fix(security): harden auth and calendar sharing #806
Vercel deployment

| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| ✅ Deployment successful (view logs) | courseweb-web | b76e9db | Commit Preview URL / Branch Preview URL | May 06 2026, 02:12 PM |
Pull request overview
This PR hardens several security-sensitive paths across the secure API, public API proxy, and web UI by tightening token handling, replacing unsafe HTML rendering, and introducing dedicated calendar share tokens to avoid leaking long-lived credentials in URLs.
Changes:
- Enforce ACCESS-type tokens for secure API resource auth and add regression tests.
- Replace calendar query-string API key sharing with dedicated, revocable calendar share tokens and update proxy/docs/OpenAPI accordingly.
- Remove sensitive debug logging and replace prerequisite HTML rendering (dangerouslySetInnerHTML) with plain-text rendering.
Reviewed changes
Copilot reviewed 20 out of 20 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| services/secure-api/src/oidc.tsx | Removes sensitive logs; tightens /userinfo token lookup to ACCESS tokens. |
| services/secure-api/src/middleware/requireAuth.ts | Restricts resource middleware token lookup to ACCESS tokens. |
| services/secure-api/src/middleware/requireAuth.test.ts | Adds tests proving refresh tokens are rejected and valid access tokens are accepted. |
| services/secure-api/src/middleware/apikey.ts | Removes API key query-string support (header-only). |
| services/secure-api/src/api/replication.ts | Removes sensitive debug logs from replication push paths. |
| services/secure-api/src/api/calendar.ts | Adds calendar share-token CRUD + token-based ICS access; keeps API-key calendar JSON endpoint. |
| services/secure-api/README.md | Updates calendar docs to use share tokens instead of query-string API keys. |
| services/secure-api/prisma/schema.prisma | Adds CalendarShareToken model and user relation. |
| services/secure-api/prisma/migrations/20260506193000_add_calendar_share_tokens/migration.sql | Introduces the CalendarShareToken table and constraints. |
| services/api/src/calendar-proxy.ts | Switches proxy from key to required token query param. |
| services/api/README.md | Updates API docs to reflect share-token calendar access. |
| services/api/openapi.yaml | Updates OpenAPI schema from key to required token parameter. |
| docs/security-review-notes.md | Documents the security review findings, fixes, and follow-up backlog issues. |
| apps/web/src/hooks/useSyncedStorage.tsx | Removes debug logging. |
| apps/web/src/hooks/useAIChat.tsx | Removes debug logging that could leak streamed content. |
| apps/web/src/hooks/contexts/useUserTimetable.tsx | Removes debug logging. |
| apps/web/src/hooks/contexts/useAuth.tsx | Removes debug logging around auth flows. |
| apps/web/src/components/Courses/CourseListItem.tsx | Replaces dangerouslySetInnerHTML prerequisite rendering with plain text. |
| apps/web/src/components/CourseDetails/CourseDetailsContainer.tsx | Replaces dangerouslySetInnerHTML prerequisite rendering with plain text. |
| apps/web/src/app/[lang]/(mods-pages)/student/planner/course-picker/PlannerCourseListItem.tsx | Replaces dangerouslySetInnerHTML prerequisite rendering with plain text. |
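The first change in the review summary, restricting resource auth to ACCESS tokens, is easiest to see with the vulnerable lookup next to the hardened one. The block below is an added example and is not code from this PR or from the courseweb project: the token rows, the `tokenTable` array and the function names are constructed stand-ins for the secure API's token table and `requireAuth` middleware.

```typescript
// Added example, not code from the PR: a bearer-token lookup that accepts any
// token row, beside one that honours only ACCESS tokens. The data is constructed
// inline to stand in for the secure API's OIDC token table.
type TokenType = "ACCESS" | "REFRESH";
type StoredToken = { value: string; type: TokenType; userId: string; expiresAt: Date };

// Constructed rows: one short-lived access token and one long-lived refresh
// token for the same user, stored in the same table as they would be in OIDC.
const tokenTable: StoredToken[] = [
  { value: "at_7f3c", type: "ACCESS", userId: "alice", expiresAt: new Date("2026-05-06T20:00:00Z") },
  { value: "rt_9a1d", type: "REFRESH", userId: "alice", expiresAt: new Date("2026-06-06T20:00:00Z") },
];

// Pull the credential out of an Authorization header. Only the Bearer scheme
// is accepted; a missing or malformed header yields null.
export function parseBearer(header: string | undefined): string | null {
  if (!header) return null;
  const [scheme, ...rest] = header.trim().split(/\s+/);
  if (rest.length !== 1 || scheme.toLowerCase() !== "bearer") return null;
  return rest[0];
}

// Before: any unexpired row whose value matches authenticates the request, so a
// refresh token (meant only for the token endpoint, and valid far longer) works
// as a bearer credential for every resource route.
export function principalFromAnyToken(header: string | undefined, now: Date): string | null {
  const value = parseBearer(header);
  if (value === null) return null;
  const row = tokenTable.find((t) => t.value === value && t.expiresAt.getTime() > now.getTime());
  return row ? row.userId : null;
}

// After: the lookup is restricted to ACCESS tokens, which is the shape of the
// fix the PR describes for requireAuth and /userinfo. A refresh token presented
// as a bearer credential is now simply "not found".
export function principalFromAccessToken(header: string | undefined, now: Date): string | null {
  const value = parseBearer(header);
  if (value === null) return null;
  const row = tokenTable.find(
    (t) => t.type === "ACCESS" && t.value === value && t.expiresAt.getTime() > now.getTime(),
  );
  return row ? row.userId : null;
}
```

The regression test the PR adds should cover exactly the two middle cases: a refresh token is rejected, a valid access token is accepted.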
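The second change, dedicated revocable calendar share tokens, is worth modelling end to end: a token whose hash (not the secret) is stored, looked up by hash on every ICS fetch, checked against revocation and expiry, bound to the user in the URL, and whose `lastUsedAt` is written only occasionally so polling calendar clients don't turn each GET into a database write. This is an added example, not the PR's `calendar.ts` or its Prisma model; the in-memory `rows` map, the field names `revokedAt`/`expiresAt`, the `cst_` id prefix and the five-minute write interval are all assumptions made for the illustration.

```typescript
// Added example (not the project's own code): a minimal in-memory model of
// revocable calendar share tokens. Only a SHA-256 hash of the token is kept, so
// a leaked database dump does not yield working calendar URLs; lookups are by
// hash, and every use re-checks revocation, expiry and the owning user.
import { createHash, randomBytes } from "node:crypto";

type ShareTokenRow = {
  id: string;
  userId: string;
  tokenHash: string;      // sha256 hex of the secret, never the secret itself
  expiresAt: Date | null; // null = no expiry
  revokedAt: Date | null;
  lastUsedAt: Date | null;
};

// Hypothetical store standing in for the CalendarShareToken table, keyed by hash.
const rows = new Map<string, ShareTokenRow>();

const hashToken = (token: string): string =>
  createHash("sha256").update(token, "utf8").digest("hex");

// Issue a token for a user. The raw secret is returned exactly once, here.
export function createShareToken(userId: string, ttlMs: number | null = null, now = new Date()) {
  const secret = randomBytes(32).toString("base64url"); // 256 bits, URL-safe
  const row: ShareTokenRow = {
    id: `cst_${rows.size + 1}`, // assumed id scheme for the example
    userId,
    tokenHash: hashToken(secret),
    expiresAt: ttlMs === null ? null : new Date(now.getTime() + ttlMs),
    revokedAt: null,
    lastUsedAt: null,
  };
  rows.set(row.tokenHash, row);
  return { id: row.id, secret };
}

// Revoke by id, but only for the caller's own token. Unknown id and
// not-owned id are deliberately indistinguishable to the caller.
export function revokeShareToken(userId: string, id: string, now = new Date()): boolean {
  for (const row of Array.from(rows.values())) {
    if (row.id === id && row.userId === userId && row.revokedAt === null) {
      row.revokedAt = now;
      return true;
    }
  }
  return false;
}

const LAST_USED_WRITE_INTERVAL_MS = 5 * 60 * 1000; // assumed throttle

// Resolve the token from an ICS URL to its owner. Returns null for anything
// that is not a live token bound to the user id in the path. lastUsedAt is
// bumped at most once per interval so subscribed clients polling every few
// minutes do not generate a write per request.
export function resolveShareToken(secret: string, pathUserId: string, now = new Date()): string | null {
  const row = rows.get(hashToken(secret));
  if (!row) return null;
  if (row.revokedAt !== null) return null;
  if (row.expiresAt !== null && row.expiresAt.getTime() <= now.getTime()) return null;
  if (row.userId !== pathUserId) return null; // token must match /calendar/ics/<user>
  if (row.lastUsedAt === null || now.getTime() - row.lastUsedAt.getTime() >= LAST_USED_WRITE_INTERVAL_MS) {
    row.lastUsedAt = now;
  }
  return row.userId;
}

export function lastUsedAtOf(id: string): Date | null {
  for (const row of Array.from(rows.values())) if (row.id === id) return row.lastUsedAt;
  return null;
}
```

Because the URL carries the secret, a share token should be the only credential the ICS endpoint accepts and should grant nothing beyond reading that one user's calendar; an API key or session token in the same position would be far more costly to leak through access logs or a forwarded invitation.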
| const shareToken = await prisma.calendarShareToken.findUnique({ | ||
| where: { tokenHash }, | ||
| include: { | ||
| user: { | ||
| select: { |
| await prisma.calendarShareToken.update({ | ||
| where: { id: shareToken.id }, | ||
| data: { lastUsedAt: new Date() }, | ||
| }); |
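Review bot: `update({ data: { lastUsedAt: new Date() } })` runs on every ICS fetch, and this endpoint needs no session; subscribed calendar clients poll on a schedule, so each poll becomes a write and an anonymous caller holding a link gets a cheap write amplifier. Consider bumping `lastUsedAt` only when it is older than some interval, or doing the update after the response is sent and swallowing its failure, so a slow or failing write can neither delay nor break the feed.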
| .post( | ||
| "/share-tokens", | ||
| requireAuth(["calendar"]), | ||
| zValidator( | ||
| "json", |
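Review bot: the `zValidator("json", ...)` schema is cut off here, so make sure the new token's owner is taken from the `requireAuth(["calendar"])` principal rather than from any user id field in the request body; with a creation route gated only on the `calendar` scope, a body-supplied owner would let one calendar-scoped caller mint share links for another user. The route should also return the raw token exactly once in the creation response and expose only id and metadata on later reads.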
| ```bash | ||
| curl -H "Authorization: ApiKey your-api-key" \ | ||
| "https://api.example.com/calendar/ics/user123?type=basic" | ||
| curl "https://api.example.com/calendar/ics/user123?token=calendar-share-token&type=basic" |
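Review bot: the README's two curls should state which credential each path accepts, since the first uses an `Authorization: ApiKey` header against the same `/calendar/ics/user123` path that the second reaches with `?token=calendar-share-token`, and the PR elsewhere drops query-string API keys in favour of header-only. The docs should also say plainly that a share token lives in the URL by design (subscribing clients need that), that it therefore lands in access logs and forwarded links, that it grants calendar reads only, and how to revoke it.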
348360a to b76e9db
Summary
Verification
bun test src/middleware/requireAuth.test.ts src/api/calendar.test.ts src/utils/apiKeyValidationBun.test.ts src/utils/icalendar.test.ts in services/secure-api
bun run build in services/secure-api
bun run build in services/api
Follow-up Issues