Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Release/v3.32.0 #3761

Open
wants to merge 61 commits into
base: release/v3.31.2
Choose a base branch
from
Open

Release/v3.32.0 #3761

wants to merge 61 commits into from

Conversation

esurface
Copy link
Contributor

Description

[What is the business, user experience or technical problem? What is the motivation or context? Any Dependencies required for the change? e.g tangy-forms version etc]
[List the issues fixed and any other relevant issues]

  • Fixes #IssueNumber

Type of Change

[Please delete irrelevant options]

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

Proposed Solution

[Please give a description of the solution proposed in the PR]

Limitations and Trade-offs

[Optional. What are the limitations of the proposed solution? What are the potential edge cases that one should be aware of? What are some of the tradeoffs? What are some of the approaches considered and not used? Why were they not used? ]

Security considerations

Screenshots/Videos

[Optional. Post screenshots or videos to explain this change visually.]

Tests

[How you tested (or have not tested) this PR and what where those steps.]

Notices, Regressions, Breaking Changes

[Optional. Impacts to developers, project or structure that is required to be communicated.]

TODOS/enhancements

[Optional. List out the remaining tasks that would complete this pull request.]

  • [Develop more tests for this PR.]
  • [Follow up on something else.]

esurface added 30 commits May 16, 2024 12:09
Add components for auth in online-survey-app
1630bae
Add online survey get and save form response from case event form id
8971b53
Working version of online-survey login routing
d4a713c
Fix release online survey script copying of form directory
bc72f19
Add server-side APIs to create Case, Event and Form
aaf3809
Fix unfinished case-api function
9752ad5
Fix bugs in case-api and add user-profile create api
a92d271
Add app config 'requireAccessCode' for users to lock access to online…
69fce19 
… surveys
Reorder span items in release online survey component
d852178
Include custom-scripts in online-survey releases
1ef7c00
Online Survey - save case variables to local storage
c4b6c68
Add case module to online-survey-app
4d8c5b6
Allow online survey link for case event form; online-survey custom-lo…
69a5108 
…gin-markup
Ensure auth works for case in online surveys
0b075e2
Editor event form list items get a copy link button
c565cec
Add menu to event form list for survey link copy, qr, and open
0360347
Add getOnlineSurvey and getCaseEventFormSurveyLinks APIs
1e0077c
Fix up case create api
5837be6
Update /case/createParticipant API
1853c34
Add case service set context and caseSErvice window var for online su…
901ea4c 
…rvey app
Fix bugs in case-api and case class
3640ef6
Add eventFormRedirect to online surveys
78c20ac
case api getEventFormSurveyLinks outputs a JSON object with list of l…
992c76f 
…inks and metadata
Fix setting event id in case creation api
dca0786
Fix typo in content-set.md
eaa0bbb
Event form link copy not allowed with http
26e197f
Add case, event and form info to response
e65a88d
Build custom-scripts when releasing online app
9f40001
use surveyLinkUrl in event form list item
eaebe51
Create participant event forms when adding participant through api
ac3d58b
esurface added 24 commits June 12, 2024 13:29
Revert addition of all client/app-config.json; only set helpLink
175787e
Fix GROUP_ID in release online survey app
8c2dbc6
Add timeout and logout to online survey
981d49b
Add logout to editor app after warning
526f837
Add process monitor dialogs to publish/unpublish online survey
88071e5
Add expiry logout in online survey after warning
59d05b7
Save-as-you-go in online surveys with case
3eaa97a
Remove online survey getResponse API
a0011c2
Add online-survey-app logout button and return to case url
21f922e
Merge branch 'online-surey-with-event-form-and-throttled-save' into r…
cc68399 
…elease/v3.32.0
Fix online survey extend session call
ab92d86
Remove excessive logging in CSV generation scripts that causes ERR_ST…
621a751 
…DOUT_MAX_SIZE error for wide csvs
Await throttled save response to ensure response is saved after-submit
f635d85
Online-survey-app logout on unload
5944289
Save caseUrlHash earlier in online-survey-app
5e363fb
Don't show case forms in online-survey publish list
5beca6b
Revert logout on window unload in online survey app
f82f70c
Save online survey app response directly on after-submit
ced1ce5
Show link to survey in case event form with form response id
ac8078b
Fix survey link copied in case event form
1b488c9
Add startDatetime and startUnixtime to user-profile when created with…
f6054f2 
… API
Store caseUrlHash in sessionStorage instead of localStorage
75cda62
Storage auth token vars in sessionStorage in online survey app
30b61d3
Merge branch 'release/v3.31.2' into release/v3.32.0
9341fbd
@esurface esurface changed the base branch from main to release/v3.31.2 January 10, 2025 16:18
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 10, 2025
View reviewed changes
online-survey-app/src/app/core/auth/_components/login/login.component.ts Outdated

if (window.location.origin.startsWith('http://localhost')) {
// If we are running on localhost, we want to use the local server for authentication
sessionStorage.setItem(this.user.username, this.user.password);

Check failure

Code scanning / CodeQL

Clear text storage of sensitive information High

This stores sensitive data returned by
an access to password
Loading
as clear text.

Copilot Autofix AI 11 days ago

To fix the problem, we need to ensure that the password is encrypted before storing it in sessionStorage. We can use the Web Crypto API to encrypt the password. This will involve generating a key, encrypting the password, and then storing the encrypted password in sessionStorage.

Suggested changeset 1
online-survey-app/src/app/core/auth/_components/login/login.component.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/online-survey-app/src/app/core/auth/_components/login/login.component.ts b/online-survey-app/src/app/core/auth/_components/login/login.component.ts
--- a/online-survey-app/src/app/core/auth/_components/login/login.component.ts
+++ b/online-survey-app/src/app/core/auth/_components/login/login.component.ts
@@ -40,3 +40,4 @@
         // If we are running on localhost, we want to use the local server for authentication 
-        sessionStorage.setItem(this.user.username, this.user.password);
+        const encryptedPassword = await this.encryptPassword(this.user.password);
+        sessionStorage.setItem(this.user.username, encryptedPassword);
         this.router.navigate([this.returnUrl]);
@@ -52,2 +53,22 @@
   }
+
+  async encryptPassword(password: string): Promise<string> {
+    const encoder = new TextEncoder();
+    const data = encoder.encode(password);
+    const key = await crypto.subtle.generateKey(
+      { name: "AES-GCM", length: 256 },
+      true,
+      ["encrypt", "decrypt"]
+    );
+    const iv = crypto.getRandomValues(new Uint8Array(12));
+    const encrypted = await crypto.subtle.encrypt(
+      { name: "AES-GCM", iv: iv },
+      key,
+      data
+    );
+    const encryptedArray = new Uint8Array(encrypted);
+    const ivArray = Array.from(iv);
+    const encryptedPassword = ivArray.concat(Array.from(encryptedArray));
+    return btoa(String.fromCharCode(...encryptedPassword));
+  }
 
EOF
@@ -40,3 +40,4 @@
// If we are running on localhost, we want to use the local server for authentication
sessionStorage.setItem(this.user.username, this.user.password);
const encryptedPassword = await this.encryptPassword(this.user.password);
sessionStorage.setItem(this.user.username, encryptedPassword);
this.router.navigate([this.returnUrl]);
@@ -52,2 +53,22 @@
}

async encryptPassword(password: string): Promise<string> {
const encoder = new TextEncoder();
const data = encoder.encode(password);
const key = await crypto.subtle.generateKey(
{ name: "AES-GCM", length: 256 },
true,
["encrypt", "decrypt"]
);
const iv = crypto.getRandomValues(new Uint8Array(12));
const encrypted = await crypto.subtle.encrypt(
{ name: "AES-GCM", iv: iv },
key,
data
);
const encryptedArray = new Uint8Array(encrypted);
const ivArray = Array.from(iv);
const encryptedPassword = ivArray.concat(Array.from(encryptedArray));
return btoa(String.fromCharCode(...encryptedPassword));
}

Copilot is powered by AI and may make mistakes. Always verify output.
Unable to commit as this autofix suggestion is now outdated
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@esurface