Workspaces #199

Open
KSJaay wants to merge 24 commits into main from workspaces

@KSJaay KSJaay commented Jan 19, 2026

⚠️ BREAKING CHANGES

IF YOU ARE USING THE API ONLY YOU WILL NEED TO MAKE CHANGES. API endpoints will now require workspaceId when updating any monitors, incidents, notifications, etc... For more information check out the documentation, and keep reading to find out why we're making this change.

📚Summary

Organisation and restricting access to certain projects has always been something I wanted to do. I thought about doing this system about two years ago but always prioritised some other features. But this time, I've spent the last 4-5 months reworking most of the logic behind the whole application to support workspaces.

✨New Features

  • Workspaces
    • Workspaces allow users to create a space that separates their monitors/notifications/status pages/incidents etc, and restrict access further so only specific users can access a workspace
    • Created new pages to select, join, and create workspaces
    • Users can be added to workspaces using an invite code
    • Added the following new endpoints for workspaces, for more information please read the documentation
      • /api/workspace/create - Create a new workspace
      • /api/workspace/members/@me - Fetches workspace information about the current user
      • /api/workspace/members - List of all the workspace members
      • /api/workspace/monitors - List of monitors within the workspace
      • /api/workspace/notifications - List of notifications within the workspace
      • /api/workspace/incidents - List of incidents within the workspace
      • /api/workspace/status-pages - List of status pages within the workspace
      • /api/workspace/api-tokens - List of API tokens within the workspace
  • Members
    • Each workspace will now have members, and only workspace members will be able to access that workspace
    • All users can create new workspaces and invite other users to that workspace
    • Members have their own permissions separate from their user permissions. Permission bit flags for members can be found below

CHANGE BEFORE RELEASE

  • Added a lot of new endpoints, more information available in the documentation
    • /api/user/workspaces - Fetches all workspaces the user is a member of
    • Add details about new connection endpoints
    • Add details about new invite endpoints for workspaces
    • Add details about new endpoints for admin panel
  • Changed how users users within the application
    • Users are now more of admins of the application instead of a user, they'll be able to manage the application settings, workspaces, team members, invites, and various other things.
      • Introduced a new UI to allow admin users to manage everything
    • User permissions have been converted from the old bit flag system to the new one
      • If a user doesn't meet specific requirements their permissions will be set to 0, which means they can no longer manage anything and only work within a workspace
    • User permission bit flags can be found below
  • Importing/exporting data
    • Uptime Kuma
      • Users can import using JSON or SQLite
        • This uses sql.js which is a WASM based library to read and process the data, this means the file is temporarily stored in browser RAM. So you may have issues with large files being loaded properly.
        • Going to create a server side script in the future to allow users to load using a script instead
    • Custom JSON importing
      • Up to date validation for importing is available in the documentation. Importing currently only supports the following:
        • Monitors
        • Notifications
        • Heartbeats
  • Added support for DNS records monitoring
  • Add support for monitoring using GameDig for servers
    • Added a component that allows users to search through all the supported games
  • Migration scripts will now automatically apply instead of having users manually run them
    • Users can still override this through the config, but going forward it will automatically be set to automatic when setting up the application

🛠Updates

  • Docker monitoring now supports custom socket path
    • Default path is /var/run/docker.sock
    • This is currently experimental and there will be updates to this feature to make your life a little bit easier when using a custom socket path
  • Overhaul of how endpoints are defined and created
    • You can create a new endpoint using npm run create:route and this will add information about the endpoint in all required locations
    • New createRoute function creates documentation in the OpenAPI format, this makes it so that documentation is now always up to date with the application
      • Going to keep adding information and validators to the endpoints to improve OpenAPI documentation
  • Moving various sections of validation scripts to Zod
    • Zod validations are automatically converted into the OpenAPI format, making documentation more accurate and reliable
    • Also updated some validation checks to be more thorough, along with also relaxing some other validations
  • Created a centralised system for error messages
    • Errors across the API/codebase are now more consistent and have unique codes
    • All errors will be added to documentation soon, this will hopefully make debugging issues easier for users
    • I've centralised errors so we can add translations for all errors in the future
  • Removes the following endpoints:
    • /api/incident/all - This has been replaced with /api/workspace/incidents
    • /api/notification - This has been replaced with /api/workspace/notifications
    • /api/status-pages - This has been replaced with /api/workspace/status-pages
    • /api/tokens - This has been replaced with /api/workspace/tokens
    • /api/user/monitors - This has been replaced with /api/workspace/monitors
  • Slowly but surely migrating from JavaScript to TypeScript
    • I want to keep the TypeScript as simple as possible so it's still maintainable and I don't start hating the project...
  • Refactored how state management works
    • Broke the global store down into individual stores to make management a bit easier and clean up the codebase
  • Rewrote the handlers for notifications to help with TypeScript
  • A lot of UI improvements:
    • New reusable menu component which makes mobile navigation through settings a lot easier
    • New components for when fetching from API, more of a skeleton rather than just a logo spinning
    • Settings menu has been moved to the new menu component
    • Compressed various images to load faster
    • Made navigation across mobile devices a bit easier
      • Going to be expanding on mobile UI a lot more soon

🐛Bug Fixes

  • Users were able to use expired invites
  • Cookies now match the expiry date of session tokens
  • Validation wasn't working as expected when users were attempting to login
  • Made validation a bit more strict across some endpoints
    • Going to become a lot more strict based on what rules users will have enabled in the future
  • Fixed bugs with OAuth callback functions not working as expected
  • Issues with status page not rendering all monitors that were expected to render

🚀 Performance Improvements

  • Reworked how requests on initial load were being made to speed up page load
    • Going more in depth in future updates to add pagination to improve page loading speeds
    • Going to separate loading depending on pages, this will temporarily remove quick view in the future, but I plan on bringing it back at some point.
  • Started breaking down the monolithic cache system to make it a bit more readable
  • Moved from single store to global store to reduce unnecessary re-renders
  • Compressed images to be much more efficient (reduced by ~95%)
  • Docker compose has been optimised to be 18% smaller in size
  • Removed old code that was no longer used

🔒Security Fixes

  • Users were able to use session_token as authorization header
    • This didn't introduce any vulnerabilities but shouldn't have been possible in the first place
  • Added validation for state parameter for OAuth providers
  • Sessions are now fully invalidated when users logout
    • They were only deleted from user cookies before, now they are also deleted from the database
  • All /api/auth endpoints now have heavy rate limiting to stop brute force
    • 15 requests per 15 minutes
    • /api/auth/setup/exists is the only endpoint not being rate limited
  • Requests now have CSRF protection
    • Cookie named csrf_token is now set on GET, HEAD, and OPTIONS requests
    • All other request methods now require x-csrf-token to match csrf_token value
  • Implemented Helmet to add some extra security checks
    • Will most likely expand on these in the future
  • Started using DOMPurify when rendering HTML on status pages to prevent XSS attacks
  • Removed unnecessary use of dangerouslySetInnerHTML to prevent XSS
  • Session tokens are now rotated during the session lifetime
    • Session tokens are now stored as JWTs as a bit of extra security
    • Going to be expanding further on this to add more security around session token storage
  • npm run reset:password script now generates a more secure password
  • Update npm packages to fix security bugs

Permission bit flags

Member:

const MemberPermissionBits = {
  ADMINISTRATOR: 1 << 0,
  VIEW_MONITORS: 1 << 1,
  MANAGE_MONITORS: 1 << 2,
  VIEW_NOTIFICATIONS: 1 << 3,
  MANAGE_NOTIFICATIONS: 1 << 4,
  VIEW_STATUS_PAGES: 1 << 5,
  MANAGE_STATUS_PAGES: 1 << 6,
  VIEW_INCIDENTS: 1 << 7,
  MANAGE_INCIDENTS: 1 << 8,
  MANAGE_TEAM: 1 << 9,
  CREATE_INVITE: 1 << 10,
};

User:

const UserPermissionBits = {
  ADMINISTRATOR: 1 << 0,
  MANAGE_TEAM: 1 << 1,
  MANAGE_WORKSPACES: 1 << 2,
  MANAGE_INVITES: 1 << 3,
};

@KSJaay KSJaay added the DO-NOT-MERGE IF THIS PR GETS MERGED I WILL DELETE THE WHOLE PROJECT label Jan 19, 2026