
fix(services-bff): Disable PAR until ids resolves error #17176

Merged
merged 3 commits into from
Dec 9, 2024

Conversation

snaerth
Member

@snaerth snaerth commented Dec 9, 2024

Disable PAR in bff servers

What

Disable PAR in bff servers.

Why

Ids is not handling expired request URIs properly. This disables PAR auth on both BFF servers. This will be reverted once confident in proper error handling in PAR.

Checklist:

  • I have performed a self-review of my own code
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • Formatting passes locally with my changes
  • I have rebased against main before asking for a review

Summary by CodeRabbit

  • New Features

    • Updated configuration for Pushed Authorization Requests (PAR) support within the Backend for Frontend (BFF) setup.
  • Bug Fixes

    • Corrected the value of the BFF_PAR_SUPPORT_ENABLED property from 'true' to 'false' across multiple services.

@snaerth snaerth requested a review from a team as a code owner December 9, 2024 10:39
Contributor

coderabbitai bot commented Dec 9, 2024

Caution

Review failed

The pull request is closed.

Walkthrough

The changes in this pull request involve modifications to multiple configuration files across various services, primarily focusing on the BFF_PAR_SUPPORT_ENABLED environment variable, which is updated from 'true' to 'false' in several locations. This adjustment affects the support for Pushed Authorization Requests (PAR) within the Backend for Frontend (BFF) setup. Additionally, health check paths and resource configurations have been updated for several services, but no other logic or control flow changes are included.

Changes

| File | Change Summary |
|---|---|
| infra/src/dsl/bff.ts | Updated BFF_PAR_SUPPORT_ENABLED from 'true' to 'false' in the bffConfig function's env object. |
| charts/islandis/values.dev.yaml | Updated BFF_PAR_SUPPORT_ENABLED to 'false' in services-bff-portals-admin and services-bff-portals-my-pages. Updated health check paths. |
| charts/islandis/values.prod.yaml | Updated BFF_PAR_SUPPORT_ENABLED to 'false' in services-bff-portals-admin and services-bff-portals-my-pages. Updated health check paths and HPA settings. |
| charts/islandis/values.staging.yaml | Updated BFF_PAR_SUPPORT_ENABLED to 'false' in services-bff-portals-admin and services-bff-portals-my-pages. Standardized health checks and resource configurations. |
| charts/services/services-bff-portals-admin/values.dev.yaml | Updated BFF_PAR_SUPPORT_ENABLED from 'true' to 'false'. |
| charts/services/services-bff-portals-admin/values.prod.yaml | Updated BFF_PAR_SUPPORT_ENABLED from 'true' to 'false'. |
| charts/services/services-bff-portals-admin/values.staging.yaml | Updated BFF_PAR_SUPPORT_ENABLED from 'true' to 'false'. |
| charts/services/services-bff-portals-my-pages/values.dev.yaml | Updated BFF_PAR_SUPPORT_ENABLED from 'true' to 'false'. |
| charts/services/services-bff-portals-my-pages/values.prod.yaml | Updated BFF_PAR_SUPPORT_ENABLED from 'true' to 'false'. |
| charts/services/services-bff-portals-my-pages/values.staging.yaml | Updated BFF_PAR_SUPPORT_ENABLED from 'true' to 'false'. |
| infra/src/dsl/feature-values.spec.ts | Updated expected BFF_PAR_SUPPORT_ENABLED value from 'true' to 'false' in the test suite. |
| infra/src/dsl/portal-env.spec.ts | Updated BFF_PAR_SUPPORT_ENABLED value from 'true' to 'false' in the test case. |

Suggested labels

high priority

Suggested reviewers

  • valurefugl

📜 Recent review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 1e12ed3 and a9e90c3.

📒 Files selected for processing (11)
  • charts/islandis/values.dev.yaml (2 hunks)
  • charts/islandis/values.prod.yaml (2 hunks)
  • charts/islandis/values.staging.yaml (2 hunks)
  • charts/services/services-bff-portals-admin/values.dev.yaml (1 hunks)
  • charts/services/services-bff-portals-admin/values.prod.yaml (1 hunks)
  • charts/services/services-bff-portals-admin/values.staging.yaml (1 hunks)
  • charts/services/services-bff-portals-my-pages/values.dev.yaml (1 hunks)
  • charts/services/services-bff-portals-my-pages/values.prod.yaml (1 hunks)
  • charts/services/services-bff-portals-my-pages/values.staging.yaml (1 hunks)
  • infra/src/dsl/feature-values.spec.ts (1 hunks)
  • infra/src/dsl/portal-env.spec.ts (1 hunks)


@snaerth snaerth added the automerge Merge this PR as soon as all checks pass label Dec 9, 2024
Member

@robertaandersen robertaandersen left a comment

LGTM

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (2)
infra/src/dsl/bff.ts (2)

81-81: Add documentation for temporary PAR disable.

While the change correctly disables PAR support as intended, please add an inline comment explaining why PAR is disabled and that this is a temporary measure.

+      // Temporarily disabled PAR support due to IDS not handling expired request URIs correctly
+      // TODO: Re-enable once IDS properly handles expired request URIs
       BFF_PAR_SUPPORT_ENABLED: 'false',
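Review bot: the TODO in the suggested comment names no issue or owner, so the temporary disable can outlive its cause unnoticed; once the tracking issue proposed in the next comment exists, reference it on the TODO line, e.g. `// TODO(<tracking-issue>): Re-enable once IDS properly handles expired request URIs`, so the revert is discoverable from the code itself.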

81-81: Create a tracking issue for re-enabling PAR.

Since this is a temporary fix, we should track it to ensure PAR gets re-enabled once the IDS service properly handles expired request URIs.

Would you like me to create a GitHub issue to track the re-enabling of PAR support? The issue would include:

  • Current status and reason for disabling
  • Acceptance criteria for re-enabling
  • Links to related PRs/issues
📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between f6eea1c and 1e12ed3.

📒 Files selected for processing (1)
  • infra/src/dsl/bff.ts (1 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
infra/src/dsl/bff.ts (1)

Pattern infra/src/dsl/**/*: "Confirm that the code adheres to the following:

  • The clarity and expressiveness of the DSL syntax.
  • Integration with Helm charts and Kubernetes resources.
  • Documentation on how to use the DSL to create complex Helm values."
🔇 Additional comments (1)
infra/src/dsl/bff.ts (1)

81-81: Verify security implications of disabling PAR.

While this change addresses the immediate issue with expired request URIs, we should verify the security impact of disabling PAR authentication.

Run the following to analyze PAR usage and dependencies:

Consider implementing additional security measures while PAR is disabled:

  • Enhanced request validation
  • Additional logging for authentication flows
  • Rate limiting if not already in place
✅ Verification successful

Let me gather more specific information about PAR usage and security implications.


Let me search for OAuth and authentication flow configurations to better understand the security implications.


Based on the gathered information, I can now provide a final assessment of the PAR security implications.

Disabling PAR is acceptable with current security controls

The codebase shows that:

  1. PAR (Pushed Authorization Request) is an optional security feature, as evidenced by its configuration being toggleable
  2. The BFF (Backend-for-Frontend) maintains secure redirect URI validation through BFF_ALLOWED_REDIRECT_URIS
  3. The system still enforces OAuth flow security through whitelisted redirect URIs for each environment

While PAR adds an extra security layer by pre-registering authorization requests, its absence is mitigated by:

  • Strict redirect URI validation
  • Environment-specific URI whitelisting
  • Backend-for-Frontend architecture that handles auth flows
🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check PAR-related configurations and dependencies

# Search for PAR-related code and configurations
echo "=== PAR Usage Analysis ==="
rg -i "PAR|pushed.authorization" --type ts

# Check for security-related comments or documentation
echo "=== Security Documentation ==="
rg -i "security|auth|oauth" "README.md" || true

Length of output: 68002


Script:

#!/bin/bash
# Search for PAR-related security configurations and OAuth flows
echo "=== PAR Security Analysis ==="
rg -i "PAR.*enabled|pushed.*authorization" -B 3 -A 3 infra/src/dsl/

# Search for OAuth/auth configuration files
echo "=== OAuth Configuration Analysis ==="
fd -e ts -e js -e json "oauth|auth" infra/src/

# Search for security documentation in markdown files
echo "=== Security Documentation ==="
fd -e md . -x rg -i "PAR|pushed.*authorization|oauth.*flow"

Length of output: 23626


Script:

#!/bin/bash
# Search for OAuth and authentication flow configurations
echo "=== OAuth Flow Analysis ==="
rg -i "oauth.*flow|authentication.*flow" -B 3 -A 3 infra/src/

# Search for BFF (Backend-for-Frontend) security configurations
echo "=== BFF Security Configuration ==="
rg -i "BFF.*security|BFF.*auth" -B 3 -A 3 infra/src/

# Check for redirect URI configurations
echo "=== Redirect URI Configuration ==="
rg "BFF_ALLOWED_REDIRECT_URIS" -B 2 -A 2 infra/src/

Length of output: 1451
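The assessment above rests on strict redirect URI validation as the control that stands in while PAR is off. As an added example (not code from the island.is repository or from CodeRabbit), this shows what exact-match validation of the kind BFF_ALLOWED_REDIRECT_URIS is said to provide looks like, and why exact matching matters; the allow-list hosts, function names and verdict shape are constructed assumptions.

```typescript
// Added example, not code from the island.is repository: exact-match redirect URI
// validation. Allow-list hosts and helper names are constructed assumptions.
type Verdict = { allowed: boolean; reason: string };

// Parse with the WHATWG URL parser; relative or malformed input yields null.
function parseUrl(value: string): URL | null {
  try {
    return new URL(value);
  } catch {
    return null;
  }
}

// Exact-match policy: scheme, host, port and path must equal an allow-listed entry
// after normalization. Userinfo, fragments and queries are refused outright.
function checkRedirectUri(candidate: string, allowList: readonly string[]): Verdict {
  const url = parseUrl(candidate);
  if (url === null) return { allowed: false, reason: 'unparseable' };
  if (url.username !== '' || url.password !== '') return { allowed: false, reason: 'userinfo present' };
  if (url.hash !== '') return { allowed: false, reason: 'fragment present' };
  if (url.search !== '') return { allowed: false, reason: 'query present' };
  for (const entry of allowList) {
    const allowed = parseUrl(entry);
    if (allowed === null) continue; // a misconfigured entry never matches anything
    if (allowed.origin === url.origin && allowed.pathname === url.pathname) {
      return { allowed: true, reason: `exact match: ${entry}` };
    }
  }
  return { allowed: false, reason: 'no exact match' };
}

function isAllowedRedirectUri(candidate: string, allowList: readonly string[]): boolean {
  return checkRedirectUri(candidate, allowList).allowed;
}

// Constructed allow-list with placeholder hosts, not the project's real values.
const SAMPLE_ALLOW_LIST: readonly string[] = [
  'https://portal.example.test/callback',
  'https://admin.example.test/bff/callback',
];

// Constructed candidates a BFF callback handler might be asked to honour.
const SAMPLE_RESULTS = [
  'https://portal.example.test/callback',            // allowed: exact match
  'HTTPS://PORTAL.EXAMPLE.TEST:443/callback',        // allowed: case and default port normalize away
  'https://portal.example.test/callback/',           // rejected: trailing slash differs
  'https://portal.example.test.other.test/callback', // rejected: host suffix differs
  'https://portal.example.test@other.test/callback', // rejected: userinfo hides the real host
  'https://portal.example.test/callback/../admin',   // rejected: path normalizes to /admin
].map((uri) => ({ uri, ...checkRedirectUri(uri, SAMPLE_ALLOW_LIST) }));
```

Prefix or substring matching would accept four of the six sample candidates; exact matching after normalization accepts only the first two.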

@kodiakhq kodiakhq bot merged commit e87eb22 into main Dec 9, 2024
30 of 31 checks passed
@kodiakhq kodiakhq bot deleted the bff-disable-par branch December 9, 2024 11:05
thorhildurt pushed a commit that referenced this pull request Dec 11, 2024
* fix(services-bff): Disable PAR until ids resolves error

* fix tests

* chore: charts update dirty files

---------

Co-authored-by: andes-it <builders@andes.is>