added single sign on functionality to autoaudit#95
Conversation
…sign up pages both allow the users to sign in using Google.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 1bc3648dc7
du-dhartley
left a comment
There are a couple of things to clarify and a couple of comments to resolve around the storage of credentials.
Having a password for a locally running container that is not used by anything else is low risk. However, credentials for a globally accessible service, whether for development or otherwise, shouldn't be committed to the codebase, and these should be rotated after they have been removed from git (the client secret and the Gmail password).
docker-compose.yml
Outdated
| # Google OAuth (SSO) - set these after creating credentials in Google Cloud Console | ||
| - GOOGLE_OAUTH_CLIENT_ID=237734019606-8lft9r71d02ljcegsq4d6huglh8ke151.apps.googleusercontent.com | ||
| - GOOGLE_OAUTH_CLIENT_SECRET=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 |
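Review bot: The GOOGLE_OAUTH_CLIENT_SECRET line commits a live OAuth client secret in plain text to docker-compose.yml; since this repository is public, the value is already exposed and must be rotated in Google Cloud Console, not just deleted. Keep the non-secret GOOGLE_OAUTH_CLIENT_ID in the file if convenient, but load the secret from an untracked file (for example `env_file: .env` with `.env` in `.gitignore`) or a secrets store, and replace the literal with a placeholder in the comment that already tells users to "set these after creating credentials".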
The client ID is OK here, but the client secret shouldn't be in the docker compose YAML (this repository is public).
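As an added illustration of the fix being asked for (this is example configuration, not the project's own docker-compose.yml), the weak pattern from the hunk is shown commented out beside a version that keeps the public client ID in the committed file and reads the secret from an untracked `.env`. The service name `app` and the placeholder values are assumptions; only the two variable names come from the hunk.

```yaml
# Added example, not autoaudit's compose file. Service name "app" is assumed.
services:
  app:
    # Weak (what the hunk does): a real secret literal in a public repo.
    # environment:
    #   - GOOGLE_OAUTH_CLIENT_SECRET=GOCSPX-<redacted>   # never commit this
    environment:
      # Google OAuth (SSO) - the client ID is a public identifier, safe to commit.
      - GOOGLE_OAUTH_CLIENT_ID=REPLACE_ME.apps.googleusercontent.com
    # The secret lives in .env, which is listed in .gitignore and never committed.
    # Compose reads KEY=VALUE lines from it and injects them into the container:
    #   .env:  GOOGLE_OAUTH_CLIENT_SECRET=GOCSPX-<your rotated secret>
    env_file:
      - .env
```

A committed `.env.example` containing only the variable names (no values) gives contributors the list of settings they need without the secret itself. Because the original secret is already in git history, removing the line is not sufficient; the credential has to be regenerated in Google Cloud Console and the old one revoked, as the review comment above requests.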
docs/GETTING_STARTED.md
Outdated
| ```bash | ||
| docker compose --profile all up -d | ||
| ``` | ||
| - Google SSO test user email: `autoauditdev@gmail.com` |
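Review bot: The `Google SSO test user email` line publishes a shared test account in a public Markdown file; together with its password (mentioned in the review below) this is a working credential for a Google account. Remove the account details from docs/GETTING_STARTED.md, keep only the procedure (which page to open, which button to click), and hand the test login to contributors through a private channel.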
Both the email and the password shouldn't be in this Markdown file; we need to come up with a more secure way to communicate how to log in to this.
Yes, I agree. Maybe we could have a separate private repository for storing the necessary credentials, or a dedicated SharePoint service where we do the same. Let me know what sounds better and we can take action.
| title: "Ensure Compliance", | ||
| description: | ||
| "Stay aligned with CIS, NIST, ISO 27001, SOC 2, and other regulatory frameworks.", | ||
| "Stay aligned with cybersecurity frameworks as they get updated wit ease", |
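Review bot: The replacement description string has a typo (`wit ease` should be `with ease`) and drops the concrete framework names (CIS, NIST, ISO 27001, SOC 2) that the removed line listed, which made the feature card more informative; consider keeping them, e.g. "Stay aligned with CIS, NIST, ISO 27001, SOC 2 and other frameworks as they are updated, with ease".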
Typo here: should be "updated with ease".
… the codebase for all contributors to copy from when testing sso locally
… into integrating-single-sign-on/google-and-microsoft
Single sign-on has now been integrated into both the sign-in and the sign-up pages. We are only supporting Google at the moment, and in a scenario where a new user created their account using the SSO functionality, their (unique) email address is stored as their username in autoaudit.