Commit Graph

1574 Commits

Author SHA1 Message Date
github-actions[bot] 93e643d142 Version Packages 2026-04-14 14:57:31 +00:00
Patrik Oldsberg c9212bf4ce auth-backend: remove unused isCimdUrl function (#33882)
The function was a thin wrapper around validateCimdUrl that caught errors
and returned a boolean. It was never imported by any production code —
only by test files. Tests now use validateCimdUrl directly.


Made-with: Cursor

Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
2026-04-13 23:43:26 +02:00
github-actions[bot] 6c10d88c13 Version Packages (next) 2026-04-07 15:30:58 +00:00
Patrik Oldsberg b2319ffe45 errors: add toError utility and migrate assertError usages
Add a `toError` utility function to `@backstage/errors` that converts
unknown values to `ErrorLike` objects. If the value is already error-like
it is returned as-is. Strings are used directly as the error message, and
other values are stringified with a fallback to JSON.stringify to avoid
unhelpful `[object Object]` messages.

Non-error causes passed to `CustomErrorBase` are now converted and stored
using `toError` rather than discarded. Existing `assertError` call sites
across the codebase are migrated to `toError`.

Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
Made-with: Cursor
2026-04-03 10:16:23 +02:00
github-actions[bot] a2cb332e25 Version Packages (next) 2026-03-31 15:30:51 +00:00
github-actions[bot] c1b510cabb Version Packages (next) 2026-03-24 14:54:00 +00:00
Ben Lambert 2e753eefb6 fix(auth-backend): allow any port for loopback redirect URIs per RFC 8252 (#33508)
For CIMD clients using loopback redirect URIs (localhost/127.0.0.1),
match by scheme, hostname, and path only, ignoring the port. Native
CLI apps like Claude Code use ephemeral ports for OAuth callbacks.

Signed-off-by: benjdlambert <ben@blam.sh>
2026-03-21 23:19:38 +00:00
Fredrik Adelöw d7c67cddf5 switch omitIdentityTokenOwnershipClaim to true
Signed-off-by: Fredrik Adelöw <freben@spotify.com>
2026-03-18 22:10:50 +01:00
github-actions[bot] 5725b5fcfa Version Packages 2026-03-17 21:39:07 +00:00
Fredrik Adelöw 4919273bea chore: align auth-backend zod version range with rest of repo
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Fredrik Adelöw <freben@spotify.com>
2026-03-17 16:52:00 +01:00
Gabriel Dugny ffaded0b30 chore: lint & changeset
Signed-off-by: Gabriel Dugny <gabriel.dugny@believe.com>
2026-03-17 16:48:43 +01:00
Gabriel Dugny 49171c9de4 chore: Update all imports to zod/v3
Signed-off-by: Gabriel Dugny <gabriel.dugny@believe.com>
2026-03-17 16:48:42 +01:00
Patrik Oldsberg aba94d2b27 Merge pull request #33385 from drodil/auth_mem_leaks
fix(auth): memory leaks
2026-03-17 11:03:20 +01:00
Hellgren Heikki 634ededdc9 fix(auth): memory leaks
alb-provider: JWT verification block was wrapped in generic error
that turned 401 to 500 causing clients to retry the login

cimd: cimd clients are not registered in oidc_clients table
so inserting offline sessions for them violates the foreign key
constraint. dropping the fk.

offline: return access token even when refresh token issuing fails.
if the refresh token issue fails for some reason, it will return
500 which will then cause client to retry even it can get valid
access token without refresh token.

closes #33329
Signed-off-by: Hellgren Heikki <heikki.hellgren@op.fi>
2026-03-17 10:52:40 +02:00
benjdlambert 26b5f7a5f9 chore: fix main build
Signed-off-by: benjdlambert <ben@blam.sh>
2026-03-11 13:41:01 +01:00
Ben Lambert e9b6e978f1 Merge commit from fork
* fix: prevent SSRF via redirect in CIMD metadata fetch

* fix: prevent SSRF via redirect in CIMD metadata fetch

* fix: add redirect target listener to SSRF redirect test
2026-03-11 13:34:25 +01:00
Ben Lambert 0f9d673e82 Merge commit from fork
* Fix redirect URI allowlist bypass via URL userinfo syntax

* Validate redirect URIs against normalized origin+pathname
2026-03-11 13:33:00 +01:00
github-actions[bot] ed7c4e3bef Version Packages (next) 2026-03-10 17:34:12 +00:00
Ben Lambert d0f4cd215b feat(cli): add auth commands for OIDC login (#32920)
* feat(cli): add auth commands for OIDC login

Signed-off-by: benjdlambert <ben@blam.sh>

* address PR review feedback

- move CIMD check before callback server start
- add try/finally for callback server cleanup
- validate URLs with human-readable errors
- deduplicate config URL candidates
- preserve selected flag on re-authentication
- delete accessToken on logout
- log token refresh to stderr in show command
- fix command descriptions to reference CIMD not DCR
- type keytar as optionalDependency, rename storage paths
- add auth-backend changeset

Signed-off-by: benjdlambert <ben@blam.sh>

* migrate auth module from yargs to cleye pattern

Signed-off-by: benjdlambert <ben@blam.sh>

* address PR review feedback

- consolidate storage imports in auth.ts
- add withMetadataLock to setSelectedInstance
- skip file permission tests on Windows
- clarify changeset endpoint path

Signed-off-by: benjdlambert <ben@blam.sh>

* address review feedback from Rugvip and Copilot

- use stdout for user-facing messages instead of stderr
- remove clientSecret remnants from logout
- make refresh_token optional in token response schema
- add timeout to CIMD metadata fetch
- pass same state to callback server and authorize URL
- remove inaccurate test comment

Signed-off-by: benjdlambert <ben@blam.sh>

* validate state in callback server, add CIMD endpoint tests

- localServer now validates the OAuth state parameter in the request
  handler and returns 400 on mismatch
- Added tests for the CIMD metadata endpoint in OidcRouter covering
  both disabled and enabled cases

Signed-off-by: benjdlambert <ben@blam.sh>

* revert validateRequest to use Zod error details

Signed-off-by: benjdlambert <ben@blam.sh>

* fix callback server hanging by closing keep-alive connections

Signed-off-by: benjdlambert <ben@blam.sh>

* rename secret store service prefix to backstage-cli:auth-instance

Signed-off-by: benjdlambert <ben@blam.sh>

---------

Signed-off-by: benjdlambert <ben@blam.sh>
2026-03-10 13:28:25 +00:00
github-actions[bot] db0d171511 Version Packages (next) 2026-03-03 14:16:49 +00:00
Ben Lambert 1ccad86e35 feat(auth-backend): add who-am-i action to actions registry (#33046)
Signed-off-by: benjdlambert <ben@blam.sh>
2026-02-28 10:08:46 +01:00
github-actions[bot] 4bd6a3a1af Version Packages (next) 2026-02-24 19:24:06 +00:00
Fredrik Adelöw 619be54133 auth: got rid of the sql report warnings
Signed-off-by: Fredrik Adelöw <freben@gmail.com>
2026-02-22 14:52:48 +01:00
dependabot[bot] 6738cf0842 build(deps): bump minimatch from 9.0.5 to 10.2.1 (#32915)
Bumps [minimatch](https://github.com/isaacs/minimatch) from 9.0.5 to 10.2.1.
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](https://github.com/isaacs/minimatch/compare/v9.0.5...v10.2.1)

---
updated-dependencies:
- dependency-name: minimatch
  dependency-version: 10.2.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-19 08:58:00 +01:00
Patrik Oldsberg 9506f2af73 auth-backend: correct changelog
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
2026-02-17 20:49:55 +01:00
Patrik Oldsberg c4d19ed1b6 Merge pull request #32796 from backstage/changeset-release/master
Version Packages
2026-02-17 18:50:32 +01:00
benjdlambert 7dc3dfe5cb Revert configurable DCR token expiration (#31278)
Signed-off-by: benjdlambert <ben@blam.sh>
2026-02-17 17:07:24 +01:00
github-actions[bot] e6df5d52ce Version Packages 2026-02-17 16:06:18 +00:00
Ben Lambert 31de2c9b3a feat(auth-backend): add experimental CIMD support (#32307)
Signed-off-by: benjdlambert <ben@blam.sh>
2026-02-17 17:00:49 +01:00
github-actions[bot] 7c41134684 Version Packages (next) 2026-02-10 16:14:59 +00:00
Ben Lambert d0786b968e auth-backend: add experimental refresh token support (#32695)
* auth-backend: add experimental refresh token support

Signed-off-by: benjdlambert <ben@blam.sh>

* auth-backend: refresh token review fixes

Signed-off-by: benjdlambert <ben@blam.sh>

* auth-backend: address PR review feedback for refresh tokens

Signed-off-by: benjdlambert <ben@blam.sh>

---------

Signed-off-by: benjdlambert <ben@blam.sh>
2026-02-10 17:00:51 +01:00
imgbot[bot] 21b60d8b5f [ImgBot] Optimize images (#32227)
*Total -- 517.71kb -> 473.87kb (8.47%)

/microsite/static/img/tech-radar.svg -- 1.03kb -> 0.56kb (45.5%)
/beps/0001-notifications-system/notifications-architecture.drawio.svg -- 44.41kb -> 32.82kb (26.11%)
/plugins/auth-backend/architecture.drawio.svg -- 22.74kb -> 16.81kb (26.09%)
/microsite/static/img/backstage-search-platform.svg -- 0.99kb -> 0.73kb (25.77%)
/beps/0003-auth-architecture-evolution/token-sequence-obo.drawio.svg -- 17.62kb -> 13.12kb (25.53%)
/beps/0003-auth-architecture-evolution/token-sequence-cookie.drawio.svg -- 18.01kb -> 13.55kb (24.77%)
/microsite/static/img/cyclops.svg -- 3.30kb -> 2.68kb (18.79%)
/packages/app-next/architecture.drawio.svg -- 69.32kb -> 56.49kb (18.51%)
/microsite/static/img/kiali.svg -- 1.32kb -> 1.08kb (18.26%)
/microsite/static/img/daytona.svg -- 1.23kb -> 1.01kb (18.1%)
/microsite/static/img/octopus-deploy.svg -- 0.94kb -> 0.79kb (15.9%)
/microsite/static/img/s3-bucket.svg -- 3.25kb -> 2.88kb (11.45%)
/microsite/static/img/tekton.svg -- 1.77kb -> 1.59kb (10.13%)
/microsite/static/img/terraform-logo.svg -- 0.44kb -> 0.40kb (9.07%)
/microsite/static/img/dynatrace.svg -- 3.60kb -> 3.37kb (6.43%)
/microsite/static/img/plugin-feedback-logo.svg -- 0.69kb -> 0.65kb (5.8%)
/microsite/static/img/codescene_logo.svg -- 4.64kb -> 4.42kb (4.84%)
/microsite/static/img/codacy-icon.svg -- 1.37kb -> 1.32kb (3.5%)
/microsite/static/img/entity-validation.svg -- 0.31kb -> 0.30kb (3.49%)
/microsite/static/img/bazaar.svg -- 1.44kb -> 1.39kb (3.25%)
/microsite/static/img/badges.svg -- 0.25kb -> 0.24kb (2.79%)
/microsite/static/img/shortcuts.svg -- 0.29kb -> 0.28kb (2.35%)
/microsite/static/img/catalog-graph.svg -- 0.30kb -> 0.29kb (2.3%)
/microsite/static/img/devtools.svg -- 0.34kb -> 0.33kb (2.03%)
/microsite/static/img/3scale.svg -- 6.74kb -> 6.64kb (1.55%)
/microsite/static/img/linguist.svg -- 0.44kb -> 0.44kb (1.55%)
/microsite/static/img/digital.ai-deploy.svg -- 0.70kb -> 0.69kb (1.53%)
/microsite/static/img/digital.ai-release.svg -- 1.28kb -> 1.27kb (1.44%)
/microsite/static/img/nexus-repository-manager.svg -- 7.81kb -> 7.71kb (1.35%)
/microsite/static/img/quay.svg -- 7.81kb -> 7.71kb (1.34%)
/microsite/static/img/jfrog-artifactory.svg -- 7.82kb -> 7.72kb (1.34%)
/microsite/static/img/keycloak.svg -- 8.04kb -> 7.93kb (1.3%)
/microsite/static/img/topology.svg -- 8.62kb -> 8.51kb (1.21%)
/microsite/static/img/ocm.svg -- 9.86kb -> 9.76kb (1.06%)
/microsite/static/img/cicd-statistics.svg -- 0.72kb -> 0.71kb (0.95%)
/microsite/static/img/github-pull-requests-board-logo.svg -- 3.92kb -> 3.88kb (0.92%)
/packages/ui/static/favicon.svg -- 0.69kb -> 0.68kb (0.85%)
/microsite/static/img/hcp-consul.svg -- 6.78kb -> 6.76kb (0.33%)
/microsite/static/img/nobl9.svg -- 1.60kb -> 1.59kb (0.31%)
/microsite/static/img/buildkite.svg -- 0.39kb -> 0.39kb (0.25%)
/microsite/blog/assets/2024-06-27/backstage-engineer-journey.svg -- 224.46kb -> 223.97kb (0.22%)
/docs-ui/src/app/icon.svg -- 4.61kb -> 4.60kb (0.06%)
/microsite/static/img/wheel-of-names.svg -- 9.51kb -> 9.50kb (0.05%)
/microsite/static/img/cncf-white.svg -- 6.32kb -> 6.32kb (0.02%)

Signed-off-by: ImgBotApp <ImgBotHelp@gmail.com>
Co-authored-by: ImgBotApp <ImgBotHelp@gmail.com>
2026-02-03 15:08:27 +01:00
github-actions[bot] d4b85dddee Version Packages (next) 2026-01-27 15:51:11 +00:00
Fredrik Adelöw 7455dae884 require the use of node prefix on native imports
Signed-off-by: Fredrik Adelöw <freben@gmail.com>
2026-01-26 13:22:53 +01:00
github-actions[bot] 2e902e7b43 Version Packages 2026-01-20 16:40:05 +00:00
github-actions[bot] 880310b797 Version Packages (next) 2026-01-13 12:10:45 +00:00
Fredrik Adelöw c065d53a63 Merge pull request #31799 from jtbry/master
fix(auth): user_created_at migration non constant defaults SQLiteError
2026-01-08 12:04:55 +01:00
github-actions[bot] c24788d5bb Version Packages 2025-12-16 14:08:20 +00:00
github-actions[bot] e08f48a9b5 Version Packages (next) 2025-12-09 15:00:09 +00:00
dependabot[bot] de96a60f7a chore(deps): bump express from 4.21.2 to 4.22.0
Bumps [express](https://github.com/expressjs/express) from 4.21.2 to 4.22.0.
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/4.22.0/History.md)
- [Commits](https://github.com/expressjs/express/compare/4.21.2...4.22.0)

---
updated-dependencies:
- dependency-name: express
  dependency-version: 4.22.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-02 20:33:46 +01:00
github-actions[bot] 756986e5e7 Version Packages (next) 2025-11-25 16:21:32 +00:00
github-actions[bot] 792f4d7e3d Version Packages 2025-11-18 12:23:09 +00:00
benjdlambert 3511ba4431 chore: fix down migration
Signed-off-by: benjdlambert <ben@blam.sh>
2025-11-18 12:29:24 +01:00
benjdlambert 064471c87f chore: update sql reports
Signed-off-by: benjdlambert <ben@blam.sh>
2025-11-18 11:32:15 +01:00
benjdlambert eb279cbe7b chore: codereview comments
Signed-off-by: benjdlambert <ben@blam.sh>
2025-11-18 11:12:37 +01:00
benjdlambert 986bf8f3aa feat: set state column to text instead of varchar
Signed-off-by: benjdlambert <ben@blam.sh>
2025-11-18 11:03:39 +01:00
Justin Bryant 7ffc873b78 fix(auth): user_created_at migration non constant defaults to remedy SQLiteError
Signed-off-by: Justin Bryant <justintbry@gmail.com>
2025-11-17 13:05:25 -05:00
github-actions[bot] 3738293d26 Version Packages (next) 2025-11-04 15:00:26 +00:00
Ben Lambert f70ad4b1c2 Merge pull request #31278 from drodil/dynamic_client_reg_expires_in
feat(auth): allow configuring DCR token expiration
2025-11-04 09:52:11 +01:00
github-actions[bot] 807af8ce0e Version Packages (next) 2025-10-21 16:14:43 +00:00