BratinaRok / BlackboardReviewPrototype


Endpoints #1

Open RedJocker opened 1 year ago

RedJocker commented 1 year ago

I'm opening this issue so that we can discuss which endpoint we need on our project and what to expect from each endpoint

RedJocker commented 1 year ago

I can see we both agree that there should be a POST /login/ endpoint that responds with a jwt token and a role. Roles are usually all upper case, so it should be TEACHER and STUDENT. We also both agree that the request for login should contain a unique username and a password. This password should be sent encrypted from the mobile client to the back end. You can see here what I'm thinking for the encryption scheme: https://github.com/RedJocker/BlackboardReviewPrototype/blob/4da3e80268b71498e546fd42d99026dd399a84ca/Blackboard/stage1/src/main/java/org/hyperskill/blackboard/MainActivity.kt#L46-L53.

I was thinking about using bcrypt on this encryption scheme, but after researching more I found out that bcrypt is actually used on the server side for storing passwords in the database. Since our backend is just for testing reasons we don't have to include bcrypt. (The reason it is used on the backend is that it salts the password, so that even if two users have the same password the hash produced by bcrypt will be different, and this protects the passwords in the database against attacks based on the frequency of occurrence of passwords. Another reason is that it is also computationally intensive, which makes brute-force attacks very expensive.)

The jwt token should have the role included in the claims, so that when the server receives a future request with that token it can verify the role of the user from the token and authorize or not the use of the endpoint for that role. I'm not sure about the expiration date; it is usual to have it, but tests that include time can be painful because time emulation in tests has a lot of limitations. You can see here the jwt token that I wrote for the test backend: https://github.com/RedJocker/BlackboardReviewPrototype/blob/4da3e80268b71498e546fd42d99026dd399a84ca/Blackboard/stage1/src/test/java/org/hyperskill/blackboard/internals/backend/model/User.kt#L18-L24

RedJocker commented 1 year ago

summary:

RedJocker commented 1 year ago

I can also see you are planning to have a GET /students/ returning all students. I think it should be renamed to singular, so it should be GET /student/. We know that it should be for all students because there is no path variable or query parameter for a single user. This endpoint should require role-based authorization, and only TEACHER should be able to use it. For this authorization the login jwt token should be included in the header. The token itself should contain the role in the claims, which the backend can verify.

RedJocker commented 1 year ago

summary:

RedJocker commented 1 year ago

I have included username on the response for POST /login, so that it is easier to use username as a path variable when fetching grades. Also I am thinking that /student should be only for students, and for teachers retrieving students should be GET /teacher/student.

I have been doing the student screen and to retrieve grades I'm using GET /student/:username/grade
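As an added illustration of the role-in-claims scheme discussed in this thread (not code from the BlackboardReviewPrototype repository), the following minimal HS256 JWT issuer and verifier shows how a test backend can put the role into the token at POST /login and then gate GET /teacher/student on a verified TEACHER claim. The secret, the endpoint table and the helper names are constructed for the example; a real backend would use a JWT library and load the secret from configuration.

```python
import base64, hashlib, hmac, json

# Constructed secret for illustration only; a real backend loads this from config.
SECRET = b"blackboard-test-backend-secret"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    # JWT strips base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(username, role, secret=SECRET):
    """POST /login side: mint an HS256 JWT whose claims carry the user's role."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"sub": username, "role": role}).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"

def verify_token(token, secret=SECRET):
    """Return the claims only if the signature is valid, else None.
    The role claim is trusted only after this check, so a payload edited
    without the server secret is rejected."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # pin the algorithm; never honour "alg" taken from the token
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(b64url_decode(payload_b64))

# Which roles may call which endpoint; only TEACHER may list all students.
ENDPOINT_ROLES = {("GET", "/teacher/student"): {"TEACHER"}}

def authorize(method, path, authorization_header):
    """Status a handler should answer with, decided before doing any work."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401
    claims = verify_token(authorization_header[len("Bearer "):])
    if claims is None:
        return 401
    allowed = ENDPOINT_ROLES.get((method, path), set())
    return 200 if claims.get("role") in allowed else 403
```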

RedJocker commented 1 year ago

summary: