Skip to content

chore: explicitly opt-in to allow all users#502

Merged
ColeMurray merged 2 commits intoColeMurray:mainfrom
telli-ai:add-allow-all-users-check
Apr 20, 2026
Merged

chore: explicitly opt-in to allow all users#502
ColeMurray merged 2 commits intoColeMurray:mainfrom
telli-ai:add-allow-all-users-check

Conversation

@Bnowako
Copy link
Copy Markdown
Contributor

@Bnowako Bnowako commented Apr 19, 2026
edited by coderabbitai Bot
Loading

Summary by CodeRabbit

  • New Features

    • Added an explicit unsafe_allow_all_users option (default: false) to opt into allowing all authenticated GitHub users when allowlists are empty.

  • Behavior Change

    • Default access now denies sign-in when both user and email allowlists are empty unless the new option is enabled.

  • Deployment / Validation

    • Production deploys now validate access-control configuration and will fail unless an allowlist is set or the new option is enabled.

  • Documentation

    • Updated docs and READMEs to explain the new option and validation behavior.

@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented Apr 19, 2026
edited
Loading

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 85f75c84-8ed2-4ba0-944f-714794755f4a

📥 Commits

Reviewing files that changed from the base of the PR and between 2c4d72c and 6093032.

📒 Files selected for processing (1)
  • terraform/environments/production/checks.tf
📝 Walkthrough

Walkthrough

This PR adds an explicit unsafe_allow_all_users (default false) flag and changes access-control behavior: empty allowlists no longer grant access by default. Updates include docs, a new parseBooleanEnv helper, AccessControl config change, auth integration, tests, Terraform variable, validation check, and environment variable exports for Cloudflare and Vercel.

Changes

Cohort / File(s) Summary
Documentation
docs/GETTING_STARTED.md, packages/web/README.md		 Clarified access-control semantics and added documentation for new unsafe_allow_all_users/UNSAFE_ALLOW_ALL_USERS; changed guidance that empty allowlists no longer permit all users unless the unsafe flag is enabled.
Access Control Logic & Tests
packages/web/src/lib/access-control.ts, packages/web/src/lib/access-control.test.ts		 Added unsafeAllowAllUsers: boolean to AccessControlConfig, implemented exported parseBooleanEnv(value) helper, updated checkAccessAllowed to require the unsafe flag when allowlists are empty, and extended tests to cover the new default-deny and override behavior.
Auth Integration
packages/web/src/lib/auth.ts		 Wired UNSAFE_ALLOW_ALL_USERS into the sign-in flow via parseBooleanEnv(process.env.UNSAFE_ALLOW_ALL_USERS) and passed unsafeAllowAllUsers into checkAccessAllowed.
Terraform: Variables & Validation
terraform/environments/production/variables.tf, terraform/environments/production/terraform.tfvars.example, terraform/environments/production/checks.tf		 Added unsafe_allow_all_users bool (default false), updated variable descriptions, and introduced check "access_controls_configured" that fails unless an allowlist is set or the unsafe flag is true.
Terraform: Environment Exports
terraform/environments/production/web-cloudflare.tf, terraform/environments/production/web-vercel.tf		 Exported UNSAFE_ALLOW_ALL_USERS to Cloudflare Worker vars and Vercel environment variables (sourced from var.unsafe_allow_all_users).

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant AuthCallback
  participant AccessControl
  participant Env (Vercel/Cloudflare)

  Client->>AuthCallback: User signs in (OAuth)
  AuthCallback->>Env: Read UNSAFE_ALLOW_ALL_USERS (env var)
  AuthCallback->>AccessControl: checkAccessAllowed({allowedUsers, allowedDomains, unsafeAllowAllUsers})
  AccessControl-->>AuthCallback: allow / deny
  AuthCallback-->>Client: Complete sign-in or reject
Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 I hopped the docs and code with care,

Closed the burrow to strangers there.
A tiny flag—unsafe to trawl—
Keeps the warren safe for all. 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'chore: explicitly opt-in to allow all users' directly reflects the main change: introducing a new unsafe_allow_all_users configuration option that requires explicit opt-in to allow all authenticated users, changing from implicit allow-all behavior when allowlists are empty.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]
coderabbitai Bot reviewed Apr 19, 2026
View reviewed changes
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@terraform/environments/production/checks.tf`:
- Around line 15-24: The Terraform check "access_controls_configured" can be
bypassed by strings that contain only commas/whitespace; update the assertion to
mirror the app parsing in packages/web/src/lib/access-control.ts
(parseAllowlist/checkAccessAllowed) by treating var.allowed_users and
var.allowed_email_domains as comma-separated lists: split on ",", trim each
element, filter out empty entries, and require at least one non-empty entry (or
unsafe_allow_all_users true). Concretely, replace the current
length(trimspace(...)) checks with logic that counts non-empty items after
splitting and trimming each element so the Terraform check fails when the
runtime would produce an empty allowlist.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4c41d64e-c5da-480a-ae61-683bc3ae9e16

📥 Commits

Reviewing files that changed from the base of the PR and between 88906fc and 2c4d72c.

📒 Files selected for processing (10)
  • docs/GETTING_STARTED.md
  • packages/web/README.md
  • packages/web/src/lib/access-control.test.ts
  • packages/web/src/lib/access-control.ts
  • packages/web/src/lib/auth.ts
  • terraform/environments/production/checks.tf
  • terraform/environments/production/terraform.tfvars.example
  • terraform/environments/production/variables.tf
  • terraform/environments/production/web-cloudflare.tf
  • terraform/environments/production/web-vercel.tf

Comment thread terraform/environments/production/checks.tf
@ColeMurray ColeMurray merged commit 3c16e77 into ColeMurray:main Apr 20, 2026
18 checks passed
ColeMurray added a commit that referenced this pull request Apr 20, 2026
@ColeMurray
fix: make access control terraform check a hard error
3da77d8 
Replace the advisory `check` block with a `terraform_data` precondition
that actually blocks `terraform plan`/`apply` when no access control is
configured. Add missing test for unsafeAllowAllUsers with populated
allowlists.

Follow-up to #502.
@ColeMurray ColeMurray mentioned this pull request Apr 20, 2026
Merged
4 tasks
ColeMurray added a commit that referenced this pull request Apr 20, 2026
@ColeMurray
fix: make access control terraform check a hard error (#511)
924d089 
## Summary

Follow-up to #502 — strengthens the access control guardrails:

- **Replace advisory `check` block with `terraform_data` precondition**
— Terraform `check` blocks only produce warnings and don't block
`apply`. The new `precondition` on a `terraform_data` resource makes
this a hard error that blocks `terraform plan`/`apply` when neither
allowlist nor `unsafe_allow_all_users` is configured.
- **Add missing test for `unsafeAllowAllUsers: true` with populated
allowlists** — verifies that when both the flag and allowlists are set,
the allowlist is still enforced (non-matching users are denied).
- **Combine duplicated destructuring** in `checkAccessAllowed`.

## Test plan

- [x] `npm test -w @open-inspect/web` — 27 tests pass (2 new)
- [x] `terraform fmt -check` — clean
- [ ] Verify `terraform plan` fails when both allowlists are empty and
`unsafe_allow_all_users = false`
- [ ] Verify `terraform plan` succeeds when `unsafe_allow_all_users =
true` or an allowlist is set

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Tests**
* Expanded test coverage for access control scenarios, including
allowlist enforcement behavior with various configuration combinations.

* **Refactor**
* Optimized access control implementation code structure for improved
maintainability.

* **Chores**
* Updated production infrastructure access control validation to be
enforced at deployment-time via infrastructure preconditions.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Bnowako @ColeMurray