@backstage/plugin-auth-backend 0.26.1-next.0 → 0.27.0

package/dist/service/router.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"router.cjs.js","sources":["../../src/service/router.ts"],"sourcesContent":["/*\n * Copyright 2020 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport express from 'express';\nimport Router from 'express-promise-router';\nimport cookieParser from 'cookie-parser';\nimport {\n  AuthService,\n  DatabaseService,\n  DiscoveryService,\n  HttpAuthService,\n  LoggerService,\n  RootConfigService,\n} from '@backstage/backend-plugin-api';\nimport { AuthOwnershipResolver } from '@backstage/plugin-auth-node';\nimport { CatalogService } from '@backstage/plugin-catalog-node';\nimport { NotFoundError } from '@backstage/errors';\nimport { KeyStores } from '../identity/KeyStores';\nimport { TokenFactory } from '../identity/TokenFactory';\nimport { UserInfoDatabase } from '../database/UserInfoDatabase';\nimport session from 'express-session';\nimport connectSessionKnex from 'connect-session-knex';\nimport passport from 'passport';\nimport { AuthDatabase } from '../database/AuthDatabase';\nimport {\n  readBackstageTokenExpiration,\n  readDcrTokenExpiration,\n} from './readTokenExpiration.ts';\nimport { StaticTokenIssuer } from '../identity/StaticTokenIssuer';\nimport { StaticKeyStore } from '../identity/StaticKeyStore';\nimport { bindProviderRouters, ProviderFactories } from '../providers/router';\nimport { OidcRouter } from './OidcRouter';\nimport { OidcDatabase } from '../database/OidcDatabase';\n\ninterface RouterOptions {\n  logger: LoggerService;\n  database: DatabaseService;\n  config: RootConfigService;\n  discovery: DiscoveryService;\n  auth: AuthService;\n  tokenFactoryAlgorithm?: string;\n  providerFactories?: ProviderFactories;\n  catalog: CatalogService;\n  ownershipResolver?: AuthOwnershipResolver;\n  httpAuth: HttpAuthService;\n}\n\nexport async function createRouter(\n  options: RouterOptions,\n): Promise<express.Router> {\n  const {\n    logger,\n    config,\n    discovery,\n    database: db,\n    tokenFactoryAlgorithm,\n    providerFactories = {},\n    httpAuth,\n  } = options;\n\n  const router = Router();\n\n  const appUrl = config.getString('app.baseUrl');\n  const authUrl = await discovery.getExternalBaseUrl('auth');\n  const backstageTokenExpiration = readBackstageTokenExpiration(config);\n  const database = AuthDatabase.create(db);\n\n  const keyStore = await KeyStores.fromConfig(config, {\n    logger,\n    database,\n  });\n\n  const userInfo = await UserInfoDatabase.create({\n    database,\n  });\n\n  const omitClaimsFromToken = config.getOptionalBoolean(\n    'auth.omitIdentityTokenOwnershipClaim',\n  )\n    ? ['ent']\n    : [];\n\n  const createTokenIssuer = (opts: {\n    logger: LoggerService;\n    expirationSeconds: number;\n  }) => {\n    if (keyStore instanceof StaticKeyStore) {\n      return new StaticTokenIssuer(\n        {\n          logger: opts.logger,\n          issuer: authUrl,\n          sessionExpirationSeconds: opts.expirationSeconds,\n          omitClaimsFromToken,\n        },\n        keyStore as StaticKeyStore,\n      );\n    }\n    return new TokenFactory({\n      issuer: authUrl,\n      keyStore,\n      keyDurationSeconds: opts.expirationSeconds,\n      logger: opts.logger,\n      algorithm:\n        tokenFactoryAlgorithm ??\n        config.getOptionalString('auth.identityTokenAlgorithm'),\n      omitClaimsFromToken,\n    });\n  };\n\n  const tokenIssuer = createTokenIssuer({\n    logger: logger.child({ component: 'token-factory' }),\n    expirationSeconds: backstageTokenExpiration,\n  });\n\n  const secret = config.getOptionalString('auth.session.secret');\n  if (secret) {\n    router.use(cookieParser(secret));\n    const enforceCookieSSL = authUrl.startsWith('https');\n    const KnexSessionStore = connectSessionKnex(session);\n    router.use(\n      session({\n        secret,\n        saveUninitialized: false,\n        resave: false,\n        cookie: { secure: enforceCookieSSL ? 'auto' : false },\n        store: new KnexSessionStore({\n          createtable: false,\n          knex: await database.get(),\n        }),\n      }),\n    );\n    router.use(passport.initialize());\n    router.use(passport.session());\n  } else {\n    router.use(cookieParser());\n  }\n\n  router.use(express.urlencoded({ extended: false }));\n  router.use(express.json());\n\n  bindProviderRouters(router, {\n    providers: providerFactories,\n    appUrl,\n    baseUrl: authUrl,\n    tokenIssuer,\n    ...options,\n    auth: options.auth,\n    userInfo,\n  });\n\n  const dcrTokenExpiration = readDcrTokenExpiration(config);\n\n  const oidcTokenIssuer = createTokenIssuer({\n    logger: logger.child({ component: 'oidc-token-factory' }),\n    expirationSeconds: dcrTokenExpiration,\n  });\n\n  const oidc = await OidcDatabase.create({ database });\n\n  const oidcRouter = OidcRouter.create({\n    auth: options.auth,\n    tokenIssuer: oidcTokenIssuer,\n    baseUrl: authUrl,\n    appUrl,\n    userInfo,\n    oidc,\n    logger,\n    httpAuth,\n    config,\n  });\n\n  router.use(oidcRouter.getRouter());\n\n  // Gives a more helpful error message than a plain 404\n  router.use('/:provider/', req => {\n    const { provider } = req.params;\n    throw new NotFoundError(`Unknown auth provider '${provider}'`);\n  });\n\n  return router;\n}\n"],"names":["router","Router","readBackstageTokenExpiration","AuthDatabase","KeyStores","UserInfoDatabase","StaticKeyStore","StaticTokenIssuer","TokenFactory","cookieParser","connectSessionKnex","session","passport","express","bindProviderRouters","readDcrTokenExpiration","OidcDatabase","OidcRouter","NotFoundError"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA4DA,eAAsB,aACpB,OAAA,EACyB;AACzB,EAAA,MAAM;AAAA,IACJ,MAAA;AAAA,IACA,MAAA;AAAA,IACA,SAAA;AAAA,IACA,QAAA,EAAU,EAAA;AAAA,IACV,qBAAA;AAAA,IACA,oBAAoB,EAAC;AAAA,IACrB;AAAA,GACF,GAAI,OAAA;AAEJ,EAAA,MAAMA,WAASC,uBAAA,EAAO;AAEtB,EAAA,MAAM,MAAA,GAAS,MAAA,CAAO,SAAA,CAAU,aAAa,CAAA;AAC7C,EAAA,MAAM,OAAA,GAAU,MAAM,SAAA,CAAU,kBAAA,CAAmB,MAAM,CAAA;AACzD,EAAA,MAAM,wBAAA,GAA2BC,iDAA6B,MAAM,CAAA;AACpE,EAAA,MAAM,QAAA,GAAWC,yBAAA,CAAa,MAAA,CAAO,EAAE,CAAA;AAEvC,EAAA,MAAM,QAAA,GAAW,MAAMC,mBAAA,CAAU,UAAA,CAAW,MAAA,EAAQ;AAAA,IAClD,MAAA;AAAA,IACA;AAAA,GACD,CAAA;AAED,EAAA,MAAM,QAAA,GAAW,MAAMC,iCAAA,CAAiB,MAAA,CAAO;AAAA,IAC7C;AAAA,GACD,CAAA;AAED,EAAA,MAAM,sBAAsB,MAAA,CAAO,kBAAA;AAAA,IACjC;AAAA,GACF,GACI,CAAC,KAAK,CAAA,GACN,EAAC;AAEL,EAAA,MAAM,iBAAA,GAAoB,CAAC,IAAA,KAGrB;AACJ,IAAA,IAAI,oBAAoBC,6BAAA,EAAgB;AACtC,MAAA,OAAO,IAAIC,mCAAA;AAAA,QACT;AAAA,UACE,QAAQ,IAAA,CAAK,MAAA;AAAA,UACb,MAAA,EAAQ,OAAA;AAAA,UACR,0BAA0B,IAAA,CAAK,iBAAA;AAAA,UAC/B;AAAA,SACF;AAAA,QACA;AAAA,OACF;AAAA,IACF;AACA,IAAA,OAAO,IAAIC,yBAAA,CAAa;AAAA,MACtB,MAAA,EAAQ,OAAA;AAAA,MACR,QAAA;AAAA,MACA,oBAAoB,IAAA,CAAK,iBAAA;AAAA,MACzB,QAAQ,IAAA,CAAK,MAAA;AAAA,MACb,SAAA,EACE,qBAAA,IACA,MAAA,CAAO,iBAAA,CAAkB,6BAA6B,CAAA;AAAA,MACxD;AAAA,KACD,CAAA;AAAA,EACH,CAAA;AAEA,EAAA,MAAM,cAAc,iBAAA,CAAkB;AAAA,IACpC,QAAQ,MAAA,CAAO,KAAA,CAAM,EAAE,SAAA,EAAW,iBAAiB,CAAA;AAAA,IACnD,iBAAA,EAAmB;AAAA,GACpB,CAAA;AAED,EAAA,MAAM,MAAA,GAAS,MAAA,CAAO,iBAAA,CAAkB,qBAAqB,CAAA;AAC7D,EAAA,IAAI,MAAA,EAAQ;AACV,IAAAR,QAAA,CAAO,GAAA,CAAIS,6BAAA,CAAa,MAAM,CAAC,CAAA;AAC/B,IAAA,MAAM,gBAAA,GAAmB,OAAA,CAAQ,UAAA,CAAW,OAAO,CAAA;AACnD,IAAA,MAAM,gBAAA,GAAmBC,oCAAmBC,wBAAO,CAAA;AACnD,IAAAX,QAAA,CAAO,GAAA;AAAA,MACLW,wBAAA,CAAQ;AAAA,QACN,MAAA;AAAA,QACA,iBAAA,EAAmB,KAAA;AAAA,QACnB,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,EAAE,MAAA,EAAQ,gBAAA,GAAmB,SAAS,KAAA,EAAM;AAAA,QACpD,KAAA,EAAO,IAAI,gBAAA,CAAiB;AAAA,UAC1B,WAAA,EAAa,KAAA;AAAA,UACb,IAAA,EAAM,MAAM,QAAA,CAAS,GAAA;AAAI,SAC1B;AAAA,OACF;AAAA,KACH;AACA,IAAAX,QAAA,CAAO,GAAA,CAAIY,yBAAA,CAAS,UAAA,EAAY,CAAA;AAChC,IAAAZ,QAAA,CAAO,GAAA,CAAIY,yBAAA,CAAS,OAAA,EAAS,CAAA;AAAA,EAC/B,CAAA,MAAO;AACL,IAAAZ,QAAA,CAAO,GAAA,CAAIS,+BAAc,CAAA;AAAA,EAC3B;AAEA,EAAAT,QAAA,CAAO,IAAIa,wBAAA,CAAQ,UAAA,CAAW,EAAE,QAAA,EAAU,KAAA,EAAO,CAAC,CAAA;AAClD,EAAAb,QAAA,CAAO,GAAA,CAAIa,wBAAA,CAAQ,IAAA,EAAM,CAAA;AAEzB,EAAAC,0BAAA,CAAoBd,QAAA,EAAQ;AAAA,IAC1B,SAAA,EAAW,iBAAA;AAAA,IACX,MAAA;AAAA,IACA,OAAA,EAAS,OAAA;AAAA,IACT,WAAA;AAAA,IACA,GAAG,OAAA;AAAA,IACH,MAAM,OAAA,CAAQ,IAAA;AAAA,IACd;AAAA,GACD,CAAA;AAED,EAAA,MAAM,kBAAA,GAAqBe,2CAAuB,MAAM,CAAA;AAExD,EAAA,MAAM,kBAAkB,iBAAA,CAAkB;AAAA,IACxC,QAAQ,MAAA,CAAO,KAAA,CAAM,EAAE,SAAA,EAAW,sBAAsB,CAAA;AAAA,IACxD,iBAAA,EAAmB;AAAA,GACpB,CAAA;AAED,EAAA,MAAM,OAAO,MAAMC,yBAAA,CAAa,MAAA,CAAO,EAAE,UAAU,CAAA;AAEnD,EAAA,MAAM,UAAA,GAAaC,sBAAW,MAAA,CAAO;AAAA,IACnC,MAAM,OAAA,CAAQ,IAAA;AAAA,IACd,WAAA,EAAa,eAAA;AAAA,IACb,OAAA,EAAS,OAAA;AAAA,IACT,MAAA;AAAA,IACA,QAAA;AAAA,IACA,IAAA;AAAA,IACA,MAAA;AAAA,IACA,QAAA;AAAA,IACA;AAAA,GACD,CAAA;AAED,EAAAjB,QAAA,CAAO,GAAA,CAAI,UAAA,CAAW,SAAA,EAAW,CAAA;AAGjC,EAAAA,QAAA,CAAO,GAAA,CAAI,eAAe,CAAA,GAAA,KAAO;AAC/B,IAAA,MAAM,EAAE,QAAA,EAAS,GAAI,GAAA,CAAI,MAAA;AACzB,IAAA,MAAM,IAAIkB,oBAAA,CAAc,CAAA,uBAAA,EAA0B,QAAQ,CAAA,CAAA,CAAG,CAAA;AAAA,EAC/D,CAAC,CAAA;AAED,EAAA,OAAOlB,QAAA;AACT;;;;"}
+{"version":3,"file":"router.cjs.js","sources":["../../src/service/router.ts"],"sourcesContent":["/*\n * Copyright 2020 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport express from 'express';\nimport Router from 'express-promise-router';\nimport cookieParser from 'cookie-parser';\nimport {\n  AuthService,\n  DatabaseService,\n  DiscoveryService,\n  HttpAuthService,\n  LoggerService,\n  RootConfigService,\n} from '@backstage/backend-plugin-api';\nimport { AuthOwnershipResolver } from '@backstage/plugin-auth-node';\nimport { CatalogService } from '@backstage/plugin-catalog-node';\nimport { NotFoundError } from '@backstage/errors';\nimport { KeyStores } from '../identity/KeyStores';\nimport { TokenFactory } from '../identity/TokenFactory';\nimport { UserInfoDatabase } from '../database/UserInfoDatabase';\nimport session from 'express-session';\nimport connectSessionKnex from 'connect-session-knex';\nimport passport from 'passport';\nimport { AuthDatabase } from '../database/AuthDatabase';\nimport { readBackstageTokenExpiration } from './readTokenExpiration';\nimport { TokenIssuer } from '../identity/types';\nimport { StaticTokenIssuer } from '../identity/StaticTokenIssuer';\nimport { StaticKeyStore } from '../identity/StaticKeyStore';\nimport { bindProviderRouters, ProviderFactories } from '../providers/router';\nimport { OidcRouter } from './OidcRouter';\nimport { OidcDatabase } from '../database/OidcDatabase';\nimport { OfflineAccessService } from './OfflineAccessService';\n\ninterface RouterOptions {\n  logger: LoggerService;\n  database: DatabaseService;\n  config: RootConfigService;\n  discovery: DiscoveryService;\n  auth: AuthService;\n  tokenFactoryAlgorithm?: string;\n  providerFactories?: ProviderFactories;\n  catalog: CatalogService;\n  ownershipResolver?: AuthOwnershipResolver;\n  httpAuth: HttpAuthService;\n  offlineAccess?: OfflineAccessService;\n}\n\nexport async function createRouter(\n  options: RouterOptions,\n): Promise<express.Router> {\n  const {\n    logger,\n    config,\n    discovery,\n    database: db,\n    tokenFactoryAlgorithm,\n    providerFactories = {},\n    httpAuth,\n  } = options;\n\n  const router = Router();\n\n  const appUrl = config.getString('app.baseUrl');\n  const authUrl = await discovery.getExternalBaseUrl('auth');\n  const backstageTokenExpiration = readBackstageTokenExpiration(config);\n  const database = AuthDatabase.create(db);\n\n  const keyStore = await KeyStores.fromConfig(config, {\n    logger,\n    database,\n  });\n\n  const userInfo = await UserInfoDatabase.create({\n    database,\n  });\n\n  const omitClaimsFromToken = config.getOptionalBoolean(\n    'auth.omitIdentityTokenOwnershipClaim',\n  )\n    ? ['ent']\n    : [];\n\n  let tokenIssuer: TokenIssuer;\n  if (keyStore instanceof StaticKeyStore) {\n    tokenIssuer = new StaticTokenIssuer(\n      {\n        logger: logger.child({ component: 'token-factory' }),\n        issuer: authUrl,\n        sessionExpirationSeconds: backstageTokenExpiration,\n        omitClaimsFromToken,\n      },\n      keyStore as StaticKeyStore,\n    );\n  } else {\n    tokenIssuer = new TokenFactory({\n      issuer: authUrl,\n      keyStore,\n      keyDurationSeconds: backstageTokenExpiration,\n      logger: logger.child({ component: 'token-factory' }),\n      algorithm:\n        tokenFactoryAlgorithm ??\n        config.getOptionalString('auth.identityTokenAlgorithm'),\n      omitClaimsFromToken,\n    });\n  }\n\n  const secret = config.getOptionalString('auth.session.secret');\n  if (secret) {\n    router.use(cookieParser(secret));\n    const enforceCookieSSL = authUrl.startsWith('https');\n    const KnexSessionStore = connectSessionKnex(session);\n    router.use(\n      session({\n        secret,\n        saveUninitialized: false,\n        resave: false,\n        cookie: { secure: enforceCookieSSL ? 'auto' : false },\n        store: new KnexSessionStore({\n          createtable: false,\n          knex: await database.get(),\n        }),\n      }),\n    );\n    router.use(passport.initialize());\n    router.use(passport.session());\n  } else {\n    router.use(cookieParser());\n  }\n\n  router.use(express.urlencoded({ extended: false }));\n  router.use(express.json());\n\n  bindProviderRouters(router, {\n    providers: providerFactories,\n    appUrl,\n    baseUrl: authUrl,\n    tokenIssuer,\n    ...options,\n    auth: options.auth,\n    userInfo,\n  });\n\n  const oidc = await OidcDatabase.create({ database });\n\n  const oidcRouter = OidcRouter.create({\n    auth: options.auth,\n    tokenIssuer,\n    baseUrl: authUrl,\n    appUrl,\n    userInfo,\n    oidc,\n    logger,\n    httpAuth,\n    config,\n    offlineAccess: options.offlineAccess,\n  });\n\n  router.use(oidcRouter.getRouter());\n\n  // Gives a more helpful error message than a plain 404\n  router.use('/:provider/', req => {\n    const { provider } = req.params;\n    throw new NotFoundError(`Unknown auth provider '${provider}'`);\n  });\n\n  return router;\n}\n"],"names":["router","Router","readBackstageTokenExpiration","AuthDatabase","KeyStores","UserInfoDatabase","StaticKeyStore","StaticTokenIssuer","TokenFactory","cookieParser","connectSessionKnex","session","passport","express","bindProviderRouters","OidcDatabase","OidcRouter","NotFoundError"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA4DA,eAAsB,aACpB,OAAA,EACyB;AACzB,EAAA,MAAM;AAAA,IACJ,MAAA;AAAA,IACA,MAAA;AAAA,IACA,SAAA;AAAA,IACA,QAAA,EAAU,EAAA;AAAA,IACV,qBAAA;AAAA,IACA,oBAAoB,EAAC;AAAA,IACrB;AAAA,GACF,GAAI,OAAA;AAEJ,EAAA,MAAMA,WAASC,uBAAA,EAAO;AAEtB,EAAA,MAAM,MAAA,GAAS,MAAA,CAAO,SAAA,CAAU,aAAa,CAAA;AAC7C,EAAA,MAAM,OAAA,GAAU,MAAM,SAAA,CAAU,kBAAA,CAAmB,MAAM,CAAA;AACzD,EAAA,MAAM,wBAAA,GAA2BC,iDAA6B,MAAM,CAAA;AACpE,EAAA,MAAM,QAAA,GAAWC,yBAAA,CAAa,MAAA,CAAO,EAAE,CAAA;AAEvC,EAAA,MAAM,QAAA,GAAW,MAAMC,mBAAA,CAAU,UAAA,CAAW,MAAA,EAAQ;AAAA,IAClD,MAAA;AAAA,IACA;AAAA,GACD,CAAA;AAED,EAAA,MAAM,QAAA,GAAW,MAAMC,iCAAA,CAAiB,MAAA,CAAO;AAAA,IAC7C;AAAA,GACD,CAAA;AAED,EAAA,MAAM,sBAAsB,MAAA,CAAO,kBAAA;AAAA,IACjC;AAAA,GACF,GACI,CAAC,KAAK,CAAA,GACN,EAAC;AAEL,EAAA,IAAI,WAAA;AACJ,EAAA,IAAI,oBAAoBC,6BAAA,EAAgB;AACtC,IAAA,WAAA,GAAc,IAAIC,mCAAA;AAAA,MAChB;AAAA,QACE,QAAQ,MAAA,CAAO,KAAA,CAAM,EAAE,SAAA,EAAW,iBAAiB,CAAA;AAAA,QACnD,MAAA,EAAQ,OAAA;AAAA,QACR,wBAAA,EAA0B,wBAAA;AAAA,QAC1B;AAAA,OACF;AAAA,MACA;AAAA,KACF;AAAA,EACF,CAAA,MAAO;AACL,IAAA,WAAA,GAAc,IAAIC,yBAAA,CAAa;AAAA,MAC7B,MAAA,EAAQ,OAAA;AAAA,MACR,QAAA;AAAA,MACA,kBAAA,EAAoB,wBAAA;AAAA,MACpB,QAAQ,MAAA,CAAO,KAAA,CAAM,EAAE,SAAA,EAAW,iBAAiB,CAAA;AAAA,MACnD,SAAA,EACE,qBAAA,IACA,MAAA,CAAO,iBAAA,CAAkB,6BAA6B,CAAA;AAAA,MACxD;AAAA,KACD,CAAA;AAAA,EACH;AAEA,EAAA,MAAM,MAAA,GAAS,MAAA,CAAO,iBAAA,CAAkB,qBAAqB,CAAA;AAC7D,EAAA,IAAI,MAAA,EAAQ;AACV,IAAAR,QAAA,CAAO,GAAA,CAAIS,6BAAA,CAAa,MAAM,CAAC,CAAA;AAC/B,IAAA,MAAM,gBAAA,GAAmB,OAAA,CAAQ,UAAA,CAAW,OAAO,CAAA;AACnD,IAAA,MAAM,gBAAA,GAAmBC,oCAAmBC,wBAAO,CAAA;AACnD,IAAAX,QAAA,CAAO,GAAA;AAAA,MACLW,wBAAA,CAAQ;AAAA,QACN,MAAA;AAAA,QACA,iBAAA,EAAmB,KAAA;AAAA,QACnB,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,EAAE,MAAA,EAAQ,gBAAA,GAAmB,SAAS,KAAA,EAAM;AAAA,QACpD,KAAA,EAAO,IAAI,gBAAA,CAAiB;AAAA,UAC1B,WAAA,EAAa,KAAA;AAAA,UACb,IAAA,EAAM,MAAM,QAAA,CAAS,GAAA;AAAI,SAC1B;AAAA,OACF;AAAA,KACH;AACA,IAAAX,QAAA,CAAO,GAAA,CAAIY,yBAAA,CAAS,UAAA,EAAY,CAAA;AAChC,IAAAZ,QAAA,CAAO,GAAA,CAAIY,yBAAA,CAAS,OAAA,EAAS,CAAA;AAAA,EAC/B,CAAA,MAAO;AACL,IAAAZ,QAAA,CAAO,GAAA,CAAIS,+BAAc,CAAA;AAAA,EAC3B;AAEA,EAAAT,QAAA,CAAO,IAAIa,wBAAA,CAAQ,UAAA,CAAW,EAAE,QAAA,EAAU,KAAA,EAAO,CAAC,CAAA;AAClD,EAAAb,QAAA,CAAO,GAAA,CAAIa,wBAAA,CAAQ,IAAA,EAAM,CAAA;AAEzB,EAAAC,0BAAA,CAAoBd,QAAA,EAAQ;AAAA,IAC1B,SAAA,EAAW,iBAAA;AAAA,IACX,MAAA;AAAA,IACA,OAAA,EAAS,OAAA;AAAA,IACT,WAAA;AAAA,IACA,GAAG,OAAA;AAAA,IACH,MAAM,OAAA,CAAQ,IAAA;AAAA,IACd;AAAA,GACD,CAAA;AAED,EAAA,MAAM,OAAO,MAAMe,yBAAA,CAAa,MAAA,CAAO,EAAE,UAAU,CAAA;AAEnD,EAAA,MAAM,UAAA,GAAaC,sBAAW,MAAA,CAAO;AAAA,IACnC,MAAM,OAAA,CAAQ,IAAA;AAAA,IACd,WAAA;AAAA,IACA,OAAA,EAAS,OAAA;AAAA,IACT,MAAA;AAAA,IACA,QAAA;AAAA,IACA,IAAA;AAAA,IACA,MAAA;AAAA,IACA,QAAA;AAAA,IACA,MAAA;AAAA,IACA,eAAe,OAAA,CAAQ;AAAA,GACxB,CAAA;AAED,EAAAhB,QAAA,CAAO,GAAA,CAAI,UAAA,CAAW,SAAA,EAAW,CAAA;AAGjC,EAAAA,QAAA,CAAO,GAAA,CAAI,eAAe,CAAA,GAAA,KAAO;AAC/B,IAAA,MAAM,EAAE,QAAA,EAAS,GAAI,GAAA,CAAI,MAAA;AACzB,IAAA,MAAM,IAAIiB,oBAAA,CAAc,CAAA,uBAAA,EAA0B,QAAQ,CAAA,CAAA,CAAG,CAAA;AAAA,EAC/D,CAAC,CAAA;AAED,EAAA,OAAOjB,QAAA;AACT;;;;"}

package/migrations/20251020000000_offline_sessions.js

@@ -0,0 +1,78 @@
+/*
+ * Copyright 2025 The Backstage Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// @ts-check
+
+/**
+ * @param {import('knex').Knex} knex
+ */
+exports.up = async function up(knex) {
+  await knex.schema.createTable('offline_sessions', table => {
+    table.comment(
+      'Offline sessions for refresh tokens in dynamic client registration and device auth flows',
+    );
+
+    table
+      .string('id')
+      .primary()
+      .notNullable()
+      .comment('Persistent session ID that remains across token rotations');
+
+    table
+      .string('user_entity_ref')
+      .notNullable()
+      .comment('Backstage user entity reference');
+
+    table
+      .string('oidc_client_id')
+      .nullable()
+      .comment('OIDC client identifier (optional, for OIDC flows)');
+
+    table
+      .text('token_hash')
+      .notNullable()
+      .comment('Current refresh token hash (scrypt)');
+
+    table
+      .timestamp('created_at', { useTz: true, precision: 0 })
+      .notNullable()
+      .defaultTo(knex.fn.now())
+      .comment('Session creation timestamp');
+
+    table
+      .timestamp('last_used_at', { useTz: true, precision: 0 })
+      .notNullable()
+      .defaultTo(knex.fn.now())
+      .comment('Last token refresh timestamp');
+
+    table
+      .foreign('oidc_client_id')
+      .references('client_id')
+      .inTable('oidc_clients')
+      .onDelete('CASCADE');
+    table.index('user_entity_ref', 'offline_sessions_user_idx');
+    table.index('oidc_client_id', 'offline_sessions_oidc_client_idx');
+    table.index('created_at', 'offline_sessions_created_idx');
+    table.index('last_used_at', 'offline_sessions_last_used_idx');
+  });
+};
+
+/**
+ * @param {import('knex').Knex} knex
+ */
+exports.down = async function down(knex) {
+  await knex.schema.dropTable('offline_sessions');
+};

package/migrations/20251217120000_drop_oidc_clients_fk.js

@@ -0,0 +1,44 @@
+/*
+ * Copyright 2025 The Backstage Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// @ts-check
+
+/**
+ * Drop the foreign key constraint on oauth_authorization_sessions.client_id
+ * to allow CIMD (Client ID Metadata Document) clients which are not stored
+ * in the oidc_clients table.
+ *
+ * @param {import('knex').Knex} knex
+ */
+exports.up = async function up(knex) {
+  await knex.schema.alterTable('oauth_authorization_sessions', table => {
+    table.dropForeign(['client_id']);
+  });
+};
+
+/**
+ * @param {import('knex').Knex} knex
+ */
+exports.down = async function down(knex) {
+  // Delete sessions with CIMD client_ids (not in oidc_clients) before re-adding FK
+  await knex('oauth_authorization_sessions')
+    .whereNotIn('client_id', knex('oidc_clients').select('client_id'))
+    .delete();
+
+  await knex.schema.alterTable('oauth_authorization_sessions', table => {
+    table.foreign('client_id').references('client_id').inTable('oidc_clients');
+  });
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@backstage/plugin-auth-backend",
-  "version": "0.26.1-next.0",
+  "version": "0.27.0",
   "description": "A Backstage backend plugin that handles authentication",
   "backstage": {
     "role": "backend-plugin",
@@ -47,19 +47,20 @@
     "test": "backstage-cli package test"
   },
   "dependencies": {
-    "@backstage/backend-plugin-api": "1.7.0-next.0",
-    "@backstage/catalog-model": "1.7.6",
-    "@backstage/config": "1.3.6",
-    "@backstage/errors": "1.2.7",
-    "@backstage/plugin-auth-node": "0.6.12-next.0",
-    "@backstage/plugin-catalog-node": "1.21.0-next.0",
-    "@backstage/types": "1.2.2",
+    "@backstage/backend-plugin-api": "^1.7.0",
+    "@backstage/catalog-model": "^1.7.6",
+    "@backstage/config": "^1.3.6",
+    "@backstage/errors": "^1.2.7",
+    "@backstage/plugin-auth-node": "^0.6.13",
+    "@backstage/plugin-catalog-node": "^2.0.0",
+    "@backstage/types": "^1.2.2",
     "@google-cloud/firestore": "^7.0.0",
     "connect-session-knex": "^4.0.0",
     "cookie-parser": "^1.4.5",
     "express": "^4.22.0",
     "express-promise-router": "^4.1.0",
     "express-session": "^1.17.1",
+    "ipaddr.js": "^2.3.0",
     "jose": "^5.0.0",
     "knex": "^3.0.0",
     "lodash": "^4.17.21",
@@ -67,18 +68,21 @@
     "matcher": "^4.0.0",
     "minimatch": "^9.0.0",
     "passport": "^0.7.0",
-    "uuid": "^11.0.0"
+    "uuid": "^11.0.0",
+    "zod": "^4.3.5",
+    "zod-validation-error": "^5.0.0"
   },
   "devDependencies": {
-    "@backstage/backend-defaults": "0.15.1-next.0",
-    "@backstage/backend-test-utils": "1.10.4-next.0",
-    "@backstage/cli": "0.35.3-next.0",
-    "@backstage/plugin-auth-backend-module-google-provider": "0.3.11-next.0",
-    "@backstage/plugin-auth-backend-module-guest-provider": "0.2.16-next.0",
+    "@backstage/backend-defaults": "^0.15.2",
+    "@backstage/backend-test-utils": "^1.11.0",
+    "@backstage/cli": "^0.35.4",
+    "@backstage/plugin-auth-backend-module-google-provider": "^0.3.12",
+    "@backstage/plugin-auth-backend-module-guest-provider": "^0.2.16",
     "@types/cookie-parser": "^1.4.2",
     "@types/express": "^4.17.6",
     "@types/express-session": "^1.17.2",
     "@types/passport": "^1.0.3",
+    "msw": "^1.0.0",
     "supertest": "^7.0.0"
   },
   "configSchema": "config.d.ts",