@backstage/plugin-auth-node 0.1.6 → 0.2.0-next.0

package/CHANGELOG.md

@@ -1,5 +1,16 @@
 # @backstage/plugin-auth-node
 
+## 0.2.0-next.0
+
+### Minor Changes
+
+- 15d3a3c39a: **BREAKING**: Removed the deprecated `id` and `entity` fields from `BackstageSignInResult`.
+
+### Patch Changes
+
+- Updated dependencies
+  - @backstage/backend-common@0.13.2-next.0
+
 ## 0.1.6
 
 ### Patch Changes

package/dist/index.cjs.js

@@ -47,7 +47,6 @@ class IdentityClient {
       throw new errors.AuthenticationError("No user sub found in token");
     }
     const user = {
-      id: decoded.sub,
       token,
       identity: {
         type: "user",

package/dist/index.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.cjs.js","sources":["../src/getBearerTokenFromAuthorizationHeader.ts","../src/IdentityClient.ts"],"sourcesContent":["/*\n * Copyright 2022 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\n/**\n * Parses the given authorization header and returns the bearer token, or\n * undefined if no bearer token is given.\n *\n * @remarks\n *\n * This function is explicitly built to tolerate bad inputs safely, so you may\n * call it directly with e.g. the output of `req.header('authorization')`\n * without first checking that it exists.\n *\n * @public\n */\nexport function getBearerTokenFromAuthorizationHeader(\n  authorizationHeader: unknown,\n): string | undefined {\n  if (typeof authorizationHeader !== 'string') {\n    return undefined;\n  }\n  const matches = authorizationHeader.match(/^Bearer[ ]+(\\S+)$/i);\n  return matches?.[1];\n}\n","/*\n * Copyright 2020 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { PluginEndpointDiscovery } from '@backstage/backend-common';\nimport { AuthenticationError } from '@backstage/errors';\nimport { JSONWebKey, JWK, JWKS, JWT } from 'jose';\nimport fetch from 'node-fetch';\nimport { BackstageIdentityResponse } from './types';\n\nconst CLOCK_MARGIN_S = 10;\n\n/**\n * An identity client to interact with auth-backend and authenticate Backstage\n * tokens\n *\n * @experimental This is not a stable API yet\n * @public\n */\nexport class IdentityClient {\n  private readonly discovery: PluginEndpointDiscovery;\n  private readonly issuer: string;\n  private keyStore: JWKS.KeyStore;\n  private keyStoreUpdated: number;\n\n  /**\n   * Create a new {@link IdentityClient} instance.\n   */\n  static create(options: {\n    discovery: PluginEndpointDiscovery;\n    issuer: string;\n  }): IdentityClient {\n    return new IdentityClient(options);\n  }\n\n  private constructor(options: {\n    discovery: PluginEndpointDiscovery;\n    issuer: string;\n  }) {\n    this.discovery = options.discovery;\n    this.issuer = options.issuer;\n    this.keyStore = new JWKS.KeyStore();\n    this.keyStoreUpdated = 0;\n  }\n\n  /**\n   * Verifies the given backstage identity token\n   * Returns a BackstageIdentity (user) matching the token.\n   * The method throws an error if verification fails.\n   */\n  async authenticate(\n    token: string | undefined,\n  ): Promise<BackstageIdentityResponse> {\n    // Extract token from header\n    if (!token) {\n      throw new AuthenticationError('No token specified');\n    }\n    // Get signing key matching token\n    const key = await this.getKey(token);\n    if (!key) {\n      throw new AuthenticationError('No signing key matching token found');\n    }\n    // Verify token claims and signature\n    // Note: Claims must match those set by TokenFactory when issuing tokens\n    // Note: verify throws if verification fails\n    const decoded = JWT.IdToken.verify(token, key, {\n      algorithms: ['ES256'],\n      audience: 'backstage',\n      issuer: this.issuer,\n    }) as { sub: string; ent: string[] };\n    // Verified, return the matching user as BackstageIdentity\n    // TODO: Settle internal user format/properties\n    if (!decoded.sub) {\n      throw new AuthenticationError('No user sub found in token');\n    }\n\n    const user: BackstageIdentityResponse = {\n      id: decoded.sub,\n      token,\n      identity: {\n        type: 'user',\n        userEntityRef: decoded.sub,\n        ownershipEntityRefs: decoded.ent ?? [],\n      },\n    };\n    return user;\n  }\n\n  /**\n   * Returns the public signing key matching the given jwt token,\n   * or null if no matching key was found\n   */\n  private async getKey(rawJwtToken: string): Promise<JWK.Key | null> {\n    const { header, payload } = JWT.decode(rawJwtToken, {\n      complete: true,\n    }) as {\n      header: { kid: string };\n      payload: { iat: number };\n    };\n\n    // Refresh public keys if needed\n    // Add a small margin in case clocks are out of sync\n    const keyStoreHasKey = !!this.keyStore.get({ kid: header.kid });\n    const issuedAfterLastRefresh =\n      payload?.iat && payload.iat > this.keyStoreUpdated - CLOCK_MARGIN_S;\n    if (!keyStoreHasKey && issuedAfterLastRefresh) {\n      await this.refreshKeyStore();\n    }\n\n    return this.keyStore.get({ kid: header.kid });\n  }\n\n  /**\n   * Lists public part of keys used to sign Backstage Identity tokens\n   */\n  private async listPublicKeys(): Promise<{\n    keys: JSONWebKey[];\n  }> {\n    const url = `${await this.discovery.getBaseUrl(\n      'auth',\n    )}/.well-known/jwks.json`;\n    const response = await fetch(url);\n\n    if (!response.ok) {\n      const payload = await response.text();\n      const message = `Request failed with ${response.status} ${response.statusText}, ${payload}`;\n      throw new Error(message);\n    }\n\n    const publicKeys: { keys: JSONWebKey[] } = await response.json();\n\n    return publicKeys;\n  }\n\n  /**\n   * Fetches public keys and caches them locally\n   */\n  private async refreshKeyStore(): Promise<void> {\n    const now = Date.now() / 1000;\n    const publicKeys = await this.listPublicKeys();\n    this.keyStore = JWKS.asKeyStore({\n      keys: publicKeys.keys.map(key => key as JSONWebKey),\n    });\n    this.keyStoreUpdated = now;\n  }\n}\n"],"names":["JWKS","AuthenticationError","JWT","fetch"],"mappings":";;;;;;;;;;;;AA4BO,SAAA,qCAAA,CACL,mBACoB,EAAA;AACpB,EAAI,IAAA,OAAO,wBAAwB,QAAU,EAAA;AAC3C,IAAO,OAAA,KAAA,CAAA,CAAA;AAAA,GAAA;AAET,EAAM,MAAA,OAAA,GAAU,oBAAoB,KAAM,CAAA,oBAAA,CAAA,CAAA;AAC1C,EAAA,OAAO,OAAU,IAAA,IAAA,GAAA,KAAA,CAAA,GAAA,OAAA,CAAA,CAAA,CAAA,CAAA;AAAA;;ACbnB,MAAM,cAAiB,GAAA,EAAA,CAAA;AASK,MAAA,cAAA,CAAA;AAAA,EAAA,OASnB,OAAO,OAGK,EAAA;AACjB,IAAA,OAAO,IAAI,cAAe,CAAA,OAAA,CAAA,CAAA;AAAA,GAAA;AAAA,EAGpB,YAAY,OAGjB,EAAA;AACD,IAAA,IAAA,CAAK,YAAY,OAAQ,CAAA,SAAA,CAAA;AACzB,IAAA,IAAA,CAAK,SAAS,OAAQ,CAAA,MAAA,CAAA;AACtB,IAAK,IAAA,CAAA,QAAA,GAAW,IAAIA,SAAK,CAAA,QAAA,EAAA,CAAA;AACzB,IAAA,IAAA,CAAK,eAAkB,GAAA,CAAA,CAAA;AAAA,GAAA;AAAA,EAAA,MAQnB,aACJ,KACoC,EAAA;AAhExC,IAAA,IAAA,EAAA,CAAA;AAkEI,IAAA,IAAI,CAAC,KAAO,EAAA;AACV,MAAA,MAAM,IAAIC,0BAAoB,CAAA,oBAAA,CAAA,CAAA;AAAA,KAAA;AAGhC,IAAM,MAAA,GAAA,GAAM,MAAM,IAAA,CAAK,MAAO,CAAA,KAAA,CAAA,CAAA;AAC9B,IAAA,IAAI,CAAC,GAAK,EAAA;AACR,MAAA,MAAM,IAAIA,0BAAoB,CAAA,qCAAA,CAAA,CAAA;AAAA,KAAA;AAKhC,IAAA,MAAM,OAAU,GAAAC,QAAA,CAAI,OAAQ,CAAA,MAAA,CAAO,OAAO,GAAK,EAAA;AAAA,MAC7C,YAAY,CAAC,OAAA,CAAA;AAAA,MACb,QAAU,EAAA,WAAA;AAAA,MACV,QAAQ,IAAK,CAAA,MAAA;AAAA,KAAA,CAAA,CAAA;AAIf,IAAI,IAAA,CAAC,QAAQ,GAAK,EAAA;AAChB,MAAA,MAAM,IAAID,0BAAoB,CAAA,4BAAA,CAAA,CAAA;AAAA,KAAA;AAGhC,IAAA,MAAM,IAAkC,GAAA;AAAA,MACtC,IAAI,OAAQ,CAAA,GAAA;AAAA,MACZ,KAAA;AAAA,MACA,QAAU,EAAA;AAAA,QACR,IAAM,EAAA,MAAA;AAAA,QACN,eAAe,OAAQ,CAAA,GAAA;AAAA,QACvB,mBAAA,EAAqB,CAAQ,EAAA,GAAA,OAAA,CAAA,GAAA,KAAR,IAAe,GAAA,EAAA,GAAA,EAAA;AAAA,OAAA;AAAA,KAAA,CAAA;AAGxC,IAAO,OAAA,IAAA,CAAA;AAAA,GAAA;AAAA,EAAA,MAOK,OAAO,WAA8C,EAAA;AACjE,IAAA,MAAM,EAAE,MAAA,EAAQ,OAAY,EAAA,GAAAC,QAAA,CAAI,OAAO,WAAa,EAAA;AAAA,MAClD,QAAU,EAAA,IAAA;AAAA,KAAA,CAAA,CAAA;AAQZ,IAAM,MAAA,cAAA,GAAiB,CAAC,CAAC,IAAA,CAAK,SAAS,GAAI,CAAA,EAAE,KAAK,MAAO,CAAA,GAAA,EAAA,CAAA,CAAA;AACzD,IAAA,MAAM,yBACJ,CAAS,OAAA,IAAA,IAAA,GAAA,KAAA,CAAA,GAAA,OAAA,CAAA,GAAA,KAAO,OAAQ,CAAA,GAAA,GAAM,KAAK,eAAkB,GAAA,cAAA,CAAA;AACvD,IAAI,IAAA,CAAC,kBAAkB,sBAAwB,EAAA;AAC7C,MAAA,MAAM,IAAK,CAAA,eAAA,EAAA,CAAA;AAAA,KAAA;AAGb,IAAA,OAAO,IAAK,CAAA,QAAA,CAAS,GAAI,CAAA,EAAE,KAAK,MAAO,CAAA,GAAA,EAAA,CAAA,CAAA;AAAA,GAAA;AAAA,EAAA,MAM3B,cAEX,GAAA;AACD,IAAA,MAAM,GAAM,GAAA,CAAA,EAAG,MAAM,IAAA,CAAK,UAAU,UAClC,CAAA,MAAA,CAAA,CAAA,sBAAA,CAAA,CAAA;AAEF,IAAM,MAAA,QAAA,GAAW,MAAMC,yBAAM,CAAA,GAAA,CAAA,CAAA;AAE7B,IAAI,IAAA,CAAC,SAAS,EAAI,EAAA;AAChB,MAAM,MAAA,OAAA,GAAU,MAAM,QAAS,CAAA,IAAA,EAAA,CAAA;AAC/B,MAAA,MAAM,OAAU,GAAA,CAAA,oBAAA,EAAuB,QAAS,CAAA,MAAA,CAAA,CAAA,EAAU,SAAS,UAAe,CAAA,EAAA,EAAA,OAAA,CAAA,CAAA,CAAA;AAClF,MAAA,MAAM,IAAI,KAAM,CAAA,OAAA,CAAA,CAAA;AAAA,KAAA;AAGlB,IAAM,MAAA,UAAA,GAAqC,MAAM,QAAS,CAAA,IAAA,EAAA,CAAA;AAE1D,IAAO,OAAA,UAAA,CAAA;AAAA,GAAA;AAAA,EAAA,MAMK,eAAiC,GAAA;AAC7C,IAAM,MAAA,GAAA,GAAM,KAAK,GAAQ,EAAA,GAAA,GAAA,CAAA;AACzB,IAAM,MAAA,UAAA,GAAa,MAAM,IAAK,CAAA,cAAA,EAAA,CAAA;AAC9B,IAAK,IAAA,CAAA,QAAA,GAAWH,UAAK,UAAW,CAAA;AAAA,MAC9B,IAAM,EAAA,UAAA,CAAW,IAAK,CAAA,GAAA,CAAI,CAAO,GAAA,KAAA,GAAA,CAAA;AAAA,KAAA,CAAA,CAAA;AAEnC,IAAA,IAAA,CAAK,eAAkB,GAAA,GAAA,CAAA;AAAA,GAAA;AAAA;;;;;"}
+{"version":3,"file":"index.cjs.js","sources":["../src/getBearerTokenFromAuthorizationHeader.ts","../src/IdentityClient.ts"],"sourcesContent":["/*\n * Copyright 2022 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\n/**\n * Parses the given authorization header and returns the bearer token, or\n * undefined if no bearer token is given.\n *\n * @remarks\n *\n * This function is explicitly built to tolerate bad inputs safely, so you may\n * call it directly with e.g. the output of `req.header('authorization')`\n * without first checking that it exists.\n *\n * @public\n */\nexport function getBearerTokenFromAuthorizationHeader(\n  authorizationHeader: unknown,\n): string | undefined {\n  if (typeof authorizationHeader !== 'string') {\n    return undefined;\n  }\n  const matches = authorizationHeader.match(/^Bearer[ ]+(\\S+)$/i);\n  return matches?.[1];\n}\n","/*\n * Copyright 2020 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { PluginEndpointDiscovery } from '@backstage/backend-common';\nimport { AuthenticationError } from '@backstage/errors';\nimport { JSONWebKey, JWK, JWKS, JWT } from 'jose';\nimport fetch from 'node-fetch';\nimport { BackstageIdentityResponse } from './types';\n\nconst CLOCK_MARGIN_S = 10;\n\n/**\n * An identity client to interact with auth-backend and authenticate Backstage\n * tokens\n *\n * @experimental This is not a stable API yet\n * @public\n */\nexport class IdentityClient {\n  private readonly discovery: PluginEndpointDiscovery;\n  private readonly issuer: string;\n  private keyStore: JWKS.KeyStore;\n  private keyStoreUpdated: number;\n\n  /**\n   * Create a new {@link IdentityClient} instance.\n   */\n  static create(options: {\n    discovery: PluginEndpointDiscovery;\n    issuer: string;\n  }): IdentityClient {\n    return new IdentityClient(options);\n  }\n\n  private constructor(options: {\n    discovery: PluginEndpointDiscovery;\n    issuer: string;\n  }) {\n    this.discovery = options.discovery;\n    this.issuer = options.issuer;\n    this.keyStore = new JWKS.KeyStore();\n    this.keyStoreUpdated = 0;\n  }\n\n  /**\n   * Verifies the given backstage identity token\n   * Returns a BackstageIdentity (user) matching the token.\n   * The method throws an error if verification fails.\n   */\n  async authenticate(\n    token: string | undefined,\n  ): Promise<BackstageIdentityResponse> {\n    // Extract token from header\n    if (!token) {\n      throw new AuthenticationError('No token specified');\n    }\n    // Get signing key matching token\n    const key = await this.getKey(token);\n    if (!key) {\n      throw new AuthenticationError('No signing key matching token found');\n    }\n    // Verify token claims and signature\n    // Note: Claims must match those set by TokenFactory when issuing tokens\n    // Note: verify throws if verification fails\n    const decoded = JWT.IdToken.verify(token, key, {\n      algorithms: ['ES256'],\n      audience: 'backstage',\n      issuer: this.issuer,\n    }) as { sub: string; ent: string[] };\n    // Verified, return the matching user as BackstageIdentity\n    // TODO: Settle internal user format/properties\n    if (!decoded.sub) {\n      throw new AuthenticationError('No user sub found in token');\n    }\n\n    const user: BackstageIdentityResponse = {\n      token,\n      identity: {\n        type: 'user',\n        userEntityRef: decoded.sub,\n        ownershipEntityRefs: decoded.ent ?? [],\n      },\n    };\n    return user;\n  }\n\n  /**\n   * Returns the public signing key matching the given jwt token,\n   * or null if no matching key was found\n   */\n  private async getKey(rawJwtToken: string): Promise<JWK.Key | null> {\n    const { header, payload } = JWT.decode(rawJwtToken, {\n      complete: true,\n    }) as {\n      header: { kid: string };\n      payload: { iat: number };\n    };\n\n    // Refresh public keys if needed\n    // Add a small margin in case clocks are out of sync\n    const keyStoreHasKey = !!this.keyStore.get({ kid: header.kid });\n    const issuedAfterLastRefresh =\n      payload?.iat && payload.iat > this.keyStoreUpdated - CLOCK_MARGIN_S;\n    if (!keyStoreHasKey && issuedAfterLastRefresh) {\n      await this.refreshKeyStore();\n    }\n\n    return this.keyStore.get({ kid: header.kid });\n  }\n\n  /**\n   * Lists public part of keys used to sign Backstage Identity tokens\n   */\n  private async listPublicKeys(): Promise<{\n    keys: JSONWebKey[];\n  }> {\n    const url = `${await this.discovery.getBaseUrl(\n      'auth',\n    )}/.well-known/jwks.json`;\n    const response = await fetch(url);\n\n    if (!response.ok) {\n      const payload = await response.text();\n      const message = `Request failed with ${response.status} ${response.statusText}, ${payload}`;\n      throw new Error(message);\n    }\n\n    const publicKeys: { keys: JSONWebKey[] } = await response.json();\n\n    return publicKeys;\n  }\n\n  /**\n   * Fetches public keys and caches them locally\n   */\n  private async refreshKeyStore(): Promise<void> {\n    const now = Date.now() / 1000;\n    const publicKeys = await this.listPublicKeys();\n    this.keyStore = JWKS.asKeyStore({\n      keys: publicKeys.keys.map(key => key as JSONWebKey),\n    });\n    this.keyStoreUpdated = now;\n  }\n}\n"],"names":["JWKS","AuthenticationError","JWT","fetch"],"mappings":";;;;;;;;;;;;AA4BO,SAAA,qCAAA,CACL,mBACoB,EAAA;AACpB,EAAI,IAAA,OAAO,wBAAwB,QAAU,EAAA;AAC3C,IAAO,OAAA,KAAA,CAAA,CAAA;AAAA,GACT;AACA,EAAM,MAAA,OAAA,GAAU,mBAAoB,CAAA,KAAA,CAAM,oBAAoB,CAAA,CAAA;AAC9D,EAAA,OAAO,OAAU,IAAA,IAAA,GAAA,KAAA,CAAA,GAAA,OAAA,CAAA,CAAA,CAAA,CAAA;AACnB;;ACdA,MAAM,cAAiB,GAAA,EAAA,CAAA;AAShB,MAAM,cAAe,CAAA;AAAA,EAAA,OASnB,OAAO,OAGK,EAAA;AACjB,IAAO,OAAA,IAAI,eAAe,OAAO,CAAA,CAAA;AAAA,GACnC;AAAA,EAEQ,YAAY,OAGjB,EAAA;AACD,IAAA,IAAA,CAAK,YAAY,OAAQ,CAAA,SAAA,CAAA;AACzB,IAAA,IAAA,CAAK,SAAS,OAAQ,CAAA,MAAA,CAAA;AACtB,IAAK,IAAA,CAAA,QAAA,GAAW,IAAIA,SAAA,CAAK,QAAS,EAAA,CAAA;AAClC,IAAA,IAAA,CAAK,eAAkB,GAAA,CAAA,CAAA;AAAA,GACzB;AAAA,EAAA,MAOM,aACJ,KACoC,EAAA;AAhExC,IAAA,IAAA,EAAA,CAAA;AAkEI,IAAA,IAAI,CAAC,KAAO,EAAA;AACV,MAAM,MAAA,IAAIC,2BAAoB,oBAAoB,CAAA,CAAA;AAAA,KACpD;AAEA,IAAA,MAAM,GAAM,GAAA,MAAM,IAAK,CAAA,MAAA,CAAO,KAAK,CAAA,CAAA;AACnC,IAAA,IAAI,CAAC,GAAK,EAAA;AACR,MAAM,MAAA,IAAIA,2BAAoB,qCAAqC,CAAA,CAAA;AAAA,KACrE;AAIA,IAAA,MAAM,OAAU,GAAAC,QAAA,CAAI,OAAQ,CAAA,MAAA,CAAO,OAAO,GAAK,EAAA;AAAA,MAC7C,UAAA,EAAY,CAAC,OAAO,CAAA;AAAA,MACpB,QAAU,EAAA,WAAA;AAAA,MACV,QAAQ,IAAK,CAAA,MAAA;AAAA,KACd,CAAA,CAAA;AAGD,IAAI,IAAA,CAAC,QAAQ,GAAK,EAAA;AAChB,MAAM,MAAA,IAAID,2BAAoB,4BAA4B,CAAA,CAAA;AAAA,KAC5D;AAEA,IAAA,MAAM,IAAkC,GAAA;AAAA,MACtC,KAAA;AAAA,MACA,QAAU,EAAA;AAAA,QACR,IAAM,EAAA,MAAA;AAAA,QACN,eAAe,OAAQ,CAAA,GAAA;AAAA,QACvB,mBAAqB,EAAA,CAAA,EAAA,GAAA,OAAA,CAAQ,GAAR,KAAA,IAAA,GAAA,EAAA,GAAe,EAAC;AAAA,OACvC;AAAA,KACF,CAAA;AACA,IAAO,OAAA,IAAA,CAAA;AAAA,GACT;AAAA,EAAA,MAMc,OAAO,WAA8C,EAAA;AACjE,IAAA,MAAM,EAAE,MAAA,EAAQ,OAAY,EAAA,GAAAC,QAAA,CAAI,OAAO,WAAa,EAAA;AAAA,MAClD,QAAU,EAAA,IAAA;AAAA,KACX,CAAA,CAAA;AAOD,IAAM,MAAA,cAAA,GAAiB,CAAC,CAAC,IAAK,CAAA,QAAA,CAAS,IAAI,EAAE,GAAA,EAAK,MAAO,CAAA,GAAA,EAAK,CAAA,CAAA;AAC9D,IAAA,MAAM,yBACJ,CAAS,OAAA,IAAA,IAAA,GAAA,KAAA,CAAA,GAAA,OAAA,CAAA,GAAA,KAAO,OAAQ,CAAA,GAAA,GAAM,KAAK,eAAkB,GAAA,cAAA,CAAA;AACvD,IAAI,IAAA,CAAC,kBAAkB,sBAAwB,EAAA;AAC7C,MAAA,MAAM,KAAK,eAAgB,EAAA,CAAA;AAAA,KAC7B;AAEA,IAAA,OAAO,KAAK,QAAS,CAAA,GAAA,CAAI,EAAE,GAAK,EAAA,MAAA,CAAO,KAAK,CAAA,CAAA;AAAA,GAC9C;AAAA,EAAA,MAKc,cAEX,GAAA;AACD,IAAA,MAAM,MAAM,CAAG,EAAA,MAAM,IAAK,CAAA,SAAA,CAAU,WAClC,MACF,CAAA,CAAA,sBAAA,CAAA,CAAA;AACA,IAAM,MAAA,QAAA,GAAW,MAAMC,yBAAA,CAAM,GAAG,CAAA,CAAA;AAEhC,IAAI,IAAA,CAAC,SAAS,EAAI,EAAA;AAChB,MAAM,MAAA,OAAA,GAAU,MAAM,QAAA,CAAS,IAAK,EAAA,CAAA;AACpC,MAAA,MAAM,OAAU,GAAA,CAAA,oBAAA,EAAuB,QAAS,CAAA,MAAA,CAAA,CAAA,EAAU,SAAS,UAAe,CAAA,EAAA,EAAA,OAAA,CAAA,CAAA,CAAA;AAClF,MAAM,MAAA,IAAI,MAAM,OAAO,CAAA,CAAA;AAAA,KACzB;AAEA,IAAM,MAAA,UAAA,GAAqC,MAAM,QAAA,CAAS,IAAK,EAAA,CAAA;AAE/D,IAAO,OAAA,UAAA,CAAA;AAAA,GACT;AAAA,EAAA,MAKc,eAAiC,GAAA;AAC7C,IAAM,MAAA,GAAA,GAAM,IAAK,CAAA,GAAA,EAAQ,GAAA,GAAA,CAAA;AACzB,IAAM,MAAA,UAAA,GAAa,MAAM,IAAA,CAAK,cAAe,EAAA,CAAA;AAC7C,IAAK,IAAA,CAAA,QAAA,GAAWH,UAAK,UAAW,CAAA;AAAA,MAC9B,IAAM,EAAA,UAAA,CAAW,IAAK,CAAA,GAAA,CAAI,SAAO,GAAiB,CAAA;AAAA,KACnD,CAAA,CAAA;AACD,IAAA,IAAA,CAAK,eAAkB,GAAA,GAAA,CAAA;AAAA,GACzB;AACF;;;;;"}

package/dist/index.d.ts

@@ -1,5 +1,4 @@
 import { PluginEndpointDiscovery } from '@backstage/backend-common';
-import { Entity } from '@backstage/catalog-model';
 
 /**
  * Parses the given authorization header and returns the bearer token, or
@@ -24,23 +23,6 @@ declare function getBearerTokenFromAuthorizationHeader(authorizationHeader: unkn
  * @public
  */
 interface BackstageSignInResult {
-    /**
-     * An opaque ID that uniquely identifies the user within Backstage.
-     *
-     * This is typically the same as the user entity `metadata.name`.
-     *
-     * @deprecated Use the `identity` field instead
-     */
-    id: string;
-    /**
-     * The entity that the user is represented by within Backstage.
-     *
-     * This entity may or may not exist within the Catalog, and it can be used
-     * to read and store additional metadata about the user.
-     *
-     * @deprecated Use the `identity` field instead.
-     */
-    entity?: Entity;
     /**
      * The token used to authenticate the user within Backstage.
      */

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@backstage/plugin-auth-node",
-  "version": "0.1.6",
+  "version": "0.2.0-next.0",
   "main": "dist/index.cjs.js",
   "types": "dist/index.d.ts",
   "license": "Apache-2.0",
@@ -23,8 +23,7 @@
     "start": "backstage-cli package start"
   },
   "dependencies": {
-    "@backstage/backend-common": "^0.13.1",
-    "@backstage/catalog-model": "^1.0.0",
+    "@backstage/backend-common": "^0.13.2-next.0",
     "@backstage/config": "^1.0.0",
     "@backstage/errors": "^1.0.0",
     "jose": "^1.27.1",
@@ -32,12 +31,12 @@
     "winston": "^3.2.1"
   },
   "devDependencies": {
-    "@backstage/cli": "^0.16.0",
+    "@backstage/cli": "^0.16.1-next.0",
     "msw": "^0.35.0",
     "uuid": "^8.0.0"
   },
   "files": [
     "dist"
   ],
-  "gitHead": "e9496f746b31600dbfac7fa76987479e66426257"
+  "gitHead": "6bc4253672337538ce7ea5aadb3e9f60daeb3f80"
 }