Lesson 8: OAuth

Overview

Introduction

Welcome to lesson eight! This lesson focuses on authorization, and how to use OAuth to effectively authenticate users.

Topics for this lesson:

OAuth and Swagger
JSON Web Tokens (JWT)
JWT meets OAuth

Have Feedback?

Learning Material

Resources for this lesson are accessible to you in this repository

The following learning material may be helpful but is not required. Please reference the syllabus for more details.

The remainder of the reading for this lesson is just for your information. You are not required to use JWTs at all in this course, but it is important for you to be at least somewhat familiar with what they are and why they exist. In fact, many OAuth providers use JWTs behind the scenes to make their services work. With that said, JWTs are a large focus point in CSE340. The following resources are here to simply introduce you to these concepts, and also to help you see how JWTs and OAuth can be used together.

For the sake of authentication purposes, your API does not need to use both OAuth and JWTs. For your project, you will include both just to understand how both work. With that said, there are some use cases for using both in the real world.

Team Assignment

Overview

Purpose: Research, learn, and share industry standards, best practices, and helpful resources.
Task: Complete the assignment.

The team activity for this lesson will consist of participating in a developer forum. Each person in this class will learn from different resources, try different things, and end up with a unique knowledge base. This forum is an opportunity for you to share industry standards and best practices regarding the technologies that we are using and that you're learning about in this lesson. To receive full credit for this assignment, you must do the following:

Use the channel in Teams called Developer Forum for this assignment.
Pick a topic from this lesson and write a post that teaches at least one best practice or industry standard for that topic.
Include the lesson number at the top of your post along with your title (for example: L03 - POST requests in Node.js)
The post should consist of at least 200 words.
Include at least two sources to site your claims.
The post should be informative, accurate, relevant, and not just a copy and paste of another post.
Respond to at least two peers before the end of the lesson.
Finally, use the I-Learn quiz to report your participation in the forum.

Personal Assignment

Overview

Purpose: Implement an authentication system.
Task: Complete the assignment.

Learning Objectives

By the end of this assignment the student will be able to do the following:

Deploy Node.js API to the web
Incorporate authentication system with OAuth into Node.js application
Host GET, POST, PUT and DELETE endpoints in application
Produce API documentation that allows API testing
Validate all data before processing API requests
Handle errors in application

Assignment Description

For your personal assignment you will complete your project that you started in lesson 5. You should already have all of your routes set up with documentation, validation, error handling, and so on. Now, you will also add security either through JWTs or some from of OAuth.

Please be sure to review the project requirements and rubric.
For this assignment (if you have not done so already), you will add security measures to your personal project using OAuth. The user should be able to create an account, log in and log out successfully, and view things that aren't available if they are not logged in.
If you store user credentials in MongoDB, be sure to use bcrypt (or a package of your choosing) to hash passwords so no plain-text passwords are ever stored in the database.
Be sure your Swagger documentation is accurate, including all of your security measures (and routes that have been effected by these measures).
Once completed, push any changes to GitHub and verify changes in Render.
Record a brief video demonstration that shows you using the Swagger documentation successfully sending requests to each route. Also include evidence that your MongoDB cluster is being updated.
Post this video to YouTube (public or unlisted are both fine, whatever you prefer).
Submit the following links in I-Learn (Your assignment will receive a zero if these three links are not included)
- GitHub repo
- Render site API Contracts (it should be formatted like this: https://cse341-code-student.onrender.com//api-docs)
- YouTube video

Rubric

Criteria	Weight	Mastery	Proficient	Developing	Beginning	Missing/Incomplete
		100%	90%	78%	65%	0%
Deployed to the Web (Graded via YouTube)	20%	Meets Proficient criteria and video shows use of Render CONFIG VARS to connect to MongoDB	Meets Developing criteria and app connects to MongoDB	Meets Beginning criteria and Render url can be opened without any errors	Node.js app deployed to Render	Render link or YouTube link not submitted
OAuth (Graded via YouTube)	20%	Meets Proficient criteria and the video shows that each protected route (needs authentication) requires authentication before access	Meets Developing criteria and user can log out using OAuth	Meets Beginning criteria and user can log in using OAuth	Evidence of OAuth is in the Node.js project	GitHub link or YouTube link not submitted, or No evidence of OAuth in project
Database (Graded via YouTube)	15%	Meets Proficient criteria and at least one collection features documents with at least 7 fields	Meets Developing criteria and database has at least 2 collections	Meets Beginning criteria and database has a single collection	Database exists and is shown in the video	GitHub link or YouTube link not submitted, or No evidence of Database in project
HTTP Requests (Graded via YouTube)	15%	Meets Proficient criteria plus at least 2 collections have a PUT or DELETE request (MongoDB change is shown in video)	Meets Developing criteria plus at least 2 collections have a POST request (MongoDB change is shown in video)	Meets Beginning criteria plus at least one HTTP Request is present for each collection in the database	Several HTTP Requests are in the project and work (shown in video)	GitHub link, Render link or YouTube link not submitted
API Documentation (Graded via Render)	10%	Meets Proficient criteria and the documentation can test each endpoint (GET, POST, PUT, DELETE are all modified when testing from the documentation)	Meets Developing criteria and the documentation is published (either to Render at "/api-docs" route, or to apollo server)	Meets Beginning criteria and documentation is organized by collection	The swagger.json file is present (or Apollo server is shown in video for graphql extra credit)	Render link, GitHub link, or YouTube link not submitted. Or no evidence of API documentation
Data Validation (Graded via GitHub)	10%	Meets Proficient criteria and each route has data validation, and returns some type of 400 or 500 error if data requirements aren't met	Meets Developing criteria and data validation is being used for each PUT and DELETE route	Meets Beginning criteria and data validation is being used for each GET and POST route	Node project has evidence of data validation (for example: checks for at least one variable's existence before continuing)	GitHub link or Render link not submitted
Error Handling (Graded via GitHub)	10%	Meets Proficient criteria and each route has error handling, and returns some type of 400 or 500 status when errors get thrown	Meets Developing criteria and error handling is being used for each PUT and DELETE route	Meets Beginning criteria and error handling is being used for each GET and POST route	Node project has evidence of error handling (for example: at least one try/catch)	GitHub link or Render link not submitted
Extra Credit GraphQL instead of REST (Graded via YouTube)	20%	Meets Proficient criteria and REST is not used at all, only GraphQL (should be shown in YouTube video)	Meets Developing criteria and project uses GraphQL to access and modify MongoDB (should be shown in YouTube video)	Meets Beginning criteria and project uses GraphQL for some aspects (should be shown in YouTube video)	GitHub link (perhaps in previous commits) and YouTube video show that GraphQL was attempted	GitHub link, Render link, or YouTube link not submitted
Extra Credit TypeScript (Graded via YouTube)	20%	Meets Proficient criteria and there is not a single file in project with ".js" extension. All JavaScript files have been replaced with error-free TypeScript (.ts) files	Meets Developing criteria and project uses TypeScript for all files in "controllers" folder	Meets Beginning criteria and project uses TypeScript for some aspects (should be shown in YouTube video and evident in GitHub repository)	GitHub link (perhaps in previous commits) and YouTube video show that TypeScript was attempted	GitHub link, Render link, or YouTube link not submitted

Lesson 8: OAuth

Overview

Introduction

Topics for this lesson:

Learning Material

The following learning material may be helpful but is not required. Please reference the syllabus for more details.

OAuth and Swagger

JSON Web Tokens (JWT)

JWT meets OAuth

Team Assignment

Overview

Personal Assignment

Overview

Learning Objectives

Assignment Description

Rubric

Deployed to the Web

OAuth

Database

HTTP Requests

API Documentation

Data Validation

Error Handling

Extra CreditGraphQL instead of REST

Extra CreditTypeScript

Extra Credit
GraphQL instead of REST

Extra Credit
TypeScript