The admin dashboard page should only be accessible by an authenticated admin user. Write a unit test to verify that the page (and the relevant API endpoints) are secure.

Looking forward for reporting a security issue:
Please report security issues by following our security policy: https://contribute.freecodecamp.org/#/security

To Reproduce
Steps to reproduce the behavior:

1. Go to “Create class” or “Edit Class” page, and change the selections of certifications
2. Click on “Cancel”
3. Go back to the “Create class” or “Edit Class” page and open the drop-down certifications drop-down menu
4. The canceled changes are pre-selected.

Expected behavior
Make sure the Certifications drop-down shows the correct previously saved certifications selections

Right now, here is the flow:

1. the student clicks the "join" link.
2. Student is taken to the Join page on the classroom app.
3. Request to the mock API endpoint which returns the uuid

Ideally, after the student clicks the join link, auth0 redirects to freecodecamp.org. The student gives permissions to share information with the classroom app. Student is redirected to the classroom app.

Edit (Mrugesh):

Every user (student) of freeCodeCamp should opt-in to sharing their data with the Classroom app. It requires some development work on the freeCodeCamp (main) project as well. Here is a list of action items that we want to do:

1. Classroom app gets a verified user from our IdP (which is Auth0) and hands off the request to Classroom's backend API.
2. The backend API checks with freeCodeCamp API if the user has opted-in for sharing data with the Classroom app (more on this later).
3. The freeCodeCamp API can respond with status as the case may be.
4. The Classroom UI app can display a message which is either the user had opted-in already or a link to the settings page on freeCodeCamp where they can check off a box to opt-in.
5. The Classroom UI and Backend can repeat step 2 as many times as needed to confirm when the user has opted-in.

We'll need to complete Issue #56 before we can work on this issue.

Teacher can edit the classroom metadata.

Steps to reproduce the behavior:

1. Create a new classroom. Select at least one topic for the freeCodeCamp curriculum.
2. Go to the edit page for a class
3. Click on the drop down for the classroom topics
4. Note that it does not remember which classes were previously selected.

A lot of our code has references to localhost:3000. In certain places like the .env files it's fine to have this reference but any javascript files should not have localhost:3000 written because in production the port will be different. Any hardcoded links will also not link to correct spot in prod as well.

Anything written like localhost:3000/classes should be changed to /classes

Describe the issue
When running tests, we need to be able to test them independently. Currently, when we are running tests to render a page we need to check if a session exists which is not what the test is for. Because of this, we should make a component for our main content on each page where you don't need to log in to view the content (index, join, etc) since they should all independently be able to render without a session.

To Reproduce
Steps to reproduce the behavior:

1. Go to /pages tests.
2. Delete the mock session inside the test
3. The test will fail due to a lack of a session even though we only want to render some HTML.

Expected behavior
Pages should be able to render correctly regardless of if a session exists or not. Making components should allow us to do this since it gives us greater control over what we can test by making everything independent.

Umbrella issue to track all the user stories for the MVP. Anything in this list should be considered to be build before the first release

• #2
• #3
• #4

As a teacher I should be able to:

• Visit the classroom app and request to sign up.
• Confirm and verify my email, etc.
• Add details to my profile:
  • Name
  • University
  • ...

...

Describe the bug
Currently, if you have an account signed in using Google OAuth and you try to sign in using that same email, but through a different OAuth provider (Github), you are not allowed to sign in despite it being the same email. For ease of use, we want to enable account linking (so long as they are the same email under different Auth providers) for development experience only.

Steps to reproduce:

1. Must build locally (do not use the Gitpod setup)
2. Please use this guide to set up the dev environment locally.
3. Sign in and make an account using the Google provider option
4. Sign out
5. Sign in to the Classroom App again using a different provider option, but make sure it still falls under the auth0 options (for example, Github). The Github account must be associated with the same Gmail address as when you signed in on step 3. (For example, your Gmail used in step 3 is [email protected], and your GitHub account also needs to have the email address:[email protected]

Current Behavior:

• Step 5 fails with an unclear error message: "Cannot verify identity" (I don't remember the exact error message).

Desired Behavior:

• Allow account linking between different providers but only for development experience. If the need arises (through user feedback), we can attempt to implement a much safer option for end-users to also have this experience.

This document also explains how to reproduce

We have two main mock API endpoints:

1. The dashboard gets its data from the /getProfileData endpoint.
2. The join page fetches the student uuid from the /getStudentProfile endpoint

For Rob's mentees/micro-internship, do NOT assign to anyone else
Currently, the alerts we have set in place are vanilla JS alerts that can be seen as less user-friendly/cumbersome.

We want to be able to produce banner alerts or some other alert form that is more modern and sleek but still gets the overarching message across.
Perhaps something like this:

Current alert view:

To reproduce:

• Sign in with a Teacher account
• Go to the classes page
• Create class
• Select different courses from the drop-down menu.

See Mrugesh's comment.

Instead of documenting the correct react version numbers in the README.md, let's pin the versions in the package.json.

Dependabot may be continually updating the package.json with the latest version numbers of all libraries. We may need to somehow disable /modify the behavior of dependabot so that we can pin the version numbers.

Change NextAuth to Auth0 in order to have the same authentication with freeCodeCamp.

We are currently generating error messages in the client-side (for example, see pages/join/[...joinCode].js). Ideally, the server-side logic should generate the error messages and pass the messages along to the client-side (perhaps as an array). The client-side should then check if the server generated any error messages and display the messages accordingly.

Hello,

I was apart of the first integration for a classroom for teachers: https://github.com/freeCodeCamp/classroom-mode-archived and one of the things that blocked us from completing was the fact that we had no way of getting previous attempts. The discussion was with @ojongerius and @QuincyLarson that storing previous attempts was expensive.

I see the goals are still the same. Have we came up with something to achieve that? How are you tracking progress?

Should we create a student-details view for the MVP?

Link to wireframes

We can potentially create some sample data and stub the endpoint until we have the finished FCC endpoint. Currently have mock APIs based on this library:

https://github.com/freeCodeCamp/classroom/tree/main/mock-json-server

Delete our old ones, make new one based on: https://gist.github.com/roberthuskins/04d8c767e1e6a0994440c94c2a00ece8

Readme has instructions on how to run the old ones

Describe the bug
There are two warnings related to the Navbar component:

1. "Warning : Encountered two children with the same key..."
2. "Warning: validateDOMNesting(…) <div> cannot appear as a descendant of <p> ..."

To Reproduce

1. Go to localhost:3000
2. Open the browser console, the warnings will show.

Expected behavior
No warnings

Screenshots

Looking forward for reporting a security issue:
Please report security issues by following our security policy: https://contribute.freecodecamp.org/#/security

Describe the bug
When the user signs out of the ADMIN page, their session is null so an error is thrown.

To Reproduce
Steps to reproduce the behavior:

1. Go to '/admin' while signed in
2. Sign out.

Expected behavior
It should redirect to the home page

For the sake of UX, we can start to show normal titles (non-dashed) rather than dashed names when creating classrooms inside of our modal.

Current view of the modal:

We store the non-dashed names inside of the same block where we store the dashed names so we can simply pass them along inside of our props when creating the modal.

Assigning this to Rob

Right now query the curriculum structure from freeCodeCamp via the following API endpoints:

1. https://www.freecodecamp.org/curriculum-data/v1/2022/responsive-web-design.json
2. https://www.freecodecamp.org/curriculum-data/v1/available-superblocks.json

The second API endpoint provides a complex format that is confusing to parse. We can write some logic to restructure this in a more intuitive way. Create some helper functions to help us access the block names / challenge ID's. Perhaps make a seperate file (api_utils.js) which take in the URL responses and provide a better interface for accessing the data to the dashboard page.

We would also need to refactor the dashboard page to work with the new helper functions.

Assigning this to Edgar.

NextJS has some new changes that could heavily impact the way the application works, following good practice we'll be pinning the Next version so we can slowly implement our changes to accommodate it.

Read more on Next13's changes here

We would like to add a red/yellow/green label to each student on the dashboard page for the classroom. The red-zone students are least enaged; green-zone students are most engaged.

TODO: We will post a design mock-up showing what the new UI should look like with the color codes. Or, if any contributors want to propose a mock-up, please do so.

Level 2: consider adding filtering functionality so that the Teacher can quickly select the students who are in the red-zone or yellow/green zones.

Most of the API endpoints are not secure. We should add checks to ensure that only authorized users have access to specific endpoints. Take a look at this file

Describe the bug
Admin can change roles for other people. But currently, they can also change their own roles. If an Admin changes his/her role to another role, the admin will be locked out of the app, with the screen showing “access denied”. The user cannot undo the change easily.

Expected behavior
Don’t allow admins to change the role of other admins through the UI.

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Pending Approval

These branches will be created by Renovate only once you click their checkbox below.

• chore(deps): update dependency eslint to v9
• chore(deps): update dependency eslint-config-next to v14
• chore(deps): update dependency eslint-config-prettier to v9
• chore(deps): update dependency eslint-plugin-cypress to v3
• chore(deps): update dependency eslint-plugin-jest to v28
• chore(deps): update dependency husky to v9
• chore(deps): update dependency lint-staged to v15
• chore(deps): update dependency prettier to v3
• chore(deps): update github actions to v4 (major) (actions/checkout, actions/setup-node)
• chore(deps): update node.js to v20
• chore(deps): update npm to v10
• chore(deps): update testing-library monorepo (major) (@testing-library/jest-dom, @testing-library/react)
• fix(deps): update dependency @headlessui/react to v2
• fix(deps): update dependency flowbite to v2
• fix(deps): update dependency react-tabs to v6
• fix(deps): update dependency react-toastify to v10
• fix(deps): update dependency styled-components to v6
• fix(deps): update prisma monorepo to v5 (major) (@prisma/client, prisma)
• 🔐 Create all pending approval PRs at once 🔐

Rate-Limited

These updates are currently rate-limited. Click on a checkbox below to force their creation now.

• fix(deps): update dependency @headlessui/react to v1.7.19
• fix(deps): update dependency next-auth to v4.24.7
• chore(deps): update dependency @testing-library/react to v14.3.1
• chore(deps): update dependency eslint to v8.57.0
• chore(deps): update dependency eslint-plugin-jest to v27.9.0
• chore(deps): update dependency tailwindcss to v3.4.4
• fix(deps): update dependency react-data-table-component to v7.6.2
• fix(deps): update react monorepo to v18.3.1 (react, react-dom, react-test-renderer)
• 🔐 Create all rate-limited PRs at once 🔐

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• chore(deps): replace dependency npm-run-all with npm-run-all2 5.0.0
• chore(deps): update dependency autoprefixer to v10.4.19
• chore(deps): update dependency eslint-plugin-cypress to v2.15.2
• chore(deps): update dependency postcss to v8.4.38
• fix(deps): update dependency json-server to v0.17.4
• Click on this checkbox to rebase all open PRs at once

Ignored or Blocked

These are blocked by an existing closed PR and will not be recreated unless you click a checkbox below.

• fix(deps): update dependency react-toastify to v9.1.3

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

This task is a pre-requisite for Issue #114

Currently we give contributors the credentials (not ideal because we want to keep these private)
Solution 1: Add instructions for how contributors can create their own Auth0 credentials (not ideal because it may too daunting/complex). Or maybe this is manageable? Let's investigate.
Solution 2: Create a Dev Log-in setup (simpler than Auth0)

Currently, it is a pain for new users to create a new Auth0 account and set up their credentials in order to login to the classroom app. We should have an easier login flow for developers.

The plan is to create a secondary pathway for logging in using Github oAuth. The user would need to create a Github App, which should be a much easier setup process than Auth0.

Assigning this to Rob.

There are 2 warning messages at the terminal while running, clearing these warnings could help a developer to see new error/warning messages easier.

1. Warning: Received true for a non-boolean attribute crossOrigin.
   This one is from next.js google font loading

2. [next-auth][warn][NO_SECRET]
   This one is from next-auth.js and warns about no defined random string secret for hashing tokens, sign/encrypt cookies
   REF. https://next-auth.js.org/configuration/options#secret

To Reproduce
run npm run develop

Expected behavior
no warnings, clearly logging messages at the terminal

Screenshots

Warning: Received `true` for a non-boolean attribute `crossOrigin`.

If you want to write it to the DOM, pass a string instead: crossOrigin="true" or crossOrigin={value.toString()}.
    at link
    at head
    at Head (webpack-internal:///./node_modules/next/dist/pages/_document.js:239:1)
    at html
    at Html (webpack-internal:///./node_modules/next/dist/pages/_document.js:204:73)
    at MyDocument (webpack-internal:///./pages/_document.js:11:1)
[next-auth][warn][NO_SECRET] 
https://next-auth.js.org/warnings#no_secret

Just a minor question. Where is this hosted? Thanks. :)

Write down a proposal for what changes we should introduce into the codebase:

• Are we changing any existing models? Creating new models?
• Will we have 1 button that supports both the sign-in and sign-up functionality, or split up the behavior into separate buttons?
• Are we creating any new pages, classes, controllers?

People on small screens cannot see the full dropdown menu because the size of the modal is hard coded (presumably).

Users have a workaround in minimizing their screen, but this is not ideal.

Describe the bug
The bug has been temporarily patched with this commit: 40e7ab1

However, this is a temp fix as we should look into why there is a CORS issue when using this API on Firefox. The issue does not appear on Chrome and has not been tested on Microsoft Edge.

To Reproduce
Steps to reproduce the behavior:

1. Go to '/pages/join/[...joincode].js'
2. Remove/comment out event.preventDefault()
3. Attempt to invite someone to the classroom
4. See error (TypeError: NetworkError when attempting to fetch resource)

Additional context

The bug is currently patched, but we should look into the underlying cause to fix it without bypassing CORS the way we did.

Workflow:

1. User clicks on join link
2. User lands on the Join page
3. User clicks on the "Join" button
4. User is assigned a role of "student"
5. User is added to the correct classroom (based on the ID in the join url)

Describe the bug

We only support one teacher/instructor per class, however, this may not fit all use cases. We would like to be able to have multiple teachers (limit yet to be discussed). The first step would require us to change the Prisma schema / database to support multiple teachers for a given classroom.

Here is how you can approach this task:

1. Open schema.prisma
2. Update the Classroom model ==> classroomTeacherId should take an array of Strings. Afterwards you will need to do a prisma migration or wipe the DB and start from scratch.
3. Search the codebase for all references to classroomTeacherId in javascript files. Update the code so that works with an array. For example, you may want to append to the classroomTeacherId array instead of setting it directly.

When there are more than one class on classes page, a warning: 'Each child in a list should have a unique "key" prop' showed.

To Reproduce

1. Sign in with a Teacher account
2. Go to the classes page
3. Add classes if you have less than two classes.
4. The warning will show at the terminal

Expected behavior
No warning

Screenshots

Assigning this to Josue

Get the login credentials from @utsab

The /pages/api/modifyuser.js expects a JSON object, whereas the other api endpoints expect a string. Can we make all of the api endpoints consistent?

Check out components/updateUserForm.js as a good place to start investigating.

Originally posted by @utsab in #56 (comment)

We need to create a "role-based access control (RBAC)" implementation for separating things that regular student and teacher users of the app can do.

This needs some additional investigation and proposals.

We would like to add additional support materials to help new contributors become more familiar with the codebase:

1. A description (ideally with a visual diagram) of the key technologies in the project's technology stack
2. A recommended sequence of learning resources someone can work through to get some experience with the tech stack.

All of the information you need to answer the above two question is contained in this slide deck. For the tech stack diagram, look at slide 29. For the learning resources, take a look at slides 36 - 51.

For a model example of how an open source project can clearly document its technology stack, take a look at Open Energy Dashboard (see the "Built with" section). Then take a look at their more detailed helper page which lists out specific learning resources.

We are currently using a pattern of fetching as much data as we can on the server. For example, on the classes page, we fetch the following info on the server: the the user info from the database, the list of classrooms, the freeCodeCamp API data. We then pass this info along to the React component when it renders on the client-side. Is this a reasonable pattern?

We currently follow the freeCodeCamp style guide when styling the Classroom App: https://design-style-guide.freecodecamp.org/

Add a comment somewhere in README.md that documents the style guide.