
fix(authentication): make cookie name unique between environments #2091

Conversation

@subotic subotic commented Jul 1, 2022

Resolves DEV-994

PR Checklist

Please check if your PR fulfills the following requirements:

  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been added / updated (for bug fixes / features)

PR Type

What kind of change does this PR introduce?

  • Bugfix
  • Feature
  • Code style update (formatting, local variables)
  • Refactoring (no functional changes, no api changes)
  • Build related changes
  • CI related changes
  • Documentation content changes
  • Other... Please describe:

What is the current behavior?

Issue Number: DEV-994

What is the new behavior?

Does this PR introduce a breaking change?

  • Yes
  • No

Other information

@subotic subotic self-assigned this Jul 7, 2022

@BalduinLandolt BalduinLandolt left a comment


LGTM

host_port = webapi_hostname .. ':' .. webapi_port
server.log("host_port: " .. host_port, server.loglevel.LOG_DEBUG)

local customPadMap = { "", "999999", "9999", "999", "9" }
Collaborator


just out of curiosity: what's the deal with this padMap?

Collaborator Author

@subotic subotic Jul 7, 2022


The standard padding is `=`, which is not allowed, because then the header is going to be something like KnoraAuthenticationDFJSKLFJDSLJ===JWT. No additional equal signs are allowed. This is why I changed it to `9`, which is not used as part of the alphabet in the algorithm.

Comment on lines +180 to +182
"succeed with generating the name" in {
Authenticator.calculateCookieName(settings) should equal("KnoraAuthenticationGAXDALRQFYYDUMZTGMZQ9999")
}
Collaborator


is there an unhappy path that you could test? (if you made a copy of the settings where the .externalKnoraApiHostPort is an empty string or an invalid value, you'd expect a certain error, right?)

Collaborator Author


No, the code expects this to be a valid thing. If this is not valid, then the whole API would not work. This would be something to test in the config, or something for a value object.
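The cookie-name derivation discussed in this thread, written out as an added Python example (not code from the PR, whose own code is Scala and Lua): base32 of the host:port with the `=` padding replaced by `9`, computed once with a plain replace and once the way the Lua pad map does it, plus a check that the result is a legal cookie-name token. The host `0.0.0.0:3333` is an assumption: it is what the expected string in the test decodes to.

```python
import base64

# Prefix and pad map as they appear on the page (Lua table, 1-based there).
COOKIE_NAME_PREFIX = "KnoraAuthentication"
CUSTOM_PAD_MAP = ["", "999999", "9999", "999", "9"]  # index = len(data) % 5

# Cookie names are RFC 6265 tokens: printable ASCII except these separators.
# '=' is among them, which is why plain base32 padding cannot be used.
_SEPARATORS = set('()<>@,;:\\"/[]?={} \t')


def calculate_cookie_name(host_port: str) -> str:
    """Cookie name derived from host:port, as the PR's test expects.

    A different host:port yields a different name, so a cookie set by the
    production domain is not picked up as the auth cookie of another
    environment.
    """
    encoded = base64.b32encode(host_port.encode("utf-8")).decode("ascii")
    return COOKIE_NAME_PREFIX + encoded.replace("=", "9")


def calculate_cookie_name_padmap(host_port: str) -> str:
    """Same result built like the Lua side: unpadded base32 plus the pad-map
    entry for the input length's remainder modulo 5 (base32 works on 5-byte
    groups, so that remainder fixes how many '=' standard base32 would emit)."""
    data = host_port.encode("utf-8")
    unpadded = base64.b32encode(data).decode("ascii").rstrip("=")
    return COOKIE_NAME_PREFIX + unpadded + CUSTOM_PAD_MAP[len(data) % 5]


def naive_cookie_name(host_port: str) -> str:
    """What the name would be if the '=' padding were kept (the rejected form)."""
    return COOKIE_NAME_PREFIX + base64.b32encode(host_port.encode("utf-8")).decode("ascii")


def is_valid_cookie_name(name: str) -> bool:
    """True if every character is allowed in an RFC 6265 cookie-name token."""
    return bool(name) and all(32 < ord(c) < 127 and c not in _SEPARATORS for c in name)


if __name__ == "__main__":
    # Assumed host:port; decodes to the value asserted in the PR's test.
    print(calculate_cookie_name("0.0.0.0:3333"))
    print(is_valid_cookie_name(naive_cookie_name("0.0.0.0:3333")))  # False
```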


@irinaschubert irinaschubert left a comment


LGTM


@mpro7 mpro7 left a comment


I found just cosmetic things; apart from that it looks good. You keep forgetting to organize the imports ;) We can maybe think about how to automate it, but the last time I checked there was nothing interesting to have it done on saving the file.

@sonarcloud

sonarcloud bot commented Jul 7, 2022

Kudos, SonarCloud Quality Gate passed!

Bug: A (0 Bugs)
Vulnerability: A (0 Vulnerabilities)
Security Hotspot: A (0 Security Hotspots)
Code Smell: A (7 Code Smells)

No Coverage information
0.8% Duplication

@subotic subotic merged commit 680021e into main Jul 7, 2022
@subotic subotic deleted the wip/DEV-994-dsp-app-dsp-api-auth-cookie-from-prod-domain-is-used-on-all-other-domains branch July 7, 2022 21:06