- UI
- What did you struggle with when adding logins and authorization to your front-end?
What I struggled with most was having features be only allowed when logged in, as I needed to pass down variables from the main component down to the specific component where the buttons live. Maybe that means I needed a better design for my components, but at this point I was too far in and for the learning purposes I thought it was enough. I also ended up creating another endpoint that I had not thought of needing, where I would check if the user is logged in or not by checking for the token in the token store, as when I did Auth for my CS 375 project, only the pages were blocked by whether you were logged in, and not the functionality of the page.
- Login endpoint
- What did you struggle with when adding logins and authorization to your back-end?
In terms of adding login functionality to the backend, I didn't particularly struggle, since for my CS 375 project I had done the login functionality for that project, so I was already generally aware of what was needed and how to go about it. I did need an extra endpoint for this assignment than was needed for my other project, but overall the backend went smoothly.
- Security audit
- If your app was vulnerable to XSS attacks, explain what you did to mitigate them. If it wasn’t, explain why.
So I had tested if my app was vulnerable to XSS attacks by inputting <script>alert("XSS test")</script> into the book name field, and it just read that as a string and now is the first option shown on my live homework 4 which is fun.
- If your app was vulnerable to CSRF attacks, explain what you did to mitigate them. If it wasn’t, explain why.
In terms of CSRF attacks, the endpoints themselves do not have a check to see if an authorized user is calling them, so in that regard I suppose my app is vulnerable to that. But, to be able to delete a book from the UI you must be logged in.
- If you added rate limiting with a firewall, include what commands you ran/packages you used. If you added rate limiting to your application code, indicate this.
I added the code provided in the instructions as well as installing express-rate-limit so that the code would work properly.
- Explain what HTTP headers you set, what they do, and why they’re useful.
For preventing brute force attacks I added the following: RateLimit-Limit, RateLimit-Remaining, RateLimit-Reset. For protecting authentication tokens I set the following: Set-Cookie: token=...; HttpOnly; Secure; SameSite=Strict.
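As an added example (not the homework's own code), a dependency-free Node.js sketch of the pieces described above: a fixed-window limiter that emits RateLimit-Limit, RateLimit-Remaining and RateLimit-Reset, the Set-Cookie value for the token, and the server-side token-store check that the CSRF answer says the endpoints lack. Function names, the token store as a Map, and the limits are assumptions.

```javascript
// Added example, not code from the homework. Fixed-window limiter:
// `limit` requests per `windowMs` for each client key (e.g. an IP).
function createRateLimiter({ limit = 5, windowMs = 60_000 } = {}) {
  const windows = new Map(); // key -> { start, count }
  return function check(key, nowMs = Date.now()) {
    let w = windows.get(key);
    if (!w || nowMs - w.start >= windowMs) {
      // Window expired (or first request): open a fresh one.
      w = { start: nowMs, count: 0 };
      windows.set(key, w);
    }
    w.count += 1;
    const remaining = Math.max(0, limit - w.count);
    const resetSec = Math.ceil((w.start + windowMs - nowMs) / 1000);
    return {
      allowed: w.count <= limit, // false -> respond 429
      headers: {
        'RateLimit-Limit': String(limit),
        'RateLimit-Remaining': String(remaining),
        'RateLimit-Reset': String(resetSec), // seconds until the window resets
      },
    };
  };
}

// Set-Cookie value for the session token. HttpOnly keeps page scripts from
// reading it (XSS), Secure restricts it to HTTPS, SameSite=Strict keeps
// cross-site requests from carrying it (CSRF).
function tokenCookie(token) {
  return `token=${encodeURIComponent(token)}; HttpOnly; Secure; SameSite=Strict`;
}

// The check each protected endpoint should make itself, instead of relying
// on the UI hiding the button: parse the Cookie header and look the token
// up in the token store (assumed here to be a Map of token -> username).
function authenticatedUser(cookieHeader, tokenStore) {
  const m = /(?:^|;\s*)token=([^;]*)/.exec(cookieHeader || '');
  if (!m) return null;
  return tokenStore.get(decodeURIComponent(m[1])) ?? null;
}
```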
- If you did anything else to secure your app, explain what you did and why.
Besides what was suggested in the instructions I did not do anything else to secure the app purely because of timing. With midterms and such I just had a little less time than I would have liked for this assignment. I am not 100% sure what more I would have done, but most likely created a fake site to test against CSRF attacks at the very least.