Unleash / unleash-proxy

Unleash Proxy is used to safely integrate frontend applications with Unleash in a secure and scalable way.
https://docs.getunleash.io/sdks/unleash-proxy
Apache License 2.0

The Proxy API returns all feature toggles, even those from projects that are disabled for the requested environment #122

Closed bogdanzurac closed 1 year ago

bogdanzurac commented 1 year ago

Describe the bug

Suppose we have Projects A and B declared on Unleash, each containing a few feature toggles. We also have Environments 1 and 2.

Project A is enabled for Environments 1 & 2. Project B is enabled only for Environment 1.

Steps to reproduce the bug

  1. When requesting the list of feature toggles from the Proxy API for Environment 1, we get all feature toggles, from both Projects A and B, which works as expected
  2. But the same applies to Environment 2 as well: we receive all feature toggles from both Projects A and B, even though only Project A is enabled for Environment 2

Expected behavior

When requesting feature toggles for Environment 2, only the toggles from Project A should be returned

Logs, error output, etc.

No response

Screenshots

No response

Additional context

No response

Unleash version

4.19.2

Subscription type

Enterprise

Hosting type

Self-hosted

SDK information (language and version)

No response

ivarconr commented 1 year ago

Hi,

Based on the description I assume you are running the proxy with ENABLE_ALL_ENDPOINT enabled?

The default behavior of the proxy is to only return "enabled" toggles for the given environment, and therefore what you describe is not a problem under default configurations.

Technically in Unleash, all toggles will exist under all environments, but they will take a disabled state. This is by design. You can limit what the proxy sees by using "project scoped" tokens.

Because of limited flexibility in the proxy (all clients need to consume the same as the proxy; you need to think of the proxy as an SDK) we decided to build something more flexible and scalable, called unleash-edge. With the edge you can use ordinary client and frontend tokens, and they can be scoped to environments and projects as you like, giving ultimate control over what you expose where.
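
To make the difference between the two modes concrete, here is an added Python check (not part of unleash-proxy or of this thread) that audits what a proxy response discloses to a browser: which toggle names are exposed, which are disabled (only visible when ENABLE_ALL_ENDPOINT is on), and which fall outside the names a given frontend app actually uses. The response shape (`{"toggles": [{"name", "enabled", ...}]}`), the sample toggles and the per-app allow-list are assumptions constructed for the example.

```python
import json

# Constructed sample of an ENABLE_ALL_ENDPOINT-style response: toggles from
# Project B show up in this environment too, just in a disabled state.
# The shape is an assumption modelled on the proxy's JSON output.
SAMPLE_ALL_RESPONSE = json.loads("""
{"toggles": [
  {"name": "projA.checkout-redesign", "enabled": true,
   "variant": {"name": "disabled", "enabled": false}, "impressionData": false},
  {"name": "projA.new-search", "enabled": false,
   "variant": {"name": "disabled", "enabled": false}, "impressionData": false},
  {"name": "projB.internal-billing-v2", "enabled": false,
   "variant": {"name": "disabled", "enabled": false}, "impressionData": false}
]}
""")

# Toggle names this particular frontend app is written to consult (assumed allow-list).
FRONTEND_USES = {"projA.checkout-redesign", "projA.new-search"}


def default_view(response):
    """Model the proxy's default behaviour: disabled toggles are dropped
    before the client ever sees them, so only enabled names are disclosed."""
    return {"toggles": [t for t in response.get("toggles", []) if t.get("enabled")]}


def audit_exposure(response, allowed_names):
    """Return (exposed, disabled, unexpected) sets of toggle names.

    exposed    - every name the client can learn from this response
    disabled   - names disclosed even though the toggle is off here
    unexpected - names the app does not use but the proxy still hands out
    """
    toggles = response.get("toggles", [])
    exposed = {t["name"] for t in toggles}
    disabled = {t["name"] for t in toggles if not t.get("enabled", False)}
    unexpected = exposed - set(allowed_names)
    return exposed, disabled, unexpected


if __name__ == "__main__":
    for label, resp in (("all endpoint", SAMPLE_ALL_RESPONSE),
                        ("default", default_view(SAMPLE_ALL_RESPONSE))):
        exposed, disabled, unexpected = audit_exposure(resp, FRONTEND_USES)
        print(f"{label}: exposed={sorted(exposed)} disabled={sorted(disabled)} "
              f"unexpected={sorted(unexpected)}")
```

Run against a real proxy by replacing `SAMPLE_ALL_RESPONSE` with the parsed body of the app's own request; a non-empty `unexpected` set is the over-exposure this issue is about.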

bogdanzurac commented 1 year ago

Yes, we're using the ENABLE_ALL_ENDPOINT, because we need to know all feature toggles for the current environment, even disabled ones.

However, we're not interested in the disabled ones for the current environment in case the toggle's project is not enabled for the current environment.

I know this would probably ideally be solved through project scoped tokens, but those are created once for a set of projects without the possibility of adding a new project down the line. So this is pretty restrictive for our existing setup.

But regardless, even conceptually, if a project is not enabled for an environment, we expect that its feature toggles won't be returned at all.

stale[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

gsannec commented 9 months ago

Hi!

"When requesting the list of feature toggles from the Proxy API for Environment 1, we get all feature toggles, from both Projects A and B, which works as expected"

If there are 50 projects and 50 enabled toggles per project then one little front-end app, that uses a few toggles and connects via Proxy, will get 2500 toggles.

Is it possible to restrict the list of enabled feature toggles from Proxy by projects?

For example, I've got a front-end app AAA and want to get toggles for it from Project A only, and I've got another front-end app BBB and want to get toggles for it from Project B only.