Minor tweaks.

Author: neonexus

CHANGELOG.md

@@ -1,15 +1,15 @@
 # Changelog
 
-## [v5.1.0](https://github.com/neonexus/sails-react-bootstrap-webpack/compare/v5.0.0...v5.1.0) (2023-12-22)
+## [v5.1.0](https://github.com/neonexus/sails-react-bootstrap-webpack/compare/v5.0.0...v5.1.0) (2024-01-06)
 ### Features
 
-* Minor tweaks / fixes.
-* Created the datastore wipe script, to reset LOCAL / DEVELOPMENT datastore. Will **not** run on PRODUCTION (or when migrate = "safe").
+* Created the datastore wipe script, to clear LOCAL / DEVELOPMENT datastore(s). It's just like `DROP`ing the database. Will **not** run on PRODUCTION (or when `migrate = 'safe'`).
 * Converted `.mocharc.yml` -> `.mocharc` (JSON) to be more consistent.
 * Made the Ngrok script capable of installing [`@ngrok/ngrok`](https://npmjs.com/package/@ngrok/ngrok) when needed.
 * Minor visual fix in security settings page.
 * Built the "reactivate user" endpoint.
 * Corrected "edit" and "delete" user routes to use ID in the route.
+* Fixed issue in 2FA backup token generation, where it was possible to generate a pure number backup token. Now will ALWAYS have at least 1 letter.
 * Updated dependencies.
 
 ## [v5.0.0](https://github.com/neonexus/sails-react-bootstrap-webpack/compare/v4.3.1...v5.0.0) (2023-12-05)

README.md

@@ -9,7 +9,17 @@
 
 [![Discord Server](https://img.shields.io/badge/Discord_server-silver?logo=discord)](http://discord.gg/Y5K73E84Tc)
 
-Kick-start your project with this startup in a box.
+This is a starter application, built on [Sails v1](https://sailsjs.com), [React](https://react.dev), [Bootstrap](https://getbootstrap.com), and [Webpack](https://webpack.js.org). It is designed
+so that multiple front-ends (a customer front-end, and an admin panel perhaps; more if need be) can live side-by-side, and use the same API. It even has built-in [Ngrok support](#working-with-ngrok).
+A virtual start-up in a box!
+
+## Quick Install
+
+```shell
+npx drfg neonexus/sails-react-bootstrap-webpack my-new-site
+npm run setup
+npm run start   OR   npm run ngrok
+```
 
 ## Table of Contents
 
@@ -53,7 +63,7 @@ Kick-start your project with this startup in a box.
 * Automatic (incoming) request logging (manual outgoing), via Sails models / hooks.
 * Setup for Webpack auto-reload dev server. Build; save; auto-reload.
 * Setup so Sails will serve Webpack-built bundles as separate apps (so, a marketing site, and an admin site can live side-by-side).
-* More than a few custom [helper functions](api/helpers) to make life a little easier.
+* More than a few custom [API helper functions](api/helpers) to make life a little easier.
 * Includes [react-bootstrap](https://www.npmjs.com/package/react-bootstrap) to make using Bootstrap styles / features with React easier.
 * Schema validation and enforcement for `PRODUCTION`. See [schema validation and enforcement](#schema-validation-and-enforcement).
 * New passwords will be checked against the [PwnedPasswords API](https://haveibeenpwned.com/API/v3#PwnedPasswords). If there is a single hit for the password, an error will be given, and the user will

api/controllers/admin/create-user.js

@@ -25,7 +25,7 @@ module.exports = {
             type: 'string',
             isEmail: true,
             required: true,
-            maxLength: 191
+            maxLength: 191 // Max size of an utf8mb4 varchar in MySQL.
         },
 
         role: {
@@ -69,7 +69,7 @@ module.exports = {
             isPasswordValid = true;
             password = sails.helpers.generateToken().substring(0, 42);
 
-            // should probably send password somehow; it will be scrubbed in the custom response (would be hashed anyway...)
+            // should probably send password somehow; it will be scrubbed in the response (would be hashed anyway...)
         }
 
         if (isPasswordValid !== true) {
@@ -99,7 +99,7 @@ module.exports = {
             }
 
             /**
-             * TODO: We should probably email the new user their new account info here if the password was generated (!inputs.setPassword)...
+             * TODO: We should probably email the new user their new account info here if the password was generated (inputs.generatePassword)...
              */
 
             return exits.created({user});

api/helpers/generate-backup-tokens.js

@@ -14,11 +14,21 @@ module.exports = {
     exits: {},
 
     fn: (inputs, exits) => {
-        const token = sails.helpers.generateToken();
+        let token = sails.helpers.generateToken();
         let backupTokens = [];
 
+        let last = null;
         for (let i = 0; i < 10; ++i) {
-            backupTokens[i] = token.substring(i * 8, (i * 8) + 8);
+            do {
+                // Regenerate the token if this is our second time around in the do...while loop.
+                if (last === i) {
+                    token = sails.helpers.generateToken();
+                } else {
+                    last = i;
+                }
+
+                backupTokens[i] = token.substring(i * 8, (i * 8) + 8);
+            } while (!isNaN(backupTokens[i])); // Don't let pure number tokens through. They MUST have at least 1 letter.
         }
 
         return exits.success(backupTokens);

api/models/Log.js

@@ -20,7 +20,7 @@ module.exports = {
 
         description: {
             type: 'string',
-            columnType: 'varchar(191)' // 191 is the max length to safely use the utf8mb4 charset
+            columnType: 'varchar(191)' // 191 is the max length to safely use the utf8mb4 varchar.
         },
 
         data: {

api/models/OTP.js

@@ -21,7 +21,7 @@ module.exports = {
 
         secret: {
             type: 'string',
-            columnType: 'varchar(191)',
+            columnType: 'varchar(191)', // 191 is the max length to safely use the utf8mb4 varchar.
             encrypt: true,
             required: true
         },

api/models/RequestLog.js

@@ -34,13 +34,13 @@ module.exports = {
         host: {
             type: 'string',
             required: true,
-            columnType: 'varchar(191)'
+            columnType: 'varchar(191)' // 191 is the max length to safely use the utf8mb4 varchar.
         },
 
         path: {
             type: 'string',
             required: true,
-            columnType: 'varchar(191)'
+            columnType: 'varchar(191)' // 191 is the max length to safely use the utf8mb4 varchar.
         },
 
         headers: {

api/models/User.js

@@ -53,7 +53,7 @@ module.exports = {
             isEmail: true,
             required: true,
             // unique: true, // can NOT be unique, if we are using soft-deleted users; controller must deal with uniqueness
-            columnType: 'varchar(191)'
+            columnType: 'varchar(191)' // 191 is the max length to safely use the utf8mb4 varchar.
         },
 
         firstName: {
@@ -71,7 +71,7 @@ module.exports = {
         password: {
             type: 'string',
             allowNull: true,
-            columnType: 'varchar(191)',
+            columnType: 'varchar(191)', // 191 is the max length to safely use the utf8mb4 varchar.
             // see: https://sailsjs.com/documentation/reference/waterline-orm/queries/decrypt
             // You will need to "decrypt" the user object before you can check if the password is valid.
             // encrypt: true // currently, does not work as intended, as password is encrypted before we can hash it
@@ -80,13 +80,13 @@ module.exports = {
         verificationKey: { // placeholder for something like email verification
             type: 'string',
             allowNull: true,
-            columnType: 'varchar(191)'
+            columnType: 'varchar(191)' // 191 is the max length to safely use the utf8mb4 varchar.
         },
 
         avatar: {
             type: 'string',
             isURL: true,
-            columnType: 'varchar(191)'
+            columnType: 'varchar(191)' // 191 is the max length to safely use the utf8mb4 varchar.
         },
 
         isGravatar: {

assets/src/Admin/Login.jsx

@@ -48,7 +48,7 @@ class Login extends Component {
                 return done(body.user);
             }
 
-            // This should not happen, as the error handler below should display the error from the server.
+            // This should not happen, as the `defaultAPIErrorHandler` should display the error from the server.
             alert('Unknown error. Please try again. If this error persists, please contact support.');
             console.error('Something is wrong in the handleLogin API post...');
         }, defaultAPIErrorHandler);

config/ngrok.js

@@ -5,7 +5,7 @@
  */
 
 module.exports.ngrok = {
-    // Set an HTTP basic-auth wall for the app.
+    // Set an HTTP basic-auth wall for the app. Optional.
     auth: process.env.NGROK_BASIC || undefined, // Use a string of 'username:password' style (raw password)
 
     // Default Ngrok authtoken, to tie to your account.
@@ -15,10 +15,10 @@ module.exports.ngrok = {
     // Whether to build assets by default or not.
     buildAssets: true,
 
-    // The static domain to use for the Ngrok tunnel. Something like: 'running-grey-gazelle.ngrok-free.app'
+    // The static domain to use for the Ngrok tunnel. Something like: 'running-grey-gazelle.ngrok-free.app'. Optional; Ngrok can generate a single-use random domain.
     domain: process.env.NGROK_DOMAIN || undefined,
 
-    // The default region for the Ngrok tunnel.
+    // The default region for the Ngrok tunnel. Optional.
     region: process.env.NGROK_REGION || undefined,
 
     // The default port to start Sails for the Ngrok tunnel.