This is the first of a bunch of posts that are going to be copy-paste dumps of notes I jot down to myself as I bootstrap portions of my app, learning as I go.
As rough notes to myself, they may not make much sense to another reader. BUT, they may contain some useful wayfinders if you're a first-timer who learns the way a generalist does.
The GraphiQL app that comes with express-graphql doesn't have a panel for setting headers / bearer tokens. Had to download a standalone client (graphiql-app). Got the Windows binary here. You have to explicitly populate the header boxes with "authorization", "Bearer xxx" in the UI.
OK so it turns out that:
- crypto (Node built-in) is for all-purpose crypto, and
- bcrypt is for crypto that is computationally expensive, for sensitive stuff like passwords etc. See SO.
The "iv" in cipheriv actually means "initialization vector", and it's basically a salt. It's not as big a secret as the secret that it's salting, so no need to freak out about where to store it.
Algorithms: candidates I've come across are the 2 discussed here. Per discussion, went with the
base64 vs hex encoding: the former is just more compact is all (base 64, so 3 source bytes get encoded into 4 bytes, unlike base 16 hex where 1 source byte gets encoded to 2 bytes). Btw the only encodings Node.js supports are:
- ascii
- base64
- hex
- ucs2/ucs-2/utf16le/utf-16le
- utf8/utf-8
- binary/latin1 (ISO8859-1; latin1 only in Node 6.4.0+)
Remember this for generating an AES encryption key, which HAS to be 256 bits long (for AES-256):

```js
// 256 bits = 32 bytes, so crypto.randomBytes(32)
import crypto from 'crypto'
console.log(crypto.randomBytes(32).toString('base64'))
```
Diff between encryption and hashing: Encryption is a two-way function; what is encrypted can be decrypted with the proper key. Hashing, however, is a one-way function that scrambles plain text to produce a unique message digest. With a properly designed algorithm, there is no way to reverse the hashing process to reveal the original password. bcrypt is an adaptive hasher. Hashes are rather lossy even if len(m) < len(hash(m)). Great StackExchange Q&A here.
Great discussion of salts and their function here
What's done so far: This could be a useful template if you're building out a backend of your own. As this was done mainly as a learning project, I left out several key aspects that I will have to come back and wire in later. Notably TypeScript, unit tests, and continuous integration. Watch for future posts.
- postgres-migrations to project: https://www.npmjs.com/package/postgres-migrations
- signup api (stub) => signup mutation
- login api (stub) => login mutation
- tasks api - all tasks
- yarn add bcrypt. But I'd uninstalled Python and a bunch of other build tools during some cleanup, and node-gyp would not run. So on Windows, workaround was to:
  - Microsoft build tools: download from https://www.microsoft.com/en-us/download/confirmation.aspx?id=48159
  - yarn add email@example.com
- context option based on the token that the middleware has verified, decrypted and stuffed into the request object. See API docs here.
- tasks query as authed query (currently authed user's tasks only)
- tasks mutation by updating the query to only use the user id from a valid token