Exercise 4

[NicolasTsc]

Unser Codereview: Systems-Development-and-Frameworks/AlElMo#7 (review)

[roschaefer]

I received an E-Mail from a member of your group, asking me to do a Feedback-Review until Wednesday. Please request a review from @mentors in the first week next time.

See my suggestions below.

[roschaefer]

Suggested change

	touch .env
	echo JWTSECRET=$JWTSECRET >> .env

[roschaefer]

If you use dotenv or dotenv-flow you can overwrite those values specified in .env with your current process.env.

Have you tried deleting .env and then run your sever with:

$ JWTSECRET=whatever yarn run dev

This should work.

[NicolasTsc]

Thanks for the review Robert. As I cant comment your review message I have to write it here. We actually did request a mentors-review in the first week of the exercise, so maybe the notification didnt work as expected.

[roschaefer]

That's the only necessary line of code.

[roschaefer]

You could also check in a .env.template with dummy secrets and then tell the user to

$ cp .env.template .env

this file.

[roschaefer]

Suggested change

	require('dotenv').config()
	const testContext = (testToken?) => {
	let token = testToken || ''
	token = token.replace('Bearer ', '')
	try {
	const decodedJwt = jwt.verify(
	token,
	process.env.JWTSECRET
	)
	return { decodedJwt }
	} catch (e) {
	return {}
	}
	}
	import context from './context'
	const reqMock
	const testContext = () => context({ req: reqMock })
	beforeEach(() => {
	reqMock = {} // by default
	})
	// later in your test cases that simulate a logged in user
	beforeEach(() => {
	reqMock = { headers: { authorization: `Bearer ${testToken}` } }
	})

[roschaefer]

See: apollographql/apollo-server#2277 (comment)

[roschaefer]

This will call testContext(testToken) when you run setupServer:

Suggested change

	context: testContext(testToken), // not sure if this is the correct way. but we didn`t find another solution to add the token as request (see https://github.com/apollographql/apollo-server/issues/2277)
	context: testContext(testToken),

This gives you extra flexibility, because it's called when you run query or mutate:

Suggested change

	context: testContext(testToken), // not sure if this is the correct way. but we didn`t find another solution to add the token as request (see https://github.com/apollographql/apollo-server/issues/2277)
	context: () => testContext(testToken),

[roschaefer]

Why do you require('dotenv').config() so often? I would expect only one file to require it and this file gets imported wherever needed.

[roschaefer]

Suggested change

	if (this.users.find(user => user.id === id)) {
	return true
	} else {
	return false
	}
	return this.users.find(user => user.id === id)

[roschaefer]

Suggested change

	return jwt.sign({ id: foundUser.id }, process.env.JWTSECRET, { algorithm: 'HS256' })
	return jwt.sign({ id: foundUser.id }, JWTSECRET, { algorithm: 'HS256' })

Your JWTSECRET could be a constant imported from src/import which is the file calling require('dotenv').config().

[roschaefer]

import { AuthenticationError } from 'apollo-server'
// ...
if (foundUser && foundUser.checkPassword(password)) return jwt.sign({ id: foundUser.id }, JWTSECRET)
throw new Error('Wrong email/password combination')

[roschaefer]

Prefer guard-clauses over nested if-clauses, for readability:

Suggested change

	if (password.length >= 8) {
	if (password.length < 8) throw new UserInputError('Password must have at least 8 characters')

[NicolasTsc]

Why is the thrown error in the tests or the graphql playground "Not Authorized" even if we throw different errors here?

[roschaefer]

I believe you must allowExternalErrors: true in graphql-shield.

[AlexHTW]

Well done! Looks like you successfully implemeted all the objectives.

[AlexHTW]

Great tests!
⭐ For a software-tested signup feature.

[AlexHTW]

One more:
⭐ For a software-tested login feature.

[AlexHTW]

You earned a
⭐ For unique email address validation.

[AlexHTW]

Now you even earned two at once!
⭐ For an implemented login feature using JWT.
⭐ For password validation.

[AlexHTW]

Good job.
⭐ For an implemented signup feature.

[AlexHTW]

⭐ For assigning the authenticated user to a post in write and upvote mutations.

[roschaefer]

Hey Felni, this is a great submission! You achieved all 10/10 ⭐ in
particular:

⭐ For an implemented signup feature.

⭐ For a software-tested signup feature.

⭐ For password validation.

⭐ For unique email address validation.

⭐ For not having security issues according to instructions.

⭐ For an implemented login feature using JWT.

⭐ For a software-tested login feature.

⭐ For assigning the authenticated user to a post in write and upvote mutations.

⭐ For requesting a review and reviewing another team's PR according to the instructions.

⭐ For a successful rebase on homework/main.

Since my last review, you haven't implemented all suggestions. So please have a
look. I think you could refactor your tests in general:

• Check what needs to be re-initialized. Only datasources and context needs
  to be re-initialized, usually.

• Prefer to use .toMatchObject expectation when checking GraphQL responses. You
  can check a lot more and it's easier to read.

• Move as much logic as possible from the test code into the imported code. You
  loose test coverage if you implement parts of the code in your tests (e.g.
  password hashing, schema setup).

[roschaefer]

Why is it necessary that you call hashSync in the test? Why don't you simply put that into the constructor?

[roschaefer]

A post should never have no author!

[roschaefer]

I think this should be below the outmost if statement. What if foundUser is falsy?