
faucet's People

Contributors

bnchdrff, bonustrack, dependabot[bot], ety001, gl2748, goldibex, gregory-latinier, jnordberg, jredbeard, jwrct, leon9665, mvandeberg, originated, pkattera, plink01001, quochuy3191313, roadscape, roelandp, spidemen, starsakary, xxo1shine, zhang0125


faucet's Issues

Health check

We need a health check for the AWS ALB. It should be served on /.well-known/healthcheck.json and respond with {"ok": true, "date": "2017-12-27T13:13:09.373Z"} or similar.

Conveyor calls fail with Invalid signature

Calls to conveyor have not been working for 3 days and are breaking the steps in the signup flow. Has something changed? We are currently using salut on localhost + https://conveyor.steemitdev.com. Here is the error from steem-js:
RPCError: Unauthorized: Verification failed (Invalid signature)

Error: Checksums do not match on 'conveyor.is_email_registered' call

Using the last login / password provided by @bonustrack for the conveyor calls I have this error:

Error: Checksums do not match

when I call the conveyor.is_email_registered endpoint on the check email step for instance.

Nothing changed in the code; it's the error I have had since this morning.
The STEEMJS_URL is configured to use: https://api.steemit.com

With complete details:

Error: Checksums do not match
    at Object.toBits (D:\Dev\Projects\Steemit\faucet\node_modules\@steemit\libcrypto\lib\crypto.js:3166:13)
    at Object.deserializePrivateKey (D:\Dev\Projects\Steemit\faucet\node_modules\@steemit\libcrypto\lib\crypto.js:3387:42)
    at Function.PrivateKey.from (D:\Dev\Projects\Steemit\faucet\node_modules\@steemit\libcrypto\lib\crypto.js:3463:26)
    at sign (D:\Dev\Projects\Steemit\faucet\node_modules\@steemit\rpc-auth\lib\index.js:114:42)
    at Steem.signedCall (D:\Dev\Projects\Steemit\faucet\node_modules\@steemit\steem-js\lib\api\index.js:215:45)
    at Steem.signedCall (internal/util.js:227:26)

Testrunner should do docker builds

Currently we are set up to only run the node tests; the circle test runner should build the docker image (which includes running the tests).

Docker build fails at `yarn run test`

Docker build fails with:

Step 7/8 : RUN yarn run test
 ---> Running in 96e29a120072
yarn run v1.3.2
$ yarn run lint && nsp check --output summary
$ eslint "src/**/*.js" "routes/**/*.js" "helpers/**/*.js"
/bin/sh: eslint: not found
error Command failed with exit code 127.
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.
error Command failed with exit code 1.
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.
The command '/bin/sh -c yarn run test' returned a non-zero code: 1

When NODE_ENV=production, eslint is not an installed node_module so it's not available. The yarn run test needs to still succeed after installing in production mode.

I believe the fix will need to happen here: https://github.com/steemit/faucet/blob/master/webpack/makeConfig.js

Change captcha for chinese signups

We need to support signups from China, the GFW blocks the google captcha we use. Our options are:

  1. Switch captcha provider (yinxiangma.com was suggested)
  2. Skip the captcha for ip addresses originating from China
  3. Roll our own solution (using something like svg-captcha)

Both 2. and 3. are gameable by a determined attacker (Chinese VPN, train ANN on easily generated dataset).

I'm in favour of 3. since it provides some level of protection and we will not be relying on a third party.

cc @bonustrack @sneak @goldibex

Padding on small screen should be smaller

Padding on mobile should be smaller, 20px is enough.

Also now there is a padding of 50px left and 60px right, there should not be a difference between left and right.

Set user status as 'pending_creation' while account creating

To avoid concurrent requests to api/create_account we should set the user status to pending_creation in the database at the beginning of the request. We should return an error if the user sends a request and already has a status of pending_creation. If the account creation fails we can set the user back to approved status so he can start the account creation process again.

Related to #155

Last step fails

Going through the process the last step fails with:

{"error":"error_api_create_account","detail":{"cause":{},"isOperational":true}}

Logs empty

Redirect with username and tracking ids

Condenser supports autofill in the login form, we should use that when redirecting:

https://steemit.com/login.html#account=billbonds

And we also need the ability to pass along identifiers that are carried through the process and sent to the DEFAULT_REDIRECT_URI.


Spec:

  1. Values passed via query strings to first step are carried through the signup process
  2. Redirect uri is resolved via templating
    1. Variables in template look like: {{variable_name}}
    2. username is special and is populated by newly created username and not overridable by first step query strings

Example: With DEFAULT_REDIRECT_URI set to https://example.com/{{username}}?foo={{bar}} and an initial entry point to step1 with ?bar=man and new username baz the redirect url should resolve to: https://example.com/baz?foo=man

Tests:

  • Template: DEFAULT_REDIRECT_URI="http://localhost:1234/{{username}}/foo?u={{username}}&id={{id}}"
    • New username: monika
    • Step 1 query string: ?id=1234
    • Result: http://localhost:1234/monika/foo?u=monika&id=1234
  • Template: DEFAULT_REDIRECT_URI="https://example.com"
    • New username: monika
    • Step 1 query string: ?id=1234
    • Result: https://example.com
  • Template: DEFAULT_REDIRECT_URI="https://example.com#{{username}}"
    • New username: monika
    • Step 1 query string: ?username=hax
    • Result: https://example.com#monika
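
The templating spec in the issue above can be implemented as follows. This is an added example, not code from the faucet repository; the function name resolveRedirect, the empty-string result for unknown variables, the percent-encoding of values and the origin check are assumptions that go beyond the spec.

```javascript
// Added example, not the project's code.
const PLACEHOLDER = /\{\{(\w+)\}\}/g;

// Collect step-1 query values; the new username is written last so that a
// ?username=... query string can never override it.
function collectVars(stepOneQuery, username) {
  const vars = Object.create(null); // no inherited keys such as "constructor"
  for (const [key, value] of new URLSearchParams(stepOneQuery)) {
    if (!(key in vars)) vars[key] = value; // first occurrence wins (assumption)
  }
  vars.username = username;
  return vars;
}

function resolveRedirect(template, username, stepOneQuery) {
  const vars = collectVars(stepOneQuery, username);
  // Percent-encode every value so it cannot add path segments, parameters
  // or a fragment to the redirect. Unknown variables become '' (assumption).
  const resolved = template.replace(PLACEHOLDER, (match, name) =>
    name in vars ? encodeURIComponent(vars[name]) : '');
  // Added hardening: user-supplied values must never change where we redirect to.
  const expectedOrigin = new URL(template.replace(PLACEHOLDER, '')).origin;
  if (new URL(resolved).origin !== expectedOrigin) {
    throw new Error('template variables changed the redirect origin');
  }
  return resolved;
}
```
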

Unhandled promise in check_username

In check_username I'm intermittently getting timeouts, logs show:

UnhandledPromiseRejectionWarning: Unhandled promise rejection (rejection id: 17): SequelizeDatabaseError: Table 'faucet.users' doesn't exist

Might be a configuration error as we just got this setup but we should never time out, return 500 on all unexpected errors.

Step 2 email signup broken

After submitting email on step 2 the button spins forever and console shows:

Both RECAPTCHA_CLIENT_ID and RECAPTCHA_SECRET are set

[Error] Error: Missing required parameters: sitekey
	Gq (recaptcha__en.js:365:337)
	jr (recaptcha__en.js:375:467)
	xr (recaptcha__en.js:381:205)
	explicitRender (app.min.js:94:625)
	componentDidMount (app.min.js:94:1089)
	notifyAll (app.min.js:64:25902)
	close (app.min.js:93:12948)
	closeAll (app.min.js:32:12042)
	perform (app.min.js:32:11535)
	perform (app.min.js:32:11448)
	C (app.min.js:23:26591)
	C
	closeAll (app.min.js:32:12042)
	perform (app.min.js:32:11535)
	dispatchEvent (app.min.js:93:8636)
	dispatchEvent
[Error] Error: Missing required parameters: sitekey
	Gq (recaptcha__en.js:365:337)
	jr (recaptcha__en.js:375:467)
	xr (recaptcha__en.js:381:205)
	explicitRender (app.min.js:94:625)
	componentDidUpdate (app.min.js:94:1154)
	(anonymous function)
	notifyAll (app.min.js:64:25902)
	close (app.min.js:93:12948)
	closeAll (app.min.js:32:12042)
	perform (app.min.js:32:11535)
	perform (app.min.js:32:11448)
	C (app.min.js:23:26591)
	C
	closeAll (app.min.js:32:12042)
	perform (app.min.js:32:11535)
	dispatchEvent (app.min.js:93:8636)
	dispatchEvent
[Error] Error: Invalid ReCAPTCHA client id: undefined
	rethrowCaughtError (app.min.js:39:12352)
	processEventQueue (app.min.js:31:21548)
	r (app.min.js:93:7245)
	handleTopLevel (app.min.js:93:7330)
	o (app.min.js:93:7774)
	perform (app.min.js:32:11448)
	dispatchEvent (app.min.js:93:8636)
	dispatchEvent

Phone number verification

We have both false positives and false negatives in our local validator. We should remove the local validator and just do a basic check that it looks like a phone number, then let Twilio do the validation for us. They return code 21614 or 21211 for invalid numbers.

Prevent creation of names similar to known steem services like exchanges

On the blocktrade's steem account creator, we block the creation of names similar to the names of existing services such as bittrex, poloniex, blocktrades, etc. (e.g. bitttrex, bloktrades). It'd be nice if the steemit faucet did the same: it might discourage casual creation of such names if there was a cost associated with their creation.

Database init

Need instructions on how to init the database, or even better would be if the app handles that automagically when run.

Clean up dependencies

We should remove any dependency in package.json that is not used

Also anything that is not needed by the server runtime should be in devDependencies (react, babel, webpack, nodemon etc)

Rename package

package.json name says sc2-signup, should be faucet, private should also be set to true

Send a welcome email to user with his username when account is successfully created

It seems to be a common issue that users forget their username. Currently on step 2 we show the username when he completes the signup with a message: "Welcome @username". But once the user closes the page he doesn't have access to it anymore. It would be better if we could send him an email telling him "Welcome @username, your account has been successfully created...", so his username is saved somewhere in his mail and he can get this info back more easily if he forgets.

Email verification

Was able to create an account without verifying email address, is this intentional? Phone verification was required and worked

refactor api/create_account route handler so it can be test-able

and write the tests, also :)

some possible test scenarios:

  • account creation works as expected
  • if an account creation fails, the user's db row should still exist so the user can retry
  • only the first of any concurrent requests using the same token should be accepted, and the additional requests should be logged / flagged
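
The pending_creation guard from the earlier issue and the three test scenarios listed above, as an added example that is not code from the faucet repository. The users table is replaced by an in-memory Map with constructed rows, requests are keyed by user id rather than token, and the 'created' status, the 409 response and the createOnChain callback are hypothetical.

```javascript
// Added example, not the project's code. With a SQL database the claim is
// one conditional UPDATE, e.g.
//   UPDATE users SET status='pending_creation' WHERE id=? AND status='approved'
// and the request proceeds only if exactly one row was affected.
const flagged = []; // requests rejected because a creation was already running

function claim(users, id) {
  const user = users.get(id);
  if (!user || user.status !== 'approved') return false;
  user.status = 'pending_creation'; // check and set with no await in between
  return true;
}

function release(users, id, status) {
  users.get(id).status = status;
}

// createOnChain is a hypothetical async function that broadcasts the account.
async function createAccount(users, id, createOnChain) {
  if (!claim(users, id)) {
    flagged.push({ id, at: Date.now() });
    return { status: 409, error: 'creation_already_pending' };
  }
  try {
    await createOnChain(id);
    release(users, id, 'created');
    return { status: 200 };
  } catch (err) {
    release(users, id, 'approved'); // row survives, the user may retry
    return { status: 500, error: 'error_api_create_account' };
  }
}

// Three concurrent requests for one user, then a failing creation for another.
async function demo() {
  const users = new Map([['u1', { status: 'approved' }], ['u2', { status: 'approved' }]]);
  const slowOk = () => new Promise((resolve) => setTimeout(resolve, 10));
  const fail = () => Promise.reject(new Error('rpc down'));
  const results = await Promise.all([1, 2, 3].map(() => createAccount(users, 'u1', slowOk)));
  const failed = await createAccount(users, 'u2', fail);
  return { codes: results.map((r) => r.status), u1: users.get('u1').status,
           failed: failed.status, u2: users.get('u2').status };
}
```
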

Option to remove colours from logs

Our logging system does not support ANSI escape codes for colours; we need to be able to disable them for more readable logs.

#033[0mGET /api/check_username?username=dooonnkkk&email= #033[0m- #033[0m- ms - -#033[0m

referrer should default to steemit

As a visitor to signup.steemit.com, I expect the steemit logo to show up somewhere so I trust the site, even if I don't supply the ref=steemit query string.

Configuration module

Instead of reading process.env['VAR'] everywhere we should rely on a central config

Generated password format

Faucet's generated passwords do not follow the P5 prefixed "master password" convention condenser has.

This is bad since we use that to detect if users accidentally post their passwords and save them from shooting themselves in the foot

CC @sneak @goldibex @bonustrack

Temporary account recovery

Until we replace the account recovery endpoints in condenser we need to forward data to the old db so that the recovery support can use the existing tooling.

We are setting up an endpoint in condenser at /create_user that faucet needs to hit after creating a new account with the params:

  • name - account name
  • email - verified email
  • owner_key - public owner key of the new account
  • secret - creation password, will be set in service config

Refs steemit/condenser#2259

Use correct input types for fields

To make signup smoother on mobile we should use the correct input types for all fields, also all autocorrecting features should be disabled for the username field:
autocomplete="off" autocorrect="off" autocapitalize="off" type="text" spellcheck="false"

http://mobileinputtypes.com

Send email in user locale

Currently users only receive email in English; we should work out internationalisation for email templates. The user's language should be stored in the db so we can send him email in his language.
