- Basic Authentication, which requires a username and password
- A POST JSON request with the format
  ```
  {
    "input": "[YOUR SENTENCE HERE]"
  }
  ```
- A JSON response with the format
  ```
  {
    "count": [int: NUMBER OF UNIQUE WORDS IN THE SENTENCE],
    "words": {
      "[UNIQUE WORD #1]": [int: NUMBER OF TIMES IT APPEARS IN THE SENTENCE],
      "[UNIQUE WORD #2]": [int: NUMBER OF TIMES IT APPEARS IN THE SENTENCE],
      ...
    }
  }
  ```
- "404 Not Found" by default if any other route is accessed or the wrong HTTP method is used (e.g. GET/PUT)
- "401 Unauthorized" if the Basic Authentication username/password is incorrect or not provided
- "400 Bad Request" if the POST data is not valid JSON
- "200 OK" otherwise
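As an added example (not the project's own code), a minimal Go handler for the route and status codes above. The function names, the constant-time credential check and the 1 MiB body limit are my assumptions; `user` and `pass` stand in for the BASIC_USER / BASIC_PASS environment variables.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"net/http"
	"strings"
	"unicode"
)

// countWords splits input on anything that is not a letter, lower-cases the
// tokens and tallies them. unicode.IsLetter already accepts non-ASCII alphabets
// (French, Greek, Vietnamese), which the notes list as a future goal.
func countWords(input string) map[string]int {
	words := map[string]int{}
	for _, w := range strings.FieldsFunc(input, func(r rune) bool { return !unicode.IsLetter(r) }) {
		words[strings.ToLower(w)]++
	}
	return words
}

// newHandler serves the single POST "/" route with the status codes from the spec.
// user and pass stand in for the BASIC_USER / BASIC_PASS environment variables (assumption).
func newHandler(user, pass string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/" || r.Method != http.MethodPost {
			http.NotFound(w, r) // 404 for any other route or method
			return
		}
		u, p, ok := r.BasicAuth()
		// constant-time comparison so response timing does not reveal how much of the secret matched
		if !ok || subtle.ConstantTimeCompare([]byte(u), []byte(user)) != 1 ||
			subtle.ConstantTimeCompare([]byte(p), []byte(pass)) != 1 {
			w.Header().Set("WWW-Authenticate", `Basic realm="secops-challenge"`)
			http.Error(w, "401 Unauthorized", http.StatusUnauthorized)
			return
		}
		var body struct {
			Input string `json:"input"`
		}
		// MaxBytesReader caps the body at 1 MiB so an oversized request cannot exhaust memory
		if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 1<<20)).Decode(&body); err != nil {
			http.Error(w, "400 Bad Request", http.StatusBadRequest)
			return
		}
		words := countWords(body.Input)
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(map[string]interface{}{"count": len(words), "words": words})
	})
}
```

To serve it, wrap the handler in an `http.Server` and call `ListenAndServeTLS` with the CERT and KEY paths from the Docker command.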
- Install Docker
- Build the image:
  ```sh
  docker build -t secops-challenge-server .
  ```
- Start the container (the CERT and KEY values are paths as seen inside the container):
  ```sh
  docker run -itd --restart unless-stopped --env CERT=[PATH TO CERT FILE] --env KEY=[PATH TO KEY FILE] --env BASIC_USER=[BASIC AUTH USERNAME] --env BASIC_PASS=[BASIC AUTH PASSWORD] -p 0.0.0.0:443:443/tcp secops-challenge-server
  ```
- It would be nice to support alphabets other than English, e.g. the French, Greek or Vietnamese alphabets.
- East Asian scripts might need to be excluded, since deciding what forms a word is more complicated there.
- For a simple API, the standard library is sufficient at this stage.
- It also lowers (but does not eliminate) the risk of vulnerabilities introduced through third-party dependencies.
- For Digest Auth, I could go with either using a Golang package such as "go-http-auth" or use Nginx with Digest auth. However, both of them lack popularity and seem somewhat obscure and could potentially be vulnerable in production.
- Hence my best option for Digest auth would be to implement one myself. However, given that the time limit for this challenge is only one week and I will probably not be able to work on this much during weekdays, using Basic auth for now and migrating the project to Digest auth in the future would be a better option.
- On the other hand, since I'm already using HTTPS, Basic auth would be sufficient. It's also more widely supported compared to Digest auth.
- I wasn't sure if I'm authorized to provide the SSH key of the server to a third party (e.g. Bamboo/CircleCI), as this could be considered insecure. However, that can be done if needed in the future.
- Because it's portable, consistent, clean, and friendly to automation tools.
- Containers can easily be set up to start automatically when the server reboots or crashes.