Snj 34 person binding #39
Conversation
|
| GitGuardian id | GitGuardian status | Secret | Commit | Filename | |
|---|---|---|---|---|---|
| 8171466 | Triggered | Generic High Entropy Secret | 9d876b1 | packages/sdk/test/infrastructure/resources/valid/PresentationSubmissionMocks.ts | View secret |
| 8171466 | Triggered | Generic High Entropy Secret | 819893e | packages/sdk/test/infrastructure/resources/valid/PresentationSubmissionMocks.ts | View secret |
| 8171466 | Triggered | Generic High Entropy Secret | 454f48c | packages/sdk/test/infrastructure/resources/valid/PresentationSubmissionMocks.ts | View secret |
| 5533133 | Triggered | Generic High Entropy Secret | 2edc5ce | packages/sdk/test/infrastructure/resources/valid/DeepLinkMocks.ts | View secret |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secrets safely. Learn here the best practices.
- Revoke and rotate these secrets.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future consider
- following these best practices for managing and storing secrets including API keys and other credentials
- install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
Our GitHub checks need improvements? Share your feedbacks!
| let result: JSONObject = { | ||
| [VCLSubmission.KeyJti]: this.jti, | ||
| [VCLSubmission.KeyIss]: this.iss, | ||
| [VCLSubmission.KeyIss]: iss ? iss : this.iss, |
There was a problem hiding this comment.
the iss property should be removed from VCLSubmission, please see
https://github.com/velocitycareerlabs/WalletAndroid/blob/main/VCL/src/main/java/io/velocitycareerlabs/api/entities/VCLSubmission.kt
There was a problem hiding this comment.
The method in Android project have iss property in it, should I remove it anyway?
packages/sdk/src/impl/data/infrastructure/db/SecretStoreServiceImpl.ts
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Should be implemented as an injected service
https://velocitycareerlabs.atlassian.net/browse/SNJ-36
packages/sdk/src/impl/jwt/local/VCLJwtVerifyServiceLocalImpl.ts
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Recently we decided that the SDK will provide only injected implementation of crypto services. So VCLCryptoServicesDescriptor will contain only VCLInjectedCryptoServicesDescriptor, which must be mandatory.
See the decription in https://velocitycareerlabs.atlassian.net/browse/SNJ-36
| constructor( | ||
| public readonly keyService: VCLKeyService, | ||
| public readonly jwtSignService: VCLJwtSignService, | ||
| public readonly jwtVerifyService: Nullish<VCLJwtVerifyService> |
There was a problem hiding this comment.
jwtVerifyService should not be nullable, because there is alternative option for verification.
packages/sdk/src/impl/VCLImpl.ts
Outdated
| @@ -206,11 +260,13 @@ export class VCLImpl implements VCL { | |||
| }; | |||
|
|
|||
| submitPresentation = async ( | |||
| presentationSubmission: VCLPresentationSubmission | |||
| presentationSubmission: VCLPresentationSubmission, | |||
| didJwk: Nullish<VCLDidJwk> | |||
There was a problem hiding this comment.
didJwk should be non-nullable
chore: add verifiable profile to presentation request
…et-sdk-nodejs into SNJ-34-person-binding
…et-sdk-nodejs into SNJ-34-person-binding
…reerlabs/vnf-wallet-sdk-nodejs into SNJ-34-person-binding
No description provided.