-
Notifications
You must be signed in to change notification settings - Fork 679
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: allow sharing of secrets publicly + public page for secret sharing #1923
feat: allow sharing of secrets publicly + public page for secret sharing #1923
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Left some comments. I think the UI need some fix up. @vmatsiiako will help with it.
Small nit, i would rename the page URL from /shared/secret/
to /share-secret
We actually had it initially but then from a security + brute force concern, we limited this to treat invalid secrets the same way as expired secrets so that one cannot try decoding it by brute forcing it. And the current setup deletes the secrets once they're expired on views and at 0 GMT when time bound expires so we technically do not store expired secrets as such. |
About the undefined error, I was not able to reproduce it :/ Can you try once now with the latest commit to see if you still see it? PS: @vmatsiiako will take a look at the UI side of this PR sometime tomorrow. Ready for review again 🙏🏼 |
t.uuid("orgId").nullable().alter(); | ||
t.uuid("userId").nullable().alter(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should be adding hasColumn
checks for these ones?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I did not do that initially because the orgId will always be there since its a part of the initial schema, so I'm not sure if a case for this could be possible. But I'll add it now.
t.uuid("orgId").notNullable().alter(); | ||
t.uuid("userId").notNullable().alter(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
here as well
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
adding
iv, | ||
tag, | ||
hashedHex, | ||
expiresAt: new Date(expiresAt), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should be validating the value of the expiresAt being passed to this endpoint so that no malicious user could fill up our records with non-expiring secrets (like they set it to 10 years from now or something)
or are we already doing that?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, limiting it to 30 days for now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- Somewhere, we keep making these requests, we should catch and avoid these requests when the param is undefined:
{"reqId":"req-13","severity":"INFO","req":{"method":"GET","url":"/api/v1/secret-sharing/public/undefined?hashedHex=","hostname":"localhost:8080","remoteAddress":"192.168.144.1","remotePort":50246}}
-
The text area needs some work, you can only click on a specific area. We should also show the scroll bar if we haven't yet because for long shares, people may not know. Also i don't remember, did we set a max context limit that can be shared?
-
Not sure where the
share your own secret
button went, it was there but now i don't see it anymore
aa69f5b
to
f6e4446
Compare
Description 📣
/shared/secret
Public Page:
Shared Secret Page:
Type ✨
Tests 🛠️
# Here's some code block to paste some code snippets