Design a simple login user interface that enables a user to enter their user ID and password.
Observability:
I used HTTPS-encrypted communication between the client and the server. To verify this, I sniffed the packets in Wireshark and confirmed that I could not read the messages being sent.
Implement defenses against repeated online attacks: implement a timer on the client side that locks clients out for a certain period of time -> defends against online guessing attacks
Implement a timer on the server side that rate-limits an IP/port after a number of failed guesses -> defends against online attacks
Implement an auto-generated TLS certificate in the server -> using a new TLS key on startup reduces the value of the information an attacker acquires if they break in
Implement an auto-updating TLS certificate that is refreshed every time interval in the server? -> what if the TLS key gets cracked? Reduces the value of the information acquired by the attacker
Find an alternative to storing certificates in the repo? Maybe keep them in their own little folder so they don't mix with the code?
Q: is it possible to test a successful login?
Other TODO:
set up dotenv environment variables
make all user-input interactions mockable so that they can be tested
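Added example (not the project's own code) of the server-side defense noted above: a per-client failed-login counter that locks the client address out after a number of failures inside a window. The class, function and constant names, and the limits (5 failures in 60 s, 300 s lockout) are assumptions; the clock is injectable so the lockout can be unit-tested without sleeping, in line with the goal of making interactions mockable.

```python
import time
from collections import defaultdict

MAX_FAILURES = 5    # assumed: failures allowed inside WINDOW before lockout
WINDOW = 60.0       # assumed: seconds over which failures are counted
LOCKOUT = 300.0     # assumed: seconds a client stays locked out


class LoginRateLimiter:
    """Tracks failed logins per client address (e.g. source IP) and locks
    that address out once MAX_FAILURES failures occur inside WINDOW seconds."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock                 # injectable for tests
        self._failures = defaultdict(list)  # client -> timestamps of failures
        self._locked_until = {}             # client -> lockout expiry time

    def is_locked(self, client):
        until = self._locked_until.get(client)
        if until is None:
            return False
        if self._clock() < until:
            return True
        del self._locked_until[client]      # lockout expired: clear state
        self._failures.pop(client, None)
        return False

    def record_failure(self, client):
        now = self._clock()
        recent = [t for t in self._failures[client] if now - t <= WINDOW]
        recent.append(now)
        self._failures[client] = recent
        if len(recent) >= MAX_FAILURES:
            self._locked_until[client] = now + LOCKOUT
            self._failures[client] = []

    def record_success(self, client):
        self._failures.pop(client, None)


def attempt_login(limiter, client, user_id, password, check_credentials):
    """Returns 'locked', 'ok' or 'denied'. check_credentials is the app's
    own verifier (assumed signature: (user_id, password) -> bool)."""
    if limiter.is_locked(client):
        return "locked"          # do not even evaluate the password
    if check_credentials(user_id, password):
        limiter.record_success(client)
        return "ok"
    limiter.record_failure(client)
    return "denied"
```

The lockout check runs before credential verification, so a locked-out address learns nothing about whether a guess was right.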