Web service

Modules and blueprints

The web service supports the management of user accounts with varying permissions. This feature is optional and not enabled by default, meaning the web service initially operates in read-only mode. To enable user accounts, set the value of user_accounts to true in the config/generic.json file. This activates the blueprints responsible for the management of users (authentication, session, editing of CVEs, etc.).

Initialization of the database, as explained in a previous section:

$ poetry run flask --app website.app db_init

The views of the application are structured in Blueprints.

Security considerations

Vulnerabilities are imported through various feeders that are not connected to the web service.

Two-factor authentication can be enforced for users of the platform. Additionally, each user can generate an API key to use the API programmatically.

Permissions

  • admin: full access to everything, including updating other users' comments, bundles or vulnerabilities.

  • commenter: can create new comments or edit their own comments.

  • reporter: has the commenter permissions and can also submit vulnerabilities or edit their own vulnerabilities.

Authentication workflows

Sign-up

Table 1 Sign-up workflow

| Step | Endpoint | Methods | Rule | Comment |
|------|----------|---------|------|---------|
| 1 | user_bp.signup | GET, POST | /user/signup | Sign-up with login and email. A confirmation email is sent to the user with a token in a URL. |
| 2 | user_bp.confirm_account | GET, POST | /user/confirm_account/<string:token> | token: from the received email. The user can now choose a password. |
| 3 | user_bp.login | GET, POST | /user/login | Authentication with login and password. |
| 4 | user_bp.setup_two_factor_auth | GET | /user/setup-2fa | Set up TFA with the QR code (or token) provided by the server. |
| 5 | user_bp.verify_two_factor_auth | GET, POST | /user/verify-2fa | Verify TFA with the token provided by the client app. |
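The confirmation step above carries a token in an e-mailed URL, so that token must be signed, bound to its purpose and time-limited before the user is allowed to choose a password. The following is an added, stand-alone illustration and not the project's own token code: it assumes a server-side SECRET_KEY loaded from configuration and a one-day validity, and uses only the standard library.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example secret; a real deployment loads it from configuration.
SECRET_KEY = b"constructed-example-secret-do-not-use"
TOKEN_TTL_SECONDS = 24 * 3600  # confirmation links are honoured for one day
SIG_LEN = hashlib.sha256().digest_size


def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def make_confirm_token(login: str, email: str, now: Optional[float] = None) -> str:
    """Build a URL-safe token binding login, email, purpose and expiry."""
    issued = int(now if now is not None else time.time())
    body = json.dumps(
        {"login": login, "email": email, "purpose": "confirm_account",
         "exp": issued + TOKEN_TTL_SECONDS},
        separators=(",", ":"), sort_keys=True,
    ).encode()
    # Fixed-length signature appended to the body; padding stripped for a shorter URL.
    return base64.urlsafe_b64encode(body + _sign(body)).decode().rstrip("=")


def verify_confirm_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature, purpose and expiry all check out, else None."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        body, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
        # Constant-time comparison: a tampered body or signature is rejected here.
        if not hmac.compare_digest(sig, _sign(body)):
            return None
        claims = json.loads(body)
    except (ValueError, TypeError):
        return None
    if not isinstance(claims, dict) or claims.get("purpose") != "confirm_account":
        return None  # a token minted for another flow must not confirm an account
    if int(now if now is not None else time.time()) >= int(claims.get("exp", 0)):
        return None  # expired links are rejected even though the signature is valid
    return claims
```

The route handling /user/confirm_account/<string:token> would call verify_confirm_token and only then let the user set a password; marking the account as confirmed makes the link single-use.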

Login

Table 2 Login workflow

| Endpoint | Methods | Rule |
|----------|---------|------|
| user_bp.login | GET, POST | /user/login |
| user_bp.verify_two_factor_auth | GET, POST | /user/verify-2fa |