feat(GraphQL): Add DialogToken requirement for subscriptions

[oskogstad]

Description

DialogEvents subscription now requires a valid DialogToken

Related Issue(s)

• Add dialog token auth check on subscriptions #1104

Verification

• Your code builds clean without any errors or warnings
• Manual testing done (required)
• Relevant automated test added (if you find this hard, leave it and we'll help out)

Documentation

• Documentation is updated (either in docs-directory, Altinnpedia or a separate linked PR in altinn-studio-docs., if applicable)

Summary by CodeRabbit

Summary by CodeRabbit

• New Features

  • Enhanced security for dialogEvents subscription with new authorization requirements.
  • Introduced DialogTokenMiddleware for handling JWT in requests.
  • Added methods to extract dialog ID from subscription operations.
  • New constant for dialog token issuer version introduced.

• Bug Fixes

  • Improved authorization policies with added null checks and validations.

• Documentation

  • Updated configuration settings for local development to enable authentication and adjust JWT generation settings.

[coderabbitai]

📝 Walkthrough

📝 Walkthrough

Walkthrough

The pull request introduces several changes aimed at enhancing authorization mechanisms within the GraphQL schema and related components. Key modifications include adding authorization directives to the Subscriptions type, implementing a new middleware for handling JWTs, and updating authorization policies. Additionally, configuration settings for local development have been adjusted to enable authentication and modify the usage of the local development compact JWS generator.

Changes

File Path	Change Summary
docs/schema/V1/schema.verified.graphql	Updated the Subscriptions type to include an authorization directive for the dialogEvents field, changing the policy from "enduser" to "enduserSubscription" and adding validation.
src/Digdir.Domain.Dialogporten.Application/Common/ICompactJwsGenerator.cs	Modified Ed25519Generator to initialize the signing key in the constructor instead of in the GetCompactJws method.
src/Digdir.Domain.Dialogporten.Application/Common/Authorization/Constants.cs	Added a new constant DialogTokenIssuerVersion with the value "/api/v1".
src/Digdir.Domain.Dialogporten.Application/Features/V1/EndUser/Dialogs/Queries/Get/GetDialogQuery.cs	Updated the argument passed to _dialogTokenGenerator.GetDialogToken to use Constants.DialogTokenIssuerVersion instead of a hardcoded string.
src/Digdir.Domain.Dialogporten.GraphQL/Common/Authorization/AuthorizationOptionsSetup.cs	Added a new authorization policy EndUserSubscription and included a null check in the constructor for AuthorizationOptionsSetup.
src/Digdir.Domain.Dialogporten.GraphQL/Common/Authorization/DialogTokenMiddleware.cs	Added a new middleware component for handling JWTs, validating the DigDir-Dialog-Token header, and managing user claims.
src/Digdir.Domain.Dialogporten.GraphQL/Common/Extensions/HotChocolate/DefinitionNodeExtensions.cs	Created a new static class with an extension method TryGetSubscriptionDialogId to extract dialog IDs from GraphQL definition nodes.
src/Digdir.Domain.Dialogporten.GraphQL/Common/Extensions/HotChocolate/OperationDefinitionNodeExtensions.cs	Introduced a new static method TryGetDialogEventsSubscriptionDialogId to extract dialog IDs from OperationDefinitionNode.
src/Digdir.Domain.Dialogporten.GraphQL/EndUser/DialogById/Subscriptions.cs	Added an Authorize attribute to the DialogEvents method requiring the EndUserSubscription policy and included a GraphQLDescription attribute regarding the dialog token.
src/Digdir.Domain.Dialogporten.GraphQL/Program.cs	Integrated the DialogTokenMiddleware into the application pipeline.
src/Digdir.Domain.Dialogporten.GraphQL/ServiceCollectionExtensions.cs	Reordered method calls in AddDialogportenGraphQl for service registration without changing functionality.
src/Digdir.Domain.Dialogporten.GraphQL/appsettings.Development.json	Updated local development settings to disable several features and enabled authentication.
src/Digdir.Domain.Dialogporten.WebApi/appsettings.Development.json	Changed the UseLocalDevelopmentCompactJwsGenerator setting from true to false.

Possibly related issues

• Add dialog token auth check on subscriptions #1104: The changes in this PR address the need for a dialog token authorization check on subscriptions by implementing the DialogTokenMiddleware and updating the Subscriptions type.

Possibly related PRs

• fix: Add missing events to dialog subscription #1163: The changes in this PR directly relate to the modifications made to the Subscriptions type in the GraphQL schema, specifically the introduction of the dialogEvents field and the new DialogEventPayload, which aligns with the updates in the main PR regarding authorization directives for the dialogEvents field.

---

📜 Recent review details

Configuration used: .coderabbit.yaml
Review profile: ASSERTIVE

📥 Commits

Files that changed from the base of the PR and between e215ecf and 0b1faa3.

📒 Files selected for processing (1)

• src/Digdir.Domain.Dialogporten.GraphQL/Common/Authorization/AuthorizationOptionsSetup.cs (3 hunks)

🔇 Additional comments (2)

src/Digdir.Domain.Dialogporten.GraphQL/Common/Authorization/AuthorizationOptionsSetup.cs (2)

16-16: Previous concern about exception parameter remains unresolved

The issue regarding the exception parameter in the constructor is still present. The exception should accurately reflect which argument is null, using nameof(options.Value) instead of nameof(options).

---

50-55: Previous concerns on null handling and claim validation remain

The earlier review comments about handling potential null references and ensuring the claim value is present are still valid for this code segment. Specifically:

• Null Policy Handling: Using ! operator on options.GetPolicy(AuthorizationPolicy.EndUser)! assumes the policy exists, which could lead to a NullReferenceException if it doesn't.
• Check Claim Retrieval Success: The return value of context.User.TryGetClaimValue is not checked, which may result in unexpected behavior if the claim is absent.

Please refer to the past review comments to address these issues.

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 11

Outside diff range comments (4)

src/Digdir.Domain.Dialogporten.GraphQL/ServiceCollectionExtensions.cs (1)

Line range hint 9-29: Suggestion: Review entire GraphQL configuration

Given that the PR objectives mention adding a DialogToken requirement for subscriptions, it might be beneficial to review the entire GraphQL configuration in this file. Consider if any other parts of this setup need to be updated to fully implement and enforce the DialogToken requirement for subscriptions. This could include adding specific authorization policies, middleware, or other configuration options related to the DialogToken.

src/Digdir.Domain.Dialogporten.GraphQL/Common/Authorization/AuthorizationPolicy.cs (1)

Line range hint 22-29: Consider optimizing the GetAll method in AuthorizationScope.

While not directly related to the current changes, the GetAll method uses reflection to collect all string constants. This approach might be less efficient and could potentially miss new constants like EndUserSubscription if they're needed in the AllScopes collection.

Consider replacing the reflection-based approach with an explicit list of constants:

private static ReadOnlyCollection<string> GetAll() => new ReadOnlyCollection<string>(new[]
{
    EndUser,
    ServiceProvider,
    ServiceProviderSearch,
    Testing
});

This approach would be more performant and ensure that all relevant constants are included.

src/Digdir.Domain.Dialogporten.WebApi/appsettings.Development.json (1)

Line range hint 1-80: General observation: Sensitive information management

I noticed several "TODO" placeholders for sensitive information throughout the file. While this is common in development settings, it's crucial to ensure:

1. These placeholders are replaced with actual values securely before deployment.
2. The team follows best practices for managing secrets, such as using environment-specific secret stores or local user secrets.
3. No sensitive information is accidentally committed to version control.

Consider adding a comment at the top of the file reminding developers about proper secret management practices.

src/Digdir.Domain.Dialogporten.Application/Common/ICompactJwsGenerator.cs (1)

Line range hint 104-143: Consider using a standard library for Base64Url encoding/decoding

The custom Base64Url class implementation is well-written, but it might be worth checking if there's a standard library implementation available for Base64Url encoding and decoding in C#. Using a standard library, if available, could potentially improve maintainability and reduce the risk of bugs.

Research if there's a built-in or widely used library for Base64Url encoding/decoding in C#. If found, consider replacing the custom implementation with the standard one.

Review details

Configuration used: .coderabbit.yaml
Review profile: ASSERTIVE

Commits

Files that changed from the base of the PR and between 3092260 and 78c5947.

Files selected for processing (11)

• docs/schema/V1/schema.verified.graphql (2 hunks)
• src/Digdir.Domain.Dialogporten.Application/Common/ICompactJwsGenerator.cs (1 hunks)
• src/Digdir.Domain.Dialogporten.GraphQL/Common/Authorization/AuthorizationOptionsSetup.cs (3 hunks)
• src/Digdir.Domain.Dialogporten.GraphQL/Common/Authorization/AuthorizationPolicy.cs (1 hunks)
• src/Digdir.Domain.Dialogporten.GraphQL/Common/Authorization/DialogTokenMiddleware.cs (1 hunks)
• src/Digdir.Domain.Dialogporten.GraphQL/Common/Extensions/HotChocolate/DefinitionNodeExtensions.cs (1 hunks)
• src/Digdir.Domain.Dialogporten.GraphQL/EndUser/DialogById/Subscriptions.cs (1 hunks)
• src/Digdir.Domain.Dialogporten.GraphQL/Program.cs (1 hunks)
• src/Digdir.Domain.Dialogporten.GraphQL/ServiceCollectionExtensions.cs (1 hunks)
• src/Digdir.Domain.Dialogporten.GraphQL/appsettings.Development.json (1 hunks)
• src/Digdir.Domain.Dialogporten.WebApi/appsettings.Development.json (1 hunks)

Additional comments not posted (20)

src/Digdir.Domain.Dialogporten.GraphQL/ServiceCollectionExtensions.cs (2)

16-16: Approve: Improved order of GraphQL service configuration

The reordering of .AddSubscriptionType<Subscriptions>() to come after .AddAuthorization() is a positive change. This ensures that authorization is set up before adding the subscription type, which could potentially resolve any initialization issues if the Subscriptions type relies on authorization services. It also aligns with the best practice of configuring core services before adding specific features that might depend on them.

---

16-16: Clarify: How does this change relate to the DialogToken requirement?

The PR objectives mention adding a DialogToken requirement for subscriptions, but this file doesn't show any explicit changes related to that. Could you please clarify how this reordering of the subscription type addition relates to the DialogToken requirement? Are there other files in this PR that implement this requirement more directly?

To help clarify this, let's check for any DialogToken-related changes:

src/Digdir.Domain.Dialogporten.GraphQL/Common/Authorization/AuthorizationPolicy.cs (1)

8-8: New authorization policy added for end-user subscriptions.

The addition of EndUserSubscription constant is consistent with the existing naming convention and likely relates to the new DialogToken requirement for subscriptions mentioned in the PR objectives.

Let's verify if this new constant is used elsewhere in the codebase:

Verification successful

---

EndUserSubscription constant usage verified as consistent across the codebase.

The new constant EndUserSubscription is appropriately utilized in authorization setups and within the Subscriptions.cs file, aligning with the project's authorization strategy.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Search for usage of the new EndUserSubscription constant

# Test: Search for "EndUserSubscription" or "enduserSubscription" in all files
rg --type-add 'csharp:*.{cs,csproj}' --type csharp -i '(EndUserSubscription|enduserSubscription)'

Length of output: 580

src/Digdir.Domain.Dialogporten.GraphQL/Common/Extensions/HotChocolate/DefinitionNodeExtensions.cs (2)

5-8: LGTM: Class and method signature are well-designed.

The DefinitionNodeExtensions class and TryGetSubscriptionDialogId method are correctly implemented as public and static. The method signature follows the TryParse pattern, which is appropriate for this use case.

---

9-22: LGTM: Initial setup and iteration logic are well-implemented.

The method correctly initializes dialogId to Guid.Empty and efficiently iterates through the definitions. The type checking and early continue statements for non-matching definitions improve the code's readability and performance.

src/Digdir.Domain.Dialogporten.GraphQL/appsettings.Development.json (7)

56-56: LGTM: Disabling local development user aligns with PR objective

Changing UseLocalDevelopmentUser to false is consistent with the PR's goal of adding a DialogToken requirement for subscriptions. This change moves the development environment closer to production-like conditions by disabling mock users.

---

57-57: LGTM: Disabling local resource register enhances environment fidelity

Setting UseLocalDevelopmentResourceRegister to false is a positive change. It moves the development environment closer to production conditions by using actual resource registers instead of local mocks. This change will help catch potential issues earlier in the development process.

---

58-58: LGTM: Consistent approach in disabling local development features

Changing UseLocalDevelopmentOrganizationRegister to false is consistent with the previous changes. It further aligns the development environment with production-like conditions by using actual organization registers instead of local mocks.

---

59-59: LGTM: Consistent disabling of local development features

Setting UseLocalDevelopmentNameRegister to false follows the pattern of disabling local development mocks. This change, along with the previous ones, creates a more realistic development environment that closely mimics production conditions.

---

60-60: LGTM: Disabling local Altinn authorization supports PR objective

Changing UseLocalDevelopmentAltinnAuthorization to false directly supports the PR's goal of enhancing authorization mechanisms. This change ensures that the development environment uses actual Altinn authorization, which is crucial for testing the new DialogToken requirement for subscriptions.

---

62-62: LGTM: Critical changes for implementing DialogToken requirement

Two important changes have been made:

1. Setting UseLocalDevelopmentCompactJwsGenerator to false continues the trend of disabling local development mocks.
2. Changing DisableAuth to false enables authentication, which is crucial for implementing and testing the new DialogToken requirement for subscriptions.

These changes are essential for achieving the PR's objective and ensure that the development environment closely mirrors production conditions for authentication and authorization.

Also applies to: 65-65

---

56-65: Overall changes align well with PR objective and improve development environment

The modifications to the LocalDevelopment settings collectively achieve the following:

1. Disable various local development mocks (user, resource register, organization register, name register, Altinn authorization, and compact JWS generator).
2. Enable authentication by setting DisableAuth to false.

These changes significantly align the development environment with production-like conditions, which is crucial for implementing and testing the new DialogToken requirement for subscriptions. This approach will likely help catch potential issues earlier in the development process and ensure a smoother transition to production.

However, it's important to note that these changes might increase the complexity of local development setup. To mitigate any potential issues:

1. Ensure that the necessary production-like services are accessible in the development environment.
2. Update the development documentation to reflect these changes and provide guidance on setting up the required services.
3. Consider creating a script or tool to help developers easily switch between local mocks and production-like services when needed.

These steps will help ensure a smooth transition for developers working with the updated configuration.

Verification successful

---

Verification Successful: All services are accessible and documentation is up-to-date

The verification process confirmed that:

1. Service Accessibility:

   • Maskinporten: Accessible (HTTP 200)
   • Altinn: Accessible (HTTP 200)
   • ID-porten: Accessible (HTTP 200)

2. Development Documentation:

   • The documentation includes necessary references to LocalDevelopment, ensuring that the setup is well-documented and aligned with the recent configuration changes.

These results confirm that the changes to the appsettings.Development.json have been properly implemented and that the development environment is correctly configured to reflect production-like conditions. No further action is required at this time.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check if the necessary services are accessible in the development environment
echo "Verifying access to required services..."

# Check Maskinporten
curl -s -o /dev/null -w "%{http_code}" https://test.maskinporten.no/.well-known/oauth-authorization-server/ | grep 200 || echo "Warning: Maskinporten service is not accessible"

# Check Altinn
curl -s -o /dev/null -w "%{http_code}" https://platform.tt02.altinn.no/authentication/api/v1/openid/.well-known/openid-configuration | grep 200 || echo "Warning: Altinn service is not accessible"

# Check ID-porten
curl -s -o /dev/null -w "%{http_code}" https://test.idporten.no/.well-known/openid-configuration | grep 200 || echo "Warning: ID-porten service is not accessible"

# Check for updated development documentation
echo "Checking for updated development documentation..."
grep -r "LocalDevelopment" docs/ || echo "Warning: Development documentation may need to be updated to reflect recent changes"

echo "Verification complete. Please address any warnings before proceeding."

Length of output: 1150

src/Digdir.Domain.Dialogporten.WebApi/appsettings.Development.json (1)

75-75: Approved: Disabling local development compact JWS generator

This change aligns with the PR objective of adding a DialogToken requirement for subscriptions. It likely enforces stricter token generation in the local development environment.

Please verify the following:

1. Ensure that this change doesn't break local development workflows.
2. Confirm that all team members are aware of this change and its implications on local testing.
3. Update any local development documentation to reflect this change.

Additionally, I noticed that the "DisableAuth" setting is still set to true. Is this intentional, or should it also be set to false to fully enforce authentication in the local environment?

src/Digdir.Domain.Dialogporten.GraphQL/Program.cs (1)

103-103: Please provide more context about DialogTokenMiddleware

The addition of DialogTokenMiddleware to the request pipeline is a significant change. Could you please provide more information about its purpose and functionality? Specifically:

1. What does this middleware do, and how does it relate to the DialogToken requirement for subscriptions mentioned in the PR objectives?
2. Are there any performance implications of adding this middleware to all requests?
3. Should this middleware be conditionally applied only to certain routes (e.g., subscription-related endpoints) rather than all routes?

Also, consider adding a comment in the code explaining the purpose of this middleware and its placement in the pipeline for future maintainability.

To better understand the implementation of DialogTokenMiddleware, could you provide its source code? You can use the following command:

Verification successful

---

DialogTokenMiddleware Addition Verified

The addition of DialogTokenMiddleware to the request pipeline is appropriate and aligns with the PR objectives. This middleware effectively validates the DigDir-Dialog-Token to ensure secure operations related to GraphQL subscriptions.

• Purpose: Validates the custom DialogToken JWT to authenticate and authorize specific requests.
• Placement: Positioned after authentication and authorization middleware, ensuring it acts on authenticated requests without interfering with global request logging.
• Performance: Minimal impact due to efficient token validation using pre-imported public keys.
• Scope: Currently applied globally; consider conditional application if DialogToken is only required for specific routes to optimize performance.

Consider adding inline comments within the middleware to enhance future maintainability and provide clarity on its functionality and placement.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for the DialogTokenMiddleware implementation
rg -t cs -A 20 "class DialogTokenMiddleware"

Length of output: 2703

---

Script:

#!/bin/bash
# Retrieve the full content of DialogTokenMiddleware.cs for complete analysis
cat src/Digdir.Domain.Dialogporten.GraphQL/Common/Authorization/DialogTokenMiddleware.cs

Length of output: 2544

src/Digdir.Domain.Dialogporten.Application/Common/ICompactJwsGenerator.cs (4)

25-25: Excellent optimization: Initializing signing key in the constructor

Moving the InitSigningKey() call to the constructor is a great improvement. This change ensures that the signing key is initialized only once during object creation, rather than potentially multiple times in the GetCompactJws method. This optimization will likely improve performance, especially if GetCompactJws is called frequently.

Benefits of this change:

1. Improved performance by avoiding redundant initializations.
2. Guaranteed initialization state before any method calls.
3. Adheres to the principle of performing initialization work in the constructor.

Great job on this optimization!

---

Line range hint 66-77: Robust JWT verification in VerifyCompactJws method

The VerifyCompactJws method in the Ed25519Generator class performs important security checks, including verifying the kid (Key ID) and the signature. This is a crucial part of ensuring the integrity and authenticity of the JWTs.

The implementation looks secure and follows best practices for JWT verification. Good job on including these important checks!

---

Line range hint 1-143: Overall assessment: Well-implemented JWT handling with room for minor improvements

The file demonstrates a robust implementation of JWT generation and verification using the Ed25519 algorithm. The recent optimization of initializing the signing key in the constructor is a notable improvement. The code is generally well-structured and follows good practices for security-sensitive operations.

Key points:

1. The constructor optimization in Ed25519Generator is excellent.
2. JWT verification in VerifyCompactJws is thorough and secure.
3. The LocalDevelopmentCompactJwsGeneratorDecorator needs careful handling to prevent production use.
4. Consider replacing the custom Base64Url implementation with a standard library if available.

Overall, the code is of good quality with attention to security details. Addressing the minor suggestions would further enhance its robustness and maintainability.

---

Line range hint 93-102: Ensure LocalDevelopmentCompactJwsGeneratorDecorator is not used in production

The LocalDevelopmentCompactJwsGeneratorDecorator class bypasses actual JWT generation and verification, which is useful for local development but could pose a significant security risk if accidentally used in a production environment.

To ensure this class is not used in production, please run the following script:

If the script returns any results, please review those occurrences to ensure they are properly guarded against production use.

Verification successful

---

Verified: LocalDevelopmentCompactJwsGeneratorDecorator is conditionally applied based on environment settings and is not used in production.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for usage of LocalDevelopmentCompactJwsGeneratorDecorator in production code

# Test: Search for LocalDevelopmentCompactJwsGeneratorDecorator usage outside of test files
rg --type csharp -g '!**/test/**' 'LocalDevelopmentCompactJwsGeneratorDecorator'

Length of output: 561

---

Script:

#!/bin/bash
# Description: Verify if LocalDevelopmentCompactJwsGeneratorDecorator is conditionally applied based on environment

# Search for LocalDevelopmentCompactJwsGeneratorDecorator usage and check for surrounding environment conditions
rg --type csharp 'LocalDevelopmentCompactJwsGeneratorDecorator' src/Digdir.Domain.Dialogporten.Application/ApplicationExtensions.cs -B5 -A5

Length of output: 591

docs/schema/V1/schema.verified.graphql (2)

214-216: Summary: DialogToken requirement successfully implemented for subscriptions

The changes to the GraphQL schema effectively implement the DialogToken requirement for subscriptions as outlined in the PR objectives. Key points:

1. The Subscriptions type now includes an authorization directive with the "enduserSubscription" policy.
2. A comment has been added to clarify the DialogToken header requirement.
3. The changes are localized to the Subscriptions type and don't affect other parts of the schema.

These modifications enhance the security of subscriptions by enforcing proper authorization. The implementation aligns well with the PR's goals and maintains the integrity of the existing schema structure.

---

216-216: Verify the implementation of the "enduserSubscription" policy.

The authorization directive uses the "enduserSubscription" policy, which is not defined in this schema file. To ensure the correct implementation of this new requirement:

1. Verify that the "enduserSubscription" policy is properly defined in the application's authorization system.
2. Ensure that the policy correctly validates the DialogToken from the 'DigDir-Dialog-Token' header.
3. Confirm that the policy provides the appropriate level of access control for subscriptions.

To assist in verifying the policy implementation, you can run the following script:

This script will help locate the relevant code for the policy implementation and token validation.

[sonarqubecloud]

Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud