neonexus
diff --git a/‎.idea/dictionaries/neonexusdemortis.xml
Lines changed: 2 additions & 1 deletion b/‎.idea/dictionaries/neonexusdemortis.xml
Lines changed: 2 additions & 1 deletion
diff --git a/‎CHANGELOG.md
Lines changed: 3 additions & 1 deletion b/‎CHANGELOG.md
Lines changed: 3 additions & 1 deletion
diff --git a/‎Dockerfile
Lines changed: 2 additions & 2 deletions b/‎Dockerfile
Lines changed: 2 additions & 2 deletions
diff --git a/‎README.md
Lines changed: 6 additions & 1 deletion b/‎README.md
Lines changed: 6 additions & 1 deletion
diff --git a/‎api/controllers/admin/edit-user.js
Lines changed: 102 additions & 0 deletions b/‎api/controllers/admin/edit-user.js
Lines changed: 102 additions & 0 deletions
diff --git a/‎api/controllers/admin/get-deleted-users.js
Lines changed: 2 additions & 2 deletions b/‎api/controllers/admin/get-deleted-users.js
Lines changed: 2 additions & 2 deletions
diff --git a/‎api/controllers/common/login.js
Lines changed: 5 additions & 2 deletions b/‎api/controllers/common/login.js
Lines changed: 5 additions & 2 deletions
diff --git a/‎api/helpers/is-password-valid.js
Lines changed: 4 additions & 2 deletions b/‎api/helpers/is-password-valid.js
Lines changed: 4 additions & 2 deletions
diff --git a/‎api/helpers/paginate-for-json.js
Lines changed: 1 addition & 1 deletion b/‎api/helpers/paginate-for-json.js
Lines changed: 1 addition & 1 deletion
diff --git a/‎api/helpers/paginate-for-query.js
Lines changed: 5 additions & 2 deletions b/‎api/helpers/paginate-for-query.js
Lines changed: 5 additions & 2 deletions
@@ -1,12 +1,14 @@
 # Changelog
 
-## [v3.1.2](https://github.com/neonexus/sails-react-bootstrap-webpack/compare/v3.1.1...v3.1.2) (2022-10-24)
+## [v3.2.0](https://github.com/neonexus/sails-react-bootstrap-webpack/compare/v3.1.1...v3.2.0) (2022-11-16)
 
 ### Features
 
 * Built out PnwedPasswords.com (HaveIBeenPwned.com) API functionality into `is-password-valid` helper.
+  * Can be disabled in [config/security.js](config/security.js).
 * FINALLY removed the usage of `res._headers`, so no more annoying deprecation message.
 * Simplified stored session data.
+* Updated dependencies.
 
 ## [v3.1.1](https://github.com/neonexus/sails-react-bootstrap-webpack/compare/v3.1.0...v3.1.1) (2022-09-08)
 
 
@@ -1,4 +1,4 @@
-FROM node:16.17
+FROM node:18.12
 MAINTAINER NeoNexus DeMortis
 
 RUN apt-get update && apt-get upgrade -y
@@ -22,7 +22,7 @@ COPY assets /var/www/myapp/assets
 COPY webpack /var/www/myapp/webpack
 RUN npm run build
 
-# Copy the reset of the app
+# Copy the rest of the app
 COPY . /var/www/myapp/
 
 # Expose the compiled public assets, so Nginx can route to them, instead of using Sails to do the file serving.
 
@@ -13,7 +13,7 @@ Need help? Want to hire me to build your next app or prototype? You can contact
 * Setup so Sails will serve Webpack-built bundles as separate apps (so, a marketing site, and an admin site can live side-by-side).
 * Includes [react-bootstrap](https://www.npmjs.com/package/react-bootstrap) to make using Bootstrap styles / features with React easier.
 * Schema validation and enforcement for `PRODUCTION`. This repo is set up for `MySQL`. If you plan to use a different datastore, you will likely want to disable the schema validation and enforcement feature inside [`config/bootstrap.js`](config/bootstrap.js). See [schema validation and enforcement](#schema-validation-and-enforcement) for more info.
-* Can enforce password creation isn't found in [PwnedPasswords]()
+* New passwords can be checked against the [PwnedPasswords API](https://haveibeenpwned.com/API/v3#PwnedPasswords). If there is a single hit for the password, an error will be given, and the user will be forced to choose another. See [PwnedPasswords integration](#pwnedpasswordscom-integration) for more info.
 
 ## Branch Warning
 The `master` branch is experimental, and the [release branch](https://github.com/neonexus/sails-react-bootstrap-webpack/tree/release) (or the [`releases section`](https://github.com/neonexus/sails-react-bootstrap-webpack/releases)) is where one should base their use of this template.
@@ -116,6 +116,11 @@ module.exports.bootstrap = function(next) {
 };
 ```
 
+## PwnedPasswords.com Integration
+When a new password is being created, it is checked with the [PwnedPasswords.com API](https://haveibeenpwned.com/API/v3#PwnedPasswords). This API uses a k-anonymity model, so the password that is searched for is never exposed to the API. Basically, the password is hashed, then the first 5 characters are sent to the API, and the API returns any hashes that start with those 5 characters, including the amount of times that hash (aka password) has been found in known security breaches.
+
+This functionality is turned on by default, and can be shutoff per-use, or globally throughout the app. `sails.helpers.isPasswordValid` can be used with `skipPwned` option set to `true`, to disable the check per use. Inside of [`config/security.js`](config/security.js), the variable `checkPwned` can be set to `false` to disable it globally.
+
 ## What about SEO?
 I recommend looking at [prerender.io](https://prerender.io). They offer a service (free up to 250 pages) that caches the end result of a JavaScript-rendered view (React, Vue, Angular), allowing search engines to crawl otherwise un-crawlable web views. You can use the service in a number of ways. One way, is to use the [prerender-node](https://www.npmjs.com/package/prerender-node) package. To use it with Sails, you'll have to add it to the [HTTP Middleware](https://sailsjs.com/documentation/concepts/middleware#?http-middleware). Here's a quick example:
 
 
@@ -0,0 +1,102 @@
+module.exports = {
+    friendlyName: 'Edit User',
+
+    description: 'Edit an active user.',
+
+    inputs: {
+        id: {
+            type: 'string',
+            required: true,
+            isUUID: true
+        },
+
+        firstName: {
+            type: 'string',
+            required: true,
+            maxLength: 70
+        },
+
+        lastName: {
+            type: 'string',
+            required: true,
+            maxLength: 70
+        },
+
+        password: {
+            type: 'string',
+            maxLength: 70
+        },
+
+        email: {
+            type: 'string',
+            isEmail: true,
+            required: true,
+            maxLength: 191
+        },
+
+        role: {
+            type: 'string',
+            defaultsTo: 'user',
+            isIn: [
+                'user',
+                'admin'
+            ]
+        },
+
+        setPassword: {
+            type: 'boolean',
+            defaultsTo: true
+        }
+    },
+
+    exits: {
+        ok: {
+            responseType: 'created'
+        },
+        badRequest: {
+            responseType: 'badRequest'
+        },
+        serverError: {
+            responseType: 'serverError'
+        }
+    },
+
+    fn: async (inputs, exits) => {
+        let isPasswordValid = true;
+        const foundUser = await sails.models.user.findOne({id: inputs.id});
+
+        if (!foundUser) {
+            return exits.badRequest('There is no user with that ID.');
+        }
+
+        if (foundUser.deletedAt !== null) {
+            return exits.badRequest('This user has been deleted, and can not be edited until reactivated.');
+        }
+
+        if (inputs.setPassword) {
+            isPasswordValid = await sails.helpers.isPasswordValid.with({
+                password: inputs.password,
+                user: {firstName: inputs.firstName, lastName: inputs.lastName, email: inputs.email}
+            });
+        }
+
+        if (isPasswordValid !== true) {
+            return exits.badRequest(isPasswordValid);
+        }
+
+        let updatedUser = {
+            firstName: inputs.firstName,
+            lastName: inputs.lastName,
+            role: inputs.role,
+            email: inputs.email
+        };
+
+        if (inputs.setPassword) {
+            updatedUser.password = inputs.password;
+        }
+
+        const user = await sails.models.user.updateOne({id: inputs.id}).set(updatedUser);
+
+        return exits.ok({user});
+    }
+};
@@ -39,7 +39,7 @@ module.exports = {
             where: {
                 deletedAt: {'!=': null} // get all soft-deleted users
             },
-            sort: [{deletedAt: 'ASC'}, {createdAt: 'DESC'}]
+            sort: 'deletedAt DESC'
         });
 
         let out = await sails.helpers.paginateForJson.with({
@@ -50,7 +50,7 @@ module.exports = {
 
         // We assign the users to the object afterward, so we can run our safety checks.
         // Otherwise, if we were to put the users object into "objToWrap", they would be transformed, and the "customToJSON" feature would no longer work, and hashed passwords would leak.
-        out.users = await sails.models.user.find(_.omit(pagination, ['page'])).populate('deletedBy');
+        out.users = await sails.models.user.find(_.omit(query, ['page'])).populate('deletedBy');
 
         return exits.ok(out);
     }
 
@@ -36,14 +36,17 @@ module.exports = {
         }
 
         const badEmailPass = 'Bad email / password combination.';
+
+        if (await sails.helpers.isPasswordValid.with({password: inputs.password, skipPwned: true}) !== true) {
+            return exits.badRequest(badEmailPass);
+        }
+
         const foundUser = await sails.models.user.findOne({email: inputs.email, deletedAt: null});
 
         if (!foundUser) {
             return exits.badRequest(badEmailPass);
         }
 
-        await sails.helpers.isPasswordValid(inputs.password);
-
         if (!await sails.models.user.doPasswordsMatch(inputs.password, foundUser.password)) {
             return exits.badRequest(badEmailPass);
         }
 
@@ -90,13 +90,15 @@ module.exports = {
                     }
 
                     if (res.text && res.text.length) {
-                        const chunks = res.text.replaceAll('\r', '').split('\n');
+                        const chunks = res.text.split('\r\n');
                         const matches = chunks.filter(s => s.includes(passChunk2));
 
                         if (matches.length) {
                             const bits = matches[0].split(':');
 
-                            return exits.success(['Provided password has been found in ' + bits[1] + ' known breaches. Please choose a new one for safety. We HIGHLY recommend using a password manager!']);
+                            return exits.success(
+                                ['Provided password has been found in ' + bits[1] + ' known security breaches. Please choose a new one for safety. We HIGHLY recommend using a password manager!']
+                            );
                         }
 
                         return exits.success(true);
 
@@ -11,7 +11,7 @@ module.exports = {
             // this is a custom validator, which returns true or false
             custom: (thisQuery) => (
                 _.isObject(thisQuery) && _.isNumber(thisQuery.limit) &&
-                _.isNumber(thisQuery.page) && _.isString(thisQuery.sort) &&
+                _.isNumber(thisQuery.page) && (_.isString(thisQuery.sort) || _.isArray(thisQuery.sort)) &&
                 _.isObject(thisQuery.where)
             )
         },
 
@@ -15,8 +15,11 @@ module.exports = {
             defaultsTo: 25
         },
         sort: {
-            type: 'string',
-            defaultsTo: 'createdAt DESC'
+            type: 'ref',
+            defaultsTo: 'createdAt DESC',
+            custom: (val) => { // custom validator
+                return _.isString(val) || _.isArray(val);
+            }
         },
         where: {
             type: 'ref', // JavaScript reference to an object
Original file line number	Diff line number	Diff line change
`@@ -36,14 +36,17 @@ module.exports = {`
`36`	`36`	`}`
`37`	`37`
`38`	`38`	`const badEmailPass = 'Bad email / password combination.';`
	`39`	`+`
	`40`	`+ if (await sails.helpers.isPasswordValid.with({password: inputs.password, skipPwned: true}) !== true) {`
	`41`	`+ return exits.badRequest(badEmailPass);`
	`42`	`+ }`
	`43`	`+`
`39`	`44`	`const foundUser = await sails.models.user.findOne({email: inputs.email, deletedAt: null});`
`40`	`45`
`41`	`46`	`if (!foundUser) {`
`42`	`47`	`return exits.badRequest(badEmailPass);`
`43`	`48`	`}`
`44`	`49`
`45`		`- await sails.helpers.isPasswordValid(inputs.password);`
`46`		`-`
`47`	`50`	`if (!await sails.models.user.doPasswordsMatch(inputs.password, foundUser.password)) {`
`48`	`51`	`return exits.badRequest(badEmailPass);`
`49`	`52`	`}`
Original file line number	Diff line number	Diff line change
`@@ -90,13 +90,15 @@ module.exports = {`
`90`	`90`	`}`
`91`	`91`
`92`	`92`	`if (res.text && res.text.length) {`
`93`		`- const chunks = res.text.replaceAll('\r', '').split('\n');`
	`93`	`+ const chunks = res.text.split('\r\n');`
`94`	`94`	`const matches = chunks.filter(s => s.includes(passChunk2));`
`95`	`95`
`96`	`96`	`if (matches.length) {`
`97`	`97`	`const bits = matches[0].split(':');`
`98`	`98`
`99`		`- return exits.success(['Provided password has been found in ' + bits[1] + ' known breaches. Please choose a new one for safety. We HIGHLY recommend using a password manager!']);`
	`99`	`+ return exits.success(`
	`100`	`+ ['Provided password has been found in ' + bits[1] + ' known security breaches. Please choose a new one for safety. We HIGHLY recommend using a password manager!']`
	`101`	`+ );`
`100`	`102`	`}`
`101`	`103`
`102`	`104`	`return exits.success(true);`
Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@ module.exports = {`
`11`	`11`	`// this is a custom validator, which returns true or false`
`12`	`12`	`custom: (thisQuery) => (`
`13`	`13`	`_.isObject(thisQuery) && _.isNumber(thisQuery.limit) &&`
`14`		`- _.isNumber(thisQuery.page) && _.isString(thisQuery.sort) &&`
	`14`	`+ _.isNumber(thisQuery.page) && (_.isString(thisQuery.sort) \|\| _.isArray(thisQuery.sort)) &&`
`15`	`15`	`_.isObject(thisQuery.where)`
`16`	`16`	`)`
`17`	`17`	`},`