@kalisio/kdk 2.4.0 → 2.5.1

package/core/api/application.js

@@ -99,10 +99,10 @@ export async function configureService (name, service, servicesPath) {
     }
   } catch (error) {
     debug('No ' + name + ' service hooks configured on path ' + servicesPath)
-    if (error.code !== 'ERR_MODULE_NOT_FOUND') {
-      // Log error in this case as this might be linked to a syntax error in required file
-      debug(filepath, error)
-    }
+    // if (error.code !== 'ERR_MODULE_NOT_FOUND') {
+    // Log error in this case as this might be linked to a syntax error in required file
+    debug(filepath, error)
+    // }
     // As this is optionnal this require has to fail silently
   }
 
@@ -119,10 +119,10 @@ export async function configureService (name, service, servicesPath) {
     }
   } catch (error) {
     debug('No ' + name + ' service channels configured on path ' + servicesPath)
-    if (error.code !== 'ERR_MODULE_NOT_FOUND') {
-      // Log error in this case as this might be linked to a syntax error in required file
-      debug(filepath, error)
-    }
+    // if (error.code !== 'ERR_MODULE_NOT_FOUND') {
+    // Log error in this case as this might be linked to a syntax error in required file
+    debug(filepath, error)
+    // }
     // As this is optionnal this require has to fail silently
   }
 
@@ -198,10 +198,10 @@ async function createService (name, app, options = {}) {
     }
   } catch (error) {
     debug('No ' + fileName + ' service model configured on path ' + serviceOptions.modelsPath)
-    if (error.code !== 'ERR_MODULE_NOT_FOUND') {
-      // Log error in this case as this might be linked to a syntax error in required file
-      debug(fileName, error)
-    }
+    // if (error.code !== 'ERR_MODULE_NOT_FOUND') {
+    // Log error in this case as this might be linked to a syntax error in required file
+    debug(fileName, error)
+    // }
     // As this is optionnal this require has to fail silently
   }
 

package/core/api/authentication.js

@@ -1,5 +1,6 @@
 import makeDebug from 'debug'
 import _ from 'lodash'
+import qs from 'qs'
 import 'winston-daily-rotate-file'
 // import { RateLimiter } from 'limiter'
 import HttpLimiter from 'express-rate-limit'
@@ -32,6 +33,23 @@ export class Authentication extends AuthenticationService {
 }
 
 export class AuthenticationProviderStrategy extends OAuthStrategy {
+  setAuthentication (auth) {
+    super.setAuthentication(auth)
+    const authConfig = this.authentication.configuration
+    const { oauth } = authConfig
+    // Single logout supported ?
+    const { logout_url: logoutUrl, post_logout_url: postLogoutUrl, key } = this.configuration
+    if (logoutUrl && key) {
+      // Cannot use oauth/:provider/logout route as oauth/:provider is already intercepted by feathers and this causes an error
+      this.app.get(`/oauth-logout/${this.name}`, (req, res) => {
+        return res.redirect(logoutUrl + '?' + qs.stringify({
+          post_logout_redirect_uri: postLogoutUrl || oauth.redirect,
+          client_id: key
+        }))
+      })
+    }
+  }
+
   async getEntityData (profile, entity) {
     const createEntity = _.isNil(entity)
     // Add provider Id
@@ -50,6 +68,13 @@ export class AuthenticationProviderStrategy extends OAuthStrategy {
   }
 
   async getEntityQuery (profile) {
+    // Ensure the profile is right before requesting based on it
+    // as when an error is raised the profile will not contain any ID or email
+    // and we might build a request retrieving any user
+    if (!_.has(profile, 'id') && !_.has(profile, 'sub') && !_.has(profile, this.emailFieldInProfile || 'email')) {
+      // This ensure no user will be retrieved
+      return { $limit: 0 }
+    }
     const query = {
       $or: [
         { [`${this.name}Id`]: profile.id || profile.sub },
@@ -76,6 +101,8 @@ export class AuthenticationProviderStrategy extends OAuthStrategy {
 export class JWTAuthenticationStrategy extends JWTStrategy {
   async authenticate (authentication, params) {
     const { accessToken } = authentication
+    const authConfig = this.authentication.configuration
+    const { identityFields } = authConfig
     const { entity } = this.configuration
     const renewJwt = _.get(this.configuration, 'renewJwt', true)
 
@@ -99,14 +126,31 @@ export class JWTAuthenticationStrategy extends JWTStrategy {
     // Second key trick
     // Return user attached to the token if any
     // Return basic information for a stateless token otherwise
-    // As we only target MongoDB now, check for a valid ID otherwise assume a stateless token as well
-    if (payload.sub && ObjectID.isValid(payload.sub)) {
-      const entityId = await this.getEntityId(result, params)
-      const value = await this.getEntity(entityId, params)
+    if (payload.sub) {
+      // Check for a valid MongoDB ID
+      if (ObjectID.isValid(payload.sub)) {
+        const entityId = await this.getEntityId(result, params)
+        const value = await this.getEntity(entityId, params)
 
-      return {
-        ...result,
-        [entity]: value
+        return {
+          ...result,
+          [entity]: value
+        }
+      } else if (identityFields) {
+        // Otherwise use others fields to identify the user if defined
+        const query = {
+          $or: _.reduce(identityFields, (or, field) => or.concat([{ [field]: payload.sub }]), []),
+          $limit: 1
+        }
+        const response = await this.entityService.find({ ...params, query })
+        const [value = null] = response.data ? response.data : response
+        // Otherwise assume a stateless token
+        if (value) {
+          return {
+            ...result,
+            [entity]: value
+          }
+        }
       }
     }
 

package/core/api/hooks/hooks.authentication.js

@@ -5,67 +5,9 @@ import local from '@feathersjs/authentication-local'
 const debug = makeDebug('kdk:core:authentication:hooks')
 const { discard } = common
 
-// Make it more easy to acces
+// Make it more easy to access
 export const hashPassword = local.hooks.hashPassword
 
-export async function verifyGuest (hook) {
-  if (hook.type !== 'after') {
-    throw new Error('The \'verifyGuest\' hook should only be used as a \'after\' hook.')
-  }
-  const app = hook.app
-  const user = hook.result.user
-  if (!user) return hook
-  debug('verifyGuest hook called on ', user._id)
-
-  // Check whether the user has been inivted. If not, nothing to do
-  if (!user.sponsor) {
-    debug('Logged user is not a guest')
-    return hook
-  }
-
-  // Check whether has been already verified. If yes, nothing to do
-  if (user.isVerified) {
-    debug('Logged guest is already verified')
-    return hook
-  }
-
-  // The user is a guest and need to be verified
-  debug('Verifying logged guest')
-  const userService = app.getService('users')
-  await userService.patch(user._id, { isVerified: true })
-
-  return hook
-}
-
-export async function consentGuest (hook) {
-  if (hook.type !== 'after') {
-    throw new Error('The \'consentGuest\' hook should only be used as a \'after\' hook.')
-  }
-  const app = hook.app
-  const user = hook.result.user
-  if (!user) return hook
-  debug('consentGuest hook called on ', user._id)
-
-  // Check whether the user has been invited. If not, nothing to do
-  if (!user.sponsor) {
-    debug('Logged user is not a guest')
-    return hook
-  }
-
-  // Check whether consent has been already checked. If yes, nothing to do
-  if (user.consentTerms) {
-    debug('Logged guest is already verified')
-    return hook
-  }
-
-  // The user is a guest and need to be consent
-  debug('Consenting logged guest')
-  const userService = app.getService('users')
-  await userService.patch(user._id, { consentTerms: true, expireAt: null })
-
-  return hook
-}
-
 export function discardAuthenticationProviders (hook) {
   const providers = hook.app.authenticationProviders || []
 

package/core/api/hooks/hooks.authorisations.js

@@ -8,7 +8,6 @@ import {
   hasServiceAbilities, hasResourceAbilities, getQueryForAbilities,
   Roles, RoleNames, countSubjectsForResource
 } from '../../common/permissions.js'
-import { isTagEqual } from '../utils.js'
 
 const { getItems, replaceItems } = common
 const { Forbidden } = errors
@@ -25,7 +24,7 @@ export function createJWT (options = {}) {
     const accessTokens = await Promise.all(items.map(item => hook.app.getService('authentication').createAccessToken(
       // Provided function can be used to pick or omit properties in JWT payload
       (typeof options.payload === 'function' ? options.payload(user) : {}),
-      // Provided function can be used for custom options cdepending on the user,
+      // Provided function can be used for custom options depending on the user,
       // then we merge with default auth options for global properties like aud, iss, etc.
       _.merge({}, defaults, (typeof options.jwt === 'function' ? options.jwt(user) : options)))
     ))
@@ -186,13 +185,15 @@ export async function authorise (hook) {
   if (checkAuthorisation) {
     // Build ability for user
     const authorisationService = hook.app.getService('authorisations')
-    // If no user we allow for a stateless token with permissions inside
     let subject = hook.params.user
-    if (!subject) {
-      const payload = _.get(hook.params, 'authentication.payload')
-      // Token targeting API gateway (sub = keyId) or app used through iframe (appId = keyId)
-      if (payload && (payload.sub || payload.appId)) {
+    const payload = _.get(hook.params, 'authentication.payload')
+    if (payload) {
+      // If no user we allow for a stateless token with permissions inside, e.g.
+      // token targeting API gateway (sub = keyId) or app used through iframe (appId = keyId)
+      if (!subject && (payload.sub || payload.appId)) {
         subject = Object.assign({ _id: (payload.sub || payload.appId) }, payload)
+      } else if (subject) { // Otherwise we allow to "extend" user abilities by providing additional information in the token
+        subject = Object.assign(subject, _.omit(payload, ['aud', 'iss', 'exp', 'sub', 'iat', 'jti', 'nbf']))
       }
     }
     const abilities = await authorisationService.getAbilities(subject)
@@ -289,98 +290,3 @@ export function updateAbilities (options = {}) {
   }
 }
 
-export function preventRemovingLastOwner (resourceScope) {
-  return async function (hook) {
-    // By pass check ?
-    if (hook.params.force) return hook
-    const params = hook.params
-    const data = hook.data || {}
-    const query = params.query || {}
-    const scope = data.scope || query.scope
-    const grantedPermissions = data.permissions || query.permissions
-    const grantedRole = (grantedPermissions ? Roles[grantedPermissions] : undefined)
-    const resource = hook.params.resource
-    const subjects = hook.params.subjects
-    const subjectService = hook.params.subjectsService
-    // On create check if we try to downgrade permissions otherwise let pass through
-    if (!_.isUndefined(grantedRole) && (grantedRole === Roles.owner)) return hook
-
-    if ((scope === resourceScope) && resource && resource._id) {
-      // Count existing owners
-      const owners = await countSubjectsForResource(subjectService, resourceScope, resource._id, Roles.owner)
-      // Now count owners we change/remove permissions on
-      const removedOwners = subjects.reduce((count, subject) => {
-        const resources = _.get(subject, resourceScope, [])
-        const ownedResource = _.find(resources, { _id: resource._id, permissions: RoleNames[Roles.owner] })
-        return (ownedResource ? count + 1 : count)
-      }, 0)
-      // If none remains stop
-      if (removedOwners >= owners.total) {
-        debug('Cannot remove the last owner of resource ', resource)
-        const resourceName = resource.name ? resource.name : resource._id.toString()
-        throw new Forbidden('You are not allowed to remove the last owner of resource ' + resourceName, {
-          translation: {
-            key: 'CANNOT_REMOVE_LAST_OWNER',
-            params: { resource: resourceName }
-          }
-        })
-      }
-    }
-    return hook
-  }
-}
-
-export async function removeOrganisationGroupsAuthorisations (hook) {
-  const app = hook.app
-  const authorisationService = app.getService('authorisations')
-  const org = hook.params.resource
-  const user = hook.params.user
-  // Unset membership for the all org groups
-  const orgGroupService = app.getService('groups', org)
-  const groups = await orgGroupService.find({ paginate: false })
-  await Promise.all(groups.map(group => {
-  // Unset membership on group for the all org users
-    return authorisationService.remove(group._id.toString(), {
-      query: {
-        scope: 'groups'
-      },
-      user,
-      force: hook.params.force,
-      // Because we already have resource set it as objects to avoid populating
-      // Moreover used as an after hook the resource might not already exist anymore
-      subjects: hook.params.subjects,
-      subjectsService: hook.params.subjectsService,
-      resource: group,
-      resourcesService: orgGroupService
-    })
-  }))
-  debug('Authorisations unset on groups for organisation ' + org._id)
-  return hook
-}
-
-export async function removeOrganisationTagsAuthorisations (hook) {
-  const app = hook.app
-  const org = hook.params.resource
-  const subjectService = hook.params.subjectsService
-  const orgTagsService = app.getService('tags', org)
-  const subjects = hook.params.subjects || []
-  if (subjects.length === 0) return hook
-  // Retrieve org tags
-  const orgTags = await orgTagsService.find({ paginate: false })
-  const promises = []
-  subjects.forEach(subject => {
-    const tags = subject.tags || []
-    // Find tags from org
-    const fromOrg = _.intersectionWith(tags, orgTags, isTagEqual)
-    // Clear removed tags
-    const notFromOrg = _.differenceWith(tags, orgTags, isTagEqual)
-    // Update subject if required
-    if (fromOrg.length > 0) {
-      promises.push(subjectService.patch(subject._id.toString(), { tags: notFromOrg }))
-    }
-  })
-  // Perform subject updates in parallel
-  await Promise.all(promises)
-  debug(`Tags unset on ${promises.length} subjects for organisation ` + org._id)
-  return hook
-}

package/core/api/hooks/hooks.model.js

@@ -233,6 +233,10 @@ export async function distinct (hook) {
 // Check for already existing object according to given service/id field
 export function checkUnique (options = {}) {
   return async (hook) => {
+    if (hook.app) {
+      const serviceConfig = hook.app.get(hook.service.name)
+      if (serviceConfig && serviceConfig.checkUnique) options = serviceConfig.checkUnique
+    }
     const service = (options.service ? hook.app.getService(options.service) : hook.service)
     const field = options.field || 'name'
     const id = _.get(hook, `data.${field}`)

package/core/api/hooks/hooks.push.js

@@ -14,35 +14,41 @@ export async function sendNewSubscriptionEmail (hook) {
   if (hook.type !== 'after') {
     throw new Error('The \'sendNewSubscriptionEmail\' hook should only be used as a \'after\' hook.')
   }
-
   // Check for a new subscription if any
-  const updatedUser = hook.result
+  const currentUser = hook.result
   const previousUser = hook.params.user
   // If we can't compare abort, eg f-a-m might patch user to update tokens
-  if (!updatedUser || !previousUser) return hook
-  const newSubscription = _.differenceBy(_.get(updatedUser, 'subscriptions', []), _.get(previousUser, 'subscriptions', []), 'endpoint')
-  if (_.size(newSubscription) !== 1) return
-
-  // Data
+  if (!currentUser || !previousUser) return 
+  // Retrieve the last subscription
+  const lastSubscription = _.last(_.get(currentUser, 'subscriptions', []))
+  if (!lastSubscription) return
+  // Check whether the subscription has an existing fingerprint
+  const existingSubscription = _.find(_.get(previousUser, 'subscriptions', []), subscription => {
+    return _.isEqual(subscription.fingerprint, lastSubscription.fingerprint)
+  })
+  if (existingSubscription) {
+    debug('Last subscription uses an existing fingerprint')
+    return
+  }
+  debug('Last subscription uses uses a new fingerprint')
+  // Send an email to notify the user
   const app = hook.app
   const mailerService = app.getService('mailer')
   const domainPath = app.get('domain') + '/#/'
   const email = {
     subject: 'Security alert - new browser detected',
-    from: mailerService.options.auth.user,
-    // When changing email send to the new one so that it can be verified
-    to: updatedUser.email,
+    from: mailerService.options.from || mailerService.options.auth.user,
+    to: currentUser.email,
     link: domainPath,
     domainPath
   }
-
   // Build the subject & link to the app to perform the different actions
   const templateDir = path.join(mailerService.options.templateDir, 'newSubscription')
   const template = new emails.EmailTemplate(templateDir)
   // Errors does not seem to be correctly catched by the caller
   // so we catch them here to avoid any problem
   try {
-    const emailContent = await template.render({ email, user: updatedUser, subscription: _.first(newSubscription) }, updatedUser.locale || 'en-us')
+    const emailContent = await template.render({ email, user: currentUser, subscription: lastSubscription }, currentUser.locale || 'en-us')
     // Update compiled content
     email.html = emailContent.html
     debug('Sending email ', email)
@@ -51,6 +57,4 @@ export async function sendNewSubscriptionEmail (hook) {
     debug('Sending email failed', error)
     app.logger.error(error)
   }
-
-  return hook
 }

package/core/api/hooks/hooks.users.js

@@ -135,86 +135,6 @@ export function generatePassword (options = {}) {
   }
 }
 
-export function preventRemoveUser (hook) {
-  if (hook.type !== 'before') {
-    throw new Error('The \'preventRemoveUser\' hook should only be used as a \'before\' hook.')
-  }
-
-  // By pass check ?
-  if (hook.params.force) return hook
-  const user = hook.params.user
-  // Check if the target is the current user
-  if ((user._id.toString() === hook.id.toString()) && user.organisations) {
-    // We must ensure the user is no more a owner of an organisation
-    const owningOrganisations = _.filter(user.organisations, { permissions: RoleNames[Roles.owner] })
-    if (!_.isEmpty(owningOrganisations)) {
-      debug('Cannot remove the user: ', user)
-      throw new Forbidden('You are not allowed to delete the user ' + user.name, {
-        translation: {
-          key: 'CANNOT_REMOVE_USER',
-          params: { user: _.get(user, 'profile.name') }
-        }
-      })
-    }
-  }
-  return hook
-}
-
-export async function joinOrganisation (hook) {
-  const app = hook.app
-  const subject = getItems(hook)
-  const authorisationService = app.getService('authorisations')
-  const usersService = app.getService('users')
-
-  // Set membership for the created user
-  await authorisationService.create({
-    scope: 'organisations',
-    permissions: subject.sponsor.roleGranted, // Member by default
-    resource: subject.sponsor.organisationId,
-    resourcesService: 'organisations'
-  }, {
-    subjectsService: usersService,
-    subjects: [subject]
-  })
-  debug('Organisation membership set for user ' + subject._id)
-  return hook
-}
-
-export function leaveOrganisations (options = { skipPrivate: true }) {
-  return async function (hook) {
-    if (hook.type !== 'after') {
-      throw new Error('The \'leaveOrganisations\' hook should only be used as a \'after\' hook.')
-    }
-
-    const app = hook.app
-    const organisationsService = app.getService('organisations')
-    const authorisationService = app.getService('authorisations')
-    const usersService = app.getService('users')
-    const subject = getItems(hook)
-    const organisations = _.get(subject, 'organisations', [])
-
-    await Promise.all(organisations.map(organisation => {
-      // Unset membership on org except private org if required
-      if (options.skipPrivate && organisation._id.toString() === subject._id.toString()) return Promise.resolve()
-      return authorisationService.remove(organisation._id.toString(), {
-        query: {
-          scope: 'organisations'
-        },
-        user: hook.params.user,
-        // Because we already have resource set it as objects to avoid populating
-        // Moreover used as an after hook the subject might not already exist anymore
-        subjects: [subject],
-        subjectsService: usersService,
-        resource: organisation,
-        resourcesService: organisationsService
-      })
-    }))
-
-    debug('Membership unset for all organisations on user ' + subject._id)
-    return hook
-  }
-}
-
 export async function sendVerificationEmail (hook) {
   if (hook.type !== 'after') {
     throw new Error('The \'sendVerificationEmail\' hook should only be used as a \'after\' hook.')
@@ -230,17 +150,6 @@ export async function sendVerificationEmail (hook) {
   return hook
 }
 
-export async function sendInvitationEmail (hook) {
-  // Before because we need to send the clear password by email
-  if (hook.type !== 'before') {
-    throw new Error('The \'sendInvitationEmail\' hook should only be used as a \'before\' hook.')
-  }
-
-  const accountService = hook.app.getService('account')
-  await accountService.options.notifier('sendInvitation', hook.data)
-  return hook
-}
-
 export function addVerification (hook) {
   const accountService = hook.app.getService('account')
 

package/core/api/hooks/index.js

@@ -1,9 +1,7 @@
 export * from './hooks.authentication.js'
 export * from './hooks.authorisations.js'
-export * from './hooks.groups.js'
 export * from './hooks.logger.js'
 export * from './hooks.model.js'
-export * from './hooks.organisations.js'
 export * from './hooks.query.js'
 export * from './hooks.schemas.js'
 export * from './hooks.service.js'

package/core/api/services/account/account.service.js

@@ -42,7 +42,7 @@ export default function (name, app, options) {
     const mailerService = app.getService('mailer')
     const domainPath = app.get('domain') + '/#/'
     const email = {
-      from: mailerService.options.auth.user,
+      from: mailerService.options.from || mailerService.options.auth.user,
       // When changing email send to the new one so that it can be verified
       to: (type === 'identityChange' ? user.verifyChanges.email : user.email),
       domainPath

package/core/api/services/authorisations/authorisations.service.js

@@ -22,10 +22,6 @@ export default {
       const scope = _.get(subject, scopeName, [])
       // Then the target resource
       let resource = _.find(scope, resource => resource._id && (resource._id.toString() === params.resource._id.toString()))
-      if (!resource) {
-        // Fallback as name
-        resource = _.find(scope, resource => resource.name && (resource.name === params.resource.name))
-      }
       // On first authorisation create the resource in scope
       if (!resource) {
         resource = Object.assign({}, params.resource)
@@ -91,37 +87,40 @@ export default {
   setup (app) {
     const config = app.get('authorisation')
     if (config && config.cache) {
+      this.cacheConfig = config.cache
       // Store abilities of the N most active users in LRU cache (defaults to 1000)
-      const max = config.cache.maxUsers || 1000
+      const max = this.cacheConfig.maxUsers || 1000
       // LRU cache lib switched from positional parameters to options object at some point
       // so that now we directly pass the options to it while before we used the max argument
-      if (!config.cache.max && !config.cache.ttl && !config.cache.maxSize) config.cache.max = max
-      this.cache = new LRUCache(config.cache)
+      if (!this.cacheConfig.max && !this.cacheConfig.ttl && !this.cacheConfig.maxSize) this.cacheConfig.max = max
+      this.cache = new LRUCache(this.cacheConfig)
       debug('Using LRU cache for user abilities')
     } else {
       debug('Do not use LRU cache for user abilities')
     }
   },
 
+  getCacheKey (subject) {
+    if (!this.cache) return null
+    let cacheKey
+    // Compute cache key based on provided function or user ID
+    if (typeof this.cacheConfig.key === 'function') cacheKey = this.cacheConfig.key(subject)
+    if (!cacheKey && subject && subject._id) cacheKey = subject._id.toString()
+    return cacheKey || ANONYMOUS_USER
+  },
+
   // Compute abilities for a given user and set it in cache the first time
   // or get it from cache if found
   async getAbilities (subject) {
-    if (this.cache) {
-      if (subject && subject._id) {
-        if (this.cache.has(subject._id.toString())) return this.cache.get(subject._id.toString())
-      } else {
-        if (this.cache.has(ANONYMOUS_USER)) return this.cache.get(ANONYMOUS_USER)
-      }
-    }
+    const cacheKey = this.getCacheKey(subject)
+    if (cacheKey && this.cache.has(cacheKey)) return this.cache.get(cacheKey)
+    
     // Provide app for any complex use case requiring to make requests
     const abilities = await defineAbilities(subject, this.app)
 
-    if (this.cache) {
-      if (subject && subject._id) {
-        this.cache.set(subject._id.toString(), abilities)
-      } else {
-        this.cache.set(ANONYMOUS_USER, abilities)
-      }
+    if (cacheKey) {
+      debug('Updating user abilities of subject ' + (subject ? subject._id : ANONYMOUS_USER) + ' with cache key ' + cacheKey)
+      this.cache.set(cacheKey, abilities)
     }
 
     return abilities
@@ -129,20 +128,20 @@ export default {
 
   // Compute abilities for a given user and update it in cache
   async updateAbilities (subject) {
-    if (this.cache) {
-      if (subject && subject._id) {
-        this.cache.delete(subject._id.toString())
-      } else {
-        this.cache.delete(ANONYMOUS_USER)
-      }
-    }
-
+    const cacheKey = this.getCacheKey(subject)
+    
+    // Remove abilities from cache so that next call will populate it again
+    if (cacheKey && this.cache.has(cacheKey)) this.cache.delete(cacheKey)
+    
     const abilities = await this.getAbilities(subject)
     return abilities
   },
 
   // Clear abilities
   clearAbilities() {
-    if (this.cache) this.cache.clear()
+    if (this.cache) {
+      debug('Clearing user abilities cache')
+      this.cache.clear()
+    }
   }
 }