budget's Issues
Implement local strategy (username/password) auth
- remove username field from schema
- checking for an existing user should be done by email AND method = 'local'
- React component for login
- React component for signup
React app not refreshing on code change
nginx 502 bad gateway web socket
Auto-logout user of frontend on route change if token is expired
- Could check if JWT is expired each time a route renders its component
MongoDB model should contain CreatedBy and LastModifiedBy
Relationships need to be defined in both GraphQL schema and Mongoose model. GraphQL resolver must also pull user out of the context
Use access control library
Redirect flow after a user successfully logs in
User normally does not navigate directly to the login screen. They either navigate to a protected route or they perform a secure action like clicking a "Delete" or a "Save" button that causes them to be redirected to the login screen. After the user logs in, return the user to the page they were on.
Would their state persist following a redirect? Example: User spends 30 minutes on an Edit Form. In that time, their JWT expires. When they click "Save", they get redirected to login screen. After they authenticate successfully, they should be redirected to the Edit Form with unsaved changes.
Attempting to Update or Delete an item that has already been deleted
Address potential security vulnerability
If user navigates to https://localhost:7000/index.html directly after authenticating with CAC, user should not be able to spoof headers in AJAX request to impersonate another user.
Typescript CRA
Relationship one-to-many or many-to-many with mongoose, graphql-compose
Research how-to
Explore usage of dynamic rules i.e. "directorates:edit" for non-admin
Reference Auth0 example "Edit Post":
https://auth0.com/blog/role-based-access-control-rbac-and-react-apps/
Investigate and/or provide sample for mongoose many-to-many
Intermediate collection with two "foreign keys"
const storeItemSchema = new Schema({
  storeId: { type: Schema.Types.ObjectId, ref: 'Store', required: true },
  itemId: { type: Schema.Types.ObjectId, ref: 'Item', required: true }
});
Upsert, because insert is only allowed if the combination of storeId and itemId is unique:
await StoreItem.update(
  { storeId: store._id, itemId: toothpaste._id },
  { },
  { 'upsert': true }
);
Auto-logout user of front end if server detect expired token
- Should be able to accomplish this with ApolloClient. If a user performs a "secure" action without changing routes (i.e. clicking the delete button) with an expired token, Apollo Server must send back an "expired token error".
Use dedicated HTTP POST route to seed data
Store Validation Schemas (yup), Rules logic (rules.js), and Role names in one place
Check if this is a worthwhile effort. One implementation may be to serve this file from the express server static folder. This way both the frontend and backend can reference it, and there is a single place to maintain this logic.
User Profile screen
User should be able to edit First Name, Last Name, and Email
Use GraphQL shield to lockdown API
Store JWT token in cookie
Use Passport JWT strategies:
https://blog.usejournal.com/sessionless-authentication-withe-jwts-with-node-express-passport-js-69b059e4b22c
Running Docker-Compose up when node_modules on host is not empty
node-sass issue in client app
On my host I am running Node.js v12.
Container should be v13, so it needs to use node-sass 4.13+.
Explore usage of Can component for hiding parts of UI based on auth state and rules
This is already done via login/logout button. Would need to do this for edit and delete buttons, and sidebar menu items.
Can component expects two inputs "admin" and "directorates:edit". Is it possible to pass an array of strings for these two inputs?
docker-compose up sometimes results in error
UnixHttpConnectionPool(host='localhost', port=None): Read timed out. (read timeout=60)
An HTTP request took too long to complete. Retry with --verbose to obtain debug information.
If you encounter this issue regularly because of slow network conditions, consider setting COMPOSE_HTTP_TIMEOUT to a higher value.
Display friendly message to user if CAC login fails
If user forgets to insert CAC and clicks "Login with CAC" button, hidden iframe will point to nginx error page. Iframe does not appear to support onError event: https://dzone.com/articles/fallback-for-blocked-iframes-a-crude-solution-with
Avoid passing Roles around as string
Could probably export from rules.js
Or use enum:
export const Role = {
  Admin: 'Admin',
  User: 'User'
}
Consider moving routes to /graphql
router.route('/signup_emailPassword')
  .post(UsersController.signup_emailPassword);
router.route('/signin_emailPassword')
  .post(passportSignIn, UsersController.generateToken);
router.route('/signin_cac')
  .get(passportCacCertificate, UsersController.generateToken)
Research React gridsheet controls
candidate:
https://github.com/nadbm/react-datasheet
Use Yup to validate on backend
Typescript GraphQL code generation