Merge branch 'develop' into main

.env.example

@@ -14,6 +14,9 @@ ROLLBAR_ENV=development
 DATABASE_URL=postgres://postgres@localhost:5432/buy-for-your-school-development
 REDIS_URL=redis://localhost:6379
 
+# Miscellaneous
+DAYS_A_JOURNEY_CAN_BE_INACTIVE_FOR=30
+
 # Contentful
 CONTENTFUL_URL=cdn.contentful.com
 CONTENTFUL_SPACE=
@@ -31,4 +34,4 @@ DFE_SIGN_IN_ISSUER=https://test-oidc.signin.education.gov.uk:443
 DFE_SIGN_IN_IDENTIFIER=buyforyourschool
 DFE_SIGN_IN_SECRET=
 DFE_SIGN_IN_REDIRECT_URL=http://localhost:3000/auth/dfe/callback
-DFE_SIGN_IN_ENABLED=true
+DFE_SIGN_IN_ENABLED=false

CHANGELOG.md

@@ -6,6 +6,14 @@ The format is based on [Keep a Changelog 1.0.0].
 
 ## [Unreleased]
 
+## [release-007] - 2021-05-19
+
+- Add `noindex,nofollow` meta tag to all pages, as per Gov.UK guidance
+- fix API auth by switching mechanism from Basic to Token
+- remove `Returning to this specification` URL from task list
+- Add Tasks to the database when iterating through Sections from Contentful
+- fix XSS vulnerability by sanitising all user answers
+
 ## [release-006] - 2021-04-01
 
 - specification templates are now sourced from the Contentful Category entry
@@ -55,6 +63,7 @@ The format is based on [Keep a Changelog 1.0.0].
 - add new dashboard page with the ability to create new specifications
 - users can only see their past journeys from the dashboard
 - new API endpoint to allow Contentful to invalidate cached entries, allowing caching to stay on which prevents the app from being very slow/crashing on journey start
+- automatically delete Journey and associated records if we deem it to have become stale, to reclaim the unused database rows
 
 ## [release-005] - 2021-1-19
 
@@ -113,7 +122,8 @@ Contentful fixture
 - Contentful can redirect users to preview endpoints
 - users can be asked to answer a long text question
 
-[unreleased]: https://github.com/DFE-Digital/buy-for-your-school/compare/release-006...HEAD
+[unreleased]: https://github.com/DFE-Digital/buy-for-your-school/compare/release-007...HEAD
+[release-007]: https://github.com/DFE-Digital/buy-for-your-school/compare/release-006...release-007
 [release-006]: https://github.com/DFE-Digital/buy-for-your-school/compare/release-005...release-006
 [release-005]: https://github.com/DFE-Digital/buy-for-your-school/compare/release-004...release-005
 [release-004]: https://github.com/DFE-Digital/buy-for-your-school/compare/release-003...release-004

Gemfile

@@ -7,8 +7,8 @@ ruby "2.6.6"
 gem "bootsnap", ">= 1.1.0", require: false
 gem "climate_control"
 gem "coffee-rails", "~> 5.0"
-gem "contentful", "~> 2.15"
-gem "govuk_design_system_formbuilder", "~> 2.2"
+gem "contentful", "~> 2.16"
+gem "govuk_design_system_formbuilder", "~> 2.5"
 gem "high_voltage"
 gem "htmltoword"
 gem "jbuilder", "~> 2.11"
@@ -33,7 +33,7 @@ gem "tzinfo-data", platforms: %i[mingw mswin x64_mingw jruby]
 gem "uglifier", ">= 1.3.0"
 
 group :development do
-  gem "listen", ">= 3.0.5", "< 3.5"
+  gem "listen", ">= 3.0.5", "< 3.6"
   gem "spring"
   gem "spring-watcher-listen", "~> 2.0.0"
   gem "web-console", ">= 3.3.0"

Gemfile.lock

@@ -99,7 +99,7 @@ GEM
     coffee-script-source (1.12.2)
     concurrent-ruby (1.1.8)
     connection_pool (2.2.3)
-    contentful (2.15.4)
+    contentful (2.16.0)
       http (> 0.8, < 5.0)
       multi_json (~> 1)
     crack (0.4.5)
@@ -111,6 +111,7 @@ GEM
       activerecord (>= 5.a)
       database_cleaner-core (~> 2.0.0)
     database_cleaner-core (2.0.1)
+    deep_merge (1.2.1)
     diff-lcs (1.4.4)
     docile (1.3.4)
     domain_name (0.5.20190701)
@@ -130,7 +131,7 @@ GEM
       railties (>= 5.0.0)
     faker (2.17.0)
       i18n (>= 1.6, < 2)
-    ffi (1.14.2)
+    ffi (1.15.0)
     ffi-compiler (1.0.1)
       ffi (>= 1.0.0)
       rake
@@ -139,10 +140,11 @@ GEM
       raabro (~> 1.4)
     globalid (0.4.2)
       activesupport (>= 4.2.0)
-    govuk_design_system_formbuilder (2.2.0)
-      actionview (>= 5.2)
-      activemodel (>= 5.2)
-      activesupport (>= 5.2)
+    govuk_design_system_formbuilder (2.5.0)
+      actionview (>= 6.0)
+      activemodel (>= 6.0)
+      activesupport (>= 6.0)
+      deep_merge (~> 1.2.1)
     hashdiff (1.0.1)
     hashie (4.1.0)
     high_voltage (3.1.2)
@@ -158,10 +160,10 @@ GEM
     http-cookie (1.0.3)
       domain_name (~> 0.5)
     http-form_data (2.3.0)
-    http-parser (1.2.1)
+    http-parser (1.2.3)
       ffi-compiler (>= 1.0, < 2.0)
     httpclient (2.8.3)
-    i18n (1.8.9)
+    i18n (1.8.10)
       concurrent-ruby (~> 1.0)
     jbuilder (2.11.2)
       activesupport (>= 5.0.0)
@@ -175,12 +177,12 @@ GEM
       bindata
     launchy (2.5.0)
       addressable (~> 2.7)
-    libv8 (8.4.255.0)
-    liquid (5.0.0)
-    listen (3.4.1)
+    libv8-node (15.14.0.0)
+    liquid (5.0.1)
+    listen (3.5.1)
       rb-fsevent (~> 0.10, >= 0.10.3)
       rb-inotify (~> 0.9, >= 0.9.10)
-    loofah (2.9.0)
+    loofah (2.9.1)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.1)
@@ -189,15 +191,15 @@ GEM
     method_source (1.0.0)
     mini_mime (1.0.3)
     mini_portile2 (2.5.0)
-    mini_racer (0.3.1)
-      libv8 (~> 8.4.255)
+    mini_racer (0.4.0)
+      libv8-node (~> 15.14.0.0)
     minitest (5.14.4)
     mock_redis (0.27.3)
       ruby2_keywords
     msgpack (1.4.2)
     multi_json (1.15.0)
     nio4r (2.5.7)
-    nokogiri (1.11.2)
+    nokogiri (1.11.3)
       mini_portile2 (~> 2.5.0)
       racc (~> 1.4)
     omniauth (1.9.1)
@@ -221,10 +223,10 @@ GEM
       validate_url
       webfinger (>= 1.0.1)
     parallel (1.20.1)
-    parser (3.0.0.0)
+    parser (3.0.1.0)
       ast (~> 2.4.1)
     pg (1.2.3)
-    pry (0.14.0)
+    pry (0.14.1)
       coderay (~> 1.1)
       method_source (~> 1.0)
     public_suffix (4.0.6)
@@ -278,7 +280,7 @@ GEM
     redis-namespace (1.8.1)
       redis (>= 3.0.4)
     regexp_parser (2.1.1)
-    rexml (3.2.4)
+    rexml (3.2.5)
     rollbar (3.1.2)
     rspec-core (3.10.1)
       rspec-support (~> 3.10.0)
@@ -297,7 +299,7 @@ GEM
       rspec-mocks (~> 3.10)
       rspec-support (~> 3.10)
     rspec-support (3.10.2)
-    rubocop (1.11.0)
+    rubocop (1.12.1)
       parallel (~> 1.10)
       parser (>= 3.0.0.0)
       rainbow (>= 2.2.2, < 4.0)
@@ -329,7 +331,7 @@ GEM
       rubyzip (>= 1.2.2)
     shoulda-matchers (4.5.1)
       activesupport (>= 4.2.0)
-    sidekiq (6.2.0)
+    sidekiq (6.2.1)
       connection_pool (>= 2.2.2)
       rack (~> 2.0)
       redis (>= 4.2.0)
@@ -355,8 +357,8 @@ GEM
       actionpack (>= 4.0)
       activesupport (>= 4.0)
       sprockets (>= 3.0.0)
-    standard (1.0.4)
-      rubocop (= 1.11.0)
+    standard (1.0.5)
+      rubocop (= 1.12.1)
       rubocop-performance (= 1.10.1)
     swd (1.2.0)
       activesupport (>= 3)
@@ -390,7 +392,7 @@ GEM
     webfinger (1.1.0)
       activesupport
       httpclient (>= 2.4)
-    webmock (3.12.1)
+    webmock (3.12.2)
       addressable (>= 2.3.6)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
@@ -413,19 +415,19 @@ DEPENDENCIES
   capybara (>= 2.15)
   climate_control
   coffee-rails (~> 5.0)
-  contentful (~> 2.15)
+  contentful (~> 2.16)
   database_cleaner
   dotenv-rails
   factory_bot_rails
   faker
-  govuk_design_system_formbuilder (~> 2.2)
+  govuk_design_system_formbuilder (~> 2.5)
   high_voltage
   htmltoword
   jbuilder (~> 2.11)
   jquery-rails
   launchy
   liquid
-  listen (>= 3.0.5, < 3.5)
+  listen (>= 3.0.5, < 3.6)
   mini_racer
   mock_redis
   omniauth

README.md

@@ -6,6 +6,7 @@ A service to help school buying professionals create tender documents that compl
 1. [Release process](/doc/release-process.md)
 1. [Managing environment variables](/doc/managing-environment-variables.md)
 1. [DfE Sign-in](/doc/dfe-sign-in.md)
+1. [Console access](/doc/console-access.md)
 
 ## Making changes
 

app/assets/stylesheets/components/_specification.scss

@@ -15,4 +15,28 @@
     @extend .govuk-list;
     @extend .govuk-list--number;
   }
+
+  table {
+    @extend .govuk-table !optional;
+  }
+
+  thead {
+    @extend .govuk-table__head !optional;
+  }
+
+  tbody {
+    @extend .govuk-table__body !optional;
+  }
+
+  tr {
+    @extend .govuk-table__row !optional;
+  }
+
+  th {
+    @extend .govuk-table__header !optional;
+  }
+
+  td {
+    @extend .govuk-table__cell !optional;
+  }
 }

app/controllers/answers_controller.rb

@@ -14,11 +14,7 @@ def create
     @answer = AnswerFactory.new(step: @step).call
     @answer.step = @step
 
-    result = SaveAnswer.new(answer: @answer).call(
-      further_information_params: further_information_params,
-      answer_params: answer_params,
-      date_params: date_params
-    )
+    result = SaveAnswer.new(answer: @step.answer).call(params: prepared_params(step: @step))
     @answer = result.object
 
     if result.success?
@@ -33,11 +29,7 @@ def update
     @step = Step.find(step_id)
     @step_presenter = StepPresenter.new(@step)
 
-    result = SaveAnswer.new(answer: @step.answer).call(
-      further_information_params: further_information_params,
-      answer_params: answer_params,
-      date_params: date_params
-    )
+    result = SaveAnswer.new(answer: @step.answer).call(params: prepared_params(step: @step))
     @answer = result.object
 
     if result.success?
@@ -57,6 +49,17 @@ def step_id
     params[:step_id]
   end
 
+  def prepared_params(step:)
+    case step.contentful_type
+    when "checkboxes", "radios"
+      further_information_params
+    when "single_date"
+      date_params
+    else
+      answer_params
+    end
+  end
+
   def answer_params
     params.require(:answer).permit(:response, :further_information)
   end

app/controllers/api/contentful/entries_controller.rb

@@ -1,6 +1,8 @@
 class Api::Contentful::EntriesController < ApplicationController
+  before_action :authenticate_api_user!
+
   skip_before_action :authenticate_user!
-  http_basic_authenticate_with name: "api", password: ENV["CONTENTFUL_WEBHOOK_API_KEY"]
+  skip_before_action :verify_authenticity_token
 
   def changed
     Cache.delete(key: cache_key)
@@ -14,4 +16,10 @@ def changed
   private def changed_params
     params.permit("entityId")
   end
+
+  private def authenticate_api_user!
+    authenticate_or_request_with_http_token do |token, _options|
+      token == ENV["CONTENTFUL_WEBHOOK_API_KEY"]
+    end
+  end
 end

app/controllers/preview/entries_controller.rb

@@ -1,4 +1,6 @@
 class Preview::EntriesController < ApplicationController
+  before_action :check_app_is_running_in_preview_env
+
   def show
     @journey = Journey.create(
       category: "catering",
@@ -19,4 +21,9 @@ def show
   def entry_id
     params[:id]
   end
+
+  def check_app_is_running_in_preview_env
+    return if ENV["CONTENTFUL_PREVIEW_APP"].eql?("true")
+    render file: "public/404.html", status: :not_found, layout: false
+  end
 end

app/jobs/delete_stale_journeys_job.rb

@@ -0,0 +1,9 @@
+class DeleteStaleJourneysJob < ApplicationJob
+  queue_as :default
+
+  def perform
+    DeleteStaleJourneys.new.call
+
+    Rollbar.info("Delete stale journeys task complete.")
+  end
+end

app/jobs/warm_entry_cache_job.rb

@@ -2,19 +2,23 @@ class WarmEntryCacheJob < ApplicationJob
   include CacheableEntry
 
   queue_as :caching
-  sidekiq_options retry: 5
 
   def perform
     category = GetCategory.new(category_entry_id: ENV["CONTENTFUL_DEFAULT_CATEGORY_ENTRY_ID"]).call
     sections = GetSectionsFromCategory.new(category: category).call
-    steps = sections.map { |section| GetStepsFromSection.new(section: section).call }
+    steps = begin
+      sections.map { |section| GetStepsFromSection.new(section: section).call }
+    rescue GetStepsFromSection::RepeatEntryDetected
+      cache.extend_ttl_on_all_entries
+      return
+    end
 
     # TODO: Cache category and sections too
     [steps].flatten.each do |entry|
       store_in_cache(cache: cache, key: "contentful:entry:#{entry.id}", entry: entry)
     end
-  rescue GetStepsFromSection::RepeatEntryDetected
-    cache.extend_ttl_on_all_entries
+
+    Rollbar.info("Cache warming task complete.")
   end
 
   private