General Instructions
Create and Use a new Branch hw10
We will create a new git branch called hw10 for use in this assignment. The branch name you create must exactly match the one given here for you to receive any credit for this homework.
Prior to creating this new branch, make sure your working directory is “clean”, i.e., consistent with the last commit you made when you turned in homework 9. Follow the procedures in GitHub for Classroom Use to create the new branch, i.e., git checkout -b hw10. Review the section on submission for using push with a new branch.
Use README.md for Answers
You will modify the README.md file to contain the answers to this homework.
# Homework #10 Solution
**Your name** **NetID: yourNetID**
Questions
Question 1. (15 pts) Sessions/Login
(a) Add express-session to your clubServer
Modify the session ID cookie name so that it starts with your NetID, and also change the cookie signing secret. Create session-state initialization middleware that sets the initial session state to session.user = {role: "guest"}. Hints: see the course slides, and don’t forget to install express-session. Show the additional code you added to your server for sessions here.
(c) Update login POST route
Update the login POST route to use the session functionality (generate a new session ID on change of role). Show your updated login code here.
(d) Create a logout GET path
As in the course slides.
Question 2. (10 pts) Protect Activity and Member Interfaces
(a) memberOnly Middleware
Create middleware that checks for the “member” (or “admin”) role and, if it doesn’t find it, returns a “Forbidden” code and a JSON error message. Add that middleware to the APIs that should only be accessible to “members” or “admins”. Show your code here.
(b) adminOnly Middleware
Create middleware that checks for the “admin” role and, if it doesn’t find it, returns a “Forbidden” code and a JSON error message. Add that middleware to the APIs that should only be accessible to “admins”. Show your code here.
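Both checks of parts (a) and (b) from one factory, as an added example and not the course's own code. It assumes the session shape from Question 1 (req.session.user = { role }); using a single requireRole factory instead of two hand-written functions is a style choice, the behaviour (403 plus a JSON error body) is the one the question asks for.

```javascript
// Added example, not the course's own code. Assumes req.session.user.role is
// set by the session-initialization middleware of Question 1.
function requireRole(...allowed) {
  return function (req, res, next) {
    // Deny by default: a missing session, a missing user, or a role outside
    // the allow-list all end here. Exact string match, no prefix/substring tricks.
    const role = req.session && req.session.user ? req.session.user.role : "guest";
    if (!allowed.includes(role)) {
      return res.status(403).json({ error: "Forbidden" });
    }
    next();
  };
}
const memberOnly = requireRole("member", "admin");
const adminOnly = requireRole("admin");

// Wiring in the Express server; the middleware must precede the handler and
// the route must be declared after app.use(session(...)) and app.use(initSession):
//   app.get("/members", memberOnly, listMembers);
//   app.post("/activities", adminOnly, addActivity);
//   app.delete("/activities/:id", adminOnly, deleteActivity);

// Stand-alone check with constructed req/res objects. `role` undefined means a
// request carrying no session at all (e.g. the session middleware was skipped).
function tryMiddleware(mw, role) {
  const req = role === undefined ? {} : { session: { user: { role } } };
  const res = {
    statusCode: 200, body: null,
    status(c) { this.statusCode = c; return this; },
    json(b) { this.body = b; return this; },
  };
  let passed = false;
  mw(req, res, () => { passed = true; });
  return { passed, statusCode: res.statusCode, body: res.body };
}

for (const role of [undefined, "guest", "member", "admin"]) {
  console.log(String(role).padEnd(9),
    "memberOnly:", tryMiddleware(memberOnly, role).passed,
    "adminOnly:", tryMiddleware(adminOnly, role).passed);
}
```

The assignment asks for "Forbidden" in every rejected case; a stricter API would answer 401 to a guest (not logged in) and reserve 403 for a logged-in user with the wrong role, but for this homework keep 403 for both so the tests in Question 3 see one error code.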
Question 3. (15 pts) Testing Protected Interfaces
(a) Testing Get Members
Write a test program called membersTests.mjs that uses the node-fetch library to perform the following tests in order:
- Without logging in, try to get the member information. This should result in an error condition.
- Login successfully as a club member and save and print out the cookie returned.
- Try to get all the member information. This should result in an error or not, depending on how you want to restrict access to this information.
- Login successfully as the club admin and save and print out the cookie returned.
- Try to get all the member information. This should be successful. Print out the return code (but not all the member information).
Show a screenshot of your test output and put your JavaScript code here.
(b) Add and Delete Activity Tests
Write a test program called activityTests.mjs that uses the node-fetch library to perform the following tests in order:
- Without logging in, try to add an activity. This should result in an error condition.
- Without logging in, try to delete an activity. This should result in an error condition.
- Login successfully as a club member and save and print out the cookie returned.
- Try to add an activity. This should result in an error condition.
- Try to delete an activity. This should result in an error condition.
- Login successfully as the club admin and save and print out the cookie returned.
- Try to add an activity. This should be successful. Print out the return code.
- Try to delete an activity. This should be successful. Print out the return code.
Show a screenshot of your test output and put your JavaScript code here.
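The shape of both test programs from (a) and (b) in one file, as an added example and not the assignment's solution. The HTTP client is injectable so the sequence can be exercised offline. Everything about the server is assumed: routes POST /login, GET /members, POST /activities and DELETE /activities/:id; constructed logins alice/member-pw (member) and root/admin-pw (admin); and Node 18+'s global fetch (in a .mjs file you can instead `import fetch from "node-fetch"` and pass it as fetchImpl).

```javascript
// Added example, not the course's solution. Assumptions: the routes and
// credentials below are constructed; adjust them to your clubServer.
const MEMBER = { username: "alice", password: "member-pw" };
const ADMIN = { username: "root", password: "admin-pw" };

// Keep only "name=value" from Set-Cookie: Path, HttpOnly and the other
// attributes are instructions to the client and must not be echoed back.
function sessionCookie(setCookie) {
  if (!setCookie) throw new Error("login response carried no Set-Cookie header");
  return setCookie.split(";")[0].trim();
}

// One request; callers read only the status, so member data is never printed.
function call(base, method, path, { cookie, body } = {}, fetchImpl) {
  const headers = {};
  if (cookie) headers.cookie = cookie;
  if (body !== undefined) headers["content-type"] = "application/json";
  return fetchImpl(base + path, {
    method, headers, body: body === undefined ? undefined : JSON.stringify(body),
  });
}

async function login(base, creds, fetchImpl) {
  const res = await call(base, "POST", "/login", { body: creds }, fetchImpl);
  if (res.status !== 200) throw new Error(`login as ${creds.username} failed: ${res.status}`);
  const cookie = sessionCookie(res.headers.get("set-cookie"));
  console.log(`cookie for ${creds.username}: ${cookie}`);
  return cookie;
}

// Records {name, status} per step so the whole sequence can be checked.
function recorder() {
  const out = [];
  const step = async (name, pending) => {
    const res = await pending;
    out.push({ name, status: res.status });
    console.log(`${name}: ${res.status}`);
    return res;
  };
  return { out, step };
}

async function runMemberTests(base, fetchImpl = globalThis.fetch) {
  const { out, step } = recorder();
  await step("guest GET /members", call(base, "GET", "/members", {}, fetchImpl));
  const member = await login(base, MEMBER, fetchImpl);
  await step("member GET /members", call(base, "GET", "/members", { cookie: member }, fetchImpl));
  const admin = await login(base, ADMIN, fetchImpl);
  await step("admin GET /members", call(base, "GET", "/members", { cookie: admin }, fetchImpl));
  return out;
}

async function runActivityTests(base, fetchImpl = globalThis.fetch) {
  const { out, step } = recorder();
  const activity = { name: "Hike", date: "2024-05-01" }; // constructed payload
  const add = (cookie) => call(base, "POST", "/activities", { cookie, body: activity }, fetchImpl);
  const del = (cookie, id) => call(base, "DELETE", `/activities/${id}`, { cookie }, fetchImpl);
  // adminOnly rejects before any lookup, so the id used by guest/member is irrelevant.
  await step("guest POST /activities", add(undefined));
  await step("guest DELETE /activities/1", del(undefined, 1));
  const member = await login(base, MEMBER, fetchImpl);
  await step("member POST /activities", add(member));
  await step("member DELETE /activities/1", del(member, 1));
  const admin = await login(base, ADMIN, fetchImpl);
  const created = await step("admin POST /activities", add(admin));
  const { id } = await created.json(); // delete the activity just created
  await step(`admin DELETE /activities/${id}`, del(admin, id));
  return out;
}

// Against a live server:  CLUB_URL=http://localhost:3000 node membersTests.mjs
if (process.env.CLUB_URL) {
  runMemberTests(process.env.CLUB_URL)
    .then(() => runActivityTests(process.env.CLUB_URL))
    .catch((e) => { console.error(e); process.exitCode = 1; });
}
```

Each login is a fresh session, so the member cookie and the admin cookie are different values; printing both and then the status of each protected call is exactly what the screenshot should show. Whether "member GET /members" is 200 or 403 depends on which middleware you put on that route in Question 2.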
Question 4. (10 pts) REST APIs
For our club server we need to handle at least three types of information:
- Activities
- Members
- Applicants (people that want to become members)
In this problem we are going to specify/design, but NOT IMPLEMENT, interfaces for working with these information collections.
You are to use the resource naming guide and the HTTP methods guide to determine appropriate names, methods, and response codes (success and failure) to be used for the following interfaces. Assume that each club activity and user has a unique id (like the one the database gives us). For each of the interfaces give the URL path, the method to be used, and the return codes/information to be returned (if any) under success conditions. Indicate which roles can use the interface.
(a) Specify Activity Interfaces
Design the interfaces for getting all club activities, adding a new activity, and deleting a club activity. For each interface specify the HTTP method, the URL (path and parameters if any), success and error codes to be used, a sample of data to be sent and/or received, and who should be allowed to use this interface (guest, member, admin).
Show these interfaces here (path, method, status codes, not JavaScript).
(b) Specify Member Interfaces
Design the interfaces for getting all club members, adding a new member, updating, and deleting a club member. For each interface specify the HTTP method, the URL (path and parameters if any), success and error codes to be used, a sample of data to be sent and/or received, and who should be allowed to use this interface (guest, member, admin).
Show these interfaces here.
(c) Specify Applicant Interfaces
Design the interfaces for getting all club applicants, adding a new applicant, and deleting a club applicant. For each interface specify the HTTP method, the URL (path and parameters if any), success and error codes to be used, a sample of data to be sent and/or received, and who should be allowed to use this interface (guest, member, admin).
Show these interfaces here.