A few more tweaks before we update.

Author: neonexus

.idea/dictionaries/neonexusdemortis.xml

@@ -1,12 +1,14 @@
 # Changelog
 
-## [v3.1.2](https://github.com/neonexus/sails-react-bootstrap-webpack/compare/v3.1.1...v3.1.2) (2022-10-24)
+## [v3.2.0](https://github.com/neonexus/sails-react-bootstrap-webpack/compare/v3.1.1...v3.2.0) (2022-11-16)
 
 ### Features
 
 * Built out PnwedPasswords.com (HaveIBeenPwned.com) API functionality into `is-password-valid` helper.
+  * Can be disabled in [config/security.js](config/security.js).
 * FINALLY removed the usage of `res._headers`, so no more annoying deprecation message.
 * Simplified stored session data.
+* Updated dependencies.
 
 ## [v3.1.1](https://github.com/neonexus/sails-react-bootstrap-webpack/compare/v3.1.0...v3.1.1) (2022-09-08)
 

CHANGELOG.md

@@ -1,4 +1,4 @@
-FROM node:16.17
+FROM node:18.12
 MAINTAINER NeoNexus DeMortis
 
 RUN apt-get update && apt-get upgrade -y
@@ -22,7 +22,7 @@ COPY assets /var/www/myapp/assets
 COPY webpack /var/www/myapp/webpack
 RUN npm run build
 
-# Copy the reset of the app
+# Copy the rest of the app
 COPY . /var/www/myapp/
 
 # Expose the compiled public assets, so Nginx can route to them, instead of using Sails to do the file serving.

Dockerfile

@@ -13,7 +13,7 @@ Need help? Want to hire me to build your next app or prototype? You can contact
 * Setup so Sails will serve Webpack-built bundles as separate apps (so, a marketing site, and an admin site can live side-by-side).
 * Includes [react-bootstrap](https://www.npmjs.com/package/react-bootstrap) to make using Bootstrap styles / features with React easier.
 * Schema validation and enforcement for `PRODUCTION`. This repo is set up for `MySQL`. If you plan to use a different datastore, you will likely want to disable the schema validation and enforcement feature inside [`config/bootstrap.js`](config/bootstrap.js). See [schema validation and enforcement](#schema-validation-and-enforcement) for more info.
-* Can enforce password creation isn't found in [PwnedPasswords]()
+* New passwords can be checked against the [PwnedPasswords API](https://haveibeenpwned.com/API/v3#PwnedPasswords). If there is a single hit for the password, an error will be given, and the user will be forced to choose another. See [PwnedPasswords integration](#pwnedpasswordscom-integration) for more info.
 
 ## Branch Warning
 The `master` branch is experimental, and the [release branch](https://github.com/neonexus/sails-react-bootstrap-webpack/tree/release) (or the [`releases section`](https://github.com/neonexus/sails-react-bootstrap-webpack/releases)) is where one should base their use of this template.
@@ -116,6 +116,11 @@ module.exports.bootstrap = function(next) {
 };
 ```
 
+## PwnedPasswords.com Integration
+When a new password is being created, it is checked with the [PwnedPasswords.com API](https://haveibeenpwned.com/API/v3#PwnedPasswords). This API uses a k-anonymity model, so the password that is searched for is never exposed to the API. Basically, the password is hashed, then the first 5 characters are sent to the API, and the API returns any hashes that start with those 5 characters, including the amount of times that hash (aka password) has been found in known security breaches.
+
+This functionality is turned on by default, and can be shutoff per-use, or globally throughout the app. `sails.helpers.isPasswordValid` can be used with `skipPwned` option set to `true`, to disable the check per use. Inside of [`config/security.js`](config/security.js), the variable `checkPwned` can be set to `false` to disable it globally.
+
 ## What about SEO?
 I recommend looking at [prerender.io](https://prerender.io). They offer a service (free up to 250 pages) that caches the end result of a JavaScript-rendered view (React, Vue, Angular), allowing search engines to crawl otherwise un-crawlable web views. You can use the service in a number of ways. One way, is to use the [prerender-node](https://www.npmjs.com/package/prerender-node) package. To use it with Sails, you'll have to add it to the [HTTP Middleware](https://sailsjs.com/documentation/concepts/middleware#?http-middleware). Here's a quick example:
 

README.md

@@ -0,0 +1,102 @@
+module.exports = {
+    friendlyName: 'Edit User',
+
+    description: 'Edit an active user.',
+
+    inputs: {
+        id: {
+            type: 'string',
+            required: true,
+            isUUID: true
+        },
+
+        firstName: {
+            type: 'string',
+            required: true,
+            maxLength: 70
+        },
+
+        lastName: {
+            type: 'string',
+            required: true,
+            maxLength: 70
+        },
+
+        password: {
+            type: 'string',
+            maxLength: 70
+        },
+
+        email: {
+            type: 'string',
+            isEmail: true,
+            required: true,
+            maxLength: 191
+        },
+
+        role: {
+            type: 'string',
+            defaultsTo: 'user',
+            isIn: [
+                'user',
+                'admin'
+            ]
+        },
+
+        setPassword: {
+            type: 'boolean',
+            defaultsTo: true
+        }
+    },
+
+    exits: {
+        ok: {
+            responseType: 'created'
+        },
+        badRequest: {
+            responseType: 'badRequest'
+        },
+        serverError: {
+            responseType: 'serverError'
+        }
+    },
+
+    fn: async (inputs, exits) => {
+        let isPasswordValid = true;
+        const foundUser = await sails.models.user.findOne({id: inputs.id});
+
+        if (!foundUser) {
+            return exits.badRequest('There is no user with that ID.');
+        }
+
+        if (foundUser.deletedAt !== null) {
+            return exits.badRequest('This user has been deleted, and can not be edited until reactivated.');
+        }
+
+        if (inputs.setPassword) {
+            isPasswordValid = await sails.helpers.isPasswordValid.with({
+                password: inputs.password,
+                user: {firstName: inputs.firstName, lastName: inputs.lastName, email: inputs.email}
+            });
+        }
+
+        if (isPasswordValid !== true) {
+            return exits.badRequest(isPasswordValid);
+        }
+
+        let updatedUser = {
+            firstName: inputs.firstName,
+            lastName: inputs.lastName,
+            role: inputs.role,
+            email: inputs.email
+        };
+
+        if (inputs.setPassword) {
+            updatedUser.password = inputs.password;
+        }
+
+        const user = await sails.models.user.updateOne({id: inputs.id}).set(updatedUser);
+
+        return exits.ok({user});
+    }
+};

api/controllers/admin/edit-user.js

@@ -39,7 +39,7 @@ module.exports = {
             where: {
                 deletedAt: {'!=': null} // get all soft-deleted users
             },
-            sort: [{deletedAt: 'ASC'}, {createdAt: 'DESC'}]
+            sort: 'deletedAt DESC'
         });
 
         let out = await sails.helpers.paginateForJson.with({
@@ -50,7 +50,7 @@ module.exports = {
 
         // We assign the users to the object afterward, so we can run our safety checks.
         // Otherwise, if we were to put the users object into "objToWrap", they would be transformed, and the "customToJSON" feature would no longer work, and hashed passwords would leak.
-        out.users = await sails.models.user.find(_.omit(pagination, ['page'])).populate('deletedBy');
+        out.users = await sails.models.user.find(_.omit(query, ['page'])).populate('deletedBy');
 
         return exits.ok(out);
     }

api/controllers/admin/get-deleted-users.js

@@ -36,14 +36,17 @@ module.exports = {
         }
 
         const badEmailPass = 'Bad email / password combination.';
+
+        if (await sails.helpers.isPasswordValid.with({password: inputs.password, skipPwned: true}) !== true) {
+            return exits.badRequest(badEmailPass);
+        }
+
         const foundUser = await sails.models.user.findOne({email: inputs.email, deletedAt: null});
 
         if (!foundUser) {
             return exits.badRequest(badEmailPass);
         }
 
-        await sails.helpers.isPasswordValid(inputs.password);
-
         if (!await sails.models.user.doPasswordsMatch(inputs.password, foundUser.password)) {
             return exits.badRequest(badEmailPass);
         }

api/controllers/common/login.js

@@ -90,13 +90,15 @@ module.exports = {
                     }
 
                     if (res.text && res.text.length) {
-                        const chunks = res.text.replaceAll('\r', '').split('\n');
+                        const chunks = res.text.split('\r\n');
                         const matches = chunks.filter(s => s.includes(passChunk2));
 
                         if (matches.length) {
                             const bits = matches[0].split(':');
 
-                            return exits.success(['Provided password has been found in ' + bits[1] + ' known breaches. Please choose a new one for safety. We HIGHLY recommend using a password manager!']);
+                            return exits.success(
+                                ['Provided password has been found in ' + bits[1] + ' known security breaches. Please choose a new one for safety. We HIGHLY recommend using a password manager!']
+                            );
                         }
 
                         return exits.success(true);

api/helpers/is-password-valid.js

@@ -11,7 +11,7 @@ module.exports = {
             // this is a custom validator, which returns true or false
             custom: (thisQuery) => (
                 _.isObject(thisQuery) && _.isNumber(thisQuery.limit) &&
-                _.isNumber(thisQuery.page) && _.isString(thisQuery.sort) &&
+                _.isNumber(thisQuery.page) && (_.isString(thisQuery.sort) || _.isArray(thisQuery.sort)) &&
                 _.isObject(thisQuery.where)
             )
         },

api/helpers/paginate-for-json.js

@@ -15,8 +15,11 @@ module.exports = {
             defaultsTo: 25
         },
         sort: {
-            type: 'string',
-            defaultsTo: 'createdAt DESC'
+            type: 'ref',
+            defaultsTo: 'createdAt DESC',
+            custom: (val) => { // custom validator
+                return _.isString(val) || _.isArray(val);
+            }
         },
         where: {
             type: 'ref', // JavaScript reference to an object