@backstage/plugin-auth-backend 0.29.1 → 0.29.2-next.0

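--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,5 +1,14 @@
  # @backstage/plugin-auth-backend
 
+ ## 0.29.2-next.0
+
+ ### Patch Changes
+
+ - Updated dependencies
+ - @backstage/plugin-auth-node@0.7.3-next.0
+ - @backstage/backend-plugin-api@1.9.3-next.0
+ - @backstage/plugin-catalog-node@2.2.3-next.0
+
  ## 0.29.1
 
  ### Patch Changes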
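--- /dev/null
+++ b/package/config.schema.json
@@ -0,0 +1,324 @@
+ {
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "type": "object",
+ "properties": {
+ "auth": {
+ "type": "object",
+ "properties": {
+ "environment": {
+ "type": "string",
+ "description": "The 'environment' attribute",
+ "visibility": "frontend"
+ },
+ "session": {
+ "type": "object",
+ "properties": {
+ "secret": {
+ "type": "string",
+ "description": "The secret attribute of session object.",
+ "visibility": "secret"
+ }
+ }
+ },
+ "identityTokenAlgorithm": {
+ "type": "string",
+ "description": "JWS \"alg\" (Algorithm) Header Parameter value. Defaults to ES256. Must match one of the algorithms defined for IdentityClient. When setting a different algorithm, check if the `key` field of the `signing_keys` table can fit the length of the generated keys. If not, add a knex migration file in the migrations folder. More info on supported algorithms: https://github.com/panva/jose"
+ },
+ "omitIdentityTokenOwnershipClaim": {
+ "type": "boolean",
+ "description": "Whether to omit the entity ownership references (`ent`) claim from the identity token.\n\nIf this is disabled an `ent` claim will be included in the token containing all of the user's ownership refs as returned by the sign in resolver. This can in extreme cases lead to tokens that risk hitting HTTP header size limits. Setting it to `false` is therefore discouraged, and is only provided for backward compatibility reasons.\n\nDefaults to `true`, which means that the `ent` claim instead is available via the user info endpoint and the `UserInfoService`."
+ },
+ "keyStore": {
+ "type": "object",
+ "properties": {
+ "provider": {
+ "type": "string",
+ "enum": [
+ "database",
+ "memory",
+ "firestore",
+ "static"
+ ]
+ },
+ "firestore": {
+ "type": "object",
+ "properties": {
+ "host": {
+ "type": "string",
+ "description": "The host to connect to"
+ },
+ "port": {
+ "type": "number",
+ "description": "The port to connect to"
+ },
+ "ssl": {
+ "type": "boolean",
+ "description": "Whether to use SSL when connecting."
+ },
+ "projectId": {
+ "type": "string",
+ "description": "The Google Cloud Project ID"
+ },
+ "keyFilename": {
+ "type": "string",
+ "description": "Local file containing the Service Account credentials. You can omit this value to automatically read from GOOGLE_APPLICATION_CREDENTIALS env which is useful for local development."
+ },
+ "path": {
+ "type": "string",
+ "description": "The path to use for the collection. Defaults to 'sessions'"
+ },
+ "timeout": {
+ "type": "number",
+ "description": "Timeout used for database operations. Defaults to 10000ms"
+ }
+ }
+ },
+ "static": {
+ "type": "object",
+ "properties": {
+ "keys": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "publicKeyFile": {
+ "type": "string",
+ "description": "Path to the public key file in the SPKI format"
+ },
+ "privateKeyFile": {
+ "type": "string",
+ "description": "Path to the matching private key file in the PKCS#8 format"
+ },
+ "keyId": {
+ "type": "string",
+ "description": "id to uniquely identify this key within the JWK set"
+ },
+ "algorithm": {
+ "type": "string",
+ "description": "JWS \"alg\" (Algorithm) Header Parameter value. Defaults to ES256. Must match the algorithm used to generate the keys in the provided files"
+ }
+ },
+ "required": [
+ "publicKeyFile",
+ "privateKeyFile",
+ "keyId"
+ ]
+ },
+ "description": "Must be declared at least once and the first one will be used for signing"
+ }
+ },
+ "required": [
+ "keys"
+ ]
+ }
+ },
+ "description": "To control how to store JWK data in auth-backend"
+ },
+ "backstageTokenExpiration": {
+ "anyOf": [
+ {
+ "type": "object",
+ "properties": {
+ "years": {
+ "type": "number"
+ },
+ "months": {
+ "type": "number"
+ },
+ "weeks": {
+ "type": "number"
+ },
+ "days": {
+ "type": "number"
+ },
+ "hours": {
+ "type": "number"
+ },
+ "minutes": {
+ "type": "number"
+ },
+ "seconds": {
+ "type": "number"
+ },
+ "milliseconds": {
+ "type": "number"
+ }
+ },
+ "description": "Human friendly durations object."
+ },
+ {
+ "type": "string"
+ }
+ ],
+ "description": "The backstage token expiration."
+ },
+ "experimentalRefreshToken": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "description": "Whether to enable refresh tokens",
+ "default": false,
+ "visibility": "backend"
+ },
+ "tokenLifetime": {
+ "anyOf": [
+ {
+ "type": "object",
+ "properties": {
+ "years": {
+ "type": "number"
+ },
+ "months": {
+ "type": "number"
+ },
+ "weeks": {
+ "type": "number"
+ },
+ "days": {
+ "type": "number"
+ },
+ "hours": {
+ "type": "number"
+ },
+ "minutes": {
+ "type": "number"
+ },
+ "seconds": {
+ "type": "number"
+ },
+ "milliseconds": {
+ "type": "number"
+ }
+ },
+ "description": "Human friendly durations object."
+ },
+ {
+ "type": "string"
+ }
+ ],
+ "description": "Token lifetime before rotation required",
+ "default": "30 days",
+ "visibility": "backend"
+ },
+ "maxRotationLifetime": {
+ "anyOf": [
+ {
+ "type": "object",
+ "properties": {
+ "years": {
+ "type": "number"
+ },
+ "months": {
+ "type": "number"
+ },
+ "weeks": {
+ "type": "number"
+ },
+ "days": {
+ "type": "number"
+ },
+ "hours": {
+ "type": "number"
+ },
+ "minutes": {
+ "type": "number"
+ },
+ "seconds": {
+ "type": "number"
+ },
+ "milliseconds": {
+ "type": "number"
+ }
+ },
+ "description": "Human friendly durations object."
+ },
+ {
+ "type": "string"
+ }
+ ],
+ "description": "Maximum session lifetime across all rotations",
+ "default": "1 year",
+ "visibility": "backend"
+ },
+ "maxTokensPerUser": {
+ "type": "number",
+ "description": "Maximum number of refresh tokens per user",
+ "default": 20,
+ "visibility": "backend"
+ },
+ "dangerouslyDisableCatalogPresenceCheck": {
+ "type": "boolean",
+ "description": "Disables the check that verifies the user's catalog entity still exists when refreshing a token. This is an escape hatch for Backstage instances that allow sign-in without a corresponding catalog user entity. Without the check, refresh tokens for removed or offboarded users remain valid until they naturally expire.",
+ "default": false,
+ "visibility": "backend"
+ }
+ },
+ "description": "Configuration for refresh tokens (offline access)",
+ "visibility": "backend"
+ },
+ "experimentalExtraAllowedOrigins": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "description": "Additional app origins to allow for authenticating"
+ },
+ "experimentalDynamicClientRegistration": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "description": "Whether to enable dynamic client registration Defaults to false"
+ },
+ "allowedRedirectUriPatterns": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "description": "A list of allowed URI patterns to use for redirect URIs during dynamic client registration. Defaults to Cursor and loopback addresses (localhost, 127.0.0.1, [::1])."
+ }
+ },
+ "description": "Configuration for dynamic client registration"
+ },
+ "experimentalClientIdMetadataDocuments": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "description": "Whether to enable Client ID Metadata Documents support Defaults to false"
+ },
+ "allowedClientIdPatterns": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "description": "A list of allowed URI patterns for client_id URLs. Uses glob-style pattern matching where `*` matches any characters. Defaults to `['https://claude.ai/*', 'https://vscode.dev/*', '{baseUrl}/.well-known/oauth-client/cli.json']` where `{baseUrl}` is the auth backend's base URL.",
+ "examples": [
+ [
+ "https://example.com/*",
+ "https://*.trusted-domain.com/*"
+ ]
+ ]
+ },
+ "allowedRedirectUriPatterns": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "description": "A list of allowed URI patterns for redirect URIs. Uses glob-style pattern matching where `*` matches any characters. Defaults to loopback addresses (localhost, 127.0.0.1, [::1]).",
+ "examples": [
+ [
+ "http://localhost:*",
+ "http://127.0.0.1:*/callback"
+ ]
+ ]
+ }
+ },
+ "description": "Configuration for Client ID Metadata Documents (CIMD)"
+ }
+ },
+ "description": "Configuration options for the auth plugin"
+ }
+ }
+ }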
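Review bot: The `@see` link to the CIMD draft that accompanied `experimentalClientIdMetadataDocuments` in the removed `config.d.ts` has no counterpart in the new schema, whose entry reads only `"description": "Configuration for Client ID Metadata Documents (CIMD)"`; since `allowedClientIdPatterns` and `allowedRedirectUriPatterns` are the allow-lists that bound which client_id and redirect URIs the backend accepts, the spec pointer is the one piece of context an operator needs when tightening them, so carry it over as `"description": "Configuration for Client ID Metadata Documents (CIMD). See https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/"`. Separately, `maxTokensPerUser`, `firestore.port` and `firestore.timeout` are declared `"type": "number"` with no `integer` or `minimum`, so a fractional or negative value passes schema validation and is only rejected, if at all, at runtime; if this file is now hand-maintained (package.json points `configSchema` at it), `"type": "integer", "minimum": 1` for `maxTokensPerUser` would state the intended contract, whereas if it is generated from the TypeScript types the tightening belongs in the generator. This section carries no file header on the page; its path is inferred from the `configSchema` entry in package.json.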
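--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@backstage/plugin-auth-backend",
- "version": "0.29.1",
+ "version": "0.29.2-next.0",
  "description": "A Backstage backend plugin that handles authentication",
  "backstage": {
  "role": "backend-plugin",
@@ -35,7 +35,7 @@
  "files": [
  "dist",
  "migrations",
- "config.d.ts"
+ "config.schema.json"
  ],
  "scripts": {
  "build": "backstage-cli package build",
@@ -47,13 +47,13 @@
  "test": "backstage-cli package test"
  },
  "dependencies": {
- "@backstage/backend-plugin-api": "^1.9.2",
- "@backstage/catalog-model": "^1.9.0",
- "@backstage/config": "^1.3.8",
- "@backstage/errors": "^1.3.1",
- "@backstage/plugin-auth-node": "^0.7.2",
- "@backstage/plugin-catalog-node": "^2.2.2",
- "@backstage/types": "^1.2.2",
+ "@backstage/backend-plugin-api": "1.9.3-next.0",
+ "@backstage/catalog-model": "1.9.0",
+ "@backstage/config": "1.3.8",
+ "@backstage/errors": "1.3.1",
+ "@backstage/plugin-auth-node": "0.7.3-next.0",
+ "@backstage/plugin-catalog-node": "2.2.3-next.0",
+ "@backstage/types": "1.2.2",
  "@google-cloud/firestore": "^7.0.0",
  "connect-session-knex": "^4.0.0",
  "cookie-parser": "^1.4.5",
@@ -72,11 +72,11 @@
  "zod-validation-error": "^5.0.0"
  },
  "devDependencies": {
- "@backstage/backend-defaults": "^0.17.3",
- "@backstage/backend-test-utils": "^1.11.4",
- "@backstage/cli": "^0.36.3",
- "@backstage/plugin-auth-backend-module-google-provider": "^0.3.16",
- "@backstage/plugin-auth-backend-module-guest-provider": "^0.2.20",
+ "@backstage/backend-defaults": "0.17.4-next.0",
+ "@backstage/backend-test-utils": "1.11.5-next.0",
+ "@backstage/cli": "0.36.4-next.0",
+ "@backstage/plugin-auth-backend-module-google-provider": "0.3.17-next.0",
+ "@backstage/plugin-auth-backend-module-guest-provider": "0.2.21-next.0",
  "@types/cookie-parser": "^1.4.2",
  "@types/express": "^4.17.6",
  "@types/express-session": "^1.17.2",
@@ -84,7 +84,7 @@
  "msw": "^1.0.0",
  "supertest": "^7.0.0"
  },
- "configSchema": "config.d.ts",
+ "configSchema": "config.schema.json",
  "typesVersions": {
  "*": {
  "package.json": [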
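--- a/package/config.d.ts
+++ /dev/null
@@ -1,204 +0,0 @@
- /*
- * Copyright 2020 The Backstage Authors
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
- import { HumanDuration } from '@backstage/types';
-
- export interface Config {
- /** Configuration options for the auth plugin */
- auth?: {
- /**
- * The 'environment' attribute
- * @visibility frontend
- */
- environment?: string;
-
- session?: {
- /**
- * The secret attribute of session object.
- * @visibility secret
- */
- secret?: string;
- };
-
- /**
- * JWS "alg" (Algorithm) Header Parameter value. Defaults to ES256.
- * Must match one of the algorithms defined for IdentityClient.
- * When setting a different algorithm, check if the `key` field
- * of the `signing_keys` table can fit the length of the generated keys.
- * If not, add a knex migration file in the migrations folder.
- * More info on supported algorithms: https://github.com/panva/jose
- */
- identityTokenAlgorithm?: string;
-
- /**
- * Whether to omit the entity ownership references (`ent`) claim from the
- * identity token.
- *
- * If this is disabled an `ent` claim will be included in the token
- * containing all of the user's ownership refs as returned by the sign in
- * resolver. This can in extreme cases lead to tokens that risk hitting HTTP
- * header size limits. Setting it to `false` is therefore discouraged, and
- * is only provided for backward compatibility reasons.
- *
- * Defaults to `true`, which means that the `ent` claim instead is available
- * via the user info endpoint and the `UserInfoService`.
- */
- omitIdentityTokenOwnershipClaim?: boolean;
-
- /** To control how to store JWK data in auth-backend */
- keyStore?: {
- provider?: 'database' | 'memory' | 'firestore' | 'static';
- firestore?: {
- /** The host to connect to */
- host?: string;
- /** The port to connect to */
- port?: number;
- /** Whether to use SSL when connecting. */
- ssl?: boolean;
- /** The Google Cloud Project ID */
- projectId?: string;
- /**
- * Local file containing the Service Account credentials.
- * You can omit this value to automatically read from
- * GOOGLE_APPLICATION_CREDENTIALS env which is useful for local
- * development.
- */
- keyFilename?: string;
- /** The path to use for the collection. Defaults to 'sessions' */
- path?: string;
- /** Timeout used for database operations. Defaults to 10000ms */
- timeout?: number;
- };
- static?: {
- /** Must be declared at least once and the first one will be used for signing */
- keys: Array<{
- /** Path to the public key file in the SPKI format */
- publicKeyFile: string;
- /** Path to the matching private key file in the PKCS#8 format */
- privateKeyFile: string;
- /** id to uniquely identify this key within the JWK set */
- keyId: string;
- /** JWS "alg" (Algorithm) Header Parameter value. Defaults to ES256.
- * Must match the algorithm used to generate the keys in the provided files
- */
- algorithm?: string;
- }>;
- };
- };
-
- /**
- * The backstage token expiration.
- */
- backstageTokenExpiration?: HumanDuration | string;
-
- /**
- * Configuration for refresh tokens (offline access)
- * @visibility backend
- */
- experimentalRefreshToken?: {
- /**
- * Whether to enable refresh tokens
- * @default false
- * @visibility backend
- */
- enabled?: boolean;
- /**
- * Token lifetime before rotation required
- * @default '30 days'
- * @visibility backend
- */
- tokenLifetime?: HumanDuration | string;
- /**
- * Maximum session lifetime across all rotations
- * @default '1 year'
- * @visibility backend
- */
- maxRotationLifetime?: HumanDuration | string;
- /**
- * Maximum number of refresh tokens per user
- * @default 20
- * @visibility backend
- */
- maxTokensPerUser?: number;
- /**
- * Disables the check that verifies the user's catalog entity still
- * exists when refreshing a token. This is an escape hatch for
- * Backstage instances that allow sign-in without a corresponding
- * catalog user entity. Without the check, refresh tokens for
- * removed or offboarded users remain valid until they naturally
- * expire.
- * @default false
- * @visibility backend
- */
- dangerouslyDisableCatalogPresenceCheck?: boolean;
- };
-
- /**
- * Additional app origins to allow for authenticating
- */
- experimentalExtraAllowedOrigins?: string[];
-
- /**
- * Configuration for dynamic client registration
- */
- experimentalDynamicClientRegistration?: {
- /**
- * Whether to enable dynamic client registration
- * Defaults to false
- */
- enabled?: boolean;
-
- /**
- * A list of allowed URI patterns to use for redirect URIs during
- * dynamic client registration.
- * Defaults to Cursor and loopback addresses (localhost, 127.0.0.1, [::1]).
- */
- allowedRedirectUriPatterns?: string[];
- };
-
- /**
- * Configuration for Client ID Metadata Documents (CIMD)
- *
- * @see https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/
- */
- experimentalClientIdMetadataDocuments?: {
- /**
- * Whether to enable Client ID Metadata Documents support
- * Defaults to false
- */
- enabled?: boolean;
-
- /**
- * A list of allowed URI patterns for client_id URLs.
- * Uses glob-style pattern matching where `*` matches any characters.
- * Defaults to `['https://claude.ai/*', 'https://vscode.dev/*', '{baseUrl}/.well-known/oauth-client/cli.json']`
- * where `{baseUrl}` is the auth backend's base URL.
- *
- * @example ['https://example.com/*', 'https://*.trusted-domain.com/*']
- */
- allowedClientIdPatterns?: string[];
-
- /**
- * A list of allowed URI patterns for redirect URIs.
- * Uses glob-style pattern matching where `*` matches any characters.
- * Defaults to loopback addresses (localhost, 127.0.0.1, [::1]).
- *
- * @example ['http://localhost:*', 'http://127.0.0.1:*\/callback']
- */
- allowedRedirectUriPatterns?: string[];
- };
- };
- }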