Merge branch 'main' into mntor-5029

Author: kschelonka

.env

@@ -9,7 +9,7 @@ NEXTAUTH_URL=http://localhost:6060
 DISABLE_DOCKERFLOW=
 
 # Database server
-DATABASE_URL=postgres://postgres@localhost:5432/blurts
+DATABASE_URL=postgres://blurts:blurts@localhost:5432/blurts
 # How many seconds can unverified subscribers remain in the database
 DELETE_UNVERIFIED_SUBSCRIBERS_TIMER=86400
 
@@ -145,9 +145,9 @@ MONTHLY_SCANS_QUOTA=
 STATS_TOKEN=
 
 # GCP PubSub Project ID and subscription name
-GCP_PUBSUB_PROJECT_ID=
-GCP_PUBSUB_TOPIC_NAME=
-GCP_PUBSUB_SUBSCRIPTION_NAME=
+GCP_PUBSUB_PROJECT_ID=your-project-name
+GCP_PUBSUB_TOPIC_NAME=hibp-breaches
+GCP_PUBSUB_SUBSCRIPTION_NAME=hibp-cron
 
 # Randomly-generated UUIDv5 namespace, until/unless we are approved to use FxA UID for Nimbus User ID.
 NIMBUS_UUID_NAMESPACE=00000000-0000-0000-0000-000000000000
@@ -169,7 +169,5 @@ SENTRY_AUTH_TOKEN=
 # Whether GA4 sends data or not. NOTE: must be set in build environment.
 NEXT_PUBLIC_GA4_DEBUG_MODE=true
 
-GA4_API_SECRET=unsafe-default-secret-for-dev
-
 # Data broker removal estimates data
 DATA_BROKER_REMOVAL_ESTIMATES_DATA=[]

.env.ci

@@ -0,0 +1,180 @@
+# local, heroku, stage, production
+APP_ENV=local
+SERVER_URL=http://localhost:6060
+PORT=6060
+NEXTAUTH_URL=http://localhost:6060
+NODE_ENV=development
+
+# 1: disables the dockerflow endpoints
+# see: https://github.com/mozilla-services/Dockerflow#containerized-app-requirements
+DISABLE_DOCKERFLOW=
+
+# Database server
+DATABASE_URL=postgres://blurts:blurts@localhost:5432/test-blurts
+# How many seconds can unverified subscribers remain in the database
+DELETE_UNVERIFIED_SUBSCRIBERS_TIMER=86400
+
+# How many seconds until page tokens expire?
+PAGE_TOKEN_TIMER=0
+
+# Email server
+SMTP_URL=
+# From: address used in emails
+EMAIL_FROM=
+# https://docs.aws.amazon.com/ses/latest/DeveloperGuide/using-configuration-sets.html
+SES_CONFIG_SET=
+# 1: only log messages coming back from SES
+SES_NOTIFICATION_LOG_ONLY=
+
+# s3 bucket for cdn
+AWS_ACCESS_KEY_ID=
+AWS_SECRET_ACCESS_KEY=
+AWS_REGION=
+S3_BUCKET=
+
+# Firefox Accounts OAuth
+FXA_SETTINGS_URL=https://accounts.stage.mozaws.net/settings
+
+OAUTH_CLIENT_ID=edd29a80019d61a1
+OAUTH_CLIENT_SECRET=get-this-from-groovecoder-or-fxmonitor-engineering
+OAUTH_AUTHORIZATION_URI=https://accounts.stage.mozaws.net/authorization
+OAUTH_METRICS_FLOW_URI=https://accounts.stage.mozaws.net/metrics-flow
+OAUTH_PROFILE_URI=https://profile.stage.mozaws.net/v1/profile
+OAUTH_TOKEN_URI=https://oauth.stage.mozaws.net/v1/token
+OAUTH_ACCOUNT_URI="https://api-accounts.stage.mozaws.net/v1"
+
+# HIBP API for breach data
+# How many seconds to wait before refreshing upstream breach data from HIBP
+HIBP_RELOAD_BREACHES_TIMER=600
+# HIBP API for range search and subscription
+HIBP_KANON_API_ROOT=https://enterprise.stage-api.haveibeenpwned.com
+HIBP_KANON_API_TOKEN=
+HIBP_API_ROOT=https://haveibeenpwned.com/api/v2
+HIBP_API_TOKEN=
+# How many milliseconds to wait before retrying an HIBP request
+HIBP_THROTTLE_DELAY=2000
+# Max number of times to try an HIBP request before throwing error
+HIBP_THROTTLE_MAX_TRIES=5
+# Authorization token for HIBP to present to /hibp/notify endpoint
+HIBP_NOTIFY_TOKEN=unsafe-default-token-for-dev
+# Domains we prefer to not link to
+HIBP_BREACH_DOMAIN_BLOCKLIST=a-blocked-domain.com,another-blocked-domain.org
+
+# OneRep API for exposure scanning
+ONEREP_API_BASE=https://mozilla.api.onerep.com
+ONEREP_API_KEY=
+ONEREP_WEBHOOK_SECRET="unsafe-default-secret-for-dev"
+
+# Firefox Remote Settings
+FX_REMOTE_SETTINGS_WRITER_SERVER=https://settings-writer.prod.mozaws.net/v1
+FX_REMOTE_SETTINGS_WRITER_USER=
+FX_REMOTE_SETTINGS_WRITER_PASS=
+
+# DSN for Sentry error and event capturing
+# e.g., SENTRY_DSN=https://{key}@sentry.prod.mozaws.net/408
+SENTRY_DSN=
+SENTRY_DSN_LEGACY=
+
+BREACH_RESOLUTION_ENABLED=1
+PRODUCT_PROMOS_ENABLED=1
+
+# Experiment Flag
+EXPERIMENT_ACTIVE=0
+
+REDIS_URL=redis://redis.mock
+
+SUPPORTED_LOCALES=cs,cy,da,de,el,en,en-CA,en-GB,es-AR,es-CL,es-ES,es-MX,fi,fr,fy-NL,gn,hu,kab,ia,id,it,ja,ko,nl,nn-NO,pt-BR,pt-PT,ru,sk,sl,sq,sv-SE,th,tr,uk,vi,zh-CN,zh-TW
+
+# Locales blocked from viewing Mozilla VPN promos. Use CSV without whitespace.
+VPN_PROMO_BLOCKED_LOCALES=zh-CN
+
+# MaxMind GeoLite2 geolocation service used for VPN Banner
+# For Heroku deploys, the following 3 vars are generated automatically via Buildpack https://github.com/HiMamaInc/heroku-buildpack-geoip-geolite2
+# Staging and production environments will need variables set manually
+# Local environment uses a test database with limited data (preset here)
+GEOIP_GEOLITE2_PATH=./tests/mmdb/
+GEOIP_GEOLITE2_CITY_FILENAME=GeoLite2-City-Test.mmdb
+GEOIP_GEOLITE2_COUNTRY_FILENAME=GeoLite2-Country-Test.mmdb
+
+# Educational video src urls, hosted by SRE team on a CDN
+EDUCATION_VIDEO_URL_RELAY=https://monitor.cdn.mozilla.net/videos/FF_Relay_version_02.mp4
+EDUCATION_VIDEO_URL_VPN=https://monitor.cdn.mozilla.net/videos/Mozilla_VPN.mp4
+
+# Email addresses that are allowed to test and send emails
+ADMINS=
+
+# Enable monthly cron-job, currently for sending unresolved breach reminder emails
+MONTHLY_CRON_ENABLED=
+
+# Functional tests
+E2E_TEST_ENV=ci # need to not be 'local' because of imports
+E2E_TEST_SECRET=test-secret
+E2E_TEST_ACCOUNT_BASE_EMAIL=test-account
+E2E_TEST_ACCOUNT_BASE_PASSWORD=test-password
+
+# Monitor Premium features
+# Link to start user on the subscription process. PREMIUM_ENABLED must be set to `true`.
+SUBSCRIPTION_BILLING_AMOUNT_MONTHLY_US=42.42
+SUBSCRIPTION_BILLING_AMOUNT_BUNDLE_INDIVIDUAL_MONTHLY_US=424
+SUBSCRIPTION_BILLING_AMOUNT_BUNDLE_MONTHLY_US=42
+
+# SubPlat 2.0 URL, product and plan IDs, used for Plus subscriptions:
+FXA_SUBSCRIPTIONS_URL=https://accounts.stage.mozaws.net/subscriptions
+PREMIUM_PRODUCT_ID=prod_NErZh679W62lai
+PREMIUM_PLAN_ID_MONTHLY_US=price_1MUNq0Kb9q6OnNsL4BoJgepf
+PREMIUM_PLAN_ID_YEARLY_US=price_1NvqawKb9q6OnNsLRTnYrtrV
+
+# SubPlat 3.0 URL and offering ID, used for Plus subscriptions:
+SUBPLAT_SUBSCRIPTIONS_URL=https://payments-next.stage.fxa.nonprod.webservices.mozgcp.net
+SUBPLAT_MONITOR_OFFERING_ID=monitorplusstage
+SUBPLAT_BUNDLE_OFFERING_ID=privacyprotectionplan/yearly
+SUBPLAT_BUNDLE_PRODUCT_ID=prod_SFb8iVuZIOPREe
+SUBPLAT_BUNDLE_PRICE_ID=price_1RMAopKb9q6OnNsLSGe1vLtt
+
+# Mozilla privacy product URLs
+FIREFOX_RELAY_LANDING_URL=https://stage.fxprivaterelay.nonprod.cloudops.mozgcp.net
+MOZILLA_VPN_LANDING_URL=https://www-dev.allizom.org/products/vpn
+
+# This date is used to direct users who signed up after data broker scanning
+# was released to the welcome flow. Users who had signed up before and thus
+# have seen data breach results before, will be able to see their known breaches
+# first:
+BROKER_SCAN_RELEASE_DATE=2024-02-06
+
+MONTHLY_SUBSCRIBERS_QUOTA=
+MONTHLY_SCANS_QUOTA=
+STATS_TOKEN=
+
+# GCP PubSub Project ID and subscription name
+GCP_PUBSUB_PROJECT_ID=your-project-name
+GCP_PUBSUB_TOPIC_NAME=hibp-breaches
+GCP_PUBSUB_SUBSCRIPTION_NAME=hibp-cron
+PUBSUB_HOST=localhost
+PUBSUB_PORT=8085
+PUBSUB_EMULATOR_HOST="${PUBSUB_HOST}:${PUBSUB_PORT}"
+
+
+# Randomly-generated UUIDv5 namespace, until/unless we are approved to use FxA UID for Nimbus User ID.
+NIMBUS_UUID_NAMESPACE=00000000-0000-0000-0000-000000000000
+NIMBUS_SIDECAR_URL=http://localhost:8001
+
+# The maximum number of jobs that the email breach alert worker will process.
+EMAIL_BREACH_ALERT_MAX_MESSAGES = 10000
+
+# The maximum number of scans and profiles allowed. May be used for alerts, and for redirecting to waitlist.
+MAX_MANUAL_SCANS=100
+MAX_INITIAL_SCANS=100
+MAX_PROFILES_ACTIVATED=100
+MAX_PROFILES_CREATED=100
+
+# Used during CI to upload sourcemaps to Sentry.
+UPLOAD_SENTRY_SOURCEMAPS=false
+SENTRY_AUTH_TOKEN=
+
+# Whether GA4 sends data or not. NOTE: must be set in build environment.
+NEXT_PUBLIC_GA4_DEBUG_MODE=true
+
+GA4_API_SECRET=unsafe-default-secret-for-dev
+
+# Data broker removal estimates data
+DATA_BROKER_REMOVAL_ESTIMATES_DATA=[]

.github/workflows/build.yaml

@@ -15,7 +15,7 @@ jobs:
         with:
           persist-credentials: false
       - name: Use Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
           node-version: "20.19.x"
       - run: npm ci

.github/workflows/docker_build_deploy.yml

@@ -59,7 +59,8 @@ jobs:
       - name: Deploy to Dockerhub
         env:
           DOCKERHUB_REPO: ${{ env.DOCKERHUB_REPO }}
+          TAGS: ${{ steps.meta.outputs.tags }}
         run: |
           # deploy main
-          docker tag blurts-server ${{ steps.meta.outputs.tags }}
-          docker push ${{ steps.meta.outputs.tags }}
+          docker tag blurts-server $TAGS
+          docker push $TAGS

.github/workflows/docker_build_deploy_v2.yml

@@ -68,13 +68,15 @@ jobs:
 
       - name: Build and push Docker image to GAR
         id: build-and-push
+        env:
+          TAGS: ${{ steps.meta.outputs.tags }}
         uses: docker/build-push-action@v6
         with:
           context: .
           # Push is true to push to GAR after build
           push: true
           # Tags generated by the metadata action (only GAR tag)
-          tags: ${{ steps.meta.outputs.tags }}
+          tags: ${{ env.TAGS }}
           # Pass build arguments
           build-args: |
             SENTRY_RELEASE=${{ github.sha }} # Use full SHA for Sentry release clarity
@@ -87,5 +89,7 @@ jobs:
           cache-to: type=gha,mode=max
 
       - name: Print Image URI
+        env:
+          TAGS: ${{ steps.meta.outputs.tags }}
         run: |
-          echo "Pushed GAR image: ${{ steps.meta.outputs.tags }}" 
+          echo "Pushed GAR image: $TAGS"

.github/workflows/functional_tests_cron.yml

@@ -34,7 +34,7 @@ jobs:
       - uses: actions/checkout@v5
         with:
           persist-credentials: false
-      - uses: actions/setup-node@v5
+      - uses: actions/setup-node@v6
         with:
           node-version: 20.19.x
 
@@ -67,13 +67,13 @@ jobs:
           E2E_TEST_SECRET: ${{ secrets.E2E_TEST_SECRET }}
           E2E_TEST_ACCOUNT_BASE_EMAIL: ${{ secrets.E2E_TEST_ACCOUNT_BASE_EMAIL }}
           E2E_TEST_ACCOUNT_BASE_PASSWORD: ${{ secrets.E2E_TEST_ACCOUNT_BASE_PASSWORD }}
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v5
         if: always()
         with:
           name: playwright-report-${{ github.event_name == 'workflow_dispatch' && inputs.test_env || matrix.test_env }}
           path: playwright-report/
           retention-days: 30
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v5
         if: always()
         with:
           name: test-results-${{ github.event_name == 'workflow_dispatch' && inputs.test_env || matrix.test_env }}

.github/workflows/functional_tests_pr.yml

@@ -35,7 +35,7 @@ jobs:
       - uses: actions/checkout@v5
         with:
           persist-credentials: false
-      - uses: actions/setup-node@v5
+      - uses: actions/setup-node@v6
         with:
           node-version: 20.19.x
 
@@ -86,13 +86,13 @@ jobs:
           PREMIUM_PLAN_ID_YEARLY_US: ${{ secrets.STAGE_PREMIUM_PLAN_ID_YEARLY_US }}
           PREMIUM_PRODUCT_ID: ${{ secrets.STAGE_PREMIUM_PRODUCT_ID }}
           REDIS_URL: "redis://redis.mock"
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v5
         if: always()
         with:
           name: playwright-report
           path: playwright-report/
           retention-days: 30
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v5
         if: always()
         with:
           name: test-results

.github/workflows/lighthouse_cron.yml

@@ -28,7 +28,7 @@ jobs:
         with:
           persist-credentials: false
       - name: Use Node.js 20.19.x
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
           node-version: 20.19.x
       - name: Run Lighthouse CI

.github/workflows/lint.yaml

@@ -16,7 +16,7 @@ jobs:
         with:
           persist-credentials: false
       - name: Use Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
           node-version: '20.19.x'
       - run: npm ci

.github/workflows/production_deploy.yml

@@ -63,19 +63,19 @@ jobs:
           password: ${{ steps.gcp-auth.outputs.access_token }}
 
       - name: Pull Docker Hub image
-        run: docker pull "${{ env.DOCKERHUB_IMAGE }}:${{ env.SAFE_IMAGE_TAG }}"
+        run: docker pull "$DOCKERHUB_IMAGE:$SAFE_IMAGE_TAG"
 
       - name: Retag Docker Hub image
-        run: docker tag "${{ env.DOCKERHUB_IMAGE }}:${{ env.SAFE_IMAGE_TAG }}" "${{ env.DOCKERHUB_IMAGE }}:${{ env.SAFE_ENVIRONMENT }}-${{ env.SAFE_IMAGE_TAG }}"
+        run: docker tag "$DOCKERHUB_IMAGE:$SAFE_IMAGE_TAG" "$DOCKERHUB_IMAGE:$SAFE_ENVIRONMENT-$SAFE_IMAGE_TAG"
 
       - name: Push Docker Hub image
-        run: docker push "${{ env.DOCKERHUB_IMAGE }}:${{ env.SAFE_ENVIRONMENT }}-${{ env.SAFE_IMAGE_TAG }}"
+        run: docker push "$DOCKERHUB_IMAGE:$SAFE_ENVIRONMENT-$SAFE_IMAGE_TAG"
 
       - name: Pull GAR image
-        run: docker pull "${{ env.GAR_IMAGE_BASE }}:${{ env.SAFE_IMAGE_TAG }}"
+        run: docker pull "$GAR_IMAGE_BASE:$SAFE_IMAGE_TAG"
 
       - name: Retag GAR image
-        run: docker tag "${{ env.GAR_IMAGE_BASE }}:${{ env.SAFE_IMAGE_TAG }}" "${{ env.GAR_IMAGE_BASE }}:${{ env.SAFE_ENVIRONMENT }}-${{ env.SAFE_IMAGE_TAG }}"
+        run: docker tag "$GAR_IMAGE_BASE:$SAFE_IMAGE_TAG" "$GAR_IMAGE_BASE:$SAFE_ENVIRONMENT-$SAFE_IMAGE_TAG"
 
       - name: Push GAR image
-        run: docker push "${{ env.GAR_IMAGE_BASE }}:${{ env.SAFE_ENVIRONMENT }}-${{ env.SAFE_IMAGE_TAG }}"
+        run: docker push "$GAR_IMAGE_BASE:$SAFE_ENVIRONMENT-$SAFE_IMAGE_TAG"