mike-goodwin / owasp-threat-dragon

An open source, online threat modelling tool from OWASP
http://mike-goodwin.github.io/owasp-threat-dragon/
Apache License 2.0

Fail to deploy in MAC OSX #41

Closed windyzxcui closed 7 years ago

windyzxcui commented 7 years ago

Hi, I want to deploy locally on Mac OS X, but it fails. When I run npm start, the terminal shows the following error:

owasp-threat-dragon@0.3.2 start /Users/windycui/Desktop/windy/software/Threat_Dragon/owasp-threat-dragon
node server.js
{"name":"threatdragon","excludes":["req-headers","res-headers","res","req","short-body","body","response-hrtime","incoming","user-agent","response-time","http-version"],"hostname":"homedeMacBook-Pro.local","pid":1053,"level":50,"security":true,"msg":"secure session cookie flag was false - should only happen in dev environments","time":"2017-05-03T03:43:02.937Z","v":0}
{"name":"threatdragon","hostname":"homedeMacBook-Pro.local","pid":1053,"level":50,"msg":"owasp threat dragon failed to start up","time":"2017-05-03T03:43:02.941Z","v":0}
{"name":"threatdragon","hostname":"homedeMacBook-Pro.local","pid":1053,"level":50,"msg":"Credentials must be provided when creating a service client.","time":"2017-05-03T03:43:02.942Z","v":0}

Any idea ?

mike-goodwin commented 7 years ago

Thanks for your interest!

Judging from this log message:

{"name":"threatdragon","excludes":["req-headers","res-headers","res","req","short-body","body","response-hrtime","incoming","user-agent","response-time","http-version"],"hostname":"homedeMacBook-Pro.local","pid":1053,"level":50,"security":true,"msg":"secure session cookie flag was false - should only happen in dev environments","time":"2017-05-03T03:43:02.937Z","v":0}

You are correctly setting NODE_ENV to development, but this log:

{"name":"threatdragon","hostname":"homedeMacBook-Pro.local","pid":1053,"level":50,"msg":"Credentials must be provided when creating a service client.","time":"2017-05-03T03:43:02.942Z","v":0}

Says that you are trying to create an Azure table storage based session store without providing credentials. For local development you should set SESSION_STORE to equal local in your environment variables. This will tell the app to use the in-memory session store instead of the Azure table storage one. Obviously this is not suitable for production use, but it is perfect for local development. Alternatively, you could provide Azure storage account credentials, but probably the in-memory option is better for local development.

The logic for this can be found in session.config.js on line 25.

mike-goodwin commented 7 years ago

I just noticed that the README says SESSION_STORAGE instead of SESSION_STORE. Sorry for that - I just corrected it.

windyzxcui commented 7 years ago

Thanks @mike-goodwin, I added export SESSION_STORE=local to my environment variables. When I run npm start again, the terminal responds with the following error:

owasp-threat-dragon@0.3.2 start /Users/windycui/Desktop/windy/software/Threat_Dragon/owasp-threat-dragon
node server.js
{"name":"threatdragon","excludes":["req-headers","res-headers","res","req","short-body","body","response-hrtime","incoming","user-agent","response-time","http-version"],"hostname":"50.135.20.218.broad.gz.gd.dynamic.163data.com.cn","pid":2695,"level":50,"security":true,"msg":"secure session cookie flag was false - should only happen in dev environments","time":"2017-05-03T09:09:19.653Z","v":0}
{"name":"threatdragon","excludes":["req-headers","res-headers","res","req","short-body","body","response-hrtime","incoming","user-agent","response-time","http-version"],"hostname":"50.135.20.218.broad.gz.gd.dynamic.163data.com.cn","pid":2695,"level":50,"security":true,"msg":"local session store used - should only happen in dev environments","time":"2017-05-03T09:09:19.654Z","v":0}
express-session deprecated req.secret; provide secret option td/config/session.config.js:32:13
{"name":"threatdragon","hostname":"50.135.20.218.broad.gz.gd.dynamic.163data.com.cn","pid":2695,"level":50,"msg":"owasp threat dragon failed to start up","time":"2017-05-03T09:09:19.680Z","v":0}
{"name":"threatdragon","hostname":"50.135.20.218.broad.gz.gd.dynamic.163data.com.cn","pid":2695,"level":50,"msg":"OAuth2Strategy requires a clientID option","time":"2017-05-03T09:09:19.680Z","v":0}

How can I configure the clientID option?

mike-goodwin commented 7 years ago

You need to register your local instance of the application with GitHub and then set some environment variables. This is described in the environment variables section of the README.

It is relatively complicated to set this up. As an alternative, depending on your needs, you could consider looking at the desktop app variant. It's much simpler to get started (git clone, npm install, run - no config required). I'm currently working on an installer for Macs, so it will soon get even easier to get started.

Of course, if you prefer to continue with the web app variant, I'm very happy to support you. Maybe a Skype/Zoom/Hangout call would be better than GH comments though :) let me know...

mike-goodwin commented 7 years ago

Also, the log message:

express-session deprecated req.secret; provide secret option td/config/session.config.js:32:13

is because you need to set a SESSION_SIGNING_KEY environment variable for session signing. You will also need one or more session encryption keys SESSION_ENCRYPTION_KEYS. This is all in the README.

As I said - it is fairly complicated...

windyzxcui commented 7 years ago

Thanks @mike-goodwin . I will wait for your installer for MAC :) This project is very useful, thanks for your effort 👍

mike-goodwin commented 7 years ago

The packaged version for Macs is available now. Due to a lack of code signing, auto-update does not work on Mac, but I hope to get this sorted shortly.