diff --git a/audiences-react/docs/CHANGELOG.md b/audiences-react/docs/CHANGELOG.md
index a5a3fd92..e480bf59 100644
--- a/audiences-react/docs/CHANGELOG.md
+++ b/audiences-react/docs/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Unreleased
+# Version 1.3.0 (2024-12-12)
+
+- Protect SCIM search from backend [#451](https://github.com/powerhome/audiences/pull/451)
+
 # Version 1.2.1 (2024-08-06)
 - Add error handling to audiences form [#372](https://github.com/powerhome/audiences/pull/372)
diff --git a/audiences-react/package.json b/audiences-react/package.json
index 6d6ffa67..27fd43c1 100644
--- a/audiences-react/package.json
+++ b/audiences-react/package.json
@@ -1,6 +1,6 @@
 {
 "name": "audiences",
- "version": "1.2.1",
+ "version": "1.3.0",
 "description": "Audiences SCIM client",
 "files": [
 "dist/*.*",
diff --git a/audiences-react/src/scim.ts b/audiences-react/src/scim.ts
index 17239931..dada8e0b 100644
--- a/audiences-react/src/scim.ts
+++ b/audiences-react/src/scim.ts
@@ -11,7 +11,7 @@ export function useScim(): UseScimResources {
 const { get } = useFetch(uri)
 const filter = async (resourceId: string, displayName: string) => {
- return await get(`${resourceId}?filter=displayName co "${displayName}"`)
+ return await get(`${resourceId}?filter=${displayName}`)
 }
 return { filter }
diff --git a/audiences/Gemfile.lock b/audiences/Gemfile.lock
index 7e5012f6..0f9b493e 100644
--- a/audiences/Gemfile.lock
+++ b/audiences/Gemfile.lock
@@ -1,7 +1,7 @@
 PATH
 remote: .
 specs:
- audiences (1.4.0)
+ audiences (1.5.0)
 rails (>= 6.0)
 GEM
diff --git a/audiences/app/controllers/audiences/scim_proxy_controller.rb b/audiences/app/controllers/audiences/scim_proxy_controller.rb
index e17b7046..fea98af5 100644
--- a/audiences/app/controllers/audiences/scim_proxy_controller.rb
+++ b/audiences/app/controllers/audiences/scim_proxy_controller.rb
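Review bot: The new `filter` template on the `+` line interpolates `displayName` straight into the query string without URL encoding, so a name containing `&`, `#`, `%` or `+` alters or truncates the `filter` value the server receives. Unless `useFetch`'s `get` encodes its argument (not visible here), the line should read `` return await get(`${resourceId}?filter=${encodeURIComponent(displayName)}`) ``. The removed line had the same gap, so this is not a regression, but this commit is the natural place to close it. `useScim` begins before this hunk and its closing brace lies outside it.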
@@ -4,7 +4,11 @@ module Audiences
 class ScimProxyController < ApplicationController
 def get
 resources = Audiences::Scim.resource(params[:scim_path].to_sym)
- .query(filter: params[:filter], startIndex: params[:startIndex], count: params[:count])
+ .query(
+ filter: "displayName co \"#{params[:filter]}\"",
+ startIndex: params[:startIndex], count: params[:count],
+ attributes: %w[id externalId displayName photos]
+ )
 render json: resources, except: %w[schemas meta]
 end
diff --git a/audiences/docs/CHANGELOG.md b/audiences/docs/CHANGELOG.md
index 89ade94b..2621bb28 100644
--- a/audiences/docs/CHANGELOG.md
+++ b/audiences/docs/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Unreleased
+# Version 1.5.0 (2024-12-12)
+
+- SCIM proxy will only return data used by the UI [#451](https://github.com/powerhome/audiences/pull/451)
+
 # Version 1.4.0 (2024-11-01)
 - Add authentication hooks for Audiences controllers [#438](https://github.com/powerhome/audiences/pull/438)
diff --git a/audiences/gemfiles/rails_6_1.gemfile.lock b/audiences/gemfiles/rails_6_1.gemfile.lock
index cc12a4be..9c2e4fda 100644
--- a/audiences/gemfiles/rails_6_1.gemfile.lock
+++ b/audiences/gemfiles/rails_6_1.gemfile.lock
@@ -1,7 +1,7 @@
 PATH
 remote: ..
 specs:
- audiences (1.4.0)
+ audiences (1.5.0)
 rails (>= 6.0)
 GEM
@@ -139,7 +139,7 @@ GEM
 parser (3.3.5.0)
 ast (~> 2.4.1)
 racc
- pg (1.5.8)
+ pg (1.5.9)
 psych (5.1.2)
 stringio
 public_suffix (6.0.1)
diff --git a/audiences/gemfiles/rails_7_0.gemfile.lock b/audiences/gemfiles/rails_7_0.gemfile.lock
index a8edd71b..a533bf69 100644
--- a/audiences/gemfiles/rails_7_0.gemfile.lock
+++ b/audiences/gemfiles/rails_7_0.gemfile.lock
@@ -1,7 +1,7 @@
 PATH
 remote: ..
 specs:
- audiences (1.4.0)
+ audiences (1.5.0)
 rails (>= 6.0)
 GEM
@@ -145,7 +145,7 @@ GEM
 parser (3.3.5.0)
 ast (~> 2.4.1)
 racc
- pg (1.5.8)
+ pg (1.5.9)
 psych (5.1.2)
 stringio
 public_suffix (6.0.1)
diff --git a/audiences/gemfiles/rails_7_1.gemfile.lock b/audiences/gemfiles/rails_7_1.gemfile.lock
index 9053b194..74d8afbf 100644
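Review bot: On the new `filter:` line `params[:filter]` is interpolated into the SCIM filter expression without escaping, so a value that contains a double quote terminates the `displayName co "…"` literal and the rest of the parameter reaches the backend as additional filter syntax, which undoes the restriction to a displayName search that this change appears to be enforcing. SCIM filter string values use JSON string-literal escaping, so escape the two special characters before building the literal: `escaped = params[:filter].to_s.gsub(/["\\]/) { |c| "\\#{c}" }` and then `filter: "displayName co \"#{escaped}\"",`. The `.to_s` also covers a missing parameter, which the old code passed through as `nil` and the new code turns into a search for the empty string; confirm that is intended or reject a blank filter explicitly. `get` is complete within the hunk; the enclosing class and module close outside it.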
--- a/audiences/gemfiles/rails_7_1.gemfile.lock
+++ b/audiences/gemfiles/rails_7_1.gemfile.lock
@@ -1,7 +1,7 @@
 PATH
 remote: ..
 specs:
- audiences (1.4.0)
+ audiences (1.5.0)
 rails (>= 6.0)
 GEM
@@ -157,7 +157,7 @@ GEM
 parser (3.3.5.0)
 ast (~> 2.4.1)
 racc
- pg (1.5.8)
+ pg (1.5.9)
 psych (5.1.2)
 stringio
 public_suffix (6.0.1)
diff --git a/audiences/lib/audiences/version.rb b/audiences/lib/audiences/version.rb
index ee3b94c0..8fdca287 100644
--- a/audiences/lib/audiences/version.rb
+++ b/audiences/lib/audiences/version.rb
@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Audiences
- VERSION = "1.4.0"
+ VERSION = "1.5.0"
 end
diff --git a/audiences/spec/controllers/scim_proxy_controller_spec.rb b/audiences/spec/controllers/scim_proxy_controller_spec.rb
index cfc49ec0..3ec2ee97 100644
--- a/audiences/spec/controllers/scim_proxy_controller_spec.rb
+++ b/audiences/spec/controllers/scim_proxy_controller_spec.rb
@@ -31,11 +31,11 @@
 it "proxies queries with arguments" do
 expect(resource_query).to(
 receive(:query)
- .with(filter: "name eq John", startIndex: "12", count: "21")
+ .with(hash_including(filter: 'displayName co "John"', startIndex: "12", count: "21"))
 .and_return({ "response" => "body" })
 )
- get :get, params: { scim_path: "MyResources", count: 21, startIndex: 12, filter: "name eq John" }
+ get :get, params: { scim_path: "MyResources", count: 21, startIndex: 12, filter: "John" }
 expect(response.parsed_body).to eq({ "response" => "body" })
 end
@@ -51,5 +51,17 @@
 expect(response.parsed_body).to eq({ "response" => "body" })
 end
+
+ it "only fetches less sensitive attributes" do
+ expect(resource_query).to(
+ receive(:query)
+ .with(hash_including(attributes: %w[id externalId displayName photos]))
+ .and_return({ "response" => "body" })
+ )
+
+ get :get, params: { scim_path: "MyResources", count: 21, startIndex: 12, filter: "name eq John" }
+
+ expect(response.parsed_body).to eq({ "response" => "body" })
+ end
 end
 end
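Review bot: The new example `only fetches less sensitive attributes` still sends `filter: "name eq John"`, which the controller now wraps as `displayName co "name eq John"`; passing `filter: "John"` as the updated first example does keeps the fixture consistent with what the parameter now means. Neither example covers a filter value that contains a double quote, which is the case that decides whether the controller's quoting of `params[:filter]` holds, so an example asserting the exact `filter:` argument the backend receives for such a value would pin that behavior. The enclosing `describe` blocks open before the hunk; the file's closing `end`s are inside it.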