Merge branch 'main' into dependabot/pip/mock_data/pip-aed9f6bbcd

.github/dependabot.yml

@@ -4,27 +4,47 @@ updates:
     directory: ./backend/
     schedule:
       interval: weekly
+    groups:
+      backend:
+        patterns:
+         - "*"
   - package-ecosystem: gomod
     directory: ./cli/
     schedule:
       interval: weekly
+    groups:
+      cli:
+        patterns:
+         - "*"
   - package-ecosystem: npm
     directory: ./frontend/mobile/
     schedule:
-      interval: weekly
+      interval: monthly
+    groups:
+      mobile:
+        patterns:
+         - "*"
   - package-ecosystem: npm
     directory: ./frontend/web/
     schedule:
-      interval: weekly
+      interval: monthly
+    groups:
+      web:
+        patterns:
+         - "*"
   - package-ecosystem: npm
     directory: ./frontend/dashboard/
     schedule:
-      interval: weekly
+      interval: monthly
+    groups:
+      dashboard:
+        patterns:
+         - "*"
   - package-ecosystem: npm
     directory: ./frontend/lib/
     schedule:
-      interval: weekly
-  - package-ecosystem: cargo
-    directory: ./scraper/clubs/
-    schedule:
-      interval: weekly
+      interval: monthly
+    groups:
+      lib:
+        patterns:
+         - "*"

.github/workflows/frontend_lib_release.yml

@@ -5,7 +5,10 @@ on:
     branches:
       - main
     paths:
-      - "frontend/lib/**"
+      - frontend/lib/**
+
+permissions:
+  contents: read
 
 jobs:
   build:
@@ -14,12 +17,11 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: '20.x'
-          registry-url: 'https://registry.npmjs.org'
-          scope: '@octocat'
+          node-version: 20.x
+          registry-url: https://registry.npmjs.org
+          scope: "@octocat"
       - run: |
           cd frontend/lib
           yarn
           yarn build
-          NODE_AUTH_TOKEN=${{ secrets.NPM_AUTH_TOKEN }}
-          yarn publish --access public
+          NODE_AUTH_TOKEN=${{ secrets.NPM_AUTH_TOKEN }} yarn publish --access public

.gitignore

@@ -24,3 +24,4 @@ frontend/mobile/android/
 tmp/
 ios
 android
+.idea/modules.xml

CONTRIBUTING.md

@@ -16,6 +16,9 @@
 - [PostgreSQL](https://www.postgresql.org/)
   - Install through brew: `brew install postgresql@15`
   - It requires you to add all the exports to path so read the end of the installation carefully!
+- [Redis](https://redis.io/docs/latest/operate/oss_and_stack/install/install-stack/)
+  - Install through brew: `brew tap redis-stack/redis-stack`
+   - Then install: `brew install redis-stack`
 - [Trunk](https://marketplace.visualstudio.com/items?itemName=Trunk.io) (Recommended!)
   - Visual Studio Code extension for linting/formatting
 - [migrate](https://github.com/golang-migrate/migrate)

backend/DEPLOYMENT.md

@@ -0,0 +1,39 @@
+# Configuration
+
+SAC uses environment variables for configuration. SAC will, by default, pull the envvars from the process in which it was launched, but you can also pass in a .env file (using the --config flag) and use the values defined in there. See .env.template for an example .env file.
+
+| Name                                 | Group      | Description                           |
+|--------------------------------------|------------|---------------------------------------|
+| SAC_APPLICATION_PORT                 | app        | port to run the server on.            |
+| SAC_APPLICATION_HOST                 | app        | host to run the server on.            |
+| SAC_APPLICATION_BASE_URL             | app        | base url to run the server on.        |
+| SAC_DB_USERNAME                      | db         | username for database.                |
+| SAC_DB_PASSWORD                      | db         | password for database.                |
+| SAC_DB_PORT                          | db         | port for database.                    |
+| SAC_DB_HOST                          | db         | host for database.                    |
+| SAC_DB_NAME                          | db         | name of database.                     |
+| SAC_DB_REQUIRE_SSL                   | db         | if the db connection requires ssl.    |
+| SAC_REDIS_ACTIVE_TOKENS_USERNAME     | redis      | username for active tokens redis.     |
+| SAC_REDIS_ACTIVE_TOKENS_PASSWORD     | redis      | password for active tokens redis.     |
+| SAC_REDIS_ACTIVE_TOKENS_HOST         | redis      | host for active tokens redis.         |
+| SAC_REDIS_ACTIVE_TOKENS_PORT         | redis      | port for active tokens redis.         |
+| SAC_REDIS_ACTIVE_TOKENS_DB           | redis      | db for active tokens redis.           |
+| SAC_REDIS_BLACKLIST_USERNAME         | redis      | username for blacklist redis.         |
+| SAC_REDIS_BLACKLIST_PASSWORD         | redis      | password for blacklist redis.         |
+| SAC_REDIS_BLACKLIST_HOST             | redis      | host for blacklist redis.             |
+| SAC_REDIS_BLACKLIST_PORT             | redis      | port for blacklist redis.             |
+| SAC_REDIS_BLACKLIST_DB               | redis      | db for blacklist redis.               |
+| SAC_REDIS_LIMITER_USERNAME           | redis      | username for limiter redis.           |
+| SAC_REDIS_LIMITER_PASSWORD           | redis      | password for limiter redis.           |
+| SAC_REDIS_LIMITER_HOST               | redis      | host for limiter redis.               |
+| SAC_REDIS_LIMITER_PORT               | redis      | port for limiter redis.               |
+| SAC_REDIS_LIMITER_DB                 | redis      | db for limiter redis.                 |
+| SAC_SUDO_PASSWORD                    | superuser  | password for the superuser.           |
+| SAC_AUTH_ACCESS_KEY                  | auth       | access key for auth.                  |
+| SAC_AUTH_REFRESH_KEY                 | auth       | refresh key for auth.                 |
+| SAC_AWS_BUCKET_NAME                  | aws        | bucket name for aws s3.               |
+| SAC_AWS_ID                           | aws        | id for aws s3.                        |
+| SAC_AWS_SECRET                       | aws        | secret for aws s3.                    |
+| SAC_AWS_REGION                       | aws        | region for aws s3.                    |
+| SAC_RESEND_API_KEY                   | resend     | api key for resend.                   |
+| SAC_CALENDAR_MAX_TERMINATION_DATE    | calendar   | max termination date for calendar integrations. |

backend/auth/jwt.go

@@ -18,22 +18,6 @@ type CustomClaims struct {
 	Role string `json:"role"`
 }
 
-// From extracts the CustomClaims from the fiber context
-// Returns nil if the claims are not present
-func From(c *fiber.Ctx) (*CustomClaims, error) {
-	rawClaims := c.Locals("claims")
-	if rawClaims == nil {
-		return nil, utilities.Forbidden()
-	}
-
-	claims, ok := rawClaims.(*CustomClaims)
-	if !ok {
-		return nil, fmt.Errorf("claims are not of type CustomClaims. got: %T", rawClaims)
-	}
-
-	return claims, nil
-}
-
 type JWTType string
 
 const (
@@ -292,35 +276,22 @@ func copyCustomClaims(claims *jwt.MapClaims, customClaims map[string]interface{}
 	}
 }
 
-func GenerateRefreshCookie(value string) *fiber.Cookie {
-	return &fiber.Cookie{
+func SetResponseTokens(c *fiber.Ctx, tokens *Token) {
+	c.Set("Authorization", fmt.Sprintf("Bearer %s", tokens.AccessToken))
+	c.Cookie(&fiber.Cookie{
 		Name:     "refresh_token",
-		Value:    value,
+		Value:    string(tokens.RefreshToken),
 		Expires:  time.Now().Add(constants.REFRESH_TOKEN_EXPIRY),
 		HTTPOnly: true,
-	}
+	})
 }
 
-func SetResponseTokens(c *fiber.Ctx, tokens *Token) error {
-	// Set the tokens in the response
-	// should also blacklist the old refresh and access tokens
-
-	c.Set("Authorization", fmt.Sprintf("Bearer %s", tokens.AccessToken))
+func ExpireResponseTokens(c *fiber.Ctx) {
+	c.Set("Authorization", "")
 	c.Cookie(&fiber.Cookie{
 		Name:     "refresh_token",
-		Value:    string(tokens.RefreshToken),
-		Expires:  time.Now().Add(constants.REFRESH_TOKEN_EXPIRY),
+		Value:    "",
+		Expires:  time.Now().Add(-time.Hour),
 		HTTPOnly: true,
 	})
-
-	return nil
 }
-
-// func ExpireCookie(name string) *fiber.Cookie {
-// 	return &fiber.Cookie{
-// 		Name:     name,
-// 		Value:    "",
-// 		Expires:  time.Now().Add(-time.Hour),
-// 		HTTPOnly: true,
-// 	}
-// }

backend/auth/locals.go

@@ -0,0 +1,52 @@
+package auth
+
+import (
+	"fmt"
+
+	"github.com/GenerateNU/sac/backend/utilities"
+	"github.com/gofiber/fiber/v2"
+	"github.com/google/uuid"
+)
+
+type localsKey byte
+
+const (
+	claimsKey localsKey = 0
+	userIDKey localsKey = 1
+)
+
+func CustomClaimsFrom(c *fiber.Ctx) (*CustomClaims, error) {
+	rawClaims := c.Locals(claimsKey)
+	if rawClaims == nil {
+		return nil, utilities.Forbidden()
+	}
+
+	claims, ok := rawClaims.(*CustomClaims)
+	if !ok {
+		return nil, fmt.Errorf("claims are not of type CustomClaims. got: %T", rawClaims)
+	}
+
+	return claims, nil
+}
+
+func SetClaims(c *fiber.Ctx, claims *CustomClaims) {
+	c.Locals(claimsKey, claims)
+}
+
+func UserIDFrom(c *fiber.Ctx) (*uuid.UUID, error) {
+	userID := c.Locals(userIDKey)
+	if userID == nil {
+		return nil, utilities.Forbidden()
+	}
+
+	id, ok := userID.(*uuid.UUID)
+	if !ok {
+		return nil, fmt.Errorf("userID is not of type uuid.UUID. got: %T", userID)
+	}
+
+	return id, nil
+}
+
+func SetUserID(c *fiber.Ctx, id *uuid.UUID) {
+	c.Locals(userIDKey, id)
+}

backend/auth/password.go

@@ -16,6 +16,10 @@ func ValidatePassword(password string) error {
 		errs = append(errs, "must be at least 8 characters long")
 	}
 
+	if len(password) > 128 { // see https://github.com/OWASP/ASVS/issues/756
+		errs = append(errs, "must be at most 128 characters long")
+	}
+
 	if !hasDigit(password) {
 		errs = append(errs, "must contain at least one digit")
 	}

backend/config/app.go

@@ -0,0 +1,7 @@
+package config
+
+type ApplicationSettings struct {
+	Port    uint16 `env:"PORT"`
+	Host    string `env:"HOST"`
+	BaseUrl string `env:"BASE_URL"`
+}

backend/config/auth.go

@@ -1,7 +1,7 @@
 package config
 
 import (
-	"errors"
+	"fmt"
 
 	m "github.com/garrettladley/mattress"
 )
@@ -12,23 +12,23 @@ type AuthSettings struct {
 }
 
 type intermediateAuthSettings struct {
-	AccessKey  string `yaml:"accesskey"`
-	RefreshKey string `yaml:"refreshkey"`
+	accessKey  string `env:"ACCESS_KEY"`
+	refreshKey string `env:"REFRESH_KEY"`
 }
 
-func (int *intermediateAuthSettings) into() (*AuthSettings, error) {
-	accessToken, err := m.NewSecret(int.AccessKey)
+func (i *intermediateAuthSettings) into() (*AuthSettings, error) {
+	accessKey, err := m.NewSecret(i.accessKey)
 	if err != nil {
-		return nil, errors.New("failed to create secret from access key")
+		return nil, fmt.Errorf("failed to create secret from access key: %s", err.Error())
 	}
 
-	refreshToken, err := m.NewSecret(int.RefreshKey)
+	refreshKey, err := m.NewSecret(i.refreshKey)
 	if err != nil {
-		return nil, errors.New("failed to create secret from refresh key")
+		return nil, fmt.Errorf("failed to create secret from refresh key: %s", err.Error())
 	}
 
 	return &AuthSettings{
-		AccessKey:  accessToken,
-		RefreshKey: refreshToken,
+		AccessKey:  accessKey,
+		RefreshKey: refreshKey,
 	}, nil
 }