Web service#

Modules and blueprints#

The web service supports the management of user accounts with varying permissions. This feature is optional and disabled by default, so the web service initially operates in read-only mode. To enable user accounts, set user_accounts to true in the config/generic.json file. This activates the blueprints responsible for user management (authentication, sessions, editing of CVEs, etc.).

Initialization of the database, as explained in a previous section:

$ poetry run flask --app website.app db_init

Blueprints#

The views of the application are structured in several blueprints:

  • Blueprint Core

  • Blueprint API

  • Blueprints User and Admin

Security considerations#

By default, the web service is read-only. Vulnerabilities are imported through the various feeders, which are not connected to the web service; the web interface (HTML and API) is only used to consult data. When the user accounts feature is activated, two-factor authentication is mandatory. Additionally, each user can generate an API key to use the API programmatically.

Permissions#

  • admin: full access to everything, including updating other users' comments, bundles or vulnerabilities

  • commenter: can create new comments and edit their own comments

  • reporter: everything a commenter can do, plus submitting vulnerabilities and editing their own vulnerabilities
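The three roles above combine a role check with an ownership check (a commenter edits only their own comments, a reporter only their own vulnerabilities, an admin anything). The following is an added illustration of that model as a default-deny policy table, not the project's own authorization code; the action names, the Owned/User types and the admin-only bundle:edit entry are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class User:
    login: str
    role: str            # "admin", "commenter" or "reporter" (names from the page)


@dataclass(frozen=True)
class Owned:
    """Anything with an author: a comment or a user-submitted vulnerability."""
    kind: str            # "comment" or "vulnerability" (assumed labels)
    owner: str           # login of the creator; "" for feeder-imported vulnerabilities


Check = Callable[[User, Optional[Owned]], bool]


def any_target(user: User, target: Optional[Owned]) -> bool:
    return True


def own_target(user: User, target: Optional[Owned]) -> bool:
    # A feeder-imported entry has no owner, so no non-admin user can ever edit it.
    return target is not None and target.owner == user.login


# (role -> action -> predicate). Anything absent from the table is denied.
# Action names are assumptions for this example; "bundle:edit" admin-only is also assumed.
POLICY: Dict[str, Dict[str, Check]] = {
    "admin": {
        "comment:create": any_target, "comment:edit": any_target,
        "vulnerability:submit": any_target, "vulnerability:edit": any_target,
        "bundle:edit": any_target,
    },
    "commenter": {
        "comment:create": any_target, "comment:edit": own_target,
    },
    "reporter": {
        "comment:create": any_target, "comment:edit": own_target,
        "vulnerability:submit": any_target, "vulnerability:edit": own_target,
    },
}


def authorize(user: Optional[User], action: str, target: Optional[Owned] = None) -> bool:
    """True if `user` may perform `action` on `target`.

    Reading needs no decision: the service is read-only for everyone, so only
    write actions go through here. No session (user is None) means read-only.
    """
    if user is None:
        return False
    check = POLICY.get(user.role, {}).get(action)   # unknown role or action: deny
    return check is not None and check(user, target)


if __name__ == "__main__":
    # Constructed users and objects, not data from the project.
    alice, bob, root = User("alice", "commenter"), User("bob", "reporter"), User("root", "admin")
    print(authorize(alice, "comment:edit", Owned("comment", "bob")))             # False
    print(authorize(bob, "vulnerability:edit", Owned("vulnerability", "")))      # False
    print(authorize(root, "vulnerability:edit", Owned("vulnerability", "")))     # True
```

The point of the table form is that a new action or role starts out denied everywhere until someone adds an explicit entry, which is the failure mode you want when a view is added and the permission check is forgotten.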

Authentication workflows#

Table 1 Sign-up workflow#

Step  Endpoint                        Methods    Rule                                  Comment
1     user_bp.signup                  GET, POST  /user/signup                          Sign-up with login and email. A confirmation email with a token in a URL is sent to the user.
2     user_bp.confirm_account         GET, POST  /user/confirm_account/<string:token>  token: from the received email. The user can now choose a password.
3     user_bp.login                   GET, POST  /user/login                           Authentication with login and password.
4     user_bp.setup_two_factor_auth   GET        /user/setup-2fa                       Set up TFA with the QR code (or token) provided by the server.
5     user_bp.verify_two_factor_auth  GET, POST  /user/verify-2fa                      Verify TFA with the code provided by the client app.

Table 2 Login workflow#

Endpoint                        Methods    Rule
user_bp.login                   GET, POST  /user/login
user_bp.verify_two_factor_auth  GET, POST  /user/verify-2fa
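Steps 4 and 5 of the sign-up workflow, and the second step of every login, are a time-based one-time password exchange: the server hands the client app a secret (as a QR code), the app derives a short code from that secret and the current time, and the server recomputes the same code to verify it. The block below is an added, self-contained implementation of that exchange (RFC 4226 HOTP and RFC 6238 TOTP over the standard library); it is not the project's own code and makes no claim about the library or field names the project uses. The issuer string, the 30-second period, the 6-digit length and the replay bookkeeping via last_counter are assumptions for the example.

```python
import base64
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

PERIOD = 30   # seconds per time step (RFC 6238 default; what authenticator apps assume)
DIGITS = 6    # code length shown by the client app


def generate_secret() -> str:
    """Per-user TOTP secret: 160 random bits, base32 so it fits in an otpauth:// URI."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def provisioning_uri(secret: str, login: str, issuer: str = "vulnerability-lookup") -> str:
    """The string a setup page (cf. /user/setup-2fa) renders as a QR code. Issuer is assumed."""
    label = quote(f"{issuer}:{login}")
    return (f"otpauth://totp/{label}?secret={secret}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={PERIOD}")


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), "sha1").digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: str, at: Optional[int] = None) -> str:
    """What the client app displays: HOTP with counter = floor(unix_time / PERIOD)."""
    at = int(time.time()) if at is None else at
    return hotp(base64.b32decode(secret, casefold=True), at // PERIOD)


def verify_totp(secret: str, code: str, at: Optional[int] = None,
                window: int = 1, last_counter: int = -1) -> Optional[int]:
    """Server side of the verify step. Returns the matching time-step counter, or None.

    `window` steps on either side absorb clock drift between server and phone.
    The caller persists the returned counter as the user's last_counter; any
    counter at or below it is refused, so a sniffed code cannot be replayed
    within the tolerance window even though it is still "valid" by time.
    """
    if not (code.isdigit() and len(code) == DIGITS):
        return None
    key = base64.b32decode(secret, casefold=True)
    at = int(time.time()) if at is None else at
    base = at // PERIOD
    for step in range(-window, window + 1):
        counter = base + step
        if counter <= last_counter:                        # already consumed: reject replay
            continue
        if hmac.compare_digest(hotp(key, counter), code):  # constant-time comparison
            return counter
    return None


if __name__ == "__main__":
    # Constructed walk-through of setup and verification (example data, not project data).
    secret = generate_secret()
    print(provisioning_uri(secret, "alice"))          # what the QR code encodes
    now = int(time.time())
    code = totp(secret, now)                          # what the authenticator app shows
    used = verify_totp(secret, code, now)             # first use: accepted
    print("accepted at counter", used)
    print("replay accepted?", verify_totp(secret, code, now, last_counter=used) is not None)
```

Two details matter in practice: compare codes with hmac.compare_digest rather than ==, and record the accepted counter, because a bare TOTP check happily accepts the same code twice for the whole 30-second step plus the drift window.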