README.md
# TigerTrade
[![Build Status](https://travis-ci.org/casey-chow/tigertrade.svg?branch=master)](https://travis-ci.org/casey-chow/tigertrade) [![codecov](https://codecov.io/gh/casey-chow/tigertrade/branch/master/graph/badge.svg?token=KOR6D8zVh3)](https://codecov.io/gh/casey-chow/tigertrade) [![Code Climate](https://codeclimate.com/github/casey-chow/tigertrade/badges/gpa.svg)](https://codeclimate.com/github/casey-chow/tigertrade)
The Princeton COS333 Project of Andrew Casey Evan Maryam Perry.
# 1. Running the server
This assumes you have initialized and migrated the database, and have Go and NPM installed.
```sh
make dev # this installs dev dependencies
make install
make serve
```
# 2. Running the client
In another terminal, build and run with
```sh
make serve-client
```
# Development
**Server**
```
make install Install all dependencies
make build Builds the server
make serve Runs a hot-reloading server for development
make test Runs the test suite
make test-server Runs a pretty testing server
```
**Client**
```
yarn start Runs an auto-reloading dev server
yarn build Builds the client code
yarn test Runs the test suite
```
**Both**
```
make dev Builds a development environment
make clean Removes all temporary files
make purge Uninstalls all dependencies, removes temp files
```
For dependency management, we use
[govendor](https://github.com/kardianos/govendor). Their documentation isn't
all that clear, so here's a quick cheat sheet of relevant commands:
```
govendor fetch [github_url] Installs a package into the vendor folder.
govendor sync Downloads all indicated dependencies.
govendor list List all installed packages
```
## Stack
- Go [Language]
- `net/http` [Web Server]
- Postgres [Database]
- AWS S3 [Image Storage]
- Cloudflare [DNS, CDN]
- Heroku [Server]
- Sentry [Error Reporting]
- React [Frontend]
- `create-react-app` for boilerplate
- Wordnet
## Sentry
We use Sentry to track errors. If you would like this, set the `SENTRY_DSN`
environment variable.
In Go:
```go
import "github.com/getsentry/raven-go"
_, err := DoSomeOperation()
if err != nil {
raven.CaptureError(err, nil)
log.Warning(err)
}
```
In Javascript:
```js
import raven from 'raven-js';
callback(function(err, res) {
if (err) {
raven.captureException(err);
}
});
```
## Code Layout
```
client/ client code
server/ server code
hooks/ useful development hooks
node_modules/ Javascript dependencies
vendor/ Go dependencies
```
# Security
We aim for Security by Simplicity--that is, taking simple approaches to
development that make it as obvious as possible whether we have security
issues.
**Cross-Site Scripting**: Since React doesn't actually parse HTML, our site
is inherently XSS-resistant as long as everything we do is rendered using
React (which we believe it is).
**Cross-Site Request Forgery**: We prevent CSRF attacks using the [Origin and
referrer headers][owasp], which is the simplest valid way to do so with a
RESTful API.
[owasp]: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Verifying_Same_Origin_with_Standard_Headers
**SQL Injection**: We prevent SQL injection by using prepared statements in
our SQL.
**Resource Overload**: Rather than trying to secure the system against abusive
use for images, we decided to set up our storage to log who uploads what image
and delete images after a year. We have notifications set up if the amount
stored exceeds a certain threshold, and can restrict photo uploads from there.
We also reduce photo usage by resizing and compressing all photos.
Additionally, we validate the filetypes of the uploaded images.