@memberjunction/server 0.9.0

package/src/auth/index.ts

@@ -0,0 +1,117 @@
+import { JwtHeader, SigningKeyCallback } from 'jsonwebtoken';
+import jwksClient from 'jwks-rsa';
+import { auth0Domain, auth0WebClientID, configInfo, tenantID, webClientID } from '../config';
+import { UserCache } from '@memberjunction/sqlserver-dataprovider';
+import { DataSource } from 'typeorm';
+import { Metadata, UserInfo } from '@memberjunction/core';
+import { NewUserBase } from './newUsers';
+import { MJGlobal } from '@memberjunction/global';
+
+const issuers = {
+  azure: `https://login.microsoftonline.com/${tenantID}/v2.0`,
+  auth0: `https://${auth0Domain}/`,
+};
+
+export const validationOptions = {
+  [issuers.auth0]: {
+    audience: auth0WebClientID,
+    jwksUri: `https://${auth0Domain}/.well-known/jwks.json`,
+  },
+  [issuers.azure]: {
+    audience: webClientID,
+    jwksUri: `https://login.microsoftonline.com/${tenantID}/discovery/v2.0/keys`,
+  },
+};
+
+export class UserPayload {
+  aio?: string;
+  aud?: string;
+  exp?: number;
+  iat?: number;
+  iss?: string;
+  name?: string;
+  nbf?: number;
+  nonce?: string;
+  oid?: string;
+  preferred_username?: string;
+  rh?: string;
+  sub?: string;
+  tid?: string;
+  uti?: string;
+  ver?: string;
+  // what about an array of roles???
+}
+
+export const getSigningKeys = (issuer: string) => (header: JwtHeader, cb: SigningKeyCallback) => {
+  const jwksUri = validationOptions[issuer].jwksUri;
+
+  jwksClient({ jwksUri })
+    .getSigningKey(header.kid)
+    .then((key) => {
+      cb(null, 'publicKey' in key ? key.publicKey : key.rsaPublicKey);
+    })
+    .catch((err) => console.error(err));
+};
+
+export const verifyUserRecord = async (email?: string, firstName?: string, lastName?: string, requestDomain?: string, dataSource?: DataSource, attemptCacheUpdateIfNeeded: boolean = true): Promise<UserInfo | undefined> => {
+  if (!email) return undefined;
+
+  let user = UserCache.Instance.Users.find((u) => {
+    if (!u.Email || u.Email.trim() === '') {
+      // this condition should never occur. If it doesn throw a console error including the user id
+      // DB requires non-null but this is just an extra check and we could in theory have a blank string in the DB
+      console.error(`SYSTEM METADATA ISSUE: User ${u.ID} has no email address`);
+      return false;
+    }
+    else
+      return u.Email.toLowerCase().trim() === email.toLowerCase().trim()
+  });
+
+  if (!user) {
+    if (configInfo.userHandling.autoCreateNewUsers && firstName && lastName && requestDomain) {
+      // check to see if the domain that we have a request coming in from matches one of the domains in the autoCreateNewUsersDomains setting
+      const domainMatch: boolean = configInfo.userHandling.newUserAuthorizedDomains.some((domain) => domain.toLowerCase().trim() === requestDomain.toLowerCase().trim());
+      if (domainMatch) {
+        // we have a domain from the request that matches one of the domains provided by the configuration, so we will create a new user
+        console.warn(`User ${email} not found in cache. Attempting to create a new user...`);
+        const newUserCreator: NewUserBase = <NewUserBase>MJGlobal.Instance.ClassFactory.CreateInstance(NewUserBase); // this will create the object that handles creating the new user for us
+        const newUser = await newUserCreator.createNewUser(firstName, lastName, email);
+        if (newUser) {
+          // new user worked! we already have the stuff we need for the cache, so no need to go to the DB now, just create a new UserInfo object and use the return value from the createNewUser method
+          // to init it, including passing in the role list for the user.
+          const initData: any  = newUser.GetAll();
+          initData.UserRoles = configInfo.userHandling.newUserRoles.map((role) => { return { UserID: initData.ID, RoleName: role } });
+          user = new UserInfo(Metadata.Provider, initData);
+          UserCache.Instance.Users.push(user);
+          console.warn(`   >>> New user ${email} created successfully!`);
+        }
+      }
+      else {
+        console.warn(`User ${email} not found in cache. Request domain '${requestDomain}' does not match any of the domains in the newUserAuthorizedDomains setting. NOT creating a new user.`);
+      }
+    }
+    if(!user && configInfo.userHandling.updateCacheWhenNotFound && dataSource && attemptCacheUpdateIfNeeded) {
+      // if we get here that means in the above, if we were attempting to create a new user, it did not work, or it wasn't attempted and we have a config that asks us to auto update the cache
+      console.warn(`User ${email} not found in cache. Updating cache in attempt to find the user...`);
+  
+      const startTime: number = Date.now();
+      await UserCache.Instance.Refresh(dataSource);
+      const endTime: number = Date.now();
+      const elapsed: number = endTime - startTime;
+  
+      // if elapsed time is less than the delay setting, wait for the additional time to achieve the full delay
+      // the below also makes sure we never go more than a 30 second total delay
+      const delay = configInfo.userHandling.updateCacheWhenNotFoundDelay ? (configInfo.userHandling.updateCacheWhenNotFoundDelay < 30000 ? configInfo.userHandling.updateCacheWhenNotFoundDelay : 30000) : 0;
+      if (elapsed < delay)
+        await new Promise(resolve => setTimeout(resolve, delay - elapsed));
+  
+      const finalTime: number = Date.now();
+      const finalElapsed: number = finalTime - startTime;
+  
+      console.log(`   UserCache updated in ${elapsed}ms, total elapsed time of ${finalElapsed}ms including delay of ${delay}ms (if needed). Attempting to find the user again via recursive call to verifyUserRecord()`);
+      return verifyUserRecord(email, firstName, lastName, requestDomain, dataSource, false) // try one more time but do not update cache next time if not found
+    }
+  }
+
+  return user;
+};

package/src/auth/newUsers.ts

@@ -0,0 +1,56 @@
+import { LogError, Metadata } from "@memberjunction/core";
+import { RegisterClass } from "@memberjunction/global";
+import { UserCache } from "@memberjunction/sqlserver-dataprovider";
+import { configInfo } from "../config";
+
+@RegisterClass(NewUserBase)
+export class NewUserBase {
+    public async createNewUser(firstName: string, lastName: string, email: string, linkedRecordType: string = 'None', linkedEntityId?: number, linkedEntityRecordId?: number) {
+        try {
+            const md = new Metadata();
+            const contextUser = UserCache.Instance.Users.find(u => u.Email.trim().toLowerCase() === configInfo?.userHandling?.contextUserForNewUserCreation?.trim().toLowerCase())
+            if (!contextUser) {
+                LogError(`Failed to load context user ${configInfo?.userHandling?.contextUserForNewUserCreation}, if you've not specified this on your config.json you must do so. This is the user that is contextually used for creating a new user record dynamically.`);
+                return undefined;
+            }
+            const u = await md.GetEntityObject('Users', contextUser) // To-Do - change this to be a different defined user for the user creation process
+            u.NewRecord();
+            u.Name = email;
+            u.IsActive = true;
+            u.FirstName = firstName;
+            u.LastName = lastName;
+            u.Email = email;
+            u.Type = 'User';
+            u.LinkedRecordType = linkedRecordType;
+            if (linkedEntityId)
+                u.LinkedEntityID = linkedEntityId;
+            if (linkedEntityRecordId)
+                u.LinkedEntityRecordID = linkedEntityRecordId;
+
+            if (await u.Save()) {
+                // user created, now create however many roles we need to create for this user based on the config settings
+                const ur = await md.GetEntityObject('User Roles', contextUser);
+                let bSuccess: boolean = true;
+                for (const role of configInfo.userHandling.newUserRoles) {
+                    ur.NewRecord();
+                    ur.UserID = u.ID;
+                    ur.RoleName = role;
+                    bSuccess = bSuccess && await ur.Save();
+                }
+                if (!bSuccess) {
+                    LogError(`Failed to create roles for newly created user ${firstName} ${lastName} ${email}`);
+                    return undefined;
+                }
+            }
+            else {
+                LogError(`Failed to create new user ${firstName} ${lastName} ${email}`);
+                return undefined;
+            }
+            return u;        
+        }
+        catch (e) {
+            LogError(e);
+            return undefined;
+        }
+    }
+}

package/src/cache.ts

@@ -0,0 +1,10 @@
+import { LRUCache } from 'lru-cache';
+
+const oneHourMs = 60 * 60 * 1000;
+
+export const authCache = new LRUCache({
+  max: 50000,
+  ttl: oneHourMs,
+  ttlAutopurge: false,
+});
+

package/src/config.ts

@@ -0,0 +1,67 @@
+import env from 'env-var';
+import fs from 'fs';
+import path from 'path';
+import { z } from 'zod';
+
+export const nodeEnv = env.get('NODE_ENV').asString();
+
+export const dbHost = env.get('DB_HOST').required().asString();
+export const dbPort = env.get('DB_PORT').default('1433').asPortNumber();
+export const dbUsername = env.get('DB_USERNAME').required().asString();
+export const dbPassword = env.get('DB_PASSWORD').required().asString();
+export const dbDatabase = env.get('DB_DATABASE').required().asString();
+
+export const graphqlPort = env.get('PORT').default('4000').asPortNumber();
+export const graphqlRootPath = env.get('ROOT_PATH').default('/').asString();
+
+export const webClientID = env.get('WEB_CLIENT_ID').asString();
+export const tenantID = env.get('TENANT_ID').asString();
+
+export const enableIntrospection = env.get('ENABLE_INTROSPECTION').default('false').asBool();
+export const websiteRunFromPackage = env.get('WEBSITE_RUN_FROM_PACKAGE').asIntPositive();
+export const userEmailMap = env.get('USER_EMAIL_MAP').default('{}').asJsonObject() as Record<string, string>;
+
+export const auth0Domain = env.get('AUTH0_DOMAIN').asString();
+export const auth0WebClientID = env.get('AUTH0_CLIENT_ID').asString();
+export const auth0ClientSecret = env.get('AUTH0_CLIENT_SECRET').asString();
+
+export const mj_core_schema = env.get('MJ_CORE_SCHEMA').asString();
+
+export const configFile = env.get('CONFIG_FILE').asString();
+
+const userHandlingInfoSchema = z.object({
+  autoCreateNewUsers: z.boolean(),
+  newUserAuthorizedDomains: z.array(z.string()),
+  newUserRoles: z.array(z.string()),
+  updateCacheWhenNotFound: z.boolean(),
+  updateCacheWhenNotFoundDelay: z.number(),
+  contextUserForNewUserCreation: z.string(),
+});
+
+const databaseSettingsInfoSchema = z.object({
+  connectionTimeout: z.number(),
+  requestTimeout: z.number(),
+  metadataCacheRefreshInterval: z.number(),
+});
+
+const configInfoSchema = z.object({
+  userHandling: userHandlingInfoSchema,
+  databaseSettings: databaseSettingsInfoSchema,
+});
+
+export type UserHandlingInfo = z.infer<typeof userHandlingInfoSchema>;
+export type DatabaseSettingsInfo = z.infer<typeof databaseSettingsInfoSchema>;
+export type ConfigInfo = z.infer<typeof configInfoSchema>;
+
+export const configInfo: ConfigInfo = loadConfig();
+
+export function loadConfig() {
+  const configPath = configFile ?? path.resolve('..', 'config.json');
+
+  if (!fs.existsSync(configPath)) {
+    throw new Error(`Config file ${configPath} does not exist.`);
+  }
+
+  const configData = fs.readFileSync(configPath, 'utf-8');
+  return configInfoSchema.parse(JSON.parse(configData));
+}

package/src/context.ts

@@ -0,0 +1,105 @@
+import { IncomingMessage } from 'http';
+import * as url from 'url';
+import { JwtPayload, VerifyOptions, decode, verify } from 'jsonwebtoken';
+import 'reflect-metadata';
+import { Subject, firstValueFrom } from 'rxjs';
+import { AuthenticationError, AuthorizationError } from 'type-graphql';
+import { DataSource } from 'typeorm';
+import { getSigningKeys, validationOptions, verifyUserRecord } from './auth';
+import { authCache } from './cache';
+import { userEmailMap } from './config';
+import { UserPayload } from './types';
+
+const verifyAsync = async (
+  issuer: string,
+  options: VerifyOptions,
+  token: string
+): Promise<JwtPayload> =>
+  new Promise((resolve, reject) => {
+    verify(token, getSigningKeys(issuer), options, (err, jwt) => {
+      if (jwt && typeof jwt !== 'string' && !err) {
+        const payload = jwt.payload ?? jwt;
+
+        console.log(
+          `Valid token: ${payload.name} (${
+            payload.email ? payload.email : payload.preferred_username
+          })`
+        ); // temporary fix to check preferred_username if email is not present
+        resolve(payload);
+      } else {
+        console.warn('Invalid token');
+        reject(err);
+      }
+    });
+  });
+
+export const getUserPayload = async (
+  bearerToken: string,
+  sessionId = 'default',
+  dataSource: DataSource,
+  requestDomain?: string
+): Promise<UserPayload> => {
+  try {
+    const token = bearerToken.replace('Bearer ', '');
+
+    if (!token) {
+      console.warn('No token to validate');
+      throw new AuthenticationError('Missing token');
+    }
+
+    const payload = decode(token);
+    if (!payload || typeof payload === 'string') {
+      throw new AuthenticationError('Invalid token payload');
+    }
+
+    if (!authCache.has(token)) {
+      const issuer = payload.iss;
+      if (!issuer) {
+        console.warn('No issuer claim on token');
+        throw new AuthenticationError('Missing issuer claim on token');
+      }
+
+      await verifyAsync(issuer, validationOptions[issuer], token);
+      authCache.set(token, true);
+    }
+
+    const email = payload?.email
+      ? userEmailMap[payload?.email] ?? payload?.email
+      : payload?.preferred_username; // temporary fix to check preferred_username if email is not present
+    const fullName = payload?.name;
+    const firstName = payload?.given_name || fullName?.split(' ')[0];
+    const lastName = payload?.family_name || fullName?.split(' ')[1] || fullName?.split(' ')[0];
+    const userRecord = await verifyUserRecord(email, firstName, lastName, requestDomain, dataSource);
+
+    if (!userRecord) {
+      console.error(`User ${email} not found`); 
+      throw new AuthorizationError();
+    }
+    else if (!userRecord.IsActive) {
+      console.error(`User ${email} found but inactive`);
+      throw new AuthorizationError();
+    }
+
+    return { userRecord, email, sessionId };
+  } catch (e) {
+    return {} as UserPayload;
+  }
+};
+
+export const contextFunction =
+  ({ setupComplete$, dataSource }: { setupComplete$: Subject<unknown>; dataSource: DataSource }) =>
+  async ({ req }: { req: IncomingMessage }) => {
+    await firstValueFrom(setupComplete$); // wait for setup to complete before processing the request
+
+    const sessionIdRaw = req.headers['x-session-id'];
+    const requestDomain = url.parse(req.headers.origin || '')
+    const sessionId = sessionIdRaw ? sessionIdRaw.toString() : '';
+    const bearerToken = req.headers.authorization ?? '';
+
+    const userPayload = await getUserPayload(bearerToken, sessionId, dataSource, requestDomain?.hostname ? requestDomain.hostname : undefined);
+
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    console.log((req as any).body?.operationName);
+
+    return { dataSource, userPayload };
+  };

package/src/directives/Public.ts

@@ -0,0 +1,42 @@
+import { FieldMapper, MapperKind, getDirective, mapSchema } from '@graphql-tools/utils';
+import { GraphQLFieldResolver, defaultFieldResolver } from 'graphql';
+import { AuthorizationError, Directive } from 'type-graphql';
+import { AppContext, DirectiveBuilder } from '../types';
+
+const DIRECTIVE_NAME = 'Public';
+
+export function Public(): PropertyDecorator & MethodDecorator & ClassDecorator;
+export function Public(): PropertyDecorator | MethodDecorator | ClassDecorator {
+  return (targetOrPrototype, propertyKey, descriptor) =>
+    Directive(`@${DIRECTIVE_NAME}`)(targetOrPrototype, propertyKey, descriptor);
+}
+
+export const publicDirective: DirectiveBuilder = {
+  typeDefs: `directive @${DIRECTIVE_NAME} on FIELD_DEFINITION`,
+  transformer: (schema) => {
+    const fieldMapper: FieldMapper = (fieldConfig) => {
+      const directive = getDirective(schema, fieldConfig, DIRECTIVE_NAME)?.[0];
+      if (directive) {
+        return fieldConfig;
+      } else {
+        // `@Public` directive not present, so will require auth
+        const { resolve = defaultFieldResolver } = fieldConfig;
+        const directiveResolver: GraphQLFieldResolver<unknown, AppContext> = async (
+          source,
+          args,
+          context,
+          info
+        ) => {
+          // eslint-disable-next-line
+          if (!context?.userPayload?.userRecord?.IsActive) {
+            throw new AuthorizationError();
+          }
+          return await resolve(source, args, context, info);
+        };
+
+        return { ...fieldConfig, resolve: directiveResolver };
+      }
+    };
+    return mapSchema(schema, { [MapperKind.OBJECT_FIELD]: fieldMapper });
+  },
+};

package/src/directives/index.ts

@@ -0,0 +1 @@
+export * from './Public';

package/src/index.ts

@@ -0,0 +1,103 @@
+import dotenv from 'dotenv';
+
+dotenv.config();
+
+import { expressMiddleware } from '@apollo/server/express4';
+import { mergeSchemas } from '@graphql-tools/schema';
+import { Metadata } from '@memberjunction/core';
+import { setupSQLServerClient, SQLServerProviderConfigData } from '@memberjunction/sqlserver-dataprovider';
+import { json } from 'body-parser';
+import cors from 'cors';
+import express from 'express';
+import { globSync } from 'fast-glob';
+import { useServer } from 'graphql-ws/lib/use/ws';
+import { createServer } from 'node:http';
+import 'reflect-metadata';
+import { ReplaySubject } from 'rxjs';
+import { BuildSchemaOptions, buildSchemaSync, GraphQLTimestamp } from 'type-graphql';
+import { DataSource } from 'typeorm';
+import { WebSocketServer } from 'ws';
+import buildApolloServer from './apolloServer';
+import { configInfo, graphqlPort, graphqlRootPath, mj_core_schema, websiteRunFromPackage } from './config';
+import { contextFunction, getUserPayload } from './context';
+import { publicDirective } from './directives';
+import orm from './orm';
+
+const cacheRefreshInterval = configInfo.databaseSettings.metadataCacheRefreshInterval;
+
+export { configInfo } from './config';
+export { NewUserBase } from './auth/newUsers';
+export { MaxLength } from 'class-validator';
+export * from './types';
+export * from './directives';
+export * from 'type-graphql';
+
+export const serve = async (resolverPaths: Array<string>) => {
+  const dataSource = new DataSource(orm);
+  const setupComplete$ = new ReplaySubject(1);
+  dataSource
+    .initialize()
+    .then(async () => {
+      const config = new SQLServerProviderConfigData(dataSource, '', mj_core_schema, cacheRefreshInterval);
+      await setupSQLServerClient(config); // datasource is already initialized, so we can setup the client right away
+      const md = new Metadata();
+      console.log(`Data Source has been initialized. ${md?.Entities ? md.Entities.length : 0} entities loaded.`);
+
+      setupComplete$.next(true);
+    })
+    .catch((err) => {
+      console.error('Error during Data Source initialization', err);
+    });
+    
+  const paths = resolverPaths.flatMap((path) => globSync(path));
+  const dynamicModules = await Promise.all(paths.map((modulePath) => import(modulePath.replace(/\.[jt]s$/, ''))));
+  const resolvers = dynamicModules.flatMap((module) =>
+    Object.values(module).filter((value) => typeof value === 'function')
+  ) as BuildSchemaOptions['resolvers'];
+
+  const schema = publicDirective.transformer(
+    mergeSchemas({
+      schemas: [
+        buildSchemaSync({
+          resolvers,
+          validate: false,
+          scalarsMap: [{ type: Date, scalar: GraphQLTimestamp }],
+          emitSchemaFile: websiteRunFromPackage !== 1,
+        }),
+      ],
+      typeDefs: [publicDirective.typeDefs],
+    })
+  );
+
+  const app = express();
+  const httpServer = createServer(app);
+
+  const webSocketServer = new WebSocketServer({ server: httpServer, path: graphqlRootPath });
+  const serverCleanup = useServer(
+    {
+      schema,
+      context: async ({ connectionParams }) => {
+        const userPayload = await getUserPayload(String(connectionParams?.Authorization), undefined, dataSource);
+        return { userPayload };
+      },
+    },
+    webSocketServer
+  );
+
+  const apolloServer = buildApolloServer({ schema }, { httpServer, serverCleanup });
+  await apolloServer.start();
+
+  app.use(
+    graphqlRootPath,
+    cors<cors.CorsRequest>(),
+    json(),
+    expressMiddleware(apolloServer, {
+      context: contextFunction({ setupComplete$, dataSource }),
+    })
+  );
+
+  await new Promise<void>((resolve) => httpServer.listen({ port: graphqlPort }, resolve));
+  console.log(`🚀 Server ready at http://localhost:${graphqlPort}/`);
+};
+
+export default serve;

package/src/orm.ts

@@ -0,0 +1,20 @@
+import path from 'node:path';
+import { configInfo, dbDatabase, dbHost, dbPassword, dbPort, dbUsername } from './config';
+import { DataSourceOptions } from 'typeorm';
+
+const orm: DataSourceOptions = {
+  type: 'mssql',
+  entities: [path.resolve(__dirname, './generated/**')],
+  migrations: [path.resolve(__dirname, './migrations/**')],
+  logging: false,
+  host: dbHost,
+  port: dbPort,
+  username: dbUsername,
+  password: dbPassword,
+  database: dbDatabase,
+  synchronize: false,
+  requestTimeout: configInfo.databaseSettings.requestTimeout,
+  connectionTimeout: configInfo.databaseSettings.connectionTimeout, 
+};
+
+export default orm;

package/src/types.ts

@@ -0,0 +1,19 @@
+import { GraphQLSchema } from 'graphql';
+import { DataSource, QueryRunner } from 'typeorm';
+
+export type UserPayload = {
+  email: string;
+  userRecord: any;
+  sessionId: string;
+};
+
+export type AppContext = {
+  dataSource: DataSource;
+  userPayload: UserPayload;
+  queryRunner?: QueryRunner;
+};
+
+export type DirectiveBuilder = {
+  typeDefs: string;
+  transformer: (schema: GraphQLSchema) => GraphQLSchema;
+};

package/tsconfig.json

@@ -0,0 +1,27 @@
+{
+  "compilerOptions": {
+    "module": "commonjs",
+    "target": "es2020",
+    "outDir": "dist",
+    "rootDir": "src",
+    "sourceMap": true,
+    "experimentalDecorators": true,
+    "resolveJsonModule": true,
+    "esModuleInterop": true,
+    "lib": ["es2020", "esnext.asynciterable"],
+    "moduleResolution": "node",
+    "removeComments": true,
+    "noImplicitAny": true,
+    "strictNullChecks": true,
+    "strictFunctionTypes": true,
+    "noImplicitThis": true,
+    "noUnusedLocals": false,
+    "noUnusedParameters": false,
+    "noImplicitReturns": true,
+    "noFallthroughCasesInSwitch": true,
+    "allowSyntheticDefaultImports": true,
+    "emitDecoratorMetadata": true
+  },
+  "exclude": ["node_modules"],
+  "include": ["./src/**/*.ts"]
+}