Phase 5: Validating the Request Body

Understanding the Problem

In the previous phase, we implemented the core authentication routes for our application. However, these routes currently accept any data provided in the request body without validation. This can lead to several issues:

Users might submit incomplete or invalid data.
Malicious users could exploit vulnerabilities by sending unexpected data.
Database operations might fail due to validation constraints.
User experience suffers when errors occur without clear feedback.

To address these issues, we need to implement request body validation for our authentication routes, particularly for login and signup operations where user input is critical.

Think of validation as a security guard at the entrance of a building. The guard checks everyone's ID and ensures they meet certain criteria before letting them in. Similarly, validation middleware examines incoming requests and ensures they contain valid data before letting them reach our route handlers.

Why Validation Matters: Input validation is a critical security practice that helps protect against several types of attacks:

Injection Attacks: Without validation, users could inject malicious code (SQL injection, NoSQL injection, etc.)
Overflow Attacks: Extremely large inputs could crash your server or database
Data Poisoning: Invalid data could corrupt your database or application state

Defense in Depth: While our Sequelize models already have validations, adding validation at the API level provides several benefits:

Catches errors before hitting the database (better performance)
Provides more user-friendly error messages
Prevents malformed requests from causing unexpected errors
Follows the principle of "never trust user input"

Planning the Solution

We'll use the express-validator package to validate request bodies in our application. This package provides middleware functions that check request data against specified rules and collect validation errors.

Our validation plan includes:

Installing the express-validator package
Creating a reusable validation error handler
Implementing login validation
Implementing signup validation
Testing both validations

For each validation implementation, we'll follow our feature-branch Git workflow to keep our code organized and easier to test.

express-validator Overview: The express-validator package is a set of Express.js middleware functions that wraps the validator.js library, providing a convenient way to validate and sanitize HTTP request data.

Key components we'll use:

check(): Creates a validation chain for a specific field
validationResult(): Extracts validation errors from a request

The validation process follows this flow:

Define validation rules for each field
Apply these rules as middleware
Check for validation errors
If errors exist, return them; otherwise, continue to the route handler

This approach centralizes validation logic, making it easier to maintain and ensuring consistent validation across your application.

Creating Validation Middleware

Setting Up the Feature Branch

Let's start by creating a new feature branch for the login validation:

git checkout dev                          # Switch to dev branch
git checkout -b validate-login-inputs     # Create new feature branch

Installing Dependencies

First, we need to install the express-validator package:

cd backend
npm install express-validator

Creating a Validation Utility

Now, let's create a utility file to handle validation errors. Create a new file at backend/utils/validation.js:

// backend/utils/validation.js
const { validationResult } = require('express-validator');   // Import from express-validator

// middleware for formatting errors from express-validator middleware
// (to customize, see express-validator's documentation)
const handleValidationErrors = (req, _res, next) => {
  const validationErrors = validationResult(req);            // Get validation errors from request

  if (!validationErrors.isEmpty()) {                         // Check if errors exist
    const errors = {};
    validationErrors
      .array()                                              // Convert errors to array
      .forEach(error => errors[error.path] = error.msg);    // Format errors as key-value pairs

    const err = Error("Bad request.");                       // Create error object
    err.errors = errors;                                     // Attach formatted errors
    err.status = 400;                                        // Set HTTP status code to 400 (Bad Request)
    err.title = "Bad request.";                              // Set error title
    next(err);                                               // Pass error to error-handling middleware
  }
  next();                                                    // Proceed if no errors
};

module.exports = {
  handleValidationErrors                                    // Export the middleware
};

This utility function does the following:

Uses validationResult to gather validation errors from previous middleware.
Checks if there are any validation errors.
If errors exist, it formats them into a user-friendly object where keys are field names and values are error messages.
Creates a standardized error object with a 400 status code (Bad Request).
Passes the error to the next error-handling middleware.
If no errors exist, it simply calls next() to proceed to the next middleware or route handler.

This pattern of separating the error-handling logic into a dedicated function follows the principle of separation of concerns, making our code more modular and easier to maintain.

Error Formatting: Let's break down how we're formatting validation errors:

The raw validation errors from validationResult(req).array() look like this:

[
  { 
    path: "email", 
    msg: "Please provide a valid email.", 
    location: "body" 
  },
  { 
    path: "password", 
    msg: "Password must be 6 characters or more.", 
    location: "body" 
  }
]

We transform this into a more user-friendly format:

{
  "email": "Please provide a valid email.",
  "password": "Password must be 6 characters or more."
}

This format makes it easier for frontend code to display specific errors next to the corresponding form fields.

Error Flow: When validation fails, we create an error that follows the same format as our error handling middleware from Phase 2. This ensures consistent error responses throughout the application.

Implementing Login Validation

Creating Login Validation Middleware

Next, let's modify the backend/routes/api/session.js file to add validation for the login route:

// backend/routes/api/session.js
// ... existing imports
const { check } = require('express-validator');                    // Import check function
const { handleValidationErrors } = require('../../utils/validation');  // Import validation handler

// ... existing code

const validateLogin = [                                           // Create array of middleware
  check('credential')                                             // Validate credential field
    .exists({ checkFalsy: true })                                // Must exist and not be falsy
    .notEmpty()                                                  // Must not be empty
    .withMessage('Please provide a valid email or username.'),   // Error message
  check('password')                                              // Validate password field
    .exists({ checkFalsy: true })                                // Must exist and not be falsy
    .withMessage('Please provide a password.'),                  // Error message
  handleValidationErrors                                         // Process validation results
];

// Log in
router.post(
  '/',
  validateLogin,                                                // Apply validation middleware
  async (req, res, next) => {
    // ... existing login route handler
  }
);

// ... rest of the file

Let's break down the validation middleware we've created:

The validateLogin array contains multiple middleware functions that will be executed in sequence.
The check('credential') middleware validates the credential field:
- exists({ checkFalsy: true }) ensures the field exists and is not falsy (empty string, null, etc.)
- notEmpty() ensures the field is not an empty string
- withMessage() specifies the error message to show if validation fails
The check('password') middleware similarly validates the password field.
Finally, handleValidationErrors collects any validation errors and formats them into a response.

This validation approach is similar to how form validation works in the real world. When you fill out a paper form, there might be requirements for each field (e.g., "must be filled in," "must be a valid email format"). If you submit the form without meeting these requirements, it gets returned to you with error messages. Our validation middleware functions in the same way, checking each field against requirements and returning errors if needed.

Validation Chain Explained:

Each check() call creates a validation chain that can have multiple rules. Let's break down what each validation method does:

exists({ checkFalsy: true }): Ensures the field exists in the request body and is not falsy (rejects null, undefined, empty string, etc.)
notEmpty(): Specifically checks that the string is not empty (length > 0)
withMessage(): Customizes the error message for the preceding validator

Middleware Flow: When the route is accessed, Express processes the middleware in sequence:

First, each check() middleware validates its respective field and stores any errors in the request object
Then, handleValidationErrors middleware checks if any errors were found:
- If errors exist, it formats them and passes to the error handler
- If no errors, it calls next() to proceed to the route handler

This creates a validation "gate" that requests must pass through before reaching your actual business logic.

Testing Login Validation

Let's test our login validation to ensure it's working correctly. Start your server if it's not already running:

npm start

First, test with an empty credential:

fetch('/api/session', {
  method: 'POST',
  headers: {
    "Content-Type": "application/json",               // Specify JSON content type
    "XSRF-TOKEN": `<value of XSRF-TOKEN cookie>`      // Include CSRF token
  },
  body: JSON.stringify({ credential: '', password: 'password' })  // Empty credential
}).then(res => res.json()).then(data => console.log(data));

You should receive a "Bad request" error with a message about providing a valid email or username.

Next, test with an empty password:

fetch('/api/session', {
  method: 'POST',
  headers: {
    "Content-Type": "application/json",
    "XSRF-TOKEN": `<value of XSRF-TOKEN cookie>`
  },
  body: JSON.stringify({ credential: 'Demo-lition', password: '' })  // Empty password
}).then(res => res.json()).then(data => console.log(data));

You should receive a "Bad request" error with a message about providing a password.

Expected Error Responses:

When validation fails for the empty credential, you should see:

{
  "title": "Bad request.",
  "message": "Bad request.",
  "errors": {
    "credential": "Please provide a valid email or username."
  },
  "stack": "..." // only in development mode
}

When validation fails for the empty password, you should see:

{
  "title": "Bad request.",
  "message": "Bad request.",
  "errors": {
    "password": "Please provide a password."
  },
  "stack": "..." // only in development mode
}

Testing Strategy: It's important to test each validation rule individually to ensure they all work as expected. For complex validations, you might want to test edge cases like:

Empty strings
Strings with only whitespace
Values that are just below or above length requirements
Malformed inputs (like invalid email formats)

Committing and Merging the Login Validation Branch

Once you've confirmed that the login validation is working, commit your changes and merge them into the dev branch:

git add .                                                # Stage all changes
git commit -m "Add User input validation on user login backend endpoint"  # Commit with message
git checkout dev                                          # Switch to dev branch
git pull origin dev                                       # Pull latest changes (if collaborating)
git merge validate-login-inputs                           # Merge feature branch
git push origin dev                                       # Push to remote repository

Implementing Signup Validation

Setting Up the Feature Branch

Let's create a new feature branch for the signup validation:

git checkout dev
git checkout -b validate-signup-inputs

Creating Signup Validation Middleware

Now, let's modify the backend/routes/api/users.js file to add validation for the signup route:

// backend/routes/api/users.js
// ... existing imports
const { check } = require('express-validator');
const { handleValidationErrors } = require('../../utils/validation');

// ... existing code

const validateSignup = [
  check('email')
    .exists({ checkFalsy: true })                      // Email must exist and not be falsy
    .isEmail()                                         // Must be valid email format
    .withMessage('Please provide a valid email.'),
  check('username')
    .exists({ checkFalsy: true })                      // Username must exist and not be falsy
    .isLength({ min: 4 })                              // Must be at least 4 characters
    .withMessage('Please provide a username with at least 4 characters.'),
  check('username')
    .not()                                             // Username must NOT...
    .isEmail()                                         // ...be an email
    .withMessage('Username cannot be an email.'),
  check('password')
    .exists({ checkFalsy: true })                      // Password must exist and not be falsy
    .isLength({ min: 6 })                              // Must be at least 6 characters
    .withMessage('Password must be 6 characters or more.'),
  handleValidationErrors                               // Process validation results
];

// Sign up
router.post(
  '/',
  validateSignup,                                      // Apply validation middleware
  async (req, res) => {
    // ... existing signup route handler
  }
);

// ... rest of the file

Let's break down the validation middleware we've created for signup:

The check('email') middleware:
- Ensures the email exists and is not falsy
- Validates that it's a properly formatted email address
The first check('username') middleware:
- Ensures the username exists and is not falsy
- Validates that it's at least 4 characters long
The second check('username') middleware:
- Ensures the username is not an email address
- This is a business rule specific to our application: we want usernames and emails to be distinct
The check('password') middleware:
- Ensures the password exists and is not falsy
- Validates that it's at least 6 characters long for security

These validation rules represent best practices for user registration. For example, requiring a minimum password length helps ensure security, validating email formats helps ensure communications can be delivered, and preventing usernames from being emails helps maintain a clear distinction between these identifiers.

Multiple Validations on Same Field: Notice that we have two separate check('username') validations. This is intentional and shows the flexibility of express-validator:

We can apply multiple distinct validation rules to the same field
Each validation can have its own specific error message
This creates more precise and helpful error messages for users

Validation Methods: express-validator provides many validation methods, including:

isEmail(): Checks if the string is a valid email
isLength({ min, max }): Checks if the string's length falls in a range
not(): Negates the result of the next validator
matches(): Checks if string matches a regex pattern
isNumeric(): Checks if string contains only numbers
isAlphanumeric(): Checks if string contains only letters and numbers

These are just a few examples - the library has dozens of validators for different data types and formats.

Security Considerations: Our password validation only checks length (minimum 6 characters). In a production application, you might want to implement more robust password requirements like:

Requiring mixed case letters
Requiring numbers and special characters
Checking against commonly used passwords
Preventing passwords that match or contain the username or email

Testing Signup Validation

Let's test our signup validation to ensure it's working correctly:

Test with an empty password:

fetch('/api/users', {
  method: 'POST',
  headers: {
    "Content-Type": "application/json",
    "XSRF-TOKEN": `<value of XSRF-TOKEN cookie>`
  },
  body: JSON.stringify({
    email: 'firestar@spider.man',
    username: 'Firestar',
    password: ''                        // Empty password
  })
}).then(res => res.json()).then(data => console.log(data));

You should receive a "Bad request" error with a message about the password being too short.

Test with an invalid email format:

fetch('/api/users', {
  method: 'POST',
  headers: {
    "Content-Type": "application/json",
    "XSRF-TOKEN": `<value of XSRF-TOKEN cookie>`
  },
  body: JSON.stringify({
    email: 'not-an-email',              // Invalid email format
    username: 'Firestar',
    password: 'password'
  })
}).then(res => res.json()).then(data => console.log(data));

You should receive a "Bad request" error with a message about providing a valid email.

Test with a short username:

fetch('/api/users', {
  method: 'POST',
  headers: {
    "Content-Type": "application/json",
    "XSRF-TOKEN": `<value of XSRF-TOKEN cookie>`
  },
  body: JSON.stringify({
    email: 'firestar@spider.man',
    username: 'Fir',                    // Too short (less than 4 characters)
    password: 'password'
  })
}).then(res => res.json()).then(data => console.log(data));

You should receive a "Bad request" error with a message about providing a username with at least 4 characters.

Test with a username that's an email:

fetch('/api/users', {
  method: 'POST',
  headers: {
    "Content-Type": "application/json",
    "XSRF-TOKEN": `<value of XSRF-TOKEN cookie>`
  },
  body: JSON.stringify({
    email: 'firestar@spider.man',
    username: 'user@example.com',       // Username is an email format
    password: 'password'
  })
}).then(res => res.json()).then(data => console.log(data));

You should receive a "Bad request" error with a message about the username not being an email.

Comprehensive Testing: These tests cover various validation scenarios:

Empty password test: Checks both exists({ checkFalsy: true }) and isLength({ min: 6 }) validators
Invalid email test: Checks the isEmail() validator
Short username test: Checks the isLength({ min: 4 }) validator
Username-as-email test: Checks the not().isEmail() validator

Additional tests you might consider:

Testing multiple validation errors simultaneously
Testing edge cases (username exactly 4 characters, password exactly 6 characters)
Testing with missing fields (omitting email, username, or password entirely)

Error Priority: Note that express-validator stops at the first validation error for each field. If a field fails multiple validations, only the first error message will be returned. This is intentional to avoid overwhelming users with multiple error messages for a single field.

Committing and Merging the Signup Validation Branch

Once you've confirmed that the signup validation is working, commit your changes and merge them into the dev branch:

git add .
git commit -m "Add User input validation on user signup backend endpoint"
git checkout dev
git pull origin dev
git merge validate-signup-inputs
git push origin dev

Understanding Request Validation

The Importance of Validation

Request validation is a critical aspect of web application security and user experience. Here's why it matters:

Security: Validation helps prevent injection attacks and other security vulnerabilities by ensuring that inputs conform to expected formats.
Data Integrity: It ensures that the data stored in your database is consistent and valid, preventing corruption or inconsistencies.
User Experience: By validating inputs early and providing clear error messages, you help users understand and correct their mistakes quickly.
Server Efficiency: It's more efficient to validate inputs before performing database operations or complex processing.

Validation vs. Sanitization: It's important to understand the difference:

Validation checks if data conforms to expected formats and rules
Sanitization modifies input data to make it safe for use

For example:

Validation would reject an email without an @ symbol
Sanitization would remove dangerous characters from a string to prevent XSS attacks

express-validator supports both, though we've focused on validation in this tutorial.

OWASP Recommendations: The Open Web Application Security Project (OWASP) lists improper input validation as one of the top security risks. Their recommendations include:

Validate all inputs on the server side (even if client-side validation exists)
Define strict schemas for all inputs
Validate type, length, format, and business rules
Reject invalid input rather than attempting to sanitize potentially malicious content

Validation Layers

In a robust application, validation typically occurs at multiple layers:

Client-side validation: Provides immediate feedback to users and improves the user experience.
API validation: Ensures that all incoming requests meet your requirements, regardless of the client (which we've implemented in this phase).
Database constraints: Provides a final layer of protection for your data.

By implementing validation at each layer, you create a defense-in-depth approach that ensures data quality and security.

Validation Layers in Detail:

1. Client-side Validation:

Purpose: Provide immediate feedback to users
Implementation: JavaScript form validation, HTML5 form attributes
Advantages: Better user experience, reduces server load
Limitations: Can be bypassed easily, not reliable for security

2. API Validation (what we've implemented):

Purpose: Ensure all inputs meet requirements before processing
Implementation: Middleware validation (express-validator)
Advantages: Centralized, consistent, applies to all clients
Security: Critical for protecting against malicious inputs

3. Database Constraints:

Purpose: Last line of defense for data integrity

Implementation: Database schema constraints, ORM validations

Advantages: Ensures data integrity even if application logic has bugs

Limitations: Limited to data type and format constraints, less helpful error messages

Example Validation Flow:

User submits form with password "123" ↓ 1. Client-side validation: "Password must be at least 6 characters" ↓ User bypasses client validation and sends request directly to API ↓ 2. API validation: Returns 400 Bad Request with error message ↓ Hacker attempts to modify database directly ↓ 3. Database constraint: Column definition requires min length

Real-world Examples

Request validation is used extensively in real-world applications:

E-commerce platforms validate payment information to ensure it's in the correct format before processing transactions.

Social media sites validate posts and comments to prevent spam and enforce content policies.

Banking applications validate transfer amounts and account numbers to prevent errors and fraud.

Email services validate email addresses to ensure deliverability.

In each case, validation helps protect both the application and its users from errors, security issues, and poor user experiences.

Real-world Validation Examples in Detail:

Payment Processing:

Credit card number format and Luhn algorithm check

Expiration date validation (must be in future)

CVV length and format validation

Postal code format validation (country-specific)

User Registration:

Password strength requirements (complexity rules)

Username availability and format checks

Age verification (for age-restricted services)

Address validation against postal databases

Content Submission:

Maximum and minimum length checks

Prohibited content filtering (profanity, spam patterns)

File upload type, size, and content validation

Rate limiting to prevent abuse

These examples demonstrate how validation isn't just about security—it also improves reliability, data quality, and user experience.

Enhancing the User Model

Adding firstName and lastName Attributes

Now that we have validation in place, let's enhance our User model by adding firstName and lastName attributes. This requires changes to our migration files, model definitions, and route handlers.

Updating the Migration File

First, let's create a new migration to add these columns to the Users table:

npx sequelize migration:generate --name add-first-last-name-to-users

Edit the newly created migration file to add the new columns:

// backend/db/migrations/XXXXXXXXXXXXXX-add-first-last-name-to-users.js 'use strict'; let options = {}; if (process.env.NODE_ENV === 'production') { options.schema = process.env.SCHEMA; // define your schema in options object } module.exports = { async up(queryInterface, Sequelize) { await queryInterface.addColumn('Users', 'firstName', { // Add firstName column type: Sequelize.STRING, allowNull: true // Make it optional }, options); await queryInterface.addColumn('Users', 'lastName', { // Add lastName column type: Sequelize.STRING, allowNull: true // Make it optional }, options); }, async down(queryInterface, Sequelize) { options.tableName = "Users"; await queryInterface.removeColumn(options, 'firstName'); // Remove in down migration await queryInterface.removeColumn(options, 'lastName'); // Remove in down migration } };

Run the migration to add these columns to the database:

npx dotenv sequelize db:migrate

Database Migration Process:

This migration demonstrates how to evolve a database schema over time without disrupting existing data:

Generate a migration file that describes the changes

Define "up" function that applies the changes (adds columns)

Define "down" function that reverses the changes (removes columns)

Run the migration to apply changes to the database

Design Considerations:

We set allowNull: true so these new fields are optional. This is important because:

Existing user records won't have these fields

We may not want to require users to provide this information

We don't specify a length constraint as we did with username and email, using the default STRING length

Production Support: The options object and schema handling ensure this migration works properly in both development (SQLite) and production (PostgreSQL) environments.

Updating the User Model

Now, let's update the User model to include these new attributes:

// backend/db/models/user.js 'use strict'; const { Model, Validator } = require('sequelize'); module.exports = (sequelize, DataTypes) => { class User extends Model { static associate(models) { // define association here } } User.init( { username: { type: DataTypes.STRING, allowNull: false, unique: true, validate: { len: [4, 30], isNotEmail(value) { if (Validator.isEmail(value)) { throw new Error('Cannot be an email.'); } }, }, }, email: { type: DataTypes.STRING, allowNull: false, unique: true, validate: { len: [3, 256], isEmail: true, }, }, hashedPassword: { type: DataTypes.STRING.BINARY, allowNull: false, validate: { len: [60, 60], }, }, firstName: { // Add firstName attribute type: DataTypes.STRING, allowNull: true, // Optional field }, lastName: { // Add lastName attribute type: DataTypes.STRING, allowNull: true, // Optional field }, }, { sequelize, modelName: 'User', defaultScope: { attributes: { exclude: ['hashedPassword', 'createdAt', 'updatedAt'], // Exclude sensitive fields }, }, } ); return User; };

Model Updates vs. Migrations:

It's important to understand how these two components work together:

Migrations change the database schema (adding columns)

Model updates change how Sequelize interacts with the database

Both must be kept in sync for the application to work correctly.

Model Implementation Details:

We don't add any special validations to firstName and lastName

The defaultScope still excludes sensitive fields, but firstName and lastName will be included by default

We could add validations if needed, such as:

Maximum length constraints

Character set restrictions (e.g., letters only)

Capitalization rules

Note: When adding new fields to an existing model, consider whether you need to update existing records. In this case, we're making the fields optional, so no updates to existing records are required.

Updating the Route Handlers

Finally, let's update our route handlers to include these new attributes. First, update the signup route in backend/routes/api/users.js:

// backend/routes/api/users.js // ... existing code // Sign up router.post( '/', validateSignup, async (req, res) => { const { email, password, username, firstName, lastName } = req.body; // Extract new fields const hashedPassword = bcrypt.hashSync(password); const user = await User.create({ email, username, hashedPassword, firstName, // Include firstName lastName // Include lastName }); const safeUser = { id: user.id, email: user.email, username: user.username, firstName: user.firstName, // Include in response lastName: user.lastName // Include in response }; await setTokenCookie(res, safeUser); return res.json({ user: safeUser }); } ); // ... rest of the file

Next, update the login route in backend/routes/api/session.js:

// backend/routes/api/session.js // ... existing code // Log in router.post( '/', validateLogin, async (req, res, next) => { // ... existing code to find the user const safeUser = { id: user.id, email: user.email, username: user.username, firstName: user.firstName, // Include firstName lastName: user.lastName // Include lastName }; await setTokenCookie(res, safeUser); return res.json({ user: safeUser }); } ); // ... existing code // Restore session user router.get( '/', (req, res) => { const { user } = req; if (user) { const safeUser = { id: user.id, email: user.email, username: user.username, firstName: user.firstName, // Include firstName lastName: user.lastName // Include lastName }; return res.json({ user: safeUser }); } else return res.json({ user: null }); } ); // ... rest of the file

Remember to also update the setTokenCookie function in backend/utils/auth.js to include these new attributes in the JWT payload:

// backend/utils/auth.js // ... existing code // Sends a JWT Cookie const setTokenCookie = (res, user) => { // Create the token. const safeUser = { id: user.id, email: user.email, username: user.username, firstName: user.firstName, // Include firstName in token lastName: user.lastName // Include lastName in token }; // ... rest of the function }; // ... rest of the file

JWT Payload Considerations:

When adding fields to the JWT token, consider these factors:

Token Size: JWTs are included in every request, so keeping them small improves performance

Data Sensitivity: Only include non-sensitive information that's needed by the client

Data Staleness: Information in the token won't update until a new token is issued

In this case, including firstName and lastName makes sense because:

They're relatively small fields

They're not sensitive information

The client likely needs them for displaying user information

Route Handler Updates: We update all three key endpoints:

Signup: Accept and store new fields from request

Login: Include new fields in response

Get Session User: Include new fields in response

This ensures consistent handling of these fields throughout the authentication flow.

Testing the Changes

Let's test our changes to ensure they're working correctly. First, try signing up a new user with first and last names:

fetch('/api/users', { method: 'POST', headers: { "Content-Type": "application/json", "XSRF-TOKEN": `<value of XSRF-TOKEN cookie>` }, body: JSON.stringify({ email: 'thor@avengers.com', username: 'ThunderGod', password: 'mjolnir', firstName: 'Thor', // Include first name lastName: 'Odinson' // Include last name }) }).then(res => res.json()).then(data => console.log(data));

Then, check if you can retrieve the user's information including the first and last names:

fetch('/api/session') .then(res => res.json()) .then(data => console.log(data));

You should see the user's information including the firstName and lastName attributes.

Testing Enhanced Model:

When testing, verify that:

Signup response includes firstName and lastName in the returned user object

JWT token includes the new fields (check with a JWT debugger like jwt.io)

Session endpoint returns the new fields when logged in

Existing users still work correctly (fields may be null)

Test Different Scenarios:

Create user with firstName and lastName

Create user with only firstName (omitting lastName)

Create user with neither (should still work since they're optional)

Database Verification: You can also directly verify the database using the SQLite command:

sqlite3 db/dev.db "SELECT id, username, firstName, lastName FROM Users WHERE username = 'ThunderGod';"

Wrapping Up the Backend

Congratulations! You've now completed the backend implementation of your authentication system. Let's summarize what you've accomplished:

Set up a robust Express application structure

Implemented database models with Sequelize

Added error handling middleware

Created authentication utilities using JWT

Implemented login, logout, signup, and session retrieval routes

Added validation to ensure data integrity and security

Enhanced the User model with additional attributes

Your backend now provides a solid foundation for building the frontend of your application. It includes all the necessary endpoints for user authentication and incorporates best practices for security and data validation.

Architecture Review:

Let's review the architecture we've built:

┌───────────────────────────────────────────────────────────┐ │ Express App │ │ │ │ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │ │ │ Routes │ │ Middlewares │ │ Utilities │ │ │ │ │ │ │ │ │ │ │ │ /api/users │ │ Error │ │ JWT Auth │ │ │ │ /api/session│ │ CSRF │ │ Validation │ │ │ │ │ │ Validation │ │ │ │ │ └─────────────┘ └─────────────┘ └─────────────┘ │ │ │ │ ┌─────────────────────────────────────────────────────┐ │ │ │ Sequelize ORM │ │ │ │ │ │ │ │ ┌─────────────┐ ┌─────────────┐ │ │ │ │ │ Models │ │ Migrations │ │ │ │ │ │ │ │ │ │ │ │ │ │ User │ │ Create User │ │ │ │ │ │ │ │ Add fields │ │ │ │ │ └─────────────┘ └─────────────┘ │ │ │ └─────────────────────────────────────────────────────┘ │ │ │ └───────────────────────────────────────────────────────────┘ ▲ │ │ ▼ ┌───────────────────────┐ ┌─────────────────────────┐ │ Client Application │ │ Database │ │ (Frontend) │ │ SQLite (Dev) │ └───────────────────────┘ │ PostgreSQL (Prod) │ └─────────────────────────┘

Key Components:

API Routes: Handle client requests for authentication

Middlewares: Provide security, validation, and error handling

Utilities: Implement JWT authentication and validation logic

Sequelize ORM: Manages database interactions and schema

Models: Define data structure and validations

Migrations: Manage database schema evolution

Security Measures Implemented:

Password hashing with bcrypt

JWT authentication with secure cookies

CSRF protection

Input validation

Proper error handling

Protection of sensitive fields

Next Steps

With the backend complete, here are some possible next steps:

Deploy the backend: Set up your application on a cloud platform like Render.

Build the frontend: Create a user interface that interacts with your backend API.

Add more features: Implement additional functionality like user profiles, permissions, or content management.

Enhance security: Consider adding features like rate limiting, account lockouts, or multi-factor authentication.

Remember to keep the POST /api/test route in your backend/routes/api/index.js file for now. You'll use it later when setting up your frontend.

Advanced Features to Consider:

1. Email Verification:

Add a verified flag to the User model

Generate verification tokens

Send verification emails

Create an endpoint to verify tokens

2. Password Reset:

Create a reset token model

Implement a "forgot password" endpoint

Send reset emails with secure tokens

Create an endpoint to process reset requests

3. Role-based Authorization:

Add roles to the User model

Create role-checking middleware

Apply middleware to protected routes

4. Account Management:

Profile updates

Password changes

Account deletion

Session management across devices

5. Security Enhancements:

Rate limiting to prevent brute force attacks

API key management for third-party integrations

Two-factor authentication

Login attempt tracking and account lockouts

Final Thoughts

Building a robust authentication system is a significant accomplishment. The concepts and patterns you've learned in this tutorial are widely used in professional web development and will serve as a foundation for more complex applications in the future.

Remember that authentication is just one aspect of application security. As you continue to develop your application, be mindful of other security considerations such as authorization (controlling what authenticated users can do), data protection, and secure communication.

Authentication vs. Complete Security:

While we've built a solid authentication system, complete application security involves many other aspects:

Authorization: Determining what authenticated users can access and do

Data Security: Encrypting sensitive data at rest and in transit

API Security: Rate limiting, IP restrictions, and usage monitoring

Infrastructure Security: Server hardening, network security, regular updates

Security Auditing: Logging, monitoring, and regular security reviews

Professional Growth: As you continue to develop your skills, consider exploring:

OAuth and OpenID Connect for third-party authentication

Security standards like OWASP Top 10

Advanced database security techniques

Compliance requirements for different industries (GDPR, HIPAA, etc.)

The authentication system you've built is a great foundation that can be extended to incorporate these more advanced security features as your application grows.