Anonymous Message Board - Code Feedback, Issues, and Comments

Hi FCC,

I’ve completed the Anonymous Message Board project (spanning multiple days, very frustrating at times) and achieved the Legacy InfoSec and QA Certificate.

Repl.it - Message Board FCC

A lot of follow-up comments on this one, regarding Mocha, SuperAgent, and Responses. I would definitely like to contribute and improve this project on the FCC side. Learners be warned ~ there are many missing FCC tests in this project, as pointed out in some other forum boards. But don’t despair ~ read the forum threads on this topic, and keep digging into req/res, async.

Core Testing Subjects

This project is a culmination of the QA and JavaScript section of InfoSec. By the time you get to this project, you have the skills to break down each piece of what the test is looking for: Helmet JS implementation, Mongoose/MongoDB database structures, API routing, and Functional Testing with Chai. Hints:

  • Read the HelmetJS docs on correct ContentSecurityPolicy implementation
  • Similar to “Issue Tracker”, this project is set up so that each individual “thread” is its own model, with independent documents. Don’t make the mistake of setting up ONE model for all threads. At least, this is the mongoose process - straight mongoDB would be different.
  • Be patient with functional testing. Because the tests are not written, be careful about how you test PUT and DELETE. Particularly, Repl.it is a little fussy.

Some comments:

  1. scriptSrc - as part of contentSecurityPolicy, I needed to write these two lines of code to allow the boilerplate jQuery on the view sheets to display the information:
"styleSrc": ["'unsafe-inline'"],
"scriptSrc": ["'self'", "localhost", "'unsafe-inline'", "code.jquery.com", "https://code.jquery.com/jquery-2.2.1.min.js"],

I thought that having “unsafe-inline” defeats the purpose of contentSecurityPolicy, but it was the only way to allow the jQuery and AJAX calls on the html view pages to work and function. Why, and how can it be done better?

  2. Testing res.redirect in Chai - I scoured Google and the forum, and I can’t seem to find an answer to this. In some instances of the API routing here, the response object is NOT a “res.send” or a “res.json” of the data object. It is a “res.redirect” to either board.html or thread.html. In these instances, how do you test the response object in Chai? Since it redirects to a html page, would the res.body ACTUALLY be the html page?

I would like to beef up my functional tests somehow, on these two POST redirects. I mean, you can’t just do assert.equal(res.body, process.cwd() + '/views/board.html'), right? And then, how do you test that the posted information exists on the redirected page?