Merge branch 'improveLogin' into dev

Author: gondzo

README.md

@@ -14,15 +14,45 @@ DRONE SERIES - WEBAPI IMPLEMENT PRODUCER API
 3. To create random test data run `npm run testdata`
 4. run server `npm start`
 
+## Configuration
+
+Configuration files are located under `config` dir.
+See https://github.com/lorenwest/node-config/wiki/Configuration-Files
+
+|Name|Description|
+|----|-----------|
+|`LOG_LEVEL`| The logging level for the api's|
+|`PORT`| The port to listen|
+|`AUTH0_CLIENT_ID`| The auth0 client id |
+|`JWT_SECRET`| The jwt secret |
+|`mail.SMTP_HOST`| The smtp hostname |
+|`mail.SMTP_PORT`| The smtp port |
+|`mail.SMTP_USERNAME`| The smtp username |
+|`mail.SMTP_PASSWORD`| The smtp password |
+
+## Mail service configuration
+
+[mailgun](https://mailgun.com) is used as mail service.
+
+- Create an account on mailgun.
+- By default a sandbox domain is created. Click on sandbox domain and copy the `Default SMTP Login`
+  and `Default Password` and set them as environment variables.
+  export SMTP_USERNAME=<copied from mailgun sandbox domain>
+  export SMTP_PASSWORD=<copied from mailgun sandbox domain>
+- The host and port are configured for mailgun.
+
+
+When we create an account on mailgun, by default only sandbox domain is enabled.
+To successfully send email from this sandbox domain you have to add the user to authorized recipients list.
 
 #test
-1. open postman 
+1. open postman
 2. import `test/Provider-dsp.postman_collection` , `test/Provider-dsp-env.postman_environment.json`.
 3. test data create 6 provider with user , use username `provider1` - `provder6`, password `123456` login , when login success ,the token will be injected to postman env.
 4. test other api endpoints.
 
 # test nfx
-import `test/NFZ.postman_collection.json`  
+import `test/NFZ.postman_collection.json`
 it contains only endpoints for No Fly Zone endpoints
 
 # env

common/Auth.js

@@ -14,7 +14,8 @@ const jwt = require('express-jwt');
 const config = require('config');
 
 const jwtCheck = jwt({
-  secret: new Buffer(config.JWT_SECRET, 'base64'),
+  // the auth0 doesn't base 64 encode the jwt secret now
+  secret: config.JWT_SECRET,
   audience: config.AUTH0_CLIENT_ID,
   requestProperty: 'auth',
   getToken: function fromHeaderOrQuerystring(req) {

config/default.js

@@ -14,18 +14,27 @@ module.exports = {
 
   LOG_LEVEL: process.env.LOG_LEVEL || 'debug',
   PORT: process.env.PORT || 3500,
-  AUTH0_CLIENT_ID: process.env.AUTH0_CLIENT_ID || 'nope',
+  AUTH0_CLIENT_ID: process.env.AUTH0_CLIENT_ID || 'h7p6V93Shau3SSvqGrl6V4xrATlkrVGm',
   JWT_SECRET: process.env.JWT_SECRET || 'JWT_SECRET',
   SALT_WORK_FACTOR: 2,
   TOKEN_EXPIRES: 10 * 60 * 60,
   API_VERSION: 1,
   RESET_CODE_EXPIRES: 60 * 60,
-
-
   db: {
     url: process.env.MONGOLAB_URI || 'mongodb://localhost:27017/drones',
     poolSize: 5,
   },
-
-
+  mail: {
+    SMTP_HOST: 'smtp.mailgun.org',
+    SMTP_PORT: 587,
+    FROM_EMAIL: '[email protected]',
+    SMTP_USERNAME: process.env.SMTP_USERNAME,
+    SMTP_PASSWORD: process.env.SMTP_PASSWORD,
+  },
+  RESET_PASSWORD_SUBJECT: 'Reset your password',
+  RESET_PASSWORD_TEMPLATE: 'You received this email because you send a reset password request to us, ' +
+    'if you never registered, please ignore. ' +
+    'To reset your password <a href=":link">click here</a><br><br> -- Dsp Server Team',
+  // this is a frontend url, the user is redirected to this url from user's mailbox
+  RESET_PASSWORD_LINK: 'http://localhost:3000/reset-password?token=:token',
 };

controllers/UserController.js

@@ -50,7 +50,7 @@ function* register(req, res) {
  * @param res the response
  */
 function* registerSocialUser(req, res) {
-  res.json(yield UserService.registerSocialUser(req.body));
+  res.json(yield UserService.registerSocialUser(req.auth, req.body));
 }
 
 /**

enum.js

@@ -7,8 +7,8 @@
  * Contains app enums and constants
  */
 const SocialType = {
-  GOOGLE: 'Google',
-  FACEBOOK: 'Facebook',
+  GOOGLE: 'google-oauth2',
+  FACEBOOK: 'facebook',
 };
 
 const DroneStatus = {

package.json

@@ -37,6 +37,7 @@
     "mongoose-auto-increment": "^5.0.1",
     "mongoose-timestamp": "^0.6.0",
     "nodemailer": "^2.6.4",
+    "nodemailer-smtp-transport": "^2.7.2",
     "socket.io": "^1.5.1",
     "swagger-ui-express": "^1.0.2",
     "winston": "^2.2.0"

routes.js

@@ -29,6 +29,7 @@ module.exports = {
   '/login/social': {
     post: {
       controller: 'UserController',
+      middleware: [auth()],
       method: 'registerSocialUser',
     },
   },

services/MailService.js

@@ -12,25 +12,25 @@
 
 const nodemailer = require('nodemailer');
 const logger = require('../common/logger');
+const smtpTransport = require('nodemailer-smtp-transport');
+const config = require('config');
 
 // create reusable transporter object using the default SMTP transport
 const transporter = nodemailer.createTransport({
-  service: 'qq',
-  port: 465,
-  host: 'smtp.qq.com',
-  secureConnection: true,
+  port: config.mail.SMTP_PORT,
+  host: config.mail.SMTP_HOST,
   auth: {
-    user: '[email protected]',
-    pass: 'vafsjkvrnyakbjfh',
+    user: config.mail.SMTP_USERNAME,
+    pass: config.mail.SMTP_PASSWORD,
   },
 });
 
-function* sendMessage(mailTo, html, text) {
+function* sendMessage(mailTo, html, text, subject) {
     // setup e-mail data with unicode symbols
   const mailOptions = {
-    from: '"do not reply" <[email protected]>', // sender address
+    from: config.mail.FROM_EMAIL, // sender address
     to: mailTo, // list of receivers
-    subject: 'Reset your password please', // Subject line
+    subject, // Subject line
     text, // plaintext body
     html, // html body
   };

services/UserService.js

@@ -76,6 +76,7 @@ register.schema = {
 
 // the joi schema for register user via social login
 registerSocialUser.schema = {
+  auth: joi.object().required(),
   entity: joi.object().keys({
     name: joi.string().required(),
     email: joi.string().email().required(),
@@ -125,16 +126,22 @@ function* register(entity) {
 /**
  * Register a user via social login
  *
+ * @param {Object}  auth          the currently logged in user context
  * @param {Object}  entity        the post entity from the client
  */
-function* registerSocialUser(entity) {
+function* registerSocialUser(auth, entity) {
   // make sure the email is unique
-  const existingUser = yield User.findOne({email: entity.email});
-
+  // we don't need to check here for social network type, as social network id itself
+  // embed the social network type
+  const existingUser = yield User.findOne({ $or: [{email: entity.email}, {socialNetworkId: auth.sub}] });
   let user;
   if (existingUser) {
-    user = existingUser;
+    // update social network type
+    existingUser.socialNetworkType = auth.sub.substring(0, auth.sub.indexOf('|'));
+    user = yield existingUser.save();
   } else {
+    entity.socialNetworkId = auth.sub;
+    entity.socialNetworkType = auth.sub.substring(0, auth.sub.indexOf('|'));
     entity.role = Role.CONSUMER;
     user = yield User.create(entity);
   }
@@ -211,24 +218,26 @@ forgotPassword.schema = {
  */
 function* forgotPassword(entity) {
   const code = Math.floor(Math.random() * 100000).toString(16);
-  // print out code for debug purpose
-  logger.debug(`reset password code is ${code}`);
-  const text = 'You received this email because you send a reset password request to us, ' +
-    'if you never registered, please ignore. ' +
-    `The verify code is ${code}\n -- example.com`;
+  const subject = config.RESET_PASSWORD_SUBJECT;
+  const link = config.RESET_PASSWORD_LINK.replace(':token', code);
+  const text = config.RESET_PASSWORD_TEMPLATE.replace(':link', link);
   const html = `<p>${text}</p>`;
 
   const user = yield User.findOne({email: entity.email});
   if (!user) {
     throw new errors.NotFoundError('user not found with the specified email');
   }
+  // check if the user is social network user, and if yes than don't allow forgot password
+  if (user.socialNetworkId) {
+    throw new errors.ValidationError('social network user cannot reset password', httpStatus.BAD_REQUEST);
+  }
 
   user.resetPasswordCode = code;
   const date = new Date();
   user.resetPasswordExpiration = date.setSeconds(date.getSeconds() + config.RESET_CODE_EXPIRES);
   yield user.save();
 
-  yield MailService.sendMessage(user.email, html, text);
+  yield MailService.sendMessage(user.email, html, text, subject);
 }
 
 // the joi schema for resetPassword
@@ -254,6 +263,10 @@ function* resetPassword(entity) {
     user.resetPasswordExpiration.getTime() - new Date().getTime() < 0) {
     throw new errors.HttpStatusError(400, 'invalid code');
   }
+  // check if the user is social network user, and if yes than don't allow forgot password
+  if (user.socialNetworkId) {
+    throw new errors.ValidationError('social network user cannot reset password', httpStatus.BAD_REQUEST);
+  }
 
   user.password = yield helper.hashString(entity.password, config.SALT_WORK_FACTOR);
   user.resetPasswordCode = null;