Issue 1426 - Source validation on the claim form #1428
base: stage
Conversation
…making a GET request. - Backend: Created new route /api/source/check-source to handle URL validation and return link status. - Frontend: Updated ClaimSourceListItem component to call API for link verification and handle valid/invalid links.
…nd return link status.
…ion, handle valid/invalid links and created message feedback for user
05f8912 to 864c35e
@lucaslobatob Cypress tests are failing after these changes
@@ -103,6 +103,23 @@ export class SourceController { | |||
); | |||
} | |||
|
|||
@ApiTags("source") | |||
@Get("/check-source") |
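Review bot: `@Get("/check-source")` as added here carries no guard, and the route's purpose per the PR description is to issue a GET to a caller-supplied URL, so besides the amplification concern it is a server-side request forgery primitive: a caller can point it at loopback, link-local (cloud metadata) or internal RFC 1918 hosts and use the returned link status as a reachability oracle. Before this merges the handler should accept only http/https, resolve the hostname and reject private, loopback and link-local addresses, not follow redirects automatically (a 3xx to an internal host bypasses the check), and bound the request with a timeout and a response size limit.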
issue(blocking): now that I think about it, this is a DDoS vector and we should not continue. We can consider a few options, like putting this behind RBAC for logged-in users.
But why aren't we just requesting from the client-side? Why we need to create a new endpoint for this?
The endpoint was needed because of CORS restrictions: many sources block client-side requests. Afterwards, I can look with @lucaslobatob at some ways to make it more secure.
I'm still not satisfied with the current solution; there are still too many vulnerabilities. Let's sync and create an epic documentation before proceeding.
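The thread above establishes why the check has to run server-side (CORS) and why that is dangerous (a public route that fetches arbitrary URLs). The following is an added example written for this review, not code from the project: a hardened version of such a link check in TypeScript for Node 18+. The names `checkSource`, `isPrivateAddress`, `parseSourceUrl`, `Resolver` and `Fetcher` are illustrative assumptions; the resolver and fetcher are injectable so the policy can be exercised offline.

```typescript
// Added example, not code from the project under review: a hardened server-side
// "is this source reachable?" check. Names such as checkSource, Resolver and
// Fetcher are illustrative assumptions.
import { isIP } from "node:net";
import { lookup } from "node:dns/promises";

export type Resolver = (host: string) => Promise<string>;
export interface HeadResponse { status: number }
export type Fetcher = (
  url: string,
  init: { method: string; redirect: "manual"; signal: AbortSignal },
) => Promise<HeadResponse>;
export interface CheckResult { ok: boolean; status?: number; reason?: string }

// Addresses a public link checker must never contact: "this host", loopback,
// RFC 1918, link-local (including 169.254.169.254 cloud metadata), CGNAT, and
// the IPv6 equivalents. Anything that is not an IP literal is treated as unsafe.
export function isPrivateAddress(ip: string): boolean {
  const family = isIP(ip);
  if (family === 4) {
    const [a, b] = ip.split(".").map(Number);
    return a === 0 || a === 10 || a === 127 ||
      (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168) ||
      (a === 169 && b === 254) ||
      (a === 100 && b >= 64 && b <= 127);
  }
  if (family === 6) {
    const v6 = ip.toLowerCase();
    const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(v6); // IPv4-mapped IPv6
    if (mapped) return isPrivateAddress(mapped[1]);
    return v6 === "::" || v6 === "::1" ||
      /^f[cd]/.test(v6) ||   // fc00::/7 unique local
      /^fe[89ab]/.test(v6);  // fe80::/10 link-local
  }
  return true;
}

// Syntactic policy: only http(s), no embedded credentials.
export function parseSourceUrl(raw: string): URL {
  let url: URL | null = null;
  try {
    url = new URL(raw);
  } catch (e) {
    // fall through: reported below as malformed
  }
  if (!url) throw new Error("malformed URL");
  if (url.protocol !== "http:" && url.protocol !== "https:") throw new Error("scheme not allowed");
  if (url.username || url.password) throw new Error("credentials in URL not allowed");
  return url;
}

const defaultResolve: Resolver = async (host) => (await lookup(host)).address;
// Node 18+ global fetch; typed loosely so the file compiles without DOM lib types.
const defaultFetch: Fetcher = (url, init) => (globalThis as any).fetch(url, init);

export async function checkSource(
  raw: string,
  resolve: Resolver = defaultResolve,
  fetchImpl: Fetcher = defaultFetch,
  timeoutMs = 5000,
): Promise<CheckResult> {
  let url: URL;
  try {
    url = parseSourceUrl(raw);
  } catch (e) {
    return { ok: false, reason: (e as Error).message };
  }
  const host = url.hostname.replace(/^\[|\]$/g, ""); // WHATWG keeps [] around IPv6 literals
  const ip = isIP(host) ? host : await resolve(host);
  if (isPrivateAddress(ip)) return { ok: false, reason: "target resolves to a private or local address" };

  const ctrl = new AbortController();
  const timer = setTimeout(() => ctrl.abort(), timeoutMs);
  try {
    // HEAD only (no body to buffer) and redirect: "manual", so a 3xx that points
    // at an internal host is reported, never followed.
    const res = await fetchImpl(url.toString(), { method: "HEAD", redirect: "manual", signal: ctrl.signal });
    return { ok: res.status >= 200 && res.status < 400, status: res.status };
  } catch (e) {
    return { ok: false, reason: "unreachable or timed out" };
  } finally {
    clearTimeout(timer);
  }
}
```

Two caveats a practitioner should keep in mind. First, this resolves the name once and then lets `fetch` resolve it again, so a DNS rebinding attacker can still pass the check; the strict fix is to connect to the vetted IP and send the original `Host` header. Second, it constrains what the route may contact, not how often: the DDoS point raised in the thread still needs an auth guard and per-user rate limiting in front of it.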
server/source/source.controller.ts
Outdated
@@ -103,6 +103,23 @@ export class SourceController { | |||
); | |||
} | |||
|
|||
@ApiTags("source") | |||
@Get("/check-source") | |||
async checkSpurce(@Query() query) { |
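Review bot: `async checkSpurce(@Query() query)` takes the whole query object untyped, so nothing validates the URL parameter before it reaches the outbound request; besides the typo in the method name, declare the parameter explicitly (at least `@Query("url") url: string`, or a DTO class with a `@IsUrl()` decorator if the project runs NestJS's ValidationPipe) so that malformed or non-http values are rejected with a 400 before any network call is made.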
nitpick: typo
…egular User Ability for permissions control
… API to check the validity of a URL before opening it
Quality Gate passed
@@ -142,7 +142,7 @@ export class ClaimController { | |||
: path, | |||
}; | |||
} catch (error) { | |||
return error; |
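Review bot: `return error;` in the catch hands the raw error object back as the response body, which serializes its message and possibly its stack into a 200 response and leaks internals to the client; either drop the try/catch and let the framework's exception filter map the failure to a 5xx, or rethrow as an `HttpException` with a generic message and log the original error server-side.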
issue: if you're doing this, the try/catch is not needed.
@ApiTags("source") | ||
@Get("/check-source") | ||
@UseGuards(AbilitiesGuard) | ||
@CheckAbilities(new RegularUserAbility()) |
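Review bot: `@UseGuards(AbilitiesGuard)` with `@CheckAbilities(new RegularUserAbility())` only limits who may call the route, and the ability chosen is broader than the role that can actually create claims; more importantly the guard says nothing about what the handler does with the supplied URL, so the private-address filtering, redirect handling, timeout and per-user rate limit still have to live inside the handler, otherwise any authenticated account retains the SSRF and amplification capability raised earlier in the thread.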
issue: this should be a FactChecker; regular users can't create resources anyway.
Description
BaseClaimForm.tsx: Creating source validation on the claim form
Fixes #1426
Testing
When an invalid source is placed in the claim creation form, the claim is not created and the form remains on the page until it has a valid source.
First test: tested with one valid source; the user can submit the form and create the claim.
Second test: tested with one valid source and one invalid source; the user is unable to proceed with creating the claim, because it has an invalid source, and sees the feedback "A fonte não está mais disponível" ("The source is no longer available").
Third test: tested with one invalid source; the user is unable to proceed with creating the claim, because it has an invalid source, and sees the feedback "A fonte não está mais disponível" ("The source is no longer available").