opslevel / backstage-plugin Goto Github PK

Hi,
I tried installing this plugin by following the steps mentioned here: https://github.com/OpsLevel/backstage-plugin
After I added all the configurations and started the backstage-app, I got this error:

When I tried to check which configuration step is causing this error, I realized this error prompts as soon as I added this plugin using below command:

yarn add --cwd packages/app backstage-plugin-opslevel-maturity

Please, let me if I am missing something @patrick-th @sabeerzaman and @sergio-opslevel.

Environment

Calls to graphql endpoint are insecure (see

Documentation requires us to use backstage proxy configuration which, by default since version 1.28, is now requiring to send backstage user jwt token via Authorization HTTP header. This is in direct conflict with opslevel proxy settings that sets a static opslevel api token. The workaround is to add credentials: dangerously-allow-unauthenticated in the proxy setting. However, this allows anyone on the internet to use our backstage instance as an unauthenticated proxy to our opslevel account.

A potential solution would be to add an oauth endpoint in opslevel, ask the backstage user to authenticate using backstage scmAuth api and use the oauth token in the graphql API. This would secure the endpoint and allow using credentials: dangerously-allow-unauthenticated without risk.

What did you do?

opslevel:
  baseUrl: 'https://app.opslevel.com'

proxy:
  endpoints:
    '/opslevel':
      target: 'https://app.opslevel.com'
      headers:
        X-Custom-Source: backstage
        Authorization: Bearer ${OPSLEVEL_API_KEY}
      allowedHeaders: ['GraphQL-Visibility']

What did you expect to happen?

Opslevel should ask user authentication instead of using a global token.

What actually happened?

Anyone can use a backstage instance configured with opslevel to bypass backstage's authentication and directly use the proxy configured opslevel api key.