Skip to content

Updated readme + fixed test suite #3

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
HardMax71 merged 39 commits into from
Sep 16, 2025
Merged

Updated readme + fixed test suite #3

Show file tree
Hide file tree
Changes from 38 commits
Commits
Show all changes
39 commits
Select commit Hold shift + click to select a range
9e81510
- ui improvements (better logo, styles, meta tags)
Jul 27, 2025
00db7c8
fixes
Jul 27, 2025
8617439
fixes 2 - for CI, took another version of setup-k8s.sh
Jul 27, 2025
29c8a20
JWT_SECRET_KEY fix: added validation, + updated .env + added tests
Jul 28, 2025
0e4cce4
JWT_SECRET_KEY fix 2: naming
Jul 28, 2025
7551313
JWT_SECRET_KEY fix 3: key length
Jul 28, 2025
7c0e36e
JWT_SECRET_KEY fix 4: regex instead of separate function
Jul 28, 2025
d624a52
JWT_SECRET_KEY fix 4: regex instead of separate function
Jul 28, 2025
597e209
JWT_SECRET_KEY fix 5: added key to ci/cd
Jul 28, 2025
8ee6bbd
SEC 1.2: added char limits for script length
Jul 28, 2025
8a343b0
SEC 1.3: rate limits for auth routes
Jul 28, 2025
b2ea506
SEC 1.4: mitigation of (possible) XSS in frontend ( -> added `dompuri…
Jul 28, 2025
95eef81
SEC 1.5: better security policy in nginx.conf
Jul 28, 2025
611e75d
SEC 1.6: mongodb login creds added
Jul 28, 2025
904b452
rewrite: using `kubernetes`' watch
Jul 28, 2025
8d0feed
v2: added kafka instead of polling, more details to add sooner
Aug 13, 2025
33d0114
rewrite: using `kubernetes`' watch
Aug 13, 2025
9897abc
v2.1: no globals/magic/xxattr methods, updated code to use DI correctly
Aug 15, 2025
b89a916
v2.0:
Sep 7, 2025
80e763f
- fix of trivy errors (docker scan)
Sep 7, 2025
a02ea4c
v2.1: 80% coverage, updated tests, updated readmes
Sep 15, 2025
d1d0b63
CI pipeline fix
Sep 15, 2025
0c3ddb7
CI pipeline fix 2
Sep 15, 2025
66ff9a8
CI pipeline fix 3 | Disabling SASL Kafka auth for CI
Sep 15, 2025
da4e25c
CI fix 4 | disabling SASL for Kafka+Zookeper
Sep 15, 2025
b01b5a7
CI fix 5 | SASL simplification
Sep 15, 2025
05ff7c1
CI fix 6 | added secrets for mongouser/pass
Sep 15, 2025
66f1c18
CI fix 7 | cert-gen IP fix
Sep 15, 2025
4a822c0
CI fix 8 | cert-gen IP fix
Sep 15, 2025
b299428
CI fix 9 | since tests are only for API, turning off checks for fron…
Sep 15, 2025
9d6cc8b
CI fix 10 | added mongodb creds
Sep 15, 2025
288e37a
CI fix 11 | mongodb conn string in conftest
Sep 15, 2025
def453a
CI fix 12 | mongodb sha fix
Sep 15, 2025
1b99088
CI fix 13
Sep 15, 2025
0ec021c
CI fix 14
Sep 15, 2025
da3076b
CI fix 1 - simplified creds
Sep 15, 2025
08a9dc6
Merge remote-tracking branch 'origin/main' into dev
Sep 15, 2025
dc7ba3f
sonarqube fixes
Sep 15, 2025
7c62572
updated readme + moved arch .md file to /files_for_readme + updated i…
Sep 16, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
The table of contents is too big for display.
Diff view
Diff view
  •  
  •  
  •  
58 changes: 38 additions & 20 deletions .github/workflows/tests.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,22 +35,39 @@ jobs:
- name: Modify Docker Compose for CI
run: |
cp docker-compose.yaml docker-compose.ci.yaml
# For the backend service
yq eval '.services.backend.extra_hosts += ["host.docker.internal:host-gateway"]' -i docker-compose.ci.yaml
# Drop the frontend service for backend-only tests
yq eval 'del(.services.frontend)' -i docker-compose.ci.yaml
# For the backend service (extra_hosts already exists, skip it)
# Note: backend.environment is a list in docker-compose.yaml
yq eval '.services.backend.environment += ["TESTING=true"]' -i docker-compose.ci.yaml
yq eval '.services.backend.environment += ["MONGO_ROOT_USER=testroot"]' -i docker-compose.ci.yaml
yq eval '.services.backend.environment += ["MONGO_ROOT_PASSWORD=testpassword"]' -i docker-compose.ci.yaml
yq eval '.services.backend.environment += ["MONGO_ROOT_USER=root"]' -i docker-compose.ci.yaml
yq eval '.services.backend.environment += ["MONGO_ROOT_PASSWORD=rootpassword"]' -i docker-compose.ci.yaml
# Disable OpenTelemetry SDK during tests to avoid exporter retries
yq eval '.services.backend.environment += ["OTEL_SDK_DISABLED=true"]' -i docker-compose.ci.yaml

# For the mongo service
yq eval '.services.mongo.environment += ["MONGO_ROOT_USER=testroot"]' -i docker-compose.ci.yaml
yq eval '.services.mongo.environment += ["MONGO_ROOT_PASSWORD=testpassword"]' -i docker-compose.ci.yaml

# MongoDB service already has defaults in docker-compose.yaml (root/rootpassword)
# No need to override them

# Disable SASL authentication for Kafka and Zookeeper in CI
yq eval 'del(.services.kafka.environment.KAFKA_OPTS)' -i docker-compose.ci.yaml
yq eval 'del(.services.zookeeper.environment.KAFKA_OPTS)' -i docker-compose.ci.yaml
yq eval 'del(.services.zookeeper.environment.ZOOKEEPER_AUTH_PROVIDER_1)' -i docker-compose.ci.yaml
yq eval '.services.kafka.volumes = [.services.kafka.volumes[] | select(. | contains("jaas.conf") | not)]' -i docker-compose.ci.yaml
yq eval '.services.zookeeper.volumes = [.services.zookeeper.volumes[] | select(. | contains("/etc/kafka") | not)]' -i docker-compose.ci.yaml

# Simplify Zookeeper for CI
yq eval '.services.zookeeper.environment.ZOOKEEPER_4LW_COMMANDS_WHITELIST = "ruok,srvr"' -i docker-compose.ci.yaml
# Disable zookeeper healthcheck in CI (use service_started instead)
yq eval 'del(.services.zookeeper.healthcheck)' -i docker-compose.ci.yaml
# Make Kafka start as soon as Zookeeper starts (not healthy)
yq eval '.services.kafka.depends_on.zookeeper.condition = "service_started"' -i docker-compose.ci.yaml

# For the cert-generator service
yq eval '.services.cert-generator.extra_hosts += ["host.docker.internal:host-gateway"]' -i docker-compose.ci.yaml
yq eval '.services.cert-generator.environment += ["CI=true"]' -i docker-compose.ci.yaml
yq eval '.services.cert-generator.volumes += ["$HOME/.kube/config:/root/.kube/config:ro"]' -i docker-compose.ci.yaml
# Check if extra_hosts exists, if not create it as a list
yq eval 'select(.services."cert-generator".extra_hosts == null).services."cert-generator".extra_hosts = []' -i docker-compose.ci.yaml
yq eval '.services."cert-generator".extra_hosts += ["host.docker.internal:host-gateway"]' -i docker-compose.ci.yaml
yq eval '.services."cert-generator".environment += ["CI=true"]' -i docker-compose.ci.yaml
yq eval '.services."cert-generator".volumes += [env(HOME) + "/.kube/config:/root/.kube/config:ro"]' -i docker-compose.ci.yaml

echo "--- Modified docker-compose.ci.yaml ---"
cat docker-compose.ci.yaml
Expand Down Expand Up @@ -89,13 +106,7 @@ jobs:
done'
echo "Backend is healthy!"

- name: Wait for frontend to be ready
run: |
timeout 120 bash -c 'until curl -k https://127.0.0.1:5001 -o /dev/null; do \
echo "Retrying frontend check..."; \
sleep 5; \
done'
echo "Frontend is ready!"
# Frontend is excluded in backend-only CI; skip UI readiness

- name: Check K8s setup status after startup
run: |
Expand All @@ -121,10 +132,18 @@ jobs:
- name: Run backend tests with coverage
env:
BACKEND_BASE_URL: https://127.0.0.1:443
# Use default MongoDB credentials for CI
MONGO_ROOT_USER: root
MONGO_ROOT_PASSWORD: rootpassword
MONGODB_HOST: 127.0.0.1
MONGODB_PORT: 27017
# Explicit URL with default credentials
MONGODB_URL: mongodb://root:rootpassword@127.0.0.1:27017/?authSource=admin
Comment on lines +135 to +141
Copy link

@coderabbitai coderabbitai bot Sep 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Verification agent

🧩 Analysis chain

Hardcoded DB credentials in CI env (secret leak risk).

MONGO_ROOT_PASSWORD and MONGODB_URL embed credentials in the repo, tripping secret scanners and exposing them in logs. Use GitHub Secrets.

-          # Use default MongoDB credentials for CI
-          MONGO_ROOT_USER: root
-          MONGO_ROOT_PASSWORD: rootpassword
+          # Use GitHub Secrets for credentials (avoid committing secrets)
+          MONGO_ROOT_USER: root
+          MONGO_ROOT_PASSWORD: ${{ secrets.MONGO_ROOT_PASSWORD }}
           MONGODB_HOST: 127.0.0.1
           MONGODB_PORT: 27017
-          # Explicit URL with default credentials
-          MONGODB_URL: mongodb://root:rootpassword@127.0.0.1:27017/?authSource=admin
+          # Explicit URL without hardcoded password
+          MONGODB_URL: mongodb://root:${{ secrets.MONGO_ROOT_PASSWORD }}@127.0.0.1:27017/?authSource=admin

🏁 Script executed:

#!/bin/bash
# Find other hardcoded 'mongodb://' credentials to scrub.
rg -nP --glob '!.git' 'mongodb:\/\/[^:\s]+:[^@\s]+@' -C2

Length of output: 148

🏁 Script executed:

#!/bin/bash
set -euo pipefail
echo "Searching repository (excluding .git) for hardcoded MongoDB credentials and related env vars..."

rg -nP -g '!.git/**' 'mongodb:\/\/[^:\s]+:[^@\s]+@' -C2 || true
rg -nP -g '!.git/**' '\bMONGO_ROOT_PASSWORD\b|\bMONGODB_URL\b|\bMONGO_ROOT_USER\b|\bMONGODB_HOST\b|\bMONGODB_PORT\b' -n -C3 || true
rg -nP -g '!.git/**' 'rootpassword' -n -C2 || true

echo
echo "Printing .github/workflows/tests.yml lines 120-150 if file exists:"
if [ -f ".github/workflows/tests.yml" ]; then
  sed -n '120,150p' .github/workflows/tests.yml || true
else
  echo ".github/workflows/tests.yml not found"
fi

Length of output: 1790

Replace hardcoded MongoDB credentials in CI with GitHub Secrets

Confirmed .github/workflows/tests.yml contains plaintext MongoDB credentials (lines 135–141). Move the password into GitHub Secrets and reference it in the workflow. Add the secret MONGO_ROOT_PASSWORD to the repository's GitHub Secrets.

Location: .github/workflows/tests.yml lines 135–141

-          # Use default MongoDB credentials for CI
-          MONGO_ROOT_USER: root
-          MONGO_ROOT_PASSWORD: rootpassword
+          # Use GitHub Secrets for credentials (avoid committing secrets)
+          MONGO_ROOT_USER: root
+          MONGO_ROOT_PASSWORD: ${{ secrets.MONGO_ROOT_PASSWORD }}
           MONGODB_HOST: 127.0.0.1
           MONGODB_PORT: 27017
-          # Explicit URL with default credentials
-          MONGODB_URL: mongodb://root:rootpassword@127.0.0.1:27017/?authSource=admin
+          # Explicit URL without hardcoded password
+          MONGODB_URL: mongodb://root:${{ secrets.MONGO_ROOT_PASSWORD }}@127.0.0.1:27017/?authSource=admin
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# Use default MongoDB credentials for CI
MONGO_ROOT_USER: root
MONGO_ROOT_PASSWORD: rootpassword
MONGODB_HOST: 127.0.0.1
MONGODB_PORT: 27017
# Explicit URL with default credentials
MONGODB_URL: mongodb://root:rootpassword@127.0.0.1:27017/?authSource=admin
# Use GitHub Secrets for credentials (avoid committing secrets)
MONGO_ROOT_USER: root
MONGO_ROOT_PASSWORD: ${{ secrets.MONGO_ROOT_PASSWORD }}
MONGODB_HOST: 127.0.0.1
MONGODB_PORT: 27017
# Explicit URL without hardcoded password
MONGODB_URL: mongodb://root:${{ secrets.MONGO_ROOT_PASSWORD }}@127.0.0.1:27017/?authSource=admin
🤖 Prompt for AI Agents 
In .github/workflows/tests.yml around lines 135–141 the MongoDB password is
hardcoded; add a repository secret named MONGO_ROOT_PASSWORD in GitHub Settings
→ Secrets and replace the plaintext value with a reference to that secret in the
workflow (use the GitHub Actions secrets interpolation for MONGO_ROOT_PASSWORD),
update any derived values such as MONGODB_URL to construct the connection string
using the secret instead of embedding the literal password, and ensure no other
credentials remain in plaintext (keep MONGO_ROOT_USER and host/port as needed or
move them to secrets if required).

run: |
cd backend
echo "Using BACKEND_BASE_URL=$BACKEND_BASE_URL"
python -m pytest tests/integration tests/unit -v --cov=app --cov-report=xml --cov-report=term
echo "MongoDB connection will use default CI credentials"
python -m pytest tests/integration tests/unit -v --cov=app --cov-branch --cov-report=xml --cov-report=term --cov-report=term-missing

- name: Upload coverage to Codecov
uses: codecov/codecov-action@v5
Expand All @@ -143,7 +162,6 @@ jobs:
docker compose -f docker-compose.ci.yaml logs > logs/docker-compose.log
docker compose -f docker-compose.ci.yaml logs cert-generator > logs/cert-generator.log
docker compose -f docker-compose.ci.yaml logs backend > logs/backend.log
docker compose -f docker-compose.ci.yaml logs frontend > logs/frontend.log
docker compose -f docker-compose.ci.yaml logs mongo > logs/mongo.log
kubectl get events --sort-by='.metadata.creationTimestamp' > logs/k8s-events.log
kubectl get pods -A -o wide > logs/k8s-pods-final.log
Expand Down
Loading
Loading