servicecanada / cens


Canada.ca Email Notification Services - Subscription service to send mass mailing via the notification service from CDS.

Home Page: https://www.gcpedia.gc.ca/wiki/Principal_Publisher_at_Service_Canada

License: MIT License

JavaScript 92.74% Shell 0.62% Dockerfile 0.14% HTML 4.23% Mustache 2.28%

Canada.ca Email Notification Services

Subscription service to send mass mailing via the notification service from CDS.

Setting up

Tests

Load tests

Run the bash script "load-run.sh" for load testing; further instructions are in the file.

Start the application

node server.js

or

docker-compose up --build

Create topic

A topic could be compared to a mailing list.

Each topic is unilingual; topics are created in pairs, one per language.

For each topic you need:

  • Unique Notify API key: "team and safe senders"
  • Notify template ID that represents the confirmation email
  • Confirmation subscription link
  • Confirmation unsubscription link

Topic naming convention

{2-3 letter group name abbreviation}-{short topic name}{2 letter language}

Database command sample

db.topics.insertOne( {
    _id: "test2",
    templateId: "<template id available in the template in Notify>",
    notifyKey: "<A valid Notify API key>",
    confirmURL: "https://canada.ca/en.html",
    unsubURL: "https://canada.ca/en.html",
    nTemplateMailingId: "<template ID for sending a corresponding mailing>"
})

Create a topic detail

db.topics_details.insertOne( {
    _id: "test2",
    accessCode: [ "123456" ],
    createdAt: ISODate( "2020-03-21T00:00:00.000-04:00" ),
    lastUpdated: ISODate( "2020-03-21T00:00:00.000-04:00" ),
    groupName: "Department Name",
    description: "Used for this service, related to request #",
    lang: "en",
    langAlt: [ "test" ],
    nServiceId: "test-serviceID-to-be-extracted-from-Notify-API-key"
})

(Optional) Create a topic for an app handling POST volume

You need to add the three additional redirection URLs (thankURL, inputErrURL and failURL):

db.topics.insertOne( {
    _id: "test2",
    templateId: "<template id available in the template in Notify>",
    notifyKey: "<A valid Notify API key>",
    confirmURL: "https://canada.ca/en.html",
    unsubURL: "https://canada.ca/en.html",
    thankURL: "https://canada.ca/en.html",
    inputErrURL: "https://canada.ca/en.html",
    failURL: "https://canada.ca/en.html"
})

Same, but to update an existing topic

db.topics.updateOne(
    { _id: "test" },
    {
        $set: {
            thankURL: "https://canada.ca/en.html",
            inputErrURL: "https://canada.ca/en.html",
            failURL: "https://canada.ca/en.html"
        }
    }
);

To remove it

db.topics.updateOne(
    { _id: "test" },
    {
        $unset: {
            thankURL: "",
            inputErrURL: "",
            failURL: ""
        }
    }
);

Going live with a topic

You need to:

  • Successfully complete the subscription journey for the topic:
    1. Subscribe
    2. Subscribe confirmation
    3. Email confirmation
    4. Sending an email message update with a CSV
    5. Unsubscribe
  • Report any content anomaly; the whole subscription process should follow best practice. At this stage you must inform the client and your manager of any potential issue.
  • Ensure it is paired with another language via "langAlt". Usually it is English + French.
  • Ask the client to send us a live Notify API key via an encrypted communication.
  • Replace the Notify API key.

Updating an existing topic

  1. Run the appropriate MongoDB query
  2. Flush the cache: /api/v0.1/t-manager/{Private access code 1}/{Private access code 2}/flush-cache

Topic

A topic could be compared to a mailing list.

_id

Raw string identifier for a topic. Could be a keyword.

Updates when: A user fills out the form to subscribe to a topic.

templateId

Notify template ID, as a string, of the email template used for this topic's confirmation email.

notifyKey

Notify API key for this service, as a string. Services in Notify are separated by "From" address, among other things.

confirmURL

String of the URL of the page to which the user is redirected after confirming their subscription by clicking the link in the confirmation email.

unsubURL

String of the URL of the page to which the user is redirected when they unsubscribe by clicking the unsubscribe link in an email.

(Optional) Create a topic for an app handling POST volume

The following three redirection URLs must be added:

thankURL

String of the URL of the page to which the user is redirected after subscribing successfully, with POST handling activated.

inputErrURL

String of the URL of the page to which the user is redirected when they submit the form with input errors, with POST handling activated.

failURL

String of the URL of the page to which the user is redirected when the subscription fails on the server side, with POST handling activated.

Topics Details

Contains details about each topic.

_id

Raw string matching the _id of the corresponding topic.

accessCode

Simple string (stored as an array of strings in the sample above) that adds a layer of validation, allowing managing users to perform restricted operations such as exporting the topic's email list as CSV.

createdAt

Date of when the topic details are created.

lastUpdated

Date of last time a validation against the accessCode has been done.

Updates when: Every time a validation against the accessCode is done, i.e. for an export to CSV.

groupName

String containing the name of the department that requested the creation of this topic.

description

String describing the topic and the reason it exists.

lang

String giving the language of this topic, in abbreviated form.

langAlt

Array of references to the other-language counterparts of this topic, given as the string _id of those topics.

cens's People

Contributors

duboisp, gormfrank, luc-bertrand-hrsdc, jonasg-gc, bengregori, joshsommers, num3thod, ricokola, ctopcanada, shiva-sc


cens's Issues

Add OSS License

Adding an OSS license like MIT would help clarify legal parameters for other jurisdictions interested in replicating the x-notify system.

Info Exposure in confirmation link

Hey team,

Just wanted to raise this to your attention as we forgot to mention it yesterday in the check-in.

The code below, which generates the confirmation link, is populating the recipient's email address into the URL, which will create the potential for these pieces of PII to be registered in logs, browser caches, etc.

https://github.com/ServiceCanada/x-notify/blob/e282fc7752d4f6aa06c34570c81334b88ba54220/controllers/subscriptions.js#L512

I've linked to the relevant OWASP description of the issue below.

https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url

Proposed Solution:

Generate a UUID and replace email with that token in the url, using the UUID as a query/insertion key accordingly.

Notify API Keys

@duboisp thanks for granting us access

After taking a quick look, it looks like the Notify API KEY is getting passed around and stored in a few spots:

Example:
https://github.com/ServiceCanada/x-notify/blob/5dea006de3e4d020aacf7a4318096822413050d6/controllers/subscriptions.js#L69

https://github.com/ServiceCanada/x-notify/blob/master/controllers/subscriptions.js#L79

The api key should be kept as secret (environment variable) and not stored. For example we may need to revoke the api key at our level or rotate the keys.

Also here:
https://github.com/ServiceCanada/x-notify/tree/master/test#database-command

I understand this might be used by multiple departs but we'll need to look at other ways of doing that.
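One way to follow the recommendation above, as an added example that is not x-notify's own code: persist only the service ID (the nServiceId field from the topics_details sample) and resolve the key from the environment at send time. It assumes the key follows the GOV.UK/GC Notify layout "<name>-<service id, 36 chars>-<secret, 36 chars>" and an invented env-var naming convention.

```javascript
// Added example (not x-notify's own code): resolve the Notify API key from the
// environment instead of storing it in the topics collection.
// Assumptions: key layout "<name>-<service id (36 chars)>-<secret (36 chars)>"
// (GOV.UK/GC Notify) and an env var per service named
// NOTIFY_KEY_<service id, '-' replaced by '_'> (convention invented here).

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Pull the service ID out of a full key (this is what nServiceId holds).
// Only the ID is persisted with the topic; the secret never touches the database.
function serviceIdFromKey(apiKey) {
  if (typeof apiKey !== 'string' || apiKey.length < 73) throw new Error('malformed Notify API key');
  const serviceId = apiKey.slice(-73, -37);
  if (!UUID_RE.test(serviceId)) throw new Error('malformed Notify API key');
  return serviceId;
}

function notifyKeyEnvName(serviceId) {
  if (!UUID_RE.test(serviceId)) throw new Error('invalid service id');
  return `NOTIFY_KEY_${serviceId.toUpperCase().replace(/-/g, '_')}`;
}

// Look the key up for a topic. `env` is injectable so the lookup can be tested
// offline; in the application it defaults to process.env. Rotating a key only
// requires the env var to change, not a database update, and a key pasted into
// the wrong variable is rejected because its embedded service ID will not match.
function resolveNotifyKey(topicDetails, env = process.env) {
  const name = notifyKeyEnvName(topicDetails.nServiceId);
  const key = env[name];
  if (!key) throw new Error(`Notify API key not configured (${name})`);
  if (serviceIdFromKey(key) !== topicDetails.nServiceId) {
    throw new Error(`key in ${name} belongs to a different service`);
  }
  return key;
}

// For legacy topic documents that still carry notifyKey: never log or return
// the raw value; replace it before the document leaves the data layer.
function redactTopic(topic) {
  if (topic.notifyKey === undefined) return { ...topic };
  return { ...topic, notifyKey: '[REDACTED]' };
}
```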
