# Users management

The Users component is designed to help administrators manage all users of the agent.

## Users table

The users table consists of six columns:

* Username
* Email
* Roles
* Edit
* Remove
* Resend

### Username

Username represents the account/profile name that the user can use to log in to the agent and access the profile page (not implemented yet).

### Email

Email is the core element of the user record. The user gets a confirmation email with the link for the [account setup](https://accsetup.process) and can [reset password](https://reset.password) with it.

### Roles

Roles is an essential element of the user record. It allows the user to get access to certain views and features based on the [RBAC rules](https://rbac.rules).

### Edit

See [Edit user](https://edit.user)

### Remove

See [Remove user](https://remove.user)

### Resend

See [Re-send confirmation email](https://re-send.confirmation.email)

## List of users component features

* Add new user
* Edit user
* Remove user
* Re-send confirmation email (new user created)

## Features explained

### Add new user

The round blue button in the bottom right corner allows the user with the role of "admin" to create a new user.

#### Requirements

* User email address
* One or more roles

#### Validation

* Email address must match this pattern:

```javascript=
/^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/
```

* Admin needs to submit both roles and email.
* There should be no duplicate email in the users database.
* The field is required on the front-end.
* The pattern validation is happening on the backend.

#### Notes

* Admin won't be able to create a new user unless the admin has set up the SMTP configuration in the [Settings component](https://settings.link).
* On user record creation, a JWT (JSON Web Token) is generated that carries the **user id** and an **expiration time** and is signed with the **secret**.
```javascript=
// jsonwebtoken is the library used for signing; the secret comes from the environment.
const jwt = require('jsonwebtoken')

const token = jwt.sign({ id: user.user_id }, process.env.JWT_SECRET, {
  expiresIn: '24h',
})
```

* The user gets 24 hours to set up his/her account after receiving a confirmation email.
* After 24 hours the admin can re-send the confirmation email, which regenerates the JWT.
* The JWT secret is an environment variable that is set in the docker-compose.yml file for this docker.
* User creation triggers a confirmation email to be sent to the user with the [account setup](https://accsetup.process) instructions.

### Edit user

The blue icon under the "Edit" column allows the user with the role of "admin" to edit an existing user.

#### Requirements

* User email address
* Username
* One or more roles

#### Validation

* Email address must match this pattern:

```javascript=
/^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/
```

* Username must match this pattern:

```javascript=
/^[a-zA-Z0-9]{3,}$/
```

* You can't submit an empty string for the username or email.
* The fields are required on the front-end.
* The pattern validation is happening on the backend.

#### Notes

* The admin can add a username to a new user who didn't go through registration.
* The admin can't change his/her own roles.
* The admin can change other admins' roles.
* If the admin changes the username without letting the user know, the user won't be able to recover his/her username unless he/she asks the admin.

### Remove user

The red icon under the "Remove" column allows the user with the role of "admin" to remove a user.

#### Requirements

* Users, except for self

#### Validation

* N/A

#### Notes

* Admin won't be able to remove itself; however, any user with the "admin" role can remove other admins.
* At least one user with the role "admin" must remain in the list of users.
* There is no limit to how many users an admin can remove (no time or amount limits).
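The backend side of the Add new user and Edit user validation rules above, as an added example (not the component's own code). It applies the page's email and username patterns, rejects empty strings and duplicates, and enforces the "admin can't change his/her own roles" note; the in-memory `users` table, `validateUser()` and its option names are assumptions for illustration.

```javascript
// Added example, not the component's own code: backend validation of the
// Add new user / Edit user payloads using the patterns quoted on this page.
// The in-memory users table, validateUser() and its option names are
// assumptions made for illustration.
const EMAIL_RE = /^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;
const USERNAME_RE = /^[a-zA-Z0-9]{3,}$/;

// Constructed sample of the users table; user 2 has not finished account setup yet.
const users = [
  { user_id: 1, email: 'admin@example.com', username: 'admin', roles: ['admin'] },
  { user_id: 2, email: 'bob@example.com', username: null, roles: ['viewer'] },
];

// mode: 'add' (email + roles) or 'edit' (email + username + roles).
// actorId/targetId let the backend enforce "the admin can't change his/her own roles".
function validateUser(payload, { mode, actorId, targetId = null, table = users }) {
  const errors = [];
  const email = typeof payload.email === 'string' ? payload.email.trim() : '';
  if (!email) errors.push('email is required');
  else if (!EMAIL_RE.test(email)) errors.push('email does not match the pattern');
  else if (table.some(u => u.email.toLowerCase() === email.toLowerCase() && u.user_id !== targetId))
    errors.push('duplicate email');

  if (!Array.isArray(payload.roles) || payload.roles.length === 0)
    errors.push('at least one role is required');

  if (mode === 'edit') {
    const username = typeof payload.username === 'string' ? payload.username.trim() : '';
    if (!username) errors.push('username is required');
    else if (!USERNAME_RE.test(username)) errors.push('username does not match the pattern');
    else if (table.some(u => u.username && u.username.toLowerCase() === username.toLowerCase() && u.user_id !== targetId))
      errors.push('duplicate username');

    // Never trust the front-end here: compare the submitted roles with the stored ones.
    const target = table.find(u => u.user_id === targetId);
    const sameRoles = target && Array.isArray(payload.roles) &&
      JSON.stringify([...payload.roles].sort()) === JSON.stringify([...target.roles].sort());
    if (target && actorId === targetId && !sameRoles)
      errors.push('admins cannot change their own roles');
  }
  return { ok: errors.length === 0, errors };
}
```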
### Re-send confirmation email

The blue icon under the "Resend" column allows the user with the role of "admin" to re-send a confirmation email for a new user.

#### Requirements

* Users, except for self

#### Validation

* N/A

#### Notes

* Admin can re-send one confirmation per user per session.
* The icon will be available only for those users who have not gone through the [account setup process](https://accsetup.process).
* Re-sending the confirmation email will regenerate the JWT for this user record. It is set to 24 hours.
* The session will refresh on a new login or on every page refresh.

## Account setup

### Features explained

When an admin creates a new user, the user will receive a confirmation email with the account setup instructions. The instructions contain a link made of the URL of the account setup page and the JWT. The JWT is set up to expire 24 hours after user creation.

```
https://localhost/account-setup/#eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MiwiaWF0IjoxNjMxOTA5NDg5LCJleHAiOjE2MzE5OTU4ODl9.k10biSCdSpK7EiuMHgk4Z2dbM7dfkNabV9CkbFua-lA
```

### List of account setup form fields

* Email
* Username
* Password
* Confirm Password

### Requirements

* The URL link with a valid token (JWT)

### Validation

* The front-end will validate the JWT first. If valid, it will render the content; otherwise it will redirect to the login page with the notification "The link has expired" or "The user doesn't exist or the link has expired."
* If the JWT was successfully validated on the front-end, it is sent to the back-end. The same validation is performed there too for extra security.
* All form fields are required.
* Password and confirm password must match.
* Empty strings for the fields are not accepted and are validated on the back-end.
* Email address must match this pattern:

```javascript=
/^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/
```

* Username must match this pattern:

```javascript=
/^[a-zA-Z0-9]{3,}$/
```

* The pattern validation is happening on the backend.
* There should be no duplicate email in the users database.
* There should be no duplicate username in the users database.

### Notes

* The user must be logged out to be able to access the account setup page.
* If the JWT is expired, the user can ask the admin to re-send the confirmation email, which will generate a new link with a valid JWT.
* On successful form submission the user will be redirected to the login page with a success message about account creation.
* The password is hashed before being stored in the database using the sha256 algorithm with 10 salt rounds.

## Forgot password

### Features explained

The "forgot password" page allows the user to send a request for a password reset. It can be accessed from the login page; the link is located under the "log in" button.

#### Validation

* The provided email must match the email of a user database record.
* The pattern validation is happening on the backend.
* An empty string for the email field is not accepted and is validated on the back-end.
* Email address must match this pattern:

```javascript=
/^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/
```

#### Notes

* If the user submits an email to reset the password and it doesn't match any of the user records' emails, the user will see the error notification "The user was not found."
* The user can send as many requests as he/she wants.
* The user can continue logging in with the old password even after the request to change the password was sent.
* A new link with a valid JWT is generated and sent by email to the provided email address.

```
https://localhost/password-reset/#eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MiwiaWF0IjoxNjMxOTA5NDg5LCJleHAiOjE2MzE5OTU4ODl9.k10biSCdSpK7EiuMHgk4Z2dbM7dfkNabV9CkbFua-lA
```

* The JWT expires in 10 minutes in the case of a password reset.

## Password reset

### Features explained

The reset password page allows the user to reset his/her password in case it was lost, forgotten or compromised.

### Validation

* All form fields are required.
* Password and confirm password must match.
* The password must contain at least: 1 digit, 1 lowercase letter, 1 uppercase letter, 1 special character, and 8 characters in total.
* The password must match this pattern:

```javascript=
/^(?=.*\d)(?=.*[!@#$%^&*])(?=.*[a-z])(?=.*[A-Z]).{8,}$/
```

* Empty strings for the fields are not accepted and are validated on the back-end.

### Notes

* Once the user submits the new password, he/she is redirected with a success message to the login page, where the login can be performed.

## Login

### Features explained

The login page allows the user to authenticate to the agent using the username and password that were set during the account setup process.

### Validation

* All form fields are required.
* The username must match the username of a users database record.
* Username must match this pattern:

```javascript=
/^[a-zA-Z0-9]{3,}$/
```

* The password must contain at least: 1 digit, 1 lowercase letter, 1 uppercase letter, 1 special character, and 8 characters in total.
* The password must match this pattern:

```javascript=
/^(?=.*\d)(?=.*[!@#$%^&*])(?=.*[a-z])(?=.*[A-Z]).{8,}$/
```

* Empty strings for the fields are not accepted and are validated on the back-end along with the patterns.

### Notes

* User authentication via the login process generates a session and a user cookie.
* The session is responsible for keeping the user logged in, but it is set to expire in 60 minutes. It resets if the user actively uses the agent.
  See [session provider](link) to get more information on how it's managed.
* The user cookie allows the agent to enforce the [RBAC](link) rules and gives the user authorization to view or interact with the agent and its components.

## Logout

### Features explained

The logout button is located right below the user's username on the menu bar. On click it logs the user out of the agent.

### Validation

N/A

### Notes

* The session is destroyed on logout.
* The user cookie is destroyed on logout.