Consumer App Portal read only mode

[dariom]

Are you able to provide details on which features are/are not available in read only mode for the Consumer App Portal?

Unless I'm doing something wrong, in my testing I've found that in rea only mode I can:

• Create a new endpoint
• Edit an existing endpoint
• Delete an existing endpoint
• Disable/endale an endpoint
• Resend messages to an endpoint (either individually or in bulk)

Is that to be expected?

Is there any way in the Consumer App Portal to stop a user from modifying endpoints?

[tasn]

This shouldn't be the case. CC @svix-lucho to check this out.

[svix-lucho]

@dariom resending messages is allowed in the read-only mode of the App Portal.

As for the edit/create operations on the endpoint, you should see something like this:

I just verified it and it seems to be working as expected. Can you make sure that you enabled read-only mode for the environment your app portal belongs to? Also, when making a change that affects the app portal, to see your change, you need to log in to the app portal from scratch again (using app.svix.com/login#key=...). Just refreshing the page is not enough.

[dariom]

Thanks @svix-lucho. I had simply been refreshing the portal, not logging in again. Can I suggest adding some additional guidance in your docs?

On a related note, I have some questions about white-labeling the App Portal. I see some elements of Svix content/branding/links in the custom portal. We'd hope to hide this once we move to a Professional plan - can you confirm whether this is the case?

Right now, I see "Svix" when loading the portal:

in the bottom left-hand navigation:

and after logging out (the custom logo isn't showing here either):

Similarly, the help drop-down menu shows Svix-specific links:

Are there ways to address these to make the portal experience truly white-labeled and hide references to Svix?

I understand that the Event Catalog can be published using a custom domain. Is the same true of the App Portal?

[tasn]

@dariom, the app portal can also be fully whitelabeled in the free tier, you just need to embed it in your own UI which then removes all the Svix branding: https://docs.svix.com/app-portal#embedding-in-your-own-dashboard

[dariom]

Thanks,, we'll look into this. We were hoping not to create our own UI, but will explore this option.

[mderriey]

Hi,

Apologies for piggybacking on Dario's question, however it's closely related so I think it makes sense.

As we're exploring embedding the portal into one of our apps, we noticed that the URL we get back from the Get Consumer App Portal Access endpoint contains a few query-string parameters, most specifically readOnly=true.

We found that if we remove this query string parameter, then the portal becomes editable — we've made sure to do these tests in incognito/InPrivate windows with no cookies or data in local storage.

It looks to us that given this is all happening client-side, it could mean someone could get access to an editable portal, which we want to avoid as we're enforcing limits through our API, like the maximum number of endpoints for an application.

I took a quick look, and it looks like we exchange the one-time token for a token; Would it be possible to look up the portal settings during this operation and issue a read-only token, so that even if the UI doesn't show the buttons disabled, the operations would fail when reaching the server?

I appreciate it's surely more complex than this, but I didn't want to come "empty-handed" to the conversation.

Thanks a lot.

[mderriey]

Friendly bump in case this went through the net with the Easter weekend 🙏

[tasn]

Yes, the app portal "read only" is aesthetic at the moment, but not actually backend enforced. That (along with other more fine-grained abilities) is coming soon.

[svix-jplatte]

App portal "read only" mode is now no longer aesthetic, as of a few weeks ago.