- List all the parties in the database
  - Display all public parties
  - Pagination
  - Limit number of results
  - Search by party name or ID
  - Filter by tags
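Added example, not the project's own code: how the listing route above can turn an already-parsed query string (search, tags, pagination, comparison filters) into a MongoDB-style filter while only honouring a whitelist of fields and operators, so a client cannot smuggle `$where` or other operators into the query. The field names (`name`, `tags`, `isPublic`, `capacity`), the default limit and the maximum limit are assumptions.

```javascript
// Added example, not the project's own code. Builds the MongoDB-style filter and
// pagination options for the party listing from an already-parsed query string.
// Only whitelisted fields and comparison operators are honoured, so a client cannot
// inject `$where` or other operators. Field names (name, tags, isPublic, capacity)
// and the limits are assumptions; the real schema may differ.

const FIELD_TYPES = { isPublic: 'boolean', capacity: 'number' }; // assumed filterable fields
const ALLOWED_OPS = new Set(['gt', 'gte', 'lt', 'lte']);
const DEFAULT_LIMIT = 25;
const MAX_LIMIT = 100;

// Escape user input before it goes into a $regex, otherwise a search term such as
// ".*" matches everything and a pathological pattern can pin the CPU.
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

function isObjectId(s) {
  return /^[0-9a-fA-F]{24}$/.test(s);
}

function castValue(raw, type) {
  if (type === 'boolean') return raw === 'true';
  const n = Number(raw);
  if (typeof raw !== 'string' || !Number.isFinite(n)) throw new Error(`bad numeric value: ${raw}`);
  return n;
}

function buildPartyQuery(query, { publicOnly = true } = {}) {
  const filter = {};
  // An unauthenticated listing only ever shows public parties; the client cannot widen this.
  if (publicOnly) filter.isPublic = true;

  // Search by name (case-insensitive substring) or by exact id.
  if (typeof query.search === 'string' && query.search.trim()) {
    const term = query.search.trim();
    filter.$or = [{ name: { $regex: escapeRegex(term), $options: 'i' } }];
    if (isObjectId(term)) filter.$or.push({ _id: term });
  }

  // Filter by tags: ?tags=bbq,vegan -> { tags: { $in: ['bbq', 'vegan'] } }
  if (typeof query.tags === 'string') {
    const tags = query.tags.split(',').map((t) => t.trim()).filter(Boolean);
    if (tags.length) filter.tags = { $in: tags };
  }

  // Whitelisted comparison filters: ?capacity[gte]=5 -> { capacity: { $gte: 5 } }
  for (const [field, type] of Object.entries(FIELD_TYPES)) {
    if (!(field in query) || (publicOnly && field === 'isPublic')) continue;
    const raw = query[field];
    if (raw !== null && typeof raw === 'object') {
      filter[field] = {};
      for (const [op, value] of Object.entries(raw)) {
        if (!ALLOWED_OPS.has(op)) throw new Error(`operator not allowed: ${op}`);
        filter[field]['$' + op] = castValue(value, type);
      }
    } else {
      filter[field] = castValue(raw, type);
    }
  }

  // Pagination: page and limit are clamped so a client cannot request the whole collection.
  const page = Math.max(1, parseInt(query.page, 10) || 1);
  const limit = Math.min(MAX_LIMIT, Math.max(1, parseInt(query.limit, 10) || DEFAULT_LIMIT));
  return { filter, page, limit, skip: (page - 1) * limit };
}
```

The result is meant to be passed to `Model.find(filter).skip(skip).limit(limit)`; unknown operators are rejected rather than silently dropped so a broken client is noticed.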
- Get single party
- Get single private party
  - Authentication required
  - Must have a role of Admin, Host, Co-host or Guest
- Create new party
  - Authentication required
  - Must have a role of Admin or Host
- Add list item to party
  - Host and Co-host only
- Upload photo for party
  - Host and Co-host only
- Update party
  - Host and Co-host only
  - Validation on update
- Delete party
  - Host only
- List all dishes for a party
- List all dishes in general
  - Pagination, filtering, etc.
- Get single dish
- Create new dish
  - Authentication required
  - Must have the role of Admin, Host, Co-host or Guest (while in a party)
- Update dish
  - Owner only
- Delete dish
  - Owner only
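Added example, not the project's own code, covering the role rules for parties and dishes above. It shows the two layers of authorization those rules need, written as Express-style middleware and exercised with plain objects instead of a running server: `authorize` checks the account role (admin, host or guest, the roles the registration spec mentions), `requirePartyRole` checks the caller's relation to one specific party (host, co-host or guest of that party), and `requireOwner` is the owner-only gate for dishes. The party document shape (`host`, `coHosts`, `guests` holding user ids), `req.user = { id, role }` and the route chains are assumptions.

```javascript
// Added example, not the project's own code. Role and ownership checks as
// Express-style middleware, run here against plain objects. The party shape
// (host, coHosts, guests holding user ids) and req.user = { id, role } are assumptions.

class ErrorResponse extends Error {
  constructor(message, statusCode) {
    super(message);
    this.statusCode = statusCode;
  }
}

// Account-level role gate, e.g. authorize('admin', 'host') on POST /parties.
function authorize(...roles) {
  return (req, res, next) => {
    if (!req.user) return next(new ErrorResponse('Not authenticated', 401));
    if (!roles.includes(req.user.role)) {
      return next(new ErrorResponse(`Role ${req.user.role} is not authorized`, 403));
    }
    return next();
  };
}

// The caller's relation to this particular party. Admin is treated as host everywhere.
function partyRole(party, user) {
  const same = (id) => String(id) === String(user.id);
  if (user.role === 'admin' || same(party.host)) return 'host';
  if (party.coHosts.some(same)) return 'cohost';
  if (party.guests.some(same)) return 'guest';
  return null;
}

// Object-level gate. Holding the global "host" role is not enough: the caller must
// be host/co-host/guest *of req.party*, otherwise any host could edit any party.
function requirePartyRole(...allowed) {
  return (req, res, next) => {
    if (!req.party) return next(new ErrorResponse('Party not found', 404));
    const role = partyRole(req.party, req.user);
    if (!role || !allowed.includes(role)) {
      return next(new ErrorResponse('Not authorized for this party', 403));
    }
    return next();
  };
}

// Owner-only gate for dish update/delete; admin may override.
function requireOwner(getDoc) {
  return (req, res, next) => {
    const doc = getDoc(req);
    if (!doc) return next(new ErrorResponse('Not found', 404));
    if (req.user.role !== 'admin' && String(doc.user) !== String(req.user.id)) {
      return next(new ErrorResponse('Only the owner may modify this resource', 403));
    }
    return next();
  };
}

// Route chains as they would be mounted; req.party / req.dish are assumed to be
// loaded by an earlier middleware.
const ROUTES = {
  getPrivateParty: [authorize('admin', 'host', 'guest'), requirePartyRole('host', 'cohost', 'guest')],
  updateParty: [authorize('admin', 'host', 'guest'), requirePartyRole('host', 'cohost')],
  deleteParty: [authorize('admin', 'host'), requirePartyRole('host')],
  updateDish: [authorize('admin', 'host', 'guest'), requireOwner((req) => req.dish)],
};

// Runs a chain against a fake request; returns 'ok' or the HTTP status of the rejection.
function run(chain, req) {
  let outcome = 'ok';
  for (const mw of chain) {
    mw(req, {}, (err) => { if (err) outcome = err.statusCode; });
    if (outcome !== 'ok') break;
  }
  return outcome;
}

// Constructed sample data.
const PARTY = { id: 'p1', host: 'u1', coHosts: ['u2'], guests: ['u3'], isPublic: false };
const USERS = {
  host: { id: 'u1', role: 'host' },
  cohost: { id: 'u2', role: 'guest' },
  guest: { id: 'u3', role: 'guest' },
  otherHost: { id: 'u9', role: 'host' },
  admin: { id: 'u0', role: 'admin' },
};
```

The case worth noticing is `otherHost` on `deleteParty`: the account role passes `authorize`, and only the per-party check stops a host from deleting a party that is not theirs.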
- Authenticate using JWT/cookies
  - Token expires in 30 days
- User registration
  - Register as a Guest or Host
  - Token will be sent along with a cookie after registration
  - Password will be hashed
  - Two-factor authentication to be added later
  - Google and Facebook registration to be added
    - Will need email
- User login
  - User can log in with email and password
  - Google and Facebook login to be added
  - Submitted plain-text password will be compared against the stored hash
  - After login, token will be sent along with a cookie (token = xxx)
- User logout
  - Cookie will be sent to set token = none
- Get user
  - Route to get the currently logged in user (via token)
- Password reset (lost password)
  - User can request to reset password
  - A reset token will be emailed to the user's registered email address; only a hash of the token is stored
  - A PUT request can be made to the generated URL to reset the password
  - The token will expire after 10 minutes
- Update user info
  - Authenticated user only
  - Separate route to update password
- User CRUD
  - Admin only
- Hash passwords and reset tokens before storing them
- Prevent NoSQL injection (sanitize request data)
- Add security headers (helmet)
- Prevent cross-site scripting (XSS)
- Add rate limiting: 100 requests per 10 minutes
- Protect against HTTP parameter pollution
- Use CORS to make the API public (for now)
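Added example, not the project's own code. The hardening items above are provided in the project by middleware packages (helmet, express-mongo-sanitize, xss-clean, express-rate-limit, hpp); the functions here are small stand-ins that show what each one does to a request, so the effect can be checked offline without those packages. The sample inputs are constructed, and the header list is only a subset of what helmet sets.

```javascript
// Added example, not the project's own code: stand-ins for the hardening middleware
// (NoSQL sanitizing, XSS escaping, parameter-pollution handling, rate limiting,
// security headers) so their effect on a request can be seen offline.

// NoSQL injection: a login body { email: { $gt: "" }, password: ... } would match the
// first user if passed straight to User.findOne. Drop keys that start with '$' or
// contain '.', which is what express-mongo-sanitize does.
function sanitizeMongo(value) {
  if (Array.isArray(value)) return value.map(sanitizeMongo);
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [key, v] of Object.entries(value)) {
      if (key.startsWith('$') || key.includes('.')) continue;
      out[key] = sanitizeMongo(v);
    }
    return out;
  }
  return value;
}

// XSS: escape HTML-significant characters in every string of the body so stored
// values cannot become active content when rendered.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtmlDeep(value) {
  if (typeof value === 'string') return value.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
  if (Array.isArray(value)) return value.map(escapeHtmlDeep);
  if (value !== null && typeof value === 'object') {
    return Object.fromEntries(Object.entries(value).map(([k, v]) => [k, escapeHtmlDeep(v)]));
  }
  return value;
}

// HTTP parameter pollution: ?role=guest&role=admin parses to role: ['guest', 'admin'],
// which can bypass naive string checks. Keep only the last value (hpp's default).
function dedupeParams(query) {
  const out = {};
  for (const [key, v] of Object.entries(query)) out[key] = Array.isArray(v) ? v[v.length - 1] : v;
  return out;
}

// Rate limit: fixed window of 100 requests per 10 minutes per client key (IP).
class RateLimiter {
  constructor({ windowMs = 10 * 60 * 1000, max = 100 } = {}) {
    this.windowMs = windowMs;
    this.max = max;
    this.hits = new Map();
  }
  check(key, now = Date.now()) {
    let entry = this.hits.get(key);
    if (!entry || now >= entry.resetAt) {
      entry = { count: 0, resetAt: now + this.windowMs };
      this.hits.set(key, entry);
    }
    entry.count += 1;
    return { allowed: entry.count <= this.max, remaining: Math.max(0, this.max - entry.count), resetAt: entry.resetAt };
  }
}

// A few of the response headers helmet sets by default.
const SECURITY_HEADERS = {
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'SAMEORIGIN',
  'Strict-Transport-Security': 'max-age=15552000; includeSubDomains',
  'X-DNS-Prefetch-Control': 'off',
  'Referrer-Policy': 'no-referrer',
};

// Applies the above in the order a request pipeline would; req is a plain object
// with ip, query and body.
function hardenRequest(req, limiter, now = Date.now()) {
  const rate = limiter.check(req.ip, now);
  if (!rate.allowed) return { status: 429, error: 'Too many requests', headers: SECURITY_HEADERS };
  return {
    status: 200,
    headers: SECURITY_HEADERS,
    query: dedupeParams(sanitizeMongo(req.query || {})),
    body: escapeHtmlDeep(sanitizeMongo(req.body || {})),
  };
}
```

In the real app the order matters the same way: rate limiting and header middleware run first, body sanitizing runs after `express.json()` and before any route handler touches `req.body`. CORS is deliberately left out here; with the API public it adds nothing to check.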
- Use Postman to create documentation
- Use docgen to create HTML files from the Postman collection
- Serve the HTML files at the / route of the API
- Docker
- AWS or GDC