Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add directive to validate auth token #123

Merged
merged 9 commits into from
Dec 14, 2023
Merged

feat: add directive to validate auth token #123

merged 9 commits into from
Dec 14, 2023

Conversation

Rudge
Copy link
Contributor

@Rudge Rudge commented Nov 17, 2023

What problem is this solving?

Some operations that return sensitive information don't validate the admin or store token. So I added the directive @checkUserAccess to validate the token before calling the operation.

I improved the log warning for token validation by logging the operation that has an invalid token.

The operations were previously mapped in the task, and with the directive that was added @auditAcess.

How should this be manually tested?

  • Call the operation without cookie and header
curl --location 'https://b2bsuite.myvtex.com/_v/private/graphql/v1' \
--header 'Content-Type: application/json' \
--data '{
    "query": "query users {\n listAllUsers {\n id\n orgId\n costId\n name\n email\n roleId\n userId\n }\n }",
    "variables": {}
}'

Workspace

Rudge added 2 commits November 17, 2023 13:25
@Rudge
feat: add directive to validate auth token
fad516a 
- adjust validation log to map the operation

jira: B2BTEAM-1287
@Rudge
chore: update changelog
69f55cf
@vtex-io-ci-cd VTEX IO CI/CD
Copy link

vtex-io-ci-cd bot commented Nov 17, 2023
edited by Rudge
Loading

Hi! I'm VTEX IO CI/CD Bot and I'll be helping you to publish your app! 🤖

Please select which version do you want to release:

  • Patch (backwards-compatible bug fixes)

  • Minor (backwards-compatible functionality)

  • Major (incompatible API changes)

And then you just need to merge your PR when you are ready! There is no need to create a release commit/tag.

  • No thanks, I would rather do it manually 😞

@vtex-io-docs-bot
Copy link

vtex-io-docs-bot bot commented Nov 17, 2023
edited by Rudge
Loading

Beep boop 🤖

I noticed you didn't make any changes at the docs/ folder

  • There's nothing new to document 🤔
  • I'll do it later 😞

In order to keep track, I'll create an issue if you decide now is not a good time

  • I just updated 🎉🎉

@Rudge Rudge requested a review from a team November 17, 2023 16:39
@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 17, 2023
edited
Loading

Messages
📖 ❤️ Thanks!
📖

🎉 PR additions = 209, PR deletions = 162

Generated by 🚫 dangerJS against e98efe3

mairatma
mairatma reviewed Nov 17, 2023
View reviewed changes
Copy link
Contributor

@mairatma mairatma left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code lgtm, but just to be sure: did the metrics from the existing @auditAccess directive already show that we can turn on this token validation without breaking existing stores? Just worried that this might cause problems for callers that are using it wrong, specially since we're near BF.

node/directives/checkUserAccess.ts Outdated Show resolved Hide resolved
@mairatma
Copy link
Contributor

Also, there's a check failing right now. It's just about selecting a checkbox on the doc question post from the bot though.

@Rudge Rudge force-pushed the feature/B2BTEAM-1287-add-token-validation branch from df08689 to b0ee130 Compare November 30, 2023 19:58
@Rudge Rudge requested review from a team, mairatma and ArthurTriis1 November 30, 2023 20:13
@Rudge Rudge force-pushed the feature/B2BTEAM-1287-add-token-validation branch from 462f71a to 883a8d7 Compare December 14, 2023 19:27
@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Kudos, no new issues were introduced!

0 New issues
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

@Rudge Rudge merged commit ac63dcc into master Dec 14, 2023
13 checks passed
@Rudge Rudge deleted the feature/B2BTEAM-1287-add-token-validation branch December 14, 2023 19:36
@vtex-io-ci-cd VTEX IO CI/CD
Copy link

vtex-io-ci-cd bot commented Dec 14, 2023

Your PR has been merged! App is being published. 🚀
Version 1.37.3 → 1.38.0

After the publishing process has been completed (check #vtex-io-releases) and doing A/B tests with the new version, you can deploy your release by running:

vtex deploy [email protected]

After that your app will be updated on all accounts.

For more information on the deployment process check the docs. 📖

@Rudge Rudge mentioned this pull request Dec 19, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mairatma mairatma mairatma approved these changes

@ArthurTriis1 ArthurTriis1 Awaiting requested review from ArthurTriis1

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Rudge @mairatma @ArthurTriis1