nicolasauler / finnish
Finnish is your secure software for financial management
Home Page: https://finnish.shuttleapp.rs
Data API has been deprioritized in favor of Hypermedia API.
That means that a lot of functions are currently missing, like:
Currently, we can't do it, due to the way Shuttle starts the axum service.
Should be done like:
https://github.com/maxcountryman/axum-login/blob/main/examples/sqlite/src/web/app.rs
But we need to somehow start the task after axum is served, so, maybe, try to ask the guys at Shuttle.
The 'unsafe-inline' option was added to script-src-elem in the Content Security Policy, because htmx.min.js was breaking with only 'self' in that header attribute.
Htmx was breaking only when showing plotly, but was otherwise working fine.
This is a fix of the feature added in #28
https://observatory.mozilla.org/analyze/finnish.shuttleapp.rs
https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html
After #48, the 2FA setup screen was created.
However, I couldn't get it to work in htmx (hx-target to an id further than the direct parent was causing breakage in the error return with hx-target-error and the message div) to overwrite the entire article tag.
So it is buggy, inside of a sign_in tab.
Also, show top nav bar with logout in pseudo-user.
Also: maybe it's buggy if user is logged in, then closes (in the qr code page) and opens app (by going to root). Where will he be?
Currently, the data plot doesn't calculate a median of the day's expenses, and simply plots them all, which makes for a confusing piece of information when a day has a vertical bar.
Currently, there are no tests
Write tests
Add test coverage to CI
Add test coverage badge to readme
Add functionality of changing the user password, since we will now have a confirmed user email.
https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html
Similar to #32
Maybe check relevant sources for this:
The benefit I could see is privacy, as in, number of objects of whatever it is we are talking about remain private to whomever the owner is.
Add a user logout button to a top nav
Follow structure: https://github.com/maxcountryman/axum-login/blob/main/examples/sqlite/src/web/auth.rs
❗ hotfix
Add validations made in htmx for each of the fields, like password strength and matching, to the signup and change password endpoints
To make application more robust, we must send a confirmation email to the user.
This way we avoid a bit of user spamming.
For this, we must have a smtp provider.
From what I've seen: using lettre with sendinblue (now brevo) is a good option. And maybe mailtrap for dev testing.
Maybe useful links:
https://cloudmaker.dev/email-verification/
https://www.brevo.com/products/transactional-email/
https://codevoweb.com/rust-api-user-registration-and-email-verification/
https://codevoweb.com/how-to-send-html-emails-in-rust-via-smtp/#smtp-provider-to-send-development-emails
https://medium.com/swlh/sending-emails-with-rust-162667ee40f6
https://mailtrap.io/blog/rust-send-email/
https://www.programonaut.com/how-to-set-up-sendinblue-smtp-for-pocketbase-step-by-step/
https://www.youtube.com/watch?v=Yghvxeoa6AI
https://help.brevo.com/hc/en-us/articles/209462765-What-is-Brevo-SMTP-
https://help.brevo.com/hc/en-us/articles/7924908994450
https://help.brevo.com/hc/en-us/articles/208589409#h_01GFR30H5V0MPZJ40VKG3B5BHH
After basic authentication is implemented, add a 2-Factor Authentication method
I don't really know how hard this will be, but well...
As said in #60:
To make the application secure, we need to avoid user enumeration; this PR starts the effort. We need:
This issue is implementing the rate limiting
Add to CI workflow.
Before launching working version 0.2, assess its security aspects, with auth + 2FA, etc.
Pentest
Test spamming with captcha
Also test sec headers
Test with static and dynamic code analysis
Mirai and miri
This is to make the app more production ready and easier for contributions
Thinking of spam prevention / security issues, captcha would be a good addition.
Currently, there is no concept of user in the app, nor authentication.
However, we need to segregate what expenses belong to each user, since the data which will be displayed is sensitive and should be secured.
Maybe do the zskcsxc whatever thing
where a password is suggested
github repo name style (Diceware)
As stated in #60:
To make the application secure, we need to avoid user enumeration; this PR starts the effort. We need:
This issue should implement the consistent timings when user exists and when they don't.
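One way to implement the consistent timing this issue asks for, shown as an added Python illustration with the standard library's PBKDF2 rather than the project's own Rust/axum-login code. The in-memory user store, the iteration count and the error messages are constructed for the example; the leaky variant is included only to show what the timing and message difference looks like.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

ITERATIONS = 100_000  # constructed cost; use the app's real hashing parameters in production
GENERIC_ERROR = "invalid username or password"  # same message for every failure cause


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


# Constructed in-memory user store standing in for the application's database.
USERS = {"alice": hash_password("correct horse battery staple")}

# One dummy credential hashed at startup. Verifying against it costs the same as a
# real verification, so "no such user" takes as long as "wrong password".
_DUMMY_SALT, _DUMMY_HASH = hash_password(os.urandom(16).hex())


def verify(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)  # constant-time comparison


def login_leaky(username: str, password: str) -> Tuple[bool, str]:
    """Enumerable: unknown users return early (fast) with a distinct message."""
    record = USERS.get(username)
    if record is None:
        return False, "no such user"
    return (True, "ok") if verify(password, *record) else (False, "wrong password")


def login(username: str, password: str) -> Tuple[bool, str]:
    """Hardened: every failure path runs one hash and returns the same message."""
    record = USERS.get(username)
    if record is None:
        verify(password, _DUMMY_SALT, _DUMMY_HASH)  # burn the same cost, discard result
        return False, GENERIC_ERROR
    if not verify(password, *record):
        return False, GENERIC_ERROR
    return True, "ok"


def timed(fn, username: str, password: str) -> Tuple[bool, float]:
    """Returns (ok, seconds taken) so the two variants can be compared."""
    start = time.perf_counter()
    ok, _ = fn(username, password)
    return ok, time.perf_counter() - start
```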
https://github.com/maxcountryman/axum-login/releases/tag/v0.13.1
https://github.com/maxcountryman/axum-login/pull/160/files
https://docs.rs/axum/latest/axum/middleware/index.html#ordering
tokio-rs/axum#1706
https://docs.rs/tower-http/latest/tower_http/trace/index.html
https://github.com/tokio-rs/tracing/blob/master/examples/examples/fmt-pretty.rs
https://docs.rs/tracing/latest/tracing/
https://blog.devgenius.io/adding-logging-and-tracing-to-an-axum-app-rust-d7935693bc3c
Change CI workflows from GitHub Actions to CircleCI.
Reasons:
Currently, the data API's only layer of security is the basic auth, without 2FA.
I have to think of the architecture to implement it.
Currently, data insert is manual.
We want it to be automatic, from an API exposed by the financial institution, i.e. Nubank.