
Heroku - mLab MongoDB Add-on Discontinued #212

Closed
alejandrosaenz117 opened this issue Sep 9, 2020 · 5 comments

Comments

@alejandrosaenz117

alejandrosaenz117 commented Sep 9, 2020

The mLab MongoDB Add-on will be shutting down on November 10th and may inadvertently affect the Deploy to Heroku functionality. The following documentation contains specific information.

https://docs.mlab.com/shutdown-of-heroku-add-on/

@ckarande
Member

@Whamo12 Thanks for the information. We should migrate to MongoDB Atlas as suggested here:
https://docs.mlab.com/how-to-migrate-sandbox-heroku-addons-to-atlas/

@rcowsill
Contributor

rcowsill commented Sep 10, 2020

Something to bear in mind is that the Atlas M0 tier doesn't support server-side JavaScript (from: Atlas M0 (Free Tier)... Limitations).

There's currently a $where query in allocations-dao.js, which is used to demonstrate NoSQL injection vulnerabilities:

$where: `this.userId == ${parsedUserId} && this.stocks > '${threshold}'`

EDIT: By the way, mongolab has already been removed from the addons list on the heroku dashboard. It can be added to apps using the CLI, but not the dashboard.

The NodeGoat deploy button still works, despite a spurious warning that mongolab wasn't found. Ignore the warning and mongolab gets provisioned correctly.

@rcowsill
Contributor

rcowsill commented Sep 20, 2020

I've made a task list for the work to resolve this issue. Feedback is welcome on whether this is the right approach, or if I missed anything important.

The work to fix the "Deploy to Heroku" button can be done by any contributor (done, see PR #215):

  • Remove mongolab:sandbox addon from app.json
  • Add a MONGODB_URI env variable to app.json (required, default "")
  • Remove reference to the current mLab database from config/env/all.js
  • Remove support for MONGOLAB_URI in config/env/all.js (only needed for the mongolab addon)
  • Upgrade mongodb driver to v3.x (required to connect to Atlas M0) (Tested, works with current version)
  • Update heroku deploy instructions in README.md to cover database setup
  • Update tutorial for A1 - Injection to say NoSQL injection is blocked on deployments using Atlas M0

These tasks can only be done by members of the core project team:

I'd be happy to make a PR for the first set of tasks (if no-one's already lined up to do it).

@rcowsill
Contributor

rcowsill commented Nov 8, 2020

Reminder: mongolab heroku addons are due to be deleted on Tuesday, November 10th. When that happens, any mLab databases still attached to a mongolab heroku addon will be deleted.

Hopefully the database for http://nodegoat.herokuapp.com/ has already been detached from its addon, otherwise the app will go down when the database gets deleted on Tuesday.

@ckarande
Member

@rcowsill Thank you for staying on top of this and the PR. @Whamo12, appreciate your reporting this issue.

Merged the PR. I wanted to provide a default Atlas DB URL for a quick start for those who don't have it or aren't willing to create an account on Atlas. Hence restored the all.js as before except with the Atlas DB URL. We can revise this logic if there are any suggestions.

Closing this issue.

AaronButler-Veracode pushed a commit to AaronButler-Veracode/nodegoat that referenced this issue Jun 7, 2022