
partiantito-design/AgencyOS


PentesterOPS Dashboard

A comprehensive penetration testing operations dashboard for managing projects, tasks, findings, clients, and assets. Built with Next.js, Express, and MongoDB.


🚀 Features

  • Project Management: Organize penetration testing projects with tasks, pages, and team collaboration
  • Task Management: Kanban board, table, and card views with filtering, search, and subtasks
  • Finding Management: Track security findings with CWE database integration
  • Client Management: Manage clients with photos, links, and metadata
  • Asset Management: Track and manage assets linked to projects and tasks
  • Rich Text Editor: Notion-like pages with Editor.js (headings, paragraphs, code, tables, callouts, toggles)
  • Checklists: Create reusable checklists and link them to tasks
  • Comments: Threaded comments on tasks and findings
  • File Attachments: Upload PDFs, DOCX, XLSX, CSV, ZIP, and images
  • Version History: Track changes with diff viewing and restore
  • Global Search: Full-text search across all entities
  • Dark Mode: Optimized dark theme for technical workflows
  • Single Container Deployment: Easy deployment with Docker

🛠 Tech Stack

  • Frontend: Next.js 14 (App Router), React, TypeScript, TailwindCSS
  • Backend: Node.js, Express, TypeScript
  • Database: MongoDB with Mongoose
  • Authentication: JWT with refresh tokens
  • Rich Text Editor: Editor.js with multiple plugins
  • File Storage: Local filesystem with multer
  • Containerization: Docker (single container)

📦 Prerequisites

  • Node.js: 18+
  • Docker: Latest version (for containerized deployment)
  • MongoDB: 5.0+ (or use MongoDB Atlas)
  • Git: For cloning the repository

🚀 Quick Start

Local Development

  1. Clone the repository

    git clone https://github.com/yourusername/MyPentest-Dashboard.git
    cd MyPentest-Dashboard
  2. Install dependencies

    # Install root dependencies
    npm install
    
    # Install frontend dependencies
    cd frontend && npm install && cd ..
    
    # Install backend dependencies
    cd backend && npm install && cd ..
  3. Configure environment variables

    Create .env file in the root directory:

    # Backend
    NODE_ENV=development
    BACKEND_PORT=4000
    MONGODB_URI=mongodb://localhost:27017/pentest-dashboard
    JWT_SECRET=your-jwt-secret-key
    JWT_REFRESH_SECRET=your-refresh-secret-key
    CORS_ORIGIN=http://localhost:3000
    ALLOW_REGISTRATION=true
    MAX_FILE_SIZE=10485760
    UPLOAD_DIR=./backend/uploads
    
    # Frontend
    NEXT_PUBLIC_API_URL=http://localhost:4000

    Generate secure secrets:

    openssl rand -base64 32  # For JWT_SECRET
    openssl rand -base64 32  # For JWT_REFRESH_SECRET
  4. Start MongoDB

    # Using Docker (this instance runs without authentication, so publish it on loopback only)
    docker run -d --name mongodb -p 127.0.0.1:27017:27017 mongo:latest
    
    # Or use MongoDB Atlas (update MONGODB_URI in .env)
  5. Run development servers

    # From root directory
    npm run dev
  6. Access the application

  7. Create admin user

    # Register via the UI at /login, or use seed script:
    node scripts/seed-admin.js

🐳 Docker Deployment

Single Container (Recommended)

The application uses a single Docker container that includes MongoDB, backend, and frontend.

Build and Run

# Build the image
docker build -t pentestops-dashboard:latest .

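# Run the container
# The backend reaches MongoDB on localhost inside the container, so 27017 is
# published on the host's loopback interface only, not on public interfaces.
# Secrets generated inline change whenever the container is recreated, which
# invalidates previously issued tokens; use an env file to keep them stable.
docker run -d \
  --name pentestops \
  --restart unless-stopped \
  -p 3000:3000 \
  -p 4000:4000 \
  -p 127.0.0.1:27017:27017 \
  -v pentestops-data:/data/db \
  -v pentestops-uploads:/app/uploads \
  -e JWT_SECRET="$(openssl rand -base64 32)" \
  -e JWT_REFRESH_SECRET="$(openssl rand -base64 32)" \
  -e NODE_ENV=production \
  -e CORS_ORIGIN=https://yourdomain.com \
  -e ALLOW_REGISTRATION=false \
  pentestops-dashboard:latest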

Using Environment File

Create a .env file, replacing the two placeholder secrets with generated values:

NODE_ENV=production
BACKEND_PORT=4000
FRONTEND_PORT=3000
MONGODB_URI=mongodb://localhost:27017/pentest-dashboard
JWT_SECRET=your-super-secret-jwt-key
JWT_REFRESH_SECRET=your-super-secret-refresh-key
CORS_ORIGIN=https://yourdomain.com
ALLOW_REGISTRATION=false
MAX_FILE_SIZE=10485760
UPLOAD_DIR=/app/uploads
NEXT_PUBLIC_API_URL=https://yourdomain.com

Run with environment file:

docker run -d \
  --name pentestops \
  --restart unless-stopped \
  -p 3000:3000 \
  -p 4000:4000 \
  -v pentestops-data:/data/db \
  -v pentestops-uploads:/app/uploads \
  --env-file .env \
  pentestops-dashboard:latest

Container Management

# View logs
docker logs -f pentestops

# Stop container
docker stop pentestops

# Start container
docker start pentestops

# Restart container
docker restart pentestops

# Remove container
docker stop pentestops && docker rm pentestops

🌐 Deployment

  1. Install Docker

    curl -fsSL https://get.docker.com -o get-docker.sh
    sudo sh get-docker.sh
    sudo systemctl start docker
    sudo systemctl enable docker
  2. Clone and deploy

    cd /opt
    sudo git clone https://github.com/yourusername/MyPentest-Dashboard.git pentestops
    cd pentestops
    sudo chmod +x deploy.sh
    sudo ./deploy.sh

    The deploy.sh script will:

    • Create application directory
    • Generate secure JWT secrets
    • Build Docker image
    • Start container with all services
  3. Access application

    • Frontend: http://your-vps-ip:3000
    • Backend API: http://your-vps-ip:4000

Domain & SSL Setup

  1. Install Nginx and Certbot

    sudo apt update
    sudo apt install -y nginx certbot python3-certbot-nginx
  2. Configure Nginx

    Create /etc/nginx/sites-available/pentestops:

    server {
        listen 80;
        server_name yourdomain.com www.yourdomain.com;
    
        location / {
            proxy_pass http://localhost:3000;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
    
    server {
        listen 80;
        server_name api.yourdomain.com;
    
        location / {
            proxy_pass http://localhost:4000;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            client_max_body_size 10M;
        }
    }

    Enable site:

    sudo ln -s /etc/nginx/sites-available/pentestops /etc/nginx/sites-enabled/
    sudo rm /etc/nginx/sites-enabled/default
    sudo nginx -t
    sudo systemctl reload nginx
  3. Get SSL Certificate

    sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com -d api.yourdomain.com
  4. Update environment variables

    Edit /opt/pentestops/.env:

    CORS_ORIGIN=https://yourdomain.com
    NEXT_PUBLIC_API_URL=https://api.yourdomain.com

    Restart container:

    sudo docker restart pentestops

Security Hardening

  1. Configure firewall

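    sudo apt install -y ufw
    sudo ufw allow 22/tcp
    sudo ufw allow 80/tcp
    sudo ufw allow 443/tcp
    sudo ufw enable
    # Docker inserts its own iptables rules for ports published with -p, so ufw
    # does not filter 3000, 4000 or 27017. Once Nginx is proxying, publish those
    # ports on 127.0.0.1 only.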
  2. Disable root SSH login

    sudo nano /etc/ssh/sshd_config
    # Set: PermitRootLogin no
    # Validate the configuration before restarting, to avoid locking yourself out
    sudo sshd -t
    sudo systemctl restart sshd
  3. Set up automatic backups

    # Create backup script
    sudo nano /opt/pentestops/backup.sh

    # Contents of backup.sh:
    #!/bin/bash
    set -euo pipefail
    umask 077  # backups hold client findings; keep them readable by the owner only
    BACKUP_DIR="/opt/backups/pentestops"
    DATE=$(date +%Y%m%d_%H%M%S)
    mkdir -p "$BACKUP_DIR"
    docker exec pentestops mongodump --archive=/tmp/backup.archive --db=pentest-dashboard
    docker cp pentestops:/tmp/backup.archive "$BACKUP_DIR/mongodb_$DATE.archive"
    docker exec pentestops rm -f /tmp/backup.archive
    tar -czf "$BACKUP_DIR/uploads_$DATE.tar.gz" /opt/pentestops/uploads
    find "$BACKUP_DIR" -type f -mtime +7 -delete

    Make executable and schedule (the script was created as root and calls docker, so use root's crontab):

    sudo chmod +x /opt/pentestops/backup.sh
    sudo crontab -e
    # Add: 0 2 * * * /opt/pentestops/backup.sh

βš™οΈ Configuration

Environment Variables

Backend

| Variable | Description | Default | Required |
|---|---|---|---|
| NODE_ENV | Environment mode | development | No |
| BACKEND_PORT | Backend API port | 4000 | No |
| MONGODB_URI | MongoDB connection string | mongodb://localhost:27017/pentest-dashboard | Yes |
| JWT_SECRET | JWT token secret | - | Yes |
| JWT_REFRESH_SECRET | Refresh token secret | - | Yes |
| CORS_ORIGIN | Allowed CORS origins | * | No |
| ALLOW_REGISTRATION | Allow public registration | true | No |
| MAX_FILE_SIZE | Max file upload size (bytes) | 10485760 (10MB) | No |
| UPLOAD_DIR | Upload directory path | ./uploads | No |

Frontend

| Variable | Description | Default | Required |
|---|---|---|---|
| NEXT_PUBLIC_API_URL | Backend API URL | http://localhost:4000 | Yes |
| NODE_ENV | Environment mode | development | No |
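
The defaults in the tables above (CORS_ORIGIN=*, ALLOW_REGISTRATION=true) and the placeholder secrets in the sample .env files are easy to carry into production unchanged. The following pre-flight check is an added example, not part of the project's code; the function names and the specific rules (32-character minimum, https-only origin) are assumptions.

```javascript
// Pre-flight audit of a .env file using the variable names and defaults from this README.
// The rules themselves are assumptions of this example, not checks the project performs.
const PLACEHOLDERS = new Set([
  'your-jwt-secret-key', 'your-refresh-secret-key',
  'your-super-secret-jwt-key', 'your-super-secret-refresh-key',
]);

// Parse KEY=VALUE lines, skipping blanks and comments; strip matching surrounding quotes.
function parseEnv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf('=');
    if (!line || line.startsWith('#') || eq < 1) continue;
    const value = line.slice(eq + 1).trim().replace(/^(['"])(.*)\1$/, '$2');
    env[line.slice(0, eq).trim()] = value;
  }
  return env;
}

function auditEnv(text) {
  const env = parseEnv(text);
  const findings = [];
  for (const key of ['JWT_SECRET', 'JWT_REFRESH_SECRET']) {
    const v = env[key] || '';
    if (!v) findings.push(`${key}: missing (required)`);
    else if (PLACEHOLDERS.has(v)) findings.push(`${key}: README placeholder value`);
    else if (v.length < 32) findings.push(`${key}: shorter than 32 characters`);
  }
  if (env.JWT_SECRET && env.JWT_SECRET === env.JWT_REFRESH_SECRET) {
    findings.push('JWT_REFRESH_SECRET: identical to JWT_SECRET');
  }
  if (env.NODE_ENV === 'production') {
    // Unset values fall back to the documented defaults: CORS_ORIGIN=*, ALLOW_REGISTRATION=true.
    const cors = env.CORS_ORIGIN ?? '*';
    if (cors === '*') findings.push('CORS_ORIGIN: wildcard origin');
    else if (!cors.startsWith('https://')) findings.push('CORS_ORIGIN: not an https origin');
    if ((env.ALLOW_REGISTRATION ?? 'true') !== 'false') {
      findings.push('ALLOW_REGISTRATION: public registration enabled');
    }
  }
  return findings;
}

// Constructed sample: the production template with placeholders left in and no CORS_ORIGIN line.
const SAMPLE = 'NODE_ENV=production\nJWT_SECRET=your-super-secret-jwt-key\n' +
  'JWT_REFRESH_SECRET=your-super-secret-refresh-key\nALLOW_REGISTRATION=true';
console.log(auditEnv(SAMPLE).join('\n'));
```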

File Upload Types

The application supports the following file types:

  • Images: JPG, JPEG, PNG, GIF, WebP
  • Documents: PDF, DOC, DOCX
  • Spreadsheets: XLS, XLSX, CSV
  • Text: TXT
  • Archives: ZIP

Maximum file size: 10MB (configurable via MAX_FILE_SIZE)
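
An upload's filename and Content-Type are supplied by the client, so an allow-list like the one above is only meaningful if the file's content is checked against the claimed type. The following is an added example of such a check for the listed types and size limit; it is not the project's code, and `checkUpload` and its return strings are hypothetical names.

```javascript
// Check that an upload's leading bytes match its extension, for the file types
// and default size limit listed in this README. Added example with hypothetical names.
const MAX_FILE_SIZE = 10485760; // README default, in bytes

const startsWith = (buf, bytes, at = 0) =>
  buf.length >= at + bytes.length && bytes.every((b, i) => buf[at + i] === b);

const ZIP = [0x50, 0x4b, 0x03, 0x04];                         // "PK\x03\x04"
const OLE = [0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1]; // legacy Office container
const isText = (buf) => !buf.includes(0);                     // CSV/TXT: no NUL bytes

// Extension -> content check. DOCX and XLSX are ZIP containers; DOC and XLS are OLE2 files.
const CHECKS = {
  jpg: (b) => startsWith(b, [0xff, 0xd8, 0xff]),
  jpeg: (b) => startsWith(b, [0xff, 0xd8, 0xff]),
  png: (b) => startsWith(b, [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]),
  gif: (b) => startsWith(b, [0x47, 0x49, 0x46, 0x38]),
  webp: (b) => startsWith(b, [0x52, 0x49, 0x46, 0x46]) && startsWith(b, [0x57, 0x45, 0x42, 0x50], 8),
  pdf: (b) => startsWith(b, [0x25, 0x50, 0x44, 0x46, 0x2d]),
  doc: (b) => startsWith(b, OLE),
  xls: (b) => startsWith(b, OLE),
  docx: (b) => startsWith(b, ZIP),
  xlsx: (b) => startsWith(b, ZIP),
  zip: (b) => startsWith(b, ZIP),
  csv: isText,
  txt: isText,
};

function checkUpload(filename, buf, maxSize = MAX_FILE_SIZE) {
  if (buf.length === 0) return 'reject: empty file';
  if (buf.length > maxSize) return 'reject: exceeds MAX_FILE_SIZE';
  const dot = filename.lastIndexOf('.');
  const ext = dot > 0 ? filename.slice(dot + 1).toLowerCase() : '';
  // Object.hasOwn keeps inherited keys such as "constructor" from matching.
  if (!Object.hasOwn(CHECKS, ext)) return 'reject: extension not allowed';
  return CHECKS[ext](buf) ? 'accept' : 'reject: content does not match extension';
}

// Constructed samples: a PDF header, and HTML text uploaded under a .png name.
console.log(checkUpload('report.pdf', Buffer.from('%PDF-1.7\n')));
console.log(checkUpload('shot.png', Buffer.from('<html>')));
```

A check like this belongs after the file bytes are available on the server, in addition to any extension filter applied when the request arrives.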

📚 API Documentation

Authentication

  • POST /api/auth/register - Register new user
  • POST /api/auth/login - Login
  • POST /api/auth/refresh - Refresh access token
  • GET /api/auth/profile - Get user profile
  • PUT /api/auth/profile - Update user profile

Projects

  • GET /api/projects - List all projects
  • POST /api/projects - Create project
  • GET /api/projects/:id - Get project details
  • PUT /api/projects/:id - Update project
  • DELETE /api/projects/:id - Delete project

Tasks

  • GET /api/tasks - List all tasks
  • POST /api/tasks - Create task
  • GET /api/tasks/:id - Get task details
  • PUT /api/tasks/:id - Update task
  • DELETE /api/tasks/:id - Delete task

Findings

  • GET /api/findings - List all findings
  • POST /api/findings - Create finding
  • GET /api/findings/:id - Get finding details
  • PUT /api/findings/:id - Update finding
  • DELETE /api/findings/:id - Delete finding

Clients

  • GET /api/clients - List all clients
  • POST /api/clients - Create client
  • GET /api/clients/:id - Get client details
  • PUT /api/clients/:id - Update client
  • DELETE /api/clients/:id - Delete client

Pages (Checklists)

  • GET /api/pages - List all pages
  • POST /api/pages - Create page
  • GET /api/pages/:slug - Get page details
  • PUT /api/pages/:slug - Update page
  • DELETE /api/pages/:slug - Delete page

CWE Database

  • GET /api/cwes - List all CWEs
  • GET /api/cwes/:id - Get CWE details
  • POST /api/cwes/import - Import CWE database from CSV

Attachments

  • POST /api/attachments - Upload file
  • GET /api/attachments/:id/download - Download file
  • GET /api/attachments/:id/view - View file (images)

Search

  • GET /api/search?q=query - Global search

All API endpoints require authentication except:

  • /api/auth/register (if ALLOW_REGISTRATION=true)
  • /api/auth/login
  • /api/attachments/:id/view (public images)

πŸ“ Project Structure

MyPentest-Dashboard/
β”œβ”€β”€ frontend/              # Next.js frontend application
β”‚   β”œβ”€β”€ app/              # Next.js app router pages
β”‚   β”œβ”€β”€ components/       # React components
β”‚   β”œβ”€β”€ lib/              # Utilities and API client
β”‚   β”œβ”€β”€ public/           # Static assets
β”‚   └── types/            # TypeScript types
β”œβ”€β”€ backend/              # Express backend API
β”‚   β”œβ”€β”€ src/
β”‚   β”‚   β”œβ”€β”€ routes/       # API routes
β”‚   β”‚   β”œβ”€β”€ models/       # Mongoose models
β”‚   β”‚   β”œβ”€β”€ middleware/   # Express middleware
β”‚   β”‚   β”œβ”€β”€ config/       # Configuration files
β”‚   β”‚   └── utils/        # Utility functions
β”‚   └── uploads/          # File uploads directory
β”œβ”€β”€ scripts/              # Utility scripts
β”‚   β”œβ”€β”€ seed-admin.js     # Create admin user
β”‚   └── test-crud.js      # Test CRUD operations
β”œβ”€β”€ Dockerfile            # Single container Dockerfile
β”œβ”€β”€ docker-entrypoint.sh  # Container entrypoint script
β”œβ”€β”€ deploy.sh             # VPS deployment script
└── README.md             # This file

πŸ“ License

MIT License - see LICENSE file for details

🤝 Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

📧 Support

For issues, questions, or contributions:

  • Open an issue on GitHub
  • Check the troubleshooting section
  • Review the logs: docker logs pentestops

Built with ❤️ for penetration testing teams

Languages

  • TypeScript 94.9%
  • JavaScript 2.9%
  • Shell 1.3%
  • Other 0.9%