Skip to content

Add validation for API key IP and Referrer restrictions in DevPortal#1393

Open
Gayuth-W wants to merge 2 commits into
wso2:mainfrom
Gayuth-W:fix/validate-ip
Open

Add validation for API key IP and Referrer restrictions in DevPortal#1393
Gayuth-W wants to merge 2 commits into
wso2:mainfrom
Gayuth-W:fix/validate-ip

Conversation

@Gayuth-W

Copy link
Copy Markdown

Purpose

The DevPortal API key generation dialogs accept any string as a Security Restriction value - a key generates successfully with an IP or Referrer restriction that can never match, silently producing an unusable or falsely-restricted key.

Approach

Added isValidPermittedIPList / isValidPermittedRefererList to the existing Shared/AppsAndKeys/constraintValidator.js and wired them into both key generation dialogs (ApiKeyGenerate/ApiKeyListing and LegacyApiKeys) with an inline field error alongside the existing toast. Rules mirror what the gateway accepts (ApiKeyAuthenticatorUtils#validateAPIKeyRestrictions):

  • IP - comma separated IPv4/IPv6 addresses or CIDR ranges, same patterns as the Admin Portal blacklist form
image
  • Referrer - comma-separated URL/host/wildcard patterns; non-empty, no whitespace, must contain one of . : / *
image

Covered by unit tests (npx jest: 74/74 passing); verified manually on a local APIM 4.7.0 instance.

Fixes wso2/api-manager#5093

Gayuth-W added 2 commits July 16, 2026 16:30
- Add isValidPermittedIPList and isValidPermittedRefererList for validating DevPortal API key Security Restriction inputs, with rules derived from what the gateway accepts (ApiKeyAuthenticatorUtils#validateAPIKeyRestrictions):
- IP: comma-separated IPv4/IPv6 addresses or CIDR ranges, using the same address patterns as the Admin Portal blacklist form
- Referrer: comma-separated URL/host/wildcard patterns; the gateway matches entries literally with '*' wildcards, so each entry must be non-empty, whitespace-free, and contain one of '.', ':', '/', '*'
- Reject invalid Security Restriction values before generating an API key, in both the per-API key dialog (ApiKeyGenerate/ApiKeyListing) and the legacy application key dialog (LegacyApiKeys). Previously any string was accepted and a key was generated with a restriction that could never match.
- Show an inline field error alongside the existing alert toast, clear it when the value or restriction type changes, and update the field placeholders to document the accepted formats.
@sonarqubecloud

Copy link
Copy Markdown

Quality Gate Failed Quality Gate failed

Failed conditions
19.6% Duplication on New Code (required ≤ 3%)

See analysis details on SonarQube Cloud

@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d4525b5f-2dba-4a08-be9c-9f5738def8a4

📥 Commits

Reviewing files that changed from the base of the PR and between 7b680fc and 19705eb.

📒 Files selected for processing (6)
  • portals/devportal/src/main/webapp/site/public/locales/en.json
  • portals/devportal/src/main/webapp/source/Tests/Unit/constraintValidator.test.js
  • portals/devportal/src/main/webapp/source/src/app/components/Apis/Details/APIKeys/ApiKeyGenerate.jsx
  • portals/devportal/src/main/webapp/source/src/app/components/Apis/Details/APIKeys/ApiKeyListing.jsx
  • portals/devportal/src/main/webapp/source/src/app/components/Shared/AppsAndKeys/LegacyApiKeys.jsx
  • portals/devportal/src/main/webapp/source/src/app/components/Shared/AppsAndKeys/constraintValidator.js

📝 Walkthrough

Summary

  • Added validation for API key IP address and referrer restrictions, including IPv4/IPv6, CIDR, URL, host, and wildcard formats.
  • Integrated validation into standard and legacy API key generation flows for Production and Sandbox keys.
  • Added inline field errors and toast notifications that prevent generation with invalid values.
  • Improved placeholders and localization guidance for supported formats.
  • Added unit tests covering valid and invalid restriction lists.

Walkthrough

Added validation for IP/CIDR and referrer restrictions during standard and legacy API key generation. Invalid values now stop generation, show alerts, and display inline field errors. Error state resets when modals close, restriction types change, or values are edited. Localization strings and placeholders now document supported list, CIDR, and wildcard formats. Unit tests cover valid and invalid restriction inputs.

Sequence Diagram(s)

sequenceDiagram
  participant APIKeyForm
  participant Validator
  participant Alert
  APIKeyForm->>Validator: validate selected restriction
  Validator-->>APIKeyForm: return validation result
  APIKeyForm->>Alert: show error for invalid input
  APIKeyForm-->>APIKeyForm: render inline validation feedback
Loading

Suggested reviewers: ashera96, heshansudarshana, ashera96

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly describes the main change: adding IP and referrer restriction validation in DevPortal.
Description check ✅ Passed The description matches the implemented change and explains the new validators, UI wiring, and tests.
Linked Issues check ✅ Passed The changes address #5093 by validating IP and referrer restrictions before API key generation in DevPortal.
Out of Scope Changes check ✅ Passed The added tests, localization strings, and legacy key flow updates are all consistent with the validation work.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint install failed: one or more packages not found in the registry.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Missing validation for Security Restrictions (IP Address & Referrer ID) in DevPortal

1 participant