It is not sufficient to protect information on the front-end; you should protect your backend from unauthorised access!
This version implements server-side authentication for two different user roles:
- Normal/ordinary users, who can post comments and then edit (PUT method) or delete their own comments only.
- Admin users, who can delete all comments and can also post, edit or delete dishes, leaders and promotions.
- Note that reading (get method) dishes, comments, leaders and promotions can be done without login.
Login is implemented using a JSON Web Token (JWT).
The passport npm package was used to implement support for user authentication using JWTs.
References include:
- Creating JWTs using jsonwebtoken npm package
- The passport local package to support local username/password credentials as opposed to logging in using Facebook through OAuth.
- The passport npm package that supports JWT authentication
- The passport-local-mongoose package to facilitate implementing password hashing when storing them in the MongoDB database.
- The JWT.io site, for inspecting and decoding a JSON Web Token.
Some principles for information modeling in relational database schema design can be applied for MongoDB databases.
This article could prove useful when designing the MongoDB database schema. The main points are summarized below:
- To model relationships between connected data, you can reference a document using Mongoose populate or embed it in another document as a sub document.
- Referencing a document does not create a "real" relationship between the two documents, as a foreign key does in a relational database.
- Referencing documents is also known as normalization. It is good for data consistency but creates more queries in your system.
- Embedding documents is also known as denormalization. The benefit of this approach is getting all the data you need about a document and its sub document(s) with a single query. Therefore, this approach is very fast. The drawback is that data may not stay as consistent in the database.
Also, Object-Oriented-style inheritance with Mongoose is possible but somewhat complicated. It uses discriminators.
For development environments, it is sufficient to create your own self-signed certificate:
For Linux/UNIX or Mac:
cd bin
openssl genrsa 1024 > private.key
openssl req -new -key private.key -out cert.csr
openssl x509 -req -in cert.csr -signkey private.key -out certificate.pem
For Windows, you should first install OpenSSL and/or see the articles below:
- https://blog.didierstevens.com/2015/03/30/howto-make-your-own-cert-with-openssl-on-windows/
- https://www.faqforge.com/windows/use-openssl-on-windows/
An easy alternative is to use an online generator for self-signed certificates. If you ever want to mimic a certification authority, see https://hohnstaedt.de/xca/
For a production environment, you need a valid certificate issued by a known certification authority.
A free certification authority is https://letsencrypt.org/
Hosting services like Heroku also provide free certificates for your website.
CloudFlare also provides an alternative, as explained here.