Security

Security Role Form

Security admin access user can access this tab.
Security user will be able to grant or revoke admin and security admin access from all the list of users.
User can also archive particular listed user.

URLS

Dev URL: https://tdm-dev.azurewebsites.net/roles
Prod URL: https://tdm.ladot.lacity.org/roles
GitHub location:
Figma Design:
- WIKI TDM Calculator Figma Pages and Structure
- Figma [TDM Calculator Figma Pages and Structure, User-Facing Screens]
- Figma [TDM Calculator Handoff, User-Facing Screens]

Issue label

Issue Label on Issue tab: p-feature: Security Admin page
Issue label on Project Board: p-feature: Security Admin page

Screen shots of page

Technical Details

Endpoints with Authentication Requirements

GET /api/accounts (requires isSecurityAdmin role)
PUT /:id/unarchiveaccount (requires isSecurityAdmin role)
GET /archivedaccounts (requires isSecurityAdmin role)
DELETE /:id/deleteaccount (requires isSecurityAdmin role)
PUT /:id/roles (requires isSecurityAdmin role)
PUT /updateaccount (requires user authentication)
POST /login (requires user authentication)
GET /logout (requires user authentication)

Endpoints with Authorization Requirements

isSecurityAdmin role:
- GET /api/accounts
- PUT /:id/unarchiveaccount
- GET /archivedaccounts
- DELETE /:id/deleteaccount
- PUT /:id/roles
isAdmin role:
- None explicitly mentioned in the provided code snippets

Endpoints with Potential Security Concerns

POST /register (may be vulnerable to brute-force attacks or email enumeration attacks)
POST /forgotPassword (may be vulnerable to brute-force attacks or email enumeration attacks)
POST /resetPassword (may be vulnerable to brute-force attacks or password enumeration attacks)

Additional Security Considerations

The use of JWT tokens for authentication and authorization is a good practice, but it's essential to ensure that the tokens are properly validated and verified on each request.
The jwtSession.validateRoles middleware function is used to validate roles, but its implementation is not provided in the code snippets. It's crucial to ensure that this function is correctly implemented to prevent unauthorized access.
The poolConnect function is used to connect to a database, but its implementation is not provided in the code snippets. It's essential to ensure that this function is correctly implemented to prevent SQL injection attacks.

Please note that this analysis is based on the provided code snippets and may not be comprehensive. A more thorough review of the codebase would be necessary to provide a complete security assessment.

Home

Introduction to the Project

Joining the TDM Calculator Team

After you have read the info for all joining team members, read the pages for your practice area

Uh oh!

Security

Security Role Form

URLS

Issue label

Screen shots of page

Technical Details

Endpoints with Authentication Requirements

Endpoints with Authorization Requirements

Endpoints with Potential Security Concerns

Additional Security Considerations

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!