Today I want to create a simple TODO list web app that can have nested lists, and support many users. Sounds simple, right?
I start the development with the definition of my models. Right now I just need two: users and lists. Fortunately for me, the Django admin app already has a user model defined, so I can reuse it. My list model must support nested lists, so I need a way to emulate a graph structure in a flat table. I can use a field in my list record that points to its parent's id, and when the list is at the root, its parent id is 0. To get all the root lists for a given user I can define an endpoint /api/lists, and the model will query the database to get all the lists with user id equal to... wait, how do I get the user id?
It seems that Django by default uses cookie authentication and expects a form post, but since I'm using a React app with... Damn, I forgot to add a library for API communication. Again I can choose from XMLHttpRequest, jQuery ajax, the new fetch API, Axios, etc. I go with Axios. OK, let's continue. Since I'm using a React app with Axios to consume a REST API, I need an authentication endpoint. Combining form posts with a REST API is a little cumbersome, so my authentication endpoint will just return an authentication token, and this token will be saved in the browser for future requests. How can I generate this token? I can use OAuth, JWT, my own implementation, etc. For OAuth I need new tables in my database; with JWT I just need a secret key or an SSL file. For convenience I choose JWT. Finally I have my authentication endpoint and I can send the user id in the authentication token.
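To make concrete what "send the user id in the authentication token" means, here is an added example (not code from this post or from Django) of the HS256 token shape the authentication endpoint would return and the check every later request would run on it. It uses only the Python standard library instead of a JWT library, and `SECRET_KEY`, the claim values and the time values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for this example only; a real app loads it from
# configuration (e.g. Django settings), never from source code.
SECRET_KEY = b"example-secret-do-not-use"


def _b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Reverse of _b64url: restore the padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes, key: bytes) -> bytes:
    """HS256 signature: HMAC-SHA256 over 'header.payload'."""
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def issue_token(user_id: int, key: bytes = SECRET_KEY, ttl: int = 3600, now=None) -> str:
    """What the authentication endpoint returns after checking the password:
    a token whose 'sub' claim carries the user id, valid for ttl seconds."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": now, "exp": now + ttl}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    ).encode("ascii")
    return signing_input.decode("ascii") + "." + _b64url(_sign(signing_input, key))


def verify_token(token: str, key: bytes = SECRET_KEY, now=None):
    """What every API endpoint runs on the token the browser sends back.
    Returns the user id from the token, or None if it is not acceptable."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":
            return None  # only accept the algorithm we issue
        signing_input = (header_b64 + "." + payload_b64).encode("ascii")
        # Constant-time comparison of the signature, before trusting any claim.
        if not hmac.compare_digest(_sign(signing_input, key), _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed base64, JSON or structure
        return None
    if payload.get("exp", 0) <= now:
        return None  # expired
    return payload.get("sub")
```

The signature is checked before any claim is read, so a user id from an unsigned or altered payload never reaches the endpoint; the `alg` check refuses tokens claiming a different (or no) algorithm, and the `exp` check bounds how long a stored token stays usable.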
Hey wait, if a second user gets hold of the first user's id, how do I prevent them from seeing the first user's lists? Gosh, I need to check in every endpoint that the list being accessed belongs to the authenticated user. It is an easy implementation, but I need to remember to do it for every endpoint in my API. And I'm not yet done with the list creation! I am exhausted...
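An added example (not code from this post or from Django) covering both the flat parent-id table described earlier and the per-endpoint ownership check worried about here. It stands in for the Django model with plain Python rows, uses parent id 0 for root lists as the post does, and shows the lookup-by-id-only bug next to the hardened lookup that every endpoint is routed through. The rows, user ids and function names are constructed for the illustration.

```python
# Constructed sample rows standing in for the List model's table:
# id, owner_id (the authenticated user's id), parent_id (0 = root list), title.
LISTS = [
    {"id": 1, "owner_id": 1, "parent_id": 0, "title": "Work"},
    {"id": 2, "owner_id": 1, "parent_id": 1, "title": "Write report"},
    {"id": 3, "owner_id": 1, "parent_id": 2, "title": "Collect numbers"},
    {"id": 4, "owner_id": 1, "parent_id": 0, "title": "Home"},
    {"id": 5, "owner_id": 2, "parent_id": 0, "title": "Second user's list"},
    {"id": 6, "owner_id": 2, "parent_id": 5, "title": "Second user's item"},
]


class NotFound(Exception):
    """Raised for both 'no such list' and 'not your list', so the API answer
    does not reveal whether a list id belonging to someone else exists."""


def get_list_unchecked(rows, list_id):
    """The bug the post worries about: lookup by id only, ignoring ownership.
    Any authenticated user who supplies another user's list id gets the row."""
    for row in rows:
        if row["id"] == list_id:
            return row
    raise NotFound(list_id)


def owned_rows(rows, user_id):
    """Every endpoint starts from here: only rows owned by user_id are visible.
    In Django this is the difference between List.objects.all() and
    List.objects.filter(owner=request.user)."""
    return [row for row in rows if row["owner_id"] == user_id]


def get_owned_list(rows, user_id, list_id):
    """Hardened lookup: found only if the list exists AND belongs to user_id."""
    for row in owned_rows(rows, user_id):
        if row["id"] == list_id:
            return row
    raise NotFound(list_id)


def root_lists(rows, user_id):
    """GET /api/lists: the caller's root lists (parent_id == 0)."""
    return [row for row in owned_rows(rows, user_id) if row["parent_id"] == 0]


def child_lists(rows, user_id, parent_id):
    """Children of one list: verify ownership of the parent first, then filter
    the children through owned_rows too, so the invariant holds for every row
    returned, not just the one whose id came from the URL."""
    get_owned_list(rows, user_id, parent_id)
    return [row for row in owned_rows(rows, user_id) if row["parent_id"] == parent_id]


def build_tree(rows, user_id, parent_id=0):
    """Turn the flat parent_id table into nested dicts for one user."""
    return [
        {"id": row["id"], "title": row["title"],
         "children": build_tree(rows, user_id, row["id"])}
        for row in owned_rows(rows, user_id)
        if row["parent_id"] == parent_id
    ]
```

The point of `owned_rows` is that the ownership filter lives in one place that every endpoint goes through, instead of being a check each new view has to remember; any lookup that bypasses it (like `get_list_unchecked`) is the hole. Returning the same `NotFound` for "not yours" and "does not exist" keeps the API from confirming which ids belong to other users.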
To be continued...