1. Introduction
This assignment required creating a secure e-commerce web application using Node.js, Express, MongoDB, and Auth0. The main focus was on implementing user authentication, access control, and preventing common security vulnerabilities as described in the OWASP Top 10. The application lets users purchase products and view their orders, and restricts every action to the authenticated user who owns the data.
2. Features Implemented
The main functionalities implemented in this project include:
Login and logout using Auth0 → Users can securely log in and log out via a cloud-based Identity Provider.
Purchase form to order products → Users can select date, delivery time, location, product, quantity, and add a message.
Orders page to view your own orders → Each user can only see and manage their own orders.
Orders saved in MongoDB → All purchase data is securely stored in a database.
Input validation and date restrictions → Prevents selection of past dates or Sundays.
3. Security Measures
To ensure the application is secure, the following measures were implemented:
XSS prevention → All user inputs are escaped before being rendered, so any injected markup or script is displayed as plain text instead of being executed by the browser.
CSRF protection → Added csurf middleware with hidden form tokens to prevent unauthorized form submissions.
Input validation → Only allowed products, time slots, locations, and quantities are accepted to prevent invalid or malicious data.
Authenticated-only routes → The requiresAuth middleware ensures only logged-in users can access /purchase and /myorders.
Sensitive data protection → Secrets like Auth0 credentials and MongoDB connection strings are stored in .env files and not exposed in code.
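The input validation and output escaping described above, written out as an added example; this is not code from the original project. The allowed products, time slots, locations and limits are constructed placeholders standing in for the real catalogue, and the `today` parameter is injected so the date rule can be exercised deterministically. The date check treats the submitted value as a UTC calendar date and rejects past dates, Sundays, and impossible dates such as 2024-02-30 that `new Date()` would otherwise roll over silently.

```javascript
// Added example: server-side validation for the purchase form plus HTML
// escaping for rendering. The allowed values are constructed placeholders,
// not the project's actual product catalogue.
const ALLOWED_PRODUCTS = new Set(['widget', 'gadget']);
const ALLOWED_TIME_SLOTS = new Set(['10:00', '11:00', '12:00']);
const ALLOWED_LOCATIONS = new Set(['colombo', 'kandy']);
const MAX_QUANTITY = 10;
const MAX_MESSAGE_LENGTH = 200;

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Parse YYYY-MM-DD strictly as a UTC calendar date; returns null on bad input.
function parseDeliveryDate(str) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(str || '');
  if (!m) return null;
  const [year, month, day] = [+m[1], +m[2], +m[3]];
  const d = new Date(Date.UTC(year, month - 1, day));
  // Reject dates like 2024-02-30, which Date would silently roll into March.
  if (d.getUTCFullYear() !== year || d.getUTCMonth() !== month - 1 || d.getUTCDate() !== day) {
    return null;
  }
  return d;
}

// Validate the whole purchase form. `today` is injectable for testing and
// defaults to the current UTC date. Returns either { ok: true, order } with
// only whitelisted fields, or { ok: false, errors }.
function validatePurchase(body, today = new Date()) {
  const errors = [];
  const date = parseDeliveryDate(body.date);
  if (!date) {
    errors.push('date must be YYYY-MM-DD');
  } else {
    const startOfToday = Date.UTC(today.getUTCFullYear(), today.getUTCMonth(), today.getUTCDate());
    if (date.getTime() < startOfToday) errors.push('date cannot be in the past');
    if (date.getUTCDay() === 0) errors.push('no deliveries on Sundays');
  }
  if (!ALLOWED_PRODUCTS.has(body.product)) errors.push('unknown product');
  if (!ALLOWED_TIME_SLOTS.has(body.time)) errors.push('invalid time slot');
  if (!ALLOWED_LOCATIONS.has(body.location)) errors.push('invalid location');
  const quantity = Number(body.quantity);
  if (!Number.isInteger(quantity) || quantity < 1 || quantity > MAX_QUANTITY) {
    errors.push('quantity out of range');
  }
  const message = typeof body.message === 'string' ? body.message : '';
  if (message.length > MAX_MESSAGE_LENGTH) errors.push('message too long');

  if (errors.length > 0) return { ok: false, errors };
  // Re-build the order from validated fields only; unknown keys are dropped.
  return {
    ok: true,
    order: { date: body.date, product: body.product, time: body.time,
             location: body.location, quantity, message },
  };
}

module.exports = { escapeHtml, parseDeliveryDate, validatePurchase };
```

The message field is stored raw and escaped with `escapeHtml` at render time rather than at input time, so the same value can later be emitted safely into HTML, JSON, or an email template with the escaping appropriate to each context.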
4. Challenges Faced
During the development process, the following challenges were encountered:
Integrating Auth0 login/logout → Understanding OIDC flow and mapping user information to the app.
Validating purchase dates → Ensuring users cannot select past dates or Sundays required additional date logic.
Setting up CSRF protection → Learning how to implement csurf and include tokens in forms.
Filtering orders per user → Making sure each user only sees their own orders required proper middleware and database queries.
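The per-user order filtering mentioned above, as an added example rather than the project's own code. It assumes the Auth0 session is exposed as `req.oidc.user.sub` (the express-openid-connect convention) and that `requiresAuth` has already rejected anonymous requests; the handlers still fail closed if that identity is missing. The owner identity is taken only from the session, never from the request body or query string, and every database filter includes `ownerSub`, so ownership is enforced by the query itself. The in-memory collection stands in for MongoDB and is kept synchronous here; real collection calls are awaited.

```javascript
// Added example: scoping every order query to the authenticated user.
// FakeCollection is a constructed, synchronous stand-in for a MongoDB collection.

// Read the subject claim from the session; fail closed if it is absent.
function ownerSubOf(req) {
  const sub = req && req.oidc && req.oidc.user && req.oidc.user.sub;
  if (typeof sub !== 'string' || sub.length === 0) throw new Error('unauthenticated');
  return sub;
}

// Build the MongoDB filter. ownerSub is always present, so even a single-order
// lookup by id cannot return another user's document.
function orderFilter(ownerSub, orderId) {
  const filter = { ownerSub };
  if (orderId !== undefined) filter._id = orderId;
  return filter;
}

// Minimal stand-in supporting the find/findOne/insertOne calls used below.
class FakeCollection {
  constructor(docs = []) { this.docs = docs; }
  matches(doc, filter) { return Object.keys(filter).every((k) => doc[k] === filter[k]); }
  find(filter) { return this.docs.filter((d) => this.matches(d, filter)); }
  findOne(filter) { return this.docs.find((d) => this.matches(d, filter)) || null; }
  insertOne(doc) { this.docs.push(doc); return { insertedId: doc._id }; }
}

// GET /myorders: list only the caller's orders.
function listMyOrders(req, orders) {
  return orders.find(orderFilter(ownerSubOf(req)));
}

// GET /myorders/:id: another user's order id yields 404 rather than 403,
// so the response does not reveal that the order exists.
function getMyOrder(req, orders) {
  const order = orders.findOne(orderFilter(ownerSubOf(req), req.params.id));
  return order ? { status: 200, body: order } : { status: 404, body: { error: 'not found' } };
}

// POST /purchase: stamp ownerSub from the session last, so any ownerSub the
// client smuggled into the form body is overwritten.
function createOrder(req, orders, validatedOrder) {
  const ownerSub = ownerSubOf(req);
  const doc = { ...validatedOrder, _id: `order-${orders.docs.length + 1}`, ownerSub };
  orders.insertOne(doc);
  return doc;
}

// Constructed sample data: two users, three orders.
const sampleOrders = new FakeCollection([
  { _id: 'order-1', ownerSub: 'auth0|alice', product: 'widget', quantity: 1 },
  { _id: 'order-2', ownerSub: 'auth0|bob', product: 'gadget', quantity: 2 },
  { _id: 'order-3', ownerSub: 'auth0|alice', product: 'gadget', quantity: 3 },
]);

// Build a request shaped like express-openid-connect would produce.
function fakeReq(sub, params = {}) {
  return { oidc: { user: { sub } }, params };
}

module.exports = { ownerSubOf, orderFilter, FakeCollection, listMyOrders, getMyOrder, createOrder, sampleOrders, fakeReq };
```

Putting `ownerSub` into the filter, rather than fetching by `_id` and comparing the owner afterwards, means a forgotten check in a new route still cannot leak data: the database simply returns nothing for an id the caller does not own.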
5. Learning Outcomes
From this assignment, I gained the following knowledge and skills:
Secure web development practices → How to protect applications from XSS, CSRF, and authentication bypass.
Working with Node.js, Express, and MongoDB → Building a secure backend and managing database operations safely.
Understanding and mitigating OWASP Top 10 vulnerabilities → Applying preventive measures in real-world scenarios.
Integrating cloud-based authentication → Using Auth0 for secure login and access control.
6. Conclusion
This assignment provided hands-on experience in building a secure web application from scratch while following best practices for authentication, access control, and input validation. By combining Node.js, Express, MongoDB, and Auth0, I was able to implement a functional e-commerce system that meets the security standards required in modern web development.