cboard-org / cboard-api Goto Github PK

Bring support to report a public board. Send an email to support with data received from the Front-end

See purchases.subscriptionsv2

We want to provide ability to create a new user by social login. Initially we want to support Facebook.

Mock the email server on test for faster feedback of unit tests

Line

Error: E11000 duplicate key error collection: cboard-api.subscribers index: country_1 dup key: { country: "Not localized" }

Probably we need to deleate the country indexed on mongo production DB, im not really sure about that

Test /location endpoint mocking external request with nock.
Test cases for success and error requests.

I don't have enough knowledge in order to provide details here. Open to suggestions for everyone that wants to collaborate.

we have to implement the models for the new collections to be added for subscriptions

The updateUser route is available to both admin and regular users. However, regular users are able to update any user and any field. This means that they can give themselves the admin role, take away another admin's privileges, change someone's email address, etc. This is a critical issue.

Acceptance criteria

• A non-admin user gets a 403 if they try to update another user.
• We can only update a subset of fields. Additional properties are simply ignored. Currently, the frontend only supports updating name, email, and birthdate.

The schemas for communicators and boards currently use the email field to identify the owner. This is problematic because a user loses access to their communicators and boards if they change their email address. A simple solution would be to update the documents when needed, but it would be preferable to use a stable identifier like the user id.

Suggested approach

• Add a userId field to the Communicator and Board schemas. Migrate existing documents.
• Update the listCommunicators and listBoards routes to only return the caller's communicators and boards. The user id should be taken from the token rather than passed explicitly by the caller. The frontend would need to be updated to use these routes instead of the /byemail versions.
• Update the getCommunicatorsEmail and getBoardsEmail routes to return a 403 if a non-admin user sends the wrong email address. There would be no restriction for admins. Ideally we would only let admins call the routes, but we need to do this so that users with an older version of the app don't have to update.

@martinbedouret Does this make sense?

Hi! I was just looking throughapp.js and noticed the following in it, around line 29:

  //use sessions for tracking logins
  app.use(
    session({
      secret: 'work hard',
      resave: true,
      saveUninitialized: false,
      store: new MongoStore({
        mongooseConnection: db
      })
    })
  );

The session secret is hard-coded to 'work hard'... I'm not sure what the full scope of your user sessions is, but I'm curious if this could lead to any kind of security vulnerabilities. Either way, it might be useful to either change (e.g. by pulling the secret from an environment variable) or document in a comment!

When a subscription is validated, the status attribute on subscriber controller is not beeing updated. The value, that status will have its the same than transaction.subscriptionState

As part of the repo, we need to add test cases under tests/ folder.
The proposal is to use Mocha (https://mochajs.org/) or JEST to handle unit and functional tests bassed in our swagger specification, anyway I'm quite open to using any other framework as shown below:

https://2019.stateofjs.com/testing/

We need to improve the README file in order to give details on how to run and check API.
Need to include POSTman file and write some examples of calls.
Location of Postman collection is:

• cboard-api\test\postman\cboard-api.postman_collection.json

The collection field on response should be an array.
To match succesPayload collection type: https://github.com/j3k0/cordova-plugin-purchase/blob/v13/api/interfaces/CdvPurchase.Validator.Response.SuccessPayload.md#type-declaration

Create a root Mocha file for set up test. Mock nodemailer and Clean dB.
Evaluate the possibility of including it with --require or a config file.
https://mochajs.org/#root-hook-plugins
https://mochajs.org/#global-fixtures
https://mochajs.org/#configuring-mocha-nodejs

We need to do some config updates for deployment on Azure.

The goal is to develop a new suite of unit tests to check the following controller:
cboard-api\api\controllers\user.js
Use the following test suite as an example of what we have to do:
cboard-api\test\controllers\board.js

Check the Readme file to understand how to run the unit tests.
Here you have a tutorial on how to develop nodejs and express unit tests: https://medium.com/@ehtemam/writing-test-with-supertest-and-mocha-for-expressjs-routes-555d2910d2c2

delete the done() callback using async functions.

see line

We want to have following structure for config:

-- config
---- env
--------development.js
--------production.js
--------xxxx.js
---- index.js

Any env value should be available in code by doing:

var config = require('./config');
var value = config.anyConfigValue

And server must be run using the right env variable:

NODE_ENV=production swagger project start

we want GPLv3, same we have for UI

following test suites are currently skipped:

1. test/controllers/analytics.js
2. test/controllers/media.js
3. test/controllers/user.js

Please complete them and be sure they run successfully on circleci: https://app.circleci.com/pipelines/github/cboard-org/cboard-api

See purchases.subscriptionsv2

Get geolocation of users and send it to cboard API.

RESOURCES

based on these Articles:
https://www.softwaretestinghelp.com/best-ip-geolocation-api/
https://stackoverflow.com/a/35123097
Consider the uses of the following resources:

1. https://www.geoplugin.com
   prices to get SSL: https://www.geoplugin.com/webservices/ssl

👍

• Free Acces without a token.
• High precision of city.

👎

• No SSL connection without a paid account

2. https://geolocation-db.com

👍

• Free Acces without a token.
• SSL connection without a paid account

👎

• Low precision of city.

3. https://ipdata.co/
   prices: https://ipdata.co/pricing.html

👍

• 1500 free requests daily with a token. (should be stored on API)
• SSL connection with a free account
• High precision of city.

👎

• is necessary a token that should be stored on our API.

5. https://ip-api.com/
   Commercial use prices https://members.ip-api.com/#pricing

👍

• 1500 free requests daily with a token. (should be stored on API)
• SSL connection with a free account
• High precision of city.

👎

• Non-commercial use for free.
• No SSL connection without a paid account.

When should store data?

-Should store the location when a Cboard user creates a new account.
-In the case that users that already have accounts should evaluate when make the requests.
Consider checking if the location is available at a login moment. Compare if it is available to make the request or not

The deleteBoard route currently allows callers to delete boards owned by another user, even if the caller is not an admin.

Acceptance criteria

• A non-admin user gets a 404 if they try to delete another user's board.
• An admin can delete any board.
• The tests added in #174 are not skipped and are passing.

Remove done Callback on test. istead, use async functions

For subscribers:

• Only registered users can access the API calls.
• DELETE operation is restricted to an admin user.
• Transaction object can be empty when POST a new subscriber.
• Transaction object is POSTed using a dedicated endpoint: https://api.app.cboard.io/subscriber/{id}/transaction

For subscriptions:

• just an admin user can access the API calls.

part of #214

it's possible to change the password of any account only with post an email on user/forgot and using the id of the user on user/store-password

Not only that, when post to /user/forgot endpoint is sending the private token in the response.

Currently API is accesible at https://cboard-api.appspot.com/docs/
We want to use our own domain like https://api.cboard.io/

I did some tries to upload pdf and videos with /media and I get a status 200; @sylvansson