Refactor auth token fetching #291
Conversation
cogs/get_token_authorisation.py
Outdated
| guest_role = await ctx.bot.guest_role | ||
| MAKE_EPHEMERAL: bool = True | ||
|
|
||
| if "committee" in ctx.channel.name.lower(): |
There was a problem hiding this comment.
This is an insecure way of checking if the message should be ephemeral. The name of a channel has no bearing on whether the channel is actually only accessible to committee members. Although it would be foolish for users to name a channel containing committee yet allow others to read it, we have an obligation to ensure security despite the stupidity of users.
I would also argue that a channel that has permissions set to only allow committee to read it, yet does not have the word "committee" in the channel's name should be allowed to not have messages sent ephemerally, whereas this check would prevent it.
There was a problem hiding this comment.
I mean to a certain extent I think we could just remove the check entirely and leave the responsibility of determining whether it should be ephemeral or not up to the committee member running the command. Could be in the form of an argument or just two commands.
| logger.debug( | ||
| "No admin table was found, meaning the token provided " | ||
| "does not have admin access to any societies.", | ||
| if isinstance(page_title, bs4.NavigableString) and "Login" in page_title or "Login" in page_title.string: # type: ignore[operator, union-attr] # noqa: E501 |
There was a problem hiding this comment.
Flip guard clause check & improve invalid type handling rather than ignoring errors.
Fix:
BAD_TOKEN_MESSAGE: Final[str] = (
"Unable to fetch profile page because the token was not valid."
)
profile_page_invalid_message: str | None = None
if isinstance(page_title, bs4.Tag):
if not hasattr(page_title, "string"):
profile_page_invalid_message = "Profile page had invalid format"
else:
title_string: object = getattr(page_title, "string")
if not isinstance(title_string, str):
raise TypeError
if "login" in title_string.lower():
profile_page_invalid_message = BAD_TOKEN_MESSAGE
elif isinstance(page_title, bs4.NavigableString):
if "login" in page_title.lower():
profile_page_invalid_message = BAD_TOKEN_MESSAGE
else:
raise TypeError
if profile_page_invalid_message is not None:
logger.warning(profile_page_invalid_message)
await ctx.respond(content=profile_page_invalid_message)
return(This could be improved by using Python's new match-case statement, but that's not too big of an issue)
CarrotManMatt
added
bug
No description provided.