
connellr023/oncology-quest


Oncology Quest

A web app architected to aid Medical Oncology trainees and rotation directors.

Important

This app is only meant for trainees. If that is not you, then please do not try using this service, as it will place unnecessary load on the webserver, and illegitimate accounts will be removed.

Note

This application is no longer in use. Previously hosted here.

Technology badges: Rust, Actix, JWT, Postgres, Vue.js, TypeScript, AWS, Docker; plus an API CI status badge.


Features

  • Straightforward user registration and authentication
  • Management dashboard for administrative users
  • Responsive and dark themed front end user interface
  • Caching and memoization of frequently accessed data to reduce server and database load

Security Measures

  • Role-based authentication for admins and regular users
  • Access code for ensuring only intended users can register
  • Password hashing with bcrypt, combined with a 64-bit integer nonce used as a salt
  • Simple rate limiter on sensitive API routes
  • HTTPS connection in production with appropriate cookies and CORS policies
  • Regex patterns that validate every user input as a defence against XSS and SQL injection; the backend already uses prepared statements, so the SQL injection filtering is defence in depth
  • Writing the backend in Rust is a security feature in itself
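As an added illustration of two of the measures listed above (the rate limiter on sensitive routes and the access code gate on registration), here is a standalone Rust example. It is not the project's own code and uses only the standard library: the names `RateLimiter`, `access_code_matches`, `guard_registration`, the limit of three requests per 60-second window, the sample IP addresses and the access code value are all assumptions made for the example. The access code stands in for the `ACCESS_CODE` environment variable from the .env sample further down.

```rust
use std::collections::HashMap;
use std::net::IpAddr;
use std::time::{Duration, Instant};

/// Fixed-window rate limiter keyed by client IP address.
/// Added example; the project's own limiter is not shown on the page.
pub struct RateLimiter {
    max_requests: u32,
    window: Duration,
    /// Per client: (start of current window, requests seen in that window).
    clients: HashMap<IpAddr, (Instant, u32)>,
}

impl RateLimiter {
    pub fn new(max_requests: u32, window: Duration) -> Self {
        RateLimiter { max_requests, window, clients: HashMap::new() }
    }

    /// Record one request from `client` at time `now`.
    /// Returns true if it is within the limit, false if it should be rejected.
    /// `now` is passed in rather than read from the clock so the logic can be
    /// tested deterministically without sleeping.
    pub fn allow(&mut self, client: IpAddr, now: Instant) -> bool {
        let entry = self.clients.entry(client).or_insert((now, 0));
        // Start a fresh window once the old one has elapsed.
        if now.duration_since(entry.0) >= self.window {
            *entry = (now, 0);
        }
        if entry.1 >= self.max_requests {
            return false;
        }
        entry.1 += 1;
        true
    }

    /// Forget clients whose window has expired so the map cannot grow without bound.
    pub fn purge_expired(&mut self, now: Instant) {
        let window = self.window;
        self.clients.retain(|_, (start, _)| now.duration_since(*start) < window);
    }

    pub fn tracked_clients(&self) -> usize {
        self.clients.len()
    }
}

/// Compare a submitted access code to the expected one in constant time,
/// so that response timing does not reveal how many leading bytes matched.
pub fn access_code_matches(submitted: &str, expected: &str) -> bool {
    let (a, b) = (submitted.as_bytes(), expected.as_bytes());
    if a.len() != b.len() {
        return false;
    }
    let mut diff: u8 = 0;
    for (x, y) in a.iter().zip(b.iter()) {
        diff |= x ^ y;
    }
    diff == 0
}

/// Outcome of guarding a registration attempt.
#[derive(Debug, PartialEq, Eq)]
pub enum Registration {
    Accepted,
    RateLimited,
    BadAccessCode,
}

/// Guard the registration route: apply the rate limit first, so repeated
/// wrong codes are throttled, then check the access code. `expected_code`
/// stands in for the ACCESS_CODE environment variable (assumed name here).
pub fn guard_registration(
    limiter: &mut RateLimiter,
    client: IpAddr,
    now: Instant,
    submitted_code: &str,
    expected_code: &str,
) -> Registration {
    if !limiter.allow(client, now) {
        return Registration::RateLimited;
    }
    if !access_code_matches(submitted_code, expected_code) {
        return Registration::BadAccessCode;
    }
    Registration::Accepted
}

fn main() {
    // Constructed sample: three attempts allowed per minute from one address.
    let mut limiter = RateLimiter::new(3, Duration::from_secs(60));
    let client: IpAddr = "203.0.113.7".parse().unwrap();
    let now = Instant::now();
    for attempt in 1..=4 {
        let result = guard_registration(&mut limiter, client, now, "wrong-guess", "example-code");
        println!("attempt {}: {:?}", attempt, result);
    }
}
```

In an Actix application this limiter would live in shared application state (for example behind a `Mutex` in `web::Data`, an assumption about how one would wire it) and be consulted before the registration handler runs; calling `purge_expired` periodically keeps the per-client map bounded under a flood of distinct source addresses.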

Warning

While the security measures in place are sufficient for the data sensitivity of this app, be smart with choosing passwords. Use one that is unique to this service.


API Integration and Penetration Testing

  • There is a separate Rust crate in this repository that handles integration testing for the API endpoints of this web app
  • The integration tests send automated requests to the API and assert the expected responses (as if to simulate a real user)
  • These tests are executed by orchestrating 3 containers via Docker Compose
    • Database container running a PostgreSQL instance
      • This serves as a disposable database for pure testing purposes
      • It is easily instantiated and destroyed since it is running in a container
    • Endpoint container running an instance of the backend server
    • Penetration/Integration container
      • This is the container that sends requests to the endpoint

Deployment Details

  • This web app is deployed for users on AWS via Elastic Container Service
  • An Application Load Balancer as well as Route 53 DNS services are employed to route users to the registered domain name

Building API for production

cargo build --release --features "production"

When building for production, it is essential to enable the production feature as that will enable the specialized cookie and CORS policies as well as the rate limiter.

Additionally, for single-container monolith use, with the API also serving the static frontend files, enable the monolith feature.

cargo build --release --features "production monolith"

Next, to containerize the compiled binary run:

docker build -t oncology-quest-api:latest .

in the oncology-quest-api directory.

If the frontend is to be run as a separate NGINX webserver, build the frontend with:

docker build -t oncology-quest-web:latest .

in the oncology-quest-web directory.

To containerize as a monolith (assuming the API was compiled with the monolith feature) run:

docker build -t oncology-quest-monolith:latest . -f monolith.dockerfile

in the root project directory.


Backend Development Environment Variables

.env file sample for backend

HOST_IP=127.0.0.1
HOST_PORT=8080
DATABASE_URL=postgres://admin:password@localhost:5432/bqdev
JWT_SECRET=...
ACCESS_CODE=...

Screenshots

(Six application screenshots appear here in the original README; the images are not reproduced in this text.)


Developed and Tested by Connell Reffo in 2024.
