
[09/11/2022] - Backend API description - Authentication #116

Open
RealRichi3 opened this issue Nov 9, 2022 · 0 comments

RealRichi3 commented Nov 9, 2022

Sub-issue of #5

Description

Open Science Community would like to develop Massive Open Online Courses (MOOCs), which are free online courses available for anyone to enroll in. We have developed our own materials and will also reuse materials from Open Life Sciences and Turing Way. In order to do that, we need to develop a platform where a participant can log in and view videos and written materials as lessons. This will be similar to Udemy and other platforms for MOOCs.
The task is to create a backend API for the website using any backend technology.

AUTHENTICATION

The authentication process uses cookie- and token-based authentication.

Signup

  • For /signup, the required user data are firstname, lastname, email, role, password and confirmpassword
  • The role field allows signup as an end user or an admin; an extra level of authentication can be required for the admin signup process
  • A verification token will be attached to a link, which is sent to the user's email after the signup action
  • All accounts will be unverified until email verification is complete
  • Duplicate signups are not allowed

Verify email

  • The hashed verification token will be extracted from the request parameter; after verifying that it is valid, the user's account status will be set to verified

Login

  • A /login request requires the user's email and password
  • The password will be hashed and compared with the saved hash in the database; if it matches, an access token will be sent in the response body.
  • The access token should be attached in the cookie when making post-login requests

Google signin

  • The ID token is retrieved from the request header
  • The ID token is then verified
  • The payload is then extracted
  • The user's email is collected and the code checks for a matching user in the database
  • If there is no matching user, a new user is created using the data in the payload
  • For signup with Google, a random password is created to keep the DB model uniform; this password will not be required, since the auth process is handled by Google.
  • After successful sign-in, an access token is sent in the response body

Forgot password

  • /forgotpassword requires the user's email in the request body
  • A hashed reset token will be created
  • The hashed token will be attached to a password reset link
  • The reset link will be sent to the user's email; this link points to the /resetpassword route
  • The password reset token will have an expiry; if the reset link isn't clicked before the expiry, a new /forgotpassword request must be made.

Reset password

  • The password reset token will be retrieved from the request params
  • The reset token is then hashed and compared to the saved record in the database
  • If it matches, it should check that the token has not expired
  • After all checks pass, the password will be updated

Permission handler

  • The permission handler is an Express.js router-level middleware
  • It is attached to each route, and the user roles allowed for that specific route are passed in.
  • Once a user makes a request to that route, the middleware looks up the user's record in the database and confirms that the role is allowed to access the particular route