npm - @backstage/plugin-auth-node - Versions diffs - 0.6.0-next.1 → 0.6.0 - Mend

@backstage/plugin-auth-node 0.6.0-next.1 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/CHANGELOG.md +31 -0
package/dist/index.d.ts +4 -0
package/dist/oauth/CookieScopeManager.cjs.js +10 -0
package/dist/oauth/CookieScopeManager.cjs.js.map +1 -1
package/dist/oauth/createOAuthRouteHandlers.cjs.js +6 -1
package/dist/oauth/createOAuthRouteHandlers.cjs.js.map +1 -1
package/dist/oauth/types.cjs.js.map +1 -1
package/dist/passport/PassportHelpers.cjs.js +4 -1
package/dist/passport/PassportHelpers.cjs.js.map +1 -1
package/package.json +10 -10

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,36 @@
 # @backstage/plugin-auth-node
+## 0.6.0
+### Minor Changes
+- 61f464e: Added `auth.providers.<providerId>.sessionDuration` config for auth providers to allow the lifespan of user sessions to be configured.
+### Patch Changes
+- 8699b79: Removed unused dependencies
+- cb316fc: Add an `error` handler to the `strategy` to reject the `executeRedirectStrategy`
+- ab9a6fb: Added `scopeAlreadyGranted` property to `OAuthAuthenticatorRefreshInput`, signaling to the provider whether the requested scope has already been granted when persisting session scope.
+- Updated dependencies
+  - @backstage/backend-plugin-api@1.2.0
+  - @backstage/catalog-client@1.9.1
+  - @backstage/catalog-model@1.7.3
+  - @backstage/config@1.3.2
+  - @backstage/errors@1.2.7
+  - @backstage/types@1.2.1
+## 0.6.0-next.2
+### Patch Changes
+- Updated dependencies
+  - @backstage/backend-plugin-api@1.2.0-next.2
+  - @backstage/catalog-client@1.9.1
+  - @backstage/catalog-model@1.7.3
+  - @backstage/config@1.3.2
+  - @backstage/errors@1.2.7
+  - @backstage/types@1.2.1
 ## 0.6.0-next.1
 ### Minor Changes

package/dist/index.d.ts CHANGED Viewed

@@ -567,6 +567,10 @@ interface OAuthAuthenticatorAuthenticateInput {
 }
 /** @public */
 interface OAuthAuthenticatorRefreshInput {
+    /**
+     * Signals whether the requested scope has already been granted for the session. Will only be set if the `scopes.persist` option is enabled.
+     */
+    scopeAlreadyGranted?: boolean;
     scope: string;
     refreshToken: string;
     req: Request;

package/dist/oauth/CookieScopeManager.cjs.js CHANGED Viewed

@@ -71,6 +71,7 @@ class CookieScopeManager {
     const scope = this.scopeTransform(requestScope, grantedScope);
     return {
       scope,
+      scopeAlreadyGranted: this.cookieManager ? hasScopeBeenGranted(grantedScope, scope) : void 0,
       commit: async (result) => {
         if (this.cookieManager) {
           this.cookieManager.setGrantedScopes(
@@ -85,6 +86,15 @@ class CookieScopeManager {
     };
   }
 }
+function hasScopeBeenGranted(grantedScope, requestedScope) {
+  const granted = new Set(grantedScope);
+  for (const requested of splitScope(requestedScope)) {
+    if (!granted.has(requested)) {
+      return false;
+    }
+  }
+  return true;
+}
 exports.CookieScopeManager = CookieScopeManager;
 //# sourceMappingURL=CookieScopeManager.cjs.js.map

package/dist/oauth/CookieScopeManager.cjs.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"CookieScopeManager.cjs.js","sources":["../../src/oauth/CookieScopeManager.ts"],"sourcesContent":["/\n Copyright 2024 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport express from 'express';\nimport {\n OAuthAuthenticator,\n OAuthAuthenticatorResult,\n OAuthAuthenticatorScopeOptions,\n} from './types';\nimport { OAuthCookieManager } from './OAuthCookieManager';\nimport { OAuthState } from './state';\nimport { AuthenticationError } from '@backstage/errors';\nimport { Config } from '@backstage/config';\n\nfunction reqRes(req: express.Request): express.Response {\n const res = req.res;\n if (!res) {\n throw new Error('No response object found in request');\n }\n return res;\n}\n\nconst defaultTransform: Required<OAuthAuthenticatorScopeOptions>['transform'] =\n ({ requested, granted, required, additional }) => {\n return [...requested, ...granted, ...required, ...additional];\n };\n\nfunction splitScope(scope?: string): Iterable<string> {\n if (!scope) {\n return [];\n }\n\n return scope.split(/[\\s\|,]/).filter(Boolean);\n}\n\nexport class CookieScopeManager {\n static create(options: {\n config?: Config;\n additionalScopes?: string[];\n authenticator: OAuthAuthenticator<any, any>;\n cookieManager: OAuthCookieManager;\n }) {\n const { authenticator, config } = options;\n\n const shouldPersistScopes =\n authenticator.scopes?.persist ??\n authenticator.shouldPersistScopes ??\n false;\n\n const configScopes =\n typeof config?.getOptional('additionalScopes') === 'string'\n ? splitScope(config.getString('additionalScopes'))\n : config?.getOptionalStringArray('additionalScopes') ?? [];\n\n const transform = authenticator?.scopes?.transform ?? defaultTransform;\n const additional = [...configScopes, ...(options.additionalScopes ?? [])];\n const required = authenticator?.scopes?.required ?? [];\n\n return new CookieScopeManager(\n (requested, granted) =>\n Array.from(\n new Set(transform({ required, additional, requested, granted })),\n ).join(' '),\n shouldPersistScopes ? options.cookieManager : undefined,\n );\n }\n\n private constructor(\n private readonly scopeTransform: (\n requested: Iterable<string>,\n granted: Iterable<string>,\n ) => string,\n private readonly cookieManager?: OAuthCookieManager,\n ) {}\n\n async start(\n req: express.Request,\n ): Promise<{ scopeState?: Partial<OAuthState>; scope: string }> {\n const requestScope = splitScope(req.query.scope?.toString());\n const grantedScope = splitScope(this.cookieManager?.getGrantedScopes(req));\n\n const scope = this.scopeTransform(requestScope, grantedScope);\n\n if (this.cookieManager) {\n // If scopes are persisted then we pass them through the state so that we\n // can set the cookie on successful auth\n return {\n scope,\n scopeState: { scope },\n };\n }\n return { scope };\n }\n\n async handleCallback(\n req: express.Request,\n ctx: {\n result: OAuthAuthenticatorResult<any>;\n state: OAuthState;\n origin?: string;\n },\n ): Promise<string> {\n // If we are not persisting scopes we can forward the scope from the result\n if (!this.cookieManager) {\n return Array.from(splitScope(ctx.result.session.scope)).join(' ');\n }\n\n const scope = ctx.state.scope;\n if (scope === undefined) {\n throw new AuthenticationError('No scope found in OAuth state');\n }\n\n // Store the scope that we have been granted for this session. This is useful if\n // the provider does not return granted scopes on refresh or if they are normalized.\n this.cookieManager.setGrantedScopes(reqRes(req), scope, ctx.origin);\n\n return scope;\n }\n\n async clear(req: express.Request): Promise<void> {\n if (this.cookieManager) {\n this.cookieManager.removeGrantedScopes(reqRes(req), req.get('origin'));\n }\n }\n\n async refresh(req: express.Request): Promise<{\n scope: string;\n commit(result: OAuthAuthenticatorResult<any>): Promise<string>;\n }> {\n const requestScope = splitScope(req.query.scope?.toString());\n const grantedScope = splitScope(this.cookieManager?.getGrantedScopes(req));\n\n const scope = this.scopeTransform(requestScope, grantedScope);\n\n return {\n scope,\n commit: async result => {\n if (this.cookieManager) {\n this.cookieManager.setGrantedScopes(\n reqRes(req),\n scope,\n req.get('origin'),\n );\n return scope;\n }\n\n return Array.from(splitScope(result.session.scope)).join(' ');\n },\n };\n }\n}\n"],"names":["AuthenticationError"],"mappings":";;;;AA2BA,SAAS,OAAO,GAAwC,EAAA;AACtD,EAAA,MAAM,MAAM,GAAI,CAAA,GAAA;AAChB,EAAA,IAAI,CAAC,GAAK,EAAA;AACR,IAAM,MAAA,IAAI,MAAM,qCAAqC,CAAA;AAAA;AAEvD,EAAO,OAAA,GAAA;AACT;AAEA,MAAM,mBACJ,CAAC,EAAE,WAAW,OAAS,EAAA,QAAA,EAAU,YAAiB,KAAA;AAChD,EAAO,OAAA,CAAC,GAAG,SAAW,EAAA,GAAG,SAAS,GAAG,QAAA,EAAU,GAAG,UAAU,CAAA;AAC9D,CAAA;AAEF,SAAS,WAAW,KAAkC,EAAA;AACpD,EAAA,IAAI,CAAC,KAAO,EAAA;AACV,IAAA,OAAO,EAAC;AAAA;AAGV,EAAA,OAAO,KAAM,CAAA,KAAA,CAAM,QAAQ,CAAA,CAAE,OAAO,OAAO,CAAA;AAC7C;AAEO,MAAM,kBAAmB,CAAA;AAAA,EAgCtB,WAAA,CACW,gBAIA,aACjB,EAAA;AALiB,IAAA,IAAA,CAAA,cAAA,GAAA,cAAA;AAIA,IAAA,IAAA,CAAA,aAAA,GAAA,aAAA;AAAA;AAChB,EArCH,OAAO,OAAO,OAKX,EAAA;AACD,IAAM,MAAA,EAAE,aAAe,EAAA,MAAA,EAAW,GAAA,OAAA;AAElC,IAAA,MAAM,mBACJ,GAAA,aAAA,CAAc,MAAQ,EAAA,OAAA,IACtB,cAAc,mBACd,IAAA,KAAA;AAEF,IAAA,MAAM,eACJ,OAAO,MAAA,EAAQ,WAAY,CAAA,kBAAkB,MAAM,QAC/C,GAAA,UAAA,CAAW,MAAO,CAAA,SAAA,CAAU,kBAAkB,CAAC,CAAA,GAC/C,QAAQ,sBAAuB,CAAA,kBAAkB,KAAK,EAAC;AAE7D,IAAM,MAAA,SAAA,GAAY,aAAe,EAAA,MAAA,EAAQ,SAAa,IAAA,gBAAA;AACtD,IAAM,MAAA,UAAA,GAAa,CAAC,GAAG,YAAA,EAAc,GAAI,OAAQ,CAAA,gBAAA,IAAoB,EAAG,CAAA;AACxE,IAAA,MAAM,QAAW,GAAA,aAAA,EAAe,MAAQ,EAAA,QAAA,IAAY,EAAC;AAErD,IAAA,OAAO,IAAI,kBAAA;AAAA,MACT,CAAC,SAAW,EAAA,OAAA,KACV,KAAM,CAAA,IAAA;AAAA,QACJ,IAAI,IAAI,SAAU,CAAA,EAAE,UAAU,UAAY,EAAA,SAAA,EAAW,OAAQ,EAAC,CAAC;AAAA,OACjE,CAAE,KAAK,GAAG,CAAA;AAAA,MACZ,mBAAA,GAAsB,QAAQ,aAAgB,GAAA,KAAA;AAAA,KAChD;AAAA;AACF,EAUA,MAAM,MACJ,GAC8D,EAAA;AAC9D,IAAA,MAAM,eAAe,UAAW,CAAA,GAAA,CAAI,KAAM,CAAA,KAAA,EAAO,UAAU,CAAA;AAC3D,IAAA,MAAM,eAAe,UAAW,CAAA,IAAA,CAAK,aAAe,EAAA,gBAAA,CAAiB,GAAG,CAAC,CAAA;AAEzE,IAAA,MAAM,KAAQ,GAAA,IAAA,CAAK,cAAe,CAAA,YAAA,EAAc,YAAY,CAAA;AAE5D,IAAA,IAAI,KAAK,aAAe,EAAA;AAGtB,MAAO,OAAA;AAAA,QACL,KAAA;AAAA,QACA,UAAA,EAAY,EAAE,KAAM;AAAA,OACtB;AAAA;AAEF,IAAA,OAAO,EAAE,KAAM,EAAA;AAAA;AACjB,EAEA,MAAM,cACJ,CAAA,GAAA,EACA,GAKiB,EAAA;AAEjB,IAAI,IAAA,CAAC,KAAK,aAAe,EAAA;AACvB,MAAO,OAAA,KAAA,CAAM,IAAK,CAAA,UAAA,CAAW,GAAI,CAAA,MAAA,CAAO,QAAQ,KAAK,CAAC,CAAE,CAAA,IAAA,CAAK,GAAG,CAAA;AAAA;AAGlE,IAAM,MAAA,KAAA,GAAQ,IAAI,KAAM,CAAA,KAAA;AACxB,IAAA,IAAI,UAAU,KAAW,CAAA,EAAA;AACvB,MAAM,MAAA,IAAIA,2BAAoB,+BAA+B,CAAA;AAAA;AAK/D,IAAA,IAAA,CAAK,cAAc,gBAAiB,CAAA,MAAA,CAAO,GAAG,CAAG,EAAA,KAAA,EAAO,IAAI,MAAM,CAAA;AAElE,IAAO,OAAA,KAAA;AAAA;AACT,EAEA,MAAM,MAAM,GAAqC,EAAA;AAC/C,IAAA,IAAI,KAAK,aAAe,EAAA;AACtB,MAAK,IAAA,CAAA,aAAA,CAAc,oBAAoB,MAAO,CAAA,GAAG,GAAG,GAAI,CAAA,GAAA,CAAI,QAAQ,CAAC,CAAA;AAAA;AACvE;AACF,EAEA,MAAM,QAAQ,~~GAGX~~,EAAA;AACD,IAAA,MAAM,eAAe,UAAW,CAAA,GAAA,CAAI,KAAM,CAAA,KAAA,EAAO,UAAU,CAAA;AAC3D,IAAA,MAAM,eAAe,UAAW,CAAA,IAAA,CAAK,aAAe,EAAA,gBAAA,CAAiB,GAAG,CAAC,CAAA;AAEzE,IAAA,MAAM,KAAQ,GAAA,IAAA,CAAK,cAAe,CAAA,YAAA,EAAc,YAAY,CAAA;AAE5D,IAAO,OAAA;AAAA,MACL,KAAA;AAAA,MACA,MAAA,EAAQ,OAAM,MAAU,KAAA;AACtB,QAAA,IAAI,KAAK,aAAe,EAAA;AACtB,UAAA,IAAA,CAAK,aAAc,CAAA,gBAAA;AAAA,YACjB,OAAO,GAAG,CAAA;AAAA,YACV,KAAA;AAAA,YACA,GAAA,CAAI,IAAI,QAAQ;AAAA,WAClB;AACA,UAAO,OAAA,KAAA;AAAA;AAGT,QAAO,OAAA,KAAA,CAAM,KAAK,UAAW,CAAA,MAAA,CAAO,QAAQ,KAAK,CAAC,CAAE,CAAA,IAAA,CAAK,GAAG,CAAA;AAAA;AAC9D,KACF;AAAA;AAEJ;;;;"}
1	+ {"version":3,"file":"CookieScopeManager.cjs.js","sources":["../../src/oauth/CookieScopeManager.ts"],"sourcesContent":["/\n Copyright 2024 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport express from 'express';\nimport {\n OAuthAuthenticator,\n OAuthAuthenticatorResult,\n OAuthAuthenticatorScopeOptions,\n} from './types';\nimport { OAuthCookieManager } from './OAuthCookieManager';\nimport { OAuthState } from './state';\nimport { AuthenticationError } from '@backstage/errors';\nimport { Config } from '@backstage/config';\n\nfunction reqRes(req: express.Request): express.Response {\n const res = req.res;\n if (!res) {\n throw new Error('No response object found in request');\n }\n return res;\n}\n\nconst defaultTransform: Required<OAuthAuthenticatorScopeOptions>['transform'] =\n ({ requested, granted, required, additional }) => {\n return [...requested, ...granted, ...required, ...additional];\n };\n\nfunction splitScope(scope?: string): Iterable<string> {\n if (!scope) {\n return [];\n }\n\n return scope.split(/[\\s\|,]/).filter(Boolean);\n}\n\nexport class CookieScopeManager {\n static create(options: {\n config?: Config;\n additionalScopes?: string[];\n authenticator: OAuthAuthenticator<any, any>;\n cookieManager: OAuthCookieManager;\n }) {\n const { authenticator, config } = options;\n\n const shouldPersistScopes =\n authenticator.scopes?.persist ??\n authenticator.shouldPersistScopes ??\n false;\n\n const configScopes =\n typeof config?.getOptional('additionalScopes') === 'string'\n ? splitScope(config.getString('additionalScopes'))\n : config?.getOptionalStringArray('additionalScopes') ?? [];\n\n const transform = authenticator?.scopes?.transform ?? defaultTransform;\n const additional = [...configScopes, ...(options.additionalScopes ?? [])];\n const required = authenticator?.scopes?.required ?? [];\n\n return new CookieScopeManager(\n (requested, granted) =>\n Array.from(\n new Set(transform({ required, additional, requested, granted })),\n ).join(' '),\n shouldPersistScopes ? options.cookieManager : undefined,\n );\n }\n\n private constructor(\n private readonly scopeTransform: (\n requested: Iterable<string>,\n granted: Iterable<string>,\n ) => string,\n private readonly cookieManager?: OAuthCookieManager,\n ) {}\n\n async start(\n req: express.Request,\n ): Promise<{ scopeState?: Partial<OAuthState>; scope: string }> {\n const requestScope = splitScope(req.query.scope?.toString());\n const grantedScope = splitScope(this.cookieManager?.getGrantedScopes(req));\n\n const scope = this.scopeTransform(requestScope, grantedScope);\n\n if (this.cookieManager) {\n // If scopes are persisted then we pass them through the state so that we\n // can set the cookie on successful auth\n return {\n scope,\n scopeState: { scope },\n };\n }\n return { scope };\n }\n\n async handleCallback(\n req: express.Request,\n ctx: {\n result: OAuthAuthenticatorResult<any>;\n state: OAuthState;\n origin?: string;\n },\n ): Promise<string> {\n // If we are not persisting scopes we can forward the scope from the result\n if (!this.cookieManager) {\n return Array.from(splitScope(ctx.result.session.scope)).join(' ');\n }\n\n const scope = ctx.state.scope;\n if (scope === undefined) {\n throw new AuthenticationError('No scope found in OAuth state');\n }\n\n // Store the scope that we have been granted for this session. This is useful if\n // the provider does not return granted scopes on refresh or if they are normalized.\n this.cookieManager.setGrantedScopes(reqRes(req), scope, ctx.origin);\n\n return scope;\n }\n\n async clear(req: express.Request): Promise<void> {\n if (this.cookieManager) {\n this.cookieManager.removeGrantedScopes(reqRes(req), req.get('origin'));\n }\n }\n\n async refresh(req: express.Request): Promise<{\n scope: string;\n scopeAlreadyGranted?: boolean;\n commit(result: OAuthAuthenticatorResult<any>): Promise<string>;\n }> {\n const requestScope = splitScope(req.query.scope?.toString());\n const grantedScope = splitScope(this.cookieManager?.getGrantedScopes(req));\n\n const scope = this.scopeTransform(requestScope, grantedScope);\n\n return {\n scope,\n scopeAlreadyGranted: this.cookieManager\n ? hasScopeBeenGranted(grantedScope, scope)\n : undefined,\n commit: async result => {\n if (this.cookieManager) {\n this.cookieManager.setGrantedScopes(\n reqRes(req),\n scope,\n req.get('origin'),\n );\n return scope;\n }\n\n return Array.from(splitScope(result.session.scope)).join(' ');\n },\n };\n }\n}\n\nfunction hasScopeBeenGranted(\n grantedScope: Iterable<string>,\n requestedScope: string,\n): boolean {\n const granted = new Set(grantedScope);\n for (const requested of splitScope(requestedScope)) {\n if (!granted.has(requested)) {\n return false;\n }\n }\n return true;\n}\n"],"names":["AuthenticationError"],"mappings":";;;;AA2BA,SAAS,OAAO,GAAwC,EAAA;AACtD,EAAA,MAAM,MAAM,GAAI,CAAA,GAAA;AAChB,EAAA,IAAI,CAAC,GAAK,EAAA;AACR,IAAM,MAAA,IAAI,MAAM,qCAAqC,CAAA;AAAA;AAEvD,EAAO,OAAA,GAAA;AACT;AAEA,MAAM,mBACJ,CAAC,EAAE,WAAW,OAAS,EAAA,QAAA,EAAU,YAAiB,KAAA;AAChD,EAAO,OAAA,CAAC,GAAG,SAAW,EAAA,GAAG,SAAS,GAAG,QAAA,EAAU,GAAG,UAAU,CAAA;AAC9D,CAAA;AAEF,SAAS,WAAW,KAAkC,EAAA;AACpD,EAAA,IAAI,CAAC,KAAO,EAAA;AACV,IAAA,OAAO,EAAC;AAAA;AAGV,EAAA,OAAO,KAAM,CAAA,KAAA,CAAM,QAAQ,CAAA,CAAE,OAAO,OAAO,CAAA;AAC7C;AAEO,MAAM,kBAAmB,CAAA;AAAA,EAgCtB,WAAA,CACW,gBAIA,aACjB,EAAA;AALiB,IAAA,IAAA,CAAA,cAAA,GAAA,cAAA;AAIA,IAAA,IAAA,CAAA,aAAA,GAAA,aAAA;AAAA;AAChB,EArCH,OAAO,OAAO,OAKX,EAAA;AACD,IAAM,MAAA,EAAE,aAAe,EAAA,MAAA,EAAW,GAAA,OAAA;AAElC,IAAA,MAAM,mBACJ,GAAA,aAAA,CAAc,MAAQ,EAAA,OAAA,IACtB,cAAc,mBACd,IAAA,KAAA;AAEF,IAAA,MAAM,eACJ,OAAO,MAAA,EAAQ,WAAY,CAAA,kBAAkB,MAAM,QAC/C,GAAA,UAAA,CAAW,MAAO,CAAA,SAAA,CAAU,kBAAkB,CAAC,CAAA,GAC/C,QAAQ,sBAAuB,CAAA,kBAAkB,KAAK,EAAC;AAE7D,IAAM,MAAA,SAAA,GAAY,aAAe,EAAA,MAAA,EAAQ,SAAa,IAAA,gBAAA;AACtD,IAAM,MAAA,UAAA,GAAa,CAAC,GAAG,YAAA,EAAc,GAAI,OAAQ,CAAA,gBAAA,IAAoB,EAAG,CAAA;AACxE,IAAA,MAAM,QAAW,GAAA,aAAA,EAAe,MAAQ,EAAA,QAAA,IAAY,EAAC;AAErD,IAAA,OAAO,IAAI,kBAAA;AAAA,MACT,CAAC,SAAW,EAAA,OAAA,KACV,KAAM,CAAA,IAAA;AAAA,QACJ,IAAI,IAAI,SAAU,CAAA,EAAE,UAAU,UAAY,EAAA,SAAA,EAAW,OAAQ,EAAC,CAAC;AAAA,OACjE,CAAE,KAAK,GAAG,CAAA;AAAA,MACZ,mBAAA,GAAsB,QAAQ,aAAgB,GAAA,KAAA;AAAA,KAChD;AAAA;AACF,EAUA,MAAM,MACJ,GAC8D,EAAA;AAC9D,IAAA,MAAM,eAAe,UAAW,CAAA,GAAA,CAAI,KAAM,CAAA,KAAA,EAAO,UAAU,CAAA;AAC3D,IAAA,MAAM,eAAe,UAAW,CAAA,IAAA,CAAK,aAAe,EAAA,gBAAA,CAAiB,GAAG,CAAC,CAAA;AAEzE,IAAA,MAAM,KAAQ,GAAA,IAAA,CAAK,cAAe,CAAA,YAAA,EAAc,YAAY,CAAA;AAE5D,IAAA,IAAI,KAAK,aAAe,EAAA;AAGtB,MAAO,OAAA;AAAA,QACL,KAAA;AAAA,QACA,UAAA,EAAY,EAAE,KAAM;AAAA,OACtB;AAAA;AAEF,IAAA,OAAO,EAAE,KAAM,EAAA;AAAA;AACjB,EAEA,MAAM,cACJ,CAAA,GAAA,EACA,GAKiB,EAAA;AAEjB,IAAI,IAAA,CAAC,KAAK,aAAe,EAAA;AACvB,MAAO,OAAA,KAAA,CAAM,IAAK,CAAA,UAAA,CAAW,GAAI,CAAA,MAAA,CAAO,QAAQ,KAAK,CAAC,CAAE,CAAA,IAAA,CAAK,GAAG,CAAA;AAAA;AAGlE,IAAM,MAAA,KAAA,GAAQ,IAAI,KAAM,CAAA,KAAA;AACxB,IAAA,IAAI,UAAU,KAAW,CAAA,EAAA;AACvB,MAAM,MAAA,IAAIA,2BAAoB,+BAA+B,CAAA;AAAA;AAK/D,IAAA,IAAA,CAAK,cAAc,gBAAiB,CAAA,MAAA,CAAO,GAAG,CAAG,EAAA,KAAA,EAAO,IAAI,MAAM,CAAA;AAElE,IAAO,OAAA,KAAA;AAAA;AACT,EAEA,MAAM,MAAM,GAAqC,EAAA;AAC/C,IAAA,IAAI,KAAK,aAAe,EAAA;AACtB,MAAK,IAAA,CAAA,aAAA,CAAc,oBAAoB,MAAO,CAAA,GAAG,GAAG,GAAI,CAAA,GAAA,CAAI,QAAQ,CAAC,CAAA;AAAA;AACvE;AACF,EAEA,MAAM,QAAQ,GAIX,EAAA;AACD,IAAA,MAAM,eAAe,UAAW,CAAA,GAAA,CAAI,KAAM,CAAA,KAAA,EAAO,UAAU,CAAA;AAC3D,IAAA,MAAM,eAAe,UAAW,CAAA,IAAA,CAAK,aAAe,EAAA,gBAAA,CAAiB,GAAG,CAAC,CAAA;AAEzE,IAAA,MAAM,KAAQ,GAAA,IAAA,CAAK,cAAe,CAAA,YAAA,EAAc,YAAY,CAAA;AAE5D,IAAO,OAAA;AAAA,MACL,KAAA;AAAA,MACA,qBAAqB,IAAK,CAAA,aAAA,GACtB,mBAAoB,CAAA,YAAA,EAAc,KAAK,CACvC,GAAA,KAAA,CAAA;AAAA,MACJ,MAAA,EAAQ,OAAM,MAAU,KAAA;AACtB,QAAA,IAAI,KAAK,aAAe,EAAA;AACtB,UAAA,IAAA,CAAK,aAAc,CAAA,gBAAA;AAAA,YACjB,OAAO,GAAG,CAAA;AAAA,YACV,KAAA;AAAA,YACA,GAAA,CAAI,IAAI,QAAQ;AAAA,WAClB;AACA,UAAO,OAAA,KAAA;AAAA;AAGT,QAAO,OAAA,KAAA,CAAM,KAAK,UAAW,CAAA,MAAA,CAAO,QAAQ,KAAK,CAAC,CAAE,CAAA,IAAA,CAAK,GAAG,CAAA;AAAA;AAC9D,KACF;AAAA;AAEJ;AAEA,SAAS,mBAAA,CACP,cACA,cACS,EAAA;AACT,EAAM,MAAA,OAAA,GAAU,IAAI,GAAA,CAAI,YAAY,CAAA;AACpC,EAAW,KAAA,MAAA,SAAA,IAAa,UAAW,CAAA,cAAc,CAAG,EAAA;AAClD,IAAA,IAAI,CAAC,OAAA,CAAQ,GAAI,CAAA,SAAS,CAAG,EAAA;AAC3B,MAAO,OAAA,KAAA;AAAA;AACT;AAEF,EAAO,OAAA,IAAA;AACT;;;;"}

package/dist/oauth/createOAuthRouteHandlers.cjs.js CHANGED Viewed

@@ -177,7 +177,12 @@ function createOAuthRouteHandlers(options) {
         }
         const scopeRefresh = await scopeManager.refresh(req);
         const result = await authenticator.refresh(
-          { req, scope: scopeRefresh.scope, refreshToken },
+          {
+            req,
+            scope: scopeRefresh.scope,
+            scopeAlreadyGranted: scopeRefresh.scopeAlreadyGranted,
+            refreshToken
+          },
           authenticatorCtx
         );
         const grantedScope = await scopeRefresh.commit(result);

package/dist/oauth/createOAuthRouteHandlers.cjs.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"createOAuthRouteHandlers.cjs.js","sources":["../../src/oauth/createOAuthRouteHandlers.ts"],"sourcesContent":["/\n Copyright 2020 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport express from 'express';\nimport crypto from 'crypto';\nimport { URL } from 'url';\nimport {\n AuthenticationError,\n InputError,\n isError,\n NotAllowedError,\n} from '@backstage/errors';\nimport {\n encodeOAuthState,\n decodeOAuthState,\n OAuthStateTransform,\n} from './state';\nimport { sendWebMessageResponse } from '../flow';\nimport { prepareBackstageIdentityResponse } from '../identity';\nimport { OAuthCookieManager } from './OAuthCookieManager';\nimport {\n AuthProviderRouteHandlers,\n AuthResolverContext,\n ClientAuthResponse,\n CookieConfigurer,\n ProfileTransform,\n SignInResolver,\n} from '../types';\nimport { OAuthAuthenticator, OAuthAuthenticatorResult } from './types';\nimport { Config, readDurationFromConfig } from '@backstage/config';\nimport { CookieScopeManager } from './CookieScopeManager';\n\n/* @public /\nexport interface OAuthRouteHandlersOptions<TProfile> {\n authenticator: OAuthAuthenticator<any, TProfile>;\n appUrl: string;\n baseUrl: string;\n isOriginAllowed: (origin: string) => boolean;\n providerId: string;\n config: Config;\n resolverContext: AuthResolverContext;\n additionalScopes?: string[];\n stateTransform?: OAuthStateTransform;\n profileTransform?: ProfileTransform<OAuthAuthenticatorResult<TProfile>>;\n cookieConfigurer?: CookieConfigurer;\n signInResolver?: SignInResolver<OAuthAuthenticatorResult<TProfile>>;\n}\n\n/* @internal /\ntype ClientOAuthResponse = ClientAuthResponse<{\n /\n An access token issued for the signed in user.\n /\n accessToken: string;\n /\n (Optional) Id token issued for the signed in user.\n /\n idToken?: string;\n /\n Expiry of the access token in seconds.\n /\n expiresInSeconds?: number;\n /\n Scopes granted for the access token.\n /\n scope: string;\n}>;\n\n/* @public */\nexport function createOAuthRouteHandlers<TProfile>(\n options: OAuthRouteHandlersOptions<TProfile>,\n): AuthProviderRouteHandlers {\n const {\n authenticator,\n config,\n baseUrl,\n appUrl,\n providerId,\n isOriginAllowed,\n cookieConfigurer,\n resolverContext,\n signInResolver,\n } = options;\n\n const defaultAppOrigin = new URL(appUrl).origin;\n const callbackUrl =\n config.getOptionalString('callbackUrl') ??\n `${baseUrl}/${providerId}/handler/frame`;\n const sessionDuration = config.has('sessionDuration')\n ? readDurationFromConfig(config, { key: 'sessionDuration' })\n : undefined;\n\n const stateTransform = options.stateTransform ?? (state => ({ state }));\n const profileTransform =\n options.profileTransform ?? authenticator.defaultProfileTransform;\n const authenticatorCtx = authenticator.initialize({ config, callbackUrl });\n const cookieManager = new OAuthCookieManager({\n baseUrl,\n callbackUrl,\n defaultAppOrigin,\n providerId,\n cookieConfigurer,\n sessionDuration,\n });\n\n const scopeManager = CookieScopeManager.create({\n config,\n authenticator,\n cookieManager,\n additionalScopes: options.additionalScopes,\n });\n\n return {\n async start(\n this: never,\n req: express.Request,\n res: express.Response,\n ): Promise<void> {\n const env = req.query.env?.toString();\n const origin = req.query.origin?.toString();\n const redirectUrl = req.query.redirectUrl?.toString();\n const flow = req.query.flow?.toString();\n\n if (!env) {\n throw new InputError('No env provided in request query parameters');\n }\n\n const nonce = crypto.randomBytes(16).toString('base64');\n // set a nonce cookie before redirecting to oauth provider\n cookieManager.setNonce(res, nonce, origin);\n\n const { scope, scopeState } = await scopeManager.start(req);\n\n const state = { nonce, env, origin, redirectUrl, flow, ...scopeState };\n const { state: transformedState } = await stateTransform(state, { req });\n\n const { url, status } = await options.authenticator.start(\n {\n req,\n scope,\n state: encodeOAuthState(transformedState),\n },\n authenticatorCtx,\n );\n\n res.statusCode = status \|\| 302;\n res.setHeader('Location', url);\n res.setHeader('Content-Length', '0');\n res.end();\n },\n\n async frameHandler(\n this: never,\n req: express.Request,\n res: express.Response,\n ): Promise<void> {\n let origin = defaultAppOrigin;\n let state;\n\n try {\n state = decodeOAuthState(req.query.state?.toString() ?? '');\n\n if (state.origin) {\n try {\n origin = new URL(state.origin).origin;\n } catch {\n throw new NotAllowedError('App origin is invalid, failed to parse');\n }\n if (!isOriginAllowed(origin)) {\n throw new NotAllowedError(`Origin '${origin}' is not allowed`);\n }\n }\n\n // The same nonce is passed through cookie and state, and they must match\n const cookieNonce = cookieManager.getNonce(req);\n const stateNonce = state.nonce;\n if (!cookieNonce) {\n throw new NotAllowedError('Auth response is missing cookie nonce');\n }\n if (cookieNonce !== stateNonce) {\n throw new NotAllowedError('Invalid nonce');\n }\n\n const result = await authenticator.authenticate(\n { req },\n authenticatorCtx,\n );\n const { profile } = await profileTransform(result, resolverContext);\n\n const signInResult =\n signInResolver &&\n (await signInResolver({ profile, result }, resolverContext));\n\n const grantedScopes = await scopeManager.handleCallback(req, {\n result,\n state,\n origin,\n });\n\n const response: ClientOAuthResponse = {\n profile,\n providerInfo: {\n idToken: result.session.idToken,\n accessToken: result.session.accessToken,\n scope: grantedScopes,\n expiresInSeconds: result.session.expiresInSeconds,\n },\n ...(signInResult && {\n backstageIdentity: prepareBackstageIdentityResponse(signInResult),\n }),\n };\n\n if (result.session.refreshToken) {\n // set new refresh token\n cookieManager.setRefreshToken(\n res,\n result.session.refreshToken,\n origin,\n );\n }\n\n // When using the redirect flow we rely on refresh token we just\n // acquired to get a new session once we're back in the app.\n if (state.flow === 'redirect') {\n if (!state.redirectUrl) {\n throw new InputError(\n 'No redirectUrl provided in request query parameters',\n );\n }\n res.redirect(state.redirectUrl);\n return;\n }\n\n // post message back to popup if successful\n sendWebMessageResponse(res, origin, {\n type: 'authorization_response',\n response,\n });\n } catch (error) {\n const { name, message } = isError(error)\n ? error\n : new Error('Encountered invalid error'); // Being a bit safe and not forwarding the bad value\n\n if (state?.flow === 'redirect' && state?.redirectUrl) {\n const redirectUrl = new URL(state.redirectUrl);\n redirectUrl.searchParams.set('error', message);\n\n // set the error in a cookie and redirect user back to sign in where the error can be rendered\n res.redirect(redirectUrl.toString());\n } else {\n // post error message back to popup if failure\n sendWebMessageResponse(res, origin, {\n type: 'authorization_response',\n error: { name, message },\n });\n }\n }\n },\n\n async logout(\n this: never,\n req: express.Request,\n res: express.Response,\n ): Promise<void> {\n // We use this as a lightweight CSRF protection\n if (req.header('X-Requested-With') !== 'XMLHttpRequest') {\n throw new AuthenticationError('Invalid X-Requested-With header');\n }\n\n if (authenticator.logout) {\n const refreshToken = cookieManager.getRefreshToken(req);\n await authenticator.logout({ req, refreshToken }, authenticatorCtx);\n }\n\n // remove refresh token cookie if it is set\n cookieManager.removeRefreshToken(res, req.get('origin'));\n\n // remove persisted scopes\n await scopeManager.clear(req);\n\n res.status(200).end();\n },\n\n async refresh(\n this: never,\n req: express.Request,\n res: express.Response,\n ): Promise<void> {\n // We use this as a lightweight CSRF protection\n if (req.header('X-Requested-With') !== 'XMLHttpRequest') {\n throw new AuthenticationError('Invalid X-Requested-With header');\n }\n\n try {\n const refreshToken = cookieManager.getRefreshToken(req);\n\n // throw error if refresh token is missing in the request\n if (!refreshToken) {\n throw new InputError('Missing session cookie');\n }\n\n const scopeRefresh = await scopeManager.refresh(req);\n\n const result = await authenticator.refresh(\n { req, scope: scopeRefresh.scope, refreshToken },\n authenticatorCtx,\n );\n\n const grantedScope = await scopeRefresh.commit(result);\n\n const { profile } = await profileTransform(result, resolverContext);\n\n const newRefreshToken = result.session.refreshToken;\n if (newRefreshToken && newRefreshToken !== refreshToken) {\n cookieManager.setRefreshToken(\n res,\n newRefreshToken,\n req.get('origin'),\n );\n }\n\n const response: ClientOAuthResponse = {\n profile,\n providerInfo: {\n idToken: result.session.idToken,\n accessToken: result.session.accessToken,\n scope: grantedScope,\n expiresInSeconds: result.session.expiresInSeconds,\n },\n };\n\n if (signInResolver) {\n const identity = await signInResolver(\n { profile, result },\n resolverContext,\n );\n response.backstageIdentity =\n prepareBackstageIdentityResponse(identity);\n }\n\n res.status(200).json(response);\n } catch (error) {\n throw new AuthenticationError('Refresh failed', error);\n }\n },\n };\n}\n"],"names":["config","URL","readDurationFromConfig","OAuthCookieManager","CookieScopeManager","InputError","crypto","state","encodeOAuthState","decodeOAuthState","NotAllowedError","prepareBackstageIdentityResponse","sendWebMessageResponse","isError","AuthenticationError"],"mappings":";;;;;;;;;;;;;;;;;AAkFO,SAAS,yBACd,OAC2B,EAAA;AAC3B,EAAM,MAAA;AAAA,IACJ,aAAA;AAAA,YACAA,QAAA;AAAA,IACA,OAAA;AAAA,IACA,MAAA;AAAA,IACA,UAAA;AAAA,IACA,eAAA;AAAA,IACA,gBAAA;AAAA,IACA,eAAA;AAAA,IACA;AAAA,GACE,GAAA,OAAA;AAEJ,EAAA,MAAM,gBAAmB,GAAA,IAAIC,OAAI,CAAA,MAAM,CAAE,CAAA,MAAA;AACzC,EAAM,MAAA,WAAA,GACJD,SAAO,iBAAkB,CAAA,aAAa,KACtC,CAAG,EAAA,OAAO,IAAI,UAAU,CAAA,cAAA,CAAA;AAC1B,EAAM,MAAA,eAAA,GAAkBA,QAAO,CAAA,GAAA,CAAI,iBAAiB,CAAA,GAChDE,6BAAuB,CAAAF,QAAA,EAAQ,EAAE,GAAA,EAAK,iBAAkB,EAAC,CACzD,GAAA,KAAA,CAAA;AAEJ,EAAA,MAAM,cAAiB,GAAA,OAAA,CAAQ,cAAmB,KAAA,CAAA,KAAA,MAAU,EAAE,KAAM,EAAA,CAAA,CAAA;AACpE,EAAM,MAAA,gBAAA,GACJ,OAAQ,CAAA,gBAAA,IAAoB,aAAc,CAAA,uBAAA;AAC5C,EAAA,MAAM,mBAAmB,aAAc,CAAA,UAAA,CAAW,UAAEA,QAAA,EAAQ,aAAa,CAAA;AACzE,EAAM,MAAA,aAAA,GAAgB,IAAIG,qCAAmB,CAAA;AAAA,IAC3C,OAAA;AAAA,IACA,WAAA;AAAA,IACA,gBAAA;AAAA,IACA,UAAA;AAAA,IACA,gBAAA;AAAA,IACA;AAAA,GACD,CAAA;AAED,EAAM,MAAA,YAAA,GAAeC,sCAAmB,MAAO,CAAA;AAAA,YAC7CJ,QAAA;AAAA,IACA,aAAA;AAAA,IACA,aAAA;AAAA,IACA,kBAAkB,OAAQ,CAAA;AAAA,GAC3B,CAAA;AAED,EAAO,OAAA;AAAA,IACL,MAAM,KAEJ,CAAA,GAAA,EACA,GACe,EAAA;AACf,MAAA,MAAM,GAAM,GAAA,GAAA,CAAI,KAAM,CAAA,GAAA,EAAK,QAAS,EAAA;AACpC,MAAA,MAAM,MAAS,GAAA,GAAA,CAAI,KAAM,CAAA,MAAA,EAAQ,QAAS,EAAA;AAC1C,MAAA,MAAM,WAAc,GAAA,GAAA,CAAI,KAAM,CAAA,WAAA,EAAa,QAAS,EAAA;AACpD,MAAA,MAAM,IAAO,GAAA,GAAA,CAAI,KAAM,CAAA,IAAA,EAAM,QAAS,EAAA;AAEtC,MAAA,IAAI,CAAC,GAAK,EAAA;AACR,QAAM,MAAA,IAAIK,kBAAW,6CAA6C,CAAA;AAAA;AAGpE,MAAA,MAAM,QAAQC,uBAAO,CAAA,WAAA,CAAY,EAAE,CAAA,CAAE,SAAS,QAAQ,CAAA;AAEtD,MAAc,aAAA,CAAA,QAAA,CAAS,GAAK,EAAA,KAAA,EAAO,MAAM,CAAA;AAEzC,MAAA,MAAM,EAAE,KAAO,EAAA,UAAA,KAAe,MAAM,YAAA,CAAa,MAAM,GAAG,CAAA;AAE1D,MAAM,MAAAC,OAAA,GAAQ,EAAE,KAAO,EAAA,GAAA,EAAK,QAAQ,WAAa,EAAA,IAAA,EAAM,GAAG,UAAW,EAAA;AACrE,MAAM,MAAA,EAAE,OAAO,gBAAiB,EAAA,GAAI,MAAM,cAAe,CAAAA,OAAA,EAAO,EAAE,GAAA,EAAK,CAAA;AAEvE,MAAA,MAAM,EAAE,GAAK,EAAA,MAAA,EAAW,GAAA,MAAM,QAAQ,aAAc,CAAA,KAAA;AAAA,QAClD;AAAA,UACE,GAAA;AAAA,UACA,KAAA;AAAA,UACA,KAAA,EAAOC,uBAAiB,gBAAgB;AAAA,SAC1C;AAAA,QACA;AAAA,OACF;AAEA,MAAA,GAAA,CAAI,aAAa,MAAU,IAAA,GAAA;AAC3B,MAAI,GAAA,CAAA,SAAA,CAAU,YAAY,GAAG,CAAA;AAC7B,MAAI,GAAA,CAAA,SAAA,CAAU,kBAAkB,GAAG,CAAA;AACnC,MAAA,GAAA,CAAI,GAAI,EAAA;AAAA,KACV;AAAA,IAEA,MAAM,YAEJ,CAAA,GAAA,EACA,GACe,EAAA;AACf,MAAA,IAAI,MAAS,GAAA,gBAAA;AACb,MAAI,IAAAD,OAAA;AAEJ,MAAI,IAAA;AACF,QAAAA,OAAA,GAAQE,uBAAiB,GAAI,CAAA,KAAA,CAAM,KAAO,EAAA,QAAA,MAAc,EAAE,CAAA;AAE1D,QAAA,IAAIF,QAAM,MAAQ,EAAA;AAChB,UAAI,IAAA;AACF,YAAA,MAAA,GAAS,IAAIN,OAAA,CAAIM,OAAM,CAAA,MAAM,CAAE,CAAA,MAAA;AAAA,WACzB,CAAA,MAAA;AACN,YAAM,MAAA,IAAIG,uBAAgB,wCAAwC,CAAA;AAAA;AAEpE,UAAI,IAAA,CAAC,eAAgB,CAAA,MAAM,CAAG,EAAA;AAC5B,YAAA,MAAM,IAAIA,sBAAA,CAAgB,CAAW,QAAA,EAAA,MAAM,CAAkB,gBAAA,CAAA,CAAA;AAAA;AAC/D;AAIF,QAAM,MAAA,WAAA,GAAc,aAAc,CAAA,QAAA,CAAS,GAAG,CAAA;AAC9C,QAAA,MAAM,aAAaH,OAAM,CAAA,KAAA;AACzB,QAAA,IAAI,CAAC,WAAa,EAAA;AAChB,UAAM,MAAA,IAAIG,uBAAgB,uCAAuC,CAAA;AAAA;AAEnE,QAAA,IAAI,gBAAgB,UAAY,EAAA;AAC9B,UAAM,MAAA,IAAIA,uBAAgB,eAAe,CAAA;AAAA;AAG3C,QAAM,MAAA,MAAA,GAAS,MAAM,aAAc,CAAA,YAAA;AAAA,UACjC,EAAE,GAAI,EAAA;AAAA,UACN;AAAA,SACF;AACA,QAAA,MAAM,EAAE,OAAQ,EAAA,GAAI,MAAM,gBAAA,CAAiB,QAAQ,eAAe,CAAA;AAElE,QAAM,MAAA,YAAA,GACJ,kBACC,MAAM,cAAA,CAAe,EAAE,OAAS,EAAA,MAAA,IAAU,eAAe,CAAA;AAE5D,QAAA,MAAM,aAAgB,GAAA,MAAM,YAAa,CAAA,cAAA,CAAe,GAAK,EAAA;AAAA,UAC3D,MAAA;AAAA,iBACAH,OAAA;AAAA,UACA;AAAA,SACD,CAAA;AAED,QAAA,MAAM,QAAgC,GAAA;AAAA,UACpC,OAAA;AAAA,UACA,YAAc,EAAA;AAAA,YACZ,OAAA,EAAS,OAAO,OAAQ,CAAA,OAAA;AAAA,YACxB,WAAA,EAAa,OAAO,OAAQ,CAAA,WAAA;AAAA,YAC5B,KAAO,EAAA,aAAA;AAAA,YACP,gBAAA,EAAkB,OAAO,OAAQ,CAAA;AAAA,WACnC;AAAA,UACA,GAAI,YAAgB,IAAA;AAAA,YAClB,iBAAA,EAAmBI,kEAAiC,YAAY;AAAA;AAClE,SACF;AAEA,QAAI,IAAA,MAAA,CAAO,QAAQ,YAAc,EAAA;AAE/B,UAAc,aAAA,CAAA,eAAA;AAAA,YACZ,GAAA;AAAA,YACA,OAAO,OAAQ,CAAA,YAAA;AAAA,YACf;AAAA,WACF;AAAA;AAKF,QAAI,IAAAJ,OAAA,CAAM,SAAS,UAAY,EAAA;AAC7B,UAAI,IAAA,CAACA,QAAM,WAAa,EAAA;AACtB,YAAA,MAAM,IAAIF,iBAAA;AAAA,cACR;AAAA,aACF;AAAA;AAEF,UAAI,GAAA,CAAA,QAAA,CAASE,QAAM,WAAW,CAAA;AAC9B,UAAA;AAAA;AAIF,QAAAK,6CAAA,CAAuB,KAAK,MAAQ,EAAA;AAAA,UAClC,IAAM,EAAA,wBAAA;AAAA,UACN;AAAA,SACD,CAAA;AAAA,eACM,KAAO,EAAA;AACd,QAAM,MAAA,EAAE,IAAM,EAAA,OAAA,EAAY,GAAAC,cAAA,CAAQ,KAAK,CACnC,GAAA,KAAA,GACA,IAAI,KAAA,CAAM,2BAA2B,CAAA;AAEzC,QAAA,IAAIN,OAAO,EAAA,IAAA,KAAS,UAAc,IAAAA,OAAA,EAAO,WAAa,EAAA;AACpD,UAAA,MAAM,WAAc,GAAA,IAAIN,OAAI,CAAAM,OAAA,CAAM,WAAW,CAAA;AAC7C,UAAY,WAAA,CAAA,YAAA,CAAa,GAAI,CAAA,OAAA,EAAS,OAAO,CAAA;AAG7C,UAAI,GAAA,CAAA,QAAA,CAAS,WAAY,CAAA,QAAA,EAAU,CAAA;AAAA,SAC9B,MAAA;AAEL,UAAAK,6CAAA,CAAuB,KAAK,MAAQ,EAAA;AAAA,YAClC,IAAM,EAAA,wBAAA;AAAA,YACN,KAAA,EAAO,EAAE,IAAA,EAAM,OAAQ;AAAA,WACxB,CAAA;AAAA;AACH;AACF,KACF;AAAA,IAEA,MAAM,MAEJ,CAAA,GAAA,EACA,GACe,EAAA;AAEf,MAAA,IAAI,GAAI,CAAA,MAAA,CAAO,kBAAkB,CAAA,KAAM,gBAAkB,EAAA;AACvD,QAAM,MAAA,IAAIE,2BAAoB,iCAAiC,CAAA;AAAA;AAGjE,MAAA,IAAI,cAAc,MAAQ,EAAA;AACxB,QAAM,MAAA,YAAA,GAAe,aAAc,CAAA,eAAA,CAAgB,GAAG,CAAA;AACtD,QAAA,MAAM,cAAc,MAAO,CAAA,EAAE,GAAK,EAAA,YAAA,IAAgB,gBAAgB,CAAA;AAAA;AAIpE,MAAA,aAAA,CAAc,kBAAmB,CAAA,GAAA,EAAK,GAAI,CAAA,GAAA,CAAI,QAAQ,CAAC,CAAA;AAGvD,MAAM,MAAA,YAAA,CAAa,MAAM,GAAG,CAAA;AAE5B,MAAI,GAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA,KACtB;AAAA,IAEA,MAAM,OAEJ,CAAA,GAAA,EACA,GACe,EAAA;AAEf,MAAA,IAAI,GAAI,CAAA,MAAA,CAAO,kBAAkB,CAAA,KAAM,gBAAkB,EAAA;AACvD,QAAM,MAAA,IAAIA,2BAAoB,iCAAiC,CAAA;AAAA;AAGjE,MAAI,IAAA;AACF,QAAM,MAAA,YAAA,GAAe,aAAc,CAAA,eAAA,CAAgB,GAAG,CAAA;AAGtD,QAAA,IAAI,CAAC,YAAc,EAAA;AACjB,UAAM,MAAA,IAAIT,kBAAW,wBAAwB,CAAA;AAAA;AAG/C,QAAA,MAAM,YAAe,GAAA,MAAM,YAAa,CAAA,OAAA,CAAQ,GAAG,CAAA;AAEnD,QAAM,MAAA,MAAA,GAAS,MAAM,aAAc,CAAA,OAAA;AAAA,UACjC,EAAE,GAAA,EAAK,KAAO,EAAA,YAAA,CAAa,OAAO,YAAa,EAAA;AAAA,UAC/C;AAAA,SACF;AAEA,QAAA,MAAM,YAAe,GAAA,MAAM,YAAa,CAAA,MAAA,CAAO,MAAM,CAAA;AAErD,QAAA,MAAM,EAAE,OAAQ,EAAA,GAAI,MAAM,gBAAA,CAAiB,QAAQ,eAAe,CAAA;AAElE,QAAM,MAAA,eAAA,GAAkB,OAAO,OAAQ,CAAA,YAAA;AACvC,QAAI,IAAA,eAAA,IAAmB,oBAAoB,YAAc,EAAA;AACvD,UAAc,aAAA,CAAA,eAAA;AAAA,YACZ,GAAA;AAAA,YACA,eAAA;AAAA,YACA,GAAA,CAAI,IAAI,QAAQ;AAAA,WAClB;AAAA;AAGF,QAAA,MAAM,QAAgC,GAAA;AAAA,UACpC,OAAA;AAAA,UACA,YAAc,EAAA;AAAA,YACZ,OAAA,EAAS,OAAO,OAAQ,CAAA,OAAA;AAAA,YACxB,WAAA,EAAa,OAAO,OAAQ,CAAA,WAAA;AAAA,YAC5B,KAAO,EAAA,YAAA;AAAA,YACP,gBAAA,EAAkB,OAAO,OAAQ,CAAA;AAAA;AACnC,SACF;AAEA,QAAA,IAAI,cAAgB,EAAA;AAClB,UAAA,MAAM,WAAW,MAAM,cAAA;AAAA,YACrB,EAAE,SAAS,MAAO,EAAA;AAAA,YAClB;AAAA,WACF;AACA,UAAS,QAAA,CAAA,iBAAA,GACPM,kEAAiC,QAAQ,CAAA;AAAA;AAG7C,QAAA,GAAA,CAAI,MAAO,CAAA,GAAG,CAAE,CAAA,IAAA,CAAK,QAAQ,CAAA;AAAA,eACtB,KAAO,EAAA;AACd,QAAM,MAAA,IAAIG,0BAAoB,CAAA,gBAAA,EAAkB,KAAK,CAAA;AAAA;AACvD;AACF,GACF;AACF;;;;"}
1	+ {"version":3,"file":"createOAuthRouteHandlers.cjs.js","sources":["../../src/oauth/createOAuthRouteHandlers.ts"],"sourcesContent":["/\n Copyright 2020 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport express from 'express';\nimport crypto from 'crypto';\nimport { URL } from 'url';\nimport {\n AuthenticationError,\n InputError,\n isError,\n NotAllowedError,\n} from '@backstage/errors';\nimport {\n encodeOAuthState,\n decodeOAuthState,\n OAuthStateTransform,\n} from './state';\nimport { sendWebMessageResponse } from '../flow';\nimport { prepareBackstageIdentityResponse } from '../identity';\nimport { OAuthCookieManager } from './OAuthCookieManager';\nimport {\n AuthProviderRouteHandlers,\n AuthResolverContext,\n ClientAuthResponse,\n CookieConfigurer,\n ProfileTransform,\n SignInResolver,\n} from '../types';\nimport { OAuthAuthenticator, OAuthAuthenticatorResult } from './types';\nimport { Config, readDurationFromConfig } from '@backstage/config';\nimport { CookieScopeManager } from './CookieScopeManager';\n\n/* @public /\nexport interface OAuthRouteHandlersOptions<TProfile> {\n authenticator: OAuthAuthenticator<any, TProfile>;\n appUrl: string;\n baseUrl: string;\n isOriginAllowed: (origin: string) => boolean;\n providerId: string;\n config: Config;\n resolverContext: AuthResolverContext;\n additionalScopes?: string[];\n stateTransform?: OAuthStateTransform;\n profileTransform?: ProfileTransform<OAuthAuthenticatorResult<TProfile>>;\n cookieConfigurer?: CookieConfigurer;\n signInResolver?: SignInResolver<OAuthAuthenticatorResult<TProfile>>;\n}\n\n/* @internal /\ntype ClientOAuthResponse = ClientAuthResponse<{\n /\n An access token issued for the signed in user.\n /\n accessToken: string;\n /\n (Optional) Id token issued for the signed in user.\n /\n idToken?: string;\n /\n Expiry of the access token in seconds.\n /\n expiresInSeconds?: number;\n /\n Scopes granted for the access token.\n /\n scope: string;\n}>;\n\n/* @public */\nexport function createOAuthRouteHandlers<TProfile>(\n options: OAuthRouteHandlersOptions<TProfile>,\n): AuthProviderRouteHandlers {\n const {\n authenticator,\n config,\n baseUrl,\n appUrl,\n providerId,\n isOriginAllowed,\n cookieConfigurer,\n resolverContext,\n signInResolver,\n } = options;\n\n const defaultAppOrigin = new URL(appUrl).origin;\n const callbackUrl =\n config.getOptionalString('callbackUrl') ??\n `${baseUrl}/${providerId}/handler/frame`;\n const sessionDuration = config.has('sessionDuration')\n ? readDurationFromConfig(config, { key: 'sessionDuration' })\n : undefined;\n\n const stateTransform = options.stateTransform ?? (state => ({ state }));\n const profileTransform =\n options.profileTransform ?? authenticator.defaultProfileTransform;\n const authenticatorCtx = authenticator.initialize({ config, callbackUrl });\n const cookieManager = new OAuthCookieManager({\n baseUrl,\n callbackUrl,\n defaultAppOrigin,\n providerId,\n cookieConfigurer,\n sessionDuration,\n });\n\n const scopeManager = CookieScopeManager.create({\n config,\n authenticator,\n cookieManager,\n additionalScopes: options.additionalScopes,\n });\n\n return {\n async start(\n this: never,\n req: express.Request,\n res: express.Response,\n ): Promise<void> {\n const env = req.query.env?.toString();\n const origin = req.query.origin?.toString();\n const redirectUrl = req.query.redirectUrl?.toString();\n const flow = req.query.flow?.toString();\n\n if (!env) {\n throw new InputError('No env provided in request query parameters');\n }\n\n const nonce = crypto.randomBytes(16).toString('base64');\n // set a nonce cookie before redirecting to oauth provider\n cookieManager.setNonce(res, nonce, origin);\n\n const { scope, scopeState } = await scopeManager.start(req);\n\n const state = { nonce, env, origin, redirectUrl, flow, ...scopeState };\n const { state: transformedState } = await stateTransform(state, { req });\n\n const { url, status } = await options.authenticator.start(\n {\n req,\n scope,\n state: encodeOAuthState(transformedState),\n },\n authenticatorCtx,\n );\n\n res.statusCode = status \|\| 302;\n res.setHeader('Location', url);\n res.setHeader('Content-Length', '0');\n res.end();\n },\n\n async frameHandler(\n this: never,\n req: express.Request,\n res: express.Response,\n ): Promise<void> {\n let origin = defaultAppOrigin;\n let state;\n\n try {\n state = decodeOAuthState(req.query.state?.toString() ?? '');\n\n if (state.origin) {\n try {\n origin = new URL(state.origin).origin;\n } catch {\n throw new NotAllowedError('App origin is invalid, failed to parse');\n }\n if (!isOriginAllowed(origin)) {\n throw new NotAllowedError(`Origin '${origin}' is not allowed`);\n }\n }\n\n // The same nonce is passed through cookie and state, and they must match\n const cookieNonce = cookieManager.getNonce(req);\n const stateNonce = state.nonce;\n if (!cookieNonce) {\n throw new NotAllowedError('Auth response is missing cookie nonce');\n }\n if (cookieNonce !== stateNonce) {\n throw new NotAllowedError('Invalid nonce');\n }\n\n const result = await authenticator.authenticate(\n { req },\n authenticatorCtx,\n );\n const { profile } = await profileTransform(result, resolverContext);\n\n const signInResult =\n signInResolver &&\n (await signInResolver({ profile, result }, resolverContext));\n\n const grantedScopes = await scopeManager.handleCallback(req, {\n result,\n state,\n origin,\n });\n\n const response: ClientOAuthResponse = {\n profile,\n providerInfo: {\n idToken: result.session.idToken,\n accessToken: result.session.accessToken,\n scope: grantedScopes,\n expiresInSeconds: result.session.expiresInSeconds,\n },\n ...(signInResult && {\n backstageIdentity: prepareBackstageIdentityResponse(signInResult),\n }),\n };\n\n if (result.session.refreshToken) {\n // set new refresh token\n cookieManager.setRefreshToken(\n res,\n result.session.refreshToken,\n origin,\n );\n }\n\n // When using the redirect flow we rely on refresh token we just\n // acquired to get a new session once we're back in the app.\n if (state.flow === 'redirect') {\n if (!state.redirectUrl) {\n throw new InputError(\n 'No redirectUrl provided in request query parameters',\n );\n }\n res.redirect(state.redirectUrl);\n return;\n }\n\n // post message back to popup if successful\n sendWebMessageResponse(res, origin, {\n type: 'authorization_response',\n response,\n });\n } catch (error) {\n const { name, message } = isError(error)\n ? error\n : new Error('Encountered invalid error'); // Being a bit safe and not forwarding the bad value\n\n if (state?.flow === 'redirect' && state?.redirectUrl) {\n const redirectUrl = new URL(state.redirectUrl);\n redirectUrl.searchParams.set('error', message);\n\n // set the error in a cookie and redirect user back to sign in where the error can be rendered\n res.redirect(redirectUrl.toString());\n } else {\n // post error message back to popup if failure\n sendWebMessageResponse(res, origin, {\n type: 'authorization_response',\n error: { name, message },\n });\n }\n }\n },\n\n async logout(\n this: never,\n req: express.Request,\n res: express.Response,\n ): Promise<void> {\n // We use this as a lightweight CSRF protection\n if (req.header('X-Requested-With') !== 'XMLHttpRequest') {\n throw new AuthenticationError('Invalid X-Requested-With header');\n }\n\n if (authenticator.logout) {\n const refreshToken = cookieManager.getRefreshToken(req);\n await authenticator.logout({ req, refreshToken }, authenticatorCtx);\n }\n\n // remove refresh token cookie if it is set\n cookieManager.removeRefreshToken(res, req.get('origin'));\n\n // remove persisted scopes\n await scopeManager.clear(req);\n\n res.status(200).end();\n },\n\n async refresh(\n this: never,\n req: express.Request,\n res: express.Response,\n ): Promise<void> {\n // We use this as a lightweight CSRF protection\n if (req.header('X-Requested-With') !== 'XMLHttpRequest') {\n throw new AuthenticationError('Invalid X-Requested-With header');\n }\n\n try {\n const refreshToken = cookieManager.getRefreshToken(req);\n\n // throw error if refresh token is missing in the request\n if (!refreshToken) {\n throw new InputError('Missing session cookie');\n }\n\n const scopeRefresh = await scopeManager.refresh(req);\n\n const result = await authenticator.refresh(\n {\n req,\n scope: scopeRefresh.scope,\n scopeAlreadyGranted: scopeRefresh.scopeAlreadyGranted,\n refreshToken,\n },\n authenticatorCtx,\n );\n\n const grantedScope = await scopeRefresh.commit(result);\n\n const { profile } = await profileTransform(result, resolverContext);\n\n const newRefreshToken = result.session.refreshToken;\n if (newRefreshToken && newRefreshToken !== refreshToken) {\n cookieManager.setRefreshToken(\n res,\n newRefreshToken,\n req.get('origin'),\n );\n }\n\n const response: ClientOAuthResponse = {\n profile,\n providerInfo: {\n idToken: result.session.idToken,\n accessToken: result.session.accessToken,\n scope: grantedScope,\n expiresInSeconds: result.session.expiresInSeconds,\n },\n };\n\n if (signInResolver) {\n const identity = await signInResolver(\n { profile, result },\n resolverContext,\n );\n response.backstageIdentity =\n prepareBackstageIdentityResponse(identity);\n }\n\n res.status(200).json(response);\n } catch (error) {\n throw new AuthenticationError('Refresh failed', error);\n }\n },\n };\n}\n"],"names":["config","URL","readDurationFromConfig","OAuthCookieManager","CookieScopeManager","InputError","crypto","state","encodeOAuthState","decodeOAuthState","NotAllowedError","prepareBackstageIdentityResponse","sendWebMessageResponse","isError","AuthenticationError"],"mappings":";;;;;;;;;;;;;;;;;AAkFO,SAAS,yBACd,OAC2B,EAAA;AAC3B,EAAM,MAAA;AAAA,IACJ,aAAA;AAAA,YACAA,QAAA;AAAA,IACA,OAAA;AAAA,IACA,MAAA;AAAA,IACA,UAAA;AAAA,IACA,eAAA;AAAA,IACA,gBAAA;AAAA,IACA,eAAA;AAAA,IACA;AAAA,GACE,GAAA,OAAA;AAEJ,EAAA,MAAM,gBAAmB,GAAA,IAAIC,OAAI,CAAA,MAAM,CAAE,CAAA,MAAA;AACzC,EAAM,MAAA,WAAA,GACJD,SAAO,iBAAkB,CAAA,aAAa,KACtC,CAAG,EAAA,OAAO,IAAI,UAAU,CAAA,cAAA,CAAA;AAC1B,EAAM,MAAA,eAAA,GAAkBA,QAAO,CAAA,GAAA,CAAI,iBAAiB,CAAA,GAChDE,6BAAuB,CAAAF,QAAA,EAAQ,EAAE,GAAA,EAAK,iBAAkB,EAAC,CACzD,GAAA,KAAA,CAAA;AAEJ,EAAA,MAAM,cAAiB,GAAA,OAAA,CAAQ,cAAmB,KAAA,CAAA,KAAA,MAAU,EAAE,KAAM,EAAA,CAAA,CAAA;AACpE,EAAM,MAAA,gBAAA,GACJ,OAAQ,CAAA,gBAAA,IAAoB,aAAc,CAAA,uBAAA;AAC5C,EAAA,MAAM,mBAAmB,aAAc,CAAA,UAAA,CAAW,UAAEA,QAAA,EAAQ,aAAa,CAAA;AACzE,EAAM,MAAA,aAAA,GAAgB,IAAIG,qCAAmB,CAAA;AAAA,IAC3C,OAAA;AAAA,IACA,WAAA;AAAA,IACA,gBAAA;AAAA,IACA,UAAA;AAAA,IACA,gBAAA;AAAA,IACA;AAAA,GACD,CAAA;AAED,EAAM,MAAA,YAAA,GAAeC,sCAAmB,MAAO,CAAA;AAAA,YAC7CJ,QAAA;AAAA,IACA,aAAA;AAAA,IACA,aAAA;AAAA,IACA,kBAAkB,OAAQ,CAAA;AAAA,GAC3B,CAAA;AAED,EAAO,OAAA;AAAA,IACL,MAAM,KAEJ,CAAA,GAAA,EACA,GACe,EAAA;AACf,MAAA,MAAM,GAAM,GAAA,GAAA,CAAI,KAAM,CAAA,GAAA,EAAK,QAAS,EAAA;AACpC,MAAA,MAAM,MAAS,GAAA,GAAA,CAAI,KAAM,CAAA,MAAA,EAAQ,QAAS,EAAA;AAC1C,MAAA,MAAM,WAAc,GAAA,GAAA,CAAI,KAAM,CAAA,WAAA,EAAa,QAAS,EAAA;AACpD,MAAA,MAAM,IAAO,GAAA,GAAA,CAAI,KAAM,CAAA,IAAA,EAAM,QAAS,EAAA;AAEtC,MAAA,IAAI,CAAC,GAAK,EAAA;AACR,QAAM,MAAA,IAAIK,kBAAW,6CAA6C,CAAA;AAAA;AAGpE,MAAA,MAAM,QAAQC,uBAAO,CAAA,WAAA,CAAY,EAAE,CAAA,CAAE,SAAS,QAAQ,CAAA;AAEtD,MAAc,aAAA,CAAA,QAAA,CAAS,GAAK,EAAA,KAAA,EAAO,MAAM,CAAA;AAEzC,MAAA,MAAM,EAAE,KAAO,EAAA,UAAA,KAAe,MAAM,YAAA,CAAa,MAAM,GAAG,CAAA;AAE1D,MAAM,MAAAC,OAAA,GAAQ,EAAE,KAAO,EAAA,GAAA,EAAK,QAAQ,WAAa,EAAA,IAAA,EAAM,GAAG,UAAW,EAAA;AACrE,MAAM,MAAA,EAAE,OAAO,gBAAiB,EAAA,GAAI,MAAM,cAAe,CAAAA,OAAA,EAAO,EAAE,GAAA,EAAK,CAAA;AAEvE,MAAA,MAAM,EAAE,GAAK,EAAA,MAAA,EAAW,GAAA,MAAM,QAAQ,aAAc,CAAA,KAAA;AAAA,QAClD;AAAA,UACE,GAAA;AAAA,UACA,KAAA;AAAA,UACA,KAAA,EAAOC,uBAAiB,gBAAgB;AAAA,SAC1C;AAAA,QACA;AAAA,OACF;AAEA,MAAA,GAAA,CAAI,aAAa,MAAU,IAAA,GAAA;AAC3B,MAAI,GAAA,CAAA,SAAA,CAAU,YAAY,GAAG,CAAA;AAC7B,MAAI,GAAA,CAAA,SAAA,CAAU,kBAAkB,GAAG,CAAA;AACnC,MAAA,GAAA,CAAI,GAAI,EAAA;AAAA,KACV;AAAA,IAEA,MAAM,YAEJ,CAAA,GAAA,EACA,GACe,EAAA;AACf,MAAA,IAAI,MAAS,GAAA,gBAAA;AACb,MAAI,IAAAD,OAAA;AAEJ,MAAI,IAAA;AACF,QAAAA,OAAA,GAAQE,uBAAiB,GAAI,CAAA,KAAA,CAAM,KAAO,EAAA,QAAA,MAAc,EAAE,CAAA;AAE1D,QAAA,IAAIF,QAAM,MAAQ,EAAA;AAChB,UAAI,IAAA;AACF,YAAA,MAAA,GAAS,IAAIN,OAAA,CAAIM,OAAM,CAAA,MAAM,CAAE,CAAA,MAAA;AAAA,WACzB,CAAA,MAAA;AACN,YAAM,MAAA,IAAIG,uBAAgB,wCAAwC,CAAA;AAAA;AAEpE,UAAI,IAAA,CAAC,eAAgB,CAAA,MAAM,CAAG,EAAA;AAC5B,YAAA,MAAM,IAAIA,sBAAA,CAAgB,CAAW,QAAA,EAAA,MAAM,CAAkB,gBAAA,CAAA,CAAA;AAAA;AAC/D;AAIF,QAAM,MAAA,WAAA,GAAc,aAAc,CAAA,QAAA,CAAS,GAAG,CAAA;AAC9C,QAAA,MAAM,aAAaH,OAAM,CAAA,KAAA;AACzB,QAAA,IAAI,CAAC,WAAa,EAAA;AAChB,UAAM,MAAA,IAAIG,uBAAgB,uCAAuC,CAAA;AAAA;AAEnE,QAAA,IAAI,gBAAgB,UAAY,EAAA;AAC9B,UAAM,MAAA,IAAIA,uBAAgB,eAAe,CAAA;AAAA;AAG3C,QAAM,MAAA,MAAA,GAAS,MAAM,aAAc,CAAA,YAAA;AAAA,UACjC,EAAE,GAAI,EAAA;AAAA,UACN;AAAA,SACF;AACA,QAAA,MAAM,EAAE,OAAQ,EAAA,GAAI,MAAM,gBAAA,CAAiB,QAAQ,eAAe,CAAA;AAElE,QAAM,MAAA,YAAA,GACJ,kBACC,MAAM,cAAA,CAAe,EAAE,OAAS,EAAA,MAAA,IAAU,eAAe,CAAA;AAE5D,QAAA,MAAM,aAAgB,GAAA,MAAM,YAAa,CAAA,cAAA,CAAe,GAAK,EAAA;AAAA,UAC3D,MAAA;AAAA,iBACAH,OAAA;AAAA,UACA;AAAA,SACD,CAAA;AAED,QAAA,MAAM,QAAgC,GAAA;AAAA,UACpC,OAAA;AAAA,UACA,YAAc,EAAA;AAAA,YACZ,OAAA,EAAS,OAAO,OAAQ,CAAA,OAAA;AAAA,YACxB,WAAA,EAAa,OAAO,OAAQ,CAAA,WAAA;AAAA,YAC5B,KAAO,EAAA,aAAA;AAAA,YACP,gBAAA,EAAkB,OAAO,OAAQ,CAAA;AAAA,WACnC;AAAA,UACA,GAAI,YAAgB,IAAA;AAAA,YAClB,iBAAA,EAAmBI,kEAAiC,YAAY;AAAA;AAClE,SACF;AAEA,QAAI,IAAA,MAAA,CAAO,QAAQ,YAAc,EAAA;AAE/B,UAAc,aAAA,CAAA,eAAA;AAAA,YACZ,GAAA;AAAA,YACA,OAAO,OAAQ,CAAA,YAAA;AAAA,YACf;AAAA,WACF;AAAA;AAKF,QAAI,IAAAJ,OAAA,CAAM,SAAS,UAAY,EAAA;AAC7B,UAAI,IAAA,CAACA,QAAM,WAAa,EAAA;AACtB,YAAA,MAAM,IAAIF,iBAAA;AAAA,cACR;AAAA,aACF;AAAA;AAEF,UAAI,GAAA,CAAA,QAAA,CAASE,QAAM,WAAW,CAAA;AAC9B,UAAA;AAAA;AAIF,QAAAK,6CAAA,CAAuB,KAAK,MAAQ,EAAA;AAAA,UAClC,IAAM,EAAA,wBAAA;AAAA,UACN;AAAA,SACD,CAAA;AAAA,eACM,KAAO,EAAA;AACd,QAAM,MAAA,EAAE,IAAM,EAAA,OAAA,EAAY,GAAAC,cAAA,CAAQ,KAAK,CACnC,GAAA,KAAA,GACA,IAAI,KAAA,CAAM,2BAA2B,CAAA;AAEzC,QAAA,IAAIN,OAAO,EAAA,IAAA,KAAS,UAAc,IAAAA,OAAA,EAAO,WAAa,EAAA;AACpD,UAAA,MAAM,WAAc,GAAA,IAAIN,OAAI,CAAAM,OAAA,CAAM,WAAW,CAAA;AAC7C,UAAY,WAAA,CAAA,YAAA,CAAa,GAAI,CAAA,OAAA,EAAS,OAAO,CAAA;AAG7C,UAAI,GAAA,CAAA,QAAA,CAAS,WAAY,CAAA,QAAA,EAAU,CAAA;AAAA,SAC9B,MAAA;AAEL,UAAAK,6CAAA,CAAuB,KAAK,MAAQ,EAAA;AAAA,YAClC,IAAM,EAAA,wBAAA;AAAA,YACN,KAAA,EAAO,EAAE,IAAA,EAAM,OAAQ;AAAA,WACxB,CAAA;AAAA;AACH;AACF,KACF;AAAA,IAEA,MAAM,MAEJ,CAAA,GAAA,EACA,GACe,EAAA;AAEf,MAAA,IAAI,GAAI,CAAA,MAAA,CAAO,kBAAkB,CAAA,KAAM,gBAAkB,EAAA;AACvD,QAAM,MAAA,IAAIE,2BAAoB,iCAAiC,CAAA;AAAA;AAGjE,MAAA,IAAI,cAAc,MAAQ,EAAA;AACxB,QAAM,MAAA,YAAA,GAAe,aAAc,CAAA,eAAA,CAAgB,GAAG,CAAA;AACtD,QAAA,MAAM,cAAc,MAAO,CAAA,EAAE,GAAK,EAAA,YAAA,IAAgB,gBAAgB,CAAA;AAAA;AAIpE,MAAA,aAAA,CAAc,kBAAmB,CAAA,GAAA,EAAK,GAAI,CAAA,GAAA,CAAI,QAAQ,CAAC,CAAA;AAGvD,MAAM,MAAA,YAAA,CAAa,MAAM,GAAG,CAAA;AAE5B,MAAI,GAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA,KACtB;AAAA,IAEA,MAAM,OAEJ,CAAA,GAAA,EACA,GACe,EAAA;AAEf,MAAA,IAAI,GAAI,CAAA,MAAA,CAAO,kBAAkB,CAAA,KAAM,gBAAkB,EAAA;AACvD,QAAM,MAAA,IAAIA,2BAAoB,iCAAiC,CAAA;AAAA;AAGjE,MAAI,IAAA;AACF,QAAM,MAAA,YAAA,GAAe,aAAc,CAAA,eAAA,CAAgB,GAAG,CAAA;AAGtD,QAAA,IAAI,CAAC,YAAc,EAAA;AACjB,UAAM,MAAA,IAAIT,kBAAW,wBAAwB,CAAA;AAAA;AAG/C,QAAA,MAAM,YAAe,GAAA,MAAM,YAAa,CAAA,OAAA,CAAQ,GAAG,CAAA;AAEnD,QAAM,MAAA,MAAA,GAAS,MAAM,aAAc,CAAA,OAAA;AAAA,UACjC;AAAA,YACE,GAAA;AAAA,YACA,OAAO,YAAa,CAAA,KAAA;AAAA,YACpB,qBAAqB,YAAa,CAAA,mBAAA;AAAA,YAClC;AAAA,WACF;AAAA,UACA;AAAA,SACF;AAEA,QAAA,MAAM,YAAe,GAAA,MAAM,YAAa,CAAA,MAAA,CAAO,MAAM,CAAA;AAErD,QAAA,MAAM,EAAE,OAAQ,EAAA,GAAI,MAAM,gBAAA,CAAiB,QAAQ,eAAe,CAAA;AAElE,QAAM,MAAA,eAAA,GAAkB,OAAO,OAAQ,CAAA,YAAA;AACvC,QAAI,IAAA,eAAA,IAAmB,oBAAoB,YAAc,EAAA;AACvD,UAAc,aAAA,CAAA,eAAA;AAAA,YACZ,GAAA;AAAA,YACA,eAAA;AAAA,YACA,GAAA,CAAI,IAAI,QAAQ;AAAA,WAClB;AAAA;AAGF,QAAA,MAAM,QAAgC,GAAA;AAAA,UACpC,OAAA;AAAA,UACA,YAAc,EAAA;AAAA,YACZ,OAAA,EAAS,OAAO,OAAQ,CAAA,OAAA;AAAA,YACxB,WAAA,EAAa,OAAO,OAAQ,CAAA,WAAA;AAAA,YAC5B,KAAO,EAAA,YAAA;AAAA,YACP,gBAAA,EAAkB,OAAO,OAAQ,CAAA;AAAA;AACnC,SACF;AAEA,QAAA,IAAI,cAAgB,EAAA;AAClB,UAAA,MAAM,WAAW,MAAM,cAAA;AAAA,YACrB,EAAE,SAAS,MAAO,EAAA;AAAA,YAClB;AAAA,WACF;AACA,UAAS,QAAA,CAAA,iBAAA,GACPM,kEAAiC,QAAQ,CAAA;AAAA;AAG7C,QAAA,GAAA,CAAI,MAAO,CAAA,GAAG,CAAE,CAAA,IAAA,CAAK,QAAQ,CAAA;AAAA,eACtB,KAAO,EAAA;AACd,QAAM,MAAA,IAAIG,0BAAoB,CAAA,gBAAA,EAAkB,KAAK,CAAA;AAAA;AACvD;AACF,GACF;AACF;;;;"}

package/dist/oauth/types.cjs.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"types.cjs.js","sources":["../../src/oauth/types.ts"],"sourcesContent":["/\n Copyright 2023 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { Config } from '@backstage/config';\nimport { Request } from 'express';\nimport { ProfileTransform } from '../types';\n\n/* @public /\nexport interface OAuthSession {\n accessToken: string;\n tokenType: string;\n idToken?: string;\n scope: string;\n expiresInSeconds?: number;\n refreshToken?: string;\n refreshTokenExpiresInSeconds?: number;\n}\n\n/* @public /\nexport interface OAuthAuthenticatorScopeOptions {\n persist?: boolean;\n required?: string[];\n transform?: (options: {\n /* Scopes requested by the client /\n requested: Iterable<string>;\n /* Scopes which have already been granted /\n granted: Iterable<string>;\n /* Scopes that are required for the authenticator to function /\n required: Iterable<string>;\n /* Additional scopes added through configuration /\n additional: Iterable<string>;\n }) => Iterable<string>;\n}\n\n/* @public /\nexport interface OAuthAuthenticatorStartInput {\n scope: string;\n state: string;\n req: Request;\n}\n\n/* @public /\nexport interface OAuthAuthenticatorAuthenticateInput {\n req: Request;\n}\n\n/* @public /\nexport interface OAuthAuthenticatorRefreshInput {\n scope: string;\n refreshToken: string;\n req: Request;\n}\n\n/* @public /\nexport interface OAuthAuthenticatorLogoutInput {\n accessToken?: string;\n refreshToken?: string;\n req: Request;\n}\n\n/* @public /\nexport interface OAuthAuthenticatorResult<TProfile> {\n fullProfile: TProfile;\n session: OAuthSession;\n}\n\n/* @public /\nexport interface OAuthAuthenticator<TContext, TProfile> {\n defaultProfileTransform: ProfileTransform<OAuthAuthenticatorResult<TProfile>>;\n /* @deprecated use `scopes.persist` instead /\n shouldPersistScopes?: boolean;\n scopes?: OAuthAuthenticatorScopeOptions;\n initialize(ctx: { callbackUrl: string; config: Config }): TContext;\n start(\n input: OAuthAuthenticatorStartInput,\n ctx: TContext,\n ): Promise<{ url: string; status?: number }>;\n authenticate(\n input: OAuthAuthenticatorAuthenticateInput,\n ctx: TContext,\n ): Promise<OAuthAuthenticatorResult<TProfile>>;\n refresh(\n input: OAuthAuthenticatorRefreshInput,\n ctx: TContext,\n ): Promise<OAuthAuthenticatorResult<TProfile>>;\n logout?(input: OAuthAuthenticatorLogoutInput, ctx: TContext): Promise<void>;\n}\n\n/* @public */\nexport function createOAuthAuthenticator<TContext, TProfile>(\n authenticator: OAuthAuthenticator<TContext, TProfile>,\n): OAuthAuthenticator<TContext, TProfile> {\n return authenticator;\n}\n"],"names":[],"mappings":";;~~AAsGO~~,SAAS,yBACd,aACwC,EAAA;AACxC,EAAO,OAAA,aAAA;AACT;;;;"}
1	+ {"version":3,"file":"types.cjs.js","sources":["../../src/oauth/types.ts"],"sourcesContent":["/\n Copyright 2023 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { Config } from '@backstage/config';\nimport { Request } from 'express';\nimport { ProfileTransform } from '../types';\n\n/* @public /\nexport interface OAuthSession {\n accessToken: string;\n tokenType: string;\n idToken?: string;\n scope: string;\n expiresInSeconds?: number;\n refreshToken?: string;\n refreshTokenExpiresInSeconds?: number;\n}\n\n/* @public /\nexport interface OAuthAuthenticatorScopeOptions {\n persist?: boolean;\n required?: string[];\n transform?: (options: {\n /* Scopes requested by the client /\n requested: Iterable<string>;\n /* Scopes which have already been granted /\n granted: Iterable<string>;\n /* Scopes that are required for the authenticator to function /\n required: Iterable<string>;\n /* Additional scopes added through configuration /\n additional: Iterable<string>;\n }) => Iterable<string>;\n}\n\n/* @public /\nexport interface OAuthAuthenticatorStartInput {\n scope: string;\n state: string;\n req: Request;\n}\n\n/* @public /\nexport interface OAuthAuthenticatorAuthenticateInput {\n req: Request;\n}\n\n/* @public /\nexport interface OAuthAuthenticatorRefreshInput {\n /\n Signals whether the requested scope has already been granted for the session. Will only be set if the `scopes.persist` option is enabled.\n /\n scopeAlreadyGranted?: boolean;\n\n scope: string;\n refreshToken: string;\n req: Request;\n}\n\n/* @public /\nexport interface OAuthAuthenticatorLogoutInput {\n accessToken?: string;\n refreshToken?: string;\n req: Request;\n}\n\n/* @public /\nexport interface OAuthAuthenticatorResult<TProfile> {\n fullProfile: TProfile;\n session: OAuthSession;\n}\n\n/* @public /\nexport interface OAuthAuthenticator<TContext, TProfile> {\n defaultProfileTransform: ProfileTransform<OAuthAuthenticatorResult<TProfile>>;\n /* @deprecated use `scopes.persist` instead /\n shouldPersistScopes?: boolean;\n scopes?: OAuthAuthenticatorScopeOptions;\n initialize(ctx: { callbackUrl: string; config: Config }): TContext;\n start(\n input: OAuthAuthenticatorStartInput,\n ctx: TContext,\n ): Promise<{ url: string; status?: number }>;\n authenticate(\n input: OAuthAuthenticatorAuthenticateInput,\n ctx: TContext,\n ): Promise<OAuthAuthenticatorResult<TProfile>>;\n refresh(\n input: OAuthAuthenticatorRefreshInput,\n ctx: TContext,\n ): Promise<OAuthAuthenticatorResult<TProfile>>;\n logout?(input: OAuthAuthenticatorLogoutInput, ctx: TContext): Promise<void>;\n}\n\n/* @public */\nexport function createOAuthAuthenticator<TContext, TProfile>(\n authenticator: OAuthAuthenticator<TContext, TProfile>,\n): OAuthAuthenticator<TContext, TProfile> {\n return authenticator;\n}\n"],"names":[],"mappings":";;AA2GO,SAAS,yBACd,aACwC,EAAA;AACxC,EAAO,OAAA,aAAA;AACT;;;;"}

package/dist/passport/PassportHelpers.cjs.js CHANGED Viewed

@@ -50,8 +50,11 @@ class PassportHelpers {
     };
   };
   static async executeRedirectStrategy(req, providerStrategy, options) {
-    return new Promise((resolve) => {
+    return new Promise((resolve, reject) => {
       const strategy = Object.create(providerStrategy);
+      strategy.error = (error) => {
+        reject(new Error(`Authentication failed, ${error.message ?? ""}`));
+      };
       strategy.redirect = (url, status) => {
         resolve({ url, status: status ?? void 0 });
       };

package/dist/passport/PassportHelpers.cjs.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"PassportHelpers.cjs.js","sources":["../../src/passport/PassportHelpers.ts"],"sourcesContent":["/\n Copyright 2023 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { Request } from 'express';\nimport { decodeJwt } from 'jose';\nimport { Strategy } from 'passport';\nimport { PassportProfile } from './types';\nimport { ProfileInfo } from '../types';\nimport { ForwardedError } from '@backstage/errors';\n\n// Re-declared here to avoid direct dependency on passport-oauth2\n/* @internal /\ninterface InternalOAuthError extends Error {\n oauthError?: {\n data?: string;\n };\n}\n\n/* @public /\nexport class PassportHelpers {\n private constructor() {}\n\n static transformProfile = (\n profile: PassportProfile,\n idToken?: string,\n ): ProfileInfo => {\n let email: string \| undefined = undefined;\n if (profile.emails && profile.emails.length > 0) {\n const [firstEmail] = profile.emails;\n email = firstEmail.value;\n } else if (profile.email) {\n // This is the case for Atlassian\n email = profile.email;\n }\n\n let picture: string \| undefined = undefined;\n if (profile.avatarUrl) {\n picture = profile.avatarUrl;\n } else if (profile.photos && profile.photos.length > 0) {\n const [firstPhoto] = profile.photos;\n picture = firstPhoto.value;\n } else if (profile.photo) {\n // This is the case for Atlassian\n picture = profile.photo;\n }\n\n let displayName: string \| undefined =\n profile.displayName ?? profile.username ?? profile.id;\n\n if ((!email \|\| !picture \|\| !displayName) && idToken) {\n try {\n const decoded = decodeJwt(idToken) as {\n email?: string;\n name?: string;\n picture?: string;\n };\n if (!email && decoded.email) {\n email = decoded.email;\n }\n if (!picture && decoded.picture) {\n picture = decoded.picture;\n }\n if (!displayName && decoded.name) {\n displayName = decoded.name;\n }\n } catch (e) {\n throw new ForwardedError(\n `Failed to parse id token and get profile info`,\n e,\n );\n }\n }\n\n return {\n email,\n picture,\n displayName,\n };\n };\n\n static async executeRedirectStrategy(\n req: Request,\n providerStrategy: Strategy,\n options: Record<string, string>,\n ): Promise<{\n /\n URL to redirect to\n /\n url: string;\n /\n Status code to use for the redirect\n /\n status?: number;\n }> {\n return new Promise(resolve => {\n const strategy = Object.create(providerStrategy);\n strategy.redirect = (url: string, status?: number) => {\n resolve({ url, status: status ?? undefined });\n };\n\n strategy.authenticate(req, { ...options });\n });\n }\n\n static async executeFrameHandlerStrategy<TResult, TPrivateInfo = never>(\n req: Request,\n providerStrategy: Strategy,\n options?: Record<string, string>,\n ): Promise<{ result: TResult; privateInfo: TPrivateInfo }> {\n return new Promise((resolve, reject) => {\n const strategy = Object.create(providerStrategy);\n strategy.success = (result: any, privateInfo: any) => {\n resolve({ result, privateInfo });\n };\n strategy.fail = (\n info: { type: 'success' \| 'error'; message?: string },\n // _status: number,\n ) => {\n reject(new Error(`Authentication rejected, ${info.message ?? ''}`));\n };\n strategy.error = (error: InternalOAuthError) => {\n let message = `Authentication failed, ${error.message}`;\n\n if (error.oauthError?.data) {\n try {\n const errorData = JSON.parse(error.oauthError.data);\n\n if (errorData.message) {\n message += ` - ${errorData.message}`;\n }\n } catch (parseError) {\n message += ` - ${error.oauthError}`;\n }\n }\n\n reject(new Error(message));\n };\n strategy.redirect = () => {\n reject(new Error('Unexpected redirect'));\n };\n strategy.authenticate(req, { ...(options ?? {}) });\n });\n }\n\n static async executeRefreshTokenStrategy(\n providerStrategy: Strategy,\n refreshToken: string,\n scope: string,\n ): Promise<{\n /\n An access token issued for the signed in user.\n /\n accessToken: string;\n /\n Optionally, the server can issue a new Refresh Token for the user\n */\n refreshToken?: string;\n params: any;\n }> {\n return new Promise((resolve, reject) => {\n const anyStrategy = providerStrategy as any;\n const OAuth2 = anyStrategy._oauth2.constructor;\n const oauth2 = new OAuth2(\n anyStrategy._oauth2._clientId,\n anyStrategy._oauth2._clientSecret,\n anyStrategy._oauth2._baseSite,\n anyStrategy._oauth2._authorizeUrl,\n anyStrategy._refreshURL \|\| anyStrategy._oauth2._accessTokenUrl,\n anyStrategy._oauth2._customHeaders,\n );\n\n oauth2.getOAuthAccessToken(\n refreshToken,\n {\n scope,\n grant_type: 'refresh_token',\n },\n (\n err: Error \| null,\n accessToken: string,\n newRefreshToken: string,\n params: any,\n ) => {\n if (err) {\n reject(new ForwardedError(`Failed to refresh access token`, err));\n }\n if (!accessToken) {\n reject(\n new Error(\n `Failed to refresh access token, no access token received`,\n ),\n );\n }\n\n resolve({\n accessToken,\n refreshToken: newRefreshToken,\n params,\n });\n },\n );\n });\n }\n\n static async executeFetchUserProfileStrategy(\n providerStrategy: Strategy,\n accessToken: string,\n ): Promise<PassportProfile> {\n return new Promise((resolve, reject) => {\n const anyStrategy = providerStrategy as unknown as {\n userProfile(accessToken: string, callback: Function): void;\n };\n anyStrategy.userProfile(\n accessToken,\n (error: Error, rawProfile: PassportProfile) => {\n if (error) {\n reject(error);\n } else {\n resolve(rawProfile);\n }\n },\n );\n });\n }\n}\n"],"names":["decodeJwt","ForwardedError"],"mappings":";;;;;AAgCO,MAAM,eAAgB,CAAA;AAAA,EACnB,WAAc,GAAA;AAAA;AAAC,EAEvB,OAAO,gBAAA,GAAmB,CACxB,OAAA,EACA,OACgB,KAAA;AAChB,IAAA,IAAI,KAA4B,GAAA,KAAA,CAAA;AAChC,IAAA,IAAI,OAAQ,CAAA,MAAA,IAAU,OAAQ,CAAA,MAAA,CAAO,SAAS,CAAG,EAAA;AAC/C,MAAM,MAAA,CAAC,UAAU,CAAA,GAAI,OAAQ,CAAA,MAAA;AAC7B,MAAA,KAAA,GAAQ,UAAW,CAAA,KAAA;AAAA,KACrB,MAAA,IAAW,QAAQ,KAAO,EAAA;AAExB,MAAA,KAAA,GAAQ,OAAQ,CAAA,KAAA;AAAA;AAGlB,IAAA,IAAI,OAA8B,GAAA,KAAA,CAAA;AAClC,IAAA,IAAI,QAAQ,SAAW,EAAA;AACrB,MAAA,OAAA,GAAU,OAAQ,CAAA,SAAA;AAAA,eACT,OAAQ,CAAA,MAAA,IAAU,OAAQ,CAAA,MAAA,CAAO,SAAS,CAAG,EAAA;AACtD,MAAM,MAAA,CAAC,UAAU,CAAA,GAAI,OAAQ,CAAA,MAAA;AAC7B,MAAA,OAAA,GAAU,UAAW,CAAA,KAAA;AAAA,KACvB,MAAA,IAAW,QAAQ,KAAO,EAAA;AAExB,MAAA,OAAA,GAAU,OAAQ,CAAA,KAAA;AAAA;AAGpB,IAAA,IAAI,WACF,GAAA,OAAA,CAAQ,WAAe,IAAA,OAAA,CAAQ,YAAY,OAAQ,CAAA,EAAA;AAErD,IAAA,IAAA,CAAK,CAAC,KAAS,IAAA,CAAC,OAAW,IAAA,CAAC,gBAAgB,OAAS,EAAA;AACnD,MAAI,IAAA;AACF,QAAM,MAAA,OAAA,GAAUA,eAAU,OAAO,CAAA;AAKjC,QAAI,IAAA,CAAC,KAAS,IAAA,OAAA,CAAQ,KAAO,EAAA;AAC3B,UAAA,KAAA,GAAQ,OAAQ,CAAA,KAAA;AAAA;AAElB,QAAI,IAAA,CAAC,OAAW,IAAA,OAAA,CAAQ,OAAS,EAAA;AAC/B,UAAA,OAAA,GAAU,OAAQ,CAAA,OAAA;AAAA;AAEpB,QAAI,IAAA,CAAC,WAAe,IAAA,OAAA,CAAQ,IAAM,EAAA;AAChC,UAAA,WAAA,GAAc,OAAQ,CAAA,IAAA;AAAA;AACxB,eACO,CAAG,EAAA;AACV,QAAA,MAAM,IAAIC,qBAAA;AAAA,UACR,CAAA,6CAAA,CAAA;AAAA,UACA;AAAA,SACF;AAAA;AACF;AAGF,IAAO,OAAA;AAAA,MACL,KAAA;AAAA,MACA,OAAA;AAAA,MACA;AAAA,KACF;AAAA,GACF;AAAA,EAEA,aAAa,uBAAA,CACX,GACA,EAAA,gBAAA,EACA,OAUC,EAAA;AACD,IAAO,OAAA,IAAI,QAAQ,CAAW,OAAA,KAAA;AAC5B,MAAM,MAAA,QAAA,GAAW,MAAO,CAAA,MAAA,CAAO,gBAAgB,CAAA;AAC/C,MAAS,QAAA,CAAA,QAAA,GAAW,CAAC,GAAA,EAAa,MAAoB,KAAA;AACpD,QAAA,OAAA,CAAQ,EAAE,GAAA,EAAK,MAAQ,EAAA,MAAA,IAAU,QAAW,CAAA;AAAA,OAC9C;AAEA,MAAA,QAAA,CAAS,YAAa,CAAA,GAAA,EAAK,EAAE,GAAG,SAAS,CAAA;AAAA,KAC1C,CAAA;AAAA;AACH,EAEA,aAAa,2BAAA,CACX,GACA,EAAA,gBAAA,EACA,OACyD,EAAA;AACzD,IAAA,OAAO,IAAI,OAAA,CAAQ,CAAC,OAAA,EAAS,MAAW,KAAA;AACtC,MAAM,MAAA,QAAA,GAAW,MAAO,CAAA,MAAA,CAAO,gBAAgB,CAAA;AAC/C,MAAS,QAAA,CAAA,OAAA,GAAU,CAAC,MAAA,EAAa,WAAqB,KAAA;AACpD,QAAQ,OAAA,CAAA,EAAE,MAAQ,EAAA,WAAA,EAAa,CAAA;AAAA,OACjC;AACA,MAAS,QAAA,CAAA,IAAA,GAAO,CACd,IAEG,KAAA;AACH,QAAA,MAAA,CAAO,IAAI,KAAM,CAAA,CAAA,yBAAA,EAA4B,KAAK,OAAW,IAAA,EAAE,EAAE,CAAC,CAAA;AAAA,OACpE;AACA,MAAS,QAAA,CAAA,KAAA,GAAQ,CAAC,KAA8B,KAAA;AAC9C,QAAI,IAAA,OAAA,GAAU,CAA0B,uBAAA,EAAA,KAAA,CAAM,OAAO,CAAA,CAAA;AAErD,QAAI,IAAA,KAAA,CAAM,YAAY,IAAM,EAAA;AAC1B,UAAI,IAAA;AACF,YAAA,MAAM,SAAY,GAAA,IAAA,CAAK,KAAM,CAAA,KAAA,CAAM,WAAW,IAAI,CAAA;AAElD,YAAA,IAAI,UAAU,OAAS,EAAA;AACrB,cAAW,OAAA,IAAA,CAAA,GAAA,EAAM,UAAU,OAAO,CAAA,CAAA;AAAA;AACpC,mBACO,UAAY,EAAA;AACnB,YAAW,OAAA,IAAA,CAAA,GAAA,EAAM,MAAM,UAAU,CAAA,CAAA;AAAA;AACnC;AAGF,QAAO,MAAA,CAAA,IAAI,KAAM,CAAA,OAAO,CAAC,CAAA;AAAA,OAC3B;AACA,MAAA,QAAA,CAAS,WAAW,MAAM;AACxB,QAAO,MAAA,CAAA,IAAI,KAAM,CAAA,qBAAqB,CAAC,CAAA;AAAA,OACzC;AACA,MAAA,QAAA,CAAS,aAAa,GAAK,EAAA,EAAE,GAAI,OAAW,IAAA,IAAK,CAAA;AAAA,KAClD,CAAA;AAAA;AACH,EAEA,aAAa,2BAAA,CACX,gBACA,EAAA,YAAA,EACA,KAWC,EAAA;AACD,IAAA,OAAO,IAAI,OAAA,CAAQ,CAAC,OAAA,EAAS,MAAW,KAAA;AACtC,MAAA,MAAM,WAAc,GAAA,gBAAA;AACpB,MAAM,MAAA,MAAA,GAAS,YAAY,OAAQ,CAAA,WAAA;AACnC,MAAA,MAAM,SAAS,IAAI,MAAA;AAAA,QACjB,YAAY,OAAQ,CAAA,SAAA;AAAA,QACpB,YAAY,OAAQ,CAAA,aAAA;AAAA,QACpB,YAAY,OAAQ,CAAA,SAAA;AAAA,QACpB,YAAY,OAAQ,CAAA,aAAA;AAAA,QACpB,WAAA,CAAY,WAAe,IAAA,WAAA,CAAY,OAAQ,CAAA,eAAA;AAAA,QAC/C,YAAY,OAAQ,CAAA;AAAA,OACtB;AAEA,MAAO,MAAA,CAAA,mBAAA;AAAA,QACL,YAAA;AAAA,QACA;AAAA,UACE,KAAA;AAAA,UACA,UAAY,EAAA;AAAA,SACd;AAAA,QACA,CACE,GAAA,EACA,WACA,EAAA,eAAA,EACA,MACG,KAAA;AACH,UAAA,IAAI,GAAK,EAAA;AACP,YAAA,MAAA,CAAO,IAAIA,qBAAA,CAAe,CAAkC,8BAAA,CAAA,EAAA,GAAG,CAAC,CAAA;AAAA;AAElE,UAAA,IAAI,CAAC,WAAa,EAAA;AAChB,YAAA,MAAA;AAAA,cACE,IAAI,KAAA;AAAA,gBACF,CAAA,wDAAA;AAAA;AACF,aACF;AAAA;AAGF,UAAQ,OAAA,CAAA;AAAA,YACN,WAAA;AAAA,YACA,YAAc,EAAA,eAAA;AAAA,YACd;AAAA,WACD,CAAA;AAAA;AACH,OACF;AAAA,KACD,CAAA;AAAA;AACH,EAEA,aAAa,+BACX,CAAA,gBAAA,EACA,WAC0B,EAAA;AAC1B,IAAA,OAAO,IAAI,OAAA,CAAQ,CAAC,OAAA,EAAS,MAAW,KAAA;AACtC,MAAA,MAAM,WAAc,GAAA,gBAAA;AAGpB,MAAY,WAAA,CAAA,WAAA;AAAA,QACV,WAAA;AAAA,QACA,CAAC,OAAc,UAAgC,KAAA;AAC7C,UAAA,IAAI,KAAO,EAAA;AACT,YAAA,MAAA,CAAO,KAAK,CAAA;AAAA,WACP,MAAA;AACL,YAAA,OAAA,CAAQ,UAAU,CAAA;AAAA;AACpB;AACF,OACF;AAAA,KACD,CAAA;AAAA;AAEL;;;;"}
1	+ {"version":3,"file":"PassportHelpers.cjs.js","sources":["../../src/passport/PassportHelpers.ts"],"sourcesContent":["/\n Copyright 2023 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { Request } from 'express';\nimport { decodeJwt } from 'jose';\nimport { Strategy } from 'passport';\nimport { PassportProfile } from './types';\nimport { ProfileInfo } from '../types';\nimport { ForwardedError } from '@backstage/errors';\n\n// Re-declared here to avoid direct dependency on passport-oauth2\n/* @internal /\ninterface InternalOAuthError extends Error {\n oauthError?: {\n data?: string;\n };\n}\n\n/* @public /\nexport class PassportHelpers {\n private constructor() {}\n\n static transformProfile = (\n profile: PassportProfile,\n idToken?: string,\n ): ProfileInfo => {\n let email: string \| undefined = undefined;\n if (profile.emails && profile.emails.length > 0) {\n const [firstEmail] = profile.emails;\n email = firstEmail.value;\n } else if (profile.email) {\n // This is the case for Atlassian\n email = profile.email;\n }\n\n let picture: string \| undefined = undefined;\n if (profile.avatarUrl) {\n picture = profile.avatarUrl;\n } else if (profile.photos && profile.photos.length > 0) {\n const [firstPhoto] = profile.photos;\n picture = firstPhoto.value;\n } else if (profile.photo) {\n // This is the case for Atlassian\n picture = profile.photo;\n }\n\n let displayName: string \| undefined =\n profile.displayName ?? profile.username ?? profile.id;\n\n if ((!email \|\| !picture \|\| !displayName) && idToken) {\n try {\n const decoded = decodeJwt(idToken) as {\n email?: string;\n name?: string;\n picture?: string;\n };\n if (!email && decoded.email) {\n email = decoded.email;\n }\n if (!picture && decoded.picture) {\n picture = decoded.picture;\n }\n if (!displayName && decoded.name) {\n displayName = decoded.name;\n }\n } catch (e) {\n throw new ForwardedError(\n `Failed to parse id token and get profile info`,\n e,\n );\n }\n }\n\n return {\n email,\n picture,\n displayName,\n };\n };\n\n static async executeRedirectStrategy(\n req: Request,\n providerStrategy: Strategy,\n options: Record<string, string>,\n ): Promise<{\n /\n URL to redirect to\n /\n url: string;\n /\n Status code to use for the redirect\n /\n status?: number;\n }> {\n return new Promise((resolve, reject) => {\n const strategy = Object.create(providerStrategy);\n strategy.error = (error: Error) => {\n reject(new Error(`Authentication failed, ${error.message ?? ''}`));\n };\n strategy.redirect = (url: string, status?: number) => {\n resolve({ url, status: status ?? undefined });\n };\n\n strategy.authenticate(req, { ...options });\n });\n }\n\n static async executeFrameHandlerStrategy<TResult, TPrivateInfo = never>(\n req: Request,\n providerStrategy: Strategy,\n options?: Record<string, string>,\n ): Promise<{ result: TResult; privateInfo: TPrivateInfo }> {\n return new Promise((resolve, reject) => {\n const strategy = Object.create(providerStrategy);\n strategy.success = (result: any, privateInfo: any) => {\n resolve({ result, privateInfo });\n };\n strategy.fail = (\n info: { type: 'success' \| 'error'; message?: string },\n // _status: number,\n ) => {\n reject(new Error(`Authentication rejected, ${info.message ?? ''}`));\n };\n strategy.error = (error: InternalOAuthError) => {\n let message = `Authentication failed, ${error.message}`;\n\n if (error.oauthError?.data) {\n try {\n const errorData = JSON.parse(error.oauthError.data);\n\n if (errorData.message) {\n message += ` - ${errorData.message}`;\n }\n } catch (parseError) {\n message += ` - ${error.oauthError}`;\n }\n }\n\n reject(new Error(message));\n };\n strategy.redirect = () => {\n reject(new Error('Unexpected redirect'));\n };\n strategy.authenticate(req, { ...(options ?? {}) });\n });\n }\n\n static async executeRefreshTokenStrategy(\n providerStrategy: Strategy,\n refreshToken: string,\n scope: string,\n ): Promise<{\n /\n An access token issued for the signed in user.\n /\n accessToken: string;\n /\n Optionally, the server can issue a new Refresh Token for the user\n */\n refreshToken?: string;\n params: any;\n }> {\n return new Promise((resolve, reject) => {\n const anyStrategy = providerStrategy as any;\n const OAuth2 = anyStrategy._oauth2.constructor;\n const oauth2 = new OAuth2(\n anyStrategy._oauth2._clientId,\n anyStrategy._oauth2._clientSecret,\n anyStrategy._oauth2._baseSite,\n anyStrategy._oauth2._authorizeUrl,\n anyStrategy._refreshURL \|\| anyStrategy._oauth2._accessTokenUrl,\n anyStrategy._oauth2._customHeaders,\n );\n\n oauth2.getOAuthAccessToken(\n refreshToken,\n {\n scope,\n grant_type: 'refresh_token',\n },\n (\n err: Error \| null,\n accessToken: string,\n newRefreshToken: string,\n params: any,\n ) => {\n if (err) {\n reject(new ForwardedError(`Failed to refresh access token`, err));\n }\n if (!accessToken) {\n reject(\n new Error(\n `Failed to refresh access token, no access token received`,\n ),\n );\n }\n\n resolve({\n accessToken,\n refreshToken: newRefreshToken,\n params,\n });\n },\n );\n });\n }\n\n static async executeFetchUserProfileStrategy(\n providerStrategy: Strategy,\n accessToken: string,\n ): Promise<PassportProfile> {\n return new Promise((resolve, reject) => {\n const anyStrategy = providerStrategy as unknown as {\n userProfile(accessToken: string, callback: Function): void;\n };\n anyStrategy.userProfile(\n accessToken,\n (error: Error, rawProfile: PassportProfile) => {\n if (error) {\n reject(error);\n } else {\n resolve(rawProfile);\n }\n },\n );\n });\n }\n}\n"],"names":["decodeJwt","ForwardedError"],"mappings":";;;;;AAgCO,MAAM,eAAgB,CAAA;AAAA,EACnB,WAAc,GAAA;AAAA;AAAC,EAEvB,OAAO,gBAAA,GAAmB,CACxB,OAAA,EACA,OACgB,KAAA;AAChB,IAAA,IAAI,KAA4B,GAAA,KAAA,CAAA;AAChC,IAAA,IAAI,OAAQ,CAAA,MAAA,IAAU,OAAQ,CAAA,MAAA,CAAO,SAAS,CAAG,EAAA;AAC/C,MAAM,MAAA,CAAC,UAAU,CAAA,GAAI,OAAQ,CAAA,MAAA;AAC7B,MAAA,KAAA,GAAQ,UAAW,CAAA,KAAA;AAAA,KACrB,MAAA,IAAW,QAAQ,KAAO,EAAA;AAExB,MAAA,KAAA,GAAQ,OAAQ,CAAA,KAAA;AAAA;AAGlB,IAAA,IAAI,OAA8B,GAAA,KAAA,CAAA;AAClC,IAAA,IAAI,QAAQ,SAAW,EAAA;AACrB,MAAA,OAAA,GAAU,OAAQ,CAAA,SAAA;AAAA,eACT,OAAQ,CAAA,MAAA,IAAU,OAAQ,CAAA,MAAA,CAAO,SAAS,CAAG,EAAA;AACtD,MAAM,MAAA,CAAC,UAAU,CAAA,GAAI,OAAQ,CAAA,MAAA;AAC7B,MAAA,OAAA,GAAU,UAAW,CAAA,KAAA;AAAA,KACvB,MAAA,IAAW,QAAQ,KAAO,EAAA;AAExB,MAAA,OAAA,GAAU,OAAQ,CAAA,KAAA;AAAA;AAGpB,IAAA,IAAI,WACF,GAAA,OAAA,CAAQ,WAAe,IAAA,OAAA,CAAQ,YAAY,OAAQ,CAAA,EAAA;AAErD,IAAA,IAAA,CAAK,CAAC,KAAS,IAAA,CAAC,OAAW,IAAA,CAAC,gBAAgB,OAAS,EAAA;AACnD,MAAI,IAAA;AACF,QAAM,MAAA,OAAA,GAAUA,eAAU,OAAO,CAAA;AAKjC,QAAI,IAAA,CAAC,KAAS,IAAA,OAAA,CAAQ,KAAO,EAAA;AAC3B,UAAA,KAAA,GAAQ,OAAQ,CAAA,KAAA;AAAA;AAElB,QAAI,IAAA,CAAC,OAAW,IAAA,OAAA,CAAQ,OAAS,EAAA;AAC/B,UAAA,OAAA,GAAU,OAAQ,CAAA,OAAA;AAAA;AAEpB,QAAI,IAAA,CAAC,WAAe,IAAA,OAAA,CAAQ,IAAM,EAAA;AAChC,UAAA,WAAA,GAAc,OAAQ,CAAA,IAAA;AAAA;AACxB,eACO,CAAG,EAAA;AACV,QAAA,MAAM,IAAIC,qBAAA;AAAA,UACR,CAAA,6CAAA,CAAA;AAAA,UACA;AAAA,SACF;AAAA;AACF;AAGF,IAAO,OAAA;AAAA,MACL,KAAA;AAAA,MACA,OAAA;AAAA,MACA;AAAA,KACF;AAAA,GACF;AAAA,EAEA,aAAa,uBAAA,CACX,GACA,EAAA,gBAAA,EACA,OAUC,EAAA;AACD,IAAA,OAAO,IAAI,OAAA,CAAQ,CAAC,OAAA,EAAS,MAAW,KAAA;AACtC,MAAM,MAAA,QAAA,GAAW,MAAO,CAAA,MAAA,CAAO,gBAAgB,CAAA;AAC/C,MAAS,QAAA,CAAA,KAAA,GAAQ,CAAC,KAAiB,KAAA;AACjC,QAAA,MAAA,CAAO,IAAI,KAAM,CAAA,CAAA,uBAAA,EAA0B,MAAM,OAAW,IAAA,EAAE,EAAE,CAAC,CAAA;AAAA,OACnE;AACA,MAAS,QAAA,CAAA,QAAA,GAAW,CAAC,GAAA,EAAa,MAAoB,KAAA;AACpD,QAAA,OAAA,CAAQ,EAAE,GAAA,EAAK,MAAQ,EAAA,MAAA,IAAU,QAAW,CAAA;AAAA,OAC9C;AAEA,MAAA,QAAA,CAAS,YAAa,CAAA,GAAA,EAAK,EAAE,GAAG,SAAS,CAAA;AAAA,KAC1C,CAAA;AAAA;AACH,EAEA,aAAa,2BAAA,CACX,GACA,EAAA,gBAAA,EACA,OACyD,EAAA;AACzD,IAAA,OAAO,IAAI,OAAA,CAAQ,CAAC,OAAA,EAAS,MAAW,KAAA;AACtC,MAAM,MAAA,QAAA,GAAW,MAAO,CAAA,MAAA,CAAO,gBAAgB,CAAA;AAC/C,MAAS,QAAA,CAAA,OAAA,GAAU,CAAC,MAAA,EAAa,WAAqB,KAAA;AACpD,QAAQ,OAAA,CAAA,EAAE,MAAQ,EAAA,WAAA,EAAa,CAAA;AAAA,OACjC;AACA,MAAS,QAAA,CAAA,IAAA,GAAO,CACd,IAEG,KAAA;AACH,QAAA,MAAA,CAAO,IAAI,KAAM,CAAA,CAAA,yBAAA,EAA4B,KAAK,OAAW,IAAA,EAAE,EAAE,CAAC,CAAA;AAAA,OACpE;AACA,MAAS,QAAA,CAAA,KAAA,GAAQ,CAAC,KAA8B,KAAA;AAC9C,QAAI,IAAA,OAAA,GAAU,CAA0B,uBAAA,EAAA,KAAA,CAAM,OAAO,CAAA,CAAA;AAErD,QAAI,IAAA,KAAA,CAAM,YAAY,IAAM,EAAA;AAC1B,UAAI,IAAA;AACF,YAAA,MAAM,SAAY,GAAA,IAAA,CAAK,KAAM,CAAA,KAAA,CAAM,WAAW,IAAI,CAAA;AAElD,YAAA,IAAI,UAAU,OAAS,EAAA;AACrB,cAAW,OAAA,IAAA,CAAA,GAAA,EAAM,UAAU,OAAO,CAAA,CAAA;AAAA;AACpC,mBACO,UAAY,EAAA;AACnB,YAAW,OAAA,IAAA,CAAA,GAAA,EAAM,MAAM,UAAU,CAAA,CAAA;AAAA;AACnC;AAGF,QAAO,MAAA,CAAA,IAAI,KAAM,CAAA,OAAO,CAAC,CAAA;AAAA,OAC3B;AACA,MAAA,QAAA,CAAS,WAAW,MAAM;AACxB,QAAO,MAAA,CAAA,IAAI,KAAM,CAAA,qBAAqB,CAAC,CAAA;AAAA,OACzC;AACA,MAAA,QAAA,CAAS,aAAa,GAAK,EAAA,EAAE,GAAI,OAAW,IAAA,IAAK,CAAA;AAAA,KAClD,CAAA;AAAA;AACH,EAEA,aAAa,2BAAA,CACX,gBACA,EAAA,YAAA,EACA,KAWC,EAAA;AACD,IAAA,OAAO,IAAI,OAAA,CAAQ,CAAC,OAAA,EAAS,MAAW,KAAA;AACtC,MAAA,MAAM,WAAc,GAAA,gBAAA;AACpB,MAAM,MAAA,MAAA,GAAS,YAAY,OAAQ,CAAA,WAAA;AACnC,MAAA,MAAM,SAAS,IAAI,MAAA;AAAA,QACjB,YAAY,OAAQ,CAAA,SAAA;AAAA,QACpB,YAAY,OAAQ,CAAA,aAAA;AAAA,QACpB,YAAY,OAAQ,CAAA,SAAA;AAAA,QACpB,YAAY,OAAQ,CAAA,aAAA;AAAA,QACpB,WAAA,CAAY,WAAe,IAAA,WAAA,CAAY,OAAQ,CAAA,eAAA;AAAA,QAC/C,YAAY,OAAQ,CAAA;AAAA,OACtB;AAEA,MAAO,MAAA,CAAA,mBAAA;AAAA,QACL,YAAA;AAAA,QACA;AAAA,UACE,KAAA;AAAA,UACA,UAAY,EAAA;AAAA,SACd;AAAA,QACA,CACE,GAAA,EACA,WACA,EAAA,eAAA,EACA,MACG,KAAA;AACH,UAAA,IAAI,GAAK,EAAA;AACP,YAAA,MAAA,CAAO,IAAIA,qBAAA,CAAe,CAAkC,8BAAA,CAAA,EAAA,GAAG,CAAC,CAAA;AAAA;AAElE,UAAA,IAAI,CAAC,WAAa,EAAA;AAChB,YAAA,MAAA;AAAA,cACE,IAAI,KAAA;AAAA,gBACF,CAAA,wDAAA;AAAA;AACF,aACF;AAAA;AAGF,UAAQ,OAAA,CAAA;AAAA,YACN,WAAA;AAAA,YACA,YAAc,EAAA,eAAA;AAAA,YACd;AAAA,WACD,CAAA;AAAA;AACH,OACF;AAAA,KACD,CAAA;AAAA;AACH,EAEA,aAAa,+BACX,CAAA,gBAAA,EACA,WAC0B,EAAA;AAC1B,IAAA,OAAO,IAAI,OAAA,CAAQ,CAAC,OAAA,EAAS,MAAW,KAAA;AACtC,MAAA,MAAM,WAAc,GAAA,gBAAA;AAGpB,MAAY,WAAA,CAAA,WAAA;AAAA,QACV,WAAA;AAAA,QACA,CAAC,OAAc,UAAgC,KAAA;AAC7C,UAAA,IAAI,KAAO,EAAA;AACT,YAAA,MAAA,CAAO,KAAK,CAAA;AAAA,WACP,MAAA;AACL,YAAA,OAAA,CAAQ,UAAU,CAAA;AAAA;AACpB;AACF,OACF;AAAA,KACD,CAAA;AAAA;AAEL;;;;"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@backstage/plugin-auth-node",
-  "version": "0.6.0-next.1",
+  "version": "0.6.0",
   "backstage": {
     "role": "node-library",
     "pluginId": "auth",
@@ -37,12 +37,12 @@
     "test": "backstage-cli package test"
   },
   "dependencies": {
-    "@backstage/backend-plugin-api": "1.2.0-next.1",
-    "@backstage/catalog-client": "1.9.1",
-    "@backstage/catalog-model": "1.7.3",
-    "@backstage/config": "1.3.2",
-    "@backstage/errors": "1.2.7",
-    "@backstage/types": "1.2.1",
+    "@backstage/backend-plugin-api": "^1.2.0",
+    "@backstage/catalog-client": "^1.9.1",
+    "@backstage/catalog-model": "^1.7.3",
+    "@backstage/config": "^1.3.2",
+    "@backstage/errors": "^1.2.7",
+    "@backstage/types": "^1.2.1",
     "@types/express": "^4.17.6",
     "@types/passport": "^1.0.3",
     "express": "^4.17.1",
@@ -54,9 +54,9 @@
     "zod-validation-error": "^3.4.0"
   },
   "devDependencies": {
-    "@backstage/backend-defaults": "0.8.0-next.2",
-    "@backstage/backend-test-utils": "1.3.0-next.2",
-    "@backstage/cli": "0.30.0-next.2",
+    "@backstage/backend-defaults": "^0.8.0",
+    "@backstage/backend-test-utils": "^1.3.0",
+    "@backstage/cli": "^0.30.0",
     "cookie-parser": "^1.4.6",
     "express-promise-router": "^4.1.1",
     "lodash": "^4.17.21",