Assignment 2: Secure Recipe Book API
Course: Web Data Management and Application – The Back-End Engine
Chapters Covered: 5-8 (Mongoose for Structured Data Modeling, API Structure and Error Handling, User Authentication, Authorization and Protected Routes)
Due Date: [Insert Due Date Here]
1. Objective
This assignment builds upon the first by introducing professional-grade development practices. You will refactor a server to use Mongoose for elegant data modeling and validation, restructure the application using the Model-View-Controller (MVC) pattern, and implement a complete, secure user authentication and authorization system.
2. Case Study: "CulinaryCanvas" Personal Recipe Book
"CulinaryCanvas" is a new platform where users can store and manage their personal recipe collections. A user must be able to register an account, log in, and then create, view, update, and delete only their own recipes. The API must be secure, well-structured, and provide clear error messages.
3. Core Requirements
You will build a secure API with two main resources: users and recipes.
3.1 Data Models (Mongoose Schemas)
● User:
  ○ username (String, required, unique)
  ○ email (String, required, unique)
  ○ password (String, required) - stored only as a bcrypt hash, never in plain text
● Recipe:
  ○ title (String, required)
  ○ ingredients (Array of Strings, required)
  ○ instructions (String, required)
  ○ prepTime (Number, in minutes)
  ○ author (ObjectId, ref: 'User', required) - links the recipe to the user who created it
3.2 API Endpoints
● Authentication:
  ○ POST /api/users/register: Registers a new user. Passwords must be hashed with bcrypt.
  ○ POST /api/users/login: Logs in a user. If successful, returns a JSON Web Token (JWT).
● Recipes (CRUD):
  ○ POST /api/recipes: Creates a new recipe. Protected route. The new recipe must be associated with the logged-in user.
  ○ GET /api/recipes: Gets all recipes created by the currently logged-in user. Protected route.
  ○ PUT /api/recipes/:id: Updates a recipe by its _id. Protected route. A user must only be able to update their own recipes.
  ○ DELETE /api/recipes/:id: Deletes a recipe by its _id. Protected route. A user must only be able to delete their own recipes.
4. Technical Specifications
● You must use Mongoose for all data modeling, validation, and database interaction.
● Your application structure must follow the Model-View-Controller (MVC) pattern (separate folders for models, routes, and controllers).
● Implement a robust, centralized error-handling middleware to catch and format all errors.
● Passwords must be hashed using bcrypt.
● Authentication must be handled using JSON Web Tokens (JWT).
● Create a custom authentication middleware to protect routes and identify the logged-in user.
● Authorization logic must be implemented in the update and delete controllers to ensure users can only modify their own data.
5. Submission Guidelines
● Submit a link to a private GitHub repository.
● The repository should have a clean MVC structure.
● Include a README.md file that explains how to run the project and test the protected endpoints.
6. Evaluation Criteria
Category | Weight | Details
Functionality | 40% | All user and recipe endpoints work as specified.
Authentication & Authorization | 30% | Secure registration/login, route protection, and ownership checks are correctly implemented.
Code Structure & Quality | 20% | Code is well-organized into an MVC pattern with a central error handler.
Mongoose Implementation | 10% | Models are correctly defined with appropriate validation and references.