thegameofcode / cipherlayer Goto Github PK
Security layer based on use of ciphertoken
This project has lots of cool features but no documentation. We should add simple descriptions and an API Blueprint file.
Hello,
I'm seeing a warning from redis when running the tests:
node_redis: Using .end() without the flush parameter is deprecated and throws from v.3.0.0 on.
Please check the doku (https://github.com/NodeRedis/node_redis) and explictly use flush.
You can see the method documented here: redis.end(flush)
The flush param is now mandatory, so we need to either add the flush param or change .end() to .quit(), which allows all pending operations to finish.
Is it possible to make the phone field optional in the registration process?
If you are not using the Pin Validation feature, maybe this field could also be optional.
Review the Salesforce return of phone numbers to improve the matching of country codes.
After discussing configuration in #88, I think we should also make the service work with a more solid default configuration.
The idea is to have a really basic config and check features on service start and enable only the features that are correctly setup. Something like this:
{
"features": {
"pinValidation": true,
"facebookLogin": true,
"emailValidation": true,
"magicLink": true
/* features not explicitly set defaults to false */
}
}
This way it is really easy to start using the service, and you know right away what to expect from it.
Also, what are your thoughts on allowing either a config.json or a more readable config.yml file?
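One way to implement the "check features on service start and enable only the ones that are correctly set up" idea, as an added example that is not cipherlayer's own code. The feature names are the four from the proposal above; the per-feature required settings (FEATURE_REQUIREMENTS) and the sample config are hypothetical placeholders chosen for this illustration, not the project's real config keys.

```javascript
// Added example (not cipherlayer's code): a feature is enabled only when it is
// explicitly set to true under config.features AND every setting it depends on
// is present. Anything not listed defaults to false, and a feature that is
// requested but misconfigured is forced off and reported at startup.
//
// The required settings below are hypothetical; substitute the real keys.
const FEATURE_REQUIREMENTS = {
  pinValidation: ['phoneVerification.sms.apiKey'],
  facebookLogin: ['facebook.appId', 'facebook.appSecret'],
  emailValidation: ['emailVerification.from', 'emailVerification.transport'],
  magicLink: ['magicLink.secret', 'magicLink.expirationSeconds'],
};

// Look up a dotted path ("a.b.c") in a plain object; undefined if any hop is missing.
function getPath(obj, dottedPath) {
  return dottedPath.split('.').reduce(
    (node, key) => (node !== null && typeof node === 'object' ? node[key] : undefined),
    obj
  );
}

// Returns { enabled: { feature: boolean }, warnings: [string] }.
function resolveFeatures(config) {
  const requested = (config && config.features) || {};
  const enabled = {};
  const warnings = [];

  for (const [feature, required] of Object.entries(FEATURE_REQUIREMENTS)) {
    if (requested[feature] !== true) {
      enabled[feature] = false; // not explicitly set (or set to false) -> off
      continue;
    }
    const missing = required.filter((p) => {
      const v = getPath(config, p);
      return v === undefined || v === null || v === '';
    });
    if (missing.length > 0) {
      enabled[feature] = false; // requested but unusable -> off, and say why
      warnings.push(`${feature} disabled: missing ${missing.join(', ')}`);
    } else {
      enabled[feature] = true;
    }
  }

  // A key under "features" that we do not know is most likely a typo; report it
  // instead of silently ignoring it.
  for (const key of Object.keys(requested)) {
    if (!(key in FEATURE_REQUIREMENTS)) {
      warnings.push(`unknown feature "${key}" ignored`);
    }
  }
  return { enabled, warnings };
}

// Constructed sample config for the demonstration: pinValidation is complete,
// facebookLogin lacks its appSecret, and "emaiValidation" is a typo.
const SAMPLE_CONFIG = {
  features: { pinValidation: true, facebookLogin: true, emaiValidation: true },
  phoneVerification: { sms: { apiKey: 'test-key' } },
  facebook: { appId: '123' },
};

console.log(JSON.stringify(resolveFeatures(SAMPLE_CONFIG), null, 2));
```

Running this prints pinValidation enabled, facebookLogin and magicLink disabled, a warning naming facebook.appSecret, and a warning about the misspelled key, which is the "you know right away what to expect" property the proposal asks for.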
Add a way to do a redirect to a webpage after the mail verification process, with parameters to show success or failure.
If you click on the email activation link two (or more) times, you are redirected to a screen with a JSON error:
{"err":"auth_proxy_error","des":"user already exists"}
I think a "user already exists" response when trying to verify your account is not an error; instead it should follow the redirect flow.
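An added example (not cipherlayer's code) that covers both requests above: redirect to a landing page with parameters describing the outcome, and treat a repeated click on the activation link as success rather than surfacing the JSON error. The landing URL is taken from operator configuration rather than from the request so the endpoint cannot be turned into an open redirect; the parameter names (status, reason, already_verified) and the result shapes are this example's choices, not the project's.

```javascript
// Added example, not cipherlayer's code. Maps the outcome of the mail
// verification step to a redirect URL on a fixed, configured landing page.
const ALREADY_VERIFIED = 'user already exists';

// The verification step is assumed to yield either { ok: true } for a first
// successful activation, or an error object like the one quoted in the report,
// { err: 'auth_proxy_error', des: 'user already exists' }.
function classifyVerification(result) {
  if (result && result.ok === true) {
    return { status: 'success', alreadyVerified: false };
  }
  if (result && result.des === ALREADY_VERIFIED) {
    // Second click on the same link: the account is already active, which is
    // what the user wanted, so report success instead of an error.
    return { status: 'success', alreadyVerified: true };
  }
  return { status: 'error', reason: (result && result.des) || 'unknown' };
}

// landingUrl must be an absolute http(s) URL from config, never from the request.
function buildVerificationRedirect(landingUrl, result) {
  const url = new URL(landingUrl); // throws on a relative or malformed URL
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    throw new Error('landing URL must be http(s)');
  }
  const outcome = classifyVerification(result);
  url.searchParams.set('status', outcome.status);
  if (outcome.status === 'success') {
    if (outcome.alreadyVerified) url.searchParams.set('already_verified', '1');
  } else {
    url.searchParams.set('reason', outcome.reason);
  }
  return url.toString();
}

// Constructed inputs mirroring the report.
const LANDING = 'https://app.example.com/verified';
console.log(buildVerificationRedirect(LANDING, { ok: true }));
console.log(buildVerificationRedirect(LANDING, { err: 'auth_proxy_error', des: 'user already exists' }));
console.log(buildVerificationRedirect(LANDING, { err: 'auth_proxy_error', des: 'token expired' }));
```

The web page behind the landing URL reads status (and, on error, reason) and renders the message; the backend never has to know how the frontend wants to present it.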
We are using a very old version of the driver and we should update the code to a newer one. This means a wide refactor, so it would be nice to write lots of tests while we do that.
userId and deviceId are required on logout, so a valid user can impersonate another user and remove one of that user's linked devices.
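The problem above, shown beside the fix, as an added example that is not cipherlayer's code. The first handler trusts userId from the request body; the second takes the user from the authenticated session (the subject of the validated access token) and only accepts deviceId from the client, checking that the device is linked to that user. The in-memory store, the session shape and the HTTP status codes are assumptions made for the illustration.

```javascript
// Added example, not cipherlayer's code.

// Constructed store: userId -> list of linked device ids.
function makeStore() {
  return { 'user-a': ['dev-1', 'dev-2'], 'user-b': ['dev-3'] };
}

function removeDevice(store, userId, deviceId) {
  const devices = store[userId];
  if (!devices) return false;
  const idx = devices.indexOf(deviceId);
  if (idx === -1) return false;
  devices.splice(idx, 1);
  return true;
}

// Vulnerable: whoever calls /logout picks the victim by supplying userId.
function logoutVulnerable(body, store) {
  if (!body.userId || !body.deviceId) return { status: 400 };
  return removeDevice(store, body.userId, body.deviceId) ? { status: 204 } : { status: 404 };
}

// Hardened: the subject comes from the validated token (session.userId).
// body.userId is ignored even if present, and the device must belong to that user.
function logoutSafe(session, body, store) {
  if (!session || !session.userId) return { status: 401 };
  if (!body.deviceId) return { status: 400 };
  const devices = store[session.userId] || [];
  if (!devices.includes(body.deviceId)) {
    // Same answer whether the device is unknown or belongs to someone else,
    // so the endpoint cannot be used to enumerate other users' devices.
    return { status: 404 };
  }
  removeDevice(store, session.userId, body.deviceId);
  return { status: 204 };
}

// Attacker scenario: logged in as user-a, tries to unlink user-b's device.
const attack = { userId: 'user-b', deviceId: 'dev-3' };

const s1 = makeStore();
console.log('vulnerable:', logoutVulnerable(attack, s1), 'user-b devices:', s1['user-b']);

const s2 = makeStore();
console.log('safe:', logoutSafe({ userId: 'user-a' }, attack, s2), 'user-b devices:', s2['user-b']);
```

With the hardened version, userId can be dropped from the logout request entirely; keeping it in the schema only invites the client to send it and the server to be tempted to use it.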
Hello there,
After using Cipherlayer for some time, a bug related to the user login endpoint was spotted. There exists a function named getFromUsernamePassword which looks up a user via a username and password combination in the Mongo database.
This way of searching users seems out of place, since a regular expression is used for the username, as follows:
username = new RegExp(escapeRegexp(username.toLowerCase()), "i");
Perhaps the main point of this search behaviour would be finding a username in a case-insensitive way. However, during the user signup process, the username is set to lowercase before saving the new user into the database.
Therefore, when looking up a user via a username/password combination, the previous line could be replaced with the following one:
username = username.toLowerCase()
As an example, consider I have two users in my Mongo database with the following emails, and the same password:
[email protected]
[email protected]
Login attempts with the following emails return access and refresh tokens associated to the [email protected] username:
[email protected]
[email protected]
nicolas.jaremek@limonade.
nicolas.jaremek@limonade
nicolas.jaremek@limonad
nicolas.jaremek@limona
However, using any of the following usernames returns the tokens associated to [email protected]:
nicolas.jaremek@limon
nicolas.jaremek@limo
nicolas.jaremek@lim
and so on...
It feels more consistent to search users via an exact match of the username.
Could you shed some light on why the regular expression is used for the user search? Was it due to some particular requirement?
I could send a PR to fix this issue, but knowing your opinion on this matter first would be helpful.
We should add an .editorconfig file to simplify the merging process after we set up our IDE of choice with this config.
We are using this .editorconfig file on other projects:
# EditorConfig helps developers define and maintain consistent
# coding styles between different editors and IDEs
# editorconfig.org
root = true
[*]
indent_style = space
indent_size = 2
end_of_line = lf
charset = utf-8
trim_trailing_whitespace = true
insert_final_newline = true
[*.md]
trim_trailing_whitespace = false
[{*.json,*.yml}]
indent_style = space
indent_size = 2
I didn't open a PR directly so we can choose spaces or tabs and such. What do you guys think?
Currently it is using the same lifetime as the refresh token.
Use the existing rule for password strength as the default, but make it optional and configurable in config.json.
All paths to config.json should be relative to process.cwd(); otherwise, when using cipherlayer as a dependency, the config.json file is not found in the project root and instead you need to put it in the node_modules directory inside cipherlayer.
In the commit, all references to config.json were changed to be relative to cipherlayer.
Is there a reason not to make config.json relative to process.cwd() instead of cipherlayer? If not, I can make a pull request to change them again.
Hi, I'm having problems uploading images through cipherlayer. The receiving endpoint gets the file headers modified and it isn't recognized as an image.
I'm using a MIME lookup validation to check the image file being uploaded, and I get "application/octet-stream" instead of "image/jpeg".
Do you have any idea how to solve this? Thanks!