Stop the IdentityAuthInjectorFetchMiddleware adding Bearer to the authorization header | Backstage | Page 1

vapid shadow Mar 30, 2023, 10:55 AM

#

I want to use Authorization: Basic ${token} but the IdentityAuthInjectorFetchMiddleware adds Bearer is there any way I can configure things to stop this behaviour?

weary radish Mar 30, 2023, 3:40 PM

#

The bearer auth is specifically the Backstage auth, to be clear - Basic is an entirely different thing

#

Bearer is part of the contract. Can't just switch that out, the receiving ends will break

#

But yes you can provide your own FetchApi that has a custom set of middlewares added. You just absolutely cannot use it for Backstage token auth

#

But backing up a bit - maybe you actually wanted to use the fetch api to talk to something entirely different, as in a third party service - is that what your end goal was?

#

Because if that's the case, just go ahead and use the fetch api just like you use plain fetch and add your Authorization header

#

It'll use that instead of injecting

#

https://github.com/backstage/backstage/blob/master/packages/core-app-api/src/apis/implementations/FetchApi/IdentityAuthInjectorFetchMiddleware.ts#L62

GitHub

backstage/IdentityAuthInjectorFetchMiddleware.ts at master · backst...

Backstage is an open platform for building developer portals - backstage/IdentityAuthInjectorFetchMiddleware.ts at master · backstage/backstage

vapid shadow Mar 31, 2023, 10:27 AM

#

@weary radish Thanks for the reply, I ended up doing this which is quite verbose

createApiFactory({
  api: fetchApiRef,
  deps: {
    configApi: configApiRef,
    identityApi: identityApiRef,
    discoveryApi: discoveryApiRef,
  },
  factory: ({ configApi, identityApi, discoveryApi }) => {
    return createFetchApi({
      middleware: [
        FetchMiddlewares.resolvePluginProtocol({
          discoveryApi,
        }),
        FetchMiddlewares.injectIdentityAuth({
          identityApi,
          config: configApi,
          header: {
            name: 'Authorization',
            value: token => `Basic ${token}`,
          },
        }),
      ],
    });
  },
}),

Is there a simpler way?

weary radish Mar 31, 2023, 10:30 AM

#

No that's it. But I gotta ask, why? It'll badly break expectations throughout the ecosystem unless I'm missing something with your approach

vapid shadow Mar 31, 2023, 10:31 AM

#

it is just for a demo. Basic auth is all I can expect the backend to have for this demo. We just want to show it is covered

#

so you mean this makes it basic auth everywhere the fetchApi is used?

#

can I create a basicAuth fetchAPI?

weary radish Mar 31, 2023, 10:42 AM

#

Yeah it affects all FetchApi use.

You control what the backend has in the form of auth middleware right? Can't you just add a custom middleware in the receiving end, for demo purposes, that just rejects the request if no token exists?

#

If you want to show just like that it exists and can work

#Stop the IdentityAuthInjectorFetchMiddleware adding Bearer to the authorization header