@naturalcycles/backend-lib 5.2.0 → 5.4.0

package/dist/admin/secureHeaderMiddleware.js

@@ -2,6 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.createSecureHeaderMiddleware = void 0;
 const js_lib_1 = require("@naturalcycles/js-lib");
+const nodejs_lib_1 = require("@naturalcycles/nodejs-lib");
 const adminMiddleware_1 = require("./adminMiddleware");
 /**
  * Secures the endpoint by requiring a secret header to be present.
@@ -21,7 +22,7 @@ function requireSecureHeaderOrAdmin(cfg, reqPermissions) {
             return next();
         // Header provided - don't check for Admin
         if (providedHeader) {
-            if (!secureHeaderValue || providedHeader === secureHeaderValue)
+            if (!secureHeaderValue || (0, nodejs_lib_1.timingSafeStringEqual)(providedHeader, secureHeaderValue))
                 return next();
             return next(new js_lib_1.AppError('secureHeader or adminToken is required', {
                 backendResponseStatusCode: 401,

package/dist/db/httpDBRequestHandler.js

@@ -49,25 +49,25 @@ function httpDBRequestHandler(db) {
     //
     // })
     // getByIds
-    router.put('/getByIds', (0, __1.reqValidation)('body', getByIdsInputSchema), async (req, res) => {
-        const { table, ids, opt } = req.body;
+    router.put('/getByIds', async (req, res) => {
+        const { table, ids, opt } = __1.validateRequest.body(req, getByIdsInputSchema);
         res.json(await db.getByIds(table, ids, opt));
     });
     // runQuery
-    router.put('/runQuery', (0, __1.reqValidation)('body', runQueryInputSchema), async (req, res) => {
-        const { query, opt } = req.body;
+    router.put('/runQuery', async (req, res) => {
+        const { query, opt } = __1.validateRequest.body(req, runQueryInputSchema);
         const q = db_lib_1.DBQuery.fromPlainObject(query);
         res.json(await db.runQuery(q, opt));
     });
     // runQueryCount
-    router.put('/runQueryCount', (0, __1.reqValidation)('body', runQueryInputSchema), async (req, res) => {
-        const { query, opt } = req.body;
+    router.put('/runQueryCount', async (req, res) => {
+        const { query, opt } = __1.validateRequest.body(req, runQueryInputSchema);
         const q = db_lib_1.DBQuery.fromPlainObject(query);
         res.json(await db.runQueryCount(q, opt));
     });
     // saveBatch
-    router.put('/saveBatch', (0, __1.reqValidation)('body', saveBatchInputSchema), async (req, res) => {
-        const { table, rows, opt } = req.body;
+    router.put('/saveBatch', async (req, res) => {
+        const { table, rows, opt } = __1.validateRequest.body(req, saveBatchInputSchema);
         await db.saveBatch(table, rows, opt);
         res.end();
     });
@@ -77,8 +77,8 @@ function httpDBRequestHandler(db) {
     //   res.json(await db.deleteByIds(table, ids, opt))
     // })
     // deleteByQuery
-    router.put('/deleteByQuery', (0, __1.reqValidation)('body', runQueryInputSchema), async (req, res) => {
-        const { query, opt } = req.body;
+    router.put('/deleteByQuery', async (req, res) => {
+        const { query, opt } = __1.validateRequest.body(req, runQueryInputSchema);
         const q = db_lib_1.DBQuery.fromPlainObject(query);
         res.json(await db.deleteByQuery(q, opt));
     });

package/dist/deploy/deployGae.js

@@ -35,7 +35,7 @@ async function deployGae(opt = {}) {
     }, {
         name: 'deploy',
         maxAttempts: 2,
-        delay: 30000,
+        delay: 30_000,
         // todo: this doesn't work, as the error is different from what is logged.
         // We shoud somehow capture the logged text
         predicate: err => (0, js_lib_1._anyToError)(err).message.includes('operation is already in progress'),

package/dist/index.d.ts

@@ -20,7 +20,7 @@ export * from './server/notFoundMiddleware';
 export * from './server/okMiddleware';
 export * from './server/basicAuthMiddleware';
 export * from './server/requestTimeoutMiddleware';
-export * from './server/validation/reqValidationMiddleware';
+export * from './server/validation/validateRequest';
 export * from './server/simpleRequestLoggerMiddleware';
 export * from './server/serverStatusMiddleware';
 export * from './server/validation/validateMiddleware';

package/dist/index.js

@@ -25,7 +25,7 @@ tslib_1.__exportStar(require("./server/notFoundMiddleware"), exports);
 tslib_1.__exportStar(require("./server/okMiddleware"), exports);
 tslib_1.__exportStar(require("./server/basicAuthMiddleware"), exports);
 tslib_1.__exportStar(require("./server/requestTimeoutMiddleware"), exports);
-tslib_1.__exportStar(require("./server/validation/reqValidationMiddleware"), exports);
+tslib_1.__exportStar(require("./server/validation/validateRequest"), exports);
 tslib_1.__exportStar(require("./server/simpleRequestLoggerMiddleware"), exports);
 tslib_1.__exportStar(require("./server/serverStatusMiddleware"), exports);
 tslib_1.__exportStar(require("./server/validation/validateMiddleware"), exports);

package/dist/server/basicAuthMiddleware.js

@@ -9,7 +9,7 @@ function basicAuthMiddleware(cfg) {
         const hash = (req.headers.authorization || '').split(' ')[1];
         if (hash) {
             const [login, password] = (0, js_lib_1._split)((0, nodejs_lib_1.base64ToString)(hash), ':', 2);
-            if (login && password && cfg.loginPasswordMap[login] === password) {
+            if (login && password && (0, nodejs_lib_1.timingSafeStringEqual)(cfg.loginPasswordMap[login], password)) {
                 return next();
             }
         }

package/dist/server/serverStatsMiddleware.js

@@ -88,7 +88,7 @@ function serverStatsMiddleware() {
             if (res.statusCode) {
                 serverStatsMap[endpoint][getStatusFamily(res.statusCode)]++;
             }
-            if (now - lastCleanup > 60000) {
+            if (now - lastCleanup > 60_000) {
                 lastCleanup = now;
                 cleanupServerStats();
             }

package/dist/server/startServer.js

@@ -62,7 +62,7 @@ class BackendServer {
         const shutdownTimeout = setTimeout(() => {
             console.log((0, nodejs_lib_1.boldGrey)('Forceful shutdown after timeout'));
             process.exit(0);
-        }, this.cfg.forceShutdownTimeout ?? 10000);
+        }, this.cfg.forceShutdownTimeout ?? 10_000);
         try {
             await Promise.all([
                 this.server && new Promise(r => this.server.close(r)),

package/dist/server/validation/validateMiddleware.d.ts

@@ -1,7 +1,7 @@
 import { JsonSchema, JsonSchemaBuilder } from '@naturalcycles/js-lib';
 import { AjvSchema, AjvValidationError } from '@naturalcycles/nodejs-lib';
 import { BackendRequestHandler } from '../server.model';
-import { ReqValidationOptions } from './reqValidationMiddleware';
+import { ReqValidationOptions } from './validateRequest';
 export declare function validateBody(schema: JsonSchema | JsonSchemaBuilder | AjvSchema, opt?: ReqValidationOptions<AjvValidationError>): BackendRequestHandler;
 export declare function validateParams(schema: JsonSchema | JsonSchemaBuilder | AjvSchema, opt?: ReqValidationOptions<AjvValidationError>): BackendRequestHandler;
 export declare function validateQuery(schema: JsonSchema | JsonSchemaBuilder | AjvSchema, opt?: ReqValidationOptions<AjvValidationError>): BackendRequestHandler;

package/dist/server/validation/{reqValidationMiddleware.d.ts → validateRequest.d.ts}

@@ -1,5 +1,5 @@
 import { AnySchema, JoiValidationError } from '@naturalcycles/nodejs-lib';
-import { BackendRequest, BackendRequestHandler } from '../server.model';
+import { BackendRequest } from '../server.model';
 export interface ReqValidationOptions<ERR extends Error> {
     /**
      * Pass a 'dot-paths' (e.g `pw`, or `input.pw`) that needs to be redacted from the output, in case of error.
@@ -12,7 +12,6 @@ export interface ReqValidationOptions<ERR extends Error> {
      */
     report?: boolean | ((err: ERR) => boolean);
 }
-export declare function reqValidation(reqProperty: 'body' | 'params' | 'query', schema: AnySchema, opt?: ReqValidationOptions<JoiValidationError>): BackendRequestHandler;
 declare class ValidateRequest {
     body<T>(req: BackendRequest, schema: AnySchema<T>, opt?: ReqValidationOptions<JoiValidationError>): T;
     query<T>(req: BackendRequest, schema: AnySchema<T>, opt?: ReqValidationOptions<JoiValidationError>): T;

package/dist/server/validation/{reqValidationMiddleware.js → validateRequest.js}

@@ -1,32 +1,9 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.validateRequest = exports.reqValidation = void 0;
+exports.validateRequest = void 0;
 const js_lib_1 = require("@naturalcycles/js-lib");
 const nodejs_lib_1 = require("@naturalcycles/nodejs-lib");
 const REDACTED = 'REDACTED';
-function reqValidation(reqProperty, schema, opt = {}) {
-    const reportPredicate = typeof opt.report === 'function' ? opt.report : () => opt.report;
-    return (req, res, next) => {
-        const { value, error } = (0, nodejs_lib_1.getValidationResult)(req[reqProperty], schema, `request ${reqProperty}`);
-        if (error) {
-            const report = reportPredicate(error);
-            if (opt.redactPaths) {
-                redact(opt.redactPaths, req[reqProperty], error);
-                error.data.joiValidationErrorItems.length = 0; // clears the array
-                delete error.data.annotation;
-            }
-            return next(new js_lib_1.AppError(error.message, {
-                backendResponseStatusCode: 400,
-                report,
-                ...error.data,
-            }));
-        }
-        // mutate req to replace the property with the value, converted by Joi
-        req[reqProperty] = value;
-        next();
-    };
-}
-exports.reqValidation = reqValidation;
 /**
  * Mutates error
  */

package/dist/server/validation/zodValidateMiddleware.d.ts

@@ -1,6 +1,6 @@
 import { ZodSchema, ZodValidationError } from '@naturalcycles/js-lib';
 import { BackendRequestHandler } from '../server.model';
-import { ReqValidationOptions } from './reqValidationMiddleware';
+import { ReqValidationOptions } from './validateRequest';
 /**
  * Validates req property (body, params or query).
  * Supports Joi schema or AjvSchema (from nodejs-lib).

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@naturalcycles/backend-lib",
-  "version": "5.2.0",
+  "version": "5.4.0",
   "scripts": {
     "prepare": "husky",
     "dev": "APP_ENV=dev nodemon",
@@ -36,7 +36,7 @@
     "yargs": "^17.0.0"
   },
   "devDependencies": {
-    "@naturalcycles/bench-lib": "^1.0.7",
+    "@naturalcycles/bench-lib": "^2.0.0",
     "@naturalcycles/dev-lib": "^13.0.0",
     "@sentry/node": "^7.0.0",
     "@types/ejs": "^3.0.0",

package/src/admin/secureHeaderMiddleware.ts

@@ -1,4 +1,5 @@
 import { AppError } from '@naturalcycles/js-lib'
+import { timingSafeStringEqual } from '@naturalcycles/nodejs-lib'
 import { BackendRequestHandler } from '../server/server.model'
 import { AdminMiddleware, RequireAdminCfg, requireAdminPermissions } from './adminMiddleware'
 import { BaseAdminService } from './base.admin.service'
@@ -41,7 +42,8 @@ function requireSecureHeaderOrAdmin(
 
     // Header provided - don't check for Admin
     if (providedHeader) {
-      if (!secureHeaderValue || providedHeader === secureHeaderValue) return next()
+      if (!secureHeaderValue || timingSafeStringEqual(providedHeader, secureHeaderValue))
+        return next()
 
       return next(
         new AppError('secureHeader or adminToken is required', {

package/src/db/httpDBRequestHandler.ts

@@ -12,7 +12,7 @@ import {
 } from '@naturalcycles/db-lib/dist/validation'
 import { ObjectWithId } from '@naturalcycles/js-lib'
 import { anyObjectSchema, arraySchema, objectSchema, stringSchema } from '@naturalcycles/nodejs-lib'
-import { BackendRouter, getDefaultRouter, reqValidation } from '..'
+import { BackendRouter, getDefaultRouter, validateRequest } from '..'
 
 export interface GetByIdsInput {
   table: string
@@ -84,28 +84,28 @@ export function httpDBRequestHandler(db: CommonDB): BackendRouter {
   // })
 
   // getByIds
-  router.put('/getByIds', reqValidation('body', getByIdsInputSchema), async (req, res) => {
-    const { table, ids, opt } = req.body as GetByIdsInput
+  router.put('/getByIds', async (req, res) => {
+    const { table, ids, opt } = validateRequest.body(req, getByIdsInputSchema)
     res.json(await db.getByIds(table, ids, opt))
   })
 
   // runQuery
-  router.put('/runQuery', reqValidation('body', runQueryInputSchema), async (req, res) => {
-    const { query, opt } = req.body as RunQueryInput
+  router.put('/runQuery', async (req, res) => {
+    const { query, opt } = validateRequest.body(req, runQueryInputSchema)
     const q = DBQuery.fromPlainObject(query)
     res.json(await db.runQuery(q, opt))
   })
 
   // runQueryCount
-  router.put('/runQueryCount', reqValidation('body', runQueryInputSchema), async (req, res) => {
-    const { query, opt } = req.body as RunQueryInput
+  router.put('/runQueryCount', async (req, res) => {
+    const { query, opt } = validateRequest.body(req, runQueryInputSchema)
     const q = DBQuery.fromPlainObject(query)
     res.json(await db.runQueryCount(q, opt))
   })
 
   // saveBatch
-  router.put('/saveBatch', reqValidation('body', saveBatchInputSchema), async (req, res) => {
-    const { table, rows, opt } = req.body as SaveBatchInput
+  router.put('/saveBatch', async (req, res) => {
+    const { table, rows, opt } = validateRequest.body(req, saveBatchInputSchema)
     await db.saveBatch(table, rows, opt)
     res.end()
   })
@@ -117,8 +117,8 @@ export function httpDBRequestHandler(db: CommonDB): BackendRouter {
   // })
 
   // deleteByQuery
-  router.put('/deleteByQuery', reqValidation('body', runQueryInputSchema), async (req, res) => {
-    const { query, opt } = req.body as RunQueryInput
+  router.put('/deleteByQuery', async (req, res) => {
+    const { query, opt } = validateRequest.body(req, runQueryInputSchema)
     const q = DBQuery.fromPlainObject(query)
     res.json(await db.deleteByQuery(q, opt))
   })

package/src/index.ts

@@ -20,7 +20,7 @@ export * from './server/notFoundMiddleware'
 export * from './server/okMiddleware'
 export * from './server/basicAuthMiddleware'
 export * from './server/requestTimeoutMiddleware'
-export * from './server/validation/reqValidationMiddleware'
+export * from './server/validation/validateRequest'
 export * from './server/simpleRequestLoggerMiddleware'
 export * from './server/serverStatusMiddleware'
 export * from './server/validation/validateMiddleware'

package/src/server/basicAuthMiddleware.ts

@@ -1,5 +1,5 @@
 import { _split, StringMap } from '@naturalcycles/js-lib'
-import { base64ToString } from '@naturalcycles/nodejs-lib'
+import { base64ToString, timingSafeStringEqual } from '@naturalcycles/nodejs-lib'
 import { BackendRequestHandler } from './server.model'
 
 export interface BasicAuthMiddlewareCfg {
@@ -21,7 +21,7 @@ export function basicAuthMiddleware(cfg: BasicAuthMiddlewareCfg): BackendRequest
     const hash = (req.headers.authorization || '').split(' ')[1]
     if (hash) {
       const [login, password] = _split(base64ToString(hash), ':', 2)
-      if (login && password && cfg.loginPasswordMap[login] === password) {
+      if (login && password && timingSafeStringEqual(cfg.loginPasswordMap[login], password)) {
         return next()
       }
     }

package/src/server/validation/validateMiddleware.ts

@@ -1,7 +1,7 @@
 import { JsonSchema, JsonSchemaBuilder, _get, AppError } from '@naturalcycles/js-lib'
 import { AjvSchema, AjvValidationError } from '@naturalcycles/nodejs-lib'
 import { BackendRequestHandler } from '../server.model'
-import { ReqValidationOptions } from './reqValidationMiddleware'
+import { ReqValidationOptions } from './validateRequest'
 
 const REDACTED = 'REDACTED'
 

package/src/server/validation/{reqValidationMiddleware.ts → validateRequest.ts}

@@ -1,6 +1,6 @@
 import { _get, AppError } from '@naturalcycles/js-lib'
 import { AnySchema, getValidationResult, JoiValidationError } from '@naturalcycles/nodejs-lib'
-import { BackendRequest, BackendRequestHandler } from '../server.model'
+import { BackendRequest } from '../server.model'
 
 const REDACTED = 'REDACTED'
 
@@ -18,40 +18,6 @@ export interface ReqValidationOptions<ERR extends Error> {
   report?: boolean | ((err: ERR) => boolean)
 }
 
-export function reqValidation(
-  reqProperty: 'body' | 'params' | 'query',
-  schema: AnySchema,
-  opt: ReqValidationOptions<JoiValidationError> = {},
-): BackendRequestHandler {
-  const reportPredicate =
-    typeof opt.report === 'function' ? opt.report : () => opt.report as boolean | undefined
-
-  return (req, res, next) => {
-    const { value, error } = getValidationResult(req[reqProperty], schema, `request ${reqProperty}`)
-    if (error) {
-      const report = reportPredicate(error)
-
-      if (opt.redactPaths) {
-        redact(opt.redactPaths, req[reqProperty], error)
-        error.data.joiValidationErrorItems.length = 0 // clears the array
-        delete error.data.annotation
-      }
-
-      return next(
-        new AppError(error.message, {
-          backendResponseStatusCode: 400,
-          report,
-          ...error.data,
-        }),
-      )
-    }
-
-    // mutate req to replace the property with the value, converted by Joi
-    req[reqProperty] = value
-    next()
-  }
-}
-
 /**
  * Mutates error
  */

package/src/server/validation/zodValidateMiddleware.ts

@@ -1,6 +1,6 @@
 import { _get, AppError, ZodSchema, ZodValidationError, zSafeValidate } from '@naturalcycles/js-lib'
 import { BackendRequestHandler } from '../server.model'
-import { ReqValidationOptions } from './reqValidationMiddleware'
+import { ReqValidationOptions } from './validateRequest'
 
 const REDACTED = 'REDACTED'