
Release/0.70.0 #1202

Merged
merged 7 commits into from
Mar 11, 2024

Conversation

@dcshzj dcshzj (Contributor) commented Mar 11, 2024

What's Changed

Full Changelog: v0.69.0...v0.70.0

Tests

#1186 - @alexanderleegs

  • Use the script provided in the VAPT report on page 17 and 18
  • Adjust the URL to point to your test instance
  • Adjust the email address to be one that is valid (i.e. your own account) and attempt to log in (without keying in the correct OTP)
  • Run the script and verify that you hit the max attempts after 5 tries

#1196 - @alexanderleegs

  • Connect to the OGP VPN
  • Run `node ddos.js`
  • Assert that the remaining counter fell from 100
    [Screenshot 2024-03-08 at 9 09 39 AM]
  • Note the reset time (this is the window time, and by extension the amount of time to wait for this test)
  • Disconnect from the VPN
  • Run `node ddos.js`
  • Assert that the remaining counter fell from 100
    [Screenshot 2024-03-08 at 9 09 39 AM]
  • After the reset time has elapsed, do the above steps again and verify that, after the reset time, the counters for both simulated users reset.
    [Screenshot 2024-03-08 at 9 14 36 AM]

#1197 - @dcshzj

Check that the following endpoints do not throw an error from validation:

  • Create collaborator
  • Feedback
  • Create Review Request
  • Update review request
  • Create Comment
  • get preview info
  • Verify email otp
  • Verify mobile otp
    • Specifically, verify that the /mobile/verifyOtp endpoint no longer accepts an array for mobile
  • Sgid login

alexanderleegs and others added 4 commits March 7, 2024 17:21
* fix(otp): increment instead of update for concurrency

* ref(otp): migrate to use neverthrow instead

* chore: remove unneeded check for empty string
* chore: add validators

* fix: tests

* fix: add test

* chore: enforce 6 length otp
## Problem

There was an issue with #1183 due to the removal of the `trust proxy` setting in express. There are two packages that rely on express APIs, `express-rate-limit` and `express-session`. Due to changes in the way we used `express-rate-limit`, I thought that this setting could be removed; this was only done with the intention of a cleanup and does not affect the functionality of how we are currently using `express-rate-limit`.


The [documentation](https://github.com/expressjs/session?tab=readme-ov-file#cookiesecure) for `express-session` also states that:
>  If secure is set, and you access your site over HTTP, the cookie will not be set. If you have your node.js behind a proxy and are using secure: true, you need to set "trust proxy" in express

Checking in with the VAPT folks to sense-check this fix as well.


## Solution

add back trust proxy 

**Breaking Changes**


- [ ] Yes - this PR contains breaking changes
  - Details ...
- [X] No - this PR is backwards compatible with ALL of the following feature flags in this [doc](https://www.notion.so/opengov/Existing-feature-flags-518ad2cdc325420893a105e88c432be5)


# Note: This test will take a while, and requires at worst 15 mins to conduct
## Tests
- [ ] create a file called ddos.js
```js
// Fires 25 concurrent OTP verification attempts, each with a random spoofed
// X-Forwarded-For, and prints the Ratelimit-* headers the API returns.
// Requires Node 18+ for the global fetch().
const stg = "https://staging-cms-api.isomer.gov.sg/v2/auth/verify"

// Random dotted-quad so every request claims a different source address
// (called in the original script but not defined there).
function generateRandomIp() {
  return Array.from({ length: 4 }, () => Math.floor(Math.random() * 256)).join(".")
}

async function send() {
  try {
    const resp = await fetch(stg, {
      method: "POST",
      body: JSON.stringify({
        email: "[email protected]",
        otp: "111111",
      }),
      headers: {
        "Content-Type": "application/json",
        "X-Forwarded-For": generateRandomIp(),
      },
    })
    const text = await resp.text()
    console.log(text)
    // The counters below should keep falling for every request if the
    // spoofed header is (correctly) not trusted.
    console.log({
      Limit: resp.headers.get("Ratelimit-Limit"),
      Remaining: resp.headers.get("Ratelimit-Remaining"),
      Reset: resp.headers.get("Ratelimit-Reset"),
    })
  } catch (err) {
    console.log(err.message)
  }
}

for (let i = 1; i <= 25; i++) {
  send()
}
```
- [ ] connect to the OGP VPN
- [ ] run `node ddos.js`
- [ ] assert that the remaining counter fell from 100
![Screenshot 2024-03-08 at 9 09 39 AM](https://github.com/isomerpages/isomercms-backend/assets/42832651/9cfb6417-c96c-45fd-8b58-820dd14c90bc)
- [ ] note the reset time (this is the window time, and by extension the amount of time to wait for this test)
- [ ] disconnect from the VPN
- [ ] run `node ddos.js`
- [ ] assert that the remaining counter fell from 100
![Screenshot 2024-03-08 at 9 09 39 AM](https://github.com/isomerpages/isomercms-backend/assets/42832651/9cfb6417-c96c-45fd-8b58-820dd14c90bc)
- [ ] after the reset time has elapsed, do the above steps again and verify that, after the reset time, the counters for both simulated users reset.
![Screenshot 2024-03-08 at 9 14 36 AM](https://github.com/isomerpages/isomercms-backend/assets/42832651/54e99386-6339-43ee-8bf8-1d182e299d33)
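An added example, not code from this PR or the Isomer project, that models what the `trust proxy` discussion and the ddos.js run above are checking: how Express resolves `req.ip` from the socket address and `X-Forwarded-For` for a given `trust proxy` value (modelled on the proxy-addr semantics Express uses), and what a fixed-window limiter keyed on that IP reports as `Ratelimit-Remaining` after a 25-request burst with spoofed headers. The helper names, the socket address and the spoofed addresses are constructed; the limit of 100 and the 15-minute window mirror the test.

```javascript
// Split X-Forwarded-For into hops: leftmost is the original claim,
// rightmost is the address seen by the proxy nearest the app.
function parseForwarded(header) {
  return (header || "").split(",").map((s) => s.trim()).filter(Boolean)
}

// Model of how Express derives req.ip (after proxy-addr): false trusts nothing,
// so the socket address wins; a number n trusts n hops counted from the socket,
// so the n-th X-Forwarded-For entry from the right is used; true trusts every
// hop and takes the leftmost (fully client-controlled) entry.
function resolveClientIp(socketAddr, xffHeader, trust) {
  const hops = parseForwarded(xffHeader).reverse()
  const hopCount = trust === false ? 0 : trust === true ? Infinity : trust
  let ip = socketAddr
  for (let i = 0; i < hops.length && i < hopCount; i++) ip = hops[i]
  return ip
}

// Fixed-window counter keyed by resolved IP, reporting the same
// Ratelimit-Limit / Remaining / Reset values the test script prints.
class FixedWindowLimiter {
  constructor(limit, windowMs) { this.limit = limit; this.windowMs = windowMs; this.hits = new Map() }
  hit(key, now) {
    const prev = this.hits.get(key)
    // Start a fresh window when none exists or the previous one has expired.
    const cur = prev && prev.resetAt > now ? prev : { count: 0, resetAt: now + this.windowMs }
    cur.count += 1
    this.hits.set(key, cur)
    return {
      limit: this.limit,
      remaining: Math.max(0, this.limit - cur.count),
      reset: Math.ceil((cur.resetAt - now) / 1000),
    }
  }
}

// Replay the ddos.js scenario: `requests` POSTs from one socket, each carrying a
// different (constructed) X-Forwarded-For, returning the final Ratelimit-Remaining.
// With trust proxy off every request counts against the socket address, so the
// counter falls; with every hop trusted each spoofed address gets its own counter.
function simulateSpoofedBurst(trust, requests = 25, socketAddr = "203.0.113.10") {
  const limiter = new FixedWindowLimiter(100, 15 * 60 * 1000)
  let last
  for (let i = 1; i <= requests; i++) {
    const spoofed = "198.51.100." + i // constructed spoofed address, distinct per request
    last = limiter.hit(resolveClientIp(socketAddr, spoofed, trust), 0)
  }
  return last.remaining
}
```

Setting `trust proxy` to the real number of proxies in front of the app (1 behind a single load balancer) is what lets `express-session` issue `secure` cookies while still keying the limiter on the address the trusted proxy saw rather than a client-supplied one.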
@dcshzj dcshzj requested a review from a team March 11, 2024 09:56

mergify bot commented Mar 11, 2024

⚠️ The sha of the head commit of this PR conflicts with #1201. Mergify cannot evaluate rules on this PR. ⚠️

dcshzj and others added 3 commits March 11, 2024 19:19
* fix: schema

* fix: make feedback optional

* chore: make feedback optional

mergify bot commented Mar 11, 2024

⚠️ The sha of the head commit of this PR conflicts with #1201. Mergify cannot evaluate rules on this PR. ⚠️

@dcshzj dcshzj merged commit b649898 into master Mar 11, 2024
25 of 28 checks passed
@mergify mergify bot deleted the release/0.70.0 branch March 11, 2024 11:30