Refactor createTier, createSponsor, createCompany + add logging (VandyHacks#526)

cktang88 · web-flow · commit a7c794dd0061 · 2019-12-06T15:11:42.000-06:00
* Small refactor
* Update logging, some logic
* Add unique name checks to tier/company
* Add httpOnly cookies setting
* Set more cookie options
diff --git a/src/client/routes/dashboard/OrganizerDash.tsx b/src/client/routes/dashboard/OrganizerDash.tsx
@@ -3,7 +3,7 @@ import { Bar, Pie, ChartData } from 'react-chartjs-2';
 import { Link } from 'react-router-dom';
 import gql from 'graphql-tag';
 import styled from 'styled-components';
-import chartjs, { ChartOptions } from 'chart.js';
+import { ChartData as OldChartData, ChartOptions } from 'chart.js';
 
 import Spinner from '../../components/Loading/Spinner';
 import { GraphQLErrorMessage } from '../../components/Text/ErrorMessage';
@@ -111,7 +111,7 @@ const colorPalette = STRINGS.COLOR_PALETTE.slice(1);
 const generateColor = (n: number): string[] =>
 	[...Array(n).keys()].map((i: number) => colorPalette[i % colorPalette.length]);
 
-const barStatusData = (data: { [key: string]: number }): ChartData<chartjs.ChartData> => {
+const barStatusData = (data: { [key: string]: number }): ChartData<OldChartData> => {
 	const statusData = Object.values(data).slice(0, -1);
 	const statusLabels = Object.keys(data).slice(0, -1);
 	return {
@@ -164,7 +164,7 @@ const barStatusOptions: ChartOptions = {
 	},
 };
 
-const pieShirtData = (data: { [key: string]: number }): ChartData<chartjs.ChartData> => {
+const pieShirtData = (data: { [key: string]: number }): ChartData<OldChartData> => {
 	const shirtLabels = Object.keys(data).slice(0, -1);
 	const shirtData = Object.values(data).slice(0, -1);
 
@@ -193,7 +193,7 @@ const pieShirtOptions = {
 	},
 };
 
-const pieGenderData = (data: { [key: string]: number }): ChartData<chartjs.ChartData> => {
+const pieGenderData = (data: { [key: string]: number }): ChartData<OldChartData> => {
 	const genderLabels = Object.keys(data).slice(0, -1);
 	const genderData = Object.values(data).slice(0, -1);
 
diff --git a/src/client/routes/manage/SponsorHackerView.tsx b/src/client/routes/manage/SponsorHackerView.tsx
@@ -48,7 +48,7 @@ export const SponsorHackerView: FunctionComponent = (): JSX.Element => {
 	}
 
 	if (false && !viewHackerTable) {
-		// TODO: FIX
+		// TODO: handle sponsor permissions properly
 		return <p>You dont have permissions to view hacker information</p>;
 	}
 
diff --git a/src/server/auth/helpers.ts b/src/server/auth/helpers.ts
@@ -8,30 +8,30 @@ import DB, { Models } from '../models';
 import { fetchUser } from '../resolvers/helpers';
 import logger from '../logger';
 
-export async function getUserFromDb(email: string, userType?: string): Promise<UserDbInterface> {
-	const { Hackers, Organizers, Sponsors } = await new DB().collections;
-
-	let user: UserDbInterface | null = null;
-	switch (userType) {
-		case UserType.Hacker:
-			user = await Hackers.findOne({ email });
-			break;
-		case UserType.Organizer:
-			user = await Organizers.findOne({ email });
-			break;
-		case UserType.Sponsor:
-			user = await Sponsors.findOne({ email });
-			break;
-		default:
-			throw new Error(`invalid userType '${userType}'`);
-	}
-
-	if (!user) {
-		throw new Error(`couldn't find user (${user}) with email ${email}`);
-	}
-
-	return user;
-}
+// export async function getUserFromDb(email: string, userType?: string): Promise<UserDbInterface> {
+// 	const { Hackers, Organizers, Sponsors } = await new DB().collections;
+
+// 	let user: UserDbInterface | null = null;
+// 	switch (userType) {
+// 		case UserType.Hacker:
+// 			user = await Hackers.findOne({ email });
+// 			break;
+// 		case UserType.Organizer:
+// 			user = await Organizers.findOne({ email });
+// 			break;
+// 		case UserType.Sponsor:
+// 			user = await Sponsors.findOne({ email });
+// 			break;
+// 		default:
+// 			throw new Error(`invalid userType '${userType}'`);
+// 	}
+
+// 	if (!user) {
+// 		throw new Error(`couldn't find user (${user}) with email ${email}`);
+// 	}
+
+// 	return user;
+// }
 
 export const verifyCallback = async (
 	models: Models,
diff --git a/src/server/events/index.ts b/src/server/events/index.ts
@@ -1,4 +1,4 @@
-import ical, { CalendarResponse, CalendarComponent, VEvent } from 'node-ical';
+import { fromURL, CalendarResponse, CalendarComponent, VEvent } from 'node-ical';
 import { AuthenticationError, UserInputError } from 'apollo-server-express';
 import { ObjectID } from 'mongodb';
 import { EventUpdateInput, EventDbObject, CompanyDbObject } from '../generated/graphql';
@@ -54,7 +54,7 @@ export const transformCalEventToDBUpdate = (event: Record<string, string>): Even
 export async function pullCalendar(calendarID: string | undefined): Promise<EventUpdate[] | null> {
 	if (calendarID) {
 		const url = `https://www.google.com/calendar/ical/${calendarID}/public/basic.ics`;
-		const cal = await ical.fromURL(url).catch(err => {
+		const cal = await fromURL(url).catch(err => {
 			throw new Error(`Could not fetch calendar at URL: ${url}; Error: ${err.message}`);
 		});
 		const calKeys = Object.keys(cal);
diff --git a/src/server/index.ts b/src/server/index.ts
@@ -46,11 +46,16 @@ export const schema = makeExecutableSchema({
 			store: new (MongoStore(session))(({
 				clientPromise: dbClient.client,
 			} as unknown) as MongoUrlOptions),
-			/*
-			can't use secure cookies b/c only HTTP connection between dyno and Heroku servers, 
-			but don't need it as long as connection as Heroku servers and client are HTTPS
-			*/
-			// cookie: { secure: IS_PROD },
+			cookie: {
+				/*
+					can't use secure cookies b/c only HTTP connection between dyno and Heroku servers, 
+					but don't need it as long as connection as Heroku servers and client are HTTPS
+				*/
+				// secure: IS_PROD,
+				httpOnly: true, // protects against XSS attacks
+				signed: true,
+				sameSite: true,
+			},
 		})
 	);
 	app.use(passport.initialize());
diff --git a/src/server/nfc/index.ts b/src/server/nfc/index.ts
@@ -2,6 +2,7 @@ import { ObjectID } from 'mongodb';
 import { AuthenticationError, UserInputError } from 'apollo-server-express';
 import { HackerDbObject, UserDbInterface } from '../generated/graphql';
 import { Models } from '../models';
+import logger from '../logger';
 
 // TODO: (kenli/timliang) Expand functions for Organizers, Mentors collections
 
@@ -68,6 +69,8 @@ export async function registerNFCUIDWithUser(
 		{ returnOriginal: false }
 	);
 
+	logger.info(`registered user ${userID} with NFC id ${nfcID}`);
+
 	if (ret.value) {
 		if (ret.value.secondaryIds.length > 1) {
 			throw new Error(`Associated new NFC ID with user overriding the old NFC ID`);
@@ -106,8 +109,10 @@ export async function removeUserFromEvent(
 			}
 		),
 	]);
-
 	if (ret[0].result.ok && ret[1].result.ok) {
+		logger.info(
+			`removed user ${userID} (${user.firstName} ${user.lastName}) from event ${eventID}`
+		);
 		return user;
 	}
 
@@ -156,7 +161,10 @@ export async function checkInUserToEvent(
 		},
 		{ returnOriginal: false }
 	);
-	if (retEvent.ok && retUsr.ok && retUsr.value) return retUsr.value;
+	if (retEvent.ok && retUsr.ok && retUsr.value) {
+		logger.info(`checked in user ${userID} to event ${eventID}`);
+		return retUsr.value;
+	}
 
 	throw new Error(`failed checking user <${userID}> into event <${eventID}>`);
 }
diff --git a/src/server/resolvers/index.ts b/src/server/resolvers/index.ts
@@ -11,6 +11,8 @@ import {
 	HackerDbObject,
 	SponsorStatus,
 	SponsorDbObject,
+	TierDbObject,
+	CompanyDbObject,
 } from '../generated/graphql';
 import Context from '../context';
 import {
@@ -27,6 +29,7 @@ import { checkInUserToEvent, removeUserFromEvent, registerNFCUIDWithUser, getUse
 import { addOrUpdateEvent, assignEventToCompany, removeAbsentEvents } from '../events';
 import { getSignedUploadUrl, getSignedReadUrl } from '../storage/gcp';
 import { sendStatusEmail } from '../mail/aws';
+import logger from '../logger';
 
 // added here b/c webpack JSON compilation with 'use-strict' is broken (10/31/19)
 const DEADLINE_TS = 1572497940000;
@@ -191,36 +194,33 @@ export const resolvers: CustomResolvers<Context> = {
 			root,
 			{ input: { email, name, companyId } },
 			{ models, user }: Context
-		) => {
-			if (!user || user.userType !== UserType.Organizer)
-				throw new AuthenticationError(`user '${JSON.stringify(user)}' must be organizer`);
-			const sponsor = await models.Sponsors.findOne({ email });
+		): Promise<SponsorDbObject> => {
+			checkIsAuthorized(UserType.Organizer, user);
 			const company = await models.Companies.findOne({ _id: new ObjectID(companyId) });
 			if (!company) throw new UserInputError(`Company with '${companyId}' doesn't exist.`);
-			if (!sponsor) {
-				await models.Sponsors.insertOne({
-					_id: new ObjectID(),
-					company,
-					createdAt: new Date(),
-					email,
-					firstName: name,
-					lastName: '',
-					logins: [],
-					phoneNumber: '',
-					dietaryRestrictions: '',
-					emailUnsubscribed: false,
-					eventsAttended: [],
-					preferredName: '',
-					secondaryIds: [],
-					status: SponsorStatus.Added,
-					userType: UserType.Sponsor,
-				});
-			} else {
-				throw new UserInputError(`sponsor with '${email}' is already added.`);
-			}
-			const sponsorCreated = await models.Sponsors.findOne({ email });
-			if (!sponsorCreated) throw new AuthenticationError(`sponsor not found: ${email}`);
-			return sponsorCreated;
+			const sponsor = await models.Sponsors.findOne({ email });
+			if (sponsor) throw new UserInputError(`sponsor with '${email}' is already added.`);
+
+			const newSponsor: SponsorDbObject = {
+				_id: new ObjectID(),
+				company,
+				createdAt: new Date(),
+				email,
+				firstName: name,
+				lastName: '',
+				logins: [],
+				phoneNumber: '',
+				dietaryRestrictions: '',
+				emailUnsubscribed: false,
+				eventsAttended: [],
+				preferredName: '',
+				secondaryIds: [],
+				status: SponsorStatus.Added,
+				userType: UserType.Sponsor,
+			};
+			logger.info(`creating new sponsor ${JSON.stringify(newSponsor)}`);
+			await models.Sponsors.insertOne(newSponsor);
+			return newSponsor;
 		},
 		confirmMySpot: async (root, _, { models, user }) => {
 			const { _id, status } = checkIsAuthorized(UserType.Hacker, user) as HackerDbObject;
@@ -256,33 +256,46 @@ export const resolvers: CustomResolvers<Context> = {
 			// no email sent if declined
 			return value;
 		},
-		createTier: async (root, { input: { name, permissions } }, { models, user }: Context) => {
-			if (!user || user.userType !== UserType.Organizer)
-				throw new AuthenticationError(`user '${JSON.stringify(user)}' must be organizer`);
-			await models.Tiers.insertOne({
+		createTier: async (
+			root,
+			{ input: { name, permissions } },
+			{ models, user }: Context
+		): Promise<TierDbObject> => {
+			checkIsAuthorized(UserType.Organizer, user);
+			const tier = await models.Tiers.findOne({ name });
+			// currently does not support updating
+			if (tier) throw new UserInputError(`Tier ${name} already exists, no action performed.`);
+
+			const newTier: TierDbObject = {
 				_id: new ObjectID(),
 				name,
 				permissions: permissions || [],
-			});
-			const tierCreated = await models.Tiers.findOne({ name });
-			if (!tierCreated) throw new AuthenticationError(`tier not found: ${name}`);
-			return tierCreated;
+			};
+			logger.info(`creating tier ${JSON.stringify(newTier)}`);
+			await models.Tiers.insertOne(newTier);
+			return newTier;
 		},
-		createCompany: async (root, { input: { name, tierId } }, { models, user }: Context) => {
-			if (!user || user.userType !== UserType.Organizer)
-				throw new AuthenticationError(`user '${JSON.stringify(user)}' must be organizer`);
-
+		createCompany: async (
+			root,
+			{ input: { name, tierId } },
+			{ models, user }: Context
+		): Promise<CompanyDbObject> => {
+			checkIsAuthorized(UserType.Organizer, user);
 			const tier = await models.Tiers.findOne({ _id: new ObjectID(tierId) });
 			if (!tier) throw new UserInputError(`Tier with id ${tierId}' doesn't exist.`);
-			await models.Companies.insertOne({
+			// currently does not support updating
+			const comp = await models.Companies.findOne({ name });
+			if (comp) throw new UserInputError(`Company ${name} already exists, no action performed.`);
+
+			const newCompany: CompanyDbObject = {
 				_id: new ObjectID(),
 				name,
 				tier,
 				eventsOwned: [],
-			});
-			const companyCreated = await models.Companies.findOne({ name });
-			if (!companyCreated) throw new AuthenticationError(`company not found: ${name}`);
-			return companyCreated;
+			};
+			logger.info(`creating company ${JSON.stringify(newCompany)}`);
+			await models.Companies.insertOne(newCompany);
+			return newCompany;
 		},
 		checkInUserToEventByNfc: async (root, { input }, { models, user }) => {
 			checkIsAuthorizedArray([UserType.Organizer, UserType.Volunteer, UserType.Sponsor], user);
@@ -419,7 +432,6 @@ export const resolvers: CustomResolvers<Context> = {
 				}))
 			);
 
-			// TODO: Update this to set the hacker's profile fields (name, school, gender, etc.) with application data.
 			if (!result.ok) {
 				throw new UserInputError(
 					`error inputting user application input for user "${id}" ${JSON.stringify(result)}`

Original file line number	Diff line number	Diff line change
`@@ -48,7 +48,7 @@ export const SponsorHackerView: FunctionComponent = (): JSX.Element => {`
`48`	`48`	`}`
`49`	`49`
`50`	`50`	`if (false && !viewHackerTable) {`
`51`		`- // TODO: FIX`
	`51`	`+ // TODO: handle sponsor permissions properly`
`52`	`52`	`return <p>You dont have permissions to view hacker information</p>;`
`53`	`53`	`}`
`54`	`54`