Details

    • Type: Feature Request
    • Status: In Development
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Core
    • Labels:
    • HLE (1 man day = 8 hrs):
      15

      Description

      I think we need to back up a second and revisit the security of our WebAPI layer.

      Specifically I looked through the new Cash Management stuff (like Mobile/Areas/Financial/Mx.Financial.Services/CommandServices/TransactionCashDepositCommandService.cs) and 2 things jump out at me:

      1) We did not add any Permission directives, so any logged in User would be able to run this stuff even without permission if they knew how to use Postman or ARC.

      2) We are not really validating that the logged in user actually has access to the Entity they are making calls for. I think this might be a problem in most places, but I feel like a bad actor could start sending us API calls for any EntityId or random object Id and potentially start manipulating objects they should not have access to.

      As a developer, I'd like to have a thoughtful, consistent organization to the routes used by the API so that it is easier to navigate the endpoints available. I'd also like to have a consistent way that routes are defined in code so that code is easier to find and maintain.

      1) Missing Routings
      Especially for Swagger enhancement we should definitely tackle all the missing routing. Please review the following documentation.

      https://fourthlimited.atlassian.net/wiki/spaces/RBCD/pages/1707018654/Mobile+Swagger+Api+Documentation

      2) Define MxConnect API routing standards
      We need to come up with some standard way of defining API routings.
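      The following is an added illustration, not code from the MxConnect code base, of what points 1) and 2) of the security concern above and the routing standard asked for here could look like in an ASP.NET Web API controller: an explicit permission requirement on the action, a check that the logged-in user is actually allowed to act on the EntityId in the request before any command service runs, and an entity-scoped route prefix. RequirePermissionAttribute, IEntityAccessService, CashDepositRequest and the permission name "CashManagement.Deposit" are assumed names for the purpose of the example; the project's own permission and entity-access types would be used in practice.

```csharp
// Added example; not part of the MxConnect project. RequirePermissionAttribute,
// IEntityAccessService, CashDepositRequest and the permission name are assumptions.
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// 1) Permission check: rejects any authenticated caller who does not hold the named
//    permission claim. Without a filter like this, any logged-in user can call the
//    action directly with a tool such as Postman.
public sealed class RequirePermissionAttribute : AuthorizationFilterAttribute
{
    private readonly string _permission;

    public RequirePermissionAttribute(string permission) => _permission = permission;

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        var principal = actionContext.RequestContext.Principal as ClaimsPrincipal;
        if (principal?.Identity?.IsAuthenticated != true)
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
            return;
        }
        if (!principal.HasClaim("permission", _permission))
        {
            // 403: the user is known but is not allowed to perform this action.
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
        }
    }
}

// 2) Entity check: the caller must be allowed to act on the specific EntityId in the
//    request, not merely hold the permission somewhere. (Hypothetical interface; the
//    implementation would consult the user's entity assignments.)
public interface IEntityAccessService
{
    Task<bool> UserCanAccessEntityAsync(ClaimsPrincipal user, int entityId);
}

public sealed class CashDepositRequest
{
    public int EntityId { get; set; }
    public decimal Amount { get; set; }
}

// Routing standard: every entity-scoped resource lives under api/entities/{entityId}/...
[Authorize]
[RoutePrefix("api/entities/{entityId:int}/cash-deposits")]
public class CashDepositController : ApiController
{
    private readonly IEntityAccessService _entityAccess;

    public CashDepositController(IEntityAccessService entityAccess) => _entityAccess = entityAccess;

    [HttpPost, Route("")]
    [RequirePermission("CashManagement.Deposit")] // assumed permission name
    public async Task<IHttpActionResult> Post(int entityId, CashDepositRequest request)
    {
        // The body must refer to the same entity as the route, so a caller cannot pass
        // the route check for one entity and act on another via the payload.
        if (request == null || request.EntityId != entityId)
            return BadRequest("EntityId in body must match the route.");

        // Object-level authorization: refuse before touching the command service.
        var user = (ClaimsPrincipal)RequestContext.Principal;
        if (!await _entityAccess.UserCanAccessEntityAsync(user, entityId))
            return StatusCode(HttpStatusCode.Forbidden); // NotFound() is an alternative if entity ids should not be confirmed

        // ... dispatch to the cash deposit command service here ...
        return Ok();
    }
}
```

      The two checks are deliberately separate: the permission filter answers "may this user perform deposits at all", and the entity check answers "may this user perform them for this EntityId". Point 2) of the concern above is exactly the gap left when only the first question is asked, so the entity check should be applied by default to every entity-scoped action rather than added case by case.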

      3) Make sure not to break REST API outside calls
      The riskiest part of this is that some of our APIs are getting called from outside of MxConnect.

      I have found the following code is calling MxConnect APIs. So when we are making the changes we need to make sure we are not breaking the outside calls.

      We may need to check whether there are any other possible calls.

      ~\inform\AreaPackages\Mx.Administration.Services\DayCharacteristicRestClient.cs
      ResourceURI = MxResourceUris.Entity(entityId).DayCharacteristic(businessDay).Uri;
      ResourceURI = MxResourceUris.Entity(entityId).DayCharacteristic(businessDay).Uri;

      ~\inform\AreaPackages\Mx.Forecasting.Services\ForecastEventRestClient.cs
      ResourceURI = MxResourceUris.Entity(entityId).ForecastEvent().Uri;

      ~\inform\AreaPackages\Mx.Forecasting.Services\FutureOrderRestClient.cs
      ResourceURI = MxResourceUris.Entity(entityId).FutureOrder().Uri;
      ResourceURI = MxResourceUris.Entity(entityId).FutureOrder(businessDay).Uri;
      ResourceURI = MxResourceUris.Entity(entityId).FutureOrder(startDate, endDate).Uri;
      ResourceURI = MxResourceUris.Entity(entityId).FutureOrder(startDate, endDate, statusTypes, excludeMobileOrders).Uri;

      ~\inform\AreaPackages\Mx.Forecasting.Services\ForecastRestClient.cs
      ResourceURI = MxResourceUris.Entity(entityId).ForecastGeneration().Uri;
      ResourceURI = MxResourceUris.Entity(entityId).GetCurrentForecastHeaderForBusinessDay(businessDay).Uri;
      ResourceURI = MxResourceUris.Entity(entityId).GetCurrentForecastHeadersForBusinessDayRange(startDate, endDate).Uri;
      ResourceURI = MxResourceUris.Entity(entityId).Forecast(mostRecentForecastId).Metrics(filterId: filterId, includeActuals: includeActuals).Uri;
      MxResourceUris.Entity(entityId)
      ResourceURI = MxResourceUris.Entity(entityId).Forecast(mostRecentForecastId).SalesItem(salesItemId, includeActuals, aggregate, filterId).Uri;
      ResourceURI = MxResourceUris.Entity(entityId).Forecast(mostRecentForecastId).SalesItem(salesItemIds, aggregate, filterId).Uri;
      ResourceURI = MxResourceUris.Entity(entityId).Forecast(mostRecentForecastId).InventoryItem(itemId, includeActuals, aggregate, filterId).Uri;
      ResourceURI = MxResourceUris.Entity(entityId).Forecast(mostRecentForecastId).InventoryItems(itemIds, aggregate, filterId).Uri;
      ResourceURI = MxResourceUris.Entity(entityId).Forecast(forecastId).Metrics().Uri;
      ResourceURI = MxResourceUris.Entity(entityId).Forecast((Object)businessDay).SalesItemSystemAdjustments().Uri;
      ResourceURI = MxResourceUris.Entity(entityId).Forecast((Object)businessDay).SystemAdjustment().Uri;
      ResourceURI = MxResourceUris.Entity(entityId).SystemForecastGeneration().Uri;

      ~\inform\Mx.Core.Services\NotificationsRestClient.cs
      ResourceURI = MxResourceUris.Entity(notification.EntityId).Notifications().Uri;

      ~\inform\Mx.Core.Services\ReportMeasureRestClient.cs
      ResourceURI = MxResourceUris.Entity(entityId).GenerateOnDemand().Uri;

      ~\inform\Mx.Administration.Services\HelpArticleService.cs
      ResourceURI = new HelpArticleUri(url).Uri;
      ResourceURI = new HelpArticleUri(NormalizeUrl(url)).Uri;

      ~\inform\Mx.Inventory.Services\RestClient\OrderRestClient.cs
      ResourceURI = MxResourceUris.Entity(entityId).Order(supplyOrderRequest).Uri;
      ResourceURI = MxResourceUris.Entity(entityId).ScheduledOrder(startDate, actionItemId, actionItemInstanceId).Uri;

      4) Assumptions
      We need a full regression after having these changes.

              People

              • Assignee:
                Unassigned
                Reporter:
                neha.shah Neha Shah (Inactive)
              • Watchers:
                1