Security, Pen Testing & Scaling

[kmturley]

Need to check:

• Inputs are sanitized/escaped (no xss)
• File uploads are restricted to safe formats
• CSP whitelist (only allow specific domains)
• User/admin permissions are correct, no holes
• Firebase read/write rules are correct, no holes
• Firebase data schema is scalable (don't load whole lists at once, structure into separate lists)
• Application can scale on firebase hosting, email sending, uploads
• Estimate costs at scale, compared to static hosting, and Python hosting

[ankemp]

Some things to consider:
angular/angular-cli#3430
&&
angular/angular-cli#6872

[alexabbott]

@kmturley

• Inputs are sanitized/escaped (no xss)
  DONE

• File uploads are restricted to safe formats
  DONE - restricted on FE and in Storage Rules

• CSP whitelist (only allow specific domains)
  DONE - had to add 'unsafe-inline' for CSS + 'unsafe-eval' for JS based on the articles @ankemp commented, then 'unsafe-inline' for JS because of CKeditor (WYSIWYG)

• User/admin permissions are correct, no holes
  DONE

• Firebase read/write rules are correct, no holes
  DONE

• Firebase data schema is scalable (don't load whole lists at once, structure into separate lists)
  DONE

• Application can scale on firebase hosting, email sending, uploads
  DONE -- email sending is via gmail, so it is limited. Scaling email sending would require use of third-party email service like Mailgun

• Estimate costs at scale, compared to static hosting, and Python hosting
  TODO

[kmturley]

Getting some permissions errors now when I view the admin area:

• /admins/-473942351
• /approvals
• /approvals/products
• /users
• /orders
• etc

Am I an admin?

[alexabbott]

@kmturley yes, you are a super-admin, but it says your account has not logged in yet? I've updated some of the admin functionality recently so you may have to re-login via /login

The paths you've listed should have /admin in front of them and a couple of them are invalid:

• /admins/-473942351- INVALID - should be /admin/admins/edit-admin/ADMINKEY
• /approvals - should be /admin/approvals
• /approvals/products - INVALID - there is no separate view for product approvals, all approvals live at /admins/approvals
• /users - INVALID - should be /admin/customers
• /orders - should be /admin/orders