Added way to soft-delete users. Added minor improvements to CSRF.

neonexus · neonexus · commit ccc3ddfa1c00 · 2020-08-01T01:46:16.000-05:00
diff --git a/README.md b/README.md
@@ -5,7 +5,9 @@
 This is an opinionated base [Sails v1](https://sailsjs.com) application, using Webpack to handle Bootstrap (SASS) and React.
 
 # Branch Warning
-The `master` branch is experimental, and the [release branch](https://github.com/neonexus/sails-react-bootstrap-webpack/tree/release) (or the [`releases section`](https://github.com/neonexus/sails-react-bootstrap-webpack/releases)) is where one should base their use of this template. `master` is **volatile**, likely to change at any time, for any reason; this includes `git push --force` updates.
+The `master` branch is experimental, and the [release branch](https://github.com/neonexus/sails-react-bootstrap-webpack/tree/release) (or the [`releases section`](https://github.com/neonexus/sails-react-bootstrap-webpack/releases)) is where one should base their use of this template.
+
+`master` is **volatile**, likely to change at any time, for any reason; this includes `git push --force` updates.
 
 **FINAL WARNING: DO NOT RELY ON THE MASTER BRANCH!**
 
diff --git a/api/controllers/admin/create-user.js b/api/controllers/admin/create-user.js
@@ -52,7 +52,7 @@ module.exports = {
             return exits.badRequest(isPasswordValid);
         }
 
-        const foundUser = await User.findOne({email: inputs.email});
+        const foundUser = await User.findOne({email: inputs.email, deletedAt: null});
 
         if (foundUser) {
             return exits.badRequest('Email is already in-use.');
diff --git a/api/controllers/admin/delete-user.js b/api/controllers/admin/delete-user.js
@@ -0,0 +1,44 @@
+const moment = require('moment-timezone');
+
+module.exports = {
+    friendlyName: 'Delete User',
+
+    description: 'Delete a user, give its ID',
+
+    inputs: {
+        id: {
+            type: 'string',
+            required: true,
+            isUUID: true
+        }
+    },
+
+    exits: {
+        ok: {
+            responseType: 'ok'
+        },
+        badRequest: {
+            responseType: 'badRequest'
+        },
+        serverError: {
+            responseType: 'serverError'
+        }
+    },
+
+    fn: async (inputs, exits, env) => {
+        const foundUser = await User.findOne({id: inputs.id, deletedAt: null});
+
+        if (!foundUser) {
+            return exits.badRequest('User does not exist');
+        }
+
+        await Session.destroy({user: foundUser.id}); // force logout any active sessions user might have
+
+        await User.update({id: foundUser.id}).set(_.merge({}, foundUser, {
+            deletedAt: moment.tz(sails.config.datastores.default.timezone).toDate(),
+            deletedBy: env.req.session.user.id
+        }));
+
+        return exits.ok();
+    }
+};
diff --git a/api/controllers/admin/login.js b/api/controllers/admin/login.js
@@ -36,7 +36,7 @@ module.exports = {
         }
 
         const badEmailPass = 'Bad email / password combination.';
-        const foundUser = await User.findOne({email: inputs.email});
+        const foundUser = await User.findOne({email: inputs.email, deletedAt: null});
 
         if (!foundUser) {
             return exits.badRequest(badEmailPass);
@@ -70,6 +70,7 @@ module.exports = {
                     isSession: true
                 }
             ],
+            user: foundUser,
             _csrf: csrf.token
         });
     }
diff --git a/api/helpers/set-cookies.js b/api/helpers/set-cookies.js
@@ -41,7 +41,7 @@ module.exports = {
                 return inputs.res.clearCookie(cookie.name, defaultCookie);
             }
 
-            const newCookie = (cookie.isSession)
+            const newCookie = (!cookie.isSession) // if we don't want to use the default "session" to expire the cookie, we use the maxAge
                               ? _.merge({}, defaultCookie, {maxAge: sails.config.session.cookie.maxAge})
                               : defaultCookie;
 
diff --git a/api/helpers/update-csrf.js b/api/helpers/update-csrf.js
@@ -0,0 +1,40 @@
+module.exports = {
+    friendlyName: 'Update CSRF',
+
+    description: 'Update the CSRF secret, and append the token to the res.',
+
+    inputs: {
+        data: {
+            type: 'ref',
+            required: true
+        },
+
+        req: {
+            type: 'ref',
+            required: true
+        }
+    },
+
+    exits: {},
+
+    fn: async (inputs, exits) => {
+        if (inputs.req.method === 'GET' || !inputs.req.session || !inputs.req.session.user || !inputs.req.session.id) {
+            return exits.success(inputs.data);
+        }
+
+        const foundSession = await Session.findOne({id: inputs.req.session.id});
+
+        const csrf = sails.helpers.generateCsrfToken();
+        const newData = _.merge({}, foundSession.data, {_csrfSecret: csrf.secret});
+
+        Session.update({id: inputs.req.session.id}).set({
+            data: newData
+        }).exec((err) => {
+            if (err) {
+                throw new Error(err);
+            }
+
+            return exits.success(_.merge({}, inputs.data, {_csrf: csrf.token}));
+        });
+    }
+};
diff --git a/api/models/User.js b/api/models/User.js
@@ -50,7 +50,7 @@ module.exports = {
             type: 'string',
             isEmail: true,
             required: true,
-            unique: true,
+            // unique: true,
             columnType: 'varchar(191)'
         },
 
diff --git a/api/responses/created.js b/api/responses/created.js
@@ -12,6 +12,7 @@ module.exports = async function created(data) {
 
     data = sails.helpers.keepModelsSafe(data);
     data = sails.helpers.setCookies(data, res);
+    data = await sails.helpers.updateCsrf(data, req);
 
     const out = _.merge({success: true}, data);
 
diff --git a/api/responses/ok.js b/api/responses/ok.js
@@ -12,6 +12,7 @@ module.exports = async function sendOK(data) {
 
     data = sails.helpers.keepModelsSafe(data);
     data = sails.helpers.setCookies(data, res);
+    data = await sails.helpers.updateCsrf(data, req);
 
     const out = _.merge({success: true}, data);
 
diff --git a/config/policies.js b/config/policies.js
@@ -14,6 +14,7 @@ module.exports.policies = {
     AdminController: {
         '*': 'isLoggedIn',
         'login': true,
-        'create-user': ['isLoggedIn', 'isAdmin']
+        'create-user': ['isLoggedIn', 'isAdmin'],
+        'delete-user': ['isLoggedIn', 'isAdmin']
     }
 };
diff --git a/config/routes.js b/config/routes.js
@@ -75,6 +75,7 @@ module.exports.routes = {
     'POST /api/v1/login': {action: 'admin/login', skipAssets: true},
     'GET /api/v1/logout': {action: 'admin/logout', skipAssets: true},
     'GET /api/v1/me': {action: 'admin/get-me', skipAssets: true},
+    'DELETE /api/v1/user': {action: 'admin/delete-user', skipAssets: true},
 
     'GET /_ping': (req, res) => {
         return res.ok('pong');

Original file line number	Diff line number	Diff line change
`@@ -52,7 +52,7 @@ module.exports = {`
`52`	`52`	`return exits.badRequest(isPasswordValid);`
`53`	`53`	`}`
`54`	`54`
`55`		`- const foundUser = await User.findOne({email: inputs.email});`
	`55`	`+ const foundUser = await User.findOne({email: inputs.email, deletedAt: null});`
`56`	`56`
`57`	`57`	`if (foundUser) {`
`58`	`58`	`return exits.badRequest('Email is already in-use.');`
Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,7 @@ module.exports = {`
`36`	`36`	`}`
`37`	`37`
`38`	`38`	`const badEmailPass = 'Bad email / password combination.';`
`39`		`- const foundUser = await User.findOne({email: inputs.email});`
	`39`	`+ const foundUser = await User.findOne({email: inputs.email, deletedAt: null});`
`40`	`40`
`41`	`41`	`if (!foundUser) {`
`42`	`42`	`return exits.badRequest(badEmailPass);`
`@@ -70,6 +70,7 @@ module.exports = {`
`70`	`70`	`isSession: true`
`71`	`71`	`}`
`72`	`72`	`],`
	`73`	`+ user: foundUser,`
`73`	`74`	`_csrf: csrf.token`
`74`	`75`	`});`
`75`	`76`	`}`
Original file line number	Diff line number	Diff line change
`@@ -41,7 +41,7 @@ module.exports = {`
`41`	`41`	`return inputs.res.clearCookie(cookie.name, defaultCookie);`
`42`	`42`	`}`
`43`	`43`
`44`		`- const newCookie = (cookie.isSession)`
	`44`	`+ const newCookie = (!cookie.isSession) // if we don't want to use the default "session" to expire the cookie, we use the maxAge`
`45`	`45`	`? _.merge({}, defaultCookie, {maxAge: sails.config.session.cookie.maxAge})`
`46`	`46`	`: defaultCookie;`
`47`	`47`
Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,7 @@ module.exports.policies = {`
`14`	`14`	`AdminController: {`
`15`	`15`	`'*': 'isLoggedIn',`
`16`	`16`	`'login': true,`
`17`		`- 'create-user': ['isLoggedIn', 'isAdmin']`
	`17`	`+ 'create-user': ['isLoggedIn', 'isAdmin'],`
	`18`	`+ 'delete-user': ['isLoggedIn', 'isAdmin']`
`18`	`19`	`}`
`19`	`20`	`};`