@backstage/plugin-auth-node 0.5.2 → 0.5.3-next.1

package/CHANGELOG.md

@@ -1,5 +1,31 @@
 # @backstage/plugin-auth-node
 
+## 0.5.3-next.1
+
+### Patch Changes
+
+- 217458a: Added a new `allowedDomains` option for the common `emailLocalPartMatchingUserEntityName` sign-in resolver.
+- Updated dependencies
+  - @backstage/catalog-client@1.7.1-next.0
+  - @backstage/backend-plugin-api@1.0.1-next.1
+  - @backstage/catalog-model@1.7.0
+  - @backstage/config@1.2.0
+  - @backstage/errors@1.2.4
+  - @backstage/types@1.1.1
+
+## 0.5.3-next.0
+
+### Patch Changes
+
+- 094eaa3: Remove references to in-repo backend-common
+- Updated dependencies
+  - @backstage/backend-plugin-api@1.0.1-next.0
+  - @backstage/catalog-client@1.7.0
+  - @backstage/catalog-model@1.7.0
+  - @backstage/config@1.2.0
+  - @backstage/errors@1.2.4
+  - @backstage/types@1.1.1
+
 ## 0.5.2
 
 ### Patch Changes

package/dist/extensions/AuthOwnershipResolutionExtensionPoint.cjs.js

@@ -0,0 +1,10 @@
+'use strict';
+
+var backendPluginApi = require('@backstage/backend-plugin-api');
+
+const authOwnershipResolutionExtensionPoint = backendPluginApi.createExtensionPoint({
+  id: "auth.ownershipResolution"
+});
+
+exports.authOwnershipResolutionExtensionPoint = authOwnershipResolutionExtensionPoint;
+//# sourceMappingURL=AuthOwnershipResolutionExtensionPoint.cjs.js.map

package/dist/extensions/AuthOwnershipResolutionExtensionPoint.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthOwnershipResolutionExtensionPoint.cjs.js","sources":["../../src/extensions/AuthOwnershipResolutionExtensionPoint.ts"],"sourcesContent":["/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport { AuthOwnershipResolver } from '../types';\nimport { createExtensionPoint } from '@backstage/backend-plugin-api';\n\n/** @public */\nexport interface AuthOwnershipResolutionExtensionPoint {\n  setAuthOwnershipResolver(ownershipResolver: AuthOwnershipResolver): void;\n}\n\n/** @public */\nexport const authOwnershipResolutionExtensionPoint =\n  createExtensionPoint<AuthOwnershipResolutionExtensionPoint>({\n    id: 'auth.ownershipResolution',\n  });\n"],"names":["createExtensionPoint"],"mappings":";;;;AAwBO,MAAM,wCACXA,qCAA4D,CAAA;AAAA,EAC1D,EAAI,EAAA,0BAAA;AACN,CAAC;;;;"}

package/dist/extensions/AuthProvidersExtensionPoint.cjs.js

@@ -0,0 +1,10 @@
+'use strict';
+
+var backendPluginApi = require('@backstage/backend-plugin-api');
+
+const authProvidersExtensionPoint = backendPluginApi.createExtensionPoint({
+  id: "auth.providers"
+});
+
+exports.authProvidersExtensionPoint = authProvidersExtensionPoint;
+//# sourceMappingURL=AuthProvidersExtensionPoint.cjs.js.map

package/dist/extensions/AuthProvidersExtensionPoint.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthProvidersExtensionPoint.cjs.js","sources":["../../src/extensions/AuthProvidersExtensionPoint.ts"],"sourcesContent":["/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { createExtensionPoint } from '@backstage/backend-plugin-api';\nimport { AuthProviderFactory } from '../types';\n\n/** @public */\nexport interface AuthProviderRegistrationOptions {\n  providerId: string;\n  factory: AuthProviderFactory;\n}\n\n/** @public */\nexport interface AuthProvidersExtensionPoint {\n  registerProvider(options: AuthProviderRegistrationOptions): void;\n}\n\n/** @public */\nexport const authProvidersExtensionPoint =\n  createExtensionPoint<AuthProvidersExtensionPoint>({\n    id: 'auth.providers',\n  });\n"],"names":["createExtensionPoint"],"mappings":";;;;AA+BO,MAAM,8BACXA,qCAAkD,CAAA;AAAA,EAChD,EAAI,EAAA,gBAAA;AACN,CAAC;;;;"}

package/dist/flow/sendWebMessageResponse.cjs.js

@@ -0,0 +1,41 @@
+'use strict';
+
+var crypto = require('crypto');
+var errors = require('@backstage/errors');
+
+function _interopDefaultCompat (e) { return e && typeof e === 'object' && 'default' in e ? e : { default: e }; }
+
+var crypto__default = /*#__PURE__*/_interopDefaultCompat(crypto);
+
+function safelyEncodeURIComponent(value) {
+  return encodeURIComponent(value).replace(/'/g, "%27");
+}
+function sendWebMessageResponse(res, appOrigin, response) {
+  const jsonData = JSON.stringify(response, (_, value) => {
+    if (value instanceof Error) {
+      return errors.serializeError(value);
+    }
+    return value;
+  });
+  const base64Data = safelyEncodeURIComponent(jsonData);
+  const base64Origin = safelyEncodeURIComponent(appOrigin);
+  const script = `
+    var authResponse = decodeURIComponent('${base64Data}');
+    var origin = decodeURIComponent('${base64Origin}');
+    var originInfo = {'type': 'config_info', 'targetOrigin': origin};
+    (window.opener || window.parent).postMessage(originInfo, '*');
+    (window.opener || window.parent).postMessage(JSON.parse(authResponse), origin);
+    setTimeout(() => {
+      window.close();
+    }, 100); // same as the interval of the core-app-api lib/loginPopup.ts (to address race conditions)
+  `;
+  const hash = crypto__default.default.createHash("sha256").update(script).digest("base64");
+  res.setHeader("Content-Type", "text/html");
+  res.setHeader("X-Frame-Options", "sameorigin");
+  res.setHeader("Content-Security-Policy", `script-src 'sha256-${hash}'`);
+  res.end(`<html><body><script>${script}<\/script></body></html>`);
+}
+
+exports.safelyEncodeURIComponent = safelyEncodeURIComponent;
+exports.sendWebMessageResponse = sendWebMessageResponse;
+//# sourceMappingURL=sendWebMessageResponse.cjs.js.map

package/dist/flow/sendWebMessageResponse.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sendWebMessageResponse.cjs.js","sources":["../../src/flow/sendWebMessageResponse.ts"],"sourcesContent":["/*\n * Copyright 2020 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { Response } from 'express';\nimport crypto from 'crypto';\nimport { ClientAuthResponse } from '../types';\nimport { serializeError } from '@backstage/errors';\n\n/**\n * Payload sent as a post message after the auth request is complete.\n * If successful then has a valid payload with Auth information else contains an error.\n *\n * @public\n */\nexport type WebMessageResponse =\n  | {\n      type: 'authorization_response';\n      response: ClientAuthResponse<unknown>;\n    }\n  | {\n      type: 'authorization_response';\n      error: Error;\n    };\n\n/** @internal */\nexport function safelyEncodeURIComponent(value: string): string {\n  // Note the g at the end of the regex; all occurrences of single quotes must\n  // be replaced, which encodeURIComponent does not do itself by default\n  return encodeURIComponent(value).replace(/'/g, '%27');\n}\n\n/** @public */\nexport function sendWebMessageResponse(\n  res: Response,\n  appOrigin: string,\n  response: WebMessageResponse,\n): void {\n  const jsonData = JSON.stringify(response, (_, value) => {\n    if (value instanceof Error) {\n      return serializeError(value);\n    }\n    return value;\n  });\n  const base64Data = safelyEncodeURIComponent(jsonData);\n  const base64Origin = safelyEncodeURIComponent(appOrigin);\n\n  // NOTE: It is absolutely imperative that we use the safe encoder above, to\n  // be sure that the js code below does not allow the injection of malicious\n  // data.\n\n  // TODO: Make target app origin configurable globally\n\n  //\n  // postMessage fails silently if the targetOrigin is disallowed.\n  // So 2 postMessages are sent from the popup to the parent window.\n  // First, the origin being used to post the actual authorization response is\n  // shared with the parent window with a postMessage with targetOrigin '*'.\n  // Second, the actual authorization response is sent with the app origin\n  // as the targetOrigin.\n  // If the first message was received but the actual auth response was\n  // never received, the event listener can conclude that targetOrigin\n  // was disallowed, indicating potential misconfiguration.\n  //\n  const script = `\n    var authResponse = decodeURIComponent('${base64Data}');\n    var origin = decodeURIComponent('${base64Origin}');\n    var originInfo = {'type': 'config_info', 'targetOrigin': origin};\n    (window.opener || window.parent).postMessage(originInfo, '*');\n    (window.opener || window.parent).postMessage(JSON.parse(authResponse), origin);\n    setTimeout(() => {\n      window.close();\n    }, 100); // same as the interval of the core-app-api lib/loginPopup.ts (to address race conditions)\n  `;\n  const hash = crypto.createHash('sha256').update(script).digest('base64');\n\n  res.setHeader('Content-Type', 'text/html');\n  res.setHeader('X-Frame-Options', 'sameorigin');\n  res.setHeader('Content-Security-Policy', `script-src 'sha256-${hash}'`);\n  res.end(`<html><body><script>${script}</script></body></html>`);\n}\n"],"names":["serializeError","crypto"],"mappings":";;;;;;;;;AAsCO,SAAS,yBAAyB,KAAuB,EAAA;AAG9D,EAAA,OAAO,kBAAmB,CAAA,KAAK,CAAE,CAAA,OAAA,CAAQ,MAAM,KAAK,CAAA,CAAA;AACtD,CAAA;AAGgB,SAAA,sBAAA,CACd,GACA,EAAA,SAAA,EACA,QACM,EAAA;AACN,EAAA,MAAM,WAAW,IAAK,CAAA,SAAA,CAAU,QAAU,EAAA,CAAC,GAAG,KAAU,KAAA;AACtD,IAAA,IAAI,iBAAiB,KAAO,EAAA;AAC1B,MAAA,OAAOA,sBAAe,KAAK,CAAA,CAAA;AAAA,KAC7B;AACA,IAAO,OAAA,KAAA,CAAA;AAAA,GACR,CAAA,CAAA;AACD,EAAM,MAAA,UAAA,GAAa,yBAAyB,QAAQ,CAAA,CAAA;AACpD,EAAM,MAAA,YAAA,GAAe,yBAAyB,SAAS,CAAA,CAAA;AAmBvD,EAAA,MAAM,MAAS,GAAA,CAAA;AAAA,2CAAA,EAC4B,UAAU,CAAA;AAAA,qCAAA,EAChB,YAAY,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAAA,CAAA,CAAA;AAQjD,EAAM,MAAA,IAAA,GAAOC,wBAAO,UAAW,CAAA,QAAQ,EAAE,MAAO,CAAA,MAAM,CAAE,CAAA,MAAA,CAAO,QAAQ,CAAA,CAAA;AAEvE,EAAI,GAAA,CAAA,SAAA,CAAU,gBAAgB,WAAW,CAAA,CAAA;AACzC,EAAI,GAAA,CAAA,SAAA,CAAU,mBAAmB,YAAY,CAAA,CAAA;AAC7C,EAAA,GAAA,CAAI,SAAU,CAAA,yBAAA,EAA2B,CAAsB,mBAAA,EAAA,IAAI,CAAG,CAAA,CAAA,CAAA,CAAA;AACtE,EAAI,GAAA,CAAA,GAAA,CAAI,CAAuB,oBAAA,EAAA,MAAM,CAAyB,wBAAA,CAAA,CAAA,CAAA;AAChE;;;;;"}

package/dist/identity/DefaultIdentityClient.cjs.js

@@ -0,0 +1,103 @@
+'use strict';
+
+var errors = require('@backstage/errors');
+var jose = require('jose');
+var getBearerTokenFromAuthorizationHeader = require('./getBearerTokenFromAuthorizationHeader.cjs.js');
+
+const CLOCK_MARGIN_S = 10;
+class DefaultIdentityClient {
+  discovery;
+  issuer;
+  algorithms;
+  keyStore;
+  keyStoreUpdated = 0;
+  /**
+   * Create a new {@link DefaultIdentityClient} instance.
+   */
+  static create(options) {
+    return new DefaultIdentityClient(options);
+  }
+  constructor(options) {
+    this.discovery = options.discovery;
+    this.issuer = options.issuer;
+    this.algorithms = options.hasOwnProperty("algorithms") ? options.algorithms : ["ES256"];
+  }
+  async getIdentity(options) {
+    const {
+      request: { headers }
+    } = options;
+    if (!headers.authorization) {
+      return void 0;
+    }
+    try {
+      return await this.authenticate(
+        getBearerTokenFromAuthorizationHeader.getBearerTokenFromAuthorizationHeader(headers.authorization)
+      );
+    } catch (e) {
+      throw new errors.AuthenticationError(e.message);
+    }
+  }
+  /**
+   * Verifies the given backstage identity token
+   * Returns a BackstageIdentity (user) matching the token.
+   * The method throws an error if verification fails.
+   *
+   * @deprecated You should start to use getIdentity instead of authenticate to retrieve the user
+   * identity.
+   */
+  async authenticate(token) {
+    if (!token) {
+      throw new errors.AuthenticationError("No token specified");
+    }
+    await this.refreshKeyStore(token);
+    if (!this.keyStore) {
+      throw new errors.AuthenticationError("No keystore exists");
+    }
+    const decoded = await jose.jwtVerify(token, this.keyStore, {
+      algorithms: this.algorithms,
+      audience: "backstage",
+      issuer: this.issuer
+    });
+    if (!decoded.payload.sub) {
+      throw new errors.AuthenticationError("No user sub found in token");
+    }
+    const user = {
+      token,
+      identity: {
+        type: "user",
+        userEntityRef: decoded.payload.sub,
+        ownershipEntityRefs: decoded.payload.ent ? decoded.payload.ent : []
+      }
+    };
+    return user;
+  }
+  /**
+   * If the last keystore refresh is stale, update the keystore URL to the latest
+   */
+  async refreshKeyStore(rawJwtToken) {
+    const payload = await jose.decodeJwt(rawJwtToken);
+    const header = await jose.decodeProtectedHeader(rawJwtToken);
+    let keyStoreHasKey;
+    try {
+      if (this.keyStore) {
+        const [_, rawPayload, rawSignature] = rawJwtToken.split(".");
+        keyStoreHasKey = await this.keyStore(header, {
+          payload: rawPayload,
+          signature: rawSignature
+        });
+      }
+    } catch (error) {
+      keyStoreHasKey = false;
+    }
+    const issuedAfterLastRefresh = payload?.iat && payload.iat > this.keyStoreUpdated - CLOCK_MARGIN_S;
+    if (!this.keyStore || !keyStoreHasKey && issuedAfterLastRefresh) {
+      const url = await this.discovery.getBaseUrl("auth");
+      const endpoint = new URL(`${url}/.well-known/jwks.json`);
+      this.keyStore = jose.createRemoteJWKSet(endpoint);
+      this.keyStoreUpdated = Date.now() / 1e3;
+    }
+  }
+}
+
+exports.DefaultIdentityClient = DefaultIdentityClient;
+//# sourceMappingURL=DefaultIdentityClient.cjs.js.map

package/dist/identity/DefaultIdentityClient.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"DefaultIdentityClient.cjs.js","sources":["../../src/identity/DefaultIdentityClient.ts"],"sourcesContent":["/*\n * Copyright 2020 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { PluginEndpointDiscovery } from '@backstage/backend-common';\nimport { AuthenticationError } from '@backstage/errors';\nimport {\n  createRemoteJWKSet,\n  decodeJwt,\n  decodeProtectedHeader,\n  FlattenedJWSInput,\n  JWSHeaderParameters,\n  jwtVerify,\n} from 'jose';\nimport { GetKeyFunction } from 'jose/dist/types/types';\nimport { getBearerTokenFromAuthorizationHeader } from './getBearerTokenFromAuthorizationHeader';\nimport { IdentityApi, IdentityApiGetIdentityRequest } from './IdentityApi';\nimport { BackstageIdentityResponse } from '../types';\n\nconst CLOCK_MARGIN_S = 10;\n\n/**\n * An identity client options object which allows extra configurations\n *\n * @experimental This is not a stable API yet\n * @public\n */\nexport type IdentityClientOptions = {\n  discovery: PluginEndpointDiscovery;\n  issuer?: string;\n\n  /** JWS \"alg\" (Algorithm) Header Parameter values. Defaults to an array containing just ES256.\n   * More info on supported algorithms: https://github.com/panva/jose */\n  algorithms?: string[];\n};\n\n/**\n * An identity client to interact with auth-backend and authenticate Backstage\n * tokens\n *\n * @experimental This is not a stable API yet\n * @public\n */\nexport class DefaultIdentityClient implements IdentityApi {\n  private readonly discovery: PluginEndpointDiscovery;\n  private readonly issuer?: string;\n  private readonly algorithms?: string[];\n  private keyStore?: GetKeyFunction<JWSHeaderParameters, FlattenedJWSInput>;\n  private keyStoreUpdated: number = 0;\n\n  /**\n   * Create a new {@link DefaultIdentityClient} instance.\n   */\n  static create(options: IdentityClientOptions): DefaultIdentityClient {\n    return new DefaultIdentityClient(options);\n  }\n\n  private constructor(options: IdentityClientOptions) {\n    this.discovery = options.discovery;\n    this.issuer = options.issuer;\n    this.algorithms = options.hasOwnProperty('algorithms')\n      ? options.algorithms\n      : ['ES256'];\n  }\n\n  async getIdentity(options: IdentityApiGetIdentityRequest) {\n    const {\n      request: { headers },\n    } = options;\n    if (!headers.authorization) {\n      return undefined;\n    }\n    try {\n      return await this.authenticate(\n        getBearerTokenFromAuthorizationHeader(headers.authorization),\n      );\n    } catch (e) {\n      throw new AuthenticationError(e.message);\n    }\n  }\n\n  /**\n   * Verifies the given backstage identity token\n   * Returns a BackstageIdentity (user) matching the token.\n   * The method throws an error if verification fails.\n   *\n   * @deprecated You should start to use getIdentity instead of authenticate to retrieve the user\n   * identity.\n   */\n  async authenticate(\n    token: string | undefined,\n  ): Promise<BackstageIdentityResponse> {\n    // Extract token from header\n    if (!token) {\n      throw new AuthenticationError('No token specified');\n    }\n\n    // Verify token claims and signature\n    // Note: Claims must match those set by TokenFactory when issuing tokens\n    // Note: verify throws if verification fails\n    // Check if the keystore needs to be updated\n    await this.refreshKeyStore(token);\n    if (!this.keyStore) {\n      throw new AuthenticationError('No keystore exists');\n    }\n    const decoded = await jwtVerify(token, this.keyStore, {\n      algorithms: this.algorithms,\n      audience: 'backstage',\n      issuer: this.issuer,\n    });\n    // Verified, return the matching user as BackstageIdentity\n    // TODO: Settle internal user format/properties\n    if (!decoded.payload.sub) {\n      throw new AuthenticationError('No user sub found in token');\n    }\n\n    const user: BackstageIdentityResponse = {\n      token,\n      identity: {\n        type: 'user',\n        userEntityRef: decoded.payload.sub,\n        ownershipEntityRefs: decoded.payload.ent\n          ? (decoded.payload.ent as string[])\n          : [],\n      },\n    };\n    return user;\n  }\n\n  /**\n   * If the last keystore refresh is stale, update the keystore URL to the latest\n   */\n  private async refreshKeyStore(rawJwtToken: string): Promise<void> {\n    const payload = await decodeJwt(rawJwtToken);\n    const header = await decodeProtectedHeader(rawJwtToken);\n\n    // Refresh public keys if needed\n    let keyStoreHasKey;\n    try {\n      if (this.keyStore) {\n        // Check if the key is present in the keystore\n        const [_, rawPayload, rawSignature] = rawJwtToken.split('.');\n        keyStoreHasKey = await this.keyStore(header, {\n          payload: rawPayload,\n          signature: rawSignature,\n        });\n      }\n    } catch (error) {\n      keyStoreHasKey = false;\n    }\n    // Refresh public key URL if needed\n    // Add a small margin in case clocks are out of sync\n    const issuedAfterLastRefresh =\n      payload?.iat && payload.iat > this.keyStoreUpdated - CLOCK_MARGIN_S;\n    if (!this.keyStore || (!keyStoreHasKey && issuedAfterLastRefresh)) {\n      const url = await this.discovery.getBaseUrl('auth');\n      const endpoint = new URL(`${url}/.well-known/jwks.json`);\n      this.keyStore = createRemoteJWKSet(endpoint);\n      this.keyStoreUpdated = Date.now() / 1000;\n    }\n  }\n}\n"],"names":["getBearerTokenFromAuthorizationHeader","AuthenticationError","jwtVerify","decodeJwt","decodeProtectedHeader","createRemoteJWKSet"],"mappings":";;;;;;AA+BA,MAAM,cAAiB,GAAA,EAAA,CAAA;AAwBhB,MAAM,qBAA6C,CAAA;AAAA,EACvC,SAAA,CAAA;AAAA,EACA,MAAA,CAAA;AAAA,EACA,UAAA,CAAA;AAAA,EACT,QAAA,CAAA;AAAA,EACA,eAA0B,GAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,EAKlC,OAAO,OAAO,OAAuD,EAAA;AACnE,IAAO,OAAA,IAAI,sBAAsB,OAAO,CAAA,CAAA;AAAA,GAC1C;AAAA,EAEQ,YAAY,OAAgC,EAAA;AAClD,IAAA,IAAA,CAAK,YAAY,OAAQ,CAAA,SAAA,CAAA;AACzB,IAAA,IAAA,CAAK,SAAS,OAAQ,CAAA,MAAA,CAAA;AACtB,IAAK,IAAA,CAAA,UAAA,GAAa,QAAQ,cAAe,CAAA,YAAY,IACjD,OAAQ,CAAA,UAAA,GACR,CAAC,OAAO,CAAA,CAAA;AAAA,GACd;AAAA,EAEA,MAAM,YAAY,OAAwC,EAAA;AACxD,IAAM,MAAA;AAAA,MACJ,OAAA,EAAS,EAAE,OAAQ,EAAA;AAAA,KACjB,GAAA,OAAA,CAAA;AACJ,IAAI,IAAA,CAAC,QAAQ,aAAe,EAAA;AAC1B,MAAO,OAAA,KAAA,CAAA,CAAA;AAAA,KACT;AACA,IAAI,IAAA;AACF,MAAA,OAAO,MAAM,IAAK,CAAA,YAAA;AAAA,QAChBA,2EAAA,CAAsC,QAAQ,aAAa,CAAA;AAAA,OAC7D,CAAA;AAAA,aACO,CAAG,EAAA;AACV,MAAM,MAAA,IAAIC,0BAAoB,CAAA,CAAA,CAAE,OAAO,CAAA,CAAA;AAAA,KACzC;AAAA,GACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,aACJ,KACoC,EAAA;AAEpC,IAAA,IAAI,CAAC,KAAO,EAAA;AACV,MAAM,MAAA,IAAIA,2BAAoB,oBAAoB,CAAA,CAAA;AAAA,KACpD;AAMA,IAAM,MAAA,IAAA,CAAK,gBAAgB,KAAK,CAAA,CAAA;AAChC,IAAI,IAAA,CAAC,KAAK,QAAU,EAAA;AAClB,MAAM,MAAA,IAAIA,2BAAoB,oBAAoB,CAAA,CAAA;AAAA,KACpD;AACA,IAAA,MAAM,OAAU,GAAA,MAAMC,cAAU,CAAA,KAAA,EAAO,KAAK,QAAU,EAAA;AAAA,MACpD,YAAY,IAAK,CAAA,UAAA;AAAA,MACjB,QAAU,EAAA,WAAA;AAAA,MACV,QAAQ,IAAK,CAAA,MAAA;AAAA,KACd,CAAA,CAAA;AAGD,IAAI,IAAA,CAAC,OAAQ,CAAA,OAAA,CAAQ,GAAK,EAAA;AACxB,MAAM,MAAA,IAAID,2BAAoB,4BAA4B,CAAA,CAAA;AAAA,KAC5D;AAEA,IAAA,MAAM,IAAkC,GAAA;AAAA,MACtC,KAAA;AAAA,MACA,QAAU,EAAA;AAAA,QACR,IAAM,EAAA,MAAA;AAAA,QACN,aAAA,EAAe,QAAQ,OAAQ,CAAA,GAAA;AAAA,QAC/B,qBAAqB,OAAQ,CAAA,OAAA,CAAQ,MAChC,OAAQ,CAAA,OAAA,CAAQ,MACjB,EAAC;AAAA,OACP;AAAA,KACF,CAAA;AACA,IAAO,OAAA,IAAA,CAAA;AAAA,GACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,gBAAgB,WAAoC,EAAA;AAChE,IAAM,MAAA,OAAA,GAAU,MAAME,cAAA,CAAU,WAAW,CAAA,CAAA;AAC3C,IAAM,MAAA,MAAA,GAAS,MAAMC,0BAAA,CAAsB,WAAW,CAAA,CAAA;AAGtD,IAAI,IAAA,cAAA,CAAA;AACJ,IAAI,IAAA;AACF,MAAA,IAAI,KAAK,QAAU,EAAA;AAEjB,QAAA,MAAM,CAAC,CAAG,EAAA,UAAA,EAAY,YAAY,CAAI,GAAA,WAAA,CAAY,MAAM,GAAG,CAAA,CAAA;AAC3D,QAAiB,cAAA,GAAA,MAAM,IAAK,CAAA,QAAA,CAAS,MAAQ,EAAA;AAAA,UAC3C,OAAS,EAAA,UAAA;AAAA,UACT,SAAW,EAAA,YAAA;AAAA,SACZ,CAAA,CAAA;AAAA,OACH;AAAA,aACO,KAAO,EAAA;AACd,MAAiB,cAAA,GAAA,KAAA,CAAA;AAAA,KACnB;AAGA,IAAA,MAAM,yBACJ,OAAS,EAAA,GAAA,IAAO,OAAQ,CAAA,GAAA,GAAM,KAAK,eAAkB,GAAA,cAAA,CAAA;AACvD,IAAA,IAAI,CAAC,IAAA,CAAK,QAAa,IAAA,CAAC,kBAAkB,sBAAyB,EAAA;AACjE,MAAA,MAAM,GAAM,GAAA,MAAM,IAAK,CAAA,SAAA,CAAU,WAAW,MAAM,CAAA,CAAA;AAClD,MAAA,MAAM,QAAW,GAAA,IAAI,GAAI,CAAA,CAAA,EAAG,GAAG,CAAwB,sBAAA,CAAA,CAAA,CAAA;AACvD,MAAK,IAAA,CAAA,QAAA,GAAWC,wBAAmB,QAAQ,CAAA,CAAA;AAC3C,MAAK,IAAA,CAAA,eAAA,GAAkB,IAAK,CAAA,GAAA,EAAQ,GAAA,GAAA,CAAA;AAAA,KACtC;AAAA,GACF;AACF;;;;"}

package/dist/identity/IdentityClient.cjs.js

@@ -0,0 +1,27 @@
+'use strict';
+
+var DefaultIdentityClient = require('./DefaultIdentityClient.cjs.js');
+
+class IdentityClient {
+  defaultIdentityClient;
+  static create(options) {
+    return new IdentityClient(DefaultIdentityClient.DefaultIdentityClient.create(options));
+  }
+  constructor(defaultIdentityClient) {
+    this.defaultIdentityClient = defaultIdentityClient;
+  }
+  /**
+   * Verifies the given backstage identity token
+   * Returns a BackstageIdentity (user) matching the token.
+   * The method throws an error if verification fails.
+   *
+   * @deprecated You should start to use IdentityApi#getIdentity instead of authenticate
+   * to retrieve the user identity.
+   */
+  async authenticate(token) {
+    return await this.defaultIdentityClient.authenticate(token);
+  }
+}
+
+exports.IdentityClient = IdentityClient;
+//# sourceMappingURL=IdentityClient.cjs.js.map

package/dist/identity/IdentityClient.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"IdentityClient.cjs.js","sources":["../../src/identity/IdentityClient.ts"],"sourcesContent":["/*\n * Copyright 2020 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  DefaultIdentityClient,\n  IdentityClientOptions,\n} from './DefaultIdentityClient';\nimport { BackstageIdentityResponse } from '../types';\n\n/**\n * An identity client to interact with auth-backend and authenticate Backstage\n * tokens\n *\n * @public\n * @experimental This is not a stable API yet\n * @deprecated Please migrate to the DefaultIdentityClient.\n */\nexport class IdentityClient {\n  private readonly defaultIdentityClient: DefaultIdentityClient;\n  static create(options: IdentityClientOptions): IdentityClient {\n    return new IdentityClient(DefaultIdentityClient.create(options));\n  }\n\n  private constructor(defaultIdentityClient: DefaultIdentityClient) {\n    this.defaultIdentityClient = defaultIdentityClient;\n  }\n\n  /**\n   * Verifies the given backstage identity token\n   * Returns a BackstageIdentity (user) matching the token.\n   * The method throws an error if verification fails.\n   *\n   * @deprecated You should start to use IdentityApi#getIdentity instead of authenticate\n   * to retrieve the user identity.\n   */\n  async authenticate(\n    token: string | undefined,\n  ): Promise<BackstageIdentityResponse> {\n    return await this.defaultIdentityClient.authenticate(token);\n  }\n}\n"],"names":["DefaultIdentityClient"],"mappings":";;;;AA8BO,MAAM,cAAe,CAAA;AAAA,EACT,qBAAA,CAAA;AAAA,EACjB,OAAO,OAAO,OAAgD,EAAA;AAC5D,IAAA,OAAO,IAAI,cAAA,CAAeA,2CAAsB,CAAA,MAAA,CAAO,OAAO,CAAC,CAAA,CAAA;AAAA,GACjE;AAAA,EAEQ,YAAY,qBAA8C,EAAA;AAChE,IAAA,IAAA,CAAK,qBAAwB,GAAA,qBAAA,CAAA;AAAA,GAC/B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,aACJ,KACoC,EAAA;AACpC,IAAA,OAAO,MAAM,IAAA,CAAK,qBAAsB,CAAA,YAAA,CAAa,KAAK,CAAA,CAAA;AAAA,GAC5D;AACF;;;;"}

package/dist/identity/getBearerTokenFromAuthorizationHeader.cjs.js

@@ -0,0 +1,12 @@
+'use strict';
+
+function getBearerTokenFromAuthorizationHeader(authorizationHeader) {
+  if (typeof authorizationHeader !== "string") {
+    return void 0;
+  }
+  const matches = authorizationHeader.match(/^Bearer[ ]+(\S+)$/i);
+  return matches?.[1];
+}
+
+exports.getBearerTokenFromAuthorizationHeader = getBearerTokenFromAuthorizationHeader;
+//# sourceMappingURL=getBearerTokenFromAuthorizationHeader.cjs.js.map

package/dist/identity/getBearerTokenFromAuthorizationHeader.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"getBearerTokenFromAuthorizationHeader.cjs.js","sources":["../../src/identity/getBearerTokenFromAuthorizationHeader.ts"],"sourcesContent":["/*\n * Copyright 2022 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\n/**\n * Parses the given authorization header and returns the bearer token, or\n * undefined if no bearer token is given.\n *\n * @remarks\n *\n * This function is explicitly built to tolerate bad inputs safely, so you may\n * call it directly with e.g. the output of `req.header('authorization')`\n * without first checking that it exists.\n *\n * @deprecated Use the `credentials` method of `HttpAuthService` from `@backstage/backend-plugin-api` instead\n * @public\n */\nexport function getBearerTokenFromAuthorizationHeader(\n  authorizationHeader: unknown,\n): string | undefined {\n  if (typeof authorizationHeader !== 'string') {\n    return undefined;\n  }\n  const matches = authorizationHeader.match(/^Bearer[ ]+(\\S+)$/i);\n  return matches?.[1];\n}\n"],"names":[],"mappings":";;AA6BO,SAAS,sCACd,mBACoB,EAAA;AACpB,EAAI,IAAA,OAAO,wBAAwB,QAAU,EAAA;AAC3C,IAAO,OAAA,KAAA,CAAA,CAAA;AAAA,GACT;AACA,EAAM,MAAA,OAAA,GAAU,mBAAoB,CAAA,KAAA,CAAM,oBAAoB,CAAA,CAAA;AAC9D,EAAA,OAAO,UAAU,CAAC,CAAA,CAAA;AACpB;;;;"}

package/dist/identity/prepareBackstageIdentityResponse.cjs.js

@@ -0,0 +1,36 @@
+'use strict';
+
+var errors = require('@backstage/errors');
+
+function parseJwtPayload(token) {
+  const [_header, payload, _signature] = token.split(".");
+  return JSON.parse(Buffer.from(payload, "base64").toString());
+}
+function prepareBackstageIdentityResponse(result) {
+  if (!result.token) {
+    throw new errors.InputError(`Identity response must return a token`);
+  }
+  const { sub, ent = [], exp: expStr } = parseJwtPayload(result.token);
+  if (!sub) {
+    throw new errors.InputError(
+      `Identity response must return a token with subject claim`
+    );
+  }
+  const expAt = Number(expStr);
+  const exp = expAt ? Math.round(expAt - Date.now() / 1e3) : void 0;
+  if (exp && exp < 0) {
+    throw new errors.InputError(`Identity response must not return an expired token`);
+  }
+  return {
+    ...result,
+    expiresInSeconds: exp,
+    identity: {
+      type: "user",
+      userEntityRef: sub,
+      ownershipEntityRefs: ent
+    }
+  };
+}
+
+exports.prepareBackstageIdentityResponse = prepareBackstageIdentityResponse;
+//# sourceMappingURL=prepareBackstageIdentityResponse.cjs.js.map

package/dist/identity/prepareBackstageIdentityResponse.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"prepareBackstageIdentityResponse.cjs.js","sources":["../../src/identity/prepareBackstageIdentityResponse.ts"],"sourcesContent":["/*\n * Copyright 2020 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { InputError } from '@backstage/errors';\nimport {\n  BackstageIdentityResponse,\n  BackstageSignInResult,\n} from '@backstage/plugin-auth-node';\n\nfunction parseJwtPayload(token: string) {\n  const [_header, payload, _signature] = token.split('.');\n  return JSON.parse(Buffer.from(payload, 'base64').toString());\n}\n\n/**\n * Parses a Backstage-issued token and decorates the\n * {@link @backstage/plugin-auth-node#BackstageIdentityResponse} with identity information sourced from the\n * token.\n *\n * @public\n */\nexport function prepareBackstageIdentityResponse(\n  result: BackstageSignInResult,\n): BackstageIdentityResponse {\n  if (!result.token) {\n    throw new InputError(`Identity response must return a token`);\n  }\n\n  const { sub, ent = [], exp: expStr } = parseJwtPayload(result.token);\n  if (!sub) {\n    throw new InputError(\n      `Identity response must return a token with subject claim`,\n    );\n  }\n\n  const expAt = Number(expStr);\n\n  // Default to 1 hour if no expiration is set, in particular to make testing simpler\n  const exp = expAt ? Math.round(expAt - Date.now() / 1000) : undefined;\n  if (exp && exp < 0) {\n    throw new InputError(`Identity response must not return an expired token`);\n  }\n\n  return {\n    ...result,\n    expiresInSeconds: exp,\n    identity: {\n      type: 'user',\n      userEntityRef: sub,\n      ownershipEntityRefs: ent,\n    },\n  };\n}\n"],"names":["InputError"],"mappings":";;;;AAsBA,SAAS,gBAAgB,KAAe,EAAA;AACtC,EAAA,MAAM,CAAC,OAAS,EAAA,OAAA,EAAS,UAAU,CAAI,GAAA,KAAA,CAAM,MAAM,GAAG,CAAA,CAAA;AACtD,EAAO,OAAA,IAAA,CAAK,MAAM,MAAO,CAAA,IAAA,CAAK,SAAS,QAAQ,CAAA,CAAE,UAAU,CAAA,CAAA;AAC7D,CAAA;AASO,SAAS,iCACd,MAC2B,EAAA;AAC3B,EAAI,IAAA,CAAC,OAAO,KAAO,EAAA;AACjB,IAAM,MAAA,IAAIA,kBAAW,CAAuC,qCAAA,CAAA,CAAA,CAAA;AAAA,GAC9D;AAEA,EAAM,MAAA,EAAE,GAAK,EAAA,GAAA,GAAM,EAAC,EAAG,KAAK,MAAO,EAAA,GAAI,eAAgB,CAAA,MAAA,CAAO,KAAK,CAAA,CAAA;AACnE,EAAA,IAAI,CAAC,GAAK,EAAA;AACR,IAAA,MAAM,IAAIA,iBAAA;AAAA,MACR,CAAA,wDAAA,CAAA;AAAA,KACF,CAAA;AAAA,GACF;AAEA,EAAM,MAAA,KAAA,GAAQ,OAAO,MAAM,CAAA,CAAA;AAG3B,EAAM,MAAA,GAAA,GAAM,QAAQ,IAAK,CAAA,KAAA,CAAM,QAAQ,IAAK,CAAA,GAAA,EAAQ,GAAA,GAAI,CAAI,GAAA,KAAA,CAAA,CAAA;AAC5D,EAAI,IAAA,GAAA,IAAO,MAAM,CAAG,EAAA;AAClB,IAAM,MAAA,IAAIA,kBAAW,CAAoD,kDAAA,CAAA,CAAA,CAAA;AAAA,GAC3E;AAEA,EAAO,OAAA;AAAA,IACL,GAAG,MAAA;AAAA,IACH,gBAAkB,EAAA,GAAA;AAAA,IAClB,QAAU,EAAA;AAAA,MACR,IAAM,EAAA,MAAA;AAAA,MACN,aAAe,EAAA,GAAA;AAAA,MACf,mBAAqB,EAAA,GAAA;AAAA,KACvB;AAAA,GACF,CAAA;AACF;;;;"}