Differences between upstream (red) and UKHSA's fork (green) #1337
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
KLS Basic test form config
…lds (#384) - Fix timeout.html redirecting incorrectly to the /config route by using the injected referer instead. (See: https://github.com/ukhsa-collaboration/digital-form-builder/blob/801bc7de3d8f57d316bc46a67518ef07914f54c3/runner/src/server/plugins/router.ts#L263)) - Timeout now correctly redirects to the form's start page. - Add support for new serviceName form field. This may overlap with existing name field... May be removed based on feedback. Use new fullStartPage form field instead of the global serviceStartPage setting. (Overrides config at https://github.com/ukhsa-collaboration/digital-form-builder/blob/801bc7de3d8f57d316bc46a67518ef07914f54c3/runner/config/default.js#L59 )
* feat: Optional Security Headers added for webhook outputs - optional security header can be enabled by adding the following to your config: -"webhookHmacSharedKey": "SomeRandomHMACKey" (Replace "SomeRandomHMACKey" with your private HMAC secret key) - when ENABLED, the following headers will be included in the webhook request: x-hmac-time 1747750828 x-hmac-signature 7420964e60045e716a9b1d4fabcbc6a9cc913c7e63ac653b313d56a097a36d1a x-request-id 769164d0-5592-4a67-9932-038573732fdc (example values shown) -- NOTE: - THIS MUST USE **SHA-256** HASHING ALG - MESSAGE TO HASH is **x-hmac-time + x-request-id** (UTF-8 string, no seperators) - DIGEST OUTPUT is **HEX STRING** - x-hmac-time is **UNIX EPOCH TIME** - signature is computed using your shared **`webhookHmacSharedKey`** - You MUST validate that the timestamp is within an acceptable range (e.g. 5 minutes) *before* comparing the HMAC (do this on your backend) * Update statusService.ts remove redudant code. * Update types.ts made webhookHmacSharedKey optional
- Update server to dynamically inject analytics on a per-form basis,
replacing the previous global-only setting.
- Enables each form to have its own tracking analytics configuration.
- Note: This ignores the global server-wide config! Existing forms should
be updated to include analytics in their form definitions.
Format example:
analytics: {
gtmId1: string;
gtmId2: string;
matomoId: string;
matomoUrl: string;
}
This object is *optional*.
All items in this object are also *optional*.
* feat(magic-link): Implement domain whitelist for email validation Adds configuration options to the magic-link feature to restrict access based on email domain: - Introduces `allowedDomains` config: A list of allowed email domains - e.g: ["gmail.com", "example.com"] - Introduces `invalidDomainRedirect` config: A URL to redirect users with disallowed domains (i.e: Not in the allowedDomains list) * Modified functionality + added tests - Added whitespace trimming to email input - Added basic regex check for email format - Fixed bug allowing false-positives where partial domain matches allowed (notexample.com would incorrectly go through if example.com was in domain list) - Added tests
- Previously, all users were redirected to CareOBRA's form via a hardcoded config in MagicLinkRedirectController.ts - Updated the controller to allow each form to specify its own magicLinkConfig, enabling flexible redirects per form - Fallback remains for undefined, mainly for backwards compat purposes
- updated hmacurl construction to dynamically use the model's basepath instead of the hardcoded "magic-link" path. - enables different magic-link forms to send emails that link to their specific pages, improving flexibility and reusability.
- First version of the kls form complete.
- Update KLS config and fix empty <h2> causing accessibility issues - Updated KLS config (still work in progress) - Fixed bug where empty <h2 class="govuk-heading-m"></h2> tags were rendered causing accessibility problems
Updated KLS config and fix accessibility issues
- Reduced bugs in KLS Config - Magic links are now slightly more generalised per magic-config
Updated KLS-Config-v2 and generalised paths for expired magic links
Webhook change
- Minor bug fixes
- headers added to payload (see Commit d242c8c) - added schemas for HMAC keys for this specific features (diff teams can use different keys for signature generation) - Modified Upload service to take in more useful file types
- This allows fileupload feature to send data to KLS API - At this time, no other team is using this feature, so we will claim it - This is temporary and will be removed (hence seperate commit to track the change) - KLS promise to remove this or will implement a config based version at a later date
- Fix auth bug issue requiring authentication on non-allowed domain info redirect - Modified to env based hmacKey on magic-link - Modified KLS notify to be env variables - Minor spelling/issues fixed - Pen testing emails deployed - other Misc bug fixes
- This feature allows you to remove the back button on a given page with the following: "disableBackLink": true - This was added since the magic link feature redirects back to a form but still shows a back button
Feat: Option to remove back button:
Bypasses basic safelink check by outlook
patch: capitalisation fix on summary page
…close-contact Accessibility fixes
feature: remove rows from summary page
Feedback button rename
* fix: use DISABLE_V8_COMPILE_CACHE=1 so the designer can build via docker (XGovFormBuilder#1363) * fix: MiniSummaryPageController change link issue (XGovFormBuilder#1360) --------- Co-authored-by: Jen Duong <hi@jen.digital> Co-authored-by: calum-ukhsa <calum.hemphill@ukhsa.gov.uk>
…ionals-change Fix for bug relating to changing 'myself' to 'someone else' or vice versa
Add GA to close contacts
…ondon-in-report-an-outbreak-frontend RITM0182454 Enable London in Report An Outbreak Frontend
Change some numbers and replace the 'webforms' default title
* fix: use DISABLE_V8_COMPILE_CACHE=1 so the designer can build via docker (XGovFormBuilder#1363) * fix: MiniSummaryPageController change link issue (XGovFormBuilder#1360) * chore(ci): use GITHUB_TOKEN instead of GHCR_PAT for checkout action (XGovFormBuilder#1347) * Summary card button accessibility and consistency issues * The button was technically a link, which meant how it looked and how screen readers treated it was inconsistent. I have changed it so that it's a button that does a GET request to the page when clicked. * The word 'remove' has been changed to 'delete'. * The button text will now just say 'Add...' if there's only one entry, which is consistent with the functionality where you can't delete entries if only one is present. * Set base tag to Alpine and add symlink to fix SSL issue (XGovFormBuilder#1366) * feature: custom ConfirmationSessionTimeout per form setup (XGovFormBuilder#1359) --------- Co-authored-by: Jen Duong <hi@jen.digital> Co-authored-by: calum-ukhsa <calum.hemphill@ukhsa.gov.uk> Co-authored-by: Trevor Rea <trevorrea@users.noreply.github.com> Co-authored-by: SullyK <68860309+SullyK@users.noreply.github.com>
Co-authored-by: SullyK <68860309+SullyK@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
11 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Differences between upstream (red) and UKHSA's fork (green)