# Web service

## Modules and blueprints

The web service supports the management of user accounts with varying permissions.
This feature is optional and disabled by default, so the web service initially operates in read-only mode.
To enable user accounts, set `user_accounts` to `true` in the `config/generic.json` file. This activates
the blueprints responsible for user management (authentication, sessions, editing of CVEs, etc.).

Initialize the database, as explained in a previous section:

```bash
$ poetry run flask --app website.app db_init
```

The views of the application are structured in Blueprints.

## Security considerations

Vulnerabilities are imported through various feeders that are not connected to the web service.

Two-factor authentication can be enforced for users of the platform.
Additionally, each user can generate an API key to use the API programmatically.

## Permissions

- admin: full access to everything, including updating other users' comments, bundles or vulnerabilities.
- commenter: can create new comments and edit their own comments.
- reporter: has the commenter permissions and can also submit vulnerabilities and edit their own vulnerabilities.

## Authentication workflows

### Sign-up

| Step | Endpoint | Methods | Rule | Comment |
|------|----------|---------|------|---------|
| 1 | user_bp.signup | GET, POST | /user/signup | Sign-up with login and email. A confirmation email is sent to the user with a token in a URL. |
| 2 | user_bp.confirm_account | GET, POST | `/user/confirm_account/<string:token>` | token: from the received email. The user can now choose a password. |
| 3 | user_bp.login | GET, POST | /user/login | Authentication with login and password. |
| 4 | user_bp.setup_two_factor_auth | GET | /user/setup-2fa | Set up TFA with the QR code (or token) provided by the server. |
| 5 | user_bp.verify_two_factor_auth | GET, POST | /user/verify-2fa | Verify TFA with the token provided by the client app. |
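The confirmation token of steps 1 and 2 has to be unforgeable and time-limited, since whoever presents it gets to set the account's password. The following is an added illustration, not the project's own code: it builds and checks a signed, expiring token with the standard library only. The HMAC-SHA256 scheme, the secret key and the 24-hour lifetime are assumptions for the example, not details the page states.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret for this example; a deployment would load it from its configuration.
SECRET_KEY = b"example-secret-key-not-for-production"
TOKEN_TTL = 24 * 3600  # assumed lifetime of a confirmation link, in seconds


def _b64(data: bytes) -> str:
    # URL-safe base64 without padding, so the token can sit in a path segment.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_confirmation_token(login: str, email: str, now: Optional[float] = None) -> str:
    """Build the token placed in the confirmation URL as <payload>.<signature>."""
    payload = json.dumps(
        {"login": login, "email": email, "ts": int(now or time.time())},
        separators=(",", ":"), sort_keys=True,
    ).encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_confirmation_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the signature is valid and the token unexpired, else None."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None  # malformed token
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None  # tampered payload or forged signature
    data = json.loads(payload)  # payload is trusted only after the signature check
    if (now or time.time()) - data["ts"] > TOKEN_TTL:
        return None  # expired link
    return data
```

Because the login and email are bound into the signed payload, splicing a valid signature onto a different identity fails verification, and an old link stops working once the lifetime has elapsed.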

### Login

| Endpoint | Methods | Rule |
|----------|---------|------|
| user_bp.login | GET, POST | /user/login |
| user_bp.verify_two_factor_auth | GET, POST | /user/verify-2fa |
