Homework 4 Reflection

Authentication

  1. The main issue I had with authentication for the back end was getting the root path to work in production. I kept running into an issue where when I opened the browser and went to the root path, it would give me a 404 error. I had to change the order of the middleware so that the root path was handled first.
  2. I didn't have too many issues with authentication for the front end, but I did have to wire the login and create-account flows to the API and keep the UI in sync with auth state.

Deployment

  1. I had a lot of issues with deployment. When I first tried to deploy and run the build script, I didn't get a server.js file in the dist folder. I had to change the tsconfig.json file to include the src folder. After that, I struggled with having the app run locally but not in production which was caused by not copying the code onto the server.

Security Audit

  1. During the audit I found that user input (e.g. usernames, book titles) could have been rendered as raw HTML and executed as script. I fixed this by rendering all user data only through React’s normal JSX so it is escaped by default, and by validating input with Zod on the server. I avoided `dangerouslySetInnerHTML` for user content.
  2. I thought about the case where an attacker tricks a logged-in user into clicking a link that sends a request to my app with their cookies. To prevent that, I set the session cookie with sameSite: 'strict' so the browser won't send it on cross-site requests, and all state-changing actions (login, register, add/edit/delete)se POST, PUT, or DELETE, so you can't trigger them with a simple link or image.
  3. I added rate limiting in the code using the 'express-rate-limit' package, which limits the number of requests to 100 requests per 15 minutes per IP. This helps slow down brute-force login attempts and general abuse without having to mess with the firewall.
  4. I used Helmet for security headers. CSP is turned off since it was causing issues when running the app locally, but Helmet still sets things like X-Content-Type-Options: nosniff and X-Frame-Options: SAMEORIGIN to cut down on MIME sniffing and clickjacking.
  5. I hashed the passwords with Argon2 and set the session cookie to be httpOnly, sameSite: 'strict', and secure in production. Every add/edit/delete endpoint requires a valid session, and for books we check that the user actually created the book before allowing edit or delete. Request bodies are also validated with Zod, and we reject duplicate usernames on register.