diff --git a/CHANGELOG.md b/CHANGELOG.md index c0d1f6b44a..b4dda47291 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -53,6 +53,7 @@ ## Improvements - Fetch child identifier in view record +- Home screen application’s name and icons are to be configured from country configuration package as manifest.json and app icon files are moved from core to country config (check `opencrvs-countryconfig/src/client-static` folder) ## Bug fixes @@ -60,6 +61,19 @@ ## 1.5.0 (TBD) +### New features + +- Certificate handlebar for registration fees `registrationFees` [#6817](https://github.com/opencrvs/opencrvs-core/issues/6817) +- Logged in user details handlebar `loggedInUser` [#6529](https://github.com/opencrvs/opencrvs-core/issues/6529) +- Supporting document fields can now be made required +- If there is only one option in the document uploader select, then it stays hidden and only the upload button is showed with the only option being selected by default + +* **ElasticSearch reindexing** + +Allows reindexing ElasticSearch via a new search-service endpoint `reindex`. We're replacing the original `ocrvs` index with timestamped ones. This is done automatically when upgrading and migrating, but this is an important architectural change that should be noted. More details in [#7033](https://github.com/opencrvs/opencrvs-core/pull/7033). + +- Introduce a new certificate handlebar "preview" which can be used to conditionally render some svg element when previewing the certificate e.g. background image similar to security paper + ## Breaking changes - #### Upgrade node version to 18 diff --git a/packages/client/Dockerfile b/packages/client/Dockerfile index b27a87cbaa..49ff21f2fd 100644 --- a/packages/client/Dockerfile +++ b/packages/client/Dockerfile @@ -19,7 +19,7 @@ RUN apt-get update && apt-get upgrade -y COPY --from=0 /app/packages/client/build/ /usr/share/nginx/html/ COPY infrastructure/nginx-deploy-config.sh / -COPY infrastructure/nginx-default.conf /etc/nginx/conf.d/default.conf +COPY packages/client/nginx.conf /etc/nginx/conf.d/default.conf RUN chmod +x /nginx-deploy-config.sh CMD ["bash", "-c", "'./nginx-deploy-config.sh'"] diff --git a/packages/client/nginx.conf b/packages/client/nginx.conf new file mode 100644 index 0000000000..7493faefd3 --- /dev/null +++ b/packages/client/nginx.conf @@ -0,0 +1,76 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at https://mozilla.org/MPL/2.0/. +# +# OpenCRVS is also distributed under the terms of the Civil Registration +# & Healthcare Disclaimer located at http://opencrvs.org/license. +# +# Copyright (C) The OpenCRVS Authors located at https://github.com/opencrvs/opencrvs-core/blob/master/AUTHORS. + + +# config to don't allow the browser to render the page inside an frame or iframe +# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking +# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri +# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options +add_header X-Frame-Options SAMEORIGIN; + +# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header, +# to disable content-type sniffing on some browsers. +# https://www.owasp.org/index.php/List_of_useful_HTTP_headers +# currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx +# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx +# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020 +add_header X-Content-Type-Options nosniff; + +# The 'HTTP Strict Transport Security' (Strict-Transport-Security) HTTP header +# is used to control if the browser is allowed to only access a site over a +# secure connection and how long to remember the server response for thus forcing +# continued usage.Secure configuration: Return the 'Strict-Transport-Security' header +# with an appropriate timeout over a secure connection. +add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;"; + +# A cross-domain policy file is an XML document that grants a web client, +# such as Adobe Flash Player or Adobe Acrobat (though not necessarily limited to these), +# permission to handle data across domains. When clients request content hosted on +# a particular source domain and that content make requests directed towards a domain +# other than its own, the remote domain needs to host a cross-domain policy file +# that grants access to the source domain, allowing the client to continue the transaction. +add_header X-Permitted-Cross-Domain-Policies master-only; + +# with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy), +# you can tell the browser that it can only download content from the domains you explicitly allow +# http://www.html5rocks.com/en/tutorials/security/content-security-policy/ +# https://www.owasp.org/index.php/Content_Security_Policy +# I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval' +# directives for css and js(if you have inline css or js, you will need to keep it too). +# more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful +add_header Content-Security-Policy "default-src 'self' {{CONTENT_SECURITY_POLICY_WILDCARD}} *.sentry.io/ sentry.io/; font-src fonts.gstatic.com {{CONTENT_SECURITY_POLICY_WILDCARD}}; object-src 'none'; script-src 'self' 'unsafe-eval' blob: https: http: storage.googleapis.com/workbox-cdn/ sentry.io/api/embed/error-page/; style-src 'self' fonts.googleapis.com 'unsafe-inline'; img-src 'self' data: http: https: "; + +server { + listen 80; + server_name localhost; + server_tokens off; + + # country-config related proxy since client's manifest.json is served from country-config + location /manifest.json { + proxy_pass http://countryconfig:3040/static/manifest.json; + } + + # country-config related proxy since client's icon files are served from country-config + location /images/ { + proxy_pass http://countryconfig:3040/static/images/; + } + + location / { + root /usr/share/nginx/html; + # allows fallback to /index.html so SPAs work + try_files $uri $uri/ /index.html; + } + + # redirect server error pages to the static page /50x.html + # + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } +} diff --git a/packages/client/vite.config.ts b/packages/client/vite.config.ts index 1a4a7accc2..bfde73b40e 100644 --- a/packages/client/vite.config.ts +++ b/packages/client/vite.config.ts @@ -103,6 +103,19 @@ export default defineConfig(({ mode }) => { coverage: { reporter: ['text', 'json', 'html'] } + }, + server: { + // to get the manifest.json and images from country-config during development time + proxy: { + '/manifest.json': { + target: 'http://localhost:3040/static/', + changeOrigin: true + }, + '/images/': { + target: 'http://localhost:3040/static/', + changeOrigin: true + } + } } } })