fix: upgrade nodejs version, fix security hotspots in tests, dockerfi…

…le (#306)
gonzaloplaza · Feb 9, 2024 · 0de3752 · 0de3752
1 parent e02240a
commit 0de3752
Show file tree

Hide file tree

Showing 7 changed files with 63 additions and 48 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,43 +1,43 @@
 name: ci
 on:
-    pull_request:
-        types: [opened, synchronize, reopened]
-    push:
-        branches:
-            - "master"
+  pull_request:
+    types: [opened, synchronize, reopened]
+  push:
+    branches:
+      - 'master'
 jobs:
-    test:
-        name: Express-TS (Node ${{ matrix.node-version }} on ${{ matrix.operating-system }})
-        runs-on: ${{ matrix.operating-system }}
-        strategy:
-            fail-fast: false
-            matrix:
-                operating-system: [ubuntu-latest]
-                node-version: [16.x]
-        steps:
-            - name: Checkout
-              uses: actions/checkout@v3
-              with:
-                fetch-depth: 0
-            - name: Node.js
-              uses: actions/setup-node@v3
-              with:
-                  node-version: ${{ matrix.node-version }}
-            - run: npm install -g yarn
-            - name: Install dependencies with Yarn
-              run: yarn install
-            - name: Generate Prisma Client
-              run: yarn prisma generate
-            - name: Build/Transpile TypeScript files to dist
-              run: yarn build
-            - name: Run tests
-              run: yarn test --coverage
-              env:
-                COGNITO_USER_POOL: ${{ secrets.COGNITO_USER_POOL }}
-                COGNITO_CLIENT_ID: ${{ secrets.COGNITO_CLIENT_ID }}
-                COGNITO_REGION: ${{ secrets.COGNITO_REGION }}
-            - name: SonarCloud Scan
-              uses: SonarSource/sonarcloud-github-action@master
-              env:
-                GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-                SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+  test:
+    name: Express-TS (Node ${{ matrix.node-version }} on ${{ matrix.operating-system }})
+    runs-on: ${{ matrix.operating-system }}
+    strategy:
+      fail-fast: false
+      matrix:
+        operating-system: [ubuntu-latest]
+        node-version: [18.x]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version: ${{ matrix.node-version }}
+      - run: npm install -g yarn
+      - name: Install dependencies with Yarn
+        run: yarn install --ignore-scripts
+      - name: Generate Prisma Client
+        run: yarn prisma generate
+      - name: Build/Transpile TypeScript files to dist
+        run: yarn build
+      - name: Run tests
+        run: yarn test --coverage
+        env:
+          COGNITO_USER_POOL: ${{ secrets.COGNITO_USER_POOL }}
+          COGNITO_CLIENT_ID: ${{ secrets.COGNITO_CLIENT_ID }}
+          COGNITO_REGION: ${{ secrets.COGNITO_REGION }}
+      - name: SonarCloud Scan
+        uses: SonarSource/sonarcloud-github-action@master
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM node:14-alpine AS ts-build
+FROM node:18-alpine AS ts-build
 
 RUN mkdir -p /app
 
@@ -7,7 +7,7 @@ COPY package.json yarn.lock /app/
 WORKDIR /app
 
 # Install Node dependencies
-RUN yarn install
+RUN yarn install --ignore-scripts
 
 # Copy source files
 COPY ./src /app/src
@@ -24,7 +24,7 @@ RUN yarn build
 
 # Generate build container
 
-FROM node:16-alpine
+FROM node:18-alpine
 
 LABEL Maintainer="Gonzalo Plaza <gonzalo@verize.com>" \
       Description="Lightweight container with Node 16 based on Alpine Linux"
@@ -59,7 +59,7 @@ WORKDIR /app
 COPY package.json yarn.lock /app/
 
 # Install production Node dependencies
-RUN yarn install --production
+RUN yarn install --ignore-scripts --production
 
 # Copy nodels build from previous stage
 COPY --from=ts-build /app/dist /app/

diff --git a/package.json b/package.json
@@ -58,6 +58,7 @@
     "@types/uuid": "^9.0.0",
     "@typescript-eslint/eslint-plugin": "^5.50.0",
     "@typescript-eslint/parser": "^5.50.0",
+    "crypto": "^1.0.1",
     "eslint": "^8.33.0",
     "jest": "^29.4.1",
     "jest-mock-extended": "^3.0.1",

diff --git a/tests/__fixtures__/randomTextFixture.ts b/tests/__fixtures__/randomTextFixture.ts
@@ -0,0 +1,5 @@
+import * as crypto from 'crypto';
+
+export const randomTextFixture = (max = 18): string => {
+  return crypto.randomBytes(max).toString('hex');
+};
diff --git a/tests/src/api/application/authentication/AuthenticationService.spec.ts b/tests/src/api/application/authentication/AuthenticationService.spec.ts
@@ -1,6 +1,7 @@
 import { IAuthenticator } from '../../../../../src/api/domain/model/authentication/IAuthenticator';
 import { ILogger } from '../../../../../src/shared/domain/ILogger';
 import { createMock } from 'ts-auto-mock';
+import { randomTextFixture } from '../../../../__fixtures__/randomTextFixture';
 import {
   AuthenticationService,
   AuthenticationResponse
@@ -16,9 +17,10 @@ describe('AuthenticatorService', () => {
 
   it('should return an AuthenticationResponse object', async () => {
     // given
+    const randomUsername = randomTextFixture(12);
     const authenticationRequest = {
-      username: 'test@test.com',
-      password: 'test'
+      username: `${randomUsername}@test.com`,
+      password: randomTextFixture(18)
     };
     const expectedAuthenticationResponse = { accessToken: 'testToken', expiresIn: 12345 };
     mockedAuthenticatorResponse.mockResolvedValueOnce(expectedAuthenticationResponse);

diff --git a/tests/src/api/infrastructure/authentication/cognito/CognitoAuthenticator.spec.ts b/tests/src/api/infrastructure/authentication/cognito/CognitoAuthenticator.spec.ts
@@ -2,6 +2,7 @@ import { CognitoAuthenticator } from '../../../../../../src/api/infrastructure/a
 import { config } from '../../../../../../config';
 import { CognitoClient } from '../../../../../../src/api/infrastructure/authentication/cognito/CognitoClient';
 import { createMock } from 'ts-auto-mock';
+import { randomTextFixture } from '../../../../../__fixtures__/randomTextFixture';
 
 describe('CognitoAuthenticator', () => {
   const mockedAuthenticateUserResponse = jest.fn().mockResolvedValue({});
@@ -13,14 +14,15 @@ describe('CognitoAuthenticator', () => {
 
   it('should rejects an UserNotFoundException object', async () => {
     //given
+    const randomUsername = randomTextFixture(10);
     const userDoesNotExistError = new Error('User does not exist.');
     mockedAuthenticateUserResponse.mockRejectedValue(userDoesNotExistError);
 
     // then
     await expect(
       cognitoAuthenticator.auth({
-        username: 'example@example.com',
-        password: 'test'
+        username: `${randomUsername}@test.com`,
+        password: randomTextFixture(18)
       })
     ).rejects.toThrow(userDoesNotExistError);
   });

diff --git a/yarn.lock b/yarn.lock
@@ -1640,6 +1640,11 @@ cross-spawn@^7.0.2, cross-spawn@^7.0.3:
     shebang-command "^2.0.0"
     which "^2.0.1"
 
+crypto@^1.0.1:
+  version "1.0.1"
+  resolved "https://registry.yarnpkg.com/crypto/-/crypto-1.0.1.tgz#2af1b7cad8175d24c8a1b0778255794a21803037"
+  integrity sha512-VxBKmeNcqQdiUQUW2Tzq0t377b54N2bMtXO/qiLa+6eRRmmC4qT3D4OnTGoT/U6O9aklQ/jTwbOtRMTTY8G0Ig==
+
 debug@2.6.9:
   version "2.6.9"
   resolved "https://registry.yarnpkg.com/debug/-/debug-2.6.9.tgz#5d128515df134ff327e90a4c93f4e077a536341f"