@backstage/plugin-auth-backend 0.9.0-next.0 → 0.10.0

package/dist/index.d.ts

@@ -4,9 +4,9 @@ import { Logger } from 'winston';
 import { Config } from '@backstage/config';
 import { TokenManager, PluginEndpointDiscovery, PluginDatabaseManager } from '@backstage/backend-common';
 import { CatalogApi } from '@backstage/catalog-client';
-import { UserEntity, Entity } from '@backstage/catalog-model';
+import { BackstageSignInResult, BackstageIdentityResponse } from '@backstage/plugin-auth-node';
 import { Profile } from 'passport';
-import { JSONWebKey } from 'jose';
+import { UserEntity } from '@backstage/catalog-model';
 import { TokenSet, UserinfoResponse } from 'openid-client';
 import { JsonValue } from '@backstage/types';
 
@@ -103,6 +103,7 @@ declare type OAuthState = {
     nonce: string;
     env: string;
     origin?: string;
+    scope?: string;
 };
 declare type OAuthStartRequest = express.Request<{}> & {
     scope: string;
@@ -177,49 +178,6 @@ declare class CatalogIdentityClient {
     resolveCatalogMembership(query: MemberClaimQuery): Promise<string[]>;
 }
 
-/**
- * A identity client to interact with auth-backend
- * and authenticate backstage identity tokens
- *
- * @experimental This is not a stable API yet
- */
-declare class IdentityClient {
-    private readonly discovery;
-    private readonly issuer;
-    private keyStore;
-    private keyStoreUpdated;
-    constructor(options: {
-        discovery: PluginEndpointDiscovery;
-        issuer: string;
-    });
-    /**
-     * Verifies the given backstage identity token
-     * Returns a BackstageIdentity (user) matching the token.
-     * The method throws an error if verification fails.
-     */
-    authenticate(token: string | undefined): Promise<BackstageIdentityResponse>;
-    /**
-     * Parses the given authorization header and returns
-     * the bearer token, or null if no bearer token is given
-     */
-    static getBearerToken(authorizationHeader: string | undefined): string | undefined;
-    /**
-     * Returns the public signing key matching the given jwt token,
-     * or null if no matching key was found
-     */
-    private getKey;
-    /**
-     * Lists public part of keys used to sign Backstage Identity tokens
-     */
-    listPublicKeys(): Promise<{
-        keys: JSONWebKey[];
-    }>;
-    /**
-     * Fetches public keys and caches them locally
-     */
-    private refreshKeyStore;
-}
-
 declare function getEntityClaims(entity: UserEntity): TokenParams['claims'];
 
 /**
@@ -232,6 +190,22 @@ declare type AuthResolverContext = {
     catalogIdentityClient: CatalogIdentityClient;
     logger: Logger;
 };
+/**
+ * The callback used to resolve the cookie configuration for auth providers that use cookies.
+ * @public
+ */
+declare type CookieConfigurer = (ctx: {
+    /** ID of the auth provider that this configuration applies to */
+    providerId: string;
+    /** The externally reachable base URL of the auth-backend plugin */
+    baseUrl: string;
+    /** The configured callback URL of the auth provider */
+    callbackUrl: string;
+}) => {
+    domain: string;
+    path: string;
+    secure: boolean;
+};
 declare type AuthProviderConfig = {
     /**
      * The protocol://domain[:port] where the app is hosted. This is used to construct the
@@ -246,6 +220,10 @@ declare type AuthProviderConfig = {
      * A function that is called to check whether an origin is allowed to receive the authentication result.
      */
     isOriginAllowed: (origin: string) => boolean;
+    /**
+     * The function used to resolve cookie configuration based on the auth provider options.
+     */
+    cookieConfigurer?: CookieConfigurer;
 };
 declare type RedirectInfo = {
     /**
@@ -324,77 +302,6 @@ declare type AuthResponse<ProviderInfo> = {
     profile: ProfileInfo;
     backstageIdentity?: BackstageIdentityResponse;
 };
-/**
- * User identity information within Backstage.
- *
- * @public
- */
-declare type BackstageUserIdentity = {
-    /**
-     * The type of identity that this structure represents. In the frontend app
-     * this will currently always be 'user'.
-     */
-    type: 'user';
-    /**
-     * The entityRef of the user in the catalog.
-     * For example User:default/sandra
-     */
-    userEntityRef: string;
-    /**
-     * The user and group entities that the user claims ownership through
-     */
-    ownershipEntityRefs: string[];
-};
-/**
- * A representation of a successful Backstage sign-in.
- *
- * Compared to the {@link BackstageIdentityResponse} this type omits
- * the decoded identity information embedded in the token.
- *
- * @public
- */
-interface BackstageSignInResult {
-    /**
-     * An opaque ID that uniquely identifies the user within Backstage.
-     *
-     * This is typically the same as the user entity `metadata.name`.
-     *
-     * @deprecated Use the `identity` field instead
-     */
-    id: string;
-    /**
-     * The entity that the user is represented by within Backstage.
-     *
-     * This entity may or may not exist within the Catalog, and it can be used
-     * to read and store additional metadata about the user.
-     *
-     * @deprecated Use the `identity` field instead.
-     */
-    entity?: Entity;
-    /**
-     * The token used to authenticate the user within Backstage.
-     */
-    token: string;
-}
-/**
- * The old exported symbol for {@link BackstageSignInResult}.
- *
- * @public
- * @deprecated Use the {@link BackstageSignInResult} instead.
- */
-declare type BackstageIdentity = BackstageSignInResult;
-/**
- * Response object containing the {@link BackstageUserIdentity} and the token
- * from the authentication provider.
- *
- * @public
- */
-interface BackstageIdentityResponse extends BackstageSignInResult {
-    /**
-     * A plaintext description of the identity that is encapsulated within the token.
-     */
-    identity: BackstageUserIdentity;
-}
 /**
  * Used to display login information to user, i.e. sidebar popup.
  *
@@ -438,7 +345,7 @@ declare type SignInInfo<TAuthResult> = {
 };
 /**
  * Describes the function which handles the result of a successful
- * authentication. Must return a valid {@link BackstageSignInResult}.
+ * authentication. Must return a valid {@link @backstage/plugin-auth-node#BackstageSignInResult}.
  *
  * @public
  */
@@ -492,12 +399,13 @@ declare type Options = {
     appOrigin: string;
     tokenIssuer: TokenIssuer;
     isOriginAllowed: (origin: string) => boolean;
-    callbackUrl?: string;
+    callbackUrl: string;
 };
 declare class OAuthAdapter implements AuthProviderRouteHandlers {
     private readonly handlers;
     private readonly options;
     static fromConfig(config: AuthProviderConfig, handlers: OAuthHandlers, options: Pick<Options, 'providerId' | 'persistScopes' | 'disableRefresh' | 'tokenIssuer' | 'callbackUrl'>): OAuthAdapter;
+    private readonly baseCookieOptions;
     constructor(handlers: OAuthHandlers, options: Options);
     start(req: express.Request, res: express.Response): Promise<void>;
     frameHandler(req: express.Request, res: express.Response): Promise<void>;
@@ -509,8 +417,8 @@ declare class OAuthAdapter implements AuthProviderRouteHandlers {
      */
     private populateIdentity;
     private setNonceCookie;
-    private setScopesCookie;
-    private getScopesFromCookie;
+    private setGrantedScopeCookie;
+    private getGrantedScopeFromCookie;
     private setRefreshTokenCookie;
     private removeRefreshTokenCookie;
 }
@@ -815,7 +723,7 @@ declare type OidcAuthResult = {
  * can be passed while creating a OIDC provider.
  *
  * authHandler : called after sign in was successful, a new object must be returned which includes a profile
- * signInResolver: called after sign in was successful, expects to return a new {@link BackstageSignInResult}
+ * signInResolver: called after sign in was successful, expects to return a new {@link @backstage/plugin-auth-node#BackstageSignInResult}
  *
  * Both options are optional. There is fallback for authHandler where the default handler expect an e-mail explicitly
  * otherwise it throws an error
@@ -961,7 +869,7 @@ declare const factories: {
 
 /**
  * Parses a Backstage-issued token and decorates the
- * {@link BackstageIdentityResponse} with identity information sourced from the
+ * {@link @backstage/plugin-auth-node#BackstageIdentityResponse} with identity information sourced from the
  * token.
  *
  * @public
@@ -997,4 +905,4 @@ declare type WebMessageResponse = {
 declare const postMessageResponse: (res: express.Response, appOrigin: string, response: WebMessageResponse) => void;
 declare const ensuresXRequestedWith: (req: express.Request) => boolean;
 
-export { AtlassianAuthProvider, AtlassianProviderOptions, Auth0ProviderOptions, AuthHandler, AuthHandlerResult, AuthProviderFactory, AuthProviderFactoryOptions, AuthProviderRouteHandlers, AuthResolverContext, AuthResponse, AwsAlbProviderOptions, BackstageIdentity, BackstageIdentityResponse, BackstageSignInResult, BackstageUserIdentity, BitbucketOAuthResult, BitbucketPassportProfile, BitbucketProviderOptions, CatalogIdentityClient, GcpIapProviderOptions, GcpIapResult, GcpIapTokenInfo, GithubOAuthResult, GithubProviderOptions, GitlabProviderOptions, GoogleProviderOptions, IdentityClient, MicrosoftProviderOptions, OAuth2ProviderOptions, OAuth2ProxyResult, OAuthAdapter, OAuthEnvironmentHandler, OAuthHandlers, OAuthProviderInfo, OAuthProviderOptions, OAuthRefreshRequest, OAuthResponse, OAuthResult, OAuthStartRequest, OAuthState, Oauth2ProxyProviderOptions, OidcAuthResult, OidcProviderOptions, OktaProviderOptions, OneLoginProviderOptions, ProfileInfo, RouterOptions, SamlAuthResult, SamlProviderOptions, SignInInfo, SignInResolver, TokenIssuer, WebMessageResponse, bitbucketUserIdSignInResolver, bitbucketUsernameSignInResolver, createAtlassianProvider, createAuth0Provider, createAwsAlbProvider, createBitbucketProvider, createGcpIapProvider, createGithubProvider, createGitlabProvider, createGoogleProvider, createMicrosoftProvider, createOAuth2Provider, createOauth2ProxyProvider, createOidcProvider, createOktaProvider, createOneLoginProvider, createOriginFilter, createRouter, createSamlProvider, factories as defaultAuthProviderFactories, encodeState, ensuresXRequestedWith, getEntityClaims, googleEmailSignInResolver, microsoftEmailSignInResolver, oktaEmailSignInResolver, postMessageResponse, prepareBackstageIdentityResponse, readState, verifyNonce };
+export { AtlassianAuthProvider, AtlassianProviderOptions, Auth0ProviderOptions, AuthHandler, AuthHandlerResult, AuthProviderFactory, AuthProviderFactoryOptions, AuthProviderRouteHandlers, AuthResolverContext, AuthResponse, AwsAlbProviderOptions, BitbucketOAuthResult, BitbucketPassportProfile, BitbucketProviderOptions, CatalogIdentityClient, CookieConfigurer, GcpIapProviderOptions, GcpIapResult, GcpIapTokenInfo, GithubOAuthResult, GithubProviderOptions, GitlabProviderOptions, GoogleProviderOptions, MicrosoftProviderOptions, OAuth2ProviderOptions, OAuth2ProxyResult, OAuthAdapter, OAuthEnvironmentHandler, OAuthHandlers, OAuthProviderInfo, OAuthProviderOptions, OAuthRefreshRequest, OAuthResponse, OAuthResult, OAuthStartRequest, OAuthState, Oauth2ProxyProviderOptions, OidcAuthResult, OidcProviderOptions, OktaProviderOptions, OneLoginProviderOptions, ProfileInfo, RouterOptions, SamlAuthResult, SamlProviderOptions, SignInInfo, SignInResolver, TokenIssuer, WebMessageResponse, bitbucketUserIdSignInResolver, bitbucketUsernameSignInResolver, createAtlassianProvider, createAuth0Provider, createAwsAlbProvider, createBitbucketProvider, createGcpIapProvider, createGithubProvider, createGitlabProvider, createGoogleProvider, createMicrosoftProvider, createOAuth2Provider, createOauth2ProxyProvider, createOidcProvider, createOktaProvider, createOneLoginProvider, createOriginFilter, createRouter, createSamlProvider, factories as defaultAuthProviderFactories, encodeState, ensuresXRequestedWith, getEntityClaims, googleEmailSignInResolver, microsoftEmailSignInResolver, oktaEmailSignInResolver, postMessageResponse, prepareBackstageIdentityResponse, readState, verifyNonce };

package/migrations/20210326100300_timestamptz.js

@@ -28,7 +28,7 @@ exports.up = async function up(knex) {
         .notNullable()
         .defaultTo(knex.fn.now())
         .comment('The creation time of the key')
-        .alter();
+        .alter({ alterType: true });
     });
   }
 };
@@ -45,7 +45,7 @@ exports.down = async function down(knex) {
         .notNullable()
         .defaultTo(knex.fn.now())
         .comment('The creation time of the key')
-        .alter();
+        .alter({ alterType: true });
     });
   }
 };

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@backstage/plugin-auth-backend",
   "description": "A Backstage backend plugin that handles authentication",
-  "version": "0.9.0-next.0",
+  "version": "0.10.0",
   "main": "dist/index.cjs.js",
   "types": "dist/index.d.ts",
   "license": "Apache-2.0",
@@ -30,11 +30,12 @@
     "clean": "backstage-cli clean"
   },
   "dependencies": {
-    "@backstage/backend-common": "^0.10.5",
-    "@backstage/catalog-client": "^0.5.5",
+    "@backstage/backend-common": "^0.10.7",
+    "@backstage/catalog-client": "^0.6.0",
     "@backstage/catalog-model": "^0.9.10",
     "@backstage/config": "^0.1.13",
     "@backstage/errors": "^0.2.0",
+    "@backstage/plugin-auth-node": "^0.1.0",
     "@backstage/types": "^0.1.1",
     "@google-cloud/firestore": "^5.0.2",
     "@types/express": "^4.17.6",
@@ -50,7 +51,7 @@
     "helmet": "^4.0.0",
     "jose": "^1.27.1",
     "jwt-decode": "^3.1.0",
-    "knex": "^0.95.1",
+    "knex": "^1.0.2",
     "lodash": "^4.17.21",
     "luxon": "^2.0.2",
     "minimatch": "^3.0.3",
@@ -73,8 +74,8 @@
     "yn": "^4.0.0"
   },
   "devDependencies": {
-    "@backstage/cli": "^0.13.1-next.0",
-    "@backstage/test-utils": "^0.2.3",
+    "@backstage/cli": "^0.13.2",
+    "@backstage/test-utils": "^0.2.4",
     "@types/body-parser": "^1.19.0",
     "@types/cookie-parser": "^1.4.2",
     "@types/express-session": "^1.17.2",
@@ -94,5 +95,5 @@
     "config.d.ts"
   ],
   "configSchema": "config.d.ts",
-  "gitHead": "a28838ac5c80c7332caa6ca0569d2ec85151784f"
+  "gitHead": "4f4bc77a4152d372b10a4e8d97d92f00e23f3b56"
 }