nhost / cli

Nhost CLI
https://docs.nhost.io/development/cli/overview
MIT License
77 stars 28 forks

chore: update schema #916

Closed dbarrosop closed 2 months ago

dbarrosop commented 2 months ago

PR Type

Enhancement


Description


Changes walkthrough 📝

Relevant files

Enhancement
  cmd/config/example.go: Add Turnstile configuration to SignUp
    • Added Turnstile configuration to the SignUp struct with a SecretKey field
    • +3/-0

Tests
  dockercompose/auth_test.go: Add Turnstile secret to auth test configuration
    • Added AUTH_TURNSTILE_SECRET environment variable with value "turnstileSecretKey"
    • +1/-0
  dockercompose/main_test.go: Update test config with Turnstile settings
    • Added Turnstile configuration to the SignUp struct in the test config
    • +3/-0

Dependencies
  go.mod: Update nhost/be dependency version
    • Updated github.com/nhost/be dependency to version v0.0.0-20240925125635-9b2298f21170
    • +1/-1
  go.sum: Update checksum for nhost/be dependency
    • Updated checksum for github.com/nhost/be to match the new version
    • +2/-2

💡 PR-Agent usage: Comment /help "your question" on any pull request to receive relevant information

github-actions[bot] commented 2 months ago

PR Reviewer Guide 🔍

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
🧪 PR contains tests
🔒 Security concerns

Sensitive information exposure:
The Turnstile secret key is hardcoded in the example configuration file (cmd/config/example.go) and in the test configuration (dockercompose/main_test.go). Although these are likely not production files, it's generally a bad practice to include even example secrets in code, as they might accidentally be used in real environments.

⚡ Key issues to review

Hardcoded Secret
The Turnstile secret key is hardcoded in the example configuration. This might lead to accidental exposure of the secret in version control.

github-actions[bot] commented 2 months ago

PR Code Suggestions ✨

Category: Security
Suggestion: Use an environment variable for sensitive configuration data
Consider using a constant or environment variable for the Turnstile secret key instead of hardcoding it directly in the configuration.
[cmd/config/example.go [162-168]](https://github.com/nhost/cli/pull/916/files#diff-49de1d039dc29237e62d701aea07feeeb61ca2f6b2fd3c8ca5ac36c68e1396ecR162-R168)

```diff
SignUp: &model.ConfigAuthSignUp{
    Enabled:         ptr(true),
    DisableNewUsers: ptr(false),
    Turnstile: &model.ConfigAuthSignUpTurnstile{
-       SecretKey: "turnstileSecretKey",
+       SecretKey: os.Getenv("TURNSTILE_SECRET_KEY"),
    },
},
```
Suggestion importance [1-10]: 9
Why: The suggestion addresses a significant security concern by recommending the use of environment variables for sensitive data instead of hardcoding it.

Category: Best practice
Suggestion: Use a mock value for sensitive data in test configurations
Consider using a placeholder or mock value for the Turnstile secret key in test configurations to avoid exposing sensitive information in test files.
[dockercompose/auth_test.go [31]](https://github.com/nhost/cli/pull/916/files#diff-70746ae54c1a33a5ec884f6aed960e89daef7db608a5bb35e3cfedbf64b0a66eR31-R31)

```diff
-"AUTH_TURNSTILE_SECRET": "turnstileSecretKey",
+"AUTH_TURNSTILE_SECRET": "test_turnstile_secret",
```
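Review bot: the expected value on this line has to stay in sync with the SecretKey set in the test config (dockercompose/main_test.go sets "turnstileSecretKey" per the walkthrough); changing only the expected AUTH_TURNSTILE_SECRET to "test_turnstile_secret" makes the assertion fail unless the config fixture changes too. The swap is also cosmetic: both strings are placeholders and neither is a real Turnstile key, so it does not reduce exposure. If anything is changed here, change the fixture and the expectation together, ideally through one shared constant.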
Suggestion importance [1-10]: 8
Why: This suggestion improves security and test practices by recommending the use of mock values for sensitive data in test configurations.

Category: Maintainability
Suggestion: Use a constant for sensitive test data to improve maintainability
Similar to the previous suggestions, consider using a mock value or a constant for the Turnstile secret key in test configurations to maintain consistency and avoid potential security risks.
[dockercompose/main_test.go [203-209]](https://github.com/nhost/cli/pull/916/files#diff-cbd7bf3ae89752b4e39860c598bf584d6fecb846d098ad2fb9bafa5b205774faR203-R209)

```diff
SignUp: &model.ConfigAuthSignUp{
    Enabled:         ptr(true),
    DisableNewUsers: ptr(false),
    Turnstile: &model.ConfigAuthSignUpTurnstile{
-       SecretKey: "turnstileSecretKey",
+       SecretKey: testTurnstileSecretKey,
    },
},
```
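Review bot: testTurnstileSecretKey is referenced on the `+` line but is not declared anywhere in the suggestion, so as written the test file would not compile; the diff needs a const declaration, and the expected AUTH_TURNSTILE_SECRET value in dockercompose/auth_test.go should reference the same constant so the fixture input and the asserted output cannot drift apart. That shared constant is the useful part of this suggestion; the value itself stays a placeholder either way.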
Suggestion importance [1-10]: 7
Why: The suggestion enhances maintainability and consistency in test configurations, though it's slightly less critical than the previous two suggestions.
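The reviewer's real concern is the one in its security note: a placeholder secret from an example or test config being promoted into a real deployment. The following is an added example, not code from nhost/cli, nhost/be or the bot suggestions, showing one way to make that failure mode loud at runtime: the secret is taken from an environment variable when one is set, otherwise from the config, and in both cases a known placeholder (or an empty value) is refused. TurnstileConfig is a local stand-in for the Turnstile part of the SignUp struct, the lookup parameter and the placeholder list are assumptions for illustration, and AUTH_TURNSTILE_SECRET is the variable name the PR's test expects.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// TurnstileConfig is a stand-in for the Turnstile section of the SignUp
// config discussed in the PR (assumption: the real type lives in the
// github.com/nhost/be model package and is not imported here).
type TurnstileConfig struct {
	SecretKey string
}

// placeholderSecrets lists values that may legitimately appear in example or
// test configs (assumed list). Any of them reaching a real deployment is a
// configuration error, so they are rejected rather than used.
var placeholderSecrets = map[string]bool{
	"turnstileSecretKey":    true,
	"test_turnstile_secret": true,
	"":                      true,
}

// ErrPlaceholderSecret is returned when the resolved secret is a known
// placeholder or empty.
var ErrPlaceholderSecret = errors.New("turnstile secret is a placeholder or empty")

// ResolveTurnstileSecret returns the secret to use at runtime. A value set in
// the environment variable envName takes precedence over cfg.SecretKey; the
// lookup function is injected (os.LookupEnv in production) so the resolution
// can be tested without touching the process environment. Whatever the
// source, a placeholder is refused so an example config cannot silently be
// promoted to a real one.
func ResolveTurnstileSecret(cfg TurnstileConfig, lookup func(string) (string, bool), envName string) (string, error) {
	secret := cfg.SecretKey
	source := "config"
	if v, ok := lookup(envName); ok {
		secret = strings.TrimSpace(v)
		source = "env " + envName
	}
	if placeholderSecrets[secret] {
		return "", fmt.Errorf("%w (from %s)", ErrPlaceholderSecret, source)
	}
	return secret, nil
}

func main() {
	// Constructed sample: the example config's placeholder with no override
	// in the environment, which is exactly the case that should be refused.
	cfg := TurnstileConfig{SecretKey: "turnstileSecretKey"}
	if _, err := ResolveTurnstileSecret(cfg, os.LookupEnv, "AUTH_TURNSTILE_SECRET"); err != nil {
		fmt.Println("refused:", err)
		return
	}
	fmt.Println("secret resolved")
}
```

Keeping the placeholder list next to the example and test fixtures means adding a new fake value in one place (as the Maintainability suggestion asks for) also keeps it out of production, and the error message names the source so an operator can tell whether a stale config file or a stale environment variable is at fault.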