[DevPortal] Fix distribution and configs#2734
Conversation
|
Warning Review limit reached
Next review available in: 17 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (44)
📝 WalkthroughWalkthroughThe Developer Portal now uses explicit configuration interpolation and fail-closed secrets, generated local TLS and admin credentials, simplified Docker Compose services, external sample seeding, removed demo onboarding, and updated standalone distribution packaging and documentation. ChangesDeveloper Portal standalone runtime
Estimated code review effort: 4 (Complex) | ~45 minutes Sequence Diagram(s)sequenceDiagram
participant setup.sh
participant DockerCompose
participant platform-api
participant devportal
setup.sh->>setup.sh: Generate secrets and TLS files
DockerCompose->>platform-api: Start with env file and mounted certificates
DockerCompose->>devportal: Start with env file and mounted certificates
platform-api-->>devportal: Healthcheck succeeds
devportal->>devportal: Validate configuration and TLS files
Possibly related PRs
Suggested reviewers: 🚥 Pre-merge checks | ✅ 3 | ❌ 2❌ Failed checks (2 warnings)
✅ Passed checks (3 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
…ile }} config interpolation
…cates under resources/, add setup.sh script dir
There was a problem hiding this comment.
Actionable comments posted: 9
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
portals/developer-portal/src/config/configLoader.js (1)
220-224: 🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick winPreserve each field’s declared type during interpolation.
This converts every numeric-looking string into a
Number; values such as numeric usernames, IDs, passwords, or zero-prefixed keys are altered or lose precision. Coerce according to the corresponding configuration schema/default type, or introduce explicitly typed helpers.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@portals/developer-portal/src/config/configLoader.js` around lines 220 - 224, Update coerceValue and its interpolation call sites to preserve each field’s declared schema/default type instead of converting every numeric-looking string to Number. Coerce only when the corresponding configuration field is explicitly boolean or numeric; retain strings unchanged for identifiers, passwords, zero-prefixed values, and other string-typed fields.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@portals/developer-portal/configs/config-platform-api-template.toml`:
- Around line 19-25: Update the manual setup instruction in the configuration
comment to direct operators to place both generated values in api-platform.env
instead of keys.env, matching setup.sh and the env lookups already described.
In `@portals/developer-portal/configs/config.toml`:
- Around line 70-72: Update the `insecure` setting in the Platform API
configuration to default to `false` instead of `true`, while preserving the
existing environment-variable override and certificate trust behavior.
- Around line 69-71: Update the local authentication configuration around
base_url and jwt_secret so the Platform API JWT verification key is required
when idp.clientId is empty. Remove the empty-string fallback for
APIP_DP_PLATFORMAPI_JWTSECRET or add conditional startup validation that fails
when local authentication is active without the key, while preserving non-local
authentication behavior.
In `@portals/developer-portal/scripts/seed-samples.sh`:
- Around line 88-89: Update the login request in the TOKEN assignment to
URL-encode both ADMIN_USERNAME and ADMIN_PASSWORD using curl’s --data-urlencode
options, while preserving the existing authentication endpoint and token
extraction.
- Around line 98-113: Update the temporary archive setup in the sample seeding
flow to create a private temporary directory with mktemp -d, then write the ZIP
inside that directory without deleting and reusing a temporary file path. Use
the resulting archive path for the curl upload and clean up the temporary
directory after the request completes.
In `@portals/developer-portal/scripts/setup.sh`:
- Around line 137-144: Update the JWT secret provisioning flow around
APIP_CP_AUTH_JWT_SECRET_KEY and APIP_DP_PLATFORMAPI_JWTSECRET so both aliases
are validated and provisioned atomically. Detect differing existing values and
fail with clear rotation instructions, or generate/reuse one secret and write
the same value to both entries together; do not let set_env_var preserve a stale
Developer Portal value.
- Around line 75-86: Update the setup flow around touch "$ENV_FILE" to enforce
mode 0600 for the generated environment file, and change CERT_FILE_MODE from 644
to owner/group-restricted permissions for key.pem. Ensure the container can
still read the mounted key by adjusting its ownership or using Docker secrets,
without leaving either secret globally readable.
- Around line 211-215: Update the admin credential provisioning logic around
APIP_CP_ADMIN_USERNAME and the corresponding password-hash variable to validate
them as a pair. Provision both credentials when neither exists, preserve both
when present, and explicitly fail when exactly one is set; ensure
CREDENTIALS_PROVISIONED reflects the pair’s valid state.
- Line 233: Update the ADMIN_HASH generation around docker run to provide
ADMIN_PASSWORD through standard input rather than exposing it as a command-line
argument, while preserving htpasswd output handling. In the fresh-provisioning
password display logic, print a generated password only when both stdin and
stdout are interactive; suppress it for non-interactive CI runs.
---
Outside diff comments:
In `@portals/developer-portal/src/config/configLoader.js`:
- Around line 220-224: Update coerceValue and its interpolation call sites to
preserve each field’s declared schema/default type instead of converting every
numeric-looking string to Number. Coerce only when the corresponding
configuration field is explicitly boolean or numeric; retain strings unchanged
for identifiers, passwords, zero-prefixed values, and other string-typed fields.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 4e38d18f-4cbe-437c-90af-0aa32976eb75
📒 Files selected for processing (44)
portals/developer-portal/.dockerignoreportals/developer-portal/.gitignoreportals/developer-portal/Dockerfileportals/developer-portal/Makefileportals/developer-portal/README.mdportals/developer-portal/configs/config-platform-api-template.tomlportals/developer-portal/configs/config-template.tomlportals/developer-portal/configs/config.tomlportals/developer-portal/database/schema.postgres.sqlportals/developer-portal/distribution/README.mdportals/developer-portal/distribution/docker-compose.yamlportals/developer-portal/docker-compose.override.yamlportals/developer-portal/docker-compose.platform-api.yamlportals/developer-portal/docker-compose.yamlportals/developer-portal/docker-entrypoint.shportals/developer-portal/docs/administer/manage-organizations.mdportals/developer-portal/docs/introduction/quick-start.mdportals/developer-portal/it/configs/config-platform-api-it.tomlportals/developer-portal/it/docker-compose.test.postgres.yamlportals/developer-portal/it/docker-compose.test.yamlportals/developer-portal/it/test-config.tomlportals/developer-portal/package.jsonportals/developer-portal/scripts/seed-samples.shportals/developer-portal/scripts/setup.shportals/developer-portal/seeders/seed-apis.shportals/developer-portal/src/app.jsportals/developer-portal/src/config/configDefaults.jsportals/developer-portal/src/config/configLoader.jsportals/developer-portal/src/controllers/apiContentController.jsportals/developer-portal/src/controllers/orgContentController.jsportals/developer-portal/src/controllers/viewConfigureController.jsportals/developer-portal/src/dao/apiDao.jsportals/developer-portal/src/defaultContent/pages/home/page.hbsportals/developer-portal/src/defaultContent/pages/home/partials/onboarding-overlay.hbsportals/developer-portal/src/pages/settings/partials/cfg-apis-panel.hbsportals/developer-portal/src/routes/pages/apiContentRoute.jsportals/developer-portal/src/scripts/onboarding-overlay.jsportals/developer-portal/src/scripts/settings-apis.jsportals/developer-portal/src/server.jsportals/developer-portal/src/services/apiMetadataService.jsportals/developer-portal/src/services/sampleSeederService.jsportals/developer-portal/src/utils/util.jsportals/developer-portal/tools/drift_check.jsportals/developer-portal/tools/generate-ddl.js
💤 Files with no reviewable changes (13)
- portals/developer-portal/distribution/docker-compose.yaml
- portals/developer-portal/src/scripts/onboarding-overlay.js
- portals/developer-portal/src/pages/settings/partials/cfg-apis-panel.hbs
- portals/developer-portal/seeders/seed-apis.sh
- portals/developer-portal/src/defaultContent/pages/home/partials/onboarding-overlay.hbs
- portals/developer-portal/src/server.js
- portals/developer-portal/src/routes/pages/apiContentRoute.js
- portals/developer-portal/src/utils/util.js
- portals/developer-portal/src/services/sampleSeederService.js
- portals/developer-portal/src/controllers/orgContentController.js
- portals/developer-portal/src/defaultContent/pages/home/page.hbs
- portals/developer-portal/src/controllers/apiContentController.js
- portals/developer-portal/src/scripts/settings-apis.js
Purpose
This PR fixes distribution with secret generation and sample seeder scripts. Also, included a config restructure to use
{{ env "value" "default" }}and{{ file "/path" "value" }}convention.Security checks