[WIP] AuthZen API Implementation #240
base: main
Co-authored-by: Maria Ines Parnisari <maria.inesparnisari@okta.com>
make CheckError types snake case
The old one has been deprecated and is causing CI errors as can be seen here: https://github.com/openfga/api/actions/runs/12349913805/job/34484604530?pr=211
* Add name as a filter for ListStores * Add validation and openapi annotations * Skip validation on empty name * Add description
* add pattern restriction on continuation_tokens * update continuation_token regex to be specific to url base64
* chore: remove lingering comment in proto defn * fix regex pattern to allow empty continuation token
…oto (#178) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.64.0 to 1.64.1. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.64.0...v1.64.1) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…dates (#217) Bumps the dependencies group with 3 updates in the / directory: [actions/checkout](https://github.com/actions/checkout), [bufbuild/buf-setup-action](https://github.com/bufbuild/buf-setup-action) and [swaggerexpert/swagger-editor-validate](https://github.com/swaggerexpert/swagger-editor-validate). Updates `actions/checkout` from 4.1.3 to 4.2.2 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@1d96c77...11bd719) Updates `bufbuild/buf-setup-action` from 1.34.0 to 1.48.0 - [Release notes](https://github.com/bufbuild/buf-setup-action/releases) - [Commits](bufbuild/buf-setup-action@35c243d...1115d0a) Updates `swaggerexpert/swagger-editor-validate` from 1.4.1 to 1.4.2 - [Release notes](https://github.com/swaggerexpert/swagger-editor-validate/releases) - [Commits](swaggerexpert/swagger-editor-validate@db517d5...e8e51db) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies - dependency-name: bufbuild/buf-setup-action dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies - dependency-name: swaggerexpert/swagger-editor-validate dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Add regex to assert that read API's user field (if specified) must have both type and object. Close openfga/openfga#2189
* fix(api): add max 50 batch check by default note * comment fix * after daniel review * add spacing
) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.26.0 to 0.36.0. - [Commits](golang/net@v0.26.0...v0.36.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* "chore: updating SECURITY-INSIGHTS" * "chore: updating SECURITY-INSIGHTS" * "chore: updating SECURITY-INSIGHTS" * "chore: updating SECURITY-INSIGHTS" * "chore: updating SECURITY-INSIGHTS" * "chore: updating SECURITY-INSIGHTS" * "chore: updating SECURITY-INSIGHTS" * "chore: updating SECURITY-INSIGHTS"
…dates (#223) Bumps the dependencies group with 2 updates in the / directory: [bufbuild/buf-setup-action](https://github.com/bufbuild/buf-setup-action) and [swaggerexpert/swagger-editor-validate](https://github.com/swaggerexpert/swagger-editor-validate). Updates `bufbuild/buf-setup-action` from 1.48.0 to 1.50.0 - [Release notes](https://github.com/bufbuild/buf-setup-action/releases) - [Commits](bufbuild/buf-setup-action@1115d0a...a47c93e) Updates `swaggerexpert/swagger-editor-validate` from 1.4.2 to 1.5.1 - [Release notes](https://github.com/swaggerexpert/swagger-editor-validate/releases) - [Commits](swaggerexpert/swagger-editor-validate@e8e51db...264fd87) --- updated-dependencies: - dependency-name: bufbuild/buf-setup-action dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies - dependency-name: swaggerexpert/swagger-editor-validate dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ncies group (#230) chore(deps): bump actions/checkout in the dependencies group Bumps the dependencies group with 1 update: [actions/checkout](https://github.com/actions/checkout). Updates `actions/checkout` from 4.2.2 to 4.3.0 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@11bd719...08eba0b) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 4.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ons (#233) * OpenFGA API Protobuf for Idempotent Writes * Update openfga/v1/openfga_service.proto Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * CodeReview fixes * CodeReview fixes * changing on_missing and on_duplicate to string value instead of Enum for proper JSON values * Make sure on_duplicate, on_missing are optional params --------- Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
…ncies group (#232) chore(deps): bump actions/checkout in the dependencies group Bumps the dependencies group with 1 update: [actions/checkout](https://github.com/actions/checkout). Updates `actions/checkout` from 4.3.0 to 5.0.0 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@08eba0b...08c6903) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: dependencies ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(docs): update README
Review skipped: auto incremental reviews are disabled on this repository. Please check the settings in the CodeRabbit UI.
Walkthrough
This PR introduces an AuthZEN service with comprehensive authorization evaluation, search, and PDP discovery endpoints via new protocol buffers. Concurrently, it extends the OpenFGA service with idempotency controls, tightens request/response validation patterns, and updates CI/CD workflows, security configurations, and documentation accordingly.
Sequence Diagrams
```mermaid
sequenceDiagram
    participant Client
    participant AuthZenService
    participant Storage
    participant Config
    rect rgb(200, 220, 240)
    note over Client,Config: Evaluation Flow
    Client->>AuthZenService: Evaluation(subject, resource, action, context)
    AuthZenService->>Storage: Query authorization model & relationships
    Storage-->>AuthZenService: Model + relationships
    AuthZenService->>AuthZenService: Evaluate decision (context applied)
    AuthZenService-->>Client: EvaluationResponse(allowed, context)
    end
    rect rgb(220, 240, 200)
    note over Client,Config: Batch Evaluations Flow
    Client->>AuthZenService: Evaluations([items with semantics])
    loop For each item
    AuthZenService->>Storage: Query relationships
    Storage-->>AuthZenService: Data
    AuthZenService->>AuthZenService: Evaluate per semantic (EXECUTE_ALL/DENY_ON_FIRST_DENY/PERMIT_ON_FIRST_PERMIT)
    end
    AuthZenService-->>Client: EvaluationsResponse([results, next_token])
    end
    rect rgb(240, 220, 200)
    note over Client,Config: Search & Discovery Flow
    Client->>AuthZenService: SubjectSearch/ResourceSearch/ActionSearch
    AuthZenService->>Storage: Query subjects/resources/actions (paginated)
    Storage-->>AuthZenService: Filtered list with pagination token
    AuthZenService-->>Client: SearchResponse(items, next_token)
    Client->>AuthZenService: GetConfiguration()
    AuthZenService->>Config: Fetch PDP metadata & endpoints
    Config-->>AuthZenService: PolicyDecisionPoint info
    AuthZenService-->>Client: GetConfigurationResponse(endpoints, capabilities)
    end
```
Estimated code review effort: 🎯 4 (Complex) | ⏱️ ~45 minutes
Actionable comments posted: 9
🤖 Fix all issues with AI agents
In @.github/SECURITY-INSIGHTS.yml:
- Line 70: The security-policy URL value under the security-policy key is
malformed; update the value to point to the correct GitHub blob path and
filename casing (SECURITY.md) — e.g., replace the current
https://github.com/openfga/api/security.md with the full blob URL including
/blob/<branch>/SECURITY.md (or point to the org-level policy at
https://github.com/openfga/.github/blob/main/SECURITY.md) so the link resolves
correctly.
In @authzen/v1/authzen_service.proto:
- Around line 582-589: The enum values in EvaluationsSemantic must be renamed to
follow protobuf conventions: change the zero value to
EVALUATIONS_SEMANTIC_UNSPECIFIED = 0 and prefix all other values with the enum
name (e.g., EVALUATIONS_SEMANTIC_EXECUTE_ALL,
EVALUATIONS_SEMANTIC_DENY_ON_FIRST_DENY,
EVALUATIONS_SEMANTIC_PERMIT_ON_FIRST_PERMIT) and update any references,
including the Evaluations RPC description, to use the new enum names.
In @docs/openapiv2/apidocs.swagger.json:
- Around line 749-752: The OpenAPI schema uses the full Resource definition for
ResourceSearch which requires both type and id, but search contexts should allow
id to be optional; add a new definition named ResourceFilter (mirroring
SubjectFilter) that requires only "type" and makes "id" optional (include
optional "properties" as in Resource), then update any references in
ResourceSearch (or the "resource" $ref) to point to
"#/definitions/ResourceFilter" instead of "#/definitions/Resource" so the search
schema correctly treats id as optional.
- Around line 35-64: The GetConfiguration endpoint description claims it "does
not require authentication" but its operation (operationId "GetConfiguration"
under path "/.well-known/authzen-configuration") includes 401 and 403 responses;
update the OpenAPI fragment to make them consistent by either removing the 401
and 403 response entries from the GetConfiguration operation if it is truly
public, or revise the description to explain the circumstances that would cause
401/403 and keep the responses; modify the responses object accordingly to
reflect the chosen behavior so the documentation is consistent.
- Around line 164-170: In the OpenAPI parameter object for the query parameter
with "name": "name" update the "description" string to add a missing space after
the period between sentences so it reads "...will be returned. Multiple
results..." (i.e., insert a single space after "returned."). Ensure the
corrected description keeps the rest of the text unchanged.
- Around line 556-562: The evaluations array schema is missing size constraints;
update the "evaluations" property (the array whose items reference
"EvaluationsItemRequest") to include "minItems": 1 and a sensible "maxItems"
(e.g., 1000) to match other batch endpoints and prevent unbounded requests; add
these two fields to the evaluations object in the OpenAPI JSON.
- Around line 2766-2782: EvaluationResponseContext currently defines fields
reasonAdmin and reasonUser in camelCase which conflicts with the API's
snake_case convention; update the definition to use snake_case (reason_admin and
reason_user) and adjust any references to these properties across the
codebase/consumers to match, ensuring the "$ref":
"#/definitions/ResponseContextError" remains unchanged and preserving the type
semantics of those properties.
In @openfga/v1/openfga_service.proto:
- Around line 1838-1843: The regex for the continuation_token field contains a
duplicate empty-string alternative; update the (validate.rules).string.pattern
for the field named continuation_token to remove the redundant `^$|` so it
matches the same pattern used elsewhere (`^$|^[A-Za-z0-9-_]+={0,2}$`); locate
the continuation_token declaration in openfga_service.proto and replace the
current pattern `^$|^$|^[A-Za-z0-9-_]+={0,2}$` with the single-empty alternative
version `^$|^[A-Za-z0-9-_]+={0,2}$`.
In @proto/openfga/v1/openfga_service.pb.validate.go:
- Around line 7056-7065: The regex for ListStoresRequest.continuation_token
includes a duplicated empty-alt prefix; update the proto pattern from
`^$|^$|^[A-Za-z0-9-_]+={0,2}$` to `^$|^[A-Za-z0-9-_]+={0,2}$` (remove the
redundant `^$|`), regenerate the Go validation code so
`_ListStoresRequest_ContinuationToken_Pattern` (and the analogous pattern used
at the other occurrence) is updated accordingly, and ensure the validation in
the generated method that checks m.GetContinuationToken() uses the corrected
pattern.
🧹 Nitpick comments (10)
.github/dependabot.yaml (1)
9-12: Consider more descriptive group names to clarify which ecosystem each group applies to. The group name `dependencies` is generic and doesn't indicate it applies to either `gomod` or `github-actions` updates. Use ecosystem-aware names like `gomod` and `github-actions` (or alternatively `gomod-updates` and `actions-updates`) to improve clarity when reviewing grouped updates.
📝 Optional refactor for clearer group names
For the gomod ecosystem:
groups: - dependencies: + gomod: patterns: - "*"
For the github-actions ecosystem:
groups: - dependencies: + github-actions: patterns: - "*"
README.md (3)
6-6: Minor: Use hyphenated "open-source" as a compound adjective. Per grammar conventions, "open-source" should be hyphenated when used as an adjective before a noun.
📝 Suggested fix
-[OpenFGA](https://openfga.dev) is an open source Fine-Grained Authorization solution inspired by [Google's Zanzibar paper](https://research.google/pubs/pub48190/). +[OpenFGA](https://openfga.dev) is an open-source Fine-Grained Authorization solution inspired by [Google's Zanzibar paper](https://research.google/pubs/pub48190/).
15-15: Minor: Convert bare URL to markdown link. Bare URLs can cause rendering issues in some markdown parsers. Consider wrapping in angle brackets or using link syntax.
📝 Suggested fix
-You can find various SDKs autogenerated by buf based on the protobuf definitions here: https://buf.build/openfga/api/sdks/main:protobuf +You can find various SDKs autogenerated by buf based on the protobuf definitions here: <https://buf.build/openfga/api/sdks/main:protobuf>
23-23: Minor: Convert bare URL to markdown link.
📝 Suggested fix
-If you are looking for the currently supported OpenFGA HTTP SDKs, you can find them here: https://github.com/openfga/sdk-generator#currently-supported-sdks +If you are looking for the currently supported OpenFGA HTTP SDKs, you can find them here: <https://github.com/openfga/sdk-generator#currently-supported-sdks>
authzen/v1/authzen_service.proto (3)
514-517: Consider adding validation pattern to `Resource.id`. The `Resource.type` field has a validation pattern (`^[^:#@\\s]{1,50}$`), but `Resource.id` only has `REQUIRED` behavior without pattern validation. This inconsistency may allow invalid resource IDs.
♻️ Suggested fix
string id = 2 [ + (validate.rules).string = { + pattern: "^[^:#@\\s]{1,500}$" + ignore_empty: false + }, (google.api.field_behavior) = REQUIRED, (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"roadmap\""} ];
641-641: Add validation pattern to `authorization_model_id`. The `authorization_model_id` field in `SubjectSearchRequest` lacks the ULID validation pattern that's used consistently in `openfga/v1/openfga_service.proto`. The same issue exists in `ResourceSearchRequest` (line 676) and `ActionSearchRequest` (line 708).
♻️ Suggested fix for SubjectSearchRequest
- string authorization_model_id = 7 [json_name = "authorization_model_id"]; + string authorization_model_id = 7 [ + json_name = "authorization_model_id", + (validate.rules).string = { + pattern: "^[ABCDEFGHJKMNPQRSTVWXYZ0-9]{26}$" + ignore_empty: true + }, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"01G5JAVJ41T49E9TT3SKVS7X1J\""} + ];
Apply the same pattern to lines 676 and 708.
597-602: Consider adding validation pattern to `PageRequest.token`. The continuation token should follow the same Base64 URL-safe pattern used elsewhere in the codebase (`^$|^[A-Za-z0-9-_]+={0,2}$`) to ensure consistency.
♻️ Suggested fix
message PageRequest { // Continuation token from previous response - optional string token = 1; + optional string token = 1 [ + (validate.rules).string = { + pattern: "^$|^[A-Za-z0-9-_]+={0,2}$" + max_bytes: 5120 + } + ]; // Maximum number of results to return (default: 50, max: 1000) optional uint32 limit = 2 [(validate.rules).uint32 = {lte: 1000}]; }
docs/openapiv2/apidocs.swagger.json (3)
17-24: Tag naming inconsistency with endpoint tags. The tag defined here is `AuthZenService`, but the AuthZen endpoints (e.g., lines 90-92, 571-573) use `AuthZen` as the tag. Consider aligning these for consistency—either define both `AuthZen` and `AuthZenService` tags, or update the endpoint tags to match this definition.
442-467: Consider extracting inline schema to a named definition. The request body schema is defined inline rather than using a `$ref` to a named definition. For maintainability and consistency with other endpoints (e.g., `BatchCheck` uses `$ref` to `BatchCheckItem`), consider extracting this to an `EvaluationRequest` definition. Additionally, unlike the `Check` endpoint, this lacks a `consistency` parameter. Verify if this omission is intentional for the AuthZen API.
3132-3136: Consider using `int32` for pagination limit. The `limit` field uses `int64` format, but pagination limits elsewhere in this API use `int32` (e.g., `page_size` at line 2001). With a maximum of 1000 results, `int32` is sufficient and maintains consistency.
Suggested fix
"limit": { "type": "integer", - "format": "int64", + "format": "int32", "title": "Maximum number of results to return (default: 50, max: 1000)" }
📜 Review details
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
⛔ Files ignored due to path filters (5)
- proto/authzen/v1/authzen_service.pb.go is excluded by !**/*.pb.go
- proto/authzen/v1/authzen_service.pb.gw.go is excluded by !**/*.pb.gw.go
- proto/authzen/v1/authzen_service_grpc.pb.go is excluded by !**/*.pb.go
- proto/go.sum is excluded by !**/*.sum
- proto/openfga/v1/openfga_service.pb.go is excluded by !**/*.pb.go
📒 Files selected for processing (12)
- .github/SECURITY-INSIGHTS.yml
- .github/dependabot.yaml
- .github/workflows/push.yaml
- .github/workflows/review.yaml
- README.md
- authzen/v1/authzen_service.proto
- docs/openapiv2/apidocs.swagger.json
- go.mod
- openfga/v1/openfga_service.proto
- proto/authzen/v1/authzen_service.pb.validate.go
- proto/go.mod
- proto/openfga/v1/openfga_service.pb.validate.go
🧰 Additional context used
🪛 Checkov (3.2.334)
docs/openapiv2/apidocs.swagger.json
[medium] 556-561: Ensure that arrays have a maximum number of items
(CKV_OPENAPI_21)
🪛 GitHub Check: build
authzen/v1/authzen_service.proto
[failure] 588-588:
Enum value name "PERMIT_ON_FIRST_PERMIT" should be prefixed with "EVALUATIONS_SEMANTIC_".
[failure] 586-586:
Enum value name "DENY_ON_FIRST_DENY" should be prefixed with "EVALUATIONS_SEMANTIC_".
[failure] 584-584:
Enum zero value name "EXECUTE_ALL" should be suffixed with "_UNSPECIFIED".
[failure] 584-584:
Enum value name "EXECUTE_ALL" should be prefixed with "EVALUATIONS_SEMANTIC_".
🪛 LanguageTool
README.md
[grammar] ~6-~6: Use a hyphen to join words.
Context: ...OpenFGA](https://openfga.dev) is an open source Fine-Grained Authorization soluti...
(QB_NEW_EN_HYPHEN)
🪛 markdownlint-cli2 (0.18.1)
README.md
15-15: Bare URL used
(MD034, no-bare-urls)
23-23: Bare URL used
(MD034, no-bare-urls)
🔇 Additional comments (28)
.github/dependabot.yaml (1)
1-1: LGTM! Schema directive enhances IDE support. The YAML language server directive enables validation and autocomplete in compatible editors.
.github/workflows/push.yaml (2)
28-33: Good addition of failure alerting. The PagerDuty alert step is well-configured: conditioned on `failure()`, uses secrets for the integration key, and provides a clear incident summary. Pinning to a commit hash is a good security practice.
20-24: No action needed—`actions/checkout` v5.0.0 is available. The workflow correctly uses `actions/checkout` v5.0.0 (released August 11, 2025) and `bufbuild/buf-setup-action` v1.50.0, both pinned to commit hashes for good security practice.
Likely an incorrect or invalid review comment.
.github/workflows/review.yaml (3)
15-18: Consistent action version updates. The `actions/checkout` and `bufbuild/buf-setup-action` updates are consistent with `push.yaml`. Both are pinned to commit hashes. The same verification concern about `actions/checkout` v5.0.0 applies here.
29-32: Consistent updates in diff-openapi job. Same action version updates as the build job, maintaining consistency across the workflow.
44-46: Ownership change from `char0n` to `swaggerexpert` is confirmed as legitimate. The `swaggerexpert/swagger-editor-validate` action is the official current maintainer listed in the GitHub Actions Marketplace, with v1.5.1 released recently (Feb 14, 2025). The change is safe to use.
.github/SECURITY-INSIGHTS.yml (2)
1-64: Well-structured Security Insights configuration. The header, repository metadata, core team listing, and license information are comprehensive and follow the OSSF Security Insights 2.0 schema. Good practice to maintain this governance documentation.
72-113: Comprehensive security tooling and assessment documentation. The security assessments section properly references the CNCF joint assessment, and the tools section documents a good mix of SCA (Dependabot, Snyk) and supply chain security (Socket) tooling with appropriate CI/release integration flags.
proto/go.mod (1)
3-16: LGTM! Dependency updates look reasonable. The Go toolchain bump to 1.23.0 and the gRPC patch update to v1.64.1 are appropriate maintenance updates. The indirect dependency updates (especially `golang.org/x/net` to v0.38.0) often include important security patches.
openfga/v1/openfga_service.proto (5)
1256-1268: LGTM! Idempotency controls are well-designed. The `on_duplicate` field with `"error"` (default) and `"ignore"` options provides clear control over write behavior. The OpenAPI documentation is comprehensive.
1278-1290: LGTM! Consistent idempotency design for deletes. The `on_missing` field mirrors the `on_duplicate` pattern, providing symmetry in the API design for handling non-existent tuples during delete operations.
1419-1423: Verify impact of making `tuple_key` required in BatchCheckItem. Adding `(validate.rules).message.required = true` to `tuple_key` is a breaking change for clients that may have been sending requests without this field. Ensure this is intentional and documented in migration guides.
1198-1204: Tighter validation for Read API user field. The new pattern `^[^\\s]{1,511}:[^\\s]{1,511}$` enforces the `type:id` format with a colon separator, which is stricter than before. This is a good change for data consistency but may reject previously valid inputs. Ensure existing clients are aware of this stricter validation requirement.
1844-1857: LGTM! Name filter for ListStores is a useful addition. The optional `name` field with exact-match semantics provides filtering capability without introducing complex query patterns.
authzen/v1/authzen_service.proto (2)
415-450: LGTM! EvaluationRequest is well-structured. The required fields (`subject`, `resource`, `action`) are properly validated, and the optional `store_id` and `authorization_model_id` have appropriate ULID patterns with `ignore_empty: true`.
376-412: LGTM! GetConfiguration follows AuthZEN spec section 13. The well-known endpoint path `/.well-known/authzen-configuration` is correctly implemented for PDP discovery. The response structure with `PolicyDecisionPoint`, `Endpoints`, and `capabilities` aligns with the spec.
go.mod (1)
1-3: Go version 1.25.5 is valid. It is the latest stable release as of January 2026 and was recently published as a security update. However, there is a version inconsistency: `go.mod` specifies Go 1.25.5 while `proto/go.mod` specifies Go 1.23.0. Consider aligning these versions, with preference for updating `proto/go.mod` to 1.25.5 to match the current stable release.
docs/openapiv2/apidocs.swagger.json (2)
3930-3966: LGTM! Well-designed idempotency options. The `on_duplicate` and `on_missing` options are well-implemented with:
- Clear enum values (`error`, `ignore`)
- Sensible defaults (`error` preserves backward compatibility)
- Good documentation explaining the behavior
This provides explicit control over write/delete idempotency, which is valuable for operational safety.
2488-2501: This is not a breaking change to existing fields—CheckError is part of the new AuthZEN 1.0 API implementation. The `CheckError` fields (`input_error`, `internal_error`) were defined with snake_case naming in the proto source file from the start, with explicit `json_name` directives. The swagger file is auto-generated from the proto definitions and reflects this intentional naming convention. Since this is a new API addition (not a modification to existing fields), there is no breaking change for existing clients.
Likely an incorrect or invalid review comment.
proto/openfga/v1/openfga_service.pb.validate.go (9)
1258-1267: LGTM: ContinuationToken validation for ReadRequest. The pattern `^$|^[A-Za-z0-9-_]+={0,2}$` correctly enforces base64url-encoded tokens or empty strings, consistent with pagination token requirements.
Also applies to: 1359-1360
1383-1407: LGTM: User field validation for ReadRequestTupleKey. The validation correctly:
- Guards pattern check on non-empty values
- Enforces max 512 bytes length
- Validates `type:id` format via pattern `^[^\s]{1,511}:[^\s]{1,511}$`
Also applies to: 1519-1520
2962-2971: LGTM: TupleKey required validation for BatchCheckItem. Adding the nil check ensures the required field is present before attempting embedded validation, consistent with other required field checks in this file (e.g., `CheckRequest.TupleKey`, `ListUsersRequest.Object`).
4746-4755: LGTM: ContinuationToken validation for ReadAuthorizationModels Request/Response. Consistent pattern and structure with other ContinuationToken validations in the file.
Also applies to: 4840-4841, 4909-4918, 5001-5002
5629-5638: LGTM: ContinuationToken validation for ReadChanges Request/Response. Consistent pattern and structure with other ContinuationToken validations in the file.
Also applies to: 5754-5755, 5823-5832, 5914-5915
7067-7080: LGTM: Name filter validation for ListStoresRequest. The Name pattern `^[a-zA-Z0-9\s\.\-\/^_&@]{3,64}$` is consistent with `CreateStoreRequest.Name` validation, enabling users to filter stores by name with the same constraints.
Also applies to: 7164-7164
7233-7242: LGTM: ContinuationToken validation for ListStoresResponse. Pattern is correct and consistent with other response message validations.
Also applies to: 7324-7325
1749-1750: LGTM: OnDuplicate and OnMissing fields without validation rules. These idempotency control fields for Write API operations have no additional validation rules, which is acceptable as enum value validation is handled by protobuf deserialization. This aligns with the PR's objective to add idempotent options (`on_duplicate`, `on_missing`).
Also applies to: 1898-1899
1592-1601: LGTM: ContinuationToken validation for ReadResponse. Pattern is correct and consistent with ReadRequest validation.
Also applies to: 1680-1681
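The validation patterns this review quotes (the continuation-token pattern with and without the duplicated `^$|`, the `type:id` user pattern with its 512-byte cap, and the ListStores name pattern), run over constructed sample inputs. This is an added example written for this page, not the generated pb.validate.go code; the function names and the samples are assumptions, the patterns themselves are the ones quoted above.

```go
package main

import (
	"fmt"
	"regexp"
)

// The patterns quoted in the review, compiled exactly as written there.
// continuationTokenDup is the variant with the duplicated empty alternative the
// review asks to collapse; continuationToken is the intended form.
var (
	continuationTokenDup = regexp.MustCompile(`^$|^$|^[A-Za-z0-9-_]+={0,2}$`)
	continuationToken    = regexp.MustCompile(`^$|^[A-Za-z0-9-_]+={0,2}$`)
	readUser             = regexp.MustCompile(`^[^\s]{1,511}:[^\s]{1,511}$`)
	storeName            = regexp.MustCompile(`^[a-zA-Z0-9\s\.\-\/^_&@]{3,64}$`)
)

// maxUserBytes is the byte cap the review describes for ReadRequestTupleKey.user.
const maxUserBytes = 512

// ValidateReadUser mirrors the generated check as the review describes it: the
// pattern is only applied to non-empty values, and length is capped in bytes
// (not runes), so an over-long id is rejected before the regex runs.
func ValidateReadUser(user string) error {
	if user == "" {
		return nil
	}
	if len(user) > maxUserBytes {
		return fmt.Errorf("user: %d bytes exceeds %d", len(user), maxUserBytes)
	}
	if !readUser.MatchString(user) {
		return fmt.Errorf("user %q: must be type:id with no whitespace", user)
	}
	return nil
}

// ValidateContinuationToken accepts an empty token (first page) or a base64url
// string with at most two '=' padding characters; standard base64 ('+', '/') fails.
func ValidateContinuationToken(tok string) error {
	if !continuationToken.MatchString(tok) {
		return fmt.Errorf("continuation_token %q: not base64url", tok)
	}
	return nil
}

// ValidateStoreNameFilter: the ListStores name filter is optional, so empty is
// fine; a non-empty value must satisfy the CreateStoreRequest.name pattern.
func ValidateStoreNameFilter(name string) error {
	if name == "" {
		return nil
	}
	if !storeName.MatchString(name) {
		return fmt.Errorf("name %q: 3-64 chars from the allowed set", name)
	}
	return nil
}

// TokenPatternsAgree reports whether the flagged pattern and the intended one
// give the same verdict on every sample, which is why removing the duplicate
// `^$|` is a cleanup rather than a behaviour change.
func TokenPatternsAgree(samples []string) bool {
	for _, s := range samples {
		if continuationTokenDup.MatchString(s) != continuationToken.MatchString(s) {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample inputs, not values taken from the PR.
	for _, u := range []string{"user:anne", "group:eng#member", "anne", "user: anne", "user:"} {
		fmt.Printf("user  %-18q -> %v\n", u, ValidateReadUser(u))
	}
	for _, tok := range []string{"", "eyJwayI6IjAxSCJ9", "abc==", "abc===", "a+b/c="} {
		fmt.Printf("token %-18q -> %v\n", tok, ValidateContinuationToken(tok))
	}
}
```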
| dependency-management-policy: https://github.com/openfga/openfga/blob/main/docs/dependencies-policy.md | ||
| governance: https://github.com/openfga/.github/blob/main/GOVERNANCE.md | ||
| review-policy: https://github.com/openfga/.github/blob/main/CONTRIBUTING.md | ||
| security-policy: https://github.com/openfga/api/security.md |
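Review bot: The security-policy value on the last line is the only one of the four policy URLs in this block without a blob path: dependency-management-policy, governance and review-policy all point at a .../blob/main/... file, while this one points at https://github.com/openfga/api/security.md with no /blob/<branch>/ segment and lower-case casing, so anything that consumes SECURITY-INSIGHTS.yml will follow a dead link. If openfga/api does not carry its own SECURITY.md, reusing the org-level https://github.com/openfga/.github/blob/main/SECURITY.md keeps this entry consistent with the governance and review-policy entries directly above it.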
Security policy URL appears malformed.
The security-policy URL https://github.com/openfga/api/security.md is missing the blob path and uses incorrect casing. GitHub security policy files are typically at SECURITY.md (uppercase) and the full URL should include the blob path.
🔧 Suggested fix
- security-policy: https://github.com/openfga/api/security.md
+ security-policy: https://github.com/openfga/api/blob/main/SECURITY.md
Alternatively, if using the organization-level security policy:
security-policy: https://github.com/openfga/.github/blob/main/SECURITY.md
🤖 Prompt for AI Agents
In @.github/SECURITY-INSIGHTS.yml at line 70, The security-policy URL value
under the security-policy key is malformed; update the value to point to the
correct GitHub blob path and filename casing (SECURITY.md) — e.g., replace the
current https://github.com/openfga/api/security.md with the full blob URL
including /blob/<branch>/SECURITY.md (or point to the org-level policy at
https://github.com/openfga/.github/blob/main/SECURITY.md) so the link resolves
correctly.
| enum EvaluationsSemantic { | ||
| // Execute all evaluations (default behavior) | ||
| EXECUTE_ALL = 0; | ||
| // Stop on first deny decision | ||
| DENY_ON_FIRST_DENY = 1; | ||
| // Stop on first permit decision | ||
| PERMIT_ON_FIRST_PERMIT = 2; | ||
| } |
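Review bot: Renaming is not the only consequence of the proposed fix: moving EXECUTE_ALL off value 0 (EVALUATIONS_SEMANTIC_UNSPECIFIED = 0, EVALUATIONS_SEMANTIC_EXECUTE_ALL = 1) changes what an omitted field means on the wire, because proto3 does not serialise the zero value, so today an absent semantic is EXECUTE_ALL by construction while afterwards it arrives as UNSPECIFIED. The comment "Unspecified - defaults to execute all" promises a mapping; please add that mapping in the Evaluations handler with a test, since a server that treats UNSPECIFIED as an invalid value would reject every client relying on the default. The comments "Stop on first deny decision" and "Stop on first permit decision" also leave open what the response carries for items after the stop; stating that here (omitted versus returned as not evaluated) lets callers distinguish a denied item from one that was never evaluated.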
Fix enum naming to follow protobuf conventions (build failure).
The static analysis is failing because enum values don't follow the standard naming convention:
- Zero value should be suffixed with `_UNSPECIFIED`
- All values should be prefixed with the enum name
🐛 Proposed fix
// Enum for evaluation semantics
enum EvaluationsSemantic {
- // Execute all evaluations (default behavior)
- EXECUTE_ALL = 0;
- // Stop on first deny decision
- DENY_ON_FIRST_DENY = 1;
- // Stop on first permit decision
- PERMIT_ON_FIRST_PERMIT = 2;
+ // Unspecified - defaults to execute all
+ EVALUATIONS_SEMANTIC_UNSPECIFIED = 0;
+ // Execute all evaluations
+ EVALUATIONS_SEMANTIC_EXECUTE_ALL = 1;
+ // Stop on first deny decision
+ EVALUATIONS_SEMANTIC_DENY_ON_FIRST_DENY = 2;
+ // Stop on first permit decision
+ EVALUATIONS_SEMANTIC_PERMIT_ON_FIRST_PERMIT = 3;
}
Note: This change also requires updating the documentation in the Evaluations RPC description (lines 159-162) to reference the new enum value names.
🧰 Tools
🪛 GitHub Check: build
[failure] 588-588:
Enum value name "PERMIT_ON_FIRST_PERMIT" should be prefixed with "EVALUATIONS_SEMANTIC_".
[failure] 586-586:
Enum value name "DENY_ON_FIRST_DENY" should be prefixed with "EVALUATIONS_SEMANTIC_".
[failure] 584-584:
Enum zero value name "EXECUTE_ALL" should be suffixed with "_UNSPECIFIED".
[failure] 584-584:
Enum value name "EXECUTE_ALL" should be prefixed with "EVALUATIONS_SEMANTIC_".
🤖 Prompt for AI Agents
In @authzen/v1/authzen_service.proto around lines 582 - 589, The enum values in
EvaluationsSemantic must be renamed to follow protobuf conventions: change the
zero value to EVALUATIONS_SEMANTIC_UNSPECIFIED = 0 and prefix all other values
with the enum name (e.g., EVALUATIONS_SEMANTIC_EXECUTE_ALL,
EVALUATIONS_SEMANTIC_DENY_ON_FIRST_DENY,
EVALUATIONS_SEMANTIC_PERMIT_ON_FIRST_PERMIT) and update any references,
including the Evaluations RPC description, to use the new enum names.
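Worked illustration of what the three enum values mean at run time, added for this review thread; it is not OpenFGA's implementation of the Evaluations RPC. `RunEvaluations`, the map-backed `constructedPDP` and the requests it answers are all constructed here, and the value names are the short forms from the hunk. The point it adds beyond the comments: under the two short-circuit modes the response is shorter than the request, and a consumer must treat the unreached items as denies.

```go
package main

import "fmt"

// EvaluationsSemantic mirrors the three modes of the proto enum under review.
// Constructed for this example; not the generated Go enum from the proto.
type EvaluationsSemantic int

const (
	ExecuteAll          EvaluationsSemantic = iota // answer every item
	DenyOnFirstDeny                                // stop at the first deny
	PermitOnFirstPermit                            // stop at the first permit
)

// Evaluation is one subject/action/resource question in a batch.
type Evaluation struct {
	Subject, Action, Resource string
}

// PDP answers a single evaluation; true means permit.
type PDP func(Evaluation) bool

// RunEvaluations applies the batch semantic. The result can be shorter than
// the input when a short-circuit mode stops early, so callers must not read
// it positionally without checking its length.
func RunEvaluations(sem EvaluationsSemantic, items []Evaluation, pdp PDP) []bool {
	out := make([]bool, 0, len(items))
	for _, it := range items {
		d := pdp(it)
		out = append(out, d)
		if (sem == DenyOnFirstDeny && !d) || (sem == PermitOnFirstPermit && d) {
			break
		}
	}
	return out
}

// Verdicts pairs every request with a decision, treating an item the PDP never
// reached as a deny (fail closed) instead of leaving it undefined.
func Verdicts(items []Evaluation, decisions []bool) map[Evaluation]bool {
	v := make(map[Evaluation]bool, len(items))
	for i, it := range items {
		v[it] = i < len(decisions) && decisions[i]
	}
	return v
}

// tupleStore is a constructed stand-in for a relationship store: only the
// listed subject|relation|object triples are permitted.
var tupleStore = map[string]bool{
	"user:anne|can_view|document:roadmap": true,
	"user:anne|can_view|document:budget":  true,
}

// constructedPDP is the hypothetical single-item decision function.
func constructedPDP(e Evaluation) bool {
	return tupleStore[e.Subject+"|"+e.Action+"|"+e.Resource]
}

// sampleBatch is a constructed request: permit, deny, permit in that order.
func sampleBatch() []Evaluation {
	return []Evaluation{
		{"user:anne", "can_view", "document:roadmap"},
		{"user:anne", "can_edit", "document:roadmap"},
		{"user:anne", "can_view", "document:budget"},
	}
}

func main() {
	for _, sem := range []EvaluationsSemantic{ExecuteAll, DenyOnFirstDeny, PermitOnFirstPermit} {
		ds := RunEvaluations(sem, sampleBatch(), constructedPDP)
		fmt.Printf("semantic %d: %d decision(s) returned: %v\n", sem, len(ds), ds)
	}
}
```

Under `DenyOnFirstDeny` the batch above returns two decisions for three requests and under `PermitOnFirstPermit` only one; `Verdicts` is the safe way to consume that, mapping the unreached items to deny rather than to an implicit permit.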
docs/openapiv2/apidocs.swagger.json
Outdated
| "/.well-known/authzen-configuration": { | ||
| "get": { | ||
| "summary": "Get AuthZEN PDP configuration and capabilities", | ||
| "description": "The GetConfiguration API returns metadata about the Policy Decision Point (PDP) including its name, version, supported endpoints, and capabilities. This endpoint follows the AuthZEN specification section 13 for PDP discovery.\n\nThis endpoint is available at the well-known path `/.well-known/authzen-configuration` and does not require authentication.\n\n## Example Response\n```json\n{\n \"policy_decision_point\": {\n \"name\": \"OpenFGA\",\n \"version\": \"1.8.0\",\n \"description\": \"OpenFGA is a high-performance authorization system\"\n },\n \"access_endpoints\": {\n \"evaluation\": \"/access/v1/evaluation\",\n \"evaluations\": \"/access/v1/evaluations\",\n \"subject_search\": \"/access/v1/search/subject\",\n \"resource_search\": \"/access/v1/search/resource\",\n \"action_search\": \"/access/v1/search/action\"\n },\n \"capabilities\": [\n \"evaluation\",\n \"evaluations\",\n \"subject_search\",\n \"resource_search\",\n \"action_search\"\n ]\n}\n```\n", | ||
| "operationId": "GetConfiguration", | ||
| "responses": { | ||
| "200": { | ||
| "description": "A successful response.", | ||
| "schema": { | ||
| "$ref": "#/definitions/GetConfigurationResponse" | ||
| } | ||
| }, | ||
| "400": { | ||
| "description": "Request failed due to invalid input.", | ||
| "schema": { | ||
| "$ref": "#/definitions/ValidationErrorMessageResponse" | ||
| } | ||
| }, | ||
| "401": { | ||
| "description": "Not authenticated.", | ||
| "schema": { | ||
| "$ref": "#/definitions/UnauthenticatedResponse" | ||
| } | ||
| }, | ||
| "403": { | ||
| "description": "Forbidden.", | ||
| "schema": { | ||
| "$ref": "#/definitions/ForbiddenResponse" | ||
| } | ||
| }, |
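Review bot: the description marks `/.well-known/authzen-configuration` as unauthenticated and the example response returns the exact server `version` (`1.8.0`) inside `policy_decision_point`; on a well-known path that is a fingerprinting oracle for anyone who can reach the PDP. Make `version` optional or operator-controlled, or state in the description why disclosing it here is acceptable.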
Documentation inconsistency regarding authentication.
The description states this endpoint "does not require authentication," but the response schema includes 401 (Not authenticated) and 403 (Forbidden) error responses. If this endpoint is truly public, consider removing these responses or clarifying when authentication might still apply.
🤖 Prompt for AI Agents
In @docs/openapiv2/apidocs.swagger.json around lines 35 - 64, The
GetConfiguration endpoint description claims it "does not require
authentication" but its operation (operationId "GetConfiguration" under path
"/.well-known/authzen-configuration") includes 401 and 403 responses; update the
OpenAPI fragment to make them consistent by either removing the 401 and 403
response entries from the GetConfiguration operation if it is truly public, or
revise the description to explain the circumstances that would cause 401/403 and
keep the responses; modify the responses object accordingly to reflect the
chosen behavior so the documentation is consistent.
| { | ||
| "name": "name", | ||
| "description": "The name parameter instructs the API to only include results that match that name.Multiple results may be returned. Only exact matches will be returned; substring matches and regexes will not be evaluated", | ||
| "in": "query", | ||
| "required": false, | ||
| "type": "string" | ||
| } |
Minor grammatical issue in description.
Missing space between sentences: "...will be returned.Multiple results..." should be "...will be returned. Multiple results...".
Suggested fix
- "description": "The name parameter instructs the API to only include results that match that name.Multiple results may be returned. Only exact matches will be returned; substring matches and regexes will not be evaluated",
+ "description": "The name parameter instructs the API to only include results that match that name. Multiple results may be returned. Only exact matches will be returned; substring matches and regexes will not be evaluated",
🤖 Prompt for AI Agents
In @docs/openapiv2/apidocs.swagger.json around lines 164 - 170, In the OpenAPI
parameter object for the query parameter with "name": "name" update the
"description" string to add a missing space after the period between sentences
so it reads "...will be returned. Multiple results..." (i.e., insert a single
space after "returned."). Ensure the corrected description keeps the rest of the
text unchanged.
| "evaluations": { | ||
| "type": "array", | ||
| "items": { | ||
| "type": "object", | ||
| "$ref": "#/definitions/EvaluationsItemRequest" | ||
| } | ||
| }, |
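Review bot: a `minItems`/`maxItems` added directly to apidocs.swagger.json is documentation only and will be lost on regeneration, since the file is produced from the proto (see the `protoc_gen_openapiv2` field options this PR carries); put the bound on the `repeated` field in authzen_service.proto as a `(validate.rules).repeated` rule with `min_items`/`max_items`, so the generated validator rejects oversized batches before they reach the evaluator and the swagger picks the limit up from the same source.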
Missing array size constraints on evaluations - potential resource exhaustion.
The evaluations array lacks maxItems and minItems constraints. Other batch operations in this API (e.g., BatchCheck at line 1369, WriteAssertions at line 1028) define these limits. Without constraints, clients could send unbounded arrays, potentially causing resource exhaustion.
Suggested fix
"evaluations": {
"type": "array",
"items": {
"type": "object",
"$ref": "#/definitions/EvaluationsItemRequest"
- }
+ },
+ "minItems": 1,
+ "maxItems": 100
},
🧰 Tools
🪛 Checkov (3.2.334)
[medium] 556-561: Ensure that arrays have a maximum number of items
(CKV_OPENAPI_21)
🤖 Prompt for AI Agents
In @docs/openapiv2/apidocs.swagger.json around lines 556 - 562, The evaluations
array schema is missing size constraints; update the "evaluations" property (the
array whose items reference "EvaluationsItemRequest") to include "minItems": 1
and a sensible "maxItems" (e.g., 1000) to match other batch endpoints and
prevent unbounded requests; add these two fields to the evaluations object in
the OpenAPI JSON.
| "resource": { | ||
| "$ref": "#/definitions/Resource", | ||
| "title": "Optional filter by resource type" | ||
| }, |
Schema mismatch: Resource id required but optional in search context.
The Resource definition (lines 3372-3375) marks both type and id as required. However, for ResourceSearch, the resource serves as a type filter where id should be optional (similar to how SubjectFilter handles optional id for SubjectSearch).
Consider creating a ResourceFilter definition (analogous to SubjectFilter) for search operations where only type is required.
Suggested ResourceFilter definition
"ResourceFilter": {
"type": "object",
"properties": {
"type": {
"type": "string",
"example": "document"
},
"id": {
"type": "string",
"example": "roadmap",
"title": "Optional resource id filter"
},
"properties": {
"type": "object"
}
},
"title": "ResourceFilter is used for search operations where id is optional",
"required": [
"type"
]
}🤖 Prompt for AI Agents
In @docs/openapiv2/apidocs.swagger.json around lines 749 - 752, The OpenAPI
schema uses the full Resource definition for ResourceSearch which requires both
type and id, but search contexts should allow id to be optional; add a new
definition named ResourceFilter (mirroring SubjectFilter) that requires only
"type" and makes "id" optional (include optional "properties" as in Resource),
then update any references in ResourceSearch (or the "resource" $ref) to point
to "#/definitions/ResourceFilter" instead of "#/definitions/Resource" so the
search schema correctly treats id as optional.
| "EvaluationResponseContext": { | ||
| "type": "object", | ||
| "properties": { | ||
| "id": { | ||
| "type": "string" | ||
| }, | ||
| "reasonAdmin": { | ||
| "type": "object" | ||
| }, | ||
| "reasonUser": { | ||
| "type": "object" | ||
| }, | ||
| "error": { | ||
| "$ref": "#/definitions/ResponseContextError" | ||
| } | ||
| } | ||
| }, |
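Review bot: `reasonAdmin` and `reasonUser` name two audiences, but the schema says nothing about who may see which; if the server ever fills `reasonAdmin` in a response to an ordinary caller it leaks policy-internal detail about why a request was denied. Document the intended audience of each field and the rule the server applies before returning `reasonAdmin`, and give each an `example` so the distinction is visible in the generated docs.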
🧩 Analysis chain
🌐 Web query:
AuthZEN 1.0 specification response context field naming convention
💡 Result:
- The PDP response uses a top-level field named "context" (an object) to carry additional decision info. [1]
- AuthZEN 1.0 does not mandate a specific naming convention for keys inside that context object — the spec explicitly says the semantics/format of the context object are an implementation concern and gives only non‑normative examples (e.g., error, reason, advices/obligations). Implementations MAY reuse common keys from other standards (HTTP status, etc.) for interoperability. [1][2][3]
If you want, I can list the concrete example keys shown in the spec and drafts (error.status, error.message, reason, advice/obligations). [1][2][3]
Sources:
[1] AuthZEN Authorization API 1.0 (OpenID draft).
[2] draft-brossard OAuth RAR AuthZEN profile (IETF).
[3] AuthZEN subgroup / implementer notes (HackMD).
🏁 Script executed:
# Check the actual swagger file content around EvaluationResponseContext
cat -n docs/openapiv2/apidocs.swagger.json | sed -n '2760,2790p'
🏁 Script executed:
# Search for CheckError definition to verify snake_case naming claim
rg -n "CheckError" docs/openapiv2/apidocs.swagger.json -A 15 | head -40
🏁 Script executed:
# Search for other context definitions to understand the naming pattern
rg -n "Context.*:" docs/openapiv2/apidocs.swagger.json | grep "type.*object" -B 2 | head -30
🏁 Script executed:
# Check for more context definitions and their naming patterns
rg -n "ResponseContext" docs/openapiv2/apidocs.swagger.json -A 10 | head -50
🏁 Script executed:
# Look at other similar definition objects to establish naming patterns
rg -n '"[A-Z][a-zA-Z]*Context"' docs/openapiv2/apidocs.swagger.json | head -20
Address naming convention inconsistency in EvaluationResponseContext.
EvaluationResponseContext uses camelCase for reasonAdmin and reasonUser, while other error/response definitions in the API use snake_case (e.g., input_error, internal_error in CheckError). Align with the API's snake_case convention for consistency, or document the intentional deviation.
Note: The AuthZEN 1.0 specification does not mandate a specific naming convention for context object fields—this is treated as an implementation concern. The inconsistency is an internal API design issue rather than a spec compliance issue.
🤖 Prompt for AI Agents
In @docs/openapiv2/apidocs.swagger.json around lines 2766 - 2782,
EvaluationResponseContext currently defines fields reasonAdmin and reasonUser in
camelCase which conflicts with the API's snake_case convention; update the
definition to use snake_case (reason_admin and reason_user) and adjust any
references to these properties across the codebase/consumers to match, ensuring
the "$ref": "#/definitions/ResponseContextError" remains unchanged and
preserving the type semantics of those properties.
| string continuation_token = 2 [ | ||
| json_name = "continuation_token", | ||
| (validate.rules).string.max_bytes = 5120, | ||
| (validate.rules).string.pattern = "^$|^$|^[A-Za-z0-9-_]+={0,2}$", | ||
| (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"eyJwayI6IkxBVEVTVF9OU0NPTkZJR19hdXRoMHN0b3JlIiwic2siOiIxem1qbXF3MWZLZExTcUoyN01MdTdqTjh0cWgifQ==\""} | ||
| ]; |
Bug: Duplicate ^$| prefix in continuation_token pattern.
The pattern ^$|^$|^[A-Za-z0-9-_]+={0,2}$ has a redundant ^$| prefix, unlike other continuation_token fields in this file which use ^$|^[A-Za-z0-9-_]+={0,2}$.
🐛 Proposed fix
string continuation_token = 2 [
json_name = "continuation_token",
(validate.rules).string.max_bytes = 5120,
- (validate.rules).string.pattern = "^$|^$|^[A-Za-z0-9-_]+={0,2}$",
+ (validate.rules).string.pattern = "^$|^[A-Za-z0-9-_]+={0,2}$",
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"eyJwayI6IkxBVEVTVF9OU0NPTkZJR19hdXRoMHN0b3JlIiwic2siOiIxem1qbXF3MWZLZExTcUoyN01MdTdqTjh0cWgifQ==\""}
];
🤖 Prompt for AI Agents
In @openfga/v1/openfga_service.proto around lines 1838 - 1843, The regex for the
continuation_token field contains a duplicate empty-string alternative; update
the (validate.rules).string.pattern for the field named continuation_token to
remove the redundant `^$|` so it matches the same pattern used elsewhere
(`^$|^[A-Za-z0-9-_]+={0,2}$`); locate the continuation_token declaration in
openfga_service.proto and replace the current pattern
`^$|^$|^[A-Za-z0-9-_]+={0,2}$` with the single-empty alternative version
`^$|^[A-Za-z0-9-_]+={0,2}$`.
| if !_ListStoresRequest_ContinuationToken_Pattern.MatchString(m.GetContinuationToken()) { | ||
| err := ListStoresRequestValidationError{ | ||
| field: "ContinuationToken", | ||
| reason: "value does not match regex pattern \"^$|^$|^[A-Za-z0-9-_]+={0,2}$\"", | ||
| } | ||
| if !all { | ||
| return err | ||
| } | ||
| errors = append(errors, err) | ||
| } |
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Get the specific lines mentioned in the review
echo "=== Lines 7056-7065 from openfga_service.pb.validate.go ==="
sed -n '7056,7065p' proto/openfga/v1/openfga_service.pb.validate.go
echo ""
echo "=== Lines 7162-7163 from openfga_service.pb.validate.go ==="
sed -n '7162,7164p' proto/openfga/v1/openfga_service.pb.validate.go
echo ""
echo "=== All ContinuationToken pattern definitions in the file ==="
rg -n 'ContinuationToken.*Pattern' proto/openfga/v1/openfga_service.pb.validate.go
echo ""
echo "=== All ContinuationToken regex patterns in the file ==="
rg -n '\^\\$\|.*A-Za-z0-9-_' proto/openfga/v1/openfga_service.pb.validate.go | head -20
🏁 Script executed:
#!/bin/bash
# Find proto files
echo "=== Looking for proto files ==="
find . -name "*.proto" -type f | head -20
echo ""
echo "=== Searching for ListStoresRequest definition in proto files ==="
rg -n 'ListStoresRequest' --type=proto -A10 | grep -A10 'message ListStoresRequest'
echo ""
echo "=== Searching for continuation_token validation rule in proto files ==="
rg -n 'continuation_token.*=' --type=proto -B2 -A2
🏁 Script executed:
#!/bin/bash
# Search for ListStoresRequest in openfga_service.proto
echo "=== ListStoresRequest definition in openfga_service.proto ==="
rg -n 'ListStoresRequest' openfga/v1/openfga_service.proto -A15 | head -40
echo ""
echo "=== Searching for continuation_token validation rules ==="
rg -n 'continuation_token.*=' openfga/v1/openfga_service.proto -B2 -A2
🏁 Script executed:
#!/bin/bash
# Search for all continuation_token patterns in the proto file to confirm the issue is only in ListStoresRequest
echo "=== All continuation_token pattern definitions in openfga_service.proto ==="
rg -n 'string.pattern.*\^' openfga/v1/openfga_service.proto | grep continuation_token
🏁 Script executed:
#!/bin/bash
# Get all continuation_token field definitions with their validation rules
echo "=== All continuation_token patterns in openfga_service.proto ==="
rg -n 'string continuation_token' openfga/v1/openfga_service.proto -A3
Fix redundant ^$| in ListStoresRequest.continuation_token pattern.
The proto definition at line 1841 of openfga_service.proto specifies the pattern as ^$|^$|^[A-Za-z0-9-_]+={0,2}$, which has a redundant ^$| prefix. All other continuation_token fields in the proto use the correct pattern ^$|^[A-Za-z0-9-_]+={0,2}$ (with a single prefix). Update the proto definition to remove the duplicate.
Also applies to: 7162-7163
🤖 Prompt for AI Agents
In @proto/openfga/v1/openfga_service.pb.validate.go around lines 7056 - 7065,
The regex for ListStoresRequest.continuation_token includes a duplicated
empty-alt prefix; update the proto pattern from `^$|^$|^[A-Za-z0-9-_]+={0,2}$`
to `^$|^[A-Za-z0-9-_]+={0,2}$` (remove the redundant `^$|`), regenerate the Go
validation code so `_ListStoresRequest_ContinuationToken_Pattern` (and the
analogous pattern used at the other occurrence) is updated accordingly, and
ensure the validation in the generated method that checks
m.GetContinuationToken() uses the corrected pattern.
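Worked check for the continuation_token pattern discussed in the two comments above (the proto rule and the generated validator). This is an added example for the review thread, not the generated pb.validate.go code: `ValidateToken` re-implements the byte limit and the regex from the proto rule as a standalone function, `SameAcceptance` shows that the duplicated `^$|` alternative accepts exactly the same strings as the corrected pattern (so the fix is cosmetic, not a behaviour change), and `DecodesAsURLBase64` shows what the regex alone does not guarantee. The only token taken from the page is the proto field's own example value; every other sample is constructed.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

const maxTokenBytes = 5120 // (validate.rules).string.max_bytes from the proto field

var (
	// pattern as it appears on ListStoresRequest in this PR (duplicated ^$|)
	patternDuplicated = regexp.MustCompile(`^$|^$|^[A-Za-z0-9-_]+={0,2}$`)
	// pattern used by the other continuation_token fields in the proto
	patternCorrected = regexp.MustCompile(`^$|^[A-Za-z0-9-_]+={0,2}$`)
)

// pageExample is the example value from the field's openapiv2 annotation.
const pageExample = "eyJwayI6IkxBVEVTVF9OU0NPTkZJR19hdXRoMHN0b3JlIiwic2siOiIxem1qbXF3MWZLZExTcUoyN01MdTdqTjh0cWgifQ=="

// ValidateToken mirrors the generated validator's two checks in order:
// byte length first, then the corrected url-safe base64 pattern.
func ValidateToken(token string) error {
	if len(token) > maxTokenBytes {
		return fmt.Errorf("continuation_token exceeds %d bytes", maxTokenBytes)
	}
	if !patternCorrected.MatchString(token) {
		return fmt.Errorf("continuation_token does not match %q", patternCorrected.String())
	}
	return nil
}

// SameAcceptance reports whether the duplicated and corrected patterns agree
// on every sample, i.e. the extra alternative is redundant.
func SameAcceptance(samples []string) bool {
	for _, s := range samples {
		if patternDuplicated.MatchString(s) != patternCorrected.MatchString(s) {
			return false
		}
	}
	return true
}

// DecodesAsURLBase64 is the check the regex does not perform: alphabet and
// padding count can be right while the string is still not decodable, so the
// server must still decode and reject rather than trust the pattern.
func DecodesAsURLBase64(token string) bool {
	if token == "" {
		return true
	}
	if _, err := base64.URLEncoding.DecodeString(token); err == nil {
		return true
	}
	_, err := base64.RawURLEncoding.DecodeString(token)
	return err == nil
}

// ConstructedSamples are hand-written tokens covering the edge cases.
func ConstructedSamples() []string {
	return []string{
		"",                                   // empty: first page
		pageExample,                          // well-formed, padded
		"YWJj",                               // well-formed, unpadded
		"abcde",                              // right alphabet, not decodable (5 chars)
		"a=",                                 // right alphabet, bad padding
		"abc+def/",                           // standard base64 alphabet, rejected
		"abc def",                            // whitespace, rejected
		strings.Repeat("A", maxTokenBytes+1), // over the byte limit
	}
}

func main() {
	for _, s := range ConstructedSamples() {
		short := s
		if len(short) > 24 {
			short = short[:24] + "..."
		}
		fmt.Printf("%-30q valid=%-5v decodable=%v\n", short, ValidateToken(s) == nil, DecodesAsURLBase64(s))
	}
}
```

The practitioner-relevant result is the `abcde` and `a=` rows: both pass the field rule yet neither decodes, so the regex is an input-shape filter, not a guarantee that the token the storage layer receives is well-formed.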
Description
What problem is being solved?
How is it being solved?
What changes are made to solve it?
References
Review Checklist