chore: merge release v4.39.0 into master

.eslintrc

@@ -21,7 +21,8 @@
         "sourceType": "module",
         "ecmaFeatures": {
           "modules": true
-        }
+        },
+        "project": "./tsconfig.json"
       },
       "plugins": ["@typescript-eslint", "import", "simple-import-sort"],
       "extends": ["plugin:@typescript-eslint/recommended"],
@@ -50,7 +51,8 @@
         "import/order": "off",
         "import/first": "error",
         "import/newline-after-import": "error",
-        "import/no-duplicates": "error"
+        "import/no-duplicates": "error",
+        "@typescript-eslint/no-floating-promises": 2,
       }
     },
     { "files": ["*.spec.ts"], "extends": ["plugin:jest/recommended"] }

.github/pull_request_template.md

@@ -1,12 +1,10 @@
 ## Problem
-
-_What problem are you trying to solve? What issue does this close?_
+<!-- What problem are you trying to solve? What issue does this close? -->
 
 Closes [insert issue #]
 
 ## Solution
-
-_How did you solve the problem?_
+<!-- How did you solve the problem? -->
 
 **Features**:
 
@@ -23,19 +21,17 @@ _How did you solve the problem?_
 ## Before & After Screenshots
 
 **BEFORE**:
-[insert screenshot here]
+<!-- [insert screenshot here] -->
 
 **AFTER**:
-[insert screenshot here]
+<!-- [insert screenshot here] -->
 
 ## Tests
-
-_What tests should be run to confirm functionality?_
+<!-- What tests should be run to confirm functionality? -->
 
 ## Deploy Notes
-
-_Notes regarding deployment of the contained body of work. These should note any
-new dependencies, new scripts, etc._
+<!-- Notes regarding deployment of the contained body of work.  -->
+<!-- These should note any new dependencies, new scripts, etc. -->
 
 **New environment variables**:
 

.template-env

@@ -104,4 +104,8 @@ FORMSG_SDK_MODE=
 # CORPPASS_IDP_ID=https://saml.corppass.gov.sg/FIM/sps/CorpIDPFed/saml20
 
 # IS_SP_MAINTENANCE=
-# IS_CP_MAINTENANCE=
+# IS_CP_MAINTENANCE=
+
+## Per-minute, per-IP request limits applied to specific endpoints
+# SUBMISSIONS_RATE_LIMIT=
+# SEND_AUTH_OTP_RATE_LIMIT=

CHANGELOG.md

@@ -4,8 +4,49 @@ All notable changes to this project will be documented in this file. Dates are d
 
 Generated by [`auto-changelog`](https://github.com/CookPete/auto-changelog).
 
+#### [v4.39.0](https://github.com/opengovsg/formsg/compare/v4.37.1...v4.39.0)
+
+- fix: early return when validating empty email string [`#433`](https://github.com/opengovsg/formsg/pull/433)
+- fix(deps): bump angular-cookies from 1.8.0 to 1.8.1 [`#419`](https://github.com/opengovsg/formsg/pull/419)
+- * /billing [`#426`](https://github.com/opengovsg/formsg/pull/426)
+- chore: merge release v4.38.1 into develop [`#430`](https://github.com/opengovsg/formsg/pull/430)
+- feat: soft-launch rate-limiting of API endpoints [`#389`](https://github.com/opengovsg/formsg/pull/389)
+- refactor: use res.json or sendStatus for objects or empty body [`#424`](https://github.com/opengovsg/formsg/pull/424)
+- refactor: migrate CaptchaFactory to Typescript [`#397`](https://github.com/opengovsg/formsg/pull/397)
+- chore: key cleanup [`#326`](https://github.com/opengovsg/formsg/pull/326)
+- chore(deps-dev): remove eslint-plugin-html [`#402`](https://github.com/opengovsg/formsg/pull/402)
+- chore: use comments for PR template guiding questions [`#420`](https://github.com/opengovsg/formsg/pull/420)
+- feat: add analytics module to handle /analytics endpoints [`#403`](https://github.com/opengovsg/formsg/pull/403)
+- chore(deps-dev): bump axios-mock-adapter from 1.18.1 to 1.18.2 [`#411`](https://github.com/opengovsg/formsg/pull/411)
+- feat: add trace to logs [`#405`](https://github.com/opengovsg/formsg/pull/405)
+- chore: add lint rule to prevent floating promises [`#404`](https://github.com/opengovsg/formsg/pull/404)
+- refactor: migrate SmsFactory to Typescript [`#387`](https://github.com/opengovsg/formsg/pull/387)
+- fix: transfer form toastr [`#379`](https://github.com/opengovsg/formsg/pull/379)
+- fix(deps): bump @sentry/browser from 5.22.3 to 5.24.2 [`#407`](https://github.com/opengovsg/formsg/pull/407)
+- fix: only show exclamation in navbar if sms feature is enabled [`#383`](https://github.com/opengovsg/formsg/pull/383)
+- fix(deps): bump nodemailer from 6.4.11 to 6.4.12 [`#399`](https://github.com/opengovsg/formsg/pull/399)
+- fix(deps): bump multiparty from 4.2.1 to 4.2.2 [`#406`](https://github.com/opengovsg/formsg/pull/406)
+- chore(deps-dev): bump eslint from 7.9.0 to 7.10.0 [`#401`](https://github.com/opengovsg/formsg/pull/401)
+- refactor: use validator's isEmail for validating email domains [`#386`](https://github.com/opengovsg/formsg/pull/386)
+- style: fix squished styling when user emails are too long [`#382`](https://github.com/opengovsg/formsg/pull/382)
+- fix(deps): bump aws-sdk from 2.734.0 to 2.763.0 [`#393`](https://github.com/opengovsg/formsg/pull/393)
+- chore(deps-dev): bump @types/express from 4.17.6 to 4.17.8 [`#392`](https://github.com/opengovsg/formsg/pull/392)
+- fix(deps): bump helmet from 4.1.0 to 4.1.1 [`#390`](https://github.com/opengovsg/formsg/pull/390)
+- chore: merge Release v4.37.1 back into develop [`#391`](https://github.com/opengovsg/formsg/pull/391)
+- fix: invalid key reference in retrieving form submissions [`#385`](https://github.com/opengovsg/formsg/pull/385)
+- chore: merge release v4.37.0 back into develop [`#384`](https://github.com/opengovsg/formsg/pull/384)
+- chore(deps-dev): bump @types/uuid from 8.0.0 to 8.3.0 [`#375`](https://github.com/opengovsg/formsg/pull/375)
+- fix(deps): bump twilio from 3.46.0 to 3.49.3 [`#367`](https://github.com/opengovsg/formsg/pull/367)
+- chore(deps-dev): bump @types/node from 14.0.13 to 14.11.2 [`#374`](https://github.com/opengovsg/formsg/pull/374)
+- test: update tests [`2aa9e24`](https://github.com/opengovsg/formsg/commit/2aa9e24811ceeeb837e60d434b852fcf84a458f2)
+- chore: bump version to v4.38.0 [`e940ef9`](https://github.com/opengovsg/formsg/commit/e940ef9f666a74b26944d3111ebccb95babffdd8)
+- chore: bump version to 4.38.1 [`118257c`](https://github.com/opengovsg/formsg/commit/118257c5828fefcf101efa1eca032fa021571edc)
+
 #### [v4.37.1](https://github.com/opengovsg/formsg/compare/v4.37.0...v4.37.1)
 
+> 30 September 2020
+
+- chore: bump version to v4.37.1 [`ac6389d`](https://github.com/opengovsg/formsg/commit/ac6389dfcc790a6dbccb0f22d505f8daa1100cbe)
 - fix: correct form header padding when no banner is available [`421a117`](https://github.com/opengovsg/formsg/commit/421a117b096d7053bb93e39091a528a9707bb105)
 
 #### [v4.37.0](https://github.com/opengovsg/formsg/compare/v4.36.0...v4.37.0)

docker-compose.yml

@@ -30,6 +30,8 @@ services:
       - AWS_SECRET_ACCESS_KEY=fakeSecret
       - SESSION_SECRET=thisisasecret
       - AWS_ENDPOINT=http://localhost:4566
+      - SUBMISSIONS_RATE_LIMIT=200
+      - SEND_AUTH_OTP_RATE_LIMIT=60
       - GA_TRACKING_ID
       - SENTRY_CONFIG_URL
       - TWILIO_ACCOUNT_SID

docs/DEPLOYMENT_SETUP.md

@@ -212,6 +212,14 @@ SITE_BANNER_CONTENT=hello:This is an invalid banner type, and the full text will
 | `CHROMIUM_BIN`        | Filepath to chromium binary. Required for email autoreply PDF generation with Puppeteer.                                                                                                                             |
 | `BOUNCE_LIFE_SPAN`    | Time in milliseconds that bounces are tracked for each form. Defaults to 86400000ms or 24 hours. Only relevant if you have set up AWS to send bounce and delivery notifications to the /emailnotifications endpoint. |
 
+#### Rate limits at specific endpoints
+
+The app applies per-minute, per-IP rate limits at specific API endpoints as a security measure. The limits can be specified with the following environment variables.
+| Variable | Description |
+| :-------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `SUBMISSIONS_RATE_LIMIT` | Per-minute, per-IP request limit for each submissions endpoint. The limit is applied separately for the email mode and encrypt mode endpoints. |
+| `SEND_AUTH_OTP_RATE_LIMIT` | Per-minute, per-IP request limit for the endpoint which requests for new login OTPs for the admin console. |
+
 ### Additional Features
 
 The app supports a number of additional features like Captcha protection, Sentry reporting and Google Analytics. Each of these features requires specific environment variables which are detailed below. To deploy a bare bones application without these additional features, one can safely exclude the respective environment variables without any extra configuration.