[11/30] To main (income/expenditure management download feature implementation, etc.) #1024
Conversation
…mpus-donations table name fix
Introduce go-migration
Add income/expenditure management CSV download feature
Pull request overview
This PR is mainly about implementing the income/expenditure management CSV download feature and introducing go-migrate! ✨ There's also a big change in here renaming the fund_informations table to campus_donations!
- Added CSV download feature (for income/expenditure management and fund information)
- Introduced the go-migrate tool to improve migration management
- Table rename: fund_informations → campus_donations (makes the meaning of on-campus donations clearer!)
Reviewed changes
Copilot reviewed 91 out of 114 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| view/next-project/src/generated/model/index.ts | Added the CSV download type definitions to the exports |
| view/next-project/src/generated/model/getIncomeExpenditureManagementCsvDownloadParams.ts | Newly added parameter type definition for the income/expenditure management CSV download |
| view/next-project/src/generated/model/getFundInformationsCsvDownloadParams.ts | Newly added parameter type definition for the fund information CSV download |
| view/next-project/src/generated/model/getFoundInformationsCsvDownloadParams.ts | Parameter type definition for the fund information CSV download (contains a typo) |
| view/next-project/src/generated/hooks.ts | Removed the fund_informations-related APIs, added CSV download hooks |
| view/next-project/src/components/fund_information/FundInformationHeader.tsx | Added a CSV download button (year is hardcoded) |
| scripts/wait-for-mysql.sh | Added a shell script that waits for MySQL to start |
| scripts/seed.sh | Added a shell script for loading seed data (with emoji!) |
| scripts/create_migration.sh | Added a shell script for creating migrations |
| openapi/openapi.yaml | Removed the fund_informations endpoints, added CSV download endpoints |
| mysql/seed/000001_initial_schema_seed.sql | Greatly expanded the initial seed data |
| mysql/migrations/000001_initial_schema.up.sql | Migration file for go-migrate (table creation) |
| mysql/migrations/000001_initial_schema.down.sql | Rollback file for go-migrate (table deletion) |
| mysql/db/*.sql | Removed the existing SQL files (moved to migrations) |
| compose.migrate.yml | Added a Docker Compose file for go-migrate |
| compose.db.yml | Changed the volume mount settings (seed/scripts directories) |
| api/internals/domain/fund_information.go | Removed the fund_information domain file |
| er/* | Updated the ER diagram (added the campus_donations table) |
| <div className='flex w-full flex-col gap-2 md:w-auto md:flex-row md:items-center'> | ||
| <OutlinePrimaryButton className='w-full md:w-fit'> | ||
| <a | ||
| href={`${process.env.CSR_API_URI}/income_expenditure_management/csv/download?year=2025`} |
Copilot AI, Dec 2, 2025
Hey, hey, the year is hardcoded as 2025 here! 😱 That's seriously bad! You'll have to rewrite the code every time the year changes 💦
Let's get the year dynamically, or at least read it from a config file! For example, fetch the current year automatically, or read it from a property ✨
// Example: get the year dynamically
const currentYear = new Date().getFullYear();
href={`${process.env.CSR_API_URI}/income_expenditure_management/csv/download?year=${currentYear}`}
|
||
| { | ||
| echo "SET FOREIGN_KEY_CHECKS = 0;" | ||
| mysql -h "$MYSQL_HOST" -u "$MYSQL_USER" -p"$MYSQL_PASSWORD" -D "$MYSQL_DATABASE" --batch --silent -N \ |
Copilot AI, Dec 2, 2025
The MySQL password is provided on the command line (-p"$MYSQL_PASSWORD"). Command‑line arguments are visible to other processes and may be logged, leaking DB credentials.
Fix: do not pass passwords via CLI flags. Use a protected defaults file (--defaults-extra-file=/run/secrets/mysql.cnf with 0600 permissions) or a MySQL login path (mysql_config_editor). If unavoidable, prefer ephemeral scope like MYSQL_PWD for the subprocess and ensure the environment isn’t exposed.
| FROM information_schema.tables \ | ||
| WHERE table_schema = '${MYSQL_DATABASE}' AND table_name != 'schema_migrations';" | ||
| echo "SET FOREIGN_KEY_CHECKS = 1;" | ||
| } | mysql -h "$MYSQL_HOST" -u "$MYSQL_USER" -p"$MYSQL_PASSWORD" "$MYSQL_DATABASE" |
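Review bot: the statements generated from information_schema.tables for every table except schema_migrations run against whatever $MYSQL_HOST, $MYSQL_USER and $MYSQL_DATABASE happen to hold, and nothing in this hunk prevents the reset from hitting a shared or production instance if the environment is loaded from the wrong file. Suggest an explicit guard before this block, for example `case "$MYSQL_HOST" in localhost|127.0.0.1) ;; *) echo "refusing to reset $MYSQL_HOST" >&2; exit 1;; esac`, or an opt-in variable such as ALLOW_DB_RESET=1 that the script checks first. The SET FOREIGN_KEY_CHECKS pair is session-scoped, so keeping both SET statements and the generated SQL inside this single mysql pipeline, as the hunk does, is required for it to take effect.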
Copilot AI, Dec 2, 2025
The MySQL password is again passed on the CLI (-p"$MYSQL_PASSWORD"), which can be read via process listings and leak credentials.
Fix: supply credentials via a protected defaults file (--defaults-extra-file) or login path (mysql_config_editor), not via CLI. Alternatively, export a scoped MYSQL_PWD for the subprocess and ensure the environment isn’t exposed.
| for sql_file in "$SQL_DIR"/*.sql; do | ||
| if [ -f "$sql_file" ]; then | ||
| echo "実行中: $sql_file 🚀" | ||
| mysql -h "$MYSQL_HOST" -u "$MYSQL_USER" -p"$MYSQL_PASSWORD" "$MYSQL_DATABASE" < "$sql_file" |
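Review bot: the exit status of mysql for each seed file is not checked inside the loop; unless set -e is active earlier in the script (not visible in this hunk), a file that fails halfway is announced as 実行中 and then silently skipped, leaving a partially seeded database that later files may depend on. Suggest `mysql ... < "$sql_file" || { echo "seed failed: $sql_file" >&2; exit 1; }` so the first failure stops the run with the offending file named.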
Copilot AI, Dec 2, 2025
The MySQL password is passed on the command line (-p"$MYSQL_PASSWORD"), exposing it to ps/process listings and potential logs.
Fix: avoid CLI passwords. Use a MySQL defaults file with --defaults-extra-file (0600 perms) or a login path via mysql_config_editor. If you must use env, use MYSQL_PWD for the subprocess and ensure the environment isn’t exposed.
| password_reset_tokens ( | ||
| id INT(10) UNSIGNED NOT NULL UNIQUE AUTO_INCREMENT, | ||
| user_id INT(10) NOT NULL, | ||
| token VARCHAR(255) NOT NULL, |
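Review bot: user_id is declared INT(10) NOT NULL (signed) while id on this same table is INT(10) UNSIGNED; if user_id is meant to reference an unsigned users.id, InnoDB will reject the FOREIGN KEY because referenced and referencing columns must match in type including signedness. Suggest `user_id INT(10) UNSIGNED NOT NULL` together with a FOREIGN KEY ... ON DELETE CASCADE so reset tokens disappear with the account. An expiry timestamp and a consumed/used marker are also not visible in these lines, and both are needed to enforce expiration and one-time use of the token.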
Copilot AI, Dec 2, 2025
password_reset_tokens.token stores reset tokens in plaintext. Reset tokens are sensitive bearer secrets; if the DB is read, attackers can reuse tokens to take over accounts.
Fix: store only a cryptographic hash of the token (e.g., token_hash VARBINARY(32) for SHA‑256) and compare by hashing the presented token. Consider a selector+verifier pattern (public selector, hashed verifier), enforce expiration and one‑time use.
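The selector+verifier storage described in the comment above, carried through as an added example written for this page rather than code from the repository: the token handed to the user is `selector.verifier`, only sha256(verifier) is persisted, the verifier is compared in constant time, and expiry and one-time use are enforced at consumption. The row struct, its field names and the in-memory store are assumptions standing in for the password_reset_tokens table; the clock is injectable so expiry can be exercised deterministically.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"time"
)

// resetTokenRow is a hypothetical shape for a password_reset_tokens row.
// The raw verifier is never stored; only its SHA-256 digest is.
type resetTokenRow struct {
	Selector     string     // public lookup key, safe to index and log
	VerifierHash [32]byte   // sha256(verifier), never the verifier itself
	UserID       uint64     // owner of the token
	ExpiresAt    time.Time  // hard expiry
	UsedAt       *time.Time // set on first successful use (one-time use)
}

// store is an in-memory stand-in for the database table, keyed by selector.
type store struct {
	rows map[string]*resetTokenRow
	now  func() time.Time
}

func newStore(now func() time.Time) *store {
	return &store{rows: map[string]*resetTokenRow{}, now: now}
}

// randomB64 returns n random bytes, URL-safe base64 encoded without padding.
func randomB64(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// Issue creates a token of the form "selector.verifier" for userID and
// persists a row holding only the hash of the verifier plus an expiry.
func (s *store) Issue(userID uint64, ttl time.Duration) (string, error) {
	selector, err := randomB64(9) // 72 bits, 12 characters
	if err != nil {
		return "", err
	}
	verifier, err := randomB64(24) // 192 bits, 32 characters
	if err != nil {
		return "", err
	}
	s.rows[selector] = &resetTokenRow{
		Selector:     selector,
		VerifierHash: sha256.Sum256([]byte(verifier)),
		UserID:       userID,
		ExpiresAt:    s.now().Add(ttl),
	}
	return selector + "." + verifier, nil
}

// ErrInvalidToken is returned for any failure so callers cannot tell a bad
// selector from a bad verifier or an expired token.
var ErrInvalidToken = errors.New("invalid or expired reset token")

// Consume validates a presented token, marks it used and returns the user id.
func (s *store) Consume(token string) (uint64, error) {
	selector, verifier, ok := strings.Cut(token, ".")
	if !ok {
		return 0, ErrInvalidToken
	}
	row, found := s.rows[selector]
	if !found {
		return 0, ErrInvalidToken
	}
	// Hash the presented verifier and compare digests in constant time.
	got := sha256.Sum256([]byte(verifier))
	if subtle.ConstantTimeCompare(got[:], row.VerifierHash[:]) != 1 {
		return 0, ErrInvalidToken
	}
	now := s.now()
	if row.UsedAt != nil || now.After(row.ExpiresAt) {
		return 0, ErrInvalidToken
	}
	row.UsedAt = &now
	return row.UserID, nil
}

func main() {
	s := newStore(time.Now)
	tok, err := s.Issue(42, 30*time.Minute)
	if err != nil {
		panic(err)
	}
	fmt.Println("token sent to the user (never stored):", tok)
	uid, err := s.Consume(tok)
	fmt.Println("first use -> user", uid, "err:", err)
	_, err = s.Consume(tok)
	fmt.Println("second use -> err:", err)
}
```

With this layout a read of the table yields selectors and digests only; an attacker who dumps it still cannot present a valid verifier, and the constant-time compare keeps the lookup from leaking which prefix of a guessed verifier matched.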
|
|
||
| echo "Waiting for MySQL at ${host}:${port}..." | ||
|
|
||
| until docker compose -f compose.db.yml exec -T db mysqladmin ping -h"localhost" -u"${user}" -p"${password}" --silent 2>/dev/null; do |
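Review bot: mysqladmin ping exits 0 whenever the server answers at all, including with an Access denied error, so the credentials on this line do not affect when the loop ends; a password-less ping removes the need to pass -p here entirely. Two further points on the same line: the until loop has no retry bound visible in the hunk, so a database that never comes up hangs the caller forever, and 2>/dev/null discards the one message that would explain why. Suggest a counter in the loop body such as `attempts=$((attempts+1)); [ "$attempts" -lt 60 ] || { echo "MySQL did not become ready" >&2; exit 1; }` and keeping stderr visible at least on the final attempt.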
Copilot AI, Dec 2, 2025
The MySQL password is passed on the command line via -p"${password}". Command‑line arguments are visible to other processes/users in the container/host (e.g., via ps), which can leak DB credentials.
Fix: avoid supplying passwords on the CLI. Use one of the following instead:
- Provide credentials via a protected defaults file and --defaults-extra-file=/run/secrets/mysql.cnf with 0600 perms
- Use MYSQL_PWD only for short-lived subprocess scope (still less ideal), or rely on socket/auth when possible
- For mysqladmin ping, prefer a user without a password or use a login path configured by mysql_config_editor
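The defaults-file fix recommended in the four credential comments on this PR (seed.sh, the reset pipeline, the seed loop and wait-for-mysql.sh), shown as an added example written for this page rather than code from the repository: the password is written into an option file created with mode 0600 and O_EXCL, and the mysql client is pointed at it with --defaults-extra-file, so argv never carries the secret and a process listing cannot reveal it. The file name, the sample credentials and the database name are constructed for the example; argsLeakSecret is the check a reviewer would apply to the resulting command.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// quoteOptionValue wraps a value in double quotes for a MySQL option file,
// escaping backslashes and quotes so passwords containing '#' or ';' (which
// would otherwise start a comment) are read intact.
func quoteOptionValue(v string) string {
	v = strings.ReplaceAll(v, `\`, `\\`)
	v = strings.ReplaceAll(v, `"`, `\"`)
	return `"` + v + `"`
}

// writeDefaultsFile creates dir/mysql.cnf readable only by the owner and
// returns its path. O_EXCL refuses to reuse a file or symlink that already
// exists at that path, so a pre-planted file cannot capture the secret.
func writeDefaultsFile(dir, host, user, password string) (string, error) {
	path := filepath.Join(dir, "mysql.cnf")
	content := fmt.Sprintf("[client]\nhost=%s\nuser=%s\npassword=%s\n",
		host, user, quoteOptionValue(password))
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		return "", err
	}
	if _, err := f.WriteString(content); err != nil {
		f.Close()
		return "", err
	}
	return path, f.Close()
}

// mysqlCommand builds the client invocation. The mysql client requires
// --defaults-extra-file to be the first argument; the password is not in Args.
func mysqlCommand(defaultsPath, database string, extra ...string) *exec.Cmd {
	args := append([]string{"--defaults-extra-file=" + defaultsPath, database}, extra...)
	return exec.Command("mysql", args...)
}

// argsLeakSecret reports whether any argv element contains the secret, which
// is exactly what ps would expose.
func argsLeakSecret(cmd *exec.Cmd, secret string) bool {
	for _, a := range cmd.Args {
		if strings.Contains(a, secret) {
			return true
		}
	}
	return false
}

func main() {
	dir, err := os.MkdirTemp("", "mysql-defaults-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir) // the secret lives only as long as this process
	// Constructed sample credentials; real ones would come from a secrets mount.
	secret := `p@ss"w#rd`
	path, err := writeDefaultsFile(dir, "127.0.0.1", "seed_user", secret)
	if err != nil {
		panic(err)
	}
	cmd := mysqlCommand(path, "app_dev", "--batch")
	fmt.Println("argv:", cmd.Args)
	fmt.Println("secret visible in argv:", argsLeakSecret(cmd, secret))
}
```

The same shape works for a shell script: create the file under a umask of 077 (or copy it from /run/secrets), run `mysql --defaults-extra-file="$cnf" "$MYSQL_DATABASE" < "$sql_file"`, and remove the file on exit; the environment-variable alternative (MYSQL_PWD) is weaker because /proc/PID/environ is readable by the same user and the variable is inherited by every child.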
Related Issue
Overview