Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Added virus scan functionality for file upload (VAPT finding) #631

Merged
merged 8 commits into from
Feb 24, 2023

Conversation

QiluXie
Copy link
Contributor

@QiluXie QiluXie commented Feb 16, 2023

Problem

Fixed the VAPT finding - 03: Unrestricted File Upload (Medium)

Solution

Implemented virus scan feature when user uploads file or image using the cloudmersive API - API reference

Breaking Changes

  • Yes - this PR contains breaking changes
  • No - this PR is backwards compatible

Tests

Currently due to another issue that adds an extra dot to the file name of newly uploaded file, the file uploading feature is not working in VAPT branch. The issues is addressed in a separate PR in the frontend codebase.
To test this PR, please comment out the lines of media name check (line 23 & line 112) as a temporary measure as shown in the following screenshot.
Screenshot 2023-02-16 at 4 38 18 PM
Screenshot 2023-02-16 at 4 38 27 PM

New environment variables:

  • CM_API_KEY : API Key for calling Cloudmersive API

New dependencies:

  • cloudmersive-virus-api-client : cloudmersive client sdk

Copy link
Contributor

@seaerchin seaerchin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

some comments! sidenote, i think the formatter might be broken for you because comments should automatically have a space after the double slash (//) so do take note of that

.env-example Outdated Show resolved Hide resolved
src/utils/file-upload-utils.js Outdated Show resolved Hide resolved
src/utils/file-upload-utils.js Outdated Show resolved Hide resolved
@QiluXie
Copy link
Contributor Author

QiluXie commented Feb 17, 2023

@seaerchin thanks for all your comments, very helpful! I fixed some of them in a new commit and provided explanation to the rest, please take a look and let me know. Thanks!

@QiluXie QiluXie requested a review from seaerchin February 17, 2023 03:33
src/utils/file-upload-utils.js Outdated Show resolved Hide resolved
src/utils/file-upload-utils.js Outdated Show resolved Hide resolved
src/utils/file-upload-utils.js Outdated Show resolved Hide resolved
src/utils/file-upload-utils.js Outdated Show resolved Hide resolved
src/utils/file-upload-utils.js Outdated Show resolved Hide resolved
src/utils/file-upload-utils.js Outdated Show resolved Hide resolved
Copy link
Contributor

@alexanderleegs alexanderleegs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we also keep the lockfile version at 1 for now? Otherwise it'll be difficult to resolve the merge into dev later

@QiluXie
Copy link
Contributor Author

QiluXie commented Feb 20, 2023

Could we also keep the lockfile version at 1 for now? Otherwise it'll be difficult to resolve the merge into dev later

@alexanderleegs downgraded the lockfile version to 1 in package-lock.json in fe67cac

@QiluXie QiluXie requested a review from seaerchin February 20, 2023 09:34
@QiluXie
Copy link
Contributor Author

QiluXie commented Feb 22, 2023

@seaerchin @harishv7 @alexanderleegs @kishore03109 All the current comments are addressed. Please help to approve the PR if there's no additional comment. Thanks!

@alexanderleegs
Copy link
Contributor

Could we also keep the lockfile version at 1 for now? Otherwise it'll be difficult to resolve the merge into dev later

@alexanderleegs downgraded the lockfile version to 1 in package-lock.json in fe67cac

actually i think we might need to do a reinstall with a lower node version because the formatting changes will be annoying to resolve later - for some reason it seems like npm i takes the system default version of node rather than the one specified by nvm, I had to explicitly use which npm to find the path of the node 14 installation and use that path explicitly to install instead (<PATH> install)

Hopefully all of this is resolved once we upgrade our node version!

@alexanderleegs alexanderleegs merged commit 94a9daf into vapt Feb 24, 2023
@mergify mergify bot deleted the feat/file-virus-scan branch February 24, 2023 06:02
alexanderleegs added a commit that referenced this pull request Mar 7, 2023
…631)

* feat: Added virus scan functionality for file/image upload using Cloudmersive API

* Fixed lint and naming convention issue

* uncomment the medianameChecks lines

* Addressed PR comments: added more info/error logging and consistent message

* Addressed PR comments: added check for Cloudmersive API key, corrected variable naming convention

* Removed unused declaration of schema

* auto-formatted by prettier and fixed formatting issue

* chore: fix formatting on package-lock

---------

Co-authored-by: Alexander Lee <[email protected]>
alexanderleegs added a commit that referenced this pull request Mar 7, 2023
* fix(notificationonedithandler): add check for email user

* fix(review.ts): update routes access control (#589)

* fix: prevent caching of backend API resp (#616)

* fix: sanitize file content (#591)

* feat: sanitize content via markdown utils

* deps: use isomorphic-dompurify instead

removes the need to declare a virtual DOM in node

* feat: add sanitizedYaml helpers

* feat: use sanitizedYaml helpers in codebase

* test: add tests for sanitizedYaml helpers

* chore: fix silly line break issues

* test: add tests for markdown sanitization utils

* fix: add express import that was removed

by accident

* chore: specify return types in yaml helpers

* fix: make sanitizeYamlParse return type more specific

* fix: hide contactNumber (#584)

* Fix: query for site through repo (#630)

* Fix/make login response indistinguishable (#624)

* feat: add extra logging for mail failure

* fix: always return 200 when attempting to retrieve otp

* chore: update logging for sms

* Fix: use logger.error

* feat: Added virus scan functionality for file upload (VAPT finding) (#631)

* feat: Added virus scan functionality for file/image upload using Cloudmersive API

* Fixed lint and naming convention issue

* uncomment the medianameChecks lines

* Addressed PR comments: added more info/error logging and consistent message

* Addressed PR comments: added check for Cloudmersive API key, corrected variable naming convention

* Removed unused declaration of schema

* auto-formatted by prettier and fixed formatting issue

* chore: fix formatting on package-lock

---------

Co-authored-by: Alexander Lee <[email protected]>

* Feat/swap jwt to session (#619)

* Chore: install new dependencies

* Chore: add migration

* Feat: add session middleware

* feat: replace jwt with session

* feat: update middleware

* feat: update auth routes

* chore: update method names

* Fix: tests

* chore: update .env-example

* chore: rename session middleware

* fix: use lodash isempty

* fix: .env-example

* chore: add logging to login and logout endpoints

* Fix: remove log on logout

Cookie may no longer exist

* fix: tests

* chore: fix rebase errors

* Feat/otp mechanism (#636)

* feat: adding bcrypt as dependency

* feat!: adding otp table and migration

* feat: logic complete for otp service

* test: fix auth service tests

* fix: user service tests

* feat: fix tests and improve checks

* fix: package-lock version formatting

* feat: adding env vars to example

* fix: remove console log

* fix: adding env vars to .env.test

* fix: parsed env vars with check

* fix: simplify find logic

* fix: remove unnecessary null check

* fix: throw instead of return

* test: adding more tests for otp mechanism

* test: add more cases, improve existing cases

* feat: simplify methods without enums

* fix: auth service otp tests

* Feat/throttling (#641)

* build(package): install rate limiting package

* feat(auth): add new rate limiter service and use it in auth router

* test(auth.spec): add skeleton for test cases for auth

* test(auth.spec): add tests for rate limiting

* refactor(ratelimiter.spec): shift to own test file

* chore(server): add trust proxy to our rate limiter

* refactor(ratelimiter): read from env var

* chore(auth.spec): remove unused import

* test(sitesservice.spec): update where condition

* fix(mediafileservice): revert api; fixed tests

* Chore: remove temp ip endpoint

* Fix: remove set number of max hops

* Fix: remove unused import

* chore: remove comment

* chore: change 1 to true

---------

Co-authored-by: seaerchin <[email protected]>

* feat: add gitguardian hook and update readme (#642)

* chore: use trust proxy

* feat: add gitguardian hook and readme

* fix: remove pre-commit config

* fix: fix nits

* fix: add ggshield cache files to gitignore

* feat: use env for gitguardian

* chore: update readme and env example

---------

Co-authored-by: Alexander Lee <[email protected]>

* fix: wrong constant name used in test (#645)

---------

Co-authored-by: seaerchin <[email protected]>
Co-authored-by: seaerchin <[email protected]>
Co-authored-by: Preston Lim <[email protected]>
Co-authored-by: Qilu Xie <[email protected]>
Co-authored-by: Harish <[email protected]>
Co-authored-by: Harish <[email protected]>
alexanderleegs added a commit that referenced this pull request Mar 8, 2023
* fix(notificationonedithandler): add check for email user

* fix(review.ts): update routes access control (#589)

* fix: prevent caching of backend API resp (#616)

* fix: sanitize file content (#591)

* feat: sanitize content via markdown utils

* deps: use isomorphic-dompurify instead

removes the need to declare a virtual DOM in node

* feat: add sanitizedYaml helpers

* feat: use sanitizedYaml helpers in codebase

* test: add tests for sanitizedYaml helpers

* chore: fix silly line break issues

* test: add tests for markdown sanitization utils

* fix: add express import that was removed

by accident

* chore: specify return types in yaml helpers

* fix: make sanitizeYamlParse return type more specific

* fix: hide contactNumber (#584)

* Fix: query for site through repo (#630)

* Fix/make login response indistinguishable (#624)

* feat: add extra logging for mail failure

* fix: always return 200 when attempting to retrieve otp

* chore: update logging for sms

* Fix: use logger.error

* feat: Added virus scan functionality for file upload (VAPT finding) (#631)

* feat: Added virus scan functionality for file/image upload using Cloudmersive API

* Fixed lint and naming convention issue

* uncomment the medianameChecks lines

* Addressed PR comments: added more info/error logging and consistent message

* Addressed PR comments: added check for Cloudmersive API key, corrected variable naming convention

* Removed unused declaration of schema

* auto-formatted by prettier and fixed formatting issue

* chore: fix formatting on package-lock

---------

Co-authored-by: Alexander Lee <[email protected]>

* Feat/swap jwt to session (#619)

* Chore: install new dependencies

* Chore: add migration

* Feat: add session middleware

* feat: replace jwt with session

* feat: update middleware

* feat: update auth routes

* chore: update method names

* Fix: tests

* chore: update .env-example

* chore: rename session middleware

* fix: use lodash isempty

* fix: .env-example

* chore: add logging to login and logout endpoints

* Fix: remove log on logout

Cookie may no longer exist

* fix: tests

* chore: fix rebase errors

* Feat/otp mechanism (#636)

* feat: adding bcrypt as dependency

* feat!: adding otp table and migration

* feat: logic complete for otp service

* test: fix auth service tests

* fix: user service tests

* feat: fix tests and improve checks

* fix: package-lock version formatting

* feat: adding env vars to example

* fix: remove console log

* fix: adding env vars to .env.test

* fix: parsed env vars with check

* fix: simplify find logic

* fix: remove unnecessary null check

* fix: throw instead of return

* test: adding more tests for otp mechanism

* test: add more cases, improve existing cases

* feat: simplify methods without enums

* fix: auth service otp tests

* Feat/throttling (#641)

* build(package): install rate limiting package

* feat(auth): add new rate limiter service and use it in auth router

* test(auth.spec): add skeleton for test cases for auth

* test(auth.spec): add tests for rate limiting

* refactor(ratelimiter.spec): shift to own test file

* chore(server): add trust proxy to our rate limiter

* refactor(ratelimiter): read from env var

* chore(auth.spec): remove unused import

* test(sitesservice.spec): update where condition

* fix(mediafileservice): revert api; fixed tests

* Chore: remove temp ip endpoint

* Fix: remove set number of max hops

* Fix: remove unused import

* chore: remove comment

* chore: change 1 to true

---------

Co-authored-by: seaerchin <[email protected]>

* feat: add gitguardian hook and update readme (#642)

* chore: use trust proxy

* feat: add gitguardian hook and readme

* fix: remove pre-commit config

* fix: fix nits

* fix: add ggshield cache files to gitignore

* feat: use env for gitguardian

* chore: update readme and env example

---------

Co-authored-by: Alexander Lee <[email protected]>

* fix: wrong constant name used in test (#645)

---------

Co-authored-by: seaerchin <[email protected]>
Co-authored-by: seaerchin <[email protected]>
Co-authored-by: Preston Lim <[email protected]>
Co-authored-by: Qilu Xie <[email protected]>
Co-authored-by: Harish <[email protected]>
Co-authored-by: Harish <[email protected]>
alexanderleegs added a commit that referenced this pull request Mar 16, 2023
* fix(notificationonedithandler): add check for email user

* fix(review.ts): update routes access control (#589)

* fix: prevent caching of backend API resp (#616)

* fix: sanitize file content (#591)

* feat: sanitize content via markdown utils

* deps: use isomorphic-dompurify instead

removes the need to declare a virtual DOM in node

* feat: add sanitizedYaml helpers

* feat: use sanitizedYaml helpers in codebase

* test: add tests for sanitizedYaml helpers

* chore: fix silly line break issues

* test: add tests for markdown sanitization utils

* fix: add express import that was removed

by accident

* chore: specify return types in yaml helpers

* fix: make sanitizeYamlParse return type more specific

* fix: hide contactNumber (#584)

* Fix: query for site through repo (#630)

* Fix/make login response indistinguishable (#624)

* feat: add extra logging for mail failure

* fix: always return 200 when attempting to retrieve otp

* chore: update logging for sms

* Fix: use logger.error

* feat: Added virus scan functionality for file upload (VAPT finding) (#631)

* feat: Added virus scan functionality for file/image upload using Cloudmersive API

* Fixed lint and naming convention issue

* uncomment the medianameChecks lines

* Addressed PR comments: added more info/error logging and consistent message

* Addressed PR comments: added check for Cloudmersive API key, corrected variable naming convention

* Removed unused declaration of schema

* auto-formatted by prettier and fixed formatting issue

* chore: fix formatting on package-lock

---------

Co-authored-by: Alexander Lee <[email protected]>

* Feat/swap jwt to session (#619)

* Chore: install new dependencies

* Chore: add migration

* Feat: add session middleware

* feat: replace jwt with session

* feat: update middleware

* feat: update auth routes

* chore: update method names

* Fix: tests

* chore: update .env-example

* chore: rename session middleware

* fix: use lodash isempty

* fix: .env-example

* chore: add logging to login and logout endpoints

* Fix: remove log on logout

Cookie may no longer exist

* fix: tests

* chore: fix rebase errors

* Feat/otp mechanism (#636)

* feat: adding bcrypt as dependency

* feat!: adding otp table and migration

* feat: logic complete for otp service

* test: fix auth service tests

* fix: user service tests

* feat: fix tests and improve checks

* fix: package-lock version formatting

* feat: adding env vars to example

* fix: remove console log

* fix: adding env vars to .env.test

* fix: parsed env vars with check

* fix: simplify find logic

* fix: remove unnecessary null check

* fix: throw instead of return

* test: adding more tests for otp mechanism

* test: add more cases, improve existing cases

* feat: simplify methods without enums

* fix: auth service otp tests

* Feat/throttling (#641)

* build(package): install rate limiting package

* feat(auth): add new rate limiter service and use it in auth router

* test(auth.spec): add skeleton for test cases for auth

* test(auth.spec): add tests for rate limiting

* refactor(ratelimiter.spec): shift to own test file

* chore(server): add trust proxy to our rate limiter

* refactor(ratelimiter): read from env var

* chore(auth.spec): remove unused import

* test(sitesservice.spec): update where condition

* fix(mediafileservice): revert api; fixed tests

* Chore: remove temp ip endpoint

* Fix: remove set number of max hops

* Fix: remove unused import

* chore: remove comment

* chore: change 1 to true

---------

Co-authored-by: seaerchin <[email protected]>

* feat: add gitguardian hook and update readme (#642)

* chore: use trust proxy

* feat: add gitguardian hook and readme

* fix: remove pre-commit config

* fix: fix nits

* fix: add ggshield cache files to gitignore

* feat: use env for gitguardian

* chore: update readme and env example

---------

Co-authored-by: Alexander Lee <[email protected]>

* fix: wrong constant name used in test (#645)

---------

Co-authored-by: seaerchin <[email protected]>
Co-authored-by: seaerchin <[email protected]>
Co-authored-by: Preston Lim <[email protected]>
Co-authored-by: Qilu Xie <[email protected]>
Co-authored-by: Harish <[email protected]>
Co-authored-by: Harish <[email protected]>
seaerchin added a commit that referenced this pull request Mar 30, 2023
* Feat/login flow (#477)

* Feat: add SessionData class

* Refactor: swap out auth middleware to use sessionData

* Refactor: modify sessionData in rollbackRouteHandler

* Feat: update middleware and auth services

* Chore: swap out v1 routes

Using a 1-1 swap here for v1 routes, since these are mostly outdated or due for refactor

* Refactor: swap id used in logger

* Feat: add handler to attach site name to sessionData

* Chore: modify v2 routes and services to use sessionData

* Chore: swap whoamiAuth to verifyJwt and useSiteAccessTokenIfAvailable with checkHasAccess

* Test: add fixtures for new middleware

* Fix: tests

* Fix: allow e2e test user

* Chore: update v1 endpoint

* Fix: migrate auth middle to ts

* Chore: rename to usersessiondata

* Refactor: split sessionData into separate classes

* Chore: replace sessionData

* Chore: replace githubsessiondata

* Chore: add jsdoc for classes

* Chore: update routes and services to pass appropriate sessionData objects

* Fix: tests

* Fix: specify request types

* Chore: remove unnecessary comment

* Fix: simplify getGithubParamsWithSite

* Feat/site member verification for email (#479)

* Feat: add IsomerAdmins database table and migrations

* Feat: add access token via interceptor if missing

* Feat: add isomerAdminsService

* Feat: add hasAccessToSite to usersService

* Feat: shift site membership check to authorizationMiddlewareService

* Chore: replace authMiddleware.checkHasAccess with authorizationMiddleware.checkIsSiteMember

* Chore: migrate authmiddlewareservice to typescript

* Fix: rename auth middleware to authentication middleware

* Fix: move e2e_isomer_id into constants

* Chore: add cookie types

* Fix: more concise check for isSiteMember

* FIx: rebase errors

* Fix: remove unused identityAuthService dependency

* Fix: rename AuthService import as identityAuthService

* Nit: separate type definition

* Feat/email login flow (#480)

* build(deps): bump file-type from 16.5.3 to 16.5.4 (#475)

Bumps [file-type](https://github.com/sindresorhus/file-type) from 16.5.3 to 16.5.4.
- [Release notes](https://github.com/sindresorhus/file-type/releases)
- [Commits](sindresorhus/file-type@v16.5.3...v16.5.4)

---
updated-dependencies:
- dependency-name: file-type
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix: package.json & package-lock.json to reduce vulnerabilities (#476)

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-SEQUELIZE-2959225

* build(deps): bump vm2 from 3.9.5 to 3.9.7 (#350)

Bumps [vm2](https://github.com/patriksimek/vm2) from 3.9.5 to 3.9.7.
- [Release notes](https://github.com/patriksimek/vm2/releases)
- [Changelog](https://github.com/patriksimek/vm2/blob/master/CHANGELOG.md)
- [Commits](patriksimek/vm2@3.9.5...3.9.7)

---
updated-dependencies:
- dependency-name: vm2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Chore: remove site links from description (#482)

* Fix: update resource room (#481)

* 0.10.0

* fix: remove unnecessary update step (#487)

* 0.10.1

* Chore: update commit message to include user id

* Feat: add login and verify endpoints

* Fix: model relations and alias

* Feat: add findSitesByUserId

* Feat: add site retrieval for email and admin users

* Fix: hasAccessToSite

* Fix: update email/mobile by isomer id

* Chore: update error message

* Fix: await check for whitelist

* Chore: add mockSessionData for email login

* Fix: SiteService behaviour for email users with no whitelisted sites

* Test: update sitesservice tests

* Test: add new authservice tests and fix existing tests

* Fix: update user model to allow null in github field

* Fix: update test fixture

* Fix: update user test suite

* Chore: remove unused endpoint

* Fix: rebase errors

* Chore: remove unnecessary message in test

* Chore: remove unnecessary userId field

* Nit: rename variable

* Refactor: shift site retrieval for email users into helper method

* Chore: spacing and remove unused var

* Fix: tests

* Tests: add new authorizationMiddlewareService test

* fix: remove resources_name and add support for url (#490)

* fix: remove resources_name and add support for url

* fix: display url parameter as domain but store with https scheme

* fix: resolve failing tests

* Chore: flip conditional

* Refactor: shift order of getSites to make it easier to understand

* Test: add new auth router tests

* Feat: add integration tests for getSites

* Fix: failing requests for getLastUpdated and getStagingUrl

* Nit: add comment

* Nit: test name and var name

* chore(mocks/axios): remove extra stuff

* test(sites.spec): refactor specs for clarity

* Fix: update settings

* Nit: update comment

* Fix: tests

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Snyk bot <[email protected]>
Co-authored-by: Hsu Zhong Jun <[email protected]>
Co-authored-by: seaerchin <[email protected]>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Snyk bot <[email protected]>
Co-authored-by: Hsu Zhong Jun <[email protected]>
Co-authored-by: seaerchin <[email protected]>

* Fix: e2e bypass of authorization middleware

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Snyk bot <[email protected]>
Co-authored-by: Hsu Zhong Jun <[email protected]>
Co-authored-by: seaerchin <[email protected]>

* feat: collaborators (#510)

* build(devdeps): add lodash types

* fix(model): rectify db model definitions

* refactor: add message param to ForbiddenError

* feat: add CollaboratorsService

* test: add tests for CollaboratorsService

* feat: use CollaboratorService in authorization middleware

* test: add tests for authorization middleware

* feat: add CollaboratorsRouter

* test: add tests for CollaboratorsRouter

* feat(db-migration): change site_members role enum in the database

* feat: modify authzMiddlewareService tests

* fix: error in mock collaborators fixture

* ref(services): migrate SitesService to TypeScript (#512)

* ref(fixtures): convert repoInfo to typescript

* ref(services): migrate SitesService to typescript

* tests: update unit and integration tests for SitesService

* ref(sites): migrate sites router to typescript

* fix: revert back to using SessionData

* fix: remove use of Bluebird and unused getSiteToken function

* fix: use more accurate type

* chore: remove unused variable

* refactor(tests): migrate generic axios instance to __mocks__

* tests: use mockAxios directly instead of preparing an instance

* feat(rr): db migrations (#515)

* chore(infraservice): remove unused prop

* chore(routes/auth): remove unused var

* build(package): add useful command to undo migration

* feat(migrations): add migrations for review requests

fix(db migratino): update property names

* chore(db migration): add migration to add status col to rr

* chore(db migrations): add required columns for seq creation

* feat: introduce a new site info API endpoint (#513)

* ref(fixtures): convert repoInfo to typescript

* ref(services): migrate SitesService to typescript

* tests: update unit and integration tests for SitesService

* ref(sites): migrate sites router to typescript

* fix: revert back to using SessionData

* fix: remove use of Bluebird and unused getSiteToken function

* fix: use more accurate type

* chore: remove unused variable

* refactor(tests): migrate generic axios instance to __mocks__

* feat: introduce function to obtain latest commit details

* feat: add function for obtaining a User by ID

* feat: introduce a new site info API endpoint

* tests: add partial tests for SitesService

* tests: use mockAxios directly instead of preparing an instance

* tests: fix SitesService unit tests to pass

* chore: adjust constants to use SCREAMING_SNAKE_CASE

* fix: add authorizationMiddleware to ensure user is member of site

* chore: combine sessionData unpacking

* fix: insert try-catch to handle errors from JSON.parse

* chore: remove unnecessary check for undefined site

* chore: return instead of throwing NotFoundError

* fix: add assertion to ensure integrity of GitHubCommitData

* fix: remove need for adding site name to sessionData

* refactor: convert routes Sites.spec.js to TypeScript

* refactor: redesign getUrlsOfSite to increase readability

* fix: use correct endpoint to get latest commit data

* test: add unit tests for GitHubService getLatestCommitOfBranch

* fix: add stub for obtaining merge author details

* fix: return a well-formatted response for known exceptions

* test: enhance GitHubService test for all other error statuses

* chore: rename isType function and return boolean directly

* fix: create new siteUrls object instead of changing in-place

* fix: handle case of null or undefined user email

* chore: improve code style

* tests: fix output of getStagingUrl

* feat: add collaborators statistics API endpoint (#520)

* ref(fixtures): convert repoInfo to typescript

* ref(services): migrate SitesService to typescript

* tests: update unit and integration tests for SitesService

* ref(sites): migrate sites router to typescript

* fix: revert back to using SessionData

* fix: remove use of Bluebird and unused getSiteToken function

* fix: use more accurate type

* chore: remove unused variable

* refactor(tests): migrate generic axios instance to __mocks__

* feat: introduce function to obtain latest commit details

* feat: add function for obtaining a User by ID

* feat: introduce a new site info API endpoint

* tests: add partial tests for SitesService

* tests: use mockAxios directly instead of preparing an instance

* tests: fix SitesService unit tests to pass

* chore: adjust constants to use SCREAMING_SNAKE_CASE

* fix: add authorizationMiddleware to ensure user is member of site

* chore: combine sessionData unpacking

* fix: insert try-catch to handle errors from JSON.parse

* chore: remove unnecessary check for undefined site

* chore: return instead of throwing NotFoundError

* fix: add assertion to ensure integrity of GitHubCommitData

* fix: remove need for adding site name to sessionData

* refactor: convert routes Sites.spec.js to TypeScript

* refactor: redesign getUrlsOfSite to increase readability

* feat: add collaborators statistics API endpoint

* test: add unit tests for collaborators statistics

* fix: return 404 instead of throwing an exception

* tests: add test to check for 404 status

* refactor: remove all usages of TokenStore and tests (#533)

* feat(rr): add database models (#518)

* chore(infraservice): remove unused prop

* chore(routes/auth): remove unused var

* build(package): add useful command to undo migration

* feat(migrations): add migrations for review requests

fix(db migratino): update property names

* chore(db migration): add migration to add status col to rr

* chore(db migrations): add required columns for seq creation

* feat(db/models): add new db models for rr

fix(db models): update db models

fix(reviewmeat): update db model

* chore(reviewrequest): update db model for seq

* fix(reviewmeta): add annotation on db model

* chore(reviewrequest.ts): add col to db model

* fix(teardown): add enum dropping for tests teardown

* feat: add new siteUrl API endpoint to get the production URL of site (#535)

* Feat/notifications (#508)

* Feat: add notification database model and update related models

* Chore: add migrations

Also adds id to site_members table for easier reference

* Feat: add notificationService

* Feat: add notificationUtils

* Feat: add notifications router

* Chore: initialise Notifications table and services

* Fix: remove unused imports

* Fix: change behaviour of quick retrieval

Always returns only new notifications now, unless there are none, in which case it returns most recent 6

* Chore: remove unused imports

* Refactor: findAll method

* Chore: add notificationResponse type

* Feat: add created_at sorting criteria

* Fix: notification sorting order

* Chore: add documentation for sort criteria

* Fix: rebase errors

* Fix: rebase errors for tests

* feat(rr): services + routes (#519)

* feat(services): add initial services for rr

* feat(types): add github types

* feat(reviewrequestservice): add features

* chore(review): wip for review routes

* feat(types): add new types

* feat(reviewrequestservice): add impl for computing sha mappings

* feat(usersservice): add nwe method to user service to retrieve site admins

* feat(review): add route for creating review request

* refactor(collaboratorsservice): refactor method api for clarity

* feat(types): add more types

* refactor(collaborators): fix typings and add more steuff to return

* chore(routes): update authenticated routes

* chore(review): refactor to use collaborators service

* refactor(reviewrequestservice): update methods

* chore(server): add init code

* refactor(reviewmeta): updat eto use belongs to

* feat(types): add more types

* feat(requestnotfounderror): add new error type

* feat(review): add methods for listing review requests and retrieval of rr

* refactor(types/dto): update review types

* refactor(rrservice): update enum type

* feat(rrservice): add new method to merge rr

* feat(review): add new route to merge rr

* fix(collaborators): remove erroneous destructuring

* fix(routes/review): add siteId prop

* chore(review dto): add status

* chore(requestrequestservice): remove old comment

* fix(reviewrequestservice): changed some stuff to be optional

* refactor(rr service): split retrieving db/github view into 2 methods

* feat(rr service): add methods to close/approve rr

* refactor(rr service): refactor merge rr method

* chore(collaboratorsservice): remove extra typecasts

* feat(rr): add new endpoint to update rr

* chore(types): minor cleanup

* feat(rr routes): add new routes for close and approve pr

* chore(review): update to userwithsitesesiontoken

* refactor(reviewrequestservice): migrate api calls into own file

* refactor(authenticated): shift review router dpes to init function

* fix(index): fixed faulty init

* refactor(reviewrequestservice): add site to reviewreq object

* fix(review.ts): add explicit bearer token to api call

* refactor(rrservice): refactor to retrieve user from db

* chore(settingsservice): remove extra console log

* chore(github): remove extra `patch` property

* chore(review): add logging

* fix(server): update imports from rebase

* Chore: Update src/routes/v2/authenticated/review.ts

Co-authored-by: Hsu Zhong Jun <[email protected]>

* Chore: Update src/routes/v2/authenticated/review.ts

Co-authored-by: Hsu Zhong Jun <[email protected]>

* feat(rr status): add rr status enum

* chore(rr): update db model

* refactor(rrservice): updat to use enum

* chore(rrservice): fix commennt

* chore(review): update error codes

* chore(usersservice): rename hasAccess to getSiteMember

* chore(usersservice): update method name

* feat(rr): allow updating of admins (#539)

* chore(server): add init code

* chore(dto): removed trailing space on folder name

* refactor(reviewrequestservice): update to remove title/desc from update api

* chore(collaborators): update import

* chore(routes/review): updaterr api

Co-authored-by: Hsu Zhong Jun <[email protected]>

* feat: add model and migration for review_request_views table (#521)

* feat: add model and migration for review_request_views table

* chore: rename migration

* fix: add missing association with ReviewRequest model

* fix: revert adding association in ReviewRequest model

* fix: missing @column for primary and foreign key

* fix: add new database table to sequelize

* feat: add review request views API endpoint and functions (#532)

* feat: add review request views API endpoint and functions

* fix: adjust to use Promise.all to allow concurrent creations

* chore: adjust naming of variable to be more reflective of state

* Expose new API endpoint to update lastViewedAt timestamp

* fix(server): removed extra db assoc

* fix(formsgsitecreation): removed extra prop

* Fix: reviewRequestId instead of reviewId

* fix(server.js): add reviewrequestview init

* feat: add endpoint to mark a review request as viewed (#550)

* feat: add endpoint to mark a review request as viewed

* fix: use upsert for updateReviewRequestLastViewedAt

* Feat/comments (#534)

* Feat: add methods for retrieving comments from github

* Chore: add types

* Feat: add comments methods to reviewRequestService

* Feat: add comments routes

* fix: check for properly formatted comments

* Chore: remove incorrect comments

* Fix: remove error return type

* Fix: add logging if site not found

* Feat: swap use of email in github commit to userid

* Fix: response type

* Fix: rename method and add github comment type

* fix: compute the number of new comments to show (#549)

* fix: compute the number of new comments to show

* chore: adjust naming of variable and structure of code

* chore: split getting number of new comments into 2 lines

Co-authored-by: Hsu Zhong Jun <[email protected]>

* feat(rr): adds be for unapproval of rr (#540)

* feat(rr): delete rr approval

* chore(review): update numbering and logging

* chore(review): update to send rather than empty json

* fix(rrservice): update to use enum

* fix: use review request requestor email for production commit email (#552)

* fix: include full model in order by due to presence of alias (#554)

* fix(server): swap order for auth to avoid nemspace conflicts

* fix(review): allow rr creation by users of the site (#556)

* tests: add remaining tests for identity features in SitesService (#566)

* chore: define more specific constants for source of URLs

* chore: move siteUrls type to repoInfo

* tests: add remaining tests for identity features

* tests: add spy method to check if extractAuthorEmail was called

* chore(collaborators): update typings (#568)

* chore(collaborators): update typings to be accurate

* chore(collaborators): update typings

* tests: add unit tests for ReviewRequestService (#569)

* chore: remove TODO comment as it is already done

* fix: should get the count of unread comments instead

* tests: add ReviewRequestService unit tests

* chore: move tests back to identity services

* chore: remove unused variable

* chore: adjust naming of test to be clearer on the situation

* ref(fixtures): allow generating router for different user types (#574)

* ref(fixtures): allow generating router for different user types

* fix: switch to specifying the siteName directly

* feat: allow adding a default user session

* Fix/reference sitename from repo (#577)

* Fix: use name from Repo instead of Site

* Fix: tests

* Fix: run tests sequentially

* Fix: remove required from includes

* Feat/add middleware for verifying email user (#573)

* Feat: add middleware for email user

* feat: add email verification middleware to collaborators

* tests: add integration tests for review requests and comments (#576)

* fix: force tests to run sequentially

* fix: reset the state of the tables before running the tests

* feat: add fixtures used for review requests

* fix: await results from IdentityService

* tests: add partial integration tests for review requests

* chore: switch site name to use repo name instead

* chore: switch to using variable for file name

* chore: standardise the response codes for non-happy paths

* fix: add additional sanity checks for comments-related features

* tests: add remaining integration tests for review requests

* fix: add methods to generate router for default values

* chore: rename test to be more reflective of its purpose

* fix: add missing return and await when updating database

* chore: add comment on the need for Table.sync

* fix(collaborators): add required middleware (#586)

* fix(collaborators): add required middleware

* chore(review): add missing await

* tests: add unit tests for review requests routes (#582)

* feat(rr): blob diffs (#575)

* feat(review): add service methods to get raw blob from gh

* feat(review): add route to retrieve blob diff

* chore(review): add comment for head refs at present

* fix(review): update types, fix header and remove extra await

* Feat/notifications tests (#514)

* Feat: add notificationService tests

* Test: add Notification router tests

* Test: add integration test for notifications

* Fix: notification tests to work with new behaviour

* Chore: swap constants to SCREAMING_SNAKE_CASE

* Chore: fix test description

* Chore: add comments

* Chore: modify test names

* Fix: cleanup tables between tests

* Feat/generic notification creation (#523)

* Feat: move notifications router to authenticated subrouter

* Feat: modify create notification arguments

* Feat: add notification middleware to handle edit notifications

* Fix: allow next on routeHandler

* Feat: add creatnotification middleware to authenticatesSitesRouter

* Chore: add notification types

* Feat: add notification changes when reviews are modified

* Fix: swap order of subrouters

* Fix: review request router dependencies

* Fix: time period for updating notification

* Fix: updating createdAt

* Fix: tests

* Chore: swap to promise.all

* fix: rebase errors

* Fix: add jsdoc

* Feat: add link to notificationHandler

* Fix: swap to promise.all and add links

* fix(review): fixed triggering event for request approved notif

* chore(notifications.spec): added correct ports

* Fix: update message on update notification

* Fix: notification integration tests

* Feat: add generic notification handler tests (#572)

* Feat: add generic notification handler tests

* Fix: router initialisation and cleanup

* fix: update github actions to use runInBand

* Fix: update tests

* Fix: reset database tables before integration tests

* Chore: modify imports

* Nit: test comment spelling

Co-authored-by: Kishore <[email protected]>

* Nit: comments and change var names

Co-authored-by: Kishore <[email protected]>

Co-authored-by: seaerchin <[email protected]>
Co-authored-by: Kishore <[email protected]>

* Vapt: merge back to tracking (#647)

* fix(notificationonedithandler): add check for email user

* fix(review.ts): update routes access control (#589)

* fix: prevent caching of backend API resp (#616)

* fix: sanitize file content (#591)

* feat: sanitize content via markdown utils

* deps: use isomorphic-dompurify instead

removes the need to declare a virtual DOM in node

* feat: add sanitizedYaml helpers

* feat: use sanitizedYaml helpers in codebase

* test: add tests for sanitizedYaml helpers

* chore: fix silly line break issues

* test: add tests for markdown sanitization utils

* fix: add express import that was removed

by accident

* chore: specify return types in yaml helpers

* fix: make sanitizeYamlParse return type more specific

* fix: hide contactNumber (#584)

* Fix: query for site through repo (#630)

* Fix/make login response indistinguishable (#624)

* feat: add extra logging for mail failure

* fix: always return 200 when attempting to retrieve otp

* chore: update logging for sms

* Fix: use logger.error

* feat: Added virus scan functionality for file upload (VAPT finding) (#631)

* feat: Added virus scan functionality for file/image upload using Cloudmersive API

* Fixed lint and naming convention issue

* uncomment the medianameChecks lines

* Addressed PR comments: added more info/error logging and consistent message

* Addressed PR comments: added check for Cloudmersive API key, corrected variable naming convention

* Removed unused declaration of schema

* auto-formatted by prettier and fixed formatting issue

* chore: fix formatting on package-lock

---------

Co-authored-by: Alexander Lee <[email protected]>

* Feat/swap jwt to session (#619)

* Chore: install new dependencies

* Chore: add migration

* Feat: add session middleware

* feat: replace jwt with session

* feat: update middleware

* feat: update auth routes

* chore: update method names

* Fix: tests

* chore: update .env-example

* chore: rename session middleware

* fix: use lodash isempty

* fix: .env-example

* chore: add logging to login and logout endpoints

* Fix: remove log on logout

Cookie may no longer exist

* fix: tests

* chore: fix rebase errors

* Feat/otp mechanism (#636)

* feat: adding bcrypt as dependency

* feat!: adding otp table and migration

* feat: logic complete for otp service

* test: fix auth service tests

* fix: user service tests

* feat: fix tests and improve checks

* fix: package-lock version formatting

* feat: adding env vars to example

* fix: remove console log

* fix: adding env vars to .env.test

* fix: parsed env vars with check

* fix: simplify find logic

* fix: remove unnecessary null check

* fix: throw instead of return

* test: adding more tests for otp mechanism

* test: add more cases, improve existing cases

* feat: simplify methods without enums

* fix: auth service otp tests

* Feat/throttling (#641)

* build(package): install rate limiting package

* feat(auth): add new rate limiter service and use it in auth router

* test(auth.spec): add skeleton for test cases for auth

* test(auth.spec): add tests for rate limiting

* refactor(ratelimiter.spec): shift to own test file

* chore(server): add trust proxy to our rate limiter

* refactor(ratelimiter): read from env var

* chore(auth.spec): remove unused import

* test(sitesservice.spec): update where condition

* fix(mediafileservice): revert api; fixed tests

* Chore: remove temp ip endpoint

* Fix: remove set number of max hops

* Fix: remove unused import

* chore: remove comment

* chore: change 1 to true

---------

Co-authored-by: seaerchin <[email protected]>

* feat: add gitguardian hook and update readme (#642)

* chore: use trust proxy

* feat: add gitguardian hook and readme

* fix: remove pre-commit config

* fix: fix nits

* fix: add ggshield cache files to gitignore

* feat: use env for gitguardian

* chore: update readme and env example

---------

Co-authored-by: Alexander Lee <[email protected]>

* fix: wrong constant name used in test (#645)

---------

Co-authored-by: seaerchin <[email protected]>
Co-authored-by: seaerchin <[email protected]>
Co-authored-by: Preston Lim <[email protected]>
Co-authored-by: Qilu Xie <[email protected]>
Co-authored-by: Harish <[email protected]>
Co-authored-by: Harish <[email protected]>

* Fix: rebase errors

* Fix: error message for review request

* Fix: tests

* feat: use convict for env vars (#646)

* feat: add convict as dependency

* feat: config wip

* feat: add convict schema with defaults and validation

* feat: add config alias and update dependencies

* feat: replace process.env with config.get (wip)

* fix: use import over require

* feat: wip to use config

* feat: add cloudmersive key as env

* feat: wip to use config

* feat: update config properties

* feat: update imports and use config

* chore: update env.test and imports

* chore: standardise env

* chore: remove dotenv

* chore: format eslintrc

* fix: rename convict format and env enums

* chore: remove DOMAIN_WHITELIST from env

* chore: revert trust proxy change

* fix: cookie domain to be enums

* feat: update to use config

* fix: remove checks for env in logic

* fix: make gitGuardian optional env

* feat: add staging as option for node env

* chore(app): chagne to import syntax

* fix: remove string coercing for env key

* chore: remove check for undefine site create form key env

* chore: update package-lock

---------

Co-authored-by: seaerchin <[email protected]>

* fix: make default empty strings (#658)

* Fix/convict fixes (#660)

* fix: make site launch vars optional, remove redundant ones

* fix: remove duplicate express-session in package json

* Chore/change node env of local dev to expect dev (#659)

* chore: update references to node_env

* Fix: remove .toLowerCase when retrieving config

* Chore: add vapt to accepted application environments

* Refactor: use isSecure

* chore: replace IS_LOCAL_DEV with IS_DEV

* Fix: change isSecure to variable instead of func (#664)

* Fix/convict fixes (#663)

* fix: update database config to use process.env

* feat: strengthen validation for number check

* fix: add try-catch to convict validate to prevent hard failure on deployment

* fix: rename to use whole number

* fix: console log convict err

* fix: update check for whole to natural number

* fix: rename back to positive number

* fix: add radix param

* chore(package-lock): installed using old npm

---------

Co-authored-by: Alexander Lee <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Snyk bot <[email protected]>
Co-authored-by: Hsu Zhong Jun <[email protected]>
Co-authored-by: Preston Lim <[email protected]>
Co-authored-by: Kishore <[email protected]>
Co-authored-by: Qilu Xie <[email protected]>
Co-authored-by: Harish <[email protected]>
Co-authored-by: Harish <[email protected]>
harishv7 added a commit that referenced this pull request Mar 30, 2023
* Chore(Site launch microservices):managing cloud environments (#657)

* chore(serverless): remove offline packages

+ more meaningful naming for clarity

* chore(deps): add deps + add in commands for cloud development

* chore(readme): update readme

* chore(docker compose): remove local emulation of lambdas (#666)

we no longer use local stack

* feat(identity): phase 2  (#509)

* Feat/login flow (#477)

* Feat: add SessionData class

* Refactor: swap out auth middleware to use sessionData

* Refactor: modify sessionData in rollbackRouteHandler

* Feat: update middleware and auth services

* Chore: swap out v1 routes

Using a 1-1 swap here for v1 routes, since these are mostly outdated or due for refactor

* Refactor: swap id used in logger

* Feat: add handler to attach site name to sessionData

* Chore: modify v2 routes and services to use sessionData

* Chore: swap whoamiAuth to verifyJwt and useSiteAccessTokenIfAvailable with checkHasAccess

* Test: add fixtures for new middleware

* Fix: tests

* Fix: allow e2e test user

* Chore: update v1 endpoint

* Fix: migrate auth middle to ts

* Chore: rename to usersessiondata

* Refactor: split sessionData into separate classes

* Chore: replace sessionData

* Chore: replace githubsessiondata

* Chore: add jsdoc for classes

* Chore: update routes and services to pass appropriate sessionData objects

* Fix: tests

* Fix: specify request types

* Chore: remove unnecessary comment

* Fix: simplify getGithubParamsWithSite

* Feat/site member verification for email (#479)

* Feat: add IsomerAdmins database table and migrations

* Feat: add access token via interceptor if missing

* Feat: add isomerAdminsService

* Feat: add hasAccessToSite to usersService

* Feat: shift site membership check to authorizationMiddlewareService

* Chore: replace authMiddleware.checkHasAccess with authorizationMiddleware.checkIsSiteMember

* Chore: migrate authmiddlewareservice to typescript

* Fix: rename auth middleware to authentication middleware

* Fix: move e2e_isomer_id into constants

* Chore: add cookie types

* Fix: more concise check for isSiteMember

* FIx: rebase errors

* Fix: remove unused identityAuthService dependency

* Fix: rename AuthService import as identityAuthService

* Nit: separate type definition

* Feat/email login flow (#480)

* build(deps): bump file-type from 16.5.3 to 16.5.4 (#475)

Bumps [file-type](https://github.com/sindresorhus/file-type) from 16.5.3 to 16.5.4.
- [Release notes](https://github.com/sindresorhus/file-type/releases)
- [Commits](sindresorhus/file-type@v16.5.3...v16.5.4)

---
updated-dependencies:
- dependency-name: file-type
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix: package.json & package-lock.json to reduce vulnerabilities (#476)

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-SEQUELIZE-2959225

* build(deps): bump vm2 from 3.9.5 to 3.9.7 (#350)

Bumps [vm2](https://github.com/patriksimek/vm2) from 3.9.5 to 3.9.7.
- [Release notes](https://github.com/patriksimek/vm2/releases)
- [Changelog](https://github.com/patriksimek/vm2/blob/master/CHANGELOG.md)
- [Commits](patriksimek/vm2@3.9.5...3.9.7)

---
updated-dependencies:
- dependency-name: vm2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Chore: remove site links from description (#482)

* Fix: update resource room (#481)

* 0.10.0

* fix: remove unnecessary update step (#487)

* 0.10.1

* Chore: update commit message to include user id

* Feat: add login and verify endpoints

* Fix: model relations and alias

* Feat: add findSitesByUserId

* Feat: add site retrieval for email and admin users

* Fix: hasAccessToSite

* Fix: update email/mobile by isomer id

* Chore: update error message

* Fix: await check for whitelist

* Chore: add mockSessionData for email login

* Fix: SiteService behaviour for email users with no whitelisted sites

* Test: update sitesservice tests

* Test: add new authservice tests and fix existing tests

* Fix: update user model to allow null in github field

* Fix: update test fixture

* Fix: update user test suite

* Chore: remove unused endpoint

* Fix: rebase errors

* Chore: remove unnecessary message in test

* Chore: remove unnecessary userId field

* Nit: rename variable

* Refactor: shift site retrieval for email users into helper method

* Chore: spacing and remove unused var

* Fix: tests

* Tests: add new authorizationMiddlewareService test

* fix: remove resources_name and add support for url (#490)

* fix: remove resources_name and add support for url

* fix: display url parameter as domain but store with https scheme

* fix: resolve failing tests

* Chore: flip conditional

* Refactor: shift order of getSites to make it easier to understand

* Test: add new auth router tests

* Feat: add integration tests for getSites

* Fix: failing requests for getLastUpdated and getStagingUrl

* Nit: add comment

* Nit: test name and var name

* chore(mocks/axios): remove extra stuff

* test(sites.spec): refactor specs for clarity

* Fix: update settings

* Nit: update comment

* Fix: tests

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Snyk bot <[email protected]>
Co-authored-by: Hsu Zhong Jun <[email protected]>
Co-authored-by: seaerchin <[email protected]>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Snyk bot <[email protected]>
Co-authored-by: Hsu Zhong Jun <[email protected]>
Co-authored-by: seaerchin <[email protected]>

* Fix: e2e bypass of authorization middleware

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Snyk bot <[email protected]>
Co-authored-by: Hsu Zhong Jun <[email protected]>
Co-authored-by: seaerchin <[email protected]>

* feat: collaborators (#510)

* build(devdeps): add lodash types

* fix(model): rectify db model definitions

* refactor: add message param to ForbiddenError

* feat: add CollaboratorsService

* test: add tests for CollaboratorsService

* feat: use CollaboratorService in authorization middleware

* test: add tests for authorization middleware

* feat: add CollaboratorsRouter

* test: add tests for CollaboratorsRouter

* feat(db-migration): change site_members role enum in the database

* feat: modify authzMiddlewareService tests

* fix: error in mock collaborators fixture

* ref(services): migrate SitesService to TypeScript (#512)

* ref(fixtures): convert repoInfo to typescript

* ref(services): migrate SitesService to typescript

* tests: update unit and integration tests for SitesService

* ref(sites): migrate sites router to typescript

* fix: revert back to using SessionData

* fix: remove use of Bluebird and unused getSiteToken function

* fix: use more accurate type

* chore: remove unused variable

* refactor(tests): migrate generic axios instance to __mocks__

* tests: use mockAxios directly instead of preparing an instance

* feat(rr): db migrations (#515)

* chore(infraservice): remove unused prop

* chore(routes/auth): remove unused var

* build(package): add useful command to undo migration

* feat(migrations): add migrations for review requests

fix(db migratino): update property names

* chore(db migration): add migration to add status col to rr

* chore(db migrations): add required columns for seq creation

* feat: introduce a new site info API endpoint (#513)

* ref(fixtures): convert repoInfo to typescript

* ref(services): migrate SitesService to typescript

* tests: update unit and integration tests for SitesService

* ref(sites): migrate sites router to typescript

* fix: revert back to using SessionData

* fix: remove use of Bluebird and unused getSiteToken function

* fix: use more accurate type

* chore: remove unused variable

* refactor(tests): migrate generic axios instance to __mocks__

* feat: introduce function to obtain latest commit details

* feat: add function for obtaining a User by ID

* feat: introduce a new site info API endpoint

* tests: add partial tests for SitesService

* tests: use mockAxios directly instead of preparing an instance

* tests: fix SitesService unit tests to pass

* chore: adjust constants to use SCREAMING_SNAKE_CASE

* fix: add authorizationMiddleware to ensure user is member of site

* chore: combine sessionData unpacking

* fix: insert try-catch to handle errors from JSON.parse

* chore: remove unnecessary check for undefined site

* chore: return instead of throwing NotFoundError

* fix: add assertion to ensure integrity of GitHubCommitData

* fix: remove need for adding site name to sessionData

* refactor: convert routes Sites.spec.js to TypeScript

* refactor: redesign getUrlsOfSite to increase readability

* fix: use correct endpoint to get latest commit data

* test: add unit tests for GitHubService getLatestCommitOfBranch

* fix: add stub for obtaining merge author details

* fix: return a well-formatted response for known exceptions

* test: enhance GitHubService test for all other error statuses

* chore: rename isType function and return boolean directly

* fix: create new siteUrls object instead of changing in-place

* fix: handle case of null or undefined user email

* chore: improve code style

* tests: fix output of getStagingUrl

* feat: add collaborators statistics API endpoint (#520)

* ref(fixtures): convert repoInfo to typescript

* ref(services): migrate SitesService to typescript

* tests: update unit and integration tests for SitesService

* ref(sites): migrate sites router to typescript

* fix: revert back to using SessionData

* fix: remove use of Bluebird and unused getSiteToken function

* fix: use more accurate type

* chore: remove unused variable

* refactor(tests): migrate generic axios instance to __mocks__

* feat: introduce function to obtain latest commit details

* feat: add function for obtaining a User by ID

* feat: introduce a new site info API endpoint

* tests: add partial tests for SitesService

* tests: use mockAxios directly instead of preparing an instance

* tests: fix SitesService unit tests to pass

* chore: adjust constants to use SCREAMING_SNAKE_CASE

* fix: add authorizationMiddleware to ensure user is member of site

* chore: combine sessionData unpacking

* fix: insert try-catch to handle errors from JSON.parse

* chore: remove unnecessary check for undefined site

* chore: return instead of throwing NotFoundError

* fix: add assertion to ensure integrity of GitHubCommitData

* fix: remove need for adding site name to sessionData

* refactor: convert routes Sites.spec.js to TypeScript

* refactor: redesign getUrlsOfSite to increase readability

* feat: add collaborators statistics API endpoint

* test: add unit tests for collaborators statistics

* fix: return 404 instead of throwing an exception

* tests: add test to check for 404 status

* refactor: remove all usages of TokenStore and tests (#533)

* feat(rr): add database models (#518)

* chore(infraservice): remove unused prop

* chore(routes/auth): remove unused var

* build(package): add useful command to undo migration

* feat(migrations): add migrations for review requests

fix(db migratino): update property names

* chore(db migration): add migration to add status col to rr

* chore(db migrations): add required columns for seq creation

* feat(db/models): add new db models for rr

fix(db models): update db models

fix(reviewmeat): update db model

* chore(reviewrequest): update db model for seq

* fix(reviewmeta): add annotation on db model

* chore(reviewrequest.ts): add col to db model

* fix(teardown): add enum dropping for tests teardown

* feat: add new siteUrl API endpoint to get the production URL of site (#535)

* Feat/notifications (#508)

* Feat: add notification database model and update related models

* Chore: add migrations

Also adds id to site_members table for easier reference

* Feat: add notificationService

* Feat: add notificationUtils

* Feat: add notifications router

* Chore: initialise Notifications table and services

* Fix: remove unused imports

* Fix: change behaviour of quick retrieval

Always returns only new notifications now, unless there are none, in which case it returns most recent 6

* Chore: remove unused imports

* Refactor: findAll method

* Chore: add notificationResponse type

* Feat: add created_at sorting criteria

* Fix: notification sorting order

* Chore: add documentation for sort criteria

* Fix: rebase errors

* Fix: rebase errors for tests

* feat(rr): services + routes (#519)

* feat(services): add initial services for rr

* feat(types): add github types

* feat(reviewrequestservice): add features

* chore(review): wip for review routes

* feat(types): add new types

* feat(reviewrequestservice): add impl for computing sha mappings

* feat(usersservice): add nwe method to user service to retrieve site admins

* feat(review): add route for creating review request

* refactor(collaboratorsservice): refactor method api for clarity

* feat(types): add more types

* refactor(collaborators): fix typings and add more steuff to return

* chore(routes): update authenticated routes

* chore(review): refactor to use collaborators service

* refactor(reviewrequestservice): update methods

* chore(server): add init code

* refactor(reviewmeta): updat eto use belongs to

* feat(types): add more types

* feat(requestnotfounderror): add new error type

* feat(review): add methods for listing review requests and retrieval of rr

* refactor(types/dto): update review types

* refactor(rrservice): update enum type

* feat(rrservice): add new method to merge rr

* feat(review): add new route to merge rr

* fix(collaborators): remove erroneous destructuring

* fix(routes/review): add siteId prop

* chore(review dto): add status

* chore(requestrequestservice): remove old comment

* fix(reviewrequestservice): changed some stuff to be optional

* refactor(rr service): split retrieving db/github view into 2 methods

* feat(rr service): add methods to close/approve rr

* refactor(rr service): refactor merge rr method

* chore(collaboratorsservice): remove extra typecasts

* feat(rr): add new endpoint to update rr

* chore(types): minor cleanup

* feat(rr routes): add new routes for close and approve pr

* chore(review): update to userwithsitesesiontoken

* refactor(reviewrequestservice): migrate api calls into own file

* refactor(authenticated): shift review router dpes to init function

* fix(index): fixed faulty init

* refactor(reviewrequestservice): add site to reviewreq object

* fix(review.ts): add explicit bearer token to api call

* refactor(rrservice): refactor to retrieve user from db

* chore(settingsservice): remove extra console log

* chore(github): remove extra `patch` property

* chore(review): add logging

* fix(server): update imports from rebase

* Chore: Update src/routes/v2/authenticated/review.ts

Co-authored-by: Hsu Zhong Jun <[email protected]>

* Chore: Update src/routes/v2/authenticated/review.ts

Co-authored-by: Hsu Zhong Jun <[email protected]>

* feat(rr status): add rr status enum

* chore(rr): update db model

* refactor(rrservice): updat to use enum

* chore(rrservice): fix commennt

* chore(review): update error codes

* chore(usersservice): rename hasAccess to getSiteMember

* chore(usersservice): update method name

* feat(rr): allow updating of admins (#539)

* chore(server): add init code

* chore(dto): removed trailing space on folder name

* refactor(reviewrequestservice): update to remove title/desc from update api

* chore(collaborators): update import

* chore(routes/review): updaterr api

Co-authored-by: Hsu Zhong Jun <[email protected]>

* feat: add model and migration for review_request_views table (#521)

* feat: add model and migration for review_request_views table

* chore: rename migration

* fix: add missing association with ReviewRequest model

* fix: revert adding association in ReviewRequest model

* fix: missing @column for primary and foreign key

* fix: add new database table to sequelize

* feat: add review request views API endpoint and functions (#532)

* feat: add review request views API endpoint and functions

* fix: adjust to use Promise.all to allow concurrent creations

* chore: adjust naming of variable to be more reflective of state

* Expose new API endpoint to update lastViewedAt timestamp

* fix(server): removed extra db assoc

* fix(formsgsitecreation): removed extra prop

* Fix: reviewRequestId instead of reviewId

* fix(server.js): add reviewrequestview init

* feat: add endpoint to mark a review request as viewed (#550)

* feat: add endpoint to mark a review request as viewed

* fix: use upsert for updateReviewRequestLastViewedAt

* Feat/comments (#534)

* Feat: add methods for retrieving comments from github

* Chore: add types

* Feat: add comments methods to reviewRequestService

* Feat: add comments routes

* fix: check for properly formatted comments

* Chore: remove incorrect comments

* Fix: remove error return type

* Fix: add logging if site not found

* Feat: swap use of email in github commit to userid

* Fix: response type

* Fix: rename method and add github comment type

* fix: compute the number of new comments to show (#549)

* fix: compute the number of new comments to show

* chore: adjust naming of variable and structure of code

* chore: split getting number of new comments into 2 lines

Co-authored-by: Hsu Zhong Jun <[email protected]>

* feat(rr): adds be for unapproval of rr (#540)

* feat(rr): delete rr approval

* chore(review): update numbering and logging

* chore(review): update to send rather than empty json

* fix(rrservice): update to use enum

* fix: use review request requestor email for production commit email (#552)

* fix: include full model in order by due to presence of alias (#554)

* fix(server): swap order for auth to avoid nemspace conflicts

* fix(review): allow rr creation by users of the site (#556)

* tests: add remaining tests for identity features in SitesService (#566)

* chore: define more specific constants for source of URLs

* chore: move siteUrls type to repoInfo

* tests: add remaining tests for identity features

* tests: add spy method to check if extractAuthorEmail was called

* chore(collaborators): update typings (#568)

* chore(collaborators): update typings to be accurate

* chore(collaborators): update typings

* tests: add unit tests for ReviewRequestService (#569)

* chore: remove TODO comment as it is already done

* fix: should get the count of unread comments instead

* tests: add ReviewRequestService unit tests

* chore: move tests back to identity services

* chore: remove unused variable

* chore: adjust naming of test to be clearer on the situation

* ref(fixtures): allow generating router for different user types (#574)

* ref(fixtures): allow generating router for different user types

* fix: switch to specifying the siteName directly

* feat: allow adding a default user session

* Fix/reference sitename from repo (#577)

* Fix: use name from Repo instead of Site

* Fix: tests

* Fix: run tests sequentially

* Fix: remove required from includes

* Feat/add middleware for verifying email user (#573)

* Feat: add middleware for email user

* feat: add email verification middleware to collaborators

* tests: add integration tests for review requests and comments (#576)

* fix: force tests to run sequentially

* fix: reset the state of the tables before running the tests

* feat: add fixtures used for review requests

* fix: await results from IdentityService

* tests: add partial integration tests for review requests

* chore: switch site name to use repo name instead

* chore: switch to using variable for file name

* chore: standardise the response codes for non-happy paths

* fix: add additional sanity checks for comments-related features

* tests: add remaining integration tests for review requests

* fix: add methods to generate router for default values

* chore: rename test to be more reflective of its purpose

* fix: add missing return and await when updating database

* chore: add comment on the need for Table.sync

* fix(collaborators): add required middleware (#586)

* fix(collaborators): add required middleware

* chore(review): add missing await

* tests: add unit tests for review requests routes (#582)

* feat(rr): blob diffs (#575)

* feat(review): add service methods to get raw blob from gh

* feat(review): add route to retrieve blob diff

* chore(review): add comment for head refs at present

* fix(review): update types, fix header and remove extra await

* Feat/notifications tests (#514)

* Feat: add notificationService tests

* Test: add Notification router tests

* Test: add integration test for notifications

* Fix: notification tests to work with new behaviour

* Chore: swap constants to SCREAMING_SNAKE_CASE

* Chore: fix test description

* Chore: add comments

* Chore: modify test names

* Fix: cleanup tables between tests

* Feat/generic notification creation (#523)

* Feat: move notifications router to authenticated subrouter

* Feat: modify create notification arguments

* Feat: add notification middleware to handle edit notifications

* Fix: allow next on routeHandler

* Feat: add creatnotification middleware to authenticatesSitesRouter

* Chore: add notification types

* Feat: add notification changes when reviews are modified

* Fix: swap order of subrouters

* Fix: review request router dependencies

* Fix: time period for updating notification

* Fix: updating createdAt

* Fix: tests

* Chore: swap to promise.all

* fix: rebase errors

* Fix: add jsdoc

* Feat: add link to notificationHandler

* Fix: swap to promise.all and add links

* fix(review): fixed triggering event for request approved notif

* chore(notifications.spec): added correct ports

* Fix: update message on update notification

* Fix: notification integration tests

* Feat: add generic notification handler tests (#572)

* Feat: add generic notification handler tests

* Fix: router initialisation and cleanup

* fix: update github actions to use runInBand

* Fix: update tests

* Fix: reset database tables before integration tests

* Chore: modify imports

* Nit: test comment spelling

Co-authored-by: Kishore <[email protected]>

* Nit: comments and change var names

Co-authored-by: Kishore <[email protected]>

Co-authored-by: seaerchin <[email protected]>
Co-authored-by: Kishore <[email protected]>

* Vapt: merge back to tracking (#647)

* fix(notificationonedithandler): add check for email user

* fix(review.ts): update routes access control (#589)

* fix: prevent caching of backend API resp (#616)

* fix: sanitize file content (#591)

* feat: sanitize content via markdown utils

* deps: use isomorphic-dompurify instead

removes the need to declare a virtual DOM in node

* feat: add sanitizedYaml helpers

* feat: use sanitizedYaml helpers in codebase

* test: add tests for sanitizedYaml helpers

* chore: fix silly line break issues

* test: add tests for markdown sanitization utils

* fix: add express import that was removed

by accident

* chore: specify return types in yaml helpers

* fix: make sanitizeYamlParse return type more specific

* fix: hide contactNumber (#584)

* Fix: query for site through repo (#630)

* Fix/make login response indistinguishable (#624)

* feat: add extra logging for mail failure

* fix: always return 200 when attempting to retrieve otp

* chore: update logging for sms

* Fix: use logger.error

* feat: Added virus scan functionality for file upload (VAPT finding) (#631)

* feat: Added virus scan functionality for file/image upload using Cloudmersive API

* Fixed lint and naming convention issue

* uncomment the medianameChecks lines

* Addressed PR comments: added more info/error logging and consistent message

* Addressed PR comments: added check for Cloudmersive API key, corrected variable naming convention

* Removed unused declaration of schema

* auto-formatted by prettier and fixed formatting issue

* chore: fix formatting on package-lock

---------

Co-authored-by: Alexander Lee <[email protected]>

* Feat/swap jwt to session (#619)

* Chore: install new dependencies

* Chore: add migration

* Feat: add session middleware

* feat: replace jwt with session

* feat: update middleware

* feat: update auth routes

* chore: update method names

* Fix: tests

* chore: update .env-example

* chore: rename session middleware

* fix: use lodash isempty

* fix: .env-example

* chore: add logging to login and logout endpoints

* Fix: remove log on logout

Cookie may no longer exist

* fix: tests

* chore: fix rebase errors

* Feat/otp mechanism (#636)

* feat: adding bcrypt as dependency

* feat!: adding otp table and migration

* feat: logic complete for otp service

* test: fix auth service tests

* fix: user service tests

* feat: fix tests and improve checks

* fix: package-lock version formatting

* feat: adding env vars to example

* fix: remove console log

* fix: adding env vars to .env.test

* fix: parsed env vars with check

* fix: simplify find logic

* fix: remove unnecessary null check

* fix: throw instead of return

* test: adding more tests for otp mechanism

* test: add more cases, improve existing cases

* feat: simplify methods without enums

* fix: auth service otp tests

* Feat/throttling (#641)

* build(package): install rate limiting package

* feat(auth): add new rate limiter service and use it in auth router

* test(auth.spec): add skeleton for test cases for auth

* test(auth.spec): add tests for rate limiting

* refactor(ratelimiter.spec): shift to own test file

* chore(server): add trust proxy to our rate limiter

* refactor(ratelimiter): read from env var

* chore(auth.spec): remove unused import

* test(sitesservice.spec): update where condition

* fix(mediafileservice): revert api; fixed tests

* Chore: remove temp ip endpoint

* Fix: remove set number of max hops

* Fix: remove unused import

* chore: remove comment

* chore: change 1 to true

---------

Co-authored-by: seaerchin <[email protected]>

* feat: add gitguardian hook and update readme (#642)

* chore: use trust proxy

* feat: add gitguardian hook and readme

* fix: remove pre-commit config

* fix: fix nits

* fix: add ggshield cache files to gitignore

* feat: use env for gitguardian

* chore: update readme and env example

---------

Co-authored-by: Alexander Lee <[email protected]>

* fix: wrong constant name used in test (#645)

---------

Co-authored-by: seaerchin <[email protected]>
Co-authored-by: seaerchin <[email protected]>
Co-authored-by: Preston Lim <[email protected]>
Co-authored-by: Qilu Xie <[email protected]>
Co-authored-by: Harish <[email protected]>
Co-authored-by: Harish <[email protected]>

* Fix: rebase errors

* Fix: error message for review request

* Fix: tests

* feat: use convict for env vars (#646)

* feat: add convict as dependency

* feat: config wip

* feat: add convict schema with defaults and validation

* feat: add config alias and update dependencies

* feat: replace process.env with config.get (wip)

* fix: use import over require

* feat: wip to use config

* feat: add cloudmersive key as env

* feat: wip to use config

* feat: update config properties

* feat: update imports and use config

* chore: update env.test and imports

* chore: standardise env

* chore: remove dotenv

* chore: format eslintrc

* fix: rename convict format and env enums

* chore: remove DOMAIN_WHITELIST from env

* chore: revert trust proxy change

* fix: cookie domain to be enums

* feat: update to use config

* fix: remove checks for env in logic

* fix: make gitGuardian optional env

* feat: add staging as option for node env

* chore(app): chagne to import syntax

* fix: remove string coercing for env key

* chore: remove check for undefine site create form key env

* chore: update package-lock

---------

Co-authored-by: seaerchin <[email protected]>

* fix: make default empty strings (#658)

* Fix/convict fixes (#660)

* fix: make site launch vars optional, remove redundant ones

* fix: remove duplicate express-session in package json

* Chore/change node env of local dev to expect dev (#659)

* chore: update references to node_env

* Fix: remove .toLowerCase when retrieving config

* Chore: add vapt to accepted application environments

* Refactor: use isSecure

* chore: replace IS_LOCAL_DEV with IS_DEV

* Fix: change isSecure to variable instead of func (#664)

* Fix/convict fixes (#663)

* fix: update database config to use process.env

* feat: strengthen validation for number check

* fix: add try-catch to convict validate to prevent hard failure on deployment

* fix: rename to use whole number

* fix: console log convict err

* fix: update check for whole to natural number

* fix: rename back to positive number

* fix: add radix param

* chore(package-lock): installed using old npm

---------

Co-authored-by: Alexander Lee <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Snyk bot <[email protected]>
Co-authored-by: Hsu Zhong Jun <[email protected]>
Co-authored-by: Preston Lim <[email protected]>
Co-authored-by: Kishore <[email protected]>
Co-authored-by: Qilu Xie <[email protected]>
Co-authored-by: Harish <[email protected]>
Co-authored-by: Harish <[email protected]>

* 0.18.0

---------

Co-authored-by: Alexander Lee <[email protected]>
Co-authored-by: Kishore <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Snyk bot <[email protected]>
Co-authored-by: Hsu Zhong Jun <[email protected]>
Co-authored-by: Preston Lim <[email protected]>
Co-authored-by: Qilu Xie <[email protected]>
Co-authored-by: Harish <[email protected]>
Co-authored-by: Harish <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants