Description
Now that we have a CLI Command to turn users into admins, let's create a socket.io Admin room , named admins
which sends them some statistics of the available Jobs.
Only users who have been previously turned into admins must join the admins
room.
One particular important point to consider is the authentication of the requiring user. Sending for example just the user id to during the Web Socket connection (i.e. when calling io.connect()
from the client) is not enough, since the back end has no way to check whether the client user sending the request is really the user corresponding to the received id.
For that reason, when setting up the Web Socket connection, the access token of the authenticated user must also be sent, as a simply query parameter (i.e. http://localhost:3000/random-jobs/?token=mylongandrandomtoken
). The backend then will check the validity of the received token and, provided it belongs to an Admin user, it will let the socket connection to join the admins
room.
Testing
At this point, testing our backend API without a frontend becomes challenging.
We can still use serve to use the simple front end located in the index.html
file of the lesson folder.
However, since in this case the front end will have to perform Cross Origin requests, we need to configure CORS on our server, otherwise the browsers will block our requests, for example the one we use to login.
In order to do so, we just need to use cors in our Express server and configure it to allow the Authorization
header to be exposed.
We also need to allow Options
calls to our server, in order to allow "not simple" requests (e.g. POST request) to be handled.
The code is straightforward:
// index.js
[...]
const cors = require('cors');
[...]
/**
* Use CORS and enable pre-flight accross all routes.
*/
app.use(cors({
allowedHeaders: ['Content-Type', 'Authorization'],
exposedHeaders: ['Content-Type', 'Authorization']
}));
app.options('*', cors({
allowedHeaders: ['Content-Type', 'Authorization'],
exposedHeaders: ['Content-Type', 'Authorization']
}));
[...]
Goals
- Add a private socket.io room for Admin users, used to require the total available jobs
Allowed Npm Packages
axios
: http client used to perform http requestsbcryptjs
: password hasherbody-parser
: Express middleware to parse the body requestscommander
: library to build Node.js CLI commandscors
: CORS configuration for Expressexpress
: web serverjsonwebtoken
: create and verify Json Web Tokensmoment
: date managermongoose
: MongoDB clientnconf
: configuration files managernode-uuid
: library to generate uuidsredis
: Node.js Redis clientsocket.io
: Web Socket management libraryvalidator
: string validation librarywinston
: logger
Requirements
-
The results must be saved in
userdata/data.json
-
The logs must be saved under
storage/logs/nodeJobs.log
-
The Data Logger must reside into
libraries/dataLogger.js
-
The File Logger must reside into
libraries/fileLogger.js
-
The MongoDB configuration variables must reside into
config/secrets.json
, which MUST be gitignored -
A
config/secrets.json.example
file must be provided, with the list of supported keys and example values of theconfig/secrets.json
file -
Configuration values must be loaded by using
nconf
directly at the beginning of theindex.js
-
The Mongoose configuration must reside into a
mongoose.js
file, loaded directly from theindex.js
-
The Mongoose client must be made available in Express under the
mongooseClient
key -
The Users Model must be saved into
models/users.js
and have the following Schema :- username: String, required, unique
- email: String, unique
- password: string, required
- admin: boolean, default: false
-
The Users Model must be made available in Express under the
usersModel
key -
The
/users
routes must be defined in theservices/users/users.router.js
file by using the Express router -
Middlewares used in the
/users
endpoints must reside in theservices/users/middlewares/
folder -
Optionally use only
async
/await
instead of pure Promises in all/services/
files -
User input validation errors must return a
422
Json response with{ hasError: 1/0
,error: <string>
} as response data (payload) -
User passwords must be
bcrypt
hashed before being saved into the database -
JWT management (creation and verification) must be handled in
libraries/jwtManager.js
, which must export a Javascript Class. It must be available in Express under thejwtManager
key -
The Secret Key used to create the tokens must be stored in the
secrets.json
file -
/sessions
routes must be defined inservices/sessions/sessions.router.js
-
/users
API Endpoints must check for authenticated users through the use of aservices/sessions/middlewares/auth.check.js
middleware -
HTTP Status Codes must be coherent: 401 is no authentication is provided, 403 is the token is expired or invalid
-
Communication with Redis server must happen entirely inside
libraries/redis.js
which must export a Javascript Class. It must be available in Express under theredisClient
key -
The
Redis
class constructor must take the Redis password as an argument, which must be saved into theconfig/secrets.json
file. All methods insidelibraries/redis.js
must return a Promise -
The second argument of the
JwtManager
must be the aRedis
instance, in order to perform token invalidation -
The
auth.check.js
middleware must also check if the token has been invalidated -
The token invalidation of the
(DELETE) /sessions
route must happen inside atoken.invalidation.js
middleware -
All the Web Sockets code (i.e. the use of the
socket.io
package) must reside intoservices/randomjobs/randomjobs.js
-
The
/random-jobs
endpoint must periodically emit arandomJob
event with a random job data -
The
/random-jobs
endpoint must listen for ajobRequest
endpoint and alocation
data and emit arandomJob
event with a random job data for the requested location -
All CLI Commands must reside into the
/commands
folder and build withcommander
-
There must be a CLI Command with signature
user-make-admin -u <email>
which turns existing users into admins -
The private socket.io room for Admin users must be named
admins
, which listens foradminStatisticsRequest
events and sendsadminStatistics
events with the number of total available jobs, read from thedata.json
file -
The
admins
room must verify a valid authentication token, before granting access to the private room
Suggestions
- Upon connection, the query parameters received by socket.io are available under
socket.handshake.query
:
io.on('connection', (socket) => {
// query parameters are available under 'socket.handshake.query'
[...]
});
- Joining an
admins
room is as simple as callingsocket.join('admins');