@backstage/plugin-auth-node 0.0.0-nightly-20220211021943

package/CHANGELOG.md

@@ -0,0 +1,22 @@
+# @backstage/plugin-auth-node
+
+## 0.0.0-nightly-20220211021943
+
+### Patch Changes
+
+- 1ed305728b: Bump `node-fetch` to version 2.6.7 and `cross-fetch` to version 3.1.5
+- Updated dependencies
+  - @backstage/backend-common@0.0.0-nightly-20220211021943
+  - @backstage/errors@0.0.0-nightly-20220211021943
+
+## 0.1.0
+
+### Minor Changes
+
+- 9058bb1b5e: Added this package, to hold shared types and functionality that other backend
+  packages need to import.
+
+### Patch Changes
+
+- Updated dependencies
+  - @backstage/backend-common@0.10.7

package/README.md

@@ -0,0 +1,3 @@
+# Auth Node
+
+Common functionality and types for the Backstage `auth` plugin.

package/dist/index.cjs.js

@@ -0,0 +1,94 @@
+'use strict';
+
+Object.defineProperty(exports, '__esModule', { value: true });
+
+var errors = require('@backstage/errors');
+var jose = require('jose');
+var fetch = require('node-fetch');
+
+function _interopDefaultLegacy (e) { return e && typeof e === 'object' && 'default' in e ? e : { 'default': e }; }
+
+var fetch__default = /*#__PURE__*/_interopDefaultLegacy(fetch);
+
+function getBearerTokenFromAuthorizationHeader(authorizationHeader) {
+  if (typeof authorizationHeader !== "string") {
+    return void 0;
+  }
+  const matches = authorizationHeader.match(/^Bearer[ ]+(\S+)$/i);
+  return matches == null ? void 0 : matches[1];
+}
+
+const CLOCK_MARGIN_S = 10;
+class IdentityClient {
+  static create(options) {
+    return new IdentityClient(options);
+  }
+  constructor(options) {
+    this.discovery = options.discovery;
+    this.issuer = options.issuer;
+    this.keyStore = new jose.JWKS.KeyStore();
+    this.keyStoreUpdated = 0;
+  }
+  async authenticate(token) {
+    var _a;
+    if (!token) {
+      throw new errors.AuthenticationError("No token specified");
+    }
+    const key = await this.getKey(token);
+    if (!key) {
+      throw new errors.AuthenticationError("No signing key matching token found");
+    }
+    const decoded = jose.JWT.IdToken.verify(token, key, {
+      algorithms: ["ES256"],
+      audience: "backstage",
+      issuer: this.issuer
+    });
+    if (!decoded.sub) {
+      throw new errors.AuthenticationError("No user sub found in token");
+    }
+    const user = {
+      id: decoded.sub,
+      token,
+      identity: {
+        type: "user",
+        userEntityRef: decoded.sub,
+        ownershipEntityRefs: (_a = decoded.ent) != null ? _a : []
+      }
+    };
+    return user;
+  }
+  async getKey(rawJwtToken) {
+    const { header, payload } = jose.JWT.decode(rawJwtToken, {
+      complete: true
+    });
+    const keyStoreHasKey = !!this.keyStore.get({ kid: header.kid });
+    const issuedAfterLastRefresh = (payload == null ? void 0 : payload.iat) && payload.iat > this.keyStoreUpdated - CLOCK_MARGIN_S;
+    if (!keyStoreHasKey && issuedAfterLastRefresh) {
+      await this.refreshKeyStore();
+    }
+    return this.keyStore.get({ kid: header.kid });
+  }
+  async listPublicKeys() {
+    const url = `${await this.discovery.getBaseUrl("auth")}/.well-known/jwks.json`;
+    const response = await fetch__default["default"](url);
+    if (!response.ok) {
+      const payload = await response.text();
+      const message = `Request failed with ${response.status} ${response.statusText}, ${payload}`;
+      throw new Error(message);
+    }
+    const publicKeys = await response.json();
+    return publicKeys;
+  }
+  async refreshKeyStore() {
+    const now = Date.now() / 1e3;
+    const publicKeys = await this.listPublicKeys();
+    this.keyStore = jose.JWKS.asKeyStore({
+      keys: publicKeys.keys.map((key) => key)
+    });
+    this.keyStoreUpdated = now;
+  }
+}
+
+exports.IdentityClient = IdentityClient;
+exports.getBearerTokenFromAuthorizationHeader = getBearerTokenFromAuthorizationHeader;
+//# sourceMappingURL=index.cjs.js.map

package/dist/index.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.cjs.js","sources":["../src/getBearerTokenFromAuthorizationHeader.ts","../src/IdentityClient.ts"],"sourcesContent":["/*\n * Copyright 2022 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\n/**\n * Parses the given authorization header and returns the bearer token, or\n * undefined if no bearer token is given.\n *\n * @remarks\n *\n * This function is explicitly built to tolerate bad inputs safely, so you may\n * call it directly with e.g. the output of `req.header('authorization')`\n * without first checking that it exists.\n *\n * @public\n */\nexport function getBearerTokenFromAuthorizationHeader(\n  authorizationHeader: unknown,\n): string | undefined {\n  if (typeof authorizationHeader !== 'string') {\n    return undefined;\n  }\n  const matches = authorizationHeader.match(/^Bearer[ ]+(\\S+)$/i);\n  return matches?.[1];\n}\n","/*\n * Copyright 2020 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { PluginEndpointDiscovery } from '@backstage/backend-common';\nimport { AuthenticationError } from '@backstage/errors';\nimport { JSONWebKey, JWK, JWKS, JWT } from 'jose';\nimport fetch from 'node-fetch';\nimport { BackstageIdentityResponse } from './types';\n\nconst CLOCK_MARGIN_S = 10;\n\n/**\n * An identity client to interact with auth-backend and authenticate Backstage\n * tokens\n *\n * @experimental This is not a stable API yet\n * @public\n */\nexport class IdentityClient {\n  private readonly discovery: PluginEndpointDiscovery;\n  private readonly issuer: string;\n  private keyStore: JWKS.KeyStore;\n  private keyStoreUpdated: number;\n\n  /**\n   * Create a new {@link IdentityClient} instance.\n   */\n  static create(options: {\n    discovery: PluginEndpointDiscovery;\n    issuer: string;\n  }): IdentityClient {\n    return new IdentityClient(options);\n  }\n\n  private constructor(options: {\n    discovery: PluginEndpointDiscovery;\n    issuer: string;\n  }) {\n    this.discovery = options.discovery;\n    this.issuer = options.issuer;\n    this.keyStore = new JWKS.KeyStore();\n    this.keyStoreUpdated = 0;\n  }\n\n  /**\n   * Verifies the given backstage identity token\n   * Returns a BackstageIdentity (user) matching the token.\n   * The method throws an error if verification fails.\n   */\n  async authenticate(\n    token: string | undefined,\n  ): Promise<BackstageIdentityResponse> {\n    // Extract token from header\n    if (!token) {\n      throw new AuthenticationError('No token specified');\n    }\n    // Get signing key matching token\n    const key = await this.getKey(token);\n    if (!key) {\n      throw new AuthenticationError('No signing key matching token found');\n    }\n    // Verify token claims and signature\n    // Note: Claims must match those set by TokenFactory when issuing tokens\n    // Note: verify throws if verification fails\n    const decoded = JWT.IdToken.verify(token, key, {\n      algorithms: ['ES256'],\n      audience: 'backstage',\n      issuer: this.issuer,\n    }) as { sub: string; ent: string[] };\n    // Verified, return the matching user as BackstageIdentity\n    // TODO: Settle internal user format/properties\n    if (!decoded.sub) {\n      throw new AuthenticationError('No user sub found in token');\n    }\n\n    const user: BackstageIdentityResponse = {\n      id: decoded.sub,\n      token,\n      identity: {\n        type: 'user',\n        userEntityRef: decoded.sub,\n        ownershipEntityRefs: decoded.ent ?? [],\n      },\n    };\n    return user;\n  }\n\n  /**\n   * Returns the public signing key matching the given jwt token,\n   * or null if no matching key was found\n   */\n  private async getKey(rawJwtToken: string): Promise<JWK.Key | null> {\n    const { header, payload } = JWT.decode(rawJwtToken, {\n      complete: true,\n    }) as {\n      header: { kid: string };\n      payload: { iat: number };\n    };\n\n    // Refresh public keys if needed\n    // Add a small margin in case clocks are out of sync\n    const keyStoreHasKey = !!this.keyStore.get({ kid: header.kid });\n    const issuedAfterLastRefresh =\n      payload?.iat && payload.iat > this.keyStoreUpdated - CLOCK_MARGIN_S;\n    if (!keyStoreHasKey && issuedAfterLastRefresh) {\n      await this.refreshKeyStore();\n    }\n\n    return this.keyStore.get({ kid: header.kid });\n  }\n\n  /**\n   * Lists public part of keys used to sign Backstage Identity tokens\n   */\n  private async listPublicKeys(): Promise<{\n    keys: JSONWebKey[];\n  }> {\n    const url = `${await this.discovery.getBaseUrl(\n      'auth',\n    )}/.well-known/jwks.json`;\n    const response = await fetch(url);\n\n    if (!response.ok) {\n      const payload = await response.text();\n      const message = `Request failed with ${response.status} ${response.statusText}, ${payload}`;\n      throw new Error(message);\n    }\n\n    const publicKeys: { keys: JSONWebKey[] } = await response.json();\n\n    return publicKeys;\n  }\n\n  /**\n   * Fetches public keys and caches them locally\n   */\n  private async refreshKeyStore(): Promise<void> {\n    const now = Date.now() / 1000;\n    const publicKeys = await this.listPublicKeys();\n    this.keyStore = JWKS.asKeyStore({\n      keys: publicKeys.keys.map(key => key as JSONWebKey),\n    });\n    this.keyStoreUpdated = now;\n  }\n}\n"],"names":["JWKS","AuthenticationError","JWT","fetch"],"mappings":";;;;;;;;;;;;+CA6BE,qBACoB;AACpB,MAAI,OAAO,wBAAwB,UAAU;AAC3C,WAAO;AAAA;AAET,QAAM,UAAU,oBAAoB,MAAM;AAC1C,SAAO,mCAAU;AAAA;;ACbnB,MAAM,iBAAiB;qBASK;AAAA,SASnB,OAAO,SAGK;AACjB,WAAO,IAAI,eAAe;AAAA;AAAA,EAGpB,YAAY,SAGjB;AACD,SAAK,YAAY,QAAQ;AACzB,SAAK,SAAS,QAAQ;AACtB,SAAK,WAAW,IAAIA,UAAK;AACzB,SAAK,kBAAkB;AAAA;AAAA,QAQnB,aACJ,OACoC;AAhExC;AAkEI,QAAI,CAAC,OAAO;AACV,YAAM,IAAIC,2BAAoB;AAAA;AAGhC,UAAM,MAAM,MAAM,KAAK,OAAO;AAC9B,QAAI,CAAC,KAAK;AACR,YAAM,IAAIA,2BAAoB;AAAA;AAKhC,UAAM,UAAUC,SAAI,QAAQ,OAAO,OAAO,KAAK;AAAA,MAC7C,YAAY,CAAC;AAAA,MACb,UAAU;AAAA,MACV,QAAQ,KAAK;AAAA;AAIf,QAAI,CAAC,QAAQ,KAAK;AAChB,YAAM,IAAID,2BAAoB;AAAA;AAGhC,UAAM,OAAkC;AAAA,MACtC,IAAI,QAAQ;AAAA,MACZ;AAAA,MACA,UAAU;AAAA,QACR,MAAM;AAAA,QACN,eAAe,QAAQ;AAAA,QACvB,qBAAqB,cAAQ,QAAR,YAAe;AAAA;AAAA;AAGxC,WAAO;AAAA;AAAA,QAOK,OAAO,aAA8C;AACjE,UAAM,EAAE,QAAQ,YAAYC,SAAI,OAAO,aAAa;AAAA,MAClD,UAAU;AAAA;AAQZ,UAAM,iBAAiB,CAAC,CAAC,KAAK,SAAS,IAAI,EAAE,KAAK,OAAO;AACzD,UAAM,yBACJ,oCAAS,QAAO,QAAQ,MAAM,KAAK,kBAAkB;AACvD,QAAI,CAAC,kBAAkB,wBAAwB;AAC7C,YAAM,KAAK;AAAA;AAGb,WAAO,KAAK,SAAS,IAAI,EAAE,KAAK,OAAO;AAAA;AAAA,QAM3B,iBAEX;AACD,UAAM,MAAM,GAAG,MAAM,KAAK,UAAU,WAClC;AAEF,UAAM,WAAW,MAAMC,0BAAM;AAE7B,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,UAAU,MAAM,SAAS;AAC/B,YAAM,UAAU,uBAAuB,SAAS,UAAU,SAAS,eAAe;AAClF,YAAM,IAAI,MAAM;AAAA;AAGlB,UAAM,aAAqC,MAAM,SAAS;AAE1D,WAAO;AAAA;AAAA,QAMK,kBAAiC;AAC7C,UAAM,MAAM,KAAK,QAAQ;AACzB,UAAM,aAAa,MAAM,KAAK;AAC9B,SAAK,WAAWH,UAAK,WAAW;AAAA,MAC9B,MAAM,WAAW,KAAK,IAAI,SAAO;AAAA;AAEnC,SAAK,kBAAkB;AAAA;AAAA;;;;;"}

package/dist/index.d.ts

@@ -0,0 +1,124 @@
+import { PluginEndpointDiscovery } from '@backstage/backend-common';
+import { Entity } from '@backstage/catalog-model';
+
+/**
+ * Parses the given authorization header and returns the bearer token, or
+ * undefined if no bearer token is given.
+ *
+ * @remarks
+ *
+ * This function is explicitly built to tolerate bad inputs safely, so you may
+ * call it directly with e.g. the output of `req.header('authorization')`
+ * without first checking that it exists.
+ *
+ * @public
+ */
+declare function getBearerTokenFromAuthorizationHeader(authorizationHeader: unknown): string | undefined;
+
+/**
+ * A representation of a successful Backstage sign-in.
+ *
+ * Compared to the {@link BackstageIdentityResponse} this type omits
+ * the decoded identity information embedded in the token.
+ *
+ * @public
+ */
+interface BackstageSignInResult {
+    /**
+     * An opaque ID that uniquely identifies the user within Backstage.
+     *
+     * This is typically the same as the user entity `metadata.name`.
+     *
+     * @deprecated Use the `identity` field instead
+     */
+    id: string;
+    /**
+     * The entity that the user is represented by within Backstage.
+     *
+     * This entity may or may not exist within the Catalog, and it can be used
+     * to read and store additional metadata about the user.
+     *
+     * @deprecated Use the `identity` field instead.
+     */
+    entity?: Entity;
+    /**
+     * The token used to authenticate the user within Backstage.
+     */
+    token: string;
+}
+/**
+ * Response object containing the {@link BackstageUserIdentity} and the token
+ * from the authentication provider.
+ *
+ * @public
+ */
+interface BackstageIdentityResponse extends BackstageSignInResult {
+    /**
+     * A plaintext description of the identity that is encapsulated within the token.
+     */
+    identity: BackstageUserIdentity;
+}
+/**
+ * User identity information within Backstage.
+ *
+ * @public
+ */
+declare type BackstageUserIdentity = {
+    /**
+     * The type of identity that this structure represents. In the frontend app
+     * this will currently always be 'user'.
+     */
+    type: 'user';
+    /**
+     * The entityRef of the user in the catalog.
+     * For example User:default/sandra
+     */
+    userEntityRef: string;
+    /**
+     * The user and group entities that the user claims ownership through
+     */
+    ownershipEntityRefs: string[];
+};
+
+/**
+ * An identity client to interact with auth-backend and authenticate Backstage
+ * tokens
+ *
+ * @experimental This is not a stable API yet
+ * @public
+ */
+declare class IdentityClient {
+    private readonly discovery;
+    private readonly issuer;
+    private keyStore;
+    private keyStoreUpdated;
+    /**
+     * Create a new {@link IdentityClient} instance.
+     */
+    static create(options: {
+        discovery: PluginEndpointDiscovery;
+        issuer: string;
+    }): IdentityClient;
+    private constructor();
+    /**
+     * Verifies the given backstage identity token
+     * Returns a BackstageIdentity (user) matching the token.
+     * The method throws an error if verification fails.
+     */
+    authenticate(token: string | undefined): Promise<BackstageIdentityResponse>;
+    /**
+     * Returns the public signing key matching the given jwt token,
+     * or null if no matching key was found
+     */
+    private getKey;
+    /**
+     * Lists public part of keys used to sign Backstage Identity tokens
+     */
+    private listPublicKeys;
+    /**
+     * Fetches public keys and caches them locally
+     */
+    private refreshKeyStore;
+}
+
+export { BackstageIdentityResponse, BackstageSignInResult, BackstageUserIdentity, IdentityClient, getBearerTokenFromAuthorizationHeader };

package/package.json

@@ -0,0 +1,38 @@
+{
+  "name": "@backstage/plugin-auth-node",
+  "version": "0.0.0-nightly-20220211021943",
+  "main": "dist/index.cjs.js",
+  "types": "dist/index.d.ts",
+  "license": "Apache-2.0",
+  "private": false,
+  "publishConfig": {
+    "access": "public",
+    "main": "dist/index.cjs.js",
+    "types": "dist/index.d.ts"
+  },
+  "scripts": {
+    "build": "backstage-cli backend:build",
+    "lint": "backstage-cli lint",
+    "test": "backstage-cli test",
+    "prepack": "backstage-cli prepack",
+    "postpack": "backstage-cli postpack",
+    "clean": "backstage-cli clean"
+  },
+  "dependencies": {
+    "@backstage/backend-common": "^0.0.0-nightly-20220211021943",
+    "@backstage/catalog-model": "^0.9.10",
+    "@backstage/config": "^0.1.13",
+    "@backstage/errors": "^0.0.0-nightly-20220211021943",
+    "jose": "^1.27.1",
+    "node-fetch": "^2.6.7",
+    "winston": "^3.2.1"
+  },
+  "devDependencies": {
+    "@backstage/cli": "^0.0.0-nightly-20220211021943",
+    "msw": "^0.35.0",
+    "uuid": "^8.0.0"
+  },
+  "files": [
+    "dist"
+  ]
+}