PagerDuty / backstage-plugin

PagerDuty plugin for Backstage
https://pagerduty.github.io/backstage-plugin-docs/index.html
Apache License 2.0

Backend plugin for querying PagerDuty plugin #37

Closed jcoelho93 closed 5 months ago

jcoelho93 commented 7 months ago

Is your feature request related to a problem? Please describe.

As stated in the README of this project "the PagerDuty plugin requires the /pagerduty proxy endpoint be exposed by the Backstage backend as an unprotected endpoint". This raises some security concerns as it leaves the PagerDuty API open to anyone with access to Backstage, without the need to provide any credentials.

Describe the solution you'd like

Backstage documentation recommends using a backend plugin to mitigate this issue. See here

Anyone with access to your Backstage deployment will be able to make requests to the upstream service using the injected credentials. It is recommended that you instead create a backend plugin that forwards individual requests to the upstream service in a secure way

Describe alternatives you've considered

A likely easier alternative, but still not as safe, would be to log each request to the PagerDuty API with the user ID of the requester. This would at least give us a place to start to investigate any potential security incidents.
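The forwarding layer the quoted Backstage recommendation describes, combined with the per-requester logging from the alternative above, as an added example that is not the plugin's or Backstage's own code. It assumes the Backstage backend has already authenticated the caller and supplies an identity with a `userEntityRef`, that the frontend only needs the read-only routes in the allowlist, and that the PagerDuty token is held server-side; Express/Backstage router wiring is left out.

```typescript
// Added example: decide whether a frontend request may be forwarded to
// PagerDuty and, if so, build the upstream request with the server-held token.
// Assumed shapes (not from the plugin): Identity, the route allowlist, the token.

interface Identity { userEntityRef: string }          // e.g. "user:default/alice" (assumed)
interface UpstreamRequest { url: string; headers: Record<string, string> }
interface AuditEntry { user: string; method: string; path: string; allowed: boolean }

const UPSTREAM = 'https://api.pagerduty.com';

// Read-only PagerDuty routes the frontend needs (assumed allowlist). Anything
// else is refused, so a Backstage user cannot reach arbitrary PagerDuty APIs
// through the injected credential.
const ALLOWED: RegExp[] = [
  /^\/services\/[A-Z0-9]+$/,
  /^\/oncalls$/,
  /^\/incidents$/,
];

// Records who asked for what, allowed or not, so incidents can be investigated.
const auditLog: AuditEntry[] = [];

function buildUpstreamRequest(
  identity: Identity | undefined,
  method: string,
  path: string,
  query: Record<string, string>,
  token: string,
): UpstreamRequest | null {
  const user = identity?.userEntityRef ?? 'anonymous';
  const allowed =
    identity !== undefined &&            // unauthenticated callers are refused
    method === 'GET' &&                  // no mutation of incidents via this path
    ALLOWED.some(re => re.test(path));
  auditLog.push({ user, method, path, allowed });
  if (!allowed) return null;
  const qs = new URLSearchParams(query).toString();
  return {
    url: `${UPSTREAM}${path}${qs ? `?${qs}` : ''}`,
    headers: {
      Authorization: `Token token=${token}`,          // token never leaves the backend
      Accept: 'application/vnd.pagerduty+json;version=2',
    },
  };
}
```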

t1agob commented 5 months ago

This capability is now merged to main and will be launched in release 0.8.1.