CS5331 Submission

.gitignore

@@ -0,0 +1,2 @@
+.idea/
+venv/

Dockerfile

@@ -2,13 +2,24 @@ FROM ubuntu:latest
 RUN apt-get update
 RUN apt-get install -y python-pip
 RUN apt-get install -y apache2
+RUN apt-get install -y vim
+RUN apt-get install -y build-essential libffi-dev
 RUN pip install -U pip
 RUN pip install -U flask
 RUN pip install -U flask-cors
+RUN pip install flask-sqlalchemy
+RUN pip install flask_marshmallow
+RUN pip install bcrypt
+RUN pip install marshmallow-sqlalchemy
+RUN pip install python-dateutil
+RUN easy_install --upgrade pytz
+
 RUN echo "ServerName localhost  " >> /etc/apache2/apache2.conf
 RUN echo "$user     hard    nproc       20" >> /etc/security/limits.conf
+
 ADD ./src/service /service
 ADD ./src/html /var/www/html
 EXPOSE 80
 EXPOSE 8080
+
 CMD ["/bin/bash", "/service/start_services.sh"]

README.md

@@ -2,142 +2,105 @@
 
 CS5331 Assignment 1 Project Reference Repository
 
-## Instructions
-
-Your objective is to implement a web application that provides the endpoints
-specified here: https://cs5331-assignments.github.io/rest-api-development/.
-
-The project has been packaged in an easy to set-up docker container with the
-skeleton code implemented in Python Flask. You are not restricted in terms of
-which language, web stack, or database you desire to use. However, please note
-that very limited support can be given to those who decide to veer off the
-beaten path.
-
-You may be required to modify the following files/directories:
-
-- Dockerfile - contains the environment setup scripts to ensure a homogenous
-  development environment
-- src/ - contains the front-end code in `html` and the skeleton Flask API code
-  in `service`
-- img/ - contains images used for this README
-
-Assuming you're developing on an Ubuntu 16.04 machine, the quick instructions
-to get up and running are:
-
-```
-# Install Docker
-
-sudo apt-get update
-sudo apt-get install \
-    apt-transport-https \
-    ca-certificates \
-    curl \
-    software-properties-common
-curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
-sudo add-apt-repository \
-   "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
-   $(lsb_release -cs) \
-   stable"
-sudo apt-get update
-sudo apt-get install docker-ce
-
-# Verify Docker Works
-
-sudo docker run hello-world
-
-# Run the skeleton implementation
-
-sudo ./run.sh
-```
-
-(Docker CE installation instructions are from this
-[link](https://docs.docker.com/install/linux/docker-ce/ubuntu/#install-using-the-repository).)
-
-**Please consult your assignment hand-out for detailed setup information.**
-
-## Grading
-
-The implementation will be graded in an automated fashion on an Ubuntu 16.04
-virtual machine by building the docker container found in your repository and
-running it. The grading script will interact with your API.
-
-The following ports are expected to be accessible:
-
-1. 80, on which static HTML content, including the front-end, is served.
-2. 8080, on which the API is exposed.
-
-To verify this, please run the following commands:
+## Screenshots
 
-```
-sudo ./run.sh
-```
+![Login Screenshot](./img/login_page.png)
 
-On a different window:
+![Register Screenshot](./img/register_page.png)
 
-```
-curl http://localhost:80
-curl http://localhost:8080
-```
+![Create Diary Screenshot](./img/create_diary.png)
 
-If a response is received, you're good to go.
+![Public Diary Screenshot](./img/public_diary.png)
 
-**Please replace the details below with information relevant to your team.**
+![Private Diary Screenshot](./img/private_diary.png)
 
-## Screenshots
+![Logout Screenshot](./img/logout.png)
 
-Please replace the example screenshots with screenshots of your completed
-project. Feel free to include more than one.
-
-![Sample Screenshot](./img/samplescreenshot.png)
 
 ## Administration and Evaluation
 
-Please fill out this section with details relevant to your team.
-
 ### Team Members
 
-1. Member 1 Name
-2. Member 2 Name
-3. Member 3 Name
-4. Member 4 Name
+1. Cai Guoyuan Aaron
+2. Jin Tianma
+3. Rakkappan Lakshmanan
+4. Sun Zelun
 
 ### Short Answer Questions
 
 #### Question 1: Briefly describe the web technology stack used in your implementation.
 
-Answer: Please replace this sentence with your answer.
+Answer: 
+Backend:
+
+1. Python+Flask
+2. Sqlite3
+3. flask-sqlalchemy for database interaction / ORM
+4. marshmallow-sqlalchemy for input validation
+5. bcrypt for password hashing
+
+Frontend:
+1. JavaScript
+2. HTML
+3. Bootstrap 4
+
+Security:
+1. DOMPurifier
 
 #### Question 2: Are there any security considerations your team thought about?
 
-Answer: Please replace this sentence with your answer.
+Implemented
+1. Access Control for pages (prevent users who have not logged from accessing sensitive pages)
+2. Use DOMPurifier to escape output string before displaying
+3. bcrypt for password hashing, which makes use of random salt, and even with the same input, the output hash will be different. This kind of protect against brute-forcing.
+
+Not Implemented:
+1) Set timer for token expiry date 
 
 #### Question 3: Are there any improvements you would make to the API specification to improve the security of the web application?
 
-Answer: Please replace this sentence with your answer.
+Answer: 
+The documentation does not follow RESTful API.
+E.g. The api for deleting a diary should use 'DELETE' method instead of 'POST' 
+and the api for changing permission should use 'PUT' method instead of 'POST'
 
 #### Question 4: Are there any additional features you would like to highlight?
 
-Answer: Please replace this sentence with your answer.
+Answer: We have access control on front end pages, only logged in user can view create and private diary pages.
 
 #### Question 5: Is your web application vulnerable? If yes, how and why? If not, what measures did you take to secure it?
 
-Answer: Please replace this sentence with your answer.
+Answer: 
+Yes, there are some vulnerabilities in our web application.
+1) The app does not use SSL so the website can be tampered. (MIM attack, network attacks)
+2) The token is stored in localStorage which is vulnerable to XSS
+3) We rely a lot on third party libraries, therefore, the website is as vulnerable as the strength of the libraries used. 
+4) We rely on JavaScript to control page redirection which will encounter some issues if user's browser disabled javascript.
 
 #### Feedback: Is there any other feedback you would like to give?
 
-Answer: Please replace this sentence with your answer.
+Answer: Consider to include vagrant in this assignment, since most of us are not using ubuntu OS as our daily drive, so it might be useful to introduce vm concept to kick start our assignment.  
 
 ### Declaration
 
 #### Please declare your individual contributions to the assignment:
 
-1. Member 1 Name
-    - Integrated feature x into component y
-    - Implemented z
-2. Member 2 Name
-    - Wrote the front-end code
-3. Member 3 Name
-    - Designed the database schema
-4. Member 4 Name
-    - Implemented x
+1. Cai Guoyuan Aaron
+    - Wrote Front-end pages
+    - Wrote documentation
+    - Wrote RESTApi
+2. Jin Tianma
+    - Wrote Front-end pages
+    - Wrote RESTApi
+3. Rakkappan Lakshmanan
+    - Wrote Front-end pages
+    - Implement DOMPurifier to escape user input when displaying
+    - Wrote documentation
+    - Wrote RESTApi
+4. Sun Zelun
+    - Wrote dockerfile
+    - Wrote RESTApi
+    - Wrote Front-end pages
+    - Designed database
+    - Wrote documentation
 

run.sh

@@ -9,4 +9,5 @@ TEAMID=`md5sum README.md | cut -d' ' -f 1`
 docker kill $(docker ps -q)
 docker rm $(docker ps -a -q)
 docker build . -t $TEAMID
-docker run -p 80:80 -p 8080:8080 -t $TEAMID
+#docker run -p 3306:3306 -p 80:80 -p 8080:8080 -v /home/vagrant/public/public/rest-api-development/src/html:/var/www/html -v /home/vagrant/public/public/rest-api-development/src/service:/service -t $TEAMID
+docker run -p 80:80 -p 8080:8080 -v /home/vagrant/public/rest-api-development/src/html:/var/www/html -v /home/vagrant/public/rest-api-development/src/service:/service -t $TEAMID