At a time of unprecedented distancing, this web application aims to connect users by promoting famous SG spots all around Singapore. Favorite stargazing spots? You got it! Famous carpool routes? You got it too!
- SG Spots
- Table of Contents (To be updated)
  - API Design
  - Security Best Practices
  - Future Features
  - Environment Config
  - Dependencies
    - Slugify
    - Validators
    - Bcrypt
    - Crypto
    - Nodemailer
    - HTMLtoText
    - Pug
    - Express
    - Morgan
    - Express-rate-limit
    - Helmet
    - Express-Mongo-Sanitize
    - HTTP Parameter Pollution (hpp)
    - XSS
    - Path
    - Cookie-parser
    - Dotenv
    - JsonWebToken
    - Util
    - Stripe
    - Multer
    - Sharp
    - Axios
    - Mapbox
The project has adopted the REST architectural style.
Read this if you are unclear about what exactly a REST API is.
A REST API (also known as RESTful API) is an application programming interface (API or web API) that conforms to the constraints of REST architectural style and allows for interaction with RESTful web services. REST stands for representational state transfer and was created by computer scientist Roy Fielding.
In general, the API is expected to follow these guidelines:
- The API should be separated into logical resources.
  - Tours, Reviews, Users etc.
- Expose structured, resource-based URLs.
  - {API_URL}/api/v1/users/:id/address/:address
- Transfer data via HTTP methods.
  - GET, POST, PATCH, DELETE
- Send data in JSON format.
- Be stateless.
  - All state is handled on the client. This means that each request should contain all the information necessary to process that request; the API should not have to remember previous requests.
  - State implemented within the application: LoggedIn, Paginate
- Compromised Database
  - Strongly hash passwords with a salt (bcrypt)
  - Strongly hash password reset tokens
- Brute Force Attacks
  - Use bcrypt to make login requests slow
  - Implemented rate limiting
- Cross-Site Scripting Attacks
  - Store the JWT in HTTPOnly cookies
  - Sanitize user input data
  - Set special HTTP headers (helmet package)
- Denial of Service Attacks
  - Implemented rate limiting
  - Limit the body payload size
  - Avoid evil regular expressions
- NoSQL Query Injection
  - Use mongoose for MongoDB (because of SchemaTypes)
  - Sanitize user input data
- Other Best Practices
  - Always use HTTPS
  - Create random password reset tokens with expiry dates
  - Deny access to a JWT issued before the password was changed
  - Don't commit sensitive config data to Git
  - Don't send error details to clients
  - Prevent parameter pollution from causing an uncaught exception
- Currently exploring application integration with Stripe for payment services.
- Plans to build the frontend with HTML and SASS, then convert it into a Pug template.
- Implement advanced authentication features: confirm user email, keep users logged in with refresh tokens, 2FA etc.
- Security suggestions:
  - Prevent Cross-Site Request Forgery (csurf package)
  - Require re-authentication before a high-value action
  - Implement a blacklist of untrusted JWTs
  - Confirm the user's email address after the account is first created
  - Keep users logged in with refresh tokens
  - Implement two-factor authentication
  - Implement a maximum number of login attempts
Environment configuration for the project (secrets are left blank and must be supplied locally, never committed):

```
NODE_ENV=development
PORT=3000
DATABASE_PASSWORD=
DATABASE=
DATABASE_LOCAL=
JWT_SECRET=
JWT_EXPIRES_IN=90d
JWT_COOKIE_EXPIRES_IN=90
EMAIL_USERNAME=
EMAIL_PASSWORD=
EMAIL_HOST=
EMAIL_PORT=
EMAIL_FROM=zxun2000@gmail.com
SENDGRID_USERNAME=apikey
SENDGRID_PASSWORD=
STRIPE_SECRET_KEY=
```
Dependencies for the project (from package.json) are stated below:

```json
"dependencies": {
  "@babel/polyfill": "^7.12.1",
  "axios": "^0.21.1",
  "bcryptjs": "^2.4.3",
  "cookie-parser": "^1.4.5",
  "core-js": "^3.6.4",
  "dotenv": "^10.0.0",
  "express": "^4.17.1",
  "express-csp": "^0.1.3",
  "express-mongo-sanitize": "^2.1.0",
  "express-rate-limit": "^5.3.0",
  "helmet": "^4.6.0",
  "hpp": "^0.2.3",
  "html-to-text": "^8.0.0",
  "jsonwebtoken": "^8.5.1",
  "mapbox-gl": "^2.4.0",
  "mongoose": "^5.13.3",
  "morgan": "^1.10.0",
  "multer": "^1.4.2",
  "nodemailer": "^6.6.3",
  "pug": "^3.0.2",
  "regenerator-runtime": "^0.13.7",
  "sharp": "^0.28.3",
  "slugify": "^1.6.0",
  "stripe": "^8.168.0",
  "validator": "^13.6.0",
  "xss-clean": "^0.1.1"
},
```
A URL slug is the part at the very end of a URL and is the exact address of a specific page on your website. For example, in the URL https://slugify.online/campaign-url-builder, "campaign-url-builder" is the slug. Composing a short but descriptive slug for a web page's URL can positively affect the page's SEO. For more information
A library of string validators and sanitizers.
A library to help you hash passwords.
You can read about bcrypt in Wikipedia as well as in the following article: How To Safely Store A Password
JavaScript library of crypto standards.
Send e-mails from Node.js – easy as cake! 🍰✉️
Advanced converter that parses HTML and returns beautiful text.
Full documentation is at pugjs.org
Pug is a high performance template engine heavily influenced by Haml and implemented with JavaScript for Node.js and browsers. For bug reports, feature requests and questions, open an issue. For discussion join the chat room.
You can test drive Pug online here.
Fast, unopinionated, minimalist web framework for node.
HTTP request logger middleware for node.js
Basic rate-limiting middleware for Express. Use to limit repeated requests to public APIs and/or endpoints such as password reset.
Plays nice with express-slow-down.
Helmet helps you secure your Express apps by setting various HTTP headers. It's not a silver bullet, but it can help!
Express 4.x middleware which sanitizes user-supplied data to prevent MongoDB Operator Injection.
Express middleware to protect against HTTP Parameter Pollution attacks
Node.js Connect middleware to sanitize user input coming from POST body, GET queries, and url params. Works with Express, Restify, or any other Connect app.
The path module provides utilities for working with file and directory paths.
Parse the Cookie header and populate req.cookies with an object keyed by the cookie names. Optionally you may enable signed cookie support by passing a secret string, which assigns req.secret so it may be used by other middleware.
Dotenv is a zero-dependency module that loads environment variables from a .env file into process.env. Storing configuration in the environment separate from code is based on The Twelve-Factor App methodology.
An implementation of JSON Web Tokens. This was developed against draft-ietf-oauth-json-web-token-08. It makes use of node-jws.
This implements the Node.js util module for environments that do not have it, like browsers.
The Stripe Node library provides convenient access to the Stripe API from applications written in server-side JavaScript.
For collecting customer and payment information in the browser, use Stripe.js.
See the stripe-node API docs for Node.js.
See video demonstrations covering how to use the library.
Multer is a node.js middleware for handling multipart/form-data, which is primarily used for uploading files. It is written on top of busboy for maximum efficiency.
NOTE: Multer will not process any form which is not multipart (multipart/form-data).
The typical use case for this high speed Node.js module is to convert large images in common formats to smaller, web-friendly JPEG, PNG, WebP and AVIF images of varying dimensions.
Resizing an image is typically 4x-5x faster than using the quickest ImageMagick and GraphicsMagick settings due to its use of libvips.
Colour spaces, embedded ICC profiles and alpha transparency channels are all handled correctly. Lanczos resampling ensures quality is not sacrificed for speed.
As well as image resizing, operations such as rotation, extraction, compositing and gamma correction are available.
Most modern macOS, Windows and Linux systems running Node.js v10+ do not require any additional install or runtime dependencies.
Visit sharp.pixelplumbing.com for complete installation instructions, API documentation, benchmark tests and changelog.
Promise based HTTP client for the browser and node.js
A node.js and browser JavaScript client to Mapbox services.