Versions Compared

Version Old Version 2 New Version Current
Changes made by

Joshua Smee

Garvi Poudyal

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Security issue

How dealt with

User security

  • Each user is required to register an account.

Their details

    • Details are then stored on the database.

We are hashing

  • Hashing the passwords using sha256 to keep the users password secure.

    • Users are allocated sessions when they wish to interact with the service.

    • These sessions then expire after 1 hour.

  • Interactions with the server are tracked with “/

sendInvoice”

  • sendInvoicerequiring the user to be logged in.

  • All “/

sendInvoice”

  • sendInvoicecalls are logged, with details as to

who

  • :

    • Who sent the request

and who

    • Who was emailed.

Secrets security

  • Our service requires a number of secrets to operate, which are kept private and never published into the GitHub repo. These include:

    • logins for the email server

and

    • the secret used to encrypt the jwt tokens.

To keep these private we made sure to never publish them to the github repo.

  • We kept them in a number of secure places.

    • When developing locally we kept a file which was added to git ignore.

    • We also kept them on github in its

“secrets”

    • secretssection.

    • This is an encrypted part of github that allowed us to use the variables within our testing with github actions.

  • For access during deployment, they were added to the deployment environment on heroku.

  • The login for our postgres database was also automatically added to the deployment enviorment.

Server security

  • The secret_key to secure the flask server is a randomly generated key that’s only stored on the heroku deployment server

to keep it as private as possible.

  • , ensuring privacy

  • The server is also deployed on heroku with 2 step verification enabled to keep the database login and server admin tools secure.