Stage 1

[talantbekov123]

Summary:

I can not see changes in the project, all previous comments are not fixed. Please take a look, I attached screenshots below comments where applicable. Hope they will be easy to fix.

Note: I may attach only one screen, but you need to find all similar cases inside the project and fix them to receive points.

Backend

Performance Criteria

• [x] The repository contains all the necessary infrastructure files:

  • [x] A package.json file.
  • [x] An .editorconfig file.
  • [x] An .eslintrc file, which extends the airbnb-base configuration, and devDependencies required for the linter.
  • [x] A .gitignore file.
  • [x] Additionally, an exception for _id is added in .eslintrc. The following rules are forbidden: eslint-disable, eslint-disable-line, and eslint-disable-next-line

• [x] No linting errors.

• [x] The scripts section of the package.json file contains the following:

  • [x] An npm run start command that starts the server on localhost:3000.
  • [x] An npm run dev command that starts the server on localhost:3000 with hot reloading.

• [x] When all dependencies are installed, the application starts with npm run dev without errors.

• [ ] The following routes function as described:

  • [x] A request to GET /users/me returns information about the user (email and name).
  • [x] GET /articles returns all articles saved by the user.
  • [x] POST /articles creates an article with the data passed inside the request body.
  • [x] DELETE /articles/articleId deletes the saved article using _id.
  • [x] POST /signup creates a user with the data passed inside the request body.
  • [ ] POST /signin returns a JWT when the correct email and password are passed in the request body.

    https://snipboard.io/oFqYni.jpg please provide default value as well, for example like this process.env.JWT_SECRET || 'dev'

• [x] All routes are protected with authorization, except for /signin and /signup.

• [x] User routes and article routes are described in separate files.

• [x] API errors are handled:

  • [x] If something is wrong with the request, the server returns a response with an error message and a corresponding status.
  • [x] Asynchronous handlers end with a catch() block.
  • [x] The API does not return standard database or Node.js errors.

• [x] In production mode, the database address is taken from process.env.

• [x] Safe password storage has been implemented:

  • [x] Passwords are stored in an encrypted format.
  • [x] The API does not return a password hash to the client.

• [x] Data is validated before being added to the database.

  https://snipboard.io/RHvoez.jpg According to project requirement Server request bodies should be validated prior to submitting them to controllers for processing. please use celebrate library to validate requests. Here is a link to the documentation https://www.npmjs.com/package/celebrate. Router validation example below

  app.post('/signin', celebrate({ 
  body: Joi.object().keys({ 
    email: Joi.string().email(), 
     password: Joi.string().required().min(8), 
  }) 
  }), login);

• [x] Users can't delete saved cards from other user profiles. When the user tries to delete someone else's card, an error with a 403 status should be returned. If you've forgotten something, or have some doubts, you can check this reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/403

• [x] The server can be accessed via HTTPS using the domain specified in README.md.

• [x] Storing the private key for creating a JWT is implemented correctly:

  • [x] For the production build, it is stored in an .env file, and this file should not be added to Git.
  • [x] In development mode (process.env.NODE_ENV !== 'production'), the code runs and works fine and an error won't occur if there is no .env file present.

    please provide default value as well, for example like this process.env.JWT_SECRET || 'dev'

    Best Practices

• [x] Asynchronous operations are implemented using promises or async/await.

• [ ] Requests are validated before being passed to the controller. The body and (where applicable) headers and parameters are checked against the corresponding schemas. If a request doesn't match the schema, the processing is not passed to the controller and the client receives a validation error.

  According to project requirement Server request bodies should be validated prior to submitting them to controllers for processing. please use celebrate library to validate all routes, including cards and users. Please note that It is necessary to validate the ObjectID not just as a sequence of characters with 24 symbols, but as a hex sequence with 24 symbols (fortunately, Joi has a built-in hex validator). Note: all routes except GET \users and GET /cards and GET /users/me

• [ ] Logging is set up:

  no logs, please provide logging.

  • [x] All requests and responses are logged to the request.log file.
  • [x] All errors are logged to the error.log file.
  • [x] Log files aren't added to the git repository.

• [x] Errors are handled by a centralized handler.

• [ ] Centralized error handling is described inside a separate module.

  https://snipboard.io/kI81XQ.jpg

• [x] In case of an error, the API returns a response status that matches the error type.

• [x] The server can be accessed via HTTPS using the domain specified in README.md.

• [x] The application API is located on a domain with a name of the following format: name.zone/api (not just name.zone).

  • [x] Correct: news-explorer.tk/api
  • [x] Incorrect: news-explorer.tk

• [ ] All routes are connected to the index.js file, which is located in the routes folder, and app.js contains one main route handled by routes.

Recommendations

• [ ] For API errors, classes have been created to extend the Error constructor.
• [x] The Helmet module is used to set security-related headers.
• [x] Configuration and constants are stored in separate files:
  • [x] The Mongo server address and the private key for the JWT in development mode are stored inside a separate configuration file.
  • [ ] Application constants (response and error messages) are stored inside a separate file with constants.

    https://snipboard.io/Kt0Ael.jpg

• [x] A rate limiter is set up: the number of requests from a single IP address is limited to a particular value in a given amount of time.
• [ ] The rate limiter is configured in a separate file and imported into app.js.

  https://snipboard.io/0uynCq.jpg

• [x] The API is hosted on a separate subdomain, e.g. api.news-explorer.tk.

Number of points: 60

[talantbekov123]

Summary:

You've done a really good job! Glad to say that your project has been accepted

Backend

Performance Criteria

• [x] The repository contains all the necessary infrastructure files:
  • [x] A package.json file.
  • [x] An .editorconfig file.
  • [x] An .eslintrc file, which extends the airbnb-base configuration, and devDependencies required for the linter.
  • [x] A .gitignore file.
  • [x] Additionally, an exception for _id is added in .eslintrc. The following rules are forbidden: eslint-disable, eslint-disable-line, and eslint-disable-next-line
• [x] No linting errors.
• [x] The scripts section of the package.json file contains the following:
  • [x] An npm run start command that starts the server on localhost:3000.
  • [x] An npm run dev command that starts the server on localhost:3000 with hot reloading.
• [x] When all dependencies are installed, the application starts with npm run dev without errors.
• [x] The following routes function as described:
  • [x] A request to GET /users/me returns information about the user (email and name).
  • [x] GET /articles returns all articles saved by the user.
  • [x] POST /articles creates an article with the data passed inside the request body.
  • [x] DELETE /articles/articleId deletes the saved article using _id.
  • [x] POST /signup creates a user with the data passed inside the request body.
  • [x] POST /signin returns a JWT when the correct email and password are passed in the request body.
• [x] All routes are protected with authorization, except for /signin and /signup.
• [x] User routes and article routes are described in separate files.
• [x] API errors are handled:
  • [x] If something is wrong with the request, the server returns a response with an error message and a corresponding status.
  • [x] Asynchronous handlers end with a catch() block.
  • [x] The API does not return standard database or Node.js errors.
• [x] In production mode, the database address is taken from process.env.
• [x] Safe password storage has been implemented:
  • [x] Passwords are stored in an encrypted format.
  • [x] The API does not return a password hash to the client.
• [x] Data is validated before being added to the database.
• [x] Users can't delete saved cards from other user profiles.
• [x] The server can be accessed via HTTPS using the domain specified in README.md.
• [x] Storing the private key for creating a JWT is implemented correctly:
  • [x] For the production build, it is stored in an .env file, and this file should not be added to Git.
  • [x] In development mode (process.env.NODE_ENV !== 'production'), the code runs and works fine and an error won't occur if there is no .env file present.

    Best Practices

• [x] Asynchronous operations are implemented using promises or async/await.
• [x] Requests are validated before being passed to the controller. The body and (where applicable) headers and parameters are checked against the corresponding schemas. If a request doesn't match the schema, the processing is not passed to the controller and the client receives a validation error.
• [ ] Logging is set up:

  no logs, please provide logging.

  • [x] All requests and responses are logged to the request.log file.
  • [x] All errors are logged to the error.log file.
  • [x] Log files aren't added to the git repository.
• [x] Errors are handled by a centralized handler.
• [ ] Centralized error handling is described inside a separate module.

  https://snipboard.io/kI81XQ.jpg

• [x] In case of an error, the API returns a response status that matches the error type.
• [x] The server can be accessed via HTTPS using the domain specified in README.md.
• [x] The application API is located on a domain with a name of the following format: name.zone/api (not just name.zone).
  • [x] Correct: news-explorer.tk/api
  • [x] Incorrect: news-explorer.tk
• [ ] All routes are connected to the index.js file, which is located in the routes folder, and app.js contains one main route handled by routes.

Recommendations

• [x] For API errors, classes have been created to extend the Error constructor.
• [x] The Helmet module is used to set security-related headers.
• [x] Configuration and constants are stored in separate files:
  • [x] The Mongo server address and the private key for the JWT in development mode are stored inside a separate configuration file.
  • [ ] Application constants (response and error messages) are stored inside a separate file with constants.

    https://snipboard.io/Kt0Ael.jpg

• [x] A rate limiter is set up: the number of requests from a single IP address is limited to a particular value in a given amount of time.
• [ ] The rate limiter is configured in a separate file and imported into app.js.

  https://snipboard.io/0uynCq.jpg

• [x] The API is hosted on a separate subdomain, e.g. api.news-explorer.tk.

Number of points: 95