citizenos / citizenos-api
Citizen OS API application - https://api.citizenos.com/
License: Other
Reproduce
Result
Expected
TODO
Enable filtering by:
The need - for example rahvaalgatus.ee wants User to see when and if he/she has voted.
Related tasks:
TODO
NOTE: Verify usage against application logs!
GET /api/users/:userId/groups/:groupId/topics, which is replaced by GET /api/users/:userId/groups/:groupId/members/topics
GET/POST /api/users/:userId/groups/:groupId/members, which is replaced by /api/users/:userId/groups/:groupId/members/users
PUT/DELETE /api/users/:userId/groups/:groupId/members/:userId, which is replaced by /api/users/:userId/groups/:groupId/members/users/:userId
Overview
To ease debugging, a unique ID should be added to each line logged in the request context, no matter how deep in the stack.
The problem is that, Node.JS being async, it is quite difficult to carry the id across context switches. It does not make sense to pass the req object or the id to each function call either.
Possible solutions
Outdated:
TODO
There is a way to report an argument (comment) but not a whole Topic.
TODO
POST /api/topics/:topicId/reports.
POST /api/topics/:topicId/reports to return the moderation URL instantly when reported by a moderator; this will enable instant moderation without sending an e-mail.
GET /api/topics/:topicId/reports/:reportId
POST /api/topics/:topicId/reports/:reportId/moderate.
GET /topics/:topicId, other views need to be addressed separately - #5 (comment)
linkedData usage is funky.
social: config.email.social option?
config.email.linkViewModerationGuidelines. Defaults to https://app.citizenos.com/en/topics/ac8b66a4-ca56-4d02-8406-5e19da73d7ce
LLL Z
Background
In the beginning of time, when I had no idea what I was doing, I wrote the BDOC generation code. Among other things, it streams the zip to disk and then pipes it to the response. Which is an interesting idea; why not just pipe to the response? The file cache just makes maintenance and code more difficult.
TODO
Overview
When a User has voted, the possibility to delegate the vote is disabled. As a User can re-vote n+1 times, maybe it makes sense to enable delegating after voting?
TODO
Make a Wiki post how the citizenos-api versioning works. Also how to upgrade and downgrade.
Parse and store whole title, let client decide what to do.
Related tasks:
TODO
This should respond with something in the order of 4xx.
http https://api.citizenos.com/api/topics limit==400 sourcePartnerId==b563ee8c-ba8e-4cd6-b592-fbcd4e8f22bb "statuses[]==closed" "statuses[]==voting" "statuses[]==discussion"
Seems that a missing 7z executable crashes the app on container download:
Error: spawn 7z ENOENT
at exports._errnoException (util.js:1020:11)
at Process.ChildProcess._handle.onexit (internal/child_process.js:197:32)
at onErrorNT (internal/child_process.js:376:16)
at _combinedTickCallback (internal/process/next_tick.js:80:11)
at process._tickDomainCallback (internal/process/next_tick.js:128:9)
While there is a 7z exe in the bin folder, using it requires remembering to set the PATH before starting the server. Crashing, however, is probably not a good outcome in any situation.
Current situation:
Downloaded topic attachment loses its original name, turns from descriptive to random characters and numbers.
Expected behavior:
Downloaded topic attachment retains its original file name.
Reproduce:
Overview
Voting in general & mobiil-ID voting - GET /api/users/:userId/topics/:topicId/votes/:voteId/status, which is used for polling signature state, creates multiple VoteList lines and is not idempotent, which is bad design.
There are several things questionable about these voting endpoints:
GET should be safe (https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol#Safe_methods) and idempotent (https://en.wikipedia.org/wiki/Idempotence) BUT the GET /status is neither. It adds a User entry on successful signing and also multiple VoteList lines if called several times AFTER success. NOTE: It does NOT affect the vote results.
/status is used for polling the Mobiil-ID signing status. Why not do the polling server-to-server in the background, which would enable the person to close the window after initiating the signing? That would make calling /status optional. Right now it is required to register a vote; if something happens and the polling fails, the vote is never registered.
Events - add support for eventType and createdAt.
New fields:
GET /topics/:topicId - include=events - ideally also provide in what detail you want the event object.
Related tasks:
Overview
Thunderbird/Postbox off the top of my head, but there could/should be others that will not show inline images when their content type is not image/*.
Currently the headers of an attachment are:
Content-Transfer-Encoding: base64
Content-Id: <logo>
Content-Disposition: inline; filename="logo"
Content-Type: application/octet-stream; name="logo"
Research
This one is strange: image/png is sent to Mailgun, but it ends up as application/octet-stream in the e-mail.
POST /gmail.com/messages { from: 'CitizenOs Dev <[email protected]>',
to: [ '[email protected]' ],
subject: 'Activate your CitizenOS account - to: [email protected]',
inline:
[ Attachment {
data: <Buffer 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 ed 00 00 00 2b 08 06 00 00 00 94 fc 0f 26 00 00 00 19 74 45 58 74 53 6f 66 74 77 61 72 65 00 ... >,
filename: 'logo',
contentType: 'image/png',
knownLength: undefined } ],
'o:tag': [ '(dynamic)' ],
'o:tracking': true,
'o:tracking-clicks': true,
'o:tracking-opens': true,
'recipient-variables': {} }
TODO
Overview
Somehow I thought it was a good idea to send e-mails in a "fire and forget" fashion, but that is a bad idea because the User needs feedback on whether the e-mail was sent successfully. Especially password reset, account creation etc.
TODO
As per comments - 7b95c9e#diff-d12ae772f9826d4096efd4221a1874c9R572
Overview
When executing authentication, it is best practice to generate an SPChallenge and validate it on successful authentication - http://sk-eid.github.io/dds-documentation/api/api_docs/#mobileauthenticate.
Related API routes:
POST /api/auth/mobile/init
GET /api/auth/mobile/status
TODO
SPChallenge generation and validation for MID authentication.
SPChallenge. IF there is, make sure it's used.
Migrations introduced new way of creating the DB
Overview
We issue restricted use JWT tokens for very specific authorization:
Problem
The restricted use token format varies quite a bit in the system and creates a significant amount of complexity/confusion/overhead in the code-base. It calls for a rewrite so that we can reuse the issuing and validation code.
What token formats are present, where are they issued?
The token usually contains the JWT standard parts + Citizen OS extras. The variance is in the Citizen OS extras. For example path (string) and paths (Array), where there may or may not be a req.method prefix.
Different path/method formats used, and where each format is used:
path - string - Path, NO request method (GET, POST..) limitation. Example: "path": "/api/users/self/topics/:topicId/votes/:voteId/downloads/bdocs/final"
paths - Array - Array of paths with REST methods (GET, POST...). Example: "paths": ["POST_/api/...", "GET_/api/..."]
sendCommentReport - https://github.com/citizenos/citizenos-api/blob/master/libs/email.js#L570
Proposed solution
Use the JWT audience claim (aud) to specify the scope of use:
aud (was path/paths) - Array - with REST method everywhere. Separated by space instead of "_". For example: "aud": ["GET /api/users/self/topics/:topicId/votes/:voteId/downloads/bdocs/final"]
authTokenRestrictedUse.
I as a User may want to get email notification for specific activities.
I as a User want to set these notifications on global and entity (Topic, Group) level.
For example:
Related tasks:
Overview
In case of a significant number of signatures, the final BDOC generation times out.
25 Oct 2017 15:39:22.5101048 <158>1 2017-10-25T12:39:21.942192+00:00 host heroku router - at=error code=H12 desc="Request timeout" method=GET path="/api/topics/78ba564c-9843-4dc1-8e79-dcad2941537c/votes/6f0ef16d-067c-4034-be36-9ab32dcda9f0/downloads/bdocs/final?token=x&accept=application%2Fx-7z-compressed" host=api.citizenos.com request_id=68252540-6ca7-4466-88ea-1c294c9ea8f3 fwd="x" dyno=web.1 connect=0ms service=30000ms status=503 bytes=0 protocol=https
TODO
Overview
Sometimes Mailgun delivers e-mails too slowly.
It took 8 min from accepting to delivery for the e-mail below:
10/19/16 08:35 AM Delivered: [email protected] → [email protected] 'Rahvaalgatus.ee kasutaja John Smith kutsub Sind kooslooma arutelu/algatust'
10/19/16 08:27 AM Accepted: [email protected] → [email protected] 'Rahvaalgatus.ee kasutaja John Smith kutsub Sind kooslooma arutelu/algatust'
It is way too long for password reset and signup emails.
Reading
TODO
Overview
SHA256's time is over, and a person with access to the Citizen OS database can figure out the actual password with reasonable effort.
TODO
bcrypt OR something else. There is a whitepaper on the subject by RIA - https://www.ria.ee/sites/default/files/content-editors/publikatsioonid/cryptoreport2021.pdf
SHA256 to bcrypt.
bcrypt in the DB. IF allowed, we can e-mail Users that we did it. The solution is the easiest and does not clutter the code.
SHA256, use bcrypt to hash the password and store it to DB. The problem with this solution is that we have to support parallel hashes for a while.
Overview
Our Social Mentions feature currently only shows results from Twitter. This is because FB, Twitter and other social platforms protect their data - there is no or very limited search by hashtag.
I looked into using Google search and found out that if you use the advanced search, we can compile a search that returns results from all major platforms. But we dropped the investigation as the price of Google Search API usage seemed a bit high at the time.
TODO
Overview
We want to raise vote participation by reminding Users that a vote is about to end.
TODO
As a Topic author I would like to know what exact User is a member of a Topic.
For this I need to see the e-mail that was used for the invite.
Problems:
Related issues:
Base64 images in EP documents crash DOCX generation.
How do base64 images end up in EP documents?
Overview
When a Moderator moderates an argument, there is no info about it in the activity feed.
You can read how moderation works in Citizen OS from here - https://github.com/citizenos/citizenos-api/wiki/Content-moderation
TODO
*/activities outputs.
Human readable slug support needed in API because:
API will still use the system ID, but we may need to move to BIGINT id-s from UUID because the "slug+ID" would look really long and awkward.
Related tasks:
Overview
Citizen OS API right now uses e-mail returned by FB and Google from their respective OAuth login APIs as a unique ID from the source and the basis of logging in to Citizen OS.
We assume, that FB and Google are good at verifying e-mails and we can trust the e-mail address. There is no extra verification of the address.
It may make sense to use the Google / FB user ID instead as the unique identifier.
TODO
Overview
When User updates e-mail in the profile, it does not get verified.
PANIC!? I don't think so, but definitely not nice.
What vector does it open up?
Credits
Related code:
TODO
Overview
campaign-mailgun uses the Mailgun API, but Mailgun can be used over SMTP, so it provides no extra value.
Rather, it provides extra problems - the Campaign switches on e-mail tracking which rewrites links in the e-mails.
TODO
campaign-mailgun
Overview
Activity feed shows 1 upvote 3 times.
Reproduce
Result
TODO
Overview
Calling POST /api/users/:userId/topics/:topicId/votes/:voteId logs "Can't set headers after they are sent." on error. There is probably some error in the Promise chain.
NOTE: Does not break functionality, but shows bad coding.
TODO
POST /api/auth/id - Support passing client certificate in the header
The need:
Implementation notes:
X-SSL-Client-Cert header
Background
The way DDSClient subclasses Error results in non-informative errors.
The need
We want DDSClient errors to contain a stack trace and other useful info.
TODO
There are 2 ways:
BONUS POINTS
Reproduce
ab -n 1000 -c 10 "http://citizenos-citizenos-api-prod.herokuapp.com/api/activities"
Result
05 Sep 2018 11:38:47.607226 <190>1 2018-09-05T08:38:46.917613+00:00 host app web.2 - [2018-09-05T08:38:46.912] [ERROR] production - Endpoint GET "/api/activities" failed miserably. Status: undefined Stack: SequelizeDatabaseError: out of memory
05 Sep 2018 11:38:47.60781 <190>1 2018-09-05T08:38:46.903537+00:00 host app web.2 - severity: 'ERROR',
05 Sep 2018 11:38:47.60681 <190>1 2018-09-05T08:38:46.903458+00:00 host app web.2 - severity: 'ERROR',
05 Sep 2018 11:38:47.476123 <132>1 2018-09-05T08:38:46+00:00 host app postgres.2097 - [DATABASE] [135-1] sql_error_code = 53200 ERROR: out of memory
05 Sep 2018 11:38:47.476122 <132>1 2018-09-05T08:38:46+00:00 host app postgres.2088 - [DATABASE] [75-1] sql_error_code = 53200 ERROR: out of memory
05 Sep 2018 11:38:47.273123 <132>1 2018-09-05T08:38:46+00:00 host app postgres.2112 - [DATABASE] [106-1] sql_error_code = 53200 ERROR: out of memor
Reading
Support public note for Topic so that people can insert extra public info.
Tech:
Related tasks:
Hey,
For both security and reproducible installations, please add a npm-shrinkwrap.json file with known-to-be-working dependency versions (generate it with npm shrinkwrap). Having versions in package.json is insufficient as nested dependencies still get upgraded. Having versions in package.json given npm-shrinkwrap.json is then redundant and unnecessary.
Overview
Partners want their own e-mail layouts and texts; the current system is quite bad at that.
Related to:
TODO
Find a better e-mail templating solution taking into account:
Overview
One can configure their own logo for the e-mails (https://github.com/citizenos/citizenos-api/blob/master/config/emails/README.md).
Problem
There is no Citizen OS branding in the e-mail, if a custom logo is used.
Why? To help spread the word of the existence of Citizen OS OSS.
TODO
Overview
Starting 2019 there will be new ID-cards issued by a new company.
It changes the information format returned by the cards.
Reading:
TODO:
Overview
POST /api/auth/password/reset - passwordResetCode never expires and can be used until a new code is generated using POST /api/auth/password/reset/send
TODO:
passwordResetCode to have an expiry (for ex 1hr)
passwordResetCode
Using public and private keys for JWT is a bit overkill right now. One could just configure JWT to use symmetric methods, but app.js explicitly prevents that through https://github.com/citizenos/citizenos-api/blob/master/app.js#L205. I propose that limitation be removed.
Related issue:
Related to:
TODO
governmentNotification.mu is NOT translated and is in ET by default.
grep "e-mail" | grep -c "ERROR" and expect 0, which means the e-mail sending code worked, but I don't check the payloads that were sent. The possible problems that this kind of testing does not catch are wrong language, wrong partner, wrong template, wrong receiver, wrong subject etc.
Overview
Group model has parentId in the model definition which is not used - https://github.com/citizenos/citizenos-api/blob/master/db/models/Group.js#L32
This is probably a copy-paste mishap.
TODO
parentId from Group model - https://github.com/citizenos/citizenos-api/blob/master/db/models/Group.js#L32
Overview
Initial implementation of PUT /topics/:topicId/members/users and PUT /groups/:groupId/members/users just ignores invalid UUIDs and e-mails. The shortcoming of this is that if you insert an invalid e-mail/UUID, you will never know whether the invites actually succeeded.
To provide adequate feedback, the input data should be validated and an error code returned.
TODO
PUT /topics/:topicId/members/users to return HTTP 422 IF any of the userId is an invalid e-mail or UUID. Update tests.
PUT /groups/:groupId/members/users to return HTTP 422 IF any of the userId is an invalid e-mail or UUID. Update tests.
Hey!
Thought I'd open up your GitHub issues page with a question. Once the app's database is initialized (which I believe happened on the first run), how do you handle further database changes? Thanks!