
Commit bdb4f20

committed
[CR] Limit loginRequestToken length; extract X-Lakefs-Mailbox header
1 parent 0d0cac0 commit bdb4f20


7 files changed

+18
-14
lines changed


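--- a/api/swagger.yml
+++ b/api/swagger.yml
@@ -3247,12 +3247,13 @@ paths:
 /auth/get-token/release-token/{loginRequestToken}:
 parameters:
 - in: path
-# The mailbox is secret. It is identified by the loginRequestToken
-# - a JWT which is _not_ secret. So it can safely go in the header.
+# The mailbox is secret. It is identified by the loginRequestToken - a JWT which is
+# _not_ secret. So this JWT can safely go in a header.
 name: loginRequestToken
 required: true
 schema:
 type: string
+maxLength: 1024
 description: login request token returned by getTokenRedirect.
 get: # Called by opening a URL on the browser!
 tags:
@@ -6649,4 +6650,4 @@ paths:
 404:
 $ref: "#/components/responses/NotFound"
 default:
-$ref: "#/components/responses/ServerError"
+$ref: "#/components/responses/ServerError"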
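Review bot: The new `maxLength: 1024` on the loginRequestToken path parameter has no stated rationale, and whether it is enforced at runtime depends on the request-validation middleware the generated server wires in — a bound that lives only in the spec rejects nothing. Suggest a comment next to it, e.g. `# Bounded so oversized tokens are rejected before JWT parsing; a lakeFS login-request JWT is expected to be well under this.`, plus a handler test that a 1025-character token yields a 4xx rather than reaching the JWT parser. The rewritten comment also says the JWT "can safely go in a header" while the parameter is declared `in: path`; since path segments land in access logs and browser history regardless, the wording should say path/URL, and it would help to state that this is precisely why the mailbox value, not the token, is the secret. The second hunk appears to be a trailing-newline change only.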

clients/java/api/openapi.yaml

Lines changed: 1 addition & 0 deletions

clients/python/lakefs_sdk/api/auth_api.py

Lines changed: 4 additions & 4 deletions

clients/python/lakefs_sdk/api/experimental_api.py

Lines changed: 4 additions & 4 deletions

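--- a/cmd/lakectl/cmd/login.go
+++ b/cmd/lakectl/cmd/login.go
@@ -11,6 +11,7 @@ import (
 "github.com/skratchdot/open-golang/open"
 "github.com/spf13/cobra"
 "github.com/treeverse/lakefs/pkg/api/apigen"
+"github.com/treeverse/lakefs/pkg/httputil"
 )
 
 const (
@@ -58,7 +59,7 @@ var loginCmd = &cobra.Command{
 if err != nil {
 DieErr(fmt.Errorf("parse relative redirect URL %s: %w", header.Get("location"), err))
 }
-mailbox := header.Get("x-lakefs-mailbox")
+mailbox := header.Get(httputil.LoginMailboxHeaderName)
 
 redirectURL := serverURL.ResolveReference(relativeLocation)
 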
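--- a/pkg/api/controller.go
+++ b/pkg/api/controller.go
@@ -867,7 +867,7 @@ func (c *Controller) GetTokenRedirect(w http.ResponseWriter, r *http.Request) {
 }
 
 w.Header().Set("Location", redirect.RedirectURL)
-w.Header().Set("X-LakeFS-Mailbox", redirect.Mailbox)
+w.Header().Set(httputil.LoginMailboxHeaderName, redirect.Mailbox)
 
 writeResponse(w, r, http.StatusOK, nil)
 }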

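--- a/pkg/httputil/headers.go
+++ b/pkg/httputil/headers.go
@@ -1,5 +1,6 @@
 package httputil
 
 const (
-RequestIDHeaderName = "X-Request-ID"
+RequestIDHeaderName = "X-Request-ID"
+LoginMailboxHeaderName = "X-LakeFS-Mailbox"
 )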
