@oneuptime/common 10.5.8 → 10.5.9

package/Server/API/DashboardAPI.ts

@@ -26,6 +26,219 @@ import ForbiddenException from "../../Types/Exception/ForbiddenException";
 import JSONFunctions from "../../Types/JSONFunctions";
 import TelemetryAttributeService from "../Services/TelemetryAttributeService";
 import TelemetryType from "../../Types/Telemetry/TelemetryType";
+import { JSONObject } from "../../Types/JSON";
+import AggregateBy from "../Types/AnalyticsDatabase/AggregateBy";
+import AggregatedResult from "../../Types/BaseDatabase/AggregatedResult";
+import SortOrder from "../../Types/BaseDatabase/SortOrder";
+import { LIMIT_PER_PROJECT } from "../../Types/Database/LimitMax";
+import Metric from "../../Models/AnalyticsModels/Metric";
+import MetricType from "../../Models/DatabaseModels/MetricType";
+import MetricService from "../Services/MetricService";
+import MetricTypeService from "../Services/MetricTypeService";
+import PositiveNumber from "../../Types/PositiveNumber";
+import BaseModel from "../../Models/DatabaseModels/DatabaseBaseModel/DatabaseBaseModel";
+import AnalyticsDataModel from "../../Models/AnalyticsModels/AnalyticsBaseModel/AnalyticsBaseModel";
+import Incident from "../../Models/DatabaseModels/Incident";
+import Alert from "../../Models/DatabaseModels/Alert";
+import Monitor from "../../Models/DatabaseModels/Monitor";
+import Host from "../../Models/DatabaseModels/Host";
+import KubernetesResource from "../../Models/DatabaseModels/KubernetesResource";
+import DockerHost from "../../Models/DatabaseModels/DockerHost";
+import DockerResource from "../../Models/DatabaseModels/DockerResource";
+import Span from "../../Models/AnalyticsModels/Span";
+import Log from "../../Models/AnalyticsModels/Log";
+import IncidentService from "../Services/IncidentService";
+import AlertService from "../Services/AlertService";
+import MonitorService from "../Services/MonitorService";
+import HostService from "../Services/HostService";
+import KubernetesResourceService from "../Services/KubernetesResourceService";
+import DockerHostService from "../Services/DockerHostService";
+import DockerResourceService from "../Services/DockerResourceService";
+import SpanService from "../Services/SpanService";
+import LogService from "../Services/LogService";
+
+/*
+ * Registry of the non-metric widgets a public dashboard may render. The
+ * `select` is the FIXED set of columns the corresponding widget displays —
+ * the public list endpoint ignores any client-supplied select and uses this,
+ * so an anonymous viewer can only ever read these columns (and only for the
+ * dashboard's own project). Adding a widget to a public dashboard is the
+ * owner's explicit opt-in to exposing these columns.
+ */
+interface PublicDashboardResourceConfig {
+  modelType: { new (): BaseModel | AnalyticsDataModel };
+  service: {
+    findBy: (findBy: any) => Promise<Array<BaseModel | AnalyticsDataModel>>;
+  };
+  select: JSONObject;
+}
+
+const DEFAULT_DASHBOARD_RESOURCE_LIMIT: number = 100;
+
+const PUBLIC_DASHBOARD_RESOURCES: Record<
+  string,
+  PublicDashboardResourceConfig
+> = {
+  incident: {
+    modelType: Incident,
+    service: IncidentService,
+    select: {
+      _id: true,
+      title: true,
+      createdAt: true,
+      currentIncidentState: { name: true, color: true },
+      incidentSeverity: { name: true, color: true },
+    },
+  },
+  alert: {
+    modelType: Alert,
+    service: AlertService,
+    select: {
+      _id: true,
+      title: true,
+      createdAt: true,
+      currentAlertState: { name: true, color: true },
+      alertSeverity: { name: true, color: true },
+    },
+  },
+  monitor: {
+    modelType: Monitor,
+    service: MonitorService,
+    select: {
+      _id: true,
+      name: true,
+      monitorType: true,
+      currentMonitorStatus: { name: true, color: true },
+    },
+  },
+  host: {
+    modelType: Host,
+    service: HostService,
+    select: {
+      _id: true,
+      name: true,
+      hostIdentifier: true,
+      otelCollectorStatus: true,
+      osType: true,
+      osVersion: true,
+      cpuCores: true,
+      totalMemoryBytes: true,
+      lastSeenAt: true,
+    },
+  },
+  "kubernetes-resource": {
+    modelType: KubernetesResource,
+    service: KubernetesResourceService,
+    select: {
+      _id: true,
+      name: true,
+      namespaceKey: true,
+      kind: true,
+      phase: true,
+      isReady: true,
+      hasMemoryPressure: true,
+      hasDiskPressure: true,
+      hasPidPressure: true,
+      containerCount: true,
+      latestCpuPercent: true,
+      latestMemoryBytes: true,
+      controllerDeploymentName: true,
+      controllerCronJobName: true,
+      resourceCreationTimestamp: true,
+      lastSeenAt: true,
+      kubernetesClusterId: true,
+      kubernetesCluster: { name: true },
+    },
+  },
+  "docker-host": {
+    modelType: DockerHost,
+    service: DockerHostService,
+    select: {
+      _id: true,
+      name: true,
+      otelCollectorStatus: true,
+      containersRunning: true,
+      containersStopped: true,
+      containersPaused: true,
+      osType: true,
+      osVersion: true,
+    },
+  },
+  "docker-container": {
+    modelType: DockerResource,
+    service: DockerResourceService,
+    select: {
+      _id: true,
+      name: true,
+      imageName: true,
+      state: true,
+      latestCpuPercent: true,
+      latestMemoryBytes: true,
+      dockerHostId: true,
+      dockerHost: { name: true },
+    },
+  },
+  "docker-image": {
+    modelType: DockerResource,
+    service: DockerResourceService,
+    select: {
+      _id: true,
+      name: true,
+      containerId: true,
+      dockerHostId: true,
+      dockerHost: { name: true },
+    },
+  },
+  "docker-network": {
+    modelType: DockerResource,
+    service: DockerResourceService,
+    select: {
+      _id: true,
+      name: true,
+      state: true,
+      dockerHostId: true,
+      dockerHost: { name: true },
+    },
+  },
+  "docker-volume": {
+    modelType: DockerResource,
+    service: DockerResourceService,
+    select: {
+      _id: true,
+      name: true,
+      state: true,
+      dockerHostId: true,
+      dockerHost: { name: true },
+    },
+  },
+  span: {
+    modelType: Span,
+    service: SpanService,
+    select: {
+      startTime: true,
+      name: true,
+      statusCode: true,
+      durationUnixNano: true,
+      traceId: true,
+      spanId: true,
+      kind: true,
+      serviceId: true,
+    },
+  },
+  log: {
+    modelType: Log,
+    service: LogService,
+    select: {
+      time: true,
+      severityText: true,
+      body: true,
+      serviceId: true,
+      traceId: true,
+      spanId: true,
+      attributes: true,
+    },
+  },
+};
 
 export default class DashboardAPI extends BaseAPI<
   Dashboard,
@@ -392,6 +605,268 @@ export default class DashboardAPI extends BaseAPI<
       },
     );
 
+    /*
+     * Public metric-type lookup for dashboard charts.
+     *
+     * The private `/metric-type/get-list` CRUD route requires a logged-in
+     * session with Telemetry read permission; public dashboards have no
+     * session, so the shared chart code used to fall through to it, 401 →
+     * the global API error handler redirected the viewer to /accounts/login.
+     * Mirror it here scoped to the dashboard's owning projectId.
+     * Authorization reuses DashboardService.hasReadAccess (public flag, IP
+     * whitelist, master password) — never falls back to project-wide read.
+     */
+    this.router.post(
+      `${new this.entityType()
+        .getCrudApiPath()
+        ?.toString()}/metric-types/:dashboardId`,
+      UserMiddleware.getUserMiddleware,
+      async (req: ExpressRequest, res: ExpressResponse, next: NextFunction) => {
+        try {
+          const dashboardId: ObjectID = new ObjectID(
+            req.params["dashboardId"] as string,
+          );
+
+          const accessResult: {
+            hasReadAccess: boolean;
+            error?: NotAuthenticatedException | ForbiddenException;
+          } = await DashboardService.hasReadAccess({
+            dashboardId,
+            req,
+          });
+
+          if (!accessResult.hasReadAccess) {
+            throw (
+              accessResult.error ||
+              new BadDataException("Access denied to this dashboard.")
+            );
+          }
+
+          const dashboard: Dashboard | null =
+            await DashboardService.findOneById({
+              id: dashboardId,
+              select: {
+                _id: true,
+                projectId: true,
+                dashboardViewConfig: true,
+              },
+              props: {
+                isRoot: true,
+              },
+            });
+
+          if (!dashboard || !dashboard.projectId) {
+            throw new NotFoundException("Dashboard not found");
+          }
+
+          /*
+           * Only expose metric types the dashboard actually charts, so a
+           * public viewer cannot enumerate the owning project's full metric
+           * catalog.
+           */
+          const allowedMetricNames: Set<string> =
+            DashboardAPI.collectDashboardMetricNames(
+              dashboard.dashboardViewConfig,
+            );
+
+          if (allowedMetricNames.size === 0) {
+            return Response.sendJsonObjectResponse(req, res, {
+              metricTypes: [],
+            });
+          }
+
+          const metricTypes: Array<MetricType> = await MetricTypeService.findBy(
+            {
+              query: {
+                projectId: dashboard.projectId,
+              },
+              select: {
+                name: true,
+                unit: true,
+              },
+              skip: 0,
+              limit: LIMIT_PER_PROJECT,
+              sort: {
+                name: SortOrder.Ascending,
+              },
+              props: {
+                isRoot: true,
+              },
+            },
+          );
+
+          return Response.sendJsonObjectResponse(req, res, {
+            metricTypes: metricTypes
+              .filter((metricType: MetricType) => {
+                return Boolean(
+                  metricType.name && allowedMetricNames.has(metricType.name),
+                );
+              })
+              .map((metricType: MetricType) => {
+                return {
+                  name: metricType.name || "",
+                  unit: metricType.unit || "",
+                };
+              }),
+          });
+        } catch (err) {
+          next(err);
+        }
+      },
+    );
+
+    /*
+     * Public metric aggregation for dashboard charts/values/gauges/tables.
+     *
+     * Mirrors the private `/metrics/aggregate` route (which requires a
+     * logged-in session). The client-supplied projectId is IGNORED and the
+     * aggregation is pinned to the dashboard's owning projectId, so a public
+     * viewer can only read metrics belonging to this dashboard's project and
+     * never another tenant's. Authorization reuses
+     * DashboardService.hasReadAccess.
+     */
+    this.router.post(
+      `${new this.entityType()
+        .getCrudApiPath()
+        ?.toString()}/metrics-aggregate/:dashboardId`,
+      UserMiddleware.getUserMiddleware,
+      async (req: ExpressRequest, res: ExpressResponse, next: NextFunction) => {
+        try {
+          const dashboardId: ObjectID = new ObjectID(
+            req.params["dashboardId"] as string,
+          );
+
+          const accessResult: {
+            hasReadAccess: boolean;
+            error?: NotAuthenticatedException | ForbiddenException;
+          } = await DashboardService.hasReadAccess({
+            dashboardId,
+            req,
+          });
+
+          if (!accessResult.hasReadAccess) {
+            throw (
+              accessResult.error ||
+              new BadDataException("Access denied to this dashboard.")
+            );
+          }
+
+          if (!req.body || !req.body["aggregateBy"]) {
+            throw new BadDataException("aggregateBy is required.");
+          }
+
+          const dashboard: Dashboard | null =
+            await DashboardService.findOneById({
+              id: dashboardId,
+              select: {
+                _id: true,
+                projectId: true,
+                dashboardViewConfig: true,
+              },
+              props: {
+                isRoot: true,
+              },
+            });
+
+          if (!dashboard || !dashboard.projectId) {
+            throw new NotFoundException("Dashboard not found");
+          }
+
+          const aggregateBy: AggregateBy<Metric> = {
+            ...(JSONFunctions.deserialize(
+              req.body["aggregateBy"] as JSONObject,
+            ) as unknown as AggregateBy<Metric>),
+            /*
+             * Run as root: authorization is already enforced by hasReadAccess
+             * above and the project scope is pinned below.
+             */
+            props: {
+              isRoot: true,
+            },
+          };
+
+          /*
+           * Restrict aggregation to the metric names this dashboard actually
+           * charts. Without this, a public viewer who knows the dashboard ID
+           * could aggregate any metric in the owning project. Variable
+           * interpolation only rewrites attribute filters, never the metric
+           * name, so the stored view config is an exact allowlist.
+           */
+          const allowedMetricNames: Set<string> =
+            DashboardAPI.collectDashboardMetricNames(
+              dashboard.dashboardViewConfig,
+            );
+          const requestedMetricName: unknown = aggregateBy.query
+            ? (aggregateBy.query as Record<string, unknown>)["name"]
+            : undefined;
+
+          if (
+            typeof requestedMetricName !== "string" ||
+            !allowedMetricNames.has(requestedMetricName)
+          ) {
+            throw new BadDataException(
+              "This metric is not part of this dashboard.",
+            );
+          }
+
+          /*
+           * Security: never trust a client-supplied projectId on a public,
+           * unauthenticated endpoint. Pin the aggregation to the dashboard's
+           * project before it reaches the database service.
+           */
+          aggregateBy.query = {
+            ...(aggregateBy.query || {}),
+            projectId: dashboard.projectId,
+          };
+
+          const aggregateResult: AggregatedResult =
+            await MetricService.aggregateBy(aggregateBy);
+
+          const responseBody: JSONObject = {
+            ...(aggregateResult as unknown as JSONObject),
+          };
+
+          return Response.sendJsonObjectResponse(req, res, responseBody);
+        } catch (err) {
+          next(err);
+        }
+      },
+    );
+
+    /*
+     * Public resource lists for non-metric dashboard widgets (incident /
+     * alert / monitor / trace / log / kubernetes / docker / host lists).
+     *
+     * Each widget renders a fixed set of columns; the server pins the select
+     * to exactly those columns (see PUBLIC_DASHBOARD_RESOURCES) and forces the
+     * project scope to the dashboard's project, so a public viewer can only
+     * read the data the widget was built to show, for this dashboard's
+     * project. Authorization reuses DashboardService.hasReadAccess.
+     */
+    this.router.post(
+      `${new this.entityType()
+        .getCrudApiPath()
+        ?.toString()}/resource-list/:dashboardId/:resourceType`,
+      UserMiddleware.getUserMiddleware,
+      async (req: ExpressRequest, res: ExpressResponse, next: NextFunction) => {
+        try {
+          const resourceType: string = req.params["resourceType"] as string;
+          const config: PublicDashboardResourceConfig | undefined =
+            PUBLIC_DASHBOARD_RESOURCES[resourceType];
+
+          if (!config) {
+            throw new BadDataException(
+              `Unsupported dashboard resource type: ${resourceType}`,
+            );
+          }
+
+          await DashboardAPI.servePublicResourceList({ req, res, config });
+        } catch (err) {
+          next(err);
+        }
+      },
+    );
+
     this.router.post(
       `${new this.entityType()
         .getCrudApiPath()
@@ -469,6 +944,147 @@ export default class DashboardAPI extends BaseAPI<
     );
   }
 
+  /*
+   * Walk a stored dashboard view config and collect every metric name it
+   * references (chart/value/gauge/table widgets all carry their metric in a
+   * `metricName` field somewhere under their query config). Used to build an
+   * allowlist for the public metric endpoints so an anonymous viewer can only
+   * read the metrics this dashboard was built to show.
+   */
+  private static collectDashboardMetricNames(
+    dashboardViewConfig: unknown,
+  ): Set<string> {
+    const metricNames: Set<string> = new Set<string>();
+
+    const walk: (node: unknown) => void = (node: unknown): void => {
+      if (!node || typeof node !== "object") {
+        return;
+      }
+
+      if (Array.isArray(node)) {
+        for (const item of node) {
+          walk(item);
+        }
+        return;
+      }
+
+      const obj: Record<string, unknown> = node as Record<string, unknown>;
+
+      const metricName: unknown = obj["metricName"];
+      if (typeof metricName === "string" && metricName.trim().length > 0) {
+        metricNames.add(metricName);
+      }
+
+      for (const key of Object.keys(obj)) {
+        walk(obj[key]);
+      }
+    };
+
+    walk(dashboardViewConfig);
+
+    return metricNames;
+  }
+
+  /*
+   * Shared handler for the public resource-list endpoint. Loads the
+   * dashboard, enforces read access, pins the query to the dashboard's
+   * project, and lists the resource using the registry's FIXED select.
+   */
+  private static async servePublicResourceList(data: {
+    req: ExpressRequest;
+    res: ExpressResponse;
+    config: PublicDashboardResourceConfig;
+  }): Promise<void> {
+    const { req, res, config } = data;
+
+    const dashboardId: ObjectID = new ObjectID(
+      req.params["dashboardId"] as string,
+    );
+
+    const accessResult: {
+      hasReadAccess: boolean;
+      error?: NotAuthenticatedException | ForbiddenException;
+    } = await DashboardService.hasReadAccess({ dashboardId, req });
+
+    if (!accessResult.hasReadAccess) {
+      throw (
+        accessResult.error ||
+        new BadDataException("Access denied to this dashboard.")
+      );
+    }
+
+    const dashboard: Dashboard | null = await DashboardService.findOneById({
+      id: dashboardId,
+      select: {
+        _id: true,
+        projectId: true,
+      },
+      props: {
+        isRoot: true,
+      },
+    });
+
+    if (!dashboard || !dashboard.projectId) {
+      throw new NotFoundException("Dashboard not found");
+    }
+
+    const query: JSONObject =
+      req.body && req.body["query"]
+        ? (JSONFunctions.deserialize(
+            req.body["query"] as JSONObject,
+          ) as JSONObject)
+        : {};
+
+    /*
+     * Security: pin to the dashboard's project; never trust a client-supplied
+     * projectId on a public, unauthenticated endpoint.
+     */
+    (query as Record<string, unknown>)["projectId"] = dashboard.projectId;
+
+    const sort: JSONObject =
+      req.body && req.body["sort"]
+        ? (JSONFunctions.deserialize(
+            req.body["sort"] as JSONObject,
+          ) as JSONObject)
+        : {};
+
+    const requestedLimit: number = req.query["limit"]
+      ? parseInt(req.query["limit"] as string, 10)
+      : DEFAULT_DASHBOARD_RESOURCE_LIMIT;
+    const limit: number = Math.min(
+      Number.isFinite(requestedLimit) && requestedLimit > 0
+        ? requestedLimit
+        : DEFAULT_DASHBOARD_RESOURCE_LIMIT,
+      LIMIT_PER_PROJECT,
+    );
+
+    const requestedSkip: number = req.query["skip"]
+      ? parseInt(req.query["skip"] as string, 10)
+      : 0;
+    const skip: number =
+      Number.isFinite(requestedSkip) && requestedSkip > 0 ? requestedSkip : 0;
+
+    const list: Array<BaseModel | AnalyticsDataModel> =
+      await config.service.findBy({
+        query: query,
+        select: config.select,
+        sort: sort,
+        limit: limit,
+        skip: skip,
+        props: {
+          isRoot: true,
+        },
+      });
+
+    return Response.sendEntityArrayResponse(
+      req,
+      res,
+      list,
+      new PositiveNumber(list.length),
+      config.modelType,
+    );
+  }
+
   private static getFileAsBase64JSONObject(
     file: any,
   ): { file: string; fileType: string } | null {

package/Server/Infrastructure/Postgres/SchemaMigrations/1780317745887-AddDeliveryTrackingToSmsLog.ts

@@ -0,0 +1,39 @@
+import { MigrationInterface, QueryRunner } from "typeorm";
+
+export class AddDeliveryTrackingToSmsLog1780317745887
+  implements MigrationInterface
+{
+  public name: string = "AddDeliveryTrackingToSmsLog1780317745887";
+
+  public async up(queryRunner: QueryRunner): Promise<void> {
+    await queryRunner.query(
+      `ALTER TABLE "SmsLog" ADD "errorCode" character varying(100)`,
+    );
+    await queryRunner.query(
+      `ALTER TABLE "SmsLog" ADD "statusCallbackToken" character varying(100)`,
+    );
+    await queryRunner.query(
+      `ALTER TABLE "SmsLog" ADD "userOnCallLogTimelineId" uuid`,
+    );
+    await queryRunner.query(
+      `CREATE INDEX "IDX_SmsLog_userOnCallLogTimelineId" ON "SmsLog" ("userOnCallLogTimelineId") `,
+    );
+    await queryRunner.query(
+      `ALTER TABLE "SmsLog" ADD CONSTRAINT "FK_SmsLog_userOnCallLogTimelineId" FOREIGN KEY ("userOnCallLogTimelineId") REFERENCES "UserOnCallLogTimeline"("_id") ON DELETE CASCADE ON UPDATE NO ACTION`,
+    );
+  }
+
+  public async down(queryRunner: QueryRunner): Promise<void> {
+    await queryRunner.query(
+      `ALTER TABLE "SmsLog" DROP CONSTRAINT "FK_SmsLog_userOnCallLogTimelineId"`,
+    );
+    await queryRunner.query(`DROP INDEX "IDX_SmsLog_userOnCallLogTimelineId"`);
+    await queryRunner.query(
+      `ALTER TABLE "SmsLog" DROP COLUMN "userOnCallLogTimelineId"`,
+    );
+    await queryRunner.query(
+      `ALTER TABLE "SmsLog" DROP COLUMN "statusCallbackToken"`,
+    );
+    await queryRunner.query(`ALTER TABLE "SmsLog" DROP COLUMN "errorCode"`);
+  }
+}

package/Server/Infrastructure/Postgres/SchemaMigrations/Index.ts

@@ -360,6 +360,7 @@ import { AddLabelGroupByToGroupingRules1779971548393 } from "./1779971548393-Add
 import { AddTransportTypeToProjectSmtpConfig1779975064262 } from "./1779975064262-AddTransportTypeToProjectSmtpConfig";
 import { AddSmtpTransportTypeToGlobalConfig1779976190561 } from "./1779976190561-AddSmtpTransportTypeToGlobalConfig";
 import { MigrationName1779980428744 } from "./1779980428744-MigrationName";
+import { AddDeliveryTrackingToSmsLog1780317745887 } from "./1780317745887-AddDeliveryTrackingToSmsLog";
 
 export default [
   InitialMigration,
@@ -724,4 +725,5 @@ export default [
   AddTransportTypeToProjectSmtpConfig1779975064262,
   AddSmtpTransportTypeToGlobalConfig1779976190561,
   MigrationName1779980428744,
+  AddDeliveryTrackingToSmsLog1780317745887,
 ];