hof 20.0.0-beta.7 → 20.0.0-beta.8

package/frontend/themes/gov-uk/client-js/govuk-cookies.js

@@ -1,6 +1,7 @@
+/* eslint-disable no-undef, no-param-reassign, no-unused-vars */
 (function () {
-  "use strict"
-  var root = this;
+  'use strict';
+  const root = this;
   if(typeof root.GOVUK === 'undefined') { root.GOVUK = {}; }
 
   /*
@@ -19,37 +20,35 @@
       GOVUK.cookie('hobnob', null);
   */
   GOVUK.cookie = function (name, value, options) {
-    if(typeof value !== 'undefined'){
+    if(typeof value !== 'undefined') {
       if(value === false || value === null) {
         return GOVUK.setCookie(name, '', { days: -1 });
-      } else {
-        return GOVUK.setCookie(name, value, options);
       }
-    } else {
-      return GOVUK.getCookie(name);
+      return GOVUK.setCookie(name, value, options);
     }
+    return GOVUK.getCookie(name);
   };
   GOVUK.setCookie = function (name, value, options) {
     if(typeof options === 'undefined') {
       options = {};
     }
-    var cookieString = name + "=" + value + "; path=/";
+    let cookieString = name + '=' + value + '; path=/';
     if (options.days) {
-      var date = new Date();
+      const date = new Date();
       date.setTime(date.getTime() + (options.days * 24 * 60 * 60 * 1000));
-      cookieString = cookieString + "; expires=" + date.toGMTString();
+      cookieString = cookieString + '; expires=' + date.toGMTString();
     }
-    if (document.location.protocol == 'https:'){
-      cookieString = cookieString + "; Secure";
+    if (document.location.protocol === 'https:') {
+      cookieString = cookieString + '; Secure';
     }
     document.cookie = cookieString;
   };
   GOVUK.getCookie = function (name) {
-    var nameEQ = name + "=";
-    var cookies = document.cookie.split(';');
-    for(var i = 0, len = cookies.length; i < len; i++) {
-      var cookie = cookies[i];
-      while (cookie.charAt(0) == ' ') {
+    const nameEQ = name + '=';
+    const cookies = document.cookie.split(';');
+    for(let i = 0, len = cookies.length; i < len; i++) {
+      let cookie = cookies[i];
+      while (cookie.charAt(0) === ' ') {
         cookie = cookie.substring(1, cookie.length);
       }
       if (cookie.indexOf(nameEQ) === 0) {
@@ -60,33 +59,33 @@
   };
 }).call(this);
 (function () {
-  'use strict'
-  var root = this
-  if (typeof root.GOVUK === 'undefined') { root.GOVUK = {} }
+  'use strict';
+  const root = this;
+  if (typeof root.GOVUK === 'undefined') { root.GOVUK = {}; }
 
   GOVUK.addCookieMessage = function () {
-    var message = document.getElementById('global-cookie-message')
+    const message = document.getElementById('global-cookie-message');
 
-    var hasCookieMessage = (message && GOVUK.cookie('seen_cookie_message') === null)
+    const hasCookieMessage = (message && GOVUK.cookie('seen_cookie_message') === null);
 
     if (hasCookieMessage) {
-      message.style.display = 'block'
-      GOVUK.cookie('seen_cookie_message', 'yes', { days: 28 })
+      message.style.display = 'block';
+      GOVUK.cookie('seen_cookie_message', 'yes', { days: 28 });
 
       document.addEventListener('DOMContentLoaded', function (event) {
         if (GOVUK.analytics && typeof GOVUK.analytics.trackEvent === 'function') {
           GOVUK.analytics.trackEvent('cookieBanner', 'Cookie banner shown', {
             value: 1,
             nonInteraction: true
-          })
+          });
         }
-      })
-    };
-  }
+      });
+    }
+  };
 }).call(this)
 ;
-(function() {
-  "use strict"
+(function () {
+  'use strict';
 
   // add cookie message
   if (window.GOVUK && GOVUK.addCookieMessage) {
@@ -94,28 +93,28 @@
   }
 
   // header navigation toggle
-  if (document.querySelectorAll && document.addEventListener){
-    var els = document.querySelectorAll('.js-header-toggle'),
-        i, _i;
-    for(i=0,_i=els.length; i<_i; i++){
-      els[i].addEventListener('click', function(e){
+  if (document.querySelectorAll && document.addEventListener) {
+    const els = document.querySelectorAll('.js-header-toggle');
+    let i; let _i;
+    for(i = 0, _i = els.length; i < _i; i++) {
+      els[i].addEventListener('click', function (e) {
         e.preventDefault();
-        var target = document.getElementById(this.getAttribute('href').substr(1)),
-            targetClass = target.getAttribute('class') || '',
-            sourceClass = this.getAttribute('class') || '';
+        const target = document.getElementById(this.getAttribute('href').substr(1));
+        const targetClass = target.getAttribute('class') || '';
+        const sourceClass = this.getAttribute('class') || '';
 
-        if(targetClass.indexOf('js-visible') !== -1){
+        if(targetClass.indexOf('js-visible') !== -1) {
           target.setAttribute('class', targetClass.replace(/(^|\s)js-visible(\s|$)/, ''));
         } else {
-          target.setAttribute('class', targetClass + " js-visible");
+          target.setAttribute('class', targetClass + ' js-visible');
         }
-        if(sourceClass.indexOf('js-visible') !== -1){
+        if(sourceClass.indexOf('js-visible') !== -1) {
           this.setAttribute('class', sourceClass.replace(/(^|\s)js-visible(\s|$)/, ''));
         } else {
-          this.setAttribute('class', sourceClass + " js-visible");
+          this.setAttribute('class', sourceClass + ' js-visible');
         }
-        this.setAttribute('aria-expanded', this.getAttribute('aria-expanded') !== "true");
-        target.setAttribute('aria-hidden', target.getAttribute('aria-hidden') === "false");
+        this.setAttribute('aria-expanded', this.getAttribute('aria-expanded') !== 'true');
+        target.setAttribute('aria-hidden', target.getAttribute('aria-hidden') === 'false');
       });
     }
   }

package/frontend/themes/gov-uk/client-js/index.js

@@ -8,12 +8,14 @@ var formFocus = toolkit.formFocus;
 var characterCount = toolkit.characterCount;
 var validation = toolkit.validation;
 
-var GOVUK = require('govuk-frontend')
-GOVUK.initAll();
-window.GOVUK = GOVUK;
+var GOVUK = require('govuk-frontend');
+// eslint-disable-next-line no-unused-vars
 var skipToMain = require('./skip-to-main');
+// eslint-disable-next-line no-unused-vars
 var cookie = require('./govuk-cookies');
 var cookieSettings = require('./cookieSettings');
+GOVUK.initAll();
+window.GOVUK = GOVUK;
 
 toolkit.detailsSummary();
 

package/frontend/themes/gov-uk/client-js/skip-to-main.js

@@ -1,18 +1,19 @@
 const skipToMain = function () {
-    const skipToMainLink = document.getElementById("skip-to-main");
-    const firstControlId = skipToMainLink.hash.split('#')[1] ? skipToMainLink.hash.split('#')[1] : "main-content";
-    if(firstControlId === "main-content"){
-      skipToMainLink.setAttribute("href", "#main-content");
-    }
-    if(firstControlId) {
-      skipToMainLink.onclick = function(e) {
-        //here timeout added just to make this functionality asynchronous 
-        //to focus on form as well as non form contents
-        setTimeout(() => {
-          const firstControl = document.getElementById(firstControlId);
-          firstControl.focus();
-        }, 10);      
-      }
-    }
-  };
-  skipToMain();
+  const skipToMainLink = document.getElementById('skip-to-main');
+  const firstControlId = skipToMainLink.hash.split('#')[1] ? skipToMainLink.hash.split('#')[1] : 'main-content';
+  if(firstControlId === 'main-content') {
+    skipToMainLink.setAttribute('href', '#main-content');
+  }
+  if(firstControlId) {
+    // eslint-disable-next-line no-unused-vars
+    skipToMainLink.onclick = function (e) {
+      // here timeout added just to make this functionality asynchronous
+      // to focus on form as well as non form contents
+      setTimeout(() => {
+        const firstControl = document.getElementById(firstControlId);
+        firstControl.focus();
+      }, 10);
+    };
+  }
+};
+skipToMain();

package/index.js

@@ -120,8 +120,9 @@ const getContentSecurityPolicy = (config, res) => {
  * @param options.getTerms {boolean} Optional boolean - whether to mount the /terms endpoint
  * @param options.getCookies {boolean} Optional boolean - whether to mount the /cookies endpoint
  * @param options.noCache {boolean} Optional boolean - whether to disable caching
- * @param options.getAccessibilityStatement {boolean} Optional boolean - whether to mount the /accessibility-statement endpoint
- * 
+ * @param options.getAccessibilityStatement {boolean} Optional boolean - whether to mount the
+ * /accessibility-statement endpoint
+ *
  * @returns {object} A new HOF application using the configuration supplied in options
  */
 function bootstrap(options) {
@@ -205,9 +206,13 @@ function bootstrap(options) {
   }));
   app.use(mixins());
   app.use(markdown(config.markdown));
-  
+  // rate limits have to be loaded before all routes so it is applied to them
+  if (config.rateLimits.requests.active) {
+    app.use(hofMiddleware.rateLimiter(config, 'requests'));
+  }
+
   // Set up routing so <YOUR-SITE-URL>/assets are served from /node_modules/govuk-frontend/govuk/assets
-  app.use('/assets', express.static(path.join(__dirname, '/node_modules/govuk-frontend/govuk/assets')))
+  app.use('/assets', express.static(path.join(__dirname, '/node_modules/govuk-frontend/govuk/assets')));
 
   if (config.getAccessibility === true) {
     deprecate(

package/lib/router.js

@@ -19,7 +19,8 @@ function getWizardConfig(config) {
   const wizardConfig = {
     name: config.route.name || (config.route.baseUrl || '').replace('/', ''),
     protocol: config.protocol,
-    env: config.env
+    env: config.env,
+    sanitiseInputs: config.sanitiseInputs
   };
 
   if (config.appConfig) {

package/lib/settings.js

@@ -7,19 +7,20 @@ const hoganExpressStrict = require('hogan-express-strict');
 const expressPartialTemplates = require('express-partial-templates');
 const bodyParser = require('body-parser');
 
-const filterEmptyViews = (views) => {
-  return views.filter(view => dirExists(view))
-}
-
-const dirExists = (dir) => {
+const dirExists = dir => {
   try {
     if (fs.existsSync(dir)) {
       return true;
     }
+    return false;
   } catch(err) {
-    throw new Error(`${err}: Cannot check if the directory path exists`)
+    throw new Error(`${err}: Cannot check if the directory path exists`);
   }
-}
+};
+
+const filterEmptyViews = views => {
+  return views.filter(view => dirExists(view));
+};
 
 module.exports = async (app, config) => {
   const viewEngine = config.viewEngine || 'html';
@@ -31,7 +32,7 @@ module.exports = async (app, config) => {
 
   app.use(config.theme());
 
-  const filteredViews = filterEmptyViews(config.theme.views)
+  const filteredViews = filterEmptyViews(config.theme.views);
   const viewPaths = [].concat(filteredViews);
   app.set('view engine', viewEngine);
   app.enable('view cache');

package/middleware/errors.js

@@ -1,6 +1,8 @@
 /* eslint-disable no-unused-vars */
 'use strict';
 
+const rateLimitsConfig = require('../config/rate-limits');
+
 const errorTitle = code => `${code}_ERROR`;
 const errorMsg = code => `There is a ${code}_ERROR`;
 // eslint-disable-next-line complexity
@@ -21,6 +23,36 @@ const getContent = (err, translate) => {
     content.message = (translate && translate('errors.cookies-required.message'));
   }
 
+  if (err.code === 'DDOS_RATE_LIMIT') {
+    err.status = 429;
+    err.template = 'rate-limit-error';
+    err.title = (translate && translate('errors.ddos-rate-limit.title'));
+    err.message = (translate && translate('errors.ddos-rate-limit.message'));
+    err.preTimeToWait = (translate && translate('errors.ddos-rate-limit.pre-time-to-wait'));
+    err.timeToWait = rateLimitsConfig.rateLimits.requests.windowSizeInMinutes;
+    err.postTimeToWait = (translate && translate('errors.ddos-rate-limit.post-time-to-wait'));
+    content.title = (translate && translate('errors.ddos-rate-limit.title'));
+    content.message = (translate && translate('errors.ddos-rate-limit.message'));
+    content.preTimeToWait = (translate && translate('errors.ddos-rate-limit.pre-time-to-wait'));
+    content.timeToWait = rateLimitsConfig.rateLimits.requests.windowSizeInMinutes;
+    content.postTimeToWait = (translate && translate('errors.ddos-rate-limit.post-time-to-wait'));
+  }
+
+  if (err.code === 'SUBMISSION_RATE_LIMIT') {
+    err.status = 429;
+    err.template = 'rate-limit-error';
+    err.title = (translate && translate('errors.submission-rate-limit.title'));
+    err.message = (translate && translate('errors.submission-rate-limit.message'));
+    err.preTimeToWait = (translate && translate('errors.submission-rate-limit.pre-time-to-wait'));
+    err.timeToWait = rateLimitsConfig.rateLimits.submissions.windowSizeInMinutes;
+    err.postTimeToWait = (translate && translate('errors.submission-rate-limit.post-time-to-wait'));
+    content.title = (translate && translate('errors.submission-rate-limit.title'));
+    content.message = (translate && translate('errors.submission-rate-limit.message'));
+    content.preTimeToWait = (translate && translate('errors.submission-rate-limit.pre-time-to-wait'));
+    content.timeToWait = rateLimitsConfig.rateLimits.submissions.windowSizeInMinutes;
+    content.postTimeToWait = (translate && translate('errors.submission-rate-limit.post-time-to-wait'));
+  }
+
   err.code = err.code || 'UNKNOWN';
   err.status = err.status || 500;
 

package/middleware/index.js

@@ -4,5 +4,6 @@ module.exports = {
   cookies: require('./cookies'),
   errors: require('./errors'),
   notFound: require('./not-found'),
-  deepTranslate: require('./deep-translate')
+  deepTranslate: require('./deep-translate'),
+  rateLimiter: require('./rate-limiter')
 };

package/middleware/rate-limiter.js

@@ -0,0 +1,98 @@
+
+const moment = require('moment');
+const redis = require('redis');
+const config = require('./../config/hof-defaults');
+
+module.exports = (options, rateLimitType) => {
+  // eslint-disable-next-line no-console
+  const logger = options.logger || { log: (func, msg) => console[func](msg) };
+  const rateLimits = options.rateLimits[rateLimitType];
+  const timestampName = `${rateLimitType}TimeStamp`;
+  const countName = `${rateLimitType}Count`;
+
+  const WINDOW_SIZE_IN_MINUTES = rateLimits.windowSizeInMinutes;
+  const MAX_WINDOW_REQUEST_COUNT = rateLimits.maxWindowRequestCount;
+  const WINDOW_LOG_INTERVAL_IN_MINUTES = rateLimits.windowLogIntervalInMinutes;
+  const ERROR_CODE = rateLimits.errCode;
+
+  return async (req, res, next) => {
+    const redisClient = redis.createClient(config.redis);
+
+    // check that redis client exists
+    if (!redisClient) {
+      logger.log('error', 'Redis client does not exist!');
+      return next();
+    }
+
+    const closeConnection = async err => {
+      await redisClient.quit();
+      return next(err);
+    };
+
+    try {
+      // fetch records of current user using IP address, returns null when no record is found
+      return await redisClient.get(req.ip, async (err, record) => {
+        if (err) {
+          logger.log('error', `Error with requesting redis session for rate limiting: ${err}`);
+          return await closeConnection();
+        }
+        const currentRequestTime = moment();
+        const windowStartTimestamp = moment().subtract(WINDOW_SIZE_IN_MINUTES, 'minutes').unix();
+        let oldRecord = false;
+        let data;
+        //  if no record is found , create a new record for user and store to redis
+        if (record) {
+          data = JSON.parse(record);
+          oldRecord = data[data.length - 1][timestampName] < windowStartTimestamp;
+        }
+
+        if (!record || oldRecord) {
+          const newRecord = [];
+          const requestLog = {
+            [timestampName]: currentRequestTime.unix(),
+            [countName]: 1
+          };
+          newRecord.push(requestLog);
+          await redisClient.set(req.ip, JSON.stringify(newRecord));
+          return await closeConnection();
+        }
+        // if record is found, parse it's value and calculate number of requests users has made within the last window
+        const requestsWithinWindow = data.filter(entry => entry[timestampName] > windowStartTimestamp);
+
+        const totalWindowRequestsCount = requestsWithinWindow.reduce((accumulator, entry) => {
+          return accumulator + entry[countName];
+        }, 0);
+
+        if (!options.rateLimits.env || options.rateLimits.env === 'development') {
+          const requestsRemaining = MAX_WINDOW_REQUEST_COUNT - totalWindowRequestsCount;
+          const msg = `Requests made by client: ${totalWindowRequestsCount}\nRequests remaining: ${requestsRemaining}`;
+          logger.log('info', msg);
+        }
+        // if number of requests made is greater than or equal to the desired maximum, return error
+        if (totalWindowRequestsCount >= MAX_WINDOW_REQUEST_COUNT) {
+          return await closeConnection({ code: ERROR_CODE });
+        }
+        // if number of requests made is less than allowed maximum, log new entry
+        const lastRequestLog = data[data.length - 1];
+        const potentialCurrentWindowIntervalStartTimeStamp = currentRequestTime
+          .subtract(WINDOW_LOG_INTERVAL_IN_MINUTES, 'minutes')
+          .unix();
+        //  if interval has not passed since last request log, increment counter
+        if (lastRequestLog[timestampName] > potentialCurrentWindowIntervalStartTimeStamp) {
+          lastRequestLog[countName]++;
+          data[data.length - 1] = lastRequestLog;
+        } else {
+          //  if interval has passed, log new entry for current user and timestamp
+          data.push({
+            [timestampName]: currentRequestTime.unix(),
+            [countName]: 1
+          });
+        }
+        await redisClient.set(req.ip, JSON.stringify(data));
+        return await closeConnection();
+      });
+    } catch (err) {
+      return await closeConnection(err);
+    }
+  };
+};

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "hof",
   "description": "A bootstrap for HOF projects",
-  "version": "20.0.0-beta.7",
+  "version": "20.0.0-beta.8",
   "license": "MIT",
   "main": "index.js",
   "author": "HomeOffice",
@@ -70,10 +70,9 @@
     "lodash": "^4.17.21",
     "markdown-it": "^12.3.2",
     "minimatch": "^3.0.3",
-    "minimist": "^1.2.0",
+    "minimist": "^1.2.6",
     "mixwith": "^0.1.1",
-    "mkdirp": "^0.5.1",
-    "moment": "^2.24.0",
+    "moment": "^2.29.2",
     "morgan": "^1.10.0",
     "mustache": "^2.3.0",
     "nodemailer": "^6.6.3",
@@ -88,8 +87,8 @@
     "serve-static": "^1.14.1",
     "uglify-js": "^3.14.3",
     "underscore": "^1.12.1",
-    "urijs": "^1.19.10",
-    "winston": "^3.3.3"
+    "urijs": "^1.19.11",
+    "winston": "^3.7.2"
   },
   "devDependencies": {
     "@cucumber/cucumber": "^7.3.0",

package/sandbox/apps/sandbox/fields.js

@@ -100,7 +100,7 @@ module.exports = {
     formatter: ['trim', 'hyphens'],
     labelClassName: ['govuk-label--l'],
     // attributes here are passed to the field element
-    validate: ['required', { type: 'maxlength', arguments: 100 }],
+    validate: ['required', { type: 'maxlength', arguments: 10 }],
     attributes: [{
       attribute: 'rows',
       value: 8

package/sandbox/server.js

@@ -8,5 +8,10 @@ bootstrap({
   routes: [
     require('./apps/sandbox')
   ],
+  rateLimits: {
+    requests: {
+      active: true
+    }
+  },
   getAccessibility: true
 });

package/transpiler/lib/write-files.js

@@ -2,7 +2,6 @@
 
 const fs = require('fs');
 const path = require('path');
-const mkdir = require('mkdirp').sync;
 const rm = require('rimraf').sync;
 
 const debug = require('debug')('hof:transpiler');
@@ -16,7 +15,7 @@ module.exports = (dir, data) => {
     const outputDir = path.resolve(dir, '..', lang);
     rm(outputDir);
     debug(`Emptied directory ${outputDir}`);
-    mkdir(outputDir);
+    fs.mkdirSync(outputDir);
     debug(`Made directory ${outputDir}`);
     Object.keys(data[lang]).forEach(namespace => {
       fs.writeFileSync(path.resolve(outputDir, `${namespace}.json`), JSON.stringify(data[lang][namespace], null, '  '));

package/utilities/helpers/index.js

@@ -94,7 +94,7 @@ module.exports = class Helpers {
   /**
    * utility function which returns undefined on
    * failed translations instead of returning the key
-   * @param {Function} translate - the translate funtion
+   * @param {Function} translate - the translate function
    * @param {String} key - the key to translate
    * @returns {String|undefined} the string result if successful, undefined if not
    */
@@ -131,4 +131,19 @@ module.exports = class Helpers {
       `pages.${key}.header`
     ]) || key;
   }
+  /**
+   * utility function which returns true or false on
+   * forks depending on whether a value exists on the page
+   * @param {Object} req - an http request object
+   * @param {Object} res - an http response object
+   * @param {Function|Object} condition - a field condition that is either a function or object
+   * @returns {Boolean} the boolean result of whether a field value is set on the page or session for a fork
+   */
+  static isFieldValueInPageOrSessionValid(req, res, condition) {
+    return _.isFunction(condition) ?
+      condition(req, res) :
+      condition.value === (req.form.values[condition.field] ||
+      (!Object.keys(req.form.values).includes(condition.field) &&
+      _.get(req, `form.historicalValues[${condition.field}]`)));
+  }
 };

package/wizard/index.js

@@ -69,6 +69,7 @@ const Wizard = (steps, fields, setts) => {
     options.confirmStep = settings.confirmStep;
     options.clearSession = options.clearSession || false;
     options.fieldsConfig = _.cloneDeep(fields);
+    options.sanitiseInputs = settings.sanitiseInputs;
 
     options.defaultFormatters = [].concat(settings.formatters);