s-newman / skitter

A Microblogging As A Service platform built on a microservice-based backend. Please don't look at this, it's not great code.

Python 31.92% CSS 2.07% HTML 9.27% Java 16.53% JavaScript 18.04% Shell 0.99% PHP 1.35% Ruby 19.83%
angularjs flask microblogging microservice nodejs php rest-api ruby-on-rails satire school-project skitter twitter-clone web-application

Contributors: ducphanduyagentp, s-newman

skitter's Issues

Authentication testing

Test the /isAuthenticated API method to make sure unauthenticated users cannot access pages they shouldn't have access to.

Add RIPS testing

The RIPS Scanner should be used to test for vulnerabilities in the PHP code. A test should be provided to make sure that all PHP code is up-to-spec.

CSS Validation

A CSS validator script should be written to test all CSS against the W3C CSS standards.

API Endpoint Authorization Checking

The API gateway should check if a request is authorized to be made. Not all requests can be made from all contexts - for example, a SQL statement request should not be allowed from the general internet, only from the microservice hosts.

Change User Profile Image

Users should be allowed to upload a new profile picture. This profile picture must be a certain format and within a certain size limit. Basic initial checks will be performed client-side before calling the API endpoint for this, /changeProfileImage.

Make Account Private

Users should be allowed to make their account private, so that only their followers can see their tweets. The API endpoint /changeAccountPrivacy should be created for this.

Test the Removal of Skits

Users should be able to remove Skits that they have created, and only Skits that they have created.

Follow and Unfollow Users

Users should be able to follow and unfollow other users as they please. Skits from followed users should appear on the user's dashboard.

Sign Up and Sign In Users

Users should be able to sign up for accounts and sign into their accounts using their RIT username and password combination.

Logout Confirmation

Once the user clicks the "logout" button, they should be linked to the logout confirmation page once the session ID has been deleted from the database.

Selenium Tests

Selenium tests should be created to ensure that functionality is consistent across all browsers, and that all user interactions function as they should.

SQL Database Access

Microservices will need access to the MySQL database, but they shouldn't be allowed direct access. Instead, a /sqlStatement endpoint will be provided by the API gateway only for the microservices. External hosts will not be authorized to access the /sqlStatement endpoint.
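As an added illustration of the gateway-side check the two issues above describe (this is not code from the Skitter project), the snippet below maps each endpoint to the caller contexts allowed to reach it, so /sqlStatement is refused from the public internet and unrouted endpoints get the 501 the routing issue calls for. The microservice subnet, the sample addresses and the allow-list contents are assumptions.

```python
"""Gateway endpoint authorization by caller context (added example, not Skitter's code)."""
import ipaddress
from http import HTTPStatus

# Caller contexts the gateway distinguishes.
INTERNAL = "microservice"
INTERNET = "internet"

# Constructed allow-list: endpoint -> contexts permitted to call it.
# /sqlStatement is reachable from microservice hosts only, never from the internet.
ENDPOINT_POLICY = {
    "/sqlStatement": {INTERNAL},
    "/isAuthenticated": {INTERNAL, INTERNET},
    "/signIn": {INTERNAL, INTERNET},
    "/getSkits": {INTERNAL, INTERNET},
}

# Assumed subnet where the microservice hosts run (not from the project).
MICROSERVICE_NET = ipaddress.ip_network("10.10.0.0/24")


def caller_context(remote_addr: str) -> str:
    """Classify a request by its source address; anything unparseable is treated as internet."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return INTERNET
    return INTERNAL if addr in MICROSERVICE_NET else INTERNET


def authorize(endpoint: str, remote_addr: str) -> int:
    """Return the HTTP status the gateway should answer with before forwarding.

    501 when the endpoint is not routed yet, 403 when the caller's context is
    not on the endpoint's allow-list, 200 when the request may be forwarded.
    """
    allowed = ENDPOINT_POLICY.get(endpoint)
    if allowed is None:
        return int(HTTPStatus.NOT_IMPLEMENTED)
    if caller_context(remote_addr) not in allowed:
        return int(HTTPStatus.FORBIDDEN)
    return int(HTTPStatus.OK)
```

Classifying by source address only holds when the gateway sees the real peer address rather than a value rewritten by an intermediate proxy; a per-service credential checked alongside it is the more robust control.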

Picture Processing

When users upload profile pictures, we will have to process them to ensure that they aren't trying to sneak in anything malicious. This should be done before reaching the microservices.

Sign up users and store account information

Once logged in, if a user doesn't have an account, they should be directed to a sign-up page that gathers basic information from them and stores it in the MySQL database. The API endpoint for this issue is /newUser.

Test Email Changing

We need to check if emails can be changed properly. This will test the /changeEmail API endpoint.

Check if User is Authenticated

Given a session ID, we should be able to check if a user is currently authenticated. The API endpoint for this is /isAuthenticated.

Skitter Home Page

Skitter's home page should be a landing page of sorts that prompts users to sign in/sign up. There should also be brief advertisement and branding for Skitter, to convince users that they need this in their lives.

User Dashboard

Once users log in, they should be directed to their dashboard page. This page (shown roughly in the mockup) will display the latest tweets from their followed users. Static placeholder tweets should be created to give the page some "life". Functions for APIs (buttons, etc.) should be added, and alert() the user with the API endpoint that would be contacted for that function.

Change Username

Users should be allowed to change their username if they don't like it. The /changeUsername endpoint should be implemented for this.

User Profile

Users should be able to view other users' profiles, listing the users' past skits and basic profile information.

Create API Gateway

The API Gateway is a critical part of the infrastructure, since it is the first point of contact for all API calls. The gateway will perform server-side input sanitization to prevent dangerous requests from being forwarded to the microservices.

Test Profile Picture Uploads

This should simply test that it is possible to upload profile pictures, and that files in the wrong format or files that are too large produce the proper client-side errors. This will test the /changeProfileImage endpoint.

JavaScript Validation

A JavaScript validation script should be written to test all JavaScript against established standards.

Add Skits

Users should be able to add their own skits, limited to 140 characters. These skits will be stored and indexed using ElasticSearch. The API endpoint for this is /addSkit.

Delete Users

Users should be able to delete their accounts through the settings page. The API endpoint for this is /deleteUser.

Add Users testing

Test the process of adding new users into Skitter. This should test the /signIn and /newUser API endpoints.

Remove Skits

Users must be able to remove Skits that they created, if they choose to. The API Endpoint for this is /removeSkit.

API Endpoint Routing

Basic API Endpoint routing should be created, allowing communication between microservices, databases, and the Internet. If an endpoint is not yet implemented, a 501 Not Implemented response should be returned.

HTML Validation

A test should be written to validate all HTML against the W3C markup standards.

Sign Out Users

While not directly handled on the Settings page, users will still need to be able to log out of their account. This will be handled with the /logout API endpoint.

Create Account Page

When users sign in, but have not yet created an account, they should be directed to a "create account page" with a few form fields to collect basic information for their account.

Settings Page

Users should be able to edit their account settings. This should not actually function yet, but provide the same alert() functionality as before - the frontend should work!

Add and Remove Replies

Users should be able to reply to Skits, and delete their own responses if they choose to.

Add, View, and Remove Skits

Users must be able to add and remove their own Skits, and view Skits from others! That's the whole point of Skitter!

CSRF Token Generation and Verification

The API gateway should create and keep track of CSRF tokens for all pages. This should be taken care of for the microservices, so they don't have to worry about the additional layer of intent authentication. This will implement the /getCSRFToken and /validateCSRFToken API endpoints.

Create User Interface

The User Interface should be created, and as much functionality as possible should be implemented. Any interactions with API endpoints should be replaced with console logging, but all other JavaScript should be created.

View Skits

Users should be able to view a live feed of their Skits on the dashboard. The dashboard page will regularly query the API Endpoint for this (/getSkits) to get the most recent skits.

CSRF Prevention

Since CSRF tokens are implemented, it should be impossible to carry out a CSRF attack. A script should be created to attempt a few simple CSRF attacks.

Change Email

Users should be able to change their email address if they wish. This will transfer control over their Skitter account to another RIT account, and will require confirmation emails to be sent to the involved email addresses. The API endpoint /changeEmail will be implemented for this.

Test logouts

When the user logs out, it should actually log them out. This should test the /logout API endpoint.

Password Brute-Forcing

Attackers should not be able to brute force a user's password. We need to test for and guard against this kind of attack.

View Current User Settings

When the user navigates to their settings page, it should automatically populate with their current settings. The /getSettings API endpoint will be implemented for this feature.

HTML Input Sanitization

All text input should be run through server-side sanitization before reaching the microservices. We don't want any stored XSS...

Test username changing

We need to ensure that username changes take place as expected. This will test the /changeUserName API endpoint.

Authenticate Users

We should be able to pass username/password pairs to the RIT LDAP server for authentication purposes. The API endpoint for this issue is /signIn.
