To set up the environment for this project you need to have the following installed on your system:
Remember that on Windows, to be able to use their commands from a terminal, you need to add them to your Environment Variables.
Download the frontend from the frontend repository
https://github.com/ferrazzosito/unibz-infosec-frontend
using git clone, then run
npm install
After that you are good to go: you can run
npm start
and find the frontend at http://localhost:3000, but keep in mind that it also needs the backend to work, so it won't do anything yet.
First of all, create an empty database using PostgreSQL and give it the name you prefer. To do so, first run the following command to open the psql command-line tool
psql -U < pgsql_username >
where pgsql_username is your PostgreSQL username.
When prompted, enter your PostgreSQL password, then run a CREATE DATABASE command to create the new database:
CREATE DATABASE < database_name >;
Download the backend from the backend repository
https://github.com/ferrazzosito/unibz-infosec-backend
using git clone, then go into src/main/resources/ and create a file called application.properties if it's not there yet.
Insert the following configuration:
spring.datasource.url=jdbc:postgresql://localhost:5432/< database_name >
spring.datasource.username=< pgsql_username >
spring.datasource.password=< pgsql_password >
spring.jpa.database-platform=org.hibernate.dialect.PostgreSQLDialect
spring.jpa.show-sql=true
spring.jpa.hibernate.ddl-auto=update
Once you are done, execute
mvn clean compile install
and then
mvn clean compile spring-boot:run
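The backend configuration step above as an added example script (not part of either repository): it writes src/main/resources/application.properties with the same six properties, but takes the three placeholders from environment variables instead of pasting the PostgreSQL password into a file that git could track, refuses to run when a value is empty, and warns if the result is not git-ignored. DB_NAME, DB_USER, DB_PASS and the RUN_SETUP switch are names assumed for this example.

```shell
#!/bin/sh
# Added example, not part of the unibz-infosec-backend project: render the
# application.properties from the setup steps, taking the placeholders from the
# environment variables DB_NAME, DB_USER and DB_PASS (names assumed here) so the
# PostgreSQL password never has to be typed into a file that may be committed.
set -eu

# Render the six properties with the placeholders filled in.
render_properties() {
  db_name="$1"; db_user="$2"; db_pass="$3"
  printf '%s\n' \
    "spring.datasource.url=jdbc:postgresql://localhost:5432/${db_name}" \
    "spring.datasource.username=${db_user}" \
    "spring.datasource.password=${db_pass}" \
    "spring.jpa.database-platform=org.hibernate.dialect.PostgreSQLDialect" \
    "spring.jpa.show-sql=true" \
    "spring.jpa.hibernate.ddl-auto=update"
}

# Fail if the named variable is unset or empty, so an empty password is never written.
require_var() {
  eval "val=\${$1:-}"
  [ -n "$val" ] || { echo "error: $1 is not set" >&2; return 1; }
}

# Write the file readable by the owner only and warn when git would track it.
# Argument: target path, default src/main/resources/application.properties.
write_properties() {
  target="${1:-src/main/resources/application.properties}"
  require_var DB_NAME && require_var DB_USER && require_var DB_PASS || return 1
  mkdir -p "$(dirname "$target")"
  ( umask 077; render_properties "$DB_NAME" "$DB_USER" "$DB_PASS" > "$target" )
  if command -v git >/dev/null 2>&1 && git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
    git check-ignore -q "$target" 2>/dev/null \
      || echo "warning: $target is not git-ignored; add it to .gitignore" >&2
  fi
  echo "wrote $target"
}

# Run from the backend checkout:
#   RUN_SETUP=1 DB_NAME=shop DB_USER=postgres DB_PASS=... sh setup-properties.sh
if [ "${RUN_SETUP:-0}" = 1 ]; then
  write_properties "$@"
fi
```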
If you followed the steps correctly you should now be ready to start using the application, as everything is set up and linked.
At http://localhost:3000/sign-up you can sign up either as a vendor or as a customer.
After that you'll be redirected to http://localhost:3000/login, where you can sign in.
At http://localhost:3000/ you'll find the customer homepage. You can search for a product by name and find it. For each product you can buy it, see its reviews, and see the vendor's account just by clicking their name in "by vendor < name >".
In the bottom part you can click LOGOUT to log out, or MY ACCOUNT to go to your customer account page.
By clicking the SEE REVIEWS button you get redirected to http://localhost:3000/product?id=1, where the id is the id of the product you'd like to see. On this page you can find a form to publish a review for this product, and below it you can read all of the reviews already present, each of which may or may not have a reply (a reply is an inner box with a structure similar to a review). To go back to the previous page you can just use your browser's back button.
By clicking the MY ACCOUNT button you get redirected to http://localhost:3000/my-profile-buyer, where you can see all the information related to your customer account. At the very top you can see your current balance and top it up for free in the form below it. You can see your past orders and whether they have been approved by the vendor or not; when an order is approved, the price of the product is subtracted from your account. From these cards you can also access the reviews page of the ordered product, as well as the vendor's page.
By clicking the "by vendor < name >" text you get redirected to http://localhost:3000/vendor?id=1, where you can find the email of the selected vendor and, in the bottom right corner, a button to chat with them live.
At http://localhost:3000/selling you'll find the vendor homepage. There's a form to add products. Below it you can search for one of your products by name and find it. For each product you can see its reviews and delete it, but only if it isn't referenced by anything yet (orders, reviews and so on).
In the bottom part you can find the chat requests and click OPEN CHAT to get connected to that customer and chat with them.
In the bottom part you can also click LOGOUT to log out, or MY ACCOUNT to go to your vendor account page.
By clicking the MY ACCOUNT button you get redirected to http://localhost:3000/my-profile-vendor, where you can see all the information related to your vendor account: all the orders of your products, their status, who bought them, and the reviews of your product related to each order. You can approve an order just by clicking APPROVE ORDER.
To try the chat you need to open an incognito tab and log in with another account whose role is the counterpart of the one you opened the chat with, i.e. a Vendor role.
The chat takes a while to load; wait until the chat input lets you write.
From a frontend point of view the chat is a bit buggy, because it was written for a slightly different version of React. Nevertheless, if you use it as intended, without unusual edge cases, it works as it should.
Keep in mind that the insecure version doesn't use a salt in its encryption, so accounts are not interchangeable between the two versions: you have to use different accounts for the safe and unsafe versions.
Signing up also takes a while, as the RSA keys are generated at sign-up.
We built the secure version and the insecure version as follows. The insecure version is vulnerable to
plus BONUS:
whilst the secure version implements mechanisms to overcome these vulnerabilities, the secure version