fix(onboarding): auto-generate AWS External ID and make field readonly#36
Conversation
Issue #18 reported the External ID input in the Add AWS Account modal as blank and user-editable. An editable External ID lets operators set any value (or leave it empty), defeating the cross-account role-assumption security model — the sts:ExternalId is a shared secret between CUDly and the customer, and CUDly must own the value.

- index.html: mark `account-aws-external-id` readonly, wrap it in a `.input-with-copy` flex container with a copy button that copies the value to the clipboard. Replace the "External ID (optional)" label with a hint pointing operators at sts:ExternalId in their trust policy.
- settings.ts: on modal open, populate the field with the stored `aws_external_id` for existing accounts or a fresh `crypto.randomUUID()` for new accounts. New helper `generateExternalID` falls back to a timestamp+random string if crypto.randomUUID is unavailable (test environments, odd webviews) so the user never sees an empty field.
- settings.ts: extend `copyToClipboard` to prefer `.value` on form controls (the new input-with-copy layout uses an `<input>`) and fall back to `.textContent` for code/span sources. Resolve the feedback button from the element's parent instead of only its nextElementSibling so nested-wrapper layouts work. Replace the innerHTML swap in the feedback path with childNode array save/restore — semantically identical, hook-friendly, and avoids re-proving XSS safety at every edit.
- components.css: new `.input-with-copy` rule so the input and copy button read as a single control.
- settings-accounts.test.ts + html.test.ts: regression tests for the auto-generation + readonly + hint text.

Closes #18.
@coderabbitai review
#37) Issue #19 reported the AWS Add-Account modal asks for a Role ARN but provides no trust-policy snippet for the operator to apply in their AWS account. Getting the principal, action, or ExternalId wrong silently breaks cross-account role assumption — this was the highest-friction step in AWS onboarding.

- index.html: add a `.trust-policy-section` inside `#account-aws-role-fields` with a `<pre id="account-aws-trust-policy">` and a copy button. Includes a guidance `<small>` below for screen-reader context; the actual text is rendered dynamically.
- settings.ts: new `renderAwsTrustPolicy` fetches the CUDly host AWS account ID from `api.getConfig().source_identity.account_id` and writes a fully-qualified trust policy JSON into the `<pre>`, interpolating the per-account External ID alongside the CUDly Principal ARN. Called automatically whenever the AWS modal opens via `populateAwsAccountFields`.
- When the deployment can't determine its own AWS account ID (CUDly running on Azure / GCP, or missing sts:GetCallerIdentity), the `<pre>` stays empty and the hint is swapped for an operator-facing explanation of what to do manually, so operators don't paste a half-rendered policy.
- Wires a copy-to-clipboard button on the snippet.
- Adds `.code-block` + `.trust-policy-section` CSS for the JSON block styling.
- Regression test in html.test.ts locks in the new DOM hooks.

Depends on #18 (External ID auto-generation), which landed as PR #36 / commit 544ae3e. Closes #19.
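The two PR descriptions above (#36: External ID generation with a fallback; #37: rendering the trust policy only when every field can be filled in) can be shown in one self-contained piece of code. What follows is an added example written for this page, not CUDly's own `settings.ts`. `generateExternalID` reuses the PR's helper name but the body is mine and adds a `getRandomValues` tier between `randomUUID` and the timestamp fallback; `buildAwsTrustPolicy` and `trustPolicyAllows` are hypothetical names. It assumes the CUDly principal is the host account root (`arn:aws:iam::<account>:root`); the real PR interpolates whatever Principal ARN the deployment reports. The sample account and External ID values are constructed.

```typescript
// Added example (not CUDly code): External ID generation with fallbacks, and a
// trust-policy builder that refuses to render a half-complete policy.

// Allowed form of sts:ExternalId per the IAM docs: 2-1224 chars of [A-Za-z0-9_+=,.@:/-].
const EXTERNAL_ID_RE = /^[\w+=,.@:\/-]{2,1224}$/;
const AWS_ACCOUNT_ID_RE = /^\d{12}$/;

// Minimal view of the Web Crypto surface the generator uses; real callers pass globalThis.crypto.
interface UuidSource {
  randomUUID?: () => string;
  getRandomValues?: (buf: Uint8Array) => Uint8Array;
}

// Generate a fresh External ID. Order of preference:
//   1. crypto.randomUUID()               (modern browsers, Node 19+)
//   2. UUIDv4 assembled from getRandomValues (older webviews)
//   3. timestamp + Math.random string     (test environments only; NOT a CSPRNG)
// Tier 3 exists so the field is never empty, as the PR describes; it must not be
// relied on in production because Math.random is predictable.
function generateExternalID(source?: UuidSource): string {
  const src: UuidSource | undefined =
    source ?? ((globalThis as any).crypto as UuidSource | undefined);
  if (src && src.randomUUID) return src.randomUUID();
  if (src && src.getRandomValues) {
    const b = new Uint8Array(16);
    src.getRandomValues(b);
    b[6] = (b[6] & 0x0f) | 0x40; // version 4
    b[8] = (b[8] & 0x3f) | 0x80; // RFC 4122 variant
    let h = "";
    for (let i = 0; i < b.length; i++) h += ("0" + b[i].toString(16)).slice(-2);
    return `${h.slice(0, 8)}-${h.slice(8, 12)}-${h.slice(12, 16)}-${h.slice(16, 20)}-${h.slice(20)}`;
  }
  return `${Date.now().toString(36)}-${Math.random().toString(36).slice(2, 12)}`;
}

interface TrustStatement {
  Effect: "Allow" | "Deny";
  Principal: { AWS: string };
  Action: string;
  Condition: { StringEquals: { "sts:ExternalId": string } };
}
interface TrustPolicy {
  Version: string;
  Statement: TrustStatement[];
}

// Render the customer-side trust policy, or null when it cannot be rendered in full:
// no host account ID (CUDly on Azure/GCP, sts:GetCallerIdentity unavailable) or an
// External ID outside the IAM-allowed form. Callers show the manual-steps hint on
// null instead of a half-rendered policy.
// ASSUMPTION: the CUDly principal is the host account root; a deployment could pin a
// specific role ARN here instead.
function buildAwsTrustPolicy(
  hostAccountId: string | null | undefined,
  externalId: string,
): string | null {
  if (!hostAccountId || !AWS_ACCOUNT_ID_RE.test(hostAccountId)) return null;
  if (!EXTERNAL_ID_RE.test(externalId)) return null;
  const policy: TrustPolicy = {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: { AWS: `arn:aws:iam::${hostAccountId}:root` },
        Action: "sts:AssumeRole",
        Condition: { StringEquals: { "sts:ExternalId": externalId } },
      },
    ],
  };
  return JSON.stringify(policy, null, 2);
}

// Simplified model of how STS evaluates the trust policy for AssumeRole: principal,
// action and ExternalId must all match an Allow statement. Real IAM also handles
// Deny, wildcards and other condition keys; this is enough to show why a wrong or
// missing ExternalId fails with no hint about which field was wrong.
function trustPolicyAllows(
  policyJson: string,
  callerArn: string,
  presentedExternalId?: string,
): boolean {
  const policy = JSON.parse(policyJson) as TrustPolicy;
  return policy.Statement.some(
    (s) =>
      s.Effect === "Allow" &&
      s.Action === "sts:AssumeRole" &&
      s.Principal.AWS === callerArn &&
      presentedExternalId !== undefined &&
      s.Condition.StringEquals["sts:ExternalId"] === presentedExternalId,
  );
}

// Stand-alone demo with a constructed host account ID.
const demoPolicy = buildAwsTrustPolicy("123456789012", generateExternalID());
console.log(demoPolicy ?? "host account ID unknown: show manual instructions instead");
```

The null return is the point: the operator either gets a policy with every field filled in, or an explicit instruction to build it by hand. `trustPolicyAllows` makes the failure mode concrete: the same policy rejects a call with a different or missing External ID, and the operator sees only an AccessDenied from STS.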
Summary
- Auto-generate the External ID on modal open with `crypto.randomUUID()`; preserves the stored value for existing accounts
- Readonly field in a `.input-with-copy` layout with a copy-to-clipboard button
- Hint pointing operators at `sts:ExternalId` in their IAM trust policy
- Extend `copyToClipboard` to work with form inputs (reads `.value`) and nested wrappers (finds the `.copy-btn` via parent); also replaces the innerHTML-based feedback swap with childNode save/restore so the helper is scanner-friendly

Why
The editable + blank External ID let operators set any value or leave it empty, defeating the cross-account role-assumption security model. CUDly must own this shared secret.
Closes #18.
Test plan
- `npx jest` — 1238 tests pass (+2 new: auto-generation on modal open; readonly + copy button + trust-policy hint in HTML)
- `npx tsc --noEmit` — clean