@backstage/plugin-auth-node 0.6.3-next.0 → 0.6.3-next.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (6) hide show
  1. package/CHANGELOG.md +16 -0
  2. package/dist/identity/prepareBackstageIdentityResponse.cjs.js +1 -1
  3. package/dist/identity/prepareBackstageIdentityResponse.cjs.js.map +1 -1
  4. package/dist/index.d.ts +6 -3
  5. package/dist/types.cjs.js.map +1 -1
  6. package/package.json +5 -5
package/CHANGELOG.md CHANGED
@@ -1,5 +1,21 @@
1
1
  # @backstage/plugin-auth-node
2
2
 
3
+ ## 0.6.3-next.1
4
+
5
+ ### Patch Changes
6
+
7
+ - 332e934: Added the `identity` property to `BackstageSignInResult`.
8
+
9
+ The `prepareBackstageIdentityResponse` function will now also forward the `identity` to the response if present in the provided sign-in result.
10
+
11
+ - Updated dependencies
12
+ - @backstage/backend-plugin-api@1.3.1-next.1
13
+ - @backstage/catalog-client@1.10.0-next.0
14
+ - @backstage/catalog-model@1.7.3
15
+ - @backstage/config@1.3.2
16
+ - @backstage/errors@1.2.7
17
+ - @backstage/types@1.2.1
18
+
3
19
  ## 0.6.3-next.0
4
20
 
5
21
  ### Patch Changes
package/dist/identity/prepareBackstageIdentityResponse.cjs.js CHANGED
@@ -24,7 +24,7 @@ function prepareBackstageIdentityResponse(result) {
24
24
  return {
25
25
  ...result,
26
26
  expiresInSeconds: exp,
27
- identity: {
27
+ identity: result.identity ?? {
28
28
  type: "user",
29
29
  userEntityRef: sub,
30
30
  ownershipEntityRefs: ent
package/dist/identity/prepareBackstageIdentityResponse.cjs.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"prepareBackstageIdentityResponse.cjs.js","sources":["../../src/identity/prepareBackstageIdentityResponse.ts"],"sourcesContent":["/*\n * Copyright 2020 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { InputError } from '@backstage/errors';\nimport {\n BackstageIdentityResponse,\n BackstageSignInResult,\n} from '@backstage/plugin-auth-node';\n\nfunction parseJwtPayload(token: string) {\n const [_header, payload, _signature] = token.split('.');\n return JSON.parse(Buffer.from(payload, 'base64').toString());\n}\n\n/**\n * Parses a Backstage-issued token and decorates the\n * {@link @backstage/plugin-auth-node#BackstageIdentityResponse} with identity information sourced from the\n * token.\n *\n * @public\n */\nexport function prepareBackstageIdentityResponse(\n result: BackstageSignInResult,\n): BackstageIdentityResponse {\n if (!result.token) {\n throw new InputError(`Identity response must return a token`);\n }\n\n const { sub, ent = [], exp: expStr } = parseJwtPayload(result.token);\n if (!sub) {\n throw new InputError(\n `Identity response must return a token with subject claim`,\n );\n }\n\n const expAt = Number(expStr);\n\n // Default to 1 hour if no expiration is set, in particular to make testing simpler\n const exp = expAt ? Math.round(expAt - Date.now() / 1000) : undefined;\n if (exp && exp < 0) {\n throw new InputError(`Identity response must not return an expired token`);\n }\n\n return {\n ...result,\n expiresInSeconds: exp,\n identity: {\n type: 'user',\n userEntityRef: sub,\n ownershipEntityRefs: ent,\n },\n };\n}\n"],"names":["InputError"],"mappings":";;;;AAsBA,SAAS,gBAAgB,KAAe,EAAA;AACtC,EAAA,MAAM,CAAC,OAAS,EAAA,OAAA,EAAS,UAAU,CAAI,GAAA,KAAA,CAAM,MAAM,GAAG,CAAA;AACtD,EAAO,OAAA,IAAA,CAAK,MAAM,MAAO,CAAA,IAAA,CAAK,SAAS,QAAQ,CAAA,CAAE,UAAU,CAAA;AAC7D;AASO,SAAS,iCACd,MAC2B,EAAA;AAC3B,EAAI,IAAA,CAAC,OAAO,KAAO,EAAA;AACjB,IAAM,MAAA,IAAIA,kBAAW,CAAuC,qCAAA,CAAA,CAAA;AAAA;AAG9D,EAAM,MAAA,EAAE,GAAK,EAAA,GAAA,GAAM,EAAC,EAAG,KAAK,MAAO,EAAA,GAAI,eAAgB,CAAA,MAAA,CAAO,KAAK,CAAA;AACnE,EAAA,IAAI,CAAC,GAAK,EAAA;AACR,IAAA,MAAM,IAAIA,iBAAA;AAAA,MACR,CAAA,wDAAA;AAAA,KACF;AAAA;AAGF,EAAM,MAAA,KAAA,GAAQ,OAAO,MAAM,CAAA;AAG3B,EAAM,MAAA,GAAA,GAAM,QAAQ,IAAK,CAAA,KAAA,CAAM,QAAQ,IAAK,CAAA,GAAA,EAAQ,GAAA,GAAI,CAAI,GAAA,KAAA,CAAA;AAC5D,EAAI,IAAA,GAAA,IAAO,MAAM,CAAG,EAAA;AAClB,IAAM,MAAA,IAAIA,kBAAW,CAAoD,kDAAA,CAAA,CAAA;AAAA;AAG3E,EAAO,OAAA;AAAA,IACL,GAAG,MAAA;AAAA,IACH,gBAAkB,EAAA,GAAA;AAAA,IAClB,QAAU,EAAA;AAAA,MACR,IAAM,EAAA,MAAA;AAAA,MACN,aAAe,EAAA,GAAA;AAAA,MACf,mBAAqB,EAAA;AAAA;AACvB,GACF;AACF;;;;"}
1
+ {"version":3,"file":"prepareBackstageIdentityResponse.cjs.js","sources":["../../src/identity/prepareBackstageIdentityResponse.ts"],"sourcesContent":["/*\n * Copyright 2020 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { InputError } from '@backstage/errors';\nimport {\n BackstageIdentityResponse,\n BackstageSignInResult,\n} from '@backstage/plugin-auth-node';\n\nfunction parseJwtPayload(token: string) {\n const [_header, payload, _signature] = token.split('.');\n return JSON.parse(Buffer.from(payload, 'base64').toString());\n}\n\n/**\n * Parses a Backstage-issued token and decorates the\n * {@link @backstage/plugin-auth-node#BackstageIdentityResponse} with identity information sourced from the\n * token.\n *\n * @public\n */\nexport function prepareBackstageIdentityResponse(\n result: BackstageSignInResult,\n): BackstageIdentityResponse {\n if (!result.token) {\n throw new InputError(`Identity response must return a token`);\n }\n\n const { sub, ent = [], exp: expStr } = parseJwtPayload(result.token);\n if (!sub) {\n throw new InputError(\n `Identity response must return a token with subject claim`,\n );\n }\n\n const expAt = Number(expStr);\n\n // Default to 1 hour if no expiration is set, in particular to make testing simpler\n const exp = expAt ? Math.round(expAt - Date.now() / 1000) : undefined;\n if (exp && exp < 0) {\n throw new InputError(`Identity response must not return an expired token`);\n }\n\n return {\n ...result,\n expiresInSeconds: exp,\n identity: result.identity ?? {\n type: 'user',\n userEntityRef: sub,\n ownershipEntityRefs: ent,\n },\n };\n}\n"],"names":["InputError"],"mappings":";;;;AAsBA,SAAS,gBAAgB,KAAe,EAAA;AACtC,EAAA,MAAM,CAAC,OAAS,EAAA,OAAA,EAAS,UAAU,CAAI,GAAA,KAAA,CAAM,MAAM,GAAG,CAAA;AACtD,EAAO,OAAA,IAAA,CAAK,MAAM,MAAO,CAAA,IAAA,CAAK,SAAS,QAAQ,CAAA,CAAE,UAAU,CAAA;AAC7D;AASO,SAAS,iCACd,MAC2B,EAAA;AAC3B,EAAI,IAAA,CAAC,OAAO,KAAO,EAAA;AACjB,IAAM,MAAA,IAAIA,kBAAW,CAAuC,qCAAA,CAAA,CAAA;AAAA;AAG9D,EAAM,MAAA,EAAE,GAAK,EAAA,GAAA,GAAM,EAAC,EAAG,KAAK,MAAO,EAAA,GAAI,eAAgB,CAAA,MAAA,CAAO,KAAK,CAAA;AACnE,EAAA,IAAI,CAAC,GAAK,EAAA;AACR,IAAA,MAAM,IAAIA,iBAAA;AAAA,MACR,CAAA,wDAAA;AAAA,KACF;AAAA;AAGF,EAAM,MAAA,KAAA,GAAQ,OAAO,MAAM,CAAA;AAG3B,EAAM,MAAA,GAAA,GAAM,QAAQ,IAAK,CAAA,KAAA,CAAM,QAAQ,IAAK,CAAA,GAAA,EAAQ,GAAA,GAAI,CAAI,GAAA,KAAA,CAAA;AAC5D,EAAI,IAAA,GAAA,IAAO,MAAM,CAAG,EAAA;AAClB,IAAM,MAAA,IAAIA,kBAAW,CAAoD,kDAAA,CAAA,CAAA;AAAA;AAG3E,EAAO,OAAA;AAAA,IACL,GAAG,MAAA;AAAA,IACH,gBAAkB,EAAA,GAAA;AAAA,IAClB,QAAA,EAAU,OAAO,QAAY,IAAA;AAAA,MAC3B,IAAM,EAAA,MAAA;AAAA,MACN,aAAe,EAAA,GAAA;AAAA,MACf,mBAAqB,EAAA;AAAA;AACvB,GACF;AACF;;;;"}
package/dist/index.d.ts CHANGED
@@ -22,6 +22,11 @@ interface BackstageSignInResult {
22
22
  * The token used to authenticate the user within Backstage.
23
23
  */
24
24
  token: string;
25
+ /**
26
+ * Identity information to pass to the client rather than using the
27
+ * information that's embeeded in the token.
28
+ */
29
+ identity?: BackstageUserIdentity;
25
30
  }
26
31
  /**
27
32
  * Response object containing the {@link BackstageUserIdentity} and the token
@@ -116,9 +121,7 @@ type AuthResolverContext = {
116
121
  /**
117
122
  * Issues a Backstage token using the provided parameters.
118
123
  */
119
- issueToken(params: TokenParams): Promise<{
120
- token: string;
121
- }>;
124
+ issueToken(params: TokenParams): Promise<BackstageSignInResult>;
122
125
  /**
123
126
  * Finds a single user in the catalog using the provided query.
124
127
  *
package/dist/types.cjs.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"types.cjs.js","sources":["../src/types.ts"],"sourcesContent":["/*\n * Copyright 2022 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { LoggerService } from '@backstage/backend-plugin-api';\nimport { EntityFilterQuery } from '@backstage/catalog-client';\nimport { Entity } from '@backstage/catalog-model';\nimport { Config } from '@backstage/config';\nimport { JsonValue } from '@backstage/types';\nimport { Request, Response } from 'express';\n\n/**\n * A representation of a successful Backstage sign-in.\n *\n * Compared to the {@link BackstageIdentityResponse} this type omits\n * the decoded identity information embedded in the token.\n *\n * @public\n */\nexport interface BackstageSignInResult {\n /**\n * The token used to authenticate the user within Backstage.\n */\n token: string;\n}\n\n/**\n * Response object containing the {@link BackstageUserIdentity} and the token\n * from the authentication provider.\n *\n * @public\n */\nexport interface BackstageIdentityResponse extends BackstageSignInResult {\n /**\n * The number of seconds until the token expires. If not set, it can be assumed that the token does not expire.\n */\n expiresInSeconds?: number;\n\n /**\n * A plaintext description of the identity that is encapsulated within the token.\n */\n identity: BackstageUserIdentity;\n}\n\n/**\n * User identity information within Backstage.\n *\n * @public\n */\nexport type BackstageUserIdentity = {\n /**\n * The type of identity that this structure represents. In the frontend app\n * this will currently always be 'user'.\n */\n type: 'user';\n\n /**\n * The entityRef of the user in the catalog.\n * For example User:default/sandra\n */\n userEntityRef: string;\n\n /**\n * The user and group entities that the user claims ownership through\n */\n ownershipEntityRefs: string[];\n};\n\n/**\n * A query for a single user in the catalog.\n *\n * If `entityRef` is used, the default kind is `'User'`.\n *\n * If `annotations` are used, all annotations must be present and\n * match the provided value exactly. Only entities of kind `'User'` will be considered.\n *\n * If `filter` are used, only entities of kind `'User'` will be considered unless it is explicitly specified differently in the filter.\n *\n * Regardless of the query method, the query must match exactly one entity\n * in the catalog, or an error will be thrown.\n *\n * @public\n */\nexport type AuthResolverCatalogUserQuery =\n | {\n entityRef:\n | string\n | {\n kind?: string;\n namespace?: string;\n name: string;\n };\n }\n | {\n annotations: Record<string, string>;\n }\n | {\n filter: EntityFilterQuery;\n };\n\n/**\n * Parameters used to issue new Backstage Tokens\n *\n * @public\n */\nexport type TokenParams = {\n /**\n * The claims that will be embedded within the token. At a minimum, this should include\n * the subject claim, `sub`. It is common to also list entity ownership relations in the\n * `ent` list. Additional claims may also be added at the developer's discretion except\n * for the following list, which will be overwritten by the TokenIssuer: `iss`, `aud`,\n * `iat`, and `exp`. The Backstage team also maintains the right add new claims in the future\n * without listing the change as a \"breaking change\".\n */\n claims: {\n /** The token subject, i.e. User ID */\n sub: string;\n /** A list of entity references that the user claims ownership through */\n ent?: string[];\n } & Record<string, JsonValue>;\n};\n\n/**\n * The context that is used for auth processing.\n *\n * @public\n */\nexport type AuthResolverContext = {\n /**\n * Issues a Backstage token using the provided parameters.\n */\n issueToken(params: TokenParams): Promise<{ token: string }>;\n\n /**\n * Finds a single user in the catalog using the provided query.\n *\n * See {@link AuthResolverCatalogUserQuery} for details.\n */\n findCatalogUser(\n query: AuthResolverCatalogUserQuery,\n ): Promise<{ entity: Entity }>;\n\n /**\n * Finds a single user in the catalog using the provided query, and then\n * issues an identity for that user using default ownership resolution.\n *\n * See {@link AuthResolverCatalogUserQuery} for details.\n */\n signInWithCatalogUser(\n query: AuthResolverCatalogUserQuery,\n ): Promise<BackstageSignInResult>;\n\n /**\n * Resolves the ownership entity references for the provided entity.\n * This will use the `AuthOwnershipResolver` if one is installed, and otherwise fall back to the default resolution logic.\n */\n resolveOwnershipEntityRefs(\n entity: Entity,\n ): Promise<{ ownershipEntityRefs: string[] }>;\n};\n\n/**\n * Resolver interface for resolving the ownership entity references for entity\n *\n * @public\n */\nexport interface AuthOwnershipResolver {\n resolveOwnershipEntityRefs(\n entity: Entity,\n ): Promise<{ ownershipEntityRefs: string[] }>;\n}\n\n/**\n * Any Auth provider needs to implement this interface which handles the routes in the\n * auth backend. Any auth API requests from the frontend reaches these methods.\n *\n * The routes in the auth backend API are tied to these methods like below\n *\n * `/auth/[provider]/start -> start`\n * `/auth/[provider]/handler/frame -> frameHandler`\n * `/auth/[provider]/refresh -> refresh`\n * `/auth/[provider]/logout -> logout`\n *\n * @public\n */\nexport interface AuthProviderRouteHandlers {\n /**\n * Handles the start route of the API. This initiates a sign in request with an auth provider.\n *\n * Request\n * - scopes for the auth request (Optional)\n * Response\n * - redirect to the auth provider for the user to sign in or consent.\n * - sets a nonce cookie and also pass the nonce as 'state' query parameter in the redirect request\n */\n start(req: Request, res: Response): Promise<void>;\n\n /**\n * Once the user signs in or consents in the OAuth screen, the auth provider redirects to the\n * callbackURL which is handled by this method.\n *\n * Request\n * - to contain a nonce cookie and a 'state' query parameter\n * Response\n * - postMessage to the window with a payload that contains accessToken, expiryInSeconds?, idToken? and scope.\n * - sets a refresh token cookie if the auth provider supports refresh tokens\n */\n frameHandler(req: Request, res: Response): Promise<void>;\n\n /**\n * (Optional) If the auth provider supports refresh tokens then this method handles\n * requests to get a new access token.\n *\n * Other types of providers may also use this method to implement its own logic to create new sessions\n * upon request. For example, this can be used to create a new session for a provider that handles requests\n * from an authenticating proxy.\n *\n * Request\n * - to contain a refresh token cookie and scope (Optional) query parameter.\n * Response\n * - payload with accessToken, expiryInSeconds?, idToken?, scope and user profile information.\n */\n refresh?(req: Request, res: Response): Promise<void>;\n\n /**\n * (Optional) Handles sign out requests\n *\n * Response\n * - removes the refresh token cookie\n */\n logout?(req: Request, res: Response): Promise<void>;\n}\n\n/**\n * @public\n * @deprecated Use top-level properties passed to `AuthProviderFactory` instead\n */\nexport type AuthProviderConfig = {\n /**\n * The protocol://domain[:port] where the app is hosted. This is used to construct the\n * callbackURL to redirect to once the user signs in to the auth provider.\n */\n baseUrl: string;\n\n /**\n * The base URL of the app as provided by app.baseUrl\n */\n appUrl: string;\n\n /**\n * A function that is called to check whether an origin is allowed to receive the authentication result.\n */\n isOriginAllowed: (origin: string) => boolean;\n\n /**\n * The function used to resolve cookie configuration based on the auth provider options.\n */\n cookieConfigurer?: CookieConfigurer;\n};\n\n/** @public */\nexport type AuthProviderFactory = (options: {\n providerId: string;\n /** @deprecated Use top-level properties instead */\n globalConfig: AuthProviderConfig;\n config: Config;\n logger: LoggerService;\n resolverContext: AuthResolverContext;\n /**\n * The protocol://domain[:port] where the app is hosted. This is used to construct the\n * callbackURL to redirect to once the user signs in to the auth provider.\n */\n baseUrl: string;\n\n /**\n * The base URL of the app as provided by app.baseUrl\n */\n appUrl: string;\n\n /**\n * A function that is called to check whether an origin is allowed to receive the authentication result.\n */\n isOriginAllowed: (origin: string) => boolean;\n\n /**\n * The function used to resolve cookie configuration based on the auth provider options.\n */\n cookieConfigurer?: CookieConfigurer;\n}) => AuthProviderRouteHandlers;\n\n/** @public */\nexport type ClientAuthResponse<TProviderInfo> = {\n providerInfo: TProviderInfo;\n profile: ProfileInfo;\n backstageIdentity?: BackstageIdentityResponse;\n};\n\n/**\n * Type of sign in information context. Includes the profile information and\n * authentication result which contains auth related information.\n *\n * @public\n */\nexport type SignInInfo<TAuthResult> = {\n /**\n * The simple profile passed down for use in the frontend.\n */\n profile: ProfileInfo;\n\n /**\n * The authentication result that was received from the authentication\n * provider.\n */\n result: TAuthResult;\n};\n\n/**\n * Describes the function which handles the result of a successful\n * authentication. Must return a valid {@link @backstage/plugin-auth-node#BackstageSignInResult}.\n *\n * @public\n */\nexport type SignInResolver<TAuthResult> = (\n info: SignInInfo<TAuthResult>,\n context: AuthResolverContext,\n) => Promise<BackstageSignInResult>;\n\n/**\n * Describes the function that transforms the result of a successful\n * authentication into a {@link ProfileInfo} object.\n *\n * This function may optionally throw an error in order to reject authentication.\n *\n * @public\n */\nexport type ProfileTransform<TResult> = (\n result: TResult,\n context: AuthResolverContext,\n) => Promise<{ profile: ProfileInfo }>;\n\n/**\n * Used to display login information to user, i.e. sidebar popup.\n *\n * It is also temporarily used as the profile of the signed-in user's Backstage\n * identity, but we want to replace that with data from identity and/org catalog\n * service\n *\n * @public\n */\nexport type ProfileInfo = {\n /**\n * Email ID of the signed in user.\n */\n email?: string;\n /**\n * Display name that can be presented to the signed in user.\n */\n displayName?: string;\n /**\n * URL to an image that can be used as the display image or avatar of the\n * signed in user.\n */\n picture?: string;\n};\n\n/**\n * The callback used to resolve the cookie configuration for auth providers that use cookies.\n * @public\n */\nexport type CookieConfigurer = (ctx: {\n /** ID of the auth provider that this configuration applies to */\n providerId: string;\n /** The externally reachable base URL of the auth-backend plugin */\n baseUrl: string;\n /** The configured callback URL of the auth provider */\n callbackUrl: string;\n /** The origin URL of the app */\n appOrigin: string;\n}) => {\n domain: string;\n path: string;\n secure: boolean;\n sameSite?: 'none' | 'lax' | 'strict';\n};\n\n/**\n * Core properties of various token types.\n *\n * @public\n */\nexport const tokenTypes = Object.freeze({\n user: Object.freeze({\n typParam: 'vnd.backstage.user',\n audClaim: 'backstage',\n }),\n limitedUser: Object.freeze({\n typParam: 'vnd.backstage.limited-user',\n }),\n plugin: Object.freeze({\n typParam: 'vnd.backstage.plugin',\n }),\n});\n"],"names":[],"mappings":";;AAkZa,MAAA,UAAA,GAAa,OAAO,MAAO,CAAA;AAAA,EACtC,IAAA,EAAM,OAAO,MAAO,CAAA;AAAA,IAClB,QAAU,EAAA,oBAAA;AAAA,IACV,QAAU,EAAA;AAAA,GACX,CAAA;AAAA,EACD,WAAA,EAAa,OAAO,MAAO,CAAA;AAAA,IACzB,QAAU,EAAA;AAAA,GACX,CAAA;AAAA,EACD,MAAA,EAAQ,OAAO,MAAO,CAAA;AAAA,IACpB,QAAU,EAAA;AAAA,GACX;AACH,CAAC;;;;"}
1
+ {"version":3,"file":"types.cjs.js","sources":["../src/types.ts"],"sourcesContent":["/*\n * Copyright 2022 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { LoggerService } from '@backstage/backend-plugin-api';\nimport { EntityFilterQuery } from '@backstage/catalog-client';\nimport { Entity } from '@backstage/catalog-model';\nimport { Config } from '@backstage/config';\nimport { JsonValue } from '@backstage/types';\nimport { Request, Response } from 'express';\n\n/**\n * A representation of a successful Backstage sign-in.\n *\n * Compared to the {@link BackstageIdentityResponse} this type omits\n * the decoded identity information embedded in the token.\n *\n * @public\n */\nexport interface BackstageSignInResult {\n /**\n * The token used to authenticate the user within Backstage.\n */\n token: string;\n\n /**\n * Identity information to pass to the client rather than using the\n * information that's embeeded in the token.\n */\n identity?: BackstageUserIdentity;\n}\n\n/**\n * Response object containing the {@link BackstageUserIdentity} and the token\n * from the authentication provider.\n *\n * @public\n */\nexport interface BackstageIdentityResponse extends BackstageSignInResult {\n /**\n * The number of seconds until the token expires. If not set, it can be assumed that the token does not expire.\n */\n expiresInSeconds?: number;\n\n /**\n * A plaintext description of the identity that is encapsulated within the token.\n */\n identity: BackstageUserIdentity;\n}\n\n/**\n * User identity information within Backstage.\n *\n * @public\n */\nexport type BackstageUserIdentity = {\n /**\n * The type of identity that this structure represents. In the frontend app\n * this will currently always be 'user'.\n */\n type: 'user';\n\n /**\n * The entityRef of the user in the catalog.\n * For example User:default/sandra\n */\n userEntityRef: string;\n\n /**\n * The user and group entities that the user claims ownership through\n */\n ownershipEntityRefs: string[];\n};\n\n/**\n * A query for a single user in the catalog.\n *\n * If `entityRef` is used, the default kind is `'User'`.\n *\n * If `annotations` are used, all annotations must be present and\n * match the provided value exactly. Only entities of kind `'User'` will be considered.\n *\n * If `filter` are used, only entities of kind `'User'` will be considered unless it is explicitly specified differently in the filter.\n *\n * Regardless of the query method, the query must match exactly one entity\n * in the catalog, or an error will be thrown.\n *\n * @public\n */\nexport type AuthResolverCatalogUserQuery =\n | {\n entityRef:\n | string\n | {\n kind?: string;\n namespace?: string;\n name: string;\n };\n }\n | {\n annotations: Record<string, string>;\n }\n | {\n filter: EntityFilterQuery;\n };\n\n/**\n * Parameters used to issue new Backstage Tokens\n *\n * @public\n */\nexport type TokenParams = {\n /**\n * The claims that will be embedded within the token. At a minimum, this should include\n * the subject claim, `sub`. It is common to also list entity ownership relations in the\n * `ent` list. Additional claims may also be added at the developer's discretion except\n * for the following list, which will be overwritten by the TokenIssuer: `iss`, `aud`,\n * `iat`, and `exp`. The Backstage team also maintains the right add new claims in the future\n * without listing the change as a \"breaking change\".\n */\n claims: {\n /** The token subject, i.e. User ID */\n sub: string;\n /** A list of entity references that the user claims ownership through */\n ent?: string[];\n } & Record<string, JsonValue>;\n};\n\n/**\n * The context that is used for auth processing.\n *\n * @public\n */\nexport type AuthResolverContext = {\n /**\n * Issues a Backstage token using the provided parameters.\n */\n issueToken(params: TokenParams): Promise<BackstageSignInResult>;\n\n /**\n * Finds a single user in the catalog using the provided query.\n *\n * See {@link AuthResolverCatalogUserQuery} for details.\n */\n findCatalogUser(\n query: AuthResolverCatalogUserQuery,\n ): Promise<{ entity: Entity }>;\n\n /**\n * Finds a single user in the catalog using the provided query, and then\n * issues an identity for that user using default ownership resolution.\n *\n * See {@link AuthResolverCatalogUserQuery} for details.\n */\n signInWithCatalogUser(\n query: AuthResolverCatalogUserQuery,\n ): Promise<BackstageSignInResult>;\n\n /**\n * Resolves the ownership entity references for the provided entity.\n * This will use the `AuthOwnershipResolver` if one is installed, and otherwise fall back to the default resolution logic.\n */\n resolveOwnershipEntityRefs(\n entity: Entity,\n ): Promise<{ ownershipEntityRefs: string[] }>;\n};\n\n/**\n * Resolver interface for resolving the ownership entity references for entity\n *\n * @public\n */\nexport interface AuthOwnershipResolver {\n resolveOwnershipEntityRefs(\n entity: Entity,\n ): Promise<{ ownershipEntityRefs: string[] }>;\n}\n\n/**\n * Any Auth provider needs to implement this interface which handles the routes in the\n * auth backend. Any auth API requests from the frontend reaches these methods.\n *\n * The routes in the auth backend API are tied to these methods like below\n *\n * `/auth/[provider]/start -> start`\n * `/auth/[provider]/handler/frame -> frameHandler`\n * `/auth/[provider]/refresh -> refresh`\n * `/auth/[provider]/logout -> logout`\n *\n * @public\n */\nexport interface AuthProviderRouteHandlers {\n /**\n * Handles the start route of the API. This initiates a sign in request with an auth provider.\n *\n * Request\n * - scopes for the auth request (Optional)\n * Response\n * - redirect to the auth provider for the user to sign in or consent.\n * - sets a nonce cookie and also pass the nonce as 'state' query parameter in the redirect request\n */\n start(req: Request, res: Response): Promise<void>;\n\n /**\n * Once the user signs in or consents in the OAuth screen, the auth provider redirects to the\n * callbackURL which is handled by this method.\n *\n * Request\n * - to contain a nonce cookie and a 'state' query parameter\n * Response\n * - postMessage to the window with a payload that contains accessToken, expiryInSeconds?, idToken? and scope.\n * - sets a refresh token cookie if the auth provider supports refresh tokens\n */\n frameHandler(req: Request, res: Response): Promise<void>;\n\n /**\n * (Optional) If the auth provider supports refresh tokens then this method handles\n * requests to get a new access token.\n *\n * Other types of providers may also use this method to implement its own logic to create new sessions\n * upon request. For example, this can be used to create a new session for a provider that handles requests\n * from an authenticating proxy.\n *\n * Request\n * - to contain a refresh token cookie and scope (Optional) query parameter.\n * Response\n * - payload with accessToken, expiryInSeconds?, idToken?, scope and user profile information.\n */\n refresh?(req: Request, res: Response): Promise<void>;\n\n /**\n * (Optional) Handles sign out requests\n *\n * Response\n * - removes the refresh token cookie\n */\n logout?(req: Request, res: Response): Promise<void>;\n}\n\n/**\n * @public\n * @deprecated Use top-level properties passed to `AuthProviderFactory` instead\n */\nexport type AuthProviderConfig = {\n /**\n * The protocol://domain[:port] where the app is hosted. This is used to construct the\n * callbackURL to redirect to once the user signs in to the auth provider.\n */\n baseUrl: string;\n\n /**\n * The base URL of the app as provided by app.baseUrl\n */\n appUrl: string;\n\n /**\n * A function that is called to check whether an origin is allowed to receive the authentication result.\n */\n isOriginAllowed: (origin: string) => boolean;\n\n /**\n * The function used to resolve cookie configuration based on the auth provider options.\n */\n cookieConfigurer?: CookieConfigurer;\n};\n\n/** @public */\nexport type AuthProviderFactory = (options: {\n providerId: string;\n /** @deprecated Use top-level properties instead */\n globalConfig: AuthProviderConfig;\n config: Config;\n logger: LoggerService;\n resolverContext: AuthResolverContext;\n /**\n * The protocol://domain[:port] where the app is hosted. This is used to construct the\n * callbackURL to redirect to once the user signs in to the auth provider.\n */\n baseUrl: string;\n\n /**\n * The base URL of the app as provided by app.baseUrl\n */\n appUrl: string;\n\n /**\n * A function that is called to check whether an origin is allowed to receive the authentication result.\n */\n isOriginAllowed: (origin: string) => boolean;\n\n /**\n * The function used to resolve cookie configuration based on the auth provider options.\n */\n cookieConfigurer?: CookieConfigurer;\n}) => AuthProviderRouteHandlers;\n\n/** @public */\nexport type ClientAuthResponse<TProviderInfo> = {\n providerInfo: TProviderInfo;\n profile: ProfileInfo;\n backstageIdentity?: BackstageIdentityResponse;\n};\n\n/**\n * Type of sign in information context. Includes the profile information and\n * authentication result which contains auth related information.\n *\n * @public\n */\nexport type SignInInfo<TAuthResult> = {\n /**\n * The simple profile passed down for use in the frontend.\n */\n profile: ProfileInfo;\n\n /**\n * The authentication result that was received from the authentication\n * provider.\n */\n result: TAuthResult;\n};\n\n/**\n * Describes the function which handles the result of a successful\n * authentication. Must return a valid {@link @backstage/plugin-auth-node#BackstageSignInResult}.\n *\n * @public\n */\nexport type SignInResolver<TAuthResult> = (\n info: SignInInfo<TAuthResult>,\n context: AuthResolverContext,\n) => Promise<BackstageSignInResult>;\n\n/**\n * Describes the function that transforms the result of a successful\n * authentication into a {@link ProfileInfo} object.\n *\n * This function may optionally throw an error in order to reject authentication.\n *\n * @public\n */\nexport type ProfileTransform<TResult> = (\n result: TResult,\n context: AuthResolverContext,\n) => Promise<{ profile: ProfileInfo }>;\n\n/**\n * Used to display login information to user, i.e. sidebar popup.\n *\n * It is also temporarily used as the profile of the signed-in user's Backstage\n * identity, but we want to replace that with data from identity and/org catalog\n * service\n *\n * @public\n */\nexport type ProfileInfo = {\n /**\n * Email ID of the signed in user.\n */\n email?: string;\n /**\n * Display name that can be presented to the signed in user.\n */\n displayName?: string;\n /**\n * URL to an image that can be used as the display image or avatar of the\n * signed in user.\n */\n picture?: string;\n};\n\n/**\n * The callback used to resolve the cookie configuration for auth providers that use cookies.\n * @public\n */\nexport type CookieConfigurer = (ctx: {\n /** ID of the auth provider that this configuration applies to */\n providerId: string;\n /** The externally reachable base URL of the auth-backend plugin */\n baseUrl: string;\n /** The configured callback URL of the auth provider */\n callbackUrl: string;\n /** The origin URL of the app */\n appOrigin: string;\n}) => {\n domain: string;\n path: string;\n secure: boolean;\n sameSite?: 'none' | 'lax' | 'strict';\n};\n\n/**\n * Core properties of various token types.\n *\n * @public\n */\nexport const tokenTypes = Object.freeze({\n user: Object.freeze({\n typParam: 'vnd.backstage.user',\n audClaim: 'backstage',\n }),\n limitedUser: Object.freeze({\n typParam: 'vnd.backstage.limited-user',\n }),\n plugin: Object.freeze({\n typParam: 'vnd.backstage.plugin',\n }),\n});\n"],"names":[],"mappings":";;AAwZa,MAAA,UAAA,GAAa,OAAO,MAAO,CAAA;AAAA,EACtC,IAAA,EAAM,OAAO,MAAO,CAAA;AAAA,IAClB,QAAU,EAAA,oBAAA;AAAA,IACV,QAAU,EAAA;AAAA,GACX,CAAA;AAAA,EACD,WAAA,EAAa,OAAO,MAAO,CAAA;AAAA,IACzB,QAAU,EAAA;AAAA,GACX,CAAA;AAAA,EACD,MAAA,EAAQ,OAAO,MAAO,CAAA;AAAA,IACpB,QAAU,EAAA;AAAA,GACX;AACH,CAAC;;;;"}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@backstage/plugin-auth-node",
3
- "version": "0.6.3-next.0",
3
+ "version": "0.6.3-next.1",
4
4
  "backstage": {
5
5
  "role": "node-library",
6
6
  "pluginId": "auth",
@@ -37,7 +37,7 @@
37
37
  "test": "backstage-cli package test"
38
38
  },
39
39
  "dependencies": {
40
- "@backstage/backend-plugin-api": "1.3.1-next.0",
40
+ "@backstage/backend-plugin-api": "1.3.1-next.1",
41
41
  "@backstage/catalog-client": "1.10.0-next.0",
42
42
  "@backstage/catalog-model": "1.7.3",
43
43
  "@backstage/config": "1.3.2",
@@ -54,9 +54,9 @@
54
54
  "zod-validation-error": "^3.4.0"
55
55
  },
56
56
  "devDependencies": {
57
- "@backstage/backend-defaults": "0.9.1-next.0",
58
- "@backstage/backend-test-utils": "1.5.0-next.0",
59
- "@backstage/cli": "0.32.1-next.0",
57
+ "@backstage/backend-defaults": "0.10.0-next.1",
58
+ "@backstage/backend-test-utils": "1.5.0-next.1",
59
+ "@backstage/cli": "0.32.1-next.1",
60
60
  "cookie-parser": "^1.4.6",
61
61
  "express-promise-router": "^4.1.1",
62
62
  "lodash": "^4.17.21",