Test Task Latest

Uploaded by mastersergun4ik

Identifying Flaws

app.ts

- error handling is absent for every REST call in the module. Each request-handling function (get products, log in, etc.) needs an error handling mechanism. HIGH
- all URLs should be moved to a separate config file or to env variables MEDIUM
- the token should be sent in the Authorization header after login, but in fact it is not
- the app.ts module should be refactored according to SOLID, KISS, DRY, etc. As written it is neither maintainable nor scalable. HIGH
- unused Product reference in the import LOW
- app.use() middleware is not set up at all. Sessions, cookie parsers, etc. need to be registered and routed. HIGH
- functions are declared but not completed. Instead of leaving an almost empty function body, stub it by throwing a 'Not ready yet' exception so the gap is explicit. HIGH
- request validation is missing HIGH
- the Hello world ("/") endpoint is not reachable at all. MEDIUM
- OOP should be used; there is no OOP at all. HIGH
- a 404 error is sent with every request because the 404 handler sits inside a path-less app.use() that runs for every request; a catch-all 404 handler must be registered after all the routes. MEDIUM
- the /cart call has no URL configured; the request is sent without a target. HIGH

types.ts
- not enough entities. Address, Card and 3rd-party payment should be added. LOW
- only TS `type` aliases are used and no new types are created at all. Consider a class or interface instead of type-only usage: type aliases do not exist at runtime, and with types alone there is no OOP. HIGH
- should use namespaces LOW
- consider the global scope (declare global?) MEDIUM

script.js
- line 75: product has no rating field; corrupted reference. MEDIUM
- line 48: weak isAuthenticated check. It should verify grants, scopes, claims, expiration time, refresh time, etc. HIGH
- baseUrl should be moved out of the JS file, preferably into a config file.
- no handling of 403 errors HIGH
- let's say the rest is OK, as long as this is a test application to check skills.
- line 71: the product id should not be rendered into the UI as an element id at all. Sensitive information. MEDIUM

index.html
- the Forgot password link has no href attribute; it is a dummy placeholder. HIGH
- Remember me is also a dummy control. MEDIUM
- lines 19 and 23: the markup contains a hard-coded username and password HIGH

for all html

- CSS styles should be defined and extracted into a separate stylesheet LOW
Security Concerns

- npm audit reports 3 vulnerabilities in dependencies: 1 critical and 2 moderate. LOW

- the token expiration time is neither set nor checked in isAuthenticated in script.js HIGH

- dependency versions should be pinned to an exact version (with a committed lockfile) rather than a range. This needs to be controlled because of vulnerabilities, and it is always reviewed. MEDIUM

- URLs should be placed in env variables or another configuration location rather than in the code, since they are restricted information. There are many ways of doing it. MEDIUM

- the products endpoint should require a token and validate it. HIGH

- user input validation should be implemented on the client side: empty username or password, invalid data format, over-long credential values. Otherwise the web server, whose request size is limited, cannot handle long input values. MEDIUM

- the token has a default expiration time. Log out just removes it from the browser's storage; the token can still be used against the endpoints. Set your own expiration time, and invalidate the token server-side on log out. MEDIUM
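The expiry check that the "line 48" item under script.js, the "token expiration time is not set" item and the log-out item above all ask for, as an added example written for this review rather than code from the reviewed app. It assumes the login response returns a JWT whose payload carries the standard numeric `exp` and optional `nbf` claims (the page does not say what the token looks like) and a 30-second clock-skew tolerance; `makeUnsignedToken` only builds constructed test tokens.

```javascript
// Added example for script.js, not code from the reviewed app.
// Assumption: the login response returns a JWT whose payload carries the
// standard numeric `exp` (and optionally `nbf`) claims, in seconds.
// The browser cannot verify the signature (the secret lives on the server),
// so this only decides what the UI shows; every request is still checked server-side.

const CLOCK_SKEW_SECONDS = 30; // assumed tolerance for client/server clock drift

function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  // atob exists in browsers and Node >= 16; Buffer is the Node fallback
  return typeof atob === 'function'
    ? atob(padded)
    : Buffer.from(padded, 'base64').toString('binary');
}

function decodeJwtPayload(token) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(base64UrlDecode(parts[1]));
  } catch (_err) {
    return null; // not base64url or not JSON: treat as no session
  }
}

// Returns { ok, reason, payload } so the UI can distinguish "expired" (offer
// re-login) from "malformed" (discard the token and start over).
function checkSession(token, nowMs = Date.now()) {
  const payload = decodeJwtPayload(token);
  if (!payload) return { ok: false, reason: 'malformed', payload: null };
  if (typeof payload.exp !== 'number') return { ok: false, reason: 'no-exp', payload };
  const nowSec = Math.floor(nowMs / 1000);
  if (payload.exp + CLOCK_SKEW_SECONDS <= nowSec) {
    return { ok: false, reason: 'expired', payload };
  }
  if (typeof payload.nbf === 'number' && payload.nbf - CLOCK_SKEW_SECONDS > nowSec) {
    return { ok: false, reason: 'not-yet-valid', payload };
  }
  return { ok: true, reason: 'valid', payload };
}

// Replacement for the weak isAuthenticated() at line 48 of script.js.
function isAuthenticated(token, nowMs = Date.now()) {
  return checkSession(token, nowMs).ok;
}

// Helpers that build constructed test tokens. The third segment is a
// placeholder, not a real signature; a server must reject these.
function base64UrlEncode(text) {
  const b64 = typeof btoa === 'function'
    ? btoa(text)
    : Buffer.from(text, 'binary').toString('base64');
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function makeUnsignedToken(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.placeholder`;
}
```

Because `checkSession` reports why a token was rejected, the logout path can drop an expired token from storage and prompt for re-login, while the "still usable after logout" problem can only be closed on the server (short `exp`, plus a server-side revocation list or session store).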

- form input data should be validated for special characters, commands and queries, since that is how attackers get access to the database or web server folders. Client-side filtering alone is not a defence: the server must validate again and build database queries with parameterized statements, never by string concatenation. HIGH
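The client-side checks the two validation items above describe (empty fields, format, over-long values), as an added example for script.js that is not the reviewed app's code. The length limits and the username allow-list are assumptions for illustration; the point of the allow-list is that it rejects anything outside the expected character set instead of trying to enumerate "dangerous" characters.

```javascript
// Added example, not code from the reviewed app.
// Client-side validation for the login form. It improves UX and stops
// oversized requests, but anything here can be bypassed with curl, so the
// server must repeat the same checks and use parameterized queries.

// Assumed limits; pick them to match what the backend enforces.
const LIMITS = { usernameMin: 3, usernameMax: 64, passwordMin: 8, passwordMax: 128 };
// Allow-list for usernames: letters, digits and a few separators. A block-list
// of quotes/semicolons would miss encodings and is the wrong model.
const USERNAME_RE = /^[A-Za-z0-9._@-]+$/;

// Returns an array of human-readable errors; empty means the form may be submitted.
function validateCredentials(form) {
  const { username = '', password = '' } = form || {};
  const errors = [];
  const u = String(username).trim();
  const p = String(password); // never trim passwords: spaces are legal

  if (u.length === 0) {
    errors.push('username: required');
  } else if (u.length < LIMITS.usernameMin || u.length > LIMITS.usernameMax) {
    errors.push(`username: must be ${LIMITS.usernameMin}-${LIMITS.usernameMax} characters`);
  } else if (!USERNAME_RE.test(u)) {
    errors.push('username: contains characters outside the allowed set');
  }

  if (p.length === 0) {
    errors.push('password: required');
  } else if (p.length < LIMITS.passwordMin || p.length > LIMITS.passwordMax) {
    errors.push(`password: must be ${LIMITS.passwordMin}-${LIMITS.passwordMax} characters`);
  }
  return errors;
}

// Drives the disabled state of the Login button (test case 6.0): the button is
// enabled only when the form would pass validation.
function loginButtonEnabled(form) {
  return validateCredentials(form).length === 0;
}

// Wire-up for the page (assumed element ids; not part of the reviewed markup):
// document.querySelector('form').addEventListener('input', (ev) => {
//   const form = { username: ev.currentTarget.username.value,
//                  password: ev.currentTarget.password.value };
//   document.getElementById('login').disabled = !loginButtonEnabled(form);
// });
```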

- 403 permission errors are not present: data and operations are still permitted when calling the /products or /cart endpoints from a browser that is not logged in, or from a tool like curl or Postman without a token. HIGH
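The server-side guard that the "products endpoint should require a token" item and the 403 item above call for, and the registration-order point from the app.ts section (a catch-all 404 inside a path-less app.use() answers every request), as one added example written for this review, not code from the reviewed app. It assumes opaque bearer tokens looked up in a server-side session store and distinguishes 401 (no usable token) from 403 (valid token without the needed scope). `dispatch` is a tiny stand-in for how Express walks its handler stack, included so the example runs without the express package; in the real app.ts the same `requireScope` function is passed to `app.get('/products', ...)` unchanged.

```javascript
// Added example, not code from the reviewed app.
// Express-style (req, res, next) middleware plus a minimal dispatcher.
// Assumption: tokens are opaque strings keyed into a server-side session store.

// Constructed session store for the demo; `expires` is a Unix time in seconds.
const SESSIONS = new Map([
  ['tok-alice', { user: 'alice', scopes: ['products:read', 'cart:write'], expires: 1700003600 }],
  ['tok-carol', { user: 'carol', scopes: ['products:read'], expires: 1700003600 }],
  ['tok-stale', { user: 'bob', scopes: ['products:read', 'cart:write'], expires: 1699990000 }],
]);

function bearerToken(req) {
  const header = (req.headers && req.headers.authorization) || '';
  const m = /^Bearer\s+(\S+)$/i.exec(header);
  return m ? m[1] : null;
}

// 401 when there is no valid session at all, 403 when the session lacks the scope.
// `nowSec` is injectable so expiry can be tested deterministically.
function requireScope(scope, nowSec = () => Math.floor(Date.now() / 1000)) {
  return function authGuard(req, res, next) {
    const token = bearerToken(req);
    const session = token ? SESSIONS.get(token) : undefined;
    if (!session || session.expires <= nowSec()) {
      return res.status(401).json({ error: 'authentication required' });
    }
    if (!session.scopes.includes(scope)) {
      return res.status(403).json({ error: 'forbidden' });
    }
    req.user = session.user;
    return next();
  };
}

// Route table in registration order. The path-less 404 fallback is LAST;
// registered first, as in the reviewed app.ts, it would answer every request.
function buildRoutes(nowSec) {
  return [
    { path: '/', handlers: [(req, res) => res.status(200).json({ hello: 'world' })] },
    { path: '/products', handlers: [requireScope('products:read', nowSec),
      (req, res) => res.status(200).json({ user: req.user, products: ['p1', 'p2'] })] },
    { path: '/cart', handlers: [requireScope('cart:write', nowSec),
      (req, res) => res.status(200).json({ user: req.user, added: req.body })] },
    { path: null, handlers: [(req, res) => res.status(404).json({ error: 'not found' })] },
  ];
}

// Stand-in for Express dispatch: the first route whose path matches (null = any)
// runs its handlers in order; a handler that responds without calling next() ends it.
function dispatch(routes, req) {
  const res = {
    statusCode: 200, body: null,
    status(code) { this.statusCode = code; return this; },
    json(body) { this.body = body; return this; },
  };
  for (const route of routes) {
    if (route.path !== null && route.path !== req.path) continue;
    let i = 0;
    const next = () => { const h = route.handlers[i++]; if (h) h(req, res, next); };
    next();
    return res;
  }
  return res;
}
```

Checking a token only on the client (the isAuthenticated in script.js) leaves exactly the curl/Postman hole described above; the guard has to sit in front of the handler on the server, and the 404 fallback has to be the last thing registered.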

- the provided users should be removed, since their credentials are breached. Passwords should be handled with zero tolerance for insecure treatment. HIGH

- username and password authentication alone is not safe. MFA must be included, at the very least. HIGH
- consider API keys when the frontend works with 3rd parties, instead of username/password based auth. MEDIUM
Test Cases and the defects linked to them

All test cases and defects are logged in a simplified way, since this is a test task and there is no need for a defect tracking system or test case management tool.

1.0 User logs in successfully, products page is displayed [automated] defects 4, 8

2.0 User logs out successfully, login page is displayed [automated]

3.0 Product items are displayed on the products page successfully [automated] defect 7

4.0 User gets an 'invalid username/password' validation error when submitting invalid credentials in the login form [automated] defects 16, 15

5.0 A 403 permission error is displayed and the products are not shown when trying to list all items without logging in [not automated] defects 2, 1

6.0 User cannot press the Login button (it is grayed out) when username and password are not filled in [not automated] defect 19

7.0 Pagination lets the user display product items page by page or choose the number to display [not automated] defect 14

8.0 User sorts the products by price and rating [not automated] defect 11

9.0 User can zoom in/out on the product images [not automated] defect 12

10.0 User gets the list of products in the default sort order [not automated] defect 13

11.0 Application renders well on mobile, desktop browser and tablet without the need to adjust the window size (responsive design) [not automated] defect 17

12.0 Login layout [not automated] defect 18

13.0 Products page layout [not automated] defects 14, 7

14.0 User can recover a forgotten password [not automated] defects 9, 3

15.0 User can have their credentials remembered [not automated] defect 10

16.0 User can navigate to the landing/root page [not automated] defect 6

17.0 User can add products to the shopping cart [not automated] defect 5
Defects

1 Products are fetched without an auth token on GET /products HIGH [backend]

2 Products are displayed in the browser without logging in HIGH [frontend]

3 Google Chrome's "Change your password" (breached credential) alert is displayed after logging in to the app HIGH [backend]

4 "Welcome <username>" should be displayed instead of "Welcome User" on the products page after login LOW [frontend]

5 The POST /cart call has no URL in its implementation CRITICAL [backend]

6 The Hello world ("/") root endpoint is not reachable MEDIUM [frontend]

7 Sensitive information such as the product id should not be revealed in the frontend LOW [frontend]

8 Log in and then return to http://localhost:3000/. The login form is displayed again even though the user logged in successfully LOW [frontend]

9 Forgot password is not clickable HIGH [frontend]

10 The Remember me option does not remember anything HIGH [frontend]

11 Sorting by price/rating should be added to the products table MEDIUM [frontend]

12 Zoom in/out for pictures should be added MEDIUM [frontend]

13 A default (ascending) sort order should be applied when the product items are displayed MEDIUM [frontend]

14 Pagination should be implemented to display items in a chosen batch size instead of listing all products MEDIUM [frontend]

15 The application fails and cannot be reached with correct credentials after an incorrect username/password has been submitted at least once in the login form CRITICAL [frontend] [backend]

16 "Network error. Please check your internet connection." is displayed instead of "invalid username/password" when incorrect credentials are entered in the login form HIGH [frontend] [backend]

17 The application is not designed or implemented for different screen types such as mobile, tablet, etc. HIGH [frontend]

18 Username and password are pre-filled when the user opens the login page CRITICAL [frontend]

19 The Login button is not grayed out when username and password are empty LOW [frontend]
Quality summary report

The overall pass rate is calculated by the formula P = (tests passed, or failed only with LOW defects ÷ total number of tests) × 100

The overall pass rate is around 25%.

19 defects were raised at this stage:

- 4 LOW
- 3 CRITICAL
- 5 MEDIUM
- 7 HIGH

17 test cases were executed across the following features. The quality status of each feature:
- log in PASSED
- log in layout, validation FAILED
- log out PASSED
- products PASSED
- products layout FAILED
- products sorting, zoom in/out FAILED
- forgot password FAILED
- remember me FAILED
- shopping cart (designed but not working at all) FAILED
- pagination FAILED

Automated tests
Suggestions and observations
● Add a linter to the project.
● Username and password authentication is not safe at all.
● Consider HTTPS instead of HTTP.
● Passwords should not be stored in plaintext on the server side. Instead, store a salted hash.
● The user interface should support responsive design, but in its current state it does not, which means it will not work in a user-friendly way across different resolutions and screens, including mobile.
● Get your own database, because fully and permanently depending on a 3rd-party service is not reliable.
● Use your own CDN provider configuration for static data.
● Add unit tests to the project and CI.
● Add Swagger or similar documentation for the endpoints.
● The .gitignore file is missing.
● Add a Jest configuration file.
● Add alias commands to the scripts section of package.json to build and run the application.

I have many more items to be concerned about, but I need to stop, so as not to have an endless evaluation test interview task. There are no boundaries for perfection :)
We can talk about each item in detail if needed.
