-
Notifications
You must be signed in to change notification settings - Fork 0
/
README
73 lines (68 loc) · 5.32 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
== StatTrader
StatTrader (www.stattrader.com) is a startup company that will provide
a statistic trading service wherein users will anonymously "trade"
statistics into our network in exchange for the processed results of all
similar trades. For example, a user will be able to compare the statistics
from their own private company or private investments to the averages of
all other private companies in specific industries and/or regions.
== List of features
A. User Accounts and Security
1. New users and updating user information
- The user's email address must be unique to our database and be in an email address format ([email protected])
- User passwords must be confirmed (entered in twice) and must contain at least 4 characters
- Users must select their type from the dropdown, which detrmines their user type
- For new users, clicking an email confirmation link is required for account activation. This confirms they have access to the email address they are using.
- Email confirmation links are generated using a large unique token string - these are very difficult to guess
- An email confirmation link can only be requested once per 5 minutes
2. Password reset
- A user can initiate the password reset process by clicking the password reset link and providing their email address
- A link containing a large unique token is then generated sent to the user's email address
- This link with token would be very difficult to guess, and only exists for a limited time after the password reset process is started
- Clinking the link brings the user to a unique page in which they can change their password as needed. The 4 character lower limit still applies
3. Authentication
- Authentication is the process by which we confirm a user is who they say they are. We simply use a password for this.
- A user sharing or using an easily guessable password is the only issue here.
4. Authorization
- Authorization deals with what users are authorized to see and/or what they have access to
- Users are only authorized to see data that applies to them
- Manual manipulation of the stattrader app URLs is possible, but ACCESS DENIED messages and redirections will occur when trying to access something that a user does not have authorization to view.
- Some users have authorization for special pages based on user type. This will include admin type users and licensees
5. Login, Logout, Cookies, Sessions, and "Remember Me"
- To Login, a user provides email and password. For more information please see "Authentication" above
- Successful login provides the user with a session cookie that contains the user's unique auth token
- This cookie is encrypted and stored on the user's machine. The cookie is encrypted so that if the user's machine is compromised, the user's unique auth token is not compromised.
- The cookie expires after a certain amount of time. This amount of time is increased to infinite if the "remember me" box is checked on login
- The cookie expiration checks happen server-side such that manipulation of this would require decryption and re-encryption if the encrypted cookie.
- On logout cookies are expired/deleted
6. SQL Injection prevention - query sanitization
- SQL Injection is the method of an attacker manipulating a SQL query in some way - basically gaining some or full access to the database
- All queries are automatically sanitized and/or coded such that manipulation is not possible
7. CAPTCHA
- CAPTCHA is the method of confirming a user is an actual human and not an automated bot or script
- StatTrader does not use CAPTCHA at this time
- CAPTCHA would be useful for the new user page, and possibly the login page after a certain number of failed login attempts.
8. SSL
- SSL or Secure Sockets Layer is a method of encrypting information going to and from a website. This prevents "man in the middle" attacks (someone listening in or wire-tapping)
- StatTrader does not use SSL at this time but should in the future.
- SSL changes the URL of a website to https rather than http (the s stands for secure)
B. Company Data and Statistics
1. Database Storage
- Company data is stored in two database tables "Secure Stats" and "Trade Stats", secure being only theirs, and trade being traded anonymously in our network
- Each row of company data corresponds to a particular year (NOW, CY, 2Y, etc.)
- Reasoning for this was because of the different fields in the "Secure" data and "Trade" statistics, and because statistics would be compared on a per-year basis
2. "Data Sheet" page
- A table for the company's Secure data and Trade stats appears, as well as the ccompany's profile information
- Initially the 4Y and 5Y columns are hidden, but can be shown by clicking a button
- Changes to the CY's reporting scale or FYE date will propogate appropriate changes across the other years
- Clicking update&save will calculate and fill in appropriate trade statistics
- Exporting to an Excel spreadsheet is possible. It will show the company profile information and Secure Data and Trade Statistics tables
3. Statistic Calculation
- Trade Statistics are calculated and saved when a user clicks the update&save button
- If sufficient data to calculate a particular statistic does not exist, it is left blank
C. Network Statistics
1. Filters
2. Network Stats
3. Graphs
D. Other
1. User Emails
2.