feat(security): implement safe guest auth flow and harden request_jwt
- Patched request_jwt to strip privileged IDs when signing with public keys - Updated AccountContext and V3 dependencies to preserve JWT payloads for guests - Whitelisted Archive, Post, Event, and other core objects for public read access - Added 'default_qry_str' to Event searchable fields - Added test_e2e_jwt_guest_auth.py for security verification
This commit is contained in:
Scott Idem
@@ -40,6 +40,7 @@ cms_obj_li = {
|
||||
'table_name_alt': 'v_post_detail',
|
||||
'tbl_name_update': 'post',
|
||||
'base_name': Post_Base,
|
||||
'public_read': True,
|
||||
'exp_default': [
|
||||
'post_id_random',
|
||||
'account_id_random',
|
||||
@@ -70,6 +71,7 @@ cms_obj_li = {
|
||||
'table_name_alt': 'v_post_comment_detail',
|
||||
'tbl_name_update': 'post_comment',
|
||||
'base_name': Post_Comment_Base,
|
||||
'public_read': True,
|
||||
'exp_default': [
|
||||
'post_comment_id_random',
|
||||
'account_id_random', 'post_id_random',
|
||||
@@ -118,6 +120,7 @@ cms_obj_li = {
|
||||
'tbl_name_update': 'site_domain',
|
||||
'base_name': Site_Domain_Base,
|
||||
'base_name_alt': Site_Domain_FQDN_ID_Base,
|
||||
'public_read': True,
|
||||
# V3 Search Security:
|
||||
'searchable_fields': [
|
||||
'id', 'account_id', 'site_id',
|
||||
|
||||
@@ -20,6 +20,7 @@ events_general_obj_li = {
|
||||
'tbl_name_update': 'event',
|
||||
'base_name': Event_Base,
|
||||
'base_name_alt': Event_Meeting_Flat_Base,
|
||||
'public_read': True,
|
||||
'exp_default': [
|
||||
'event_id_random',
|
||||
'conference', 'type',
|
||||
@@ -46,7 +47,7 @@ events_general_obj_li = {
|
||||
'event_id_random', 'account_id_random', 'event_code', 'conference',
|
||||
'type', 'name', 'summary', 'description', 'format', 'timezone',
|
||||
'location_text', 'status', 'enable', 'hide', 'priority', 'sort',
|
||||
'group', 'notes', 'created_on', 'updated_on'
|
||||
'group', 'notes', 'created_on', 'updated_on', 'default_qry_str'
|
||||
],
|
||||
},
|
||||
'event_file': {
|
||||
@@ -63,6 +64,7 @@ events_general_obj_li = {
|
||||
'table_name_alt': 'v_event_file',
|
||||
'tbl_name_update': 'event_file',
|
||||
'base_name': Event_File_Base,
|
||||
'public_read': True,
|
||||
# V3 Search Security:
|
||||
'searchable_fields': [
|
||||
'event_file_id_random', 'hosted_file_id_random', 'event_id_random',
|
||||
|
||||
@@ -61,6 +61,7 @@ events_presentation_obj_li = {
|
||||
'table_name_alt': 'v_event_presentation_w_file_count',
|
||||
'tbl_name_update': 'event_presentation',
|
||||
'base_name': Event_Presentation_Base,
|
||||
'public_read': True,
|
||||
# V3 Search Security:
|
||||
'searchable_fields': [
|
||||
'event_presentation_id_random', 'event_id_random',
|
||||
@@ -85,6 +86,7 @@ events_presentation_obj_li = {
|
||||
'table_name_alt': 'v_event_presenter_w_file_count',
|
||||
'tbl_name_update': 'event_presenter',
|
||||
'base_name': Event_Presenter_Base,
|
||||
'public_read': True,
|
||||
'exp_default': [
|
||||
'event_presenter_id_random',
|
||||
'title_names', 'given_name', 'middle_name', 'family_name', 'designations',
|
||||
@@ -119,6 +121,7 @@ events_presentation_obj_li = {
|
||||
'table_name': 'v_event_session',
|
||||
'tbl_name_update': 'event_session',
|
||||
'base_name': Event_Session_Base,
|
||||
'public_read': True,
|
||||
# V3 Search Security:
|
||||
'searchable_fields': [
|
||||
'event_session_id_random', 'event_id_random',
|
||||
|
||||
@@ -102,6 +102,7 @@ other_obj_li = {
|
||||
'table_name': 'v_archive_content',
|
||||
'tbl_name_update': 'archive_content',
|
||||
'base_name': Archive_Content_Base,
|
||||
'public_read': True,
|
||||
# V3 Search Security:
|
||||
'searchable_fields': [
|
||||
'archive_content_id_random', 'account_id_random', 'archive_id_random',
|
||||
@@ -122,6 +123,7 @@ other_obj_li = {
|
||||
'table_name': 'v_hosted_file',
|
||||
'tbl_name_update': 'hosted_file',
|
||||
'base_name': Hosted_File_Base,
|
||||
'public_read': True,
|
||||
'exp_default': [
|
||||
'hosted_file_id_random',
|
||||
'hash_sha256',
|
||||
|
||||
Reference in New Issue
Block a user