staart / api Goto Github PK

Regular expressions could be for Name (only alpha letters), Password (strong password with special characters, minimum length), Domain name (occurrence of dot) etc.

Better if we display the Password Strength meter.

Check if user is admin and redeploy

When performing actions like deleting your account, deleting your team, canceling a subscription, etc., the popup should ask for the user's password, and the API should check for password.

A helper function can be built and used:@Middleware(ConfirmPassword)

For instance, Settings > Name Just Enter the whitespace characters and it allows them.

I believe we need to trim almost every input field.

Currently, TypeScript with Babel throws this warning during compilation:

☐  pending   Compiling TypeScript
.staart/src/__staart.ts(2,34): error TS7016: Could not find a declaration file for module 'regenerator-runtime'. '/Users/smoujami/projects/dukketta/staart/migration/api/.staart/node_modules/regenerator-runtime/runtime.js' implicitly has an 'any' type.
  Try `npm install @types/regenerator-runtime` if it exists or add a new declaration (.d.ts) file containing `declare module 'regenerator-runtime';`
✔  success   Listening on 8080

Originally reported in #1046 by @simoami

Tables that have username, like organization and user, already have a human-readable key (apart from autoincrementing ID).

• All tables apart from those can have cuid as the column name and default value cuid()
• The default value for username can also be cuid unless a better one is available
• API keys can use cuid instead of JWT etc.

Release: 1.0.130

I get an error REFERRER_CHECK_FAIL error when verifying the JWT Token.

Contents of apiKeyToken.referrerRestrictions:

0:"staart-demo.o15y.com"
1:"localhost"
2:"oswaldlabs.com"
3:"staart-ui.o15y.now.sh"

It tries to match 127.0.0.1 but fails.

What I don't understand is how and where these are set, since I can't find them searching the codebase.

Leaving this for any user who comes across this (using MySQL 8.0=<). Be aware that the backend might throw the following error:

Error: ER_NOT_SUPPORTED_AUTH_MODE: Client does not support authentication protocol requested by server; consider upgrading MySQL client

You'll have to switch over to mysql_native_password

ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'password';
FLUSH PRIVILEGES;

Use the same Redis queue for storing logs in ElasticSearch and calling webhooks

Like this: https://github.com/icapps/tree-house#validateschemaschema-options

I have noticed that this leaks email hashes to gravatar. Given Gravatar is quite a old service, I wonder if it better to just allow users to upload thier own profile images (or not).

In a Redis queue, if an email fails to send or an ElasticSearch record fails to be added, put it in an "error" queue and try again. If it still doesn't work, discard it and log the error

Hi @AnandChowdhary

Is there way to debug why the frontend is not sending the signup emails? We're sure we've got Production access setup in AWS and the email is verified and the keys are correct.

Send emails to uses based on things like "card about to expire"

Hi Anand, here is the behaviour we're seeing now

User registers and verifies email - works fine now
User tries to login - immediately presented with a "You dont have permission to perform this action"....
Press F5 to refresh and it looks like the user is logged in -
However, when I start to click on the user icon the top right and select team or user settings - it keeps presenting us with this "You dont have permission".

Must be something we are not doing?

Parse controllers for joiValidate functions, HTTP verbs, and TypeDoc comments to generate a schema

I just install Staart and i get this error when i register the first user.

{"error":"From is required"}

I think is linked to problem with email. It is normal that the row primaryEmail have int(12) in staart-users ?

Hi @AnandChowdhary
Thanks for your great implementation! One area I was wondering about is the ability to merge 2 user accounts belonging to the same user. There are 2 scenarios in which a merge can apply.

1. Before joining an invite

You already have this covered through the email record resolution.

2. After joining an invite

Two or more user records would have been created by then. so it would be great to have to ability to allow the user to merge into one of the user records.

Coincidentally, I found a saas app with similar concept but I'm not convinced that their approach works in consolidating user data. From their steps, I guess they only map an email back to the first user. But that still leave the second user as a disconnected record.

https://help.clubhouse.io/hc/en-us/articles/211154966-Merging-User-Accounts-in-Clubhouse

Would love to hear your thoughts!

There is some mention of a super user login, from what I can see this seems to allow this user to login and access all 'teams' is that correct?

Is there any plan to create a admin dashboard where members of the team can view summery data and make changes on behalf of users?

I have this error after fresh install

Backup error Typejoi_1.default.validate is not a function

Hi there,

I am working on extending some business logic so that resellers can be supported. In this case a Reseller can create a org, invite the end customer to be the org owner and then the reseller picks up the bill with billing disabled for the end user.

I noticed references to the naming of a role as reseller. I am curious if others are already doing something similar are if there are plans to build in reseller logic and roles which I can work on rather than starting from scratch.

Invite a team member whose email address is let's say, [email protected]
Invitation is sent successfully.
Delete that team member from the list.
Invite the same team member again ie use [email protected]. Error: An account with this email already exists

As per the suggestion of @victorlap, methods which create a new organization/user/membership/etc., should return the newly created object.

This, combined with the right HTTP status code 201, can be better than just returning { created: true }.

Would be great if you could add a getting started guide for developing on staart ui with the staart backend wired up, maybe docker?

Hi

Looks like the work is in progress. Good job!

I believe an important feature is missing, There should be a flag in config file, namely, Trial Period. Let us say, we set it to 15 days. So the app should be accessible for free for that period.

Also, the system should notify (by email and instant notification both) that your subscription is about to expire in DAYS_LEFT time.

Thanks

Here is the error during yarn install using Node 10:

error [email protected]: The engine "node" is incompatible with this module. Expected version ">= 12.10.0". Got "10.19.0"

Hi @AnandChowdhary I am a logo designer.

I contribute to open source projects that do not have logo. I have designed a logo for staart. The logo idea also represents the function of the software. What do you think?

Use a Node.js caching library (like node-cache or node-cache-manager) for JWT invalidation, etc., instead of Redis directly, with Redis as the primary kv-store with in-memory as fallback

Under the GDPR, it's a good idea to delete logs periodically, especially when they have information like IP address and user agent.

We use the same logs as both server logs for admins and API key logs for end users, and they can be limited to the past 3 months. A cron job to delete all logs before 3 months can run every day or every week etc.

@AnandChowdhary
My requests are hanging.

curl -X POST http://localhost:8080/v1/auth/login -H 'Content-Type: application/json' -d '{"email":"[email protected]","password":"..."}'

Not sure if this is work in progress for the migration to Nest, but currently returning payload causes requests to time out. Using the latest in master.

Overnightjs expects this response:

@Post()
private handler(req: Request, res: Response) {
  return res.status(200).json({
    message: 'test',
  });
}

but the current code returns the raw payload:

@Post()
private handler(req: Request, res: Response) {
  return {
    message: 'test',
  }
}

Email domain: Enter your company's domain, eg. oswaldlabs.com
We'll allow people with emails from this domain to join this organization automatically

Do not allow the public domains to be included in this list like gmail, hotmail, rediffmail, and many others.

https://www.npmjs.com/package/helmet

express-brute has a moderate vulnerability, and we should use something else until v2 is out: AdamPflug/express-brute#83

Make a @staart/scripts package that contains something like react-scripts, which has all the scripts about generating controllers, updates, etc.

Instead of sending in a CORS *, allow API keys to have a list of allowed referrers, and only allow those in Access-Control-Allow-Origin

Invite a team member [email protected]
A verification link is sent successfully and he verifies the link.
He is taken to a Login page where he is asked to enter a password but he doesn't have any password so far.

Probable Solution: Create another page where he can set his "new" password.

When using getPaginatedData(), add support for ?q=Hello&after=2489

Hi @AnandChowdhary ,

At the moment the permissions hierarchy isn't well enforced as for example: when creating a new user on a organisation a manager can create an owner - so at any point anyone with permissions to CRUD team members can escalate themselves to owner by inviting one of their other email addresses. Would it be a reasonable idea to add some logic which says that users can only invite new members to a team with a permission level of lower than their own permission level, unless they are a team owner in which case that logic doesn't apply (i.e they can create other owners too)? This would mean say.. a business owner authorises/creates all new manager accounts, a manager authorises/creates all new 'basic employee' accounts? A business owner can add other business owners as they see fit, but a manager cannot add another manager or escalate himself or others to owner.

Also the edit member ui on that page is broken, I was thinking of coming back to that after I discussed the permissions with you.

hello

I've tried to install. First the use my template buttom gave an error about files being more than 10mb so I downloaded to my desktop and went through the manual process to get it setup;

I get this error though and npm run build stage. Any ideas?

root@staartsaas:/srv/staartapp# sudo npm run build

[email protected] build /srv/staartapp
touch .env && mkdir -p dist && cp .env dist/.env && npm run generate-routes && tsc && cp -r lfs dist/src

[email protected] generate-routes /srv/staartapp
node setup/controllers.js

✖ error Error in setup [Error: ENOENT: no such file or directory, scandir '/srv/staartapp/src/controllers'] {
errno: -2,
code: 'ENOENT',
syscall: 'scandir',
path: '/srv/staartapp/src/controllers'
}

I get the following error:

Altough it is easy to understand from the config.ts file which options are available, i always really like an example configuration file for clarity

Instead of querying, using entities and TypeORM

Click on "Login" and enter your email -> A magic link goes to your email to log you in

Hi there,
Thank you for all your work so far on this project.

I have come across a few issues with some security features that are included not functioning.
For example;

IP address restrictions - These are not actually restricting access to specified IP ranges (For example on the team view).
Invalidate session - Does not seem to 'log you out of this session in the next few minutes'.

The view for editing a users permissions with relation to a team also seems to not exist. Has anyone else come across these issues? If not I will examine in further detail and submit a PR for fixes, but I don't want to waste time if this is a known issue and someone else is working on a fix or it is a common config issue my side.

Hi @AnandChowdhary
It took me a while to get the app set up locally after the recent updates. The issue was that all xhr requests were failing because CORS couldn't be enabled even with proper config.

curl -v 'http://localhost:8080/v1/auth/login' -X OPTIONS -H 'Access-Control-Request-Method: POST'
--
< HTTP/1.1 200 OK
< X-DNS-Prefetch-Control: off
< X-Frame-Options: SAMEORIGIN
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
< X-Download-Options: noopen
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< X-Api-Version: 1.3.147
< X-RateLimit-Limit-Type: public
< X-RateLimit-Limit: 60
< X-RateLimit-Remaining: 59
< Date: Mon, 16 Mar 2020 17:36:24 GMT
< X-RateLimit-Reset: 1584380244
< Allow: POST
< Content-Type: text/html; charset=utf-8
< Content-Length: 4
< ETag: W/"4-Yf+Bwwqjx254r+pisuO9HfpJ6FQ"
< X-Response-Time: 6.500ms
< Connection: keep-alive

didn't return the necessary headers to allow requests to be sent from the UI.

My .env config:

# Remove CORS headers without API key
DISALLOW_OPEN_CORS = false

Upon close inspection, it looks like the value false was coming in as a string so it failed the condition here: https://github.com/staart/packages/blob/master/packages/server/index.ts#L52

Also a side issue during compilation:

☐  pending   Compiling TypeScript
.staart/src/__staart.ts(2,34): error TS7016: Could not find a declaration file for module 'regenerator-runtime'. '/Users/smoujami/projects/dukketta/staart/migration/api/.staart/node_modules/regenerator-runtime/runtime.js' implicitly has an 'any' type.
  Try `npm install @types/regenerator-runtime` if it exists or add a new declaration (.d.ts) file containing `declare module 'regenerator-runtime';`
✔  success   Listening on 8080

Use rsmq to queue ongoing Nodemailer messages if Redis is available, otherwise directly send!