initial commit

Author: cornflourblue

.gitignore

@@ -0,0 +1,38 @@
+# Logs
+logs
+*.log
+npm-debug.log*
+
+# Runtime data
+pids
+*.pid
+*.seed
+
+# Directory for instrumented libs generated by jscoverage/JSCover
+lib-cov
+
+# Coverage directory used by tools like istanbul
+coverage
+
+# nyc test coverage
+.nyc_output
+
+# Grunt intermediate storage (http://gruntjs.com/creating-plugins#storing-task-files)
+.grunt
+
+# node-waf configuration
+.lock-wscript
+
+# Compiled binary addons (http://nodejs.org/api/addons.html)
+build/Release
+
+# Dependency directories
+node_modules
+jspm_packages
+typings
+
+# Optional npm cache directory
+.npm
+
+# Optional REPL history
+.node_repl_history

LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2020 Jason Watmore
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,3 @@
+# node-mongo-signup-verification-api
+
+NodeJS + MongoDB API for Email Sign Up with Verification, Authentication & Forgot Password

_helpers/authorize.js

@@ -0,0 +1,32 @@
+const expressJwt = require('express-jwt');
+const { secret } = require('config.json');
+const accountService = require('accounts/account.service');
+
+module.exports = authorize;
+
+function authorize(roles = []) {
+    // roles param can be a single role string (e.g. Role.User or 'User') 
+    // or an array of roles (e.g. [Role.Admin, Role.User] or ['Admin', 'User'])
+    if (typeof roles === 'string') {
+        roles = [roles];
+    }
+
+    return [
+        // authenticate JWT token and attach user to request object (req.user)
+        expressJwt({ secret }),
+
+        // authorize based on user role
+        async (req, res, next) => {
+            const account = await accountService.getById(req.user.id);
+            
+            if (!account || (roles.length && !roles.includes(account.role))) {
+                // account no longer exists or role not authorized
+                return res.status(401).json({ message: 'Unauthorized' });
+            }
+
+            // authentication and authorization successful
+            req.user.role = account.role;
+            next();
+        }
+    ];
+}

_helpers/db.js

@@ -0,0 +1,9 @@
+const config = require('config.json');
+const mongoose = require('mongoose');
+const connectionOptions = { useCreateIndex: true, useNewUrlParser: true, useUnifiedTopology: true, useFindAndModify: false };
+mongoose.connect(process.env.MONGODB_URI || config.connectionString, connectionOptions);
+mongoose.Promise = global.Promise;
+
+module.exports = {
+    Account: require('../accounts/account.model')
+};

_helpers/error-handler.js

@@ -0,0 +1,21 @@
+module.exports = errorHandler;
+
+function errorHandler(err, req, res, next) {
+    if (typeof (err) === 'string') {
+        // custom application error
+        return res.status(400).json({ message: err });
+    }
+
+    if (err.name === 'ValidationError') {
+        // mongoose validation error
+        return res.status(400).json({ message: err.message });
+    }
+
+    if (err.name === 'UnauthorizedError') {
+        // jwt authentication error
+        return res.status(401).json({ message: 'Invalid Token' });
+    }
+
+    // default to 500 server error
+    return res.status(500).json({ message: err.message });
+}

_helpers/role.js

@@ -0,0 +1,4 @@
+module.exports = {
+    Admin: 'Admin',
+    User: 'User'
+}

_helpers/send-email.js

@@ -0,0 +1,9 @@
+const nodemailer = require('nodemailer');
+const config = require('config.json');
+
+module.exports = sendEmail;
+
+function sendEmail({ to, subject, html, from = config.emailFrom }) {
+    const transporter = nodemailer.createTransport(config.smtpOptions);
+    transporter.sendMail({ from, to, subject, html });
+}

accounts/account.model.js

@@ -0,0 +1,30 @@
+const mongoose = require('mongoose');
+const Schema = mongoose.Schema;
+
+const schema = new Schema({
+    email: { type: String, unique: true, required: true },
+    passwordHash: { type: String, required: true },
+    title: { type: String, required: true },
+    firstName: { type: String, required: true },
+    lastName: { type: String, required: true },
+    acceptTerms: { type: Boolean },
+    role: { type: String, required: true },
+    verificationToken: { type: String },
+    isVerified: { type: Boolean, default: false },
+    resetToken: { type: String },
+    resetTokenExpiry: { type: Date },
+    dateCreated: { type: Date, default: Date.now },
+    dateUpdated: { type: Date }
+});
+
+schema.set('toJSON', {
+    virtuals: true,
+    versionKey: false,
+    transform: function (doc, ret) {
+        // remove these props when object is serialized
+        delete ret._id;
+        delete ret.passwordHash;
+    }
+});
+
+module.exports = mongoose.model('Account', schema);

accounts/account.service.js

@@ -0,0 +1,190 @@
+const config = require('config.json');
+const jwt = require('jsonwebtoken');
+const bcrypt = require('bcryptjs');
+const crypto = require("crypto");
+const sendEmail = require('_helpers/send-email');
+const db = require('_helpers/db');
+const Role = require('_helpers/role');
+const Account = db.Account;
+
+module.exports = {
+    authenticate,
+    register,
+    verifyEmail,
+    forgotPassword,
+    validateResetToken,
+    resetPassword,
+    getAll,
+    getById,
+    create,
+    update,
+    delete: _delete
+};
+
+async function authenticate({ email, password }) {
+    const account = await Account.findOne({ email, isVerified: true });
+    if (account && bcrypt.compareSync(password, account.passwordHash)) {
+        const token = jwt.sign({ sub: account.id, id: account.id }, config.secret);
+        return {
+            ...account.toJSON(),
+            token
+        };
+    }
+}
+
+async function register(params, origin) {
+    // validate
+    if (await Account.findOne({ email: params.email })) {
+        // send already registered notification in email to prevent account enumeration
+        return sendEmail({
+            to: params.email,
+            subject: 'Sign-up Verification API - Email Already Registered',
+            html: `<h4>Email Already Registered</h4>
+                   <p>Your email <strong>${params.email}</strong> is already registered.</p>
+                   <p>If you don't know your password please visit the <a href="${origin}/account/forgot-password">forgot password</a> page.</p>`
+        });
+    }
+
+    const account = new Account(params);
+
+    // first registered account is an admin
+    const isFirstAccount = (await Account.countDocuments({})) === 0;
+    account.role = isFirstAccount ? Role.Admin : Role.User;
+    account.verificationToken = generateToken();
+    account.isVerified = false;
+
+    // hash password
+    if (params.password) {
+        account.passwordHash = hash(params.password);
+    }
+
+    // save account
+    await account.save();
+
+    // send verification email
+    const verifyUrl = `${origin}/account/verify-email?token=${account.verificationToken}`;
+    return sendEmail({
+        to: params.email,
+        subject: 'Sign-up Verification API - Verify Email',
+        html: `<h4>Verify Email</h4>
+               <p>Thanks for registering!</p>
+               <p>Please click the below link to verify your email address:</p>
+               <p><a href="${verifyUrl}">${verifyUrl}</a></p>`
+    });
+}
+
+async function verifyEmail({ token }) {
+    const account = await Account.findOne({ verificationToken: token });
+    
+    if (!account) throw 'Verification failed';
+    
+    account.isVerified = true;
+    await account.save();
+}
+
+async function forgotPassword({ email }, origin) {
+    const account = await Account.findOne({ email });
+    
+    // always return ok response to prevent email enumeration
+    if (!account) return;
+    
+    // create reset token that expires after 24 hours
+    account.resetToken = generateToken();
+    account.resetTokenExpiry = new Date(Date.now() + 24*60*60*1000).toISOString();
+    account.save();
+
+    // send password reset email
+    const resetUrl = `${origin}/account/reset-password?token=${account.resetToken}`;
+    sendEmail({
+        to: email,
+        subject: 'Sign-up Verification API - Reset Password',
+        html: `<h4>Reset Password Email</h4>
+               <p>Please click the below link to reset your password, the link will be valid for 1 day:</p>
+               <p><a href="${resetUrl}">${resetUrl}</a></p>`
+    })
+}
+
+async function validateResetToken({ token }) {
+    const account = await Account.findOne({ 
+        resetToken: token,
+        resetTokenExpiry: { $gt: new Date() }
+    });
+    
+    if (!account) throw 'Invalid token';
+}
+
+async function resetPassword({ token, password }) {
+    const account = await Account.findOne({ 
+        resetToken: token,
+        resetTokenExpiry: { $gt: new Date() }
+    });
+    
+    if (!account) throw 'Invalid token';
+    
+    // update password and remove reset token
+    account.passwordHash = hash(password);
+    account.isVerified = true;
+    account.resetToken = undefined;
+    account.resetTokenExpiry = undefined;
+    await account.save();
+}
+
+async function getAll() {
+    return await Account.find();
+}
+
+async function getById(id) {
+    return await Account.findById(id);
+}
+
+async function create(params) {
+    // validate
+    if (await Account.findOne({ email: params.email })) {
+        throw 'Email "' + params.email + '" is already registered';
+    }
+
+    const account = new Account(params);
+    account.isVerified = true;
+
+    // hash password
+    if (params.password) {
+        account.passwordHash = hash(params.password);
+    }
+
+    // save account
+    await account.save();
+}
+
+async function update(id, params) {
+    const account = await Account.findById(id);
+
+    // validate
+    if (!account) throw 'Account not found';
+    if (account.email !== params.email && await Account.findOne({ email: params.email })) {
+        throw 'Email "' + params.email + '" is already taken';
+    }
+
+    // hash password if it was entered
+    if (params.password) {
+        params.passwordHash = hash(params.password);
+    }
+
+    // copy params to account and save
+    Object.assign(account, params);
+    await account.save();
+    return account.toJSON();
+}
+
+async function _delete(id) {
+    await Account.findByIdAndRemove(id);
+}
+
+// helper functions
+
+function hash(password) {
+    return bcrypt.hashSync(password, 10);
+}
+
+function generateToken() {
+    return crypto.randomBytes(40).toString('hex');
+}