Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open API - security update #14868

Merged
merged 6 commits into from
Oct 25, 2024
Merged

Open API - security update #14868

merged 6 commits into from
Oct 25, 2024

Conversation

mike12345567
Copy link
Collaborator

Description

@shogunpurple noticed there was an issue with using the public API to access development apps from non-builder roles, when this occurred the response was a re-direct as we expect in the browser, however this makes little sense in an API call.

I've updated the test cases a bit around the public API to make this a testable scenario, as well as updating currentapp.ts to 403 in these cases rather than a re-direct, by detecting it is using an API key.

I've also removed the isTest which was hiding this from our test cases and instead check if the call is coming from a browser.

Final small update is the OpenAPI spec was a little hard to use as you had to work out all the variables you needed, I've defaulted these so that when imported to tools that support OpenAPI specifications it shows all the variables listed with descriptions, making it a lot quicker to get up and running.

@mike12345567 mike12345567 self-assigned this Oct 24, 2024
@mike12345567 mike12345567 requested a review from a team as a code owner October 24, 2024 16:52
@mike12345567 mike12345567 requested review from adrinr and removed request for a team October 24, 2024 16:52
@qa-wolf QA Wolf
Copy link

qa-wolf bot commented Oct 24, 2024

QA Wolf here! As you write new code it's important that your test coverage is keeping up.
Click here to request test coverage for this PR!

@github-actions github-actions bot added firestorm Data/Infra/Revenue Team size/m labels Oct 24, 2024
shogunpurple
shogunpurple approved these changes Oct 24, 2024
View reviewed changes
Copy link
Member

@shogunpurple shogunpurple left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM - great tests

@mike12345567 mike12345567 merged commit 0107f2c into master Oct 25, 2024
11 of 12 checks passed
@mike12345567 mike12345567 deleted the fix/openapi-security branch October 25, 2024 10:16
@github-actions github-actions bot locked and limited conversation to collaborators Oct 25, 2024
samwho
samwho requested changes Oct 25, 2024
View reviewed changes
packages/server/specs/openapi.json
@@ -833,7 +831,8 @@
"type": "string",
"enum": [
"static",
"dynamic"
"dynamic",
"ai"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Need to update the description field here as well.

packages/server/src/api/routes/public/tests/Request.ts Show resolved Hide resolved
packages/server/src/api/routes/public/tests/Request.ts Show resolved Hide resolved
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@samwho samwho samwho requested changes

@shogunpurple shogunpurple shogunpurple approved these changes

@adrinr adrinr Awaiting requested review from adrinr adrinr is a code owner automatically assigned from Budibase/backend

Assignees

@mike12345567 mike12345567

Labels
firestorm Data/Infra/Revenue Team size/m
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mike12345567 @samwho @shogunpurple