Build a REST API with ExpressJS with Presentation Layer, Business Logic Layer and Database Layer
Authenticate users and secure access to backend data
Limit user access to resources
- Install existing packages with npm install
- Add the NPM packages mongoose, dotenv and express:
npm install --save mongoose
npm install --save dotenv
npm install --save express
- Put your database credentials and your JSON Web Token secret in a file named .env, like:
MONGO_URI=mongodb://username:password@host:port/database
JWTSECRET=ceciestmonsecretdejwt
API requests according to the different routes (http://localhost:3000)
GET /users --> to get all users
POST /users/register --> send JSON with username and password
POST /users/login --> send username and password; you'll receive a token that gives access to the other routes according to your role level
GET /users/me --> see the user logged in
PUT /users/me --> update current user (send JSON of modification)
DEL /users/me --> delete current user
GET /locations --> to get all locations
POST /locations --> create location (JSON)
GET /locations/:id --> to get one location by id
DEL /locations/:id --> delete one location by id
Once a registration request is received, the password is hashed with bcrypt and a salt, and the user is stored in the database with this hashed password.
Once a login request is received, the backend hashes the submitted password and compares it with the hash stored for the user. If the hashes match, the backend delivers a JSON Web Token (JWT), a proof of authentication containing the user's ID.
In this project, a normal user can only GET locations and manage their own account. The role "admin" is required to get all users or to create, modify or delete locations.
I tried the JWT breach with "alg": "none", but the library is already protecting us from this attack.
Still no HTTPS and no request limit to protect from denial of service.
User input shouldn't be trusted, because of NoSQL injection.