Closed cedricbonhomme closed 3 months ago
Can you document how to upgrade the bundled-in vulnogram code? It will make maintenance long term a lot easier I think.
(and sorry if it's already there and I missed it)
Yes, I will document it. For the moment I was more testing it. I removed a lot of useless stuff for us. Consequently, in the current state this is not something easy to update (the bundle). The goal was to check if the idea would work. And it seems that yes... It's possible to get the data on the backend, update the metadata field with information related to the reporter, and store it in kvrocks. But yes, I must find a better solution for the future upgrade of this bundle. I guess I will use a template and we will update only the bundle.
The generated bundle contains a lot of JavaScript code in order to let the user authenticate to his/her CVE.org account and sync data. I mainly removed stuff related to this. Of course we could decide that we do not remove this JavaScript code and just cut and paste the content of the bundle into our template. It would be way easier. I'll try to make it really easy and then document it.
Thanks a lot for the work!
This is a draft pull request with basic management of users. I still need to make checks and clean various stuff. Check that I did not forget to specify the types (with mypy), the logs, configurations, etc.
I made sure that when the project is started with the command start (with all the backend) everything works as before.
The user account creation is working, with confirmation via email: a time-based token is sent in a URL. The user must follow the URL in the email. The TOKEN_VALIDITY_PERIOD is set by default to 3600 seconds. Two-Factor Authentication is implemented. Set up with a QR code or a token from the server. Nothing special...
An admin can change roles of users, activate or deactivate accounts, delete accounts, etc. There is a simple dashboard dedicated to the admin in order to check the state of the user accounts.
For more details on 2FA and the roles of users: https://vulnerability-lookup.readthedocs.io/en/latest/webservice.html
There is a new setting, here, which can disable the 2 blueprints related to the user management (future related features). This is the only new config I added.
The other configurations dedicated to the webservice are here, where we can configure the SMTP connection and whether users can create an account (self sign-up). If not, an admin must create the accounts (via the web interface or the command line).
When the user management is not enabled there are only two blueprints. It's the same code as before, I changed nothing in the views. We have: search, recent, vulnerability_view. No changes.
Ah, and as you can see I started a documentation.
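The PR description above mentions two time-based mechanisms: an email confirmation token carried in a URL that expires after TOKEN_VALIDITY_PERIOD seconds, and TOTP-style two-factor authentication set up from a QR code or a server-provided token. The following is an added, stand-alone illustration of both, written for this page; it is not code from the vulnerability-lookup project, which may well use a library such as itsdangerous or pyotp instead. The secret key, the email address, the Base32 seed (the RFC 6238 reference seed) and the issuer name are constructed for the example. What it shows beyond the prose: the token must bind the issue time to the account under an HMAC so neither the expiry nor the email can be edited in the URL, comparisons must be constant-time, and TOTP verification should accept a small window of adjacent 30-second steps to tolerate clock drift.

```python
import base64
import binascii
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote

# Assumption: a server-side secret loaded from configuration; the PR does not show it.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"
TOKEN_VALIDITY_PERIOD = 3600  # seconds; the default described in the PR


def _b64e(data: bytes) -> str:
    """URL-safe Base64 without padding, so the token can sit in a URL path or query."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def generate_confirmation_token(email: str, now: Optional[int] = None) -> str:
    """Return '<payload>.<signature>' where payload = '<issued_at>:<email>'.

    The issue time is inside the signed payload, so a user cannot extend the
    validity by editing the URL.
    """
    issued_at = int(time.time()) if now is None else now
    payload = f"{issued_at}:{email}".encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(sig)}"


def verify_confirmation_token(token: str, max_age: int = TOKEN_VALIDITY_PERIOD,
                              now: Optional[int] = None) -> Optional[str]:
    """Return the confirmed email, or None if the token is malformed, forged or expired."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload, sig = _b64d(payload_b64), _b64d(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time: no timing oracle
        return None
    issued_at_s, _, email = payload.decode(errors="replace").partition(":")
    if not issued_at_s.isdigit():
        return None
    current = int(time.time()) if now is None else now
    if current - int(issued_at_s) > max_age:  # older than TOKEN_VALIDITY_PERIOD
        return None
    return email


def totp(secret_b32: str, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), the algorithm authenticator apps implement."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", for_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, code: str, now: Optional[int] = None,
                window: int = 1, step: int = 30) -> bool:
    """Accept the code for the current step and +/- `window` steps of clock drift."""
    current = int(time.time()) if now is None else now
    return any(hmac.compare_digest(totp(secret_b32, current + i * step, step), code)
               for i in range(-window, window + 1))


def provisioning_uri(secret_b32: str, account: str, issuer: str = "example-issuer") -> str:
    """The otpauth:// URI that a setup QR code encodes (issuer name is an assumption)."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    tok = generate_confirmation_token("alice@example.org")
    print("confirmation URL: https://example.invalid/confirm/" + tok)
    print("verified:", verify_confirmation_token(tok))
    seed = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC 6238 reference seed, constructed input
    print(provisioning_uri(seed, "alice@example.org"))
    print("current code:", totp(seed, int(time.time())))
```

The email token is an HMAC over the issue time and the address rather than a random value stored server-side, so verifying it needs no database row and nothing to clean up; the trade-off is that it cannot be revoked early except by rotating SECRET_KEY, which is why the validity period should stay short. The TOTP seed must be stored per user and shown once (as the QR code or as the Base32 string) at enrollment.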