Add validation for API key IP and Referrer restrictions in DevPortal#1393
Add validation for API key IP and Referrer restrictions in DevPortal#1393Gayuth-W wants to merge 2 commits into
Conversation
- Add isValidPermittedIPList and isValidPermittedRefererList for validating DevPortal API key Security Restriction inputs, with rules derived from what the gateway accepts (ApiKeyAuthenticatorUtils#validateAPIKeyRestrictions): - IP: comma-separated IPv4/IPv6 addresses or CIDR ranges, using the same address patterns as the Admin Portal blacklist form - Referrer: comma-separated URL/host/wildcard patterns; the gateway matches entries literally with '*' wildcards, so each entry must be non-empty, whitespace-free, and contain one of '.', ':', '/', '*'
- Reject invalid Security Restriction values before generating an API key, in both the per-API key dialog (ApiKeyGenerate/ApiKeyListing) and the legacy application key dialog (LegacyApiKeys). Previously any string was accepted and a key was generated with a restriction that could never match. - Show an inline field error alongside the existing alert toast, clear it when the value or restriction type changes, and update the field placeholders to document the accepted formats.
|
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (6)
📝 WalkthroughSummary
WalkthroughAdded validation for IP/CIDR and referrer restrictions during standard and legacy API key generation. Invalid values now stop generation, show alerts, and display inline field errors. Error state resets when modals close, restriction types change, or values are edited. Localization strings and placeholders now document supported list, CIDR, and wildcard formats. Unit tests cover valid and invalid restriction inputs. Sequence Diagram(s)sequenceDiagram
participant APIKeyForm
participant Validator
participant Alert
APIKeyForm->>Validator: validate selected restriction
Validator-->>APIKeyForm: return validation result
APIKeyForm->>Alert: show error for invalid input
APIKeyForm-->>APIKeyForm: render inline validation feedback
Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Warning There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure. 🔧 ESLint
ESLint install failed: one or more packages not found in the registry. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |


Purpose
The DevPortal API key generation dialogs accept any string as a Security Restriction value - a key generates successfully with an IP or Referrer restriction that can never match, silently producing an unusable or falsely-restricted key.
Approach
Added
isValidPermittedIPList/isValidPermittedRefererListto the existingShared/AppsAndKeys/constraintValidator.jsand wired them into both key generation dialogs (ApiKeyGenerate/ApiKeyListingandLegacyApiKeys) with an inline field error alongside the existing toast. Rules mirror what the gateway accepts (ApiKeyAuthenticatorUtils#validateAPIKeyRestrictions):. : / *Covered by unit tests (
npx jest: 74/74 passing); verified manually on a local APIM 4.7.0 instance.Fixes wso2/api-manager#5093