Rename DB password to password_hash
Check npx npm-check-updates
- https://github.com/raineorshine/npm-check-updates
- Change email
- Change password
- Delete account
- Send welcome email after registering, alert email after login etc
- Verify email after registering
- Forgot/recover/reset password
- https://medium.com/@SigniorGratiano/express-authentication-and-security-dac99e6b33c
- https://github.com/platzi/curso-nodejs-auth/blob/13-step/services/auth.service.js#L37-L54
- https://www.simplecode.io/blog/create-a-rest-api-part-7-forgot-reset-password-routes/
- Adds CSRF token at the view new-password.ejs https://github.com/PacktPublishing/Node.js-The-Complete-Guide/tree/main/S17 - https://www.packtpub.com/product/node-js-the-complete-guide/9781838826864
- Reset password token saved to database: https://github.com/PacktPublishing/Node.js-API-Masterclass-with-Express-and-MongoDB/blob/3129725fa9582011f1e9db3b94e1dda2aafa9f0f/models/User.js#L62 - https://www.packtpub.com/product/node-js-api-masterclass-with-express-and-mongodb/9781800569638
- If the email is not verified, restrict what the user can do (e.g. do not allow publishing recipes)
- Can be easily done with a middleware that runs after AuthMiddleware.requireLoggedUser, checking email_verified
- We have to show a pop-up to the user after registering, see:
- https://ux.stackexchange.com/questions/109958/best-way-to-handle-new-user-registration-when-email-verification-is-required
- https://ux.stackexchange.com/questions/29145/limiting-access-before-email-address-is-confirmed
- https://ux.stackexchange.com/questions/12367/when-to-explain-email-verification-process-to-the-user
- When the user changes the email, verify it before overriding the old one. We'll need to store the 2 emails (old and new) temporarily
- Changing an e-mail sends a verification mail to the user's mailbox, and only after verification - the new email overwrites the old one. source
- What is the suggested best practice for changing a user's email address? - https://security.stackexchange.com/questions/234060/what-is-the-suggested-best-practice-for-changing-a-users-email-address
- After changing the email, send an informative email to the previous address explaining that the account's email has been changed
- https://www.drupal.org/project/drupal/issues/85494 See point 2: "Sends a notification E-mail to the old address"
- Similarly, after changing the password, also send an alert email?
- Replace JWT with opaque token or session id saved in cookie + session store (Redis/Postgres)
- React Cookies: https://www.npmjs.com/package/react-cookie
- Client-side caching in Redis: https://redis.io/docs/manual/client-side-caching
- Authentication: https://redis.io/docs/manual/patterns/twitter-clone/#authentication
- JWT blacklist: https://github.com/goldbergyoni/nodebestpractices/blob/master/sections/security/expirejwt.md
- https://fusionauth.io/learn/expert-advice/authentication/spa/oauth-authorization-code-grant-jwts-refresh-tokens-cookies
- Compatible Session Stores: https://github.com/expressjs/session#compatible-session-stores
- JWT vs. Opaque Tokens - https://news.ycombinator.com/item?id=33018135
- https://github.com/PacktPublishing/Node.js-The-Complete-Guide/tree/main/S14 - https://www.packtpub.com/product/node-js-the-complete-guide/9781838826864
- JWT saved in cookie
- https://medium.com/@SigniorGratiano/express-authentication-and-security-dac99e6b33c
- https://github.com/kriasoft/node-starter-kit/blob/main/auth/session.ts
- https://github.com/PacktPublishing/Node.js-API-Masterclass-with-Express-and-MongoDB/blob/master/controllers/auth.js - https://www.packtpub.com/product/node-js-api-masterclass-with-express-and-mongodb/9781800569638
- https://www.pluralsight.com/courses/securing-javascript-rest-api-json-web-tokens
- Refresh token on cookie
- https://dev.to/cotter/localstorage-vs-cookies-all-you-need-to-know-about-storing-jwt-tokens-securely-in-the-front-end-15id
- https://mannharleen.github.io/2020-04-10-handling-jwt-securely-part-2/
- https://medium.com/@brakdemir/jwt-authentication-with-csrf-prevention-on-node-js-express-b805504c2829 Code: https://github.com/kbrk/express_csrf_jwt_study
- On logout, expire session at the server. Requires having a session store and adding a new route /logout
- If the session expires, do a logout on the client?
- Changing the password or resetting the password should invalidate all existing sessions of that user? See https://medium.com/@SigniorGratiano/express-authentication-and-security-dac99e6b33c as an example
- Once we have a session store, at the Settings page, show a list of the active sessions like in https://github.com/settings/security
- Pictures
- Upload recipe pictures
- User avatar picture
- https://github.com/PacktPublishing/The-Complete-Node.js-Developer-Course-3rd-Edition-/tree/master/14.%20File%20Uploads%20(Task%20App) - https://www.packtpub.com/product/the-complete-node-js-developer-course/9781789955071
- https://www.pluralsight.com/courses/uploading-files-javascript-rest-api
- https://www.pluralsight.com/courses/managing-files-node-js
- S3
- https://betterprogramming.pub/how-to-upload-files-to-amazon-s3-from-nextjs-app-b7ef1909976b
- https://medium.com/@teogoulois/image-uploader-with-nextjs-typescript-and-aws-s3-211b38a0af10
- https://create-react-app.dev/docs/deployment#s3-and-cloudfront
- https://wolovim.medium.com/deploying-create-react-app-to-s3-or-cloudfront-48dae4ce0af
- https://medium.com/dailyjs/a-guide-to-deploying-your-react-app-with-aws-s3-including-https-a-custom-domain-a-cdn-and-58245251f081
- Chapter 7 - https://www.amazon.com/Hands-Full-Stack-Development-GraphQL-React/dp/1789134528/ - https://www.packtpub.com/product/full-stack-web-development-with-graphql-and-react/9781801077880
- User, add fields:
- Bio - see https://github.com/AlbertVilaCalvo
- Link to Instagram - see https://github.com/AlbertVilaCalvo
- Recipe, add fields:
- Season
- Description or steps
- Ingredients
- Like recipes from other users
- Comment to recipes
- Data validation (using zod). Possible options:
- Add created at & updated at Recipe and User table
- XSS
- HelmetJS
- Paginate GET /recipe
- https://stackoverflow.com/questions/776448/pagination-in-a-rest-web-application
- https://github.dev/hagopj13/node-express-boilerplate/blob/master/src/models/plugins/paginate.plugin.js
- https://github.com/PacktPublishing/The-Complete-Node.js-Developer-Course-3rd-Edition-/tree/master/13.%20Sorting%2C%20Pagination%2C%20and%20Filtering%20(Task%20App) - https://www.packtpub.com/product/the-complete-node-js-developer-course/9781789955071
- Re-usable data validation middleware, instead of putting repetitive code at each RequestHandler
- https://github.com/hagopj13/node-express-boilerplate/blob/master/src/middlewares/validate.js
- https://github.com/goldbergyoni/nodebestpractices/blob/master/sections/security/validation.md
- https://github.com/platzi/curso-nodejs-postgres/blob/main/middlewares/validator.handler.js (uses joi)
- Swagger:
- https://github.com/danielkhan/todolist-backend/blob/master/utils/swagger.js
- https://github.com/hagopj13/node-express-boilerplate/blob/master/src/routes/v1/auth.route.js - Search for swagger
- https://blog.logrocket.com/documenting-your-express-api-with-swagger/
- https://www.manning.com/books/designing-apis-with-swagger-and-openapi
- Full text search of recipes
- Use PostgreSQL's full-text search functionality to perform natural-language searches of your data. https://lets-go-further.alexedwards.net/
- Rate limit:
- Database migrations
- GitHub action to run backend tests on push
- Curso de Node.js: Autenticación, Microservicios y Redis - https://platzi.com/cursos/nodejs-microservicios - https://github.com/CodingCarlos/proyecto-backend-node-platzi
- https://github.com/guardian/gateway/search?q=redis
- https://github.com/lesterfernandez/react-live-messenger/search?q=redisClient
- https://www.packtpub.com/product/node-js-web-development/9781838987572 - https://github.com/PacktPublishing/Node.js-Web-Development-Fifth-Edition
- https://github.com/CodingCarlos/proyecto-backend-node-platzi/blob/master/store/redis.js - https://platzi.com/cursos/nodejs-microservicios/
- Fulltext Search with Redis and Next.js - https://fireship.io/lessons/redis-nextjs/
- https://news.ycombinator.com/item?id=33021424
- We moved from jwt to opaque tokens and it's been fantastic. We also moved from using redis as our token store to using postgres (aurora).
- Add an error boundary
- Footer add my name and link to source code
- Check navigation with keyboard at forms
- Why did you render: https://github.com/welldone-software/why-did-you-render
- Setup requires many extra steps for Create React App :/
- This alternative seems somewhat similar: https://github.com/shuding/tilg
- Introducción al Testing desde Cero con JEST - https://www.youtube.com/watch?v=_DzBez4qMi0&list=PLV8x_i1fqBw0Kn_fBIZTa3wS_VZAqddX7&index=11
- TESTING en REACT ¡Aprende DESDE CERO! Con react-testing-library y Jest- https://www.youtube.com/watch?v=KYjjtRgg_H0&list=PLV8x_i1fqBw0Kn_fBIZTa3wS_VZAqddX7&index=21
- https://github.com/midudev/pokedex-for-ci/tree/main/test
- [ ] GitHub action to run UI tests on push
- Aprende Testing en Cypress como lo hace un Senior en la vida real - https://www.youtube.com/watch?v=HDFNjDKKO6A&list=PLV8x_i1fqBw0Kn_fBIZTa3wS_VZAqddX7&index=22
- https://github.com/AJarombek/saints-xctf-web/tree/master/cypress
- https://www.coursera.org/search?query=cypress&
- [ ] GitHub action to run Cypress tests on push - Important: see https://youtu.be/sIhm4YOMK6Q?t=2246 for how to do it - repo: https://github.com/midudev/pokedex-for-ci/blob/main/.github/workflows/pipeline.yml
Resources:
- https://www.udemy.com/course/react-fullstack-with-nodeexpress-psql-and-aws/ - React, VPC, EC2, PM2
- Amazon EKS cluster using Terraform, ArgoCD - https://www.manning.com/liveproject/deploy-to-Amazon-Web-Services
- Learn Containerization & Server Deployment - https://www.udacity.com/course/server-deployment-and-containerization--cd0157
- https://stackoverflow.com/questions/41250087/how-to-deploy-a-react-nodejs-express-application-to-aws
- Node.js Web Development - Fifth Edition – Docker Swarm AWS EC2 ECR Terraform - https://www.packtpub.com/product/node-js-web-development/9781838987572 - https://github.com/PacktPublishing/Node.js-Web-Development-Fifth-Edition
- Adding HTTP headers to CloudFront responses - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/adding-response-headers.html
- Use https://pentest-tools.com/website-vulnerability-scanning/website-scanner to check the headers
- https://workshops.aws/?tag=EC2
- Deploy a Node.js Web App (uses Elastic Beanstalk) - https://aws.amazon.com/getting-started/hands-on/deploy-nodejs-web-app/
- Deploying a React/Node/MySQL app to Amazon EC2 (2022) - https://towardsdev.com/deploying-a-react-node-mysql-app-to-aws-ec2-2022-1dfc98496acf
- Deploying a Basic Express API on Amazon EC2 - https://betterprogramming.pub/deploying-a-basic-express-api-on-amazon-ec2-eea0b54a825
- https://www.pluralsight.com/courses/aws-managing-ec2-instances
- Deploy NodeJS APP on AWS EC2 Instance - https://www.youtube.com/watch?v=S45jZCvd2M8
- https://cloudacademy.com/lab/create-your-first-amazon-rds-database/
- https://learn.acloud.guru/course/aws-rds/overview
- Migrating from PostgreSQL to Amazon RDS - https://www.amazon.com/Migrating-PostgreSQL-Database-Training-Certification/dp/B09HY8TQH7/ref=sr_1_86?qid=1665666086&s=courseware&sr=1-86
- Migrating from MySQL to Amazon RDS - https://www.amazon.com/Migrating-Amazon-Database-Training-Certification/dp/B09HY1YT5S/ref=sr_1_68?qid=1665665854&s=courseware&sr=1-68
- Deploy with Terraform
- Deploy with CloudFormation
Resources:
- Deploy a Static Website to Amazon S3: https://www.manning.com/liveproject/deploy-a-static-website-to-amazon-s3
- https://frontendmasters.com/courses/aws-v2/ - Creates two S3 buckets
- https://www.edx.org/search?q=s3
- Automate react application deployment on aws, mohamed labouardy https://livevideo.manning.com/module/536_1_1/automate-react-application-deployment-on-aws-mohamed-labouardy/author-talk/automate-react-application-deployment-on-aws?
- https://www.docker.com/blog/how-to-use-the-node-docker-official-image/
- Sample https://github.com/docker/awesome-compose/tree/master/react-express-mysql
- https://cloudonaut.io/rapid-docker-on-aws/
- Docker in Motion - https://www.manning.com/livevideo/docker-in-motion
- https://github.com/platzi/curso-nodejs-auth/blob/13-step/docker-compose.yml
- https://github.com/hagopj13/node-express-boilerplate
- https://mentorcruise.com/blog/how-to-dockerize-a-react-app-and-deploy-it-easily/ - https://github.com/victorgrubio/blog-projects/tree/main/react-nginx-dockerization
- https://github.com/FaztWeb/pern-stack
- https://www.packtpub.com/product/restful-web-api-design-with-node-js-12-video/9781838648770 - https://github.com/PacktPublishing/RESTful-Web-API-Design-with-Node.js-12 - https://github.com/PacktPublishing/RESTful-Web-API-Design-with-Node.js-12-contact-api
- https://www.linkedin.com/feed/update/urn:li:activity:6985936585028444160/ - https://blog.gruntwork.io/a-comprehensive-guide-to-terraform-b3d32832baca
- https://developer.hashicorp.com/terraform/tutorials/aws-get-started (new) - https://learn.hashicorp.com/collections/terraform/aws-get-started (old)
- Introduction to Infrastructure as Code with Terraform - https://www.karanpratapsingh.com/blog/introduction-to-iac-terraform
- Terraform Basics: Automate Provisioning of AWS EC2 Instances - https://www.coursera.org/projects/terraform-devops-aws-cloud-iac-ec2
- Terraform for absolute beginners - https://www.coursera.org/projects/terraform-for-absolute-beginners
- https://github.com/AJarombek/global-aws-infrastructure
- https://github.com/AJarombek/jarombek-com-infrastructure
- https://github.com/AJarombek/saints-xctf-infrastructure
- Upload files to S3 with Terraform - https://gmusumeci.medium.com/how-to-upload-files-to-private-or-public-aws-ec2-instances-using-terraform-e62d3c4dd3a6
Test your web service and its DB in your workflow by simply adding some docker-compose to your workflow file. From https://github.com/features/actions
- ESLint GitHub action on push
- Replace AWS IAM User with Role at the workflow web-deploy-cli as recommended at https://github.com/aws-actions/configure-aws-credentials#assuming-a-role
- Change AWS Policy to have less "Action" as seen here: https://www.alexhyett.com/github-actions-deploy-to-s3
- Cache node_modules with actions/cache? We use the actions/setup-node cache now, but we can do more as explained at https://stackoverflow.com/questions/67136614/cache-node-modules-in-github-actions#comment130767778_73800704
- https://stackoverflow.com/questions/67136614/cache-node-modules-in-github-actions
- https://www.jonathan-wilkinson.com/github-actions-cache-everything
- https://www.voorhoede.nl/en/blog/super-fast-npm-install-on-github-actions/
- https://stackoverflow.com/questions/64226272/caching-npm-dependency-with-github-action
- https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows
- https://stackoverflow.com/questions/55110729/how-do-i-cache-steps-in-github-actions
Resources:
- GitHub Actions TUTORIAL Desde Cero - Integración continua (CI/CD) - https://www.youtube.com/watch?v=sIhm4YOMK6Q&list=PLV8x_i1fqBw0Kn_fBIZTa3wS_VZAqddX7&index=57
- Deploy a React App to Amazon S3 using GitHub Actions And Bitbucket Pipelines - https://blog.devgenius.io/deploy-a-react-app-to-amazon-s3-using-github-actions-and-bitbucket-pipelines-74791ae10a7c
- https://frontendmasters.com/courses/aws-v2/ - https://frontendmasters.com/courses/aws-v2/integrate-github-action/
- https://workshops.aws/?tag=EKS
- EKS Immersion Workshop - https://catalog.workshops.aws/eks-immersionday/en-US
- https://www.eksworkshop.com
- EKS Terraform Workshop - https://tf-eks-workshop.workshop.aws/
- Web Application Hosts on EKS Workshop - https://catalog.us-east-1.prod.workshops.aws/workshops/a1101fcc-c7cf-4dd5-98c4-f599a65056d5/en-US
- Deploy a Container Web App on Amazon EKS - https://aws.amazon.com/getting-started/guides/deploy-webapp-eks
- https://www.coursera.org/learn/containerized-applications-on-aws
- Terraform infrastructure for building an EKS cluster. Infrastructure includes a VPC, EKS cluster, and EC2 worker nodes: https://github.com/AJarombek/global-aws-infrastructure/tree/master/eks
- Amazon EKS cluster using Terraform, ArgoCD - https://www.manning.com/liveproject/deploy-to-Amazon-Web-Services
Read PDF 'JWT Handbook' from Auth0