@lenne.tech/nest-server 8.2.0 → 8.4.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lenne.tech/nest-server",
-  "version": "8.2.0",
+  "version": "8.4.0",
   "description": "Modern, fast, powerful Node.js web framework in TypeScript based on Nest with a GraphQL API and a connection to MongoDB (or other databases).",
   "keywords": [
     "node",
@@ -61,8 +61,8 @@
     "@nestjs/mongoose": "9.0.3",
     "@nestjs/passport": "8.2.1",
     "@nestjs/platform-express": "8.4.4",
-    "apollo-server-core": "3.6.7",
-    "apollo-server-express": "3.6.7",
+    "apollo-server-core": "3.7.0",
+    "apollo-server-express": "3.7.0",
     "bcrypt": "5.0.1",
     "class-transformer": "0.5.1",
     "class-validator": "0.13.2",
@@ -75,7 +75,7 @@
     "mongodb": "4.5.0",
     "mongoose": "6.3.2",
     "multer": "1.4.4",
-    "node-mailjet": "3.3.13",
+    "node-mailjet": "3.4.1",
     "nodemailer": "6.7.5",
     "nodemon": "2.0.16",
     "passport": "0.5.2",
@@ -98,7 +98,7 @@
     "@typescript-eslint/eslint-plugin": "5.22.0",
     "@typescript-eslint/parser": "5.22.0",
     "coffeescript": "2.7.0",
-    "eslint": "8.14.0",
+    "eslint": "8.15.0",
     "eslint-config-prettier": "8.5.0",
     "find-file-up": "2.0.1",
     "grunt": "1.5.2",
@@ -107,7 +107,7 @@
     "grunt-contrib-watch": "1.1.0",
     "grunt-sync": "0.8.2",
     "husky": "7.0.4",
-    "jest": "28.0.3",
+    "jest": "28.1.0",
     "pm2": "5.2.0",
     "prettier": "2.6.2",
     "pretty-quick": "3.1.3",

package/src/core/common/decorators/restricted.decorator.ts

@@ -1,42 +1,55 @@
 import 'reflect-metadata';
 import { UnauthorizedException } from '@nestjs/common';
+import { ProcessType } from '../enums/process-type.enum';
 import { RoleEnum } from '../enums/role.enum';
-import { getStringIds } from '../helpers/db.helper';
-import { IdsType } from '../types/ids.type';
+import { getIncludedIds } from '../helpers/db.helper';
+import { RequireAtLeastOne } from '../types/required-at-least-one.type';
 
 /**
  * Restricted meta key
  */
 const restrictedMetaKey = Symbol('restricted');
+export type RestrictedType = (
+  | string
+  | RequireAtLeastOne<
+      { memberOf?: string | string[]; roles?: string | string[]; processType?: ProcessType },
+      'memberOf' | 'roles'
+    >
+)[];
 
 /**
  * Decorator for restricted properties
  *
- * If the decorator is used it will be checked if the current user has one of the included roles.
- * If this is not the case, the property is removed from the return object.
+ * The restricted decorator can include roles as strings or object with property `roles`
+ * and memberships as objects with property `memberOf`.
  *
- * Activation of the CheckResponseInterceptor is necessary for use.
+ * Roles:
+ *    If one or more Role(Enum)s are set, the user must have at least one of it in his `role` property.
+ *
+ * Memberships:
+ *    If one or more membership objects are set, the ID of the user must be included in one of the
+ *    properties of the processed item, which is specified by the value of `memberOf`
+ *    Via processType the restriction can be set for input or output only
  */
-export const Restricted = (...roles: string[]): PropertyDecorator => {
-  return Reflect.metadata(restrictedMetaKey, roles);
+export const Restricted = (...rolesOrMember: RestrictedType): PropertyDecorator => {
+  return Reflect.metadata(restrictedMetaKey, rolesOrMember);
 };
 
 /**
  * Get restricted
  */
-export const getRestricted = (object: unknown, propertyKey: string) => {
+export const getRestricted = (object: unknown, propertyKey: string): RestrictedType => {
   return Reflect.getMetadata(restrictedMetaKey, object, propertyKey);
 };
 
 /**
  * Check data for restricted properties (properties with `Restricted` decorator)
- *
- * If restricted roles includes RoleEnum.OWNER, ownerId(s) from current data (in DB) must be set in options.
+ * For special Roles and member of group checking the dbObject must be set in options
  */
 export const checkRestricted = (
   data: any,
   user: { id: any; hasRole: (roles: string[]) => boolean },
-  options: { ignoreUndefined?: boolean; ownerIds?: IdsType; throwError?: boolean } = {},
+  options: { dbObject?: any; ignoreUndefined?: boolean; processType?: ProcessType; throwError?: boolean } = {},
   processedObjects: any[] = []
 ) => {
   const config = {
@@ -69,45 +82,99 @@ export const checkRestricted = (
       continue;
     }
 
-    // Get roles
-    const roles = getRestricted(data, propertyKey);
-
-    // If roles are specified
-    if (roles && roles.some((value) => !!value)) {
-      // Check user and user roles
-      if (!user || !user.hasRole(roles)) {
-        // Check special role for owner
-        if (user && roles.includes(RoleEnum.OWNER)) {
-          const userId = getStringIds(user);
-          const ownerIds = config.ownerIds ? getStringIds(config.ownerIds) : null;
-
-          if (
-            // No owner IDs
-            !ownerIds ||
-            // User is not the owner
-            !(ownerIds === userId || (Array.isArray(ownerIds) && ownerIds.includes(userId)))
-          ) {
-            // The user does not have the required rights and is not the owner
-            if (config.throwError) {
-              if (!config.ownerIds) {
-                throw new UnauthorizedException('Lack of ownerIds to verify ownership of ' + propertyKey);
+    // Check restricted
+    const restricted = getRestricted(data, propertyKey);
+    let valid = true;
+    if (restricted?.length) {
+      valid = false;
+
+      // Get roles
+      const roles: string[] = [];
+      restricted.forEach((item) => {
+        if (typeof item === 'string') {
+          roles.push(item);
+        } else if (
+          item?.roles?.length &&
+          (config.processType && item.processType ? config.processType === item.processType : true)
+        ) {
+          if (Array.isArray(item.roles)) {
+            roles.push(...item.roles);
+          } else {
+            roles.push(item.roles);
+          }
+        }
+      });
+
+      // Check roles
+      if (roles.length) {
+        // Check roles
+        if (
+          user?.hasRole(roles) ||
+          (roles.includes(RoleEnum.S_CREATOR) && getIncludedIds(config.dbObject?.createdBy, user))
+        ) {
+          valid = true;
+        }
+      }
+
+      if (!valid) {
+        // Get groups
+        const groups = restricted.filter((item) => {
+          return (
+            typeof item === 'object' &&
+            // Check if object is valid
+            item.memberOf.length &&
+            // Check if processType is specified and is valid for current process
+            (config.processType && item.processType ? config.processType === item.processType : true)
+          );
+        }) as { memberOf: string | string[] }[];
+
+        // Check groups
+        if (groups.length) {
+          // Get members from groups
+          const members = [];
+          for (const group of groups) {
+            let properties: string[] = group.memberOf as string[];
+            if (!Array.isArray(group.memberOf)) {
+              properties = [group.memberOf];
+            }
+            for (const property of properties) {
+              const items = config.dbObject?.[property];
+              if (items) {
+                if (Array.isArray(items)) {
+                  members.concat(items);
+                } else {
+                  members.push(items);
+                }
               }
-              throw new UnauthorizedException('Current user is not allowed to set ' + propertyKey);
             }
-            continue;
           }
-        } else {
-          // The user does not have the required rights
-          if (config.throwError) {
-            throw new UnauthorizedException('Current user is not allowed to set ' + propertyKey);
+
+          // Check if user is a member
+          if (getIncludedIds(members, user)) {
+            valid = true;
           }
-          continue;
+        }
+
+        // Check if there are no limitations
+        if (!roles.length && !groups.length) {
+          valid = true;
         }
       }
     }
 
-    // Check property data
-    data[propertyKey] = checkRestricted(data[propertyKey], user, config, processedObjects);
+    // Check rights
+    if (valid) {
+      // Check deep
+      data[propertyKey] = checkRestricted(data[propertyKey], user, config, processedObjects);
+    } else {
+      // Throw error
+      if (config.throwError) {
+        throw new UnauthorizedException('The current user has no access rights for ' + propertyKey);
+      }
+
+      // Remove property
+      delete data[propertyKey];
+    }
   }
 
   // Return processed data

package/src/core/common/enums/process-type.enum.ts

@@ -0,0 +1,7 @@
+/**
+ * Current process type for data input or data output
+ */
+export enum ProcessType {
+  INPUT = 'input',
+  OUTPUT = 'output',
+}

package/src/core/common/enums/role.enum.ts

@@ -1,13 +1,28 @@
 /**
- * Enums for role decorator
+ * Enums for Resolver @Role and Model @Restricted decorator and for roles property in ServiceOptions
  */
 export enum RoleEnum {
-  // User must be an administrator
+  // ===================================================================================================================
+  // Real roles (integrated into user.roles), which can be used via @Restricted for Models (properties),
+  // via @Roles for Resolvers (methods) and via ServiceOptions for Resolver methods.
+  // ===================================================================================================================
+
+  // User must be an administrator (see roles of user)
   ADMIN = 'admin',
 
-  // User must be the owner of the processed object(s)
-  OWNER = 'owner',
+  // ===================================================================================================================
+  // Special system roles, which can be used via @Restricted for Models (properties), via @Roles for Resolvers (methods)
+  // and via ServiceOptions for Resolver methods. This roles should not be integrated into user.roles!
+  // ===================================================================================================================
+
+  // User must be logged in (see context user, e.g. @GraphQLUser)
+  S_USER = 's_user',
+
+  // ===================================================================================================================
+  // Special system roles that check rights for DB objects and can be used via @Restricted for Models (properties)
+  // and via ServiceOptions for Resolver methods. These roles should not be integrated in user.roles!
+  // ===================================================================================================================
 
-  // User must be signed in
-  USER = 'user',
+  // User must be the creator of the processed object(s) (see createdBy property of object(s))
+  S_CREATOR = 's_creator',
 }

package/src/core/common/helpers/db.helper.ts

@@ -4,6 +4,7 @@ import { Document, Model, PopulateOptions, Query, SchemaType, Types } from 'mong
 import { ResolveSelector } from '../interfaces/resolve-selector.interface';
 import { CoreModel } from '../models/core-model.model';
 import { FieldSelection } from '../types/field-selection.type';
+import { IdsType } from '../types/ids.type';
 import { StringOrObjectId } from '../types/string-or-object-id.type';
 
 // =====================================================================================================================
@@ -78,10 +79,65 @@ export function addIds(
   return result;
 }
 
+/**
+ * Checks if all IDs are equal
+ */
+export function equalIds(...ids: IdsType[]): boolean {
+  if (!ids) {
+    return false;
+  }
+  const compare = getStringIds(ids[0]);
+  if (!compare) {
+    return false;
+  }
+  return ids.every((id) => getStringIds(id) === compare);
+}
+
+/**
+ * Get included ids
+ * @param includes IdsType, which should be checked if it contains the ID
+ * @param ids IdsType, which should be included
+ * @param convert If set the result array will be converted to pure type String array or ObjectId array
+ * @return IdsType with IDs which are included, undefined if includes or ids are missing or null if none is included
+ */
+export function getIncludedIds(includes: IdsType, ids: IdsType, convert?: 'string'): string[];
+export function getIncludedIds(includes: IdsType, ids: IdsType, convert?: 'object'): Types.ObjectId[];
+export function getIncludedIds<T = IdsType>(
+  includes: IdsType,
+  ids: T | IdsType,
+  convert?: 'string' | 'object'
+): T[] | null | undefined {
+  if (!includes || !ids) {
+    return undefined;
+  }
+
+  if (!Array.isArray(includes)) {
+    includes = [includes];
+  }
+
+  if (!Array.isArray(ids)) {
+    ids = [ids];
+  }
+
+  let result = [];
+  const includesStrings = getStringIds(includes);
+  for (const id of ids) {
+    if (includesStrings.includes(getStringIds(id))) {
+      result.push(id);
+    }
+  }
+
+  if (convert) {
+    result = convert === 'string' ? getStringIds(result) : getObjectIds(result);
+  }
+
+  return result.length ? result : null;
+}
+
 /**
  * Get indexes of IDs in an array
  */
-export function getIndexesViaIds(ids: any | any[], array: any[]): number[] {
+export function getIndexesViaIds(ids: IdsType, array: IdsType): number[] {
   // Check and prepare parameters
   if (!ids) {
     return [];
@@ -97,7 +153,7 @@ export function getIndexesViaIds(ids: any | any[], array: any[]): number[] {
   const indexes: number[] = [];
   ids.forEach((id) => {
     array.forEach((element, index) => {
-      if (getStringIds(id) === getStringIds(element)) {
+      if (equalIds(id, element)) {
         indexes.push(index);
       }
     });
@@ -286,55 +342,6 @@ export function getJSONClone<T = any>(obj: T): Partial<T> {
   return JSON.parse(JSON.stringify(obj));
 }
 
-/**
- * Check if ID is included
- * @param includes String, ObjectId or array with both, which should be checked if it contains the ID
- * @param ids String, ObjectId or array with both, which should be included
- * @param convert If set the result array will be converted to pure type String array or ObjectId array
- * @return StringOrObjectId[] Array with IDs which are included or null if none is included
- */
-export function includesIds(
-  includes: StringOrObjectId | StringOrObjectId[],
-  ids: StringOrObjectId | StringOrObjectId[],
-  convert?: 'string'
-): string[];
-export function includesIds(
-  includes: StringOrObjectId | StringOrObjectId[],
-  ids: StringOrObjectId | StringOrObjectId[],
-  convert?: 'object'
-): Types.ObjectId[];
-export function includesIds<T = StringOrObjectId>(
-  includes: StringOrObjectId | StringOrObjectId[] | any | any[],
-  ids: T | StringOrObjectId[],
-  convert?: 'string' | 'object'
-): T[] | null {
-  if (!includes || !ids) {
-    return null;
-  }
-
-  if (!Array.isArray(includes)) {
-    includes = [includes];
-  }
-
-  if (!Array.isArray(ids)) {
-    ids = [ids] as any;
-  }
-
-  let result = [];
-  const includesStrings = getStringIds(includes);
-  for (const id of ids as StringOrObjectId[]) {
-    if (includesStrings.includes(getStringIds(id))) {
-      result.push(id);
-    }
-  }
-
-  if (convert) {
-    result = convert === 'string' ? getStringIds(result) : getObjectIds(result);
-  }
-
-  return result.length ? result : null;
-}
-
 /**
  * Convert all ObjectIds to strings
  */

package/src/core/common/helpers/input.helper.ts

@@ -3,9 +3,9 @@ import { plainToInstance } from 'class-transformer';
 import { validate } from 'class-validator';
 import * as _ from 'lodash';
 import { checkRestricted } from '../decorators/restricted.decorator';
+import { ProcessType } from '../enums/process-type.enum';
 import { RoleEnum } from '../enums/role.enum';
-import { IdsType } from '../types/ids.type';
-import { getStringIds } from './db.helper';
+import { equalIds } from './db.helper';
 
 /**
  * Helper class for inputs
@@ -18,7 +18,13 @@ export default class InputHelper {
   public static async check(
     value: any,
     user: { id: any; hasRole: (roles: string[]) => boolean },
-    options?: { metatype?: any; ownerIds?: IdsType; roles?: string | string[] }
+    options?: {
+      dbObject?: any;
+      metatype?: any;
+      processType?: ProcessType;
+      roles?: string | string[];
+      throwError?: boolean;
+    }
   ): Promise<any> {
     return check(value, user, options);
   }
@@ -182,7 +188,13 @@ export default class InputHelper {
 export async function check(
   value: any,
   user: { id: any; hasRole: (roles: string[]) => boolean },
-  options?: { metatype?: any; ownerIds?: IdsType; roles?: string | string[]; throwError?: boolean }
+  options?: {
+    dbObject?: any;
+    metatype?: any;
+    processType?: ProcessType;
+    roles?: string | string[];
+    throwError?: boolean;
+  }
 ): Promise<any> {
   const config = {
     throwError: true,
@@ -196,16 +208,15 @@ export async function check(
       roles = [roles];
     }
     let valid = false;
-    if (roles.includes(RoleEnum.USER) && user?.id) {
+    if (
+      // check if user is logged in
+      (roles.includes(RoleEnum.S_USER) && user?.id) ||
+      // check if the user has at least one of the required roles
+      user.hasRole(roles) ||
+      // check if the user is the creator
+      (roles.includes(RoleEnum.S_CREATOR) && equalIds(config.dbObject?.createdBy, user))
+    ) {
       valid = true;
-    } else if (user.hasRole(roles)) {
-      valid = true;
-    } else if (roles.includes(RoleEnum.OWNER) && user?.id && config.ownerIds) {
-      let ownerIds: string | string[] = getStringIds(config.ownerIds);
-      if (!Array.isArray(ownerIds)) {
-        ownerIds = [ownerIds];
-      }
-      valid = ownerIds.includes(getStringIds(user.id));
     }
     if (!valid) {
       throw new UnauthorizedException('Missing rights');

package/src/core/common/interfaces/service-options.interface.ts

@@ -1,6 +1,5 @@
-import { Model, Types } from 'mongoose';
+import { Model } from 'mongoose';
 import { FieldSelection } from '../types/field-selection.type';
-import { IdsType } from '../types/ids.type';
 
 /**
  * General service options
@@ -14,7 +13,7 @@ export interface ServiceOptions {
   // If truly (default): input data will be checked
   checkRights?: boolean;
 
-  // Current user to set ownership, check roles and other things
+  // Current user to set ownership, check rights and other things
   currentUser?: {
     [key: string]: any;
     id: string;
@@ -27,9 +26,6 @@ export interface ServiceOptions {
   // Overwrites type of input (array items)
   inputType?: new (...params: any[]) => any;
 
-  // Owner IDs
-  ownerIds?: IdsType;
-
   // Process field selection
   // If {} or not set, then the field selection runs with defaults
   // If falsy, then the field selection will not be automatically executed

package/src/core/common/models/core-persistence.model.ts

@@ -59,16 +59,6 @@ export abstract class CorePersistenceModel extends CoreModel {
   @Prop([String])
   labels: string[] = undefined;
 
-  /**
-   * IDs of the Owners
-   */
-  @Field((type) => [String], {
-    description: 'Users who own the object',
-    nullable: true,
-  })
-  @Prop([String])
-  ownerIds: string[] = undefined;
-
   /**
    * Tags for the object
    */
@@ -97,7 +87,6 @@ export abstract class CorePersistenceModel extends CoreModel {
     super.init();
     this.createdAt = this.createdAt === undefined ? new Date() : this.createdAt;
     this.labels = this.labels === undefined ? [] : this.labels;
-    this.ownerIds = this.ownerIds === undefined ? [] : this.ownerIds;
     this.tags = this.tags === undefined ? [] : this.tags;
     this.updatedAt = this.tags === undefined ? this.createdAt : this.updatedAt;
     return this;

package/src/core/common/services/module.service.ts

@@ -1,11 +1,11 @@
 import { Document, Model, Types } from 'mongoose';
+import { ProcessType } from '../enums/process-type.enum';
 import { getStringIds, popAndMap } from '../helpers/db.helper';
 import { check } from '../helpers/input.helper';
 import { prepareInput, prepareOutput } from '../helpers/service.helper';
 import { ServiceOptions } from '../interfaces/service-options.interface';
 import { CoreModel } from '../models/core-model.model';
 import { FieldSelection } from '../types/field-selection.type';
-import { IdsType } from '../types/ids.type';
 
 /**
  * Module service class to be extended by concrete module services
@@ -39,8 +39,9 @@ export abstract class ModuleService<T extends CoreModel = any> {
     input: any,
     currentUser: { id: any; hasRole: (roles: string[]) => boolean },
     options?: {
+      dbObject?: any;
       metatype?: any;
-      ownerIds?: IdsType;
+      processType?: ProcessType;
       roles?: string | string[];
       throwError?: boolean;
     }
@@ -86,24 +87,19 @@ export abstract class ModuleService<T extends CoreModel = any> {
       await this.prepareInput(config.input, config.prepareInput);
     }
 
-    // Get owner IDs
-    let ownerIds = undefined;
-    if (config.checkRights && this.checkRights) {
-      ownerIds = getStringIds(config.ownerIds);
-      if (!ownerIds?.length) {
-        if (config.dbObject) {
-          if (typeof config.dbObject === 'string' || config.dbObject instanceof Types.ObjectId) {
-            ownerIds = (await this.get(getStringIds(config.dbObject)))?.ownerIds;
-          } else {
-            ownerIds = config.dbObject.ownerIds;
-          }
+    // Get DB object
+    if (config.dbObject && config.checkRights && this.checkRights) {
+      if (typeof config.dbObject === 'string' || config.dbObject instanceof Types.ObjectId) {
+        const dbObject = await this.get(getStringIds(config.dbObject));
+        if (dbObject) {
+          config.dbObject = dbObject;
         }
       }
     }
 
     // Check rights for input
     if (config.input && config.checkRights && this.checkRights) {
-      const opts: any = { ownerIds, roles: config.roles };
+      const opts: any = { dbObject: config.dbObject, processType: ProcessType.INPUT, roles: config.roles };
       if (config.inputType) {
         opts.metatype = config.resultType;
       }
@@ -129,7 +125,12 @@ export abstract class ModuleService<T extends CoreModel = any> {
 
     // Check output rights
     if (config.checkRights && this.checkRights) {
-      const opts: any = { ownerIds, roles: config.roles, throwError: false };
+      const opts: any = {
+        dbObject: config.dbObject,
+        processType: ProcessType.OUTPUT,
+        roles: config.roles,
+        throwError: false,
+      };
       if (config.resultType) {
         opts.metatype = config.resultType;
       }

package/src/core/common/types/require-only-one.type.ts

@@ -0,0 +1,6 @@
+/**
+ * Require only one of the optional properties
+ * See https://stackoverflow.com/a/49725198
+ */
+export type RequireOnlyOne<T, Keys extends keyof T = keyof T> = Pick<T, Exclude<keyof T, Keys>> &
+  { [K in Keys]-?: Required<Pick<T, K>> & Partial<Record<Exclude<Keys, K>, undefined>> }[Keys];

package/src/core/common/types/required-at-least-one.type.ts

@@ -0,0 +1,6 @@
+/**
+ * Require at least on of optional properties
+ * See https://stackoverflow.com/a/49725198
+ */
+export type RequireAtLeastOne<T, Keys extends keyof T = keyof T> = Pick<T, Exclude<keyof T, Keys>> &
+  { [K in Keys]-?: Required<Pick<T, K>> & Partial<Pick<T, Exclude<Keys, K>>> }[Keys];

package/src/core/modules/auth/guards/roles.guard.ts

@@ -8,7 +8,8 @@ import { AuthGuard } from './auth.guard';
  * Role guard
  *
  * The RoleGuard is activated by the Role decorator. It checks whether the current user has at least one of the
- * specified roles. If this is not the case, an UnauthorizedException is thrown.
+ * specified roles or is logged in when the S_USER role is set.
+ * If this is not the case, an UnauthorizedException is thrown.
  */
 @Injectable()
 export class RolesGuard extends AuthGuard('jwt') {
@@ -41,11 +42,8 @@ export class RolesGuard extends AuthGuard('jwt') {
       // Get args
       const args: any = GqlExecutionContext.create(context).getArgs();
 
-      // Check special role for user or owner
-      if (
-        user &&
-        (roles.includes(RoleEnum.USER) || (roles.includes(RoleEnum.OWNER) && user.id.toString() === args.id))
-      ) {
+      // Check special user role (user is logged in)
+      if (user && roles.includes(RoleEnum.S_USER)) {
         return user;
       }