GraphQL: Migrate `signatureHtml` to structured data
Why are we doing this work
The `LastCommit` Vue component currently retrieves HTML from Rails and renders it. This is a potential XSS vector which we should remove by migrating the server-side HTML over to client-side Vue components. We previously tried to address this using `v-html-safe` which introduced a rendering bug. See !84862 (comment 908331969) for discussion.

To enable the frontend to begin constructing the HTML on the client side, we need to expose all the data used in the HTML via the GraphQL `LastCommitResolver`.
Implementation guide
- Add a new `CommitSignatureType` to `app/graphql/types/`. This will be a multi-type field with the following possible types:
  - `CommitSignatures::GpgSignatureType`
  - `CommitSignatures::X509SignatureType`
- Add `GpgSignatureType` to `app/graphql/types/commit_signatures/` which exposes the following fields:
  - `user`
  - `verification_status`
  - `commit_sha`
  - `project`
  - `gpg_key_user_name`
  - `gpg_key_user_email`
  - `gpg_key_primary_keyid`
- Add an `X509Certificate` type to `app/graphql/types/` which exposes the fields on the `X509Certificate` model
- Add an `X509Signature` type to `app/graphql/types/commit_signatures/` which exposes the following fields:
  - `user`
  - `verification_status`
  - `commit_sha`
  - `project`
  - `x509_certificate`
- Expose the `CommitSignatureType` through the `:signature` field on https://gitlab.com/gitlab-org/gitlab/-/blob/ed7496baa022608ab36a3609448fd861b8c49347/app/graphql/types/commit_type.rb
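
To show why structured data removes the XSS vector, the following added example (not GitLab's code) builds the signature markup on the client from the fields listed above and escapes every server-supplied value; in a Vue template, text interpolation does this escaping automatically. The camelCase field names, `__typename` values, status strings, CSS classes and the certificate `subject` field are assumptions.

```javascript
// Added example. Field names are the camelCase forms of the fields listed above;
// the __typename values, status strings and `subject` field are assumptions.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a value for use as HTML text or inside a quoted attribute.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Allow-list: only known statuses select a class and label; a Map avoids
// accidental hits on Object.prototype keys.
const STATUS = new Map([['VERIFIED', { cls: 'badge-success', label: 'Verified' }]]);
const FALLBACK = { cls: 'badge-muted', label: 'Unverified' };

// Pick the rows to show for each member of the signature union.
function signatureDetails(signature) {
  switch (signature.__typename) {
    case 'GpgSignature':
      return [
        ['GPG key ID', signature.gpgKeyPrimaryKeyid],
        ['Name', signature.gpgKeyUserName],
        ['Email', signature.gpgKeyUserEmail],
      ];
    case 'X509Signature':
      return [['Certificate subject', signature.x509Certificate?.subject]];
    default:
      throw new Error(`Unsupported signature type: ${signature.__typename}`);
  }
}

// Build the markup on the client; every server-supplied value is escaped.
function renderSignature(signature) {
  const { cls, label } = STATUS.get(signature.verificationStatus) ?? FALLBACK;
  const rows = signatureDetails(signature)
    .map(([name, value]) => `<dt>${name}</dt><dd>${escapeHtml(value)}</dd>`)
    .join('');
  return `<span class="${cls}">${label}</span><dl>${rows}</dl>`;
}

// Constructed sample: the key's user name carries markup.
const sample = {
  __typename: 'GpgSignature',
  verificationStatus: 'VERIFIED',
  gpgKeyPrimaryKeyid: 'PLACEHOLDER_KEY_ID',
  gpgKeyUserName: '<script>alert(1)</script>',
  gpgKeyUserEmail: 'dev@example.com',
};
console.log(renderSignature(sample));
```
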
Verification steps
- Paste the following query:

  To be added by implementer
- Verify that the output contains the new signature data
Edited by Brian Williams