feat: security banner concept

[ackernaut]

Concept

Adds a banner with color and message options. Fixes #9778

Demo

Loom 1 of 3 — Proof of Concept
Loom 2 of 3 — Fixed Banner in All App Views
Loom 3 of 3 — Layout Accounts for Banner

Todo

• Does the banner cause any overflow issues in the dashboard viewports when views are overflowing with content?
• Add .env vars to provide message and style (change vars to generic banner naming convention)
• Make sure banner shows in all views (e.g. move to Action.ts)
• Tested: remote reflection drag and drop has accurate coordinates

Test

• The banner is fixed at the top of all app views — it doesn’t scroll away
• The banner is set using .env variables including options for text, text color, and background colors
• Remote reflection visual feedback (other users are dragging a reflection and you see it) has accurate coordinates (use a second browser and user to test this)
• Check all views when banner is disabled for desktop
• Check all views when banner is enabled for desktop
• Check all views when banner is disabled for mobile
• Check all views when banner is enabled for mobile
• Views to check:
  • auth page
  • /invitation-link/12345678 view
  • 404
  • dash timeline, meetings, tasks
  • dash team, team tasks
  • dash team drawers (manage team, agenda)
  • dash team invite dialog
  • dash meeting summary
  • org admin views
  • org admin billing drawer
  • activity library
  • activity library details
  • meeting nav
  • meeting layout
  • poker discussion drawer
  • stand-up response thread drawer
  • stand-up work drawer
  • recurring retro choose template drawer
  • retro demo

[mattkrick]

For QA, we may have a spot or 2 in the app that calculates coordinates assuming a banner doesn't exist, e.g. remotely dragged reflections & oauth popup windows. Chances are any calculation that adds a hardcoded number to innerHeight from window could be vulnerable

[ackernaut]

For QA, we may have a spot or 2 in the app that calculates coordinates assuming a banner doesn't exist, e.g. remotely dragged reflections & oauth popup windows. Chances are any calculation that adds a hardcoded number to innerHeight from window could be vulnerable

Good to know @mattkrick — if I set a height to the banner, can we add or subtract that amount to the innerHeight (have to see how it works)?

[mattkrick]

I think it'll just be a case-by-case basis, if thing look good with the banner, we're good!

[mattkrick]

it looks good! the only downfall is that this adds quite a bit of complexity to our whole app. before merging, can we make sure that there's no simpler way to do this? I think we could probably keep the logic constrained to the parent <Action/> component

[mattkrick]

-1 as we build out our app, it'd be pretty easy to forget to include this logic! Instead of making sure this is included in every child component, could we just keep it in <Action/>? We can wrap the <Switch/> with <div className={isGlobalBannerEnabled ? 'pt-6' : ''}>

[ackernaut]

Maybe, I can try this and see if layout breaks.

[ackernaut]

The problem is we have some components that use 100vh so we’d probably at least have to touch those. I can see about reducing the scope to <Action /> and any components using 100vh

[ackernaut]

This was due to auto-formatting

[ackernaut]

@mattkrick I added a wrapper around the <Switch /> in <Action /> and one around both the Banner and the inner wrapper to control sizing more consistently from a single place. I still had to apply some conditional styling to side sheets that use 100vh — still haven’t found a good way to do that since the swipeable/transition parents are generated by the library.

<div>
  <Banner />
  <div>
    <Switch/>
  </div>
</div>

[ackernaut]

Ready for additional review and testing!

[dbumblis-parabol]

I noticed if the env var does not exist then the banner still appears with no text. I think the banner should not appear unless the env var is explicitly set

[dbumblis-parabol]

Testing logic changes and smoke tested the views. LGTM! @mattkrick if things look ok to you let's ship it

[mattkrick]

in testing, i deleted this div & everything still worked OK, is there a use case where this is required?

[ackernaut]

This one allows for better control of the main height by wrapping both the banner and the main view. I think there may be one other way I could try. Let me test.

[mattkrick]

can we get rid of everything here except the pt-6? having overflow-hidden as a parent could make things difficult because that means no component will be able to use the viewport scroll

[ackernaut]

I think it was hard to control height of inner components on all the main views. In other words, I can do it on this one view and then tweak a few things here in there, or I have to go to most of the main views and adjust heights and what not. I’m not sure how much that would have to be conditional based on the GLOBAL_BANNER_ENABLED which I was trying to use less. So much of the app has to control inner scrolling. Maybe only mobile is relying on true viewport scrolling?

[ackernaut]

I’ve got something I want to try but I think we should consider moving forward and making an additional set of improvements in a later PR.

[ackernaut]

Trying to remove those new outermost containers, I run into the same problems I fixed with them, go figure. I’m not sure how to get containers to behave. We have many, many containers where we are controlling the scrolling, and we have many views that layout to fit the viewport with inner scrolling. Introducing a global banner affects all views. Not sure if or how long it will take to try to find a way to achieve the tight views without odd scrolling etc due to the banner. We could ship this as it is timely, and then maybe clean up the container later. I’ll see if I can get somewhere with another approach that plays nice with all views, but until then I think it’s shippable. Good over perfect.

[ackernaut]

@mattkrick thanks for reviewing, do I merge now or do you or @Dschoordsch have to merge?