- Security: Minimize XSS vectors by using safer jQuery methods

- Enhancement: Database abstraction layer
- Enhancement: Autocomplete hints
- Enhancement: `localScripts` option for using non-CDN copies
- Enhancement: Use native form validation
- Enhancement: Make `fromText` and `fromURL` of password reset emails
  configurable
- Enhancement: Upon signup, ask for password confirmation
- Enhancement: Require email link verification code (inspired by
  <braitsch#11>)
- Fix: Requiring of `account.js`
- Fix: Pass on CLI args properly
- Fix: Add proper plain text for plain text email
- i18n: Client-side i18n
- Docs: Add Change log for unreleased
- Docs: Indicate planned to-dos
- Docs: Some further CLI documentation
- Refactoring: Further separation of view logic out of controllers
- Refactoring: Switch to Jamilih templates
- Refactoring: Add scripts to head with `defer`
- Refactoring: Use variables in place of selectors where possible
- Linting (ESLint): As per latest ash-nazg
- npm: Update mongodb, jamilih, jsdom, and devDeps

Author: brettz9

.editorconfig

@@ -10,11 +10,3 @@ insert_final_newline = true
 indent_style = space
 indent_size = 2
 trim_trailing_whitespace = true
-
-[app/public/css/**.styl]
-indent_style = tab
-indent_size = 2
-
-[app/server/views/**.pug]
-indent_style = tab
-indent_size = 1

.eslintignore

@@ -1,3 +1,4 @@
 node_modules
 instrumented/**
 coverage/**
+!.ncurc.js

.eslintrc.js

@@ -4,9 +4,6 @@ module.exports = {
       "plugin:node/recommended-script",
       "plugin:cypress/recommended"
     ],
-    "plugins": [
-      "pug"
-    ],
     "env": {
       "es6": true
     },
@@ -46,11 +43,6 @@ module.exports = {
         "ecmaVersion": 2018,
         "sourceType": "module"
       }
-    }, {
-      files: ["*.pug"],
-      rules: {
-        'eol-last': 0
-      }
     }],
     "rules": {
       "import/no-commonjs": 0,

.ncurc.js

@@ -0,0 +1,13 @@
+'use strict';
+
+module.exports = {
+  // Whitelist all for checking besides `peer` which indicates
+  //   somewhat older versions of `eslint` we still support even
+  //   while our devDeps point to a more recent version
+  dep: 'prod,dev,optional,bundle',
+  reject: [
+    // Todo[bootstrap@>4.4.1]: See if updated for css, js, and popper.js at https://github.com/twbs/bootstrap/blob/master/config.yml
+    'bootstrap',
+    'popper.js'
+  ]
+};

.pug-lintrc.js

@@ -1,82 +1,130 @@
-**v1.7.2** –– 11-18-2018
+# CHANGES for node-login
+
+## ?
+
+- Breaking enhancement: Avoid `process.env` (`app.js` accepts CLI now instead)
+- Breaking enhancement: Allow app to pass in own countries list
+- Breaking refactoring: `EmailDispatcher` and `AccountManager` are now classes;
+  routes accepts config
+- Security: Add PBKDF2 hashing (@SCG82)
+- Security: Make "secret" private and configurable; add
+  integrity/cross-origin=anonymous for jquery.form and font-awesome
+  (switching to same CDN); add also for github-fork-ribbon-css, but comment
+  out as not in apparent use
+- Security: Use signed cookie
+- Security: Pass secret to cookie parser as otherwise potentially problematic
+- Security: Rate-limiting (for DoS)
+- Security: Minimize XSS vectors by using safer jQuery methods
+- Fix: Accessibility (except for `color-contrast` whose check we are
+    temporarily disabling until may have time to fix)
+- Fix: Add proper plain text for plain text email
+- Update: Use now required Mongodb APIs
+- Update: CDN for bootstrap (CSS and JS), jquery, popper
+- Enhancement: Database abstraction layer
+- Enhancement: Autocomplete hints
+- Enhancement: More configurabiity
+- Enhancement: i18n (server-side, client-side, and CLI)
+- Enhancement: Make available as binary (with help/version and
+  update-notifier)
+- Enhancement: Add `use strict`
+- Enhancement: `localScripts` option for using non-CDN copies
+- Enhancement: Use native form validation
+- Enhancement: Make `fromText` and `fromURL` of password reset emails
+  configurable
+- Enhancement: Require email link verification code (inspired by
+  <https://github.com/braitsch/node-login/pull/11>)
+- Fix: Requiring of `account.js`
+- Fix: Pass on CLI args properly
+- Docs: Add Change log for unreleased
+- Docs: Indicate planned to-dos
+- Docs: Some further CLI documentation
+- Docs: CLI
+- Linting (ESLint): Apply eslint-config-ash-nazg
+- Refactoring: Destructuring; arrow functions for handlers;
+  utilize succincter stylus features
+- Refactoring: convert further APIs to (async/await) Promises
+- Refactoring: Avoid inline styles
+- Refactoring: Further separation of view logic out of controllers
+- Refactoring: Switch to Jamilih templates
+- Refactoring: Add scripts to head with `defer`
+- Refactoring: Use variables in place of selectors where possible
+- Linting (ESLint): As per latest ash-nazg
+- Testing: Cypress testing, including axe accessibility testing;
+  add sourcemaps to stylus; coverage
+- Maintenance: Add `.editorconfig`
+- npm: Mongodb and server start scripts
+- npm: Add recommended `package.json` fields; allow Node >= 10.4.0 in `engines`
+- npm: Update deps and devDeps
+
+## v1.7.2 –– 11-18-2018
+
+- auto-login & password-reset now validating against UUIDs and the user's last recorded IP address
+
+## v1.7.1 –– 11-18-2018
+
+- updating mongodb calls to latest driver
+- [fix for #12](https://github.com/braitsch/node-login/pull/12)
+
+## v1.7.0 –– 11-18-2018
+
+- updated dependencies to latest versions
+- bootstrap v4.1.3 & jquery v3.3.1
+- style.css completely rewritten
+- [fix for #36](https://github.com/braitsch/node-login/issues/36)
+
+## v1.6.0 –– 06-10-2018
+
+- updated dependencies to latest versions
+- updated mongodb connection scheme
+- replaced jade templating engine with pug
+
+## v1.5.0 –– 04-21-2016
+
+- redesigned login window
+- improved error handling on password reset
+- updating client side libraries:
+  - jQuery –– v2.2.3
+  - jQuery.form –– v3.51.0
+  - Twitter Bootstrap –– v3.3.6
+
+## v1.4.1 –– 02-27-2016
+
+- calls to logout now route to /logout instead of /home
+- accounts are now looked up by session.id instead of username
+- reset-password modal window fixes
+- updating emailjs to v1.0.4
+- switching to environment variables for email settings
+
+## v1.4.0 –– 06-14-2015
+
+- updating to Express v4.12.4
+- adding connect-mongo for db session store
+
+## v1.3.2 –– 03-11-2013
+
+- fixed bug on password reset
+
+## v1.3.1 –– 03-07-2013
+
+- adding MIT license
+
+## v1.3.0 –– 01-10-2013
+
+- updating to Express v3.0.6
+
+## v1.2.1 –– 01-03-2013
 
-* auto-login & password-reset now validating against UUIDs and the user's last recorded IP address
+- moving vendor libs to /public/vendor
 
-**v1.7.1** –– 11-18-2018
+## v1.2.0 –– 12-27-2012
 
-* updating mongodb calls to latest driver
-* [fix for #12](https://github.com/braitsch/node-login/pull/12)
+- updating MongoDB driver to 1.2.7
+- replacing bcrypt module with native crypto
 
-**v1.7.0** –– 11-18-2018
+## v1.1.0 –– 08-12-2012
 
-* updated dependencies to latest versions
-* bootstrap v4.1.3 & jquery v3.3.1
-* style.css completely rewritten
-* [fix for #36](https://github.com/braitsch/node-login/issues/36)
+- adding /print & /reset methods
 
-**v1.6.0** –– 06-10-2018
+## v1.0.0 –– 08-07-2012
 
-* updated dependencies to latest versions
-* updated mongodb connection scheme
-* replaced jade templating engine with pug
-
-**v1.5.0** –– 04-21-2016
-
-* redesigned login window
-* improved error handling on password reset
-* updating client side libraries: 
-	* jQuery –– v2.2.3
-	* jQuery.form –– v3.51.0
-	* Twitter Bootstrap –– v3.3.6
-
-**v1.4.1** –– 02-27-2016
-
-* calls to logout now route to /logout instead of /home
-* accounts are now looked up by session.id instead of username
-* reset-password modal window fixes
-* updating emailjs to v1.0.4
-* switching to environment variables for email settings
-
---
-**v1.4.0** –– 06-14-2015
-
-* updating to Express v4.12.4
-* adding connect-mongo for db session store 
-
---
-**v1.3.2** –– 03-11-2013
-
-* fixed bug on password reset
-
---
-**v1.3.1** –– 03-07-2013
-
-* adding MIT license
-
---
-**v1.3.0** –– 01-10-2013
-
-* updating to Express v3.0.6
-
---
-**v1.2.1** –– 01-03-2013
-
-* moving vendor libs to /public/vendor
-
---
-**v1.2.0** –– 12-27-2012
-
-* updating MongoDB driver to 1.2.7
-* replacing bcrypt module with native crypto
-
---
-**v1.1.0** –– 08-12-2012
-
-* adding /print & /reset methods
-
---
-**v1.0.0** –– 08-07-2012
-
-* initial release
-
---
+- initial release

CHANGES.md

@@ -4,12 +4,12 @@
 
 ### A basic account management system built in Node.js with the following features:
 
-* New User Account Creation
-* Secure Password Reset via Email
-* Ability to Update / Delete Account
-* Session Tracking for Logged-In Users
-* Local Cookie Storage for Returning Users
-* Blowfish-based Scheme Password Encryption
+- New User Account Creation
+- Secure Password Reset via Email
+- Ability to Update / Delete Account
+- Session Tracking for Logged-In Users
+- Local Cookie Storage for Returning Users
+- Blowfish-based Scheme Password Encryption
 
 ## Live Demo
 
@@ -23,17 +23,23 @@ For testing purposes you can view a [database dump of all accounts here](https:/
 
 2. Clone this repository and install its dependencies.
 
-		> git clone git://github.com/braitsch/node-login.git node-login
-		> cd node-login
-		> npm install
+```sh
+git clone git://github.com/braitsch/node-login.git node-login
+cd node-login
+npm install
+```
 
 3. In a separate shell start MongoDB.
 
-		> mongod
+```sh
+mongod
+```
 
 4. From within the node-login directory start the server.
 
-		> node app
+```sh
+node app
+```
 
 5. Open a browser window and navigate to: [http://localhost:3000](http://localhost:3000)
 
@@ -43,9 +49,11 @@ To enable the password retrieval feature it is recommended that you create envir
 
 To do this on OSX you can simply add them to your `.profile` or `.bashrc` file.
 
-	export NL_EMAIL_HOST='smtp.gmail.com'
-	export NL_EMAIL_USER='your.email@gmail.com'
-	export NL_EMAIL_PASS='1234'
+```sh
+export NL_EMAIL_HOST='smtp.gmail.com'
+export NL_EMAIL_USER='your.email@gmail.com'
+export NL_EMAIL_PASS='1234'
+```
 
 [![node-login](./readme_includes/retrieve-password.jpg?raw=true)](https://nodejs-login.herokuapp.com)
 
@@ -74,3 +82,44 @@ On the Mac, you can follow these steps to resolve:
 ## Contributing
 
 Questions and suggestions for improvement are welcome.
+
+## To-dos
+
+1. **Testing** coverage:
+    1. Try to get testing coverage between client and server integrated,
+        so can see any total missing coverage
+    1. Specific issues
+        1. Figure out why `print` page still shows an account upon (first)
+            deletion
+        1. Get validation to reset on change or input events
+    1. Get to 100% coverage
+1. Update **docs** above
+
+1. Role-based **privileges** (esp. for reset/delete!) with **admin screens**
+    1. Groups allowing multiple roles, including user-customizable ones in
+        addition to built-in ones such as login
+    1. See to-dos in code for methods needing these!
+    1. Update docs for any privilege additions/config
+
+1. **Theme switching**?
+1. Publish **release**
+
+## Medium priorities
+
+1. **Captchas** ([svg-captcha](https://www.npmjs.com/package/svg-captcha)
+  (doesn't use easily breakable SVG text, and could convert to image))
+1. **Security** CSRF protection
+1. Provide **option for integration** within an existing page to avoid need
+    for separate login page
+1. See about **`passport-next`** integration
+1. **BrowserID** - Implement browser add-on (or work with existing Persona)
+    to use with a server-side validation
+1. Link to **resend verification**
+
+## Lower priorities
+
+1. Switch from `jsdom` to **`dominum`** (once latter may be capable) and add
+    tests within `jamilih` for the integration
+1. See about minor **to-dos in code** along the way
+1. Review **client-side validation** for any other opportunities (e.g., for
+    any missing `required` fields, etc.)