What is Worth the Weight?

A web application for tracking food consumption. You can also record whether you exercised on any given day.

Note: this will not work out of the box as db bootstrapping still needs to be setup.

Testing

When in a development environment, dev mode can be disabled with ?DEBUG=0

PHASE 1

sprint 1

• Add form to submit quantity of food, fractional measurement unit, food item, and date.
• Add sqlite database support to store form data.
• Add front end button to delete record.
• Import food data
• Invisibly add time
• Display food name, not id when appending via js
• Append action cell via JS too
• Enable search
• content enter not just tab
• Make sure all db queries are prepared before executed
• Finish integrating pop-up notices https://notifyjs.jpillora.com/

sprint 2

• integrate htmx for handling requests on client and updatin UI
• add pagination to journal view
• show point count for selected date in journal view
• Show basic daily summary
• click date to load view for today
• validate (right form) and verify (sensical) data inputs
• fix htmx conflict with displaying notifications
• fix reactivity of deleting items for offcanvas journal
• fix 'next page' bug
• reset form after submit

sprint 3

• rework submit food log
• remove cell editing
• deleting from journal should update 'big picture'
• use Eloqent models instead of PDO style
• update code to use more fully html application state management
• fix rounding error in big-picture display
• when adding food, it should update journal properly
• fix stats calculations
• make sure carbon is using localtime
• signed urls to prevent arbitrary access to resources
• add a calendar that summarizes progress
• webroot is wrong!
• optimize resource loading (js/css)
• finish swapping weird html solution for header triggered events (htmx)
• click date to jump to page state
• fix bug that causes wrong date to be highlighted on calendar
• multiuser support with login system

sprint 4

• why is path deps triggering same elements multiple times??
• dont send form data to views
• have forms target iframes when JS not allowed
• basic functionality without javascript
• fix cant scroll button on small screens
• use HX-Trigger to handle other actions stored in global App object
• querystring for management of certain states
• add tooltip with 'multiplier' explaination
• reduce redundant queries
• going through query log help me to find redudnant db queries
• some kind of effect is needed to show page changing
• fixed big hole in fuzzing block (redirects to urls with querystring were not signed and were not required to be signed)
• iframe could be more helpful. present more information
• datatable gets messed up after adding new data. needs to be reinited

Security and fault tolerance sprint

• use signed urls (makes it difficult for endpoints to be abused)
• doorway to manage walks (handled by HATEOS approach).
  • these are /home and /login
• ensure that one user's records cannot be deleted by another user by only accessing through a user model (can happen through form manipulation)

• OWASP Zap (passive scan)

  • X-Frame-Options Header Not Set
  • Server Leaks Information via "X-Powered-By" HTTP Response Header Field
  • X-Content-Type-Options Header Missing

PHASE 2

Security again

• Instead of indicating that a username is unrecognized, say 'email will be received if this account exists'
• Password reset via email (Follow this design guide: https://blog.prototypr.io/ux-guide-password-reset-user-flow-bfa35a16e527)
  • Get email to go through on dev machine
  • Distinguish between plain text and HTML emails
  • Get email to go through on live site.
• Test if the user is a superadmin ()
• Retool the 'delete food log' button so that only active (test) user's log is nuked
• Determine if URL signature should be updated periodically, automatically
• ensure enviroment fallbacks work properly
• Deal with Insecure Direct Object References vulnerability (IDOR)
  • uuid can't be generated by eloquent model for user since those records are created by php-auth library
  • Use https://github.com/webpatser/laravel-uuid
• need to sanitize all form inputs BEFORE trying to validate
• When it comes to validation, need to also know that real records are being referenced!
• tables should be shown in columns that can be collapsed if in mobile view

More features

• Allow to add a point goals
• Is it necessary to have all these log statements if using the log regeister log?

other

• use tracy's PSR adapter to incorporate monolog.
• new user, autocreate new settings entry, new user goals
• figure out flash messages
• use validation library
• update migration
  • When creating users table, should also create record in users_settings table

docker

• find that docker multistage document that explained how to keep local vendor and docker vendor separated
• use multi-stage builds to for creating images for dev and prod
  • create separate vendor and node_modules dirs? https://www.sentinelstand.com/article/docker-with-node-in-development-and-production
• where is tracy bar??
• make sure read/write permissions in place for backend/appcache
• "php artisan config:cache figure out"
• should node_modules be included or excluded?
• Sort this database confusion out
  • run database boostrap after build and store db in named volume
  • ...
• use environment file
• build should not include database
• move db to beside backend/
• should the docker envs and laravel envs be distinct?
• where does laravel's config caching fit in?
• handle case without .env file
• figure out how to setup php logging separately from apache logging
• php ini instructions from docker image page
• can i integrate my local development more tightly?
• why aren't file changes syncing?? (was caused by some permissions issue on macos)
• how do you update docker deployment without nuking database???
  • make sure works in local dev

---

• Docker env and app env should not be mixed!

  cd /opt/local/lib/apache2/modules sudo /opt/local/bin/apxs -a -e -n php7 mod_php74.so

add user to www group

not clear what permissions should be for db to allow editing, and reading, and etc

.

• Popup telling user to select plan before proceeding

Reach goals

• Should check if query value exists before making query
• separate service for npm stuff
• test phinx for bootstrapping database
• when it comes to dockerizing, make sure the database has correct permissions
• preview amount of points to be added
• dockerize (option)
• Allow individual cell editing
• Allow for storing and tracking goals
• Allow for submitting new foods
• show popup after login when user's been a way for a while
• Write script to bootstrap fresh database
• cross site request forgery protection (security)
• Add help page
• Add a new-user link to help page.

y

Resources

• https://observatory.mozilla.org/ (security)
• https://blog.logrocket.com/the-ultimate-guide-to-iframes/ (iframes)
• https://github.com/shopsys/project-base/blob/master/docker/php-fpm/Dockerfile
• https://www.sentinelstand.com/article/docker-with-node-in-development-and-production
• https://blog.prototypr.io/ux-guide-password-reset-user-flow-bfa35a16e527)