Closed pushyamig closed 3 months ago
This PR is up to date with the recent features commits
Following the local testing steps you listed, everything behaves as expected. Removing CSRF token in the API causes errors. Code looks good, only thing left is the three codacy errors of unused imports, if you want to clear those warnings.
only thing left is the three codacy errors of unused imports, if you want to clear those warnings.
I looked at those error, I don't think those warning are accurate. So I don't know why that is warning. So I left as it
For example:
import { APP_FILTER } from '@nestjs/core'
APP_FILTER is used in the auth.module.ts
as part of NestJS module declaration. So I don't think i am doing any different or syntactically wrong.
only thing left is the three codacy errors of unused imports, if you want to clear those warnings.
I looked at those error, I don't think those warning are accurate. So I don't know why that is warning. So I left as it
For example:
import { APP_FILTER } from '@nestjs/core'
APP_FILTER is used in the
auth.module.ts
as part of NestJS module declaration. So I don't think i am doing any different or syntactically wrong.
I see, that's a little strange. Ok otherwise this looks good I'll approve
@jaydonkrooss , Thanks for the review. I will let @jonespm take a look as well before merging it.
I'm not sure if it's possible to fix this check with Codacy but I think we could add to ignore it in the .eslintrc.js.
"no-unused-vars": "off"
or declaring everything that's a global.
That's probably a separate issue. I'm not sure if there's a better workaround that works as I haven't configured this.
I'm not going to be able to re-test this and will rely on Jaydons feedback. It looks like you've done the most research on this and I don't know how it could have been done any differently here.
I'm not sure if it's possible to fix this check with Codacy but I think we could add to ignore it in the .eslintrc.js. "no-unused-vars": "off"
In this example I described above the variable is being used in the file. So I don't know having no-unused-vars: off would do anything. Plus I did not configure the Codacy for it. WHen I looked at it I see ESlint and ESlint(Old) and bunch of other linters (which I never heard of) may be added by default by Codacy. Sam did this and don't know how much he configured and/or added by COdacy.
I need to comeback to Codacy configuration CCM. I will create an issue but will deal with it separately. We do have local linting from VsCodeeslintrc.js
I'm not going to be able to re-test this and will rely on Jaydons feedback. It looks like you've done the most research on this and I don't know how it could have been done any differently here.
Thanks @jonespm for considering for review. I will take that as approval from you if you don't want to click the approve button.
This PR has being a learning curve so I wanted more people looking at it and aware of the implementation.
@pushyamig I think Codacy is also in "Configuration file" mode and also using that file. But Sam set it up and I haven't tested or tried to change anything. But I also see what you mean about it being used.
Maybe need to use the plugin it suggests @typescript-eslint/no-unused-vars
? But yeah can experiment on a separate issue. These aren't the only 3 instances of that warning in this code.
I looked at the Myla Codacy configuration for FE seems very similar to what CCM has https://app.codacy.com/gh/tl-its-umich-edu/my-learning-analytics/patterns/list
I would assume we might need to come up with the approach for Codacy configuration for FE. Both project has linter configured as part of the code and VSCode integration. So Don't know how much is same/different with either of these configuration.
Fixes #410 (Test Plan is updated in the Issue https://github.com/tl-its-umich-edu/canvas-course-manager-next/issues/410 Latest Build from this PR https://github.com/pushyamig/canvas-course-manager-next/actions)
The approach taken here is the double csrf library is setting the
CSRF token cookie
(with hash) and also HttpOnly flag is enabled so that FE code doesn't read the cookie. TheCSRF token
is then passed in as part of GET call as response object (As lib author recommendation) and stored in the react state (As props). The token is then sent with POST/PUT/DELETE call and double csrf validate it and then those https calls are processed. please refer to step#4 for the example implementation..env
have a property added calledCSRF_SECRET
. For local development if is not set it has default. This is something in line withTOKEN_SECRET
and 'COOKIE_SECRET`. Non-Prod and Prod will always be set with this tokenNote: For Local development you will see 2 call in Network as this is by Design when running React In StrictMode, So you won't see this behavior in CCMDev or Prod https://stackoverflow.com/questions/72238175/why-useeffect-running-twice-and-how-to-handle-it-well-in-react