@backstage/plugin-auth-node 0.2.2-next.2 → 0.2.2

package/CHANGELOG.md

@@ -1,5 +1,15 @@
 # @backstage/plugin-auth-node
 
+## 0.2.2
+
+### Patch Changes
+
+- 5ca0b86b88: Address corner cases where the key store was not being created at startup
+- 8f7b1835df: Updated dependency `msw` to `^0.41.0`.
+- 9079a78078: Added configurable algorithms array for IdentityClient
+- Updated dependencies
+  - @backstage/backend-common@0.14.0
+
 ## 0.2.2-next.2
 
 ### Patch Changes

package/dist/index.cjs.js

@@ -67,7 +67,7 @@ class IdentityClient {
       keyStoreHasKey = false;
     }
     const issuedAfterLastRefresh = (payload == null ? void 0 : payload.iat) && payload.iat > this.keyStoreUpdated - CLOCK_MARGIN_S;
-    if (!keyStoreHasKey && issuedAfterLastRefresh) {
+    if (!this.keyStore || !keyStoreHasKey && issuedAfterLastRefresh) {
       const url = await this.discovery.getBaseUrl("auth");
       const endpoint = new URL(`${url}/.well-known/jwks.json`);
       this.keyStore = jose.createRemoteJWKSet(endpoint);

package/dist/index.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.cjs.js","sources":["../src/getBearerTokenFromAuthorizationHeader.ts","../src/IdentityClient.ts"],"sourcesContent":["/*\n * Copyright 2022 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\n/**\n * Parses the given authorization header and returns the bearer token, or\n * undefined if no bearer token is given.\n *\n * @remarks\n *\n * This function is explicitly built to tolerate bad inputs safely, so you may\n * call it directly with e.g. the output of `req.header('authorization')`\n * without first checking that it exists.\n *\n * @public\n */\nexport function getBearerTokenFromAuthorizationHeader(\n  authorizationHeader: unknown,\n): string | undefined {\n  if (typeof authorizationHeader !== 'string') {\n    return undefined;\n  }\n  const matches = authorizationHeader.match(/^Bearer[ ]+(\\S+)$/i);\n  return matches?.[1];\n}\n","/*\n * Copyright 2020 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport { PluginEndpointDiscovery } from '@backstage/backend-common';\nimport { AuthenticationError } from '@backstage/errors';\nimport {\n  createRemoteJWKSet,\n  decodeJwt,\n  decodeProtectedHeader,\n  FlattenedJWSInput,\n  JWSHeaderParameters,\n  jwtVerify,\n} from 'jose';\nimport { GetKeyFunction } from 'jose/dist/types/types';\n\nimport { BackstageIdentityResponse } from './types';\n\nconst CLOCK_MARGIN_S = 10;\n\n/**\n * An identity client options object which allows extra configurations\n *\n * @experimental This is not a stable API yet\n * @public\n */\nexport type IdentityClientOptions = {\n  discovery: PluginEndpointDiscovery;\n  issuer: string;\n\n  /** JWS \"alg\" (Algorithm) Header Parameter values. Defaults to an array containing just ES256.\n   * More info on supported algorithms: https://github.com/panva/jose */\n  algorithms?: string[];\n};\n\n/**\n * An identity client to interact with auth-backend and authenticate Backstage\n * tokens\n *\n * @experimental This is not a stable API yet\n * @public\n */\nexport class IdentityClient {\n  private readonly discovery: PluginEndpointDiscovery;\n  private readonly issuer: string;\n  private readonly algorithms: string[];\n  private keyStore?: GetKeyFunction<JWSHeaderParameters, FlattenedJWSInput>;\n  private keyStoreUpdated: number = 0;\n\n  /**\n   * Create a new {@link IdentityClient} instance.\n   */\n  static create(options: IdentityClientOptions): IdentityClient {\n    return new IdentityClient(options);\n  }\n\n  private constructor(options: IdentityClientOptions) {\n    this.discovery = options.discovery;\n    this.issuer = options.issuer;\n    this.algorithms = options.algorithms ?? ['ES256'];\n  }\n\n  /**\n   * Verifies the given backstage identity token\n   * Returns a BackstageIdentity (user) matching the token.\n   * The method throws an error if verification fails.\n   */\n  async authenticate(\n    token: string | undefined,\n  ): Promise<BackstageIdentityResponse> {\n    // Extract token from header\n    if (!token) {\n      throw new AuthenticationError('No token specified');\n    }\n\n    // Verify token claims and signature\n    // Note: Claims must match those set by TokenFactory when issuing tokens\n    // Note: verify throws if verification fails\n    // Check if the keystore needs to be updated\n    await this.refreshKeyStore(token);\n    if (!this.keyStore) {\n      throw new AuthenticationError('No keystore exists');\n    }\n    const decoded = await jwtVerify(token, this.keyStore, {\n      algorithms: this.algorithms,\n      audience: 'backstage',\n      issuer: this.issuer,\n    });\n    // Verified, return the matching user as BackstageIdentity\n    // TODO: Settle internal user format/properties\n    if (!decoded.payload.sub) {\n      throw new AuthenticationError('No user sub found in token');\n    }\n\n    const user: BackstageIdentityResponse = {\n      token,\n      identity: {\n        type: 'user',\n        userEntityRef: decoded.payload.sub,\n        ownershipEntityRefs: decoded.payload.ent\n          ? (decoded.payload.ent as string[])\n          : [],\n      },\n    };\n    return user;\n  }\n\n  /**\n   * If the last keystore refresh is stale, update the keystore URL to the latest\n   */\n  private async refreshKeyStore(rawJwtToken: string): Promise<void> {\n    const payload = await decodeJwt(rawJwtToken);\n    const header = await decodeProtectedHeader(rawJwtToken);\n\n    // Refresh public keys if needed\n    let keyStoreHasKey;\n    try {\n      if (this.keyStore) {\n        // Check if the key is present in the keystore\n        const [_, rawPayload, rawSignature] = rawJwtToken.split('.');\n        keyStoreHasKey = await this.keyStore(header, {\n          payload: rawPayload,\n          signature: rawSignature,\n        });\n      }\n    } catch (error) {\n      keyStoreHasKey = false;\n    }\n    // Refresh public key URL if needed\n    // Add a small margin in case clocks are out of sync\n    const issuedAfterLastRefresh =\n      payload?.iat && payload.iat > this.keyStoreUpdated - CLOCK_MARGIN_S;\n    if (!keyStoreHasKey && issuedAfterLastRefresh) {\n      const url = await this.discovery.getBaseUrl('auth');\n      const endpoint = new URL(`${url}/.well-known/jwks.json`);\n      this.keyStore = createRemoteJWKSet(endpoint);\n      this.keyStoreUpdated = Date.now() / 1000;\n    }\n  }\n}\n"],"names":["AuthenticationError","jwtVerify","decodeJwt","decodeProtectedHeader","createRemoteJWKSet"],"mappings":";;;;;;;AAAO,SAAS,qCAAqC,CAAC,mBAAmB,EAAE;AAC3E,EAAE,IAAI,OAAO,mBAAmB,KAAK,QAAQ,EAAE;AAC/C,IAAI,OAAO,KAAK,CAAC,CAAC;AAClB,GAAG;AACH,EAAE,MAAM,OAAO,GAAG,mBAAmB,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC;AAClE,EAAE,OAAO,OAAO,IAAI,IAAI,GAAG,KAAK,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;AAC/C;;ACCA,MAAM,cAAc,GAAG,EAAE,CAAC;AACnB,MAAM,cAAc,CAAC;AAC5B,EAAE,WAAW,CAAC,OAAO,EAAE;AACvB,IAAI,IAAI,CAAC,eAAe,GAAG,CAAC,CAAC;AAC7B,IAAI,IAAI,EAAE,CAAC;AACX,IAAI,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;AACvC,IAAI,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;AACjC,IAAI,IAAI,CAAC,UAAU,GAAG,CAAC,EAAE,GAAG,OAAO,CAAC,UAAU,KAAK,IAAI,GAAG,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;AACzE,GAAG;AACH,EAAE,OAAO,MAAM,CAAC,OAAO,EAAE;AACzB,IAAI,OAAO,IAAI,cAAc,CAAC,OAAO,CAAC,CAAC;AACvC,GAAG;AACH,EAAE,MAAM,YAAY,CAAC,KAAK,EAAE;AAC5B,IAAI,IAAI,CAAC,KAAK,EAAE;AAChB,MAAM,MAAM,IAAIA,0BAAmB,CAAC,oBAAoB,CAAC,CAAC;AAC1D,KAAK;AACL,IAAI,MAAM,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;AACtC,IAAI,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE;AACxB,MAAM,MAAM,IAAIA,0BAAmB,CAAC,oBAAoB,CAAC,CAAC;AAC1D,KAAK;AACL,IAAI,MAAM,OAAO,GAAG,MAAMC,cAAS,CAAC,KAAK,EAAE,IAAI,CAAC,QAAQ,EAAE;AAC1D,MAAM,UAAU,EAAE,IAAI,CAAC,UAAU;AACjC,MAAM,QAAQ,EAAE,WAAW;AAC3B,MAAM,MAAM,EAAE,IAAI,CAAC,MAAM;AACzB,KAAK,CAAC,CAAC;AACP,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE;AAC9B,MAAM,MAAM,IAAID,0BAAmB,CAAC,4BAA4B,CAAC,CAAC;AAClE,KAAK;AACL,IAAI,MAAM,IAAI,GAAG;AACjB,MAAM,KAAK;AACX,MAAM,QAAQ,EAAE;AAChB,QAAQ,IAAI,EAAE,MAAM;AACpB,QAAQ,aAAa,EAAE,OAAO,CAAC,OAAO,CAAC,GAAG;AAC1C,QAAQ,mBAAmB,EAAE,OAAO,CAAC,OAAO,CAAC,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,GAAG,EAAE;AAC3E,OAAO;AACP,KAAK,CAAC;AACN,IAAI,OAAO,IAAI,CAAC;AAChB,GAAG;AACH,EAAE,MAAM,eAAe,CAAC,WAAW,EAAE;AACrC,IAAI,MAAM,OAAO,GAAG,MAAME,cAAS,CAAC,WAAW,CAAC,CAAC;AACjD,IAAI,MAAM,MAAM,GAAG,MAAMC,0BAAqB,CAAC,WAAW,CAAC,CAAC;AAC5D,IAAI,IAAI,cAAc,CAAC;AACvB,IAAI,IAAI;AACR,MAAM,IAAI,IAAI,CAAC,QAAQ,EAAE;AACzB,QAAQ,MAAM,CAAC,CAAC,EAAE,UAAU,EAAE,YAAY,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;AACrE,QAAQ,cAAc,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE;AACrD,UAAU,OAAO,EAAE,UAAU;AAC7B,UAAU,SAAS,EAAE,YAAY;AACjC,SAAS,CAAC,CAAC;AACX,OAAO;AACP,KAAK,CAAC,OAAO,KAAK,EAAE;AACpB,MAAM,cAAc,GAAG,KAAK,CAAC;AAC7B,KAAK;AACL,IAAI,MAAM,sBAAsB,GAAG,CAAC,OAAO,IAAI,IAAI,GAAG,KAAK,CAAC,GAAG,OAAO,CAAC,GAAG,KAAK,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,eAAe,GAAG,cAAc,CAAC;AACnI,IAAI,IAAI,CAAC,cAAc,IAAI,sBAAsB,EAAE;AACnD,MAAM,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;AAC1D,MAAM,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,CAAC,EAAE,GAAG,CAAC,sBAAsB,CAAC,CAAC,CAAC;AAC/D,MAAM,IAAI,CAAC,QAAQ,GAAGC,uBAAkB,CAAC,QAAQ,CAAC,CAAC;AACnD,MAAM,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,CAAC;AAC9C,KAAK;AACL,GAAG;AACH;;;;;"}
+{"version":3,"file":"index.cjs.js","sources":["../src/getBearerTokenFromAuthorizationHeader.ts","../src/IdentityClient.ts"],"sourcesContent":["/*\n * Copyright 2022 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\n/**\n * Parses the given authorization header and returns the bearer token, or\n * undefined if no bearer token is given.\n *\n * @remarks\n *\n * This function is explicitly built to tolerate bad inputs safely, so you may\n * call it directly with e.g. the output of `req.header('authorization')`\n * without first checking that it exists.\n *\n * @public\n */\nexport function getBearerTokenFromAuthorizationHeader(\n  authorizationHeader: unknown,\n): string | undefined {\n  if (typeof authorizationHeader !== 'string') {\n    return undefined;\n  }\n  const matches = authorizationHeader.match(/^Bearer[ ]+(\\S+)$/i);\n  return matches?.[1];\n}\n","/*\n * Copyright 2020 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport { PluginEndpointDiscovery } from '@backstage/backend-common';\nimport { AuthenticationError } from '@backstage/errors';\nimport {\n  createRemoteJWKSet,\n  decodeJwt,\n  decodeProtectedHeader,\n  FlattenedJWSInput,\n  JWSHeaderParameters,\n  jwtVerify,\n} from 'jose';\nimport { GetKeyFunction } from 'jose/dist/types/types';\n\nimport { BackstageIdentityResponse } from './types';\n\nconst CLOCK_MARGIN_S = 10;\n\n/**\n * An identity client options object which allows extra configurations\n *\n * @experimental This is not a stable API yet\n * @public\n */\nexport type IdentityClientOptions = {\n  discovery: PluginEndpointDiscovery;\n  issuer: string;\n\n  /** JWS \"alg\" (Algorithm) Header Parameter values. Defaults to an array containing just ES256.\n   * More info on supported algorithms: https://github.com/panva/jose */\n  algorithms?: string[];\n};\n\n/**\n * An identity client to interact with auth-backend and authenticate Backstage\n * tokens\n *\n * @experimental This is not a stable API yet\n * @public\n */\nexport class IdentityClient {\n  private readonly discovery: PluginEndpointDiscovery;\n  private readonly issuer: string;\n  private readonly algorithms: string[];\n  private keyStore?: GetKeyFunction<JWSHeaderParameters, FlattenedJWSInput>;\n  private keyStoreUpdated: number = 0;\n\n  /**\n   * Create a new {@link IdentityClient} instance.\n   */\n  static create(options: IdentityClientOptions): IdentityClient {\n    return new IdentityClient(options);\n  }\n\n  private constructor(options: IdentityClientOptions) {\n    this.discovery = options.discovery;\n    this.issuer = options.issuer;\n    this.algorithms = options.algorithms ?? ['ES256'];\n  }\n\n  /**\n   * Verifies the given backstage identity token\n   * Returns a BackstageIdentity (user) matching the token.\n   * The method throws an error if verification fails.\n   */\n  async authenticate(\n    token: string | undefined,\n  ): Promise<BackstageIdentityResponse> {\n    // Extract token from header\n    if (!token) {\n      throw new AuthenticationError('No token specified');\n    }\n\n    // Verify token claims and signature\n    // Note: Claims must match those set by TokenFactory when issuing tokens\n    // Note: verify throws if verification fails\n    // Check if the keystore needs to be updated\n    await this.refreshKeyStore(token);\n    if (!this.keyStore) {\n      throw new AuthenticationError('No keystore exists');\n    }\n    const decoded = await jwtVerify(token, this.keyStore, {\n      algorithms: this.algorithms,\n      audience: 'backstage',\n      issuer: this.issuer,\n    });\n    // Verified, return the matching user as BackstageIdentity\n    // TODO: Settle internal user format/properties\n    if (!decoded.payload.sub) {\n      throw new AuthenticationError('No user sub found in token');\n    }\n\n    const user: BackstageIdentityResponse = {\n      token,\n      identity: {\n        type: 'user',\n        userEntityRef: decoded.payload.sub,\n        ownershipEntityRefs: decoded.payload.ent\n          ? (decoded.payload.ent as string[])\n          : [],\n      },\n    };\n    return user;\n  }\n\n  /**\n   * If the last keystore refresh is stale, update the keystore URL to the latest\n   */\n  private async refreshKeyStore(rawJwtToken: string): Promise<void> {\n    const payload = await decodeJwt(rawJwtToken);\n    const header = await decodeProtectedHeader(rawJwtToken);\n\n    // Refresh public keys if needed\n    let keyStoreHasKey;\n    try {\n      if (this.keyStore) {\n        // Check if the key is present in the keystore\n        const [_, rawPayload, rawSignature] = rawJwtToken.split('.');\n        keyStoreHasKey = await this.keyStore(header, {\n          payload: rawPayload,\n          signature: rawSignature,\n        });\n      }\n    } catch (error) {\n      keyStoreHasKey = false;\n    }\n    // Refresh public key URL if needed\n    // Add a small margin in case clocks are out of sync\n    const issuedAfterLastRefresh =\n      payload?.iat && payload.iat > this.keyStoreUpdated - CLOCK_MARGIN_S;\n    if (!this.keyStore || (!keyStoreHasKey && issuedAfterLastRefresh)) {\n      const url = await this.discovery.getBaseUrl('auth');\n      const endpoint = new URL(`${url}/.well-known/jwks.json`);\n      this.keyStore = createRemoteJWKSet(endpoint);\n      this.keyStoreUpdated = Date.now() / 1000;\n    }\n  }\n}\n"],"names":["AuthenticationError","jwtVerify","decodeJwt","decodeProtectedHeader","createRemoteJWKSet"],"mappings":";;;;;;;AAAO,SAAS,qCAAqC,CAAC,mBAAmB,EAAE;AAC3E,EAAE,IAAI,OAAO,mBAAmB,KAAK,QAAQ,EAAE;AAC/C,IAAI,OAAO,KAAK,CAAC,CAAC;AAClB,GAAG;AACH,EAAE,MAAM,OAAO,GAAG,mBAAmB,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC;AAClE,EAAE,OAAO,OAAO,IAAI,IAAI,GAAG,KAAK,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;AAC/C;;ACCA,MAAM,cAAc,GAAG,EAAE,CAAC;AACnB,MAAM,cAAc,CAAC;AAC5B,EAAE,WAAW,CAAC,OAAO,EAAE;AACvB,IAAI,IAAI,CAAC,eAAe,GAAG,CAAC,CAAC;AAC7B,IAAI,IAAI,EAAE,CAAC;AACX,IAAI,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;AACvC,IAAI,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;AACjC,IAAI,IAAI,CAAC,UAAU,GAAG,CAAC,EAAE,GAAG,OAAO,CAAC,UAAU,KAAK,IAAI,GAAG,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;AACzE,GAAG;AACH,EAAE,OAAO,MAAM,CAAC,OAAO,EAAE;AACzB,IAAI,OAAO,IAAI,cAAc,CAAC,OAAO,CAAC,CAAC;AACvC,GAAG;AACH,EAAE,MAAM,YAAY,CAAC,KAAK,EAAE;AAC5B,IAAI,IAAI,CAAC,KAAK,EAAE;AAChB,MAAM,MAAM,IAAIA,0BAAmB,CAAC,oBAAoB,CAAC,CAAC;AAC1D,KAAK;AACL,IAAI,MAAM,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;AACtC,IAAI,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE;AACxB,MAAM,MAAM,IAAIA,0BAAmB,CAAC,oBAAoB,CAAC,CAAC;AAC1D,KAAK;AACL,IAAI,MAAM,OAAO,GAAG,MAAMC,cAAS,CAAC,KAAK,EAAE,IAAI,CAAC,QAAQ,EAAE;AAC1D,MAAM,UAAU,EAAE,IAAI,CAAC,UAAU;AACjC,MAAM,QAAQ,EAAE,WAAW;AAC3B,MAAM,MAAM,EAAE,IAAI,CAAC,MAAM;AACzB,KAAK,CAAC,CAAC;AACP,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE;AAC9B,MAAM,MAAM,IAAID,0BAAmB,CAAC,4BAA4B,CAAC,CAAC;AAClE,KAAK;AACL,IAAI,MAAM,IAAI,GAAG;AACjB,MAAM,KAAK;AACX,MAAM,QAAQ,EAAE;AAChB,QAAQ,IAAI,EAAE,MAAM;AACpB,QAAQ,aAAa,EAAE,OAAO,CAAC,OAAO,CAAC,GAAG;AAC1C,QAAQ,mBAAmB,EAAE,OAAO,CAAC,OAAO,CAAC,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,GAAG,EAAE;AAC3E,OAAO;AACP,KAAK,CAAC;AACN,IAAI,OAAO,IAAI,CAAC;AAChB,GAAG;AACH,EAAE,MAAM,eAAe,CAAC,WAAW,EAAE;AACrC,IAAI,MAAM,OAAO,GAAG,MAAME,cAAS,CAAC,WAAW,CAAC,CAAC;AACjD,IAAI,MAAM,MAAM,GAAG,MAAMC,0BAAqB,CAAC,WAAW,CAAC,CAAC;AAC5D,IAAI,IAAI,cAAc,CAAC;AACvB,IAAI,IAAI;AACR,MAAM,IAAI,IAAI,CAAC,QAAQ,EAAE;AACzB,QAAQ,MAAM,CAAC,CAAC,EAAE,UAAU,EAAE,YAAY,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;AACrE,QAAQ,cAAc,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE;AACrD,UAAU,OAAO,EAAE,UAAU;AAC7B,UAAU,SAAS,EAAE,YAAY;AACjC,SAAS,CAAC,CAAC;AACX,OAAO;AACP,KAAK,CAAC,OAAO,KAAK,EAAE;AACpB,MAAM,cAAc,GAAG,KAAK,CAAC;AAC7B,KAAK;AACL,IAAI,MAAM,sBAAsB,GAAG,CAAC,OAAO,IAAI,IAAI,GAAG,KAAK,CAAC,GAAG,OAAO,CAAC,GAAG,KAAK,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,eAAe,GAAG,cAAc,CAAC;AACnI,IAAI,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,CAAC,cAAc,IAAI,sBAAsB,EAAE;AACrE,MAAM,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;AAC1D,MAAM,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,CAAC,EAAE,GAAG,CAAC,sBAAsB,CAAC,CAAC,CAAC;AAC/D,MAAM,IAAI,CAAC,QAAQ,GAAGC,uBAAkB,CAAC,QAAQ,CAAC,CAAC;AACnD,MAAM,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,CAAC;AAC9C,KAAK;AACL,GAAG;AACH;;;;;"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@backstage/plugin-auth-node",
-  "version": "0.2.2-next.2",
+  "version": "0.2.2",
   "main": "dist/index.cjs.js",
   "types": "dist/index.d.ts",
   "license": "Apache-2.0",
@@ -23,7 +23,7 @@
     "start": "backstage-cli package start"
   },
   "dependencies": {
-    "@backstage/backend-common": "^0.14.0-next.2",
+    "@backstage/backend-common": "^0.14.0",
     "@backstage/config": "^1.0.1",
     "@backstage/errors": "^1.0.0",
     "jose": "^4.6.0",
@@ -31,7 +31,7 @@
     "winston": "^3.2.1"
   },
   "devDependencies": {
-    "@backstage/cli": "^0.17.2-next.2",
+    "@backstage/cli": "^0.17.2",
     "lodash": "^4.17.21",
     "msw": "^0.42.0",
     "uuid": "^8.0.0"
@@ -39,5 +39,5 @@
   "files": [
     "dist"
   ],
-  "gitHead": "afc672d59763a835574e6c47819107d22cfd1ad7"
+  "gitHead": "e42cb3887e41f756c16380d757d93feda27f40ee"
 }