,EAYA,MAAM,WAAW,MAAqB,EAAA;AACpC,IAAM,MAAA,EAAE,KAAK,GAAM,GAAA,CAAC,GAAG,CAAG,EAAA,GAAG,gBAAiB,EAAA,GAAI,MAAO,CAAA,MAAA;AACzD,IAAA,MAAM,MAAS,GAAA;AAAA,MACb,GAAA;AAAA,MACA,GAAA;AAAA,MACA,GAAG;AAAA,KACL;AAEA,IAAA,MAAM,WAAc,GAAA,MAAM,IAAK,CAAA,WAAA,CAAY,UAAW,CAAA;AAAA,MACpD;AAAA,KACD,CAAA;AAID,IAAM,MAAA,IAAA,CAAK,SAAS,WAAY,CAAA;AAAA,MAC9B;AAAA,KACD,CAAA;AAED,IAAO,OAAA,WAAA;AAAA;AACT,EAEA,MAAM,gBAAgB,KAAqC,EAAA;AACzD,IAAA,IAAI,MAAwC,GAAA,KAAA,CAAA;AAE5C,IAAA,IAAI,eAAe,KAAO,EAAA;AACxB,MAAM,MAAA,SAAA,GAAYC,2BAAe,CAAA,KAAA,CAAM,SAAW,EAAA;AAAA,QAChD,WAAa,EAAA,MAAA;AAAA,QACb,gBAAkB,EAAAC;AAAA,OACnB,CAAA;AACD,MAAA,MAAA,GAAS,MAAM,IAAA,CAAK,OAAQ,CAAA,cAAA,CAAe,SAAW,EAAA;AAAA,QACpD,WAAa,EAAA,MAAM,IAAK,CAAA,IAAA,CAAK,wBAAyB;AAAA,OACvD,CAAA;AAAA,KACH,MAAA,IAAW,iBAAiB,KAAO,EAAA;AACjC,MAAA,MAAM,MAAiC,GAAA;AAAA,QACrC,IAAM,EAAA;AAAA,OACR;AACA,MAAW,KAAA,MAAA,CAAC,KAAK,KAAK,CAAA,IAAK,OAAO,OAAQ,CAAA,KAAA,CAAM,WAAW,CAAG,EAAA;AAC5D,QAAO,MAAA,CAAA,CAAA,qBAAA,EAAwB,GAAG,CAAA,CAAE,CAAI,GAAA,KAAA;AAAA;AAE1C,MAAM,MAAA,GAAA,GAAM,MAAM,IAAA,CAAK,OAAQ,CAAA,WAAA;AAAA,QAC7B,EAAE,MAAO,EAAA;AAAA,QACT,EAAE,WAAa,EAAA,MAAM,IAAK,CAAA,IAAA,CAAK,0BAA2B;AAAA,OAC5D;AACA,MAAA,MAAA,GAAS,GAAI,CAAA,KAAA;AAAA,KACf,MAAA,IAAW,YAAY,KAAO,EAAA;AAC5B,MAAM,MAAA,MAAA,GAAS,CAAC,KAAM,CAAA,MAAM,EAAE,IAAK,EAAA,CAAE,IAAI,CAAS,KAAA,KAAA;AAChD,QAAA,IACE,CAAC,MAAA,CAAO,IAAK,CAAA,KAAK,CAAE,CAAA,IAAA;AAAA,UAClB,CAAO,GAAA,KAAA,GAAA,CAAI,iBAAkB,CAAA,OAAO,CAAM,KAAA;AAAA,SAE5C,EAAA;AACA,UAAO,OAAA;AAAA,YACL,GAAG,KAAA;AAAA,YACH,IAAM,EAAA;AAAA,WACR;AAAA;AAEF,QAAO,OAAA,KAAA;AAAA,OACR,CAAA;AACD,MAAM,MAAA,GAAA,GAAM,MAAM,IAAA,CAAK,OAAQ,CAAA,WAAA;AAAA,QAC7B,EAAE,MAAe,EAAA;AAAA,QACjB,EAAE,WAAa,EAAA,MAAM,IAAK,CAAA,IAAA,CAAK,0BAA2B;AAAA,OAC5D;AACA,MAAA,MAAA,GAAS,GAAI,CAAA,KAAA;AAAA,KACR,MAAA;AACL,MAAM,MAAA,IAAIC,kBAAW,2BAA2B,CAAA;AAAA;AAGlD,IAAI,IAAA,KAAA,CAAM,OAAQ,CAAA,MAAM,CAAG,EAAA;AACzB,MAAI,IAAA,MAAA,CAAO,SAAS,CAAG,EAAA;AACrB,QAAM,MAAA,IAAIC,qBAAc,0CAA0C,CAAA;AAAA;AAEpE,MAAA,MAAA,GAAS,OAAO,CAAC,CAAA;AAAA;AAEnB,IAAA,IAAI,CAAC,MAAQ,EAAA;AACX,MAAM,MAAA,IAAIC,qBAAc,gBAAgB,CAAA;AAAA;AAG1C,IAAO,OAAA,EAAE,QAAQ,MAAO,EAAA;AAAA;AAC1B,EAEA,MAAM,qBACJ,CAAA,KAAA,EACA,OAWA,EAAA;AACA,IAAI,IAAA;AACF,MAAA,MAAM,EAAE,MAAO,EAAA,GAAI,MAAM,IAAA,CAAK,gBAAgB,KAAK,CAAA;AAEnD,MAAA,MAAM,EAAE,mBAAA,EAAwB,GAAA,MAAM,IAAK,CAAA,0BAAA;AAAA,QACzC;AAAA,OACF;AAEA,MAAO,OAAA,MAAM,KAAK,UAAW,CAAA;AAAA,QAC3B,MAAQ,EAAA;AAAA,UACN,GAAA,EAAKN,gCAAmB,MAAM,CAAA;AAAA,UAC9B,GAAK,EAAA;AAAA;AACP,OACD,CAAA;AAAA,aACM,KAAO,EAAA;AACd,MAAA,IACE,KAAO,EAAA,IAAA,KAAS,eAChB,IAAA,CAAC,SAAS,0BACV,EAAA;AACA,QAAM,MAAA,KAAA;AAAA;AAER,MAAA,MAAM,aAAgB,GAAAA,+BAAA;AAAA,QACpBE,2BAAA,CAAe,OAAQ,CAAA,0BAAA,CAA2B,SAAW,EAAA;AAAA,UAC3D,WAAa,EAAA,MAAA;AAAA,UACb,gBAAkB,EAAAC;AAAA,SACnB;AAAA,OACH;AAEA,MAAO,OAAA,MAAM,KAAK,UAAW,CAAA;AAAA,QAC3B,MAAQ,EAAA;AAAA,UACN,GAAK,EAAA,aAAA;AAAA,UACL,GAAA,EAAK,CAAC,aAAa;AAAA;AACrB,OACD,CAAA;AAAA;AACH;AACF,EAEA,MAAM,2BACJ,MAC4C,EAAA;AAC5C,IAAA,IAAI,KAAK,iBAAmB,EAAA;AAC1B,MAAO,OAAA,IAAA,CAAK,iBAAkB,CAAA,0BAAA,CAA2B,MAAM,CAAA;AAAA;AAEjE,IAAA,OAAO,EAAE,mBAAA,EAAqB,6BAA8B,CAAA,MAAM,CAAE,EAAA;AAAA;AAExE;;;;"}
1	+ {"version":3,"file":"CatalogAuthResolverContext.cjs.js","sources":["../../../src/lib/resolvers/CatalogAuthResolverContext.ts"],"sourcesContent":["/\n Copyright 2022 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n DEFAULT_NAMESPACE,\n Entity,\n parseEntityRef,\n RELATION_MEMBER_OF,\n stringifyEntityRef,\n} from '@backstage/catalog-model';\nimport { ConflictError, InputError, NotFoundError } from '@backstage/errors';\nimport { AuthService, LoggerService } from '@backstage/backend-plugin-api';\nimport { CatalogService } from '@backstage/plugin-catalog-node';\nimport { TokenIssuer } from '../../identity/types';\nimport {\n AuthOwnershipResolver,\n AuthResolverCatalogUserQuery,\n AuthResolverContext,\n TokenParams,\n} from '@backstage/plugin-auth-node';\nimport { CatalogIdentityClient } from '../catalog/CatalogIdentityClient';\nimport { UserInfoDatabase } from '../../database/UserInfoDatabase';\n\nfunction getDefaultOwnershipEntityRefs(entity: Entity) {\n const membershipRefs =\n entity.relations\n ?.filter(\n r => r.type === RELATION_MEMBER_OF && r.targetRef.startsWith('group:'),\n )\n .map(r => r.targetRef) ?? [];\n\n return Array.from(new Set([stringifyEntityRef(entity), ...membershipRefs]));\n}\n\nexport class CatalogAuthResolverContext implements AuthResolverContext {\n static create(options: {\n logger: LoggerService;\n catalog: CatalogService;\n tokenIssuer: TokenIssuer;\n auth: AuthService;\n ownershipResolver?: AuthOwnershipResolver;\n userInfo: UserInfoDatabase;\n }): CatalogAuthResolverContext {\n const catalogIdentityClient = new CatalogIdentityClient({\n catalog: options.catalog,\n auth: options.auth,\n });\n\n return new CatalogAuthResolverContext(\n options.logger,\n options.tokenIssuer,\n catalogIdentityClient,\n options.catalog,\n options.auth,\n options.userInfo,\n options.ownershipResolver,\n );\n }\n\n private constructor(\n public readonly logger: LoggerService,\n public readonly tokenIssuer: TokenIssuer,\n public readonly catalogIdentityClient: CatalogIdentityClient,\n private readonly catalog: CatalogService,\n private readonly auth: AuthService,\n private readonly userInfo: UserInfoDatabase,\n private readonly ownershipResolver?: AuthOwnershipResolver,\n ) {}\n\n async issueToken(params: TokenParams) {\n const { sub, ent = [sub], ...additionalClaims } = params.claims;\n const claims = {\n sub,\n ent,\n ...additionalClaims,\n };\n\n const issuedToken = await this.tokenIssuer.issueToken({\n claims,\n });\n\n // Store the user info in the database upon successful token\n // issuance so that it can be retrieved later by limited user tokens\n await this.userInfo.addUserInfo({\n claims,\n });\n\n return issuedToken;\n }\n\n async findCatalogUser(query: AuthResolverCatalogUserQuery) {\n let result: Entity[] \| Entity \| undefined = undefined;\n\n if ('entityRef' in query) {\n const entityRef = parseEntityRef(query.entityRef, {\n defaultKind: 'User',\n defaultNamespace: DEFAULT_NAMESPACE,\n });\n result = await this.catalog.getEntityByRef(entityRef, {\n credentials: await this.auth.getOwnServiceCredentials(),\n });\n } else if ('annotations' in query) {\n const filter: Record<string, string> = {\n kind: 'user',\n };\n for (const [key, value] of Object.entries(query.annotations)) {\n filter[`metadata.annotations.${key}`] = value;\n }\n const res = await this.catalog.getEntities(\n { filter },\n { credentials: await this.auth.getOwnServiceCredentials() },\n );\n result = res.items;\n } else if ('filter' in query) {\n const filter = [query.filter].flat().map(value => {\n if (\n !Object.keys(value).some(\n key => key.toLocaleLowerCase('en-US') === 'kind',\n )\n ) {\n return {\n ...value,\n kind: 'user',\n };\n }\n return value;\n });\n const res = await this.catalog.getEntities(\n { filter: filter },\n { credentials: await this.auth.getOwnServiceCredentials() },\n );\n result = res.items;\n } else {\n throw new InputError('Invalid user lookup query');\n }\n\n if (Array.isArray(result)) {\n if (result.length > 1) {\n throw new ConflictError('User lookup resulted in multiple matches');\n }\n result = result[0];\n }\n if (!result) {\n throw new NotFoundError('User not found');\n }\n\n return { entity: result };\n }\n\n async signInWithCatalogUser(\n query: AuthResolverCatalogUserQuery,\n options?: {\n dangerousEntityRefFallback?: {\n entityRef:\n \| string\n \| {\n kind?: string;\n namespace?: string;\n name: string;\n };\n };\n },\n ) {\n try {\n const { entity } = await this.findCatalogUser(query);\n\n const { ownershipEntityRefs } = await this.resolveOwnershipEntityRefs(\n entity,\n );\n\n return await this.issueToken({\n claims: {\n sub: stringifyEntityRef(entity),\n ent: ownershipEntityRefs,\n },\n });\n } catch (error) {\n if (\n error?.name !== 'NotFoundError' \|\|\n !options?.dangerousEntityRefFallback\n ) {\n throw error;\n }\n const userEntityRef = stringifyEntityRef(\n parseEntityRef(options.dangerousEntityRefFallback.entityRef, {\n defaultKind: 'User',\n defaultNamespace: DEFAULT_NAMESPACE,\n }),\n );\n\n return await this.issueToken({\n claims: {\n sub: userEntityRef,\n ent: [userEntityRef],\n },\n });\n }\n }\n\n async resolveOwnershipEntityRefs(\n entity: Entity,\n ): Promise<{ ownershipEntityRefs: string[] }> {\n if (this.ownershipResolver) {\n return this.ownershipResolver.resolveOwnershipEntityRefs(entity);\n }\n return { ownershipEntityRefs: getDefaultOwnershipEntityRefs(entity) };\n }\n}\n"],"names":["RELATION_MEMBER_OF","stringifyEntityRef","CatalogIdentityClient","parseEntityRef","DEFAULT_NAMESPACE","InputError","ConflictError","NotFoundError"],"mappings":";;;;;;AAoCA,SAAS,8BAA8B,MAAA,EAAgB;AACrD,EAAA,MAAM,cAAA,GACJ,OAAO,SAAA,EACH,MAAA;AAAA,IACA,OAAK,CAAA,CAAE,IAAA,KAASA,mCAAsB,CAAA,CAAE,SAAA,CAAU,WAAW,QAAQ;AAAA,IAEtE,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,SAAS,KAAK,EAAC;AAE/B,EAAA,OAAO,KAAA,CAAM,IAAA,iBAAK,IAAI,GAAA,CAAI,CAACC,+BAAA,CAAmB,MAAM,CAAA,EAAG,GAAG,cAAc,CAAC,CAAC,CAAA;AAC5E;AAEO,MAAM,0BAAA,CAA0D;AAAA,EAyB7D,YACU,MAAA,EACA,WAAA,EACA,uBACC,OAAA,EACA,IAAA,EACA,UACA,iBAAA,EACjB;AAPgB,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,WAAA,GAAA,WAAA;AACA,IAAA,IAAA,CAAA,qBAAA,GAAA,qBAAA;AACC,IAAA,IAAA,CAAA,OAAA,GAAA,OAAA;AACA,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AACA,IAAA,IAAA,CAAA,QAAA,GAAA,QAAA;AACA,IAAA,IAAA,CAAA,iBAAA,GAAA,iBAAA;AAAA,EAChB;AAAA,EAhCH,OAAO,OAAO,OAAA,EAOiB;AAC7B,IAAA,MAAM,qBAAA,GAAwB,IAAIC,2CAAA,CAAsB;AAAA,MACtD,SAAS,OAAA,CAAQ,OAAA;AAAA,MACjB,MAAM,OAAA,CAAQ;AAAA,KACf,CAAA;AAED,IAAA,OAAO,IAAI,0BAAA;AAAA,MACT,OAAA,CAAQ,MAAA;AAAA,MACR,OAAA,CAAQ,WAAA;AAAA,MACR,qBAAA;AAAA,MACA,OAAA,CAAQ,OAAA;AAAA,MACR,OAAA,CAAQ,IAAA;AAAA,MACR,OAAA,CAAQ,QAAA;AAAA,MACR,OAAA,CAAQ;AAAA,KACV;AAAA,EACF;AAAA,EAYA,MAAM,WAAW,MAAA,EAAqB;AACpC,IAAA,MAAM,EAAE,KAAK,GAAA,GAAM,CAAC,GAAG,CAAA,EAAG,GAAG,gBAAA,EAAiB,GAAI,MAAA,CAAO,MAAA;AACzD,IAAA,MAAM,MAAA,GAAS;AAAA,MACb,GAAA;AAAA,MACA,GAAA;AAAA,MACA,GAAG;AAAA,KACL;AAEA,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,WAAA,CAAY,UAAA,CAAW;AAAA,MACpD;AAAA,KACD,CAAA;AAID,IAAA,MAAM,IAAA,CAAK,SAAS,WAAA,CAAY;AAAA,MAC9B;AAAA,KACD,CAAA;AAED,IAAA,OAAO,WAAA;AAAA,EACT;AAAA,EAEA,MAAM,gBAAgB,KAAA,EAAqC;AACzD,IAAA,IAAI,MAAA,GAAwC,MAAA;AAE5C,IAAA,IAAI,eAAe,KAAA,EAAO;AACxB,MAAA,MAAM,SAAA,GAAYC,2BAAA,CAAe,KAAA,CAAM,SAAA,EAAW;AAAA,QAChD,WAAA,EAAa,MAAA;AAAA,QACb,gBAAA,EAAkBC;AAAA,OACnB,CAAA;AACD,MAAA,MAAA,GAAS,MAAM,IAAA,CAAK,OAAA,CAAQ,cAAA,CAAe,SAAA,EAAW;AAAA,QACpD,WAAA,EAAa,MAAM,IAAA,CAAK,IAAA,CAAK,wBAAA;AAAyB,OACvD,CAAA;AAAA,IACH,CAAA,MAAA,IAAW,iBAAiB,KAAA,EAAO;AACjC,MAAA,MAAM,MAAA,GAAiC;AAAA,QACrC,IAAA,EAAM;AAAA,OACR;AACA,MAAA,KAAA,MAAW,CAAC,KAAK,KAAK,CAAA,IAAK,OAAO,OAAA,CAAQ,KAAA,CAAM,WAAW,CAAA,EAAG;AAC5D,QAAA,MAAA,CAAO,CAAA,qBAAA,EAAwB,GAAG,CAAA,CAAE,CAAA,GAAI,KAAA;AAAA,MAC1C;AACA,MAAA,MAAM,GAAA,GAAM,MAAM,IAAA,CAAK,OAAA,CAAQ,WAAA;AAAA,QAC7B,EAAE,MAAA,EAAO;AAAA,QACT,EAAE,WAAA,EAAa,MAAM,IAAA,CAAK,IAAA,CAAK,0BAAyB;AAAE,OAC5D;AACA,MAAA,MAAA,GAAS,GAAA,CAAI,KAAA;AAAA,IACf,CAAA,MAAA,IAAW,YAAY,KAAA,EAAO;AAC5B,MAAA,MAAM,MAAA,GAAS,CAAC,KAAA,CAAM,MAAM,EAAE,IAAA,EAAK,CAAE,IAAI,CAAA,KAAA,KAAS;AAChD,QAAA,IACE,CAAC,MAAA,CAAO,IAAA,CAAK,KAAK,CAAA,CAAE,IAAA;AAAA,UAClB,CAAA,GAAA,KAAO,GAAA,CAAI,iBAAA,CAAkB,OAAO,CAAA,KAAM;AAAA,SAC5C,EACA;AACA,UAAA,OAAO;AAAA,YACL,GAAG,KAAA;AAAA,YACH,IAAA,EAAM;AAAA,WACR;AAAA,QACF;AACA,QAAA,OAAO,KAAA;AAAA,MACT,CAAC,CAAA;AACD,MAAA,MAAM,GAAA,GAAM,MAAM,IAAA,CAAK,OAAA,CAAQ,WAAA;AAAA,QAC7B,EAAE,MAAA,EAAe;AAAA,QACjB,EAAE,WAAA,EAAa,MAAM,IAAA,CAAK,IAAA,CAAK,0BAAyB;AAAE,OAC5D;AACA,MAAA,MAAA,GAAS,GAAA,CAAI,KAAA;AAAA,IACf,CAAA,MAAO;AACL,MAAA,MAAM,IAAIC,kBAAW,2BAA2B,CAAA;AAAA,IAClD;AAEA,IAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,MAAM,CAAA,EAAG;AACzB,MAAA,IAAI,MAAA,CAAO,SAAS,CAAA,EAAG;AACrB,QAAA,MAAM,IAAIC,qBAAc,0CAA0C,CAAA;AAAA,MACpE;AACA,MAAA,MAAA,GAAS,OAAO,CAAC,CAAA;AAAA,IACnB;AACA,IAAA,IAAI,CAAC,MAAA,EAAQ;AACX,MAAA,MAAM,IAAIC,qBAAc,gBAAgB,CAAA;AAAA,IAC1C;AAEA,IAAA,OAAO,EAAE,QAAQ,MAAA,EAAO;AAAA,EAC1B;AAAA,EAEA,MAAM,qBAAA,CACJ,KAAA,EACA,OAAA,EAWA;AACA,IAAA,IAAI;AACF,MAAA,MAAM,EAAE,MAAA,EAAO,GAAI,MAAM,IAAA,CAAK,gBAAgB,KAAK,CAAA;AAEnD,MAAA,MAAM,EAAE,mBAAA,EAAoB,GAAI,MAAM,IAAA,CAAK,0BAAA;AAAA,QACzC;AAAA,OACF;AAEA,MAAA,OAAO,MAAM,KAAK,UAAA,CAAW;AAAA,QAC3B,MAAA,EAAQ;AAAA,UACN,GAAA,EAAKN,gCAAmB,MAAM,CAAA;AAAA,UAC9B,GAAA,EAAK;AAAA;AACP,OACD,CAAA;AAAA,IACH,SAAS,KAAA,EAAO;AACd,MAAA,IACE,KAAA,EAAO,IAAA,KAAS,eAAA,IAChB,CAAC,SAAS,0BAAA,EACV;AACA,QAAA,MAAM,KAAA;AAAA,MACR;AACA,MAAA,MAAM,aAAA,GAAgBA,+BAAA;AAAA,QACpBE,2BAAA,CAAe,OAAA,CAAQ,0BAAA,CAA2B,SAAA,EAAW;AAAA,UAC3D,WAAA,EAAa,MAAA;AAAA,UACb,gBAAA,EAAkBC;AAAA,SACnB;AAAA,OACH;AAEA,MAAA,OAAO,MAAM,KAAK,UAAA,CAAW;AAAA,QAC3B,MAAA,EAAQ;AAAA,UACN,GAAA,EAAK,aAAA;AAAA,UACL,GAAA,EAAK,CAAC,aAAa;AAAA;AACrB,OACD,CAAA;AAAA,IACH;AAAA,EACF;AAAA,EAEA,MAAM,2BACJ,MAAA,EAC4C;AAC5C,IAAA,IAAI,KAAK,iBAAA,EAAmB;AAC1B,MAAA,OAAO,IAAA,CAAK,iBAAA,CAAkB,0BAAA,CAA2B,MAAM,CAAA;AAAA,IACjE;AACA,IAAA,OAAO,EAAE,mBAAA,EAAqB,6BAAA,CAA8B,MAAM,CAAA,EAAE;AAAA,EACtE;AACF;;;;"}

package/dist/providers/router.cjs.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"router.cjs.js","sources":["../../src/providers/router.ts"],"sourcesContent":["/\n Copyright 2024 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { AuthService, LoggerService } from '@backstage/backend-plugin-api';\nimport { Config } from '@backstage/config';\nimport { assertError, NotFoundError } from '@backstage/errors';\nimport {\n AuthOwnershipResolver,\n AuthProviderFactory,\n} from '@backstage/plugin-auth-node';\nimport { CatalogService } from '@backstage/plugin-catalog-node';\nimport express from 'express';\nimport Router from 'express-promise-router';\nimport { Minimatch } from 'minimatch';\nimport { CatalogAuthResolverContext } from '../lib/resolvers/CatalogAuthResolverContext';\nimport { TokenIssuer } from '../identity/types';\nimport { UserInfoDatabase } from '../database/UserInfoDatabase';\n\nexport type ProviderFactories = { [s: string]: AuthProviderFactory };\n\nexport function bindProviderRouters(\n targetRouter: express.Router,\n options: {\n providers: ProviderFactories;\n appUrl: string;\n baseUrl: string;\n config: Config;\n logger: LoggerService;\n auth: AuthService;\n tokenIssuer: TokenIssuer;\n userInfo: UserInfoDatabase;\n ownershipResolver?: AuthOwnershipResolver;\n catalog: CatalogService;\n },\n) {\n const {\n providers,\n appUrl,\n baseUrl,\n config,\n logger,\n auth,\n tokenIssuer,\n catalog,\n ownershipResolver,\n userInfo,\n } = options;\n\n const providersConfig = config.getOptionalConfig('auth.providers');\n\n const isOriginAllowed = createOriginFilter(config);\n\n for (const [providerId, providerFactory] of Object.entries(providers)) {\n if (providersConfig?.has(providerId)) {\n logger.info(`Configuring auth provider: ${providerId}`);\n try {\n const provider = providerFactory({\n providerId,\n appUrl,\n baseUrl,\n isOriginAllowed,\n globalConfig: {\n baseUrl,\n appUrl,\n isOriginAllowed,\n },\n config: providersConfig.getConfig(providerId),\n logger,\n resolverContext: CatalogAuthResolverContext.create({\n logger,\n catalog,\n tokenIssuer,\n auth,\n ownershipResolver,\n userInfo,\n }),\n });\n\n const r = Router();\n\n r.get('/start', provider.start.bind(provider));\n r.get('/handler/frame', provider.frameHandler.bind(provider));\n r.post('/handler/frame', provider.frameHandler.bind(provider));\n if (provider.logout) {\n r.post('/logout', provider.logout.bind(provider));\n }\n if (provider.refresh) {\n r.get('/refresh', provider.refresh.bind(provider));\n r.post('/refresh', provider.refresh.bind(provider));\n }\n\n targetRouter.use(`/${providerId}`, r);\n } catch (e) {\n assertError(e);\n if (process.env.NODE_ENV !== 'development') {\n throw new Error(\n `Failed to initialize ${providerId} auth provider, ${e.message}`,\n );\n }\n\n logger.warn(`Skipping ${providerId} auth provider, ${e.message}`);\n\n targetRouter.use(`/${providerId}`, () => {\n // If the user added the provider under auth.providers but the clientId and clientSecret etc. were not found.\n throw new NotFoundError(\n `Auth provider registered for '${providerId}' is misconfigured. This could mean the configs under ` +\n `auth.providers.${providerId} are missing or the environment variables used are not defined. ` +\n `Check the auth backend plugin logs when the backend starts to see more details.`,\n );\n });\n }\n } else {\n targetRouter.use(`/${providerId}`, () => {\n throw new NotFoundError(\n `No auth provider registered for '${providerId}'`,\n );\n });\n }\n }\n}\n\nexport function createOriginFilter(\n config: Config,\n): (origin: string) => boolean {\n const appUrl = config.getString('app.baseUrl');\n const { origin: appOrigin } = new URL(appUrl);\n\n const allowedOrigins = config.getOptionalStringArray(\n 'auth.experimentalExtraAllowedOrigins',\n );\n\n const allowedOriginPatterns =\n allowedOrigins?.map(\n pattern => new Minimatch(pattern, { nocase: true, noglobstar: true }),\n ) ?? [];\n\n return origin => {\n if (origin === appOrigin) {\n return true;\n }\n return allowedOriginPatterns.some(pattern => pattern.match(origin));\n };\n}\n"],"names":["CatalogAuthResolverContext","Router","assertError","NotFoundError","Minimatch"],"mappings":";;;;;;;;;;;~~AAiCgB~~,~~SAAA~~,mBAAA,CACd,cACA,~~OAYA~~,~~EAAA~~;AACA,~~EAAM~~,~~MAAA~~;AAAA,IACJ,SAAA;AAAA,IACA,MAAA;AAAA,IACA,OAAA;AAAA,IACA,MAAA;AAAA,IACA,MAAA;AAAA,IACA,IAAA;AAAA,IACA,WAAA;AAAA,IACA,OAAA;AAAA,IACA,iBAAA;AAAA,IACA;AAAA,~~GACE~~,~~GAAA~~,OAAA;AAEJ,~~EAAM~~,~~MAAA~~,eAAA,GAAkB,~~MAAO~~,~~CAAA~~,iBAAA,CAAkB,gBAAgB,CAAA;AAEjE,~~EAAM~~,~~MAAA~~,eAAA,GAAkB,mBAAmB,MAAM,CAAA;AAEjD,EAAA,KAAA,MAAW,CAAC,~~UAAY~~,~~EAAA~~,eAAe,KAAK,~~MAAO~~,~~CAAA~~,OAAA,CAAQ,SAAS,~~CAAG~~,~~EAAA~~;AACrE,IAAI,~~IAAA,~~eAAA,EAAiB,~~GAAI~~,~~CAAA~~,UAAU,~~CAAG~~,~~EAAA~~;AACpC,~~MAAO~~,MAAA,~~CAAA~~,IAAA,CAAK,~~CAA8B~~,2BAAA,~~EAAA~~,UAAU,CAAE,CAAA~~,CAAA~~;AACtD,~~MAAI~~,~~IAAA~~;AACF,QAAA,MAAM,WAAW,~~eAAgB~~,~~CAAA~~;AAAA,UAC/B,UAAA;AAAA,UACA,MAAA;AAAA,UACA,OAAA;AAAA,UACA,eAAA;AAAA,UACA,~~YAAc~~,~~EAAA~~;AAAA,YACZ,OAAA;AAAA,YACA,MAAA;AAAA,YACA;AAAA,WACF;AAAA,UACA,MAAA,EAAQ,~~eAAgB~~,~~CAAA~~,SAAA,CAAU,UAAU,CAAA;AAAA,UAC5C,MAAA;AAAA,UACA,eAAA,EAAiBA,sDAA2B,~~MAAO~~,~~CAAA~~;AAAA,YACjD,MAAA;AAAA,YACA,OAAA;AAAA,YACA,WAAA;AAAA,YACA,IAAA;AAAA,YACA,iBAAA;AAAA,YACA;AAAA,WACD;AAAA,SACF,CAAA;AAED,QAAA,MAAM,IAAIC,~~uBAAO~~,~~EAAA~~;AAEjB,QAAA,CAAA,CAAE,IAAI,~~QAAU~~,~~EAAA~~,QAAA,CAAS,~~KAAM~~,~~CAAA~~,IAAA,CAAK,QAAQ,CAAC,CAAA;AAC7C,QAAA,CAAA,CAAE,IAAI,~~gBAAkB~~,~~EAAA~~,QAAA,CAAS,~~YAAa~~,~~CAAA~~,IAAA,CAAK,QAAQ,CAAC,CAAA;AAC5D,QAAA,CAAA,CAAE,KAAK,~~gBAAkB~~,~~EAAA~~,QAAA,CAAS,~~YAAa~~,~~CAAA~~,IAAA,CAAK,QAAQ,CAAC,CAAA;AAC7D,QAAA,IAAI,SAAS,~~MAAQ~~,~~EAAA~~;AACnB,UAAA,CAAA,CAAE,KAAK,~~SAAW~~,~~EAAA~~,QAAA,CAAS,~~MAAO~~,~~CAAA~~,IAAA,CAAK,QAAQ,CAAC,CAAA;AAAA;~~AAElD~~,QAAA,IAAI,SAAS,~~OAAS~~,~~EAAA~~;AACpB,UAAA,CAAA,CAAE,IAAI,~~UAAY~~,~~EAAA~~,QAAA,CAAS,~~OAAQ~~,~~CAAA~~,IAAA,CAAK,QAAQ,CAAC,CAAA;AACjD,UAAA,CAAA,CAAE,KAAK,~~UAAY~~,~~EAAA~~,QAAA,CAAS,~~OAAQ~~,~~CAAA~~,IAAA,CAAK,QAAQ,CAAC,CAAA;AAAA;~~AAGpD~~,QAAA,YAAA,CAAa,~~GAAI~~,~~CAAA~~,CAAA,CAAA,EAAI,UAAU,CAAA,CAAA,EAAI,CAAC,CAAA;AAAA,~~eAC7B~~,~~CAAG~~,~~EAAA~~;AACV,QAAAC,kBAAA,CAAY,CAAC,CAAA;AACb,~~QAAI~~,~~IAAA~~,OAAA,CAAQ,~~GAAI~~,~~CAAA~~,QAAA,KAAa,~~aAAe~~,~~EAAA~~;AAC1C,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,~~CAAwB~~,qBAAA,~~EAAA~~,UAAU,~~CAAmB~~,gBAAA,~~EAAA~~,CAAA,CAAE,OAAO,CAAA;AAAA,WAChE;AAAA;~~AAGF~~,QAAA,MAAA,CAAO,KAAK,~~CAAY~~,SAAA,~~EAAA~~,UAAU,~~CAAmB~~,gBAAA,~~EAAA~~,CAAA,CAAE,OAAO,CAAE,CAAA~~,CAAA~~;AAEhE,QAAA,YAAA,CAAa,~~GAAI~~,~~CAAA~~,CAAA,CAAA,EAAI,UAAU,CAAA,CAAA,EAAI,MAAM;AAEvC,UAAA,MAAM,IAAIC,oBAAA;AAAA,YACR,CAAA,8BAAA,EAAiC,UAAU,CAAA,qEAAA,EACvB,UAAU,CAAA,+IAAA;AAAA,WAEhC;AAAA,~~SACD~~,CAAA;AAAA;~~AACH~~,~~KACK~~,~~MAAA~~;AACL,MAAA,YAAA,CAAa,~~GAAI~~,~~CAAA~~,CAAA,CAAA,EAAI,UAAU,CAAA,CAAA,EAAI,MAAM;AACvC,QAAA,MAAM,IAAIA,oBAAA;AAAA,UACR,oCAAoC,UAAU,CAAA,CAAA;AAAA,SAChD;AAAA,~~OACD~~,CAAA;AAAA;~~AACH~~;~~AAEJ~~;AAEO,SAAS,mBACd,~~MAC6B~~,~~EAAA~~;AAC7B,~~EAAM~~,~~MAAA~~,MAAA,GAAS,~~MAAO~~,~~CAAA~~,SAAA,CAAU,aAAa,CAAA;AAC7C,EAAA,MAAM,EAAE,~~MAAQ~~,~~EAAA~~,SAAA,~~EAAc~~,~~GAAA~~,IAAI,IAAI,MAAM,CAAA;AAE5C,EAAA,MAAM,iBAAiB,~~MAAO~~,~~CAAA~~,sBAAA;AAAA,IAC5B;AAAA,GACF;AAEA,EAAA,MAAM,wBACJ,~~cAAgB~~,~~EAAA~~,GAAA;AAAA,IACd,CAAA,OAAA,KAAW,IAAIC,~~mBAAU~~,~~CAAA~~,OAAA,EAAS,EAAE,~~MAAQ~~,~~EAAA~~,IAAA,EAAM,~~UAAY~~,~~EAAA~~,IAAA,EAAM;AAAA,OACjE,EAAC;AAER,EAAA,OAAO,~~CAAU~~,MAAA,~~KAAA~~;AACf,IAAA,IAAI,WAAW,~~SAAW~~,~~EAAA~~;AACxB,~~MAAO~~,~~OAAA~~,IAAA;AAAA;~~AAET~~,IAAA,OAAO,sBAAsB,~~IAAK~~,~~CAAA~~,CAAA,OAAA,KAAW,~~OAAQ~~,~~CAAA~~,KAAA,CAAM,MAAM,CAAC,CAAA;AAAA,~~GACpE~~;AACF;;;;;"}
1	+ {"version":3,"file":"router.cjs.js","sources":["../../src/providers/router.ts"],"sourcesContent":["/\n Copyright 2024 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { AuthService, LoggerService } from '@backstage/backend-plugin-api';\nimport { Config } from '@backstage/config';\nimport { assertError, NotFoundError } from '@backstage/errors';\nimport {\n AuthOwnershipResolver,\n AuthProviderFactory,\n} from '@backstage/plugin-auth-node';\nimport { CatalogService } from '@backstage/plugin-catalog-node';\nimport express from 'express';\nimport Router from 'express-promise-router';\nimport { Minimatch } from 'minimatch';\nimport { CatalogAuthResolverContext } from '../lib/resolvers/CatalogAuthResolverContext';\nimport { TokenIssuer } from '../identity/types';\nimport { UserInfoDatabase } from '../database/UserInfoDatabase';\n\nexport type ProviderFactories = { [s: string]: AuthProviderFactory };\n\nexport function bindProviderRouters(\n targetRouter: express.Router,\n options: {\n providers: ProviderFactories;\n appUrl: string;\n baseUrl: string;\n config: Config;\n logger: LoggerService;\n auth: AuthService;\n tokenIssuer: TokenIssuer;\n userInfo: UserInfoDatabase;\n ownershipResolver?: AuthOwnershipResolver;\n catalog: CatalogService;\n },\n) {\n const {\n providers,\n appUrl,\n baseUrl,\n config,\n logger,\n auth,\n tokenIssuer,\n catalog,\n ownershipResolver,\n userInfo,\n } = options;\n\n const providersConfig = config.getOptionalConfig('auth.providers');\n\n const isOriginAllowed = createOriginFilter(config);\n\n for (const [providerId, providerFactory] of Object.entries(providers)) {\n if (providersConfig?.has(providerId)) {\n logger.info(`Configuring auth provider: ${providerId}`);\n try {\n const provider = providerFactory({\n providerId,\n appUrl,\n baseUrl,\n isOriginAllowed,\n globalConfig: {\n baseUrl,\n appUrl,\n isOriginAllowed,\n },\n config: providersConfig.getConfig(providerId),\n logger,\n resolverContext: CatalogAuthResolverContext.create({\n logger,\n catalog,\n tokenIssuer,\n auth,\n ownershipResolver,\n userInfo,\n }),\n });\n\n const r = Router();\n\n r.get('/start', provider.start.bind(provider));\n r.get('/handler/frame', provider.frameHandler.bind(provider));\n r.post('/handler/frame', provider.frameHandler.bind(provider));\n if (provider.logout) {\n r.post('/logout', provider.logout.bind(provider));\n }\n if (provider.refresh) {\n r.get('/refresh', provider.refresh.bind(provider));\n r.post('/refresh', provider.refresh.bind(provider));\n }\n\n targetRouter.use(`/${providerId}`, r);\n } catch (e) {\n assertError(e);\n if (process.env.NODE_ENV !== 'development') {\n throw new Error(\n `Failed to initialize ${providerId} auth provider, ${e.message}`,\n );\n }\n\n logger.warn(`Skipping ${providerId} auth provider, ${e.message}`);\n\n targetRouter.use(`/${providerId}`, () => {\n // If the user added the provider under auth.providers but the clientId and clientSecret etc. were not found.\n throw new NotFoundError(\n `Auth provider registered for '${providerId}' is misconfigured. This could mean the configs under ` +\n `auth.providers.${providerId} are missing or the environment variables used are not defined. ` +\n `Check the auth backend plugin logs when the backend starts to see more details.`,\n );\n });\n }\n } else {\n targetRouter.use(`/${providerId}`, () => {\n throw new NotFoundError(\n `No auth provider registered for '${providerId}'`,\n );\n });\n }\n }\n}\n\nexport function createOriginFilter(\n config: Config,\n): (origin: string) => boolean {\n const appUrl = config.getString('app.baseUrl');\n const { origin: appOrigin } = new URL(appUrl);\n\n const allowedOrigins = config.getOptionalStringArray(\n 'auth.experimentalExtraAllowedOrigins',\n );\n\n const allowedOriginPatterns =\n allowedOrigins?.map(\n pattern => new Minimatch(pattern, { nocase: true, noglobstar: true }),\n ) ?? [];\n\n return origin => {\n if (origin === appOrigin) {\n return true;\n }\n return allowedOriginPatterns.some(pattern => pattern.match(origin));\n };\n}\n"],"names":["CatalogAuthResolverContext","Router","assertError","NotFoundError","Minimatch"],"mappings":";;;;;;;;;;;AAiCO,SAAS,mBAAA,CACd,cACA,OAAA,EAYA;AACA,EAAA,MAAM;AAAA,IACJ,SAAA;AAAA,IACA,MAAA;AAAA,IACA,OAAA;AAAA,IACA,MAAA;AAAA,IACA,MAAA;AAAA,IACA,IAAA;AAAA,IACA,WAAA;AAAA,IACA,OAAA;AAAA,IACA,iBAAA;AAAA,IACA;AAAA,GACF,GAAI,OAAA;AAEJ,EAAA,MAAM,eAAA,GAAkB,MAAA,CAAO,iBAAA,CAAkB,gBAAgB,CAAA;AAEjE,EAAA,MAAM,eAAA,GAAkB,mBAAmB,MAAM,CAAA;AAEjD,EAAA,KAAA,MAAW,CAAC,UAAA,EAAY,eAAe,KAAK,MAAA,CAAO,OAAA,CAAQ,SAAS,CAAA,EAAG;AACrE,IAAA,IAAI,eAAA,EAAiB,GAAA,CAAI,UAAU,CAAA,EAAG;AACpC,MAAA,MAAA,CAAO,IAAA,CAAK,CAAA,2BAAA,EAA8B,UAAU,CAAA,CAAE,CAAA;AACtD,MAAA,IAAI;AACF,QAAA,MAAM,WAAW,eAAA,CAAgB;AAAA,UAC/B,UAAA;AAAA,UACA,MAAA;AAAA,UACA,OAAA;AAAA,UACA,eAAA;AAAA,UACA,YAAA,EAAc;AAAA,YACZ,OAAA;AAAA,YACA,MAAA;AAAA,YACA;AAAA,WACF;AAAA,UACA,MAAA,EAAQ,eAAA,CAAgB,SAAA,CAAU,UAAU,CAAA;AAAA,UAC5C,MAAA;AAAA,UACA,eAAA,EAAiBA,sDAA2B,MAAA,CAAO;AAAA,YACjD,MAAA;AAAA,YACA,OAAA;AAAA,YACA,WAAA;AAAA,YACA,IAAA;AAAA,YACA,iBAAA;AAAA,YACA;AAAA,WACD;AAAA,SACF,CAAA;AAED,QAAA,MAAM,IAAIC,uBAAA,EAAO;AAEjB,QAAA,CAAA,CAAE,IAAI,QAAA,EAAU,QAAA,CAAS,KAAA,CAAM,IAAA,CAAK,QAAQ,CAAC,CAAA;AAC7C,QAAA,CAAA,CAAE,IAAI,gBAAA,EAAkB,QAAA,CAAS,YAAA,CAAa,IAAA,CAAK,QAAQ,CAAC,CAAA;AAC5D,QAAA,CAAA,CAAE,KAAK,gBAAA,EAAkB,QAAA,CAAS,YAAA,CAAa,IAAA,CAAK,QAAQ,CAAC,CAAA;AAC7D,QAAA,IAAI,SAAS,MAAA,EAAQ;AACnB,UAAA,CAAA,CAAE,KAAK,SAAA,EAAW,QAAA,CAAS,MAAA,CAAO,IAAA,CAAK,QAAQ,CAAC,CAAA;AAAA,QAClD;AACA,QAAA,IAAI,SAAS,OAAA,EAAS;AACpB,UAAA,CAAA,CAAE,IAAI,UAAA,EAAY,QAAA,CAAS,OAAA,CAAQ,IAAA,CAAK,QAAQ,CAAC,CAAA;AACjD,UAAA,CAAA,CAAE,KAAK,UAAA,EAAY,QAAA,CAAS,OAAA,CAAQ,IAAA,CAAK,QAAQ,CAAC,CAAA;AAAA,QACpD;AAEA,QAAA,YAAA,CAAa,GAAA,CAAI,CAAA,CAAA,EAAI,UAAU,CAAA,CAAA,EAAI,CAAC,CAAA;AAAA,MACtC,SAAS,CAAA,EAAG;AACV,QAAAC,kBAAA,CAAY,CAAC,CAAA;AACb,QAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,aAAA,EAAe;AAC1C,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,CAAA,qBAAA,EAAwB,UAAU,CAAA,gBAAA,EAAmB,CAAA,CAAE,OAAO,CAAA;AAAA,WAChE;AAAA,QACF;AAEA,QAAA,MAAA,CAAO,KAAK,CAAA,SAAA,EAAY,UAAU,CAAA,gBAAA,EAAmB,CAAA,CAAE,OAAO,CAAA,CAAE,CAAA;AAEhE,QAAA,YAAA,CAAa,GAAA,CAAI,CAAA,CAAA,EAAI,UAAU,CAAA,CAAA,EAAI,MAAM;AAEvC,UAAA,MAAM,IAAIC,oBAAA;AAAA,YACR,CAAA,8BAAA,EAAiC,UAAU,CAAA,qEAAA,EACvB,UAAU,CAAA,+IAAA;AAAA,WAEhC;AAAA,QACF,CAAC,CAAA;AAAA,MACH;AAAA,IACF,CAAA,MAAO;AACL,MAAA,YAAA,CAAa,GAAA,CAAI,CAAA,CAAA,EAAI,UAAU,CAAA,CAAA,EAAI,MAAM;AACvC,QAAA,MAAM,IAAIA,oBAAA;AAAA,UACR,oCAAoC,UAAU,CAAA,CAAA;AAAA,SAChD;AAAA,MACF,CAAC,CAAA;AAAA,IACH;AAAA,EACF;AACF;AAEO,SAAS,mBACd,MAAA,EAC6B;AAC7B,EAAA,MAAM,MAAA,GAAS,MAAA,CAAO,SAAA,CAAU,aAAa,CAAA;AAC7C,EAAA,MAAM,EAAE,MAAA,EAAQ,SAAA,EAAU,GAAI,IAAI,IAAI,MAAM,CAAA;AAE5C,EAAA,MAAM,iBAAiB,MAAA,CAAO,sBAAA;AAAA,IAC5B;AAAA,GACF;AAEA,EAAA,MAAM,wBACJ,cAAA,EAAgB,GAAA;AAAA,IACd,CAAA,OAAA,KAAW,IAAIC,mBAAA,CAAU,OAAA,EAAS,EAAE,MAAA,EAAQ,IAAA,EAAM,UAAA,EAAY,IAAA,EAAM;AAAA,OACjE,EAAC;AAER,EAAA,OAAO,CAAA,MAAA,KAAU;AACf,IAAA,IAAI,WAAW,SAAA,EAAW;AACxB,MAAA,OAAO,IAAA;AAAA,IACT;AACA,IAAA,OAAO,sBAAsB,IAAA,CAAK,CAAA,OAAA,KAAW,OAAA,CAAQ,KAAA,CAAM,MAAM,CAAC,CAAA;AAAA,EACpE,CAAA;AACF;;;;;"}

package/dist/service/OidcRouter.cjs.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"OidcRouter.cjs.js","sources":["../../src/service/OidcRouter.ts"],"sourcesContent":["/\n Copyright 2025 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport Router from 'express-promise-router';\nimport { OidcService } from './OidcService';\nimport { AuthenticationError } from '@backstage/errors';\nimport { AuthService } from '@backstage/backend-plugin-api';\nimport { TokenIssuer } from '../identity/types';\nimport { UserInfoDatabase } from '../database/UserInfoDatabase';\n\nexport class OidcRouter {\n private constructor(private readonly oidc: OidcService) {}\n\n static create(options: {\n auth: AuthService;\n tokenIssuer: TokenIssuer;\n baseUrl: string;\n userInfo: UserInfoDatabase;\n }) {\n return new OidcRouter(OidcService.create(options));\n }\n\n public getRouter() {\n const router = Router();\n\n router.get('/.well-known/openid-configuration', (_req, res) => {\n res.json(this.oidc.getConfiguration());\n });\n\n router.get('/.well-known/jwks.json', async (_req, res) => {\n const { keys } = await this.oidc.listPublicKeys();\n res.json({ keys });\n });\n\n router.get('/v1/token', (_req, res) => {\n res.status(501).send('Not Implemented');\n });\n\n // This endpoint doesn't use the regular HttpAuthoidc, since the contract\n // is specifically for the header to be communicated in the Authorization\n // header, regardless of token type\n router.get('/v1/userinfo', async (req, res) => {\n const matches = req.headers.authorization?.match(/^Bearer[ ]+(\\S+)$/i);\n const token = matches?.[1];\n if (!token) {\n throw new AuthenticationError('No token provided');\n }\n\n const userInfo = await this.oidc.getUserInfo({ token });\n\n if (!userInfo) {\n res.status(404).send('User info not found');\n return;\n }\n\n res.json(userInfo);\n });\n\n return router;\n }\n}\n"],"names":["OidcService","Router","AuthenticationError"],"mappings":";;;;;;;;;;AAsBO,MAAM,~~UAAW~~,~~CAAA~~;AAAA,EACd,YAA6B,~~IAAmB~~,~~EAAA~~;AAAnB,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AAAA;~~AAAoB~~,EAEzD,OAAO,OAAO,~~OAKX~~,~~EAAA~~;AACD,IAAA,OAAO,IAAI,UAAA,CAAWA,~~uBAAY~~,~~CAAA~~,MAAA,CAAO,OAAO,CAAC,CAAA;AAAA;~~AACnD~~,EAEO,~~SAAY~~,~~GAAA~~;AACjB,IAAA,MAAM,SAASC,~~uBAAO~~,~~EAAA~~;AAEtB,IAAA,MAAA,CAAO,~~GAAI~~,~~CAAA~~,mCAAA,EAAqC,CAAC,IAAA,EAAM,~~GAAQ~~,~~KAAA~~;AAC7D,MAAA,GAAA,CAAI,~~IAAK~~,~~CAAA~~,IAAA,CAAK,~~IAAK~~,~~CAAA~~,gBAAA,EAAkB,CAAA;AAAA,~~KACtC~~,CAAA;AAED,IAAA,MAAA,CAAO,~~GAAI~~,~~CAAA~~,wBAAA,EAA0B,OAAO,IAAA,EAAM,~~GAAQ~~,~~KAAA~~;AACxD,MAAA,MAAM,EAAE,~~IAAK~~,~~EAAA~~,GAAI,MAAM,IAAA,CAAK,KAAK,~~cAAe~~,~~EAAA~~;AAChD,~~MAAI~~,GAAA,~~CAAA~~,IAAA,CAAK,EAAE,IAAA,EAAM,CAAA;AAAA,~~KAClB~~,CAAA;AAED,IAAA,MAAA,CAAO,~~GAAI~~,~~CAAA~~,WAAA,EAAa,CAAC,IAAA,EAAM,~~GAAQ~~,~~KAAA~~;AACrC,MAAA,GAAA,CAAI,~~MAAO~~,~~CAAA~~,GAAG,CAAE,~~CAAA,~~IAAA,CAAK,iBAAiB,CAAA;AAAA,~~KACvC~~,CAAA;AAKD,IAAA,MAAA,CAAO,~~GAAI~~,~~CAAA~~,cAAA,EAAgB,OAAO,GAAA,EAAK,~~GAAQ~~,~~KAAA~~;AAC7C,MAAA,MAAM,~~OAAU~~,~~GAAA~~,GAAA,CAAI,~~OAAQ~~,~~CAAA~~,aAAA,EAAe,MAAM,oBAAoB,CAAA;AACrE,MAAM,~~MAAA,~~KAAA,GAAQ,UAAU,CAAC,CAAA;AACzB,MAAA,IAAI,CAAC,~~KAAO~~,~~EAAA~~;AACV,~~QAAM~~,~~MAAA~~,IAAIC,2BAAoB,mBAAmB,CAAA;AAAA;~~AAGnD~~,MAAA,MAAM,WAAW,MAAM,IAAA,CAAK,KAAK,~~WAAY~~,~~CAAA~~,EAAE,OAAO,CAAA;AAEtD,MAAA,IAAI,CAAC,~~QAAU~~,~~EAAA~~;AACb,QAAA,GAAA,CAAI,~~MAAO~~,~~CAAA~~,GAAG,CAAE,~~CAAA,~~IAAA,CAAK,qBAAqB,CAAA;AAC1C,QAAA;AAAA;~~AAGF~~,MAAA,GAAA,CAAI,KAAK,QAAQ,CAAA;AAAA,~~KAClB~~,CAAA;AAED,~~IAAO~~,~~OAAA~~,MAAA;AAAA;~~AAEX~~;;;;"}
1	+ {"version":3,"file":"OidcRouter.cjs.js","sources":["../../src/service/OidcRouter.ts"],"sourcesContent":["/\n Copyright 2025 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport Router from 'express-promise-router';\nimport { OidcService } from './OidcService';\nimport { AuthenticationError } from '@backstage/errors';\nimport { AuthService } from '@backstage/backend-plugin-api';\nimport { TokenIssuer } from '../identity/types';\nimport { UserInfoDatabase } from '../database/UserInfoDatabase';\n\nexport class OidcRouter {\n private constructor(private readonly oidc: OidcService) {}\n\n static create(options: {\n auth: AuthService;\n tokenIssuer: TokenIssuer;\n baseUrl: string;\n userInfo: UserInfoDatabase;\n }) {\n return new OidcRouter(OidcService.create(options));\n }\n\n public getRouter() {\n const router = Router();\n\n router.get('/.well-known/openid-configuration', (_req, res) => {\n res.json(this.oidc.getConfiguration());\n });\n\n router.get('/.well-known/jwks.json', async (_req, res) => {\n const { keys } = await this.oidc.listPublicKeys();\n res.json({ keys });\n });\n\n router.get('/v1/token', (_req, res) => {\n res.status(501).send('Not Implemented');\n });\n\n // This endpoint doesn't use the regular HttpAuthoidc, since the contract\n // is specifically for the header to be communicated in the Authorization\n // header, regardless of token type\n router.get('/v1/userinfo', async (req, res) => {\n const matches = req.headers.authorization?.match(/^Bearer[ ]+(\\S+)$/i);\n const token = matches?.[1];\n if (!token) {\n throw new AuthenticationError('No token provided');\n }\n\n const userInfo = await this.oidc.getUserInfo({ token });\n\n if (!userInfo) {\n res.status(404).send('User info not found');\n return;\n }\n\n res.json(userInfo);\n });\n\n return router;\n }\n}\n"],"names":["OidcService","Router","AuthenticationError"],"mappings":";;;;;;;;;;AAsBO,MAAM,UAAA,CAAW;AAAA,EACd,YAA6B,IAAA,EAAmB;AAAnB,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AAAA,EAAoB;AAAA,EAEzD,OAAO,OAAO,OAAA,EAKX;AACD,IAAA,OAAO,IAAI,UAAA,CAAWA,uBAAA,CAAY,MAAA,CAAO,OAAO,CAAC,CAAA;AAAA,EACnD;AAAA,EAEO,SAAA,GAAY;AACjB,IAAA,MAAM,SAASC,uBAAA,EAAO;AAEtB,IAAA,MAAA,CAAO,GAAA,CAAI,mCAAA,EAAqC,CAAC,IAAA,EAAM,GAAA,KAAQ;AAC7D,MAAA,GAAA,CAAI,IAAA,CAAK,IAAA,CAAK,IAAA,CAAK,gBAAA,EAAkB,CAAA;AAAA,IACvC,CAAC,CAAA;AAED,IAAA,MAAA,CAAO,GAAA,CAAI,wBAAA,EAA0B,OAAO,IAAA,EAAM,GAAA,KAAQ;AACxD,MAAA,MAAM,EAAE,IAAA,EAAK,GAAI,MAAM,IAAA,CAAK,KAAK,cAAA,EAAe;AAChD,MAAA,GAAA,CAAI,IAAA,CAAK,EAAE,IAAA,EAAM,CAAA;AAAA,IACnB,CAAC,CAAA;AAED,IAAA,MAAA,CAAO,GAAA,CAAI,WAAA,EAAa,CAAC,IAAA,EAAM,GAAA,KAAQ;AACrC,MAAA,GAAA,CAAI,MAAA,CAAO,GAAG,CAAA,CAAE,IAAA,CAAK,iBAAiB,CAAA;AAAA,IACxC,CAAC,CAAA;AAKD,IAAA,MAAA,CAAO,GAAA,CAAI,cAAA,EAAgB,OAAO,GAAA,EAAK,GAAA,KAAQ;AAC7C,MAAA,MAAM,OAAA,GAAU,GAAA,CAAI,OAAA,CAAQ,aAAA,EAAe,MAAM,oBAAoB,CAAA;AACrE,MAAA,MAAM,KAAA,GAAQ,UAAU,CAAC,CAAA;AACzB,MAAA,IAAI,CAAC,KAAA,EAAO;AACV,QAAA,MAAM,IAAIC,2BAAoB,mBAAmB,CAAA;AAAA,MACnD;AAEA,MAAA,MAAM,WAAW,MAAM,IAAA,CAAK,KAAK,WAAA,CAAY,EAAE,OAAO,CAAA;AAEtD,MAAA,IAAI,CAAC,QAAA,EAAU;AACb,QAAA,GAAA,CAAI,MAAA,CAAO,GAAG,CAAA,CAAE,IAAA,CAAK,qBAAqB,CAAA;AAC1C,QAAA;AAAA,MACF;AAEA,MAAA,GAAA,CAAI,KAAK,QAAQ,CAAA;AAAA,IACnB,CAAC,CAAA;AAED,IAAA,OAAO,MAAA;AAAA,EACT;AACF;;;;"}

package/dist/service/OidcService.cjs.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"OidcService.cjs.js","sources":["../../src/service/OidcService.ts"],"sourcesContent":["/\n Copyright 2025 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport { AuthService } from '@backstage/backend-plugin-api';\nimport { TokenIssuer } from '../identity/types';\nimport { UserInfoDatabase } from '../database/UserInfoDatabase';\nimport { InputError } from '@backstage/errors';\nimport { decodeJwt } from 'jose';\n\nexport class OidcService {\n private constructor(\n private readonly auth: AuthService,\n private readonly tokenIssuer: TokenIssuer,\n private readonly baseUrl: string,\n private readonly userInfo: UserInfoDatabase,\n ) {}\n\n static create(options: {\n auth: AuthService;\n tokenIssuer: TokenIssuer;\n baseUrl: string;\n userInfo: UserInfoDatabase;\n }) {\n return new OidcService(\n options.auth,\n options.tokenIssuer,\n options.baseUrl,\n options.userInfo,\n );\n }\n\n public getConfiguration() {\n return {\n issuer: this.baseUrl,\n token_endpoint: `${this.baseUrl}/v1/token`,\n userinfo_endpoint: `${this.baseUrl}/v1/userinfo`,\n jwks_uri: `${this.baseUrl}/.well-known/jwks.json`,\n response_types_supported: ['id_token'],\n subject_types_supported: ['public'],\n id_token_signing_alg_values_supported: [\n 'RS256',\n 'RS384',\n 'RS512',\n 'ES256',\n 'ES384',\n 'ES512',\n 'PS256',\n 'PS384',\n 'PS512',\n 'EdDSA',\n ],\n scopes_supported: ['openid'],\n token_endpoint_auth_methods_supported: [],\n claims_supported: ['sub', 'ent'],\n grant_types_supported: [],\n };\n }\n\n public async listPublicKeys() {\n return await this.tokenIssuer.listPublicKeys();\n }\n\n public async getUserInfo({ token }: { token: string }) {\n const credentials = await this.auth.authenticate(token, {\n allowLimitedAccess: true,\n });\n if (!this.auth.isPrincipal(credentials, 'user')) {\n throw new InputError(\n 'Userinfo endpoint must be called with a token that represents a user principal',\n );\n }\n\n const { sub: userEntityRef } = decodeJwt(token);\n\n if (typeof userEntityRef !== 'string') {\n throw new Error('Invalid user token, user entity ref must be a string');\n }\n return await this.userInfo.getUserInfo(userEntityRef);\n }\n}\n"],"names":["InputError","decodeJwt"],"mappings":";;;;;AAqBO,MAAM,~~WAAY~~,~~CAAA~~;AAAA,EACf,~~WACW~~,~~CAAA~~,IAAA,EACA,~~WACA~~,~~EAAA~~,OAAA,EACA,~~QACjB~~,~~EAAA~~;AAJiB,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AACA,IAAA,IAAA,CAAA,WAAA,GAAA,WAAA;AACA,IAAA,IAAA,CAAA,OAAA,GAAA,OAAA;AACA,IAAA,IAAA,CAAA,QAAA,GAAA,QAAA;AAAA;~~AAChB~~,EAEH,OAAO,OAAO,~~OAKX~~,~~EAAA~~;AACD,IAAA,OAAO,IAAI,WAAA;AAAA,MACT,~~OAAQ~~,~~CAAA~~,IAAA;AAAA,MACR,~~OAAQ~~,~~CAAA~~,WAAA;AAAA,MACR,~~OAAQ~~,~~CAAA~~,OAAA;AAAA,MACR,~~OAAQ~~,~~CAAA~~;AAAA,KACV;AAAA;~~AACF~~,EAEO,~~gBAAmB~~,~~GAAA~~;AACxB,~~IAAO~~,~~OAAA~~;AAAA,MACL,QAAQ,~~IAAK~~,~~CAAA~~,OAAA;AAAA,MACb,cAAA,EAAgB,~~CAAG~~,~~EAAA~~,IAAA,CAAK,OAAO,CAAA,SAAA,CAAA;AAAA,MAC/B,iBAAA,EAAmB,~~CAAG~~,~~EAAA~~,IAAA,CAAK,OAAO,CAAA,YAAA,CAAA;AAAA,MAClC,QAAA,EAAU,~~CAAG~~,~~EAAA~~,IAAA,CAAK,OAAO,CAAA,sBAAA,CAAA;AAAA,MACzB,wBAAA,EAA0B,CAAC,UAAU,CAAA;AAAA,MACrC,uBAAA,EAAyB,CAAC,QAAQ,CAAA;AAAA,MAClC,~~qCAAuC~~,~~EAAA~~;AAAA,QACrC,OAAA;AAAA,QACA,OAAA;AAAA,QACA,OAAA;AAAA,QACA,OAAA;AAAA,QACA,OAAA;AAAA,QACA,OAAA;AAAA,QACA,OAAA;AAAA,QACA,OAAA;AAAA,QACA,OAAA;AAAA,QACA;AAAA,OACF;AAAA,MACA,gBAAA,EAAkB,CAAC,QAAQ,CAAA;AAAA,MAC3B,uCAAuC,EAAC;AAAA,MACxC,gBAAA,EAAkB,CAAC,KAAA,EAAO,KAAK,CAAA;AAAA,MAC/B,uBAAuB;AAAC,KAC1B;AAAA;~~AACF~~,EAEA,MAAa,~~cAAiB~~,~~GAAA~~;AAC5B,~~IAAO~~,~~OAAA~~,MAAM,~~IAAK~~,~~CAAA~~,WAAA,CAAY,~~cAAe~~,~~EAAA~~;AAAA~~;AAC~~/C,EAEA,MAAa,WAAA,CAAY,EAAE,KAAA,~~EAA4B~~,~~EAAA~~;AACrD,IAAA,MAAM,~~WAAc~~,~~GAAA~~,MAAM,~~IAAK~~,~~CAAA~~,IAAA,CAAK,aAAa,~~KAAO~~,~~EAAA~~;AAAA,MACtD,~~kBAAoB~~,~~EAAA~~;AAAA,KACrB,CAAA;AACD,IAAA,IAAI,CAAC,~~IAAK~~,~~CAAA~~,IAAA,CAAK,~~WAAY~~,~~CAAA~~,WAAA,EAAa,MAAM,~~CAAG~~,~~EAAA~~;AAC/C,MAAA,MAAM,IAAIA,iBAAA;AAAA,QACR;AAAA,OACF;AAAA;~~AAGF~~,IAAA,MAAM,EAAE,GAAA,EAAK,~~aAAc~~,~~EAAA~~,GAAIC,eAAU,KAAK,CAAA;AAE9C,IAAI,~~IAAA,~~OAAO,kBAAkB,~~QAAU~~,~~EAAA~~;AACrC,MAAM,~~MAAA,~~IAAI,MAAM,sDAAsD,CAAA;AAAA;~~AAExE~~,IAAA,OAAO,MAAM,IAAA,CAAK,~~QAAS~~,~~CAAA~~,WAAA,CAAY,aAAa,CAAA;AAAA;~~AAExD~~;;;;"}
1	+ {"version":3,"file":"OidcService.cjs.js","sources":["../../src/service/OidcService.ts"],"sourcesContent":["/\n Copyright 2025 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport { AuthService } from '@backstage/backend-plugin-api';\nimport { TokenIssuer } from '../identity/types';\nimport { UserInfoDatabase } from '../database/UserInfoDatabase';\nimport { InputError } from '@backstage/errors';\nimport { decodeJwt } from 'jose';\n\nexport class OidcService {\n private constructor(\n private readonly auth: AuthService,\n private readonly tokenIssuer: TokenIssuer,\n private readonly baseUrl: string,\n private readonly userInfo: UserInfoDatabase,\n ) {}\n\n static create(options: {\n auth: AuthService;\n tokenIssuer: TokenIssuer;\n baseUrl: string;\n userInfo: UserInfoDatabase;\n }) {\n return new OidcService(\n options.auth,\n options.tokenIssuer,\n options.baseUrl,\n options.userInfo,\n );\n }\n\n public getConfiguration() {\n return {\n issuer: this.baseUrl,\n token_endpoint: `${this.baseUrl}/v1/token`,\n userinfo_endpoint: `${this.baseUrl}/v1/userinfo`,\n jwks_uri: `${this.baseUrl}/.well-known/jwks.json`,\n response_types_supported: ['id_token'],\n subject_types_supported: ['public'],\n id_token_signing_alg_values_supported: [\n 'RS256',\n 'RS384',\n 'RS512',\n 'ES256',\n 'ES384',\n 'ES512',\n 'PS256',\n 'PS384',\n 'PS512',\n 'EdDSA',\n ],\n scopes_supported: ['openid'],\n token_endpoint_auth_methods_supported: [],\n claims_supported: ['sub', 'ent'],\n grant_types_supported: [],\n };\n }\n\n public async listPublicKeys() {\n return await this.tokenIssuer.listPublicKeys();\n }\n\n public async getUserInfo({ token }: { token: string }) {\n const credentials = await this.auth.authenticate(token, {\n allowLimitedAccess: true,\n });\n if (!this.auth.isPrincipal(credentials, 'user')) {\n throw new InputError(\n 'Userinfo endpoint must be called with a token that represents a user principal',\n );\n }\n\n const { sub: userEntityRef } = decodeJwt(token);\n\n if (typeof userEntityRef !== 'string') {\n throw new Error('Invalid user token, user entity ref must be a string');\n }\n return await this.userInfo.getUserInfo(userEntityRef);\n }\n}\n"],"names":["InputError","decodeJwt"],"mappings":";;;;;AAqBO,MAAM,WAAA,CAAY;AAAA,EACf,WAAA,CACW,IAAA,EACA,WAAA,EACA,OAAA,EACA,QAAA,EACjB;AAJiB,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AACA,IAAA,IAAA,CAAA,WAAA,GAAA,WAAA;AACA,IAAA,IAAA,CAAA,OAAA,GAAA,OAAA;AACA,IAAA,IAAA,CAAA,QAAA,GAAA,QAAA;AAAA,EAChB;AAAA,EAEH,OAAO,OAAO,OAAA,EAKX;AACD,IAAA,OAAO,IAAI,WAAA;AAAA,MACT,OAAA,CAAQ,IAAA;AAAA,MACR,OAAA,CAAQ,WAAA;AAAA,MACR,OAAA,CAAQ,OAAA;AAAA,MACR,OAAA,CAAQ;AAAA,KACV;AAAA,EACF;AAAA,EAEO,gBAAA,GAAmB;AACxB,IAAA,OAAO;AAAA,MACL,QAAQ,IAAA,CAAK,OAAA;AAAA,MACb,cAAA,EAAgB,CAAA,EAAG,IAAA,CAAK,OAAO,CAAA,SAAA,CAAA;AAAA,MAC/B,iBAAA,EAAmB,CAAA,EAAG,IAAA,CAAK,OAAO,CAAA,YAAA,CAAA;AAAA,MAClC,QAAA,EAAU,CAAA,EAAG,IAAA,CAAK,OAAO,CAAA,sBAAA,CAAA;AAAA,MACzB,wBAAA,EAA0B,CAAC,UAAU,CAAA;AAAA,MACrC,uBAAA,EAAyB,CAAC,QAAQ,CAAA;AAAA,MAClC,qCAAA,EAAuC;AAAA,QACrC,OAAA;AAAA,QACA,OAAA;AAAA,QACA,OAAA;AAAA,QACA,OAAA;AAAA,QACA,OAAA;AAAA,QACA,OAAA;AAAA,QACA,OAAA;AAAA,QACA,OAAA;AAAA,QACA,OAAA;AAAA,QACA;AAAA,OACF;AAAA,MACA,gBAAA,EAAkB,CAAC,QAAQ,CAAA;AAAA,MAC3B,uCAAuC,EAAC;AAAA,MACxC,gBAAA,EAAkB,CAAC,KAAA,EAAO,KAAK,CAAA;AAAA,MAC/B,uBAAuB;AAAC,KAC1B;AAAA,EACF;AAAA,EAEA,MAAa,cAAA,GAAiB;AAC5B,IAAA,OAAO,MAAM,IAAA,CAAK,WAAA,CAAY,cAAA,EAAe;AAAA,EAC/C;AAAA,EAEA,MAAa,WAAA,CAAY,EAAE,KAAA,EAAM,EAAsB;AACrD,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,IAAA,CAAK,aAAa,KAAA,EAAO;AAAA,MACtD,kBAAA,EAAoB;AAAA,KACrB,CAAA;AACD,IAAA,IAAI,CAAC,IAAA,CAAK,IAAA,CAAK,WAAA,CAAY,WAAA,EAAa,MAAM,CAAA,EAAG;AAC/C,MAAA,MAAM,IAAIA,iBAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AAEA,IAAA,MAAM,EAAE,GAAA,EAAK,aAAA,EAAc,GAAIC,eAAU,KAAK,CAAA;AAE9C,IAAA,IAAI,OAAO,kBAAkB,QAAA,EAAU;AACrC,MAAA,MAAM,IAAI,MAAM,sDAAsD,CAAA;AAAA,IACxE;AACA,IAAA,OAAO,MAAM,IAAA,CAAK,QAAA,CAAS,WAAA,CAAY,aAAa,CAAA;AAAA,EACtD;AACF;;;;"}

package/dist/service/readBackstageTokenExpiration.cjs.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"readBackstageTokenExpiration.cjs.js","sources":["../../src/service/readBackstageTokenExpiration.ts"],"sourcesContent":["/\n Copyright 2024 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { RootConfigService } from '@backstage/backend-plugin-api';\nimport { readDurationFromConfig } from '@backstage/config';\nimport { durationToMilliseconds } from '@backstage/types';\n\nconst TOKEN_EXP_DEFAULT_S = 3600;\nconst TOKEN_EXP_MIN_S = 600;\nconst TOKEN_EXP_MAX_S = 86400;\n\nexport function readBackstageTokenExpiration(config: RootConfigService) {\n const processingIntervalKey = 'auth.backstageTokenExpiration';\n\n if (!config.has(processingIntervalKey)) {\n return TOKEN_EXP_DEFAULT_S;\n }\n\n const duration = readDurationFromConfig(config, {\n key: processingIntervalKey,\n });\n\n const durationS = Math.round(durationToMilliseconds(duration) / 1000);\n\n if (durationS < TOKEN_EXP_MIN_S) {\n return TOKEN_EXP_MIN_S;\n } else if (durationS > TOKEN_EXP_MAX_S) {\n return TOKEN_EXP_MAX_S;\n }\n return durationS;\n}\n"],"names":["config","readDurationFromConfig","durationToMilliseconds"],"mappings":";;;;;AAoBA,MAAM,~~mBAAsB~~,~~GAAA~~,IAAA;AAC5B,MAAM,~~eAAkB~~,~~GAAA~~,GAAA;AACxB,MAAM,~~eAAkB~~,~~GAAA~~,KAAA;AAEjB,SAAS,6BAA6BA,~~QAA2B~~,~~EAAA~~;AACtE,EAAA,MAAM,~~qBAAwB~~,~~GAAA~~,+BAAA;AAE9B,EAAA,IAAI,CAACA,QAAA,CAAO,~~GAAI~~,~~CAAA~~,qBAAqB,~~CAAG~~,~~EAAA~~;AACtC,~~IAAO~~,~~OAAA~~,mBAAA;AAAA;~~AAGT~~,~~EAAM~~,~~MAAA~~,QAAA,GAAWC,8BAAuBD,~~QAAQ~~,~~EAAA~~;AAAA,IAC9C,~~GAAK~~,~~EAAA~~;AAAA,GACN,CAAA;AAED,EAAA,MAAM,YAAY,~~IAAK~~,~~CAAA~~,KAAA,CAAME,~~4BAAuB~~,~~CAAA~~,QAAQ,IAAI,GAAI,CAAA;AAEpE,EAAA,IAAI,YAAY,~~eAAiB~~,~~EAAA~~;AAC/B,~~IAAO~~,~~OAAA~~,eAAA;AAAA,~~GACT~~,MAAA,IAAW,YAAY,~~eAAiB~~,~~EAAA~~;AACtC,~~IAAO~~,~~OAAA~~,eAAA;AAAA;~~AAET~~,~~EAAO~~,~~OAAA~~,SAAA;AACT;;;;"}
1	+ {"version":3,"file":"readBackstageTokenExpiration.cjs.js","sources":["../../src/service/readBackstageTokenExpiration.ts"],"sourcesContent":["/\n Copyright 2024 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { RootConfigService } from '@backstage/backend-plugin-api';\nimport { readDurationFromConfig } from '@backstage/config';\nimport { durationToMilliseconds } from '@backstage/types';\n\nconst TOKEN_EXP_DEFAULT_S = 3600;\nconst TOKEN_EXP_MIN_S = 600;\nconst TOKEN_EXP_MAX_S = 86400;\n\nexport function readBackstageTokenExpiration(config: RootConfigService) {\n const processingIntervalKey = 'auth.backstageTokenExpiration';\n\n if (!config.has(processingIntervalKey)) {\n return TOKEN_EXP_DEFAULT_S;\n }\n\n const duration = readDurationFromConfig(config, {\n key: processingIntervalKey,\n });\n\n const durationS = Math.round(durationToMilliseconds(duration) / 1000);\n\n if (durationS < TOKEN_EXP_MIN_S) {\n return TOKEN_EXP_MIN_S;\n } else if (durationS > TOKEN_EXP_MAX_S) {\n return TOKEN_EXP_MAX_S;\n }\n return durationS;\n}\n"],"names":["config","readDurationFromConfig","durationToMilliseconds"],"mappings":";;;;;AAoBA,MAAM,mBAAA,GAAsB,IAAA;AAC5B,MAAM,eAAA,GAAkB,GAAA;AACxB,MAAM,eAAA,GAAkB,KAAA;AAEjB,SAAS,6BAA6BA,QAAA,EAA2B;AACtE,EAAA,MAAM,qBAAA,GAAwB,+BAAA;AAE9B,EAAA,IAAI,CAACA,QAAA,CAAO,GAAA,CAAI,qBAAqB,CAAA,EAAG;AACtC,IAAA,OAAO,mBAAA;AAAA,EACT;AAEA,EAAA,MAAM,QAAA,GAAWC,8BAAuBD,QAAA,EAAQ;AAAA,IAC9C,GAAA,EAAK;AAAA,GACN,CAAA;AAED,EAAA,MAAM,YAAY,IAAA,CAAK,KAAA,CAAME,4BAAA,CAAuB,QAAQ,IAAI,GAAI,CAAA;AAEpE,EAAA,IAAI,YAAY,eAAA,EAAiB;AAC/B,IAAA,OAAO,eAAA;AAAA,EACT,CAAA,MAAA,IAAW,YAAY,eAAA,EAAiB;AACtC,IAAA,OAAO,eAAA;AAAA,EACT;AACA,EAAA,OAAO,SAAA;AACT;;;;"}

package/dist/service/router.cjs.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"router.cjs.js","sources":["../../src/service/router.ts"],"sourcesContent":["/\n Copyright 2020 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport express from 'express';\nimport Router from 'express-promise-router';\nimport cookieParser from 'cookie-parser';\nimport {\n AuthService,\n DatabaseService,\n DiscoveryService,\n LoggerService,\n RootConfigService,\n} from '@backstage/backend-plugin-api';\nimport { AuthOwnershipResolver } from '@backstage/plugin-auth-node';\nimport { CatalogService } from '@backstage/plugin-catalog-node';\nimport { NotFoundError } from '@backstage/errors';\nimport { KeyStores } from '../identity/KeyStores';\nimport { TokenFactory } from '../identity/TokenFactory';\nimport { UserInfoDatabase } from '../database/UserInfoDatabase';\nimport session from 'express-session';\nimport connectSessionKnex from 'connect-session-knex';\nimport passport from 'passport';\nimport { AuthDatabase } from '../database/AuthDatabase';\nimport { readBackstageTokenExpiration } from './readBackstageTokenExpiration';\nimport { TokenIssuer } from '../identity/types';\nimport { StaticTokenIssuer } from '../identity/StaticTokenIssuer';\nimport { StaticKeyStore } from '../identity/StaticKeyStore';\nimport { bindProviderRouters, ProviderFactories } from '../providers/router';\nimport { OidcRouter } from './OidcRouter';\n\ninterface RouterOptions {\n logger: LoggerService;\n database: DatabaseService;\n config: RootConfigService;\n discovery: DiscoveryService;\n auth: AuthService;\n tokenFactoryAlgorithm?: string;\n providerFactories?: ProviderFactories;\n catalog: CatalogService;\n ownershipResolver?: AuthOwnershipResolver;\n}\n\nexport async function createRouter(\n options: RouterOptions,\n): Promise<express.Router> {\n const {\n logger,\n config,\n discovery,\n database: db,\n tokenFactoryAlgorithm,\n providerFactories = {},\n } = options;\n\n const router = Router();\n\n const appUrl = config.getString('app.baseUrl');\n const authUrl = await discovery.getExternalBaseUrl('auth');\n const backstageTokenExpiration = readBackstageTokenExpiration(config);\n const database = AuthDatabase.create(db);\n\n const keyStore = await KeyStores.fromConfig(config, {\n logger,\n database,\n });\n\n const userInfo = await UserInfoDatabase.create({\n database,\n });\n\n const omitClaimsFromToken = config.getOptionalBoolean(\n 'auth.omitIdentityTokenOwnershipClaim',\n )\n ? ['ent']\n : [];\n\n let tokenIssuer: TokenIssuer;\n if (keyStore instanceof StaticKeyStore) {\n tokenIssuer = new StaticTokenIssuer(\n {\n logger: logger.child({ component: 'token-factory' }),\n issuer: authUrl,\n sessionExpirationSeconds: backstageTokenExpiration,\n omitClaimsFromToken,\n },\n keyStore as StaticKeyStore,\n );\n } else {\n tokenIssuer = new TokenFactory({\n issuer: authUrl,\n keyStore,\n keyDurationSeconds: backstageTokenExpiration,\n logger: logger.child({ component: 'token-factory' }),\n algorithm:\n tokenFactoryAlgorithm ??\n config.getOptionalString('auth.identityTokenAlgorithm'),\n omitClaimsFromToken,\n });\n }\n\n const secret = config.getOptionalString('auth.session.secret');\n if (secret) {\n router.use(cookieParser(secret));\n const enforceCookieSSL = authUrl.startsWith('https');\n const KnexSessionStore = connectSessionKnex(session);\n router.use(\n session({\n secret,\n saveUninitialized: false,\n resave: false,\n cookie: { secure: enforceCookieSSL ? 'auto' : false },\n store: new KnexSessionStore({\n createtable: false,\n knex: await database.get(),\n }),\n }),\n );\n router.use(passport.initialize());\n router.use(passport.session());\n } else {\n router.use(cookieParser());\n }\n\n router.use(express.urlencoded({ extended: false }));\n router.use(express.json());\n\n bindProviderRouters(router, {\n providers: providerFactories,\n appUrl,\n baseUrl: authUrl,\n tokenIssuer,\n ...options,\n auth: options.auth,\n userInfo,\n });\n\n const oidcRouter = OidcRouter.create({\n auth: options.auth,\n tokenIssuer,\n baseUrl: authUrl,\n userInfo,\n });\n\n router.use(oidcRouter.getRouter());\n\n // Gives a more helpful error message than a plain 404\n router.use('/:provider/', req => {\n const { provider } = req.params;\n throw new NotFoundError(`Unknown auth provider '${provider}'`);\n });\n\n return router;\n}\n"],"names":["router","Router","readBackstageTokenExpiration","AuthDatabase","KeyStores","UserInfoDatabase","StaticKeyStore","StaticTokenIssuer","TokenFactory","cookieParser","connectSessionKnex","session","passport","express","bindProviderRouters","OidcRouter","NotFoundError"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAuDA,eAAsB,aACpB,~~OACyB~~,~~EAAA~~;AACzB,~~EAAM~~,~~MAAA~~;AAAA,IACJ,MAAA;AAAA,IACA,MAAA;AAAA,IACA,SAAA;AAAA,IACA,~~QAAU~~,~~EAAA~~,EAAA;AAAA,IACV,qBAAA;AAAA,IACA,oBAAoB;AAAC,~~GACnB~~,~~GAAA~~,OAAA;AAEJ,EAAA,MAAMA,WAASC,~~uBAAO~~,~~EAAA~~;AAEtB,~~EAAM~~,~~MAAA~~,MAAA,GAAS,~~MAAO~~,~~CAAA~~,SAAA,CAAU,aAAa,CAAA;AAC7C,EAAA,MAAM,~~OAAU~~,~~GAAA~~,MAAM,~~SAAU~~,~~CAAA~~,kBAAA,CAAmB,MAAM,CAAA;AACzD,~~EAAM~~,~~MAAA~~,wBAAA,GAA2BC,0DAA6B,MAAM,CAAA;AACpE,~~EAAM~~,~~MAAA~~,QAAA,GAAWC,~~yBAAa~~,~~CAAA~~,MAAA,CAAO,EAAE,CAAA;AAEvC,EAAA,MAAM,~~QAAW~~,~~GAAA~~,MAAMC,~~mBAAU~~,~~CAAA~~,UAAA,CAAW,~~MAAQ~~,~~EAAA~~;AAAA,IAClD,MAAA;AAAA,IACA;AAAA,GACD,CAAA;AAED,~~EAAM~~,~~MAAA~~,QAAA,GAAW,MAAMC,iCAAA,CAAiB,~~MAAO~~,~~CAAA~~;AAAA,IAC7C;AAAA,GACD,CAAA;AAED,EAAA,MAAM,sBAAsB,~~MAAO~~,~~CAAA~~,kBAAA;AAAA,IACjC;AAAA,~~GAEE~~,~~GAAA~~,CAAC,KAAK,CAAA,GACN,EAAC;AAEL,~~EAAI~~,~~IAAA~~,WAAA;AACJ,EAAA,IAAI,oBAAoBC,~~6BAAgB~~,~~EAAA~~;AACtC,IAAA,WAAA,GAAc,IAAIC,mCAAA;AAAA,MAChB;AAAA,QACE,QAAQ,~~MAAO~~,~~CAAA~~,KAAA,CAAM,EAAE,SAAA,EAAW,iBAAiB,CAAA;AAAA,QACnD,~~MAAQ~~,~~EAAA~~,OAAA;AAAA,QACR,~~wBAA0B~~,~~EAAA~~,wBAAA;AAAA,QAC1B;AAAA,OACF;AAAA,MACA;AAAA,KACF;AAAA,~~GACK~~,~~MAAA~~;AACL,IAAA,WAAA,GAAc,IAAIC,~~yBAAa~~,~~CAAA~~;AAAA,MAC7B,~~MAAQ~~,~~EAAA~~,OAAA;AAAA,MACR,QAAA;AAAA,MACA,~~kBAAoB~~,~~EAAA~~,wBAAA;AAAA,MACpB,QAAQ,~~MAAO~~,~~CAAA~~,KAAA,CAAM,EAAE,SAAA,EAAW,iBAAiB,CAAA;AAAA,MACnD,~~SACE~~,~~EAAA~~,qBAAA,IACA,~~MAAO~~,~~CAAA~~,iBAAA,CAAkB,6BAA6B,CAAA;AAAA,MACxD;AAAA,KACD,CAAA;AAAA;~~AAGH~~,~~EAAM~~,~~MAAA~~,MAAA,GAAS,~~MAAO~~,~~CAAA~~,iBAAA,CAAkB,qBAAqB,CAAA;AAC7D,EAAA,IAAI,~~MAAQ~~,~~EAAA~~;AACV,~~IAAOR~~,QAAA,~~CAAA~~,GAAA,CAAIS,~~6BAAa~~,~~CAAA~~,MAAM,CAAC,CAAA;AAC/B,~~IAAM~~,~~MAAA~~,gBAAA,GAAmB,~~OAAQ~~,~~CAAA~~,UAAA,CAAW,OAAO,CAAA;AACnD,~~IAAM~~,~~MAAA~~,gBAAA,GAAmBC,oCAAmBC,wBAAO,CAAA;AACnD,~~IAAOX~~,QAAA,~~CAAA~~,GAAA;AAAA,MACLW,~~wBAAQ~~,~~CAAA~~;AAAA,QACN,MAAA;AAAA,QACA,~~iBAAmB~~,~~EAAA~~,KAAA;AAAA,QACnB,~~MAAQ~~,~~EAAA~~,KAAA;AAAA,QACR,~~MAAQ~~,~~EAAA~~,EAAE,~~MAAQ~~,~~EAAA~~,gBAAA,GAAmB,SAAS,~~KAAM~~,~~EAAA~~;AAAA,QACpD,KAAA,EAAO,IAAI,~~gBAAiB~~,~~CAAA~~;AAAA,UAC1B,~~WAAa~~,~~EAAA~~,KAAA;AAAA,UACb,IAAA,EAAM,MAAM,QAAA,CAAS,~~GAAI~~;~~AAAA~~,SAC1B;AAAA,OACF;AAAA,KACH;AACA,~~IAAOX~~,QAAA,~~CAAA~~,GAAA,CAAIY,~~yBAAS~~,~~CAAA~~,UAAA,EAAY,CAAA;AAChC,~~IAAOZ~~,QAAA,~~CAAA~~,GAAA,CAAIY,~~yBAAS~~,~~CAAA~~,OAAA,EAAS,CAAA;AAAA,~~GACxB~~,~~MAAA~~;AACL,~~IAAOZ~~,QAAA,~~CAAA~~,GAAA,CAAIS,+BAAc,CAAA;AAAA;~~AAG3B~~,EAAAT,QAAA,CAAO,IAAIa,~~wBAAQ~~,~~CAAA~~,UAAA,CAAW,EAAE,~~QAAU~~,~~EAAA~~,KAAA,EAAO,CAAC,CAAA;AAClD,~~EAAOb~~,QAAA,~~CAAA~~,GAAA,CAAIa,~~wBAAQ~~,~~CAAA~~,IAAA,EAAM,CAAA;AAEzB,EAAAC,0BAAA,CAAoBd,~~QAAQ~~,~~EAAA~~;AAAA,IAC1B,~~SAAW~~,~~EAAA~~,iBAAA;AAAA,IACX,MAAA;AAAA,IACA,~~OAAS~~,~~EAAA~~,OAAA;AAAA,IACT,WAAA;AAAA,IACA,GAAG,OAAA;AAAA,IACH,MAAM,~~OAAQ~~,~~CAAA~~,IAAA;AAAA,IACd;AAAA,GACD,CAAA;AAED,~~EAAM~~,~~MAAA~~,UAAA,GAAae,sBAAW,~~MAAO~~,~~CAAA~~;AAAA,IACnC,MAAM,~~OAAQ~~,~~CAAA~~,IAAA;AAAA,IACd,WAAA;AAAA,IACA,~~OAAS~~,~~EAAA~~,OAAA;AAAA,IACT;AAAA,GACD,CAAA;AAED,~~EAAOf~~,QAAA,~~CAAA~~,GAAA,CAAI,~~UAAW~~,~~CAAA~~,SAAA,EAAW,CAAA;AAGjC,~~EAAOA~~,QAAA,~~CAAA~~,GAAA,CAAI,eAAe,~~CAAO~~,GAAA,~~KAAA~~;AAC/B,~~IAAM~~,~~MAAA~~,EAAE,~~QAAS~~,~~EAAA~~,GAAI,~~GAAI~~,~~CAAA~~,MAAA;AACzB,IAAA,MAAM,IAAIgB,oBAAA,CAAc,~~CAA0B~~,uBAAA,~~EAAA~~,QAAQ,~~CAAG,~~CAAA,CAAA,CAAA;AAAA,~~GAC9D~~,CAAA;AAED,~~EAAO~~,~~OAAAhB~~,QAAA;AACT;;;;"}
1	+ {"version":3,"file":"router.cjs.js","sources":["../../src/service/router.ts"],"sourcesContent":["/\n Copyright 2020 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport express from 'express';\nimport Router from 'express-promise-router';\nimport cookieParser from 'cookie-parser';\nimport {\n AuthService,\n DatabaseService,\n DiscoveryService,\n LoggerService,\n RootConfigService,\n} from '@backstage/backend-plugin-api';\nimport { AuthOwnershipResolver } from '@backstage/plugin-auth-node';\nimport { CatalogService } from '@backstage/plugin-catalog-node';\nimport { NotFoundError } from '@backstage/errors';\nimport { KeyStores } from '../identity/KeyStores';\nimport { TokenFactory } from '../identity/TokenFactory';\nimport { UserInfoDatabase } from '../database/UserInfoDatabase';\nimport session from 'express-session';\nimport connectSessionKnex from 'connect-session-knex';\nimport passport from 'passport';\nimport { AuthDatabase } from '../database/AuthDatabase';\nimport { readBackstageTokenExpiration } from './readBackstageTokenExpiration';\nimport { TokenIssuer } from '../identity/types';\nimport { StaticTokenIssuer } from '../identity/StaticTokenIssuer';\nimport { StaticKeyStore } from '../identity/StaticKeyStore';\nimport { bindProviderRouters, ProviderFactories } from '../providers/router';\nimport { OidcRouter } from './OidcRouter';\n\ninterface RouterOptions {\n logger: LoggerService;\n database: DatabaseService;\n config: RootConfigService;\n discovery: DiscoveryService;\n auth: AuthService;\n tokenFactoryAlgorithm?: string;\n providerFactories?: ProviderFactories;\n catalog: CatalogService;\n ownershipResolver?: AuthOwnershipResolver;\n}\n\nexport async function createRouter(\n options: RouterOptions,\n): Promise<express.Router> {\n const {\n logger,\n config,\n discovery,\n database: db,\n tokenFactoryAlgorithm,\n providerFactories = {},\n } = options;\n\n const router = Router();\n\n const appUrl = config.getString('app.baseUrl');\n const authUrl = await discovery.getExternalBaseUrl('auth');\n const backstageTokenExpiration = readBackstageTokenExpiration(config);\n const database = AuthDatabase.create(db);\n\n const keyStore = await KeyStores.fromConfig(config, {\n logger,\n database,\n });\n\n const userInfo = await UserInfoDatabase.create({\n database,\n });\n\n const omitClaimsFromToken = config.getOptionalBoolean(\n 'auth.omitIdentityTokenOwnershipClaim',\n )\n ? ['ent']\n : [];\n\n let tokenIssuer: TokenIssuer;\n if (keyStore instanceof StaticKeyStore) {\n tokenIssuer = new StaticTokenIssuer(\n {\n logger: logger.child({ component: 'token-factory' }),\n issuer: authUrl,\n sessionExpirationSeconds: backstageTokenExpiration,\n omitClaimsFromToken,\n },\n keyStore as StaticKeyStore,\n );\n } else {\n tokenIssuer = new TokenFactory({\n issuer: authUrl,\n keyStore,\n keyDurationSeconds: backstageTokenExpiration,\n logger: logger.child({ component: 'token-factory' }),\n algorithm:\n tokenFactoryAlgorithm ??\n config.getOptionalString('auth.identityTokenAlgorithm'),\n omitClaimsFromToken,\n });\n }\n\n const secret = config.getOptionalString('auth.session.secret');\n if (secret) {\n router.use(cookieParser(secret));\n const enforceCookieSSL = authUrl.startsWith('https');\n const KnexSessionStore = connectSessionKnex(session);\n router.use(\n session({\n secret,\n saveUninitialized: false,\n resave: false,\n cookie: { secure: enforceCookieSSL ? 'auto' : false },\n store: new KnexSessionStore({\n createtable: false,\n knex: await database.get(),\n }),\n }),\n );\n router.use(passport.initialize());\n router.use(passport.session());\n } else {\n router.use(cookieParser());\n }\n\n router.use(express.urlencoded({ extended: false }));\n router.use(express.json());\n\n bindProviderRouters(router, {\n providers: providerFactories,\n appUrl,\n baseUrl: authUrl,\n tokenIssuer,\n ...options,\n auth: options.auth,\n userInfo,\n });\n\n const oidcRouter = OidcRouter.create({\n auth: options.auth,\n tokenIssuer,\n baseUrl: authUrl,\n userInfo,\n });\n\n router.use(oidcRouter.getRouter());\n\n // Gives a more helpful error message than a plain 404\n router.use('/:provider/', req => {\n const { provider } = req.params;\n throw new NotFoundError(`Unknown auth provider '${provider}'`);\n });\n\n return router;\n}\n"],"names":["router","Router","readBackstageTokenExpiration","AuthDatabase","KeyStores","UserInfoDatabase","StaticKeyStore","StaticTokenIssuer","TokenFactory","cookieParser","connectSessionKnex","session","passport","express","bindProviderRouters","OidcRouter","NotFoundError"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAuDA,eAAsB,aACpB,OAAA,EACyB;AACzB,EAAA,MAAM;AAAA,IACJ,MAAA;AAAA,IACA,MAAA;AAAA,IACA,SAAA;AAAA,IACA,QAAA,EAAU,EAAA;AAAA,IACV,qBAAA;AAAA,IACA,oBAAoB;AAAC,GACvB,GAAI,OAAA;AAEJ,EAAA,MAAMA,WAASC,uBAAA,EAAO;AAEtB,EAAA,MAAM,MAAA,GAAS,MAAA,CAAO,SAAA,CAAU,aAAa,CAAA;AAC7C,EAAA,MAAM,OAAA,GAAU,MAAM,SAAA,CAAU,kBAAA,CAAmB,MAAM,CAAA;AACzD,EAAA,MAAM,wBAAA,GAA2BC,0DAA6B,MAAM,CAAA;AACpE,EAAA,MAAM,QAAA,GAAWC,yBAAA,CAAa,MAAA,CAAO,EAAE,CAAA;AAEvC,EAAA,MAAM,QAAA,GAAW,MAAMC,mBAAA,CAAU,UAAA,CAAW,MAAA,EAAQ;AAAA,IAClD,MAAA;AAAA,IACA;AAAA,GACD,CAAA;AAED,EAAA,MAAM,QAAA,GAAW,MAAMC,iCAAA,CAAiB,MAAA,CAAO;AAAA,IAC7C;AAAA,GACD,CAAA;AAED,EAAA,MAAM,sBAAsB,MAAA,CAAO,kBAAA;AAAA,IACjC;AAAA,GACF,GACI,CAAC,KAAK,CAAA,GACN,EAAC;AAEL,EAAA,IAAI,WAAA;AACJ,EAAA,IAAI,oBAAoBC,6BAAA,EAAgB;AACtC,IAAA,WAAA,GAAc,IAAIC,mCAAA;AAAA,MAChB;AAAA,QACE,QAAQ,MAAA,CAAO,KAAA,CAAM,EAAE,SAAA,EAAW,iBAAiB,CAAA;AAAA,QACnD,MAAA,EAAQ,OAAA;AAAA,QACR,wBAAA,EAA0B,wBAAA;AAAA,QAC1B;AAAA,OACF;AAAA,MACA;AAAA,KACF;AAAA,EACF,CAAA,MAAO;AACL,IAAA,WAAA,GAAc,IAAIC,yBAAA,CAAa;AAAA,MAC7B,MAAA,EAAQ,OAAA;AAAA,MACR,QAAA;AAAA,MACA,kBAAA,EAAoB,wBAAA;AAAA,MACpB,QAAQ,MAAA,CAAO,KAAA,CAAM,EAAE,SAAA,EAAW,iBAAiB,CAAA;AAAA,MACnD,SAAA,EACE,qBAAA,IACA,MAAA,CAAO,iBAAA,CAAkB,6BAA6B,CAAA;AAAA,MACxD;AAAA,KACD,CAAA;AAAA,EACH;AAEA,EAAA,MAAM,MAAA,GAAS,MAAA,CAAO,iBAAA,CAAkB,qBAAqB,CAAA;AAC7D,EAAA,IAAI,MAAA,EAAQ;AACV,IAAAR,QAAA,CAAO,GAAA,CAAIS,6BAAA,CAAa,MAAM,CAAC,CAAA;AAC/B,IAAA,MAAM,gBAAA,GAAmB,OAAA,CAAQ,UAAA,CAAW,OAAO,CAAA;AACnD,IAAA,MAAM,gBAAA,GAAmBC,oCAAmBC,wBAAO,CAAA;AACnD,IAAAX,QAAA,CAAO,GAAA;AAAA,MACLW,wBAAA,CAAQ;AAAA,QACN,MAAA;AAAA,QACA,iBAAA,EAAmB,KAAA;AAAA,QACnB,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,EAAE,MAAA,EAAQ,gBAAA,GAAmB,SAAS,KAAA,EAAM;AAAA,QACpD,KAAA,EAAO,IAAI,gBAAA,CAAiB;AAAA,UAC1B,WAAA,EAAa,KAAA;AAAA,UACb,IAAA,EAAM,MAAM,QAAA,CAAS,GAAA;AAAI,SAC1B;AAAA,OACF;AAAA,KACH;AACA,IAAAX,QAAA,CAAO,GAAA,CAAIY,yBAAA,CAAS,UAAA,EAAY,CAAA;AAChC,IAAAZ,QAAA,CAAO,GAAA,CAAIY,yBAAA,CAAS,OAAA,EAAS,CAAA;AAAA,EAC/B,CAAA,MAAO;AACL,IAAAZ,QAAA,CAAO,GAAA,CAAIS,+BAAc,CAAA;AAAA,EAC3B;AAEA,EAAAT,QAAA,CAAO,IAAIa,wBAAA,CAAQ,UAAA,CAAW,EAAE,QAAA,EAAU,KAAA,EAAO,CAAC,CAAA;AAClD,EAAAb,QAAA,CAAO,GAAA,CAAIa,wBAAA,CAAQ,IAAA,EAAM,CAAA;AAEzB,EAAAC,0BAAA,CAAoBd,QAAA,EAAQ;AAAA,IAC1B,SAAA,EAAW,iBAAA;AAAA,IACX,MAAA;AAAA,IACA,OAAA,EAAS,OAAA;AAAA,IACT,WAAA;AAAA,IACA,GAAG,OAAA;AAAA,IACH,MAAM,OAAA,CAAQ,IAAA;AAAA,IACd;AAAA,GACD,CAAA;AAED,EAAA,MAAM,UAAA,GAAae,sBAAW,MAAA,CAAO;AAAA,IACnC,MAAM,OAAA,CAAQ,IAAA;AAAA,IACd,WAAA;AAAA,IACA,OAAA,EAAS,OAAA;AAAA,IACT;AAAA,GACD,CAAA;AAED,EAAAf,QAAA,CAAO,GAAA,CAAI,UAAA,CAAW,SAAA,EAAW,CAAA;AAGjC,EAAAA,QAAA,CAAO,GAAA,CAAI,eAAe,CAAA,GAAA,KAAO;AAC/B,IAAA,MAAM,EAAE,QAAA,EAAS,GAAI,GAAA,CAAI,MAAA;AACzB,IAAA,MAAM,IAAIgB,oBAAA,CAAc,CAAA,uBAAA,EAA0B,QAAQ,CAAA,CAAA,CAAG,CAAA;AAAA,EAC/D,CAAC,CAAA;AAED,EAAA,OAAOhB,QAAA;AACT;;;;"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@backstage/plugin-auth-backend",
-  "version": "0.25.2",
+  "version": "0.25.3",
   "description": "A Backstage backend plugin that handles authentication",
   "backstage": {
     "role": "backend-plugin",
@@ -46,12 +46,12 @@
     "test": "backstage-cli package test"
   },
   "dependencies": {
-    "@backstage/backend-plugin-api": "^1.4.1",
+    "@backstage/backend-plugin-api": "^1.4.2",
     "@backstage/catalog-model": "^1.7.5",
     "@backstage/config": "^1.3.3",
     "@backstage/errors": "^1.2.7",
-    "@backstage/plugin-auth-node": "^0.6.5",
-    "@backstage/plugin-catalog-node": "^1.17.2",
+    "@backstage/plugin-auth-node": "^0.6.6",
+    "@backstage/plugin-catalog-node": "^1.18.0",
     "@backstage/types": "^1.2.1",
     "@google-cloud/firestore": "^7.0.0",
     "connect-session-knex": "^4.0.0",
@@ -68,11 +68,11 @@
     "uuid": "^11.0.0"
   },
   "devDependencies": {
-    "@backstage/backend-defaults": "^0.11.1",
-    "@backstage/backend-test-utils": "^1.7.0",
-    "@backstage/cli": "^0.33.1",
-    "@backstage/plugin-auth-backend-module-google-provider": "^0.3.5",
-    "@backstage/plugin-auth-backend-module-guest-provider": "^0.2.10",
+    "@backstage/backend-defaults": "^0.12.0",
+    "@backstage/backend-test-utils": "^1.8.0",
+    "@backstage/cli": "^0.34.0",
+    "@backstage/plugin-auth-backend-module-google-provider": "^0.3.6",
+    "@backstage/plugin-auth-backend-module-guest-provider": "^0.2.11",
     "@types/cookie-parser": "^1.4.2",
     "@types/express": "^4.17.6",
     "@types/express-session": "^1.17.2",