Skip to content

Comments

[feature] SC-166737/improve app proxy security by restricting where token replacements can go#65

Open
HappyPaul55 wants to merge 1 commit intomainfrom
SC-166737/improve-app-proxy-security-by-restricting-where-token-replacements-can-go
Open

[feature] SC-166737/improve app proxy security by restricting where token replacements can go#65
HappyPaul55 wants to merge 1 commit intomainfrom
SC-166737/improve-app-proxy-security-by-restricting-where-token-replacements-can-go

Conversation

@HappyPaul55
Copy link
Contributor

@HappyPaul55 HappyPaul55 commented Nov 18, 2025
edited by sourcery-ai bot
Loading

This pull request introduces improvements to how authentication credentials are injected into API requests and adds type safety to the placeholders object in the codebase. The most important changes are grouped below:

Authentication Settings Injection:

  • Updated the manifest.json API configuration to include a new settingsInjection object, which maps client_id, client_secret, and global_access_token to specific fields in the request body. This change allows for more flexible and secure injection of authentication credentials into API calls.

Type Safety Enhancements:

  • Added as const to the placeholders object in src/constants.ts, ensuring that the object is treated as a read-only constant and improving type safety throughout the codebase.

Summary by Sourcery

Introduce secure injection of authentication credentials in API requests and enhance type safety for placeholder constants

New Features:

  • Add settingsInjection configuration in manifest.json to map client_id, client_secret, and global_access_token to specific request body fields

Enhancements:

  • Mark the placeholders object as a read-only constant with as const for improved type safety

@HappyPaul55 HappyPaul55 requested a review from Copilot November 18, 2025 15:57
@sourcery-ai
Copy link

sourcery-ai bot commented Nov 18, 2025
edited
Loading

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Introduce a new settingsInjection section in manifest.json to explicitly map authentication credentials into specific request body fields for enhanced security, and enforce read-only type safety on the placeholders object by adding 'as const'.

Class diagram for updated placeholders constant

classDiagram
  class placeholders {
    <<const>>
    ACCESS_TOKEN : string
    GLOBAL_ACCESS_TOKEN : string
    GLOBAL_REFRESH_TOKEN : string
  }
Loading

File-Level Changes

Change Details Files
Configurable authentication credentials injection
  • Added settingsInjection mapping for client_id, client_secret, and global_access_token
  • Specified target fields in request body for each credential
 manifest.json
Improved type safety for placeholders
  • Appended 'as const' to the placeholders object declaration
 src/constants.ts
Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

sourcery-ai[bot]
sourcery-ai bot reviewed Nov 18, 2025
View reviewed changes
Copy link

@sourcery-ai sourcery-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey there - I've reviewed your changes - here's some feedback:

  • Update your manifest.json schema/TypeScript interfaces to include the new settingsInjection field so you get compile-time validation of your injection mappings.
  • Add a runtime validation step to ensure settingsInjection keys align with actual placeholders and prevent misconfiguration or accidental token injection into unintended fields.
Prompt for AI Agents 
Please address the comments from this code review:

## Overall Comments
- Update your manifest.json schema/TypeScript interfaces to include the new settingsInjection field so you get compile-time validation of your injection mappings.
- Add a runtime validation step to ensure settingsInjection keys align with actual placeholders and prevent misconfiguration or accidental token injection into unintended fields.
Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

Copilot AI reviewed Nov 18, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This pull request enhances security and type safety in the Lansweeper Deskpro app by restricting where authentication credentials can be injected and improving TypeScript type definitions.

  • Adds a settingsInjection configuration to the API proxy whitelist entry, explicitly defining which settings can be injected into specific request body fields
  • Applies as const assertion to the placeholders object for improved type safety and immutability

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
src/constants.ts Adds as const assertion to the placeholders object to make it immutable and provide better type inference
manifest.json Introduces settingsInjection configuration that maps authentication settings (client_id, client_secret, global_access_token) to specific request body fields, restricting where credential replacements can occur in proxied API requests

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@github-actions
Copy link

github-actions bot commented Nov 20, 2025

Build for commit c2c56dc deployed to: https://lansweeper-pr-65.ci.next.deskprodemo.com

URLs:
https://lansweeper-pr-65.ci.next.deskprodemo.com/horizon-ui/app

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sourcery-ai sourcery-ai[bot] sourcery-ai[bot] left review comments

Copilot code review Copilot Copilot left review comments

@AshleyDawson AshleyDawson Awaiting requested review from AshleyDawson AshleyDawson is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@HappyPaul55