nicolasauler / finnish Goto Github PK

Data API has been disprioritized in favor of Hypermedia API.
That means that a lot of functions are currently missing, like:

• Get expenses with filter
• Update expenses
• Delete expenses

Currently, can't do it, due to Shuttle way of starting the axum service.

Should be done like:
https://github.com/maxcountryman/axum-login/blob/main/examples/sqlite/src/web/app.rs

But we need to somehow start the task after axum is served, so, maybe, try to ask the guys at Shuttle.

Unsafe inline option was added to script-src-elem in Content Security Policy, because htmx.min.js was breaking with only 'self' in that header attribute.
Htmx was breaking only with showing plotly, but otherwise working fine.

This is a fix of the feature added in #28

https://observatory.mozilla.org/analyze/finnish.shuttleapp.rs
https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html

After #48 , 2fa setup screen was created.
However, I couldn't get it to work in htmx (hx-target to an id further than the direct parent was causing breakage in the error return with hx-target-error and the message div) to overwrite the entire article tag.
So it is buggy, inside of a sign_in tab.

Also, show top nav bar with logout in pseudo-user.
⚠️
Also: maybe it's buggy if user is logged in, then closes (in the qr code page) and opens app (by going to root). Where will he be?
⚠️

Currently, the data plot doesn't calculate a median of the day's expenses, and simply plots them all, which makes for a confusing piece of information when a day has a vertical bar.

Currently, there are no tests
Write tests
Add test coverage to CI
add test coverage badge to readme

https://docs.codecov.com/docs/quick-start

Add functionality of changing the user password, since we will now have a confirmed user email.

https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html
Similar to #32

Maybe check relevant sources for this:

• Is it worth it?

The benefit I could see is privacy, as in, number of objects of whatever it is we are talking about remain private to whomever the owner is.

Add a user logout button to a top nav

Follow strucuture: https://github.com/maxcountryman/axum-login/blob/main/examples/sqlite/src/web/auth.rs

❗ hotfix
add validations made in htmx for each of the fields like passwords strengh and matches to the signup and change password endpoints

To make application more robust, we must send a confirmation email to the user.
This way we avoid a bit of user spamming.

For this, we must have a smtp provider.
For what I've seen: using lettre with sendinblue (now brevo) is a good option. And maybe mailtrap for dev testing.

Maybe useful links:
https://cloudmaker.dev/email-verification/
https://www.brevo.com/products/transactional-email/
https://codevoweb.com/rust-api-user-registration-and-email-verification/
https://codevoweb.com/how-to-send-html-emails-in-rust-via-smtp/#smtp-provider-to-send-development-emails
https://medium.com/swlh/sending-emails-with-rust-162667ee40f6
https://mailtrap.io/blog/rust-send-email/
https://www.programonaut.com/how-to-set-up-sendinblue-smtp-for-pocketbase-step-by-step/
https://www.youtube.com/watch?v=Yghvxeoa6AI
https://help.brevo.com/hc/en-us/articles/209462765-What-is-Brevo-SMTP-
https://help.brevo.com/hc/en-us/articles/7924908994450
https://help.brevo.com/hc/en-us/articles/208589409#h_01GFR30H5V0MPZJ40VKG3B5BHH

After basic authentication implemented, add a 2 Factor Authentication method
I don't really know how hard this will be, but well...

As said in #60 :
To make the application secure, we need to avoid user enumeration, this PR starts the effort, we need:

• Consistent return when user/email exists and don't exist in sign up (implemented in this PR)
• Consistent timings for the above routes
• Clear user communication (sending forgot password email when user exists and doing the appropriate logic: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html)
• Forgot password functionality
• Rate limiting in these endpoints
• Captcha #20

This issue is implementing the rate limiting

1. Create roles: user and unconfirmed-user
2. Assign resend-verification to route an unconfirmed-user logged in can access.

Add to CI workflow.

Before launching of working version 0.2, assess security aspects of it, with auth + 2FA, etc.

Pentest

Test spamming with captcha

Also test sec headers
Test with static and dynamic code analysis
Mirai and miri

This is to make the app more production ready and easier for contributions

Thinking of spam prevention / security issues, captcha would be a good addition.

In #64 , security headers csp was dropped.
Reimplement it here, also taking in mind #29

Currently, there is no concept of user in the app, nor authentication.
However, we need to segregate what expenses belong to each user, since the data which will be displayed is sensitive and should be secured.

Maybe do the zskcsxc whatever thing
where a password is suggested
github repo name style (Diceware)

• https://en.wikipedia.org/wiki/Diceware
• https://observer.com/2016/09/eff-diceware-passwords/
• https://gitlab.com/timvisee/chbs, https://crates.io/crates/chbs
• https://www.reddit.com/r/1Password/comments/az5ftn/suggest_memorable_passwords_instead_of_jibberish/ and 1Password
• https://security.stackexchange.com/questions/6095/xkcd-936-short-complex-password-or-long-dictionary-passphrase
• https://www.reddit.com/r/rust/comments/142avuu/motus_a_dead_simple_commandline_password_generator/, https://github.com/oleiade/motus/tree/main
• https://github.com/healeycodes/niceware
• https://crates.io/crates/randompass, https://github.com/mihaigalos/randompass
• https://github.com/po0uyan/rust-secure-pass-gen

As stated in #60 :
To make the application secure, we need to avoid user enumeration, this PR starts the effort, we need:

• Consistent return when user/email exists and don't exist in sign up (implemented in this PR)
• Consistent timings for the above routes
• Clear user communication (sending forgot password email when user exists and doing the appropriate logic: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html)
• Forgot password functionality
• Rate limiting in these endpoints #61
• Captcha #20

This issue should implement the consistent timings when user exists and when they don't.

https://github.com/maxcountryman/axum-login/releases/tag/v0.13.1
https://github.com/maxcountryman/axum-login/pull/160/files

https://docs.rs/axum/latest/axum/middleware/index.html#ordering
tokio-rs/axum#1706
https://docs.rs/tower-http/latest/tower_http/trace/index.html
https://github.com/tokio-rs/tracing/blob/master/examples/examples/fmt-pretty.rs
https://docs.rs/tracing/latest/tracing/
https://blog.devgenius.io/adding-logging-and-tracing-to-an-axum-app-rust-d7935693bc3c

Change CI workflows from github actions to circle ci.
Reasons:

• Efficiency (?)
• More control
• Experimentation

Currently, data api's only layer of security is the basic auth, without 2FA.
I have to think of the architecture to implement it.

Currently, data insert is manual.
We want it to be automatic from an exposed API from the financial institution, i.e.: Nubank.