Kings Backend API
Overview
Kings Backend API is a RESTful API for managing teams, publishing match/show results, and handling admin authentication. It also includes a simple in-memory caching mechanism, input sanitization, and rate limiting for security.
Prerequisites
- Node.js (v14 or higher)
- MySQL
Installation
- Clone the Repository
git clone <repository_url>
cd kingproject/bazar3
- Install Dependencies
cd server
npm install
Configuration
- Environment Variables
Create a .env file in the /server directory with the following variables:
DB_HOST=localhost
DB_USER=user
DB_PASS=password
DB_NAME=kingdb_prod
IP_PEPPER=your_ip_pepper
JWT_SECRET=<your_jwt_secret>
PORT=3000
IP_PEPPER and JWT_SECRET are secrets: generate each as a long random value (for example 32 bytes from a CSPRNG, hex-encoded) rather than a guessable string, and never commit the .env file to version control.
Database Setup
- Import Schema
Run the following from a shell (it pipes the schema file into the mysql client):
mysql -u user -p < server/schema.sql
This creates the kingdb_prod database and the required tables: teams, results, and admins.
Admin Account Setup
To create an admin account, run:
npm run create-admin -- <your_password>
This script prints an Access Key. Keep it together with the password; both are required to log in at POST /admin/login.
Running the Server
Start the API server by running:
npm start
The server will listen on the port specified in your .env file (default is 3000).
API Endpoints
Public Endpoints
- GET /api/results?team=<TEAM_NAME>&date=<YYYY-MM-DD>
Retrieve the result for a specified team and date.
- GET /api/today
Retrieve all results for the current day.
- GET /api/health
Health check endpoint to verify server and database connectivity.
- POST /api/results/monthly
Get monthly results for a team.
Request Body Example:
{ "team": "BIKANER SUPER", "month": "2025-03" }
- GET /api/results/daily?date=<YYYY-MM-DD>
Get daily results for all teams.
Admin Endpoints
- POST /admin/login
Log in using accessKey and password to receive a session token.
Request Body Example:
{ "accessKey": "<ACCESS_KEY>", "password": "<PASSWORD>" }
- POST /admin/results
Publish a result. Requires the session token in the Authorization header (as a Bearer token, the same as the admin team endpoints below).
Request Body Example:
{ "team": "NEW TEAM", "date": "2025-03-12", "result": "45" }
Team Endpoints
- GET /api/teams
Retrieve all teams (public).
- POST /api/teams
Create a new team (admin only, requires Bearer token).
Request Body Example:
{ "name": "NEW TEAM", "announcement_time": "02:30:00" }
- PUT /api/teams/:id
Update a team (admin only, requires Bearer token).
- DELETE /api/teams/:id
Delete a team (admin only, requires Bearer token).
Testing Sanitization
The sanitization middleware runs on the body, query and params of every request, so any endpoint can be used to check it; POST /api/teams is a convenient one. For example, sending:
{
"name": "<script>alert('xss');</script>",
"announcement_time": "02:30:00"
}
will have the < and > characters escaped to their HTML entities before the name is stored, so the tag cannot execute where the value is later rendered. Input escaping is defence in depth, not a replacement for output encoding: whatever renders team names must still encode for its own context, and must not escape the stored value a second time.
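The following is an added example of the kind of middleware described above; it is not the project's own code. It escapes HTML metacharacters in every string found in req.body, req.query and req.params, walking nested objects and arrays and leaving non-string JSON values alone. It escapes the five characters that matter in HTML text and attribute contexts (the README only mentions < and >), and assumes an Express-4-style request object whose body, query and params are plain writable objects.

```javascript
'use strict';

// Added example, not the project's own middleware. Assumed: Express-4-style
// req whose body/query/params are plain, writable objects.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// One regex pass, so an '&' produced by the escaping is never escaped again.
function escapeHtml(str) {
  return str.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Walk nested objects and arrays, escaping strings only. Numbers, booleans
// and null pass through unchanged so the JSON types the handlers expect survive.
function sanitizeDeep(value) {
  if (typeof value === 'string') return escapeHtml(value);
  if (Array.isArray(value)) return value.map(sanitizeDeep);
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const key of Object.keys(value)) {
      // JSON.parse('{"__proto__": ...}') yields an own key named __proto__;
      // copying it would change the prototype of `out`, so drop it.
      if (key === '__proto__') continue;
      out[key] = sanitizeDeep(value[key]);
    }
    return out;
  }
  return value;
}

// Middleware: replace each request part with its sanitized copy before any
// route handler runs.
function sanitizeMiddleware(req, res, next) {
  for (const part of ['body', 'query', 'params']) {
    if (req[part] && typeof req[part] === 'object') {
      req[part] = sanitizeDeep(req[part]);
    }
  }
  next();
}

// Constructed request carrying the README's XSS test payload.
const demoReq = {
  body: { name: "<script>alert('xss');</script>", announcement_time: '02:30:00' },
  query: { team: 'BIKANER SUPER' },
  params: {},
};
sanitizeMiddleware(demoReq, {}, () => {});
console.log(demoReq.body.name);
// -> &lt;script&gt;alert(&#39;xss&#39;);&lt;/script&gt;
```

Note what this does to legitimate input: a team named A & B is stored as A &amp; B, and a non-HTML consumer of the API (a mobile app, a CSV export) will see the entities. That is the trade-off of escaping on input rather than encoding on output, and it is why the section above calls it defence in depth.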
Testing the API
- Using Postman
Import the Postman collection from /server/postman_collection.json to test all endpoints, including admin authentication, team management, result retrieval, and sanitization.
- Using the Test Script
A test script is available that performs a sequence of API calls:
npm run test-api
This script uses axios to:
- Log in as an admin.
- Create, fetch, update, and delete teams.
- Publish a result.
Caching
- Results are cached in memory for 5 minutes.
- Any write operation (POST, PUT, DELETE) clears the cache automatically, so a newly published result is visible on the next read.
- The cache lives inside the server process. If you run more than one instance, each keeps its own copy and a write on one instance does not clear the others, so stale reads of up to 5 minutes are possible across instances.
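The following is an added example, not the project's own cache code, showing how a cache with the behaviour described above can be built: a Map with per-entry expiry, a middleware that serves GET responses from it, and invalidation of the whole cache on any write. The clock is injectable so the expiry path can be exercised without sleeping. It assumes Express-style req (method, path, query) and res (statusCode, json) objects; the cache key, the set of write methods and the simulate() walk-through are this example's own choices.

```javascript
'use strict';

// Added example, not the project's own cache. Assumed: Express-style req/res.

const FIVE_MINUTES_MS = 5 * 60 * 1000;

class TtlCache {
  // `now` is injectable so the expiry logic can be exercised without sleeping.
  constructor(ttlMs = FIVE_MINUTES_MS, now = () => Date.now()) {
    this.ttlMs = ttlMs;
    this.now = now;
    this.store = new Map();
  }

  get(key) {
    const entry = this.store.get(key);
    if (!entry) return undefined;
    if (entry.expiresAt <= this.now()) {
      this.store.delete(key); // lazy eviction: stale entries go on first touch
      return undefined;
    }
    return entry.value;
  }

  set(key, value) {
    this.store.set(key, { value, expiresAt: this.now() + this.ttlMs });
  }

  clear() {
    this.store.clear();
  }

  get size() {
    return this.store.size;
  }
}

// Key on method, path and the query parameters in sorted order, so
// ?team=X&date=Y and ?date=Y&team=X share one entry.
function cacheKey(req) {
  const query = req.query || {};
  const params = Object.keys(query).sort()
    .map((k) => `${k}=${encodeURIComponent(String(query[k]))}`)
    .join('&');
  return `${req.method} ${req.path}?${params}`;
}

const WRITE_METHODS = new Set(['POST', 'PUT', 'DELETE', 'PATCH']);

function cacheMiddleware(cache) {
  return function (req, res, next) {
    // Any write invalidates everything, so a freshly published result is
    // visible on the next read. Under this rule the read-only
    // POST /api/results/monthly also clears the cache.
    if (WRITE_METHODS.has(req.method)) {
      cache.clear();
      return next();
    }
    if (req.method !== 'GET') return next();

    const key = cacheKey(req);
    const hit = cache.get(key);
    if (hit !== undefined) return res.json(hit);

    // Intercept res.json so the handler's successful response is stored
    // before it is sent; 4xx/5xx bodies are not cached.
    const originalJson = res.json.bind(res);
    res.json = (body) => {
      if (res.statusCode >= 200 && res.statusCode < 300) cache.set(key, body);
      return originalJson(body);
    };
    next();
  };
}

// Constructed walk-through with a fake clock and a handler that counts how
// many times the "database" was read. Returns the dbReads value each read saw.
function simulate() {
  let clock = 0;
  const cache = new TtlCache(FIVE_MINUTES_MS, () => clock);
  const mw = cacheMiddleware(cache);
  let dbReads = 0;
  const observed = [];

  function read(query) {
    const res = { statusCode: 200, json(body) { observed.push(body.dbReads); return this; } };
    mw({ method: 'GET', path: '/api/results', query }, res, () => {
      dbReads += 1;
      res.json({ team: query.team, date: query.date, result: '45', dbReads });
    });
  }
  function write() {
    mw({ method: 'POST', path: '/admin/results', query: {} },
      { statusCode: 201, json() { return this; } }, () => {});
  }

  read({ team: 'NEW TEAM', date: '2025-03-12' }); // miss: handler runs
  read({ date: '2025-03-12', team: 'NEW TEAM' }); // hit: same key, reordered query
  write();                                         // clears the cache
  read({ team: 'NEW TEAM', date: '2025-03-12' }); // miss again
  clock = FIVE_MINUTES_MS - 1;
  read({ team: 'NEW TEAM', date: '2025-03-12' }); // still fresh
  clock = FIVE_MINUTES_MS;
  read({ team: 'NEW TEAM', date: '2025-03-12' }); // expired: handler runs
  return observed;
}
```

The walk-through shows the two things worth checking in any cache of this kind: that a write really does invalidate (the third read goes back to the database) and that the TTL boundary behaves as intended (fresh at 4:59.999, expired at 5:00).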
Rate Limiting and Security
- Rate Limiting:
The API allows 100 requests per minute per client IP. The IP is not kept in the clear: it is hashed with SHA3-256 together with a secret pepper (the IP_PEPPER value from .env), so the rate-limit counters cannot be mapped back to an address by anyone who does not hold the pepper. If the server runs behind a reverse proxy or load balancer, make sure it derives the client address from the proxy's forwarded header and trusts that header only when it comes from the proxy; otherwise every client appears to share the proxy's address and the limit is hit collectively.
- Input Sanitization:
The middleware sanitizes incoming data (body, query, params) by escaping HTML characters to prevent XSS.
- SQL Injection Protection:
SQL queries use prepared statements with parameterized queries, so user input is sent to MySQL as data and is never interpolated into the query text.
Additional Notes
- Input validation is implemented using Joi.
- Keep your environment variables secure.
- Re-check the configuration (and re-run npm run test-api) after upgrading dependency versions.
License
Please include your project's license details here.
Happy Coding!