feat(sdk): detect if session.id is not a string (#50890) (#51055)

* feat(sdk): detect if session.id is not a string * use yup, also validate exp as we use it Co-authored-by: Nicolò Pretto <info@npretto.com>

feat(sdk): detect if session.id is not a string (#50890) (#51055)
9930ed8a · github-automation-metabase · GitHub · 489986cf · 9930ed8a · 9930ed8a
Unverified Commit 9930ed8a authored 3 months ago by github-automation-metabase Committed by GitHub 3 months ago
--- a/enterprise/frontend/src/embedding-sdk/store/auth.ts
+++ b/enterprise/frontend/src/embedding-sdk/store/auth.ts
+import * as Yup from "yup";
+
 import type {
  EmbeddingSessionToken,
  FetchRequestTokenFn,
@@ -121,8 +123,8 @@ export const refreshTokenAsync = createAsyncThunk(
          );
        }
      }
-      // Lastly if we don't have an error message or status, check if we actually got the session ID
-      if (!("id" in session)) {
+      // Lastly if we don't have an error message or status, check if we actually got the session ID and expiration
+      if (!sessionSchema.isValidSync(session)) {
        throw new Error(
          `The ${source} must return an object with the shape {id:string, exp:number, iat:number, status:string}, got ${safeStringify(session)} instead`,
        );
@@ -170,3 +172,10 @@ export const defaultGetRefreshTokenFn: FetchRequestTokenFn = async url => {
    return asText;
  }
 };
+
+const sessionSchema = Yup.object({
+  id: Yup.string().required(),
+  exp: Yup.number().required(),
+  // We should also receive `iat` and `status` in the response, but we don't actually need them
+  // as we don't use them, so we don't throw an error if they are missing
+});
--- a/enterprise/frontend/src/embedding-sdk/test/sdk-config-errors.unit.spec.tsx
+++ b/enterprise/frontend/src/embedding-sdk/test/sdk-config-errors.unit.spec.tsx
@@ -112,6 +112,20 @@ describe("SDK auth errors", () => {
      );
    });

+    it("should show a message when the auth provider returns the id as an object", async () => {
+      mockAuthUriProviderResponse({
+        body: { id: { id: "123" } },
+      });
+
+      await setup(defaultAuthUriConfig);
+
+      await waitForRequest(() => getLastAuthProviderApiCall());
+
+      await expectErrorMessage(
+        `The authProviderUri endpoint must return an object with the shape {id:string, exp:number, iat:number, status:string}, got`,
+      );
+    });
+
    it("should show a message when fetchRequestToken doesn't return a json object", async () => {
      const config = defineEmbeddingSdkConfig({
        ...defaultAuthUriConfig,