BCMOHAM-26040: Adding new HA ID login option into backend and frontend code
* Cleaned up several unnecessary scripts that were added during the introduction of the TypeScript compile step. * Update the CronJob YAML files to match the current OpenShift configuration
… for BCeID users. (#1114) It causes a display issue on the Employer welcome page for BCeID users (first name and last name not displayed). We now display the BCeID username instead.
Updated HA ID option + fix for first name and last name variables no longer being sent from Keycloak for BCeID users
…low and add steps to apply cronjob changes (#1116)
No code change (Test openshift workflow: add comment to trigger cronjob deployment)
…mation Co-authored-by: Amp <amp@ampcode.com> Amp-Thread-ID: https://ampcode.com/threads/T-c74456f1-c0e9-4400-bb7b-221d0a16a618
…rkflow Co-authored-by: Amp <amp@ampcode.com> Amp-Thread-ID: https://ampcode.com/threads/T-c74456f1-c0e9-4400-bb7b-221d0a16a618
Update deployment documentation on README
Update deployment documentation on README
* Update deployment documentation to reflect infrastructure change automation
* Complete production deployment documentation based on promote-prod workflow
* Upgrade root package.json dependencies to latest compatible versions
* MAJOR UPGRADE: Node.js engines, Express 5.x, React 19.x
* COMPATIBILITY FIX: Downgrade React Router to v5.3.4
* Downgrade React from v19 to v18 for Material-UI v4
* Replace body-parser with express.json() for Express v5 upgrade
* Nodejs upgrade from v20 to v24
* Fix root npm dependencies and npm-run-all script syntax
* Update docker versions on Docker files and fix the statusFilters
* Global and Frontend modules upgrades
* Update nodejs version on format check workflow
* Fix errors and warnings scanned by Format check workflow, and update eslint to v9 on server code
* adding regex to support dev and test domains
* updating new cert in documents and pipelines
---------
Co-authored-by: Dinh Nguyen Pham <nguyenphamswork@gmail.com>
Co-authored-by: Dinh Nguyen Pham <63203684+npham49@users.noreply.github.com>
Removing freshworks.club references in front-end code and replacing with new prefixes.
Updating string replacement for double quotes
Updating nonce to be inserted by webpack
Fix Pagination issues on tables and adding Docs for DEV TEST Certs
* client js upgrade and fix * fix on JSU-224 * fix JSU-225 * remove debug comments
* backend library upgrades and mongodb version update * add scripts for mongo db upgrade * remove MongoDB migration scripts (not needed as production uses Helm-managed MongoDB 4.4.6) * rollback mongo.yml
* fix the email validation on participant info edit pop-up * update email validation check
… column (#1139) * fix: resolve 'a few seconds ago' display for participant Last Updated column * update comment
Fixing seeding script
* JSU-422 remove 'Add Non-Portal Hire' button for MOH Admin accounts * JSU-416 Correct the Health Authority dropdown option for employers under the 'My Sites' tab
* JSU3-global and frontend JS upgrade (#1122)
* Update deployment documentation to reflect infrastructure change automation
* Complete production deployment documentation based on promote-prod workflow
* Upgrade root package.json dependencies to latest compatible versions
* MAJOR UPGRADE: Node.js engines, Express 5.x, React 19.x
* COMPATIBILITY FIX: Downgrade React Router to v5.3.4
* Downgrade React from v19 to v18 for Material-UI v4
* Replace body-parser with express.json() for Express v5 upgrade
* Nodejs upgrade from v20 to v24
* Fix root npm dependencies and npm-run-all script syntax
* Update docker versions on Docker files and fix the statusFilters
* Global and Frontend modules upgrades
* Update nodejs version on format check workflow
* Fix errors and warnings scanned by Format check workflow, and update eslint to v9 on server code
* adding regex to support dev and test domains
* updating new cert in documents and pipelines
---------
Co-authored-by: Dinh Nguyen Pham <nguyenphamswork@gmail.com>
Co-authored-by: Dinh Nguyen Pham <63203684+npham49@users.noreply.github.com>
* update node version on workflow files (#1124)
* Dockerfile update to include .npmrc to client container (#1126)
* fixing npm build error on server triggered by nodejs upgrade (#1127)
* fixing server errors (#1128)
* Fix SPA catch-all route for Express 5 / path-to-regexp v6 (#1129)
* removing more freshworks.club references
* updating string replacement for double quotes
* updating nonce to be inserted by webpack
* fixing the CSP violations issue related to nonce (#1133)
* adding docs for cert and table fixes
* fixing seeding script not connecting properly
* Frontend js upgrade & fix (#1135)
* client js upgrade and fix
* fix on JSU-224
* fix JSU-225
* remove debug comments
* backend library upgrades and mongodb version update (#1137)
* backend library upgrades and mongodb version update
* add scripts for mongo db upgrade
* remove MongoDB migration scripts (not needed as production uses Helm-managed MongoDB 4.4.6)
* rollback mongo.yml
* fix the email validation on participant info edit pop-up (#1138)
* fix the email validation on participant info edit pop-up
* update email validation check
* fix: resolve 'a few seconds ago' display for participant Last Updated column (#1139)
* fix: resolve 'a few seconds ago' display for participant Last Updated column
* update comment
* JSU-414: hide the 'Edit' button to non_mohadmin accounts
* Jsu 416 employer site fix (#1140)
* JSU-422 remove 'Add Non-Portal Hire' button for MOH Admin accounts
* JSU-416 Correct the Health Authority dropdown option for employers under the 'My Sites' tab
* vulnerability fix (#1142)
---------
Co-authored-by: Dinh Nguyen Pham <nguyenphamswork@gmail.com>
Co-authored-by: Dinh Nguyen Pham <63203684+npham49@users.noreply.github.com>
Co-authored-by: npham49 <brian.1.pham@gov.bc.ca>
```ts
// SPA catch-all in server/server.ts: any GET whose path does not start with /api/v1 gets index.html
app.get(/^(?!\/api\/v1).*/, (req, res) => {
  res.sendFile(path.join(__dirname, '../client/build', 'index.html'));
});
```
Check failure (Code scanning / CodeQL): Missing rate limiting, severity High
Copilot Autofix (AI, 7 months ago)
The best way to fix this problem is to introduce a rate-limiting middleware into the Express pipeline prior to the route which performs file system access, specifically before the route handler serving index.html. The express-rate-limit package is a well-known, maintained library for this scenario and offers an easy-to-use API. We should install and import express-rate-limit, configure a limiter (e.g., 100 requests per 15 minutes), and apply it only to the route serving index.html. This ensures that requests to index.html are throttled and protected from abuse without affecting other API endpoints or static content.
We need to:
- import `express-rate-limit` at the top,
- instantiate a rate limiter,
- apply it to the SPA wildcard route (lines 112-114).
These changes should only involve code that we've seen in server/server.ts.
| @@ -3,6 +3,7 @@ | ||
| import express from 'express'; | ||
| import helmet from 'helmet'; | ||
| import { v4 as uuidv4 } from 'uuid'; | ||
| import rateLimit from 'express-rate-limit'; | ||
|
|
||
| import path from 'path'; | ||
| import apiRouter from './routes'; | ||
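Review bot: the import itself is fine, but nothing in this hunk or in the route hunk below configures `app.set('trust proxy', ...)`, and `express-rate-limit` keys on `req.ip` by default. Behind a reverse proxy (this PR deploys to OpenShift, whose router sits in front of the pod) `req.ip` is the proxy's address until trust proxy is set, so every user would be counted against a single bucket. Add `app.set('trust proxy', 1)` (or the real hop count) next to the existing `helmet` setup before wiring the limiter in.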
| @@ -108,8 +109,13 @@ | ||
| // Client app | ||
|
|
||
| if (process.env.NODE_ENV === 'production') { | ||
| // serve index.html for any GET that doesn't start with /api/v1 | ||
| app.get(/^(?!\/api\/v1).*/, (req, res) => { | ||
| // Rate limiter for SPA entry point | ||
| const spaLimiter = rateLimit({ | ||
| windowMs: 15 * 60 * 1000, // 15 minutes | ||
| max: 100 // limit each IP to 100 requests per windowMs | ||
| }); | ||
| // serve index.html for any GET that doesn't start with /api/v1 with rate limiting | ||
| app.get(/^(?!\/api\/v1).*/, spaLimiter, (req, res) => { | ||
| res.sendFile(path.join(__dirname, '../client/build', 'index.html')); | ||
| }); | ||
| } |
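Review bot: `max: 100` per 15 minutes on the SPA entry point is too low for a real user population: every deep-link refresh and every new tab for a non-/api/v1 path hits this handler, and users in one office commonly share an egress address, so they would start receiving 429s after 100 page loads between them. Either raise the limit well above that (the handler only reads a fixed static file) or put the limiter on the `/api/v1` routes that do real work. Also pass `standardHeaders: true, legacyHeaders: false` so rejected clients get `RateLimit-*` and `Retry-After` headers instead of a bare 429.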
| @@ -74,7 +74,8 @@ | ||
| "uuid": "^9.0.1", | ||
| "winston": "^3.17.0", | ||
| "winston-mongodb": "^6.0.0", | ||
| "yup": "^1.7.0" | ||
| "yup": "^1.7.0", | ||
| "express-rate-limit": "^8.1.0" | ||
| }, | ||
| "devDependencies": { | ||
| "@eslint/js": "^9.17.0", |
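Review bot: the new entry is appended after `yup`, breaking the alphabetical ordering the rest of the dependencies block follows; move `"express-rate-limit": "^8.1.0"` up next to `express`. The diff shown here also contains no `package-lock.json` change, so commit the lockfile update alongside it; otherwise CI resolves `^8.1.0` at build time rather than installing a pinned version.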
| Package | Version | Security advisories |
| --- | --- | --- |
| express-rate-limit (npm) | 8.1.0 | None |
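The trust-proxy caveat in the comments above is easy to get wrong, so here is an added example that is not the PR's code and not express-rate-limit itself: a hand-rolled fixed-window limiter with the same windowMs/max semantics as the autofix, plus the client-address resolution step that Express's numeric `trust proxy` setting performs. It assumes (as an assumption, not a fact from the page) that exactly one proxy hop sits in front of the app; the IP addresses and the request schedule are constructed sample data. The `simulate` function drives three browsers behind one proxy through the SPA entry point and counts rejections with and without the hop trusted.

```javascript
// Added example (not the PR's code, not express-rate-limit): minimal fixed-window
// limiter to show why the per-client key matters behind a reverse proxy.
// Assumption: one trusted proxy hop in front of the app. IPs below are constructed.

// Resolve the client address the way Express's numeric `trust proxy` does:
// X-Forwarded-For is "client, proxy1, proxy2, ..." and the socket peer is the
// last hop. Skip `trustedHops` entries from the right; the next one is the client.
function clientIp(req, trustedHops) {
  const forwarded = String(req.headers['x-forwarded-for'] || '')
    .split(',')
    .map((s) => s.trim())
    .filter(Boolean);
  const chain = [...forwarded, req.socket.remoteAddress];
  const idx = Math.max(0, chain.length - 1 - trustedHops);
  return chain[idx];
}

// Fixed-window counter per key. `now` is injectable so tests can drive the clock.
function createLimiter({ windowMs, max, trustedHops = 0, now = Date.now }) {
  const buckets = new Map(); // key -> { count, resetAt }
  return function check(req) {
    const key = clientIp(req, trustedHops);
    const t = now();
    let bucket = buckets.get(key);
    if (!bucket || t >= bucket.resetAt) {
      bucket = { count: 0, resetAt: t + windowMs };
      buckets.set(key, bucket);
    }
    bucket.count += 1;
    return {
      key,
      allowed: bucket.count <= max,
      remaining: Math.max(0, max - bucket.count),
      retryAfterMs: bucket.resetAt - t,
    };
  };
}

// Express-style middleware wrapper: 429 plus Retry-After once the bucket is spent.
function toMiddleware(check) {
  return (req, res, next) => {
    const r = check(req);
    res.setHeader('RateLimit-Remaining', String(r.remaining));
    if (!r.allowed) {
      res.setHeader('Retry-After', String(Math.ceil(r.retryAfterMs / 1000)));
      res.status(429).send('Too many requests');
      return;
    }
    next();
  };
}

// Simulate `clients` distinct browsers behind the same proxy, each loading the
// SPA entry point `requestsEach` times, round-robin, one second apart.
// Returns how many requests each client had rejected.
function simulate({ trustedHops, clients, requestsEach, proxyIp = '10.0.0.1' }) {
  let clock = 0;
  const check = createLimiter({ windowMs: 15 * 60 * 1000, max: 100, trustedHops, now: () => clock });
  const rejected = Object.fromEntries(clients.map((ip) => [ip, 0]));
  for (let i = 0; i < requestsEach; i++) {
    for (const ip of clients) {
      clock += 1000;
      // The proxy has already appended the real client to X-Forwarded-For.
      const req = { headers: { 'x-forwarded-for': ip }, socket: { remoteAddress: proxyIp } };
      if (!check(req).allowed) rejected[ip] += 1;
    }
  }
  return rejected;
}

const CLIENTS = ['203.0.113.10', '203.0.113.11', '203.0.113.12']; // constructed sample IPs

// trustedHops 0: every request is keyed to the proxy address, one shared bucket of 100.
// trustedHops 1: keyed to the real client, 60 loads each stay under the limit.
console.log('shared bucket (trustedHops=0):', simulate({ trustedHops: 0, clients: CLIENTS, requestsEach: 60 }));
console.log('per-client    (trustedHops=1):', simulate({ trustedHops: 1, clients: CLIENTS, requestsEach: 60 }));
```

With the hop untrusted, 180 page loads from three users land in one bucket and the last 80 are rejected; with it trusted, nobody is throttled. `clientIp` also shows why trusting too many hops is dangerous: a client that sends its own forged X-Forwarded-For value is only ignored because the real proxy appends the true address after it and the count of trusted hops stops at that entry.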
Replace Bitnami MongoDB with official MongoDB image
Global (Root Project)
Node.js: v20 -> v24
npm: v7 -> v10
ESLint: 8.34.0 -> 9.18.0
cypress: 13.3.1 -> 14.5.3
dotenv: 8.2.0 -> 17.2.1
husky: 6.0.0 -> 9.1.7
lint-staged: 11.0.0 -> 15.2.10
prettier: 2.3.0 -> 3.6.2
pretty-quick: 3.1.0 -> 4.2.2
Client (Front-end)
Node.js: v20 -> v24
npm: v7 -> v10
date-io/dayjs: v1.3.13 -> ^3.0.0
material-ui v4 -> mui v5
classnames: v2.2.6 -> v2.5.1
cross-fetch: v3.1.5 -> ^4.0.0
dayjs: v1.11.1 -> ^1.11.13
dom-to-image: ^2.6.0 -> html-to-image: ^1.11.11
material-ui-dropzone v3.5.0 -> mui-file-dropzone v4.0.2
react v16.13.1 -> ^18.3.1
react-router-dom: v5.2.0 -> ^7.8.1
formik: v2.1.5 -> ^2.4.6
yup: v0.29.3 -> ^1.7.0
jspdf: v2.3.1 -> ^3.0.3
keycloak-js: v24.0.0 -> ^26.2.0
eslint: ^8.57.1 -> ^9.18.0
Server (Back-end)
Node.js: v20 -> v24
npm: v7 -> v10
express: v4.18.2 -> ^4.21.2
axios: v0.21.4 -> v1.12.2
dotenv: v8.2.0 -> ^16.4.7
helmet: v4.1.1 -> ^8.0.0
jsonwebtoken: v9.0.0 -> ^9.0.2
fast-xml-parser: v3.17.4 -> ^4.5.0
winston: v3.3.3 -> ^3.17.0