I am new to NodeJs, and as a practice I am trying to build a blogging API using node and express. I am looking for a way to implement the following tasks :
Any user should be able to look at other user's profile, but not edit it.
Any user should be able to view any blog but edit only their own blogs
The way I was thinking of doing this is :
When a user logs in, store the user's id in a cookie (either a JWT token or something else), and whenever a profile / blog is to be displayed, check if the author of the blog / profile has the same Id as the one stored in cookie, if it is then allow the option to edit, else don't.
Would like to know if this is correct way to do it, also are there any better ways to achieve this ?
A better approach is to use an authentication middleware:
This blog post briefed it: https://medium.com/quick-code/handling-authentication-and-authorization-with-node-7f9548fedde8
The explanation of the concept is that you do not need to add the auth middleware to the user's profile GET endpoint (i.e the endpoints that gets user profile).
To edit a blog you need to do some checks if the id of the one who created the blog post matches.
I have a project you can check: https://github.com/razaqfatiu/Teamwork/blob/develop/api/controllers/article.js
The editArticle function on line 41 should be of help
Related
MERN stack
In my app, you can follow users and when those users make a post, you should get a notification.
Currently, my User model has an array that lists all the users they're following as well as users who are following them:
users_you_follow: [ <object_ids>... ],
users_who_follow_you: [ <object_ids>... ]
My current idea looks something like this:
When a user makes a post in the frontend, we pass in the array of users_who_follow_you as well as the post details into the backend.
Then, using mongoose, parse the users_who_follow_you and find the users with the same ID's.
Finally, within that User model, I would store the post details along with some other metadata.
Then in the frontend, I would have a setInterval call to check if there are any new notifications.
This method although might work seems very server intense with all the API calls to check notifications. Is there a better way around this?
I currently don't know how to start on this process. From my research, some people said to use websockets while others say web workers.
What would be the best way to achieve something like this?
A very similar system to compare it to would be StackOverflows inbox thing. If a user comments on your post, the header/navbar shows a notification without having you to refresh your screen.
Thank you.
So i have been struggling with this one question some time now:
How to handle details Page or deep linking on the Frontend.
So, say, we got a paged collection endpoint with user entities in it and a React App consuming the endpoint.
The flow would be, user authenticates, gets collections, clicks on an item and is either:
Redirected to a new Url say: webapp.com/users/userid
A modal opens with the user details.
Say we got a scenario were two people working with the webapp, Person 1 wants to share a link with Person 2. Person 2 should do some updates on a specific user, which is identified by the link.
The link should be something like : https://www.webapp.com/users/{slug or id}
With Option 2 this functionality is not mappable.
With Option 1 we got to expose the ids in the response to identify the resource, which may work, but we would still need to hardcode the url, as the findById method is not exported as a Uri Template.
So, my Solution would be to add a slug for the resources, implement a search method by the slug, and then get the user, if found, by its self-link.
Sounds like a good solution for me, but on the other hand, I would have to add an extra frontend id(the slug here) which would need to be also unique, to the database model.
So how do you guys handle a problem like this, or is there anybody using spring data rest in this way or in production mode where you have the handle situations like this?
Should mention that this isn’t a primary problem with spring data rest but rather with hateoas itself.
thanks in advance
Florian
You don't need to hardcode URL template. Spring data rest will generate links for each resource.
You can refer to it from front end by some format like: {your_user_object}._links.self.href
I heard that Instagram recently changed their APIs and I have a related question to that.
Let's assume I would like to build an "Instagram feed app of people I follow". So this app would just show me the pictures of all people I follow. From what I understand this would be possible, but I would always have same manual effort:
From the Instagram developer website I understand that I need the access_token from all my friends.
Do I understand that correctly?
This would mean every time I follow someone new, I would have to get his/her access_token manually and add it into my app.
Do I understand this correctly or is there a programmatic/automated way to get the needed access_token from the new followed person?
Yes, you are correct. This is not possible at the moment. I'm not sure how you would get the access token of friends. You would have to have them login as well. BTW: This seems to be the way facebook is going (since they now control Instagram). They require that both friends have authorized your app and then they will list their followers.
I am using the MeanJS stack to develop a web application. The issue I'm having, is that my regular signup process has some unique parameters that are not common to an Oauth user profile. So, when I have the user go to signup with facebook, I move them to a new Signup form, that has them fill in the extra parameters, and then click "signup with facebook."
The routes are the same as the common MeanJS routes found here:
https://github.com/meanjs/mean/blob/master/app/routes/users.server.routes.js
Specifically these lines:
app.route('/auth/facebook').get(passport.authenticate('facebook', {
scope: ['email']
}));
app.route('/auth/facebook/callback').get(users.oauthCallback('facebook'));
What I would like to do, is have the extra parameters attached to the request object, so that when the auth process reaches the exports.saveOAuthUserProfile inside of: https://github.com/meanjs/mean/blob/master/app/controllers/users/users.authentication.server.controller.js
this function will be able to access those parameters and save them as part of the user model.
I have tried attaching parameters to the Get request and accessing
req.params.paramId
but this will not work, because you cannot register a param loaded request with the facebook api (or at least it seems to be that way).
And I have read elsewhere on StackOverflow that you can load the request State, but that seems really odd to me. Here's the link for that: Facebook OAuth: custom callback_uri parameters
So, any guidance on how to load the extra data into the Oauth request, so that when I save the user profile I can access it and save it, would be great.
Thanks guys.
It's not really clear to me what you want to achieve. What are the "extra" fields, and why don't you derive the fields from the user's profile directly?. About 98% of the FB Login implementations I've seen just use the "Login with Facebook" button and get the user's data during the OAuth process itself, and not manually entered by the user.
With passport-facebook for example, it's possible that you
a) Configure custom scopes
https://github.com/jaredhanson/passport-facebook#extended-permissions
b) Enrich the profile object with the custom scope's data
https://github.com/jaredhanson/passport-facebook#profile-fields
The profile object will then contain the additional requested fields automatically, and you don't need to tweak the request object itself.
I have a widget for user to get information regarding books. The UX of the widget changes according to the fact that the user is logged in or not. Now I have a route for logged-in user(say, /user/getBookInfo) to get the book information(which includes sending sms n email logic). For users who are not logged-in I have created a different route(say, /public/getBookInfo), which includes some additional processing too. However retrieving the book information, sms and email logic etc is already present in '/user/getBookInfo'. I don't want to duplicate this function.
One option is call res.redirect('/user/getBookInfo') from /public/getBookInfo . However I want to avoid the redirect in this way.
So My question is How can I reuse this logic in /public/getBookInfo without using redirect??
Probably the best way in a Node.js application is to make a separate module, and put the common logic there. Then you can require the module in both routing files.