adds feature flag to protect dev api endpoints (#268)

Author: remy-mazerolle-esdc

frontend/app/.server/environment/dev-endpoints.ts

@@ -0,0 +1,13 @@
+import * as v from 'valibot';
+
+import { stringToBooleanSchema } from '../validation/string-to-boolean-schema';
+
+export type DevEndpoints = Readonly<v.InferOutput<typeof devEndpoints>>;
+
+export const defaults = {
+  DEV_ENDPOINTS_ENABLED: 'false',
+} as const;
+
+export const devEndpoints = v.object({
+  DEV_ENDPOINTS_ENABLED: v.optional(stringToBooleanSchema(), defaults.DEV_ENDPOINTS_ENABLED),
+});

frontend/app/.server/environment/server.ts

@@ -1,6 +1,7 @@
 import * as v from 'valibot';
 
 import { client, defaults as clientDefaults } from '~/.server/environment/client';
+import { devEndpoints, defaults as devEndpointsDefaults } from '~/.server/environment/dev-endpoints';
 import { logging, defaults as loggingDefaults } from '~/.server/environment/logging';
 import { redis, defaults as redisDefaults } from '~/.server/environment/redis';
 import { session, defaults as sessionDefaults } from '~/.server/environment/session';
@@ -15,6 +16,7 @@ export const defaults = {
   NODE_ENV: 'development',
   PORT: '3000',
   ...clientDefaults,
+  ...devEndpointsDefaults,
   ...loggingDefaults,
   ...redisDefaults,
   ...sessionDefaults,
@@ -28,6 +30,7 @@ export const defaults = {
 export const server = v.pipe(
   v.object({
     ...client.entries,
+    ...devEndpoints.entries,
     ...logging.entries,
     ...redis.entries,
     ...session.entries,

frontend/app/routes/dev/debug-session.tsx

@@ -1,8 +1,10 @@
 import type { Route } from './+types/debug-session';
 
+import { serverEnvironment } from '~/.server/environment';
+
 export function loader({ context }: Route.LoaderArgs) {
-  /*if (process.env.NODE_ENV !== 'test' && process.env.NODE_ENV !== 'dev') {
+  if (!serverEnvironment.DEV_ENDPOINTS_ENABLED) {
     throw new Response('Forbidden', { status: 403 });
-  }*/
+  }
   return Response.json(context.session);
 }

frontend/app/routes/dev/error.tsx

@@ -1,12 +1,19 @@
+import type { Route } from './+types/error';
+
+import { serverEnvironment } from '~/.server/environment';
 import { AppError } from '~/errors/app-error';
 import { ErrorCodes } from '~/errors/error-codes';
 
+export function loader({ context }: Route.LoaderArgs) {
+  if (!serverEnvironment.DEV_ENDPOINTS_ENABLED) {
+    throw new Response('Forbidden', { status: 403 });
+  }
+  return;
+}
+
 /**
  * An error route that can be used to test error boundaries.
  */
 export default function Error() {
-  /*if (process.env.NODE_ENV !== 'test' && process.env.NODE_ENV !== 'dev') {
-    throw new Response('Forbidden', { status: 403 });
-  }*/
   throw new AppError('This is a test error', ErrorCodes.TEST_ERROR_CODE);
 }

frontend/app/routes/dev/stage-session.tsx

@@ -1,10 +1,11 @@
 import type { Route } from './+types/stage-session';
 
+import { serverEnvironment } from '~/.server/environment';
+
 export async function action({ context, request }: Route.ActionArgs) {
-  /*console.log(process.env.NODE_ENV);
-  if (process.env.NODE_ENV !== 'test' && process.env.NODE_ENV !== 'dev') {
+  if (!serverEnvironment.DEV_ENDPOINTS_ENABLED) {
     throw new Response('Forbidden', { status: 403 });
-  }*/
+  }
 
   const json = await request.json();
 

frontend/e2e/__supports/session-supports.ts

@@ -1,5 +1,5 @@
 import type { Page } from '@playwright/test';
 
 export async function seedSessionData(page: Page, data: object) {
-  await page.request.post('/stage-session', { data: data });
+  return await page.request.post('/stage-session', { data: data });
 }

frontend/e2e/estimator/results.spec.ts

@@ -26,22 +26,27 @@ const stagedSession = {
 };
 
 test('Navigating to /en/results renders the english results page', async ({ page }) => {
-  await seedSessionData(page, stagedSession);
+  const resp = await seedSessionData(page, stagedSession);
+  expect(resp.status()).toBe(200);
 
   await page.goto('/en/results');
 
   expect(await formatHtml(await page.locator('main').innerHTML())).toMatchSnapshot();
 });
 
 test('Navigating to /fr/resultats renders the french results page', async ({ page }) => {
-  await seedSessionData(page, stagedSession);
+  const resp = await seedSessionData(page, stagedSession);
+  expect(resp.status()).toBe(200);
+
   await page.goto('/fr/resultats');
 
   expect(await formatHtml(await page.locator('main').innerHTML())).toMatchSnapshot();
 });
 
 test('/en/results passes a11y checks', async ({ page }) => {
-  await seedSessionData(page, stagedSession);
+  const resp = await seedSessionData(page, stagedSession);
+  expect(resp.status()).toBe(200);
+
   await page.goto('/en/results');
   await page.locator('main').waitFor();
 
@@ -51,7 +56,9 @@ test('/en/results passes a11y checks', async ({ page }) => {
 });
 
 test('/fr/resultats passes a11y checks', async ({ page }) => {
-  await seedSessionData(page, stagedSession);
+  const resp = await seedSessionData(page, stagedSession);
+  expect(resp.status()).toBe(200);
+
   await page.goto('/fr/resultats');
   await page.locator('main').waitFor();
 

frontend/e2e/estimator/step-income.spec.ts

@@ -11,7 +11,8 @@ const stagedSession = {
 };
 
 test('Navigating to /en/income renders the english income page', async ({ page }) => {
-  await seedSessionData(page, stagedSession);
+  const resp = await seedSessionData(page, stagedSession);
+  expect(resp.status()).toBe(200);
 
   await page.goto('/en/income');
   expect(page.url()).toContain('/en/income');
@@ -20,14 +21,18 @@ test('Navigating to /en/income renders the english income page', async ({ page }
 });
 
 test('Navigating to /fr/revenus renders the french income page', async ({ page }) => {
-  await seedSessionData(page, stagedSession);
+  const resp = await seedSessionData(page, stagedSession);
+  expect(resp.status()).toBe(200);
+
   await page.goto('/fr/revenus');
   expect(page.url()).toContain('/fr/revenus');
   expect(await formatHtml(await page.locator('main').innerHTML())).toMatchSnapshot();
 });
 
 test('/en/income passes a11y checks', async ({ page }) => {
-  await seedSessionData(page, stagedSession);
+  const resp = await seedSessionData(page, stagedSession);
+  expect(resp.status()).toBe(200);
+
   await page.goto('/en/income');
   expect(page.url()).toContain('/en/income');
   await page.locator('main').waitFor();
@@ -38,7 +43,9 @@ test('/en/income passes a11y checks', async ({ page }) => {
 });
 
 test('/fr/revenus passes a11y checks', async ({ page }) => {
-  await seedSessionData(page, stagedSession);
+  const resp = await seedSessionData(page, stagedSession);
+  expect(resp.status()).toBe(200);
+
   await page.goto('/fr/revenus');
   expect(page.url()).toContain('/fr/revenus');
   await page.locator('main').waitFor();

frontend/package.json

@@ -8,12 +8,12 @@
     "build": "npm run build:application && npm run build:server",
     "build:application": "react-router build",
     "build:server": "vite build --config ./vite.server.config.ts",
-    "dev": "nodemon --config nodemon.json",
+    "dev": "cross-env DEV_ENDPOINTS_ENABLED=true nodemon --config nodemon.json",
     "preview": "npm run build && cross-env NODE_ENV=production SESSION_COOKIE_SECURE=false node --env-file-if-exists=.env --import ./build/server/telemetry.js ./build/server/server.js",
     "start": "cross-env NODE_ENV=production node --import ./build/server/telemetry.js ./build/server/server.js",
     "checks": "node --experimental-strip-types ./scripts/checks-runner.ts",
-    "test": "vitest",
-    "test:e2e": "playwright test",
+    "test": "cross-env DEV_ENDPOINTS_ENABLED=true vitest ",
+    "test:e2e": "cross-env DEV_ENDPOINTS_ENABLED=true playwright test",
     "format:check": "prettier --cache --check .",
     "format:write": "prettier --write .",
     "lint:check": "eslint --cache ./",

gitops/overlays/dev/configs/cdb-estimator-frontend/config.conf

@@ -134,4 +134,6 @@ OTEL_TRACES_ENDPOINT=https://dynatrace.dev-dp.admin.dts-stn.com/e/21a07aef-852b-
 OTEL_USE_CONSOLE_METRIC_EXPORTER=
 
 # Enable the console trace exporter (default: false).
-OTEL_USE_CONSOLE_TRACE_EXPORTER=
+OTEL_USE_CONSOLE_TRACE_EXPORTER=
+
+DEV_ENDPOINTS_ENABLED=true