guidojw / arora-api

Backend used to access the Roblox Web API with extra features on top.

License: MIT License

JavaScript 2.89% Shell 5.06% Dockerfile 0.31% TypeScript 91.74%
api roblox

arora-api's Issues

Verify Trello webhook signature

The Trello webhook requests are currently not verified, so anyone could send an action to the endpoint and it would show up in the Discord. Fix this by verifying the requests using the provided code on the Trello API documentation.
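An added example (not code from arora-api or copied from Trello's documentation) of the check this issue asks for, following the scheme Trello documents: a base64 HMAC-SHA1 over the request body concatenated with the callback URL, keyed with the application secret and sent in the `X-Trello-Webhook` header. The `req.rawBody` property, the function names and the sample values are assumptions.

```javascript
const crypto = require('node:crypto');

// Signature per Trello's webhook docs: base64(HMAC-SHA1(secret, body + callbackURL)).
function trelloSignature(rawBody, callbackURL, secret) {
  return crypto.createHmac('sha1', secret)
    .update(rawBody + callbackURL)
    .digest('base64');
}

// Returns true only when the header matches the signature computed locally.
function isValidTrelloWebhook(rawBody, signatureHeader, callbackURL, secret) {
  if (typeof rawBody !== 'string' || typeof signatureHeader !== 'string') return false;
  const expected = Buffer.from(trelloSignature(rawBody, callbackURL, secret), 'base64');
  const received = Buffer.from(signatureHeader, 'base64');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return received.length === expected.length &&
    crypto.timingSafeEqual(received, expected);
}

// Express-style middleware (hypothetical name). Assumes the body parser kept the
// unparsed body as a string in req.rawBody; re-serialising parsed JSON may not be
// byte-identical to what Trello signed.
function trelloWebhookGuard({ callbackURL, secret }) {
  return (req, res, next) => {
    const header = req.headers['x-trello-webhook'];
    if (!isValidTrelloWebhook(req.rawBody, header, callbackURL, secret)) {
      res.statusCode = 401; // reject before the action reaches Discord
      return res.end();
    }
    return next();
  };
}

// Constructed sample values, not real credentials or a real endpoint.
const SAMPLE = {
  secret: 'constructed-app-secret',
  callbackURL: 'https://api.example.com/v1/trello',
  body: '{"action":{"type":"updateCard","data":{"card":{"name":"Demo"}}}}'
};

// Runs the guard against a minimal fake request and reports what happened.
function simulate(body, header) {
  const result = { status: null, passed: false };
  const res = { set statusCode(v) { result.status = v; }, end() {} };
  const guard = trelloWebhookGuard(SAMPLE);
  guard({ rawBody: body, headers: { 'x-trello-webhook': header } }, res,
    () => { result.passed = true; });
  return result;
}
```

The callback URL passed to the guard has to be exactly the URL the webhook was registered with, since it is part of the signed content.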

Token Validation Errors

Because none of the requests in Bloxy has disallowedStatusCodes: [403, ...], my PR at Bloxy doesn't change any functionality of the library. Bloxy thinks the status code for Token Validation Errors (403) is allowed and therefore that the request has been executed successfully.

Two possible solutions to this problem:

  • Add a new response handler to the RESTController that somehow checks if when the request needed an XCSRF token, it doesn't fail with Token Validation Errors.
  • Add disallowedStatusCodes: [403, ...] to all requests, or find a way to specify this on one place only.

Test these things on my Bloxy fork and PR once it works.

Support HTTPS

Get the certificates worked out and then expose the API on port 443.

Automatically payout train devs

Currently I have to do this manually. The Bloxy library has a wrapper for the Roblox Economy API that will allow a system like this.

This is important to do right the first time so possibly check the code several times before merging the PR that implements this system.

Automatically announce trainings

Currently the training shouts aren't really versatile.
Make them include more information and automatically announce them at a specific time every day.

Use cookie pool system

Use the cookie pool system by grilme99 to refresh the cookies and have backup for when a cookie invalidates.

Link

Dynamic Training Types

Add a new training type table to the database and change the training.type's type from enum to a foreign key referencing this new table.

Extending a suspension doesn't work

Days and seconds are getting mixed up in the code, it throws an HTTP 403.
It also interpreted it as a reason change, this is because of a lack of proper conditionals.

Update Yarn to v2

Requires #272 to be merged first (so the npm explore ... stuff isn't used in package.json anymore).

Migrate ranks to role IDs

Over a span of time several roles can have the same rank. Due to this, change all the rank columns in the database to roleIds.

Automatic payouts don't work

Ever since enabling the automatic payouts in the train developer payouts job, the reports don't work and the payouts don't actually happen.

Use Sentry for application monitoring

Sentry is a handy tool that can be used to monitor the application by for example having the errors in one place. It can also be connected to a Discord webhook so that people will be notified of errors immediately.

Merge suspensions into bans

Add a duration column to the bans table and merge the suspensions system into the ban system. Rename the suspension_extensions table and make it point at bans instead.

Tests

Implement tests for the code and make Buildkite CI run these.

  • models schema
  • models validation
  • services
  • routes
  • util

Add websocket support

Add websocket support and have the Discord bot connect to that so that when a person's rank changes, the API can tell the Discord bot.

Roblox API for getting join requests now uses pages

The new endpoints of Roblox changed the way some of the methods functioned. The endpoint for getting join requests is one of these, this now uses pages so it only fetches the first page the way I utilise this now. Change so that it goes through all available pages.

Endpoints for logging in and out

For a maybe future UI, implement the following system:

Routes

POST /login/discord?code=AUTHORIZATION_CODE

For logging in with an authorization code retrieved from Discord OAuth2, returns HTTP 200 + HttpOnly cookie including sessionId.

POST /logout

Invalidates cookie.

Authentication

Check if header contains a bearer JWT of which the id is coupled to an application with scope "bot". If it does, authenticate successfully.
Otherwise, check if the request contains a cookie with a JWT token that is valid, then authenticate successfully.

Change authentication to use HTTP headers instead of body

Currently the authentication middleware checks the id and key sent in a request's body. This can however be improved to use the headers of the request so that the GET routes that currently have their required authentication body fields commented out can also be protected.

Clean up routes

There are currently some unnecessary routes. An example is the get join date route, the join date can also be fetched by using the get user route. Also change the promote endpoint to an update role endpoint that takes any rank.

Fix error handling

Something goes wrong on the server with error handling, see pictures. Looks like the express-async-errors is not working correctly/Sentry catches all errors.
Screenshot_1317
Screenshot_1316

Check if oldRank !== newRank in GroupService.changeRank

Currently the changeRank function in GroupService will resolve successfully even if the rank argument is the same as the user's current rank and thus something like "ADMIN promoted USER from RANK to RANK" where the ranks are the same.
This log message is obviously not useful so check if the new and old rank are the same and don't log if they are.

Style changes

Add a .editorconfig file to indicate editor configurations like what eol and indent-style is used.

Also make decisions about other style changes that can be indicated in the .eslintrc file.
Rules that I've been considering lately:

  • the use of semi colons

Dependency Dashboard

This issue provides visibility into Renovate updates and their statuses.

This repository currently has no open or pending branches.


  • Check this box to trigger a request for Renovate to run again on this repository

Update Bloxy to v5

Bloxy got updated recently (with docs :D), so update it to the newest version and change the dependency version from linking directly to the dev repository to the actual version number.

I've found a bug with the new version already: the memberCount value is not included in the Group structure. Will submit a PR for that on the Bloxy repository soon.

Set up Continuous Integration/Continuous Deployment

A feature I've been wanting to do for a long time.
This feature would prevent issues like the recent issues with updating Bloxy to v5 from happening.

Options: TravisCI, CircleCI, Buildkite, ...
I think I wanna go for Buildkite as I'm most experienced with that and it seems like they have a free plan that provides my needs.

Steps:

  • Linter
  • Tests (non-existent now, need to work on that).
  • Deploy

This can greatly be used coexistently with Docker.

Noblox.js -> Bloxy

Use the Bloxy npm in order to have access to more Roblox endpoints and to enable multiple clients to be logged in on the API.

Fix some minor database schema problems

The following problems need to be fixed:

  • make user and author IDs columns not nullable again (regression from #170)
  • remove Sequelize-level validations from migrations
  • some date columns that default to Sequelize.NOW only have that set in the model definitions

Support query arguments

Support query arguments for some of the endpoints that are used for getting resources. A query argument that would be nice is for example ?scope=name, which would only fetch resources from the database with given scope.
