SchoolOfCode / bc17-w4d2-project-i-need-a-rest

bootcamp-17-bc17-w4d2-project-empty-repo created by GitHub Classroom

User Story 8: Protect the DELETE endpoint by writing custom auth middleware (simple function) #8

Closed WaferMouse closed 3 months ago

WaferMouse commented 3 months ago

Description:

As Jane, a long-time jogger, I want to know that other users like my friend Ken cannot delete activities that I log.

As Zara, Head of Engineering at TrackIt I want to make sure that API endpoints that are “destructive” (deleting data) are protected so that only people who are authenticated and authorised (user who owns the activity) can take those actions.

Acceptance Criteria:

Given I am a developer who clones down the Activity API repo,

When I look at the DELETE controller (event handlers),

Then I should see that there is a custom function (write this) being used as middleware in front of the event handler that checks the request for a header called “Authorisation”, with the value of “Bearer TEST_TOKEN”. The middleware calls next with an error if needed.

Given I am a developer who has the Activity API running,

When I make a DELETE request to “http://localhost:3000/activity/activity_id_here”,

Then the API should check if I have a request header called “Authorisation”, with the value of “Bearer TEST_TOKEN”,

Then if I do, the request should succeed, responding with the correct status code and the deleted activity object in the response body (response.data).

Given I am a developer who has made an invalid DELETE request by not sending the “Authorisation” header,

When I inspect the API response,

Then the API call should fail with the correct response code and a clear error message (response.error).

### Tasks for User Story 8
- [x] Develop a custom middleware function deleteAuth.
- [x] The function should check if the request header Authorisation exists.
- [x] Verify that the value of the Authorisation header is Bearer TEST_TOKEN.
- [x] If the header is missing or the value is incorrect, call next with an error.
- [x] If the header is present and correct, call next without an error.
- [x] Apply the deleteAuth middleware to the DELETE endpoint for activities.
- [x] Ensure the middleware is used in front of the event handler for the DELETE request.
- [x] Test if all criteria are met!
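The middleware the tasks above describe, as an added example that is not part of the original issue or repository. It assumes an Express-style (req, res, next) signature and a 401 status for both failure cases, which the issue leaves unspecified; the header name and value are taken from the issue text.

```javascript
// Added example, not the repository's own code: an Express-style middleware
// guarding DELETE /activity/:id as the issue describes. Header name and value
// ("Authorisation", "Bearer TEST_TOKEN") come from the issue; 401 is assumed.
const EXPECTED_TOKEN = "TEST_TOKEN"; // placeholder from the issue, not a real secret

// Compare without stopping at the first mismatching character, so response
// time does not reveal how much of the token was correct.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Middleware: passes an Error to next() on failure, calls plain next() on success.
function deleteAuth(req, res, next) {
  // Node lower-cases incoming header names, so the lookup key is "authorisation".
  const header = req.headers && req.headers["authorisation"];
  if (typeof header !== "string" || header.trim() === "") {
    const err = new Error("Missing Authorisation header");
    err.status = 401;
    return next(err);
  }
  const parts = header.trim().split(/\s+/); // expect exactly ["Bearer", token]
  const valid = parts.length === 2 && parts[0] === "Bearer" &&
    constantTimeEqual(parts[1], EXPECTED_TOKEN);
  if (!valid) {
    const err = new Error("Invalid Authorisation header");
    err.status = 401;
    return next(err);
  }
  return next();
}

// Error handler producing the { error } body the acceptance criteria ask for.
// Wiring: app.delete("/activity/:id", deleteAuth, handler); app.use(errorHandler);
function errorHandler(err, req, res, next) {
  res.status(err.status || 500).json({ error: err.message });
}

// Runs the middleware against a request-like object and reports the outcome,
// so the check can be exercised without a running server.
function runDeleteAuth(headers) {
  const result = { allowed: false, status: null, error: null };
  deleteAuth({ headers }, {}, (err) => {
    if (err) { result.status = err.status; result.error = err.message; }
    else result.allowed = true;
  });
  return result;
}
```

Because the token is compared as a whole Bearer credential rather than with a substring or prefix check, values such as "Basic TEST_TOKEN" or "Bearer TEST_TOKEN extra" are rejected along with a missing header.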

faisalagood commented 3 months ago

Done