@internetderdinge/api 1.224.2

package/src/iotdevice/iotdevice.validation.ts

@@ -0,0 +1,61 @@
+import { extendZodWithOpenApi } from '@asteasolutions/zod-to-openapi';
+import { z } from 'zod';
+import { objectId } from '../validations/custom.validation';
+import { zGet, zObjectId, zPagination } from '../utils/zValidations';
+
+extendZodWithOpenApi(z);
+
+export const getDevice = {
+  params: z.object({
+    deviceId: zObjectId.openapi({ description: 'Device ObjectId' }),
+  }),
+  body: z.object({
+    deviceId: z.array(zObjectId).openapi({ description: 'Array of device IDs' }),
+  }),
+};
+export const iotDevicesSchema = {
+  ...zPagination,
+  query: zPagination.query.extend({
+    patient: zObjectId.optional(),
+  }),
+};
+
+export const getDeviceSchema = {};
+export const getEntrySchema = {
+  params: z.object({
+    deviceId: z.string(),
+  }),
+};
+export const getEventsSchema = {
+  params: z.object({
+    deviceId: zObjectId.openapi({ description: 'Device ObjectId' }),
+  }),
+  query: z.object({
+    DateStart: z.string().openapi({ description: 'Start date (ISO‐string)', example: '2025-05-01T00:00:00Z' }),
+    DateEnd: z.string().openapi({ description: 'End date (ISO‐string)', example: '2025-05-31T23:59:59Z' }),
+    TypeFilter: z.string().openapi({ description: 'Optional type filter', example: '' }).optional().default(''),
+  }),
+};
+export const updateEntrySchema = {};
+
+export const pingDeviceSchema = {
+  params: z.object({
+    deviceId: zObjectId.openapi({ description: 'Device ObjectId' }),
+  }),
+  query: z.object({
+    dataResponse: z.string().openapi({ description: 'Data response', example: 'false' }),
+  }),
+};
+
+export const shadowAlarmValidationSchema = {
+  params: z.object({
+    nrfId: z.string().openapi({ description: 'Device ID', example: 'nrf-22343' }),
+    shadowName: z.string().openapi({ description: 'Shadow name', example: 'alarm' }),
+  }),
+};
+
+export const apiStatusRequestSchema = {
+  params: z.object({
+    kind: z.string().openapi({ description: 'Kind of API status', example: 'iot' }),
+  }),
+};

package/src/middlewares/auth.ts

@@ -0,0 +1,110 @@
+import passport from "passport";
+import httpStatus from "http-status";
+import { expressjwt as jwt } from "express-jwt";
+import crypto from "crypto";
+import jwksRsa from "jwks-rsa";
+import type { Request, Response, NextFunction } from "express";
+import ApiError from "../utils/ApiError";
+import Token from "../tokens/tokens.model";
+import { roleRights } from "../config/roles";
+
+interface AuthRequest extends Request {
+  auth?: {
+    id: string;
+    tokenId: string;
+    type: string;
+    [key: string]: any; // Additional user data
+  };
+}
+
+type VerifyCallback = (
+  req: AuthRequest,
+  resolve: () => void,
+  reject: (error: ApiError) => void,
+  requiredRights: string[],
+) => (err: any, user: any, info: any) => Promise<void>;
+
+const verifyCallback: VerifyCallback =
+  (req, resolve, reject, requiredRights) => async (err, user, info) => {
+    if (err || info || !user) {
+      return reject(
+        new ApiError(httpStatus.UNAUTHORIZED, "Please authenticate"),
+      );
+    }
+    req.user = user;
+
+    if (requiredRights.length) {
+      const userRights = roleRights.get(user.role) || [];
+      const hasRequiredRights = requiredRights.every((requiredRight) =>
+        userRights.includes(requiredRight),
+      );
+      if (!hasRequiredRights && req.params.userId !== user.id) {
+        return reject(new ApiError(httpStatus.FORBIDDEN, "Forbidden"));
+      }
+    }
+
+    resolve();
+  };
+
+const auth = function authFactory(...requiredRights: string[]) {
+  return async function authMiddleware(
+    req: AuthRequest,
+    res: Response,
+    next: NextFunction,
+  ): Promise<void> {
+    try {
+      // Check for custom token in X-API-Key header
+      const apiKey = req.headers["x-api-key"] as string | undefined;
+      if (apiKey && apiKey.length === 64) {
+        // 32 bytes hex encoded
+        const hashedToken = crypto
+          .createHash("sha256")
+          .update(apiKey)
+          .digest("hex");
+        const tokenDoc: any = await Token.findOne({
+          value: hashedToken,
+        }).select("+owner");
+
+        if (tokenDoc) {
+          const ownerId = tokenDoc.owner as string;
+          const roles = ["api"];
+
+          req.auth = {
+            id: ownerId,
+            tokenId: tokenDoc._id,
+            type: "api",
+            // For API-key auth, we can treat the token owner as the subject.
+            // Avoid fetching user profile from Auth0 Management API on every request.
+            sub: ownerId,
+            "https://memo.wirewire.de/roles": roles,
+          };
+          return next();
+        }
+      }
+
+      // Fallback to Auth0 JWT validation
+      jwt({
+        secret: jwksRsa.expressJwtSecret({
+          cache: true,
+          rateLimit: true,
+          jwksRequestsPerMinute: 5,
+          jwksUri: `https://${process.env.AUTH0_DOMAIN}/.well-known/jwks.json`,
+        }),
+        issuer: `https://${process.env.AUTH0_DOMAIN}/`,
+        algorithms: ["RS256"],
+      })(req, res, (err) => {
+        if (err) {
+          const status = err.status || 500;
+          const message =
+            err.message || "Sorry we were unable to process your request.";
+          return res.status(status).send({ message });
+        }
+        next();
+      });
+    } catch (error) {
+      next(error);
+    }
+  };
+};
+
+export default auth;

package/src/middlewares/checkJwt.cjs

@@ -0,0 +1,19 @@
+const jwt = require('express-jwt');
+const jwtAuthz = require('express-jwt-authz');
+const jwksRsa = require('jwks-rsa');
+
+const checkJwt = jwt({
+  secret: jwksRsa.expressJwtSecret({
+    cache: true,
+    rateLimit: true,
+    jwksRequestsPerMinute: 5,
+    jwksUri: `https://${process.env.AUTH0_DOMAIN}/.well-known/jwks.json`,
+  }),
+
+  // Validate the audience and the issuer.
+  audience: process.env.AUTH0_AUDIENCE,
+  issuer: `https://${process.env.AUTH0_DOMAIN}/`,
+  algorithms: ['RS256'],
+});
+
+module.exports = checkJwt;

package/src/middlewares/error.js.legacy

@@ -0,0 +1,44 @@
+const mongoose = require('mongoose');
+const httpStatus = require('http-status');
+const config = require('../config/config.js');
+const logger = require('../config/logger.js');
+const ApiError = require('../utils/ApiError.js');
+
+const errorConverter = (err, req, res, next) => {
+  let error = err;
+  if (!(error instanceof ApiError)) {
+    const statusCode =
+      error.statusCode || error instanceof mongoose.Error ? httpStatus.BAD_REQUEST : httpStatus.INTERNAL_SERVER_ERROR;
+    const message = error.message || httpStatus[statusCode];
+    error = new ApiError(statusCode, message, false, err.stack);
+  }
+  next(error);
+};
+
+// eslint-disable-next-line no-unused-vars
+const errorHandler = (err, req, res, next) => {
+  let { statusCode, message } = err;
+  if (config.env === 'production' && !err.isOperational) {
+    statusCode = httpStatus.INTERNAL_SERVER_ERROR;
+    message = httpStatus[httpStatus.INTERNAL_SERVER_ERROR];
+  }
+
+  res.locals.errorMessage = err.message;
+
+  const response = {
+    code: statusCode,
+    message,
+    ...(config.env === 'development' && { stack: err.stack }),
+  };
+
+  if (config.env === 'development') {
+    logger.error(err);
+  }
+
+  res.status(statusCode).send(response);
+};
+
+module.exports = {
+  errorConverter,
+  errorHandler,
+};

package/src/middlewares/error.ts

@@ -0,0 +1,41 @@
+import mongoose from 'mongoose';
+import httpStatus from 'http-status';
+import config from '../config/config';
+import logger from '../config/logger';
+import ApiError from '../utils/ApiError';
+
+import type { Request, Response, NextFunction } from 'express';
+
+export const errorConverter = (err: any, req: Request, res: Response, next: NextFunction): void => {
+  let error = err;
+  if (!(error instanceof ApiError)) {
+    const statusCode =
+      error.statusCode || (error instanceof mongoose.Error ? httpStatus.BAD_REQUEST : httpStatus.INTERNAL_SERVER_ERROR);
+    const message = error.message || httpStatus[statusCode];
+    error = new ApiError(statusCode, message, false, err.stack);
+  }
+  next(error);
+};
+
+// eslint-disable-next-line no-unused-vars
+export const errorHandler = (err: ApiError, req: Request, res: Response, next: NextFunction): void => {
+  let { statusCode, message } = err;
+  if (config.env === 'production' && !err.isOperational) {
+    statusCode = httpStatus.INTERNAL_SERVER_ERROR;
+    message = httpStatus[httpStatus.INTERNAL_SERVER_ERROR];
+  }
+
+  res.locals.errorMessage = err.message;
+
+  const response = {
+    code: statusCode,
+    message,
+    ...(config.env === 'development' && { stack: err.stack }),
+  };
+
+  if (config.env === 'development') {
+    logger.error(err);
+  }
+
+  res.status(statusCode).send({ ...response, raw: err.raw || null });
+};

package/src/middlewares/mongooseValidations/ensureSameOrganization.ts

@@ -0,0 +1,15 @@
+/**
+ * Throws if patient doesn’t exist or isn’t in the given org.
+ */
+export async function ensureSameOrganization(
+  patientId: Types.ObjectId,
+  organizationId: Types.ObjectId,
+  UserModel: Model<any>,
+) {
+  // console.log('ensureSameOrganization', patientId, organizationId);
+  const user = await UserModel.findById(patientId).select('organization');
+  if (!user) throw new Error('Patient not found');
+  if (!user.organization.equals(organizationId)) {
+    throw new Error('Patient must belong to the same organization');
+  }
+}

package/src/middlewares/rateLimiter.ts

@@ -0,0 +1,10 @@
+import rateLimit from 'express-rate-limit';
+import type { Options } from 'express-rate-limit';
+
+const authLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000,
+  max: 20,
+  skipSuccessfulRequests: true,
+} as Options);
+
+export { authLimiter };

package/src/middlewares/validate.ts

@@ -0,0 +1,25 @@
+import Joi from 'joi';
+import httpStatus from 'http-status';
+import pick from '../utils/pick';
+import ApiError from '../utils/ApiError';
+
+import type { Request, Response, NextFunction } from 'express';
+
+const validate =
+  (schema: Record<string, any>) =>
+  (req: Request, res: Response, next: NextFunction): void => {
+    const validSchema = pick(schema, ['params', 'query', 'body']);
+    const object = pick(req, Object.keys(validSchema));
+    const { value, error } = Joi.compile(validSchema)
+      .prefs({ errors: { label: 'key' } })
+      .validate(object);
+
+    if (error) {
+      const errorMessage = error.details.map((details) => details.message).join(', ');
+      return next(new ApiError(httpStatus.BAD_REQUEST, errorMessage));
+    }
+    Object.assign(req, value);
+    return next();
+  };
+
+export default validate;

package/src/middlewares/validateAction.ts

@@ -0,0 +1,41 @@
+import httpStatus from 'http-status';
+import ApiError from '../utils/ApiError';
+import { isAdmin } from './validateAdmin';
+
+import type { Request, Response, NextFunction } from 'express';
+
+export const validateOrganizationUpdate = async (req: Request, res: Response, next: NextFunction): Promise<void> => {
+  if (isAdmin(res.req.auth)) {
+    next();
+  } else {
+    if (!req.currentUser) {
+      next(new ApiError(httpStatus.INTERNAL_SERVER_ERROR, 'Current user not set in request'));
+      return;
+    }
+
+    if (req.currentUser.role && req.currentUser.role === 'onlyself') {
+      next(new ApiError(httpStatus.FORBIDDEN, 'User does not have sufficient permissions in the organization to update'));
+      return;
+    }
+
+    next();
+  }
+};
+
+export const validateOrganizationDelete = async (req: Request, res: Response, next: NextFunction): Promise<void> => {
+  if (isAdmin(res.req.auth)) {
+    next();
+  } else {
+    if (!req.currentUser) {
+      next(new ApiError(httpStatus.INTERNAL_SERVER_ERROR, 'Current user not set in request'));
+      return;
+    }
+
+    if (req.currentUser.role && req.currentUser.role === 'onlyself') {
+      next(new ApiError(httpStatus.FORBIDDEN, 'User does not have sufficient permissions in the organization to update'));
+      return;
+    }
+
+    next();
+  }
+};

package/src/middlewares/validateAdmin.ts

@@ -0,0 +1,21 @@
+import httpStatus from 'http-status';
+import ApiError from '../utils/ApiError';
+import type { Request, Response, NextFunction } from 'express';
+
+const isAdmin = (user: Record<string, any> | undefined): boolean => {
+  //return false;
+  if (!user) return false;
+
+  // return false; // TODO: Remove this line when the user object is properly defined
+  return user['https://memo.wirewire.de/roles'] ? user['https://memo.wirewire.de/roles'].includes('admin') : false;
+};
+
+const validateAdmin = async (req: Request, res: Response, next: NextFunction): Promise<void> => {
+  if (isAdmin(req.auth)) {
+    next();
+  } else {
+    next(new ApiError(httpStatus.FORBIDDEN, 'User is not part of the admin group (validateAdmin)'));
+  }
+};
+
+export { isAdmin, validateAdmin };

package/src/middlewares/validateAi.ts

@@ -0,0 +1,24 @@
+import httpStatus from 'http-status';
+import ApiError from '../utils/ApiError'; // keep .cjs import
+import expressPkg from 'express';
+const { Request, Response, NextFunction } = expressPkg;
+
+interface User {
+  'https://memo.wirewire.de/roles'?: string[];
+}
+
+// you can adjust the User source if your auth payload differs
+export const isAiRole = (user?: User): boolean => {
+  if (!user) return false;
+  return user['https://memo.wirewire.de/roles']?.includes('ai') ?? false;
+};
+
+export const validateAiRole = async (req: Request & { auth?: User }, res: Response, next: NextFunction): Promise<void> => {
+  // assuming the auth payload is attached to req.auth
+
+  console.log('Validating AI role for user:', req.auth);
+  if (isAiRole(req.auth)) {
+    return next();
+  }
+  return next(new ApiError(httpStatus.FORBIDDEN, 'User is not part of the ai group (validateAi)'));
+};

package/src/middlewares/validateCurrentAuthUser.ts

@@ -0,0 +1,23 @@
+import httpStatus from 'http-status';
+import ApiError from '../utils/ApiError';
+import type { Request, Response, NextFunction } from 'express';
+
+const getCurrentAuthUser = async (req: Request, res: Response, next: NextFunction): Promise<void> => {
+  if (res.req.auth.sub !== req.params.notificationId) {
+    next(new ApiError(httpStatus.BAD_REQUEST, 'Not allowed to access'));
+    return;
+  }
+
+  next();
+};
+
+export const validateParamsAccount = async (req: Request, res: Response, next: NextFunction): Promise<void> => {
+  if (res.req.auth.sub !== req.params.accountId) {
+    next(new ApiError(httpStatus.BAD_REQUEST, 'Not allowed to access'));
+    return;
+  }
+
+  next();
+};
+
+export default getCurrentAuthUser;

package/src/middlewares/validateCurrentUser.ts

@@ -0,0 +1,35 @@
+import httpStatus from "http-status";
+import ApiError from "../utils/ApiError";
+import userService from "../users/users.service";
+
+import type { Request, Response, NextFunction } from "express";
+
+const getCurrentUser = async (
+  req: Request,
+  res: Response,
+  next: NextFunction,
+): Promise<void> => {
+  try {
+    // TODO: Check if the user is logged in
+    const currentUser = await userService.getUserByOwner(
+      res.req.auth.sub,
+      req.body.organization,
+    );
+    if (!currentUser) {
+      next(new ApiError(httpStatus.BAD_REQUEST, "User does not exist"));
+      return;
+    }
+    req.currentUser = currentUser;
+    next();
+  } catch (error) {
+    console.error("Error validating user service:", error);
+    next(
+      new ApiError(
+        httpStatus.INTERNAL_SERVER_ERROR,
+        "Failed to validate user service",
+      ),
+    );
+  }
+};
+
+export default getCurrentUser;

package/src/middlewares/validateDevice.ts

@@ -0,0 +1,191 @@
+import httpStatus from "http-status";
+import ApiError from "../utils/ApiError";
+import devicesService from "../devices/devices.service";
+import { isAdmin } from "./validateAdmin";
+import usersService from "../users/users.service";
+
+import type { Request, Response, NextFunction } from "express";
+import type { User } from "../users/users.types";
+import type { Device } from "../devices/devices.types";
+
+const validateDeviceIsInOrganization = async (
+  req: Request,
+  res: Response,
+  next: NextFunction,
+): Promise<void> => {
+  const deviceId = (req.body?.deviceId ||
+    req.params?.deviceId ||
+    req.query?.deviceId) as string | undefined;
+
+  if (!deviceId) {
+    next();
+    return;
+  }
+
+  const device = await devicesService.getById(deviceId);
+
+  if (!device) {
+    next(new ApiError(httpStatus.NOT_FOUND, "Device not found"));
+    return;
+  }
+
+  if (isAdmin(res.req.auth)) {
+    next();
+    return;
+  }
+
+  const currentUser: User | null = await usersService.getUserByOwner(
+    res.req.auth.sub,
+    device.organization,
+  );
+
+  if (!currentUser) {
+    next(
+      new ApiError(
+        httpStatus.FORBIDDEN,
+        "User is not part of the organization for this device",
+      ),
+    );
+    return;
+  }
+
+  if (
+    req.body?.organization &&
+    req.body.organization.toString() !== device.organization?.toString()
+  ) {
+    next(
+      new ApiError(
+        httpStatus.FORBIDDEN,
+        "Device is not part of the provided organization",
+      ),
+    );
+    return;
+  }
+
+  req.currentUser = currentUser;
+  next();
+};
+
+const validateDevice = async (
+  req: Request,
+  res: Response,
+  next: NextFunction,
+): Promise<void> => {
+  if (isAdmin(res.req.auth)) {
+    next();
+  } else {
+    const currentDevice: Device | null = await devicesService.getById(
+      req.params.deviceId,
+    );
+    if (!currentDevice) {
+      next(new ApiError(httpStatus.NOT_FOUND, "Device not found"));
+      return;
+    }
+
+    const currentUser: User | null = await usersService.getUserByOwner(
+      res.req.auth.sub,
+      currentDevice.organization,
+    );
+    if (!currentUser) {
+      next(
+        new ApiError(
+          httpStatus.FORBIDDEN,
+          "User is not part of the organization which has access to the device (validateDevice)",
+        ),
+      );
+      return;
+    }
+
+    req.currentUser = currentUser;
+    next();
+  }
+};
+
+const validateDeviceQuery = async (
+  req: Request,
+  res: Response,
+  next: NextFunction,
+): Promise<void> => {
+  if (isAdmin(res.req.auth)) {
+    next();
+  } else {
+    // console.log('Validating device query for user:', res.req.auth.sub, req.query);
+    const currentDevice: Device | null = await devicesService.getById(
+      req.query.deviceId as string,
+    );
+    if (!currentDevice) {
+      next(new ApiError(httpStatus.NOT_FOUND, "Device not found"));
+      return;
+    }
+
+    const currentUser: User | null = await usersService.getUserByOwner(
+      res.req.auth.sub,
+      currentDevice.organization,
+    );
+    if (!currentUser) {
+      next(
+        new ApiError(
+          httpStatus.FORBIDDEN,
+          "User is not part of the organization (validateDeviceOrOrganizationQuery)",
+        ),
+      );
+      return;
+    }
+
+    req.currentUser = currentUser;
+    next();
+  }
+};
+
+const validateDeviceOrOrganizationQuery = async (
+  req: Request,
+  res: Response,
+  next: NextFunction,
+): Promise<void> => {
+  if (isAdmin(res.req.auth)) {
+    next();
+    return;
+  }
+
+  const deviceId = req.query.deviceId as string;
+  const organizationId = req.query.organization as string;
+
+  if (deviceId) {
+    return validateDeviceQuery(req, res, next);
+  }
+
+  if (organizationId) {
+    const currentUser: User | null = await usersService.getUserByOwner(
+      res.req.auth.sub,
+      organizationId,
+    );
+
+    if (!currentUser) {
+      next(
+        new ApiError(
+          httpStatus.FORBIDDEN,
+          "User is not part of the organization which has access to the device (validateDeviceQuery)",
+        ),
+      );
+      return;
+    }
+
+    req.currentUser = currentUser;
+    next();
+    return;
+  }
+
+  next(
+    new ApiError(
+      httpStatus.BAD_REQUEST,
+      "deviceId or organization is required",
+    ),
+  );
+};
+
+export {
+  validateDevice,
+  validateDeviceQuery,
+  validateDeviceOrOrganizationQuery,
+  validateDeviceIsInOrganization,
+};