
@backstage/backend-defaults


Backend defaults used by Backstage backend apps

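'use strict';

const errors = require('@backstage/errors');
const legacy = require('./legacy.cjs.js');
const _static = require('./static.cjs.js');
const jwks = require('./jwks.cjs.js');

// Config array describing external access methods; every entry carries a `type`.
const NEW_CONFIG_KEY = "backend.auth.externalAccess";
// Deprecated config array; still read and passed to the legacy handler.
const OLD_CONFIG_KEY = "backend.auth.keys";
// Module-level latch so the deprecation warning is logged at most once per process.
let loggedDeprecationWarning = false;

/**
 * Verifies externally issued tokens by delegating to a fixed set of handlers
 * (static, legacy and JWKS) and then applying per-plugin access restrictions.
 */
class ExternalTokenHandler {
  /**
   * @param {string} ownPluginId - Id of the plugin this handler protects; used
   *   to select the matching entry from a token's access restrictions.
   * @param {Array<object>} handlers - Handlers exposing `verifyToken(token)`,
   *   tried in array order.
   */
  constructor(ownPluginId, handlers) {
    this.ownPluginId = ownPluginId;
    this.handlers = handlers;
  }

  /**
   * Builds an ExternalTokenHandler from configuration.
   *
   * @param {object} options
   * @param {string} options.ownPluginId - Id of the owning plugin.
   * @param {object} options.config - Config reader providing
   *   `getOptionalConfigArray`.
   * @param {object} options.logger - Logger providing `warn`.
   * @returns {ExternalTokenHandler}
   * @throws {Error} When an entry under `backend.auth.externalAccess` names a
   *   type that is not one of the registered handlers.
   */
  static create(options) {
    const { ownPluginId, config, logger } = options;
    const staticHandler = new _static.StaticTokenHandler();
    const legacyHandler = new legacy.LegacyTokenHandler();
    const jwksHandler = new jwks.JWKSHandler();
    const handlers = {
      static: staticHandler,
      legacy: legacyHandler,
      jwks: jwksHandler
    };

    const handlerConfigs = config.getOptionalConfigArray(NEW_CONFIG_KEY) ?? [];
    for (const handlerConfig of handlerConfigs) {
      const type = handlerConfig.getString("type");
      // Own-property lookup only: a plain `handlers[type]` also resolves names
      // inherited from Object.prototype (e.g. "constructor", "toString"), which
      // would slip past the unknown-type check and fail later with an unrelated
      // TypeError instead of the configuration error below.
      const handler = Object.prototype.hasOwnProperty.call(handlers, type)
        ? handlers[type]
        : undefined;
      if (!handler) {
        const valid = Object.keys(handlers).map((k) => `'${k}'`).join(", ");
        throw new Error(
          `Unknown type '${type}' in ${NEW_CONFIG_KEY}, expected one of ${valid}`
        );
      }
      handler.add(handlerConfig);
    }

    const legacyConfigs = config.getOptionalConfigArray(OLD_CONFIG_KEY) ?? [];
    if (legacyConfigs.length > 0 && !loggedDeprecationWarning) {
      loggedDeprecationWarning = true;
      logger.warn(
        `DEPRECATION WARNING: The ${OLD_CONFIG_KEY} config has been replaced by ${NEW_CONFIG_KEY}, see https://backstage.io/docs/auth/service-to-service-auth`
      );
    }
    // Entries under the deprecated key remain active credentials for the
    // legacy handler; the warning above does not disable them.
    for (const handlerConfig of legacyConfigs) {
      legacyHandler.addOld(handlerConfig);
    }

    return new ExternalTokenHandler(ownPluginId, Object.values(handlers));
  }

  /**
   * Asks each handler in turn to verify the token and returns the first
   * truthy result, narrowed to this plugin's access restrictions.
   *
   * No try/catch surrounds the handler calls, so an exception thrown by one
   * handler propagates to the caller and later handlers are not consulted.
   *
   * @param {string} token - The token to verify.
   * @returns {Promise<object|undefined>} The handler's result without
   *   `allAccessRestrictions` (plus `accessRestrictions` for this plugin when
   *   restrictions are present), or `undefined` when no handler returned a
   *   result. NOTE(review): callers presumably treat `undefined` as
   *   "not authenticated" - confirm at the call site.
   * @throws {NotAllowedError} When the token carries access restrictions and
   *   none of them is keyed by this plugin's id.
   */
  async verifyToken(token) {
    for (const handler of this.handlers) {
      const result = await handler.verifyToken(token);
      if (!result) {
        continue;
      }
      const { allAccessRestrictions, ...rest } = result;
      if (!allAccessRestrictions) {
        // Token carries no restriction map: the result is returned as-is.
        return rest;
      }
      const accessRestrictions = allAccessRestrictions.get(this.ownPluginId);
      if (!accessRestrictions) {
        // The message lists every plugin id the token is scoped to; it is
        // only reached after a handler has accepted the token.
        const valid = [...allAccessRestrictions.keys()].map((k) => `'${k}'`).join(", ");
        throw new errors.NotAllowedError(
          `This token's access is restricted to plugin(s) ${valid}`
        );
      }
      return { ...rest, accessRestrictions };
    }
    return void 0;
  }
}

exports.ExternalTokenHandler = ExternalTokenHandler;
//# sourceMappingURL=ExternalTokenHandler.cjs.js.map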