🐛 Bug Report: Front-end config is available to unauthorized users #27492
Comments
Hi @AhrazA, perhaps this could help? https://backstage.io/docs/tutorials/enable-public-entry
Hey @awanlin, thanks for your input. This looks like exactly what we are after. Unfortunately, the instructions provided did not work for me and there are no working examples I can find that demonstrate how to get it working. We are on Backstage version 1.31.1. I followed the steps on how to get this working for the new frontend system and ended up with this:

```tsx
import React from 'react';
import ReactDOM from 'react-dom/client';
import { SignInPage } from '@backstage/core-components';
import { microsoftAuthApiRef } from '@backstage/core-plugin-api';
import { SignInPageBlueprint, createFrontendModule } from '@backstage/frontend-plugin-api';
import { createPublicSignInApp } from '@backstage/frontend-defaults';

// Sign-in page extension for the new frontend system, backed by the Microsoft provider.
const microsoftSignInPage = SignInPageBlueprint.make({
  name: 'microsoft',
  params: {
    loader: async () => props => {
      return (
        <SignInPage
          {...props}
          auto
          provider={{
            id: 'microsoft-auth-provider',
            title: 'Microsoft Entra ID',
            message: 'Sign in using your account',
            apiRef: microsoftAuthApiRef,
          }}
        />
      );
    },
  },
});

// Wrap the extension in a frontend module for the 'app' plugin.
const signInPageModule = createFrontendModule({
  pluginId: 'app',
  extensions: [microsoftSignInPage],
});

// Public sign-in app: only the sign-in page is served before authentication.
const app = createPublicSignInApp({
  features: [signInPageModule],
});

ReactDOM.createRoot(document.getElementById('root')!).render(app.createRoot());
```

This results in the following error when trying to load the page:

Seems like

I have also tried this with the default starter (
📜 Description
The backend injects the front-end config into the bundle upon initialization here.
The issue is that this configuration is available to users before authentication. It can reveal details about various integrations enabled in Backstage and other internal data that should not be shared with unauthorized users. For example, the Backstage demo configuration contains cost metrics that, in an ideal case, should not be shared with unauthorized parties.
👍 Expected behavior
The front-end app config is not available to users prior to authorization.
👎 Actual Behavior with Screenshots
When navigating to the sign in page as an unauthorized user of a Backstage instance with auth providers configured, the entire front-end app config is available.
👟 Reproduction steps
1. `npx @backstage/create-app@latest`
2. `yarn build:all`
3. `yarn start-backend`
4. Inspect the `script` tag in `index.html` with `type="backstage.io/config"`.
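The following is an added example, not code from this issue or from the Backstage project: a small audit that parses the HTML served to an unauthenticated visitor, extracts the injected `backstage.io/config` script tag described above, and reports every config key that is not on an operator-supplied allow-list. It assumes the injected tag holds a JSON array of `{ context, data }` entries (check this against your own `index.html`), and the sample HTML, its config values and the allow-list of prefixes are constructed for the demonstration. Running it against your deployment before and after enabling the public entry point shows what still leaks.

```javascript
// Added example, not from the issue or the Backstage code base: audit the HTML a
// Backstage deployment serves to an unauthenticated visitor for the injected
// front-end config described in this report.
//
// Assumption: the backend injects the config as
//   <script type="backstage.io/config">[{ "context": "...", "data": { ... } }]</script>
// where each entry's `data` is the config tree. Verify against your own index.html.
const CONFIG_TAG_RE = /<script\s+type="backstage\.io\/config"[^>]*>([\s\S]*?)<\/script>/i;

// Returns the parsed config array, or null when no config tag is present.
function extractInjectedConfig(html) {
  const match = CONFIG_TAG_RE.exec(html);
  return match ? JSON.parse(match[1]) : null;
}

// Flattens a config object into dotted key paths; arrays and scalars are leaves.
function flattenKeys(obj, prefix = '') {
  const keys = [];
  for (const [key, value] of Object.entries(obj)) {
    const path = prefix ? `${prefix}.${key}` : key;
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      keys.push(...flattenKeys(value, path));
    } else {
      keys.push(path);
    }
  }
  return keys;
}

// Compares the exposed keys against the prefixes the operator expects an
// unauthenticated visitor to see, and reports everything else as unexpected.
function auditPublicEntry(html, allowedPrefixes) {
  const configs = extractInjectedConfig(html);
  if (configs === null) return { injected: false, exposed: [], unexpected: [] };
  const exposed = configs.flatMap(entry => flattenKeys(entry.data || {}));
  const allowed = key => allowedPrefixes.some(p => key === p || key.startsWith(`${p}.`));
  return { injected: true, exposed, unexpected: exposed.filter(key => !allowed(key)) };
}

// Constructed sample (hypothetical values) of an index.html that leaks more
// than the sign-in page needs: an internal integration host and cost metrics.
const SAMPLE_CONFIG = [{
  context: 'app',
  data: {
    app: { baseUrl: 'http://localhost:3000', title: 'Example Backstage' },
    backend: { baseUrl: 'http://localhost:7007' },
    auth: { environment: 'development' },
    integrations: { github: [{ host: 'github.example.internal' }] },
    costInsights: { engineerCost: 123 },
  },
}];
const SAMPLE_HTML = `<!doctype html><html><head>
<script type="backstage.io/config">${JSON.stringify(SAMPLE_CONFIG)}</script>
</head><body><div id="root"></div></body></html>`;

// Prefixes the sign-in page legitimately needs (assumed allow-list; adjust per deployment).
const EXPECTED_PUBLIC_PREFIXES = ['app.baseUrl', 'app.title', 'backend.baseUrl', 'auth'];

if (typeof require !== 'undefined' && require.main === module) {
  // Prints { injected: true, exposed: [...6 keys], unexpected: ['integrations.github', 'costInsights.engineerCost'] }
  console.log(auditPublicEntry(SAMPLE_HTML, EXPECTED_PUBLIC_PREFIXES));
}
if (typeof module !== 'undefined') {
  module.exports = { extractInjectedConfig, flattenKeys, auditPublicEntry, SAMPLE_HTML, EXPECTED_PUBLIC_PREFIXES };
}
```

The allow-list is deliberately prefix-based so that a whole subtree such as `auth` can be accepted while individual keys like `app.baseUrl` are accepted one at a time; a clean result for the public entry point is either no tag at all or an empty `unexpected` list.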
📃 Provide the context for the Bug.
No response
🖥️ Your Environment
No response
Are you willing to submit PR?
No, I don't have time to work on this right now