@backstage/plugin-auth-backend 0.9.0-next.1 → 0.10.1

package/CHANGELOG.md

@@ -1,5 +1,144 @@
 # @backstage/plugin-auth-backend
 
+## 0.10.1
+
+### Patch Changes
+
+- 1ed305728b: Bump `node-fetch` to version 2.6.7 and `cross-fetch` to version 3.1.5
+- c77c5c7eb6: Added `backstage.role` to `package.json`
+- a31559d1f5: Bump `passport-oauth2` to version 1.6.1
+- deaf6065db: Adapt to the new `CatalogApi.getLocationByRef`
+- 1433045c08: Removed unused `helmet` dependency.
+- 7aeb491394: Replace use of deprecated `ENTITY_DEFAULT_NAMESPACE` constant with `DEFAULT_NAMESPACE`.
+- Updated dependencies
+  - @backstage/backend-common@0.10.8
+  - @backstage/catalog-client@0.7.0
+  - @backstage/errors@0.2.1
+  - @backstage/plugin-auth-node@0.1.1
+  - @backstage/catalog-model@0.10.0
+  - @backstage/config@0.1.14
+  - @backstage/types@0.1.2
+
+## 0.10.0
+
+### Minor Changes
+
+- 08fcda13ef: The `callbackUrl` option of `OAuthAdapter` is now required.
+- 6bc86fcf2d: The following breaking changes were made, which may imply specifically needing
+  to make small adjustments in your custom auth providers.
+
+  - **BREAKING**: Moved `IdentityClient`, `BackstageSignInResult`,
+    `BackstageIdentityResponse`, and `BackstageUserIdentity` to
+    `@backstage/plugin-auth-node`.
+  - **BREAKING**: Removed deprecated type `BackstageIdentity`, please use
+    `BackstageSignInResult` from `@backstage/plugin-auth-node` instead.
+
+  While moving over, `IdentityClient` was also changed in the following ways:
+
+  - **BREAKING**: Made `IdentityClient.listPublicKeys` private. It was only used
+    in tests, and should not be part of the API surface of that class.
+  - **BREAKING**: Removed the static `IdentityClient.getBearerToken`. It is now
+    replaced by `getBearerTokenFromAuthorizationHeader` from
+    `@backstage/plugin-auth-node`.
+  - **BREAKING**: Removed the constructor. Please use the `IdentityClient.create`
+    static method instead.
+
+  Since the `IdentityClient` interface is marked as experimental, this is a
+  breaking change without a deprecation period.
+
+  In your auth providers, you may need to update your imports and usages as
+  follows (example code; yours may be slightly different):
+
+  ````diff
+  -import { IdentityClient } from '@backstage/plugin-auth-backend';
+  +import {
+  +  IdentityClient,
+  +  getBearerTokenFromAuthorizationHeader
+  +} from '@backstage/plugin-auth-node';
+
+     // ...
+
+  -  const identity = new IdentityClient({
+  +  const identity = IdentityClient.create({
+       discovery,
+       issuer: await discovery.getExternalBaseUrl('auth'),
+     });```
+
+     // ...
+
+     const token =
+  -     IdentityClient.getBearerToken(req.headers.authorization) ||
+  +     getBearerTokenFromAuthorizationHeader(req.headers.authorization) ||
+        req.cookies['token'];
+  ````
+
+### Patch Changes
+
+- 2441d1cf59: chore(deps): bump `knex` from 0.95.6 to 1.0.2
+
+  This also replaces `sqlite3` with `@vscode/sqlite3` 5.0.7
+
+- 3396bc5973: Enabled refresh for the Atlassian provider.
+- 08fcda13ef: Added a new `cookieConfigurer` option to `AuthProviderConfig` that makes it possible to override the default logic for configuring OAuth provider cookies.
+- Updated dependencies
+  - @backstage/catalog-client@0.6.0
+  - @backstage/backend-common@0.10.7
+  - @backstage/plugin-auth-node@0.1.0
+
+## 0.10.0-next.0
+
+### Minor Changes
+
+- 08fcda13ef: The `callbackUrl` option of `OAuthAdapter` is now required.
+
+### Patch Changes
+
+- 2441d1cf59: chore(deps): bump `knex` from 0.95.6 to 1.0.2
+
+  This also replaces `sqlite3` with `@vscode/sqlite3` 5.0.7
+
+- 3396bc5973: Enabled refresh for the Atlassian provider.
+- 08fcda13ef: Added a new `cookieConfigurer` option to `AuthProviderConfig` that makes it possible to override the default logic for configuring OAuth provider cookies.
+- Updated dependencies
+  - @backstage/backend-common@0.10.7-next.0
+
+## 0.9.0
+
+### Minor Changes
+
+- cef64b1561: **BREAKING** Added `tokenManager` as a required property for the auth-backend `createRouter` function. This dependency is used to issue server tokens that are used by the `CatalogIdentityClient` when looking up users and their group membership during authentication.
+
+  These changes are **required** to `packages/backend/src/plugins/auth.ts`:
+
+  ```diff
+  export default async function createPlugin({
+    logger,
+    database,
+    config,
+    discovery,
+  + tokenManager,
+  }: PluginEnvironment): Promise<Router> {
+    return await createRouter({
+      logger,
+      config,
+      database,
+      discovery,
+  +   tokenManager,
+    });
+  }
+  ```
+
+  **BREAKING** The `CatalogIdentityClient` constructor now expects a `TokenManager` instead of a `TokenIssuer`. The `TokenManager` interface is used to generate a server token when [resolving a user's identity and membership through the catalog](https://backstage.io/docs/auth/identity-resolver). Using server tokens for these requests allows the auth-backend to bypass authorization checks when permissions are enabled for Backstage. This change will break apps that rely on the user tokens that were previously used by the client. Refer to the ["Backend-to-backend Authentication" tutorial](https://backstage.io/docs/tutorials/backend-to-backend-auth) for more information on server token usage.
+
+### Patch Changes
+
+- 9d75a939b6: Fixed a bug where providers that tracked the granted scopes through a cookie would not take failed authentication attempts into account.
+- 28a5f9d0b1: chore(deps): bump `passport` from 0.4.1 to 0.5.2
+- 5d09bdd1de: Added custom `callbackUrl` support for multiple providers. `v0.8.0` introduced this change for `github`, and now we're adding the same capability to the following providers: `atlassian, auth0, bitbucket, gitlab, google, microsoft, oauth2, oidc, okta, onelogin`.
+- 648606b3ac: Added support for storing static GitHub access tokens in cookies and using them to refresh the Backstage session.
+- Updated dependencies
+  - @backstage/backend-common@0.10.6
+
 ## 0.9.0-next.1
 
 ### Patch Changes