Implement a new method for changing user passwords the secure way.
The method requires the old password to be provided before a new
password can be used.

REST API:

    POST /api/users/change-password
    Authorization: your-token-id
    Content-Type: application/json

    {"oldPassword":"old-pass", "newPassword": "new-pass"}

JavaScript API:

    User.changePassword(userId, oldPassword, newPassword[, cb])

There is also an instance-level (prototype) method that can be used
from JavaScript:

    userInstance.changePassword(oldPassword, newPassword[, cb])

Adds an authorizedRoles object to remotingContext.args.options
which contains all the roles (static and dynamic) that are
granted to the user when performing a request through
strong-remoting to an app with authentication enabled.

The authorizedRoles object for example looks like:

    {
      $everyone: true,
      $authenticated: true,
      myRole: true
    }

NOTE: this PR also covers a number of jsdoc fixes as well
as refactoring in ACL.js and access-context.js

Allow custom properties to be added to Change Model,
and make change filter customizable through mixins
to allow adding the custom property to the filter
used to look up relevant changes during change replication.

Applications using MongoDB connectors typically have `user.id`
property of type ObjectID.
This commit fixes the code building the verification URL to
correctly convert the user id value into string.

Enhance User.prototype.verify to pass the generated token
to the templating function in addition to other existing properties.
This allows applications to build multiple URLs in the email template,
for example in order to provide a different URL for desktop and
mobile browsers.

Fixing server/middleware/token.js to handle correctly the
setup of a custom AccessToken model by name in either
middleware.json or using any of:

    app.use(loopback.token({...}));
    app.middlewareFromConfig(loopback.token, {...})
    app.middleware('auth', loopback.token({...}))

Modify `app.enableAuth()` to verify that (custom) User and AccessToken
models have correctly configured their hasMany/belongsTo relations
and print a warning otherwise.

Fix the code loading builtin models to always clone the JSON object
used as model settings/definition. This is needed to allow applications
to modify model settings while not affecting settings of new models
created in the local registry of another app.

Fix the code invalidating access tokens on user email/password changes
to correctly handle the case when the relation
"AccessToken belongs to (subclassed) user" is not configured.

Add a new model-level setting "replicationChunkSize" which allows
users to configure the change replication algorithm to issue several
smaller requests to fetch changes and upload updates.

* Fix Role.isOwner() for multiple user models (ebarault)
* Update ISSUE_TEMPLATE.md (Simon Ho)
* Upgrade supertest to 3.x (Miroslav Bajtoš)
* Fix creation of verification links (Miroslav Bajtoš)
* Enable multiple user models (Eric)
* Babelify juggler for Karma tests (Miroslav Bajtoš)
* Fix Karma config to babelify node_modules too (Miroslav Bajtoš)
* Add promise support to built-in model RoleMapping (ebarault)
* Add promise support to built-in model ACL (ebarault)
* Add nyc coverage, report data to coveralls.io (Miroslav Bajtoš)
* Upgrade eslint config, fix linter errors (Miroslav Bajtoš)
* Add missing type to Role properties definition (David Hernandez)
* Preserve sessions on User.save() making no changes (Miroslav Bajtoš)
* Fix logout to handle no or missing accessToken (Ritchie Martori)
* Promise-ify built-in Role model (Miroslav Bajtoš)
* Remove .jscsrc that's no longer used (Miroslav Bajtoš)
* Enable ES6/ES2015 goodness (Miroslav Bajtoš)
* Remove test/support.js from karma config (Miroslav Bajtoš)
* Use English when running Mocha tests (Miroslav Bajtoš)
* Update ISSUE_TEMPLATE (Simon Ho)
* Updating README - add cli and remove arc (Joe Sepi)
* Fix User methods to use correct Primary Key (Aris Kemper)
* Fix User.resetPassword to call createAccessToken() (João Ribeiro)
* Role model: resolves related models by name (Benjamin Kroeger)

Fix `Role.isOwner()` to check both principalId and principalType.
This fixes a bug where users from a different User model were treated
as owners as long as their user id was the same as owner's id.

Fix User.prototype.verify to call `querystring.stringify` instead
of concatenating query-string components directly.
In particular, this fixes the bug where `options.redirect` containing
a hash fragment like `#/home?arg1=value1&arg2=value2` produced an incorrect
URL, because the `redirect` value was not correctly encoded.
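
The two verification-link fixes described above (string conversion of the user id, and `querystring.stringify` for the `redirect` value), shown as an added example that is not LoopBack's own code. The endpoint URL, the function names and the ObjectID stand-in are assumptions made for illustration.

```javascript
const querystring = require('querystring');

// Hypothetical confirmation endpoint (assumption, not taken from the page).
const CONFIRM_URL = 'http://localhost:3000/api/users/confirm';

// Constructed stand-in for a MongoDB ObjectID: an object, not a string.
const sampleUserId = {
  hex: '507f1f77bcf86cd799439011',
  toString() { return this.hex; },
};

// "Before": query-string components concatenated without encoding.
function buildHrefByConcat(userId, redirect) {
  return CONFIRM_URL + '?uid=' + userId + '&redirect=' + redirect;
}

// "After": every component goes through querystring.stringify.
// querystring.stringify serializes non-primitive values as empty strings,
// so the id object is converted with String() first.
function buildHrefEncoded(userId, redirect) {
  return CONFIRM_URL + '?' + querystring.stringify({
    uid: String(userId),
    redirect: redirect,
  });
}

// What the confirmation endpoint would receive. The fragment is never
// sent to the server, so only the query part counts.
function serverSideParams(href) {
  const url = new URL(href);
  return {
    uid: url.searchParams.get('uid'),
    redirect: url.searchParams.get('redirect'),
    fragment: url.hash,
  };
}

const sampleRedirect = '#/home?arg1=value1&arg2=value2';
const broken = serverSideParams(buildHrefByConcat(sampleUserId, sampleRedirect));
const fixed = serverSideParams(buildHrefEncoded(sampleUserId, sampleRedirect));
console.log(broken); // redirect is empty, the value ended up in the fragment
console.log(fixed);  // redirect survives the round trip intact
```

With concatenation, the first `#` in the redirect value ends the query string, so the server sees an empty `redirect` and everything after it becomes a client-side fragment.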

Allow LoopBack applications to configure multiple User models and share
the same AccessToken model.

To enable this feature:

1) In your custom AccessToken model:
   - add a new property "principalType" of type "string".
   - configure the relation "belongsTo user" as polymorphic,
     using "principalType" as the discriminator

2) In your User models:
   - Configure the "hasMany accessTokens" relation as polymorphic,
     using "principalType" as the discriminator

When creating custom Role and Principal instances, set your
User model's name as the value of "principalType".
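
Why the owner check has to compare `principalType` as well as the id once several User models share one AccessToken model, as an added example on a simplified in-memory model (not LoopBack's implementation). The model names `Customer` and `Employee`, the record fields `ownerModel` and `ownerId`, and all sample data are constructed for illustration.

```javascript
// Constructed sample data: two user models whose ids overlap, sharing one
// AccessToken model that uses "principalType" as the discriminator.
const sampleTokens = [
  {id: 'tok-c1', userId: 1, principalType: 'Customer'},
  {id: 'tok-e1', userId: 1, principalType: 'Employee'},
  {id: 'tok-e2', userId: 2, principalType: 'Employee'},
];

// Constructed records; ownerModel/ownerId are hypothetical field names.
const sampleRecords = [
  {id: 'order-10', ownerModel: 'Customer', ownerId: 1},
  {id: 'report-7', ownerModel: 'Employee', ownerId: 2},
];

// Resolve a token to the principal it authenticates.
function principalOf(token) {
  return {principalType: token.principalType, principalId: token.userId};
}

// Behaviour described as the bug: only the id is compared.
function isOwnerByIdOnly(principal, record) {
  return String(principal.principalId) === String(record.ownerId);
}

// Behaviour described as the fix: id and principal type must both match.
function isOwner(principal, record) {
  return principal.principalType === record.ownerModel &&
    isOwnerByIdOnly(principal, record);
}

// Regression check: list every token/record pair that the id-only
// comparison accepts but the strict comparison rejects.
function crossModelGrants(tokens, records) {
  const findings = [];
  for (const token of tokens) {
    const principal = principalOf(token);
    for (const record of records) {
      if (isOwnerByIdOnly(principal, record) && !isOwner(principal, record)) {
        findings.push(token.id + ' -> ' + record.id);
      }
    }
  }
  return findings;
}

console.log(crossModelGrants(sampleTokens, sampleRecords));
```

A non-empty result from `crossModelGrants` identifies records that an id-only comparison would expose to a principal of the wrong user model.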

Fix configuration of Karma:

 - Disable ES6 modules. The ES6 module transpiler is adding
   "use strict" to all source files, this breaks e.g. chai or juggler
 - Relax "ignore" setting to exclude only strong-task-emitter,
   thus bring back Babel transpilation for chai and juggler.