Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feat/swap jwt to session #619

Merged
merged 16 commits into from
Feb 24, 2023
Merged

Feat/swap jwt to session #619

merged 16 commits into from
Feb 24, 2023

Conversation

alexanderleegs
Copy link
Contributor

@alexanderleegs alexanderleegs commented Jan 25, 2023

Problem

This PR modifies our existing jwt-based authentication to a session based authentication, using express-session and connect-session-sequelize. The appropriate auth methods have been modified to handle session data instead of jwt. Note that we still maintain jwt for use in github oauth, as well as for encrypting the stored github access token (for github login) - we can only remove jwt once we have migrated all users off github.

Before merging
Run database migrations

New environment variables:

Add SESSION_SECRET
Consider changing AUTH_TOKEN_EXPIRY_DURATION_IN_MILLISECONDS - sessions are automatically renewed for user actions, so we should consider decreasing the amount of time - 8 hours (28800000) or less should be sufficient

Copy link
Contributor

@seaerchin seaerchin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we test for the case where a currently logged in user logs in from another device prior to session expiry?

src/routes/v2/auth.js Show resolved Hide resolved
src/server.js Show resolved Hide resolved
src/server.js Outdated Show resolved Hide resolved
src/types/express/session.d.ts Show resolved Hide resolved
@seaerchin
Copy link
Contributor

Should merge into vapt if we want this to be tested btw

@alexanderleegs alexanderleegs changed the base branch from feat/identity-phase-2 to vapt January 30, 2023 05:06
@alexanderleegs alexanderleegs force-pushed the feat/swap-jwt-to-session branch from c153fee to fd21212 Compare January 30, 2023 05:29
Copy link
Contributor

@seaerchin seaerchin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could you point me to where to session extension is being done? i'm not sure i see it and the readme on express session didn't have it too

@alexanderleegs
Copy link
Contributor Author

alexanderleegs commented Feb 23, 2023

could you point me to where to session extension is being done? i'm not sure i see it and the readme on express session didn't have it too

It's a default setting by our store (connect-session-sequelize), which saves on touch - this can be verified by inspecting the session entry's expires value whenever any action is done on the same session

Copy link
Contributor

@seaerchin seaerchin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm if the touch behaviour is verified

@alexanderleegs alexanderleegs force-pushed the feat/swap-jwt-to-session branch from 1e8f381 to abaa860 Compare February 24, 2023 06:15
@alexanderleegs alexanderleegs merged commit 7578a8e into vapt Feb 24, 2023
@alexanderleegs alexanderleegs deleted the feat/swap-jwt-to-session branch February 24, 2023 06:17
alexanderleegs added a commit that referenced this pull request Mar 7, 2023
* Chore: install new dependencies

* Chore: add migration

* Feat: add session middleware

* feat: replace jwt with session

* feat: update middleware

* feat: update auth routes

* chore: update method names

* Fix: tests

* chore: update .env-example

* chore: rename session middleware

* fix: use lodash isempty

* fix: .env-example

* chore: add logging to login and logout endpoints

* Fix: remove log on logout

Cookie may no longer exist

* fix: tests

* chore: fix rebase errors
alexanderleegs added a commit that referenced this pull request Mar 7, 2023
* fix(notificationonedithandler): add check for email user

* fix(review.ts): update routes access control (#589)

* fix: prevent caching of backend API resp (#616)

* fix: sanitize file content (#591)

* feat: sanitize content via markdown utils

* deps: use isomorphic-dompurify instead

removes the need to declare a virtual DOM in node

* feat: add sanitizedYaml helpers

* feat: use sanitizedYaml helpers in codebase

* test: add tests for sanitizedYaml helpers

* chore: fix silly line break issues

* test: add tests for markdown sanitization utils

* fix: add express import that was removed

by accident

* chore: specify return types in yaml helpers

* fix: make sanitizeYamlParse return type more specific

* fix: hide contactNumber (#584)

* Fix: query for site through repo (#630)

* Fix/make login response indistinguishable (#624)

* feat: add extra logging for mail failure

* fix: always return 200 when attempting to retrieve otp

* chore: update logging for sms

* Fix: use logger.error

* feat: Added virus scan functionality for file upload (VAPT finding) (#631)

* feat: Added virus scan functionality for file/image upload using Cloudmersive API

* Fixed lint and naming convention issue

* uncomment the medianameChecks lines

* Addressed PR comments: added more info/error logging and consistent message

* Addressed PR comments: added check for Cloudmersive API key, corrected variable naming convention

* Removed unused declaration of schema

* auto-formatted by prettier and fixed formatting issue

* chore: fix formatting on package-lock

---------

Co-authored-by: Alexander Lee <[email protected]>

* Feat/swap jwt to session (#619)

* Chore: install new dependencies

* Chore: add migration

* Feat: add session middleware

* feat: replace jwt with session

* feat: update middleware

* feat: update auth routes

* chore: update method names

* Fix: tests

* chore: update .env-example

* chore: rename session middleware

* fix: use lodash isempty

* fix: .env-example

* chore: add logging to login and logout endpoints

* Fix: remove log on logout

Cookie may no longer exist

* fix: tests

* chore: fix rebase errors

* Feat/otp mechanism (#636)

* feat: adding bcrypt as dependency

* feat!: adding otp table and migration

* feat: logic complete for otp service

* test: fix auth service tests

* fix: user service tests

* feat: fix tests and improve checks

* fix: package-lock version formatting

* feat: adding env vars to example

* fix: remove console log

* fix: adding env vars to .env.test

* fix: parsed env vars with check

* fix: simplify find logic

* fix: remove unnecessary null check

* fix: throw instead of return

* test: adding more tests for otp mechanism

* test: add more cases, improve existing cases

* feat: simplify methods without enums

* fix: auth service otp tests

* Feat/throttling (#641)

* build(package): install rate limiting package

* feat(auth): add new rate limiter service and use it in auth router

* test(auth.spec): add skeleton for test cases for auth

* test(auth.spec): add tests for rate limiting

* refactor(ratelimiter.spec): shift to own test file

* chore(server): add trust proxy to our rate limiter

* refactor(ratelimiter): read from env var

* chore(auth.spec): remove unused import

* test(sitesservice.spec): update where condition

* fix(mediafileservice): revert api; fixed tests

* Chore: remove temp ip endpoint

* Fix: remove set number of max hops

* Fix: remove unused import

* chore: remove comment

* chore: change 1 to true

---------

Co-authored-by: seaerchin <[email protected]>

* feat: add gitguardian hook and update readme (#642)

* chore: use trust proxy

* feat: add gitguardian hook and readme

* fix: remove pre-commit config

* fix: fix nits

* fix: add ggshield cache files to gitignore

* feat: use env for gitguardian

* chore: update readme and env example

---------

Co-authored-by: Alexander Lee <[email protected]>

* fix: wrong constant name used in test (#645)

---------

Co-authored-by: seaerchin <[email protected]>
Co-authored-by: seaerchin <[email protected]>
Co-authored-by: Preston Lim <[email protected]>
Co-authored-by: Qilu Xie <[email protected]>
Co-authored-by: Harish <[email protected]>
Co-authored-by: Harish <[email protected]>
alexanderleegs added a commit that referenced this pull request Mar 8, 2023
* fix(notificationonedithandler): add check for email user

* fix(review.ts): update routes access control (#589)

* fix: prevent caching of backend API resp (#616)

* fix: sanitize file content (#591)

* feat: sanitize content via markdown utils

* deps: use isomorphic-dompurify instead

removes the need to declare a virtual DOM in node

* feat: add sanitizedYaml helpers

* feat: use sanitizedYaml helpers in codebase

* test: add tests for sanitizedYaml helpers

* chore: fix silly line break issues

* test: add tests for markdown sanitization utils

* fix: add express import that was removed

by accident

* chore: specify return types in yaml helpers

* fix: make sanitizeYamlParse return type more specific

* fix: hide contactNumber (#584)

* Fix: query for site through repo (#630)

* Fix/make login response indistinguishable (#624)

* feat: add extra logging for mail failure

* fix: always return 200 when attempting to retrieve otp

* chore: update logging for sms

* Fix: use logger.error

* feat: Added virus scan functionality for file upload (VAPT finding) (#631)

* feat: Added virus scan functionality for file/image upload using Cloudmersive API

* Fixed lint and naming convention issue

* uncomment the medianameChecks lines

* Addressed PR comments: added more info/error logging and consistent message

* Addressed PR comments: added check for Cloudmersive API key, corrected variable naming convention

* Removed unused declaration of schema

* auto-formatted by prettier and fixed formatting issue

* chore: fix formatting on package-lock

---------

Co-authored-by: Alexander Lee <[email protected]>

* Feat/swap jwt to session (#619)

* Chore: install new dependencies

* Chore: add migration

* Feat: add session middleware

* feat: replace jwt with session

* feat: update middleware

* feat: update auth routes

* chore: update method names

* Fix: tests

* chore: update .env-example

* chore: rename session middleware

* fix: use lodash isempty

* fix: .env-example

* chore: add logging to login and logout endpoints

* Fix: remove log on logout

Cookie may no longer exist

* fix: tests

* chore: fix rebase errors

* Feat/otp mechanism (#636)

* feat: adding bcrypt as dependency

* feat!: adding otp table and migration

* feat: logic complete for otp service

* test: fix auth service tests

* fix: user service tests

* feat: fix tests and improve checks

* fix: package-lock version formatting

* feat: adding env vars to example

* fix: remove console log

* fix: adding env vars to .env.test

* fix: parsed env vars with check

* fix: simplify find logic

* fix: remove unnecessary null check

* fix: throw instead of return

* test: adding more tests for otp mechanism

* test: add more cases, improve existing cases

* feat: simplify methods without enums

* fix: auth service otp tests

* Feat/throttling (#641)

* build(package): install rate limiting package

* feat(auth): add new rate limiter service and use it in auth router

* test(auth.spec): add skeleton for test cases for auth

* test(auth.spec): add tests for rate limiting

* refactor(ratelimiter.spec): shift to own test file

* chore(server): add trust proxy to our rate limiter

* refactor(ratelimiter): read from env var

* chore(auth.spec): remove unused import

* test(sitesservice.spec): update where condition

* fix(mediafileservice): revert api; fixed tests

* Chore: remove temp ip endpoint

* Fix: remove set number of max hops

* Fix: remove unused import

* chore: remove comment

* chore: change 1 to true

---------

Co-authored-by: seaerchin <[email protected]>

* feat: add gitguardian hook and update readme (#642)

* chore: use trust proxy

* feat: add gitguardian hook and readme

* fix: remove pre-commit config

* fix: fix nits

* fix: add ggshield cache files to gitignore

* feat: use env for gitguardian

* chore: update readme and env example

---------

Co-authored-by: Alexander Lee <[email protected]>

* fix: wrong constant name used in test (#645)

---------

Co-authored-by: seaerchin <[email protected]>
Co-authored-by: seaerchin <[email protected]>
Co-authored-by: Preston Lim <[email protected]>
Co-authored-by: Qilu Xie <[email protected]>
Co-authored-by: Harish <[email protected]>
Co-authored-by: Harish <[email protected]>
alexanderleegs added a commit that referenced this pull request Mar 16, 2023
* fix(notificationonedithandler): add check for email user

* fix(review.ts): update routes access control (#589)

* fix: prevent caching of backend API resp (#616)

* fix: sanitize file content (#591)

* feat: sanitize content via markdown utils

* deps: use isomorphic-dompurify instead

removes the need to declare a virtual DOM in node

* feat: add sanitizedYaml helpers

* feat: use sanitizedYaml helpers in codebase

* test: add tests for sanitizedYaml helpers

* chore: fix silly line break issues

* test: add tests for markdown sanitization utils

* fix: add express import that was removed

by accident

* chore: specify return types in yaml helpers

* fix: make sanitizeYamlParse return type more specific

* fix: hide contactNumber (#584)

* Fix: query for site through repo (#630)

* Fix/make login response indistinguishable (#624)

* feat: add extra logging for mail failure

* fix: always return 200 when attempting to retrieve otp

* chore: update logging for sms

* Fix: use logger.error

* feat: Added virus scan functionality for file upload (VAPT finding) (#631)

* feat: Added virus scan functionality for file/image upload using Cloudmersive API

* Fixed lint and naming convention issue

* uncomment the medianameChecks lines

* Addressed PR comments: added more info/error logging and consistent message

* Addressed PR comments: added check for Cloudmersive API key, corrected variable naming convention

* Removed unused declaration of schema

* auto-formatted by prettier and fixed formatting issue

* chore: fix formatting on package-lock

---------

Co-authored-by: Alexander Lee <[email protected]>

* Feat/swap jwt to session (#619)

* Chore: install new dependencies

* Chore: add migration

* Feat: add session middleware

* feat: replace jwt with session

* feat: update middleware

* feat: update auth routes

* chore: update method names

* Fix: tests

* chore: update .env-example

* chore: rename session middleware

* fix: use lodash isempty

* fix: .env-example

* chore: add logging to login and logout endpoints

* Fix: remove log on logout

Cookie may no longer exist

* fix: tests

* chore: fix rebase errors

* Feat/otp mechanism (#636)

* feat: adding bcrypt as dependency

* feat!: adding otp table and migration

* feat: logic complete for otp service

* test: fix auth service tests

* fix: user service tests

* feat: fix tests and improve checks

* fix: package-lock version formatting

* feat: adding env vars to example

* fix: remove console log

* fix: adding env vars to .env.test

* fix: parsed env vars with check

* fix: simplify find logic

* fix: remove unnecessary null check

* fix: throw instead of return

* test: adding more tests for otp mechanism

* test: add more cases, improve existing cases

* feat: simplify methods without enums

* fix: auth service otp tests

* Feat/throttling (#641)

* build(package): install rate limiting package

* feat(auth): add new rate limiter service and use it in auth router

* test(auth.spec): add skeleton for test cases for auth

* test(auth.spec): add tests for rate limiting

* refactor(ratelimiter.spec): shift to own test file

* chore(server): add trust proxy to our rate limiter

* refactor(ratelimiter): read from env var

* chore(auth.spec): remove unused import

* test(sitesservice.spec): update where condition

* fix(mediafileservice): revert api; fixed tests

* Chore: remove temp ip endpoint

* Fix: remove set number of max hops

* Fix: remove unused import

* chore: remove comment

* chore: change 1 to true

---------

Co-authored-by: seaerchin <[email protected]>

* feat: add gitguardian hook and update readme (#642)

* chore: use trust proxy

* feat: add gitguardian hook and readme

* fix: remove pre-commit config

* fix: fix nits

* fix: add ggshield cache files to gitignore

* feat: use env for gitguardian

* chore: update readme and env example

---------

Co-authored-by: Alexander Lee <[email protected]>

* fix: wrong constant name used in test (#645)

---------

Co-authored-by: seaerchin <[email protected]>
Co-authored-by: seaerchin <[email protected]>
Co-authored-by: Preston Lim <[email protected]>
Co-authored-by: Qilu Xie <[email protected]>
Co-authored-by: Harish <[email protected]>
Co-authored-by: Harish <[email protected]>
seaerchin added a commit that referenced this pull request Mar 30, 2023
* Feat/login flow (#477)

* Feat: add SessionData class

* Refactor: swap out auth middleware to use sessionData

* Refactor: modify sessionData in rollbackRouteHandler

* Feat: update middleware and auth services

* Chore: swap out v1 routes

Using a 1-1 swap here for v1 routes, since these are mostly outdated or due for refactor

* Refactor: swap id used in logger

* Feat: add handler to attach site name to sessionData

* Chore: modify v2 routes and services to use sessionData

* Chore: swap whoamiAuth to verifyJwt and useSiteAccessTokenIfAvailable with checkHasAccess

* Test: add fixtures for new middleware

* Fix: tests

* Fix: allow e2e test user

* Chore: update v1 endpoint

* Fix: migrate auth middle to ts

* Chore: rename to usersessiondata

* Refactor: split sessionData into separate classes

* Chore: replace sessionData

* Chore: replace githubsessiondata

* Chore: add jsdoc for classes

* Chore: update routes and services to pass appropriate sessionData objects

* Fix: tests

* Fix: specify request types

* Chore: remove unnecessary comment

* Fix: simplify getGithubParamsWithSite

* Feat/site member verification for email (#479)

* Feat: add IsomerAdmins database table and migrations

* Feat: add access token via interceptor if missing

* Feat: add isomerAdminsService

* Feat: add hasAccessToSite to usersService

* Feat: shift site membership check to authorizationMiddlewareService

* Chore: replace authMiddleware.checkHasAccess with authorizationMiddleware.checkIsSiteMember

* Chore: migrate authmiddlewareservice to typescript

* Fix: rename auth middleware to authentication middleware

* Fix: move e2e_isomer_id into constants

* Chore: add cookie types

* Fix: more concise check for isSiteMember

* FIx: rebase errors

* Fix: remove unused identityAuthService dependency

* Fix: rename AuthService import as identityAuthService

* Nit: separate type definition

* Feat/email login flow (#480)

* build(deps): bump file-type from 16.5.3 to 16.5.4 (#475)

Bumps [file-type](https://github.com/sindresorhus/file-type) from 16.5.3 to 16.5.4.
- [Release notes](https://github.com/sindresorhus/file-type/releases)
- [Commits](sindresorhus/file-type@v16.5.3...v16.5.4)

---
updated-dependencies:
- dependency-name: file-type
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix: package.json & package-lock.json to reduce vulnerabilities (#476)

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-SEQUELIZE-2959225

* build(deps): bump vm2 from 3.9.5 to 3.9.7 (#350)

Bumps [vm2](https://github.com/patriksimek/vm2) from 3.9.5 to 3.9.7.
- [Release notes](https://github.com/patriksimek/vm2/releases)
- [Changelog](https://github.com/patriksimek/vm2/blob/master/CHANGELOG.md)
- [Commits](patriksimek/vm2@3.9.5...3.9.7)

---
updated-dependencies:
- dependency-name: vm2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Chore: remove site links from description (#482)

* Fix: update resource room (#481)

* 0.10.0

* fix: remove unnecessary update step (#487)

* 0.10.1

* Chore: update commit message to include user id

* Feat: add login and verify endpoints

* Fix: model relations and alias

* Feat: add findSitesByUserId

* Feat: add site retrieval for email and admin users

* Fix: hasAccessToSite

* Fix: update email/mobile by isomer id

* Chore: update error message

* Fix: await check for whitelist

* Chore: add mockSessionData for email login

* Fix: SiteService behaviour for email users with no whitelisted sites

* Test: update sitesservice tests

* Test: add new authservice tests and fix existing tests

* Fix: update user model to allow null in github field

* Fix: update test fixture

* Fix: update user test suite

* Chore: remove unused endpoint

* Fix: rebase errors

* Chore: remove unnecessary message in test

* Chore: remove unnecessary userId field

* Nit: rename variable

* Refactor: shift site retrieval for email users into helper method

* Chore: spacing and remove unused var

* Fix: tests

* Tests: add new authorizationMiddlewareService test

* fix: remove resources_name and add support for url (#490)

* fix: remove resources_name and add support for url

* fix: display url parameter as domain but store with https scheme

* fix: resolve failing tests

* Chore: flip conditional

* Refactor: shift order of getSites to make it easier to understand

* Test: add new auth router tests

* Feat: add integration tests for getSites

* Fix: failing requests for getLastUpdated and getStagingUrl

* Nit: add comment

* Nit: test name and var name

* chore(mocks/axios): remove extra stuff

* test(sites.spec): refactor specs for clarity

* Fix: update settings

* Nit: update comment

* Fix: tests

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Snyk bot <[email protected]>
Co-authored-by: Hsu Zhong Jun <[email protected]>
Co-authored-by: seaerchin <[email protected]>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Snyk bot <[email protected]>
Co-authored-by: Hsu Zhong Jun <[email protected]>
Co-authored-by: seaerchin <[email protected]>

* Fix: e2e bypass of authorization middleware

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Snyk bot <[email protected]>
Co-authored-by: Hsu Zhong Jun <[email protected]>
Co-authored-by: seaerchin <[email protected]>

* feat: collaborators (#510)

* build(devdeps): add lodash types

* fix(model): rectify db model definitions

* refactor: add message param to ForbiddenError

* feat: add CollaboratorsService

* test: add tests for CollaboratorsService

* feat: use CollaboratorService in authorization middleware

* test: add tests for authorization middleware

* feat: add CollaboratorsRouter

* test: add tests for CollaboratorsRouter

* feat(db-migration): change site_members role enum in the database

* feat: modify authzMiddlewareService tests

* fix: error in mock collaborators fixture

* ref(services): migrate SitesService to TypeScript (#512)

* ref(fixtures): convert repoInfo to typescript

* ref(services): migrate SitesService to typescript

* tests: update unit and integration tests for SitesService

* ref(sites): migrate sites router to typescript

* fix: revert back to using SessionData

* fix: remove use of Bluebird and unused getSiteToken function

* fix: use more accurate type

* chore: remove unused variable

* refactor(tests): migrate generic axios instance to __mocks__

* tests: use mockAxios directly instead of preparing an instance

* feat(rr): db migrations (#515)

* chore(infraservice): remove unused prop

* chore(routes/auth): remove unused var

* build(package): add useful command to undo migration

* feat(migrations): add migrations for review requests

fix(db migratino): update property names

* chore(db migration): add migration to add status col to rr

* chore(db migrations): add required columns for seq creation

* feat: introduce a new site info API endpoint (#513)

* ref(fixtures): convert repoInfo to typescript

* ref(services): migrate SitesService to typescript

* tests: update unit and integration tests for SitesService

* ref(sites): migrate sites router to typescript

* fix: revert back to using SessionData

* fix: remove use of Bluebird and unused getSiteToken function

* fix: use more accurate type

* chore: remove unused variable

* refactor(tests): migrate generic axios instance to __mocks__

* feat: introduce function to obtain latest commit details

* feat: add function for obtaining a User by ID

* feat: introduce a new site info API endpoint

* tests: add partial tests for SitesService

* tests: use mockAxios directly instead of preparing an instance

* tests: fix SitesService unit tests to pass

* chore: adjust constants to use SCREAMING_SNAKE_CASE

* fix: add authorizationMiddleware to ensure user is member of site

* chore: combine sessionData unpacking

* fix: insert try-catch to handle errors from JSON.parse

* chore: remove unnecessary check for undefined site

* chore: return instead of throwing NotFoundError

* fix: add assertion to ensure integrity of GitHubCommitData

* fix: remove need for adding site name to sessionData

* refactor: convert routes Sites.spec.js to TypeScript

* refactor: redesign getUrlsOfSite to increase readability

* fix: use correct endpoint to get latest commit data

* test: add unit tests for GitHubService getLatestCommitOfBranch

* fix: add stub for obtaining merge author details

* fix: return a well-formatted response for known exceptions

* test: enhance GitHubService test for all other error statuses

* chore: rename isType function and return boolean directly

* fix: create new siteUrls object instead of changing in-place

* fix: handle case of null or undefined user email

* chore: improve code style

* tests: fix output of getStagingUrl

* feat: add collaborators statistics API endpoint (#520)

* ref(fixtures): convert repoInfo to typescript

* ref(services): migrate SitesService to typescript

* tests: update unit and integration tests for SitesService

* ref(sites): migrate sites router to typescript

* fix: revert back to using SessionData

* fix: remove use of Bluebird and unused getSiteToken function

* fix: use more accurate type

* chore: remove unused variable

* refactor(tests): migrate generic axios instance to __mocks__

* feat: introduce function to obtain latest commit details

* feat: add function for obtaining a User by ID

* feat: introduce a new site info API endpoint

* tests: add partial tests for SitesService

* tests: use mockAxios directly instead of preparing an instance

* tests: fix SitesService unit tests to pass

* chore: adjust constants to use SCREAMING_SNAKE_CASE

* fix: add authorizationMiddleware to ensure user is member of site

* chore: combine sessionData unpacking

* fix: insert try-catch to handle errors from JSON.parse

* chore: remove unnecessary check for undefined site

* chore: return instead of throwing NotFoundError

* fix: add assertion to ensure integrity of GitHubCommitData

* fix: remove need for adding site name to sessionData

* refactor: convert routes Sites.spec.js to TypeScript

* refactor: redesign getUrlsOfSite to increase readability

* feat: add collaborators statistics API endpoint

* test: add unit tests for collaborators statistics

* fix: return 404 instead of throwing an exception

* tests: add test to check for 404 status

* refactor: remove all usages of TokenStore and tests (#533)

* feat(rr): add database models (#518)

* chore(infraservice): remove unused prop

* chore(routes/auth): remove unused var

* build(package): add useful command to undo migration

* feat(migrations): add migrations for review requests

fix(db migratino): update property names

* chore(db migration): add migration to add status col to rr

* chore(db migrations): add required columns for seq creation

* feat(db/models): add new db models for rr

fix(db models): update db models

fix(reviewmeat): update db model

* chore(reviewrequest): update db model for seq

* fix(reviewmeta): add annotation on db model

* chore(reviewrequest.ts): add col to db model

* fix(teardown): add enum dropping for tests teardown

* feat: add new siteUrl API endpoint to get the production URL of site (#535)

* Feat/notifications (#508)

* Feat: add notification database model and update related models

* Chore: add migrations

Also adds id to site_members table for easier reference

* Feat: add notificationService

* Feat: add notificationUtils

* Feat: add notifications router

* Chore: initialise Notifications table and services

* Fix: remove unused imports

* Fix: change behaviour of quick retrieval

Always returns only new notifications now, unless there are none, in which case it returns most recent 6

* Chore: remove unused imports

* Refactor: findAll method

* Chore: add notificationResponse type

* Feat: add created_at sorting criteria

* Fix: notification sorting order

* Chore: add documentation for sort criteria

* Fix: rebase errors

* Fix: rebase errors for tests

* feat(rr): services + routes (#519)

* feat(services): add initial services for rr

* feat(types): add github types

* feat(reviewrequestservice): add features

* chore(review): wip for review routes

* feat(types): add new types

* feat(reviewrequestservice): add impl for computing sha mappings

* feat(usersservice): add nwe method to user service to retrieve site admins

* feat(review): add route for creating review request

* refactor(collaboratorsservice): refactor method api for clarity

* feat(types): add more types

* refactor(collaborators): fix typings and add more steuff to return

* chore(routes): update authenticated routes

* chore(review): refactor to use collaborators service

* refactor(reviewrequestservice): update methods

* chore(server): add init code

* refactor(reviewmeta): updat eto use belongs to

* feat(types): add more types

* feat(requestnotfounderror): add new error type

* feat(review): add methods for listing review requests and retrieval of rr

* refactor(types/dto): update review types

* refactor(rrservice): update enum type

* feat(rrservice): add new method to merge rr

* feat(review): add new route to merge rr

* fix(collaborators): remove erroneous destructuring

* fix(routes/review): add siteId prop

* chore(review dto): add status

* chore(requestrequestservice): remove old comment

* fix(reviewrequestservice): changed some stuff to be optional

* refactor(rr service): split retrieving db/github view into 2 methods

* feat(rr service): add methods to close/approve rr

* refactor(rr service): refactor merge rr method

* chore(collaboratorsservice): remove extra typecasts

* feat(rr): add new endpoint to update rr

* chore(types): minor cleanup

* feat(rr routes): add new routes for close and approve pr

* chore(review): update to userwithsitesesiontoken

* refactor(reviewrequestservice): migrate api calls into own file

* refactor(authenticated): shift review router dpes to init function

* fix(index): fixed faulty init

* refactor(reviewrequestservice): add site to reviewreq object

* fix(review.ts): add explicit bearer token to api call

* refactor(rrservice): refactor to retrieve user from db

* chore(settingsservice): remove extra console log

* chore(github): remove extra `patch` property

* chore(review): add logging

* fix(server): update imports from rebase

* Chore: Update src/routes/v2/authenticated/review.ts

Co-authored-by: Hsu Zhong Jun <[email protected]>

* Chore: Update src/routes/v2/authenticated/review.ts

Co-authored-by: Hsu Zhong Jun <[email protected]>

* feat(rr status): add rr status enum

* chore(rr): update db model

* refactor(rrservice): updat to use enum

* chore(rrservice): fix commennt

* chore(review): update error codes

* chore(usersservice): rename hasAccess to getSiteMember

* chore(usersservice): update method name

* feat(rr): allow updating of admins (#539)

* chore(server): add init code

* chore(dto): removed trailing space on folder name

* refactor(reviewrequestservice): update to remove title/desc from update api

* chore(collaborators): update import

* chore(routes/review): updaterr api

Co-authored-by: Hsu Zhong Jun <[email protected]>

* feat: add model and migration for review_request_views table (#521)

* feat: add model and migration for review_request_views table

* chore: rename migration

* fix: add missing association with ReviewRequest model

* fix: revert adding association in ReviewRequest model

* fix: missing @column for primary and foreign key

* fix: add new database table to sequelize

* feat: add review request views API endpoint and functions (#532)

* feat: add review request views API endpoint and functions

* fix: adjust to use Promise.all to allow concurrent creations

* chore: adjust naming of variable to be more reflective of state

* Expose new API endpoint to update lastViewedAt timestamp

* fix(server): removed extra db assoc

* fix(formsgsitecreation): removed extra prop

* Fix: reviewRequestId instead of reviewId

* fix(server.js): add reviewrequestview init

* feat: add endpoint to mark a review request as viewed (#550)

* feat: add endpoint to mark a review request as viewed

* fix: use upsert for updateReviewRequestLastViewedAt

* Feat/comments (#534)

* Feat: add methods for retrieving comments from github

* Chore: add types

* Feat: add comments methods to reviewRequestService

* Feat: add comments routes

* fix: check for properly formatted comments

* Chore: remove incorrect comments

* Fix: remove error return type

* Fix: add logging if site not found

* Feat: swap use of email in github commit to userid

* Fix: response type

* Fix: rename method and add github comment type

* fix: compute the number of new comments to show (#549)

* fix: compute the number of new comments to show

* chore: adjust naming of variable and structure of code

* chore: split getting number of new comments into 2 lines

Co-authored-by: Hsu Zhong Jun <[email protected]>

* feat(rr): adds be for unapproval of rr (#540)

* feat(rr): delete rr approval

* chore(review): update numbering and logging

* chore(review): update to send rather than empty json

* fix(rrservice): update to use enum

* fix: use review request requestor email for production commit email (#552)

* fix: include full model in order by due to presence of alias (#554)

* fix(server): swap order for auth to avoid nemspace conflicts

* fix(review): allow rr creation by users of the site (#556)

* tests: add remaining tests for identity features in SitesService (#566)

* chore: define more specific constants for source of URLs

* chore: move siteUrls type to repoInfo

* tests: add remaining tests for identity features

* tests: add spy method to check if extractAuthorEmail was called

* chore(collaborators): update typings (#568)

* chore(collaborators): update typings to be accurate

* chore(collaborators): update typings

* tests: add unit tests for ReviewRequestService (#569)

* chore: remove TODO comment as it is already done

* fix: should get the count of unread comments instead

* tests: add ReviewRequestService unit tests

* chore: move tests back to identity services

* chore: remove unused variable

* chore: adjust naming of test to be clearer on the situation

* ref(fixtures): allow generating router for different user types (#574)

* ref(fixtures): allow generating router for different user types

* fix: switch to specifying the siteName directly

* feat: allow adding a default user session

* Fix/reference sitename from repo (#577)

* Fix: use name from Repo instead of Site

* Fix: tests

* Fix: run tests sequentially

* Fix: remove required from includes

* Feat/add middleware for verifying email user (#573)

* Feat: add middleware for email user

* feat: add email verification middleware to collaborators

* tests: add integration tests for review requests and comments (#576)

* fix: force tests to run sequentially

* fix: reset the state of the tables before running the tests

* feat: add fixtures used for review requests

* fix: await results from IdentityService

* tests: add partial integration tests for review requests

* chore: switch site name to use repo name instead

* chore: switch to using variable for file name

* chore: standardise the response codes for non-happy paths

* fix: add additional sanity checks for comments-related features

* tests: add remaining integration tests for review requests

* fix: add methods to generate router for default values

* chore: rename test to be more reflective of its purpose

* fix: add missing return and await when updating database

* chore: add comment on the need for Table.sync

* fix(collaborators): add required middleware (#586)

* fix(collaborators): add required middleware

* chore(review): add missing await

* tests: add unit tests for review requests routes (#582)

* feat(rr): blob diffs (#575)

* feat(review): add service methods to get raw blob from gh

* feat(review): add route to retrieve blob diff

* chore(review): add comment for head refs at present

* fix(review): update types, fix header and remove extra await

* Feat/notifications tests (#514)

* Feat: add notificationService tests

* Test: add Notification router tests

* Test: add integration test for notifications

* Fix: notification tests to work with new behaviour

* Chore: swap constants to SCREAMING_SNAKE_CASE

* Chore: fix test description

* Chore: add comments

* Chore: modify test names

* Fix: cleanup tables between tests

* Feat/generic notification creation (#523)

* Feat: move notifications router to authenticated subrouter

* Feat: modify create notification arguments

* Feat: add notification middleware to handle edit notifications

* Fix: allow next on routeHandler

* Feat: add creatnotification middleware to authenticatesSitesRouter

* Chore: add notification types

* Feat: add notification changes when reviews are modified

* Fix: swap order of subrouters

* Fix: review request router dependencies

* Fix: time period for updating notification

* Fix: updating createdAt

* Fix: tests

* Chore: swap to promise.all

* fix: rebase errors

* Fix: add jsdoc

* Feat: add link to notificationHandler

* Fix: swap to promise.all and add links

* fix(review): fixed triggering event for request approved notif

* chore(notifications.spec): added correct ports

* Fix: update message on update notification

* Fix: notification integration tests

* Feat: add generic notification handler tests (#572)

* Feat: add generic notification handler tests

* Fix: router initialisation and cleanup

* fix: update github actions to use runInBand

* Fix: update tests

* Fix: reset database tables before integration tests

* Chore: modify imports

* Nit: test comment spelling

Co-authored-by: Kishore <[email protected]>

* Nit: comments and change var names

Co-authored-by: Kishore <[email protected]>

Co-authored-by: seaerchin <[email protected]>
Co-authored-by: Kishore <[email protected]>

* Vapt: merge back to tracking (#647)

* fix(notificationonedithandler): add check for email user

* fix(review.ts): update routes access control (#589)

* fix: prevent caching of backend API resp (#616)

* fix: sanitize file content (#591)

* feat: sanitize content via markdown utils

* deps: use isomorphic-dompurify instead

removes the need to declare a virtual DOM in node

* feat: add sanitizedYaml helpers

* feat: use sanitizedYaml helpers in codebase

* test: add tests for sanitizedYaml helpers

* chore: fix silly line break issues

* test: add tests for markdown sanitization utils

* fix: add express import that was removed

by accident

* chore: specify return types in yaml helpers

* fix: make sanitizeYamlParse return type more specific

* fix: hide contactNumber (#584)

* Fix: query for site through repo (#630)

* Fix/make login response indistinguishable (#624)

* feat: add extra logging for mail failure

* fix: always return 200 when attempting to retrieve otp

* chore: update logging for sms

* Fix: use logger.error

* feat: Added virus scan functionality for file upload (VAPT finding) (#631)

* feat: Added virus scan functionality for file/image upload using Cloudmersive API

* Fixed lint and naming convention issue

* uncomment the medianameChecks lines

* Addressed PR comments: added more info/error logging and consistent message

* Addressed PR comments: added check for Cloudmersive API key, corrected variable naming convention

* Removed unused declaration of schema

* auto-formatted by prettier and fixed formatting issue

* chore: fix formatting on package-lock

---------

Co-authored-by: Alexander Lee <[email protected]>

* Feat/swap jwt to session (#619)

* Chore: install new dependencies

* Chore: add migration

* Feat: add session middleware

* feat: replace jwt with session

* feat: update middleware

* feat: update auth routes

* chore: update method names

* Fix: tests

* chore: update .env-example

* chore: rename session middleware

* fix: use lodash isempty

* fix: .env-example

* chore: add logging to login and logout endpoints

* Fix: remove log on logout

Cookie may no longer exist

* fix: tests

* chore: fix rebase errors

* Feat/otp mechanism (#636)

* feat: adding bcrypt as dependency

* feat!: adding otp table and migration

* feat: logic complete for otp service

* test: fix auth service tests

* fix: user service tests

* feat: fix tests and improve checks

* fix: package-lock version formatting

* feat: adding env vars to example

* fix: remove console log

* fix: adding env vars to .env.test

* fix: parsed env vars with check

* fix: simplify find logic

* fix: remove unnecessary null check

* fix: throw instead of return

* test: adding more tests for otp mechanism

* test: add more cases, improve existing cases

* feat: simplify methods without enums

* fix: auth service otp tests

* Feat/throttling (#641)

* build(package): install rate limiting package

* feat(auth): add new rate limiter service and use it in auth router

* test(auth.spec): add skeleton for test cases for auth

* test(auth.spec): add tests for rate limiting

* refactor(ratelimiter.spec): shift to own test file

* chore(server): add trust proxy to our rate limiter

* refactor(ratelimiter): read from env var

* chore(auth.spec): remove unused import

* test(sitesservice.spec): update where condition

* fix(mediafileservice): revert api; fixed tests

* Chore: remove temp ip endpoint

* Fix: remove set number of max hops

* Fix: remove unused import

* chore: remove comment

* chore: change 1 to true

---------

Co-authored-by: seaerchin <[email protected]>

* feat: add gitguardian hook and update readme (#642)

* chore: use trust proxy

* feat: add gitguardian hook and readme

* fix: remove pre-commit config

* fix: fix nits

* fix: add ggshield cache files to gitignore

* feat: use env for gitguardian

* chore: update readme and env example

---------

Co-authored-by: Alexander Lee <[email protected]>

* fix: wrong constant name used in test (#645)

---------

Co-authored-by: seaerchin <[email protected]>
Co-authored-by: seaerchin <[email protected]>
Co-authored-by: Preston Lim <[email protected]>
Co-authored-by: Qilu Xie <[email protected]>
Co-authored-by: Harish <[email protected]>
Co-authored-by: Harish <[email protected]>

* Fix: rebase errors

* Fix: error message for review request

* Fix: tests

* feat: use convict for env vars (#646)

* feat: add convict as dependency

* feat: config wip

* feat: add convict schema with defaults and validation

* feat: add config alias and update dependencies

* feat: replace process.env with config.get (wip)

* fix: use import over require

* feat: wip to use config

* feat: add cloudmersive key as env

* feat: wip to use config

* feat: update config properties

* feat: update imports and use config

* chore: update env.test and imports

* chore: standardise env

* chore: remove dotenv

* chore: format eslintrc

* fix: rename convict format and env enums

* chore: remove DOMAIN_WHITELIST from env

* chore: revert trust proxy change

* fix: cookie domain to be enums

* feat: update to use config

* fix: remove checks for env in logic

* fix: make gitGuardian optional env

* feat: add staging as option for node env

* chore(app): chagne to import syntax

* fix: remove string coercing for env key

* chore: remove check for undefine site create form key env

* chore: update package-lock

---------

Co-authored-by: seaerchin <[email protected]>

* fix: make default empty strings (#658)

* Fix/convict fixes (#660)

* fix: make site launch vars optional, remove redundant ones

* fix: remove duplicate express-session in package json

* Chore/change node env of local dev to expect dev (#659)

* chore: update references to node_env

* Fix: remove .toLowerCase when retrieving config

* Chore: add vapt to accepted application environments

* Refactor: use isSecure

* chore: replace IS_LOCAL_DEV with IS_DEV

* Fix: change isSecure to variable instead of func (#664)

* Fix/convict fixes (#663)

* fix: update database config to use process.env

* feat: strengthen validation for number check

* fix: add try-catch to convict validate to prevent hard failure on deployment

* fix: rename to use whole number

* fix: console log convict err

* fix: update check for whole to natural number

* fix: rename back to positive number

* fix: add radix param

* chore(package-lock): installed using old npm

---------

Co-authored-by: Alexander Lee <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Snyk bot <[email protected]>
Co-authored-by: Hsu Zhong Jun <[email protected]>
Co-authored-by: Preston Lim <[email protected]>
Co-authored-by: Kishore <[email protected]>
Co-authored-by: Qilu Xie <[email protected]>
Co-authored-by: Harish <[email protected]>
Co-authored-by: Harish <[email protected]>
harishv7 added a commit that referenced this pull request Mar 30, 2023
* Chore(Site launch microservices):managing cloud environments (#657)

* chore(serverless): remove offline packages

+ more meaningful naming for clarity

* chore(deps): add deps + add in commands for cloud development

* chore(readme): update readme

* chore(docker compose): remove local emulation of lambdas (#666)

we no longer use local stack

* feat(identity): phase 2  (#509)

* Feat/login flow (#477)

* Feat: add SessionData class

* Refactor: swap out auth middleware to use sessionData

* Refactor: modify sessionData in rollbackRouteHandler

* Feat: update middleware and auth services

* Chore: swap out v1 routes

Using a 1-1 swap here for v1 routes, since these are mostly outdated or due for refactor

* Refactor: swap id used in logger

* Feat: add handler to attach site name to sessionData

* Chore: modify v2 routes and services to use sessionData

* Chore: swap whoamiAuth to verifyJwt and useSiteAccessTokenIfAvailable with checkHasAccess

* Test: add fixtures for new middleware

* Fix: tests

* Fix: allow e2e test user

* Chore: update v1 endpoint

* Fix: migrate auth middle to ts

* Chore: rename to usersessiondata

* Refactor: split sessionData into separate classes

* Chore: replace sessionData

* Chore: replace githubsessiondata

* Chore: add jsdoc for classes

* Chore: update routes and services to pass appropriate sessionData objects

* Fix: tests

* Fix: specify request types

* Chore: remove unnecessary comment

* Fix: simplify getGithubParamsWithSite

* Feat/site member verification for email (#479)

* Feat: add IsomerAdmins database table and migrations

* Feat: add access token via interceptor if missing

* Feat: add isomerAdminsService

* Feat: add hasAccessToSite to usersService

* Feat: shift site membership check to authorizationMiddlewareService

* Chore: replace authMiddleware.checkHasAccess with authorizationMiddleware.checkIsSiteMember

* Chore: migrate authmiddlewareservice to typescript

* Fix: rename auth middleware to authentication middleware

* Fix: move e2e_isomer_id into constants

* Chore: add cookie types

* Fix: more concise check for isSiteMember

* FIx: rebase errors

* Fix: remove unused identityAuthService dependency

* Fix: rename AuthService import as identityAuthService

* Nit: separate type definition

* Feat/email login flow (#480)

* build(deps): bump file-type from 16.5.3 to 16.5.4 (#475)

Bumps [file-type](https://github.com/sindresorhus/file-type) from 16.5.3 to 16.5.4.
- [Release notes](https://github.com/sindresorhus/file-type/releases)
- [Commits](sindresorhus/file-type@v16.5.3...v16.5.4)

---
updated-dependencies:
- dependency-name: file-type
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix: package.json & package-lock.json to reduce vulnerabilities (#476)

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-SEQUELIZE-2959225

* build(deps): bump vm2 from 3.9.5 to 3.9.7 (#350)

Bumps [vm2](https://github.com/patriksimek/vm2) from 3.9.5 to 3.9.7.
- [Release notes](https://github.com/patriksimek/vm2/releases)
- [Changelog](https://github.com/patriksimek/vm2/blob/master/CHANGELOG.md)
- [Commits](patriksimek/vm2@3.9.5...3.9.7)

---
updated-dependencies:
- dependency-name: vm2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Chore: remove site links from description (#482)

* Fix: update resource room (#481)

* 0.10.0

* fix: remove unnecessary update step (#487)

* 0.10.1

* Chore: update commit message to include user id

* Feat: add login and verify endpoints

* Fix: model relations and alias

* Feat: add findSitesByUserId

* Feat: add site retrieval for email and admin users

* Fix: hasAccessToSite

* Fix: update email/mobile by isomer id

* Chore: update error message

* Fix: await check for whitelist

* Chore: add mockSessionData for email login

* Fix: SiteService behaviour for email users with no whitelisted sites

* Test: update sitesservice tests

* Test: add new authservice tests and fix existing tests

* Fix: update user model to allow null in github field

* Fix: update test fixture

* Fix: update user test suite

* Chore: remove unused endpoint

* Fix: rebase errors

* Chore: remove unnecessary message in test

* Chore: remove unnecessary userId field

* Nit: rename variable

* Refactor: shift site retrieval for email users into helper method

* Chore: spacing and remove unused var

* Fix: tests

* Tests: add new authorizationMiddlewareService test

* fix: remove resources_name and add support for url (#490)

* fix: remove resources_name and add support for url

* fix: display url parameter as domain but store with https scheme

* fix: resolve failing tests

* Chore: flip conditional

* Refactor: shift order of getSites to make it easier to understand

* Test: add new auth router tests

* Feat: add integration tests for getSites

* Fix: failing requests for getLastUpdated and getStagingUrl

* Nit: add comment

* Nit: test name and var name

* chore(mocks/axios): remove extra stuff

* test(sites.spec): refactor specs for clarity

* Fix: update settings

* Nit: update comment

* Fix: tests

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Snyk bot <[email protected]>
Co-authored-by: Hsu Zhong Jun <[email protected]>
Co-authored-by: seaerchin <[email protected]>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Snyk bot <[email protected]>
Co-authored-by: Hsu Zhong Jun <[email protected]>
Co-authored-by: seaerchin <[email protected]>

* Fix: e2e bypass of authorization middleware

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Snyk bot <[email protected]>
Co-authored-by: Hsu Zhong Jun <[email protected]>
Co-authored-by: seaerchin <[email protected]>

* feat: collaborators (#510)

* build(devdeps): add lodash types

* fix(model): rectify db model definitions

* refactor: add message param to ForbiddenError

* feat: add CollaboratorsService

* test: add tests for CollaboratorsService

* feat: use CollaboratorService in authorization middleware

* test: add tests for authorization middleware

* feat: add CollaboratorsRouter

* test: add tests for CollaboratorsRouter

* feat(db-migration): change site_members role enum in the database

* feat: modify authzMiddlewareService tests

* fix: error in mock collaborators fixture

* ref(services): migrate SitesService to TypeScript (#512)

* ref(fixtures): convert repoInfo to typescript

* ref(services): migrate SitesService to typescript

* tests: update unit and integration tests for SitesService

* ref(sites): migrate sites router to typescript

* fix: revert back to using SessionData

* fix: remove use of Bluebird and unused getSiteToken function

* fix: use more accurate type

* chore: remove unused variable

* refactor(tests): migrate generic axios instance to __mocks__

* tests: use mockAxios directly instead of preparing an instance

* feat(rr): db migrations (#515)

* chore(infraservice): remove unused prop

* chore(routes/auth): remove unused var

* build(package): add useful command to undo migration

* feat(migrations): add migrations for review requests

fix(db migratino): update property names

* chore(db migration): add migration to add status col to rr

* chore(db migrations): add required columns for seq creation

* feat: introduce a new site info API endpoint (#513)

* ref(fixtures): convert repoInfo to typescript

* ref(services): migrate SitesService to typescript

* tests: update unit and integration tests for SitesService

* ref(sites): migrate sites router to typescript

* fix: revert back to using SessionData

* fix: remove use of Bluebird and unused getSiteToken function

* fix: use more accurate type

* chore: remove unused variable

* refactor(tests): migrate generic axios instance to __mocks__

* feat: introduce function to obtain latest commit details

* feat: add function for obtaining a User by ID

* feat: introduce a new site info API endpoint

* tests: add partial tests for SitesService

* tests: use mockAxios directly instead of preparing an instance

* tests: fix SitesService unit tests to pass

* chore: adjust constants to use SCREAMING_SNAKE_CASE

* fix: add authorizationMiddleware to ensure user is member of site

* chore: combine sessionData unpacking

* fix: insert try-catch to handle errors from JSON.parse

* chore: remove unnecessary check for undefined site

* chore: return instead of throwing NotFoundError

* fix: add assertion to ensure integrity of GitHubCommitData

* fix: remove need for adding site name to sessionData

* refactor: convert routes Sites.spec.js to TypeScript

* refactor: redesign getUrlsOfSite to increase readability

* fix: use correct endpoint to get latest commit data

* test: add unit tests for GitHubService getLatestCommitOfBranch

* fix: add stub for obtaining merge author details

* fix: return a well-formatted response for known exceptions

* test: enhance GitHubService test for all other error statuses

* chore: rename isType function and return boolean directly

* fix: create new siteUrls object instead of changing in-place

* fix: handle case of null or undefined user email

* chore: improve code style

* tests: fix output of getStagingUrl

* feat: add collaborators statistics API endpoint (#520)

* ref(fixtures): convert repoInfo to typescript

* ref(services): migrate SitesService to typescript

* tests: update unit and integration tests for SitesService

* ref(sites): migrate sites router to typescript

* fix: revert back to using SessionData

* fix: remove use of Bluebird and unused getSiteToken function

* fix: use more accurate type

* chore: remove unused variable

* refactor(tests): migrate generic axios instance to __mocks__

* feat: introduce function to obtain latest commit details

* feat: add function for obtaining a User by ID

* feat: introduce a new site info API endpoint

* tests: add partial tests for SitesService

* tests: use mockAxios directly instead of preparing an instance

* tests: fix SitesService unit tests to pass

* chore: adjust constants to use SCREAMING_SNAKE_CASE

* fix: add authorizationMiddleware to ensure user is member of site

* chore: combine sessionData unpacking

* fix: insert try-catch to handle errors from JSON.parse

* chore: remove unnecessary check for undefined site

* chore: return instead of throwing NotFoundError

* fix: add assertion to ensure integrity of GitHubCommitData

* fix: remove need for adding site name to sessionData

* refactor: convert routes Sites.spec.js to TypeScript

* refactor: redesign getUrlsOfSite to increase readability

* feat: add collaborators statistics API endpoint

* test: add unit tests for collaborators statistics

* fix: return 404 instead of throwing an exception

* tests: add test to check for 404 status

* refactor: remove all usages of TokenStore and tests (#533)

* feat(rr): add database models (#518)

* chore(infraservice): remove unused prop

* chore(routes/auth): remove unused var

* build(package): add useful command to undo migration

* feat(migrations): add migrations for review requests

fix(db migratino): update property names

* chore(db migration): add migration to add status col to rr

* chore(db migrations): add required columns for seq creation

* feat(db/models): add new db models for rr

fix(db models): update db models

fix(reviewmeat): update db model

* chore(reviewrequest): update db model for seq

* fix(reviewmeta): add annotation on db model

* chore(reviewrequest.ts): add col to db model

* fix(teardown): add enum dropping for tests teardown

* feat: add new siteUrl API endpoint to get the production URL of site (#535)

* Feat/notifications (#508)

* Feat: add notification database model and update related models

* Chore: add migrations

Also adds id to site_members table for easier reference

* Feat: add notificationService

* Feat: add notificationUtils

* Feat: add notifications router

* Chore: initialise Notifications table and services

* Fix: remove unused imports

* Fix: change behaviour of quick retrieval

Always returns only new notifications now, unless there are none, in which case it returns most recent 6

* Chore: remove unused imports

* Refactor: findAll method

* Chore: add notificationResponse type

* Feat: add created_at sorting criteria

* Fix: notification sorting order

* Chore: add documentation for sort criteria

* Fix: rebase errors

* Fix: rebase errors for tests

* feat(rr): services + routes (#519)

* feat(services): add initial services for rr

* feat(types): add github types

* feat(reviewrequestservice): add features

* chore(review): wip for review routes

* feat(types): add new types

* feat(reviewrequestservice): add impl for computing sha mappings

* feat(usersservice): add nwe method to user service to retrieve site admins

* feat(review): add route for creating review request

* refactor(collaboratorsservice): refactor method api for clarity

* feat(types): add more types

* refactor(collaborators): fix typings and add more steuff to return

* chore(routes): update authenticated routes

* chore(review): refactor to use collaborators service

* refactor(reviewrequestservice): update methods

* chore(server): add init code

* refactor(reviewmeta): updat eto use belongs to

* feat(types): add more types

* feat(requestnotfounderror): add new error type

* feat(review): add methods for listing review requests and retrieval of rr

* refactor(types/dto): update review types

* refactor(rrservice): update enum type

* feat(rrservice): add new method to merge rr

* feat(review): add new route to merge rr

* fix(collaborators): remove erroneous destructuring

* fix(routes/review): add siteId prop

* chore(review dto): add status

* chore(requestrequestservice): remove old comment

* fix(reviewrequestservice): changed some stuff to be optional

* refactor(rr service): split retrieving db/github view into 2 methods

* feat(rr service): add methods to close/approve rr

* refactor(rr service): refactor merge rr method

* chore(collaboratorsservice): remove extra typecasts

* feat(rr): add new endpoint to update rr

* chore(types): minor cleanup

* feat(rr routes): add new routes for close and approve pr

* chore(review): update to userwithsitesesiontoken

* refactor(reviewrequestservice): migrate api calls into own file

* refactor(authenticated): shift review router dpes to init function

* fix(index): fixed faulty init

* refactor(reviewrequestservice): add site to reviewreq object

* fix(review.ts): add explicit bearer token to api call

* refactor(rrservice): refactor to retrieve user from db

* chore(settingsservice): remove extra console log

* chore(github): remove extra `patch` property

* chore(review): add logging

* fix(server): update imports from rebase

* Chore: Update src/routes/v2/authenticated/review.ts

Co-authored-by: Hsu Zhong Jun <[email protected]>

* Chore: Update src/routes/v2/authenticated/review.ts

Co-authored-by: Hsu Zhong Jun <[email protected]>

* feat(rr status): add rr status enum

* chore(rr): update db model

* refactor(rrservice): updat to use enum

* chore(rrservice): fix commennt

* chore(review): update error codes

* chore(usersservice): rename hasAccess to getSiteMember

* chore(usersservice): update method name

* feat(rr): allow updating of admins (#539)

* chore(server): add init code

* chore(dto): removed trailing space on folder name

* refactor(reviewrequestservice): update to remove title/desc from update api

* chore(collaborators): update import

* chore(routes/review): updaterr api

Co-authored-by: Hsu Zhong Jun <[email protected]>

* feat: add model and migration for review_request_views table (#521)

* feat: add model and migration for review_request_views table

* chore: rename migration

* fix: add missing association with ReviewRequest model

* fix: revert adding association in ReviewRequest model

* fix: missing @column for primary and foreign key

* fix: add new database table to sequelize

* feat: add review request views API endpoint and functions (#532)

* feat: add review request views API endpoint and functions

* fix: adjust to use Promise.all to allow concurrent creations

* chore: adjust naming of variable to be more reflective of state

* Expose new API endpoint to update lastViewedAt timestamp

* fix(server): removed extra db assoc

* fix(formsgsitecreation): removed extra prop

* Fix: reviewRequestId instead of reviewId

* fix(server.js): add reviewrequestview init

* feat: add endpoint to mark a review request as viewed (#550)

* feat: add endpoint to mark a review request as viewed

* fix: use upsert for updateReviewRequestLastViewedAt

* Feat/comments (#534)

* Feat: add methods for retrieving comments from github

* Chore: add types

* Feat: add comments methods to reviewRequestService

* Feat: add comments routes

* fix: check for properly formatted comments

* Chore: remove incorrect comments

* Fix: remove error return type

* Fix: add logging if site not found

* Feat: swap use of email in github commit to userid

* Fix: response type

* Fix: rename method and add github comment type

* fix: compute the number of new comments to show (#549)

* fix: compute the number of new comments to show

* chore: adjust naming of variable and structure of code

* chore: split getting number of new comments into 2 lines

Co-authored-by: Hsu Zhong Jun <[email protected]>

* feat(rr): adds be for unapproval of rr (#540)

* feat(rr): delete rr approval

* chore(review): update numbering and logging

* chore(review): update to send rather than empty json

* fix(rrservice): update to use enum

* fix: use review request requestor email for production commit email (#552)

* fix: include full model in order by due to presence of alias (#554)

* fix(server): swap order for auth to avoid nemspace conflicts

* fix(review): allow rr creation by users of the site (#556)

* tests: add remaining tests for identity features in SitesService (#566)

* chore: define more specific constants for source of URLs

* chore: move siteUrls type to repoInfo

* tests: add remaining tests for identity features

* tests: add spy method to check if extractAuthorEmail was called

* chore(collaborators): update typings (#568)

* chore(collaborators): update typings to be accurate

* chore(collaborators): update typings

* tests: add unit tests for ReviewRequestService (#569)

* chore: remove TODO comment as it is already done

* fix: should get the count of unread comments instead

* tests: add ReviewRequestService unit tests

* chore: move tests back to identity services

* chore: remove unused variable

* chore: adjust naming of test to be clearer on the situation

* ref(fixtures): allow generating router for different user types (#574)

* ref(fixtures): allow generating router for different user types

* fix: switch to specifying the siteName directly

* feat: allow adding a default user session

* Fix/reference sitename from repo (#577)

* Fix: use name from Repo instead of Site

* Fix: tests

* Fix: run tests sequentially

* Fix: remove required from includes

* Feat/add middleware for verifying email user (#573)

* Feat: add middleware for email user

* feat: add email verification middleware to collaborators

* tests: add integration tests for review requests and comments (#576)

* fix: force tests to run sequentially

* fix: reset the state of the tables before running the tests

* feat: add fixtures used for review requests

* fix: await results from IdentityService

* tests: add partial integration tests for review requests

* chore: switch site name to use repo name instead

* chore: switch to using variable for file name

* chore: standardise the response codes for non-happy paths

* fix: add additional sanity checks for comments-related features

* tests: add remaining integration tests for review requests

* fix: add methods to generate router for default values

* chore: rename test to be more reflective of its purpose

* fix: add missing return and await when updating database

* chore: add comment on the need for Table.sync

* fix(collaborators): add required middleware (#586)

* fix(collaborators): add required middleware

* chore(review): add missing await

* tests: add unit tests for review requests routes (#582)

* feat(rr): blob diffs (#575)

* feat(review): add service methods to get raw blob from gh

* feat(review): add route to retrieve blob diff

* chore(review): add comment for head refs at present

* fix(review): update types, fix header and remove extra await

* Feat/notifications tests (#514)

* Feat: add notificationService tests

* Test: add Notification router tests

* Test: add integration test for notifications

* Fix: notification tests to work with new behaviour

* Chore: swap constants to SCREAMING_SNAKE_CASE

* Chore: fix test description

* Chore: add comments

* Chore: modify test names

* Fix: cleanup tables between tests

* Feat/generic notification creation (#523)

* Feat: move notifications router to authenticated subrouter

* Feat: modify create notification arguments

* Feat: add notification middleware to handle edit notifications

* Fix: allow next on routeHandler

* Feat: add creatnotification middleware to authenticatesSitesRouter

* Chore: add notification types

* Feat: add notification changes when reviews are modified

* Fix: swap order of subrouters

* Fix: review request router dependencies

* Fix: time period for updating notification

* Fix: updating createdAt

* Fix: tests

* Chore: swap to promise.all

* fix: rebase errors

* Fix: add jsdoc

* Feat: add link to notificationHandler

* Fix: swap to promise.all and add links

* fix(review): fixed triggering event for request approved notif

* chore(notifications.spec): added correct ports

* Fix: update message on update notification

* Fix: notification integration tests

* Feat: add generic notification handler tests (#572)

* Feat: add generic notification handler tests

* Fix: router initialisation and cleanup

* fix: update github actions to use runInBand

* Fix: update tests

* Fix: reset database tables before integration tests

* Chore: modify imports

* Nit: test comment spelling

Co-authored-by: Kishore <[email protected]>

* Nit: comments and change var names

Co-authored-by: Kishore <[email protected]>

Co-authored-by: seaerchin <[email protected]>
Co-authored-by: Kishore <[email protected]>

* Vapt: merge back to tracking (#647)

* fix(notificationonedithandler): add check for email user

* fix(review.ts): update routes access control (#589)

* fix: prevent caching of backend API resp (#616)

* fix: sanitize file content (#591)

* feat: sanitize content via markdown utils

* deps: use isomorphic-dompurify instead

removes the need to declare a virtual DOM in node

* feat: add sanitizedYaml helpers

* feat: use sanitizedYaml helpers in codebase

* test: add tests for sanitizedYaml helpers

* chore: fix silly line break issues

* test: add tests for markdown sanitization utils

* fix: add express import that was removed

by accident

* chore: specify return types in yaml helpers

* fix: make sanitizeYamlParse return type more specific

* fix: hide contactNumber (#584)

* Fix: query for site through repo (#630)

* Fix/make login response indistinguishable (#624)

* feat: add extra logging for mail failure

* fix: always return 200 when attempting to retrieve otp

* chore: update logging for sms

* Fix: use logger.error

* feat: Added virus scan functionality for file upload (VAPT finding) (#631)

* feat: Added virus scan functionality for file/image upload using Cloudmersive API

* Fixed lint and naming convention issue

* uncomment the medianameChecks lines

* Addressed PR comments: added more info/error logging and consistent message

* Addressed PR comments: added check for Cloudmersive API key, corrected variable naming convention

* Removed unused declaration of schema

* auto-formatted by prettier and fixed formatting issue

* chore: fix formatting on package-lock

---------

Co-authored-by: Alexander Lee <[email protected]>

* Feat/swap jwt to session (#619)

* Chore: install new dependencies

* Chore: add migration

* Feat: add session middleware

* feat: replace jwt with session

* feat: update middleware

* feat: update auth routes

* chore: update method names

* Fix: tests

* chore: update .env-example

* chore: rename session middleware

* fix: use lodash isempty

* fix: .env-example

* chore: add logging to login and logout endpoints

* Fix: remove log on logout

Cookie may no longer exist

* fix: tests

* chore: fix rebase errors

* Feat/otp mechanism (#636)

* feat: adding bcrypt as dependency

* feat!: adding otp table and migration

* feat: logic complete for otp service

* test: fix auth service tests

* fix: user service tests

* feat: fix tests and improve checks

* fix: package-lock version formatting

* feat: adding env vars to example

* fix: remove console log

* fix: adding env vars to .env.test

* fix: parsed env vars with check

* fix: simplify find logic

* fix: remove unnecessary null check

* fix: throw instead of return

* test: adding more tests for otp mechanism

* test: add more cases, improve existing cases

* feat: simplify methods without enums

* fix: auth service otp tests

* Feat/throttling (#641)

* build(package): install rate limiting package

* feat(auth): add new rate limiter service and use it in auth router

* test(auth.spec): add skeleton for test cases for auth

* test(auth.spec): add tests for rate limiting

* refactor(ratelimiter.spec): shift to own test file

* chore(server): add trust proxy to our rate limiter

* refactor(ratelimiter): read from env var

* chore(auth.spec): remove unused import

* test(sitesservice.spec): update where condition

* fix(mediafileservice): revert api; fixed tests

* Chore: remove temp ip endpoint

* Fix: remove set number of max hops

* Fix: remove unused import

* chore: remove comment

* chore: change 1 to true

---------

Co-authored-by: seaerchin <[email protected]>

* feat: add gitguardian hook and update readme (#642)

* chore: use trust proxy

* feat: add gitguardian hook and readme

* fix: remove pre-commit config

* fix: fix nits

* fix: add ggshield cache files to gitignore

* feat: use env for gitguardian

* chore: update readme and env example

---------

Co-authored-by: Alexander Lee <[email protected]>

* fix: wrong constant name used in test (#645)

---------

Co-authored-by: seaerchin <[email protected]>
Co-authored-by: seaerchin <[email protected]>
Co-authored-by: Preston Lim <[email protected]>
Co-authored-by: Qilu Xie <[email protected]>
Co-authored-by: Harish <[email protected]>
Co-authored-by: Harish <[email protected]>

* Fix: rebase errors

* Fix: error message for review request

* Fix: tests

* feat: use convict for env vars (#646)

* feat: add convict as dependency

* feat: config wip

* feat: add convict schema with defaults and validation

* feat: add config alias and update dependencies

* feat: replace process.env with config.get (wip)

* fix: use import over require

* feat: wip to use config

* feat: add cloudmersive key as env

* feat: wip to use config

* feat: update config properties

* feat: update imports and use config

* chore: update env.test and imports

* chore: standardise env

* chore: remove dotenv

* chore: format eslintrc

* fix: rename convict format and env enums

* chore: remove DOMAIN_WHITELIST from env

* chore: revert trust proxy change

* fix: cookie domain to be enums

* feat: update to use config

* fix: remove checks for env in logic

* fix: make gitGuardian optional env

* feat: add staging as option for node env

* chore(app): chagne to import syntax

* fix: remove string coercing for env key

* chore: remove check for undefine site create form key env

* chore: update package-lock

---------

Co-authored-by: seaerchin <[email protected]>

* fix: make default empty strings (#658)

* Fix/convict fixes (#660)

* fix: make site launch vars optional, remove redundant ones

* fix: remove duplicate express-session in package json

* Chore/change node env of local dev to expect dev (#659)

* chore: update references to node_env

* Fix: remove .toLowerCase when retrieving config

* Chore: add vapt to accepted application environments

* Refactor: use isSecure

* chore: replace IS_LOCAL_DEV with IS_DEV

* Fix: change isSecure to variable instead of func (#664)

* Fix/convict fixes (#663)

* fix: update database config to use process.env

* feat: strengthen validation for number check

* fix: add try-catch to convict validate to prevent hard failure on deployment

* fix: rename to use whole number

* fix: console log convict err

* fix: update check for whole to natural number

* fix: rename back to positive number

* fix: add radix param

* chore(package-lock): installed using old npm

---------

Co-authored-by: Alexander Lee <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Snyk bot <[email protected]>
Co-authored-by: Hsu Zhong Jun <[email protected]>
Co-authored-by: Preston Lim <[email protected]>
Co-authored-by: Kishore <[email protected]>
Co-authored-by: Qilu Xie <[email protected]>
Co-authored-by: Harish <[email protected]>
Co-authored-by: Harish <[email protected]>

* 0.18.0

---------

Co-authored-by: Alexander Lee <[email protected]>
Co-authored-by: Kishore <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Snyk bot <[email protected]>
Co-authored-by: Hsu Zhong Jun <[email protected]>
Co-authored-by: Preston Lim <[email protected]>
Co-authored-by: Qilu Xie <[email protected]>
Co-authored-by: Harish <[email protected]>
Co-authored-by: Harish <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants