feat: admin api v1 - create url #2213
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
disKeith
changed the title
There was a problem hiding this comment.
mostly lgtm, thanks a lot for this!!
regarding an open question from before on whether this should or shouldn't be external API v2: after considering it more, I think I'd still somewhat (but not strongly) be in favour of it being admin API v1 instead. the functionality provided in this PR to create links under anyone else's account is not just equivalent to creating a link under your own account and then transferring it to someone else's, but involves possibly creating an entirely new account for that someone; plus, their email address need not even be whitelisted! perhaps it's a matter of personal opinion and risk tolerance, but to me this might just be too much power to give to just any public officer who can access Go?
plus, if we're not 100% confident that v2 should be released not just to specific admin users but rolled out to all ordinary public officers (like in v1), then it appears to me that by default they should be kept separate -- if v1 and v2 cater to different groups of people with different permissions and powers, they seem different enough to warrant separating this one out as an admin-only API. documentation-wise, labelling it as a new 'version' might also be misleading, as it implies to our current external API v1 users that there's a new version that they can upgrade to, when in fact it's exclusive to only certain privileged parties like Forms
disKeith
changed the title
| API_ADMIN_V1_URLS, | ||
| { longUrl }, | ||
| undefined, | ||
| 'this-is-an-invalid-api-key', |
Check failure
Code scanning / CodeQL
Hard-coded credentials
There was a problem hiding this comment.
LGTM, great work pushing out such a large feature 🔥 let's test it on staging sometime as we prepare it for prod release!
Some deploy notes:
- Before deployment: set
ADMIN_API_EMAILSon gov/edu/health staging - Before deployment: set
ADMIN_API_EMAILSon gov/edu/health prod - After deployment: remove
ADMIN_API_EMAILon gov/edu/health staging - After deployment: remove
ADMIN_API_EMAILon gov/edu/health prod
src/server/modules/api/admin-v1/__tests__/AdminApiV1Controller.test.ts
Outdated
Show resolved
Hide resolved
* fix: package.json & package-lock.json to reduce vulnerabilities (#2207) The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-XML2JS-5414874 * feat: allow zip files and block password-protected files (#2203) * feat: admin api v1 - create url (#2213) * feat: api v2 endpoint and update admin auth middleware * chore: add and handle external user creation * chore: rename admin api env variable * chore: api v2 unit testing * chore: add integration tests * chore: update test api key string * chore: update unauthorized user error * chore: undo conditional user creation * chore: update admin email env var parsing * chore: port to admin api v1 and update unit and integration tests * chore: remove external user type and add domain validation error msg * chore: remainder port from v2 to admin v1 * chore: add missing return in external v1 * fix: ownership transfer condition and tests * chore: move api structure and update tests * chore: update readme * chore: add email domain validation to schema * chore: fix error type for generic errors * chore: undo types from external v1 * 1.76.0 --------- Co-authored-by: halfwhole <41856541+halfwhole@users.noreply.github.com> Co-authored-by: Snyk bot <snyk-bot@snyk.io>
Problem
This PR closes APIs for Forms to create shortlinks
Solution
This PR implements a new endpoint
{{host}}/api/v1/admin/urlswhich is allows for whitelisted emails defined inADMIN_API_EMAILSto call the endpoint to create new short URLs and transfer its ownership to a provided email address.Features:
Added new route to
{{host}}/api/v1/admin/urlsthat usesapiKeyAdminAuthMiddlewarefor authenticationapiKeyAdminAuthMiddlewareto throwjsonMessageif api key is unauthorizedemailattribute on top of existing validationsAdded
AdminApiV1Controllerthat handles POST requests withshortUrl,longUrl, andemailattributes in the JSON bodycreateUrlmethod to find or create a new user withemailprovided, then creates a new link with the authenticated user before transferring ownership to the parsedemail.Improvements:
Renamed
ADMIN_API_EMAILenv variable toADMIN_API_EMAILSto reflect its use to white list multiple emailsintegration-test-admin@open.gov.sgto the white list for integration testsUpdated
isAdminmethod inApiKeyAuthServiceto handle multiple white listed emailsTests
Unit Test Cases
Integration Test
createIntegrationTestAdminUserto create a new integration test admin user which is using the definedintegration-test-admin@open.gov.sgemail