chore: release to test #1327
- feat: rate limiting for logs
- feat: create common mocks
- feat: database env vars instead of conn string
- feat: use redis store as cache in prod env
- fix: remove env specific tf file
- feat: unit test for rate limit
```ts
app.get(`/verify-token`, async (req, res) => {
  try {
    const session = (await authenticate(req.headers)) as Session;
    res.status(200).json(session);
    return session;
  } catch (err) {
    handleError(res, err);
  }
});
```
Check failure: Code scanning / CodeQL: Missing rate limiting (High), authorization

Copilot Autofix AI, 3 months ago:
To fix the problem, we will introduce rate limiting to the route handler that performs authorization. We will use the express-rate-limit package to set up a rate limiter and apply it to the /verify-token route. This will ensure that the number of requests to this route is limited, mitigating the risk of DoS attacks.

- Install the express-rate-limit package if it is not already installed.
- Import the express-rate-limit package in the lambda/app/src/routes.ts file.
- Set up a rate limiter with appropriate configuration (e.g., maximum number of requests per minute).
- Apply the rate limiter to the /verify-token route.
@@ -2,2 +2,3 @@ | ||
import { authenticate } from './authenticate'; | ||
import rateLimit from 'express-rate-limit'; | ||
import { getEvents } from './controllers/events'; | ||
@@ -81,2 +82,8 @@ | ||
|
||
const authRateLimiter = rateLimit({ | ||
windowMs: 15 * 60 * 1000, // 15 minutes | ||
max: 100, // limit each IP to 100 requests per windowMs | ||
message: 'Too many requests from this IP, please try again after 15 minutes' | ||
}); | ||
|
||
const tryJSON = (str) => { | ||
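Review bot: `const authRateLimiter = rateLimit({ windowMs: 15 * 60 * 1000, max: 100, ... })` keys on the client IP with express-rate-limit's default in-memory store, and this file lives under lambda/app, so two things need checking before this suggestion is accepted: behind API Gateway or a load balancer `req.ip` is the proxy's address unless Express is told to trust the forwarded header (`app.set('trust proxy', ...)`), so all clients would share a single 100-request bucket; and a per-process store means every Lambda execution environment counts on its own, so the limit is not enforced across instances. This PR already adds `logsRateLimiter` in ./utils/rate-limiters and a Redis store for the prod environment, so the limiter belongs in that module with the shared store rather than inline here.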
@@ -122,3 +129,3 @@ | ||
|
||
app.get(`/verify-token`, async (req, res) => { | ||
app.get(`/verify-token`, authRateLimiter, async (req, res) => { | ||
try { |
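The limiter the suggestion above configures (express-rate-limit with a 15-minute window and 100 requests per client address), re-implemented here as a small fixed-window middleware so its behaviour can be exercised offline. This is an added example, not the project's or express-rate-limit's own code; the `Req`/`Res` shapes, the `simulate` driver and the optional `store` parameter are assumptions made so it runs without express installed, and it also shows the effect of separate versus shared stores across instances.

```typescript
// Added example, not the project's or express-rate-limit's code: a fixed-window, per-key
// limiter with the windowMs / max semantics of the suggestion, wrapped as Express-style middleware.
type Entry = { hits: number; resetAt: number };
type Store = Map<string, Entry>;
interface LimiterOptions { windowMs: number; max: number; store?: Store }
interface Decision { allowed: boolean; remaining: number; retryAfterSec: number }
// Count one hit for `key` at time `now`; a fresh window starts once the old one has expired.
// One Store is one process: the default MemoryStore behaves the same, so each Lambda execution
// environment keeps its own counters unless a shared store (e.g. Redis) is passed in.
function hit(opts: LimiterOptions, store: Store, key: string, now: number): Decision {
  let entry = store.get(key);
  if (!entry || now >= entry.resetAt) {
    entry = { hits: 0, resetAt: now + opts.windowMs };
    store.set(key, entry);
  }
  entry.hits += 1;
  return { allowed: entry.hits <= opts.max, remaining: Math.max(0, opts.max - entry.hits), retryAfterSec: Math.ceil((entry.resetAt - now) / 1000) };
}
// Minimal request/response shapes (assumed) so the middleware runs without express installed.
interface Req { ip: string; headers: Record<string, string | undefined> }
interface Res { statusCode: number; body?: unknown; setHeader(n: string, v: string): void; status(c: number): Res; json(b: unknown): Res }
function rateLimit(opts: LimiterOptions, clock: () => number = Date.now) {
  const store: Store = opts.store ?? new Map();
  return (req: Req, res: Res, next: () => void): void => {
    // Behind API Gateway / a load balancer the socket address is the proxy's, so key on the first
    // forwarded address when one is present (Express does this via app.set('trust proxy', ...)).
    const fwd = req.headers['x-forwarded-for'];
    const key = (fwd ?? '').split(',')[0]?.trim() || req.ip;
    const d = hit(opts, store, key, clock());
    res.setHeader('RateLimit-Remaining', String(d.remaining));
    if (!d.allowed) {
      res.setHeader('Retry-After', String(d.retryAfterSec));
      res.status(429).json({ message: 'Too many requests from this IP, please try again after 15 minutes' });
      return;
    }
    next();
  };
}
// Drive `n` requests from one address through a limiter; reports how many reached the handler.
function simulate(limiter: ReturnType<typeof rateLimit>, ip: string, n: number): { passed: number; rejected: number } {
  const out = { passed: 0, rejected: 0 };
  for (let i = 0; i < n; i++) {
    const res: Res = { statusCode: 200, setHeader() {}, status(c) { this.statusCode = c; return this; }, json(b) { this.body = b; return this; } };
    limiter({ ip, headers: {} }, res, () => { out.passed++; });
    if (res.statusCode === 429) out.rejected++;
  }
  return out;
}
```

Running `simulate` against two limiters that each own a `new Map()` admits 200 requests from one address, which is exactly what two Lambda instances with the default store would do; passing the same `store` to both enforces the 100-request limit across them.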
```ts
app.get(`/teams/verify`, async (req, res) => {
  try {
    const token = req.query.token;
    if (!token) return res.redirect(`${APP_URL}/verify-user?message=notoken`);
    else {
      const { error, message, userId, teamId } = parseInvitationToken(token);

      if (error) return res.redirect(`${APP_URL}/verify-user?message=${message}`);

      const verified = await verifyTeamMember(userId, teamId);
      if (!verified) return res.redirect(`${APP_URL}/verify-user?message=notfound`);

      return res.redirect(`${APP_URL}/verify-user?message=success&teamId=${teamId}`);
    }
  } catch (err) {
    handleError(res, err);
  }
});
```
Check failure: Code scanning / CodeQL: Missing rate limiting (High), authorization

Copilot Autofix AI, 3 months ago:
To fix the problem, we will introduce a rate-limiting middleware using the express-rate-limit package. This middleware will limit the number of requests to the /teams/verify endpoint to a reasonable number within a specified time window. This will help prevent abuse and potential DoS attacks.

- Install the express-rate-limit package if it is not already installed.
- Import the express-rate-limit package in the lambda/app/src/routes.ts file.
- Define a rate limiter with appropriate settings (e.g., maximum of 100 requests per 15 minutes).
- Apply the rate limiter to the /teams/verify endpoint.
@@ -78,3 +78,8 @@ | ||
import { logsRateLimiter } from './utils/rate-limiters'; | ||
import rateLimit from 'express-rate-limit'; | ||
|
||
const verifyTeamRateLimiter = rateLimit({ | ||
windowMs: 15 * 60 * 1000, // 15 minutes | ||
max: 100, // limit each IP to 100 requests per windowMs | ||
}); | ||
const APP_URL = process.env.APP_URL || ''; | ||
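Review bot: `verifyTeamRateLimiter` is a second inline limiter placed directly under the `import { logsRateLimiter } from './utils/rate-limiters';` line this hunk keeps as context; define it in that module next to `logsRateLimiter` so every limiter shares one store and one configuration. It also omits the `message` option, so rejected clients get express-rate-limit's default plain-text body; since `/teams/verify` is an invitation link whose other failure paths all redirect to `${APP_URL}/verify-user?message=...`, consider the `handler` option to redirect with a matching message on 429 so the user lands on the same page.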
@@ -132,3 +137,3 @@ | ||
|
||
app.get(`/teams/verify`, async (req, res) => { | ||
app.get(`/teams/verify`, verifyTeamRateLimiter, async (req, res) => { | ||
try { |
```ts
  try {
    const { id: teamId, saId } = req.params;
    const result = await getServiceAccountCredentials(req.user.id, teamId, saId);
    res.status(200).json(result);
  } catch (err) {
    handleError(res, err);
  }
});

app.put(`/teams/:id/service-accounts/:saId/credentials`, async (req, res) => {
  try {
    const { id: teamId, saId } = req.params;
    const result = await updateServiceAccountSecret(req.user.id, teamId, saId);
    res.status(200).json(result);
  } catch (err) {
    handleError(res, err);
  }
});

app.delete(`/teams/:id/service-accounts/:saId`, async (req, res) => {
  try {
    const { id: teamId, saId } = req.params;
    const result = await deleteServiceAccount(req.session as Session, req.user.id, teamId, saId);
    res.status(200).json(result);
  } catch (err) {
    handleError(res, err);
  }
});

app.get(`/reports/all-standard-integrations`, async (req, res) => {
  try {
    assertSessionRole(req.session, 'sso-admin');
    const result = await getAllStandardIntegrations();
    res.status(200).json(result);
  } catch (err) {
    handleError(res, err);
  }
});

app.get(`/reports/database-tables`, async (req, res) => {
  try {
    assertSessionRole(req.session, 'sso-admin');
    const result = await getDatabaseTable(req.query.type, req.query.orderBy);
    res.status(200).json(result);
  } catch (err) {
    handleError(res, err);
  }
});

app.get(`/reports/all-bceid-approved-requests-and-events`, async (req, res) => {
  try {
    assertSessionRole(req.session, 'sso-admin');
    const result = await getBceidApprovedRequestsAndEvents();
    res.status(200).json(result);
  } catch (err) {
    handleError(res, err);
  }
});

app.get(`/reports/data-integrity`, async (req, res) => {
  try {
    assertSessionRole(req.session, 'sso-admin');
    const result = await getDataIntegrityReport();
    res.status(200).json(result);
  } catch (err) {
    handleError(res, err);
  }
});

app.get('/bc-services-card/privacy-zones', async (req, res) => {
  try {
    const result = await getPrivacyZones();
    res.status(200).json(result);
  } catch (err) {
    handleError(res, err);
  }
});

app.get('/bc-services-card/claim-types', async (req, res) => {
  try {
    const result = await getAttributes();
    res.status(200).json(result);
  } catch (err) {
    handleError(res, err);
  }
});
```

```ts
  try {
    const user: User = await findOrCreateUser(session);
    user.isAdmin = isAdmin(session);
    session.user = user;
    req.user = user;
    req.session = session;
  } catch (err) {
    handleError(res, err);
    return false;
  }

  if (next) next();
});
```
Check failure: Code scanning / CodeQL: Missing rate limiting (High), authorization

Copilot Autofix AI, 3 months ago:
To fix the problem, we will introduce rate limiting to the route handler that performs authorization. We will use the express-rate-limit package to set up a rate limiter and apply it to the relevant route. This will help prevent denial-of-service attacks by limiting the number of requests that can be made to the authorization endpoint within a specified time window.

- Install the express-rate-limit package if it is not already installed.
- Import the express-rate-limit package in the lambda/app/src/routes.ts file.
- Set up a rate limiter with appropriate configuration (e.g., maximum number of requests per minute).
- Apply the rate limiter to the route handler that performs authorization.
@@ -1,2 +1,3 @@ | ||
import isString from 'lodash.isstring'; | ||
import rateLimit from 'express-rate-limit'; | ||
import { authenticate } from './authenticate'; | ||
@@ -81,2 +82,7 @@ | ||
|
||
const authRateLimiter = rateLimit({ | ||
windowMs: 15 * 60 * 1000, // 15 minutes | ||
max: 100, // limit each IP to 100 requests per windowMs | ||
}); | ||
|
||
const tryJSON = (str) => { | ||
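Review bot: this hunk declares `const authRateLimiter` at the same place in routes.ts (lines 82-87) as the first suggestion's `@@ -81,2 +82,8 @@` hunk, which also declares `const authRateLimiter`; applying both autofixes leaves a duplicate `const` declaration in one module and the file will not compile. Accept a single definition (ideally in ./utils/rate-limiters alongside `logsRateLimiter`) and reuse it wherever a limiter is attached.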
@@ -167,3 +173,3 @@ | ||
|
||
app.use(async (req, res, next) => { | ||
app.use(authRateLimiter, async (req, res, next) => { | ||
const session = (await authenticate(req.headers)) as Session; |
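Review bot: `app.use(authRateLimiter, async (req, res, next) => {` puts the 100-requests-per-15-minutes limit in front of the global session middleware, so it applies to every authenticated API call (the service-account, reports and bc-services-card routes shown above included) rather than to one authorization endpoint, and a legitimate API client will be cut off after 100 calls per window. If a global backstop is wanted, set `max` well above expected client traffic and keep the tighter per-route limiters on the sensitive endpoints; note also that the limiter rejects before `authenticate` runs, so the count is per client address only, never per session or user.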
Terraform Format and Style 🖌

- chore: disable archived approval
- chore: create tests
- chore: fix name
- chore: remove old file
- chore: move the tests

- chore: local cypress record in gh action instead of cy cloud
- test: pipeline test gh pipeline run
- chore: flags remove flags for cy cloud
- chore: flags remove flags for cy cloud
- chore: flags remove flags for cy cloud
- chore: path fix path wildcard settings
- chore: path fix path wildcard settings
- chore: path fix path wildcard settings
- chore: path fix path wildcard settings
- chore: screenshots upload artifacts from cypress in ci
- chore: remove cloud remove cypress cloud in e2e suite

- remove testing push trigger

- feat: log download allow log download from css api
- chore: clearer test remove duplicate test, clarify variable names

- feat: log download allow log download from css api
- chore: clearer test remove duplicate test, clarify variable names
- fix: redis config add redis config for css api
- chore: optional chain add optional chain and nullish coalescer

- update bcsc vars for docker-compose setup

- feat: log download allow log download from css api
- chore: clearer test remove duplicate test, clarify variable names
- fix: redis config add redis config for css api
- chore: optional chain add optional chain and nullish coalescer
- feat: date order check enforce date order in api route

- add information on the service account usernames to json payload

- chore: svc acct username add information on the service account usernames to json payload
- chore: log compress add compression to sso api
- chore: swagger update swagger docs for css api

- chore: notification only send notification if not archived
- chore: test comments remove skips and test comments

- feat: refactored css api to boost load test perf
- feat: fixed unit tests for css api

- chore: inactive user email fix inactive user logic and email messages
- fix: env in email add env to remaining user deletion emails
- chore: email snapshot update email snapshot test
- fix: base url fix syntax on cypress base url in ci
- chore: ci testing e2e tests in ci
- chore: ci testing e2e tests in ci
- chore: ci testing e2e tests in ci
- chore: ci testing e2e tests in ci
- chore: memory limit docker memory for ci pipeline runs
- chore: memory limit docker memory for ci pipeline runs
- chore: debug logs run docker compose with verbose logging
- chore: e2e test run docker compose directly
- chore: e2e test run docker compose directly
- chore: e2e test run docker compose directly
- chore: dockerfile version lock terraform version in docker
- chore: dockerfile version lock terraform version in docker
- chore: dockerfile version lock terraform version in docker
- chore: curl install fix curl install
- chore: revert tests revert gh action testing changes
- chore: cleanup deploy remove unnecessary deploy configs

- chore: backoff limit add a backoff limit to the request queue
- fix: reference error fix incorrect key access
- chore: too many requests msg update error message when rate limiting
- chore: rocketchat message update rc handling and unit test

- fix: sequelize connections ensure to close and reconnect from pool on runs
- fix: connection pool close and reopen connection in request queue
- chore: redundant await remove un-needed await
- chore: sequelize config separate sequelize connection for request queue
- fix: global let move var definition into function
- chore: sonarcloud refactor for sonarcloud warnings
- chore: revert models revert change to other model imports
- chore: connection restore getConnection if overridden by close

- chore: connection limit prevent too many open db connections
- chore: early return remove early return statement
- chore: env indicate environment in rc notification
- chore: msg test fix message in test runs

- feat: service account roles allow api to use the client id as the service account username
- test: css api tests test client id works as a username
- test: unit move k6 to unit tests
- chore: sonarcloud implement sonarcloud recommendations
- chore: swagger docs document service account names in swagger

No description provided.