Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Clean the output when useJWT=true #756

Merged
merged 24 commits into from
May 7, 2021
Merged

Clean the output when useJWT=true #756

merged 24 commits into from
May 7, 2021

Conversation

cea2aj
Copy link
Member

@cea2aj cea2aj commented May 7, 2021

Remove the apiKey from the build output when useJWT=true

The apiKey needs to be removed in the templatedataformatter and in the JAMBO_INJECTED_DATA that weback puts in the bundles.

J=J=SLAP-1118
TEST=manual, auto

When useJWT is true, run a build and search for the apiKey and confirm that it does not appear anywhere in the build output. Test this with JAMBO_INJECTED_DATA which contains apiKeys. Smoke test the JWT integration and the standard integration. Add unit test.

@cea2aj cea2aj requested review from tmeyer2115 and oshi97 May 7, 2021 04:51
tmeyer2115
tmeyer2115 reviewed May 7, 2021
View reviewed changes
static/webpack-config.js Outdated
new webpack.EnvironmentPlugin({
JAMBO_INJECTED_DATA: null
new webpack.DefinePlugin({
'process.env.JAMBO_INJECTED_DATA': JSON.stringify(JSON.stringify(updatedJamboInjectedData))
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For my own edification, what's the scope of using the JAMBO_INJECTED_DATA in our Webpack toolchain? I believe we use it in the iFrame assets to get domains and such. Are we embedding the whole object in any of our static assets or using the apiKey in any of the static assets?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We do put the whole object in a few spots, and that ends up in many of our assets.

Webpack puts it into the HitchhikerJS.getInjectedProp() function. The only spot where that accesses the apiKey in our code is in core.hbs, but I disabled that access when useJWT is true. It's possible that someone might be trying to get the apiKey from getInjectedProp(), but that really doesn't make sense if a site is built with useJWT=true.

Secondly, it's put in the InjectedData class which simply provides info about the domains, so the apiKey is not needed there.

static/webpack/getSecuredJamboInjectedData.js Outdated Show resolved Hide resolved
@oshi97
Copy link
Contributor

oshi97 commented May 7, 2021

it looks like there's something funny with the iframe snapshots

oshi97
oshi97 reviewed May 7, 2021
View reviewed changes
hooks/templatedataformatter.js Outdated Show resolved Hide resolved
hooks/templatedataformatter.js Outdated Show resolved Hide resolved
static/webpack-config.js Outdated Show resolved Hide resolved
static/webpack/getSecuredJamboInjectedData.js Outdated Show resolved Hide resolved
@cea2aj cea2aj changed the title Secure the output when useJWT=true Clean the output when useJWT=true May 7, 2021
@cea2aj
Copy link
Member Author

cea2aj commented May 7, 2021

it looks like there's something funny with the iframe snapshots

The issue was that I needed to fall back to null if JAMBO_INJECTED_DATA was not supplied

@cea2aj cea2aj requested review from tmeyer2115 and oshi97 May 7, 2021 18:29
oshi97
oshi97 reviewed May 7, 2021
View reviewed changes
static/webpack-config.js Outdated Show resolved Hide resolved
static/webpack-config.js Show resolved Hide resolved
oshi97
oshi97 approved these changes May 7, 2021
View reviewed changes
Copy link
Contributor

@oshi97 oshi97 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm!

@cea2aj cea2aj changed the base branch from dev/iframe-jwt to feature/jwt-support May 7, 2021 19:39
@cea2aj cea2aj merged commit 2cea8e5 into feature/jwt-support May 7, 2021
cea2aj added a commit that referenced this pull request Jun 1, 2021
@cea2aj
Clean the output when useJWT=true (#756)
96bf8f2 
Remove the apiKey from the build output when useJWT=true

The apiKey needs to be removed in the templatedataformatter and in the JAMBO_INJECTED_DATA that weback puts in the bundles.

J=J=SLAP-1118
TEST=manual, auto

When useJWT is true, run a build and search for the apiKey and confirm that it does not appear anywhere in the build output. Test this with JAMBO_INJECTED_DATA which contains apiKeys. Smoke test the JWT integration and the standard integration. Add unit test.
cea2aj added a commit that referenced this pull request Jun 1, 2021
@cea2aj
Clean the output when useJWT=true (#756)
37a6827 
Remove the apiKey from the build output when useJWT=true

The apiKey needs to be removed in the templatedataformatter and in the JAMBO_INJECTED_DATA that weback puts in the bundles.

J=J=SLAP-1118
TEST=manual, auto

When useJWT is true, run a build and search for the apiKey and confirm that it does not appear anywhere in the build output. Test this with JAMBO_INJECTED_DATA which contains apiKeys. Smoke test the JWT integration and the standard integration. Add unit test.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@oshi97 oshi97 oshi97 approved these changes

@tmeyer2115 tmeyer2115 Awaiting requested review from tmeyer2115

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@cea2aj @oshi97 @tmeyer2115