A request to create a user on the /users endpoint returns a verification code on the response.
This makes email verification pretty useless at the moment as I can register with any email account and get verified easily.

https://github.com/zurichat/zc_core/blob/6d57d932a43d253c6bd46f308a1f669d416e3de5/user/user.go#L97-L99

-Created an end point to generate Agora RTC token base on users

• Channelname *role *tokenType *uid

• Fixed token expiration of 2 hours
• Endpoint = {{url}}/rtc/{channelName}/{role}/{tokentype}/{uid}/
• role = "publisher" or "subscriber" string
• tokentype = "userAccount" or "uid" string
• uid= integer
• channelName = string

PR - https://github.com/zurichat/zc_core/pull/188

Slack - HOD

Link - https://api.zuri.chat/users/6133d00e0366b6816a0b75c1

The link shows the details of a user created successfully

Another test link which I worked on is a form that accepts details and implements the create user logic is https://api.zuri.chat/usersform from PR - https://github.com/zurichat/zc_core/pull/238 but not currently live. It has been merged but my team (Newton) is currently experiencing problems with auto deployment probably due to the dev branch we introduced again.

Updated the blog workflow backend @DavidHODs @Aminujb @UfiairENE

• Modified the models.go folder to add new models for likes and comments. Separated likes and comments into different collections to minimize data sent to the client
• Modified the create blog function to allow creation of like and comments documents whilst creating a new blog
• Implemented the like function. User can like and unlike using the same endpoint. If user hasn't liked, we like, store the userId in the blog document in the bloglikes collection and increment the like count by 1. Else, the userId is removed from the document and the like count is decremented
• Implemented the comment function. User can comment. We store the comment in the blog document in the blogcomments collection and increment the comment count by 1
• Created a function to estimate reading time in minutes of a blog post
• Added a Generic update method in utils/db.go to allow generic updates like array increment, object field setting etc.

Some of the changes are increases in whitespace caused by code editor formatting Haven't used authentication of routes yet, need to know admin role and authentication of admin

Endpoints that require authentication should not allow a user to access them without a valid token that was provided by the login endpoint. the middleware checks the token against the secret key and signing algorithm. issue #234 /v1/welcome is protected so you need an authorization token to access it.

I created a handler for the auth/register endpoint. It creates a MongoDB doc for "Users". Let me know if there are any corrections or additions to be made. Issue #114

I should be able to login without a password, only email address

Payload:

• organisation id
• email address

Flow:

• Check if user email exists
• Generate a auto_login token with user information e.g email, organisation id, user id
• Send magic link to user email address

Endpoint: api.zuri.chat/auth/:organisation_id/login

Issue description

The multiple file upload endpoint returns all previously uploaded files as a part of the response for the current upload.

Fix

The issue was a package level variable that was been used every time a user uploads a file, on subsequent uploads, the same variable contains the state of the previous uploads, the fix is to make the variable local. I also fixed the successful empty upload bug, an invalid filter query (checking for a field that does not exist in the user struct), make server name configurable and some minor refactoring of the err variable.

CVE-2021-43565 - High Severity Vulnerability

Vulnerable Library - golang.org/x/crypto-v0.0.0-20210921155107-089bfa567519

[mirror] Go supplementary cryptography libraries

Library home page: https://proxy.golang.org/golang.org/x/crypto/@v/v0.0.0-20210921155107-089bfa567519.zip

Dependency Hierarchy:

• :x: golang.org/x/crypto-v0.0.0-20210921155107-089bfa567519 (Vulnerable Library)

Found in HEAD commit: 296953fdf7b1766daf9ff2839a0e0a7b0d3f371e

Found in base branch: dev

Vulnerability Details

The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server.

Publish Date: 2022-09-06

URL: CVE-2021-43565

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43565

Release Date: 2021-11-10

Fix Resolution: golang-golang-x-crypto-dev - 1:0.0~git20211202.5770296-1;golang-go.crypto-dev - 1:0.0~git20211202.5770296-1

Step up your Open Source Security Game with Mend here

CVE-2022-27191 - High Severity Vulnerability

Vulnerable Library - golang.org/x/crypto-v0.0.0-20210921155107-089bfa567519

[mirror] Go supplementary cryptography libraries

Library home page: https://proxy.golang.org/golang.org/x/crypto/@v/v0.0.0-20210921155107-089bfa567519.zip

Dependency Hierarchy:

• :x: golang.org/x/crypto-v0.0.0-20210921155107-089bfa567519 (Vulnerable Library)

Found in HEAD commit: 296953fdf7b1766daf9ff2839a0e0a7b0d3f371e

Found in base branch: dev

Vulnerability Details

The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.

Publish Date: 2022-03-18

URL: CVE-2022-27191

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-27191

Release Date: 2022-03-18

Fix Resolution: golang-golang-x-crypto-dev - 1:0.0~git20220315.3147a52-1;golang-go.crypto-dev - 1:0.0~git20220315.3147a52-1

Step up your Open Source Security Game with Mend here

CVE-2022-32149 - High Severity Vulnerability

Vulnerable Library - golang.org/x/text-v0.3.7

Library home page: https://proxy.golang.org/golang.org/x/text/@v/v0.3.7.zip

Dependency Hierarchy:

• github.com/spf13/VIPER-v1.9.0 (Root Library)
  • github.com/spf13/aferO-v1.6.0
    • :x: golang.org/x/text-v0.3.7 (Vulnerable Library)

Found in HEAD commit: 296953fdf7b1766daf9ff2839a0e0a7b0d3f371e

Found in base branch: dev

Vulnerability Details

An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.

Publish Date: 2022-10-14

URL: CVE-2022-32149

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-32149

Release Date: 2022-10-14

Fix Resolution: v0.3.8

Step up your Open Source Security Game with Mend here

• Zuri Task
• Shorten the Url to slugs instead
• Organisations slugs have '-org'
• User's Id have -users there

Now you can find by Users. The system checks if the Id contains -org or a - then handles the request based on the output.

Still in Testing, can’t test because we don’t have access to the full system or the DB.

CVE-2022-37315 - High Severity Vulnerability

Vulnerable Library - github.com/graphql-go/graphql-v0.8.0

An implementation of GraphQL for Go / Golang

Library home page: https://proxy.golang.org/github.com/graphql-go/graphql/@v/v0.8.0.zip

Dependency Hierarchy:

• :x: github.com/graphql-go/graphql-v0.8.0 (Vulnerable Library)

Found in HEAD commit: 296953fdf7b1766daf9ff2839a0e0a7b0d3f371e

Found in base branch: dev

Vulnerability Details

graphql-go (aka GraphQL for Go) through 0.8.0 has infinite recursion in the type definition parser.

Publish Date: 2022-08-01

URL: CVE-2022-37315

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

Hi, I noticed that if u delete an account on zuri.chat, it's not actually deleted.

You can't signup again using that account because it already exists and when you try to login, u get a not verified error.

So when the account is trying to recreate it should reactivate it and not have verification problem or even reverify it