Security

If you are developing a web application, you should be very careful about security. This challenge aims to give some fundamental knowledge about security in web applications. Here are the topics you are expected to learn in this challenge:

  • OAuth2.0
  • OpenID Connect
  • JWT
  • Authorization Policy
  • Rate Limiting
  • JSON Schema
  • Validation

Authentication

Authentication is the process of verifying the identity of a user, system, or entity attempting to access a computer system, network, or application. In web applications this typically involves usernames and passwords, multi-factor authentication, or other security measures that ensure only authorized individuals gain access to web-based resources, protecting user data and maintaining system security. Authentication is needed not only to secure sensitive data but also to associate data with a user, so that a user can only access their own data.

TLS (Transport Layer Security)

CSRF Attack

Cross-Site Request Forgery (CSRF) is a web security vulnerability in which an attacker tricks a user's browser into performing unauthorized and unintended actions on a different website where the user is authenticated. It occurs when the victim, who is already logged into a web application, visits a malicious website that initiates requests to the target site on the victim's behalf, potentially leading to actions such as changing account settings or making financial transactions without the user's consent. CSRF exploits the trust between the user and the web application, which is why proper request validation and the use of security tokens are needed to prevent such attacks.

Encryption

Symmetric encryption

Asymmetric encryption

Hashing

Validation

Validation is the process of checking that the provided data is in the expected or correct format. For example, if you have a form that takes an email address, you should check that the provided email address is in the correct format. Or you may want to check whether the provided age is a positive number and less than 100. Also, a given JSON field may contain an incorrect type: for example, a field that should be a number may be a string.

There are multiple approaches to these kinds of checks. For instance, you can use the assert function provided by Node.js, which throws an error if a given condition is not met, or you can use a library for validating the data. In its simplest form you can use if statements to check the data.

// Plain if checks: each one throws as soon as its condition fails.
if (!('name' in req.body)) throw new Error('Name is required');
if (typeof req.body.name !== 'string') throw new Error('Name should be a string');
if (req.body.name.length < 3) throw new Error('Name should be at least 3 characters');

Or you can implement validation with the assert function provided by Node.js, which looks a bit cleaner.

import assert from "assert";

...

assert("name" in req.body, "Name is required");
assert(typeof req.body.name === "string", "Name should be a string");
assert(req.body.name.length >= 3, "Name should be at least 3 characters");
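Both snippets above stop at the first failing check and only cover the name field. The following is an added example, not code from the original page, that generalizes the same checks into a small reusable validator: it covers the email-format, age-range and wrong-type cases described earlier, reports every error at once, and rejects fields that are not in the rule set. The rule format, checkField() and validateBody() are this example's own design.

```javascript
// Added example: a small reusable request-body validator. Not code from the original page;
// the rule format and helper names are assumptions made for this example.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/; // simple shape check, not full RFC 5322

// Check one value against one rule. Returns an error string, or null if the value is fine.
function checkField(name, value, rule) {
  if (value === undefined) {
    return rule.required ? `${name} is required` : null;
  }
  if (typeof value !== rule.type) {
    return `${name} should be a ${rule.type}`;
  }
  if (rule.type === "string") {
    if (rule.minLength !== undefined && value.length < rule.minLength) {
      return `${name} should be at least ${rule.minLength} characters`;
    }
    if (rule.format === "email" && !EMAIL_RE.test(value)) {
      return `${name} should be a valid email address`;
    }
  }
  if (rule.type === "number") {
    if (!Number.isFinite(value)) return `${name} should be a finite number`;
    if (rule.min !== undefined && value < rule.min) return `${name} should be at least ${rule.min}`;
    if (rule.max !== undefined && value > rule.max) return `${name} should be at most ${rule.max}`;
  }
  return null;
}

// Validate a whole body and collect every error instead of stopping at the first one.
// Fields that are not in the rule set are reported too, so unexpected data is never
// silently accepted. Uses hasOwnProperty so inherited names like "constructor" do not match.
function validateBody(body, rules) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return ["body should be a JSON object"];
  }
  const errors = [];
  for (const [name, rule] of Object.entries(rules)) {
    const err = checkField(name, body[name], rule);
    if (err) errors.push(err);
  }
  for (const name of Object.keys(body)) {
    if (!Object.prototype.hasOwnProperty.call(rules, name)) {
      errors.push(`${name} is not an allowed field`);
    }
  }
  return errors;
}

// Rules mirroring the checks discussed above: name at least 3 characters, a well-formed
// email, and an optional age that is positive and below 100 (taken here as 1..99).
const userRules = {
  name: { type: "string", required: true, minLength: 3 },
  email: { type: "string", required: true, format: "email" },
  age: { type: "number", required: false, min: 1, max: 99 },
};

// Constructed sample bodies.
const goodBody = { name: "Alice", email: "alice@example.com", age: 30 };
const badBody = { name: "Al", email: "not-an-email", age: "30", role: "admin" };
console.log(validateBody(goodBody, userRules)); // []
console.log(validateBody(badBody, userRules));  // four errors: name, email, age type, role
```

Returning the full list of errors rather than throwing on the first one gives the client one response to fix its input, and keeps the validator free of HTTP concerns so the same function can run in a route handler, a queue consumer or a unit test.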

JSON Schema

Authorization

Authorization is the process of verifying that a user has access to a resource. This means that it should not be possible to access a resource which belongs to another user. For example, if you have a task, it should not be possible to delete it unless you are the owner of the task. In order to do that, you need to implement a simple authorization system.
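The task-deletion rule above, as an added example that is not code from the original page: the ownership decision is kept in a pure function, and the handler refuses to touch the store unless that decision allows it. The in-memory task store, req.user (assumed to be filled in by the authentication step) and the Express-style handler shape are this example's own assumptions.

```javascript
// Added example: owner check before deleting a task. Not code from the original page; the
// task store, req.user and the Express-style handler signature are assumptions.
const tasks = new Map([
  [1, { id: 1, ownerId: "user-a", title: "write report" }],
  [2, { id: 2, ownerId: "user-b", title: "review PR" }],
]); // constructed sample data

// Pure decision function: may `requesterId` delete task `taskId`? Kept separate from the
// HTTP layer so it can be unit-tested and reused. Returns an HTTP-style status and reason.
function authorizeTaskDelete(store, taskId, requesterId) {
  const task = store.get(taskId);
  if (!task) return { allowed: false, status: 404, reason: "task not found" };
  if (task.ownerId !== requesterId) return { allowed: false, status: 403, reason: "not the owner" };
  return { allowed: true, status: 200, task };
}

// Handler that applies the decision. An unauthenticated request is rejected before any
// lookup, and the task is removed only when the requester is its owner.
function deleteTaskHandler(store, req, res) {
  if (!req.user || !req.user.id) return res.status(401).json({ error: "not authenticated" });
  const decision = authorizeTaskDelete(store, Number(req.params.id), req.user.id);
  if (!decision.allowed) return res.status(decision.status).json({ error: decision.reason });
  store.delete(decision.task.id);
  return res.status(204).end();
}

// Minimal stand-in for an Express response so the example runs without Express.
function makeRes() {
  const r = {
    statusCode: 0,
    body: null,
    status(code) { r.statusCode = code; return r; },
    json(payload) { r.body = payload; return r; },
    end() { return r; },
  };
  return r;
}

// Constructed walk-through: user-a tries to delete user-b's task, then user-b deletes it.
const res1 = makeRes();
deleteTaskHandler(tasks, { user: { id: "user-a" }, params: { id: "2" } }, res1);
console.log(res1.statusCode); // 403
const res2 = makeRes();
deleteTaskHandler(tasks, { user: { id: "user-b" }, params: { id: "2" } }, res2);
console.log(res2.statusCode, tasks.has(2)); // 204 false
```

The important property is that the lookup and the ownership comparison happen on the server using the authenticated identity, never an owner id supplied in the request. Some APIs answer 404 instead of 403 for a task the requester does not own so that the existence of other users' resources is not revealed; either choice is fine as long as the deletion itself is refused.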

JWT

OAuth2.0

API Rate Limiting

Everything in this world is built with finite resources. If access to the API is unlimited, anyone (or anything) can use the API as much as they want at any time, potentially preventing other legitimate users from accessing it. This is where API rate limiting comes in. API rate limiting is a technique that limits the number of requests that can be made to an API within a specified time period. Conceptually, the general steps are:

  1. Identification: Identify the requester. This can typically be done using the IP address, API key, or token.

  2. Count Requests: Count the requests made by the identified user or system in a specific time window.

  3. Set Limits: Define a limit for the number of requests that can be made in that time window.

  4. Block/Allow: If the number of requests is below the limit, allow the request. If it exceeds the limit, block the request and respond with an error such as 429 Too Many Requests.
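The four steps above, carried out in an added example that is not code from the original page and not the express-rate-limit library: an in-memory sliding-window limiter keyed by API key or client IP, plus a middleware wrapper that returns 429 with a Retry-After header. The RateLimiter class, the request shape (req.ip, req.headers) and the injectable clock are this example's own assumptions.

```javascript
// Added example: in-memory sliding-window rate limiter following the four steps above.
// Not code from the original page nor from express-rate-limit; the store, request shape and
// injectable clock are assumptions so the behaviour can be demonstrated deterministically.
class RateLimiter {
  constructor({ limit, windowMs, now = () => Date.now() }) {
    this.limit = limit;       // step 3: requests allowed per window
    this.windowMs = windowMs; // length of the trailing window in milliseconds
    this.now = now;           // clock, replaceable for tests
    this.log = new Map();     // step 2: key -> timestamps of recent requests
  }

  // Step 1: identify the requester. Prefer an API key, fall back to the client IP.
  static keyFor(req) {
    const apiKey = req.headers && req.headers["x-api-key"];
    return apiKey ? `key:${apiKey}` : `ip:${req.ip}`;
  }

  // Steps 2-4: count requests inside the trailing window, then allow or block.
  check(req) {
    const key = RateLimiter.keyFor(req);
    const t = this.now();
    const recent = (this.log.get(key) || []).filter((ts) => t - ts < this.windowMs);
    if (recent.length >= this.limit) {
      this.log.set(key, recent); // keep the pruned log, do not record the blocked request
      const retryAfterMs = recent[0] + this.windowMs - t; // when the oldest entry expires
      return { allowed: false, status: 429, message: "Too Many Requests",
               retryAfterSec: Math.ceil(retryAfterMs / 1000), remaining: 0 };
    }
    recent.push(t);
    this.log.set(key, recent);
    return { allowed: true, status: 200, remaining: this.limit - recent.length };
  }
}

// Express-style middleware: sets informational headers and short-circuits with 429.
function rateLimitMiddleware(limiter) {
  return (req, res, next) => {
    const result = limiter.check(req);
    res.setHeader("X-RateLimit-Limit", String(limiter.limit));
    res.setHeader("X-RateLimit-Remaining", String(result.remaining));
    if (!result.allowed) {
      res.setHeader("Retry-After", String(result.retryAfterSec));
      return res.status(429).json({ error: result.message });
    }
    return next();
  };
}

// Constructed walk-through with a fake clock: 3 requests per 10 seconds from one IP.
let fakeNow = 0;
const limiter = new RateLimiter({ limit: 3, windowMs: 10000, now: () => fakeNow });
const sampleReq = { ip: "203.0.113.5", headers: {} };
const outcomes = [];
for (let i = 0; i < 4; i++) { outcomes.push(limiter.check(sampleReq).status); fakeNow += 1000; }
fakeNow += 7000; // the oldest requests have now aged out of the 10 s window
outcomes.push(limiter.check(sampleReq).status);
console.log(outcomes.join(" ")); // 200 200 200 429 200
```

Two caveats a practitioner should keep in mind: identifying clients by req.ip is only as trustworthy as the proxy configuration in front of the server, so an API key or authenticated user id is the better key where one exists; and a per-process Map resets on restart and is not shared across instances, so a deployment with several servers needs a shared store for the counts.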

There are helper libraries that handle all of the above steps for you ('express-rate-limit' for Express.js). You can use them in the future.