Used cosmos as db

[lilyjma]

App is working but with following problems:

1. A logged in user can mark other user's tasks as complete or not and can delete other user's tasks
   (it can't add tasks on behalf of other users though)

(UPDATE 11/7: this might've been a problem that existed in the original forked repo)
2. Tasks have correct owners when a new user creates an account and log in, but wrong owners if an existing user logs in; however, refreshing the page corrects the problem. (Still trying to figure out what went wrong as the front end is getting the right data.)

(UPDATE 11/7: new bug introduced)
3. A user making a new account with an existing email should trigger an error message saying there's an existing user with that email--the error message is sent to the browser but not displayed for some reason.

After fixing these two issues, the next steps are:

1. Use Key Vault to manage the key to Cosmos and other creds. (UPDATE 11/7: DONE)
2. Use Identity as way to authorize log in
3. Host the app using Azure App Service

Please feel free to suggest other services to use, other ways to doing things, and best practices in general for app building.

[jongio]

Cosmos SQL is subject to SQL injection.

Read this: https://en.wikipedia.org/wiki/SQL_injection and this https://michaelhowardsecure.blog/2019/03/05/cosmosdb-and-sql-injection/
And then re-write these queries as parameterized queries: https://azuresdkdocs.blob.core.windows.net/$web/python/azure-cosmos/4.0.0b5/index.html?highlight=parameterized%20queries#query-the-database

[lilyjma]

Done.

[jongio]

Seems like this would be a different sample. So let's chat before you attempt to merge back into this repo. We'll likely create a new one.

[lilyjma]

Okay. I'll keep it as is for now and change after we chat.

[jongio]

I suggest using https://create-react-app.dev/ to help setup the app, wire up dependencies, and so on.

[lilyjma]

Hi Jon,

I'm not quite sure what you mean by this. My understanding is that since this is not purely a React app so I can't really just follow the code structure given on that site. From what I've read there, I haven't found any material on integrating React with a framework like Flask; I only came across something on integration with an API backend. Upon Googling 'flask react boilerplate', one of the Github repos that came up was the the one that joshgav used to base his Flask-React-Postgres app on.

Could you elaborate on what you mean here? I'm probably misunderstanding you or missing some pieces of info here.

Thanks!

-Lily

[jongio]

Create react app is kind of a standard these days for creating react apps, it handles a lot of the stuff that I'm seeing issues with above, like css/js dependency managements, etc. It sets you up with a good base to work from. You can put this on the backlog to do later if you'd like.

[jongio]

I'm not crazy about having the cosmos client as a global variable for the app. I would like all the "cosmos" stuff to be encapsulated so the app is only coupled to that encapsulation versus directly to cosmos.

[lilyjma]

Done, I think. Added a db.py in /utils and kept cosmos things there. Imported the db in models.py to use. I thought this way, if in the future, we want to use other db, we can keep all db things there and just import the appropriate dbs to use in models.py or other scripts.

[lilyjma]

More changes. Invited Maggie to be collaborator.

[maggiepint]

I would think Cosmos has a way to generate random identifiers for documents - what happens if you just don't assign an id? I would think it would auto generate one.

[jongio]

Also, randint doesn't guarantee unique across all items, so please switch over to using Guid for ids. If you don't provide an "id" field, then Cosmos should auto create an id field and insert a guid.

[lilyjma]

You have to add an id to each item you insert into the container according to the docs here.
https://github.com/Azure/azure-sdk-for-python/tree/master/sdk/cosmos/azure-cosmos#insert-data

I'll try to use Guid.

[jongio]

This references your fork directly. Make a relative path please.

[lilyjma]

I thought this should be in a repository of its own, because I created a repository called 'azurethings' to store small tutorials/things that I learned about Azure.

[jongio]

Anytime you use 'cosmos' it should be "Cosmos DB" to adhere to branding

[jongio]

I like to include the CLI commands along side the portal instructures or a section which is

Azure Portal

1. Portal steps here

Azure CLI

1. CLI steps here

[lilyjma]

The CLI commands are also executed on Portal though--in the Cloud Shell. You could also execute CLI commands on your local machine but that requires some extra configuration so I thought it'd be the easiest to just do it on Cloud Shell.

[jongio]

What do you mean use your web apps url? In the above or below? Please be explicit in everything you ask the user to do.

[jongio]

I don't think this path is right, but doesn't matter for now

[jongio]

Just @ email and @ password should be ok.

[jongio]

Also, randint doesn't guarantee unique across all items, so please switch over to using Guid for ids. If you don't provide an "id" field, then Cosmos should auto create an id field and insert a guid.

[jongio]

Let's do some research on how we want to handle error messages from the model. Typically the UI doesn't want to show the error details, but something to consider, versus just returning false.

[lilyjma]

Oh the UI wouldn't just show 'False.' It'll have an error message that's appropriate for the specific situation. Please take a look at the routes.py script.

[jongio]

Create react app is kind of a standard these days for creating react apps, it handles a lot of the stuff that I'm seeing issues with above, like css/js dependency managements, etc. It sets you up with a good base to work from. You can put this on the backlog to do later if you'd like.

[jongio]

We should be using OAuth to manage users and permissions. Having a method with email and password basically means that your app controls user access, permissions, etc and storing of credentials in the database. Typically you avoid with this access tokens and OAuth. It's a bigger more complicated implementation that you should learn, but we can discuss later.

[lilyjma]

Yes, I'd love to have a discussion on this. Right now, one problem I'm seeing is that when a user is logged in, he/she can edit other people's tasks, instead of just his/her own. So basically, a logged in user has access to the whole database, instead of just part of it that stores his/her own info. I don't know if this can be solved by OAuth, but the way this works now is not ideal.

Also, can we discuss the create-react-app too, like how to make it integrate with Flask? I didn't change the structure of the code at all. I think the original app is based on this boilerplate that combines Flask and React, which I guess is not ideally structured.