@backstage/plugin-auth-backend 0.5.0 → 0.6.1

package/dist/index.d.ts

@@ -1,13 +1,14 @@
 /// <reference types="node" />
 import express from 'express';
 import { Logger } from 'winston';
+import { Config } from '@backstage/config';
 import { PluginEndpointDiscovery, PluginDatabaseManager } from '@backstage/backend-common';
 import { CatalogApi } from '@backstage/catalog-client';
 import { UserEntity, Entity } from '@backstage/catalog-model';
-import { Config } from '@backstage/config';
 import { Profile } from 'passport';
 import { JSONWebKey } from 'jose';
 import { TokenSet, UserinfoResponse } from 'openid-client';
+import { JsonValue } from '@backstage/types';
 
 /** Represents any form of serializable JWK */
 interface AnyJWK extends Record<string, string> {
@@ -97,10 +98,6 @@ declare type OAuthProviderInfo = {
      * Scopes granted for the access token.
      */
     scope: string;
-    /**
-     * A refresh token issued for the signed in user
-     */
-    refreshToken?: string;
 };
 declare type OAuthState = {
     nonce: string;
@@ -140,7 +137,10 @@ interface OAuthHandlers {
      * @param {string} refreshToken
      * @param {string} scope
      */
-    refresh?(req: OAuthRefreshRequest): Promise<OAuthResponse>;
+    refresh?(req: OAuthRefreshRequest): Promise<{
+        response: OAuthResponse;
+        refreshToken?: string;
+    }>;
     /**
      * (Optional) Sign out of the auth provider.
      */
@@ -382,12 +382,15 @@ interface BackstageSignInResult {
 }
 /**
  * The old exported symbol for {@link BackstageSignInResult}.
+ *
  * @public
- * @deprecated Use the `BackstageSignInResult` type instead.
+ * @deprecated Use the {@link BackstageSignInResult} instead.
  */
 declare type BackstageIdentity = BackstageSignInResult;
 /**
- * Response object containing the {@link BackstageUserIdentity} and the token from the authentication provider.
+ * Response object containing the {@link BackstageUserIdentity} and the token
+ * from the authentication provider.
+ *
  * @public
  */
 interface BackstageIdentityResponse extends BackstageSignInResult {
@@ -400,7 +403,8 @@ interface BackstageIdentityResponse extends BackstageSignInResult {
  * Used to display login information to user, i.e. sidebar popup.
  *
  * It is also temporarily used as the profile of the signed-in user's Backstage
- * identity, but we want to replace that with data from identity and/org catalog service
+ * identity, but we want to replace that with data from identity and/org catalog
+ * service
  *
  * @public
  */
@@ -419,33 +423,57 @@ declare type ProfileInfo = {
      */
     picture?: string;
 };
-declare type SignInInfo<AuthResult> = {
+/**
+ * Type of sign in information context. Includes the profile information and
+ * authentication result which contains auth related information.
+ *
+ * @public
+ */
+declare type SignInInfo<TAuthResult> = {
     /**
      * The simple profile passed down for use in the frontend.
      */
     profile: ProfileInfo;
     /**
-     * The authentication result that was received from the authentication provider.
+     * The authentication result that was received from the authentication
+     * provider.
      */
-    result: AuthResult;
+    result: TAuthResult;
 };
-declare type SignInResolver<AuthResult> = (info: SignInInfo<AuthResult>, context: {
+/**
+ * Describes the function which handles the result of a successful
+ * authentication. Must return a valid {@link BackstageSignInResult}.
+ *
+ * @public
+ */
+declare type SignInResolver<TAuthResult> = (info: SignInInfo<TAuthResult>, context: {
     tokenIssuer: TokenIssuer;
     catalogIdentityClient: CatalogIdentityClient;
     logger: Logger;
 }) => Promise<BackstageSignInResult>;
+/**
+ * The return type of an authentication handler. Must contain valid profile
+ * information.
+ *
+ * @public
+ */
 declare type AuthHandlerResult = {
     profile: ProfileInfo;
 };
 /**
- * The AuthHandler function is called every time the user authenticates using the provider.
+ * The AuthHandler function is called every time the user authenticates using
+ * the provider.
+ *
+ * The handler should return a profile that represents the session for the user
+ * in the frontend.
  *
- * The handler should return a profile that represents the session for the user in the frontend.
+ * Throwing an error in the function will cause the authentication to fail,
+ * making it possible to use this function as a way to limit access to a certain
+ * group of users.
  *
- * Throwing an error in the function will cause the authentication to fail, making it
- * possible to use this function as a way to limit access to a certain group of users.
+ * @public
  */
-declare type AuthHandler<AuthResult> = (input: AuthResult) => Promise<AuthHandlerResult>;
+declare type AuthHandler<TAuthResult> = (input: TAuthResult) => Promise<AuthHandlerResult>;
 declare type StateEncoder = (req: OAuthStartRequest) => Promise<{
     encodedState: string;
 }>;
@@ -498,6 +526,134 @@ declare const readState: (stateString: string) => OAuthState;
 declare const encodeState: (state: OAuthState) => string;
 declare const verifyNonce: (req: express.Request, providerId: string) => void;
 
+declare type AtlassianAuthProviderOptions = OAuthProviderOptions & {
+    scopes: string;
+    signInResolver?: SignInResolver<OAuthResult>;
+    authHandler: AuthHandler<OAuthResult>;
+    tokenIssuer: TokenIssuer;
+    catalogIdentityClient: CatalogIdentityClient;
+    logger: Logger;
+};
+declare class AtlassianAuthProvider implements OAuthHandlers {
+    private readonly _strategy;
+    private readonly signInResolver?;
+    private readonly authHandler;
+    private readonly tokenIssuer;
+    private readonly catalogIdentityClient;
+    private readonly logger;
+    constructor(options: AtlassianAuthProviderOptions);
+    start(req: OAuthStartRequest): Promise<RedirectInfo>;
+    handler(req: express.Request): Promise<{
+        response: OAuthResponse;
+        refreshToken: string | undefined;
+    }>;
+    private handleResult;
+    refresh(req: OAuthRefreshRequest): Promise<{
+        response: OAuthResponse;
+        refreshToken: string | undefined;
+    }>;
+}
+declare type AtlassianProviderOptions = {
+    /**
+     * The profile transformation function used to verify and convert the auth response
+     * into the profile that will be presented to the user.
+     */
+    authHandler?: AuthHandler<OAuthResult>;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    signIn?: {
+        resolver: SignInResolver<OAuthResult>;
+    };
+};
+declare const createAtlassianProvider: (options?: AtlassianProviderOptions | undefined) => AuthProviderFactory;
+
+/** @public */
+declare type Auth0ProviderOptions = {
+    /**
+     * The profile transformation function used to verify and convert the auth response
+     * into the profile that will be presented to the user.
+     */
+    authHandler?: AuthHandler<OAuthResult>;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    signIn?: {
+        /**
+         * Maps an auth result to a Backstage identity for the user.
+         */
+        resolver: SignInResolver<OAuthResult>;
+    };
+};
+/** @public */
+declare const createAuth0Provider: (options?: Auth0ProviderOptions | undefined) => AuthProviderFactory;
+
+declare type AwsAlbResult = {
+    fullProfile: Profile;
+    expiresInSeconds?: number;
+    accessToken: string;
+};
+declare type AwsAlbProviderOptions = {
+    /**
+     * The profile transformation function used to verify and convert the auth response
+     * into the profile that will be presented to the user.
+     */
+    authHandler?: AuthHandler<AwsAlbResult>;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    signIn: {
+        /**
+         * Maps an auth result to a Backstage identity for the user.
+         */
+        resolver: SignInResolver<AwsAlbResult>;
+    };
+};
+declare const createAwsAlbProvider: (options?: AwsAlbProviderOptions | undefined) => AuthProviderFactory;
+
+declare type BitbucketOAuthResult = {
+    fullProfile: BitbucketPassportProfile;
+    params: {
+        id_token?: string;
+        scope: string;
+        expires_in: number;
+    };
+    accessToken: string;
+    refreshToken?: string;
+};
+declare type BitbucketPassportProfile = Profile & {
+    id?: string;
+    displayName?: string;
+    username?: string;
+    avatarUrl?: string;
+    _json?: {
+        links?: {
+            avatar?: {
+                href?: string;
+            };
+        };
+    };
+};
+declare const bitbucketUsernameSignInResolver: SignInResolver<BitbucketOAuthResult>;
+declare const bitbucketUserIdSignInResolver: SignInResolver<BitbucketOAuthResult>;
+declare type BitbucketProviderOptions = {
+    /**
+     * The profile transformation function used to verify and convert the auth response
+     * into the profile that will be presented to the user.
+     */
+    authHandler?: AuthHandler<OAuthResult>;
+    /**
+     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     */
+    signIn?: {
+        /**
+         * Maps an auth result to a Backstage identity for the user.
+         */
+        resolver: SignInResolver<OAuthResult>;
+    };
+};
+declare const createBitbucketProvider: (options?: BitbucketProviderOptions | undefined) => AuthProviderFactory;
+
 declare type GithubOAuthResult = {
     fullProfile: Profile;
     params: {
@@ -610,14 +766,30 @@ declare type OAuth2ProviderOptions = {
 };
 declare const createOAuth2Provider: (options?: OAuth2ProviderOptions | undefined) => AuthProviderFactory;
 
-declare type AuthResult = {
+/**
+ * authentication result for the OIDC which includes the token set and user information (a profile response sent by OIDC server)
+ * @public
+ */
+declare type OidcAuthResult = {
     tokenset: TokenSet;
     userinfo: UserinfoResponse;
 };
+/**
+ * OIDC provider callback options. An auth handler and a sign in resolver
+ * can be passed while creating a OIDC provider.
+ *
+ * authHandler : called after sign in was successful, a new object must be returned which includes a profile
+ * signInResolver: called after sign in was successful, expects to return a new {@link BackstageSignInResult}
+ *
+ * Both options are optional. There is fallback for authHandler where the default handler expect an e-mail explicitly
+ * otherwise it throws an error
+ *
+ * @public
+ */
 declare type OidcProviderOptions = {
-    authHandler?: AuthHandler<AuthResult>;
+    authHandler?: AuthHandler<OidcAuthResult>;
     signIn?: {
-        resolver?: SignInResolver<AuthResult>;
+        resolver?: SignInResolver<OidcAuthResult>;
     };
 };
 declare const createOidcProvider: (options?: OidcProviderOptions | undefined) => AuthProviderFactory;
@@ -641,32 +813,8 @@ declare type OktaProviderOptions = {
 };
 declare const createOktaProvider: (_options?: OktaProviderOptions | undefined) => AuthProviderFactory;
 
-declare type BitbucketOAuthResult = {
-    fullProfile: BitbucketPassportProfile;
-    params: {
-        id_token?: string;
-        scope: string;
-        expires_in: number;
-    };
-    accessToken: string;
-    refreshToken?: string;
-};
-declare type BitbucketPassportProfile = Profile & {
-    id?: string;
-    displayName?: string;
-    username?: string;
-    avatarUrl?: string;
-    _json?: {
-        links?: {
-            avatar?: {
-                href?: string;
-            };
-        };
-    };
-};
-declare const bitbucketUsernameSignInResolver: SignInResolver<BitbucketOAuthResult>;
-declare const bitbucketUserIdSignInResolver: SignInResolver<BitbucketOAuthResult>;
-declare type BitbucketProviderOptions = {
+/** @public */
+declare type OneLoginProviderOptions = {
     /**
      * The profile transformation function used to verify and convert the auth response
      * into the profile that will be presented to the user.
@@ -682,100 +830,103 @@ declare type BitbucketProviderOptions = {
         resolver: SignInResolver<OAuthResult>;
     };
 };
-declare const createBitbucketProvider: (options?: BitbucketProviderOptions | undefined) => AuthProviderFactory;
+/** @public */
+declare const createOneLoginProvider: (options?: OneLoginProviderOptions | undefined) => AuthProviderFactory;
 
-declare type AtlassianAuthProviderOptions = OAuthProviderOptions & {
-    scopes: string;
-    signInResolver?: SignInResolver<OAuthResult>;
-    authHandler: AuthHandler<OAuthResult>;
-    tokenIssuer: TokenIssuer;
-    catalogIdentityClient: CatalogIdentityClient;
-    logger: Logger;
+/** @public */
+declare type SamlAuthResult = {
+    fullProfile: any;
 };
-declare class AtlassianAuthProvider implements OAuthHandlers {
-    private readonly _strategy;
-    private readonly signInResolver?;
-    private readonly authHandler;
-    private readonly tokenIssuer;
-    private readonly catalogIdentityClient;
-    private readonly logger;
-    constructor(options: AtlassianAuthProviderOptions);
-    start(req: OAuthStartRequest): Promise<RedirectInfo>;
-    handler(req: express.Request): Promise<{
-        response: OAuthResponse;
-        refreshToken: string;
-    }>;
-    private handleResult;
-    refresh(req: OAuthRefreshRequest): Promise<OAuthResponse>;
-}
-declare type AtlassianProviderOptions = {
+/** @public */
+declare type SamlProviderOptions = {
     /**
      * The profile transformation function used to verify and convert the auth response
      * into the profile that will be presented to the user.
      */
-    authHandler?: AuthHandler<OAuthResult>;
+    authHandler?: AuthHandler<SamlAuthResult>;
     /**
      * Configure sign-in for this provider, without it the provider can not be used to sign users in.
      */
     signIn?: {
-        resolver: SignInResolver<OAuthResult>;
+        /**
+         * Maps an auth result to a Backstage identity for the user.
+         */
+        resolver?: SignInResolver<SamlAuthResult>;
     };
 };
-declare const createAtlassianProvider: (options?: AtlassianProviderOptions | undefined) => AuthProviderFactory;
+/** @public */
+declare const createSamlProvider: (options?: SamlProviderOptions | undefined) => AuthProviderFactory;
 
-declare type AwsAlbResult = {
-    fullProfile: Profile;
-    expiresInSeconds?: number;
-    accessToken: string;
-};
-declare type AwsAlbProviderOptions = {
+/**
+ * The data extracted from an IAP token.
+ *
+ * @public
+ */
+declare type GcpIapTokenInfo = {
     /**
-     * The profile transformation function used to verify and convert the auth response
-     * into the profile that will be presented to the user.
+     * The unique, stable identifier for the user.
      */
-    authHandler?: AuthHandler<AwsAlbResult>;
+    sub: string;
     /**
-     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     * User email address.
      */
-    signIn: {
-        /**
-         * Maps an auth result to a Backstage identity for the user.
-         */
-        resolver: SignInResolver<AwsAlbResult>;
-    };
+    email: string;
+    /**
+     * Other fields.
+     */
+    [key: string]: JsonValue;
 };
-declare const createAwsAlbProvider: (options?: AwsAlbProviderOptions | undefined) => AuthProviderFactory;
-
-/** @public */
-declare type SamlAuthResult = {
-    fullProfile: any;
+/**
+ * The result of the initial auth challenge. This is the input to the auth
+ * callbacks.
+ *
+ * @public
+ */
+declare type GcpIapResult = {
+    /**
+     * The data extracted from the IAP token header.
+     */
+    iapToken: GcpIapTokenInfo;
 };
-/** @public */
-declare type SamlProviderOptions = {
+/**
+ * Options for {@link createGcpIapProvider}.
+ *
+ * @public
+ */
+declare type GcpIapProviderOptions = {
     /**
-     * The profile transformation function used to verify and convert the auth response
-     * into the profile that will be presented to the user.
+     * The profile transformation function used to verify and convert the auth
+     * response into the profile that will be presented to the user. The default
+     * implementation just provides the authenticated email that the IAP
+     * presented.
      */
-    authHandler?: AuthHandler<SamlAuthResult>;
+    authHandler?: AuthHandler<GcpIapResult>;
     /**
-     * Configure sign-in for this provider, without it the provider can not be used to sign users in.
+     * Configures sign-in for this provider.
      */
-    signIn?: {
+    signIn: {
         /**
          * Maps an auth result to a Backstage identity for the user.
          */
-        resolver?: SignInResolver<SamlAuthResult>;
+        resolver: SignInResolver<GcpIapResult>;
     };
 };
-/** @public */
-declare const createSamlProvider: (options?: SamlProviderOptions | undefined) => AuthProviderFactory;
+
+/**
+ * Creates an auth provider for Google Identity-Aware Proxy.
+ *
+ * @public
+ */
+declare function createGcpIapProvider(options: GcpIapProviderOptions): AuthProviderFactory;
 
 declare const factories: {
     [providerId: string]: AuthProviderFactory;
 };
 
 /**
- * Parses token and decorates the BackstageIdentityResponse with identity information sourced from the token
+ * Parses a Backstage-issued token and decorates the
+ * {@link BackstageIdentityResponse} with identity information sourced from the
+ * token.
  *
  * @public
  */
@@ -809,4 +960,4 @@ declare type WebMessageResponse = {
 declare const postMessageResponse: (res: express.Response, appOrigin: string, response: WebMessageResponse) => void;
 declare const ensuresXRequestedWith: (req: express.Request) => boolean;
 
-export { AtlassianAuthProvider, AtlassianProviderOptions, AuthProviderFactory, AuthProviderFactoryOptions, AuthProviderRouteHandlers, AuthResponse, AwsAlbProviderOptions, BackstageIdentity, BackstageIdentityResponse, BackstageSignInResult, BackstageUserIdentity, BitbucketOAuthResult, BitbucketPassportProfile, BitbucketProviderOptions, CatalogIdentityClient, GithubOAuthResult, GithubProviderOptions, GitlabProviderOptions, GoogleProviderOptions, IdentityClient, MicrosoftProviderOptions, OAuth2ProviderOptions, OAuthAdapter, OAuthEnvironmentHandler, OAuthHandlers, OAuthProviderInfo, OAuthProviderOptions, OAuthRefreshRequest, OAuthResponse, OAuthResult, OAuthStartRequest, OAuthState, OktaProviderOptions, ProfileInfo, RouterOptions, SamlAuthResult, SamlProviderOptions, TokenIssuer, WebMessageResponse, bitbucketUserIdSignInResolver, bitbucketUsernameSignInResolver, createAtlassianProvider, createAwsAlbProvider, createBitbucketProvider, createGithubProvider, createGitlabProvider, createGoogleProvider, createMicrosoftProvider, createOAuth2Provider, createOidcProvider, createOktaProvider, createOriginFilter, createRouter, createSamlProvider, factories as defaultAuthProviderFactories, encodeState, ensuresXRequestedWith, getEntityClaims, googleEmailSignInResolver, microsoftEmailSignInResolver, oktaEmailSignInResolver, postMessageResponse, prepareBackstageIdentityResponse, readState, verifyNonce };
+export { AtlassianAuthProvider, AtlassianProviderOptions, Auth0ProviderOptions, AuthHandler, AuthHandlerResult, AuthProviderFactory, AuthProviderFactoryOptions, AuthProviderRouteHandlers, AuthResponse, AwsAlbProviderOptions, BackstageIdentity, BackstageIdentityResponse, BackstageSignInResult, BackstageUserIdentity, BitbucketOAuthResult, BitbucketPassportProfile, BitbucketProviderOptions, CatalogIdentityClient, GcpIapProviderOptions, GcpIapResult, GcpIapTokenInfo, GithubOAuthResult, GithubProviderOptions, GitlabProviderOptions, GoogleProviderOptions, IdentityClient, MicrosoftProviderOptions, OAuth2ProviderOptions, OAuthAdapter, OAuthEnvironmentHandler, OAuthHandlers, OAuthProviderInfo, OAuthProviderOptions, OAuthRefreshRequest, OAuthResponse, OAuthResult, OAuthStartRequest, OAuthState, OidcAuthResult, OidcProviderOptions, OktaProviderOptions, OneLoginProviderOptions, ProfileInfo, RouterOptions, SamlAuthResult, SamlProviderOptions, SignInInfo, SignInResolver, TokenIssuer, WebMessageResponse, bitbucketUserIdSignInResolver, bitbucketUsernameSignInResolver, createAtlassianProvider, createAuth0Provider, createAwsAlbProvider, createBitbucketProvider, createGcpIapProvider, createGithubProvider, createGitlabProvider, createGoogleProvider, createMicrosoftProvider, createOAuth2Provider, createOidcProvider, createOktaProvider, createOneLoginProvider, createOriginFilter, createRouter, createSamlProvider, factories as defaultAuthProviderFactories, encodeState, ensuresXRequestedWith, getEntityClaims, googleEmailSignInResolver, microsoftEmailSignInResolver, oktaEmailSignInResolver, postMessageResponse, prepareBackstageIdentityResponse, readState, verifyNonce };

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@backstage/plugin-auth-backend",
   "description": "A Backstage backend plugin that handles authentication",
-  "version": "0.5.0",
+  "version": "0.6.1",
   "main": "dist/index.cjs.js",
   "types": "dist/index.d.ts",
   "license": "Apache-2.0",
@@ -30,12 +30,13 @@
     "clean": "backstage-cli clean"
   },
   "dependencies": {
-    "@backstage/backend-common": "^0.9.13",
-    "@backstage/catalog-client": "^0.5.2",
-    "@backstage/catalog-model": "^0.9.7",
+    "@backstage/backend-common": "^0.10.2",
+    "@backstage/catalog-client": "^0.5.3",
+    "@backstage/catalog-model": "^0.9.8",
     "@backstage/config": "^0.1.11",
     "@backstage/errors": "^0.1.5",
-    "@backstage/test-utils": "^0.1.24",
+    "@backstage/test-utils": "^0.2.1",
+    "@backstage/types": "^0.1.1",
     "@google-cloud/firestore": "^4.15.1",
     "@types/express": "^4.17.6",
     "@types/passport": "^1.0.3",
@@ -46,7 +47,7 @@
     "express-promise-router": "^4.1.0",
     "express-session": "^1.17.1",
     "fs-extra": "9.1.0",
-    "got": "^11.5.2",
+    "google-auth-library": "^7.6.1",
     "helmet": "^4.0.0",
     "jose": "^1.27.1",
     "jwt-decode": "^3.1.0",
@@ -73,7 +74,7 @@
     "yn": "^4.0.0"
   },
   "devDependencies": {
-    "@backstage/cli": "^0.10.1",
+    "@backstage/cli": "^0.10.5",
     "@types/body-parser": "^1.19.0",
     "@types/cookie-parser": "^1.4.2",
     "@types/express-session": "^1.17.2",
@@ -84,7 +85,8 @@
     "@types/passport-saml": "^1.1.3",
     "@types/passport-strategy": "^0.2.35",
     "@types/xml2js": "^0.4.7",
-    "msw": "^0.35.0"
+    "msw": "^0.35.0",
+    "supertest": "^6.1.3"
   },
   "files": [
     "dist",
@@ -92,5 +94,5 @@
     "config.d.ts"
   ],
   "configSchema": "config.d.ts",
-  "gitHead": "562be0b43016294e27af3ad024191bb86b13b1c1"
+  "gitHead": "ffdb98aa2973366d48ff1774a7f892bc0c926e7e"
 }