Open ctmbl opened 1 year ago
great idea!
will probably not have time to help, but looking forward to it :+1:
That's an amazing idea. I haven't implemented any logs at the moment for the backend, and I don't think node does it automatically. Do you want to add it to the v0.0.2 milestone or maybe another one? It doesn't seem to be related to the changes of v0.0.2
Some useful links:
Great! I can look at these subjects, I have a (little) bit of logging experience from my internship last summer, so even if it's a new language and framework I can look into it :wink:
Thank you! Don't hesitate if you have questions about the framework! I assigned this feature to the v0.0.2 milestone!
I just discovered that nginx already logs every connection attempt, maybe we should build or configure on top of it a tool to monitor it?
I don't think there is traffic that isn't logged by nginx, given that any attempt from a browser to reach the backend will eventually pass through nginx? but @atxr I'd like your advice
see `sudo docker logs iscscfr-nginx-1 | tac | less` on the iscsc remote server
https://www.digitalocean.com/community/tutorials/nginx-access-logs-error-logs should help regarding this issue
will wait for #86 and #95
Context: The #2 PR from @atxr has introduced User Authentication to our website: a mandatory feature to develop other services around the website. However, this PR also brought many security concerns, and we, as students, aren't fully capable of designing an entirely safe website, even a small one, despite all our interest in cyber-security. At least that's what I think.
Problem: Even with our best effort we can't design a safe website.
Solution: I then want to propose a complementary solution, which I think is also widely used in the industry and is quite an interesting challenge. Because we can't guarantee that the website is safe, we could monitor the traffic and log it. That would allow us to detect break-in attempts as early as possible. I don't know what kind of security and monitoring the current website and framework offer (defense against brute-forcing, automatic logging to a file, etc.) but I'm interested in looking deeper into the subject!
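The two points above (nginx already logging every request, and using those logs to spot break-in attempts such as brute-forcing) come together in the following added example. It is not code from this repository or from any of the participants: it parses nginx's default `combined` access-log format and flags any client IP that produces a burst of failed logins against the login route. The login path `/api/login`, the assumption that a failed login answers 401 or 403, and the sample log lines are all constructed here for illustration; the real route and status codes would have to be checked against the backend.

```python
import re
import sys
from collections import defaultdict
from datetime import datetime, timedelta

# Regex for nginx's default "combined" access_log format, e.g.
#   1.2.3.4 - - [12/Mar/2023:10:00:01 +0000] "POST /api/login HTTP/1.1" 401 52 "-" "curl/7.81.0"
COMBINED_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample, not taken from a real server: one client hammers the
# login endpoint, another fails twice, plus ordinary traffic and one garbage line.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2023:10:00:01 +0000] "POST /api/login HTTP/1.1" 401 52 "-" "curl/7.81.0"',
    '203.0.113.7 - - [12/Mar/2023:10:00:05 +0000] "POST /api/login HTTP/1.1" 401 52 "-" "curl/7.81.0"',
    '192.0.2.10 - - [12/Mar/2023:10:00:07 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2023:10:00:09 +0000] "POST /api/login HTTP/1.1" 401 52 "-" "curl/7.81.0"',
    '198.51.100.4 - - [12/Mar/2023:10:00:11 +0000] "POST /api/login HTTP/1.1" 401 52 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2023:10:00:13 +0000] "POST /api/login HTTP/1.1" 401 52 "-" "curl/7.81.0"',
    '203.0.113.7 - - [12/Mar/2023:10:00:17 +0000] "POST /api/login HTTP/1.1" 401 52 "-" "curl/7.81.0"',
    '198.51.100.4 - - [12/Mar/2023:10:00:19 +0000] "POST /api/login HTTP/1.1" 200 87 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2023:10:00:21 +0000] "POST /api/login HTTP/1.1" 401 52 "-" "curl/7.81.0"',
    '203.0.113.7 - - [12/Mar/2023:10:00:25 +0000] "POST /api/login HTTP/1.1" 200 87 "-" "curl/7.81.0"',
    '203.0.113.7 - - [12/Mar/2023:10:30:00 +0000] "POST /api/login HTTP/1.1" 401 52 "-" "curl/7.81.0"',
    'this line is not in combined format and must be skipped',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_bruteforce(lines, login_path="/api/login", threshold=5,
                      window=timedelta(minutes=1), failure_statuses=(401, 403)):
    """Return {ip: n} for every IP with at least `threshold` failed logins inside
    any `window`-long span; n is the size of the densest such burst.
    `login_path` and `failure_statuses` are assumptions about the backend."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # tolerate lines nginx or docker may have mangled
        if (rec["method"] == "POST" and rec["path"] == login_path
                and rec["status"] in failure_statuses):
            failures[rec["ip"]].append(rec["time"])

    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        # Sliding window over the sorted timestamps of this IP's failures.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            burst = end - start + 1
            if burst >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), burst)
    return flagged


if __name__ == "__main__":
    # Usage: docker logs iscscfr-nginx-1 2>&1 | python3 detect_bruteforce.py
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    for ip, burst in detect_bruteforce(source).items():
        print(f"possible brute force from {ip}: {burst} failed logins within one minute")
```

The successful login at 10:00:25 right after the burst is exactly what a practitioner would want to inspect by hand (it may mean the guessing worked), so a real monitor should report it rather than silently stop at the count; the threshold and window here are arbitrary and should be tuned against the site's normal traffic.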