@lenne.tech/nest-server 10.2.14 → 10.2.15

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lenne.tech/nest-server",
-  "version": "10.2.14",
+  "version": "10.2.15",
   "description": "Modern, fast, powerful Node.js web framework in TypeScript based on Nest with a GraphQL API and a connection to MongoDB (or other databases).",
   "keywords": [
     "node",

package/src/config.env.ts

@@ -89,7 +89,14 @@ const config: { [env: string]: IServerOptions } = {
     },
     port: 3000,
     security: {
-      checkResponseInterceptor: true,
+      checkResponseInterceptor: {
+        checkObjectItself: false,
+        debug: false,
+        ignoreUndefined: true,
+        mergeRoles: true,
+        removeUndefinedFromResultArray: true,
+        throwError: false,
+      },
       checkSecurityInterceptor: true,
       mapAndValidatePipe: true,
     },
@@ -196,7 +203,14 @@ const config: { [env: string]: IServerOptions } = {
     },
     port: 3000,
     security: {
-      checkResponseInterceptor: true,
+      checkResponseInterceptor: {
+        checkObjectItself: false,
+        debug: false,
+        ignoreUndefined: true,
+        mergeRoles: true,
+        removeUndefinedFromResultArray: true,
+        throwError: false,
+      },
       checkSecurityInterceptor: true,
       mapAndValidatePipe: true,
     },
@@ -292,7 +306,14 @@ const config: { [env: string]: IServerOptions } = {
     },
     port: 3000,
     security: {
-      checkResponseInterceptor: true,
+      checkResponseInterceptor: {
+        checkObjectItself: false,
+        debug: false,
+        ignoreUndefined: true,
+        mergeRoles: true,
+        removeUndefinedFromResultArray: true,
+        throwError: false,
+      },
       checkSecurityInterceptor: true,
       mapAndValidatePipe: true,
     },

package/src/core/common/decorators/restricted.decorator.ts

@@ -67,15 +67,20 @@ export const checkRestricted = (
     dbObject?: any;
     debug?: boolean;
     ignoreUndefined?: boolean;
+    mergeRoles?: boolean;
     processType?: ProcessType;
     removeUndefinedFromResultArray?: boolean;
     throwError?: boolean;
   } = {},
   processedObjects: any[] = [],
 ) => {
+  // Act like Roles handling: checkObjectItself = false & mergeRoles = true
+  // For Input: throwError = true
+  // For Output: throwError = false
   const config = {
-    checkObjectItself: true,
+    checkObjectItself: false,
     ignoreUndefined: true,
+    mergeRoles: true,
     removeUndefinedFromResultArray: true,
     throwError: true,
     ...options,
@@ -220,7 +225,8 @@ export const checkRestricted = (
 
     // Check restricted
     const restricted = getRestricted(data, propertyKey) || [];
-    const valid = validateRestricted(restricted);
+    const concatenatedRestrictions = config.mergeRoles ? _.uniq(objectRestrictions.concat(restricted)) : restricted;
+    const valid = validateRestricted(concatenatedRestrictions);
 
     // Check rights
     if (valid) {

package/src/core/common/interceptors/check-response.interceptor.ts

@@ -4,12 +4,29 @@ import { map } from 'rxjs/operators';
 
 import { checkRestricted } from '../decorators/restricted.decorator';
 import { getContextData } from '../helpers/context.helper';
+import { ConfigService } from '../services/config.service';
 
 /**
  * Interceptor to check the response data for current user
  */
 @Injectable()
 export class CheckResponseInterceptor implements NestInterceptor {
+  config = {
+    checkObjectItself: false,
+    debug: false,
+    ignoreUndefined: true,
+    mergeRoles: true,
+    removeUndefinedFromResultArray: true,
+    throwError: false,
+  };
+
+  constructor(private readonly configService: ConfigService) {
+    const configuration = this.configService.getFastButReadOnly('security.checkResponseInterceptor');
+    if (typeof configuration === 'object') {
+      this.config = { ...this.config, ...configuration };
+    }
+  }
+
   /**
    * Interception
    */
@@ -21,7 +38,7 @@ export class CheckResponseInterceptor implements NestInterceptor {
     return next.handle().pipe(
       map((data) => {
         // Prepare response data for current user
-        return checkRestricted(data, currentUser, { throwError: false });
+        return checkRestricted(data, currentUser, this.config);
       }),
     );
   }

package/src/core/common/interfaces/server-options.interface.ts

@@ -410,9 +410,47 @@ export interface IServerOptions {
     /**
      * Check restrictions for output (models and output objects)
      * See @lenne.tech/nest-server/src/core/common/interceptors/check-response.interceptor.ts
-     * default = true
      */
-    checkResponseInterceptor?: boolean;
+    checkResponseInterceptor?:
+      | {
+          /**
+           * Check the object itself for restrictions
+           * (the class restriction is not only default for properties but object itself)
+           * default = false (to act like Roles)
+           */
+          checkObjectItself?: boolean;
+
+          /**
+           * Whether to log if a restricted field is found
+           * default = false
+           */
+          debug?: boolean;
+
+          /**
+           * Whether to ignore fields with undefined values
+           * default = true
+           */
+          ignoreUndefined?: boolean;
+
+          /**
+           * Merge roles of object and properties
+           * default = true (to act like Roles)
+           */
+          mergeRoles?: boolean;
+
+          /**
+           * Remove undefined values from result array
+           * default = true
+           */
+          removeUndefinedFromResultArray?: boolean;
+
+          /**
+           * Whether to throw an error if a restricted field is found
+           * default = false (for output objects)
+           */
+          throwError?: boolean;
+        }
+      | boolean;
 
     /**
      * Process securityCheck() methode of Object before response

package/src/core/common/models/core-persistence.model.ts

@@ -2,6 +2,8 @@ import { Field, ID, ObjectType } from '@nestjs/graphql';
 import { Prop, Schema } from '@nestjs/mongoose';
 import { Types } from 'mongoose';
 
+import { Restricted } from '../decorators/restricted.decorator';
+import { RoleEnum } from '../enums/role.enum';
 import { CoreModel } from './core-model.model';
 
 /**
@@ -26,6 +28,7 @@ export abstract class CorePersistenceModel extends CoreModel {
   // Getter
   // ===========================================================================
 
+  @Restricted(RoleEnum.S_EVERYONE)
   get _id() {
     return new Types.ObjectId(this.id);
   }
@@ -37,6 +40,7 @@ export abstract class CorePersistenceModel extends CoreModel {
   /**
    * ID of the persistence object as string
    */
+  @Restricted(RoleEnum.S_EVERYONE)
   @Field(type => ID, {
     description: 'ID of the persistence object',
     nullable: true,
@@ -46,6 +50,7 @@ export abstract class CorePersistenceModel extends CoreModel {
   /**
    * Created date, is set automatically by mongoose
    */
+  @Restricted(RoleEnum.S_EVERYONE)
   @Field({ description: 'Created date', nullable: true })
   @Prop({ onCreate: () => new Date() })
   createdAt: Date = undefined;
@@ -53,6 +58,7 @@ export abstract class CorePersistenceModel extends CoreModel {
   /**
    * Labels of the object
    */
+  @Restricted(RoleEnum.S_EVERYONE)
   @Field(type => [String], {
     description: 'Labels of the object',
     nullable: true,
@@ -63,6 +69,7 @@ export abstract class CorePersistenceModel extends CoreModel {
   /**
    * Tags for the object
    */
+  @Restricted(RoleEnum.S_EVERYONE)
   @Field(type => [String], {
     description: 'Tags for the object',
     nullable: true,
@@ -73,6 +80,7 @@ export abstract class CorePersistenceModel extends CoreModel {
   /**
    * Updated date is set automatically by mongoose
    */
+  @Restricted(RoleEnum.S_EVERYONE)
   @Field({ description: 'Updated date', nullable: true })
   @Prop({ onUpdate: () => new Date() })
   updatedAt: Date = undefined;