Add composite identity verification to Duo Code Review API

What does this MR do and why?

  • This change adds security validation to prevent direct API access and spoofing attacks on the code review comments endpoint.
  • The endpoint now verifies that requests come through Duo Workflow Service using composite identity, where a service account (e.g. duo-developer) acts on behalf of a human user.

Security improvements:

  • Blocks direct API calls from regular users
  • Blocks direct API calls from service accounts without composite identity
  • Prevents users from crafting malicious review comments by calling the API directly

How to set up and validate locally

  • Follow the steps to reproduce section and validate that unauthorized users can no longer spoof AI code review comments. The API should now return 404 Not Found when the feature flag is disabled or 403 Forbidden when proper authorization requirements are not met.
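The authorization decision described above, written out as an added Ruby example. This is not GitLab's own code or API; ReviewRequest, its fields and authorize_review_comment are assumptions made here to illustrate how the endpoint should answer each class of caller (feature flag off, regular user, service account without a composite identity, service account acting for a human).

```ruby
# Added example, not GitLab's implementation. It models the composite-identity
# gate for the Duo Code Review comments endpoint: the endpoint is hidden (404)
# while its feature flag is off, and only a service account that acts on behalf
# of a human user (composite identity) may post review comments; anyone else
# calling the API directly gets 403.

# Constructed request context; the field names are assumptions for this example.
ReviewRequest = Struct.new(
  :current_user,     # authenticated principal making the call (a username here)
  :service_account,  # true when current_user is a service account, e.g. duo-developer
  :composite_user,   # human user the service account acts on behalf of, or nil
  :feature_enabled,  # state of the feature flag guarding the endpoint
  keyword_init: true
)

# Returns the HTTP status the endpoint should respond with.
def authorize_review_comment(request)
  # With the flag off the endpoint behaves as if it did not exist.
  return 404 unless request.feature_enabled

  # A regular user (human or otherwise non-service principal) calling the API
  # directly is rejected, which is what blocks hand-crafted "AI" review comments.
  return 403 unless request.service_account

  # A service account without a composite identity has no human it acts for,
  # so the request cannot have come through Duo Workflow Service.
  return 403 if request.composite_user.nil? || request.composite_user.empty?

  200
end

# Constructed scenarios covering each branch, so the decision table is visible.
def decision_table
  {
    flag_off: authorize_review_comment(ReviewRequest.new(
      current_user: 'duo-developer', service_account: true,
      composite_user: 'alice', feature_enabled: false)),
    regular_user: authorize_review_comment(ReviewRequest.new(
      current_user: 'mallory', service_account: false,
      composite_user: nil, feature_enabled: true)),
    service_account_no_composite: authorize_review_comment(ReviewRequest.new(
      current_user: 'duo-developer', service_account: true,
      composite_user: nil, feature_enabled: true)),
    composite_identity: authorize_review_comment(ReviewRequest.new(
      current_user: 'duo-developer', service_account: true,
      composite_user: 'alice', feature_enabled: true)),
  }
end

if __FILE__ == $PROGRAM_NAME
  decision_table.each { |scenario, status| puts "#{scenario}: #{status}" }
end
```

The order of the checks matters: the feature-flag check comes first so that a disabled endpoint reveals nothing about its authorization rules, and a service account is still rejected unless it carries the human it acts for, which is the property the MR is adding.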

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #578840

Edited by Kinshuk Singh
