Merge remote-tracking branch 'origin/master' into production

ushahidi · Jul 10, 2018 · f75deca · f75deca
2 parents 7d96f60 + 195d19a
commit f75deca
Show file tree

Hide file tree

Showing 11 changed files with 200 additions and 16 deletions.
diff --git a/.jshintrc b/.jshintrc
@@ -42,6 +42,9 @@
         "afterEach",
         "-event",
         "makeTestApp",
-        "BACKEND_URL"
+        "BACKEND_URL",
+        "RAVEN_URL",
+        "ENVIRONMENT",
+        "GIT_COMMIT"
     ]
 }
diff --git a/app/app.js b/app/app.js
@@ -22,15 +22,13 @@ require('angular-linkify');
 require('./common/common-module.js');
 require('./main/main-module.js');
 require('./settings/settings.module.js');
+import ravenModule from './common/raven/raven';
 
 // Load platform-pattern-library CSS
 require('ushahidi-platform-pattern-library/assets/fonts/Lato/css/fonts.css');
 require('ushahidi-platform-pattern-library/assets/css/style.min.css');
 require('../sass/vendor.scss');
 
-// Stub ngRaven module incase its not configured
-angular.module('ngRaven', []);
-
 // Make sure we have a window.ushahidi object
 window.ushahidi = window.ushahidi || {};
 
@@ -80,7 +78,7 @@ angular.module('app',
         'nvd3',
         'angular-cache',
         'linkify',
-        'ngRaven',
+        ravenModule,
         'ushahidi.common',
         'ushahidi.main',
         'ushahidi.settings',

diff --git a/app/common/raven/raven.js b/app/common/raven/raven.js
@@ -0,0 +1,66 @@
+import angular from 'angular';
+import ravenService from './raven.service';
+
+const ravenUrl = window.ushahidi.ravenUrl || false;
+let ravenModule;
+// Load raven if configured
+if (ravenUrl) {
+    let Raven = require('raven-js');
+
+    Raven
+        .config(ravenUrl, {
+            release: GIT_COMMIT,
+            environment: window.ushahidi.environment || ENVIRONMENT,
+            tags: {
+                git_commit: GIT_COMMIT
+            },
+            sanitizeKeys: [/Authorization/i, /password/i, /accessToken/i, /api_key/i, /client_secret/i],
+            dataCallback: (data) => {
+                // Replace stringified sensitive info
+                if (data.message) {
+                    data.message = data.message.replace(/"(Authorization|client_secret|password|accessToken)":"(.*?)"/, '"$1":"****"');
+                }
+
+                if (data.fingerprint) {
+                    data.fingerprint.forEach((value, index) => {
+                        data.fingerprint[index] = value.replace(/"(Authorization|client_secret|password|accessToken)":"(.*?)"/, '"$1":"****"');
+                    });
+                }
+
+                if (data.breadcrumbs && data.breadcrumbs.values) {
+                    data.breadcrumbs.values.forEach((value, index) => {
+                        if (value.message) {
+                            data.breadcrumbs.values[index].message = value.message.replace(/"(Authorization|client_secret|password|accessToken)":"(.*?)"/, '"$1":"****"');
+                        }
+                    });
+                }
+            }
+        })
+        .addPlugin(require('raven-js/plugins/angular'), angular)
+        .install();
+
+    ravenModule = angular.module('app.raven', [
+        'ngRaven'
+    ])
+
+    .factory('Raven', () => {
+        return Raven;
+    })
+
+    .service({
+        ravenService
+    })
+
+    .run(['ravenService', (ravenService) => {
+        if (ravenUrl) {
+            ravenService.init();
+        }
+    }])
+
+    .name;
+
+} else {
+    ravenModule = angular.module('app.raven', []).name;
+}
+
+export default ravenModule;
diff --git a/app/common/raven/raven.service.js b/app/common/raven/raven.service.js
@@ -0,0 +1,34 @@
+class RavenService {
+    constructor($rootScope, Session, Raven) {
+        'ngInject';
+        this.$rootScope = $rootScope;
+        this.Session = Session;
+        this.Raven = Raven;
+    }
+
+    init() {
+        this.$rootScope.$on('event:authentication:login:succeeded', this.handleLogin.bind(this));
+        this.$rootScope.$on('event:authentication:logout:succeeded', this.handleLogout.bind(this));
+
+        if (this.Session.getSessionDataEntry('userId')) {
+            this.handleLogin();
+        }
+    }
+
+    handleLogin() {
+        if (this.Session.getSessionDataEntry('userId')) {
+            this.Raven.setUserContext({
+                id: this.Session.getSessionDataEntry('userId')
+            });
+        } else {
+            this.Raven.setUserContext({});
+        }
+    }
+
+    handleLogout() {
+        this.Raven.setUserContext({});
+    }
+
+}
+
+export default RavenService;
diff --git a/app/index.html b/app/index.html
@@ -122,15 +122,6 @@
                 ga('send', 'pageview');
             }
         </script>
-        <script>
-            if (window.ushahidi && window.ushahidi.ravenUrl) {
-                (function(d, t, c, s) {
-                    var g = d.createElement(t);g.id = 'ravenScript';g.type = 'text/javascript';g.async = true; g.src = 'https://cdn.ravenjs.com/3.8.0/angular/raven.min.js';g.onload=c;g.onreadystatechange=c; s = d.getElementsByTagName(t)[0];s.parentNode.insertBefore(g, s);
-                }(document, 'script', function () {
-                    Raven.config(window.ushahidi.ravenUrl).install();
-                }));
-            }
-        </script>
         <script>
             if (window.ushahidi && window.ushahidi.googleMapsApiKey) {
                 (function(d, t, c, s) {

diff --git a/app/settings/plans/plans.controller.js b/app/settings/plans/plans.controller.js
@@ -25,7 +25,7 @@ function (
             $scope.specialPlan = site.tier;
         }
     });
-    $scope.username = ($rootScope.currentUser || {}).email;
+    $scope.username = encodeURIComponent(($rootScope.currentUser || {}).email);
     /* globals apiDomain, deploymentsDomain */
     $scope.cloudDomain = typeof deploymentsDomain !== 'undefined' ? deploymentsDomain : 'ushahidi.io' ;
     $scope.subdomain = typeof apiDomain !== 'undefined' ?

diff --git a/package.json b/package.json
@@ -118,6 +118,7 @@
     "ng-showdown": "^1.1.0",
     "ngGeolocation": "rjmackay/ngGeolocation",
     "nvd3": "^1.8.4",
+    "raven-js": "^3.26.3",
     "socket.io-client": "2.0.3",
     "sortablejs": "^1.7.0",
     "underscore": "^1.7.0",

diff --git a/server/nginx-site.conf b/server/nginx-site.conf
@@ -8,6 +8,8 @@ server {
 
     server_name ushahidi-client;
 
+    add_header X-XSS-Protection "1; mode=block";
+
     location / {
         try_files $uri $uri/ @missing;
     }

diff --git a/server/rewrite.htaccess b/server/rewrite.htaccess
@@ -1,3 +1,5 @@
 RewriteEngine on
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteRule ^.*$ /index.html  [PT,L]
+
+Header set X-XSS-Protection "1; mode=block"
diff --git a/test/unit/common/raven.spec.js b/test/unit/common/raven.spec.js
@@ -0,0 +1,77 @@
+import RavenService from 'app/common/raven/raven.service';
+
+describe('Raven service', () => {
+    let raven, $rootScope, Raven, Session;
+
+    beforeEach(() => {
+        $rootScope = {
+            $emit: (ev) => {},
+            $on: (ev) => {}
+        };
+
+        let mockedSessionData = {
+            email: '[email protected]',
+            name: 'Robbie',
+            userId: 10
+        };
+        Session =  {
+            getSessionDataEntry: function (key) {
+                return mockedSessionData[key];
+            },
+            setSessionDataEntry: function (key, value) {
+                mockedSessionData[key] = value;
+            }
+        };
+
+        Raven = {
+            setUserContext: jasmine.createSpy('setUserContext')
+        };
+
+        global.RAVEN_DSN = 'http://abc123';
+
+        spyOn($rootScope, '$emit');
+        spyOn($rootScope, '$on');
+
+        raven = new RavenService($rootScope, Session, Raven);
+    });
+
+    it('should listen to log in/out events', () => {
+        raven.init();
+
+        expect($rootScope.$on).toHaveBeenCalledWith('event:authentication:login:succeeded', jasmine.any(Function));
+        expect($rootScope.$on).toHaveBeenCalledWith('event:authentication:logout:succeeded', jasmine.any(Function));
+
+        expect(Raven.setUserContext).toHaveBeenCalled();
+    });
+
+    it('should set user at creation if logged in', () => {
+        Session.setSessionDataEntry('userId', 10);
+        raven.init();
+
+        expect(Raven.setUserContext).toHaveBeenCalled();
+    });
+
+    it('should not set user at creation if logged out', () => {
+        Session.setSessionDataEntry('userId', false);
+        raven.init();
+
+
+        expect(Raven.setUserContext).not.toHaveBeenCalled();
+    });
+
+    it('should set user on login', () => {
+        raven.init();
+        raven.handleLogin();
+
+        expect(Raven.setUserContext).toHaveBeenCalledWith({
+            id: 10
+        });
+    });
+
+    it('should clear user on logout', () => {
+        raven.init();
+        raven.handleLogout();
+
+        expect(Raven.setUserContext).toHaveBeenCalledWith({});
+    });
+});
diff --git a/webpack.config.js b/webpack.config.js
@@ -7,6 +7,14 @@ var imgPath = path.resolve('node_modules/ushahidi-platform-pattern-library/asset
 
 var extractCss = new ExtractTextPlugin('[name].[chunkhash].css');
 
+var GIT_COMMIT;
+// Try to get the current GIT COMMIT
+try {
+  GIT_COMMIT = require('child_process').execSync('git rev-parse HEAD').toString().trim();
+} catch (e) {
+  GIT_COMMIT = process.env.CI_COMMIT_ID || null;
+}
+
 module.exports = {
   devtool: 'source-map',
   entry: {'app': [
@@ -89,7 +97,9 @@ module.exports = {
     new webpack.IgnorePlugin(/^\.\/locale$/, /moment$/),
 
     new webpack.DefinePlugin({
-        BACKEND_URL: JSON.stringify(process.env.BACKEND_URL || 'http://backend.url.undefined')
+        BACKEND_URL: JSON.stringify(process.env.BACKEND_URL || 'http://backend.url.undefined'),
+        ENVIRONMENT: JSON.stringify(process.env.ENVIRONMENT || 'dev'),
+        GIT_COMMIT: JSON.stringify(GIT_COMMIT || false)
     }),
 
     // Injects bundles in your index.html instead of wiring all manually.