Ensure that signed fields maintain validity #370
Open
jklina wants to merge 1 commit into intercom:master
The script tag checks for validity by making sure there's a `user_id` or an `email`. When using signed fields, however, these fields are removed from the `user_details` hash, so each time both the `user_id` and the `email` fields are promoted to the JWT payload, they will invalidate the script tag even though the information is there, just moved into the payload. The invalid script tag is then quietly hidden from the views.

This attempts to fix the issue by ensuring the state of the `user_fields` hash is maintained for validation purposes.

Why?
Why are you making this change?

Promoting both the `user_id` and `email` fields to the JWT payload makes the script tag invalid.

How?
Technical details on your change

Use the original, unaltered, `user_fields` hash for validation. Tests are added to ensure different configuration options produce valid script tags.