refactor auth plugins to use jose

Signed-off-by: Jamie Klassen <jamie.klassen@broadcom.com>

.changeset/red-bottles-swim.md

@@ -0,0 +1,7 @@
+---
+'@backstage/plugin-auth-backend': patch
+'@backstage/plugin-auth-node': patch
+---
+
+The helper function `makeProfileInfo` and `PassportHelpers.transformProfile`
+were refactored to use the `jose` library.

plugins/auth-backend/package.json

@@ -64,7 +64,6 @@
     "fs-extra": "10.1.0",
     "google-auth-library": "^8.0.0",
     "jose": "^4.6.0",
-    "jwt-decode": "^3.1.0",
     "knex": "^3.0.0",
     "lodash": "^4.17.21",
     "luxon": "^3.0.0",

plugins/auth-backend/src/lib/passport/PassportStrategyHelper.ts

@@ -16,7 +16,7 @@
 
 import express from 'express';
 import passport from 'passport';
-import jwtDecoder from 'jwt-decode';
+import { decodeJwt } from 'jose';
 import { InternalOAuthError } from 'passport-oauth2';
 
 import { PassportProfile } from './types';
@@ -51,7 +51,11 @@ export const makeProfileInfo = (
 
   if ((!email || !picture || !displayName) && idToken) {
     try {
-      const decoded: Record<string, string> = jwtDecoder(idToken);
+      const decoded = decodeJwt(idToken) as {
+        email?: string;
+        name?: string;
+        picture?: string;
+      };
       if (!email && decoded.email) {
         email = decoded.email;
       }

plugins/auth-node/src/passport/PassportHelpers.ts

@@ -15,6 +15,7 @@
  */
 
 import { Request } from 'express';
+import { decodeJwt } from 'jose';
 import { Strategy } from 'passport';
 import { PassportProfile } from './types';
 import { ProfileInfo } from '../types';
@@ -27,30 +28,6 @@ interface InternalOAuthError extends Error {
   };
 }
 
-/** @internal */
-function decodeJwtPayload(token: string): Record<string, string> {
-  const payloadStr = token.split('.')[1];
-  if (!payloadStr) {
-    throw new Error('Invalid JWT token');
-  }
-
-  let payload: unknown;
-  try {
-    payload = JSON.parse(
-      Buffer.from(
-        payloadStr.replace(/-/g, '+').replace(/_/g, '/'),
-        'base64',
-      ).toString('utf8'),
-    );
-  } catch (e) {
-    throw new Error('Invalid JWT token');
-  }
-  if (!payload || typeof payload !== 'object' || Array.isArray(payload)) {
-    throw new Error('Invalid JWT token');
-  }
-  return payload as Record<string, string>;
-}
-
 /** @public */
 export class PassportHelpers {
   private constructor() {}
@@ -78,7 +55,11 @@ export class PassportHelpers {
 
     if ((!email || !picture || !displayName) && idToken) {
       try {
-        const decoded: Record<string, string> = decodeJwtPayload(idToken);
+        const decoded = decodeJwt(idToken) as {
+          email?: string;
+          name?: string;
+          picture?: string;
+        };
         if (!email && decoded.email) {
           email = decoded.email;
         }

yarn.lock

@@ -4932,7 +4932,6 @@ __metadata:
     fs-extra: 10.1.0
     google-auth-library: ^8.0.0
     jose: ^4.6.0
-    jwt-decode: ^3.1.0
     knex: ^3.0.0
     lodash: ^4.17.21
     luxon: ^3.0.0