Feature: Lerna

.gitignore

@@ -20,4 +20,4 @@ Icon?
 report*.html
 
 # e2e
-test/e2e/screenshots/
+**/test/e2e/screenshots/

.travis.yml

@@ -24,17 +24,18 @@ cache:
 
   override:
     # use the new "ci" command for fastest installs on CI
-    - npm ci
-    - npm run cy:verify
+    - npm install
+    - npm run all:cy:verify
 
 before_script:
   ## we use the '&' ampersand which tells
   ## travis to run this process in the background
   ## else it would block execution and hang travis
-  - docker run -d -p 27017:27017 mongo:4.0
-  - docker ps -a
-  - NODE_ENV=test npm start -- --silent &
+  - npm run all:deps-ci
+  - NODE_ENV=test npm run all:infra-start --silent &
+  # FIXME: Wait until infra is ready (300s)
+  - sleep 300
 
 script:
-  - npm run test:ci
+  - npm run all:test-ci
 

apps/server-render/README.md

@@ -0,0 +1,119 @@
+# NodeGoat
+
+Being lightweight, fast, and scalable, Node.js is becoming a widely adopted platform for developing web applications. This project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.
+
+## Getting Started
+OWASP Top 10 for Node.js web applications:
+
+### Know it!
+[Tutorial Guide](http://nodegoat.herokuapp.com/tutorial) explaining how each of the OWASP Top 10 vulnerabilities can manifest in Node.js web apps and how to prevent it.
+
+### Do it!
+[A Vulnerable Node.js App for Ninjas](http://nodegoat.herokuapp.com/) to exploit, toast, and fix. You may like to [set up your own copy](#how-to-setup-your-copy-of-nodegoat) of the app to fix and test vulnerabilities. Hint: Look for comments in the source code.
+##### Default user accounts
+The database comes pre-populated with these user accounts created as part of the seed data -
+* Admin Account - u:admin p:Admin_123
+* User Accounts (u:user1 p:User1_123), (u:user2 p:User2_123)
+* New users can also be added using the sign-up page.
+
+## How to Setup Your Copy of NodeGoat
+
+### OPTION 1 - One click install on Heroku
+The the quickest way to get running with NodeGoat is to click the button below to deploy it on Heroku.
+
+Even though it is not essential, but recommended that you fork this repository and deploy the forked repo.
+This would allow you to fix vulnerabilities in your own forked version, and deploy and test it on heroku.
+
+[![Deploy](https://www.herokucdn.com/deploy/button.png)](https://heroku.com/deploy)
+
+This Heroku instance uses Free ($0/month) node server and MongoLab add-on.
+
+### OPTION 2 - Run NodeGoat on your machine
+
+If you do not wish to run NodeGoat on Heroku, please follow these steps to setup and run it locally -
+* Install [Node.js](http://nodejs.org/) - NodeGoat requires Node v8 or above
+
+* Clone the github repository
+```
+git clone https://github.com/OWASP/NodeGoat.git
+```
+
+*go to the directory
+```
+cd NodeGoat
+```
+
+* Install node modules
+```
+npm install
+```
+
+* Create Mongo DB:
+    You can create a remote MongoDB instance or use local mongod installation
+    * A. Using Remote MongoDB
+        * Create a sandbox mongoDB instance (free) at [mLab](https://mlab.com/plans/pricing/#plan-sandbox)
+        * Create a new database.
+        * Create a user.
+        * Update the `db` property in file `config/env/development.js` to reflect your DB setup. (in format: `mongodb://<username>:<password>@<databasename>`)
+    * OR B.Using local MongoDB
+        * If using local Mongo DB instance, start [mongod](http://docs.mongodb.org/manual/reference/program/mongod/#bin.mongod).
+        * Update the `db` property in file `config/env/development.js` to reflect your DB setup. (in format: `mongodb://localhost:27017/<databasename>`)
+
+* Populate MongoDB with seed data required for the app
+    * Run the npm-script below to populate the DB with seed data required for the application. Pass the desired environment as argument. If not passed, "development" is the default:
+```
+npm run db:seed
+```
+* Start server, this starts the NodeGoat application at url [http://localhost:4000/](http://localhost:4000/)
+```
+npm start
+```
+
+* Start server with nodemon, this starts the NodeGoat application at url [http://localhost:5000/](http://localhost:5000/)
+```
+npm run dev
+```
+
+### OPTION 3 - Run NodeGoat on Docker
+
+**You need to install [docker](https://docs.docker.com/installation/) and [docker compose](https://docs.docker.com/compose/install/) to be able to use this option**
+
+The repo includes the Dockerfile and docker-compose.yml necessary to setup the app and the db instance then connect them together.
+
+* Change the db config in `config/env/development.js` to point to the respective Docker container.
+```
+db: "mongodb://mongo:27017/nodegoat",
+```
+* Build the images:
+```
+docker-compose build
+```
+* Run the app:
+```
+docker-compose up
+```
+
+
+#### Customizing the Default Application Configuration
+The default application settings (database url, http port, etc.) can be changed by updating the [config file] (https://github.com/OWASP/NodeGoat/blob/master/config/env/all.js).
+
+## Report bugs, Feedback, Comments
+*  Open a new [issue](https://github.com/OWASP/NodeGoat/issues) or contact team by joining chat at [Slack](https://owasp.slack.com/messages/project-nodegoat/) or [![Join the chat at https://gitter.im/OWASP/NodeGoat](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/OWASP/NodeGoat?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
+
+
+## Contributing
+
+Please Follow [the contributing guide](CONTRIBUTING.md)
+
+## Code Of Conduct (CoC)
+
+This project is bound by a [Code of Conduct](CODE_OF_CONDUCT.md).
+
+## Contributors
+Here are the amazing [contributors](https://github.com/OWASP/NodeGoat/graphs/contributors) to the NodeGoat project.
+
+## Supports
+- Thanks to JetBrains for providing licenses to fantastic [WebStorm IDE](https://www.jetbrains.com/webstorm/) to build this project.
+
+## License
+Code licensed under the [Apache License v2.0.](http://www.apache.org/licenses/LICENSE-2.0)

app/data/allocations-dao.js → apps/server-render/app/data/allocations-dao.js

@@ -1,7 +1,7 @@
 const UserDAO = require("./user-dao").UserDAO;
 
 /* The AllocationsDAO must be constructed with a connected database object */
-const AllocationsDAO = function(db){
+const AllocationsDAO = function(db) {
 
     "use strict";
 
@@ -90,7 +90,7 @@ const AllocationsDAO = function(db){
             let doneCounter = 0;
             const userAllocations = [];
 
-            allocations.forEach( alloc => {
+            allocations.forEach(alloc => {
                 userDAO.getUserById(alloc.userId, (err, user) => {
                     if (err) return callback(err, null);
 

app/data/benefits-dao.js → apps/server-render/app/data/benefits-dao.js

@@ -40,4 +40,6 @@ function BenefitsDAO(db) {
     };
 }
 
-module.exports = { BenefitsDAO };
+module.exports = {
+    BenefitsDAO
+};

app/data/contributions-dao.js → apps/server-render/app/data/contributions-dao.js

@@ -26,7 +26,7 @@ function ContributionsDAO(db) {
         };
 
         contributionsDB.update({
-            userId
+                userId
             },
             contributions, {
                 upsert: true
@@ -83,4 +83,6 @@ function ContributionsDAO(db) {
     };
 }
 
-module.exports = { ContributionsDAO };
+module.exports = {
+    ContributionsDAO
+};

app/data/memos-dao.js → apps/server-render/app/data/memos-dao.js

@@ -36,4 +36,6 @@ function MemosDAO(db) {
 
 }
 
-module.exports = { MemosDAO };
+module.exports = {
+    MemosDAO
+};

app/data/profile-dao.js → apps/server-render/app/data/profile-dao.js

@@ -110,4 +110,6 @@ function ProfileDAO(db) {
     };
 }
 
-module.exports = { ProfileDAO };
+module.exports = {
+    ProfileDAO
+};

app/data/research-dao.js → apps/server-render/app/data/research-dao.js

@@ -24,4 +24,6 @@ function ResearchDAO(db) {
     }
 }
 
-module.exports = { ResearchDAO };
+module.exports = {
+    ResearchDAO
+};

app/data/user-dao.js → apps/server-render/app/data/user-dao.js

@@ -116,8 +116,10 @@ function UserDAO(db) {
             }, {
                 new: true
             },
-            (err, data) =>  err ? callback(err, null) : callback(null, data.value.seq));
+            (err, data) => err ? callback(err, null) : callback(null, data.value.seq));
     };
 }
 
-module.exports = { UserDAO };
+module.exports = {
+    UserDAO
+};

app/routes/allocations.js → apps/server-render/app/routes/allocations.js

@@ -1,6 +1,6 @@
 const AllocationsDAO = require("../data/allocations-dao").AllocationsDAO;
 
-function AllocationsHandler (db) {
+function AllocationsHandler(db) {
     "use strict";
 
     const allocationsDAO = new AllocationsDAO(db);
@@ -10,12 +10,19 @@ function AllocationsHandler (db) {
         // Fix for A4 Insecure DOR -  take user id from session instead of from URL param
         const { userId } = req.session;
         */
-        const {userId} = req.params;
-        const { threshold } = req.query
+        const {
+            userId
+        } = req.params;
+        const {
+            threshold
+        } = req.query
 
         allocationsDAO.getByUserIdAndThreshold(userId, threshold, (err, allocations) => {
             if (err) return next(err);
-            return res.render("allocations", { userId, allocations });
+            return res.render("allocations", {
+                userId,
+                allocations
+            });
         });
     };
 }

app/routes/benefits.js → apps/server-render/app/routes/benefits.js

@@ -1,6 +1,8 @@
-const { BenefitsDAO } = require("../data/benefits-dao");
+const {
+    BenefitsDAO
+} = require("../data/benefits-dao");
 
-function BenefitsHandler (db) {
+function BenefitsHandler(db) {
     "use strict";
 
     const benefitsDAO = new BenefitsDAO(db);
@@ -21,7 +23,10 @@ function BenefitsHandler (db) {
     };
 
     this.updateBenefits = (req, res, next) => {
-        const { userId, benefitStartDate } = req.body;
+        const {
+            userId,
+            benefitStartDate
+        } = req.body;
 
         benefitsDAO.updateBenefits(userId, benefitStartDate, (error) => {
 

app/routes/contributions.js → apps/server-render/app/routes/contributions.js

@@ -1,13 +1,15 @@
 const ContributionsDAO = require("../data/contributions-dao").ContributionsDAO;
 
 /* The ContributionsHandler must be constructed with a connected db */
-function ContributionsHandler (db) {
+function ContributionsHandler(db) {
     "use strict";
 
     const contributionsDAO = new ContributionsDAO(db);
 
     this.displayContributions = (req, res, next) => {
-        const { userId } = req.session;
+        const {
+            userId
+        } = req.session;
 
         contributionsDAO.getByUserId(userId, (error, contrib) => {
             if (error) return next(error);
@@ -31,7 +33,9 @@ function ContributionsHandler (db) {
         const afterTax = parseInt(req.body.afterTax);
         const roth = parseInt(req.body.roth);
         */
-        const { userId } = req.session;
+        const {
+            userId
+        } = req.session;
 
         //validate contributions
         const validations = [isNaN(preTax), isNaN(afterTax), isNaN(roth), preTax < 0, afterTax < 0, roth < 0]

app/routes/error.js → apps/server-render/app/routes/error.js

@@ -1,6 +1,6 @@
 // Error handling middleware
 
-const errorHandler = (err, req, res,next) => {
+const errorHandler = (err, req, res, next) => {
 
     "use strict";
 
@@ -12,4 +12,6 @@ const errorHandler = (err, req, res,next) => {
     });
 };
 
-module.exports = { errorHandler };
+module.exports = {
+    errorHandler
+};

app/routes/index.js → apps/server-render/app/routes/index.js

@@ -76,9 +76,11 @@ const index = (app, db) => {
     app.get("/tutorial", (req, res) => {
         return res.render("tutorial/a1");
     });
-    
+
     app.get("/tutorial/:page", (req, res) => {
-        const { page } = req.params
+        const {
+            page
+        } = req.params
         return res.render(`tutorial/${page}`);
     });
 

app/routes/memos.js → apps/server-render/app/routes/memos.js

@@ -1,6 +1,6 @@
 const MemosDAO = require("../data/memos-dao").MemosDAO;
 
-function MemosHandler (db) {
+function MemosHandler(db) {
     "use strict";
 
     const memosDAO = new MemosDAO(db);
@@ -15,7 +15,9 @@ function MemosHandler (db) {
 
     this.displayMemos = (req, res, next) => {
 
-        const { userId } = req.session;
+        const {
+            userId
+        } = req.session;
 
         memosDAO.getAllMemos((err, docs) => {
             if (err) return next(err);