Footing - A foundation for developing REST APIs with Express and Node.js.
source link: https://www.tuicool.com/articles/hit/qABnIvU
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Footing is a foundation for developing REST APIs with Express and Node.js. The project is designed in a way to make it easy for developers to build secure REST APIs with minimal setup. Footing provides the ability to define public or private routes with or without CSRF protection.
Routes that are predefined and come with Footing include ones that allow registering users, authenticating users, and deleting users. Routes for testing CSRF and authentication functionality are also included.
Footing's purpose is to enable developers to create REST APIs without needing to implement an authentication system.
Index
What's Included?
Footing includes...
- Environment variables for easy setup (provided by npm package
dotenv
). - An authentication system.
- CSRF protection (provided by npm package
csurf
). - SQL Injection protection ( for predefined routes only ).
- Two designated files for defining public and private routes,
src/routes/api/public.js src/routes/api/private.js
- Integration tests for predefined routes.
The Authentication System
Routes that are private will require a Bearer token in the authentication header of the request. Upon a successful login request, an authentication token will be stored as a cookie, and also returned in the form of a JSON response. The token is in the form of a JWT, and it's secret is a unique ID that is stored in the user's session. The authentication system protects routes by first verifying that the token in the authentication header matches that of the cookie. Secondly, the system verifies the token with the secret that is stored in the user's session.
It's important to note that upon a successful login request, the user's session is regenerated and a new CSRF token will be returned. The CSRF token used to make the login request will no longer be valid.
What's Not Included?
The following list serves to warn users of what is not included. It does not serve as a comprehensive list of what is not included with Footing.
Footing does not include ...
- Email verification for authentication system.
- Password restrictions for authentication system.
- XSS protection (data sanitization) for any input.
- SQL Injection prevention for routes that are defined by the developer.
- Anything else not listed.
Requirements
Requirements for developing REST APIs with Footing include...
- MySQL database.
- MongoDB database.
- Node.js ( >= v8.11.1, it's recommended to be used with v10.15.1)
Disclaimer:Integration tests have been tested for Node.js >= v10.15.1. The project was originally developed using Node.js v8.11.1; however, the integration tests will fail on v8.11.1 due to the version of npm package supertest
that v8.11.1 uses. That specific version of supertest
has an issue making requests and receiving responses that include more than one cookie.
Getting Set Up
- Clone the repository and
cd
into the root of the project directory. - Run
npm install
to install the dependencies. - Duplicate the
.env.dist
file and rename it to.env
- Open the
.env
file and set the values for the environment variables (suggested/default values are included). - Make sure that MySQL and MongoDB servers are running.
- (Optional) Run
npm test
to make sure the project is working correctly. - Run
npm start
to start the server.
Environment Variables
To configure environment variables, duplicate the .env.dist
file and rename it to .env
. Environment variables are predefined with default values. Change them as needed. The variables are used for...
- Defining the port to serve the application on.
- Setting up a connection to a MySQL database.
- Setting up a connection to a MongoDB database.
- Deciding on salt rounds for hashing passwords.
- Deciding on a secret for session data.
Note:The JWT_SECRET
environment variable is not used. It is there because it was previously used, and was not removed in case developers want to change the authentication system. Currently, Footing uses unique id secrets for each individual authentication token (JWT), and not a static secret. In this project, JWT is used to represent an authentication token, and not for all if its functional purposes.
Environment variables included are...
- PORT - Port the application will be served on.
- SQL_HOST - Host for MySQL connection.
- SQL_PORT - Port for MySQL connection. The default is 3306.
- SQL_USER - User for MySQL connection.
- SQL_PASS - Password for MySQL connection.
- SQL_DATABASE - Database name for MySQL database.
- SQL_USERS_TABLE - The name of the table that stores user entities in the MySQL database.
- MONGO_URL - The URL of the MongoDB database used for sessions.
- BCRYPT_SALT_ROUNDS - Salt rounds for Bcrypt to hash passwords.
- JWT_SECRET - Secret for authentication token (not used, see
note
above). - SESSION_SECRET - Secret for Express sessions.
Changing Default Routes
The routes that have already been defined are for...
/signup /login /delete_account /c/tkn /status /test/csrf /test/auth /test/auth_csrf
The routes above are defined in the src/config/routes.js
file. They are implemented in the src/routes/api/identification.js
file.
To change the routes, it is recommended that they are changed in the src/config/routes.js
file and not in the implementation file This is recommended because the integration tests rely on the src/config/routes.js
file to test the correct routes.
Changing the routes in the src/config/routes.js
file will ensure that the integration tests will still work correctly.
Defining New Routes
Footing is designed to allow developers to define public or private routes that include or do not include CSRF protection.
Public routescan be defined in the src/routes/api/public.js
file.
Private routescan be defined in the src/routes/api/private.js
file and use the predefined RequestAuthenticator
middleware.
Unprotected routes(routes that do not include CSRF protection) are used by the router variables routes.unprotected
. Protected routes (routes that include CSRF protection) are used by the router variables routes.protected
.
Example of defining a new PUBLIC route without CSRF protection in the src/routes/api/public.js
file:
routes.unprotected.post('/public_without_CSRF', function(res, req) { return res.status(200).json({"200":"Unathenticated"}); });
Example of defining a new PUBLIC route with CSRF protection in the src/routes/api/public.js
file:
routes.protected.post('/public_with_CSRF', function(res, req) { return res.status(200).json({"200":"Unathenticated"}); });
Example of defining a new PRIVATE route without CSRF protection in the src/routes/api/private.js
file:
routes.unprotected.post('/auth_without_CSRF', RequestAuthethenticator, function(res, req) { return res.status(200).json({"200":"Authenticated"}); });
Example of defining a new PRIVATE route with CSRF protection in the src/routes/api/private.js
file:
routes.protected.post('/auth_with_CSRF', RequestAuthethenticator, function(res, req) { return res.status(200).json({"200":"Authenticated"}); });
Making Requests
Obtaining a CSRF token: GET: http://localhost:port/c/tkn
User Signup:
POST: http://localhost:port/signup { "email": "[email protected]", "password": "password", "confirmPassword": "password", "_csrf": "N2MbkPwA-3cJSavajIlsW_61OPZ_5uoQr6QU" }
User Login:
POST: http://localhost:port/login { "email": "[email protected]", "password": "password", "_csrf": "N2MbkPwA-3cJSavajIlsW_61OPZ_5uoQr6QU" }
Private Route without CSRF protection:
POST: http://localhost:port/test/auth HEADER: Authorization - Bearer {jwtAuthTokenValueHere}
Private Route with CSRF protection:
POST: http://localhost:port/test/auth HEADER: Authorization - Bearer {jwtAuthTokenValueHere} { "_csrf": "N2MbkPwA-3cJSavajIlsW_61OPZ_5uoQr6QU" }
Adding XSS Protection
Due to the amount of npm packages that offer data sanitization, and the lack of regulation/validity that is available for such packages, Footing does not offer XSS protection/data sanitization functions. However, comments are available in suggested locations for sanitizing input data. These comments are located in the src/controllers/signup.js
and src/controllers/login.js
files.
It is recommended to implement a middleware function that sanitizes all input data for all requests.
Developer
Coming soon.
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK