@flowerforce/flowerbase 1.2.0 → 1.2.1-beta.3

package/src/services/mongodb-atlas/utils.ts

@@ -37,7 +37,7 @@ export const getValidRule = <T extends Role | Filter>({
     // checkRule valuta se i campi del record soddisfano quella condizione. 
     // Quindi le regole vengono effettivamente rispettate.
     const valid = rulesMatcherUtils.checkRule(
-      conditions,
+      conditions as Parameters<typeof rulesMatcherUtils.checkRule>[0],
       {
         ...(record ?? {}),
         '%%user': user,
@@ -57,10 +57,16 @@ export const getFormattedQuery = (
 ) => {
   const preFilter = getValidRule({ filters, user })
   const isValidPreFilter = !!preFilter?.length
-  return [
-    isValidPreFilter && expandQuery(preFilter[0].query, { '%%user': user }),
-    query
-  ].filter(Boolean).filter(r => Object.keys(r).length > 0)
+  const formatted: FilterMongoDB<Document>[] = []
+  if (isValidPreFilter) {
+    formatted.push(
+      expandQuery(preFilter[0].query, { '%%user': user }) as FilterMongoDB<Document>
+    )
+  }
+  if (query && Object.keys(query).length > 0) {
+    formatted.push(query as FilterMongoDB<Document>)
+  }
+  return formatted
 }
 
 export const getFormattedProjection = (
@@ -90,61 +96,111 @@ export const applyAccessControlToPipeline = (
       roles?: Role[]
     }
   >,
-  user: User
+  user: User,
+  collectionName: string,
+  options?: {
+    isClientPipeline?: boolean
+  }
 ): AggregationPipeline => {
+  const { isClientPipeline = false } = options || {}
+  const hiddenFieldsForCollection = isClientPipeline
+    ? getHiddenFieldsFromRulesConfig(rules[collectionName])
+    : []
+
   return pipeline.map((stage) => {
     const [stageName] = Object.keys(stage)
     const value = stage[stageName as keyof typeof stage]
 
-    // CASE LOOKUP
     if (stageName === STAGES_TO_SEARCH.LOOKUP) {
       const lookUpStage = value as LookupStage
       const currentCollection = lookUpStage.from
+      checkDenyOperation(rules as Rules, currentCollection, CRUD_OPERATIONS.READ)
       const lookupRules = rules[currentCollection] || {}
       const formattedQuery = getFormattedQuery(lookupRules.filters, {}, user)
       const projection = getFormattedProjection(lookupRules.filters)
 
+      const nestedPipeline = applyAccessControlToPipeline(
+        lookUpStage.pipeline || [],
+        rules,
+        user,
+        currentCollection,
+        { isClientPipeline }
+      )
+
+      const lookupPipeline = [
+        ...(formattedQuery.length ? [{ $match: { $and: formattedQuery } }] : []),
+        ...(projection ? [{ $project: projection }] : []),
+        ...nestedPipeline
+      ]
+
+      const pipelineWithHiddenFields = isClientPipeline
+        ? prependUnsetStage(lookupPipeline, getHiddenFieldsFromRulesConfig(lookupRules))
+        : lookupPipeline
+
       return {
         $lookup: {
           ...lookUpStage,
-          pipeline: [
-            ...(formattedQuery.length ? [{ $match: { $and: formattedQuery } }] : []),
-            ...(projection ? [{ $project: projection }] : []),
-            ...applyAccessControlToPipeline(lookUpStage.pipeline || [], rules, user)
-          ]
+          pipeline: pipelineWithHiddenFields
         }
       }
     }
 
-    // CASE LOOKUP
     if (stageName === STAGES_TO_SEARCH.UNION_WITH) {
       const unionWithStage = value as UnionWithStage
       const isSimpleStage = typeof unionWithStage === 'string'
       const currentCollection = isSimpleStage ? unionWithStage : unionWithStage.coll
+      checkDenyOperation(rules as Rules, currentCollection, CRUD_OPERATIONS.READ)
       const unionRules = rules[currentCollection] || {}
       const formattedQuery = getFormattedQuery(unionRules.filters, {}, user)
       const projection = getFormattedProjection(unionRules.filters)
 
-      const nestedPipeline = isSimpleStage ? [] : unionWithStage.pipeline || []
+      if (isSimpleStage) {
+        return stage
+      }
+
+      const nestedPipeline = unionWithStage.pipeline || []
+
+      const sanitizedNestedPipeline = applyAccessControlToPipeline(
+        nestedPipeline,
+        rules,
+        user,
+        currentCollection,
+        { isClientPipeline }
+      )
+
+      const unionPipeline = [
+        ...(formattedQuery.length ? [{ $match: { $and: formattedQuery } }] : []),
+        ...(projection ? [{ $project: projection }] : []),
+        ...sanitizedNestedPipeline
+      ]
+
+      const pipelineWithHiddenFields = isClientPipeline
+        ? prependUnsetStage(unionPipeline, getHiddenFieldsFromRulesConfig(unionRules))
+        : unionPipeline
 
       return {
         $unionWith: {
-          coll: currentCollection,
-          pipeline: [
-            ...(formattedQuery.length ? [{ $match: { $and: formattedQuery } }] : []),
-            ...(projection ? [{ $project: projection }] : []),
-            ...applyAccessControlToPipeline(nestedPipeline, rules, user)
-          ]
+          ...unionWithStage,
+          pipeline: pipelineWithHiddenFields
         }
       }
     }
 
-    // CASE FACET
     if (stageName === STAGES_TO_SEARCH.FACET) {
       const modifiedFacets = Object.fromEntries(
         (Object.entries(value) as [string, AggregationPipelineStage[]][]).map(
           ([facetKey, facetPipeline]) => {
-            return [facetKey, applyAccessControlToPipeline(facetPipeline, rules, user)]
+            const sanitizedFacetPipeline = applyAccessControlToPipeline(
+              facetPipeline,
+              rules,
+              user,
+              collectionName,
+              { isClientPipeline }
+            )
+            const facetPipelineWithHiddenFields = isClientPipeline
+              ? prependUnsetStage(sanitizedFacetPipeline, hiddenFieldsForCollection)
+              : sanitizedFacetPipeline
+            return [facetKey, facetPipelineWithHiddenFields]
           }
         )
       )
@@ -210,3 +266,83 @@ export const getCollectionsFromPipeline = (pipeline: Document[]) => {
     return acc
   }, [])
 }
+
+const CLIENT_STAGE_BLACKLIST = new Set([
+  '$replaceRoot',
+  '$merge',
+  '$out',
+  '$function',
+  '$where',
+  '$accumulator',
+  '$graphLookup'
+])
+
+export function ensureClientPipelineStages(pipeline: AggregationPipeline) {
+  pipeline.forEach((stage) => {
+    const [stageName] = Object.keys(stage)
+    if (!stageName) return
+
+    if (CLIENT_STAGE_BLACKLIST.has(stageName)) {
+      throw new Error(`Stage ${stageName} is not allowed in client aggregate pipelines`)
+    }
+
+    const value = stage[stageName as keyof typeof stage]
+
+    if (stageName === STAGES_TO_SEARCH.LOOKUP) {
+      ensureClientPipelineStages((value as LookupStage).pipeline || [])
+      return
+    }
+
+    if (stageName === STAGES_TO_SEARCH.UNION_WITH) {
+      if (typeof value === 'string') {
+        throw new Error('$unionWith must provide a pipeline when called from the client')
+      }
+      const unionStage = value as { pipeline?: AggregationPipeline }
+      ensureClientPipelineStages(unionStage.pipeline || [])
+      return
+    }
+
+    if (stageName === STAGES_TO_SEARCH.FACET) {
+      Object.values(value as Record<string, AggregationPipeline>).forEach((facetPipeline) =>
+        ensureClientPipelineStages(facetPipeline)
+      )
+    }
+  })
+}
+
+export function getHiddenFieldsFromRulesConfig(rulesConfig?: { roles?: Role[] }) {
+  if (!rulesConfig) {
+    return []
+  }
+  return collectHiddenFieldsFromRoles(rulesConfig.roles)
+}
+
+function collectHiddenFieldsFromRoles(roles: Role[] = []) {
+  const hiddenFields = new Set<string>()
+
+  const collectFromFields = (
+    fields?: Role['fields'] | Role['additional_fields']
+  ) => {
+    if (!fields) return
+    Object.entries(fields).forEach(([fieldName, permissions]) => {
+      const canRead = Boolean(permissions?.read || permissions?.write)
+      if (!canRead) {
+        hiddenFields.add(fieldName)
+      }
+    })
+  }
+
+  roles.forEach((role) => {
+    collectFromFields(role.fields)
+    collectFromFields(role.additional_fields)
+  })
+
+  return Array.from(hiddenFields)
+}
+
+export function prependUnsetStage(pipeline: AggregationPipeline, hiddenFields: string[]) {
+  if (!hiddenFields.length) {
+    return pipeline
+  }
+  return [{ $unset: hiddenFields }, ...pipeline]
+}

package/src/shared/handleUserRegistration.ts

@@ -1,4 +1,3 @@
-import { FastifyMongoObject } from "@fastify/mongodb/types"
 import { AUTH_CONFIG, DB_NAME } from "../constants"
 import { hashPassword } from "../utils/crypto"
 import { HandleUserRegistration } from "./models/handleUserRegistration.model"
@@ -18,7 +17,7 @@ const handleUserRegistration: HandleUserRegistration = (app, opt) => async ({ em
     }
 
     const { authCollection } = AUTH_CONFIG
-    const mongo: FastifyMongoObject = app?.mongo
+    const mongo = app?.mongo
     const db = mongo.client.db(DB_NAME)
     const hashedPassword = await hashPassword(password)
 
@@ -31,6 +30,7 @@ const handleUserRegistration: HandleUserRegistration = (app, opt) => async ({ em
         email,
         password: hashedPassword,
         status: skipUserCheck ? 'confirmed' : 'pending',
+        createdAt: new Date(),
         custom_data: {
             // TODO: aggiungere dati personalizzati alla registrazione
         },
@@ -62,4 +62,4 @@ const handleUserRegistration: HandleUserRegistration = (app, opt) => async ({ em
 
 }
 
-export default handleUserRegistration
+export default handleUserRegistration

package/src/shared/models/handleUserRegistration.model.ts

@@ -1,5 +1,4 @@
 import { FastifyInstance } from "fastify/types/instance"
-import { InsertOneResult } from "mongodb/mongodb"
 import { User } from "../../auth/dtos"
 import { Rules } from "../../features/rules/interface"
 
@@ -16,12 +15,18 @@ export type Options = {
   run_as_system?: boolean
 }
 
+type RegistrationResult = {
+  insertedId?: {
+    toString: () => string
+  }
+}
+
 export type HandleUserRegistration = (
   app: FastifyInstance,
   opt: Options
-) => (params: RegistrationParams) => Promise<InsertOneResult<Document>>
+) => (params: RegistrationParams) => Promise<RegistrationResult>
 
 export enum PROVIDER {
   LOCAL_USERPASS = "local-userpass",
   CUSTOM_FUNCTION = "custom-function"
-}
+}

package/src/types/fastify-raw-body.d.ts

@@ -0,0 +1,22 @@
+import 'fastify'
+import type { FastifyJWT } from '@fastify/jwt'
+import { Db, MongoClient } from 'mongodb'
+
+declare module 'fastify' {
+  interface FastifyRequest {
+    rawBody?: string
+    user?: FastifyJWT['user']
+  }
+
+  interface FastifyContextConfig {
+    rawBody?: boolean
+  }
+
+  interface FastifyInstance {
+    mongo?: {
+      client: MongoClient
+      db?: Db
+      ObjectId: typeof import('mongodb').ObjectId
+    }
+  }
+}

package/src/utils/__tests__/STEP_B_STATES.test.ts

@@ -11,7 +11,7 @@ const {
   evaluateDocumentsFiltersWrite
 } = STEP_B_STATES
 
-jest.mock('../roles/machines/B/validators', () => ({
+jest.mock('../roles/machines/read/B/validators', () => ({
   evaluateDocumentFiltersReadFn: jest.fn(),
   evaluateDocumentFiltersWriteFn: jest.fn()
 }))

package/src/utils/__tests__/STEP_C_STATES.test.ts

@@ -12,7 +12,7 @@ const endValidation = jest.fn()
 const goToNextValidationStage = jest.fn()
 const next = jest.fn()
 
-jest.mock('../roles/machines/C/validators', () => ({
+jest.mock('../roles/machines/read/C/validators', () => ({
   evaluateTopLevelReadFn: jest.fn(),
   checkFieldsPropertyExists: jest.fn(),
   evaluateTopLevelWriteFn: jest.fn()

package/src/utils/__tests__/STEP_D_STATES.test.ts

@@ -76,7 +76,7 @@ describe('STEP_D_STATES', () => {
     })
     expect(next).toHaveBeenCalledWith('evaluateRead')
   })
-  it('checkIsValidFieldName should end a failed validation, with an empty document', async () => {
+  it('checkIsValidFieldName should end a successful validation, with a document', async () => {
     const mockedLogInfo = jest
       .spyOn(Utils, 'logMachineInfo')
       .mockImplementation(() => 'Mocked Value')
@@ -95,7 +95,7 @@ describe('STEP_D_STATES', () => {
       next,
       initialStep: null
     })
-    expect(endValidation).toHaveBeenCalledWith({ success: false, document: {} })
+    expect(endValidation).toHaveBeenCalledWith({ success: true, document: { name: 'test' } })
     expect(mockedLogInfo).toHaveBeenCalledWith({
       enabled: mockContext.enableLog,
       machine: 'D',

package/src/utils/__tests__/checkIsValidFieldNameFn.test.ts

@@ -32,7 +32,12 @@ describe('checkIsValidFieldNameFn', () => {
     }
 
     const result = checkIsValidFieldNameFn(context as MachineContext)
-    expect(result).toEqual({ name: 'Alice', email: 'alice@example.com', _id: mockId })
+    expect(result).toEqual({
+      _id: mockId,
+      name: 'Alice',
+      email: 'alice@example.com',
+      age: 25
+    })
   })
   it("should exclude _id if role doesn't allows it", () => {
     const mockedRole = {
@@ -127,7 +132,7 @@ describe('checkIsValidFieldNameFn', () => {
 
     const result = checkIsValidFieldNameFn(context as MachineContext)
 
-    expect(result).toEqual({})
+    expect(result).toEqual({ email: 'charlie@example.com' })
   })
 
   it('should handle additional_fields correctly for read permission', () => {
@@ -147,7 +152,7 @@ describe('checkIsValidFieldNameFn', () => {
     }
 
     const result = checkIsValidFieldNameFn(context as MachineContext)
-    expect(result).toEqual({ _id: mockId, phone: '123456789' })
+    expect(result).toEqual({ _id: mockId, phone: '123456789', address: 'Unknown' })
   })
   it('should handle additional_fields correctly for write permission', () => {
     const mockedRole = {
@@ -186,6 +191,6 @@ describe('checkIsValidFieldNameFn', () => {
     }
 
     const result = checkIsValidFieldNameFn(context as MachineContext)
-    expect(result).toEqual({ _id: mockId })
+    expect(result).toEqual({ _id: mockId, phone: '123456789', address: 'Unknown' })
   })
 })

package/src/utils/__tests__/registerPlugins.test.ts

@@ -2,6 +2,8 @@ import cors from '@fastify/cors'
 import fastifyMongodb from '@fastify/mongodb'
 import { authController } from '../../auth/controller'
 import jwtAuthPlugin from '../../auth/plugins/jwt'
+import fastifyRawBody from 'fastify-raw-body'
+import { customFunctionController } from '../../auth/providers/custom-function/controller'
 import { localUserPassController } from '../../auth/providers/local-userpass/controller'
 import { Functions } from '../../features/functions/interface'
 import { registerPlugins } from '../initializer/registerPlugins'
@@ -34,7 +36,7 @@ describe('registerPlugins', () => {
     })
 
     // Check Plugins Registration
-    expect(registerMock).toHaveBeenCalledTimes(5)
+    expect(registerMock).toHaveBeenCalledTimes(7)
     expect(registerMock).toHaveBeenCalledWith(cors, {
       origin: '*',
       methods: ['POST', 'GET']
@@ -50,10 +52,22 @@ describe('registerPlugins', () => {
     expect(registerMock).toHaveBeenCalledWith(localUserPassController, {
       prefix: `${MOCKED_API_VERSION}/app/:appId/auth/providers/local-userpass`
     })
+    expect(registerMock).toHaveBeenCalledWith(fastifyRawBody, {
+      field: 'rawBody',
+      global: false,
+      encoding: 'utf8',
+      runFirst: true,
+      routes: [],
+      jsonContentTypes: []
+    })
+    expect(registerMock).toHaveBeenCalledWith(customFunctionController, {
+      prefix: `${MOCKED_API_VERSION}/app/:appId/auth/providers/custom-function`
+    })
   })
 
   it('should handle errors in the catch block', async () => {
     const errorLog = jest.spyOn(console, 'error').mockImplementation(() => {})
+    const logSpy = jest.spyOn(console, 'log').mockImplementation(() => {})
 
     await registerPlugins({
       register: errorMock,
@@ -67,5 +81,6 @@ describe('registerPlugins', () => {
       'Plugin registration failed'
     )
     errorLog.mockRestore()
+    logSpy.mockRestore()
   })
 })

package/src/utils/context/helpers.ts

@@ -27,6 +27,9 @@ export const generateContextData = ({
   console: {
     log: (...args: Arguments) => {
       console.log(...args)
+    },
+    error: (...args: Arguments) => {
+      console.error(...args)
     }
   },
   context: {

package/src/utils/context/index.ts

@@ -29,6 +29,7 @@ export async function GenerateContext({
   enqueue,
   request
 }: GenerateContextParams) {
+  if (!currentFunction) return
 
   const functionsQueue = StateManager.select("functionsQueue")
 

package/src/utils/initializer/exposeRoutes.ts

@@ -13,12 +13,21 @@ import { hashPassword } from '../crypto'
  */
 export const exposeRoutes = async (fastify: FastifyInstance) => {
   try {
-    fastify.get(`${API_VERSION}/app/:appId/location`, async (req) => ({
-      deployment_model: 'LOCAL',
-      location: 'IE',
-      hostname: `${DEFAULT_CONFIG.HTTPS_SCHEMA}://${req.headers.host}`,
-      ws_hostname: `${DEFAULT_CONFIG.HTTPS_SCHEMA === 'https' ? 'wss' : 'ws'}://${req.headers.host}`
-    }))
+    fastify.get(`${API_VERSION}/app/:appId/location`, async (req) => {
+      const schema = DEFAULT_CONFIG?.HTTPS_SCHEMA ?? 'http'
+      const headerHost = req.headers.host ?? 'localhost:3000'
+      const hostname = headerHost.split(':')[0]
+      const port = DEFAULT_CONFIG?.PORT ?? 3000
+      const host = `${hostname}:${port}`
+      const wsSchema = 'wss'
+
+      return {
+        deployment_model: 'LOCAL',
+        location: 'IE',
+        hostname: `${schema}://${host}`,
+        ws_hostname: `${wsSchema}://${host}`
+      }
+    })
 
     fastify.get('/health', async () => ({
       status: 'ok',
@@ -77,5 +86,3 @@ export const exposeRoutes = async (fastify: FastifyInstance) => {
     console.error('Error while exposing routes', (e as Error).message)
   }
 }
-
-

package/src/utils/initializer/registerPlugins.ts

@@ -2,6 +2,7 @@ import cors from '@fastify/cors'
 import fastifyMongodb from '@fastify/mongodb'
 import { FastifyInstance } from 'fastify'
 import fastifyRawBody from 'fastify-raw-body'
+import { CorsConfig } from '../../'
 import { authController } from '../../auth/controller'
 import jwtAuthPlugin from '../../auth/plugins/jwt'
 import { customFunctionController } from '../../auth/providers/custom-function/controller'
@@ -17,6 +18,7 @@ type RegisterPluginsParams = {
   mongodbUrl: string
   jwtSecret: string
   functionsList: Functions
+  corsConfig?: CorsConfig
 }
 
 type RegisterConfig = {
@@ -36,12 +38,14 @@ export const registerPlugins = async ({
   register,
   mongodbUrl,
   jwtSecret,
-  functionsList
+  functionsList,
+  corsConfig
 }: RegisterPluginsParams) => {
   try {
     const registersConfig = await getRegisterConfig({
       mongodbUrl,
       jwtSecret,
+      corsConfig,
       functionsList
     })
 
@@ -52,6 +56,7 @@ export const registerPlugins = async ({
       } catch (e) {
         console.log('Registration FAILED --->', pluginName)
         console.log('Error --->', e)
+        throw e
       }
     })
   } catch (e) {
@@ -67,18 +72,21 @@ export const registerPlugins = async ({
  */
 const getRegisterConfig = async ({
   mongodbUrl,
-  jwtSecret
-}: Pick<RegisterPluginsParams, 'jwtSecret' | 'mongodbUrl' | 'functionsList'>): Promise<
+  jwtSecret,
+  corsConfig
+}: Pick<RegisterPluginsParams, 'jwtSecret' | 'mongodbUrl' | 'functionsList' | 'corsConfig'>): Promise<
   RegisterConfig[]
 > => {
+  const corsOptions = corsConfig ?? {
+    origin: '*',
+    methods: ['POST', 'GET']
+  }
+
   return [
     {
       pluginName: 'cors',
       plugin: cors,
-      options: {
-        origin: '*',
-        methods: ['POST', 'GET', 'DELETE']
-      }
+      options: corsOptions
     },
     {
       pluginName: 'fastifyMongodb',

package/src/utils/roles/helpers.ts

@@ -22,7 +22,7 @@ export const evaluateExpression = async (
     '%%true': true
   }
   const conditions = expandQuery(expression, value)
-  const complexCondition = Object.entries<Record<string, any>>(conditions).find(([key]) =>
+  const complexCondition = Object.entries(conditions as Record<string, any>).find(([key]) =>
     functionsConditions.includes(key)
   )
   return complexCondition
@@ -37,12 +37,29 @@ const evaluateComplexExpression = async (
 ) => {
   const [key, config] = condition
 
-  const { name } = config['%function']
+  const functionConfig = config['%function']
+  const { name, arguments: fnArguments } = functionConfig
   const functionsList = StateManager.select('functions')
   const app = StateManager.select('app')
   const currentFunction = functionsList[name]
+
+  const expansionContext = {
+    ...params.expansions,
+    ...params.cursor,
+    '%%root': params.cursor,
+    '%%user': user,
+    '%%true': true,
+    '%%false': false
+  }
+
+  const expandedArguments =
+    fnArguments && fnArguments.length
+      ? ((expandQuery({ args: fnArguments }, expansionContext) as { args: unknown[] })
+          .args ?? [])
+      : [params.cursor]
+
   const response = await GenerateContext({
-    args: [params.cursor],
+    args: expandedArguments,
     app,
     rules: StateManager.select("rules"),
     user,

package/src/utils/roles/machines/commonValidators.ts

@@ -3,7 +3,7 @@ import { evaluateExpression } from '../helpers'
 import { DocumentFiltersPermissions } from '../interface'
 import { MachineContext } from './interface'
 
-const readOnlyPermissions = ['read']
+const readOnlyPermissions = ['read', 'search']
 const readWritePermissions = ['write', 'delete', 'insert', ...readOnlyPermissions]
 
 export const evaluateDocumentFiltersFn = async (
@@ -23,11 +23,16 @@ export const evaluateTopLevelPermissionsFn = async (
   { params, role, user }: MachineContext,
   currentType: MachineContext['params']['type']
 ) => {
-  return role[currentType]
-    ? await evaluateExpression(params, role[currentType], user)
-    : undefined
+  const permission = role?.[currentType]
+  if (typeof permission === 'undefined') {
+    return undefined
+  }
+
+  return await evaluateExpression(params, permission, user)
 }
 
 export const checkFieldsPropertyExists = ({ role }: MachineContext) => {
-  return !!Object.keys(role.fields ?? {}).length
+  const hasFields = !!Object.keys(role?.fields ?? {}).length
+  const hasAdditional = !!Object.keys(role?.additional_fields ?? {}).length
+  return hasFields || hasAdditional
 }

package/src/utils/roles/machines/read/B/validators.ts

@@ -0,0 +1,8 @@
+import { MachineContext } from '../../interface'
+import { evaluateDocumentFiltersFn } from '../../commonValidators'
+
+export const evaluateDocumentFiltersReadFn = (context: MachineContext) =>
+  evaluateDocumentFiltersFn(context, 'read')
+
+export const evaluateDocumentFiltersWriteFn = (context: MachineContext) =>
+  evaluateDocumentFiltersFn(context, 'write')