fix: remove credentials for file uploads

[pablohashescobar]

Description

Remove withCredentials from file uploads service in web and space.

Summary by CodeRabbit

• New Features

  • Introduced a new option for handling credentials during file uploads, enhancing control over cross-origin requests.

• Bug Fixes

  • Adjusted the file upload process to ensure consistent behavior regarding credential management.

[coderabbitai]

Walkthrough

The changes involve modifications to the FileUploadService class in two service files, specifically adding a withCredentials property set to false in the uploadFile method's configuration object. This adjustment impacts how credentials are managed during file uploads, particularly affecting cross-origin requests. No other changes were made to the logic or public entity declarations within the class.

Changes

File Path	Change Summary
space/core/services/file-upload.service.ts, web/core/services/file-upload.service.ts	Added withCredentials property set to false in the uploadFile method's configuration object.

Possibly related PRs

• [WEB-2415] fix:remove input type to fix image upload #5563: The changes in this PR involve modifications to input handling in image upload components, which may relate to the overall file upload process, similar to the changes made in the FileUploadService class regarding file uploads.

Suggested labels

🐛bug, 🌐frontend

Suggested reviewers

• sriramveeraghanta
• SatishGandham

🐇 In the meadow, files take flight,
With credentials set to light,
Uploads now dance, swift and free,
A change so small, yet key to me.
Hops of joy, we celebrate,
For smoother paths, we elevate! 🌼

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (2)

space/core/services/file-upload.service.ts (1)

Line range hint 1-35: Suggestions for improved error handling and type safety

While the main change looks good, here are some suggestions to further improve the code:

1. Error Handling: Consider enhancing the error handling to provide more specific error messages or to handle different types of errors separately. This could improve debugging and user feedback.

2. Type Safety: Replace the any type for cancelSource with a more specific type from axios. This will improve type safety and make the code more robust.

Here's a suggested implementation:

import axios, { CancelTokenSource } from "axios";
// services
import { APIService } from "@/services/api.service";

export class FileUploadService extends APIService {
  private cancelSource: CancelTokenSource;

  constructor() {
    super("");
  }

  async uploadFile(url: string, data: FormData): Promise<any> {
    this.cancelSource = axios.CancelToken.source();
    try {
      const response = await this.post(url, data, {
        headers: {
          "Content-Type": "multipart/form-data",
        },
        cancelToken: this.cancelSource.token,
        withCredentials: false,
      });
      return response?.data;
    } catch (error) {
      if (axios.isCancel(error)) {
        console.log("Upload canceled:", error.message);
        // You might want to throw a custom error or handle this case differently
        throw new Error("Upload canceled by user");
      } else if (axios.isAxiosError(error)) {
        console.error("Upload failed:", error.response?.data || error.message);
        throw error.response?.data || error;
      } else {
        console.error("Unexpected error during upload:", error);
        throw error;
      }
    }
  }

  cancelUpload() {
    if (this.cancelSource) {
      this.cancelSource.cancel("Upload canceled by user");
    }
  }
}

These changes will make the code more robust and easier to maintain.

web/core/services/file-upload.service.ts (1)

Line range hint 1-35: Suggestions for code improvements

While not directly related to the current change, here are some suggestions to improve the overall code quality:

1. Improve type safety by replacing any with a more specific type for cancelSource:

   private cancelSource: CancelTokenSource;

   You'll need to import CancelTokenSource from axios.

2. Consider using async/await instead of promise chains for better readability:

   async uploadFile(url: string, data: FormData): Promise<any> {
     this.cancelSource = axios.CancelToken.source();
     try {
       const response = await this.post(url, data, {
         headers: {
           "Content-Type": "multipart/form-data",
         },
         cancelToken: this.cancelSource.token,
         withCredentials: false,
       });
       return response?.data;
     } catch (error) {
       if (axios.isCancel(error)) {
         console.log(error.message);
         return;
       }
       throw error?.response?.data;
     }
   }

3. Consider adding more specific error handling for different types of errors that might occur during file upload.

Would you like me to implement these changes?

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between db91942 and 46325f1.

📒 Files selected for processing (2)

• space/core/services/file-upload.service.ts (1 hunks)
• web/core/services/file-upload.service.ts (1 hunks)

🧰 Additional context used

🔇 Additional comments (2)

space/core/services/file-upload.service.ts (1)

19-19: Verify the impact of disabling credentials for file uploads

The addition of withCredentials: false aligns with the PR objective to remove credentials for file uploads. This change enhances security by preventing the browser from sending credentials like cookies, authorization headers, or TLS client certificates with the request.

However, we should consider the following:

1. Ensure this change is consistent across the codebase, particularly in the web component mentioned in the PR objectives.
2. Verify that this modification doesn't break any existing functionality that might have relied on credentials being sent with file uploads.
3. Test the file upload functionality thoroughly, especially for cross-origin requests, to confirm that it still works as expected.

To ensure consistency and identify potential issues, run the following script:

✅ Verification successful

Verification Successful: withCredentials correctly set to false for file uploads

The addition of withCredentials: false in space/core/services/file-upload.service.ts ensures that credentials are not sent with file upload requests, aligning with the PR's objective to enhance security. All other API services that require authentication continue to have withCredentials: true, maintaining necessary functionality.

No inconsistencies or issues were found regarding credential handling in file uploads.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for other instances of file upload configurations and verify consistency

# Search for file upload related code in TypeScript and JavaScript files
echo "Searching for file upload configurations:"
rg --type-add 'web:*.{ts,js}' --type web -i '(upload.*file|file.*upload)' -A 5 -B 5

# Search for withCredentials configurations
echo "Searching for withCredentials configurations:"
rg --type-add 'web:*.{ts,js}' --type web 'withCredentials'

# Search for potential CORS configurations that might be affected
echo "Searching for CORS configurations:"
rg --type-add 'web:*.{ts,js}' --type web '(cors|cross.?origin)'

Length of output: 46997

web/core/services/file-upload.service.ts (1)

19-19: Approve the change with considerations

The addition of withCredentials: false aligns with the PR objective to remove credentials for file uploads. This change enhances security by preventing the browser from sending credentials like cookies with the request, which is generally a good practice for file upload endpoints.

However, consider the following points:

1. Ensure this change is consistent across all file upload services in the codebase.
2. Verify that the server-side is updated to handle requests without credentials, if necessary.
3. Test thoroughly to confirm that file uploads still function correctly without credentials.
4. Update any documentation that might reference the previous behavior.

To ensure consistency, let's check for other instances of file upload services: