Export Via Key Functionality #155
Conversation
|
Hey y'all! A deployment of this PR can be found here: |
server/common.ts
Outdated
| }); | ||
| } else { | ||
| let userKey = request.params.exportKey; | ||
| console.log("Yasss", userKey, exportKey); |
There was a problem hiding this comment.
Can you please remove this console.log?
server/routes/templates.ts
Outdated
| @@ -133,7 +133,8 @@ templateRoutes.route("/").get(authenticateWithRedirect, async (request, response | |||
| user: request.user, | |||
| settings: { | |||
| teamsEnabled: await getSetting<boolean>("teamsEnabled"), | |||
| qrEnabled: await getSetting<boolean>("qrEnabled") | |||
| qrEnabled: await getSetting<boolean>("qrEnabled"), | |||
| exportKey: await getSetting<string>("exportKey") | |||
There was a problem hiding this comment.
Why is the export key being sent to the template engine for routes that don't need it?
petschekr
added
enhancement
|
@petschekr implemented your changes, lmk if I need anything else. There are some conflicts with master; I'll resolve those once everything looks good to you |
server/common.ts
Outdated
| @@ -306,7 +306,7 @@ export async function setDefaultSettings() { | |||
| "confirmationClose": new Date(), | |||
| "teamsEnabled": true, | |||
| "qrEnabled": true, | |||
| "exportKey": "", | |||
| "exportKey": crypto.randomBytes(16).toString('hex'), | |||
|
Other than that this looks ready to merge once Andrew's dumpster fire is extinguished and you can fix any merge conflicts that probably cropped up |
|
@petschekr just added double quotes @illegalprime can you take a look over this when you're free Lmk when Andrew's stuff gets sorted out and I'll fix merge conflicts. |
client/js/admin.ts
Outdated
| @@ -473,6 +473,9 @@ settingsUpdateButton.addEventListener("click", e => { | |||
| let qrEnabledData = new FormData(); | |||
| qrEnabledData.append("enabled", (document.getElementById("qr-enabled") as HTMLInputElement).checked ? "true" : "false"); | |||
|
|
|||
| let exportKeyData = new FormData(); | |||
| exportKeyData.append("key", (document.getElementById("export-key") as HTMLInputElement).value); | |||
server/common.ts
Outdated
| @@ -306,6 +306,7 @@ export async function setDefaultSettings() { | |||
| "confirmationClose": new Date(), | |||
| "teamsEnabled": true, | |||
| "qrEnabled": true, | |||
| "exportKey": crypto.randomBytes(16).toString("hex"), | |||
There was a problem hiding this comment.
best expressed as a configuration option (so you can set an env var or file with this key on multiple instances).
I think we should eventually merge settings + configuration, what do you think @petschekr ?
There was a problem hiding this comment.
@illegalprime I figured this might be better as a setting, since we wouldn't have to restart the server to change the key
|
@illegalprime @petschekr just merged with Andrew's code |
|
@mjkaufer didn't read the summary of your PR, but we have cas auth hooked up right now! We can communicate in a better way than pushing CSVs back n' forth. |
|
I also think that the right way to do this is to provide APIs that check-in can use to:
|
|
BTW: We're thinking of doing it through GraphQL for all our services, but now these patent issues have made me uneasy: graphql/graphql-spec#351 ... |
illegalprime
force-pushed
the
export-to-checkin
branch
2 times, most recently
from
b02f404 to
8f6175c
Compare
|
I changed it to just be a |
server/middleware.ts
Outdated
| @@ -73,7 +73,10 @@ export function isUserOrAdmin(request: express.Request, response: express.Respon | |||
| export function isAdmin(request: express.Request, response: express.Response, next: express.NextFunction) { | |||
| response.setHeader("Cache-Control", "private"); | |||
| let user = request.user as IUser; | |||
| if (!request.isAuthenticated()) { | |||
| if (request.query.adminKey === config.secrets.adminKey) { | |||
There was a problem hiding this comment.
Are you sure you want this admin-level access information in a query string? It may be behind HTTPS but will probably appear in server logs / history logs. A cookie or Authorization header might be better.
|
@petschekr changed it to a header |
server/middleware.ts
Outdated
| const auth = request.headers.authorization; | ||
|
|
||
| if (auth && typeof auth === "string") { | ||
| const key = new Buffer(auth.split(" ")[1], "base64").toString(); |
There was a problem hiding this comment.
This will crash the server if the Authorization header doesn't have a space in it due to it indexing an array of length 0 or 1
… random exportKey by default
petschekr
force-pushed
the
export-to-checkin
branch
from
8b3d038 to
79bf69b
Compare
To prepare for the integration between checkin and registration, I've added a configurable
exportKeyparameter and a route at/api/user/all/export/:exportKey. Since we don't have CAS hooked up right now, we need some alternate way to tell registration that checkin is allowed to fetch data from it. You can configure the key from the registration admin settings.After this is merged, I'll add functionality in checkin to request this endpoint with a configurable key, so we can programmatically import the zip file into checkin.