Back-end repository / web service for my blog sharing social media website using NodeJS/Express, MongoDB & Mongoose / Fly.io
Link to deployed site: https://blog-list-app-backend.fly.dev
- Express back-end for a blog sharing mini social media site. The project follows best practices regarding folder structure and uses
REST-ful
API standards for serving data.
- Integration testing was implemented using
JEST
and theSupertest
package. - Tests can be found in
/tests/blog.test.js
alongside the helper test functions which allow us to test our application in almost any way we want. - Basic API testing was also done using
Postman
- Linting was setup using
ESlint
- Contains all of our relevant routes and resources
- Contains the shape and full validation of our Mongoose objects ( User and Blog )
- Contains a lot of our logic and utility functions/middlewares.
config.js
sets up all of our enviroment variables, ports, and secrets from our.env
filelogger.js
contains a more concise way of displaying informational or error messages throughout our app.rateLimitMiddleware.js
contains a rate limiter for our app using theexpress-rate-limit
package. Currently it is setup as a global route limiter, ensuring our application can't be infinitely spammed/brute-forced with requests.
middleware.js
contains most of our important middlewares, such as arequestLogger
which displays basic information for every incoming request.getTokenFrom
which is a function used to resolve token in requestsuserExtractorMiddleware
which runs on our protected / authenticated routes, and finds out whichUser
is making the request.unknownEndpoint
which handles unknown endpoint requests.errorHandler
which is the first error-handler in our app, handles our potential errors by theerror.name
property
- handles the biggest part of our app logic, establishes a connection to our database, and handles middleware ordering.
- Starts the express application using
app.listen
, and listens for requests on our designatedPORT
-
When a user is creating an account, a strong minimum 15 character password with atleast: 1 capital letter, 1 number and 1 special character is enforced.
-
All of our inputs/forms are sanitized/validated both on the front-end repository, and this one, using
mongoose
and themongoose-unique-validator
package -
Passwords are hashed and salted/encrypted using the
bycrypt
package. -
When a user attempts to log in, we first make sure the password is correct using
bcrypt.compare
function. If the credentials are good, the user will receive back a JSON web token which has a 1 hour expiry date, and contains his username and id. The front-end will then be able to work with the authenticated user and his information. -
Each token is signed/checked against our secret variable.
-
When working with JSON web tokens XSS attacks(cross-site-scripting, malicious script injections) are always a cause for concern. In order to best secure my application and prevent those attacks, our app uses the 'helmet` package which is recommended by Express to mitigate some well-known web vulnerabilities by setting HTTP headers appropriately, including cross-site scripting attacks.