[Track 3] Login mutation

[taki-tiler-server[bot]]

In this track, you will implement a login mutation fully integrated with the database. There are many ways of implementing an authentication. The way we're doing it is: the user sends a password to prove that he is who he claims, and then the server provides a token that allows him to access some data on future requests. This token generally have an expiration, after which the user has to login again to get a new one.

Step 1 - The mutation setup

Estimated time: 1 hour

Let's start with baby steps, by creating the mutation prototype, with no integration with the dabatase (yet).

Let's call the mutation Login. It should receive an e-mail and a password as parameters and return the following structure on body:

{
  "data": {
    "Login": {
      "user": {
        "name": "User Name",
        "email": "User e-mail"
        // More user fields
      },
      "token": "the_token"
    }
  } 
}

Note: Did you notice that there is a data object wrapping the Login response? Don't worry, it's the GraphQL response format. It wraps all the successful response data inside the data object and all the errors in an errors array of objects. You can read more about it here.

For now, you can return the above structure populated with some mock data.

[alanraso]

Finish

[taki-tiler-server[bot]]

Step 2 - Integrating with the database

Estimated time: 3 hours

Now you're going to fully integrate the Login mutation with the database. Since we don't have a mutation to create users (yet), we should create one directly on the database, so we have the conditions to test it properly.

NOTE: One of the required data to create a user is the password. You should have read or heard already that storing users password as plain text in the database is a bad idea. If not, you're reading now: it is a bad idea 🤦‍. The minimum security we should have on this case is to use a hash algorithm to store the password. This is not a 100% secure method, but it helps already. Interested in this security matter? Check this post for additional details. Since this is only an onboard server, you don't need to have a ultra-master-blaster security method. Our main goal here is to show you some levels of security and prevent you from beginning your projects with an ultra-master-blaster insecure method.

After creating a user, you should implement your mutation as follows:

1. Get the input e-mail received on the mutation and try to find one on database.
2. Check if the given password is correct. Remember that, in order to comapre them properly, the input password should be submitted to the same process of transformation that the ones stored on Database.
3. If everything is right, return the user info and a token. For now, the token can be only an empty string. You're going to implement it on next step.

On each of these steps, some error may occur. It's important in these cases to provide a good description to the client of what went wrong. For example, if the password is wrong, you could return an error message like Invalid credentials, please check your e-mail and password.

[alanraso]

Finish

[taki-tiler-server[bot]]

Step 3 - The token

Estimated time: 2 hours

Now you're going to finish your Login mutation returning a proper token instead of an empty string. Take a look at an example of the token you're going to implement:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

This may look like a random string, but this token has a lot of power, because there are some information encoded on it. The server can know only with a token, for example:

1. When it was created
2. When it expires
3. Which user is sending

This is an example of the famous JWT token. You're going to build these tokens and return on your mutation. This link has some information about token absed authentication, jwt tokens and an example of how to imnplement it on code.

Your task now is to implement a model of JWT tokens for your server and return them on your Login mutation.

[alanraso]

Finish

[taki-tiler-server[bot]]

Step 4 - The test 🤓

Estimated time: 4 hours

This is another super-important concept on the process of building your own server. Have you ever stopped to think about how you would test if your code works? 🤔 If you thought about performing the query/mutation on one of those applications (browser, graphiql, graphql playground) and checking if it works as expected, that's one way of doing it. But we have a more solid proposal: writing more code for tests! The principle is simple: you give an entrance and check if the response is the expected. Why is it better? Well, some advantages:

1. The time gain: you write your test once, and then you can run it whenever you want.
2. While you develop other features, you can keep running the tests for all the previous implemented queries/mutation to make sure they are still working.
3. Test codes can serve as a kind of documentation as well. People who read them are able to know all the particular scenarios of a query/mutation.

If you search on the Internet, you'll find out there are many ways to test a code. Depending on the project, people decide to use one, or several of them. Here, we're going to write Integration tests. For each query/mutation of your server, you're going to setup the database for them, provide some input scenarios, and then check if the response is given as expected.

Let's talk about another libraries (we use a lot of them!) that helps us to test our code: mocha, for test setup; chai, for the assetions; and supertest, to simulate a server running.

Your task now is to install these libraries and write one test for your recently implemented Login mutation. Some important things to have on mind:

1. You can either create an instance of your server with supertest, or just create an agent and send requests to your localhost:3000/. If the second option is chosen, you should run your server along with the tests.
2. Remember how you connected your server with the database? We said at the time about having a second container for tests with docker. That's right, we're going to use a second database for the tests, so we don't interfere with our normal database on the process. Before actually running your tests, you should connect with this test dabatase, just like you did when running the server locally.
3. Try to write a test script on package.json, so you can just run npm run test on terminal to perform them.
4. Your test should predict as much scenarios as possible. In case of the Login mutation, some examples are:
   1. "Success case": an existing e-mail with the right password is given to the system.
   2. "Wrong password": the input has a valid existing e-mail, but the password is not right.
   3. "User not found": e-mail sent on input is not present on database.
   4. "E-mail with invalid format": e-mail sent on input has an invalid format.

[alanraso]

Finish

[taki-tiler-server[bot]]

Step 5 - Challenge: the token duration

Estimated time: 2 hours

NOTE: some steps on this onboard are classified as "challenges". They are meant to be some additional tasks that add some bonus features, but are not necessarily core of the server. Try not to loose too much time on them 🙃

After implementing the login, you must have noticed that one of the possible parameters for creating a JWT token is the expiration. This parameter allows us set an expiration timestamp coded on the token. The challenge consists of:

1. Adding an aditional optional parameter on the Login mutation called remeberMe. It's a boolean.
2. If rememberMe was sent and its value is true, you should increase the expiration of the returned token. 1 week is good for the context.
3. Create a test for this case, evaluating if the token actually has the increased duration.

[alanraso]

Finish

[taki-tiler-server[bot]]

Click here for your next track