added schema validation with @hapi/joi and swagger api docs

Author: cornflourblue

_helpers/authorize.js

@@ -1,6 +1,6 @@
 const expressJwt = require('express-jwt');
 const { secret } = require('config.json');
-const accountService = require('accounts/account.service');
+const db = require('./db');
 
 module.exports = authorize;
 
@@ -17,8 +17,8 @@ function authorize(roles = []) {
 
         // authorize based on user role
         async (req, res, next) => {
-            const account = await accountService.getById(req.user.id);
-            
+            const account = await db.Account.findById(req.user.id);
+
             if (!account || (roles.length && !roles.includes(account.role))) {
                 // account no longer exists or role not authorized
                 return res.status(401).json({ message: 'Unauthorized' });

_helpers/db.js

@@ -5,5 +5,10 @@ mongoose.connect(process.env.MONGODB_URI || config.connectionString, connectionO
 mongoose.Promise = global.Promise;
 
 module.exports = {
-    Account: require('../accounts/account.model')
-};
+    Account: require('../accounts/account.model'),
+    isValidId
+};
+
+function isValidId(id) {
+    return mongoose.Types.ObjectId.isValid(id);
+}

_helpers/error-handler.js

@@ -1,21 +1,19 @@
 module.exports = errorHandler;
 
 function errorHandler(err, req, res, next) {
-    if (typeof (err) === 'string') {
-        // custom application error
-        return res.status(400).json({ message: err });
+    switch (true) {
+        case typeof err === 'string':
+            // custom application error
+            const is404 = err.toLowerCase().endsWith('not found');
+            const statusCode = is404 ? 404 : 400;
+            return res.status(statusCode).json({ message: err });
+        case err.name === 'ValidationError':
+            // mongoose validation error
+            return res.status(400).json({ message: err.message });
+        case err.name === 'UnauthorizedError':
+            // jwt authentication error
+            return res.status(401).json({ message: 'Invalid Token' });
+        default:
+            return res.status(500).json({ message: err.message });
     }
-
-    if (err.name === 'ValidationError') {
-        // mongoose validation error
-        return res.status(400).json({ message: err.message });
-    }
-
-    if (err.name === 'UnauthorizedError') {
-        // jwt authentication error
-        return res.status(401).json({ message: 'Invalid Token' });
-    }
-
-    // default to 500 server error
-    return res.status(500).json({ message: err.message });
 }

_helpers/swagger.js

@@ -0,0 +1,9 @@
+const express = require('express');
+const router = express.Router();
+const swaggerUi = require('swagger-ui-express');
+const YAML = require('yamljs');
+const swaggerDocument = YAML.load('./swagger.yaml');
+
+router.use('/', swaggerUi.serve, swaggerUi.setup(swaggerDocument));
+
+module.exports = router;

_helpers/validate-request.js

@@ -0,0 +1,16 @@
+module.exports = validateRequest;
+
+function validateRequest(req, next, schema) {
+    const options = {
+        abortEarly: false, // include all errors
+        allowUnknown: true, // ignore unknown props
+        stripUnknown: true // remove unknown props
+    };
+    const { error, value } = schema.validate(req.body, options);
+    if (error) {
+        next(`Validation error: ${error.details.map(x => x.message).join(', ')}`);
+    } else {
+        req.body = value;
+        next();
+    }
+}

accounts/account.service.js

@@ -24,27 +24,20 @@ module.exports = {
 async function authenticate({ email, password }) {
     const account = await Account.findOne({ email, isVerified: true });
     if (account && bcrypt.compareSync(password, account.passwordHash)) {
+        // return basic details and auth token
         const token = jwt.sign({ sub: account.id, id: account.id }, config.secret);
-        return {
-            ...account.toJSON(),
-            token
-        };
+        return { ...basicDetails(account), token };
     }
 }
 
 async function register(params, origin) {
     // validate
     if (await Account.findOne({ email: params.email })) {
-        // send already registered notification in email to prevent account enumeration
-        return sendEmail({
-            to: params.email,
-            subject: 'Sign-up Verification API - Email Already Registered',
-            html: `<h4>Email Already Registered</h4>
-                   <p>Your email <strong>${params.email}</strong> is already registered.</p>
-                   <p>If you don't know your password please visit the <a href="${origin}/account/forgot-password">forgot password</a> page.</p>`
-        });
+        // send already registered error in email to prevent account enumeration
+        return sendAlreadyRegisteredEmail(params.email, origin);
     }
 
+    // create account object
     const account = new Account(params);
 
     // first registered account is an admin
@@ -61,16 +54,8 @@ async function register(params, origin) {
     // save account
     await account.save();
 
-    // send verification email
-    const verifyUrl = `${origin}/account/verify-email?token=${account.verificationToken}`;
-    return sendEmail({
-        to: params.email,
-        subject: 'Sign-up Verification API - Verify Email',
-        html: `<h4>Verify Email</h4>
-               <p>Thanks for registering!</p>
-               <p>Please click the below link to verify your email address:</p>
-               <p><a href="${verifyUrl}">${verifyUrl}</a></p>`
-    });
+    // send email
+    sendVerificationEmail(account, origin);
 }
 
 async function verifyEmail({ token }) {
@@ -93,15 +78,8 @@ async function forgotPassword({ email }, origin) {
     account.resetTokenExpiry = new Date(Date.now() + 24*60*60*1000).toISOString();
     account.save();
 
-    // send password reset email
-    const resetUrl = `${origin}/account/reset-password?token=${account.resetToken}`;
-    sendEmail({
-        to: email,
-        subject: 'Sign-up Verification API - Reset Password',
-        html: `<h4>Reset Password Email</h4>
-               <p>Please click the below link to reset your password, the link will be valid for 1 day:</p>
-               <p><a href="${resetUrl}">${resetUrl}</a></p>`
-    })
+    // send email
+    sendPasswordResetEmail(account, origin);
 }
 
 async function validateResetToken({ token }) {
@@ -130,11 +108,13 @@ async function resetPassword({ token, password }) {
 }
 
 async function getAll() {
-    return await Account.find();
+    const accounts = await Account.find();
+    return accounts.map(x => basicDetails(x));
 }
 
 async function getById(id) {
-    return await Account.findById(id);
+    const account = await getAccount(id);
+    return basicDetails(account);
 }
 
 async function create(params) {
@@ -153,13 +133,14 @@ async function create(params) {
 
     // save account
     await account.save();
+
+    return basicDetails(account);
 }
 
 async function update(id, params) {
-    const account = await Account.findById(id);
+    const account = await getAccount(id);
 
     // validate
-    if (!account) throw 'Account not found';
     if (account.email !== params.email && await Account.findOne({ email: params.email })) {
         throw 'Email "' + params.email + '" is already taken';
     }
@@ -171,20 +152,91 @@ async function update(id, params) {
 
     // copy params to account and save
     Object.assign(account, params);
+    account.dateUpdated = Date.now();
     await account.save();
-    return account.toJSON();
+
+    return basicDetails(account);
 }
 
 async function _delete(id) {
-    await Account.findByIdAndRemove(id);
+    const account = await getAccount(id);
+    await account.remove();
 }
 
 // helper functions
 
+async function getAccount(id) {
+    if (!db.isValidId(id)) throw 'Account not found';
+    const account = await Account.findById(id);
+    if (!account) throw 'Account not found';
+    return account;
+}
+
 function hash(password) {
     return bcrypt.hashSync(password, 10);
 }
 
 function generateToken() {
     return crypto.randomBytes(40).toString('hex');
+}
+
+function basicDetails(account) {
+    const { id, title, firstName, lastName, email, role, dateCreated, dateUpdated } = account;
+    return { id, title, firstName, lastName, email, role, dateCreated, dateUpdated };
+}
+
+function sendVerificationEmail(account, origin) {
+    let message;
+    if (origin) {
+        const verifyUrl = `${origin}/account/verify-email?token=${account.verificationToken}`;
+        message = `<p>Please click the below link to verify your email address:</p>
+                   <p><a href="${verifyUrl}">${verifyUrl}</a></p>`;
+    } else {
+        message = `<p>Please use the below token to verify your email address with the <code>/account/verify-email</code> api route:</p>
+                   <p><code>${account.verificationToken}</code></p>`;
+    }
+
+    sendEmail({
+        to: account.email,
+        subject: 'Sign-up Verification API - Verify Email',
+        html: `<h4>Verify Email</h4>
+               <p>Thanks for registering!</p>
+               ${message}`
+    });
+}
+
+function sendAlreadyRegisteredEmail(email, origin) {
+    let message;
+    if (origin) {
+        message = `<p>If you don't know your password please visit the <a href="${origin}/account/forgot-password">forgot password</a> page.</p>`;
+    } else {
+        message = `<p>If you don't know your password you can reset it via the <code>/account/forgot-password</code> api route.</p>`;
+    }
+
+    sendEmail({
+        to: email,
+        subject: 'Sign-up Verification API - Email Already Registered',
+        html: `<h4>Email Already Registered</h4>
+               <p>Your email <strong>${email}</strong> is already registered.</p>
+               ${message}`
+    });
+}
+
+function sendPasswordResetEmail(account, origin) {
+    let message;
+    if (origin) {
+        const resetUrl = `${origin}/account/reset-password?token=${account.resetToken}`;
+        message = `<p>Please click the below link to reset your password, the link will be valid for 1 day:</p>
+                   <p><a href="${resetUrl}">${resetUrl}</a></p>`;
+    } else {
+        message = `<p>Please use the below token to reset your password with the <code>/account/reset-password</code> api route:</p>
+                   <p><code>${account.resetToken}</code></p>`;
+    }
+
+    sendEmail({
+        to: account.email,
+        subject: 'Sign-up Verification API - Reset Password',
+        html: `<h4>Reset Password Email</h4>
+               ${message}`
+    });
 }