Have an endpoint to ensure that resumes are not publicly readable and only readable by sponsors with access and the uploader of the resumes.

May include other features with perks for roles among other things.

Now that resume uploading works, we need to save the file path to the user object.

This involves modifying the user.js model in models/
Modifying the app.post('register-mymlh') to save the path to the user object

Would you be a able to move Camelot to its own repo and archive since it doesn’t have anything to do with lcs/is a separate stand alone project?

Our use of bcrypt.gensalt is too slow by default. We need to find a number that tunes it just right: fewer rounds = less secure, more rounds = too much time.

handle all the day-of event updates through a separate endpoint.

May be use the misc bucket to validate the events.

• use sls to make a new api gateway
• repoint dev to the new gateway
• verify with test
• db cleanup/decide to reeuse
• repoint prod

lcs currently considers [email protected] to be a different email from [email protected] so users have to remember the exact capitalization they used at signup in order to be able to login again.

In authorize.py, ln 214, in change_password function,

if len(list(tests.find({"role":{"hacker":True}}))) >= 500:
        return {"statusCode":403, "body":"Event capacity reached."}

I'm not sure how it makes sense for users to not be able to change passwords when there are 500 users or more. It doesn't sound like FAD.

The MLH callback takes in a redir parameter that is a URL. If this URL itself has query parameters, they are parsed incorrectly in that the code parameter passed to MLH if considered

It seems like you're double checking hashed passwords? But why? There's no need to make an extra DB query to make sure this works.

# check if the hash is correct - this is double-checking
    checkhash  = tests.find_one({"email":email})

We need to check if the folder for dumping resumes exists in the first place. The path for the location is built using
path.join(__dirname + '/../resumes/' + config.SemesterID)

We could check that it exists before executing the callback(line 16) in multer.js and create the directories if they don't exist already.

EDIT: change path

in some cases the body's status code will disagree with the actual responses status code. for example if the update is malformed. also when testing if a hacker can check themselves into an event the error format completely changes (potentially it is getting handled by pymongo). There was no status code in the body and the response code was 200. the body was {errorMessage: '$set' is empty. You must specify a field like so: {$set: {<field>: ...}}, errorType: WriteError, stackTrace: [[/var/task/schemas.py, 17, wrapt, return config.add_cors_headers(fn(event, context, *extras))], [/var/task/schemas.py, 46, wrapt, return fn(event, context, results, *args)], [/var/task/validate.py, 246, update, tests.update_one({'email': event['user_email']}, updates)], [/var/task/pymongo/collection.py, 975, update_one, session=session),], [/var/task/pymongo/collection.py, 835, _update_retryable, _update, session)], [/var/task/pymongo/mongo_client.py, 1099, _retryable_write, return self._retry_with_session(retryable, func, s, None)], [/var/task/pymongo/mongo_client.py, 1076, _retry_with_session, return func(session, sock_info, retryable)], [/var/task/pymongo/collection.py, 831, _update, retryable_write=retryable_write)], [/var/task/pymongo/collection.py, 797, _update, _check_write_command_response(result)], [/var/task/pymongo/helpers.py, 208, _check_write_command_response, _raise_last_write_error(write_errors)], [/var/task/pymongo/helpers.py, 190, _raise_last_write_error, raise WriteError(error.get("errmsg"), error.get("code"), error)]]}
this may have been caused by realizing a hacker shouldn't be able to check them self in for an event and deleteing that update, thus leaving an empty update object.

Here are some thoughts on cleaning up this repo for easier development.

1. folders for different files
2. a makefile with all the deploy (and testing) scripts

The folders would be as follows:

• CRUD (for read, authorize, validate, and update)
• user-free (for dayof-slack, dayof-events, and qr)
• user-extra (for magic links and emailing)

There might be some python importing troubles, but we'll iron those out. Config should probably live next to the directories, at the project root.

The makefile would make using the above and the deploy script way more convenient.

This might lead to a re-organization of the code, which would be nice since there is some copy-pasting too.

Thoughts?

partially a config issue. do some refactoring while we're there

this requires more investigation but it may be posible to use the slack api to link them to a dm channel. this could be super useful for team builder or helpq so we can quickly get hackers/mentors in communication

once completed Make a frontend issue

In authorize.py, ln 205, change_password function,
return config.add_cors_headers({"statusCode":200, "body":"invalid password"})
If an invalid password was given, shouldn't this be a 400 level response?

Outdated venv info + #20 details fixed.

for login, the result winds up getting serialized as a string and put in some aws payload. this results in users having to reach in the json payload and json.parse something inside it.

curl https://m7cwj1fy7c.execute-api.us-west-2.amazonaws.com/mlhtest/dayof-events
returns
{"statusCode": 400, "body": "Unable to get events.", "headers": {"Access-Control-Allow-Origin": ["*"], "Access-Control-Allow-Headers": ["Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token"], "Access-Control-Allow-Credentials": [true]}}
did the calendar api credentials change or something?
we need this to finish the app

REEEEEEEEEEEEE

also, lcs test should include travel reimbursement tests

Add a field for people to request how much they want to be reimbursed

Steps to reproduce:
curl -X POST https://<LCS URL>/mlhtest/authorize -H "Content-Type: application/json" --data '{"email":"<VALID EMAIL>","password":"<INCORRECT PASS>"}'
Actual behavior:
the error response is "invalid email,hash combo"
Expected behavior:
as implied by lcs documentation if you give lcs a valid user with the wrong password it should return "wrong password" as the error.

related question:
the documentation also says that lcs could potentially give the error "Please use MLH to login". will this cause issues for user's returning to the hackathon who previously used mlh accounts to login? will they have to re-register? should we drop all of the pre-exisitng mlh accounts before sign up to avoid issues?

In multer.js, we need to write a fileFilter to make sure we're getting files we want. Not too sure how we might go about checking.

Maybe checking MIMEtypes are the way to go. I have a list of formats I'm okay with taking in in config/config.example.js.

Example of how fileFilter works in multer

Though sparkpost is invoked, the error cases are not handled. This should be altered for a well-functioning system.

Currently, a mismatch between emailsTo's length and numLinks can cause an out of bounds array access. This should be remedied. A simple fix would be just accepting an emailsTo parameter with the number of links inferred from the length.

last time I checked it was broken. not sure why.
this is needed by teambuilder.
also make sure it gives the expiration of the token

https://wiki.python.org/moin/Md5Passwords#Security

MD5 is not secure enough, use bcrypt or similar instead. ALSO please remember to salt the passwords. In its current state, you aren't salting passwords at all.

email = event['email']
pass_ = event['password']
pass_ = hashlib.md5(pass_.encode('utf-8') ).hexdigest() 

This probably happens when the same user tries to submit an "attending" POST request to /comfirm-status

The dayof-slack endpoint caches the slack messages, clearing the database every 10 mintues to update the cache of all the messages.

This is dysfunctional. Why it does not function needs to be investigated too.

We need a means to update travel reimbursement information with estimates.

The current formula is as follows:

• If car: 0.12 * number of miles
• If bus: use wanderu to estimate reimbursement
• If train: use amtrak to estimate reimbursement
• Else (basically plane): $60 cap will probably hit

If the amount is above $60, just drop it to $60.

We can config our endpoints to work this way: if an MLH user tries to normal login, we return a redirect to the correct MLH URL, with the incoming URL as the redirect URL (once #18 is fixed) and then we don't have to have frontends with support for both types of login by force.

(Instead, they 100% have to support the token in the URL trash.)

the example says to use the plain text password but in the possible responses it says you can get an invalid password hash combo
https://github.com/HackRU/lcs/wiki/LCS-API-Endpoints

When API calls return an error, would like a more uniform style in messages for better UI handling.

Could status codes also be grouped by applicable situation? e.g. 403 for an invalid field for all endpoints, 400 for a missing field for all endpoints, etc.

There appears to be some sort of clustering already, so this may be easy change.

In lieu of #29 and #22 ... we should watch out for some things in updates.

Namely, fields can be removed by skilled enough frontend users.

Also, the travel field is open to anything... that should change.

When asking for a password change with a magic link, does lcs check if the email used is the one that originally generated the magic link?

Could someone potentially apply for a magic link on their own email and then manipulate the password of someone else's email? I was able to do it with my own email and a test user.

Match QRs from authentication to day-of QRs and handle all the day-of event updates through a separate endpoint.

May be use the misc bucket to validate the events.

It looks like theres an API key and a compiled version of a config file. These should be in a .gitignore file.

Need someone to test if the Confirmation system properly moves people off of it if someone else selects "Not Attending"

Steps to complete:

• Set config.capacity = 1 and config.waitlistCapacity = 1
• Create 2 users
• Have both users register and confirm attendance, this should make one user be confirmed and the other user on waitlist.
• Have the confirmed user select "Not Attending"
• Check to see if waitlisted user has been moved off of the Waitlist

Full response body is unexpected behavior

 {"errorType": "DataOverflowError", "stackTrace": [["/var/task/qru.py", 19, "email2qr", "pilImg = qrcode.make(email)"], ["/var/task/qrcode/main.py", 11, "make", "return qr.make_image()"], ["/var/task/qrcode/main.py", 263, "make_image", "self.make()"], ["/var/task/qrcode/main.py", 78, "make", "self.best_fit(start=self.version)"], ["/var/task/qrcode/main.py", 147, "best_fit", "raise exceptions.DataOverflowError()"]]}

Consider https://www.gerritcodereview.com/ for the code coverage and testing.

Travis CI should be able to hook in.

this allows us to encode whatever extra meta data we want like email and expiration. this reduces the amount of information clients hand to lcs, and gives clients more info on login. it also allows other backends to verify that a token is valid since jwt's can be public key signed.

in the case of magic links this can also let us pass the email to the client.

Aggregation can lead to a lot of shooting oneself in the foot. This should not be accessible through the API as it is a bit too advanced.

At the very least, the allowed aggregations should be validated to ensure the integrity of the database.

On the backend:

We will now just display an amount based on the mileage. If they've traveled x miles, then they get up to x amount. This is for car mileage only.

For trains & buses --> $59.99 for everyone....

The "budget limiter" that scales down all reimbursements to not exceed a $1,500 budget limit, needs to be available. We'll see if we use it based on applications.... (update, directors meeting 9/23, this is not needed)

the budget limter component from the old code is going to be removed. now if its train or bus it will just assign "up to" $59.99 and if they are coming by car, it will use google maps to find the distance and then assign whatever amount based on the above table

Otherwise, N/A

it is "checkIn" when the user is created by events has it as "check-in".

The poor slack documentation has declared that the workspace tokens we're using are going to die as of October. https://api.slack.com/docs/working-with-workspace-tokens

We need to find a free way to just read the messages on a channel for the slack endpoint.

setup the lcs codebase to use aws sam, or serverless framework (with python plugin).
one of the primary objectives is to move to the more flexible lambda-proxy integration.

new approach to #86

its pretty easy for clients to grab a lib and generate a qr code themselves so this isn't strictly needed.

• remove in source
• remove in api gateway
• remove in lambda
• redeploy