Feature/portal auth#61
Conversation
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
- Update Go version to 1.26.3 - Enhance correlation ID validation with ASCII checks - Update golangci-lint to version 2.12.2 and adjust Taskfile commands
…chamikara/openfgc into feature/portal-backend
- Fix go version in dockerfile - Enhance CORS middleware to append Vary header
- Improve error handling for request body size - Fix overwriting other users authorizations - Add tests for read failures
- Add CORS support for same-origin requests without allowlist
…aceholder mode is disabled
- Correlation ID fallback now uses UnixNano + pid + atomic - Client-supplied forwarding headers are stripped - CORS allowed origins now reject path, query string, and fragment.
- handler.go: MeConsentApprove now routes ErrUpstreamResponseTooLarge through writeProxyError, so it returns the proper 502 UPSTREAM_RESPONSE_TOO_LARGE instead of 400 INVALID_PAYLOAD. - service.go: proxy header filtering now strips Cookie and Authorization.
Add OpenFGC Portal Frontend
- Moved `golangci-lint` before tests in `.github/workflows/portal-backend-ci.yml`. - Added a comment explaining the `time.Sleep(50 * time.Millisecond)` in `portal/backend/cmd/server/main.go`. - Changed upstream timeout mapping from `503` to `504` in `portal/backend/internal/proxy/handler.go`. - Added Phase 3 TODO comments for missing ownership enforcement in: - `MeConsentByID` - `MeConsentApprove` - `MeConsentRevoke` - Consolidated duplicated correlation ID generation into shared code under `portal/backend/internal/correlation/`. - Added TODO notes documenting the sequential metadata enrichment limitation in `portal/backend/internal/proxy/handler.go`. - Updated docs/tests that depended on the timeout status change. - Updated buildRevokePayload in [handler.go (line 585)](/abs/path/portal/backend/internal/proxy/handler.go:585) to initialize payload as an empty map and keep the final actionBy assignment as the source of truth.
- Added path escaping when forwarding `consentId`. - Added invalid-consent-ID integration coverage. - Updated integration fixtures to use valid UUID consent IDs.
…kend Add OpenFGC Portal Backend
- Add abstracted authnetication - Add asgardeo and thunder sdk adapters
- `PortalAuth` now exposes `getAccessToken()`. - Both adapters implement it. - API requests retry once after `401`, obtaining a fresh SDK token for the retry. - Added a test covering the single `401` retry. - Updated test auth context. - Replaced `accessToken.ts` with [authBridge.ts](D:\wso2\openfgc-portal\portal\frontend\src\auth\authBridge.ts). - The bridge exposes only `getAccessToken` and one-shot `handleUnauthorized`. - Both adapters register the bridge. - API client retries `401` once, then triggers login once if still unauthorized. - `403` has an explicit consent-registry authorization message. - ThunderID now clears chached decoded ID-token profile data before sign-out
- /me/consents/{id}, approve, and revoke now fetch the consent and require an authorization entry whose userId matches the request’s UserIdentity.UserID.
- Non-owned consents returns 404 Not Found, preventing users from inferring that another user’s consent exists.
- `/me` now reads `UserIdentityFromContext()` directly.
- Removed legacy `WithUserID()` and `UserIDFromContext()`.
- Removed unused placeholder-only `middleware/userid.go` and its tests.
- Missing request identity now reports `500 IDENTITY_UNAVAILABLE`, since authentication middleware should have resolved it first.
- Add tests - Update env.example - Removes the fallback that injected TPP-client-id from BFF_PROXY__PLACEHOLDER_CLIENT_ID on every proxied request.
|
Caution Review failedThe pull request is closed. ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (10)
📒 Files selected for processing (106)
📝 WalkthroughSummary
WalkthroughThis change adds a complete portal stack: a Go BFF with configuration, JWT/JWKS authentication, CORS and correlation middleware, health endpoints, allowlisted proxying, consent aggregation and mutation routes, OpenAPI contracts, Docker support, and integration tests. It also adds a React frontend with provider-based authentication, consent registry and detail views, API/query utilities, localization, UI components, tests, TypeScript/Vite configuration, and CI workflows for both backend and frontend. Sequence Diagram(s)sequenceDiagram
participant Browser
participant PortalFrontend
participant PortalBackend
participant OpenFGC
Browser->>PortalFrontend: Request consent registry
PortalFrontend->>PortalBackend: GET /me/consents with bearer token
PortalBackend->>PortalBackend: Validate token and enforce scope
PortalBackend->>OpenFGC: Forward consent query with trusted identity
OpenFGC-->>PortalBackend: Consent response
PortalBackend-->>PortalFrontend: JSON consent response
PortalFrontend-->>Browser: Render consent registry
sequenceDiagram
participant Browser
participant PortalFrontend
participant PortalBackend
participant OpenFGC
Browser->>PortalFrontend: Approve or revoke consent
PortalFrontend->>PortalBackend: Submit consent mutation
PortalBackend->>OpenFGC: Fetch consent and verify ownership
PortalBackend->>OpenFGC: Submit transformed update
OpenFGC-->>PortalBackend: Mutation response
PortalBackend-->>PortalFrontend: Mutation result
PortalFrontend-->>Browser: Update consent view
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Rabbit's Review Thread