- Use Express middleware to ensure requests are authenticated
- Use cookies to store user data
- Use JWTs for storing user data in cookies
- Sign & verify JWTs to ensure validity
You’ve been hired by the Department of Defense to build a new service for their intranet: an API for storing top secret, confidential information. Your first task is to build an API and database schema for storing user emails & (hashed) passwords, as well as endpoints for creating and listing secrets (the notes described by the schema below) that can only be accessed by authenticated users. No UI is required; everything can be done via an API.
field | type
---|---
id | bigint (generated)
title | text (required)
description | text (required)
created_at | timestamp (autogenerated)
Approach this deliverable vertically, meaning that you should write a test and any model/controller methods for a single route at a time (i.e. do not write all the tests, then all the models, then all the controllers). Your git commit history needs to show a vertical approach.
- Git history shows a vertical approach
- Users can register using email & password
- Users can log in using email & password
- Passwords are hashed when stored in the database
- User information is stored in a cookie when signed in
- Cookie contains a signed JWT of the user record
  - The User model instance should be an object with an id & email, but without the password hash!
- Logged in users can view top secrets by visiting /api/v1/secrets
- Logged in users can create new secrets by POSTing to /api/v1/secrets
- STRETCH: Only allow user sign ups if their email ends with @defense.gov
- STRETCH: User model stores the user’s first and last name as well
Points
Task | Points
---|---
POST { email, password } to /api/v1/users/sessions logs in a user | 4
DELETE /api/v1/users/sessions logs out a user | 4
POST { email, password } to /api/v1/users creates a new user | 4
GET /api/v1/secrets returns a list of secrets ([{ title, description, createdAt }]) | 2
Each route is tested | 2
Git history shows vertical approach | 4
Password is stored in plaintext / password hash is stored in the JWT | -5