Use braces with all multi-line blocks. (https://github.com/airbnb/javascript#blocks--braces)

Don't use iterators. Use .forEach instead. (https://github.com/airbnb/javascript#iterators--nope)

General feedback.

In order to be maintainable, this function create needs some improvements. The function is too large. With 88 lines, it is so long that the developer found it necessary to comment each block ending. That is a bad sign.

Use Promises instead of callbacks

In this functions, there are three callbacks inside of each other. That can quickly create a mess - and all of your code disappears out of the screen to the right, because of all the indentation. This problem is largely solved if you make use of Promises.

Use forEach, map, filter and reduce instead of iterators

Javascript has excellent built-in functions for dealing with arrays - amongst them are forEach, map, filter and reduce. Learning those functions and when to use them would create more readable and maintainable code.

Split the function into several smaller functions

Every function should ideally fit into one computer screen, and should only do one thing. This function could be split into several smaller functions. One for finding the user. One for finding the products. One for calculating the price of a product based on sales. And one for creating an order. Then the next developer who sees this code would easier understand what is going on here.

Use more brackets

Many if statements in this functions does not use brackets. While somewhat frowned upon, dropping the brackets in small one-liners is ok - but it is important that the entire statement is on one line. Otherwise it can be easy to create confusing code, like this:

if (x > 3)
    x = 5;
    y = 2;

What would happen if req.params.id is not an int?

What would happen if req.params.id is not an int?

What is really being checked here? With this check, you could still pass inn undefined for id, email and isAdmin, and this would return true.

const user = {
    id: undefined,
    email: undefined,
    isAdmin: undefined
};

user.hasOwnProperty('id') && user.hasOwnProperty('email') && user.hasOwnProperty('isAdmin')
> true

Ternary statements can be useful sometimes.

const url = product.id ? `/api/product/${product.id}` : '/api/product';
return this.http.post<ProductModel>(url, product);

What does do do? I have never seen it before in this context.

A better solution could have been made here.

Does not check for quantity > 0. Numerical values received from users should always be validated.
Also does not do a strict check on the quantity, allowing arrays and null to be used.

Does not do strict type checking, allowing ["a", "b", "c", "d", "e", "f", "g", "h"] as a password, which turns into "a,c,b,d,e,f,g,h" when logging in. It won't happen from a well-written client, but can be abused.

Data validation in database structures

While it is quite convenient to use Sails for a lot of the validation, it does not catch obvious type coercions that happen in Javascript. Most notably is the coercion of arrays into strings.

Apart from that, most of the data validation works as expected.

Fetching the first element of an array regardless of its size puts burden on outside code, and should generally be avoided.

When is this callback unsubscribed?