indigotech / onboard-jorge-risco


[Track 6/9] Create user mutation #20

Open taki-tiler-server[bot] opened 3 years ago

taki-tiler-server[bot] commented 3 years ago

In this track, you will implement a CreateUser mutation. This mutation allows authenticated users to create other users.

Step 1/3 - The authentication

Estimated time: 2 hours

Let's start by exploring the authentication. This mutation is considered an authenticated one, which means that whoever uses it must be allowed to. The permission is granted by the token we were talking about on the last track.

Create the CreateUser mutation prototype and check client authentication (again: without integrating with database, for now). Follow the steps:

  1. The prototype: it can be something like this.
mutation CreateUser($user: CreateUserInput!) {
  CreateUser(user: $user) {
    # Your return
  }
}
  2. The input. It can be something like this:
{
  "name": "User Name",
  "email": "User e-mail",
  "birthDate": "04-25-1990",
  "cpf": "XXXXXXXXXXX",
  "password": "1234qwer"
}
  3. The response: you can return either the created user or only a success message.
  4. The first thing your mutation should do after being called is checking user authentication. Check the Authorization header: the client must have sent a JWT token and it should be a valid one. It's important to check if:
    • It is a JWT token
    • It has all the payload data you designed earlier
    • It's not expired
    • Its signature is correct.

NOTE: have in mind that anyone can create a JWT token with any payload data they want (remember jwt.io?), but only those who have the secret can generate the right signature. Only the server should know this secret.

  5. If the JWT token has any problem, you should return an authentication error with a message.

If everything is ok with the authentication, you can return a mocked user and go to next step to integrate with database.

jorgemrisco commented 3 years ago

Finish

taki-tiler-server[bot] commented 3 years ago

Step 2/3 - Integrate with the database

Estimated time: 4 hours

After checking the authentication, it's time to fully integrate your mutation with the database. If the provided token is valid, the server should validate the given input, and if everything is right, create a user in the database. Wait, validate what? 🧐

  1. The system should not allow two or more users with the same e-mail
  2. The system should not allow a very weak password. Follow these rules:
    • It should have at least 7 characters
    • It should have at least 1 letter and 1 digit.

You can add some validations if you want. For example, minimum and maximum birth date. But the most important are those two above.

NOTE: as we discussed, remember not to save the password as plain text in the database. Use at least a good hash algorithm (with a salt system, optionally). Ask your tutor if you got stuck 👍