guardians-dsc / iarl-nodejs Goto Github PK

I think we could start opening issues and resolving them with our PRs. What do you guys think?

winston is a great module for doing this.

There are still files in the project related to the front, I deleted and adapted the project to get leaner.

Convert content-type 'text/plan' provided by the request header to json.

This issue aims to remember us to add the IARL description to documentation.

We need to block user navigation to your home directory.

That issue aims at remember us that we must use documentation in our project sooner or later.

``

To avoid any kind of brute force attack when logging into the application, we should put a delay of 200ms for each attempt of login. This value may change in future, but it's a good start.
it is also a good time to think and review the code searching for some vulnerability.

it would be nice if we track the code quality of this repository.
there are some GitHub apps that review the code automatically after every PR or commit, I recommend CodeBeat. it searches the code for bad smells and report them.
if this suggestion is well accepted, i can easily configure it for this repository.

node update allows populate req.body using the json() function.

We must ensure security and increase performance to put the application into production.
Good pratices for production: http://expressjs.com/pt-br/advanced/best-practice-performance.html

How will we list the directories of an user? The real client of our back-end application is our front-end. How will be the json of directory listing returned to the front?

Endpoint to get the LCCs servers.

GET method documentation from /api/download endpoint.

We must ensure security so we need to review the temporary fix of regex verification at this commit

An efficient way to test the code is with automatic testing. mocha and chai are simple and efficient modules for testing. This site explains about them https://medium.com/@hbarcelos/bdd-para-iniciantes-com-node-js-mocha-and-chai-649d13f9564

The file can be very large and take up a lot of memory space. Using Streams, the file can be processed and sent in small chuncks, saving resources and increasing performance.

We need to think a better way to solve the problems with vulnerable dependencies. We should not do it manually.

As discussed, ldap validation seems to be better than ssh, since it is faster and more stable.

Add a path variable in the response to indicate the current path.

"path": "/home/Documents/",
"items": [
    {
        "name": "dir1",
        "isFile": false
    }
]

The following keywords, followed by an issue number, will close the issue:

• close
• closes
• closed
• fix
• fixes
• fixed
• resolve
• resolves
• resolved

see https://help.github.com/en/articles/closing-issues-using-keywords for more details.

This issue aim at remember us to review the session feature and hide the secret key using environment variables, if after the review that key still exist.

Since that application already has a dockerfile configuration, I think we should ensure that we are using it.

We should update our Dockefile to use Guardians' DockerHub, just like iarl-vue does.

How will we handle the downloads? Is it easy to download from the server that is running the application, but the other two?

To reduce some lines of code and turn it more legible we could implement the cors module.

Kind of a continuation of #31, this issue proposes that this project should use continuous integration. To do it, we need to seach how it is often done by other developers for each intern project here. For example travis-CI offers support to JavaScript using nodejs, but not to TypeScript...

Update module

Because the application will run on three servers, the session can not be used. Because the data is saved in server memory, when he changes server, session data will not be available and the client will need to sign in again. The token solves this problem, since it contains the required data and will be on the client side

What should we do when our application receives an invalid json?

To be more maintainable, the application needs a configuration directory to store the "development" and "production" variables (as well as environment variables). This can be make using the config module.

I thought about using standardjs + semicolons.

• Currently, the directory listing endpoint allows the client to access other directories that should not have access.
• Adapt to REST pattern

After a successful authentication via ldap, what will we do with the login and password of the client? Should we save it in some place to use later?

Sometimes the browser makes an OPTIONS request before making the expected request. The server does not support this type of request.

https://github.com/Guardians-DSC/iarl/blob/c7f5c6d9d0f78e13468acbab8200cd2fed15a775/controllers/login.js#L7
In javascript, empty strings have a false boolean type, as well as undefined and null data.
In this case, an expression that would cover the undefined and null cases would be:
if (req.body.username || req.body.password) {

GET method documentation from /api/servers endpoint.

Analyzing the IARL repositories, we can see the absence of a standardized language in the README.md files.

While the iarl-who and iarl-nodejs repositories have a description in Brazilian Portuguese, iarl-vue, iarl-angular, and iarl-react have a description in English.

To standardize the descriptions, which language will be used?

Refact this line:

Pass the directory path to be listed in the format: 127.0.0.1:3000/api/directory-list/path/directory instead of passing the parameters in the GET request (ex. 127.0.0.1:3000/api/directory-list?path=paht/directory).

As the project is open-source, it would be interesting to adopt a style guide. Well known is StandardJS, it automatically corrects the code.

It's time to think how can we test this application. This issue aims at remeber that and also propose to do it using some application to calculate code coverage.