Merge pull request #2 from neonexus/master

Fixed webpack merge issue; started using React context; updates to API handling on frontend; created "sails run create-admin" console function.

Author: neonexus

.sailsrc

@@ -1,12 +1,14 @@
 {
-  "generators": {
-    "modules": {}
-  },
-  "_generatedWith": {
-    "sails": "1.2.3",
-    "sails-generate": "1.16.13"
-  },
-  "hooks": {
-    "grunt": false
-  }
+    "generators": {
+        "modules": {}
+    },
+    "_generatedWith": {
+        "sails": "1.2.3",
+        "sails-generate": "1.16.13"
+    },
+    "hooks": {
+        "grunt": false,
+        "session": false,
+        "csrf": false
+    }
 }

README.md

@@ -4,6 +4,13 @@
 
 This is an opinionated base [Sails v1](https://sailsjs.com) application, using Webpack to handle Bootstrap (SASS) and React.
 
+# Branch Warning
+The `master` branch is experimental, and the [release branch](https://github.com/neonexus/sails-react-bootstrap-webpack/tree/release) (or the [`releases section`](https://github.com/neonexus/sails-react-bootstrap-webpack/releases)) is where one should base their use of this template.
+
+`master` is **volatile**, likely to change at any time, for any reason; this includes `git push --force` updates.
+
+**FINAL WARNING: DO NOT RELY ON THE MASTER BRANCH!**
+
 ## Main Features
 
 + Automatic (incoming) request logging, via Sails models / hooks.
@@ -31,16 +38,18 @@ This repo is not installable via `npm`. Instead, Github provides a handy "Use th
 |npm run coverage | Runs [NYC](https://www.npmjs.com/package/nyc) coverage reporting of the Mocha tests, which generates HTML in `test/coverage`.
 
 ### Environment Variables used for remote servers:
-| Variable   | DEV default          | PROD default            | Description
-|------------|----------------------|-------------------------|----------------------
-| ASSETS_URL | "" (empty string)    | "" (empty string)       | Webpack is configured to modify static asset URLs to point to a CDN, like CloudFront. MUST end with a slash " / ".
-| BASE_URL   | https://myapi.app    | https://myapi.app       | The address of the Sails instance.
-| DB_HOST    | localhost            | localhost               | The hostname of the datastore.
-| DB_USER    | root                 | produser                | Username for the datastore.
-| DB_PASS    | mypass               | myprodpassword          | Password for the datastore.
-| DB_NAME    | myapp                | proddatabase            | The name of the database inside the datastore.
-| DB_PORT    | 3306                 | 3306                    | The port number for datastore.
-| DB_SSL     | false                | false                   | If the datastore requires SSL, set this to "true".
+| Variable              | DEV default       | PROD default      | Description
+|-----------------------|-------------------|-------------------|----------------------
+| ASSETS_URL            | "" (empty string) | "" (empty string) | Webpack is configured to modify static asset URLs to point to a CDN, like CloudFront. MUST end with a slash " / ", or be empty.
+| BASE_URL              | https://myapi.app | https://myapi.app | The address of the Sails instance.
+| DB_HOST               | localhost         | localhost         | The hostname of the datastore.
+| DB_USER               | root              | produser          | Username for the datastore.
+| DB_PASS               | mypass            | myprodpassword    | Password for the datastore.
+| DB_NAME               | myapp             | proddatabase      | The name of the database inside the datastore.
+| DB_PORT               | 3306              | 3306              | The port number for datastore.
+| DB_SSL                | false             | false             | If the datastore requires SSL, set this to "true".
+| SESSION_SECRET        | "" (empty string) | "" (empty string) | This is used to sign cookies, and SHOULD be set, especially on PRODUCTION environments.
+| DATA_ENCRYPTION_KEY   | "" (empty string) | "" (empty string) | **Currently unused; intended for future use.**
 
 ## Request Logging
 Automatic incoming request logging, is a 2 part process. First, the [`request-logger` hook](api/hooks/request-logger.js) gathers info from the request, and creates a new [`RequestLog` record](api/models/RequestLog.js), making sure to mask anything that may be sensitive, such as passwords. Then, a custom response gathers information from the response, again, scrubbing sensitive data (using the [customToJSON](https://sailsjs.com/documentation/concepts/models-and-orm/model-settings?identity=#customtojson) feature of Sails models) to prevent leaking of password hashes, or anything else that should never be publicly accessible. The [`keepModelsSafe` helper](api/helpers/keep-models-safe.js) and the custom responses (such as [ok](api/responses/ok.js) or [serverError](api/responses/serverError.js)) are responsible for the final leg of request logs.

api/README.md

@@ -0,0 +1,27 @@
+# API
+
+This is where all API controllers, custom hooks, helpers, models, policies and responses live.
+
+## Controllers
+
+Controllers handle API requests, and decide how to respond, using the custom responses, which track API requests in our datastore.
+
+## Helpers
+
+Helpers are generic, reusable functions used by multiple controllers (or hooks, policies, etc).
+
+## Hooks
+
+Custom hooks (currently only the 1), are used to tap into different parts of a request. The custom hook setup in this repo, is designed to start recording an API request, while the custom responses finalize the record.
+
+## Models
+
+The data models inform Sails (really Waterline) how to create / modify tables (if `sails.config.models.migrate === 'alter'`), or our custom [schema validation and enforcement](../README.md#schema-validation-and-enforcement) on how it should behave.
+
+## Policies
+
+Policies are simple functions, that determine if a request should continue, or fail. These are configured in [`config/policies.js`](../config/policies.js)
+
+## Responses
+
+These custom responses handle the final leg of request logging. They are responsible for ensuring data isn't leaked, by utilizing the `customToJSON` functionality of models.

api/controllers/admin/create-api-token.js

@@ -0,0 +1,24 @@
+module.exports = {
+    friendlyName: 'Create API Token',
+
+    description: 'Get an API token, which replaces CSRF token usage.',
+
+    inputs: {},
+
+    exits: {
+        ok: {
+            responseType: 'ok'
+        },
+        badRequest: {
+            responseType: 'badRequest'
+        },
+        serverError: {
+            responseType: 'serverError'
+        }
+    },
+
+    fn: (inputs, exits) => {
+
+        return exits.ok();
+    }
+};

api/controllers/admin/create-user.js

@@ -18,7 +18,8 @@ module.exports = {
 
         password: {
             type: 'string',
-            required: true
+            required: true,
+            maxLength: 70
         },
 
         email: {
@@ -31,7 +32,7 @@ module.exports = {
 
     exits: {
         ok: {
-            responseType: 'ok'
+            responseType: 'created'
         },
         badRequest: {
             responseType: 'badRequest'
@@ -51,7 +52,13 @@ module.exports = {
             return exits.badRequest(isPasswordValid);
         }
 
-        sails.models.user.create({
+        const foundUser = await User.findOne({email: inputs.email, deletedAt: null});
+
+        if (foundUser) {
+            return exits.badRequest('Email is already in-use.');
+        }
+
+        User.create({
             id: 'c', // required, but auto-generated
             firstName: inputs.firstName,
             lastName: inputs.lastName,

api/controllers/admin/delete-user.js

@@ -0,0 +1,44 @@
+const moment = require('moment-timezone');
+
+module.exports = {
+    friendlyName: 'Delete User',
+
+    description: 'Delete a user, give its ID',
+
+    inputs: {
+        id: {
+            type: 'string',
+            required: true,
+            isUUID: true
+        }
+    },
+
+    exits: {
+        ok: {
+            responseType: 'ok'
+        },
+        badRequest: {
+            responseType: 'badRequest'
+        },
+        serverError: {
+            responseType: 'serverError'
+        }
+    },
+
+    fn: async (inputs, exits, env) => {
+        const foundUser = await User.findOne({id: inputs.id, deletedAt: null});
+
+        if (!foundUser) {
+            return exits.badRequest('User does not exist');
+        }
+
+        await Session.destroy({user: foundUser.id}); // force logout any active sessions user might have
+
+        await User.update({id: foundUser.id}).set(_.merge({}, foundUser, {
+            deletedAt: moment.tz(sails.config.datastores.default.timezone).toDate(),
+            deletedBy: env.req.session.user.id
+        }));
+
+        return exits.ok();
+    }
+};

api/controllers/admin/get-me.js

@@ -0,0 +1,30 @@
+module.exports = {
+    friendlyName: 'Get me',
+
+    description: 'Get the currently logged in user.',
+
+    inputs: {},
+
+    exits: {
+        ok: {
+            responseType: 'ok'
+        },
+        badRequest: {
+            responseType: 'badRequest'
+        },
+        serverError: {
+            responseType: 'serverError'
+        }
+    },
+
+    fn: async (inputs, exits, env) => {
+        const foundUser = await User.findOne({id: env.req.session.user.id}); // req.session.user is filled in by the isLoggedIn policy
+
+        if (!foundUser) {
+            // this should not happen
+            return exits.serverError();
+        }
+
+        return exits.ok({user: foundUser});
+    }
+};

api/controllers/admin/login.js

@@ -0,0 +1,77 @@
+module.exports = {
+    friendlyName: 'Admin Login',
+
+    description: 'Basic authentication for admin panel.',
+
+    inputs: {
+        email: {
+            type: 'string',
+            required: true,
+            isEmail: true,
+            maxLength: 191 // max length of UTF8-MB4 varchar
+        },
+
+        password: {
+            type: 'string',
+            required: true,
+            maxLength: 70
+        }
+    },
+
+    exits: {
+        ok: {
+            responseType: 'ok'
+        },
+        badRequest: {
+            responseType: 'badRequest'
+        },
+        serverError: {
+            responseType: 'serverError'
+        }
+    },
+
+    fn: async (inputs, exits, env) => {
+        if (env.req.signedCookies[sails.config.session.name]) {
+            return exits.badRequest('Already logged in.');
+        }
+
+        const badEmailPass = 'Bad email / password combination.';
+        const foundUser = await User.findOne({email: inputs.email, deletedAt: null});
+
+        if (!foundUser) {
+            return exits.badRequest(badEmailPass);
+        }
+
+        if (!await User.doPasswordsMatch(inputs.password, foundUser.password)) {
+            return exits.badRequest(badEmailPass);
+        }
+
+        const csrf = sails.helpers.generateCsrfToken();
+        const newSession = await Session.create({
+            id: 'c', // required, auto-generated
+            user: foundUser.id,
+            data: {
+                user: {
+                    id: foundUser.id,
+                    firstName: foundUser.firstName,
+                    lastName: foundUser.lastName,
+                    email: foundUser.email,
+                    role: foundUser.role
+                },
+                _csrfSecret: csrf.secret
+            }
+        }).fetch();
+
+        return exits.ok({
+            cookies: [
+                {
+                    name: sails.config.session.name,
+                    value: newSession.id,
+                    isSession: true
+                }
+            ],
+            user: foundUser,
+            _csrf: csrf.token
+        });
+    }
+};

api/controllers/admin/logout.js

@@ -0,0 +1,39 @@
+module.exports = {
+    friendlyName: 'Logout',
+
+    description: 'Destroy current user session.',
+
+    inputs: {},
+
+    exits: {
+        ok: {
+            responseType: 'ok'
+        },
+        badRequest: {
+            responseType: 'badRequest'
+        },
+        serverError: {
+            responseType: 'serverError'
+        }
+    },
+
+    fn: async (inputs, exits, env) => {
+        const foundSession = await Session.findOne({id: env.req.session.id});
+
+        if (!foundSession) {
+            return exits.ok();
+        }
+
+        await Session.destroy({id: foundSession.id});
+
+        return exits.ok({
+            cookies: [
+                {
+                    name: sails.config.session.name,
+                    value: null, // setting null will tell sails.helpers.setCookies to remove it
+                    isSession: true
+                }
+            ]
+        });
+    }
+};

api/helpers/generate-csrf-token.js

@@ -0,0 +1,37 @@
+const Tokens = require('csrf');
+
+module.exports = {
+    sync: true,
+
+    friendlyName: 'Generate CSRF token',
+
+    description: 'Generate a CSRF token, and a secret.',
+
+    inputs: {
+        saltLength: {
+            type: 'number',
+            defaultsTo: 8
+        },
+
+        secretLength: {
+            type: 'number',
+            defaultsTo: 18
+        }
+    },
+
+    exits: {},
+
+    fn: (inputs, exits) => {
+        const tokens = new Tokens({
+            saltLength: inputs.saltLength,
+            secretLength: inputs.secretLength
+        });
+
+        const secret = tokens.secretSync();
+
+        return exits.success({
+            token: tokens.create(secret),
+            secret
+        });
+    }
+};