cve-search / vulnerability-lookup

Vulnerability Lookup facilitates quick correlation of vulnerabilities from various sources, independent of vulnerability IDs, and streamlines the management of Coordinated Vulnerability Disclosure (CVD).
https://cve-search.github.io/vulnerability-lookup/
GNU Affero General Public License v3.0

User management #43

Closed cedricbonhomme closed 3 months ago

cedricbonhomme commented 4 months ago

This is a draft pull request with basic management of users. I still need to make checks, clean various stuff. Check if I did not forget to specify the types (with mypy), the logs, configurations, etc.

I made sure that when the project is started with the command start (with all the backend) everything works as before.

The user account creation is working. With confirmation via email: a time-based token is sent in a URL. The user must follow the URL in the email. The TOKEN_VALIDITY_PERIOD is set by default to 3600 seconds.

Two-Factor Authentication is implemented. Setup with QRCode or token from the server. Nothing special...

An admin can change roles of users, activate or deactivate accounts, delete accounts, etc. There is a simple dashboard dedicated to the admin in order to check the state of the user accounts.

For more details on 2FA and the roles of users: https://vulnerability-lookup.readthedocs.io/en/latest/webservice.html

There is a new setting, here, which can disable the 2 blueprints related to the user management (future related features). This is the only new config I added.

The other configurations dedicated to the webservice are here, where we can configure the SMTP connection and whether users can create an account (self sign-up). If not, an admin must create the accounts (via the web interface or command line).

When the user management is not enabled there are only two blueprints. It's the same code as before, I changed nothing in the views. We have:

No changes.

Ah, and as you can see I started a documentation.
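The two mechanisms described in the comment above (a time-based confirmation token sent in the email URL, bounded by TOKEN_VALIDITY_PERIOD, and TOTP-based 2FA set up from a QR code) as an added example, not code from the vulnerability-lookup pull request itself. It is stdlib-only Python; the token layout, the function names, SERVER_SECRET and the otpauth URI helper are assumptions made for this example. The TOTP part goes slightly beyond the comment by showing the RFC 4226/6238 computation an authenticator app performs, checked against the RFC test vectors.

```python
"""Added example: signed, time-limited confirmation token and TOTP check.

Not the project's code. Helper names, token layout and secrets are
assumptions for this example.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote

TOKEN_VALIDITY_PERIOD = 3600  # seconds, the default mentioned in the PR

# Constructed server-side secret for the example only; a real deployment
# loads this from configuration, never from source.
SERVER_SECRET = b"example-secret-do-not-use"


def _b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_confirmation_token(email: str, issued_at: Optional[int] = None) -> str:
    """Return 'payload.signature'; payload = base64(email|issued_at)."""
    issued_at = int(time.time()) if issued_at is None else issued_at
    payload = _b64e(f"{email}|{issued_at}".encode())
    sig = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64e(sig)}"


def verify_confirmation_token(token: str, now: Optional[int] = None,
                              validity: int = TOKEN_VALIDITY_PERIOD) -> Optional[str]:
    """Return the confirmed address, or None if the token is malformed,
    tampered with, issued in the future, or older than `validity` seconds."""
    now = int(time.time()) if now is None else now
    try:
        payload, sig = token.split(".", 1)
        expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).digest()
        # Constant-time comparison so the check does not leak via timing.
        if not hmac.compare_digest(expected, _b64d(sig)):
            return None
        email, issued = _b64d(payload).decode().rsplit("|", 1)
        issued_at = int(issued)
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    if issued_at > now or now - issued_at > validity:
        return None
    return email


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic
    truncation to a 31-bit integer and reduction to `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second periods elapsed."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: int, window: int = 1) -> bool:
    """Accept the code of the current step or of `window` steps either side
    (small clock drift). All candidates are compared in constant time."""
    counter = at // 30
    matches = [hmac.compare_digest(hotp(secret, counter + d), submitted)
               for d in range(-window, window + 1)]
    return any(matches)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI that authenticator apps read from the setup QR code
    (the secret is base32 without padding, as the apps expect)."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}&digits=6&period=30"


if __name__ == "__main__":
    token = make_confirmation_token("alice@example.org")  # constructed address
    print("confirmed:", verify_confirmation_token(token))
    rfc_secret = b"12345678901234567890"  # RFC 6238 test secret
    print("TOTP at T=59:", totp(rfc_secret, 59))
    print(provisioning_uri(rfc_secret, "alice@example.org", "vulnerability-lookup"))
```

The expiry check is done against the issue time embedded in the signed payload, so the validity window cannot be extended by editing the URL; the signature check rejects any payload change, and a token minted for one address cannot be replayed for another.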

Rafiot commented 4 months ago

Can you document how to upgrade the bundled-in vulnogram code? It will make maintenance long term a lot easier I think.

(and sorry if it's already there and I missed it)

cedricbonhomme commented 4 months ago

> Can you document how to upgrade the bundled-in vulnogram code? It will make maintenance long term a lot easier I think.
>
> (and sorry if it's already there and I missed it)

Yes, I will document it. For the moment I was more testing it. I removed a lot of useless stuff for us. Consequently in the current state this is not something easy to update (the bundle). The goal was to check if the idea will work. And it seems that yes... It's possible to get the data on the backend, update the metadata field with information related to the reporter, and store it in kvrocks. But yes I must find a better solution for the future upgrade of this bundle. I guess I will use a template and we will update only the bundle.

The generated bundle contains a lot of JavaScript code in order to let the user authenticate to his/her CVE.org account and sync data. I mainly removed stuff related to this. Of course we could decide that we do not remove this JavaScript code and just cut and paste the content of the bundle in our template. It would be way easier. I'll try to make it really easy and then document it.

adulau commented 3 months ago

Thanks a lot for the work!