GuildCrafts / web-development-js

Craft repository for Web Development with JavaScript
http://jsdev.learnersguild.org/

BasicBank: Secure API #198

Open tannerwelsh opened 7 years ago

tannerwelsh commented 7 years ago

Build an API for a simple bank. Support deposits, withdrawals, and internal transfers between two account holders. Must be secure! You'll have to learn about cryptography, web security, authentication & authorization, and transactional integrity.

nicosesma commented 7 years ago

👍

nicosesma commented 7 years ago

going to start working on this

jlopker commented 7 years ago

@tannerwelsh I discussed this goal idea with Jared and jrob and here are some of our thoughts

  1. learning about transactional integrity doesn't seem like a need-to-know aka the 3 of us know very little about the mechanics of it
  2. it is valuable to learn about implementing authentication/authorization but that doesn't require the premise of a bank-themed app so I'm going to punt on this issue for now unless you feel strongly about it

tannerwelsh commented 7 years ago

sounds good. @nicosesma if you're actively working on this, let me know. gonna move it back to the ideas & suggestions for now.

nicosesma commented 7 years ago

I must admit that I have begun researching the differences between ACID and BASE transactions, and think that it is something very important to know if one wants to work with data. I have started using Cassandra, a NoSQL database that is considered to have both ACID and BASE properties depending on how it is configured, in order to learn how a database cluster can be used to scale an application throughout the cloud. I must admit, I am getting a bit overwhelmed by the amount of information available, but think that it is worth knowing about most certainly.

nicosesma commented 7 years ago

I think that this could actually be a great goal for learning about securing an API's endpoints and ensuring the integrity of data, given x amount of requests. I would be happy to continue working on this, perhaps with some guidance in order to properly articulate the specs for the project. What are your thoughts though, @tannerwelsh @jlopker ?

nicosesma commented 7 years ago

I'm going to start working on this and see if I can create a rough draft of this goal.

tannerwelsh commented 7 years ago

@nicosesma if you think there's something here that is worth knowing, then by all means feel free to keep going!

I'm happy to answer whatever questions I can.

In terms of direction, I'd suggest focusing less on the API design and more on the concepts that the project is meant to allow practice in: encryption, transactional integrity, and authorization. There seem to be three key questions that come up when thinking about secure transactions like this:

If I were writing this goal, those are the questions that I'd hope would drive the learning.