US-NOTIFY-COMPLY 50: Verify Nonce For Invite #2024
base: main
Conversation
Thanks, @xlorepdarkhelm! This looks mostly good to me too and I appreciate the small refactoring to pull some of that token generation into its own method! Are there tests that could go along with that to make sure we have proper coverage of that code or are they already present? They might be and may just have to shift to cover the new method, but I wanted to double check.
I do see that CodeQL flagged a thing that's not necessarily a part of your PR directly, but since it appeared here, let's see if we can also resolve it as well, and/or dismiss it if it's truly not an issue. Thanks!
I haven't gotten the tests set up yet; there are a couple that need changes, and yeah, need something to validate the ID token unpacking.
Yeah, I'll get that cleared up.
Similar comments to Carlo, which Cliff already said he'd resolve. So, approved based on that resolution.
Signed-off-by: Cliff Hill <clifford.hill@gsa.gov>
48b6600 to e04adba
A note to PR reviewers: it may be helpful to review our code review documentation to know what to keep in mind while reviewing pull requests.
Description
Makes nonce operations for login.gov work for invites as well as logins now (admin side).
Issue
https://github.com/GSA/us-notify-compliance/issues/50
Security Considerations
This improves the security for logins through login.gov.
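The nonce check this PR extends to the invite flow, shown as an added example rather than code from this project: the client binds a fresh nonce to the session for a given flow, then unpacks the ID token and confirms the nonce claim matches and has not been used before. The names `issue_nonce`, `verify_id_token_nonce` and `SESSION_NONCE_KEY` are assumptions, the session is a plain dict standing in for the Flask session, and signature verification of the ID token is assumed to happen elsewhere.

```python
# Added example, not the project's own code. Names and the session layout
# are assumptions; ID token signature verification is assumed to be done
# elsewhere and is not shown here.
import base64
import hmac
import json
import secrets

SESSION_NONCE_KEY = "login_gov_nonce"  # assumed session key name


def issue_nonce(session: dict, flow: str) -> str:
    """Generate a fresh nonce, bind it to this session and flow ("login" or
    "invite") and return it for inclusion in the authorization request."""
    nonce = secrets.token_urlsafe(32)
    session[SESSION_NONCE_KEY] = {"flow": flow, "nonce": nonce}
    return nonce


def _b64url_decode(part: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def verify_id_token_nonce(session: dict, id_token: str, flow: str) -> bool:
    """Unpack the ID token payload and compare its nonce claim with the one
    stored for this flow. The stored nonce is consumed on every attempt, so a
    token can only be tried once per nonce (no replay across attempts)."""
    expected = session.pop(SESSION_NONCE_KEY, None)
    if not expected or expected["flow"] != flow:
        return False
    try:
        payload = json.loads(_b64url_decode(id_token.split(".")[1]))
    except (IndexError, ValueError):
        return False
    actual = payload.get("nonce") if isinstance(payload, dict) else None
    if not isinstance(actual, str):
        return False
    # Constant-time comparison on bytes to avoid leaking the mismatch position.
    return hmac.compare_digest(actual.encode(), expected["nonce"].encode())


def make_unsigned_id_token(claims: dict) -> str:
    """Constructed test helper: builds a JWT-shaped token with a dummy
    signature so the nonce check can be exercised offline."""
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"
```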
NOTE
Do not merge until GSA/notifications-api#1365 is also ready.