Merge pull request #199 from HackYourFuture-CPH/58-backend-nodejs-week2

[Backend] NodeJS - week 2

Author: adamblanchard

SUMMARY.md

@@ -135,6 +135,25 @@
       - [Session Plan](courses/backend/databases/week2/session-plan.md)
       - [Assignment](courses/backend/databases/week2/assignment.md)
   - [Node](courses/backend/node/README.md)
+    - [Week 1](courses/backend/node/week1/README.md)
+      - [Session Materials](courses/backend/node/week1/session-materials/)
+        - [1. Server](courses/backend/node/week1/session-materials/01-server.md)
+        - [2. Schema](courses/backend/node/week1/session-materials/02-schema.md)
+        - [3. Routing](courses/backend/node/week1/session-materials/03-routing.md)
+        - [4. Database connection](courses/backend/node/week1/session-materials/04-database-connection.md)
+        - [5. GET endpoints](courses/backend/node/week1/session-materials/05-get-endpoints.md)
+        - [6. Auth](courses/backend/node/week1/session-materials/06-auth.md)
+      - [Preparation](courses/backend/node/week1/preparation.md)
+      - [Session Plan](courses/backend/node/week1/session-plan.md)
+      - [Assignment](courses/backend/node/week1/assignment.md)
+    - [Week 2](courses/backend/node/week2/README.md)
+      - [Session Materials](courses/backend/node/week2/session-materials/)
+        - [7. POST endpoints](courses/backend/node/week2/session-materials/07-post-endpoint.md)
+        - [8. PUT endpoints](courses/backend/node/week2/session-materials/08-put-endpoint.md)
+        - [9. DELETE endpoints](courses/backend/node/week2/session-materials/09-delete-endpoint.md)
+      - [Preparation](courses/backend/node/week2/preparation.md)
+      - [Session Plan](courses/backend/node/week2/session-plan.md)
+      - [Assignment](courses/backend/node/week2/assignment.md)
   - [Final Backend Project](courses/backend/final-project/README.md)
 
 - [Common Modules](shared-modules/README.md)

courses/backend/node/README.md

@@ -4,10 +4,10 @@ This module is part of the Backend specialism and focuses on using Node.js to bu
 
 ## Contents
 
-| Week | Topic                    | Preparation                         | Lesson Plan                         | Assignment                            |
-| ---- | ------------------------ | ----------------------------------- | ----------------------------------- | ------------------------------------- |
-| 1.   | Express                  | [Preparation](week1/preparation.md) | [Assignment](./week1/assignment.md) | [Session plan](week1/session-plan.md) |
-| 2.   | Database connection; API | [Preparation](week2/preparation.md) | [Assignment](./week1/assignment.md) | [Session plan](week2/session-plan.md) |
+| Week | Topic                    | Preparation                           | Session Plan                                          | Assignment                          |
+| ---- | ------------------------ | ------------------------------------- | ----------------------------------------------------- | ----------------------------------- |
+| 1.   | Express                  | [Preparation](./week1/preparation.md) | [Session plan](./week1/session-plan.md) (for mentors) | [Assignment](./week1/assignment.md) |
+| 2.   | Database connection; API | [Preparation](./week2/preparation.md) | [Session plan](./week2/session-plan.md) (for mentors) | [Assignment](./week1/assignment.md) |
 
 ## Module Learning Goals
 
@@ -16,6 +16,6 @@ By the end of this module, you will be able to:
 - [ ] Build web servers with Express.js
 - [ ] Design and implement APIs using HTTP methods following REST principles
 - [ ] Use middlewares for authentication, logging, and validation
-- [ ] Test APIs using Postman
 - [ ] Use logging and debugging tools to monitor and troubleshoot applications
 - [ ] Connect to databases and implement CRUD operations
+- [ ] Test APIs using Postman

courses/backend/node/week1/README.md

@@ -13,7 +13,7 @@ In this session we will focus on Express.js, which is an application framework f
 By the end of this session, you will be able to:
 
 - [ ] Explain what Express is and describe why it is used for building backend applications.
-- [ ] Implement routing in Express to handle different HTTP requests and endpoints.
+- [ ] Implement routing in Express to handle `GET` HTTP requests, endpoints and parameters.
 - [ ] Use logging and debugging tools to monitor and troubleshoot Node.js applications.
 - [ ] Apply middleware functions in Express to process requests and responses.
-- [ ] Use Postman to test and debug APIs you have built.
+- [ ] Understand the importance of Authentication and various methods for implementing it.

courses/backend/node/week1/session-materials/06-auth.md

@@ -116,4 +116,4 @@ It is left as an optional exercise to add the following routes:
 - `PUT /api/snippets/:id` to update a snippet
 - `DELETE /api/snippets/:id` to delete a snippet
 
-Also, it could be a good idea to deny the request if the user making the request is not confirmed
+Also, it could be a good idea to deny the request if the user making the request is not confirmed.

courses/backend/node/week1/session-plan.md

@@ -1,31 +1,30 @@
 # Session plan
 
-## Session Outline
-
-- Express
-  - What is Express (10 mins)
-    - [Live coding: setup a server](./session-materials/01-server.md)
-    - [Excercise: create a local project and database schema](./session-materials/02-schema.md)
-  - Routing in Express (20 mins)
-    - `app.use`
-    - `app.get`
-    - [Live coding: routing](#appget-vs-appuse)
-    - [Excercise: Setup routing](./session-materials/03-routing.md) (10 mins)
-  - URL parameters in Express (30 mins)
-    - [Explanation and live coding](#query-parameters-vs-url-parameters)
-    - [Excercise: connect to the database](./session-materials/04-database-connection.md)
-    - [Excercise: GET endpoints](./session-materials/05-get-endpoints.md)
-  - Route order (15 mins)
-    - [Live coding: why route order matters](#route-order)
-    - Logging and debugging
-  - Middleware (15 mins)
-    - [`next` method](https://expressjs.com/en/guide/using-middleware.html)
-    - Modifying `request` and `response`
-    - <https://fullstackopen.com/en/part3/node_js_and_express#express>
-    - [Live coding: basic middleware example](#middleware)
-  - Authentication (30 mins)
-    - [Authentication explanation](#authentication-explanation)
-    - [Excercise: implement authentication](./session-materials/06-auth.md)
+## Session outline
+
+- What is Express (10 mins)
+  - [Live coding: setup a server](./session-materials/01-server.md)
+  - [Excercise: create a local project and database schema](./session-materials/02-schema.md)
+- Routing in Express (20 mins)
+  - `app.use`
+  - `app.get`
+  - [Live coding: routing](#appget-vs-appuse)
+  - [Excercise: Setup routing](./session-materials/03-routing.md) (10 mins)
+- URL parameters in Express (30 mins)
+  - [Explanation and live coding](#query-parameters-vs-url-parameters)
+  - [Excercise: connect to the database](./session-materials/04-database-connection.md)
+  - [Excercise: GET endpoints](./session-materials/05-get-endpoints.md)
+- Route order (15 mins)
+  - [Live coding: why route order matters](#route-order)
+  - Logging and debugging
+- Middleware (15 mins)
+  - [`next` method](https://expressjs.com/en/guide/using-middleware.html)
+  - Modifying `request` and `response`
+  - <https://fullstackopen.com/en/part3/node_js_and_express#express>
+  - [Live coding: basic middleware example](#middleware)
+- Authentication (30 mins)
+  - [Authentication explanation](#authentication-explanation)
+  - [Excercise: implement authentication](./session-materials/06-auth.md)
 
 ## Exercises
 

courses/backend/node/week2/README.md

@@ -0,0 +1,26 @@
+# Node (Week 2)
+
+In this session we will focus on connecting to a database, building an API, and using Postman to test our API endpoints. We will also cover how to structure our code for better maintainability and scalability.
+
+## Contents
+
+- [Preparation](./preparation.md)
+- [Session Plan](./session-plan.md) (for mentors)
+- [Assignment](./assignment.md)
+
+## Session Learning goals
+
+By the end of this session, you will be able to:
+
+- [ ] Manage advanced database interactions in your service
+  - [ ] Understand what Knex is and why to use it
+  - [ ] Set up connections to your database using Knex
+  - [ ] Execute `select`, `create`, `delete` and `update` queries using Knex Query Builder
+- [ ] Implement all REST endpoints using Express
+  - [ ] `POST`, `DELETE`, `PUT`
+  - [ ] Use appropriate error handling to understand and debug issues
+- [ ] Configure Postman for advanced backend development
+  - [ ] Creating collections and saving requests
+  - [ ] Set up multiple environments
+  - [ ] Managing secrets
+  - [ ] Create basic test suites

courses/backend/node/week2/assignment.md

@@ -0,0 +1,131 @@
+# Assignment
+
+You'll set up and work with your own version of a simple Contacts API.
+
+It will start with one endpoint (and you will add more throughout the task):
+
+- `GET /api/contacts`
+
+This endpoint accepts a query parameter `sort`. Here's how it should be possible to use it:
+
+- `GET /api/contacts?sort=first_name%20ASC`
+  - Sorts contacts by first name, ascending
+- `GET /api/contacts?sort=last_name%20DESC`
+  - Sorts contacts by last name, descending
+
+## Setup
+
+1. Go to/create a `node/week2` directory in your `hyf-assignment` repo.
+2. Create yourself a new node application
+3. Create a database called `phonebook` with a `contacts` table, with the following schema and data:
+
+```sql
+CREATE TABLE `contacts` (
+  `id` int unsigned NOT NULL AUTO_INCREMENT,
+  `first_name` varchar(255) NOT NULL,
+  `last_name` varchar(255) NOT NULL,
+  `email` varchar(255) DEFAULT NULL,
+  `phone` varchar(255) DEFAULT NULL,
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
+
+-- Sample data
+insert into contacts (id, first_name, last_name, email, phone) values (1, 'Selig', 'Matussov', '[email protected]', '176-630-4577');
+insert into contacts (id, first_name, last_name, email, phone) values (2, 'Kenny', 'Yerrington', null, null);
+insert into contacts (id, first_name, last_name, email, phone) values (3, 'Emilie', 'Gaitskell', null, null);
+insert into contacts (id, first_name, last_name, email, phone) values (4, 'Jordon', 'Tokell', null, null);
+insert into contacts (id, first_name, last_name, email, phone) values (5, 'Sallyann', 'Persse', '[email protected]', '219-157-2368');
+insert into contacts (id, first_name, last_name, email, phone) values (6, 'Berri', 'Bulter', null, null);
+insert into contacts (id, first_name, last_name, email, phone) values (7, 'Lanni', 'Ivanilov', '[email protected]', null);
+insert into contacts (id, first_name, last_name, email, phone) values (8, 'Dagny', 'Milnthorpe', null, null);
+insert into contacts (id, first_name, last_name, email, phone) values (9, 'Annadiane', 'Bansal', null, null);
+insert into contacts (id, first_name, last_name, email, phone) values (10, 'Tawsha', 'Hackley', null, null);
+insert into contacts (id, first_name, last_name, email, phone) values (11, 'Rubetta', 'Ozelton', null, null);
+insert into contacts (id, first_name, last_name, email, phone) values (12, 'Charles', 'Boughey', '[email protected]', '605-358-5664');
+insert into contacts (id, first_name, last_name, email, phone) values (13, 'Shantee', 'Robbe', null, null);
+insert into contacts (id, first_name, last_name, email, phone) values (14, 'Gleda', 'Peat', null, null);
+insert into contacts (id, first_name, last_name, email, phone) values (15, 'Arlinda', 'Ethersey', '[email protected]', '916-139-1300');
+insert into contacts (id, first_name, last_name, email, phone) values (16, 'Armando', 'Meachem', '[email protected]', '631-442-5339');
+insert into contacts (id, first_name, last_name, email, phone) values (17, 'Codi', 'Redhouse', null, '401-953-6897');
+insert into contacts (id, first_name, last_name, email, phone) values (18, 'Ann', 'Buncombe', '[email protected]', '210-338-0748');
+insert into contacts (id, first_name, last_name, email, phone) values (19, 'Louis', 'Matzkaitis', '[email protected]', '583-996-6979');
+insert into contacts (id, first_name, last_name, email, phone) values (20, 'Jessey', 'Pala', null, null);
+insert into contacts (id, first_name, last_name, email, phone) values (21, 'Archy', 'Scipsey', '[email protected]', '420-983-2426');
+insert into contacts (id, first_name, last_name, email, phone) values (22, 'Benoit', 'Mould', '[email protected]', '271-217-9218');
+insert into contacts (id, first_name, last_name, email, phone) values (23, 'Sherm', 'Girardey', '[email protected]', '916-999-2957');
+insert into contacts (id, first_name, last_name, email, phone) values (24, 'Raquel', 'Mudge', '[email protected]', '789-830-7473');
+insert into contacts (id, first_name, last_name, email, phone) values (25, 'Tabor', 'Reavey', null, null);
+```
+
+4. Set up Express and an Sqlite connection in your node application. In your knex instance, make sure to set: `multipleStatements: true` - this is important!
+
+5. Make sure you have an API router under the `/api` path set up like so:
+
+```js
+app.use("/api", apiRouter);
+```
+
+6. Create a contacts router at `/contacts`, and attach it to your API router.
+7. In your contacts API, create the following endpoint:
+
+```js
+contactsAPIRouter.get("/", async (req, res) => {
+  let query = knexInstance.select("*").from("contacts");
+
+  if ("sort" in req.query) {
+    const orderBy = req.query.sort.toString();
+    if (orderBy.length > 0) {
+      query = query.orderByRaw(orderBy);
+    }
+  }
+
+  console.log("SQL", query.toSQL().sql);
+
+  try {
+    const data = await query;
+    res.json({ data });
+  } catch (e) {
+    console.error(e);
+    res.status(500).json({ error: "Internal server error" });
+  }
+});
+```
+
+## The tasks
+
+### Task 1 - Solve the SQL injection
+
+The current implementation of the `sort` query parameter has introduced an SQL injection vulnerability.
+
+First, you should demonstrate the SQL injection and that, for instance, it is possible to drop/delete the `contacts` table with the `sort` query parameter. Capture this demonstration with a screen recording, and attach it to your PR when you submit your assignment.
+
+After having demonstrated the SQL injection vulnerability, your task is then to fix the issue. Your solution should be solved in the `app.js` file only. While the the `multipleStatements: true` configuration you used enables this vulnerability, it should not be changed in your solution.
+
+### Task 2 - Improve your API
+
+Create two additional endpoints to enable the following functionality:
+
+1. Create new contacts
+2. Delete an existing contact
+
+### Task 3 - Error handling
+
+Update your endpoints with appropriate error handling. You should, at least, handle the following cases:
+
+1. Successful requests
+2. Incorrect requests (e.g. an incorrectly formatted sort request)
+3. Server issues (e.g. a missing database table, or an offline database)
+4. A catch all for any other errors
+
+Remember to:
+
+1. Return the appropriate HTTP code
+2. Avoid sending any implementation or internal data to the client
+3. Log an appropriate message so you can debug issues that occur in your service
+
+### Task 3 - Postman
+
+1. Create a Postman collection to capture some example requests with your new API.
+2. Create a basic test suite that you can run to validate that everything is working correctly.
+
+Share both a link to your Collection and a link to a test run showing your tests passing in your pull request.

courses/backend/node/week2/preparation.md

@@ -0,0 +1,6 @@
+# Preparation
+
+- [NodeJS Web API with KNEX and Express](https://www.youtube.com/watch?v=QNw9q4YXR4E) (15 min)
+- <https://fullstackopen.com/en/part3/node_js_and_express#rest> up until the `The Visual Studio Code REST client` section (15 min)
+- Familiarise yourself with the [Knex Cheatsheet](https://devhints.io/knex) (especially Select, Scheme and Modifying sections)
+- <https://jsonplaceholder.typicode.com/> - Free API for testing and prototyping. (5 min)

…k2/session-materials/04-post-endpoint.md …k2/session-materials/07-post-endpoint.mdcourses/backend/node/week2/session-materials/04-post-endpoint.md renamed to courses/backend/node/week2/session-materials/07-post-endpoint.md courses/backend/node/week2/session-materials/04-post-endpoint.md renamed to courses/backend/node/week2/session-materials/07-post-endpoint.md

@@ -1,34 +1,20 @@
-# API
+# POST endpoint
 
 ## `POST /api/snippets`
 
 Let's start with a simplified version of the `POST /api/snippets` route. First we add the POST route to `api/snippets.js`:
 
 ```js
-// Contents of api/snippets.js
-
-import express from "express";
-import knex from "../database.js";
-
-const router = express.Router();
-
-// GET /api/snippets
-router.get("/", async (request, response) => {
-  // TODO
-});
+// ...
 
 // POST /api/snippets
 router.post("/", async (request, response) => {
   // TODO
 });
 
-// TODO: GET /api/snippets/:id
-
-export default router;
+// ...
 ```
 
----
-
 To be able to insert a row into the `snippets` table, we need to have data in the `users` table. Create a user and note what the user ID is.
 
 The POST request we want to make will look something like this:
@@ -42,9 +28,9 @@ POST /api/snippets
 }
 ```
 
----
+### Exercise: Implement the POST endpoint
 
-**Task:** when we now make a request like
+When we now make a request like:
 
 ```text
 POST /api/snippets
@@ -57,7 +43,4 @@ POST /api/snippets
 
 you should insert a new row into the `snippets` table with the data from the request body.
 
-Hints:
-
-- [Insert with Knex](https://knexjs.org/guide/query-builder.html#insert)
-- When creating a snippet we also need to specify a `user_id`. For now, you can just pass in the `user_id` in the request body (alongside the other snippet data)
+When creating a snippet we also need to specify a `user_id`. For now, you can just pass in the `user_id` in the request body (alongside the other snippet data).

courses/backend/node/week2/session-materials/08-put-endpoint.md

@@ -0,0 +1,3 @@
+# PUT endpoint
+
+TODO