auth-node: add allowedDomains options for emailLocalPartMatchingUserEntityName + fixes
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
This commit is contained in:
Patrik Oldsberg
@@ -0,0 +1,18 @@
|
||||
---
|
||||
'@backstage/plugin-auth-backend-module-cloudflare-access-provider': patch
|
||||
'@backstage/plugin-auth-backend-module-vmware-cloud-provider': patch
|
||||
'@backstage/plugin-auth-backend-module-atlassian-provider': patch
|
||||
'@backstage/plugin-auth-backend-module-bitbucket-provider': patch
|
||||
'@backstage/plugin-auth-backend-module-microsoft-provider': patch
|
||||
'@backstage/plugin-auth-backend-module-onelogin-provider': patch
|
||||
'@backstage/plugin-auth-backend-module-aws-alb-provider': patch
|
||||
'@backstage/plugin-auth-backend-module-gcp-iap-provider': patch
|
||||
'@backstage/plugin-auth-backend-module-github-provider': patch
|
||||
'@backstage/plugin-auth-backend-module-gitlab-provider': patch
|
||||
'@backstage/plugin-auth-backend-module-google-provider': patch
|
||||
'@backstage/plugin-auth-backend-module-oauth2-provider': patch
|
||||
'@backstage/plugin-auth-backend-module-oidc-provider': patch
|
||||
'@backstage/plugin-auth-backend-module-okta-provider': patch
|
||||
---
|
||||
|
||||
Updated configuration schema to include the new `allowedDomains` option for the `emailLocalPartMatchingUserEntityName` sign-in resolver.
|
||||
@@ -0,0 +1,5 @@
|
||||
---
|
||||
'@backstage/plugin-auth-node': patch
|
||||
---
|
||||
|
||||
Added a new `allowedDomains` option for the common `emailLocalPartMatchingUserEntityName` sign-in resolver.
|
||||
@@ -31,7 +31,10 @@ export interface Config {
|
||||
signIn?: {
|
||||
resolvers: Array<
|
||||
| { resolver: 'usernameMatchingUserEntityName' }
|
||||
| { resolver: 'emailLocalPartMatchingUserEntityName' }
|
||||
| {
|
||||
resolver: 'emailLocalPartMatchingUserEntityName';
|
||||
allowedDomains?: string[];
|
||||
}
|
||||
| { resolver: 'emailMatchingUserEntityProfileEmail' }
|
||||
>;
|
||||
};
|
||||
|
||||
@@ -41,7 +41,10 @@ export interface Config {
|
||||
region: string;
|
||||
signIn?: {
|
||||
resolvers: Array<
|
||||
| { resolver: 'emailLocalPartMatchingUserEntityName' }
|
||||
| {
|
||||
resolver: 'emailLocalPartMatchingUserEntityName';
|
||||
allowedDomains?: string[];
|
||||
}
|
||||
| { resolver: 'emailMatchingUserEntityProfileEmail' }
|
||||
>;
|
||||
};
|
||||
|
||||
@@ -29,7 +29,10 @@ export interface Config {
|
||||
signIn?: {
|
||||
resolvers: Array<
|
||||
| { resolver: 'userIdMatchingUserEntityAnnotation' }
|
||||
| { resolver: 'emailLocalPartMatchingUserEntityName' }
|
||||
| {
|
||||
resolver: 'emailLocalPartMatchingUserEntityName';
|
||||
allowedDomains?: string[];
|
||||
}
|
||||
| { resolver: 'emailMatchingUserEntityProfileEmail' }
|
||||
>;
|
||||
};
|
||||
|
||||
@@ -31,7 +31,10 @@ export interface Config {
|
||||
authorizationCookieName?: string;
|
||||
signIn?: {
|
||||
resolvers: Array<
|
||||
| { resolver: 'emailLocalPartMatchingUserEntityName' }
|
||||
| {
|
||||
resolver: 'emailLocalPartMatchingUserEntityName';
|
||||
allowedDomains?: string[];
|
||||
}
|
||||
| { resolver: 'emailMatchingUserEntityProfileEmail' }
|
||||
>;
|
||||
};
|
||||
|
||||
@@ -36,7 +36,10 @@ export interface Config {
|
||||
resolvers: Array<
|
||||
| { resolver: 'emailMatchingUserEntityAnnotation' }
|
||||
| { resolver: 'idMatchingUserEntityAnnotation' }
|
||||
| { resolver: 'emailLocalPartMatchingUserEntityName' }
|
||||
| {
|
||||
resolver: 'emailLocalPartMatchingUserEntityName';
|
||||
allowedDomains?: string[];
|
||||
}
|
||||
| { resolver: 'emailMatchingUserEntityProfileEmail' }
|
||||
>;
|
||||
};
|
||||
|
||||
+4
-1
@@ -31,7 +31,10 @@ export interface Config {
|
||||
signIn?: {
|
||||
resolvers: Array<
|
||||
| { resolver: 'usernameMatchingUserEntityName' }
|
||||
| { resolver: 'emailLocalPartMatchingUserEntityName' }
|
||||
| {
|
||||
resolver: 'emailLocalPartMatchingUserEntityName';
|
||||
allowedDomains?: string[];
|
||||
}
|
||||
| { resolver: 'emailMatchingUserEntityProfileEmail' }
|
||||
>;
|
||||
};
|
||||
|
||||
+4
-1
@@ -31,7 +31,10 @@ export interface Config {
|
||||
signIn?: {
|
||||
resolvers: Array<
|
||||
| { resolver: 'usernameMatchingUserEntityName' }
|
||||
| { resolver: 'emailLocalPartMatchingUserEntityName' }
|
||||
| {
|
||||
resolver: 'emailLocalPartMatchingUserEntityName';
|
||||
allowedDomains?: string[];
|
||||
}
|
||||
| { resolver: 'emailMatchingUserEntityProfileEmail' }
|
||||
>;
|
||||
};
|
||||
|
||||
+4
-1
@@ -30,7 +30,10 @@ export interface Config {
|
||||
signIn?: {
|
||||
resolvers: Array<
|
||||
| { resolver: 'emailMatchingUserEntityAnnotation' }
|
||||
| { resolver: 'emailLocalPartMatchingUserEntityName' }
|
||||
| {
|
||||
resolver: 'emailLocalPartMatchingUserEntityName';
|
||||
allowedDomains?: string[];
|
||||
}
|
||||
| { resolver: 'emailMatchingUserEntityProfileEmail' }
|
||||
>;
|
||||
};
|
||||
|
||||
@@ -32,7 +32,10 @@ export interface Config {
|
||||
signIn?: {
|
||||
resolvers: Array<
|
||||
| { resolver: 'emailMatchingUserEntityAnnotation' }
|
||||
| { resolver: 'emailLocalPartMatchingUserEntityName' }
|
||||
| {
|
||||
resolver: 'emailLocalPartMatchingUserEntityName';
|
||||
allowedDomains?: string[];
|
||||
}
|
||||
| { resolver: 'emailMatchingUserEntityProfileEmail' }
|
||||
>;
|
||||
};
|
||||
|
||||
+4
-1
@@ -35,7 +35,10 @@ export interface Config {
|
||||
signIn?: {
|
||||
resolvers: Array<
|
||||
| { resolver: 'usernameMatchingUserEntityName' }
|
||||
| { resolver: 'emailLocalPartMatchingUserEntityName' }
|
||||
| {
|
||||
resolver: 'emailLocalPartMatchingUserEntityName';
|
||||
allowedDomains?: string[];
|
||||
}
|
||||
| { resolver: 'emailMatchingUserEntityProfileEmail' }
|
||||
>;
|
||||
};
|
||||
|
||||
+4
-1
@@ -33,7 +33,10 @@ export interface Config {
|
||||
prompt?: string;
|
||||
signIn?: {
|
||||
resolvers: Array<
|
||||
| { resolver: 'emailLocalPartMatchingUserEntityName' }
|
||||
| {
|
||||
resolver: 'emailLocalPartMatchingUserEntityName';
|
||||
allowedDomains?: string[];
|
||||
}
|
||||
| { resolver: 'emailMatchingUserEntityProfileEmail' }
|
||||
>;
|
||||
};
|
||||
|
||||
+4
-1
@@ -33,7 +33,10 @@ export interface Config {
|
||||
signIn?: {
|
||||
resolvers: Array<
|
||||
| { resolver: 'emailMatchingUserEntityAnnotation' }
|
||||
| { resolver: 'emailLocalPartMatchingUserEntityName' }
|
||||
| {
|
||||
resolver: 'emailLocalPartMatchingUserEntityName';
|
||||
allowedDomains?: string[];
|
||||
}
|
||||
| { resolver: 'emailMatchingUserEntityProfileEmail' }
|
||||
>;
|
||||
};
|
||||
|
||||
@@ -30,7 +30,10 @@ export interface Config {
|
||||
signIn?: {
|
||||
resolvers: Array<
|
||||
| { resolver: 'usernameMatchingUserEntityName' }
|
||||
| { resolver: 'emailLocalPartMatchingUserEntityName' }
|
||||
| {
|
||||
resolver: 'emailLocalPartMatchingUserEntityName';
|
||||
allowedDomains?: string[];
|
||||
}
|
||||
| { resolver: 'emailMatchingUserEntityProfileEmail' }
|
||||
>;
|
||||
};
|
||||
|
||||
@@ -27,7 +27,10 @@ export interface Config {
|
||||
additionalScopes?: string | string[];
|
||||
signIn?: {
|
||||
resolvers: Array<
|
||||
| { resolver: 'emailLocalPartMatchingUserEntityName' }
|
||||
| {
|
||||
resolver: 'emailLocalPartMatchingUserEntityName';
|
||||
allowedDomains?: string[];
|
||||
}
|
||||
| { resolver: 'emailMatchingUserEntityProfileEmail' }
|
||||
>;
|
||||
};
|
||||
|
||||
@@ -53,7 +53,8 @@
|
||||
"passport": "^0.7.0",
|
||||
"winston": "^3.2.1",
|
||||
"zod": "^3.22.4",
|
||||
"zod-to-json-schema": "^3.21.4"
|
||||
"zod-to-json-schema": "^3.21.4",
|
||||
"zod-validation-error": "^3.4.0"
|
||||
},
|
||||
"devDependencies": {
|
||||
"@backstage/backend-test-utils": "workspace:^",
|
||||
|
||||
@@ -34,10 +34,7 @@ export function createOAuthProviderFactory<TProfile>(options: {
|
||||
profileTransform?: ProfileTransform<OAuthAuthenticatorResult<TProfile>>;
|
||||
signInResolver?: SignInResolver<OAuthAuthenticatorResult<TProfile>>;
|
||||
signInResolverFactories?: {
|
||||
[name in string]: SignInResolverFactory<
|
||||
OAuthAuthenticatorResult<TProfile>,
|
||||
unknown
|
||||
>;
|
||||
[name in string]: SignInResolverFactory;
|
||||
};
|
||||
}): AuthProviderFactory {
|
||||
return ctx => {
|
||||
|
||||
@@ -31,10 +31,7 @@ export function createProxyAuthProviderFactory<TResult>(options: {
|
||||
authenticator: ProxyAuthenticator<unknown, TResult, unknown>;
|
||||
profileTransform?: ProfileTransform<TResult>;
|
||||
signInResolver?: SignInResolver<TResult>;
|
||||
signInResolverFactories?: Record<
|
||||
string,
|
||||
SignInResolverFactory<TResult, unknown>
|
||||
>;
|
||||
signInResolverFactories?: Record<string, SignInResolverFactory>;
|
||||
}): AuthProviderFactory {
|
||||
return ctx => {
|
||||
const signInResolver =
|
||||
|
||||
@@ -14,7 +14,9 @@
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
import { z } from 'zod';
|
||||
import { createSignInResolverFactory } from './createSignInResolverFactory';
|
||||
import { NotAllowedError } from '@backstage/errors';
|
||||
|
||||
// This splits an email "joe+work@acme.com" into ["joe", "+work", "@acme.com"]
|
||||
// so that we can remove the plus addressing. May output a shorter array:
|
||||
@@ -77,7 +79,13 @@ export namespace commonSignInResolvers {
|
||||
*/
|
||||
export const emailLocalPartMatchingUserEntityName =
|
||||
createSignInResolverFactory({
|
||||
create() {
|
||||
optionsSchema: z
|
||||
.object({
|
||||
allowedDomains: z.array(z.string()).optional(),
|
||||
})
|
||||
.optional(),
|
||||
create(options = {}) {
|
||||
const { allowedDomains } = options;
|
||||
return async (info, ctx) => {
|
||||
const { profile } = info;
|
||||
|
||||
@@ -87,6 +95,13 @@ export namespace commonSignInResolvers {
|
||||
);
|
||||
}
|
||||
const [localPart] = profile.email.split('@');
|
||||
const domain = profile.email.slice(localPart.length + 1);
|
||||
|
||||
if (allowedDomains && !allowedDomains.includes(domain)) {
|
||||
throw new NotAllowedError(
|
||||
'Sign-in user email is not from an allowed domain',
|
||||
);
|
||||
}
|
||||
|
||||
return ctx.signInWithCatalogUser({
|
||||
entityRef: { name: localPart },
|
||||
|
||||
@@ -18,10 +18,11 @@ import { ZodSchema, ZodTypeDef } from 'zod';
|
||||
import { SignInResolver } from '../types';
|
||||
import zodToJsonSchema from 'zod-to-json-schema';
|
||||
import { JsonObject } from '@backstage/types';
|
||||
import { fromError } from 'zod-validation-error';
|
||||
import { InputError } from '@backstage/errors';
|
||||
|
||||
/** @public */
|
||||
export interface SignInResolverFactory<TAuthResult, TOptions> {
|
||||
export interface SignInResolverFactory<TAuthResult = any, TOptions = any> {
|
||||
(
|
||||
...options: undefined extends TOptions
|
||||
? [options?: TOptions]
|
||||
@@ -66,7 +67,14 @@ export function createSignInResolverFactory<
|
||||
? [options?: TOptionsInput]
|
||||
: [options: TOptionsInput]
|
||||
) => {
|
||||
const parsedOptions = optionsSchema.parse(resolverOptions);
|
||||
let parsedOptions;
|
||||
try {
|
||||
parsedOptions = optionsSchema.parse(resolverOptions);
|
||||
} catch (error) {
|
||||
throw new InputError(
|
||||
`Invalid sign-in resolver options, ${fromError(error)}`,
|
||||
);
|
||||
}
|
||||
return options.create(parsedOptions);
|
||||
};
|
||||
|
||||
|
||||
@@ -5461,6 +5461,7 @@ __metadata:
|
||||
winston: ^3.2.1
|
||||
zod: ^3.22.4
|
||||
zod-to-json-schema: ^3.21.4
|
||||
zod-validation-error: ^3.4.0
|
||||
languageName: unknown
|
||||
linkType: soft
|
||||
|
||||
@@ -45286,12 +45287,12 @@ __metadata:
|
||||
languageName: node
|
||||
linkType: hard
|
||||
|
||||
"zod-validation-error@npm:^3.0.3":
|
||||
version: 3.1.0
|
||||
resolution: "zod-validation-error@npm:3.1.0"
|
||||
"zod-validation-error@npm:^3.0.3, zod-validation-error@npm:^3.4.0":
|
||||
version: 3.4.0
|
||||
resolution: "zod-validation-error@npm:3.4.0"
|
||||
peerDependencies:
|
||||
zod: ^3.18.0
|
||||
checksum: 84df01c91d594701eaf7f5f007be881e47f7adef2e3f3765f7be031cb78033f9be0924273106cb81b586d8020da9885dbb81b3da363f00a51df00f26274f2b23
|
||||
checksum: b07fbfc39582dbdf6972f5f5f0c3bac9e6b5e6d2e55ef3dd891fd08f1966ebf1023a4bc270e9b569eaa48ed1684ac2252c9f260b0bd07b167671596e6e4d0fa8
|
||||
languageName: node
|
||||
linkType: hard
|
||||
|
||||
|
||||
Reference in New Issue
Block a user