
crapi's Introduction

crAPI

completely ridiculous API (crAPI) will help you to understand the ten most critical API security risks. crAPI is vulnerable by design, but you'll be able to safely run it to educate/train yourself.

crAPI is modern, built on top of a microservices architecture. When the time comes to buy your first car, sign up for an account and start your journey. To learn more about crAPI, please check crAPI's overview.

QuickStart Guide

Docker and docker-compose

You'll need to have Docker and docker-compose installed and running on your host system. Also, the version of docker-compose should be 1.27.0 or above. Check your docker-compose version using:

docker-compose version

Using prebuilt images

You can use prebuilt images generated by our CI workflow.

  • To use the latest stable version.

    • Linux Machine
    curl -o docker-compose.yml https://raw.githubusercontent.com/OWASP/crAPI/main/deploy/docker/docker-compose.yml
    
    docker-compose pull
    
    docker-compose -f docker-compose.yml --compatibility up -d
    
    • Windows Machine
    curl.exe -o docker-compose.yml https://raw.githubusercontent.com/OWASP/crAPI/main/deploy/docker/docker-compose.yml
    
    docker-compose pull
    
    docker-compose -f docker-compose.yml --compatibility up -d
    
  • To use the latest development version

    • Linux Machine
    curl -o docker-compose.yml https://raw.githubusercontent.com/OWASP/crAPI/develop/deploy/docker/docker-compose.yml
    
    VERSION=develop docker-compose pull
    
    VERSION=develop docker-compose -f docker-compose.yml --compatibility up -d
    
    • Windows Machine
    curl.exe -o docker-compose.yml https://raw.githubusercontent.com/OWASP/crAPI/develop/deploy/docker/docker-compose.yml
    
    set "VERSION=develop"
    
    docker-compose pull
    
    docker-compose -f docker-compose.yml --compatibility up -d
    
  • To Stop and Cleanup crAPI
    docker-compose -f docker-compose.yml --compatibility down --volumes
    

Visit http://localhost:8888

Note: All emails are sent to the mailhog service by default and can be checked at http://localhost:8025. You can change the SMTP configuration if required; however, all emails to the domain example.com will still go to mailhog.

Vagrant

This option allows you to run crAPI within a virtual machine, isolated from your system. You'll need to have Vagrant and a provider such as VirtualBox installed.

  1. Clone crAPI repository
    $ git clone [REPOSITORY-URL]
    
  2. Start crAPI Virtual Machine
    $ cd deploy/vagrant && vagrant up
    
  3. Visit http://192.168.33.20

Note: All emails are sent to mailhog service and can be checked on http://192.168.33.20:8025

Once you're done playing with crAPI, you can remove it completely from your system by running the following command from the repository root directory:

$ cd deploy/vagrant && vagrant destroy

For more deployment options, visit the setup instructions.

To know more about the challenges in crAPI, visit challenges.

Troubleshooting guide for general issues while installing and running crAPI

If you need any help with installing and running crAPI you can check out this guide: Troubleshooting guide crAPI. If this doesn't solve your problem, please create an issue in Github Issues.

crapi's People

Contributors

aharmlesspyro, apollo9999, chahat99, dlowe, fazlearefin, jbahire, krouser, mathew-jose, melbin1997, mikeacjones, nikhil-rajesh, pauloasilva, piyushroshan, renatorpn, sanjay-nagaraj, sanket-mundra, spaceshipdev, testinggarage, willmccardell

crapi's Issues

Failure to login results in an unhandled exception

Description
When sending a POST request to the login page (/identity/api/auth/login), bad credentials result in an exception being raised (from springframework?) in function authenticateUser (raised from calling authenticateUserLogin).

One more issue is that you actually mean to return 500 for an unsuccessful login. i.e

return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).body(jwtToken);

Which doesn't make much sense, but is never reached anyways. The 500 actually derives from an exception, and you have no control over it.

You should wrap the JwtResponse in a try/catch block, and return an HttpStatus.UNAUTHORIZED response accordingly. You also have a string for bad credentials so better use that in the response.

To Reproduce
Send a POST request to /identity/api/auth/login with fake credentials

Expected behavior
A 403 or 401 should've been returned by you and not by an exception raised from the authentication management library.

Runtime Environment
Docker version 20.10.12, build e91ed57
Linux 5.14.0-1033-oem #36-Ubuntu SMP Mon Apr 4 15:15:49 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Vehicleid for existing users not showing up

When accessing the forum, a GET request to /community/api/v2/community/posts/recent is done to receive information about posts and comments. There are 3 existing posts made by the 3 default users, however there is no information about their vehicles.


Which is honestly not a big deal, you can simply create two users, post something and use their vehicle guids for the challenges. However, I think it would be nice to already have some pre-built vehicleids so the challenge progress feels more natural. I think the vehicles are already created because there is mechanic reports for the default users, so I'm not sure if this is the expected behaviour.

Both last stable and development versions have this behaviour. Environment: Macbook M1, macOS Monterey 12.4, Docker 4.7.1 (77678).

Could Not Connect To The Mechanic API

Describe the bug
For some reason I am unable to connect to the mechanic API when attempting to send a message to the mechanic. I have no failures on the deployment
I can log in with no issue
I can add a vehicle
Post the community

To Reproduce
Add a vehicle PIN and VIN
Then attempt to connect a mechanic I get an error
All pods are up with no log errors. All services are up
You can see the errors when you look at the crapiweb logs from kubernetes

Expected behavior
I should be able to contact a mechanic

Runtime Environment
K8s 1.21 on EKS
deployed with helm 3.7.1

Unable to build Docker Image

After running the command:

$ deploy/docker/build-all.sh

The setup freezes at some point (see attached image). It alerts me that caniuse-lite is outdated, and it requests me to run a certain command. Whether I run that command or not, it's as if nothing happens. Kindly check on this.


Does crAPI's configuration allow it to be used as a Capture-the-flag (CTF) event?

Is your feature request related to a problem? Please describe.
Curious to know if crAPI's configuration allows it to be used as Capture-the-flag (CTF) event

Describe the solution you'd like
A way to configure crAPI to return (e.g in the HTTP response body) a user configured custom flag when particular challenges are solved

Describe alternatives if any you've considered
None at the moment..

Additional context

Unable to run on Apple Silicon Mac

It looks like the reason is that crapi-community container fails to start with the following log:

crapi-community    | docker-compose-wait - Everything's fine, the application can now start!
crapi-community    | 2021/09/13 19:57:59 sad .env file found
crapi-community    | qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Here is my system info:

MacBook Pro (13-inch, M1, 2020)
Docker version 20.10.8, build 3967b7d

Provide troubleshooting guide for general issues while installing and running crAPI

Is your feature request related to a problem? Please describe.
Users sometimes face problems with getting started with docker, Kubernetes, etc. May it be resource constraints, may it be configs, may it issues specific to some database or start-up. We should have a troubleshooting guide with all the known issues and their solutions.

Describe the solution you'd like
A troubleshooting document that lists down all the known issues we all have faced and also documents solutions for them.

Describe alternatives if any you've considered
Refer to the juice shop troubleshooting guide: https://pwning.owasp-juice.shop/appendix/troubleshooting.html

Additional context
NA

Error during Docker deployment

When I attempt to build images using the docker deployment method I am getting the following error
deploy/docker/build-all.sh

root@ubuntu:~$ sudo crAPI/deploy/docker/build-all.sh

+ set -e
+ dirname crAPI/deploy/docker/build-all.sh
+ cd crAPI/deploy/docker
+ find ../../services/ -name build-image*
+ scripts=../../services/community/build-image.sh
../../services/web/build-image.sh
../../services/identity/build-image.sh
../../services/workshop/build-image.sh
+ echo Executing ../../services/community/build-image.sh
Executing ../../services/community/build-image.sh
+ bash -x ../../services/community/build-image.sh
+ set -x
++ dirname ../../services/community/build-image.sh
+ cd ../../services/community
+ docker build -t crapi-community .
Sending build context to Docker daemon 5.622 MB
Step 1 : FROM golang:alpine AS builder
Error parsing reference: "golang:alpine AS builder" is not a valid repository/tag

I have all the docker-compose dependencies installed.

com.crapi.CRAPIBootApplication is having an issue with com.zaxxer.hikari.pool.HikariPool--"org.postgresql.util.PSQLException: The connection attempt failed."

Describe the bug
I cannot get crAPI to start up. The error message is:

ERROR: for crapi-community  Container "1b2afedad26d" is unhealthy.
ERROR: Encountered errors while bringing up the project.

I'm not an expert at docker, so I borrowed steps from another filed issue.

A look at what the last gasp of the container was...

$ sudo docker ps -a | grep 1b2afedad26d
1b2afedad26d   crapi/crapi-identity:latest   "/bin/sh -c 'java -j…"   3 minutes ago   Exited (1) 2 minutes ago                                              crapi-identity

The log file, a result of docker log 1b2afedad26d
docker_log_1b2afedad26d.txt

To Reproduce
I executed the following commands:

$ curl -o docker-compose.yml https://raw.githubusercontent.com/OWASP/crAPI/main/deploy/docker/docker-compose.yml
$ sudo docker-compose pull
$ docker-compose -f docker-compose.yml --compatibility up -d

Expected behavior

I'm following directions in Hacking APIs, by Corey Ball, and the project's instructions.

I'm expecting a service to be running on port 8000, and others.

Runtime Environment

$ docker -v Docker version 20.10.14, build a224086349
$ uname -a
Linux infra 5.13.0-44-generic #49-Ubuntu SMP Wed May 18 13:28:06 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Please let me know if there's additional information you need.

ERROR: An HTTP request took too long to complete, consider setting COMPOSE_HTTP_TIMEOUT to a higher value (current value: 60).


1. Describe the bug
== A clear and concise description of what the bug is ==
.
Running docker-compose command always crashes my Amazon AWS EC2 server!

  • July 2022

  • Amazon AWS EC2: Ubuntu 22.04 LTS

  • crapi-identity container memory: 512M

$ export COMPOSE_HTTP_TIMEOUT=120;

$ printenv | grep COM
COMPOSE_HTTP_TIMEOUT=120

.
Then starting docker-compose always crashes my Amazon AWS EC2 server. Also it still complains that my current COMPOSE_HTTP_TIMEOUT value is 60 seconds even though I have set it to 120 seconds.

$ sudo docker-compose -f docker-compose.yml --compatibility up -d

Starting postgresdb ... done
Starting mongodb    ... done
Starting mailhog    ... done
Recreating crapi-identity ... done

# ERROR: An HTTP request took too long to complete. Retry with --verbose to obtain debug information.
# If you encounter this issue regularly because of slow network conditions,
# consider setting COMPOSE_HTTP_TIMEOUT to a higher value (current value: 60).

--- Server ALWAYS crash here! ---

How do I properly set my COMPOSE_HTTP_TIMEOUT value. Do I need to run a certain command to update my export command, before running docker-compose?


2. To Reproduce
== Steps to reproduce the behavior. If applicable, add screenshots to help explain your problem. ==

# Amazon AWS EC2: Ubuntu 22.04 LTS

$ sudo ufw status
Status: inactive

$ curl -o docker-compose.yml https://raw.githubusercontent.com/OWASP/crAPI/main/deploy/docker/docker-compose.yml

$ sudo docker-compose pull

# Quote from a different ticket:
"Issue fixed by increasing the memory for the 'crapi-identity' block in 'docker-compose.yml' to be 512M, from 256M."

$ nano docker-compose.yml

$ export COMPOSE_HTTP_TIMEOUT=120;

$ printenv | grep COMPOSE
COMPOSE_HTTP_TIMEOUT=120

.

$ sudo docker-compose -f docker-compose.yml --compatibility up -d

Starting postgresdb ... done
Starting mongodb    ... done
Starting mailhog    ... done
Recreating crapi-identity ... done

# ERROR: An HTTP request took too long to complete. Retry with --verbose to obtain debug information.
# If you encounter this issue regularly because of slow network conditions,
# consider setting COMPOSE_HTTP_TIMEOUT to a higher value (current value: 60).

3. Expected behavior
== A clear and concise description of what you expected to happen. ==
.
I'm expecting the COMPOSE_HTTP_TIMEOUT value to be 120 seconds in the ERROR message before the Amazon AWS EC2 server crashes.

# ERROR: An HTTP request took too long to complete. Retry with --verbose to obtain debug information.
# If you encounter this issue regularly because of slow network conditions,
# consider setting COMPOSE_HTTP_TIMEOUT to a higher value (current value: 60).

4. Runtime Environment
== Sytem/Environemnt information (e.g Output of docker -v and uname -a) ==

$ docker -v
Docker version 20.10.17, build 100c701

$ uname -a
Linux ip-xxx-xx-xx-xxx 5.15.0-1015-aws #19-Ubuntu SMP Wed Jun 22 17:44:56 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

unable to install on linux

when i run build.sh i get this error
sudo ./build-all.sh 1 ⨯

+ set -e
+ dirname ./build-all.sh
+ cd .
+ find ../../services/ -name build-image*
+ scripts=../../services/identity/build-image.sh
../../services/web/build-image.sh
../../services/community/build-image.sh
../../services/workshop/build-image.sh
+ echo Executing ../../services/identity/build-image.sh
Executing ../../services/identity/build-image.sh
+ bash -x ../../services/identity/build-image.sh
+ set -x
++ dirname ../../services/identity/build-image.sh
+ cd ../../services/identity
+ docker build -t crapi-identity .
Sending build context to Docker daemon 341kB
Step 1/14 : FROM maven:3.6-jdk-11 AS javabuild
Get "https://registry-1.docker.io/v2/": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)

docker-compose fails to start

running the docker compose command as listed in the readme results in the following:

docker-compose -f deploy/docker/docker-compose.yml --compatibility up -d
[+] Running 3/4
 ⠿ Container mailhog         Running                                                                 0.0s
 ⠿ Container postgresdb      Healthy                                                                 1.1s
 ⠿ Container mongodb         Healthy                                                                 1.1s
 ⠿ Container crapi-identity  Waiting                                                                13.6s
container for service "crapi-identity" is unhealthy

OS information: Arch linux kernel 5.15.36-1-lts
Docker Compose version 2.4.1
Docker version 20.10.14, build a224086349

I ran docker-compose without -d, and got the following output:

crapi-identity   | 2022-04-29 19:20:33.521  INFO 7 --- [           main] com.crapi.CRAPIBootApplication           : Starting CRAPIBootApplication v1.0-SNAPSHOT on 8e8201870c71 with PID 7 (/app/user-microservices-1.0-SNAPSHOT.jar started by root in /)
crapi-identity   | 2022-04-29 19:20:33.536  INFO 7 --- [           main] com.crapi.CRAPIBootApplication           : No active profile set, falling back to default profiles: default
crapi-identity   | Killed
container for service "crapi-identity" is unhealthy
crapi-identity exited with code 137

Based on my research, 137 is the out of memory killer, which is very strange because I have 32 GB of RAM, and there is no noticeable change before or during the docker-compose up process.

I'm happy to help troubleshoot, but I'm not sure where to look.

Application not accessible from EC2

Describe the bug
Application is available from the machine but not from internet.

To Reproduce

  1. Deploy EC2 instance with docker-compose
  2. Check the Ec2 security group and open 8888 to access from outside
  3. Follow steps provided in readme to install application
  4. Try to access application using http:::8888

Expected behavior
Application should be available from outside world but observed crAPI-web is mapped to 127.0.0.1 instead of 0.0.0.0 causing this issue.

Runtime Environment
Docker-compose: v2.9.0

Build an IAM module that can centrally manage the vulnerabilities like JWT/Access Key etc

Is your feature request related to a problem? Please describe.
Build an IAM module that can centrally manage the vulnerabilities like JWT/Access Key etc
There are many JWT-based vulnerabilities that we need to target.
Algorithm confusion, signature tampering, header tampering, JWT expiry, JWKS
Similarly, target Client ID/Secret forms.

Describe the solution you'd like
Build an IAM module that can centrally manage the vulnerabilities and remove dependency on services.

Describe alternatives if any you've considered
N/A

Additional context
TODO

I am receiving a pull access denied for crapi-identity

I am receiving a Continue with the new image? [yN]y Pulling crapi-identity (crapi-identity:)... ERROR: pull access denied for crapi-identity, repository does not exist or may require 'docker login': denied: requested access to the resource is denied

Please assist as its unable to find the repo

Good to provide solution doc for all challenges

Is your feature request related to a problem? Please describe.
People can explore the challenges but always good to provide final solutions as well.

Describe the solution you'd like
Some doc or YouTube videos will definitely help for a novice member like me.

Describe alternatives if any you've considered
Doc or Video reference

Additional context

Document Happy Path for crAPI

Is your feature request related to a problem? Please describe.
Currently, when we start crAPI, we don't know where to click or where to look to generate specific vulnerabilities. We should document a "happy path" or principal workflow which will help people to actually understand the working of the crAPI application.

Describe the solution you'd like
A document with "happy path" and link it in main README.

Describe alternatives if any you've considered
NA

Additional context
NA

Document all the vulnerabilities which currently exist in crAPI

Is your feature request related to a problem? Please describe.
A documentation page around all the vulnerabilities that currently exist in crAPI will be very helpful. This will provide an easy way to evaluate if crAPI is right for our use cases.

Describe the solution you'd like
A table in README or a separate markdown file that lists down all the vulnerabilities crAPI has and maps them to OWASP API Top 10, OWASP Top 10 and CWEs.

Additional context
Not needed

'crapi-identity' container killed shortly after docker-compose up

On 'develop' branch, last commit is
commit 3231797 (HEAD -> develop, origin/develop, origin/HEAD)
Merge: edf286c e36040f
Author: Roshan Piyush [email protected]
Date: Tue Jul 20 22:48:13 2021 +0530

Merge pull request #3 from PauloASilva/fix/typos

fix: typos on signup form & welcome email

starting with
$ docker-compose -f deploy/docker/docker-compose.yml --compatibility up -d

after 1-2 minutes, crapi-web and crapi-community fail and complain that crapi-identity isn't available
Host crapi-identity:8080 not yet available...

log of crapi-identity:
--------------------------------------------------------
docker-compose-wait 2.7.3

Starting with configuration:

  • Hosts to be waiting for: [postgresdb:5432,mongodb:27017]
  • Timeout before failure: 120 seconds
  • TCP connection timeout before retry: 5 seconds
  • Sleeping time before checking for hosts availability: 0 seconds
  • Sleeping time once all hosts are available: 0 seconds
  • Sleeping time between retries: 5 seconds

Checking availability of postgresdb:5432
Host postgresdb:5432 is now available!

Checking availability of mongodb:27017
Host mongodb:27017 is now available!

docker-compose-wait - Everything's fine, the application can now start!

:: Spring Boot :: (v2.3.0.RELEASE)

2021-07-27 12:43:20.820 INFO 8 --- [ main] com.crapi.CRAPIBootApplication : Starting CRAPIBootApplication v1.0-SNAPSHOT on 90c9d95461f0 with PID 8 (/app/user-microservices-1.0-SNAPSHOT.jar started by root in /)
2021-07-27 12:43:21.004 INFO 8 --- [ main] com.crapi.CRAPIBootApplication : No active profile set, falling back to default profiles: default
2021-07-27 12:43:43.504 INFO 8 --- [ main] .s.d.r.c.RepositoryConfigurationDelegate : Bootstrapping Spring Data JPA repositories in DEFERRED mode.
2021-07-27 12:43:44.220 INFO 8 --- [ main] .s.d.r.c.RepositoryConfigurationDelegate : Finished Spring Data repository scanning in 700ms. Found 8 JPA repository interfaces.
Killed

Monitoring for crAPI

Is your feature request related to a problem? Please describe.
Provide an easy way to set up crAPI along with monitoring setup. For example, with Kubernetes setup, I should be able to monitor golden signals for my Kubernetes setup with Kube-state metrics.

Describe the solution you'd like
Way to deploy an application with Prometheus and Grafana. The user should be able to create a Grafana dashboard out of the infra metrics from crAPI. We can also provide a dashboard template.

Community Author Information is a "Snapshot" rather than live

Is your feature request related to a problem? Please describe.
If you make a post in the community, your current avatar, email address, nickname, etc are all saved in Mongo at that moment. This causes a few issues:

  • If the author modifies any of their information, this isn't reflected in the community
  • Saving the image data in mongo creates overhead + the UI is less responsive when returning base64encoded image data.

Describe the solution you'd like
Change author information to be returned dynamically. Additionally, don't save any image information in mongo or return image data as base64-encoded info. Instead, add a new endpoint that dynamically returns the correct user's avatar. Less overhead, less storage, plus caching rules can be set up for the images that the browser can handle.

A hacking guide which helps in finding and demoing vulnerabilities in crAPI

Is your feature request related to a problem? Please describe.
A guide that helps in understanding steps to reproduce a current set of vulnerabilities that exist in crAPI.

Describe the solution you'd like
A document that lists down solutions to the challenges in crAPI. Something similar to what Juice shop has here: https://pwning.owasp-juice.shop/appendix/solutions.html

Describe alternatives if any you've considered
NA

Additional context
NA

ERROR: Invalid interpolation format for "crapi-identity" option in service "services": "crapi/crapi-identity:${VERSION:-latest}"

curl -o docker-compose.yml https://raw.githubusercontent.com/OWASP/crAPI/main/deploy/docker/docker-compose.yml

docker-compose pull

docker-compose -f docker-compose.yml --compatibility up -d
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  6013  100  6013    0     0   6919      0 --:--:-- --:--:-- --:--:--  6911
/home/hunter/.local/lib/python3.9/site-packages/requests/__init__.py:89: RequestsDependencyWarning: urllib3 (1.26.9) or chardet (3.0.4) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({}) doesn't match a supported "
ERROR: Invalid interpolation format for "crapi-identity" option in service "services": "crapi/crapi-identity:${VERSION:-latest}"
/home/hunter/.local/lib/python3.9/site-packages/requests/__init__.py:89: RequestsDependencyWarning: urllib3 (1.26.9) or chardet (3.0.4) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({}) doesn't match a supported "
ERROR: Invalid interpolation format for "crapi-identity" option in service "services": "crapi/crapi-identity:${VERSION:-latest}"

Document explaining architecture of crAPI

Is your feature request related to a problem? Please describe.
We need a clear and concise document that has an architecture diagram for crAPI and explains the architecture and caveats.

Describe the solution you'd like
Separate architecture diagram and document linked to README.

Standalone K8s Deployment

Is there a plan to make a non-Minikube K8s version to deploy? If this is possible in this deployment please advise. Thanks all for this great website for testing.

Add Security Misconfiguration vulnerabilities in crAPI

Is your feature request related to a problem? Please describe.
We should be able to demo security misconfiguration vulnerabilities with crAPI. Security misconfiguration falls under API7:2019 Security Misconfiguration.

Describe the solution you'd like
There are CWEs which fall under security misconfigs:

We want to add capability in crAPI to be able to demo all three of them.

Describe alternatives if any you've considered
NA

Additional context
NA

Inconsistency in docker-compose due to crapi-identity low memory limit

When I run the docker-compose command listed in the readme across 3 different machines, the instructions provided do not work. In many of the cases, I was seeing different errors each time, but lately it's been a fairly standard error:

crapi-identity exits with status code 137.


As you can see, crapi-identity finishes starting, but then crashes later on.

output of docker logs:


I was able to get the docker-compose command to finish twice out of maybe 60 attempts, so while it won't always fail, it almost always does.

Platforms tested on, all 64 bit:

  • AWS Linux
  • Ubuntu hosted in AWS, fresh instance spun up entirely for this debugging.
    ** Linux redacted 5.15.0-1004-aws #6-Ubuntu SMP Thu Mar 31 09:44:20 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
  • Kali Linux VM hosted on Windows
    ** This was the host that docker-compose finished twice on.

This error occurred on both the main and develop branches.

Steps to reproduce:

  • Create an Ubuntu t2.micro in AWS or equivalent.
  • Run the steps listed in the README under the Docker Quick Start section to reproduce.

This problem is similar to #9.

After a lot of troubleshooting, I determined that updating the max memory limit for the crapi-identity to be 384M from 256M gave it enough headroom to consistently start and run the crapi-identity container.

Originally posted by @willmccardell in #54 (comment)

unable to start docker-compose / problem with mongo / UPGRADE PROBLEM: Found an invalid featureCompatibilityVersion document

I started using crAPI on 2022-05-17 and pulled the newest version in a separate directory, but was unable to start it.

$ docker-compose -f deploy/docker/docker-compose.yml --compatibility up -d
Creating network "docker_default" with the default driver
Creating postgresdb ... done
Creating mailhog    ... done
Creating mongodb    ... done
Creating crapi-identity ... done

ERROR: for crapi-community  Container "7912aa65db4b" is unhealthy.
ERROR: Encountered errors while bringing up the project.
$ docker ps -a
CONTAINER ID   IMAGE                         COMMAND                  CREATED          STATUS                             PORTS                                NAMES
4510cceac9c9   crapi/crapi-identity:latest   "/bin/sh -c 'java -j…"   16 seconds ago   Up 15 seconds (health: starting)                                        crapi-identity
7912aa65db4b   mongo:4.4                     "docker-entrypoint.s…"   33 seconds ago   Exited (62) 24 seconds ago                                              mongodb

docker logs 7912aa65db4b

{"t":{"$date":"2022-06-03T11:35:47.742+00:00"},"s":"I",  "c":"STORAGE",  "id":4366408, "ctx":"initandlisten","msg":"No table logging settings modifications are required for existing WiredTiger tables","attr":{"loggingEnabled":true}}
{"t":{"$date":"2022-06-03T11:35:47.829+00:00"},"s":"I",  "c":"STORAGE",  "id":22262,   "ctx":"initandlisten","msg":"Timestamp monitor starting"}
{"t":{"$date":"2022-06-03T11:35:48.051+00:00"},"s":"F",  "c":"CONTROL",  "id":20573,   "ctx":"initandlisten","msg":"Wrong mongod version","attr":{"error":"UPGRADE PROBLEM: Found an invalid featureCompatibilityVersion document (ERROR: BadValue: Invalid value for version, found 5.0, expected '4.4' or '4.2'. Contents of featureCompatibilityVersion document in admin.system.version: { _id: \"featureCompatibilityVersion\", version: \"5.0\" }. See https://docs.mongodb.com/master/release-notes/4.4-compatibility/#feature-compatibility.). If the current featureCompatibilityVersion is below 4.2, see the documentation on upgrading at https://docs.mongodb.com/master/release-notes/4.4/#upgrade-procedures."}}
{"t":{"$date":"2022-06-03T11:35:48.053+00:00"},"s":"I",  "c":"REPL",     "id":4784900, "ctx":"initandlisten","msg":"Stepping down the ReplicationCoordinator for shutdown","attr":{"waitTimeMillis":10000}}

Add GraphQL service in crAPI

Is your feature request related to a problem? Please describe.
Currently, crAPI only supports REST endpoints. We can only identify and demo REST vulnerabilities with crAPI. We should add a GraphQL service which will make it easier to demo GraphQL vulnerabilities.

Describe the solution you'd like
A GraphQL API using which we can demonstrate Authorization, Introspection, Batching, Injection, CSRF and other GraphQL attacks.

Add Kafka service in crAPI

Is your feature request related to a problem? Please describe.
crAPI lacks messaging services. Adding some Kafka pipelines will help in demoing Kafka vulnerabilities as well.

Describe the solution you'd like
@inonshk ,@piyushroshan would like to hear your thoughts about doing this as well as solutions around it.

Can't see past-orders

When I try to see my past orders, it pops up a failed message. Is it part of the challenge?

Add gRPC service in crAPI

Is your feature request related to a problem? Please describe.
Currently, crAPI only supports REST endpoints. We can only identify and demo REST vulnerabilities with crAPI. We should add a gRPC service which will make it easier to demo gRPC vulnerabilities.

Describe the solution you'd like
@piyushroshan, can you please add more context on a plausible solution here?

OAS Specification

Hello, would it be possible to please provide an OAS or Swagger specification for the APIs in /crAPI/blob/develop/services/web/src/constants/APIConstant.js?

This would help in deploying and managing the APIs in this project with an API gateway.

Broken signup password validation

According to the error message, password should meet the following requirements: "Password should contain at least one digit, one small letter and one capital letter and should at least contain 8 characters."

Password is validated using the following regular expression: /^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,16}$/.

Although the regular expression used matches A123456c as a valid password, it fails for A123456ç.

We can either change the password requirements/error message or fix the validation.
OWASP Password Strength Test is something we can use to address the latter.
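The root cause in the quoted regex is that `[a-z]` and `[A-Z]` are ASCII-only character classes, so a lowercase letter such as "ç" satisfies neither lookahead. The following is an added example, not crAPI's code or a fix from the project: it places the regex quoted in the issue beside a Unicode-aware rewrite using property escapes (my choice, with the 8..16 length window kept unchanged so the comparison isolates the character-class difference) and runs both over constructed inputs, including the two passwords the issue cites.

```javascript
// Added example (not crAPI's code): the signup regex quoted in the issue,
// next to a Unicode-aware rewrite, compared on constructed sample passwords.

// Regex exactly as quoted in the issue. [a-z] and [A-Z] match ASCII letters
// only, so "ç" or "Ä" count toward length but never satisfy the lookaheads.
const ASCII_POLICY = /^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,16}$/;

// Hypothetical fix (not from the project): with the 'u' flag, \p{Ll}, \p{Lu}
// and \p{Nd} accept any Unicode lowercase letter, uppercase letter and
// decimal digit. The 8..16 window is the one the quoted regex already imposes.
const UNICODE_POLICY = /^(?=.*\p{Nd})(?=.*\p{Ll})(?=.*\p{Lu}).{8,16}$/u;

function validatePassword(password, policy = UNICODE_POLICY) {
  return policy.test(password);
}

// Constructed samples: the issue's two passwords plus a few more edge cases.
const SAMPLES = [
  'A123456c',                      // accepted by both policies
  'A123456ç',                      // the issue's case: ASCII rejects, Unicode accepts
  'Ärger-2024',                    // non-ASCII uppercase: same split
  'Correct-Horse-Battery-Staple1', // 29 chars: both reject, the quoted regex caps at 16
  'abcdefg1',                      // no uppercase letter: both reject
];

// Side-by-side verdicts so the behavioural difference is visible per input.
function compareValidators(passwords = SAMPLES) {
  return passwords.map((pw) => ({
    password: pw,
    ascii: validatePassword(pw, ASCII_POLICY),
    unicode: validatePassword(pw, UNICODE_POLICY),
  }));
}

// Inputs on which the two policies disagree: exactly the non-ASCII letters.
function disagreements(passwords = SAMPLES) {
  return compareValidators(passwords)
    .filter((r) => r.ascii !== r.unicode)
    .map((r) => r.password);
}

console.table(compareValidators());
```

Note that the error message quoted in the issue promises only a minimum of 8 characters, while the quoted regex also imposes a 16-character maximum, so a long passphrase is rejected by both variants above; whichever way the requirements are settled, the message and the regex should state the same rule.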

Up-to-date postman collection as per all the supported vulnerabilities

Is your feature request related to a problem? Please describe.
The current crAPI postman collection is 5 months old and there have been some enhancements afterward. Some of the changes might be in API specs and will need updates in API specs as well as postman collections.

Describe the solution you'd like
Can we have a GitHub workflow which runs on every PR or every week, checks for a diff of postman collection, and updates the postman collection if necessary?

crapi-workshop fails to build

I am experiencing problems building the crAPI application. The crapi-workshop image will not build. Are there detailed instructions on how to get the application up and running?

Getting this error: "/bin/sh: /app/runner.sh: not found"

Authentication issue for crapi identity

sudo docker-compose pull
Pulling postgresdb ... done
Pulling mongodb ... done
Pulling crapi-identity ... downloading
Pulling crapi-community ... done
Pulling crapi-workshop ... done
Pulling crapi-web ... done
Pulling mailhog ... done

ERROR: for crapi-identity unauthorized: authentication required
ERROR: unauthorized: authentication required

How do you stop crAPI web app from running on server?

This is not a bug or a feature request. I'm just wondering: how do you stop the crAPI web app from running on the server?

# Start crAPI web app!
$ sudo docker-compose -f docker-compose.yml --compatibility up -d

# Stop crAPI web app?
???

Unable to connect to webserver

Hi,

I followed the instructions to clone the repository and install Docker, then ran it in Docker, but I am unable to connect to the web server on port 8888.

I can connect to the mail client on port 8025.

I've run netstat -antp and port 8888 is listening but when I try and connect either using firefox or curl the connection is refused.

crapi-web not starting

Port 8888 isn't listening when I tried netstat -antp, but port 8025 is listening, i.e. I can open localhost:8025 for mailhog in my web browser, but localhost:8888 is not working... I tried to uncomment everywhere I saw ports in the yaml file, but it has to be commented before it can run its docker container. After checking the state using docker inspect crapi-web, the result states that it is in an unhealthy state. I can't open the logs folder /var/lib/docker...

Profile Picture image not loading on Community Forum

Hi!

I'm able to change my profile picture on the my-profile page. However, when I then comment on a post on the Community page and/or create a new post, I'm not seeing my profile picture load. Is this a bug? Part of any challenge?

Thanks!
Chris

Running in docker

Workshop image is broken - python dependency changed

Traceback (most recent call last):
  File "manage.py", line 36, in <module>
    main()
  File "manage.py", line 32, in main
    execute_from_command_line(sys.argv)
  File "/usr/local/lib/python3.8/site-packages/django/core/management/__init__.py", line 381, in execute_from_command_line
    utility.execute()
  File "/usr/local/lib/python3.8/site-packages/django/core/management/__init__.py", line 357, in execute
    django.setup()
  File "/usr/local/lib/python3.8/site-packages/django/__init__.py", line 24, in setup
    apps.populate(settings.INSTALLED_APPS)
  File "/usr/local/lib/python3.8/site-packages/django/apps/registry.py", line 91, in populate
    app_config = AppConfig.create(entry)
  File "/usr/local/lib/python3.8/site-packages/django/apps/config.py", line 116, in create
    mod = import_module(mod_path)
  File "/usr/local/lib/python3.8/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "", line 1014, in _gcd_import
  File "", line 991, in _find_and_load
  File "", line 975, in _find_and_load_unlocked
  File "", line 671, in _load_unlocked
  File "", line 843, in exec_module
  File "", line 219, in _call_with_frames_removed
  File "/app/crapi/apps.py", line 22, in <module>
    import bcrypt
  File "/usr/local/lib/python3.8/site-packages/bcrypt/__init__.py", line 25, in <module>
    from . import _bcrypt
ImportError: Error loading shared library libffi.so.7: No such file or directory (needed by /usr/local/lib/python3.8/site-packages/_cffi_backend.cpython-38-x86_64-linux-gnu.so)

How to make PC-2 access "PC-1: crAPI" in home network?

Hi, I managed to set up and run crAPI without any problems on PC-1 using IP address 192.168.2.10 in my home network.

With PC-2 having IP address 192.168.2.20, I try to reach the crAPI web app from my web browser by typing 192.168.2.10:8888. But the crAPI website can't be found.

When I just type 192.168.2.10 in web browser I can reach PC-1 apache2 web server.
Also I can ping PC-1 from PC-2 in my terminal.

What do I have to do, in order to be able to surf to the crAPI server in my home network from another computer?
