Closed jjmerchante closed 2 years ago
I've tested it from the frontend and the queries and mutations work, but I get different errors from the one on the test_authentication tests when I'm not logged in. In the addCredentials mutation, the error message is Cannot assign "<SimpleLazyObject: <django.contrib.auth.models.AnonymousUser object at 0x7f6d446842e0>>": "Credential.user" must be a "User" instance. and in the credentials query, instead of an error, it returns { "data": { "credentials": { "entities": null } } }
One more thing, I think the tokens are not encrypted on the database, they should be obfuscated in some way.
I've tested it from the frontend and the queries and mutations work, but I get different errors from the one on the test_authentication tests when I'm not logged in. In the addCredentials mutation, the error message ...
Thank you, I didn't notice what happens when the GraphQL API is called with a non-authenticated user. When it requests a list of repositories I changed it to an empty list, do you prefer an error? I am not sure what is the best UX scenario. For the error when a non-authenticated user adds a new credential I changed the error text.
One more thing, I think the tokens are not encrypted on the database, they should be obfuscated in some way.
I need to think a bit about this part, maybe include a key in the settings to encrypt/decrypt the value of the token.
When it request a list of repositories I changed it to an empty list, do you prefer an error? I am not sure what is the best UX scenario.
It can work either way on the UI since it will only be accessible to users that are logged in, but it could be helpful to return an error in case someone wants to use the GraphQL API without the interface.
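The two failure modes discussed in this thread, as an added example that is not code from the grimoirelab-bestiary PR: a minimal stand-in for the addCredentials mutation and the credentials query, showing why the anonymous caller must be rejected at the GraphQL layer before a Credential is built. The User, AnonymousUser and Credential classes are constructed stubs mimicking Django's behaviour, not Django itself.

```python
from dataclasses import dataclass

@dataclass
class User:
    username: str
    is_authenticated: bool = True

class AnonymousUser:
    is_authenticated = False  # mirrors django.contrib.auth.models.AnonymousUser

@dataclass
class Credential:
    name: str
    token: str
    user: User

    def __post_init__(self):
        # Mimics Django's FK descriptor: a non-User fails with the opaque
        # message quoted in the review (the 'before' behaviour).
        if not isinstance(self.user, User):
            raise TypeError(f'Cannot assign "{self.user!r}": '
                            '"Credential.user" must be a "User" instance.')

class AuthenticationError(Exception):
    """Explicit GraphQL-level error for anonymous callers."""

def login_required(resolver):
    """Reject anonymous callers before any model object is touched."""
    def wrapper(user, *args, **kwargs):
        if not getattr(user, "is_authenticated", False):
            raise AuthenticationError("Authentication required")
        return resolver(user, *args, **kwargs)
    return wrapper

STORE = []  # constructed in-memory stand-in for the Credential table

def add_credentials_unguarded(user, name, token):
    # 'Before': the model assignment is the first thing to notice anonymity.
    cred = Credential(name=name, token=token, user=user)
    STORE.append(cred)
    return cred

@login_required
def add_credentials(user, name, token):
    return add_credentials_unguarded(user, name, token)

@login_required
def credentials(user):
    # Each user can only see their own tokens.
    return [c for c in STORE if c.user is user]
```

With the guard in place an anonymous credentials query raises AuthenticationError instead of silently returning null entities; returning an empty list instead would be a one-line change in the wrapper.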
I made the following changes:
name
.SECRET_KEY
.
This pull request includes a new model named Credential that allows users to add tokens for every data source. There are new methods and GraphQL mutations to add, remove or delete data source credentials. Each user can only use their own tokens.
This PR also removes the apiToken parameter from fetchGitHubOwnerRepos and selects a user token (if one exists) for that job. It also includes an Authorization header with the Bestiary JWT Token for each call from the UI.
Fixes https://github.com/chaoss/grimoirelab-bestiary/issues/94