@backstage/plugin-auth-node 0.5.2 → 0.5.3-next.1

package/dist/index.cjs.js

@@ -1,1067 +1,52 @@
 'use strict';
 
-var backendPluginApi = require('@backstage/backend-plugin-api');
-var crypto = require('crypto');
-var errors = require('@backstage/errors');
-var jose = require('jose');
-var url = require('url');
-var pickBy = require('lodash/pickBy');
-var zodToJsonSchema = require('zod-to-json-schema');
-
-function _interopDefaultCompat (e) { return e && typeof e === 'object' && 'default' in e ? e : { default: e }; }
-
-var crypto__default = /*#__PURE__*/_interopDefaultCompat(crypto);
-var pickBy__default = /*#__PURE__*/_interopDefaultCompat(pickBy);
-var zodToJsonSchema__default = /*#__PURE__*/_interopDefaultCompat(zodToJsonSchema);
-
-const authProvidersExtensionPoint = backendPluginApi.createExtensionPoint({
-  id: "auth.providers"
-});
-
-const authOwnershipResolutionExtensionPoint = backendPluginApi.createExtensionPoint({
-  id: "auth.ownershipResolution"
-});
-
-function safelyEncodeURIComponent(value) {
-  return encodeURIComponent(value).replace(/'/g, "%27");
-}
-function sendWebMessageResponse(res, appOrigin, response) {
-  const jsonData = JSON.stringify(response, (_, value) => {
-    if (value instanceof Error) {
-      return errors.serializeError(value);
-    }
-    return value;
-  });
-  const base64Data = safelyEncodeURIComponent(jsonData);
-  const base64Origin = safelyEncodeURIComponent(appOrigin);
-  const script = `
-    var authResponse = decodeURIComponent('${base64Data}');
-    var origin = decodeURIComponent('${base64Origin}');
-    var originInfo = {'type': 'config_info', 'targetOrigin': origin};
-    (window.opener || window.parent).postMessage(originInfo, '*');
-    (window.opener || window.parent).postMessage(JSON.parse(authResponse), origin);
-    setTimeout(() => {
-      window.close();
-    }, 100); // same as the interval of the core-app-api lib/loginPopup.ts (to address race conditions)
-  `;
-  const hash = crypto__default.default.createHash("sha256").update(script).digest("base64");
-  res.setHeader("Content-Type", "text/html");
-  res.setHeader("X-Frame-Options", "sameorigin");
-  res.setHeader("Content-Security-Policy", `script-src 'sha256-${hash}'`);
-  res.end(`<html><body><script>${script}<\/script></body></html>`);
-}
-
-function parseJwtPayload(token) {
-  const [_header, payload, _signature] = token.split(".");
-  return JSON.parse(Buffer.from(payload, "base64").toString());
-}
-function prepareBackstageIdentityResponse(result) {
-  if (!result.token) {
-    throw new errors.InputError(`Identity response must return a token`);
-  }
-  const { sub, ent = [], exp: expStr } = parseJwtPayload(result.token);
-  if (!sub) {
-    throw new errors.InputError(
-      `Identity response must return a token with subject claim`
-    );
-  }
-  const expAt = Number(expStr);
-  const exp = expAt ? Math.round(expAt - Date.now() / 1e3) : void 0;
-  if (exp && exp < 0) {
-    throw new errors.InputError(`Identity response must not return an expired token`);
-  }
-  return {
-    ...result,
-    expiresInSeconds: exp,
-    identity: {
-      type: "user",
-      userEntityRef: sub,
-      ownershipEntityRefs: ent
-    }
-  };
-}
-
-function getBearerTokenFromAuthorizationHeader(authorizationHeader) {
-  if (typeof authorizationHeader !== "string") {
-    return void 0;
-  }
-  const matches = authorizationHeader.match(/^Bearer[ ]+(\S+)$/i);
-  return matches?.[1];
-}
-
-const CLOCK_MARGIN_S = 10;
-class DefaultIdentityClient {
-  discovery;
-  issuer;
-  algorithms;
-  keyStore;
-  keyStoreUpdated = 0;
-  /**
-   * Create a new {@link DefaultIdentityClient} instance.
-   */
-  static create(options) {
-    return new DefaultIdentityClient(options);
-  }
-  constructor(options) {
-    this.discovery = options.discovery;
-    this.issuer = options.issuer;
-    this.algorithms = options.hasOwnProperty("algorithms") ? options.algorithms : ["ES256"];
-  }
-  async getIdentity(options) {
-    const {
-      request: { headers }
-    } = options;
-    if (!headers.authorization) {
-      return void 0;
-    }
-    try {
-      return await this.authenticate(
-        getBearerTokenFromAuthorizationHeader(headers.authorization)
-      );
-    } catch (e) {
-      throw new errors.AuthenticationError(e.message);
-    }
-  }
-  /**
-   * Verifies the given backstage identity token
-   * Returns a BackstageIdentity (user) matching the token.
-   * The method throws an error if verification fails.
-   *
-   * @deprecated You should start to use getIdentity instead of authenticate to retrieve the user
-   * identity.
-   */
-  async authenticate(token) {
-    if (!token) {
-      throw new errors.AuthenticationError("No token specified");
-    }
-    await this.refreshKeyStore(token);
-    if (!this.keyStore) {
-      throw new errors.AuthenticationError("No keystore exists");
-    }
-    const decoded = await jose.jwtVerify(token, this.keyStore, {
-      algorithms: this.algorithms,
-      audience: "backstage",
-      issuer: this.issuer
-    });
-    if (!decoded.payload.sub) {
-      throw new errors.AuthenticationError("No user sub found in token");
-    }
-    const user = {
-      token,
-      identity: {
-        type: "user",
-        userEntityRef: decoded.payload.sub,
-        ownershipEntityRefs: decoded.payload.ent ? decoded.payload.ent : []
-      }
-    };
-    return user;
-  }
-  /**
-   * If the last keystore refresh is stale, update the keystore URL to the latest
-   */
-  async refreshKeyStore(rawJwtToken) {
-    const payload = await jose.decodeJwt(rawJwtToken);
-    const header = await jose.decodeProtectedHeader(rawJwtToken);
-    let keyStoreHasKey;
-    try {
-      if (this.keyStore) {
-        const [_, rawPayload, rawSignature] = rawJwtToken.split(".");
-        keyStoreHasKey = await this.keyStore(header, {
-          payload: rawPayload,
-          signature: rawSignature
-        });
-      }
-    } catch (error) {
-      keyStoreHasKey = false;
-    }
-    const issuedAfterLastRefresh = payload?.iat && payload.iat > this.keyStoreUpdated - CLOCK_MARGIN_S;
-    if (!this.keyStore || !keyStoreHasKey && issuedAfterLastRefresh) {
-      const url = await this.discovery.getBaseUrl("auth");
-      const endpoint = new URL(`${url}/.well-known/jwks.json`);
-      this.keyStore = jose.createRemoteJWKSet(endpoint);
-      this.keyStoreUpdated = Date.now() / 1e3;
-    }
-  }
-}
-
-class IdentityClient {
-  defaultIdentityClient;
-  static create(options) {
-    return new IdentityClient(DefaultIdentityClient.create(options));
-  }
-  constructor(defaultIdentityClient) {
-    this.defaultIdentityClient = defaultIdentityClient;
-  }
-  /**
-   * Verifies the given backstage identity token
-   * Returns a BackstageIdentity (user) matching the token.
-   * The method throws an error if verification fails.
-   *
-   * @deprecated You should start to use IdentityApi#getIdentity instead of authenticate
-   * to retrieve the user identity.
-   */
-  async authenticate(token) {
-    return await this.defaultIdentityClient.authenticate(token);
-  }
-}
-
-function encodeOAuthState(state) {
-  const stateString = new URLSearchParams(
-    pickBy__default.default(state, (value) => value !== void 0)
-  ).toString();
-  return Buffer.from(stateString, "utf-8").toString("hex");
-}
-function decodeOAuthState(encodedState) {
-  const state = Object.fromEntries(
-    new URLSearchParams(Buffer.from(encodedState, "hex").toString("utf-8"))
-  );
-  if (!state.env || state.env?.length === 0) {
-    throw new errors.NotAllowedError("OAuth state is invalid, missing env");
-  }
-  if (!state.nonce || state.nonce?.length === 0) {
-    throw new errors.NotAllowedError("OAuth state is invalid, missing nonce");
-  }
-  return state;
-}
-
-const THOUSAND_DAYS_MS = 1e3 * 24 * 60 * 60 * 1e3;
-const TEN_MINUTES_MS = 600 * 1e3;
-const defaultCookieConfigurer = ({
-  callbackUrl,
-  providerId,
-  appOrigin
-}) => {
-  const { hostname: domain, pathname, protocol } = new URL(callbackUrl);
-  const secure = protocol === "https:";
-  let sameSite = "lax";
-  if (new URL(appOrigin).hostname !== domain && secure) {
-    sameSite = "none";
-  }
-  const path = pathname.endsWith(`${providerId}/handler/frame`) ? pathname.slice(0, -"/handler/frame".length) : `${pathname}/${providerId}`;
-  return { domain, path, secure, sameSite };
-};
-class OAuthCookieManager {
-  constructor(options) {
-    this.options = options;
-    this.cookieConfigurer = options.cookieConfigurer ?? defaultCookieConfigurer;
-    this.nonceCookie = `${options.providerId}-nonce`;
-    this.refreshTokenCookie = `${options.providerId}-refresh-token`;
-    this.grantedScopeCookie = `${options.providerId}-granted-scope`;
-  }
-  cookieConfigurer;
-  nonceCookie;
-  refreshTokenCookie;
-  grantedScopeCookie;
-  getConfig(origin, pathSuffix = "") {
-    const cookieConfig = this.cookieConfigurer({
-      providerId: this.options.providerId,
-      baseUrl: this.options.baseUrl,
-      callbackUrl: this.options.callbackUrl,
-      appOrigin: origin ?? this.options.defaultAppOrigin
-    });
-    return {
-      httpOnly: true,
-      sameSite: "lax",
-      ...cookieConfig,
-      path: cookieConfig.path + pathSuffix
-    };
-  }
-  setNonce(res, nonce, origin) {
-    res.cookie(this.nonceCookie, nonce, {
-      maxAge: TEN_MINUTES_MS,
-      ...this.getConfig(origin, "/handler")
-    });
-  }
-  setRefreshToken(res, refreshToken, origin) {
-    res.cookie(this.refreshTokenCookie, refreshToken, {
-      maxAge: THOUSAND_DAYS_MS,
-      ...this.getConfig(origin)
-    });
-  }
-  removeRefreshToken(res, origin) {
-    res.cookie(this.refreshTokenCookie, "", {
-      maxAge: 0,
-      ...this.getConfig(origin)
-    });
-  }
-  removeGrantedScopes(res, origin) {
-    res.cookie(this.grantedScopeCookie, "", {
-      maxAge: 0,
-      ...this.getConfig(origin)
-    });
-  }
-  setGrantedScopes(res, scope, origin) {
-    res.cookie(this.grantedScopeCookie, scope, {
-      maxAge: THOUSAND_DAYS_MS,
-      ...this.getConfig(origin)
-    });
-  }
-  getNonce(req) {
-    return req.cookies[this.nonceCookie];
-  }
-  getRefreshToken(req) {
-    return req.cookies[this.refreshTokenCookie];
-  }
-  getGrantedScopes(req) {
-    return req.cookies[this.grantedScopeCookie];
-  }
-}
-
-function reqRes(req) {
-  const res = req.res;
-  if (!res) {
-    throw new Error("No response object found in request");
-  }
-  return res;
-}
-const defaultTransform = ({ requested, granted, required, additional }) => {
-  return [...requested, ...granted, ...required, ...additional];
-};
-function splitScope(scope) {
-  if (!scope) {
-    return [];
-  }
-  return scope.split(/[\s|,]/).filter(Boolean);
-}
-class CookieScopeManager {
-  constructor(scopeTransform, cookieManager) {
-    this.scopeTransform = scopeTransform;
-    this.cookieManager = cookieManager;
-  }
-  static create(options) {
-    const { authenticator, config } = options;
-    const shouldPersistScopes = authenticator.scopes?.persist ?? authenticator.shouldPersistScopes ?? false;
-    const configScopes = typeof config?.getOptional("additionalScopes") === "string" ? splitScope(config.getString("additionalScopes")) : config?.getOptionalStringArray("additionalScopes") ?? [];
-    const transform = authenticator?.scopes?.transform ?? defaultTransform;
-    const additional = [...configScopes, ...options.additionalScopes ?? []];
-    const required = authenticator?.scopes?.required ?? [];
-    return new CookieScopeManager(
-      (requested, granted) => Array.from(
-        new Set(transform({ required, additional, requested, granted }))
-      ).join(" "),
-      shouldPersistScopes ? options.cookieManager : void 0
-    );
-  }
-  async start(req) {
-    const requestScope = splitScope(req.query.scope?.toString());
-    const grantedScope = splitScope(this.cookieManager?.getGrantedScopes(req));
-    const scope = this.scopeTransform(requestScope, grantedScope);
-    if (this.cookieManager) {
-      return {
-        scope,
-        scopeState: { scope }
-      };
-    }
-    return { scope };
-  }
-  async handleCallback(req, ctx) {
-    if (!this.cookieManager) {
-      return Array.from(splitScope(ctx.result.session.scope)).join(" ");
-    }
-    const scope = ctx.state.scope;
-    if (scope === void 0) {
-      throw new errors.AuthenticationError("No scope found in OAuth state");
-    }
-    this.cookieManager.setGrantedScopes(reqRes(req), scope, ctx.origin);
-    return scope;
-  }
-  async clear(req) {
-    if (this.cookieManager) {
-      this.cookieManager.removeGrantedScopes(reqRes(req), req.get("origin"));
-    }
-  }
-  async refresh(req) {
-    const requestScope = splitScope(req.query.scope?.toString());
-    const grantedScope = splitScope(this.cookieManager?.getGrantedScopes(req));
-    const scope = this.scopeTransform(requestScope, grantedScope);
-    return {
-      scope,
-      commit: async (result) => {
-        if (this.cookieManager) {
-          this.cookieManager.setGrantedScopes(
-            reqRes(req),
-            scope,
-            req.get("origin")
-          );
-          return scope;
-        }
-        return Array.from(splitScope(result.session.scope)).join(" ");
-      }
-    };
-  }
-}
-
-function createOAuthRouteHandlers(options) {
-  const {
-    authenticator,
-    config,
-    baseUrl,
-    appUrl,
-    providerId,
-    isOriginAllowed,
-    cookieConfigurer,
-    resolverContext,
-    signInResolver
-  } = options;
-  const defaultAppOrigin = new url.URL(appUrl).origin;
-  const callbackUrl = config.getOptionalString("callbackUrl") ?? `${baseUrl}/${providerId}/handler/frame`;
-  const stateTransform = options.stateTransform ?? ((state) => ({ state }));
-  const profileTransform = options.profileTransform ?? authenticator.defaultProfileTransform;
-  const authenticatorCtx = authenticator.initialize({ config, callbackUrl });
-  const cookieManager = new OAuthCookieManager({
-    baseUrl,
-    callbackUrl,
-    defaultAppOrigin,
-    providerId,
-    cookieConfigurer
-  });
-  const scopeManager = CookieScopeManager.create({
-    config,
-    authenticator,
-    cookieManager,
-    additionalScopes: options.additionalScopes
-  });
-  return {
-    async start(req, res) {
-      const env = req.query.env?.toString();
-      const origin = req.query.origin?.toString();
-      const redirectUrl = req.query.redirectUrl?.toString();
-      const flow = req.query.flow?.toString();
-      if (!env) {
-        throw new errors.InputError("No env provided in request query parameters");
-      }
-      const nonce = crypto__default.default.randomBytes(16).toString("base64");
-      cookieManager.setNonce(res, nonce, origin);
-      const { scope, scopeState } = await scopeManager.start(req);
-      const state = { nonce, env, origin, redirectUrl, flow, ...scopeState };
-      const { state: transformedState } = await stateTransform(state, { req });
-      const { url, status } = await options.authenticator.start(
-        {
-          req,
-          scope,
-          state: encodeOAuthState(transformedState)
-        },
-        authenticatorCtx
-      );
-      res.statusCode = status || 302;
-      res.setHeader("Location", url);
-      res.setHeader("Content-Length", "0");
-      res.end();
-    },
-    async frameHandler(req, res) {
-      let origin = defaultAppOrigin;
-      try {
-        const state = decodeOAuthState(req.query.state?.toString() ?? "");
-        if (state.origin) {
-          try {
-            origin = new url.URL(state.origin).origin;
-          } catch {
-            throw new errors.NotAllowedError("App origin is invalid, failed to parse");
-          }
-          if (!isOriginAllowed(origin)) {
-            throw new errors.NotAllowedError(`Origin '${origin}' is not allowed`);
-          }
-        }
-        const cookieNonce = cookieManager.getNonce(req);
-        const stateNonce = state.nonce;
-        if (!cookieNonce) {
-          throw new errors.NotAllowedError("Auth response is missing cookie nonce");
-        }
-        if (cookieNonce !== stateNonce) {
-          throw new errors.NotAllowedError("Invalid nonce");
-        }
-        const result = await authenticator.authenticate(
-          { req },
-          authenticatorCtx
-        );
-        const { profile } = await profileTransform(result, resolverContext);
-        const signInResult = signInResolver && await signInResolver({ profile, result }, resolverContext);
-        const grantedScopes = await scopeManager.handleCallback(req, {
-          result,
-          state,
-          origin
-        });
-        const response = {
-          profile,
-          providerInfo: {
-            idToken: result.session.idToken,
-            accessToken: result.session.accessToken,
-            scope: grantedScopes,
-            expiresInSeconds: result.session.expiresInSeconds
-          },
-          ...signInResult && {
-            backstageIdentity: prepareBackstageIdentityResponse(signInResult)
-          }
-        };
-        if (result.session.refreshToken) {
-          cookieManager.setRefreshToken(
-            res,
-            result.session.refreshToken,
-            origin
-          );
-        }
-        if (state.flow === "redirect") {
-          if (!state.redirectUrl) {
-            throw new errors.InputError(
-              "No redirectUrl provided in request query parameters"
-            );
-          }
-          res.redirect(state.redirectUrl);
-          return;
-        }
-        sendWebMessageResponse(res, origin, {
-          type: "authorization_response",
-          response
-        });
-      } catch (error) {
-        const { name, message } = errors.isError(error) ? error : new Error("Encountered invalid error");
-        sendWebMessageResponse(res, origin, {
-          type: "authorization_response",
-          error: { name, message }
-        });
-      }
-    },
-    async logout(req, res) {
-      if (req.header("X-Requested-With") !== "XMLHttpRequest") {
-        throw new errors.AuthenticationError("Invalid X-Requested-With header");
-      }
-      if (authenticator.logout) {
-        const refreshToken = cookieManager.getRefreshToken(req);
-        await authenticator.logout({ req, refreshToken }, authenticatorCtx);
-      }
-      cookieManager.removeRefreshToken(res, req.get("origin"));
-      await scopeManager.clear(req);
-      res.status(200).end();
-    },
-    async refresh(req, res) {
-      if (req.header("X-Requested-With") !== "XMLHttpRequest") {
-        throw new errors.AuthenticationError("Invalid X-Requested-With header");
-      }
-      try {
-        const refreshToken = cookieManager.getRefreshToken(req);
-        if (!refreshToken) {
-          throw new errors.InputError("Missing session cookie");
-        }
-        const scopeRefresh = await scopeManager.refresh(req);
-        const result = await authenticator.refresh(
-          { req, scope: scopeRefresh.scope, refreshToken },
-          authenticatorCtx
-        );
-        const grantedScope = await scopeRefresh.commit(result);
-        const { profile } = await profileTransform(result, resolverContext);
-        const newRefreshToken = result.session.refreshToken;
-        if (newRefreshToken && newRefreshToken !== refreshToken) {
-          cookieManager.setRefreshToken(
-            res,
-            newRefreshToken,
-            req.get("origin")
-          );
-        }
-        const response = {
-          profile,
-          providerInfo: {
-            idToken: result.session.idToken,
-            accessToken: result.session.accessToken,
-            scope: grantedScope,
-            expiresInSeconds: result.session.expiresInSeconds
-          }
-        };
-        if (signInResolver) {
-          const identity = await signInResolver(
-            { profile, result },
-            resolverContext
-          );
-          response.backstageIdentity = prepareBackstageIdentityResponse(identity);
-        }
-        res.status(200).json(response);
-      } catch (error) {
-        throw new errors.AuthenticationError("Refresh failed", error);
-      }
-    }
-  };
-}
-
-class PassportHelpers {
-  constructor() {
-  }
-  static transformProfile = (profile, idToken) => {
-    let email = void 0;
-    if (profile.emails && profile.emails.length > 0) {
-      const [firstEmail] = profile.emails;
-      email = firstEmail.value;
-    } else if (profile.email) {
-      email = profile.email;
-    }
-    let picture = void 0;
-    if (profile.avatarUrl) {
-      picture = profile.avatarUrl;
-    } else if (profile.photos && profile.photos.length > 0) {
-      const [firstPhoto] = profile.photos;
-      picture = firstPhoto.value;
-    } else if (profile.photo) {
-      picture = profile.photo;
-    }
-    let displayName = profile.displayName ?? profile.username ?? profile.id;
-    if ((!email || !picture || !displayName) && idToken) {
-      try {
-        const decoded = jose.decodeJwt(idToken);
-        if (!email && decoded.email) {
-          email = decoded.email;
-        }
-        if (!picture && decoded.picture) {
-          picture = decoded.picture;
-        }
-        if (!displayName && decoded.name) {
-          displayName = decoded.name;
-        }
-      } catch (e) {
-        throw new Error(`Failed to parse id token and get profile info, ${e}`);
-      }
-    }
-    return {
-      email,
-      picture,
-      displayName
-    };
-  };
-  static async executeRedirectStrategy(req, providerStrategy, options) {
-    return new Promise((resolve) => {
-      const strategy = Object.create(providerStrategy);
-      strategy.redirect = (url, status) => {
-        resolve({ url, status: status ?? void 0 });
-      };
-      strategy.authenticate(req, { ...options });
-    });
-  }
-  static async executeFrameHandlerStrategy(req, providerStrategy, options) {
-    return new Promise((resolve, reject) => {
-      const strategy = Object.create(providerStrategy);
-      strategy.success = (result, privateInfo) => {
-        resolve({ result, privateInfo });
-      };
-      strategy.fail = (info) => {
-        reject(new Error(`Authentication rejected, ${info.message ?? ""}`));
-      };
-      strategy.error = (error) => {
-        let message = `Authentication failed, ${error.message}`;
-        if (error.oauthError?.data) {
-          try {
-            const errorData = JSON.parse(error.oauthError.data);
-            if (errorData.message) {
-              message += ` - ${errorData.message}`;
-            }
-          } catch (parseError) {
-            message += ` - ${error.oauthError}`;
-          }
-        }
-        reject(new Error(message));
-      };
-      strategy.redirect = () => {
-        reject(new Error("Unexpected redirect"));
-      };
-      strategy.authenticate(req, { ...options ?? {} });
-    });
-  }
-  static async executeRefreshTokenStrategy(providerStrategy, refreshToken, scope) {
-    return new Promise((resolve, reject) => {
-      const anyStrategy = providerStrategy;
-      const OAuth2 = anyStrategy._oauth2.constructor;
-      const oauth2 = new OAuth2(
-        anyStrategy._oauth2._clientId,
-        anyStrategy._oauth2._clientSecret,
-        anyStrategy._oauth2._baseSite,
-        anyStrategy._oauth2._authorizeUrl,
-        anyStrategy._refreshURL || anyStrategy._oauth2._accessTokenUrl,
-        anyStrategy._oauth2._customHeaders
-      );
-      oauth2.getOAuthAccessToken(
-        refreshToken,
-        {
-          scope,
-          grant_type: "refresh_token"
-        },
-        (err, accessToken, newRefreshToken, params) => {
-          if (err) {
-            reject(
-              new Error(`Failed to refresh access token ${err.toString()}`)
-            );
-          }
-          if (!accessToken) {
-            reject(
-              new Error(
-                `Failed to refresh access token, no access token received`
-              )
-            );
-          }
-          resolve({
-            accessToken,
-            refreshToken: newRefreshToken,
-            params
-          });
-        }
-      );
-    });
-  }
-  static async executeFetchUserProfileStrategy(providerStrategy, accessToken) {
-    return new Promise((resolve, reject) => {
-      const anyStrategy = providerStrategy;
-      anyStrategy.userProfile(
-        accessToken,
-        (error, rawProfile) => {
-          if (error) {
-            reject(error);
-          } else {
-            resolve(rawProfile);
-          }
-        }
-      );
-    });
-  }
-}
-
-class PassportOAuthAuthenticatorHelper {
-  static defaultProfileTransform = async (input) => ({
-    profile: PassportHelpers.transformProfile(
-      input.fullProfile ?? {},
-      input.session.idToken
-    )
-  });
-  static from(strategy) {
-    return new PassportOAuthAuthenticatorHelper(strategy);
-  }
-  #strategy;
-  constructor(strategy) {
-    this.#strategy = strategy;
-  }
-  async start(input, options) {
-    return PassportHelpers.executeRedirectStrategy(input.req, this.#strategy, {
-      scope: input.scope,
-      state: input.state,
-      ...options
-    });
-  }
-  async authenticate(input, options) {
-    const { result, privateInfo } = await PassportHelpers.executeFrameHandlerStrategy(input.req, this.#strategy, options);
-    return {
-      fullProfile: result.fullProfile,
-      session: {
-        accessToken: result.accessToken,
-        tokenType: result.params.token_type ?? "bearer",
-        scope: result.params.scope,
-        expiresInSeconds: result.params.expires_in,
-        idToken: result.params.id_token,
-        refreshToken: privateInfo.refreshToken
-      }
-    };
-  }
-  async refresh(input) {
-    const result = await PassportHelpers.executeRefreshTokenStrategy(
-      this.#strategy,
-      input.refreshToken,
-      input.scope
-    );
-    const fullProfile = await this.fetchProfile(result.accessToken);
-    return {
-      fullProfile,
-      session: {
-        accessToken: result.accessToken,
-        tokenType: result.params.token_type ?? "bearer",
-        scope: result.params.scope,
-        expiresInSeconds: result.params.expires_in,
-        idToken: result.params.id_token,
-        refreshToken: result.refreshToken
-      }
-    };
-  }
-  async fetchProfile(accessToken) {
-    const profile = await PassportHelpers.executeFetchUserProfileStrategy(
-      this.#strategy,
-      accessToken
-    );
-    return profile;
-  }
-}
-
-class OAuthEnvironmentHandler {
-  constructor(handlers) {
-    this.handlers = handlers;
-  }
-  static mapConfig(config, factoryFunc) {
-    const envs = config.keys();
-    const handlers = /* @__PURE__ */ new Map();
-    for (const env of envs) {
-      const envConfig = config.getConfig(env);
-      const handler = factoryFunc(envConfig);
-      handlers.set(env, handler);
-    }
-    return new OAuthEnvironmentHandler(handlers);
-  }
-  async start(req, res) {
-    const provider = this.getProviderForEnv(req);
-    await provider.start(req, res);
-  }
-  async frameHandler(req, res) {
-    const provider = this.getProviderForEnv(req);
-    await provider.frameHandler(req, res);
-  }
-  async refresh(req, res) {
-    const provider = this.getProviderForEnv(req);
-    await provider.refresh?.(req, res);
-  }
-  async logout(req, res) {
-    const provider = this.getProviderForEnv(req);
-    await provider.logout?.(req, res);
-  }
-  getEnvFromRequest(req) {
-    const reqEnv = req.query.env?.toString();
-    if (reqEnv) {
-      return reqEnv;
-    }
-    const stateParams = req.query.state?.toString();
-    if (!stateParams) {
-      return void 0;
-    }
-    const { env } = decodeOAuthState(stateParams);
-    return env;
-  }
-  getProviderForEnv(req) {
-    const env = this.getEnvFromRequest(req);
-    if (!env) {
-      throw new errors.InputError(`Must specify 'env' query to select environment`);
-    }
-    const handler = this.handlers.get(env);
-    if (!handler) {
-      throw new errors.NotFoundError(
-        `No configuration available for the '${env}' environment of this provider.`
-      );
-    }
-    return handler;
-  }
-}
-
-function createSignInResolverFactory(options) {
-  const { optionsSchema } = options;
-  if (!optionsSchema) {
-    return (resolverOptions) => {
-      if (resolverOptions) {
-        throw new errors.InputError("sign-in resolver does not accept options");
-      }
-      return options.create(void 0);
-    };
-  }
-  const factory = (...[resolverOptions]) => {
-    const parsedOptions = optionsSchema.parse(resolverOptions);
-    return options.create(parsedOptions);
-  };
-  factory.optionsJsonSchema = zodToJsonSchema__default.default(optionsSchema);
-  return factory;
-}
-
-function readDeclarativeSignInResolver(options) {
-  const resolvers = options.config.getOptionalConfigArray("signIn.resolvers")?.map((resolverConfig) => {
-    const resolverName = resolverConfig.getString("resolver");
-    if (!Object.hasOwn(options.signInResolverFactories, resolverName)) {
-      throw new Error(
-        `Sign-in resolver '${resolverName}' is not available`
-      );
-    }
-    const resolver = options.signInResolverFactories[resolverName];
-    const { resolver: _ignored, ...resolverOptions } = resolverConfig.get();
-    return resolver(
-      Object.keys(resolverOptions).length > 0 ? resolverOptions : void 0
-    );
-  }) ?? [];
-  if (resolvers.length === 0) {
-    return void 0;
-  }
-  return async (profile, context) => {
-    for (const resolver of resolvers) {
-      try {
-        return await resolver(profile, context);
-      } catch (error) {
-        if (error?.name === "NotFoundError") {
-          continue;
-        }
-        throw error;
-      }
-    }
-    throw new Error(
-      "Failed to sign-in, unable to resolve user identity. Please verify that your catalog contains the expected User entities that would match your configured sign-in resolver."
-    );
-  };
-}
-
-const reEmail = /^([^@+]+)(\+[^@]+)?(@.*)$/;
-exports.commonSignInResolvers = void 0;
-((commonSignInResolvers2) => {
-  commonSignInResolvers2.emailMatchingUserEntityProfileEmail = createSignInResolverFactory({
-    create() {
-      return async (info, ctx) => {
-        const { profile } = info;
-        if (!profile.email) {
-          throw new Error(
-            "Login failed, user profile does not contain an email"
-          );
-        }
-        try {
-          return await ctx.signInWithCatalogUser({
-            filter: {
-              "spec.profile.email": profile.email
-            }
-          });
-        } catch (err) {
-          if (err?.name === "NotFoundError") {
-            const m = profile.email.match(reEmail);
-            if (m?.length === 4) {
-              const [_, name, _plus, domain] = m;
-              const noPlusEmail = `${name}${domain}`;
-              return ctx.signInWithCatalogUser({
-                filter: {
-                  "spec.profile.email": noPlusEmail
-                }
-              });
-            }
-          }
-          throw err;
-        }
-      };
-    }
-  });
-  commonSignInResolvers2.emailLocalPartMatchingUserEntityName = createSignInResolverFactory({
-    create() {
-      return async (info, ctx) => {
-        const { profile } = info;
-        if (!profile.email) {
-          throw new Error(
-            "Login failed, user profile does not contain an email"
-          );
-        }
-        const [localPart] = profile.email.split("@");
-        return ctx.signInWithCatalogUser({
-          entityRef: { name: localPart }
-        });
-      };
-    }
-  });
-})(exports.commonSignInResolvers || (exports.commonSignInResolvers = {}));
-
-function createOAuthProviderFactory(options) {
-  return (ctx) => {
-    return OAuthEnvironmentHandler.mapConfig(ctx.config, (envConfig) => {
-      const signInResolver = readDeclarativeSignInResolver({
-        config: envConfig,
-        signInResolverFactories: options.signInResolverFactories ?? {}
-      }) ?? options.signInResolver;
-      return createOAuthRouteHandlers({
-        authenticator: options.authenticator,
-        appUrl: ctx.appUrl,
-        baseUrl: ctx.baseUrl,
-        config: envConfig,
-        isOriginAllowed: ctx.isOriginAllowed,
-        cookieConfigurer: ctx.cookieConfigurer,
-        providerId: ctx.providerId,
-        resolverContext: ctx.resolverContext,
-        additionalScopes: options.additionalScopes,
-        stateTransform: options.stateTransform,
-        profileTransform: options.profileTransform,
-        signInResolver
-      });
-    });
-  };
-}
-
-function createOAuthAuthenticator(authenticator) {
-  return authenticator;
-}
-
-function createProxyAuthenticator(authenticator) {
-  return authenticator;
-}
-
-function createProxyAuthRouteHandlers(options) {
-  const { authenticator, config, resolverContext, signInResolver } = options;
-  const profileTransform = options.profileTransform ?? authenticator.defaultProfileTransform;
-  const authenticatorCtx = authenticator.initialize({ config });
-  return {
-    async start() {
-      throw new errors.NotImplementedError("Not implemented");
-    },
-    async frameHandler() {
-      throw new errors.NotImplementedError("Not implemented");
-    },
-    async refresh(req, res) {
-      const { result, providerInfo } = await authenticator.authenticate(
-        { req },
-        authenticatorCtx
-      );
-      const { profile } = await profileTransform(result, resolverContext);
-      const identity = await signInResolver(
-        { profile, result },
-        resolverContext
-      );
-      const response = {
-        profile,
-        providerInfo,
-        backstageIdentity: prepareBackstageIdentityResponse(identity)
-      };
-      res.status(200).json(response);
-    }
-  };
-}
-
-function createProxyAuthProviderFactory(options) {
-  return (ctx) => {
-    const signInResolver = options.signInResolver ?? readDeclarativeSignInResolver({
-      config: ctx.config,
-      signInResolverFactories: options.signInResolverFactories ?? {}
-    });
-    if (!signInResolver) {
-      throw new Error(
-        `No sign-in resolver configured for proxy auth provider '${ctx.providerId}'`
-      );
-    }
-    return createProxyAuthRouteHandlers({
-      signInResolver,
-      config: ctx.config,
-      authenticator: options.authenticator,
-      resolverContext: ctx.resolverContext,
-      profileTransform: options.profileTransform
-    });
-  };
-}
-
-const tokenTypes = Object.freeze({
-  user: Object.freeze({
-    typParam: "vnd.backstage.user",
-    audClaim: "backstage"
-  }),
-  limitedUser: Object.freeze({
-    typParam: "vnd.backstage.limited-user"
-  }),
-  plugin: Object.freeze({
-    typParam: "vnd.backstage.plugin"
-  })
+var AuthProvidersExtensionPoint = require('./extensions/AuthProvidersExtensionPoint.cjs.js');
+var AuthOwnershipResolutionExtensionPoint = require('./extensions/AuthOwnershipResolutionExtensionPoint.cjs.js');
+var sendWebMessageResponse = require('./flow/sendWebMessageResponse.cjs.js');
+var prepareBackstageIdentityResponse = require('./identity/prepareBackstageIdentityResponse.cjs.js');
+var getBearerTokenFromAuthorizationHeader = require('./identity/getBearerTokenFromAuthorizationHeader.cjs.js');
+var DefaultIdentityClient = require('./identity/DefaultIdentityClient.cjs.js');
+var IdentityClient = require('./identity/IdentityClient.cjs.js');
+var createOAuthRouteHandlers = require('./oauth/createOAuthRouteHandlers.cjs.js');
+var PassportOAuthAuthenticatorHelper = require('./oauth/PassportOAuthAuthenticatorHelper.cjs.js');
+var OAuthEnvironmentHandler = require('./oauth/OAuthEnvironmentHandler.cjs.js');
+var createOAuthProviderFactory = require('./oauth/createOAuthProviderFactory.cjs.js');
+var state = require('./oauth/state.cjs.js');
+var types$1 = require('./oauth/types.cjs.js');
+var PassportHelpers = require('./passport/PassportHelpers.cjs.js');
+var types$2 = require('./proxy/types.cjs.js');
+var createProxyAuthProviderFactory = require('./proxy/createProxyAuthProviderFactory.cjs.js');
+var createProxyRouteHandlers = require('./proxy/createProxyRouteHandlers.cjs.js');
+var createSignInResolverFactory = require('./sign-in/createSignInResolverFactory.cjs.js');
+var readDeclarativeSignInResolver = require('./sign-in/readDeclarativeSignInResolver.cjs.js');
+var commonSignInResolvers = require('./sign-in/commonSignInResolvers.cjs.js');
+var types = require('./types.cjs.js');
+
+
+
+exports.authProvidersExtensionPoint = AuthProvidersExtensionPoint.authProvidersExtensionPoint;
+exports.authOwnershipResolutionExtensionPoint = AuthOwnershipResolutionExtensionPoint.authOwnershipResolutionExtensionPoint;
+exports.sendWebMessageResponse = sendWebMessageResponse.sendWebMessageResponse;
+exports.prepareBackstageIdentityResponse = prepareBackstageIdentityResponse.prepareBackstageIdentityResponse;
+exports.getBearerTokenFromAuthorizationHeader = getBearerTokenFromAuthorizationHeader.getBearerTokenFromAuthorizationHeader;
+exports.DefaultIdentityClient = DefaultIdentityClient.DefaultIdentityClient;
+exports.IdentityClient = IdentityClient.IdentityClient;
+exports.createOAuthRouteHandlers = createOAuthRouteHandlers.createOAuthRouteHandlers;
+exports.PassportOAuthAuthenticatorHelper = PassportOAuthAuthenticatorHelper.PassportOAuthAuthenticatorHelper;
+exports.OAuthEnvironmentHandler = OAuthEnvironmentHandler.OAuthEnvironmentHandler;
+exports.createOAuthProviderFactory = createOAuthProviderFactory.createOAuthProviderFactory;
+exports.decodeOAuthState = state.decodeOAuthState;
+exports.encodeOAuthState = state.encodeOAuthState;
+exports.createOAuthAuthenticator = types$1.createOAuthAuthenticator;
+exports.PassportHelpers = PassportHelpers.PassportHelpers;
+exports.createProxyAuthenticator = types$2.createProxyAuthenticator;
+exports.createProxyAuthProviderFactory = createProxyAuthProviderFactory.createProxyAuthProviderFactory;
+exports.createProxyAuthRouteHandlers = createProxyRouteHandlers.createProxyAuthRouteHandlers;
+exports.createSignInResolverFactory = createSignInResolverFactory.createSignInResolverFactory;
+exports.readDeclarativeSignInResolver = readDeclarativeSignInResolver.readDeclarativeSignInResolver;
+Object.defineProperty(exports, "commonSignInResolvers", {
+  enumerable: true,
+  get: function () { return commonSignInResolvers.commonSignInResolvers; }
 });
-
-exports.DefaultIdentityClient = DefaultIdentityClient;
-exports.IdentityClient = IdentityClient;
-exports.OAuthEnvironmentHandler = OAuthEnvironmentHandler;
-exports.PassportHelpers = PassportHelpers;
-exports.PassportOAuthAuthenticatorHelper = PassportOAuthAuthenticatorHelper;
-exports.authOwnershipResolutionExtensionPoint = authOwnershipResolutionExtensionPoint;
-exports.authProvidersExtensionPoint = authProvidersExtensionPoint;
-exports.createOAuthAuthenticator = createOAuthAuthenticator;
-exports.createOAuthProviderFactory = createOAuthProviderFactory;
-exports.createOAuthRouteHandlers = createOAuthRouteHandlers;
-exports.createProxyAuthProviderFactory = createProxyAuthProviderFactory;
-exports.createProxyAuthRouteHandlers = createProxyAuthRouteHandlers;
-exports.createProxyAuthenticator = createProxyAuthenticator;
-exports.createSignInResolverFactory = createSignInResolverFactory;
-exports.decodeOAuthState = decodeOAuthState;
-exports.encodeOAuthState = encodeOAuthState;
-exports.getBearerTokenFromAuthorizationHeader = getBearerTokenFromAuthorizationHeader;
-exports.prepareBackstageIdentityResponse = prepareBackstageIdentityResponse;
-exports.readDeclarativeSignInResolver = readDeclarativeSignInResolver;
-exports.sendWebMessageResponse = sendWebMessageResponse;
-exports.tokenTypes = tokenTypes;
+exports.tokenTypes = types.tokenTypes;
 //# sourceMappingURL=index.cjs.js.map