deckar01 / CTFd

CTFs as you need them
https://ctfd.io
Apache License 2.0

Event Feed #1

Open deckar01 opened 7 years ago

deckar01 commented 7 years ago

Set up a way to push system events to an external scoreboard.

ShyftXero commented 7 years ago

Should this feature respect the settings in admin/appearance and admin/accounts regarding the visibility of the challenges? Should the endpoint be consumable by an admin account?

deckar01 commented 7 years ago

This should probably be an admin-only API that requires the admin account to generate an API token for the requests.

What do you mean by "respect ... the visibility of challenges"?

ShyftXero commented 7 years ago

There are two settings that seem to pertain to when and who can view the challenges and scoreboard. I thought that if we're creating an endpoint that extends those features, we should possibly take the visibility settings into account. I didn't know what the plan was regarding securing the endpoint. I like the API token. Could we create a flag submission via API as well? (That'd be another enhancement post.)

If it's admin only and access is controlled via token, then there's no problem.

deckar01 commented 7 years ago

> Could we create a flag submission via API as well?

Ya. Did you have a use case in mind?

Unless there is a reason to give the teams access to a scoreboard stream, I would prefer to keep it restricted to the admin.

ShyftXero commented 7 years ago

It would allow folks to submit flags via command line? They could build tooling around CTFd? It does make exploration of the scoreboard a bit more interesting to a player. We have to trust/ask players not to attack infrastructure.

POST request to /some/API/endpoint/

POST data in JSON format {team:'team_id', chall:'bonus' | 'chall_name', flag:'FLAG{flag_attempt}'}

If challenge is 'bonus', process it as if it has been input via bonus page.

Response {submission:'ok' | 'not ok'}

Just an idea. I believe this API could be implemented as a plug-in as well.

On Sep 27, 2017 2:03 PM, "Jared Deckard" <notifications@github.com> wrote:

> Could we create a flag submission via API as well?
>
> Ya. Did you have a use case in mind?
>
> Unless there is a reason to give the teams access to a scoreboard stream, I would prefer to keep it restricted to the admin.

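The two ideas in this thread, token-authenticated flag submission and an admin-only event feed, sketched together as an added example; it is not code from the thread or from CTFd. It assumes valid JSON with quoted keys, takes the team from the API token rather than trusting the `team` field in the body, and leaves out the 'bonus' case; every name, token and flag below is hypothetical.

```python
import hashlib
import hmac
import json

def _h(token: str) -> str:
    # Only hashes of the (random, high-entropy) API tokens are stored.
    return hashlib.sha256(token.encode()).hexdigest()

# Constructed sample data; a real deployment would keep this in the database.
TOKENS = {  # sha256(token) -> (team_id, role)
    _h("team1-token"): ("team_1", "team"),
    _h("admin-token"): (None, "admin"),
}
FLAGS = {"chall_name": "FLAG{correct}"}
EVENTS = []  # what the admin-only event feed would serve

def authenticate(token):
    """Return (team_id, role) for a known token, else None."""
    return TOKENS.get(_h(token or ""))

def submit_flag(token, body):
    """Handle one POST body in the format sketched in the thread."""
    ident = authenticate(token)
    if ident is None or ident[1] != "team":
        return 401, {"submission": "not ok"}
    team_id = ident[0]
    try:
        data = json.loads(body)
        chall, flag = data["chall"], data["flag"]
    except (ValueError, KeyError, TypeError):
        return 400, {"submission": "not ok"}
    # The team comes from the token; a mismatching 'team' field is rejected
    # so one team cannot submit (or burn attempts) on behalf of another.
    if data.get("team", team_id) != team_id:
        return 403, {"submission": "not ok"}
    expected = FLAGS.get(chall) if isinstance(chall, str) else None
    # Constant-time comparison of the submitted flag.
    ok = (isinstance(flag, str) and expected is not None
          and hmac.compare_digest(flag.encode(), expected.encode()))
    EVENTS.append({"team": team_id, "chall": chall, "correct": ok})
    return 200, {"submission": "ok" if ok else "not ok"}

def event_feed(token):
    """Admin-only: return recorded events, or None for any other caller."""
    ident = authenticate(token)
    return list(EVENTS) if ident and ident[1] == "admin" else None
```
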