Security - hackforla/tdm-calculator GitHub Wiki

Security Role Form

  • Only users with security admin access can open this tab.
  • A security admin can grant or revoke admin and security admin access for any user in the list.
  • A security admin can also archive a particular user from the list.

URLS

Issue label

Screenshots of page

Technical Details

Endpoints with Authentication Requirements

  • GET /api/accounts (requires isSecurityAdmin role)
  • PUT /:id/unarchiveaccount (requires isSecurityAdmin role)
  • GET /archivedaccounts (requires isSecurityAdmin role)
  • DELETE /:id/deleteaccount (requires isSecurityAdmin role)
  • PUT /:id/roles (requires isSecurityAdmin role)
  • PUT /updateaccount (requires user authentication)
  • POST /login (requires user authentication)
  • GET /logout (requires user authentication)

Endpoints with Authorization Requirements

  • isSecurityAdmin role:
    • GET /api/accounts
    • PUT /:id/unarchiveaccount
    • GET /archivedaccounts
    • DELETE /:id/deleteaccount
    • PUT /:id/roles
  • isAdmin role:
    • None explicitly mentioned in the provided code snippets

Endpoints with Potential Security Concerns

  • POST /register (may be vulnerable to brute-force attacks or email enumeration attacks)
  • POST /forgotPassword (may be vulnerable to brute-force attacks or email enumeration attacks)
  • POST /resetPassword (may be vulnerable to brute-force attacks or password enumeration attacks)

Additional Security Considerations

  • The use of JWT tokens for authentication and authorization is a good practice, but it's essential to ensure that the tokens are properly validated and verified on each request.
  • The jwtSession.validateRoles middleware function is used to validate roles, but its implementation is not provided in the code snippets. It's crucial to ensure that this function is correctly implemented to prevent unauthorized access.
  • The poolConnect function is used to connect to the database, but its implementation is not provided in the code snippets. It's essential to ensure that it, and every query issued through it, uses parameterized statements rather than string-built SQL, which is what prevents SQL injection attacks.

Please note that this analysis is based on the provided code snippets and may not be comprehensive. A more thorough review of the codebase would be necessary to provide a complete security assessment.