cgm616 / pupil-server Goto Github PK

This should prevent the user from getting into dashboard without being confirmed. This probably has some sort of hole that lets people get through (like the user navigating to /dash by themselves). This all needs to be fixed.

Lots of functionality is needed for this. This is the main page of the app.

Tutors

• accept jobs
• see list of upcoming jobs
• manage possible subjects
• access tutoring advice
• ability to respond to past jobs

Students

• create new tutoring sessions
• respond to past sessions

All of these are still in flux!

Right new it has a bunch of types that are very specific. These could probably be changed to something like:

pub enum ThresholdField {
    User,
    Pass,
    Name,
    Email,
}

pub enum FieldIssue {
    Taken,
    TooShort,
    NotValid,
}

pub enum Error {
    FieldError(ThresholdField, FieldIssue),
    ...
}

This would allow people to use their browser's back functionality and click out to re-login. Possibly not a good idea. I haven't decided yet.

We need to somehow ask users to confirm their emails to activate their accounts. At the same time, we want to be able to send emails periodically to people, and when we need to confirm new tutoring sessions.

Base component (Bulma): Panel
Links to : appointment database and filters it
Add to details by editing this comment
will filter by subject, date.
panel will parse database to only show appointments that are available

These are definite security improvements, to prevent an attacker from quickly trying many passwords. This is already partially implemented through the use of a time-intensive hashing function, but it could be improved with various other techniques other than making our server crunch numbers in the meantime.

Right now, it is possible to insert all spaces into our db, which should not be possible. There should be both a clientside and a server side check for bad input, with some type of process to make sure SQL attacks can't be used.

When logging in, if the username is not in the database the response will come back almost immediately, because the database call takes relatively less time than hashing a password to see if it is correct. Therefore, an attacker can mine our database for usernames by testing to see what combinations of login usernames go fast compared to waiting for hashing.

To prevent this, the server should wait a random-but-plausable amount of time after deciding that a username is bad before sending a response.

Title and Nav Bar done see commit 5a274d0

Base component (Bulma) : Menu
Links to : profile database, public profile. Secure transaction history
Add to details by editing this comment
Will show transactions and payments
profile with about section, education, etc.

This will greatly improve the security per user, and thus of the Pupil "network".

This needs to be resolved in elm. The button is here.

According to Bulma docs, the 'is-active' class needs to be added to the element.

To do this, most of the code needs to be ported to Elm.

This would prevent the same function being declared in multiple files.

This is almost definitely a problem with the Elm client side code. Probably easily fixable by checking if responses have a redirect error code then leaving the rest to the browser.

Honestly, I'm unsure as to the differences. However, it seems like it makes more semantic sense and looking at the Rocket source it seems to do some security things that are useful.

As the very least, deal with this type of stuff: https://github.com/SergioBenitez/Rocket/blob/master/lib/src/http/session.rs#L46.

Index (greeting page for new users) needs to be finished before launch. It should have information concerning what Pupil is and how it works, as well as the mission and how to get started.

This needs to be done in Travis. Some sort of expected response from the db must be used. In addition, a travis.env file should be used.

Right now, almost none of the app is tested.

When clicked, the user is scrolled to just above the start of the section. This should be fixed so that the top of the viewport is exactly the top of the section when scrolling.

This not only moves everything important about index into the same file, it also allows scrolling with links and other parts of the page to be implemented.

I think a button on the far right of the nav bar would be good. When clicked, it could open up the login widget in a modal.

Base component (Bulma): Form
Links to : appointment database
Add to details by editing this comment

This makes MUCH more semantic sense. This would include changing the frontend app to parse JSON responses from the server while paying attention to different fields.

As an example, this:
{ "redirect":"dash" }
would redirect the website to the dashboard page while something like this:
{ "msg":"You are successfully registered." }
would show the message to the user.

Base component (Bulma) : List with Panel?
Links to : appointment database, will only show appoints that contain/are linked to user
Add to details by editing this comment
Sort able by date, subject.

Should be a simple formatting issue

I think this will be v0.3.0 of rocket. This depends then on https://github.com/SergioBenitez/Rocket/milestone/3.

The jwt crate we use requires rustc_serialize, while Rocket requires serde. The new version of this crate has switched to serde, and so that crate needs to be updated to remove this extra dependency.

Server errors should redirect to an error page. Confirmation errors on requests should redirect too. Login and registration errors should return a json encoded string (maybe in a struct) to display to the user in the info box. Bad cookie errors should redirect to the homepage with a logout notice, or something like that.

For registration, username and email already exist messages are never sent, because they aren't actually checked for. For login, bad user or pass isn't actually sent for a bad username, which presents a security flaw.

Base component (Bulma) : Menu
Links to : n/a (probably user info)
Add to details by editing this comment

Title and Nav Bar done see commit 5a274d0