
api.devalopers's Introduction

Devalopers Backend


Devalopers is an online platform (backend here) that allows Tech Companies in Globally and especially in MENA to post jobs and projects while Developers, UX/Graphic designers, AI/ML, Tech Project managers and Tech product managers to find Remote Jobs and Freelancing projects.

This repository will create a free platform to post jobs and apply for jobs for all its users

Disclaimer (Important)

Must Read

Prerequisites

Make sure you have installed all of the following prerequisites on your development machine:

Installing Devalopers Backend

To install Devalopers Backend, follow these steps:

npm install

Using Devalopers Backend

To use Devalopers Backend locally, execute the following steps:

npm start

Contributing to Devalopers Backend

To contribute to Devalopers Backend, follow the steps described in this file:

Contributing link

Alternatively, see the GitHub documentation on creating a pull request.

Contributors

Thanks to the following people who have contributed to this project:

Contributors link

Contact

If you want to contact me you can reach me at [email protected].

License

This project uses the following license: https://github.com/DevCBeirut/api.devalopers/blob/master/LICENSE.

api.devalopers's People

Contributors

fouad-abdeen, salahawad, thelebdev


api.devalopers's Issues

Open Redirect

Links in the profile section are not sanitized and a user can therefore put an arbitrary URL in the field. This is dangerous as it can lead to tracking or phishing.

Inconsistency in the location

Describe the bug
There's inconsistency in the location of users and jobs.
By default, it's "Beirut, Lebanon". But, when editing, the location depends only on countries.

Direction

  1. Go to https://devalopers.herokuapp.com/
  2. Login as talent
  3. Go to talent profile > edit profile information below the profile pic > the default location is "Beirut, Lebanon"
  4. When editing, the location list contains only the country name without the city name

expected behavior
We must let the user type or choose a city along with a country.

PS
added 3 methods in the backend by @salahawad
/api/company/countries for getting all current system company's locations
/api/country/cities for getting specific country cities
/api/cities/list for getting all cities
/api/countries/list for getting all countries

Company> Applicants> Matching skills number isn't showing (number/5)

Describe the bug
When an applicant has applied for a job with matching skills, it's showing as "no matching skills" for all applicants.

To Reproduce
Steps to reproduce the behavior:

  1. Go to http://devalopers.herokuapp.com/login
  2. Log in as a company with the below credentials:
    Email: [email protected]
    Password: Company@123
  3. Go to "applicants" in the banner http://devalopers.herokuapp.com/company/applicantslist
  4. Recognize the matching skills in the below screenshot: they all show as "no matching skills" although there are matching skills
    [screenshot]

Expected behavior
Matching skills number must appear like (1/5) for 1 matched skill from 5, (4/5) for 4 matched skills from 5.

For both frontend and backend

Arbitrary File Upload

The profile picture can be uploaded with any extension. The default behavior of the web app is to rename with the given extension. This is a very dangerous behavior as this allows the user to upload all types of malicious files (malformed names, potential directory traversal, large files for DoS attacks, invalid file names to leak error message information...)

Company> Post a job> Error opening & deleting attached file

Describe the bug
When posting a job and attaching a file, opening the file leads to an error 404 page; when trying to edit the job and delete the attached file, it is not deleted.

Steps to Find the bug

  1. Go to http://devalopers.herokuapp.com/login
  2. Log in as a company with the below credentials:
    Email: [email protected]
    Password: Company@123
  3. Go to the green button "post a job"
  4. Try posting a job with PDF attachment using (+add file) blue button
    [screenshot]
  5. After posting the job, you will be directed to the job page, http://devalopers.herokuapp.com/viewjobinfo/ , try to open the job attachment, you will be directed to an error 404 page as attached below:
    [screenshot]
  6. When trying to edit the attached file and delete the file, then save the changes, it's not deleted.

Expected behavior
File should load normally, and attached file should be deleted upon editing and deleting it.
Common in backend and frontend

Company> Profile> default profile picture should not have the possibility to be deleted

Description:
Upon editing a company profile, default profile picture can be deleted to another default picture, while default picture shouldn't have the possibility to be deleted

Steps to find this issue:
Steps to reproduce the behavior:

  1. Go to http://devalopers.herokuapp.com/login

  2. Log in as a company with the below credentials:
    Email: [email protected]
    Password: Company@123

  3. Go to profile in the banner

  4. You will find a default profile picture like the below; you can find a trash bin label and an edit pen in a box label
    [screenshot]

  5. When pressing on the delete button (trash bin label), you will find that the profile picture has changed to this one (another type of default picture)
    [screenshot]

Expected behavior
Default profile picture should not have the possibility to be deleted

Company> profile> profile picture and info aren't being saved

Description:
Upon editing a company profile, profile info and profile picture aren't being saved, and an error alert is showing

Steps to find this issue:

  1. Go to http://devalopers.herokuapp.com/login

  2. Log in as a company with the below credentials:
    Email: [email protected]
    Password: Company@123

  3. Go to profile in the banner

  4. Try to edit the company info (using the pen in a box label)
    [screenshot]

  5. Once editing the (Company type, Description, address, website, location, social media...), then trying to save them using the same button (drive like label), you can recognize that nothing changes, the info edited are not saved

  6. Same for the profile picture, once editing the profile picture and adding a new one, it is not placed, default picture does not change

  7. An error alert is showing and not going off until the page is refreshed
    [screenshot]

Expected behavior:
Profile info and profile picture should be saved, no error message should appear except if the necessary blanks were not filled (company name, email address)

NOTE that the issue is only present in the staging website http://devalopers.herokuapp.com/ while it is functioning in the main website https://devalopers.com/

User can't edit profile info

Bug High-Severity
Description: When a new user (who authenticated with LinkedIn) clicks on edit profile info under the profile picture, they get an empty page.

Direction
When you want to log in with LinkedIn, hit "Login with Github" (even though it's not working) to successfully authenticate with LinkedIn. What's happening is that you change information in the cookies that indicates that you're doing authentication and not registration while clicking on Login with Github.

[screenshot]

Unprotected API routes

Any user can have access to other users' information given their publicly available user id. It provides very sensitive information such as email addresses and password hash. If a user has a weak password then his account can be very easily hacked. Example
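To make the problem concrete, here is an added example (not the project's route code) of a user-lookup handler written twice: first as the issue describes it, returning the stored document to any caller, then with an authentication check, an ownership/admin check, and an explicit response projection that never includes the password hash. The in-memory store, user shape and `requester` object are constructed for the demonstration.

```javascript
// Added example (not the project's own code): same lookup, before and after.
// Constructed in-memory user store standing in for the database.
const users = new Map([
  ['u1', { id: 'u1', name: 'Talent One', email: 'talent1@example.test',
           passwordHash: '$2b$10$CONSTRUCTED1', role: 'developer', skills: ['node'] }],
  ['u2', { id: 'u2', name: 'Company Two', email: 'hr@example.test',
           passwordHash: '$2b$10$CONSTRUCTED2', role: 'company', skills: [] }],
]);

// BEFORE: whatever is stored goes back to whoever asks, hash included.
function getUserUnprotected(targetId) {
  return users.get(targetId) || null;
}

// Fields anyone may see, and fields only the owner (or an admin) may see.
// passwordHash is deliberately part of neither list.
const PUBLIC_FIELDS = ['id', 'name', 'role', 'skills'];
const OWNER_FIELDS = [...PUBLIC_FIELDS, 'email'];

// Copies only the listed fields, so a new column can never leak by default.
function project(user, fields) {
  const out = {};
  for (const f of fields) out[f] = user[f];
  return out;
}

// AFTER: `requester` is the identity the session middleware established
// ({ id, role }), or null for anonymous calls. Returns { status, body }.
function getUserProtected(requester, targetId) {
  if (!requester) return { status: 401, body: { error: 'authentication required' } };
  const user = users.get(targetId);
  if (!user) return { status: 404, body: { error: 'not found' } };
  const isOwner = requester.id === user.id;
  const isAdmin = requester.role === 'admin';
  const fields = isOwner || isAdmin ? OWNER_FIELDS : PUBLIC_FIELDS;
  return { status: 200, body: project(user, fields) };
}

module.exports = { getUserUnprotected, getUserProtected, PUBLIC_FIELDS, OWNER_FIELDS };
```

The projection is the important half: authentication alone would still hand every logged-in user every other user's email and hash. Guessable ids make the second point (never exposing the hash) matter even more, since an offline attack on a weak password needs nothing but that field.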

Talent >Profile>CV can be a word file also

Requirement
Description: CV attachment is only accepted as a pdf
Adobe PDF isn't free and its subscription is now in USD; not everyone has a PDF creator, especially fresh grads

Direction

  1. Go to https://devalopers.herokuapp.com/
  2. Login as talent
  3. Go to talent profile > edit profile > add your cv
  4. It will accept only a PDF version

Solution requested
CV must accept a pdf and word file as an attached document

Company>Landing Page > Applicant List> Display applicant status beside the Posted Job

Describe the bug
As a company, I want to view the status of each applicant in applicant list section

To Reproduce
Steps to reproduce the behavior:

  1. Go to http://devalopers.herokuapp.com/login
    Log in as a company with the below credentials:
    Email: [email protected]
    Password: Company@123
  2. Go to http://devalopers.herokuapp.com/company/applicantslist and the applicant list in the landing home page, we prefer to have the application status beside each applicant as attached below:
    [screenshot]

Expected result:
Status in red color, the below 3 options:
- Rejected
- Pending
- To be interviewed
- Accepted

Requires backend and frontend

Publicly available credentials

In the publicly available folder, critically sensitive credentials are displayed.

Solution: Modify the credentials. Then delete the files from the repo and its history then ignore them with .gitignore and force push the new version. See this link
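Rotating the credentials and rewriting history is the right order; the missing third step is making sure the same files do not come back. The following is an added example, not a tool the project ships, of a small scanner for the kinds of values that get committed by mistake (private key blocks, connection strings carrying a password, AWS access key ids, quoted secret assignments). The sample config content is constructed; in practice you would run this over the output of `git ls-files` or from a pre-commit hook.

```javascript
// Added example (not the project's own code): a minimal committed-secret scanner.
const PATTERNS = [
  { name: 'private key block',
    re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
  { name: 'connection string with password',
    re: /\b(?:mongodb(?:\+srv)?|postgres(?:ql)?|mysql|redis):\/\/[^\s:@/]+:[^\s@/]+@/i },
  { name: 'AWS access key id',
    re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: 'hard-coded secret assignment',
    re: /(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['"][^'"]{6,}['"]/i },
];

// Returns one finding per matching pattern per line: { line, name, excerpt }.
// The matched value is redacted in the excerpt so the report itself does not
// re-leak the credential into CI logs or an issue tracker.
function findSecrets(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    for (const { name, re } of PATTERNS) {
      if (re.test(line)) {
        findings.push({
          line: idx + 1,
          name,
          excerpt: line.trim().replace(re, '[REDACTED]').slice(0, 60),
        });
      }
    }
  });
  return findings;
}

// Constructed sample of a config file that should never have been committed.
const SAMPLE_CONFIG = [
  'module.exports = {',
  '  port: process.env.PORT || 3000,',
  "  mongoUri: 'mongodb://appuser:Sup3rSecret@cluster.example.test/devalopers',",
  "  jwtSecret: 'not-a-real-secret-value',",
  "  publicUrl: 'https://devalopers.com',",
  '};',
].join('\n');

// Shape of the same file once the values live in the environment instead:
// the scanner reports nothing on it.
const SAMPLE_CONFIG_FIXED = [
  'module.exports = {',
  '  port: process.env.PORT || 3000,',
  '  mongoUri: process.env.MONGO_URI,',
  '  jwtSecret: process.env.JWT_SECRET,',
  '};',
].join('\n');

module.exports = { findSecrets, SAMPLE_CONFIG, SAMPLE_CONFIG_FIXED };
```

Pattern-based scanning has false positives and misses high-entropy values it has no pattern for, so it complements, rather than replaces, keeping configuration out of the repository in the first place.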

Signup >New Account >user is redirected directly to home page regardless if he verified the email

Upon creating a new account, you can directly log in without verifying the email

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'https://devalopers.herokuapp.com/'
  2. Click on 'Create Account'
  3. Click 'I want to hire Talent' or I'm looking for job Opportunities
  4. Fill the form
  5. Submit
  6. You are directly directed to the Home Page

Expected behavior
Redirect to a screen stating "Kindly verify your email by clicking on the link sent to your email"

Additional context
This requires Backend and Front End Work

Talent >New Account >No email verification

Bug low severity
Description: Upon creating a new account, you can directly log in without verifying the email

Direction

  1. Go to https://devalopers.herokuapp.com/
  2. Create new account by clicking on "create new account" button
  3. Click on "I am looking for job opportunity" to create new talent account
  4. Sign up by entering your email and password
  5. The issue is that after creating your account you can easily log in without any request to verify the email

Expected behavior
We need to verify the email address to remove spam
We need to have only verified emails to register to forbid other users to use email that doesn't belong to them

[screenshot]

Company > Profile > Email Update > Error Occurs on staging Environment

Bug High-Severity
Description: an error occurs on the staging environment when updating the email for a company account profile

To Reproduce
Steps to reproduce the behavior:

  1. Go to http://devalopers.herokuapp.com/login
  2. Log in as a company with the below credentials:
    Email: [email protected]
    Password: Company@123
  3. Go to profile
  4. Update email
  5. Error occurs

Expected behavior
A clear and concise description of what you expected to happen.

Company> Profile> Possibility to delete company profile

Describe the bug
Once an account is created, it doesn't have the possibility to be deleted

To Reproduce
Steps to reproduce the behavior:

  1. Go to http://devalopers.herokuapp.com/login
  2. Log in as a company with the below credentials:
    Email: [email protected]
    Password: Company@123
  3. Go to the profile page in the banner http://devalopers.herokuapp.com/company/profile/
  4. A "Delete" button should be found in the profile page

Expected behavior
A company must have the possibility to delete its profile

For both frontend and backend

Anonymous>Jobs page> list of countries update

Requirement
Description: In the list of countries we should perhaps limit the list to the countries that actually exist in the jobs and sort them alphabetically, instead of having a long list of values of which 90% will return nothing

Direction
Steps to reproduce the behavior:

  1. Go to https://devalopers.herokuapp.com/
  2. Click on "Jobs" tab in the landing page
  3. Check the list of country in the filtering

behavior required
Limit the list of countries to the names that actually exist in the jobs and sort them alphabetically

JWT expiry date

The expiry date of the JWT is 99999999 seconds (about 3 years) so if a cookie is forged/stolen it will be valid for a very long period of time.

Solution: Set a shorter expiry date and use refresh tokens. See Refresh Tokens:

Company> Messages> Random empty profiles are present

To Reproduce
Steps to reproduce the behavior:

  1. Go to http://devalopers.herokuapp.com/login
  2. Log in as a company with the below credentials:
    Email: [email protected]
    Password: Company@123
  3. Go to the "message" button in the banner http://devalopers.herokuapp.com/company/messages
  4. You will recognize empty profiles in the messaging section as below:
    [screenshot]

Expected behavior
Messages page should be empty when no messages are present, no empty profiles should be present

Talent> Profile> Possibility to delete talent profile

Describe the bug
Once an account is created, it doesn't have the possibility to be deleted

To Reproduce
Steps to reproduce the behavior:

  1. Go to http://devalopers.herokuapp.com/login
  2. Log in as a talent with the below credentials:
    Username: [email protected]
    Password: Dev-Talent1@devapp
  3. Go to the profile page in the banner http://devalopers.herokuapp.com/dev/profile/
  4. A "Delete" button should be found in the profile page

Expected behavior
A user logged in as talent must have the possibility to delete their profile

For both frontend and backend

Adding docker-compose.yml file

I am thinking of adding a docker-compose.yml to the project which includes the used service(s) (e.g. Mongo, ...). This can provide another alternative for contributors to easily deploy the project locally.

Let me know what you think @salahawad

Testing coverage

Coverage Testing

Add testing coverage using Jest and supertest to cover all APIs found in
app\routes\api.js

You can use faker for emails and strings

Tests will include the below

  • Integration
  • Unit

For controllers mainly

Unprotected data in Cookie

By changing the cookie value from 'developer' to 'company' you can post jobs as a developer which is a behavior that shouldn't happen and could potentially crash the app.
