comp-status's People

Contributors

dependabot[bot], hammy275

comp-status's Issues

API Refactor

API endpoints should be in /api/, and have much more sensible names.

Use that Timestamp

In preparation for future use, a timestamp exists (and is sent to clients) of when the given server information was generated. This should be used, changing the color of the name of the PC as the time gets older and older (specifying the time since last request if longer than 30 secs or a minute have passed).

Turbo on Windows

Turbo boost knowledge just doesn't work on Windows, so it should be hidden from view in the Web-UI, and not sent to the central-server by the server.

Database Lock

To prevent the server manager and the central-server itself from trying to compete over the database file, a lock should be implemented so both programs can't access it at the same time.

Leaking Tokens

This issue is being opened even though the bug has already been patched.

Long story short, since implementing the authentication system, when central-server would store the data associated with a computer as received from server, it would also store that server's token! A patch was released a couple hours earlier today, but the vulnerability itself was pretty bad; anyone with a valid login could use client to obtain any token used by a server!

Issue has been patched, this will be closed as soon as it's opened.
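The class of bug described in this issue, as an added example that is not comp-status code: a store that keeps the whole report (token included) next to one that authenticates with the token and then persists only allow-listed fields, plus a regression check that scans a client-facing view for known secrets. The class names and the report field names (`pc_name`, `token`, `cpu_percent`) are assumptions.

```python
import copy

# Constructed report, shaped as a monitored machine might send it (field names assumed).
SAMPLE_REPORT = {
    "pc_name": "lab-pc-01",
    "token": "constructed-secret-token",  # credential that authenticates the report
    "cpu_percent": 12.5,
    "timestamp": 1700000000,
}
# Allow-list: the only keys that are ever persisted or served to clients.
PUBLIC_FIELDS = frozenset({"pc_name", "cpu_percent", "timestamp"})


class LeakyStore:
    """Behaviour the issue describes: the report is stored as received."""

    def __init__(self):
        self.computers = {}

    def ingest(self, report):
        self.computers[report["pc_name"]] = copy.deepcopy(report)

    def view_for_client(self):
        return copy.deepcopy(self.computers)


class HardenedStore(LeakyStore):
    """Use the token to authenticate, then drop it before storing."""

    def __init__(self, valid_tokens):
        super().__init__()
        self.valid_tokens = set(valid_tokens)

    def ingest(self, report):
        if report.get("token") not in self.valid_tokens:
            raise PermissionError("invalid token")
        self.computers[report["pc_name"]] = {
            k: v for k, v in report.items() if k in PUBLIC_FIELDS
        }


def leaked_secrets(view, secrets_to_find):
    """Return every known secret found anywhere in a nested client-facing view."""
    if isinstance(view, dict):
        view = list(view.values())
    if isinstance(view, (list, tuple)):
        return set().union(*(leaked_secrets(v, secrets_to_find) for v in view))
    return {view} if isinstance(view, str) and view in secrets_to_find else set()
```

Running `leaked_secrets` over every client response in a test suite catches a reintroduction of the leak even if a new field later carries the token under a different key.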

Fix Modal Stuff

Items that come after the modal button will still be interactable and not be grayed out when bringing up a modal. This should seriously be fixed!

Header + Login

We should use a login page instead of a page to punch it in alongside computer information. Additionally, there should be a Navigation Bar at the top for navigating pages and showing the status that used to be in the status box.

Make the Site Look Better

Will be needed for #34.

Will probably stick with Bulma, just going to try to tune the dark mode to look nicer, and really polish out the layout of everything.

Invalid Username/password Bug

If a temporary-token expires through a central-server restart, the web UI reports an invalid username/password. This needs to be replaced with an error stating the need to retrieve a temporary-token, or not displaying anything to the user.

Ping on boot

Ping on boot. If it fails, ask for IP address. There should also be the ability to "lock" the IP address, so the prompt won't occur unless "settings.json" is deleted or corrupted, even if several pings fail.

Permanent Token Pollution

Since permanent tokens literally last forever, we need to take some measures to prevent a giant amount of them from being generated. Ideas include:

  • Allowing an auth flow of username/password --> temp-token --> comp-status requests, so people not using cookies on the web client don't need to worry about creating a ton of tokens. Note that on cookie switch, we should attempt to automatically delete our token.
  • 1 permanent token per account. This way, the token represents the user, and can be deleted easily instead of guessing the token in the case of an attack on the user's permanent token.

Setup Instructions

There are literally no instructions to set this up, they should be made and put on the Wiki!!

Finish LICENSE

Add LICENSE information at the top of source files and stuff. Probably also add a copyright notice or something.

Android Client

The original purpose of this project was to have an app that could allow monitoring of computer usage at a quick glance. Now that security is done with to the best of my abilities, it's time I get this done.

User management in web ui

Need a new permission for this.
Would also be nice for server manager to have the ability to change permissions of users.

Token Manager Improvements

  • Let the delete button actually stay on the side of the dropdown menu
  • For the permanent tokens, show the user said token is assigned to
  • On token delete, remove it from the dropdown menu client-side without having to refresh.

User types

A user should be a "computer user" (can only send data to central-server), "regular user" (takes computer data from central-server), or "both". This won't be a type thing, rather will use the permissions system.

ipAddress Storage Key Not Cleared Properly

If one logs in without a custom IP, the custom IP field isn't cleared. This means on refresh, the site assumes that we DO want to use a custom IP if we ever used one in the past!

Old Computer Removal

We should allow the removal of computers from the computer dictionary when they are offline (probably manually)

Auto-Login with Perma Token

Attempt login if we have a perma token already from cookies.

To my knowledge, this is fixing a regression.

Delete Temp-Token on Logout

This would require users to be able to delete their own tokens. Put simply, this would prevent tons of temporary tokens from polluting the list of tokens.

Permanent token system

Username + password gets permanent token. Permanent token retrieves 24 hour lasting tokens. 24 hour lasting tokens used for doing things. Both types are revokable.
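The flow in this issue (password to permanent token, permanent token to 24-hour token, both revocable), as an added example that is not comp-status code. `TokenService`, the `check_password` callback, storing only SHA-256 digests of tokens, and revoking a permanent token's child tokens along with it are assumptions of this sketch, not behaviour stated on the page.

```python
import hashlib
import secrets
import time

TEMP_TTL = 24 * 60 * 60  # the issue's 24-hour lifetime, in seconds


def digest(token):
    return hashlib.sha256(token.encode()).hexdigest()  # only digests are stored


class TokenService:
    def __init__(self, check_password, clock=time.time):
        self.check_password = check_password  # hypothetical callback: (user, pw) -> bool
        self.clock = clock
        self.permanent = {}  # digest -> username
        self.temporary = {}  # digest -> (username, expiry, parent permanent digest)

    def login(self, user, password):
        """Username + password -> permanent token."""
        if not self.check_password(user, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.permanent[digest(token)] = user
        return token

    def exchange(self, permanent_token):
        """Permanent token -> temporary token that lasts 24 hours."""
        parent = digest(permanent_token)
        user = self.permanent.get(parent)
        if user is None:
            raise PermissionError("unknown or revoked permanent token")
        token = secrets.token_urlsafe(32)
        self.temporary[digest(token)] = (user, self.clock() + TEMP_TTL, parent)
        return token

    def authorize(self, temp_token):
        """Return the username for a live temporary token, else None."""
        user, expiry, _ = self.temporary.get(digest(temp_token), (None, 0, None))
        return user if self.clock() < expiry else None

    def revoke_temporary(self, temp_token):
        return self.temporary.pop(digest(temp_token), None) is not None

    def revoke_permanent(self, permanent_token):
        """Revoke a permanent token and (assumption) the temporary tokens it issued."""
        parent = digest(permanent_token)
        revoked = self.permanent.pop(parent, None) is not None
        self.temporary = {d: e for d, e in self.temporary.items() if e[2] != parent}
        return revoked
```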

Temporary Token Labels

Permanent tokens are labeled with the assigned user in the web UI. The same should be done for temporary tokens.

First Time Setup Wizard

With the DOCKERFILE (most likely) coming soon, it would be pretty nice to not have to launch a shell in the container to do first time setup.

As such, the web UI should present a first time setup if the database is not configured, and hasn't been previously configured.

1.0.0 Release

Right now, comp-status releases purely by commit. There needs to be releases!

Configuration

Central server needs some configuration options like a custom port!

Use JSON for Communications

Currently, any information being sent to central-server has to be a Python dict. This should be changed to JSON to make writing clients for languages other than Python easier.

AUTHENTICATION

I'll probably make a simple username and password authentication. For both the server and client, a username and password is sent to the central-server, which returns a token for future use.

Since I don't have the technical nor mathematical knowledge currently to create tokens that properly decrypt server-side, they will instead be a randomly generated string of characters, which expire when the central-server shuts down.

No way I'm going to do this right, but there's a first time for everything.
