[WEB-2603] fix: remove validation of roles from the live server#5761

Merged: pushya22 merged 4 commits into preview from fix/pages-guest-edit-sync on Oct 8, 2024

Conversation

@Palanikannan1437 (Member) commented Oct 7, 2024

Description

If a guest created a page, they weren't able to sync their page edits in real time. Hence, we've removed the membership check from the live server and are letting the app subscribing to our server handle it now.

Summary by CodeRabbit

  • Bug Fixes
    • Removed unnecessary logic related to fetching user project membership for project pages, streamlining the authentication process.
    • Adjusted error message formatting for incomplete query parameters.
  • Chores
    • Removed methods for fetching user workspace and project membership, simplifying the user service.
    • Updated the authentication process by eliminating unnecessary parameters in the function signature.

coderabbitai bot (Contributor) commented Oct 7, 2024

Walkthrough

The changes in this pull request focus on the handleAuthentication function within live/src/core/lib/authentication.ts. The primary modification involves the removal of logic that fetches the current user's project membership information specifically for the documentType "project_page". This includes eliminating the call to userService.getUserProjectMembership, its associated error handling, and the logic for setting the connection to read-only based on the user's project role. The function now directly returns user information for other document types without additional checks.

Changes

File path: change summary

  • live/src/core/lib/authentication.ts: removed logic for fetching user project membership for "project_page"; adjusted error message formatting.
  • live/src/services/user.service.ts: removed methods getUserWorkspaceMembership and getUserProjectMembership; modified import to retain only IUser.
  • live/src/ce/lib/authentication.ts: deleted type definition TArgs and the authenticateUser function.
  • live/src/core/hocuspocus-server.ts: updated onAuthenticate function signature and adjusted handleAuthentication call to remove unnecessary parameters.

Suggested labels

🐛 bug, ⚙️ backend, 🧹 chore

Suggested reviewers

  • sriramveeraghanta
  • SatishGandham
  • rahulramesha

🐇 In the code where logic once thrived,
A project check has now been deprived.
With roles and rights, we dance and play,
Authentication leads the way!
Hopping through changes, swift and bright,
Our code is lighter, ready for flight! 🌟



@Palanikannan1437 Palanikannan1437 changed the title fix: remove validation of roles from the live server [WEB-2603] fix: remove validation of roles from the live server Oct 7, 2024
coderabbitai bot (Contributor) left a comment

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (1)
live/src/core/lib/authentication.ts (1)

44-46: Consider enhancing error message for incomplete query parameters.

While the error message formatting has been adjusted, this could be an opportunity to improve error handling and provide more specific information.

Consider modifying the error message to include which specific parameter is missing:

throw Error(
  `Authentication failed: Incomplete query params. Missing ${!workspaceSlug ? 'workspaceSlug' : 'projectId'}.`
);

This change would make debugging easier by pinpointing exactly which parameter is missing.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 7bb0400 and 48447c2.

📒 Files selected for processing (1)
  • live/src/core/lib/authentication.ts (1 hunks)
🧰 Additional context used
🔇 Additional comments (1)
live/src/core/lib/authentication.ts (1)

Line range hint 1-58: Changes align with PR objectives but require careful consideration.

The removal of project membership validation for "project_page" document type aligns with the PR objectives, allowing guests to sync their edits without role validation constraints. However, this change requires careful consideration of its implications.

  1. Security Implications:
    The removal of role validation on the live server might have security implications. Ensure that proper access controls are implemented in the web application to prevent unauthorized access to project pages.

  2. Error Handling:
    The error handling for "project_page" document type is now less specific. Consider improving it to provide more informative error messages.

  3. Functionality Verification:
    Verify that the removal of project membership validation doesn't negatively impact the functionality of project pages.

To verify the impact of these changes, please run the following script:

coderabbitai bot (Contributor) left a comment

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (1)
live/src/core/services/user.service.ts (1)

Line range hint 1-31: Overall changes look good and align with PR objective.

The modifications to this file are focused and consistent with the goal of removing role validation from the live server. The UserService class retains its core functionality for fetching the current user's information, while removing the specific methods related to project and workspace membership validation.

To ensure a smooth transition:

  1. Verify that the removal of getUserWorkspaceMembership and getUserProjectMembership methods doesn't break any existing functionality in other parts of the application.
  2. Update any documentation or comments that might reference these removed methods.
  3. Consider adding a comment explaining why these methods were removed, referencing the PR or issue number for future context.
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 48447c2 and 9d71626.

📒 Files selected for processing (1)
  • live/src/core/services/user.service.ts (1 hunks)
🧰 Additional context used
🔇 Additional comments (2)
live/src/core/services/user.service.ts (2)

2-2: LGTM: Import statement updated correctly.

The import statement has been appropriately updated to remove the unused IProjectMember type. This change aligns with the removal of methods that previously used this type and helps maintain clean imports.


Line range hint 1-31: Removal of membership validation methods aligns with PR objective.

The removal of getUserWorkspaceMembership and getUserProjectMembership methods is in line with the PR objective to remove role validation from the live server. This change should allow guests to sync their page edits without being hindered by role validation constraints.

To ensure this change doesn't break existing functionality, let's verify that these methods are not being used elsewhere in the codebase:

✅ Verification successful

To ensure that the removed methods are not used elsewhere in the codebase, please run the following verification scripts:


Removal of getUserWorkspaceMembership and getUserProjectMembership is verified.

No usages found in the codebase, ensuring that the removal is safe and aligns with the PR objectives.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for any remaining usage of the removed methods

# Test 1: Search for getUserWorkspaceMembership usage
echo "Checking for getUserWorkspaceMembership usage:"
rg --type typescript "getUserWorkspaceMembership"

# Test 2: Search for getUserProjectMembership usage
echo "Checking for getUserProjectMembership usage:"
rg --type typescript "getUserProjectMembership"

# If any results are found, they will be displayed, indicating potential issues.
# If no results are found, it suggests that the removal is safe.

Length of output: 369


Script:

#!/bin/bash
# Description: Check for any remaining usage of the removed methods

# Test 1: Search for getUserWorkspaceMembership usage
echo "Checking for getUserWorkspaceMembership usage:"
rg "getUserWorkspaceMembership" --glob "*.ts" --glob "*.tsx"

# Test 2: Search for getUserProjectMembership usage
echo "Checking for getUserProjectMembership usage:"
rg "getUserProjectMembership" --glob "*.ts" --glob "*.tsx"

# If any results are found, they will be displayed, indicating potential issues.
# If no results are found, it suggests that the removal is safe.

Length of output: 321

@Palanikannan1437 Palanikannan1437 marked this pull request as draft October 7, 2024 11:43
@Palanikannan1437 Palanikannan1437 force-pushed the fix/pages-guest-edit-sync branch from f2f7581 to 3ad770a October 7, 2024 11:44
@Palanikannan1437 Palanikannan1437 self-assigned this Oct 7, 2024
@Palanikannan1437 Palanikannan1437 marked this pull request as ready for review October 7, 2024 11:45
coderabbitai bot (Contributor) left a comment

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (2)
live/src/core/hocuspocus-server.ts (2)

35-35: LGTM! Minor style improvement.

The addition of a trailing comma after the debounce option is a good practice. It makes future additions to the configuration object easier and results in cleaner diffs when changes are made.

Consider adding trailing commas to other object literals in the file for consistency, if they don't already have them.


Line range hint 1-37: Summary: Authentication process simplified, aligning with PR objectives.

The changes in this file successfully remove the role validation from the live server by simplifying the onAuthenticate function and handleAuthentication call. This aligns well with the PR objective of allowing guests to sync their page edits without being hindered by role validation constraints.

However, given the security-sensitive nature of these changes:

  1. Ensure that all suggested verification steps are completed.
  2. Conduct a thorough security review to confirm that removing this validation doesn't introduce any vulnerabilities.
  3. Update any relevant documentation to reflect these changes in the authentication process.

Consider implementing compensating controls in the web application to ensure that proper access controls are still in place, even though the live server is no longer performing role validation.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 9d71626 and 3ad770a.

📒 Files selected for processing (3)
  • live/src/ce/lib/authentication.ts (0 hunks)
  • live/src/core/hocuspocus-server.ts (1 hunks)
  • live/src/core/lib/authentication.ts (1 hunks)
💤 Files with no reviewable changes (1)
  • live/src/ce/lib/authentication.ts
🚧 Files skipped from review as they are similar to previous changes (1)
  • live/src/core/lib/authentication.ts
🧰 Additional context used
🔇 Additional comments (2)
live/src/core/hocuspocus-server.ts (2)

28-31: LGTM! Simplified handleAuthentication call.

The removal of connection and params arguments from the handleAuthentication function call is consistent with the changes to the onAuthenticate function signature. This further simplifies the authentication process by only passing the essential cookie and token information.

To ensure that the handleAuthentication function in the imported module has been updated to match this new signature, please run the following verification script:

#!/bin/bash
# Description: Check the signature of the handleAuthentication function in the authentication module
# Run from the repository root; the module lives under live/src (see the walkthrough above).

# Test: Display the handleAuthentication function signature.
# `$$$` matches any number of destructured properties, so the pattern still
# matches after parameters are removed; a single `$_` would only match one.
ast-grep --lang typescript --pattern $'export const handleAuthentication = ({ $$$ }) => {
  $$$
}' live/src/core/lib/authentication.ts

Verify that the displayed function signature matches the new call signature (i.e., it only expects cookie and token parameters).


15-20: LGTM! Simplified authentication signature.

The removal of requestParameters and connection from the onAuthenticate function signature aligns with the PR objective of removing role validation from the live server. This change simplifies the authentication process and potentially reduces the attack surface.

To ensure this change doesn't inadvertently break any existing functionality or security measures, please run the following verification script:

If the script returns any results, please review those occurrences to ensure they're not critical to the authentication process.

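The split the review keeps returning to (authentication stays on the live server, the editability decision moves to the subscribing app), shown as an added TypeScript illustration that is not the project's own code: the server validates the query parameters and names the missing one, as suggested above, and returns only identity, while the app decides read-only access from the membership it already holds. The role names, the shape of the membership record and the page-owner rule are assumptions made for this example.

```typescript
// Added illustration, not the project's own code. The live server now only
// answers "who is this?"; "may they edit this page?" is decided by the app
// that subscribes to it. Role names, the membership record and the
// page-owner rule below are assumptions made for this example.

type DocumentType = "project_page" | "workspace_page";
type ProjectRole = "admin" | "member" | "guest"; // assumed role names

interface AuthQuery { workspaceSlug?: string; projectId?: string }
interface AuthContext { userId: string; readOnly: boolean }

// Live-server side: reject an incomplete query and name what is missing,
// as the review suggested, rather than a generic "incomplete params" error.
function requireQueryParams(q: AuthQuery): { workspaceSlug: string; projectId: string } {
  const missing = (["workspaceSlug", "projectId"] as const).filter((k) => !q[k]);
  if (missing.length > 0) {
    throw new Error(`Authentication failed: Incomplete query params. Missing ${missing.join(", ")}.`);
  }
  return { workspaceSlug: q.workspaceSlug as string, projectId: q.projectId as string };
}

// App side (the compensating control): membership is required for project
// pages, guests are read-only unless they created the page (the case this PR
// fixes), and other document types keep their existing behaviour.
function decideAccess(
  userId: string,
  docType: DocumentType,
  membership: { role: ProjectRole } | null,
  pageOwnerId: string,
): AuthContext {
  if (docType !== "project_page") return { userId, readOnly: false };
  if (membership === null) throw new Error("Forbidden: user is not a member of this project");
  const canWrite = membership.role !== "guest" || userId === pageOwnerId;
  return { userId, readOnly: !canWrite };
}
```

Because the live server no longer sees membership, a connection it accepts is only as trustworthy as the app-side decision that authorised the page load, which is why decideAccess fails closed on a missing membership.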
@sriramveeraghanta sriramveeraghanta added this to the v0.24.0 milestone Oct 8, 2024
@pushya22 pushya22 merged commit be092ac into preview Oct 8, 2024
@pushya22 pushya22 deleted the fix/pages-guest-edit-sync branch October 8, 2024 11:25
sriramveeraghanta pushed a commit that referenced this pull request Oct 10, 2024
* fix: remove validation of roles from the live server

* chore: remove the service

* fix: remove all validation of authorization

* fix: props updated
@sriramveeraghanta sriramveeraghanta modified the milestones: v0.24.0, v0.23.1 Oct 10, 2024