A User Backup web application built with Flask and integrating Keycloak for authentication and Two Factor Authentication (Complies Data Privacy)

 

Backend Application (Python with Flask):

Key Components:

  • Environment Variables and Configuration: The application is configured using environment variables. These are crucial for security, as they keep sensitive data like passwords and secret keys out of the source code.
  • Flask App Initialization and Configuration: The Flask web application is initiated, and configurations like 'UPLOAD_FOLDER' and security features are set up.
  • Database Setup: SQLAlchemy is used to set up a database to store user information, including their TOTP secrets.
  • Routes: Various routes are defined for functionalities like TOTP setup, file upload, file deletion, and download.
  • Encryption & Decryption Utilities: Utilizing pyAesCrypt for encrypting and decrypting data ensuring data security.

2. User Authentication:

Backend (Python):

  • Uses Keycloak, an open-source Identity and Access Management tool. It's integrated using environment variables and configurations files.
  • JWT tokens are used for secure, token-based user authentication.

Frontend (HTML/JS):

  • Login Page: Utilizes Keycloak's JavaScript adapter to initialize the authentication process. It redirects users based on their 2FA setup status.
  • Error Handling: Displays error messages if the Keycloak initialization or user authentication fails.

3. Two-Factor Authentication (2FA) with TOTP:

TOTP Setup (HTML):

  • Users scan a QR code with an authenticator app and enter the TOTP to enable 2FA.
  • The secret key for generating TOTPs is stored encrypted in the database.

TOTP Verification (HTML):

  • Users input the TOTP from their authenticator app for verification during login.

4. File Management:

Backend (Python):

  • Users can upload, delete, and download files. Files are stored in an encrypted format, enhancing security.

Frontend (HTML):

  • File Upload and Deletion: Forms for uploading and selecting files to delete. Includes client-side validation to ensure file selection before submission.
  • File Listing and Pagination: Displays uploaded files with download links, implementing pagination to manage the display of a large number of files.

5. User Logout:

Backend (Python):

  • A route that handles user logout, ensuring only authenticated users can log out and logging each logout activity.

Frontend (HTML/JS):

  • A styled logout page with a button that triggers the logout function, logs the user out from both the app and Keycloak, and then redirects the user to a specified URI or homepage.

6. Security Measures:

  • Content Security Policy (CSP): Implemented to prevent cross-site scripting and data injection attacks.
  • Encryption: Files and TOTP secrets are encrypted before being stored.

7. Logging:

  • Utilizes Python’s logging module to log information and potential security issues, aiding in monitoring and debugging.

Closing Thoughts:

Understanding the coordination between frontend and backend, security practices like encryption, 2FA, and secure user authentication through tools like Keycloak is vital. Analyze and experiment with these codes, focus on enhancing security, user experience, and explore adding new features to broaden your learning.

Feel free to delve into each part, experiment, and understand how each piece contributes to the whole, keeping in mind the significance of security, user experience, and efficient code structure in web development.

Install, Configure and Test:

Use Ubuntu 22.04 LTS.

Install 'pip' and other packages for this application ================================= sudo apt install python3-pip pip install requests pip install pyAesCrypt pip install PyJWT pip install flask pip install flask-login pip install flask_sqlalchemy pip install pyotp pip install qrcode[pil] pip install flask-talisman pip install flask-cors

Directories to note or create , /root/ , /root/static/ , /root/templates/ and /etc/systemd/system/

Now download the Zip file from https://drive.google.com/file/d/1rLcSac_MvmZJIbi-cUYrTbFfVUsqkzBo/view?usp=sharing

The Zip file has ,


After unzipping, read the pdf to create a 'testclient' client in keycloak server.From there only we download the keycloak.json file.

After unzipping the file , place keycloak.json,selfsigned.pem and totp6.py in /root/ directory.

*selfsigned.pem is a selfsigned certificate used in https://172.105.253.137:8443/ (Keycloak Server)

Place keycloak.json in /root , /root/static/ and /root/templates/ directory.

Place all html files in /root/templates/ directory.

Place keycloakqr service file in /etc/systemd/system/ directory.

Now issue the below linux commands,

sudo systemctl daemon-reload

systemctl start keycloakqr.service

systemctl enable keycloakqr.service

systemctl status keycloakqr.service

After the application starts , you can monitor the logs at 'app.log' file created in /root/ directory.You can use 'tail -f app.log' to monitor live logs within /root/ directory.

!!!Enjoy User Backup that complies Good security and Data Privacy!!!

Note : If someone lost the phone after Google/Microsoft Authenticator registration, as an admin considering security, login to application server /root/instance/ directory and delete the respective users TOTP secret using the command echo "UPDATE User SET secret=NULL WHERE name='a4982669-c121-4a30-974a-61cc077819bc';" | sqlite3 users.db

where a4982669-c121-4a30-974a-61cc077819bc is the respective user account name.







For Support, support@cybersecuritysolutions.raiseaticket.com

Comments

Post a Comment

Popular posts from this blog