FairRide is a security-driven ride price comparison system designed to demonstrate Secure Software Development and STDD principles. The application combines a secure Python FastAPI backend with a React Native mobile frontend, allowing users to securely authenticate, submit trip requests, retrieve real-time ride prices from external providers, and compute the best available option in a transparent and auditable way.
The system prioritizes security from design to implementation by integrating access control, encryption, integrity validation, availability safeguards, and auditability into its core functionality.
DDSS-Project/
βββ frontend/ # React Native mobile app (Expo)
β βββ src/ # Source code
β β βββ screens/ # UI screens
β β βββ navigation/ # App routing
β β βββ services/ # API integration
β β βββ config/ # Configuration
β βββ assets/ # Images & resources
β βββ package.json # Frontend dependencies
βββ sud/ # Security utilities & database
βββ tests/ # Backend unit tests
βββ Z_docs/ # Architecture documentation
βββ app.py # FastAPI main application
βββ requirements.txt # Python dependencies
authenticate_user()- Access control + confidentialitycreate_trip_request_secure()- Secure data handling + encryptionget_real_time_prices_secure()- Integrity + availability + resiliencecompute_best_price_secure()- Transparency + auditability + fairness
Objective: Ensure that only authorized users can access the FairRide system while protecting user credentials from disclosure, misuse, or impersonation.
Domain Knowledge:
- Users authenticate using credentials
- Credentials are sensitive data
- Authentication precedes any system interaction
- Sessions are established after successful login
Security Pattern: Access Control with Confidential Credential Handling
This pattern enforces authentication before access and protects credentials through secure handling mechanisms.
Tests: Reject invalid credentials, reject missing credentials, ensure credentials are never exposed in logs.
Objective: Ensure that trip requests are created only by authenticated users and that sensitive trip data is securely handled and protected against leakage or manipulation.
Domain Knowledge:
- TripRequest includes origin, destination, timestamp, and userId
- Location data is sensitive
- Only authenticated users may create trips
- Trip data is securely stored
Security Pattern: Secure Data Handling with Encryption
This pattern ensures that trip data is validated and encrypted to prevent unauthorized access or disclosure.
Tests: Reject trip creation without authentication, reject malformed input, verify encrypted storage.
Objective: Ensure that real-time price data obtained from external providers is accurate, available, and protected against manipulation or service disruption.
Domain Knowledge:
- Prices are retrieved from multiple external providers
- External data sources are untrusted
- Price data must be continuously available
- System must tolerate partial provider failures
Security Pattern: Integrity and Resilient Communication Pattern
This pattern ensures data integrity, availability, and resilience when interacting with external services.
Tests: Reject data failing integrity validation, ensure availability on provider failure, detect abnormal responses.
Objective: Ensure that the best ride price is computed in a transparent, auditable, and fair manner, preventing manipulation or biased outcomes.
Domain Knowledge:
- Multiple validated price quotes are compared
- Comparison logic must be deterministic
- Results must be traceable and explainable
- Users rely on the correctness of the result
Security Pattern: Auditable Decision and Transparency Pattern
This pattern ensures that price computation is traceable, verifiable, and free from hidden manipulation.
Tests: Verify identical inputs produce identical outputs, ensure auditability, detect inconsistent data.
- β Beautiful dark theme UI with orange brand accents
- β Secure authentication with encrypted API communication
- β Real-time price comparison across ride providers
- β Cross-platform (iOS & Android via Expo)
- β Responsive design with keyboard handling
- React Native - Mobile framework
- Expo - Development platform
- React Navigation - Screen routing
- Axios - Secure HTTP client
# Install dependencies
pip install -r requirements.txt
# Run tests
python -m pytest -qUse Docker Compose for easy setup:
# Start PostgreSQL and Redis
docker-compose up -d
# Set environment variables
export FAIRRIDE_DB_URL="postgresql://fairride_user:fairride_dev_password@localhost: 5432/fairride"
export FAIRRIDE_REDIS_URL="redis://localhost:6379/0"
export FAIRRIDE_AT_REST_KEY="<base64-encoded-key>"
export FAIRRIDE_SESSION_SECRET="<base64-encoded-secret>"
export FAIRRIDE_PROVIDER_HMAC_KEY="<base64-encoded-key>"
# Run health check
python healthcheck.py
# Initialize database
python init_db.py
# Start backend server
python app.pyBackend runs on: http://localhost:8000
API Docs: http://localhost:8000/docs
See DEPLOYMENT.md for detailed production setup.
cd frontend
# Install dependencies
npm install
# Start Expo development server
npx expo startScan QR code with Expo Go app on your phone!
Windows:
ipconfigLook for "IPv4 Address" (e.g., 192.168.1.37)
Mac/Linux:
ifconfig | grep "inet "Edit frontend/src/services/api.js:
const API_BASE_URL = 'http://YOUR_LOCAL_IP:8000/api';
// Example: 'http://192.168.1.37:8000/api'# Activate virtual environment
venv\Scripts\activate # Windows
source venv/bin/activate # Mac/Linux
# Run backend
python app.pyβ
Backend running on http://localhost:8000
New terminal:
cd frontend
npx expo startβ Scan QR code with Expo Go app!
Username: test
Password: test123
β
Complete: All 4 core security functions implemented and tested.
β
All tests passing: python -m pytest tests/ -v β 30 passed
β
Encryption: Fernet AEAD implemented in sud/security.py
β
Environment secrets: Env-based config in sud/config.py
β
Mobile App: React Native frontend with secure API integration
Key Files:
- Backend:
sud/services. py,sud/security.py,sud/createuserID.py,sud/providers.py - Frontend:
frontend/src/screens/,frontend/src/services/api.js
Note: In-memory storage (InMemoryDB, RateLimiter) is suitable for development; production deployments should use persistent stores (PostgreSQL, Redis).
cryptography>=41.0.0- Fernet AEAD encryptionpytest>=7.0.0- Unit testing frameworkfastapi- Web frameworkuvicorn- ASGI server
Install with: pip install -r requirements.txt
react-native- Mobile frameworkexpo- Development platformaxios- HTTP client@react-navigation/native- Routing
Install with: cd frontend && npm install
python -m pytest tests/ -vcd frontend
npm test| Feature | Implementation |
|---|---|
| Password Hashing | PBKDF2-SHA256 (100k iterations) |
| Data Encryption | Fernet AEAD (at-rest) |
| Provider Integrity | HMAC-SHA256 verification |
| Rate Limiting | 5 failed login attempts β lockout |
| Session Management | Redis-backed secure sessions |
| SQL Injection | SQLAlchemy ORM protection |
| API Communication | HTTPS/TLS encrypted transport |
- Security Audit: SECURITY_AUDIT.md
- Deployment Guide: DEPLOYMENT.md
- Production Setup: PRODUCTION_SETUP.md
- Test Summary: TEST_SUMMARY.md
- Architecture Diagrams:
Z_docs/(PlantUML)
- β Replace educational cipher with AEAD (Fernet AEAD implemented)
- β Implement server-side session store (Redis implemented)
- β
Move secrets to environment variables (implemented in
sud/config.py) - β Persist user data and rate-limiting (PostgreSQL + Redis implemented)
- β Add TLS guidance, structured audit logging with correlation IDs, CI/CD pipeline
- β Mobile frontend (React Native + Expo)
- Automated key rotation for cryptographic secrets
- Enhanced monitoring and observability (metrics, distributed tracing)
- Load balancer integration and horizontal scaling
- Advanced threat detection and anomaly alerting
- Biometric authentication (fingerprint/Face ID)
- Push notifications for price alerts
This is an educational project demonstrating Security-Driven Development principles.
Educational Use Only
Built with β€οΈ implementing Security-Driven Development principles