mike-goodwin / owasp-threat-dragon

An open source, online threat modelling tool from OWASP
http://mike-goodwin.github.io/owasp-threat-dragon/
Apache License 2.0

How to deploy it on local. [environment variables] #154

Closed ZhangK123 closed 4 years ago

ZhangK123 commented 4 years ago

After trying to deploy for 3 days, I still cannot deploy it on my computer. I don't know how to deploy environment variables.

After I set these:

process.env.SESSION_STORE = 'local';
process.env.NODE_ENV = 'development';

It shows:

{"name":"threatdragon","hostname":"DESKTOP-5O3JJ6D","pid":17136,"level":50,"msg":"owasp threat dragon failed to start up","time":"2020-06-21T12:40:43.293Z","v":0} {"name":"threatdragon","hostname":"DESKTOP-5O3JJ6D","pid":17136,"level":50,"msg":"OAuth2Strategy requires a clientID option","time":"2020-06-21T12:40:43.293Z","v":0} Error: secret option required for sessions at session (D:\CodeSpace\Final_project\node_modules\express-session\index.js:200:12) at Layer.handle [as handle_request] (D:\CodeSpace\Final_project\node_modules\express\lib\router\layer.js:95:5) at trim_prefix (D:\CodeSpace\Final_project\node_modules\express\lib\router\index.js:317:13) at D:\CodeSpace\Final_project\node_modules\express\lib\router\index.js:284:7 at Function.process_params (D:\CodeSpace\Final_project\node_modules\express\lib\router\index.js:335:12) at next (D:\CodeSpace\Final_project\node_modules\express\lib\router\index.js:275:10) at csp (D:\CodeSpace\Final_project\node_modules\helmet-csp\dist\index.js:53:13) at Layer.handle [as handle_request] (D:\CodeSpace\Final_project\node_modules\express\lib\router\layer.js:95:5) at trim_prefix (D:\CodeSpace\Final_project\node_modules\express\lib\router\index.js:317:13) at D:\CodeSpace\Final_project\node_modules\express\lib\router\index.js:284:7

ZhangK123 commented 4 years ago

D:\CodeSpace\ow\owasp-threat-dragon> set SESSION_SIGNING_KEY=local & set NODE_ENV=development & npm start

owasp-threat-dragon@1.2.0 start D:\CodeSpace\ow\owasp-threat-dragon
node server.js

{"name":"threatdragon","excludes":["req-headers","res-headers","res","req","short-body","body","response-hrtime","incoming","user-agent","response-time","http-version"],"hostname":"DESKTOP-5O3JJ6D","pid":2780,"level":50,"security":true,"msg":"local session store used - should only happen in dev environments","time":"2020-06-21T20:16:09.056Z","v":0} {"name":"threatdragon","hostname":"DESKTOP-5O3JJ6D","pid":2780,"level":50,"msg":"owasp threat dragon failed to start up","time":"2020-06-21T20:16:09.085Z","v":0} {"name":"threatdragon","hostname":"DESKTOP-5O3JJ6D","pid":2780,"level":50,"msg":"OAuth2Strategy requires a clientID option","time":"2020-06-21T20:16:09.085Z","v":0}

ZhangK123 commented 4 years ago

This is how I run the code. I tried to edit session.config.js, and tried to run the code from the command line, but neither works. I don't know how to set "OAuth2Strategy requires a clientID option".

jgadsden commented 4 years ago

Hello @ZhangK123, you need to set up all these environment variables:

I agree the documentation is not very explicit, and it probably needs documenting more fully.

Once you have all the steps in https://github.com/settings/applications/new then you end up entering these exports to set up your env vars:

export GITHUB_CLIENT_ID=XXXX        # your GitHub OAuth client ID
export GITHUB_CLIENT_SECRET=XXXX    # your GitHub OAuth client secret
export SESSION_SIGNING_KEY=XXXX     # 32 byte long random key
export SESSION_ENCRYPTION_KEYS='[{"isPrimary": true, "id": 0, "value": "XXXX(32 byte key)"}, {"isPrimary": false, "id": 1, "value": "XXXX(32 byte key)"}]'
export SESSION_STORE=local
export NODE_ENV=development

ZhangK123 commented 4 years ago

OK, thank you, I will try it now.

jgadsden commented 4 years ago

I will try and give a step-by-step guide sometime in the next day or so, but in the meantime do you want to try the desktop application first? It is easier to set up and once you have evaluated it you can then move on to using github to store your model files.

Threat Dragon Desktop version is here https://github.com/owasp/threat-dragon-desktop and the install is easy once you have downloaded the source: https://github.com/owasp/threat-dragon-desktop/archive/main.zip or cloned it:

git clone https://github.com/owasp/threat-dragon-desktop
cd threat-dragon-desktop
npm install
npm run start

There are also version 1.2 installers at https://github.com/mike-goodwin/owasp-threat-dragon-desktop/releases/tag/v1.2

ZhangK123 commented 4 years ago

I will try it. Thank you.

jgadsden commented 4 years ago

Hello @ZhangK123

here are the steps to set up the environment variables:

You now have all the info to set up the environment variables:

you should now be able to start the threat dragon webapp using npm run-script start and then navigate in a browser to "http://localhost:3000/"

Hope this works OK for you, if not then get back to me

ZhangK123 commented 4 years ago

Thanks for your help. I finally successfully set up the environment variables.

This is how I set these variables in Win10:

Add these lines to ./td/app.js:

try {
    process.env.GITHUB_CLIENT_ID = 'a12345bc123aa123bb12 ';
    process.env.GITHUB_CLIENT_SECRET = '0123456789abcdef0123456789abcdef01234567';
    process.env.NODE_ENV = 'development';
    process.env.SESSION_STORE = 'local';
    process.env.SESSION_SIGNING_KEY = '11223344556677889900aabbccddeeff';
    process.env.SESSION_ENCRYPTION_KEYS = '[{"isPrimary": true, "id": 0, "value": "11223344556677889900aabbccddeeff"}]'
    ......

Save then run the code in the cmd with "npm start"
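
A preflight check for the variables discussed in this thread, as an added example that is not part of the original posts or of Threat Dragon's own code. `checkEnv` and `newKey` are hypothetical names; the check assumes keys are 32-character strings (the shape of the sample values above) and exactly one primary encryption key, as in the maintainer's sample.

```javascript
const crypto = require('crypto');

const REQUIRED = ['GITHUB_CLIENT_ID', 'GITHUB_CLIENT_SECRET',
  'SESSION_SIGNING_KEY', 'SESSION_ENCRYPTION_KEYS'];
const KEY_LENGTH = 32; // assumption: keys are 32-character strings, as in the thread
// Sample key posted in this thread: it is public, so never acceptable as a real key.
const PUBLISHED = new Set(['11223344556677889900aabbccddeeff']);

// Fresh random key: 16 random bytes, hex encoded to 32 characters.
function newKey() {
  return crypto.randomBytes(KEY_LENGTH / 2).toString('hex');
}

// Returns a list of problems; an empty list means the settings look usable.
function checkEnv(env) {
  const problems = [];
  for (const name of REQUIRED) {
    const value = env[name];
    if (!value) problems.push(`${name} is not set`);
    else if (value !== value.trim()) problems.push(`${name} has stray whitespace`);
  }
  let keys = [];
  try {
    keys = JSON.parse(env.SESSION_ENCRYPTION_KEYS);
    if (!Array.isArray(keys)) throw new TypeError('not an array');
  } catch (err) {
    keys = [];
    problems.push('SESSION_ENCRYPTION_KEYS is not a JSON array');
  }
  // Assumption: exactly one entry is primary, as in the maintainer's sample.
  if (keys.length && keys.filter((k) => k.isPrimary === true).length !== 1) {
    problems.push('SESSION_ENCRYPTION_KEYS needs exactly one primary key');
  }
  const secrets = keys.map((k) => [`encryption key ${k.id}`, String(k.value)]);
  if (env.SESSION_SIGNING_KEY) secrets.unshift(['SESSION_SIGNING_KEY', env.SESSION_SIGNING_KEY]);
  const seen = new Set();
  for (const [label, value] of secrets) {
    if (value.length !== KEY_LENGTH) problems.push(`${label} is not ${KEY_LENGTH} characters`);
    if (PUBLISHED.has(value)) problems.push(`${label} is a published sample value`);
    if (seen.has(value)) problems.push(`${label} repeats another key`);
    seen.add(value);
  }
  // The app's own log warns that the local store belongs in dev environments only.
  if (env.SESSION_STORE === 'local' && env.NODE_ENV !== 'development') {
    problems.push('SESSION_STORE=local outside NODE_ENV=development');
  }
  return problems;
}
```

On Windows cmd, `set NAME=value & next-command` stores the space before `&` as part of the value, which the whitespace check reports.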

jgadsden commented 4 years ago

Hello @ZhangK123 - good news that you are now running Threat Dragon, I hope you like it. I realise that I had sent you the example commands for Linux / MacOS, not Windows ... I am a linux sort of guy myself. I will make sure I update the instructions with Windows commands as well.