BNMOBOXD REST Service is the backend service for BNMOBOXD - Curators. It handles curator authentication, review creation, and subscription management. The service is built with Express.js and uses a PostgreSQL database, with Redis for caching.
This service should be used along with:
| User |
|---|
| id |
| username |
| password |
| firstName |
| lastName |
| isAdmin |
| reviewCount |
| profileImage |
| bio |
| Review |
| CuratorReview |
|---|
| id |
| rating |
| review |
| filmId |
| userId |
| createdAt |
| updatedAt |
FK:
CuratorReview(userId) -> user(id)
| UserVerification |
|---|
| userId |
| status |
| createdAt |
FK:
UserVerification(userId) -> user(id)
This service provides the following API endpoints:
| METHOD | ENDPOINT | ROLE |
|---|---|---|
| POST | /auth/login | public |
| POST | /auth/register | public |
| GET | /curator | admin |
| GET | /curator/:id | admin |
| GET | /curator-review | curator |
| GET | /curator-review/:id | curator |
| POST | /curator-review | curator |
| PUT | /curator-review/:id | curator |
| DELETE | /curator-review/:id | curator |
| GET | /film | public |
| GET | /subscription | admin |
| PUT | /subscription | admin |
| GET | /user-verification | admin |
| PUT | /user-verification/:id/verify | admin |
| PUT | /user-verification/:id/reject | admin |
- Docker
- Install requirements
- Clone the repository
- By default, this app uses ports 3000, 8003, and 6379, but these can be modified through `docker-compose.yml`.
- `cd` to the repository's root
- Make an env file `.env.production`
- Fill the file `.env.production` referring to `env.example`; make sure to include the correct endpoints for the other services
- Open a terminal and run `docker compose up -d`
- From the docker terminal run `npx prisma db seed`, or alternatively `pnpm run prisma:seed`
| 13521044 | 13521047 | 13521107 |
|---|---|---|
| Curator Review CRUD | User Verification Service | Get subscriptions from SOAP |
| GET films from PHP | User Verification Controller | Update subscriptions on SOAP |
| Auth | Review and Testing | Review and Testing |
| Project Initialization | ||
| Middlewares | ||
| Error Handling | ||
| Docker | ||
| User Verification Repository | ||
| PHP Client | ||
| SOAP Client | ||
| Upload Profile Picture | ||
| Edit Profile | | |
- Docker
- Redis Cache
| Name | NIM |
|---|---|
| Rachel Gabriela Chen | 13521044 |
| Muhammad Equilibrie Fajria | 13521047 |
| Jericho Russel Sebastian | 13521107 |
1. HTTP Parameter Pollution
This app is protected against HTTP Parameter Pollution (HPP) attacks.
HPP is a vulnerability that arises when multiple values are assigned to the same parameter in an HTTP request, leading to unexpected behavior in the application. It occurs because of the way the application processes and interprets the duplicated input parameters (for example, receiving an array where a single value was expected).
This service uses the `hpp` library to prevent HPP attacks.

In the image below, the service only reads the last value of the `page` parameter, which is 2.
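The behaviour described above, as an added example that is not code from the BNMOBOXD repository: an Express-style parsed query with a duplicated `page` key, an `hpp`-like sanitiser that keeps only the last value and sets the full array aside, and a pagination handler before and after it. The function names, the `whitelist` parameter and the sample request are assumptions made for the example.

```javascript
// Added example (not code from the BNMOBOXD repository): reproduces what the
// hpp middleware does to req.query, using only Node's built-in URLSearchParams.

// Express's default query parser turns repeated keys into arrays, the root
// cause of HPP:  "?page=1&page=2" -> { page: ["1", "2"] }
function parseQuery(rawQuery) {
  const params = new URLSearchParams(rawQuery);
  const query = {};
  for (const key of new Set(params.keys())) {
    const values = params.getAll(key);
    query[key] = values.length > 1 ? values : values[0];
  }
  return query;
}

// Mimics hpp: for every array-valued parameter keep only the LAST value in
// `query` and move the full array to `queryPolluted` for logging/auditing.
// Keys in `whitelist` may legitimately stay arrays (hpp's whitelist option).
function sanitizeQuery(query, whitelist = []) {
  const clean = {};
  const polluted = {};
  for (const [key, value] of Object.entries(query)) {
    if (Array.isArray(value) && !whitelist.includes(key)) {
      polluted[key] = value;
      clean[key] = value[value.length - 1];
    } else {
      clean[key] = value;
    }
  }
  return { query: clean, queryPolluted: polluted };
}

// Unprotected handler: trusts query.page as-is. With an array,
// Number(["1", "2"]) is NaN, so pagination silently breaks.
function pageFromUnsanitized(rawQuery) {
  const page = Number(parseQuery(rawQuery).page);
  return Number.isNaN(page) ? null : page;
}

// Protected handler: the same logic after the hpp-style sanitiser.
function pageFromSanitized(rawQuery) {
  const { query } = sanitizeQuery(parseQuery(rawQuery));
  return Number(query.page);
}

// Constructed sample request matching the README's screenshot.
const SAMPLE = "?page=1&page=2";
console.log(pageFromUnsanitized(SAMPLE)); // null (NaN without hpp)
console.log(pageFromSanitized(SAMPLE));   // 2 (last value, as with hpp)
```

The `queryPolluted` object is what a request-logging middleware would record to detect pollution attempts, since a legitimate client has no reason to send `page` twice.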

2. JWT Attack
This app is protected against JWT attacks. JWT injection occurs when an attacker manipulates the content of a JWT to tamper with its claims or inject additional data. For example, an attacker might modify the user ID claim to impersonate another user. There are other types of JWT attacks as well, such as brute force.
This app uses:
