[Site Admin] Add e2e tests for siteadmin apis#5694
X-Authgear-Session-Valid: "true"
X-Authgear-User-Id: "00000000-0000-0000-0000-000000000001"
I thought we need to provide an access token here?
The test setup is simplified. It uses WEB_SDK_SESSION_TYPE=cookie and assumes the server is behind the resolver proxy, so an access token is not needed.
I was actually thinking, did we expose a security risk in our helm chart if webSDKSessionType is set to cookies? It seems in portal when webSDKSessionType is set to cookies, we automatically set up an nginx proxy and expose the nginx instead. However, in siteadmin, it looks like we do not have such a setup. Therefore, if the user sets webSDKSessionType to cookies, the api caller can claim himself as anyone? Did I miss anything?
Yes, good catch. Users should never set webSDKSessionType to cookie, so maybe we should hardcode the env and remove webSDKSessionType from the helm chart for site admin.
What if we remove the SITEADMIN_AUTHGEAR_WEB_SDK_SESSION_TYPE environment variable and always use access token instead?
I think practically we do not need cookie auth in site admin. This prevents anyone from setting it up wrongly.
ref DEV-3518
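The header-trust model this thread is about, as an added illustration and not Authgear's own code: a resolver proxy that discards any identity headers the client sent and sets them only from its own session lookup, the cookie-mode upstream that believes those headers unconditionally, and the token-only mode the thread settles on. The header names are the ones in the fixture above; the session and token maps are constructed sample data.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Header names from the test fixture above (assumed to be what the resolver sets).
const (
	hdrSessionValid = "X-Authgear-Session-Valid"
	hdrUserID       = "X-Authgear-User-Id"
)

// resolverProxy models the nginx resolver layer in front of a cookie-mode
// deployment: it first drops any identity headers supplied on the wire, then
// sets them only when the session cookie resolves. sessions (constructed)
// maps a session cookie value to the user it belongs to.
func resolverProxy(r *http.Request, sessions map[string]string) {
	r.Header.Del(hdrSessionValid)
	r.Header.Del(hdrUserID)
	if c, err := r.Cookie("session"); err == nil {
		if uid, ok := sessions[c.Value]; ok {
			r.Header.Set(hdrSessionValid, "true")
			r.Header.Set(hdrUserID, uid)
		}
	}
}

// cookieModeUpstream is the site admin API with WEB_SDK_SESSION_TYPE=cookie:
// it believes the headers as-is, which is only safe if resolverProxy always ran.
func cookieModeUpstream(r *http.Request) (string, bool) {
	if r.Header.Get(hdrSessionValid) != "true" {
		return "", false
	}
	uid := r.Header.Get(hdrUserID)
	return uid, uid != ""
}

// tokenModeUpstream is the access-token-only mode proposed in the thread:
// identity comes solely from a bearer token the upstream validates itself, so
// client-supplied identity headers are irrelevant. tokens (constructed) maps
// an access token to its user.
func tokenModeUpstream(r *http.Request, tokens map[string]string) (string, bool) {
	tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
	uid, ok := tokens[tok]
	return uid, ok
}

func main() {
	r, _ := http.NewRequest("GET", "/", nil)
	r.Header.Set(hdrUserID, "forged") // no proxy in front: believed in cookie mode
	r.Header.Set(hdrSessionValid, "true")
	fmt.Println(cookieModeUpstream(r))
}
```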