Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Validate client IDs before applying them #17426

Merged
merged 3 commits into from
Nov 7, 2024
Merged

Validate client IDs before applying them #17426

merged 3 commits into from
Nov 7, 2024

Conversation

kjac
Copy link
Contributor

@kjac kjac commented Nov 5, 2024
edited
Loading

Prerequisites

  • I have added steps to test this contribution in the description below

Description

OpenId Connect Client IDs should only be made up of "unreserved characters" - that is, [a-z], [A-Z], [0-9] and [-._~] (see https://en.wikipedia.org/wiki/Percent-encoding).

The back-office client already limits the Client ID input to alphanumerical chars and dash, but of course the API also needs a validation - and that's what this PR adds 😄

Testing this PR

You'll need to use Swagger to test this, due to the above-mentioned restrictions in the back-office.

  1. It should be possible to create Client IDs for API Users which consists of valid chars.
  2. It should not be possible to create Client IDs for API Users containing one or more invalid chars.

@kjac kjac marked this pull request as ready for review November 6, 2024 06:58
Zeegaan
Zeegaan approved these changes Nov 6, 2024
View reviewed changes
Copy link
Member

@Zeegaan Zeegaan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Took the liberty of adding a reponse for the operation result 😁
Looks good, tests good 🚀

Copilot
Copilot AI reviewed Nov 6, 2024
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot reviewed 5 out of 6 changed files in this pull request and generated 1 suggestion.

Files not reviewed (1)
  • src/Umbraco.Infrastructure/Security/BackOfficeUserClientCredentialsManager.cs: Evaluated as low risk

...Cms.Api.Management/Controllers/User/ClientCredentials/ClientCredentialsUserControllerBase.cs Outdated Show resolved Hide resolved
@Zeegaan @Copilot
Update src/Umbraco.Cms.Api.Management/Controllers/User/ClientCredenti…
2e2f10f 
…als/ClientCredentialsUserControllerBase.cs

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@Zeegaan Zeegaan merged commit 669c585 into release/15.0 Nov 7, 2024
13 of 15 checks passed
@Zeegaan Zeegaan deleted the v15/fix/validate-client-ids branch November 7, 2024 09:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot Copilot left review comments

@nul800sebastiaan nul800sebastiaan nul800sebastiaan left review comments

@Zeegaan Zeegaan Zeegaan approved these changes

Assignees
No one assigned
Labels
release/15.0.0-rc4
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@kjac @nul800sebastiaan @Zeegaan