- Docker
- Nginx
- Gunicorn
- Flask
- Flask-restx
- Flask-marshmallow
- Flask-SQLAlchemy
- Flask-JWT-Extended
- PostgreSQL
- Create a simple customer data model,
- Implement an API that will perform CRUD operations on the customer data model, and
- Prepare documentation to guide a user on how to get the above running, and how to use it
- List Action - Youngest N Customers
- JWT Authentication
- Design against Replay Attack
- Dockerize
CUSTOMER : Customers ( id, name, dob, updated_at )
Create RESTful API endpoints returning JSON so that a user can perform CRUD (create, read, update, delete) actions on the customers table. In addition, implement a list action: it takes a number n as a GET parameter and returns the n youngest customers, ordered by date of birth.
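The list action as an added example (not the flask-customers code): n is validated before it reaches the database and LIMIT is bound as a query parameter rather than formatted into the SQL. The project uses Flask-SQLAlchemy on PostgreSQL, which produces the same `ORDER BY dob DESC LIMIT n`; SQLite is used here only so the example runs stand-alone. MAX_N and the sample rows are constructed for this example.

```python
"""n youngest customers: input validation plus a parameterised query.
Added example, not the project's code. Uses SQLite so it runs offline."""
import sqlite3

MAX_N = 100  # assumed cap: a caller must not be able to dump the whole table via n


def parse_n(raw) -> int:
    """Validate the GET parameter n: an integer in 1..MAX_N, nothing else."""
    try:
        n = int(raw)
    except (TypeError, ValueError):
        raise ValueError("n must be an integer")
    if n < 1 or n > MAX_N:
        raise ValueError(f"n must be between 1 and {MAX_N}")
    return n


def youngest(conn: sqlite3.Connection, raw_n) -> list:
    """Return the n customers with the most recent date of birth.

    Youngest means latest dob, hence DESC; id breaks ties so paging is stable.
    LIMIT is bound as a parameter, never interpolated into the SQL string.
    """
    n = parse_n(raw_n)
    rows = conn.execute(
        "SELECT id, name, dob FROM customers ORDER BY dob DESC, id ASC LIMIT ?",
        (n,),
    ).fetchall()
    return [{"id": r[0], "name": r[1], "dob": r[2]} for r in rows]


def sample_db() -> sqlite3.Connection:
    """Constructed sample data mirroring Customers(id, name, dob, updated_at).

    dob is stored as ISO-8601 text, so string order equals date order.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers ("
        "id INTEGER PRIMARY KEY, name TEXT NOT NULL, dob TEXT NOT NULL, updated_at TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, dob) VALUES (?, ?)",
        [("Alice", "1985-03-14"), ("Bob", "2001-11-02"),
         ("Carol", "1999-07-21"), ("Dave", "2001-11-02")],
    )
    return conn
```

In the Flask handler the only change is where n comes from (`request.args.get("n")`) and that a ValueError from `parse_n` becomes a 400 response instead of an exception.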
The API endpoints should not be publicly accessible, use JWT to implement authentication.
Replay attacks are possible with JWT since the auth data is stored client-side. Implement a simple method to block the recycling (replays) of old sessions. This process need not be comprehensive, just share an explanation of the potential pitfalls of what you’ve designed.
Solution :
To limit replay attacks, the following steps have been taken:
- Short expiration time for each access token, currently set to 10 minutes
- Use of a refresh token to obtain a new access token, which limits how long a captured access token stays useful
- Blacklisting of the token once logout is performed
Pitfalls of this design: a captured access token can still be replayed until it expires, so the 10-minute lifetime is the exposure window rather than zero; only tokens revoked through logout are blacklisted, so a stolen refresh token remains usable until its own expiry; and the blacklist must live in storage shared by every Gunicorn worker (PostgreSQL is already part of the stack), because a per-process in-memory list is neither shared between workers nor kept across a restart.
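The three countermeasures above, worked through as an added stand-alone example. This is not the flask-customers code: the project uses Flask-JWT-Extended, while this file hand-rolls HS256 JWTs with the standard library so it runs without Flask. It keeps the same design (10-minute access tokens, a refresh token that yields a new pair, a blacklist of revoked token IDs checked on every request) and goes one step beyond what the README states by also revoking each refresh token as it is consumed, so a refresh token is single-use. SECRET, REFRESH_TTL and the in-memory BLOCKLIST are assumed values for the example.

```python
"""Replay defences from the README: short expiry, refresh, logout blacklist.
Added example, not the project's Flask-JWT-Extended code."""
import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET = b"change-me-in-config"  # assumed; a real app loads JWT_SECRET_KEY from config
ACCESS_TTL = 10 * 60             # 10 minutes, as in the README
REFRESH_TTL = 24 * 60 * 60       # assumed refresh-token lifetime
BLOCKLIST = set()                # revoked jti values; in-memory here, shared storage in production


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()


def encode(claims: dict) -> str:
    """Serialise claims as a compact HS256 JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    return f"{header}.{body}.{_b64url(_sign(header + '.' + body))}"


def decode(token: str, expected_type: str, now: float = None) -> dict:
    """Verify signature, token type, expiry and blacklist; raise ValueError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    # Check the signature first, in constant time, before trusting any claim.
    if not hmac.compare_digest(_sign(header + "." + body), _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("type") != expected_type:
        raise ValueError("wrong token type")  # a refresh token is not accepted as an access token
    if now >= claims["exp"]:
        raise ValueError("token expired")
    if claims["jti"] in BLOCKLIST:
        raise ValueError("token revoked")
    return claims


def issue_pair(username: str, now: float = None) -> dict:
    """Issue a fresh access/refresh pair, each with its own random jti."""
    now = time.time() if now is None else now

    def make(ttl: int, typ: str) -> str:
        return encode({"sub": username, "type": typ, "iat": now,
                       "exp": now + ttl, "jti": secrets.token_hex(16)})

    return {"access_token": make(ACCESS_TTL, "access"),
            "refresh_token": make(REFRESH_TTL, "refresh")}


def login(username: str, password: str, now: float = None) -> dict:
    """POST /api/v1/authentication/login with the README's test credentials."""
    if not (hmac.compare_digest(username, "test") and hmac.compare_digest(password, "test")):
        raise ValueError("bad credentials")
    return issue_pair(username, now)


def refresh(refresh_token: str, now: float = None) -> dict:
    """POST /api/v1/authentication/refresh: trade a refresh token for a new pair."""
    claims = decode(refresh_token, "refresh", now)
    BLOCKLIST.add(claims["jti"])  # rotation (assumed): the consumed refresh token cannot be replayed
    return issue_pair(claims["sub"], now)


def logout(access_token: str, refresh_token: str = None, now: float = None) -> None:
    """Blacklist the presented tokens so a captured copy is rejected from now on."""
    BLOCKLIST.add(decode(access_token, "access", now)["jti"])
    if refresh_token is not None:
        BLOCKLIST.add(decode(refresh_token, "refresh", now)["jti"])
```

A protected endpoint such as GET /api/v1/customers/customers would call `decode(token, "access")` on the Bearer value and answer 401 on ValueError. The pitfall is visible in the checks themselves: an access token captured at minute 1 still decodes until minute 10 unless the owner logs out, and BLOCKLIST only does its job if it is a table or cache every Gunicorn worker reads.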
Prepare a docker image or docker-compose file that provides a means of easy deployment. The build process should include the necessary initialization of Postgres and any misc. configuration.
git clone https://github.com/aswincsekar/flask-customers.git
cd flask-customers
docker-compose -f docker-compose.yml build
docker-compose -f docker-compose.yml up -d
- Open Browser
- Go to localhost
- Test APIs on the swagger interface
User should get the JWT token at
http://localhost/api/v1/authentication/login
METHOD : POST
Access Credentials
username : test
password : test
RESPONSE :
{
  "access_token": "{token}",
  "refresh_token": "{token}"
}
User should refresh the access token at
http://localhost/api/v1/authentication/refresh
METHOD : POST
AUTHORIZATION : Bearer Token (send the refresh token, not the access token)
RESPONSE :
{
  "access_token": "{token}",
  "refresh_token": "{token}"
}
http://localhost/api/v1/customers/customers
METHOD : GET
AUTHORIZATION : Bearer Token
http://localhost/api/v1/customers/customers
METHOD : POST
AUTHORIZATION : Bearer Token
BODY :
{
"updated_at": "2020-07-08T12:55:49.930Z",
"name": "string",
"dob": "2020-07-08"
}
http://localhost/api/v1/customers/nyoungest?n=1
METHOD : GET
PARAMS : n -> int
AUTHORIZATION : Bearer Token
http://localhost/api/v1/customers/customers/{customer_id}
METHOD : PUT
AUTHORIZATION : Bearer Token
BODY :
{
"updated_at": "2020-07-08T12:55:49.930Z",
"name": "string",
"dob": "2020-07-08"
}
http://localhost/api/v1/customers/customers/{customer_id}
METHOD : DELETE
AUTHORIZATION : Bearer Token
Use the following Postman collection to test the API. Every request has a pre-request script that fetches the access token first.
Postman Collection Link : https://documenter.getpostman.com/view/892323/T17Kbkus