npm - @backstage/plugin-auth-backend - Versions diffs - 0.4.5 → 0.4.9 - Mend

@backstage/plugin-auth-backend 0.4.5 → 0.4.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,63 @@
 # @backstage/plugin-auth-backend
+## 0.4.9
+### Patch Changes
+- 9312572360: Switched to using the standardized JSON error responses for all provider endpoints.
+- bab752e2b3: Change default port of backend from 7000 to 7007.
+  This is due to the AirPlay Receiver process occupying port 7000 and preventing local Backstage instances on MacOS to start.
+  You can change the port back to 7000 or any other value by providing an `app-config.yaml` with the following values:
+  ```
+  backend:
+    listen: 0.0.0.0:7123
+    baseUrl: http://localhost:7123
+  ```
+  More information can be found here: https://backstage.io/docs/conf/writing
+- Updated dependencies
+  - @backstage/errors@0.1.5
+  - @backstage/backend-common@0.9.11
+  - @backstage/test-utils@0.1.23
+## 0.4.8
+### Patch Changes
+- 892c1d9202: Update OAuthAdapter to create identity.token from identity.idToken if it does not exist, and prevent overwrites to identity.toke. Update login page commonProvider to prefer .token over .idToken
+- Updated dependencies
+  - @backstage/catalog-client@0.5.2
+  - @backstage/catalog-model@0.9.7
+  - @backstage/backend-common@0.9.10
+  - @backstage/test-utils@0.1.22
+## 0.4.7
+### Patch Changes
+- 5ee31f860b: Only use settings that have a value when creating a new FirestoreKeyStore instance
+- 3e0e2f09d5: Added forwarding of the `audience` option for the SAML provider, making it possible to enable `audience` verification.
+- Updated dependencies
+  - @backstage/backend-common@0.9.9
+  - @backstage/test-utils@0.1.21
+  - @backstage/catalog-client@0.5.1
+## 0.4.6
+### Patch Changes
+- 3b767f19c9: Allow OAuth state to be encoded by a stateEncoder.
+- Updated dependencies
+  - @backstage/test-utils@0.1.20
+  - @backstage/config@0.1.11
+  - @backstage/errors@0.1.4
+  - @backstage/backend-common@0.9.8
+  - @backstage/catalog-model@0.9.6
 ## 0.4.5
 ### Patch Changes

package/README.md CHANGED Viewed

@@ -34,7 +34,7 @@ Follow this link, [Create new OAuth App](https://github.com/settings/application
 1. Set Application Name to `backstage-dev` or something along those lines.
 1. You can set the Homepage URL to whatever you want to.
 1. The Authorization Callback URL should match the redirect URI set in Backstage.
-   1. Set this to `http://localhost:7000/api/auth/github` for local development.
+   1. Set this to `http://localhost:7007/api/auth/github` for local development.
    1. Set this to `http://{APP_FQDN}:{APP_BACKEND_PORT}/api/auth/github` for non-local deployments.
 ```bash
@@ -58,7 +58,7 @@ Follow this link, [Add new application](https://gitlab.com/-/profile/application
 1. Set Application Name to `backstage-dev` or something along those lines.
 1. The Authorization Callback URL should match the redirect URI set in Backstage.
-   1. Set this to `http://localhost:7000/api/auth/gitlab/handler/frame` for local development.
+   1. Set this to `http://localhost:7007/api/auth/gitlab/handler/frame` for local development.
    1. Set this to `http://{APP_FQDN}:{APP_BACKEND_PORT}/api/auth/gitlab/handler/frame` for non-local deployments.
    1. Select the following scopes from the list:
       - [x] `read_user` Grants read-only access to the authenticated user's profile through the /user API endpoint, which includes username, public email, and full name. Also grants access to read-only API endpoints under /users.
@@ -91,9 +91,9 @@ export AUTH_GITLAB_CLIENT_SECRET=x
 Add a new Okta application using the following URI conventions:
-Login redirect URI's: `http://localhost:7000/api/auth/okta/handler/frame`
-Logout redirect URI's: `http://localhost:7000/api/auth/okta/logout`
-Initiate login URI's: `http://localhost:7000/api/auth/okta/start`
+Login redirect URI's: `http://localhost:7007/api/auth/okta/handler/frame`
+Logout redirect URI's: `http://localhost:7007/api/auth/okta/logout`
+Initiate login URI's: `http://localhost:7007/api/auth/okta/start`
 Then configure the following environment variables to be used in the `app-config.yaml` file:
@@ -122,7 +122,7 @@ Click [here](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMe
 - Give the app a name. e.g. `backstage-dev`
 - Select `Accounts in this organizational directory only` under supported account types.
 - Enter the callback URL for your backstage backend instance:
-  - For local development, this is likely `http://localhost:7000/api/auth/microsoft/handler/frame`
+  - For local development, this is likely `http://localhost:7007/api/auth/microsoft/handler/frame`
   - For non-local deployments, this will be `https://{APP_FQDN}:{APP_BACKEND_PORT}/auth/microsoft/handler/frame`
 - Click `Register`.

package/config.d.ts CHANGED Viewed

@@ -75,6 +75,7 @@ export interface Config {
         logoutUrl?: string;
         issuer: string;
         cert: string;
+        audience?: string;
         privateKey?: string;
         authnContext?: string[];
         identifierFormat?: string;

package/dist/index.cjs.js CHANGED Viewed

@@ -30,6 +30,7 @@ var uuid = require('uuid');
 var luxon = require('luxon');
 var backendCommon = require('@backstage/backend-common');
 var firestore = require('@google-cloud/firestore');
+var lodash = require('lodash');
 var session = require('express-session');
 var passport = require('passport');
 var minimatch = require('minimatch');
@@ -226,22 +227,22 @@ class OAuthEnvironmentHandler {
     return new OAuthEnvironmentHandler(handlers);
   }
   async start(req, res) {
-    const provider = this.getProviderForEnv(req, res);
-    await (provider == null ? void 0 : provider.start(req, res));
+    const provider = this.getProviderForEnv(req);
+    await provider.start(req, res);
   }
   async frameHandler(req, res) {
-    const provider = this.getProviderForEnv(req, res);
-    await (provider == null ? void 0 : provider.frameHandler(req, res));
+    const provider = this.getProviderForEnv(req);
+    await provider.frameHandler(req, res);
   }
   async refresh(req, res) {
     var _a;
-    const provider = this.getProviderForEnv(req, res);
-    await ((_a = provider == null ? void 0 : provider.refresh) == null ? void 0 : _a.call(provider, req, res));
+    const provider = this.getProviderForEnv(req);
+    await ((_a = provider.refresh) == null ? void 0 : _a.call(provider, req, res));
   }
   async logout(req, res) {
     var _a;
-    const provider = this.getProviderForEnv(req, res);
-    await ((_a = provider == null ? void 0 : provider.logout) == null ? void 0 : _a.call(provider, req, res));
+    const provider = this.getProviderForEnv(req);
+    await ((_a = provider.logout) == null ? void 0 : _a.call(provider, req, res));
   }
   getRequestFromEnv(req) {
     var _a, _b;
@@ -256,19 +257,16 @@ class OAuthEnvironmentHandler {
     const env = readState(stateParams).env;
     return env;
   }
-  getProviderForEnv(req, res) {
+  getProviderForEnv(req) {
     const env = this.getRequestFromEnv(req);
     if (!env) {
       throw new errors.InputError(`Must specify 'env' query to select environment`);
     }
-    if (!this.handlers.has(env)) {
-      res.status(404).send(`Missing configuration.
-    <br>
-    <br>
-    For this flow to work you need to supply a valid configuration for the "${env}" environment of provider.`);
-      return void 0;
+    const handler = this.handlers.get(env);
+    if (!handler) {
+      throw new errors.NotFoundError(`No configuration available for the '${env}' environment of this provider.`);
     }
-    return this.handlers.get(env);
+    return handler;
   }
 }
@@ -427,26 +425,23 @@ class OAuthAdapter {
   }
   async logout(req, res) {
     if (!ensuresXRequestedWith(req)) {
-      res.status(401).send("Invalid X-Requested-With header");
-      return;
+      throw new errors.AuthenticationError("Invalid X-Requested-With header");
     }
     this.removeRefreshTokenCookie(res);
-    res.status(200).send("logout!");
+    res.status(200).end();
   }
   async refresh(req, res) {
     var _a, _b;
     if (!ensuresXRequestedWith(req)) {
-      res.status(401).send("Invalid X-Requested-With header");
-      return;
+      throw new errors.AuthenticationError("Invalid X-Requested-With header");
     }
     if (!this.handlers.refresh || this.options.disableRefresh) {
-      res.status(400).send(`Refresh token not supported for provider: ${this.options.providerId}`);
-      return;
+      throw new errors.InputError(`Refresh token is not supported for provider ${this.options.providerId}`);
     }
     try {
       const refreshToken = req.cookies[`${this.options.providerId}-refresh-token`];
       if (!refreshToken) {
-        throw new Error("Missing session cookie");
+        throw new errors.InputError("Missing session cookie");
       }
       const scope = (_b = (_a = req.query.scope) == null ? void 0 : _a.toString()) != null ? _b : "";
       const forwardReq = Object.assign(req, {scope, refreshToken});
@@ -457,17 +452,19 @@ class OAuthAdapter {
       }
       res.status(200).json(response);
     } catch (error) {
-      res.status(401).send(String(error));
+      throw new errors.AuthenticationError("Refresh failed", error);
     }
   }
   async populateIdentity(identity) {
     if (!identity) {
       return;
     }
-    if (!identity.idToken) {
-      identity.idToken = await this.options.tokenIssuer.issueToken({
+    if (!(identity.token || identity.idToken)) {
+      identity.token = await this.options.tokenIssuer.issueToken({
         claims: {sub: identity.id}
       });
+    } else if (!identity.token && identity.idToken) {
+      identity.token = identity.idToken;
     }
   }
 }
@@ -550,6 +547,7 @@ class GithubAuthProvider {
   constructor(options) {
     this.signInResolver = options.signInResolver;
     this.authHandler = options.authHandler;
+    this.stateEncoder = options.stateEncoder;
     this.tokenIssuer = options.tokenIssuer;
     this.catalogIdentityClient = options.catalogIdentityClient;
     this.logger = options.logger;
@@ -567,7 +565,7 @@ class GithubAuthProvider {
   async start(req) {
     return await executeRedirectStrategy(req, this._strategy, {
       scope: req.scope,
-      state: encodeState(req.state)
+      state: (await this.stateEncoder(req)).encodedState
     });
   }
   async handler(req) {
@@ -633,7 +631,7 @@ const createGithubProvider = (options) => {
     catalogApi,
     logger
   }) => OAuthEnvironmentHandler.mapConfig(config, (envConfig) => {
-    var _a, _b;
+    var _a, _b, _c;
     const clientId = envConfig.getString("clientId");
     const clientSecret = envConfig.getString("clientSecret");
     const enterpriseInstanceUrl = envConfig.getOptionalString("enterpriseInstanceUrl");
@@ -655,6 +653,9 @@ const createGithubProvider = (options) => {
       tokenIssuer,
       logger
     });
+    const stateEncoder = (_c = options == null ? void 0 : options.stateEncoder) != null ? _c : async (req) => {
+      return {encodedState: encodeState(req.state)};
+    };
     const provider = new GithubAuthProvider({
       clientId,
       clientSecret,
@@ -666,6 +667,7 @@ const createGithubProvider = (options) => {
       authHandler,
       tokenIssuer,
       catalogIdentityClient,
+      stateEncoder,
       logger
     });
     return OAuthAdapter.fromConfig(globalConfig, provider, {
@@ -2028,6 +2030,7 @@ const createSamlProvider = (_options) => {
       callbackUrl: `${globalConfig.baseUrl}/${providerId}/handler/frame`,
       entryPoint: config.getString("entryPoint"),
       logoutUrl: config.getOptionalString("logoutUrl"),
+      audience: config.getOptionalString("audience"),
       issuer: config.getString("issuer"),
       cert: config.getString("cert"),
       privateCert: config.getOptionalString("privateKey"),
@@ -2560,7 +2563,7 @@ class KeyStores {
     }
     if (provider === "firestore") {
       const settings = ks == null ? void 0 : ks.getConfig(provider);
-      const keyStore = await FirestoreKeyStore.create({
+      const keyStore = await FirestoreKeyStore.create(lodash.pickBy({
         projectId: settings == null ? void 0 : settings.getOptionalString("projectId"),
         keyFilename: settings == null ? void 0 : settings.getOptionalString("keyFilename"),
         host: settings == null ? void 0 : settings.getOptionalString("host"),
@@ -2568,7 +2571,7 @@ class KeyStores {
         ssl: settings == null ? void 0 : settings.getOptionalBoolean("ssl"),
         path: settings == null ? void 0 : settings.getOptionalString("path"),
         timeout: settings == null ? void 0 : settings.getOptionalNumber("timeout")
-      });
+      }, (value) => value !== void 0));
       await FirestoreKeyStore.verifyConnection(keyStore, logger);
       return keyStore;
     }