mitre

Create a Simple Sticky Note CRUD App

Create a simple sticky note CRUD application using basic HTML, CSS, and HTTP. Use any language you'd like.

Working Agreement
link

A working agreement is essentially a promise to you or to your team on habits and processes you agree to follow while working on a project.

Tip: Try to incorporate as many of these habits as possible, as is they aim to reflect a real-world workflow vs just hacking away at something. They are designed to keep you organized and ensure you deliver a quality product.

optional
circle
SimpleStickies Specification Review

Detailed descriptions of the routes, pages, and validation requirements can be found here.

optional
all_inclusive
circle
Error Handling and Feedback

As a developer, I agree to handle errors gracefully and provide feedback to the user.

Key Points
  • Implement error messages for invalid commands, missing arguments, or other user errors.
  • Ensure success messages for operations such as adding tasks or creating lists are distinct and easily visible.
  • Provide suggestions for correcting common errors to guide users in the right direction.
optional
all_inclusive
circle
Stories Must be Properly Tested

As a developer, I agree to ensure each story is properly tested. (A lot of times it can be a pain to test a CLI's tool main function, you'll understand when you get there, try your best, 100% code coverage is not required)

Key Points
  • Each story includes necessary unit testing.
  • Tests are run upon completion of a story.
  • All tests should pass before merge.
optional
all_inclusive
circle
Use Story Branches

As a developer, I agree to create a new git branch for each story I work on.

Key Points
  • Checkout a new branch for each story.
  • Development for a story is committed to the story branch.
  • Upon completion, create a PR to merge a story branch back into main.
  • If you are doing this project solo, you will be merging your own PRs.
Phase 1 - MVP
link

Minimum Viable Product CRUD interface.

Server Initialization and Home Page
link

Set up the basic structure and configuration for the server, including initializing the server, defining the home route, and creating the homepage.

optional
circle
Initialize Server

As a user, I want the server to be up and running, so that I can access the application through my web browser.

Key Points
  • The server should be configured to listen on a specified port.
  • The server should handle incoming requests and route them to the appropriate handlers.
optional
circle
Define Home Route

As a user, I want to access the application by navigating to the homepage, so that I can learn about the app and find my way around.

Key Points
  • The server should recognize and respond to requests at the root URL ("/").
  • The server should call the appropriate handler function to generate the homepage.
optional
circle
Create Homepage

As a user, I want to see a homepage that introduces the application, so that I can understand what the app does and navigate to other pages.

Key Points
  • The homepage should include a brief description of the application.
  • The homepage should provide links to view all sticky notes and to create a new note.
  • The homepage content should be generated dynamically when a request is received.
optional
circle
Implement Basic Error Handling

As a user, I want the server to handle errors gracefully, so that I receive helpful feedback if something goes wrong.

Key Points
  • The server should handle common errors such as missing routes or server issues.
  • The server should return user-friendly error messages or status codes in response to errors.
Create Sticky Note
link

Implement the functionality to create a new sticky note. Define the route for creating notes and create a page with a form to input the note's title and content.

optional
circle
Define Create Route

As a user, I want to access a form to create a new sticky note, so that I can easily add my notes to the application.

Key Points
  • The server should recognize and respond to requests at `/notes/new` to serve the creation form.
  • The server should call the appropriate handler function to generate the form page.
optional
circle
Create Note Form

As a user, I want to see a simple form for entering a note's title and content, so that I can create a new sticky note.

Key Points
  • The form should include fields for the note's title and content.
  • The form should have a submit button to create the note.
  • There should be a cancel button that redirects the user back to the list of notes.
optional
circle
Handle Note Creation

As a user, I want the server to save my new note when I submit the form, so that my note is stored and can be accessed later.

Key Points
  • The server should handle form submissions from `/notes/new` and create a new note file.
  • The server should validate the note's title and content according to the defined rules.
  • If validation passes, the note should be saved, and the user should be redirected to the list of notes.
  • If validation fails, the user should be redirected back to the form with the submitted values pre-populated.
optional
circle
Display Success or Error Message

As a user, I want to see a confirmation when my note is created or an error if something goes wrong, so that I know the outcome of my action.

Key Points
  • The server should display a success message if the note is created successfully.
  • The server should display an error message if there is an issue with creating the note, along with details on how to correct it.
List Sticky Notes
link

Implement the functionality to list all existing sticky notes. Define the route to display all notes and create a page that lists the titles of all stored notes.

optional
circle
Define List Route

As a user, I want to access a page that lists all my sticky notes, so that I can easily see and access the notes I have created.

Key Points
  • The server should recognize and respond to requests at `/notes` to serve the list of sticky notes.
  • The server should call the appropriate handler function to generate the list page.
optional
circle
Generate List of Notes

As a user, I want to see a list of all my sticky notes, so that I can quickly find and view a specific note.

Key Points
  • The server should retrieve the titles of all stored sticky notes.
  • The list should be displayed in a grid or column layout.
  • Each note title should be a clickable link that takes the user to the detailed view of that note.
optional
circle
Display Empty State

As a user, I want to see a message if there are no sticky notes, so that I know I need to create one.

Key Points
  • If no sticky notes exist, the server should display a message indicating that no notes have been created yet.
  • The page should include a link or button to create a new sticky note.
optional
circle
Provide Navigation

As a user, I want to easily navigate back to the home page or create a new sticky note from the list page, so that I can manage my notes efficiently.

Key Points
  • The list page should include navigation links back to the home page and to the new note creation form.
  • The navigation should be clear and accessible from the list of notes.
Show Sticky Note
link

Implement the functionality to display a specific sticky note. Define the route to view an individual note and create a page that shows the note's title and content.

optional
circle
Define Show Route

As a user, I want to click on a note title from the list and view the full content of that sticky note, so that I can read or review the details of my note.

Key Points
  • The server should recognize and respond to requests at `/notes?name=<name>` to serve the specific note.
  • The server should call the appropriate handler function to generate the detailed view page.
optional
circle
Display Note Content

As a user, I want to see the full content of my sticky note along with its title, so that I can review the information I saved.

Key Points
  • The server should retrieve the content of the specified sticky note file.
  • The page should display the note's title prominently, followed by the note's content.
  • The layout should be clear and readable, ensuring the note's content is easily accessible.
optional
circle
Provide Edit and Delete Options

As a user, I want to see options to edit or delete the note while viewing it, so that I can make changes or remove it if needed.

Key Points
  • The page should include a button or link to edit the note, which redirects the user to the update page.
  • The page should also include a button or link to delete the note, with appropriate confirmation to avoid accidental deletion.
optional
circle
Handle Missing Notes Gracefully

As a user, I want to see a helpful message if the note I’m trying to view doesn’t exist, so that I understand what happened and what I can do next.

Key Points
  • If the specified note does not exist, the server should display a friendly error message.
  • The error message should include links to go back to the list of notes or to create a new note.
Update Sticky Note
link

Implement the functionality to update an existing sticky note. Define the route for updating notes and create a page with a form pre-populated with the current note's data for editing.

optional
circle
Define Edit Route

As a user, I want to access a form to edit my sticky note, so that I can make changes to the title or content.

Key Points
  • The server should recognize and respond to requests at `/notes/edit?name=<name>` to serve the edit form.
  • The server should call the appropriate handler function to generate the edit page with the note's current data.
optional
circle
Pre-populate Form with Note Data

As a user, I want the form to be pre-filled with my note's current title and content, so that I can easily make and save my changes.

Key Points
  • The edit form should be pre-populated with the existing title and content of the sticky note.
  • The user should be able to modify both the title and content before submitting the changes.
optional
circle
Handle Note Update

As a user, I want the server to save my changes when I submit the form, so that my updated note is stored and accessible.

Key Points
  • The server should handle form submissions from `/notes/edit?name=<name>` and update the existing note file with the new data.
  • The server should validate the updated title and content according to the defined rules.
  • If validation passes, the note should be updated, and the user should be redirected to the updated note's page.
  • If validation fails, the user should be redirected back to the form with the submitted values pre-populated.
optional
circle
Provide Cancel Option

As a user, I want the option to cancel editing and return to the previous page, so that I can leave the note unchanged if I change my mind.

Key Points
  • The edit page should include a cancel button that redirects the user back to the list of notes or the note's detail page without making any changes.
Delete Sticky Note
link

Implement the functionality to delete a sticky note. Define the route for deleting notes and ensure users can remove a note from the system.

optional
circle
Define Delete Route

As a user, I want to delete a sticky note, so that I can remove it permanently if it's no longer needed.

Key Points
  • The server should recognize and respond to requests at `/notes?name=<name>&method=DELETE` to delete the specified note.
  • The server should call the appropriate handler function to perform the deletion.
optional
circle
Confirm Deletion

As a user, I want to confirm before deleting a sticky note, so that I don't accidentally remove important information.

Key Points
  • The server should display a confirmation prompt before deleting the note.
  • The user should be able to confirm or cancel the deletion action.
optional
circle
Handle Note Deletion

As a user, I want the server to permanently delete my sticky note when I confirm the action, so that it is removed from the system.

Key Points
  • The server should delete the specified note file from the filesystem upon confirmation.
  • After deletion, the user should be redirected to the list of all notes with a success message.
optional
circle
Provide Feedback on Deletion

As a user, I want to receive feedback after deleting a note, so that I know the action was successful.

Key Points
  • The server should display a success message once the note is successfully deleted.
  • If the note could not be deleted (e.g., if it no longer exists), the server should provide an appropriate error message.
Phase 2 - Boards
link

Phase 2 introduces a board management features and the introduction of a SQL DB

Implement SQL Database and Schema
link

Transition from using filesystem-based storage to a SQL database for storing sticky notes and boards. Implement the defined database schema to support the storage and management of notes and boards.

optional
circle
Set Up SQL Database Connection

As a developer, I want to establish a connection to the SQL database, so that I can store and retrieve data for notes and boards.

Key Points
  • Configure the database connection settings (e.g., database name, user, password, etc.).
  • Implement a method to open and close the database connection.
  • Ensure that the database connection is available for use throughout the application.
optional
circle
Implement Database Schema

As a developer, I want to implement the database schema, so that the application can properly store notes and boards.

Key Points
  • Create the necessary SQL `CREATE TABLE` commands for notes and boards.
  • Execute the SQL commands to set up the database tables.
  • Verify that the tables are correctly created and ready for use.
optional
circle
Refactor Filesystem Logic to SQL Equivalents

As a developer, I want to refactor the existing filesystem-based logic to use SQL equivalents, so that notes and boards are managed through the SQL database.

Key Points
  • Replace file-based read and write operations with SQL queries.
  • Test the refactored logic to confirm that it functions correctly with the SQL database.
Implement Board Management
link

Create functionality to allow users to create, update, and delete boards, including managing the notes associated with each board.

optional
circle
Implement Create Board Functionality

As a user, I want to create a new board, so that I can organize my notes within specific categories.

Key Points
  • Implement a form for users to input a board name.
  • Validate the board name to ensure it meets the required criteria.
  • Save the new board to the SQL database and redirect the user to the board index page.
optional
circle
Implement Update Board Functionality

As a user, I want to update the name of an existing board, so that I can correct mistakes or better organize my notes.

Key Points
  • Provide an interface to edit the board name.
  • Validate the updated board name before saving.
  • Update the board in the SQL database and redirect the user to the updated board's detail page.
optional
circle
Implement Delete Board Functionality

As a user, I want to delete a board, so that I can remove unwanted or unused categories, provided no notes are associated with it.

Key Points
  • Implement logic to check if a board has any associated notes.
  • Allow deletion only if the board has no associated notes.
  • Delete the board from the SQL database and redirect the user to the board index page.
optional
circle
Implement List All Boards Functionality

As a user, I want to view a list of all boards, so that I can see the available categories and the number of notes in each.

Key Points
  • Implement the `INDEX BOARD` route to display all boards.
  • The page should show the name of each board and the count of associated notes.
  • Each board name should be a clickable link that redirects to the `SHOW BOARD` page.
optional
circle
Implement Show Board Functionality

As a user, I want to view the details of a specific board, so that I can see all the notes associated with it.

Key Points
  • Implement the `SHOW BOARD` route to display a single board's details.
  • The page should display the board name and a list of all associated notes.
  • Each note in the list should be a clickable link that redirects to the note's detail page.
Update Existing Pages and Routes
link

Update the note creation and editing processes to include board selection. Ensure all relevant pages and routes display and manage board information appropriately throughout the application.

optional
circle
Update Note Creation Page to Include Board Selection

As a user, I want to select a board when creating a new note, so that I can organize my notes within specific categories.

Key Points
  • Update the `NEW` note page to include a dropdown or selection input for choosing a board.
  • Ensure the `CREATE` route handles the board selection and associates the new note with the selected board in the database.
  • Validate that the board selection is saved correctly and the user is redirected to the appropriate page.
optional
circle
Update Note Editing Page to Allow Board Changes

As a user, I want to change the board of an existing note, so that I can reorganize my notes as needed.

Key Points
  • Update the `EDIT` note page to include the current board selection and allow the user to change it.
  • Ensure the `UPDATE` route handles the updated board selection and correctly updates the note’s board association in the database.
  • Validate that the changes are saved correctly and the user is redirected to the updated note’s detail page.
optional
circle
Update Note Display to Show Associated Board

As a user, I want to see the associated board when viewing a note, so that I know which category it belongs to.

Key Points
  • Update the `SHOW` note page to display the note's associated board along with the title and content.
  • Ensure the `INDEX` page lists all notes with their associated boards displayed next to the titles.
  • Validate that the board information is displayed correctly across all relevant pages.
Phase 3 - Search
link

Introduce a basic search capability.

Implement Search Functionality
link

Add search functionality to allow users to find notes based on keywords in titles, content, or associated boards. Ensure the search is intuitive and returns relevant results.

optional
circle
Implement Search Page

As a user, I want to access a search page where I can enter keywords, so that I can find specific notes quickly.

Key Points
  • Implement the `SEARCH PAGE` route to display a form where users can enter search terms.
  • Create a search input field and a submit button on the search page.
  • Ensure the page is accessible from the main navigation menu.
optional
circle
Implement Search Query Handling

As a user, I want the application to process my search query and find matching notes, so that I can easily locate the information I need.

Key Points
  • Implement the `SEARCH RESULTS` route to handle search queries submitted from the search page.
  • Parse the search query and execute a database search for notes that match the keywords in their title, content, or associated boards.
  • Ensure the search function is optimized for performance, especially with large datasets.
optional
circle
Implement Search Results Page

As a user, I want to see a list of notes that match my search query, so that I can quickly access the relevant information.

Key Points
  • Display the search results on a dedicated results page, listing the note titles, associated boards, and a snippet of the content.
  • Ensure each result includes a link to the full note detail page.
  • Implement pagination if the number of results exceeds a certain threshold to improve usability.
optional
circle
Integrate Search Across the Application

As a user, I want the search functionality to be integrated throughout the application, so that I can easily search from anywhere.

Key Points
  • Add a search bar to the main navigation, accessible from all pages.
  • Ensure the search functionality is consistent and returns accurate results across different contexts (e.g., searching within a specific board vs. global search).
  • Validate that the search results are displayed correctly and that links to notes work as expected.
Phase 4 - REST API
link

Implement a basic API which accepts and returns JSON.

Implement JSON API
link

Develop a JSON API to allow programmatic access to notes and boards, enabling operations such as creating, updating, retrieving, and deleting notes and boards via RESTful API endpoints.

optional
circle
Implement GET All Notes API Endpoint

As a developer, I want to implement an API endpoint to retrieve all notes in JSON format, so that I can access the notes programmatically.

Key Points
  • Create a `GET /api/notes` route that returns a JSON array of all notes.
  • Ensure each note includes its title, content, and associated board.
  • Test the endpoint to verify it returns the correct data.
optional
circle
Implement GET Note by ID API Endpoint

As a developer, I want to implement an API endpoint to retrieve a specific note by its ID, so that I can access detailed information about a single note.

Key Points
  • Create a `GET /api/notes/{id}` route that returns the specified note as a JSON object.
  • Ensure the note includes its title, content, and associated board.
  • Test the endpoint to verify it returns the correct note data.
optional
circle
Implement CREATE Note API Endpoint

As a developer, I want to implement an API endpoint to create a new note via a JSON payload, so that I can add notes programmatically.

Key Points
  • Create a `POST /api/notes` route that accepts a JSON payload to create a new note.
  • Ensure the payload includes the note's title, content, and associated board ID.
  • Return the newly created note as a JSON object, including its assigned ID.
  • Test the endpoint to verify that notes can be created successfully.
optional
circle
Implement UPDATE Note API Endpoint

As a developer, I want to implement an API endpoint to update an existing note via a JSON payload, so that I can modify notes programmatically.

Key Points
  • Create a `PUT /api/notes/{id}` route that accepts a JSON payload to update the specified note.
  • Ensure the payload can modify the note's title, content, and associated board ID.
  • Return the updated note as a JSON object.
  • Test the endpoint to verify that notes can be updated successfully.
optional
circle
Implement DELETE Note API Endpoint

As a developer, I want to implement an API endpoint to delete a specific note by its ID, so that I can remove notes programmatically.

Key Points
  • Create a `DELETE /api/notes/{id}` route that deletes the specified note.
  • Ensure the endpoint returns a confirmation message in JSON format.
  • Test the endpoint to verify that notes can be deleted successfully.
optional
circle
Implement GET All Boards API Endpoint

As a developer, I want to implement an API endpoint to retrieve all boards in JSON format, so that I can access the boards programmatically.

Key Points
  • Create a `GET /api/boards` route that returns a JSON array of all boards.
  • Ensure each board includes its name and the count of associated notes.
  • Test the endpoint to verify it returns the correct data.
optional
circle
Implement GET Board by ID API Endpoint

As a developer, I want to implement an API endpoint to retrieve a specific board by its ID, so that I can access detailed information about a single board.

Key Points
  • Create a `GET /api/boards/{id}` route that returns the specified board as a JSON object.
  • Ensure the board includes its name and a list of associated notes.
  • Test the endpoint to verify it returns the correct board data.
optional
circle
Implement CREATE Board API Endpoint

As a developer, I want to implement an API endpoint to create a new board via a JSON payload, so that I can add boards programmatically.

Key Points
  • Create a `POST /api/boards` route that accepts a JSON payload to create a new board.
  • Ensure the payload includes the board's name.
  • Return the newly created board as a JSON object, including its assigned ID.
  • Test the endpoint to verify that boards can be created successfully.
optional
circle
Implement UPDATE Board API Endpoint

As a developer, I want to implement an API endpoint to update an existing board via a JSON payload, so that I can modify boards programmatically.

Key Points
  • Create a `PUT /api/boards/{id}` route that accepts a JSON payload to update the specified board.
  • Ensure the payload can modify the board's name.
  • Return the updated board as a JSON object.
  • Test the endpoint to verify that boards can be updated successfully.
optional
circle
Implement DELETE Board API Endpoint

As a developer, I want to implement an API endpoint to delete a specific board by its ID, so that I can remove boards programmatically.

Key Points
  • Create a `DELETE /api/boards/{id}` route that deletes the specified board.
  • Ensure the endpoint returns a confirmation message in JSON format.
  • Test the endpoint to verify that boards can be deleted successfully.
optional
circle
Implement GET Notes by Board API Endpoint

As a developer, I want to implement an API endpoint to retrieve all notes associated with a specific board, so that I can filter notes by their board programmatically.

Key Points
  • Create a `GET /api/boards/{id}/notes` route that returns a JSON array of notes associated with the specified board.
  • Ensure each note includes its title, content, and associated board ID.
  • Test the endpoint to verify it returns the correct notes data.
Phase 5 - Authentication and Authorization
link

Phase 5 introduces a user registration and login capability and the ability for users to set the privacy settings of the notes they create.

HTML Authentication
link

Implement the core authentication functionality for the HTML routes, allowing users to register, log in, change passwords, and log out securely.

optional
circle
Implement User Registration

As a user, I want to register with a username and password, so that I can create an account and access the application.

Key Points
  • Implement the referenced sequence diagram
  • Implement necessary routes and handlers
  • Implement required HTML pages and templates
optional
circle
Implement User Login

As a user, I want to log in with my username and password, so that I can securely access my account.

Key Points
  • Implement the referenced sequence diagram
  • Implement necessary routes and handlers
  • Implement required HTML pages and templates
optional
circle
Implement Change Password

As a user, I want to change my password, so that I can maintain the security of my account.

Key Points
  • Implement the referenced sequence diagram
  • Implement necessary routes and handlers
  • Implement required HTML pages and templates
optional
circle
Implement User Logout

As a user, I want to log out, so that I can end my session and protect my account.

Key Points
  • Implement the referenced sequence diagram
  • Implement necessary routes and handlers
  • Implement required HTML pages and templates
HTML Authorization and Access
link

Implement authorization controls to ensure that only authenticated users can create, update, or delete boards and notes, and to enforce ownership and privacy rules for notes.

optional
circle
Restrict Board Creation to Authenticated Users

As an authenticated user, I want to create boards, so that I can organize my notes.

Key Points
  • Update the `CREATE BOARD` route to check if the user is authenticated.
  • Ensure that the board creation form is only accessible to logged-in users.
  • Update the UI to display an error or redirect to the login page if accessed by an unauthenticated user.
optional
circle
Restrict Board Updates to Authenticated Users

As an authenticated user, I want to update boards that I own, so that I can manage my content.

Key Points
  • Update the `UPDATE BOARD` route to check if the user is authenticated.
  • Ensure that the board update form is only accessible to the board owner.
  • Update the UI to prevent unauthorized access to board update forms.
optional
circle
Restrict Board Deletion to Authenticated Users

As an authenticated user, I want to delete boards that I own, so that I can manage my content.

Key Points
  • Update the `DELETE BOARD` route to check if the user is authenticated.
  • Ensure that the board deletion action is only available to the board owner.
  • Update the UI to prevent unauthorized users from deleting boards.
optional
circle
Restrict Note Creation to Authenticated Users

As an authenticated user, I want to create notes and associate them with boards, so that I can manage my content.

Key Points
  • Update the `CREATE NOTE` route to check if the user is authenticated.
  • Ensure that the note creation form includes the option to select a board and set privacy (public or private).
  • Update the UI to restrict note creation to logged-in users and show an error or redirect to the login page if accessed by an unauthenticated user.
optional
circle
Restrict Note Updates to Authenticated Users

As an authenticated user, I want to update notes that I own, so that I can manage my content.

Key Points
  • Update the `UPDATE NOTE` route to check if the user is authenticated.
  • Ensure that the note update form is only accessible to the note owner.
  • Update the UI to prevent unauthorized access to note update forms.
optional
circle
Restrict Note Deletion to Authenticated Users

As an authenticated user, I want to delete notes that I own, so that I can manage my content.

Key Points
  • Update the `DELETE NOTE` route to check if the user is authenticated.
  • Ensure that the note deletion action is only available to the note owner.
  • Update the UI to prevent unauthorized users from deleting notes.
optional
circle
Enforce Note Privacy Settings

As a user, I want to control the visibility of my notes, so that I can keep some notes private and others public.

Key Points
  • Ensure that public notes are visible to all users.
  • Ensure that private notes are only visible to the note owner.
  • Update the UI to clearly display whether a note is public or private.
API Authentication
link

Implement the core authentication functionality for the API routes, allowing users to log in, receive a JWT, and log out securely.

optional
circle
Implement API Login

As a user, I want to log in through the API with my username and password, so that I can receive a JWT for authenticated access to other API routes.

Key Points
  • Implement the referenced sequence diagram
  • Implement necessary API routes and handlers
  • Implement JWT generation and return in the response
optional
circle
Implement API Logout

As a user, I want to log out through the API, so that my JWT is invalidated and my session is securely terminated.

Key Points
  • Implement the referenced sequence diagram
  • Implement necessary API routes and handlers
  • Implement JWT invalidation and return a confirmation response
optional
circle
Validate JWT for API Requests

As a user, I want my API requests to be validated using the JWT, so that only authenticated requests are processed.

Key Points
  • Implement logic to validate the JWT on API requests
  • Ensure that valid JWTs allow access to protected API routes
  • Return appropriate error messages for invalid or missing JWTs
optional
circle
Implement JWT Refresh Mechanism

As a user, I want to refresh my JWT before it expires, so that I can maintain access to the API without re-authenticating.

Key Points
  • Implement a route to refresh the JWT before it expires
  • Ensure that the refresh route requires a valid JWT
  • Return a new JWT with an extended expiration time
API Authorization and Access
link

Implement authorization controls for the API to ensure that only authenticated users can perform actions like creating, updating, or deleting boards and notes, and to enforce ownership and privacy rules for notes.

optional
circle
Restrict API Board Creation to Authenticated Users

As an authenticated user, I want to create boards via the API, so that I can organize my notes programmatically.

Key Points
  • Ensure the `POST /api/boards` route checks for a valid JWT
  • Restrict board creation to authenticated users
  • Return appropriate error messages if the user is not authenticated
optional
circle
Restrict API Board Updates to Authenticated Users

As an authenticated user, I want to update boards I own via the API, so that I can manage my content programmatically.

Key Points
  • Ensure the `PUT /api/boards/{id}` route checks for a valid JWT
  • Restrict board updates to authenticated users who own the board
  • Return appropriate error messages if the user is not authorized
optional
circle
Restrict API Board Deletion to Authenticated Users

As an authenticated user, I want to delete boards I own via the API, so that I can manage my content programmatically.

Key Points
  • Ensure the `DELETE /api/boards/{id}` route checks for a valid JWT
  • Restrict board deletion to authenticated users who own the board
  • Return appropriate error messages if the user is not authorized
optional
circle
Restrict API Note Creation to Authenticated Users

As an authenticated user, I want to create notes via the API and associate them with boards, so that I can manage my content programmatically.

Key Points
  • Ensure the `POST /api/notes` route checks for a valid JWT
  • Restrict note creation to authenticated users
  • Allow notes to be associated with a board and set as public or private
  • Return appropriate error messages if the user is not authenticated
optional
circle
Restrict API Note Updates to Authenticated Users

As an authenticated user, I want to update notes I own via the API, so that I can manage my content programmatically.

Key Points
  • Ensure the `PUT /api/notes/{id}` route checks for a valid JWT
  • Restrict note updates to authenticated users who own the note
  • Allow users to update the note content, privacy setting, and associated board
  • Return appropriate error messages if the user is not authorized
optional
circle
Restrict API Note Deletion to Authenticated Users

As an authenticated user, I want to delete notes I own via the API, so that I can manage my content programmatically.

Key Points
  • Ensure the `DELETE /api/notes/{id}` route checks for a valid JWT
  • Restrict note deletion to authenticated users who own the note
  • Return appropriate error messages if the user is not authorized
optional
circle
Enforce API Note Privacy Settings

As a user, I want to control the visibility of my notes via the API, so that I can keep some notes private and others public.

Key Points
  • Ensure public notes are accessible to all users via the API
  • Ensure private notes are only accessible to the note owner via the API
  • Return appropriate error messages if a user tries to access a private note they do not own
Phase 6 - Vulnerability Management and Mitigation
link

Account for common web security vulnerabilities and mitigate them with security best practices.

Vulnerability Management and Mitigation
link

Implement practices to identify, manage, and mitigate common web vulnerabilities in the application. Ensure that the application is secure from known attack vectors and follows best practices for security.

optional
circle
Implement SQL Injection Protection

As a developer, I want to protect the application from SQL injection attacks, so that the database remains secure from unauthorized access and data manipulation.

Key Points
  • Use parameterized queries with `database/sql` or `sqlx` to prevent SQL injection
  • Validate and sanitize all user inputs before using them in database queries
optional
circle
Implement Cross-Site Scripting (XSS) Protection

As a developer, I want to prevent XSS attacks, so that users' data and sessions are protected from malicious scripts.

Key Points
  • Use the `html/template` package to automatically escape HTML
  • Sanitize user-generated content using the `bluemonday` package
optional
circle
Implement Cross-Site Request Forgery (CSRF) Protection

As a developer, I want to protect the application from CSRF attacks, so that unauthorized actions cannot be performed on behalf of users.

Key Points
  • Implement CSRF tokens using the `gorilla/csrf` middleware
  • Ensure that all forms and state-changing actions include a CSRF token
optional
circle
Implement Insecure Direct Object Reference (IDOR) Protection

As a developer, I want to prevent unauthorized access to internal objects like files and records, so that sensitive data is only accessible to authorized users.

Key Points
  • Implement access control checks for every request to internal objects
  • Use an authorization library like `casbin` to manage permissions and ensure that users can only access resources they are authorized to view
Contents