JOB API - GitHub repository: https://github.com/cholakovit/jobApi
This is a demo Job API, users are able to create jobs and user accounts. It is not completed yet, but I am adding features regularly!
A user is able to create a job post and tags for each job after he is authenticated. To achieve this i used Many-to-Many with Two-way Referencing Strategy, To speed up the response, I used compression dependency. The API has good security features implemented, like: CORS, request sanitazation against XSS attacks, CSURF, enforce HTTPS, JWT, logging, rate limiter against brute-force attack and etc.
Indexes have been strategically added to key fields in the database schemas to improve query performance and ensure data integrity, such as indexing job titles, locations, and employment types, as well as ensuring unique usernames and job-tag pairs.
Additionally, a histogram metric has been implemented to track API request durations, enabling performance monitoring and optimization.
Features:
- CRUD module for jobs
- Tags for jobs using Many-to-Many with Two-way Referencing Strategy
- CRUD module for users
- User registration and authentication
- Security
- Indexing
- Monitoring - Prometheus and Grafana
Click here to read How to optimize Mongo DB Query (Linear VS Exponential Change) to achieve higher performance
Click here to read about different stratigies for search items based on tags
Main Technologies:
- ExpressJS
- TypeScript
- Mongoose
- MongoDB
- JWT
- argon2: Argon2 is a password hashing algorithm that is widely recognized for its security and efficiency. It was chosen as the winner of the Password Hashing Competition in 2015, a contest aimed at identifying a new standard for hashing passwords securely.
- compression: This is a middleware that compresses response bodies using various algorithms, such as gzip, deflate, or Brotli. When the client supports one of these compression methods, the server can compress the response before sending it to the client. This reduces the amount of data transferred over the network, which can improve load times and reduce bandwidth usage.
- CSURF: One common and effective method to prevent CSRF attacks is using CSRF tokens. A CSRF token is a unique, secret, and unpredictable value that is generated by the server and included in requests that alter the state on the server.
- snyk: Regularly updating your dependencies is crucial for mitigating vulnerabilities in your application. Tools like npm audit and Snyk can help you identify and fix security issues in your dependencies.
Screenshot of Snyk code analysis showing an open redirect vulnerability in the ExpressJS application code. - cors: (Cross-Origin Resource Sharing) is a security feature that allows web applications to control and restrict which external domains can access their resources by specifying allowed origins and HTTP methods.
- dompurify: Is a JS library that sanitizes HTML and prevents XSS (cross-site scripting) attacks by cleaning and sanitizing user-generated content in web applications.
- jsdom: Is a JS implementation of the DOM (Document Object Model) that enables server-side manipulation and parsing of HTML and XML documents in Node.js.
- dotenv: Is a zero-dependency module that loads environment variables from a .env file into process.env, allowing you to manage sensitive configuration data separately from your codebase.
- express-rate-limit: Is a middleware for ExpressJS that helps to limit repeated requests to public APIs and/or endpoints, protecting against brute-force attacks.
- helmet: Is an ExpressJS middleware that helps secure your app by setting various HTTP headers to protect against common web vulnerabilities, such as cross-site scripting (XSS), clickjacking, content security policy, and other common attacks that can exploit web application security flaws.
- enforce HTTPS: Use Helmet’s HSTS module to ensure that browsers only access your server over HTTPS, preventing SSL stripping attacks.
- http-status-codes: Is a Node.js module that provides a comprehensive list of HTTP status codes and their associated messages for easy use in web applications.
- jsonwebtoken: Is a library used for generating and verifying JSON Web Tokens (JWT) to securely transmit information between parties as a JSON object. Your JWT_SECRET should be a long and complex string. A strong secret typically includes a mix of uppercase and lowercase letters, numbers, and special characters. Consider using a shorter expiration time and implementing refresh tokens for maintaining user sessions.
- log4js: Is a logging library for Node.js, inspired by Apache Log4j, that provides a flexible and powerful logging framework to capture, format, and manage log messages.
- mongoose: Is an Object Data Modeling (ODM) library for MongoDB and Node.js that provides a schema-based solution to model your application data, including built-in type casting, validation, query building, and business logic hooks.
- nodemon: Is a development tool that automatically restarts your Node.js application when it detects file changes, enhancing the development workflow.
- Grafana: Is an open-source analytics and monitoring platform used to visualize and analyze data collected from various sources.
Grafana dashboard interface displaying data visualizations and metrics from various data sources. - Prometheus: Is an open-source monitoring and alerting toolkit designed for reliability and scalability. It is primarily used for time-series data collection and analysis, especially in cloud-native and microservices environments.
Prometheus, representing the open-source monitoring and alerting toolkit designed for time-series data collection and analysis.