feat: add directive to validate auth token and feature flag #122
Conversation
jira: B2BTEAM-1484
|
Hi! I'm VTEX IO CI/CD Bot and I'll be helping you to publish your app! 🤖 Please select which version do you want to release:
And then you just need to merge your PR when you are ready! There is no need to create a release commit/tag.
|
|
Beep boop 🤖 I noticed you didn't make any changes at the
In order to keep track, I'll create an issue if you decide now is not a good time
|
|
|
||
| if (adminUserAuthToken) { | ||
| try { | ||
| await identity.validateToken({ token: adminUserAuthToken }) |
There was a problem hiding this comment.
Can this cause us to send duplicated checks for validating these tokens? Or are we not already doing this validation on any of these fields today?
There was a problem hiding this comment.
It was implemented previously. I refactored it into a new function to reuse in another directive.
There was a problem hiding this comment.
I saw that, but I mean if there are other files that are doing these checks inside field resolvers. Some of the fields where you added this new checkAccessFeatureFlag directive may already be doing these checks internally, so we'd do it twice now, duplicating the work. If the only place doing this was the function you refactored than we should be good.
| throw new ForbiddenError('Unauthorized Access') | ||
| } | ||
| } | ||
| await checkUserOrAdminTokenAccess(context, field.astNode?.name?.value) |
There was a problem hiding this comment.
I think I'm missing something, here, but from what I understood we now have both directives:
@auditAccess. Always checks the token and throws errors when it's not present or valid.@checkAccessWithFeatureFlag. Does the same as the other one, but only when the feature flag is enabled.
Why have both? The auditAccess will already do the check and throw before checkAccessWithFeatureFlag ever runs right? Shouldn't we only have checkAccessWithFeatureFlag, so that we can control when the check is made? And having both will make us call vtexid/identity twice when the feature flag is enabled and the check passes, since we'll check the same thing that has been checked by the first directive.
I think I misunderstood something though, can you explain the idea of the two directives with more details?
There was a problem hiding this comment.
I think you said about the @checkUserAccess instead of @auditAccess, is it?
There was a problem hiding this comment.
@checkUserAccess - Validates the storeUserToken or adminToken, but is not applied for all operations.
@auditAccess - Generate metrics about the use of the operation and if it uses the token or not.
@checkAccessWithFeatureFlag - It was created for temporary use. We put in some operations with @auditAccess, without token validation, and mapped in the task. The intention is to control whether we can enable or disable token validation for these operations in production.
There was a problem hiding this comment.
Ah, got it! I was confusing auditAccess with checkUserAccess, then. I get it now!
There was a problem hiding this comment.
Final question then: will we be able to remove this auditAccess directive after all the missing access checks are fully launched? We won't need those metrics anymore when that happens right?
There was a problem hiding this comment.
Yes, this is the intention. I almost removed it in this PR, but I let it go for the next one.
I putted for all operations declared in this task and that has the |
There was a problem hiding this comment.
Some final comments before approving. They also apply for the other PR that's similar to this one.
Btw it would be nice if we could share this logic between these apps, but I don't have a good enough suggestion for now. Just throwing it for the future, we need to determine a way to share code between these B2B Suite IO apps, they have too much duplicated code already.
node/directives/checkUserAccess.ts
Outdated
| } catch (err) { | ||
| logger.warn({ | ||
| error: err, | ||
| message: `CheckUserAccess: Invalid admin token for ${operation}`, |
There was a problem hiding this comment.
My only remaining suggestion here is to remove this ${operation} text from these log messages. You already have the operation as one of the fields being logged here. It's a good practice to keep log messages static, without variables within them, using just fields instead. That helps analyze and aggregate them all, and you can use the field when you want to focus on the the differences between different operations. You'll also won't lose historic log data for these log messages, you'll just be adding a field to it.
There was a problem hiding this comment.
Same for the other log messages in this file.
There was a problem hiding this comment.
Yes, I know, but just a reminder that this is an IO app, so it isn't easy to add a new field to index. If everybody wants to put a new field, there is a problem.
node/directives/checkUserAccess.ts
Outdated
| error: err, | ||
| message: `CheckUserAccess: Invalid admin token for ${operation}`, | ||
| operation, | ||
| token: adminUserAuthToken, |
There was a problem hiding this comment.
Auth tokens shouldn't be logged, that's sensitive data so it's a security guideline never to log them.
There was a problem hiding this comment.
Same for the other log messages in this file.
There was a problem hiding this comment.
I agree, and I will remove it. The problem was in the previous solution.
- remove token from field and operation from message
Rudge
force-pushed
the
feature/B2BTEAM-1484-flag-enable-token-validation
branch
from
e38ab2b to
d8055a7
Compare
|
Kudos, SonarCloud Quality Gate passed!
|
|
We deployed the version without a feature flag and it doesn’t need to deploy this one. |
What problem is this solving?
Enable the auth token validation for insecure operations. Previously, we put the directive
@auditAccessand now we add the directive@checkAccessWithFeatureFlag.How to test it?