subsurfacestudios / compensationapi

The Compensation VR Backend API, handling accounts, matchmaking, images, etc.

Home Page: https://api.compensationvr.tk

License: GNU General Public License v2.0

JavaScript 100.00%
backend backend-api restapi ugc virtual-reality websocket-server ws

compensationapi's Introduction

SubsurfaceStudios

compensationapi's People

Contributors

9021007, az-raven, dependabot[bot], redstonekasi

compensationapi's Issues

Privacy policy update required before exception reporting can be added to production.

In order for the Exception Logging feature to automatically report errors, users must opt in manually. The same goes for allowing us to see who submitted logs.

However, these two features require an update to the Privacy Policy (https://compensationvr.tk/legal/privacy-policy) so that we are legally allowed to collect this information without manual intervention from the user. (See WIP Section 6 - Automatic Exception Reporting).

Therefore, any addition of features relating to AER, no matter how small, cannot be merged into a non-test environment until the privacy policy is updated and USERS ARE NOTIFIED.

Documentation: Finish endpoint documentation.

This is a crucial step in supporting dedicated servers (#477) as players cannot easily modify the API without a thorough understanding of how it works.

  • Finalize where documentation should be hosted.
  • Move documentation into this repository.
  • Document all endpoints, including WebSockets and developer endpoints such as Force Pull.
  • Fully remove WSv1; it is outdated, unreliable, and inefficient.

Remove or rewrite Administrator Dashboard

administrator_dashboard.js hasn't been used in well over 6 months, and most of our database schemas are either set in stone or easy to update with the MongoDB shell. For that reason, I don't think the Administrator Dashboard is necessary anymore, and any functionality we lose by removing it can be made up for by the web dashboard.

@averyocean65 what are your thoughts on this?

Security: Thoroughly scan and audit for vulnerabilities.

After 2.1.0 this repository will likely become extremely inactive, so it is critical that the API remains secure, even in an unmaintained state. This can be somewhat assisted by a thorough audit of the entire current codebase, as well as performing any necessary updates to dependencies.

  • Bump all dependencies to their most recent iteration.
  • Resolve any known dependency vulnerabilities.
  • Fuzz or manually pentest all endpoints. This includes those reserved for developers and those accessible through the WebSocket system.

All: Finish dedicated server support.

2.1.0 will contain dedicated server support for Compensation Social. For this reason, the API and its supporting code need to be cleaned up and improved such that outside parties can easily modify it to suit their needs. This will become especially important if/when the main Compensation API is shut down.

  • Resolve security & authentication concerns associated with exposing Photon data.
  • Implement a Photon custom authentication system.
  • Improve configuration options and clean up some keys to be more consistent.
  • Improve code maintainability.
    • Place comments throughout code.
    • Document functions with JSDoc.
    • Finish documentation of all endpoints, restricted or not.
  • Write a basic Dockerfile for easy self-hosting.
