chore: improve metrics/logs for checkUserAccess/checkAdminAccess #139
Conversation
|
Hi! I'm VTEX IO CI/CD Bot and I'll be helping you to publish your app! 🤖 Please select which version do you want to release:
And then you just need to merge your PR when you are ready! There is no need to create a release commit/tag.
|
| @@ -157,7 +16,155 @@ export class CheckUserAccess extends SchemaDirectiveVisitor { | |||
| context: Context, | |||
| info: any | |||
| ) => { | |||
| await checkUserOrAdminTokenAccess(context, field.astNode?.name?.value) | |||
There was a problem hiding this comment.
Removed this extra function call as there was no real gain with it and to keep same style as checkAdminAccess directive
| @@ -14,4 +14,14 @@ export default class IdentityClient extends JanusClient { | |||
| public async validateToken({ token }: { token: string }): Promise<any> { | |||
| return this.http.post('/api/vtexid/credential/validate', { token }) | |||
| } | |||
|
|
|||
| public async getToken({ | |||
There was a problem hiding this comment.
The storefront-permissions app was not properly handling appkey/apptokens. Now we can get a token from identity for a given appkey/apptoken and allow/block requests properly.
| if (!adminUserAuthToken) { | ||
| metric.error = 'No admin token provided' | ||
| sendAuthMetric(logger, metric) | ||
| sendAuthMetric(logger, auditMetric) |
There was a problem hiding this comment.
we validate all possible tokens above so we can emit a metric here with all the necessary data, and below we actually apply the validations and allow/block the request.
|
|
Your PR has been merged! App is being published. 🚀 After the publishing process has been completed (check #vtex-io-releases) and doing A/B tests with the new version, you can deploy your release by running:
After that your app will be updated on all accounts. For more information on the deployment process check the docs. 📖 |
What problem is this solving?
Improve logging and metrics on checkUserAccess and checkAdminAccess directives. This will help us understand how these APIs are used.
This change keeps previous authentication behavior, it just make sure to validate all provided tokens and emit metric before applying rules.
How should this be manually tested?
Tested calling APIs with each directive with multiple different authentication methods.