Welcome to the Node wiki! Here you will find various information about this repo.
- Mindset and what we would like to create
- How to start a project and maintain updates from stacks
- Global roadmap and ideas about stacks
- How to contribute and help us
```js
responses.success(res, 'task created')({});
```
body:
```js
{
  type: 'success',
  message: 'task created',
  data: {}
}
```

```js
responses.error(res, 422, 'Unprocessable Entity', 'task creation failed')({err});
```
body:
```js
{
  code: 422,
  message: 'Unprocessable Entity',
  description: 'task creation failed',
  type: 'error',
  error: '{err}'
}
```

```js
responses.error(res, 422, 'Unprocessable Entity', errors.getMessage(err))({err});
```
body:
```js
{
  code: 422,
  message: 'Unprocessable Entity',
  description: 'Title must be a string. Name must be a string.',
  type: 'error',
  error: '{
    original: {
      title: 2,
      description: 'do something about something else'
    },
    details: [{
      message: 'title must be a string',
      type: 'string.base'
    },
    {
      message: 'name must be a string',
      type: 'string.base'
    }]
  }'
}
```

```js
throw new AppError('invalid user or password.', { code: 'SERVICE_ERROR', details: [] });
```
body:
```js
{
  type: 'error',
  message: 'invalid user or password.',
  error: {
    code: 'SERVICE_ERROR',
    details: []
  }
}
```

status: 401, error:
```js
{
  text: 'Unauthorized'
}
```
As explained in the Readme, we are currently using stateless JWT: the server is unaware of who sends the request and does not maintain session state.

- First, you need to sign in (or sign up) with a POST request:

`POST http://localhost:3000/api/auth/signin`

with JSON body:
```json
{
  "email": "user@localhost.com",
  "password": "F5FSpvRGBvtwQWCQJY2Y"
}
```

The answer will be something like this:
```json
{
  "user": {
    "roles": [
      "user"
    ],
    "_id": "5cdfd9a18da698bacb4ca448",
    "provider": "local",
    "email": "user@localhost.com",
    "firstName": "User",
    "lastName": "Local",
    "displayName": "User Local",
    "password": "$2b$10$gmrfSq32PolvXKgAxt8BK.ic/mliTT3FU5/jE85HlJVjbNYlwjoga",
    "__v": 0,
    "id": "5cdfd9a18da698bacb4ca448"
  },
  "tokenExpiresIn": 1558263105423
}
```

with a Set-Cookie header like this:
```
Set-Cookie → TOKEN=aaaaaaaaaaaaa.bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb.ccccccc; Path=/; HttpOnly
```

- Second, you need to send this cookie with your API requests, and that's it!
- Third, you can renew the token before it expires as you wish; thanks to the sign-in response you know the expiration date. You can also check the status of the token regularly, via `/users/me` for example, or simply redirect the user to the sign-in page once the token has expired.
Two options are available in `config/default/development.js` for the defaults, and in `production.js` if you want to override the default values in production.

```js
// jwt is for token authentication
jwt: {
  secret: 'test', // secret for hash
  expiresIn: 7 * 24 * 60 * 60, // token expires in x sec
},
```
We use the package zxcvbn to check password strength:

```js
// zxcvbn is used to manage password security
zxcvbn: {
  minimumScore: 3,
},
```
There are two ways to set up HTTPS. The most common is to set up a reverse proxy in front of the Node server and enable Let's Encrypt. The second is to set up HTTPS directly on the Node server. Both are possible with the stack.

We recommend the reverse proxy method; however, we will not explain it here. Many tutorials already exist, and it depends on what you use: Apache, nginx, Traefik, Let's Encrypt...

To run your application securely with Express you'll need to use OpenSSL and generate a set of self-signed certificates.

- Unix-based users can use the following command:

```
npm run generate-ssl-certs
```

This will create the cert and key files and place them in the config/sslcerts folder.

- Windows users can follow the instructions found here. After you've generated the key and certificate, place them in the config/sslcerts folder.

Finally, uncomment and activate SSL in the configuration (config/defaults/development.js):

```js
// SSL on express server (FYI: Wiki)
secure: {
  ssl: true,
  key: './config/sslcerts/key.pem',
  cert: './config/sslcerts/cert.pem',
},
```