Last active
July 20, 2025 19:06
Revisions
bradtraversy revised this gist
Oct 11, 2019 - 1 changed file with 2 additions and 2 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -84,11 +84,11 @@ Create the backend for a bootcamp directory website. The frontend/UI will be cre ## Security - Encrypt passwords and reset tokens - Prevent NoSQL injections - Add headers for security (helmet) - Prevent cross site scripting - XSS - Add a rate limit for requests of 100 requests per 10 minutes - Protect against http param polution - Use cors to make API public (for now) ## Documentation -
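Review bot: this revision only reorders the Security list, so the item "Protect against http param polution" keeps its misspelling ("pollution"); since these lines are already being rewritten, fix it here. The rate-limit item "Add a rate limit for requests of 100 requests per 10 minutes" also still does not say whether the limit is per client or global, or whether the login and password-reset routes get a stricter limit than the public listing routes; state that so the implementer does not apply one blanket limit to everything.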
bradtraversy created this gist
Sep 24, 2019
@@ -0,0 +1,117 @@ # DevCamper Backend API Specifications Create the backend for a bootcamp directory website. The frontend/UI will be created by another team (future course). The html/css template has been created and can be used as a reference for functionality. All of the functionality below needs to be fully implmented in this project. ### Bootcamps - List all bootcamps in the database * Pagination * Select specific fields in result * Limit number of results * Filter by fields - Search bootcamps by radius from zipcode * Use a geocoder to get exact location and coords from a single address field - Get single bootcamp - Create new bootcamp * Authenticated users only * Must have the role "publisher" or "admin" * Only one bootcamp per publisher (admins can create more) * Field validation via Mongoose - Upload a photo for bootcamp * Owner only * Photo will be uploaded to local filesystem - Update bootcamps * Owner only * Validation on update - Delete Bootcamp * Owner only - Calculate the average cost of all courses for a bootcamp - Calculate the average rating from the reviews for a bootcamp ### Courses - List all courses for bootcamp - List all courses in general * Pagination, filtering, etc - Get single course - Create new course * Authenticated users only * Must have the role "publisher" or "admin" * Only the owner or an admin can create a course for a bootcamp * Publishers can create multiple courses - Update course * Owner only - Delete course * Owner only ### Reviews - List all reviews for a bootcamp - List all reviews in general * Pagination, filtering, etc - Get a single review - Create a review * Authenticated users only * Must have the role "user" or "admin" (no publishers) - Update review * Owner only - Delete review * Owner only ### Users & Authentication - Authentication will be ton using JWT/cookies * JWT and cookie should expire in 30 days - User registration * Register as a "user" or "publisher" * Once registered, a token will be sent along with a 
cookie (token = xxx) * Passwords must be hashed - User login * User can login with email and password * Plain text password will compare with stored hashed password * Once logged in, a token will be sent along with a cookie (token = xxx) - User logout * Cookie will be sent to set token = none - Get user * Route to get the currently logged in user (via token) - Password reset (lost password) * User can request to reset password * A hashed token will be emailed to the users registered email address * A put request can be made to the generated url to reset password * The token will expire after 10 minutes - Update user info * Authenticated user only * Separate route to update password - User CRUD * Admin only - Users can only be made admin by updating the database field manually ## Security - Encrypt passwords and reset tokens - Prevent cross site scripting - XSS - Prevent NoSQL injections - Add a rate limit for requests of 100 requests per 10 minutes - Protect against http param polution - Add headers for security (helmet) - Use cors to make API public (for now) ## Documentation - Use Postman to create documentation - Use docgen to create HTML files from Postman - Add html files as the / route for the api ## Deployment (Digital Ocean) - Push to Github - Create a droplet - https://m.do.co/c/5424d440c63a - Clone repo on to server - Use PM2 process manager - Enable firewall (ufw) and open needed ports - Create an NGINX reverse proxy for port 80 - Connect a domain name - Install an SSL using Let's Encrypt ## Code Related Suggestions - NPM scripts for dev and production env - Config file for important constants - Use controller methods with documented descriptions/routes - Error handling middleware - Authentication middleware for protecting routes and setting user roles - Validation using Mongoose and no external libraries - Use async/await (create middleware to clean up controller methods) - Create a database seeder to import and destroy data
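Review bot: the password-reset item "A hashed token will be emailed to the users registered email address" has the two values the wrong way round: the email should carry the raw, unhashed token and only its hash should be stored, otherwise whatever sits in the database is exactly what the reset link needs, and a read of that field is enough to reset any account. Reword to "A random token will be emailed to the user; only its hash is stored, with a 10 minute expiry". Two smaller points in the same hunk: "Authentication will be ton using JWT/cookies" should read "done", and the logout item "Cookie will be sent to set token = none" should also expire the cookie immediately, since a 30 day cookie that merely holds the string "none" is not the same as a cleared one. Spelling: "implmented", "polution".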