diff --git a/.changeset/poor-scissors-carry.md b/.changeset/poor-scissors-carry.md
new file mode 100644
index 0000000000..fd0d6e10e3
--- /dev/null
+++ b/.changeset/poor-scissors-carry.md
@@ -0,0 +1,6 @@
+---
+'@backstage/plugin-auth-backend': patch
+'@backstage/plugin-auth-node': patch
+---
+
+Only consider entities of kind `User` when using `findCatalogUser` with a filter query, unless an explicit `kind` filter is provided.
diff --git a/plugins/auth-backend/src/lib/resolvers/CatalogAuthResolverContext.ts b/plugins/auth-backend/src/lib/resolvers/CatalogAuthResolverContext.ts
index a4bd2203ae..1f4b2766e8 100644
--- a/plugins/auth-backend/src/lib/resolvers/CatalogAuthResolverContext.ts
+++ b/plugins/auth-backend/src/lib/resolvers/CatalogAuthResolverContext.ts
@@ -123,8 +123,17 @@ export class CatalogAuthResolverContext implements AuthResolverContext {
 const res = await this.catalogApi.getEntities({ filter }, { token });
 result = res.items;
 } else if ('filter' in query) {
+ const filter = [query.filter].flat().map(value => {
+ if (!('kind' in Object.keys(value).map(key => key.toLowerCase()))) {
+ return {
+ ...value,
+ kind: 'user',
+ };
+ }
+ return value;
+ });
 const res = await this.catalogApi.getEntities(
- { filter: query.filter },
+ { filter: filter },
 { token },
 );
 result = res.items;
diff --git a/plugins/auth-node/src/types.ts b/plugins/auth-node/src/types.ts
index d4cb0ac48e..1ee9e9cd96 100644
--- a/plugins/auth-node/src/types.ts
+++ b/plugins/auth-node/src/types.ts
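Review bot: In the CatalogAuthResolverContext.ts hunk, the new check `'kind' in Object.keys(value).map(key => key.toLowerCase())` applies `in` to an array, which tests index and property names rather than elements, so it is false for every filter and `kind: 'user'` is always merged in. A caller that passes its own `kind` has it overwritten by the spread (a differently cased key such as `Kind` ends up alongside the added `kind`), which contradicts the changeset text and the updated doc comment in plugins/auth-node/src/types.ts. For a sign-in lookup this appears to fail toward the stricter side, but the documented opt-out does not work; use `if (!Object.keys(value).some(key => key.toLowerCase() === 'kind')) {` and add a test that passes a filter carrying an explicit `kind`. `{ filter: filter }` can also be written `{ filter }`, matching the branch just above it. The enclosing method starts and ends outside the hunk.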
@@ -86,7 +86,7 @@ export type BackstageUserIdentity = {
 * If `annotations` are used, all annotations must be present and
 * match the provided value exactly. Only entities of kind `'User'` will be considered.
 *
- * If `filter` are used they are passed on as they are to the `CatalogApi`.
+ * If `filter` are used, only entities of kind `'User'` will be considered unless it is explicitly specified differently in the filter.
 *
 * Regardless of the query method, the query must match exactly one entity
 * in the catalog, or an error will be thrown.