Update instructions

* Heroku section includes database set up instructions * "Remote MongoDB" sections cover Atlas instead of mLab * "Remote MongoDB" sections use MONGODB_URI env var (don't commit DB password) * Adjusted layout and fixed some typos
angelwn · Nov 1, 2020 · ddca594 · ddca594
1 parent 1af3c64
commit ddca594
Showing 1 changed file with 86 additions and 59 deletions.
diff --git a/README.md b/README.md
@@ -9,89 +9,116 @@ OWASP Top 10 for Node.js web applications:
 [Tutorial Guide](http://nodegoat.herokuapp.com/tutorial) explaining how each of the OWASP Top 10 vulnerabilities can manifest in Node.js web apps and how to prevent it.
 
 ### Do it!
-[A Vulnerable Node.js App for Ninjas](http://nodegoat.herokuapp.com/) to exploit, toast, and fix. You may like to [set up your own copy](#how-to-setup-your-copy-of-nodegoat) of the app to fix and test vulnerabilities. Hint: Look for comments in the source code.
+[A Vulnerable Node.js App for Ninjas](http://nodegoat.herokuapp.com/) to exploit, toast, and fix. You may like to [set up your own copy](#how-to-set-up-your-copy-of-nodegoat) of the app to fix and test vulnerabilities. Hint: Look for comments in the source code.
 ##### Default user accounts
 The database comes pre-populated with these user accounts created as part of the seed data -
 * Admin Account - u:admin p:Admin_123
 * User Accounts (u:user1 p:User1_123), (u:user2 p:User2_123)
 * New users can also be added using the sign-up page.
 
-## How to Setup Your Copy of NodeGoat
+## How to Set Up Your Copy of NodeGoat
 
-### OPTION 1 - One click install on Heroku
-The the quickest way to get running with NodeGoat is to click the button below to deploy it on Heroku.
+### OPTION 1 - Run NodeGoat on your machine
 
-Even though it is not essential, but recommended that you fork this repository and deploy the forked repo.
-This would allow you to fix vulnerabilities in your own forked version, and deploy and test it on heroku.
+1) Install [Node.js](http://nodejs.org/) - NodeGoat requires Node v8 or above
 
-[![Deploy](https://www.herokucdn.com/deploy/button.png)](https://heroku.com/deploy)
+2) Clone the github repository:
+   ```
+   git clone https://github.com/OWASP/NodeGoat.git
+   ```
 
-This Heroku instance uses Free ($0/month) node server and MongoLab add-on.
+3) Go to the directory:
+   ```
+   cd NodeGoat
+   ```
 
-### OPTION 2 - Run NodeGoat on your machine
+4) Install node packages:
+   ```
+   npm install
+   ```
 
-If you do not wish to run NodeGoat on Heroku, please follow these steps to setup and run it locally -
-* Install [Node.js](http://nodejs.org/) - NodeGoat requires Node v8 or above
+5) Set up MongoDB. You can either install MongoDB locally or create a remote instance:
 
-* Clone the github repository
-```
-git clone https://github.com/OWASP/NodeGoat.git
-```
+   * Using local MongoDB:
+     1) Install [MongoDB Community Server](https://docs.mongodb.com/manual/administration/install-community/)
+     2) Start [mongod](http://docs.mongodb.org/manual/reference/program/mongod/#bin.mongod)
 
-*go to the directory
-```
-cd NodeGoat
-```
+   * Using remote MongoDB instance:
+     1) [Deploy a MongoDB Atlas free tier cluster](https://docs.atlas.mongodb.com/tutorial/deploy-free-tier-cluster/) (M0 Sandbox)
+     2) [Enable network access](https://docs.atlas.mongodb.com/security/add-ip-address-to-list/) to the cluster from your current IP address
+     3) [Add a database user](https://docs.atlas.mongodb.com/tutorial/create-mongodb-user-for-cluster/) to the cluster
+     4) Set the `MONGODB_URI` environment variable to the connection string of your cluster. Your connection string can be viewed in the cluster's [connect dialog](https://docs.atlas.mongodb.com/tutorial/connect-to-your-cluster/#connect-to-your-atlas-cluster), and will be in the form:
+        <br>`mongodb+srv://<username>:<password>@<cluster>/<dbname>?retryWrites=true&w=majority`
 
-* Install node modules
-```
-npm install
-```
+6) Populate MongoDB with the seed data required for the app:
+   ```
+   npm run db:seed
+   ```
+   By default this will use the "development" configuration, but the desired config can be passed as an argument if required.
 
-* Create Mongo DB:
-    You can create a remote MongoDB instance or use local mongod installation
-    * A. Using Remote MongoDB
-        * Create a sandbox mongoDB instance (free) at [mLab](https://mlab.com/plans/pricing/#plan-sandbox)
-        * Create a new database.
-        * Create a user.
-        * Update the `db` property in file `config/env/development.js` to reflect your DB setup. (in format: `mongodb://<username>:<password>@<databasename>`)
-    * OR B.Using local MongoDB
-        * If using local Mongo DB instance, start [mongod](http://docs.mongodb.org/manual/reference/program/mongod/#bin.mongod).
-        * Update the `db` property in file `config/env/development.js` to reflect your DB setup. (in format: `mongodb://localhost:27017/<databasename>`)
+7) Start the server. You can run the server using node or nodemon:
+   * Start the server with node. This starts the NodeGoat application at [http://localhost:4000/](http://localhost:4000/):
+     ```
+     npm start
+     ```
+   * Start the server with nodemon, which will automatically restart the application when you make any changes. This starts the NodeGoat application at [http://localhost:5000/](http://localhost:5000/):
+     ```
+     npm run dev
+     ```
 
-* Populate MongoDB with seed data required for the app
-    * Run the npm-script below to populate the DB with seed data required for the application. Pass the desired environment as argument. If not passed, "development" is the default:
-```
-npm run db:seed
-```
-* Start server, this starts the NodeGoat application at url [http://localhost:4000/](http://localhost:4000/)
-```
-npm start
-```
+#### Customizing the Default Application Configuration
+By default the application will be hosted on port 4000 and will connect to a MongoDB instance at localhost:27017. To change this set the environment variables `PORT` and `MONGODB_URI`.
 
-* Start server with nodemon, this starts the NodeGoat application at url [http://localhost:5000/](http://localhost:5000/)
-```
-npm run dev
-```
+Other settings can be changed by updating the [config file](https://github.com/OWASP/NodeGoat/blob/master/config/env/all.js).
 
-### OPTION 3 - Run NodeGoat on Docker
 
-**You need to install [docker](https://docs.docker.com/installation/) and [docker compose](https://docs.docker.com/compose/install/) to be able to use this option**
+### OPTION 2 - Run NodeGoat on Docker
 
-The repo includes the Dockerfile and docker-compose.yml necessary to setup the app and the db instance then connect them together.
+The repo includes the Dockerfile and docker-compose.yml necessary to set up the app and db instance, then connect them together.
 
-* Build the images:
-```
-docker-compose build
-```
-* Run the app:
-```
-docker-compose up
-```
+1) Install [docker](https://docs.docker.com/installation/) and [docker compose](https://docs.docker.com/compose/install/) 
 
+2) Clone the github repository:
+   ```
+   git clone https://github.com/OWASP/NodeGoat.git
+   ```
+
+3) Go to the directory:
+   ```
+   cd NodeGoat
+   ```
+
+4) Build the images:
+   ```
+   docker-compose build
+   ```
+
+5) Run the app, this starts the NodeGoat application at http://localhost:4000/:
+   ```
+   docker-compose up
+   ```
+
+
+### OPTION 3 - Deploy to Heroku
+
+This option uses a free ($0/month) Heroku node server.
+
+Though not essential, it is recommended that you fork this repository and deploy the forked repo.
+This will allow you to fix vulnerabilities in your own forked version, then deploy and test it on Heroku.
+
+1) Set up a publicly accessible MongoDB instance:
+   1) [Deploy a MongoDB Atlas free tier cluster](https://docs.atlas.mongodb.com/tutorial/deploy-free-tier-cluster/) (M0 Sandbox)
+   2) [Enable network access](https://docs.atlas.mongodb.com/security/ip-access-list/#add-ip-access-list-entries) to the cluster from anywhere (CIDR range 0.0.0.0/0)
+   3) [Add a database user](https://docs.atlas.mongodb.com/tutorial/create-mongodb-user-for-cluster/) to the cluster
+
+2) Deploy NodeGoat to Heroku by clicking the button below:
+
+   [![Deploy](https://www.herokucdn.com/deploy/button.png)](https://heroku.com/deploy)
+
+   In the Create New App dialog, set the `MONGODB_URI` config var to the connection string of your MongoDB Atlas cluster.
+   Your connection string can be viewed in the cluster's [connect dialog](https://docs.atlas.mongodb.com/tutorial/connect-to-your-cluster/#connect-to-your-atlas-cluster), and will be in the form:
+   <br>`mongodb+srv://<username>:<password>@<cluster>/<dbname>?retryWrites=true&w=majority`
 
-#### Customizing the Default Application Configuration
-The default application settings (database url, http port, etc.) can be changed by updating the [config file] (https://github.com/OWASP/NodeGoat/blob/master/config/env/all.js).
 
 ## Report bugs, Feedback, Comments
 *  Open a new [issue](https://github.com/OWASP/NodeGoat/issues) or contact team by joining chat at [Slack](https://owasp.slack.com/messages/project-nodegoat/) or [![Join the chat at https://gitter.im/OWASP/NodeGoat](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/OWASP/NodeGoat?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)