
@backstage/backend-defaults


Backend defaults used by Backstage backend apps

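'use strict';

var jose = require('jose');
var helpers = require('./helpers.cjs.js');

/**
 * Verifies legacy externalAccess tokens: HS256-signed JWTs whose `sub` claim
 * is "backstage-server" and which carry no `aud` claim. Each configured
 * shared secret maps to a subject and an optional set of access restrictions.
 */
class LegacyTokenHandler {
  // Registered secrets, each as { key: Uint8Array, result: { subject, allAccessRestrictions } }.
  #entries = [];

  /**
   * Registers a secret from an externalAccess config entry.
   *
   * @param config - Config node providing "options.secret" and
   *   "options.subject"; access restrictions are read from it by
   *   helpers.readAccessRestrictionsFromConfig.
   * @throws {Error} If the secret or subject is malformed, or the secret was
   *   already registered.
   */
  add(config) {
    const allAccessRestrictions = helpers.readAccessRestrictionsFromConfig(config);
    this.#doAdd(
      config.getString("options.secret"),
      config.getString("options.subject"),
      allAccessRestrictions
    );
  }

  /**
   * Registers a secret from the old backend.auth.keys array. These entries get
   * the fixed subject "external:backstage-plugin" and no access restrictions.
   *
   * @param config - Config node providing "secret".
   * @throws {Error} If the secret is malformed or was already registered.
   */
  addOld(config) {
    this.#doAdd(config.getString("secret"), "external:backstage-plugin");
  }

  /** Byte-wise equality of two decoded keys. */
  static #sameKey(a, b) {
    return a.length === b.length && a.every((byte, i) => byte === b[i]);
  }

  /**
   * Validates and stores one secret/subject pair.
   *
   * NOTE(review): only the character set is validated; no minimum decoded key
   * length is enforced here, so a very short secret is accepted.
   */
  #doAdd(secret, subject, allAccessRestrictions) {
    if (!secret.match(/^\S+$/)) {
      throw new Error("Illegal secret, must be a valid base64 string");
    } else if (!subject.match(/^\S+$/)) {
      throw new Error("Illegal subject, must be a set of non-space characters");
    }

    let key;
    try {
      key = jose.base64url.decode(secret);
    } catch {
      throw new Error("Illegal secret, must be a valid base64 string");
    }

    // The decoded key is a fresh byte array on every call, so an identity
    // comparison (===) could never detect a repeated secret. Compare contents.
    if (this.#entries.some((e) => LegacyTokenHandler.#sameKey(e.key, key))) {
      throw new Error(
        "Legacy externalAccess token was declared more than once"
      );
    }

    this.#entries.push({ key, result: { subject, allAccessRestrictions } });
  }

  /**
   * Checks a token against every registered secret.
   *
   * @param {string} token - Compact JWT to verify.
   * @returns {Promise<object|undefined>} The { subject, allAccessRestrictions }
   *   of the first secret that verifies the token, or undefined when the token
   *   is not a legacy token or no secret matches.
   * @throws Any jose verification error other than a signature mismatch (for
   *   example an expired token) propagates to the caller.
   */
  async verifyToken(token) {
    // Unverified pre-filter: these reads only decide whether the token looks
    // like a legacy token at all. Nothing decoded here is trusted; the trust
    // decision is the signature check below.
    try {
      const { alg } = jose.decodeProtectedHeader(token);
      if (alg !== "HS256") {
        return void 0;
      }
      const { sub, aud } = jose.decodeJwt(token);
      if (sub !== "backstage-server" || aud) {
        return void 0;
      }
    } catch (e) {
      return void 0;
    }

    for (const { key, result } of this.#entries) {
      try {
        // Pin the algorithm at verification time as well, so acceptance does
        // not depend solely on the separate header read above.
        await jose.jwtVerify(token, key, { algorithms: ["HS256"] });
        return result;
      } catch (e) {
        // A signature mismatch just means this is not the right key; try the
        // next one. Anything else is a real failure and must surface.
        if (e.code !== "ERR_JWS_SIGNATURE_VERIFICATION_FAILED") {
          throw e;
        }
      }
    }

    return void 0;
  }
}

exports.LegacyTokenHandler = LegacyTokenHandler;
//# sourceMappingURL=legacy.cjs.js.map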