npm - @backstage/plugin-auth-backend - Versions diffs - 0.4.9 → 0.5.2 - Mend

@backstage/plugin-auth-backend 0.4.9 → 0.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/index.d.ts CHANGED Viewed

@@ -7,6 +7,7 @@ import { UserEntity, Entity } from '@backstage/catalog-model';
 import { Config } from '@backstage/config';
 import { Profile } from 'passport';
 import { JSONWebKey } from 'jose';
+import { TokenSet, UserinfoResponse } from 'openid-client';
 /** Represents any form of serializable JWK */
 interface AnyJWK extends Record<string, string> {
@@ -69,7 +70,16 @@ declare type OAuthResult = {
     accessToken: string;
     refreshToken?: string;
 };
-declare type OAuthResponse = AuthResponse<OAuthProviderInfo>;
+/**
+ * The expected response from an OAuth flow.
+ *
+ * @public
+ */
+declare type OAuthResponse = {
+    profile: ProfileInfo;
+    providerInfo: OAuthProviderInfo;
+    backstageIdentity?: BackstageSignInResult;
+};
 declare type OAuthProviderInfo = {
     /**
      * An access token issued for the signed in user.
@@ -122,7 +132,7 @@ interface OAuthHandlers {
      * @param {express.Request} req
      */
     handler(req: express.Request): Promise<{
-        response: AuthResponse<OAuthProviderInfo>;
+        response: OAuthResponse;
         refreshToken?: string;
     }>;
     /**
@@ -130,7 +140,7 @@ interface OAuthHandlers {
      * @param {string} refreshToken
      * @param {string} scope
      */
-    refresh?(req: OAuthRefreshRequest): Promise<AuthResponse<OAuthProviderInfo>>;
+    refresh?(req: OAuthRefreshRequest): Promise<OAuthResponse>;
     /**
      * (Optional) Sign out of the auth provider.
      */
@@ -157,7 +167,7 @@ declare class IdentityClient {
      * Returns a BackstageIdentity (user) matching the token.
      * The method throws an error if verification fails.
      */
-    authenticate(token: string | undefined): Promise<BackstageIdentity>;
+    authenticate(token: string | undefined): Promise<BackstageIdentityResponse>;
     /**
      * Parses the given authorization header and returns
      * the bearer token, or null if no bearer token is given
@@ -210,9 +220,11 @@ declare class CatalogIdentityClient {
      *
      * Returns a superset of the entity names that can be passed directly to `issueToken` as `ent`.
      */
-    resolveCatalogMembership({ entityRefs, logger, }: MemberClaimQuery): Promise<string[]>;
+    resolveCatalogMembership(query: MemberClaimQuery): Promise<string[]>;
 }
+declare function getEntityClaims(entity: UserEntity): TokenParams['claims'];
 declare type AuthProviderConfig = {
     /**
      * The protocol://domain[:port] where the app is hosted. This is used to construct the
@@ -314,37 +326,83 @@ declare type AuthProviderFactory = (options: AuthProviderFactoryOptions) => Auth
 declare type AuthResponse<ProviderInfo> = {
     providerInfo: ProviderInfo;
     profile: ProfileInfo;
-    backstageIdentity?: BackstageIdentity;
+    backstageIdentity?: BackstageIdentityResponse;
 };
-declare type BackstageIdentity = {
+/**
+ * User identity information within Backstage.
+ *
+ * @public
+ */
+declare type BackstageUserIdentity = {
     /**
-     * An opaque ID that uniquely identifies the user within Backstage.
-     *
-     * This is typically the same as the user entity `metadata.name`.
+     * The type of identity that this structure represents. In the frontend app
+     * this will currently always be 'user'.
      */
-    id: string;
+    type: 'user';
     /**
-     * This is deprecated, use `token` instead.
-     * @deprecated
+     * The entityRef of the user in the catalog.
+     * For example User:default/sandra
      */
-    idToken?: string;
+    userEntityRef: string;
     /**
-     * The token used to authenticate the user within Backstage.
+     * The user and group entities that the user claims ownership through
+     */
+    ownershipEntityRefs: string[];
+};
+/**
+ * A representation of a successful Backstage sign-in.
+ *
+ * Compared to the {@link BackstageIdentityResponse} this type omits
+ * the decoded identity information embedded in the token.
+ *
+ * @public
+ */
+interface BackstageSignInResult {
+    /**
+     * An opaque ID that uniquely identifies the user within Backstage.
+     *
+     * This is typically the same as the user entity `metadata.name`.
+     *
+     * @deprecated Use the `identity` field instead
      */
-    token?: string;
+    id: string;
     /**
      * The entity that the user is represented by within Backstage.
      *
      * This entity may or may not exist within the Catalog, and it can be used
      * to read and store additional metadata about the user.
+     *
+     * @deprecated Use the `identity` field instead.
      */
     entity?: Entity;
-};
+    /**
+     * The token used to authenticate the user within Backstage.
+     */
+    token: string;
+}
+/**
+ * The old exported symbol for {@link BackstageSignInResult}.
+ * @public
+ * @deprecated Use the `BackstageSignInResult` type instead.
+ */
+declare type BackstageIdentity = BackstageSignInResult;
+/**
+ * Response object containing the {@link BackstageUserIdentity} and the token from the authentication provider.
+ * @public
+ */
+interface BackstageIdentityResponse extends BackstageSignInResult {
+    /**
+     * A plaintext description of the identity that is encapsulated within the token.
+     */
+    identity: BackstageUserIdentity;
+}
 /**
  * Used to display login information to user, i.e. sidebar popup.
  *
  * It is also temporarily used as the profile of the signed-in user's Backstage
  * identity, but we want to replace that with data from identity and/org catalog service
+ *
+ * @public
  */
 declare type ProfileInfo = {
     /**
@@ -361,6 +419,10 @@ declare type ProfileInfo = {
      */
     picture?: string;
 };
+/**
+ * type of sign in information context, includes the profile information and authentication result which contains auth. related information
+ * @public
+ */
 declare type SignInInfo<AuthResult> = {
     /**
      * The simple profile passed down for use in the frontend.
@@ -371,11 +433,20 @@ declare type SignInInfo<AuthResult> = {
      */
     result: AuthResult;
 };
+/**
+ * Sign in resolver type describes the function which handles the result of a successful authentication
+ * and it must return a valid {@link BackstageSignInResult}
+ * @public
+ */
 declare type SignInResolver<AuthResult> = (info: SignInInfo<AuthResult>, context: {
     tokenIssuer: TokenIssuer;
     catalogIdentityClient: CatalogIdentityClient;
     logger: Logger;
-}) => Promise<BackstageIdentity>;
+}) => Promise<BackstageSignInResult>;
+/**
+ * The return type of authentication handler which must contain a valid profile information
+ * @public
+ */
 declare type AuthHandlerResult = {
     profile: ProfileInfo;
 };
@@ -386,6 +457,8 @@ declare type AuthHandlerResult = {
  *
  * Throwing an error in the function will cause the authentication to fail, making it
  * possible to use this function as a way to limit access to a certain group of users.
+ *
+ * @public
  */
 declare type AuthHandler<AuthResult> = (input: AuthResult) => Promise<AuthHandlerResult>;
 declare type StateEncoder = (req: OAuthStartRequest) => Promise<{
@@ -552,6 +625,34 @@ declare type OAuth2ProviderOptions = {
 };
 declare const createOAuth2Provider: (options?: OAuth2ProviderOptions | undefined) => AuthProviderFactory;
+/**
+ * authentication result for the OIDC which includes the token set and user information (a profile response sent by OIDC server)
+ * @public
+ */
+declare type OidcAuthResult = {
+    tokenset: TokenSet;
+    userinfo: UserinfoResponse;
+};
+/**
+ * OIDC provider callback options. An auth handler and a sign in resolver
+ * can be passed while creating a OIDC provider.
+ *
+ * authHandler : called after sign in was successful, a new object must be returned which includes a profile
+ * signInResolver: called after sign in was successful, expects to return a new {@link BackstageSignInResult}
+ *
+ * Both options are optional. There is fallback for authHandler where the default handler expect an e-mail explicitly
+ * otherwise it throws an error
+ *
+ * @public
+ */
+declare type OidcProviderOptions = {
+    authHandler?: AuthHandler<OidcAuthResult>;
+    signIn?: {
+        resolver?: SignInResolver<OidcAuthResult>;
+    };
+};
+declare const createOidcProvider: (options?: OidcProviderOptions | undefined) => AuthProviderFactory;
 declare const oktaEmailSignInResolver: SignInResolver<OAuthResult>;
 declare type OktaProviderOptions = {
     /**
@@ -676,10 +777,41 @@ declare type AwsAlbProviderOptions = {
 };
 declare const createAwsAlbProvider: (options?: AwsAlbProviderOptions | undefined) => AuthProviderFactory;
+/** @public */
+declare type SamlAuthResult = {
+    fullProfile: any;
+};
+/** @public */
+declare type SamlProviderOptions = {
+    /**
+     * The profile transformation function used to verify and convert the auth response
+     * into the profile that will be presented to the user.
+     */
+    authHandler?: AuthHandler<SamlAuthResult>;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    signIn?: {
+        /**
+         * Maps an auth result to a Backstage identity for the user.
+         */
+        resolver?: SignInResolver<SamlAuthResult>;
+    };
+};
+/** @public */
+declare const createSamlProvider: (options?: SamlProviderOptions | undefined) => AuthProviderFactory;
 declare const factories: {
     [providerId: string]: AuthProviderFactory;
 };
+/**
+ * Parses token and decorates the BackstageIdentityResponse with identity information sourced from the token
+ *
+ * @public
+ */
+declare function prepareBackstageIdentityResponse(result: BackstageSignInResult): BackstageIdentityResponse;
 declare type ProviderFactories = {
     [s: string]: AuthProviderFactory;
 };
@@ -690,7 +822,7 @@ interface RouterOptions {
     discovery: PluginEndpointDiscovery;
     providerFactories?: ProviderFactories;
 }
-declare function createRouter({ logger, config, discovery, database, providerFactories, }: RouterOptions): Promise<express.Router>;
+declare function createRouter(options: RouterOptions): Promise<express.Router>;
 declare function createOriginFilter(config: Config): (origin: string) => boolean;
 /**
@@ -708,4 +840,4 @@ declare type WebMessageResponse = {
 declare const postMessageResponse: (res: express.Response, appOrigin: string, response: WebMessageResponse) => void;
 declare const ensuresXRequestedWith: (req: express.Request) => boolean;
-export { AtlassianAuthProvider, AtlassianProviderOptions, AuthProviderFactory, AuthProviderFactoryOptions, AuthProviderRouteHandlers, AuthResponse, AwsAlbProviderOptions, BackstageIdentity, BitbucketOAuthResult, BitbucketPassportProfile, BitbucketProviderOptions, GithubOAuthResult, GithubProviderOptions, GitlabProviderOptions, GoogleProviderOptions, IdentityClient, MicrosoftProviderOptions, OAuth2ProviderOptions, OAuthAdapter, OAuthEnvironmentHandler, OAuthHandlers, OAuthProviderInfo, OAuthProviderOptions, OAuthRefreshRequest, OAuthResponse, OAuthResult, OAuthStartRequest, OAuthState, OktaProviderOptions, ProfileInfo, RouterOptions, TokenIssuer, WebMessageResponse, bitbucketUserIdSignInResolver, bitbucketUsernameSignInResolver, createAtlassianProvider, createAwsAlbProvider, createBitbucketProvider, createGithubProvider, createGitlabProvider, createGoogleProvider, createMicrosoftProvider, createOAuth2Provider, createOktaProvider, createOriginFilter, createRouter, factories as defaultAuthProviderFactories, encodeState, ensuresXRequestedWith, googleEmailSignInResolver, microsoftEmailSignInResolver, oktaEmailSignInResolver, postMessageResponse, readState, verifyNonce };
+export { AtlassianAuthProvider, AtlassianProviderOptions, AuthHandler, AuthHandlerResult, AuthProviderFactory, AuthProviderFactoryOptions, AuthProviderRouteHandlers, AuthResponse, AwsAlbProviderOptions, BackstageIdentity, BackstageIdentityResponse, BackstageSignInResult, BackstageUserIdentity, BitbucketOAuthResult, BitbucketPassportProfile, BitbucketProviderOptions, CatalogIdentityClient, GithubOAuthResult, GithubProviderOptions, GitlabProviderOptions, GoogleProviderOptions, IdentityClient, MicrosoftProviderOptions, OAuth2ProviderOptions, OAuthAdapter, OAuthEnvironmentHandler, OAuthHandlers, OAuthProviderInfo, OAuthProviderOptions, OAuthRefreshRequest, OAuthResponse, OAuthResult, OAuthStartRequest, OAuthState, OidcAuthResult, OidcProviderOptions, OktaProviderOptions, ProfileInfo, RouterOptions, SamlAuthResult, SamlProviderOptions, SignInInfo, SignInResolver, TokenIssuer, WebMessageResponse, bitbucketUserIdSignInResolver, bitbucketUsernameSignInResolver, createAtlassianProvider, createAwsAlbProvider, createBitbucketProvider, createGithubProvider, createGitlabProvider, createGoogleProvider, createMicrosoftProvider, createOAuth2Provider, createOidcProvider, createOktaProvider, createOriginFilter, createRouter, createSamlProvider, factories as defaultAuthProviderFactories, encodeState, ensuresXRequestedWith, getEntityClaims, googleEmailSignInResolver, microsoftEmailSignInResolver, oktaEmailSignInResolver, postMessageResponse, prepareBackstageIdentityResponse, readState, verifyNonce };

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@backstage/plugin-auth-backend",
   "description": "A Backstage backend plugin that handles authentication",
-  "version": "0.4.9",
+  "version": "0.5.2",
   "main": "dist/index.cjs.js",
   "types": "dist/index.d.ts",
   "license": "Apache-2.0",
@@ -30,19 +30,18 @@
     "clean": "backstage-cli clean"
   },
   "dependencies": {
-    "@backstage/backend-common": "^0.9.11",
-    "@backstage/catalog-client": "^0.5.2",
-    "@backstage/catalog-model": "^0.9.7",
+    "@backstage/backend-common": "^0.10.0",
+    "@backstage/catalog-client": "^0.5.3",
+    "@backstage/catalog-model": "^0.9.8",
     "@backstage/config": "^0.1.11",
     "@backstage/errors": "^0.1.5",
-    "@backstage/test-utils": "^0.1.23",
+    "@backstage/test-utils": "^0.2.0",
     "@google-cloud/firestore": "^4.15.1",
     "@types/express": "^4.17.6",
     "@types/passport": "^1.0.3",
     "compression": "^1.7.4",
     "cookie-parser": "^1.4.5",
     "cors": "^2.8.5",
-    "cross-fetch": "^3.0.6",
     "express": "^4.17.1",
     "express-promise-router": "^4.1.0",
     "express-session": "^1.17.1",
@@ -57,6 +56,7 @@
     "minimatch": "^3.0.3",
     "morgan": "^1.10.0",
     "node-cache": "^5.1.2",
+    "node-fetch": "^2.6.1",
     "openid-client": "^4.2.1",
     "passport": "^0.4.1",
     "passport-bitbucket-oauth2": "^0.1.2",
@@ -73,7 +73,7 @@
     "yn": "^4.0.0"
   },
   "devDependencies": {
-    "@backstage/cli": "^0.9.1",
+    "@backstage/cli": "^0.10.3",
     "@types/body-parser": "^1.19.0",
     "@types/cookie-parser": "^1.4.2",
     "@types/express-session": "^1.17.2",
@@ -92,5 +92,5 @@
     "config.d.ts"
   ],
   "configSchema": "config.d.ts",
-  "gitHead": "85c127e436a24140bb3606f17f034f82aa9c7c0d"
+  "gitHead": "b315430f9dfcfa19ab0dd90f5b4ac6904938fba7"
 }