How to optimize database design? - node.js

I am working on an ecommerce app. This app will have login/signup with phone no. only.
My partner does not want to create user without mobile verification. To avoid duplicate data in the database if a user doesn't proceed with OTP verification.
My aproach is to create user table and user otp table.
users:
id
name,
phone,
email
user_resources:
id,
user_id(foreign key),
otp
so as you can see otp cannot be create without a user_id.
The other idea is to create everything seprate like below. I think this design is more prone to false database. It will be defficult to create database reports.
users:
id
name,
# only two columns in users table
user_resources:
id,
user_id(users table),
otp
verify_phone:
user_id(foreign key users)
phone
is_phone_verified
verify_email:
user_id(foreign key users)
email
is_email_verified
Is the second approach good?

Related

how to create a survey app only allow the invited person visit only in a secure way

I have one Node.js app and database is MSSQL. I have implement the basic functionality like register, login and others like adding users. The authentication of the api is using JWT, so when a user login, he will receive a token saved on the cookie, just like normal app.
I'm going to add a new survey functionality to the app. With the survey, it does not require user login and does not ask to create a new user account, but only the person receive the invitation link can visit. What I current save on the survey main table is the email address and person name going to receive the survey and one auto generated UUID. The survey link may be /survey/UUID.
How should I do it and how to secure the survey form?
What I was thinking is to create a new token for each survey use only and attchecd with the invitation link, and then validate that token. But because it does not ask the login, I cannot validate the token with email. Should I need a Recaptcha only? Or I need to the login here, or at least need to the user confirm his email address so the token can be verify?
You could use id (primary key) AUTO increment on the main table, and 10-15 char as password. you generate token based on your format such as url/id+password. Id is always unique so its guarantee that each user will have their own token.

Session between REST calls with node.js for mobile

I have to do registration for a mobile app with node.js (express.js) backend. The registration process involves sevaral steps:
1. provide email
2. verify email
3. provide personal details
4. upload photo
For each of these steps there should be a separate call to the server API ( possibly through REST ).
How to keep the session so that the server knows that the consecutive calls come from the same client ? This is a mobile app so cookie based session won't work I think. Could you guide me somehow ? Is using a JWT token the right way to go ?
I'm not an expert but...
So here you need to firstly answear a question:
How much time does user have to create such account? For example, if you won't store information that user had started to create account and server restarted ( for whatever reason. eg error ), you will lose this info. So it would be worth to store this in some db.
You can use redis, mongodb, some sql db or just system files (not recommended ) it's up to you.
Assuming you want to persist such info, you can create REST endpoints.
So for example, you can have entry in MongoDB (which basically stores JSON structures).
NewAccount { id: <unique_id> , email, info, images }
So each endpoint you create will set info in this MongoDB entry.
Example:
1) POST /user/create -> this would create entry in MongodDB
2) PUT /user/create { body: { field: 'email', value: 'p#pp.pl' }}
3) POST /user/create/finish
We have one more question -> how to identify user? You can try to identify it by IP address. If it's mobile app, you have different ways to store info (eg user token) eg:
https://developer.android.com/guide/topics/data/data-storage
As per your step given :
sevaral steps: 1. provide email 2. verify email 3. provide personal details 4. upload photo
1.Register by email and password
Suggestion: You need to ask for email and password.
i) When a user enters the email and password check user exists with email if not then send a verified email and redirect to login.
2. Once User verified. Now user tries to log in.
i) When a user tries to login check email and password is correct or not.
ii) If correct then generate JWT Token on the backend and send back to APP.
ii) Now using JWT Token you can manage the user session on the app.

How to integrate Google or Facebook login with my database?

I want to understand how to integrate auth of Google or Facebook with my database.
I have a login system with email and password, users table and messages table for that represent messages of users.
When someone registers, a new user with userID is created.
When a user login to the system with email and password he gets an auth token,
and for each action the user makes, like POST or GET requests for fetching or creating a new message, he sends the token he got and the system finds the userID by this token, and then finds his own messages.
Now I want to add Google and Facebook login, how should I do it now?
I can get from each of them a token. but the user isn't actually exists in my user table, so when I search the user by his token, I won't get anything, because he is not exists in the user table, and when I want to insert him to this table, I need to fill the password field there but I can't get it from google.
What should be the approach to do thing like this?
Thank you.
When they first login, you can request their email from Facebook or google, the user will give your application access to see their email address.
At this point you could create a new user with that email and add a flag to say they came from facebook/google.
The rest works as normal, they would get a token from your application and so on.
In case they come back and login again, you don't need to register them as they are already in your database.
In case you need extra info from them, (more then just the info you can request from facebook/google) you could redirect them to a special form, for their first login.

Storing facebook account and email account in db

I have followed this tutorial: http://azure.microsoft.com/en-us/documentation/articles/mobile-services-dotnet-backend-get-started-custom-authentication/ in order for me to get a user to register with his email. I have also allowed users to login with their facebook account. The people who registers through email gets put into a table which looks like:
The problem is that if I create another table which is called "Post", how will i be able to store the userId of a person authenticated through facebook? Will I have to add them to the Account table as well if they are not found when logging in through facebook? If so, how will my table be structured to account for that?

what is the best practice for forgot password process?

I am currently developing a c# web application that allows users to login with a password. A feature that I need to include is a forgot password function.
What is the recommended process for forgot password?
I was considering this:
User clicks forgot password, enter email address
Email sent
Click on link in email (link only valid once and within time period)
Taken to the site and asked to enter new password (should they also give answer to security question?)
Password changed, email sent to user of such
User now can log in with new password
Your idea looks solid, but I would add some other considerations:
Be sure that the token you are generating in the email using is using a the .Net Framework crypto classes designed for randomization, not something that seems random but is not designed for that purpose.
Take no action on the account from the sending of the reset email (otherwise people will be able to lock other people's accounts if they know their email)
Add a rate limiter on how many resets per hour can be generated for a given email. Otherwise somebody could DOS a user by: (a) using x bad passwords to lock the account and then (b) generating reset emails for them faster than the email system can deliver.
Where possible defer to other systems such as OpenID. It's easy to get things wrong when you roll your own.
We have two ways to retrieve the forgot password:
1. Through registered email id
2. Through registered mobile number
Registered Email id:
a. Ask the user to provide the registered email id
b. The system checks the provided email id is available in the DB or not
c. If Email ID is there in the DB then system send the Email to reset the password but if Email id is not there in the DB then system show the alert messaged.
d. The user must provide strong password while resetting the forgot password.
e. Password reset successfully and is also change in the DB with respect to the Email ID.
Registered Mobile number:
The process is almost same as the email but in this case, OTP will be sent over the registered mobile number.
We need to integrate the 3rd part SDK for this or we can use the imessage in IOS.

Resources