A User extension is being implemented to handle user registration and login forms, user authentication and role based permission system.

This will potentially rely on PassportJS to provide authentication for over 140 services.

Forms are being implemented as a type, so they can be added through JSON files and form() hooks. A very simple login form will look like this:

sign-in.form.json

{
  "title": "Sign in",
  "fields": [
    {
      "name": "username",
      "title": "Username",
      "type": "text",
      "required": true
    },
    {
      "name": "password",
      "title": "Password",
      "type": "password",
      "required": true
    },
    {
      "name": "submit",
      "title": "Sign in",
      "type": "submit",
      "url": "/user/sign-in"
    }
  ]
}

Forms can be inserted in both panels and pages, using the rendering type ("type" property) set to "form" and setting the "formName" property to the name of the form instance. E.g. a page that renders the login form above would look like this:

sign-in.page.json

{
  "path": "/sign-in",
  "title": "Sign in",
  "description": "Login using the form below.",
  "access": "sign in",
  "type": "form",
  "formName": "sign-in"
}

Forms have fields whose types, on this first cut, will be directly tied to a angular templates that render and are responsible for controlling them. Each field type must have a angular template for rendering it named [field.type].html.

To be able to remove the "#/" from URLs and to pave the way for SEO. we need to enable what they call 'html5mode' in AngularJS. This means all ordinary requests should resolve to index.html. Here are some directions on how to enable such feature:

http://seankenny.me/blog/2013/08/05/angularjs-in-html5-mode-with-expressjs/

Write tests for all core functionality. Decide on a front end test framework.

Add pagination support for both backend and front-end.

To be able to reference types with each other we need a reference field. This field should be able to get from the REST API a list of options to show. This field should support multiple values. Eventually a option should be available for adding a item directly from it's referring type and also an autocomplete when there are too much values to fit a select box or a group of checkboxes.

When the database (or any other storage strategy chosen by the developer) is down or inacessible for some reason, the Choko gives an error which doesn't inform the user what really happened. The framework must present a nice maintenance page to the user understand that some technical errors happened during the request.

As of now, you need to create an application specific extension to be able to add/override things.

We need a way to load resources/overrides directly from a folder to ease development.

Make sure we return the most appropriate status codes when possible.

http://httpstatus.es/

SEO is always a concern with SPAs. To overcome this, Choko must be able to render simple HTML output for search engine bots as well as Facebook, Google+ and other web resource crawlers and clients that don't actually display the page nor parses javascript.

The HTML page can be a simple list of linked items with auto generated meta tags based on content and context.

This can be implemented by checking the headers those bots send and use them to switch response rendering to HTML instead of JSON. The context system should be changed so context reactions can add in their bits.

Make possible to add/remove css/js files through contexts.

We need to make sure our code is well documented, since this is a good thing in the first place and also to generate good API documentations.

At least we need all .js files to have a comment on the top like this (no double stars after the slash on block openings). For an extension this may use this template:

/*
 * The [extension_name_in_lowercase] extension.
 */

For library files it may have a short description and an optional long description like this:

/*
 * Short description of this js code.
 *
 * Long description of this js code this should wrap at column 80.
 */

Each hook should be documented as:

/**
 * The [hook_name]() hook.
 */

And each library/class method should be documented properly, i.e. having a reasonable description and all parameters documented.

Once we decide on what api docs generator to use, we can them add some tags, such as @class, @constructor, @static, etc.

Standardize callback argument names to a. callback() when not in a asynchronous loop or b. next() when on an explicit asynchronous loop.

Add file field for file uploads.

Implement something like Swagger for Choko APIs:

http://developers.helloreverb.com/swagger/

Implement HEAD method that returns only the headers, with and empty response body and 204 status code.

I tried to login in Choko example app with a misc (not yet existing) username. The server response was OK but the front-end doesn't show any message to inform the user that an invalid username error happened.

There's the server response:

{
  "status": {
    "code": 400
  },
  "data": {
    "message": "Invalid username or password."
  }
}

When the user creates an account at Choko, he is redirected to the home page on it's standard status, without any successful message. It becomes difficult for the user to understand that your account was successfully created and are ready to use.

Define strategy for localization. There are these two nodejs modules we could use:

https://github.com/naholyr/node-jus-i18n
https://github.com/ricardobeat/node-polyglot

Add basic user management interface.

To be able to manipulate the application settings through the installer, settings.js file needs to be a JSON file.

A rule extension may be provided to do things like sending an email and other jobs that can be done asynchronously.

Rules will be made of events, conditions and actions. Resource data from events can be used in e.g. email templates variables (tokens) and other action related things.

A rule may look like this:

{
  "event": "user-save",
  "conditions": [
    {
      "user.new": "true"
    }
  ],
  "actions": [
    {
      "action": "send-email",
      "template": "new-user"
    }
  ]
}

The theme extension will create the "theme" type, and will implement the "theme" reaction that's used to set the theme on contexts.

On /manage/theme a list of available themes with a small screenshot for each is presented.

Choko may ship with all bootswatch.com open source themes.

There's no real need for the envelope we wrap the data both for the REST server and the application state service. We should make the envelope optional, added only when a query parameter (e.g. envelope=true) is passed along with the request.

Not using an envelope is considered a best practice for design REST services. But maintaining it as optional we still allow limited systems to head the response code.

This is implemented in RouteController respond() method.

In order to be able to make Choko installable through npm, we need to move applications folder out of the choko folder. So we can do:

npm install -g choko
choko [some-folder]

And have the applications directory tree created at 'some-folder' automatically, if nothing is there yet.

We need to add a session controller to be able to store session data in the database so we don't lose all sessions during server restart.

In the long run we may need to be able to have a revisions history of changes made to resources for the types that enable this feature.

To implement this we can have a "_revision" or "_history" suffixed type, or just a new collection in mongodb and other persistent storages, for every type that have revisioning feature enabled.

I tried to install the latest Choko code this morning but I got this error message: Failed to load c++ bson extension, using pure JS version. I'm using Mac OS Mavericks with Node.js v0.10.24. The steps I've made was those described in the README.md, available in the main Choko's Github page.

The output from the terminal was:

❯ node server.js
Failed to load c++ bson extension, using pure JS version
26 Jan 11:08:14 - Choko server started on port 3000.
26 Jan 11:08:14 - Application "Example" started at "localhost".

And when I try to access http://localhost:3000/ I got the error message: "Cannot GET /".

I tried to sign out from Choko example app, but it seems like nothing happened.

In fact, if I click on the Example link, which drives me to the home page, I'll see the user menu like an anonymous user. But I can see it only if I click to go to another page.

Server response:

{
  "status": {
    "code": 200
  },
  "data": true
}

Use .less files instead of .css for bootstrap and theme styles. Express.js already support this through the less middleware:

var lessMiddleware = require('less-middleware');

var app = express.createServer();

app.configure(function () {
    // Other configuration here...

    app.use(lessMiddleware({
        src: __dirname + '/public',
        compress: true
    }));

    app.use(express.static(__dirname + '/public'));
});

This will enable us to override bootstrap variables and will help with including the the bootswatch themes without the need to remove css files from the page.

To be able to manipulate the enabled applications through the installer, applications.js file needs to be a JSON file.

To be able to enable adding some resources directly from the administration pages, the ones that use the memory storage should be persisted to JSON files. We can do this by implementing a save() hook and intercepting whenever we save a memory storage item, and save this to the application resources/override folder we will create on #33.

Add image field and image variations (thumbnails, scale, crop, etc) feature. The image element should allow previewing the image on resource adding forms.

The roles Anonymous and Authenticated are both programmatic roles, used to identify the current user state. They also serves as holders for state-related permissions, since permissions are attached to roles by default. They cannot be selectable when the administrator is creating a new user, just because it does not makes sense.

This nodejs module may be useful:

https://github.com/jaredhanson/oauth2orize

From the Passport documentation page for OAuth:

"OAuth2orize, a sibling project to Passport, provides a tookit for implementing OAuth 2.0 authorization servers.
...
As a toolkit, OAuth2orize does not attempt to make implementation decisions. This guide does not cover these issues, but does highly recommended that services deploying OAuth 2.0 have a complete understanding of the security considerations involved."

Make possible to load a item along with it's type form for editing.

When the user click in the Sign out in the user menu item your session is destroyed, but there's no message informing what happened. There must be a message informing the action, the user menu must be updated to reflect the anonymous menu options.

For fields that references types with large datasets (e.g. post author), we need an element to accommodate that.

We can have a typeahead/autocomplete field, that you search for a item and have it added to a list when pressing enter. Each item on the list should have a remove link next to it.

http://twitter.github.io/typeahead.js/
https://github.com/Siyfion/angular-typeahead

To be able to link resources to stuff related to it we can add a basic HATEOAS (Hypertext As The Engine Of Application State) implementation so that types can declare and return generated links.

To do one-to-one and one-to-many relationships to types that aren't standalone we need to be able to edit the referenced resource inline.

Implement OPTIONS method returning available methods for a resource.

Standardize error variables as 'error' instead of 'err'.

Add a WYSIWYG element for the text field.

http://jhollingworth.github.io/bootstrap-wysihtml5/

We need to make the page title a region and the actual page title a panel, so we can ad toolbars and other stuff to page titles.

Make possible to set permissions on fields level. It should allow the control for each operation on resources.

Add a basic date field and element.

Report when the API returns errors 403, 404, 500, etc.

Add basic navigation management.