================================================================
LAB 7 — Authentication: Add Login to Your API
================================================================
Course: Web Technologies
Topic: Lecture 9 (Auth & Security)
Time: 3 hours lab + 4 hours self-study

----------------------------------------------------------------
LEARNING GOALS
----------------------------------------------------------------
- Hash passwords with bcrypt
- Implement signup + login + logout endpoints
- Issue and verify JWT tokens
- Protect routes so only authenticated users may access them
- Apply OWASP Top-10 mitigations

----------------------------------------------------------------
PROJECT
----------------------------------------------------------------
Extend Lab 6 (Spring Boot students-api), OR build a parallel
Node/Express or Django version -- your choice. Endpoints below
assume Spring Boot syntax; adapt as needed.

----------------------------------------------------------------
TASKS
----------------------------------------------------------------
TASK 1 — User entity + signup
- User: id, email (unique), password_hash, role ("USER"|"ADMIN"), createdAt
- POST /api/auth/signup -> create user; hash password with bcrypt
  (one random salt per user, which bcrypt does for you); never return
  the hash in responses
- Do not take role from the signup body: every new user is "USER".
  Accepting role from the client would let anyone register as ADMIN.

TASK 2 — Login + JWT
- POST /api/auth/login -> verify email + password
- On success: return { "token": "<jwt>" }
- On failure: return 401 with the same generic message whether the
  email is unknown or the password is wrong
- JWT signed with HS256; payload includes sub (user id), role, exp (1 hour)
- Use a strong secret loaded from an environment variable: at least
  256 bits (32 random bytes) for HS256, and never committed to the repo

TASK 3 — Protected routes
- Middleware/filter checks Authorization: Bearer <token>
- Verify the signature and exp before trusting any claim; reject tokens
  whose header alg is anything other than HS256 (including "none")
- GET /api/students (list) -> requires authenticated user
- DELETE /api/students/{id} -> requires role=ADMIN
- Return 401 if no/invalid token, 403 if wrong role

TASK 4 — Hardening
- Rate-limit /api/auth/login (e.g., 5 attempts / minute / IP). Behind a
  reverse proxy, take the client IP from X-Forwarded-For only when the
  proxy is trusted; otherwise the header is attacker-controlled.
- Apply CORS with an explicit allowed origin (your frontend URL);
  never reflect an arbitrary Origin header back
- Set security headers (Spring Security defaults are good)
- HSTS in production profile (only meaningful on HTTPS responses)

TASK 5 — Test
Update requests.http with: signup, login, list with token, list without
token (expect 401), admin delete with normal user (expect 403)

----------------------------------------------------------------
DELIVERABLES
----------------------------------------------------------------
- GitHub repo
- README explains how to run + how to obtain a token
- requests.http with the scenarios listed in Task 5, each annotated
  with the expected status code

----------------------------------------------------------------
GRADING (10 marks)
----------------------------------------------------------------
Signup hashes password ............ 2
Login issues JWT correctly ........ 2
Protected route requires token .... 2
Role-based access works ........... 2
Rate limit + CORS + headers ....... 2