aquivalabs / my-org-butler

AI Agent for the Salesforce Utility Bar. Performs tasks for the user & answers questions about the org. As opposed to Salesforce native Einstein Copilot it uses OpenAI Assistants under the hood.
MIT License

Replace SessionId hacks with SecReview safe solution #1

Open rsoesemann opened 4 months ago

rsoesemann commented 4 months ago

Not sure if that even works, but the current ways we get the Session Id are hacks that will never pass Security Review. We need to research and play with alternatives:

  1. Connected App, Named Credential (old or new, packaged or Apex-created) and Auth Provider.
  2. Not sure what other solutions we have

mbedlinski commented 4 months ago

Probably the appropriate solution:

mbedlinski commented 3 months ago

Regarding https://developer.salesforce.com/docs/metadata-coverage

For Unlocked Package: everything except the Connected App can be packaged. It's not a problem: the Connected App can be created from scratch by the Client Admin User. For the Auth Provider we only need the Client Key / Client Secret.

For 2GP Managed Package: everything except the Auth Provider can be packaged. Salesforce allows creating it using the Connect API.

It is necessary to discover if there is an intelligent way to create it for the 2GP managed package - maybe in a post-install script?

mbedlinski commented 3 months ago

The Connected App needs to be created per user org, because of the callback URL of the Auth Provider that needs to be fulfilled in the Connected App.

mbedlinski commented 3 months ago

In Named Credential there is a part of it connected to Namespaces - it's also worth checking out.