@backstage/plugin-proxy-backend 0.4.16-next.1 → 0.5.0-next.0

package/CHANGELOG.md

@@ -1,5 +1,69 @@
 # @backstage/plugin-proxy-backend
 
+## 0.5.0-next.0
+
+### Minor Changes
+
+- 88480e4: **BREAKING**: The proxy backend plugin is now protected by Backstage auth, by
+  default. Unless specifically configured (see below), all proxy endpoints will
+  reject requests immediately unless a valid Backstage user or service token is
+  passed along with the request. This aligns the proxy with how other Backstage
+  backends behave out of the box, and serves to protect your upstreams from
+  unauthorized access.
+
+  A proxy configuration section can now look as follows:
+
+  ```yaml
+  proxy:
+    endpoints:
+      '/pagerduty':
+        target: https://api.pagerduty.com
+        credentials: require # NEW!
+        headers:
+          Authorization: Token token=${PAGERDUTY_TOKEN}
+  ```
+
+  There are three possible `credentials` settings at this point:
+
+  - `require`: Callers must provide Backstage user or service credentials with
+    each request. The credentials are not forwarded to the proxy target.
+  - `forward`: Callers must provide Backstage user or service credentials with
+    each request, and those credentials are forwarded to the proxy target.
+  - `dangerously-allow-unauthenticated`: No Backstage credentials are required to
+    access this proxy target. The target can still apply its own credentials
+    checks, but the proxy will not help block non-Backstage-blessed callers. If
+    you also add `allowedHeaders: ['Authorization']` to an endpoint configuration,
+    then the Backstage token (if provided) WILL be forwarded.
+
+  The value `dangerously-allow-unauthenticated` was the old default.
+
+  The value `require` is the new default, so requests that were previously
+  permitted may now start resulting in `401 Unauthorized` responses. If you have
+  `backend.auth.dangerouslyDisableDefaultAuthPolicy` set to `true`, this does not
+  apply; the proxy will behave as if all endpoints were set to
+  `dangerously-allow-unauthenticated`.
+
+  If you have proxy endpoints that require unauthenticated access still, please
+  add `credentials: dangerously-allow-unauthenticated` to their declarations in
+  your app-config.
+
+### Patch Changes
+
+- 8869b8e: Updated local development setup.
+- Updated dependencies
+  - @backstage/backend-common@0.22.1-next.0
+  - @backstage/backend-plugin-api@0.6.19-next.0
+  - @backstage/config@1.2.0
+  - @backstage/types@1.1.1
+
+## 0.4.16
+
+### Patch Changes
+
+- Updated dependencies
+  - @backstage/backend-common@0.22.0
+  - @backstage/backend-plugin-api@0.6.18
+
 ## 0.4.16-next.1
 
 ### Patch Changes

package/alpha/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@backstage/plugin-proxy-backend",
-  "version": "0.4.16-next.1",
+  "version": "0.5.0-next.0",
   "main": "../dist/alpha.cjs.js",
   "types": "../dist/alpha.d.ts"
 }

package/config.d.ts

@@ -71,6 +71,33 @@ export interface Config {
              * and headers that are set by the proxy will be forwarded.
              */
             allowedHeaders?: string[];
+            /**
+             * The credentials policy to apply.
+             *
+             * @remarks
+             *
+             * The values are as follows:
+             *
+             * - 'require': Callers must provide Backstage user or service
+             *   credentials with each request. The credentials are not
+             *   forwarded to the proxy target.
+             * - 'forward': Callers must provide Backstage user or service
+             *   credentials with each request, and those credentials are
+             *   forwarded to the proxy target.
+             * - 'dangerously-allow-unauthenticated': No Backstage credentials
+             *   are required to access this proxy target. The target can still
+             *   apply its own credentials checks, but the proxy will not help
+             *   block non-Backstage-blessed callers.
+             *
+             * Note that if you have
+             * `backend.auth.dangerouslyDisableDefaultAuthPolicy` set to `true`,
+             * the `credentials` value does not apply; the proxy will behave as
+             * if all endpoints were set to `dangerously-allow-unauthenticated`.
+             */
+            credentials?:
+              | 'require'
+              | 'forward'
+              | 'dangerously-allow-unauthenticated';
           };
     };
   } & {
@@ -121,6 +148,33 @@ export interface Config {
            * and headers that are set by the proxy will be forwarded.
            */
           allowedHeaders?: string[];
+          /**
+           * The credentials policy to apply.
+           *
+           * @remarks
+           *
+           * The values are as follows:
+           *
+           * - 'require': Callers must provide Backstage user or service
+           *   credentials with each request. The credentials are not forwarded
+           *   to the proxy target.
+           * - 'forward': Callers must provide Backstage user or service
+           *   credentials with each request, and those credentials are
+           *   forwarded to the proxy target.
+           * - 'dangerously-allow-unauthenticated': No Backstage credentials are
+           *   required to access this proxy target. The target can still apply
+           *   its own credentials checks, but the proxy will not help block
+           *   non-Backstage-blessed callers.
+           *
+           * Note that if you have
+           * `backend.auth.dangerouslyDisableDefaultAuthPolicy` set to `true`,
+           * the `credentials` value does not apply; the proxy will behave as if
+           * all endpoints were set to `dangerously-allow-unauthenticated`.
+           */
+          credentials?:
+            | 'require'
+            | 'forward'
+            | 'dangerously-allow-unauthenticated';
         };
   };
 }

package/dist/alpha.cjs.js

@@ -4,7 +4,7 @@ Object.defineProperty(exports, '__esModule', { value: true });
 
 var backendCommon = require('@backstage/backend-common');
 var backendPluginApi = require('@backstage/backend-plugin-api');
-var router = require('./cjs/router-D6Z1qlfG.cjs.js');
+var router = require('./cjs/router-BB9HHp8x.cjs.js');
 require('express-promise-router');
 require('http-proxy-middleware');
 
@@ -19,16 +19,11 @@ var alpha = backendPluginApi.createBackendPlugin({
         httpRouter: backendPluginApi.coreServices.httpRouter
       },
       async init({ config, discovery, logger, httpRouter }) {
-        httpRouter.use(
-          await router.createRouter({
-            config,
-            discovery,
-            logger: backendCommon.loggerToWinstonLogger(logger)
-          })
-        );
-        httpRouter.addAuthPolicy({
-          allow: "unauthenticated",
-          path: "/"
+        await router.createRouterInternal({
+          config,
+          discovery,
+          logger: backendCommon.loggerToWinstonLogger(logger),
+          httpRouterService: httpRouter
         });
       }
     });

package/dist/alpha.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"alpha.cjs.js","sources":["../src/alpha.ts"],"sourcesContent":["/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { loggerToWinstonLogger } from '@backstage/backend-common';\nimport {\n  createBackendPlugin,\n  coreServices,\n} from '@backstage/backend-plugin-api';\nimport { createRouter } from './service/router';\n\n/**\n * The proxy backend plugin.\n *\n * @alpha\n */\nexport default createBackendPlugin({\n  pluginId: 'proxy',\n  register(env) {\n    env.registerInit({\n      deps: {\n        config: coreServices.rootConfig,\n        discovery: coreServices.discovery,\n        logger: coreServices.logger,\n        httpRouter: coreServices.httpRouter,\n      },\n      async init({ config, discovery, logger, httpRouter }) {\n        httpRouter.use(\n          await createRouter({\n            config,\n            discovery,\n            logger: loggerToWinstonLogger(logger),\n          }),\n        );\n        httpRouter.addAuthPolicy({\n          allow: 'unauthenticated',\n          path: '/',\n        });\n      },\n    });\n  },\n});\n"],"names":["createBackendPlugin","coreServices","createRouter","loggerToWinstonLogger"],"mappings":";;;;;;;;;;AA4BA,YAAeA,oCAAoB,CAAA;AAAA,EACjC,QAAU,EAAA,OAAA;AAAA,EACV,SAAS,GAAK,EAAA;AACZ,IAAA,GAAA,CAAI,YAAa,CAAA;AAAA,MACf,IAAM,EAAA;AAAA,QACJ,QAAQC,6BAAa,CAAA,UAAA;AAAA,QACrB,WAAWA,6BAAa,CAAA,SAAA;AAAA,QACxB,QAAQA,6BAAa,CAAA,MAAA;AAAA,QACrB,YAAYA,6BAAa,CAAA,UAAA;AAAA,OAC3B;AAAA,MACA,MAAM,IAAK,CAAA,EAAE,QAAQ,SAAW,EAAA,MAAA,EAAQ,YAAc,EAAA;AACpD,QAAW,UAAA,CAAA,GAAA;AAAA,UACT,MAAMC,mBAAa,CAAA;AAAA,YACjB,MAAA;AAAA,YACA,SAAA;AAAA,YACA,MAAA,EAAQC,oCAAsB,MAAM,CAAA;AAAA,WACrC,CAAA;AAAA,SACH,CAAA;AACA,QAAA,UAAA,CAAW,aAAc,CAAA;AAAA,UACvB,KAAO,EAAA,iBAAA;AAAA,UACP,IAAM,EAAA,GAAA;AAAA,SACP,CAAA,CAAA;AAAA,OACH;AAAA,KACD,CAAA,CAAA;AAAA,GACH;AACF,CAAC,CAAA;;;;"}
+{"version":3,"file":"alpha.cjs.js","sources":["../src/alpha.ts"],"sourcesContent":["/*\n * Copyright 2023 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { loggerToWinstonLogger } from '@backstage/backend-common';\nimport {\n  createBackendPlugin,\n  coreServices,\n} from '@backstage/backend-plugin-api';\nimport { createRouterInternal } from './service/router';\n\n/**\n * The proxy backend plugin.\n *\n * @alpha\n */\nexport default createBackendPlugin({\n  pluginId: 'proxy',\n  register(env) {\n    env.registerInit({\n      deps: {\n        config: coreServices.rootConfig,\n        discovery: coreServices.discovery,\n        logger: coreServices.logger,\n        httpRouter: coreServices.httpRouter,\n      },\n      async init({ config, discovery, logger, httpRouter }) {\n        await createRouterInternal({\n          config,\n          discovery,\n          logger: loggerToWinstonLogger(logger),\n          httpRouterService: httpRouter,\n        });\n      },\n    });\n  },\n});\n"],"names":["createBackendPlugin","coreServices","createRouterInternal","loggerToWinstonLogger"],"mappings":";;;;;;;;;;AA4BA,YAAeA,oCAAoB,CAAA;AAAA,EACjC,QAAU,EAAA,OAAA;AAAA,EACV,SAAS,GAAK,EAAA;AACZ,IAAA,GAAA,CAAI,YAAa,CAAA;AAAA,MACf,IAAM,EAAA;AAAA,QACJ,QAAQC,6BAAa,CAAA,UAAA;AAAA,QACrB,WAAWA,6BAAa,CAAA,SAAA;AAAA,QACxB,QAAQA,6BAAa,CAAA,MAAA;AAAA,QACrB,YAAYA,6BAAa,CAAA,UAAA;AAAA,OAC3B;AAAA,MACA,MAAM,IAAK,CAAA,EAAE,QAAQ,SAAW,EAAA,MAAA,EAAQ,YAAc,EAAA;AACpD,QAAA,MAAMC,2BAAqB,CAAA;AAAA,UACzB,MAAA;AAAA,UACA,SAAA;AAAA,UACA,MAAA,EAAQC,oCAAsB,MAAM,CAAA;AAAA,UACpC,iBAAmB,EAAA,UAAA;AAAA,SACpB,CAAA,CAAA;AAAA,OACH;AAAA,KACD,CAAA,CAAA;AAAA,GACH;AACF,CAAC,CAAA;;;;"}

package/dist/cjs/{router-D6Z1qlfG.cjs.js → router-BB9HHp8x.cjs.js}

@@ -24,9 +24,34 @@ const safeForwardHeaders = [
   "accept-language",
   "user-agent"
 ];
-function buildMiddleware(pathPrefix, logger, route, config, reviveConsumedRequestBodies) {
-  var _a;
-  const fullConfig = typeof config === "string" ? { target: config } : { ...config };
+function buildMiddleware(pathPrefix, logger, route, config, reviveConsumedRequestBodies, httpRouterService) {
+  let fullConfig;
+  let credentialsPolicy;
+  if (typeof config === "string") {
+    fullConfig = { target: config };
+    credentialsPolicy = "require";
+  } else {
+    const { credentials, ...rest } = config;
+    fullConfig = rest;
+    credentialsPolicy = credentials ?? "require";
+  }
+  const credentialsPolicyCandidates = [
+    "require",
+    "forward",
+    "dangerously-allow-unauthenticated"
+  ];
+  if (!credentialsPolicyCandidates.includes(credentialsPolicy)) {
+    const valid = credentialsPolicyCandidates.map((c) => `'${c}'`).join(", ");
+    throw new Error(
+      `Unknown credentials policy '${credentialsPolicy}' for proxy route '${route}'; expected one of ${valid}`
+    );
+  }
+  if (credentialsPolicy === "dangerously-allow-unauthenticated") {
+    httpRouterService?.addAuthPolicy({
+      path: route,
+      allow: "unauthenticated"
+    });
+  }
   const targetType = typeof fullConfig.target;
   if (targetType !== "string") {
     throw new Error(
@@ -37,7 +62,7 @@ function buildMiddleware(pathPrefix, logger, route, config, reviveConsumedReques
     new URL(fullConfig.target);
   } catch {
     throw new Error(
-      `Proxy target is not a valid URL: ${(_a = fullConfig.target) != null ? _a : ""}`
+      `Proxy target is not a valid URL: ${fullConfig.target ?? ""}`
     );
   }
   if (fullConfig.pathRewrite === void 0) {
@@ -66,15 +91,17 @@ function buildMiddleware(pathPrefix, logger, route, config, reviveConsumedReques
       ...fullConfig.allowedHeaders || []
     ].map((h) => h.toLocaleLowerCase())
   );
+  if (credentialsPolicy === "forward") {
+    requestHeaderAllowList.add("authorization");
+  }
   const filter = (_pathname, req) => {
-    var _a2, _b;
     const headerNames = Object.keys(req.headers);
     headerNames.forEach((h) => {
       if (!requestHeaderAllowList.has(h.toLocaleLowerCase())) {
         delete req.headers[h];
       }
     });
-    return (_b = (_a2 = fullConfig == null ? void 0 : fullConfig.allowedMethods) == null ? void 0 : _a2.includes(req.method)) != null ? _b : true;
+    return fullConfig?.allowedMethods?.includes(req.method) ?? true;
   };
   filter.toString = () => route;
   const responseHeaderAllowList = new Set(
@@ -99,12 +126,11 @@ function buildMiddleware(pathPrefix, logger, route, config, reviveConsumedReques
   return httpProxyMiddleware.createProxyMiddleware(filter, fullConfig);
 }
 function readProxyConfig(config, logger) {
-  var _a, _b;
-  const endpoints = (_a = config.getOptionalConfig("proxy.endpoints")) == null ? void 0 : _a.get();
+  const endpoints = config.getOptionalConfig("proxy.endpoints")?.get();
   if (endpoints) {
     return endpoints;
   }
-  const root = (_b = config.getOptionalConfig("proxy")) == null ? void 0 : _b.get();
+  const root = config.getOptionalConfig("proxy")?.get();
   if (!root) {
     return {};
   }
@@ -120,11 +146,13 @@ function readProxyConfig(config, logger) {
   return rootEndpoints;
 }
 async function createRouter(options) {
-  var _a, _b, _c, _d;
+  return createRouterInternal(options);
+}
+async function createRouterInternal(options) {
   const router = Router__default.default();
   let currentRouter = Router__default.default();
-  const skipInvalidProxies = (_b = (_a = options.skipInvalidProxies) != null ? _a : options.config.getOptionalBoolean("proxy.skipInvalidProxies")) != null ? _b : false;
-  const reviveConsumedRequestBodies = (_d = (_c = options.reviveConsumedRequestBodies) != null ? _c : options.config.getOptionalBoolean("proxy.reviveConsumedRequestBodies")) != null ? _d : false;
+  const skipInvalidProxies = options.skipInvalidProxies ?? options.config.getOptionalBoolean("proxy.skipInvalidProxies") ?? false;
+  const reviveConsumedRequestBodies = options.reviveConsumedRequestBodies ?? options.config.getOptionalBoolean("proxy.reviveConsumedRequestBodies") ?? false;
   const proxyOptions = {
     skipInvalidProxies,
     reviveConsumedRequestBodies,
@@ -133,7 +161,13 @@ async function createRouter(options) {
   const externalUrl = await options.discovery.getExternalBaseUrl("proxy");
   const { pathname: pathPrefix } = new URL(externalUrl);
   const proxyConfig = readProxyConfig(options.config, options.logger);
-  configureMiddlewares(proxyOptions, currentRouter, pathPrefix, proxyConfig);
+  configureMiddlewares(
+    proxyOptions,
+    currentRouter,
+    pathPrefix,
+    proxyConfig,
+    options.httpRouterService
+  );
   router.use((...args) => currentRouter(...args));
   if (options.config.subscribe) {
     let currentKey = JSON.stringify(proxyConfig);
@@ -147,14 +181,16 @@ async function createRouter(options) {
           proxyOptions,
           currentRouter,
           pathPrefix,
-          newProxyConfig
+          newProxyConfig,
+          options.httpRouterService
         );
       }
     });
   }
+  options.httpRouterService?.use(router);
   return router;
 }
-function configureMiddlewares(options, router, pathPrefix, proxyConfig) {
+function configureMiddlewares(options, router, pathPrefix, proxyConfig, httpRouterService) {
   Object.entries(proxyConfig).forEach(([route, proxyRouteConfig]) => {
     try {
       router.use(
@@ -164,7 +200,8 @@ function configureMiddlewares(options, router, pathPrefix, proxyConfig) {
           options.logger,
           route,
           proxyRouteConfig,
-          options.reviveConsumedRequestBodies
+          options.reviveConsumedRequestBodies,
+          httpRouterService
         )
       );
     } catch (e) {
@@ -178,4 +215,5 @@ function configureMiddlewares(options, router, pathPrefix, proxyConfig) {
 }
 
 exports.createRouter = createRouter;
-//# sourceMappingURL=router-D6Z1qlfG.cjs.js.map
+exports.createRouterInternal = createRouterInternal;
+//# sourceMappingURL=router-BB9HHp8x.cjs.js.map

package/dist/cjs/router-BB9HHp8x.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"router-BB9HHp8x.cjs.js","sources":["../../src/service/router.ts"],"sourcesContent":["/*\n * Copyright 2020 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { Config } from '@backstage/config';\nimport express from 'express';\nimport Router from 'express-promise-router';\nimport {\n  createProxyMiddleware,\n  fixRequestBody,\n  Options,\n  RequestHandler,\n} from 'http-proxy-middleware';\nimport { Logger } from 'winston';\nimport http from 'http';\nimport { PluginEndpointDiscovery } from '@backstage/backend-common';\nimport { JsonObject } from '@backstage/types';\nimport { HttpRouterService } from '@backstage/backend-plugin-api';\n\n// A list of headers that are always forwarded to the proxy targets.\nconst safeForwardHeaders = [\n  // https://fetch.spec.whatwg.org/#cors-safelisted-request-header\n  'cache-control',\n  'content-language',\n  'content-length',\n  'content-type',\n  'expires',\n  'last-modified',\n  'pragma',\n\n  // host is overridden by default. if changeOrigin is configured to false,\n  // we assume this is a intentional and should also be forwarded.\n  'host',\n\n  // other headers that we assume to be ok\n  'accept',\n  'accept-language',\n  'user-agent',\n];\n\n/** @public */\nexport interface RouterOptions {\n  logger: Logger;\n  config: Config;\n  discovery: PluginEndpointDiscovery;\n  skipInvalidProxies?: boolean;\n  reviveConsumedRequestBodies?: boolean;\n}\n\nexport interface ProxyConfig extends Options {\n  allowedMethods?: string[];\n  allowedHeaders?: string[];\n  reviveRequestBody?: boolean;\n}\n\n// Creates a proxy middleware, possibly with defaults added on top of the\n// given config.\nexport function buildMiddleware(\n  pathPrefix: string,\n  logger: Logger,\n  route: string,\n  config: string | ProxyConfig,\n  reviveConsumedRequestBodies?: boolean,\n  httpRouterService?: HttpRouterService,\n): RequestHandler {\n  let fullConfig: ProxyConfig;\n  let credentialsPolicy: string;\n  if (typeof config === 'string') {\n    fullConfig = { target: config };\n    credentialsPolicy = 'require';\n  } else {\n    const { credentials, ...rest } = config as any;\n    fullConfig = rest;\n    credentialsPolicy = credentials ?? 'require';\n  }\n\n  const credentialsPolicyCandidates = [\n    'require',\n    'forward',\n    'dangerously-allow-unauthenticated',\n  ];\n  if (!credentialsPolicyCandidates.includes(credentialsPolicy)) {\n    const valid = credentialsPolicyCandidates.map(c => `'${c}'`).join(', ');\n    throw new Error(\n      `Unknown credentials policy '${credentialsPolicy}' for proxy route '${route}'; expected one of ${valid}`,\n    );\n  }\n\n  if (credentialsPolicy === 'dangerously-allow-unauthenticated') {\n    httpRouterService?.addAuthPolicy({\n      path: route,\n      allow: 'unauthenticated',\n    });\n  }\n\n  // Validate that target is a valid URL.\n  const targetType = typeof fullConfig.target;\n  if (targetType !== 'string') {\n    throw new Error(\n      `Proxy target for route \"${route}\" must be a string, but is of type ${targetType}`,\n    );\n  }\n  try {\n    // eslint-disable-next-line no-new\n    new URL(fullConfig.target! as string);\n  } catch {\n    throw new Error(\n      `Proxy target is not a valid URL: ${fullConfig.target ?? ''}`,\n    );\n  }\n\n  // Default is to do a path rewrite that strips out the proxy's path prefix\n  // and the rest of the route.\n  if (fullConfig.pathRewrite === undefined) {\n    let routeWithSlash = route.endsWith('/') ? route : `${route}/`;\n\n    if (!pathPrefix.endsWith('/') && !routeWithSlash.startsWith('/')) {\n      // Need to insert a / between pathPrefix and routeWithSlash\n      routeWithSlash = `/${routeWithSlash}`;\n    } else if (pathPrefix.endsWith('/') && routeWithSlash.startsWith('/')) {\n      // Never expect this to happen at this point in time as\n      // pathPrefix is set using `getExternalBaseUrl` which \"Returns the\n      // external HTTP base backend URL for a given plugin,\n      // **without a trailing slash.**\". But in case this changes in future, we\n      // need to drop a / on either pathPrefix or routeWithSlash\n      routeWithSlash = routeWithSlash.substring(1);\n    }\n\n    // The ? makes the slash optional for the rewrite, so that a base path without an ending slash\n    // will also be matched (e.g. '/sample' and then requesting just '/api/proxy/sample' without an\n    // ending slash). Otherwise the target gets called with the full '/api/proxy/sample' path\n    // appended.\n    fullConfig.pathRewrite = {\n      [`^${pathPrefix}${routeWithSlash}?`]: '/',\n    };\n  }\n\n  // Default is to update the Host header to the target\n  if (fullConfig.changeOrigin === undefined) {\n    fullConfig.changeOrigin = true;\n  }\n\n  // Attach the logger to the proxy config\n  fullConfig.logProvider = () => logger;\n  // http-proxy-middleware uses this log level to check if it should log the\n  // requests that it proxies. Setting this to the most verbose log level\n  // ensures that it always logs these requests. Our logger ends up deciding\n  // if the logs are displayed or not.\n  fullConfig.logLevel = 'debug';\n\n  // Only return the allowed HTTP headers to not forward unwanted secret headers\n  const requestHeaderAllowList = new Set<string>(\n    [\n      // allow all safe headers\n      ...safeForwardHeaders,\n\n      // allow all headers that are set by the proxy\n      ...((fullConfig.headers && Object.keys(fullConfig.headers)) || []),\n\n      // allow all configured headers\n      ...(fullConfig.allowedHeaders || []),\n    ].map(h => h.toLocaleLowerCase()),\n  );\n\n  if (credentialsPolicy === 'forward') {\n    requestHeaderAllowList.add('authorization');\n  }\n\n  // Use the custom middleware filter to do two things:\n  //  1. Remove any headers not in the allow list to stop them being forwarded\n  //  2. Only permit the allowed HTTP methods if configured\n  //\n  // We are filtering the proxy request headers here rather than in\n  // `onProxyReq` because when global-agent is enabled then `onProxyReq`\n  // fires _after_ the agent has already sent the headers to the proxy\n  // target, causing a ERR_HTTP_HEADERS_SENT crash\n  const filter = (_pathname: string, req: http.IncomingMessage): boolean => {\n    const headerNames = Object.keys(req.headers);\n    headerNames.forEach(h => {\n      if (!requestHeaderAllowList.has(h.toLocaleLowerCase())) {\n        delete req.headers[h];\n      }\n    });\n\n    return fullConfig?.allowedMethods?.includes(req.method!) ?? true;\n  };\n  // Makes http-proxy-middleware logs look nicer and include the mount path\n  filter.toString = () => route;\n\n  // Only forward the allowed HTTP headers to not forward unwanted secret headers\n  const responseHeaderAllowList = new Set<string>(\n    [\n      // allow all safe headers\n      ...safeForwardHeaders,\n\n      // allow all configured headers\n      ...(fullConfig.allowedHeaders || []),\n    ].map(h => h.toLocaleLowerCase()),\n  );\n\n  // only forward the allowed headers in backend->client\n  fullConfig.onProxyRes = (proxyRes: http.IncomingMessage) => {\n    const headerNames = Object.keys(proxyRes.headers);\n\n    headerNames.forEach(h => {\n      if (!responseHeaderAllowList.has(h.toLocaleLowerCase())) {\n        delete proxyRes.headers[h];\n      }\n    });\n  };\n\n  if (reviveConsumedRequestBodies) {\n    fullConfig.onProxyReq = fixRequestBody;\n  }\n\n  return createProxyMiddleware(filter, fullConfig);\n}\n\nfunction readProxyConfig(config: Config, logger: Logger): JsonObject {\n  const endpoints = config\n    .getOptionalConfig('proxy.endpoints')\n    ?.get<JsonObject>();\n  if (endpoints) {\n    return endpoints;\n  }\n\n  const root = config.getOptionalConfig('proxy')?.get<JsonObject>();\n  if (!root) {\n    return {};\n  }\n\n  const rootEndpoints = Object.fromEntries(\n    Object.entries(root).filter(([key]) => key.startsWith('/')),\n  );\n  if (Object.keys(rootEndpoints).length === 0) {\n    return {};\n  }\n\n  logger.warn(\n    \"Configuring proxy endpoints in the root 'proxy' configuration is deprecated. Move this configuration to 'proxy.endpoints' instead.\",\n  );\n\n  return rootEndpoints;\n}\n\n/**\n * Creates a new\n * {@link https://expressjs.com/en/api.html#router | \"express router\"} that\n * proxies each target configured under the `proxy.endpoints` key of the config.\n *\n * @remarks\n *\n * Example configuration:\n *\n * ```yaml\n * proxy:\n *   endpoints:\n *      # Option 1: Simple URL String\n *     simple-example: http://simple.example.com:8080\n *     # Option 2: `http-proxy-middleware` compatible object\n *     '/larger-example/v1':\n *       target: http://larger.example.com:8080/svc.v1\n *       headers:\n *         Authorization: Bearer ${EXAMPLE_AUTH_TOKEN}\n * ```\n *\n * @see https://backstage.io/docs/plugins/proxying\n * @public\n */\nexport async function createRouter(\n  options: RouterOptions,\n): Promise<express.Router> {\n  return createRouterInternal(options);\n}\n\nexport async function createRouterInternal(\n  options: RouterOptions & { httpRouterService?: HttpRouterService },\n): Promise<express.Router> {\n  const router = Router();\n  let currentRouter = Router();\n\n  const skipInvalidProxies =\n    options.skipInvalidProxies ??\n    options.config.getOptionalBoolean('proxy.skipInvalidProxies') ??\n    false;\n  const reviveConsumedRequestBodies =\n    options.reviveConsumedRequestBodies ??\n    options.config.getOptionalBoolean('proxy.reviveConsumedRequestBodies') ??\n    false;\n  const proxyOptions = {\n    skipInvalidProxies,\n    reviveConsumedRequestBodies,\n    logger: options.logger,\n  };\n\n  const externalUrl = await options.discovery.getExternalBaseUrl('proxy');\n  const { pathname: pathPrefix } = new URL(externalUrl);\n\n  const proxyConfig = readProxyConfig(options.config, options.logger);\n  configureMiddlewares(\n    proxyOptions,\n    currentRouter,\n    pathPrefix,\n    proxyConfig,\n    options.httpRouterService,\n  );\n  router.use((...args) => currentRouter(...args));\n\n  if (options.config.subscribe) {\n    let currentKey = JSON.stringify(proxyConfig);\n\n    options.config.subscribe(() => {\n      const newProxyConfig = readProxyConfig(options.config, options.logger);\n      const newKey = JSON.stringify(newProxyConfig);\n\n      if (currentKey !== newKey) {\n        currentKey = newKey;\n        currentRouter = Router();\n        configureMiddlewares(\n          proxyOptions,\n          currentRouter,\n          pathPrefix,\n          newProxyConfig,\n          options.httpRouterService,\n        );\n      }\n    });\n  }\n\n  options.httpRouterService?.use(router);\n  return router;\n}\n\nfunction configureMiddlewares(\n  options: {\n    reviveConsumedRequestBodies: boolean;\n    skipInvalidProxies: boolean;\n    logger: Logger;\n  },\n  router: express.Router,\n  pathPrefix: string,\n  proxyConfig: any,\n  httpRouterService?: HttpRouterService,\n) {\n  Object.entries<any>(proxyConfig).forEach(([route, proxyRouteConfig]) => {\n    try {\n      router.use(\n        route,\n        buildMiddleware(\n          pathPrefix,\n          options.logger,\n          route,\n          proxyRouteConfig,\n          options.reviveConsumedRequestBodies,\n          httpRouterService,\n        ),\n      );\n    } catch (e) {\n      if (options.skipInvalidProxies) {\n        options.logger.warn(`skipped configuring ${route} due to ${e.message}`);\n      } else {\n        throw e;\n      }\n    }\n  });\n}\n"],"names":["fixRequestBody","createProxyMiddleware","Router"],"mappings":";;;;;;;;;AAgCA,MAAM,kBAAqB,GAAA;AAAA;AAAA,EAEzB,eAAA;AAAA,EACA,kBAAA;AAAA,EACA,gBAAA;AAAA,EACA,cAAA;AAAA,EACA,SAAA;AAAA,EACA,eAAA;AAAA,EACA,QAAA;AAAA;AAAA;AAAA,EAIA,MAAA;AAAA;AAAA,EAGA,QAAA;AAAA,EACA,iBAAA;AAAA,EACA,YAAA;AACF,CAAA,CAAA;AAmBO,SAAS,gBACd,UACA,EAAA,MAAA,EACA,KACA,EAAA,MAAA,EACA,6BACA,iBACgB,EAAA;AAChB,EAAI,IAAA,UAAA,CAAA;AACJ,EAAI,IAAA,iBAAA,CAAA;AACJ,EAAI,IAAA,OAAO,WAAW,QAAU,EAAA;AAC9B,IAAa,UAAA,GAAA,EAAE,QAAQ,MAAO,EAAA,CAAA;AAC9B,IAAoB,iBAAA,GAAA,SAAA,CAAA;AAAA,GACf,MAAA;AACL,IAAA,MAAM,EAAE,WAAA,EAAa,GAAG,IAAA,EAAS,GAAA,MAAA,CAAA;AACjC,IAAa,UAAA,GAAA,IAAA,CAAA;AACb,IAAA,iBAAA,GAAoB,WAAe,IAAA,SAAA,CAAA;AAAA,GACrC;AAEA,EAAA,MAAM,2BAA8B,GAAA;AAAA,IAClC,SAAA;AAAA,IACA,SAAA;AAAA,IACA,mCAAA;AAAA,GACF,CAAA;AACA,EAAA,IAAI,CAAC,2BAAA,CAA4B,QAAS,CAAA,iBAAiB,CAAG,EAAA;AAC5D,IAAM,MAAA,KAAA,GAAQ,4BAA4B,GAAI,CAAA,CAAA,CAAA,KAAK,IAAI,CAAC,CAAA,CAAA,CAAG,CAAE,CAAA,IAAA,CAAK,IAAI,CAAA,CAAA;AACtE,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,CAA+B,4BAAA,EAAA,iBAAiB,CAAsB,mBAAA,EAAA,KAAK,sBAAsB,KAAK,CAAA,CAAA;AAAA,KACxG,CAAA;AAAA,GACF;AAEA,EAAA,IAAI,sBAAsB,mCAAqC,EAAA;AAC7D,IAAA,iBAAA,EAAmB,aAAc,CAAA;AAAA,MAC/B,IAAM,EAAA,KAAA;AAAA,MACN,KAAO,EAAA,iBAAA;AAAA,KACR,CAAA,CAAA;AAAA,GACH;AAGA,EAAM,MAAA,UAAA,GAAa,OAAO,UAAW,CAAA,MAAA,CAAA;AACrC,EAAA,IAAI,eAAe,QAAU,EAAA;AAC3B,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,CAAA,wBAAA,EAA2B,KAAK,CAAA,mCAAA,EAAsC,UAAU,CAAA,CAAA;AAAA,KAClF,CAAA;AAAA,GACF;AACA,EAAI,IAAA;AAEF,IAAI,IAAA,GAAA,CAAI,WAAW,MAAiB,CAAA,CAAA;AAAA,GAC9B,CAAA,MAAA;AACN,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,CAAA,iCAAA,EAAoC,UAAW,CAAA,MAAA,IAAU,EAAE,CAAA,CAAA;AAAA,KAC7D,CAAA;AAAA,GACF;AAIA,EAAI,IAAA,UAAA,CAAW,gBAAgB,KAAW,CAAA,EAAA;AACxC,IAAA,IAAI,iBAAiB,KAAM,CAAA,QAAA,CAAS,GAAG,CAAI,GAAA,KAAA,GAAQ,GAAG,KAAK,CAAA,CAAA,CAAA,CAAA;AAE3D,IAAI,IAAA,CAAC,WAAW,QAAS,CAAA,GAAG,KAAK,CAAC,cAAA,CAAe,UAAW,CAAA,GAAG,CAAG,EAAA;AAEhE,MAAA,cAAA,GAAiB,IAAI,cAAc,CAAA,CAAA,CAAA;AAAA,KACrC,MAAA,IAAW,WAAW,QAAS,CAAA,GAAG,KAAK,cAAe,CAAA,UAAA,CAAW,GAAG,CAAG,EAAA;AAMrE,MAAiB,cAAA,GAAA,cAAA,CAAe,UAAU,CAAC,CAAA,CAAA;AAAA,KAC7C;AAMA,IAAA,UAAA,CAAW,WAAc,GAAA;AAAA,MACvB,CAAC,CAAI,CAAA,EAAA,UAAU,CAAG,EAAA,cAAc,GAAG,GAAG,GAAA;AAAA,KACxC,CAAA;AAAA,GACF;AAGA,EAAI,IAAA,UAAA,CAAW,iBAAiB,KAAW,CAAA,EAAA;AACzC,IAAA,UAAA,CAAW,YAAe,GAAA,IAAA,CAAA;AAAA,GAC5B;AAGA,EAAA,UAAA,CAAW,cAAc,MAAM,MAAA,CAAA;AAK/B,EAAA,UAAA,CAAW,QAAW,GAAA,OAAA,CAAA;AAGtB,EAAA,MAAM,yBAAyB,IAAI,GAAA;AAAA,IACjC;AAAA;AAAA,MAEE,GAAG,kBAAA;AAAA;AAAA,MAGH,GAAK,WAAW,OAAW,IAAA,MAAA,CAAO,KAAK,UAAW,CAAA,OAAO,KAAM,EAAC;AAAA;AAAA,MAGhE,GAAI,UAAW,CAAA,cAAA,IAAkB,EAAC;AAAA,KAClC,CAAA,GAAA,CAAI,CAAK,CAAA,KAAA,CAAA,CAAE,mBAAmB,CAAA;AAAA,GAClC,CAAA;AAEA,EAAA,IAAI,sBAAsB,SAAW,EAAA;AACnC,IAAA,sBAAA,CAAuB,IAAI,eAAe,CAAA,CAAA;AAAA,GAC5C;AAUA,EAAM,MAAA,MAAA,GAAS,CAAC,SAAA,EAAmB,GAAuC,KAAA;AACxE,IAAA,MAAM,WAAc,GAAA,MAAA,CAAO,IAAK,CAAA,GAAA,CAAI,OAAO,CAAA,CAAA;AAC3C,IAAA,WAAA,CAAY,QAAQ,CAAK,CAAA,KAAA;AACvB,MAAA,IAAI,CAAC,sBAAuB,CAAA,GAAA,CAAI,CAAE,CAAA,iBAAA,EAAmB,CAAG,EAAA;AACtD,QAAO,OAAA,GAAA,CAAI,QAAQ,CAAC,CAAA,CAAA;AAAA,OACtB;AAAA,KACD,CAAA,CAAA;AAED,IAAA,OAAO,UAAY,EAAA,cAAA,EAAgB,QAAS,CAAA,GAAA,CAAI,MAAO,CAAK,IAAA,IAAA,CAAA;AAAA,GAC9D,CAAA;AAEA,EAAA,MAAA,CAAO,WAAW,MAAM,KAAA,CAAA;AAGxB,EAAA,MAAM,0BAA0B,IAAI,GAAA;AAAA,IAClC;AAAA;AAAA,MAEE,GAAG,kBAAA;AAAA;AAAA,MAGH,GAAI,UAAW,CAAA,cAAA,IAAkB,EAAC;AAAA,KAClC,CAAA,GAAA,CAAI,CAAK,CAAA,KAAA,CAAA,CAAE,mBAAmB,CAAA;AAAA,GAClC,CAAA;AAGA,EAAW,UAAA,CAAA,UAAA,GAAa,CAAC,QAAmC,KAAA;AAC1D,IAAA,MAAM,WAAc,GAAA,MAAA,CAAO,IAAK,CAAA,QAAA,CAAS,OAAO,CAAA,CAAA;AAEhD,IAAA,WAAA,CAAY,QAAQ,CAAK,CAAA,KAAA;AACvB,MAAA,IAAI,CAAC,uBAAwB,CAAA,GAAA,CAAI,CAAE,CAAA,iBAAA,EAAmB,CAAG,EAAA;AACvD,QAAO,OAAA,QAAA,CAAS,QAAQ,CAAC,CAAA,CAAA;AAAA,OAC3B;AAAA,KACD,CAAA,CAAA;AAAA,GACH,CAAA;AAEA,EAAA,IAAI,2BAA6B,EAAA;AAC/B,IAAA,UAAA,CAAW,UAAa,GAAAA,kCAAA,CAAA;AAAA,GAC1B;AAEA,EAAO,OAAAC,yCAAA,CAAsB,QAAQ,UAAU,CAAA,CAAA;AACjD,CAAA;AAEA,SAAS,eAAA,CAAgB,QAAgB,MAA4B,EAAA;AACnE,EAAA,MAAM,SAAY,GAAA,MAAA,CACf,iBAAkB,CAAA,iBAAiB,GAClC,GAAgB,EAAA,CAAA;AACpB,EAAA,IAAI,SAAW,EAAA;AACb,IAAO,OAAA,SAAA,CAAA;AAAA,GACT;AAEA,EAAA,MAAM,IAAO,GAAA,MAAA,CAAO,iBAAkB,CAAA,OAAO,GAAG,GAAgB,EAAA,CAAA;AAChE,EAAA,IAAI,CAAC,IAAM,EAAA;AACT,IAAA,OAAO,EAAC,CAAA;AAAA,GACV;AAEA,EAAA,MAAM,gBAAgB,MAAO,CAAA,WAAA;AAAA,IAC3B,MAAO,CAAA,OAAA,CAAQ,IAAI,CAAA,CAAE,MAAO,CAAA,CAAC,CAAC,GAAG,CAAM,KAAA,GAAA,CAAI,UAAW,CAAA,GAAG,CAAC,CAAA;AAAA,GAC5D,CAAA;AACA,EAAA,IAAI,MAAO,CAAA,IAAA,CAAK,aAAa,CAAA,CAAE,WAAW,CAAG,EAAA;AAC3C,IAAA,OAAO,EAAC,CAAA;AAAA,GACV;AAEA,EAAO,MAAA,CAAA,IAAA;AAAA,IACL,oIAAA;AAAA,GACF,CAAA;AAEA,EAAO,OAAA,aAAA,CAAA;AACT,CAAA;AA0BA,eAAsB,aACpB,OACyB,EAAA;AACzB,EAAA,OAAO,qBAAqB,OAAO,CAAA,CAAA;AACrC,CAAA;AAEA,eAAsB,qBACpB,OACyB,EAAA;AACzB,EAAA,MAAM,SAASC,uBAAO,EAAA,CAAA;AACtB,EAAA,IAAI,gBAAgBA,uBAAO,EAAA,CAAA;AAE3B,EAAA,MAAM,qBACJ,OAAQ,CAAA,kBAAA,IACR,QAAQ,MAAO,CAAA,kBAAA,CAAmB,0BAA0B,CAC5D,IAAA,KAAA,CAAA;AACF,EAAA,MAAM,8BACJ,OAAQ,CAAA,2BAAA,IACR,QAAQ,MAAO,CAAA,kBAAA,CAAmB,mCAAmC,CACrE,IAAA,KAAA,CAAA;AACF,EAAA,MAAM,YAAe,GAAA;AAAA,IACnB,kBAAA;AAAA,IACA,2BAAA;AAAA,IACA,QAAQ,OAAQ,CAAA,MAAA;AAAA,GAClB,CAAA;AAEA,EAAA,MAAM,WAAc,GAAA,MAAM,OAAQ,CAAA,SAAA,CAAU,mBAAmB,OAAO,CAAA,CAAA;AACtE,EAAA,MAAM,EAAE,QAAU,EAAA,UAAA,EAAe,GAAA,IAAI,IAAI,WAAW,CAAA,CAAA;AAEpD,EAAA,MAAM,WAAc,GAAA,eAAA,CAAgB,OAAQ,CAAA,MAAA,EAAQ,QAAQ,MAAM,CAAA,CAAA;AAClE,EAAA,oBAAA;AAAA,IACE,YAAA;AAAA,IACA,aAAA;AAAA,IACA,UAAA;AAAA,IACA,WAAA;AAAA,IACA,OAAQ,CAAA,iBAAA;AAAA,GACV,CAAA;AACA,EAAA,MAAA,CAAO,IAAI,CAAI,GAAA,IAAA,KAAS,aAAc,CAAA,GAAG,IAAI,CAAC,CAAA,CAAA;AAE9C,EAAI,IAAA,OAAA,CAAQ,OAAO,SAAW,EAAA;AAC5B,IAAI,IAAA,UAAA,GAAa,IAAK,CAAA,SAAA,CAAU,WAAW,CAAA,CAAA;AAE3C,IAAQ,OAAA,CAAA,MAAA,CAAO,UAAU,MAAM;AAC7B,MAAA,MAAM,cAAiB,GAAA,eAAA,CAAgB,OAAQ,CAAA,MAAA,EAAQ,QAAQ,MAAM,CAAA,CAAA;AACrE,MAAM,MAAA,MAAA,GAAS,IAAK,CAAA,SAAA,CAAU,cAAc,CAAA,CAAA;AAE5C,MAAA,IAAI,eAAe,MAAQ,EAAA;AACzB,QAAa,UAAA,GAAA,MAAA,CAAA;AACb,QAAA,aAAA,GAAgBA,uBAAO,EAAA,CAAA;AACvB,QAAA,oBAAA;AAAA,UACE,YAAA;AAAA,UACA,aAAA;AAAA,UACA,UAAA;AAAA,UACA,cAAA;AAAA,UACA,OAAQ,CAAA,iBAAA;AAAA,SACV,CAAA;AAAA,OACF;AAAA,KACD,CAAA,CAAA;AAAA,GACH;AAEA,EAAQ,OAAA,CAAA,iBAAA,EAAmB,IAAI,MAAM,CAAA,CAAA;AACrC,EAAO,OAAA,MAAA,CAAA;AACT,CAAA;AAEA,SAAS,oBACP,CAAA,OAAA,EAKA,MACA,EAAA,UAAA,EACA,aACA,iBACA,EAAA;AACA,EAAO,MAAA,CAAA,OAAA,CAAa,WAAW,CAAE,CAAA,OAAA,CAAQ,CAAC,CAAC,KAAA,EAAO,gBAAgB,CAAM,KAAA;AACtE,IAAI,IAAA;AACF,MAAO,MAAA,CAAA,GAAA;AAAA,QACL,KAAA;AAAA,QACA,eAAA;AAAA,UACE,UAAA;AAAA,UACA,OAAQ,CAAA,MAAA;AAAA,UACR,KAAA;AAAA,UACA,gBAAA;AAAA,UACA,OAAQ,CAAA,2BAAA;AAAA,UACR,iBAAA;AAAA,SACF;AAAA,OACF,CAAA;AAAA,aACO,CAAG,EAAA;AACV,MAAA,IAAI,QAAQ,kBAAoB,EAAA;AAC9B,QAAA,OAAA,CAAQ,OAAO,IAAK,CAAA,CAAA,oBAAA,EAAuB,KAAK,CAAW,QAAA,EAAA,CAAA,CAAE,OAAO,CAAE,CAAA,CAAA,CAAA;AAAA,OACjE,MAAA;AACL,QAAM,MAAA,CAAA,CAAA;AAAA,OACR;AAAA,KACF;AAAA,GACD,CAAA,CAAA;AACH;;;;;"}

package/dist/index.cjs.js

@@ -1,6 +1,6 @@
 'use strict';
 
-var router = require('./cjs/router-D6Z1qlfG.cjs.js');
+var router = require('./cjs/router-BB9HHp8x.cjs.js');
 require('express-promise-router');
 require('http-proxy-middleware');
 

package/dist/index.d.ts

@@ -12,20 +12,26 @@ interface RouterOptions {
     reviveConsumedRequestBodies?: boolean;
 }
 /**
- * Creates a new {@link https://expressjs.com/en/api.html#router | "express router"} that proxy each target configured under the `proxy` key of the config
- * @example
- * ```ts
- * let router = await createRouter({logger, config, discovery});
- * ```
- * @config
+ * Creates a new
+ * {@link https://expressjs.com/en/api.html#router | "express router"} that
+ * proxies each target configured under the `proxy.endpoints` key of the config.
+ *
+ * @remarks
+ *
+ * Example configuration:
+ *
  * ```yaml
  * proxy:
- *  simple-example: http://simple.example.com:8080 # Opt 1 Simple URL String
- *  '/larger-example/v1': # Opt 2 `http-proxy-middleware` compatible object
- *    target: http://larger.example.com:8080/svc.v1
- *    headers:
- *      Authorization: Bearer ${EXAMPLE_AUTH_TOKEN}
- *```
+ *   endpoints:
+ *      # Option 1: Simple URL String
+ *     simple-example: http://simple.example.com:8080
+ *     # Option 2: `http-proxy-middleware` compatible object
+ *     '/larger-example/v1':
+ *       target: http://larger.example.com:8080/svc.v1
+ *       headers:
+ *         Authorization: Bearer ${EXAMPLE_AUTH_TOKEN}
+ * ```
+ *
  * @see https://backstage.io/docs/plugins/proxying
  * @public
  */

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@backstage/plugin-proxy-backend",
-  "version": "0.4.16-next.1",
+  "version": "0.5.0-next.0",
   "description": "A Backstage backend plugin that helps you set up proxy endpoints in the backend",
   "backstage": {
     "role": "backend-plugin"
@@ -48,9 +48,10 @@
     "test": "backstage-cli package test"
   },
   "dependencies": {
-    "@backstage/backend-common": "^0.22.0-next.1",
-    "@backstage/backend-plugin-api": "^0.6.18-next.1",
+    "@backstage/backend-common": "^0.22.1-next.0",
+    "@backstage/backend-plugin-api": "^0.6.19-next.0",
     "@backstage/config": "^1.2.0",
+    "@backstage/types": "^1.1.1",
     "@types/express": "^4.17.6",
     "express": "^4.17.1",
     "express-promise-router": "^4.1.0",
@@ -63,14 +64,18 @@
     "yup": "^1.0.0"
   },
   "devDependencies": {
-    "@backstage/backend-test-utils": "^0.3.8-next.1",
-    "@backstage/cli": "^0.26.5-next.0",
+    "@backstage/backend-defaults": "^0.2.19-next.0",
+    "@backstage/backend-test-utils": "^0.3.9-next.0",
+    "@backstage/cli": "^0.26.6-next.0",
     "@backstage/config-loader": "^1.8.0",
+    "@backstage/errors": "^1.2.4",
     "@types/http-proxy-middleware": "^1.0.0",
     "@types/supertest": "^2.0.8",
     "@types/uuid": "^9.0.0",
     "@types/yup": "^0.32.0",
     "msw": "^1.0.0",
+    "node-fetch": "^2.6.7",
+    "portfinder": "^1.0.32",
     "supertest": "^6.1.3"
   },
   "configSchema": "config.d.ts"

package/dist/cjs/router-D6Z1qlfG.cjs.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"router-D6Z1qlfG.cjs.js","sources":["../../src/service/router.ts"],"sourcesContent":["/*\n * Copyright 2020 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { Config } from '@backstage/config';\nimport express from 'express';\nimport Router from 'express-promise-router';\nimport {\n  createProxyMiddleware,\n  fixRequestBody,\n  Options,\n  RequestHandler,\n} from 'http-proxy-middleware';\nimport { Logger } from 'winston';\nimport http from 'http';\nimport { PluginEndpointDiscovery } from '@backstage/backend-common';\n\n// A list of headers that are always forwarded to the proxy targets.\nconst safeForwardHeaders = [\n  // https://fetch.spec.whatwg.org/#cors-safelisted-request-header\n  'cache-control',\n  'content-language',\n  'content-length',\n  'content-type',\n  'expires',\n  'last-modified',\n  'pragma',\n\n  // host is overridden by default. if changeOrigin is configured to false,\n  // we assume this is a intentional and should also be forwarded.\n  'host',\n\n  // other headers that we assume to be ok\n  'accept',\n  'accept-language',\n  'user-agent',\n];\n\n/** @public */\nexport interface RouterOptions {\n  logger: Logger;\n  config: Config;\n  discovery: PluginEndpointDiscovery;\n  skipInvalidProxies?: boolean;\n  reviveConsumedRequestBodies?: boolean;\n}\n\nexport interface ProxyConfig extends Options {\n  allowedMethods?: string[];\n  allowedHeaders?: string[];\n  reviveRequestBody?: boolean;\n}\n\n// Creates a proxy middleware, possibly with defaults added on top of the\n// given config.\nexport function buildMiddleware(\n  pathPrefix: string,\n  logger: Logger,\n  route: string,\n  config: string | ProxyConfig,\n  reviveConsumedRequestBodies?: boolean,\n): RequestHandler {\n  const fullConfig =\n    typeof config === 'string' ? { target: config } : { ...config };\n\n  // Validate that target is a valid URL.\n  const targetType = typeof fullConfig.target;\n  if (targetType !== 'string') {\n    throw new Error(\n      `Proxy target for route \"${route}\" must be a string, but is of type ${targetType}`,\n    );\n  }\n  try {\n    // eslint-disable-next-line no-new\n    new URL(fullConfig.target! as string);\n  } catch {\n    throw new Error(\n      `Proxy target is not a valid URL: ${fullConfig.target ?? ''}`,\n    );\n  }\n\n  // Default is to do a path rewrite that strips out the proxy's path prefix\n  // and the rest of the route.\n  if (fullConfig.pathRewrite === undefined) {\n    let routeWithSlash = route.endsWith('/') ? route : `${route}/`;\n\n    if (!pathPrefix.endsWith('/') && !routeWithSlash.startsWith('/')) {\n      // Need to insert a / between pathPrefix and routeWithSlash\n      routeWithSlash = `/${routeWithSlash}`;\n    } else if (pathPrefix.endsWith('/') && routeWithSlash.startsWith('/')) {\n      // Never expect this to happen at this point in time as\n      // pathPrefix is set using `getExternalBaseUrl` which \"Returns the\n      // external HTTP base backend URL for a given plugin,\n      // **without a trailing slash.**\". But in case this changes in future, we\n      // need to drop a / on either pathPrefix or routeWithSlash\n      routeWithSlash = routeWithSlash.substring(1);\n    }\n\n    // The ? makes the slash optional for the rewrite, so that a base path without an ending slash\n    // will also be matched (e.g. '/sample' and then requesting just '/api/proxy/sample' without an\n    // ending slash). Otherwise the target gets called with the full '/api/proxy/sample' path\n    // appended.\n    fullConfig.pathRewrite = {\n      [`^${pathPrefix}${routeWithSlash}?`]: '/',\n    };\n  }\n\n  // Default is to update the Host header to the target\n  if (fullConfig.changeOrigin === undefined) {\n    fullConfig.changeOrigin = true;\n  }\n\n  // Attach the logger to the proxy config\n  fullConfig.logProvider = () => logger;\n  // http-proxy-middleware uses this log level to check if it should log the\n  // requests that it proxies. Setting this to the most verbose log level\n  // ensures that it always logs these requests. Our logger ends up deciding\n  // if the logs are displayed or not.\n  fullConfig.logLevel = 'debug';\n\n  // Only return the allowed HTTP headers to not forward unwanted secret headers\n  const requestHeaderAllowList = new Set<string>(\n    [\n      // allow all safe headers\n      ...safeForwardHeaders,\n\n      // allow all headers that are set by the proxy\n      ...((fullConfig.headers && Object.keys(fullConfig.headers)) || []),\n\n      // allow all configured headers\n      ...(fullConfig.allowedHeaders || []),\n    ].map(h => h.toLocaleLowerCase()),\n  );\n\n  // Use the custom middleware filter to do two things:\n  //  1. Remove any headers not in the allow list to stop them being forwarded\n  //  2. Only permit the allowed HTTP methods if configured\n  //\n  // We are filtering the proxy request headers here rather than in\n  // `onProxyReq` because when global-agent is enabled then `onProxyReq`\n  // fires _after_ the agent has already sent the headers to the proxy\n  // target, causing a ERR_HTTP_HEADERS_SENT crash\n  const filter = (_pathname: string, req: http.IncomingMessage): boolean => {\n    const headerNames = Object.keys(req.headers);\n    headerNames.forEach(h => {\n      if (!requestHeaderAllowList.has(h.toLocaleLowerCase())) {\n        delete req.headers[h];\n      }\n    });\n\n    return fullConfig?.allowedMethods?.includes(req.method!) ?? true;\n  };\n  // Makes http-proxy-middleware logs look nicer and include the mount path\n  filter.toString = () => route;\n\n  // Only forward the allowed HTTP headers to not forward unwanted secret headers\n  const responseHeaderAllowList = new Set<string>(\n    [\n      // allow all safe headers\n      ...safeForwardHeaders,\n\n      // allow all configured headers\n      ...(fullConfig.allowedHeaders || []),\n    ].map(h => h.toLocaleLowerCase()),\n  );\n\n  // only forward the allowed headers in backend->client\n  fullConfig.onProxyRes = (proxyRes: http.IncomingMessage) => {\n    const headerNames = Object.keys(proxyRes.headers);\n\n    headerNames.forEach(h => {\n      if (!responseHeaderAllowList.has(h.toLocaleLowerCase())) {\n        delete proxyRes.headers[h];\n      }\n    });\n  };\n\n  if (reviveConsumedRequestBodies) {\n    fullConfig.onProxyReq = fixRequestBody;\n  }\n\n  return createProxyMiddleware(filter, fullConfig);\n}\n\nfunction readProxyConfig(config: Config, logger: Logger): unknown {\n  const endpoints = config.getOptionalConfig('proxy.endpoints')?.get();\n  if (endpoints) {\n    return endpoints;\n  }\n\n  const root = config.getOptionalConfig('proxy')?.get();\n  if (!root) {\n    return {};\n  }\n\n  const rootEndpoints = Object.fromEntries(\n    Object.entries(root).filter(([key]) => key.startsWith('/')),\n  );\n  if (Object.keys(rootEndpoints).length === 0) {\n    return {};\n  }\n\n  logger.warn(\n    \"Configuring proxy endpoints in the root 'proxy' configuration is deprecated. Move this configuration to 'proxy.endpoints' instead.\",\n  );\n\n  return rootEndpoints;\n}\n\n/**\n * Creates a new {@link https://expressjs.com/en/api.html#router | \"express router\"} that proxy each target configured under the `proxy` key of the config\n * @example\n * ```ts\n * let router = await createRouter({logger, config, discovery});\n * ```\n * @config\n * ```yaml\n * proxy:\n *  simple-example: http://simple.example.com:8080 # Opt 1 Simple URL String\n *  '/larger-example/v1': # Opt 2 `http-proxy-middleware` compatible object\n *    target: http://larger.example.com:8080/svc.v1\n *    headers:\n *      Authorization: Bearer ${EXAMPLE_AUTH_TOKEN}\n *```\n * @see https://backstage.io/docs/plugins/proxying\n * @public\n */\nexport async function createRouter(\n  options: RouterOptions,\n): Promise<express.Router> {\n  const router = Router();\n  let currentRouter = Router();\n\n  const skipInvalidProxies =\n    options.skipInvalidProxies ??\n    options.config.getOptionalBoolean('proxy.skipInvalidProxies') ??\n    false;\n  const reviveConsumedRequestBodies =\n    options.reviveConsumedRequestBodies ??\n    options.config.getOptionalBoolean('proxy.reviveConsumedRequestBodies') ??\n    false;\n  const proxyOptions = {\n    skipInvalidProxies,\n    reviveConsumedRequestBodies,\n    logger: options.logger,\n  };\n\n  const externalUrl = await options.discovery.getExternalBaseUrl('proxy');\n  const { pathname: pathPrefix } = new URL(externalUrl);\n\n  const proxyConfig = readProxyConfig(options.config, options.logger);\n  configureMiddlewares(proxyOptions, currentRouter, pathPrefix, proxyConfig);\n  router.use((...args) => currentRouter(...args));\n\n  if (options.config.subscribe) {\n    let currentKey = JSON.stringify(proxyConfig);\n\n    options.config.subscribe(() => {\n      const newProxyConfig = readProxyConfig(options.config, options.logger);\n      const newKey = JSON.stringify(newProxyConfig);\n\n      if (currentKey !== newKey) {\n        currentKey = newKey;\n        currentRouter = Router();\n        configureMiddlewares(\n          proxyOptions,\n          currentRouter,\n          pathPrefix,\n          newProxyConfig,\n        );\n      }\n    });\n  }\n\n  return router;\n}\n\nfunction configureMiddlewares(\n  options: {\n    reviveConsumedRequestBodies: boolean;\n    skipInvalidProxies: boolean;\n    logger: Logger;\n  },\n  router: express.Router,\n  pathPrefix: string,\n  proxyConfig: any,\n) {\n  Object.entries<any>(proxyConfig).forEach(([route, proxyRouteConfig]) => {\n    try {\n      router.use(\n        route,\n        buildMiddleware(\n          pathPrefix,\n          options.logger,\n          route,\n          proxyRouteConfig,\n          options.reviveConsumedRequestBodies,\n        ),\n      );\n    } catch (e) {\n      if (options.skipInvalidProxies) {\n        options.logger.warn(`skipped configuring ${route} due to ${e.message}`);\n      } else {\n        throw e;\n      }\n    }\n  });\n}\n"],"names":["_a","fixRequestBody","createProxyMiddleware","Router"],"mappings":";;;;;;;;;AA8BA,MAAM,kBAAqB,GAAA;AAAA;AAAA,EAEzB,eAAA;AAAA,EACA,kBAAA;AAAA,EACA,gBAAA;AAAA,EACA,cAAA;AAAA,EACA,SAAA;AAAA,EACA,eAAA;AAAA,EACA,QAAA;AAAA;AAAA;AAAA,EAIA,MAAA;AAAA;AAAA,EAGA,QAAA;AAAA,EACA,iBAAA;AAAA,EACA,YAAA;AACF,CAAA,CAAA;AAmBO,SAAS,eACd,CAAA,UAAA,EACA,MACA,EAAA,KAAA,EACA,QACA,2BACgB,EAAA;AAzElB,EAAA,IAAA,EAAA,CAAA;AA0EE,EAAM,MAAA,UAAA,GACJ,OAAO,MAAA,KAAW,QAAW,GAAA,EAAE,QAAQ,MAAO,EAAA,GAAI,EAAE,GAAG,MAAO,EAAA,CAAA;AAGhE,EAAM,MAAA,UAAA,GAAa,OAAO,UAAW,CAAA,MAAA,CAAA;AACrC,EAAA,IAAI,eAAe,QAAU,EAAA;AAC3B,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,CAAA,wBAAA,EAA2B,KAAK,CAAA,mCAAA,EAAsC,UAAU,CAAA,CAAA;AAAA,KAClF,CAAA;AAAA,GACF;AACA,EAAI,IAAA;AAEF,IAAI,IAAA,GAAA,CAAI,WAAW,MAAiB,CAAA,CAAA;AAAA,GAC9B,CAAA,MAAA;AACN,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,CAAoC,iCAAA,EAAA,CAAA,EAAA,GAAA,UAAA,CAAW,MAAX,KAAA,IAAA,GAAA,EAAA,GAAqB,EAAE,CAAA,CAAA;AAAA,KAC7D,CAAA;AAAA,GACF;AAIA,EAAI,IAAA,UAAA,CAAW,gBAAgB,KAAW,CAAA,EAAA;AACxC,IAAA,IAAI,iBAAiB,KAAM,CAAA,QAAA,CAAS,GAAG,CAAI,GAAA,KAAA,GAAQ,GAAG,KAAK,CAAA,CAAA,CAAA,CAAA;AAE3D,IAAI,IAAA,CAAC,WAAW,QAAS,CAAA,GAAG,KAAK,CAAC,cAAA,CAAe,UAAW,CAAA,GAAG,CAAG,EAAA;AAEhE,MAAA,cAAA,GAAiB,IAAI,cAAc,CAAA,CAAA,CAAA;AAAA,KACrC,MAAA,IAAW,WAAW,QAAS,CAAA,GAAG,KAAK,cAAe,CAAA,UAAA,CAAW,GAAG,CAAG,EAAA;AAMrE,MAAiB,cAAA,GAAA,cAAA,CAAe,UAAU,CAAC,CAAA,CAAA;AAAA,KAC7C;AAMA,IAAA,UAAA,CAAW,WAAc,GAAA;AAAA,MACvB,CAAC,CAAI,CAAA,EAAA,UAAU,CAAG,EAAA,cAAc,GAAG,GAAG,GAAA;AAAA,KACxC,CAAA;AAAA,GACF;AAGA,EAAI,IAAA,UAAA,CAAW,iBAAiB,KAAW,CAAA,EAAA;AACzC,IAAA,UAAA,CAAW,YAAe,GAAA,IAAA,CAAA;AAAA,GAC5B;AAGA,EAAA,UAAA,CAAW,cAAc,MAAM,MAAA,CAAA;AAK/B,EAAA,UAAA,CAAW,QAAW,GAAA,OAAA,CAAA;AAGtB,EAAA,MAAM,yBAAyB,IAAI,GAAA;AAAA,IACjC;AAAA;AAAA,MAEE,GAAG,kBAAA;AAAA;AAAA,MAGH,GAAK,WAAW,OAAW,IAAA,MAAA,CAAO,KAAK,UAAW,CAAA,OAAO,KAAM,EAAC;AAAA;AAAA,MAGhE,GAAI,UAAW,CAAA,cAAA,IAAkB,EAAC;AAAA,KAClC,CAAA,GAAA,CAAI,CAAK,CAAA,KAAA,CAAA,CAAE,mBAAmB,CAAA;AAAA,GAClC,CAAA;AAUA,EAAM,MAAA,MAAA,GAAS,CAAC,SAAA,EAAmB,GAAuC,KAAA;AA1J5E,IAAA,IAAAA,GAAA,EAAA,EAAA,CAAA;AA2JI,IAAA,MAAM,WAAc,GAAA,MAAA,CAAO,IAAK,CAAA,GAAA,CAAI,OAAO,CAAA,CAAA;AAC3C,IAAA,WAAA,CAAY,QAAQ,CAAK,CAAA,KAAA;AACvB,MAAA,IAAI,CAAC,sBAAuB,CAAA,GAAA,CAAI,CAAE,CAAA,iBAAA,EAAmB,CAAG,EAAA;AACtD,QAAO,OAAA,GAAA,CAAI,QAAQ,CAAC,CAAA,CAAA;AAAA,OACtB;AAAA,KACD,CAAA,CAAA;AAED,IAAO,OAAA,CAAA,EAAA,GAAA,CAAAA,MAAA,UAAY,IAAA,IAAA,GAAA,KAAA,CAAA,GAAA,UAAA,CAAA,cAAA,KAAZ,gBAAAA,GAA4B,CAAA,QAAA,CAAS,GAAI,CAAA,MAAA,CAAA,KAAzC,IAAqD,GAAA,EAAA,GAAA,IAAA,CAAA;AAAA,GAC9D,CAAA;AAEA,EAAA,MAAA,CAAO,WAAW,MAAM,KAAA,CAAA;AAGxB,EAAA,MAAM,0BAA0B,IAAI,GAAA;AAAA,IAClC;AAAA;AAAA,MAEE,GAAG,kBAAA;AAAA;AAAA,MAGH,GAAI,UAAW,CAAA,cAAA,IAAkB,EAAC;AAAA,KAClC,CAAA,GAAA,CAAI,CAAK,CAAA,KAAA,CAAA,CAAE,mBAAmB,CAAA;AAAA,GAClC,CAAA;AAGA,EAAW,UAAA,CAAA,UAAA,GAAa,CAAC,QAAmC,KAAA;AAC1D,IAAA,MAAM,WAAc,GAAA,MAAA,CAAO,IAAK,CAAA,QAAA,CAAS,OAAO,CAAA,CAAA;AAEhD,IAAA,WAAA,CAAY,QAAQ,CAAK,CAAA,KAAA;AACvB,MAAA,IAAI,CAAC,uBAAwB,CAAA,GAAA,CAAI,CAAE,CAAA,iBAAA,EAAmB,CAAG,EAAA;AACvD,QAAO,OAAA,QAAA,CAAS,QAAQ,CAAC,CAAA,CAAA;AAAA,OAC3B;AAAA,KACD,CAAA,CAAA;AAAA,GACH,CAAA;AAEA,EAAA,IAAI,2BAA6B,EAAA;AAC/B,IAAA,UAAA,CAAW,UAAa,GAAAC,kCAAA,CAAA;AAAA,GAC1B;AAEA,EAAO,OAAAC,yCAAA,CAAsB,QAAQ,UAAU,CAAA,CAAA;AACjD,CAAA;AAEA,SAAS,eAAA,CAAgB,QAAgB,MAAyB,EAAA;AApMlE,EAAA,IAAA,EAAA,EAAA,EAAA,CAAA;AAqME,EAAA,MAAM,SAAY,GAAA,CAAA,EAAA,GAAA,MAAA,CAAO,iBAAkB,CAAA,iBAAiB,MAA1C,IAA6C,GAAA,KAAA,CAAA,GAAA,EAAA,CAAA,GAAA,EAAA,CAAA;AAC/D,EAAA,IAAI,SAAW,EAAA;AACb,IAAO,OAAA,SAAA,CAAA;AAAA,GACT;AAEA,EAAA,MAAM,IAAO,GAAA,CAAA,EAAA,GAAA,MAAA,CAAO,iBAAkB,CAAA,OAAO,MAAhC,IAAmC,GAAA,KAAA,CAAA,GAAA,EAAA,CAAA,GAAA,EAAA,CAAA;AAChD,EAAA,IAAI,CAAC,IAAM,EAAA;AACT,IAAA,OAAO,EAAC,CAAA;AAAA,GACV;AAEA,EAAA,MAAM,gBAAgB,MAAO,CAAA,WAAA;AAAA,IAC3B,MAAO,CAAA,OAAA,CAAQ,IAAI,CAAA,CAAE,MAAO,CAAA,CAAC,CAAC,GAAG,CAAM,KAAA,GAAA,CAAI,UAAW,CAAA,GAAG,CAAC,CAAA;AAAA,GAC5D,CAAA;AACA,EAAA,IAAI,MAAO,CAAA,IAAA,CAAK,aAAa,CAAA,CAAE,WAAW,CAAG,EAAA;AAC3C,IAAA,OAAO,EAAC,CAAA;AAAA,GACV;AAEA,EAAO,MAAA,CAAA,IAAA;AAAA,IACL,oIAAA;AAAA,GACF,CAAA;AAEA,EAAO,OAAA,aAAA,CAAA;AACT,CAAA;AAoBA,eAAsB,aACpB,OACyB,EAAA;AAjP3B,EAAA,IAAA,EAAA,EAAA,EAAA,EAAA,EAAA,EAAA,EAAA,CAAA;AAkPE,EAAA,MAAM,SAASC,uBAAO,EAAA,CAAA;AACtB,EAAA,IAAI,gBAAgBA,uBAAO,EAAA,CAAA;AAE3B,EAAM,MAAA,kBAAA,GAAA,CACJ,mBAAQ,kBAAR,KAAA,IAAA,GAAA,EAAA,GACA,QAAQ,MAAO,CAAA,kBAAA,CAAmB,0BAA0B,CAAA,KAD5D,IAEA,GAAA,EAAA,GAAA,KAAA,CAAA;AACF,EAAM,MAAA,2BAAA,GAAA,CACJ,mBAAQ,2BAAR,KAAA,IAAA,GAAA,EAAA,GACA,QAAQ,MAAO,CAAA,kBAAA,CAAmB,mCAAmC,CAAA,KADrE,IAEA,GAAA,EAAA,GAAA,KAAA,CAAA;AACF,EAAA,MAAM,YAAe,GAAA;AAAA,IACnB,kBAAA;AAAA,IACA,2BAAA;AAAA,IACA,QAAQ,OAAQ,CAAA,MAAA;AAAA,GAClB,CAAA;AAEA,EAAA,MAAM,WAAc,GAAA,MAAM,OAAQ,CAAA,SAAA,CAAU,mBAAmB,OAAO,CAAA,CAAA;AACtE,EAAA,MAAM,EAAE,QAAU,EAAA,UAAA,EAAe,GAAA,IAAI,IAAI,WAAW,CAAA,CAAA;AAEpD,EAAA,MAAM,WAAc,GAAA,eAAA,CAAgB,OAAQ,CAAA,MAAA,EAAQ,QAAQ,MAAM,CAAA,CAAA;AAClE,EAAqB,oBAAA,CAAA,YAAA,EAAc,aAAe,EAAA,UAAA,EAAY,WAAW,CAAA,CAAA;AACzE,EAAA,MAAA,CAAO,IAAI,CAAI,GAAA,IAAA,KAAS,aAAc,CAAA,GAAG,IAAI,CAAC,CAAA,CAAA;AAE9C,EAAI,IAAA,OAAA,CAAQ,OAAO,SAAW,EAAA;AAC5B,IAAI,IAAA,UAAA,GAAa,IAAK,CAAA,SAAA,CAAU,WAAW,CAAA,CAAA;AAE3C,IAAQ,OAAA,CAAA,MAAA,CAAO,UAAU,MAAM;AAC7B,MAAA,MAAM,cAAiB,GAAA,eAAA,CAAgB,OAAQ,CAAA,MAAA,EAAQ,QAAQ,MAAM,CAAA,CAAA;AACrE,MAAM,MAAA,MAAA,GAAS,IAAK,CAAA,SAAA,CAAU,cAAc,CAAA,CAAA;AAE5C,MAAA,IAAI,eAAe,MAAQ,EAAA;AACzB,QAAa,UAAA,GAAA,MAAA,CAAA;AACb,QAAA,aAAA,GAAgBA,uBAAO,EAAA,CAAA;AACvB,QAAA,oBAAA;AAAA,UACE,YAAA;AAAA,UACA,aAAA;AAAA,UACA,UAAA;AAAA,UACA,cAAA;AAAA,SACF,CAAA;AAAA,OACF;AAAA,KACD,CAAA,CAAA;AAAA,GACH;AAEA,EAAO,OAAA,MAAA,CAAA;AACT,CAAA;AAEA,SAAS,oBACP,CAAA,OAAA,EAKA,MACA,EAAA,UAAA,EACA,WACA,EAAA;AACA,EAAO,MAAA,CAAA,OAAA,CAAa,WAAW,CAAE,CAAA,OAAA,CAAQ,CAAC,CAAC,KAAA,EAAO,gBAAgB,CAAM,KAAA;AACtE,IAAI,IAAA;AACF,MAAO,MAAA,CAAA,GAAA;AAAA,QACL,KAAA;AAAA,QACA,eAAA;AAAA,UACE,UAAA;AAAA,UACA,OAAQ,CAAA,MAAA;AAAA,UACR,KAAA;AAAA,UACA,gBAAA;AAAA,UACA,OAAQ,CAAA,2BAAA;AAAA,SACV;AAAA,OACF,CAAA;AAAA,aACO,CAAG,EAAA;AACV,MAAA,IAAI,QAAQ,kBAAoB,EAAA;AAC9B,QAAA,OAAA,CAAQ,OAAO,IAAK,CAAA,CAAA,oBAAA,EAAuB,KAAK,CAAW,QAAA,EAAA,CAAA,CAAE,OAAO,CAAE,CAAA,CAAA,CAAA;AAAA,OACjE,MAAA;AACL,QAAM,MAAA,CAAA,CAAA;AAAA,OACR;AAAA,KACF;AAAA,GACD,CAAA,CAAA;AACH;;;;"}