mrwaks/api-golivia-monolith
👷‍♂️ UNDER CONSTRUCTION 🚧

GOLIVIA API V1 DOCUMENTATION

This API is intended for developers, to let them submit forms without writing a backend.
Tools of this kind, aimed at front-end developers as well as back-end developers who want to build a simple application, already exist...
but most of them have serious security flaws. These security issues are:

  1. No DNS check is performed:

    This allows an attacker, among other things, to spoof the origin (domain name) of any user.

  2. Ability to bypass a reCAPTCHA:

    This is possible either through a custom script that calls the form-submission route directly, or straight from the devtools console.

  3. Very accessible spam:

    The APIs are reachable with a simple fetch/axios request.
    Thanks to sites like "https://builtwith.com/", it is quite easy to find every site and application using a given tool.
    From there, the link (containing the personal identifier) used to submit the form can be retrieved from any site using the API,
    and used to build a simple DoS script, or a DDoS using open-source tools such as JMeter or Locust,
    which can do a lot of damage on both sides
    (flooded mailbox on the user side, server crash or slowdown on the admin side).

  4. No control of string lengths:

    Most of them do not limit the length of strings.
    This risks a loss of delivery reliability on the SMTP side.
    Moreover, some sites offering this tool let users read submitted emails
    directly from their site, which confirms that the emails are stored in their database.
    This, as you will have understood, allows DoS and DDoS of the admin server.


This API is developed not to copy what has already been done,
but to improve user security, improve response performance and offer some nice features along the way :)

For Testing, Run:

npm run test

Account Registration:

Registration is done in two steps:

  1. Registration request with a valid email, which triggers an email containing a verification code.

    ROUTES:

    • /api/v1/signup/step1:

      Here we make a request to the API with a valid email as data
      and receive a verification code by email in return.

      • METHOD: POST.
      • INPUTS:
        • accountEmail: type string.
      • STATUS CODE:
        • 200: OK, Verification code sent by email.
        • 400: Bad Request.
        • 409: Conflict.
        • 500: Internal Server Error.

  2. Verification of the code, setting of the password and creation of the account.

    ROUTES:

    • /api/v1/verification-code:

      Here we verify the verification code.
      The API then returns a key and the timestamp of the verification code's creation.
      Both elements are to be saved in localStorage.

      • The key will be used at the last registration step to retrieve the email associated with the first registration request.

      • The timestamp is used to compute the expiration time of the verification code, which is "5 minutes".
        It also allows a user who leaves the page (inadvertently or not) to return to the second registration step, if desired.

        • METHOD: POST.
        • INPUTS:
          • verifCode: type string.
        • STATUS CODE:
          • 200: OK, Return elements used for the second registration step.
          • 400: Bad Request.
          • 500: Internal Server Error.

    • /api/v1/signup/step2:

      Here we submit the encrypted verification code (saved in localStorage),
      together with two passwords which must be identical, contain at least 10 characters, and include at least
      one uppercase letter, one lowercase letter, one digit and one special character.

      • METHOD: POST.
      • INPUTS:
        • verifCodeEncrypted: type string.
        • password1: type string.
        • password2: type string.
      • STATUS CODE:
        • 201: OK, Account Created.
        • 400: Bad Request.
        • 409: Conflict.
        • 500: Internal Server Error.
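The following is an added example (not code from the Golivia project) of the server-side checks the step 2 route above needs: the documented password policy, the 5-minute verification-code expiry, and the mapping to the documented status codes. Function names, the `body` shape and the rule that any non-alphanumeric character counts as "special" are assumptions.

```javascript
// Added example, not part of the Golivia code base. Names are assumed.
const VERIF_CODE_TTL_MS = 5 * 60 * 1000; // "5 minutes" per the docs

// Password policy documented for /api/v1/signup/step2: both fields identical,
// at least 10 characters, one uppercase, one lowercase, one digit, one special.
// Returns a list of violations; an empty list means the policy is satisfied.
function validatePasswords(password1, password2) {
  if (typeof password1 !== 'string' || typeof password2 !== 'string') {
    return ['passwords must be strings'];
  }
  const errors = [];
  if (password1 !== password2) errors.push('passwords do not match');
  if (password1.length < 10) errors.push('at least 10 characters required');
  if (!/[A-Z]/.test(password1)) errors.push('missing uppercase letter');
  if (!/[a-z]/.test(password1)) errors.push('missing lowercase letter');
  if (!/[0-9]/.test(password1)) errors.push('missing digit');
  // Assumption: any non-alphanumeric character counts as "special".
  if (!/[^A-Za-z0-9]/.test(password1)) errors.push('missing special character');
  return errors;
}

// Expiry check: createdAtMs is the creation timestamp returned by
// /api/v1/verification-code; nowMs is injectable so the check is testable.
function verifCodeExpired(createdAtMs, nowMs = Date.now()) {
  if (!Number.isFinite(createdAtMs)) return true; // unknown age: treat as expired
  return nowMs - createdAtMs > VERIF_CODE_TTL_MS;
}

// Maps the checks to the status codes documented for step 2.
// 201 = account created, 400 = bad request (missing/expired code, bad password).
// The 409 (conflict) and 500 cases depend on storage and are not modelled here.
function step2Status(body, codeCreatedAtMs, nowMs = Date.now()) {
  if (!body || typeof body.verifCodeEncrypted !== 'string' || body.verifCodeEncrypted === '') {
    return 400;
  }
  if (verifCodeExpired(codeCreatedAtMs, nowMs)) return 400;
  if (validatePasswords(body.password1, body.password2).length > 0) return 400;
  return 201;
}

module.exports = { VERIF_CODE_TTL_MS, validatePasswords, verifCodeExpired, step2Status };
```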

Account Authentication:

Login is validated using an email and password.
Once validated, a session is created to keep the user logged in.
Some routes require a specific permission, "ADMIN" or "USER".
To access these routes, an authentication step checks the session cookie created at login.
To log out, you must of course be logged in first.

  1. LOGIN:
  • /api/v1/account/login:

    • METHOD: POST.
    • INPUTS:
      • accountEmail: type string.
      • password: type string.
    • STATUS CODE:
      • 200: OK.
      • 400: Bad Request.
      • 401: Unauthorized.
  2. LOGOUT:
  • /api/v1/account/logout:

    • METHOD: GET.
    • STATUS CODE:
      • 200: OK.
      • 400: Bad Request.
      • 401: Unauthorized.
