# User Authentication & Management

The users feature is where all user authentication and management code is located. It is largely split between public actions that users can take (login, signup, reset password, etc.) and private actions (retrieve info about currently logged-in user, update user info, send support request, etc.).

# Enabling

This feature is enabled by default, and should remain enabled. Users are the basic access primitive used throughout the app, and everything will break if you attempt to disable this feature.

# Important URLs

Most URLs are already linked from obvious locations in the app (/profile is reached by clicking the "Profile" link in the user drop-down), but there are two especially important URLs that you will need to set up links to:

  • /app/login: Displays the login form for your application.
  • /app/signup: Displays the signup form for your application.

Each provides a link to the other for convenience, but you will want to provide a link from your sales website to one or both, so that users can begin using your app.

# Authentication & Security

User passwords are hashed using bcryptjs and never stored in plaintext.

Session/state management is handled through secure JWTs. The issuer and expiry (in days) can be set in the security.js configuration file. Additionally, a global and a user-specific "series" field are set on each JWT. Increasing the user-specific jwt_series field invalidates all of that user's JWTs that carry an old series value, logging out all instances of that user. Changing the JWT_GLOBAL_SERIES environment variable invalidates all JWTs for all users, logging out everyone.

Additionally, when a user logs in, they are given a CSRF token, which is attached via JavaScript as a header to all API requests. Requests without this header (or with an invalid token) are ignored.

# User Management

The user management feature is contained in the admin feature, since it is a part of the Admin Panel. A user with user_type set to admin will have the 'Admin Panel' option available as part of their user dropdown menu, and can then click on 'Users' in the sidebar to see a list of users. From here, you can edit a user, send them a password reset email, or delete them.

To change the list of fields displayed for users in this list, first ensure the field you wish to display is available as a property of UserModel, then add it to userListFields in config/admin.js. Conversely, removing properties from userListFields removes them from the list of fields displayed.

Modifying the actions in the action dropdown will require creating and modifying your own copy of admin/ui/pages/UserListPage.vue and modifying the collection of dropdown-menu-item objects.

# UserModel

The UserModel represents a single user in your application, and has the following properties:

  • id: The internal ID of the user. This isn't ever sent directly to the application. Instead, Hashids are used to obfuscate this value before it is sent via the API.
  • name: The user's name.
  • email: The user's email address.
  • emailConfirmed: Whether the user has confirmed their email address by replying to a test email sent to it.
  • accountType: Always either user or admin. Users with the user type are normal users, while those with admin can access the Admin Panel. (Generally, you will want to change your own user to an admin user.)
  • lastLoggedInAt: A timestamp that tells when the user last logged in.
  • createdAt: A timestamp that tells when the user was created.
  • updatedAt: A timestamp that tells when the user row in the table was last updated.
  • flags: A JSONB object that can store any value. Should be used to store values that a user may only occasionally have set, like a special login token. More-permanent values should have their own columns defined. These values can be queried either from the database or directly off the model with the hasFlag() function.
  • secureFlags: A JSONB object that can store any value, similar to flags. However, these values are not serialized in toJSON() and thus will never be sent over the API. These values can be queried either from the database or directly off the model with the hasFlag() function.
  • jwtSeries: Increasing this field will cause all of that user's JWTs with old series values to be invalid, logging out all instances of that user.
  • teams: A collection of TeamModel objects for all the teams this user is on.
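The distinction between flags and secureFlags is a serialization boundary: anything in secureFlags must never leave the server through toJSON(). The following is an added example, not the project's UserModel, that makes that boundary concrete. The property names follow the list above; the assumptions are that hasFlag() looks in both flag objects, that teams is omitted, and that the raw id is simply dropped from the JSON output where the real app would substitute a Hashids value.

```javascript
// Added example, not the project's UserModel: a minimal model showing why secureFlags
// never reach the API while flags do, plus a hasFlag() helper. Property names follow
// the page; hasFlag() checking both flag objects and the dropping of id are assumptions.
class UserModel {
  constructor(row) {
    this.id = row.id;
    this.name = row.name;
    this.email = row.email;
    this.emailConfirmed = Boolean(row.emailConfirmed);
    this.accountType = row.accountType ?? 'user';
    this.lastLoggedInAt = row.lastLoggedInAt ?? null;
    this.createdAt = row.createdAt ?? null;
    this.updatedAt = row.updatedAt ?? null;
    this.jwtSeries = row.jwtSeries ?? 1;
    // Copy the JSONB objects so callers cannot mutate the row they came from.
    this.flags = { ...(row.flags ?? {}) };
    this.secureFlags = { ...(row.secureFlags ?? {}) };
  }

  // True when the named flag is set in either flags or secureFlags (assumed semantics).
  hasFlag(name) {
    return Object.prototype.hasOwnProperty.call(this.flags, name)
      || Object.prototype.hasOwnProperty.call(this.secureFlags, name);
  }

  // Returns the flag's value, looking in flags first and then secureFlags (assumed helper).
  getFlag(name) {
    if (Object.prototype.hasOwnProperty.call(this.flags, name)) return this.flags[name];
    if (Object.prototype.hasOwnProperty.call(this.secureFlags, name)) return this.secureFlags[name];
    return undefined;
  }

  // JSON.stringify() calls this automatically. secureFlags is left out entirely, and the
  // raw id is dropped (the real app substitutes a Hashids value here; not reproduced).
  toJSON() {
    const { secureFlags, id, ...publicFields } = this;
    return publicFields;
  }
}

// Serialise the way an API response handler would, and return the wire-level object.
function toApiPayload(user) {
  return JSON.parse(JSON.stringify(user));
}

// Constructed sample row standing in for a database record.
const sampleUser = new UserModel({
  id: 7,
  name: 'Example User',
  email: 'user@example.com',
  emailConfirmed: true,
  accountType: 'admin',
  flags: { onboarding_complete: true },
  secureFlags: { password_reset_nonce: 'constructed-value' },
});
```

The check worth keeping in a test suite is the one toApiPayload() makes easy: serialise a model that has a value in secureFlags and assert the key is absent from the result. If someone later adds a convenience spread such as `{ ...user }` in a response handler, toJSON() is bypassed and that test is what catches it.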