Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: check authorities in app adapter [LIBS-370] #757

Closed
wants to merge 15 commits into from

Conversation

KaiVandivier
Copy link
Contributor

@KaiVandivier KaiVandivier commented Oct 17, 2022

Address LIBS-370

Includes the fixes for LIBS-356 and LIBS-357 (which were split off from here and merged in separate PRs)

Checks authorization on the client side by using an AuthBoundary component to check correct authorities and block the app if necessary. This is needed because some deployment environments don't return a 403 'Forbidden' response (like standalone deployments and Netlify, it seems)

Todo:

  • Get correct app name (and maybe format) for auth checks from CLI and add to app env
  • Add UI for "Forbidden" screen instead of just hitting the error boundary
  • Clean up useVerifyLatestUser

UI Draft, updated:
Screen Shot 2022-10-18 at 9 22 15 AM

Comment on lines 40 to 44
// Skip check on dev
// TODO: should we check on dev environments too?
if (!IS_PRODUCTION_ENV) {
return true
}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Curious what others think -- most app devs probably have admin privileges, but if they don't have app management authority, it's possible that someone might end up working on an a new app which they don't have authorities for.

Someone might be able to bypass their authorities limitations by running an app locally though?...

Currently I guess we don't do any checks like this

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(You can make testing easier by commenting out the return true to run it on dev)

Copy link
Contributor

@HendrikThePendric HendrikThePendric Oct 17, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I initially wasn't sold on the idea of always returning true in a development environment, but think I'm coming around to it.

Full reload From SW
Production Server renders no-access page App-shell renders no-access view
Development Dev can access app Dev can access app

This is actually very consistent and I like it.

Comment on lines 13 to 17
if (config.coreApp) {
// TODO: Verify this formatting - are there any transformations,
// or do we trust that it's lower-case and hyphenated?
return APP_AUTH_PREFIX + DHIS_WEB + config.name
}
Copy link
Contributor Author

@KaiVandivier KaiVandivier Oct 17, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Curious about whether this formatting of core app names is correct?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the user app I am also inferring specific types of authorities based on their naming scheme. This has been in production for about 4 years now, so this suggests to me the naming scheme is consistent enough. You can also review the response of this requests: https://play.dhis2.org/dev/api/40/authorities?fields=id,name&paging=false

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We do need to do transformation here, as the "name" in the d2 config is NOT necessarily what's used for the authority (or URL name) - see here. We already replicate this logic in the platform here

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah I see we're doing that below - but we should also do it for core apps.

Copy link
Contributor Author

@KaiVandivier KaiVandivier Oct 17, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, notice that the formatting is different between those two things you linked, namely around hyphens -- core apps seem to be getting a different treatment? But I didn't find what exactly it is

Copy link
Contributor Author

@KaiVandivier KaiVandivier Oct 20, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added some formatting insurance in this commit

Comment on lines 102 to 107
if (response.type === 'opaqueredirect' || !response.ok) {
// It's sending a redirect to the login page,
// or an 'unauthorized'/'forbidden' response.
// Return that to the client
return response
}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pass 403 responses to the client in production, instead of returning index.html

const IS_PRODUCTION_ENV = process.env.NODE_ENV === 'production'

const APP_MANAGER_AUTHORITY = 'M_dhis-web-maintenance-appmanager'
const REQUIRED_APP_AUTHORITY = process.env.REACT_APP_DHIS2_APP_AUTH_NAME
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added in CLI

@KaiVandivier KaiVandivier marked this pull request as ready for review October 17, 2022 14:36
@KaiVandivier
Copy link
Contributor Author

You can test the boundary by logging in as a guest user (user guest, pass Guest123), which shouldn't have access to all apps -- also see the 'production env' test above that you can comment out to test it in a dev environment locally

Copy link
Contributor

@HendrikThePendric HendrikThePendric left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks very Kai. Thanks for noticing this had slipped through the cracks and turning this around so quickly. I've left a few comments.

adapter/src/components/AuthBoundary.js Outdated Show resolved Hide resolved
adapter/src/components/AuthBoundary.js Outdated Show resolved Hide resolved
Comment on lines 13 to 17
if (config.coreApp) {
// TODO: Verify this formatting - are there any transformations,
// or do we trust that it's lower-case and hyphenated?
return APP_AUTH_PREFIX + DHIS_WEB + config.name
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the user app I am also inferring specific types of authorities based on their naming scheme. This has been in production for about 4 years now, so this suggests to me the naming scheme is consistent enough. You can also review the response of this requests: https://play.dhis2.org/dev/api/40/authorities?fields=id,name&paging=false

@amcgee
Copy link
Member

amcgee commented Oct 17, 2022

@KaiVandivier there is quite a bit of overlap here with #754 by the way

@KaiVandivier
Copy link
Contributor Author

KaiVandivier commented Oct 17, 2022

@amcgee I noticed that -- I refactored the app wrapper in my latest commit to work well with the changes that you have here: https://github.com/dhis2/app-platform/pull/754/files#diff-58fcbeed2ec3103f3d186cb172bf2da570e316e008fb614240d6aa0f72df7574

Taking a closer look now though

Copy link
Member

@amcgee amcgee left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would be good to not duplicate logic between this and the session expiration PR

Comment on lines 13 to 17
if (config.coreApp) {
// TODO: Verify this formatting - are there any transformations,
// or do we trust that it's lower-case and hyphenated?
return APP_AUTH_PREFIX + DHIS_WEB + config.name
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We do need to do transformation here, as the "name" in the d2 config is NOT necessarily what's used for the authority (or URL name) - see here. We already replicate this logic in the platform here

Comment on lines 13 to 17
if (config.coreApp) {
// TODO: Verify this formatting - are there any transformations,
// or do we trust that it's lower-case and hyphenated?
return APP_AUTH_PREFIX + DHIS_WEB + config.name
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah I see we're doing that below - but we should also do it for core apps.

pwa/src/service-worker/service-worker.js Outdated Show resolved Hide resolved
@KaiVandivier
Copy link
Contributor Author

@KaiVandivier KaiVandivier marked this pull request as draft February 16, 2023 14:08
@KaiVandivier KaiVandivier changed the title fix(pwa): handle navigations [LIBS-356] [LIBS-357] fix: check authorities in app adapter [LIBS-356] [LIBS-357] Feb 16, 2023
@KaiVandivier
Copy link
Contributor Author

Drafted while this is on the back-burner

@KaiVandivier KaiVandivier changed the title fix: check authorities in app adapter [LIBS-356] [LIBS-357] fix: check authorities in app adapter [LIBS-370] Feb 23, 2023
@KaiVandivier KaiVandivier marked this pull request as ready for review February 23, 2023 13:25
@KaiVandivier
Copy link
Contributor Author

I think concerns have been addressed and this is ready for rereview @amcgee

@KaiVandivier KaiVandivier removed the request for review from HendrikThePendric February 23, 2023 15:26
@KaiVandivier
Copy link
Contributor Author

KaiVandivier commented Oct 8, 2024

Closing since this is stagnant to clean up open PRs -- can be reopened if needed. This may be relevant to the global shell

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants