chore: update schema #916

Merged
merged 3 commits into from
Sep 27, 2024

Conversation

dbarrosop (Member) commented Sep 25, 2024

PR Type

Enhancement


Description

  • Added Turnstile integration to the authentication system:
    • Introduced Turnstile configuration in the SignUp struct with a SecretKey field
    • Updated test configurations to include Turnstile secret
  • Updated github.com/nhost/be dependency to the latest version
  • Modified relevant test files to accommodate the new Turnstile configuration

Changes walkthrough 📝

Relevant files

Enhancement
  cmd/config/example.go (+3/-0): Add Turnstile configuration to SignUp
    • Added Turnstile configuration to the SignUp struct with a SecretKey field

Tests
  dockercompose/auth_test.go (+1/-0): Add Turnstile secret to auth test configuration
    • Added AUTH_TURNSTILE_SECRET environment variable with value "turnstileSecretKey"
  dockercompose/main_test.go (+3/-0): Update test config with Turnstile settings
    • Added Turnstile configuration to the SignUp struct in the test config

Dependencies
  go.mod (+1/-1): Update nhost/be dependency version
    • Updated github.com/nhost/be dependency to version v0.0.0-20240925125635-9b2298f21170
  go.sum (+2/-2): Update checksum for nhost/be dependency
    • Updated checksum for github.com/nhost/be to match the new version

Contributor

    PR Reviewer Guide 🔍

    ⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
    🧪 PR contains tests
    🔒 Security concerns

    Sensitive information exposure:
    The Turnstile secret key is hardcoded in the example configuration file (cmd/config/example.go) and in the test configuration (dockercompose/main_test.go). Although these are likely not production files, it's generally a bad practice to include even example secrets in code, as they might accidentally be used in real environments.

    ⚡ Key issues to review

    Hardcoded Secret
    The Turnstile secret key is hardcoded in the example configuration. This might lead to accidental exposure of the secret in version control.


    github-actions bot commented Sep 25, 2024

    PR Code Suggestions ✨

Category: Security
    Use an environment variable for sensitive configuration data

    Consider using a constant or environment variable for the Turnstile secret key
    instead of hardcoding it directly in the configuration.

    cmd/config/example.go [162-168]

     SignUp: &model.ConfigAuthSignUp{
       Enabled:         ptr(true),
       DisableNewUsers: ptr(false),
       Turnstile: &model.ConfigAuthSignUpTurnstile{
    -    SecretKey: "turnstileSecretKey",
    +    SecretKey: os.Getenv("TURNSTILE_SECRET_KEY"),
       },
     },
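Review bot: the suggested os.Getenv("TURNSTILE_SECRET_KEY") does not fit cmd/config/example.go. The file, as its path and the reviewer guide's own wording say, holds an example configuration, so reading the environment at that point either leaves SecretKey empty whenever the variable is unset or bakes whatever real secret happens to be exported into the generated example. The placeholder "turnstileSecretKey" is the right content for an example; the risk to guard against is a deployment running with that placeholder, which belongs in a startup check in the auth service, not in this file. The replacement line would also need an os import that the snippet does not show.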
     
    Suggestion importance[1-10]: 9

    Why: The suggestion addresses a significant security concern by recommending the use of environment variables for sensitive data instead of hardcoding it.

Category: Best practice
    Use a mock value for sensitive data in test configurations

    Consider using a placeholder or mock value for the Turnstile secret key in test
    configurations to avoid exposing sensitive information in test files.

    dockercompose/auth_test.go [31]

    -"AUTH_TURNSTILE_SECRET":                     "turnstileSecretKey",
    +"AUTH_TURNSTILE_SECRET":                     "test_turnstile_secret",
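Review bot: renaming the placeholder on this one line is not a security improvement and is likely to break the test. The same string "turnstileSecretKey" is what the dockercompose/main_test.go suggestion in this comment sets as SecretKey in the test config, and this AUTH_TURNSTILE_SECRET entry reads as the environment value expected to be derived from it; changing only one side leaves the two out of step. Neither value is a real secret, so the exposure concern does not apply. If the value is to change, change it on both sides in one edit, or have both read one shared constant.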
     
    Suggestion importance[1-10]: 8

    Why: This suggestion improves security and test practices by recommending the use of mock values for sensitive data in test configurations.

Category: Maintainability
    Use a constant for sensitive test data to improve maintainability

    Similar to the previous suggestions, consider using a mock value or a constant for
    the Turnstile secret key in test configurations to maintain consistency and avoid
    potential security risks.

    dockercompose/main_test.go [203-209]

     SignUp: &model.ConfigAuthSignUp{
       Enabled:         ptr(true),
       DisableNewUsers: ptr(false),
       Turnstile: &model.ConfigAuthSignUpTurnstile{
    -    SecretKey: "turnstileSecretKey",
    +    SecretKey: testTurnstileSecretKey,
       },
     },
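Review bot: testTurnstileSecretKey is used in the replacement line but not declared anywhere in the hunk, so as posted the file would not compile; the suggestion needs the accompanying declaration, for example `const testTurnstileSecretKey = "turnstileSecretKey"`. If it is introduced, the AUTH_TURNSTILE_SECRET entry in dockercompose/auth_test.go should reference the same constant, so the configured secret and the expected environment value cannot drift apart; that, rather than the value itself, is the maintainability gain, since the value is a test fixture and not a secret.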
     
    Suggestion importance[1-10]: 7

Why: The suggestion enhances maintainability and consistency in test configurations, though it's slightly less critical than the previous two suggestions.
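The SecretKey added by this PR is the server-side key the auth service presents to Cloudflare's siteverify endpoint when it checks a sign-up's Turnstile token, and the review thread above turns on one question: what stops a deployment from running with the example value. The following Go program is an added example, not code from the nhost project or from this PR. It shows a verifier that refuses to start with an empty or placeholder secret (the deny-list uses the two placeholder strings that appear in this thread), posts the token and optional client IP to siteverify as form fields, and accepts the reply only when success is true and the hostname matches the expected site. The fakeSiteverify stand-in server, the secret and token values, and the hostname app.example.com are constructed so the example runs offline; in the real service the secret would be read from AUTH_TURNSTILE_SECRET rather than written into source.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// SiteverifyURL is Cloudflare's verification endpoint for Turnstile tokens.
const SiteverifyURL = "https://challenges.cloudflare.com/turnstile/v0/siteverify"

// Placeholder values from examples and tests that must never reach a running service.
var placeholderSecrets = map[string]bool{"": true, "turnstileSecretKey": true, "test_turnstile_secret": true}
var ErrPlaceholderSecret = errors.New("turnstile: secret key is empty or a placeholder")

// Verifier holds the server-side secret and the siteverify endpoint to call.
type Verifier struct {
	secret, endpoint string
	client           *http.Client
}

// NewVerifier is the startup check: a placeholder secret is an error, so the deployment fails closed.
func NewVerifier(secret, endpoint string) (*Verifier, error) {
	if placeholderSecrets[strings.TrimSpace(secret)] {
		return nil, ErrPlaceholderSecret
	}
	return &Verifier{secret: secret, endpoint: endpoint, client: &http.Client{Timeout: 5 * time.Second}}, nil
}

// siteverifyResponse carries the reply fields this example acts on.
type siteverifyResponse struct {
	Success    bool     `json:"success"`
	ErrorCodes []string `json:"error-codes"`
	Hostname   string   `json:"hostname"`
}

// Verify posts the token (and client IP, if known) to siteverify; it accepts only success=true for expectedHost.
func (v *Verifier) Verify(ctx context.Context, token, remoteIP, expectedHost string) error {
	form := url.Values{"secret": {v.secret}, "response": {token}}
	if remoteIP != "" {
		form.Set("remoteip", remoteIP)
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, v.endpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := v.client.Do(req)
	if err != nil {
		return fmt.Errorf("turnstile: siteverify request failed: %w", err)
	}
	defer resp.Body.Close()
	var out siteverifyResponse
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return fmt.Errorf("turnstile: bad siteverify reply (HTTP %d): %w", resp.StatusCode, err)
	}
	if !out.Success {
		return fmt.Errorf("turnstile: verification failed: %s", strings.Join(out.ErrorCodes, ","))
	}
	if expectedHost != "" && out.Hostname != expectedHost {
		return fmt.Errorf("turnstile: token issued for %q, expected %q", out.Hostname, expectedHost)
	}
	return nil
}

// fakeSiteverify is a constructed offline stand-in for Cloudflare's endpoint: one secret, one token, real JSON shape.
func fakeSiteverify(wantSecret, wantToken string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var reply siteverifyResponse
		switch {
		case r.PostFormValue("secret") != wantSecret:
			reply.ErrorCodes = []string{"invalid-input-secret"}
		case r.PostFormValue("response") != wantToken:
			reply.ErrorCodes = []string{"invalid-input-response"}
		default:
			reply.Success, reply.Hostname = true, "app.example.com"
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(reply)
	})
}

func main() {
	// Constructed demo values; a real service reads the secret from AUTH_TURNSTILE_SECRET, not from source.
	srv := httptest.NewServer(fakeSiteverify("real-secret", "good-token"))
	defer srv.Close()
	_, err := NewVerifier("turnstileSecretKey", srv.URL)
	fmt.Println("startup with placeholder:", err)
	v, _ := NewVerifier("real-secret", srv.URL)
	fmt.Println("good token:", v.Verify(context.Background(), "good-token", "203.0.113.7", "app.example.com"))
	fmt.Println("forged token:", v.Verify(context.Background(), "forged", "203.0.113.7", "app.example.com"))
}
```

The deny-list check belongs at construction time so a misconfigured container fails at boot rather than silently accepting every sign-up; the hostname comparison closes the case where a valid token minted for another site on the same Turnstile widget is replayed against this one. Against the real endpoint, pass SiteverifyURL instead of the fake server's URL.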

    @dbarrosop dbarrosop merged commit 7c0dae2 into main Sep 27, 2024
    8 checks passed
    @dbarrosop dbarrosop deleted the upd34 branch September 27, 2024 10:02