What’s an API?
Application Programming Interface (API) is a piece of software that can be used by another piece of software, in order to allow applications to talk to each other.
What is REST Achitecture?
REpresentational State Transfer is a way of building web API’s in a logical way, making them easy to consume.
- Separate API into logical resources (Resource - Object or representation of something, which has data associated to it. Any information that can be named can be a resource.)
- Expose structured, resource-based URLs (API will have many endpoints, which will perform different actions)
- Use HTTP methods (endpoints should only contain resources, not actions that can be performed on them).
- Send data as JSON (usually)
- Be stateless (all state is handled on the client - That means that the server should not have to remember pervious requests. All the information necessary to process a certain request has to be included in the request.)
What are the meanings for HTML status codes, that we sent when setting up API responses?
- 200 OK - The request has succeeded. The meaning of the success depends on the HTTP method: GET: The resource has been fetched and is transmitted in the message body, PUT or Patch: The resource describing the result of the action is transmitted in the message body.
- 201 Created - The request has succeeded and a new resource has been created as a result. This is typically the response sent after POST requests, or some PUT requests.
- 204 No Content - There is no content to send for this request, but the headers may be useful. The user-agent may update its cached headers for this resource with the new ones. Usually sent as success of DELETE request.
- 401 Unauthorized - Although the HTTP standard specifies “unauthorized”, semantically this response means “unauthenticated”. That is, the client must authenticate itself to get the requested response.
- 403 Forbidden - The client does not have access rights to the content; that is, it is unauthorized, so the server is refusing to give the requested resource. Unlike 401, the client’s identity is known to the server.
- 404 Not Found - The server can not find the requested resource. In the browser, this means the URL is not recognized. In an API, this can also mean that the endpoint is valid but the resource itself does not exist. Servers may also send this response instead of 403 to hide the existence of a resource from an unauthorized client. This response code is probably the most famous one due to its frequent occurrence on the web.
- 500 Server errors responses
What is the difference between application and business logic?
One of the big goals of MVC pattern is to separate business logic from the application logic.
Application logic:
- all the code that is concerned about applications implementation, not the underlying business problem we’re trying to solve.
- managing requests and responses
Business logic:
- code that actually solves the business problem we set to solve
- directly related to business rules, how the business works and business needs.
How can we make a distinction when it comes to error types?
- Operational errors (Problems that we can predict will happen at some point, so we just need to handle them in advance.)
- Invalid path accessed
- Invalid user input (validator from mongoose)
- Failed to connect to server
- Failed to connect to database
- Request timeout
- Programming errors (Bugs that developers introduce into code. Difficult to find and handle)
- Reading properties on undefined
- Passing a number where an object is expected
- Using await without async
- Using req.query instead of req.body
How JSON Web Token (JWT) Authentication works?
JWT are a stateless solution for authentication, there is no need to store any session state on the server.
When a user logs in into the app
1. Users client, through the app makes a post request
POST /login {email, password}
2. The server creates an unique JWT (using a secret string) if user && password match
3. The server sends the JWT back to the client
4. The client will store the JWT either in cookie or in localStorage.
5. The user is authenticated and logged into our application, without leaving any state on the server.
6. Each time the user requests some protected route, the server will check if the JWT is valid, if it is - it will allow access.
In fact, the server does not know which users are logged in into the system.
How is JWT created?
JWT consists of
HEADER
PAYLOAD
and SECRET
The whole process is called signing. Because of the Secret that is stored on the server, ew are ensured that the token is safe from being altered by a 3rd party.
What is the standard of sending a JWT token in http headers?
The standard is to set
Authorization: ‘Bearer JSON_WEB_TOKEN_LONG_STRING’
What are the steps to protect a route by verifying JWT web tokens?
- We should check the Authorization header and if it starts with ‘Bearer’. Then we can get the webtoken.
If there is no token, we should throw an error. - Verify the token use
const decoded = await promisify(jwt.verify)(token, process.env.JWT_SECRET); - Check if user still exists. In case he was deleted between the token was issued and its expiry date.
- Check if the password was changed. If the user changed his password, then the JWT should also be invalid!
What are the known email services that can be used in order to send emails in your production apps?
Sendgrid,
mailgun
What are the security best practices to defend from different type of attacks?
DataBase:
- strongly encrypt password with salt and hash (bcrypt)
- strongly encrypt password reset tokens (SHA256 algorithm available in crypto module)
Brute force attacks:
- implement rate limiting (express-rate-limit)
- implement maximum login attempts
- use bcrypt (to make login requests slow)
CROSS-SITE SCRIPTING (XSS) Attacks (the attacker tries to inject their scripts in our app to run their malicious code)
- Store JWT in HTTPOnly cookie (NEVER store JWT in localStorage) (HTTPOnly cookie makes it that the browser can only receive or send the cookie, but cannot modify the cookie in any way).
- Sanitize user input data ()
- Set special HTTP headers (helmet package)
DENIAL OF SERVICE DOS Attack
- implement rate limiting
- limit body payload (in body parser)
- avoid evil regular expressions
NOSQL QUERY INJECTION
- use mongoose for mongodb (because of schema types)
- sanitize user input data
Other best known security practices and suggestions
- Always use HTTPS
- Create random password reset tokens with expiry dates
- deny acces s to jwt after password change
- dont commit sensitivie config data to git
- dont send error details to clients
- prevennt cross-site request forgery (csurf package)
- require re-authentication before a high-value action
- implement a blacklist of untrusted JWT
- confirm user email address after first creating account
- keep user logge in with refrhsh tokens
- implement two factor authentication
- prevent parameter pollution causing uncaught exceptions.
What is a cookie?
Cookie is a small piece of text that a server can send to clients, when a client receives the cookie, it will automatically store it and automatically send it along with all future requests to that server.
What is data modelling?
Data modelling is a process of taking unstructured data generated by the real world scenario and modelling it into structured model that is put in the database. We do that according to a set of criteria.
Why is it important to include in the mail options, text version of the file along with the HTML?
We want to attach text version of the email into the email, because it’s better for email delivery rates and spam filters.
To do this in express, we need a package called: html-to-text
In the mail options, we should pass:
const mailOptions = {
from: this.from,
to: this.to,
subject,
html,
text: htmlToText.fromString(html)
};
