Draft
Conversation
Janis4411
force-pushed
the
jv/SODEV-2997-Implement-API-to-GDPR-delete-users
branch
from
85f5e83 to
4c3c10a
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
![sentry[bot]](https://avatars.githubusercontent.com/in/12637?s=60&v=4){kind=small}
Comment on lines
+21
to
+22
| verify_token! | ||
| verify_signature! |
There was a problem hiding this comment.
Bug: Sequential calls to head :unauthorized in verify_token! and verify_signature! without a return can cause a DoubleRenderError if both checks fail.
Severity: MEDIUM
Suggested Fix
Add an explicit return statement after each head :unauthorized call in both the verify_token! and verify_signature! methods to ensure execution is halted after the response is rendered.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.
Location: app/controllers/api/internal/users/deletions_controller.rb#L21-L22
Potential issue: In the `deletions_controller`, the `authenticate_request!` method
sequentially calls `verify_token!` and `verify_signature!`. If a token is invalid,
`verify_token!` calls `head :unauthorized` but does not halt execution. Control then
proceeds to `verify_signature!`. If the signature is also invalid, it too calls `head
:unauthorized`. This second attempt to render a response in the same request cycle
triggers an `ActionController::DoubleRenderError`. This will occur for any API request
that has both an invalid token and an invalid signature.
Did we get this right? 👍 / 👎 to inform future reviews.
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #3224 +/- ##
==========================================
- Coverage 70.33% 70.25% -0.09%
==========================================
Files 214 216 +2
Lines 6839 6871 +32
==========================================
+ Hits 4810 4827 +17
- Misses 2029 2044 +15 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Janis4411
force-pushed
the
jv/SODEV-2997-Implement-API-to-GDPR-delete-users
branch
from
4c3c10a to
5cee070
Compare
This is a possible way to GDPR delete users via a API. The background is that if we delete a user on openhpi we also want to delete the user on codeocean. Part of SODEV-2997
Janis4411
force-pushed
the
jv/SODEV-2997-Implement-API-to-GDPR-delete-users
branch
from
5cee070 to
3238780
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR introduces a possible way to GDPR delete users via a API.
If we delete a user on openHPI we also have to delete the user on codeocean. Previously this was handled via a rake task that has to be triggered manually.
Part of SODEV-2997