@backstage/plugin-auth-backend 0.9.0 → 0.10.2

package/dist/index.d.ts

@@ -4,9 +4,9 @@ import { Logger } from 'winston';
 import { Config } from '@backstage/config';
 import { TokenManager, PluginEndpointDiscovery, PluginDatabaseManager } from '@backstage/backend-common';
 import { CatalogApi } from '@backstage/catalog-client';
-import { UserEntity, Entity } from '@backstage/catalog-model';
+import { BackstageSignInResult, BackstageIdentityResponse } from '@backstage/plugin-auth-node';
 import { Profile } from 'passport';
-import { JSONWebKey } from 'jose';
+import { UserEntity } from '@backstage/catalog-model';
 import { TokenSet, UserinfoResponse } from 'openid-client';
 import { JsonValue } from '@backstage/types';
 
@@ -178,49 +178,6 @@ declare class CatalogIdentityClient {
     resolveCatalogMembership(query: MemberClaimQuery): Promise<string[]>;
 }
 
-/**
- * A identity client to interact with auth-backend
- * and authenticate backstage identity tokens
- *
- * @experimental This is not a stable API yet
- */
-declare class IdentityClient {
-    private readonly discovery;
-    private readonly issuer;
-    private keyStore;
-    private keyStoreUpdated;
-    constructor(options: {
-        discovery: PluginEndpointDiscovery;
-        issuer: string;
-    });
-    /**
-     * Verifies the given backstage identity token
-     * Returns a BackstageIdentity (user) matching the token.
-     * The method throws an error if verification fails.
-     */
-    authenticate(token: string | undefined): Promise<BackstageIdentityResponse>;
-    /**
-     * Parses the given authorization header and returns
-     * the bearer token, or null if no bearer token is given
-     */
-    static getBearerToken(authorizationHeader: string | undefined): string | undefined;
-    /**
-     * Returns the public signing key matching the given jwt token,
-     * or null if no matching key was found
-     */
-    private getKey;
-    /**
-     * Lists public part of keys used to sign Backstage Identity tokens
-     */
-    listPublicKeys(): Promise<{
-        keys: JSONWebKey[];
-    }>;
-    /**
-     * Fetches public keys and caches them locally
-     */
-    private refreshKeyStore;
-}
-
 declare function getEntityClaims(entity: UserEntity): TokenParams['claims'];
 
 /**
@@ -233,6 +190,22 @@ declare type AuthResolverContext = {
     catalogIdentityClient: CatalogIdentityClient;
     logger: Logger;
 };
+/**
+ * The callback used to resolve the cookie configuration for auth providers that use cookies.
+ * @public
+ */
+declare type CookieConfigurer = (ctx: {
+    /** ID of the auth provider that this configuration applies to */
+    providerId: string;
+    /** The externally reachable base URL of the auth-backend plugin */
+    baseUrl: string;
+    /** The configured callback URL of the auth provider */
+    callbackUrl: string;
+}) => {
+    domain: string;
+    path: string;
+    secure: boolean;
+};
 declare type AuthProviderConfig = {
     /**
      * The protocol://domain[:port] where the app is hosted. This is used to construct the
@@ -247,6 +220,10 @@ declare type AuthProviderConfig = {
      * A function that is called to check whether an origin is allowed to receive the authentication result.
      */
     isOriginAllowed: (origin: string) => boolean;
+    /**
+     * The function used to resolve cookie configuration based on the auth provider options.
+     */
+    cookieConfigurer?: CookieConfigurer;
 };
 declare type RedirectInfo = {
     /**
@@ -325,77 +302,6 @@ declare type AuthResponse<ProviderInfo> = {
     profile: ProfileInfo;
     backstageIdentity?: BackstageIdentityResponse;
 };
-/**
- * User identity information within Backstage.
- *
- * @public
- */
-declare type BackstageUserIdentity = {
-    /**
-     * The type of identity that this structure represents. In the frontend app
-     * this will currently always be 'user'.
-     */
-    type: 'user';
-    /**
-     * The entityRef of the user in the catalog.
-     * For example User:default/sandra
-     */
-    userEntityRef: string;
-    /**
-     * The user and group entities that the user claims ownership through
-     */
-    ownershipEntityRefs: string[];
-};
-/**
- * A representation of a successful Backstage sign-in.
- *
- * Compared to the {@link BackstageIdentityResponse} this type omits
- * the decoded identity information embedded in the token.
- *
- * @public
- */
-interface BackstageSignInResult {
-    /**
-     * An opaque ID that uniquely identifies the user within Backstage.
-     *
-     * This is typically the same as the user entity `metadata.name`.
-     *
-     * @deprecated Use the `identity` field instead
-     */
-    id: string;
-    /**
-     * The entity that the user is represented by within Backstage.
-     *
-     * This entity may or may not exist within the Catalog, and it can be used
-     * to read and store additional metadata about the user.
-     *
-     * @deprecated Use the `identity` field instead.
-     */
-    entity?: Entity;
-    /**
-     * The token used to authenticate the user within Backstage.
-     */
-    token: string;
-}
-/**
- * The old exported symbol for {@link BackstageSignInResult}.
- *
- * @public
- * @deprecated Use the {@link BackstageSignInResult} instead.
- */
-declare type BackstageIdentity = BackstageSignInResult;
-/**
- * Response object containing the {@link BackstageUserIdentity} and the token
- * from the authentication provider.
- *
- * @public
- */
-interface BackstageIdentityResponse extends BackstageSignInResult {
-    /**
-     * A plaintext description of the identity that is encapsulated within the token.
-     */
-    identity: BackstageUserIdentity;
-}
 /**
  * Used to display login information to user, i.e. sidebar popup.
  *
@@ -439,7 +345,7 @@ declare type SignInInfo<TAuthResult> = {
 };
 /**
  * Describes the function which handles the result of a successful
- * authentication. Must return a valid {@link BackstageSignInResult}.
+ * authentication. Must return a valid {@link @backstage/plugin-auth-node#BackstageSignInResult}.
  *
  * @public
  */
@@ -493,7 +399,7 @@ declare type Options = {
     appOrigin: string;
     tokenIssuer: TokenIssuer;
     isOriginAllowed: (origin: string) => boolean;
-    callbackUrl?: string;
+    callbackUrl: string;
 };
 declare class OAuthAdapter implements AuthProviderRouteHandlers {
     private readonly handlers;
@@ -817,7 +723,7 @@ declare type OidcAuthResult = {
  * can be passed while creating a OIDC provider.
  *
  * authHandler : called after sign in was successful, a new object must be returned which includes a profile
- * signInResolver: called after sign in was successful, expects to return a new {@link BackstageSignInResult}
+ * signInResolver: called after sign in was successful, expects to return a new {@link @backstage/plugin-auth-node#BackstageSignInResult}
  *
  * Both options are optional. There is fallback for authHandler where the default handler expect an e-mail explicitly
  * otherwise it throws an error
@@ -963,7 +869,7 @@ declare const factories: {
 
 /**
  * Parses a Backstage-issued token and decorates the
- * {@link BackstageIdentityResponse} with identity information sourced from the
+ * {@link @backstage/plugin-auth-node#BackstageIdentityResponse} with identity information sourced from the
  * token.
  *
  * @public
@@ -999,4 +905,4 @@ declare type WebMessageResponse = {
 declare const postMessageResponse: (res: express.Response, appOrigin: string, response: WebMessageResponse) => void;
 declare const ensuresXRequestedWith: (req: express.Request) => boolean;
 
-export { AtlassianAuthProvider, AtlassianProviderOptions, Auth0ProviderOptions, AuthHandler, AuthHandlerResult, AuthProviderFactory, AuthProviderFactoryOptions, AuthProviderRouteHandlers, AuthResolverContext, AuthResponse, AwsAlbProviderOptions, BackstageIdentity, BackstageIdentityResponse, BackstageSignInResult, BackstageUserIdentity, BitbucketOAuthResult, BitbucketPassportProfile, BitbucketProviderOptions, CatalogIdentityClient, GcpIapProviderOptions, GcpIapResult, GcpIapTokenInfo, GithubOAuthResult, GithubProviderOptions, GitlabProviderOptions, GoogleProviderOptions, IdentityClient, MicrosoftProviderOptions, OAuth2ProviderOptions, OAuth2ProxyResult, OAuthAdapter, OAuthEnvironmentHandler, OAuthHandlers, OAuthProviderInfo, OAuthProviderOptions, OAuthRefreshRequest, OAuthResponse, OAuthResult, OAuthStartRequest, OAuthState, Oauth2ProxyProviderOptions, OidcAuthResult, OidcProviderOptions, OktaProviderOptions, OneLoginProviderOptions, ProfileInfo, RouterOptions, SamlAuthResult, SamlProviderOptions, SignInInfo, SignInResolver, TokenIssuer, WebMessageResponse, bitbucketUserIdSignInResolver, bitbucketUsernameSignInResolver, createAtlassianProvider, createAuth0Provider, createAwsAlbProvider, createBitbucketProvider, createGcpIapProvider, createGithubProvider, createGitlabProvider, createGoogleProvider, createMicrosoftProvider, createOAuth2Provider, createOauth2ProxyProvider, createOidcProvider, createOktaProvider, createOneLoginProvider, createOriginFilter, createRouter, createSamlProvider, factories as defaultAuthProviderFactories, encodeState, ensuresXRequestedWith, getEntityClaims, googleEmailSignInResolver, microsoftEmailSignInResolver, oktaEmailSignInResolver, postMessageResponse, prepareBackstageIdentityResponse, readState, verifyNonce };
+export { AtlassianAuthProvider, AtlassianProviderOptions, Auth0ProviderOptions, AuthHandler, AuthHandlerResult, AuthProviderFactory, AuthProviderFactoryOptions, AuthProviderRouteHandlers, AuthResolverContext, AuthResponse, AwsAlbProviderOptions, BitbucketOAuthResult, BitbucketPassportProfile, BitbucketProviderOptions, CatalogIdentityClient, CookieConfigurer, GcpIapProviderOptions, GcpIapResult, GcpIapTokenInfo, GithubOAuthResult, GithubProviderOptions, GitlabProviderOptions, GoogleProviderOptions, MicrosoftProviderOptions, OAuth2ProviderOptions, OAuth2ProxyResult, OAuthAdapter, OAuthEnvironmentHandler, OAuthHandlers, OAuthProviderInfo, OAuthProviderOptions, OAuthRefreshRequest, OAuthResponse, OAuthResult, OAuthStartRequest, OAuthState, Oauth2ProxyProviderOptions, OidcAuthResult, OidcProviderOptions, OktaProviderOptions, OneLoginProviderOptions, ProfileInfo, RouterOptions, SamlAuthResult, SamlProviderOptions, SignInInfo, SignInResolver, TokenIssuer, WebMessageResponse, bitbucketUserIdSignInResolver, bitbucketUsernameSignInResolver, createAtlassianProvider, createAuth0Provider, createAwsAlbProvider, createBitbucketProvider, createGcpIapProvider, createGithubProvider, createGitlabProvider, createGoogleProvider, createMicrosoftProvider, createOAuth2Provider, createOauth2ProxyProvider, createOidcProvider, createOktaProvider, createOneLoginProvider, createOriginFilter, createRouter, createSamlProvider, factories as defaultAuthProviderFactories, encodeState, ensuresXRequestedWith, getEntityClaims, googleEmailSignInResolver, microsoftEmailSignInResolver, oktaEmailSignInResolver, postMessageResponse, prepareBackstageIdentityResponse, readState, verifyNonce };

package/migrations/20210326100300_timestamptz.js

@@ -28,7 +28,7 @@ exports.up = async function up(knex) {
         .notNullable()
         .defaultTo(knex.fn.now())
         .comment('The creation time of the key')
-        .alter();
+        .alter({ alterType: true });
     });
   }
 };
@@ -45,7 +45,7 @@ exports.down = async function down(knex) {
         .notNullable()
         .defaultTo(knex.fn.now())
         .comment('The creation time of the key')
-        .alter();
+        .alter({ alterType: true });
     });
   }
 };

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@backstage/plugin-auth-backend",
   "description": "A Backstage backend plugin that handles authentication",
-  "version": "0.9.0",
+  "version": "0.10.2",
   "main": "dist/index.cjs.js",
   "types": "dist/index.d.ts",
   "license": "Apache-2.0",
@@ -11,6 +11,9 @@
     "main": "dist/index.cjs.js",
     "types": "dist/index.d.ts"
   },
+  "backstage": {
+    "role": "backend-plugin"
+  },
   "homepage": "https://backstage.io",
   "repository": {
     "type": "git",
@@ -21,21 +24,22 @@
     "backstage"
   ],
   "scripts": {
-    "start": "backstage-cli backend:dev",
-    "build": "backstage-cli backend:build",
-    "lint": "backstage-cli lint",
-    "test": "backstage-cli test",
-    "prepack": "backstage-cli prepack",
-    "postpack": "backstage-cli postpack",
-    "clean": "backstage-cli clean"
+    "start": "backstage-cli package start",
+    "build": "backstage-cli package build",
+    "lint": "backstage-cli package lint",
+    "test": "backstage-cli package test",
+    "prepack": "backstage-cli package prepack",
+    "postpack": "backstage-cli package postpack",
+    "clean": "backstage-cli package clean"
   },
   "dependencies": {
-    "@backstage/backend-common": "^0.10.6",
-    "@backstage/catalog-client": "^0.5.5",
-    "@backstage/catalog-model": "^0.9.10",
-    "@backstage/config": "^0.1.13",
-    "@backstage/errors": "^0.2.0",
-    "@backstage/types": "^0.1.1",
+    "@backstage/backend-common": "^0.10.9",
+    "@backstage/catalog-client": "^0.7.1",
+    "@backstage/catalog-model": "^0.10.1",
+    "@backstage/config": "^0.1.15",
+    "@backstage/errors": "^0.2.2",
+    "@backstage/plugin-auth-node": "^0.1.2",
+    "@backstage/types": "^0.1.3",
     "@google-cloud/firestore": "^5.0.2",
     "@types/express": "^4.17.6",
     "@types/passport": "^1.0.3",
@@ -47,16 +51,15 @@
     "express-session": "^1.17.1",
     "fs-extra": "9.1.0",
     "google-auth-library": "^7.6.1",
-    "helmet": "^4.0.0",
     "jose": "^1.27.1",
     "jwt-decode": "^3.1.0",
-    "knex": "^0.95.1",
+    "knex": "^1.0.2",
     "lodash": "^4.17.21",
     "luxon": "^2.0.2",
     "minimatch": "^3.0.3",
     "morgan": "^1.10.0",
     "node-cache": "^5.1.2",
-    "node-fetch": "^2.6.1",
+    "node-fetch": "^2.6.7",
     "openid-client": "^4.2.1",
     "passport": "^0.5.2",
     "passport-bitbucket-oauth2": "^0.1.2",
@@ -64,7 +67,7 @@
     "passport-gitlab2": "^5.0.0",
     "passport-google-oauth20": "^2.0.0",
     "passport-microsoft": "^0.1.0",
-    "passport-oauth2": "^1.5.0",
+    "passport-oauth2": "^1.6.1",
     "passport-okta-oauth": "^0.0.1",
     "passport-onelogin-oauth": "^0.0.1",
     "passport-saml": "^3.1.2",
@@ -73,8 +76,8 @@
     "yn": "^4.0.0"
   },
   "devDependencies": {
-    "@backstage/cli": "^0.13.1",
-    "@backstage/test-utils": "^0.2.4",
+    "@backstage/cli": "^0.14.0",
+    "@backstage/test-utils": "^0.2.5",
     "@types/body-parser": "^1.19.0",
     "@types/cookie-parser": "^1.4.2",
     "@types/express-session": "^1.17.2",
@@ -94,5 +97,5 @@
     "config.d.ts"
   ],
   "configSchema": "config.d.ts",
-  "gitHead": "f944a625c4a8ec7f6a6237502691da9209ce6b14"
+  "gitHead": "e244b348c473700e7d5e5fbcef38bd9f9fd1d0ba"
 }