Web App Design: Authentication, Security, and Top-N Active Users
Context: Build a browser-based web application where a user signs in and the page displays "Hello, <username>". Assume JSON over HTTPS, a single-page web client, and a backend service. Design the APIs, authentication, and a service that returns the top N active users over a recent time window.
Tasks
- Client–Server APIs
  - Define REST endpoints for sign-up, sign-in, sign-out, and fetching the greeting.
  - Include request/response JSON shapes, HTTP status codes, and error handling.
- Authentication Approach
  - Choose between stateful server-side sessions and stateless tokens (e.g., JWT).
  - Detail password storage, optional MFA, TLS requirements, CSRF protection, and XSS mitigations.
- Post Sign-In Impersonation Risks
  - Explain how to prevent impersonation via reusing/guessing a user ID.
  - Cover session identifiers or tokens, entropy, rotation/expiration, storage (cookie flags, SameSite), token binding, refresh flows, and defenses against fixation, replay, and theft.
- Top N Active Users Service
  - Design an endpoint/service that returns the top N active users over a recent window.
  - Define "active" and the signals counted (e.g., requests, actions).
  - Propose a data model and an efficient computation approach (e.g., sliding-window counters, stream processing, precomputed aggregations).
  - Include scalability, consistency tradeoffs, rate limiting, and back-of-the-envelope capacity planning.
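As an added illustration of the sliding-window counter option named in the last task (example code written for this page, not part of the original prompt), the following in-memory service buckets activity signals by a fixed width, evicts buckets that fall outside the window so memory stays bounded, and answers top-N queries with a heap; the class name, parameters and the event stream are constructed assumptions.

```python
import heapq
from collections import Counter, defaultdict


class SlidingWindowTopN:
    """Approximate 'active users' over a trailing window.

    Events are counted into fixed-width time buckets; a query sums every
    bucket that still overlaps the window. Precision is limited to one
    bucket width, the usual tradeoff for O(window/bucket) memory.
    """

    def __init__(self, window_seconds: int, bucket_seconds: int):
        if bucket_seconds <= 0 or window_seconds < bucket_seconds:
            raise ValueError("window must be at least one bucket wide")
        self.window = window_seconds
        self.bucket = bucket_seconds
        # bucket start time -> per-user count of activity signals in it
        self.buckets: dict[int, Counter] = defaultdict(Counter)

    def _bucket_of(self, ts: int) -> int:
        return ts - (ts % self.bucket)

    def record(self, user_id: str, ts: int, weight: int = 1) -> None:
        """Count one activity signal (request, action) for user_id at ts."""
        self.buckets[self._bucket_of(ts)][user_id] += weight

    def top_n(self, n: int, now: int) -> list[tuple[str, int]]:
        """Return up to n (user_id, count) pairs, highest count first."""
        cutoff = self._bucket_of(now - self.window)
        # Evict expired buckets so long-running processes do not grow.
        for start in [b for b in self.buckets if b < cutoff]:
            del self.buckets[start]
        totals: Counter = Counter()
        for users in self.buckets.values():
            totals.update(users)
        # Tie-break on user_id so replicas answer identically.
        return heapq.nlargest(n, totals.items(), key=lambda kv: (kv[1], kv[0]))


def demo() -> list[tuple[str, int]]:
    """Constructed event stream: 5-minute window, 60-second buckets."""
    svc = SlidingWindowTopN(window_seconds=300, bucket_seconds=60)
    events = [("alice", 120), ("alice", 130), ("bob", 125),   # expire by t=600
              ("bob", 400), ("bob", 410), ("bob", 420),
              ("carol", 590), ("alice", 599)]
    for user, ts in events:
        svc.record(user, ts)
    return svc.top_n(2, now=600)  # [("bob", 3), ("carol", 1)]
```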