Inventory

Github Repository

A web-based inventory management solution for the lab, adapted from an undergraduate student project. It is split into a front end interface built with React and a back end using Express and SQLite, both hosted on the droplet in slightly different ways (see deployment).

Back End - droplet.bci4kids.ca/inventory

The core application, providing a public API retrofitted with token authentication so that it can be served securely over the open web. The code structure has also been overhauled to make future development easier.

Endpoints

Available endpoints are split into Express routers, each implemented in its own script and mapped to a specific route. Each router then specifies and implements its methods using imported database methods and helper functions.

Database Methods

Any queries run on the database are split off into their own scripts, which are imported and used by the endpoints. These methods are structured largely as single SQL statements executed by helper functions. This structure is intended to maximize maintainability.

Documentation

All implemented endpoints are documented in markdown files structured by the routes they document, including a central index and internal links, all served publicly at the back end address as plain HTML. These documents act as an outline for back end development, a source of truth for the repository, and a helpful reference guide for front end development. I highly recommend this or any similar approach when developing your own applications.

Authentication [1]

Other than logging in, logging out, or creating an account, access to API methods is restricted to users who have been verified by a site administrator. This is enforced with JSON Web Tokens (JWTs). When a user logs in with their account credentials, the server responds with an access token signed with a secret key. The client application must then send this access token with subsequent requests to protected endpoints, and the server validates it with the same secret key. User roles are also encoded into the token, which lets the server restrict endpoints according to permissions without a database lookup on every request.

However, this access token is, by necessity, fully exposed to the client application. Giving the token a short lifetime limits the damage a leaked token can do. To keep the user experience smooth, a second “refresh” token is stored in an HttpOnly cookie, which page scripts cannot read and only the back end receives. This token is presented implicitly in place of the user’s credentials to obtain a fresh access token when the old one expires.

Scripts

There are a couple scripts included in the back end to run maintenance or recovery tasks:

node scripts/createAdminAccount <name> <email> <password>
node scripts/runSQL <filepath>

Issues

The primary development concern of this application is the lack of a test suite.

Front End - inventory.bci4kids.ca

The client-side interface, providing buttons, input fields, and informative displays for the back end methods. Pages are defined explicitly for each view/add/edit operation, each in its own script.

User Access Context

Authentication requirements from the back end are met by a React context and custom fetch hooks which store and attach the access token. The custom fetch hooks also parse response bodies and handle errors.

References

  1. Authentication with Javascript Web Tokens