@ditojs/server 2.85.2 → 2.87.0

package/package.json

@@ -1,9 +1,9 @@
 {
   "name": "@ditojs/server",
-  "version": "2.85.2",
+  "version": "2.87.0",
   "type": "module",
   "description": "Dito.js Server – Dito.js is a declarative and modern web framework, based on Objection.js, Koa.js and Vue.js",
-  "repository": "https://github.com/ditojs/dito/tree/master/packages/server",
+  "repository": "https://github.com/ditojs/dito/tree/main/packages/server",
   "author": "Jürg Lehni <juerg@scratchdisk.com> (http://scratchdisk.com)",
   "license": "MIT",
   "main": "./src/index.js",
@@ -19,17 +19,16 @@
     "dito": "./src/cli/index.js"
   },
   "engines": {
-    "node": ">= 20.0.0",
-    "yarn": ">= 4.0.0"
+    "node": ">= 20.0.0"
   },
   "browserslist": [
     "node >= 18"
   ],
   "dependencies": {
-    "@ditojs/admin": "^2.85.2",
-    "@ditojs/build": "^2.85.0",
-    "@ditojs/router": "^2.85.0",
-    "@ditojs/utils": "^2.85.0",
+    "@ditojs/admin": "^2.87.0",
+    "@ditojs/build": "^2.87.0",
+    "@ditojs/router": "^2.87.0",
+    "@ditojs/utils": "^2.87.0",
     "@koa/cors": "^5.0.0",
     "@koa/etag": "^5.0.2",
     "@koa/multer": "^4.0.0",
@@ -38,7 +37,7 @@
     "ajv-formats": "^3.0.1",
     "bcryptjs": "^3.0.3",
     "bytes": "^3.1.2",
-    "data-uri-to-buffer": "^6.0.2",
+    "data-uri-to-buffer": "^7.0.0",
     "eventemitter2": "^6.4.9",
     "file-type": "^21.3.1",
     "helmet": "^8.1.0",
@@ -56,7 +55,7 @@
     "leather": "^3.0.3",
     "mime-types": "^3.0.2",
     "multer": "^2.1.1",
-    "multer-s3": "https://github.com/ditojs/multer-s3#dito",
+    "multer-s3": "github:ditojs/multer-s3#dito",
     "nanoid": "^5.1.6",
     "parse-duration": "^2.1.5",
     "passport-local": "^1.0.0",
@@ -77,18 +76,19 @@
     "objection": "^3.0.1"
   },
   "devDependencies": {
-    "@aws-sdk/client-s3": "^3.832.0",
-    "@aws-sdk/lib-storage": "^3.832.0",
+    "@aws-sdk/client-s3": "^3.1006.0",
+    "@aws-sdk/lib-storage": "^3.1006.0",
     "@types/koa-bodyparser": "^4.3.13",
     "@types/koa-compress": "^4.0.7",
     "@types/koa-response-time": "^2.1.5",
     "@types/koa-session": "^6.4.5",
     "@types/koa-static": "^4.0.4",
     "@types/koa__cors": "^5.0.1",
-    "@types/node": "^25.3.5",
+    "@types/koa__multer": "^2.0.8",
+    "@types/node": "^25.4.0",
     "knex": "^3.1.0",
     "objection": "^3.1.5",
     "typescript": "^5.9.3"
   },
-  "gitHead": "5df899baaf437537dced07893eeb4f06c1797c53"
+  "gitHead": "cbd05e604a1d212dfc91f9686b43bef75815a409"
 }

package/src/cli/db/createMigration.js

@@ -1,7 +1,6 @@
 import path from 'path'
 import fs from 'fs/promises'
 import pico from 'picocolors'
-import { getRelationClass, isThroughRelationClass } from '@ditojs/server'
 import {
   isObject,
   isArray,
@@ -9,6 +8,10 @@ import {
   deindent,
   capitalize
 } from '@ditojs/utils'
+import {
+  getRelationClass,
+  isThroughRelationClass
+} from '../../schema/relations.js'
 import { exists } from '../../utils/fs.js'
 
 const typeToKnex = {

package/src/controllers/Controller.js

@@ -534,8 +534,12 @@ export class Controller {
     } else if (isFunction(authorize)) {
       return async (ctx, member) => {
         const res = await authorize(ctx, member)
-        // Pass res through `processAuthorize()` to support strings & arrays.
-        return this.processAuthorize(res)(ctx, member)
+        // Deny access if the function forgot to return a value.
+        // Otherwise pass res through `processAuthorize()` to
+        // support strings & arrays.
+        return res === undefined
+          ? false
+          : this.processAuthorize(res)(ctx, member)
       }
     } else if (isString(authorize) || isArray(authorize)) {
       return async (ctx, member) => {

package/src/mixins/AssetMixin.js

@@ -66,11 +66,13 @@ export const AssetMixin = mixin(
       }
 
       // @override
-      $parseJson(json) {
+      $parseJson(json, { trusted = false } = {}) {
         const { file, storage } = json
         // Convert `AssetMixin#file` to an `AssetFile` instance:
         if (file && storage) {
-          this.constructor.app.getStorage(storage)?.convertAssetFile(file)
+          this.constructor.app
+            .getStorage(storage)
+            ?.convertAssetFile(file, { trusted })
         }
         return json
       }

package/src/models/Model.js

@@ -609,11 +609,11 @@ export class Model extends objection.Model {
     }
     // Also run through normal $parseJson(), for handling of `Date` and
     // `AssetFile`.
-    return this.$parseJson(json)
+    return this.$parseJson(json, { trusted: true })
   }
 
   // @override
-  $parseJson(json) {
+  $parseJson(json, { trusted = false } = {}) {
     const { constructor } = this
     for (const key of constructor.dateAttributes) {
       const date = json[key]
@@ -634,7 +634,7 @@ export class Model extends objection.Model {
               if (isArray(data)) {
                 data.forEach(convertToAssetFiles)
               } else {
-                storage.convertAssetFile(data)
+                storage.convertAssetFile(data, { trusted })
               }
             }
           }

package/src/storage/AssetFile.js

@@ -58,6 +58,8 @@ export class AssetFile {
   }
 
   static convert(object, storage) {
+    // Signature must never be persisted.
+    delete object.signature
     Object.setPrototypeOf(object, AssetFile.prototype)
     setHiddenProperty(object, SYMBOL_STORAGE, storage)
   }

package/src/storage/Storage.js

@@ -1,11 +1,13 @@
 import path from 'path'
 import { URL } from 'url'
+import crypto from 'crypto'
 import multer from '@koa/multer'
 import picomatch from 'picomatch'
 import { PassThrough } from 'stream'
 import { readMediaAttributes } from 'leather'
 import { hyphenate, toPromiseCallback } from '@ditojs/utils'
 import { AssetFile } from './AssetFile.js'
+import { AssetError } from '../errors/AssetError.js'
 
 const storageClasses = {}
 
@@ -76,7 +78,17 @@ export class Storage {
     return picomatch.isMatch(url, this.config.allowedImports || [])
   }
 
-  convertAssetFile(file) {
+  convertAssetFile(file, { trusted = false } = {}) {
+    if (
+      !trusted &&
+      !this._verifyAssetKey(file.key, file.signature)
+    ) {
+      throw new AssetError(
+        `Invalid asset signature for file '${
+          file.name ?? file.key
+        }'`
+      )
+    }
     AssetFile.convert(file, this)
   }
 
@@ -90,7 +102,8 @@ export class Storage {
       url: this._getFileUrl(storageFile),
       // In case `config.readDimensions` is set:
       width: storageFile.width,
-      height: storageFile.height
+      height: storageFile.height,
+      signature: this._signAssetKey(storageFile.key)
     }
   }
 
@@ -104,7 +117,7 @@ export class Storage {
     file.url = this._getFileUrl(file)
     // TODO: Support `config.readDimensions`, but this can only be done once
     // there are separate storage instances per model assets config!
-    this.convertAssetFile(file)
+    this.convertAssetFile(file, { trusted: true })
     return file
   }
 
@@ -128,6 +141,30 @@ export class Storage {
     return this._getFileUrl(file)
   }
 
+  _signAssetKey(key) {
+    const secret = (
+      this.app.keys?.[0] ??
+      (Storage._fallbackSecret ??= crypto.randomBytes(32))
+    )
+    return crypto
+      .createHmac('sha256', secret)
+      .update(key)
+      .digest('hex')
+  }
+
+  _verifyAssetKey(key, signature) {
+    if (!key || !signature) return false
+    const expected = this._signAssetKey(key)
+    try {
+      return crypto.timingSafeEqual(
+        Buffer.from(expected, 'hex'),
+        Buffer.from(signature, 'hex')
+      )
+    } catch {
+      return false
+    }
+  }
+
   _getUrl(...parts) {
     return this.url
       ? new URL(path.posix.join(...parts), this.url).toString()

package/src/storage/Storage.test.js

@@ -0,0 +1,58 @@
+import { Storage } from './Storage.js'
+
+function createStorage(keys = ['test-secret']) {
+  const app = { keys }
+  return new Storage(app, { name: 'test' })
+}
+
+function simulateUpload(storage, key, originalname) {
+  return storage.convertStorageFile({
+    key,
+    originalname,
+    mimetype: 'image/png',
+    size: 2048
+  })
+}
+
+describe('Storage: asset key signature verification', () => {
+  it('preserves the key through a full upload-then-save cycle', () => {
+    const storage = createStorage()
+    const uploaded = simulateUpload(storage, 'real-key.png', 'photo.png')
+    const fromClient = { ...uploaded }
+    storage.convertAssetFile(fromClient, { trusted: false })
+    expect(fromClient.key).toBe('real-key.png')
+  })
+
+  it('throws when a forged key is submitted', () => {
+    const storage = createStorage()
+    const file = { key: 'victim-key.png', name: 'photo.png' }
+    expect(() => {
+      storage.convertAssetFile(file, { trusted: false })
+    }).toThrow('Invalid asset signature')
+  })
+
+  it('throws when a valid signature is paired with a swapped key', () => {
+    const storage = createStorage()
+    const uploaded = simulateUpload(storage, 'legit.png', 'legit.png')
+    const forged = { ...uploaded, key: 'victim-file.png' }
+    expect(() => {
+      storage.convertAssetFile(forged, { trusted: false })
+    }).toThrow('Invalid asset signature')
+  })
+
+  it('does not throw when addFile() converts a server-created file', async () => {
+    const storage = createStorage()
+    const file = { key: 'imported.png', name: 'import.png' }
+    const data = Buffer.from('fake-image-data')
+    await storage.addFile(file, data)
+    expect(file.key).toBe('imported.png')
+  })
+
+  it('strips signature after conversion', () => {
+    const storage = createStorage()
+    const uploaded = simulateUpload(storage, 'upload.png', 'photo.png')
+    const fromClient = { ...uploaded }
+    storage.convertAssetFile(fromClient, { trusted: false })
+    expect('signature' in fromClient).toBe(false)
+  })
+})