@ditojs/server 1.4.3 → 1.5.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ditojs/server",
-  "version": "1.4.3",
+  "version": "1.5.0",
   "type": "module",
   "description": "Dito.js Server – Dito.js is a declarative and modern web framework, based on Objection.js, Koa.js and Vue.js",
   "repository": "https://github.com/ditojs/dito/tree/master/packages/server",
@@ -21,22 +21,22 @@
     "node >= 16"
   ],
   "dependencies": {
-    "@ditojs/admin": "^1.4.3",
-    "@ditojs/router": "^1.4.3",
-    "@ditojs/utils": "^1.4.3",
-    "@koa/cors": "^3.2.0",
+    "@ditojs/admin": "^1.5.0",
+    "@ditojs/build": "^1.5.0",
+    "@ditojs/router": "^1.5.0",
+    "@ditojs/utils": "^1.5.0",
+    "@koa/cors": "^3.3.0",
     "@koa/multer": "^3.0.0",
     "@originjs/vite-plugin-commonjs": "^1.0.3",
     "ajv": "^8.11.0",
     "ajv-formats": "^2.1.1",
-    "aws-sdk": "^2.1098.0",
+    "aws-sdk": "^2.1106.0",
     "axios": "^0.26.1",
     "bcryptjs": "^2.4.3",
     "bytes": "^3.1.2",
     "data-uri-to-buffer": "^4.0.0",
     "eventemitter2": "^6.4.5",
     "file-type": "^17.1.1",
-    "find-up": "^6.3.0",
     "fs-extra": "^10.0.1",
     "image-size": "^1.0.1",
     "is-svg": "^4.3.2",
@@ -55,31 +55,30 @@
     "mime-types": "^2.1.35",
     "multer": "^1.4.4",
     "multer-s3": "^2.10.0",
-    "nanoid": "^3.3.1",
+    "nanoid": "^3.3.2",
     "parse-duration": "^1.0.2",
     "passport-local": "^1.0.0",
     "passthrough-counter": "^1.0.0",
     "picocolors": "^1.0.0",
-    "picomatch": "^2.3.1",
     "pino": "^7.9.2",
-    "pino-pretty": "^7.5.4",
+    "pino-pretty": "^7.6.0",
     "pluralize": "^8.0.0",
     "repl": "^0.1.3",
     "uuid": "^8.3.2",
-    "vite": "^2.8.6",
+    "vite": "^2.9.1",
     "vite-plugin-vue2": "^1.9.3",
     "vue": "^2.6.14",
     "vue-template-compiler": "^2.6.14"
   },
   "peerDependencies": {
-    "knex": "^0.21.0",
-    "objection": "^2.2.0"
+    "knex": "^1.0.4",
+    "objection": "^3.0.1"
   },
   "devDependencies": {
-    "knex": "^0.21.21",
-    "objection": "^2.2.18",
+    "knex": "^1.0.4",
+    "objection": "^3.0.1",
     "pg": "^8.7.3",
     "sqlite3": "^5.0.2"
   },
-  "gitHead": "f2a544aef8ab0a12c7019650cd86558f8365b007"
+  "gitHead": "36a57512228cc233211bf6e4038123a9e775f5c5"
 }

package/src/app/Application.js

@@ -1,11 +1,13 @@
+import os from 'os'
+import path from 'path'
+import util from 'util'
+import zlib from 'zlib'
+import fs from 'fs-extra'
 import Koa from 'koa'
 import Knex from 'knex'
-import util from 'util'
 import axios from 'axios'
 import pico from 'picocolors'
-import zlib from 'zlib'
 import pino from 'pino'
-import os from 'os'
 import parseDuration from 'parse-duration'
 import bodyParser from 'koa-bodyparser'
 import cors from '@koa/cors'
@@ -46,11 +48,10 @@ import {
   handleUser,
   logRequests
 } from '../middleware/index.js'
-import objection, {
+import {
   Model,
   BelongsToOneRelation,
-  // TODO: Import directly once we can move to Objection 3
-  // knexSnakeCaseMappers,
+  knexSnakeCaseMappers,
   ref
 } from 'objection'
 
@@ -626,7 +627,7 @@ export class Application extends Koa {
       if (snakeCaseOptions) {
         knex = {
           ...knex,
-          ...objection.knexSnakeCaseMappers(snakeCaseOptions)
+          ...knexSnakeCaseMappers(snakeCaseOptions)
         }
       }
       this.knex = Knex(knex)
@@ -853,23 +854,38 @@ export class Application extends Koa {
             if (file.data || file.url) {
               let { data } = file
               if (!data) {
+                const { url } = file
+                if (!storage.isImportSourceAllowed(url)) {
+                  throw new AssetError(
+                    `Unable to import asset from foreign source: '${
+                      file.name
+                    }' ('${
+                      url
+                    }'): The source needs to be explicitly allowed.`
+                  )
+                }
                 console.info(
                   `${
                     pico.red('INFO:')
                   } Asset ${
                     pico.green(`'${file.name}'`)
                   } is from a foreign source, fetching from ${
-                    pico.green(`'${file.url}'`)
+                    pico.green(`'${url}'`)
                   } and adding to storage ${
                     pico.green(`'${storage.name}'`)
                   }...`
                 )
-                const response = await axios.request({
-                  method: 'get',
-                  url: file.url,
-                  responseType: 'arraybuffer'
-                })
-                data = response.data
+                if (url.startsWith('file://')) {
+                  const filepath = path.resolve(url.substring(7))
+                  data = await fs.readFile(filepath)
+                } else {
+                  const response = await axios.request({
+                    method: 'get',
+                    responseType: 'arraybuffer',
+                    url
+                  })
+                  data = response.data
+                }
               }
               const importedFile = await storage.addFile(file, data)
               await this.createAssets(storage, [importedFile], 0, trx)

package/src/controllers/AdminController.js

@@ -1,5 +1,4 @@
 import path from 'path'
-import fs from 'fs'
 import Koa from 'koa'
 import serve from 'koa-static'
 import { defineConfig, createServer } from 'vite'
@@ -7,8 +6,10 @@ import { createVuePlugin } from 'vite-plugin-vue2'
 import {
   viteCommonjs as createCommonJsPlugin
 } from '@originjs/vite-plugin-commonjs'
-import picomatch from 'picomatch'
-import { findUpSync } from 'find-up'
+import {
+  createRollupImportsResolver,
+  testModuleIdentifier
+} from '@ditojs/build'
 import { merge } from '@ditojs/utils'
 import { Controller } from './Controller.js'
 import { handleConnectMiddleware } from '../middleware/index.js'
@@ -135,16 +136,11 @@ export class AdminController extends Controller {
   getViteConfig(config = {}) {
     const development = this.mode === 'development'
 
-    const cwd = path.resolve('.')
+    const cwd = process.cwd()
     const root = this.getPath('root')
     const base = `${this.url}/`
     const views = path.join(root, 'views')
 
-    // Read `package.json` from the closest package.json, so we can emulate
-    // ESM-style imports mappings in rollup / vite.
-    const pkg = findUpSync('package.json', { cwd: root })
-    const { imports = {} } = JSON.parse(fs.readFileSync(pkg, 'utf8'))
-
     return defineConfig(merge({
       root,
       base,
@@ -185,7 +181,7 @@ export class AdminController extends Controller {
                     return 'common'
                   } else {
                     const module = id.match(/node_modules\/([^/$]*)/)?.[1] || ''
-                    return picomatch.isMatch(module, CORE_DEPENDENCIES)
+                    return testModuleIdentifier(module, CORE_DEPENDENCIES)
                       ? 'core'
                       : 'vendor'
                   }
@@ -210,27 +206,7 @@ export class AdminController extends Controller {
             find: '@',
             replacement: root
           },
-          {
-            // Use a custom rollup resolver to emulate ESM-style imports
-            // mappings in vite, as read from `package.json` above:
-            find: /^#/,
-            replacement: '#',
-            customResolver(id) {
-              for (const [find, replacement] of Object.entries(imports)) {
-                picomatch.isMatch(id, find.replace('*', '**'), {
-                  capture: true,
-                  onMatch({ input, regex }) {
-                    const replacementPath = path.resolve(replacement)
-                    const match = input.match(regex)?.[1]
-                    id = match
-                      ? replacementPath.replace('*', match)
-                      : replacementPath
-                  }
-                })
-              }
-              return id
-            }
-          }
+          createRollupImportsResolver({ cwd: root })
         ]
       }
     }, config))

package/src/controllers/CollectionController.js

@@ -68,17 +68,18 @@ export class CollectionController extends Controller {
     return this.extendContext(ctx, { memberId })
   }
 
-  getCollectionIds(ctx) {
+  getModelId(model) {
     const idProperty = this.modelClass.getIdProperty()
     // Handle both composite keys and normal ones.
-    const getId = isArray(idProperty)
-      ? model => idProperty.reduce(
-        (id, key) => {
-          id.push(model[key])
-          return id
-        }, [])
-      : model => model[idProperty]
-    return asArray(ctx.request.body).map(model => this.validateId(getId(model)))
+    return isArray(idProperty)
+      ? idProperty.map(property => model[property])
+      : model[idProperty]
+  }
+
+  getCollectionIds(ctx) {
+    return asArray(ctx.request.body).map(
+      model => this.validateId(this.getModelId(model))
+    )
   }
 
   getIds(ctx) {
@@ -219,9 +220,9 @@ export class CollectionController extends Controller {
           .modify(getModify(modify, trx))
         )
         : await this.executeAndFetch('insert', ctx, modify)
-      ctx.status = 201
+      ctx.status = 201 // Created
       if (isObject(result)) {
-        ctx.set('Location', this.getUrl('collection', result.id))
+        ctx.set('Location', this.getUrl('collection', this.getModelId(result)))
       }
       return result
     },

package/src/models/Model.js

@@ -929,11 +929,9 @@ export class Model extends objection.Model {
         )
         : assetDataPaths
 
-      // `dataPaths` will be empty in the case of an update/insert that do not
+      // `dataPaths` is empty in the case of an update/insert that does not
       // affect the assets.
-      if (dataPaths.length === 0) {
-        return
-      }
+      if (dataPaths.length === 0) return
 
       // Load the model's asset files in their current state before the query is
       // executed.
@@ -972,7 +970,7 @@ export class Model extends objection.Model {
           if (modifiedFiles.length > 0) {
             // TODO: `modifiedFiles` should be restored as well, but that's far
             // from trivial since no backup is kept in `handleModifiedAssets`
-            console.info(
+            console.warn(
               `Unable to restore these already modified files: ${
                 modifiedFiles.map(file => `'${file.name}'`)
               }`

package/src/schema/relations.test.js

@@ -5,7 +5,7 @@ import {
   HasManyRelation,
   ManyToManyRelation
 } from 'objection'
-import { Model } from '../models.js'
+import { Model } from '../models/index.js'
 import {
   getRelationClass, convertRelation, addRelationSchemas
 } from './relations.js'

package/src/storage/Storage.js

@@ -5,6 +5,7 @@ import { PassThrough } from 'stream'
 import { URL } from 'url'
 import { hyphenate, toPromiseCallback } from '@ditojs/utils'
 import { AssetFile } from './AssetFile.js'
+import { matchGlobPattern } from '../utils/glob.js'
 
 const storageClasses = {}
 
@@ -57,6 +58,14 @@ export class Storage {
     return AssetFile.getUniqueKey(name)
   }
 
+  isImportSourceAllowed(url) {
+    const { allowedImports = [] } = this.config
+    for (const pattern of allowedImports) {
+      if (matchGlobPattern(url, pattern)) return true
+    }
+    return false
+  }
+
   convertAssetFile(file) {
     return AssetFile.convert(file, this)
   }

package/src/utils/glob.js

@@ -0,0 +1,9 @@
+import { escapeRegexp } from '@ditojs/utils'
+
+export function matchGlobPattern(str, pattern) {
+  const exp = escapeRegexp(pattern).replace(
+    /\\([*?])/,
+    (_, chr) => chr === '*' ? '.*' : chr
+  )
+  return new RegExp(`^${exp}$`).test(str)
+}