website address:
https://qingshan-cloud-security.ue.r.appspot.com/
GitHub address:
https://github.com/Giotto12138/Cloud-Computing-Security
Basic functions
- A simple event management website based on Flask + GCP. Except for the Google login page, all HTML and JavaScript is served statically for security.
- Users can upload events and dates, or delete events.
- The website updates the remaining time of each event in real time and deletes expired events.
- Yearless dates work, showing the time to the next occurrence of a matching date (e.g., 03-01 means “every March 1st”).
Password-Based Authentication
- Added authentication to the website. Every event is tied to exactly one user, and every user manages a unique set of data just for them. When not logged in, the user is automatically redirected to a login page.
- All interactions are over HTTPS to secure data in transit.
- Provided a registration page that allows the user to provide a username and password, then immediately logs them in and redirects them to the main page. If the username already exists, the user must choose a different username.
- Provided a login page that allows the user to provide a username and password. If the username and password are valid, the user is logged in.
- Users must log in with an opaque session token. This is implemented without built-in helpers such as flask.session or flask-login. Users can register, log in, and log out with a session token. Session tokens expire after 1 hour; this is enforced by deleting the cookie when an expired session token is used.
- Added a logout button that invalidates the session token, removes the cookie, and redirects the user to the login page.
- Only secure derivatives of passwords are stored in the database; the bcrypt library is used for key stretching.
- Built a migration function that migrates old data to the first user (or to a user you want to own the original data).
- Checks the login status of users in real time. JSON calls redirect the entire browser window to the login page when they fail due to a missing (or expired) session token.
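The registration, login, session-expiry and logout behaviour described above, as an added example that is not the project's own code. It uses an in-memory dictionary as a stand-in for the real datastore, a `now` parameter so expiry can be tested deterministically, and `hashlib.pbkdf2_hmac` in place of bcrypt so it runs with only the standard library; the function names are assumptions, not the project's API.

```python
# Added example (not the project's code): opaque session tokens with a one-hour
# lifetime, plus salted, key-stretched password storage. The project uses bcrypt;
# pbkdf2_hmac is used here only so the example runs with the standard library.
import hashlib
import hmac
import os
import secrets
import time

SESSION_TTL_SECONDS = 3600   # tokens expire after one hour, as in the project
PBKDF2_ITERATIONS = 100_000  # key stretching: slows down offline guessing of a leaked hash

_users = {}     # username -> (salt, derived key); constructed in-memory stand-in for the database
_sessions = {}  # opaque token -> (username, expiry timestamp)


def _derive(password, salt):
    # Per-user random salt so identical passwords do not share a stored derivative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, dklen=32)


def register(username, password, now=None):
    """Create a user and log them in. Returns a session token, or None if the name is taken."""
    if username in _users:
        return None
    salt = os.urandom(16)
    _users[username] = (salt, _derive(password, salt))
    return login(username, password, now)


def login(username, password, now=None):
    """Return a fresh opaque token on valid credentials, otherwise None."""
    record = _users.get(username)
    if record is None:
        # Run a derivation anyway so an unknown username costs as much as a wrong password.
        _derive(password, os.urandom(16))
        return None
    salt, stored = record
    if not hmac.compare_digest(stored, _derive(password, salt)):
        return None
    token = secrets.token_urlsafe(32)  # opaque: only a random lookup key, no user data inside
    expiry = (now if now is not None else time.time()) + SESSION_TTL_SECONDS
    _sessions[token] = (username, expiry)
    return token


def check_session(token, now=None):
    """Resolve a token from the cookie.

    Returns ("ok", username) for a live token, or ("delete_cookie", None) when the
    token is unknown or expired; the caller then clears the cookie and redirects to login.
    """
    entry = _sessions.get(token)
    if entry is None:
        return ("delete_cookie", None)
    username, expiry = entry
    if (now if now is not None else time.time()) >= expiry:
        del _sessions[token]  # expired: drop it server-side as well
        return ("delete_cookie", None)
    return ("ok", username)


def logout(token):
    """Invalidate the token server-side; the caller removes the cookie and redirects."""
    _sessions.pop(token, None)
```

Because the token is a random lookup key, nothing can be learned from the cookie itself, and logout or expiry takes effect immediately by deleting the server-side entry.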
Implement an OpenID Connect Client
- Implemented an OpenID Connect client to log in with Google. Users can click a third-party OpenID Connect button to go to the provider's login page.
- Added CSRF protection via double-submit cookie verification.
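How double-submit cookie verification protects the OpenID Connect callback, as an added example that is not the project's own code. The random `state` value is stored in a cookie and also sent to the provider; on the callback, the `state` in the query string must match the cookie or the login is rejected. The client id, redirect URI and function names are placeholders and assumptions; ID-token validation (signature, nonce) is a separate step not shown here.

```python
# Added example (not the project's code): double-submit cookie CSRF protection for
# the OpenID Connect login flow. Standard library only.
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder configuration (assumptions, not the project's real values).
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example/oidc/callback"
AUTHORIZATION_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
STATE_COOKIE = "oidc_state"


def start_login():
    """Build the provider redirect.

    Returns (redirect_url, cookie_value). The caller sets the cookie named STATE_COOKIE
    to cookie_value (HttpOnly, Secure, SameSite=Lax) and redirects the browser to redirect_url.
    """
    state = secrets.token_urlsafe(32)  # unguessable; only the browser that started login holds it
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email",
        "state": state,
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params), state


def verify_callback(callback_url, cookie_state):
    """Double-submit check for the callback request.

    The state parameter in the query string must equal the state cookie that the same
    browser received in start_login(). Returns the authorization code on success, or None
    when either value is missing or they differ (a forged cross-site request cannot
    supply the matching cookie value).
    """
    if not cookie_state:
        return None
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    code = query.get("code", [None])[0]
    if state is None or code is None:
        return None
    # Constant-time comparison so mismatches do not leak how many characters matched.
    if not hmac.compare_digest(state.encode(), cookie_state.encode()):
        return None
    return code
```

After `verify_callback` returns a code, the server exchanges it for tokens at the provider and clears the state cookie so the value cannot be replayed.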