$ git clone git@github.com:desoleary/lend-desk-coding-challenge-rails.git
$ cd lend-desk-coding-challenge-rails
$ bundle install
$ bin/rspec
$ bin/rake rswag:specs:swaggerize # Optionally re-generates API Docs
$ brew install redis # Optional
$ redis-server # runs redis server on port 6379
$ bin/rails s # Ensure you have OS redis installed and running under port 6379
$ open http://0.0.0.0:3000/api-docs # opens Swagger API Docs
- URL: http://0.0.0.0:3000/api-docs
- Regenerate API: `bin/rake rswag:specs:swaggerize`
- JWT encode/decode is not involved
- Uses JWT naming conventions to demonstrate an approach for recording data related to calculating inactivity via `initiated_at` and `expires_at`
- Encryption used was via `MessageEncryptor`, which can be helpful in storing cookies that might span more than one service
- Introduced validation contracts via the dry-validation library
- Uses `SimpleRedisOrm::ApplicationEntry` in order to simplify redis model storage interactions
- Attributes declared making use of dry-struct
- redis interactions encapsulated inside of `RedisStore::Entry`
Service layer introduced to promote re-use and focus on single responsibilities via action classes.
- Context obj returned from Organizers exposes the likes of `.success?`, `.errors` and `.params`
- `add_params` ~ adds key value pairs to context `params`
- `add_errors` ~ adds key value pairs to context `errors` and fails the context, ensuring that subsequent actions do not get called
- Adds `login_state` based on session entry added via Redis
- Caller adds value of `login_state` to `secure_session` cookie
- Checks username and password
- Error handling
- Creates entry with encrypted password via `BCrypt::Password`
  - redis key `user-<email>`
- Stores session token as a simple `SecureRandom.hex`
  - redis key `session-<random-hex>`
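The organizer/context flow (`add_params`, `add_errors`, `.success?`) and the `session-<random-hex>` key layout described above, as an added Ruby example that is not the project's own code; the class and action names are assumptions, and the real app would persist the session entry to Redis rather than only minting the key:

```ruby
require 'securerandom'

# Context passed from action to action; exposes .success?, .errors and .params
# like the organizer context described above (names are assumptions).
class Context
  attr_reader :params, :errors
  def initialize(params = {})
    @params, @errors, @failed = params.dup, {}, false
  end

  # Adds key/value pairs to context params for later actions.
  def add_params(pairs)
    @params.merge!(pairs)
  end

  # Adds key/value pairs to context errors and fails the context,
  # so the organizer does not call any subsequent action.
  def add_errors(pairs)
    @errors.merge!(pairs)
    @failed = true
  end

  def success?
    !@failed
  end
end

# Organizer: runs actions in order, halting at the first failed context.
class Organizer
  def self.call(params, actions)
    ctx = Context.new(params)
    actions.each do |action|
      break unless ctx.success? # a failed context stops the chain
      action.call(ctx)
    end
    ctx
  end
end

# Hypothetical actions for a sign-in organizer (constructed for this example).
CheckCredentials = lambda do |ctx|
  ok = !ctx.params[:email].to_s.empty? && !ctx.params[:password].to_s.empty?
  ctx.add_errors(credentials: 'email and password are required') unless ok
end

# Mints the session token; the real app would also write session-<hex> to Redis.
CreateSession = lambda do |ctx|
  token = SecureRandom.hex
  ctx.add_params(session_token: token, redis_key: "session-#{token}")
end

def sign_in(params)
  Organizer.call(params, [CheckCredentials, CreateSession])
end
```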
- Investigate why the need for `without_invalid_characters` via Swagger API calls
- Fix `BCrypt::Errors::InvalidHash: invalid hash` error encountered via Swagger API call `/users/sign_in`
- Uncomment CSRF `protect_from_forgery` and fix Swagger API calls
- Hide the likes of below from organizer params/input
  - password
  - password_confirmation
- Implement reset password endpoints
  - `POST /users/password` creates reset password token
  - `PUT /users/password` updates password when provided valid `token`
  - Ensure password is reset within a certain amount of time e.g. 6 hours
  - Send notification emails
- Implement lock account via max invalid credential attempts
- logging ~ remove any sensitive data
- non api only
- Implement reset session after configured inactivity e.g. after 30 minutes
- CAPTCHA on failed logins
- Implement rate limiting based on client identifier e.g. max 1000 requests per hour
- Complete CORS configuration
- Ensure Redis interactions cannot be maliciously accessed via the likes of Cross Site Scripting (XSS)
- Run bundle audit prior to git remote push