This property helps the spring security library derive the host name, protocol and port accurately even while running behind a Nginx load balancer. This is because nginx adds X-Forward-* headers that are parsed by Spring security library.
This is required for OAuth2 failure handling. When the client makes an OAuth2 request, we don't receive an origin header. If the OAuth2 login fails for some reason, our failure handler will not redirect correctly unless we also check for the referer header.
This is required because when we host inside a docker container, the default host and port picked up by the code is the docker container's name & port. This will not work when Google (for example) needs to redirect back to our server after authentication is complete. Hence, we need to customize the default redirect uri for all OAuth2 endpoints.
The issue was that the chain would receive a mono instead of an object. This would cause it to not persist the token in the DB. Moving to flatMap fixes this problem as we then deal with the actual object instead of the Mono.
Also fixing the url encoding in the email to ensure that the links generated are correct. By default mustache does HTML escaping and not URL encoding.
Also refactoring the code to use the MultiValueMap for filter params which is a generic implementation and can support filtering on multiple fields of the domain object groups. This can be replicated to other domain objects as well.
Ensuring that a user's personal workspace name is their first name by default.
This is because the full name makes the entire workspace name very long. If we just use the first name, it'll be a shorter string and easier to read by the end user as well.
See merge request theappsmith/internal-tools-server!142
This is because the full name makes the entire workspace name very long. If we just use the first name, it'll be a shorter string and easier to read by the end user as well.
2. Only dependencies of actions over other actions are counted. If the action is dependent on widgets, thats is not counted as a dependency and is left for the frontend to handle.
We use the referer header to find the client's endpoint and redirect to that endpoint once the OAuth2 login is successful. This is implemented via CustomServerOAuth2AuthorizationRequestResolver and AuthenticationSuccessHandler
Responding with 401 unauthorized http response header for all unauthenticated requests
This ensures that the client can redirect to the login page whenever it receives the http status 401 in the response header. Now, the server is no longer responsible for redirecting to the login page. All server redirects have been disabled.
See merge request theappsmith/internal-tools-server!128
This ensures that the client can redirect to the login page whenever it receives the http status 401 in the response header. Now, the server is no longer responsible for redirecting to the login page. All server redirects have been disabled.
Adding the invite user flow to invite a new user into the organization.
This includes multiple APIs:
1. Invite user which creates an invite token for the user and then sends it to the new user via email. This token is valid for 1 hour (for now).
2. An endpoint to verify the invite token so that the client can pre-emptively show any errors or expired token messages. This endpoint is publicly accessible and doesn't require a session.
3. An endpoint for the new user to sign up and set their password by providing their invite token. This endpoint is publicly accessible and doesn't require a session.
Also extending the redis session timeout to 1 day instead of 30 mins.
See merge request theappsmith/internal-tools-server!125
Handling duplicate email in forgotPassword flow.
Now if the user requests for the reset password token multiple times, we will override the previous token and save the new token against that user.
See merge request theappsmith/internal-tools-server!122
Correcting the HTTP methods in SecurityConfig and acl.rego to fix bug in forgotPassword and resetPassword authorization.
See merge request theappsmith/internal-tools-server!121
Adding a flag to determine if we should send emails for that particular environment
This is to prevent us from sending erroneous emails from our dev/test environments
See merge request theappsmith/internal-tools-server!120
Removing the logic to bind actions to pages when a dynamic binding happens.
This is because when an action is created, it is already bound to that page. This assumption will not change. Also, adding the pageId when searching for an action because the action name and pageId is a unique index. There may be actions with similar names across multiple pages.
See merge request theappsmith/internal-tools-server!119
This is because when an action is created, it is already bound to that page. This assumption will not change. Also, adding the pageId when searching for an action because the action name and pageId is a unique index. There may be actions with similar names across multiple pages.
OPA controls access to all endpoints and the list of authenticated resources and public URLs is defined in a single place in that file.
The url_allow function in acl.rego is an overloaded function that replicates the OR condition in Rego. Either the user is authenticated and has permissions to access those resources, or the URL is public and accessible by any user.
Now, we have an authenticationSuccessHandler & authenticationFailureHandler for OAuth & Form sign ups. This makes the whole flow much easier to handle.
Also redirecting the browser to this user profile endpoint on username password login success. This ensures that the client fetches the profile along with setting the session ID cookie in the browser
