Built out PnwedPasswords.com API functionality into is-password-valid helper. FINALLY removed the usage of res._headers, so no more annoying deprecation message. Simplified stored session data.

Author: neonexus

CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## [v3.1.2](https://github.com/neonexus/sails-react-bootstrap-webpack/compare/v3.1.1...v3.1.2) (2022-10-24)
+
+### Features
+
+* Built out PnwedPasswords.com (HaveIBeenPwned.com) API functionality into `is-password-valid` helper.
+* FINALLY removed the usage of `res._headers`, so no more annoying deprecation message.
+* Simplified stored session data.
+
 ## [v3.1.1](https://github.com/neonexus/sails-react-bootstrap-webpack/compare/v3.1.0...v3.1.1) (2022-09-08)
 
 ### Features

README.md

@@ -8,11 +8,12 @@ Need help? Want to hire me to build your next app or prototype? You can contact
 
 ## Main Features
 
-+ Automatic (incoming) request logging (manual outgoing), via Sails models / hooks.
-+ Setup for Webpack auto-reload dev server.
-+ Setup so Sails will serve Webpack-built bundles as separate apps (so, a marketing site, and an admin site can live side-by-side).
-+ Includes [react-bootstrap](https://www.npmjs.com/package/react-bootstrap) to make using Bootstrap styles / features with React easier.
-+ Schema validation and enforcement for `PRODUCTION`. This repo is set up for `MySQL`. If you plan to use a different datastore, you will likely want to disable the schema validation and enforcement feature inside [`config/bootstrap.js`](config/bootstrap.js). See [schema validation and enforcement](#schema-validation-and-enforcement) for more info.
+* Automatic (incoming) request logging (manual outgoing), via Sails models / hooks.
+* Setup for Webpack auto-reload dev server.
+* Setup so Sails will serve Webpack-built bundles as separate apps (so, a marketing site, and an admin site can live side-by-side).
+* Includes [react-bootstrap](https://www.npmjs.com/package/react-bootstrap) to make using Bootstrap styles / features with React easier.
+* Schema validation and enforcement for `PRODUCTION`. This repo is set up for `MySQL`. If you plan to use a different datastore, you will likely want to disable the schema validation and enforcement feature inside [`config/bootstrap.js`](config/bootstrap.js). See [schema validation and enforcement](#schema-validation-and-enforcement) for more info.
+* Can enforce password creation isn't found in [PwnedPasswords]()
 
 ## Branch Warning
 The `master` branch is experimental, and the [release branch](https://github.com/neonexus/sails-react-bootstrap-webpack/tree/release) (or the [`releases section`](https://github.com/neonexus/sails-react-bootstrap-webpack/releases)) is where one should base their use of this template.
@@ -70,10 +71,10 @@ If you DO NOT like this behavior, and would prefer the variables stay the same a
 |-------------------------------------------------------------------------|-----------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------|
 | ASSETS_URL                                                              | "" (empty string)                                                     | Webpack is configured to modify static asset URLs to point to a CDN, like CloudFront. MUST end with a slash " / ", or be empty. |
 | BASE_URL                                                                | https://myapi.app                                                     | The address of the Sails instance.                                                                                              |
-| **DEV:**&nbsp;&nbsp;&nbsp;&nbsp;DB_HOST<br />**PROD:**&nbsp;DB_HOSTNAME | localhost                                                             | The hostname of the datastore.                                                                                                  |
-| **DEV:**&nbsp;&nbsp;&nbsp;&nbsp;DB_USER<br />**PROD:**&nbsp;DB_USERNAME | **DEV:**&nbsp;&nbsp;&nbsp;&nbsp;root <br /> **PROD:**&nbsp;produser   | Username of the datastore.                                                                                                      |
-| **DEV:**&nbsp;&nbsp;&nbsp;&nbsp;DB_PASS<br />**PROD:**&nbsp;DB_PASSWORD | **DEV:**&nbsp;&nbsp;&nbsp;&nbsp;mypass <br /> **PROD:**&nbsp;prodpass | Password of the datastore.                                                                                                      |
-| DB_NAME                                                                 | **DEV:**&nbsp;&nbsp;&nbsp;&nbsp;myapp <br /> **PROD:**&nbsp;prod      | The name of the database inside the datastore.                                                                                  |
+| &nbsp;&nbsp;&nbsp;**DEV:**&nbsp;DB_HOST<br />**PROD:**&nbsp;DB_HOSTNAME | localhost                                                             | The hostname of the datastore.                                                                                                  |
+| &nbsp;&nbsp;&nbsp;**DEV:**&nbsp;DB_USER<br />**PROD:**&nbsp;DB_USERNAME | &nbsp;&nbsp;&nbsp;**DEV:**&nbsp;root <br /> **PROD:**&nbsp;produser   | Username of the datastore.                                                                                                      |
+| &nbsp;&nbsp;&nbsp;**DEV:**&nbsp;DB_PASS<br />**PROD:**&nbsp;DB_PASSWORD | &nbsp;&nbsp;&nbsp;**DEV:**&nbsp;mypass <br /> **PROD:**&nbsp;prodpass | Password of the datastore.                                                                                                      |
+| DB_NAME                                                                 | &nbsp;&nbsp;&nbsp;**DEV:**&nbsp;myapp <br /> **PROD:**&nbsp;prod      | The name of the database inside the datastore.                                                                                  |
 | DB_PORT                                                                 | 3306                                                                  | The port number for the datastore.                                                                                              |
 | DB_SSL                                                                  | true                                                                  | If the datastore requires SSL, set this to "true".                                                                              |
 | SESSION_SECRET                                                          | "" (empty string)                                                     | Used to sign cookies, and SHOULD be set, especially on PRODUCTION environments.                                                 |
@@ -142,13 +143,13 @@ middleware: {
 
 ### Useful Links
 
-+ [Sails Framework Documentation](https://sailsjs.com/get-started)
-+ [Sails Deployment Tips](https://sailsjs.com/documentation/concepts/deployment)
-+ [Sails Community Support Options](https://sailsjs.com/support)
-+ [Sails Professional / Enterprise Options](https://sailsjs.com/enterprise)
-+ [`react-bootstrap` Documentation](https://react-bootstrap.netlify.app/)
-+ [Webpack Documentation](https://webpack.js.org/)
-+ [Simple data fixtures for testing Sails.js (the npm package `fixted`)](https://www.npmjs.com/package/fixted)
+* [Sails Framework Documentation](https://sailsjs.com/get-started)
+* [Sails Deployment Tips](https://sailsjs.com/documentation/concepts/deployment)
+* [Sails Community Support Options](https://sailsjs.com/support)
+* [Sails Professional / Enterprise Options](https://sailsjs.com/enterprise)
+* [`react-bootstrap` Documentation](https://react-bootstrap.netlify.app/)
+* [Webpack Documentation](https://webpack.js.org/)
+* [Simple data fixtures for testing Sails.js (the npm package `fixted`)](https://www.npmjs.com/package/fixted)
 
 
 ### Version info

api/README.md

@@ -10,7 +10,7 @@ See: [Actions and Controllers](https://sailsjs.com/documentation/concepts/action
 
 ## Helpers
 
-Helpers are generic, reusable functions used by multiple controllers (or hooks, policies, etc).
+Helpers are generic, reusable functions that can be used by controllers, hooks, models, policies, or responses.
 
 See: [Helpers](https://sailsjs.com/documentation/concepts/helpers)
 

api/controllers/admin/create-user.js

@@ -60,7 +60,7 @@ module.exports = {
         let isPasswordValid;
 
         if (inputs.setPassword) {
-            isPasswordValid = sails.helpers.isPasswordValid.with({
+            isPasswordValid = await sails.helpers.isPasswordValid.with({
                 password: inputs.password,
                 user: {firstName: inputs.firstName, lastName: inputs.lastName, email: inputs.email}
             });

api/controllers/admin/delete-user.js

@@ -26,6 +26,10 @@ module.exports = {
     },
 
     fn: async (inputs, exits, env) => {
+        if (inputs.id === env.req.session.user.id) {
+            return exits.badRequest('One does not simply delete themselves...');
+        }
+
         const foundUser = await sails.models.user.findOne({id: inputs.id, deletedAt: null});
 
         if (!foundUser) {

api/controllers/admin/get-deleted-users.js

@@ -0,0 +1,57 @@
+module.exports = {
+    friendlyName: 'Get Deleted Users',
+
+    description: 'Get paginated list of soft-deleted users',
+
+    inputs: {
+        page: {
+            description: 'The page number to return',
+            type: 'number',
+            defaultsTo: 1,
+            min: 1
+        },
+
+        limit: {
+            description: 'The amount of users to return',
+            type: 'number',
+            defaultsTo: 25,
+            min: 1,
+            max: 500
+        }
+    },
+
+    exits: {
+        ok: {
+            responseType: 'ok'
+        },
+        badRequest: {
+            responseType: 'badRequest'
+        },
+        serverError: {
+            responseType: 'serverError'
+        }
+    },
+
+    fn: async (inputs, exits) => {
+        const query = sails.helpers.paginateForQuery.with({
+            limit: inputs.limit,
+            page: inputs.page,
+            where: {
+                deletedAt: {'!=': null} // get all soft-deleted users
+            },
+            sort: [{deletedAt: 'ASC'}, {createdAt: 'DESC'}]
+        });
+
+        let out = await sails.helpers.paginateForJson.with({
+            model: sails.models.user,
+            objToWrap: {users: []}, // this is the object that will be output to "out", and will contain additional pagination info,
+            query
+        });
+
+        // We assign the users to the object afterward, so we can run our safety checks.
+        // Otherwise, if we were to put the users object into "objToWrap", they would be transformed, and the "customToJSON" feature would no longer work, and hashed passwords would leak.
+        out.users = await sails.models.user.find(_.omit(pagination, ['page'])).populate('deletedBy');
+
+        return exits.ok(out);
+    }
+};

api/controllers/admin/get-users.js

@@ -15,7 +15,7 @@ module.exports = {
             description: 'The amount of users to return',
             type: 'number',
             defaultsTo: 25,
-            min: 10,
+            min: 1,
             max: 500
         }
     },
@@ -38,8 +38,6 @@ module.exports = {
             page: inputs.page
         });
 
-        const users = await sails.models.user.find(_.omit(pagination, ['page']));
-
         let out = await sails.helpers.paginateForJson.with({
             model: sails.models.user,
             query: pagination,
@@ -48,7 +46,7 @@ module.exports = {
 
         // We assign the users to the object afterward, so we can run our safety checks.
         // Otherwise, if we were to put the users object into "objToWrap", they would be transformed, and the "customToJSON" feature would no longer work, and hashed passwords would leak.
-        out.users = users;
+        out.users = await sails.models.user.find(_.omit(pagination, ['page']));
 
         return exits.ok(out);
     }

api/controllers/common/login.js

@@ -42,6 +42,8 @@ module.exports = {
             return exits.badRequest(badEmailPass);
         }
 
+        await sails.helpers.isPasswordValid(inputs.password);
+
         if (!await sails.models.user.doPasswordsMatch(inputs.password, foundUser.password)) {
             return exits.badRequest(badEmailPass);
         }
@@ -51,13 +53,6 @@ module.exports = {
             id: 'c', // required, auto-generated
             user: foundUser.id,
             data: {
-                user: {
-                    id: foundUser.id,
-                    firstName: foundUser.firstName,
-                    lastName: foundUser.lastName,
-                    email: foundUser.email,
-                    role: foundUser.role
-                },
                 _csrfSecret: csrf.secret
             }
         }).fetch();

api/helpers/create-log.js

@@ -25,13 +25,11 @@ module.exports = {
 
     fn: function(inputs, exits){
         const user = (inputs.req.session && inputs.req.session.user) ? inputs.req.session.user.id : null,
-            account = (inputs.req.session && inputs.req.session.account) ? inputs.req.session.account.id : null,
             request = (inputs.req.requestId) ? inputs.req.requestId : null;
 
         const newLog = {
             data: inputs.data,
             user,
-            account,
             request,
             description: inputs.description
         };

api/helpers/finalize-request-log.js

@@ -33,7 +33,7 @@ module.exports = {
     fn: async function(inputs, exits) {
         if (inputs.req.requestId) {
             let out = _.merge({}, inputs.body),
-                headers = _.merge({}, inputs.res._headers), // copy the object
+                headers = _.merge({}, inputs.res.getHeaders()), // copy the object
                 bleep = '*******';
 
             if (!sails.config.logSensitiveData) { // a custom configuration option, for the request logger hook