Application demo for security assessment

Please, find the security report here: #1

This application provides a JSON API to manage hotel bookings.

Prerequisites

Install Docker
Install kubectl- Install Helm
Install Go 1.18 (you can use gvm for using a particular version)

Getting Started

make test will run unit and end-to-end tests
make build builds the app and token generator (see 'Generating JWTs, below')
make start-local creates a local k8s cluster + builds and spins up the service on port 8080

Then run

kubectl port-forward service/innsecure 8080:8080 -n innsecure

make stop-local tears down the local k8s cluster

k8s/ folder contains all the necessary k8s manifests to run this application in a production environment.

Generating JWTs

Authorisation is handled using JSON Web Tokens. The default service started via Kind uses a simple signing key of SigningString. Acquisition of a JWT is outside the scope of this task, but a tool is included to help with generating tokens for testing. make build produces a binary at ./bin/token, which will generate a working JWT for a standard user in hotel 123. The signing key, hotel ID, and admin status can be overridden using the -key, -hotel, and -admin flags, respectively.

Using the generated token, set the Authorization header of your HTTP requests to Bearer $YOUR_TOKEN_HERE, e.g.

curl --location --request GET 'http://localhost:8080/hotels/123/bookings' \
--header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhZG1pbiI6dHJ1ZSwibmFtZSI6IkguQS4gS2VyciIsIm9yZyI6MTIzLCJzdWIiOiI4NzkwYzUxNC03M2I2LTQwMGYtOGYyOC1hY2M3NGQzNDJhMjIifQ.jEVthaAkJZ2mQ0jNsXH1oSMGcYX1-_mcXcdqkLYZz8Q'

Endpoints

Create a Booking

POST /hotels/:hotelID/bookings

Using a body like this one:

{

"hotel_id":123,
"type": "Booking",
"version": 0,
"arrive": " 2021-08-13",
"leave": " 2021-08-14",
"name": "Geoff Capes"
}

Bookings can only be created by an admin user. See Generating JWTs, above for info on how to create an admin token. Bookings can only be created in the hotel of the user.

Fetch a Booking

GET /hotels/:hotelID/bookings/:bookingID

Bookings can only be fetched from a user's own hotel.

List Bookings

GET /hotels/:hotelID/bookings

A user can only list bookings from their own hotel.

Name		Name	Last commit message	Last commit date
Latest commit History 6 Commits
cmd		cmd
deployments/vault		deployments/vault
docs		docs
jwtauth		jwtauth
k8s		k8s
pkg		pkg
postgres		postgres
._.DS_Store		._.DS_Store
.gitignore		.gitignore
CANDIDATE_INSTRUCTIONS.md		CANDIDATE_INSTRUCTIONS.md
Dockerfile		Dockerfile
Makefile		Makefile
README.md		README.md
booking.go		booking.go
endpoints.go		endpoints.go
endpoints_test.go		endpoints_test.go
go.mod		go.mod
go.sum		go.sum
service.go		service.go
service_test.go		service_test.go
transport.go		transport.go

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

Application demo for security assessment

Prerequisites

Getting Started

Generating JWTs

Endpoints

Create a Booking

Fetch a Booking

List Bookings

About

Releases

Packages

Languages

NicolasViaud/form3

Folders and files

Latest commit

History

Repository files navigation

Application demo for security assessment

Prerequisites

Getting Started

Generating JWTs

Endpoints

Create a Booking

Fetch a Booking

List Bookings

About

Resources

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages