Built basic login / logout. Updated policies.

Author: neonexus

.sailsrc

@@ -1,12 +1,14 @@
 {
-  "generators": {
-    "modules": {}
-  },
-  "_generatedWith": {
-    "sails": "1.2.3",
-    "sails-generate": "1.16.13"
-  },
-  "hooks": {
-    "grunt": false
-  }
+    "generators": {
+        "modules": {}
+    },
+    "_generatedWith": {
+        "sails": "1.2.3",
+        "sails-generate": "1.16.13"
+    },
+    "hooks": {
+        "grunt": false,
+        "session": false,
+        "csrf": false
+    }
 }

README.md

@@ -4,8 +4,8 @@
 
 This is an opinionated base [Sails v1](https://sailsjs.com) application, using Webpack to handle Bootstrap (SASS) and React.
 
-# Preface
-The `master` branch is experimental, and the [`releases section`](https://github.com/neonexus/sails-react-bootstrap-webpack/releases) is where one should base their use of this template (or simply change the tag to the most recent, stable release in the top left). `master` is **volatile**, likely to change at any time, for any reason; this includes `git push --force`.
+# Branch Warning
+The `master` branch is experimental, and the [release branch](https://github.com/neonexus/sails-react-bootstrap-webpack/tree/release) (or the [`releases section`](https://github.com/neonexus/sails-react-bootstrap-webpack/releases)) is where one should base their use of this template. `master` is **volatile**, likely to change at any time, for any reason; this includes `git push --force` updates.
 
 **FINAL WARNING: DO NOT RELY ON THE MASTER BRANCH!**
 
@@ -36,16 +36,18 @@ This repo is not installable via `npm`. Instead, Github provides a handy "Use th
 |npm run coverage | Runs [NYC](https://www.npmjs.com/package/nyc) coverage reporting of the Mocha tests, which generates HTML in `test/coverage`.
 
 ### Environment Variables used for remote servers:
-| Variable   | DEV default          | PROD default            | Description
-|------------|----------------------|-------------------------|----------------------
-| ASSETS_URL | "" (empty string)    | "" (empty string)       | Webpack is configured to modify static asset URLs to point to a CDN, like CloudFront. MUST end with a slash " / ", or be empty.
-| BASE_URL   | https://myapi.app    | https://myapi.app       | The address of the Sails instance.
-| DB_HOST    | localhost            | localhost               | The hostname of the datastore.
-| DB_USER    | root                 | produser                | Username for the datastore.
-| DB_PASS    | mypass               | myprodpassword          | Password for the datastore.
-| DB_NAME    | myapp                | proddatabase            | The name of the database inside the datastore.
-| DB_PORT    | 3306                 | 3306                    | The port number for datastore.
-| DB_SSL     | false                | false                   | If the datastore requires SSL, set this to "true".
+| Variable              | DEV default       | PROD default      | Description
+|-----------------------|-------------------|-------------------|----------------------
+| ASSETS_URL            | "" (empty string) | "" (empty string) | Webpack is configured to modify static asset URLs to point to a CDN, like CloudFront. MUST end with a slash " / ", or be empty.
+| BASE_URL              | https://myapi.app | https://myapi.app | The address of the Sails instance.
+| DB_HOST               | localhost         | localhost         | The hostname of the datastore.
+| DB_USER               | root              | produser          | Username for the datastore.
+| DB_PASS               | mypass            | myprodpassword    | Password for the datastore.
+| DB_NAME               | myapp             | proddatabase      | The name of the database inside the datastore.
+| DB_PORT               | 3306              | 3306              | The port number for datastore.
+| DB_SSL                | false             | false             | If the datastore requires SSL, set this to "true".
+| SESSION_SECRET        | "" (empty string) | "" (empty string) | This is used to sign cookies, and SHOULD be set, especially on PRODUCTION environments.
+| DATA_ENCRYPTION_KEY   | "" (empty string) | "" (empty string) | **Currently unused; intended for future use.**
 
 ## Request Logging
 Automatic incoming request logging, is a 2 part process. First, the [`request-logger` hook](api/hooks/request-logger.js) gathers info from the request, and creates a new [`RequestLog` record](api/models/RequestLog.js), making sure to mask anything that may be sensitive, such as passwords. Then, a custom response gathers information from the response, again, scrubbing sensitive data (using the [customToJSON](https://sailsjs.com/documentation/concepts/models-and-orm/model-settings?identity=#customtojson) feature of Sails models) to prevent leaking of password hashes, or anything else that should never be publicly accessible. The [`keepModelsSafe` helper](api/helpers/keep-models-safe.js) and the custom responses (such as [ok](api/responses/ok.js) or [serverError](api/responses/serverError.js)) are responsible for the final leg of request logs.

api/controllers/admin/create-user.js

@@ -18,7 +18,8 @@ module.exports = {
 
         password: {
             type: 'string',
-            required: true
+            required: true,
+            maxLength: 70
         },
 
         email: {
@@ -31,7 +32,7 @@ module.exports = {
 
     exits: {
         ok: {
-            responseType: 'ok'
+            responseType: 'created'
         },
         badRequest: {
             responseType: 'badRequest'
@@ -51,7 +52,13 @@ module.exports = {
             return exits.badRequest(isPasswordValid);
         }
 
-        sails.models.user.create({
+        const foundUser = await User.findOne({email: inputs.email});
+
+        if (foundUser) {
+            return exits.badRequest('Email is already in-use.');
+        }
+
+        User.create({
             id: 'c', // required, but auto-generated
             firstName: inputs.firstName,
             lastName: inputs.lastName,

api/controllers/admin/get-me.js

@@ -0,0 +1,30 @@
+module.exports = {
+    friendlyName: 'Get me',
+
+    description: 'Get the currently logged in user.',
+
+    inputs: {},
+
+    exits: {
+        ok: {
+            responseType: 'ok'
+        },
+        badRequest: {
+            responseType: 'badRequest'
+        },
+        serverError: {
+            responseType: 'serverError'
+        }
+    },
+
+    fn: async (inputs, exits, env) => {
+        const foundUser = await User.findOne({id: env.req.session.user.id}); // req.session.user is filled in by the isLoggedIn policy
+
+        if (!foundUser) {
+            // this should not happen
+            return exits.serverError();
+        }
+
+        return exits.ok({user: foundUser});
+    }
+};

api/controllers/admin/login.js

@@ -8,13 +8,13 @@ module.exports = {
             type: 'string',
             required: true,
             isEmail: true,
-            maxLength: 191 // max length of UTF8MB4 varchar
+            maxLength: 191 // max length of UTF8-MB4 varchar
         },
 
         password: {
             type: 'string',
             required: true,
-            maxLength: 191
+            maxLength: 70
         }
     },
 
@@ -30,9 +30,47 @@ module.exports = {
         }
     },
 
-    fn: (inputs, exits) => {
+    fn: async (inputs, exits, env) => {
+        if (env.req.signedCookies[sails.config.session.name]) {
+            return exits.badRequest('Already logged in.');
+        }
+
+        const badEmailPass = 'Bad email / password combination.';
+        const foundUser = await User.findOne({email: inputs.email});
+
+        if (!foundUser) {
+            return exits.badRequest(badEmailPass);
+        }
+
+        if (!await User.doPasswordsMatch(inputs.password, foundUser.password)) {
+            return exits.badRequest(badEmailPass);
+        }
 
+        const csrf = sails.helpers.generateCsrfToken();
+        const newSession = await Session.create({
+            id: 'c', // required, auto-generated
+            user: foundUser.id,
+            data: {
+                user: {
+                    id: foundUser.id,
+                    firstName: foundUser.firstName,
+                    lastName: foundUser.lastName,
+                    email: foundUser.email,
+                    role: foundUser.role
+                },
+                _csrfSecret: csrf.secret
+            }
+        }).fetch();
 
-        return exits.ok();
+        return exits.ok({
+            cookies: [
+                {
+                    name: sails.config.session.name,
+                    value: newSession.id,
+                    isSession: true
+                }
+            ],
+            _csrf: csrf.token
+        });
     }
 };

api/controllers/admin/logout.js

@@ -0,0 +1,39 @@
+module.exports = {
+    friendlyName: 'Logout',
+
+    description: 'Destroy current user session.',
+
+    inputs: {},
+
+    exits: {
+        ok: {
+            responseType: 'ok'
+        },
+        badRequest: {
+            responseType: 'badRequest'
+        },
+        serverError: {
+            responseType: 'serverError'
+        }
+    },
+
+    fn: async (inputs, exits, env) => {
+        const foundSession = await Session.findOne({id: env.req.session.id});
+
+        if (!foundSession) {
+            return exits.ok();
+        }
+
+        await Session.destroy({id: foundSession.id});
+
+        return exits.ok({
+            cookies: [
+                {
+                    name: sails.config.session.name,
+                    value: null, // setting null will tell sails.helpers.setCookies to remove it
+                    isSession: true
+                }
+            ]
+        });
+    }
+};

api/helpers/generate-csrf-token.js

@@ -0,0 +1,37 @@
+const Tokens = require('csrf');
+
+module.exports = {
+    sync: true,
+
+    friendlyName: 'Generate CSRF token',
+
+    description: 'Generate a CSRF token, and a secret.',
+
+    inputs: {
+        saltLength: {
+            type: 'number',
+            defaultsTo: 8
+        },
+
+        secretLength: {
+            type: 'number',
+            defaultsTo: 18
+        }
+    },
+
+    exits: {},
+
+    fn: (inputs, exits) => {
+        const tokens = new Tokens({
+            saltLength: inputs.saltLength,
+            secretLength: inputs.secretLength
+        });
+
+        const secret = tokens.secretSync();
+
+        return exits.success({
+            token: tokens.create(secret),
+            secret
+        });
+    }
+};

api/helpers/set-cookies.js

@@ -0,0 +1,54 @@
+module.exports = {
+    sync: true, // this is a synchronous helper
+
+    friendlyName: 'Set Cookies',
+
+    description: 'Removes `cookies` from `data`, and attaches them to `res`.',
+
+    inputs: {
+        data: {
+            type: 'ref',
+            required: true
+        },
+
+        res: {
+            type: 'ref',
+            required: true
+        }
+    },
+
+    exits: {
+        success: {}
+    },
+
+    fn: function(inputs, exits) {
+        if (!inputs.data.cookies) {
+            return exits.success(inputs.data);
+        }
+
+        const cookies = (_.isArray(inputs.data.cookies))
+                        ? inputs.data.cookies
+                        : [inputs.data.cookies];
+
+        cookies.map((cookie) => {
+            const defaultCookie = {
+                signed: true,
+                httpOnly: true,
+                secure: sails.config.session.cookie.secure
+            };
+
+            if (cookie.value === null) {
+                return inputs.res.clearCookie(cookie.name, defaultCookie);
+            }
+
+            const newCookie = (cookie.isSession)
+                              ? _.merge({}, defaultCookie, {maxAge: sails.config.session.cookie.maxAge})
+                              : defaultCookie;
+
+            return inputs.res.cookie(cookie.name, cookie.value, newCookie);
+        });
+
+        return exits.success(_.omit(inputs.data, ['cookies']));
+    }
+};
+

api/helpers/verify-csrf-token.js

@@ -0,0 +1,42 @@
+const Tokens = require('csrf');
+
+module.exports = {
+    sync: true,
+
+    friendlyName: 'Verify CSRF token',
+
+    description: 'Verify a CSRF token, given a secret.',
+
+    inputs: {
+        token: {
+            type: 'string',
+            required: true
+        },
+
+        secret: {
+            type: 'string',
+            required: true
+        },
+
+        saltLength: {
+            type: 'number',
+            defaultsTo: 8
+        },
+
+        secretLength: {
+            type: 'number',
+            defaultsTo: 18
+        }
+    },
+
+    exits: {},
+
+    fn: (inputs, exits) => {
+        const tokens = new Tokens({
+            saltLength: inputs.saltLength,
+            secretLength: inputs.secretLength
+        });
+
+        return exits.success(tokens.verify(inputs.secret, inputs.token));
+    }
+};

api/models/User.js

@@ -57,13 +57,13 @@ module.exports = {
         firstName: {
             type: 'string',
             allowNull: true,
-            columnType: 'varchar(191)'
+            columnType: 'varchar(70)'
         },
 
         lastName: {
             type: 'string',
             allowNull: true,
-            columnType: 'varchar(191)'
+            columnType: 'varchar(70)'
         },
 
         password: {