@lenne.tech/nest-server 8.3.1 → 8.4.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lenne.tech/nest-server",
-  "version": "8.3.1",
+  "version": "8.4.0",
   "description": "Modern, fast, powerful Node.js web framework in TypeScript based on Nest with a GraphQL API and a connection to MongoDB (or other databases).",
   "keywords": [
     "node",
@@ -98,7 +98,7 @@
     "@typescript-eslint/eslint-plugin": "5.22.0",
     "@typescript-eslint/parser": "5.22.0",
     "coffeescript": "2.7.0",
-    "eslint": "8.14.0",
+    "eslint": "8.15.0",
     "eslint-config-prettier": "8.5.0",
     "find-file-up": "2.0.1",
     "grunt": "1.5.2",
@@ -107,7 +107,7 @@
     "grunt-contrib-watch": "1.1.0",
     "grunt-sync": "0.8.2",
     "husky": "7.0.4",
-    "jest": "28.0.3",
+    "jest": "28.1.0",
     "pm2": "5.2.0",
     "prettier": "2.6.2",
     "pretty-quick": "3.1.3",

package/src/core/common/decorators/restricted.decorator.ts

@@ -1,43 +1,55 @@
 import 'reflect-metadata';
 import { UnauthorizedException } from '@nestjs/common';
+import { ProcessType } from '../enums/process-type.enum';
 import { RoleEnum } from '../enums/role.enum';
-import { equalIds, getStringIds } from '../helpers/db.helper';
-import { IdsType } from '../types/ids.type';
+import { getIncludedIds } from '../helpers/db.helper';
+import { RequireAtLeastOne } from '../types/required-at-least-one.type';
 
 /**
  * Restricted meta key
  */
 const restrictedMetaKey = Symbol('restricted');
+export type RestrictedType = (
+  | string
+  | RequireAtLeastOne<
+      { memberOf?: string | string[]; roles?: string | string[]; processType?: ProcessType },
+      'memberOf' | 'roles'
+    >
+)[];
 
 /**
  * Decorator for restricted properties
  *
- * If the decorator is used it will be checked if the current user has one of the included roles.
- * If this is not the case, the property is removed from the return object.
+ * The restricted decorator can include roles as strings or object with property `roles`
+ * and memberships as objects with property `memberOf`.
  *
- * Activation of the CheckResponseInterceptor is necessary for use.
+ * Roles:
+ *    If one or more Role(Enum)s are set, the user must have at least one of it in his `role` property.
+ *
+ * Memberships:
+ *    If one or more membership objects are set, the ID of the user must be included in one of the
+ *    properties of the processed item, which is specified by the value of `memberOf`
+ *    Via processType the restriction can be set for input or output only
  */
-export const Restricted = (...roles: string[]): PropertyDecorator => {
-  return Reflect.metadata(restrictedMetaKey, roles);
+export const Restricted = (...rolesOrMember: RestrictedType): PropertyDecorator => {
+  return Reflect.metadata(restrictedMetaKey, rolesOrMember);
 };
 
 /**
  * Get restricted
  */
-export const getRestricted = (object: unknown, propertyKey: string) => {
+export const getRestricted = (object: unknown, propertyKey: string): RestrictedType => {
   return Reflect.getMetadata(restrictedMetaKey, object, propertyKey);
 };
 
 /**
  * Check data for restricted properties (properties with `Restricted` decorator)
- *
- * If restricted roles includes RoleEnum.S_CREATOR, `creator` (createdBy) from current (DB) data must be set in options
- * If restricted roles includes RoleEnum.S_OWNER, `ownerIds` from current (DB) data must be set in options
+ * For special Roles and member of group checking the dbObject must be set in options
  */
 export const checkRestricted = (
   data: any,
   user: { id: any; hasRole: (roles: string[]) => boolean },
-  options: { creator?: IdsType; ignoreUndefined?: boolean; ownerIds?: IdsType; throwError?: boolean } = {},
+  options: { dbObject?: any; ignoreUndefined?: boolean; processType?: ProcessType; throwError?: boolean } = {},
   processedObjects: any[] = []
 ) => {
   const config = {
@@ -70,50 +82,99 @@ export const checkRestricted = (
       continue;
     }
 
-    // Get roles
-    const roles = getRestricted(data, propertyKey);
+    // Check restricted
+    const restricted = getRestricted(data, propertyKey);
+    let valid = true;
+    if (restricted?.length) {
+      valid = false;
 
-    // If roles are specified
-    if (roles && roles.some((value) => !!value)) {
-      // Check user and user roles
-      if (!user || !user.hasRole(roles)) {
-        // Check special creator role
-        if (user?.id && roles.includes(RoleEnum.S_CREATOR) && equalIds(user.id, config.creator)) {
-          continue;
+      // Get roles
+      const roles: string[] = [];
+      restricted.forEach((item) => {
+        if (typeof item === 'string') {
+          roles.push(item);
+        } else if (
+          item?.roles?.length &&
+          (config.processType && item.processType ? config.processType === item.processType : true)
+        ) {
+          if (Array.isArray(item.roles)) {
+            roles.push(...item.roles);
+          } else {
+            roles.push(item.roles);
+          }
         }
+      });
+
+      // Check roles
+      if (roles.length) {
+        // Check roles
+        if (
+          user?.hasRole(roles) ||
+          (roles.includes(RoleEnum.S_CREATOR) && getIncludedIds(config.dbObject?.createdBy, user))
+        ) {
+          valid = true;
+        }
+      }
+
+      if (!valid) {
+        // Get groups
+        const groups = restricted.filter((item) => {
+          return (
+            typeof item === 'object' &&
+            // Check if object is valid
+            item.memberOf.length &&
+            // Check if processType is specified and is valid for current process
+            (config.processType && item.processType ? config.processType === item.processType : true)
+          );
+        }) as { memberOf: string | string[] }[];
 
-        // Check special owner role
-        else if (user && roles.includes(RoleEnum.S_OWNER)) {
-          const userId = getStringIds(user);
-          const ownerIds = config.ownerIds ? getStringIds(config.ownerIds) : null;
-
-          if (
-            // No owner IDs
-            !ownerIds ||
-            // User is not the owner
-            !(ownerIds === userId || (Array.isArray(ownerIds) && ownerIds.includes(userId)))
-          ) {
-            // The user does not have the required rights and is not the owner
-            if (config.throwError) {
-              if (!config.ownerIds) {
-                throw new UnauthorizedException('Lack of ownerIds to verify ownership of ' + propertyKey);
+        // Check groups
+        if (groups.length) {
+          // Get members from groups
+          const members = [];
+          for (const group of groups) {
+            let properties: string[] = group.memberOf as string[];
+            if (!Array.isArray(group.memberOf)) {
+              properties = [group.memberOf];
+            }
+            for (const property of properties) {
+              const items = config.dbObject?.[property];
+              if (items) {
+                if (Array.isArray(items)) {
+                  members.concat(items);
+                } else {
+                  members.push(items);
+                }
               }
-              throw new UnauthorizedException('Current user is not allowed to set ' + propertyKey);
             }
-            continue;
           }
-        } else {
-          // The user does not have the required rights
-          if (config.throwError) {
-            throw new UnauthorizedException('Current user is not allowed to set ' + propertyKey);
+
+          // Check if user is a member
+          if (getIncludedIds(members, user)) {
+            valid = true;
           }
-          continue;
+        }
+
+        // Check if there are no limitations
+        if (!roles.length && !groups.length) {
+          valid = true;
         }
       }
     }
 
-    // Check property data
-    data[propertyKey] = checkRestricted(data[propertyKey], user, config, processedObjects);
+    // Check rights
+    if (valid) {
+      // Check deep
+      data[propertyKey] = checkRestricted(data[propertyKey], user, config, processedObjects);
+    } else {
+      // Throw error
+      if (config.throwError) {
+        throw new UnauthorizedException('The current user has no access rights for ' + propertyKey);
+      }
+
+      // Remove property
+      delete data[propertyKey];
+    }
   }
 
   // Return processed data

package/src/core/common/enums/process-type.enum.ts

@@ -0,0 +1,7 @@
+/**
+ * Current process type for data input or data output
+ */
+export enum ProcessType {
+  INPUT = 'input',
+  OUTPUT = 'output',
+}

package/src/core/common/enums/role.enum.ts

@@ -15,7 +15,7 @@ export enum RoleEnum {
   // and via ServiceOptions for Resolver methods. This roles should not be integrated into user.roles!
   // ===================================================================================================================
 
-  // User must be signed in (see context user, e.g. @GraphQLUser)
+  // User must be logged in (see context user, e.g. @GraphQLUser)
   S_USER = 's_user',
 
   // ===================================================================================================================
@@ -25,7 +25,4 @@ export enum RoleEnum {
 
   // User must be the creator of the processed object(s) (see createdBy property of object(s))
   S_CREATOR = 's_creator',
-
-  // User must be an owner of the processed object(s) (see owners property of object(s))
-  S_OWNER = 's_owner',
 }

package/src/core/common/helpers/db.helper.ts

@@ -84,7 +84,7 @@ export function addIds(
  */
 export function equalIds(...ids: IdsType[]): boolean {
   if (!ids) {
-    return true;
+    return false;
   }
   const compare = getStringIds(ids[0]);
   if (!compare) {
@@ -93,10 +93,51 @@ export function equalIds(...ids: IdsType[]): boolean {
   return ids.every((id) => getStringIds(id) === compare);
 }
 
+/**
+ * Get included ids
+ * @param includes IdsType, which should be checked if it contains the ID
+ * @param ids IdsType, which should be included
+ * @param convert If set the result array will be converted to pure type String array or ObjectId array
+ * @return IdsType with IDs which are included, undefined if includes or ids are missing or null if none is included
+ */
+export function getIncludedIds(includes: IdsType, ids: IdsType, convert?: 'string'): string[];
+export function getIncludedIds(includes: IdsType, ids: IdsType, convert?: 'object'): Types.ObjectId[];
+export function getIncludedIds<T = IdsType>(
+  includes: IdsType,
+  ids: T | IdsType,
+  convert?: 'string' | 'object'
+): T[] | null | undefined {
+  if (!includes || !ids) {
+    return undefined;
+  }
+
+  if (!Array.isArray(includes)) {
+    includes = [includes];
+  }
+
+  if (!Array.isArray(ids)) {
+    ids = [ids];
+  }
+
+  let result = [];
+  const includesStrings = getStringIds(includes);
+  for (const id of ids) {
+    if (includesStrings.includes(getStringIds(id))) {
+      result.push(id);
+    }
+  }
+
+  if (convert) {
+    result = convert === 'string' ? getStringIds(result) : getObjectIds(result);
+  }
+
+  return result.length ? result : null;
+}
+
 /**
  * Get indexes of IDs in an array
  */
-export function getIndexesViaIds(ids: any | any[], array: any[]): number[] {
+export function getIndexesViaIds(ids: IdsType, array: IdsType): number[] {
   // Check and prepare parameters
   if (!ids) {
     return [];
@@ -301,55 +342,6 @@ export function getJSONClone<T = any>(obj: T): Partial<T> {
   return JSON.parse(JSON.stringify(obj));
 }
 
-/**
- * Check if ID is included
- * @param includes String, ObjectId or array with both, which should be checked if it contains the ID
- * @param ids String, ObjectId or array with both, which should be included
- * @param convert If set the result array will be converted to pure type String array or ObjectId array
- * @return StringOrObjectId[] Array with IDs which are included or null if none is included
- */
-export function includesIds(
-  includes: StringOrObjectId | StringOrObjectId[],
-  ids: StringOrObjectId | StringOrObjectId[],
-  convert?: 'string'
-): string[];
-export function includesIds(
-  includes: StringOrObjectId | StringOrObjectId[],
-  ids: StringOrObjectId | StringOrObjectId[],
-  convert?: 'object'
-): Types.ObjectId[];
-export function includesIds<T = StringOrObjectId>(
-  includes: StringOrObjectId | StringOrObjectId[] | any | any[],
-  ids: T | StringOrObjectId[],
-  convert?: 'string' | 'object'
-): T[] | null {
-  if (!includes || !ids) {
-    return null;
-  }
-
-  if (!Array.isArray(includes)) {
-    includes = [includes];
-  }
-
-  if (!Array.isArray(ids)) {
-    ids = [ids] as any;
-  }
-
-  let result = [];
-  const includesStrings = getStringIds(includes);
-  for (const id of ids as StringOrObjectId[]) {
-    if (includesStrings.includes(getStringIds(id))) {
-      result.push(id);
-    }
-  }
-
-  if (convert) {
-    result = convert === 'string' ? getStringIds(result) : getObjectIds(result);
-  }
-
-  return result.length ? result : null;
-}
-
 /**
  * Convert all ObjectIds to strings
  */

package/src/core/common/helpers/input.helper.ts

@@ -3,9 +3,9 @@ import { plainToInstance } from 'class-transformer';
 import { validate } from 'class-validator';
 import * as _ from 'lodash';
 import { checkRestricted } from '../decorators/restricted.decorator';
+import { ProcessType } from '../enums/process-type.enum';
 import { RoleEnum } from '../enums/role.enum';
-import { IdsType } from '../types/ids.type';
-import { equalIds, getStringIds } from './db.helper';
+import { equalIds } from './db.helper';
 
 /**
  * Helper class for inputs
@@ -18,7 +18,13 @@ export default class InputHelper {
   public static async check(
     value: any,
     user: { id: any; hasRole: (roles: string[]) => boolean },
-    options?: { creator?: IdsType; metatype?: any; ownerIds?: IdsType; roles?: string | string[] }
+    options?: {
+      dbObject?: any;
+      metatype?: any;
+      processType?: ProcessType;
+      roles?: string | string[];
+      throwError?: boolean;
+    }
   ): Promise<any> {
     return check(value, user, options);
   }
@@ -182,7 +188,13 @@ export default class InputHelper {
 export async function check(
   value: any,
   user: { id: any; hasRole: (roles: string[]) => boolean },
-  options?: { creator?: IdsType; metatype?: any; ownerIds?: IdsType; roles?: string | string[]; throwError?: boolean }
+  options?: {
+    dbObject?: any;
+    metatype?: any;
+    processType?: ProcessType;
+    roles?: string | string[];
+    throwError?: boolean;
+  }
 ): Promise<any> {
   const config = {
     throwError: true,
@@ -196,18 +208,15 @@ export async function check(
       roles = [roles];
     }
     let valid = false;
-    if (roles.includes(RoleEnum.S_USER) && user?.id) {
-      valid = true;
-    } else if (user.hasRole(roles)) {
+    if (
+      // check if user is logged in
+      (roles.includes(RoleEnum.S_USER) && user?.id) ||
+      // check if the user has at least one of the required roles
+      user.hasRole(roles) ||
+      // check if the user is the creator
+      (roles.includes(RoleEnum.S_CREATOR) && equalIds(config.dbObject?.createdBy, user))
+    ) {
       valid = true;
-    } else if (roles.includes(RoleEnum.S_CREATOR) && user?.id && equalIds(user.id, config.creator)) {
-      valid = true;
-    } else if (roles.includes(RoleEnum.S_OWNER) && user?.id && config.ownerIds) {
-      let ownerIds: string | string[] = getStringIds(config.ownerIds);
-      if (!Array.isArray(ownerIds)) {
-        ownerIds = [ownerIds];
-      }
-      valid = ownerIds.includes(getStringIds(user.id));
     }
     if (!valid) {
       throw new UnauthorizedException('Missing rights');

package/src/core/common/interfaces/service-options.interface.ts

@@ -1,6 +1,5 @@
-import { Model, Types } from 'mongoose';
+import { Model } from 'mongoose';
 import { FieldSelection } from '../types/field-selection.type';
-import { IdsType } from '../types/ids.type';
 
 /**
  * General service options
@@ -14,7 +13,7 @@ export interface ServiceOptions {
   // If truly (default): input data will be checked
   checkRights?: boolean;
 
-  // Current user to set ownership, check roles and other things
+  // Current user to set ownership, check rights and other things
   currentUser?: {
     [key: string]: any;
     id: string;
@@ -27,9 +26,6 @@ export interface ServiceOptions {
   // Overwrites type of input (array items)
   inputType?: new (...params: any[]) => any;
 
-  // Owner IDs
-  ownerIds?: IdsType;
-
   // Process field selection
   // If {} or not set, then the field selection runs with defaults
   // If falsy, then the field selection will not be automatically executed

package/src/core/common/models/core-persistence.model.ts

@@ -59,16 +59,6 @@ export abstract class CorePersistenceModel extends CoreModel {
   @Prop([String])
   labels: string[] = undefined;
 
-  /**
-   * IDs of the Owners
-   */
-  @Field((type) => [String], {
-    description: 'Users who own the object',
-    nullable: true,
-  })
-  @Prop([String])
-  ownerIds: string[] = undefined;
-
   /**
    * Tags for the object
    */
@@ -97,7 +87,6 @@ export abstract class CorePersistenceModel extends CoreModel {
     super.init();
     this.createdAt = this.createdAt === undefined ? new Date() : this.createdAt;
     this.labels = this.labels === undefined ? [] : this.labels;
-    this.ownerIds = this.ownerIds === undefined ? [] : this.ownerIds;
     this.tags = this.tags === undefined ? [] : this.tags;
     this.updatedAt = this.tags === undefined ? this.createdAt : this.updatedAt;
     return this;

package/src/core/common/services/module.service.ts

@@ -1,11 +1,11 @@
 import { Document, Model, Types } from 'mongoose';
+import { ProcessType } from '../enums/process-type.enum';
 import { getStringIds, popAndMap } from '../helpers/db.helper';
 import { check } from '../helpers/input.helper';
 import { prepareInput, prepareOutput } from '../helpers/service.helper';
 import { ServiceOptions } from '../interfaces/service-options.interface';
 import { CoreModel } from '../models/core-model.model';
 import { FieldSelection } from '../types/field-selection.type';
-import { IdsType } from '../types/ids.type';
 
 /**
  * Module service class to be extended by concrete module services
@@ -39,9 +39,9 @@ export abstract class ModuleService<T extends CoreModel = any> {
     input: any,
     currentUser: { id: any; hasRole: (roles: string[]) => boolean },
     options?: {
-      creator?: IdsType;
+      dbObject?: any;
       metatype?: any;
-      ownerIds?: IdsType;
+      processType?: ProcessType;
       roles?: string | string[];
       throwError?: boolean;
     }
@@ -88,30 +88,18 @@ export abstract class ModuleService<T extends CoreModel = any> {
     }
 
     // Get DB object
-    const getDbObject = async () => {
-      if (config.dbObject) {
-        if (typeof config.dbObject === 'string' || config.dbObject instanceof Types.ObjectId) {
-          const dbObject = await this.get(getStringIds(config.dbObject));
-          if (dbObject) {
-            config.dbObject = dbObject;
-          }
+    if (config.dbObject && config.checkRights && this.checkRights) {
+      if (typeof config.dbObject === 'string' || config.dbObject instanceof Types.ObjectId) {
+        const dbObject = await this.get(getStringIds(config.dbObject));
+        if (dbObject) {
+          config.dbObject = dbObject;
         }
       }
-      return config.dbObject;
-    };
-
-    // Get owner IDs
-    let ownerIds = undefined;
-    if (config.checkRights && this.checkRights) {
-      ownerIds = getStringIds(config.ownerIds);
-      if (!ownerIds?.length) {
-        ownerIds = (await getDbObject())?.ownerIds;
-      }
     }
 
     // Check rights for input
     if (config.input && config.checkRights && this.checkRights) {
-      const opts: any = { creator: (await getDbObject())?.createdBy, ownerIds, roles: config.roles };
+      const opts: any = { dbObject: config.dbObject, processType: ProcessType.INPUT, roles: config.roles };
       if (config.inputType) {
         opts.metatype = config.resultType;
       }
@@ -137,7 +125,12 @@ export abstract class ModuleService<T extends CoreModel = any> {
 
     // Check output rights
     if (config.checkRights && this.checkRights) {
-      const opts: any = { creator: (await getDbObject())?.createdBy, ownerIds, roles: config.roles, throwError: false };
+      const opts: any = {
+        dbObject: config.dbObject,
+        processType: ProcessType.OUTPUT,
+        roles: config.roles,
+        throwError: false,
+      };
       if (config.resultType) {
         opts.metatype = config.resultType;
       }

package/src/core/common/types/require-only-one.type.ts

@@ -0,0 +1,6 @@
+/**
+ * Require only one of the optional properties
+ * See https://stackoverflow.com/a/49725198
+ */
+export type RequireOnlyOne<T, Keys extends keyof T = keyof T> = Pick<T, Exclude<keyof T, Keys>> &
+  { [K in Keys]-?: Required<Pick<T, K>> & Partial<Record<Exclude<Keys, K>, undefined>> }[Keys];

package/src/core/common/types/required-at-least-one.type.ts

@@ -0,0 +1,6 @@
+/**
+ * Require at least on of optional properties
+ * See https://stackoverflow.com/a/49725198
+ */
+export type RequireAtLeastOne<T, Keys extends keyof T = keyof T> = Pick<T, Exclude<keyof T, Keys>> &
+  { [K in Keys]-?: Required<Pick<T, K>> & Partial<Pick<T, Exclude<Keys, K>>> }[Keys];

package/src/core.module.ts

@@ -1,8 +1,7 @@
 import { DynamicModule, Global, Module, UnauthorizedException } from '@nestjs/common';
-import { APP_INTERCEPTOR, APP_PIPE } from '@nestjs/core';
+import { APP_PIPE } from '@nestjs/core';
 import { GraphQLModule } from '@nestjs/graphql';
 import { merge } from './core/common/helpers/config.helper';
-import { CheckResponseInterceptor } from './core/common/interceptors/check-response.interceptor';
 import { IServerOptions } from './core/common/interfaces/server-options.interface';
 import { MapAndValidatePipe } from './core/common/pipes/map-and-validate.pipe';
 import { ConfigService } from './core/common/services/config.service';
@@ -19,8 +18,6 @@ import { ApolloDriver, ApolloDriverConfig } from '@nestjs/apollo';
  * - MongooseModule
  * - GraphQL
  * - ConfigService
- * - CheckInput
- * - CheckResponse
  *
  * and sets the following services as globals:
  * - ConfigService
@@ -99,21 +96,6 @@ export class CoreModule {
         useValue: new ConfigService(config),
       },
 
-      // [Global] The CheckResponseInterceptor restricts the response to the properties
-      // that are permitted for the current user
-      {
-        provide: APP_INTERCEPTOR,
-        useClass: CheckResponseInterceptor,
-      },
-
-      // [Global] The CheckInputPipe checks the permissibility of individual properties of inputs for the resolvers
-      // in relation to the current user, replaces MapAndValidatePipe
-      // Does not work yet, because context is missing: https://github.com/nestjs/graphql/issues/325
-      // {
-      //   provide: APP_PIPE,
-      //   useClass: CheckInputPipe,
-      // },
-
       // [Global] Map plain objects to metatype and validate
       {
         provide: APP_PIPE,

package/src/index.ts

@@ -15,6 +15,7 @@ export * from './core/common/decorators/restricted.decorator';
 export * from './core/common/decorators/roles.decorator';
 export * from './core/common/enums/comparison-operator.enum';
 export * from './core/common/enums/logical-operator.enum';
+export * from './core/common/enums/process-type.enum';
 export * from './core/common/enums/role.enum';
 export * from './core/common/enums/sort-order.emum';
 export * from './core/common/helpers/config.helper';
@@ -54,6 +55,8 @@ export * from './core/common/types/core-model-constructor.type';
 export * from './core/common/types/field-selection.type';
 export * from './core/common/types/ids.type';
 export * from './core/common/types/plain-input.type';
+export * from './core/common/types/require-only-one.type';
+export * from './core/common/types/required-at-least-one.type';
 export * from './core/common/types/string-or-object-id.type';
 
 // =====================================================================================================================

package/src/server/modules/user/user.model.ts

@@ -1,8 +1,8 @@
 import { Field, ObjectType } from '@nestjs/graphql';
+import { Prop, Schema as MongooseSchema, SchemaFactory } from '@nestjs/mongoose';
+import { Document, Schema } from 'mongoose';
 import { CoreUserModel } from '../../../core/modules/user/core-user.model';
 import { PersistenceModel } from '../../common/models/persistence.model';
-import { Prop, Schema as MongooseSchema, SchemaFactory } from '@nestjs/mongoose';
-import { Schema, Document } from 'mongoose';
 
 export type UserDocument = User & Document;