
feat: add new directive to validate auth token with feature flag #138

Closed

Conversation

@Rudge (Contributor) commented Nov 14, 2023

What problem is this solving?

Enable auth token validation for insecure operations. Previously we added the @auditAccess directive; now we add the @checkAccessWithFeatureFlag directive.

How to test it?

  • Configure the feature flag in masterdata (create the config document with the flag disabled):

    curl --location 'https://tokenvalidation--b2bsuite.vtexcommercestable.com.br/api/dataentities/auth_validation_config/documents' \
    --header 'VtexIdclientAutCookie: {{TOKEN}}' \
    --header 'Content-Type: application/json' \
    --data '{
        "id": "b2b-organizations-graphql",
        "enable": false
    }'

  • Update the config (enable the flag):

    curl --location --request PATCH 'https://tokenvalidation--b2bsuite.vtexcommercestable.com.br/api/dataentities/auth_validation_config/documents/b2b-organizations-graphql' \
    --header 'VtexIdclientAutCookie: {{TOKEN}}' \
    --header 'Content-Type: application/json' \
    --data '{
        "enable": true
    }'

  • Call an operation that has the new directive.

  • We called getOrganizationByIdStorefront in the performance test; the difference between the two runs was 100 ms for the average, 90 ms for the median, and 160 ms for P95.

    scenarios: (100.00%) 1 scenario, 2 max VUs, 45s max duration (incl. graceful stop):
    * default: 2 looping VUs for 15s (gracefulStop: 30s)

  • Performance test without querying masterdata to get the feature flag:

 checks.........................: 100.00% ✓ 68       ✗ 0
 data_received..................: 104 kB  6.8 kB/s
 data_sent......................: 281 kB  18 kB/s
 http_req_blocked...............: avg=1.39ms   min=0s       med=0s       max=48.89ms p(90)=1µs      p(95)=1µs
 http_req_connecting............: avg=199.76µs min=0s       med=0s       max=6.79ms  p(90)=0s       p(95)=0s
 http_req_duration..............: avg=447.16ms min=283.85ms med=334.7ms  max=2.01s   p(90)=678.68ms p(95)=846.22ms
   { expected_response:true }...: avg=447.16ms min=283.85ms med=334.7ms  max=2.01s   p(90)=678.68ms p(95)=846.22ms
 http_req_failed................: 0.00%   ✓ 0        ✗ 68
 http_req_receiving.............: avg=78.76µs  min=36µs     med=57.5µs   max=440µs   p(90)=126.9µs  p(95)=164.69µs
 http_req_sending...............: avg=159.45µs min=94µs     med=126µs    max=827µs   p(90)=269.1µs  p(95)=310.29µs
 http_req_tls_handshaking.......: avg=853.38µs min=0s       med=0s       max=30.62ms p(90)=0s       p(95)=0s
 http_req_waiting...............: avg=446.92ms min=283.48ms med=334.41ms max=2.01s   p(90)=678.5ms  p(95)=846.04ms
 http_reqs......................: 68      4.449138/s
 iteration_duration.............: avg=448.76ms min=284.06ms med=334.94ms max=2.01s   p(90)=691.53ms p(95)=846.38ms
 iterations.....................: 68      4.449138/s
 vus............................: 2       min=2      max=2
 vus_max........................: 2       min=2      max=2
  • Performance test with querying masterdata to get the feature flag:

 checks.........................: 100.00% ✓ 55       ✗ 0
 data_received..................: 87 kB   5.7 kB/s
 data_sent......................: 227 kB  15 kB/s
 http_req_blocked...............: avg=6.07ms   min=0s       med=1µs      max=167.95ms p(90)=1µs      p(95)=1µs
 http_req_connecting............: avg=300.87µs min=0s       med=0s       max=8.4ms    p(90)=0s       p(95)=0s
 http_req_duration..............: avg=542.62ms min=359.82ms med=424.6ms  max=2.16s    p(90)=793.51ms p(95)=1.03s
   { expected_response:true }...: avg=542.62ms min=359.82ms med=424.6ms  max=2.16s    p(90)=793.51ms p(95)=1.03s
 http_req_failed................: 0.00%   ✓ 0        ✗ 55
 http_req_receiving.............: avg=67.05µs  min=47µs     med=60µs     max=156µs    p(90)=90.6µs   p(95)=101.09µs
 http_req_sending...............: avg=165.09µs min=97µs     med=128µs    max=1.36ms   p(90)=195.2µs  p(95)=264.49µs
 http_req_tls_handshaking.......: avg=1.01ms   min=0s       med=0s       max=29.21ms  p(90)=0s       p(95)=0s
 http_req_waiting...............: avg=542.39ms min=359.55ms med=424.38ms max=2.16s    p(90)=793.3ms  p(95)=1.03s
 http_reqs......................: 55      3.633857/s
 iteration_duration.............: avg=548.92ms min=360.1ms  med=424.77ms max=2.32s    p(90)=808.77ms p(95)=1.06s
 iterations.....................: 55      3.633857/s
 vus............................: 2       min=2      max=2
 vus_max........................: 2       min=2      max=2
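As an added example (not code from this PR or from the b2b-organizations-graphql project), the shape of the check the steps above exercise: a resolver wrapper that reads an `{id, enable}` document like the one created by the first curl call, caches it for a TTL so masterdata is not queried on every request (the roughly 100 ms difference between the two k6 runs above is the cost of a per-request lookup), validates the token only when the flag is on, and logs a rejection without the token value. The masterdata client and token validator are synchronous stand-ins; `FlagStore`, `CachedFlag`, `withFeatureFlaggedAccess` and the fail-closed behaviour on a store error are assumptions made for this example, not the project's API.

```typescript
// Added example, not the project's code. All names are assumptions.

interface FlagDocument { id: string; enable: boolean }

// Stand-in for the masterdata data-entity client (a real one would be async).
interface FlagStore { getDocument(entity: string, id: string): FlagDocument | null }

// Stand-in for the auth token validator: true when the token is valid.
type TokenValidator = (token: string | undefined) => boolean

type LogEntry = Record<string, unknown>

// Caches the feature flag for ttlMs so masterdata is not hit on every request.
class CachedFlag {
  private value: boolean | null = null
  private expiresAt = 0
  lookups = 0 // how many times the store was actually queried

  constructor(
    private readonly store: FlagStore,
    private readonly entity: string,
    private readonly id: string,
    private readonly ttlMs: number,
    private readonly now: () => number = () => Date.now(),
  ) {}

  isEnabled(): boolean {
    const t = this.now()
    if (this.value !== null && t < this.expiresAt) return this.value
    this.lookups++
    let enabled: boolean
    try {
      // A missing document counts as "not enabled" (the PR creates it with enable=false).
      enabled = this.store.getDocument(this.entity, this.id)?.enable === true
    } catch {
      // Store unavailable: keep the last known value, otherwise fail closed
      // (enforce validation). Design choice for this example.
      enabled = this.value ?? true
    }
    this.value = enabled
    this.expiresAt = t + this.ttlMs
    return enabled
  }
}

interface RequestContext { token?: string; log: (entry: LogEntry) => void }

// Wraps a resolver the way a schema directive would: with the flag on, an invalid or
// missing token rejects the operation; with the flag off, the resolver runs as before.
function withFeatureFlaggedAccess<T>(
  operation: string,
  flag: CachedFlag,
  validate: TokenValidator,
  resolve: (ctx: RequestContext) => T,
): (ctx: RequestContext) => T {
  return (ctx) => {
    if (flag.isEnabled() && !validate(ctx.token)) {
      // Log the operation and the outcome only; never the token itself.
      ctx.log({ message: 'CheckAccessWithFeatureFlag: invalid auth token', operation })
      throw new Error('Unauthorized')
    }
    return resolve(ctx)
  }
}

// Constructed demo: in-memory store, fake validator, manual clock.
function demo() {
  const entity = 'auth_validation_config'
  const id = 'b2b-organizations-graphql'
  const docs = new Map<string, FlagDocument>([[id, { id, enable: false }]])
  const store: FlagStore = { getDocument: (_entity, docId) => docs.get(docId) ?? null }
  let clock = 0
  const flag = new CachedFlag(store, entity, id, 10_000, () => clock)
  const validate: TokenValidator = (tok) => tok === 'valid-token' // constructed
  const logs: LogEntry[] = []
  const log = (e: LogEntry) => { logs.push(e) }
  const getOrganization = withFeatureFlaggedAccess(
    'getOrganizationByIdStorefront', flag, validate, () => ({ id: 'org-1' }),
  )

  // Flag off: a bogus token is still allowed through.
  const offBadToken = getOrganization({ token: 'bogus', log })
  // Flip the flag (like the PATCH call); the cached value is served until the TTL expires.
  docs.set(id, { id, enable: true })
  const cachedBadToken = getOrganization({ token: 'bogus', log })
  clock = 10_001
  let onBadTokenRejected = false
  try { getOrganization({ token: 'bogus', log }) } catch { onBadTokenRejected = true }
  const onGoodToken = getOrganization({ token: 'valid-token', log })
  return { offBadToken, cachedBadToken, onBadTokenRejected, onGoodToken, lookups: flag.lookups, logs }
}
```

`demo()` makes four resolver calls but only two store lookups, and the single rejection log entry carries `operation` but no `token` key, which is the log shape the reviewers ask for later in this thread.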


@Rudge Rudge requested a review from a team November 15, 2023 17:59
SonarCloud Quality Gate passed: 0 Bugs, 0 Vulnerabilities, 0 Security Hotspots, 0 Code Smells (all rated A); 3.4% coverage, 0.0% duplication.

@enzomerca (Contributor) left a comment:

Could you add a comment on this PR explaining why some operations do not have the new @checkAccessWithFeatureFlag directive? e.g. getOrganizationByIdStorefront has but getCostCentersByOrganizationIdStorefront does not.

@@ -1,6 +1,7 @@
import axios from 'axios'

const ANALYTICS_URL = 'https://rc.vtex.com/api/analytics/schemaless-events'
const ANALYTICS_URL =
'https://analytics.vtex.com/api/analytics/schemaless-events'
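Review bot: the reason for switching ANALYTICS_URL from rc.vtex.com to analytics.vtex.com is not stated in the PR description, and the hunk itself only swaps the constant. Add a one-line comment above the constant recording the rule quoted in the reply below (analytics.vtex.com for applications on the VTEX network, rc.vtex.com for applications outside it) so the change is not reverted by the next reader, and since the destination host for these events changes, confirm the payloads sent there carry no auth token or other secrets.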
Contributor comment on the diff:

Why did this change? What is the difference between the rc and analytics URLs?

@Rudge (Contributor, Author) replied Nov 16, 2023:

I found some issues with using rc and the documentation suggests using analytics.

"This can be done by sending events to the following endpoint: https://analytics.vtex.com/api/analytics/schemaless-events (For applications on the VTEX Network) or to https://rc.vtex.com/api/analytics/schemaless-events (For applications outside the VTEX Network, such as Front End Applications)"

@mairatma (Contributor) left a comment:

Hey @Rudge , before merging can you take a look at my comment on the other similar PR here?

@Rudge (Contributor, Author) commented Nov 16, 2023:

> Could you add a comment on this PR explaining why some operations do not have the new @checkAccessWithFeatureFlag directive? e.g. getOrganizationByIdStorefront has but getCostCentersByOrganizationIdStorefront does not.

Good point. I added it to getOrganizationByIdStorefront but had not mapped getCostCentersByOrganizationIdStorefront previously. I will add it and review based on B2BTEAM-1285.

@Rudge Rudge requested review from mairatma and enzomerca November 23, 2023 15:04
@@ -78,26 +88,29 @@ type Query {
getPaymentTerms: [PaymentTerm]
@cacheControl(scope: PUBLIC, maxAge: SHORT)
@auditAccess

@checkAccessWithFeatureFlag
getOrganizationsByEmail(email: String): [B2BOrganization]
@checkUserAccess
@cacheControl(scope: PRIVATE)
@auditAccess
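Review bot: getPaymentTerms now carries @cacheControl(scope: PUBLIC, maxAge: SHORT) together with @checkAccessWithFeatureFlag. A PUBLIC cache scope allows a response to be served from a shared cache, so confirm the access directive is evaluated before any cache hit (or switch the scope to PRIVATE as getOrganizationsByEmail already does); otherwise, once the flag is enabled, a cached response bypasses the token check. Also, getOrganizationsByEmail keeps @checkUserAccess without the new directive; a short schema comment stating that @checkUserAccess already validates the token would document that asymmetry for the next reader.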
@enzomerca (Contributor) commented Nov 23, 2023:

getOrganizationsByEmail is on https://vtex-dev.atlassian.net/browse/B2BTEAM-1285 but we did not add the @checkAccessWithFeatureFlag for it

@Rudge (Contributor, Author) replied Nov 27, 2023:

It is not necessary because there is already a directive @checkUserAccess. I am removing it from the task.

@Rudge Rudge requested a review from enzomerca November 27, 2023 17:22
error: err,
message: `CheckUserAccess: Invalid admin token for ${operation}`,
operation,
token,
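Review bot: the log object includes the raw `token` field next to `operation` and `message: \`CheckUserAccess: Invalid admin token for ${operation}\``, which writes a credential into the logging platform every time validation fails. Drop the `token` field (and, per the reviewer comment that follows, the operation from the message text, matching the storefront-permissions change); if correlation across log lines is needed, log a non-reversible identifier rather than the token.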
Contributor comment on the diff:

This PR is just missing the changes you made on that other similar for storefront-permissions, where you removed the token field from the logs and also removed operation from the log messages.

@mairatma (Contributor) left a comment:

Leaving this approved, but don't forget the log adjustments, ok?

@Rudge Rudge changed the title feat: add new directive to validate auth token feat: add new directive to validate auth token with feature flag Nov 30, 2023
@Rudge (Contributor, Author) commented Dec 19, 2023:

We deployed the version without a feature flag, so this one doesn't need to be deployed.

@Rudge Rudge closed this Dec 19, 2023