npm - @backstage/plugin-auth-backend - Versions diffs - 0.25.4-next.0 → 0.25.4-next.1 - Mend

@backstage/plugin-auth-backend 0.25.4-next.0 → 0.25.4-next.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/CHANGELOG.md +10 -0
package/dist/authPlugin.cjs.js +4 -1
package/dist/authPlugin.cjs.js.map +1 -1
package/dist/database/OidcDatabase.cjs.js +214 -0
package/dist/database/OidcDatabase.cjs.js.map +1 -0
package/dist/service/OidcRouter.cjs.js +284 -5
package/dist/service/OidcRouter.cjs.js.map +1 -1
package/dist/service/OidcService.cjs.js +250 -5
package/dist/service/OidcService.cjs.js.map +1 -1
package/dist/service/router.cjs.js +10 -2
package/dist/service/router.cjs.js.map +1 -1
package/migrations/20250909120000_oidc_client_registration.js +159 -0
package/package.json +7 -5

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,15 @@
 # @backstage/plugin-auth-backend
+## 0.25.4-next.1
+### Patch Changes
+- 1d47bf3: Implementing Dynamic Client Registration with the OIDC server. You can enable this by setting `auth.experimentalDynamicClientRegistration.enabled` in `app-config.yaml`. This is highly experimental, but feedback welcome.
+- 54ddfef: Updating plugin metadata
+- Updated dependencies
+  - @backstage/plugin-auth-node@0.6.7-next.1
+  - @backstage/plugin-catalog-node@1.19.0-next.1
 ## 0.25.4-next.0
 ### Patch Changes

package/dist/authPlugin.cjs.js CHANGED Viewed

@@ -36,6 +36,7 @@ const authPlugin = backendPluginApi.createBackendPlugin({
         database: backendPluginApi.coreServices.database,
         discovery: backendPluginApi.coreServices.discovery,
         auth: backendPluginApi.coreServices.auth,
+        httpAuth: backendPluginApi.coreServices.httpAuth,
         catalog: pluginCatalogNode.catalogServiceRef
       },
       async init({
@@ -45,6 +46,7 @@ const authPlugin = backendPluginApi.createBackendPlugin({
         database,
         discovery,
         auth,
+        httpAuth,
         catalog
       }) {
         const router$1 = await router.createRouter({
@@ -55,7 +57,8 @@ const authPlugin = backendPluginApi.createBackendPlugin({
           auth,
           catalog,
           providerFactories: Object.fromEntries(providers),
-          ownershipResolver
+          ownershipResolver,
+          httpAuth
         });
         httpRouter.addAuthPolicy({
           path: "/",

package/dist/authPlugin.cjs.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"authPlugin.cjs.js","sources":["../src/authPlugin.ts"],"sourcesContent":["/\n Copyright 2023 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport {\n coreServices,\n createBackendPlugin,\n} from '@backstage/backend-plugin-api';\nimport {\n authOwnershipResolutionExtensionPoint,\n AuthOwnershipResolver,\n AuthProviderFactory,\n authProvidersExtensionPoint,\n} from '@backstage/plugin-auth-node';\nimport { catalogServiceRef } from '@backstage/plugin-catalog-node';\nimport { createRouter } from './service/router';\n\n/\n Auth plugin\n \n @public\n */\nexport const authPlugin = createBackendPlugin({\n pluginId: 'auth',\n register(reg) {\n const providers = new Map<string, AuthProviderFactory>();\n let ownershipResolver: AuthOwnershipResolver \| undefined = undefined;\n\n reg.registerExtensionPoint(authProvidersExtensionPoint, {\n registerProvider({ providerId, factory }) {\n if (providers.has(providerId)) {\n throw new Error(\n `Auth provider '${providerId}' was already registered`,\n );\n }\n providers.set(providerId, factory);\n },\n });\n\n reg.registerExtensionPoint(authOwnershipResolutionExtensionPoint, {\n setAuthOwnershipResolver(resolver) {\n if (ownershipResolver) {\n throw new Error('Auth ownership resolver is already set');\n }\n ownershipResolver = resolver;\n },\n });\n\n reg.registerInit({\n deps: {\n httpRouter: coreServices.httpRouter,\n logger: coreServices.logger,\n config: coreServices.rootConfig,\n database: coreServices.database,\n discovery: coreServices.discovery,\n auth: coreServices.auth,\n catalog: catalogServiceRef,\n },\n async init({\n httpRouter,\n logger,\n config,\n database,\n discovery,\n auth,\n catalog,\n }) {\n const router = await createRouter({\n logger,\n config,\n database,\n discovery,\n auth,\n catalog,\n providerFactories: Object.fromEntries(providers),\n ownershipResolver,\n });\n httpRouter.addAuthPolicy({\n path: '/',\n allow: 'unauthenticated',\n });\n httpRouter.use(router);\n },\n });\n },\n});\n"],"names":["createBackendPlugin","authProvidersExtensionPoint","authOwnershipResolutionExtensionPoint","coreServices","catalogServiceRef","router","createRouter"],"mappings":";;;;;;;AAkCO,MAAM,aAAaA,oCAAA,CAAoB;AAAA,EAC5C,QAAA,EAAU,MAAA;AAAA,EACV,SAAS,GAAA,EAAK;AACZ,IAAA,MAAM,SAAA,uBAAgB,GAAA,EAAiC;AACvD,IAAA,IAAI,iBAAA,GAAuD,MAAA;AAE3D,IAAA,GAAA,CAAI,uBAAuBC,0CAAA,EAA6B;AAAA,MACtD,gBAAA,CAAiB,EAAE,UAAA,EAAY,OAAA,EAAQ,EAAG;AACxC,QAAA,IAAI,SAAA,CAAU,GAAA,CAAI,UAAU,CAAA,EAAG;AAC7B,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,kBAAkB,UAAU,CAAA,wBAAA;AAAA,WAC9B;AAAA,QACF;AACA,QAAA,SAAA,CAAU,GAAA,CAAI,YAAY,OAAO,CAAA;AAAA,MACnC;AAAA,KACD,CAAA;AAED,IAAA,GAAA,CAAI,uBAAuBC,oDAAA,EAAuC;AAAA,MAChE,yBAAyB,QAAA,EAAU;AACjC,QAAA,IAAI,iBAAA,EAAmB;AACrB,UAAA,MAAM,IAAI,MAAM,wCAAwC,CAAA;AAAA,QAC1D;AACA,QAAA,iBAAA,GAAoB,QAAA;AAAA,MACtB;AAAA,KACD,CAAA;AAED,IAAA,GAAA,CAAI,YAAA,CAAa;AAAA,MACf,IAAA,EAAM;AAAA,QACJ,YAAYC,6BAAA,CAAa,UAAA;AAAA,QACzB,QAAQA,6BAAA,CAAa,MAAA;AAAA,QACrB,QAAQA,6BAAA,CAAa,UAAA;AAAA,QACrB,UAAUA,6BAAA,CAAa,QAAA;AAAA,QACvB,WAAWA,6BAAA,CAAa,SAAA;AAAA,QACxB,MAAMA,6BAAA,CAAa,IAAA;AAAA,QACnB,OAAA,EAASC;AAAA,OACX;AAAA,MACA,MAAM,IAAA,CAAK;AAAA,QACT,UAAA;AAAA,QACA,MAAA;AAAA,QACA,MAAA;AAAA,QACA,QAAA;AAAA,QACA,SAAA;AAAA,QACA,IAAA;AAAA,QACA;AAAA,OACF,EAAG;AACD,QAAA,MAAMC,QAAA,GAAS,MAAMC,mBAAA,CAAa;AAAA,UAChC,MAAA;AAAA,UACA,MAAA;AAAA,UACA,QAAA;AAAA,UACA,SAAA;AAAA,UACA,IAAA;AAAA,UACA,OAAA;AAAA,UACA,iBAAA,EAAmB,MAAA,CAAO,WAAA,CAAY,SAAS,CAAA;AAAA,UAC/C;AAAA,SACD,CAAA;AACD,QAAA,UAAA,CAAW,aAAA,CAAc;AAAA,UACvB,IAAA,EAAM,GAAA;AAAA,UACN,KAAA,EAAO;AAAA,SACR,CAAA;AACD,QAAA,UAAA,CAAW,IAAID,QAAM,CAAA;AAAA,MACvB;AAAA,KACD,CAAA;AAAA,EACH;AACF,CAAC;;;;"}
1	+ {"version":3,"file":"authPlugin.cjs.js","sources":["../src/authPlugin.ts"],"sourcesContent":["/\n Copyright 2023 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport {\n coreServices,\n createBackendPlugin,\n} from '@backstage/backend-plugin-api';\nimport {\n authOwnershipResolutionExtensionPoint,\n AuthOwnershipResolver,\n AuthProviderFactory,\n authProvidersExtensionPoint,\n} from '@backstage/plugin-auth-node';\nimport { catalogServiceRef } from '@backstage/plugin-catalog-node';\nimport { createRouter } from './service/router';\n\n/\n Auth plugin\n \n @public\n */\nexport const authPlugin = createBackendPlugin({\n pluginId: 'auth',\n register(reg) {\n const providers = new Map<string, AuthProviderFactory>();\n let ownershipResolver: AuthOwnershipResolver \| undefined = undefined;\n\n reg.registerExtensionPoint(authProvidersExtensionPoint, {\n registerProvider({ providerId, factory }) {\n if (providers.has(providerId)) {\n throw new Error(\n `Auth provider '${providerId}' was already registered`,\n );\n }\n providers.set(providerId, factory);\n },\n });\n\n reg.registerExtensionPoint(authOwnershipResolutionExtensionPoint, {\n setAuthOwnershipResolver(resolver) {\n if (ownershipResolver) {\n throw new Error('Auth ownership resolver is already set');\n }\n ownershipResolver = resolver;\n },\n });\n\n reg.registerInit({\n deps: {\n httpRouter: coreServices.httpRouter,\n logger: coreServices.logger,\n config: coreServices.rootConfig,\n database: coreServices.database,\n discovery: coreServices.discovery,\n auth: coreServices.auth,\n httpAuth: coreServices.httpAuth,\n catalog: catalogServiceRef,\n },\n async init({\n httpRouter,\n logger,\n config,\n database,\n discovery,\n auth,\n httpAuth,\n catalog,\n }) {\n const router = await createRouter({\n logger,\n config,\n database,\n discovery,\n auth,\n catalog,\n providerFactories: Object.fromEntries(providers),\n ownershipResolver,\n httpAuth,\n });\n httpRouter.addAuthPolicy({\n path: '/',\n allow: 'unauthenticated',\n });\n httpRouter.use(router);\n },\n });\n },\n});\n"],"names":["createBackendPlugin","authProvidersExtensionPoint","authOwnershipResolutionExtensionPoint","coreServices","catalogServiceRef","router","createRouter"],"mappings":";;;;;;;AAkCO,MAAM,aAAaA,oCAAA,CAAoB;AAAA,EAC5C,QAAA,EAAU,MAAA;AAAA,EACV,SAAS,GAAA,EAAK;AACZ,IAAA,MAAM,SAAA,uBAAgB,GAAA,EAAiC;AACvD,IAAA,IAAI,iBAAA,GAAuD,MAAA;AAE3D,IAAA,GAAA,CAAI,uBAAuBC,0CAAA,EAA6B;AAAA,MACtD,gBAAA,CAAiB,EAAE,UAAA,EAAY,OAAA,EAAQ,EAAG;AACxC,QAAA,IAAI,SAAA,CAAU,GAAA,CAAI,UAAU,CAAA,EAAG;AAC7B,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,kBAAkB,UAAU,CAAA,wBAAA;AAAA,WAC9B;AAAA,QACF;AACA,QAAA,SAAA,CAAU,GAAA,CAAI,YAAY,OAAO,CAAA;AAAA,MACnC;AAAA,KACD,CAAA;AAED,IAAA,GAAA,CAAI,uBAAuBC,oDAAA,EAAuC;AAAA,MAChE,yBAAyB,QAAA,EAAU;AACjC,QAAA,IAAI,iBAAA,EAAmB;AACrB,UAAA,MAAM,IAAI,MAAM,wCAAwC,CAAA;AAAA,QAC1D;AACA,QAAA,iBAAA,GAAoB,QAAA;AAAA,MACtB;AAAA,KACD,CAAA;AAED,IAAA,GAAA,CAAI,YAAA,CAAa;AAAA,MACf,IAAA,EAAM;AAAA,QACJ,YAAYC,6BAAA,CAAa,UAAA;AAAA,QACzB,QAAQA,6BAAA,CAAa,MAAA;AAAA,QACrB,QAAQA,6BAAA,CAAa,UAAA;AAAA,QACrB,UAAUA,6BAAA,CAAa,QAAA;AAAA,QACvB,WAAWA,6BAAA,CAAa,SAAA;AAAA,QACxB,MAAMA,6BAAA,CAAa,IAAA;AAAA,QACnB,UAAUA,6BAAA,CAAa,QAAA;AAAA,QACvB,OAAA,EAASC;AAAA,OACX;AAAA,MACA,MAAM,IAAA,CAAK;AAAA,QACT,UAAA;AAAA,QACA,MAAA;AAAA,QACA,MAAA;AAAA,QACA,QAAA;AAAA,QACA,SAAA;AAAA,QACA,IAAA;AAAA,QACA,QAAA;AAAA,QACA;AAAA,OACF,EAAG;AACD,QAAA,MAAMC,QAAA,GAAS,MAAMC,mBAAA,CAAa;AAAA,UAChC,MAAA;AAAA,UACA,MAAA;AAAA,UACA,QAAA;AAAA,UACA,SAAA;AAAA,UACA,IAAA;AAAA,UACA,OAAA;AAAA,UACA,iBAAA,EAAmB,MAAA,CAAO,WAAA,CAAY,SAAS,CAAA;AAAA,UAC/C,iBAAA;AAAA,UACA;AAAA,SACD,CAAA;AACD,QAAA,UAAA,CAAW,aAAA,CAAc;AAAA,UACvB,IAAA,EAAM,GAAA;AAAA,UACN,KAAA,EAAO;AAAA,SACR,CAAA;AACD,QAAA,UAAA,CAAW,IAAID,QAAM,CAAA;AAAA,MACvB;AAAA,KACD,CAAA;AAAA,EACH;AACF,CAAC;;;;"}

package/dist/database/OidcDatabase.cjs.js ADDED Viewed

@@ -0,0 +1,214 @@
+'use strict';
+function toDate(value) {
+  if (!value) {
+    return void 0;
+  }
+  return typeof value === "string" || typeof value === "number" ? new Date(value) : value;
+}
+class OidcDatabase {
+  constructor(db) {
+    this.db = db;
+  }
+  static async create(options) {
+    const client = await options.database.get();
+    return new OidcDatabase(client);
+  }
+  async createClient(client) {
+    await this.db("oidc_clients").insert({
+      client_id: client.clientId,
+      client_secret: client.clientSecret,
+      client_name: client.clientName,
+      response_types: JSON.stringify(client.responseTypes),
+      grant_types: JSON.stringify(client.grantTypes),
+      redirect_uris: JSON.stringify(client.redirectUris),
+      scope: client.scope,
+      metadata: JSON.stringify(client.metadata)
+    });
+    return client;
+  }
+  async getClient({ clientId }) {
+    const client = await this.db("oidc_clients").where("client_id", clientId).first();
+    if (!client) {
+      return null;
+    }
+    return this.rowToClient(client);
+  }
+  async createAuthorizationSession(session) {
+    await this.db(
+      "oauth_authorization_sessions"
+    ).insert({
+      id: session.id,
+      client_id: session.clientId,
+      user_entity_ref: session.userEntityRef,
+      redirect_uri: session.redirectUri,
+      scope: session.scope,
+      state: session.state,
+      response_type: session.responseType,
+      code_challenge: session.codeChallenge,
+      code_challenge_method: session.codeChallengeMethod,
+      nonce: session.nonce,
+      status: "pending",
+      expires_at: session.expiresAt
+    });
+    return {
+      ...session,
+      status: "pending"
+    };
+  }
+  async updateAuthorizationSession(session) {
+    const row = this.authorizationSessionToRow(session);
+    const updatedFields = Object.fromEntries(
+      Object.entries(row).filter(([_, value]) => value !== void 0)
+    );
+    if (this.db.client.config.client.includes("sqlite3") || this.db.client.config.client.includes("mysql")) {
+      return await this.db.transaction(async (trx) => {
+        await trx("oauth_authorization_sessions").where("id", session.id).update(updatedFields);
+        const updated = await trx(
+          "oauth_authorization_sessions"
+        ).where("id", session.id).first();
+        if (!updated) {
+          throw new Error(
+            `Failed to retrieve updated authorization session with id ${session.id}`
+          );
+        }
+        return this.rowToAuthorizationSession(updated);
+      });
+    }
+    const returnedRows = await this.db(
+      "oauth_authorization_sessions"
+    ).where("id", session.id).update(updatedFields).returning("*");
+    if (returnedRows.length !== 1) {
+      throw new Error(
+        `Failed to retrieve updated authorization session with id ${session.id}`
+      );
+    }
+    const [returnedSession] = returnedRows;
+    return this.rowToAuthorizationSession(
+      returnedSession
+    );
+  }
+  async getAuthorizationSession({ id }) {
+    const session = await this.db(
+      "oauth_authorization_sessions"
+    ).where("id", id).first();
+    if (!session) {
+      return null;
+    }
+    return this.rowToAuthorizationSession(session);
+  }
+  async createAuthorizationCode(authorizationCode) {
+    await this.db("oidc_authorization_codes").insert({
+      code: authorizationCode.code,
+      session_id: authorizationCode.sessionId,
+      expires_at: authorizationCode.expiresAt,
+      used: false
+    });
+    return {
+      ...authorizationCode,
+      used: false
+    };
+  }
+  async getAuthorizationCode({ code }) {
+    const authCode = await this.db(
+      "oidc_authorization_codes"
+    ).where("code", code).first();
+    if (!authCode) {
+      return null;
+    }
+    return this.rowToAuthorizationCode(authCode);
+  }
+  async updateAuthorizationCode(authorizationCode) {
+    const row = this.authorizationCodeToRow(authorizationCode);
+    const updatedFields = Object.fromEntries(
+      Object.entries(row).filter(([_, value]) => value !== void 0)
+    );
+    if (this.db.client.config.client.includes("sqlite3") || this.db.client.config.client.includes("mysql")) {
+      return await this.db.transaction(async (trx) => {
+        await trx("oidc_authorization_codes").where("code", authorizationCode.code).update(updatedFields);
+        const updated = await trx(
+          "oidc_authorization_codes"
+        ).where("code", authorizationCode.code).first();
+        if (!updated) {
+          throw new Error(
+            `Failed to retrieve updated authorization code with code ${authorizationCode.code}`
+          );
+        }
+        return this.rowToAuthorizationCode(updated);
+      });
+    }
+    const returnedRows = await this.db(
+      "oidc_authorization_codes"
+    ).where("code", authorizationCode.code).update(updatedFields).returning("*");
+    if (returnedRows.length !== 1) {
+      throw new Error(
+        `Failed to retrieve updated authorization code with code ${authorizationCode.code}`
+      );
+    }
+    const [returnedCode] = returnedRows;
+    return this.rowToAuthorizationCode(returnedCode);
+  }
+  rowToClient(row) {
+    return {
+      clientId: row.client_id,
+      clientName: row.client_name,
+      clientSecret: row.client_secret,
+      redirectUris: row.redirect_uris ? JSON.parse(row.redirect_uris) : void 0,
+      responseTypes: row.response_types ? JSON.parse(row.response_types) : void 0,
+      grantTypes: row.grant_types ? JSON.parse(row.grant_types) : void 0,
+      scope: row.scope ?? void 0,
+      metadata: row.metadata ? JSON.parse(row.metadata) : void 0
+    };
+  }
+  authorizationSessionToRow(session) {
+    return {
+      id: session.id,
+      client_id: session.clientId,
+      user_entity_ref: session.userEntityRef,
+      redirect_uri: session.redirectUri,
+      scope: session.scope,
+      state: session.state,
+      response_type: session.responseType,
+      code_challenge: session.codeChallenge,
+      code_challenge_method: session.codeChallengeMethod,
+      nonce: session.nonce,
+      status: session.status,
+      expires_at: toDate(session.expiresAt)
+    };
+  }
+  rowToAuthorizationSession(row) {
+    return {
+      id: row.id,
+      clientId: row.client_id,
+      userEntityRef: row.user_entity_ref ?? void 0,
+      redirectUri: row.redirect_uri,
+      scope: row.scope ?? void 0,
+      state: row.state ?? void 0,
+      responseType: row.response_type,
+      codeChallenge: row.code_challenge ?? void 0,
+      codeChallengeMethod: row.code_challenge_method ?? void 0,
+      nonce: row.nonce ?? void 0,
+      status: row.status,
+      expiresAt: toDate(row.expires_at)
+    };
+  }
+  authorizationCodeToRow(authorizationCode) {
+    return {
+      code: authorizationCode.code,
+      session_id: authorizationCode.sessionId,
+      expires_at: toDate(authorizationCode.expiresAt),
+      used: authorizationCode.used
+    };
+  }
+  rowToAuthorizationCode(row) {
+    return {
+      code: row.code,
+      sessionId: row.session_id,
+      expiresAt: toDate(row.expires_at),
+      used: Boolean(row.used)
+    };
+  }
+}
+exports.OidcDatabase = OidcDatabase;
+//# sourceMappingURL=OidcDatabase.cjs.js.map

package/dist/database/OidcDatabase.cjs.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"OidcDatabase.cjs.js","sources":["../../src/database/OidcDatabase.ts"],"sourcesContent":["/*\n * Copyright 2025 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport { Knex } from 'knex';\nimport { AuthDatabase } from './AuthDatabase';\n\nfunction toDate(value?: Date | string | number): Date | undefined {\n if (!value) {\n return undefined;\n }\n\n return typeof value === 'string' || typeof value === 'number'\n ? new Date(value)\n : value;\n}\ntype OidcClientRow = {\n client_id: string;\n client_secret: string;\n client_name: string;\n response_types: string;\n grant_types: string;\n redirect_uris: string;\n scope: string | null;\n metadata: string | null;\n};\n\ntype OAuthAuthorizationSessionRow = {\n id: string;\n client_id: string;\n user_entity_ref: string | null;\n redirect_uri: string;\n scope: string | null;\n state: string | null;\n response_type: string;\n code_challenge: string | null;\n code_challenge_method: string | null;\n nonce: string | null;\n status: 'pending' | 'approved' | 'rejected' | 'expired';\n expires_at: Date | string;\n};\n\ntype OidcAuthorizationCodeRow = {\n code: string;\n session_id: string;\n expires_at: Date | string;\n used: boolean;\n};\n\nexport type Client = {\n clientId: string;\n clientName: string;\n clientSecret: string;\n redirectUris: string[];\n responseTypes: string[];\n grantTypes: string[];\n scope?: string;\n metadata?: Record<string, unknown>;\n};\n\nexport type AuthorizationSession = {\n id: string;\n clientId: string;\n userEntityRef?: string;\n redirectUri: string;\n scope?: string;\n state?: string;\n responseType: string;\n codeChallenge?: string;\n codeChallengeMethod?: string;\n nonce?: string;\n status: 'pending' | 'approved' | 'rejected' | 'expired';\n expiresAt: Date;\n};\n\nexport type ConsentRequest = {\n id: string;\n sessionId: string;\n expiresAt: Date;\n};\n\nexport type AuthorizationCode = {\n code: string;\n sessionId: string;\n expiresAt: Date;\n used: boolean;\n};\n\nexport type AccessToken = {\n tokenId: string;\n sessionId: string;\n expiresAt: Date;\n};\n\n/**\n * This class provides database operations for OpenID Connect (OIDC) authentication flows.\n * It manages OIDC clients, authorization codes, and access tokens in the database.\n */\nexport class OidcDatabase {\n private constructor(private readonly db: Knex) {}\n\n static async create(options: { database: AuthDatabase }) {\n const client = await options.database.get();\n return new OidcDatabase(client);\n }\n\n async createClient(client: Client) {\n await this.db<OidcClientRow>('oidc_clients').insert({\n client_id: client.clientId,\n client_secret: client.clientSecret,\n client_name: client.clientName,\n response_types: JSON.stringify(client.responseTypes),\n grant_types: JSON.stringify(client.grantTypes),\n redirect_uris: JSON.stringify(client.redirectUris),\n scope: client.scope,\n metadata: JSON.stringify(client.metadata),\n });\n\n return client;\n }\n\n async getClient({ clientId }: { clientId: string }) {\n const client = await this.db<OidcClientRow>('oidc_clients')\n .where('client_id', clientId)\n .first();\n\n if (!client) {\n return null;\n }\n\n return this.rowToClient(client) as Client;\n }\n\n async createAuthorizationSession(\n session: Omit<AuthorizationSession, 'status'>,\n ) {\n await this.db<OAuthAuthorizationSessionRow>(\n 'oauth_authorization_sessions',\n ).insert({\n id: session.id,\n client_id: session.clientId,\n user_entity_ref: session.userEntityRef,\n redirect_uri: session.redirectUri,\n scope: session.scope,\n state: session.state,\n response_type: session.responseType,\n code_challenge: session.codeChallenge,\n code_challenge_method: session.codeChallengeMethod,\n nonce: session.nonce,\n status: 'pending',\n expires_at: session.expiresAt,\n });\n\n return {\n ...session,\n status: 'pending',\n };\n }\n\n async updateAuthorizationSession(\n session: Partial<AuthorizationSession> & { id: string },\n ) {\n const row = this.authorizationSessionToRow(session);\n const updatedFields = Object.fromEntries(\n Object.entries(row).filter(([_, value]) => value !== undefined),\n );\n\n // MySQL and SQLite3 don't support RETURNING\n if (\n this.db.client.config.client.includes('sqlite3') ||\n this.db.client.config.client.includes('mysql')\n ) {\n return await this.db.transaction(async trx => {\n await trx<OAuthAuthorizationSessionRow>('oauth_authorization_sessions')\n .where('id', session.id)\n .update(updatedFields);\n\n const updated = await trx<OAuthAuthorizationSessionRow>(\n 'oauth_authorization_sessions',\n )\n .where('id', session.id)\n .first();\n\n if (!updated) {\n throw new Error(\n `Failed to retrieve updated authorization session with id ${session.id}`,\n );\n }\n\n return this.rowToAuthorizationSession(updated) as AuthorizationSession;\n });\n }\n\n const returnedRows = await this.db<OAuthAuthorizationSessionRow>(\n 'oauth_authorization_sessions',\n )\n .where('id', session.id)\n .update(updatedFields)\n .returning('*');\n\n if (returnedRows.length !== 1) {\n throw new Error(\n `Failed to retrieve updated authorization session with id ${session.id}`,\n );\n }\n\n const [returnedSession] = returnedRows;\n\n return this.rowToAuthorizationSession(\n returnedSession,\n ) as AuthorizationSession;\n }\n\n async getAuthorizationSession({ id }: { id: string }) {\n const session = await this.db<OAuthAuthorizationSessionRow>(\n 'oauth_authorization_sessions',\n )\n .where('id', id)\n .first();\n\n if (!session) {\n return null;\n }\n\n return this.rowToAuthorizationSession(session) as AuthorizationSession;\n }\n\n async createAuthorizationCode(\n authorizationCode: Omit<AuthorizationCode, 'used'>,\n ) {\n await this.db<OidcAuthorizationCodeRow>('oidc_authorization_codes').insert({\n code: authorizationCode.code,\n session_id: authorizationCode.sessionId,\n expires_at: authorizationCode.expiresAt,\n used: false,\n });\n\n return {\n ...authorizationCode,\n used: false,\n };\n }\n\n async getAuthorizationCode({ code }: { code: string }) {\n const authCode = await this.db<OidcAuthorizationCodeRow>(\n 'oidc_authorization_codes',\n )\n .where('code', code)\n .first();\n\n if (!authCode) {\n return null;\n }\n\n return this.rowToAuthorizationCode(authCode) as AuthorizationCode;\n }\n\n async updateAuthorizationCode(\n authorizationCode: Partial<AuthorizationCode> & { code: string },\n ) {\n const row = this.authorizationCodeToRow(authorizationCode);\n const updatedFields = Object.fromEntries(\n Object.entries(row).filter(([_, value]) => value !== undefined),\n );\n\n // MySQL and SQLite3 don't support RETURNING\n if (\n this.db.client.config.client.includes('sqlite3') ||\n this.db.client.config.client.includes('mysql')\n ) {\n return await this.db.transaction(async trx => {\n await trx<OidcAuthorizationCodeRow>('oidc_authorization_codes')\n .where('code', authorizationCode.code)\n .update(updatedFields);\n\n const updated = await trx<OidcAuthorizationCodeRow>(\n 'oidc_authorization_codes',\n )\n .where('code', authorizationCode.code)\n .first();\n\n if (!updated) {\n throw new Error(\n `Failed to retrieve updated authorization code with code ${authorizationCode.code}`,\n );\n }\n\n return this.rowToAuthorizationCode(updated) as AuthorizationCode;\n });\n }\n\n const returnedRows = await this.db<OidcAuthorizationCodeRow>(\n 'oidc_authorization_codes',\n )\n .where('code', authorizationCode.code)\n .update(updatedFields)\n .returning('*');\n\n if (returnedRows.length !== 1) {\n throw new Error(\n `Failed to retrieve updated authorization code with code ${authorizationCode.code}`,\n );\n }\n\n const [returnedCode] = returnedRows;\n\n return this.rowToAuthorizationCode(returnedCode) as AuthorizationCode;\n }\n\n private rowToClient(row: OidcClientRow): Client {\n return {\n clientId: row.client_id,\n clientName: row.client_name,\n clientSecret: row.client_secret,\n redirectUris: row.redirect_uris\n ? JSON.parse(row.redirect_uris)\n : undefined,\n responseTypes: row.response_types\n ? JSON.parse(row.response_types)\n : undefined,\n grantTypes: row.grant_types ? JSON.parse(row.grant_types) : undefined,\n scope: row.scope ?? undefined,\n metadata: row.metadata ? JSON.parse(row.metadata) : undefined,\n };\n }\n\n private authorizationSessionToRow(\n session: Partial<AuthorizationSession>,\n ): Partial<OAuthAuthorizationSessionRow> {\n return {\n id: session.id,\n client_id: session.clientId,\n user_entity_ref: session.userEntityRef,\n redirect_uri: session.redirectUri,\n scope: session.scope,\n state: session.state,\n response_type: session.responseType,\n code_challenge: session.codeChallenge,\n code_challenge_method: session.codeChallengeMethod,\n nonce: session.nonce,\n status: session.status,\n expires_at: toDate(session.expiresAt),\n };\n }\n\n private rowToAuthorizationSession(\n row: OAuthAuthorizationSessionRow,\n ): Partial<AuthorizationSession> {\n return {\n id: row.id,\n clientId: row.client_id,\n userEntityRef: row.user_entity_ref ?? undefined,\n redirectUri: row.redirect_uri,\n scope: row.scope ?? undefined,\n state: row.state ?? undefined,\n responseType: row.response_type,\n codeChallenge: row.code_challenge ?? undefined,\n codeChallengeMethod: row.code_challenge_method ?? undefined,\n nonce: row.nonce ?? undefined,\n status: row.status,\n expiresAt: toDate(row.expires_at),\n };\n }\n\n private authorizationCodeToRow(\n authorizationCode: Partial<AuthorizationCode>,\n ): Partial<OidcAuthorizationCodeRow> {\n return {\n code: authorizationCode.code,\n session_id: authorizationCode.sessionId,\n expires_at: toDate(authorizationCode.expiresAt),\n used: authorizationCode.used,\n };\n }\n\n private rowToAuthorizationCode(\n row: OidcAuthorizationCodeRow,\n ): Partial<AuthorizationCode> {\n return {\n code: row.code,\n sessionId: row.session_id,\n expiresAt: toDate(row.expires_at),\n used: Boolean(row.used),\n };\n }\n}\n"],"names":[],"mappings":";;AAkBA,SAAS,OAAO,KAAA,EAAkD;AAChE,EAAA,IAAI,CAAC,KAAA,EAAO;AACV,IAAA,OAAO,MAAA;AAAA,EACT;AAEA,EAAA,OAAO,OAAO,UAAU,QAAA,IAAY,OAAO,UAAU,QAAA,GACjD,IAAI,IAAA,CAAK,KAAK,CAAA,GACd,KAAA;AACN;AAmFO,MAAM,YAAA,CAAa;AAAA,EAChB,YAA6B,EAAA,EAAU;AAAV,IAAA,IAAA,CAAA,EAAA,GAAA,EAAA;AAAA,EAAW;AAAA,EAEhD,aAAa,OAAO,OAAA,EAAqC;AACvD,IAAA,MAAM,MAAA,GAAS,MAAM,OAAA,CAAQ,QAAA,CAAS,GAAA,EAAI;AAC1C,IAAA,OAAO,IAAI,aAAa,MAAM,CAAA;AAAA,EAChC;AAAA,EAEA,MAAM,aAAa,MAAA,EAAgB;AACjC,IAAA,MAAM,IAAA,CAAK,EAAA,CAAkB,cAAc,CAAA,CAAE,MAAA,CAAO;AAAA,MAClD,WAAW,MAAA,CAAO,QAAA;AAAA,MAClB,eAAe,MAAA,CAAO,YAAA;AAAA,MACtB,aAAa,MAAA,CAAO,UAAA;AAAA,MACpB,cAAA,EAAgB,IAAA,CAAK,SAAA,CAAU,MAAA,CAAO,aAAa,CAAA;AAAA,MACnD,WAAA,EAAa,IAAA,CAAK,SAAA,CAAU,MAAA,CAAO,UAAU,CAAA;AAAA,MAC7C,aAAA,EAAe,IAAA,CAAK,SAAA,CAAU,MAAA,CAAO,YAAY,CAAA;AAAA,MACjD,OAAO,MAAA,CAAO,KAAA;AAAA,MACd,QAAA,EAAU,IAAA,CAAK,SAAA,CAAU,MAAA,CAAO,QAAQ;AAAA,KACzC,CAAA;AAED,IAAA,OAAO,MAAA;AAAA,EACT;AAAA,EAEA,MAAM,SAAA,CAAU,EAAE,QAAA,EAAS,EAAyB;AAClD,IAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,EAAA,CAAkB,cAAc,EACvD,KAAA,CAAM,WAAA,EAAa,QAAQ,CAAA,CAC3B,KAAA,EAAM;AAET,IAAA,IAAI,CAAC,MAAA,EAAQ;AACX,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,OAAO,IAAA,CAAK,YAAY,MAAM,CAAA;AAAA,EAChC;AAAA,EAEA,MAAM,2BACJ,OAAA,EACA;AACA,IAAA,MAAM,IAAA,CAAK,EAAA;AAAA,MACT;AAAA,MACA,MAAA,CAAO;AAAA,MACP,IAAI,OAAA,CAAQ,EAAA;AAAA,MACZ,WAAW,OAAA,CAAQ,QAAA;AAAA,MACnB,iBAAiB,OAAA,CAAQ,aAAA;AAAA,MACzB,cAAc,OAAA,CAAQ,WAAA;AAAA,MACtB,OAAO,OAAA,CAAQ,KAAA;AAAA,MACf,OAAO,OAAA,CAAQ,KAAA;AAAA,MACf,eAAe,OAAA,CAAQ,YAAA;AAAA,MACvB,gBAAgB,OAAA,CAAQ,aAAA;AAAA,MACxB,uBAAuB,OAAA,CAAQ,mBAAA;AAAA,MAC/B,OAAO,OAAA,CAAQ,KAAA;AAAA,MACf,MAAA,EAAQ,SAAA;AAAA,MACR,YAAY,OAAA,CAAQ;AAAA,KACrB,CAAA;AAED,IAAA,OAAO;AAAA,MACL,GAAG,OAAA;AAAA,MACH,MAAA,EAAQ;AAAA,KACV;AAAA,EACF;AAAA,EAEA,MAAM,2BACJ,OAAA,EACA;AACA,IAAA,MAAM,GAAA,GAAM,IAAA,CAAK,yBAAA,CAA0B,OAAO,CAAA;AAClD,IAAA,MAAM,gBAAgB,MAAA,CAAO,WAAA;AAAA,MAC3B,MAAA,CAAO,OAAA,CAAQ,GAAG,CAAA,CAAE,MAAA,CAAO,CAAC,CAAC,CAAA,EAAG,KAAK,CAAA,KAAM,KAAA,KAAU,MAAS;AAAA,KAChE;AAGA,IAAA,IACE,IAAA,CAAK,EAAA,CAAG,MAAA,CAAO,MAAA,CAAO,OAAO,QAAA,CAAS,SAAS,CAAA,IAC/C,IAAA,CAAK,GAAG,MAAA,CAAO,MAAA,CAAO,MAAA,CAAO,QAAA,CAAS,OAAO,CAAA,EAC7C;AACA,MAAA,OAAO,MAAM,IAAA,CAAK,EAAA,CAAG,WAAA,CAAY,OAAM,GAAA,KAAO;AAC5C,QAAA,MAAM,GAAA,CAAkC,8BAA8B,CAAA,CACnE,KAAA,CAAM,MAAM,OAAA,CAAQ,EAAE,CAAA,CACtB,MAAA,CAAO,aAAa,CAAA;AAEvB,QAAA,MAAM,UAAU,MAAM,GAAA;AAAA,UACpB;AAAA,UAEC,KAAA,CAAM,IAAA,EAAM,OAAA,CAAQ,EAAE,EACtB,KAAA,EAAM;AAET,QAAA,IAAI,CAAC,OAAA,EAAS;AACZ,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,CAAA,yDAAA,EAA4D,QAAQ,EAAE,CAAA;AAAA,WACxE;AAAA,QACF;AAEA,QAAA,OAAO,IAAA,CAAK,0BAA0B,OAAO,CAAA;AAAA,MAC/C,CAAC,CAAA;AAAA,IACH;AAEA,IAAA,MAAM,YAAA,GAAe,MAAM,IAAA,CAAK,EAAA;AAAA,MAC9B;AAAA,KACF,CACG,KAAA,CAAM,IAAA,EAAM,OAAA,CAAQ,EAAE,EACtB,MAAA,CAAO,aAAa,CAAA,CACpB,SAAA,CAAU,GAAG,CAAA;AAEhB,IAAA,IAAI,YAAA,CAAa,WAAW,CAAA,EAAG;AAC7B,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,CAAA,yDAAA,EAA4D,QAAQ,EAAE,CAAA;AAAA,OACxE;AAAA,IACF;AAEA,IAAA,MAAM,CAAC,eAAe,CAAA,GAAI,YAAA;AAE1B,IAAA,OAAO,IAAA,CAAK,yBAAA;AAAA,MACV;AAAA,KACF;AAAA,EACF;AAAA,EAEA,MAAM,uBAAA,CAAwB,EAAE,EAAA,EAAG,EAAmB;AACpD,IAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,EAAA;AAAA,MACzB;AAAA,KACF,CACG,KAAA,CAAM,IAAA,EAAM,EAAE,EACd,KAAA,EAAM;AAET,IAAA,IAAI,CAAC,OAAA,EAAS;AACZ,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,OAAO,IAAA,CAAK,0BAA0B,OAAO,CAAA;AAAA,EAC/C;AAAA,EAEA,MAAM,wBACJ,iBAAA,EACA;AACA,IAAA,MAAM,IAAA,CAAK,EAAA,CAA6B,0BAA0B,CAAA,CAAE,MAAA,CAAO;AAAA,MACzE,MAAM,iBAAA,CAAkB,IAAA;AAAA,MACxB,YAAY,iBAAA,CAAkB,SAAA;AAAA,MAC9B,YAAY,iBAAA,CAAkB,SAAA;AAAA,MAC9B,IAAA,EAAM;AAAA,KACP,CAAA;AAED,IAAA,OAAO;AAAA,MACL,GAAG,iBAAA;AAAA,MACH,IAAA,EAAM;AAAA,KACR;AAAA,EACF;AAAA,EAEA,MAAM,oBAAA,CAAqB,EAAE,IAAA,EAAK,EAAqB;AACrD,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,EAAA;AAAA,MAC1B;AAAA,KACF,CACG,KAAA,CAAM,MAAA,EAAQ,IAAI,EAClB,KAAA,EAAM;AAET,IAAA,IAAI,CAAC,QAAA,EAAU;AACb,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,OAAO,IAAA,CAAK,uBAAuB,QAAQ,CAAA;AAAA,EAC7C;AAAA,EAEA,MAAM,wBACJ,iBAAA,EACA;AACA,IAAA,MAAM,GAAA,GAAM,IAAA,CAAK,sBAAA,CAAuB,iBAAiB,CAAA;AACzD,IAAA,MAAM,gBAAgB,MAAA,CAAO,WAAA;AAAA,MAC3B,MAAA,CAAO,OAAA,CAAQ,GAAG,CAAA,CAAE,MAAA,CAAO,CAAC,CAAC,CAAA,EAAG,KAAK,CAAA,KAAM,KAAA,KAAU,MAAS;AAAA,KAChE;AAGA,IAAA,IACE,IAAA,CAAK,EAAA,CAAG,MAAA,CAAO,MAAA,CAAO,OAAO,QAAA,CAAS,SAAS,CAAA,IAC/C,IAAA,CAAK,GAAG,MAAA,CAAO,MAAA,CAAO,MAAA,CAAO,QAAA,CAAS,OAAO,CAAA,EAC7C;AACA,MAAA,OAAO,MAAM,IAAA,CAAK,EAAA,CAAG,WAAA,CAAY,OAAM,GAAA,KAAO;AAC5C,QAAA,MAAM,GAAA,CAA8B,0BAA0B,CAAA,CAC3D,KAAA,CAAM,QAAQ,iBAAA,CAAkB,IAAI,CAAA,CACpC,MAAA,CAAO,aAAa,CAAA;AAEvB,QAAA,MAAM,UAAU,MAAM,GAAA;AAAA,UACpB;AAAA,UAEC,KAAA,CAAM,MAAA,EAAQ,iBAAA,CAAkB,IAAI,EACpC,KAAA,EAAM;AAET,QAAA,IAAI,CAAC,OAAA,EAAS;AACZ,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,CAAA,wDAAA,EAA2D,kBAAkB,IAAI,CAAA;AAAA,WACnF;AAAA,QACF;AAEA,QAAA,OAAO,IAAA,CAAK,uBAAuB,OAAO,CAAA;AAAA,MAC5C,CAAC,CAAA;AAAA,IACH;AAEA,IAAA,MAAM,YAAA,GAAe,MAAM,IAAA,CAAK,EAAA;AAAA,MAC9B;AAAA,KACF,CACG,KAAA,CAAM,MAAA,EAAQ,iBAAA,CAAkB,IAAI,EACpC,MAAA,CAAO,aAAa,CAAA,CACpB,SAAA,CAAU,GAAG,CAAA;AAEhB,IAAA,IAAI,YAAA,CAAa,WAAW,CAAA,EAAG;AAC7B,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,CAAA,wDAAA,EAA2D,kBAAkB,IAAI,CAAA;AAAA,OACnF;AAAA,IACF;AAEA,IAAA,MAAM,CAAC,YAAY,CAAA,GAAI,YAAA;AAEvB,IAAA,OAAO,IAAA,CAAK,uBAAuB,YAAY,CAAA;AAAA,EACjD;AAAA,EAEQ,YAAY,GAAA,EAA4B;AAC9C,IAAA,OAAO;AAAA,MACL,UAAU,GAAA,CAAI,SAAA;AAAA,MACd,YAAY,GAAA,CAAI,WAAA;AAAA,MAChB,cAAc,GAAA,CAAI,aAAA;AAAA,MAClB,cAAc,GAAA,CAAI,aAAA,GACd,KAAK,KAAA,CAAM,GAAA,CAAI,aAAa,CAAA,GAC5B,MAAA;AAAA,MACJ,eAAe,GAAA,CAAI,cAAA,GACf,KAAK,KAAA,CAAM,GAAA,CAAI,cAAc,CAAA,GAC7B,MAAA;AAAA,MACJ,YAAY,GAAA,CAAI,WAAA,GAAc,KAAK,KAAA,CAAM,GAAA,CAAI,WAAW,CAAA,GAAI,MAAA;AAAA,MAC5D,KAAA,EAAO,IAAI,KAAA,IAAS,MAAA;AAAA,MACpB,UAAU,GAAA,CAAI,QAAA,GAAW,KAAK,KAAA,CAAM,GAAA,CAAI,QAAQ,CAAA,GAAI;AAAA,KACtD;AAAA,EACF;AAAA,EAEQ,0BACN,OAAA,EACuC;AACvC,IAAA,OAAO;AAAA,MACL,IAAI,OAAA,CAAQ,EAAA;AAAA,MACZ,WAAW,OAAA,CAAQ,QAAA;AAAA,MACnB,iBAAiB,OAAA,CAAQ,aAAA;AAAA,MACzB,cAAc,OAAA,CAAQ,WAAA;AAAA,MACtB,OAAO,OAAA,CAAQ,KAAA;AAAA,MACf,OAAO,OAAA,CAAQ,KAAA;AAAA,MACf,eAAe,OAAA,CAAQ,YAAA;AAAA,MACvB,gBAAgB,OAAA,CAAQ,aAAA;AAAA,MACxB,uBAAuB,OAAA,CAAQ,mBAAA;AAAA,MAC/B,OAAO,OAAA,CAAQ,KAAA;AAAA,MACf,QAAQ,OAAA,CAAQ,MAAA;AAAA,MAChB,UAAA,EAAY,MAAA,CAAO,OAAA,CAAQ,SAAS;AAAA,KACtC;AAAA,EACF;AAAA,EAEQ,0BACN,GAAA,EAC+B;AAC/B,IAAA,OAAO;AAAA,MACL,IAAI,GAAA,CAAI,EAAA;AAAA,MACR,UAAU,GAAA,CAAI,SAAA;AAAA,MACd,aAAA,EAAe,IAAI,eAAA,IAAmB,MAAA;AAAA,MACtC,aAAa,GAAA,CAAI,YAAA;AAAA,MACjB,KAAA,EAAO,IAAI,KAAA,IAAS,MAAA;AAAA,MACpB,KAAA,EAAO,IAAI,KAAA,IAAS,MAAA;AAAA,MACpB,cAAc,GAAA,CAAI,aAAA;AAAA,MAClB,aAAA,EAAe,IAAI,cAAA,IAAkB,MAAA;AAAA,MACrC,mBAAA,EAAqB,IAAI,qBAAA,IAAyB,MAAA;AAAA,MAClD,KAAA,EAAO,IAAI,KAAA,IAAS,MAAA;AAAA,MACpB,QAAQ,GAAA,CAAI,MAAA;AAAA,MACZ,SAAA,EAAW,MAAA,CAAO,GAAA,CAAI,UAAU;AAAA,KAClC;AAAA,EACF;AAAA,EAEQ,uBACN,iBAAA,EACmC;AACnC,IAAA,OAAO;AAAA,MACL,MAAM,iBAAA,CAAkB,IAAA;AAAA,MACxB,YAAY,iBAAA,CAAkB,SAAA;AAAA,MAC9B,UAAA,EAAY,MAAA,CAAO,iBAAA,CAAkB,SAAS,CAAA;AAAA,MAC9C,MAAM,iBAAA,CAAkB;AAAA,KAC1B;AAAA,EACF;AAAA,EAEQ,uBACN,GAAA,EAC4B;AAC5B,IAAA,OAAO;AAAA,MACL,MAAM,GAAA,CAAI,IAAA;AAAA,MACV,WAAW,GAAA,CAAI,UAAA;AAAA,MACf,SAAA,EAAW,MAAA,CAAO,GAAA,CAAI,UAAU,CAAA;AAAA,MAChC,IAAA,EAAM,OAAA,CAAQ,GAAA,CAAI,IAAI;AAAA,KACxB;AAAA,EACF;AACF;;;;"}

package/dist/service/OidcRouter.cjs.js CHANGED Viewed

@@ -3,20 +3,34 @@
 var Router = require('express-promise-router');
 var OidcService = require('./OidcService.cjs.js');
 var errors = require('@backstage/errors');
+var express = require('express');
 function _interopDefaultCompat (e) { return e && typeof e === 'object' && 'default' in e ? e : { default: e }; }
 var Router__default = /*#__PURE__*/_interopDefaultCompat(Router);
 class OidcRouter {
-  constructor(oidc) {
+  constructor(oidc, logger, auth, appUrl, httpAuth, config) {
     this.oidc = oidc;
+    this.logger = logger;
+    this.auth = auth;
+    this.appUrl = appUrl;
+    this.httpAuth = httpAuth;
+    this.config = config;
   }
   static create(options) {
-    return new OidcRouter(OidcService.OidcService.create(options));
+    return new OidcRouter(
+      OidcService.OidcService.create(options),
+      options.logger,
+      options.auth,
+      options.appUrl,
+      options.httpAuth,
+      options.config
+    );
   }
   getRouter() {
     const router = Router__default.default();
+    router.use(express.json());
     router.get("/.well-known/openid-configuration", (_req, res) => {
       res.json(this.oidc.getConfiguration());
     });
@@ -24,9 +38,6 @@ class OidcRouter {
       const { keys } = await this.oidc.listPublicKeys();
       res.json({ keys });
     });
-    router.get("/v1/token", (_req, res) => {
-      res.status(501).send("Not Implemented");
-    });
     router.get("/v1/userinfo", async (req, res) => {
       const matches = req.headers.authorization?.match(/^Bearer[ ]+(\S+)$/i);
       const token = matches?.[1];
@@ -40,9 +51,277 @@ class OidcRouter {
       }
       res.json(userInfo);
     });
+    if (this.config.getOptionalBoolean(
+      "auth.experimentalDynamicClientRegistration.enabled"
+    )) {
+      router.get("/v1/authorize", async (req, res) => {
+        const {
+          client_id: clientId,
+          redirect_uri: redirectUri,
+          response_type: responseType,
+          scope,
+          state,
+          nonce,
+          code_challenge: codeChallenge,
+          code_challenge_method: codeChallengeMethod
+        } = req.query;
+        if (!clientId || !redirectUri || !responseType) {
+          this.logger.error(`Failed to authorize: Missing required parameters`);
+          return res.status(400).json({
+            error: "invalid_request",
+            error_description: "Missing required parameters: client_id, redirect_uri, response_type"
+          });
+        }
+        try {
+          const result = await this.oidc.createAuthorizationSession({
+            clientId,
+            redirectUri,
+            responseType,
+            scope,
+            state,
+            nonce,
+            codeChallenge,
+            codeChallengeMethod
+          });
+          const authSessionRedirectUrl = new URL(
+            `./oauth2/authorize/${result.id}`,
+            ensureTrailingSlash(this.appUrl)
+          );
+          return res.redirect(authSessionRedirectUrl.toString());
+        } catch (error) {
+          const errorParams = new URLSearchParams();
+          errorParams.append(
+            "error",
+            errors.isError(error) ? error.name : "server_error"
+          );
+          errorParams.append(
+            "error_description",
+            errors.isError(error) ? error.message : "Unknown error"
+          );
+          if (state) {
+            errorParams.append("state", state);
+          }
+          const redirectUrl = new URL(redirectUri);
+          redirectUrl.search = errorParams.toString();
+          return res.redirect(redirectUrl.toString());
+        }
+      });
+      router.get("/v1/sessions/:sessionId", async (req, res) => {
+        const { sessionId } = req.params;
+        if (!sessionId) {
+          return res.status(400).json({
+            error: "invalid_request",
+            error_description: "Missing Authorization Session ID"
+          });
+        }
+        try {
+          const session = await this.oidc.getAuthorizationSession({
+            sessionId
+          });
+          return res.json({
+            id: session.id,
+            clientName: session.clientName,
+            scope: session.scope,
+            redirectUri: session.redirectUri
+          });
+        } catch (error) {
+          const description = errors.isError(error) ? error.message : "Unknown error";
+          this.logger.error(
+            `Failed to get authorization session: ${description}`,
+            error
+          );
+          return res.status(404).json({
+            error: "not_found",
+            error_description: description
+          });
+        }
+      });
+      router.post("/v1/sessions/:sessionId/approve", async (req, res) => {
+        const { sessionId } = req.params;
+        if (!sessionId) {
+          return res.status(400).json({
+            error: "invalid_request",
+            error_description: "Missing authorization session ID"
+          });
+        }
+        try {
+          const httpCredentials = await this.httpAuth.credentials(req);
+          if (!this.auth.isPrincipal(httpCredentials, "user")) {
+            return res.status(401).json({
+              error: "unauthorized",
+              error_description: "Authentication required"
+            });
+          }
+          const { userEntityRef } = httpCredentials.principal;
+          const result = await this.oidc.approveAuthorizationSession({
+            sessionId,
+            userEntityRef
+          });
+          return res.json({
+            redirectUrl: result.redirectUrl
+          });
+        } catch (error) {
+          const description = errors.isError(error) ? error.message : "Unknown error";
+          this.logger.error(
+            `Failed to approve authorization session: ${description}`,
+            error
+          );
+          return res.status(400).json({
+            error: "invalid_request",
+            error_description: description
+          });
+        }
+      });
+      router.post("/v1/sessions/:sessionId/reject", async (req, res) => {
+        const { sessionId } = req.params;
+        if (!sessionId) {
+          return res.status(400).json({
+            error: "invalid_request",
+            error_description: "Missing authorization session ID"
+          });
+        }
+        const httpCredentials = await this.httpAuth.credentials(req);
+        if (!this.auth.isPrincipal(httpCredentials, "user")) {
+          return res.status(401).json({
+            error: "unauthorized",
+            error_description: "Authentication required"
+          });
+        }
+        const { userEntityRef } = httpCredentials.principal;
+        try {
+          const session = await this.oidc.getAuthorizationSession({
+            sessionId
+          });
+          await this.oidc.rejectAuthorizationSession({
+            sessionId,
+            userEntityRef
+          });
+          const errorParams = new URLSearchParams();
+          errorParams.append("error", "access_denied");
+          errorParams.append("error_description", "User denied the request");
+          if (session.state) {
+            errorParams.append("state", session.state);
+          }
+          const redirectUrl = new URL(session.redirectUri);
+          redirectUrl.search = errorParams.toString();
+          return res.json({
+            redirectUrl: redirectUrl.toString()
+          });
+        } catch (error) {
+          const description = errors.isError(error) ? error.message : "Unknown error";
+          this.logger.error(
+            `Failed to reject authorization session: ${description}`,
+            error
+          );
+          return res.status(400).json({
+            error: "invalid_request",
+            error_description: description
+          });
+        }
+      });
+      router.post("/v1/token", async (req, res) => {
+        const {
+          grant_type: grantType,
+          code,
+          redirect_uri: redirectUri,
+          code_verifier: codeVerifier
+        } = req.body;
+        if (!grantType || !code || !redirectUri) {
+          this.logger.error(
+            `Failed to exchange code for token: Missing required parameters`
+          );
+          return res.status(400).json({
+            error: "invalid_request",
+            error_description: "Missing required parameters"
+          });
+        }
+        try {
+          const result = await this.oidc.exchangeCodeForToken({
+            code,
+            redirectUri,
+            codeVerifier,
+            grantType
+          });
+          return res.json({
+            access_token: result.accessToken,
+            token_type: result.tokenType,
+            expires_in: result.expiresIn,
+            id_token: result.idToken,
+            scope: result.scope
+          });
+        } catch (error) {
+          const description = errors.isError(error) ? error.message : "Unknown error";
+          this.logger.error(
+            `Failed to exchange code for token: ${description}`,
+            error
+          );
+          if (errors.isError(error)) {
+            if (error.name === "AuthenticationError") {
+              return res.status(401).json({
+                error: "invalid_client",
+                error_description: error.message
+              });
+            }
+            if (error.name === "InputError") {
+              return res.status(400).json({
+                error: "invalid_request",
+                error_description: error.message
+              });
+            }
+          }
+          return res.status(500).json({
+            error: "server_error",
+            error_description: description
+          });
+        }
+      });
+      router.post("/v1/register", async (req, res) => {
+        const {
+          client_name: clientName,
+          redirect_uris: redirectUris,
+          response_types: responseTypes,
+          grant_types: grantTypes,
+          scope
+        } = req.body;
+        if (!redirectUris?.length) {
+          res.status(400).json({
+            error: "invalid_request",
+            error_description: "redirect_uris is required"
+          });
+          return;
+        }
+        try {
+          const client = await this.oidc.registerClient({
+            clientName,
+            redirectUris,
+            responseTypes,
+            grantTypes,
+            scope
+          });
+          res.status(201).json({
+            client_id: client.clientId,
+            redirect_uris: client.redirectUris,
+            client_secret: client.clientSecret
+          });
+        } catch (e) {
+          const description = errors.isError(e) ? e.message : "Unknown error";
+          this.logger.error(`Failed to register client: ${description}`, e);
+          res.status(500).json({
+            error: "server_error",
+            error_description: `Failed to register client: ${description}`
+          });
+        }
+      });
+    }
     return router;
   }
 }
+function ensureTrailingSlash(appUrl) {
+  if (appUrl.endsWith("/")) {
+    return appUrl;
+  }
+  return `${appUrl}/`;
+}
 exports.OidcRouter = OidcRouter;
 //# sourceMappingURL=OidcRouter.cjs.js.map