CS5331 Submission

Dockerfile

@@ -2,9 +2,11 @@ FROM ubuntu:latest
 RUN apt-get update
 RUN apt-get install -y python-pip
 RUN apt-get install -y apache2
+RUN apt-get install -y sqlite3
 RUN pip install -U pip
 RUN pip install -U flask
 RUN pip install -U flask-cors
+RUN pip install pyOpenSSL
 RUN echo "ServerName localhost  " >> /etc/apache2/apache2.conf
 RUN echo "$user     hard    nproc       20" >> /etc/security/limits.conf
 ADD ./src/service /service

README.md

@@ -88,56 +88,88 @@ If a response is received, you're good to go.
 Please replace the example screenshots with screenshots of your completed
 project. Feel free to include more than one.
 
-![Sample Screenshot](./img/samplescreenshot.png)
+**1. Main Page with Public Entries**
+
+![Main Page with Public Entries](./img/main.png)
+
+**2. Authenticated User Page**
+
+![Authenticated User Page](./img/authenticated_user.png)
+
+**3. Private Diary Entry**
+
+![Private Diary Entry](./img/private_entry.png)
+
+**4. Mark Private Entry Public**
+
+![Mark Private Entry Public](./img/public_entry.png)
 
 ## Administration and Evaluation
 
 Please fill out this section with details relevant to your team.
 
 ### Team Members
 
-1. Member 1 Name
-2. Member 2 Name
-3. Member 3 Name
-4. Member 4 Name
+1. Tan Chee Chun
+2. Loh Jing Lun
+3. Kwek Xianzhi
+4. Xie Yaocong Gilbert
 
 ### Short Answer Questions
 
 #### Question 1: Briefly describe the web technology stack used in your implementation.
 
-Answer: Please replace this sentence with your answer.
+Answer: SQlite for database. Python Flask for backend. Html and Javascript for front end.
 
 #### Question 2: Are there any security considerations your team thought about?
 
-Answer: Please replace this sentence with your answer.
+Answer: 
+
+1. Usage of HTTP. Traffic is unencrypted and third party can sniff it and even modify it. No data authenticity and integrity...  
+2. Password is sent in clear when submitting forms
+3. User input in authentication form fields are not sanitized.
 
 #### Question 3: Are there any improvements you would make to the API specification to improve the security of the web application?
 
-Answer: Please replace this sentence with your answer.
+Answer: 
+1. We do not assemble sql query string using Python’s string operations because it is vulnerable to an SQL injection attack. Instead, we use the DB-API’s parameter substitution.
 
 #### Question 4: Are there any additional features you would like to highlight?
 
-Answer: Please replace this sentence with your answer.
+Answer:
+1. We note that CORS is explictly enabled inside app.py to overcome Same Origin Policy (SOP) restriction, where API requests from http://localhost:80 to http://localhost:8080 may be prevented from running.
 
 #### Question 5: Is your web application vulnerable? If yes, how and why? If not, what measures did you take to secure it?
 
-Answer: Please replace this sentence with your answer.
+Answer:
+1. The json web service on port 8080 might be vulnerable as there are no authentication measures in place to verify the authenticity of the POST and GET messages it receives.
+
+2. The messages are also sent in clear without any encryption, which means senstive information like password or secret diary post can still be seen.
 
 #### Feedback: Is there any other feedback you would like to give?
 
-Answer: Please replace this sentence with your answer.
+Answer:
+1. Always ensure the security principles of Confidentiality, Integrity and Availability are followed when developing a web application.
 
 ### Declaration
 
 #### Please declare your individual contributions to the assignment:
 
-1. Member 1 Name
-    - Integrated feature x into component y
-    - Implemented z
-2. Member 2 Name
-    - Wrote the front-end code
-3. Member 3 Name
-    - Designed the database schema
-4. Member 4 Name
-    - Implemented x
+1. Tan Chee Chun
+	- Develop Back-end Server API
+	- Design and implement Web frontend 
+	- Answer Short question
+2. Loh Jing Lun
+	- Develop Back-end Server API
+	- Design and implement Web frontend 
+	- Answer Short question
+3. Kwek Xianzhi
+	- Develop Back-end Server API
+	- Design and implement Web frontend 
+	- Answer Short question
+4. Xie Yaocong Gilbert
+	- Develop Back-end Server API
+	- Design and implement Web frontend 
+	- Answer Short question
+
 

run.sh

@@ -3,7 +3,7 @@
 if [ "$EUID" -ne 0 ]
   then echo "Please run as root"
   exit
-fi
+fi 
 
 TEAMID=`md5sum README.md | cut -d' ' -f 1`
 docker kill $(docker ps -q)

src/html/cookie.js

@@ -0,0 +1,24 @@
+function createCookie(name,value,days) {
+	if (days) {
+		var date = new Date();
+		date.setTime(date.getTime()+(days*24*60*60*1000));
+		var expires = "; expires="+date.toGMTString();
+	}
+	else var expires = "";
+	document.cookie = name+"="+value+expires+"; path=/";
+}
+
+function readCookie(name) {
+	var nameEQ = name + "=";
+	var ca = document.cookie.split(';');
+	for(var i=0;i < ca.length;i++) {
+		var c = ca[i];
+		while (c.charAt(0)==' ') c = c.substring(1,c.length);
+		if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
+	}
+	return null;
+}
+
+function eraseCookie(name) {
+	createCookie(name,"",-1);
+}

src/html/index.html

@@ -1,26 +1,65 @@
 <html>
-    <head>
-    </head>
-    <body>
-        <h1>Secret Diary Front End</h1>
-        <p>Requirements for the front end are as follows:</p>
-        <ul>
-            <li>Register a user</li>
-            <li>Login</li>
-            <li>Logout</li>
-            <li>Display all public diary entries</li>
-            <li>Display an authenticated user's diary entries</li>
-            <li>Create a new diary entry</li>
-            <li>Delete an existing diary entry</li>
-            <li>Toggle the permissions on an existing diary entry</li>
-        </ul>
-        <!-- the following is a demo on how you may display data retrieved from
-             the API
-        -->
-        <div id="demo_heartbeat">
-        </div>
-        <div id="demo_members">
-        </div>
-        <script src="./demo.js"></script>
-    </body>
+<head>
+   <title>Team 1 Secret Diary</title>
+   <link rel="stylesheet" href="styles.css">
+</head>
+
+<body>
+
+<table align="right">
+<tr>
+   <td>
+      <center><h2>Register new user</h2></center>
+      <form id="registerform">
+      <div><label for="name">Username:</label><input type="text" id="username" name="username" required><br>
+      </div>
+      <div><label for="password">Password:</label><input type="password" id="password" name="password" required><br>
+      </div>
+      <div><label for="fullname">Full name:</label><input type="text" id="fullname" name="fullname" required><br>
+      </div>
+      <div><label for="age">Age:</label><input type="number" id="age" name="age" required><br>
+      </div>
+      <div class="button"><button type="submit" value="Submit">Register</button>
+      </div>
+      </form>
+      <div id="register_results">
+      </div>
+      <br><br>
+   </td>
+</tr>
+<tr>
+   <td>
+      <center><h2>Login existing user</h2></center>
+      <form id="loginform">
+      <div><label for="name">Username:</label><input type="text" id="name" name="username" required><br>
+      </div>
+      <div><label for="password">Password:</label><input type="password" id="password" name="password" required><br>
+      </div>
+      <div class="button"><button type="submit" value="Submit">Login</button>
+      </div>
+      </form>
+      <div id="login_results">
+      </div>
+      <br><br>
+   </td>
+</tr>
+</table>
+
+<h1>Welcome to Team 1 Secret Diary Front End</h1>
+
+<h2>Public Diary Entries</h2>
+
+<div id="listpublicentries">
+</div>
+
+<div class="footer">
+   <p><div id="demo_heartbeat"></div><div id="demo_members"></div></p>
+</div>
+
+<script src="./jquery-latest.min.js"></script>
+<script src="./jquery.serializejson.js"></script>
+<script src="./main.js"></script>
+<script src="./meta.js"></script>
+
+</body>
 </html>