Welcome to the Best Authentication Challenge ever existed.
This challenge's goal is to learn and practice building a User Authentication and Authorization System in your project.
In order to pass this challenge successfully you should follow all of the requirements detailed below.
- It is recommended to review the resources bellow before starting the challenge.
- Install Node.js (if you haven't already).
- Install a code editor of your choice (recommended: Visual Studio Code).
- Fork this Github repository to your computer.
- Run
npm install
on your terminal, both in the main directory and client folder. - Please notice that most of the tests can only be resolved whene the /users/register and /users/login APIs will work properly.
After these steps, you are good to go. Good Luck!
express
- Server framework.jsonwebtoken
- For user validation.bcrypt
- For password hashing and comparing.morgan
- For easy request/response logging.nodemon
- Auto restarts server onSave.jest
- Tests library.supertest
- Backend test addition.
- HTTP Status Codes - Rest API Tutorials, MDN
jwt
- https://jwt.io/introduction/.jwt
- https://www.youtube.com/watch?v=mbsmsi7l3r4&list=PLZlA0Gpn_vH9yI1hwDVzWqu5sAfajcsBQ&index=3.jwt
- https://www.youtube.com/watch?v=7Q17ubqLfaM.jwt
- https://www.youtube.com/watch?v=2jqok-WgelI&t=472s.jwt
- https://www.youtube.com/watch?v=Ud5xKCYQTjM.bcrypt
- https://www.youtube.com/watch?v=O6cmuiTBZVs.bcrypt
- https://www.youtube.com/watch?v=rYdhfm4m7yg.options method
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS.express
- https://medium.com/@onejohi/building-a-simple-rest-api-with-nodejs-and-express-da6273ed7ca9.nodemon
- https://www.youtube.com/watch?v=kV6MJ9W4whM.morgan
- https://www.youtube.com/watch?v=IdsdQuC13P0.
- Do Not try to change dependencies in
package.json
/package.json.lock
, the initial libraries are the only libraries allowed to use in order to pass the challenge successfully, it will be Tested.
- Server must contain the following variables:
const USERS = [...{email, name, password, isAdmin}...],
const INFORMATION = [...{email, info}...]
const REFRESHTOKENS = []
- Passwords cannot be stored as plain-text - only as hash+salt(10!)
- USERS array on server must have an admin user with the props mentioned bellow:
{ email: "[email protected]", name: "admin", password: "**hashed password**", isAdmin: true }.
admin's password must be Rc123456!
.
-
Server must work with content/type: application/JSON
-
Access tokens should expire after 10 seconds.
-
Server must have an unknown endpoint handler (status 404 "unknown endpoint").
-
REST-Full API requirements:
-
POST
path:"/users/register"
, description: sign up to the server.- request template:
body: {email, user, password}
- server responses: status 201 "Register Success" | status 409 "user already exists".
- When a user registers, the INFORMATION variable is updated with new info {email: ${email}, info: "${name} info"}
-
POST
path:"/users/login"
, description: Login.- request template:
body: {email ,password}
- server responses: status 200, body {accessToken, refreshToken , email, name, isAdmin} | status 404 "cannot find user" | status 403 "User or Password incorrect".
-
POST
path:"/users/tokenValidate"
, description: Access Token Validation, Required:- request template
header: {Authorization: "Bearer -access token-"}
- server responses: status 200, body: {valid:
true
} | status 401 "Access Token Required" | status 403 "Invalid Access Token".
-
GET
path:"/api/v1/information"
, description: Access user's information, Required: header: {Authorization: "Bearer -access token-"}- request template:
header {Authorization: "Bearer -access token-"}
- server responses: status 200, body: {email, info} | status 401 "Access Token Required" | status 403 "Invalid Access Token".
-
POST
path:"/users/token"
, description: Renew access token,- request template:
body: {token: -refresh token-}.
- server responses: status 200, body: {accessToken} | status 401 "Refresh Token Required" | status 403 "Invalid Refresh Token".
-
POST
path:"/users/logout"
, description: Logout Session.- Request template:
body: {token: -refresh token-"}
- server responses: status 200 "User Logged Out Successfully" | status 400 "Refresh Token Required" | status 400 "Invalid Refresh Token".
-
GET
path:/api/v1/users
, description: Get users DB (admin only),- Request template:
header {Authorization: "Bearer -access token-"}
- Server Responses: status 200, body: {USERS: [...[{email, name, password, isAdmin}]} | status 401 "Access Token Required" | status 403 "Invalid Access Token".
-
OPTIONS
path:"/"
, description: returns an array of all APIs and endpoints. (sends only the available options for the currnet logged user premissions)- Request template:
optional
header {Authorization: "Bearer -access token-"}
- Server Response: status 200, header: {Allow: "OPTIONS, GET, POST"},
body: returns an array of all the server's APIs:
- client with no token gets only register and login APIs.
- client with invalid token can use register, login and refresh token APIs.
- authenticated user can access login, register, refresh token, information and logout APIs.
- admin user can see all the server's APIs (including the get api/v1/users)
- options array:
- Request template:
[ { method: "post", path: "/users/register", description: "Register, Required: email, name, password", example: { body: { email: "[email protected]", name: "user", password: "password" } } }, { method: "post", path: "/users/login", description: "Login, Required: valid email and password", example: { body: { email: "[email protected]", password: "password" } } }, { method: "post", path: "/users/token", description: "Renew access token, Required: valid refresh token", example: { headers: { token: "\*Refresh Token\*" } } }, { method: "post", path: "/users/tokenValidate", description: "Access Token Validation, Required: valid access token", example: { headers: { Authorization: "Bearer \*Access Token\*" } } }, { method: "get", path: "/api/v1/information", description: "Access user's information, Required: valid access token", example: { headers: { Authorization: "Bearer \*Access Token\*" } } }, { method: "post", path: "/users/logout", description: "Logout, Required: access token", example: { body: { token: "\*Refresh Token\*" } } }, { method: "get", path: "api/v1/users", description: "Get users DB, Required: Valid access token of admin user", example: { headers: { authorization: "Bearer \*Access Token\*" } } } ]
-
- Run all tests (tokenExpire.test takes 10s) - CLI command - npm run test.
- Run single test suite - CLI command - npm run test -- SomeTestFileToRun.