@carbonorm/carbonnode 4.0.0 → 5.0.0

package/dist/api/executors/SqlExecutor.d.ts

@@ -11,6 +11,11 @@ export declare class SqlExecutor<G extends OrmGenerics> extends Executor<G> {
         [key: string]: any;
     }): string;
     private formatValue;
+    private stripRequestMetadata;
+    private normalizeRequestPayload;
+    private extractRequestBody;
+    private extractPrimaryKeyValues;
+    private broadcastWebsocketIfConfigured;
     runQuery(): Promise<{
         rest: any;
         sql: {
@@ -26,4 +31,5 @@ export declare class SqlExecutor<G extends OrmGenerics> extends Executor<G> {
             values: any;
         };
     }>;
+    private validateSqlAllowList;
 }

package/dist/api/handlers/ExpressHandler.d.ts

@@ -1,7 +1,8 @@
 import { Request, Response, NextFunction } from "express";
 import { Pool } from "mysql2/promise";
 import { iC6Object } from "../types/ormInterfaces";
-export declare function ExpressHandler({ C6, mysqlPool }: {
+export declare function ExpressHandler({ C6, mysqlPool, sqlAllowListPath, }: {
     C6: iC6Object;
     mysqlPool: Pool;
+    sqlAllowListPath?: string;
 }): (req: Request, res: Response, next: NextFunction) => Promise<void>;

package/dist/api/orm/builders/ConditionBuilder.d.ts

@@ -27,6 +27,8 @@ export declare abstract class ConditionBuilder<G extends OrmGenerics> extends Ag
     private serializeOperand;
     private isPlainArrayLiteral;
     private isPlainObjectLiteral;
+    private resolveColumnDefinition;
+    private isJsonColumn;
     protected serializeUpdateValue(value: any, params: any[] | Record<string, any>, contextColumn?: string): string;
     private ensurePlainObject;
     private resolveExistsInnerColumn;

package/dist/api/types/ormInterfaces.d.ts

@@ -135,6 +135,16 @@ export interface iGetC6RestResponse<ResponseDataType extends {
 export type DetermineResponseDataType<Method extends iRestMethods, RestTableInterface extends {
     [key: string]: any;
 }, ResponseDataOverrides = {}> = (Method extends 'POST' ? iPostC6RestResponse<RestTableInterface> : Method extends 'GET' ? iGetC6RestResponse<RestTableInterface, ResponseDataOverrides> : Method extends 'PUT' ? iPutC6RestResponse<RestTableInterface> : Method extends 'DELETE' ? iDeleteC6RestResponse<RestTableInterface> : never);
+export type iRestWebsocketPayload = {
+    REST: {
+        TABLE_NAME: string;
+        TABLE_PREFIX: string;
+        METHOD: iRestMethods;
+        REQUEST: Record<string, any>;
+        REQUEST_PRIMARY_KEY: Record<string, any> | null;
+    };
+};
+export type tWebsocketBroadcast = (payload: iRestWebsocketPayload) => void | Promise<void>;
 export interface iRest<RestShortTableName extends string = any, RestTableInterface extends Record<string, any> = any, PrimaryKey extends keyof RestTableInterface & string = keyof RestTableInterface & string> {
     C6: iC6Object;
     axios?: AxiosInstance;
@@ -146,7 +156,9 @@ export interface iRest<RestShortTableName extends string = any, RestTableInterfa
     requestMethod: iRestMethods;
     clearCache?: () => void;
     skipPrimaryCheck?: boolean;
+    websocketBroadcast?: tWebsocketBroadcast;
     verbose?: boolean;
+    sqlAllowListPath?: string;
 }
 export interface iConstraint {
     TABLE: string;

package/dist/api/utils/sqlAllowList.d.ts

@@ -0,0 +1,2 @@
+export declare const normalizeSql: (sql: string) => string;
+export declare const loadSqlAllowList: (allowListPath: string) => Promise<Set<string>>;

package/dist/index.cjs.js

@@ -1827,8 +1827,9 @@ var ConditionBuilder = /** @class */ (function (_super) {
         }
         throw new Error('Unsupported operand type in SQL expression.');
     };
-    ConditionBuilder.prototype.isPlainArrayLiteral = function (value) {
+    ConditionBuilder.prototype.isPlainArrayLiteral = function (value, allowColumnRefs) {
         var _this = this;
+        if (allowColumnRefs === void 0) { allowColumnRefs = false; }
         if (!Array.isArray(value))
             return false;
         return value.every(function (item) {
@@ -1838,14 +1839,15 @@ var ConditionBuilder = /** @class */ (function (_super) {
             if (type === 'string' || type === 'number' || type === 'boolean')
                 return true;
             if (Array.isArray(item))
-                return _this.isPlainArrayLiteral(item);
+                return _this.isPlainArrayLiteral(item, allowColumnRefs);
             if (item && typeof item === 'object')
-                return _this.isPlainObjectLiteral(item);
+                return _this.isPlainObjectLiteral(item, allowColumnRefs);
             return false;
         });
     };
-    ConditionBuilder.prototype.isPlainObjectLiteral = function (value) {
+    ConditionBuilder.prototype.isPlainObjectLiteral = function (value, allowColumnRefs) {
         var _this = this;
+        if (allowColumnRefs === void 0) { allowColumnRefs = false; }
         if (!value || typeof value !== 'object' || Array.isArray(value))
             return false;
         if (value instanceof Date)
@@ -1864,17 +1866,37 @@ var ConditionBuilder = /** @class */ (function (_super) {
         })) {
             return false;
         }
-        if (entries.some(function (_a) {
-            var key = _a[0];
-            return typeof key === 'string' && (_this.isColumnRef(key) || key.includes('.'));
-        })) {
-            return false;
+        if (!allowColumnRefs) {
+            if (entries.some(function (_a) {
+                var key = _a[0];
+                return typeof key === 'string' && (_this.isColumnRef(key) || key.includes('.'));
+            })) {
+                return false;
+            }
         }
         return true;
     };
+    ConditionBuilder.prototype.resolveColumnDefinition = function (column) {
+        var _a, _b, _c, _d;
+        if (!column || typeof column !== 'string' || !column.includes('.'))
+            return undefined;
+        var _e = column.split('.', 2), prefix = _e[0], colName = _e[1];
+        var tableName = (_a = this.aliasMap[prefix]) !== null && _a !== void 0 ? _a : prefix;
+        var table = (_c = (_b = this.config.C6) === null || _b === void 0 ? void 0 : _b.TABLES) === null || _c === void 0 ? void 0 : _c[tableName];
+        if (!(table === null || table === void 0 ? void 0 : table.TYPE_VALIDATION))
+            return undefined;
+        return (_d = table.TYPE_VALIDATION[colName]) !== null && _d !== void 0 ? _d : table.TYPE_VALIDATION["".concat(tableName, ".").concat(colName)];
+    };
+    ConditionBuilder.prototype.isJsonColumn = function (column) {
+        var columnDef = this.resolveColumnDefinition(column);
+        var mysqlType = columnDef === null || columnDef === void 0 ? void 0 : columnDef.MYSQL_TYPE;
+        return typeof mysqlType === 'string' && mysqlType.toLowerCase().includes('json');
+    };
     ConditionBuilder.prototype.serializeUpdateValue = function (value, params, contextColumn) {
         var normalized = value instanceof Map ? Object.fromEntries(value) : value;
-        if (this.isPlainArrayLiteral(normalized) || this.isPlainObjectLiteral(normalized)) {
+        var allowColumnRefs = this.isJsonColumn(contextColumn);
+        if (this.isPlainArrayLiteral(normalized, allowColumnRefs)
+            || this.isPlainObjectLiteral(normalized, allowColumnRefs)) {
             return this.addParam(params, contextColumn !== null && contextColumn !== void 0 ? contextColumn : '', JSON.stringify(normalized));
         }
         var _a = this.serializeOperand(normalized, params, contextColumn), sql = _a.sql, isReference = _a.isReference, isExpression = _a.isExpression, isSubSelect = _a.isSubSelect;
@@ -2941,6 +2963,63 @@ function normalizeSingularRequest(requestMethod, request, restModel, removedPrim
     return tslib.__assign(tslib.__assign({}, normalized), { dataInsertMultipleRows: dataInsertMultipleRows, cacheResults: cacheResults, fetchDependencies: fetchDependencies, debug: debug, success: success, error: error });
 }
 
+var allowListCache = new Map();
+var normalizeSql = function (sql) {
+    return sql.replace(/\s+/g, " ").trim();
+};
+var parseAllowList = function (raw, sourcePath) {
+    var parsed;
+    try {
+        parsed = JSON.parse(raw);
+    }
+    catch (error) {
+        throw new Error("SQL allowlist at ".concat(sourcePath, " is not valid JSON."));
+    }
+    if (!Array.isArray(parsed)) {
+        throw new Error("SQL allowlist at ".concat(sourcePath, " must be a JSON array of strings."));
+    }
+    var sqlEntries = parsed
+        .filter(function (entry) { return typeof entry === "string"; })
+        .map(normalizeSql)
+        .filter(function (entry) { return entry.length > 0; });
+    if (sqlEntries.length !== parsed.length) {
+        throw new Error("SQL allowlist at ".concat(sourcePath, " must contain only string entries."));
+    }
+    return sqlEntries;
+};
+var loadSqlAllowList = function (allowListPath) { return tslib.__awaiter(void 0, void 0, void 0, function () {
+    var readFile, raw, sqlEntries, allowList;
+    return tslib.__generator(this, function (_a) {
+        switch (_a.label) {
+            case 0:
+                if (allowListCache.has(allowListPath)) {
+                    return [2 /*return*/, allowListCache.get(allowListPath)];
+                }
+                if (!isNode()) {
+                    throw new Error("SQL allowlist validation requires a Node runtime.");
+                }
+                return [4 /*yield*/, import('node:fs/promises')];
+            case 1:
+                readFile = (_a.sent()).readFile;
+                _a.label = 2;
+            case 2:
+                _a.trys.push([2, 4, , 5]);
+                return [4 /*yield*/, readFile(allowListPath, "utf-8")];
+            case 3:
+                raw = _a.sent();
+                return [3 /*break*/, 5];
+            case 4:
+                _a.sent();
+                throw new Error("SQL allowlist file not found at ".concat(allowListPath, "."));
+            case 5:
+                sqlEntries = parseAllowList(raw, allowListPath);
+                allowList = new Set(sqlEntries);
+                allowListCache.set(allowListPath, allowList);
+                return [2 /*return*/, allowList];
+        }
+    });
+}); };
+
 var SqlExecutor = /** @class */ (function (_super) {
     tslib.__extends(SqlExecutor, _super);
     function SqlExecutor() {
@@ -2973,10 +3052,10 @@ var SqlExecutor = /** @class */ (function (_super) {
                         switch (_a) {
                             case 'GET': return [3 /*break*/, 1];
                             case 'POST': return [3 /*break*/, 3];
-                            case 'PUT': return [3 /*break*/, 5];
-                            case 'DELETE': return [3 /*break*/, 7];
+                            case 'PUT': return [3 /*break*/, 6];
+                            case 'DELETE': return [3 /*break*/, 9];
                         }
-                        return [3 /*break*/, 9];
+                        return [3 /*break*/, 12];
                     case 1: return [4 /*yield*/, this.runQuery()];
                     case 2:
                         rest = _b.sent();
@@ -2984,16 +3063,25 @@ var SqlExecutor = /** @class */ (function (_super) {
                     case 3: return [4 /*yield*/, this.runQuery()];
                     case 4:
                         result = _b.sent();
+                        return [4 /*yield*/, this.broadcastWebsocketIfConfigured()];
+                    case 5:
+                        _b.sent();
                         return [2 /*return*/, result];
-                    case 5: return [4 /*yield*/, this.runQuery()];
-                    case 6:
+                    case 6: return [4 /*yield*/, this.runQuery()];
+                    case 7:
                         result = _b.sent();
-                        return [2 /*return*/, result];
-                    case 7: return [4 /*yield*/, this.runQuery()];
+                        return [4 /*yield*/, this.broadcastWebsocketIfConfigured()];
                     case 8:
+                        _b.sent();
+                        return [2 /*return*/, result];
+                    case 9: return [4 /*yield*/, this.runQuery()];
+                    case 10:
                         result = _b.sent();
+                        return [4 /*yield*/, this.broadcastWebsocketIfConfigured()];
+                    case 11:
+                        _b.sent();
                         return [2 /*return*/, result];
-                    case 9: throw new Error("Unsupported request method: ".concat(method));
+                    case 12: throw new Error("Unsupported request method: ".concat(method));
                 }
             });
         });
@@ -3054,6 +3142,149 @@ var SqlExecutor = /** @class */ (function (_super) {
             return "'".concat(val.toISOString().slice(0, 19).replace('T', ' '), "'");
         return "'".concat(JSON.stringify(val), "'");
     };
+    SqlExecutor.prototype.stripRequestMetadata = function (source) {
+        var ignoredKeys = new Set([
+            C6Constants.SELECT,
+            C6Constants.UPDATE,
+            C6Constants.DELETE,
+            C6Constants.WHERE,
+            C6Constants.JOIN,
+            C6Constants.PAGINATION,
+            C6Constants.INSERT,
+            C6Constants.REPLACE,
+            "dataInsertMultipleRows",
+            "cacheResults",
+            "fetchDependencies",
+            "debug",
+            "success",
+            "error",
+        ]);
+        var filtered = {};
+        for (var _i = 0, _a = Object.entries(source); _i < _a.length; _i++) {
+            var _b = _a[_i], key = _b[0], value = _b[1];
+            if (!ignoredKeys.has(key)) {
+                filtered[key] = value;
+            }
+        }
+        return filtered;
+    };
+    SqlExecutor.prototype.normalizeRequestPayload = function (source) {
+        var _a;
+        var columns = this.config.restModel.COLUMNS;
+        var validColumns = new Set(Object.values(columns));
+        var normalized = {};
+        for (var _i = 0, _b = Object.entries(source); _i < _b.length; _i++) {
+            var _c = _b[_i], key = _c[0], value = _c[1];
+            var shortKey = (_a = columns[key]) !== null && _a !== void 0 ? _a : (key.includes(".") ? key.split(".").pop() : key);
+            if (validColumns.has(shortKey)) {
+                normalized[shortKey] = value;
+            }
+        }
+        return normalized;
+    };
+    SqlExecutor.prototype.extractRequestBody = function () {
+        var _a, _b;
+        var request = this.request;
+        if (this.config.requestMethod === C6Constants.POST) {
+            if (Array.isArray(request.dataInsertMultipleRows) && request.dataInsertMultipleRows.length > 0) {
+                return request.dataInsertMultipleRows[0];
+            }
+            if (C6Constants.INSERT in request) {
+                return (_a = request[C6Constants.INSERT]) !== null && _a !== void 0 ? _a : {};
+            }
+            if (C6Constants.REPLACE in request) {
+                return (_b = request[C6Constants.REPLACE]) !== null && _b !== void 0 ? _b : {};
+            }
+            return this.stripRequestMetadata(request);
+        }
+        if (this.config.requestMethod === C6Constants.PUT) {
+            if (request[C6Constants.UPDATE] && typeof request[C6Constants.UPDATE] === "object") {
+                return request[C6Constants.UPDATE];
+            }
+            return this.stripRequestMetadata(request);
+        }
+        return {};
+    };
+    SqlExecutor.prototype.extractPrimaryKeyValues = function () {
+        var _a, _b, _c;
+        var request = this.request;
+        var where = request === null || request === void 0 ? void 0 : request[C6Constants.WHERE];
+        var sources = [request, (where && typeof where === "object" && !Array.isArray(where)) ? where : undefined];
+        var columns = this.config.restModel.COLUMNS;
+        var primaryShorts = (_a = this.config.restModel.PRIMARY_SHORT) !== null && _a !== void 0 ? _a : [];
+        var primaryFulls = (_b = this.config.restModel.PRIMARY) !== null && _b !== void 0 ? _b : [];
+        var pkValues = {};
+        var _loop_1 = function (pkShort) {
+            var value = undefined;
+            for (var _d = 0, sources_1 = sources; _d < sources_1.length; _d++) {
+                var source = sources_1[_d];
+                if (source && pkShort in source) {
+                    value = source[pkShort];
+                    break;
+                }
+            }
+            if (value === undefined) {
+                var fullKey = (_c = primaryFulls.find(function (key) { return key.endsWith("." + pkShort); })) !== null && _c !== void 0 ? _c : Object.keys(columns).find(function (key) { return columns[key] === pkShort; });
+                if (fullKey) {
+                    for (var _e = 0, sources_2 = sources; _e < sources_2.length; _e++) {
+                        var source = sources_2[_e];
+                        if (source && fullKey in source) {
+                            value = source[fullKey];
+                            break;
+                        }
+                    }
+                }
+            }
+            if (value !== undefined) {
+                pkValues[pkShort] = value;
+            }
+        };
+        for (var _i = 0, primaryShorts_1 = primaryShorts; _i < primaryShorts_1.length; _i++) {
+            var pkShort = primaryShorts_1[_i];
+            _loop_1(pkShort);
+        }
+        if (primaryShorts.length > 0 && Object.keys(pkValues).length < primaryShorts.length) {
+            return null;
+        }
+        return Object.keys(pkValues).length > 0 ? pkValues : null;
+    };
+    SqlExecutor.prototype.broadcastWebsocketIfConfigured = function () {
+        return tslib.__awaiter(this, void 0, void 0, function () {
+            var broadcast, payload, error_1;
+            var _a, _b;
+            return tslib.__generator(this, function (_c) {
+                switch (_c.label) {
+                    case 0:
+                        broadcast = this.config.websocketBroadcast;
+                        if (!broadcast || this.config.requestMethod === C6Constants.GET)
+                            return [2 /*return*/];
+                        payload = {
+                            REST: {
+                                TABLE_NAME: this.config.restModel.TABLE_NAME,
+                                TABLE_PREFIX: (_b = (_a = this.config.C6) === null || _a === void 0 ? void 0 : _a.PREFIX) !== null && _b !== void 0 ? _b : "",
+                                METHOD: this.config.requestMethod,
+                                REQUEST: this.normalizeRequestPayload(this.extractRequestBody()),
+                                REQUEST_PRIMARY_KEY: this.extractPrimaryKeyValues(),
+                            },
+                        };
+                        _c.label = 1;
+                    case 1:
+                        _c.trys.push([1, 3, , 4]);
+                        return [4 /*yield*/, broadcast(payload)];
+                    case 2:
+                        _c.sent();
+                        return [3 /*break*/, 4];
+                    case 3:
+                        error_1 = _c.sent();
+                        if (this.config.verbose) {
+                            console.error("[SQL EXECUTOR] websocketBroadcast failed", error_1);
+                        }
+                        return [3 /*break*/, 4];
+                    case 4: return [2 /*return*/];
+                }
+            });
+        });
+    };
     SqlExecutor.prototype.runQuery = function () {
         return tslib.__awaiter(this, void 0, void 0, function () {
             var TABLE_NAME, method, builder, QueryResult, formatted, toUnnamed, _a, sql, values;
@@ -3085,6 +3316,9 @@ var SqlExecutor = /** @class */ (function (_super) {
                         this.config.verbose && console.log("[SQL EXECUTOR] \uD83E\uDDE0 Formatted ".concat(method.toUpperCase(), " SQL:"), formatted);
                         toUnnamed = namedPlaceholders();
                         _a = toUnnamed(QueryResult.sql, QueryResult.params), sql = _a[0], values = _a[1];
+                        return [4 /*yield*/, this.validateSqlAllowList(sql)];
+                    case 1:
+                        _b.sent();
                         return [4 /*yield*/, this.withConnection(function (conn) { return tslib.__awaiter(_this, void 0, void 0, function () {
                                 var result;
                                 return tslib.__generator(this, function (_a) {
@@ -3109,7 +3343,29 @@ var SqlExecutor = /** @class */ (function (_super) {
                                     }
                                 });
                             }); })];
-                    case 1: return [2 /*return*/, _b.sent()];
+                    case 2: return [2 /*return*/, _b.sent()];
+                }
+            });
+        });
+    };
+    SqlExecutor.prototype.validateSqlAllowList = function (sql) {
+        return tslib.__awaiter(this, void 0, void 0, function () {
+            var allowListPath, allowList, normalized;
+            return tslib.__generator(this, function (_a) {
+                switch (_a.label) {
+                    case 0:
+                        allowListPath = this.config.sqlAllowListPath;
+                        if (!allowListPath) {
+                            return [2 /*return*/];
+                        }
+                        return [4 /*yield*/, loadSqlAllowList(allowListPath)];
+                    case 1:
+                        allowList = _a.sent();
+                        normalized = normalizeSql(sql);
+                        if (!allowList.has(normalized)) {
+                            throw new Error("SQL statement is not permitted by allowlist (".concat(allowListPath, ")."));
+                        }
+                        return [2 /*return*/];
                 }
             });
         });
@@ -3126,7 +3382,7 @@ var SqlExecutor$1 = /*#__PURE__*/Object.freeze({
 // note sure how it would help anyone actually...
 function ExpressHandler(_a) {
     var _this = this;
-    var C6 = _a.C6, mysqlPool = _a.mysqlPool;
+    var C6 = _a.C6, mysqlPool = _a.mysqlPool, sqlAllowListPath = _a.sqlAllowListPath;
     return function (req, res, next) { return tslib.__awaiter(_this, void 0, void 0, function () {
         var incomingMethod, table, primary, methodOverrideRaw, methodOverride, treatAsGet, method, payload, restModel, primaryKeys_1, primaryShortKeys_1, columnMap_1, resolveShortKey_1, hasPrimaryKeyValues, primaryKeyName, response, err_1;
         var _a, _b, _c, _d, _e, _f, _g;
@@ -3212,6 +3468,7 @@ function ExpressHandler(_a) {
                     return [4 /*yield*/, restRequest({
                             C6: C6,
                             mysqlPool: mysqlPool,
+                            sqlAllowListPath: sqlAllowListPath,
                             requestMethod: method,
                             restModel: C6.TABLES[table]
                         })(payload)];
@@ -3374,7 +3631,9 @@ exports.isLocal = isLocal;
 exports.isNode = isNode;
 exports.isTest = isTest;
 exports.isVerbose = isVerbose;
+exports.loadSqlAllowList = loadSqlAllowList;
 exports.normalizeSingularRequest = normalizeSingularRequest;
+exports.normalizeSql = normalizeSql;
 exports.onError = onError;
 exports.onSuccess = onSuccess;
 exports.removeInvalidKeys = removeInvalidKeys;