~akiva/user-profiles-api-demo

Simple MVP demonstration of a vanilla node.js RESTful CRUD API for user profiles
Clone: https://git.sr.ht/~akiva/user-profiles-api-demo

# user-profiles-crud-api

A minimal demonstration of a CRUD API for user profiles

For the sake of minimising the technical scope and time spent on this MVP, various features are not implemented, so this should not be considered anywhere close to production-ready. These are listed below, under the TODO heading.

# Install

After cloning the repository locally, install the project's few dependencies with `npm install`.

# Usage

In your local directory containing the cloned project, run `npm start` as you usually would to start the project with npm directly. Note, however, that the application currently reads an environment variable, `JWT_SECRET`, which it uses as the HMAC secret for signing JSON Web Tokens. You can set this at run time with `JWT_SECRET=somesecret npm start`.

Once running, you may connect to the service in whichever method you prefer. As I prefer using curl, let's use that for the example:

```shell
curl -i -X POST \
  -d '{"username":"foo","name":"Foo McBar","email":"foo@bar.com","password":"Password123!"}' \
  -H "Content-Type: application/json" \
  http://localhost:8000/auth/register
```

Which returns a corresponding JSON response, such as:

```json
{"id":"fZcp8B4l6xYjiJnwfbQNi","username":"foo","email":"foo@bar.com","name":"Foo McBar"}
```

You may now log in through the auth controller to retrieve your JWT:

```shell
curl -i -X POST \
  -d '{"username":"foo","password":"Password123!"}' \
  -H "Content-Type: application/json" \
  http://localhost:8000/auth/login
```

Which returns a corresponding JSON response, such as:

```json
{"username":"foo","email":"foo@bar.com","name":"Foo McBar","accessToken":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6Im4zeW9XU3o2VUNEdlpUN21USFNFayIsImlhdCI6MTY0MDMzNTk5NSwiZXhwIjoxNjQwNDIyMzk1fQ.N6Yks1ZvJxy7qIV_W1xAwCKLDcPrahW7aYeLwA3lJ2o"}
```

This token is set to expire 24 hours after the time it was issued. Using this token, you can now pass the authentication required to view user profiles, as well as update or delete your own profile.

```shell
curl -i \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjJLbk94NHd6bnFZbzFzLW5PSEp5cyIsImlhdCI6MTY0MDMzNjc0MSwiZXhwIjoxNjQwNDIzMTQxfQ.Fj-5n5ABSYFfRxwc_ti7TkvHgmSIO0_PaSrs38e_vlQ" \
  http://localhost:8000/users
```

Returning:

```json
[{"key":"2KnOx4wznqYo1s-nOHJys","value":"{\"username\":\"foo\",\"hashedPassword\":\"$2b$10$QCE2DWZfwiYhzmvdX7BR.OQpfJUhuSGTjzMJV9kt148z/mnzrIcd6\",\"email\":\"foo@bar.com\",\"name\":\"Foo McBar\"}"}]
```

# Endpoints

The API consists of the following endpoints:

  • POST /auth/register(/): register a user
  • POST /auth/login(/): log in with a username and password
  • GET /users(/): * list users
  • POST /users(/): * register a new user (redundant, to be removed)
  • GET /users/<user-id>(/): * view a user profile
  • DELETE /users/<user-id>(/): * delete user profile (only if the profile is your own)
  • PUT /auth/register(/): * update user profile (only if the profile is your own)

* Request requires authentication via JWT.

# Tests

To run the test suite, run `npm t`.

# TODO and other missing features

  • implement unique constraints on user profile data (i.e. username, email)
  • hardening of any sort, such as CSRF, CORS, DDoS prevention, etc.
  • performance enhancement of any sort, such as caching, code minimisation, etc.
  • robust error-handling
  • special header tags
  • a dockerfile for easy containerisation
  • thorough tests including:
    • controller responses, incoming request properties and data types, duplicate records, etc.
    • status codes
    • validate request and response streams and properties in routes files
  • better developer documentation
  • robust jwt implementation
  • configuration of process environment variables
  • code coverage (nyc, for example)
  • jwt token invalidation