I converted the included .ejs "forgot password" mail template in the test directory to handlebars. The only variable used in the template is the code in the URL:

https://terms.raisingthefloor.org/api/users/reset?code={{user.code}}

Unfortunately, in the email sent, the question mark, ampersand, equals and other key characters are escaped. These are characters in the text of the template itself, and not values passed in a variable.

I went back and confirmed this also happens with ejs files. I'm hoping that the templating library offers a configuration option to control this behavior.

I needed to update to express 4 in an application and wanted to test express-couchUser in the new environment. In my testing it appears to work just fine without updating the local express dependency version or updating to use "express 4"isms.

I realized in working with POSTman and reviewing the raw JSON data returned to users that /api/user/:name is too free with what it shares.

Critically, it shares the "code" variable, meaning that anyone who knows a username can reset the password on someone else's account.

It also shares the new "verification_code" variable, meaning that spammers can bypass the verification mechanism.

Email is also a bit of a concern.

I would propose the following:

• Create a convenience function to strip sensitive variables (code, verification_code, salt, derived_key) from the raw user object returned by couch.
• Wrap any calls that return user data in that convenience function.

In that way we can decouple the required format coming from couch (which we need to see to verify logins, etc.) from the data users see. It's either that or make another view and make two calls for each request.

I would also propose requiring users to be logged in to poll /api/user/:name and other endpoints that expose user data. I'm thinking specifically of trawling for email addresses and valid usernames. Ideally we would add more protection for email addresses, but at least we will keep the data within the community of trust on a single site.

If you are happy with both I can put together the pull request.

It may be a good idea to update this module to support the latest and greatest from Node and Express. I'd be happy to assist with this process, too.

On the server side, req.session.user stores the current user. On the client side, the user object is returned on login, but users shouldn't have to log in repeatedly.

We need a way to tell which user is logged in on the client side based on their session cookie.

I propose adding /api/user/current as a GET interface that either returns the current user record from req.session.user, or throws a 401 status and asks the user to log in.

That will make it much easier to build client side calls that check the current user once and only require a login if needed.

@twilson63, if you're happy with this approach, I will create the pull request shortly.

Sometimes cookies are unacceptable. Is there any plans to support token auth easily? Or is it already available?

Thanks.

In addition to requiring logins for sensitive functions, we should also require that the user have a role to manipulate other user records. The check would be as follows.

• If the user is you, you can update your own record
• Otherwise, you have to belong to one of the allowed roles

The list of roles would be passed as config.adminRoles and default to [ "admin" ]. Setting config.adminRoles to false or undefined would disable the check and allow everyone access.

These checks would be added to the raw CRUD functions, but not to signup or other end-user self-service end points.

If you are OK with the proposed changes I will prepare another pull request.

When an upstream call to couch (for example) returns an error, the error is rethrown with error code 500. It would be better to pass along the upstream error code so that (for example) we can tell the difference between a server error when authenticating and an incorrect password.

As far as I can see, fixing this is simply a matter of replacing code like:

      if (err) { return res.send(500, err); }

With code like:

      if (err) { return res.send(err.status_code, err); }

I am putting together a pull request along those lines.

Hi there. Firstly - cool module, crazy that this hadn't already been done well.

Im trying to use some of the basic methods by following the readme, but so far im having no luck.

Every request I make is denied (500, 403), essentially saying I don't have access to the user's table. I have tried a signin method with my DB admin credentials and then a sign up request - didn't work.

The readme and its examples don't seem to make any any reference to where admin credentials go, so couchUser can execute the views from the init file on my _users database. There is two different usage examples at the top and bottom of the readme, and I have no idea what the bottom one refers to:

Top
var couchUser = require('express-couchUser');
var express = require('express');
var app = express();

// Required for session storage
app.use(express.cookieParser());
app.use(express.session({ secret: 'Use something else here.'}));

app.configure(function() {
app.use(couchUser({
users: 'http://localhost:5984/_users',
email: {
...
},
adminRoles: [ 'admin' ],
validateUser: function(data, cb) {...}
}));
});

Bottom
var user = require('express-user-couchdb');
var config = {
users: 'http://localhost:5984/_users',
email ....
};
app.config(function() {
// handle other requests first
app.use(express.router);
// handle core requests
app.use(user(config));
});
node init.js [couchdb users db]

So in simple terms, what is the minimum requirement to get this module up and running. Have I missed anything obvious?

Cheers

Attempting to sign in results in a server error that crashes express:

TypeError: Cannot call method 'regenerate' of undefined
    at /Users/duhrer/Source/rtf/rtf-terms-registry/express/node_modules/express-user-couchdb/index.js:63:21

This is because there is no check to see if the session already exists (and it doesn't for people who haven't yet logged in).

There is a similar problem with the signout call as well:

TypeError: Cannot call method 'destroy' of undefined
    at /Users/duhrer/Source/rtf/rtf-terms-registry/express/node_modules/express-user-couchdb/index.js:78:17

With angular, you cannot attach data to the body of the $http['delete] request call, so we cannot get the rev from req.body. Joel and I created a custom api call to delete users. Below is the code that worked for us.

From Angular

$http['delete']('/api/user/del/' + user.name, {params: { rev: user._rev} })
    .success(function(data) {
     //handle response
    });

Node API Call

app.del('/api/user/del/:name', function(req, res) {
  var db = nano(config.users);
 db.destroy('org.couchdb.user:' + req.params.name, req.query.rev).pipe(res);
});

Hey there,

I'm unable to get your node-email-templates integration working. In other projects I'm using node-email-templates, nodemailer and the node-mailer-smtp-transport plugin directly, so I know my credentials are fine. Is there something wrong with my setup? It is:

email: {
    service: 'SMTP',
    SMTP: {
        host: Config.email.host, // smtp.hostingprovider.com
        port: Config.email.port, // 587
        auth: {
            user: Config.email.user, // my email address
            pass: Config.email.pass // my password
        },
        ignoreTLS: true // got this from the node-simplesmtp npm page
    },
    templateDir: `${Config.root}/server/templates/` // verified correct
}

One the client side, I get this error:

{
     "message": "Can't send mail - all recipients were rejected",
     "stack": "RecipientError: Can't send mail - all recipients were rejected\n, // etc
     "name": "RecipientError",
     "data": "550 Administrative prohibition",
     "stage": "rcpt"
}

The process also crashes the node server, with this error:

POST /api/user/forgot 500 2626.020 ms - 695
events.js:142
      throw er; // Unhandled 'error' event
      ^

Error: 140735214301184:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:../deps/openssl/openssl/ssl/s3_pkt.c:362:

    at Error (native)

I'm on node 5.2.0 and npm 3.5.2 on OSX El Capitan. I've got the latest XCode and Command Line Tools. Python 2.7.11. I've tried using node-sass 3.4.2 and their latest beta release. I've updated node-gyp globally. I've removed the node_modules folder, cleaned the cache and ran npm install. I can install node-email-templates and node-sass without issue. I get the following errors when trying to install express-user-couchdb:

gyp ERR! build error 
gyp ERR! stack Error: `make` failed with exit code: 2
gyp ERR! stack     at ChildProcess.onExit (/usr/local/lib/node_modules/npm/node_modules/node-   gyp/lib/build.js:276:23)
gyp ERR! stack     at emitTwo (events.js:88:13)
gyp ERR! stack     at ChildProcess.emit (events.js:173:7)
gyp ERR! stack     at Process.ChildProcess._handle.onexit (internal/child_process.js:201:12)
gyp ERR! System Darwin 15.3.0
gyp ERR! command "/usr/local/bin/node" "/usr/local/lib/node_modules/npm/node_modules/node-   gyp/bin/node-gyp.js" "rebuild"
gyp ERR! cwd /Users/Justin/Code/nec/kRaceSandbox/src/node_modules/express-user-couchdb/node_modules/node-sass
gyp ERR! node -v v5.2.0
gyp ERR! node-gyp -v v3.2.1
gyp ERR! not ok 
Build failed

and

npm ERR! Darwin 15.3.0
npm ERR! argv "/usr/local/bin/node" "/usr/local/bin/npm" "install" "--save" "express-user-couchdb"
npm ERR! node v5.2.0
npm ERR! npm  v3.5.2
npm ERR! code ELIFECYCLE

npm ERR! [email protected] install: `node build.js`
npm ERR! Exit status 1
npm ERR! 
npm ERR! Failed at the [email protected] install script 'node build.js'.

I realize there could be a problem anywhere in the chain, so I'm just starting with the module I'm unable to install. Any help would be awesome. Let me know if you need additional info. Thanks!

Hi,

I installed this package from node. Package installed successful. But how can i run it?

when i run:

node ./node_modules/express-user-couchdb/init http://localhost:5984/_users

im getting the following error:

{ Error: Document update conflict.
    at Request._callback (/home/kabus/node_modules/nano/nano.js:319:39)
    at Request.self.callback (/home/kabus/node_modules/nano/node_modules/request/request.js:122:22)
    at emitTwo (events.js:106:13)
    at Request.emit (events.js:191:7)
    at Request.<anonymous> (/home/kabus/node_modules/nano/node_modules/request/request.js:888:14)
    at emitOne (events.js:101:20)
    at Request.emit (events.js:188:7)
    at IncomingMessage.<anonymous> (/home/kabus/node_modules/nano/node_modules/request/request.js:839:12)
    at emitNone (events.js:91:20)
  name: 'Error',
  scope: 'couch',
  status_code: 409,
  'status-code': 409,

How can i set the user credentials?

/api/user/verify appears to be the mechanism by which a user is allowed to reset their password, but it's not yet implemented.

Functions like /user/signin, /user/signup, etc. should check for required data and throw a sensible error message and status code.

I am testing the module with express 4 (more on that later). I was having trouble tracking down the root cause because of this pattern, which is used often:

if (err) { return res.send(err.status_code, err); }

There are cases in which err does not have a status code, which itself throws an error. I will prepare a pull request which defaults to 500 if status_code is undefined.

I'm struggling to get this to work.

In working on recent tests, I have noticed that nock is not entirely preventing connections to the local couch instance, which is still required to run many tests.

I would propose one of the following:

1. migrating to using pouchdb for testing. I have had good results using that to replace couch in other unit tests, as long as the views used are not too complex (ours aren't in this case).
2. firewalling nock by disabling connections using disableNetConnect() and fixing any tests that break (see below).

For the firewalling option, I tried using code like the following:

 nock.disableNetConnect();
 nock.enableNetConnect("(localhost|127.0.0.1):(?!5984).*");

In doing so, I discovered that nock appears to be shared across tests, which is hugely dangerous. I will file a separate bug on that.

Hi there,

So, the GET /api/user/?roles=roles and POST /api/user/signin return only the fields name, email and roles from the db. Obviously we don't want salts or hashes, but I have other fields in the db I'd like to get back in the response. Is there some configuration option I'm missing? I think my setup is pretty much standard boilerplate:

app.use(couchUser({
    users: `${Config.couchDb.uri}/_users`,
    request_defaults: {
        auth: {
            user: Config.couchDb.adminUser,
            pass: Config.couchDb.adminPass
        }
    },
    email: {
        service: 'SMTP',
        SMTP: {
            host: Config.email.host,
            port: Config.email.port,
            auth: {
                user: Config.email.user,
                pass: Config.email.pass
            },
            tls: {
                rejectUnauthorized: false
            }
        },
        templateDir: `${Config.root}/server/templates/`
    },
    adminRoles: [ 'admin' ]
}));

One database per user seems a popular approach for CouchDB. This project adds many features missing in CouchDB authentication. Perhaps it could also add creation of a database on a signup? Any plans along those lines?

When logging in, we seem to have a hybrid approach, and set our own cookies rather than letting express-session take care of it:

    req.session.regenerate(function() {
      req.session.user = user;
      req.session.save();

      res.writeHead(200, { 'set-cookie': headers['set-cookie']});
      res.end(JSON.stringify({ok:true, user: strip(user)}));
    });

In my testing, this fails outright with newer versions of express. Instead we need to stop setting the cookies and calling regenerate ourselves, which does work.

In working with the mocha tests recently, I discovered a disturbing behavior.

Configuring "nock" in one test file affects the instances of nock in other objects. I tried disabling connections from the signup tests using code like:

describe('User sign up', function() {
  var nock = require('nock');
  nock.disableNetConnect();
  nock.enableNetConnect("(localhost|127.0.0.1):(?!5984).*");

This somehow managed to break tests running in completely separate files, which should never happen. Either one of two things is happening:

1. The "nock" object is somehow shared between tests.
2. Disabling network connections in one test means that data created by the test no longer exists in couch itself.

Either of these is a problem. I was seeing cases in which three tests would fail and then would work again if you waited a few seconds. I suspect either the nock problem or the direct use of couch is causing this.

In addition to allowing password resets and "forgot" password links, it would be useful to require users to confirm that their email address is valid before allowing them to log in.

In testing the library with multiple users, I've discovered that the "forgot password" feature does not handle multiple accounts with the same email address sanely. Only the first account returned for a given email address is associated with the reset token. This makes it impossible to reset the password for any other accounts associated with the same email address.

I can see a few ways to address this:

1. Make the signup method check to see if a user with the suggested email address already exists and throw an error.
2. Make the "forgot password" function accept a username or an email address.
3. Do both.

Happy to make the changes and submit a pull request, just let me know what approach you'd prefer.