Skip to main content
QMSQMS
QMS
  • Welcome to your QMS
  • Quality Manual
  • Procedures
  • Records
  • Legit.Health Plus Version 1.1.0.0
    • Index
    • Overview and Device Description
    • Information provided by the Manufacturer
    • Design and Manufacturing Information
    • GSPR
    • Benefit-Risk Analysis and Risk Management
    • Product Verification and Validation
    • Design History File
      • Requirements
      • Test plans
        • PLAN-001 Users submit their credentials to receive an access token
        • PLAN_002 Token expiration in user authentication process
        • PLAN_003 Account lockout for user authentication
        • PLAN_004 Enforcing HTTPS protocol for API communications
        • PLAN_005 Valid SSL/TLS certificates
        • PLAN_006 Rate limiting for anonymous users
        • PLAN_007 Rate limiting for authenticated users
        • PLAN_008 Logging and monitoring of rate limit violations
        • PLAN_009 Validation of request and response data against FHIR schemas
        • PLAN_010 Base64 encoded images are accepted
        • PLAN_011 Non-Base64 encoded images are rejected
        • PLAN_012 Diagnosis support endpoint accepts multiple images
        • PLAN_013 Improved accuracy with multiple images
        • PLAN_014: Password hashing during user registration
        • PLAN_015: Password hash comparison during login
        • PLAN_016: Registration of a new user by authorized individuals
        • PLAN_017 Specification of body zone for scoring systems requiring zone factor
        • PLAN_018 The device's API maintains an uptime of at least 99% over a one-month period
        • PLAN_019 API penetration testing with Intruder.io
      • Test runs
      • Review meetings
      • REL-001 Version 1.1.0.0
    • Post-Market Surveillance
  • Legit.Health Plus Version 1.1.0.1
  • Licenses and accreditations
  • Applicable Standards and Regulations
  • Grants
  • Public tenders
  • Legit.Health Plus Version 1.1.0.0
  • Design History File
  • Test plans
  • PLAN_014: Password hashing during user registration

PLAN_014: Password hashing during user registration

Description​

This test verifies that when new users are registered on the device, their passwords are hashed before being stored in the database, instead of being saved as plaintext.

System requirements​

This test can be executed with standard hardware, and it is not necessary to use any specific software. Any commonly available system should be sufficient for the task.

Preconditions​

  • The entire system (including the reverse proxy, REST API, and all upstream services) is deployed, operational, and accessible online.
  • All communications with the REST API are conducted over HTTPS, either through a reverse proxy server or directly with the hosting server.

Input data​

For this test, a new test user needs to be created in the user management database utilizing the user registration service. The details for this test user are as follows:

  • Email: testuser123@legit.health
  • Institution: Legit.Health

Providing a password is not mandatory because the registration service will generate one for you. The password length can be specified, but if omitted, it defaults to 7 characters.

Steps​

  1. Launch the command-line interface of the user registration service (which is located in one of the top-level directories of the web API repository).
  2. When you start the application, a list of options will appear. Select the option to create a new institution and enter the test user's institution name. If the institution hasn't been created yet, this will register the institution in the database.
  3. Once the institution has been created, choose the appropriate command from the menu to add a new user. Enter the test user's email and associate it with the newly created institution. The program will also prompt you to enter a password. You can either skip this step and have a password generated automatically, enter your own password, or specify the length for the automatically generated password. For simplicity, just press "Enter" to skip this step. This action will add the new user (i.e. email, institution and password) to the database.
  4. Complete the registration and check for successful registration feedback.
  5. Access the database and retrieve the stored password for the newly registered user.

Expected outcome​

  • The stored password in the database is a hashed value, not the plaintext password.

Verifies software requirements​

  • REQ_005

Risk control for​

    1. Data breach or unauthorized access

Signature meaning

The signatures for the approval process of this document can be found in the verified commits at the repository for the QMS. As a reference, the team members who are expected to participate in this document and their roles in the approval process, as defined in Annex I Responsibility Matrix of the GP-001, are:

  • Tester: JD-017, JD-009, JD-004
  • Approver: JD-005
Previous
PLAN_013 Improved accuracy with multiple images
Next
PLAN_015: Password hash comparison during login
  • Description
  • System requirements
  • Preconditions
  • Input data
  • Steps
  • Expected outcome
  • Verifies software requirements
  • Risk control for
All the information contained in this QMS is confidential. The recipient agrees not to transmit or reproduce the information, neither by himself nor by third parties, through whichever means, without obtaining the prior written permission of Legit.Health (AI LABS GROUP S.L.)