为用户注册添加密码

Question

Please forgive any ignorance due to unfamiliarity with this framework and its components, I am learning by doing.

I have set up a basic app with angular-fullstack and am exploring some tasks I would like to know how to do. Specifically, I would like to add an additional form element to the user sign up process so that not just anyone can sign up, but only those who provide a pre-determined security code that is shared verbally. If the code entered is invalid, the new user should not be created and (optionally) some message is returned to the user.

In my server/config/environment/index.js file, I have added an additional item to the secrets key that I will use to check a valid code was entered

...

// Secret for session, you will want to change this and make it an environment variable
secrets: {
  session: 'myapp-secret',
  secretCode: 'my-secret' // pre-determined secret code
},

...

In my form, I add the additional field and assign ng-model="secret" . The form points to the controller's register function, so I also add in the new input's value to the argument being passed to Auth.createUser :

$scope.register = function(form){
    ...

    if (form.$valid) {
        Auth.createUser({
            name: $scope.user.name,
            email: $scope.user.email,
            password: $scope.user.password,
            secret: $scope.secret // My input field to pass to the user controller
        })
    }

    ...
}

Now I can go into the create function of server/api/user/user.controller.js and include my logic for checking the secret code.

/**
 * Creates a new user
 */
exports.create = function(req, res, next) {
  ...

  if (req.body.secret !== config.secrets.secretCode) {
     // cancel creating a new user
  };

  ...
};

My question now is how am I supposed to handle this inside my if statement? Snooping around the framework, it seems I can maybe just do a redirect or something back to the /signup page and include an error message, but I'm not sure what I should be doing here to handle that.

I have been looking at this from a number of different angles and I (so far as I can tell) haven't yet had the "Aha!" moment where I feel confident I am approaching this the right way. Am I going about this in an unconventional way?

Answer 1

I'm using the SRP principle to guide me here.

There are 2 red flags. In order to actually create a user, you dont need a secret key. The secret is required for security purposes for an actual person to create a user. So that key logic should be with the other actual-person-focused logic in the controller, not inside the Auth.create method.

Second red flag is that you want to keep the redirecting happening in the controller. It looks like you saw that red flag, so good work.

Have the controller perform the security and the redirects, so that your code will be more or less this:

// controller.js
if (key_matches)
   createUser();
else
   redirectUser()

// auth.js
exports.create = function(req) {
    create_user(req);
}