Web service#
Modules and blueprints#
The web service supports the management of user accounts with varying permissions.
This feature is optional and not enabled by default, meaning the web service operates in read-only mode initially.
To enable user accounts, set the value of user_accounts
to true
in the config/generic.json
file. This will
result in the activation of the blueprints responsible of the management of users (authentication, session, edition of CVE, etc.).
Initialization of the database:
$ poetry run flask --app website.app db_init
As explained in a previous section.
Blueprints#
The views of the application are structured in several Blueprints:
Blueprint API (structured in namespaces)
Bluepring Home
Blueprint Admin
Blueprint User
Blueprint Comment
Blueprint Bundle
Blueprint Sighting
Blueprint Documentation (serves the static files generated by Sphinx)
Security considerations#
By default, the web service is read-only. Vulnerabilities are imported through various feeders that are not connected to the web service. The web interface (HTML and API) is only used to consult data. When the user accounts feature is activated, two-factor authentication is mandatory. Additionally, each user can generate an API key to use the API programmatically.
Permissions#
admin: full access to everything including update of other comments or bundles or vulnerabilities
commenter: allow to create new comment or edit their own comments
reporter: is also a commenter but can also submit vulnerabilities or their own vulnerabilities
Authentication workflows#
Step |
Endpoint |
Methods |
Rule |
Comment |
---|---|---|---|---|
1 |
user_bp.signup |
GET, POST |
/user/signup |
Sign-up with login and email. A confirmation email is sent to the user with a token in a URL. |
2 |
user_bp.confirm_account |
GET, POST |
/user/confirm_account/<string:token> |
token: from the received emal. The user can now chose a password. |
3 |
user_bp.login |
GET, POST |
/user/login |
Authentication with login and password |
4 |
user_bp.setup_two_factor_auth |
GET |
/user/setup-2fa |
Set-up TFA with QRCode (or token) provided by the server |
5 |
user_bp.verify_two_factor_auth |
GET |
GET, POST /user/verify-2fa |
Verify TFA with token provided but the client app |
Endpoint |
Methods |
Rule |
---|---|---|
user_bp.login |
GET, POS |
/user/login |
user_bp.verify_two_factor_auth |
GET, POST |
/user/verify-2fa |