DineConnect

DineConnect Documentation

NLayer Architecture

DineConnect follows the principles of Domain Driven Design. There are four fundamental layers in Domain Driven Design (DDD):

Presentation Layer: Provides an interface to the user. Uses the Application Layer to achieve user interactions.

Application Layer: Mediates between the Presentation and Domain Layers. Orchestrates business objects to perform specific application tasks.

Domain Layer: Includes business objects and their rules. This is the heart of the application.

Infrastructure Layer: Provides generic technical capabilities that support higher layers mostly using 3rd-party libraries.

DineConnect Application Architecture Model
In addition to DDD, a modern architected application has other logical and physical layers. The model below is suggested and implemented for DineConnect. DineConnect makes implementing this model easier by providing base classes and services.

Client Applications
These are remote clients that use the application as a service via HTTP APIs (API Controllers, OData Controllers, maybe even a GraphQL endpoint). A remote client can be a SPA (Single Page App), a mobile application, or a 3rd-party consumer. Localization and Navigation can be done inside these applications.

Presentation Layer
ASP.NET [Core] MVC (Model-View-Controller) can be considered to be the presentation layer. It can be a physical layer (uses the application via HTTP APIs) or a logical layer (directly injects and uses application services). In either case, it can include Localization, Navigation, Object Mapping, Caching, Configuration Management, Audit Logging and so on. It also deals with Authorization, Session, Features (for multi-tenant applications) and Exception Handling.

Distributed Service Layer
This layer serves application/domain functionality via remote APIs such as REST, OData or GraphQL. It contains no business logic; it only translates HTTP requests into domain interactions, or delegates the operation to application services. This layer generally includes Authorization, Caching, Audit Logging, Object Mapping, Exception Handling, Session and so on.

Application Layer
The application layer mainly includes Application Services that use domain layer and domain objects (Domain Services, Entities...) to perform requested application functionalities. It uses Data Transfer Objects to get data from and return data to the presentation or distributed service layer. It can also deal with Authorization, Caching, Audit Logging, Object Mapping, the Session and so on...

Domain Layer
This is the main layer that implements our domain logic. It includes Entities, Value Objects, and Domain Services to perform business/domain logic. It can also include Specifications and trigger Domain Events. It defines Repository Interfaces to read and persist entities from the data source (generally a DBMS).

Infrastructure Layer
The infrastructure layer makes the other layers work: it implements the repository interfaces (using Entity Framework Core, for example) to work with a real database. It may also include an integration with a vendor to send emails and so on. It is not a strict layer below all the others; rather, it supports the other layers by implementing the abstractions they define.

Common Information about DineConnect

API - Ticket Modeling

Here is the Data Modeling of DineConnect Tickets API

| Entity | Attribute | DataType | Description |
|---|---|---|---|
| Ticket | tenantId | Number | Tenant Id assigned |
| | locationName | Text | Name of the location the ticket belongs to |
| | location Id | Number | Id of the corresponding location |
| | ticketId | Number | Id created by the location (this is not unique); the ticket number must be considered as well |
| | ticketCreatedTime | datetime | Ticket created date and time |
| | lastUpdateTime | datetime | Date and time of the last update to the ticket |
| | lastOrderTime | datetime | Date and time the last order was created |
| | lastPaymentTime | datetime | Date and time of the last payment made to the ticket |
| | isClosed | boolean | Status of the ticket (open or closed): 1 -> Closed, 0 -> Open. In DineConnect, only closed tickets are delivered |
| | isLocked | boolean | Locked status. It is true if pre-settlement has been requested for the ticket. In DineConnect, only false is reflected |
| | remainingAmount | Number | Remaining amount on the ticket. It will always be 0 |
| | totalAmount | Number | Total amount of the ticket |
| | departmentName | Text | Name of the department the ticket was created in (Dine In, Take Away) |
| | ticketTypeName | Text | Name of the ticket type the ticket was created with (Sales, Credit, etc.) |
| | note | Text | Ticket note attached to the ticket |
| | lastModifiedUserName | Text | Name of the user who last modified the ticket (adding an order, adding a payment, etc.) |
| | ticketTags | Text | Information about the PAX, gender, etc. |
| | ticketStates | Text | States of the ticket (Paid, Refund, Closed, etc.) |
| | ticketLogs | Text | Logs created for the ticket |
| | taxIncluded | boolean | Whether tax is included in or excluded from the total amount of the ticket |
| | terminalName | Text | Terminal where the ticket was created |
| | preOrder | boolean | Indicates that the ticket is not settled. In DineConnect, the ticket is always settled |
| | ticketEntities | Text | JSON array with information about the Table, Member and Customer |
| Orders | | Number | |
| | orderId | Number | Id created for each order |
| | locationName | Text | Name of the location where the order was created |
| | location_Id | Number | Corresponding location Id |
| | ticketId | Number | Id of the ticket the order belongs to |
| | departmentName | Text | Department in which the order was created |
| | aliasCode | Text | Alias code of the menu item for the order. It could be the external system Id |
| | menuItemId | Number | DineConnect MenuItem Id of the order |
| | menuItemName | Text | DineConnect MenuItem name of the order |
| | portionName | Text | Portion name of the MenuItem |
| | price | Number | Price of the MenuItem |
| | costPrice | Number | Cost price of the MenuItem, if it is defined |
| | quantity | Number | Quantity of menu items ordered |
| | portionCount | Number | Quantity of the portion ordered |
| | note | Text | Note for this order |
| | locked | boolean | Status of the order |
| | calculatePrice | boolean | Whether the price should be calculated or not. For Void, Gift and Comp orders, calculatePrice is false |
| | increaseInventory | boolean | Whether the inventory should be increased or not |
| | decreaseInventory | boolean | Whether the inventory should be decreased or not |
| | orderNumber | Number | Order number created for each order |
| | creatingUserName | Text | User who created the order |
| | orderCreatedTime | datetime | Date and time the order was created, i.e. sent to the kitchen |
| | priceTag | Text | Price tag of the order. A price tag determines where the menu item has a different price |
| | taxes | Text | Tax for this order |
| | orderTags | Text | Order tag details for the order (Less Oil, More Salt, etc.) |
| | orderStates | Text | Status of the order (Void, Comp, Gift, Refund, Submitted) |
| | isPromotionOrder | boolean | Whether the order is a promotion order or not |
| | promotionAmount | Number | Total promotion amount |
| | menuItemPortionId | Number | Portion Id of the menu item |
| | creationTime | datetime | Time when the order was clicked and added to the POS |
| | creatorUserId | Number | Id of the user who created the order |
| | id | Number | Location reference Id |
| Payments | | | |
| | paymentTypeId | Number | Id of the PaymentType |
| | paymentTypeName | Text | Name of the PaymentType |
| | ticketId | Number | Id of the ticket the payment was made for |
| | paymentCreatedTime | datetime | Date and time when the payment was performed |
| | tenderedAmount | Number | Tendered amount |
| | terminalName | Text | Name of the terminal where the payment was made |
| | amount | Number | Total amount settled |
| | paymentUserName | Text | Name of the user who settled the ticket |
| | accountCode | Text | Account code of the payment type |
| | paymentTags | Text | Corresponding payment tag (includes the last 4 digits of the card or other information related to the ticket) |
| | creationTime | datetime | Date and time when the payment was created |
| | creatorUserId | Number | User who created the payment |
| | id | Number | Internal Id |
| Transactions | | | |
| | transactionTypeId | Number | Id of the TransactionType |
| | transactionTypeName | Text | Name of the transaction type |
| | ticketId | Number | Corresponding ticket Id |
| | amount | Number | Amount of this transaction (Sales, Discount, Tax, Payment, etc.) |
| | accountCode | Text | Account code of the transaction |
| | creationTime | datetime | Date and time when the payment was created |
| | creatorUserId | Number | User Id who created the transaction |
| | id | Number | Internal Id |
| | isDeleted | boolean | |
| | deleterUserId | number | |
| | deletionTime | datetime | |
| | lastModificationTime | datetime | |
| | lastModifierUserId | number | |
| | creationTime | datetime | |
| | creatorUserId | number | |

API - Product Modeling

| Entity | Attribute | DataType | Description |
|---|---|---|---|
| Categories | Id | Number | Id of the MenuItem category |
| | Name | Text | Name of the category |
| | TenantId | Number | TenantId given by the DinePlan team |
| | IsDeleted | Boolean | |
| | DeleterUserId | Number | User who last deleted the category |
| | Deletion Time | DateTime | Date and time when the category was deleted |
| | LastModificationTime | DateTime | Date and time when the category was modified |
| | LastModifierUserId | Number | User who last modified the category names |
| | Creation Time | DateTime | Date and time when the category was created |
| | CreatorUserId | Number | UserId who created the category |
| | Code | Number | |
| | Oid | Number | |
| MenuItems | Id | Number | Id of the MenuItem |
| | Name | Text | Name of the MenuItem |
| | BarCode | Number | BarCode of the MenuItem |
| | AliasCode | Number | AliasCode of the MenuItem |
| | AliasName | Text | AliasName of the MenuItem |
| | ItemDescription | Text | ItemDescription of the MenuItem |
| | ForceQuantity | Boolean | Whether the product needs to ask for a quantity or not: 0 -> No, 1 -> Yes |
| | ForceChangePrice | Boolean | Whether the product needs to ask for a price or not: 0 -> No, 1 -> Yes |
| | CategoryId | Number | Id of the MenuItem category |
| | TenantId | Number | TenantId given by the DinePlan team |
| | IsDeleted | Boolean | |
| | DeleterUserId | Number | User who deleted the MenuItem |
| | Deletion Time | DateTime | Date and time when the MenuItem was deleted |
| | LastModification Time | DateTime | Date and time when the MenuItem was modified |
| | LastModifierUserId | Number | User who last modified the MenuItem names |
| | Creation Time | DateTime | Date and time when the MenuItem was created |
| | CreatorUserId | Number | UserId who created the MenuItem |
| | Product Type | Number | Product type of the MenuItem: 1 -> MenuItem, 2 -> Combo |
| | Tag | Text | |
| | Transaction TypeId | Number | |
| | Locations | Text | |
| | Files | Text | |
| | Group | Boolean | |
| | Oid | Number | |
| | DownloadImage | | |
| | Uom | Text | |
| | RestrictPromotion | Boolean | Whether promotions apply to the MenuItem or not: 0 -> Promotion, 1 -> RestrictPromotion |
| | No Tax | Boolean | Whether the MenuItem has tax or not (0/1) |
| | NonLocations | Text | |
| MenuItemPortions | Id | Number | Id of the MenuItemPortion |
| | Name | Text | Name of the MenuItemPortion |
| | MenuItemId | Number | Id of the MenuItem |
| | Multiplier | Number | |
| | Price | Number | Price of the MenuItemPortion |
| | Creation Time | DateTime | Date and time when the MenuItemPortion was created |
| | CreatorUserId | Number | UserId who created the MenuItemPortion |
| | IsDeleted | Boolean | |
| | DeleterUserId | Number | |
| | Deletion Time | DateTime | |
| | LastModificationTime | DateTime | Date and time when the MenuItemPortion was modified |
| | LastModifierUserId | Number | |
| OrderTagGroups | Id | Number | |
| | Name | Text | |
| | MaxSelectedItems | Number | Maximum number of OrderTags that can be selected |
| | MinSelectedItems | Number | Minimum number of OrderTags that must be selected |
| | SortOrder | Number | Sort order of the OrderTags |
| | AddTagPriceToOrderPrice | Boolean | Add the OrderTag price to the order price |
| | SaveFree Tags | Boolean | Save the free tags entered by free tagging |
| | Free Tagging | Boolean | Custom free tags can be entered |
| | TaxFree | Boolean | Whether the OrderTag has tax or not (0/1) |
| | TenantId | Number | TenantId given by the DinePlan team |
| | IsDeleted | Boolean | |
| | DeleterUserId | Number | User who last deleted the OrderTagGroup |
| | Deletion Time | DateTime | Date and time when the OrderTagGroup was deleted |
| | LastModification Time | DateTime | Date and time when the OrderTagGroup was modified |
| | LastModifierUserId | Number | User who last modified the OrderTagGroup |
| | Creation Time | DateTime | Date and time when the OrderTagGroup was created |
| | CreatorUserId | Number | UserId who created the OrderTagGroup |
| | Prefix | Text | Prefix that can be added for the OrderTagGroup (Less, More, No, etc.) |
| | Locations | Text | Name of the location the OrderTagGroup belongs to |
| | Group | Boolean | |
| | Oid | Number | |
| | NonLocations | Text | |
| OrderTags | Id | Number | Id of the OrderTag |
| | Name | Text | Name of the OrderTag |
| | SortOrder | Number | |
| | Price | Number | Price of the OrderTag |
| | OrderTagGroupId | Number | Id of the OrderTagGroup |
| | MenuItemId | Number | Id of the MenuItem |
| | Creation Time | DateTime | Date and time when the OrderTag was created |
| | CreatorUserId | Number | UserId who created the OrderTag |
| | MaxQuantity | Number | |
| | AlternateName | Text | AlternateName of the OrderTag |
| OrderTagMaps | Id | Number | Id of the OrderTagMap |
| | OrderTagGroupId | Number | Id of the OrderTagGroup |
| | CategoryId | Number | Id of the Category |
| | MenuItemId | Number | Id of the MenuItem |
| | Creation Time | DateTime | Date and time when the OrderTagMap was created |
| | CreatorUserId | Number | UserId who created the OrderTagMap |
| ProductComboes | Id | Number | Id of the ProductCombo |
| | MenuItemId | Number | Id of the MenuItem |
| | AddPriceToOrderPrice | Boolean | Add the price of the combo items to the order price |
| | Creation Time | DateTime | Date and time when the ProductCombo was created |
| | CreatorUserId | Number | UserId who created the ProductCombo |
| | Name | Text | Name of the ProductCombo |
| ProductComboGroups | Id | Number | Id of the ProductComboGroup |
| | Name | Text | Name of the ProductComboGroup |
| | SortOrder | Number | |
| | Minimum | Number | |
| | ProductComboId | Number | Id of the ProductCombo |
| | Creation Time | DateTime | Date and time when the ProductComboGroup was created |
| | CreatorUserId | Number | UserId who created the ProductComboGroup |
| | Maximum | Number | |
| ProductComboItems | Id | Number | Id of the ProductComboItem |
| | Name | Text | Name of the ProductComboItem |
| | ProductComboGroupId | Number | Id of the ProductComboGroup |
| | MenuItemId | Number | Id of the MenuItem |
| | AutoSelect | Boolean | Auto-selects the combo item |
| | Price | Number | Price of the ProductComboItem |
| | SortOrder | Number | |
| | Creation Time | DateTime | Date and time when the ProductComboItem was created |
| | CreatorUserId | Number | UserId who created the ProductComboItem |
| | Count | Number | |
| | AddSeperately | Boolean | |

DineConnect Penetration Test Report

DineConnect (v2.0) has been scanned for vulnerabilities with the latest version of OWASP ZAP (v2.9.0). The OWASP Zed Attack Proxy (ZAP) is one of the world's most popular security tools and is actively maintained by hundreds of international volunteers.

The automated scanner reported several alerts. The DineConnect team has fixed the true-positive alerts in the report. Most of the remaining alerts are false positives; the reasons why they are false positives are stated below.

Summary of Alerts

Path Traversal, Risk: High

Description

The Path Traversal attack technique allows an attacker access to files, directories, and commands that potentially reside outside the web document root directory.

Comment

This alert is a false positive because the tool checks whether a request can retrieve data with unexpected parameters. Since the admin role has all permissions by default, the response always reflects the admin role.

Recommendation

If your application has to accept input file names, file paths, or URL paths, you need to validate that the path is in the correct format and that it points to a valid location within the context of your application. To prevent a malicious user manipulating your code's file operations, avoid writing code that accepts user-supplied file or path input.

If you use MapPath to map a supplied virtual path to a physical path on the server, use the overload of Request.MapPath that accepts a bool parameter so that you can prevent cross-application mapping.

Application Error Disclosure

Risk: Medium

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page.

Comment

This alert is a false positive because the tool checks whether the response contains the text "internal error". The response of GetScripts contains translations that include the text "internal error".

This alert is a false positive because the tool checks whether the response contains the text "internal error". The response contains that text but no sensitive information.

DineConnect never returns error details unless the developer sends them deliberately. When the project runs in development, exception details are sent to the client; publishing the application in release mode prevents exception details from being sent. The MVC project shows a custom error page, while the Host project returns JSON with the message "An internal error occurred during your request!"

Absence of Anti-CSRF Tokens

Risk: Low

Description

In short, CSRF abuses the trust relationship between browser and server. This means that anything a server uses to establish trust with a browser (e.g., cookies, but also HTTP/Windows Authentication) is exactly what allows CSRF to take place, but this is only the first piece of a successful CSRF attack.

Comment

DineConnect posts most of its forms via ajax. All URLs listed are false positives: DineConnect posts them via ajax, and those ajax requests carry the X-XSRF-TOKEN header.

Application Error Disclosure

Risk: Low

Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page.

Comment

DineConnect has its own built-in exception handling system. When an exception happens, DineConnect catches it and throws a user-friendly exception. These alerts are false positives because the tool checks whether the response returns "HTTP 501 (Internal Server Error)", but the returned errors do not contain internal error details.

Risk: Low

Description

Comment

Solved on https://github.com/aspnetzero/aspnet-zero-core/issues/2950

Web Browser XSS Protection Not Enabled

Risk: Low

Description

Web Browser XSS Protection is not enabled or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server.

Comment

DineConnect framework v3.4.X adds the X-XSS-Protection header to all responses with the value 1; mode=block. If you want to remove the header, you can do so via the UseAbp() options in the Configure method of the Startup class.

These alerts are false positives because the tool checks whether the response has the X-XSS-Protection header. The responses do not have it because the requests get 404.15 - Not Found.

Low (Medium)

Description

Comment

DineConnect uses the HttpOnly flag wherever it is needed. In some cases the tool reports false-positive alerts. See the following instances to understand why they are false positives.

In the above request, the idsrv.session cookie is set by Microsoft Identity Server. By design it is not HttpOnly: it is required by the OIDC session management spec for SPA clients. For the related spec see https://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification .

Setting XSRF-TOKEN as HttpOnly is pointless because the Angular UI client must access this cookie.
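The triage rules the report applies to the error-disclosure, X-XSS-Protection and HttpOnly alerts, re-run over captured responses as an added example (not ZAP's or DineConnect's code). The responses, URLs and cookie values are constructed; the stack-trace pattern used to tell a real exception dump from the generic "internal error" message is an assumption.

```python
import re

# Cookies the report says are not HttpOnly by design, and why (from the comments above)
NON_HTTPONLY_BY_DESIGN = {
    "XSRF-TOKEN": "Angular UI client must read it to send the X-XSRF-TOKEN header",
    "idsrv.session": "required by the OIDC session management spec for SPA clients",
}
# Assumed markers of a real .NET exception dump, as opposed to the bare "internal error" message
STACK_TRACE_RE = re.compile(r"\.cs:line \d+|\n\s+at [\w.]+\(")
XSS_HDR = {"X-XSS-Protection": "1; mode=block"}

# Constructed responses modelled on the alert instances discussed above (not real scan output)
SAMPLE_RESPONSES = [
    {"url": "/AbpScripts/GetScripts", "status": 200, "headers": XSS_HDR, "set_cookie": [],
     "body": "abp.localization.values['InternalError'] = 'An internal error occurred';"},
    {"url": "/api/services/app/Missing", "status": 404, "headers": {}, "set_cookie": [], "body": ""},
    {"url": "/connect/authorize", "status": 200, "headers": XSS_HDR, "body": "",
     "set_cookie": ["idsrv.session=s1; path=/; secure", "XSRF-TOKEN=t1; path=/; secure",
                    ".AspNetCore.Cookies=c1; path=/; secure; httponly"]},
    {"url": "/api/services/app/Ticket/Get", "status": 500, "headers": XSS_HDR, "set_cookie": [],
     "body": '{"error":{"message":"An internal error occurred during your request!"}}'},
    {"url": "/api/services/app/Ticket/Get", "status": 500, "headers": XSS_HDR, "set_cookie": [],
     "body": "Internal error\n   at App.TicketAppService.Get() in C:\\src\\Ticket.cs:line 42"},
]


def _cookie_parts(set_cookie):
    name = set_cookie.split("=", 1)[0].strip()
    flags = {p.strip().split("=")[0].lower() for p in set_cookie.split(";")[1:]}
    return name, flags


def triage(resp):
    """Re-run the three ZAP checks discussed above on one response; returns (check, verdict, reason)."""
    findings = []
    body = resp.get("body", "")
    if "internal error" in body.lower():
        if resp["url"].endswith("/GetScripts"):
            findings.append(("error-disclosure", "false-positive", "localization text in GetScripts"))
        elif STACK_TRACE_RE.search(body):
            findings.append(("error-disclosure", "true-positive", "exception details in response"))
        else:
            findings.append(("error-disclosure", "false-positive", "generic message, no details"))
    headers = {k.lower() for k in resp.get("headers", {})}
    if "x-xss-protection" not in headers:
        verdict = "false-positive" if resp["status"] == 404 else "true-positive"
        findings.append(("xss-protection-header", verdict, f"header absent, status {resp['status']}"))
    for sc in resp.get("set_cookie", []):
        name, flags = _cookie_parts(sc)
        if "httponly" not in flags:
            reason = NON_HTTPONLY_BY_DESIGN.get(name)
            findings.append(("cookie-httponly", "false-positive" if reason else "true-positive",
                             reason or f"{name} is readable by script"))
    return findings


def verdicts(resp):
    return {check: verdict for check, verdict, _ in triage(resp)}
```

The last sample response shows what a development-mode deployment would leak; it is the one case the rules mark as a true positive.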

Reference

For all the other OWASP standardizations, download the OWASP sheet.

Open Web Application Security Project (OWASP) - Application Security Verification Standard 3.0 PDF sheet

https://owasp.org/www-community/Anti_CRSF_Tokens_ASP-NET