Auth: Add input validation for instance URL #3156
vscode/src/services/AuthProvider.ts
@@ -31,6 +31,9 @@ import { telemetryRecorder } from './telemetry-v2' | |||
type Listener = (authStatus: AuthStatus) => void | |||
type Unsubscribe = () => void | |||
|
|||
const sourcegraphTokenRegex = /sgp_[a-zA-Z0-9]+_[a-zA-Z0-9]+/ |
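Review bot: `sourcegraphTokenRegex` on the added line only recognizes the `sgp_<part>_<part>` shape, so a token in an older format would pass any check built on it; either extend the pattern to the other formats the auth flow accepts or add a comment stating that only new-format tokens are detected. A short comment on what the constant guards against (a token pasted into the instance-URL field) would also help, since the name alone does not explain why a URL provider needs a token regex, and the unanchored pattern means `.test()` flags a token appearing anywhere in the input, which is worth stating as intended.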
@abeatrix this does not look to be catching the old format. Does everyone use the new token format only? Can we include the ones from this list? cc: @willdollman @shivasurya
@dcomas @willdollman @shivasurya Thanks for the link! Would it be safe to assume anything without a `.` in the URL is an invalid URL?
Broadly no (e.g. http://localhost) and slight concern that some edge case customer will have a crazy dns setup that this would break.
What about ensuring the url matches this: `([.]|^https?:\/\/)`
Matches anything containing a dot or anything starting with https?://
Matches:
https://sourcegraph.com
http://localhost
sourcegraph.com
http://customersourcegraph
Doesn't match:
sgp_abcd_foobar
sgp_abcd
sgp_foobar
foobar
I'm making the assumption that we automatically add the missing https:// if a user enters a url without a prefix (sourcegraph.com)
(what Will is proposing) LGTM 👍
> I'm making the assumption that we automatically add the missing https:// if a user enters a url without a prefix (sourcegraph.com)

@willdollman yeah I added the check before we add the `https://` prefix:
cody/vscode/src/services/AuthProvider.ts, lines 463 to 465 in 7711472:

```ts
if (!uri.startsWith('http')) {
    uri = `https://${uri}`
}
```
But that's a good callout, I'll make sure to include those cases
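Putting Will's proposed pattern together with the ordering abeatrix describes (token check first, then the `https://` prefix), as an added example that is not the PR's own code: `validateInstanceUrl` and `sanitizeStoredEndpoint` are hypothetical names, and the older token formats raised in review are not modelled, only the `sgp_` shape from the diff.

```typescript
// Added example, not code from the cody repository. Names below are hypothetical.
// Only the sgp_<part>_<part> token shape from the diff is modelled; the older
// token formats raised in review are not.

// Pattern from the PR diff: a new-format Sourcegraph access token.
const sourcegraphTokenRegex = /sgp_[a-zA-Z0-9]+_[a-zA-Z0-9]+/

// Pattern proposed in review: a dot anywhere, or an explicit http(s):// scheme.
const looksLikeUrlRegex = /([.]|^https?:\/\/)/

// Stricter than the snippet's `uri.startsWith('http')`: require a real scheme,
// so a bare host such as `httpbin.org` still gets the https:// prefix.
const hasSchemeRegex = /^https?:\/\//

interface UrlCheck {
    ok: boolean
    url: string | null    // normalised URL when ok
    reason: string | null // 'token' or 'not-a-url' when rejected
}

// Validate a user-typed instance URL in the order the thread settles on:
// 1. reject anything containing a token, before any prefixing,
// 2. reject anything that neither contains a dot nor starts with http(s)://,
// 3. only then add the missing https:// prefix.
function validateInstanceUrl(input: string): UrlCheck {
    const uri = input.trim()
    if (sourcegraphTokenRegex.test(uri)) {
        return { ok: false, url: null, reason: 'token' }
    }
    if (!looksLikeUrlRegex.test(uri)) {
        // Also catches partial tokens like `sgp_abcd` that the token regex misses.
        return { ok: false, url: null, reason: 'not-a-url' }
    }
    const url = hasSchemeRegex.test(uri) ? uri : `https://${uri}`
    return { ok: true, url, reason: null }
}

// Mirrors the LocalStorageProvider change in the PR: an endpoint saved before
// this validation existed may itself be a token, so it is dropped (null) rather
// than handed to the auth flow.
function sanitizeStoredEndpoint(stored: string | null): string | null {
    if (stored === null || sourcegraphTokenRegex.test(stored)) {
        return null
    }
    return stored
}
```

The second check is what makes the layering useful: `sgp_abcd` and `sgp_foobar` slip past the token regex but are still rejected because they neither contain a dot nor carry a scheme.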
Validating new tokens lgtm - thanks! @abeatrix are you able to also validate that if a user already has a token saved in local storage as the endpoint, will this update result in the token being purged? I see it will purge via
@willdollman we call the auth function when we first get the stored endpoint from the local storage, and then first thing we do in the auth function is to run the
Yep looks good! My concern was whether the bad endpoint is (eventually) removed from local storage and I see in
lgtm. Thank you for the quick work on this! 🙏
This commit adds validation for sourcegraph tokens in the AuthMenus and AuthProvider files. The showInstanceURLInputBox function in AuthMenus now checks if the user is entering a token as a URL and displays an error message if so. Similarly, the formatURL function in AuthProvider now throws an error if the URI is a sourcegraph token, and returns `null`. Additionally, the LocalStorageProvider file now ignores and clears the last used endpoint if the provided endpoint is a sourcegraph token.

![image](https://github.com/sourcegraph/cody/assets/68532117/c77005be-edd9-4018-9c42-4655baff2782)

Update placeholder value for URL to always start with `https://` to make it clear that the field is for URL input:

![image](https://github.com/sourcegraph/cody/assets/68532117/cea4f78a-d39e-4819-bc97-a59f6af4c369)

## Test plan

Screen.Recording.2024-02-13.at.8.57.40.AM.mov: https://github.com/sourcegraph/cody/assets/68532117/9d44427a-3b8b-4c35-812d-aa5b22120d6d