kasvith / express-mongo-jwt-boilerplate

Express Mongo JsonWebToken boilerplate

Email confirmation after registration #15

Closed d0peCode closed 5 years ago

d0peCode commented 5 years ago

I implemented an email confirmation feature in my fork, but before I create a new PR I have a question.

What does this code do?

userSchema.method({
  transform () {
    const transformed = {}
    const fields = ['id', 'name', 'email', 'createdAt', 'activationKey', 'role']

    fields.forEach((field) => {
      transformed[field] = this[field]
    })

    return transformed
  },

  passwordMatches (password) {
    return bcrypt.compareSync(password, this.password)
  }
})

I'm sending mail in .post mongoose hook and I don't know if I should add following code to it:

if (!this.isModified('activationKey')) {
  console.log('Not modified.. but what does it mean?')
  return next()
}

Also, a second question: currently I'm sending the email and have a /cofirm endpoint to set active to true, but I'm not checking if the user is active when logging in. What is the most convenient place to check it? In the controller or in the findAndGenerateToken function? Or maybe somewhere else?


While waiting for a reply, for now I just added this line

if (!user.active) throw new APIError(`User not activated`, httpStatus.UNAUTHORIZED)

to the findAndGenerateToken function.

d0peCode commented 5 years ago

@kasvith I created a new PR, take a look: #16

kasvith commented 5 years ago
userSchema.method({
  transform () {
    const transformed = {}
    const fields = ['id', 'name', 'email', 'createdAt', 'activationKey', 'role']

    fields.forEach((field) => {
      transformed[field] = this[field]
    })

    return transformed
  },

  passwordMatches (password) {
    return bcrypt.compareSync(password, this.password)
  }
})

This method drops unwanted fields from the schema when it is used elsewhere. For example, to retrieve user information we don't need the user's password. You can see this only returns an object without the password.

d0peCode commented 5 years ago

We definitely don't want to send the activationKey in the response to the user. We want them to click the link in the mail.

kasvith commented 5 years ago

Just remove it from the array and it will not be shown to the user. Also, I think we should keep activation codes in one mongo collection with the userID, the activation code and a timestamp.

Then we can add an expiration to the email activation codes.

kasvith commented 5 years ago

I think we should use inverted logic here. I will make a PR for that once yours is merged :)

Then we check for the keys that need to be removed from the user model when it is requested from outside.

d0peCode commented 5 years ago

I think we should use inverted logic here. I will make a PR for that once yours is merged :)

I'm working on the #12 bug. The solution will have breaking changes. Maybe it's a good idea to wait for it before your new PR.