Stytch b2b python quickstart #34
base: main
Conversation
This workflow replaces legacy service account key-based deploys with Workload Identity Federation (OIDC) for secure, keyless authentication between GitHub Actions and Google Cloud. 🔐 Key Benefits: No secrets required: Auth is handled via GitHub-issued OIDC tokens. Scoped access: Only workflows from luckmantrading/firebase-deploy can impersonate the firebase-deploy-bot service account. Modular and branded: Includes emoji headers and workflow dispatch for team-friendly onboarding. Reusable: Easily adapted across repos by updating the attribute.repository and service account. 🚀 Workflow Highlights: Auth via google-github-actions/auth@v1 Firebase CLI install and deploy to Hosting Project ID: xpert-forex-trade Project Number: 491439791457 Signed-off-by: XPERT FOREX TRADE INC <[email protected]>
Adds alternate version of landing page with Bootstrap styling and onboarding buttons. Useful for A/B testing or future design iterations. Signed-off-by: XPERT FOREX TRADE INC <[email protected]>
Enhances the landing page with Bootstrap styling, a dark-themed navbar, and clear onboarding buttons. Introduces a responsive layout with a welcome message and call-to-action links for login and registration. Footer includes dynamic copyright. Future enhancements may include animated trade stats, client testimonials, and dashboard previews to improve user engagement and showcase platform capabilities. Signed-off-by: XPERT FOREX TRADE INC <[email protected]>
Refines GCP authentication workflow using Workload Identity Federation. Ensures secure, keyless access to Google Cloud by referencing secrets for identity provider and service account. Prepares the workflow for future Firebase deploy steps and modular onboarding. Adds clarity for team reuse and CI/CD scalability. Signed-off-by: XPERT FOREX TRADE INC <[email protected]>
Adds GitHub Actions workflow for deploying to Firebase Hosting on push to main. Uses Workload Identity Federation for secure GCP authentication without JSON keys. Includes steps for dependency installation, build, and targeted hosting deploy. Designed for scalable CI/CD and team onboarding. Signed-off-by: XPERT FOREX TRADE INC <[email protected]>
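The commit messages above rely on one property for their security claim: only workflows from luckmantrading/firebase-deploy can impersonate the firebase-deploy-bot service account. On the Google side that is enforced by the Workload Identity Pool provider's attribute mapping and attribute condition, evaluated against the claims of the GitHub-issued OIDC token (the workflow must also grant `permissions: id-token: write` to receive one). The Python below is an added example, not code from this pull request, that evaluates the same kind of policy over constructed token claims so the accept/reject boundary is visible. It checks claims only and skips signature verification, which the real STS exchange performs against GitHub's JWKS before any claim is trusted. The project number comes from the commit message; the pool and provider names, the `ref` restriction and the sample claims are assumptions.

```python
import base64
import json
from dataclasses import dataclass

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"

# Assumed audience: the project number 491439791457 is from the commit message,
# the pool and provider names "github" are placeholders.
EXPECTED_AUDIENCE = (
    "https://iam.googleapis.com/projects/491439791457/locations/global/"
    "workloadIdentityPools/github/providers/github"
)


@dataclass(frozen=True)
class WifPolicy:
    """Stand-in for the provider's attribute mapping plus attribute condition.

    allowed_repository corresponds to `attribute.repository == '...'` from the
    commit message; allowed_refs is an extra, assumed narrowing to deploy
    branches that the commit message does not describe.
    """
    audience: str
    allowed_repository: str
    allowed_refs: tuple = ()


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned (alg=none) token for offline demonstration only."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}."


def unverified_claims(jwt: str) -> dict:
    """Decode the payload without signature verification.

    Real verification checks the RS256 signature against GitHub's JWKS first;
    nothing returned here may be trusted until that has happened.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def evaluate(policy: WifPolicy, claims: dict) -> tuple[bool, str]:
    """Return (allowed, reason) as the attribute condition would decide."""
    if claims.get("iss") != GITHUB_ISSUER:
        return False, "issuer is not GitHub Actions"
    aud = claims.get("aud")
    if policy.audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    repo = claims.get("repository")
    if repo != policy.allowed_repository:
        return False, f"repository {repo!r} may not impersonate the service account"
    if policy.allowed_refs and claims.get("ref") not in policy.allowed_refs:
        return False, f"ref {claims.get('ref')!r} is not a deploy branch"
    return True, "ok"


POLICY = WifPolicy(
    audience=EXPECTED_AUDIENCE,
    allowed_repository="luckmantrading/firebase-deploy",
    allowed_refs=("refs/heads/main",),
)

# Constructed sample claims shaped like GitHub's OIDC token.
BASE_CLAIMS = {
    "iss": GITHUB_ISSUER,
    "aud": EXPECTED_AUDIENCE,
    "repository": "luckmantrading/firebase-deploy",
    "repository_owner": "luckmantrading",
    "ref": "refs/heads/main",
    "workflow": "firebase-deploy",
}


def decide(overrides: dict) -> tuple[bool, str]:
    """Build a sample token with overridden claims and evaluate it."""
    token = make_sample_token({**BASE_CLAIMS, **overrides})
    return evaluate(POLICY, unverified_claims(token))


if __name__ == "__main__":
    for label, overrides in [
        ("same repo, main", {}),
        ("fork", {"repository": "someone-else/firebase-deploy"}),
        ("feature branch", {"ref": "refs/heads/feature"}),
        ("wrong audience", {"aud": "https://other.example"}),
    ]:
        print(f"{label:16} -> {decide(overrides)}")
```

The fork case is the one that matters: without the `attribute.repository` condition, any GitHub repository, including a fork of this one, could present a valid GitHub-signed token to the pool and mint credentials for firebase-deploy-bot.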
openapi: 3.0.3
info:
  title: XPERT Forex Trade API
  description: >
    Contributor-safe schema for endpoint protection via Cloudflare.
    This schema defines public-facing routes used in onboarding, audit logging,
    and payout address whitelisting. Non-compliant traffic will be blocked or logged.
  version: 1.0.0
  contact:
    name: XPERT Compliance Team
    email: [email protected]
servers:
  - url: https://api.xpertforextradex.com
    description: Production API
paths:
  /onboard:
    post:
      summary: Submit contributor onboarding data
      tags: [Onboarding]
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                contributor_id:
                  type: string
                wallet_address:
                  type: string
                ssh_key:
                  type: string
      responses:
        '200':
          description: Onboarding successful
  /audit-log:
    get:
      summary: Retrieve contributor audit logs
      tags: [Audit]
      parameters:
        - name: contributor_id
          in: query
          required: true
          schema:
            type: string
      responses:
        '200':
          description: Audit log returned
  /whitelist-address:
    post:
      summary: Add payout address to whitelist
      tags: [Payout]
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                address:
                  type: string
                label:
                  type: string
                network:
                  type: string
      responses:
        '201':
          description: Address whitelisted
components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
security:
  - bearerAuth: []
Signed-off-by: LUCKMAN WORLD <[email protected]>
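The schema in the commit above declares property types but no `required` list, no `additionalProperties: false` and no `pattern` on `wallet_address`, so any schema-validation layer driven by it will pass an empty `{}` body on `/onboard` and any extra fields alongside the declared ones. The Python below is an added example, not part of the project and not Cloudflare's validator: it hand-rolls the few JSON Schema keywords involved (`type`, `properties`, `required`, `additionalProperties`, `pattern`, `maxLength`) and runs constructed request bodies through both the schema as written and a tightened variant. The tightened constraints, including the 0x-prefixed 40-hex-character wallet format, are assumptions chosen to show the difference, not the project's rules.

```python
import re

# The /onboard request schema exactly as the commit declares it.
ONBOARD_AS_WRITTEN = {
    "type": "object",
    "properties": {
        "contributor_id": {"type": "string"},
        "wallet_address": {"type": "string"},
        "ssh_key": {"type": "string"},
    },
}

# Assumed tightening for illustration: required fields, no unknown keys,
# bounded lengths and a concrete wallet format. Not the project's rules.
ONBOARD_TIGHTENED = {
    "type": "object",
    "required": ["contributor_id", "wallet_address"],
    "additionalProperties": False,
    "properties": {
        "contributor_id": {"type": "string", "pattern": r"^[A-Za-z0-9_-]{3,64}$"},
        "wallet_address": {"type": "string", "pattern": r"^0x[0-9a-fA-F]{40}$"},
        "ssh_key": {"type": "string", "maxLength": 4096},
    },
}


def _is_type(value, expected: str) -> bool:
    """JSON Schema type check; bool is deliberately not an integer/number."""
    if expected == "string":
        return isinstance(value, str)
    if expected == "object":
        return isinstance(value, dict)
    if expected == "array":
        return isinstance(value, list)
    if expected == "boolean":
        return isinstance(value, bool)
    if expected == "integer":
        return isinstance(value, int) and not isinstance(value, bool)
    if expected == "number":
        return isinstance(value, (int, float)) and not isinstance(value, bool)
    raise ValueError(f"unsupported type {expected!r}")


def validate(schema: dict, value, path: str = "$") -> list[str]:
    """Return violations (empty list means the body conforms).

    Supports only the keywords used above; not a full JSON Schema implementation.
    """
    errors: list[str] = []
    expected = schema.get("type")
    if expected and not _is_type(value, expected):
        return [f"{path}: expected {expected}, got {type(value).__name__}"]
    if isinstance(value, str):
        pattern = schema.get("pattern")
        if pattern and not re.search(pattern, value):
            errors.append(f"{path}: does not match {pattern}")
        if "maxLength" in schema and len(value) > schema["maxLength"]:
            errors.append(f"{path}: longer than {schema['maxLength']} characters")
    if isinstance(value, dict):
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in value:
                errors.append(f"{path}.{name}: required property missing")
        for name, sub in value.items():
            if name in props:
                errors.extend(validate(props[name], sub, f"{path}.{name}"))
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"{path}.{name}: additional property not allowed")
    return errors


# Constructed sample bodies for /onboard.
GOOD_BODY = {"contributor_id": "alice", "wallet_address": "0x" + "ab" * 20,
             "ssh_key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample alice@example"}
EMPTY_BODY = {}
EXTRA_FIELD_BODY = {**GOOD_BODY, "role": "admin"}
BAD_WALLET_BODY = {"contributor_id": "alice", "wallet_address": "not-an-address"}


def compare(body: dict) -> tuple[bool, bool]:
    """(accepted by schema as written, accepted by tightened schema)."""
    return (not validate(ONBOARD_AS_WRITTEN, body), not validate(ONBOARD_TIGHTENED, body))


if __name__ == "__main__":
    for label, body in [("good", GOOD_BODY), ("empty", EMPTY_BODY),
                        ("extra field", EXTRA_FIELD_BODY), ("bad wallet", BAD_WALLET_BODY)]:
        print(f"{label:12} as written={compare(body)[0]!s:5} tightened={compare(body)[1]}")
```

The extra-field case is the one to watch on a payout-related endpoint: a permissive schema lets a client smuggle properties such as `role` through the edge, and whether that is harmful then depends entirely on the application binding the body to a model.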
Added a dedicated Node.js setup step to the Docker-based CI workflow using actions/[email protected]. This ensures consistent Node.js environment provisioning across builds, supports caching of dependencies, and prepares the pipeline for future Node-based tooling or test runners. Configuration options are left flexible for versioning, registry auth, and architecture targeting to support contributor customization and audit clarity. Signed-off-by: LUCKMAN WORLD <[email protected]>
import os
import logging
from telegram.ext import ApplicationBuilder, CommandHandler
from config.settings import BOT_TOKEN
from handlers.onboard import onboard
from handlers.logger import logger
from handlers.diagnose import diagnose
from handlers.alert import alert
from handlers.monitor import monitor
from handlers.sandbox import sandbox
from handlers.contentkit import contentkit
from handlers.validate import validate
from handlers.commitguide import commitguide
from handlers.auditdoc import auditdoc
# 🧾 Ensure logs directory exists
os.makedirs("logs", exist_ok=True)
# 🪵 Configure fallback logging
logging.basicConfig(
filename="logs/bot.log",
format="%(asctime)s - %(levelname)s - %(message)s",
level=logging.INFO
)
# 🚀 Initialize bot
app = ApplicationBuilder().token(BOT_TOKEN).build()
# 🔗 Register command handlers
app.add_handler(CommandHandler("onboard", onboard))
app.add_handler(CommandHandler("logger", logger))
app.add_handler(CommandHandler("diagnose", diagnose))
app.add_handler(CommandHandler("alert", alert))
app.add_handler(CommandHandler("monitor", monitor))
app.add_handler(CommandHandler("sandbox", sandbox))
app.add_handler(CommandHandler("contentkit", contentkit))
app.add_handler(CommandHandler("validate", validate))
app.add_handler(CommandHandler("commitguide", commitguide))
app.add_handler(CommandHandler("auditdoc", auditdoc))
# 🏁 Run bot
app.run_polling()
Signed-off-by: LUCKMAN WORLD <[email protected]>
Co-authored-by: Copilot <[email protected]> Signed-off-by: LUCKMAN WORLD <[email protected]>
Summary of Changes
Hello @xpertforextradeinc, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
This pull request introduces a collection of new files that collectively lay groundwork for various components of what appears to be a trading platform. It includes documentation for Cloudflare endpoint schema, a PHP-based user dashboard for displaying trading data, an HTML landing page for user onboarding, and a structural guide for a Python Telegram bot. While the PR title and description suggest a focus on a Stytch B2B Python quickstart, the actual file changes diverge significantly, indicating a broader scope of initial setup.
Highlights
- Cloudflare Endpoint Schema Documentation: A new .yaml file has been added, providing detailed documentation for Cloudflare Endpoint Schema uploads, including location, accepted formats, schema requirements, security behavior, and recommendations for best practices.
- PHP Trading Dashboard: A new PHP view, app/Views/dashboard.php, has been introduced to display a personalized welcome message, open trades, and trade history for users, integrating header.php and footer.php.
- Xpert-Forex-Tradex Landing Page: An index-alt.html file has been added, serving as a new HTML landing page for 'Xpert-Forex-Tradex', featuring a navigation bar, a welcome message, and links for user login and registration, styled with Bootstrap.
- Telegram Bot Structure Outline: A bot.py file has been added, which outlines the intended directory structure for a xpert_telegram_bot project, indicating the placement of the main bot script and other components.
Pull Request Overview
This PR introduces a Stytch B2B Python quickstart authentication system along with supporting web infrastructure and deployment configurations. The implementation includes a Flask-based authentication portal that integrates with Stytch's magic link authentication for B2B users.
- Adds HTML frontend with Bootstrap styling for the Xpert-Forex-Tradex platform
- Creates PHP dashboard views for trading interface
- Implements multiple GitHub Actions workflows for GCP, Firebase, and Azure deployments
Reviewed Changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| index-alt.html | Bootstrap-styled landing page with login/register navigation |
| bot.py | Directory structure outline for Telegram bot project |
| app/Views/dashboard.php | PHP dashboard template displaying user trades and history |
| .yaml | Documentation for Cloudflare endpoint schema upload requirements |
| .github/workflows/gcp-auth.yml | Simplified GCP authentication workflow using secrets |
| .github/workflows/firebase-deploy.yml | Firebase hosting deployment automation |
| .github/workflows/docker-image.yml | Node.js setup configuration template |
| .github/workflows/azure-webapps-node.yml | Firebase hosting deployment workflow with enhanced permissions |
| @@ -0,0 +1,29 @@ | |||
| <?php include 'header.php'; ?> | |||
| <div class="container mt-5"> | |||
| <h2 class="mb-4">Welcome, <?= $_SESSION['username']; ?>!</h2> | |||
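Review bot: nothing in the hunk guards that a session exists before the page renders; `$_SESSION['username']` on the `<h2>` line is read without checking that `session_start()` ran (presumably in the included `header.php`) or that the key is set, so an unauthenticated request renders "Welcome, !" with a notice instead of being sent to login. Add a guard before the markup, for example `if (empty($_SESSION['username'])) { header('Location: /login'); exit; }`, and escape the value on output with `htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8')`.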
Copilot
AI
Sep 17, 2025
Direct output of session data without escaping could lead to XSS vulnerabilities. Use htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8') to prevent XSS attacks.
| <h2 class="mb-4">Welcome, <?= $_SESSION['username']; ?>!</h2> | |
| <h2 class="mb-4">Welcome, <?= htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8'); ?>!</h2> |
| <ul class="list-group"> | ||
| <?php foreach ($openTrades as $trade): ?> | ||
| <li class="list-group-item"> | ||
| <?= $trade['pair']; ?> - <?= $trade['direction']; ?> - $<?= $trade['amount']; ?> |
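Review bot: `$trade['amount']` on the last line of the hunk is printed as `$<?= $trade['amount']; ?>` with no numeric formatting, so a non-numeric value stored against a trade reaches the page verbatim; format it as a number, for example `number_format((float) $trade['amount'], 2)`, and wrap `pair` and `direction` in `htmlspecialchars($trade['pair'], ENT_QUOTES, 'UTF-8')` since both are interpolated into HTML text unescaped.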
Copilot
AI
Sep 17, 2025
Trade data is output directly without escaping, which could lead to XSS vulnerabilities. All dynamic content should be escaped using htmlspecialchars() before output.
.github/workflows/docker-image.yml
Outdated
| - name: Setup Node.js environment | ||
| uses: actions/[email protected] | ||
| with: | ||
| # Set always-auth in npmrc. | ||
| always-auth: # optional, default is false | ||
| # Version Spec of the version to use. Examples: 12.x, 10.15.1, >=10.15.0. | ||
| node-version: # optional | ||
| # File containing the version Spec of the version to use. Examples: .nvmrc, .node-version, .tool-versions. | ||
| node-version-file: # optional | ||
| # Target architecture for Node to use. Examples: x86, x64. Will use system architecture by default. | ||
| architecture: # optional | ||
| # Set this option if you want the action to check for the latest available version that satisfies the version spec. | ||
| check-latest: # optional | ||
| # Optional registry to set up for auth. Will set the registry in a project level .npmrc and .yarnrc file, and set up auth to read in from env.NODE_AUTH_TOKEN. | ||
| registry-url: # optional | ||
| # Optional scope for authenticating against scoped registries. Will fall back to the repository owner when using the GitHub Packages registry (https://npm.pkg.github.com/). | ||
| scope: # optional | ||
| # Used to pull node distributions from node-versions. Since there's a default, this is typically not supplied by the user. When running this action on github.com, the default value is sufficient. When running on GHES, you can pass a personal access token for github.com if you are experiencing rate limiting. | ||
| token: # optional, default is ${{ github.server_url == 'https://github.com' && github.token || '' }} | ||
| # Used to specify a package manager for caching in the default directory. Supported values: npm, yarn, pnpm. | ||
| cache: # optional | ||
| # Used to specify the path to a dependency file: package-lock.json, yarn.lock, etc. Supports wildcards or a list of file names for caching multiple dependencies. | ||
| cache-dependency-path: # optional | ||
|
|
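Review bot: `uses: actions/[email protected]` on the second line of the hunk pins to a mutable tag; for a step that also configures `registry-url` auth and reads `NODE_AUTH_TOKEN`, pin to the release's commit SHA (`actions/setup-node@<sha> # v4.4.0`) so a retagged release cannot change what runs in CI. Every key under `with:` is also left empty, which YAML reads as null; drop the unused keys and set `node-version` explicitly, otherwise the step does not deliver the consistent Node environment its name promises.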
Copilot
AI
Sep 17, 2025
Invalid YAML syntax. The first line appears to be a fragment with incorrect indentation. This workflow file is malformed and will not execute properly.
| - name: Setup Node.js environment | |
| uses: actions/[email protected] | |
| with: | |
| # Set always-auth in npmrc. | |
| always-auth: # optional, default is false | |
| # Version Spec of the version to use. Examples: 12.x, 10.15.1, >=10.15.0. | |
| node-version: # optional | |
| # File containing the version Spec of the version to use. Examples: .nvmrc, .node-version, .tool-versions. | |
| node-version-file: # optional | |
| # Target architecture for Node to use. Examples: x86, x64. Will use system architecture by default. | |
| architecture: # optional | |
| # Set this option if you want the action to check for the latest available version that satisfies the version spec. | |
| check-latest: # optional | |
| # Optional registry to set up for auth. Will set the registry in a project level .npmrc and .yarnrc file, and set up auth to read in from env.NODE_AUTH_TOKEN. | |
| registry-url: # optional | |
| # Optional scope for authenticating against scoped registries. Will fall back to the repository owner when using the GitHub Packages registry (https://npm.pkg.github.com/). | |
| scope: # optional | |
| # Used to pull node distributions from node-versions. Since there's a default, this is typically not supplied by the user. When running this action on github.com, the default value is sufficient. When running on GHES, you can pass a personal access token for github.com if you are experiencing rate limiting. | |
| token: # optional, default is ${{ github.server_url == 'https://github.com' && github.token || '' }} | |
| # Used to specify a package manager for caching in the default directory. Supported values: npm, yarn, pnpm. | |
| cache: # optional | |
| # Used to specify the path to a dependency file: package-lock.json, yarn.lock, etc. Supports wildcards or a list of file names for caching multiple dependencies. | |
| cache-dependency-path: # optional | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Setup Node.js environment | |
| uses: actions/[email protected] | |
| with: | |
| # Set always-auth in npmrc. | |
| always-auth: # optional, default is false | |
| # Version Spec of the version to use. Examples: 12.x, 10.15.1, >=10.15.0. | |
| node-version: # optional | |
| # File containing the version Spec of the version to use. Examples: .nvmrc, .node-version, .tool-versions. | |
| node-version-file: # optional | |
| # Target architecture for Node to use. Examples: x86, x64. Will use system architecture by default. | |
| architecture: # optional | |
| # Set this option if you want the action to check for the latest available version that satisfies the version spec. | |
| check-latest: # optional | |
| # Optional registry to set up for auth. Will set the registry in a project level .npmrc and .yarnrc file, and set up auth to read in from env.NODE_AUTH_TOKEN. | |
| registry-url: # optional | |
| # Optional scope for authenticating against scoped registries. Will fall back to the repository owner when using the GitHub Packages registry (https://npm.pkg.github.com/). | |
| scope: # optional | |
| # Used to pull node distributions from node-versions. Since there's a default, this is typically not supplied by the user. When running this action on github.com, the default value is sufficient. When running on GHES, you can pass a personal access token for github.com if you are experiencing rate limiting. | |
| token: # optional, default is ${{ github.server_url == 'https://github.com' && github.token || '' }} | |
| # Used to specify a package manager for caching in the default directory. Supported values: npm, yarn, pnpm. | |
| cache: # optional | |
| # Used to specify the path to a dependency file: package-lock.json, yarn.lock, etc. Supports wildcards or a list of file names for caching multiple dependencies. | |
| cache-dependency-path: # optional |
Code Review
This pull request introduces several new files for what appears to be different components of a system. My review has identified several high-severity issues that should be addressed.
The most critical findings are multiple Cross-Site Scripting (XSS) vulnerabilities in the new app/Views/dashboard.php file. Untrusted data is being rendered directly to the page, which poses a significant security risk. I've left specific comments with suggestions on how to fix this using htmlspecialchars().
Additionally, the bot.py file does not contain valid Python code but rather a text diagram of a directory structure. This is incorrect for a .py file and should be rectified. The file named .yaml is also unusual and likely a typo; it should probably have a more descriptive name.
The PR seems to lack a clear focus, combining a Python quickstart (as per the title), PHP view files, and other documentation. It would be beneficial to clarify the purpose of this PR and potentially split it into smaller, more focused changes.
| <ul class="list-group"> | ||
| <?php foreach ($openTrades as $trade): ?> | ||
| <li class="list-group-item"> | ||
| <?= $trade['pair']; ?> - <?= $trade['direction']; ?> - $<?= $trade['amount']; ?> |
The trade data (pair, direction, amount) is rendered without escaping, which is a Cross-Site Scripting (XSS) vulnerability. If any of this data can be influenced by a user, it could be used to inject malicious scripts. To prevent this, you should escape all dynamic output using htmlspecialchars().
<?= htmlspecialchars($trade['pair'], ENT_QUOTES, 'UTF-8'); ?> - <?= htmlspecialchars($trade['direction'], ENT_QUOTES, 'UTF-8'); ?> - $<?= htmlspecialchars($trade['amount'], ENT_QUOTES, 'UTF-8'); ?>
| <ul class="list-group"> | ||
| <?php foreach ($tradeHistory as $trade): ?> | ||
| <li class="list-group-item"> | ||
| <?= $trade['pair']; ?> - <?= $trade['type']; ?> - <?= $trade['created_at']; ?> |
Similar to the open trades list, the trade history data (pair, type, created_at) is rendered without proper escaping. This is a Cross-Site Scripting (XSS) vulnerability. Please ensure all dynamic data rendered in the HTML is escaped using htmlspecialchars().
<?= htmlspecialchars($trade['pair'], ENT_QUOTES, 'UTF-8'); ?> - <?= htmlspecialchars($trade['type'], ENT_QUOTES, 'UTF-8'); ?> - <?= htmlspecialchars($trade['created_at'], ENT_QUOTES, 'UTF-8'); ?>
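Both reviewers ask for `htmlspecialchars()` on every interpolated value in the dashboard rows. The Python below is an added example, not code from this pull request, that models the open-trades row from the hunk with constructed trade records carrying a script payload and an attribute quote breakout, and renders them through a verbatim template and a hardened one; `html.escape(..., quote=True)` plays the role of `htmlspecialchars($v, ENT_QUOTES, 'UTF-8')`. It goes one step beyond the review comments by treating `amount` as a number to format rather than a string to escape. The `data-direction` attribute is an assumption added to show why the quote-escaping flag matters in attribute context.

```python
import html
from decimal import Decimal, InvalidOperation

# Constructed sample data: the second record carries a script payload in `pair`,
# an attribute breakout in `direction` and a non-numeric `amount`, standing in
# for values that reached the database through a user-influenced path.
OPEN_TRADES = [
    {"pair": "EUR/USD", "direction": "buy", "amount": "1500.00"},
    {"pair": "<script>alert(document.cookie)</script>",
     "direction": 'buy" onmouseover="alert(1)',
     "amount": "1 OR 1=1"},
]


def render_row_unsafe(trade: dict) -> str:
    """Mirrors the original template: values interpolated verbatim."""
    return (f'<li class="list-group-item" data-direction="{trade["direction"]}">'
            f'{trade["pair"]} - {trade["direction"]} - ${trade["amount"]}</li>')


def esc(value) -> str:
    """Equivalent of htmlspecialchars($v, ENT_QUOTES, 'UTF-8'): escapes & < > " and '."""
    return html.escape(str(value), quote=True)


def fmt_amount(value) -> str:
    """Validate the amount as a decimal instead of escaping an arbitrary string."""
    try:
        return f"{Decimal(str(value)):.2f}"
    except InvalidOperation:
        return "n/a"


def render_row_safe(trade: dict) -> str:
    """Hardened template: every text and attribute value escaped, amount formatted."""
    return (f'<li class="list-group-item" data-direction="{esc(trade["direction"])}">'
            f'{esc(trade["pair"])} - {esc(trade["direction"])} - ${fmt_amount(trade["amount"])}</li>')


def render_list(trades, row_fn) -> str:
    return '<ul class="list-group">' + "".join(row_fn(t) for t in trades) + "</ul>"


if __name__ == "__main__":
    print(render_list(OPEN_TRADES, render_row_unsafe))
    print(render_list(OPEN_TRADES, render_row_safe))
```

With `quote=False` (the analogue of calling `htmlspecialchars()` without `ENT_QUOTES` in older PHP defaults) the `<script>` payload would still be neutralised, but the `direction` value would close the `data-direction` attribute and inject an event handler, which is why the reviewers' suggested fix passes `ENT_QUOTES`.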
bot.py
Outdated
| xpert_telegram_bot/ | ||
| ├── bot.py ← Paste this code here | ||
| ├── handlers/ | ||
| ├── config/ | ||
| ├── logs/ | ||
| ├── .env | ||
| ├── requirements.txt | ||
| └── diagnostics.py |
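Review bot: the tree lists `.env` at the project root next to `requirements.txt`; add `.env` to `.gitignore` in the same change, since that file is where values like the Telegram `BOT_TOKEN` imported from `config.settings` in the bot code would live, and committing it would publish the token. Also, the file is a text tree rather than Python, so the `bot.py` entry point the tree points at does not yet exist in the PR.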
This file is named bot.py, which implies it should contain Python code. However, its content is a text representation of a directory structure. This is misleading and will cause an error if this file is executed as a Python script. If this is documentation, it should be in a file with an appropriate extension like .txt or .md. If this file is meant to be the bot's entry point, it should contain valid Python code. The PR description contains a Python Flask application; perhaps that code was intended to be here or in a different file?
Co-authored-by: Copilot <[email protected]> Signed-off-by: LUCKMAN WORLD <[email protected]>
except StytchError as e:
error_msg = f"Auth failed: {e.details.original_json}"
send_slack_alert(error_msg, token)
return f"🚨 {error_msg}", 401
Signed-off-by: LUCKMAN WORLD <[email protected]>
Co-authored-by: Copilot <[email protected]> Signed-off-by: LUCKMAN WORLD <[email protected]>
import os
from flask import Flask, request, redirect, session
from dotenv import load_dotenv
from stytch import B2BClient
from stytch.core.response_base import StytchError
load_dotenv()
app = Flask(__name__)
# The session-signing key must come from the environment; a hardcoded fallback
# lets anyone who can read the source forge Flask session cookies.
app.secret_key = os.environ["FLASK_SECRET"]
# Initialize Stytch client
stytch_client = B2BClient(
    project_id=os.getenv("STYTCH_PROJECT_ID"),
    secret=os.getenv("STYTCH_SECRET"),
    environment="test"
)
@app.route("/")
def index():
    return "✅ XPERT Global Auth Portal – Ready for contributor login"
@app.route("/authenticate", methods=["GET"])
def authenticate():
    token = request.args.get("token")
    if not token:
        return "❌ Missing token", 400
    # Assumed completion of the truncated handler: exchange the magic-link token
    # with Stytch; the error branch follows the except block shown earlier in
    # this PR, without the Slack alert helper that is not defined here.
    try:
        resp = stytch_client.magic_links.authenticate(magic_links_token=token)
    except StytchError as e:
        return f"🚨 Auth failed: {e.details.original_json}", 401
    session["member_id"] = resp.member_id
    return redirect("/")
if __name__ == "__main__":
    # debug=True exposes the Werkzeug debugger; keep it for local development only.
    app.run(host="localhost", port=3000, debug=True)