[MM-51253][MM-51275]: Added check for full name and refactored error logs. #148

Merged
merged 11 commits into from
Mar 28, 2023

avas27JTG
Contributor

See [MM-51253] and [MM-51275]

avas27JTG and others added 9 commits January 4, 2023 16:08
… to "Close" on filter popover. (#17) (#21)

* [MI-2504][webapp]: Changed Hide to Close on filter popover

* [MI-2504][server]: Generated manifest files

* [MI-2504][server]: Updated version in manifest

Co-authored-by: Abhishek Verma <[email protected]>

Co-authored-by: Abhishek Verma <[email protected]>
…API and fixed Boards update subscription. (#22)

* [MI-2505][server]: Added logic to protect subscriptions notification webhook API and fixed Boards update subscription.

* [MI-2505][MI-2518] Fix failing testcases

* [MI-2505]:Added webhook secret encoding and review fixes

* [MI-2505]:Added webhook secret encryption

* [MI-2505]: Fixed CI

* [MI-2505]: Reverted change of auth scopes

* [MI-2505]: Fixed CI

* [MI-2505][MI-2603] Fixed testcases

* [MI-2505]: Used constant for path

* [MI-2505]: Refined message

* [MI-2505]: Minor review fixes

* [MI-2505][MI-2603] Review fix

Co-authored-by: Abhishek Verma <[email protected]>
Co-authored-by: raghavaggarwal2308 <[email protected]>
@codecov-commenter

Codecov Report

Patch coverage: 100.00% and project coverage change: +0.17 🎉

Comparison is base (2d2f0ab) 65.65% compared to head (43b07f5) 65.82%.

Additional details and impacted files
@@            Coverage Diff             @@
##           master     #148      +/-   ##
==========================================
+ Coverage   65.65%   65.82%   +0.17%     
==========================================
  Files          15       15              
  Lines        3313     3315       +2     
==========================================
+ Hits         2175     2182       +7     
+ Misses       1013     1009       -4     
+ Partials      125      124       -1     
Impacted Files Coverage Δ
server/plugin/oAuth.go 56.44% <ø> (+0.49%) ⬆️
server/plugin/api.go 63.86% <100.00%> (+0.31%) ⬆️

@avas27JTG avas27JTG requested review from m1lt0n and mickmister March 15, 2023 14:24
@m1lt0n m1lt0n requested a review from jupenur March 15, 2023 14:24
@m1lt0n m1lt0n added the 2: Dev Review Requires review by a core committer label Mar 15, 2023
@@ -126,9 +126,6 @@ func (p *Plugin) GenerateOAuthToken(code, state string) error {
mattermostUserID := strings.Split(state, "_")[1]

if err := p.Store.VerifyOAuthState(mattermostUserID, state); err != nil {
if _, DMErr := p.DM(mattermostUserID, constants.GenericErrorMessage, false); DMErr != nil {
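Review bot: `strings.Split(state, "_")[1]` in the first line of this hunk indexes the split result without checking its length, so a `state` value containing no underscore panics before `VerifyOAuthState` is reached. Check the number of parts and return an error first. The failure branch also sends the DM to `mattermostUserID`, which at that point still comes from the unverified `state`; send that message only to the authenticated session user, or drop it when verification fails.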
Contributor

Can we also make sure every endpoint intended to be used by a MM user is checked for authentication?

Contributor Author

Yeah, we have a check for authentication on all the plugin APIs where we are checking for MM user-id in the header.
Also, OAuthComplete API is used as a redirection URL by the Azure DevOps oAuth app which sends the state query param that we are validating here as authentication.

Contributor

@mickmister mickmister Mar 23, 2023

> Also, OAuthComplete API is used as a redirection URL by the Azure DevOps oAuth app which sends the state query param that we are validating here as authentication.

The redirect is in the browser only though. Any request hitting MM in the process will be authenticated with a MM user token (and we should verify its presence). The Azure server never sends a request to the MM server in this process.

Contributor

We should also check that the authenticated user's id matches the user id on line 126

Contributor Author

Made the changes
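
The check requested in this thread (an authenticated Mattermost user whose id matches the id carried in `state`), sketched as an added example that is not the code merged in this pull request. It assumes `state` has exactly the form `<token>_<userID>` and that the session user arrives in the `Mattermost-User-Id` header; `authorizeCallback`, the error values and the `/oauth/complete` path are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Header carrying the logged-in user's id on plugin requests (assumed here).
const userIDHeader = "Mattermost-User-Id"

var (
	errUnauthenticated = errors.New("no authenticated Mattermost user")
	errBadState        = errors.New("malformed state")
	errUserMismatch    = errors.New("state belongs to a different user")
)

// userIDFromState parses "<token>_<userID>" without indexing out of range.
func userIDFromState(state string) (string, error) {
	parts := strings.Split(state, "_")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", errBadState
	}
	return parts[1], nil
}

// authorizeCallback returns the user id to act on, or an error to reject with.
func authorizeCallback(r *http.Request) (string, error) {
	sessionUser := r.Header.Get(userIDHeader)
	if sessionUser == "" {
		return "", errUnauthenticated
	}
	stateUser, err := userIDFromState(r.URL.Query().Get("state"))
	if err != nil {
		return "", err
	}
	if stateUser != sessionUser {
		return "", errUserMismatch
	}
	return sessionUser, nil // caller then verifies state against the store
}

func main() {
	// Constructed request: session user "userA", state names "userB".
	r := httptest.NewRequest(http.MethodGet, "/oauth/complete?state=abc123_userB", nil)
	r.Header.Set(userIDHeader, "userA")
	fmt.Println(authorizeCallback(r))
}
```

Only after this returns without error should the stored-state verification and any DM use the returned id.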

@mickmister mickmister added this to the v2.2.2 milestone Mar 15, 2023
@avas27JTG avas27JTG requested a review from mickmister March 16, 2023 11:18
@avas27JTG avas27JTG changed the title [MM-51253][MM-51275] [MM-51253][MM-51275]: Added check for full name and refactored error logs. Mar 21, 2023
@mickmister mickmister merged commit c9399d6 into master Mar 28, 2023
@mickmister mickmister deleted the MI-2887 branch March 28, 2023 05:24
@m1lt0n m1lt0n added 4: Reviews Complete All reviewers have approved the pull request and removed 2: Dev Review Requires review by a core committer labels Apr 5, 2023