diff --git a/.changeset/red-bottles-swim.md b/.changeset/red-bottles-swim.md
new file mode 100644
index 0000000000..eebdc85298
--- /dev/null
+++ b/.changeset/red-bottles-swim.md
@@ -0,0 +1,7 @@
+---
+'@backstage/plugin-auth-backend': patch
+'@backstage/plugin-auth-node': patch
+---
+
+The helper function `makeProfileInfo` and `PassportHelpers.transformProfile`
+were refactored to use the `jose` library.
diff --git a/plugins/auth-backend/package.json b/plugins/auth-backend/package.json
index eb0d30a9ba..25e0651361 100644
--- a/plugins/auth-backend/package.json
+++ b/plugins/auth-backend/package.json
@@ -64,7 +64,6 @@
 "fs-extra": "10.1.0",
 "google-auth-library": "^8.0.0",
 "jose": "^4.6.0",
- "jwt-decode": "^3.1.0",
 "knex": "^3.0.0",
 "lodash": "^4.17.21",
 "luxon": "^3.0.0",
diff --git a/plugins/auth-backend/src/lib/passport/PassportStrategyHelper.ts b/plugins/auth-backend/src/lib/passport/PassportStrategyHelper.ts
index 7589254862..44feb916c5 100644
--- a/plugins/auth-backend/src/lib/passport/PassportStrategyHelper.ts
+++ b/plugins/auth-backend/src/lib/passport/PassportStrategyHelper.ts
@@ -16,7 +16,7 @@
 import express from 'express';
 import passport from 'passport';
-import jwtDecoder from 'jwt-decode';
+import { decodeJwt } from 'jose';
 import { InternalOAuthError } from 'passport-oauth2';
 import { PassportProfile } from './types';
@@ -51,7 +51,11 @@ export const makeProfileInfo = (
 if ((!email || !picture || !displayName) && idToken) {
 try {
- const decoded: Record = jwtDecoder(idToken);
+ const decoded = decodeJwt(idToken) as {
+ email?: string;
+ name?: string;
+ picture?: string;
+ };
 if (!email && decoded.email) {
 email = decoded.email;
 }
diff --git a/plugins/auth-node/src/passport/PassportHelpers.ts b/plugins/auth-node/src/passport/PassportHelpers.ts
index 6c13523811..d7b554d56a 100644
--- a/plugins/auth-node/src/passport/PassportHelpers.ts
+++ b/plugins/auth-node/src/passport/PassportHelpers.ts
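Review bot: In `makeProfileInfo` (plugins/auth-backend/src/lib/passport/PassportStrategyHelper.ts) the `as { email?: string; name?: string; picture?: string }` assertion on `decodeJwt(idToken)` declares claim types that nothing checks at runtime. jose's `decodeJwt` only decodes the payload and validates neither the signature nor the claim types, so a non-string `email`, `name` or `picture` claim would reach the profile typed as a string. Drop the assertion and narrow each claim where it is read, e.g. `const decoded = decodeJwt(idToken);` and `if (!email && typeof decoded.email === 'string') {`. The `PassportHelpers` hunk in plugins/auth-node/src/passport/PassportHelpers.ts adds the same assertion and needs the same change. A comment such as `// idToken is decoded without signature verification; treat these claims as display-only profile data` would record the trust assumption; the enclosing function and the `catch` for this `try` lie outside the hunk, so whether the token is verified elsewhere cannot be confirmed from here.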
@@ -15,6 +15,7 @@
 */
 import { Request } from 'express';
+import { decodeJwt } from 'jose';
 import { Strategy } from 'passport';
 import { PassportProfile } from './types';
 import { ProfileInfo } from '../types';
@@ -27,30 +28,6 @@ interface InternalOAuthError extends Error {
 };
 }
-/** @internal */
-function decodeJwtPayload(token: string): Record {
- const payloadStr = token.split('.')[1];
- if (!payloadStr) {
- throw new Error('Invalid JWT token');
- }
-
- let payload: unknown;
- try {
- payload = JSON.parse(
- Buffer.from(
- payloadStr.replace(/-/g, '+').replace(/_/g, '/'),
- 'base64',
- ).toString('utf8'),
- );
- } catch (e) {
- throw new Error('Invalid JWT token');
- }
- if (!payload || typeof payload !== 'object' || Array.isArray(payload)) {
- throw new Error('Invalid JWT token');
- }
- return payload as Record;
-}
-
 /** @public */
 export class PassportHelpers {
 private constructor() {}
@@ -78,7 +55,11 @@ export class PassportHelpers {
 if ((!email || !picture || !displayName) && idToken) {
 try {
- const decoded: Record = decodeJwtPayload(idToken);
+ const decoded = decodeJwt(idToken) as {
+ email?: string;
+ name?: string;
+ picture?: string;
+ };
 if (!email && decoded.email) {
 email = decoded.email;
 }
diff --git a/yarn.lock b/yarn.lock
index 8c0ddcabc2..de0169115f 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -4932,7 +4932,6 @@ __metadata:
 fs-extra: 10.1.0
 google-auth-library: ^8.0.0
 jose: ^4.6.0
- jwt-decode: ^3.1.0
 knex: ^3.0.0
 lodash: ^4.17.21
 luxon: ^3.0.0