Force Lowercase & Remove Sensitive Data

almegdad · almegdad · commit aafa5e69cfb6 · 2015-09-01T21:09:20.000+03:00
* add directive to force username &amp; email lowercase
* remove sensitive data in password reset
* 2 space indentation  in reset &amp; forgot password views
diff --git a/modules/users/client/directives/users.client.directive.js b/modules/users/client/directives/users.client.directive.js
@@ -0,0 +1,14 @@
+﻿'use strict';
+
+// Users directive used to force lowercase input
+angular.module('users').directive('lowercase', function () {
+  return {
+    require: 'ngModel',
+    link: function (scope, element, attrs, modelCtrl) {
+      modelCtrl.$parsers.push(function (input) {
+        return input ? input.toLowerCase() : '';
+      });
+      element.css('text-transform', 'lowercase');
+    }
+  };
+});
diff --git a/modules/users/client/views/authentication/signin.client.view.html b/modules/users/client/views/authentication/signin.client.view.html
@@ -5,7 +5,7 @@ <h3 class="col-md-12 text-center">Or with your account</h3>
       <fieldset>
         <div class="form-group" show-errors>
           <label for="username">Username</label>
-          <input type="text" id="username" name="username" class="form-control" ng-model="credentials.username" placeholder="Username" required>
+          <input type="text" id="username" name="username" class="form-control" ng-model="credentials.username" placeholder="Username" lowercase required>
           <div ng-messages="userForm.username.$error" role="alert">
             <p class="help-block error-text" ng-message="required">Username is required.</p>
           </div>
diff --git a/modules/users/client/views/authentication/signup.client.view.html b/modules/users/client/views/authentication/signup.client.view.html
@@ -19,15 +19,15 @@ <h3 class="col-md-12 text-center">Or sign up using your email</h3>
         </div>
         <div class="form-group" show-errors>
           <label for="email">Email</label>
-          <input type="email" id="email" name="email" class="form-control" ng-model="credentials.email" placeholder="Email" required>
+          <input type="email" id="email" name="email" class="form-control" ng-model="credentials.email" placeholder="Email" lowercase required>
           <div ng-messages="userForm.email.$error" role="alert">
             <p class="help-block error-text" ng-message="required">Email address is required.</p>
             <p class="help-block error-text" ng-message="email">Email address is invalid.</p>
           </div>
         </div>
         <div class="form-group" show-errors>
           <label for="username">Username</label>
-          <input type="text" id="username" name="username" class="form-control" ng-model="credentials.username" placeholder="Username" required>
+          <input type="text" id="username" name="username" class="form-control" ng-model="credentials.username" placeholder="Username" lowercase required>
           <div ng-messages="userForm.username.$error" role="alert">
             <p class="help-block error-text" ng-message="required">Username is required.</p>
           </div>
diff --git a/modules/users/client/views/password/forgot-password.client.view.html b/modules/users/client/views/password/forgot-password.client.view.html
@@ -1,22 +1,22 @@
 <section class="row" ng-controller="PasswordController">
-    <h3 class="col-md-12 text-center">Restore your password</h3>
-    <p class="small text-center">Enter your account username.</p>
-    <div class="col-xs-offset-2 col-xs-8 col-md-offset-5 col-md-2">
-        <form ng-submit="askForPasswordReset()" class="form-horizontal" autocomplete="off">
-            <fieldset>
+  <h3 class="col-md-12 text-center">Restore your password</h3>
+  <p class="small text-center">Enter your account username.</p>
+  <div class="col-xs-offset-2 col-xs-8 col-md-offset-5 col-md-2">
+    <form ng-submit="askForPasswordReset()" class="form-horizontal" autocomplete="off">
+      <fieldset>
         <div class="form-group">
-          <input type="text" id="username" name="username" class="form-control" ng-model="credentials.username" placeholder="Username">
+          <input type="text" id="username" name="username" class="form-control" ng-model="credentials.username" placeholder="Username" lowercase>
         </div>
-                <div class="text-center form-group">
-                    <button type="submit" class="btn btn-primary">Submit</button>
-                </div>
-                <div ng-show="error" class="text-center text-danger">
-                    <strong>{{error}}</strong>
-                </div>
-                <div ng-show="success" class="text-center text-success">
-                    <strong>{{success}}</strong>
-                </div>
-            </fieldset>
-        </form>
-    </div>
+        <div class="text-center form-group">
+          <button type="submit" class="btn btn-primary">Submit</button>
+        </div>
+        <div ng-show="error" class="text-center text-danger">
+          <strong>{{error}}</strong>
+        </div>
+        <div ng-show="success" class="text-center text-success">
+          <strong>{{success}}</strong>
+        </div>
+      </fieldset>
+    </form>
+  </div>
 </section>
diff --git a/modules/users/client/views/password/reset-password.client.view.html b/modules/users/client/views/password/reset-password.client.view.html
@@ -1,26 +1,26 @@
 <section class="row" ng-controller="PasswordController">
-    <h3 class="col-md-12 text-center">Reset your password</h3>
-    <div class="col-xs-offset-2 col-xs-8 col-md-offset-5 col-md-2">
-        <form ng-submit="resetUserPassword()" class="signin form-horizontal" autocomplete="off">
-            <fieldset>
-                <div class="form-group">
-                    <label for="newPassword">New Password</label>
-                    <input type="password" id="newPassword" name="newPassword" class="form-control" ng-model="passwordDetails.newPassword" placeholder="New Password">
-                </div>
-                <div class="form-group">
-                    <label for="verifyPassword">Verify Password</label>
-                    <input type="password" id="verifyPassword" name="verifyPassword" class="form-control" ng-model="passwordDetails.verifyPassword" placeholder="Verify Password">
-                </div>
-                <div class="text-center form-group">
-                    <button type="submit" class="btn btn-lg btn-primary">Update Password</button>
-                </div>
-                <div ng-show="error" class="text-center text-danger">
-                    <strong>{{error}}</strong>
-                </div>
-                <div ng-show="success" class="text-center text-success">
-                    <strong>{{success}}</strong>
-                </div>
-            </fieldset>
-        </form>
-    </div>
+  <h3 class="col-md-12 text-center">Reset your password</h3>
+  <div class="col-xs-offset-2 col-xs-8 col-md-offset-5 col-md-2">
+    <form ng-submit="resetUserPassword()" class="signin form-horizontal" autocomplete="off">
+      <fieldset>
+        <div class="form-group">
+          <label for="newPassword">New Password</label>
+          <input type="password" id="newPassword" name="newPassword" class="form-control" ng-model="passwordDetails.newPassword" placeholder="New Password">
+        </div>
+        <div class="form-group">
+          <label for="verifyPassword">Verify Password</label>
+          <input type="password" id="verifyPassword" name="verifyPassword" class="form-control" ng-model="passwordDetails.verifyPassword" placeholder="Verify Password">
+        </div>
+        <div class="text-center form-group">
+          <button type="submit" class="btn btn-lg btn-primary">Update Password</button>
+        </div>
+        <div ng-show="error" class="text-center text-danger">
+          <strong>{{error}}</strong>
+        </div>
+        <div ng-show="success" class="text-center text-success">
+          <strong>{{success}}</strong>
+        </div>
+      </fieldset>
+    </form>
+  </div>
 </section>
diff --git a/modules/users/client/views/settings/edit-profile.client.view.html b/modules/users/client/views/settings/edit-profile.client.view.html
@@ -18,15 +18,15 @@
         </div>
         <div class="form-group" show-errors>
           <label for="email">Email</label>
-          <input type="email" id="email" name="email" class="form-control" ng-model="user.email" placeholder="Email" required>
+          <input type="email" id="email" name="email" class="form-control" ng-model="user.email" placeholder="Email" lowercase required>
           <div ng-messages="userForm.email.$error" role="alert">
             <p class="help-block error-text" ng-message="required">Email address is required.</p>
             <p class="help-block error-text" ng-message="email">Email address is invalid.</p>
           </div>
         </div>
         <div class="form-group" show-errors>
           <label for="username">Username</label>
-          <input type="text" id="username" name="username" class="form-control" ng-model="user.username" placeholder="Username" required>
+          <input type="text" id="username" name="username" class="form-control" ng-model="user.username" placeholder="Username" lowercase required>
           <div ng-messages="userForm.username.$error" role="alert">
             <p class="help-block error-text" ng-message="required">Username is required.</p>
           </div>
diff --git a/modules/users/server/config/strategies/local.js b/modules/users/server/config/strategies/local.js
@@ -15,7 +15,7 @@ module.exports = function () {
     },
     function (username, password, done) {
       User.findOne({
-        username: username
+        username: username.toLowerCase()
       }, function (err, user) {
         if (err) {
           return done(err);
diff --git a/modules/users/server/controllers/users/users.password.server.controller.js b/modules/users/server/controllers/users/users.password.server.controller.js
@@ -30,7 +30,7 @@ exports.forgot = function (req, res, next) {
     function (token, done) {
       if (req.body.username) {
         User.findOne({
-          username: req.body.username
+          username: req.body.username.toLowerCase()
         }, '-salt -password', function (err, user) {
           if (!user) {
             return res.status(400).send({
@@ -144,7 +144,10 @@ exports.reset = function (req, res, next) {
                   if (err) {
                     res.status(400).send(err);
                   } else {
-                    // Return authenticated user
+                    // Remove sensitive data before return authenticated user
+                    user.password = undefined;
+                    user.salt = undefined;
+
                     res.json(user);
 
                     done(err, user);
diff --git a/modules/users/server/models/user.server.model.js b/modules/users/server/models/user.server.model.js
@@ -51,15 +51,17 @@ var UserSchema = new Schema({
   },
   email: {
     type: String,
-    trim: true,
     unique: true,
+    lowercase: true,
+    trim: true,
     default: '',
     validate: [validateLocalStrategyEmail, 'Please fill a valid email address']
   },
   username: {
     type: String,
     unique: 'Username already exists',
     required: 'Please fill in a username',
+    lowercase: true,
     trim: true
   },
   password: {
@@ -139,7 +141,7 @@ UserSchema.methods.authenticate = function (password) {
  */
 UserSchema.statics.findUniqueUsername = function (username, suffix, callback) {
   var _this = this;
-  var possibleUsername = username + (suffix || '');
+  var possibleUsername = username.toLowerCase() + (suffix || '');
 
   _this.findOne({
     username: possibleUsername
