This is a Web Security project developed as part of a university course, focusing on building a secure University Management System using Laravel. The system manages various university roles, authentication flows, and APIs for mobile interaction. The project emphasizes security practices, role-based access control, and collaborative development. All team members will work on all aspects of the project to ensure everyone gains comprehensive experience across the entire development process.
- Mohamed Saied
- Ahmed Essam Eldin
- Omar Ahmed Mohamed
- Mohamed Tarek Sayed
The system must include:
- Core Functionality: A university management system with features for managing students, faculty, and administrative tasks.
- Roles and Permissions:
  - At least 5 roles: Admissions, DRs (Professors), TAs (Teaching Assistants), Students, and IT Support.
  - Role-based access control using the Spatie Laravel Permission package.
  - A role editor for admins to define and manage roles dynamically.
- Authentication:
  - Login, registration, email verification, and password reset.
  - Social login support (e.g., Google, GitHub, LinkedIn) using Laravel Socialite.
  - Unified authentication experience with dark/light mode support.
  - Secure OAuth integration with providers following best practices.
- Security:
  - Hosted locally with SSL for secure communication.
  - Secure APIs for mobile interaction (customer-facing, i.e., for students).
- APIs:
  - RESTful APIs for mobile app integration, accessible only to students.
  - API documentation published on Postman.
- Additional Features:
  - To be defined as the project progresses.
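The roles and permissions requirement above maps onto a seeder plus permission-gated routes. The following is an added example written for this README, not code from the project repository; it assumes `spatie/laravel-permission` is installed with its migrations run, and the role and permission names are constructed here (the real project will define its own in the role editor).

```php
<?php
// Hypothetical database/seeders/RolesAndPermissionsSeeder.php (added example, not the project's
// own code). Assumes spatie/laravel-permission is installed and its migrations have run; the
// role and permission names below are constructed for this example.

namespace Database\Seeders;

use Illuminate\Database\Seeder;
use Spatie\Permission\Models\Permission;
use Spatie\Permission\Models\Role;
use Spatie\Permission\PermissionRegistrar;

class RolesAndPermissionsSeeder extends Seeder
{
    // Role => permissions. Routes and views check permissions, not role names, so the
    // admin role editor can regrant access later without code changes.
    private const ROLE_PERMISSIONS = [
        'admissions' => ['students.create', 'students.view'],
        'dr'         => ['courses.manage', 'grades.edit', 'grades.view'],
        'ta'         => ['courses.view', 'grades.view'],
        'student'    => ['courses.view', 'grades.view-own'],
        'it_support' => ['users.view', 'users.reset-password'],
    ];

    public function run(): void
    {
        // Spatie caches the permission table; reset it so this run starts from the database state.
        app()[PermissionRegistrar::class]->forgetCachedPermissions();

        foreach (self::ROLE_PERMISSIONS as $roleName => $permissions) {
            foreach ($permissions as $permission) {
                Permission::findOrCreate($permission, 'web');
            }
            // syncPermissions() also removes permissions no longer listed here, so re-running
            // the seeder brings a role back to the documented baseline.
            Role::findOrCreate($roleName, 'web')->syncPermissions($permissions);
        }
    }
}

// routes/web.php (excerpt, shown as a comment because it is a separate file). Laravel's core
// `can:` middleware consults the Gate, and Spatie registers a Gate::before hook, so permission
// checks need no extra middleware aliases. Controller names are assumed.
//
// Route::middleware(['auth', 'verified'])->group(function () {
//     Route::middleware('can:students.create')
//         ->post('/students', [StudentController::class, 'store']);
//     Route::middleware('can:grades.edit')
//         ->put('/courses/{course}/grades', [GradeController::class, 'update']);
//     Route::middleware('can:grades.view-own')
//         ->get('/my/grades', [StudentGradeController::class, 'index']);
// });
```

Register the seeder in `DatabaseSeeder` so `php artisan migrate --seed` creates the five roles. Gating on permissions rather than on role names is what lets an admin reshape roles in the role editor without touching route definitions.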
- Backend: Laravel (PHP framework)
- Frontend: Blade templates (default) with optional Vue.js for dynamic components
- Database: MySQL (via XAMPP)
- Role Management: Spatie Laravel Permission
- Social Login: Laravel Socialite
- API Documentation: Postman
- Local Development: XAMPP with SSL enabled
- Version Control: Git (hosted on GitHub)
- XAMPP: Ensure Apache and MySQL are installed and running.
- PHP: Version 8.1 or higher (compatible with Laravel 10/11).
- Composer: For managing PHP dependencies.
- Node.js/NPM: If using Vue.js for frontend components.
- Git: For version control.
- Postman: For testing and documenting APIs.
Clone the Repository:
- `git clone https://github.com/Black1hp/Web-Security-Project.git`
- `cd university-management-system`
Install Dependencies:
- `composer install`
- `npm install`
Configure Environment:
- Copy `.env.example` to `.env`: `cp .env.example .env`
- Update `.env` with your database credentials (MySQL via XAMPP) and other configurations (e.g., mail driver, social login keys).
- Generate an application key: `php artisan key:generate`
Setting up OAuth Providers:
- Google OAuth:
  - Go to the Google Cloud Console
  - Create a new project
  - Navigate to "APIs & Services" > "Credentials"
  - Configure the OAuth consent screen
  - Create OAuth 2.0 credentials
  - Add the redirect URI as `http://project.localhost.com/auth/google/callback`
  - Copy the Client ID and Secret to your `.env` file
- GitHub OAuth:
  - Go to your GitHub Developer Settings
  - Create a new OAuth App
  - Set the Authorization callback URL to `http://project.localhost.com/auth/github/callback`
  - Copy the Client ID and Client Secret to your `.env` file
- LinkedIn OAuth:
  - Go to the LinkedIn Developer Portal
  - Create a new app
  - Request the necessary permissions
  - Add the redirect URL: `http://project.localhost.com/auth/linkedin/callback`
  - Copy the Client ID and Client Secret to your `.env` file
Set Up Database:
- Create a MySQL database (e.g., `university_system`) in phpMyAdmin.
- Run migrations and seed the database: `php artisan migrate --seed`
Enable SSL Locally:
- Use XAMPP's Apache configuration to enable HTTPS.
- Generate a self-signed SSL certificate using OpenSSL or a tool like `mkcert`.
- Update `.env` to reflect the HTTPS URL (e.g., `APP_URL=https://localhost`).
Run the Application:
- `php artisan serve`
- Access the app at `https://localhost:8000` (or your configured port).
Optional Vue.js Setup:
- If using Vue.js, compile frontend assets: `npm run dev`
The following tasks need to be completed by the team:
- Email Verification
  - Implement a robust email verification system for new users
  - Add verification expiry and resend functionality
  - Create email templates for verification messages
- Social Media Login
  - Finish implementing OAuth login with Google, GitHub, and LinkedIn
  - Link student accounts with social media profiles for multi-login options
  - Create consistent UI for all social login options
- User Profiles
  - Add profile picture upload functionality with image validation and resizing
  - Create profile edit pages for all user roles
  - Implement avatar display throughout the application
- RESTful API
  - Build comprehensive API endpoints for all core functionality
  - Implement proper authentication and authorization for API access
  - Create detailed API documentation in Postman
- Mobile Integration
  - Ensure all APIs are compatible with future mobile applications
  - Test API performance and optimize response times
- Student Dashboard Customization
  - Create personalized dashboards based on student programs and courses
  - Add quick access widgets for common student tasks
  - Implement notifications system for important updates
- UI/UX Improvements
  - Ensure consistent styling across all application pages
  - Optimize UI for both desktop and mobile devices
  - Implement dark/light mode toggle
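The Social Media Login and Email Verification tasks above, together with the OAuth provider setup in the installation steps, come together in one Socialite controller. The following is an added example for this README, not the project's own code. It assumes `laravel/socialite` with the Google, GitHub and LinkedIn drivers configured in `config/services.php` from `.env`, a `User` model that uses Spatie's `HasRoles` and implements `MustVerifyEmail`, and an assumed `SocialAccount` model (columns `user_id`, `provider`, `provider_id`, with a `user()` relation) exposed as `User::socialAccounts()` so one student can link several providers.

```php
<?php
// Hypothetical app/Http/Controllers/Auth/SocialLoginController.php (added example, not the
// project's own code). Assumed pieces: Socialite drivers configured from .env, a User model
// with Spatie's HasRoles, and a SocialAccount model (user_id, provider, provider_id) reachable
// through User::socialAccounts() and SocialAccount::user().

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use App\Models\SocialAccount;
use App\Models\User;
use Illuminate\Auth\Events\Registered;
use Illuminate\Http\RedirectResponse;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Str;
use Laravel\Socialite\Facades\Socialite;
use Laravel\Socialite\Two\InvalidStateException;

class SocialLoginController extends Controller
{
    // Allow-list of providers: the {provider} route parameter never reaches Socialite unchecked.
    private const PROVIDERS = ['google', 'github', 'linkedin'];

    public function redirect(string $provider): RedirectResponse
    {
        abort_unless(in_array($provider, self::PROVIDERS, true), 404);
        // Socialite stores a random `state` value in the session before sending the browser away.
        return Socialite::driver($provider)->redirect();
    }

    public function callback(string $provider): RedirectResponse
    {
        abort_unless(in_array($provider, self::PROVIDERS, true), 404);
        try {
            // user() exchanges the authorization code for a token and checks that `state`
            // matches the session; a mismatch means this callback did not start from redirect().
            $social = Socialite::driver($provider)->user();
        } catch (InvalidStateException) {
            abort(403, 'OAuth state mismatch; please start the login again.');
        }

        // The (provider, provider_id) pair is the identity the provider actually vouches for.
        $account = SocialAccount::where('provider', $provider)
            ->where('provider_id', $social->getId())
            ->first();

        if ($account) {
            $user = $account->user;
        } elseif (Auth::check()) {
            // A logged-in user linking an extra provider to the account they already own.
            $user = Auth::user();
            $user->socialAccounts()->create(['provider' => $provider, 'provider_id' => $social->getId()]);
        } elseif (User::where('email', $social->getEmail())->exists()) {
            // Never merge into an existing local account on the e-mail claim alone: not every
            // provider verifies e-mail, and merging would let a provider login take over a local one.
            return redirect()->route('login')->withErrors([
                'email' => 'An account with this e-mail already exists. Log in and link the provider from your profile.',
            ]);
        } else {
            $user = User::create([
                'name'     => $social->getName() ?? $social->getNickname() ?? 'New user',
                'email'    => $social->getEmail(),
                // Unusable random password; pass the raw string instead if User uses the 'hashed' cast.
                'password' => Hash::make(Str::random(40)),
            ]);
            $user->socialAccounts()->create(['provider' => $provider, 'provider_id' => $social->getId()]);
            $user->assignRole('student');
            // Fires the verification e-mail (User implements MustVerifyEmail), so the provider's
            // e-mail claim is confirmed through the project's own verification flow.
            event(new Registered($user));
        }

        Auth::login($user, remember: true);
        return redirect()->intended('/dashboard');
    }
}

// routes/web.php (excerpt, separate file): paths match the callback URLs registered with each provider.
// Route::get('/auth/{provider}/redirect', [SocialLoginController::class, 'redirect'])->name('social.redirect');
// Route::get('/auth/{provider}/callback', [SocialLoginController::class, 'callback'])->name('social.callback');
```

Providers compare the redirect URI byte for byte, so the callback URLs registered in the provider consoles must use the same scheme and host as `APP_URL`; once SSL is enabled locally, the `http://` URIs from the setup steps above need to be re-registered as `https://`.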
- Branch: All changes are committed directly to the `main` branch.
- Force Pushes: Strictly prohibited to avoid overwriting team changes.
- Daily Updates: All team members must push updates to GitHub daily to ensure consistent progress and collaboration.
- Steps for Contributing:
  - Pull the latest changes from `main`: `git pull origin main`
  - Make changes locally.
  - Commit changes with a descriptive message: `git commit -m "Add feature X or fix issue Y"`
  - Push to `main` daily: `git push origin main`
  - Resolve any merge conflicts locally before pushing.
- All team members will contribute to every part of the project, including backend, frontend, authentication, APIs, and security features.
- Use GitHub Issues to track tasks, bugs, and feature requests.
- Duration: 5 weeks (ending approximately mid-May 2025).
- Milestones:
- Week 1: Set up Laravel, database, and initial roles/permissions.
- Week 2: Implement authentication (login, register, email verification, password reset).
- Week 3: Develop role editor and social login.
- Week 4: Build and test APIs, publish to Postman, and enable SSL.
- Week 5: Finalize features, test thoroughly, and prepare for submission.
- Use Laravel's built-in security features (e.g., CSRF protection, input validation).
- Sanitize all user inputs to prevent XSS and SQL injection.
- Secure APIs with Laravel Sanctum or API tokens for student access.
- Store sensitive data (e.g., API keys, social login credentials) in `.env`.
- Ensure SSL is enabled for all local and production environments.
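In Laravel the "sanitize all user inputs" point is delivered by three mechanisms rather than a sanitizer: a Form Request that allow-lists what each field may contain, parameter binding in Eloquent and the query builder (against SQL injection), and Blade's output escaping (against XSS). The following is an added example for this README, not the project's own code; it assumes a `Student` model with fillable `name`, `email`, `student_id`, `program` and `photo_path` columns and the `students.create` permission name constructed above.

```php
<?php
// Hypothetical app/Http/Requests/StoreStudentRequest.php plus a controller excerpt (added example,
// not the project's own code). Assumes a Student model with the fillable columns used below and a
// 'students.create' permission.

namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Validation\Rule;

class StoreStudentRequest extends FormRequest
{
    public function authorize(): bool
    {
        // Authorization sits next to validation: only holders of the permission may submit this form.
        return $this->user()?->can('students.create') ?? false;
    }

    public function rules(): array
    {
        return [
            // Allow-list what each field may contain; keys not listed here are dropped by validated().
            'name'       => ['required', 'string', 'max:100'],
            'email'      => ['required', 'email:rfc', 'max:255', Rule::unique('users', 'email')],
            'student_id' => ['required', 'regex:/^\d{8}$/', Rule::unique('students', 'student_id')],
            'program'    => ['required', Rule::in(['CS', 'IS', 'IT'])],
            // Uploads: real image content, bounded size and dimensions (the profile-picture task).
            'photo'      => ['nullable', 'image', 'mimes:jpg,jpeg,png', 'max:2048',
                             'dimensions:max_width=2000,max_height=2000'],
        ];
    }
}

// app/Http/Controllers/StudentController.php (excerpt, separate file, so shown as a comment).
// use App\Http\Requests\StoreStudentRequest; use App\Models\Student; use Illuminate\Support\Arr;
//
// public function store(StoreStudentRequest $request): \Illuminate\Http\RedirectResponse
// {
//     // validated() returns only the keys declared in rules(): no mass assignment of stray fields.
//     $data = $request->validated();
//
//     // Eloquent and the query builder send values as bound parameters, which is what defeats SQL
//     // injection; never interpolate request data into DB::raw(), whereRaw() or DB::statement().
//     $student = Student::create(Arr::except($data, ['photo']));
//
//     if ($request->hasFile('photo')) {
//         // store() chooses a random filename, so the client-supplied name never reaches the disk.
//         $student->update(['photo_path' => $request->file('photo')->store('avatars', 'public')]);
//     }
//
//     return redirect()->route('students.show', $student)->with('status', 'Student created.');
// }
```

On the output side, `{{ $student->name }}` in a Blade template HTML-escapes the value; `{!! $value !!}` does not and should be reserved for HTML the application generated itself. The CSRF token check mentioned in the list above is applied automatically by the `web` middleware group as long as forms include `@csrf`.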
- APIs will be built for student-facing mobile interactions (e.g., view courses, grades).
- Use Laravel Resource Controllers for RESTful endpoints.
- Example endpoints:
  - `GET /api/courses`: List available courses.
  - `GET /api/grades`: Retrieve student grades.
- Document all APIs in a Postman Collection and publish publicly.
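The two example endpoints above, restricted to students and secured with Sanctum as the security practices require, can be wired up as follows. This is an added example for this README, not the project's own code; closures keep it in one file, whereas the project would put the bodies in Resource Controllers. It assumes `laravel/sanctum`, a seeded Spatie `student` role, and assumed relations `User::grades()` (hasMany `Grade`, each belonging to a `Course`) and a `Course` model with `code`, `title` and `credits` columns.

```php
<?php
// Hypothetical routes/api.php (added example, not the project's own code). Assumes laravel/sanctum,
// a seeded Spatie 'student' role, and assumed relations User::grades() (hasMany Grade, each
// belongsTo Course) plus a Course model with code/title/credits columns.

use App\Models\Course;
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Route;
use Illuminate\Validation\ValidationException;

// Token issuance, rate-limited more tightly than the data endpoints.
Route::post('/login', function (Request $request) {
    $data = $request->validate([
        'email'       => ['required', 'email'],
        'password'    => ['required', 'string'],
        'device_name' => ['required', 'string', 'max:50'],
    ]);

    $user = User::where('email', $data['email'])->first();
    if (! $user || ! Hash::check($data['password'], $user->password)) {
        // Same response for "unknown e-mail" and "wrong password": no account enumeration.
        throw ValidationException::withMessages(['email' => ['The provided credentials are incorrect.']]);
    }
    // The mobile API is student-only; staff get a 403 even with valid credentials.
    abort_unless($user->hasRole('student'), 403, 'The mobile API is available to students only.');

    // One token per device, limited to the abilities this API actually needs.
    $token = $user->createToken($data['device_name'], ['courses:read', 'grades:read']);
    return response()->json(['token' => $token->plainTextToken]);
})->middleware('throttle:5,1');

// Every data endpoint: valid Sanctum token, verified e-mail, student role, and a rate limit.
// The 'role' alias comes from Spatie; in Laravel 11 register it in bootstrap/app.php with
// $middleware->alias(['role' => \Spatie\Permission\Middleware\RoleMiddleware::class]).
Route::middleware(['auth:sanctum', 'verified', 'role:student', 'throttle:60,1'])->group(function () {

    Route::get('/courses', function (Request $request) {
        abort_unless($request->user()->tokenCan('courses:read'), 403);
        // Select only what the mobile client needs; no internal columns leak into the response.
        return response()->json(['data' => Course::query()->get(['id', 'code', 'title', 'credits'])]);
    });

    Route::get('/grades', function (Request $request) {
        abort_unless($request->user()->tokenCan('grades:read'), 403);
        // Scoped through the token's owner: whatever ids a client sends, it only sees its own grades.
        $grades = $request->user()->grades()
            ->with('course:id,code,title')
            ->get(['id', 'course_id', 'score', 'letter']);
        return response()->json(['data' => $grades]);
    });

    Route::post('/logout', function (Request $request) {
        // Revoke only this device's token; other devices stay logged in.
        $request->user()->currentAccessToken()->delete();
        return response()->noContent();
    });
});
```

The mobile client sends the token as `Authorization: Bearer <token>` on every request; the same header is what the Postman collection should use when the team documents these endpoints, with the token stored as a collection variable rather than pasted into the published examples.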
- Test authentication flows, role permissions, and API endpoints.
- Manually test the application in a browser with SSL enabled.
- Use Postman to test APIs before publishing.
- Daily updates to GitHub are mandatory to keep the project on track.
- Regularly communicate via team channels (e.g., WhatsApp, Discord) to coordinate tasks.
- Update this README as new features or processes are added.
- If issues arise (e.g., merge conflicts, setup problems), consult the team immediately.
For questions or clarifications, reach out to any team member or create a GitHub Issue.
Happy coding!