nhsuk / connecting-to-services

Find a pharmacy

Home Page: https://www.nhs.uk/service-search/find-a-pharmacy/

License: MIT License

JavaScript 98.49% CSS 0.68% Shell 0.51% Dockerfile 0.32%
c2s connecting-to-services docker-image

connecting-to-services's Issues

Improve google maps link

Provide more address details in the link for Google Maps in order to get the start and destination as accurate as possible.

Sort out CDN font path

Load a page and check the console for errors. A number of resources are not available, i.e. not found, due to the path in the .css file not having the variable that is used in the SCSS replaced.

This needs sorting so that the font files are being mapped to the correct CDN host.

Add information about `context` into readme

The application can be passed a context e.g. ?context=stomach-ache to which it responds with content specifically for that thing. This should be documented in the readme (or some other place) so that it is accessible without having to read the code.

Build failing due to test execution times

https://travis-ci.org/nhsuk/connecting-to-services/builds/162109811

The code requires calls to 100 pharmacy overview pages and, even when mocked, this takes longer on Travis than the test timeout parameter.

The tests were previously passing as only the first 10 calls were mocked. After that the code was failing silently, opening times were therefore not parsed and, as an unintended consequence, the tests ran faster. The new tests do not allow this to happen and all 100 calls are mocked resulting in slower test execution.

I'll give it some thought but any suggestions welcome.

Find out what rate of API calls are allowed?

During testing I was blocked by the API - I assume for too high a request rate. Having not seen this previously, I wonder if there are more requests being submitted in this version and if so how can this be reduced to prevent the API blocking.

If nothing can be done perhaps the local data storage solution needs to be brought forward...

Do not display error message when navigating back to the page using back button

The error message displayed for an invalid or empty postcode is displayed after it has been shown previously and the page is navigated back to from the results page. The message should not be shown in this scenario.

Steps to reproduce:

  1. Enter an invalid postcode - see the error message
  2. Replace invalid postcode with valid postcode. Submit form, see results page
  3. Use browser back button to navigate back to the postcode entry page. Note that the error message is displayed - it should not be displayed

This is happening because the browser is not reloading the page and is just serving it out of cache. And the page with the error message just happens to be the last version it had in its cache. See https://webkit.org/blog/427/webkit-page-cache-i-the-basics/

In order to get rid of the message, the page needs to either be forcibly reloaded or have the error message removed on the client. Using HTTPS should also solve the problem (which all pages are going to be using).

Handle not found location

This is effectively handling the scenario when there are no results for a given location. There is a difference between a valid postcode and one that isn't known. However, the current API being used doesn't differentiate this.

Consider using npm shrinkwrap to fix dependencies

As part of my investigations into the failing build yesterday I was looking at the package versioning we employ.

Looking at the meaning of ^ in package versioning, it only fixes the major version [1]. This means that, for a given package, we are exposed to bad semantic versioning on the part of a publisher or simply a bug in a later minor version. This applies to our direct dependencies and, importantly, the chain of dependencies below them. The end result could be subtle differences between our environments.

We need to consider where using shrinkwrap [2] in our deployment pipeline would help.

[1] http://stackoverflow.com/questions/22343224/difference-between-tilde-and-caret-in-package-json
[2] See npm help shrinkwrap
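The drift this issue describes, as an added example that is not code from the project: a simplified caret matcher for plain x.y.z versions resolves the same range against two constructed registry snapshots and returns different versions. It goes slightly beyond the issue text by also covering npm's narrower caret rule for 0.x versions; the package and version lists are made up.

```javascript
// Added example, not project code. Simplified caret matching for plain x.y.z
// versions (no pre-release tags), following npm's documented caret rule.
function parse(v) { return v.split('.').map(Number); }

function compare(a, b) {
  for (let i = 0; i < 3; i += 1) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Upper bound: bump the left-most non-zero component and zero the rest.
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

function satisfiesCaret(version, range) {
  const base = parse(range.slice(1)); // drop the leading '^'
  const v = parse(version);
  return compare(v, base) >= 0 && compare(v, caretUpperBound(base)) < 0;
}

// Highest published version that a fresh install would pick for the range.
function resolve(range, published) {
  const ok = published.filter((v) => satisfiesCaret(v, range));
  ok.sort((a, b) => compare(parse(a), parse(b)));
  return ok.length ? ok[ok.length - 1] : null;
}

// Constructed registry snapshots for a hypothetical package, days apart.
const monday = ['1.2.3', '1.2.4'];
const friday = ['1.2.3', '1.2.4', '1.3.0', '1.9.1', '2.0.0'];

function demoDrift() {
  return {
    devInstall: resolve('^1.2.3', monday), // developer machine, installed Monday
    ciInstall: resolve('^1.2.3', friday),  // build server, installed Friday
    zeroMinor: resolve('^0.2.3', ['0.2.3', '0.2.9', '0.3.0']),
  };
}

console.log(demoDrift());
```

A lock file such as the one `npm shrinkwrap` writes records the exact resolved version, so both installs would get the same one.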

Move all inline script to external files

A Content-Security-Policy has been added. This restricts where it is acceptable to load content from. Scripts have been allowed from inline. This is not allowed by default, as it is an easy way to prevent the effects of XSS. However, this exception to the rule has been added as there are a number of script blocks, used for analytics mainly, that include dynamic values.

In order for these blocks to be moved into external files, some work is required to ensure that the files are generated as the application starts up (because they contain values set in environment variables). The files will also need their names to include hashes to avoid issues with caching. At the moment, none of the code infrastructure exists to do this.

This issue is done when the Content-Security-Policy has been altered to not allow unsafe-inline.
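One way to do the work this issue describes, as an added example that is not the project's code: generate the script file at start-up from environment values, name it by a hash of its content, and emit a policy without `unsafe-inline`. The variable `ANALYTICS_TRACKING_ID`, the host `https://analytics.example`, the file base name and the sample values are assumptions made for the example.

```javascript
// Added example, not project code: names and values below are hypothetical.
const crypto = require('crypto');
const fs = require('fs');
const os = require('os');
const path = require('path');

// Build the script that used to be an inline block. Dynamic values are
// JSON-encoded into the file, never concatenated as raw text.
function writeHashedScript(outDir, baseName, env) {
  const config = { trackingId: env.ANALYTICS_TRACKING_ID || '' };
  const source = `window.analyticsConfig = ${JSON.stringify(config)};\n`;
  // The content hash goes into the file name, so a changed environment value
  // yields a new URL instead of a stale cached copy.
  const digest = crypto.createHash('sha256').update(source).digest('hex').slice(0, 12);
  const fileName = `${baseName}.${digest}.js`;
  fs.mkdirSync(outDir, { recursive: true });
  fs.writeFileSync(path.join(outDir, fileName), source);
  return { fileName, source };
}

// Scripts are limited to our own origin plus named hosts; no 'unsafe-inline'.
function buildCsp(scriptHosts) {
  return [
    "default-src 'self'",
    `script-src ${["'self'", ...scriptHosts].join(' ')}`,
  ].join('; ');
}

// Runs the start-up step twice with constructed values to show the name changing.
function demo() {
  const outDir = fs.mkdtempSync(path.join(os.tmpdir(), 'csp-demo-'));
  const a = writeHashedScript(outDir, 'analytics', { ANALYTICS_TRACKING_ID: 'UA-000000-0' });
  const b = writeHashedScript(outDir, 'analytics', { ANALYTICS_TRACKING_ID: 'UA-000000-1' });
  return { a, b, csp: buildCsp(['https://analytics.example']) };
}

console.log(demo());
```

The page template then references the returned `fileName` in a `<script src>` tag, and the header value from `buildCsp` is sent with every response.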

Setup environment variables in Azure

Since the environment variables have been added they need to be set up for the Azure instances:

  • NHSCHOICES_SYNDICATION_APIKEY
  • NHSCHOICES_SYNDICATION_BASEURL

Add HTTP security headers

Concern over the lack of security headers has been raised by others.

While I don't think we have any security vulnerabilities, since we have no exposure to XSS (nunjucks sanitises input) and do not have sensitive data or session tokens, it seems prudent to introduce these best practice measures sooner rather than later.

Make app routing work for release

The application should handle the routing in the way it will be presented to users rather than relying on lots of rewriting rules.

How to handle empty postcode?

  • The same as an invalid postcode?
  • The same as not having supplied a postcode in the first instance?
  • Something else?
