Skip to content

Fix authentication #16

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jul 13, 2025
Merged

Fix authentication #16

merged 3 commits into from
Jul 13, 2025

Conversation

fulleni
Copy link
Member

@fulleni fulleni commented Jul 13, 2025

Status

READY/IN DEVELOPMENT/HOLD

Description

Type of Change

  • ✨ New feature (non-breaking change which adds functionality)
  • 🛠️ Bug fix (non-breaking change which fixes an issue)
  • ❌ Breaking change (fix or feature that would cause existing functionality to change)
  • 🧹 Code refactor
  • ✅ Build configuration change
  • 📝 Documentation
  • 🗑️ Chore

fulleni added 3 commits July 13, 2025 16:06
@fulleni
fix(auth): enhance dashboard login security
aefe69e 
- Added role verification for dashboard logins.
- Prevents non-admin access via code verification.
- Improved security against unauthorized access.
- Closed loophole in existing authentication flow.
- Added logging for successful/failed verifications.
@fulleni
feat(auth): implement permission-based dashboard login
384267d 
- Added PermissionService to AuthService
- Created dashboard login permission
- Updated login logic to use PermissionService
- Improved logging for permission checks
- Refactored role-based checks to permission checks
@fulleni
feat(rbac): Add user preference bypass permission
9e89851 
- Added `userPreferenceBypassLimits` permission
- Updated role permissions to include new permission
- Implemented permission check in limit service
- Modified `app_dependencies.dart` to inject `PermissionService`
- Updated `DefaultUserPreferenceLimitService` to use new permission
@fulleni fulleni merged commit deb906e into main Jul 13, 2025
1 check failed
@fulleni fulleni deleted the fix_authentication branch July 13, 2025 15:22
gemini-code-assist[bot]
gemini-code-assist bot reviewed Jul 13, 2025
View reviewed changes
Copy link

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Summary of Changes

Hello @fulleni, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly refactors the application's authentication and authorization mechanisms by introducing a dedicated PermissionService. This service is now central to determining access for dashboard logins and bypassing user preference limits, moving away from direct role-based checks. The changes enhance security by enforcing granular permissions and addressing a potential loophole in the dashboard login flow.

Highlights

  • Permission Service Integration: Introduced a new PermissionService and integrated it into core application services (AuthService and DefaultUserPreferenceLimitService) to centralize and standardize permission checks.
  • New Granular Permissions: Defined dashboard.login and user_preference.bypass_limits to allow for more fine-grained control over specific functionalities.
  • Enhanced Dashboard Authentication: Updated AuthService to leverage the dashboard.login permission for dashboard sign-in, replacing direct role checks, and added a critical re-verification step during code verification to prevent unauthorized dashboard access.
  • Permission-Based User Preference Limits: Modified DefaultUserPreferenceLimitService to use the user_preference.bypass_limits permission, allowing designated users (e.g., admins) to bypass user preference restrictions.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in issue comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

gemini-code-assist[bot]
gemini-code-assist bot reviewed Jul 13, 2025
View reviewed changes
Copy link

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

The pull request introduces a permission-based model for authentication, enhancing security and maintainability. There's some code duplication in DefaultUserPreferenceLimitService that could be refactored into a helper method.

lib/src/services/default_user_preference_limit_service.dart
Comment on lines +42 to 48
// Users with the bypass permission (e.g., admins) have no limits.
if (_permissionService.hasPermission(
user,
Permissions.userPreferenceBypassLimits,
)) {
return;
}
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The logic for checking user permissions and retrieving remote configuration is duplicated in the checkUpdatePreferences method (lines 105-111). To avoid this duplication, extract this logic into a private helper method.

lib/src/services/default_user_preference_limit_service.dart
Comment on lines +105 to 111
// Users with the bypass permission (e.g., admins) have no limits.
if (_permissionService.hasPermission(
user,
Permissions.userPreferenceBypassLimits,
)) {
return;
}
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The logic for checking user permissions and retrieving remote configuration is duplicated from the checkAddItem method (lines 42-48). Extract this logic into a private helper method to avoid code duplication.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@fulleni