/babys-first-auth

Putting together my first authorization system using MongoDB Vue and Express. Following along and learning tons with Coding Garden! https://www.youtube.com/watch?v=JNAjjHwPFIw&t=8822s

Primary LanguageVue

Auth for Newbs

Add JWT-based authentication to a Node/Express/Mongo app.

Authentication

  • Create Server
  • Add auth router
  • Create user with POST /auth/signup
    • validate required fields
    • Check if username is unique
    • hash password with bcrypt
    • insert into db
  • Create Landing Page
    • Link to Sign Up Page
  • Create Sign Up Page
    • Form with: username and password
    • When form is submitted
      • Validate username
        • Display errors
      • Validate password
        • Display errors
      • POST request to server
        • Display errors
        • If succesful sign up
          • Redirect to login page
  • Login user with POST /auth/login
    • validate the user
    • check if username in db
      • compare password with hashed password in db
      • Create and sign a JWT
        • Respond with JWT
  • Create Login Page
    • Form with: username and password
    • When form is submitted
      • Validate username
        • Display errors
      • Validate password
        • Display errors
      • POST request to server /auth/login
        • Display errors
        • If succesful login
          • Store the token in localStorage
          • Redirect to the "dashboard"
  • If a logged in user visits the signup or login page, redirect them to the dashboard
  • If a non logged in user visits the dashboard, redirect to the login page
  • After sign up, immediately login
  • Show username on dashboard
  • On homepage, show go to dashboard button instead of signup/login button
  • If logged in:
    • Show logout button in header
    • Show user icon and username in header

Authorization:

  • Visitors can only see the homepage
    • checkTokenSetUser middleware
      • get token from Authorization header
        • if defined ---
          • Verify the token with the token secret
          • Set req.user to be the decoded verified payload
        • else - move along
    • isLoggedIn middleware
      • if req.user is set - move along
      • else - send an unauthorized error message
    • redirect to login form
  • Logged in users can only see their page
  • Create notes form on client
    • Title
    • Description
  • POST /api/v1/notes
    • Must be logged in
    • Logged in Users Can Create Notes
      • Title
      • Description -- markdown
      • Set user_id on server with logged in users id
  • GET /api/v1/notes
    • Must be logged in
    • Logged in Users Can request all their notes
      • Get all notes in DB with logged in users user_id
  • List all notes on client
    • Render description with Markdown

STRETCH

  • Store date of note in DB
    • Sort notes by date created.
  • View user profile
  • Users can mark notes as public
    • Notes show up on profile

Admin Page:

  • Admin page that lists all users
    • admin table with user_id
    • de-activate users
  • Admin can see any page on site
  • Rate limiting
    • Prevent brute force logins
    • Lock out account after too many login attempts
  • Password strength meter!
  • reCaptcha for signup/login
  • Password reset with email
  • Forgot password
    • Reset with email
    • Reset by answering security questions
  • Testing...

To deploy everything to the same heroku instance

  • Move the server package.json to the root of the folder
  • Update start script for server to be a relative path
  • post-deploy script to server that will build Vue.js
  • Add a static serve to the server that serves '../client/dist'
  • Environment variable for DB connection and token secret
  • Update calls in client from localhost:5000 to be your-app.herokuapp.com