In this lab, the basic functions to login and register have been implemented for you. What you need to do in this lab is to guard some of the routes that needs authentication. That is mainly to ensure:
- To post an article, the user needs to be signed in
- The user can't edit or delete an article unless it belongs to them
- Not signed-in users can only read articles, register, and log in
- The signed-in user has the option to sign out
The app will still test for correct implementation of sign in and sign up functions from previous lab.
Additionally, these tests will be run:
In order to persis a user's sign in, you need to use sessions and cookies. This lab will test:
- On login or register, the response have a valid cookie with the name
sidthat contains the session id - The cookie won't have an
Expiresattribute I.E. valid for 1 session only - On login with remember me, the response have a valid cookie with
Expiresattribute for 14 days - Subsequent request will have the user in the session after they login or register
- On registration, the cookie will be valid for 1 session only as well
- On logout, subsequent requests will not be authenticated
💡 TIP: You can use the library
express-session.
💡 TIP: For app secret, you can use
process.env.SECRET_KEYenvironment variable already set up for secure app secret
In order to guard a route, you need to have a middleware that redirects the user to login in case they need to access an authenticated only route like /articles/new. And for owner only routes, you need to check if article's author match current user.
This lab will test:
-
If there is no user in session, i.e. anonymous user:
- A GET request to
/articles/newwill redirect to/user/login - A GET request to
/articles/edit/:idwill redirect to/user/login - a GET request to
/articles/:slugwill correctly render the requested article - a GET request to
/will correctly render the list of all articles - A POST request to
/articles/will result in 403 status code and not create a new article - A PUT, DELETE request to
/articles/:idwill result in 403 status code and not update or delete any article - A GET request to
/user/logoutwill redirect to/ - A GET request to
/user/authenticatedwill redirect to/
- A GET request to
-
If there is a logged in user:
- All the previous requests would be served correctly
- A GET request to
/user/signinwill redirect to/user/authenticated - A GET request to
/user/signupwill redirect to/ - A PUT request to
/articles/:idof another user's article will result in 403 status code and not update article - A PUT request to
/articles/:idof current user's article will update the article and redirect the user to the article's slug/articles/:slug - A DELETE request to
/articles/:idof another user's article will result in 403 status code and not delete article - A DELETE request to
/articles/:idof current user's article will delete the article and redirect the user to home/
This app is bootstraped with docker and docker-compose. It containerize the server, as well as the database. The database comes with predefined data for testing purposes.
run the command yarn && yarn start. This will install all the dependencies and build the docker image
run the command yarn test. Make sure that the server is up and running as well as the database
when you run yarn add PACKAGE the package will be installed in docker as well automatically. However if you run into issues, you need to stop the server first with yarn run stop then you can run yarn run build to rebuild the docker image and start again.
⚠️ WARNING: This is a destructuve command that would delete the containers and all the data inside like database data, and uploads
you can run yarn run prune to shutdown the server and delete all the volumes associated with it. This serves as a start fresh command, that will return your server environment to original. It will not affect your code changes though.