| GitGuardian id | GitGuardian status | Secret | Commit | Filename |
|---|---|---|---|---|
| 25710850 | Triggered | Generic High Entropy Secret | 8fb61c2 | api/manifest.json |
| 25710851 | Triggered | Generic High Entropy Secret | 8fb61c2 | app.json |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secret safely. Learn here the best practices.
- Revoke and rotate this secret.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future, consider:
- following these best practices for managing and storing secrets, including API keys and other credentials
- installing secret detection on pre-commit to catch secrets before they leave your machine and ease remediation.
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
Pull request overview
This PR adds SSO/OAuth-based login support and a backend logout API, plus scripts/config to set up an OAuth app and integrate bearer-token authentication across multiple API calls.
Changes:
- Add UI SSO login flow (app-config fetch + SSO status polling) and backend endpoints for app-config, OAuth callback, SSO status, and logout.
- Add setup tooling (build script + migration utility) and introduce app/manifest JSON artifacts for OAuth configuration.
- Update multiple backend services to support both Basic (authtoken) and SSO (Bearer access_token) authentication headers.
Reviewed changes
Copilot reviewed 28 out of 30 changed files in this pull request and generated 25 comments.
| File | Description |
|---|---|
| upload-api/src/config/index.ts | Updates default CMS type and local path defaults. |
| ui/src/services/api/login.service.ts | Adds API wrappers for app-config, SSO status, and logout. |
| ui/src/pages/Login/index.tsx | Implements SSO login UX and polling-based completion flow. |
| ui/src/pages/Login/index.scss | Adds SSO button styling and new utility-like classes. |
| ui/src/components/ProfileHeader/index.tsx | Calls backend logout before clearing local storage; adds “Logging out…” UI state. |
| build.sh | New interactive setup script for region selection, OAuth login, redirect_uri update, and migration run. |
| app.json | New OAuth/app configuration file (currently committed). |
| api/sso.utils.js | New migration utility to create/update app and generate app.json with OAuth/PKCE data. |
| api/src/utils/config-handler.util.ts | New helpers to write BASIC/OAUTH auth settings into CLI config. |
| api/src/utils/auth.utils.ts | Adds access-token getters and app.json-derived org/app config helpers. |
| api/src/services/user.service.ts | Adds SSO-aware user profile fetching and org membership checks. |
| api/src/services/taxonomy.service.ts | Switches request auth header to Bearer when access_token exists. |
| api/src/services/runCli.service.ts | Switches CLI auth setup between BASIC and OAUTH based on stored tokens. |
| api/src/services/projects.service.ts | Adds isSSO project flag and uses Bearer/authtoken accordingly in stack calls. |
| api/src/services/org.service.ts | Adds Bearer/authtoken header selection for org/stack/locale endpoints. |
| api/src/services/migration.service.ts | Adds Bearer/authtoken header selection for test stack create/delete. |
| api/src/services/marketplace.service.ts | Updates app manifest creation logic to support Bearer token. |
| api/src/services/globalField.service.ts | Updates global field requests to support Bearer token. |
| api/src/services/contentMapper.service.ts | Updates content type requests to support Bearer token. |
| api/src/services/auth.service.ts | Adds logout, OAuth callback token exchange, refresh token support, and SSO status logic. |
| api/src/routes/auth.routes.ts | Exposes new routes for save-token, app-config, sso-status, and logout. |
| api/src/models/types.ts | Extends JWT payload with is_sso and adds RefreshTokenResponse type. |
| api/src/models/authentication.ts | Extends auth DB schema typing to include access_token. |
| api/src/controllers/auth.controller.ts | Adds controllers for OAuth callback, app-config, SSO status, and logout. |
| api/src/constants/index.ts | Adds token endpoint + regional host mappings for OAuth flows. |
| api/package.json | Removes type: module; bumps axios; adds @types/express-session. |
| api/package-lock.json | Locks axios bump and adds express-session types; large dependency churn. |
| api/manifest.json | New app manifest containing OAuth client credentials (currently committed). |
| .talismanrc | Adds new ignore entries (currently duplicated blocks). |
| .gitignore | Adds app.json to ignores (but app.json is currently committed in this PR). |
Files not reviewed (1)
- api/package-lock.json: Language not supported
| { | ||
| "timestamp": "2026-01-09T08:35:28.575Z", | ||
| "region": { | ||
| "key": "NA", | ||
| "name": "North America", | ||
| "endpoints": { | ||
| "name": "North America", | ||
| "cma": "https://api.contentstack.io", | ||
| "cda": "https://cdn.contentstack.io", | ||
| "app": "https://app.contentstack.com", | ||
| "developerHub": "https://developerhub-api.contentstack.com", | ||
| "personalize": "https://personalize-api.contentstack.com", | ||
| "launch": "https://launch-api.contentstack.com" | ||
| } | ||
| }, | ||
| "user": { | ||
| "email": "shobhit.upadhyay@contentstack.com", | ||
| "uid": "bltf56d4d5438c9db89" | ||
| }, | ||
| "organization": { | ||
| "name": "TSO Playground", | ||
| "uid": "blt364e72a5e260a11d" | ||
| }, | ||
| "app": { | ||
| "name": "Migration Tool", | ||
| "uid": "689ad8516e9f420012a72fce", | ||
| "manifest": "Migration Tool" | ||
| }, | ||
| "oauthData": { | ||
| "client_id": "AAOuqJu_1z5wFLwM", | ||
| "client_secret": "11S3mkDtBukROD7x58CvLKV87P9fyIyf", | ||
| "redirect_uri": "http://localhost:5001/v2/auth/save-token", | ||
| "user_token_config": { |
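Review bot: Adding app.json to .gitignore in this same PR does not untrack it; the file is already committed (GitGuardian flags it at 8fb61c2 above), so it has to be removed from the index, and the client_secret shown here, together with the user email and uid the file carries, must be treated as disclosed: revoke and reissue the OAuth client rather than relying on a history rewrite.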
This file contains sensitive data (OAuth client_secret, PKCE code_verifier, and a real user email) and is now committed to the repo. It should not be checked in; instead provide an app.json.template (without secrets/PII) and generate the real app.json locally at setup/runtime.
| "icon": "", | ||
| "oauth": { | ||
| "client_id": "xJek_yZraa_HbU8v", | ||
| "client_secret": "LoTjFkVJakE9pGXXcS_nQQAJTEVlen9E", |
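Review bot: This client_secret belongs to a different OAuth client (client_id xJek_yZraa_HbU8v) than the one in app.json (AAOuqJu_1z5wFLwM), so two credentials are exposed by this PR and both need revoking; adding manifest.json to api/.gitignore, as one of the commits below does, leaves this already-committed copy in the tree.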
api/manifest.json includes OAuth client_secret. Committing client secrets is unsafe; move secrets to environment variables or a local-only config generated during setup, and keep only non-secret metadata in the repository.
| /** | ||
| * @route GET /api/app-config | ||
| * @desc Get app configuration from app.json | ||
| * @access Public | ||
| */ | ||
| router.get('/app-config', authController.getAppConfigHandler); | ||
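Review bot: The JSDoc says `@route GET /api/app-config`, but the neighbouring routes in this file are documented under `/v2/auth/...` and app.json's redirect_uri is `http://localhost:5001/v2/auth/save-token`, so the documented path does not match where this router is mounted; fix the comment so the `@route` lines stay consistent across the file.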
This route returns the contents of app.json via the controller, which includes OAuth client_secret/PKCE verifier. Exposing that to the UI (and making the route public) is a credential leak. Return a redacted/safe subset (e.g., authUrl, region key, isDefault) and protect the endpoint appropriately.
| /** | ||
| * @route GET /v2/auth/sso-status/:userId | ||
| * @desc Check SSO authentication status for a user | ||
| * @param userId - The user ID to check authentication status for | ||
| * @access Public | ||
| */ | ||
| router.get('/sso-status/:userId', authController.getSSOAuthStatus); | ||
The SSO status endpoint is marked public and can return an app_token when authenticated. Without binding to the initiating browser session (e.g., via an unguessable nonce/state), anyone who knows/guesses a userId could poll and obtain an auth token. This endpoint should require authentication or use a one-time, session-bound token instead of userId.
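One way to bind the status poll to the browser that started the login, as an added example in TypeScript (not code from this PR; the `SsoStatusStore` class, its method names and the in-memory Map are assumptions, and a real deployment would back it with whatever store the OAuth callback already uses):

```typescript
// Added example, not code from this PR: a session-bound SSO completion store.
// The browser gets an unguessable nonce when it starts SSO (carried as the OAuth
// `state`), the callback deposits the app token under it, and the status poll hands
// the token out exactly once, so knowing a userId is not enough to obtain a token.
import { randomBytes } from "crypto";

type Pending = { createdAt: number; appToken?: string };
export type PollResult =
  | { status: "pending" }
  | { status: "expired" }
  | { status: "ok"; appToken: string };
export class SsoStatusStore {
  private pending = new Map<string, Pending>();
  // ttlMs bounds how long a login may stay half-finished; `now` is injectable for tests.
  constructor(private ttlMs = 5 * 60 * 1000, private now: () => number = Date.now) {}

  // Step 1 (UI starts SSO): mint a 256-bit nonce and remember it server-side.
  begin(): string {
    const nonce = randomBytes(32).toString("hex");
    this.pending.set(nonce, { createdAt: this.now() });
    return nonce;
  }

  // Step 2 (OAuth callback, after the code exchange): attach the token to the nonce.
  // An unknown or expired nonce is refused, so a forged callback cannot create state.
  complete(nonce: string, appToken: string): boolean {
    const entry = this.live(nonce);
    if (!entry) return false;
    entry.appToken = appToken;
    return true;
  }

  // Step 3 (status poll): one-shot read. The entry is deleted on success, so a replayed
  // or guessed nonce gets "expired" rather than a second copy of the token.
  poll(nonce: string): PollResult {
    const entry = this.live(nonce);
    if (!entry) return { status: "expired" };
    if (entry.appToken === undefined) return { status: "pending" };
    this.pending.delete(nonce);
    return { status: "ok", appToken: entry.appToken };
  }

  // Returns the entry only if it exists and is within the TTL; drops it otherwise.
  private live(nonce: string): Pending | undefined {
    const entry = this.pending.get(nonce);
    if (entry && this.now() - entry.createdAt <= this.ttlMs) return entry;
    this.pending.delete(nonce);
    return undefined;
  }
}
```

The route would then be `GET /sso-status/:nonce` with the nonce issued by the server at login start, not a caller-supplied userId.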
| /** | ||
| * @route POST /v2/auth/logout | ||
| * @desc Log out a user | ||
| * @access Public | ||
| */ | ||
| router.post('/logout', authController.logout); |
The logout endpoint is public and identifies the user by email in the request body. This allows anyone to log out (and delete auth records for) any email address. Require a valid app token/JWT and derive the user identity from it instead of trusting an arbitrary email.
| token_payload?.region, | ||
| token_payload?.user_id | ||
| ); | ||
| let headers: any = {} |
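Review bot: `headers: any` throws away type checking on exactly the object that now selects between the Bearer access_token and authtoken headers; a `Record<string, string>` (or a small named header type) would let the compiler catch a misspelt header key. The same applies to the `headers` declarations in the four hunks that follow.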
Avoid automated semicolon insertion (92% of all statements in the enclosing function have an explicit semicolon).
| let headers: any = {} | |
| let headers: any = {}; |
| try { | ||
| let headers: any = { | ||
| organization_uid: orgId, | ||
| } |
Avoid automated semicolon insertion (96% of all statements in the enclosing function have an explicit semicolon).
| } | |
| }; |
| try { | ||
| let headers: any = { | ||
| api_key: stack_key, | ||
| } |
Avoid automated semicolon insertion (94% of all statements in the enclosing function have an explicit semicolon).
| } | |
| }; |
| await fs.promises.mkdir(taxonomiesPath, { recursive: true }); | ||
| let headers: any = { | ||
| api_key : stackId, | ||
| } |
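Review bot: `api_key : stackId` has a space before the colon, unlike `api_key: stack_key` and `organization_uid: orgId` in the neighbouring hunks; run the formatter on this line along with the semicolon fix.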
Avoid automated semicolon insertion (96% of all statements in the enclosing function have an explicit semicolon).
| } | |
| }; |
| const project = ProjectModelLowdb.data.projects[projectIndex]; | ||
| const headers :any = { | ||
| organization_uid: orgId, | ||
| } |
Avoid automated semicolon insertion (95% of all statements in the enclosing function have an explicit semicolon).
| } | |
| }; |
- Introduced a new build.sh script for region selection and OAuth login.
- Added app.json to .gitignore and included manifest.json in API .gitignore.
- Updated package dependencies for improved functionality.
- Implemented saveOAuthToken endpoint for secure token handling.
- Enhanced region configuration and API host management in constants.
- Added error handling and logging improvements in auth service.

…cies
- Removed redundant variables for client_id and client_secret in saveOAuthToken function.
- Updated logging to use a centralized logger instead of console methods.
- Removed unnecessary deletion of code_verifier from the request session.
- Updated package.json to remove outdated "api" dependency.

- Modified build.sh to append '/v2/auth/save-token' to the redirect_uri.
- Updated auth.service.ts to use the correct redirect_uri for token requests.
- Ensured consistency in region configuration and API endpoint handling.

- Added new endpoints for retrieving app configuration and checking SSO authentication status.
- Updated authentication service to handle SSO tokens and access tokens more effectively.
- Enhanced error handling for SSO-related operations.
- Updated UI components to support SSO login and added corresponding styles.
- Refactored API service calls to accommodate new SSO logic and improved token management.

- Added logout endpoint to the authentication service for user session management.
- Updated UI components to handle logout actions and provide user feedback during the process.
- Enhanced error handling for SSO-related operations and improved user experience during authentication.
- Introduced app.json for configuration management and updated related services to utilize this configuration.
- Refactored authentication logic to streamline SSO checks and improve overall flow.

- Added app.json to the main .gitignore to prevent tracking of configuration files.
- Included manifest.json in the api/.gitignore to exclude it from version control.
89cddec to fa2cd13
- Added isSSO property to the Project interface for better SSO handling.
- Introduced requestWithSsoTokenRefresh utility to streamline SSO token management across services.
- Updated various service methods to utilize SSO token refresh logic, improving authentication flow.
- Refactored API calls in org.service.ts, migration.service.ts, and user.service.ts to support SSO.
- Enhanced pagination utility to accommodate SSO token handling for paginated requests.
- Updated configuration handling to prefer updated_at for OAuth token management.

- Changed default value of cmsType to 'cmsType' for clarity.
- Updated localPath default to 'localPath' to standardize configuration settings.