User Creation and Login

[tonyz0909]

As a user, I want to create my account and login using that account:

• At the end of the user registration process (VolunteerOnboarding1.jsx), submit the user information to the mongo database as a user object
• Implement volunteer/admin login using user data retrieved from the mongo db (currently hardcoded to accept anything with password = "admin")

[jazeved0]

Added/modified the necessary routes for basic user login/registration via email/password. Related to #50 and implemented in https://github.com/GTBitsOfGood/bog-vms/commit/b2c442ac66d152aa08bd3b3f92d1fd227a4b1fb5.

Added/Revamped Routes

POST /api/register/begin

First stage in registration process (first page for user registration). Only used to give email/password. Requires form data sent in:

password: 12345678
bio.email: john.doe@gatech.edu

Validates password length (> 8) and email structure. Validates email being unique before continuing.

Status Codes

• 400 (bad request) for failing validation, includes error data
• 409 (conflict) for non-unique email
• 202 (accepted) for all passing checks

POST /api/register/finish

Second/last stage in registration process (for user registration). Used to actually perform registration/create new document in database. Requires form data sent in:

bio.email:john.doe@gatech.edu
password: 12345678
bio.first_name: John
bio.last_name: Doe
bio.date_of_birth: 2020-03-08T22:11:55+0000
bio.street_address: 10 Lane St.
bio.city: Atlanta
bio.state: GA
bio.zip_code: 35363
bio.phone_number: 5035041932

Same validations as /api/register/begin, with the addition of: DOB must be ISO 8601, state must be alphabetical, zipcode must be numeric and 5 characters long, with no symbols. In addition, all other fields must exist except for skills_interests. Accepts same schema format as user document. Strips out all other fields other than the above and those in skills_interests before sending the user data to MongoDB to prevent injection.

Status Codes

• 400 (bad request) for failing validation, includes error data
• 409 (conflict) for non-unique email
• 403 (forbidden) for failed user document creation
• 200 (ok) for successful user creation, user object returned in response as response.user

POST /auth/login

Note that this URL is not under /api. Mostly implemented already; uses passport to implement cookie-based authentication (tied to session cookie). Used with logging in existing users via email//password. Note that the route uses username instead of email as the param key.

username: john.doe.4@gatech.edu
password: 12345678

Status Codes

• 401 (unauthorized) for failed login
• 200 (ok) for successful login, returns email in response as response.email. User can now access restricted routes if authentication is enabled

GET /auth/logout

Already implemented; used to clear cookie/log out. Afterwards, user cannot access restricted routes if authentication is enabled until they sign back in.