# Assignment Handout

## Assignment Scope

{% hint style="warning" %}
**Due Date:** Monday 4/8, 11:59pm EST
{% endhint %}

You will be building a Venmo-style peer-to-peer payment app. For now, this app will have users that can send money to each other.

### 1. Download Starter Code

We have provided the starting files you will need to complete this assignment for your convenience. This also simplifies your submission by just having to zip this same folder.

{% file src="<https://3452473873-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Lu9Zw53dmTuhqAq-8K8%2Fuploads%2FUVAA5Mga6RclHE9dSPbe%2Fpa2_starter.zip?alt=media&token=a4c56e2c-a104-4f99-94b5-21aef81a93d1>" %}

### 2. Implement API Specification

We have shown you how to use the Flask framework to set up routes and respond to network requests. Your assignment is to implement a series of routes following the provided specification for responding to sample requests. If you are struggling with the assignment, we recommend referring to the Demo to see a concrete example.

{% content-ref url="api" %}
[api](https://backend-course.cornellappdev.com/chapters/databases/api)
{% endcontent-ref %}

#### 2a. Implement DatabaseDriver class in `db.py`

Reference the Demo for specifics on connecting to our Sqlite3 database file, `venmo.db`, and writing SQL command executions with the `sqlite3` package import. Implement methods for initializing the DatabaseDriver (`__init__(self)`), creating your user table, querying, inserting, updating, and deleting from the user table.

Note: we have examples of SQL syntax in both the Lecture and Demo of this chapter!

#### 2b. Implement routes in `app.py`

Reference the Demo for specifics on defining route syntax. We recommend approaching routes in the order they appear in the API Specification. After defining your route and function to return a response, open up Postman and test your route. Testing with Postman simply involves creating a new request tab, entering your server's URL, choosing a request method, and clicking the `Send` button.

#### 2c. Test your routes with testing script

After creating all of your routes to satisfy API Specification (and checking with Postman as you create each route), you should run our testing script to confirm that everything is working properly.

{% file src="<https://3452473873-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Lu9Zw53dmTuhqAq-8K8%2Fuploads%2FSeBo47zB6Fp6htYk5r7X%2Fpa2_test.py?alt=media&token=5a12392d-375a-41d5-871e-ffa4fadb91a6>" %}

For instructions on running the test script and common errors, look at the assignment handout for PA1.

### 3. Submit Assignment

#### 3a. Fill out your README.txt

A `README.txt` file is included in the starter code for you to fill out after completing the assignment. Also note that you will not receive extra credit for extra credit challenges you complete if you do not let us know for when we grade!

{% code title="README.txt" %}

```
Name: Jane Smith
NetID: js123

Challenges Attempted: <all the Tiers you completed here>
```

{% endcode %}

#### 3b. Make sure you have proper Python styling in your code

Common mistakes in styling are:

* NOT HAVING documentation/comments in each of your methods
* Naming variables with CamelCase instead of snake\_case
* Too much/too little empty spaces/empty lines
* Leaving in commented code

#### 3c. **Verify your routes using** [**Postman Tests**](https://www.youtube.com/watch?v=V2ZWdPMBwSA) **and submit an exported JSON of them**

Take some time looking through the guide to learn how to make tests using Postman. You should submit your Postman collection along with your CMS submission. The best way to get full credit for your tests is to ensure that you check that the response from your API matches what the API specification is expecting to receive. Please make sure that all your tests pass when we run your collection (make sure to clear your database before running to ensure you get the result we will get).

While that should be enough to get full credit, your tests can be cleaner and easier to change if you use [variables](https://learning.postman.com/docs/sending-requests/variables/) or [environments](https://learning.postman.com/docs/sending-requests/managing-environments/). It's up to you how much you want to learn and incorporate into your tests - the better you get at it the easier the assignments will be in the future and the likelier your API will pass the test cases we release on the first try.

If you'd prefer to learn how to use Postman through a video, [here](https://youtu.be/V2ZWdPMBwSA) is a link to everything you'll need to know for this class; however, the audio quality is quite poor due to a technical error. If you think you would benefit from a re-recording of a Postman demo, indicate that on the [feedback form](https://docs.google.com/forms/d/e/1FAIpQLSfRXyPmpfSkEQjDHtAPqSTbBCV47cR6O0363TgbxhzUsT9WHQ/viewform?usp=sf_link) and we will be happy to record one.

#### 3d. Zip and submit your assignment files

Next, zip the starter folder and submit on CMS. For reference, your directory structure should look like the following:&#x20;

```
pa2/
 |-README.txt
 |-postman_collection.json
 |-src/
    |-app.py
    |-db.py
    |-requirements.txt
```

For clarification, this means that you **SHOULD NOT** include your virtual environment, pycache, or .db file in your final submission. Doing so will lose you a few points on the project.

#### 3e. Submit Feedback Form&#x20;

To receive credit for your assignment, you **must** fill out the feedback form (link on the left sidebar of the textbook) so that we can better understand how effectively we are teaching and how long students are spending on assignments.

### 4. Prepare for Next Lecture

Students will most benefit from our class time if they come in with a few things done.

{% content-ref url="../relational-databases/pre-class" %}
[pre-class](https://backend-course.cornellappdev.com/chapters/relational-databases/pre-class)
{% endcontent-ref %}

## Optional Challenges

### **Tier I**

**+0.5 points for implementation**\
**+0.5 points for README explanation**

**Passwords**

We don’t want users to have unauthorized access to other users' balances. Please **change how you model your database** and **add extra credit routes to support users having passwords**. Require a user’s password in the request’s body when&#x20;

* attempting to create a user **`POST`**`/api/extra/users/`
* getting a user **`POST`**`/api/extra/user/{id}/`
* sending money **`POST`**`/api/extra/send/`

Include proper error handling (**401 Unauthorized**) if no password is sent or if it's incorrect. In addition, include in your `README.txt`why it is important that these routes require authorization.

### **Tier II**

**+0.5 points for implementation**\
**+0.5 points for README explanation**\
**+1 point more if all of Tier I completed**

**Password Hashing**

You probably saved your passwords in plain text in the tier I challenge. That’s a big no-no in industry! Research what password hashing is and add the functionality to previous routes requiring a password (some suggested libraries include [hashlib](https://docs.python.org/3/library/hashlib.html)). In addition include in your `README.txt` why password hashing is important.

### **Tier III**

**+0.75 points for implementation**\
**+0.75 points for environment setup**\
**+0.5 points for README explanation**\
**+1 point more if all of Tier I & II completed**

**Securer Passwords**

While hashing passwords is a good step towards having our passwords be stored more securely, it's not enough. Try to hash a simple password (like "*password123"*) using [this](https://appzaza.com/password-hasher) and then try to crack the password using [this](https://crackstation.net/). Do some research to answer the following questions in your `README.txt`

* What are [rainbow tables](https://cyberhoot.com/cybrary/rainbow-tables/) and how do they work?
* What is password salting and how can it protect against rainbow tables?
* What is iterative hashing and how can it protect against rainbow tables?

Once you've done your research, actually add salting and iterative hashing functionality to previous routes requiring a singly-hashed password. One thing to keep in mind is that if we were to expose our codebase to the public (like our open-source apps), our salt and number of iterations are visible and our hashed passwords are vulnerable to being cracked. We can resolve this issue by having a **secrets environment file** which will contain this sensitive information.

For our project to recognize our secrets file, we need a way to load the environment file when inside our directory to access our defined variables and to unload the environment file when outside our directory to clean up our environment. To accomplish this, install [direnv](https://direnv.net/) which takes care of this for you (and can be used for every language). Once you've installed this successfully, create a file named **.env** and write the following

```
PASSWORD_SALT=???
NUMBER_OF_ITERATIONS=???
```

where **PASSWORD\_SALT** is some text that is at least 32 characters long and **NUMBER\_OF\_ITERATIONS** is at least 500. Now, to access these environment variables you can refer to [this](https://stackoverflow.com/questions/4906977/how-to-access-environment-variable-values) in your project to retrieve the values.&#x20;

With your new secrets file, you can now make your code open-source (e.g. a public repository on [GitHub](https://techcrunch.com/2012/07/14/what-exactly-is-github-anyway/) which you will learn about later in the semester) since it pulls from your **.env** file which you store in a secure location! Please include your **.env** in your submission (you can trust us) so we can run your code.

### Total Points to Gain: 6