@lenne.tech/nest-server 8.3.0 → 8.5.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lenne.tech/nest-server",
-  "version": "8.3.0",
+  "version": "8.5.0",
   "description": "Modern, fast, powerful Node.js web framework in TypeScript based on Nest with a GraphQL API and a connection to MongoDB (or other databases).",
   "keywords": [
     "node",
@@ -61,8 +61,8 @@
     "@nestjs/mongoose": "9.0.3",
     "@nestjs/passport": "8.2.1",
     "@nestjs/platform-express": "8.4.4",
-    "apollo-server-core": "3.6.8",
-    "apollo-server-express": "3.6.8",
+    "apollo-server-core": "3.7.0",
+    "apollo-server-express": "3.7.0",
     "bcrypt": "5.0.1",
     "class-transformer": "0.5.1",
     "class-validator": "0.13.2",
@@ -98,7 +98,7 @@
     "@typescript-eslint/eslint-plugin": "5.22.0",
     "@typescript-eslint/parser": "5.22.0",
     "coffeescript": "2.7.0",
-    "eslint": "8.14.0",
+    "eslint": "8.15.0",
     "eslint-config-prettier": "8.5.0",
     "find-file-up": "2.0.1",
     "grunt": "1.5.2",
@@ -107,7 +107,7 @@
     "grunt-contrib-watch": "1.1.0",
     "grunt-sync": "0.8.2",
     "husky": "7.0.4",
-    "jest": "28.0.3",
+    "jest": "28.1.0",
     "pm2": "5.2.0",
     "prettier": "2.6.2",
     "pretty-quick": "3.1.3",

package/src/core/common/decorators/restricted.decorator.ts

@@ -1,47 +1,73 @@
 import 'reflect-metadata';
 import { UnauthorizedException } from '@nestjs/common';
+import { ProcessType } from '../enums/process-type.enum';
 import { RoleEnum } from '../enums/role.enum';
-import { equalIds, getStringIds } from '../helpers/db.helper';
-import { IdsType } from '../types/ids.type';
+import { getIncludedIds } from '../helpers/db.helper';
+import { RequireAtLeastOne } from '../types/required-at-least-one.type';
 
 /**
  * Restricted meta key
  */
 const restrictedMetaKey = Symbol('restricted');
 
+/**
+ * Restricted type
+ */
+export type RestrictedType = (
+  | string
+  | RequireAtLeastOne<
+      { memberOf?: string | string[]; roles?: string | string[]; processType?: ProcessType },
+      'memberOf' | 'roles'
+    >
+)[];
+
 /**
  * Decorator for restricted properties
  *
- * If the decorator is used it will be checked if the current user has one of the included roles.
- * If this is not the case, the property is removed from the return object.
+ * The restricted decorator can include roles as strings or object with property `roles`
+ * and memberships as objects with property `memberOf`.
  *
- * Activation of the CheckResponseInterceptor is necessary for use.
+ * Roles:
+ *    If one or more Role(Enum)s are set, the user must have at least one of it in his `role` property.
+ *
+ * Memberships:
+ *    If one or more membership objects are set, the ID of the user must be included in one of the
+ *    properties of the processed item, which is specified by the value of `memberOf`
+ *    Via processType the restriction can be set for input or output only
  */
-export const Restricted = (...roles: string[]): PropertyDecorator => {
-  return Reflect.metadata(restrictedMetaKey, roles);
+export const Restricted = (...rolesOrMember: RestrictedType): ClassDecorator & PropertyDecorator => {
+  return Reflect.metadata(restrictedMetaKey, rolesOrMember);
 };
 
 /**
- * Get restricted
+ * Get restricted data for (property of) object
  */
-export const getRestricted = (object: unknown, propertyKey: string) => {
+export const getRestricted = (object: unknown, propertyKey?: string): RestrictedType => {
+  if (!propertyKey) {
+    return Reflect.getMetadata(restrictedMetaKey, object);
+  }
   return Reflect.getMetadata(restrictedMetaKey, object, propertyKey);
 };
 
 /**
  * Check data for restricted properties (properties with `Restricted` decorator)
- *
- * If restricted roles includes RoleEnum.S_CREATOR, `creator` (createdBy) from current (DB) data must be set in options
- * If restricted roles includes RoleEnum.S_OWNER, `ownerIds` from current (DB) data must be set in options
+ * For special Roles and member of group checking the dbObject must be set in options
  */
 export const checkRestricted = (
   data: any,
   user: { id: any; hasRole: (roles: string[]) => boolean },
-  options: { creator?: IdsType; ignoreUndefined?: boolean; ownerIds?: IdsType; throwError?: boolean } = {},
+  options: {
+    dbObject?: any;
+    ignoreUndefined?: boolean;
+    processType?: ProcessType;
+    removeUndefinedFromResultArray?: boolean;
+    throwError?: boolean;
+  } = {},
   processedObjects: any[] = []
 ) => {
   const config = {
     ignoreUndefined: true,
+    removeUndefinedFromResultArray: true,
     throwError: true,
     ...options,
   };
@@ -60,60 +86,131 @@ export const checkRestricted = (
   // Array
   if (Array.isArray(data)) {
     // Check array items
-    return data.map((item) => checkRestricted(item, user, config, processedObjects));
+    let result = data.map((item) => checkRestricted(item, user, config, processedObjects));
+    if (!config.throwError && config.removeUndefinedFromResultArray) {
+      result = result.filter((item) => item !== undefined);
+    }
+    return result;
   }
 
-  // Object
-  for (const propertyKey of Object.keys(data)) {
-    // Check undefined
-    if (data[propertyKey] === undefined && config.ignoreUndefined) {
-      continue;
-    }
+  // Check function
+  const validateRestricted = (restricted) => {
+    let valid = true;
+    if (restricted?.length) {
+      valid = false;
 
-    // Get roles
-    const roles = getRestricted(data, propertyKey);
+      // Get roles
+      const roles: string[] = [];
+      restricted.forEach((item) => {
+        if (typeof item === 'string') {
+          roles.push(item);
+        } else if (
+          item?.roles?.length &&
+          (config.processType && item.processType ? config.processType === item.processType : true)
+        ) {
+          if (Array.isArray(item.roles)) {
+            roles.push(...item.roles);
+          } else {
+            roles.push(item.roles);
+          }
+        }
+      });
 
-    // If roles are specified
-    if (roles && roles.some((value) => !!value)) {
-      // Check user and user roles
-      if (!user || !user.hasRole(roles)) {
-        // Check special creator role
-        if (user?.id && roles.includes(RoleEnum.S_CREATOR) && equalIds(user.id, config.creator)) {
-          continue;
+      // Check roles
+      if (roles.length) {
+        // Check roles
+        if (
+          user?.hasRole(roles) ||
+          (user?.id && roles.includes(RoleEnum.S_USER)) ||
+          (roles.includes(RoleEnum.S_CREATOR) && getIncludedIds(config.dbObject?.createdBy, user))
+        ) {
+          valid = true;
         }
+      }
 
-        // Check special owner role
-        else if (user && roles.includes(RoleEnum.S_OWNER)) {
-          const userId = getStringIds(user);
-          const ownerIds = config.ownerIds ? getStringIds(config.ownerIds) : null;
-
-          if (
-            // No owner IDs
-            !ownerIds ||
-            // User is not the owner
-            !(ownerIds === userId || (Array.isArray(ownerIds) && ownerIds.includes(userId)))
-          ) {
-            // The user does not have the required rights and is not the owner
-            if (config.throwError) {
-              if (!config.ownerIds) {
-                throw new UnauthorizedException('Lack of ownerIds to verify ownership of ' + propertyKey);
+      if (!valid) {
+        // Get groups
+        const groups = restricted.filter((item) => {
+          return (
+            typeof item === 'object' &&
+            // Check if object is valid
+            item.memberOf.length &&
+            // Check if processType is specified and is valid for current process
+            (config.processType && item.processType ? config.processType === item.processType : true)
+          );
+        }) as { memberOf: string | string[] }[];
+
+        // Check groups
+        if (groups.length) {
+          // Get members from groups
+          const members = [];
+          for (const group of groups) {
+            let properties: string[] = group.memberOf as string[];
+            if (!Array.isArray(group.memberOf)) {
+              properties = [group.memberOf];
+            }
+            for (const property of properties) {
+              const items = config.dbObject?.[property];
+              if (items) {
+                if (Array.isArray(items)) {
+                  members.concat(items);
+                } else {
+                  members.push(items);
+                }
               }
-              throw new UnauthorizedException('Current user is not allowed to set ' + propertyKey);
             }
-            continue;
           }
-        } else {
-          // The user does not have the required rights
-          if (config.throwError) {
-            throw new UnauthorizedException('Current user is not allowed to set ' + propertyKey);
+
+          // Check if user is a member
+          if (getIncludedIds(members, user)) {
+            valid = true;
           }
-          continue;
+        }
+
+        // Check if there are no limitations
+        if (!roles.length && !groups.length) {
+          valid = true;
         }
       }
     }
+    return valid;
+  };
 
-    // Check property data
-    data[propertyKey] = checkRestricted(data[propertyKey], user, config, processedObjects);
+  // Check object
+  const objectRestrictions = getRestricted(data.constructor);
+  const objectIsValid = validateRestricted(objectRestrictions);
+  if (!objectIsValid) {
+    // Throw error
+    if (config.throwError) {
+      throw new UnauthorizedException('The current user has no access rights for ' + data.constructor?.name);
+    }
+    return null;
+  }
+
+  // Check properties of object
+  for (const propertyKey of Object.keys(data)) {
+    // Check undefined
+    if (data[propertyKey] === undefined && config.ignoreUndefined) {
+      continue;
+    }
+
+    // Check restricted
+    const restricted = getRestricted(data, propertyKey);
+    const valid = validateRestricted(restricted);
+
+    // Check rights
+    if (valid) {
+      // Check deep
+      data[propertyKey] = checkRestricted(data[propertyKey], user, config, processedObjects);
+    } else {
+      // Throw error
+      if (config.throwError) {
+        throw new UnauthorizedException('The current user has no access rights for ' + propertyKey);
+      }
+
+      // Remove property
+      delete data[propertyKey];
+    }
   }
 
   // Return processed data

package/src/core/common/enums/process-type.enum.ts

@@ -0,0 +1,7 @@
+/**
+ * Current process type for data input or data output
+ */
+export enum ProcessType {
+  INPUT = 'input',
+  OUTPUT = 'output',
+}

package/src/core/common/enums/role.enum.ts

@@ -1,31 +1,28 @@
 /**
- * Enums for role decorator
+ * Enums for Resolver @Role and Model @Restricted decorator and for roles property in ServiceOptions
  */
 export enum RoleEnum {
   // ===================================================================================================================
-  // Real roles (integrated into user.roles), which can be used via @Roles for Models (properties)
-  // and Resolvers (methods)
+  // Real roles (integrated into user.roles), which can be used via @Restricted for Models (properties),
+  // via @Roles for Resolvers (methods) and via ServiceOptions for Resolver methods.
   // ===================================================================================================================
 
   // User must be an administrator (see roles of user)
   ADMIN = 'admin',
 
   // ===================================================================================================================
-  // Special system roles, which can be used via @Roles for Models (properties) and Resolvers (methods)
+  // Special system roles, which can be used via @Restricted for Models (properties), via @Roles for Resolvers (methods)
   // and via ServiceOptions for Resolver methods. This roles should not be integrated into user.roles!
   // ===================================================================================================================
 
-  // User must be signed in (see context user, e.g. @GraphQLUser)
+  // User must be logged in (see context user, e.g. @GraphQLUser)
   S_USER = 's_user',
 
   // ===================================================================================================================
-  // Special system roles that check rights for DB objects and can be used via @Roles for Models (properties)
+  // Special system roles that check rights for DB objects and can be used via @Restricted for Models (properties)
   // and via ServiceOptions for Resolver methods. These roles should not be integrated in user.roles!
   // ===================================================================================================================
 
   // User must be the creator of the processed object(s) (see createdBy property of object(s))
   S_CREATOR = 's_creator',
-
-  // User must be an owner of the processed object(s) (see owners property of object(s))
-  S_OWNER = 's_owner',
 }

package/src/core/common/helpers/db.helper.ts

@@ -84,7 +84,7 @@ export function addIds(
  */
 export function equalIds(...ids: IdsType[]): boolean {
   if (!ids) {
-    return true;
+    return false;
   }
   const compare = getStringIds(ids[0]);
   if (!compare) {
@@ -93,10 +93,51 @@ export function equalIds(...ids: IdsType[]): boolean {
   return ids.every((id) => getStringIds(id) === compare);
 }
 
+/**
+ * Get included ids
+ * @param includes IdsType, which should be checked if it contains the ID
+ * @param ids IdsType, which should be included
+ * @param convert If set the result array will be converted to pure type String array or ObjectId array
+ * @return IdsType with IDs which are included, undefined if includes or ids are missing or null if none is included
+ */
+export function getIncludedIds(includes: IdsType, ids: IdsType, convert?: 'string'): string[];
+export function getIncludedIds(includes: IdsType, ids: IdsType, convert?: 'object'): Types.ObjectId[];
+export function getIncludedIds<T = IdsType>(
+  includes: IdsType,
+  ids: T | IdsType,
+  convert?: 'string' | 'object'
+): T[] | null | undefined {
+  if (!includes || !ids) {
+    return undefined;
+  }
+
+  if (!Array.isArray(includes)) {
+    includes = [includes];
+  }
+
+  if (!Array.isArray(ids)) {
+    ids = [ids];
+  }
+
+  let result = [];
+  const includesStrings = getStringIds(includes);
+  for (const id of ids) {
+    if (includesStrings.includes(getStringIds(id))) {
+      result.push(id);
+    }
+  }
+
+  if (convert) {
+    result = convert === 'string' ? getStringIds(result) : getObjectIds(result);
+  }
+
+  return result.length ? result : null;
+}
+
 /**
  * Get indexes of IDs in an array
  */
-export function getIndexesViaIds(ids: any | any[], array: any[]): number[] {
+export function getIndexesViaIds(ids: IdsType, array: IdsType): number[] {
   // Check and prepare parameters
   if (!ids) {
     return [];
@@ -301,55 +342,6 @@ export function getJSONClone<T = any>(obj: T): Partial<T> {
   return JSON.parse(JSON.stringify(obj));
 }
 
-/**
- * Check if ID is included
- * @param includes String, ObjectId or array with both, which should be checked if it contains the ID
- * @param ids String, ObjectId or array with both, which should be included
- * @param convert If set the result array will be converted to pure type String array or ObjectId array
- * @return StringOrObjectId[] Array with IDs which are included or null if none is included
- */
-export function includesIds(
-  includes: StringOrObjectId | StringOrObjectId[],
-  ids: StringOrObjectId | StringOrObjectId[],
-  convert?: 'string'
-): string[];
-export function includesIds(
-  includes: StringOrObjectId | StringOrObjectId[],
-  ids: StringOrObjectId | StringOrObjectId[],
-  convert?: 'object'
-): Types.ObjectId[];
-export function includesIds<T = StringOrObjectId>(
-  includes: StringOrObjectId | StringOrObjectId[] | any | any[],
-  ids: T | StringOrObjectId[],
-  convert?: 'string' | 'object'
-): T[] | null {
-  if (!includes || !ids) {
-    return null;
-  }
-
-  if (!Array.isArray(includes)) {
-    includes = [includes];
-  }
-
-  if (!Array.isArray(ids)) {
-    ids = [ids] as any;
-  }
-
-  let result = [];
-  const includesStrings = getStringIds(includes);
-  for (const id of ids as StringOrObjectId[]) {
-    if (includesStrings.includes(getStringIds(id))) {
-      result.push(id);
-    }
-  }
-
-  if (convert) {
-    result = convert === 'string' ? getStringIds(result) : getObjectIds(result);
-  }
-
-  return result.length ? result : null;
-}
-
 /**
  * Convert all ObjectIds to strings
  */

package/src/core/common/helpers/input.helper.ts

@@ -3,9 +3,9 @@ import { plainToInstance } from 'class-transformer';
 import { validate } from 'class-validator';
 import * as _ from 'lodash';
 import { checkRestricted } from '../decorators/restricted.decorator';
+import { ProcessType } from '../enums/process-type.enum';
 import { RoleEnum } from '../enums/role.enum';
-import { IdsType } from '../types/ids.type';
-import { equalIds, getStringIds } from './db.helper';
+import { equalIds } from './db.helper';
 
 /**
  * Helper class for inputs
@@ -18,7 +18,13 @@ export default class InputHelper {
   public static async check(
     value: any,
     user: { id: any; hasRole: (roles: string[]) => boolean },
-    options?: { creator?: IdsType; metatype?: any; ownerIds?: IdsType; roles?: string | string[] }
+    options?: {
+      dbObject?: any;
+      metatype?: any;
+      processType?: ProcessType;
+      roles?: string | string[];
+      throwError?: boolean;
+    }
   ): Promise<any> {
     return check(value, user, options);
   }
@@ -182,7 +188,13 @@ export default class InputHelper {
 export async function check(
   value: any,
   user: { id: any; hasRole: (roles: string[]) => boolean },
-  options?: { creator?: IdsType; metatype?: any; ownerIds?: IdsType; roles?: string | string[]; throwError?: boolean }
+  options?: {
+    dbObject?: any;
+    metatype?: any;
+    processType?: ProcessType;
+    roles?: string | string[];
+    throwError?: boolean;
+  }
 ): Promise<any> {
   const config = {
     throwError: true,
@@ -196,18 +208,15 @@ export async function check(
       roles = [roles];
     }
     let valid = false;
-    if (roles.includes(RoleEnum.S_USER) && user?.id) {
-      valid = true;
-    } else if (user.hasRole(roles)) {
+    if (
+      // check if user is logged in
+      (roles.includes(RoleEnum.S_USER) && user?.id) ||
+      // check if the user has at least one of the required roles
+      user.hasRole(roles) ||
+      // check if the user is the creator
+      (roles.includes(RoleEnum.S_CREATOR) && equalIds(config.dbObject?.createdBy, user))
+    ) {
       valid = true;
-    } else if (roles.includes(RoleEnum.S_CREATOR) && user?.id && equalIds(user.id, config.creator)) {
-      valid = true;
-    } else if (roles.includes(RoleEnum.S_OWNER) && user?.id && config.ownerIds) {
-      let ownerIds: string | string[] = getStringIds(config.ownerIds);
-      if (!Array.isArray(ownerIds)) {
-        ownerIds = [ownerIds];
-      }
-      valid = ownerIds.includes(getStringIds(user.id));
     }
     if (!valid) {
       throw new UnauthorizedException('Missing rights');

package/src/core/common/helpers/service.helper.ts

@@ -1,5 +1,6 @@
 import { UnauthorizedException } from '@nestjs/common';
 import * as bcrypt from 'bcrypt';
+import { plainToInstance } from 'class-transformer';
 import * as _ from 'lodash';
 import { RoleEnum } from '../enums/role.enum';
 
@@ -54,6 +55,7 @@ export async function prepareInput<T = any>(
     clone?: boolean;
     getNewArray?: boolean;
     removeUndefined?: boolean;
+    targetModel?: new (...args: any[]) => T;
   } = {}
 ): Promise<T> {
   // Configuration
@@ -86,6 +88,15 @@ export async function prepareInput<T = any>(
     }
   }
 
+  // Map input if target model exist
+  if (config.targetModel && !(input instanceof config.targetModel)) {
+    if ((config.targetModel as any)?.map) {
+      input = await (config.targetModel as any).map(input);
+    } else {
+      input = plainToInstance(config.targetModel, input);
+    }
+  }
+
   // Remove undefined properties to avoid unwanted overwrites
   if (config.removeUndefined) {
     Object.keys(input).forEach((key) => input[key] === undefined && delete input[key]);
@@ -171,8 +182,12 @@ export async function prepareOutput<T = { [key: string]: any; map: (...args: any
   }
 
   // Map output if target model exist
-  if (config.targetModel) {
-    output = await (config.targetModel as any).map(output);
+  if (config.targetModel && !(output instanceof config.targetModel)) {
+    if ((config.targetModel as any)?.map) {
+      output = await (config.targetModel as any).map(output);
+    } else {
+      output = plainToInstance(config.targetModel, output);
+    }
   }
 
   // Remove password if exists

package/src/core/common/interfaces/service-options.interface.ts

@@ -1,6 +1,5 @@
-import { Model, Types } from 'mongoose';
+import { Model } from 'mongoose';
 import { FieldSelection } from '../types/field-selection.type';
-import { IdsType } from '../types/ids.type';
 
 /**
  * General service options
@@ -14,7 +13,7 @@ export interface ServiceOptions {
   // If truly (default): input data will be checked
   checkRights?: boolean;
 
-  // Current user to set ownership, check roles and other things
+  // Current user to set ownership, check rights and other things
   currentUser?: {
     [key: string]: any;
     id: string;
@@ -27,8 +26,8 @@ export interface ServiceOptions {
   // Overwrites type of input (array items)
   inputType?: new (...params: any[]) => any;
 
-  // Owner IDs
-  ownerIds?: IdsType;
+  // Overwrites type of output (array items)
+  outputType?: new (...params: any[]) => any;
 
   // Process field selection
   // If {} or not set, then the field selection runs with defaults
@@ -63,9 +62,6 @@ export interface ServiceOptions {
   // Whether to publish action via GraphQL subscription
   pubSub?: boolean;
 
-  // Overwrites type of result (array items)
-  resultType?: new (...params: any[]) => any;
-
   // Roles (as string) to check
   roles?: string | string[];
 }

package/src/core/common/models/core-persistence.model.ts

@@ -59,16 +59,6 @@ export abstract class CorePersistenceModel extends CoreModel {
   @Prop([String])
   labels: string[] = undefined;
 
-  /**
-   * IDs of the Owners
-   */
-  @Field((type) => [String], {
-    description: 'Users who own the object',
-    nullable: true,
-  })
-  @Prop([String])
-  ownerIds: string[] = undefined;
-
   /**
    * Tags for the object
    */
@@ -97,7 +87,6 @@ export abstract class CorePersistenceModel extends CoreModel {
     super.init();
     this.createdAt = this.createdAt === undefined ? new Date() : this.createdAt;
     this.labels = this.labels === undefined ? [] : this.labels;
-    this.ownerIds = this.ownerIds === undefined ? [] : this.ownerIds;
     this.tags = this.tags === undefined ? [] : this.tags;
     this.updatedAt = this.tags === undefined ? this.createdAt : this.updatedAt;
     return this;