cfaccess: fallback to identity email when constructing the user profile

Signed-off-by: Tyler Davis <tylerd@canva.com>

.changeset/fast-seas-hunt.md

@@ -0,0 +1,5 @@
+---
+'@backstage/plugin-auth-backend-module-cloudflare-access-provider': patch
+---
+
+Fallback to email from cfIdentity when constructing user profile for Service Token support.

plugins/auth-backend-module-cloudflare-access-provider/src/authenticator.test.ts

@@ -18,7 +18,7 @@ import { mockServices } from '@backstage/backend-test-utils';
 import { createCloudflareAccessAuthenticator } from './authenticator';
 
 describe('authenticator', () => {
-  it('createCloudflareAccessAuthenticator works', async () => {
+  it('works for normal users', async () => {
     const auth = createCloudflareAccessAuthenticator({
       cache: mockServices.cache.mock(),
     });
@@ -38,4 +38,25 @@ describe('authenticator', () => {
       },
     });
   });
+
+  it('works for service tokens', async () => {
+    const auth = createCloudflareAccessAuthenticator({
+      cache: mockServices.cache.mock(),
+    });
+
+    const profile = await auth.defaultProfileTransform(
+      {
+        cfIdentity: { name: 'Name', email: 'hello@example.com' } as any,
+        claims: {} as any,
+        token: 'fake',
+      },
+      {} as any,
+    );
+    expect(profile).toEqual({
+      profile: {
+        displayName: 'Name',
+        email: 'hello@example.com',
+      },
+    });
+  });
 });

plugins/auth-backend-module-cloudflare-access-provider/src/authenticator.ts

@@ -38,7 +38,7 @@ export function createCloudflareAccessAuthenticator(options?: {
     async defaultProfileTransform(result: CloudflareAccessResult) {
       return {
         profile: {
-          email: result.claims.email,
+          email: result.claims.email ?? result.cfIdentity.email,
           displayName: result.cfIdentity.name,
         },
       };