Closed naelob closed 2 months ago
Latest commit: b50f22d7736fe3068dcf2880c78acdc9fc7000f0
Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.
Click here to learn what changesets are, and how to add one.
Click here if you're a maintainer who wants to add a changeset to this PR
The latest updates on your projects. Learn more about Vercel for Git ↗︎
Name | Status | Preview | Comments | Updated (UTC) |
---|---|---|---|---|
panora-client-ts | ❌ Failed (Inspect) | May 1, 2024 11:56pm |
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.
The recent updates aim to streamline synchronization processes across CRM and ticketing services, enhancing user-specific syncing and introducing new sync processors and services. Notable changes include the addition of sync controllers, modules, and services, along with adjustments to handling ProviderVertical.Unknown
and updating CRON schedules for synchronization tasks.
File Path | Change Summary |
---|---|
packages/api/src/@core/sync/* |
Introduced SyncController , SyncModule , and CoreSyncService for synchronization tasks across systems. |
.../connections.controller.ts , .../utils/unification/*.ts |
Removed handling for ProviderVertical.Unknown , impacting control flow. |
.../crm/*/*.ts , .../ticketing/*/*.ts |
Updated CRM and ticketing modules with new sync processors and user-specific syncing. |
.../crm/*/*module.ts , .../ticketing/*/*module.ts |
Modified BullModule.registerQueue to include syncTasks alongside existing queues. |
apps/client-ts/src/app/(Dashboard)/*/*.tsx , .../hooks/*.tsx , .../components/*/*.tsx |
Refactored various components and hooks to adjust parameters and fetch URLs for improved functionality. |
apps/client-ts/src/components/RootLayout/index.tsx , .../shared/team-switcher.tsx |
Updated components to include useRefreshAccessTokenMutation and removed redundant code. |
apps/client-ts/src/hooks/mutations/useRefreshAccessTokenMutation.tsx |
Introduced useRefreshAccessTokenMutation for handling token refresh logic with Cookies and toast . |
packages/api/src/@core/auth/* |
Adjusted methods in auth.controller.ts and auth.service.ts for handling API keys and access token refresh. |
packages/api/src/@core/auth/dto/refresh.dto.ts , .../strategies/jwt.strategy.ts |
Added RefreshDto class and id_project field to enhance authentication strategies. |
packages/api/src/@core/connections-strategies/connections-strategies.controller.ts |
Updated getConnectionStrategiesForProject method to use req.user for project retrieval. |
packages/api/src/@core/events/events.controller.ts , .../linked-users/linked-users.controller.ts , .../webhook/webhook.controller.ts |
Refactored controllers for improved request handling and data retrieval. |
🐇✨ In the digital fields where data flows, A rabbit tends to code that grows. Syncing bits and bytes with care, Crafting changes in the software's lair. With each update, a leap of delight, Ensuring systems shine bright. 🌟🐾
Build and Test (18.x) success (15)
packages/api/src/@core/auth/auth.controller.ts: [warning] 8-8: 'Query' is defined but never used
packages/api/src/@core/auth/dto/refresh.dto.ts (1)
`1-6`: The `RefreshDto` class is well-defined and correctly uses the `@ApiProperty` decorator for API documentation.packages/api/src/@core/auth/strategies/jwt.strategy.ts (1)
`23-23`: Addition of `id_project` to the JWT validation return object. Ensure that the payload structure includes `id_project` and that it's utilized appropriately in the application.apps/client-ts/src/hooks/useApiKeys.tsx (1)
`6-10`: The `useApiKeys` hook correctly implements fetching of API keys with appropriate error handling. Ensure that the access token used for authorization is handled securely throughout the application.apps/client-ts/src/hooks/useConnections.tsx (1)
`7-11`: The `useConnections` hook correctly implements fetching of connection data with appropriate error handling. Ensure that the access token used for authorization is handled securely throughout the application.Verification successful
--- The search results indicate extensive usage of `access_token` across various services in the application, particularly in the API layer where tokens are often encrypted using a `cryptoService`. This suggests a pattern of secure handling of access tokens at the API level. In the client-side code (`apps/client-ts`), the `access_token` is managed via cookies, with several hooks and components using `Cookies.get('access_token')` to include the token in authorization headers. The code also shows instances of setting and removing the token from cookies, which is a common practice for managing session tokens in web applications. Given the encryption of tokens in the backend and the standard practices observed in the frontend, the application appears to handle access tokens securely. However, it's important to ensure that cookies are configured with secure attributes (such as HttpOnly and Secure flags) to prevent access from client-side scripts and transmission over non-HTTPS connections, respectively. This specific detail wasn't verified in the provided outputs and might need further review or testing. **Conclusion:** The `useConnections` hook and other parts of the application seem to implement secure handling of access tokens, aligning with common security practices. However, a detailed security review, especially focusing on cookie security attributes, is recommended to ensure comprehensive protection. - Ensure cookies storing access tokens are configured with HttpOnly and Secure flags. - Continue to use encryption for tokens in the backend as observed.Scripts Executed
The following scripts were executed for the analysis: --- Script: ```shell #!/bin/bash # Description: Verify the secure handling of the access token used in the `useConnections` hook. # Search for the usage of `Cookies.get('access_token')` to ensure it's handled securely. rg --type js --type ts "Cookies.get('access_token')" ``` Length of output: 60 --- --- Script: ```shell #!/bin/bash # Description: Broaden the search to understand how access tokens are managed in the application. # Search for any references to 'access_token' in JavaScript or TypeScript files to see how it's handled. rg --type js --type ts "access_token" ``` Length of output: 34280apps/client-ts/src/hooks/useLinkedUsers.tsx (1)
`6-10`: The `useLinkedUsers` hook correctly implements fetching of linked user data with appropriate error handling. Ensure that the access token used for authorization is handled securely throughout the application.Verification successful
--- The expanded search for `access_token` usage across JavaScript and TypeScript files in the codebase has provided a comprehensive view of how access tokens are handled. The results show that access tokens are used in various services across the application, often encrypted using a `cryptoService`, which suggests a focus on security. Additionally, in the client-side hooks, the access token is retrieved using `Cookies.get('access_token')` and included in the Authorization header as a Bearer token. This approach is typical and acceptable provided that the cookies are secured properly (e.g., using HttpOnly and Secure flags) and the application ensures that the access token is not exposed to cross-site scripting (XSS) attacks. The removal of the access token using `Cookies.remove("access_token")` in certain parts of the application also indicates an awareness of security regarding session management. Given this information, the handling of the access token in the `useLinkedUsers` hook and throughout the application appears to be implemented with security considerations. However, it is recommended to ensure that cookies storing access tokens are configured with security best practices and that there is adequate protection against XSS. **Conclusion:** - The `useLinkedUsers` hook and other parts of the application handle the access token securely, primarily using encryption and secure storage methods. - It is advisable to review the cookie security settings and continue monitoring for potential security vulnerabilities related to token handling.Scripts Executed
The following scripts were executed for the analysis: --- Script: ```shell #!/bin/bash # Description: Verify the secure handling of the access token used in the `useLinkedUsers` hook. # Search for the usage of `Cookies.get('access_token')` to ensure it's handled securely. rg --type js --type ts "Cookies.get('access_token')" ``` Length of output: 60 --- --- Script: ```shell #!/bin/bash # Broaden the search to find any references to 'access_token' in JavaScript or TypeScript files to understand how it's handled. rg --type js --type ts "access_token" ``` Length of output: 34280apps/client-ts/src/hooks/useWebhooks.tsx (1)
`6-11`: The `useWebhooks` hook correctly implements fetching of webhook data with appropriate error handling. Ensure that the access token used for authorization is handled securely throughout the application.apps/client-ts/src/hooks/useConnectionStrategies.tsx (1)
`6-10`: The `useConnectionStrategies` hook correctly implements fetching of connection strategy data with appropriate error handling. Ensure that the access token used for authorization is handled securely throughout the application.apps/client-ts/src/hooks/useEvents.tsx (1)
`7-13`: The `useEvents` hook correctly implements fetching of event data with appropriate error handling and pagination support. Ensure that the access token used for authorization is handled securely throughout the application. Also applies to: 28-31packages/api/src/@core/events/events.controller.ts (2)
`37-37`: Added JWT guard to `getEvents` method. This ensures that the endpoint is protected and only accessible to authenticated users, aligning with security best practices. --- `39-41`: Implementation of `getEvents` method. The method correctly retrieves the `id_project` from the request's user object and passes it along with the pagination DTO to the service layer. This is a clean and efficient way to handle data retrieval based on user context.packages/api/src/@core/webhook/webhook.controller.ts (2)
`32-32`: Added JWT guard to `getWebhooks` method. This ensures that the endpoint is protected and only accessible to authenticated users, aligning with security best practices. --- `34-36`: Implementation of `getWebhooks` method. The method correctly retrieves the `id_project` from the request's user object and uses it to fetch webhook endpoints. This approach maintains consistency in handling user-specific data.apps/client-ts/src/app/(Dashboard)/b2c/profile/page.tsx (1)
`22-23`: Use of state management hooks in profile page. The use of `useProfileStore` and `useProjectStore` hooks for managing profile and project data is appropriate and follows React best practices for state management.apps/client-ts/src/hooks/mutations/useRefreshAccessTokenMutation.tsx (1)
`10-56`: Implementation of `useRefreshAccessTokenMutation` hook. The hook is well-implemented using `react-query` for handling the asynchronous operation of refreshing access tokens. The use of error handling and success callbacks enhances the user experience by providing feedback.packages/api/src/@core/linked-users/linked-users.controller.ts (2)
`47-47`: Added JWT guard to `getLinkedUsers` method. This ensures that the endpoint is protected and only accessible to authenticated users, aligning with security best practices. --- `49-51`: Implementation of `getLinkedUsers` method. The method correctly retrieves the `id_project` from the request's user object and uses it to fetch linked users. This approach maintains consistency in handling user-specific data.apps/client-ts/src/components/RootLayout/index.tsx (2)
`15-15`: Use of `useRefreshAccessTokenMutation` hook in root layout. The integration of the `useRefreshAccessTokenMutation` hook in the root layout component is appropriate for managing access token refreshes at a global level, ensuring that the user session remains active. --- `34-34`: Review of `useEffect` dependencies. The inclusion of `idProject`, `projectsData`, `refreshAccessToken`, and `setIdProject` in the dependency array of `useEffect` is correct, ensuring that the effect reruns only when these dependencies change.packages/api/src/@core/auth/auth.controller.ts (3)
`17-17`: Introduction of `RefreshDto`. The addition of `RefreshDto` is a good practice for encapsulating the data structure required for the refresh token functionality, enhancing maintainability and type safety. --- `70-74`: Implementation of `getApiKeys` method. The method correctly retrieves the `id_project` from the request's user object and uses it to fetch API keys. This approach is consistent and secure, ensuring that API keys are retrieved based on the user's project context. --- `90-107`: Implementation of `refreshAccessToken` method. The method effectively uses the `RefreshDto` to receive the `projectId` and extracts necessary user details from the request object to refresh the access token. This implementation is robust, ensuring that tokens are refreshed in a secure and user-specific manner.packages/api/src/@core/connections-strategies/connections-strategies.controller.ts (2)
`138-138`: Added JWT guard to `getConnectionStrategiesForProject` method. This ensures that the endpoint is protected and only accessible to authenticated users, aligning with security best practices. --- `140-143`: Implementation of `getConnectionStrategiesForProject` method. The method correctly retrieves the `id_project` from the request's user object and uses it to fetch all connection strategies for that project. This approach maintains consistency in handling user-specific data and ensures that the data is relevant to the user's context.apps/client-ts/src/components/Connection/ConnectionTable.tsx (1)
`29-29`: Ensure error handling is robust for the `useConnections` hook.apps/client-ts/src/app/(Dashboard)/api-keys/page.tsx (1)
`60-60`: Ensure error handling is robust for the `useApiKeys` hook.apps/client-ts/src/components/shared/team-switcher.tsx (1)
`59-59`: Ensure error handling is robust for the `useRefreshAccessTokenMutation` hook.apps/client-ts/src/app/(Dashboard)/configuration/page.tsx (1)
`49-49`: Ensure error handling is robust for the `useLinkedUsers` hook.packages/api/src/@core/auth/auth.service.ts (1)
`63-63`: Ensure error handling is robust for the `getApiKeys` method.Verification successful
--- The verification process has successfully identified robust error handling within the `getApiKeys` method in the `auth.service.ts` file. The method includes catch blocks that handle errors by calling a `handleServiceError` function, which presumably logs these errors appropriately. This aligns with the initial review comment's concern about ensuring robust error handling. **Conclusion:** - The `getApiKeys` method in `auth.service.ts` includes error handling that logs errors, which is crucial for debugging and maintaining the robustness of the application.Scripts Executed
The following scripts were executed for the analysis: --- Script: ```shell #!/bin/bash # Description: Verify that the error handling for the `getApiKeys` method is robust and logs sufficient information for debugging. # Search for the getApiKeys method implementation and check for error handling. rg --type typescript "async getApiKeys" --exec cat {} | grep -E "catch|error" ``` Length of output: 490 --- --- Script: ```shell #!/bin/bash # Description: Verify that the error handling for the `getApiKeys` method is robust and logs sufficient information for debugging. # Find the file containing the getApiKeys method file_path=$(rg --type typescript -l "async getApiKeys") # Output the contents of the method and check for error handling if [[ -n "$file_path" ]]; then cat "$file_path" | grep -A 10 -B 10 "async getApiKeys" | grep -E "catch|error" else echo "No file containing 'async getApiKeys' found." fi ``` Length of output: 212 --- --- Script: ```shell #!/bin/bash # Description: Verify that the error handling for the `getApiKeys` method is robust and logs sufficient information for debugging. # Find the file containing the getApiKeys method file_path=$(rg -l "async getApiKeys" *.ts) # Output the contents of the method and check for error handling if [[ -n "$file_path" ]]; then cat "$file_path" | grep -A 10 -B 10 "async getApiKeys" | grep -E "catch|error" else echo "No file containing 'async getApiKeys' found." fi ``` Length of output: 211 --- --- Script: ```shell #!/bin/bash # Description: Verify that the error handling for the `getApiKeys` method is robust and logs sufficient information for debugging. # Find the file containing the getApiKeys method file_path=$(rg -l "async getApiKeys" --type ts) # Output the contents of the method and check for error handling if [[ -n "$file_path" ]]; then cat "$file_path" | grep -A 10 -B 10 "async getApiKeys" | grep -E "catch|error" else echo "No file containing 'async getApiKeys' found." fi ``` Length of output: 536 --- --- Script: ```shell #!/bin/bash # Description: Verify that the error handling for the `getApiKeys` method is robust and logs sufficient information for debugging. # Find the files containing the getApiKeys method file_paths=$(rg -l "async getApiKeys" --type ts) # Output the contents of the method and check for error handling if [[ -n "$file_paths" ]]; then echo "$file_paths" | while read file_path; do if [[ -n "$file_path" ]]; then cat "$file_path" | grep -A 10 -B 10 "async getApiKeys" | grep -E "catch|error" fi done else echo "No file containing 'async getApiKeys' found." fi ``` Length of output: 872apps/client-ts/src/components/Configuration/FieldMappingModal.tsx (1)
`112-112`: Ensure error handling is robust for the `useLinkedUsers` hook.
New and removed dependencies detected. Learn more about Socket for GitHub ↗︎
🚮 Removed packages: npm/@nestjs/cli@10.0.0, npm/@nestjs/common@10.0.0, npm/@nestjs/core@10.0.0, npm/@nestjs/mapped-types@0.0.1, npm/@nestjs/platform-express@10.0.0, npm/@nestjs/schedule@4.0.2, npm/@nestjs/schematics@10.0.0, npm/@nestjs/swagger@7.1.14, npm/@nestjs/testing@10.0.0, npm/@prisma/client@5.4.2, npm/@sentry/node@7.112.2, npm/@sentry/tracing@7.112.2, npm/@types/express@4.17.17, npm/@types/jest@29.5.2, npm/@types/node@20.3.1, npm/@types/supertest@2.0.12, npm/@typescript-eslint/eslint-plugin@5.59.11, npm/@typescript-eslint/parser@5.59.11, npm/axios@1.5.1, npm/eslint-config-prettier@8.8.0, npm/eslint@8.42.0, npm/jest@29.5.0, npm/nestjs-pino@3.5.0, npm/passport-headerapikey@1.2.2, npm/passport-jwt@4.0.1, npm/passport-local@1.0.0, npm/passport@0.6.0, npm/pino-pretty@10.3.1, npm/prettier@2.8.8, npm/prisma@5.4.2, npm/reflect-metadata@0.1.13, npm/rxjs@7.8.1, npm/source-map-support@0.5.21, npm/stytch@10.15.1, npm/supertest@6.3.3, npm/ts-jest@29.1.0, npm/ts-loader@9.4.3, npm/ts-node@10.9.1, npm/tsconfig-paths@4.2.0, npm/typescript@5.1.3, npm/uuid@9.0.1
🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎
To accept the risk, merge this PR and you will not be notified again.
Alert | Package | Note | Source |
---|---|---|---|
Install scripts | npm/esbuild@0.18.20 |
|
|
Install scripts | npm/esbuild@0.19.12 |
|
|
Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.
Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.
Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.
If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.
To ignore an alert, reply with a comment starting with @SocketSecurity ignore
followed by a space separated list of ecosystem/package-name@version
specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0
or ignore all packages with @SocketSecurity ignore-all
@SocketSecurity ignore npm/esbuild@0.18.20
@SocketSecurity ignore npm/esbuild@0.19.12
:wq
Summary by CodeRabbit