@backstage/plugin-auth-backend 0.28.1-next.0 → 0.28.1-next.1

package/CHANGELOG.md

@@ -1,5 +1,15 @@
 # @backstage/plugin-auth-backend
 
+## 0.28.1-next.1
+
+### Patch Changes
+
+- e9b78e9: Removed the `uuid` dependency and replaced usage with the built-in `crypto.randomUUID()`.
+- Updated dependencies
+  - @backstage/catalog-model@1.8.1-next.1
+  - @backstage/plugin-catalog-node@2.2.1-next.1
+  - @backstage/plugin-auth-node@0.7.1-next.1
+
 ## 0.28.1-next.0
 
 ### Patch Changes

package/dist/identity/TokenFactory.cjs.js

@@ -2,7 +2,7 @@
 
 var jose = require('jose');
 var luxon = require('luxon');
-var uuid = require('uuid');
+var crypto = require('node:crypto');
 var issueUserToken = require('./issueUserToken.cjs.js');
 
 class TokenFactory {
@@ -74,7 +74,7 @@ class TokenFactory {
       const key = await jose.generateKeyPair(this.algorithm);
       const publicKey = await jose.exportJWK(key.publicKey);
       const privateKey = await jose.exportJWK(key.privateKey);
-      publicKey.kid = privateKey.kid = uuid.v4();
+      publicKey.kid = privateKey.kid = crypto.randomUUID();
       publicKey.alg = privateKey.alg = this.algorithm;
       this.logger.info(`Created new signing key ${publicKey.kid}`);
       await this.keyStore.addKey(publicKey);

package/dist/identity/TokenFactory.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"TokenFactory.cjs.js","sources":["../../src/identity/TokenFactory.ts"],"sourcesContent":["/*\n * Copyright 2020 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { exportJWK, generateKeyPair, JWK } from 'jose';\nimport { DateTime } from 'luxon';\nimport { v4 as uuid } from 'uuid';\nimport { LoggerService } from '@backstage/backend-plugin-api';\nimport {\n  BackstageSignInResult,\n  TokenParams,\n  tokenTypes,\n} from '@backstage/plugin-auth-node';\nimport { AnyJWK, KeyStore, TokenIssuer } from './types';\nimport { JsonValue } from '@backstage/types';\nimport { issueUserToken } from './issueUserToken';\n\n/**\n * The payload contents of a valid Backstage JWT token\n */\nexport interface BackstageTokenPayload {\n  /**\n   * The issuer of the token, currently the discovery URL of the auth backend\n   */\n  iss: string;\n\n  /**\n   * The entity ref of the user\n   */\n  sub: string;\n\n  /**\n   * The entity refs that the user claims ownership through\n   */\n  ent: string[];\n\n  /**\n   * A hard coded audience string\n   */\n  aud: typeof tokenTypes.user.audClaim;\n\n  /**\n   * Standard expiry in epoch seconds\n   */\n  exp: number;\n\n  /**\n   * Standard issue time in epoch seconds\n   */\n  iat: number;\n\n  /**\n   * A separate user identity proof that the auth service can convert to a limited user token\n   */\n  uip: string;\n\n  /**\n   * Any other custom claims that the adopter may have added\n   */\n  [claim: string]: JsonValue;\n}\n\ntype Options = {\n  logger: LoggerService;\n  /** Value of the issuer claim in issued tokens */\n  issuer: string;\n  /** Key store used for storing signing keys */\n  keyStore: KeyStore;\n  /** Expiration time of signing keys in seconds */\n  keyDurationSeconds: number;\n  /** JWS \"alg\" (Algorithm) Header Parameter value. Defaults to ES256.\n   * Must match one of the algorithms defined for IdentityClient.\n   * When setting a different algorithm, check if the `key` field\n   * of the `signing_keys` table can fit the length of the generated keys.\n   * If not, add a knex migration file in the migrations folder.\n   * More info on supported algorithms: https://github.com/panva/jose */\n  algorithm?: string;\n  /**\n   * A list of claims to omit from issued tokens and only store in the user info database\n   */\n  omitClaimsFromToken?: string[];\n};\n\n/**\n * A token issuer that is able to issue tokens in a distributed system\n * backed by a single database. Tokens are issued using lazily generated\n * signing keys, where each running instance of the auth service uses its own\n * signing key.\n *\n * The public parts of the keys are all stored in the shared key storage,\n * and any of the instances of the auth service will return the full list\n * of public keys that are currently in storage.\n *\n * Signing keys are automatically rotated at the same interval as the token\n * duration. Expired keys are kept in storage until there are no valid tokens\n * in circulation that could have been signed by that key.\n */\nexport class TokenFactory implements TokenIssuer {\n  private readonly issuer: string;\n  private readonly logger: LoggerService;\n  private readonly keyStore: KeyStore;\n  private readonly keyDurationSeconds: number;\n  private readonly algorithm: string;\n  private readonly omitClaimsFromToken?: string[];\n\n  private keyExpiry?: Date;\n  private privateKeyPromise?: Promise<JWK>;\n\n  constructor(options: Options) {\n    this.issuer = options.issuer;\n    this.logger = options.logger;\n    this.keyStore = options.keyStore;\n    this.keyDurationSeconds = options.keyDurationSeconds;\n    this.algorithm = options.algorithm ?? 'ES256';\n    this.omitClaimsFromToken = options.omitClaimsFromToken;\n  }\n\n  async issueToken(\n    params: TokenParams & { claims: { ent: string[] } },\n  ): Promise<BackstageSignInResult> {\n    const key = await this.getKey();\n\n    return issueUserToken({\n      issuer: this.issuer,\n      key,\n      keyDurationSeconds: this.keyDurationSeconds,\n      logger: this.logger,\n      omitClaimsFromToken: this.omitClaimsFromToken,\n      params,\n    });\n  }\n\n  // This will be called by other services that want to verify ID tokens.\n  // It is important that it returns a list of all public keys that could\n  // have been used to sign tokens that have not yet expired.\n  async listPublicKeys(): Promise<{ keys: AnyJWK[] }> {\n    const { items: keys } = await this.keyStore.listKeys();\n\n    const validKeys = [];\n    const expiredKeys = [];\n\n    for (const key of keys) {\n      // Allow for a grace period of another full key duration before we remove the keys from the database\n      const expireAt = DateTime.fromJSDate(key.createdAt).plus({\n        seconds: 3 * this.keyDurationSeconds,\n      });\n      if (expireAt < DateTime.local()) {\n        expiredKeys.push(key);\n      } else {\n        validKeys.push(key);\n      }\n    }\n\n    // Lazily prune expired keys. This may cause duplicate removals if we have concurrent callers, but w/e\n    if (expiredKeys.length > 0) {\n      const kids = expiredKeys.map(({ key }) => key.kid);\n\n      this.logger.info(`Removing expired signing keys, '${kids.join(\"', '\")}'`);\n\n      // We don't await this, just let it run in the background\n      this.keyStore.removeKeys(kids).catch(error => {\n        this.logger.error(`Failed to remove expired keys, ${error}`);\n      });\n    }\n\n    // NOTE: we're currently only storing public keys, but if we start storing private keys we'd have to convert here\n    return { keys: validKeys.map(({ key }) => key) };\n  }\n\n  private async getKey(): Promise<JWK> {\n    // Make sure that we only generate one key at a time\n    if (this.privateKeyPromise) {\n      if (\n        this.keyExpiry &&\n        DateTime.fromJSDate(this.keyExpiry) > DateTime.local()\n      ) {\n        return this.privateKeyPromise;\n      }\n      this.logger.info(`Signing key has expired, generating new key`);\n      delete this.privateKeyPromise;\n    }\n\n    this.keyExpiry = DateTime.utc()\n      .plus({\n        seconds: this.keyDurationSeconds,\n      })\n      .toJSDate();\n    const promise = (async () => {\n      // This generates a new signing key to be used to sign tokens until the next key rotation\n      const key = await generateKeyPair(this.algorithm);\n      const publicKey = await exportJWK(key.publicKey);\n      const privateKey = await exportJWK(key.privateKey);\n      publicKey.kid = privateKey.kid = uuid();\n      publicKey.alg = privateKey.alg = this.algorithm;\n\n      // We're not allowed to use the key until it has been successfully stored\n      // TODO: some token verification implementations aggressively cache the list of keys, and\n      //       don't attempt to fetch new ones even if they encounter an unknown kid. Therefore we\n      //       may want to keep using the existing key for some period of time until we switch to\n      //       the new one. This also needs to be implemented cross-service though, meaning new services\n      //       that boot up need to be able to grab an existing key to use for signing.\n      this.logger.info(`Created new signing key ${publicKey.kid}`);\n      await this.keyStore.addKey(publicKey as AnyJWK);\n\n      // At this point we are allowed to start using the new key\n      return privateKey;\n    })();\n\n    this.privateKeyPromise = promise;\n\n    try {\n      // If we fail to generate a new key, we need to clear the state so that\n      // the next caller will try to generate another key.\n      await promise;\n    } catch (error) {\n      this.logger.error(`Failed to generate new signing key, ${error}`);\n      delete this.keyExpiry;\n      delete this.privateKeyPromise;\n    }\n\n    return promise;\n  }\n}\n"],"names":["issueUserToken","DateTime","generateKeyPair","exportJWK","uuid"],"mappings":";;;;;;;AA6GO,MAAM,YAAA,CAAoC;AAAA,EAC9B,MAAA;AAAA,EACA,MAAA;AAAA,EACA,QAAA;AAAA,EACA,kBAAA;AAAA,EACA,SAAA;AAAA,EACA,mBAAA;AAAA,EAET,SAAA;AAAA,EACA,iBAAA;AAAA,EAER,YAAY,OAAA,EAAkB;AAC5B,IAAA,IAAA,CAAK,SAAS,OAAA,CAAQ,MAAA;AACtB,IAAA,IAAA,CAAK,SAAS,OAAA,CAAQ,MAAA;AACtB,IAAA,IAAA,CAAK,WAAW,OAAA,CAAQ,QAAA;AACxB,IAAA,IAAA,CAAK,qBAAqB,OAAA,CAAQ,kBAAA;AAClC,IAAA,IAAA,CAAK,SAAA,GAAY,QAAQ,SAAA,IAAa,OAAA;AACtC,IAAA,IAAA,CAAK,sBAAsB,OAAA,CAAQ,mBAAA;AAAA,EACrC;AAAA,EAEA,MAAM,WACJ,MAAA,EACgC;AAChC,IAAA,MAAM,GAAA,GAAM,MAAM,IAAA,CAAK,MAAA,EAAO;AAE9B,IAAA,OAAOA,6BAAA,CAAe;AAAA,MACpB,QAAQ,IAAA,CAAK,MAAA;AAAA,MACb,GAAA;AAAA,MACA,oBAAoB,IAAA,CAAK,kBAAA;AAAA,MACzB,QAAQ,IAAA,CAAK,MAAA;AAAA,MACb,qBAAqB,IAAA,CAAK,mBAAA;AAAA,MAC1B;AAAA,KACD,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,cAAA,GAA8C;AAClD,IAAA,MAAM,EAAE,KAAA,EAAO,IAAA,KAAS,MAAM,IAAA,CAAK,SAAS,QAAA,EAAS;AAErD,IAAA,MAAM,YAAY,EAAC;AACnB,IAAA,MAAM,cAAc,EAAC;AAErB,IAAA,KAAA,MAAW,OAAO,IAAA,EAAM;AAEtB,MAAA,MAAM,WAAWC,cAAA,CAAS,UAAA,CAAW,GAAA,CAAI,SAAS,EAAE,IAAA,CAAK;AAAA,QACvD,OAAA,EAAS,IAAI,IAAA,CAAK;AAAA,OACnB,CAAA;AACD,MAAA,IAAI,QAAA,GAAWA,cAAA,CAAS,KAAA,EAAM,EAAG;AAC/B,QAAA,WAAA,CAAY,KAAK,GAAG,CAAA;AAAA,MACtB,CAAA,MAAO;AACL,QAAA,SAAA,CAAU,KAAK,GAAG,CAAA;AAAA,MACpB;AAAA,IACF;AAGA,IAAA,IAAI,WAAA,CAAY,SAAS,CAAA,EAAG;AAC1B,MAAA,MAAM,IAAA,GAAO,YAAY,GAAA,CAAI,CAAC,EAAE,GAAA,EAAI,KAAM,IAAI,GAAG,CAAA;AAEjD,MAAA,IAAA,CAAK,OAAO,IAAA,CAAK,CAAA,gCAAA,EAAmC,KAAK,IAAA,CAAK,MAAM,CAAC,CAAA,CAAA,CAAG,CAAA;AAGxE,MAAA,IAAA,CAAK,QAAA,CAAS,UAAA,CAAW,IAAI,CAAA,CAAE,MAAM,CAAA,KAAA,KAAS;AAC5C,QAAA,IAAA,CAAK,MAAA,CAAO,KAAA,CAAM,CAAA,+BAAA,EAAkC,KAAK,CAAA,CAAE,CAAA;AAAA,MAC7D,CAAC,CAAA;AAAA,IACH;AAGA,IAAA,OAAO,EAAE,MAAM,SAAA,CAAU,GAAA,CAAI,CAAC,EAAE,GAAA,EAAI,KAAM,GAAG,CAAA,EAAE;AAAA,EACjD;AAAA,EAEA,MAAc,MAAA,GAAuB;AAEnC,IAAA,IAAI,KAAK,iBAAA,EAAmB;AAC1B,MAAA,IACE,IAAA,CAAK,aACLA,cAAA,CAAS,UAAA,CAAW,KAAK,SAAS,CAAA,GAAIA,cAAA,CAAS,KAAA,EAAM,EACrD;AACA,QAAA,OAAO,IAAA,CAAK,iBAAA;AAAA,MACd;AACA,MAAA,IAAA,CAAK,MAAA,CAAO,KAAK,CAAA,2CAAA,CAA6C,CAAA;AAC9D,MAAA,OAAO,IAAA,CAAK,iBAAA;AAAA,IACd;AAEA,IAAA,IAAA,CAAK,SAAA,GAAYA,cAAA,CAAS,GAAA,EAAI,CAC3B,IAAA,CAAK;AAAA,MACJ,SAAS,IAAA,CAAK;AAAA,KACf,EACA,QAAA,EAAS;AACZ,IAAA,MAAM,WAAW,YAAY;AAE3B,MAAA,MAAM,GAAA,GAAM,MAAMC,oBAAA,CAAgB,IAAA,CAAK,SAAS,CAAA;AAChD,MAAA,MAAM,SAAA,GAAY,MAAMC,cAAA,CAAU,GAAA,CAAI,SAAS,CAAA;AAC/C,MAAA,MAAM,UAAA,GAAa,MAAMA,cAAA,CAAU,GAAA,CAAI,UAAU,CAAA;AACjD,MAAA,SAAA,CAAU,GAAA,GAAM,UAAA,CAAW,GAAA,GAAMC,OAAA,EAAK;AACtC,MAAA,SAAA,CAAU,GAAA,GAAM,UAAA,CAAW,GAAA,GAAM,IAAA,CAAK,SAAA;AAQtC,MAAA,IAAA,CAAK,MAAA,CAAO,IAAA,CAAK,CAAA,wBAAA,EAA2B,SAAA,CAAU,GAAG,CAAA,CAAE,CAAA;AAC3D,MAAA,MAAM,IAAA,CAAK,QAAA,CAAS,MAAA,CAAO,SAAmB,CAAA;AAG9C,MAAA,OAAO,UAAA;AAAA,IACT,CAAA,GAAG;AAEH,IAAA,IAAA,CAAK,iBAAA,GAAoB,OAAA;AAEzB,IAAA,IAAI;AAGF,MAAA,MAAM,OAAA;AAAA,IACR,SAAS,KAAA,EAAO;AACd,MAAA,IAAA,CAAK,MAAA,CAAO,KAAA,CAAM,CAAA,oCAAA,EAAuC,KAAK,CAAA,CAAE,CAAA;AAChE,MAAA,OAAO,IAAA,CAAK,SAAA;AACZ,MAAA,OAAO,IAAA,CAAK,iBAAA;AAAA,IACd;AAEA,IAAA,OAAO,OAAA;AAAA,EACT;AACF;;;;"}
+{"version":3,"file":"TokenFactory.cjs.js","sources":["../../src/identity/TokenFactory.ts"],"sourcesContent":["/*\n * Copyright 2020 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { exportJWK, generateKeyPair, JWK } from 'jose';\nimport { DateTime } from 'luxon';\nimport { randomUUID as uuid } from 'node:crypto';\nimport { LoggerService } from '@backstage/backend-plugin-api';\nimport {\n  BackstageSignInResult,\n  TokenParams,\n  tokenTypes,\n} from '@backstage/plugin-auth-node';\nimport { AnyJWK, KeyStore, TokenIssuer } from './types';\nimport { JsonValue } from '@backstage/types';\nimport { issueUserToken } from './issueUserToken';\n\n/**\n * The payload contents of a valid Backstage JWT token\n */\nexport interface BackstageTokenPayload {\n  /**\n   * The issuer of the token, currently the discovery URL of the auth backend\n   */\n  iss: string;\n\n  /**\n   * The entity ref of the user\n   */\n  sub: string;\n\n  /**\n   * The entity refs that the user claims ownership through\n   */\n  ent: string[];\n\n  /**\n   * A hard coded audience string\n   */\n  aud: typeof tokenTypes.user.audClaim;\n\n  /**\n   * Standard expiry in epoch seconds\n   */\n  exp: number;\n\n  /**\n   * Standard issue time in epoch seconds\n   */\n  iat: number;\n\n  /**\n   * A separate user identity proof that the auth service can convert to a limited user token\n   */\n  uip: string;\n\n  /**\n   * Any other custom claims that the adopter may have added\n   */\n  [claim: string]: JsonValue;\n}\n\ntype Options = {\n  logger: LoggerService;\n  /** Value of the issuer claim in issued tokens */\n  issuer: string;\n  /** Key store used for storing signing keys */\n  keyStore: KeyStore;\n  /** Expiration time of signing keys in seconds */\n  keyDurationSeconds: number;\n  /** JWS \"alg\" (Algorithm) Header Parameter value. Defaults to ES256.\n   * Must match one of the algorithms defined for IdentityClient.\n   * When setting a different algorithm, check if the `key` field\n   * of the `signing_keys` table can fit the length of the generated keys.\n   * If not, add a knex migration file in the migrations folder.\n   * More info on supported algorithms: https://github.com/panva/jose */\n  algorithm?: string;\n  /**\n   * A list of claims to omit from issued tokens and only store in the user info database\n   */\n  omitClaimsFromToken?: string[];\n};\n\n/**\n * A token issuer that is able to issue tokens in a distributed system\n * backed by a single database. Tokens are issued using lazily generated\n * signing keys, where each running instance of the auth service uses its own\n * signing key.\n *\n * The public parts of the keys are all stored in the shared key storage,\n * and any of the instances of the auth service will return the full list\n * of public keys that are currently in storage.\n *\n * Signing keys are automatically rotated at the same interval as the token\n * duration. Expired keys are kept in storage until there are no valid tokens\n * in circulation that could have been signed by that key.\n */\nexport class TokenFactory implements TokenIssuer {\n  private readonly issuer: string;\n  private readonly logger: LoggerService;\n  private readonly keyStore: KeyStore;\n  private readonly keyDurationSeconds: number;\n  private readonly algorithm: string;\n  private readonly omitClaimsFromToken?: string[];\n\n  private keyExpiry?: Date;\n  private privateKeyPromise?: Promise<JWK>;\n\n  constructor(options: Options) {\n    this.issuer = options.issuer;\n    this.logger = options.logger;\n    this.keyStore = options.keyStore;\n    this.keyDurationSeconds = options.keyDurationSeconds;\n    this.algorithm = options.algorithm ?? 'ES256';\n    this.omitClaimsFromToken = options.omitClaimsFromToken;\n  }\n\n  async issueToken(\n    params: TokenParams & { claims: { ent: string[] } },\n  ): Promise<BackstageSignInResult> {\n    const key = await this.getKey();\n\n    return issueUserToken({\n      issuer: this.issuer,\n      key,\n      keyDurationSeconds: this.keyDurationSeconds,\n      logger: this.logger,\n      omitClaimsFromToken: this.omitClaimsFromToken,\n      params,\n    });\n  }\n\n  // This will be called by other services that want to verify ID tokens.\n  // It is important that it returns a list of all public keys that could\n  // have been used to sign tokens that have not yet expired.\n  async listPublicKeys(): Promise<{ keys: AnyJWK[] }> {\n    const { items: keys } = await this.keyStore.listKeys();\n\n    const validKeys = [];\n    const expiredKeys = [];\n\n    for (const key of keys) {\n      // Allow for a grace period of another full key duration before we remove the keys from the database\n      const expireAt = DateTime.fromJSDate(key.createdAt).plus({\n        seconds: 3 * this.keyDurationSeconds,\n      });\n      if (expireAt < DateTime.local()) {\n        expiredKeys.push(key);\n      } else {\n        validKeys.push(key);\n      }\n    }\n\n    // Lazily prune expired keys. This may cause duplicate removals if we have concurrent callers, but w/e\n    if (expiredKeys.length > 0) {\n      const kids = expiredKeys.map(({ key }) => key.kid);\n\n      this.logger.info(`Removing expired signing keys, '${kids.join(\"', '\")}'`);\n\n      // We don't await this, just let it run in the background\n      this.keyStore.removeKeys(kids).catch(error => {\n        this.logger.error(`Failed to remove expired keys, ${error}`);\n      });\n    }\n\n    // NOTE: we're currently only storing public keys, but if we start storing private keys we'd have to convert here\n    return { keys: validKeys.map(({ key }) => key) };\n  }\n\n  private async getKey(): Promise<JWK> {\n    // Make sure that we only generate one key at a time\n    if (this.privateKeyPromise) {\n      if (\n        this.keyExpiry &&\n        DateTime.fromJSDate(this.keyExpiry) > DateTime.local()\n      ) {\n        return this.privateKeyPromise;\n      }\n      this.logger.info(`Signing key has expired, generating new key`);\n      delete this.privateKeyPromise;\n    }\n\n    this.keyExpiry = DateTime.utc()\n      .plus({\n        seconds: this.keyDurationSeconds,\n      })\n      .toJSDate();\n    const promise = (async () => {\n      // This generates a new signing key to be used to sign tokens until the next key rotation\n      const key = await generateKeyPair(this.algorithm);\n      const publicKey = await exportJWK(key.publicKey);\n      const privateKey = await exportJWK(key.privateKey);\n      publicKey.kid = privateKey.kid = uuid();\n      publicKey.alg = privateKey.alg = this.algorithm;\n\n      // We're not allowed to use the key until it has been successfully stored\n      // TODO: some token verification implementations aggressively cache the list of keys, and\n      //       don't attempt to fetch new ones even if they encounter an unknown kid. Therefore we\n      //       may want to keep using the existing key for some period of time until we switch to\n      //       the new one. This also needs to be implemented cross-service though, meaning new services\n      //       that boot up need to be able to grab an existing key to use for signing.\n      this.logger.info(`Created new signing key ${publicKey.kid}`);\n      await this.keyStore.addKey(publicKey as AnyJWK);\n\n      // At this point we are allowed to start using the new key\n      return privateKey;\n    })();\n\n    this.privateKeyPromise = promise;\n\n    try {\n      // If we fail to generate a new key, we need to clear the state so that\n      // the next caller will try to generate another key.\n      await promise;\n    } catch (error) {\n      this.logger.error(`Failed to generate new signing key, ${error}`);\n      delete this.keyExpiry;\n      delete this.privateKeyPromise;\n    }\n\n    return promise;\n  }\n}\n"],"names":["issueUserToken","DateTime","generateKeyPair","exportJWK","uuid"],"mappings":";;;;;;;AA6GO,MAAM,YAAA,CAAoC;AAAA,EAC9B,MAAA;AAAA,EACA,MAAA;AAAA,EACA,QAAA;AAAA,EACA,kBAAA;AAAA,EACA,SAAA;AAAA,EACA,mBAAA;AAAA,EAET,SAAA;AAAA,EACA,iBAAA;AAAA,EAER,YAAY,OAAA,EAAkB;AAC5B,IAAA,IAAA,CAAK,SAAS,OAAA,CAAQ,MAAA;AACtB,IAAA,IAAA,CAAK,SAAS,OAAA,CAAQ,MAAA;AACtB,IAAA,IAAA,CAAK,WAAW,OAAA,CAAQ,QAAA;AACxB,IAAA,IAAA,CAAK,qBAAqB,OAAA,CAAQ,kBAAA;AAClC,IAAA,IAAA,CAAK,SAAA,GAAY,QAAQ,SAAA,IAAa,OAAA;AACtC,IAAA,IAAA,CAAK,sBAAsB,OAAA,CAAQ,mBAAA;AAAA,EACrC;AAAA,EAEA,MAAM,WACJ,MAAA,EACgC;AAChC,IAAA,MAAM,GAAA,GAAM,MAAM,IAAA,CAAK,MAAA,EAAO;AAE9B,IAAA,OAAOA,6BAAA,CAAe;AAAA,MACpB,QAAQ,IAAA,CAAK,MAAA;AAAA,MACb,GAAA;AAAA,MACA,oBAAoB,IAAA,CAAK,kBAAA;AAAA,MACzB,QAAQ,IAAA,CAAK,MAAA;AAAA,MACb,qBAAqB,IAAA,CAAK,mBAAA;AAAA,MAC1B;AAAA,KACD,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,cAAA,GAA8C;AAClD,IAAA,MAAM,EAAE,KAAA,EAAO,IAAA,KAAS,MAAM,IAAA,CAAK,SAAS,QAAA,EAAS;AAErD,IAAA,MAAM,YAAY,EAAC;AACnB,IAAA,MAAM,cAAc,EAAC;AAErB,IAAA,KAAA,MAAW,OAAO,IAAA,EAAM;AAEtB,MAAA,MAAM,WAAWC,cAAA,CAAS,UAAA,CAAW,GAAA,CAAI,SAAS,EAAE,IAAA,CAAK;AAAA,QACvD,OAAA,EAAS,IAAI,IAAA,CAAK;AAAA,OACnB,CAAA;AACD,MAAA,IAAI,QAAA,GAAWA,cAAA,CAAS,KAAA,EAAM,EAAG;AAC/B,QAAA,WAAA,CAAY,KAAK,GAAG,CAAA;AAAA,MACtB,CAAA,MAAO;AACL,QAAA,SAAA,CAAU,KAAK,GAAG,CAAA;AAAA,MACpB;AAAA,IACF;AAGA,IAAA,IAAI,WAAA,CAAY,SAAS,CAAA,EAAG;AAC1B,MAAA,MAAM,IAAA,GAAO,YAAY,GAAA,CAAI,CAAC,EAAE,GAAA,EAAI,KAAM,IAAI,GAAG,CAAA;AAEjD,MAAA,IAAA,CAAK,OAAO,IAAA,CAAK,CAAA,gCAAA,EAAmC,KAAK,IAAA,CAAK,MAAM,CAAC,CAAA,CAAA,CAAG,CAAA;AAGxE,MAAA,IAAA,CAAK,QAAA,CAAS,UAAA,CAAW,IAAI,CAAA,CAAE,MAAM,CAAA,KAAA,KAAS;AAC5C,QAAA,IAAA,CAAK,MAAA,CAAO,KAAA,CAAM,CAAA,+BAAA,EAAkC,KAAK,CAAA,CAAE,CAAA;AAAA,MAC7D,CAAC,CAAA;AAAA,IACH;AAGA,IAAA,OAAO,EAAE,MAAM,SAAA,CAAU,GAAA,CAAI,CAAC,EAAE,GAAA,EAAI,KAAM,GAAG,CAAA,EAAE;AAAA,EACjD;AAAA,EAEA,MAAc,MAAA,GAAuB;AAEnC,IAAA,IAAI,KAAK,iBAAA,EAAmB;AAC1B,MAAA,IACE,IAAA,CAAK,aACLA,cAAA,CAAS,UAAA,CAAW,KAAK,SAAS,CAAA,GAAIA,cAAA,CAAS,KAAA,EAAM,EACrD;AACA,QAAA,OAAO,IAAA,CAAK,iBAAA;AAAA,MACd;AACA,MAAA,IAAA,CAAK,MAAA,CAAO,KAAK,CAAA,2CAAA,CAA6C,CAAA;AAC9D,MAAA,OAAO,IAAA,CAAK,iBAAA;AAAA,IACd;AAEA,IAAA,IAAA,CAAK,SAAA,GAAYA,cAAA,CAAS,GAAA,EAAI,CAC3B,IAAA,CAAK;AAAA,MACJ,SAAS,IAAA,CAAK;AAAA,KACf,EACA,QAAA,EAAS;AACZ,IAAA,MAAM,WAAW,YAAY;AAE3B,MAAA,MAAM,GAAA,GAAM,MAAMC,oBAAA,CAAgB,IAAA,CAAK,SAAS,CAAA;AAChD,MAAA,MAAM,SAAA,GAAY,MAAMC,cAAA,CAAU,GAAA,CAAI,SAAS,CAAA;AAC/C,MAAA,MAAM,UAAA,GAAa,MAAMA,cAAA,CAAU,GAAA,CAAI,UAAU,CAAA;AACjD,MAAA,SAAA,CAAU,GAAA,GAAM,UAAA,CAAW,GAAA,GAAMC,iBAAA,EAAK;AACtC,MAAA,SAAA,CAAU,GAAA,GAAM,UAAA,CAAW,GAAA,GAAM,IAAA,CAAK,SAAA;AAQtC,MAAA,IAAA,CAAK,MAAA,CAAO,IAAA,CAAK,CAAA,wBAAA,EAA2B,SAAA,CAAU,GAAG,CAAA,CAAE,CAAA;AAC3D,MAAA,MAAM,IAAA,CAAK,QAAA,CAAS,MAAA,CAAO,SAAmB,CAAA;AAG9C,MAAA,OAAO,UAAA;AAAA,IACT,CAAA,GAAG;AAEH,IAAA,IAAA,CAAK,iBAAA,GAAoB,OAAA;AAEzB,IAAA,IAAI;AAGF,MAAA,MAAM,OAAA;AAAA,IACR,SAAS,KAAA,EAAO;AACd,MAAA,IAAA,CAAK,MAAA,CAAO,KAAA,CAAM,CAAA,oCAAA,EAAuC,KAAK,CAAA,CAAE,CAAA;AAChE,MAAA,OAAO,IAAA,CAAK,SAAA;AACZ,MAAA,OAAO,IAAA,CAAK,iBAAA;AAAA,IACd;AAEA,IAAA,OAAO,OAAA;AAAA,EACT;AACF;;;;"}

package/dist/service/OfflineAccessService.cjs.js

@@ -3,7 +3,7 @@
 var errors = require('@backstage/errors');
 var config = require('@backstage/config');
 var types = require('@backstage/types');
-var uuid = require('uuid');
+var crypto = require('node:crypto');
 var OfflineSessionDatabase = require('../database/OfflineSessionDatabase.cjs.js');
 var refreshToken = require('../lib/refreshToken.cjs.js');
 
@@ -89,7 +89,7 @@ class OfflineAccessService {
    */
   async issueRefreshToken(options) {
     const { userEntityRef, oidcClientId } = options;
-    const sessionId = uuid.v4();
+    const sessionId = crypto.randomUUID();
     const { token, hash } = await refreshToken.generateRefreshToken(sessionId);
     await this.#offlineSessionDb.createSession({
       id: sessionId,

package/dist/service/OfflineAccessService.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"OfflineAccessService.cjs.js","sources":["../../src/service/OfflineAccessService.ts"],"sourcesContent":["/*\n * Copyright 2025 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  DatabaseService,\n  LifecycleService,\n  LoggerService,\n  RootConfigService,\n} from '@backstage/backend-plugin-api';\nimport { AuthenticationError } from '@backstage/errors';\nimport { readDurationFromConfig } from '@backstage/config';\nimport { durationToMilliseconds } from '@backstage/types';\nimport { v4 as uuid } from 'uuid';\nimport { OfflineSessionDatabase } from '../database/OfflineSessionDatabase';\nimport {\n  generateRefreshToken,\n  getRefreshTokenId,\n  verifyRefreshToken,\n} from '../lib/refreshToken';\nimport { TokenIssuer } from '../identity/types';\n\n/**\n * Service for managing offline access (refresh tokens)\n * @internal\n */\nexport class OfflineAccessService {\n  readonly #offlineSessionDb: OfflineSessionDatabase;\n  readonly #logger: LoggerService;\n\n  static async create(options: {\n    config: RootConfigService;\n    database: DatabaseService;\n    logger: LoggerService;\n    lifecycle: LifecycleService;\n  }): Promise<OfflineAccessService> {\n    const { config, database, logger, lifecycle } = options;\n\n    const tokenLifetime = config.has(\n      'auth.experimentalRefreshToken.tokenLifetime',\n    )\n      ? readDurationFromConfig(config, {\n          key: 'auth.experimentalRefreshToken.tokenLifetime',\n        })\n      : { days: 30 };\n\n    const maxRotationLifetime = config.has(\n      'auth.experimentalRefreshToken.maxRotationLifetime',\n    )\n      ? readDurationFromConfig(config, {\n          key: 'auth.experimentalRefreshToken.maxRotationLifetime',\n        })\n      : { years: 1 };\n\n    const tokenLifetimeSeconds = Math.floor(\n      durationToMilliseconds(tokenLifetime) / 1000,\n    );\n    const maxRotationLifetimeSeconds = Math.floor(\n      durationToMilliseconds(maxRotationLifetime) / 1000,\n    );\n\n    if (tokenLifetimeSeconds <= 0) {\n      throw new Error(\n        'auth.experimentalRefreshToken.tokenLifetime must be a positive duration',\n      );\n    }\n    if (maxRotationLifetimeSeconds <= 0) {\n      throw new Error(\n        'auth.experimentalRefreshToken.maxRotationLifetime must be a positive duration',\n      );\n    }\n    if (maxRotationLifetimeSeconds <= tokenLifetimeSeconds) {\n      throw new Error(\n        'auth.experimentalRefreshToken.maxRotationLifetime must be greater than tokenLifetime',\n      );\n    }\n\n    const maxTokensPerUser =\n      config.getOptionalNumber(\n        'auth.experimentalRefreshToken.maxTokensPerUser',\n      ) ?? 20;\n\n    if (maxTokensPerUser <= 0) {\n      throw new Error(\n        'auth.experimentalRefreshToken.maxTokensPerUser must be a positive number',\n      );\n    }\n\n    const knex = await database.getClient();\n\n    if (\n      knex.client.config.client.includes('sqlite') ||\n      knex.client.config.client.includes('better-sqlite')\n    ) {\n      logger.warn(\n        'Refresh tokens are enabled with SQLite, which does not support row-level locking. ' +\n          'Concurrent token rotation may not be fully protected against race conditions. ' +\n          'Use PostgreSQL for production deployments.',\n      );\n    }\n\n    const offlineSessionDb = OfflineSessionDatabase.create({\n      knex,\n      tokenLifetimeSeconds,\n      maxRotationLifetimeSeconds,\n      maxTokensPerUser,\n    });\n\n    const cleanupIntervalMs = 60 * 60 * 1000;\n    const cleanupInterval = setInterval(async () => {\n      try {\n        const deleted = await offlineSessionDb.cleanupExpiredSessions();\n        if (deleted > 0) {\n          logger.info(`Cleaned up ${deleted} expired offline sessions`);\n        }\n      } catch (error) {\n        logger.error('Failed to cleanup expired offline sessions', error);\n      }\n    }, cleanupIntervalMs);\n    cleanupInterval.unref();\n\n    lifecycle.addShutdownHook(() => {\n      clearInterval(cleanupInterval);\n    });\n\n    return new OfflineAccessService(offlineSessionDb, logger);\n  }\n\n  private constructor(\n    offlineSessionDb: OfflineSessionDatabase,\n    logger: LoggerService,\n  ) {\n    this.#offlineSessionDb = offlineSessionDb;\n    this.#logger = logger;\n  }\n\n  /**\n   * Issue a new refresh token for a user\n   */\n  async issueRefreshToken(options: {\n    userEntityRef: string;\n    oidcClientId?: string;\n  }): Promise<string> {\n    const { userEntityRef, oidcClientId } = options;\n\n    const sessionId = uuid();\n    const { token, hash } = await generateRefreshToken(sessionId);\n\n    await this.#offlineSessionDb.createSession({\n      id: sessionId,\n      userEntityRef,\n      oidcClientId,\n      tokenHash: hash,\n    });\n\n    this.#logger.debug(\n      `Issued refresh token for user ${userEntityRef} with session ${sessionId}`,\n    );\n\n    return token;\n  }\n\n  /**\n   * Refresh an access token using a refresh token\n   */\n  async refreshAccessToken(options: {\n    refreshToken: string;\n    tokenIssuer: TokenIssuer;\n    clientId?: string;\n  }): Promise<{ accessToken: string; refreshToken: string }> {\n    const { refreshToken, tokenIssuer, clientId } = options;\n\n    let sessionId: string;\n    try {\n      sessionId = getRefreshTokenId(refreshToken);\n    } catch (error) {\n      this.#logger.debug('Failed to extract refresh token ID', error);\n      throw new AuthenticationError('Invalid refresh token format');\n    }\n\n    const session = await this.#offlineSessionDb.getSessionById(sessionId);\n    if (!session) {\n      throw new AuthenticationError('Invalid refresh token');\n    }\n\n    if (this.#offlineSessionDb.isSessionExpired(session)) {\n      await this.#offlineSessionDb.deleteSession(sessionId);\n      throw new AuthenticationError('Invalid refresh token');\n    }\n\n    if (clientId && session.oidcClientId && clientId !== session.oidcClientId) {\n      throw new AuthenticationError(\n        'Refresh token was not issued to this client',\n      );\n    }\n\n    // Verify the caller actually holds a valid token, not just the session ID\n    const isValid = await verifyRefreshToken(refreshToken, session.tokenHash);\n    if (!isValid) {\n      throw new AuthenticationError('Invalid refresh token');\n    }\n\n    const { token: newRefreshToken, hash: newHash } =\n      await generateRefreshToken(sessionId);\n\n    // Atomically swap the hash so a concurrent request with the same token fails\n    const rotatedSession = await this.#offlineSessionDb.getAndRotateToken(\n      sessionId,\n      session.tokenHash,\n      newHash,\n    );\n\n    if (!rotatedSession) {\n      throw new AuthenticationError('Invalid refresh token');\n    }\n\n    const { token: accessToken } = await tokenIssuer.issueToken({\n      claims: {\n        sub: rotatedSession.userEntityRef,\n      },\n    });\n\n    this.#logger.debug(\n      `Refreshed access token for user ${session.userEntityRef} with session ${sessionId}`,\n    );\n\n    return { accessToken, refreshToken: newRefreshToken };\n  }\n\n  /**\n   * Revoke a refresh token\n   */\n  async revokeRefreshToken(refreshToken: string): Promise<void> {\n    try {\n      const sessionId = getRefreshTokenId(refreshToken);\n      await this.#offlineSessionDb.deleteSession(sessionId);\n      this.#logger.debug(`Revoked refresh token with session ${sessionId}`);\n    } catch (error) {\n      // Ignore errors when revoking - token may already be invalid\n      this.#logger.debug('Failed to revoke refresh token', error);\n    }\n  }\n\n  /**\n   * Revoke all refresh tokens for a user\n   */\n  async revokeRefreshTokensByUserEntityRef(\n    userEntityRef: string,\n  ): Promise<void> {\n    const deletedCount =\n      await this.#offlineSessionDb.deleteSessionsByUserEntityRef(userEntityRef);\n    this.#logger.debug(\n      `Revoked ${deletedCount} refresh tokens for user ${userEntityRef}`,\n    );\n  }\n}\n"],"names":["config","readDurationFromConfig","durationToMilliseconds","OfflineSessionDatabase","uuid","generateRefreshToken","refreshToken","getRefreshTokenId","AuthenticationError","verifyRefreshToken"],"mappings":";;;;;;;;;AAsCO,MAAM,oBAAA,CAAqB;AAAA,EACvB,iBAAA;AAAA,EACA,OAAA;AAAA,EAET,aAAa,OAAO,OAAA,EAKc;AAChC,IAAA,MAAM,UAAEA,QAAA,EAAQ,QAAA,EAAU,MAAA,EAAQ,WAAU,GAAI,OAAA;AAEhD,IAAA,MAAM,gBAAgBA,QAAA,CAAO,GAAA;AAAA,MAC3B;AAAA,KACF,GACIC,8BAAuBD,QAAA,EAAQ;AAAA,MAC7B,GAAA,EAAK;AAAA,KACN,CAAA,GACD,EAAE,IAAA,EAAM,EAAA,EAAG;AAEf,IAAA,MAAM,sBAAsBA,QAAA,CAAO,GAAA;AAAA,MACjC;AAAA,KACF,GACIC,8BAAuBD,QAAA,EAAQ;AAAA,MAC7B,GAAA,EAAK;AAAA,KACN,CAAA,GACD,EAAE,KAAA,EAAO,CAAA,EAAE;AAEf,IAAA,MAAM,uBAAuB,IAAA,CAAK,KAAA;AAAA,MAChCE,4BAAA,CAAuB,aAAa,CAAA,GAAI;AAAA,KAC1C;AACA,IAAA,MAAM,6BAA6B,IAAA,CAAK,KAAA;AAAA,MACtCA,4BAAA,CAAuB,mBAAmB,CAAA,GAAI;AAAA,KAChD;AAEA,IAAA,IAAI,wBAAwB,CAAA,EAAG;AAC7B,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AACA,IAAA,IAAI,8BAA8B,CAAA,EAAG;AACnC,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AACA,IAAA,IAAI,8BAA8B,oBAAA,EAAsB;AACtD,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AAEA,IAAA,MAAM,mBACJF,QAAA,CAAO,iBAAA;AAAA,MACL;AAAA,KACF,IAAK,EAAA;AAEP,IAAA,IAAI,oBAAoB,CAAA,EAAG;AACzB,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AAEA,IAAA,MAAM,IAAA,GAAO,MAAM,QAAA,CAAS,SAAA,EAAU;AAEtC,IAAA,IACE,IAAA,CAAK,MAAA,CAAO,MAAA,CAAO,MAAA,CAAO,QAAA,CAAS,QAAQ,CAAA,IAC3C,IAAA,CAAK,MAAA,CAAO,MAAA,CAAO,MAAA,CAAO,QAAA,CAAS,eAAe,CAAA,EAClD;AACA,MAAA,MAAA,CAAO,IAAA;AAAA,QACL;AAAA,OAGF;AAAA,IACF;AAEA,IAAA,MAAM,gBAAA,GAAmBG,8CAAuB,MAAA,CAAO;AAAA,MACrD,IAAA;AAAA,MACA,oBAAA;AAAA,MACA,0BAAA;AAAA,MACA;AAAA,KACD,CAAA;AAED,IAAA,MAAM,iBAAA,GAAoB,KAAK,EAAA,GAAK,GAAA;AACpC,IAAA,MAAM,eAAA,GAAkB,YAAY,YAAY;AAC9C,MAAA,IAAI;AACF,QAAA,MAAM,OAAA,GAAU,MAAM,gBAAA,CAAiB,sBAAA,EAAuB;AAC9D,QAAA,IAAI,UAAU,CAAA,EAAG;AACf,UAAA,MAAA,CAAO,IAAA,CAAK,CAAA,WAAA,EAAc,OAAO,CAAA,yBAAA,CAA2B,CAAA;AAAA,QAC9D;AAAA,MACF,SAAS,KAAA,EAAO;AACd,QAAA,MAAA,CAAO,KAAA,CAAM,8CAA8C,KAAK,CAAA;AAAA,MAClE;AAAA,IACF,GAAG,iBAAiB,CAAA;AACpB,IAAA,eAAA,CAAgB,KAAA,EAAM;AAEtB,IAAA,SAAA,CAAU,gBAAgB,MAAM;AAC9B,MAAA,aAAA,CAAc,eAAe,CAAA;AAAA,IAC/B,CAAC,CAAA;AAED,IAAA,OAAO,IAAI,oBAAA,CAAqB,gBAAA,EAAkB,MAAM,CAAA;AAAA,EAC1D;AAAA,EAEQ,WAAA,CACN,kBACA,MAAA,EACA;AACA,IAAA,IAAA,CAAK,iBAAA,GAAoB,gBAAA;AACzB,IAAA,IAAA,CAAK,OAAA,GAAU,MAAA;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,kBAAkB,OAAA,EAGJ;AAClB,IAAA,MAAM,EAAE,aAAA,EAAe,YAAA,EAAa,GAAI,OAAA;AAExC,IAAA,MAAM,YAAYC,OAAA,EAAK;AACvB,IAAA,MAAM,EAAE,KAAA,EAAO,IAAA,EAAK,GAAI,MAAMC,kCAAqB,SAAS,CAAA;AAE5D,IAAA,MAAM,IAAA,CAAK,kBAAkB,aAAA,CAAc;AAAA,MACzC,EAAA,EAAI,SAAA;AAAA,MACJ,aAAA;AAAA,MACA,YAAA;AAAA,MACA,SAAA,EAAW;AAAA,KACZ,CAAA;AAED,IAAA,IAAA,CAAK,OAAA,CAAQ,KAAA;AAAA,MACX,CAAA,8BAAA,EAAiC,aAAa,CAAA,cAAA,EAAiB,SAAS,CAAA;AAAA,KAC1E;AAEA,IAAA,OAAO,KAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,mBAAmB,OAAA,EAIkC;AACzD,IAAA,MAAM,gBAAEC,cAAA,EAAc,WAAA,EAAa,QAAA,EAAS,GAAI,OAAA;AAEhD,IAAA,IAAI,SAAA;AACJ,IAAA,IAAI;AACF,MAAA,SAAA,GAAYC,+BAAkBD,cAAY,CAAA;AAAA,IAC5C,SAAS,KAAA,EAAO;AACd,MAAA,IAAA,CAAK,OAAA,CAAQ,KAAA,CAAM,oCAAA,EAAsC,KAAK,CAAA;AAC9D,MAAA,MAAM,IAAIE,2BAAoB,8BAA8B,CAAA;AAAA,IAC9D;AAEA,IAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,iBAAA,CAAkB,eAAe,SAAS,CAAA;AACrE,IAAA,IAAI,CAAC,OAAA,EAAS;AACZ,MAAA,MAAM,IAAIA,2BAAoB,uBAAuB,CAAA;AAAA,IACvD;AAEA,IAAA,IAAI,IAAA,CAAK,iBAAA,CAAkB,gBAAA,CAAiB,OAAO,CAAA,EAAG;AACpD,MAAA,MAAM,IAAA,CAAK,iBAAA,CAAkB,aAAA,CAAc,SAAS,CAAA;AACpD,MAAA,MAAM,IAAIA,2BAAoB,uBAAuB,CAAA;AAAA,IACvD;AAEA,IAAA,IAAI,QAAA,IAAY,OAAA,CAAQ,YAAA,IAAgB,QAAA,KAAa,QAAQ,YAAA,EAAc;AACzE,MAAA,MAAM,IAAIA,0BAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AAGA,IAAA,MAAM,OAAA,GAAU,MAAMC,+BAAA,CAAmBH,cAAA,EAAc,QAAQ,SAAS,CAAA;AACxE,IAAA,IAAI,CAAC,OAAA,EAAS;AACZ,MAAA,MAAM,IAAIE,2BAAoB,uBAAuB,CAAA;AAAA,IACvD;AAEA,IAAA,MAAM,EAAE,OAAO,eAAA,EAAiB,IAAA,EAAM,SAAQ,GAC5C,MAAMH,kCAAqB,SAAS,CAAA;AAGtC,IAAA,MAAM,cAAA,GAAiB,MAAM,IAAA,CAAK,iBAAA,CAAkB,iBAAA;AAAA,MAClD,SAAA;AAAA,MACA,OAAA,CAAQ,SAAA;AAAA,MACR;AAAA,KACF;AAEA,IAAA,IAAI,CAAC,cAAA,EAAgB;AACnB,MAAA,MAAM,IAAIG,2BAAoB,uBAAuB,CAAA;AAAA,IACvD;AAEA,IAAA,MAAM,EAAE,KAAA,EAAO,WAAA,EAAY,GAAI,MAAM,YAAY,UAAA,CAAW;AAAA,MAC1D,MAAA,EAAQ;AAAA,QACN,KAAK,cAAA,CAAe;AAAA;AACtB,KACD,CAAA;AAED,IAAA,IAAA,CAAK,OAAA,CAAQ,KAAA;AAAA,MACX,CAAA,gCAAA,EAAmC,OAAA,CAAQ,aAAa,CAAA,cAAA,EAAiB,SAAS,CAAA;AAAA,KACpF;AAEA,IAAA,OAAO,EAAE,WAAA,EAAa,YAAA,EAAc,eAAA,EAAgB;AAAA,EACtD;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,mBAAmBF,cAAA,EAAqC;AAC5D,IAAA,IAAI;AACF,MAAA,MAAM,SAAA,GAAYC,+BAAkBD,cAAY,CAAA;AAChD,MAAA,MAAM,IAAA,CAAK,iBAAA,CAAkB,aAAA,CAAc,SAAS,CAAA;AACpD,MAAA,IAAA,CAAK,OAAA,CAAQ,KAAA,CAAM,CAAA,mCAAA,EAAsC,SAAS,CAAA,CAAE,CAAA;AAAA,IACtE,SAAS,KAAA,EAAO;AAEd,MAAA,IAAA,CAAK,OAAA,CAAQ,KAAA,CAAM,gCAAA,EAAkC,KAAK,CAAA;AAAA,IAC5D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,mCACJ,aAAA,EACe;AACf,IAAA,MAAM,YAAA,GACJ,MAAM,IAAA,CAAK,iBAAA,CAAkB,8BAA8B,aAAa,CAAA;AAC1E,IAAA,IAAA,CAAK,OAAA,CAAQ,KAAA;AAAA,MACX,CAAA,QAAA,EAAW,YAAY,CAAA,yBAAA,EAA4B,aAAa,CAAA;AAAA,KAClE;AAAA,EACF;AACF;;;;"}
+{"version":3,"file":"OfflineAccessService.cjs.js","sources":["../../src/service/OfflineAccessService.ts"],"sourcesContent":["/*\n * Copyright 2025 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  DatabaseService,\n  LifecycleService,\n  LoggerService,\n  RootConfigService,\n} from '@backstage/backend-plugin-api';\nimport { AuthenticationError } from '@backstage/errors';\nimport { readDurationFromConfig } from '@backstage/config';\nimport { durationToMilliseconds } from '@backstage/types';\nimport { randomUUID as uuid } from 'node:crypto';\nimport { OfflineSessionDatabase } from '../database/OfflineSessionDatabase';\nimport {\n  generateRefreshToken,\n  getRefreshTokenId,\n  verifyRefreshToken,\n} from '../lib/refreshToken';\nimport { TokenIssuer } from '../identity/types';\n\n/**\n * Service for managing offline access (refresh tokens)\n * @internal\n */\nexport class OfflineAccessService {\n  readonly #offlineSessionDb: OfflineSessionDatabase;\n  readonly #logger: LoggerService;\n\n  static async create(options: {\n    config: RootConfigService;\n    database: DatabaseService;\n    logger: LoggerService;\n    lifecycle: LifecycleService;\n  }): Promise<OfflineAccessService> {\n    const { config, database, logger, lifecycle } = options;\n\n    const tokenLifetime = config.has(\n      'auth.experimentalRefreshToken.tokenLifetime',\n    )\n      ? readDurationFromConfig(config, {\n          key: 'auth.experimentalRefreshToken.tokenLifetime',\n        })\n      : { days: 30 };\n\n    const maxRotationLifetime = config.has(\n      'auth.experimentalRefreshToken.maxRotationLifetime',\n    )\n      ? readDurationFromConfig(config, {\n          key: 'auth.experimentalRefreshToken.maxRotationLifetime',\n        })\n      : { years: 1 };\n\n    const tokenLifetimeSeconds = Math.floor(\n      durationToMilliseconds(tokenLifetime) / 1000,\n    );\n    const maxRotationLifetimeSeconds = Math.floor(\n      durationToMilliseconds(maxRotationLifetime) / 1000,\n    );\n\n    if (tokenLifetimeSeconds <= 0) {\n      throw new Error(\n        'auth.experimentalRefreshToken.tokenLifetime must be a positive duration',\n      );\n    }\n    if (maxRotationLifetimeSeconds <= 0) {\n      throw new Error(\n        'auth.experimentalRefreshToken.maxRotationLifetime must be a positive duration',\n      );\n    }\n    if (maxRotationLifetimeSeconds <= tokenLifetimeSeconds) {\n      throw new Error(\n        'auth.experimentalRefreshToken.maxRotationLifetime must be greater than tokenLifetime',\n      );\n    }\n\n    const maxTokensPerUser =\n      config.getOptionalNumber(\n        'auth.experimentalRefreshToken.maxTokensPerUser',\n      ) ?? 20;\n\n    if (maxTokensPerUser <= 0) {\n      throw new Error(\n        'auth.experimentalRefreshToken.maxTokensPerUser must be a positive number',\n      );\n    }\n\n    const knex = await database.getClient();\n\n    if (\n      knex.client.config.client.includes('sqlite') ||\n      knex.client.config.client.includes('better-sqlite')\n    ) {\n      logger.warn(\n        'Refresh tokens are enabled with SQLite, which does not support row-level locking. ' +\n          'Concurrent token rotation may not be fully protected against race conditions. ' +\n          'Use PostgreSQL for production deployments.',\n      );\n    }\n\n    const offlineSessionDb = OfflineSessionDatabase.create({\n      knex,\n      tokenLifetimeSeconds,\n      maxRotationLifetimeSeconds,\n      maxTokensPerUser,\n    });\n\n    const cleanupIntervalMs = 60 * 60 * 1000;\n    const cleanupInterval = setInterval(async () => {\n      try {\n        const deleted = await offlineSessionDb.cleanupExpiredSessions();\n        if (deleted > 0) {\n          logger.info(`Cleaned up ${deleted} expired offline sessions`);\n        }\n      } catch (error) {\n        logger.error('Failed to cleanup expired offline sessions', error);\n      }\n    }, cleanupIntervalMs);\n    cleanupInterval.unref();\n\n    lifecycle.addShutdownHook(() => {\n      clearInterval(cleanupInterval);\n    });\n\n    return new OfflineAccessService(offlineSessionDb, logger);\n  }\n\n  private constructor(\n    offlineSessionDb: OfflineSessionDatabase,\n    logger: LoggerService,\n  ) {\n    this.#offlineSessionDb = offlineSessionDb;\n    this.#logger = logger;\n  }\n\n  /**\n   * Issue a new refresh token for a user\n   */\n  async issueRefreshToken(options: {\n    userEntityRef: string;\n    oidcClientId?: string;\n  }): Promise<string> {\n    const { userEntityRef, oidcClientId } = options;\n\n    const sessionId = uuid();\n    const { token, hash } = await generateRefreshToken(sessionId);\n\n    await this.#offlineSessionDb.createSession({\n      id: sessionId,\n      userEntityRef,\n      oidcClientId,\n      tokenHash: hash,\n    });\n\n    this.#logger.debug(\n      `Issued refresh token for user ${userEntityRef} with session ${sessionId}`,\n    );\n\n    return token;\n  }\n\n  /**\n   * Refresh an access token using a refresh token\n   */\n  async refreshAccessToken(options: {\n    refreshToken: string;\n    tokenIssuer: TokenIssuer;\n    clientId?: string;\n  }): Promise<{ accessToken: string; refreshToken: string }> {\n    const { refreshToken, tokenIssuer, clientId } = options;\n\n    let sessionId: string;\n    try {\n      sessionId = getRefreshTokenId(refreshToken);\n    } catch (error) {\n      this.#logger.debug('Failed to extract refresh token ID', error);\n      throw new AuthenticationError('Invalid refresh token format');\n    }\n\n    const session = await this.#offlineSessionDb.getSessionById(sessionId);\n    if (!session) {\n      throw new AuthenticationError('Invalid refresh token');\n    }\n\n    if (this.#offlineSessionDb.isSessionExpired(session)) {\n      await this.#offlineSessionDb.deleteSession(sessionId);\n      throw new AuthenticationError('Invalid refresh token');\n    }\n\n    if (clientId && session.oidcClientId && clientId !== session.oidcClientId) {\n      throw new AuthenticationError(\n        'Refresh token was not issued to this client',\n      );\n    }\n\n    // Verify the caller actually holds a valid token, not just the session ID\n    const isValid = await verifyRefreshToken(refreshToken, session.tokenHash);\n    if (!isValid) {\n      throw new AuthenticationError('Invalid refresh token');\n    }\n\n    const { token: newRefreshToken, hash: newHash } =\n      await generateRefreshToken(sessionId);\n\n    // Atomically swap the hash so a concurrent request with the same token fails\n    const rotatedSession = await this.#offlineSessionDb.getAndRotateToken(\n      sessionId,\n      session.tokenHash,\n      newHash,\n    );\n\n    if (!rotatedSession) {\n      throw new AuthenticationError('Invalid refresh token');\n    }\n\n    const { token: accessToken } = await tokenIssuer.issueToken({\n      claims: {\n        sub: rotatedSession.userEntityRef,\n      },\n    });\n\n    this.#logger.debug(\n      `Refreshed access token for user ${session.userEntityRef} with session ${sessionId}`,\n    );\n\n    return { accessToken, refreshToken: newRefreshToken };\n  }\n\n  /**\n   * Revoke a refresh token\n   */\n  async revokeRefreshToken(refreshToken: string): Promise<void> {\n    try {\n      const sessionId = getRefreshTokenId(refreshToken);\n      await this.#offlineSessionDb.deleteSession(sessionId);\n      this.#logger.debug(`Revoked refresh token with session ${sessionId}`);\n    } catch (error) {\n      // Ignore errors when revoking - token may already be invalid\n      this.#logger.debug('Failed to revoke refresh token', error);\n    }\n  }\n\n  /**\n   * Revoke all refresh tokens for a user\n   */\n  async revokeRefreshTokensByUserEntityRef(\n    userEntityRef: string,\n  ): Promise<void> {\n    const deletedCount =\n      await this.#offlineSessionDb.deleteSessionsByUserEntityRef(userEntityRef);\n    this.#logger.debug(\n      `Revoked ${deletedCount} refresh tokens for user ${userEntityRef}`,\n    );\n  }\n}\n"],"names":["config","readDurationFromConfig","durationToMilliseconds","OfflineSessionDatabase","uuid","generateRefreshToken","refreshToken","getRefreshTokenId","AuthenticationError","verifyRefreshToken"],"mappings":";;;;;;;;;AAsCO,MAAM,oBAAA,CAAqB;AAAA,EACvB,iBAAA;AAAA,EACA,OAAA;AAAA,EAET,aAAa,OAAO,OAAA,EAKc;AAChC,IAAA,MAAM,UAAEA,QAAA,EAAQ,QAAA,EAAU,MAAA,EAAQ,WAAU,GAAI,OAAA;AAEhD,IAAA,MAAM,gBAAgBA,QAAA,CAAO,GAAA;AAAA,MAC3B;AAAA,KACF,GACIC,8BAAuBD,QAAA,EAAQ;AAAA,MAC7B,GAAA,EAAK;AAAA,KACN,CAAA,GACD,EAAE,IAAA,EAAM,EAAA,EAAG;AAEf,IAAA,MAAM,sBAAsBA,QAAA,CAAO,GAAA;AAAA,MACjC;AAAA,KACF,GACIC,8BAAuBD,QAAA,EAAQ;AAAA,MAC7B,GAAA,EAAK;AAAA,KACN,CAAA,GACD,EAAE,KAAA,EAAO,CAAA,EAAE;AAEf,IAAA,MAAM,uBAAuB,IAAA,CAAK,KAAA;AAAA,MAChCE,4BAAA,CAAuB,aAAa,CAAA,GAAI;AAAA,KAC1C;AACA,IAAA,MAAM,6BAA6B,IAAA,CAAK,KAAA;AAAA,MACtCA,4BAAA,CAAuB,mBAAmB,CAAA,GAAI;AAAA,KAChD;AAEA,IAAA,IAAI,wBAAwB,CAAA,EAAG;AAC7B,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AACA,IAAA,IAAI,8BAA8B,CAAA,EAAG;AACnC,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AACA,IAAA,IAAI,8BAA8B,oBAAA,EAAsB;AACtD,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AAEA,IAAA,MAAM,mBACJF,QAAA,CAAO,iBAAA;AAAA,MACL;AAAA,KACF,IAAK,EAAA;AAEP,IAAA,IAAI,oBAAoB,CAAA,EAAG;AACzB,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AAEA,IAAA,MAAM,IAAA,GAAO,MAAM,QAAA,CAAS,SAAA,EAAU;AAEtC,IAAA,IACE,IAAA,CAAK,MAAA,CAAO,MAAA,CAAO,MAAA,CAAO,QAAA,CAAS,QAAQ,CAAA,IAC3C,IAAA,CAAK,MAAA,CAAO,MAAA,CAAO,MAAA,CAAO,QAAA,CAAS,eAAe,CAAA,EAClD;AACA,MAAA,MAAA,CAAO,IAAA;AAAA,QACL;AAAA,OAGF;AAAA,IACF;AAEA,IAAA,MAAM,gBAAA,GAAmBG,8CAAuB,MAAA,CAAO;AAAA,MACrD,IAAA;AAAA,MACA,oBAAA;AAAA,MACA,0BAAA;AAAA,MACA;AAAA,KACD,CAAA;AAED,IAAA,MAAM,iBAAA,GAAoB,KAAK,EAAA,GAAK,GAAA;AACpC,IAAA,MAAM,eAAA,GAAkB,YAAY,YAAY;AAC9C,MAAA,IAAI;AACF,QAAA,MAAM,OAAA,GAAU,MAAM,gBAAA,CAAiB,sBAAA,EAAuB;AAC9D,QAAA,IAAI,UAAU,CAAA,EAAG;AACf,UAAA,MAAA,CAAO,IAAA,CAAK,CAAA,WAAA,EAAc,OAAO,CAAA,yBAAA,CAA2B,CAAA;AAAA,QAC9D;AAAA,MACF,SAAS,KAAA,EAAO;AACd,QAAA,MAAA,CAAO,KAAA,CAAM,8CAA8C,KAAK,CAAA;AAAA,MAClE;AAAA,IACF,GAAG,iBAAiB,CAAA;AACpB,IAAA,eAAA,CAAgB,KAAA,EAAM;AAEtB,IAAA,SAAA,CAAU,gBAAgB,MAAM;AAC9B,MAAA,aAAA,CAAc,eAAe,CAAA;AAAA,IAC/B,CAAC,CAAA;AAED,IAAA,OAAO,IAAI,oBAAA,CAAqB,gBAAA,EAAkB,MAAM,CAAA;AAAA,EAC1D;AAAA,EAEQ,WAAA,CACN,kBACA,MAAA,EACA;AACA,IAAA,IAAA,CAAK,iBAAA,GAAoB,gBAAA;AACzB,IAAA,IAAA,CAAK,OAAA,GAAU,MAAA;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,kBAAkB,OAAA,EAGJ;AAClB,IAAA,MAAM,EAAE,aAAA,EAAe,YAAA,EAAa,GAAI,OAAA;AAExC,IAAA,MAAM,YAAYC,iBAAA,EAAK;AACvB,IAAA,MAAM,EAAE,KAAA,EAAO,IAAA,EAAK,GAAI,MAAMC,kCAAqB,SAAS,CAAA;AAE5D,IAAA,MAAM,IAAA,CAAK,kBAAkB,aAAA,CAAc;AAAA,MACzC,EAAA,EAAI,SAAA;AAAA,MACJ,aAAA;AAAA,MACA,YAAA;AAAA,MACA,SAAA,EAAW;AAAA,KACZ,CAAA;AAED,IAAA,IAAA,CAAK,OAAA,CAAQ,KAAA;AAAA,MACX,CAAA,8BAAA,EAAiC,aAAa,CAAA,cAAA,EAAiB,SAAS,CAAA;AAAA,KAC1E;AAEA,IAAA,OAAO,KAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,mBAAmB,OAAA,EAIkC;AACzD,IAAA,MAAM,gBAAEC,cAAA,EAAc,WAAA,EAAa,QAAA,EAAS,GAAI,OAAA;AAEhD,IAAA,IAAI,SAAA;AACJ,IAAA,IAAI;AACF,MAAA,SAAA,GAAYC,+BAAkBD,cAAY,CAAA;AAAA,IAC5C,SAAS,KAAA,EAAO;AACd,MAAA,IAAA,CAAK,OAAA,CAAQ,KAAA,CAAM,oCAAA,EAAsC,KAAK,CAAA;AAC9D,MAAA,MAAM,IAAIE,2BAAoB,8BAA8B,CAAA;AAAA,IAC9D;AAEA,IAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,iBAAA,CAAkB,eAAe,SAAS,CAAA;AACrE,IAAA,IAAI,CAAC,OAAA,EAAS;AACZ,MAAA,MAAM,IAAIA,2BAAoB,uBAAuB,CAAA;AAAA,IACvD;AAEA,IAAA,IAAI,IAAA,CAAK,iBAAA,CAAkB,gBAAA,CAAiB,OAAO,CAAA,EAAG;AACpD,MAAA,MAAM,IAAA,CAAK,iBAAA,CAAkB,aAAA,CAAc,SAAS,CAAA;AACpD,MAAA,MAAM,IAAIA,2BAAoB,uBAAuB,CAAA;AAAA,IACvD;AAEA,IAAA,IAAI,QAAA,IAAY,OAAA,CAAQ,YAAA,IAAgB,QAAA,KAAa,QAAQ,YAAA,EAAc;AACzE,MAAA,MAAM,IAAIA,0BAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AAGA,IAAA,MAAM,OAAA,GAAU,MAAMC,+BAAA,CAAmBH,cAAA,EAAc,QAAQ,SAAS,CAAA;AACxE,IAAA,IAAI,CAAC,OAAA,EAAS;AACZ,MAAA,MAAM,IAAIE,2BAAoB,uBAAuB,CAAA;AAAA,IACvD;AAEA,IAAA,MAAM,EAAE,OAAO,eAAA,EAAiB,IAAA,EAAM,SAAQ,GAC5C,MAAMH,kCAAqB,SAAS,CAAA;AAGtC,IAAA,MAAM,cAAA,GAAiB,MAAM,IAAA,CAAK,iBAAA,CAAkB,iBAAA;AAAA,MAClD,SAAA;AAAA,MACA,OAAA,CAAQ,SAAA;AAAA,MACR;AAAA,KACF;AAEA,IAAA,IAAI,CAAC,cAAA,EAAgB;AACnB,MAAA,MAAM,IAAIG,2BAAoB,uBAAuB,CAAA;AAAA,IACvD;AAEA,IAAA,MAAM,EAAE,KAAA,EAAO,WAAA,EAAY,GAAI,MAAM,YAAY,UAAA,CAAW;AAAA,MAC1D,MAAA,EAAQ;AAAA,QACN,KAAK,cAAA,CAAe;AAAA;AACtB,KACD,CAAA;AAED,IAAA,IAAA,CAAK,OAAA,CAAQ,KAAA;AAAA,MACX,CAAA,gCAAA,EAAmC,OAAA,CAAQ,aAAa,CAAA,cAAA,EAAiB,SAAS,CAAA;AAAA,KACpF;AAEA,IAAA,OAAO,EAAE,WAAA,EAAa,YAAA,EAAc,eAAA,EAAgB;AAAA,EACtD;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,mBAAmBF,cAAA,EAAqC;AAC5D,IAAA,IAAI;AACF,MAAA,MAAM,SAAA,GAAYC,+BAAkBD,cAAY,CAAA;AAChD,MAAA,MAAM,IAAA,CAAK,iBAAA,CAAkB,aAAA,CAAc,SAAS,CAAA;AACpD,MAAA,IAAA,CAAK,OAAA,CAAQ,KAAA,CAAM,CAAA,mCAAA,EAAsC,SAAS,CAAA,CAAE,CAAA;AAAA,IACtE,SAAS,KAAA,EAAO;AAEd,MAAA,IAAA,CAAK,OAAA,CAAQ,KAAA,CAAM,gCAAA,EAAkC,KAAK,CAAA;AAAA,IAC5D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,mCACJ,aAAA,EACe;AACf,IAAA,MAAM,YAAA,GACJ,MAAM,IAAA,CAAK,iBAAA,CAAkB,8BAA8B,aAAa,CAAA;AAC1E,IAAA,IAAA,CAAK,OAAA,CAAQ,KAAA;AAAA,MACX,CAAA,QAAA,EAAW,YAAY,CAAA,yBAAA,EAA4B,aAAa,CAAA;AAAA,KAClE;AAAA,EACF;AACF;;;;"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@backstage/plugin-auth-backend",
-  "version": "0.28.1-next.0",
+  "version": "0.28.1-next.1",
   "description": "A Backstage backend plugin that handles authentication",
   "backstage": {
     "role": "backend-plugin",
@@ -48,11 +48,11 @@
   },
   "dependencies": {
     "@backstage/backend-plugin-api": "1.9.1-next.0",
-    "@backstage/catalog-model": "1.8.1-next.0",
+    "@backstage/catalog-model": "1.8.1-next.1",
     "@backstage/config": "1.3.8-next.0",
     "@backstage/errors": "1.3.1-next.0",
-    "@backstage/plugin-auth-node": "0.7.1-next.0",
-    "@backstage/plugin-catalog-node": "2.2.1-next.0",
+    "@backstage/plugin-auth-node": "0.7.1-next.1",
+    "@backstage/plugin-catalog-node": "2.2.1-next.1",
     "@backstage/types": "1.2.2",
     "@google-cloud/firestore": "^7.0.0",
     "connect-session-knex": "^4.0.0",
@@ -68,14 +68,13 @@
     "matcher": "^4.0.0",
     "minimatch": "^10.2.1",
     "passport": "^0.7.0",
-    "uuid": "^11.0.0",
     "zod": "^3.25.76 || ^4.0.0",
     "zod-validation-error": "^5.0.0"
   },
   "devDependencies": {
-    "@backstage/backend-defaults": "0.17.1-next.0",
-    "@backstage/backend-test-utils": "1.11.3-next.0",
-    "@backstage/cli": "0.36.2-next.0",
+    "@backstage/backend-defaults": "0.17.1-next.1",
+    "@backstage/backend-test-utils": "1.11.3-next.1",
+    "@backstage/cli": "0.36.2-next.1",
     "@backstage/plugin-auth-backend-module-google-provider": "0.3.15-next.0",
     "@backstage/plugin-auth-backend-module-guest-provider": "0.2.19-next.0",
     "@types/cookie-parser": "^1.4.2",