neonexus
diff --git a/‎.idea/dictionaries/neonexusdemortis.xml
+2-1 b/‎.idea/dictionaries/neonexusdemortis.xml
+2-1
diff --git a/‎CHANGELOG.md
+10 b/‎CHANGELOG.md
+10
diff --git a/‎Dockerfile
+2-2 b/‎Dockerfile
+2-2
diff --git a/‎README.md
+22-16 b/‎README.md
+22-16
diff --git a/‎api/README.md
+1-1 b/‎api/README.md
+1-1
diff --git a/‎api/controllers/admin/create-user.js
+1-1 b/‎api/controllers/admin/create-user.js
+1-1
diff --git a/‎api/controllers/admin/delete-user.js
+4 b/‎api/controllers/admin/delete-user.js
+4
diff --git a/‎api/controllers/admin/edit-user.js
+102 b/‎api/controllers/admin/edit-user.js
+102
diff --git a/‎api/controllers/admin/get-deleted-users.js
+57 b/‎api/controllers/admin/get-deleted-users.js
+57
diff --git a/‎api/controllers/admin/get-users.js
+2-4 b/‎api/controllers/admin/get-users.js
+2-4
diff --git a/‎api/controllers/common/login.js
+5-7 b/‎api/controllers/common/login.js
+5-7
diff --git a/‎api/helpers/create-log.js
-2 b/‎api/helpers/create-log.js
-2
diff --git a/‎api/helpers/finalize-request-log.js
+1-1 b/‎api/helpers/finalize-request-log.js
+1-1
@@ -1,5 +1,15 @@
 # Changelog
 
+## [v3.2.0](https://github.com/neonexus/sails-react-bootstrap-webpack/compare/v3.1.1...v3.2.0) (2022-11-16)
+
+### Features
+
+* Built out PnwedPasswords.com (HaveIBeenPwned.com) API functionality into `is-password-valid` helper.
+  * Can be disabled in [config/security.js](config/security.js).
+* FINALLY removed the usage of `res._headers`, so no more annoying deprecation message.
+* Simplified stored session data.
+* Updated dependencies.
+
 ## [v3.1.1](https://github.com/neonexus/sails-react-bootstrap-webpack/compare/v3.1.0...v3.1.1) (2022-09-08)
 
 ### Features
 
@@ -1,4 +1,4 @@
-FROM node:16.17
+FROM node:18.12
 MAINTAINER NeoNexus DeMortis
 
 RUN apt-get update && apt-get upgrade -y
@@ -22,7 +22,7 @@ COPY assets /var/www/myapp/assets
 COPY webpack /var/www/myapp/webpack
 RUN npm run build
 
-# Copy the reset of the app
+# Copy the rest of the app
 COPY . /var/www/myapp/
 
 # Expose the compiled public assets, so Nginx can route to them, instead of using Sails to do the file serving.
 
@@ -8,11 +8,12 @@ Need help? Want to hire me to build your next app or prototype? You can contact
 
 ## Main Features
 
-+ Automatic (incoming) request logging (manual outgoing), via Sails models / hooks.
-+ Setup for Webpack auto-reload dev server.
-+ Setup so Sails will serve Webpack-built bundles as separate apps (so, a marketing site, and an admin site can live side-by-side).
-+ Includes [react-bootstrap](https://www.npmjs.com/package/react-bootstrap) to make using Bootstrap styles / features with React easier.
-+ Schema validation and enforcement for `PRODUCTION`. This repo is set up for `MySQL`. If you plan to use a different datastore, you will likely want to disable the schema validation and enforcement feature inside [`config/bootstrap.js`](config/bootstrap.js). See [schema validation and enforcement](#schema-validation-and-enforcement) for more info.
+* Automatic (incoming) request logging (manual outgoing), via Sails models / hooks.
+* Setup for Webpack auto-reload dev server.
+* Setup so Sails will serve Webpack-built bundles as separate apps (so, a marketing site, and an admin site can live side-by-side).
+* Includes [react-bootstrap](https://www.npmjs.com/package/react-bootstrap) to make using Bootstrap styles / features with React easier.
+* Schema validation and enforcement for `PRODUCTION`. This repo is set up for `MySQL`. If you plan to use a different datastore, you will likely want to disable the schema validation and enforcement feature inside [`config/bootstrap.js`](config/bootstrap.js). See [schema validation and enforcement](#schema-validation-and-enforcement) for more info.
+* New passwords can be checked against the [PwnedPasswords API](https://haveibeenpwned.com/API/v3#PwnedPasswords). If there is a single hit for the password, an error will be given, and the user will be forced to choose another. See [PwnedPasswords integration](#pwnedpasswordscom-integration) for more info.
 
 ## Branch Warning
 The `master` branch is experimental, and the [release branch](https://github.com/neonexus/sails-react-bootstrap-webpack/tree/release) (or the [`releases section`](https://github.com/neonexus/sails-react-bootstrap-webpack/releases)) is where one should base their use of this template.
@@ -70,10 +71,10 @@ If you DO NOT like this behavior, and would prefer the variables stay the same a
 |-------------------------------------------------------------------------|-----------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------|
 | ASSETS_URL                                                              | "" (empty string)                                                     | Webpack is configured to modify static asset URLs to point to a CDN, like CloudFront. MUST end with a slash " / ", or be empty. |
 | BASE_URL                                                                | https://myapi.app                                                     | The address of the Sails instance.                                                                                              |
-| **DEV:**&nbsp;&nbsp;&nbsp;&nbsp;DB_HOST<br />**PROD:**&nbsp;DB_HOSTNAME | localhost                                                             | The hostname of the datastore.                                                                                                  |
-| **DEV:**&nbsp;&nbsp;&nbsp;&nbsp;DB_USER<br />**PROD:**&nbsp;DB_USERNAME | **DEV:**&nbsp;&nbsp;&nbsp;&nbsp;root <br /> **PROD:**&nbsp;produser   | Username of the datastore.                                                                                                      |
-| **DEV:**&nbsp;&nbsp;&nbsp;&nbsp;DB_PASS<br />**PROD:**&nbsp;DB_PASSWORD | **DEV:**&nbsp;&nbsp;&nbsp;&nbsp;mypass <br /> **PROD:**&nbsp;prodpass | Password of the datastore.                                                                                                      |
-| DB_NAME                                                                 | **DEV:**&nbsp;&nbsp;&nbsp;&nbsp;myapp <br /> **PROD:**&nbsp;prod      | The name of the database inside the datastore.                                                                                  |
+| &nbsp;&nbsp;&nbsp;**DEV:**&nbsp;DB_HOST<br />**PROD:**&nbsp;DB_HOSTNAME | localhost                                                             | The hostname of the datastore.                                                                                                  |
+| &nbsp;&nbsp;&nbsp;**DEV:**&nbsp;DB_USER<br />**PROD:**&nbsp;DB_USERNAME | &nbsp;&nbsp;&nbsp;**DEV:**&nbsp;root <br /> **PROD:**&nbsp;produser   | Username of the datastore.                                                                                                      |
+| &nbsp;&nbsp;&nbsp;**DEV:**&nbsp;DB_PASS<br />**PROD:**&nbsp;DB_PASSWORD | &nbsp;&nbsp;&nbsp;**DEV:**&nbsp;mypass <br /> **PROD:**&nbsp;prodpass | Password of the datastore.                                                                                                      |
+| DB_NAME                                                                 | &nbsp;&nbsp;&nbsp;**DEV:**&nbsp;myapp <br /> **PROD:**&nbsp;prod      | The name of the database inside the datastore.                                                                                  |
 | DB_PORT                                                                 | 3306                                                                  | The port number for the datastore.                                                                                              |
 | DB_SSL                                                                  | true                                                                  | If the datastore requires SSL, set this to "true".                                                                              |
 | SESSION_SECRET                                                          | "" (empty string)                                                     | Used to sign cookies, and SHOULD be set, especially on PRODUCTION environments.                                                 |
@@ -115,6 +116,11 @@ module.exports.bootstrap = function(next) {
 };
 ```
 
+## PwnedPasswords.com Integration
+When a new password is being created, it is checked with the [PwnedPasswords.com API](https://haveibeenpwned.com/API/v3#PwnedPasswords). This API uses a k-anonymity model, so the password that is searched for is never exposed to the API. Basically, the password is hashed, then the first 5 characters are sent to the API, and the API returns any hashes that start with those 5 characters, including the amount of times that hash (aka password) has been found in known security breaches.
+
+This functionality is turned on by default, and can be shutoff per-use, or globally throughout the app. `sails.helpers.isPasswordValid` can be used with `skipPwned` option set to `true`, to disable the check per use. Inside of [`config/security.js`](config/security.js), the variable `checkPwned` can be set to `false` to disable it globally.
+
 ## What about SEO?
 I recommend looking at [prerender.io](https://prerender.io). They offer a service (free up to 250 pages) that caches the end result of a JavaScript-rendered view (React, Vue, Angular), allowing search engines to crawl otherwise un-crawlable web views. You can use the service in a number of ways. One way, is to use the [prerender-node](https://www.npmjs.com/package/prerender-node) package. To use it with Sails, you'll have to add it to the [HTTP Middleware](https://sailsjs.com/documentation/concepts/middleware#?http-middleware). Here's a quick example:
 
@@ -142,13 +148,13 @@ middleware: {
 
 ### Useful Links
 
-+ [Sails Framework Documentation](https://sailsjs.com/get-started)
-+ [Sails Deployment Tips](https://sailsjs.com/documentation/concepts/deployment)
-+ [Sails Community Support Options](https://sailsjs.com/support)
-+ [Sails Professional / Enterprise Options](https://sailsjs.com/enterprise)
-+ [`react-bootstrap` Documentation](https://react-bootstrap.netlify.app/)
-+ [Webpack Documentation](https://webpack.js.org/)
-+ [Simple data fixtures for testing Sails.js (the npm package `fixted`)](https://www.npmjs.com/package/fixted)
+* [Sails Framework Documentation](https://sailsjs.com/get-started)
+* [Sails Deployment Tips](https://sailsjs.com/documentation/concepts/deployment)
+* [Sails Community Support Options](https://sailsjs.com/support)
+* [Sails Professional / Enterprise Options](https://sailsjs.com/enterprise)
+* [`react-bootstrap` Documentation](https://react-bootstrap.netlify.app/)
+* [Webpack Documentation](https://webpack.js.org/)
+* [Simple data fixtures for testing Sails.js (the npm package `fixted`)](https://www.npmjs.com/package/fixted)
 
 
 ### Version info
 
@@ -10,7 +10,7 @@ See: [Actions and Controllers](https://sailsjs.com/documentation/concepts/action
 
 ## Helpers
 
-Helpers are generic, reusable functions used by multiple controllers (or hooks, policies, etc).
+Helpers are generic, reusable functions that can be used by controllers, hooks, models, policies, or responses.
 
 See: [Helpers](https://sailsjs.com/documentation/concepts/helpers)
 
 
@@ -60,7 +60,7 @@ module.exports = {
         let isPasswordValid;
 
         if (inputs.setPassword) {
-            isPasswordValid = sails.helpers.isPasswordValid.with({
+            isPasswordValid = await sails.helpers.isPasswordValid.with({
                 password: inputs.password,
                 user: {firstName: inputs.firstName, lastName: inputs.lastName, email: inputs.email}
             });
 
@@ -26,6 +26,10 @@ module.exports = {
     },
 
     fn: async (inputs, exits, env) => {
+        if (inputs.id === env.req.session.user.id) {
+            return exits.badRequest('One does not simply delete themselves...');
+        }
+
         const foundUser = await sails.models.user.findOne({id: inputs.id, deletedAt: null});
 
         if (!foundUser) {
 
@@ -0,0 +1,102 @@
+module.exports = {
+    friendlyName: 'Edit User',
+
+    description: 'Edit an active user.',
+
+    inputs: {
+        id: {
+            type: 'string',
+            required: true,
+            isUUID: true
+        },
+
+        firstName: {
+            type: 'string',
+            required: true,
+            maxLength: 70
+        },
+
+        lastName: {
+            type: 'string',
+            required: true,
+            maxLength: 70
+        },
+
+        password: {
+            type: 'string',
+            maxLength: 70
+        },
+
+        email: {
+            type: 'string',
+            isEmail: true,
+            required: true,
+            maxLength: 191
+        },
+
+        role: {
+            type: 'string',
+            defaultsTo: 'user',
+            isIn: [
+                'user',
+                'admin'
+            ]
+        },
+
+        setPassword: {
+            type: 'boolean',
+            defaultsTo: true
+        }
+    },
+
+    exits: {
+        ok: {
+            responseType: 'created'
+        },
+        badRequest: {
+            responseType: 'badRequest'
+        },
+        serverError: {
+            responseType: 'serverError'
+        }
+    },
+
+    fn: async (inputs, exits) => {
+        let isPasswordValid = true;
+        const foundUser = await sails.models.user.findOne({id: inputs.id});
+
+        if (!foundUser) {
+            return exits.badRequest('There is no user with that ID.');
+        }
+
+        if (foundUser.deletedAt !== null) {
+            return exits.badRequest('This user has been deleted, and can not be edited until reactivated.');
+        }
+
+        if (inputs.setPassword) {
+            isPasswordValid = await sails.helpers.isPasswordValid.with({
+                password: inputs.password,
+                user: {firstName: inputs.firstName, lastName: inputs.lastName, email: inputs.email}
+            });
+        }
+
+        if (isPasswordValid !== true) {
+            return exits.badRequest(isPasswordValid);
+        }
+
+        let updatedUser = {
+            firstName: inputs.firstName,
+            lastName: inputs.lastName,
+            role: inputs.role,
+            email: inputs.email
+        };
+
+        if (inputs.setPassword) {
+            updatedUser.password = inputs.password;
+        }
+
+        const user = await sails.models.user.updateOne({id: inputs.id}).set(updatedUser);
+
+        return exits.ok({user});
+    }
+};
@@ -0,0 +1,57 @@
+module.exports = {
+    friendlyName: 'Get Deleted Users',
+
+    description: 'Get paginated list of soft-deleted users',
+
+    inputs: {
+        page: {
+            description: 'The page number to return',
+            type: 'number',
+            defaultsTo: 1,
+            min: 1
+        },
+
+        limit: {
+            description: 'The amount of users to return',
+            type: 'number',
+            defaultsTo: 25,
+            min: 1,
+            max: 500
+        }
+    },
+
+    exits: {
+        ok: {
+            responseType: 'ok'
+        },
+        badRequest: {
+            responseType: 'badRequest'
+        },
+        serverError: {
+            responseType: 'serverError'
+        }
+    },
+
+    fn: async (inputs, exits) => {
+        const query = sails.helpers.paginateForQuery.with({
+            limit: inputs.limit,
+            page: inputs.page,
+            where: {
+                deletedAt: {'!=': null} // get all soft-deleted users
+            },
+            sort: 'deletedAt DESC'
+        });
+
+        let out = await sails.helpers.paginateForJson.with({
+            model: sails.models.user,
+            objToWrap: {users: []}, // this is the object that will be output to "out", and will contain additional pagination info,
+            query
+        });
+
+        // We assign the users to the object afterward, so we can run our safety checks.
+        // Otherwise, if we were to put the users object into "objToWrap", they would be transformed, and the "customToJSON" feature would no longer work, and hashed passwords would leak.
+        out.users = await sails.models.user.find(_.omit(query, ['page'])).populate('deletedBy');
+
+        return exits.ok(out);
+    }
+};
@@ -15,7 +15,7 @@ module.exports = {
             description: 'The amount of users to return',
             type: 'number',
             defaultsTo: 25,
-            min: 10,
+            min: 1,
             max: 500
         }
     },
@@ -38,8 +38,6 @@ module.exports = {
             page: inputs.page
         });
 
-        const users = await sails.models.user.find(_.omit(pagination, ['page']));
-
         let out = await sails.helpers.paginateForJson.with({
             model: sails.models.user,
             query: pagination,
@@ -48,7 +46,7 @@ module.exports = {
 
         // We assign the users to the object afterward, so we can run our safety checks.
         // Otherwise, if we were to put the users object into "objToWrap", they would be transformed, and the "customToJSON" feature would no longer work, and hashed passwords would leak.
-        out.users = users;
+        out.users = await sails.models.user.find(_.omit(pagination, ['page']));
 
         return exits.ok(out);
     }
 
@@ -36,6 +36,11 @@ module.exports = {
         }
 
         const badEmailPass = 'Bad email / password combination.';
+
+        if (await sails.helpers.isPasswordValid.with({password: inputs.password, skipPwned: true}) !== true) {
+            return exits.badRequest(badEmailPass);
+        }
+
         const foundUser = await sails.models.user.findOne({email: inputs.email, deletedAt: null});
 
         if (!foundUser) {
@@ -51,13 +56,6 @@ module.exports = {
             id: 'c', // required, auto-generated
             user: foundUser.id,
             data: {
-                user: {
-                    id: foundUser.id,
-                    firstName: foundUser.firstName,
-                    lastName: foundUser.lastName,
-                    email: foundUser.email,
-                    role: foundUser.role
-                },
                 _csrfSecret: csrf.secret
             }
         }).fetch();
 
@@ -25,13 +25,11 @@ module.exports = {
 
     fn: function(inputs, exits){
         const user = (inputs.req.session && inputs.req.session.user) ? inputs.req.session.user.id : null,
-            account = (inputs.req.session && inputs.req.session.account) ? inputs.req.session.account.id : null,
             request = (inputs.req.requestId) ? inputs.req.requestId : null;
 
         const newLog = {
             data: inputs.data,
             user,
-            account,
             request,
             description: inputs.description
         };
 
@@ -33,7 +33,7 @@ module.exports = {
     fn: async function(inputs, exits) {
         if (inputs.req.requestId) {
             let out = _.merge({}, inputs.body),
-                headers = _.merge({}, inputs.res._headers), // copy the object
+                headers = _.merge({}, inputs.res.getHeaders()), // copy the object
                 bleep = '*******';
 
             if (!sails.config.logSensitiveData) { // a custom configuration option, for the request logger hook