Signup, Login & Authorization

Objective

The objective of this assignment is to extend the Address Book application developed in the last lab task (Assignment 3) by implementing a user authentication system and role-based access control. Students will create a Signup and Login system and ensure that only authenticated users can perform Create, Update, and Delete operations.


Application Requirements

1. Users Data Storage

Create a new JSON file named auth-users.json.
This file will store registered users as an array of objects.

You can also use a MongoDB database to store the users' data.

Each user object must contain:

  • id

  • name

  • email

  • password

Password hashing is not required for this assignment.


2. Signup (Registration) Feature

  • Create /signup route.

  • On GET request, display a signup form.

  • Form fields:

    • Name

    • Email

    • Password

    • Confirm Password

  • On POST request:

    • Validate password and confirm password.

    • Check if email already exists in auth-users.json.

    • If validation fails, show an error message on the signup page.

    • If successful, save the user data and redirect to /login with the message:

      “Signup successful. Please login.”


3. Login System

  • Create /login route.

  • On GET request, display the login form.

  • On POST request:

    • Validate email and password from auth-users.json.

    • If invalid, redirect back with the message:

      “Invalid email or password.”

    • If valid:

      • Store user information in session.

      • Redirect to /home.


4. Logout

  • Create /logout route.

  • Destroy the session.

  • Redirect to /login with the message:

    “You have been logged out successfully.”


5. Authorization Rules

Only logged-in users are allowed to:

  • Add new contact

  • Update contact

  • Delete contact

If the user is not logged in:

  • /home should display the contacts list only

  • Do not show the Add, Update, or Delete options


6. Secure Routes (Server-Side)

Hiding buttons is not sufficient: a request to a protected route can be sent without using the page at all.
All protected routes must be secured on the server side.

Create a middleware (e.g. checkLogin) that:

  • Checks the session for a logged-in user

  • If not logged in:

    • Redirects to /login

    • Displays the message:

      “You are not authorized to perform this operation. Please login.”

Apply this middleware to:

  • /add

  • /update

  • /delete
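Putting sections 3 to 6 together, here is an added example (not part of the assignment handout) of the login, logout and checkLogin handlers written in Express's (req, res, next) style. The user record, the mockSession/mockRes stand-ins for express-session and the response object, and the run helper are constructed so the handlers can be exercised without starting a server; in the real app you would mount them with app.post('/login', login), app.get('/logout', logout) and app.use('/add', checkLogin) and so on.

```javascript
// Constructed stand-in for auth-users.json (plain-text password, as the assignment allows)
const users = [
  { id: 1, name: 'Ali', email: 'ali@example.com', password: 'secret1' },
];

// POST /login: validate email + password; keep only non-secret fields in the session
function login(req, res) {
  const { email, password } = req.body;
  const user = users.find(u => u.email === email && u.password === password);
  if (!user) {
    req.session.message = 'Invalid email or password.';
    return res.redirect('/login');
  }
  req.session.user = { id: user.id, name: user.name, email: user.email };
  return res.redirect('/home');
}

// checkLogin middleware for /add, /update and /delete: the authorization decision
// is made here on the server, not by hiding buttons in the template
function checkLogin(req, res, next) {
  if (req.session && req.session.user) return next();
  req.session.message = 'You are not authorized to perform this operation. Please login.';
  return res.redirect('/login');
}

// GET /logout: destroy the session; the message travels in the query string
// because the session that could have carried it no longer exists
function logout(req, res) {
  req.session.destroy(() => {
    res.redirect('/login?message=' + encodeURIComponent('You have been logged out successfully.'));
  });
}

// Minimal stand-ins for express-session and the Express response object
function mockSession() {
  const s = {};
  s.destroy = (cb) => { for (const k of Object.keys(s)) if (k !== 'destroy') delete s[k]; if (cb) cb(); };
  return s;
}
function mockRes() {
  const res = { redirectedTo: null };
  res.redirect = (url) => { res.redirectedTo = url; return res; };
  return res;
}

// Run one handler against a session and form body; returns the redirect target,
// or 'next' when the middleware let the request through
function run(handler, session, body) {
  const res = mockRes();
  let passed = false;
  handler({ session, body }, res, () => { passed = true; });
  return passed ? 'next' : res.redirectedTo;
}
```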


7. AJAX Delete (Continuation from Assignment 3)

  • Delete operation must:

    • Be allowed only for logged-in users

    • Use AJAX

    • Send DELETE request to server

    • Remove the record from users.json

    • Remove table row on /home without page refresh


8. UI Requirements

  • Use Bootstrap or Tailwind for:

    • Forms

    • Buttons

    • Tables

    • Alerts/messages
