# RESTful Constraints

![image.png](attachment:image.png)

# CORS

![image.png](attachment:image.png)

Sure, let's go through an example of how Cross-Origin Resource Sharing (CORS) works using a practical scenario.

Suppose you have a web application hosted at `https://app.example.com`, and it wants to fetch data from an API hosted at `https://api.example.com`.

1. **Request Initiation**:
   - The web application at `https://app.example.com` wants to fetch data from the API at `https://api.example.com`.
   - This involves making an HTTP request, usually using JavaScript's `fetch` or `XMLHttpRequest`.

2. **Origin Check**:
   - The browser checks if the origins match. The origin for the web application is `https://app.example.com`, and the origin for the API is `https://api.example.com`.
   - Since the origins are different, the browser considers it a cross-origin request.

3. **Preflight Request** (Optional):
   - In this example, let's assume the request is a `PUT` request, which is considered a "complex" request.
   - The browser sends a preflight request (HTTP OPTIONS) to the API at `https://api.example.com` to ask for permission.
   - This preflight request includes headers like `Access-Control-Request-Method: PUT` and `Access-Control-Request-Headers: authorization`.
   - The API server examines these headers to decide whether the actual request should be allowed.

4. **Server Response to Preflight**:
   - The API server receives the preflight request and checks its CORS configuration.
   - If the server allows requests from `https://app.example.com` and permits `PUT` requests with the `authorization` header, it responds with appropriate CORS headers:
     - `Access-Control-Allow-Origin: https://app.example.com`
     - `Access-Control-Allow-Methods: PUT`
     - `Access-Control-Allow-Headers: authorization`

5. **Browser Evaluation**:
   - The browser evaluates the preflight response headers.
   - If the headers match the CORS configuration and indicate that the request is allowed, the browser proceeds.

6. **Actual Request**:
   - With the preflight request approved, the browser sends the actual `PUT` request to the API at `https://api.example.com`.
   - The request includes headers like `Origin: https://app.example.com` and `Authorization: Bearer <token>`.

7. **Server Response to Actual Request**:
   - The API server receives the actual `PUT` request and processes it.
   - It generates the response, which includes the requested data.

8. **Server Response Headers**:
   - The API server responds with headers that specify which origins are allowed to access the response:
     - `Access-Control-Allow-Origin: https://app.example.com`

9. **Browser Evaluation (Response)**:
   - The browser evaluates the response headers.
   - If the headers match the CORS configuration and indicate that the response can be accessed by `https://app.example.com`, the browser allows the web application to access the response data.

10. **Web Application Interaction**:
    - The web application at `https://app.example.com` can now access and process the data received from the API at `https://api.example.com`.

In this example, the CORS mechanism involves the browser and the server communicating through CORS-specific headers to determine whether cross-origin requests should be allowed. The browser enforces these rules to maintain security while enabling legitimate cross-origin interactions.

the client (web application) sends an OPTIONS request to check if a GET/POST/.. request with the authorization header is allowed from https://app.example.net to the /api/data resource on the server. The server responds by indicating that the requested combination is allowed.

Read about CORS

MongoDB as DATABASE <br>
Mongoose - to work with that database

Credentials
- av24aman
- MongoDB-2023

the `body-parser` middleware is not designed for handling file uploads. It's specifically designed to parse and extract data from the body of HTTP requests, primarily focusing on parsing data like JSON, URL-encoded forms, and other text-based data. 

For handling file uploads in a Node.js application, you should use a middleware like `multer` which is specifically designed to handle `multipart/form-data` requests, the content type used for sending file uploads.


![image.png](attachment:image.png)

![image.png](attachment:image.png)

Authentication: JWTs can be used as tokens to authenticate users. After a user logs in, the server generates a JWT that contains the user's identity and any relevant claims (such as roles or permissions). This JWT is then sent to the client, which includes it in the headers of subsequent requests to the server. The server can verify the authenticity and validity of the token to grant access to protected resources.

Authorization: Along with authentication, JWTs can also include authorization information. This means that the token can carry details about what a user is allowed to access or do within an application.

# JWT

A JSON Web Token (JWT) is a compact and self-contained way to represent information as a JSON object between two parties. It's often used for securely transmitting information between a client and a server, or between different services in a distributed system. JWTs are particularly popular for authentication and authorization purposes in web applications.

The structure of a JWT consists of three parts, each encoded as Base64Url strings and concatenated with periods (`.`):

```
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
```

Here's what each part of the JWT contains:

1. **Header:**

   The header typically consists of two parts:
   - **alg (Algorithm):** This specifies the algorithm used to sign the token. Common algorithms include "HS256" (HMAC SHA-256), "RS256" (RSA SHA-256), and "ES256" (ECDSA SHA-256).
   - **typ (Type):** This is set to "JWT" to indicate that the token is a JSON Web Token.

   An example header in JSON format:
   ```json
   {
     "alg": "HS256",
     "typ": "JWT"
   }
   ```

2. **Payload (Claims):**

   The payload contains the claims, which are statements about an entity (usually the user) and additional metadata. Claims can be divided into three categories:
   - **Registered Claims:** These are predefined claims recommended by the JWT specification. They include standard claims like "iss" (issuer), "exp" (expiration time), "sub" (subject), "aud" (audience), and others.
   - **Public Claims:** These are custom claims that you define yourself to include additional information about the user or application.
   - **Private Claims:** These are custom claims that are agreed upon between parties, typically for sharing information in a private and secure manner.

   An example payload in JSON format:
   ```json
   {
     "sub": "1234567890",
     "name": "John Doe",
     "iat": 1516239022
   }
   ```

3. **Signature:**

   To create the signature part, the encoded header and encoded payload are concatenated, and a secret or private key is used to sign the result. The signature is used to verify the integrity and authenticity of the token. The exact process for generating the signature depends on the algorithm specified in the header.

   The signature is added as the third part of the JWT:
   ```
   HMACSHA256(
     base64UrlEncode(header) + "." +
     base64UrlEncode(payload),
     secret
   )
   ```

JWTs are often used in stateless authentication systems, where the server doesn't need to store session data. Instead, the server can verify the token's signature and extract necessary information from it. However, it's crucial to keep the secret key secure, as compromising the key could lead to unauthorized access.

Overall, JWTs provide a standardized and flexible way to securely exchange information between parties in a distributed environment.

Tokens are often used in web applications to authenticate and authorize users. These tokens are typically used to maintain a session or provide access to certain resources. When it comes to API authentication, tokens can be placed in both the headers and the body of an HTTP request, depending on the security requirements and design choices of the application. Let's explore both options:

**1. Placing Tokens in Headers:**
Putting tokens in the headers of an HTTP request is a common approach for API authentication. The most commonly used header for this purpose is the "Authorization" header. Tokens placed in headers are usually referred to as "Bearer tokens." This method offers several advantages:

- **Security:** The header is less likely to be accidentally logged or exposed in places like web server logs.
- **Standardization:** The "Authorization" header is a well-known standard in HTTP, making it easy to implement and understand.
- **Separation of Concerns:** Authentication information is separated from the request payload, enhancing clarity.

Here's an example of how a Bearer token is included in the header of an HTTP request:

```
GET /api/resource HTTP/1.1
Host: example.com
Authorization: Bearer <token>
```

**2. Placing Tokens in the Body:**
Tokens can also be included in the body of the HTTP request, especially for scenarios where the API requires the token as part of the request payload. This is less common compared to using headers, but it might be useful in certain situations. For instance, if you're designing an API where the token needs to be encrypted along with other data, placing it in the request body might be more appropriate.

Here's an example of how a token might be included in the body of a request:

```
POST /api/resource HTTP/1.1
Host: example.com
Content-Type: application/json

{
  "token": "<token>",
  "data": { ... }
}
```

In summary, the choice of whether to place tokens in headers or the body depends on factors such as security considerations, design patterns, and the specific requirements of the application. Placing tokens in headers is more common due to its security benefits and standardization, but there can be cases where placing tokens in the body is appropriate, such as when encryption or specific payload handling is needed.