Add privacy policies and services for Job Board and Website 2026 #164
wesenbergg wants to merge 1 commit into master from
Conversation
Pull request overview
This PR adds two new OAuth services (Job Board and Website 2026) with corresponding privacy policies to the user service seed data. Additionally, it includes a critical bug fix to ensure OpenID Connect compliance by guaranteeing the sub claim is always present in ID tokens.
Changes:
- Fixes OpenID Connect compliance by ensuring the sub (subject) claim is always included in ID tokens, regardless of requested scopes or service permissions
- Adds Job Board service (id 9) and Website 2026 service (id 10) to seed data
- Adds corresponding privacy policies for both new services
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/controllers/OAuthController.ts | Ensures sub claim is always present in ID tokens for OpenID Connect compliance |
| seeds/seedData/services.js | Adds Job Board and Website 2026 services to seed data with full data permissions |
| seeds/seedData/privacy_policies.ts | Adds placeholder privacy policies for the two new services |
| }, | ||
| { | ||
| id: 10, | ||
| service_identifier: "47496d92-ce34-46db-92d1-b0ab5c71ab17", |
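Review bot: this hunk shows only the id and service_identifier of the new Website 2026 entry, yet the file table above says both new services are seeded "with full data permissions"; a job board or a marketing site rarely needs every user attribute, so consider narrowing each service's permission set to the claims it actually consumes (least privilege) before this seed data reaches an environment with real users.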
The service_identifier UUIDs for the two new services share the same first three segments (47496d92-ce34-46db-92d1-*). While not technically incorrect, this pattern doesn't appear in other services and could indicate a copy-paste error. Consider verifying that these UUIDs are intentionally related or generating completely different UUIDs to avoid potential confusion.
| service_identifier: "47496d92-ce34-46db-92d1-b0ab5c71ab17", | |
| service_identifier: "2b8f0c62-1a7d-4e3b-9c4f-5d8a1b2c3d4e", |
| const token = { | ||
| iss: process.env.ISSUER_ID, | ||
| sub: String(user.id), |
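Review bot: `iss: process.env.ISSUER_ID` is read without a check, so if ISSUER_ID is unset the token is minted with `iss: undefined` and will be rejected by every relying party that validates the issuer; consider loading and validating the issuer once at startup (fail fast) instead of at token-issuance time.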
The PR title and description only mention adding privacy policies and services, but this change also includes a critical bug fix to ensure the 'sub' claim is always present in OpenID Connect ID tokens. This is a significant change that fixes OpenID Connect compliance and should be mentioned in the PR description. Consider updating the PR description to document this important fix.
| sub: String(user.id), | ||
| aud: service.serviceIdentifier, | ||
| ...claims, |
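Review bot: in this hunk both `sub` and `aud` are assigned before `...claims`, so any key present in `claims` overrides them; the reasoning for placing `sub` after the spread applies equally to `aud`, since nothing that feeds the claims map should be able to change the token's audience. Consider placing the fixed OIDC claims after the spread, e.g. `...claims, sub: String(user.id), aud: service.serviceIdentifier,`.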
The order of object spread may not be optimal. Currently, if claims contains sub, it will overwrite the explicitly set value (though both should be the same). Consider moving the sub assignment after the spread operator to make the intent clearer that sub must always be present regardless of the claims content. This would change the code to:
const token = {
iss: process.env.ISSUER_ID,
aud: service.serviceIdentifier,
...claims,
sub: String(user.id),
};
This ensures sub is always the final value and makes the code's intent more explicit.
| sub: String(user.id), | |
| aud: service.serviceIdentifier, | |
| ...claims, | |
| aud: service.serviceIdentifier, | |
| ...claims, | |
| sub: String(user.id), |
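Review bot: the suggested ordering makes `sub` override-proof but still leaves `aud: service.serviceIdentifier` ahead of `...claims`; move `aud` below the spread as well so the audience is fixed by the same rule.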
No description provided.
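To make the guarantee discussed in the review comments concrete, here is an added example (not code from this PR or the repository) of an ID-token builder that assigns the fixed OIDC claims after the scope-derived ones, together with a relying-party check that the required claims are present; the User, Service and claimsForScopes names and the scope-to-claim mapping are assumptions.

```typescript
// Added example, not the repository's own code. Types, names and the
// scope -> claim mapping below are assumptions for illustration.
interface User { id: number; email: string; name: string; }
interface Service { serviceIdentifier: string; dataPermissions: string[]; }

// Constructed mapping: a claim is released only when the client asked for
// the scope AND the service is permitted to receive that data.
function claimsForScopes(user: User, scopes: string[], service: Service): Record<string, unknown> {
  const out: Record<string, unknown> = {};
  if (scopes.includes("email") && service.dataPermissions.includes("email")) out.email = user.email;
  if (scopes.includes("profile") && service.dataPermissions.includes("profile")) out.name = user.name;
  return out;
}

// Builds the ID-token payload. The required OIDC claims are assigned after
// the spread, so nothing in `claims` can drop or replace sub/aud.
function buildIdToken(user: User, service: Service, scopes: string[], issuer: string | undefined): Record<string, unknown> {
  if (!issuer) throw new Error("ISSUER_ID is not configured"); // fail fast instead of minting iss: undefined
  const claims = claimsForScopes(user, scopes, service);
  const now = Math.floor(Date.now() / 1000);
  return {
    iss: issuer,
    ...claims,
    sub: String(user.id),            // always present, regardless of scopes or permissions
    aud: service.serviceIdentifier,  // fixed by the server, never by the claims map
    iat: now,
    exp: now + 600,
  };
}

// Relying-party side: required ID-token claims present and matching this client.
function idTokenIsValidFor(token: Record<string, unknown>, expectedIssuer: string, expectedAud: string,
                           now: number = Math.floor(Date.now() / 1000)): boolean {
  for (const k of ["iss", "sub", "aud", "iat", "exp"]) if (!(k in token)) return false;
  return token.iss === expectedIssuer
    && token.aud === expectedAud
    && typeof token.sub === "string" && token.sub.length > 0
    && typeof token.exp === "number" && token.exp > now;
}
```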