This PR addresses a potential data breach if row-level security was applied. Here are the significant changes and rationale:
- Moves all Looker interactions into the extension
  - All queries run within the user context, applying row-level security and access grants
- Proxies all calls to the backend through extensionSDK.serverProxy
  - Network or origin security can be applied to the backend service, since all calls originate from Looker
  - If network security is enabled for the backend service, this could prevent DDoS attacks
- Uses a secret key through extensionSDK.createSecretKeyTag
  - This key is never exposed to the user or their browser
  - In Looker, it is stored as a user attribute
  - It prevents unauthorized invocation of the backend API
- Changed WebSockets service to RESTful service
  - Unfortunately, this is necessary to proxy calls through Looker and gain the above benefits.
- BONUS: This also allows 'Next Steps Instructions', an additional user input passed to the backend.
- BONUS: This operates in the standalone extension context, using a URL context! There may be backward compatibility issues with the dashboard-based version.
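
An added illustration of the secret-key-tag flow described in this PR (not code from the PR itself): the extension sends only a tag through `extensionSDK.serverProxy`, and the backend rejects any request that lacks the matching secret. The backend URL, header name, user-attribute name and the `fakeLooker` stand-in are assumptions made for the example.

```javascript
// Added example. Values marked "assumed" are placeholders, not from the PR.
const BACKEND_URL = 'https://backend.example.com/generate'; // assumed
const SECRET_NAME = 'backend_secret';        // assumed user-attribute name
const SECRET_HEADER = 'x-extension-secret';  // assumed header name

// Extension (browser) side: the header carries only a tag. Looker swaps in
// the user-attribute value server-side when it forwards the request.
function buildProxyRequest(extensionSDK, payload) {
  const headers = {
    'Content-Type': 'application/json',
    [SECRET_HEADER]: extensionSDK.createSecretKeyTag(SECRET_NAME),
  };
  return { url: BACKEND_URL, init: { method: 'POST', headers, body: JSON.stringify(payload) } };
}

async function callBackend(extensionSDK, payload) {
  const { url, init } = buildProxyRequest(extensionSDK, payload);
  const response = await extensionSDK.serverProxy(url, init);
  if (!response.ok) throw new Error(`backend returned ${response.status}`);
  return response.body;
}

// Backend side: reject any call that does not present the shared secret.
// XOR-accumulate so timing does not reveal the first mismatching character.
function secretsMatch(presented, expected) {
  if (typeof presented !== 'string' || presented.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) {
    diff |= presented.charCodeAt(i) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

function authorize(headers, expectedSecret) {
  return secretsMatch(headers[SECRET_HEADER], expectedSecret) ? 200 : 401;
}

// Constructed stand-in for Looker, for offline runs only. The tag string is
// a placeholder, not Looker's real tag format.
function fakeLooker(secret) {
  const tag = '<<secret-tag>>';
  const swap = (h) => Object.fromEntries(
    Object.entries(h).map(([k, v]) => [k, v === tag ? secret : v]));
  return { createSecretKeyTag: () => tag, forwardedHeaders: (init) => swap(init.headers) };
}
```

On a Node backend, `crypto.timingSafeEqual` over equal-length buffers is the built-in alternative to the manual comparison.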