0.10.0

Author: kanekoshoyu

TODO.md

@@ -97,77 +97,6 @@ tempDiv.innerHTML = `
 
 ## MEDIUM SECURITY ISSUES
 
-### 4. Placeholder Webhook URL
-
-**Severity**: MEDIUM
-**Location**: `src/constant.ts:8`
-
-```typescript
-webhook_url: "https://webhook.site/your-webhook-endpoint" // Replace with actual webhook endpoint
-```
-
-**Issue**: Placeholder webhook URL is checked into source code.
-
-**Impact**:
-- If not replaced, webhooks will fail silently or leak data to webhook.site
-- Webhook.site is a public service where anyone can view requests
-- Sensitive job description data could be exposed
-
-**Solution**:
-- [ ] Move webhook URL to environment variable
-- [ ] Set up actual webhook endpoint
-- [ ] Add validation to ensure webhook URL is properly configured
-- [ ] Consider webhook authentication/signing
-
----
-
-### 5. Missing Environment Variable Configuration
-
-**Severity**: MEDIUM
-**Location**: Project-wide
-
-**Issue**: No environment variables are used. All configuration is hardcoded in `src/constant.ts`.
-
-**Impact**:
-- Cannot have different configs for dev/staging/production
-- Secrets are exposed in git history forever
-- Makes it difficult to rotate keys or update endpoints
-
-**Current hardcoded values**:
-- `directus_url`: Should support different environments
-- `directus_key`: MUST be in environment variables
-- `guest_user_id`: Should be in environment variables
-- `auth_idp_key`: Could be environment-specific
-- `auth_idp_logput_url`: Could be environment-specific
-- `webhook_url`: MUST be in environment variables
-- `onboarding_form_url`: Could be environment-specific
-
-**Solution**:
-- [ ] Create `.env.example` file with all required variables
-- [ ] Add `.env` to `.gitignore` (already missing)
-- [ ] Update Astro config to load environment variables
-- [ ] Refactor `src/constant.ts` to use `import.meta.env.*`
-- [ ] Update deployment workflows to inject environment variables
-- [ ] Document all required environment variables in README
-
-Example `.env.example`:
-```env
-# Directus Configuration
-PUBLIC_DIRECTUS_URL=https://directus.bounteer.com
-DIRECTUS_GUEST_TOKEN=your-guest-token-here
-DIRECTUS_GUEST_USER_ID=your-guest-user-id
-
-# Authentication
-PUBLIC_AUTH_IDP_KEY=logto
-PUBLIC_AUTH_LOGOUT_URL=https://logto-app.bounteer.com/oidc/session/end
-
-# Integrations
-WEBHOOK_URL=https://your-webhook-endpoint.com
-PUBLIC_ONBOARDING_FORM_URL=https://form.typeform.com/to/FOz4fXGm
-```
-
----
-
 ### 6. Contact Form Without Authentication
 
 **Severity**: MEDIUM
@@ -226,48 +155,6 @@ const res = await fetch(`${EXTERNAL.directus_url}/items/message`, {
 
 ---
 
-## LOW SECURITY ISSUES
-
-### 8. TODO Comment About Authentication
-
-**Severity**: LOW
-**Location**: `src/lib/utils.ts:316`
-
-```typescript
-// TODO check if we are ussing the logged in user's session or a generic guest token
-```
-
-**Issue**: Uncertainty about authentication mechanism.
-
-**Solution**:
-- [ ] Review and document authentication flow
-- [ ] Clarify when session cookies vs guest token should be used
-- [ ] Update code comments with clear explanation
-
----
-
-### 9. Missing .env File Configuration
-
-**Severity**: LOW
-**Location**: `.gitignore:1-5`
-
-**Issue**: `.gitignore` doesn't explicitly include `.env*` files (though no .env files currently exist).
-
-**Current .gitignore**:
-```
-/.astro
-/node_modules
-.DS_Store
-/dist
-```
-
-**Solution**:
-- [ ] Add `.env` and `.env.*` to `.gitignore`
-- [ ] Add `*.env.local` pattern
-- [ ] Ensure `.env.example` is NOT ignored
-
----
-
 ## RECOMMENDATIONS
 
 ### Immediate Actions Required

package.json

@@ -1,7 +1,7 @@
 {
   "name": "@bounteer/page",
   "type": "module",
-  "version": "0.9.0",
+  "version": "0.10.0",
   "private": true,
   "scripts": {
     "dev": "astro dev",

src/components/interactive/RoleFitIndexForm.tsx

@@ -204,7 +204,6 @@ export default function RoleFitForm() {
       const filter = `filter[user_created][id][_eq]=${encodeURIComponent(userId)}`;
       const url = `${DIRECTUS_URL}/items/role_fit_index_submission?${fields}&${filter}&sort[]=-date_created&limit=1`;
 
-      // TODO the auth header is not using hte logged in user currently (using generic)
       const res = await fetch(url, {
         credentials: "include",
         headers: getAuthHeaders(me),
@@ -645,7 +644,7 @@ export default function RoleFitForm() {
       case "update":
         console.log("Record updated:", rec);
         if (!rec || String(rec.id) !== String(id)) return;
-        //  TODO check status
+
         console.log("received:" + rec);
         // Handle status updates
         if (rec.status) {

src/components/interactive/TopUpCard.tsx

@@ -143,7 +143,6 @@ export default function TopUpCard({
 
       });
 
-      // todo failed to fetch below
       const res = await fetch(`${webhookUrl}?${params.toString()}`, {
         method: "POST",
       });

src/lib/utils.ts

@@ -318,7 +318,6 @@ export async function loadCredits(directusUrl: string): Promise<{
   credits: Credits;
 }> {
   try {
-    // Check if user is logged in
     const user = await getUserProfile(directusUrl);
 
     if (!user) {
@@ -349,8 +348,6 @@ export async function loadCredits(directusUrl: string): Promise<{
   }
 }
 
-// TODO check if we are ussing the logged in user's session or a generic guest token
-// Helper function to get authorization headers
 export function getAuthHeaders(user: UserProfile | null = null): Record<string, string> {
   return user !== null
     ? {} // No auth header needed for authenticated users (using session cookies)

src/pages/logout.astro

@@ -53,8 +53,6 @@
         }
       }
 
-      // TODO check how I can enforce react client hyration
-      // Execute logout when page loads
       if (typeof window !== "undefined") {
         performLogout();
       }