@backstage/plugin-events-backend-module-github 0.3.0 → 0.4.0-next.1

package/CHANGELOG.md

@@ -1,5 +1,32 @@
 # @backstage/plugin-events-backend-module-github
 
+## 0.4.0-next.1
+
+### Minor Changes
+
+- ae249fc: **BREAKING**: Removed the `createGithubSignatureValidator` export.
+
+  Added support webhook validation based on `integrations.github.[].apps.[].webhookSecret`.
+
+### Patch Changes
+
+- c7ef81c: Correct README installation instructions.
+- Updated dependencies
+  - @backstage/backend-plugin-api@1.3.1-next.1
+  - @backstage/integration@1.16.4-next.1
+  - @backstage/config@1.3.2
+  - @backstage/types@1.2.1
+  - @backstage/plugin-events-node@0.4.11-next.1
+
+## 0.3.1-next.0
+
+### Patch Changes
+
+- Updated dependencies
+  - @backstage/backend-plugin-api@1.3.1-next.0
+  - @backstage/plugin-events-node@0.4.11-next.0
+  - @backstage/config@1.3.2
+
 ## 0.3.0
 
 ### Minor Changes

package/README.md

@@ -27,16 +27,14 @@ Please find all possible webhook event types at the
 yarn --cwd packages/backend add @backstage/plugin-events-backend-module-github
 ```
 
-### Event Router
-
 ```ts
 // packages/backend/src/index.ts
-import { eventsModuleGithubEventRouter } from '@backstage/plugin-events-backend-module-github/alpha';
-// ...
-backend.add(eventsModuleGithubEventRouter);
+backend.add(import('@backstage/plugin-events-backend-module-github'));
 ```
 
-#### Legacy Backend System
+### Legacy Backend System
+
+#### Event Router
 
 ```ts
 // packages/backend/src/plugins/events.ts
@@ -44,16 +42,7 @@ const eventRouter = new GithubEventRouter({ events: env.events });
 await eventRouter.subscribe();
 ```
 
-### Signature Validator
-
-```ts
-// packages/backend/src/index.ts
-import { eventsModuleGithubWebhook } from '@backstage/plugin-events-backend-module-github/alpha';
-// ...
-backend.add(eventsModuleGithubWebhook);
-```
-
-#### Legacy Backend System
+#### Signature Validator
 
 Add the signature validator for the topic `github`:
 

package/dist/http/createGithubSignatureValidator.cjs.js

@@ -1,26 +1,48 @@
 'use strict';
 
+var integration = require('@backstage/integration');
 var webhooksMethods = require('@octokit/webhooks-methods');
+var createAppIdResolver = require('../util/createAppIdResolver.cjs.js');
 
-function createGithubSignatureValidator(config) {
-  const secret = config.getOptionalString(
+function createGithubSignatureValidator(config, octokitProvider) {
+  const integrations = integration.ScmIntegrations.fromConfig(config);
+  const githubAppSecrets = /* @__PURE__ */ new Map();
+  for (const integration of integrations.github.list()) {
+    for (const { appId, webhookSecret } of integration.config.apps ?? []) {
+      if (appId && webhookSecret) {
+        githubAppSecrets.set(appId, webhookSecret);
+      }
+    }
+  }
+  const genericSecret = config.getOptionalString(
     "events.modules.github.webhookSecret"
   );
-  if (!secret) {
+  if (!genericSecret && githubAppSecrets.size === 0) {
     return void 0;
   }
+  const appIdResolver = createAppIdResolver.createAppIdResolver(octokitProvider);
   return async (request, context) => {
     const signature = request.headers["x-hub-signature-256"];
-    if (!signature || !await webhooksMethods.verify(
-      secret,
-      request.raw.body.toString(request.raw.encoding),
-      signature
-    )) {
-      context.reject({
-        status: 403,
-        payload: { message: "invalid signature" }
-      });
+    if (signature) {
+      const body = request.raw.body.toString(request.raw.encoding);
+      if (githubAppSecrets.size) {
+        const appId = await appIdResolver(request);
+        if (appId && githubAppSecrets.has(appId)) {
+          if (await webhooksMethods.verify(githubAppSecrets.get(appId), body, signature)) {
+            return;
+          }
+        }
+      }
+      if (genericSecret) {
+        if (await webhooksMethods.verify(genericSecret, body, signature)) {
+          return;
+        }
+      }
     }
+    context.reject({
+      status: 403,
+      payload: { message: "invalid signature" }
+    });
   };
 }
 

package/dist/http/createGithubSignatureValidator.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"createGithubSignatureValidator.cjs.js","sources":["../../src/http/createGithubSignatureValidator.ts"],"sourcesContent":["/*\n * Copyright 2022 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { Config } from '@backstage/config';\nimport {\n  RequestDetails,\n  RequestValidationContext,\n  RequestValidator,\n} from '@backstage/plugin-events-node';\nimport { verify } from '@octokit/webhooks-methods';\n\n/**\n * Validates that the request received is the expected GitHub request\n * using the signature received with the `x-hub-signature-256` header\n * which is based on a secret token configured at GitHub and here.\n *\n * See https://docs.github.com/en/developers/webhooks-and-events/webhooks/securing-your-webhooks\n * for more details.\n *\n * @param config - root config\n * @public\n */\nexport function createGithubSignatureValidator(\n  config: Config,\n): RequestValidator | undefined {\n  const secret = config.getOptionalString(\n    'events.modules.github.webhookSecret',\n  );\n  if (!secret) {\n    return undefined;\n  }\n\n  return async (\n    request: RequestDetails,\n    context: RequestValidationContext,\n  ): Promise<void> => {\n    const signature = request.headers['x-hub-signature-256'] as\n      | string\n      | undefined;\n\n    if (\n      !signature ||\n      !(await verify(\n        secret,\n        request.raw.body.toString(request.raw.encoding),\n        signature,\n      ))\n    ) {\n      context.reject({\n        status: 403,\n        payload: { message: 'invalid signature' },\n      });\n    }\n  };\n}\n"],"names":["verify"],"mappings":";;;;AAmCO,SAAS,+BACd,MAC8B,EAAA;AAC9B,EAAA,MAAM,SAAS,MAAO,CAAA,iBAAA;AAAA,IACpB;AAAA,GACF;AACA,EAAA,IAAI,CAAC,MAAQ,EAAA;AACX,IAAO,OAAA,KAAA,CAAA;AAAA;AAGT,EAAO,OAAA,OACL,SACA,OACkB,KAAA;AAClB,IAAM,MAAA,SAAA,GAAY,OAAQ,CAAA,OAAA,CAAQ,qBAAqB,CAAA;AAIvD,IACE,IAAA,CAAC,SACD,IAAA,CAAE,MAAMA,sBAAA;AAAA,MACN,MAAA;AAAA,MACA,QAAQ,GAAI,CAAA,IAAA,CAAK,QAAS,CAAA,OAAA,CAAQ,IAAI,QAAQ,CAAA;AAAA,MAC9C;AAAA,KAEF,EAAA;AACA,MAAA,OAAA,CAAQ,MAAO,CAAA;AAAA,QACb,MAAQ,EAAA,GAAA;AAAA,QACR,OAAA,EAAS,EAAE,OAAA,EAAS,mBAAoB;AAAA,OACzC,CAAA;AAAA;AACH,GACF;AACF;;;;"}
+{"version":3,"file":"createGithubSignatureValidator.cjs.js","sources":["../../src/http/createGithubSignatureValidator.ts"],"sourcesContent":["/*\n * Copyright 2022 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { Config } from '@backstage/config';\nimport { ScmIntegrations } from '@backstage/integration';\nimport {\n  RequestDetails,\n  RequestValidationContext,\n  RequestValidator,\n} from '@backstage/plugin-events-node';\nimport { verify } from '@octokit/webhooks-methods';\nimport { createAppIdResolver } from '../util/createAppIdResolver';\nimport { OctokitProviderService } from '../util/octokitProviderService';\n\n/**\n * Validates that the request received is the expected GitHub request\n * using the signature received with the `x-hub-signature-256` header\n * which is based on a secret token configured at GitHub and here.\n *\n * See https://docs.github.com/en/developers/webhooks-and-events/webhooks/securing-your-webhooks\n * for more details.\n *\n * @param config - root config\n * @public\n */\nexport function createGithubSignatureValidator(\n  config: Config,\n  octokitProvider: OctokitProviderService,\n): RequestValidator | undefined {\n  const integrations = ScmIntegrations.fromConfig(config);\n\n  // GitHub App installation ID to secret\n  const githubAppSecrets = new Map<number, string>();\n  for (const integration of integrations.github.list()) {\n    for (const { appId, webhookSecret } of integration.config.apps ?? []) {\n      if (appId && webhookSecret) {\n        githubAppSecrets.set(appId, webhookSecret);\n      }\n    }\n  }\n\n  // A single optional secret for all GitHub events\n  const genericSecret = config.getOptionalString(\n    'events.modules.github.webhookSecret',\n  );\n\n  if (!genericSecret && githubAppSecrets.size === 0) {\n    return undefined;\n  }\n\n  const appIdResolver = createAppIdResolver(octokitProvider);\n\n  return async (\n    request: RequestDetails,\n    context: RequestValidationContext,\n  ): Promise<void> => {\n    const signature = request.headers['x-hub-signature-256'] as\n      | string\n      | undefined;\n\n    if (signature) {\n      const body = request.raw.body.toString(request.raw.encoding);\n\n      if (githubAppSecrets.size) {\n        const appId = await appIdResolver(request);\n        if (appId && githubAppSecrets.has(appId)) {\n          if (await verify(githubAppSecrets.get(appId)!, body, signature)) {\n            return;\n          }\n        }\n      }\n\n      if (genericSecret) {\n        if (await verify(genericSecret, body, signature)) {\n          return;\n        }\n      }\n    }\n\n    context.reject({\n      status: 403,\n      payload: { message: 'invalid signature' },\n    });\n  };\n}\n"],"names":["ScmIntegrations","createAppIdResolver","verify"],"mappings":";;;;;;AAsCgB,SAAA,8BAAA,CACd,QACA,eAC8B,EAAA;AAC9B,EAAM,MAAA,YAAA,GAAeA,2BAAgB,CAAA,UAAA,CAAW,MAAM,CAAA;AAGtD,EAAM,MAAA,gBAAA,uBAAuB,GAAoB,EAAA;AACjD,EAAA,KAAA,MAAW,WAAe,IAAA,YAAA,CAAa,MAAO,CAAA,IAAA,EAAQ,EAAA;AACpD,IAAW,KAAA,MAAA,EAAE,OAAO,aAAc,EAAA,IAAK,YAAY,MAAO,CAAA,IAAA,IAAQ,EAAI,EAAA;AACpE,MAAA,IAAI,SAAS,aAAe,EAAA;AAC1B,QAAiB,gBAAA,CAAA,GAAA,CAAI,OAAO,aAAa,CAAA;AAAA;AAC3C;AACF;AAIF,EAAA,MAAM,gBAAgB,MAAO,CAAA,iBAAA;AAAA,IAC3B;AAAA,GACF;AAEA,EAAA,IAAI,CAAC,aAAA,IAAiB,gBAAiB,CAAA,IAAA,KAAS,CAAG,EAAA;AACjD,IAAO,OAAA,KAAA,CAAA;AAAA;AAGT,EAAM,MAAA,aAAA,GAAgBC,wCAAoB,eAAe,CAAA;AAEzD,EAAO,OAAA,OACL,SACA,OACkB,KAAA;AAClB,IAAM,MAAA,SAAA,GAAY,OAAQ,CAAA,OAAA,CAAQ,qBAAqB,CAAA;AAIvD,IAAA,IAAI,SAAW,EAAA;AACb,MAAA,MAAM,OAAO,OAAQ,CAAA,GAAA,CAAI,KAAK,QAAS,CAAA,OAAA,CAAQ,IAAI,QAAQ,CAAA;AAE3D,MAAA,IAAI,iBAAiB,IAAM,EAAA;AACzB,QAAM,MAAA,KAAA,GAAQ,MAAM,aAAA,CAAc,OAAO,CAAA;AACzC,QAAA,IAAI,KAAS,IAAA,gBAAA,CAAiB,GAAI,CAAA,KAAK,CAAG,EAAA;AACxC,UAAI,IAAA,MAAMC,uBAAO,gBAAiB,CAAA,GAAA,CAAI,KAAK,CAAI,EAAA,IAAA,EAAM,SAAS,CAAG,EAAA;AAC/D,YAAA;AAAA;AACF;AACF;AAGF,MAAA,IAAI,aAAe,EAAA;AACjB,QAAA,IAAI,MAAMA,sBAAA,CAAO,aAAe,EAAA,IAAA,EAAM,SAAS,CAAG,EAAA;AAChD,UAAA;AAAA;AACF;AACF;AAGF,IAAA,OAAA,CAAQ,MAAO,CAAA;AAAA,MACb,MAAQ,EAAA,GAAA;AAAA,MACR,OAAA,EAAS,EAAE,OAAA,EAAS,mBAAoB;AAAA,KACzC,CAAA;AAAA,GACH;AACF;;;;"}

package/dist/index.cjs.js

@@ -3,7 +3,6 @@
 Object.defineProperty(exports, '__esModule', { value: true });
 
 var backendPluginApi = require('@backstage/backend-plugin-api');
-var createGithubSignatureValidator = require('./http/createGithubSignatureValidator.cjs.js');
 var GithubEventRouter = require('./router/GithubEventRouter.cjs.js');
 
 var index = backendPluginApi.createBackendFeatureLoader({
@@ -15,7 +14,6 @@ var index = backendPluginApi.createBackendFeatureLoader({
   }
 });
 
-exports.createGithubSignatureValidator = createGithubSignatureValidator.createGithubSignatureValidator;
 exports.GithubEventRouter = GithubEventRouter.GithubEventRouter;
 exports.default = index;
 //# sourceMappingURL=index.cjs.js.map

package/dist/index.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.cjs.js","sources":["../src/index.ts"],"sourcesContent":["/*\n * Copyright 2020 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\n/**\n * The module `github` for the Backstage backend plugin \"events-backend\"\n * adding an event router and signature validator for GitHub.\n *\n * @packageDocumentation\n */\nimport { createBackendFeatureLoader } from '@backstage/backend-plugin-api';\n\nexport default createBackendFeatureLoader({\n  loader() {\n    return [\n      import('./service/eventsModuleGithubEventRouter'),\n      import('./service/eventsModuleGithubWebhook'),\n    ];\n  },\n});\n\nexport { createGithubSignatureValidator } from './http/createGithubSignatureValidator';\nexport { GithubEventRouter } from './router/GithubEventRouter';\n"],"names":["createBackendFeatureLoader"],"mappings":";;;;;;;;AAwBA,YAAeA,2CAA2B,CAAA;AAAA,EACxC,MAAS,GAAA;AACP,IAAO,OAAA;AAAA,MACL,OAAO,gDAAyC,CAAA;AAAA,MAChD,OAAO,4CAAqC;AAAA,KAC9C;AAAA;AAEJ,CAAC,CAAA;;;;;;"}
+{"version":3,"file":"index.cjs.js","sources":["../src/index.ts"],"sourcesContent":["/*\n * Copyright 2020 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\n/**\n * The module `github` for the Backstage backend plugin \"events-backend\"\n * adding an event router and signature validator for GitHub.\n *\n * @packageDocumentation\n */\n\nimport { createBackendFeatureLoader } from '@backstage/backend-plugin-api';\n\nexport default createBackendFeatureLoader({\n  loader() {\n    return [\n      import('./service/eventsModuleGithubEventRouter'),\n      import('./service/eventsModuleGithubWebhook'),\n    ];\n  },\n});\n\n// TODO(freben): This is not exported at the moment since it depends on the octokit provider.\n// Until we have made that a core thing in integrations, we can't export it\n// export { createGithubSignatureValidator } from './http/createGithubSignatureValidator';\n\nexport { GithubEventRouter } from './router/GithubEventRouter';\n"],"names":["createBackendFeatureLoader"],"mappings":";;;;;;;AAyBA,YAAeA,2CAA2B,CAAA;AAAA,EACxC,MAAS,GAAA;AACP,IAAO,OAAA;AAAA,MACL,OAAO,gDAAyC,CAAA;AAAA,MAChD,OAAO,4CAAqC;AAAA,KAC9C;AAAA;AAEJ,CAAC,CAAA;;;;;"}

package/dist/index.d.ts

@@ -1,19 +1,5 @@
 import * as _backstage_backend_plugin_api from '@backstage/backend-plugin-api';
-import { Config } from '@backstage/config';
-import { RequestValidator, SubTopicEventRouter, EventsService, EventParams } from '@backstage/plugin-events-node';
-
-/**
- * Validates that the request received is the expected GitHub request
- * using the signature received with the `x-hub-signature-256` header
- * which is based on a secret token configured at GitHub and here.
- *
- * See https://docs.github.com/en/developers/webhooks-and-events/webhooks/securing-your-webhooks
- * for more details.
- *
- * @param config - root config
- * @public
- */
-declare function createGithubSignatureValidator(config: Config): RequestValidator | undefined;
+import { SubTopicEventRouter, EventsService, EventParams } from '@backstage/plugin-events-node';
 
 /**
  * Subscribes to the generic `github` topic
@@ -32,4 +18,4 @@ declare class GithubEventRouter extends SubTopicEventRouter {
 
 declare const _default: _backstage_backend_plugin_api.BackendFeature;
 
-export { GithubEventRouter, createGithubSignatureValidator, _default as default };
+export { GithubEventRouter, _default as default };

package/dist/service/eventsModuleGithubWebhook.cjs.js

@@ -5,6 +5,7 @@ Object.defineProperty(exports, '__esModule', { value: true });
 var backendPluginApi = require('@backstage/backend-plugin-api');
 var alpha = require('@backstage/plugin-events-node/alpha');
 var createGithubSignatureValidator = require('../http/createGithubSignatureValidator.cjs.js');
+var octokitProviderService = require('../util/octokitProviderService.cjs.js');
 
 var eventsModuleGithubWebhook = backendPluginApi.createBackendModule({
   pluginId: "events",
@@ -13,10 +14,14 @@ var eventsModuleGithubWebhook = backendPluginApi.createBackendModule({
     env.registerInit({
       deps: {
         config: backendPluginApi.coreServices.rootConfig,
-        events: alpha.eventsExtensionPoint
+        events: alpha.eventsExtensionPoint,
+        octokitProvider: octokitProviderService.octokitProviderServiceRef
       },
-      async init({ config, events }) {
-        const validator = createGithubSignatureValidator.createGithubSignatureValidator(config);
+      async init({ config, events, octokitProvider }) {
+        const validator = createGithubSignatureValidator.createGithubSignatureValidator(
+          config,
+          octokitProvider
+        );
         if (validator) {
           events.addHttpPostIngress({
             topic: "github",

package/dist/service/eventsModuleGithubWebhook.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"eventsModuleGithubWebhook.cjs.js","sources":["../../src/service/eventsModuleGithubWebhook.ts"],"sourcesContent":["/*\n * Copyright 2022 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  coreServices,\n  createBackendModule,\n} from '@backstage/backend-plugin-api';\nimport { eventsExtensionPoint } from '@backstage/plugin-events-node/alpha';\nimport { createGithubSignatureValidator } from '../http/createGithubSignatureValidator';\n\n/**\n * Module for the events-backend plugin,\n * registering an HTTP POST ingress with request validator\n * which verifies the webhook signature based on a secret.\n *\n * @public\n */\nexport default createBackendModule({\n  pluginId: 'events',\n  moduleId: 'github-webhook',\n  register(env) {\n    env.registerInit({\n      deps: {\n        config: coreServices.rootConfig,\n        events: eventsExtensionPoint,\n      },\n      async init({ config, events }) {\n        const validator = createGithubSignatureValidator(config);\n        if (validator) {\n          events.addHttpPostIngress({\n            topic: 'github',\n            validator,\n          });\n        }\n      },\n    });\n  },\n});\n"],"names":["createBackendModule","coreServices","eventsExtensionPoint","createGithubSignatureValidator"],"mappings":";;;;;;;;AA8BA,gCAAeA,oCAAoB,CAAA;AAAA,EACjC,QAAU,EAAA,QAAA;AAAA,EACV,QAAU,EAAA,gBAAA;AAAA,EACV,SAAS,GAAK,EAAA;AACZ,IAAA,GAAA,CAAI,YAAa,CAAA;AAAA,MACf,IAAM,EAAA;AAAA,QACJ,QAAQC,6BAAa,CAAA,UAAA;AAAA,QACrB,MAAQ,EAAAC;AAAA,OACV;AAAA,MACA,MAAM,IAAA,CAAK,EAAE,MAAA,EAAQ,QAAU,EAAA;AAC7B,QAAM,MAAA,SAAA,GAAYC,8DAA+B,MAAM,CAAA;AACvD,QAAA,IAAI,SAAW,EAAA;AACb,UAAA,MAAA,CAAO,kBAAmB,CAAA;AAAA,YACxB,KAAO,EAAA,QAAA;AAAA,YACP;AAAA,WACD,CAAA;AAAA;AACH;AACF,KACD,CAAA;AAAA;AAEL,CAAC,CAAA;;;;"}
+{"version":3,"file":"eventsModuleGithubWebhook.cjs.js","sources":["../../src/service/eventsModuleGithubWebhook.ts"],"sourcesContent":["/*\n * Copyright 2022 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  coreServices,\n  createBackendModule,\n} from '@backstage/backend-plugin-api';\nimport { eventsExtensionPoint } from '@backstage/plugin-events-node/alpha';\nimport { createGithubSignatureValidator } from '../http/createGithubSignatureValidator';\nimport { octokitProviderServiceRef } from '../util/octokitProviderService';\n\n/**\n * Module for the events-backend plugin,\n * registering an HTTP POST ingress with request validator\n * which verifies the webhook signature based on a secret.\n *\n * @public\n */\nexport default createBackendModule({\n  pluginId: 'events',\n  moduleId: 'github-webhook',\n  register(env) {\n    env.registerInit({\n      deps: {\n        config: coreServices.rootConfig,\n        events: eventsExtensionPoint,\n        octokitProvider: octokitProviderServiceRef,\n      },\n      async init({ config, events, octokitProvider }) {\n        const validator = createGithubSignatureValidator(\n          config,\n          octokitProvider,\n        );\n        if (validator) {\n          events.addHttpPostIngress({\n            topic: 'github',\n            validator,\n          });\n        }\n      },\n    });\n  },\n});\n"],"names":["createBackendModule","coreServices","eventsExtensionPoint","octokitProviderServiceRef","createGithubSignatureValidator"],"mappings":";;;;;;;;;AA+BA,gCAAeA,oCAAoB,CAAA;AAAA,EACjC,QAAU,EAAA,QAAA;AAAA,EACV,QAAU,EAAA,gBAAA;AAAA,EACV,SAAS,GAAK,EAAA;AACZ,IAAA,GAAA,CAAI,YAAa,CAAA;AAAA,MACf,IAAM,EAAA;AAAA,QACJ,QAAQC,6BAAa,CAAA,UAAA;AAAA,QACrB,MAAQ,EAAAC,0BAAA;AAAA,QACR,eAAiB,EAAAC;AAAA,OACnB;AAAA,MACA,MAAM,IAAK,CAAA,EAAE,MAAQ,EAAA,MAAA,EAAQ,iBAAmB,EAAA;AAC9C,QAAA,MAAM,SAAY,GAAAC,6DAAA;AAAA,UAChB,MAAA;AAAA,UACA;AAAA,SACF;AACA,QAAA,IAAI,SAAW,EAAA;AACb,UAAA,MAAA,CAAO,kBAAmB,CAAA;AAAA,YACxB,KAAO,EAAA,QAAA;AAAA,YACP;AAAA,WACD,CAAA;AAAA;AACH;AACF,KACD,CAAA;AAAA;AAEL,CAAC,CAAA;;;;"}

package/dist/util/createAppIdResolver.cjs.js

@@ -0,0 +1,38 @@
+'use strict';
+
+var lodash = require('lodash');
+
+function _interopDefaultCompat (e) { return e && typeof e === 'object' && 'default' in e ? e : { default: e }; }
+
+var lodash__default = /*#__PURE__*/_interopDefaultCompat(lodash);
+
+function createAppIdResolver(octokitProvider) {
+  const installationIdToAppId = /* @__PURE__ */ new Map();
+  return async (request) => {
+    const installationId = lodash__default.default.get(
+      request.body,
+      "installation.id"
+    );
+    if (!installationId || typeof installationId !== "number") {
+      return void 0;
+    }
+    let appIdPromsie = installationIdToAppId.get(installationId);
+    if (appIdPromsie) {
+      return await appIdPromsie;
+    }
+    const repositoryUrl = lodash__default.default.get(
+      request.body,
+      "repository.html_url"
+    );
+    if (!repositoryUrl || typeof repositoryUrl !== "string") {
+      return void 0;
+    }
+    const octokit = await octokitProvider.getOctokit(repositoryUrl);
+    appIdPromsie = octokit.rest.apps.getInstallation({ installation_id: installationId }).then((response) => Number(response.data.app_id)).catch(() => void 0);
+    installationIdToAppId.set(installationId, appIdPromsie);
+    return await appIdPromsie;
+  };
+}
+
+exports.createAppIdResolver = createAppIdResolver;
+//# sourceMappingURL=createAppIdResolver.cjs.js.map

package/dist/util/createAppIdResolver.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"createAppIdResolver.cjs.js","sources":["../../src/util/createAppIdResolver.ts"],"sourcesContent":["/*\n * Copyright 2025 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { RequestDetails } from '@backstage/plugin-events-node';\nimport { OctokitProviderService } from './octokitProviderService';\nimport lodash from 'lodash';\n\nexport type AppIdResolver = (\n  request: RequestDetails,\n) => Promise<number | undefined>;\n\n/**\n * Helps with resolving what app ID (if any) that sent a webhook event.\n */\nexport function createAppIdResolver(\n  octokitProvider: OctokitProviderService,\n): AppIdResolver {\n  const installationIdToAppId = new Map<number, Promise<number | undefined>>();\n\n  return async (request: RequestDetails) => {\n    const installationId = lodash.get(\n      request.body,\n      'installation.id',\n    ) as unknown;\n\n    if (!installationId || typeof installationId !== 'number') {\n      return undefined;\n    }\n\n    let appIdPromsie = installationIdToAppId.get(installationId);\n    if (appIdPromsie) {\n      return await appIdPromsie;\n    }\n\n    const repositoryUrl = lodash.get(\n      request.body,\n      'repository.html_url',\n    ) as unknown;\n\n    if (!repositoryUrl || typeof repositoryUrl !== 'string') {\n      return undefined;\n    }\n\n    const octokit = await octokitProvider.getOctokit(repositoryUrl);\n    appIdPromsie = octokit.rest.apps\n      .getInstallation({ installation_id: installationId })\n      .then(response => Number(response.data.app_id))\n      .catch(() => undefined);\n\n    installationIdToAppId.set(installationId, appIdPromsie);\n    return await appIdPromsie;\n  };\n}\n"],"names":["lodash"],"mappings":";;;;;;;;AA2BO,SAAS,oBACd,eACe,EAAA;AACf,EAAM,MAAA,qBAAA,uBAA4B,GAAyC,EAAA;AAE3E,EAAA,OAAO,OAAO,OAA4B,KAAA;AACxC,IAAA,MAAM,iBAAiBA,uBAAO,CAAA,GAAA;AAAA,MAC5B,OAAQ,CAAA,IAAA;AAAA,MACR;AAAA,KACF;AAEA,IAAA,IAAI,CAAC,cAAA,IAAkB,OAAO,cAAA,KAAmB,QAAU,EAAA;AACzD,MAAO,OAAA,KAAA,CAAA;AAAA;AAGT,IAAI,IAAA,YAAA,GAAe,qBAAsB,CAAA,GAAA,CAAI,cAAc,CAAA;AAC3D,IAAA,IAAI,YAAc,EAAA;AAChB,MAAA,OAAO,MAAM,YAAA;AAAA;AAGf,IAAA,MAAM,gBAAgBA,uBAAO,CAAA,GAAA;AAAA,MAC3B,OAAQ,CAAA,IAAA;AAAA,MACR;AAAA,KACF;AAEA,IAAA,IAAI,CAAC,aAAA,IAAiB,OAAO,aAAA,KAAkB,QAAU,EAAA;AACvD,MAAO,OAAA,KAAA,CAAA;AAAA;AAGT,IAAA,MAAM,OAAU,GAAA,MAAM,eAAgB,CAAA,UAAA,CAAW,aAAa,CAAA;AAC9D,IAAA,YAAA,GAAe,QAAQ,IAAK,CAAA,IAAA,CACzB,gBAAgB,EAAE,eAAA,EAAiB,gBAAgB,CAAA,CACnD,KAAK,CAAY,QAAA,KAAA,MAAA,CAAO,SAAS,IAAK,CAAA,MAAM,CAAC,CAC7C,CAAA,KAAA,CAAM,MAAM,KAAS,CAAA,CAAA;AAExB,IAAsB,qBAAA,CAAA,GAAA,CAAI,gBAAgB,YAAY,CAAA;AACtD,IAAA,OAAO,MAAM,YAAA;AAAA,GACf;AACF;;;;"}

package/dist/util/octokitProviderService.cjs.js

@@ -0,0 +1,67 @@
+'use strict';
+
+var backendPluginApi = require('@backstage/backend-plugin-api');
+var integration = require('@backstage/integration');
+var types = require('@backstage/types');
+var octokit = require('octokit');
+
+class OctokitProviderImpl {
+  #integrations;
+  #githubCredentials;
+  #octokitCache;
+  #octokitCacheTtl;
+  constructor(config) {
+    this.#integrations = integration.ScmIntegrations.fromConfig(config);
+    this.#githubCredentials = integration.DefaultGithubCredentialsProvider.fromIntegrations(
+      this.#integrations
+    );
+    this.#octokitCache = /* @__PURE__ */ new Map();
+    this.#octokitCacheTtl = { hours: 1 };
+  }
+  async getOctokit(url) {
+    const integration = this.#integrations.github.byUrl(url);
+    if (!integration) {
+      throw new Error(`No integration found for url: ${url}`);
+    }
+    const key = integration.config.host;
+    if (this.#octokitCache.has(key)) {
+      return this.#octokitCache.get(key);
+    }
+    const { createCallbackAuth } = await import('@octokit/auth-callback');
+    const octokit$1 = new octokit.Octokit({
+      baseUrl: integration.config.apiBaseUrl,
+      authStrategy: createCallbackAuth,
+      auth: {
+        callback: async () => {
+          try {
+            const credentials = await this.#githubCredentials.getCredentials({
+              url
+            });
+            return credentials.token;
+          } catch {
+            return void 0;
+          }
+        }
+      }
+    });
+    this.#octokitCache.set(key, octokit$1);
+    setTimeout(() => {
+      this.#octokitCache.delete(key);
+    }, types.durationToMilliseconds(this.#octokitCacheTtl));
+    return octokit$1;
+  }
+}
+const octokitProviderServiceRef = backendPluginApi.createServiceRef({
+  id: "octokitProvider",
+  scope: "root",
+  defaultFactory: async (service) => backendPluginApi.createServiceFactory({
+    service,
+    deps: { config: backendPluginApi.coreServices.rootConfig },
+    async factory({ config }) {
+      return new OctokitProviderImpl(config);
+    }
+  })
+});
+
+exports.octokitProviderServiceRef = octokitProviderServiceRef;
+//# sourceMappingURL=octokitProviderService.cjs.js.map

package/dist/util/octokitProviderService.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"octokitProviderService.cjs.js","sources":["../../src/util/octokitProviderService.ts"],"sourcesContent":["/*\n * Copyright 2025 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport {\n  coreServices,\n  createServiceFactory,\n  createServiceRef,\n  RootConfigService,\n} from '@backstage/backend-plugin-api';\nimport {\n  DefaultGithubCredentialsProvider,\n  GithubCredentialsProvider,\n  ScmIntegrationRegistry,\n  ScmIntegrations,\n} from '@backstage/integration';\nimport { durationToMilliseconds, HumanDuration } from '@backstage/types';\nimport { Octokit } from 'octokit';\n\nexport interface OctokitProviderService {\n  getOctokit: (url: string) => Promise<Octokit>;\n}\n\nclass OctokitProviderImpl implements OctokitProviderService {\n  readonly #integrations: ScmIntegrationRegistry;\n  readonly #githubCredentials: GithubCredentialsProvider;\n  readonly #octokitCache: Map<string, Octokit>;\n  readonly #octokitCacheTtl: HumanDuration;\n\n  constructor(config: RootConfigService) {\n    this.#integrations = ScmIntegrations.fromConfig(config);\n    this.#githubCredentials = DefaultGithubCredentialsProvider.fromIntegrations(\n      this.#integrations,\n    );\n    this.#octokitCache = new Map();\n    this.#octokitCacheTtl = { hours: 1 };\n  }\n\n  async getOctokit(url: string): Promise<Octokit> {\n    // TODO(freben): Be smart and cache these more granularly, e.g. by\n    // organization or even repo.\n    const integration = this.#integrations.github.byUrl(url);\n    if (!integration) {\n      throw new Error(`No integration found for url: ${url}`);\n    }\n    const key = integration.config.host;\n\n    if (this.#octokitCache.has(key)) {\n      return this.#octokitCache.get(key)!;\n    }\n\n    const { createCallbackAuth } = await import('@octokit/auth-callback');\n\n    const octokit = new Octokit({\n      baseUrl: integration.config.apiBaseUrl,\n      authStrategy: createCallbackAuth,\n      auth: {\n        callback: async () => {\n          try {\n            const credentials = await this.#githubCredentials.getCredentials({\n              url,\n            });\n            return credentials.token;\n          } catch {\n            return undefined;\n          }\n        },\n      },\n    });\n\n    this.#octokitCache.set(key, octokit);\n    setTimeout(() => {\n      this.#octokitCache.delete(key);\n    }, durationToMilliseconds(this.#octokitCacheTtl));\n\n    return octokit;\n  }\n}\n\nexport const octokitProviderServiceRef =\n  createServiceRef<OctokitProviderService>({\n    id: 'octokitProvider',\n    scope: 'root',\n    defaultFactory: async service =>\n      createServiceFactory({\n        service,\n        deps: { config: coreServices.rootConfig },\n        async factory({ config }) {\n          return new OctokitProviderImpl(config);\n        },\n      }),\n  });\n"],"names":["ScmIntegrations","DefaultGithubCredentialsProvider","octokit","Octokit","durationToMilliseconds","createServiceRef","createServiceFactory","coreServices"],"mappings":";;;;;;;AAmCA,MAAM,mBAAsD,CAAA;AAAA,EACjD,aAAA;AAAA,EACA,kBAAA;AAAA,EACA,aAAA;AAAA,EACA,gBAAA;AAAA,EAET,YAAY,MAA2B,EAAA;AACrC,IAAK,IAAA,CAAA,aAAA,GAAgBA,2BAAgB,CAAA,UAAA,CAAW,MAAM,CAAA;AACtD,IAAA,IAAA,CAAK,qBAAqBC,4CAAiC,CAAA,gBAAA;AAAA,MACzD,IAAK,CAAA;AAAA,KACP;AACA,IAAK,IAAA,CAAA,aAAA,uBAAoB,GAAI,EAAA;AAC7B,IAAK,IAAA,CAAA,gBAAA,GAAmB,EAAE,KAAA,EAAO,CAAE,EAAA;AAAA;AACrC,EAEA,MAAM,WAAW,GAA+B,EAAA;AAG9C,IAAA,MAAM,WAAc,GAAA,IAAA,CAAK,aAAc,CAAA,MAAA,CAAO,MAAM,GAAG,CAAA;AACvD,IAAA,IAAI,CAAC,WAAa,EAAA;AAChB,MAAA,MAAM,IAAI,KAAA,CAAM,CAAiC,8BAAA,EAAA,GAAG,CAAE,CAAA,CAAA;AAAA;AAExD,IAAM,MAAA,GAAA,GAAM,YAAY,MAAO,CAAA,IAAA;AAE/B,IAAA,IAAI,IAAK,CAAA,aAAA,CAAc,GAAI,CAAA,GAAG,CAAG,EAAA;AAC/B,MAAO,OAAA,IAAA,CAAK,aAAc,CAAA,GAAA,CAAI,GAAG,CAAA;AAAA;AAGnC,IAAA,MAAM,EAAE,kBAAA,EAAuB,GAAA,MAAM,OAAO,wBAAwB,CAAA;AAEpE,IAAM,MAAAC,SAAA,GAAU,IAAIC,eAAQ,CAAA;AAAA,MAC1B,OAAA,EAAS,YAAY,MAAO,CAAA,UAAA;AAAA,MAC5B,YAAc,EAAA,kBAAA;AAAA,MACd,IAAM,EAAA;AAAA,QACJ,UAAU,YAAY;AACpB,UAAI,IAAA;AACF,YAAA,MAAM,WAAc,GAAA,MAAM,IAAK,CAAA,kBAAA,CAAmB,cAAe,CAAA;AAAA,cAC/D;AAAA,aACD,CAAA;AACD,YAAA,OAAO,WAAY,CAAA,KAAA;AAAA,WACb,CAAA,MAAA;AACN,YAAO,OAAA,KAAA,CAAA;AAAA;AACT;AACF;AACF,KACD,CAAA;AAED,IAAK,IAAA,CAAA,aAAA,CAAc,GAAI,CAAA,GAAA,EAAKD,SAAO,CAAA;AACnC,IAAA,UAAA,CAAW,MAAM;AACf,MAAK,IAAA,CAAA,aAAA,CAAc,OAAO,GAAG,CAAA;AAAA,KAC5B,EAAAE,4BAAA,CAAuB,IAAK,CAAA,gBAAgB,CAAC,CAAA;AAEhD,IAAO,OAAAF,SAAA;AAAA;AAEX;AAEO,MAAM,4BACXG,iCAAyC,CAAA;AAAA,EACvC,EAAI,EAAA,iBAAA;AAAA,EACJ,KAAO,EAAA,MAAA;AAAA,EACP,cAAA,EAAgB,OAAM,OAAA,KACpBC,qCAAqB,CAAA;AAAA,IACnB,OAAA;AAAA,IACA,IAAM,EAAA,EAAE,MAAQ,EAAAC,6BAAA,CAAa,UAAW,EAAA;AAAA,IACxC,MAAM,OAAA,CAAQ,EAAE,MAAA,EAAU,EAAA;AACxB,MAAO,OAAA,IAAI,oBAAoB,MAAM,CAAA;AAAA;AACvC,GACD;AACL,CAAC;;;;"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@backstage/plugin-events-backend-module-github",
-  "version": "0.3.0",
+  "version": "0.4.0-next.1",
   "backstage": {
     "role": "backend-plugin-module",
     "pluginId": "events",
@@ -51,15 +51,20 @@
     "test": "backstage-cli package test"
   },
   "dependencies": {
-    "@backstage/backend-plugin-api": "^1.3.0",
-    "@backstage/config": "^1.3.2",
-    "@backstage/plugin-events-node": "^0.4.10",
-    "@octokit/webhooks-methods": "^3.0.0"
+    "@backstage/backend-plugin-api": "1.3.1-next.1",
+    "@backstage/config": "1.3.2",
+    "@backstage/integration": "1.16.4-next.1",
+    "@backstage/plugin-events-node": "0.4.11-next.1",
+    "@backstage/types": "1.2.1",
+    "@octokit/auth-callback": "^5.0.0",
+    "@octokit/webhooks-methods": "^3.0.0",
+    "lodash": "^4.17.21",
+    "octokit": "^3.0.0"
   },
   "devDependencies": {
-    "@backstage/backend-test-utils": "^1.4.0",
-    "@backstage/cli": "^0.32.0",
-    "@backstage/plugin-events-backend-test-utils": "^0.1.43"
+    "@backstage/backend-test-utils": "1.5.0-next.1",
+    "@backstage/cli": "0.32.1-next.1",
+    "@backstage/plugin-events-backend-test-utils": "0.1.44-next.1"
   },
   "configSchema": "config.d.ts"
 }