Merge branch 'main' into stepsecurity_remediation_1719436239

.github/ISSUE_TEMPLATE/feature_request.md

@@ -8,7 +8,7 @@ assignees: ''
 ---
 
 **Is your feature request related to a problem? Please describe.**
-A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+A clear and concise description of what the problem is. Example: I'm always frustrated when [...]
 
 **Describe the solution you'd like**
 A clear and concise description of what you want to happen.

.github/dependabot.yml

@@ -3,30 +3,46 @@
 # See https://docs.github.com/en/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts
 version: 2
 updates:
- # Updates Elixir dependencies
- - package-ecosystem: mix
- directory: server/
+ # Updates GHA dependencies
+ - package-ecosystem: github-actions
+ directory: /
  schedule:
  interval: weekly
  day: monday
  time: "05:00"
  timezone: America/Los_Angeles
- # Will only open a maximum of 3 PRs
+ groups:
+ actions:
+ patterns:
+ - "*"
  open-pull-requests-limit: 3
- # Updates GHA dependencies
- - package-ecosystem: github-actions
+
+ # Updates Docker dependencies
+ - package-ecosystem: docker
  directory: /
  schedule:
  interval: weekly
  day: monday
  time: "05:00"
  timezone: America/Los_Angeles
  open-pull-requests-limit: 3
+
+ # Updates Elixir dependencies
+ - package-ecosystem: mix
+ directory: server/
+ schedule:
+ interval: weekly
+ day: monday
+ time: "05:00"
+ timezone: America/Los_Angeles
+ # Will only open a maximum of 3 PRs
+ open-pull-requests-limit: 3
+
  # Updates JavaScript dependencies
  - package-ecosystem: npm
  directory: /ui
  schedule:
- interval: daily
+ interval: weekly
  time: "05:00"
  timezone: America/Los_Angeles
  open-pull-requests-limit: 3
@@ -69,17 +85,8 @@ updates:
  misc:
  patterns:
  - "*"
- # Open individual PRs for the following packages
  exclude-patterns:
+ # Open individual PRs for the following packages
  - "typescript"
  - "phoenix"
  - "@types/node"
- # Updates Docker dependencies
- - package-ecosystem: docker
- directory: /
- schedule:
- interval: weekly
- day: monday
- time: "05:00"
- timezone: America/Los_Angeles
- open-pull-requests-limit: 3

.github/workflows/ci.yaml

@@ -13,7 +13,7 @@ jobs:
  test:
  runs-on: ubuntu-latest
  steps:
- - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
  with:
  egress-policy: audit
 

.github/workflows/fast-forward.yaml

@@ -20,7 +20,7 @@ jobs:
  issues: write
 
  steps:
- - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
  with:
  egress-policy: audit
 

.github/workflows/heroku.yaml

@@ -17,7 +17,7 @@ jobs:
  || (contains(github.event.comment.body, '/refresh-heroku-status') && github.event.issue.pull_request) }}
 
  steps:
- - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
  with:
  egress-policy: audit
 
@@ -45,7 +45,7 @@ jobs:
 
  # Check that the deployed app returns successful HTTP response.
  steps:
- - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
  with:
  egress-policy: audit
 

.github/workflows/scorecard.yml

@@ -31,7 +31,7 @@ jobs:
  # actions: read
 
  steps:
- - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
  with:
  egress-policy: audit
 
@@ -41,7 +41,7 @@ jobs:
  persist-credentials: false
 
  - name: "Run analysis"
- uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+ uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
  with:
  results_file: results.sarif
  results_format: sarif
@@ -63,7 +63,7 @@ jobs:
  # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
  # format to the repository Actions tab.
  - name: "Upload artifact"
- uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
+ uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
  with:
  name: SARIF file
  path: results.sarif
@@ -72,6 +72,6 @@ jobs:
  # Upload the results to GitHub's code scanning dashboard (optional).
  # Commenting out will disable upload of results to your repo's Code Scanning dashboard
  - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+ uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
  with:
  sarif_file: results.sarif

CONTRIBUTING.md

@@ -11,10 +11,10 @@ We recommend following these steps if you'd like to contribute to the repo.
 
 0. Check out the [Trello board](https://trello.com/b/hRFh7Sc1/orcasite-development) for an overview of features being worked on.
  - This [public roadmap](https://trello.com/b/wBg0qhss/orcasound-roadmap) has a higher level view.
-1. Fork the Orcasite repo
-2. Develop on a [feature branch](https://www.atlassian.com/git/tutorials/comparing-workflows/feature-branch-workflow)
+1. Fork the Orcasite repo.
+2. Develop on a [feature branch](https://www.atlassian.com/git/tutorials/comparing-workflows/feature-branch-workflow).
 3. Submit a PR (don't review your own)!
-  - To maintain a consistent style, we recommend running [Prettier](https://github.com/prettier/prettier) on js, and `mix format` before submission
+  - To maintain a consistent style, we recommend running [Prettier](https://github.com/prettier/prettier) on js, and `mix format` before submission.
 4. Once a PR is merged, we can throw it up onto the dev server to see how things look!
 
 ### Questions?
@@ -51,6 +51,6 @@ If you're new to Elixir (or JS and React), that's no problem! Here are some reso
 - [Apollo GraphQL](https://www.apollographql.com/docs/react/) - Javascript library for GraphQL
 
 ### Example codebases
-Some of these are convenient for reference
+Some of these are convenient for reference:
 
-- [Evercam](https://github.com/evercam/evercam-server/) - Good example of supervision trees
+- [Evercam](https://github.com/evercam/evercam-server/) - Good example of supervision trees

README.md

@@ -147,7 +147,7 @@ Once everything finishes starting up, you'll be able to access the UI at [`http:
 
 ### UI
 
-The new version (v3) is currently under development, rapidly changing, and has no tests yet
+The new version (v3) is currently under development, rapidly changing, and has no tests yet.
 
 ## Deployment
 

server/config/config.exs

@@ -73,13 +73,11 @@ config :orcasite, OrcasiteWeb.Auth.AuthAccessPipeline,
  error_handler: OrcasiteWeb.Auth.AuthErrorHandler
 
 config :orcasite, :ecto_repos, [Orcasite.Repo]
-config :orcasite, :ash_apis, [Orcasite.Notifications, Orcasite.Accounts, Orcasite.Radio]
+config :orcasite, :ash_domains, [Orcasite.Notifications, Orcasite.Accounts, Orcasite.Radio]
 config :orcasite, :ash_uuid, migration_default?: true
-config :ash, :use_all_identities_in_manage_relationship?, false
 config :ash, :custom_types, geometry: Orcasite.Types.Geometry
 config :ash_graphql, :default_managed_relationship_type_name_template, :action_name
 config :ash_graphql, :json_type, :json
-config :ash, :utc_datetime_type, :datetime
 
 config :mime, :types, %{
  "application/vnd.api+json" => ["json"]
@@ -93,7 +91,7 @@ config :orcasite, Oban,
  repo: Orcasite.Repo,
  # 7 day job retention
  plugins: [{Oban.Plugins.Pruner, max_age: 7 * 24 * 60 * 60}],
- queues: [default: 10, email: 10, feed_segments: 10]
+ queues: [default: 10, email: 10, feeds: 10]
 
 config :spark, :formatter,
  remove_parens?: true,

server/lib/orcasite/accounts/accounts.ex

@@ -1,8 +1,9 @@
 defmodule Orcasite.Accounts do
- use Ash.Api, extensions: [AshAdmin.Api, AshGraphql.Api]
+ use Ash.Domain, extensions: [AshAdmin.Domain, AshGraphql.Domain]
 
  resources do
- registry Orcasite.Accounts.Registry
+ resource Orcasite.Accounts.User
+ resource Orcasite.Accounts.Token
  end
 
  admin do

server/lib/orcasite/accounts/token.ex

@@ -1,11 +1,12 @@
 defmodule Orcasite.Accounts.Token do
  use Ash.Resource,
+ domain: Orcasite.Accounts,
  data_layer: AshPostgres.DataLayer,
  extensions: [AshAuthentication.TokenResource],
  authorizers: [Ash.Policy.Authorizer]
 
  token do
- api Orcasite.Accounts
+ domain Orcasite.Accounts
  end
 
  postgres do

server/lib/orcasite/accounts/user.ex

@@ -1,5 +1,6 @@
 defmodule Orcasite.Accounts.User do
  use Ash.Resource,
+ domain: Orcasite.Accounts,
  data_layer: AshPostgres.DataLayer,
  extensions: [AshAuthentication, AshAdmin.Resource, AshGraphql.Resource],
  authorizers: [Ash.Policy.Authorizer]
@@ -16,14 +17,15 @@ defmodule Orcasite.Accounts.User do
 
  attributes do
  uuid_primary_key :id
- attribute :email, :ci_string, allow_nil?: false
+ attribute :email, :ci_string, allow_nil?: false, public?: true
  attribute :hashed_password, :string, allow_nil?: false, sensitive?: true
- attribute :first_name, :string
- attribute :last_name, :string
- attribute :admin, :boolean, default: false, allow_nil?: false
- attribute :moderator, :boolean, default: false, allow_nil?: false
+ attribute :first_name, :string, public?: true
+ attribute :last_name, :string, public?: true
+ attribute :admin, :boolean, default: false, allow_nil?: false, public?: true
+ attribute :moderator, :boolean, default: false, allow_nil?: false, public?: true
 
  attribute :username, :string do
+ public? true
  allow_nil? true
  constraints allow_empty?: false, trim?: true
  end
@@ -33,7 +35,7 @@ defmodule Orcasite.Accounts.User do
  end
 
  authentication do
- api Orcasite.Accounts
+ domain Orcasite.Accounts
 
  strategies do
  password :password do
@@ -93,7 +95,7 @@ defmodule Orcasite.Accounts.User do
  end
 
  actions do
- defaults [:read, :create, :update, :destroy]
+ defaults [:read, :destroy, create: :*, update: :*]
 
  read :by_email do
  get_by :email
@@ -106,7 +108,7 @@ defmodule Orcasite.Accounts.User do
  end
 
  code_interface do
- define_for Orcasite.Accounts
+ domain Orcasite.Accounts
 
  define :register_with_password
  define :sign_in_with_password
@@ -133,7 +135,6 @@ defmodule Orcasite.Accounts.User do
 
  graphql do
  type :user
- hide_fields [:hashed_password]
 
  queries do
  read_one :current_user, :current_user

server/lib/orcasite/global_setup.ex

@@ -2,12 +2,12 @@ defmodule Orcasite.GlobalSetup do
  def populate_feed_streams do
  Orcasite.Radio.Feed
  |> Ash.Query.for_read(:read)
- |> Orcasite.Radio.read!()
+ |> Ash.read!()
  |> Stream.map(fn feed ->
  Orcasite.Radio.AwsClient.list_timestamps(feed, fn timestamps ->
  timestamps
  |> Enum.map(&%{feed: feed, playlist_timestamp: &1})
- |> Orcasite.Radio.bulk_create(Orcasite.Radio.FeedStream, :create)
+ |> Ash.bulk_create(Orcasite.Radio.FeedStream, :create)
  end)
  :ok
  end)

server/lib/orcasite/notifications.ex

@@ -1,8 +1,13 @@
 defmodule Orcasite.Notifications do
- use Ash.Api, extensions: [AshAdmin.Api, AshJsonApi.Api, AshGraphql.Api]
+ use Ash.Domain, extensions: [AshAdmin.Domain, AshJsonApi.Domain, AshGraphql.Domain]
 
  resources do
- registry Orcasite.Notifications.Registry
+ resource Orcasite.Notifications.Notification
+ resource Orcasite.Notifications.Subscriber
+ resource Orcasite.Notifications.Subscription
+ resource Orcasite.Notifications.NotificationInstance
+ resource Orcasite.Notifications.Token
+ resource Orcasite.Notifications.Job
  end
 
  admin do

server/lib/orcasite/notifications/changes/extract_notification_instance_meta.ex

@@ -1,7 +1,6 @@
 defmodule Orcasite.Notifications.Changes.ExtractNotificationInstanceMeta do
  use Ash.Resource.Change
 
- alias Orcasite.Notifications
  alias Orcasite.Notifications.{Notification, Subscription}
 
  def change(
@@ -19,9 +18,9 @@ defmodule Orcasite.Notifications.Changes.ExtractNotificationInstanceMeta do
  # body based on event type
 
  with {:get_sub, {:ok, subscription}} <-
- {:get_sub, Notifications.get(Subscription, changeset.arguments.subscription)},
+ {:get_sub, Ash.get(Subscription, changeset.arguments.subscription)},
  {:get_notif, {:ok, notification}} <-
- {:get_notif, Notifications.get(Notification, changeset.arguments.notification)} do
+ {:get_notif, Ash.get(Notification, changeset.arguments.notification, authorize?: false)} do
  changeset
  |> Ash.Changeset.change_attribute(:meta, %{
  email: Map.get(subscription.meta, "email"),

server/lib/orcasite/notifications/event.ex

@@ -1,8 +1,4 @@
 defmodule Orcasite.Notifications.Event do
- def types do
- [:confirmed_candidate, :new_detection]
- end
-
  def humanize(event_type, plural \\ false)
  def humanize(:confirmed_candidate, false), do: "confirmed candidate"
  def humanize(:confirmed_candidate, true), do: "confirmed candidates"

server/lib/orcasite/notifications/manual_read_notifications_since.ex

@@ -1,7 +1,6 @@
 defmodule Orcasite.Notifications.ManualReadNotificationsSince do
  use Ash.Resource.ManualRead
 
- alias Orcasite.Notifications
  alias Orcasite.Notifications.Notification
 
  require Ash.Query
@@ -14,13 +13,13 @@ defmodule Orcasite.Notifications.ManualReadNotificationsSince do
 
  notification =
  Notification
- |> Notifications.get!(notification_id)
+ |> Ash.get!(notification_id, authorize?: false)
 
  Notification
  |> Ash.Query.filter(
  event_type == ^notification.event_type and
  inserted_at > ^notification.inserted_at
  )
- |> Notifications.read()
+ |> Ash.read(authorize?: false)
  end
 end