internetee / auction_center Goto Github PK

We are running on rails 5.2.1 that is marked vulnerable to the CVE-2019-5418.
Although we do not have file rendering on auction center it might still be a good idea to consider updating the rails version

Once the UI has been stabilized, remove unused Javascript modules from app/javascript/src/semantic-ui. We currently use only a few and there is no need to have them all in the repository.

This would be great even if your organization does not intend to use it to offer paypal as a means of payment in a code option

https://github.com/paypal/Checkout-Ruby-SDK

Certain aspects of the application, such as "how big should be the initial price of a domain" should be stored in Settings that are available to the administrator to change at any point in the running application.

Certain pages might need pagination:

• Domain list (admin, participant)
• Result list (admin, participant)
• Invoice list (admin)

Implement it either with some gem like Kaminari or by hand.

Invoice cancellation job tries to cancel invoices already in "cancelled" state. It should not do that.

The issue can be observed on staging.

We need some kind of staging deployment to make sure the functionality we develop is in order.

• Database
• Server
• Error tracking (Errbit or otherwise)
• Deployment script

The goal is to have it complete separate from registry. Can live on separate machine, separate database instance etc.

if a new user tries to make a bid with no billing profiles an error is returned. As all defined users are private persons and nationality is one of the mandatory parameters upon creating the user there is no need to require billing profile unless the user wants the invoice in the name of a company.

Also as discussed the billing profile is only related to invoicing and thus does not come into play before the user's bid has actually won. So the user should be able to set the billing data on the invoice and no such choice needs to be made on making the bid.

When a user creates an account she needs to:

• explicitly accept terms and conditions of the auction center and auctions
• be able to download the terms and conditions as pdf
• at any later point in time also be able to review terms and conditions and download the file again, if needed

Allow a user to edit their profile:

• Phone number
• Email address
• Password
• Billing data (needs more consideration)

Allow auctions to be ended at the end of the same calendar day in the application designated timezone.

When this is set up, auction should always end at 23:59:59, regardless of at what time they started.

adding phone number on creating a new user might get confusing as there is no hint on the required format. If user enters just the phone number part without the country code the error "moible phone is invalid" is returned but there is nothing that says what exaclty is the cause or what should the correct phone number look like.

Ideally there should be some hint in the UI that would help user to use the correct format to begin with. Also error message should indicate the what is the correct format.

There is an ietf epp allocation token draft that could work in our case:
https://datatracker.ietf.org/doc/draft-ietf-regext-allocation-token/?include_text=1

• We need to apply correct vat rates for clients from other EU member states that are not vat liable in their origin country. For this we would need to find a solution for querying the correct rate.
• generate invoice for the winner - invoice has due date configurable in admin
• winner gets automated message as sms and email with the link to the invoice in auctioning portal
• winner has two options for paying in the auctioning portal - credit card and banklink
• invoice is automatically canceled after the due date is passed and invoice is not paid - the domain will go back to the auction. The user that failed to pay the invoice is banned from bidding for the domain (in that and possible next rounds as well until the domain is registered)

Domain list view will be available on the web page:
short list in index: https://eis-dev.voog.com/
and full list on separate page: https://eis-dev.voog.com/domeenid/domeenioksjonid

so the blue domain list view of the auction center should be moved behind login barrier and painted green (should be the index page opened after logging in). https://auction.infra.tld.ee/auctions

From the full list view on the EIS web page will point directly to bidding view /uid/offers/new

Add a way to configure Airbrake/Errbit in environments

Domain must be registered x days after the invoice payment. Currently it is after the auction has finished.

Extracted from #1 as there's a lot of work to be done here.

Allow to:

• create a user account with digital identity document (eID or mobileID)
• sign in using the digital document

Require:

• password to be set for all users, even those that sign in with digital documents
• mobile phone number

Allow to:

• create a user account with email and password
• sign in using email and a password
• reset password via a link sent to an email
• Create new administrator accounts
• Manage users as an administrator
• Delete users as an administrator

Require:

• user's identity code to be unique for the combination of country of origin and the actual number.
• Country code to conform with ISO-3166 because of IEFT RFC 4519
• given names and surname fields
• unique email address, since it will be used for signing in.
• mobile phone number
• SMTP configuration for sending emails

Use:

• Devise gem
• CanCanCan gem (for permissions management)
• 2 tier roles: User and Administrator

By default highest bidder wins.
In the case of multiple identical highest bids the tiebreaker is required. Preferred solution here is random selection. Need a trustworthy random number generation.

Country selection in any form should be dropdown

/billing_profiles/new
/billing_profiles/1/edit

When a user reloads the search page, it loads a 404. Instead, it should re-send the same post request with a search form.

There should be some kind of message on user creation and user data email address editing notifying that confirmation letter has been sent and user has to go and confirm it before the user is activated or email address update finalized. Currently user is notified only on trying to login with unconfirmed user or going back to edit user view.

At any given point, a user can delete their account. We should delete that account, but retain related records such as history of offers that user made and auctions that user has won.

Currently, mobile/sidebar menu is disabled because it didn't work properly and did not use semantic ui functions. Needs to be fixed as soon as we get input from the contractor.

System does not allow adding multiple billing profiles with the same vat code in the system. While this is OK for a single user it is not for the whole system as every organisatsion can have multiple representatives.

At the same time adding a billing profile must not give access to any of the invoices assigned to that company (bids are done by a unique users and only that user has access to the billing and authorisation code related to the winning bid)

Also error handlung is missing for adding multiple profiles with the same vat code for the same user - error 500 is returned.

Create basis for WebSocket communication. It would allow us to do the following:

• Broadcast new domains that are available to auction
• Broadcast ended auctions results.
• Minimise instances of users bidding in an already finished auction.

In the email to the auction winner there is a link to the invoice, but the invoice that directs user to 404

example link: http://auction.infra.tld.ee/results/7

actual url uses uuid instead of the one char id to point to the invoice

The registration password is available once the user has won the bidding (regardless if the invoice has been paid or not)

Allow to:

• Submit an offer for a domain. The offer should be in Euros and should exclude the VAT tax. Minimum amount to be determined.
• Updating an offer for a domain. A user can make the offer smaller or bigger.
• Removing an offer for a domain.

description for registration_term parameter says:

Number of days before the auctioned domain must be registered, starting from the auction start. Default: 14

while in reality the count starts from the time resgistration code was issued/released

An administrator can:

• Set auction price globally, for all the new auctions.
• Override price for a specific auction when creating one via a webform

Starting price does not affect:

• Auctions in progress
• Finished auctions

Needs Money-like object class.

Use delayed_job for processing tasks that require background processing:

• Sending emails to winners of auctions
• Fetching the list of domains to auction
• Sending auction results to registry

The reason why we should go with delayed_job, and not sidekiq is that the latter does only support redis as backend, thus adding one more infrastructure element that needs to be managed and updated.

Allow to keep history of all the changes to database records that happen during the application lifecycle. Given the general discontent with paper_trail gem, we probably should use postgres triggers instead.

• keep history of changes in all objects as JSON
• create boilerplate migration or database function that allows to add the functionality to new tables when necessary.
• create UI for viewing data history

A user can have multiple billing profiles, for a private person as well as any company they might represent.

• A user can edit or create a profile that belong to them. Profile requires:
  • Business registry code / VAT code
  • Is the legal entity a VAT payer? (Boolean)
  • Address data

• Investigate what can be skipped from rails new
• Set up database configuration
• Set up docker confguration
• Set up Travis-CI
• Set up code climate
• Set up yarn
• Skip development environment file config
• Write setup instructions into Readme

Update delayed_job settings to retry 3 times, not 25. Investigate additional settings

Currently, users coming from electronic identity documents also need to set up password and then be allowed to log in with email and password. This should be reworked:

1. Passwords for TARA users should be automatically generated on user creation.
2. TARA users should not be asked for their passwords at any point when updating their data.

Send short registration codes to person's mobile phone number to confirm that their accounts are safe to activate.

Requires a feature flag (not all perspective users will need that) and an implementation that is blind to usage of a specific partner like Twilio, Messente or other.

• Display basic information about the domain in auction, such as the domain name and when does the auction end.

Tentative:

• Display auction type
• Display info how many people how submitted an offer for this domain

Any time I create new profile the form is perfilled name field with the users name.
Another problem is that the same happens on editing existing profile so that upon saving the profile edit the name is changed

Add the following email notifications, from start to finish of the process.

• Each user who who participated in an auction should receive notification when the auction ended, even if they are not the winner.
• When the registration code is available in the portal, a user should get an email about it.
• 5 days before the registration deadline, an email should be sent to urge the user to go to a registrar and register a domain.

Implement ban/block lists for users:

1. When a user wins an auction for domain test.ee, but does not pay invoice in time, he should be blocked from participating in future auction(s) of test.ee.
2. After a second unpaid invoice, the user should be blocked for a specified amount of days, configurable in the settings.
3. Administrators should have a possibility to block users from the UI i.e when that's a duplicate account for a known abuser.

When user creates or updates an account, validate that:

• His mobile phone is a valid mobile phone
• Her identity code is a valid identity code

Currently applicable only to Estonian data.

Based on data obtained from #2, allow to search by domain name.

When a non-e-IDAS customer wants to submit an offer, submit them to entering captcha.

Requires manual changes in staging.

Before going live, the billing profile's country code field needs to be set to not null.

Introduced in #40

Allow the table to display strings of at least 26 characters (IBAN).

Allow:

• Secure communication with the Registry (HTTPS, token or other type of security)
• Connect to Registry via RESTful API, and get a list of domains that are up for auction in the near future.

Actual implementation details to follow once the Registry API is decided.

We should provide the following search options:

• Auction by domain name for participants. Should return current AND past auctions, for historical reference.
• Auction by domain name for administrators
• Users by email for administrators
• Results by domain name for administrators
• Invoices by user email for administrators