Closed loleg closed 2 years ago
I have replaced the HTTP link on that old form in PR #108.
For the HTTP -> HTTPS redirection to work, however, it would be necessary to change the application code. But this is ancient node.js, and before changing it, it would be advisable to upgrade it to a more recent node.js version. That also means updating / getting rid of all those deprecated and obsolete dependencies:
```
npm WARN deprecated less-middleware@0.1.15: Updated API and improved functionality.
npm WARN deprecated mkdirp@0.3.5: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated har-validator@5.1.5: this library is no longer supported

> leveldown@6.0.0 install /home/node/portal/node_modules/leveldown
> node-gyp-build

npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN publicbodies@0.1.0 license should be a valid SPDX license expression

added 159 packages from 149 contributors and audited 160 packages in 11.598s

13 packages are looking for funding
  run `npm fund` for details

found 29 vulnerabilities (10 low, 11 moderate, 7 high, 1 critical)
  run `npm audit fix` to fix them, or `npm audit` for details
```
I tried to do it, but then got an error:
```
internal/modules/cjs/loader.js:818
  throw err;
  ^

Error: Cannot find module '/home/node/portal/express'
    at Function.Module._resolveFilename (internal/modules/cjs/loader.js:815:15)
    at Function.Module._load (internal/modules/cjs/loader.js:667:27)
    at Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:60:12)
    at internal/main/run_main_module.js:17:47 {
  code: 'MODULE_NOT_FOUND',
  requireStack: []
}
```
which is strange, as the `express` package is installed.
I suspect that to modernize JavaScript and node.js on this application would require rewriting a good chunk of it and would also be beyond my current ability in this area.
I created issue #110 and drafted PR #111 to try to solve this. Once we can get the site running on modern code, I think adding the HTTP -> HTTPS redirect should be easy.
While an SSL certificate is present on the site (thanks Augusto in #102 for checking), HTTP is not redirected to HTTPS as it should be. Furthermore, the site is shown as not completely secure because the absolute link to the newsletter sign-up is to an HTTP resource. We should probably just point this to the GitHub issues and appropriate Discourse forum.
The specific error in the dev console is:
```
Mixed Content: The page at 'https://publicbodies.org/' was loaded over a secure connection, but contains a form that targets an insecure endpoint 'http://lists.okfn.org/mailman/subscribe/okfn-labs'. This endpoint should be made available over a secure connection.
```
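For reference, a sketch of the HTTP -> HTTPS redirect discussed in this thread, written as dependency-free Express-style middleware. This is an added example, not code from the publicbodies repository; `forceHttps`, `isSecure`, `simulate`, `CANONICAL_HOST` and `TRUST_PROXY` are hypothetical names, the host is taken from the URL in the console error, and it is assumed that any TLS-terminating proxy in front of the app overwrites `X-Forwarded-Proto`.

```javascript
// Added example: Express-style (req, res, next) middleware with no dependencies.
// CANONICAL_HOST and TRUST_PROXY are assumptions made for this sketch.
const CANONICAL_HOST = 'publicbodies.org';
const TRUST_PROXY = true; // set only when a TLS-terminating proxy fronts the app

function isSecure(req) {
  if (req.socket && req.socket.encrypted) return true; // direct TLS connection
  if (!TRUST_PROXY) return false;
  // Assumes the proxy overwrites this header; if a list arrives, use the first entry.
  const proto = String(req.headers['x-forwarded-proto'] || '').split(',')[0].trim();
  return proto.toLowerCase() === 'https';
}

function forceHttps(req, res, next) {
  if (isSecure(req)) {
    // Browsers only honour HSTS when it arrives over HTTPS.
    res.setHeader('Strict-Transport-Security', 'max-age=31536000');
    return next();
  }
  // Build the target from a fixed host, never from the client-supplied Host
  // header, so the redirect cannot be steered to another site.
  const path = req.url.startsWith('/') ? req.url : '/';
  const target = 'https://' + CANONICAL_HOST + path;
  // 301 for GET/HEAD; 308 preserves method and body for everything else.
  const status = (req.method === 'GET' || req.method === 'HEAD') ? 301 : 308;
  res.writeHead(status, { Location: target });
  res.end();
}

// Constructed mock request/response so the middleware can be exercised offline.
function simulate(req) {
  const out = { status: null, headers: {}, passed: false };
  const res = {
    setHeader: (k, v) => { out.headers[k] = v; },
    writeHead: (s, h) => { out.status = s; Object.assign(out.headers, h); },
    end: () => {},
  };
  forceHttps({ method: 'GET', url: '/', headers: {}, socket: {}, ...req }, res,
    () => { out.passed = true; });
  return out;
}

// Plain-HTTP request with a hostile Host header: still redirected to the canonical host.
console.log(simulate({ url: '/about', headers: { host: 'evil.example' } }));
```

The redirect alone does not clear the mixed-content warning quoted above; the form's `http://` action still has to be changed or removed in the template.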