Confirm that each route that should be public or private actually is #54143

Open
ojeytonwilliams opened this issue Mar 19, 2024 · 2 comments
Labels
platform: api Server application that needs familiarity with Express, Loopback, MongoDB etc.

Comments

@ojeytonwilliams
Contributor

As Tom pointed out in #53997 (comment), some routes that need to be public are not. We should make sure that all the routes are public/private as determined by
https://github.com/freeCodeCamp/freeCodeCamp/blob/main/api-server/src/server/middlewares/request-authorization.js

It should also be completely unambiguous what any given route is. For example, we could separate routes into folders: /routes/public and /routes/private

@ojeytonwilliams ojeytonwilliams added this to the Backend API MVP milestone Mar 19, 2024
@moT01
Member

moT01 commented Mar 19, 2024

Here are a few endpoints that need to be open, I believe:

/^\/hooks\/update-paypal$|^\/donate\/charge-stripe$|^\/coderoad-challenge-completed$/.test(

The two donate ones haven't been created yet.

@gikf gikf added the platform: api Server application that needs familiarity with Express, Loopback, MongoDB etc. label Mar 19, 2024
@zeffanine-aimen

Hi @ojeytonwilliams and the freeCodeCamp team,

I've been reviewing the issue #54143 regarding the visibility of routes and have some suggestions that I believe could enhance the clarity and maintainability of the route authorization logic.

Proposed Changes:

  • Separate Public and Private Routes: Create two new directories within the routes folder: public and private. This will make it easier for contributors to understand which routes are accessible without authentication.
  • Refactor the isAllowedPath Function: Update the function to dynamically build the list of public paths based on the files present in the public routes directory. This approach could reduce the complexity of the current regex-based system and improve scalability.

Benefits:

  • Clarity: Having a clear separation of public and private routes in the file structure will make it easier for new contributors to understand the codebase.
  • Maintainability: By dynamically generating the list of public routes, we can avoid potential errors that might arise from manually updating regex patterns as new routes are added or changed.

Next Steps:
I would like to implement these changes and submit a PR for review. However, before proceeding, I wanted to discuss with you to ensure that these changes align with the project's goals and standards.

I'm looking forward to your feedback and any suggestions you might have.
Note: "I am a beginner"
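
One way to run the check this issue asks for, as an added example that is not freeCodeCamp's code: each route declares its intended visibility in a manifest, and an audit compares that intent with what the path check actually allows. The regex is the one quoted in the thread; the `isAllowedPath` body, the manifest format, `auditRoutes` and the `/example/...` paths are assumptions made for illustration.

```javascript
// Allowlist regex as quoted in the thread above.
const PUBLIC_PATHS =
  /^\/hooks\/update-paypal$|^\/donate\/charge-stripe$|^\/coderoad-challenge-completed$/;

// Hypothetical stand-in for the middleware's path check, not the project's code.
function isAllowedPath(path) {
  return PUBLIC_PATHS.test(path);
}

// Constructed manifest: every route states the visibility it is meant to have.
// The /example/... paths are made up for illustration.
const ROUTES = [
  { path: '/hooks/update-paypal', visibility: 'public' },
  { path: '/donate/charge-stripe', visibility: 'public' },
  { path: '/coderoad-challenge-completed', visibility: 'public' },
  { path: '/example/account-settings', visibility: 'private' },
  { path: '/example/status', visibility: 'public' }, // missing from the allowlist
  { path: '/example/new-route' } // nobody declared what this should be
];

// Compare intent (manifest) with behaviour (the check) and report every gap.
function auditRoutes(routes, isPublic) {
  const findings = [];
  const seen = new Set();
  for (const { path, visibility } of routes) {
    if (seen.has(path)) {
      findings.push({ path, problem: 'declared more than once' });
      continue;
    }
    seen.add(path);
    const allowed = isPublic(path);
    if (visibility !== 'public' && visibility !== 'private') {
      // Ambiguous routes are findings in their own right, whatever the check says.
      findings.push({ path, problem: 'no declared visibility' });
    } else if (visibility === 'public' && !allowed) {
      findings.push({ path, problem: 'declared public but requires auth' });
    } else if (visibility === 'private' && allowed) {
      findings.push({ path, problem: 'declared private but reachable without auth' });
    }
  }
  return findings;
}

const findings = auditRoutes(ROUTES, isAllowedPath);
for (const f of findings) console.log(`${f.path}: ${f.problem}`);
```

Run as a unit test, an empty findings list becomes the pass condition, so a route added without a declared visibility fails the build instead of silently defaulting to one side.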

Projects
Status: Discussing