…nd backend development, including PWA features, security best practices, and OAuth integration. Consolidate legacy integration documentation and remove outdated files to improve maintainability and clarity.
…endpoint for resetting OAuth context and enhancements to state parameter handling. Archive legacy integrations documentation for clarity and maintainability.
…dd flow-lock to prevent double-initiation of OAuth processes, and include code challenge parameters in authorization URL generation. Tighten rate limiting on the callback endpoint for added protection. Update integration tests to validate PKCE implementation.
…ameters and adjusting rate limiting for test environments. Update integration and performance tests to validate new state parameter handling and ensure consistent behavior across various scenarios.
…the addition of HMAC-signed state parameters, a new reset endpoint for OAuth context, and adjustments to endpoint statistics. Enhance clarity on backend-driven OAuth implementation and security features.
Pull Request Overview
This PR implements a comprehensive backend-driven OAuth security enhancement for cloud provider integrations. The changes migrate from client-side OAuth handling to a server-controlled flow with HMAC-signed state parameters, server-side PKCE, encrypted token storage, and enhanced security monitoring.
- Backend-driven OAuth flow with server-side PKCE generation and token exchange
- HMAC-signed state parameters with cryptographic verification for anti-tampering
- Encrypted storage of OAuth tokens and PKCE verifiers with comprehensive test coverage updates
Reviewed Changes
Copilot reviewed 28 out of 38 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| tests/staging-api-test.py | Comprehensive Python-based staging API test suite with OAuth flow validation |
| tests/requirements.txt | Python dependencies for staging test suite |
| tests/performance/oauth-performance.test.ts | Updated performance tests with server-side PKCE and HMAC state validation |
| tests/oauth/pkce.test.ts | Enhanced PKCE tests with mocked OAuth service to prevent unhandled rejections |
| tests/oauth/oauthCallbackSecurity.test.ts | Updated security tests with HMAC envelope validation and encrypted state handling |
| tests/integration/oauth-flow-end-to-end.test.ts | Comprehensive end-to-end OAuth integration tests with server-side flow |
| tests/integration/oauth-callback.integration.test.ts | Updated callback integration tests with HMAC-signed state parameters |
| tests/STAGING-TEST-README.md | Comprehensive documentation for staging API test suite usage |
| src/schemas/cloudProviderIntegration.schema.ts | Updated schema with encrypted token storage and ephemeral OAuth context |
| src/features/oauth/oauthCallbackSecurity.service.ts | Enhanced security service with HMAC state validation and server-side PKCE |
| src/features/oauth/oauth.service.ts | Updated OAuth service with PKCE parameter support in authorization URLs |
| src/features/oauth/oauth.routes.ts | Added OAuth flow reset endpoint for clearing ephemeral context |
| src/features/oauth/oauth.controller.ts | Updated controller with server-side PKCE and encrypted token storage |
| src/features/cloud-integrations/cloudIntegrations.service.ts | Added OAuth flow context management and encrypted token storage |
| src/config/env.ts | Added OAuth state secret and encryption key environment variables |
| src/app.ts | Increased rate limits for test environment |
| docs/ | Updated documentation with backend-driven OAuth architecture and staging test suite |
Comments suppressed due to low confidence (1)
src/config/env.ts:1
- Critical security environment variables should be required rather than optional to prevent production deployments without proper security configuration.
import { z } from 'zod';
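The HMAC-signed state envelope and server-side PKCE pair that the overview describes, as an added illustration rather than the project's own code: the `<payload>.<signature>` envelope layout, the payload fields, the 10-minute TTL and the example secret are assumptions, and the provider endpoint in the URL builder is a placeholder.

```typescript
import { createHash, createHmac, randomBytes, timingSafeEqual } from 'node:crypto';
// Constructed example secret; the real service reads OAUTH_STATE_SECRET from the environment.
const STATE_SECRET = 'example-only-state-secret-change-me';
const STATE_TTL_MS = 10 * 60 * 1000; // assumed lifetime; older state is rejected

interface StatePayload { integrationId: string; tenantId: string; nonce: string; iat: number; }

function b64url(buf: Buffer): string {
  return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function fromB64url(s: string): Buffer {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
}

// Server-side PKCE: the verifier stays on the server (the PR stores it encrypted);
// only the S256 challenge derived from it is placed in the authorize URL.
function createPkcePair(): { verifier: string; challenge: string } {
  const verifier = b64url(randomBytes(32));
  const challenge = b64url(createHash('sha256').update(verifier).digest());
  return { verifier, challenge };
}

// HMAC envelope "<b64url payload>.<b64url HMAC-SHA256(payload)>": the callback can detect
// any edit to integrationId/tenantId/nonce without having to store the state server-side.
function signState(payload: StatePayload, secret: string = STATE_SECRET): string {
  const body = b64url(Buffer.from(JSON.stringify(payload)));
  return `${body}.${b64url(createHmac('sha256', secret).update(body).digest())}`;
}

// Returns the payload only if the signature matches (constant-time compare) and it is still fresh.
function verifyState(state: string, nowMs: number = Date.now(), secret: string = STATE_SECRET): StatePayload | null {
  const parts = state.split('.');
  if (parts.length !== 2) return null;
  const expected = createHmac('sha256', secret).update(parts[0]).digest();
  const given = fromB64url(parts[1]);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  let payload: StatePayload | null = null;
  try { payload = JSON.parse(fromB64url(parts[0]).toString('utf8')) as StatePayload; } catch { return null; }
  if (!payload || typeof payload.iat !== 'number' || nowMs - payload.iat > STATE_TTL_MS) return null;
  return payload;
}

// Authorize URL carrying the signed state plus the PKCE challenge (endpoint is a placeholder).
function buildAuthorizeUrl(endpoint: string, clientId: string, redirectUri: string, state: string, challenge: string): string {
  const u = new URL(endpoint);
  u.search = new URLSearchParams({ response_type: 'code', client_id: clientId, redirect_uri: redirectUri,
    state, code_challenge: challenge, code_challenge_method: 'S256' }).toString();
  return u.toString();
}
```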
| init(autoreset=True) | ||
|
|
||
| # Configuration | ||
| API_BASE_URL = "https://mwapss.shibari.photo/api/v1" |
The hardcoded staging URL should be configurable via environment variable to support different deployment environments.
| API_BASE_URL = "https://mwapss.shibari.photo/api/v1" | |
| API_BASE_URL = os.environ.get("MWAP_API_BASE_URL", "https://mwapss.shibari.photo/api/v1") |
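Review bot: the suggested fallback still bakes the staging host into the test suite, so a run with MWAP_API_BASE_URL unset silently targets that host; since the line already reads the environment, consider failing fast with a clear message when the variable is missing (or defaulting to a local URL), and confirm that `os` is imported at the top of tests/staging-api-test.py, which this hunk does not show.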
| userPreferences: Array.from({ length: 200 }, (_, i) => ({ | ||
| key: `preference_${i}`, | ||
| value: `value_${i}`.repeat(10) | ||
| value: `value_${i}`.repeat(5) | ||
| })), | ||
| sessionData: 'x'.repeat(10000), | ||
| temporaryData: Array.from({ length: 100 }, (_, i) => `temp_data_${i}`) | ||
| sessionData: 'x'.repeat(2000), | ||
| temporaryData: Array.from({ length: 50 }, (_, i) => `temp_data_${i}`) |
[nitpick] The reduced test data sizes (from 1000 to 200, 10000 to 2000, 100 to 50) may not adequately test large payload scenarios that could occur in production.
| return result; | ||
| } | ||
| stateData = decodedStateObj as StateParameter; | ||
| const secret = process.env.OAUTH_STATE_SECRET || 'dev-state-secret'; |
Using a fallback development secret in production could be a security risk. Consider throwing an error if OAUTH_STATE_SECRET is not set in production environments.
| const secret = process.env.OAUTH_STATE_SECRET || 'dev-state-secret'; | |
| let secret = process.env.OAUTH_STATE_SECRET; | |
| if (!secret) { | |
| if (process.env.NODE_ENV === 'production') { | |
| throw new Error('OAUTH_STATE_SECRET must be set in production environments'); | |
| } | |
| secret = 'dev-state-secret'; | |
| } |
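Review bot: the suggested guard only refuses the fallback when NODE_ENV is exactly 'production', so a deployment where NODE_ENV is unset or set to 'staging' still signs state with the source-visible 'dev-state-secret', which lets anyone who can read the repository forge a valid HMAC envelope; invert the check so the fallback is allowed only when NODE_ENV is explicitly 'development' or 'test', or better, validate OAUTH_STATE_SECRET once at startup in src/config/env.ts (the suppressed comment above asks for the same) and enforce a minimum length there. Also note that `stateData = decodedStateObj as StateParameter;` is a compile-time cast only, so no field of stateData should be trusted until the signature check that uses `secret` has passed.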
| const status = (integration as any)?.oauth?.status as string | undefined; | ||
| if (status && ['initiated','exchanging'].includes(status) && expiresAt && expiresAt > nowMs) { | ||
| logInfo('OAuth initiate blocked due to active flow lock', { integrationId, tenantId, status, expiresAt }); | ||
| throw new ApiError('OAuth flow already initiated', 409); |
[nitpick] The error message 'OAuth flow already initiated' could be more user-friendly. Consider providing guidance on how to resolve the issue (e.g., 'OAuth flow in progress. Please wait or reset the flow.').
| throw new ApiError('OAuth flow already initiated', 409); | |
| throw new ApiError('OAuth flow in progress. Please wait for completion or reset the flow before trying again.', 409); |
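Review bot: the lock condition `status && ['initiated','exchanging'].includes(status) && expiresAt && expiresAt > nowMs` means a record stuck in 'initiated' or 'exchanging' with no expiresAt is never treated as locked, while a record whose expiresAt has lapsed is allowed to re-initiate without the stale context being cleared; state explicitly which behaviour is intended (treat a missing expiresAt as locked, or reset the oauth context when the lock has lapsed) and cover both cases in the integration tests. The `(integration as any)` cast also hides the type of `oauth.status`; since this PR updates src/schemas/cloudProviderIntegration.schema.ts with the ephemeral OAuth context, reading the status through the typed schema would let the compiler catch a mistyped status string.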
Pull Request
Description
Brief description of the changes in this PR.
Type of Change
Related Issues
Closes #(issue number)
Changes Made
Documentation Impact
Testing
Run npm run docs:validate to check documentation links
Security Considerations
Architecture Compliance
Checklist
Screenshots (if applicable)
Add screenshots to help explain your changes.
Additional Notes
Any additional information that reviewers should know.