push_to_review_firm.yml: strip refreshToken to stop silent CONFIG_JSON poisoning#29
push_to_review_firm.yml: strip refreshToken to stop silent CONFIG_JSON poisoning#29michieldegezelle wants to merge 2 commits into
Conversation
There was a problem hiding this comment.
Claude Code Review
This repository is configured for manual code reviews. Comment @claude review for a one-time review, or @claude review always to subscribe this PR to a review on every future push.
Tip: disable this comment in your organization's Code Review settings.
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
WalkthroughThe review workflow now sanitizes the generated Silverfin configuration by clearing ChangesConfiguration token sanitization
Estimated code review effort: 1 (Trivial) | ~5 minutes Possibly related PRs
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
Problem
push_to_review_firm.yml(#24) documents itself as read-only onCONFIG_JSON— "never refreshes tokens and never writes the secret back." That's true of the workflow script, but not of the silverfin-cli it shells out to:axiosFactory.js's response interceptor transparently refreshes the access token on any 401, for any command, and persists the rotated pair only to the local~/.silverfin/config.jsonon the runner (discarded when the job ends).Since this workflow is dispatched frequently and at unpredictable times (a Jira button, not tied to PR activity) and is chatty against one firm (per-template updates + a full
add-shared-part --allsweep), a run whose access token happens to be near/at its ~2h expiry silently rotates the refresh token server-side and throws the new pair away — leavingCONFIG_JSONholding an already-consumed refresh token. The next thing to use it (check_auth.yml's explicit refresh, the secret's sole writer) getsinvalid_grant.This is what happened to firm 400583 twice in two days (
be_marketruns29314984998/29318715898, 2026-07-14). Fixed manually via re-authorization, but the mechanism was still live.Fix
Blank every firm's
refreshTokenin the loaded local config before any CLI command runs (same mechanism already validated for the read-only test-runner inbe_market'srun_tests_TEST.yml). Effect:CONFIG_JSON's real refresh token is never touched.Trades "silently corrupts a secret shared by every other consumer" for "this one push occasionally needs a retry."
Validation
Live-tested against
be_market(throwaway PR #3028, closed after validation; firm 1355):400 Bad Request/ "Error refreshing credentials"), PR comment showed the failure legibly.check_auth.ymlrefresh — all 8 firms inbe_market'sCONFIG_JSON, including 1355, refreshed successfully. The forced-401 run never touched the real secret.Not in scope here (tracked separately)
test-templates(run_tests.yml) — same theoretical exposure, not yet exercised hard enough to manifest.be_market-local scheduled refresh wrapper to shrink the staleness window further (optional reliability improvement, not a correctness requirement — this fix is safe without it).