Merge branch 'master' into dependabot/hex/ex_aws_s3-2.5.2

Author: RichDom2185

.github/workflows/cd.yml

@@ -21,12 +21,12 @@ on:
 jobs:
   ci:
     name: Build release
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     env:
       MIX_ENV: prod
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      ELIXIR_VERSION: 1.13.4
-      OTP_VERSION: 25.3.2
+      ELIXIR_VERSION: 1.18.3
+      OTP_VERSION: 27.3.3
     steps:
       - uses: rlespinasse/[email protected]
       - uses: actions/checkout@v4

.github/workflows/ci.yml

@@ -19,7 +19,7 @@ on:
 jobs:
   ci:
     name: Run CI
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     env:
       MIX_ENV: test
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

README.md

@@ -20,6 +20,16 @@ Cadet is the web application powering Source Academy.
 
 It is probably okay to use a different version of PostgreSQL or Erlang/OTP, but using a different version of Elixir may result in differences in e.g. `mix format`.
 
+> ## Setting up PostgreSQL
+>
+> The simplest way to get started is to use Docker. Simply [install Docker](https://docs.docker.com/get-docker/) and run the following command:
+> 
+> ```bash
+> $ docker run --name sa-backend-db -e POSTGRES_HOST_AUTH_METHOD=trust -e -p 5432:5432 -d postgres
+> ```
+>
+> This configures PostgreSQL on port 5432. You can then connect to the database using `localhost:5432` as the host and `postgres` as the username. Note: `-e POSTGRES_HOST_AUTH_METHOD=trust` is used to disable password authentication for local development; since we are only accesing the database locally from our own machine, it is safe to do so.
+
 ### Setting up your local development environment
 
 1. Set up the development secrets (replace the values appropriately)
@@ -29,8 +39,6 @@ It is probably okay to use a different version of PostgreSQL or Erlang/OTP, but
    $ vim config/dev.secrets.exs
    ```
 
-   - To use NUSNET authentication, specify the NUS ADFS OAuth2 URL. (Ask for it.) Note that the frontend will supply the ADFS client ID and redirect URL (so you will need that too, but not here).
-
 2. Install Elixir dependencies
 
    ```bash
@@ -49,19 +57,6 @@ It is probably okay to use a different version of PostgreSQL or Erlang/OTP, but
    $ mix ecto.setup
    ```
 
-   If you encounter error message about invalid password for the user "postgres".
-   You should reset the "postgres" password:
-
-   ```bash
-   $ sudo -u postgres psql -c "ALTER USER postgres PASSWORD 'postgres';"
-   ```
-
-   and restart postgres service:
-
-   ```bash
-   $ sudo service postgresql restart
-   ```
-
    By default, the database is populated with 10 students and 5 assessments. Each student will have a submission to the corresponding submission. This can be changed in `priv/repo/seeds.exs` with the variables `number_of_students`, `number_of_assessments` and `number_of_questions`. Save the changes and run:
 
    ```bash

config/config.exs

@@ -25,7 +25,9 @@ config :cadet, Cadet.Jobs.Scheduler,
     # Compute rolling leaderboard every 2 hours
     {"0 */2 * * *", {Cadet.Assessments, :update_rolling_contest_leaderboards, []}},
     # Collate contest entries that close in the previous day at 00:01
-    {"1 0 * * *", {Cadet.Assessments, :update_final_contest_entries, []}}
+    {"1 0 * * *", {Cadet.Assessments, :update_final_contest_entries, []}},
+    # Clean up expired exchange tokens at 00:01
+    {"1 0 * * *", {Cadet.TokenExchange, :delete_expired, []}}
   ]
 
 # Configures the endpoint

config/dev.secrets.exs.example

@@ -36,6 +36,8 @@ config :cadet,
     #    %{
     #      assertion_extractor: Cadet.Auth.Providers.NusstuAssertionExtractor,
     #      client_redirect_url: "http://cadet.frontend:8000/login/callback"
+    #      vscode_redirect_url_prefix: "vscode://source-academy.source-academy/sso",
+    #      client_post_exchange_redirect_url: "http://cadet.frontend:8000/login/vscode_callback",
     #    }},
 
     "test" =>

lib/cadet/code_exchange.ex

@@ -0,0 +1,60 @@
+defmodule Cadet.TokenExchange do
+  @moduledoc """
+  The TokenExchange entity stores short-lived codes to be exchanged for long-lived auth tokens.
+  """
+  use Cadet, :model
+
+  import Ecto.Query
+
+  alias Cadet.Repo
+  alias Cadet.Accounts.User
+
+  @primary_key {:code, :string, []}
+  schema "token_exchange" do
+    field(:generated_at, :utc_datetime_usec)
+    field(:expires_at, :utc_datetime_usec)
+
+    belongs_to(:user, User)
+
+    timestamps()
+  end
+
+  @required_fields ~w(code generated_at expires_at user_id)a
+
+  def get_by_code(code) do
+    case Repo.get_by(__MODULE__, code: code) do
+      nil ->
+        {:error, "Not found"}
+
+      struct ->
+        if Timex.before?(struct.expires_at, Timex.now()) do
+          {:error, "Expired"}
+        else
+          struct = Repo.preload(struct, :user)
+          Repo.delete(struct)
+          {:ok, struct}
+        end
+    end
+  end
+
+  def delete_expired do
+    now = Timex.now()
+
+    Repo.delete_all(from(c in __MODULE__, where: c.expires_at < ^now))
+  end
+
+  def changeset(struct, attrs) do
+    struct
+    |> cast(attrs, @required_fields)
+    |> validate_required(@required_fields)
+  end
+
+  def insert(attrs) do
+    changeset =
+      %__MODULE__{}
+      |> changeset(attrs)
+
+    changeset
+    |> Repo.insert()
+  end
+end

lib/cadet/courses/assessment_config.ex

@@ -18,6 +18,8 @@ defmodule Cadet.Courses.AssessmentConfig do
     field(:early_submission_xp, :integer, default: 0)
     field(:hours_before_early_xp_decay, :integer, default: 0)
     field(:is_grading_auto_published, :boolean, default: false)
+    # marks an assessment type as a minigame (with different submission and testcase behaviour)
+    field(:is_minigame, :boolean, default: false)
 
     belongs_to(:course, Course)
 
@@ -26,7 +28,7 @@ defmodule Cadet.Courses.AssessmentConfig do
 
   @required_fields ~w(course_id)a
   @optional_fields ~w(order type early_submission_xp
-    hours_before_early_xp_decay show_grading_summary is_manually_graded has_voting_features has_token_counter is_grading_auto_published)a
+    hours_before_early_xp_decay show_grading_summary is_manually_graded has_voting_features has_token_counter is_grading_auto_published is_minigame)a
 
   def changeset(assessment_config, params) do
     assessment_config

lib/cadet_web/admin_views/admin_courses_view.ex

@@ -10,6 +10,7 @@ defmodule CadetWeb.AdminCoursesView do
       assessmentConfigId: :id,
       type: :type,
       displayInDashboard: :show_grading_summary,
+      isMinigame: :is_minigame,
       isManuallyGraded: :is_manually_graded,
       earlySubmissionXp: :early_submission_xp,
       hasVotingFeatures: :has_voting_features,

lib/cadet_web/controllers/auth_controller.ex

@@ -5,9 +5,9 @@ defmodule CadetWeb.AuthController do
   use CadetWeb, :controller
   use PhoenixSwagger
 
-  alias Cadet.Accounts
-  alias Cadet.Accounts.User
+  alias Cadet.{Accounts, Accounts.User}
   alias Cadet.Auth.{Guardian, Provider}
+  alias Cadet.TokenExchange
 
   @doc """
   Receives a /login request with valid attributes.
@@ -85,9 +85,87 @@ defmodule CadetWeb.AuthController do
     send_resp(conn, :bad_request, "Missing parameter")
   end
 
-  @spec create_user_and_tokens(Provider.authorise_params()) ::
-          {:ok, %{access_token: String.t(), refresh_token: String.t()}} | Plug.Conn.t()
-  defp create_user_and_tokens(
+  @doc """
+  Exchanges a short-lived code for access and refresh tokens.
+  """
+  def exchange(
+        conn,
+        %{
+          "code" => code,
+          "provider" => provider
+        }
+      ) do
+    case TokenExchange.get_by_code(code) do
+      {:error, _message} ->
+        conn
+        |> put_status(:forbidden)
+        |> text("Invalid code")
+
+      {:ok, struct} ->
+        tokens = generate_tokens(struct.user)
+
+        {_provider, %{client_post_exchange_redirect_url: client_post_exchange_redirect_url}} =
+          Application.get_env(:cadet, :identity_providers, %{})[provider]
+
+        conn
+        |> put_resp_header(
+          "location",
+          URI.encode(
+            client_post_exchange_redirect_url <>
+              "?access_token=" <> tokens.access_token <> "&refresh_token=" <> tokens.refresh_token
+          )
+        )
+        |> send_resp(302, "")
+        |> halt()
+    end
+  end
+
+  @doc """
+  Alternate callback URL which redirect to VSCode via deeplinking.
+  """
+  def saml_redirect_vscode(
+        conn,
+        %{
+          "provider" => provider
+        }
+      ) do
+    code_ttl = 60
+
+    case create_user(%{
+           conn: conn,
+           provider_instance: provider,
+           code: nil,
+           client_id: nil,
+           redirect_uri: nil
+         }) do
+      {:ok, user} ->
+        code = generate_code()
+
+        TokenExchange.insert(%{
+          code: code,
+          generated_at: Timex.now(),
+          expires_at: Timex.add(Timex.now(), Timex.Duration.from_seconds(code_ttl)),
+          user_id: user.id
+        })
+
+        {_provider, %{vscode_redirect_url_prefix: vscode_redirect_url_prefix}} =
+          Application.get_env(:cadet, :identity_providers, %{})[provider]
+
+        conn
+        |> put_resp_header(
+          "location",
+          vscode_redirect_url_prefix <> "?provider=" <> provider <> "&code=" <> code
+        )
+        |> send_resp(302, "")
+        |> halt()
+
+      conn ->
+        conn
+    end
+  end
+
+  @spec create_user(Provider.authorise_params()) :: {:ok, User.t()} | Plug.Conn.t()
+  defp create_user(
          params = %{
            conn: conn,
            provider_instance: provider
@@ -96,7 +174,7 @@ defmodule CadetWeb.AuthController do
     with {:authorise, {:ok, %{token: token, username: username}}} <-
            {:authorise, Provider.authorise(params)},
          {:signin, {:ok, user}} <- {:signin, Accounts.sign_in(username, token, provider)} do
-      {:ok, generate_tokens(user)}
+      {:ok, user}
     else
       {:authorise, {:error, :upstream, reason}} ->
         conn
@@ -121,6 +199,18 @@ defmodule CadetWeb.AuthController do
     end
   end
 
+  @spec create_user_and_tokens(Provider.authorise_params()) ::
+          {:ok, %{access_token: String.t(), refresh_token: String.t()}} | Plug.Conn.t()
+  defp create_user_and_tokens(params) do
+    case create_user(params) do
+      {:ok, user} ->
+        {:ok, generate_tokens(user)}
+
+      conn ->
+        conn
+    end
+  end
+
   @doc """
   Receives a /refresh request with valid attribute.
 
@@ -170,6 +260,14 @@ defmodule CadetWeb.AuthController do
     %{access_token: access_token, refresh_token: refresh_token}
   end
 
+  @spec generate_code :: String.t()
+  defp generate_code do
+    16
+    |> :crypto.strong_rand_bytes()
+    |> Base.url_encode64(padding: false)
+    |> String.slice(0, 22)
+  end
+
   swagger_path :create do
     post("/auth/login")
 

lib/cadet_web/controllers/chat_controller.ex

@@ -6,6 +6,7 @@ defmodule CadetWeb.ChatController do
   use PhoenixSwagger
 
   alias Cadet.Chatbot.{Conversation, LlmConversations}
+  @max_content_size 1000
 
   def init_chat(conn, %{"section" => section, "initialContext" => initialContext}) do
     user = conn.assigns.current_user
@@ -21,7 +22,8 @@ defmodule CadetWeb.ChatController do
             "conversation_init.json",
             %{
               conversation_id: conversation.id,
-              last_message: conversation.messages |> List.last()
+              last_message: conversation.messages |> List.last(),
+              max_content_size: @max_content_size
             }
           )
 
@@ -51,13 +53,15 @@ defmodule CadetWeb.ChatController do
     response(200, "OK")
     response(400, "Missing or invalid parameter(s)")
     response(401, "Unauthorized")
+    response(422, "Message exceeds the maximum allowed length")
     response(500, "When OpenAI API returns an error")
   end
 
   def chat(conn, %{"conversationId" => conversation_id, "message" => user_message}) do
     user = conn.assigns.current_user
 
-    with {:ok, conversation} <-
+    with true <- String.length(user_message) <= @max_content_size || {:error, :message_too_long},
+         {:ok, conversation} <-
            LlmConversations.get_conversation_for_user(user.id, conversation_id),
          {:ok, updated_conversation} <-
            LlmConversations.add_message(conversation, "user", user_message),
@@ -85,6 +89,13 @@ defmodule CadetWeb.ChatController do
           send_resp(conn, 500, error_message)
       end
     else
+      {:error, :message_too_long} ->
+        send_resp(
+          conn,
+          :unprocessable_entity,
+          "Message exceeds the maximum allowed length of #{@max_content_size}"
+        )
+
       {:error, {:not_found, error_message}} ->
         send_resp(conn, :not_found, error_message)
 
@@ -107,4 +118,6 @@ defmodule CadetWeb.ChatController do
 
     conversation.prepend_context ++ messages_payload
   end
+
+  def max_content_length, do: @max_content_size
 end

lib/cadet_web/router.ex

@@ -51,6 +51,8 @@ defmodule CadetWeb.Router do
     post("/auth/login", AuthController, :create)
     post("/auth/logout", AuthController, :logout)
     get("/auth/saml_redirect", AuthController, :saml_redirect)
+    get("/auth/saml_redirect_vscode", AuthController, :saml_redirect_vscode)
+    get("/auth/exchange", AuthController, :exchange)
   end
 
   scope "/v2", CadetWeb do

lib/cadet_web/views/assessments_view.ex

@@ -53,6 +53,7 @@ defmodule CadetWeb.AssessmentsView do
         longSummary: :summary_long,
         hasTokenCounter: :has_token_counter,
         missionPDF: &Cadet.Assessments.Upload.url({&1.mission_pdf, &1}),
+        isMinigame: & &1.config.is_minigame,
         questions:
           &Enum.map(&1.questions, fn question ->
             map =