@objectstack/service-settings 10.3.0 → 11.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +202 -93
- package/dist/index.cjs +184 -5
- package/dist/index.cjs.map +1 -1
- package/dist/index.js +184 -5
- package/dist/index.js.map +1 -1
- package/package.json +5 -5
package/dist/index.js
CHANGED
|
@@ -1128,7 +1128,15 @@ function registerSettingsRoutes(http, service, opts = {}) {
|
|
|
1128
1128
|
}));
|
|
1129
1129
|
http.put(`${base}/:namespace`, (async (req, res) => {
|
|
1130
1130
|
const ns = req.params.namespace;
|
|
1131
|
-
|
|
1131
|
+
let body = req.body ?? {};
|
|
1132
|
+
if (Object.keys(body).length === 1 && body.values && typeof body.values === "object" && !Array.isArray(body.values)) {
|
|
1133
|
+
const inner = body.values;
|
|
1134
|
+
body = Object.fromEntries(
|
|
1135
|
+
Object.entries(inner).map(
|
|
1136
|
+
([k, v]) => v && typeof v === "object" && !Array.isArray(v) && "value" in v ? [k, v.value] : [k, v]
|
|
1137
|
+
)
|
|
1138
|
+
);
|
|
1139
|
+
}
|
|
1132
1140
|
try {
|
|
1133
1141
|
const ctx = ctxOf(req);
|
|
1134
1142
|
const result = await service.setMany(ns, body, ctx);
|
|
@@ -1257,6 +1265,133 @@ var manifest = {
|
|
|
1257
1265
|
description: "Upper bound guards against denial-of-service via very long password hashing.",
|
|
1258
1266
|
visible: "${data.email_password_enabled !== false}"
|
|
1259
1267
|
},
|
|
1268
|
+
{
|
|
1269
|
+
type: "toggle",
|
|
1270
|
+
key: "password_reject_breached",
|
|
1271
|
+
label: "Reject breached passwords",
|
|
1272
|
+
required: false,
|
|
1273
|
+
default: false,
|
|
1274
|
+
description: "Block passwords found in public breach corpora via Have I Been Pwned (k-anonymity range check; the password is never sent in full).",
|
|
1275
|
+
visible: "${data.email_password_enabled !== false}"
|
|
1276
|
+
},
|
|
1277
|
+
{
|
|
1278
|
+
type: "toggle",
|
|
1279
|
+
key: "password_require_complexity",
|
|
1280
|
+
label: "Require complex passwords",
|
|
1281
|
+
required: false,
|
|
1282
|
+
default: false,
|
|
1283
|
+
description: "Require passwords to mix character classes (uppercase, lowercase, digits, symbols) on sign-up and password change/reset.",
|
|
1284
|
+
visible: "${data.email_password_enabled !== false}"
|
|
1285
|
+
},
|
|
1286
|
+
{
|
|
1287
|
+
type: "number",
|
|
1288
|
+
key: "password_min_classes",
|
|
1289
|
+
label: "Minimum character classes",
|
|
1290
|
+
required: false,
|
|
1291
|
+
default: 3,
|
|
1292
|
+
min: 1,
|
|
1293
|
+
max: 4,
|
|
1294
|
+
description: "How many of the four classes (upper / lower / digit / symbol) a password must include.",
|
|
1295
|
+
visible: "${data.email_password_enabled !== false && data.password_require_complexity === true}"
|
|
1296
|
+
},
|
|
1297
|
+
{
|
|
1298
|
+
type: "number",
|
|
1299
|
+
key: "password_history_count",
|
|
1300
|
+
label: "Password history (no reuse)",
|
|
1301
|
+
required: false,
|
|
1302
|
+
default: 0,
|
|
1303
|
+
min: 0,
|
|
1304
|
+
max: 24,
|
|
1305
|
+
description: "Block reusing this many previous passwords on change/reset. 0 disables the check.",
|
|
1306
|
+
visible: "${data.email_password_enabled !== false}"
|
|
1307
|
+
},
|
|
1308
|
+
{
|
|
1309
|
+
type: "number",
|
|
1310
|
+
key: "password_expiry_days",
|
|
1311
|
+
label: "Password expiry (days)",
|
|
1312
|
+
required: false,
|
|
1313
|
+
default: 0,
|
|
1314
|
+
min: 0,
|
|
1315
|
+
max: 3650,
|
|
1316
|
+
description: "Force a password change after this many days. 0 disables expiry. While expired, the user is blocked from data until they change their password.",
|
|
1317
|
+
visible: "${data.email_password_enabled !== false}"
|
|
1318
|
+
},
|
|
1319
|
+
{
|
|
1320
|
+
type: "group",
|
|
1321
|
+
id: "anti_abuse",
|
|
1322
|
+
label: "Anti-abuse",
|
|
1323
|
+
required: false,
|
|
1324
|
+
description: "Brute-force protection: per-identity account lockout and per-IP rate limiting on auth endpoints."
|
|
1325
|
+
},
|
|
1326
|
+
{
|
|
1327
|
+
type: "number",
|
|
1328
|
+
key: "lockout_threshold",
|
|
1329
|
+
label: "Account lockout threshold",
|
|
1330
|
+
required: false,
|
|
1331
|
+
default: 0,
|
|
1332
|
+
min: 0,
|
|
1333
|
+
max: 20,
|
|
1334
|
+
description: "Lock an account after this many consecutive failed sign-ins. 0 disables lockout. While locked, sign-in is rejected even with the correct password.",
|
|
1335
|
+
visible: "${data.email_password_enabled !== false}"
|
|
1336
|
+
},
|
|
1337
|
+
{
|
|
1338
|
+
type: "number",
|
|
1339
|
+
key: "lockout_duration_minutes",
|
|
1340
|
+
label: "Lockout duration (minutes)",
|
|
1341
|
+
required: false,
|
|
1342
|
+
default: 15,
|
|
1343
|
+
min: 1,
|
|
1344
|
+
max: 1440,
|
|
1345
|
+
description: "How long an account stays locked once the threshold is crossed.",
|
|
1346
|
+
visible: "${data.email_password_enabled !== false && data.lockout_threshold > 0}"
|
|
1347
|
+
},
|
|
1348
|
+
{
|
|
1349
|
+
type: "number",
|
|
1350
|
+
key: "rate_limit_max",
|
|
1351
|
+
label: "Auth rate-limit: max requests",
|
|
1352
|
+
required: false,
|
|
1353
|
+
default: 10,
|
|
1354
|
+
min: 1,
|
|
1355
|
+
max: 1e3,
|
|
1356
|
+
description: "Maximum requests per IP, per window, to the sign-in / sign-up / password-reset endpoints."
|
|
1357
|
+
},
|
|
1358
|
+
{
|
|
1359
|
+
type: "number",
|
|
1360
|
+
key: "rate_limit_window_seconds",
|
|
1361
|
+
label: "Auth rate-limit: window (seconds)",
|
|
1362
|
+
required: false,
|
|
1363
|
+
default: 60,
|
|
1364
|
+
min: 1,
|
|
1365
|
+
max: 3600,
|
|
1366
|
+
description: "Sliding window over which the request cap above is counted."
|
|
1367
|
+
},
|
|
1368
|
+
{
|
|
1369
|
+
type: "group",
|
|
1370
|
+
id: "multi_factor",
|
|
1371
|
+
label: "Multi-factor",
|
|
1372
|
+
required: false,
|
|
1373
|
+
description: "Require members to protect their account with an authenticator app (TOTP)."
|
|
1374
|
+
},
|
|
1375
|
+
{
|
|
1376
|
+
type: "toggle",
|
|
1377
|
+
key: "mfa_required",
|
|
1378
|
+
label: "Require multi-factor authentication",
|
|
1379
|
+
required: false,
|
|
1380
|
+
default: false,
|
|
1381
|
+
description: "Users without an authenticator enrolled are blocked from data once their grace period ends. Enabling this also turns on the two-factor feature so users can enroll.",
|
|
1382
|
+
visible: "${data.email_password_enabled !== false}"
|
|
1383
|
+
},
|
|
1384
|
+
{
|
|
1385
|
+
type: "number",
|
|
1386
|
+
key: "mfa_grace_period_days",
|
|
1387
|
+
label: "MFA grace period (days)",
|
|
1388
|
+
required: false,
|
|
1389
|
+
default: 7,
|
|
1390
|
+
min: 0,
|
|
1391
|
+
max: 90,
|
|
1392
|
+
description: "How long users may defer enrollment before the hard block. 0 blocks immediately.",
|
|
1393
|
+
visible: "${data.mfa_required === true}"
|
|
1394
|
+
},
|
|
1260
1395
|
{
|
|
1261
1396
|
type: "group",
|
|
1262
1397
|
id: "sessions",
|
|
@@ -1284,6 +1419,50 @@ var manifest = {
|
|
|
1284
1419
|
max: 90,
|
|
1285
1420
|
description: "An active session is extended when it is older than this."
|
|
1286
1421
|
},
|
|
1422
|
+
{
|
|
1423
|
+
type: "number",
|
|
1424
|
+
key: "session_idle_timeout_minutes",
|
|
1425
|
+
label: "Idle timeout (minutes)",
|
|
1426
|
+
required: false,
|
|
1427
|
+
default: 0,
|
|
1428
|
+
min: 0,
|
|
1429
|
+
max: 10080,
|
|
1430
|
+
description: "Sign a user out after this many minutes of inactivity. 0 disables."
|
|
1431
|
+
},
|
|
1432
|
+
{
|
|
1433
|
+
type: "number",
|
|
1434
|
+
key: "session_absolute_max_hours",
|
|
1435
|
+
label: "Absolute session lifetime (hours)",
|
|
1436
|
+
required: false,
|
|
1437
|
+
default: 0,
|
|
1438
|
+
min: 0,
|
|
1439
|
+
max: 8760,
|
|
1440
|
+
description: "Force re-authentication this many hours after sign-in, regardless of activity. 0 disables."
|
|
1441
|
+
},
|
|
1442
|
+
{
|
|
1443
|
+
type: "number",
|
|
1444
|
+
key: "max_concurrent_sessions_per_user",
|
|
1445
|
+
label: "Max concurrent sessions per user",
|
|
1446
|
+
required: false,
|
|
1447
|
+
default: 0,
|
|
1448
|
+
min: 0,
|
|
1449
|
+
max: 100,
|
|
1450
|
+
description: "Cap simultaneous signed-in sessions per user; the oldest are signed out past the cap. 0 = unlimited."
|
|
1451
|
+
},
|
|
1452
|
+
{
|
|
1453
|
+
type: "group",
|
|
1454
|
+
id: "network",
|
|
1455
|
+
label: "Network",
|
|
1456
|
+
required: false,
|
|
1457
|
+
description: "Restrict where users can authenticate from."
|
|
1458
|
+
},
|
|
1459
|
+
{
|
|
1460
|
+
type: "textarea",
|
|
1461
|
+
key: "allowed_ip_ranges",
|
|
1462
|
+
label: "Allowed IP ranges",
|
|
1463
|
+
required: false,
|
|
1464
|
+
description: "CIDR ranges or exact IPs (one per line, or comma-separated), e.g. 203.0.113.0/24. When set, sign-in from outside these ranges is rejected. Empty = no restriction. Requires a trusted proxy to set X-Forwarded-For."
|
|
1465
|
+
},
|
|
1287
1466
|
{
|
|
1288
1467
|
type: "group",
|
|
1289
1468
|
id: "social",
|
|
@@ -3205,10 +3384,10 @@ var zhCN = {
|
|
|
3205
3384
|
default_country: { label: "\u9ED8\u8BA4\u56FD\u5BB6/\u5730\u533A", help: "ISO 3166-1 \u4E8C\u4F4D\u4EE3\u7801(\u5982 US\u3001GB\u3001CN)\u3002" },
|
|
3206
3385
|
date_format: { label: "\u65E5\u671F\u683C\u5F0F" },
|
|
3207
3386
|
time_format: { label: "\u65F6\u95F4\u683C\u5F0F", options: { "24h": "24 \u5C0F\u65F6\u5236(14:30)", "12h": "12 \u5C0F\u65F6\u5236(2:30 PM)" } },
|
|
3208
|
-
number_format: { label: "\u6570\u5B57\u683C\u5F0F" },
|
|
3209
|
-
first_day_of_week: { label: "\u6BCF\u5468\u8D77\u59CB\u65E5", options: { monday: "\u5468\u4E00(ISO)", sunday: "\u5468\u65E5", saturday: "\u5468\u516D" } },
|
|
3210
|
-
currency: { label: "\u9ED8\u8BA4\u8D27\u5E01" },
|
|
3211
|
-
fiscal_year_start: { label: "\u8D22\u5E74\u8D77\u59CB\u6708" }
|
|
3387
|
+
number_format: { label: "\u6570\u5B57\u683C\u5F0F", help: "\u7528\u4E8E\u663E\u793A\u6570\u5B57\u7684\u5343\u5206\u4F4D\u4E0E\u5C0F\u6570\u5206\u9694\u7B26\u3002" },
|
|
3388
|
+
first_day_of_week: { label: "\u6BCF\u5468\u8D77\u59CB\u65E5", help: "\u7528\u4F5C\u5468\u5EA6\u5206\u6790\u5206\u6876\u4E0E\u65E5\u5386\u7F51\u683C\u7684\u8D77\u59CB\u57FA\u51C6\u3002", options: { monday: "\u5468\u4E00(ISO)", sunday: "\u5468\u65E5", saturday: "\u5468\u516D" } },
|
|
3389
|
+
currency: { label: "\u9ED8\u8BA4\u8D27\u5E01", help: "\u5F53\u8D27\u5E01\u5B57\u6BB5\u672A\u6307\u5B9A\u5E01\u79CD\u65F6\u5957\u7528\u7684 ISO 4217 \u4EE3\u7801\u3002" },
|
|
3390
|
+
fiscal_year_start: { label: "\u8D22\u5E74\u8D77\u59CB\u6708", help: '\u8D22\u5E74\u7684\u8D77\u59CB\u6708\u4EFD\u2014\u2014\u51B3\u5B9A\u62A5\u8868\u4E2D\u7684"\u672C\u5B63\u5EA6/\u672C\u8D22\u5E74"\u3002' }
|
|
3212
3391
|
}
|
|
3213
3392
|
},
|
|
3214
3393
|
auth: {
|