-
Notifications
You must be signed in to change notification settings - Fork 2.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature/system info #5087
Feature/system info #5087
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking good!
imports/plugins/core/system-info/server/no-meteor/schemas/schema.graphql
Show resolved
Hide resolved
imports/plugins/core/system-info/server/no-meteor/queries/systemInformation.js
Outdated
Show resolved
Hide resolved
imports/plugins/core/system-info/server/no-meteor/queries/systemInformation.js
Outdated
Show resolved
Hide resolved
imports/plugins/core/system-info/server/no-meteor/resolvers/Query/systemInformation.js
Outdated
Show resolved
Hide resolved
imports/plugins/core/system-info/server/no-meteor/schemas/schema.graphql
Outdated
Show resolved
Hide resolved
imports/plugins/core/system-info/server/no-meteor/schemas/schema.graphql
Outdated
Show resolved
Hide resolved
imports/plugins/core/system-info/server/no-meteor/schemas/schema.graphql
Outdated
Show resolved
Hide resolved
Maybe you're already thinking about this, but is this API going to remain public, or will it be behind auth of some kind? Since this is system info, it feels like it should be secured somehow. |
@mikemurray I was considering throwing in @aldeed do you agree this should be behind authentication? |
7b4ec39
to
dc63918
Compare
I think there is enough here for a PR with final review. This can then be used when refactoring the admin page issue in #1948 when that is reconfigured to use updated API techniques. what do you think @focusaurus @aldeed ? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Another round of comments
imports/plugins/core/system-info/server/no-meteor/queries/systemInformation.js
Outdated
Show resolved
Hide resolved
imports/plugins/core/system-info/server/no-meteor/resolvers/Query/systemInformation.js
Outdated
Show resolved
Hide resolved
imports/plugins/core/system-info/server/no-meteor/schemas/schema.graphql
Show resolved
Hide resolved
imports/plugins/core/system-info/server/no-meteor/queries/systemInformation.js
Outdated
Show resolved
Hide resolved
imports/plugins/core/system-info/server/no-meteor/queries/systemInformation.js
Show resolved
Hide resolved
imports/plugins/core/system-info/server/no-meteor/schemas/schema.graphql
Show resolved
Hide resolved
imports/plugins/core/system-info/server/no-meteor/queries/systemInformation.js
Outdated
Show resolved
Hide resolved
This should definitely be protected. We should not expose information like installed plugins to the public API. That would expose business secrets (ie which payment provider is used) as well as provide valuable information to attackers. |
@ticean In most cases it's going to be pretty obvious what payment provider is used. Frontend code will have
|
I just used payment provider as an example. It doesn't matter if the users see which payment is used on the frontend. That doesn't expose which plugin and plugin version are providing the functionality. A plugin list does. Such a list provides mineable data that can be analyzed to describe all the functionalities the site has, the vulnerabilities available (via cross reference), and generally how up to date the site is keeping their dependencies. I don't think any part of this endpoint should be public. |
I think this will effect this PR nevermind, looks like shopId is passed rather than as a context variable. |
@aldeed i think this is ready for your review again! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@chrispotter A few new suggestions
@@ -0,0 +1,26 @@ | |||
import packageJson from "/package.json"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've started thinking about how we're soon wanting to move plugins to be npm packages. An import from outside the plugin like this one won't work in that case. At the moment, we only need the version. Instead, there are two files where new ReactionNodeApp()
is done. You can import packageJson
in those two files, and add the version to context in the ReactionNodeApp
constructor options: appVersion: packageJson.version
.
Then here you can use context.appVersion
.
|
||
const mongoAdmin = await db.admin(); | ||
const mongoInfo = await mongoAdmin.serverStatus(); | ||
const plugins = await Packages.find({ shopId: { shopId }, version: { $ne: null } }, { projection: { name: 1, version: 1 } }).toArray(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since initially reviewing this, we've been talking more about trying to stop using the Packages
collection. The problem is that the collection can get out of sync with what plugins are truly in the codebase. So it would be better to access the actual list of plugins that were registered when the app started up.
On context, context.app
is the ReactionNodeApp
instance. On that you can find the plugin config for all plugins on app.registeredPlugins
object. So I think it would be something like this:
const plugins = Object.values(context.app.registeredPlugins);
The rest should be the same.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note that unlike the Packages
collection, registeredPlugins
is NOT different per shopId. But I think you should keep the shopId param in GraphQL for the permission check and potential future use.
} | ||
"Represents Reaction Plugin" | ||
type Plugin { | ||
"name of plugin" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
All field descriptions should begin with a capital letter by convention. I guess our GraphQL linter does not check this.
7927f41
to
514e836
Compare
Signed-off-by: Chris Potter <chris@reactioncommerce.com>
Signed-off-by: Chris Potter <chris@reactioncommerce.com>
Signed-off-by: Chris Potter <chris@reactioncommerce.com>
Signed-off-by: Chris Potter <chris@reactioncommerce.com>
Signed-off-by: Chris Potter <chris@reactioncommerce.com>
Signed-off-by: Chris Potter <chris@reactioncommerce.com>
Signed-off-by: Chris Potter <chris@reactioncommerce.com>
Signed-off-by: Chris Potter <chris@reactioncommerce.com>
Signed-off-by: Chris Potter <chris@reactioncommerce.com>
Signed-off-by: Chris Potter <chris@reactioncommerce.com>
Signed-off-by: Chris Potter <chris@reactioncommerce.com>
Signed-off-by: Chris Potter <chris@reactioncommerce.com>
Signed-off-by: Chris Potter <chris@reactioncommerce.com>
Signed-off-by: Chris Potter <chris@reactioncommerce.com>
Signed-off-by: Chris Potter <chris@reactioncommerce.com>
Signed-off-by: Chris Potter <chris@reactioncommerce.com>
514e836
to
03c50e8
Compare
Merged in latest develop to fix the startup bug, and then tested. Looks good! |
Initial Solution to #1948
Impact: major
Type: feature
Issue
This is the start to a
system-info
plugin that will offer information related to systemSolution
This is step one from Issue #1948 to add a new graphql schema to be referenced from the dashboard to show appVersion.
Testing
http://localhost:3000/graphql-alpha
Use admin auth token and your correct primary shop ID.