@backstage/plugin-auth-backend 0.27.0 → 0.27.1-next.1

package/CHANGELOG.md

@@ -1,5 +1,34 @@
 # @backstage/plugin-auth-backend
 
+## 0.27.1-next.1
+
+### Patch Changes
+
+- 1ccad86: Added `who-am-i` action to the auth backend actions registry. Returns the catalog entity and user info for the currently authenticated user.
+- Updated dependencies
+  - @backstage/plugin-auth-node@0.6.14-next.1
+  - @backstage/plugin-catalog-node@2.1.0-next.1
+  - @backstage/backend-plugin-api@1.7.1-next.0
+  - @backstage/catalog-model@1.7.6
+  - @backstage/config@1.3.6
+  - @backstage/errors@1.2.7
+  - @backstage/types@1.2.2
+
+## 0.27.1-next.0
+
+### Patch Changes
+
+- 6738cf0: build(deps): bump `minimatch` from 9.0.5 to 10.2.1
+- 619be54: Update migrations to be reversible
+- Updated dependencies
+  - @backstage/plugin-catalog-node@2.1.0-next.0
+  - @backstage/backend-plugin-api@1.7.1-next.0
+  - @backstage/catalog-model@1.7.6
+  - @backstage/config@1.3.6
+  - @backstage/errors@1.2.7
+  - @backstage/types@1.2.2
+  - @backstage/plugin-auth-node@0.6.14-next.0
+
 ## 0.27.0
 
 ### Minor Changes
@@ -39,6 +68,16 @@
 
 ### Patch Changes
 
+- 7dc3dfe: Removed the `auth.experimentalDynamicClientRegistration.tokenExpiration` config option. DCR tokens now use the default 1 hour expiration.
+
+  If you need longer-lived access, use refresh tokens via the `offline_access` scope instead. DCR clients should already have the `offline_access` scope available. Enable refresh tokens by setting:
+
+  ```yaml
+  auth:
+    experimentalRefreshToken:
+      enabled: true
+  ```
+
 - 7455dae: Use node prefix on native imports
 - Updated dependencies
   - @backstage/plugin-catalog-node@2.0.0

package/dist/actions/createWhoAmIAction.cjs.js

@@ -0,0 +1,59 @@
+'use strict';
+
+var errors = require('@backstage/errors');
+
+const createWhoAmIAction = ({
+  auth,
+  catalog,
+  userInfo,
+  actionsRegistry
+}) => {
+  actionsRegistry.register({
+    name: "who-am-i",
+    title: "Who Am I",
+    attributes: {
+      destructive: false,
+      readOnly: true,
+      idempotent: true
+    },
+    description: "Returns the catalog entity and user info for the currently authenticated user. This action requires user credentials and cannot be used with service or unauthenticated credentials.",
+    schema: {
+      input: (z) => z.object({}),
+      output: (z) => z.object({
+        entity: z.object({}).passthrough().describe("The full catalog entity for the authenticated user"),
+        userInfo: z.object({
+          userEntityRef: z.string().describe(
+            "The entity ref of the user, e.g. user:default/jane.doe"
+          ),
+          ownershipEntityRefs: z.array(z.string()).describe("Entity refs that the user claims ownership through")
+        }).describe(
+          "User identity information extracted from the authentication token"
+        )
+      })
+    },
+    action: async ({ credentials }) => {
+      if (!auth.isPrincipal(credentials, "user")) {
+        throw new errors.NotAllowedError("This action requires user credentials");
+      }
+      const { userEntityRef } = credentials.principal;
+      const [entity, info] = await Promise.all([
+        catalog.getEntityByRef(userEntityRef, { credentials }),
+        userInfo.getUserInfo(credentials)
+      ]);
+      if (!entity) {
+        throw new errors.NotFoundError(
+          `User entity not found in the catalog for "${userEntityRef}"`
+        );
+      }
+      return {
+        output: {
+          entity,
+          userInfo: info
+        }
+      };
+    }
+  });
+};
+
+exports.createWhoAmIAction = createWhoAmIAction;
+//# sourceMappingURL=createWhoAmIAction.cjs.js.map

package/dist/actions/createWhoAmIAction.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"createWhoAmIAction.cjs.js","sources":["../../src/actions/createWhoAmIAction.ts"],"sourcesContent":["/*\n * Copyright 2025 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport { AuthService, UserInfoService } from '@backstage/backend-plugin-api';\nimport { ActionsRegistryService } from '@backstage/backend-plugin-api/alpha';\nimport { NotAllowedError, NotFoundError } from '@backstage/errors';\nimport { CatalogService } from '@backstage/plugin-catalog-node';\n\nexport const createWhoAmIAction = ({\n  auth,\n  catalog,\n  userInfo,\n  actionsRegistry,\n}: {\n  auth: AuthService;\n  catalog: CatalogService;\n  userInfo: UserInfoService;\n  actionsRegistry: ActionsRegistryService;\n}) => {\n  actionsRegistry.register({\n    name: 'who-am-i',\n    title: 'Who Am I',\n    attributes: {\n      destructive: false,\n      readOnly: true,\n      idempotent: true,\n    },\n    description:\n      'Returns the catalog entity and user info for the currently authenticated user. This action requires user credentials and cannot be used with service or unauthenticated credentials.',\n    schema: {\n      input: z => z.object({}),\n      output: z =>\n        z.object({\n          entity: z\n            .object({})\n            .passthrough()\n            .describe('The full catalog entity for the authenticated user'),\n          userInfo: z\n            .object({\n              userEntityRef: z\n                .string()\n                .describe(\n                  'The entity ref of the user, e.g. user:default/jane.doe',\n                ),\n              ownershipEntityRefs: z\n                .array(z.string())\n                .describe('Entity refs that the user claims ownership through'),\n            })\n            .describe(\n              'User identity information extracted from the authentication token',\n            ),\n        }),\n    },\n    action: async ({ credentials }) => {\n      if (!auth.isPrincipal(credentials, 'user')) {\n        throw new NotAllowedError('This action requires user credentials');\n      }\n\n      const { userEntityRef } = credentials.principal;\n\n      const [entity, info] = await Promise.all([\n        catalog.getEntityByRef(userEntityRef, { credentials }),\n        userInfo.getUserInfo(credentials),\n      ]);\n\n      if (!entity) {\n        throw new NotFoundError(\n          `User entity not found in the catalog for \"${userEntityRef}\"`,\n        );\n      }\n\n      return {\n        output: {\n          entity,\n          userInfo: info,\n        },\n      };\n    },\n  });\n};\n"],"names":["NotAllowedError","NotFoundError"],"mappings":";;;;AAoBO,MAAM,qBAAqB,CAAC;AAAA,EACjC,IAAA;AAAA,EACA,OAAA;AAAA,EACA,QAAA;AAAA,EACA;AACF,CAAA,KAKM;AACJ,EAAA,eAAA,CAAgB,QAAA,CAAS;AAAA,IACvB,IAAA,EAAM,UAAA;AAAA,IACN,KAAA,EAAO,UAAA;AAAA,IACP,UAAA,EAAY;AAAA,MACV,WAAA,EAAa,KAAA;AAAA,MACb,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY;AAAA,KACd;AAAA,IACA,WAAA,EACE,sLAAA;AAAA,IACF,MAAA,EAAQ;AAAA,MACN,KAAA,EAAO,CAAA,CAAA,KAAK,CAAA,CAAE,MAAA,CAAO,EAAE,CAAA;AAAA,MACvB,MAAA,EAAQ,CAAA,CAAA,KACN,CAAA,CAAE,MAAA,CAAO;AAAA,QACP,MAAA,EAAQ,EACL,MAAA,CAAO,EAAE,CAAA,CACT,WAAA,EAAY,CACZ,QAAA,CAAS,oDAAoD,CAAA;AAAA,QAChE,QAAA,EAAU,EACP,MAAA,CAAO;AAAA,UACN,aAAA,EAAe,CAAA,CACZ,MAAA,EAAO,CACP,QAAA;AAAA,YACC;AAAA,WACF;AAAA,UACF,mBAAA,EAAqB,EAClB,KAAA,CAAM,CAAA,CAAE,QAAQ,CAAA,CAChB,SAAS,oDAAoD;AAAA,SACjE,CAAA,CACA,QAAA;AAAA,UACC;AAAA;AACF,OACH;AAAA,KACL;AAAA,IACA,MAAA,EAAQ,OAAO,EAAE,WAAA,EAAY,KAAM;AACjC,MAAA,IAAI,CAAC,IAAA,CAAK,WAAA,CAAY,WAAA,EAAa,MAAM,CAAA,EAAG;AAC1C,QAAA,MAAM,IAAIA,uBAAgB,uCAAuC,CAAA;AAAA,MACnE;AAEA,MAAA,MAAM,EAAE,aAAA,EAAc,GAAI,WAAA,CAAY,SAAA;AAEtC,MAAA,MAAM,CAAC,MAAA,EAAQ,IAAI,CAAA,GAAI,MAAM,QAAQ,GAAA,CAAI;AAAA,QACvC,OAAA,CAAQ,cAAA,CAAe,aAAA,EAAe,EAAE,aAAa,CAAA;AAAA,QACrD,QAAA,CAAS,YAAY,WAAW;AAAA,OACjC,CAAA;AAED,MAAA,IAAI,CAAC,MAAA,EAAQ;AACX,QAAA,MAAM,IAAIC,oBAAA;AAAA,UACR,6CAA6C,aAAa,CAAA,CAAA;AAAA,SAC5D;AAAA,MACF;AAEA,MAAA,OAAO;AAAA,QACL,MAAA,EAAQ;AAAA,UACN,MAAA;AAAA,UACA,QAAA,EAAU;AAAA;AACZ,OACF;AAAA,IACF;AAAA,GACD,CAAA;AACH;;;;"}

package/dist/actions/index.cjs.js

@@ -0,0 +1,10 @@
+'use strict';
+
+var createWhoAmIAction = require('./createWhoAmIAction.cjs.js');
+
+const createAuthActions = (options) => {
+  createWhoAmIAction.createWhoAmIAction(options);
+};
+
+exports.createAuthActions = createAuthActions;
+//# sourceMappingURL=index.cjs.js.map

package/dist/actions/index.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.cjs.js","sources":["../../src/actions/index.ts"],"sourcesContent":["/*\n * Copyright 2025 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport { AuthService, UserInfoService } from '@backstage/backend-plugin-api';\nimport { ActionsRegistryService } from '@backstage/backend-plugin-api/alpha';\nimport { CatalogService } from '@backstage/plugin-catalog-node';\nimport { createWhoAmIAction } from './createWhoAmIAction';\n\nexport const createAuthActions = (options: {\n  auth: AuthService;\n  actionsRegistry: ActionsRegistryService;\n  catalog: CatalogService;\n  userInfo: UserInfoService;\n}) => {\n  createWhoAmIAction(options);\n};\n"],"names":["createWhoAmIAction"],"mappings":";;;;AAoBO,MAAM,iBAAA,GAAoB,CAAC,OAAA,KAK5B;AACJ,EAAAA,qCAAA,CAAmB,OAAO,CAAA;AAC5B;;;;"}

package/dist/authPlugin.cjs.js

@@ -2,7 +2,9 @@
 
 var backendPluginApi = require('@backstage/backend-plugin-api');
 var pluginAuthNode = require('@backstage/plugin-auth-node');
+var alpha = require('@backstage/backend-plugin-api/alpha');
 var pluginCatalogNode = require('@backstage/plugin-catalog-node');
+var index = require('./actions/index.cjs.js');
 var router = require('./service/router.cjs.js');
 var OfflineAccessService = require('./service/OfflineAccessService.cjs.js');
 
@@ -39,7 +41,9 @@ const authPlugin = backendPluginApi.createBackendPlugin({
         auth: backendPluginApi.coreServices.auth,
         httpAuth: backendPluginApi.coreServices.httpAuth,
         lifecycle: backendPluginApi.coreServices.lifecycle,
-        catalog: pluginCatalogNode.catalogServiceRef
+        catalog: pluginCatalogNode.catalogServiceRef,
+        actionsRegistry: alpha.actionsRegistryServiceRef,
+        userInfo: backendPluginApi.coreServices.userInfo
       },
       async init({
         httpRouter,
@@ -50,7 +54,9 @@ const authPlugin = backendPluginApi.createBackendPlugin({
         auth,
         httpAuth,
         lifecycle,
-        catalog
+        catalog,
+        actionsRegistry,
+        userInfo
       }) {
         const refreshTokensEnabled = config.getOptionalBoolean(
           "auth.experimentalRefreshToken.enabled"
@@ -78,6 +84,7 @@ const authPlugin = backendPluginApi.createBackendPlugin({
           allow: "unauthenticated"
         });
         httpRouter.use(router$1);
+        index.createAuthActions({ auth, catalog, userInfo, actionsRegistry });
       }
     });
   }

package/dist/authPlugin.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"authPlugin.cjs.js","sources":["../src/authPlugin.ts"],"sourcesContent":["/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  coreServices,\n  createBackendPlugin,\n} from '@backstage/backend-plugin-api';\nimport {\n  authOwnershipResolutionExtensionPoint,\n  AuthOwnershipResolver,\n  AuthProviderFactory,\n  authProvidersExtensionPoint,\n} from '@backstage/plugin-auth-node';\nimport { catalogServiceRef } from '@backstage/plugin-catalog-node';\nimport { createRouter } from './service/router';\nimport { OfflineAccessService } from './service/OfflineAccessService';\n\n/**\n * Auth plugin\n *\n * @public\n */\nexport const authPlugin = createBackendPlugin({\n  pluginId: 'auth',\n  register(reg) {\n    const providers = new Map<string, AuthProviderFactory>();\n    let ownershipResolver: AuthOwnershipResolver | undefined = undefined;\n\n    reg.registerExtensionPoint(authProvidersExtensionPoint, {\n      registerProvider({ providerId, factory }) {\n        if (providers.has(providerId)) {\n          throw new Error(\n            `Auth provider '${providerId}' was already registered`,\n          );\n        }\n        providers.set(providerId, factory);\n      },\n    });\n\n    reg.registerExtensionPoint(authOwnershipResolutionExtensionPoint, {\n      setAuthOwnershipResolver(resolver) {\n        if (ownershipResolver) {\n          throw new Error('Auth ownership resolver is already set');\n        }\n        ownershipResolver = resolver;\n      },\n    });\n\n    reg.registerInit({\n      deps: {\n        httpRouter: coreServices.httpRouter,\n        logger: coreServices.logger,\n        config: coreServices.rootConfig,\n        database: coreServices.database,\n        discovery: coreServices.discovery,\n        auth: coreServices.auth,\n        httpAuth: coreServices.httpAuth,\n        lifecycle: coreServices.lifecycle,\n        catalog: catalogServiceRef,\n      },\n      async init({\n        httpRouter,\n        logger,\n        config,\n        database,\n        discovery,\n        auth,\n        httpAuth,\n        lifecycle,\n        catalog,\n      }) {\n        const refreshTokensEnabled = config.getOptionalBoolean(\n          'auth.experimentalRefreshToken.enabled',\n        );\n\n        const offlineAccess = refreshTokensEnabled\n          ? await OfflineAccessService.create({\n              config,\n              database,\n              logger,\n              lifecycle,\n            })\n          : undefined;\n\n        const router = await createRouter({\n          logger,\n          config,\n          database,\n          discovery,\n          auth,\n          catalog,\n          providerFactories: Object.fromEntries(providers),\n          ownershipResolver,\n          httpAuth,\n          offlineAccess,\n        });\n        httpRouter.addAuthPolicy({\n          path: '/',\n          allow: 'unauthenticated',\n        });\n        httpRouter.use(router);\n      },\n    });\n  },\n});\n"],"names":["createBackendPlugin","authProvidersExtensionPoint","authOwnershipResolutionExtensionPoint","coreServices","catalogServiceRef","OfflineAccessService","router","createRouter"],"mappings":";;;;;;;;AAmCO,MAAM,aAAaA,oCAAA,CAAoB;AAAA,EAC5C,QAAA,EAAU,MAAA;AAAA,EACV,SAAS,GAAA,EAAK;AACZ,IAAA,MAAM,SAAA,uBAAgB,GAAA,EAAiC;AACvD,IAAA,IAAI,iBAAA,GAAuD,MAAA;AAE3D,IAAA,GAAA,CAAI,uBAAuBC,0CAAA,EAA6B;AAAA,MACtD,gBAAA,CAAiB,EAAE,UAAA,EAAY,OAAA,EAAQ,EAAG;AACxC,QAAA,IAAI,SAAA,CAAU,GAAA,CAAI,UAAU,CAAA,EAAG;AAC7B,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,kBAAkB,UAAU,CAAA,wBAAA;AAAA,WAC9B;AAAA,QACF;AACA,QAAA,SAAA,CAAU,GAAA,CAAI,YAAY,OAAO,CAAA;AAAA,MACnC;AAAA,KACD,CAAA;AAED,IAAA,GAAA,CAAI,uBAAuBC,oDAAA,EAAuC;AAAA,MAChE,yBAAyB,QAAA,EAAU;AACjC,QAAA,IAAI,iBAAA,EAAmB;AACrB,UAAA,MAAM,IAAI,MAAM,wCAAwC,CAAA;AAAA,QAC1D;AACA,QAAA,iBAAA,GAAoB,QAAA;AAAA,MACtB;AAAA,KACD,CAAA;AAED,IAAA,GAAA,CAAI,YAAA,CAAa;AAAA,MACf,IAAA,EAAM;AAAA,QACJ,YAAYC,6BAAA,CAAa,UAAA;AAAA,QACzB,QAAQA,6BAAA,CAAa,MAAA;AAAA,QACrB,QAAQA,6BAAA,CAAa,UAAA;AAAA,QACrB,UAAUA,6BAAA,CAAa,QAAA;AAAA,QACvB,WAAWA,6BAAA,CAAa,SAAA;AAAA,QACxB,MAAMA,6BAAA,CAAa,IAAA;AAAA,QACnB,UAAUA,6BAAA,CAAa,QAAA;AAAA,QACvB,WAAWA,6BAAA,CAAa,SAAA;AAAA,QACxB,OAAA,EAASC;AAAA,OACX;AAAA,MACA,MAAM,IAAA,CAAK;AAAA,QACT,UAAA;AAAA,QACA,MAAA;AAAA,QACA,MAAA;AAAA,QACA,QAAA;AAAA,QACA,SAAA;AAAA,QACA,IAAA;AAAA,QACA,QAAA;AAAA,QACA,SAAA;AAAA,QACA;AAAA,OACF,EAAG;AACD,QAAA,MAAM,uBAAuB,MAAA,CAAO,kBAAA;AAAA,UAClC;AAAA,SACF;AAEA,QAAA,MAAM,aAAA,GAAgB,oBAAA,GAClB,MAAMC,yCAAA,CAAqB,MAAA,CAAO;AAAA,UAChC,MAAA;AAAA,UACA,QAAA;AAAA,UACA,MAAA;AAAA,UACA;AAAA,SACD,CAAA,GACD,MAAA;AAEJ,QAAA,MAAMC,QAAA,GAAS,MAAMC,mBAAA,CAAa;AAAA,UAChC,MAAA;AAAA,UACA,MAAA;AAAA,UACA,QAAA;AAAA,UACA,SAAA;AAAA,UACA,IAAA;AAAA,UACA,OAAA;AAAA,UACA,iBAAA,EAAmB,MAAA,CAAO,WAAA,CAAY,SAAS,CAAA;AAAA,UAC/C,iBAAA;AAAA,UACA,QAAA;AAAA,UACA;AAAA,SACD,CAAA;AACD,QAAA,UAAA,CAAW,aAAA,CAAc;AAAA,UACvB,IAAA,EAAM,GAAA;AAAA,UACN,KAAA,EAAO;AAAA,SACR,CAAA;AACD,QAAA,UAAA,CAAW,IAAID,QAAM,CAAA;AAAA,MACvB;AAAA,KACD,CAAA;AAAA,EACH;AACF,CAAC;;;;"}
+{"version":3,"file":"authPlugin.cjs.js","sources":["../src/authPlugin.ts"],"sourcesContent":["/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  coreServices,\n  createBackendPlugin,\n} from '@backstage/backend-plugin-api';\nimport {\n  authOwnershipResolutionExtensionPoint,\n  AuthOwnershipResolver,\n  AuthProviderFactory,\n  authProvidersExtensionPoint,\n} from '@backstage/plugin-auth-node';\nimport { actionsRegistryServiceRef } from '@backstage/backend-plugin-api/alpha';\nimport { catalogServiceRef } from '@backstage/plugin-catalog-node';\nimport { createAuthActions } from './actions';\nimport { createRouter } from './service/router';\nimport { OfflineAccessService } from './service/OfflineAccessService';\n\n/**\n * Auth plugin\n *\n * @public\n */\nexport const authPlugin = createBackendPlugin({\n  pluginId: 'auth',\n  register(reg) {\n    const providers = new Map<string, AuthProviderFactory>();\n    let ownershipResolver: AuthOwnershipResolver | undefined = undefined;\n\n    reg.registerExtensionPoint(authProvidersExtensionPoint, {\n      registerProvider({ providerId, factory }) {\n        if (providers.has(providerId)) {\n          throw new Error(\n            `Auth provider '${providerId}' was already registered`,\n          );\n        }\n        providers.set(providerId, factory);\n      },\n    });\n\n    reg.registerExtensionPoint(authOwnershipResolutionExtensionPoint, {\n      setAuthOwnershipResolver(resolver) {\n        if (ownershipResolver) {\n          throw new Error('Auth ownership resolver is already set');\n        }\n        ownershipResolver = resolver;\n      },\n    });\n\n    reg.registerInit({\n      deps: {\n        httpRouter: coreServices.httpRouter,\n        logger: coreServices.logger,\n        config: coreServices.rootConfig,\n        database: coreServices.database,\n        discovery: coreServices.discovery,\n        auth: coreServices.auth,\n        httpAuth: coreServices.httpAuth,\n        lifecycle: coreServices.lifecycle,\n        catalog: catalogServiceRef,\n        actionsRegistry: actionsRegistryServiceRef,\n        userInfo: coreServices.userInfo,\n      },\n      async init({\n        httpRouter,\n        logger,\n        config,\n        database,\n        discovery,\n        auth,\n        httpAuth,\n        lifecycle,\n        catalog,\n        actionsRegistry,\n        userInfo,\n      }) {\n        const refreshTokensEnabled = config.getOptionalBoolean(\n          'auth.experimentalRefreshToken.enabled',\n        );\n\n        const offlineAccess = refreshTokensEnabled\n          ? await OfflineAccessService.create({\n              config,\n              database,\n              logger,\n              lifecycle,\n            })\n          : undefined;\n\n        const router = await createRouter({\n          logger,\n          config,\n          database,\n          discovery,\n          auth,\n          catalog,\n          providerFactories: Object.fromEntries(providers),\n          ownershipResolver,\n          httpAuth,\n          offlineAccess,\n        });\n        httpRouter.addAuthPolicy({\n          path: '/',\n          allow: 'unauthenticated',\n        });\n        httpRouter.use(router);\n\n        createAuthActions({ auth, catalog, userInfo, actionsRegistry });\n      },\n    });\n  },\n});\n"],"names":["createBackendPlugin","authProvidersExtensionPoint","authOwnershipResolutionExtensionPoint","coreServices","catalogServiceRef","actionsRegistryServiceRef","OfflineAccessService","router","createRouter","createAuthActions"],"mappings":";;;;;;;;;;AAqCO,MAAM,aAAaA,oCAAA,CAAoB;AAAA,EAC5C,QAAA,EAAU,MAAA;AAAA,EACV,SAAS,GAAA,EAAK;AACZ,IAAA,MAAM,SAAA,uBAAgB,GAAA,EAAiC;AACvD,IAAA,IAAI,iBAAA,GAAuD,MAAA;AAE3D,IAAA,GAAA,CAAI,uBAAuBC,0CAAA,EAA6B;AAAA,MACtD,gBAAA,CAAiB,EAAE,UAAA,EAAY,OAAA,EAAQ,EAAG;AACxC,QAAA,IAAI,SAAA,CAAU,GAAA,CAAI,UAAU,CAAA,EAAG;AAC7B,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,kBAAkB,UAAU,CAAA,wBAAA;AAAA,WAC9B;AAAA,QACF;AACA,QAAA,SAAA,CAAU,GAAA,CAAI,YAAY,OAAO,CAAA;AAAA,MACnC;AAAA,KACD,CAAA;AAED,IAAA,GAAA,CAAI,uBAAuBC,oDAAA,EAAuC;AAAA,MAChE,yBAAyB,QAAA,EAAU;AACjC,QAAA,IAAI,iBAAA,EAAmB;AACrB,UAAA,MAAM,IAAI,MAAM,wCAAwC,CAAA;AAAA,QAC1D;AACA,QAAA,iBAAA,GAAoB,QAAA;AAAA,MACtB;AAAA,KACD,CAAA;AAED,IAAA,GAAA,CAAI,YAAA,CAAa;AAAA,MACf,IAAA,EAAM;AAAA,QACJ,YAAYC,6BAAA,CAAa,UAAA;AAAA,QACzB,QAAQA,6BAAA,CAAa,MAAA;AAAA,QACrB,QAAQA,6BAAA,CAAa,UAAA;AAAA,QACrB,UAAUA,6BAAA,CAAa,QAAA;AAAA,QACvB,WAAWA,6BAAA,CAAa,SAAA;AAAA,QACxB,MAAMA,6BAAA,CAAa,IAAA;AAAA,QACnB,UAAUA,6BAAA,CAAa,QAAA;AAAA,QACvB,WAAWA,6BAAA,CAAa,SAAA;AAAA,QACxB,OAAA,EAASC,mCAAA;AAAA,QACT,eAAA,EAAiBC,+BAAA;AAAA,QACjB,UAAUF,6BAAA,CAAa;AAAA,OACzB;AAAA,MACA,MAAM,IAAA,CAAK;AAAA,QACT,UAAA;AAAA,QACA,MAAA;AAAA,QACA,MAAA;AAAA,QACA,QAAA;AAAA,QACA,SAAA;AAAA,QACA,IAAA;AAAA,QACA,QAAA;AAAA,QACA,SAAA;AAAA,QACA,OAAA;AAAA,QACA,eAAA;AAAA,QACA;AAAA,OACF,EAAG;AACD,QAAA,MAAM,uBAAuB,MAAA,CAAO,kBAAA;AAAA,UAClC;AAAA,SACF;AAEA,QAAA,MAAM,aAAA,GAAgB,oBAAA,GAClB,MAAMG,yCAAA,CAAqB,MAAA,CAAO;AAAA,UAChC,MAAA;AAAA,UACA,QAAA;AAAA,UACA,MAAA;AAAA,UACA;AAAA,SACD,CAAA,GACD,MAAA;AAEJ,QAAA,MAAMC,QAAA,GAAS,MAAMC,mBAAA,CAAa;AAAA,UAChC,MAAA;AAAA,UACA,MAAA;AAAA,UACA,QAAA;AAAA,UACA,SAAA;AAAA,UACA,IAAA;AAAA,UACA,OAAA;AAAA,UACA,iBAAA,EAAmB,MAAA,CAAO,WAAA,CAAY,SAAS,CAAA;AAAA,UAC/C,iBAAA;AAAA,UACA,QAAA;AAAA,UACA;AAAA,SACD,CAAA;AACD,QAAA,UAAA,CAAW,aAAA,CAAc;AAAA,UACvB,IAAA,EAAM,GAAA;AAAA,UACN,KAAA,EAAO;AAAA,SACR,CAAA;AACD,QAAA,UAAA,CAAW,IAAID,QAAM,CAAA;AAErB,QAAAE,uBAAA,CAAkB,EAAE,IAAA,EAAM,OAAA,EAAS,QAAA,EAAU,iBAAiB,CAAA;AAAA,MAChE;AAAA,KACD,CAAA;AAAA,EACH;AACF,CAAC;;;;"}

package/migrations/20200619125845_init.js

@@ -42,5 +42,5 @@ exports.up = async function up(knex) {
  * @param {import('knex').Knex} knex
  */
 exports.down = async function down(knex) {
-  return knex.schema.dropTable('auth_keystore');
+  return knex.schema.dropTable('signing_keys');
 };

package/migrations/20220321100910_timestamptz_again.js

@@ -48,7 +48,7 @@ exports.down = async function down(knex) {
   if (!knex.client.config.client.includes('sqlite3')) {
     await knex.schema.alterTable('signing_keys', table => {
       table
-        .timestamp('created_at', { useTz: false, precision: 0 })
+        .timestamp('created_at', { useTz: true, precision: 0 })
         .notNullable()
         .defaultTo(knex.fn.now())
         .comment('The creation time of the key')

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@backstage/plugin-auth-backend",
-  "version": "0.27.0",
+  "version": "0.27.1-next.1",
   "description": "A Backstage backend plugin that handles authentication",
   "backstage": {
     "role": "backend-plugin",
@@ -47,13 +47,13 @@
     "test": "backstage-cli package test"
   },
   "dependencies": {
-    "@backstage/backend-plugin-api": "^1.7.0",
-    "@backstage/catalog-model": "^1.7.6",
-    "@backstage/config": "^1.3.6",
-    "@backstage/errors": "^1.2.7",
-    "@backstage/plugin-auth-node": "^0.6.13",
-    "@backstage/plugin-catalog-node": "^2.0.0",
-    "@backstage/types": "^1.2.2",
+    "@backstage/backend-plugin-api": "1.7.1-next.0",
+    "@backstage/catalog-model": "1.7.6",
+    "@backstage/config": "1.3.6",
+    "@backstage/errors": "1.2.7",
+    "@backstage/plugin-auth-node": "0.6.14-next.1",
+    "@backstage/plugin-catalog-node": "2.1.0-next.1",
+    "@backstage/types": "1.2.2",
     "@google-cloud/firestore": "^7.0.0",
     "connect-session-knex": "^4.0.0",
     "cookie-parser": "^1.4.5",
@@ -66,18 +66,18 @@
     "lodash": "^4.17.21",
     "luxon": "^3.0.0",
     "matcher": "^4.0.0",
-    "minimatch": "^9.0.0",
+    "minimatch": "^10.2.1",
     "passport": "^0.7.0",
     "uuid": "^11.0.0",
     "zod": "^4.3.5",
     "zod-validation-error": "^5.0.0"
   },
   "devDependencies": {
-    "@backstage/backend-defaults": "^0.15.2",
-    "@backstage/backend-test-utils": "^1.11.0",
-    "@backstage/cli": "^0.35.4",
-    "@backstage/plugin-auth-backend-module-google-provider": "^0.3.12",
-    "@backstage/plugin-auth-backend-module-guest-provider": "^0.2.16",
+    "@backstage/backend-defaults": "0.16.0-next.1",
+    "@backstage/backend-test-utils": "1.11.1-next.1",
+    "@backstage/cli": "0.36.0-next.1",
+    "@backstage/plugin-auth-backend-module-google-provider": "0.3.13-next.0",
+    "@backstage/plugin-auth-backend-module-guest-provider": "0.2.17-next.0",
     "@types/cookie-parser": "^1.4.2",
     "@types/express": "^4.17.6",
     "@types/express-session": "^1.17.2",