Merge to production: 12 Aug 2021

.env-example

@@ -5,6 +5,7 @@ export NODE_ENV="LOCAL_DEV"
 export COOKIE_DOMAIN="localhost"
 export AUTH_TOKEN_EXPIRY_DURATION_IN_MILLISECONDS=3600000
 export JWT_SECRET=mysecretblah
+export ENCRYPTION_SECRET=anothersecretblah
 export FRONTEND_URL='http://localhost:8081'
 export GITHUB_ORG_NAME="isomerpages"
 export GITHUB_BUILD_ORG_NAME="opengovsg"

classes/MediaFile.js

@@ -4,9 +4,11 @@ const {
   ConflictError,
   inputNameConflictErrorMsg,
 } = require("@errors/ConflictError")
+const { MediaTypeError } = require("@errors/MediaTypeError")
 const { NotFoundError } = require("@errors/NotFoundError")
 
 const validateStatus = require("@utils/axios-utils")
+const { validateAndSanitizeFileUpload } = require("@utils/file-upload-utils")
 
 // Import error
 
@@ -73,9 +75,7 @@ class MediaFile {
     if (resp.status !== 200) return {}
 
     return resp.data
-      .filter((object) => {
-        return object.type === "file"
-      })
+      .filter((object) => object.type === "file")
       .map((object) => {
         const pathNameSplit = object.path.split("/")
         const fileName = pathNameSplit[pathNameSplit.length - 1]
@@ -88,15 +88,20 @@ class MediaFile {
   }
 
   async create(fileName, content) {
-    try {
-      const endpoint = `${this.baseEndpoint}/${fileName}`
+    const sanitizedContent = await validateAndSanitizeFileUpload(content)
+    if (!sanitizedContent) {
+      throw new MediaTypeError(`File extension is not within the approved list`)
+    }
 
-      const params = {
-        message: `Create file: ${fileName}`,
-        content,
-        branch: "staging",
-      }
+    const endpoint = `${this.baseEndpoint}/${fileName}`
 
+    const params = {
+      message: `Create file: ${fileName}`,
+      content: sanitizedContent,
+      branch: "staging",
+    }
+
+    try {
       const resp = await axios.put(endpoint, params, {
         headers: {
           Authorization: `token ${this.accessToken}`,

classes/NetlifyToml.js

@@ -16,7 +16,7 @@ class NetlifyToml {
   }
 
   async read() {
-    const endpoint = `https://api.github.com/repos/${GITHUB_BUILD_ORG_NAME}/${GITHUB_BUILD_REPO_NAME}/contents/netlify.toml`
+    const endpoint = `https://api.github.com/repos/${GITHUB_BUILD_ORG_NAME}/${GITHUB_BUILD_REPO_NAME}/contents/overrides/netlify.toml`
 
     const resp = await axios.get(endpoint, {
       validateStatus,

errors/MediaTypeError.js

@@ -0,0 +1,12 @@
+// Import base error
+const { BaseIsomerError } = require("@errors/BaseError")
+
+class MediaTypeError extends BaseIsomerError {
+  constructor(message) {
+    super(415, message)
+  }
+}
+
+module.exports = {
+  MediaTypeError,
+}

middleware/auth.js

@@ -23,7 +23,7 @@ const verifyJwt = (req, res, next) => {
       access_token: retrievedToken,
       user_id: retrievedId,
     } = jwtUtils.verifyToken(isomercms)
-    req.accessToken = retrievedToken
+    req.accessToken = jwtUtils.decryptToken(retrievedToken)
     req.userId = retrievedId
   } catch (err) {
     logger.error("Authentication error")
@@ -43,7 +43,8 @@ const whoamiAuth = (req, res, next) => {
   let retrievedToken
   try {
     const { isomercms } = req.cookies
-    retrievedToken = jwtUtils.verifyToken(isomercms).access_token
+    const { access_token: verifiedToken } = jwtUtils.verifyToken(isomercms)
+    retrievedToken = jwtUtils.decryptToken(verifiedToken)
   } catch (err) {
     retrievedToken = undefined
   } finally {
@@ -55,7 +56,7 @@ const whoamiAuth = (req, res, next) => {
 // Login and logout
 auth.get("/v1/auth/github-redirect", noVerify)
 auth.get("/v1/auth", noVerify)
-auth.get("/v1/auth/logout", noVerify)
+auth.delete("/v1/auth/logout", noVerify)
 auth.get("/v1/auth/whoami", whoamiAuth)
 
 // Index