Gallery image captions: The stack that we used; HTTP/S Security Headers rating (essential for security); SSL security rating.
We were trying to come up with good ideas for this hackathon. We mulled over a few at first, but eventually this one jumped out at us. Both of us had applied for jobs before, and, as LinkedIn users, were sick of the bloat and "user features" on offer. We decided to use the Agora API to streamline this process.
What it does
InternetView is an Internet interviewing platform. It connects job applicants and employers quickly. Rather than handing recruiters too much information, we simply provide the ability to upload a resume/cover letter to communicate a potential hire's ability. Applicants can view current job postings and apply to them. Upon receiving applications, recruiters may schedule a meeting time to complete a video interview using the Agora API.
How we built it
Our stack was built mostly with JS. The frontend uses React to provide the user interface, with the Agora SDK tied into the React application for video-call functionality. Our backend is written in TypeScript and uses Koa as the HTTP server. Koa provides the authentication API for both types of clients (user, corporate) through JSON Web Tokens, and interfaces with a PostgreSQL database through TypeORM; this is where the API middleware lives. The React application makes calls to both the auth API and the actual API. The client and corporate pages are protected from the outside, and from each other, by checking the JWT at the middleware level. Both the React and Koa servers sit behind NGINX, which proxy_passes to each service to expose them outside the LAN.
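The role check described above, as an added example that is not InternetView's own code: a minimal HS256 JWT issuer/verifier on Node's built-in crypto module plus a Koa-style middleware factory that reserves a route for one client type. The names Role, authorize and requireRole, the Bearer header format and the shared-secret scheme are assumptions for illustration; the Ctx type stands in for Koa's Context so the block runs without the koa package, and a real deployment would normally use a maintained JWT library.

```typescript
// Added example (hypothetical names), not the project's code: HS256 JWT sign/verify
// with Node's crypto module and a role-scoped Koa-style middleware.
import { createHmac, timingSafeEqual } from "crypto";

export type Role = "user" | "corporate";
export interface Claims { sub: string; role: Role; iat: number; exp: number }

const nowSec = (): number => Math.floor(Date.now() / 1000);

export const b64url = (data: Buffer | string): string => {
  const buf = typeof data === "string" ? Buffer.from(data, "utf8") : data;
  return buf.toString("base64").replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");
};
const fromB64url = (s: string): Buffer =>
  Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64");

// Issue a token for one subject and one client type (assumed: HS256 with a shared secret).
export function signJwt(claims: { sub: string; role: Role }, secret: string, ttlSeconds: number, now: number = nowSec()): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify({ ...claims, iat: now, exp: now + ttlSeconds }));
  const sig = createHmac("sha256", secret).update(`${header}.${payload}`).digest();
  return `${header}.${payload}.${b64url(sig)}`;
}

// Returns the claims only if algorithm, signature, expiry and role all check out.
export function verifyJwt(token: string, secret: string, now: number = nowSec()): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  let header: { alg?: unknown };
  let body: Partial<Claims>;
  try {
    header = JSON.parse(fromB64url(h).toString("utf8"));
    body = JSON.parse(fromB64url(p).toString("utf8"));
  } catch {
    return null;
  }
  // Pin the algorithm server-side; never let the token choose it (alg=none, key confusion).
  if (header.alg !== "HS256") return null;
  const expected = createHmac("sha256", secret).update(`${h}.${p}`).digest();
  const given = fromB64url(s);
  // timingSafeEqual throws on length mismatch, so compare lengths first.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  if (typeof body.sub !== "string" || typeof body.iat !== "number" || typeof body.exp !== "number") return null;
  if (body.exp <= now) return null;
  if (body.role !== "user" && body.role !== "corporate") return null;
  return body as Claims;
}

// Pure decision function for a route reserved for `role`:
// 401 = no valid token at all, 403 = valid token but the other client type.
export function authorize(authHeader: string | undefined, role: Role, secret: string, now: number = nowSec()): { status: 200 | 401 | 403; claims?: Claims } {
  const prefix = "Bearer ";
  if (!authHeader || !authHeader.startsWith(prefix)) return { status: 401 };
  const claims = verifyJwt(authHeader.slice(prefix.length), secret, now);
  if (!claims) return { status: 401 };
  if (claims.role !== role) return { status: 403 };
  return { status: 200, claims };
}

// Koa-shaped middleware built on authorize(). Ctx is a stand-in for Koa's Context.
interface Ctx { headers: Record<string, string | undefined>; status: number; body?: unknown; state: Record<string, unknown> }
export function requireRole(role: Role, secret: string) {
  return async (ctx: Ctx, next: () => Promise<void>): Promise<void> => {
    const result = authorize(ctx.headers["authorization"], role, secret);
    if (result.status !== 200) {
      ctx.status = result.status;
      ctx.body = { error: result.status === 401 ? "invalid or expired token" : "wrong client type" };
      return;
    }
    ctx.state.claims = result.claims;
    await next();
  };
}

// Demo with a constructed secret: a user token passes a user route and is refused on a corporate one.
const DEMO_SECRET = "replace-with-a-long-random-secret";
const userToken = signJwt({ sub: "applicant-42", role: "user" }, DEMO_SECRET, 3600);
console.log(authorize(`Bearer ${userToken}`, "user", DEMO_SECRET).status);      // 200
console.log(authorize(`Bearer ${userToken}`, "corporate", DEMO_SECRET).status); // 403
```

Mount `requireRole("user", secret)` in front of the applicant routes and `requireRole("corporate", secret)` in front of the recruiter routes; because the role comes from the signed payload, changing it client-side invalidates the signature, and because the algorithm is pinned, an `alg=none` token is rejected before any comparison.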
Security is crucial when deploying a web application because of the data it harbors: user data, passwords and personal information can be exposed if not handled with great care. Protecting API endpoints and scoping data to those who need it is a must. As mentioned above, we use JSON Web Tokens to scope access not only to the API but also to the pages a client can reach. Account passwords are hashed with bcrypt at a cost factor of 10 (each hash carries its own random salt; the cost factor sets the work, 2^10 rounds). HTTPS was required regardless, since browsers only expose the camera and microphone (getUserMedia, which the Agora SDK relies on) in a secure context, and it also protects data in transit. Our certificates are issued by Let's Encrypt. internetview.online received an A+ on ssllabs.com after hardening our NGINX configuration files and generating a stronger set of Diffie-Hellman parameters with openssl. We also set the recommended security headers to protect clients from attacks such as XSS and clickjacking; our HTTP headers received an A on securityheaders.com's scan. The site only supports HTTPS. Lastly, our server only accepts SSH key authentication; password authentication is disabled. Overall, the attack surface is relatively low.
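An NGINX server block of the kind described above, as an added example rather than the project's actual configuration: HTTP redirected to HTTPS, TLS 1.2/1.3 only with custom DH parameters, the common security headers, and proxy_pass to the two services. The hostname, backend ports (React on 3000, Koa on 8080), file paths and the Agora hosts in the CSP are assumptions; the exact hosts the Agora SDK connects to must be confirmed from the browser console before the CSP is enforced, or the video call will be blocked.

```nginx
# Added example (assumed hostname, ports and paths), not InternetView's real config.
# Generate the DH parameters once, then reference them with ssl_dhparam:
#   openssl dhparam -out /etc/nginx/dhparam.pem 4096

server {
    listen 80;
    listen [::]:80;
    server_name internetview.online;
    return 301 https://$host$request_uri;   # HTTPS only
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name internetview.online;

    ssl_certificate         /etc/letsencrypt/live/internetview.online/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/internetview.online/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/internetview.online/chain.pem;
    ssl_dhparam             /etc/nginx/dhparam.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Security headers ("always" so they are also sent on 4xx/5xx responses).
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    add_header X-Frame-Options "DENY" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "camera=(self), microphone=(self)" always;
    # connect-src/media-src: assumed Agora hosts; verify against the SDK's actual endpoints.
    add_header Content-Security-Policy "default-src 'self'; connect-src 'self' https://*.agora.io wss://*.agora.io; media-src 'self' blob:; img-src 'self' data:; frame-ancestors 'none'" always;

    # Koa auth API and application API (assumed port).
    location /api/ {
        proxy_pass http://127.0.0.1:8080/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # React frontend (assumed port); Upgrade headers keep WebSockets working.
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
    }
}
```

Two caveats when adapting this: an `add_header` inside a `location` block replaces every header inherited from the `server` block, so keep the security headers at server level (as here) or repeat them in each location; and do not add `preload` to the HSTS value until you are sure the whole domain will stay HTTPS-only, since preload-list removal is slow.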
Challenges we ran into
It was my first time using Node.js, so there was a bit of a learning curve. (M)
This was annoying, actually: https://github.com/kelektiv/node.bcrypt.js/issues/656
The most difficult challenge was debugging remotely and not working physically together. Explaining errors over https://jit.si only gets you so far. Connecting the backend and the frontend remotely was pretty time consuming. We ended up pushing the backend to the web server and developing the frontend on localhost.
Accomplishments that we're proud of
- Working remotely successfully
- The complexity of the project
- Working with WebRTC
- Implementing the Agora API
What we learned
- Agora API
- JSON web tokens
- Remote Development
What's next for InternetView
- Build out API
- Clean the code (It's alright but it's also a hackathon)
- Implement more Agora features.