@backstage/plugin-auth-backend 0.8.0 → 0.10.0-next.0

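--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -2,7 +2,7 @@
 import express from 'express';
 import { Logger } from 'winston';
 import { Config } from '@backstage/config';
-import { PluginEndpointDiscovery, PluginDatabaseManager } from '@backstage/backend-common';
+import { TokenManager, PluginEndpointDiscovery, PluginDatabaseManager } from '@backstage/backend-common';
 import { CatalogApi } from '@backstage/catalog-client';
 import { UserEntity, Entity } from '@backstage/catalog-model';
 import { Profile } from 'passport';
@@ -103,6 +103,7 @@ declare type OAuthState = {
 nonce: string;
 env: string;
 origin?: string;
+scope?: string;
 };
 declare type OAuthStartRequest = express.Request<{}> & {
 scope: string;
@@ -144,6 +145,39 @@ interface OAuthHandlers {
 logout?(): Promise<void>;
 }
 
+declare type UserQuery = {
+annotations: Record<string, string>;
+};
+declare type MemberClaimQuery = {
+entityRefs: string[];
+logger?: Logger;
+};
+/**
+* A catalog client tailored for reading out identity data from the catalog.
+*/
+declare class CatalogIdentityClient {
+private readonly catalogApi;
+private readonly tokenManager;
+constructor(options: {
+catalogApi: CatalogApi;
+tokenManager: TokenManager;
+});
+/**
+* Looks up a single user using a query.
+*
+* Throws a NotFoundError or ConflictError if 0 or multiple users are found.
+*/
+findUser(query: UserQuery): Promise<UserEntity>;
+/**
+* Resolve additional entity claims from the catalog, using the passed-in entity names. Designed
+* to be used within a `signInResolver` where additional entity claims might be provided, but
+* group membership and transient group membership lean on imported catalog relations.
+*
+* Returns a superset of the entity names that can be passed directly to `issueToken` as `ent`.
+*/
+resolveCatalogMembership(query: MemberClaimQuery): Promise<string[]>;
+}
+
 /**
 * A identity client to interact with auth-backend
 * and authenticate backstage identity tokens
@@ -187,39 +221,6 @@ declare class IdentityClient {
 private refreshKeyStore;
 }
 
-declare type UserQuery = {
-annotations: Record<string, string>;
-};
-declare type MemberClaimQuery = {
-entityRefs: string[];
-logger?: Logger;
-};
-/**
-* A catalog client tailored for reading out identity data from the catalog.
-*/
-declare class CatalogIdentityClient {
-private readonly catalogApi;
-private readonly tokenIssuer;
-constructor(options: {
-catalogApi: CatalogApi;
-tokenIssuer: TokenIssuer;
-});
-/**
-* Looks up a single user using a query.
-*
-* Throws a NotFoundError or ConflictError if 0 or multiple users are found.
-*/
-findUser(query: UserQuery): Promise<UserEntity>;
-/**
-* Resolve additional entity claims from the catalog, using the passed-in entity names. Designed
-* to be used within a `signInResolver` where additional entity claims might be provided, but
-* group membership and transient group membership lean on imported catalog relations.
-*
-* Returns a superset of the entity names that can be passed directly to `issueToken` as `ent`.
-*/
-resolveCatalogMembership(query: MemberClaimQuery): Promise<string[]>;
-}
-
 declare function getEntityClaims(entity: UserEntity): TokenParams['claims'];
 
 /**
@@ -232,6 +233,22 @@ declare type AuthResolverContext = {
 catalogIdentityClient: CatalogIdentityClient;
 logger: Logger;
 };
+/**
+* The callback used to resolve the cookie configuration for auth providers that use cookies.
+* @public
+*/
+declare type CookieConfigurer = (ctx: {
+/** ID of the auth provider that this configuration applies to */
+providerId: string;
+/** The externally reachable base URL of the auth-backend plugin */
+baseUrl: string;
+/** The configured callback URL of the auth provider */
+callbackUrl: string;
+}) => {
+domain: string;
+path: string;
+secure: boolean;
+};
 declare type AuthProviderConfig = {
 /**
 * The protocol://domain[:port] where the app is hosted. This is used to construct the
@@ -246,6 +263,10 @@ declare type AuthProviderConfig = {
 * A function that is called to check whether an origin is allowed to receive the authentication result.
 */
 isOriginAllowed: (origin: string) => boolean;
+/**
+* The function used to resolve cookie configuration based on the auth provider options.
+*/
+cookieConfigurer?: CookieConfigurer;
 };
 declare type RedirectInfo = {
 /**
@@ -313,6 +334,7 @@ declare type AuthProviderFactoryOptions = {
 globalConfig: AuthProviderConfig;
 config: Config;
 logger: Logger;
+tokenManager: TokenManager;
 tokenIssuer: TokenIssuer;
 discovery: PluginEndpointDiscovery;
 catalogApi: CatalogApi;
@@ -491,12 +513,13 @@ declare type Options = {
 appOrigin: string;
 tokenIssuer: TokenIssuer;
 isOriginAllowed: (origin: string) => boolean;
-callbackUrl?: string;
+callbackUrl: string;
 };
 declare class OAuthAdapter implements AuthProviderRouteHandlers {
 private readonly handlers;
 private readonly options;
 static fromConfig(config: AuthProviderConfig, handlers: OAuthHandlers, options: Pick<Options, 'providerId' | 'persistScopes' | 'disableRefresh' | 'tokenIssuer' | 'callbackUrl'>): OAuthAdapter;
+private readonly baseCookieOptions;
 constructor(handlers: OAuthHandlers, options: Options);
 start(req: express.Request, res: express.Response): Promise<void>;
 frameHandler(req: express.Request, res: express.Response): Promise<void>;
@@ -508,8 +531,8 @@ declare class OAuthAdapter implements AuthProviderRouteHandlers {
 */
 private populateIdentity;
 private setNonceCookie;
-private setScopesCookie;
-private getScopesFromCookie;
+private setGrantedScopeCookie;
+private getGrantedScopeFromCookie;
 private setRefreshTokenCookie;
 private removeRefreshTokenCookie;
 }
@@ -975,6 +998,7 @@ interface RouterOptions {
 database: PluginDatabaseManager;
 config: Config;
 discovery: PluginEndpointDiscovery;
+tokenManager: TokenManager;
 providerFactories?: ProviderFactories;
 }
 declare function createRouter(options: RouterOptions): Promise<express.Router>;
@@ -995,4 +1019,4 @@ declare type WebMessageResponse = {
 declare const postMessageResponse: (res: express.Response, appOrigin: string, response: WebMessageResponse) => void;
 declare const ensuresXRequestedWith: (req: express.Request) => boolean;
 
-export { AtlassianAuthProvider, AtlassianProviderOptions, Auth0ProviderOptions, AuthHandler, AuthHandlerResult, AuthProviderFactory, AuthProviderFactoryOptions, AuthProviderRouteHandlers, AuthResolverContext, AuthResponse, AwsAlbProviderOptions, BackstageIdentity, BackstageIdentityResponse, BackstageSignInResult, BackstageUserIdentity, BitbucketOAuthResult, BitbucketPassportProfile, BitbucketProviderOptions, CatalogIdentityClient, GcpIapProviderOptions, GcpIapResult, GcpIapTokenInfo, GithubOAuthResult, GithubProviderOptions, GitlabProviderOptions, GoogleProviderOptions, IdentityClient, MicrosoftProviderOptions, OAuth2ProviderOptions, OAuth2ProxyResult, OAuthAdapter, OAuthEnvironmentHandler, OAuthHandlers, OAuthProviderInfo, OAuthProviderOptions, OAuthRefreshRequest, OAuthResponse, OAuthResult, OAuthStartRequest, OAuthState, Oauth2ProxyProviderOptions, OidcAuthResult, OidcProviderOptions, OktaProviderOptions, OneLoginProviderOptions, ProfileInfo, RouterOptions, SamlAuthResult, SamlProviderOptions, SignInInfo, SignInResolver, TokenIssuer, WebMessageResponse, bitbucketUserIdSignInResolver, bitbucketUsernameSignInResolver, createAtlassianProvider, createAuth0Provider, createAwsAlbProvider, createBitbucketProvider, createGcpIapProvider, createGithubProvider, createGitlabProvider, createGoogleProvider, createMicrosoftProvider, createOAuth2Provider, createOauth2ProxyProvider, createOidcProvider, createOktaProvider, createOneLoginProvider, createOriginFilter, createRouter, createSamlProvider, factories as defaultAuthProviderFactories, encodeState, ensuresXRequestedWith, getEntityClaims, googleEmailSignInResolver, microsoftEmailSignInResolver, oktaEmailSignInResolver, postMessageResponse, prepareBackstageIdentityResponse, readState, verifyNonce };
+export { AtlassianAuthProvider, AtlassianProviderOptions, Auth0ProviderOptions, AuthHandler, AuthHandlerResult, AuthProviderFactory, AuthProviderFactoryOptions, AuthProviderRouteHandlers, AuthResolverContext, AuthResponse, AwsAlbProviderOptions, BackstageIdentity, BackstageIdentityResponse, BackstageSignInResult, BackstageUserIdentity, BitbucketOAuthResult, BitbucketPassportProfile, BitbucketProviderOptions, CatalogIdentityClient, CookieConfigurer, GcpIapProviderOptions, GcpIapResult, GcpIapTokenInfo, GithubOAuthResult, GithubProviderOptions, GitlabProviderOptions, GoogleProviderOptions, IdentityClient, MicrosoftProviderOptions, OAuth2ProviderOptions, OAuth2ProxyResult, OAuthAdapter, OAuthEnvironmentHandler, OAuthHandlers, OAuthProviderInfo, OAuthProviderOptions, OAuthRefreshRequest, OAuthResponse, OAuthResult, OAuthStartRequest, OAuthState, Oauth2ProxyProviderOptions, OidcAuthResult, OidcProviderOptions, OktaProviderOptions, OneLoginProviderOptions, ProfileInfo, RouterOptions, SamlAuthResult, SamlProviderOptions, SignInInfo, SignInResolver, TokenIssuer, WebMessageResponse, bitbucketUserIdSignInResolver, bitbucketUsernameSignInResolver, createAtlassianProvider, createAuth0Provider, createAwsAlbProvider, createBitbucketProvider, createGcpIapProvider, createGithubProvider, createGitlabProvider, createGoogleProvider, createMicrosoftProvider, createOAuth2Provider, createOauth2ProxyProvider, createOidcProvider, createOktaProvider, createOneLoginProvider, createOriginFilter, createRouter, createSamlProvider, factories as defaultAuthProviderFactories, encodeState, ensuresXRequestedWith, getEntityClaims, googleEmailSignInResolver, microsoftEmailSignInResolver, oktaEmailSignInResolver, postMessageResponse, prepareBackstageIdentityResponse, readState, verifyNonce };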
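Review bot: The new `CookieConfigurer` type in the `AuthResolverContext` hunk documents its three input fields but none of the three it returns, and `secure: boolean` in particular needs a stated contract, because a configurer returning `secure: false` would presumably let the nonce, granted-scope and refresh-token cookies named in the `OAuthAdapter` hunk be sent over plain HTTP; how the adapter applies the value is not visible in this declaration file. I would add `/** Only send the cookies over HTTPS; keep this true outside local plain-HTTP development */` on `secure`, `/** Host the cookies are scoped to; a parent domain exposes them to every sub-host, so prefer the auth-backend host */` on `domain`, and `/** URL path the cookies are limited to */` on `path`. The returned shape also offers no `httpOnly` or `sameSite` field, so the `CookieConfigurer` TSDoc should say whether the adapter fixes those itself, since a custom configurer cannot tighten them. Separately, `callbackUrl` in the `Options` hunk going from optional to required is a compile-time break for code constructing `OAuthAdapter` directly, though `Options` itself is not in the export list, so the practical impact is likely limited to `fromConfig` callers already passing it.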
@@ -28,7 +28,7 @@ exports.up = async function up(knex) {
28
28
  .notNullable()
29
29
  .defaultTo(knex.fn.now())
30
30
  .comment('The creation time of the key')
31
- .alter();
31
+ .alter({ alterType: true });
32
32
  });
33
33
  }
34
34
  };
@@ -45,7 +45,7 @@ exports.down = async function down(knex) {
45
45
  .notNullable()
46
46
  .defaultTo(knex.fn.now())
47
47
  .comment('The creation time of the key')
48
- .alter();
48
+ .alter({ alterType: true });
49
49
  });
50
50
  }
51
51
  };
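--- a/package/package.json
+++ b/package/package.json
@@ -1,7 +1,7 @@
 {
 "name": "@backstage/plugin-auth-backend",
 "description": "A Backstage backend plugin that handles authentication",
-"version": "0.8.0",
+"version": "0.10.0-next.0",
 "main": "dist/index.cjs.js",
 "types": "dist/index.d.ts",
 "license": "Apache-2.0",
@@ -30,7 +30,7 @@
 "clean": "backstage-cli clean"
 },
 "dependencies": {
-"@backstage/backend-common": "^0.10.5",
+"@backstage/backend-common": "^0.10.7-next.0",
 "@backstage/catalog-client": "^0.5.5",
 "@backstage/catalog-model": "^0.9.10",
 "@backstage/config": "^0.1.13",
@@ -50,7 +50,7 @@
 "helmet": "^4.0.0",
 "jose": "^1.27.1",
 "jwt-decode": "^3.1.0",
-"knex": "^0.95.1",
+"knex": "^1.0.2",
 "lodash": "^4.17.21",
 "luxon": "^2.0.2",
 "minimatch": "^3.0.3",
@@ -58,7 +58,7 @@
 "node-cache": "^5.1.2",
 "node-fetch": "^2.6.1",
 "openid-client": "^4.2.1",
-"passport": "^0.4.1",
+"passport": "^0.5.2",
 "passport-bitbucket-oauth2": "^0.1.2",
 "passport-github2": "^0.1.12",
 "passport-gitlab2": "^5.0.0",
@@ -73,8 +73,8 @@
 "yn": "^4.0.0"
 },
 "devDependencies": {
-"@backstage/cli": "^0.13.0",
-"@backstage/test-utils": "^0.2.3",
+"@backstage/cli": "^0.13.2-next.0",
+"@backstage/test-utils": "^0.2.4",
 "@types/body-parser": "^1.19.0",
 "@types/cookie-parser": "^1.4.2",
 "@types/express-session": "^1.17.2",
@@ -94,5 +94,5 @@
 "config.d.ts"
 ],
 "configSchema": "config.d.ts",
-"gitHead": "493394603a2c47ea1d141159af9bc7bb84fac9e5"
+"gitHead": "e6f167225d843beeb974c287c3364d951b587626"
 }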