Implement client-side version checking #79
Conversation
return "Conduit is up to date"; | ||
} else { | ||
return (<div> | ||
A new version ({this.state.latest}) is available<br /> |
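Review bot: `{this.state.latest}` is rendered as a JSX text child, which React escapes, so the XSS question raised on this line is answered for this position; that guarantee does not extend to attribute positions such as an `href` or to `dangerouslySetInnerHTML`, so if `latest` is later used to build a download link, validate it against a version pattern (for example `v2.3.4`-shaped strings) before use rather than relying on escaping.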
I don't know anything about react. What ensures that this is safe w.r.t. xss? I.e. let's say `this.state.latest` is `"<script>alert("hi");</script>"`, does this syntax do the escaping to make that safe?
And you're correct @briansmith -- the `{...}` syntax has built in escaping, documented here: https://reactjs.org/docs/jsx-in-depth.html#string-literals-1
😻 thanks for taking this on!
I haven't done as much investigation into you as this, but I was wondering whether `fetch` allows us to do this without adding another library?
web/app/css/version.css
Outdated
text-decoration: none; | ||
} | ||
& a.button:active { | ||
background-color: #2F80ED; |
would advise you to use the color var from styles.css since we're importing that file anyway.... also looking at that file, we have that color defined twice :/ we should probably consolidate. (though if we want to have a separate file for styles directly copied, we can)
web/app/js/components/Version.jsx
Outdated
} | ||
|
||
loadFromServer() { | ||
if (this.state.done) { |
variable naming nit: we've been using `pendingRequests` for this elsewhere, it'd be nice to use the same name
web/app/test/VersionTest.jsx
Outdated
it('renders update message when versions do match', () => { | ||
loadFromServer = setResponse(null, {responseText: "{\"version\": \"v2.3.4\"}"}); | ||
|
||
// must wrap Version in a BrowserRouter because this test case renders a Link, |
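Review bot: the test title says "when versions do match" but names the update message as the expected output, while the canned body is `{"version": "v2.3.4"}`; one of the two is wrong, so either rename the case to "do not match" or assert the up-to-date text, and state in the title which running version the component is given so the comparison being exercised is clear.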
@franziskagoltz added a `routerWrap` function in testHelpers, maybe we can use that?
i could not find a way to make `routerWrap` work with properties, so leaving this as is.
web/app/css/version.css
Outdated
|
||
/* from https://conduit.io/ */ | ||
|
||
& a.button { |
Since we probably want to use the same styles everywhere if we add future buttons, I'd put the a.button styles in styles.css (or create a buttons.css, if we want to just have an isolated "copied this from conduit.io styles" file)
web/app/test/VersionTest.jsx
Outdated
let loadFromServer; | ||
|
||
function setResponse(err, resp) { | ||
return sinon.stub(Version.prototype, 'loadFromServer').callsFake(function fakeFn() { |
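Review bot: `sinon.stub(Version.prototype, 'loadFromServer')` replaces the method on the shared prototype, so every test must restore it (for example `loadFromServer.restore()` in an `afterEach`) or a failing case leaves the fake in place for the tests that follow; the `loadFromServer` variable declared above is the handle to restore, so it is worth documenting that it must be restored, not just reassigned, between cases.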
whoa, cool
yup... though removing this because fetch does what we need!
d8ea95c to 1d0e6ae
My main interest in this is the security-critical stuff, which seems to have been addressed so +1 from me. However, I wonder where the best place to format the output really is. It seems like with the proposed change we have less flexibility than if we were to do the formatting on our own host. For example, how would we indicate in the web UI the update's urgency, e.g. a critical security update vs. a "whenever you get around to it" update? It seems like it would be good to let the server give us some free-form text to describe the urgency, at least.
@briansmith I agree some kind of richer free-form messaging here is a good idea. I'd like to defer it for a subsequent PR. As our version check endpoint is json (kevin's bright recommendation), we can iterate on it and add fields in a backwards compatible way. I've filed #90 to track this.
3d77b9b to b3b9478
versioncheck.conduit.io/update is a public domain; could you please consider enterprise-level environments, which can't access the internet directly.
@xiaods fair point. i think for this initial PR we'll hit the public URL. i could imagine future versions supporting some kind of proxy setting to enable outside internet access (or something else entirely). if you have more thoughts, please summarize them in a Github issue so we can consider it for our roadmap.
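The thread above touches three things a client-side version check has to get right: the interpolated version string must not be able to inject markup (the XSS question), the JSON endpoint fetched over CORS has to be parsed defensively, and an environment with no outbound internet must degrade to "unknown" rather than break the UI. The following is an added example, not code from this PR or from Conduit: it spells out the escaping that JSX does for `{...}` children, validates the `version` field before it is trusted anywhere, and injects `fetch` so the whole flow can be exercised offline. The URL is the one named in the discussion; the `version` field name, the accepted `vMAJOR.MINOR.PATCH` shape and the function names are assumptions for this example.

```javascript
// Added example (not Conduit's code). A client-side version check: fetch a JSON
// document over CORS, validate the version field, compare with the running
// version, and render the outcome as escaped text.

const VERSION_CHECK_URL = "https://versioncheck.conduit.io/update"; // named in the PR thread
const VERSION_RE = /^v\d+\.\d+\.\d+$/; // accepted shape, e.g. "v2.3.4" (assumption)

// Escape the characters that matter in HTML text and attribute context.
// React does this for `{...}` text children automatically; it is written out
// here so the effect is visible without a DOM.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Parse the response body and reject anything that is not a plain version
// string. Validation (not escaping) is what makes the value safe to reuse in
// places React does not escape, such as an href.
function parseVersionResponse(body) {
  let doc;
  try {
    doc = JSON.parse(body);
  } catch (e) {
    throw new Error("version check: response is not JSON");
  }
  if (!doc || typeof doc.version !== "string" || !VERSION_RE.test(doc.version)) {
    throw new Error("version check: missing or malformed version field");
  }
  return doc.version;
}

// Numeric comparison of "vMAJOR.MINOR.PATCH"; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.slice(1).split(".").map(Number);
  const pb = b.slice(1).split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// fetchImpl is injected so the check runs offline; in the browser pass the
// global fetch. Any failure, including no outbound internet (the enterprise
// case raised in the thread), yields status "unknown" and never throws.
async function checkForUpdate(fetchImpl, currentVersion) {
  if (!VERSION_RE.test(currentVersion)) {
    return { status: "unknown", latest: null, error: "running version is malformed" };
  }
  try {
    const resp = await fetchImpl(VERSION_CHECK_URL, { mode: "cors" });
    if (!resp.ok) {
      return { status: "unknown", latest: null, error: `HTTP ${resp.status}` };
    }
    const latest = parseVersionResponse(await resp.text());
    const status = compareVersions(currentVersion, latest) < 0 ? "update-available" : "up-to-date";
    return { status, latest, error: null };
  } catch (e) {
    return { status: "unknown", latest: null, error: e.message };
  }
}

// Render the outcome as an HTML string. `latest` has already passed VERSION_RE;
// it is escaped anyway, mirroring what JSX does with a `{...}` child.
function renderMessage(result) {
  switch (result.status) {
    case "up-to-date":
      return "Conduit is up to date";
    case "update-available":
      return `A new version (${escapeHtml(result.latest)}) is available<br />`;
    default:
      return `Version check failed: ${escapeHtml(result.error)}`;
  }
}

// Constructed stand-in for fetch: returns a canned body with a given status.
function fakeFetch(body, status = 200) {
  return async () => ({ ok: status >= 200 && status < 300, status, text: async () => body });
}

// Usage with a constructed response and an unreachable endpoint.
checkForUpdate(fakeFetch('{"version": "v2.3.4"}'), "v2.3.3").then((r) => console.log(renderMessage(r)));
checkForUpdate(async () => { throw new Error("network unreachable"); }, "v2.3.3").then((r) => console.log(renderMessage(r)));
```

The validation step is the part that goes beyond the thread: escaping answers the question for a text child, but a version string that will later appear in a link or a filename needs a whitelist check, and rejecting the response outright is simpler to reason about than escaping it in every context it reaches.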
🌟 🙌 🚀 yayy! thanks for doing this!
Just had a couple small comments.
web/app/js/components/Version.jsx
Outdated
super(props); | ||
this.loadFromServer = this.loadFromServer.bind(this); | ||
this.handleApiError = this.handleApiError.bind(this); | ||
this.state = {err: null, latest: null, loaded: false, pendingRequests: false,}; |
extra trailing comma
web/app/css/version.css
Outdated
.version { | ||
padding: 0 0 0 9px; | ||
font-size: 13px; | ||
font-weight: 700; |
nit: --font-weight-bold
web/app/js/components/Version.jsx
Outdated
this.setState({ | ||
loaded: true, | ||
pendingRequests: false, | ||
err: e |
nit: in other places we do this we use "error" and I'd prefer us to be consistent
🐑 thanks for updating!
Previously Conduit would render an iframe, received from versioncheck.conduit.io. Modify the client to retrieve the latest released version, via CORS.
Signed-off-by: Andrew Seigner <andrew@sig.gy>
a5a7395 to 5493601
In preparation for further simplifications to HTTP telemetry, this change consolidates all HTTP-specific logic under the `telemetry::http` module. Specifically, the following modules have been moved: - `telemetry::event`; - `telemetry::metrics::labels`; - `telemetry::metrics::record`; - `telemetry::sensors`; and - `telemetry::sensors::http`. This change takes pains to avoid changing any implementation details, so some types and methods have been made public temporarily while the interface boundaries are not well defined. This will be fixed in a subsequent change.