upframe / api (Goto Github PK)
The API for our platform and services.
Home Page: https://api.upframe.io
License: GNU General Public License v3.0
Right now we are estimating a meetup time of 1 hour when we add the slot to the mentor's Google Calendar. If a mentor adds slots that don't last one hour, the event added to Google Calendar will be incorrect. We should fix this ASAP.
I'm not sure if we need this ASSUMING we implement the email change in the correct way. If someone wants to change their password it's a good idea to have a quick change. However, maybe we should send an email confirming this change...
Both ways work... It's a matter of personal preference and not about security (I think...)
So what do you say Fabio? Should we send a verification email? Or since we already have a safe email change we allow passwords to be changed easily and if someone is hacked all they have to do is request a reset?
When someone is trying to register with a name that will be converted to a keycode already in use, the API will fail to do so explaining that the email trying to register is already in use. Actually what's happening is that the keycode generator is not smart enough (yet) to detect an already in use keycode and generate another one.
We need this fix because sooner or later there will be people whose keycodes generated from their names will be the same.
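An added example (not upframe/api code) of the behaviour the two issues above ask for: the keycode derived from a name is checked against the keycodes already taken and given a numeric suffix on collision, so the signup no longer fails with a misleading "email already in use" error. The in-memory `db` object, the `registerUser` shape and the dot-separated keycode format are assumptions for the illustration; in the real table the same guarantee comes from a UNIQUE constraint on the keycode column plus a retry on duplicate-key error.

```javascript
// Derive a URL-safe keycode from a display name: strip accents, lowercase,
// keep only a-z0-9 and join the words with a dot (format is an assumption).
function baseKeycode(name) {
  const normalized = String(name)
    .normalize('NFD')
    .replace(/[\u0300-\u036f]/g, '') // drop combining accent marks
    .toLowerCase()
    .trim();
  const parts = normalized.split(/[^a-z0-9]+/).filter(Boolean);
  return parts.join('.') || 'user';
}

// Pick a keycode that is not yet in use; `existingKeycodes` stands in for a
// lookup against the users table. On collision append 2, 3, 4, ... until free.
function uniqueKeycode(name, existingKeycodes, maxAttempts = 1000) {
  const base = baseKeycode(name);
  if (!existingKeycodes.has(base)) return base;
  for (let n = 2; n < maxAttempts; n++) {
    const candidate = `${base}.${n}`;
    if (!existingKeycodes.has(candidate)) return candidate;
  }
  throw new Error(`could not allocate a keycode for "${name}"`);
}

// Registration step: the email check and the keycode check are now separate,
// so the error message reports the real cause of a rejected signup.
function registerUser(name, email, db) {
  if (db.emails.has(email)) {
    return { ok: false, code: 409, message: 'email already in use' };
  }
  const keycode = uniqueKeycode(name, db.keycodes);
  db.keycodes.add(keycode); // reserve it in the same step that checked it
  db.emails.add(email);
  return { ok: true, code: 200, keycode };
}

// Constructed in-memory stand-in for the users table.
const db = { keycodes: new Set(), emails: new Set() };
```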
For some reason the JWT or the authentication cookie expires before the time.
Man, can you help me set up the lint? For some reason the config isn't working. I already set up everything in Travis, all you have to do is make the config in the right format / install ESLint correctly
Announce a new meetup request to the API. We need to send the appropriate emails and add the info to everyone's Google Calendars
Coordinate an S3 Bucket with this request so that we can upload pictures.
Mentor search using the user text
A new Upframe Calendar is created every time a user syncs his account. When a user connects his account to Google Calendar for the second time, the first calendar created beforehand should be used instead.
It is important for us to keep our data safe. We need to make sure we are not vulnerable to any of the following attacks. Add some more for our audit.
There isn't an endpoint to fetch all the available mentor slots.
This is related to the meetup creation.
Currently we don't support email changes in a clean way. The way we would do it now is to start using UIDs to identify people and change the email using a POST to /profile/me... This is fast and reliable but in the future it's a better idea to send an email to the mentor wanting to change it. Otherwise someone who hijacks an account has unlimited power over it.
Endpoint to verify onboarding URLs AND UniqueIDs. Depending on the request we need to be able to verify both the options
Right now our API is not always returning an error message, only sending an error code. It will be very useful for development if we had an error message every time something fails so that we can quickly look it up instead of reverse engineering the whole process flow.
Implement these error messages throughout the code
Right now we are using emails as a way to identify mentors... This is cool and easy but once you want to change the email in the SQL table things start to get a little wild. It's a better idea to have a UID that does not change while emails can be freely changed.
When you change this you gotta change the information used in the JWT located at /router/auth.js and /services/token.js
Right now this endpoint is expecting 3 inputs: email, new password and the token sent via email. We don't want to depend on the current email to perform the change since this is an extra step for the user.
Let's make the tokens harder to crack (implement bruteforce protection or add an expiration time or max attempts) and remove the need to input the email address of the account they want to change the email of.
The link that is displayed in the emails sent to users about changing their passwords or emails is displaying an incorrect format. However the redirect value is correct.
This means that they work if clicked on, but won't work if copy and pasted into the browser.
Due to the fact that sometimes we are lazy we are using SELECT * FROM ... and not handling the information leak that this causes. We are basically dumping all the information from a user without handling what is useful or not. We shouldn't send hashed passwords back and forth for example xD even though we are using SSL... It's just not a good practice.
TODO: go through all our requests and either stop using SELECT * and specify what we need OR take care of the extra information before we send it
Easy fix and not a priority but must be taken care of before we launch.
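An added example (not upframe/api code) of both options from the TODO above: an explicit column list used to build the SELECT, and a projection that strips anything outside that list from rows that still come from `SELECT *`. It also includes a small checker that walks a response object and reports the first sensitive key it finds, which is the kind of assertion that belongs in the API tests so the leak cannot come back. The column and table names are assumed, as is the `sampleRow`.

```javascript
// Columns a profile endpoint is allowed to return (assumed schema).
const PUBLIC_USER_COLUMNS = ['uid', 'name', 'keycode', 'email', 'bio', 'pictureUrl'];
// Column names that must never appear in any JSON reply (assumed names).
const SENSITIVE_COLUMNS = new Set(['password', 'passwordHash', 'googleRefreshToken', 'resetToken']);

// Option 1: name the columns in the query instead of SELECT *.
function selectPublicUserSql(table = 'users') {
  const cols = PUBLIC_USER_COLUMNS.map((c) => '`' + c + '`').join(', ');
  return `SELECT ${cols} FROM \`${table}\` WHERE \`keycode\` = ?`;
}

// Option 2: project a full row onto the allow-list before sending it.
function toPublicUser(row) {
  const out = {};
  for (const col of PUBLIC_USER_COLUMNS) {
    if (Object.prototype.hasOwnProperty.call(row, col)) out[col] = row[col];
  }
  return out;
}

// Test helper: return the path of the first sensitive key found in a response
// body (objects and arrays are searched recursively), or null when it is clean.
function findSensitiveField(value, path = '$') {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findSensitiveField(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (value && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      if (SENSITIVE_COLUMNS.has(key)) return `${path}.${key}`;
      const hit = findSensitiveField(child, `${path}.${key}`);
      if (hit) return hit;
    }
  }
  return null;
}

// Constructed row, shaped like what SELECT * would return for one user.
const sampleRow = {
  uid: 17, name: 'Ana', keycode: 'ana', email: 'ana@example.test', bio: '', pictureUrl: null,
  password: '$2b$10$constructed-hash', googleRefreshToken: 'constructed-refresh-token',
};
```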
When a mentor receives the email regarding the booked slot, the meetup time in the email is one hour in advance.
Currently, the database saves the meetup time in 0 GMT timezone.
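An added example (not upframe/api code) covering this issue and the calendar-duration one above: slots are kept as UTC instants, the calendar event takes its end from the slot's own end rather than a fixed hour, and the time is converted to the mentor's zone only at the moment the email text is built. The slot object shape, the `menteeName` field and the event structure are assumptions.

```javascript
// Build the calendar event from the slot's stored UTC bounds. The duration is
// whatever the mentor chose, not a hard-coded 60 minutes.
function calendarEventFromSlot(slot) {
  const start = new Date(slot.startUtc);
  const end = new Date(slot.endUtc);
  if (Number.isNaN(start.getTime()) || Number.isNaN(end.getTime()) || end <= start) {
    throw new Error('slot must have a valid start before its end');
  }
  return {
    summary: `Upframe meetup with ${slot.menteeName}`,
    start: { dateTime: start.toISOString(), timeZone: 'UTC' },
    end: { dateTime: end.toISOString(), timeZone: 'UTC' },
    durationMinutes: (end - start) / 60000,
  };
}

// Render a UTC instant as wall-clock time in the mentor's IANA zone, which is
// the only place a zone conversion should happen (the database stays in UTC).
function mentorLocalTime(utcIso, timeZone) {
  return new Intl.DateTimeFormat('en-GB', {
    timeZone, hour: '2-digit', minute: '2-digit', hourCycle: 'h23',
  }).format(new Date(utcIso));
}

// Constructed slot: 14:00-14:30 UTC on a summer date.
const sampleSlot = {
  startUtc: '2019-06-03T14:00:00Z', endUtc: '2019-06-03T14:30:00Z', menteeName: 'Ana',
};
```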
We want to welcome our platform mentors by creating a special subdomain for them. In this group of pages, our incredible UX will guide them through:
This issue will be updated during the implementation of all these pages (in Connect Frontend Repository, ) and its corresponding API support.
Quick search endpoint. Three types of results
We have to define how the slots are saved in the database, what that piece of data contains and how it works.
When we fetch mentor information the backend is sending us the right field at "mentor" but both the "ok" and the "code" fields are wrong. They are being sent as if an error happened yet the information in the mentor part is on point. Someone needs to investigate this.
This will help in front end development
Make sure we are not vulnerable to SQL injection. This includes escaping all text inputs. The mysql2 module has a special way of escaping chars (using the ?) but I don't think we have implemented it everywhere. Best way to test this is to attack every corner and see how the API reacts
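An added example (not upframe/api or mysql2 code) showing what the `?` placeholder does for you: every user-supplied value is emitted as a properly escaped literal, so quote characters inside it stay inside the literal. `escapeLiteral` and `formatQuery` here are a standalone illustration of that substitution, not mysql2's implementation; in the project, passing the values array to `connection.query(sql, params)` or `connection.execute(sql, params)` gives the same guarantee. The second helper covers the case placeholders cannot: a column name for ORDER BY has to come from an allow-list, never from the request. The `SORTABLE_COLUMNS` set is an assumption.

```javascript
// Turn a JS value into a SQL literal. Strings get the characters MySQL treats
// specially escaped; null becomes NULL; numbers and booleans are emitted bare.
function escapeLiteral(value) {
  if (value === null || value === undefined) return 'NULL';
  if (typeof value === 'number') return Number.isFinite(value) ? String(value) : 'NULL';
  if (typeof value === 'boolean') return value ? 'TRUE' : 'FALSE';
  const escaped = String(value).replace(/[\0\b\t\n\r\x1a'"\\]/g, (ch) => {
    switch (ch) {
      case '\0': return '\\0';
      case '\b': return '\\b';
      case '\t': return '\\t';
      case '\n': return '\\n';
      case '\r': return '\\r';
      case '\x1a': return '\\Z';
      default: return '\\' + ch; // quotes and backslash
    }
  });
  return `'${escaped}'`;
}

// Replace each ? with the escaped literal for the matching parameter; a count
// mismatch is a programming error and fails loudly instead of silently.
function formatQuery(sql, params) {
  let i = 0;
  const out = sql.replace(/\?/g, () => {
    if (i >= params.length) throw new Error('not enough parameters for query');
    return escapeLiteral(params[i++]);
  });
  if (i !== params.length) throw new Error('too many parameters for query');
  return out;
}

// Identifiers cannot be placeholders, so a sort column is accepted only if it
// is one of the names we chose in advance.
const SORTABLE_COLUMNS = new Set(['name', 'keycode']); // assumed
function orderByClause(column) {
  if (!SORTABLE_COLUMNS.has(column)) throw new Error('unsupported sort column');
  return ' ORDER BY `' + column + '`';
}

// Assemble the mentor-search query from a text input and a sort choice.
function mentorSearchQuery(text, sortColumn) {
  return formatQuery('SELECT uid, name, keycode FROM users WHERE name LIKE ?', [`%${text}%`])
    + orderByClause(sortColumn);
}
```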
Right now we are sending the image that the user uploads and storing it temporarily on the server. After the whole upload is complete we create a File System Stream to read the file from disk and upload it (as a stream) to S3. This process is good because it uses streams.
However, storing the file on the server is VERY inefficient since it's an unnecessary IO operation. The ideal flow would be to receive the file as a stream and redirect this stream directly to the S3 Upload function.
Although this is not a priority we should take a look at this.
If you try to login with empty fields the API will throw an UnhandledPromiseRejectionWarning and will not respond to the request. This can break the front end (waiting for a response)
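An added example (not upframe/api code) of the fix for the login issue above: the body is validated before any database work so empty or missing fields get a 400 with a message, and the async part is wrapped so that any rejection still turns into a response instead of a warning and a request that never completes. The handler is written against a plain `body` and returns `{ status, body }` so it runs without Express; `findUserAndCheckPassword` is an injected stand-in for the database lookup plus password check, and `asyncRoute` shows the usual Express wrapper that forwards an escaped rejection to `next(err)`.

```javascript
// Return a list of problems with the login body; an empty list means valid.
function validateLoginBody(body) {
  if (!body || typeof body !== 'object') return ['body must be a JSON object'];
  const errors = [];
  if (typeof body.email !== 'string' || body.email.trim() === '') errors.push('email is required');
  if (typeof body.password !== 'string' || body.password === '') errors.push('password is required');
  return errors;
}

// Core login logic. Every path returns a response; nothing can escape as an
// unhandled rejection.
async function loginHandler(body, findUserAndCheckPassword) {
  const errors = validateLoginBody(body);
  if (errors.length > 0) {
    return { status: 400, body: { ok: false, code: 400, message: errors.join('; ') } };
  }
  try {
    const user = await findUserAndCheckPassword(body.email.trim().toLowerCase(), body.password);
    if (!user) {
      return { status: 401, body: { ok: false, code: 401, message: 'invalid credentials' } };
    }
    return { status: 200, body: { ok: true, code: 200, uid: user.uid } };
  } catch (err) {
    // Log err server-side; the client gets a generic message and the request ends.
    return { status: 500, body: { ok: false, code: 500, message: 'login failed' } };
  }
}

// Express wrapper: any rejection from an async route reaches next(err), where
// the error middleware can answer the request instead of leaving it hanging.
const asyncRoute = (fn) => (req, res, next) => Promise.resolve(fn(req, res, next)).catch(next);

// Constructed stand-in for "look the user up and compare the bcrypt hash".
async function fakeFindUserAndCheckPassword(email, password) {
  if (email === 'ana@example.test' && password === 'correct-horse') return { uid: 17 };
  return null;
}
```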