Idea proposed by @sparshy #1204
Suggestions, rules and tests from Trustroots @simison
Added validations on user server model
Added client side validations
Added relevant tests on user server tests
Added relevant tests on user e2e tests
Fixes#1204
Fixes an issue with an empty/missing/null Email coming from GitHub's
OAuth call response.
Also, introduces the `sparse` index option on the User model's Email
field. This will ensure that we can have multiple User documents without
the Email field.
Adds a server-side User model test for the sparse index setting on the
email field.
Confirms that User documents without the email field are not indexed,
illustrating the sparse option on the schema's email field works
properly.
Added the dropdb task to the Gulp test:client & test:server tasks, to
ensure we have a clean database & that any indexes are rebuilt; this
will ensure any Schema changes (in this case the email index is rebuilt using
the sparse index option) are reflected when the database is started again.
Added a UPGRADE.md for tracking important upgrade information for our
user's to be aware of, when we introduce potentially breaking changes.
Included an explanation of the Sparse index being added, and how to apply it
to an existing MEANJS application's database.
Adds a script for dropping the `email` field's index from the User
collection.
Related #1145
Changed some bad comments referencing the Articles module in other modules.
Typo fixed in xxx.client.modules.js files ("Application" => "Applicaion")
Full stop character removed at the end of line comments
This solves the issue of the User model's pre('validate') method,
attempting to validate against a password that was not modified.
Adds the this.isModified('password') check to the condition.
Fixes the database seeding bug with the password not passing the owasp
test.
Adds a UserSchema static method that generates a random passphrase that passes
the owasp test.
Performed minor refactoring of the database seed configuration to
implement the new UserSchema method.
Added model test for the UserSchema generateRandomPassphrase static method.
These changes make the role field required in the User model. Changes to
the Admin user edit view were added to provide validation for the role
field.
As an added enhancement, the user's roles are displayed in the Admin
user list view.
Emails are made unique. When user attempts to sign in through a provider in which his email is one that is already registered, user is redirected to the signin page with an error passed as a query string parameter.
The user password salt should be encoded with Base64 before being saved
to the database.
The current code adds an unecessary step of converting the result of
crypto.randomBytes() (which already returns a SlowBuffer) to a Base64
string and back again to a Buffer, and misses the final step of
converting the Buffer's bytes back to a Base64 string.
Because of this, the salt stored in the database is garbled. This is
inconvenient when manipulating the data in a terminal or text editor.
When generating the password hash, the crypto.pbkdf2Sync() method
creates a new Buffer directly from the data supplied. Due to the
incorrect encoding of the salt, entropy is lost at this step,
weakening the security of stored passwords against brute force attacks.
The executable bit is set for a lot of files where it is not necessary
to have the executable bit set. This PR removes the executable bit from
those files.
