Merge branch 'main' into dependabot/bundler/sidekiq-8.0.1

Author: sampoder

app/controllers/application_controller.rb

@@ -29,6 +29,11 @@ class ApplicationController < ActionController::Base
     cookies.permanent[:first_visit] = 1
   end
 
+  before_action do
+    # Disallow indexing
+    response.set_header("X-Robots-Tag", "noindex")
+  end
+
   # Force usage of Pundit on actions
   after_action :verify_authorized, unless: -> { controller_path.starts_with?("doorkeeper/") || controller_path.starts_with?("audits1984/") }
 

app/controllers/donations_controller.rb

@@ -172,7 +172,7 @@ def refund
   end
 
   def export
-    authorize @event.donations.first
+    authorize @event.donations.build
 
     respond_to do |format|
       format.csv { stream_donations_csv }
@@ -181,7 +181,7 @@ def export
   end
 
   def export_donors
-    authorize @event.donations.first
+    authorize @event.donations.build
 
     respond_to do |format|
       format.csv { stream_donors_csv }

app/controllers/logins_controller.rb

@@ -10,6 +10,11 @@ class LoginsController < ApplicationController
 
   layout "login"
 
+  after_action only: [:new] do
+    # Allow indexing login page
+    response.delete_header("X-Robots-Tag")
+  end
+
   # view to log in
   def new
     render "users/logout" if current_user

app/controllers/static_pages_controller.rb

@@ -7,6 +7,11 @@ class StaticPagesController < ApplicationController
   skip_before_action :signed_in_user, only: [:branding, :roles]
   skip_before_action :redirect_to_onboarding, only: [:branding, :roles]
 
+  after_action only: [:index, :branding] do
+    # Allow indexing home and branding pages
+    response.delete_header("X-Robots-Tag")
+  end
+
   def index
     if signed_in?
       @service = StaticPageService::Index.new(current_user:)

app/lib/credentials.rb

@@ -8,9 +8,9 @@
 module Credentials
   NESTING_DELIMITER = "__"
 
-  def self.fetch(*key_segments)
+  def self.fetch(*key_segments, fallback: nil)
     key = key_segments.join(NESTING_DELIMITER).upcase
-    ENV[key] || Rails.application.credentials.dig(*key_segments)
+    ENV[key] || Rails.application.credentials.dig(*key_segments) || fallback
   end
 
   def self.load

app/models/canonical_event_mapping.rb

@@ -26,6 +26,8 @@
 #  fk_rails_...  (event_id => events.id)
 #
 class CanonicalEventMapping < ApplicationRecord
+  include HasBalanceMonitoring
+
   broadcasts_refreshes_to ->(mapping) { [mapping.event, :transactions] }
 
   belongs_to :canonical_transaction

app/models/canonical_pending_event_mapping.rb

@@ -23,6 +23,8 @@
 #  fk_rails_...  (event_id => events.id)
 #
 class CanonicalPendingEventMapping < ApplicationRecord
+  include HasBalanceMonitoring
+
   broadcasts_refreshes_to ->(mapping) { [mapping.event, :transactions] }
 
   belongs_to :canonical_pending_transaction

app/models/concerns/has_balance_monitoring.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module HasBalanceMonitoring
+  extend ActiveSupport::Concern
+
+  included do
+    after_save do
+      Airbrake.notify("#{event.name} has a negative balance: #{ApplicationController.helpers.render_money event.balance}") if event.balance.negative?
+    end
+  end
+end

app/services/partners/plaid/transactions/get.rb

@@ -55,7 +55,7 @@ def fetch_transactions(offset: 0)
 
             results
           rescue ::Plaid::ApiError => e
-            Rails.error.report(e, context: { message: "plaid_client.transactions.get failed for bank_account #{bank_account.id} with access token #{access_token}. #{error.message}" })
+            Rails.error.report(e, context: { message: "plaid_client.transactions.get failed for bank_account #{bank_account.id} with access token #{access_token}." })
 
             mark_plaid_item_failed!
 

app/services/twilio_verification_service.rb

@@ -9,7 +9,7 @@ class TwilioVerificationService
   )
 
   # This isn't private/sensitive so it's okay to keep here
-  VERIFY_SERVICE_ID = Rails.env.production? || ENV["USE_PROD_CREDENTIALS"]&.downcase == "true" ? "VAa06a66dad4c1ca3c199a46334ff11945" : "VAe30d49e92f634419aacdc8648948dc75"
+  VERIFY_SERVICE_ID = Credentials.fetch(:TWILIO, :SMS_VERIFY, :SERVICE_ID, fallback: "VAe30d49e92f634419aacdc8648948dc75")
 
   def send_verification_request(phone_number)
     CLIENT.verify

app/views/users/logout.html.erb

@@ -1,8 +1,5 @@
 <% title "You’re currently signed in as #{current_user.name}" %>
 <% @home_size = 50 %>
-<div class="flex items-center justify-between">
-  <%= render partial: "application/logo" %>
-</div>
 
 <div class="flex flex-col flex-1 justify-center max-w-md w-full">
   <%= render "header", label: "Hack Club" do %>

config/application.rb

@@ -16,12 +16,6 @@ class Application < Rails::Application
 
     Credentials.load if ENV["DOPPLER_TOKEN"]
 
-    if ENV["USE_PROD_CREDENTIALS"]&.downcase == "true"
-      config.credentials.content_path = Rails.root.join("config/credentials/production.yml.enc")
-      config.credentials.key_path = Rails.root.join("config/credentials/production.key")
-      raise StandardError, "USE_PROD_CREDENTIALS is set to true but config/credentials/production.key is missing" unless File.file?(config.credentials.key_path)
-    end
-
     config.action_mailer.default_url_options = {
       host: Credentials.fetch(:LIVE_URL_HOST)
     }

config/credentials/production.yml.enc

@@ -5,6 +5,35 @@
 Rails.application.configure do
   # Settings specified here will take precedence over those in config/application.rb.
 
+  # We don't use Rails' default encrypted credentials in Production. However,
+  # Rails doesn't provide an explicit way to disable encrypted credentials.
+  # As a workaround, we set `content_path` and `key_path` to an invalid path.
+  #
+  # Without this workaround, Rails will fallback to `config/credentials.yml.enc`
+  # which is NOT used for production. It will then attempt to decrypt that file,
+  # resulting in `ActiveSupport::MessageEncryptor::InvalidMessage` on boot.
+  #
+  # `content_path` and `key_path` are used to create an
+  # `ActiveSupport::EncryptedConfiguration` object which is
+  # `Rails.application.credentials`. When `EncryptedConfiguration`
+  # (subclass of `EncryptedFile`) has either an invalid key or content path,
+  # Rails will internally just use an empty string as the decrypted contents of
+  # the file.
+  #
+  # REFERENCES
+  # * Where `Rails.application.credentials` is set:
+  #   https://github.com/rails/rails/blob/f575fca24a72cf0631c59ed797c575392fbbc527/railties/lib/rails/application.rb#L497-L499
+  # * `EncryptedFile#read` raises `MissingContentError`
+  #   when missing either a key or content_path.
+  #   https://github.com/rails/rails/blob/f575fca24a72cf0631c59ed797c575392fbbc527/activesupport/lib/active_support/encrypted_file.rb#L70-L76
+  # * `EncryptedConfiguration#read` (overrides `EncryptedFile#read`) rescues
+  #   `MissingContentError` and returns an empty string.
+  #   https://github.com/rails/rails/blob/f575fca24a72cf0631c59ed797c575392fbbc527/activesupport/lib/active_support/encrypted_configuration.rb#L64-L66
+  #
+  # ~ @garyhtou
+  config.credentials.content_path = "noop"
+  config.credentials.key_path = "noop"
+
   # Prepare the ingress controller used to receive mail
   config.action_mailbox.ingress = :sendgrid
 

config/environments/production.rb

@@ -143,7 +143,7 @@ documents.
 
 We've transitioned to using development keys and seed data in development, but historically have used production keys and data on dev machines. It is recommended to not roll back to using production data & keys in development, but if absolutely necessary the following steps can be taken:
 
-- Set environment variable `USE_PROD_CREDENTIALS=true` in your docker container (usually via `.env.development`). N.B. this does not set [`RAILS_ENV=production`](https://guides.rubyonrails.org/configuring.html#rails-environment-settings), which you should **never** do on a development machine.
+- Set environment variables `DOPPLER_TOKEN=<a doppler token with production access>`, `DOPPER_PROJECT=hcb`, `DOPPLER_CONFIG=production` in your docker container (usually via `.env.development`). N.B. this does not set [`RAILS_ENV=production`](https://guides.rubyonrails.org/configuring.html#rails-environment-settings), which you should **never** do on a development machine.
 - Put the production key in `config/credentials/production.key`. If you have heroku access you can get this from the `RAILS_MASTER_KEY` environment variable. If not then ask a team member (ping `@creds` in Slack). [DO NOT CHECK THIS INTO GIT](https://github.com/hackclub/hcb/blob/99fab73deb27a09a9424847e02080cb3ea5d09cf/.gitignore#L29)
     - If you need to edit [`config/credentials/production.yml.enc`](./config/credentials/production.yml.enc), you can now run `bin/rails credentials:edit --environment=production`.
 - Run the [docker_setup.sh](https://github.com/hackclub/hcb/docker_setup.sh) script to set up a local environment with Docker using a dump of the production database.

dev-docs/development.md

@@ -3,16 +3,6 @@
 # installs all the dependencies for using HCB with Docker
 # reach out to Max Wofford ([email protected]) if you have any questions or issues
 
-echo "
-$(tput setaf 9)HCB:$(tput sgr0) Step 0/7: Checking for config/credentials/production.key"
-
-if [ ! -e ./config/credentials/production.key ]; then
-    echo "No config/credentials/production.key found; please get one from a HCB dev team member."
-    exit 0
-fi
-
-echo "$(tput setaf 9)HCB:$(tput sgr0) $(tput setaf 10)Done$(tput sgr0)"
-
 echo "
 $(tput setaf 9)HCB:$(tput sgr0) Step 1/7: Install Heroku (Quiet)"
 if ! command -v heroku &> /dev/null

docker_setup.sh

@@ -1,8 +1,9 @@
-User-agent: Twitterbot
-Disallow:
+# To disallow indexing of pages, use the `noindex` <meta/> tag or the
+# `X-Robots-Tag` header. Disallowing in Robots.txt does not guarantee no
+# indexing and may actually prevent the crawler from seeing the `noindex` meta
+# tag/header.
+#
+# https://support.google.com/webmasters/answer/7440203#indexed_though_blocked_by_robots_txt
 
 User-agent: *
-Disallow: /
-Allow: /$
-Allow: /users/auth
-Allow: /branding
+Allow: /