@intranefr/superbackend 1.4.4 → 1.5.1

package/src/controllers/uiComponentsPublic.controller.js

@@ -0,0 +1,118 @@
+const UiComponent = require('../models/UiComponent');
+const UiComponentProject = require('../models/UiComponentProject');
+const UiComponentProjectComponent = require('../models/UiComponentProjectComponent');
+
+const { verifyKey } = require('../services/uiComponentsCrypto.service');
+
+function extractProjectKey(req) {
+  const headerToken = req.headers['x-project-key'] || req.headers['x-api-key'];
+  if (headerToken) return String(headerToken).trim();
+  return null;
+}
+
+async function loadAndAuthorizeProject(req, res, projectId) {
+  const project = await UiComponentProject.findOne({ projectId: String(projectId), isActive: true }).lean();
+  if (!project) {
+    res.status(404).json({ error: 'Project not found' });
+    return null;
+  }
+
+  if (!project.isPublic) {
+    const key = extractProjectKey(req);
+    const ok = project.apiKeyHash && verifyKey(key, project.apiKeyHash);
+    if (!ok) {
+      res.status(401).json({ error: 'Invalid project key' });
+      return null;
+    }
+  }
+
+  return project;
+}
+
+exports.getManifest = async (req, res) => {
+  try {
+    const { projectId } = req.params;
+    const project = await loadAndAuthorizeProject(req, res, projectId);
+    if (!project) return;
+
+    const assignments = await UiComponentProjectComponent.find({ projectId: project.projectId, enabled: true }).lean();
+    const codes = assignments.map((a) => a.componentCode);
+
+    const components = await UiComponent.find({
+      code: { $in: codes },
+      isActive: true,
+    })
+      .sort({ code: 1 })
+      .lean();
+
+    const docsOnly = String(req.query.docs || '').toLowerCase() === 'true';
+
+    const out = components.map((c) => {
+      const base = {
+        code: c.code,
+        name: c.name,
+        version: c.version,
+      };
+      if (docsOnly) {
+        base.usageMarkdown = c.usageMarkdown;
+      } else {
+        base.html = c.html;
+        base.js = c.js;
+        base.css = c.css;
+      }
+      return base;
+    });
+
+    return res.json({
+      project: {
+        projectId: project.projectId,
+        name: project.name,
+        isPublic: project.isPublic,
+        allowedOrigins: project.allowedOrigins || [],
+      },
+      components: out,
+    });
+  } catch (error) {
+    console.error('UI Components getManifest error:', error);
+    return res.status(500).json({ error: 'Failed to load manifest' });
+  }
+};
+
+exports.getComponent = async (req, res) => {
+  try {
+    const { projectId, code } = req.params;
+    const project = await loadAndAuthorizeProject(req, res, projectId);
+    if (!project) return;
+
+    const componentCode = String(code || '').trim().toLowerCase();
+
+    const assignment = await UiComponentProjectComponent.findOne({
+      projectId: project.projectId,
+      componentCode,
+      enabled: true,
+    }).lean();
+
+    if (!assignment) return res.status(404).json({ error: 'Component not enabled for this project' });
+
+    const component = await UiComponent.findOne({ code: componentCode, isActive: true }).lean();
+    if (!component) return res.status(404).json({ error: 'Component not found' });
+
+    return res.json({
+      project: {
+        projectId: project.projectId,
+        isPublic: project.isPublic,
+      },
+      component: {
+        code: component.code,
+        name: component.name,
+        version: component.version,
+        html: component.html,
+        js: component.js,
+        css: component.css,
+      },
+    });
+  } catch (error) {
+    console.error('UI Components getComponent error:', error);
+    return res.status(500).json({ error: 'Failed to load component' });
+  }
+};

package/src/middleware/auth.js

@@ -19,6 +19,7 @@ const authenticate = async (req, res, next) => {
     req.user = user;
     next();
   } catch (error) {
+    console.error("api authenticate error:", error);
     return res
       .status(401)
       .json({ error: error.message || "Authentication failed" });
@@ -45,6 +46,12 @@ const basicAuth = (req, res, next) => {
   if (username === adminUsername && password === adminPassword) {
     next();
   } else {
+    console.error("api basicAuth error:", {
+      username,
+      password,
+      adminUsername,
+      adminPassword,
+    });
     res.setHeader("WWW-Authenticate", 'Basic realm="Admin Area"');
     return res.status(401).json({ error: "Invalid credentials" });
   }

package/src/middleware/internalCronAuth.js

@@ -0,0 +1,29 @@
+const globalSettingsService = require('../services/globalSettings.service');
+const { INTERNAL_CRON_TOKEN_SETTING_KEY } = require('../services/blogCronsBootstrap.service');
+
+async function requireInternalCronToken(req, res, next) {
+  try {
+    const header = String(req.headers.authorization || '');
+    if (!header.startsWith('Bearer ')) {
+      return res.status(401).json({ error: 'Authentication required' });
+    }
+
+    const token = header.slice('Bearer '.length).trim();
+    const expected = String(
+      await globalSettingsService.getSettingValue(INTERNAL_CRON_TOKEN_SETTING_KEY, ''),
+    ).trim();
+
+    if (!expected || token !== expected) {
+      return res.status(403).json({ error: 'Forbidden' });
+    }
+
+    next();
+  } catch (error) {
+    console.error('internal cron auth error:', error);
+    res.status(500).json({ error: 'Internal auth failed' });
+  }
+}
+
+module.exports = {
+  requireInternalCronToken,
+};

package/src/middleware/rbac.js

@@ -0,0 +1,62 @@
+const rbacService = require('../services/rbac.service');
+
+function isBasicAuthSuperAdmin(req) {
+  const authHeader = req.headers?.authorization || '';
+  if (!authHeader.startsWith('Basic ')) return false;
+
+  try {
+    const credentials = Buffer.from(authHeader.substring(6), 'base64').toString('utf-8');
+    const [username, password] = credentials.split(':');
+
+    const adminUsername = process.env.ADMIN_USERNAME || 'admin';
+    const adminPassword = process.env.ADMIN_PASSWORD || 'admin';
+
+    return username === adminUsername && password === adminPassword;
+  } catch (e) {
+    return false;
+  }
+}
+
+function requireRight(requiredRight, options = {}) {
+  const getOrgId = options.getOrgId || ((req) => req.params?.orgId || req.query?.orgId || req.body?.orgId);
+
+  return async (req, res, next) => {
+    try {
+      if (isBasicAuthSuperAdmin(req)) {
+        return next();
+      }
+
+      if (!req.user) {
+        return res.status(401).json({ error: 'Authentication required' });
+      }
+
+      const orgId = getOrgId(req);
+      if (!orgId) {
+        return res.status(400).json({ error: 'orgId is required for RBAC checks' });
+      }
+
+      const result = await rbacService.checkRight({
+        userId: req.user._id,
+        orgId,
+        right: requiredRight,
+      });
+
+      if (!result.allowed) {
+        return res.status(403).json({
+          error: 'Access denied',
+          reason: result.reason,
+        });
+      }
+
+      return next();
+    } catch (error) {
+      console.error('RBAC requireRight error:', error);
+      return res.status(500).json({ error: 'Failed to evaluate RBAC rights' });
+    }
+  };
+}
+
+module.exports = {
+  requireRight,
+  isBasicAuthSuperAdmin,
+};