
api's Introduction


🔥 Api

The API for our platform and services, built with Node.js.

Installation

Quick and easy install with Yarn:

git clone https://github.com/upframe/api.git
cd api
yarn install

All the dependencies are now installed. Next, take care of the environment variables. There are two ways to get them set up:

  • Option 1 is to get a copy of our .env file, the secret file with all the environment variables we use in production (for Upframe developers only), and place it in the root folder. Keep it out of version control: it holds database, Mailgun, AWS and Google credentials.

  • Option 2 is to set them up manually. We prefer the first option but the second one also works. Here is the list of environment variables and what each one is used for.

NODE_ENV - "development" or anything else. Controls our CORS policy: only "development" allows localhost origins.

REGISTER - Temporary. When set to a number, the registration endpoint is enabled.

DB_HOST - MySQL database host (URL) to connect to.

DB_USER - MySQL database username.

DB_PASSWORD - MySQL database password.

DB_NAME - MySQL database name.

CONNECT_PK - Private key used for encryption.

MG_APIKEY - Mailgun API key.

MG_DOMAIN - Mailgun domain.

IAM_USER_KEY - AWS IAM access key ID for a user with access to S3.

IAM_USER_SECRET - AWS IAM secret access key for that user.

BUCKET_NAME - AWS S3 bucket name.

CLIENT_ID - Google API client ID.

CLIENT_SECRET - Google API client secret.

GOOGLE_CALLBACK_URL - Google OAuth callback URL.
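As an added illustration of what NODE_ENV switches here (example code, not the project's own; the hostnames and ports are assumptions), the following is an exact-match origin allowlist with localhost enabled only in development. One caveat a reviewer would insist on: CORS only constrains browsers. A non-browser client can send any Origin header it likes, so this decides which web pages may read the API's responses; it is not authentication and not a defence against injection.

```javascript
// Added example, not Upframe's code. Origins below are assumptions.
const PRODUCTION_ORIGINS = new Set([
  'https://connect.upframe.io',
  'https://beta.upframe.io',
]);

const DEVELOPMENT_ORIGINS = new Set([
  'http://localhost:3000',
  'http://127.0.0.1:3000',
]);

// Origins the API is willing to echo back in Access-Control-Allow-Origin.
function allowedOrigins(nodeEnv) {
  const origins = new Set(PRODUCTION_ORIGINS);
  if (nodeEnv === 'development') {
    for (const o of DEVELOPMENT_ORIGINS) origins.add(o);
  }
  return origins;
}

// Returns the origin to echo back, or null when the request's Origin is not
// on the list. Exact match on scheme://host[:port] only: a substring or
// regex check would let "https://connect.upframe.io.evil.example" through.
function corsOriginFor(nodeEnv, requestOrigin) {
  if (typeof requestOrigin !== 'string') return null;
  let parsed;
  try {
    parsed = new URL(requestOrigin);
  } catch {
    return null; // not a URL at all
  }
  // A real Origin header never carries a path, query or fragment.
  if (parsed.pathname !== '/' || parsed.search || parsed.hash) return null;
  const normalised = `${parsed.protocol}//${parsed.host}`;
  return allowedOrigins(nodeEnv).has(normalised) ? normalised : null;
}

// Headers to attach to a response. No ACAO header at all for unknown origins,
// and never "*" once credentials (cookies, Authorization) are allowed.
function corsHeaders(nodeEnv, requestOrigin) {
  const origin = corsOriginFor(nodeEnv, requestOrigin);
  // Vary: Origin keeps shared caches from serving one origin's ACAO to another.
  if (origin === null) return { Vary: 'Origin' };
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  };
}

module.exports = { allowedOrigins, corsOriginFor, corsHeaders };
```

In an Express app the result of corsHeaders would be applied per request in a middleware, with the same list reused for the preflight (OPTIONS) response.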

Running

Development

yarn dev

Production

yarn prod

License

GPL © Upframe


api's Issues

API Errors - verbose messages

Right now our API is not always returning an error message, only sending an error code. It would be very useful for development if we had an error message every time something fails, so that we can quickly look it up instead of reverse engineering the whole process flow.

Implement these error messages throughout the code.

Wrong link sent to users in password and email change

The link that is displayed in the emails sent to users about changing their passwords or emails is displayed in an incorrect format. However, the redirect value is correct.

This means that they work if clicked on, but won't work if copy and pasted into the browser.

Fetching mentor info returns 400

When we fetch mentor information the backend is sending us the right field at "mentor" but both the "ok" and the "code" fields are wrong. They are being sent as if an error happened yet the information in the mentor part is on point. Someone needs to investigate this.

[WIP] Slots saving

We have to define how the slots are saved in the database, what that piece of data contains and how it works.

Email meetup time is wrong

When a mentor receives the email regarding the booked slot, the meetup time in the email is one hour in advance.

Currently, the database saves the meetup time in the GMT+0 timezone.

Security Audit

It is important for us to keep our data safe. We need to make sure we are not vulnerable to any of the following attacks. Add some more for our audit.

  • SQL Injection (do we escape all character inputs? the API only accepts requests from connect.upframe.io and beta.upframe.io but this can be easily spoofed...)
  • Brute forcing (add timers)
  • Are hashes complex enough? (make sure we are up to date in the difficulty stage. Our hashing algo is safe, but our steps are a little low I believe)

POST /profile/image

Coordinate an S3 Bucket with this request so that we can upload pictures.

Generate random unique id for every account

Right now we are using emails as a way to identify mentors... This is cool and easy but once you want to change the email in the SQL table things start to get a little wild. It's a better idea to have a UID that does not change while emails can be freely changed.

When you change this you gotta change the information used in the JWT located at /router/auth.js and /services/token.js

Fix weird keycode generator behaviour

When someone is trying to register with a name that will be converted to a keycode already in use, the API fails, explaining that the email trying to register is already in use. What's actually happening is that the keycode generator is not smart enough (yet) to detect an already-in-use keycode and generate another one.

We need this fix because sooner or later there will be people whose keycodes generated from their names will be the same.
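One way to do the collision handling, as an added example rather than the project's generator: slugify the name, probe for a free candidate, and pair that with a UNIQUE index on the keycode column so that two registrations racing for the same name cannot both succeed. The slug rules, the 'user' fallback and the `insert`/`isTaken` callbacks are assumptions; `ER_DUP_ENTRY` is the code mysql2 surfaces for MySQL error 1062.

```javascript
// Added example, not Upframe's code. Slug rules and callbacks are assumptions.

// Display name -> URL-safe keycode. NFKD + stripping combining marks turns
// "João" into "joao"; anything that is not a-z0-9 collapses to a hyphen.
function slugify(name) {
  return String(name)
    .normalize('NFKD')
    .replace(/[\u0300-\u036f]/g, '')
    .toLowerCase()
    .replace(/[^a-z0-9]+/g, '-')
    .replace(/^-+|-+$/g, '')
    .slice(0, 40);
}

// `isTaken(candidate)` answers whether a keycode exists (a DB lookup in the
// real API). Returns the first free candidate: base, base-2, base-3, ...
function generateKeycode(name, isTaken, maxTries = 1000) {
  const base = slugify(name) || 'user';
  if (!isTaken(base)) return base;
  for (let n = 2; n < maxTries + 2; n++) {
    const candidate = `${base}-${n}`;
    if (!isTaken(candidate)) return candidate;
  }
  throw new Error(`no free keycode for ${JSON.stringify(name)}`);
}

// Check-then-insert is racy on its own. With a UNIQUE index on the column,
// `insert(keycode)` is assumed to throw an error whose .code is 'ER_DUP_ENTRY'
// when another request won the race; retry with the next candidate instead
// of reporting the misleading "email already in use".
function registerWithUniqueKeycode(name, isTaken, insert, retries = 5) {
  const tried = new Set();
  let lastErr = null;
  for (let i = 0; i < retries; i++) {
    const keycode = generateKeycode(name, (k) => tried.has(k) || isTaken(k));
    try {
      insert(keycode);
      return keycode;
    } catch (err) {
      if (err.code !== 'ER_DUP_ENTRY') throw err;
      tried.add(keycode); // taken between our check and our insert; move on
      lastErr = err;
    }
  }
  throw lastErr;
}

module.exports = { slugify, generateKeycode, registerWithUniqueKeycode };
```

The retry loop only does its job if the column really has a UNIQUE constraint; without it the second registration silently succeeds with a duplicate keycode.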

New Upframe Calendar created every time a user syncs again.

Description

A new Upframe Calendar is created every time a user syncs his account. When a user connects his account to Google Calendar for the second time, the first calendar created beforehand should be used instead.

Steps to Reproduce

  1. Go to settings/mycalendar.
  2. Connect your google calendar account.
  3. Disconnect your google calendar account.
  4. Connect your google calendar again.
  5. Go to calendar.google.com and you will see more than one Upframe Calendar.

Screenshots

(screenshot not included)

Linting

Men, can you help me set up the lint? For some reason the config isn't working. I already set up everything in Travis; all you have to do is make the config in the right format / install ESLint correctly.

https://travis-ci.com/ulissesferreira/api

Information leaks in some requests

Due to the fact that sometimes we are lazy 😎 we are using SELECT * FROM ... and not handling the information leak that this causes. We are basically dumping all the information from a user without handling what is useful or not. We shouldn't send hashed passwords back and forth for example xD even though we are using SSL... It's just not a good practice.

TODO: go through all our requests and either stop using SELECT * and specify what we need OR take care of the extra information before we send it 👍

Easy fix and not a priority but must be taken care of before we launch.

[WIP] Password change

I'm not sure if we need this ASSUMING we implement the email change in the correct way. If someone wants to change their password it's a good idea to have a quick change. However, maybe we should send an email confirming this change...

Both ways work... It's a matter of personal preference and not about security (I think...)
So what do you say Fabio? Should we send a verification email? Or since we already have a safe email change we allow passwords to be changed easily and if someone is hacked all they have to do is request a reset?

GET /mentor/verify

Endpoint to verify onboarding URLs AND UniqueIDs. Depending on the request, we need to be able to verify both options.

SQL Injection Audit

Make sure we are not vulnerable to SQL injection. This includes escaping all text inputs. The mysql2 module has a special way of escaping chars (using the ?) but I don't think we have implemented it everywhere. The best way to test this is to attack every corner and see how the API reacts.
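The two issues above, the SELECT * leak and the injection audit, are fixed by the same query-building discipline, so one added example serves both (it is not Upframe's code; the `users` table, its columns and the `findMentor` names are assumptions). It shows the string-splicing pattern the audit is worried about next to a version that names its columns and passes every user-controlled value through a `?` placeholder. To keep it runnable offline, the `?` substitution is a simplified re-implementation of the client-side escaping mysql2 applies in `connection.query(sql, values)`; it is for illustration, not a replacement for the library's own.

```javascript
// Added example, not Upframe's code. Schema and function names are assumptions.

// --- 1. Client-side escaping of the kind mysql2's query(sql, values) does for '?'.
// Simplified re-implementation for illustration only. Like the real thing it
// handles *values*; identifiers (table/column names, ORDER BY) must come from
// an allowlist in code, never from the request.
const ESCAPE_MAP = {
  '\0': '\\0', '\b': '\\b', '\t': '\\t', '\n': '\\n', '\r': '\\r',
  '\x1a': '\\Z', '"': '\\"', "'": "\\'", '\\': '\\\\',
};

function escapeLiteral(value) {
  if (value === null || value === undefined) return 'NULL';
  if (typeof value === 'number') return Number.isFinite(value) ? String(value) : 'NULL';
  if (typeof value === 'boolean') return value ? 'true' : 'false';
  if (typeof value !== 'string') throw new TypeError(`cannot escape a ${typeof value}`);
  return "'" + value.replace(/[\0\b\t\n\r\x1a"'\\]/g, (c) => ESCAPE_MAP[c]) + "'";
}

function format(sql, values) {
  let i = 0;
  const out = sql.replace(/\?/g, () => {
    if (i >= values.length) throw new RangeError('more placeholders than values');
    return escapeLiteral(values[i++]);
  });
  if (i !== values.length) throw new RangeError('more values than placeholders');
  return out;
}

// --- 2. BEFORE: the pattern the audit should hunt for. The caller's string is
// spliced into the SQL, so a crafted email rewrites the WHERE clause, and
// SELECT * drags the password hash into the application layer.
function findMentorUnsafe(email) {
  return `SELECT * FROM users WHERE email = '${email}'`;
}

// --- 3. AFTER: explicit column list (static, so backtick-quoting is safe) and a
// placeholder for the value. Returns what you would hand to query()/execute().
const PUBLIC_MENTOR_COLUMNS = ['uid', 'name', 'email', 'keycode', 'bio']; // assumed schema

function findMentorQuery(email) {
  const columns = PUBLIC_MENTOR_COLUMNS.map((c) => `\`${c}\``).join(', ');
  return { sql: `SELECT ${columns} FROM users WHERE email = ?`, values: [email] };
}

// --- 4. The other option from the "Information leaks" issue: if a SELECT *
// row is already in hand, allowlist the fields before serialising.
function toPublicMentor(row) {
  const out = {};
  for (const c of PUBLIC_MENTOR_COLUMNS) {
    if (c in row) out[c] = row[c];
  }
  return out;
}

module.exports = { escapeLiteral, format, findMentorUnsafe, findMentorQuery, toPublicMentor };
```

With mysql2 itself, `query(sql, values)` does the client-side escaping shown here, while `execute(sql, values)` sends a server-side prepared statement; both keep a value from becoming SQL. Neither protects an identifier, which is why the column list above is a constant in code.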

Add endpoint for email change

Currently we don't support email changes in a clean way. The way we would do it now is to start using UIDs to identify people and change the email using a POST to /profile/me... This is fast and reliable but in the future it's a better idea to send an email to the mentor wanting to change it. Otherwise someone who hijacks an account has unlimited power over it.

POST /mentor/meetup

Announce a new meetup request to the API. We need to send the appropriate emails and add the info to everyone's Google Calendars

Onboarding

We want to welcome our platform mentors by creating a special subdomain for them. In this group of pages, our incredible UX will guide them through:

  • What is Connect and Upframe
  • Password setting
  • Email setting
  • Time slots setting

This issue will be updated during the implementation of all these pages (in the Connect Frontend Repository) and its corresponding API support.

Save end time on meetups

Right now we are estimating a meetup time of 1 hour when we add the slot to the mentor's Google Calendar. If a mentor adds slots that don't last one hour, the event added to Google Calendar will be incorrect. We should fix this ASAP.

Remove unnecessary email field in /auth/forgotmypassword

Right now this endpoint is expecting 3 inputs: email, new password and the token sent via email. We don't want to depend on the current email to perform the change since this is an extra step for the user.

Let's make the tokens harder to crack (implement brute-force protection, or add an expiration time or max attempts) and remove the need to input the email address of the account they want to change the email of.

[Optimization] POST /profile/image

Right now we are sending the image that the user uploads and storing it temporarily on the server. After the whole upload is complete we create a File System Stream to read the file from disk and upload it (as a stream) to S3. This process is good because it uses streams.

However, storing the file on the server is VERY inefficient since it's an unnecessary IO operation. The ideal flow would be to receive the file as a stream and redirect this stream directly to the S3 upload function.
Although this is not a priority, we should take a look at this.
