Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

refactor: use convict for configuration #190

Merged
merged 65 commits into from
Sep 3, 2020
Merged

refactor: use convict for configuration #190

merged 65 commits into from
Sep 3, 2020

Conversation

arshadali172
Copy link
Contributor

@arshadali172 arshadali172 commented Aug 21, 2020
edited
Loading

Problem

Closes #92

Solution

Refactoring

  • Move environment variable default and validation to convict
  • Refactor configuration values into compulsoryVarsSchema, optionalVarsSchema and prodOnlyVarsSchema to make clear which env vars are needed when
  • Add validation of AWS bucket Urls
  • Move config types into types/config.ts
  • Refactor configuration of nodemailer transport to be based on environment, not on existence of environment variables
  • Refactor configuration of dbHost to be based on environment and enforce format of mongodb uri

Clean-up

  • Remove SES_RATEDELTA and SES_RATE which are deprecated from nodemailer
  • Add default for chromiumBin
  • Move cspReportUri to sentry bonus feature, enforce url type and only add to helmet if defined

Documentation

  • Document IS_LOGIN_BANNER which weren't
  • Document CSP_REPORT_URI under sentry bonus feature
  • Move other env vars to sections where they should be

Security

  • Remove default for sessionSecret to prevent accidental non-specification

Tests

  • Test submission on all fields on email form in staging
  • Test submission on all fields on encrypt form in staging
  • Test submission on a SingPass form in staging

@arshadali172
Copy link
Contributor Author

arshadali172 commented Aug 21, 2020
edited
Loading

Discussion Points

  • DB_HOST should not be allowed to be an empty string. This might lead to production issues. Also, how can we enforce the format?
  • I don't think SESSION_SECRET should have a default. This may lead to production issues and is encouraging bad practice?Thoughts? @karrui
  • Can we have a better default for CSP_REPORT_URI? @liangyuanruo
  • Should we add a default for CHROMIUM_BIN?
  • Should we make it clearer which environment variables definitely need to be specified?

@arshadali172 arshadali172 changed the title Conviction refactor: use convict for configuration Aug 21, 2020
@liangyuanruo
Copy link
Contributor

DB_HOST should not be allowed to be an empty string. This might lead to production issues. Also, how can we enforce the format?

this library might be able to help

I don't think SESSION_SECRET should have a default. This may lead to production issues and is encouraging bad practice?

Yes definitely, please remove and have the server throw an exception if it is not supplied.

Can we have a better default for CSP_REPORT_URI?

Technically this is an optional environment variable, perhaps we can refactor to simply not include it in the CSP headers in the server response, if no value is supplied?

Should we add a default for CHROMIUM_BIN?

Sounds good to me, can provide the default alpine install location.

Should we make it clearer which environment variables definitely need to be specified?

If you mean readme, yes definitely.

@arshadali172
Copy link
Contributor Author

DB_HOST should not be allowed to be an empty string. This might lead to production issues. Also, how can we enforce the format?

this library might be able to help

I don't think SESSION_SECRET should have a default. This may lead to production issues and is encouraging bad practice?

Yes definitely, please remove and have the server throw an exception if it is not supplied.

Can we have a better default for CSP_REPORT_URI?

Technically this is an optional environment variable, perhaps we can refactor to simply not include it in the CSP headers in the server response, if no value is supplied?

Should we add a default for CHROMIUM_BIN?

Sounds good to me, can provide the default alpine install location.

Should we make it clearer which environment variables definitely need to be specified?

If you mean readme, yes definitely.

Addressed all concerns

mantariksh
mantariksh suggested changes Aug 27, 2020
View reviewed changes
src/config/schema.ts Outdated Show resolved Hide resolved
src/config/schema.ts Show resolved Hide resolved
src/config/schema.ts Outdated Show resolved Hide resolved
src/config/schema.ts Outdated Show resolved Hide resolved
src/config/schema.ts Show resolved Hide resolved
src/config/config.ts Outdated Show resolved Hide resolved
src/config/config.ts Outdated Show resolved Hide resolved
src/config/config.ts Show resolved Hide resolved
src/config/config.ts Show resolved Hide resolved
@liangyuanruo liangyuanruo removed their request for review August 28, 2020 02:25
mantariksh
mantariksh suggested changes Sep 2, 2020
View reviewed changes
Copy link
Contributor

@mantariksh mantariksh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

some additional thoughts. I also noticed that there are some env vars is spcp-myinfo.factory.js. Should we be folding this into the new schema as well?

src/config/schema.ts Outdated Show resolved Hide resolved
src/shared/constants.ts Outdated Show resolved Hide resolved
src/config/schema.ts Show resolved Hide resolved
@arshadali172
Copy link
Contributor Author

some additional thoughts. I also noticed that there are some env vars is spcp-myinfo.factory.js. Should we be folding this into the new schema as well?

good catch. I didn't even notice them. MyInfo is its own beast? and those env vars should go into spcp-myinfo.config

@arshadali172 arshadali172 mentioned this pull request Sep 2, 2020
Merged
4 tasks
mantariksh
mantariksh suggested changes Sep 2, 2020
View reviewed changes
Copy link
Contributor

@mantariksh mantariksh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

a few minor nits remaining! also, don't we need to add AWS_ENDPOINT=http://localhost:4572 to docker-compose.yml so the dev environment doesn't break?

docs/DEPLOYMENT_SETUP.md Outdated Show resolved Hide resolved
docs/DEPLOYMENT_SETUP.md Outdated Show resolved Hide resolved
src/config/config.ts Show resolved Hide resolved
src/config/schema.ts Show resolved Hide resolved
src/config/schema.ts Show resolved Hide resolved
src/config/schema.ts Show resolved Hide resolved
arshadali172 and others added 2 commits September 2, 2020 17:33
@arshadali172 @mantariksh
Update docs/DEPLOYMENT_SETUP.md
2f5c179 
Co-authored-by: Antariksh Mahajan <[email protected]>
@arshadali172 @mantariksh
Update docs/DEPLOYMENT_SETUP.md
8128ff9 
Co-authored-by: Antariksh Mahajan <[email protected]>
mantariksh
mantariksh approved these changes Sep 3, 2020
View reviewed changes
Copy link
Contributor

@mantariksh mantariksh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm with one minor comment! thank you for accommodating all my requests!

src/config/schema.ts
doc: 'Endpoint for S3 buckets',
format: (val) =>
validateBucketUrl(val, { isDev, hasTrailingSlash: false, region }),
default: 'https://s3.ap-southeast-1.amazonaws.com', // NOTE NO TRAILING / AT THE END OF THIS URL!
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would rather add this as an env var in prod than rely on a default the code, since there is a higher chance of messing up the code. But small matter, up to you

@arshadali172 arshadali172 merged commit 68a9ea5 into develop Sep 3, 2020
@liangyuanruo liangyuanruo deleted the conviction branch September 6, 2020 07:56
liangyuanruo added a commit that referenced this pull request Sep 6, 2020
@liangyuanruo
revert(convict): "refactor: use convict for configuration (#190)"
a3513d4 
This reverts commit 68a9ea5.
liangyuanruo added a commit that referenced this pull request Sep 6, 2020
@liangyuanruo
revert(convict): "refactor: use convict for configuration (#190)" (#285)
3e61aca 
This reverts commit 68a9ea5.
@arshadali172 arshadali172 restored the conviction branch September 7, 2020 02:00
arshadali172 added a commit that referenced this pull request Sep 7, 2020
@arshadali172
Revert "revert(convict): "refactor: use convict for configuration (#190
6549ed6 
…)" (#285)"

This reverts commit 3e61aca.
This was referenced Sep 7, 2020
Closed
Merged
@snyk-bot snyk-bot mentioned this pull request Dec 31, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@karrui karrui karrui left review comments

@mantariksh mantariksh mantariksh approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Use convict.js and type-checking for configuration management
4 participants
@arshadali172 @liangyuanruo @karrui @mantariksh