
cipherlayer's People

Contributors

alejandrogr, guumaster, igzalbertoiglesias, igzjielee, igznicolasjaremek, igzvictorfierro, luismesas, nick13jaremek, triara, unlogic


cipherlayer's Issues

Create docs and API Blueprint

This project has lots of cool features but no documentation. We should add simple descriptions and an API Blueprint file.

redisClient.end() without flush

Hello,

I'm seeing a warning from redis when running tests:

node_redis: Using .end() without the flush parameter is deprecated and throws from v.3.0.0 on.
Please check the doku (https://github.com/NodeRedis/node_redis) and explictly use flush.

You can see the method documented here: redis.end(flush)

The flush param is now mandatory, so we need to either add the flush param or change .end() to .quit(), which allows all pending operations to end.

Make phone number optional

Is it possible to make the phone field optional in the registration process?

If you are not using Pin Validation feature, maybe this field could also be optional.

Create a more robust base configuration

After discussing configuration in #88, I think we should also make the service work with a more solid default configuration.

The idea is to have a really basic config, check features on service start, and enable only the features that are correctly set up. Something like this:

{
   "features": {
      "pinValidation": true,
      "facebookLogin": true,
      "emailValidation": true,
      "magicLink": true
      /* features not explicitly set defaults to false */
   }
}

This way it is really easy to start using the service and you know right away what to expect from it.

Also, what are your thoughts on allowing either config.json or a more readable config.yml file?

Email validation registration

Add a way to do a redirect to a webpage after the mail verification process, with parameters to show success or failure.

JSON error message when following the activation link

If you click on the email activation link two (or more) times, you are redirected to a screen with a JSON error:
{"err":"auth_proxy_error","des":"user already exists"}

I think a "user already exists" when trying to verify your account is not an error, and it should follow the redirect flow instead.

Upgrade mongodb driver

We are using a very old version of the driver and we should update the code to a newer one. This means a wide refactor, so it would be nice to throw lots of tests at it while we do that.

Bug on user login: regex misuse

Hello there,

After using Cipherlayer for some time, a bug related to the user login endpoint was spotted. There exists a function named getFromUsernamePassword which looks up a user via a username and password combination on the Mongo database.

This way of searching users seems out of place, since a regular expression is used for the username, as follows:
username = new RegExp(escapeRegexp(username.toLowerCase()), "i");

Perhaps the main point of this search behaviour is to find a username in a case-insensitive way. However, during the user signup process, the username is set to lowercase before saving the new user into the database.

Therefore, when looking up a user via a username/password combination, the previous line could be replaced with the following one:
username = username.toLowerCase()

As an example, consider I have two users in my Mongo database with the following emails, and the same password:
[email protected]
[email protected]

Login attempts with the following emails return access and refresh tokens associated to the [email protected] username:

  [email protected]
  [email protected]
  nicolas.jaremek@limonade.
  nicolas.jaremek@limonade
  nicolas.jaremek@limonad
  nicolas.jaremek@limona

However, using any of the following usernames returns the tokens associated to [email protected]:

  nicolas.jaremek@limon
  nicolas.jaremek@limo
  nicolas.jaremek@lim
  and so on...

It feels more consistent to search users via an exact match of the username.

Could you shed some light on why the regular expression is used for the user search? Was it due to some particular requirement?

I could send a PR to fix this issue, but knowing your opinion on this matter first would be helpful.
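The behaviour reported in the issue above can be reproduced without a database. The following is an added example, not cipherlayer's code: the user records, the local escapeRegexp stand-in, and the findByRegex/findExact names are constructed for illustration, and Array.find is assumed to play the role of the Mongo lookup returning the first matching document.

```javascript
// Constructed sample data standing in for the Mongo users collection.
// Two users share one password; real storage would hold a hash, not plaintext.
const users = [
  { id: 'B', username: 'sam@limonero.example', password: 'shared-secret' },
  { id: 'A', username: 'sam@limonade.example', password: 'shared-secret' },
];

// Local stand-in for the escapeRegexp helper named in the issue.
function escapeRegexp(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Lookup as described in the issue: an escaped but unanchored, case-insensitive
// regex. Unanchored means it matches any stored username that CONTAINS the input.
function findByRegex(username, password) {
  const pattern = new RegExp(escapeRegexp(username.toLowerCase()), 'i');
  const hit = users.find((u) => pattern.test(u.username) && u.password === password);
  return hit ? hit.id : null;
}

// Lookup proposed in the issue: usernames are stored lowercased at signup,
// so lowercasing the input and comparing for equality is sufficient.
function findExact(username, password) {
  const wanted = username.toLowerCase();
  const hit = users.find((u) => u.username === wanted && u.password === password);
  return hit ? hit.id : null;
}

// Truncated usernames authenticate under the regex lookup and are rejected by the exact one.
for (const attempt of ['sam@limonade.example', 'sam@limona', 'sam@limon', 'limon']) {
  console.log(attempt, '| regex:', findByRegex(attempt, 'shared-secret'),
    '| exact:', findExact(attempt, 'shared-secret'));
}
```

Escaping the input only neutralises regex metacharacters; it does not anchor the pattern, which is why the partial usernames still match.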

EditorConfig file

We should add an .editorconfig file to simplify the merging process after we set up our IDE of choice with this config.

We are using this .editorconfig file on other projects:

# EditorConfig helps developers define and maintain consistent
# coding styles between different editors and IDEs
# editorconfig.org

root = true

[*]
indent_style = space
indent_size = 2
end_of_line = lf
charset = utf-8
trim_trailing_whitespace = true
insert_final_newline = true

[*.md]
trim_trailing_whitespace = false

[{*.json,*.yml}]
indent_style = space
indent_size = 2

I didn't add a PR directly so we can choose spaces or tabs and stuff. What do you guys think?

config.json file relative to process.cwd()

All paths to config.json should be relative to process.cwd(); otherwise, when using cipherlayer as a dependency, the config.json file is not found in the project root. Instead you need to put it in the node_modules directory inside cipherlayer.

In the commit, all references to config.json were changed to be relative to cipherlayer.

Is there a reason not to make the config.json relative to process.cwd() instead of cipherlayer? If not, I can make a pull request to change them again.

Image upload behind cipherlayer

Hi, I'm having problems uploading images through cipherlayer. The receiving endpoint gets the file headers modified and the file isn't recognized as an image.

I'm using a mime lookup validation to check the image file being uploaded, and I get "application/octect-stream" instead of "image/jpeg".

Do you have any idea how to solve this? Thanks!
