An opinionated lab management system for academic labs, now available as a CLI tool.
## Project Structure

- `labman/`: Main package directory
- `lib/`: Backend modules
- `templates/`: HTML templates
- `static/`: Static assets
- `server.py`: Flask application
- `cli.py`: CLI entry point
## Requirements

- Python 3.10+
- `uv` (recommended) or `pip`
## Installation

From PyPI:

```bash
pip install ra-labman
```

From source:

```bash
git clone https://github.com/lokeshmohanty/labman.git
cd labman
uv pip install -e .
```

## Configuration

Run this command to create the `.env` configuration file interactively:

```bash
labman init
```

This will ask for:

- Lab Name
- Network Config (`HOST_IP`, `SERVER_PORT`, `ALLOWED_HOSTS`)
- SMTP settings
## Running the Server

Development mode (default):

```bash
labman serve
# OR
labman serve dev
```

Starts the Flask development server.

Production mode:

```bash
labman serve prod
# OR
labman serve prod --host 0.0.0.0 --port 9000
```

- Starts `gunicorn` in daemon mode (background).
- Logs output to `logs/YYYY-MM-DD.log`.

Check Status:

```bash
labman status
```

Shows if the server is running (PID) and the latest log entry.

Stop Production Server:

```bash
labman serve stop
```

Stops the running gunicorn process (using `gunicorn.pid` or a matching process name).

View Logs:

```bash
labman log
```

Shows the latest log file and follows it (`tail -f`).

Backup Database:

```bash
labman backup
# OR
labman backup now
```

Creates a copy of the database in `backup/YYYY-MM-DD.db`.

Automated Backup:

```bash
labman backup auto daily
# Options: daily, weekly, monthly
```

Sets up a cron job to back up the database automatically.

Stop Automated Backup:

```bash
labman backup stop
```

Removes the automated backup cron job.
## Accessing the Application

Open your browser at `http://<HOST_IP>:<SERVER_PORT>` (default: `http://localhost:9000`).

Default Login (first run):

- Email: `SMTP_USERNAME` from `.env`, or `admin@example.com` if it is not set
- Password: `admin123` (Change immediately!)
## Features

- User Management: Admin/User roles, secure auth with email activation.
- Research Groups: Hierarchical organization with member management.
- Meeting Management: Scheduling, RSVP, email notifications.
- Content Library: File sharing with access control and notifications.
- Inventory: Equipment and server tracking.
- Email Notifications: Automatic notifications with retry mechanism and background queue.
- CLI Tools: Built-in server management, logging, and backup.
- Security: Comprehensive protection against SQL injection, XSS, CSRF, brute force attacks, and more.
## Email Notifications

The system includes a robust email notification system with:
- Automatic Retry: Failed emails are automatically retried up to 3 times with exponential backoff
- Background Queue: Mass notifications (meetings, content) are sent asynchronously to avoid blocking
- Failure Logging: Failed emails are logged to database for manual review and retry
- Graceful Degradation: Application continues to work even if email server is unavailable
## Security

The application includes comprehensive security measures:
- ✅ SQL Injection: All queries use parameterized statements
- ✅ XSS (Cross-Site Scripting): Input validation and sanitization
- ✅ CSRF (Cross-Site Request Forgery): Token-based protection
- ✅ Brute Force Attacks: Rate limiting on sensitive endpoints
- ✅ Session Hijacking: Secure cookies with HttpOnly, Secure, and SameSite flags
- ✅ Malicious File Uploads: Whitelist-based file type validation
- Rate Limiting:
  - Login: 5 attempts per 15 minutes
  - Password reset: 3 attempts per hour
  - Default: 200 requests/day, 50/hour
- Input Validation: Email, filename, file extension, password strength
- Session Security: 60-minute timeout, automatic regeneration on login
- Security Headers: CSP, HSTS, X-Frame-Options (configurable)
- Password Requirements: Minimum 6 characters with letters and numbers
### Security Configuration

Add these to your `.env` file:

```env
# Session Security
SESSION_COOKIE_SECURE=False # Set to True in production with HTTPS
SESSION_TIMEOUT_MINUTES=60 # Auto-logout after inactivity

# CSRF Protection
CSRF_ENABLED=True # Enable CSRF validation

# Rate Limiting
RATE_LIMIT_STORAGE_URL=memory:// # Use redis://localhost:6379 in production

# Security Headers (Flask-Talisman)
TALISMAN_ENABLED=False # Set to True in production with HTTPS
```

For complete security documentation, see:

- `SECURITY.md`: Configuration and best practices
- `SECURITY_AUDIT.md`: Detailed security audit report
### Quick Reference

For Users:

- Password: 6+ characters with letters AND numbers
- Rate limits: 5 login attempts per 15 minutes
- Session timeout: 60 minutes of inactivity
- Blocked files: `.exe`, `.sh`, `.bat` (executables)

For Admins:

- Development: `SESSION_COOKIE_SECURE=False`, `TALISMAN_ENABLED=False`
- Production: `SESSION_COOKIE_SECURE=True`, `TALISMAN_ENABLED=True`
- Testing: `pytest labman/tests/test_security.py -v`
- See `SECURITY.md` for the complete deployment checklist
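The `.env` security keys and the Development/Production values listed for admins can be checked mechanically before a `labman serve prod` deployment. The script below is an added example, not part of the labman project; its pass/fail rules (including treating `memory://` rate-limit storage as a development value) are assumptions drawn from the comments in the configuration block.

```python
"""Added example, not part of the labman project: parse the security keys
documented above from a .env file and list the ones still at development
values before running `labman serve prod`."""

# Production expectations for the .env keys documented above. memory://
# rate-limit storage is per-process, so gunicorn workers would not share
# counters; the README recommends redis:// in production.
PRODUCTION_EXPECTATIONS = {
    "SESSION_COOKIE_SECURE": lambda v: v.lower() == "true",
    "CSRF_ENABLED": lambda v: v.lower() == "true",
    "TALISMAN_ENABLED": lambda v: v.lower() == "true",
    "RATE_LIMIT_STORAGE_URL": lambda v: not v.startswith("memory://"),
    "SESSION_TIMEOUT_MINUTES": lambda v: v.isdigit() and 0 < int(v) <= 60,
}

def parse_env(text: str) -> dict[str, str]:
    """Parse KEY=VALUE lines. As in the README's examples, text after '#'
    is a comment, so this simplified parser is not for values containing '#'."""
    env: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip("'\"")
    return env

def production_findings(env: dict[str, str]) -> list[str]:
    """Return the keys that are missing or still at a development value."""
    findings = []
    for key, is_ok in PRODUCTION_EXPECTATIONS.items():
        value = env.get(key)
        if value is None:
            findings.append(f"{key}: not set")
        elif not is_ok(value):
            findings.append(f"{key}={value}: development value")
    return findings

# Constructed sample mirroring the development block shown above.
SAMPLE_ENV = """
SESSION_COOKIE_SECURE=False # Set to True in production with HTTPS
SESSION_TIMEOUT_MINUTES=60 # Auto-logout after inactivity
CSRF_ENABLED=True
RATE_LIMIT_STORAGE_URL=memory:// # Use redis://localhost:6379 in production
TALISMAN_ENABLED=False
"""

if __name__ == "__main__":
    print("\n".join(production_findings(parse_env(SAMPLE_ENV))))
```

Run against a real `.env` (`parse_env(open(".env").read())`) it reports the three keys that the README's development block leaves unhardened.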
## Contributing

To contribute:

- Install in editable mode: `uv pip install -e .`
- Run tests: `pytest`
- Check code quality: `ruff check labman/`
## Testing

Run included tests and utilities:

```bash
# Test Email Configuration
labman test email

# Populate Test Data
labman test data

# Clear Test Data
labman test clear
```

## Troubleshooting

Email problems:

- Check SMTP Configuration:

  ```bash
  labman test email
  ```

  This will test your SMTP settings and show any errors.

- Verify `.env` Settings:
  - `SMTP_SERVER`: Your SMTP server address (e.g., `smtp.gmail.com`)
  - `SMTP_PORT`: Usually `587` for TLS or `465` for SSL
  - `SMTP_USERNAME`: Your email address
  - `SMTP_PASSWORD`: Your email password or app-specific password
  - `SENDER_EMAIL`: Email address to send from (usually the same as `SMTP_USERNAME`)

- Gmail Users: You may need to:
  - Enable "Less secure app access" OR
  - Generate an "App Password" if using 2FA

- Check Failed Emails: Failed emails are logged in the database and can be retried manually by an admin.

Database problems:

If you encounter database errors:

```bash
# Backup current database
labman backup now

# Check database integrity
sqlite3 data/your_lab.db "PRAGMA integrity_check;"
```

Server problems:

- Check if the port is already in use:

  ```bash
  lsof -i :9000 # Replace 9000 with your port
  ```

- Check logs:

  ```bash
  labman log
  ```