Merge pull request #1202 from isomerpages/release/0.70.0
* fix(otp): increment instead of update for concurrency (#1186)
  * fix(otp): increment instead of update for concurrency
  * ref(otp): migrate to use neverthrow instead
  * chore: remove unneeded check for empty string
* Fix/add validators (#1197)
  * chore: add validators
  * fix: tests
  * fix: add test
  * chore: enforce 6 length otp
* fix(autoLogoutIssue): failing whoami (#1196)

## Problem

There was an issue with #1183 due to the removal of the `trust proxy` setting in express. There are two packages that rely on express APIs, `express-rate-limit` and `express-session`. Due to changes in the way we used `express-rate-limit`, I thought that this setting could be removed, and this was only done with the intention of a cleanup and does not affect the functionality of how we are currently using `express-rate-limit`.

The [documentation](https://github.com/expressjs/session?tab=readme-ov-file#cookiesecure) for `express-session` also states that:

> If secure is set, and you access your site over HTTP, the cookie will not be set. If you have your node.js behind a proxy and are using secure: true, you need to set "trust proxy" in express

Checking in with the VAPT folks to sense-check this fix as well.

## Solution

Add back trust proxy.

**Breaking Changes**
<!-- Does this PR contain any backward incompatible changes? If so, what are they and should there be special considerations for release? -->

- [ ] Yes - this PR contains breaking changes
  - Details ...
- [X] No - this PR is backwards compatible with ALL of the following feature flags in this [doc](https://www.notion.so/opengov/Existing-feature-flags-518ad2cdc325420893a105e88c432be5)

# Note: This test will take a while, and requires at worst 15 mins to conduct

## Tests

- [ ] create a file called ddos.js

  ```js
  const stg = "https://staging-cms-api.isomer.gov.sg/v2/auth/verify"

  // Not defined in the original script; assumed to return a random dotted-quad
  // so that each request carries a different spoofed X-Forwarded-For value.
  function generateRandomIp() {
    return Array.from({ length: 4 }, () => Math.floor(Math.random() * 256)).join(".")
  }

  async function send() {
    try {
      const resp = await fetch(stg, {
        method: "POST",
        body: JSON.stringify({
          email: "[email protected]",
          otp: "111111",
        }),
        headers: {
          "Content-Type": "application/json",
          "X-Forwarded-For": generateRandomIp(),
        },
      })
      const text = await resp.text()
      console.log(text)
      // express-rate-limit's standard headers: window limit, requests left, seconds until reset
      console.log({
        Limit: resp.headers.get("Ratelimit-Limit"),
        Remaining: resp.headers.get("Ratelimit-Remaining"),
        Reset: resp.headers.get("Ratelimit-Reset"),
      })
    } catch (err) {
      console.log(err.message)
    }
  }

  // Fire 25 requests concurrently (deliberately not awaited) to exercise the limiter under load
  for (let i = 1; i <= 25; i++) {
    send()
  }
  ```

- [ ] connect to OGP VPN
- [ ] run `node ddos.js`
- [ ] assert that the remaining counter fell from 100
  ![Screenshot 2024-03-08 at 9 09 39 AM](https://github.com/isomerpages/isomercms-backend/assets/42832651/9cfb6417-c96c-45fd-8b58-820dd14c90bc)
- [ ] note the reset time (this is the window time, and by extension the amount of time to wait for this test)
- [ ] disconnect from VPN
- [ ] run `node ddos.js`
- [ ] assert that the remaining counter fell from 100
  ![Screenshot 2024-03-08 at 9 09 39 AM](https://github.com/isomerpages/isomercms-backend/assets/42832651/9cfb6417-c96c-45fd-8b58-820dd14c90bc)
- [ ] After the reset time is reached, do the above steps again and verify that, after the reset time, the counters for both simulated users reset.
  ![Screenshot 2024-03-08 at 9 14 36 AM](https://github.com/isomerpages/isomercms-backend/assets/42832651/54e99386-6339-43ee-8bf8-1d182e299d33)

* 0.70.0

---------

Co-authored-by: Alexander Lee <[email protected]>
Co-authored-by: Kishore <[email protected]>
Showing 25 changed files with 599 additions and 171 deletions.