Conversation

jkueh (Contributor) commented Sep 4, 2025

Description

This is a recreation of PagerDuty/backstage-plugin-backend#114.

Corresponding documentation update: PagerDuty/backstage-plugin-docs#14

Currently, any user that is able to access a Backstage instance that has the PagerDuty plugin installed can make proxied calls to the PagerDuty API without needing a user session in Backstage, e.g.

curl "https://${BACKSTAGE_HOST}/api/pagerduty/services"

The above will return a list of all the services in the account, and presumably can make other proxied API calls to the rest of the PagerDuty API, subject to the permissions of the API token available in Backstage.

This PR disables the unauthenticated policy by default. Backstage's documentation refers to the unauthenticated behaviour as dangerous.

I've tested this in a local instance of Backstage, and can confirm I get an HTTP 401 when attempting to run the same curl command as above without a valid Authorization: Bearer ... header.

Affected plugin

  • backstage-plugin
  • backstage-plugin-backend
  • backstage-plugin-scaffolder-actions
  • backstage-plugin-entity-processor

Type of change

  • New feature (non-breaking change which adds functionality)
  • Fix (non-breaking change which fixes an issue)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist

If this is a breaking change 👇

  • I have documented the migration process
  • I have implemented necessary warnings (if it can live side by side)

Acknowledgement

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Disclaimer: We value your time and bandwidth. As such, any pull requests created on non-triaged issues might not be successful.
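A check an operator can run against their own Backstage instance to confirm the PagerDuty proxy route rejects anonymous calls, as an added example that is not part of this PR or the plugin's code. It assumes BACKSTAGE_HOST (as in the curl command above) and an optional BACKSTAGE_TOKEN holding a valid Backstage user or service token for the authenticated control request.

```shell
#!/bin/sh
# Added example (not from the PR): probe /api/pagerduty/services on a Backstage
# instance without credentials and classify the result.
# Assumes BACKSTAGE_HOST (base hostname) and, optionally, BACKSTAGE_TOKEN.

probe_status() {
  # $1 = base URL, $2 = optional bearer token; prints the HTTP status code only
  if [ -n "${2:-}" ]; then
    curl -s -o /dev/null -w '%{http_code}' \
      -H "Authorization: Bearer $2" "$1/api/pagerduty/services"
  else
    curl -s -o /dev/null -w '%{http_code}' "$1/api/pagerduty/services"
  fi
}

classify() {
  # $1 = HTTP status observed without an Authorization header.
  # 401/403 -> route requires Backstage credentials (expected after this PR)
  # 200     -> proxy reachable anonymously (the behaviour this PR removes)
  case "$1" in
    401|403) echo "protected" ;;
    200)     echo "exposed" ;;
    *)       echo "inconclusive" ;;
  esac
}

main() {
  host="${BACKSTAGE_HOST:?set BACKSTAGE_HOST to the Backstage hostname}"
  base="https://$host"

  anon="$(probe_status "$base")"
  verdict="$(classify "$anon")"
  echo "anonymous GET /api/pagerduty/services -> HTTP $anon ($verdict)"

  # Control request: with a valid token the same route should answer 200,
  # which distinguishes "protected" from "backend down".
  if [ -n "${BACKSTAGE_TOKEN:-}" ]; then
    authed="$(probe_status "$base" "$BACKSTAGE_TOKEN")"
    echo "authenticated GET /api/pagerduty/services -> HTTP $authed"
    [ "$authed" = "200" ] || echo "warning: token request did not return 200"
  fi

  [ "$verdict" = "protected" ]
}

# Run the probe only when invoked with --run, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
  main
fi
```

Invoke as `sh check_pagerduty_route.sh --run`; a non-zero exit means the route is still reachable without a Backstage session.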

jkueh and others added 3 commits September 4, 2025 14:47
* fix: remove the backstage ui css imports from frontend plugin (PagerDuty#86)

---------
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
jhfgloria (Contributor) commented Nov 4, 2025

Hello @jkueh! Thanks for flagging this! I think we should flip the enablement logic, making it inaccessible by default and having a property to make it accessible without token. That would make the plugin more secure by default and less secure on demand. In that case we would release a new minor version to flag the change. Could I ask you 2 things too? Since we changed the plugins into a monorepo, new contributions internal and external should be backed by a release note, which can be easily generated by running yarn changeset. Could you create a minor version for backstage-plugin-backend in this pull request? Also, could you change the base branch from main to next? Thank you again @jkueh!

jkueh (Contributor, Author) commented Nov 5, 2025

Hi @jhfgloria!

Not a problem, will do those shortly.

My initial thinking was that if we're doing a minor release, we probably shouldn't be breaking any existing implementations that rely on access to this plugin being unauthenticated.

That being said, happy to switch it around as part of a minor release if this is more bug-fix territory :)

@jkueh jkueh changed the base branch from main to next November 5, 2025 05:28
@jkueh jkueh requested a review from a team as a code owner November 5, 2025 05:28
jkueh (Contributor, Author) commented Nov 5, 2025

@jhfgloria All done, I think! Let me know if there's anything I've missed :)

jhfgloria (Contributor) left a review comment

Looks good to me! Thank you so much for your contribution @jkueh!

jkueh (Contributor, Author) commented Nov 5, 2025

No problem, thanks @jhfgloria!

@jhfgloria jhfgloria merged commit f50dfc7 into PagerDuty:next Nov 5, 2025
3 checks passed
jhfgloria added a commit that referenced this pull request Nov 7, 2025
* chore: change module main entry (#57)

* Chore: migrate backstage-plugin to new frontend system (#61)

* chore: migrate backstage-plugin to new frontend system

* update licence placeholder

* changeset

* feat: Migrate entity EntityPagerDutySmall card to backstage UI #62  (#64)

* feat: Migrate the relevant components of PagerDutySmallCard to Backstage UI

* chore: Adjust unit tests after migrating EntityPagerDutySmallCard

* chore: Update the imports of backstage ui css

* style: Remove useless line breaks

* chore: Fix failing unit tests

* feat: Include backstage ui css in the app package

* fix: Adjust styles for dark theme

* docs: Add tests for dark theme to the PR checklist

* chore: remove remainings of old backend system (#63)

* chore: remove remainings of old backend system

* changeset

* feat: Migrate PagerDutyCard to Backstage UI (#65)

* feat: Migrate PagerDutyCard to backstage UI

* chore: Add changeset

* chore: Add changeset

* chore: Get rid of wrong changeset

* chore: fix `package.json` metadata (#68)

* Fix package.json metadata

* Update .changeset/sad-teeth-show.md

Co-authored-by: Copilot <[email protected]>

---------

Co-authored-by: Copilot <[email protected]>

* feat: Migrate PagerDutyPage to Backstage UI (#67)

* feat: Migrate PagerDutyPage to Backstage UI

* chore: Undo entities.yaml

* fix: Fix margins and use className instead of style

* Implement NFS best practices (#74)

* implement nfs best practices

* apply pr recommendations

* move backstage/ui back to dependencies

* apply pr suggestions

* Add CODEOWNERS file for repository ownership (#73) (#76)

Co-authored-by: Chris Micacchi <[email protected]>

* feat: Update the backstage plugin readme (#79)

* feat: Update the backstage plugin readme

* feat: Swap the order in the readme for backstage and portal

* feat: Add file an issue link to the readme

* feat: Add links to nested readmes

* chore: Add changeset

* chore: Get rid of past changesets (#81)

* fix: remove the backstage ui css imports from frontend plugin (#86)

* feat: Allow default Backstage auth policy on plugin route (#72)

* feat: Allow default Backstage auth policy on plugin route

* remove old changesets

* fix: update backstage ui to fix broken widget

* changeset

---------

Co-authored-by: sandornagy517 <[email protected]>
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Chris Micacchi <[email protected]>
Co-authored-by: Jordan Kueh <[email protected]>