fix(auth): consider only entities of kind user when using findCatalogUser with filter query

Signed-off-by: Elias Rieb <e.rieb@posteo.de>

.changeset/poor-scissors-carry.md

@@ -0,0 +1,6 @@
+---
+'@backstage/plugin-auth-backend': patch
+'@backstage/plugin-auth-node': patch
+---
+
+Only consider entities of kind `User` when using `findCatalogUser` with a filter query, unless an explicit `kind` filter is provided.

plugins/auth-backend/src/lib/resolvers/CatalogAuthResolverContext.ts

@@ -123,8 +123,17 @@ export class CatalogAuthResolverContext implements AuthResolverContext {
       const res = await this.catalogApi.getEntities({ filter }, { token });
       result = res.items;
     } else if ('filter' in query) {
+      const filter = [query.filter].flat().map(value => {
+        if (!('kind' in Object.keys(value).map(key => key.toLowerCase()))) {
+          return {
+            ...value,
+            kind: 'user',
+          };
+        }
+        return value;
+      });
       const res = await this.catalogApi.getEntities(
-        { filter: query.filter },
+        { filter: filter },
         { token },
       );
       result = res.items;

plugins/auth-node/src/types.ts

@@ -86,7 +86,7 @@ export type BackstageUserIdentity = {
  * If `annotations` are used, all annotations must be present and
  * match the provided value exactly. Only entities of kind `'User'` will be considered.
  *
- * If `filter` are used they are passed on as they are to the `CatalogApi`.
+ * If `filter` are used, only entities of kind `'User'` will be considered unless it is explicitly specified differently in the filter.
  *
  * Regardless of the query method, the query must match exactly one entity
  * in the catalog, or an error will be thrown.