This is the Nova server to create an embeddable passport widget. This widget lives on the lender server (https://kevins-lender-server.herokuapp.com/), which renders a Nova Credit Passport form on the lender's web page.
This is built using React, Redux and Express.
You will need Node installed. This program expects Node to be installed at /usr/bin/node. This was tested working on Node v5.10.1 on OSX but is likely to work on most other configurations as well.
Clone this repo and install the dependencies.
git clone https://github.com/kevinsuh/nova-server.git
cd nova-server
npm install
This app uses a sqlite DB. Once you have your node dependencies installed, run:
npm run database
This will create a database.sqlite in your root directory with 3 tables: requests, responses and lenders. This is where we store each API request / response.
Next, we need to transpile our React app using webpack and babel-loader:
npm run bundle
To recompile on any saved changes (for development purposes), you can run:
npm run bundle:watch
If you run this watch, you will need a separate terminal to run the Express server.
To run this locally, you will also need to go to client/passport-initialize.js and change the novaSource variable to localhost:8080. Once you have made this change, you can run the server using:
npm run start
You can now access the app at localhost:8080, but it will be a blank page. This is because the react app only renders on the lender's server via postMessage. To get the full experience, you will need to install the lender-server and have both servers running locally. You can then go to the lender's server (at localhost:3000) to see this app's embedded form.
We use mocha and supertest to run our tests. First, install mocha as global package:
npm install -g mocha
To run mocha, this server must be running. Load the server, then call mocha on a separate terminal to run the tests:
npm start
mocha // on a separate terminal
We store our test files in /test. Currently there is only one file test.js, which runs tests to validate the API calls to retrieve our form and to submit the form. It makes sure that requests without a public_key get a 401 unauthorized error. It will make sure that valid data returns country-specific form data and returns a public_token on form submission.
-
Create two servers: The lender server is a very simple Express server. Its main purpose is to run a
scriptto create an iframe that loads the form from Nova's server. Thescriptcomes withdata-keyanddata-countryattributes because we need to know the country in order to produce a country-specific form, and the public_key to associate API calls with a specific lender. -
Front-end widget code: The lender server runs
passport-initialize.js, which creates an iframe and loads the Nova react app viapostMessage. When our react app receives the message, it makes an API call to render the country-specific passport form. The backend API will return objects that map to specific form fields (labels and values). Right now, the country is South Korea and demo form inputs are simplyname,emailandpassport. -
The endpoint on the Nova server: On form submit, Nova's server will take the values and fake a 500ms data compilation. We fake-generate a
creditScorevalue to represent the private data that we get. We store thiscreditStorealong with other respones values, and send back apublic_tokenandmessage. -
Persistence: Our
requeststable holds theLenderIdthat associates withpublic_key. It also holds the IP address of the request, to look back in case of fraud. Theresponsestable holds thestatusof the data compilation (always200in this demo), as well aspublic_tokenandcreditScore. The credit score represents private data that we do not want to send over the browser. Instead of sending back private data, we send back a public token, which the lender will then have to exchange server-side (along with theirclientand secret) for the private data. We use Sequelize to speed up our implementation of the DB. -
Parent-child DOM Interaction: We have a redux state
PassportFormwith a{ response: { status } }property that initializes asnull. It gets updated with the200status on valid form submission. When this happens, our app sends a public message to the lender viawindow.parent.postMessage. We added an eventListener to the lender's browser in our JS file, so that the lender's webpage can respond to this. The message ("Congratulations, you now have a Nova Credit Passport!") will only display on a200status. -
Comment the code: We use
doccoand the HTML renders of our code can be found indocs. -
Create small test suites: We created some tests using
mochaandsupertest. Instructions on how to test can be found above. The main things we test are the API calls. We want to make sure the React app properly generates a form on validpublic_key, and that we handle the form submission.
The Nova server requires a public_key to identify the lender. This allows the lender to keep their client and secret private. We then are able to render a non-sensitive Nova Credit Passport form on their web page and handle submission. When the lender's client submits the form, we take those values to get the private data, store it in our database, and return back a public_token. This public_token is associated with the call, but is not able to be used for anything. This allows us to communicate back with the lender without having to pass sensitive data over the browser.
The final process would have the lender using the public_token to make a server-side request along with its client and secret to get the data.
We also store the IP address of each request, to have in case of fraud.
One thing I would implement next is sanitizing the form inputs. We allow any input to be submitted because this is a demo, but this is a major security concern and will lead to invalid data formatting.