-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feat/better config UX #58
Conversation
This will sync only latest 20 events, so let's not suggest otherwise
@@ -29,8 +29,11 @@ public static function init() { | |||
Hub\Newspack_Ads_GAM::init(); | |||
} | |||
|
|||
if ( Site_Role::is_node() ) { | |||
// Allow to access node settings before the site has a role, so it can be set via URL. | |||
if ( Site_Role::is_node() || ! Site_Role::get() ) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
With this change the "Node settings" menu is visible even before I define the site's role. Don't think it's ideal;
WDYT to process the incoming link in the "Site Role" settings page instead?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed in faab389. Moving the incoming link processing to "Site Role" would not allow the code to leverage the existing settings-updating code.
includes/class-admin.php
Outdated
/** | ||
* Is updating the Node settings from URL? | ||
*/ | ||
public static function is_updating_from_url() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can this live in the class that will actually process the request instead?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
includes/node/class-settings.php
Outdated
// Remove the params from URL - settings were just saved. | ||
if ( $referrer ) { | ||
if ( ! \Newspack_Network\Site_Role::get() ) { | ||
update_option( \Newspack_Network\Site_Role::OPTION_NAME, \Newspack_Network\Site_Role::NODE_ROLE ); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit, but a \Newspack_Network\Site_Role::set_as_node()
method would look prettier
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
includes/hub/class-nodes.php
Outdated
return add_query_arg( | ||
[ | ||
'page' => \Newspack_Network\Node\Settings::PAGE_SLUG, | ||
'secret_key' => $secret_key, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maybe not a huge deal, but it's not best practice to share a secret key like this.
We should create a temporary key, that expires within minutes, that will allow the node to make a request to the Hub to fetch the key
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure this actually would increase security. The secret key would end up in a request URL anyway, and if someone has access to server logs they'd see the URL param from any request. And I don't think the risk warrants the added complexity.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not exactly. The secret key would be in the body of a POST response, encrypted by https. no middle man can see it and no risk of this URL be in the browser history, or the user accidentally sharing it.
I don't think we need to be radical and 100% secure and follow all security recommendations, if we were to do that we would probably use a pair of private/public keys for each site (this would increase complexity) or use Application passwords in both ends (which would also increase complexity)... but having the secret key to be exposed like that in the URL I think is going to radical in the opposite direction
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Query string is also encrypted by HTTPS, but you're right that the secret key would be persisted in browser history. Still a pretty elaborate attack scenario, but I agree it's not ideal.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(improved security add in #64 by @leogermani)
# [1.3.0-alpha.1](v1.2.0...v1.3.0-alpha.1) (2024-02-23) ### Bug Fixes * memberships sync ([#63](#63)) ([0a54f1d](0a54f1d)) ### Features * add hub bookmarks to nodes ([#56](#56)) ([54700a0](54700a0)) * add option to manually sync users ([#53](#53)) ([3ec1b19](3ec1b19)) * display membership plans from the network ([#59](#59)) ([6fa01fd](6fa01fd)) * enhance network subscriptions and orders search ([#55](#55)) ([bcb0615](bcb0615)) * Node connection using a link ([#58](#58)) ([721f8b2](721f8b2)) * **wp-cli:** add command to backfill events ([#51](#51)) ([13d2498](13d2498)) * **wp-cli:** add process pending webhook requests command ([#67](#67)) ([7dbd8dc](7dbd8dc)) * **wp-cli:** sync all events from the Hub ([#65](#65)) ([dc595ca](dc595ca))
🎉 This PR is included in version 1.3.0-alpha.1 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
# [1.3.0](v1.2.0...v1.3.0) (2024-02-28) ### Bug Fixes * backfill duplicate handling; woo links in wp-admin-bar ([#71](#71), [#72](#72)) ([bbce13b](bbce13b)) * cli commands ([#73](#73)) ([ff563ac](ff563ac)) * memberships sync ([#63](#63)) ([0a54f1d](0a54f1d)) * missing woocommerce-memberships handling ([76dbdf7](76dbdf7)) ### Features * add hub bookmarks to nodes ([#56](#56)) ([54700a0](54700a0)) * add option to manually sync users ([#53](#53)) ([3ec1b19](3ec1b19)) * display membership plans from the network ([#59](#59)) ([6fa01fd](6fa01fd)) * enhance network subscriptions and orders search ([#55](#55)) ([bcb0615](bcb0615)) * Node connection using a link ([#58](#58)) ([721f8b2](721f8b2)) * **wp-cli:** add command to backfill events ([#51](#51)) ([13d2498](13d2498)) * **wp-cli:** add process pending webhook requests command ([#67](#67)) ([7dbd8dc](7dbd8dc)) * **wp-cli:** sync all events from the Hub ([#65](#65)) ([dc595ca](dc595ca))
🎉 This PR is included in version 1.3.0 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
All Submissions:
Changes proposed in this Pull Request:
Adds better and less error-prone UX around adding nodes.
See 1205909204837811-as-1206321490407427/f
How to test the changes in this Pull Request:
*
wp option delete newspack_node_hub_url newspack_node_secret_key newspack_network_site_role
Other information: