neonexus
diff --git a/‎CHANGELOG.md
Lines changed: 22 additions & 3 deletions b/‎CHANGELOG.md
Lines changed: 22 additions & 3 deletions
diff --git a/‎README.md
Lines changed: 48 additions & 20 deletions b/‎README.md
Lines changed: 48 additions & 20 deletions
diff --git a/‎api/controllers/README.md
Lines changed: 5 additions & 0 deletions b/‎api/controllers/README.md
Lines changed: 5 additions & 0 deletions
diff --git a/‎api/controllers/admin/create-api-token.js
Lines changed: 6 additions & 2 deletions b/‎api/controllers/admin/create-api-token.js
Lines changed: 6 additions & 2 deletions
diff --git a/‎api/controllers/admin/create-user.js
Lines changed: 8 additions & 7 deletions b/‎api/controllers/admin/create-user.js
Lines changed: 8 additions & 7 deletions
diff --git a/‎api/controllers/common/change-password.js
Lines changed: 67 additions & 0 deletions b/‎api/controllers/common/change-password.js
Lines changed: 67 additions & 0 deletions
diff --git a/‎api/controllers/common/enable-2fa.js
Lines changed: 44 additions & 0 deletions b/‎api/controllers/common/enable-2fa.js
Lines changed: 44 additions & 0 deletions
@@ -1,12 +1,31 @@
 # Changelog
 
+## [v4.2.0](https://github.com/neonexus/sails-react-bootstrap-webpack/compare/v4.1.1...v4.2.0) (2023-03-19)
+### Features
+
+* Built 2FA (2-Factor Authentication) capabilities.
+* Added `createdBy` to the [`User`](api/models/User.js) model.
+* Built session expiration handling.
+* Built password changing modal / API.
+* Made session data saving automatic, and work with both sessions / API tokens.
+* Fixed some README quirks.
+* Updated React links to use their new domain.
+* Updated dependencies.
+
+### Breaking Changes
+
+* Moved CSRF secret storage from the `data` column, to its own column, so it can easily be encrypted/decrypted in the [`Session`](api/models/Session.js) model.
+* Changed how API tokens are handled. So now, when using an API token, the ID must be given first, then the token, seperated by a colon.<br />Example: `Authorization` header is: `tokenID:apiToken` (or `Bearer tokenID:apiToken`).
+* Renamed `sails.helpers.updateCsrf` -> `sails.helpers.updateCsrfAndExpiry` to reflect the session expiry update.
+
 ## [v4.1.1](https://github.com/neonexus/sails-react-bootstrap-webpack/compare/v4.1.0...v4.1.1) (2023-03-14)
 ### Features
 
-* Fixed a stupid mistake in `api/controllers/get-users.js`.
+* Fixed a stupid mistake in [`api/controllers/admin/get-users.js`](api/controllers/admin/get-users.js).
 * Updated dependencies.
 
 ## [v4.1.0](https://github.com/neonexus/sails-react-bootstrap-webpack/compare/v4.0.1...v4.1.0) (2023-03-13)
+
 ### Features
 
 * Alphabetized the scripts in `package.json`.
@@ -48,7 +67,7 @@
 
 ### Breaking Changes
 
-* Renamed tests entry point (`hooks.js` -> `startTests.js`).
+* Renamed tests entry point (`test/hooks.js` -> `test/startTests.js`).
 
 ## [v3.2.1](https://github.com/neonexus/sails-react-bootstrap-webpack/compare/v3.2.0...v3.2.1) (2022-11-16)
 
@@ -119,7 +138,7 @@
 
 ### Breaking Changes
 
-* Updated to React v18. See: [the upgrade guide to React 18](https://reactjs.org/blog/2022/03/08/react-18-upgrade-guide.html).
+* Updated to React v18. See: [the upgrade guide to React 18](https://react.dev/blog/2022/03/08/react-18-upgrade-guide).
 * Updated to React Router DOM v6. See: [the v5 -> v6 migration guide](https://reactrouter.com/docs/en/v6/upgrading/v5). This requires a **MAJOR** overhaul of how routes are handled.
 * Moved some controllers into a "common" folder, instead of the "admin" folder (as they could be used outside of admin controls).
 
 
@@ -3,7 +3,7 @@
 [![Travis CI status](https://app.travis-ci.com/neonexus/sails-react-bootstrap-webpack.svg?branch=release)](https://app.travis-ci.com/github/neonexus/sails-react-bootstrap-webpack)
 
 This is an opinionated base [Sails v1](https://sailsjs.com) application, using [Webpack](https://webpack.js.org) to handle [Bootstrap](https://getbootstrap.com) (using [SASS](https://sass-lang.com))
-and [React](https://reactjs.org) builds. It is designed such that, one can build multiple React frontends (an admin panel, and a customer site maybe), that use the same API backend. This allows
+and [React](https://react.dev) builds. It is designed such that, one can build multiple React frontends (an admin panel, and a customer site maybe), that use the same API backend. This allows
 developers to easily share React components across different frontends / applications. Also, because the backend and frontend are in the same repo (and the frontend is compiled before it is handed to
 the end user), they can share [NPM](http://npmjs.com) libraries, like [Moment.js](https://momentjs.com)
 
@@ -46,6 +46,7 @@ Gitter: [![Join the chat at https://gitter.im/sails-react-bootstrap-webpack/comm
   feature inside [`config/bootstrap.js`](config/bootstrap.js). See [schema validation and enforcement](#schema-validation-and-enforcement) for more info.
 * New passwords will be checked against the [PwnedPasswords API](https://haveibeenpwned.com/API/v3#PwnedPasswords). If there is a single hit for the password, an error will be given, and the user will
   be forced to choose another. See [PwnedPasswords integration](#pwnedpasswordscom-integration) for more info.
+* Google Authenticator-style OTP (One-Time Password) functionality.
 
 ## Branch Warning
 
@@ -58,25 +59,25 @@ the [`releases section`](https://github.com/neonexus/sails-react-bootstrap-webpa
 
 ## Current Dependencies
 
-* [Sails](https://sailsjs.com/) **v1**
-* [React](https://reactjs.org/) **v18**
-* [React Router](https://reactrouter.com/) **v6**
-* [Bootstrap](https://getbootstrap.com/) **v5**
-* [React-Bootstrap](https://react-bootstrap.github.io/) **v2**
-* [Webpack](https://webpack.js.org/) **v5**
+* [Sails](https://sailsjs.com) **v1**
+* [React](https://react.dev) **v18**
+* [React Router](https://reactrouter.com) **v6**
+* [Bootstrap](https://getbootstrap.com) **v5**
+* [React-Bootstrap](https://react-bootstrap.github.io) **v2**
+* [Webpack](https://webpack.js.org) **v5**
 
 See the [`package.json` for more details](package.json).
 
 ## How to Use
 
-This repo is not installable via `npm`. Instead, GitHub provides a handy "Use this template" (green) button at the top of this page. That will create a special fork of this repo (so there is a single,
+This repo is not installable via `npm`. Instead, GitHub provides a handy "Use this template" (green) button at the top of this page. That will create a special clone of this repo (so there is a single,
 init commit, instead of the commit history from this repo).
 
 ## Configuration
 
 In the `config` folder, there is the [`local.js.sample`](config/local.js.sample) file, which is meant to be copied to `local.js`. This file (`local.js`, not the sample) is ignored by Git, and intended
 for use in local development, NOT remote servers. Generally one would use environment variables for remote server configuration (and this repo is already setup to handle environment variable
-configuration for both DEV and PROD). See: [config/env/development.js](config/env/development.js) and [config/env/production.js](config/env/production.js).
+configuration for both DEV and PROD). See [Environment Variables](#environment-variables) for more.
 
 ### Custom Configuration Options
 
@@ -94,11 +95,40 @@ option. If the option path is `sails.config.security.checkPwnedPasswords`, then
 
 ... to your `config/local.js` to overwrite the option on your local machine only.
 
-| Option Name (`sails.config.`)             | Initially Defined In                                                                                                                                                     | Default | Description                                                                                                                                                                                                                                                                              |
-|-------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `models.validateOnBootstrap`              | [`config/bootstrap.js`](config/bootstrap.js)                                                                                                                             | `true`  | When enabled, and `models.migrate === 'safe'` (aka PRODUCTION), then the SQL schemas of the default datastore will be validated against the model definitions. <br /><br />See [schema validation and enforcement](#schema-validation-and-enforcement) for more info.                    |
-| `security.checkPwnedPasswords`            | [`config/security.js`](config/security.js)                                                                                                                               | `true`  | When enabled, [`sails.helpers.isPasswordValid()`](api/helpers/is-password-valid.js) will run it's normal checks, before checking with the PwnedPasswords.com API to verify the password has not been found in a known security breach. If it has, it will consider the password invalid. |
-| `security.requestLogger.logSensitiveData` | [`config/security.js`](config/security.js) <br /> [`config/env/development.js`](config/env/development.js) <br /> [`config/env/production.js`](config/env/production.js) | `false` | If enabled, and NOT a PRODUCTION environment, the [request logger](#request-logging) will log sensitive info, such as passwords. <br /><br /> This will ALWAYS be false on PRODUCTION. It is in the PRODUCTION configuration file only as a reminder.                                    |
+<table>
+    <thead>
+        <tr>
+            <th>Option Name (<code>sails.config.</code>)</th>
+            <th>Initially Defined In</th>
+            <th>Default</th>
+            <th>Description</th>
+        </tr>
+    </thead>
+    <tbody>
+        <tr>
+            <td><code>models.validateOnBootstrap</code></td>
+            <td><a href="/neonexus/sails-react-bootstrap-webpack/blob/release/config/bootstrap.js"><code>config/bootstrap.js</code></a></td>
+            <td><code>true</code></td>
+            <td>When enabled, and <code>models.migrate === 'safe'</code> (aka PRODUCTION), then the SQL schemas of the default datastore will be validated against the model definitions. <br><br>See <a href="#schema-validation-and-enforcement">schema validation and enforcement</a> for more info.</td>
+        </tr>
+        <tr>
+            <td><code>security.checkPwnedPasswords</code></td>
+            <td><a href="/neonexus/sails-react-bootstrap-webpack/blob/release/config/security.js"><code>config/security.js</code></a></td>
+            <td><code>true</code></td>
+            <td>When enabled, <a href="/neonexus/sails-react-bootstrap-webpack/blob/release/api/helpers/is-password-valid.js"><code>sails.helpers.isPasswordValid()</code></a> will run it's normal checks, before checking with the PwnedPasswords.com API to verify the password has not been found in a known security breach. If it has, it will consider the password invalid.</td>
+        </tr>
+        <tr>
+            <td>
+                <code>security.</code><br/>
+                <code>requestLogger.</code><br/>
+                <code>logSensitiveData</code>
+            </td>
+            <td><a href="/neonexus/sails-react-bootstrap-webpack/blob/release/config/security.js"><code>config/security.js</code></a> <br> <a href="/neonexus/sails-react-bootstrap-webpack/blob/release/config/env/development.js"><code>config/env/development.js</code></a> <br> <a href="/neonexus/sails-react-bootstrap-webpack/blob/release/config/env/production.js"><code>config/env/production.js</code></a></td>
+            <td><code>false</code></td>
+            <td>If enabled, and NOT a PRODUCTION environment, the <a href="#request-logging">request logger</a> will log sensitive info, such as passwords. <br><br> This will ALWAYS be false on PRODUCTION. It is in the PRODUCTION configuration file only as a reminder.</td>
+        </tr>
+    </tbody>
+</table>
 
 ### Want to configure the `X-Powered-By` header?
 
@@ -322,9 +352,7 @@ middleware: {
         'favicon'       // default hook to serve favicon
     ],
 
-        prerender
-:
-    require('prerender-node').set('prerenderToken', 'YOUR_TOKEN')
+        prerender: require('prerender-node').set('prerenderToken', 'YOUR_TOKEN')
 
 }
 ```
@@ -335,9 +363,9 @@ middleware: {
 * [Sails Deployment Tips](https://sailsjs.com/documentation/concepts/deployment)
 * [Sails Community Support Options](https://sailsjs.com/support)
 * [Sails Professional / Enterprise Options](https://sailsjs.com/enterprise)
-* [`react-bootstrap` Documentation](https://react-bootstrap.netlify.app/)
-* [Webpack Documentation](https://webpack.js.org/)
-* [React Documentation](https://beta.reactjs.org/)
+* [`react-bootstrap` Documentation](https://react-bootstrap.netlify.app)
+* [Webpack Documentation](https://webpack.js.org)
+* [React Documentation](https://react.dev)
 * [Bootstrap Documentation](https://getbootstrap.com/docs/5.3/getting-started/introduction/)
 * [Simple data fixtures for testing Sails.js (the npm package `fixted`)](https://www.npmjs.com/package/fixted)
 
 
@@ -0,0 +1,5 @@
+# Controllers
+
+Here is where all of our API actions live. A controller in this context is a folder, and an action of the controller is an individual file. Each action is using the new "actions2" style, as opposed to the classic.
+
+See: https://sailsjs.com/documentation/concepts/actions-and-controllers
@@ -14,11 +14,15 @@ module.exports = {
     fn: async (inputs, exits, env) => {
         const newToken = await sails.models.apitoken.create({
             id: 'c', // required, auto-generated
-            user: env.req.session.user.id
-        }).fetch();
+            user: env.req.session.user.id,
+            token: sails.helpers.generateToken(),
+            data: {} // Used to store things that are temporary, or only apply to this session.
+        }).fetch().decrypt();
 
         return exits.created({
+            id: newToken.id,
             token: newToken.token,
+            header: 'Bearer ' + newToken.id + ':' + newToken.token,
             __skipCSRF: true // this tells our "created" response to ignore the CSRF token update
         });
     }
 
@@ -45,7 +45,7 @@ module.exports = {
     },
 
     exits: {
-        ok: {
+        created: {
             responseType: 'created'
         },
         badRequest: {
@@ -56,7 +56,7 @@ module.exports = {
         }
     },
 
-    fn: async (inputs, exits) => {
+    fn: async (inputs, exits, env) => {
         let password = inputs.password;
         let isPasswordValid;
 
@@ -69,7 +69,7 @@ module.exports = {
             isPasswordValid = true;
             password = sails.helpers.generateToken().substring(0, 42);
 
-            // should probably send password somehow; it will be scrubbed in the custom response
+            // should probably send password somehow; it will be scrubbed in the custom response (would be hashed anyway...)
         }
 
         if (isPasswordValid !== true) {
@@ -88,8 +88,9 @@ module.exports = {
             lastName: inputs.lastName,
             password,
             role: inputs.role,
-            email: inputs.email
-        }).meta({fetch: true}).exec((err, newUser) => {
+            email: inputs.email,
+            createdBy: env.req.session.user.id
+        }).fetch().exec((err, user) => {
             /* istanbul ignore if */
             if (err) {
                 console.error(err);
@@ -98,10 +99,10 @@ module.exports = {
             }
 
             /**
-             * We should probably email the new user their new account info here if the password was generated (!inputs.setPassword)...
+             * TODO: We should probably email the new user their new account info here if the password was generated (!inputs.setPassword)...
              */
 
-            return exits.ok({user: newUser});
+            return exits.created({user});
         });
     }
 };
@@ -0,0 +1,67 @@
+module.exports = {
+    friendlyName: 'Change Password',
+
+    description: 'Change password of currently logged-in user.',
+
+    inputs: {
+        currentPassword: {
+            type: 'string',
+            maxLength: 70,
+            required: true
+        },
+
+        newPassword: {
+            type: 'string',
+            maxLength: 70,
+            required: true
+        },
+
+        confirmPassword: {
+            type: 'string',
+            maxLength: 70,
+            required: true
+        }
+    },
+
+    exits: {
+        ok: {
+            responseType: 'ok'
+        },
+        badRequest: {
+            responseType: 'badRequest'
+        }
+    },
+
+    fn: async (inputs, exits, env) => {
+        if (inputs.newPassword !== inputs.confirmPassword) {
+            return exits.badRequest('New passwords do not match.');
+        }
+
+        if (inputs.currentPassword === inputs.newPassword) {
+            return exits.badRequest('New password can\'t be the same as the old password.');
+        }
+
+        const foundUser = await sails.models.user.findOne({id: env.req.session.user.id});
+
+        /* istanbul ignore if */
+        if (!foundUser) {
+            console.error('Could NOT find user while changing password!');
+
+            return exits.serverError('Unknown error occurred. Please contact support.');
+        }
+
+        if (!await sails.models.user.doPasswordsMatch(inputs.currentPassword, foundUser.password)) {
+            return exits.badRequest('Current password is incorrect.');
+        }
+
+        const isPasswordValid = await sails.helpers.isPasswordValid(inputs.newPassword, false, foundUser);
+
+        if (isPasswordValid !== true) {
+            return exits.badRequest(isPasswordValid);
+        }
+
+        await sails.models.user.update({id: env.req.session.user.id}).set({password: inputs.newPassword});
+
+        return exits.ok();
+    }
+};
@@ -0,0 +1,44 @@
+const {authenticator} = require('otplib');
+const qrcode = require('qrcode');
+
+module.exports = {
+    friendlyName: 'Enable 2-Factor Authentication',
+
+    description: 'Enable 2FA (2-Factor Authentication) for the current user.',
+
+    inputs: {},
+
+    exits: {
+        ok: {
+            responseType: 'ok'
+        },
+        badRequest: {
+            responseType: 'badRequest'
+        }
+    },
+
+    fn: async (inputs, exits, env) => {
+        const secret = authenticator.generateSecret();
+        const image = await qrcode.toDataURL(authenticator.keyuri(env.req.session.user.email, 'My Service', secret));
+
+        const foundOTP = await sails.models.otp.findOne({user: env.req.session.user.id});
+
+        if (foundOTP) {
+            if (foundOTP.isEnabled) {
+                return exits.badRequest('OTP is already enabled.');
+            }
+
+            await sails.models.otp.update(foundOTP.id).set({secret});
+
+            return exits.ok({secret, image});
+        }
+
+        await sails.models.otp.create({
+            id: 'c', // required, auto-generated
+            user: env.req.session.user.id,
+            secret: secret
+        });
+
+        return exits.ok({secret, image});
+    }
+};