DEV Community

Cover image for MovieDex - My first React project!

MovieDex - My first React project!

Abhijit Hota on August 06, 2020

A React and Node.js app that searches for movies using the TMDB and OMDB database ⚛✨🎥. Try it out here: MovieDex The Project ...
Collapse
 
ecyrbe profile image
ecyrbe

Hi,

Nice work. Here is a succinct review.

  • in server.js try to follow REST resource naming conventions : restfulapi.net/resource-naming/
  • to not have your heroku instance spammed, you should protect your server APIs with jwt access with resource limiting for each distinct user. Refuse to answer requests without a jwt. Jwt : jwt.io/
  • in client, you are using the same pattern everytime with fetch/abortController. I would create a new hook called useAbortableFetch to wrap and reuse this Idea.
Collapse
 
kretaceous profile image
Abhijit Hota

Hello and thanks a lot for the points!

  • I did not know about the REST API naming conventions. I'll surely follow the guidelines. Most of my requests are verbs like getMovies and getMovieDetails like functions. I'll change them to nouns as per the guidelines. (I haven't read the guidelines fully so I may come up with something more appropriate).

  • I do not understand why would I need JWTs here.

Refuse to answer requests without a JWT.

But can you elaborate why would I need that? What exactly does "not have your Heroku instance spammed" mean?

Any pointers will be appreciated. 😄

  • Yes. I agree that part of the code is little WET. I was thinking the same while coding that part. A custom hook is a very good way indeed!

Thanks again for digging deep into the code and writing this! 😄

Collapse
 
ecyrbe profile image
ecyrbe

I do not understand why would I need JWTs here

OK. Imagine that i'm a hacker wanting to shut down your website and deny to all your users the ability to request anything.

How would i do that ? as your project is open source i can see that your APIs are not protected. So if i spam your server with requests, i will for sure encounter the limits that where granted to you via your API key.

So ONE user can deny access to your APIs to ALL your users.

To mitigate that, what you usually want is to only deny the spamming user access to your APIs. for this you need to give the user a unique id and require each user to access your API with this id.

  • You can rate limit users based on their IP address (but if many different users are behind the same adress you will block all the legitimate users behind the adress),
  • You can rate limit users based on a unique id for each user behind the same IP adress by giving them a distinct JWT. In server side you create an id for a user (with IP inside as payload for exemple) and sign it by encapsulating it in a JWT. You then just check that this JWT is valid, and you should also give this JWT an expiration time (5 minutes to 20 minutes might be a good idea). Note that you need to use asymetric algorithm (like RS256) to really protect an API with JWTs.

Using the user IP for starting is fine, so you are rigth, you don't need JWT, but for more fine grained propection i would use a JWT that combine IP/expiration date to protect you APIs.

Now for your API you can plug a rate limiter middleware, like this : github.com/animir/node-rate-limite...

  • You can use a memory store instead of redis to not need another server.
  • You can use a jwt instead of user ip to check access.
Thread Thread
 
kretaceous profile image
Abhijit Hota

Thanks for the detailed explanation.
I understood what you are saying. I'll start implementing the said method of JWTs along with the IP as a payload. I'll figure out a good way.

I'll check the mentioned middleware too.

Thanks a lot again!

Collapse
 
sanjeed__ profile image
Sanjeed • Edited

Good one!

Collapse
 
albertopdrf profile image
Alberto Pérez de Rada Fiol

Wow, the site is wonderful! Congrats :)

Collapse
 
kretaceous profile image
Abhijit Hota

Thank you, Alberto! 😁

Collapse
 
mutale85 profile image
Mutale85

Nice works and great article.

Collapse
 
kretaceous profile image
Abhijit Hota

Thank you!

Collapse
 
monalizadsg profile image
Mona Dasig

Great project. This is inspiring! :) Thanks for sharing the article.

Collapse
 
kretaceous profile image
Abhijit Hota

Thanks a lot, Mona. Glad you found it inspiring! 😄

Collapse
 
viniciusrio profile image
Vinicius Rio

This is motivating. I will follow the idea of the article too! Thanks, man!

Collapse
 
kretaceous profile image
Abhijit Hota

Glad you found it motivating 😇! Thanks a lot and all the best! 😁

Collapse
 
khalby786 profile image
khaleel gibran • Edited

Wow, I liked the UI very much (and the logo). I also noticed that it had skeleton loading, which was really cool!

Collapse
 
kretaceous profile image
Abhijit Hota

Thanks Khaleel! 😊

Collapse
 
explicitgeek profile image
Tim Berti

Awesome post ....loved those skeleton loading UI

Collapse
 
kretaceous profile image
Abhijit Hota

Thanks Tim! I like the loaders too 😁!