router.ts

/*
 * Copyright 2020 The Backstage Authors
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
import { Config } from '@backstage/config'
import { errorHandler } from '@backstage/backend-common';
import express from 'express';
import Router from 'express-promise-router';
import { Logger } from 'winston';
import jwt from 'express-jwt';
import jwksRsa from 'jwks-rsa';

export interface RouterOptions {
  config: Config;
  logger: Logger;
}

type BackstageUser = {
  sub: string;
}

export async function createRouter(
  options: RouterOptions,
): Promise<express.Router> {
  const baseUrl = options.config.getString('backend.baseUrl');
  const checkJwt = jwt({
    algorithms: ['ES256'],
    audience: 'backstage',
    issuer: `${baseUrl}/api/auth`,
    secret: jwksRsa.expressJwtSecret({
      cache: true,
      jwksRequestsPerMinute: 5,
      jwksUri: `${baseUrl}/api/auth/.well-known/jwks.json`,
      rateLimit: true,
    }),
  });

  const { logger } = options;

  const router = Router();
  router.use(express.json());

  router.get('/health', checkJwt, (req, response) => {
    const user = req.user as BackstageUser;
    if (user === undefined) {
      response.status(401).send();
      return;
    }
    logger.info('PONG!');
    response.send({ status: user.sub });
  });

  router.use(errorHandler());
  return router;
}