@ditojs/server 1.4.2 → 1.5.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ditojs/server",
-  "version": "1.4.2",
+  "version": "1.5.1",
   "type": "module",
   "description": "Dito.js Server – Dito.js is a declarative and modern web framework, based on Objection.js, Koa.js and Vue.js",
   "repository": "https://github.com/ditojs/dito/tree/master/packages/server",
@@ -21,22 +21,22 @@
     "node >= 16"
   ],
   "dependencies": {
-    "@ditojs/admin": "^1.4.2",
-    "@ditojs/router": "^1.4.1",
-    "@ditojs/utils": "^1.4.1",
-    "@koa/cors": "^3.2.0",
+    "@ditojs/admin": "^1.5.0",
+    "@ditojs/build": "^1.5.0",
+    "@ditojs/router": "^1.5.0",
+    "@ditojs/utils": "^1.5.0",
+    "@koa/cors": "^3.3.0",
     "@koa/multer": "^3.0.0",
     "@originjs/vite-plugin-commonjs": "^1.0.3",
     "ajv": "^8.11.0",
     "ajv-formats": "^2.1.1",
-    "aws-sdk": "^2.1098.0",
+    "aws-sdk": "^2.1106.0",
     "axios": "^0.26.1",
     "bcryptjs": "^2.4.3",
     "bytes": "^3.1.2",
     "data-uri-to-buffer": "^4.0.0",
     "eventemitter2": "^6.4.5",
     "file-type": "^17.1.1",
-    "find-up": "^6.3.0",
     "fs-extra": "^10.0.1",
     "image-size": "^1.0.1",
     "is-svg": "^4.3.2",
@@ -55,31 +55,31 @@
     "mime-types": "^2.1.35",
     "multer": "^1.4.4",
     "multer-s3": "^2.10.0",
-    "nanoid": "^3.3.1",
+    "nanoid": "^3.3.2",
     "parse-duration": "^1.0.2",
     "passport-local": "^1.0.0",
     "passthrough-counter": "^1.0.0",
     "picocolors": "^1.0.0",
     "picomatch": "^2.3.1",
     "pino": "^7.9.2",
-    "pino-pretty": "^7.5.4",
+    "pino-pretty": "^7.6.0",
     "pluralize": "^8.0.0",
     "repl": "^0.1.3",
     "uuid": "^8.3.2",
-    "vite": "^2.8.6",
+    "vite": "^2.9.1",
     "vite-plugin-vue2": "^1.9.3",
     "vue": "^2.6.14",
     "vue-template-compiler": "^2.6.14"
   },
   "peerDependencies": {
-    "knex": "^0.21.0",
-    "objection": "^2.2.0"
+    "knex": "^1.0.4",
+    "objection": "^3.0.1"
   },
   "devDependencies": {
-    "knex": "^0.21.21",
-    "objection": "^2.2.18",
+    "knex": "^1.0.4",
+    "objection": "^3.0.1",
     "pg": "^8.7.3",
     "sqlite3": "^5.0.2"
   },
-  "gitHead": "1790e50f979322b47a53421e9facddb86f6eff86"
+  "gitHead": "40731960cf8b528f4f40f8b7e43e2e966138337c"
 }

package/src/app/Application.js

@@ -1,11 +1,13 @@
+import os from 'os'
+import path from 'path'
+import util from 'util'
+import zlib from 'zlib'
+import fs from 'fs-extra'
 import Koa from 'koa'
 import Knex from 'knex'
-import util from 'util'
 import axios from 'axios'
 import pico from 'picocolors'
-import zlib from 'zlib'
 import pino from 'pino'
-import os from 'os'
 import parseDuration from 'parse-duration'
 import bodyParser from 'koa-bodyparser'
 import cors from '@koa/cors'
@@ -46,11 +48,10 @@ import {
   handleUser,
   logRequests
 } from '../middleware/index.js'
-import objection, {
+import {
   Model,
   BelongsToOneRelation,
-  // TODO: Import directly once we can move to Objection 3
-  // knexSnakeCaseMappers,
+  knexSnakeCaseMappers,
   ref
 } from 'objection'
 
@@ -626,7 +627,7 @@ export class Application extends Koa {
       if (snakeCaseOptions) {
         knex = {
           ...knex,
-          ...objection.knexSnakeCaseMappers(snakeCaseOptions)
+          ...knexSnakeCaseMappers(snakeCaseOptions)
         }
       }
       this.knex = Knex(knex)
@@ -853,23 +854,38 @@ export class Application extends Koa {
             if (file.data || file.url) {
               let { data } = file
               if (!data) {
+                const { url } = file
+                if (!storage.isImportSourceAllowed(url)) {
+                  throw new AssetError(
+                    `Unable to import asset from foreign source: '${
+                      file.name
+                    }' ('${
+                      url
+                    }'): The source needs to be explicitly allowed.`
+                  )
+                }
                 console.info(
                   `${
                     pico.red('INFO:')
                   } Asset ${
                     pico.green(`'${file.name}'`)
                   } is from a foreign source, fetching from ${
-                    pico.green(`'${file.url}'`)
+                    pico.green(`'${url}'`)
                   } and adding to storage ${
                     pico.green(`'${storage.name}'`)
                   }...`
                 )
-                const response = await axios.request({
-                  method: 'get',
-                  url: file.url,
-                  responseType: 'arraybuffer'
-                })
-                data = response.data
+                if (url.startsWith('file://')) {
+                  const filepath = path.resolve(url.substring(7))
+                  data = await fs.readFile(filepath)
+                } else {
+                  const response = await axios.request({
+                    method: 'get',
+                    responseType: 'arraybuffer',
+                    url
+                  })
+                  data = response.data
+                }
               }
               const importedFile = await storage.addFile(file, data)
               await this.createAssets(storage, [importedFile], 0, trx)

package/src/controllers/AdminController.js

@@ -1,5 +1,4 @@
 import path from 'path'
-import fs from 'fs'
 import Koa from 'koa'
 import serve from 'koa-static'
 import { defineConfig, createServer } from 'vite'
@@ -7,8 +6,10 @@ import { createVuePlugin } from 'vite-plugin-vue2'
 import {
   viteCommonjs as createCommonJsPlugin
 } from '@originjs/vite-plugin-commonjs'
-import picomatch from 'picomatch'
-import { findUpSync } from 'find-up'
+import {
+  createRollupImportsResolver,
+  testModuleIdentifier
+} from '@ditojs/build'
 import { merge } from '@ditojs/utils'
 import { Controller } from './Controller.js'
 import { handleConnectMiddleware } from '../middleware/index.js'
@@ -135,16 +136,11 @@ export class AdminController extends Controller {
   getViteConfig(config = {}) {
     const development = this.mode === 'development'
 
-    const cwd = path.resolve('.')
+    const cwd = process.cwd()
     const root = this.getPath('root')
     const base = `${this.url}/`
     const views = path.join(root, 'views')
 
-    // Read `package.json` from the closest package.json, so we can emulate
-    // ESM-style imports mappings in rollup / vite.
-    const pkg = findUpSync('package.json', { cwd: root })
-    const { imports = {} } = JSON.parse(fs.readFileSync(pkg, 'utf8'))
-
     return defineConfig(merge({
       root,
       base,
@@ -185,7 +181,7 @@ export class AdminController extends Controller {
                     return 'common'
                   } else {
                     const module = id.match(/node_modules\/([^/$]*)/)?.[1] || ''
-                    return picomatch.isMatch(module, CORE_DEPENDENCIES)
+                    return testModuleIdentifier(module, CORE_DEPENDENCIES)
                       ? 'core'
                       : 'vendor'
                   }
@@ -210,27 +206,7 @@ export class AdminController extends Controller {
             find: '@',
             replacement: root
           },
-          {
-            // Use a custom rollup resolver to emulate ESM-style imports
-            // mappings in vite, as read from `package.json` above:
-            find: /^#/,
-            replacement: '#',
-            customResolver(id) {
-              for (const [find, replacement] of Object.entries(imports)) {
-                picomatch.isMatch(id, find.replace('*', '**'), {
-                  capture: true,
-                  onMatch({ input, regex }) {
-                    const replacementPath = path.resolve(replacement)
-                    const match = input.match(regex)?.[1]
-                    id = match
-                      ? replacementPath.replace('*', match)
-                      : replacementPath
-                  }
-                })
-              }
-              return id
-            }
-          }
+          createRollupImportsResolver({ cwd: root })
         ]
       }
     }, config))

package/src/controllers/CollectionController.js

@@ -68,17 +68,18 @@ export class CollectionController extends Controller {
     return this.extendContext(ctx, { memberId })
   }
 
-  getCollectionIds(ctx) {
+  getModelId(model) {
     const idProperty = this.modelClass.getIdProperty()
     // Handle both composite keys and normal ones.
-    const getId = isArray(idProperty)
-      ? model => idProperty.reduce(
-        (id, key) => {
-          id.push(model[key])
-          return id
-        }, [])
-      : model => model[idProperty]
-    return asArray(ctx.request.body).map(model => this.validateId(getId(model)))
+    return isArray(idProperty)
+      ? idProperty.map(property => model[property])
+      : model[idProperty]
+  }
+
+  getCollectionIds(ctx) {
+    return asArray(ctx.request.body).map(
+      model => this.validateId(this.getModelId(model))
+    )
   }
 
   getIds(ctx) {
@@ -219,9 +220,9 @@ export class CollectionController extends Controller {
           .modify(getModify(modify, trx))
         )
         : await this.executeAndFetch('insert', ctx, modify)
-      ctx.status = 201
+      ctx.status = 201 // Created
       if (isObject(result)) {
-        ctx.set('Location', this.getUrl('collection', result.id))
+        ctx.set('Location', this.getUrl('collection', this.getModelId(result)))
       }
       return result
     },

package/src/middleware/handleUser.js

@@ -17,6 +17,10 @@ export function handleUser() {
       const { user } = ctx.state
       await user?.$emit('before:logout', options)
       await logout.call(this) // No options in passport's logout()
+      // Clear the session after logout, apparently koa-passport doesn't take
+      // care of this itself:
+      // https://stackoverflow.com/questions/55818887/koa-passport-logout-is-not-clearing-session
+      ctx.session = null
       await user?.$emit('after:logout', options)
     }
 

package/src/models/Model.js

@@ -929,11 +929,9 @@ export class Model extends objection.Model {
         )
         : assetDataPaths
 
-      // `dataPaths` will be empty in the case of an update/insert that do not
+      // `dataPaths` is empty in the case of an update/insert that does not
       // affect the assets.
-      if (dataPaths.length === 0) {
-        return
-      }
+      if (dataPaths.length === 0) return
 
       // Load the model's asset files in their current state before the query is
       // executed.
@@ -972,7 +970,7 @@ export class Model extends objection.Model {
           if (modifiedFiles.length > 0) {
             // TODO: `modifiedFiles` should be restored as well, but that's far
             // from trivial since no backup is kept in `handleModifiedAssets`
-            console.info(
+            console.warn(
               `Unable to restore these already modified files: ${
                 modifiedFiles.map(file => `'${file.name}'`)
               }`

package/src/query/QueryBuilder.js

@@ -216,24 +216,19 @@ export class QueryBuilder extends objection.QueryBuilder {
       this._allowScopes = query._allowScopes ? { ...query._allowScopes } : null
       this._ignoreScopes = { ...query._ignoreScopes }
     }
+    const scopes = isChildQuery
+      // When copying scopes for child-queries, we also need to take the already
+      // applied scopes into account and copy those too.
+      ? { ...query._appliedScopes, ...query._scopes }
+      : { ...query._scopes }
     // If the target is a child query of a graph query, copy all scopes, graph
     // and non-graph. If it is a child query of a related or eager query,
     // copy only the graph scopes.
     const copyAllScopes =
       isSameModelClass && isChildQuery && query.has(/GraphAndFetch$/)
-    // When copying scopes for child-queries, we also need to take the already
-    // applied scopes into account and copy those too.
-    const scopes = isChildQuery
-      ? { ...query._appliedScopes, ...query._scopes }
-      : query._scopes
-    this._scopes = this._filterScopes(scopes, (scope, graph) =>
-      copyAllScopes || graph)
-  }
-
-  _filterScopes(scopes, callback) {
-    return Object.fromEntries(Object.entries(scopes).filter(
-      ([scope, graph]) => callback(scope, graph)
-    ))
+    this._scopes = copyAllScopes
+      ? scopes
+      : filterScopes(scopes, (scope, graph) => graph) // copy graph-scopes only.
   }
 
   _applyScope(scope, graph) {
@@ -797,6 +792,12 @@ for (const key of [
   }
 }
 
+function filterScopes(scopes, callback) {
+  return Object.fromEntries(Object.entries(scopes).filter(
+    ([scope, graph]) => callback(scope, graph)
+  ))
+}
+
 // The default options for insertDitoGraph(), upsertDitoGraph(),
 // updateDitoGraph() and patchDitoGraph()
 const insertDitoGraphOptions = {

package/src/schema/relations.test.js

@@ -5,7 +5,7 @@ import {
   HasManyRelation,
   ManyToManyRelation
 } from 'objection'
-import { Model } from '../models.js'
+import { Model } from '../models/index.js'
 import {
   getRelationClass, convertRelation, addRelationSchemas
 } from './relations.js'

package/src/storage/Storage.js

@@ -1,8 +1,9 @@
 import path from 'path'
+import { URL } from 'url'
 import multer from '@koa/multer'
+import picomatch from 'picomatch'
 import imageSize from 'image-size'
 import { PassThrough } from 'stream'
-import { URL } from 'url'
 import { hyphenate, toPromiseCallback } from '@ditojs/utils'
 import { AssetFile } from './AssetFile.js'
 
@@ -57,6 +58,10 @@ export class Storage {
     return AssetFile.getUniqueKey(name)
   }
 
+  isImportSourceAllowed(url) {
+    return picomatch.isMatch(url, this.config.allowedImports || [])
+  }
+
   convertAssetFile(file) {
     return AssetFile.convert(file, this)
   }