Welcome to the Node wiki! Here you will find various information about this repo.
```js
responses.success(res, 'task created')({});
```

body:

```js
{
  type: 'success',
  message: 'task created',
  data: {}
}
```
```js
responses.error(res, 422, 'Unprocessable Entity', 'task creation failed')({ err });
```

body:

```js
{
  code: 422,
  message: 'Unprocessable Entity',
  description: 'task creation failed',
  type: 'error',
  error: '{err}'
}
```
```js
responses.error(res, 422, 'Unprocessable Entity', errors.getMessage(err))({ err });
```

body:

```js
{
  code: 422,
  message: 'Unprocessable Entity',
  description: 'Title must be a string. Name must be a string.',
  type: 'error',
  error: '{
    original: {
      title: 2,
      description: 'do something about something else'
    },
    details: [{
      message: 'title must be a string',
      type: 'string.base'
    },
    {
      message: 'name must be a string',
      type: 'string.base'
    }]
  }'
}
```
```js
throw new AppError('invalid user or password.', { code: 'SERVICE_ERROR', details: [] });
```

body:

```js
{
  type: 'error',
  message: 'invalid user or password.',
  error: {
    code: 'SERVICE_ERROR',
    details: []
  }
}
```

status: 401, error:

```js
{
  text: 'Unauthorized'
}
```
As explained in the Readme, we currently use stateless JWT: the server keeps no session state and does not know who sends a request until the token it carries is verified.

- First, you need to sign in (or sign up) with a POST request:

POST http://localhost:3000/api/auth/signin

with JSON body:

```json
{
  "email": "user@localhost.com",
  "password": "F5FSpvRGBvtwQWCQJY2Y"
}
```
The answer will be something like this:

```json
{
  "user": {
    "roles": [
      "user"
    ],
    "_id": "5cdfd9a18da698bacb4ca448",
    "provider": "local",
    "email": "user@localhost.com",
    "firstName": "User",
    "lastName": "Local",
    "displayName": "User Local",
    "password": "$2b$10$gmrfSq32PolvXKgAxt8BK.ic/mliTT3FU5/jE85HlJVjbNYlwjoga",
    "__v": 0,
    "id": "5cdfd9a18da698bacb4ca448"
  },
  "tokenExpiresIn": 1558263105423
}
```

with a Set-Cookie header like this:

```
Set-Cookie: TOKEN=aaaaaaaaaaaaa.bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb.ccccccc; Path=/; HttpOnly
```
- Second, send this cookie with every API request, and you are done.
- Third, you can renew the token before it expires whenever you wish; thanks to the sign-in response you know the expiration date. You can also check the status of the token regularly, via /users/me for example, or simply redirect the user to the sign-in page once the token has expired.
Two options are available in config/default/development.js for the defaults, and in production.js if you want to override the default values in production.

```js
// jwt is for token authentication
jwt: {
  secret: 'test', // secret used to sign the token
  expiresIn: 7 * 24 * 60 * 60, // token expires in x seconds
},
```
We use the package zxcvbn to check password strength.

```js
// zxcvbn is used to manage password security
zxcvbn: {
  minimumScore: 3,
},
```
There are two ways to set up HTTPS. The most common is to put a reverse proxy in front of the Node server and enable Let's Encrypt on it.
The second is to set up HTTPS directly on the Node server.
Both are possible with the stack.
We recommend the reverse proxy method, but we will not explain it here: many tutorials already exist, and the steps depend on what you use (Apache, nginx, Traefik, Let's Encrypt, ...).
To serve HTTPS directly from Express, generate a self-signed certificate with openssl:

```sh
mkdir -p config/sslcerts
openssl req -newkey rsa:4096 -nodes -keyout config/sslcerts/key.pem -x509 -days 365 -out config/sslcerts/cert.pem -subj "/CN=localhost"
```

Then activate SSL in your project config (config/defaults/{project}.config.js):

```js
secure: {
  ssl: true,
  key: './config/sslcerts/key.pem',
  cert: './config/sslcerts/cert.pem',
},
```