potential Assignment7

[zoe-1]

Below is an overview of assignment7. Please look it over and give your feed back! Feel free to make suggestions. After finalizing the general objectives described here, Assignment7 will be written.

---

Validation, Authentication, and Authorization

Configure the application to use hapi-auth-cookie for cookie-based session management. Every route will be black listed requiring authentication and authorization globally. Routes that do not require authenticated users and have no permissions restrictions will be white listed so anyone can access them. Additionally, the application will utilize two user roles for authorization which are:

• "admin" the super user
• and "user" basic user

There will be three types of authorization restrictions:

• "public" routes open to all
• "user" routes restricted to authenticated users with the role of "user" or "admin".
• "admin" routes restricted to authenticated users with the role "admin".

  Login Process

Create a login in page that utilizes AJAX to login. This route (/login) is open to the public. If the login AJAX POST request is successful, the login form will disappear and the user will be presented with links to access restricted content /account or /logout. At this stage the login process is complete, session cookies are set, and authorized users can begin to access restricted content. If the login AJAX request fails, an error message is displayed along with the login form.

Restricted Access Content

The /account route

After a successful login, user sees "My Account" link and "Logout" link. The "My Account" link goes to the /account route which is restricted to authenticated users with roles of "user" or "admin". The /account route will display a welcome message with the user name in it and displays the following links: "Logout", "Home", and "Admin Panel" (if user has admin privileges). Correspondingly, the previous mentioned links point to /logout, /home, and /admin.

The /admin route

The /admin route should display an admin welcome message with user's username displayed. Plus, there should be three links: "My Account", "Logout" , "Home". Only users with the role of "admin" should be able to access /admin route.

The /home route

If a logged in user goes to /home, "My Account" and "Logout" links are displayed along with the hapi university image. When a user clicks on "My Account" link they are taken to the /account route described above.

Logging Out

On /home, /account, and /admin routes there should be a logout button which links to /logout and destroys the session. Plus, the /login POST route should have a Logout link displayed after the AJAX requests successfully completes.

Technical Details:

Configure Application to Use hapi-auth-cookie

• Make plugin: ./lib/auth-cookie.js which:
  • Configures hapi-auth-cookie authentication strategy to project.
  • redirects to '/login' route if the user is not logged in.
  • Requires the use of tls.
  • Apply this auth strategy to every route in the application. White list the routes that do not require authentication or authorization.
  • When creating the session cookie with hapi-auth-cookie do not put sensitive user account data (i.e. passwords) in the session cookie. Before creating a session, use Hoek to clone the account data JSON object then delete passwords from the newly cloned object. Once secure data is removed create the user's session with: request.auth.session.set(account).
• Use scopes to control which authenticated users are authorized to use the specific routes. First steps toward RBAC.
  • Configure restricted routes to redirect to the /home, if the user is not authenticated or authorized to view the page.
• When handling /login POST requests use poeticninja 's style of using a JavaScript Promise to authenticate users.
  • Use boom to return authentication errors.
• Add bad route handling to project. Configure a server.ext('onPostHandler') to redirect to /home when routes do not exist. {"statusCode":404,"error":"Not Found"}
• joi validation All POST request payloads must be validated by joi.
• Last but not least, 100% test coverage required

  Questions:

  • Would moving the manifest JSON object to an external file complicate things too much? Would like to move the manifest jSON object into it's own file, but, concerned it may confuse people.
  • What about adding a HTML form submission requirement in addition to AJAX. Make two login routes one would be AJAX the other would be a traditional POST from an html form. Then, we could use server.ext(onPostHandler) to catch validation errors.

[ghost]

Can we not better use a normal login page which redirects to the home page. I think now using ajax makes things very complicated.

[ghost]

Is this what you want : http://www.andwecode.com/create-popup-login-and-signup-form/

[rutaihwa]

I'm all in for moving the manifest to its own separate file.

[zoe-1]

@rutaihwa Great! Glad you agree. Assignment will require the manifest to be in it's own file. @roelof1967 Assignment is going to require AJAX here. AJAX example will help other's see how hapi-auth-cookie works with AJAX.

[ghost]

@zoe-1 oke, then I have to google further on finding a good example.

[rutaihwa]

@zoe-1 Have you finalized the assignment?

[zoe-1]

@rutaihwa and community, currently finalizing the assignment, but planning to add some new parts:

• api label in server connections
• api directory ./lib/api.
• new plugin for api called login.js put new POST ./login route in login.js, in future want to place all user login logic there. GET ./login will be in home.js plugin associate with web-tls label.
• Considering adding jQuery to project to make client side work easier? What does everyone think about that? Originally, I was thinking to make the client side JavaScript just JS without any libraries. However, from reading comments it seems some people would like to add it.

What does everyone think about the above? Plus, if you have any last minute requests to place in the next assignment, please share them.

[rutaihwa]

@zoe-1 According to me, the library will simplify things a lot. Lets hear from the community. Thanks for adding api connection :smile: