Upgrade bcrypt to use node v16 (#666)

* Upgrade bcrypt to use node v16

* Update Dockerfile and versions

* Update test Dockerfile to match production image

* Install git because it is used by scripts

* Copy version file

* Update user permissions

* Create image folder

* Remove unused files and folders

* Update test Dockerfile

* Update restify to v7.7.0

* Update nodejs base image to latest v16

Author: mpfeil

.dockerignore

@@ -13,7 +13,7 @@ version.js
 *.md
 *-dev.sh
 *.log
-.github
 tests
 apidoc
 apidoc.json
+images

Dockerfile

@@ -1,33 +1,44 @@
-FROM node:14.18-alpine as build
+# Image selected based on https://snyk.io/blog/choosing-the-best-node-js-docker-image/
+# Used best practices from https://snyk.io/blog/10-best-practices-to-containerize-nodejs-web-applications-with-docker/
 
-ENV NODE_ENV=production
+# --------------> The build image
+FROM node:16.19.0-bullseye-slim as build
 
-RUN apk --no-cache --virtual .build add build-base python2 git
+RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends git dumb-init
 
-# taken from node:6-onbuild
-#RUN mkdir -p /usr/src/app
 WORKDIR /usr/src/app
 
-# copy in main package.json and yarn.lock
+# Copy in main package.json and yarn.lock
 COPY package.json /usr/src/app/
 COPY yarn.lock /usr/src/app/
-# copy in workspace package.json files
+
+# Copy in workspace package.json files
 COPY packages/api/package.json /usr/src/app/packages/api/
 COPY packages/models/package.json /usr/src/app/packages/models/
 
 RUN yarn install --pure-lockfile --production
 
 COPY . /usr/src/app
 
-RUN yarn create-version-file \
-  && rm -rf .git .scripts
+RUN yarn create-version-file
 
-# Final stage
-FROM node:14.18-alpine
+# --------------> The production image
+FROM node:16.19.0-bullseye-slim
 
 ENV NODE_ENV=production
+COPY --from=build /usr/bin/dumb-init /usr/bin/dumb-init
+USER node
 
 WORKDIR /usr/src/app
-COPY --from=build /usr/src/app /usr/src/app
 
-CMD [ "yarn", "start" ]
+COPY --chown=node:node --from=build /usr/src/app/node_modules /usr/src/app/node_modules
+COPY --chown=node:node --from=build /usr/src/app/version.js /usr/src/app/version.js
+COPY --chown=node:node . /usr/src/app
+
+# Remove unused files and folders
+RUN rm -rf .git .scripts
+
+# Create and change ownership of folder to store uploaded images
+RUN mkdir -p /usr/src/app/dist/userimages && chown node:node /usr/src/app/dist/userimages
+
+CMD ["dumb-init", "node", "packages/api/app.js"]

packages/api/app.js

@@ -23,7 +23,9 @@ const log = bunyan.createLogger({ name: 'opensensemap-api', serializers: bunyan.
 
 const server = restify.createServer({
   name: `opensensemap-api (${getVersion})`,
-  log
+  log,
+  onceNext: true,
+  strictNext: false,
 });
 
 // We're using caddy as proxy. It supplies a 'X-Forwarded-Proto' header

packages/api/lib/routes.js

@@ -116,7 +116,6 @@ const routes = {
     { path: `${managementPath}/boxes/:boxId`, method: 'get', handler: managementController.getBox, reference: 'api-Admin-getBox' },
     { path: `${managementPath}/boxes/:boxId`, method: 'put', handler: managementController.updateBox, reference: 'api-Admin-updateBox' },
     { path: `${managementPath}/boxes/delete`, method: 'post', handler: managementController.deleteBoxes, reference: 'api-Admin-deleteBoxes' },
-
     { path: `${managementPath}/users`, method: 'get', handler: managementController.listUsers, reference: 'api-Admin-listUsers' },
     { path: `${managementPath}/users/:userId`, method: 'get', handler: managementController.getUser, reference: 'api-Admin-getUser' },
     { path: `${managementPath}/users/:userId`, method: 'put', handler: managementController.updateUser, reference: 'api-Admin-updateUser' },
@@ -136,16 +135,21 @@ const initRoutes = function initRoutes (server) {
   }
 
   // Attach secured routes (needs authorization through jwt)
-  server.use(verifyJwt);
-
+  // The .use() method runs now for all routes
+  // https://github.com/restify/node-restify/issues/1685
   for (const route of routes.auth) {
-    server[route.method]({ path: route.path }, route.handler);
+    server[route.method]({ path: route.path }, [verifyJwt, route.handler]);
   }
 
-  server.use(checkPrivilege);
-
+  // Attach verifyJwt and checkPrivilage routes (needs authorization through jwt)
+  // The .use() method runs now for all routes
+  // https://github.com/restify/node-restify/issues/1685
   for (const route of routes.management) {
-    server[route.method]({ path: route.path }, route.handler);
+    server[route.method]({ path: route.path }, [
+      verifyJwt,
+      checkPrivilege,
+      route.handler,
+    ]);
   }
 };
 

packages/api/package.json

@@ -31,7 +31,7 @@
     "millify": "^5.0.1",
     "moment": "^2.29.4",
     "ms": "^2.1.3",
-    "restify": "^5.2.0",
+    "restify": "7.7.0",
     "restify-errors": "^8.0.2",
     "simple-statistics": "^7.7.0",
     "stringify-stream": "^1.0.5",

packages/models/package.json

@@ -9,7 +9,7 @@
     "@grpc/proto-loader": "^0.6.4",
     "@sensebox/osem-protos": "^1.1.0",
     "@sensebox/sketch-templater": "1.12.1",
-    "bcrypt": "^5.0.1",
+    "bcrypt": "^5.1.0",
     "bunyan": "^1.8.15",
     "config": "^3.3.6",
     "got": "^11.8.2",

tests/tests-Dockerfile

@@ -1,25 +1,21 @@
-FROM node:14.18-alpine
+FROM node:16.19.0-bullseye-slim
 
 # YARN_PRODUCTION=false is a workaround for https://github.com/yarnpkg/yarn/issues/4557
 ENV NODE_ENV=production \
   YARN_PRODUCTION=false
 
-# taken from node:6-onbuild
-RUN mkdir -p /usr/src/app
+RUN apt-get update \
+  && apt-get upgrade -y \
+  && apt-get install -y --no-install-recommends git dumb-init
+
 WORKDIR /usr/src/app
 
 # COPY in dev versions
 COPY . /usr/src/app
 
-RUN apk --no-cache --virtual .build add build-base python2 git \
-  && yarn install --pure-lockfile --production=false \
-  && apk del .build
-COPY . /usr/src/app
+RUN yarn install --pure-lockfile --production=false
 
-# for git 2.1.4
-RUN apk --no-cache --virtual .git add git \
-  && yarn create-version-file \
-  && rm -rf .git \
-  && apk del .git
+RUN yarn create-version-file \
+  && rm -rf .git
 
-CMD [ "yarn", "start" ]
+CMD ["dumb-init", "yarn", "start"]

tests/tests/004-users-test.js

@@ -129,6 +129,8 @@ describe('openSenseMap API Routes: /users', function () {
   });
 
   it('should deny to change email and password at the same time', function () {
+    this.timeout(120000);
+
     return chakram.put(`${BASE_URL}/users/me`, { email: '[email protected]', newPassword: '87654321' }, { headers: { 'Authorization': `Bearer ${jwt}` } })
       .then(function (response) {
         expect(response).to.have.status(400);