The URL to my application is https://cscloud702.lnu.se
Routes that should only be accessible to an authenticated (logged-in) user are guarded by a middleware that checks the session before the route handler runs, so a request without a valid login session never reaches the protected handler.
To minimize the risk of a CSRF (cross-site request forgery) attack, a token is generated on each request and sent to the client, which the client then includes in each POST request. If the token is missing or does not match the one the server expects, the server responds with a 403 to the client. A page on another origin cannot read the token, so a forged request from that origin cannot supply it.
Using a module called Helmet.js I was able to set a Content Security Policy that tells the browser which scripts it is allowed to run on pages served by the application. This reduces the risk of XSS attacks, because an injected script that does not come from an allowed source is blocked by the browser even if it makes it into the page.
Instead of plain HTTP I used HTTPS, which creates an encrypted connection between the server and the client. Since HTTPS uses TLS it also provides authentication and integrity: the client verifies the server's certificate, so it can be certain that it is talking to the server the certificate was issued to, and every TLS record is protected by a MAC (or an AEAD cipher), so a message that has been tampered with in transit is detected and rejected. Note that TLS only authenticates the server to the client; the client is authenticated by TLS only if client certificates are used, so the user's identity still comes from the application's login.
Using a module called express-github-webhook I was able to verify that the hooks I receive actually come from GitHub. I pass it the webhook secret; it computes an HMAC of the request body with that secret and checks that the result matches the X-Hub-Signature header that GitHub sends with each delivery, or it throws an error. Since only GitHub and my server know the secret, a request with a valid signature must have been produced by GitHub and its body cannot have been changed on the way.
A reverse proxy sits in front of one or more web servers. It accepts requests from the internet and forwards each one to one of the web servers behind it, as can be seen in the picture below, which also lets it act as a load balancer. With a normal (forward) proxy the web server does not know which client it is talking to, because it only sees the proxy. With a reverse proxy it is the other way round: the client does not know which back-end web server it is actually communicating with, because it only ever talks to the proxy.
A process manager is a tool that constantly monitors a process to ensure that the process or script keeps running, restarting it if it crashes or the machine reboots.
TLS stands for Transport Layer Security. It is a security protocol that provides privacy (encryption) and data integrity for the connection between client and server. In order to use TLS the server needs a certificate. A certificate can be obtained in two ways: a self-signed one, which you generate yourself, or one issued by a CA (certificate authority). If it is obtained from a CA it is important that the CA is a trusted one that most browsers recognise; otherwise browsers warn about the connection just as they do for a self-signed certificate.
An environment variable is a variable whose value is set outside of the program, in the environment of the process. It consists of a key-value pair, and the value of a key can be read by the program at any time (in Node, through process.env). Keeping values such as secrets and connection strings in environment variables keeps them out of the source code.
My extra modules are
- body-parser
- connect-redis
- cookie
- csurf
- dotenv
- express-github-webhook
- express-session
- helmet
- jquery
- moment
- passport
- passport-github2
- redis
- socket.io
- webpack
body-parser: provides the ability to receive data from forms and other request bodies by parsing them into req.body
connect-redis: I had a Redis database which I used to save all the sessions. This is used to connect express-session to that database
dotenv: loads my .env file and puts its key-value pairs into process.env
express-github-webhook: used for my webhook; it checks the signature of incoming GitHub deliveries
express-session: integrated with Passport to be able to create a session
helmet: used for the CSP and to remove the X-Powered-By header
passport and passport-github2: do the OAuth part of the authentication and create a session for the authenticated user
socket.io: real-time, bidirectional communication between server and client, built on top of WebSocket with fallbacks (such as long polling) when WebSocket is not available
webpack: for pages that have multiple client scripts I used webpack to bundle them into one file instead.
Express caches view templates and produces less verbose error messages when NODE_ENV is set to production
I have implemented lots of extra features
- Got a certificate via Let's Encrypt instead of using a self-signed one
- Ability to close an issue
- Ability to delete a comment
- Ability to create a comment
- Ability to view and monitor comments as well
- Created an OAuth App where a user can log in and view all their resources
- Ability to create a webhook through the api
- Ability to delete a webhook through the api
- Ability to listen to events on multiple repos at the same time
- Implemented sessions using Passport
- Saved the Sessions in a redis database instead of using memory storage
- Used sessionStorage to save notifications on the client.
- Used the Notification API to push notifications when the user's tab is not in focus