tipbox icon indicating copy to clipboard operation
tipbox copied to clipboard

Published 20 hours ago verified publisher icon xdamman

WIP: Refactor mdp

Open mdp opened this issue 5 years ago • 0 comments

Big refactor over the holidays to get this up and running again and in a working again.

  • Updated all the node packages to the latest versions. yarn audit is now clean
  • Used 'yarn' to build a lockfile for future ease of development
  • Updated Gulpfile.js to work with the latest version of Gulp
  • Moved from SKS to OpenPGP.org keyservers
    • SKS servers suffered an attack and most people now have numerous 'fake' keys tied to their accounts.
    • SKS servers are pretty slow and unreliable due to said attack.
    • OpenPGP seems to be faster, but it does require that the person upload their PGP key again
  • Cleaned up our CSP Policy, which meant some other changes needed to happen
    • Removed Stripe and the donation page from the site, and just pointed people to OpenCollective.
    • Fixed an SVG that didn't load properly with the CSP ruleset
    • CSP ruleset is very strict now, nothing inline, only assets from the current host
  • Updated loaded assets with their own SRI hashes.
    • This means any JS or CSS loaded will have it's sha256 hash attached, and it can't be altered.
    • Added Gulp task to create these hashes and append them to the resources on build.
    • Gives us the ability to 'shasum' the index.html and see if anything changes.
  • Reproducible builds
    • Because of the above SRI hashes, it's possible for anyone to build the project and compare the output index.html with what the server is presenting. To do this you'll need the servers public key, because it's included in the JS, which also means you're able to see if a server changes it's key because it's hash will change.
  • ESLint'ed all the JS files and now it's part of the tests passing.
  • Created a docker-compose.yml file for running the project
    • Uses Caddy as a front-end server, which automatically pulls in SSL certs from LetsEncrypt, and keeps them up to date automatically. Also uses the 1.2 and 1.3 TLS.
    • SMTP server is baked into the docker-compose services, so you no longer have to set one up on the server. It's only accessible from inside the docker system.
    • All the build steps for Node can be run in Docker, which means reproducible builds and easier for someone to come back in at a later date and start developing.
  • Cleaned up the settings a bit. Took out some stuff like Mailgun, but I don't think it was being used anyways.
  • Updated the copy to reflect current security environment. Also removed explicit mentions of Tipbox.is to make this more generic, in case anyone wants to run it on their own server.

TODO:

  • Reenable Nightwatch tests

mdp avatar Dec 03 '19 17:12 mdp