genyded
diff --git a/‎SUMMARY.md
Lines changed: 14 additions & 12 deletions b/‎SUMMARY.md
Lines changed: 14 additions & 12 deletions
diff --git a/‎authentication/readme.md
Lines changed: 34 additions & 2 deletions b/‎authentication/readme.md
Lines changed: 34 additions & 2 deletions
diff --git a/‎authorization/bundled-hooks.md
Lines changed: 26 additions & 0 deletions b/‎authorization/bundled-hooks.md
Lines changed: 26 additions & 0 deletions
diff --git a/‎authorization/readme.md
Lines changed: 117 additions & 23 deletions b/‎authorization/readme.md
Lines changed: 117 additions & 23 deletions
@@ -13,33 +13,36 @@
    * [Quick Start](getting-started/quick-start.md)
    * [Your First App](getting-started/your-first-app.md)
 * [Services](services/readme.md)
-* [Providers](providers/readme.md)
-   * [REST](providers/rest.md)
-   * [Real-Time](providers/real-time/readme.md)
-       * [Events](providers/real-time/events.md)
-       * [Socket.io](providers/real-time/socket-io.md)
-       * [Primus](providers/real-time/primus.md)
+* [REST](providers/rest.md)
+* [Real-Time](providers/real-time/readme.md)
+   * [Socket.io](providers/real-time/socket-io.md)
+   * [Primus](providers/real-time/primus.md)
+   * [Event Filtering](providers/real-time/event-filtering.md)
 * [Databases](databases/readme.md)
-   * [Querying and Pagination](databases/querying.md)
-   * [In Memory](databases/in_memory.md)
-   * [NeDB](databases/nedatabases/md)
+   * [Pagination and sorting](databases/pagination.md)
+   * [Querying](databases/querying.md)
+   * [Extending adapters](databases/extending.md)
+   * [In Memory](databases/memory.md)
+   * [NeDB](databases/nedb.md)
    * [Mongoose](databases/mongoose.md)
    * [Sequelize](databases/sequelize.md)
    * [KnexJS](databases/knexjs.md)
    * [Waterline](databases/waterline.md)
 * [Hooks](hooks/readme.md)
+   * [Bundled Hooks](hooks/bundled-hooks.md)
 * [Middleware](middleware/readme.md)
    * [Express middleware](middleware/express.md)
    * [Versioning](versioning.md)
 * [Routing](routing/readme.md)
    * [Versioning](routing/versioning.md)
 * [Authentication](authentication/readme.md)
    * [Local (username & password)](authentication/local.md)
-   * Oauth (Twitter, Facebook, etc)
+   * OAuth (Twitter, Facebook, etc)
    * Two-Factor (MFA)
 * [Authorization / Access Control](authorization/readme.md)
+   * [Bundled Auth Hooks](authorization/bundled-hooks.md)
 * [Front End Clients](clients/readme.md)
-* [API](api/readme.md)
+* [API Documentation](api/readme.md)
 * [Guides](guides/readme.md)
    * Creating a plugin
    * React and React Native
@@ -49,4 +52,3 @@
 * [Contributing](contributing.md)
 * [Changelog](changelog.md)
 * [License](license.md)
-
 
@@ -9,8 +9,40 @@ The [feathers-authentication](https://github.com/feathersjs/feathers-authenticat
 
 * [Setting Up Local Auth](local.md) (username and password)
 
+### Usage
+If you are using the default options, setting up JWT auth for your Feathers app is as simple as the below example.  Note: You must set up the `body-parser` module before setting up `feathers-authentication`.
 
-## Other Authentication Plugins
+```js
+var app = feathers()
+  .configure(feathers.rest())
+  .configure(feathers.socketio())
+  .configure(hooks())
+  .use(bodyParser.json())
+  .use(bodyParser.urlencoded({ extended: true }))
+  // Provide a config object to the feathers-authentication plugin
+  .configure(feathersAuth({
+    secret: 'feathers-rocks'
+  }));
+```
+
+
+### Options
+
+The following options are available:
+
+- __secret__ *required* - The secret used to create encrypted tokens.
+- __userEndpoint__ - The api endpoint used to look up the user service. The default is `'/api/users`.
+- __loginEndpoint__ - The url for posting the username and password during login. The default is `/api/login`.  You can also post a valid token here to receive a new one.  You might use this when the current auth token is about to expire to stay logged in on the client.
+- __usernameField__ The database field containing the username on the user service.  The default is `username`.
+- __passwordField__ The database field containing the password on the user service.  The default is `password`.
+- __loginError__ - The message to return for invalid login.  Default is 'Invalid login.'
+- __jwtOptions__ - Used to customize the configuration for the jsonwebtoken library.  [See the API](https://github.com/auth0/node-jsonwebtoken)
+- __jwtOptions.expiresIn__ - The number of **seconds** until the token expires.  Default is 36000 (10 hours).
+- __strategy__ - Allows you to pass a custom strategy to use for local auth.  The default strategy should fit most projects.
+- __passport__ (default: `require('passport')`) - The passport module
+
+
+## Other Authentication Solutions
 Feathers is based on Express. It's likely that an auth plugin used for Express can also work for Feathers.
 
-If you have an authentication method that you would like listed here, please [submit a pull request](../contributing.md).
+If you have an authentication solution that you would like listed here, please [submit a pull request](../contributing.md).
@@ -0,0 +1,26 @@
+# Bundled Authorization Hooks
+
+Implementing authorization is not automatic, but is easy to set up with the included hooks.  You can also create your own hooks to handle your app's custom business logic.  For more information about hooks, refer to the [chapter on hooks](hooks/readme.md).
+
+The `feathers-authentication` plugin includes the following hooks to help with the authorization process.
+
+## `hashPassword(passwordField)`
+The `hashPassword` hook will automatically hash the data coming in on the provided `passwordField`. It is intended to be used on the user service on the `create`, `update`, or `patch` methods.  The default field is `password`, but you can specify another field by providing its name as a string. [source code](https://github.com/feathersjs/feathers-authentication/blob/master/src/hooks/hash-password.js)
+
+## `requireAuth()`
+The `requireAuth` hook throws an error if there's not a logged-in user by checking for the `hook.params.user` object. It can be used on any service method. It doesn't take any arguments. [source code](https://github.com/feathersjs/feathers-authentication/blob/master/src/hooks/require-auth.js)
+
+## `queryWithUserId(idProp, idOnResource)`
+The `queryWithUserId` hook will automatically add the user's `idProp` as a parameter in the query. This is useful when you want to only return data that belongs to the logged-in user. The name of the key in the query params will be the string provided as the `idOnResource` variable.  The default `idOnResource` is `"userId"` and the default `idProp` is `"_id"`. This means that the `User._id` will be copied into `query.userId`. [source code](https://github.com/feathersjs/feathers-authentication/blob/master/src/hooks/query-with-user-id.js)
+
+## `setUserId(sourceProp, destProp)`
+The `setUserId` is similar to the `queryWithUserId`, but works on the incoming data instead of the query params. It's useful for automatically adding the userId to any resource being created. The default `sourceProp` is `"_id"` and the default `destProp` is `"userId"`.  It can be used on `create`, `update`, or `patch`. [source code](https://github.com/feathersjs/feathers-authentication/blob/master/src/hooks/set-user-id.js)
+
+## `requireAdminToSetAdmin(adminField)`
+The `requireAdminToSetAdmin` hook prevents users from making themselves an administrator. It deletes the `adminField` from any request to modify the user, so it's meant to be used on the User service.  It can be used on the `create`, `update`, or `patch` methods. [source code](https://github.com/feathersjs/feathers-authentication/blob/master/src/hooks/require-admin-to-set-admin.js)
+
+## `restrictToSelf(idProp)`
+The `restrictToSelf` hook only allows the user to retrieve her own user data. It does this by setting up the `idProp` in the query params. It is meant to be used on the User service on either `find` or `get`. [source code](https://github.com/feathersjs/feathers-authentication/blob/master/src/hooks/restrict-to-self.js)
+
+## `toLowerCase(fieldName)`
+The `toLowerCase` hook is useful for making sure things like email addresses and usernames are lowercased before saving them to the database. You wouldn't want, for example, "BabyGorilla" and "babygorilla" to be two different users, so normalizing them to lowercase will make keeping track of things easier. It can be used on `create`, `update`, or `patch`. [source code](https://github.com/feathersjs/feathers-authentication/blob/master/src/hooks/to-lower-case.js)
@@ -1,10 +1,8 @@
 # Authorization / Access Control
 
-TODO: This section needs review.
+Once we know which user is logged in, we need to know which parts of the app they can access. This is called Authorization, and it's where hooks really come in handy.
 
-Once we know which user we are working with, we need to know which parts of the app they have access to. This is called Authorization, and it's where hooks really come in handy.
-
-## Adding user information to requests.
+## Adding user information to requests
 The `feathers-authentication` plugin, upon login, gives back an encrypted token containing information about the user.  The auth plugin also includes a special middleware that decrypts any tokens coming found in the Authorization header of requests that come through the REST provider.  Here's an example of that middleware:
 
 ```js
@@ -30,27 +28,123 @@ app.use(function(req, res, next) {
 });
 ```
 
-## User authorization
-Since `feathers-authentication` adds the authenticated user information to requests with valid tokens, we can check for the user info in the hook and return with an error if the user is not authorized:
+If the token in any request is valid, the token will be unencrypted and the payload data is set up on `req.feathers.user`.  The `req.feathers` object is special because its attributes are made available inside feathers-hooks on the `hook.params` object. We will cover how you can use this data soon, but first let's talk about some guidelines for creating your `User` schema.
+
+## Getting your User schema just right
+Since `feathers-authentication` adds the authenticated user's info to requests, we can use it to implement our app's authorization logic. This also means that the authorization logic we will be able to put in place depends completely on the data that's available in the `User` service's schema. There is one general guideline to follow:
+
+> Keep your user schema simple.
+
+Remember, the more information you put in your `User` schema, the larger the JWT token will get. If you have a huge token, you're adding a huge payload to *every* authenticated request. It's not only an issue of having more bytes to transfer, though. Once it arrives at the server, the token will have to be unencrypted every time, so it requires more processing power, too. Try experimenting with the payload on [jwt.io](http://jwt.io) to get an idea of the impact your schema will have.
+
+The simplest `User` schema would look something like the one below.
 
 ```js
-app.service('todos').before({
-  create: function(hook, next) {
-    // We only allow creating todos with an authenticated user
-    if(!hook.params.user) {
-      return next(new Error('You need to be authenticated'));
-    }
-
-    // Check if the user belongs the `admin` group
-    var groups = hook.params.user.groups;
-    if(groups.indexOf('admin') === -1) {
-      // Return with an error if not
-      return next(new Error('User is not allowed to create a new Todo'));
-    }
-
-    // Otherwise just continue on to the
-    // next hook or the service method
-    next();
+{
+  "username": "LeanAndClean"
+}
+```
+
+**Pro Tip:** There could very likely be a password on your `User` schema. Read the [section on bundled auth hooks](bundled-hooks.md) to find out how to make sure passwords don't go out to the public or into the JWT token payload.
+
+But suppose we want to create an app with a more-expansive `User` schema like this one:
+
+```js
+{
+  "username": "ChunkyMonkey",
+  "email": "[email protected]"
+  "country": "Canada",
+  "city": "Alberta",
+  "favoriteWord": "Hoser",
+  "dateOfBirth": "4-24-1980",
+  "friends": [
+    "Larry",
+    "Curly",
+    "Moe",
+    "Bonnie",
+    "Clyde",
+    "Butch Cassidy",
+    "The Sundance Kid"
+  ]
+}
+```
+
+While all of the above attributes do have something to do with the user, they're not very useful for our authorization logic.  We can optimize the setup by splitting the large model into two.  We'll keep the most useful or identifying attributes in the `User` schema and move everything else out to a `profile` schema. Each application will potentially have different requirements, but here's an example split.
+
+```js
+// User schema
+{
+  "username": "ChunkyMonkey",
+  "email": "[email protected]"
+}
+
+// Profile schema
+{
+  "country": "Canada",
+  "city": "Alberta",
+  "favoriteWord": "Hoser",
+  "dateOfBirth": "4-24-1980",
+  "friends": [
+    "Larry",
+    "Curly",
+    "Moe",
+    "Bonnie",
+    "Clyde",
+    "Butch Cassidy",
+    "The Sundance Kid"
+  ]
+}
+```
+
+## Adapting your schema to your app
+
+Your `User` schema will change based on your how your application is structured. If you're making an app that will only be used by a single person, or if all users have the same permissions, the schema can probably stay as simple as in the previous examples.  However, if the specifications for your app require that some users are administrators with greater access, you will have options on how you are going to implement authorization.  If your application is more complex, you may want to put administrators in an `Admin` schema and create a separate administrative app.  But for smaller apps it might make sense to simply add an attribute to the `User` schema that flags certain users as administrators:
+
+```js
+// User schema
+{
+  "username": "ElJefe",
+  "admin": true
+}
+```
+
+Now you'll know when a user gets more access by checking for the `admin` attribute. Let's take a look at how to identify users and administrators by creating our first hooks.
+
+## Creating an authorization hook
+In the example below, only a logged-in user would be able to create a todo.  The other methods on the `todos` service continue to be unprotected.  The `orders` service requires an authenticated user to perform any of its methods because it uses the `all` key to register the hook.
+
+```js
+// Create a hook that requires that a user is logged in.
+var requireAuth = function(hook) {
+  if(!hook.params.user) {
+    throw new Error('You must be logged in to do that.');
+  }
+};
+// Create a hook that requires a user who is an admin.
+var requireAdmin = function(hook) {
+  if (!hook.params.user) {
+    throw new Error('You must be logged in to do that.');
   }
+  if(!hook.params.user.admin) {
+    throw new Error('Only admins can do that.');
+  }
+};
+
+
+// Must be logged in to create a todo.
+app.service('todos').before({
+  create: [requireAuth]
+});
+// Must be logged in to do anything with orders.
+app.service('orders').before({
+  all: [requireAuth]
+});
+// Must be a logged-in administrator to do anything with secrets.
+app.service('secrets').before({
+  all: [requireAdmin]
 });
 ```
+
+We created two simple hooks in the above example. The `requireAuth` hook simply checks for a logged-in user at `hook.params.user` and throws an error if there's no user data.  The `requireAdmin` hook is similar, but does an extra check for if the user has an `admin = true` attribute.
+
+We have prepared some useful hooks for you to use in your Authorization schema.  Keep reading to learn about them.