Skip to content

feat: Allow default Backstage auth policy on plugin route #72

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat: Allow default Backstage auth policy on plugin route #72

wants to merge 1 commit into from

Conversation

jkueh
Copy link

@jkueh jkueh commented Sep 4, 2025
edited
Loading

Description

This is a recreation of PagerDuty/backstage-plugin-backend#114.

Corresponding documentation update: PagerDuty/backstage-plugin-docs#14

Currently, any user that is able to access a Backstage instance that has the PagerDuty plugin installed can make proxied calls to the PagerDuty API without needing a user session in Backstage, e.g.

curl "https://${BACKSTAGE_HOST}/api/pagerduty/services"

The above will return a list of all the services in the account, and presumably can make other proxied API calls to the rest of the PagerDuty API, subject to the permissions of the API token available in Backstage.

This PR adds opt-in support to disable the unauthenticated policy, which Backstage's own documentation refers to as dangerous.

Ideally this would be more of an opt-out feature, but I don't have visibility into current usage of this plugin, so I'm leaving it as opt-in for now.

I've tested this in a local instance of Backstage, and can confirm I get an HTTP 401 when attempting to run the same curl command as above without a valid Authorization: Bearer ... header.

Affected plugin

  • backstage-plugin
  • backstage-plugin-backend
  • backstage-plugin-scaffolder-actions
  • backstage-plugin-entity-processor

Type of change

  • New feature (non-breaking change which adds functionality)
  • Fix (non-breaking change which fixes an issue)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist

If this is a breaking change 👇

  • I have documented the migration process
  • I have implemented necessary warnings (if it can live side by side)

Acknowledgement

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Disclaimer: We value your time and bandwidth. As such, any pull requests created on non-triaged issues might not be successful.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@jkueh