npm - @backstage/plugin-auth-backend - Versions diffs - 0.7.0 → 0.8.0 - Mend

@backstage/plugin-auth-backend 0.7.0 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,17 @@
 # @backstage/plugin-auth-backend
+## 0.8.0
+### Minor Changes
+- 67349916ac: The `sub` claim in Backstage tokens generated by the default Google and OIDC sign-in resolvers are now full entity references of the format `<kind>:<namespace>/<name>`.
+### Patch Changes
+- 033493a8af: Running the `auth-backend` on multiple domains, perhaps different domains depending on the `auth.environment`, was previously not possible as the `domain` name of the cookie was taken from `backend.baseUrl`. This prevented any cookies to be set in the start of the auth flow as the domain of the cookie would not match the domain of the callbackUrl configured in the OAuth app. This change checks if a provider supports custom `callbackUrl`'s to be configured in the application configuration and uses the domain from that, allowing the `domain`'s to match and the cookie to be set.
+- Updated dependencies
+  - @backstage/backend-common@0.10.5
 ## 0.7.0
 ### Minor Changes

package/dist/index.cjs.js CHANGED Viewed

@@ -149,6 +149,16 @@ const verifyNonce = (req, providerId) => {
     throw new Error("Invalid nonce");
   }
 };
+const getCookieConfig = (authUrl, providerId) => {
+  const { hostname: cookieDomain, pathname, protocol } = authUrl;
+  const secure = protocol === "https:";
+  const cookiePath = pathname.endsWith(`${providerId}/handler/frame`) ? pathname.slice(0, -"/handler/frame".length) : `${pathname}/${providerId}`;
+  return {
+    cookieDomain,
+    cookiePath,
+    secure
+  };
+};
 class OAuthEnvironmentHandler {
   constructor(handlers) {
@@ -313,14 +323,14 @@ class OAuthAdapter {
     };
   }
   static fromConfig(config, handlers, options) {
+    var _a;
     const { origin: appOrigin } = new url.URL(config.appUrl);
-    const secure = config.baseUrl.startsWith("https://");
-    const url$1 = new url.URL(config.baseUrl);
-    const cookiePath = `${url$1.pathname}/${options.providerId}`;
+    const authUrl = new url.URL((_a = options.callbackUrl) != null ? _a : config.baseUrl);
+    const { cookieDomain, cookiePath, secure } = getCookieConfig(authUrl, options.providerId);
     return new OAuthAdapter(handlers, {
       ...options,
       appOrigin,
-      cookieDomain: url$1.hostname,
+      cookieDomain,
       cookiePath,
       secure,
       isOriginAllowed: config.isOriginAllowed
@@ -1273,7 +1283,8 @@ const createGithubProvider = (options) => {
     return OAuthAdapter.fromConfig(globalConfig, provider, {
       persistScopes: true,
       providerId,
-      tokenIssuer
+      tokenIssuer,
+      callbackUrl
     });
   });
 };
@@ -1515,7 +1526,7 @@ const googleDefaultSignInResolver = async (info, ctx) => {
     userId = profile.email.split("@")[0];
   }
   const token = await ctx.tokenIssuer.issueToken({
-    claims: { sub: userId, ent: [`user:default/${userId}`] }
+    claims: { sub: `user:default/${userId}`, ent: [`user:default/${userId}`] }
   });
   return { id: userId, token };
 };
@@ -2388,7 +2399,10 @@ const oAuth2DefaultSignInResolver = async (info, ctx) => {
   }
   const userId = profile.email.split("@")[0];
   const token = await ctx.tokenIssuer.issueToken({
-    claims: { sub: userId, ent: [`user:default/${userId}`] }
+    claims: {
+      sub: `user:default/${userId}`,
+      ent: [`user:default/${userId}`]
+    }
   });
   return { id: userId, token };
 };