jedireza / frame Goto Github PK

What and where is the best place to add directory of static content
that the server will using http?

I wanted to ask that you might add a general description to the top of the documents about what they do and control flow to and from the documents. I'm new to the industry and we are using hapi for a webservice project but i would like more information to help the learning process. Especially considering this is an example posted directly on Hapi's site.

Let's say a Dev wanted to extend frame to support oauth and client management? Any suggestions on the best practices for this?

Also, kinda related, I don't understand the meaning behind your usage of the word "pivot."

I saw how it's used in your aqua framework, and I assume it's the identical idea in frame. I get what it does, but the feature comes off a little weird to me. Can you elaborate on it?

Hi jedireza, thanks for building frame. I dig it!

I wanted to ask you, What's your rationale for the eccentric indentation style for stuff in the models folder, and functions in general? Everything is flattened, like statements inside functions and stuff... they're vertically aligned with the function definition, etc.

I like the stuff you make, and thought you may have some wisdom on why you do this.

https://github.com/jedireza/frame/wiki/Users,-Roles-&-Groups

I reorganized it, added a graphic, and made stylistic changes. I'm not sure if you get notifications for this, so just putting this here.

Let me know if I was wrong about something, and I'll fix it!

[Error: failed to connect to [localhost:27017]]

Running setup.js seems to be failing when calling the BaseModel.connect function. The url does not appear to be getting passed into haps-mongo-models property. Using the default for the mongodb url.

/Users/chad/Documents/Development/example-code/frame/node_modules/mongodb/lib/mongodb/connection/url_parser.js:14
  if(url.indexOf("mongodb://") != 0)
         ^
TypeError: Cannot call method 'indexOf' of undefined
    at exports.parse (/Users/chad/Documents/Development/example-code/frame/node_modules/mongodb/lib/mongodb/connection/url_parser.js:14:10)
    at Function.MongoClient.connect (/Users/chad/Documents/Development/example-code/frame/node_modules/mongodb/lib/mongodb/mongo_client.js:164:16)
    at Function.BaseModel.connect (/Users/chad/Documents/Development/example-code/frame/node_modules/hapi-mongo-models/lib/base-model.js:16:25)
    at Array.Async.auto.connect [as 0] (/Users/chad/Documents/Development/example-code/frame/setup.js:121:27)
    at /Users/chad/Documents/Development/example-code/frame/node_modules/async/lib/async.js:487:38
    at Array.forEach (native)
    at _each (/Users/chad/Documents/Development/example-code/frame/node_modules/async/lib/async.js:46:24)
    at Object.async.auto (/Users/chad/Documents/Development/example-code/frame/node_modules/async/lib/async.js:458:9)
    at Array.Async.auto.setupRootUser [as 1] (/Users/chad/Documents/

On /api/signup if nodemailer call fails to make the outbound mail send call the client gets a 500 error but the account was created.

Since the account was created this should return a successful response.

Suppose it gets tricky if you are requiring email confirmation... if the mailer fails should you NOT create and throw a generic error?

I've noticed that when you log in multiple times, the previous logins are removed and hence invalidated. This means that you can't log in from different locations. Is this intentional or just something left for the implementor to add?

It seems the invalidation happens in Session.create, where you clear out other sessions from the same user apart from the one just created.

It seems to make sense for when there is only 1 client for the api, but if there multiple clients, each login will invalidate the login of other clients. Just wondering what the rationale was for this?

Thanks!

events.js:72
throw er; // Unhandled 'error' event
^
Error: listen EADDRINUSE
at errnoException (net.js:901:11)
at Server._listen2 (net.js:1039:14)
at listen (net.js:1061:10)
at net.js:1135:9
at dns.js:72:18
at process._tickDomainCallback (node.js:459:13)

I'm starting out trying to be a Legit Programmer, and I read some tutorials on how to design REST apis.

My question, Why are most of the endpoints pluralized? I get the impression that there aren't hard and fast rules, but it seems like people consider singular noun endpoints as the "right" way to do it. I'm thinking about reformulating your endpoints as singular nouns. I can send you a PR if you want for this.

More important, I'd like to hear your rationale behind this design decision.

Would this be beyond the scope of this project?

To keep new projects simple it's probably best to just create one server. In order to do that effectively, we also need to configure a base path for the api plugins.

Instead of using:

plugin.route({
    method: 'GET',
    path: '/route',
    config: {
        auth: 'simple',
        pre: [
            authPlugin.preware.ensureUserRole('admin'), // changing this
            authPlugin.preware.ensureAdminGroup('root')
        ]
    },
    handler: function (request, reply) {

        reply(...);
    }
});

we could use something like:

plugin.route({
    method: 'GET',
    path: '/route',
    config: {
        auth: {
            strategy: 'simple',
            scope: 'admin' // to this
        },
        pre: [
            authPlugin.preware.ensureAdminGroup('root')
        ]
    },
    handler: function (request, reply) {

        reply(...);
    }
});

For more details on scope see: http://hapijs.com/api#serverrouteoptions

Checkout the alternative: https://github.com/markdown-it/markdown-it

Just a question.

I can see that hapi-auth-basic and hapi-auth-cookie provide very similar security level as you generate password per session for auth-basic.

Also I see advantage that session model can be easily extended for additional data that are useful to keep in session, no need to use https://github.com/hapijs/yar for session data.

So basically just wondering what was your thought process to go for basic-authentication. I can also see using auth-basic in frame as beneficial :-).. just basically trying to make sure that I don't miss something as I considered hapi-auth-cookie as more common and secure option before.

I can see from the code, when you create a user, there is also an account that is created within the user model. The full name is stored in account and the username is stored in user.

What is the intention of the separation? It appears that a user would have multiple accounts, so say I want to add twitter/facebook logins, would the best way be to add these as accounts to the user?

Generally, when extending the codebase, what would you put in User and what would you put in Account?

Would love to have some documentation to clear this up =)

Since Frame has no example front end like Drywall, I need some specs I can work against.

I have trouble getting the basic auth working. What does the simple auth expect from the user/front end.

The auth informations in hapi.js:

request.auth // session with user and token

In my expectation I should just need to send my auth header like this:
Delete /logout/

Authorization:username "myUser" token "§#token$%"

And hapi or frame would write this to request.auth, but this is not the case, so frames auth informations are not not coming from the http authorisation header.. I guess?

More informations would be great and helpful.

Hi,

After upgrading to the latest version of frame (v3.1.1) i'm having an issue when running npm test any ideas what this could be?

Failed tests:

  3) App it composes a server:

      Unknown authentication strategy: simple in path: /api/users

Just going through the source code to familiarize more with the project. Its looks really great!

Noticed one small thing:
https://github.com/jedireza/frame/blob/master/server/auth.js#L9
You are using connection.auth.strategy, I don't think you are supposed to use connection api directly as it is hidden behind server api. So I think it should be just server.auth.strategy and it will be applied for all connections for you.

Just a list of things I have not addressed that Drywall has:

• account signup email verification
• helmet helmet(app);
• csrf app.use(csrf({ cookie: { signed: true } }));
  • use crumb
• compression app.use(require('compression')());
• social signup and login (via Passport.js)

Are they out, or still on your ToDo list?

Reference: jedireza/hapi-mongo-models#8

https://github.com/jedireza/frame/blob/master/test/server/models/user.js#L142

Can I access the user role from somewhere, or can I add it to the login response object and ask for a pull request. Its hard to guess what the user is permitted to.

https://github.com/jedireza/frame/blob/master/server/api/signup.js#L160

Need to remove the array index just like in jedireza/aqua#19

Hi,

I was just wandering what would be best practice with regards to git committing the config.js obviously it holds some sensitive data but not quite sure how this would fit into using a CI tool with automated deploys.

What should I deploy to heroku? which file should be run first
what changes should I do in the configs
Should I run the setup with with params for the production environment ?
which file should i call in "web: node index.js"?

Thanks
Amit Shvil

Currently an admin could change the identity of their user record via a PUT to /api/users/:id where the :id is their User._id. And during a subsequent request, the Session check will fail if their username (and possibly email) have changed.

On Account Update request, the name object will be overwritten by the firstname.

Payload:

payload: {
  name: Joi.object().keys({
    first: Joi.string().required(),
    middle: Joi.string().allow(''),
    last: Joi.string().required()
  }).required()
}

Update:

var update = {

  $set: {
    name: request.payload.name.first // must be 'request.payload.name'
  }
};

Line

We need to ensure that usernames and email addresses are stored and compared in a case-insensitive fashion.

I ran my fork for frame through an analyzer and found a couple interesting things about some of the dependencies that I thought you might want to be aware of.

screen shot: http://screencast.com/t/luXxtnEcu

Hey,
I'm about to add permissions and groups to ngFrame, but there is one problem.

In Drywall, according to the schemas you have an Array of groups and permissions.
In Frame you can push whatever to permissions and the groups are not an array after all.
I also don't see a way to update/delete permissions.

So what I actually want:

/admins/{id}/permissions:

A way to delete and update (update for permit true/false).
A solid schema, so I cant override the permission array and add any attributes.

/admins/{id}/groups:

Should be an array, is an object and can also be overridden (this could be anything groups: Joi.object().required()).

If you got any questions ask me any time :)

hey jedireza,
i think the link/unlink handlers stated below don't return the result of the successful operation. they return just empty. if you wanted to return the updated account

reply(results.account[0]) 

should be

reply(results.account); 

---
server.route({
    method: 'DELETE',
    path: options.basePath + '/accounts/{id}/user',

server.route({
    method: 'PUT',
    path: options.basePath + '/accounts/{id}/user',

Just letting you know.

We need to add an extra check after we get credentials, incase the user property is null.

var credentials = request.auth.credentials || { user: {} };
var user = credentials.user || {}; // this is the fix

I branched from master [2cf0d23] and logout doesn't work. I see that the logout code looks for 'username' in sessions but the key, i believe, should be 'userId' and the value shouldn't be the username it should be userId: user._id.toString()

Whats with the session being created on signup with the userId set to the username?

https://github.com/jedireza/frame/wiki/Issues-using-Gmail-SMTP

Potential #3
Setting in your Google Account>Signing In>Access for less secure apps

Set to 'Allowed' instead of 'Blocked'

Hello,

when i run "npm run setup" under C:\dev\js\frame that is cloned from github on 14-04-2015, i get the following error. Please advise and many thanks in advance.

0 info it worked if it ends with ok
1 verbose cli [ 'c:\\Program Files\\nodejs\\node.exe',
1 verbose cli   'c:\\Program Files\\nodejs\\node_modules\\npm\\bin\\npm-cli.js',
1 verbose cli   'run',
1 verbose cli   'setup' ]
2 info using [email protected]
3 info using [email protected]
4 verbose run-script [ 'presetup', 'setup', 'postsetup' ]
5 info presetup [email protected]
6 info setup [email protected]
7 verbose unsafe-perm in lifecycle true
8 info [email protected] Failed to exec setup script
9 error [email protected] setup: `./setup.js`
9 error Exit status 1
10 error Failed at the [email protected] setup script.
10 error This is most likely a problem with the frame package,
10 error not with npm itself.
10 error Tell the author that this fails on your system:
10 error     ./setup.js
10 error You can get their info via:
10 error     npm owner ls frame
10 error There is likely additional logging output above.
11 error System Windows_NT 6.2.9200
12 error command "c:\\Program Files\\nodejs\\node.exe" "c:\\Program Files\\nodejs\\node_modules\\npm\\bin\\npm-cli.js" "run" "setup"
13 error cwd c:\dev\js\frame
14 error node -v v0.10.35
15 error npm -v 1.4.28
16 error code ELIFECYCLE
17 verbose exit [ 1, true ]

Still a lot to do, I just started and wanted to publish early.

Here we go: https://github.com/Silom/ngFrame

We have to give up sudo, so, if we don't need that we should be good.

the code with promises is far more readable than with async. if we do not lose anything by using promises, move to promises.

hey jedireza,
great project! in the latest version starting the server fails due to missing mongodb url in hapi-mongo-models:

TypeError: Cannot read property 'url' of undefined
at Function.BaseModel.connect (frame/node_modules/hapi-mongo-models/lib/base-model.js:16:39)

the mongodb object is undefined at frame/node_modules/hapi-mongo-models/index.js:16:15

BaseModel.connect(mongodb, function (err, db) {

if i hardcode it here, everything works like expected

hapi uses good. would be good to have default file and console loggers as part of the build.

thanks

These api endpoints need a default sort option during query validation:

server/api/accounts.js
server/api/admin-groups.js
server/api/admins.js
server/api/auth-attempts.js
server/api/sessions.js
server/api/statuses.js
server/api/users.js

Example:

validate: {
    query: {
        // ...
        sort: Joi.string().default('_id'),
        // ...
    }
},

How should we deal with CORS?

Since we register two server, one for gui components and another for the api, we have to deal with http header manipulation at some point.

I will read more about this topic now, but from what I can tell now we have to add some flags to hapi.

CORS Cross-Origin Resource Sharing