nodejs-restify-mongodb's Issues

hashed password sent to user

From what I understand from this code:

function getUserByIdOrUsername(req, res, next) {
   // The lookup key is the last path segment of /api/v1/user/:search
   var search = req.url;
   search = search.substring(search.lastIndexOf("/") + 1);
   if (search !== null && search !== '') {
      // Try a case-insensitive username match first
      var query = User.where('username', new RegExp('^' + search + '$', 'i'));
      query.findOne(function (err, user) {
         if (!err) {
            if (user) {
               // Sends the whole document, hashed_password included
               res.send(user);
               return next();
            } else {
               // No username match: fall back to a lookup by id
               User.findById(search, function (err, user) {
                  if (!err && user) {
                     res.send(user);
                  } else {
                     res.send(new restify.MissingParameterError('User not found.'));
                  }
                  return next();
               });
            }
         } else {
            var errObj = err;
            if (err.err) { errObj = err.err; }
            return next(new restify.InternalError(errObj));
         }
      });
   } else {
      return next(new restify.MissingParameterError('Username or ID required.'));
   }
}

This sends all of what concerns the searched user when entering the route /api/v1/user/:search, including hashed_password.
I don't think anyone wants to send the hashed password to any random viewer, so this should be modified.
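
Added example, not code from the project or from the issue author: one way to keep hashed_password out of the response is to pass every user through an allow-list serializer before res.send. The field names other than username and hashed_password, and the injected `store` object, are assumptions made so the sketch runs without MongoDB.

```javascript
// Allow-list of fields a client may receive. Names other than username are
// assumed; anything not listed (hashed_password, salt, ...) is dropped.
const PUBLIC_USER_FIELDS = ['_id', 'username', 'name', 'avatar'];

function toPublicUser(user) {
  if (!user) return null;
  // Mongoose documents expose toObject(); plain objects pass through.
  const plain = typeof user.toObject === 'function' ? user.toObject() : user;
  const out = {};
  for (const field of PUBLIC_USER_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(plain, field)) out[field] = plain[field];
  }
  return out;
}

// Same lookup order as the handler above (username first, then id), with the
// data access injected as a hypothetical `store` so the sketch runs offline.
function findPublicUser(search, store, done) {
  if (typeof search !== 'string' || search === '') {
    return done(new Error('Username or ID required.'));
  }
  store.findByUsername(search, function (err, user) {
    if (err) return done(err);
    if (user) return done(null, toPublicUser(user));
    store.findById(search, function (err2, byId) {
      if (err2) return done(err2);
      if (!byId) return done(new Error('User not found.'));
      done(null, toPublicUser(byId));
    });
  });
}

// Constructed sample record, shaped like a Mongoose document.
const sampleDoc = { toObject: () => ({ _id: 'id-1', username: 'alice', name: 'Alice A.',
  hashed_password: 'constructed-hash', salt: 'constructed-salt' }) };
const sampleStore = {
  findByUsername: (name, cb) => cb(null, name.toLowerCase() === 'alice' ? sampleDoc : null),
  findById: (id, cb) => cb(null, id === 'id-1' ? sampleDoc : null)
};

findPublicUser('Alice', sampleStore, function (err, user) {
  console.log(err ? err.message : JSON.stringify(user));
});
```

An allow-list fails closed: a secret field added to the schema later stays out of responses until someone lists it deliberately.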

Nodejs Meetup Feed Back

Had a code roast, here are some of the suggestions I want to work on next....

  • Modularize Node methods, request and response shouldn't be passed all the way into functions, separate functional code from the REST API
  • In the package.json, don't use latest for versions.
    • To simplify version management: npm list (npm list -g for global installed). Using tilde (e.g. "~1.01") allows updates for bug fixes but not major versions.
    • Externalize npm module versions: One of the people from MeetMe described briefly how to put the version numbers in a file independent of the package.json, I need to reach out and get a better explanation from her
    • Look into npm shrinkwrap for managing package dependencies
    • Look into npm outdated
  • In routes.js and in the server for the Enyo project, replace the multi lines for the public GET with fstream.pipe(res)
  • In routes.js, instead of passing all the instantiated singletons, create a module which exports an instance that can then be pulled into where it's needed instead of passing via signature

Dealing with Global Functions

I've hit a point in my development where I've determined I need some global functions that all routes and app.js can have access to for startup routines and search routines.

I'm at an impasse for the best approach in this setup.

I was thinking about a /functions/functiongroup.js format where the functions could be compartmentalized by type into individual JS files and loaded with a wildcard setup like with models/* or required individually. This would also allow the functions that tend to pile up in the route definition files to be moved into a more logical location, and leave the route files purely for routing between requests and functions.

Fix archive flag

System Messages and T&C messages are essentially a join where one table holds the message and the other holds each user's flag if they marked it as archived. When the user selects 'archived' search, all messages come back but no differentiation between archived and current. Need an indicator.

Beta invite API ?

Part of the point of this is for rapid prototyping, so add

  • Beta flag
  • Beta flag true then a beta code is required for signup
  • Beta API to generate and email out a Beta code
  • On signup, reture the Beta code

Or is this just feature creep?

Avatar

Add a field to the user data for an Avatar, could be an image or link (i.e. Gravatar encoded link)

Refactor methods for Promises

Some methods incorrectly calling other methods when callbacks are required. Some methods nested 3 deep need to be cleaned up (chained) via Promises

Issues Implementing a different front end.

I've taken your example and set it up so I can register new accounts, sign in, etc. from your included interface. I have an interface I'd like to connect this to and I've managed to get login to work. However, hitting the /auth endpoint or any other endpoint results in:

XMLHttpRequest cannot load http://localhost:3000/api/v1/auth. Origin http://localhost is not allowed by Access-Control-Allow-Origin.

I was trying this on a different hostname, however I noticed the cookie wasn't created and thought it was responsible for this. However, changing to localhost and testing there revealed the same error despite the cookie being created.
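
Added example, not code from the project or from the issue author: http://localhost and http://localhost:3000 are different origins because the port differs, so the API has to grant the front end's origin explicitly. The sketch below computes the response headers for a cookie-based session from an allow-list; the function name and the allow-list contents are assumptions.

```javascript
// Origins allowed to call the API with cookies (constructed value: the
// front end served from http://localhost, the API on port 3000).
const ALLOWED_ORIGINS = new Set(['http://localhost']);

// Returns the CORS headers for one request. `requestHeaders` uses lower-case
// keys, as Node's http module provides them. In a restify handler each
// entry would be applied with res.header(name, value).
function corsHeaders(method, requestHeaders, allowed) {
  const origin = requestHeaders['origin'];
  // Vary keeps caches from serving one origin's grant to another origin.
  const headers = { 'Vary': 'Origin' };

  // No Origin header (same-origin or non-browser client) or an origin not on
  // the list: grant nothing, and the browser refuses to expose the response.
  if (!origin || !allowed.has(origin)) return headers;

  // Echo the exact origin. Browsers reject "*" when credentials (the session
  // cookie) are sent, so a wildcard would not fix the error above.
  headers['Access-Control-Allow-Origin'] = origin;
  headers['Access-Control-Allow-Credentials'] = 'true';

  // Preflight: the browser asks first for non-simple methods or headers.
  if (method === 'OPTIONS' && requestHeaders['access-control-request-method']) {
    headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE';
    headers['Access-Control-Allow-Headers'] = 'Content-Type, Accept';
  }
  return headers;
}

// Constructed requests: the allowed front end, then an unlisted origin.
console.log(corsHeaders('GET', { origin: 'http://localhost' }, ALLOWED_ORIGINS));
console.log(corsHeaders('GET', { origin: 'http://localhost:8080' }, ALLOWED_ORIGINS));
```

The browser only sends the cookie cross-origin when the client sets withCredentials on the XMLHttpRequest.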
