GraphQL API and .NET back end for Curve CMS

Curve: Repository Name

DESCRIPTION

Contributors

  • Integrations Team Liaisons
  • Authentication Team
  • GraphQL Team

Authentication Team Goal

Utilize OAuth for Google and GitHub through Auth0 (a library of OAuth providers) to quickly and seamlessly allow users to register and use the site as intended. Note that Auth0 imposes a default and mandatory timeout on the access token, and a new token is generated on every login or registration. This means that the access token is not persistent, which makes it challenging to validate.

GraphQL Team Goal

Build a responsive GraphQL API endpoint that has the ability to perform full CRUD operations with an attached database for storing professional competency reviews and comments based on the list of core competencies.

Repo Purpose

Authentication and GraphQL API server, and database code for the back-end portion of the Curve app prototype.

Client Requirements

  • Use Auth0
  • Use GraphQL
  • Utilize multiple user roles
  • Maximize security

Deployment Link

The API is deployed on Azure: https://cfcurve.azurewebsites.net/graphql

Frameworks and Tools Used

  • ASP.NET Core
  • GraphQL
  • JWT
  • Auth0
  • Entity Framework
  • SQL Server
  • Swagger docs

Rationale for Tool/Technology Choice

We chose Auth0 because the client wanted the app to implement OAuth to allow multiple login services, and Auth0 handles the verification requests and responses securely. We use a controller to handle the actions to and from Auth0 and a model to store the data needed to authenticate the user.

GraphQL was chosen for building the API because it was a hard requirement of the client. The client chose it because it allows dynamic and quick loading of data from the database without restricting responses to a fixed shape or type.

Getting Started

Clone this repository to your local machine.

$ git clone https://github.com/CodeFellows-Curve/dotnet-api.git

To run the program from Visual Studio:

  1. Select File -> Open -> Project/Solution

  2. Navigate to the location where you cloned the repository.

  3. Double-click the dotnet-api directory.

  4. Select and open curve-api.sln.

  5. Click the IIS Express button at the top.

Testing

  1. Follow steps 1-4 of the running instructions above.

  2. Click the Test menu.

  3. Select Run All Tests.

UML

Backend UML

5-Way Handshake UML

Process flow

Auth Team Schedule
  • 0900-0915: Debrief, assign work for the day.
  • 1000-1015: Meeting of all Curve project teams and clients.
  • 1100-1115: Standup meeting to sync with project manager and Integrations team.
  • 1600-1630: Standup to sync and do daily retro.

GraphQL Team Schedule
  • 0900-0915: Meet up for internal team plan of the day.
  • 1030-1045: Standup meeting.
  • 1100-1130: Team leadership meeting.
  • 1200-1300: Break for lunch as needed.
  • 1300-1600: Work with other teams.
  • 1600-1630: Standup meeting.
  • 1630-1700: Work with other teams.
  • 1700-1730: Scrum of Scrums.
  • 1730-1800: End of day wrap up work.

Current functionality

The front end handles retrieval of the token and the authentication of a user.

GraphQL

The GraphQL endpoint can currently receive queries that read data and mutations that create and update it (the GET, POST, and PUT equivalents), as requested.

Known bugs

Existing limitations

  • User information cannot safely be sent over plain HTTP requests (security vulnerability).
  • The GraphQL endpoint CANNOT currently be combined with Auth0-based authentication.
  • The access token MUST be validated with Auth0 at frequent intervals because of the automatic token timeout. Every request generates a different token, so persistence is difficult to manage, although renewing the token this often does offer a security advantage.
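The token-timeout constraint described in the Authentication Team Goal and in the limitations above is normally handled by validating the bearer token on every request rather than persisting it. The following is an added example, not code from the Curve dotnet-api repository: an ASP.NET Core host (assumes .NET 6+ minimal hosting and the Microsoft.AspNetCore.Authentication.JwtBearer package) that validates Auth0-issued JWTs on each request to a placeholder /graphql route, enforces token lifetime, enforces HTTPS, and applies a role policy. The Auth0 domain, API audience, role claim name ("https://example.com/roles") and role name ("reviewer") are placeholders, not the project's settings.

```csharp
// Added example (not from the Curve dotnet-api repo): per-request validation of
// Auth0 access tokens in ASP.NET Core. Tenant values below are placeholders.
using System;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Placeholder Auth0 tenant values (assumptions; read from configuration in practice).
string auth0Domain   = builder.Configuration["Auth0:Domain"]   ?? "YOUR_TENANT.auth0.com";
string auth0Audience = builder.Configuration["Auth0:Audience"] ?? "https://example-api-identifier";
string issuer        = $"https://{auth0Domain}/";

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Authority makes the middleware fetch Auth0's OIDC discovery document and
        // JWKS, so signing keys come from the tenant and are cached; no token has to
        // be stored server-side, which sidesteps the "token is not persistent" issue.
        options.Authority = issuer;
        options.Audience  = auth0Audience;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer           = true,
            ValidIssuer              = issuer,
            ValidateAudience         = true,
            ValidAudience            = auth0Audience,
            ValidateIssuerSigningKey = true,
            // Enforce the Auth0 timeout instead of working around it: an expired
            // token is rejected and the front end must obtain a fresh one.
            ValidateLifetime = true,
            ClockSkew        = TimeSpan.FromMinutes(1), // tolerance for clock drift only
            NameClaimType    = ClaimTypes.NameIdentifier,
            // Assumed custom, namespaced claim carrying Auth0 roles (placeholder name).
            RoleClaimType    = "https://example.com/roles"
        };
    });

builder.Services.AddAuthorization(options =>
{
    // Placeholder role policy; the repo's "multiple user roles" requirement maps
    // to policies like this one, each bound to a role claim value.
    options.AddPolicy("ReviewerOnly", policy => policy.RequireRole("reviewer"));
});

var app = builder.Build();

// Addresses the "cannot send user information over HTTP" limitation: plain-HTTP
// requests are redirected so bearer tokens only travel over TLS.
app.UseHttpsRedirection();
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/health", () => "ok").AllowAnonymous();

// Placeholder stand-in for the GraphQL endpoint: every request must carry a valid,
// unexpired Auth0 token and the caller must hold the "reviewer" role.
app.MapPost("/graphql", (ClaimsPrincipal user) =>
{
    string subject = user.FindFirst(ClaimTypes.NameIdentifier)?.Value ?? "unknown";
    return $"authenticated as {subject}";
}).RequireAuthorization("ReviewerOnly");

app.Run();
```

The front end sends the token it retrieved from Auth0 in an `Authorization: Bearer <token>` header on each request; the middleware verifies signature, issuer, audience and expiry locally against the cached JWKS, so frequent rotation costs nothing server-side. Getting roles into the access token requires configuring a custom claim on the Auth0 side, which this example assumes has been done under the placeholder claim name.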

Tasks remaining

  • Adding more roles to facilitate more or less accessibility per user.
  • If we were not using GraphQL or this project was in one repo most of the issues would be solved more easily.

TODOs

Tighten authorization of data access from the front end.

GraphQL Team
  • Implement a return for delete functionality to prevent errors in GraphiQL and verify delete is properly completed
  • More in-depth testing of GraphQL endpoint
  • Build side-by-side REST API?
  • Implement more policy controls and security

Recommendations for future development

Look into GraphQL Resource #2 thoroughly (see below).

Docs Referenced (links)


RAW DOCUMENTATION FOR AUTH - PLEASE READ!

https://github.com/CodeFellows-Curve/dotnet-api/blob/pre-staging/curve-api/curve-api/README-Auth.md