Read these instructions carefully. Understand exactly what is expected before starting this Sprint Challenge.
This challenge allows you to practice the concepts and techniques learned over the past sprint and apply them in a concrete project. This sprint explored Authentication and Testing. During this sprint, you studied authentication, JSON web tokens, unit testing, and backend testing. In your challenge this week, you will demonstrate your mastery of these skills by creating a dad jokes app.
This is an individual assessment. All work must be your own. All projects will be submitted to Codegrade for automated review. You will also be given feedback by code reviewers on Monday following the challenge submission. For more information on the review process click here.
You are not allowed to collaborate during the sprint challenge.
- Run
npm install
to install your dependencies. - Build your database executing
npm run migrate
. - Run tests locally executing
npm test
.
Dad jokes are all the rage these days! In this challenge, you will build a real wise-guy application.
Users must be able to call the [POST] /api/auth/register
endpoint to create a new account, and the [POST] /api/auth/login
endpoint to get a token.
We also need to make sure nobody without the token can call [GET] /api/jokes
and gain access to our dad jokes.
We will hash the user's password using bcryptjs
, and use JSON Web Tokens and the jsonwebtoken
library.
Your finished project must include all of the following requirements (further instructions are found inside each file):
- An authentication workflow with functionality for account creation and login, implemented inside
api/auth/auth-router.js
. - Middleware used to restrict access to resources from non-authenticated requests, implemented inside
api/middleware/restricted.js
. - A minimum of 2 tests per API endpoint, written inside
api/server.test.js
.
IMPORTANT Notes:
- Do not exceed 2^8 rounds of hashing with
bcryptjs
. - If you use environment variables make sure to provide fallbacks in the code (e.g.
process.env.SECRET || "shh"
). - You are welcome to create additional files but do not move or rename existing files or folders.
- Do not alter your
package.json
file except to install extra libraries. Do not update existing packages. - The database already has the
users
table, but if you run into issues, the migration is available. - In your solution, it is essential that you follow best practices and produce clean and professional results.
- Schedule time to review, refine, and assess your work and perform basic professional polishing.
- Submit via Codegrade by pushing commits to your
main
branch on Github. - Check Codegrade before the deadline to compare its results against your local tests.
- Check Codegrade on the days following the Sprint Challenge for reviewer feedback.
- New commits will be evaluated by Codegrade if pushed before the sprint challenge deadline.
Be prepared to demonstrate your understanding of this week's concepts by answering questions on the following topics.
- Differences between using sessions or JSON Web Tokens for authentication.
Authentication with sessions: The server creates a session for the user after the user logs in. The session id is then stored on a cookie on the user’s browser. While the user stays logged in, the cookie would be sent along with every subsequent request. The server can then compare the session id stored on the cookie against the session information stored in the memory to verify user’s identity and sends response with the corresponding state.
Authentication with token (JWT)
The server creates JWT with a secret and sends the JWT to the client. The client stores the JWT (usually in local storage) and includes JWT in the header with every request. The server would then validate the JWT with every request from the client and sends response.
The biggest difference here is that the user's state is not stored on the server, as the state is stored inside the token on the client side instead.
- What does
bcryptjs
do to help us store passwords in a secure manner?
The bcrypt hashing function allows us to build a password security platform that scales with computation power and always hashes every password with a salt.
- How are unit tests different from integration and end-to-end testing?
Unit Testing - Test the smaller units at a software in isolation. Great for testing functions or methods.
Integration Testing - Several units of a software are tested as a group to ensure they work together. Great for testing endpoints because they test how different parts work together. (supertest)
End-to-end - Where the whole application is tested simulating real user scenarios closely. (slower and more expensive)
- How does Test Driven Development change the way we write applications and tests?
TDD makes the code more assertive, you focus on the requirements and code what is needed than better and drier code comes.