Security

biotrack employs a variety of security measures. This page describes some of the decisions that were made in the design of the system.

Officers

Officers are users that are allowed to interact non-destructively with the biotrack dashboard. They can manage nearly any aspect of the database, as long as the action doesn't delete any information: the project is aimed at data analysis, and it would be a shame to lose any data.

Officers have two tiers:

  • Regular, where they can add and manage players, and manage queuing and sessions for games.
  • Admins, who can manage and create other officers, and create and archive games.

Officers are able to log in through the dashboard, and all passwords are salted and hashed using PBKDF2.

Game Tokens

Game tokens are used to authenticate a game to the biotrack server. They are generated by the server and are used to authenticate all API requests.

Orchestrator

With the current model, there would be no way to log into the system on a fresh database. Thus, if you are on the local computer (i.e. you can access the site via localhost), you are allowed to manage administrative officers and create new officers, which gives you access to the site from other computers.

Orchestrator is a tool at https://localhost:5000/orchestrator that allows the host to manage all officers (editing, archiving, demoting) and create new officers.

To limit the power of the orchestrator, it cannot manage games directly: the orchestrator must create an officer account to control the games. This prevents the orchestrator from being a single point of attack.
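
The localhost restriction and the officer-only scope described above, sketched as an added example. This is not biotrack's own code: the choice of Python, the function names and the action names are assumptions made for illustration.

```python
import ipaddress

# Hypothetical action names for what the page says the orchestrator may do:
# create officers and edit, archive or demote them. Game actions are absent.
ORCHESTRATOR_ACTIONS = frozenset(
    {"officer.create", "officer.edit", "officer.archive", "officer.demote"}
)


def is_loopback_peer(peer_addr: str) -> bool:
    """Return True only if peer_addr is a loopback IP address.

    peer_addr must be the remote address of the TCP connection as seen by
    the server process. Request headers are supplied by the client and are
    not a substitute for it.
    """
    try:
        # Drop an IPv6 zone id such as "%lo0" before parsing.
        ip = ipaddress.ip_address(peer_addr.split("%", 1)[0])
    except ValueError:
        return False  # hostnames, empty strings, garbage: fail closed
    # Dual-stack sockets report IPv4 clients as ::ffff:a.b.c.d.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_loopback


def orchestrator_allows(peer_addr: str, action: str) -> bool:
    """Allow an orchestrator action only from loopback and only on officers."""
    return is_loopback_peer(peer_addr) and action in ORCHESTRATOR_ACTIONS


if __name__ == "__main__":
    # Constructed sample requests: (peer address, requested action).
    samples = [
        ("127.0.0.1", "officer.create"),
        ("::ffff:127.0.0.1", "officer.demote"),
        ("127.0.0.1", "game.create"),
        ("192.168.1.20", "officer.create"),
    ]
    for peer, action in samples:
        verdict = "allow" if orchestrator_allows(peer, action) else "deny"
        print(f"{peer:>18}  {action:<16} {verdict}")
```

If the server runs behind a reverse proxy on the same machine, every request reaches it from loopback, so the orchestrator route also has to be kept off the proxied surface.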