RoadieHQ / roadie-backstage-plugins

All Backstage plugins created by Roadie.
https://roadie.io
Apache License 2.0
251 stars, 371 forks

http:backstage:request action will throw out invalid plugin token error when call custom plugin #1464

Open RaoJackie123 opened 5 days ago

RaoJackie123 commented 5 days ago


Expected Behavior

When we use the http:backstage:request action, we would like to call an internal API from our custom plugin. It should work, as our frontend plugin can call it without any issue.

Current Behavior

However, when we call the internal API, it throws an invalid plugin token error like below: [image]

The issue happened after our Backstage upgrade to 1.28+. Currently we can only use the action to call the internal API from the Backstage catalog plugin without any issue.

Steps to Reproduce

Possible Solution

We did some investigation into the issue and found some reasons:

  1. In the latest Backstage, the auth method has been changed: https://backstage.io/docs/auth/service-to-service-auth/#standard-plugin-to-plugin-auth
  2. Currently the action code uses the ctx.secrets.backstageToken as the token: https://github.com/RoadieHQ/roadie-backstage-plugins/blob/9684eb1480dd3586b7a320724a7b90d3d192c360/plugins/scaffolder-actions/scaffolder-backend-module-http-request/src/actions/run/backstageRequest.ts#L120
  3. In the Backstage scaffolder-backend plugin, the secrets.backstageToken is hardcoded to the catalog plugin only: https://github.com/backstage/backstage/blob/96e143f744160f2a581bef4b691209a5a04fcd55/plugins/scaffolder-backend/src/service/router.ts#L478 https://github.com/backstage/backstage/blob/96e143f744160f2a581bef4b691209a5a04fcd55/plugins/scaffolder-backend/src/service/router.ts#L541

That's why we are only able to call the catalog plugin API with this action. I think we can update our token logic to get the target plugin token with the standard method:

const { token } = await auth.getPluginRequestToken({
  onBehalfOf: credentials,
  targetPluginId: '', // e.g. 'catalog'
});

Context

Your Environment
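
The token scoping described in the comment above, and the per-target token it proposes, as an added example that is not part of the original issue or of the Roadie or Backstage code. `Credentials`, `PluginAuth`, the unsigned toy token and the `/api/<pluginId>/...` path shape are assumptions made for illustration; only the `getPluginRequestToken({ onBehalfOf, targetPluginId })` call shape comes from the issue.

```typescript
// Added example: local stand-ins, not Backstage's or Roadie's own types.
type Credentials = { principal: string };

// The single AuthService method quoted in the issue, reduced to its call shape.
interface PluginAuth {
  getPluginRequestToken(opts: {
    onBehalfOf: Credentials;
    targetPluginId: string;
  }): Promise<{ token: string }>;
}

// Assumption: request paths look like /api/<pluginId>/...; anything else is
// refused rather than silently falling back to a catalog-scoped token.
function targetPluginIdFromPath(path: string): string {
  const id = /^\/api\/([a-z0-9][a-z0-9-]*)(?:\/|$)/.exec(path)?.[1];
  if (!id) throw new Error(`cannot derive target plugin from path: ${path}`);
  return id;
}

// Toy token (unsigned JSON). It models only the audience binding.
function mintToyToken(sub: string, aud: string): string {
  return JSON.stringify({ sub, aud });
}

// Receiving plugin's check: a token minted for another plugin is rejected.
function acceptsToken(receiverPluginId: string, token: string): boolean {
  const { aud } = JSON.parse(token) as { aud?: string };
  return aud === receiverPluginId;
}

// Constructed in-memory auth service used to exercise the flow offline.
const toyAuth: PluginAuth = {
  async getPluginRequestToken({ onBehalfOf, targetPluginId }) {
    return { token: mintToyToken(onBehalfOf.principal, targetPluginId) };
  },
};

// Proposed flow: mint a token per request for the plugin that owns the path.
async function tokenForRequest(
  auth: PluginAuth,
  credentials: Credentials,
  path: string,
): Promise<string> {
  const { token } = await auth.getPluginRequestToken({
    onBehalfOf: credentials,
    targetPluginId: targetPluginIdFromPath(path),
  });
  return token;
}
```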

yangcao77 commented 2 days ago

This error has also been seen due to the ctx.secrets.backstageToken change: https://github.com/backstage/backstage/issues/25096

In addition, I have my proxy config set as follows:

proxy:
  endpoints:
    '/gitlab':
      target: 'https://gitlab.com/api/v4'
      headers:
        content-type: 'application/json'
        Authorization: 'Bearer {token}'
      changeOrigin: true
      # Change to "false" in case of using self hosted instance with a self-signed certificate
      secure: true

and get the following error:

 401 Response body: {"error":{"name":"AuthenticationError","message":"Illegal token","stack":"AuthenticationError: Illegal token\n

Does the plugin try to override the authentication token even if the Authentication header has already been set in the proxy config?

RaoJackie123 commented 2 days ago

So, I think this should be a bug for the action, I will try to create a PR on this.