Inspiration

Our inspiration came from the desire to address food waste and to help those in need. We decided to create an online platform that connects people who have surplus food with those who need it, tackling both food insecurity and food waste, which are significant environmental and economic problems. We also hoped to highlight the importance of community-based solutions, where individuals and organizations can come together to make a positive impact. We believe in the power of technology and how it can be used to create innovative solutions to social issues.

What it does

Users can create posts about their surplus perishable food (along with its expiration date and time), and other users can find those posts, contact the poster, and come pick up the food. We thought of it as analogous to Facebook Marketplace, but focused on surplus food.

How we built it

We used React + Vite for the frontend and Express + Node.js for the backend. For infrastructure, we used Cloudflare Pages for the frontend and Microsoft Azure App Service for the backend.

Security Practices

Strict repository access permissions

(Some of these were lifted temporarily to make changes quickly under the tight deadline of a hackathon environment):

  • Pull request with at least 1 review required for merging to the main branch, so that one team member's machine getting compromised doesn't affect our service.
  • Reviews on pull requests must be given after the latest commit is pushed to the branch, to avoid malicious changes being added after a review.
  • Status checks (build + successful deployment) must pass before merging to the main branch, to avoid erroneous commits landing in the main branch.
  • PR branches must be up to date with the main branch before merging, to make sure there are no incompatibilities with the latest commit causing issues in the main branch.
  • All conversations on the PR must be marked as resolved, to make sure any concerns (including security concerns) someone may have expressed have been dealt with before merging.
  • Admins of the repository are not allowed to bypass any of these rules, to avoid accidental downtime or malicious commits due to an admin's machine being compromised.

Infrastructure

  • Use Cloudflare's CDN (able to mitigate the largest DDoS attacks in the world) to deploy our static files for the frontend.
  • Set up SPF, DMARC and DKIM records on our domain, so that emails spoofing our domain fail authentication at the receiver.
  • Use Microsoft Azure's App Service for CI/CD, to have a standard automated procedure for deployments and avoid mistakes. This also relieves us of the responsibility of keeping up with OS security updates, since Microsoft applies them regularly for us.
  • We worked on using DNSSEC for our domain to avoid DNS-related attacks, but domain.com (the hackathon sponsor) requires contacting their support to enable it. For my other projects, I implement it by adding a DS record on the registrar's end using the nameserver-provided credentials.
  • Set up logging on Microsoft Azure.
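
To check that SPF and DMARC records like the ones described above are strict enough to make spoofed mail fail, here is an added example (not code from the Food Share project) that parses both record types and flags weak settings; the sample records and domain names in it are constructed.

```javascript
// Added example, not Food Share project code: check the SPF and DMARC TXT records
// a domain publishes for the settings that actually get spoofed mail rejected.
// SPF (RFC 7208): the qualifier on the trailing "all" decides what receivers do
// with unlisted senders; more than 10 DNS-lookup terms makes the record a permerror.
function assessSpf(txt) {
  const terms = txt.trim().split(/\s+/), findings = [];
  if (terms[0].toLowerCase() !== 'v=spf1') return { valid: false, findings: ['not an SPF record'] };
  let allQualifier = null, lookups = 0;
  for (const term of terms.slice(1)) {
    const m = /^([+\-~?]?)([a-z0-9]+)(?:[:=/].*)?$/i.exec(term);
    if (!m) { findings.push(`unparseable term "${term}"`); continue; }
    const mech = m[2].toLowerCase();
    if (mech === 'all') allQualifier = m[1] || '+';
    if (['include', 'a', 'mx', 'ptr', 'exists', 'redirect'].includes(mech)) lookups++;
  }
  if (allQualifier === null) findings.push('no "all" term: unlisted senders get a neutral result');
  else if ('+?'.includes(allQualifier)) findings.push(`"${allQualifier}all" does not fail unlisted senders`);
  else if (allQualifier === '~') findings.push('"~all" is softfail; use "-all" so receivers can reject');
  if (lookups > 10) findings.push(`${lookups} DNS-lookup terms exceeds the limit of 10 (permerror)`);
  return { valid: true, allQualifier, lookups, findings };
}

// DMARC (RFC 7489): ";"-separated tag=value pairs. p= is the policy for the domain,
// sp= for subdomains (defaults to p), pct= the share of failing mail it applies to (default 100).
const rank = (policy) => ['none', 'quarantine', 'reject'].indexOf(policy);
function assessDmarc(txt) {
  const tags = {}, findings = [];
  for (const part of txt.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) tags[part.slice(0, i).trim().toLowerCase()] = part.slice(i + 1).trim();
  }
  if (tags.v !== 'DMARC1') return { valid: false, findings: ['not a DMARC record'] };
  const p = (tags.p || '').toLowerCase(), sp = (tags.sp || p).toLowerCase();
  const pct = tags.pct === undefined ? 100 : Number(tags.pct);
  if (rank(p) < 0) findings.push('missing or invalid p= tag');
  else if (p === 'none') findings.push('p=none only monitors; spoofed mail is still delivered');
  else if (p === 'quarantine') findings.push('p=quarantine; move to p=reject once reports look clean');
  if (rank(sp) < rank(p)) findings.push(`sp=${sp} leaves subdomains weaker than p=${p}`);
  if (pct !== 100) findings.push(`pct=${tags.pct} applies the policy to only part of failing mail`);
  if (!tags.rua) findings.push('no rua= address, so aggregate reports are never received');
  return { valid: true, policy: p, subdomainPolicy: sp, pct, findings };
}

// Constructed sample records for a fictional domain: a weak pair and a strict pair.
const SAMPLES = {
  weak: { spf: 'v=spf1 include:_spf.mail.example ~all', dmarc: 'v=DMARC1; p=none; rua=mailto:dmarc@example.test' },
  strict: { spf: 'v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all', dmarc: 'v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.test' },
};
function assessDomain(r) { return { spf: assessSpf(r.spf), dmarc: assessDmarc(r.dmarc) }; }
for (const [name, r] of Object.entries(SAMPLES)) console.log(name, JSON.stringify(assessDomain(r)));
```

The weak pair is reported with a softfail SPF and a monitor-only DMARC policy, while the strict pair produces no findings.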

Other

  • Use environment variables to avoid disclosing any secret credentials.
  • Signed up for GitHub Dependabot alerts to receive updates about any security vulnerabilities in our dependencies.
  • We were in the process of implementing an authentication service using an open-source service called Supabase, to let users sign in using multiple OAuth methods and to implement 2FA with TOTP (instead of SMS).
  • For all the password fields required for our database and Azure services, we used Bitwarden's password generator to create 20-character random passwords, and we used 2FA with TOTP to log in to all services that support it.
  • Used SSL/TLS for all communication between our resources.

Challenges we ran into

  • Getting the Google Maps API to work.
  • Weird errors deploying on Azure.
  • Spending too much time trying to make CockroachDB work. It seemed to require certificates for connection even for testing. It seemed like their docs for using Sequelize with their DB were not updated since this requirement was put into place.

Accomplishments that we're proud of

Winning the security award by CSE!

What we learned

We learned not to underestimate the amount of work required, and to plan better next time. Meanwhile, maybe go to fewer activities, though they are super fun and engaging! Don't get us wrong, we did not regret doing them! XD

What's next for Food Share

Food Share was built within a limited time. Some features that couldn't be included in time:

  • Location of available food on the interactive map
  • More filters for the search for available food
  • Accounts and an authentication method
  • Live chat using Microsoft Azure's Web PubSub service
  • Cleaner UI