-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
break: secure file upload and download (public and private) #1084
Conversation
742c53c
to
a3eda03
Compare
Removed vultr server and associated DNS entries |
85acf77
to
486a265
Compare
469d10c
to
e81a8c1
Compare
This is now ready for review. Sorry for being trigger-happy with the review request earlier (ie asking review before tests were passing). |
c450cbd
to
8463075
Compare
Hey @jessicamcinchak, quick question. This PR requires adding a new env var. I've added it to
|
hey @gunar - without fully reviewing this PR yet, I'd suggest adding the new variable to the root .env file as well as the API's env.test and then it'll be available in the pizza's docker container and during local development. any variables defined like L347 lemme know if you have any issues with this approach though! |
That makes sense, and it worked! Thanks! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks for all your work & patience on this one, apologies it's been a particularly slow review process as this one just touches so much & requires more cross-project communication than usual!
i'm happy with the code & went through a full test LDC service: file upload components, review page, and CSV all look good - but both submissions to Uniform & BOPS failed (you can see logs here). Once file conflicts are resolved here, I'm happy to try again - I think once we have a successful staging submission to both BOPS & Uniorm and can confirm that they are able to pick up the files as expected then this could merge 👍
Next steps:
|
f7215b5
to
154fc7e
Compare
Thank you for the review @jessicamcinchak—all good points. I believe I've addressed them. I've added the thing about how to rotate |
Pizza isn't building. I'll investigate. |
154fc7e
to
aad4b7f
Compare
aad4b7f
to
baae798
Compare
- prevents user uploads from being publicly accesible - makes all S3 routes go through the API - adds a new API Token concept to only allow BoPS to download user files - side-effect: prevents users from downloading their own files
baae798
to
98b543b
Compare
It's Friday I'm in… a ready-for-review state 😂 🎵 |
@@ -0,0 +1,27 @@ | |||
import S3 from "aws-sdk/clients/s3"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Worth noting that I had to change this otherwise tsc
would try to compile the whole sdk and the GH Action worker would run out of memory.
- import { S3 } from "aws-sdk";
+ import S3 from "aws-sdk/clients/s3";
In a separate PR I'll suggest increasing the maximum amount of memory available for the worker (just in case).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Worth noting about the "worth noting" above that the Docker build would fail silently (ie the error message was there but it would return a Linux zero code) which made it hard for me to find the root cause at first.
Actually, we already had a plan for this PR didn't we? Sorry I forgot. @jessicamcinchak on Tuesday when you're back do you mind submitting an application from this Pizza into BOPS Staging? Happy to learn how to do it myself too but at this point I just want this PR to be over with 😅 |
Card: https://trello.com/c/cS7bfBXL/2019-restrict-access-to-user-uploaded-files-to-bops-uniform-only