Skip to content

nkhil/leaderboard-api

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

133 Commits

.github/workflows

.github/workflows

 
 

docs

docs

 
 

openapi

openapi

 
 

public/images

public/images

 
 

src

src

 
 

terraform

terraform

 
 

test

test

 
 

.commitlintrc.json

.commitlintrc.json

 
 

.dockerignore

.dockerignore

 
 

.env.example

.env.example

 
 

.eslintignore

.eslintignore

 
 

.eslintrc.js

.eslintrc.js

 
 

.gitignore

.gitignore

 
 

.versionrc.json

.versionrc.json

 
 

CHANGELOG.md

CHANGELOG.md

 
 

Dockerfile

Dockerfile

 
 

README.md

README.md

 
 

docker-compose.yaml

docker-compose.yaml

 
 

index.js

index.js

 
 

local.sh

local.sh

 
 

package-lock.json

package-lock.json

 
 

package.json

package.json

 
 

test.sh

test.sh

 
 

Repository files navigation

main-workflow

Leaderboard API

Setup

Local development

You will need an .env file with the following environment variables:

MONGO_CONNECTION_STRING=your-mongo-atlas-connection-string
TOKEN_SECRET=your-token-secret-used-to-sign-and-verify-tokens

(see included .env.example file)

To run the app locally:

npm install
npm run develop # npm run dev also works

When running npm run develop locally, if you'd like the app to connect to a mongo db instance running in Docker, you will need to configure this manually. See the docker-compose.yml file for the service using mongo.

Tests

To run all tests using Docker, please use:

npm run test:docker

This will spin up a an application container, a test container, and a database container to run the tests.

Design

Objective

My motivation was to create a secure and fast API using nodejs while learning best practices including:

API design

Best practices in creating a 'sensible', performant and secure API endpoints while remaining RESTful.

Understand stateless authorization using bearer tokens (JWTs)

Understanding how JWTs work. Specifically, they're not encrypted (i.e. anyone is able to read them) but only guarantee that they have not been tampered with.

Best practives while creating, hashing, storing and verifying user credentials (in this case, clientId and clientSecret)

The clientSecret is hashed using a asymetric hashing algorithm before being stored in the database. When an API user requests a new token with a clientId and a clientSecret. The clientSecret is hashed and compared to the value stored in the database to validate the user credentials before a valid JWT access token is issued.

Using swagger definitions to auto-validate requests and responses

This project uses express-openapi-validator to automatically validate requests and responses using an OpenAPI 3.0 specification.

This project also uses OpenApiValidator Middleware Options to use security middleware that validates api keys (user credentials) and JWT bearer tokens.

Experiment with using a logging strategy to help debug quicker

Implement integration tests in Docker to improve confidence in features

Implement CI & CD using Github actions

Enforce by good code quality practices by enforcing conventional commits and linting rules

Understand rate-limiting and other application security features mentioned in the OWASP cheat #### eet series

Understand & implement request monitoring in order to allow tiered usage based on

Introduction

The leaderboard API a simple REST API that helps with CRUDing (create, read, update and delete) leaderboards, players and their scores.

For the latest swagger endpoints, visit https://api.leaderboardapi.com/swagger

Data model

Data model

About

An api to keep score for teams

Resources

Readme
Activity

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages