From 593256e4797f450d1c3a7098976b82d933c3df93 Mon Sep 17 00:00:00 2001 From: Soumya Ray Date: Fri, 13 Apr 2018 15:17:37 +0800 Subject: [PATCH] Update filestore API --- README.md | 2 +- descriptions/010_filestore_api.md | 59 ++++++++++++++++++------------- 2 files changed, 35 insertions(+), 26 deletions(-) diff --git a/README.md b/README.md index ed0e4a7..68953ea 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ Follow the activities below as the semester progresses. ## Weekly breakdown of the semester project: - [A: Brainstorming and Setup](descriptions/005_brainstorm_setup.md) -- [B: Basic File Store API](descriptions/010_filestore_api.md) +- [B: Basic File Store Web API](descriptions/010_filestore_api.md) - [C: Relational Databases and Testing](descriptions/020_db_testing.md) - [D: Database Hardening](descriptions/030_db_hardening.md) - [E: Secure User Accounts](descriptions/040_secure_accounts.md) diff --git a/descriptions/010_filestore_api.md b/descriptions/010_filestore_api.md index a35f392..2219f4b 100644 --- a/descriptions/010_filestore_api.md +++ b/descriptions/010_filestore_api.md 
@@ -1,32 +1,41 @@ ## Basic File Store API -This week your team will create the beginnings of an API to perform your service. Make sure you create a Github repo for your team that all members can work on (store the repo under your team's organization and try to ensure that your teammates all contribute in some way). For this week's coding, you can refer to the [`0_filestore_api` branch of the demo code we saw in class](https://github.com/ISS-Security/configshare-api/tree/0_filestore_api). +This week your team will create the beginnings of an API to perform your service. For this week's coding, you can refer to the `0_api_filestore` branch of the demo project we are seeing in class. -1. Create a basic resource entity class - - Choose the most important resource or entity related to your project idea - - e.g., File, Image, URL, etc. - - Do NOT pick 'User' for now (we will discuss users in class later) - - Create the appropriate resource class for your project in the `models/` folder - - the `initialize` method should create new objects of this resource - - make sure your model has methods to `save` a new entity, `find` an existing entity, find `all` entitites, and to convert the entire resource `to_json`. - - Store and retrieve resources as json text files in a `db/` folder - - You might have to encode some attributes (e.g., large text) as Base64 +### 0. Notes +- Make sure all your classes belong to a module that bears the name of your project (e.g., `Credence` or `Wallet`, etc.) +- Make sure you create a Github repo for your team that all members can work on (store the repo under your team's organization and try to ensure that your teammates all contribute in some way). -2. 
Create a Web API - - Create an appropriately named Sinatra-based API class in `app.rb` - - Create the appropriate setup files (`Gemfile`, `config.ru`) we discussed in class - - create one POST route to create a new resource, given json information about it (e.g., `POST /api/v1/[resources]`), where '[resources]' is the name of your particular resources: files/pictures, etc.) - - create one GET route to return details of a specific resource (e.g., `GET /api/v1/[resources]/[ID].json`) to return jsonified resource with ID (metadata + data) - - create one GET route to return an index of all resources (e.g., `GET /api/v1/[resources]` would return IDs of all resources as json) - - Create a helpful README.md with instructions on how to use your API, including all routes (keep this README up-to-date throughout the project) +### 1. Create a basic domain resource entity class (demo example: `Credence::Document`) +- Choose the most important resource or entity related to your project idea + - e.g., File, Image, URL, etc. + - Do NOT pick 'User' for now (we will discuss users in class later) +- Create the appropriate resource class for your project in the `models/` folder + - The `initialize` method should create a new object of this resource + - Create a `#new_id` for new objects + - Make sure your model has instance methods to `#save` a new entity and to convert the entire resource `#to_json` + - Make sure your model has class methods to `::find` an existing entity and find `::all` entitites + - Store and retrieve resources as json text files in a `db/` folder + - You might have to encode some attributes (e.g., large text) as Base64 -3. 
Identify security issues your application currently faces - - Think about weaknesses in confidentiality, integrity, authentication, authorization, availability, non-repudiation - - in particular, think how a hacker might try to infiltrate the Web API you have created so far - - Create **Github Issues** for these vulnerabilities - - create one issue for each vulnerability - - detail what the vulnerability is (what is at risk) - - explain how it can be exploited (what an attacker might do to execute an attack) - - we will try to resolve these vulnerabilities in future weeks +### 2. Create a Web API +- Create an appropriately named Roda-based API class in `app.rb` +- Create the appropriate setup files (`Gemfile`, `config.ru`) we discussed in class +- `.gitignore` files in `db/*.*` (this means files with extensions in the `db/` folder, but not in subfolders) +- Create a root route (`/`) that returns a basic json message (outside resources often check this route to see if your service is alive) +- Create one POST route to create a new resource, given json information about it (e.g., `POST /api/v1/[resources]`), where '[resources]' is the name of your particular resources: files/pictures, etc.) +- create one GET route to return details of a specific resource (e.g., `GET /api/v1/[resources]/[ID].json`) to return jsonified resource with ID (metadata + data) +- create one GET route to return an index of all resources (e.g., `GET /api/v1/[resources]` would return IDs of all resources as json) +- Create a helpful `README.md` with instructions on how to use your API, including all routes (keep this README up-to-date throughout the project) +- Create a `LICENSE` file with terms of how your code can be adapted by others (see [choosealicense.com](https://choosealicense.com) for help on picking a license) + +### 3. 
Identify security issues your application currently faces +- Think about weaknesses in confidentiality, integrity, authentication, authorization, availability, non-repudiation + - in particular, think how a hacker might try to infiltrate the Web API you have created so far +- Create **Github Issues** for these vulnerabilities + - create one issue for each vulnerability + - detail what the vulnerability is (what is at risk) + - explain how it can be exploited (what an attacker might do to execute an attack) + - we will try to resolve these vulnerabilities in future weeks We will demo some of the apps and discuss your Github issues in class!
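Review bot: the README.md hunk renames the link text to "Basic File Store Web API", but the heading it points to in descriptions/010_filestore_api.md is left as `## Basic File Store API` (visible as unchanged context in the second hunk), so the table of contents and the page title now disagree; update the heading in the same commit, or keep the original link text.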
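Review bot: in the 010_filestore_api.md hunk the demo-code reference loses its hyperlink and the branch name changes from `0_filestore_api` (in the removed line, linked to github.com/ISS-Security/configshare-api) to `0_api_filestore` (in the added line, unlinked); confirm which branch name is correct and restore the link so students can find the reference code. Smaller points in the same hunk: the added line `Make sure your model has class methods to ::find an existing entity and find ::all entitites` carries over the typo "entitites" from the removed line (should be "entities"); since the new `.gitignore` bullet ignores `db/*.*` while step 1 stores resources as json files in `db/`, the text should tell students to commit a placeholder (e.g. an extensionless `.gitkeep`) so the folder exists after a fresh clone; and the `GET /api/v1/[resources]/[ID].json` bullet, which maps a client-supplied `[ID]` to a file in `db/`, would benefit from a sentence saying that `[ID]` should be checked against the format produced by `#new_id` before it is used to build a path, which also gives students a concrete candidate for the step 3 issue list.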