Closed eliykat closed 3 months ago
Attention: Patch coverage is 0%
with 7 lines
in your changes missing coverage. Please review.
Project coverage is 29.27%. Comparing base (
1826403
) to head (9b252a3
).
:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.
Since this deny
command only handles one auth request it should hit the API endpoint for single request updates here. Right now it hits the dedicated bulk deny endpoint, which is going to be removed during post-release work anyway.
Instead of going down the currently committed route I would:
approvePendingRequest()
method in organization-auth-request-api.service
to updatePendingRequest()
. Supply it with an approved
bool to send to the API endpoint (currently this is just hardcoded to true
). That endpoint handles approvals and denials, and will return a 404 if the auth request it is given is not found. denyPendingRequest()
method that mirrors this approvePendingRequest
method in organization-auth-request.service
without the request.isApproved == true
specific logic. Have it reference the updatePendingRequest()
method on the api service that handles single-request updates. You could probably combine the approvePendingRequest()
and denyPendingRequest()
service methods into an updatePendingRequest()
method if you wanted. If you want to go this direction just supply updatePendingRequest()
with a boolean from your command and only do the key exchange if it's true
. This approach has the following advantages:
server
PR at allWe could use the whole "return a list of unprocessed requests from bulk methods" approach still, but that is different from the original design decision that we made that bulk operations should be mostly silent and ignore anything that fails or isn't found. I'd suggest we make that an enhancement for post-release if we want to change it.
Thanks @addisonbeck , that's a much better solution. I was getting turned around a bit with the different endpoints we have. I think we should probably delete the bulk deny endpoint in follow-up work (so that we only have single update or bulk update).
The only change I made was to keep separate approve/deny methods in the api service, because they have different interfaces and I think it's clearer.
Checkmarx One – Scan Summary & Details – 11f0407e-2ba7-45d7-97d1-955c427434bc
Severity | Issue | Source File / Package | Checkmarx Insight |
---|---|---|---|
Angular_Improper_Type_Pipe_Usage | /bitwarden_license/bit-web/src/app/admin-console/providers/providers-layout.component.html: 50 | Attack Vector |
🎟️ Tracking
https://bitwarden.atlassian.net/browse/AC-2797
📔 Objective
Address the following feedback:
This occurs because:
To his credit, @vincentsalucci raised this difference in code review, but I didn't want to add the api call just to make sure that the request exists.
That is still a potential solution, however I thought it might be better for the server to return a list of the device requests that were successfully denied. That way, the client can decide how to handle a partial result. However, I don't feel strongly about it.
If anyone thinks that copy/pasting the check in the approve command is a better solution, we can do that instead.
Depends on https://github.com/bitwarden/server/pull/4211.
📸 Screenshots
⏰ Reminders before review
🦮 Reviewer guidelines
:+1:
) or similar for great changes:memo:
) or ℹ️ (:information_source:
) for notes or general info:question:
) for questions:thinking:
) or 💭 (:thought_balloon:
) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion:art:
) for suggestions / improvements:x:
) or ⚠️ (:warning:
) for more significant problems or concerns needing attention:seedling:
) or ♻️ (:recycle:
) for future improvements or indications of technical debt:pick:
) for minor or nitpick changes