A simple (and lightweight) service to observe the accessibility of web systems.
requirements:
- Node.js LTS
- MongoDB
cp .env.example .env
<edit .env file>
npm i
start mongo db:
npm run startDb
or, if you're into Docker, for ephemeral/testing purposes (the container and its data are discarded on exit because of --rm):
docker run -p 27017:27017 --rm mongo:3.4
start application:
npm start
npm run watch
access control business logic:
- the frontend should only be accessible from the ironshark local network (and VPN)
- API endpoints should only be accessible via the frontend
- the API endpoint /api/v1/siteInfo should also be accessible from the public internet, but with some kind of authentication
The route / is protected by a middleware (see src/backend/index.js). The middleware reads the request header "x-forwarded-for" and compares the client address in it with the ironshark network public IPs. The authorized IPs are configured in src/backend/config/index.js.
Note: You may have to change the configured IPs in the config when the ironshark public IPs change.
For local development this protection is bypassed because the "x-forwarded-for" header is not set.
The route /api and all routes below it are protected by a middleware (see src/backend/index.js). The middleware checks the request header "x-auth", which must contain the admin token. The token is configured in src/backend/config/index.js.
The frontend's API requests carry the "x-auth" header, so the frontend has full access to the API.
The API endpoint /api/v1/siteInfo does NOT require the "x-auth" header. If the "x-auth" header is NOT set, it checks the URL query parameter token instead.
Client tokens can be configured via the frontend ("Add Client").
Add the configured token as the token query parameter of the API request to get public access.
Public services should not use the "x-auth" header method to gain access. They should use the token query param method.
Eyewitness also ships with a Slackbot.
Just take the token of the bot you created in Slack and put it in the environment variable SLACK_TOKEN.
See all Slackbot commands by typing `ey, help`.