paulononato/backstage
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

read awsalb signer from header

Browse Source 
Signed-off-by: Fredrik Adelöw <freben@gmail.com>
This commit is contained in:
Fredrik Adelöw
2024-08-26 11:42:18 +02:00
parent 469e06b5e2
commit ecbc47e236
4 changed files with 17 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.changeset/blue-forks-cry.md
+5
View File
@@ -0,0 +1,5 @@
---
'@backstage/plugin-auth-backend-module-aws-alb-provider': patch
---
Fix a bug where the signer was checked from the payload instead of the header
plugins/auth-backend-module-aws-alb-provider/src/authenticator.test.ts
+3 -4
View File
@@ -35,7 +35,6 @@ describe('AwsAlbProvider', () => {
email: 'user.name@email.test',
exp: Date.now() + 10000,
iss: 'ISSUER_URL',
signer: 'SIGNER_ARN',
};
const signingKey = new TextEncoder().encode('signingKey');
let mockJwt: string;
@@ -78,7 +77,7 @@ describe('AwsAlbProvider', () => {
beforeEach(async () => {
mockJwt = await new SignJWT(mockClaims)
.setProtectedHeader({ alg: 'HS256' })
.setProtectedHeader({ alg: 'HS256', signer: 'SIGNER_ARN' })
.sign(signingKey);
});
@@ -206,8 +205,8 @@ describe('AwsAlbProvider', () => {
});
it('signer is invalid', async () => {
const jwt = await new SignJWT({ signer: 'INVALID_SIGNER_ARN' })
.setProtectedHeader({ alg: 'HS256' })
const jwt = await new SignJWT({})
.setProtectedHeader({ alg: 'HS256', signer: 'INVALID_SIGNER_ARN' })
.sign(signingKey);
const req = {
header: jest.fn(name => {
plugins/auth-backend-module-aws-alb-provider/src/authenticator.ts
+3 -2
View File
@@ -15,7 +15,7 @@
*/
import { AuthenticationError } from '@backstage/errors';
import { AwsAlbClaims, AwsAlbResult } from './types';
import { AwsAlbClaims, AwsAlbResult, AwsAlbProtectedHeader } from './types';
import { jwtVerify } from 'jose';
import {
PassportProfile,
@@ -60,11 +60,12 @@ export const awsAlbAuthenticator = createProxyAuthenticator({
try {
const verifyResult = await jwtVerify(jwt, getKey);
const header = verifyResult.protectedHeader as AwsAlbProtectedHeader;
const claims = verifyResult.payload as AwsAlbClaims;
if (claims?.iss !== issuer) {
throw new AuthenticationError('Issuer mismatch on JWT token');
} else if (signer && claims?.signer !== signer) {
} else if (signer && header?.signer !== signer) {
throw new AuthenticationError('Signer mismatch on JWT token');
}
plugins/auth-backend-module-aws-alb-provider/src/types.ts
+6 -1
View File
@@ -38,5 +38,10 @@ export type AwsAlbClaims = {
email: string;
exp: number;
iss: string;
signer: string;
};
/**
* @internal
*/
export type AwsAlbProtectedHeader = {
signer?: string;
};