LearnCard
Iteration: Restrict Update Auth Grants to Name/Description Only
Overview
What Changed
This PR tightens the update logic for AuthGrants, so that only the name and description fields can be updated after creation. Attempts to update sensitive fields such as scope, challenge, id, createdAt, expiresAt, or status will now be rejected.
Why?
Allowing updates to critical fields like scope, challenge, or status after an AuthGrant is issued can lead to security issues and unpredictable authorization behavior. These fields define the core permissions and lifecycle of an AuthGrant; changing them after the fact undermines the integrity of the access control model.
Security & Best Practices
- Immutable AuthGrants: Once an AuthGrant is created, its scope and challenge are locked in. If a change is needed, the recommended pattern is to revoke the old grant and issue a new one with the desired properties.
- Auditability: This approach makes it easier to audit and track permission changes, as each grant's lifecycle is clear and tamper-resistant.
- Consistency: Aligns with best practices for token and grant management in modern authentication systems.
Developer Impact
- You can still update an AuthGrant's name and description for clarity or UI/UX purposes.
- To change the scope, challenge, or other sensitive attributes, revoke the existing grant and create a new one.
Types of Changes
- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [x] Breaking change (fix or feature that would cause existing functionality to not work as expected)
- [ ] Chore (refactor, documentation update, etc)
Does This Create Any New Technical Debt? (If yes, please describe and add JIRA TODOs)
- [x] No
- [ ] Yes
Testing
How Can Someone QA This?
Which devices would you like help testing on?
Code Coverage
Documentation
Gitbook
Storybook
PR Checklist
- [ ] Related to a Jira issue (create one if not)
- [x] My code follows style guidelines (eslint / prettier)
- [x] I have manually tested common end-2-end cases
- [ ] I have reviewed my code
- [ ] I have commented my code, particularly where ambiguous
- [x] New and existing unit tests pass locally with my changes
- [x] I have made corresponding changes to gitbook documentation
Ready to squash-and-merge?:
- [x] Code is backwards compatible
- [x] There is not a "Do Not Merge" label on this PR
- [x] I have thoughtfully considered the security implications of this change.
- [x] This change does not expose new public facing endpoints that do not have authentication
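The allowlist behaviour the description above calls for, written out as an added example for this page rather than taken from LearnCard's brain-service route code. The AuthGrant shape, the field names (taken from the PR text), the error class, and the revokeAndReissue helper are assumptions made for illustration; the real service's types and storage layer may differ. The update guard checks the payload's own keys against an allowlist of name and description, so a client cannot widen scope, replace challenge, or flip status, and a JSON body smuggling a "__proto__" key is rejected like any other unexpected field.

```typescript
// Added example (not LearnCard's code). AuthGrant shape and helpers are assumptions.
type AuthGrantStatus = 'active' | 'revoked';

interface AuthGrant {
  id: string;
  name: string;
  description: string;
  scope: string;
  challenge: string;
  status: AuthGrantStatus;
  createdAt: string;
  expiresAt: string;
}

// The only fields a caller may change after creation (per the PR description).
const MUTABLE_FIELDS = ['name', 'description'] as const;
type MutableField = (typeof MUTABLE_FIELDS)[number];
type AuthGrantUpdate = Partial<Pick<AuthGrant, MutableField>>;

class ImmutableFieldError extends Error {
  constructor(public readonly fields: string[]) {
    super(`Cannot update immutable AuthGrant field(s): ${fields.join(', ')}`);
    this.name = 'ImmutableFieldError';
  }
}

// Validate an untrusted update payload. Every own key outside the allowlist is
// rejected, so scope, challenge, id, createdAt, expiresAt and status stay immutable.
function validateAuthGrantUpdate(payload: unknown): AuthGrantUpdate {
  if (typeof payload !== 'object' || payload === null || Array.isArray(payload)) {
    throw new TypeError('update payload must be a plain object');
  }
  // Object.keys returns own enumerable keys, including a JSON-parsed "__proto__".
  const rejected = Object.keys(payload).filter(
    (k) => !(MUTABLE_FIELDS as readonly string[]).includes(k),
  );
  if (rejected.length > 0) throw new ImmutableFieldError(rejected.sort());

  const update: AuthGrantUpdate = {};
  for (const key of MUTABLE_FIELDS) {
    const value = (payload as Record<string, unknown>)[key];
    if (value === undefined) continue;
    if (typeof value !== 'string') throw new TypeError(`${key} must be a string`);
    update[key] = value;
  }
  return update;
}

// Apply a validated update: only allowlisted fields are copied onto the stored grant.
function applyAuthGrantUpdate(grant: AuthGrant, payload: unknown): AuthGrant {
  return { ...grant, ...validateAuthGrantUpdate(payload) };
}

// The recommended path for changing an immutable field: revoke the old grant and
// issue a new one. Fresh id/challenge come from the caller's own generators (assumed).
function revokeAndReissue(
  old: AuthGrant,
  changes: Partial<Pick<AuthGrant, 'scope' | 'expiresAt'>>,
  fresh: { id: string; challenge: string; now: string },
): { revoked: AuthGrant; issued: AuthGrant } {
  const revoked: AuthGrant = { ...old, status: 'revoked' };
  const issued: AuthGrant = {
    ...old,
    ...changes,
    id: fresh.id,
    challenge: fresh.challenge,
    createdAt: fresh.now,
    status: 'active',
  };
  return { revoked, issued };
}
```

Rejecting the whole request when any immutable field is present, rather than silently dropping those keys, is the safer choice: a client that sends scope alongside name gets a clear error instead of believing the scope change took effect.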
Changeset detected
Latest commit: 139e8298d929c9339461aaf59a8106240c206b62
The changes in this PR will be included in the next version bump.
This PR includes changesets to release 10 packages
| Name | Type |
|---|---|
| @learncard/network-brain-service | Patch |
| @learncard/network-brain-client | Patch |
| @learncard/network-plugin | Patch |
| @learncard/init | Patch |
| @learncard/chapi-example | Patch |
| @learncard/create-http-bridge | Patch |
| @learncard/cli | Patch |
| @learncard/react | Patch |
| learn-card-discord-bot | Patch |
| @learncard/snap-chapi-example | Patch |
Deploy Preview for learn-card-chapi-example canceled.
| Name | Link |
|---|---|
| Latest commit | 0919fc3440df17f51a5dbf50dd47d3d93bc05977 |
| Latest deploy log | https://app.netlify.com/sites/learn-card-chapi-example/deploys/680a83c1ad1a750008c6072d |
Deploy Preview for learncarddocs canceled.
| Name | Link |
|---|---|
| Latest commit | 0919fc3440df17f51a5dbf50dd47d3d93bc05977 |
| Latest deploy log | https://app.netlify.com/sites/learncarddocs/deploys/680a83c13f593300085da9d6 |
Deploy Preview for learn-card-chapi-example canceled.
| Name | Link |
|---|---|
| Latest commit | 139e8298d929c9339461aaf59a8106240c206b62 |
| Latest deploy log | https://app.netlify.com/sites/learn-card-chapi-example/deploys/680fdc00868df30008d9d6c1 |
Deploy Preview for learncarddocs canceled.
| Name | Link |
|---|---|
| Latest commit | 139e8298d929c9339461aaf59a8106240c206b62 |
| Latest deploy log | https://app.netlify.com/sites/learncarddocs/deploys/680fdc00504c2600083baee1 |
This PR is missing a Jira ticket reference in the title or description. Please add a Jira ticket reference to the title or description of this PR.
Code experts: no user but you matched threshold 10
Custard7 has the most activity in the files. Custard7 has the most knowledge in the files.
services/learn-card-network/brain-service/src/routes/auth-grants.ts
Activity based on git-commit:
| Month | Custard7 |
|---|---|
| APR | 275 additions & 44 deletions |
| MAR | |
| FEB | |
| JAN | |
| DEC | |
| NOV | |
Knowledge based on git-blame: Custard7: 97%
services/learn-card-network/brain-service/test/auth-grant.spec.ts
Activity based on git-commit:
| Month | Custard7 |
|---|---|
| APR | 555 additions & 18 deletions |
| MAR | |
| FEB | |
| JAN | |
| DEC | |
| NOV | |
Knowledge based on git-blame: Custard7: 100%
To learn more about gitStream, visit the gitStream docs.