8000 fix: stop verifying token on ingore cmd by jlourenc · Pull Request #5793 · snyk/cli · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

fix: stop verifying token on ingore cmd #5793

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Apr 25, 2025
Merged

fix: stop verifying token on ingore cmd #5793

merged 1 commit into from
Apr 25, 2025

Conversation

jlourenc
Copy link
@jlourenc jlourenc commented Mar 24, 2025
edited
Loading

Pull Request Submission Checklist

  • Follows CONTRIBUTING guidelines
  • Includes detailed description of changes
  • Contains risk assessment (Low | Medium | High)
  • [] Highlights breaking API changes (if applicable)
  • [] Links to automated tests covering new functionality
  • Includes manual testing instructions (if necessary)
  • [] Updates relevant GitBook documentation (PR link: ___)
  • [] Includes product update to be announced in the next stable release notes

What does this PR do?

Ignore command is the sole command (auth aside) that verifies against Snyk platform that a token is valid.

This is redundant as an invalid token would be identified as invalid on any requests performed against the platform with a 401 status code.

This change refactors the code to only perform local validation, verifying that the token is set appropriately either via configuration or environment variable.

Background

In preparation of enhanced API keys, a clean-up of the Snyk clients codebase to facilitate their integration is being done.

@jlourenc jlourenc requested a review from a team as a code owner March 24, 2025 20:52
@github-actions GitHub Actions
Copy link
Contributor
github-actions bot commented Mar 24, 2025
edited
Loading
Warnings
⚠️

Since the CLI is unifying on a standard and improved tooling, we're starting to migrate old-style imports and exports to ES6 ones.
A file you've modified is using either module.exports or require(). If you can, please update them to ES6 import syntax and export syntax.
Files found:

  • test/tap/auth.test.ts

Generated by 🚫 dangerJS against 14c5679

@jlourenc jlourenc force-pushed the fix/ACC-2350-ignore-is-authed branch from 825a88a to c1bf1a7 Compare March 24, 2025 20:55
CatalinSnyk
CatalinSnyk reviewed Mar 28, 2025
View reviewed changes
src/cli/commands/ignore.ts Outdated
}
throw err;
}
})
.then(() => {
return authorization.actionAllowed('cliIgnore', options);
})
Copy link
Contributor
@CatalinSnyk CatalinSnyk Mar 28, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion: this might need a catch in case of authentication failures. The actionAllowed returns am object, that should return an auth error (AuthFailedError).

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That is true before this change as well, right? I believe this to be handled by the thing using the promise 🤔

Copy link
Contributor
@CatalinSnyk CatalinSnyk Apr 2, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. I was just thinking that the API call to check the cliIgnoreAuthorization seem to not care about the status codes (neither does the verify function call), which seems like a bad idea.

I would say this is the last thing to be taken care of for this PR, just to make sure there's some better error messages for the users. Happy to pair on this if you want to, feel free to book a time in my calendar.

LE: this also needs a rebase to fix some vulnerabilities that came up.

@CatalinSnyk
Copy link
Contributor

The acceptance tests seem to also need an update:

cli/test/jest/acceptance/snyk-ignore/snyk-ignore.spec.ts

Line 4 in 09aa7d4

import { requireSnykToken } from '../../util/requireSnykToken';

@jlourenc
Copy link
Author

The acceptance tests seem to also need an update:

@CatalinSnyk, do you happen to know what needs updating?

@CatalinSnyk
Copy link
Contributor

I think the tests might not actually need updating. The promise that was previously used was not resolving at all, so the command was not doing anything. Should be solved with the commit I made.

@jlourenc jlourenc force-pushed the fix/ACC-2350-ignore-is-authed branch 2 times, most recently from 3cae0a6 to b486945 Compare April 24, 2025 10:34
@dotkas dotkas enabled auto-merge April 25, 2025 11:33
@dotkas
fix: stop verifying token on ignore cmd
14c5679 
Ignore command is the sole command (auth aside) that verifies against
Snyk platform that a token is valid.

This is redundant as an invalid token would be identified as invalid on
any requests performed against the platform with a 401 status code.

This change refactors the code to only perform local validation,
verifying that the token is set appropriately either via configuration
or environment variable.
@dotkas dotkas force-pushed the fix/ACC-2350-ignore-is-authed branch from b486945 to 14c5679 Compare April 25, 2025 11:33
@dotkas dotkas merged commit a05e055 into main Apr 25, 2025
7 checks passed
@dotkas dotkas deleted the fix/ACC-2350-ignore-is-authed branch April 25, 2025 12:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@CatalinSnyk CatalinSnyk CatalinSnyk left review comments

@dotkas dotkas dotkas approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jlourenc @CatalinSnyk @dotkas
0