Added a few more comments. Updated NPM packages. Built better testing for project hook. Added Dockerfile.

Author: neonexus

.dockerignore

@@ -0,0 +1,9 @@
+node_modules
+.git
+.gitignore
+config/local.js
+.tmp
+.idea
+
+README.md
+LICENSE

.idea/dictionaries/neonexusdemortis.xml

@@ -3,7 +3,7 @@ async-only: true # require use of "done" cb or an async function (a Promise)
 require:
     - 'test/hooks.js'
 spec:  'test/**/*.test.js'
-timeout: 5000 # Give Sails some breathing room... We are building schemas / data fixtures.
+timeout: 10000 # Give Sails some breathing room... We are building schemas / data fixtures.
 checkLeaks: true
 global:
     - '_'

.mocharc.yaml

@@ -9,6 +9,7 @@
     "hooks": {
         "grunt": false,
         "session": false,
-        "csrf": false
+        "csrf": false,
+        "blueprints": false
     }
 }

.sailsrc

@@ -0,0 +1,23 @@
+FROM node:12.18
+MAINTAINER NeoNexus DeMortis
+
+RUN apt-get update && apt-get upgrade -y
+RUN apt-get install -y curl ntp nano
+RUN mkdir /var/www && mkdir /var/www/myapp
+WORKDIR /var/www/myapp
+
+EXPOSE 1337
+# REMEMBER! NEVER STORE SECRETS, DEK's, PASSWORDS, OR ANYTHING OF A SENSITIVE NATURE IN SOURCE CONTROL! USE ENVIRONMENT VARIABLES!
+ENV PORT=1337 DB_HOSTNAME=localhost DB_USERNAME=user DB_PASSWORD=pass DB_NAME=myappdb DB_PORT=3306 DB_SSL=true DATA_ENCRYPTION_KEY=1234abcd4321asdf0987lkjh SESSION_SECRET=0987poiuqwer1234zxcvmnbv
+
+# This keeps builds more efficient, because we can use cache more effectively.
+COPY package.json /var/www/myapp/package.json
+RUN npm install
+
+COPY . /var/www/myapp/
+RUN npm run build
+
+# Expose the compiled public assets, so Nginx can route to them, instead of using Sails to do the file serving.
+VOLUME /var/www/myapp/.tmp/public
+
+CMD NODE_ENV=production node app.js --max-stack-size 32000

Dockerfile

@@ -1,8 +1,8 @@
 # sails-react-bootstrap-webpack
 
-[![Join the chat at https://gitter.im/sails-react-bootstrap-webpack/community](https://badges.gitter.im/sails-react-bootstrap-webpack/community.svg)](https://gitter.im/sails-react-bootstrap-webpack/community?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
+This is an opinionated base [Sails v1](https://sailsjs.com) application, using Webpack to handle Bootstrap (SASS) and React builds. It is designed such that, one can build multiple React frontends (an admin panel, and a customer site maybe), that use the same API backend. This allows developers to easily share React components across different frontends / applications. Also, because the backend and frontend are in the same repo (and the frontend is compiled before it is handed to the end user), they can share NPM libraries, like [Moment.js](https://momentjs.com)
 
-This is an opinionated base [Sails v1](https://sailsjs.com) application, using Webpack to handle Bootstrap (SASS) and React.
+Need help? Want to hire me to build your next app or prototype? You can contact me any time via Gitter: [![Join the chat at https://gitter.im/sails-react-bootstrap-webpack/community](https://badges.gitter.im/sails-react-bootstrap-webpack/community.svg)](https://gitter.im/sails-react-bootstrap-webpack/community?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
 
 # Branch Warning
 The `master` branch is experimental, and the [release branch](https://github.com/neonexus/sails-react-bootstrap-webpack/tree/release) (or the [`releases section`](https://github.com/neonexus/sails-react-bootstrap-webpack/releases)) is where one should base their use of this template.
@@ -22,6 +22,9 @@ The `master` branch is experimental, and the [release branch](https://github.com
 ## How to Use
 This repo is not installable via `npm`. Instead, Github provides a handy "Use this template" (green) button at the top of this page. That will create a special fork of this repo (so there is a single, init commit, instead of the commit history from this repo).
 
+### Configuration
+In the `config` folder, there is `local.js.sample` file, which is meant to be copied to `local.js`. This file is ignored by Git, and intended for use in local development, not remote servers.
+
 ### Scripts built into [`package.json`](package.json):
 
 | Command       | Description

README.md

@@ -6,22 +6,34 @@ This is where all API controllers, custom hooks, helpers, models, policies and r
 
 Controllers handle API requests, and decide how to respond, using the custom responses, which track API requests in our datastore.
 
+See: [Actions and Controllers](https://sailsjs.com/documentation/concepts/actions-and-controllers)
+
 ## Helpers
 
 Helpers are generic, reusable functions used by multiple controllers (or hooks, policies, etc).
 
+See: [Helpers](https://sailsjs.com/documentation/concepts/helpers)
+
 ## Hooks
 
 Custom hooks (currently only the 1), are used to tap into different parts of a request. The custom hook setup in this repo, is designed to start recording an API request, while the custom responses finalize the record.
 
+See: [Project Hooks](https://sailsjs.com/documentation/concepts/extending-sails/hooks/project-hooks)
+
 ## Models
 
 The data models inform Sails (really Waterline) how to create / modify tables (if `sails.config.models.migrate === 'alter'`), or our custom [schema validation and enforcement](../README.md#schema-validation-and-enforcement) on how it should behave.
 
+See: [Models](https://sailsjs.com/documentation/concepts/models-and-orm/models)
+
 ## Policies
 
 Policies are simple functions, that determine if a request should continue, or fail. These are configured in [`config/policies.js`](../config/policies.js)
 
+See: [Policies](https://sailsjs.com/documentation/concepts/policies)
+
 ## Responses
 
 These custom responses handle the final leg of request logging. They are responsible for ensuring data isn't leaked, by utilizing the `customToJSON` functionality of models.
+
+See: [Custom Responses](https://sailsjs.com/documentation/concepts/extending-sails/custom-responses)

api/README.md

@@ -63,6 +63,7 @@ module.exports = {
         }).fetch();
 
         return exits.ok({
+            // Cookies are automatically handled in our custom response `ok`.
             cookies: [
                 {
                     name: sails.config.session.name,

api/controllers/admin/login.js

@@ -11,6 +11,7 @@ module.exports = {
     inputs: {
         extra: {
             type: 'string',
+            description: 'A bit of random, extra bits to change up the hash.',
             defaultsTo: 'Evil will always triumph, because good is dumb. -Lord Helmet'
         }
     },
@@ -23,7 +24,7 @@ module.exports = {
             .update(
                 crypto.randomBytes(21)
                 + moment(new Date()).format()
-                + 'I am a little tea pot'
+                + 'I am a tea pot' // The best HTTP status code
                 + inputs.extra
                 + crypto.randomBytes(21)
             )

api/helpers/generate-csrf-token.js renamed to api/helpers/generate-csrf-token-and-secret.js

@@ -1,7 +1,7 @@
 module.exports = {
-    friendlyName: 'Keep Model Safe',
+    friendlyName: 'Keep Models Safe',
 
-    description: 'Enforce custom .toJSON() is called recursively.',
+    description: 'Enforce custom .toJSON(), called recursively on the input data object to prevent data leaking to outside world.',
 
     sync: true, // function is not async
 
@@ -17,17 +17,18 @@ module.exports = {
     },
 
     fn: (inputs, exits) => {
-        const dataCopy = _.merge({}, inputs.data);
+        const dataCopy = _.merge({}, inputs.data); // don't modify the object given
 
-        // force all objects to their JSON formats, if it has said function
-        // this prevents accidental leaking of sensitive data, by utilizing customToJSON on models
+        // Force all objects to their JSON formats, if it has .toJSON() function.
+        // This prevents accidental leaking of sensitive data, by utilizing .customToJSON() in model definitions.
         (function findTheJson(data) {
             _.forEach(data, (val, key) => {
                 if (_.isObject(val)) {
                     return findTheJson(val);
                 }
 
                 if (val && val.toJSON && typeof val.toJSON === 'function') {
+                    // If this is a moment.js object, force it to .format() instead of .toJSON().
                     if (val.toDate && typeof val.toDate === 'function' && typeof val.format === 'function') {
                         data[key] = val.format();
                     } else {

api/helpers/generate-token.js

@@ -18,7 +18,17 @@ module.exports = {
     },
 
     exits: {
-        success: {}
+        success: {
+            description: 'Returns `data` input, minus the cookies object.'
+        },
+
+        missingName: {
+            description: 'Cookie name is missing.'
+        },
+
+        missingValue: {
+            description: 'Cookie value is not defined.'
+        }
     },
 
     fn: function(inputs, exits) {
@@ -31,10 +41,18 @@ module.exports = {
                         : [inputs.data.cookies];
 
         cookies.map((cookie) => {
+            if (!_.isDefined(cookie.name) || !_.isString(cookie.name) || _.isEmpty(cookie.name)) {
+                throw 'missingName';
+            }
+
+            if (!_.isDefined(cookie.value)) {
+                throw 'missingValue';
+            }
+
             const defaultCookie = {
-                signed: true,
-                httpOnly: true,
-                secure: sails.config.session.cookie.secure
+                signed: true, // Sign the cookie to prevent tampering.
+                httpOnly: true, // Prevent JS from being able to read / write to this cookie in most browsers.
+                secure: sails.config.session.cookie.secure // Only allow over HTTPS.
             };
 
             if (cookie.value === null) {

api/helpers/keep-models-safe.js

@@ -15,16 +15,27 @@ module.exports = {
         }
     },
 
-    exits: {},
+    exits: {
+        success: {},
+
+        serverError: {}
+    },
 
     fn: async (inputs, exits) => {
+        // Do nothing if we don't have a session, or this is a GET request.
         if (inputs.req.method === 'GET' || !inputs.req.session || !inputs.req.session.user || !inputs.req.session.id) {
             return exits.success(inputs.data);
         }
 
         const foundSession = await Session.findOne({id: inputs.req.session.id});
 
-        const csrf = sails.helpers.generateCsrfToken();
+        if (!foundSession) {
+            throw new exits.serverError('Session could not be found in Update CSRF helper.');
+        }
+
+        const csrf = sails.helpers.generateCsrfTokenAndSecret();
+
+        // Update stored session data, so we can compare our token to the secret on the next request (handled in the isLoggedIn policy).
         const newData = _.merge({}, foundSession.data, {_csrfSecret: csrf.secret});
 
         Session.update({id: inputs.req.session.id}).set({

api/helpers/set-cookies.js renamed to api/helpers/set-or-remove-cookies.js

@@ -9,7 +9,7 @@ module.exports = {
         },
 
         user: {
-            model: 'user',
+            model: 'User',
             required: true
         },
 

api/helpers/update-csrf.js

@@ -2,7 +2,7 @@ module.exports = async function(req, res, next) {
     const sessionId = req.signedCookies[sails.config.session.name] || null;
 
     if (sessionId) {
-        const foundSession = await Session.findOne({id: sessionId});
+        const foundSession = await sails.models.session.findOne({id: sessionId});
 
         if (foundSession && foundSession.data.user) {
             req.session = {id: sessionId, user: foundSession.data.user};
@@ -18,6 +18,7 @@ module.exports = async function(req, res, next) {
             }
         }
 
+        // Doesn't look like this session is valid, remove the cookie.
         res.clearCookie(sails.config.session.name, {signed: true, httpOnly: true, secure: sails.config.session.cookie.secure});
     }
 

api/models/Session.js

@@ -0,0 +1,5 @@
+# Custom Responses
+
+Here are the custom responses, used to capture the final leg of a request for logging, including run time.
+
+These responses are also responsible for running the [`keepModelsSafe`](../helpers/keep-models-safe.js) helper, to prevent leaking of sensitive info, by utilizing the `customToJSON` functionality of models.

api/policies/isLoggedIn.js

@@ -10,8 +10,13 @@ module.exports = async function sendOK(data) {
         data = {message: data};
     }
 
+    // ensure our models stay safe out there
     data = sails.helpers.keepModelsSafe(data);
-    data = sails.helpers.setCookies(data, res);
+
+    // set or remove cookies
+    data = sails.helpers.setOrRemoveCookies(data, res);
+
+    // handle CSRF tokens
     data = await sails.helpers.updateCsrf(data, req);
 
     const out = _.merge({success: true}, data);

api/responses/README.md

@@ -73,31 +73,25 @@ class AdminRouter extends React.Component {
         }
 
         return (
-            <Router>
-                <Route
-                    render={({location}) => (
-                        <APIProvider>
-                            <UserProvider>
-                                <RenderOrLogin location={location}>
-                                    <SidebarNav>
-                                        <Switch>
-                                            <Route path="/admin/dashboard">
-                                                <Dashboard />
-                                            </Route>
-                                            <Route path="/admin/upgrade">
-                                                <Upgrade />
-                                            </Route>
-                                            <Route>
-                                                <Redirect to="/admin/dashboard" />
-                                            </Route>
-                                        </Switch>
-                                    </SidebarNav>
-                                </RenderOrLogin>
-                            </UserProvider>
-                        </APIProvider>
-                    )}
-                />
-            </Router>
+            <APIProvider>
+                <UserProvider>
+                    <RenderOrLogin>
+                        <SidebarNav>
+                            <Switch>
+                                <Route path="/admin/dashboard">
+                                    <Dashboard />
+                                </Route>
+                                <Route path="/admin/upgrade">
+                                    <Upgrade />
+                                </Route>
+                                <Route>
+                                    <Redirect to="/admin/dashboard" />
+                                </Route>
+                            </Switch>
+                        </SidebarNav>
+                    </RenderOrLogin>
+                </UserProvider>
+            </APIProvider>
         );
     }
 }

api/responses/ok.js

@@ -10,6 +10,9 @@ import AdminRouter from './Admin/AdminRouter';
 import MainRouter from './Main/MainRouter';
 
 function IndexApp() {
+    // This file is here mainly for Webpack's dev server; not used in remote settings.
+    // Webpack is configured to build the individual apps in their own folders in `.tmp/public` via `npm run build`.
+    // Sails will handle the webapp redirects in remote configurations.
     return (
         <Router>
             <Switch>

assets/src/Admin/AdminRouter.jsx

@@ -4,6 +4,10 @@ The majority of configuration files live in this folder. `local.js.sample` is in
 
 ## Things to keep in-mind
 
-NEVER store credentials, security keys, session secrets, etc in Git-tracked files!
+* NEVER store credentials, security keys, session secrets, etc in Git-tracked files!
+* `bootstrap.js` Has nothing to do with the CSS framework Bootstrap. It is actually the last file Sails runs before being fully "lifted". Currently, this repo uses this file for schema validation and enforcement on production servers. Read more about this in the main [README](../README.md#schema-validation-and-enforcement).
 
-`bootstrap.js` Has nothing to do with the CSS framework Bootstrap. It is actually the last file Sails runs before being fully "lifted". Currently, this repo uses this file for schema validation and enforcement on production servers. Read more about this in the main [README](../README.md#schema-validation-and-enforcement).
+### Useful Links
+
+* [Sails documentation for configuration](https://sailsjs.com/documentation/concepts/configuration)
+* [Sails bootstrap documentation](https://sailsjs.com/documentation/reference/configuration/sails-config-bootstrap)

assets/src/index.jsx

@@ -170,7 +170,10 @@ module.exports = {
          * > (For a full list, see https://sailsjs.com/plugins/sessions)            *
          *                                                                          *
          ***************************************************************************/
-        adapter: 'express-mysql-session',
+
+        // We are handling sessions without Sails' middleware, and using Models directly.
+
+        //adapter: 'express-mysql-session',
         // adapter: '@sailshq/connect-redis',
         // url: 'redis://user:password@localhost:6379/databasenumber',
         //--------------------------------------------------------------------------
@@ -208,18 +211,12 @@ module.exports = {
          ***************************************************************************/
         cookie: {
             secure: true,
+            // this age is when we choose not to use "session" cookies, and want max-age instead.
             maxAge: 24 * 60 * 60 * 1000  // 24 hours
         },
 
         // https://jsfiddle.net/fsbd3ey5/1/
         secret: process.env.SESSION_SECRET, // DO NOT STORE THIS IN SOURCE CONTROL!!!
-
-        host: process.env.DB_HOSTNAME || 'localhost',
-        user: process.env.DB_USERNAME || 'produser',
-        password: process.env.DB_PASSWORD || 'myprodpassword',
-        database: process.env.DB_NAME || 'proddatabase',
-        port: process.env.DB_PORT || 3306,
-        ssl: (process.env.DB_SSL === 'true')
     },