[AB#47252] fix various CVEs by bumping dependencies (#156)

* fix: various CVEs

* feat: rate limiting

* chore: updated dependabot config

* fix: pr name validation pipeline

.adops/pr-name-validation.yml

@@ -5,6 +5,9 @@ pr:
     include:
       - main
 
+variables:
+  - group: github-automation
+
 jobs:
   - job: VerifyPrName
     pool:
@@ -19,6 +22,8 @@ jobs:
           echo "Pull Request Number: $prNumber"
 
           repoUrl=$(System.PullRequest.SourceRepositoryURI)
+          # remove .git from repoUrl if present (when raising PRs from vscode, this can happen)
+          repoUrl="${repoUrl%.git}"
 
           # extract org and repo name from repoUrl
           orgRepo=$(echo "$repoUrl" | sed -e 's/.*github.com\/\(.*\)/\1/')
@@ -43,5 +48,5 @@ jobs:
               exit 1
           fi
         env:
-          GITHUB_TOKEN: $(GITHUB_TOKEN)
+          GITHUB_TOKEN: $(GH_TOKEN) # from the variable group
         displayName: 'Verify Pull Request Name'

.github/dependabot.yml

@@ -9,3 +9,11 @@ updates:
     directory: "/" # Location of package manifests
     schedule:
       interval: "weekly"
+    target-branch: "dev"
+    open-pull-requests-limit: 0
+  - package-ecosystem: "docker" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"
+    target-branch: "dev"
+    open-pull-requests-limit: 0

package.json

@@ -34,7 +34,7 @@
     "build:payment-frontend:prod": "yarn && wsrun -trm -p frontend-service -c build && yarn install --prod"
   },
   "devDependencies": {
-    "@axinom/mosaic-cli": "0.18.4",
+    "@axinom/mosaic-cli": "^0.41.0",
     "@types/jest": "^29.5.1",
     "@types/node": "^18.14.1",
     "@typescript-eslint/eslint-plugin": "^5.59.5",

services/frontend-service/service/package.json

@@ -27,9 +27,9 @@
     "token": "yarn util:load-vars ts-node --files -r dotenv/config scripts/end-user-token.ts"
   },
   "dependencies": {
-    "@axinom/mosaic-id-guard": "0.22.0",
-    "@axinom/mosaic-id-link-be": "0.13.8",
-    "@axinom/mosaic-service-common": "0.39.0",
+    "@axinom/mosaic-id-guard": "0.40.0",
+    "@axinom/mosaic-id-link-be": "0.29.0",
+    "@axinom/mosaic-service-common": "0.57.0",
     "dotenv": "^16.0.3",
     "env-var": "^7.3.0",
     "express": "^4.18.2",
@@ -52,4 +52,4 @@
     "ts-node": "^10.9.1",
     "tsc-watch": "^6.0.4"
   }
-}
+}

services/payment-connector/service/package.json

@@ -30,15 +30,16 @@
     "codegen": "yarn util:load-vars graphql-codegen --config codegen.yml"
   },
   "dependencies": {
-    "@axinom/mosaic-id-guard": "0.22.0",
-    "@axinom/mosaic-id-link-be": "0.13.8",
-    "@axinom/mosaic-service-common": "0.39.0",
+    "@axinom/mosaic-id-guard": "0.40.0",
+    "@axinom/mosaic-id-link-be": "0.29.0",
+    "@axinom/mosaic-service-common": "0.57.0",
     "ajv": "^8.12.0",
     "cors": "^2.8.5",
     "dotenv": "^16.0.3",
     "env-cmd": "^10.1.0",
     "env-var": "^7.3.0",
     "express": "^4.18.2",
+    "express-rate-limit": "^7.5.0",
     "graphile-build": "^4.13.0",
     "graphile-build-pg": "^4.13.0",
     "graphile-utils": "4.13.0",
@@ -50,7 +51,7 @@
   },
   "devDependencies": {
     "@babel/core": "^7.0.0-0",
-    "@graphql-codegen/cli": "^3.2.0",
+    "@graphql-codegen/cli": "^4.0.1",
     "@graphql-codegen/typescript": "^3.0.1",
     "@graphql-codegen/typescript-graphql-request": "^4.5.8",
     "@graphql-codegen/typescript-operations": "^3.0.1",
@@ -77,4 +78,4 @@
     "tsc-watch": "^6.0.4",
     "typescript": "^4.9.5"
   }
-}
+}

services/payment-connector/service/src/generated/graphql/billing.ts

@@ -414,7 +414,6 @@ export type DeletePaymentProviderPayload = {
    * unchanged and unused. May be used by a client to track mutations.
    */
   clientMutationId?: Maybe<Scalars['String']>;
-  deletedPaymentProviderNodeId?: Maybe<Scalars['ID']>;
   /** The `PaymentProvider` that was deleted by this mutation. */
   paymentProvider?: Maybe<PaymentProvider>;
   /** An edge for our `PaymentProvider`. May be used by Relay 1. */
@@ -451,7 +450,6 @@ export type DeletePaypalSettingPayload = {
    * unchanged and unused. May be used by a client to track mutations.
    */
   clientMutationId?: Maybe<Scalars['String']>;
-  deletedPaypalSettingNodeId?: Maybe<Scalars['ID']>;
   /** Reads a single `PaymentProvider` that is related to this `PaypalSetting`. */
   paymentProvider?: Maybe<PaymentProvider>;
   /** The `PaypalSetting` that was deleted by this mutation. */
@@ -1075,7 +1073,6 @@ export type Mutation = {
   deletePaymentProvider?: Maybe<DeletePaymentProviderPayload>;
   /** Deletes a single `PaypalSetting` using a unique key. */
   deletePaypalSetting?: Maybe<DeletePaypalSettingPayload>;
-  populateSubscriptions?: Maybe<PopulatePayload>;
   setSettings?: Maybe<SetSettingsPayload>;
   /** Updates a single `PaymentProvider` using a unique key and a patch. */
   updatePaymentProvider?: Maybe<UpdatePaymentProviderPayload>;
@@ -1124,12 +1121,6 @@ export type MutationDeletePaypalSettingArgs = {
 };
 
 
-/** The root mutation type which contains root level fields which mutate data. */
-export type MutationPopulateSubscriptionsArgs = {
-  input: PopulateInput;
-};
-
-
 /** The root mutation type which contains root level fields which mutate data. */
 export type MutationSetSettingsArgs = {
   input: SetSettingsInput;
@@ -1997,18 +1988,6 @@ export type PeriodUnitFilter = {
   notIn?: InputMaybe<Array<PeriodUnit>>;
 };
 
-export type PopulateInput = {
-  count: Scalars['Int'];
-  includeStatusChanges?: InputMaybe<Scalars['Boolean']>;
-  includeTransactions?: InputMaybe<Scalars['Boolean']>;
-};
-
-export type PopulatePayload = {
-  __typename?: 'PopulatePayload';
-  count: Scalars['Int'];
-  query?: Maybe<Query>;
-};
-
 /** The root query type which gives access points into the data universe. */
 export type Query = {
   __typename?: 'Query';
@@ -3354,9 +3333,23 @@ export type SubscriptionTypeFilter = {
   userId?: InputMaybe<UuidFilter>;
 };
 
+export enum SubscriptionTypeSubscriptionEventKey {
+  SubscriptionChanged = 'SUBSCRIPTION_CHANGED',
+  SubscriptionCreated = 'SUBSCRIPTION_CREATED',
+  SubscriptionDeleted = 'SUBSCRIPTION_DELETED',
+  SubscriptionStatusChangeChanged = 'SUBSCRIPTION_STATUS_CHANGE_CHANGED',
+  SubscriptionStatusChangeCreated = 'SUBSCRIPTION_STATUS_CHANGE_CREATED',
+  SubscriptionStatusChangeDeleted = 'SUBSCRIPTION_STATUS_CHANGE_DELETED',
+  SubscriptionTransactionChanged = 'SUBSCRIPTION_TRANSACTION_CHANGED',
+  SubscriptionTransactionCreated = 'SUBSCRIPTION_TRANSACTION_CREATED',
+  SubscriptionTransactionDeleted = 'SUBSCRIPTION_TRANSACTION_DELETED'
+}
+
 export type SubscriptionTypeSubscriptionPayload = {
   __typename?: 'SubscriptionTypeSubscriptionPayload';
+  /** @deprecated Use 'eventKey' instead. */
   event?: Maybe<Scalars['String']>;
+  eventKey?: Maybe<SubscriptionTypeSubscriptionEventKey>;
   id: Scalars['UUID'];
   subscription?: Maybe<SubscriptionType>;
 };

services/payment-connector/service/src/stripe-domain/customer-overview-route.ts

@@ -2,6 +2,7 @@ import { assertError, Logger } from '@axinom/mosaic-service-common';
 import cors from 'cors';
 import { Application, Request, Response } from 'express';
 import { Config, parseAuthenticationTokenValue } from '../common';
+import { limiter } from './rate-limit';
 import { getStripe } from './stripe-init';
 
 /**
@@ -52,6 +53,6 @@ export const customerOverviewRoute = (
       res.status(400).send([]);
     }
   };
-  app.get('/customer-overview', [cors(), customerOverviewMiddleware]);
+  app.get('/customer-overview', [cors(), limiter, customerOverviewMiddleware]);
   app.options('/customer-overview', [cors()]);
 };

services/payment-connector/service/src/stripe-domain/rate-limit.ts

@@ -0,0 +1,7 @@
+import rateLimit from 'express-rate-limit';
+
+export const limiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 100, // limit each IP to 100 requests per windowMs
+  message: 'Too many requests from this IP, please try again after 15 minutes',
+});

services/payment-connector/service/src/stripe-domain/start-checkout-route.ts

@@ -4,6 +4,7 @@ import { Application, json, Request, Response } from 'express';
 import { Config, parseAuthenticationTokenValue } from '../common';
 import { getMosaicBillingClient } from '../mosaic-domain';
 import { ensureCustomerExists } from './ensure-customer-exists';
+import { limiter } from './rate-limit';
 import { getStripe } from './stripe-init';
 
 /**
@@ -73,6 +74,11 @@ export const startCheckoutRoute = (app: Application, config: Config): void => {
       res.status(400).send({ subscriptionId: null, redirectUrl: null });
     }
   };
-  app.post('/start-checkout', [json(), cors(), startCheckoutMiddleware]);
+  app.post('/start-checkout', [
+    json(),
+    cors(),
+    limiter,
+    startCheckoutMiddleware,
+  ]);
   app.options('/start-checkout', [cors()]);
 };