REST API for a survey management platform
API to create, take and manage surveys. It operates on 5 main routes:
- Surveys (list, filter, create, update, delete, take, metrics/statistics)
- Questions (list, filter, create, update, delete, upload description image, metrics, statistics)
- Entries (results when taking a survey - same previous operations)
- Answers (same operations)
- Auth (admin only) (register, login, logout, forgot password, reset password + manipulation operations on all objects and protected routes)
Tech Stack
- NodeJS runtime environment
- Express.js back-end framework
- Mongodb database
- lowDB in-memory database
- Mongoose ODM
- CI/CD with GitHub Actions
- Container registry and management with Docker Hub
- Deployment on a Heroku server running the Docker engine
Deployment Pipeline
- Chai, Mocha, Jest and supertest for unit and integration testing
- mongoose for data interaction with MongoDB
- jsonwebtoken for authentication and token management
- cookie-parser for session management
- rotating-file-stream for periodic persistence of log data
- swagger-ui-express for documentation generation
- nodemailer for server-side email sending
- cloudinary for image manipulation and storage
- bcryptjs for password hashing
- Swagger documentation and a playground for the API are available here (make sure to set the server to "production environment" in Swagger)
- Postman static API documentation is available here
- Clone the repository
- Install dependencies:
$ npm install
- Start the server:
$ npm run start
- Open a browser and head over to the link:
http://localhost:5000/api-docs
- Swagger documentation interface: select "Development environment" as shown below:
The server is ready for local testing
The perceived latency and delay in request time (particularly in the production environment) can be attributed to the following reasons:
- Hardware limitations, since most of the components in the deployment pipeline use the free-tier resources of their respective service providers, which are intended for prototyping rather than for testing.
- Third-party services such as Cloudinary are also used on the free tier, which has variable response times.
- Dyno cold start: the Heroku server stops automatically when it receives no requests for 30 minutes, and it takes 5-10 seconds for the server to leave its idle state when a new request arrives.
Security considerations included in the API:
- Protection from DoS attacks with rate limiting.
- Protection from NoSQL injection using express-mongo-sanitize, which sanitizes MongoDB queries against query selector injection.
- Protection from cross-site scripting (XSS) with helmet (security response headers) and xss-clean (input sanitization).
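As an added example (not code from this project), the query-selector sanitization that express-mongo-sanitize applies to request input, shown on a constructed login payload, together with a string-type check the login handler should still perform before querying Mongoose. `mongoSanitizeMiddleware` and `validateLoginBody` are hypothetical names, and the sample bodies are constructed.

```javascript
// Added example, not the project's code: the query-selector sanitization that
// express-mongo-sanitize performs on req.body/req.query/req.params, plus a
// string-type check a login handler should still apply before querying Mongoose.

// Keys beginning with "$" or containing "." are what MongoDB interprets as
// operators or dotted paths. With replaceWith unset the key is dropped (the
// library's default); with replaceWith = "_" the offending characters are replaced.
function sanitizeMongoInput(value, replaceWith) {
  if (Array.isArray(value)) {
    return value.map((item) => sanitizeMongoInput(item, replaceWith));
  }
  if (value !== null && typeof value === "object") {
    const clean = {};
    for (const [key, inner] of Object.entries(value)) {
      const isOperatorKey = key.startsWith("$") || key.includes(".");
      if (isOperatorKey && replaceWith === undefined) continue; // drop the key
      const safeKey = isOperatorKey
        ? key.replace(/^\$+/, replaceWith).replace(/\./g, replaceWith)
        : key;
      clean[safeKey] = sanitizeMongoInput(inner, replaceWith);
    }
    return clean;
  }
  return value; // strings, numbers, booleans and null pass through unchanged
}

// Express-style middleware (hypothetical wiring; mirrors what the library does).
function mongoSanitizeMiddleware(req, res, next) {
  for (const part of ["body", "query", "params"]) {
    if (req[part] !== undefined) req[part] = sanitizeMongoInput(req[part]);
  }
  next();
}

// Defence in depth for the login route: after sanitization an empty object can
// still sit where a string is expected, so insist on string credentials.
function validateLoginBody(body) {
  const clean = sanitizeMongoInput(body);
  if (typeof clean.email !== "string" || typeof clean.password !== "string") {
    return { ok: false, status: 400, error: "email and password must be strings" };
  }
  return { ok: true, filter: { email: clean.email }, password: clean.password };
}

// Constructed samples: a password carrying a selector instead of a string, and
// a nested input mixing a dotted key with an operator inside an array.
const constructedLoginBody = { email: "admin@example.com", password: { $gt: "" } };
const constructedNestedInput = { "profile.role": "admin", tags: [{ $ne: null }, "x"] };
```

Run `validateLoginBody(constructedLoginBody)` to see the request rejected with 400 before any database query is built.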
Planned improvements:
- Set up indexing on MongoDB and leverage denormalized data models to speed up queries.
- Swap lowDB for Redis, since the latter has better support for caching.
- Introduce end-to-end monitoring for the deployment pipeline.
- Extend the deployment setup to run multiple instances of the server and add load balancing.
- Containerize the MongoDB server instance and include it in the deployment setup.