Croodle is a web application to schedule a date or to do a poll on a general topic.
jelhan upgrade ember-cli-build-info to fix deprecation warning
Fixes deprecation warning:
  DEPRECATION: Ember CLI addons manage their own module transpilation during
  the `treeForAddon` processing. `ember-cli-build-info` has overridden the
  `this.options.babel` options which conflicts with the addons ability to
  transpile its `addon/` files properly. Falling back to default babel
  configuration options.
Latest commit acd2ec2 Nov 2, 2017
api do not hardcode another DATA_DIR if php built-in webserver is used Aug 13, 2017
app Fixes "TypeError: attempted to assign to readonly property" in Safari… Aug 31, 2017
config Fix: do not link assets with absolut paths to support serving from su… Aug 31, 2017
lib ensure that only non dev api dependencies are included in build (#138) Aug 25, 2017
mirage use ember-cli-mirage to mock api Aug 1, 2017
public make CSP even a little bit more restrictive Sep 3, 2016
tests show expiration date and warn if poll will expire in next days (#140) Aug 26, 2017
.bowerrc first steps to ember-cli Oct 30, 2014
.editorconfig update ember to 2.8 and ember-cli to 2.9.0-beta.1 Sep 20, 2016
.ember-cli first steps to ember-cli Oct 30, 2014
.eslintrc.js use ember-cli-mirage to mock api Aug 1, 2017
.gitignore updates dependencies and fixes property modified twice in a single re… Aug 1, 2017
.jscsrc update ember-suave and fix some coding style Aug 11, 2016
.travis.yml remove duplicate `yarn global add bower` call in .travis.yml Aug 1, 2017
.watchmanconfig upgrade ember-cli to 1.13.13 Dec 7, 2015
LICENSE Starting to move to Ember App Kit Jul 6, 2014
README.md ensure that only non dev api dependencies are included in build (#138) Aug 25, 2017
bower.json replace jstimezonedetect by moment.tz.guess() (#139) Aug 25, 2017
ember-cli-build.js replace jstimezonedetect by moment.tz.guess() (#139) Aug 25, 2017
package.json upgrade ember-cli-build-info to fix deprecation warning Nov 2, 2017
testem.js updates dependencies and fixes property modified twice in a single re… Aug 1, 2017
testem.json run test against safari latest in SauceLab Aug 31, 2017
yarn.lock upgrade ember-cli-build-info to fix deprecation warning Nov 2, 2017

README.md

croodle

Croodle is a web application to schedule a date or to do a poll on a general topic. Stored content data like title and description, number and labels of options and available answers, and names of users and their selections is encrypted/decrypted in the browser using 256-bit AES.

This is an alpha version. Changes could break backward compatibility. Also, it is not well tested and some features are missing. It is not meant for productive use yet.

Croodle is inspired by PrivateBin and, of course, by Doodle.

Security notice

Like any other web application based on end-to-end encryption, Croodle could be attacked by an injection of malicious code on the server side or through a man-in-the-middle attack. If an attacker could inject, for example, JavaScript, he would be able to read the decrypted content or the encryption key used in the browser and send it to a server under his control.

Therefore you have to

  • use an encrypted connection to the server hosting Croodle. In most use cases this will be an HTTPS connection. We strongly recommend that people hosting Croodle force an encrypted connection.
  • trust the server.

You could check for an attack like this by analysing the source code retrieved from the server and/or by using the developer tools of your browser to check what data is sent over the network or stored in cookies, localStorage or similar browser techniques.

Requirements

Croodle is designed to have as few requirements as possible on the server it is running on. Croodle runs on almost every web space with PHP >= 5.6. Croodle stores the data in text files, so there is no need for a database server like MySQL.

For security reasons you should have SSL encryption enabled and provide a valid certificate.

Build process and installation

Production builds are provided as GitHub release assets.

If you would like to build it yourself, you have to install yarn, bower, ember-cli and composer first.

git clone git@github.com:jelhan/croodle.git
cd croodle
yarn install
bower install
cd api/ && composer install --no-dev && cd ..
ember build --prod

Afterwards copy all files in the /dist folder to your web server.

Configuration

The api can be configured by creating a config.php inside the api/ folder which returns an associative array. Have a look at api/config.default.php for available options.

Webserver configuration

  • The data/ folder has to be writeable by the web server, but must not be publicly accessible. Protect it in your web server configuration or move it out of the webroot by changing the dataDir api option.
  • Croodle uses subresource integrity (SRI) for assets. Therefore you must not tamper with the build output (e.g. you have to disable the Cloudflare Auto Minify feature). If that's not an option for you, you have to disable SRI and build yourself.
  • HTTPS connection should be forced. You should consider using HTTP Strict Transport Security (HSTS) and HTTP Public Key Pinning (HPKP).
  • Content-Security-Policy (CSP) should be used. Default CSP headers are provided in .htaccess file but commented out.
  • Execute php api/cron.php on a regular basis to delete outdated polls. A cronjob running once a day should be fine.
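
Added example (not part of Croodle or its README): a Node.js check that the assets a server delivers still match the SRI hashes in the built index.html, which is what stops matching when something like Auto Minify rewrites the build output. The asset names and contents are constructed samples, and `sriToken`, `checkSri` and `loadAsset` are hypothetical names.

```javascript
// Added example, not Croodle code: check served assets against the SRI
// hashes in a built index.html.
const { createHash } = require('crypto');

const STRENGTH = ['sha256', 'sha384', 'sha512']; // weakest to strongest

// Build an SRI token such as "sha512-<base64 digest>" for a file body.
function sriToken(algo, body) {
  return `${algo}-${createHash(algo).update(body).digest('base64')}`;
}

// Check every <script>/<link> tag that has an integrity attribute against
// the bytes returned by loadAsset(url). As in browsers, only hashes of the
// strongest listed algorithm count.
function checkSri(html, loadAsset) {
  const results = [];
  for (const [tag] of html.matchAll(/<(?:script|link)\b[^>]*>/gi)) {
    const integrity = /\bintegrity="([^"]*)"/i.exec(tag);
    const url = /\b(?:src|href)="([^"]*)"/i.exec(tag);
    if (!integrity || !url) continue;
    const tokens = integrity[1].trim().split(/\s+/)
      .filter((t) => STRENGTH.includes(t.split('-')[0]));
    if (tokens.length === 0) continue; // no supported hash: nothing is enforced
    const best = Math.max(...tokens.map((t) => STRENGTH.indexOf(t.split('-')[0])));
    const algo = STRENGTH[best];
    const body = loadAsset(url[1]);
    const ok = body !== undefined && tokens.includes(sriToken(algo, body));
    results.push({ url: url[1], algo, ok });
  }
  return results;
}

// Constructed sample: file names and contents are made up. One asset is
// served unchanged, the other was rewritten on the way (as a minifier would).
const built = { 'assets/vendor.js': 'var a = 1;\n', 'assets/croodle.js': 'var b = 2;\n' };
const served = { ...built, 'assets/croodle.js': 'var b=2;' };
const sampleHtml = Object.entries(built).map(([path, body]) =>
  `<script src="${path}" integrity="${sriToken('sha256', body)} ${sriToken('sha512', body)}"></script>`
).join('\n');

function demo() {
  return checkSri(sampleHtml, (url) => served[url]);
}

console.log(demo());
```

For a real check, pass the index.html from the release build you trust and a `loadAsset` that returns the bytes your web server actually delivers for each URL.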

Development

ember serve generates a development build of croodle and starts a server listening on http://localhost:4200 which is serving it. If source files are changing, a rebuild and reload is triggered.

By default croodle uses an api mock in development. Since that one does not persist records, all polls are gone after a reload.

If you would like to test against the real api, run the api via the php built-in web server:

php -S 127.0.0.1:8080 -t dist/

Afterwards start the ember-cli development server using the --proxy option:

ember server --proxy http://127.0.0.1:8080

Ember-cli clears the dist folder on each rebuild. If you would like to keep created polls across rebuilds, configure the api to use a non-default folder to save your polls:

CROODLE__DATA_DIR=/tmp/croodle_data php -S 127.0.0.1:8080 -t dist/

Running tests

Ember

The preferred way is to run tests against PhantomJS, Chrome and Firefox by ember test --server. Results are reported in the command line and the browser. Files are watched for changes.

If you only want to run tests once against PhantomJS in the command line, you can use ember test. This is also used in CI.

Tests are run against a mock api provided by ember-cli-mirage.

Api

Api tests are provided by Codeception. To run them, change the current directory to /api and execute ./vendor/bin/codecept run. You have to install the composer development requirements first (composer install without the --no-dev option).

License

croodle is MIT Licensed.