From aafa5e69cfb6786dd1cf38b6cdfe12c1d2e4dab3 Mon Sep 17 00:00:00 2001
From: almegdad
Date: Mon, 31 Aug 2015 14:58:40 +0300
Subject: [PATCH] Force Lowercase & Remove Sensitive Data

* add directive to force username & email lowercase
* remove sensitive data in password reset
* 2 space indentation in reset & forgot password views
---
 .../directives/users.client.directive.js | 14 ++++++
 .../authentication/signin.client.view.html | 2 +-
 .../authentication/signup.client.view.html | 4 +-
 .../password/forgot-password.client.view.html | 36 +++++++-------
 .../password/reset-password.client.view.html | 48 +++++++++----------
 .../settings/edit-profile.client.view.html | 4 +-
 .../users/server/config/strategies/local.js | 2 +-
 .../users/users.password.server.controller.js | 7 ++-
 .../users/server/models/user.server.model.js | 6 ++-
 9 files changed, 71 insertions(+), 52 deletions(-)
 create mode 100644 modules/users/client/directives/users.client.directive.js

diff --git a/modules/users/client/directives/users.client.directive.js b/modules/users/client/directives/users.client.directive.js
new file mode 100644
index 0000000000..8fbaae6573
--- /dev/null
+++ b/modules/users/client/directives/users.client.directive.js
@@ -0,0 +1,14 @@
+'use strict';
+
+// Users directive used to force lowercase input
+angular.module('users').directive('lowercase', function () {
+ return {
+ require: 'ngModel',
+ link: function (scope, element, attrs, modelCtrl) {
+ modelCtrl.$parsers.push(function (input) {
+ return input ? input.toLowerCase() : '';
+ });
+ element.css('text-transform', 'lowercase');
+ }
+ };
+});
diff --git a/modules/users/client/views/authentication/signin.client.view.html b/modules/users/client/views/authentication/signin.client.view.html
index ff0f8c49f8..fd6a2cd4e1
--- a/modules/users/client/views/authentication/signin.client.view.html
+++ b/modules/users/client/views/authentication/signin.client.view.html
@@ -5,7 +5,7 @@
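Review bot: The parser only rewrites the model value, so the characters the user typed stay mixed-case in the input itself — `text-transform: lowercase` hides that visually, but the view value and the model value diverge, and a model that is pre-populated from the server (as the edit-profile form presumably is) never passes through `$parsers` at all, so an existing mixed-case email is left as-is until the user retypes it. The usual ngModel pattern is to push the lowered value back through the view when it differs; re-entry stops on the second pass because the value is then already lowercase. Treat the directive as a usability aid only — the server-side `toLowerCase()` added elsewhere in this commit stays the authoritative normalization, and the header comment could say so: `// lowercase: keeps ngModel and the rendered value in lowercase as the user types (server normalizes too)`.
```javascript
modelCtrl.$parsers.push(function (input) {
  var lowered = input ? input.toLowerCase() : '';
  // push the normalized value back into the view so what is shown matches the model
  if (input && lowered !== input) {
    modelCtrl.$setViewValue(lowered);
    modelCtrl.$render();
  }
  return lowered;
});
// … unchanged: element.css('text-transform', 'lowercase') …
```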

Or with your account

- +

Username is required.

diff --git a/modules/users/client/views/authentication/signup.client.view.html b/modules/users/client/views/authentication/signup.client.view.html index 842d77a8ac..60c42b9ee3 100644 --- a/modules/users/client/views/authentication/signup.client.view.html +++ b/modules/users/client/views/authentication/signup.client.view.html @@ -19,7 +19,7 @@

Or sign up using your email

- +

Email address is required.

Email address is invalid.

@@ -27,7 +27,7 @@

Or sign up using your email

- +

Username is required.

diff --git a/modules/users/client/views/password/forgot-password.client.view.html b/modules/users/client/views/password/forgot-password.client.view.html index 9e39699118..0ca779335c 100644 --- a/modules/users/client/views/password/forgot-password.client.view.html +++ b/modules/users/client/views/password/forgot-password.client.view.html @@ -1,22 +1,22 @@
-

Restore your password

-

Enter your account username.

-
-
-
+

Restore your password

+

Enter your account username.

+
+ +
- +
-
- -
-
- {{error}} -
-
- {{success}} -
-
- -
+
+ +
+
+ {{error}} +
+
+ {{success}} +
+
+ +
diff --git a/modules/users/client/views/password/reset-password.client.view.html b/modules/users/client/views/password/reset-password.client.view.html index acbf0629be..07f1a0b5f0 100644 --- a/modules/users/client/views/password/reset-password.client.view.html +++ b/modules/users/client/views/password/reset-password.client.view.html @@ -1,26 +1,26 @@
-

Reset your password

-
- -
+

Reset your password

+
+ +
diff --git a/modules/users/client/views/settings/edit-profile.client.view.html b/modules/users/client/views/settings/edit-profile.client.view.html index c263587870..8fe25b605d 100644 --- a/modules/users/client/views/settings/edit-profile.client.view.html +++ b/modules/users/client/views/settings/edit-profile.client.view.html @@ -18,7 +18,7 @@
- +

Email address is required.

Email address is invalid.

@@ -26,7 +26,7 @@
- +

Username is required.

diff --git a/modules/users/server/config/strategies/local.js b/modules/users/server/config/strategies/local.js
index 684e7a8582..a72510f496
--- a/modules/users/server/config/strategies/local.js
+++ b/modules/users/server/config/strategies/local.js
@@ -15,7 +15,7 @@ module.exports = function () {
 }, function (username, password, done) {
 User.findOne({
- username: username
+ username: username.toLowerCase()
 }, function (err, user) {
 if (err) {
 return done(err);
diff --git a/modules/users/server/controllers/users/users.password.server.controller.js b/modules/users/server/controllers/users/users.password.server.controller.js
index d59c73975a..aa51169403
--- a/modules/users/server/controllers/users/users.password.server.controller.js
+++ b/modules/users/server/controllers/users/users.password.server.controller.js
@@ -30,7 +30,7 @@ exports.forgot = function (req, res, next) {
 function (token, done) {
 if (req.body.username) {
 User.findOne({
- username: req.body.username
+ username: req.body.username.toLowerCase()
 }, '-salt -password', function (err, user) {
 if (!user) {
 return res.status(400).send({
@@ -144,7 +144,10 @@ exports.reset = function (req, res, next) {
 if (err) {
 res.status(400).send(err);
 } else {
- // Return authenticated user
+ // Remove sensitive data before return authenticated user
+ user.password = undefined;
+ user.salt = undefined;
+ res.json(user);
 done(err, user);
diff --git a/modules/users/server/models/user.server.model.js b/modules/users/server/models/user.server.model.js
index e7c0af0861..87fd11d9d2
--- a/modules/users/server/models/user.server.model.js
+++ b/modules/users/server/models/user.server.model.js
@@ -51,8 +51,9 @@ var UserSchema = new Schema({
 },
 email: {
 type: String,
- trim: true,
 unique: true,
+ lowercase: true,
+ trim: true,
 default: '',
 validate: [validateLocalStrategyEmail, 'Please fill a valid email address']
 },
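Review bot: `username.toLowerCase()` assumes the verify callback always receives a string, but the value comes straight from the request body; as far as I recall passport-local only rejects missing credentials, so with a JSON body a non-string `username` (an object or an array) reaches this line and the call throws a TypeError inside the strategy instead of producing a failed login. Guard it before the query: `if (typeof username !== 'string') { return done(null, false, { message: 'Invalid username' }); }`. The verify function and its other `done(null, false, …)` branches continue outside the hunk, so the message should match whatever they use.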
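Review bot: `if (req.body.username)` only checks truthiness, so a non-string body value (an object or array from a JSON client) passes the guard and `req.body.username.toLowerCase()` throws a TypeError; this runs inside a waterfall step (`function (token, done)`), and if `token` arrives from an asynchronous callback in the preceding step the throw lands outside Express's error handling — worth confirming against the code just before this hunk. Tighten the guard so the existing else-branch handles it: `if (typeof req.body.username === 'string' && req.body.username) {`. The rest of `exports.forgot` is outside the hunk.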
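Review bot: The two new assignments blank `password` and `salt` on the Mongoose document itself, and the same document is then handed on via `done(err, user)`; as far as I remember Mongoose marks a path assigned `undefined` as modified and unsets it on the next save, so if any later waterfall step calls `user.save()` (the steps after this hunk are not visible — please check) the freshly set hash and salt would be removed from the database, locking the user out right after a successful reset. Strip the fields from a plain copy and leave the document intact: `var payload = user.toObject();` / `delete payload.password; delete payload.salt;` / `res.json(payload);`. Alternatively load the user with `'-salt -password'` as `exports.forgot` already does, if the later steps do not need those fields. The enclosing callback of `exports.reset` starts and ends outside the hunk.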
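Review bot: `lowercase: true` on `email` only normalizes values on write, so documents already stored with mixed-case addresses are untouched: a lookup that lowercases its argument will miss them, and two existing documents whose addresses differ only by case will collide on the `unique` index the first time one of them is re-saved. This needs a one-off migration that lowercases existing `email` values and reports case-only duplicates for manual resolution before the index is relied on, and the commit message should say so. In the Mongoose line in use here schema setters are, to my knowledge, not applied to query conditions, so any `findOne({ email: … })` elsewhere still needs an explicit `.toLowerCase()`; I would record that next to the field: `// lowercase applies on set only — lowercase query values explicitly`.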
@@ -60,6 +61,7 @@ var UserSchema = new Schema({
 type: String,
 unique: 'Username already exists',
 required: 'Please fill in a username',
+ lowercase: true,
 trim: true
 },
 password: {
@@ -139,7 +141,7 @@ UserSchema.methods.authenticate = function (password) {
 */
 UserSchema.statics.findUniqueUsername = function (username, suffix, callback) {
 var _this = this;
- var possibleUsername = username + (suffix || '');
+ var possibleUsername = username.toLowerCase() + (suffix || '');
 _this.findOne({
 username: possibleUsername
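Review bot: Adding `lowercase: true` to `username` changes what new documents are stored under without touching stored data, while `local.js` and the forgot-password step in this same commit now query with a lowercased value, so an account created as `Alice` before this change can neither log in nor request a reset until its stored username is lowercased. Ship a migration alongside this change that lowercases stored usernames and flags case-only duplicates (they would otherwise hit the `unique` index), and say so in the commit message. A why-comment on the field would help the next reader see that the setter is write-side only: `// stored lowercase; lookups must lowercase their query value too`.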
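Review bot: `username.toLowerCase()` makes `findUniqueUsername` throw where the old expression tolerated a missing value — `username + (suffix || '')` turned `undefined` into the string `"undefined"`, whereas `.toLowerCase()` on `undefined` is a TypeError; the callers are not visible here (the OAuth strategies would be the place to check whether a profile can arrive without a username). If that case exists, `var possibleUsername = String(username).toLowerCase() + (suffix || '');` keeps the old coercion while still lowercasing. The rest of the function, including how `suffix` is advanced, is outside the hunk.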