EDU-Camp API Specifications

EDU-Camp is the project where user can Create, Read, Update and delete Bootcamps, Courses, Reviews. User can get exact location and coords from single address field from geocoder. Frontend will be future project. All of the functionality below needs to be fully implmented in this project.

Bootcamps

• List all bootcamps in the database
  • Pagination
  • Select specific fields in result
  • Limit number of results
  • Filter by fields
• Search bootcamps by radius from zipcode
  • Use a geocoder to get exact location and coords from a single address field
• Get single bootcamp
• Create new bootcamp
  • Authenticated users only
  • Must have the role "publisher" or "admin"
  • Only one bootcamp per publisher (admins can create more)
  • Field validation via Mongoose
• Upload a photo for bootcamp
  • Owner only
  • Photo will be uploaded to local filesystem
• Update bootcamps
  • Owner only
  • Validation on update
• Delete Bootcamp
  • Owner only
• Calculate the average cost of all courses for a bootcamp
• Calculate the average rating from the reviews for a bootcamp

Courses

• List all courses for bootcamp
• List all courses in general
  • Pagination, filtering, etc
• Get single course
• Create new course
  • Authenticated users only
  • Must have the role "publisher" or "admin"
  • Only the owner or an admin can create a course for a bootcamp
  • Publishers can create multiple courses
• Update course
  • Owner only
• Delete course
  • Owner only

Reviews

• List all reviews for a bootcamp
• List all reviews in general
  • Pagination, filtering, etc
• Get a single review
• Create a review
  • Authenticated users only
  • Must have the role "user" or "admin" (no publishers)
• Update review
  • Owner only
• Delete review
  • Owner only

Users & Authentication

• Authentication will be ton using JWT/cookies
  • JWT and cookie should expire in 30 days
• User registration
  • Register as a "user" or "publisher"
  • Once registered, a token will be sent along with a cookie (token = xxx)
  • Passwords must be hashed
• User login
  • User can login with email and password
  • Plain text password will compare with stored hashed password
  • Once logged in, a token will be sent along with a cookie (token = xxx)
• User logout
  • Cookie will be sent to set token = none
• Get user
  • Route to get the currently logged in user (via token)
• Password reset (lost password)
  • User can request to reset password
  • A hashed token will be emailed to the users registered email address
  • A put request can be made to the generated url to reset password
  • The token will expire after 10 minutes
• Update user info
  • Authenticated user only
  • Separate route to update password
• User CRUD
  • Admin only
• Users can only be made admin by updating the database field manually

Security

• Encrypt passwords and reset tokens
• Prevent cross site scripting - XSS
• Prevent NoSQL injections
• Add a rate limit for requests of 100 requests per 10 minutes
• Protect against http param polution
• Add headers for security (helmet)
• Use cors to make API public (for now)

Code Related Suggestions

• NPM scripts for dev and production env
• Config file for important constants
• Use controller methods with documented descriptions/routes
• Error handling middleware
• Authentication middleware for protecting routes and setting user roles
• Validation using Mongoose and no external libraries
• Use async/await (create middleware to clean up controller methods)