@lenne.tech/nest-server 8.6.24 → 8.6.25

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lenne.tech/nest-server",
-  "version": "8.6.24",
+  "version": "8.6.25",
   "description": "Modern, fast, powerful Node.js web framework in TypeScript based on Nest with a GraphQL API and a connection to MongoDB (or other databases).",
   "keywords": [
     "node",
@@ -21,7 +21,7 @@
     "docs:ci": "ts-node ./scripts/init-server.ts && npm run docs:boostrap",
     "format": "prettier --write 'src/**/*.ts'",
     "format:staged": "pretty-quick --staged",
-    "lint": "eslint \"{src,apps,libs,test}/**/*.ts\" --fix",
+    "lint": "eslint \"{src,tests}/**/*.ts\" --fix",
     "prestart:prod": "npm run build",
     "reinit": "rimraf package-lock.json && rimraf node_modules && npm cache clean --force && npm i && npm run test:e2e && npm run build",
     "reinit:force": "rimraf package-lock.json && rimraf node_modules && npm cache clean --force && npm i --force && npm run test:e2e",
@@ -77,6 +77,7 @@
     "graphql": "16.5.0",
     "graphql-subscriptions": "2.0.0",
     "graphql-upload": "15.0.2",
+    "js-sha256": "0.9.0",
     "json-to-graphql-query": "2.2.4",
     "light-my-request": "5.0.0",
     "lodash": "4.17.21",

package/src/config.env.ts

@@ -173,7 +173,7 @@ const config: { [env: string]: IServerOptions } = {
  */
 const env = process.env['NODE' + '_ENV'] || 'development';
 const envConfig = config[env] || config.development;
-console.log('Configured for: ' + envConfig.env + (env !== envConfig.env ? ' (requested: ' + env + ')' : ''));
+console.info('Configured for: ' + envConfig.env + (env !== envConfig.env ? ' (requested: ' + env + ')' : ''));
 
 /**
  * Export envConfig as default

package/src/core/common/decorators/restricted.decorator.ts

@@ -4,6 +4,7 @@ import { ProcessType } from '../enums/process-type.enum';
 import { RoleEnum } from '../enums/role.enum';
 import { getIncludedIds } from '../helpers/db.helper';
 import { RequireAtLeastOne } from '../types/required-at-least-one.type';
+import * as _ from 'lodash';
 
 /**
  * Restricted meta key
@@ -57,6 +58,7 @@ export const checkRestricted = (
   data: any,
   user: { id: any; hasRole: (roles: string[]) => boolean },
   options: {
+    checkObjectItself?: boolean;
     dbObject?: any;
     ignoreUndefined?: boolean;
     processType?: ProcessType;
@@ -66,6 +68,7 @@ export const checkRestricted = (
   processedObjects: any[] = []
 ) => {
   const config = {
+    checkObjectItself: false,
     ignoreUndefined: true,
     removeUndefinedFromResultArray: true,
     throwError: true,
@@ -95,95 +98,107 @@ export const checkRestricted = (
 
   // Check function
   const validateRestricted = (restricted) => {
-    let valid = true;
-    if (restricted?.length) {
-      valid = false;
-
-      // Get roles
-      const roles: string[] = [];
-      restricted.forEach((item) => {
-        if (typeof item === 'string') {
-          roles.push(item);
-        } else if (
-          item?.roles?.length &&
-          (config.processType && item.processType ? config.processType === item.processType : true)
-        ) {
-          if (Array.isArray(item.roles)) {
-            roles.push(...item.roles);
-          } else {
-            roles.push(item.roles);
-          }
-        }
-      });
-
-      // Check roles
-      if (roles.length) {
-        if (
-          user?.hasRole?.(roles) ||
-          (user?.id && roles.includes(RoleEnum.S_USER)) ||
-          (roles.includes(RoleEnum.S_CREATOR) && getIncludedIds(config.dbObject?.createdBy, user))
-        ) {
-          valid = true;
+    // Check restrictions
+    if (!restricted?.length) {
+      return true;
+    }
+
+    let valid = false;
+
+    // Get roles
+    const roles: string[] = [];
+    restricted.forEach((item) => {
+      if (typeof item === 'string') {
+        roles.push(item);
+      } else if (
+        item?.roles?.length &&
+        (config.processType && item.processType ? config.processType === item.processType : true)
+      ) {
+        if (Array.isArray(item.roles)) {
+          roles.push(...item.roles);
+        } else {
+          roles.push(item.roles);
         }
       }
+    });
 
-      if (!valid) {
-        // Get groups
-        const groups = restricted.filter((item) => {
-          return (
-            typeof item === 'object' &&
-            // Check if object is valid
-            item.memberOf?.length &&
-            // Check if processType is specified and is valid for current process
-            (config.processType && item.processType ? config.processType === item.processType : true)
-          );
-        }) as { memberOf: string | string[] }[];
-
-        // Check groups
-        if (groups.length) {
-          // Get members from groups
-          const members = [];
-          for (const group of groups) {
-            let properties: string[] = group.memberOf as string[];
-            if (!Array.isArray(group.memberOf)) {
-              properties = [group.memberOf];
-            }
-            for (const property of properties) {
-              const items = config.dbObject?.[property];
-              if (items) {
-                if (Array.isArray(items)) {
-                  members.concat(items);
-                } else {
-                  members.push(items);
-                }
+    // Check roles
+    if (roles.length) {
+      // Prevent access for everyone, including administrators
+      if (roles.includes(RoleEnum.S_NO_ONE)) {
+        return false;
+      }
+
+      // Check access rights
+      if (
+        roles.includes(RoleEnum.S_EVERYONE) ||
+        user?.hasRole?.(roles) ||
+        (user?.id && roles.includes(RoleEnum.S_USER)) ||
+        (roles.includes(RoleEnum.S_CREATOR) && getIncludedIds(config.dbObject?.createdBy, user))
+      ) {
+        valid = true;
+      }
+    }
+
+    if (!valid) {
+      // Get groups
+      const groups = restricted.filter((item) => {
+        return (
+          typeof item === 'object' &&
+          // Check if object is valid
+          item.memberOf?.length &&
+          // Check if processType is specified and is valid for current process
+          (config.processType && item.processType ? config.processType === item.processType : true)
+        );
+      }) as { memberOf: string | string[] }[];
+
+      // Check groups
+      if (groups.length) {
+        // Get members from groups
+        const members = [];
+        for (const group of groups) {
+          let properties: string[] = group.memberOf as string[];
+          if (!Array.isArray(group.memberOf)) {
+            properties = [group.memberOf];
+          }
+          for (const property of properties) {
+            const items = config.dbObject?.[property];
+            if (items) {
+              if (Array.isArray(items)) {
+                members.concat(items);
+              } else {
+                members.push(items);
               }
             }
           }
-
-          // Check if user is a member
-          if (getIncludedIds(members, user)) {
-            valid = true;
-          }
         }
 
-        // Check if there are no limitations
-        if (!roles.length && !groups.length) {
+        // Check if user is a member
+        if (getIncludedIds(members, user)) {
           valid = true;
         }
       }
+
+      // Check if there are no limitations
+      if (!roles.length && !groups.length) {
+        valid = true;
+      }
     }
+
     return valid;
   };
 
   // Check object
-  const objectRestrictions = getRestricted(data.constructor);
-  const objectIsValid = validateRestricted(objectRestrictions);
-  if (!objectIsValid) {
-    // Throw error
-    if (config.throwError) {
-      throw new UnauthorizedException('The current user has no access rights for ' + data.constructor?.name);
+  const objectRestrictions = getRestricted(data.constructor) || [];
+  if (config.checkObjectItself) {
+    const objectIsValid = validateRestricted(objectRestrictions);
+    if (!objectIsValid) {
+      // Throw error
+      if (config.throwError) {
+        throw new UnauthorizedException('The current user has no access rights for ' + data.constructor?.name);
+      }
+      return null;
     }
-    return null;
   }
 
   // Check properties of object
@@ -194,8 +209,9 @@ export const checkRestricted = (
     }
 
     // Check restricted
-    const restricted = getRestricted(data, propertyKey);
-    const valid = validateRestricted(restricted);
+    const restricted = getRestricted(data, propertyKey) || [];
+    const concatenatedRestrictions = _.uniq(objectRestrictions.concat(restricted));
+    const valid = validateRestricted(concatenatedRestrictions);
 
     // Check rights
     if (valid) {
@@ -204,7 +220,11 @@ export const checkRestricted = (
     } else {
       // Throw error
       if (config.throwError) {
-        throw new UnauthorizedException('The current user has no access rights for ' + propertyKey);
+        throw new UnauthorizedException(
+          'The current user has no access rights for ' +
+            propertyKey +
+            (data.constructor?.name ? ' of ' + data.constructor.name : '')
+        );
       }
 
       // Remove property

package/src/core/common/enums/role.enum.ts

@@ -1,26 +1,54 @@
 /**
  * Enums for Resolver @Role and Model @Restricted decorator and for roles property in ServiceOptions
+ *
+ * There are two types of roles. The "normal" roles that can be defined as strings on the user in the `roles` property
+ * and there are special system roles (with the prefix `S_`) that are defined by the current context e.g.
+ * `S_USER` applies to all logged-in users or `S_CREATOR` applies to the creator of a specific object.
+ * The special roles can only be used under certain situations (see below). The "normal" roles can be used anywhere
+ * that involves checking the current user.
+ *
+ * Except for the role `S_NO_ONE` all roles extend the access. If for example the role `ADMIN` is specified for a class
+ * then the accesses to all methods / properties are limited to administrators. If then e.g. for a method of the class
+ * the role `S_USER` is specified, the method is accessible for all users (administrators & all users = all users). All
+ * other methods and properties of the class are still only accessible for administrators.
+ *
+ * The role `S_NO_ONE` is an exception to this behavior. If this role is specified, then no one can access the
+ * associated class or associated methods and properties no matter what other roles were specified for access.
+ * This role should be used thus only for classes, methods or characteristics, which are to be locked for a transition
+ * period but not deleted from the source code completely.
+ *
+ * The roles are divided into different scopes and can be used in `@Roles` or `@Restricted`. The scopes are specified
+ * and explained below.
+ *
  */
 export enum RoleEnum {
   // ===================================================================================================================
-  // Real roles (integrated into user.roles), which can be used via @Restricted for Models (properties),
-  // via @Roles for Resolvers (methods) and via ServiceOptions for Resolver methods.
+  // Real roles (integrated into user.roles), which can be used via @Restricted for Models (classes and properties),
+  // via @Roles for Resolvers (classes and methods) and via ServiceOptions for Resolver methods.
   // ===================================================================================================================
 
   // User must be an administrator (see roles of user)
   ADMIN = 'admin',
 
   // ===================================================================================================================
-  // Special system roles, which can be used via @Restricted for Models (properties), via @Roles for Resolvers (methods)
-  // and via ServiceOptions for Resolver methods. This roles should not be integrated into user.roles!
+  // Special system roles, which can be used via @Restricted for Models (classes and properties), via @Roles for
+  // Resolvers (classes and methods) and via ServiceOptions for Resolver methods. This roles should not be integrated
+  // into user.roles!
   // ===================================================================================================================
 
+  // Everyone, including users who are not logged in, can access (see context user, e.g. @GraphQLUser)
+  S_EVERYONE = 's_everyone',
+
+  // No one has access, not even administrators
+  S_NO_ONE = 's_no_one',
+
   // User must be logged in (see context user, e.g. @GraphQLUser)
   S_USER = 's_user',
 
   // ===================================================================================================================
-  // Special system roles that check rights for DB objects and can be used via @Restricted for Models (properties)
-  // and via ServiceOptions for Resolver methods. These roles should not be integrated in user.roles!
+  // Special system roles that check rights for DB objects and can be used via @Restricted for Models
+  // (classes and properties) and via ServiceOptions for Resolver methods. These roles should not be integrated in
+  // user.roles!
   // ===================================================================================================================
 
   // User must be the creator of the processed object(s) (see createdBy property of object(s))

package/src/core/common/helpers/context.helper.ts

@@ -30,14 +30,14 @@ export function getContextData(context: ExecutionContext): { currentUser: { [key
   try {
     ctx = GqlExecutionContext.create(context)?.getContext();
   } catch (e) {
-    // console.log(e);
+    // console.info(e);
   }
 
   let args: any;
   try {
     args = GqlExecutionContext.create(context)?.getArgs();
   } catch (e) {
-    // console.log(e);
+    // console.info(e);
   }
 
   // Get data

package/src/core/common/helpers/input.helper.ts

@@ -232,7 +232,16 @@ export async function check(
       roles = [roles];
     }
     let valid = false;
+
+    // Prevent access for everyone, including administrators
+    if (roles.includes(RoleEnum.S_NO_ONE)) {
+      throw new UnauthorizedException('No access');
+    }
+
+    // Check access
     if (
+      // check if any user, including users who are not logged in, can access
+      roles.includes(RoleEnum.S_EVERYONE) ||
       // check if user is logged in
       (roles.includes(RoleEnum.S_USER) && user?.id) ||
       // check if the user has at least one of the required roles
@@ -316,6 +325,14 @@ export function filterProperties<T = Record<string, any>>(
     .reduce((res, key) => Object.assign(res, { [key]: obj[key] }), {});
 }
 
+/**
+ * Get plain copy of object
+ * @param element
+ */
+export function getPlain(object: any) {
+  return JSON.parse(JSON.stringify(object));
+}
+
 /**
  * Check if parameter is an array
  */

package/src/core/common/helpers/model.helper.ts

@@ -164,7 +164,8 @@ export function maps<T = Record<string, any>>(
 export function mapClasses<T = Record<string, any>>(
   input: Record<string, any>,
   mapping: Record<string, new (...args: any[]) => any>,
-  target?: T
+  target?: T,
+  options?: { objectIdsToString?: boolean }
 ): T {
   // Check params
   if (!target) {
@@ -174,6 +175,12 @@ export function mapClasses<T = Record<string, any>>(
     return target;
   }
 
+  // Get config
+  const config = {
+    objectIdsToString: true,
+    ...options,
+  };
+
   // Process input
   for (const [prop, mapTarget] of Object.entries(mapping)) {
     if (prop in input) {
@@ -187,7 +194,7 @@ export function mapClasses<T = Record<string, any>>(
           if (value instanceof targetClass) {
             arr.push(value);
           } else if (value instanceof Types.ObjectId) {
-            arr.push(value);
+            config.objectIdsToString ? arr.push(value.toHexString()) : arr.push(value);
           } else if (typeof value === 'object') {
             if (targetClass.map) {
               arr.push(targetClass.map(item));
@@ -203,7 +210,7 @@ export function mapClasses<T = Record<string, any>>(
 
       // Process ObjectId
       else if (value instanceof Types.ObjectId) {
-        target[prop] = value as any;
+        target[prop] = config.objectIdsToString ? value.toHexString() : value;
       }
 
       // Process object
@@ -240,7 +247,8 @@ export function mapClasses<T = Record<string, any>>(
 export async function mapClassesAsync<T = Record<string, any>>(
   input: Record<string, any>,
   mapping: Record<string, new (...args: any[]) => any>,
-  target?: T
+  target?: T,
+  options?: { objectIdsToString?: boolean }
 ): Promise<T> {
   // Check params
   if (!target) {
@@ -250,6 +258,12 @@ export async function mapClassesAsync<T = Record<string, any>>(
     return target;
   }
 
+  // Get config
+  const config = {
+    objectIdsToString: true,
+    ...options,
+  };
+
   // Process input
   for (const [prop, mapTarget] of Object.entries(mapping)) {
     if (prop in input) {
@@ -263,7 +277,7 @@ export async function mapClassesAsync<T = Record<string, any>>(
           if (value instanceof targetClass) {
             arr.push(value);
           } else if (value instanceof Types.ObjectId) {
-            arr.push(value);
+            config.objectIdsToString ? arr.push(value.toHexString()) : arr.push(value);
           } else if (typeof value === 'object') {
             if (targetClass.map) {
               arr.push(await targetClass.map(item));
@@ -279,7 +293,7 @@ export async function mapClassesAsync<T = Record<string, any>>(
 
       // Process ObjectId
       else if (value instanceof Types.ObjectId) {
-        target[prop] = value as any;
+        target[prop] = config.objectIdsToString ? value.toHexString() : value;
       }
 
       // Process object

package/src/core/common/helpers/service.helper.ts

@@ -1,7 +1,9 @@
 import { UnauthorizedException } from '@nestjs/common';
 import * as bcrypt from 'bcrypt';
 import { plainToInstance } from 'class-transformer';
+import { sha256 } from 'js-sha256';
 import * as _ from 'lodash';
+import { Types } from 'mongoose';
 import { RoleEnum } from '../enums/role.enum';
 import { PrepareInputOptions } from '../interfaces/prepare-input-options.interface';
 import { PrepareOutputOptions } from '../interfaces/prepare-output-options.interface';
@@ -80,8 +82,14 @@ export async function prepareInput<T = any>(
 
   // Process array
   if (Array.isArray(input)) {
-    const processedArray = input.map(async (item) => await prepareInput(item, currentUser, options)) as any;
-    return config.getNewArray ? processedArray : input;
+    const processedArray = config.getNewArray ? ([] as T & any[]) : input;
+    for (let i = 0; i <= input.length - 1; i++) {
+      processedArray[i] = await prepareOutput(input[i], options);
+      if (processedArray[i] === undefined && config.removeUndefined) {
+        processedArray.splice(i, 1);
+      }
+    }
+    return processedArray;
   }
 
   // Clone input
@@ -103,8 +111,8 @@ export async function prepareInput<T = any>(
   }
 
   // Remove undefined properties to avoid unwanted overwrites
-  if (config.removeUndefined) {
-    Object.keys(input).forEach((key) => input[key] === undefined && delete input[key]);
+  for (const [key, value] of Object.entries(input)) {
+    value === undefined && delete input[key];
   }
 
   // Process roles
@@ -122,8 +130,15 @@ export async function prepareInput<T = any>(
   }
 
   // Hash password
-  if ((input as Record<string, any>).password) {
-    (input as Record<string, any>).password = await bcrypt.hash((input as any).password, 10);
+  if ((input as any).password) {
+    // Check if the password was transmitted encrypted
+    // If not, the password is encrypted to enable future encrypted and unencrypted transmissions
+    (input as any).password = /^[a-f0-9]{64}$/i.test((input as any).password)
+      ? (input as any).password
+      : sha256((input as any).password);
+
+    // Hash password
+    (input as any).password = await bcrypt.hash((input as any).password, 10);
   }
 
   // Set creator
@@ -149,6 +164,7 @@ export async function prepareOutput<T = { [key: string]: any; map: (...args: any
     [key: string]: any;
     clone?: boolean;
     getNewArray?: boolean;
+    objectIdsToStrings?: boolean;
     removeSecrets?: boolean;
     removeUndefined?: boolean;
     targetModel?: new (...args: any[]) => T;
@@ -158,6 +174,7 @@ export async function prepareOutput<T = { [key: string]: any; map: (...args: any
   const config = {
     clone: false,
     getNewArray: false,
+    objectIdsToStrings: true,
     removeSecrets: true,
     removeUndefined: false,
     targetModel: undefined,
@@ -171,10 +188,14 @@ export async function prepareOutput<T = { [key: string]: any; map: (...args: any
 
   // Process array
   if (Array.isArray(output)) {
-    const processedArray = output.map(async (item, index) => {
-      output[index] = await prepareOutput(item, options);
-    }) as any;
-    return config.getNewArray ? processedArray : output;
+    const processedArray = config.getNewArray ? [] : output;
+    for (let i = 0; i <= output.length - 1; i++) {
+      processedArray[i] = await prepareOutput(output[i], options);
+      if (processedArray[i] === undefined && config.removeUndefined) {
+        processedArray.splice(i, 1);
+      }
+    }
+    return processedArray;
   }
 
   // Clone output
@@ -212,7 +233,18 @@ export async function prepareOutput<T = { [key: string]: any; map: (...args: any
 
   // Remove undefined properties to avoid unwanted overwrites
   if (config.removeUndefined) {
-    Object.keys(output).forEach((key) => output[key] === undefined && delete output[key]);
+    for (const [key, value] of Object.entries(output)) {
+      value === undefined && delete output[key];
+    }
+  }
+
+  // Convert ObjectIds into strings
+  if (config.objectIdsToStrings) {
+    for (const [key, value] of Object.entries(output)) {
+      if (value instanceof Types.ObjectId) {
+        output[key] = value.toHexString();
+      }
+    }
   }
 
   // Return prepared output

package/src/core/common/services/core-cron-jobs.service.ts

@@ -80,7 +80,7 @@ export abstract class CoreCronJobs {
       // check if cron job exists
       if (!this[name]) {
         if (this.config.log) {
-          console.log('Missing cron job function ' + name);
+          console.info('Missing cron job function ' + name);
         }
         continue;
       }
@@ -133,7 +133,7 @@ export abstract class CoreCronJobs {
       );
       this.schedulerRegistry.addCronJob(name, job);
       if (this.config.log && this.schedulerRegistry.getCronJob(name)) {
-        console.log(`CronJob ${name} initialized with "${config.cronTime}"`);
+        console.info(`CronJob ${name} initialized with "${config.cronTime}"`);
       }
     }
   }

package/src/core/common/services/module.service.ts

@@ -107,11 +107,6 @@ export abstract class ModuleService<T extends CoreModel = any> {
       config.input = await this.prepareInput(config.input, opts);
     }
 
-    // Check rights
-    if (config.checkRights && this.checkRights) {
-      await this.checkRights(undefined, config.currentUser as any, config);
-    }
-
     // Get DB object
     if (config.dbObject && config.checkRights && this.checkRights) {
       if (typeof config.dbObject === 'string' || config.dbObject instanceof Types.ObjectId) {
@@ -131,6 +126,11 @@ export abstract class ModuleService<T extends CoreModel = any> {
       config.input = await this.checkRights(config.input, config.currentUser as any, opts);
     }
 
+    // Check roles before processing the service function if they were not already checked during the input check
+    else if (!config.input && config.checkRights && this.checkRights) {
+      await this.checkRights(undefined, config.currentUser as any, config);
+    }
+
     // Run service function
     let result = await serviceFunc(config);
 

package/src/core/common/types/plain-object.type.ts

@@ -0,0 +1,5 @@
+/**
+ * Type for plain object with only properties and no methods
+ * (Replacement for RemoveMethods type)
+ */
+export type PlainObject<T> = { [P in keyof T as T[P] extends (...args: any) => any ? never : P]: T[P] };

package/src/core/common/types/remove-methods.type.ts

@@ -1,4 +1,5 @@
 /**
  * Type for plain object with only properties and no methods
+ * @deprecated Is deprecated, please use the type PlainObject instead
  */
 export type RemoveMethods<T> = { [P in keyof T as T[P] extends (...args: any) => any ? never : P]: T[P] };

package/src/core/modules/auth/guards/roles.guard.ts

@@ -32,6 +32,11 @@ export class RolesGuard extends AuthGuard('jwt') {
         : reflectorRoles[0]
       : reflectorRoles[1];
 
+    // Check if locked
+    if (roles && roles.includes(RoleEnum.S_NO_ONE)) {
+      throw new UnauthorizedException('No access');
+    }
+
     // Check roles
     if (!roles || !roles.some((value) => !!value)) {
       return user;
@@ -42,8 +47,8 @@ export class RolesGuard extends AuthGuard('jwt') {
       // Get args
       const args: any = GqlExecutionContext.create(context).getArgs();
 
-      // Check special user role (user is logged in)
-      if (user && roles.includes(RoleEnum.S_USER)) {
+      // Check special user roles (user is logged in or access is free for any)
+      if ((user && roles.includes(RoleEnum.S_USER)) || roles.includes(RoleEnum.S_EVERYONE)) {
         return user;
       }