Conversation
There was a problem hiding this comment.
Pull request overview
Adds a configuration toggle to control whether admin tenant endpoints return decrypted, sensitive tenant configuration values.
Changes:
- Introduces
ADMIN_RETURN_TENANT_SENSITIVE_DATAconfig flag (defaulting to enabled unless explicitly set tofalse). - Gates sensitive fields (
anonKey, DB URLs,jwtSecret,jwks,serviceKey) in adminGET /tenantsandGET /tenants/:tenantIdresponses behind the new flag. - Documents the new environment variable in
.env.sample.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
src/http/routes/admin/tenants.ts |
Conditionally includes decrypted tenant secrets in admin GET responses based on config flag. |
src/config.ts |
Adds adminReturnTenantSensitiveData to runtime config, sourced from env. |
.env.sample |
Documents ADMIN_RETURN_TENANT_SENSITIVE_DATA and its effect on tenant admin endpoints. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| ...(adminReturnTenantSensitiveData | ||
| ? { | ||
| anonKey: decrypt(anon_key), | ||
| databaseUrl: decrypt(database_url), | ||
| databasePoolUrl: database_pool_url ? decrypt(database_pool_url) : undefined, | ||
| jwtSecret: decrypt(jwt_secret), | ||
| jwks, | ||
| serviceKey: decrypt(service_key), | ||
| } |
There was a problem hiding this comment.
New behavior is gated by adminReturnTenantSensitiveData, but there are no automated tests asserting that GET /tenants and GET /tenants/:tenantId omit decrypted secrets when the env var is set to false. Add a test case (e.g., in src/test/tenant.test.ts) that sets process.env.ADMIN_RETURN_TENANT_SENSITIVE_DATA='false', reloads config, and verifies the response does not include anonKey, databaseUrl, databasePoolUrl, jwtSecret, jwks, or serviceKey.
| DATABASE_MULTITENANT_POOL_URL=postgresql://postgres:postgres@127.0.0.1:6454/postgres | ||
| REQUEST_X_FORWARDED_HOST_REGEXP=^([a-z]{20}).local.(?:com|dev)$ | ||
| SERVER_ADMIN_API_KEYS=apikey | ||
| # When set to false, GET /tenants endpoints omit decrypted secrets (database urls, jwt secret, service key, anon key, jwks). Defaults to true. |
There was a problem hiding this comment.
The sample env comment refers to "GET /tenants endpoints" but these routes are part of the admin API (served on the admin port / behind admin API keys). Consider clarifying the comment to avoid implying that the public API exposes this toggle.
| # When set to false, GET /tenants endpoints omit decrypted secrets (database urls, jwt secret, service key, anon key, jwks). Defaults to true. | |
| # When set to false, admin API GET /tenants endpoints omit decrypted secrets (database urls, jwt secret, service key, anon key, jwks). Defaults to true. |
Coverage Report for CI Build 24080150991Coverage increased (+0.008%) to 80.672%Details
Uncovered ChangesNo uncovered changes found. Coverage RegressionsNo coverage regressions found. Coverage Stats
💛 - Coveralls |
fenos
force-pushed
the
tenant/env-for-tenant-sensible-info
branch
from
6fadb26 to
c6ed793
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| 'REQUEST_ADMIN_TRACE_HEADER' | ||
| ), | ||
| adminReturnTenantSensitiveData: | ||
| getOptionalConfigFromEnv('ADMIN_RETURN_TENANT_SENSITIVE_DATA') !== 'false', |
There was a problem hiding this comment.
The new flag is read only from ADMIN_RETURN_TENANT_SENSITIVE_DATA, but other admin-related settings in this config consistently use the SERVER_ADMIN_* prefix with a fallback (e.g. SERVER_ADMIN_PORT, SERVER_ADMIN_API_KEYS). To avoid configuration confusion and keep naming consistent, consider reading SERVER_ADMIN_RETURN_TENANT_SENSITIVE_DATA with a fallback to ADMIN_RETURN_TENANT_SENSITIVE_DATA (or rename the variable entirely and keep a backward-compatible fallback).
| getOptionalConfigFromEnv('ADMIN_RETURN_TENANT_SENSITIVE_DATA') !== 'false', | |
| getOptionalConfigFromEnv( | |
| 'SERVER_ADMIN_RETURN_TENANT_SENSITIVE_DATA', | |
| 'ADMIN_RETURN_TENANT_SENSITIVE_DATA' | |
| ) !== 'false', |
| # When set to false, GET /tenants endpoints omit decrypted secrets (database urls, jwt secret, service key, anon key, jwks). Defaults to true. | ||
| # ADMIN_RETURN_TENANT_SENSITIVE_DATA=true |
There was a problem hiding this comment.
The sample env var name here (ADMIN_RETURN_TENANT_SENSITIVE_DATA) doesn’t match the SERVER_ADMIN_* naming used for other admin settings in this file (e.g. SERVER_ADMIN_API_KEYS, SERVER_ADMIN_PORT). Aligning the name (or documenting both with a clear precedence) would reduce operator confusion.
| # When set to false, GET /tenants endpoints omit decrypted secrets (database urls, jwt secret, service key, anon key, jwks). Defaults to true. | |
| # ADMIN_RETURN_TENANT_SENSITIVE_DATA=true | |
| # When set to false, GET /tenants endpoints omit decrypted secrets (database urls, jwt secret, service key, anon key, jwks). Defaults to true. | |
| # Uses the legacy/current env var name below; `SERVER_ADMIN_RETURN_TENANT_SENSITIVE_DATA` is the convention-aligned equivalent for admin settings. | |
| # ADMIN_RETURN_TENANT_SENSITIVE_DATA=true | |
| # SERVER_ADMIN_RETURN_TENANT_SENSITIVE_DATA=true |
What kind of change does this PR introduce?
Improvement
What is the current behavior?
What is the new behavior?