feat/security header enhancement#1910
Conversation
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughAdds cross-platform device-model detection, security headers for terminal/device/OS metadata, classified access-token hashing, and request-time hashing in cached HTTP and Lark SDK transport chains. ChangesAccess-token metadata
Estimated code review effort: 4 (Complex) | ~45 minutes Sequence Diagram(s)sequenceDiagram
participant Client
participant AccessTokenHashTransport
participant SecurityPolicyTransport
participant HTTPTransport
Client->>AccessTokenHashTransport: Send request with bearer token
AccessTokenHashTransport->>AccessTokenHashTransport: Clone request and inject token hash
AccessTokenHashTransport->>SecurityPolicyTransport: Forward enriched request
SecurityPolicyTransport->>HTTPTransport: Apply policy and send request
Possibly related PRs
Suggested labels: Suggested reviewers: 🚥 Pre-merge checks | ✅ 3 | ❌ 2❌ Failed checks (1 warning, 1 inconclusive)
✅ Passed checks (3 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
🚀 PR Preview Install Guide🧰 CLI updatenpm i -g https://pkg.pr.new/larksuite/cli/@larksuite/cli@49bb2d87beeaa9669a853ad753f936c7293cdec9🧩 Skill updatenpx skills add larksuite/cli#feat/security_header_enhancement -y -g |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@internal/cmdutil/secheader.go`:
- Around line 268-320: The accessTokenKind flow currently classifies any
parseable JWT without access_mode as UAT; update jwtAccessMode to require an
explicit access-token marker before returning a JWT match, while preserving
app-only as TAT and delegated or omitted access_mode as UAT for valid access
tokens. Add a test covering non-access JWT payloads such as {}, null, or
equivalent markers and verify they produce no token-hash classification.
In `@internal/devicemodel/model_windows.go`:
- Around line 18-33: Update readDeviceModel to use an injectable
registry-reading helper, following the existing Darwin pattern, while preserving
systemInfoRegistryPaths priority and normalization behavior. Add adjacent tests
covering successful first-path lookup, registry open/read failures, empty
normalized values, and fallback to later paths or an empty result when none
succeed.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 1307e12e-ff4f-46d3-9cb9-2bcfb8fa32b4
📒 Files selected for processing (13)
internal/cmdutil/factory_default.gointernal/cmdutil/factory_http_test.gointernal/cmdutil/secheader.gointernal/cmdutil/secheader_test.gointernal/cmdutil/transport.gointernal/cmdutil/transport_test.gointernal/devicemodel/model.gointernal/devicemodel/model_darwin.gointernal/devicemodel/model_darwin_test.gointernal/devicemodel/model_linux.gointernal/devicemodel/model_other.gointernal/devicemodel/model_test.gointernal/devicemodel/model_windows.go
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #1910 +/- ##
==========================================
+ Coverage 74.96% 74.98% +0.01%
==========================================
Files 892 894 +2
Lines 94077 94228 +151
==========================================
+ Hits 70529 70657 +128
- Misses 18137 18154 +17
- Partials 5411 5417 +6 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
4a9de95 to
ddefcd7
Compare
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@internal/cmdutil/secheader_test.go`:
- Around line 353-374: Update the table fixtures in the secheader tests so the
empty-token case contains no token body after the Bearer scheme, and make
unknownJWT include typ access_token while retaining its unsupported access_mode.
Keep the existing expected skipped outcomes, ensuring these cases reach the
intended empty-body and unknown-mode branches rather than being rejected for
unrelated reasons.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 1474ade5-a44c-4773-988d-a905a040cc56
📒 Files selected for processing (14)
internal/cmdutil/factory_default.gointernal/cmdutil/factory_http_test.gointernal/cmdutil/secheader.gointernal/cmdutil/secheader_test.gointernal/cmdutil/transport.gointernal/cmdutil/transport_test.gointernal/devicemodel/model.gointernal/devicemodel/model_darwin.gointernal/devicemodel/model_darwin_test.gointernal/devicemodel/model_linux.gointernal/devicemodel/model_other.gointernal/devicemodel/model_test.gointernal/devicemodel/model_windows.gointernal/devicemodel/model_windows_test.go
🚧 Files skipped from review as they are similar to previous changes (9)
- internal/devicemodel/model_linux.go
- internal/devicemodel/model_darwin.go
- internal/devicemodel/model_darwin_test.go
- internal/devicemodel/model_other.go
- internal/devicemodel/model_windows_test.go
- internal/devicemodel/model_windows.go
- internal/cmdutil/transport.go
- internal/cmdutil/factory_default.go
- internal/cmdutil/secheader.go
ddefcd7 to
04b961f
Compare
db50326 to
624ef45
Compare
Add X-Agent-Terminal-Type, X-Agent-Device-Type, X-Agent-Os-Type, X-Agent-Tat-Hash, X-Agent-Uat-Hash header
624ef45 to
49bb2d8
Compare
Summary
Add baseline risk-control headers to Lark CLI requests, including terminal, OS, device model, and TAT/UAT token fingerprints.
Changes
Test Plan
Related Issues
Summary by CodeRabbit
New Features
User-Agent,X-Agent-*terminal/device/OS metadata, andX-Agent-TAT-Hash/X-Agent-UAT-Hash.Bug Fixes
X-Agent-*headers when requests target non-allowed hosts.Tests