This commit adds:
- user.prototype.verify(verifyOptions, options, cb)
- remote method /user/:id/verify
- User.getVerifyOptions()

The remote method can be used to replay the sending of a user
identity/email verification message.

`getVerifyOptions()` can be fully customized programmatically
or partially customized using the user model's `.settings.verifyOptions`.

`getVerifyOptions()` is called under the hood when calling the
/user/:id/verify remote method.

`getVerifyOptions()` can also be used to ease the building
of identity verifyOptions:

```js
// `user` is an existing User model instance.
var verifyOptions = {
  type: 'email',
  from: 'noreply@example.com',
  template: 'verify.ejs',
  redirect: '/',
  generateVerificationToken: function (user, options, cb) {
    // Node-style callback: error first, then the token.
    cb(null, 'random-token');
  }
};

user.verify(verifyOptions);
```

NOTE: `User.login()` has been modified to return the userId when
failing due to unverified identity/email. This userId can then be used
to call the /user/:id/verify remote method.

Implement a new method for changing user password with password-reset
token but without the old password.

REST API

```
POST /api/users/reset-password
Authorization: your-password-reset-token-id
Content-Type: application/json

{"newPassword": "new-pass"}
```

JavaScript API

```
User.setPassword(userId, newPassword[, cb])
userInstance.setPassword(newPassword[, cb])
```

Note: the new REST endpoint is not protected by scopes yet, therefore
any valid access token can invoke it (similarly to how any valid access
token can change the password via PATCH /api/users/:id).

Implement a new method for changing user passwords the secure way.
The method requires the old password to be provided before a new
password can be used.

REST API:

```
POST /api/users/change-password
Authorization: your-token-id
Content-Type: application/json

{"oldPassword":"old-pass", "newPassword": "new-pass"}
```

JavaScript API:

```
User.changePassword(userId, oldPassword, newPassword[, cb])
```

There is also an instance-level (prototype) method that can be used
from JavaScript:

```
userInstance.changePassword(oldPassword, newPassword[, cb])
```
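
Added example, not part of the commit messages or the project's code: a plain Node.js model of the two password flows described above, showing why the unscoped reset-password endpoint accepts any valid access token and how a scope gate narrows it. The in-memory stores, the `reset-password` scope name, the `requireScope` switch and the status codes are assumptions made for illustration.

```javascript
// Added illustration in plain Node.js; this is not LoopBack code.
const crypto = require('crypto');

// Hypothetical in-memory stores holding constructed sample data.
const users = new Map();  // userId -> { salt, hash }
const tokens = new Map(); // tokenId -> { userId, scopes }

function storePassword(userId, password) {
  const salt = crypto.randomBytes(16);
  users.set(userId, { salt, hash: crypto.scryptSync(password, salt, 32) });
}

function checkPassword(userId, password) {
  const u = users.get(userId);
  if (!u) return false;
  const candidate = crypto.scryptSync(password, u.salt, 32);
  return crypto.timingSafeEqual(u.hash, candidate);
}

// change-password flow: a valid token AND proof of the old password.
function changePassword(tokenId, oldPassword, newPassword) {
  const t = tokens.get(tokenId);
  if (!t) return 401;                                    // assumed status codes
  if (!checkPassword(t.userId, oldPassword)) return 400;
  storePassword(t.userId, newPassword);
  return 204;
}

// reset-password flow: the token is the only credential.
// requireScope=false models the unscoped endpoint from the note;
// requireScope=true models a scope gate (assumed scope name).
function resetPassword(tokenId, newPassword, requireScope) {
  const t = tokens.get(tokenId);
  if (!t) return 401;
  if (requireScope && !t.scopes.includes('reset-password')) return 403;
  storePassword(t.userId, newPassword);
  return 204;
}

// Constructed sample data: one user, one login token, one reset token.
storePassword('u1', 'old-pass');
tokens.set('login-token', { userId: 'u1', scopes: [] });
tokens.set('reset-token', { userId: 'u1', scopes: ['reset-password'] });

// Neither call changes state: the scope gate and the old-password check refuse.
console.log(resetPassword('login-token', 'x', true));
console.log(changePassword('login-token', 'wrong', 'new-pass'));
```
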

Use local registry in test fixtures to prevent collision in globally
shared models.

Fix issues discovered in auth implementation where the global registry
was used instead of the correct local one.

- Re-mapping `updateAttributes` endpoint to use
  `PATCH` and `PUT` (configurable) verb
- Exposing `replaceById` and `replaceOrCreate` via
  `POST` and `PUT` (configurable) verb

Enable authentication for all User unit-tests to check that the ACLs are
correctly configured.
Fix the rule for `confirm` - the correct permission is `ALLOW`, not
`ACL.ALLOW`.