this project creates two POST endpoints
/signin
- accepts json in the form of {username: String, password: String}
and returns {token}
where token is a UUID
/signout
- accepts an "Authorization"
header in the form of "Bearer UUID"
where UUID is the {token}
returned from /signin
$ npm install
$ npm start
curl --location --request POST 'http://localhost:8080/signin' \ --header 'Content-Type: application/json' \ --data-raw '{ "username": "user1", "password": "123" }'
- assert return value is in the form
{token: UUID}
- assert the file
/db/sessions.json
should contain the UUID curl --location --request POST 'http://localhost:8080/signout' \ --header 'Authorization: Bearer UUID'
where UUID is the UUID asserted above- assert that the file
/db/sessions.json
now has a record with the UUID and a fieldsigned_out_at
If a second call to /signin with the same username/password is made, a second session will not be created and a token will not be returned, until the first session is signed out by calling /signout
with the previous session's token.
I've used the express
package to handle the HTTP requests, the uuid
package to generate random session tokens not tied to the user's data, and the diskdb
package as a database. diskdb
has an API that's analagous to mongodb
so replacing it with an external MongoDB server should be trivial.
- The sessions collection will grow indefinitely. I'd reccommend deleting old sessions if feasible.
- The current number of allowed sessions is only one, but that could be increased.
- I am currently returning the same HTTP status code for a mismatched password, and too manay sessions. The client will likely want to distinguish between these to provide better messaging.