This repository was archived on 2020-12-18 in favour of a new website repository.
The behind-the-scenes hard-working backend that powers the MasterMovies website!
Visit MasterMovies »
Try the API »
API spec »
Welcome to the open-source repository for the MasterMovies domain. Feel free to explore the inner workings of the website and see if you can find a way to break it!
This repository may be forced-pushed at any time.
The repository is a self-contained package that allows you to install required dependencies with npm, and build your own local copy to try out.
- Node.js runtime (+npm)
- Postgres database
- (PM2 for easy process management)
- (nginx as a TLS-termination reverse proxy)
The database data is private, everything else is public.
- Clone the repository
- Install dependencies
- Build the API
- (create and populate a .env file)
- Launch!
$ git clone https://github.com/MarcusCemes/mastermovies-api.git
$ npm ci
$ echo "PGHOST=/var/run/postgresql\nPGUSER=nodejs\nPGDATABASE=mastermovies" > .env
$ node -r dotenv/config ./build/main/index.jsThe secure aspects of MasterMovies are handled using JSON Web Tokens for secure session exchange and resource authorisation, providing the best balance between benefits and drawbacks.
The session is communicated to the server via the Authorisation header (Bearer scheme). State-changing requests (e.g. POST) may return an updated and renewed session token via the JSON response payload.
The session JWT is archived in a path-restricted secure cookie so that the session may be resumed after an initial synchronisation with the API.
Credentials are submitted to the API via secure endpoints via a POST request. If the request is validated, the session token or additional authorisation tokens will be returned in the response payload.
Session updates are non-atomic and may result in an overwrite conflict. It is up to the client to intelligently manage their session tokens.
To prevent session hijacking, each token also posses a unique jti field, which is the hash of a secret stored as a secure HTTP-Only cookie. HTTP-Only cookies are protected against client-side access. To retrieve the secret, low-level access to the browser/filesystem is necessary.
The JWT is included in the Authorisation header (Bearer scheme). This is secure and conforms to standards.
To authorise a browser download (that does not support headers), a initial XHR request must be made to authorise a unique authorisation token in the form of a signed URL.
The signed URL provides an extended window in which the resource may be access that cannot be revoked. The signed URL is exposed in the address bar and stored in the browser history.
+ Requests are short and efficient, while providing reusable sessions
+ Downloads stay validated after logout
+ Conforms to HTTP standards, no cookie/URL size limitation
- Requires an extra download authorisation step
- The session is not legibly stored on the client, and must be restored from the API before any authorised requestDistributed under the Apache 2.0 License. See LICENSE for more information.
Marcus Cemes - @MarcusCemes - marcus@mastermovies.uk
Project Link: https://mastermovies.uk - https://api.mastermovies.uk