CS5331 Submission

Dockerfile

@@ -1,14 +1,45 @@
 FROM ubuntu:latest
-RUN apt-get update
-RUN apt-get install -y python-pip
-RUN apt-get install -y apache2
-RUN pip install -U pip
-RUN pip install -U flask
-RUN pip install -U flask-cors
-RUN echo "ServerName localhost  " >> /etc/apache2/apache2.conf
-RUN echo "$user     hard    nproc       20" >> /etc/security/limits.conf
+
+ENV MYSQL_USER=root \
+    MYSQL_PASSWORD= \
+    MYSQL_HOST=localhost \
+    MYSQL_DATABASE=GROUP5_SECRET_DIARY \
+    TZ=Asia/Singapore
+
+RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
+
+RUN apt-get update \
+    && apt-get install -y python-pip \
+    && apt-get install -y apache2
+
+ADD ./src/db /tmp/
+
+RUN apt-get update && \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y mysql-server && \
+    rm -rf /var/lib/apt/lists/* && \
+    sed -i 's/^\(bind-address\s.*\)/# \1/' /etc/mysql/my.cnf && \
+    sed -i 's/^\(log_error\s.*\)/# \1/' /etc/mysql/my.cnf && \
+    service mysql start && \
+    mysql -u root -e "CREATE DATABASE IF NOT EXISTS GROUP5_SECRET_DIARY CHARACTER SET utf8 COLLATE utf8_general_ci; FLUSH PRIVILEGES;" && \
+    mysql -u root -e "SHOW DATABASES" && \
+    mysql -u root "GROUP5_SECRET_DIARY" < "/tmp/schema.sql"
+
+RUN mkdir -p /var/run/mysqld && chown mysql:mysql /var/run/mysqld
+VOLUME ["/etc/mysql", "/var/lib/mysql"]
+WORKDIR /data
+
+RUN apt-get update && \
+    apt-get install -y libmysqlclient-dev
+
+RUN pip install -U pip flask flask-cors Flask-SQLAlchemy MySQL-python flask-bcrypt flask-marshmallow marshmallow-sqlalchemy
+
+RUN echo "ServerName localhost" >> /etc/apache2/apache2.conf
+RUN echo "$user    hard    nproc    20" >> /etc/security/limits.conf
+
 ADD ./src/service /service
 ADD ./src/html /var/www/html
+
 EXPOSE 80
 EXPOSE 8080
+
 CMD ["/bin/bash", "/service/start_services.sh"]

README.md

@@ -88,56 +88,65 @@ If a response is received, you're good to go.
 Please replace the example screenshots with screenshots of your completed
 project. Feel free to include more than one.
 
-![Sample Screenshot](./img/samplescreenshot.png)
+![Sample Screenshot](./img/group5.png)
 
 ## Administration and Evaluation
 
 Please fill out this section with details relevant to your team.
 
-### Team Members
+### Team Members (Group 5)
 
-1. Member 1 Name
-2. Member 2 Name
-3. Member 3 Name
-4. Member 4 Name
+1. Member 1 Hu Shuchen
+2. Member 2 Wang Zhuochun
+3. Member 3 Arvee Vergara Valmores
 
 ### Short Answer Questions
 
 #### Question 1: Briefly describe the web technology stack used in your implementation.
 
-Answer: Please replace this sentence with your answer.
+Answer: We have used Flask web framework, MySQL for database schema, Vue.js for front-end development.
 
 #### Question 2: Are there any security considerations your team thought about?
 
-Answer: Please replace this sentence with your answer.
+Answer: We have enforced user password strength with minimum length of 8 characters, containing both small and capitals letters as well as at one number. We have also implemented account lockout policy where the user account will be locked for 1 hour after 3 failed login attempts.
+As we are using MySQL for our database, we have also made use of the mature library SQLAlchemy, and utilized prepared statements in the backend codes to enforce our protection against SQL injection attacks.
 
 #### Question 3: Are there any improvements you would make to the API specification to improve the security of the web application?
 
-Answer: Please replace this sentence with your answer.
+Answer: - Enforce authentication token expiry for certain duration or inactivity. This can reduce the risk of stolen tokens through XSS or other types of attacks.
+        - Allow password reset or change of password with security measures
+        - Implement 2-factor or multi-factor user authentication
+        - Implement HTTPS to encrypt JSON requests and responses over the network
 
 #### Question 4: Are there any additional features you would like to highlight?
 
-Answer: Please replace this sentence with your answer.
+Answer: Not other than the password strength and account lockout policy. Password requirements are shown in the user interface as well when users try to set their passwords.
 
 #### Question 5: Is your web application vulnerable? If yes, how and why? If not, what measures did you take to secure it?
 
-Answer: Please replace this sentence with your answer.
+Answer: We did not find our application vulnerable. In our development, we have made sure to use of mature libraries with functions to render user inputs like their diaries just as text rather than scripts. We have tested possibilities of cross-site scripting as shown in the screenshot below and our application is not vulnerable to those.
+
+![Sample Screenshot](./img/XSS%20test.png)
+
 
 #### Feedback: Is there any other feedback you would like to give?
 
-Answer: Please replace this sentence with your answer.
+Answer: No.
 
 ### Declaration
 
 #### Please declare your individual contributions to the assignment:
 
-1. Member 1 Name
-    - Integrated feature x into component y
-    - Implemented z
-2. Member 2 Name
-    - Wrote the front-end code
-3. Member 3 Name
-    - Designed the database schema
-4. Member 4 Name
-    - Implemented x
+1. Member 1 Hu Shuchen
+    - Wrote the front-end code and integrated with the API features developed by teammates
+    - Tested and checked the work done by teammates
+    - Logistics (set up Github organization, README documentation & short answer questions)
+2. Member 2 Wang Zhuochun
+    - Developed the Users API
+    - Designed the database schema for Users
+    - Tested and checked the work done by teammates
+3. Member 3 Arvee Vergara Valmores
+    - Developed the Diary API
+    - Designed the database schema for Diary entries
+    - Tested and checked the work done by teammates
 

init.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+if [ -n "$MYSQL_PASSWORD" ] ; then
+
+	TEMP_FILE='/service/schema.sql'
+	cat > "$TEMP_FILE" <<-EOSQL
+		DELETE FROM mysql.user WHERE user = 'root' AND host = '%';
+		CREATE USER 'root'@'%' IDENTIFIED BY '${MYSQL_PASSWORD}' ;
+		GRANT ALL ON *.* TO 'root'@'%' WITH GRANT OPTION ;
+		FLUSH PRIVILEGES ;
+	EOSQL
+
+	# set this as an init-file to execute on startup
+	set -- "$@" --init-file="$TEMP_FILE"
+fi
+
+# execute the command supplied
+exec "$@"

run-mac.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+docker kill $(docker ps -q)
+docker rm $(docker ps -a -q)
+docker build . -t cs5331
+docker run -p 1888:80 -p 8080:8080 -t cs5331

src/db/init_db.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+service mysql start
+
+sleep 3
+
+mysql -u root -e "CREATE DATABASE IF NOT EXISTS GROUP5_SECRET_DIARY CHARACTER SET utf8 COLLATE utf8_general_ci; FLUSH PRIVILEGES;"
+mysql -u root -e "SHOW DATABASES"
+mysql -u root "GROUP5_SECRET_DIARY" < "/tmp/schema.sql"
+mysql -u root -e "USE GROUP5_SECRET_DIARY; SHOW TABLES"

src/db/schema.sql

@@ -0,0 +1,39 @@
+# Create a separate user from root, if necessary
+# CREATE USER 'new_user'@'%' IDENTIFIED BY PASSWORD 'password';
+# Grant privileges on new_user
+# GRANT ALL PRIVILEGES ON cs5331_secret_diary.* TO 'new_user'@'%' WITH GRANT OPTION;
+
+DROP TABLE IF EXISTS `user`;
+
+CREATE TABLE `user` (
+  `id` INT(11) NOT NULL AUTO_INCREMENT,
+  `username` VARCHAR(255) COLLATE utf8_unicode_ci NOT NULL,
+  `encrypted_password` VARCHAR(255) COLLATE utf8_unicode_ci NOT NULL,
+  `fullname` VARCHAR(255) COLLATE utf8_unicode_ci NOT NULL,
+  `age` INT(11) NOT NULL DEFAULT 0,
+  `sign_in_count` INT(11) NOT NULL DEFAULT 0,
+  `locked_at` TIMESTAMP NULL DEFAULT NULL,
+  `session_token` VARCHAR(255) COLLATE utf8_unicode_ci NOT NULL,
+  `session_created_at` TIMESTAMP NULL DEFAULT NULL,
+  `created_at` TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  `updated_at` TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
+  PRIMARY KEY (`id`),
+  UNIQUE KEY `index_user_on_username` (`username`),
+  UNIQUE KEY `index_user_on_session_token` (`session_token`)
+) ENGINE=INNODB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+
+DROP TABLE IF EXISTS `diary`;
+
+CREATE TABLE `diary` (
+  `id` INT NOT NULL AUTO_INCREMENT,
+  `author` VARCHAR(255) COLLATE utf8_unicode_ci NOT NULL,
+  `publish_date` TIMESTAMP NULL DEFAULT NULL,
+  `title` VARCHAR(100) COLLATE utf8_unicode_ci,
+  `text` TEXT COLLATE utf8_unicode_ci,
+  `public` BOOL NOT NULL,
+  PRIMARY KEY (`id`),
+  UNIQUE KEY `index_user_on_id` (`id`)
+) ENGINE=INNODB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
+
+

src/html-src/.gitignore

@@ -0,0 +1 @@
+node_modules

src/html-src/gulpfile.js

@@ -0,0 +1,40 @@
+var gulp = require("gulp");
+var pug = require("gulp-pug");
+var uglify = require('gulp-uglify');
+var livereload = require('gulp-livereload');
+var http = require('http');
+var st = require('st');
+
+gulp.task("html", function() {
+  gulp.src("pages/*.pug")
+    .pipe(pug())
+    .pipe(gulp.dest("../html/"))
+    .pipe(livereload());
+});
+
+gulp.task("js", function() {
+  gulp.src("js/*.js")
+    .pipe(uglify())
+    .pipe(gulp.dest("../html/js"))
+    .pipe(livereload());
+});
+
+gulp.task("server", function(done) {
+  http.createServer(
+    st({
+      path: "../html",
+      cache: false
+    })
+  ).listen(1889, done);
+});
+
+gulp.task("watch", ["default", "server"], function() {
+  livereload.listen({
+    basePath: "../html/"
+  });
+
+  gulp.watch(["layouts/**/*.pug", "pages/**/*.pug"], ["html"]);
+  gulp.watch(["js/**/*.js"], ["js"]);
+});
+
+gulp.task("default", ["js", "html"]);