@clairejs/server 3.24.0 → 3.25.0

package/README.md

@@ -1,5 +1,9 @@
 ## Change Log
 
+#### 3.25.0
+
+-   add other security access condition classes
+
 #### 3.24.0
 
 -   add ApiInfo class and @PublicAccess, @TfaRequired decorators

package/dist/common/request/endpoint-metadata.d.ts

@@ -1,8 +1,10 @@
 import { type Constructor, type ObjectFieldMetadata } from "@clairejs/core";
 import { type RequestDataSource } from "./types";
 import { ApiInfo } from "../../http/common/dto";
+import { AbstractAccessCondition } from "../../http/security/abstract-access-condition";
 export interface EndpointMetadata extends ApiInfo, ObjectFieldMetadata {
     controller: any;
+    accessConditionCls?: Constructor<AbstractAccessCondition<any>>[];
     params?: {
         [index: number]: {
             source?: RequestDataSource;

package/dist/http/common/dto.d.ts

@@ -1,4 +1,5 @@
 import { HttpMethod, SocketMethod, DtoMetadata } from "@clairejs/core";
+import { AccessConditionMetadata } from "../security/access-condition-metadata";
 export declare class ApiInfo {
     id: string;
     apiGroup?: string;
@@ -15,6 +16,7 @@ export declare class ApiInfo {
     downstreamMessageDtos?: DtoMetadata[];
     publicAccess?: boolean;
     tfaRequired?: boolean;
+    accessConditions?: AccessConditionMetadata[];
 }
 export declare class ApiInfoResponse {
     apis: ApiInfo[];

package/dist/http/common/dto.js

@@ -8,6 +8,7 @@ var __metadata = (this && this.__metadata) || function (k, v) {
     if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
 import { Data, Field, HttpMethod, Enum, getObjectMetadata, DataType } from "@clairejs/core";
+import { AccessConditionMetadata } from "../security/access-condition-metadata";
 let ApiInfo = class ApiInfo {
     id;
     apiGroup;
@@ -24,6 +25,7 @@ let ApiInfo = class ApiInfo {
     downstreamMessageDtos;
     publicAccess;
     tfaRequired;
+    accessConditions;
 };
 __decorate([
     Field({
@@ -121,6 +123,14 @@ __decorate([
     }),
     __metadata("design:type", Boolean)
 ], ApiInfo.prototype, "tfaRequired", void 0);
+__decorate([
+    Field({
+        description: "The configurable access condition of this permission",
+        vectorProps: {},
+        elementDto: getObjectMetadata(AccessConditionMetadata),
+    }),
+    __metadata("design:type", Array)
+], ApiInfo.prototype, "accessConditions", void 0);
 ApiInfo = __decorate([
     Data()
 ], ApiInfo);

package/dist/http/controller/AbstractHttpRequestHandler.js

@@ -53,9 +53,11 @@ export class AbstractHttpRequestHandler {
                     this.logger?.warn(`Implicit overriding endpoint: ${overridingEndpoint.method}:${overridingEndpoint.mount} of ${overridingEndpoint.controller?.constructor.name}:${overridingEndpoint.name}`, `Ignore ${endpointInfo.method}:${endpointInfo.mount} of ${endpointInfo.controller?.constructor.name}:${endpointInfo.name}`);
                 }
                 else {
+                    endpointInfo.accessConditions = endpointInfo.accessConditionCls?.map((cls) => injector.resolve(cls).getConditionMetadata());
                     mountedEndpointInfo.push(endpointInfo);
                 }
             }
+            await injector.initInstances();
             this.mountedEndpointInfo = mountedEndpointInfo;
         }
         return this.mountedEndpointInfo;

package/dist/http/security/abstract-access-condition.d.ts

@@ -0,0 +1,7 @@
+import { HttpRequest } from "../common/HttpRequest";
+import { AccessConditionMetadata } from "./access-condition-metadata";
+export declare abstract class AbstractAccessCondition<T> {
+    abstract resolveConditionValue(req: HttpRequest): Promise<T>;
+    abstract validate(conditionValue: T, permittedConditionValue: unknown): Promise<boolean>;
+    abstract getConditionMetadata(): AccessConditionMetadata;
+}

package/dist/http/security/abstract-access-condition.js

@@ -0,0 +1,2 @@
+export class AbstractAccessCondition {
+}

package/dist/http/security/access-condition-metadata.d.ts

@@ -0,0 +1,7 @@
+import { AccessConditionValueType } from "./access-condition-value-type";
+export declare class AccessConditionMetadata {
+    name: string;
+    valueType: AccessConditionValueType;
+    valueConstraint?: any;
+    description?: string;
+}

package/dist/http/security/access-condition-metadata.js

@@ -0,0 +1,49 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+import { Data, Enum, Field } from "@clairejs/core";
+import { AccessConditionValueType } from "./access-condition-value-type";
+let AccessConditionMetadata = class AccessConditionMetadata {
+    name;
+    valueType;
+    valueConstraint;
+    description;
+};
+__decorate([
+    Field({
+        description: "Distinguishable name of this condition type.",
+        isRequired: true,
+    }),
+    __metadata("design:type", String)
+], AccessConditionMetadata.prototype, "name", void 0);
+__decorate([
+    Field({
+        description: "Type of condition value.",
+        isRequired: true,
+        ...Enum(AccessConditionValueType),
+    }),
+    __metadata("design:type", String)
+], AccessConditionMetadata.prototype, "valueType", void 0);
+__decorate([
+    Field({
+        description: "Constraint for the condition value.",
+        isRequired: false,
+    }),
+    __metadata("design:type", Object)
+], AccessConditionMetadata.prototype, "valueConstraint", void 0);
+__decorate([
+    Field({
+        description: "Description of the condition.",
+    }),
+    __metadata("design:type", String)
+], AccessConditionMetadata.prototype, "description", void 0);
+AccessConditionMetadata = __decorate([
+    Data()
+], AccessConditionMetadata);
+export { AccessConditionMetadata };

package/dist/http/security/access-condition-value-type.d.ts

@@ -0,0 +1,30 @@
+export declare enum AccessConditionValueType {
+    /**
+     * Any string value. Constraint is a regex.
+     */
+    STRING = "STRING",
+    /**
+     * Numerical value. Constraint is {from: number, to: number, integer: boolean} encoded into string.
+     */
+    NUMBER = "NUMBER",
+    /**
+     * Yes or No. No constraint.
+     */
+    BOOLEAN = "BOOLEAN",
+    /**
+     * An unlimited list of string values. Constraint is whether emptiness is allowed.
+     */
+    LIST = "LIST",
+    /**
+     * A list of choices. Constraint is the list of choices.
+     */
+    CHOICES = "CHOICES",
+    /**
+     * A list of mutual exclusive choices. Constraint is the list of choices.
+     */
+    MUTEXCHOICES = "MUTEXCHOICES",
+    /**
+     * And DtoMetadata that validates an data object. Constraint is the information of dto fields.
+     */
+    DTO = "DTO"
+}

package/dist/http/security/access-condition-value-type.js

@@ -0,0 +1,31 @@
+export var AccessConditionValueType;
+(function (AccessConditionValueType) {
+    /**
+     * Any string value. Constraint is a regex.
+     */
+    AccessConditionValueType["STRING"] = "STRING";
+    /**
+     * Numerical value. Constraint is {from: number, to: number, integer: boolean} encoded into string.
+     */
+    AccessConditionValueType["NUMBER"] = "NUMBER";
+    /**
+     * Yes or No. No constraint.
+     */
+    AccessConditionValueType["BOOLEAN"] = "BOOLEAN";
+    /**
+     * An unlimited list of string values. Constraint is whether emptiness is allowed.
+     */
+    AccessConditionValueType["LIST"] = "LIST";
+    /**
+     * A list of choices. Constraint is the list of choices.
+     */
+    AccessConditionValueType["CHOICES"] = "CHOICES";
+    /**
+     * A list of mutual exclusive choices. Constraint is the list of choices.
+     */
+    AccessConditionValueType["MUTEXCHOICES"] = "MUTEXCHOICES";
+    /**
+     * And DtoMetadata that validates an data object. Constraint is the information of dto fields.
+     */
+    AccessConditionValueType["DTO"] = "DTO";
+})(AccessConditionValueType || (AccessConditionValueType = {}));

package/dist/http/security/access-conditions/filter-model-fields.d.ts

@@ -0,0 +1,4 @@
+import { type Constructor } from "@clairejs/core";
+import { HttpRequest } from "../../common/HttpRequest";
+import { AbstractAccessCondition } from "../abstract-access-condition";
+export declare const FilterModelFieldAccessCondition: <T extends Constructor<any>>(model: T, name: string, requestedConditionValueResolver: (context: HttpRequest) => string[] | undefined) => Constructor<AbstractAccessCondition<string[] | undefined>>;

package/dist/http/security/access-conditions/filter-model-fields.js

@@ -0,0 +1,31 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+import { getObjectMetadata, Register } from "@clairejs/core";
+import { AbstractAccessCondition } from "../abstract-access-condition";
+import { AccessConditionValueType } from "../access-condition-value-type";
+export const FilterModelFieldAccessCondition = (model, name, requestedConditionValueResolver) => {
+    let _ = class _ extends AbstractAccessCondition {
+        async resolveConditionValue(context) {
+            return requestedConditionValueResolver(context);
+        }
+        getConditionMetadata() {
+            return {
+                name,
+                valueType: AccessConditionValueType.CHOICES,
+                valueConstraint: getObjectMetadata(model).fields.map((f) => f.name),
+            };
+        }
+        async validate(requestedConditionValue, permittedConditionValue) {
+            return (!!requestedConditionValue &&
+                requestedConditionValue.every((value) => permittedConditionValue.includes(value)));
+        }
+    };
+    _ = __decorate([
+        Register()
+    ], _);
+    return _;
+};

package/dist/http/security/access-conditions/max-query-limit.d.ts

@@ -0,0 +1,8 @@
+import { HttpRequest } from "../../common/HttpRequest";
+import { AbstractAccessCondition } from "../abstract-access-condition";
+import { AccessConditionMetadata } from "../access-condition-metadata";
+export declare class MaximumQueryLimit extends AbstractAccessCondition<number> {
+    resolveConditionValue(context: HttpRequest): Promise<number>;
+    validate(conditionValue: number, permittedConditionValue: number): Promise<boolean>;
+    getConditionMetadata(): AccessConditionMetadata;
+}

package/dist/http/security/access-conditions/max-query-limit.js

@@ -0,0 +1,29 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+import { Register } from "@clairejs/core";
+import { AbstractAccessCondition } from "../abstract-access-condition";
+import { AccessConditionValueType } from "../access-condition-value-type";
+let MaximumQueryLimit = class MaximumQueryLimit extends AbstractAccessCondition {
+    async resolveConditionValue(context) {
+        const queries = context.getQuery();
+        return queries.limit || 0;
+    }
+    async validate(conditionValue, permittedConditionValue) {
+        return conditionValue > 0 && conditionValue <= permittedConditionValue;
+    }
+    getConditionMetadata() {
+        return {
+            name: "maximum_query_limit",
+            valueType: AccessConditionValueType.NUMBER,
+            valueConstraint: JSON.stringify({ min: 1 }),
+        };
+    }
+};
+MaximumQueryLimit = __decorate([
+    Register()
+], MaximumQueryLimit);
+export { MaximumQueryLimit };

package/dist/http/security/access-conditions/socket-read-write.d.ts

@@ -0,0 +1,13 @@
+import { HttpRequest } from "../../common/HttpRequest";
+import { AbstractAccessCondition } from "../abstract-access-condition";
+import { AccessConditionMetadata } from "../access-condition-metadata";
+export declare class SocketReadCondition extends AbstractAccessCondition<boolean> {
+    resolveConditionValue(request: HttpRequest): Promise<any>;
+    validate(conditionValue: any): Promise<boolean>;
+    getConditionMetadata(): AccessConditionMetadata;
+}
+export declare class SocketWriteCondition extends AbstractAccessCondition<boolean> {
+    resolveConditionValue(request: HttpRequest): Promise<any>;
+    validate(conditionValue: any): Promise<boolean>;
+    getConditionMetadata(): AccessConditionMetadata;
+}

package/dist/http/security/access-conditions/socket-read-write.js

@@ -0,0 +1,50 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+import { Register } from "@clairejs/core";
+import { AbstractAccessCondition } from "../abstract-access-condition";
+import { AccessConditionValueType } from "../access-condition-value-type";
+const SOCKET_ACTION_HEADER = "x-socket-action";
+const SOCKET_ACTION_READ = "read";
+const SOCKET_ACTION_WRITE = "write";
+let SocketReadCondition = class SocketReadCondition extends AbstractAccessCondition {
+    async resolveConditionValue(request) {
+        return request.headers[SOCKET_ACTION_HEADER] === SOCKET_ACTION_READ;
+    }
+    async validate(conditionValue) {
+        return !!conditionValue;
+    }
+    getConditionMetadata() {
+        return {
+            name: "disable_write",
+            description: "Disable send message to channel",
+            valueType: AccessConditionValueType.BOOLEAN,
+        };
+    }
+};
+SocketReadCondition = __decorate([
+    Register()
+], SocketReadCondition);
+export { SocketReadCondition };
+let SocketWriteCondition = class SocketWriteCondition extends AbstractAccessCondition {
+    async resolveConditionValue(request) {
+        return request.headers[SOCKET_ACTION_HEADER] === SOCKET_ACTION_WRITE;
+    }
+    async validate(conditionValue) {
+        return !!conditionValue;
+    }
+    getConditionMetadata() {
+        return {
+            name: "disable_read",
+            description: "Disable receive message from channel",
+            valueType: AccessConditionValueType.BOOLEAN,
+        };
+    }
+};
+SocketWriteCondition = __decorate([
+    Register()
+], SocketWriteCondition);
+export { SocketWriteCondition };

package/dist/http/security/decorators.d.ts

@@ -1,3 +1,10 @@
+import { Constructor, Identifiable } from "@clairejs/core";
 import { AbstractHttpController } from "../controller/AbstractHttpController";
+import { CrudHttpController } from "../controller/CrudHttpController";
+import { AbstractSocketController } from "../../socket/AbstractSocketController";
+import { AbstractAccessCondition } from "./abstract-access-condition";
 export declare const PublicAccess: () => (prototype: AbstractHttpController, propertyKey: string) => void;
 export declare const TfaRequired: () => (prototype: AbstractHttpController, propertyKey: string) => void;
+export declare const AccessCondition: (conditions: Constructor<AbstractAccessCondition<any>>[]) => <T extends AbstractHttpController | AbstractSocketController>(prototype: T, propertyKey: keyof T) => void;
+export declare const DefaultHttpAccessConditions: <K extends Identifiable>(model: Constructor<K>) => <T extends CrudHttpController<K>>(constructor: Constructor<T>) => void;
+export declare const DefaultSocketAccessConditions: <T extends AbstractSocketController>() => (constructor: Constructor<T>) => void;

package/dist/http/security/decorators.js

@@ -1,4 +1,7 @@
-import { initFieldMetadata } from "@clairejs/core";
+import { initFieldMetadata, leanData, uniqueReducer, } from "@clairejs/core";
+import { FilterModelFieldAccessCondition } from "./access-conditions/filter-model-fields";
+import { MaximumQueryLimit } from "./access-conditions/max-query-limit";
+import { SocketReadCondition, SocketWriteCondition } from "./access-conditions/socket-read-write";
 export const PublicAccess = () => (prototype, propertyKey) => {
     const endpointMetadata = initFieldMetadata(prototype, propertyKey);
     endpointMetadata.publicAccess = true;
@@ -7,3 +10,36 @@ export const TfaRequired = () => (prototype, propertyKey) => {
     const endpointMetadata = initFieldMetadata(prototype, propertyKey);
     endpointMetadata.tfaRequired = true;
 };
+export const AccessCondition = (conditions) => (prototype, propertyKey) => {
+    const endpointMetadata = initFieldMetadata(prototype, propertyKey);
+    endpointMetadata.accessConditionCls = [...(endpointMetadata.accessConditionCls || []), ...conditions];
+};
+export const DefaultHttpAccessConditions = (model) => (constructor) => {
+    //-- for getMany
+    AccessCondition([
+        FilterModelFieldAccessCondition(model, "model_projection", (request) => request.getQuery().projection),
+        MaximumQueryLimit,
+    ])(constructor.prototype, "getMany");
+    //-- for update many
+    AccessCondition([
+        FilterModelFieldAccessCondition(model, "restrict_update_fields", (request) => {
+            const updateBody = request.getBody().update;
+            if (!updateBody) {
+                return [];
+            }
+            return Object.keys(leanData(updateBody));
+        }),
+    ])(constructor.prototype, "updateMany");
+    //-- for update records
+    AccessCondition([
+        FilterModelFieldAccessCondition(model, "restrict_update_fields", (request) => {
+            const updates = request.getBody();
+            return updates.records
+                .flatMap(({ id, ...update }) => Object.keys(leanData(update) || {}))
+                .reduce(uniqueReducer, []);
+        }),
+    ])(constructor.prototype, "updateRecords");
+};
+export const DefaultSocketAccessConditions = () => (constructor) => {
+    AccessCondition([SocketReadCondition, SocketWriteCondition])(constructor.prototype, "getChannelName");
+};

package/dist/http/utils.d.ts

@@ -1,2 +1,2 @@
-import { type ApiInfoResponse } from "@clairejs/core";
+import { ApiInfoResponse } from "./common/dto";
 export declare const getApiInfo: () => Promise<ApiInfoResponse>;

package/dist/http/utils.js

@@ -6,9 +6,13 @@ export const getApiInfo = async () => {
     const httpHandler = injector.resolveOptional(AbstractHttpRequestHandler);
     const socketManager = injector.resolveOptional(AbstractServerSocketManager);
     await injector.initInstances();
-    const httpInfo = httpHandler ? await httpHandler.getMountedEndpointInfo() : [];
-    const socketInfo = socketManager ? await socketManager.getMountedEndpointInfo() : [];
-    return {
-        apis: [...httpInfo, ...socketInfo].map(({ controller, params, injecteeSuperClass, ...api }) => api),
+    const [httpInfo, socketInfo] = await Promise.all([
+        httpHandler ? httpHandler.getMountedEndpointInfo() : Promise.resolve([]),
+        socketManager ? socketManager.getMountedEndpointInfo() : Promise.resolve([]),
+    ]);
+    const result = {
+        apis: [...httpInfo, ...socketInfo].map(({ controller, params, injecteeSuperClass, accessConditionCls, ...api }) => api),
     };
+    await injector.initInstances();
+    return result;
 };

package/dist/index.d.ts

@@ -15,6 +15,12 @@ export * from "./http/controller/AbstractHttpRequestHandler";
 export * from "./http/controller/AbstractHttpMiddleware";
 export * from "./http/security/cors";
 export * from "./http/security/decorators";
+export * from "./http/security/access-conditions/filter-model-fields";
+export * from "./http/security/access-conditions/max-query-limit";
+export * from "./http/security/access-conditions/socket-read-write";
+export * from "./http/security/abstract-access-condition";
+export * from "./http/security/access-condition-metadata";
+export * from "./http/security/access-condition-value-type";
 export * from "./http/auth/AbstractHttpAuthorizer";
 export * from "./http/repository/ModelRepository";
 export * from "./http/repository/DtoRepository";

package/dist/index.js

@@ -17,6 +17,12 @@ export * from "./http/controller/AbstractHttpRequestHandler";
 export * from "./http/controller/AbstractHttpMiddleware";
 export * from "./http/security/cors";
 export * from "./http/security/decorators";
+export * from "./http/security/access-conditions/filter-model-fields";
+export * from "./http/security/access-conditions/max-query-limit";
+export * from "./http/security/access-conditions/socket-read-write";
+export * from "./http/security/abstract-access-condition";
+export * from "./http/security/access-condition-metadata";
+export * from "./http/security/access-condition-value-type";
 export * from "./http/auth/AbstractHttpAuthorizer";
 export * from "./http/repository/ModelRepository";
 export * from "./http/repository/DtoRepository";

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@clairejs/server",
-    "version": "3.24.0",
+    "version": "3.25.0",
     "description": "Claire server NodeJs framework written in Typescript.",
     "types": "dist/index.d.ts",
     "main": "dist/index.js",
@@ -34,8 +34,8 @@
     },
     "peerDependencies": {
         "@clairejs/client": "^3.4.6",
-        "@clairejs/core": "^3.8.10",
-        "@clairejs/orm": "^3.16.25"
+        "@clairejs/core": "^3.8.13",
+        "@clairejs/orm": "^3.16.28"
     },
     "devDependencies": {
         "@types/cookie-parser": "^1.4.3",