@opengis/fastify-table 1.0.8 → 1.0.10

package/{changelog.md → Changelog.md}

@@ -1,5 +1,26 @@
 # fastify-table
 
+## 1.0.9 - 29.04.2024
+
+- crud token support
+- security - xss restriction
+
+## 1.0.8 - 29.04.2024
+
+- filter fix
+
+## 1.0.7 - 26.04.2024
+
+- code optimization
+
+## 1.0.6 - 25.04.2024
+
+- code optimization
+
+## 1.0.5 - 24.04.2024
+
+- code optimization
+
 ## 1.0.4 - 20.04.2024
 
 - data api - order

package/config.js

@@ -1,3 +1,11 @@
-// import pg from './pg'
-const config = { allTemplates: {} };
+import fs from 'fs';
+
+const config = fs.existsSync('config.json')
+  ? JSON.parse(fs.readFileSync('config.json'))
+  : {};
+
+Object.assign(config, {
+  allTemplates: config?.allTemplates || {},
+});
+
 export default config;

package/crud/controllers/insert.js

@@ -1,9 +1,28 @@
 import dataInsert from '../funcs/dataInsert.js';
+import getIdByToken from '../funcs/getIdByToken.js';
+import checkXSS from './utils/checkXSS.js';
+import getTemplate from '../../table/controllers/utils/getTemplate.js';
 
 export default async function insert(req) {
   const { table } = req.params || {};
   if (!table) return { status: 404, message: 'table is required' };
 
-  const res = await dataInsert({ table, data: req.body });
+  const { funcs, session, params } = req;
+  const tokenDataString = await getIdByToken({
+    funcs, session, token: params.table, mode: 'a', json: 0,
+  });
+
+  const { form, add } = JSON.parse(tokenDataString || '{}');
+
+  const formData = form ? await getTemplate('form', form) : {};
+
+  const xssCheck = checkXSS({ body: req.body, schema: formData?.schema });
+
+  if (xssCheck.error && formData?.xssCheck !== false) {
+    req.log.warn({ name: 'injection/xss', msg: xssCheck.error, table }, req);
+    return { message: 'Дані містять заборонені символи. Приберіть їх та спробуйте ще раз', status: 409 };
+  }
+
+  const res = await dataInsert({ table: add || table, data: req.body });
   return res;
 }

package/crud/controllers/update.js

@@ -1,10 +1,29 @@
 import dataUpdate from '../funcs/dataUpdate.js';
+import getIdByToken from '../funcs/getIdByToken.js';
+import checkXSS from './utils/checkXSS.js';
+import getTemplate from '../../table/controllers/utils/getTemplate.js';
 
 export default async function update(req) {
   const { table, id } = req.params || {};
-  if (!table) return { status: 404, message: 'table is required' };
-  if (!id) return { status: 404, message: 'id is required' };
+  if (!req.params?.table) return { message: 'table is required', status: 404 };
+  if (!id) return { message: 'id is required', status: 404 };
 
-  const res = await dataUpdate({ table, id, data: req.body });
+  const { funcs, session, params } = req;
+  const tokenDataString = await getIdByToken({
+    funcs, session, token: params.table, mode: 'w', json: 0,
+  });
+
+  const tokenData = JSON.parse(tokenDataString || '{}');
+
+  const formData = tokenData?.form ? await getTemplate('form', tokenData.form) : {};
+
+  const xssCheck = checkXSS({ body: req.body, schema: formData?.schema });
+
+  if (xssCheck.error && formData?.xssCheck !== false) {
+    req.log.warn({ name: 'injection/xss', msg: xssCheck.error, table }, req);
+    return { message: 'Дані містять заборонені символи. Приберіть їх та спробуйте ще раз', status: 409 };
+  }
+
+  const res = await dataUpdate({ table: tokenData?.table || table, id: tokenData?.id || id, data: req.body });
   return res;
 }

package/crud/controllers/utils/checkXSS.js

@@ -0,0 +1,45 @@
+/* import sqlInjection from '../../../policy/funcs/sqlInjection.js'; */
+import xssInjection from './xssInjection.js';
+
+/* const checkList = xssInjection.concat(sqlInjection); */
+
+// RTE - rich text editor
+
+function checkXSS({ body, schema = {} }) {
+  const data = typeof body === 'string' ? body : JSON.stringify(body);
+  const stopWords = xssInjection.filter((el) => data.toLowerCase().includes(el));
+
+  // check sql injection
+  const stopSpecialSymbols = data.match(/\p{S}OR\p{S}|\p{P}OR\p{P}| OR |\+OR\+/gi);
+  if (stopSpecialSymbols?.length) stopSpecialSymbols?.forEach((el) => stopWords.push(el));
+
+  // escape arrows on non-RTE
+  Object.keys(body)
+    .filter((key) => ['<', '>'].find((el) => body[key].includes(el))
+  && !['Summernote', 'Tiny', 'Ace'].includes(schema[key]?.type))
+    ?.forEach((key) => {
+      Object.assign(body, { [key]: body[key].replace(/</g, '&lt;').replace(/>/g, '&gt;') });
+    });
+  // try { } catch (err) { return { error: err.toString() }; }
+
+  if (!stopWords.length) return { body };
+
+  const disabledCheckFields = Object.keys(schema)?.filter((el) => schema[el]?.xssCheck === false); // exclude specific columns
+
+  // check RTE
+  /* const richTextFields = Object.keys(schema).filter((el) => ['Summernote', 'Tiny', 'Ace'].includes(schema[el]?.type));
+  richTextFields.filter((key) => !checkList.find((el) => body[key].includes(el)))?.forEach((key) => {
+    disabledCheckFields.push(key);
+  }); */
+
+  const field = Object.keys(body)
+    ?.find((key) => body[key]
+        && !disabledCheckFields.includes(key)
+        && body[key].toLowerCase().includes(stopWords[0]));
+  if (field) {
+    return { error: `rule: ${stopWords[0]} | attr: ${field} | val: ${body[field]}`, body };
+  }
+  return { body };
+}
+
+export default checkXSS;

package/crud/controllers/utils/xssInjection.js

@@ -0,0 +1,72 @@
+const xssInjection = [
+  'onkeypress=',
+  'onkeyup=',
+  'ondblclick=',
+  'onerror=',
+  'onmouseover=',
+  '<meta',
+  '<script',
+  'vascript:',
+  'onkeydown=',
+  'onmousedown=',
+  'onmouseenter=',
+  'onmouseleave=',
+  'onmousemove=',
+  'onmouseout=',
+  'onmouseup=',
+  'onmousewheel=',
+  'onpaste=',
+  'onscroll=',
+  'onwheel=',
+  'javascript:',
+  '\\x',
+  'eval(',
+  'onmouseover=',
+  'action=',
+  'xlink:',
+  'allowscriptaccess',
+  'href=',
+  'behavior:',
+  'onreadystatechange=',
+  'onstart=',
+  'offline=',
+  'onabort=',
+  'onafterprint=',
+  'onbeforeonload=',
+  'onbeforeprint=',
+  'onblur=',
+  'oncanplay=',
+  'oncanplaythrough=',
+  'onchange=',
+  'onclick=',
+  'oncontextmenu=',
+  'ondblclick=',
+  'ondrag=',
+  'ondragend=',
+  'ondragenter=',
+  'ondragleave=',
+  'ondragover=',
+  'ondragstart=',
+  'ondrop=',
+  'ondurationchange=',
+  'onemptied=',
+  'onended=',
+  'onerror=',
+  'onfocus=',
+  'onformchange=',
+  'onforminput=',
+  'onhaschange=',
+  'oninput=',
+  'oninvalid=',
+  'onkeydown=',
+  'onkeypress=',
+  'onkeyup=',
+  'onload=',
+  'onloadeddata=',
+  'onloadedmetadata=',
+  'onloadstart=',
+  'alert(',
+  'script:',
+];
+
+export default xssInjection;

package/crud/funcs/dataInsert.js

@@ -18,7 +18,7 @@ export default async function dataInsert({ table, data }) {
     values  (${filterData?.map((key, i) => `$${i + 1}`).join(',')}) 
     
     returning *`;
-  //  console.log(updateDataset);
+  await pg.query('DROP TRIGGER if exists dataset_before_update_insert ON gis.dataset');
   const res = await pg.one(insertQuery, [...filterData.map((el) => (typeof el[1] === 'object' ? JSON.stringify(el[1]) : el[1]))]) || {};
   return res;
 }

package/crud/funcs/getIdByToken.js

@@ -0,0 +1,29 @@
+import getRedis from '../../redis/funcs/getRedis.js';
+
+function sprintf(str, ...args) {
+  return str.replace(/%s/g, () => args.shift());
+}
+
+const keys = {
+  r: '%s:token:view:%s',
+  a: '%s:token:add:%s',
+  w: '%s:token:edit:%s',
+  e: '%s:token:exec:%s',
+};
+
+async function getIdByToken({
+  funcs, session, token, mode = 'r', json,
+}) {
+  if (mode === 'r') return token;
+
+  const { config } = funcs;
+  const { uid } = session?.passport?.user || (config.local ? { uid: '1' } : {});
+
+  const rclient2 = getRedis({ db: 2, funcs });
+
+  const key = sprintf(keys[mode], config?.pg?.database, uid);
+  const id = await rclient2.hget(key, token);
+  return json && id[0] === '{' ? JSON.parse(id) : id;
+}
+
+export default getIdByToken;

package/crud/funcs/setTokenById.js

@@ -0,0 +1,55 @@
+import { createHash, randomUUID } from 'crypto';
+
+import getRedis from '../../redis/funcs/getRedis.js';
+
+const generateCodes = (ids, userToken) => {
+  const token = userToken || randomUUID();
+  const notNullIds = ids.filter((el) => el);
+  const obj = {};
+  const codes = notNullIds.reduce((acc, id) => {
+    const newToken = createHash('sha1').update(token + id).digest('base64url').replace(/-/g, '');
+    acc[newToken] = id; obj[id] = newToken;
+    return acc;
+  }, {});
+  return { codes, obj };
+};
+
+function setTokenById({
+  funcs, ids: idsOrigin, mode = 'r', session, referer, array,
+}) {
+  const { config } = funcs;
+  const { uid } = session?.passport?.user || (config.local ? { uid: '1' } : {});
+
+  const rclient2 = getRedis({ db: 2, funcs });
+  const rclient5 = getRedis({ db: 5, funcs });
+
+  if (!uid) return { user: 'empty' };
+  if (!Object.keys(idsOrigin).length) return { ids: 'empty' };
+
+  const ids = idsOrigin.map((el) => (typeof el === 'object' ? JSON.stringify(el) : el));
+  // update/delete
+
+  if (mode === 'r') return null;
+
+  // TODO generate salt
+  const { codes, obj } = generateCodes(ids, uid);
+
+  if (!Object.keys(codes).length) return { ids: 'empty' };
+
+  rclient2.hmset(`${config.pg.database}:token:${{
+    e: 'exec', r: 'view', w: 'edit', a: 'add',
+  }[mode]}:${uid}`, codes);
+
+  // log token for debug. add extra data - uid, mode, date
+  const dt = new Date().toISOString();
+  const codesLog = Object.keys(codes).reduce((acc, key) => {
+    acc[key] = `{"referer": "${referer}" ,"uid":"${uid}","mode":"${mode}","date":"${dt}",${codes[key].substr(1)}`;
+    return acc;
+  }, {});
+  rclient5.hmset(`${config.pg.database}:token:edit`, codesLog); // 'EX', 64800
+
+  // TODO дополнительно писать в hset token -> uid
+  return array ? Object.values(obj) : obj;
+}
+
+export default setTokenById;

package/index.js

@@ -7,12 +7,22 @@ import redisPlugin from './redis/index.js';
 import pgPlugin from './pg/index.js';
 import tablePlugin from './table/index.js';
 import crudPlugin from './crud/index.js';
+import policyPlugin from './policy/index.js';
 
 async function plugin(fastify, opt) {
   // console.log(opt);
   config.pg = opt.pg;
   config.redis = opt.redis;
 
+  // independent npm start / unit test
+  if (!fastify.config) {
+    fastify.decorate('config', config);
+  }
+  if (!fastify.funcs) {
+    fastify.decorateRequest('funcs', fastify);
+  }
+
+  policyPlugin(fastify);
   redisPlugin(fastify);
   await pgPlugin(fastify, opt);
   tablePlugin(fastify, opt);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@opengis/fastify-table",
-  "version": "1.0.8",
+  "version": "1.0.10",
   "type": "module",
   "description": "core-plugins",
   "main": "index.js",

package/policy/funcs/checkPolicy.js

@@ -0,0 +1,74 @@
+import block from './sqlInjection.js';
+
+/**
+ * Middleware func
+ *
+ * @type function
+ * @alias checkPolicy
+ * @summary Функція дозволяє налаштувати доступ до сайту або API для адмін. та публічної частини веб-ресурсу
+ * @param {String} path - назва апі
+ * @returns {object|null} Returns object
+ */
+
+export default function checkPolicy(req) {
+  const {
+    originalUrl: path, hostname, query, params, headers: hs, log, sid = 35, funcs = {},
+  } = req;
+  const user = req.user || req.session?.passport?.user;
+
+  const { config } = funcs;
+  const isUser = config.debug || !!user;
+
+  const isServer = process.argv[2];
+  const { policy = [] } = req.routeOptions?.config || {};
+
+  /*= == 1.File injection  === */
+  if (JSON.stringify(params || {})?.includes('../') || JSON.stringify(query || {})?.includes('../') || path?.includes('../')) {
+    log.warn({
+      name: 'injection/file', params, query, message: 'access restricted: 1',
+    });
+    return { message: 'access restricted: 1', status: 403 };
+  }
+
+  /*= == 1.1 File  === */
+  const allowExtPublic = ['.png', '.jpg', '.svg'];
+  const ext = path.toLowerCase().substr(-4);
+  if (path.includes('files/') && allowExtPublic.includes(ext)) return null;
+
+  /*= == 2.SQL Injection policy: no-sql === */
+  if (!policy.includes('no-sql')) {
+    const stopWords = block.filter((el) => path.includes(el));
+    if (stopWords?.length) {
+      log.warn({ name: 'injection/sql', stopWords, message: 'access restricted: 2' });
+      return { message: 'access restricted: 2', status: 403 };
+    }
+  }
+  /* Check is Not API */
+  const isApi = ['/files/', '/api/format/', '/api-user/', '/logger', '/file/'].filter((el) => path.includes(el)).length;
+  if (!isApi) return null;
+
+  /*= == 3. policy: referer === */
+  if (!hs?.referer?.includes?.(hostname) && policy.includes('referer') && !config.local && !config.debug) {
+    log.warn({ name: 'referer', message: 'access restricted: 3' });
+    return { message: 'access restricted: 3', status: 403 };
+  }
+
+  /*= == policy: public === */
+  if (policy.includes('public')) {
+    return null;
+  }
+
+  /*= == 4. policy: site auth === */
+  if (!policy.includes('site') && sid === 1 && isUser && !config.local && !config.debug) {
+    log.warn({ name: 'site', message: 'access restricted: 4' });
+    return { message: 'access restricted: 4', status: 403 };
+  }
+
+  /*= == 5. base policy: block api  === */
+  if (sid === 35 && !isUser && isServer && !config.local && !config.debug) {
+    log.warn({ name: 'api', message: 'access restricted: 5' });
+    return { message: 'access restricted: 5', status: 403 };
+  }
+
+  return null;
+}

package/policy/funcs/sqlInjection.js

@@ -0,0 +1,33 @@
+const sqlInjection = [
+  '()',
+  '^',
+  '*',
+  'like ',
+  '@variable',
+  '@@variable',
+  'group by ',
+  'union ',
+  'select ',
+  'having ',
+  'as injectx',
+  'where ',
+  'rlike ',
+  'if(',
+  'sleep(',
+  'waitfor delay',
+  'benchmark(',
+  'pg_sleep(',
+  "'\\\"",
+  'randomblob(',
+  'order by ',
+  'union all ',
+  '+or',
+  'or ',
+  'and ',
+  "'' ",
+  '"""  ',
+  '<script',
+  'javascript:',
+]
+
+export default sqlInjection;

package/policy/index.js

@@ -0,0 +1,14 @@
+// import fp from 'fastify-plugin';
+
+import checkPolicy from './funcs/checkPolicy.js';
+
+async function plugin(fastify) {
+  fastify.addHook('onRequest', async (request, reply) => {
+    const hookData = checkPolicy(request);
+    if (hookData?.status && hookData?.message) {
+      return reply.status(hookData?.status).send(hookData.message);
+    }
+  });
+}
+
+export default plugin;

package/redis/index.js

@@ -8,7 +8,7 @@ function close(fastify) {
 }
 
 async function plugin(fastify) {
-  const client = getRedis({ db: 0 });
+  const client = getRedis({ db: 0, funcs: fastify });
   client.getJSON = client.get;
   fastify.decorate('rclient', client);
   fastify.decorate('getRedis', getRedis);

package/server/templates/form/test.dataset.form.json

@@ -0,0 +1,412 @@
+{
+  "label_style": "vertical",
+  "saveButton": false,
+  "schema": {
+    "dataset_name": {
+      "type": "Text",
+      "ua": "Назва набору українською",
+      "validators": [
+        "required"
+      ],
+      "col": 12
+    },
+    "enabled": {
+      "type": "Switcher",
+      "ua": "On / Off",
+      "col": 3
+    },
+    "home_is": {
+      "ua": "Виводити на публічці",
+      "type": "Switcher",
+      "col": 2
+    },
+    "isadmin": {
+      "type": "Switcher",
+      "ua": "Admin only",
+      "col": 3
+    },
+    "is_map": {
+      "type": "Switcher",
+      "ua": "Наявність переходу на карту",
+      "col": 3
+    },
+    "is_register": {
+      "type": "Switcher",
+      "ua": "Наявність переходу до реєстру",
+      "col": 3
+    },
+    "table_name": {
+      "type": "Text",
+      "ua": "Назва таблиці в БД"
+    },
+    "pk": {
+      "type": "Text",
+      "ua": "Primary key",
+      "validators": [
+        "required"
+      ]
+    },
+    "query": {
+      "type": "Text",
+      "ru": "Запит до таблиці",
+      "ua": "Запит до таблиці"
+    },
+    "order_by": {
+      "type": "Text",
+      "ua": "Умова на сортування"
+    },
+    "group_id": {
+      "type": "Autocomplete",
+      "data": "gis.category.select",
+      "ua": "Група"
+    },
+    "service_type": {
+      "type": "Select2",
+      "data": "dataset.service_type",
+      "col": 12,
+      "ua": "Тип сервісу"
+    },
+    "setting.popup": {
+      "type": "Text",
+      "ua": "Popup"
+    },
+    "setting.card": {
+      "type": "Text",
+      "ua": "Шаблон"
+    },
+    "geom": {
+      "type": "Geom",
+      "ua": "Баунд"
+    },
+    "export_columns": {
+      "type": "Tags",
+      "data1": "column.list.select",
+      "parent": "table_name",
+      "ua": "Колонки для экспорту"
+    },
+    "column_list": {
+      "type": "DataTable",
+      "font-size": "10",
+      "ua": "Колонки",
+      "import": true,
+      "height": 600,
+      "colModel": [
+        {
+          "name": "name",
+          "type": "Text",
+          "ua": "Назва колонки в БД"
+        },
+        {
+          "name": "ua",
+          "type": "Text",
+          "ua": "Назва колонки українською",
+          "validators": [
+            "required"
+          ]
+        },
+        {
+          "name": "meta",
+          "type": "Autocomplete",
+          "data": "gis.meta_type",
+          "ua": "Meta",
+          "hide_column": true,
+          "column_hide": true
+        },
+        {
+          "name": "format",
+          "type": "Autocomplete",
+          "data": "gis.column_list_type",
+          "default": "text",
+          "ua": "Тип колонки",
+          "validators": [
+            "required"
+          ]
+        },
+        {
+          "name": "data",
+          "ua": "Класифікатор",
+          "ru": "Класификатор",
+          "en": "Domen"
+        },
+        {
+          "name": "values",
+          "type": "DataTable",
+          "hide_column": true,
+          "column_hide": true,
+          "ua": "Домени",
+          "help": "Використовується для створення випадаючих списків",
+          "colModel": [
+            {
+              "name": "ua",
+              "ua": "Назва домена"
+            },
+            {
+              "name": "color",
+              "ua": "Колір"
+            },
+            {
+              "name": "icon",
+              "ua": "Іконка"
+            }
+          ]
+        },
+        {
+          "name": "hidden_table_public",
+          "type": "Switcher",
+          "ua": "Приховати поле в прев'ю",
+          "i": "Чи приховати поле при перегляді об'єктів набора"
+        },
+        {
+          "name": "hidden_public",
+          "type": "Switcher",
+          "ua": "Приховати поле в картоці об'єкта"
+        }
+      ]
+    },
+    "filter_list": {
+      "type": "DataTable",
+      "height": 600,
+      "import": true,
+      "title": false,
+      "colModel": [
+        {
+          "name": "name",
+          "type": "Text",
+          "ua": "Колонка"
+        },
+        {
+          "name": "type",
+          "edittype": "Autocomplete",
+          "ua": "Формат",
+          "data": "gis.filter_type"
+        },
+        {
+          "name": "data",
+          "ua": "Класифікатор",
+          "ru": "Класификатор",
+          "width": 30,
+          "en": "Domen"
+        },
+        {
+          "name": "disabled",
+          "width": 10,
+          "ru": "Відключити",
+          "ua": "Відключити",
+          "type": "Switcher",
+          "col": 2
+        },
+        {
+          "name": "ua",
+          "width": 30,
+          "ua": "Назва українською"
+        }
+      ]
+    },
+    "style.geometry_type": {
+      "type": "Autocomplete",
+      "ua": "Тип геометрії",
+      "default": "point",
+      "validators": [
+        "required"
+      ],
+      "options": [
+        {
+          "id": "point",
+          "text": "Точкові об'єкти"
+        },
+        {
+          "id": "line",
+          "text": "Лінійні об'єкти"
+        },
+        {
+          "id": "polygon",
+          "text": "Полігональні об'єкти"
+        }
+      ],
+      "behavior": {
+        "point": {
+          "show": "style.as_icon,style.icon,style.pointFillColor,style.pointFillOpacity,style.pointStrokeColor,style.pointStrokeOpacity,style.pointStrokeWidth,style.radius,style.pointWidth,style.pointHeight",
+          "hide": "style.line_dotted,style.color,style.weight,style.fillColor,style.fillOpacity"
+        },
+        "line": {
+          "show": "style.line_dotted,style.color,style.weight",
+          "hide": "style.as_icon,style.icon,style.pointFillColor,style.pointFillOpacity,style.pointStrokeColor,style.pointStrokeOpacity,style.pointStrokeWidth,style.radius,style.pointWidth,style.pointHeight,style.fillColor,style.fillOpacity"
+        },
+        "polygon": {
+          "show": "style.fillColor,style.fillOpacity",
+          "hide": "style.as_icon,style.icon,style.pointFillColor,style.pointFillOpacity,style.pointStrokeColor,style.pointStrokeOpacity,style.pointStrokeWidth,style.radius,style.pointWidth,style.pointHeight,style.line_dotted,style.color,style.weight"
+        }
+      }
+    },
+    "style.as_icon": {
+      "type": "Autocomplete",
+      "ua": "Відображення іконкою",
+      "default": "yes",
+      "options": [
+        {
+          "id": "yes",
+          "text": "Так"
+        },
+        {
+          "id": "no",
+          "text": "Ні"
+        }
+      ],
+      "behavior": {
+        "yes": {
+          "show": "style.icon",
+          "hide": "style.fillColor,style.fillOpacity,style.pointFillColor,style.pointFillOpacity,style.pointHeight,style.pointWidth,style.radius,style.pointStrokeWidth,style.pointStrokeOpacity,style.pointStrokeColor"
+        },
+        "no": {
+          "show": "style.fillColor,style.fillOpacity,style.pointFillColor,style.pointFillOpacity,style.pointHeight,style.pointWidth,style.radius,style.pointStrokeWidth,style.pointStrokeOpacity,style.pointStrokeColor",
+          "hide": "style.icon"
+        }
+      }
+    },
+    "style.icon": {
+      "type": "Text",
+      "ru": "Иконка",
+      "ua": "Іконка",
+      "help": "Приклад pin-l-bar+AA0000+2+2+4+20+20.png повна інструкція <a target='_blank' href='/api-user/marker_icon/'>/marker_icon/</a>"
+    },
+    "style.pointFillColor": {
+      "type": "colorpicker",
+      "ru": "Цвет точки",
+      "ua": "Колір точки",
+      "help": "Приклади: #aaa, red, #fa5050. По замовчуванню blue."
+    },
+    "style.pointFillOpacity": {
+      "type": "Number",
+      "ru": "Прозрачность точки",
+      "ua": "Прозорість точки",
+      "help": "Значення від 0.0 до 1.0. По замовчуванню 1.0."
+    },
+    "style.pointStrokeColor": {
+      "type": "colorpicker",
+      "ru": "Цвет контура",
+      "ua": "Колір контуру",
+      "help": "Приклади: #aaa, red, #fa5050. По замовчуванню black."
+    },
+    "style.pointStrokeOpacity": {
+      "type": "Number",
+      "ru": "Прозрачность контура",
+      "ua": "Прозорість контуру",
+      "help": "Значення від 0.0 до 1.0. По замовчуванню 1.0."
+    },
+    "style.pointStrokeWidth": {
+      "type": "Number",
+      "ru": "Ширина контура",
+      "ua": "Ширина контуру",
+      "help": "По замовчуванню 1."
+    },
+    "style.radius": {
+      "type": "Text",
+      "ru": "Radius",
+      "ua": "Radius",
+      "help": "По замовчуванню 10."
+    },
+    "style.pointWidth": {
+      "type": "Number",
+      "ru": "Ширина точки",
+      "ua": "Ширина точки",
+      "help": "По замовчуванню 10."
+    },
+    "style.pointHeight": {
+      "type": "Number",
+      "ru": "Высота точки",
+      "ua": "Висота точки",
+      "help": "По замовчуванню 10."
+    },
+    "style.fillColor": {
+      "type": "colorpicker",
+      "ru": "Цвет полигонов",
+      "ua": "Колір полігонів",
+      "help": "Приклади: #aaa, red, #fa5050."
+    },
+    "style.fillOpacity": {
+      "type": "Number",
+      "ru": "Прозрачность полигонов",
+      "ua": "Прозорість полігонів",
+      "help": "Значення від 0.0 до 1.0. По замовчуванню 1.0."
+    },
+    "style.color": {
+      "type": "colorpicker",
+      "ru": "Цвет линий",
+      "ua": "Колір ліній",
+      "help": "Приклади: #aaa, red, #fa5050."
+    },
+    "style.weight": {
+      "type": "Number",
+      "ru": "Ширина линий",
+      "ua": "Ширина ліній",
+      "help": "Значення в px. По замовчуванню 1.0."
+    },
+    "style.line_dotted": {
+      "type": "Text",
+      "ru": "Пунктирная линия",
+      "ua": "Пунктирна лінія",
+      "help": "Приклад: '10, 5', де значення задається з двох чисел через кому: перше - довжина пунктиру в px, а друге - відстань між пунктирами, в px. По замовчуванню відключено."
+    }
+  },
+  "fieldsets": [
+    {
+      "legend": "Основні налаштування",
+      "ua": "Основні налаштування",
+      "fields": [
+        "dataset_name",
+        "group_id",
+        "table_name",
+        "pk",
+        "query",
+        "service_type",
+        "enabled",
+        "isadmin",
+        "is_map",
+        "is_register",
+        "setting.popup",
+        "setting.card",
+        "geom"
+      ]
+    },
+    {
+      "legend": "Колонки",
+      "ru": "Колонки",
+      "ua": "Колонки",
+      "fields": [
+        "column_list",
+        "export_columns"
+      ]
+    },
+    {
+      "legend": "Фільтри",
+      "ru": "Фильтры",
+      "ua": "Фільтри",
+      "fields": [
+        "filter_list"
+      ]
+    },
+    {
+      "legend": "Стилі",
+      "ru": "Стили",
+      "ua": "Стилі",
+      "fields": [
+        "style.geometry_type",
+        "style.as_icon",
+        "style.icon",
+        "style.pointFillColor",
+        "style.pointFillOpacity",
+        "style.pointStrokeColor",
+        "style.pointStrokeOpacity",
+        "style.pointStrokeWidth",
+        "style.radius",
+        "style.pointWidth",
+        "style.pointHeight",
+        "style.line_dotted",
+        "style.color",
+        "style.weight",
+        "style.fillColor",
+        "style.fillOpacity"
+      ]
+    }
+  ]
+}

package/table/controllers/data.js

@@ -1,6 +1,7 @@
 import getTemplate from './utils/getTemplate.js';
 import getFilterSQL from '../funcs/getFilterSQL/index.js';
 import getMeta from '../../pg/funcs/getMeta.js';
+import metaFormat from '../funcs/metaFormat/index.js';
 
 const maxLimit = 100;
 export default async function data(req) {
@@ -49,6 +50,7 @@ export default async function data(req) {
 
   const total = keyQuery || params.id ? rows.length : await pg.queryCache(`select count(*) from ${table} t where ${where.join(' and ') || 'true'}`).then((el) => el?.rows[0]?.count);
 
+  await metaFormat({ rows, table: params.table });
   return {
     time: Date.now() - time, total, pk, form, rows, meta, columns, filters,
   };

package/table/controllers/filter.js

@@ -3,6 +3,7 @@ import getSelect from './utils/getSelect.js';
 
 export default async function filter(req) {
   const time = Date.now();
+
   const {
     params,
   } = req;
@@ -12,7 +13,14 @@ export default async function filter(req) {
   const filters = loadTable?.filters || loadTable?.filterList || [];
   await Promise.all(filters.filter((el) => el.data).map(async (el) => {
     const cls = await getSelect(el.data);
-    Object.assign(el, { options: cls?.arr });
+    if (!cls?.arr || !loadTable.table) return;
+    const countArr = await req.pg.queryCache(`select ${el.id}::text as id,count(*) from ${loadTable.table} group by ${el.id}`);
+
+    const options = countArr.rows.map(cel => {
+      const data = cls?.arr.find(c => c.id === cel.id);
+      return { ...cel, ...data };
+    });
+    Object.assign(el, { options });
   }));
   return {
     time: Date.now() - time,

package/table/funcs/metaFormat/index.js

@@ -0,0 +1,28 @@
+import getTemplate from '../../controllers/utils/getTemplate.js';
+import getSelect from '../../controllers/utils/getSelect.js';
+import pg from '../../../pg/pgClients.js';
+
+export default async function metaFormat({ rows, table }) {
+  const loadTable = await getTemplate('table', table);
+  const selectCols = loadTable.columns?.filter((e) => e.data);
+
+  // cls & select format
+
+  await Promise.all(selectCols?.map(async (attr) => {
+    const val = [...new Set(rows?.map((el) => el[attr.name]).flat())];
+    if (!val.filter((el) => el).length) return null;
+    const cls = await getSelect(attr.data);
+    if (!cls?.arr && !cls?.sql) return null;
+
+    const data = cls.arr || await pg.client.query(`with c(id,text) as (${cls.sql}) select * from c where id = any('{${val}}')`).then(el => el.rows);
+
+    const clsAr = data.reduce((p, el) => ({ ...p, [el.id.toString()]: el.text }), {});
+    rows.forEach(el => {
+      Object.assign(el, { [`${attr.name}_text`]: clsAr[el[attr.name]] || el[attr.name] });
+    });
+
+    return null;
+  }));
+
+  return rows;
+}

package/table/index.js

@@ -2,9 +2,12 @@ import suggest from './controllers/suggest.js';
 import data from './controllers/data.js';
 import filter from './controllers/filter.js';
 import form from './controllers/form.js';
+import metaFormat from './funcs/metaFormat/index.js';
 
 async function plugin(fastify, config = {}) {
   const prefix = config.prefix || '/api';
+  fastify.decorate('metaFormat', metaFormat);
+
   fastify.get(`${prefix}/suggest/:data`, {}, suggest);
   fastify.get(`${prefix}/data/:table/:id?`, {}, data); // vs.crm.data.api с node
   fastify.get(`${prefix}/filter/:table`, {}, filter);

package/test/api/crud.test.js

@@ -2,15 +2,17 @@ import { test } from 'node:test';
 import assert from 'node:assert';
 
 import build from '../../helper.js';
-import pgClients from '../../pg/pgClients.js';
+
+import config from '../config.js';
 
 test('api crud', async (t) => {
   const app = await build(t);
+  const prefix = config.prefix || '/api';
 
   await t.test('POST /insert', async () => {
     const res = await app.inject({
       method: 'POST',
-      url: '/api/crud/gis.dataset',
+      url: `${prefix}/crud/gis.dataset`,
       body: { dataset_name: '111', dataset_id: '5400000' },
     });
 
@@ -24,20 +26,20 @@ test('api crud', async (t) => {
   await t.test('PUT /update', async () => {
     const res = await app.inject({
       method: 'PUT',
-      url: '/api/crud/gis.dataset/5400000',
+      url: `${prefix}/crud/gis.dataset/5400000`,
       body: { editor_id: '11' },
     });
 
     const rep = JSON.parse(res?.body);
     // rep.dataset_id
     // console.log(rep);
-    assert.equal(rep.editor_id, '11')
+    assert.equal(rep.editor_id, '11');
   });
 
   await t.test('DELETE /delete', async () => {
     const res = await app.inject({
       method: 'DELETE',
-      url: '/api/crud/gis.dataset/5400000',
+      url: `${prefix}/crud/gis.dataset/5400000`,
     });
 
     const rep = JSON.parse(res?.body);

package/test/api/crud.xss.test.js

@@ -0,0 +1,70 @@
+import { test } from 'node:test';
+import assert from 'node:assert';
+
+import build from '../../helper.js';
+
+import setTokenById from '../../crud/funcs/setTokenById.js';
+import config from '../config.js';
+
+test('api crud xss', async (t) => {
+  const app = await build(t);
+  const session = { passport: { user: { uid: '1' } } };
+  app.decorateRequest('session', session);
+
+  const prefix = config.prefix || '/api';
+
+  let addTokens;
+  let editTokens;
+
+  // before
+  t.test('setTokenById', async () => {
+    addTokens = setTokenById({
+      funcs: { config },
+      ids: [JSON.stringify({ add: 'gis.dataset', form: 'test.dataset.form' })],
+      mode: 'a',
+      session,
+      array: 1,
+    });
+    editTokens = setTokenById({
+      funcs: { config },
+      ids: [JSON.stringify({ id: '5400000', table: 'gis.dataset', form: 'test.dataset.form' })],
+      mode: 'w',
+      session,
+      array: 1,
+    });
+    assert.ok(addTokens.length === 1 && editTokens.length === 1, 'invalid token');
+  });
+
+  await t.test('POST /insert', async () => {
+    const res = await app.inject({
+      method: 'POST',
+      url: `${prefix}/crud/${addTokens[0]}`,
+      body: { dataset_name: '<a onClick="alert("XSS Injection")">xss injection</a>', dataset_id: '5400000' },
+    });
+
+    const rep = JSON.parse(res?.body);
+
+    assert.ok(rep.status, 409);
+  });
+
+  await t.test('PUT /update', async () => {
+    const res = await app.inject({
+      method: 'PUT',
+      url: `${prefix}/crud/${editTokens[0]}/${editTokens[0]}`,
+      body: { editor_id: '11', dataset_name: '<a onClick="alert("XSS Injection")">xss injection</a>' },
+    });
+
+    const rep = JSON.parse(res?.body);
+
+    assert.equal(rep.status, 409);
+  });
+  await t.test('DELETE /delete', async () => {
+    const res = await app.inject({
+      method: 'DELETE',
+      url: `${prefix}/crud/gis.dataset/5400000`,
+    });
+
+    const rep = JSON.parse(res?.body);
+    assert.ok(rep);
+  });
+});

package/test/funcs/crud.test.js

@@ -1,6 +1,5 @@
 import { test } from 'node:test';
 import assert from 'node:assert';
-import '../config.js';
 
 import pgClients from '../../pg/pgClients.js';
 import rclient from '../../redis/client.js';
@@ -13,15 +12,18 @@ import isFileExists from '../../crud/funcs/isFileExists.js';
 import getOpt from '../../crud/funcs/getOpt.js';
 import setOpt from '../../crud/funcs/setOpt.js';
 
-test('funcs crud', async (t) => {
+import getIdByToken from '../../crud/funcs/getIdByToken.js';
+import setTokenById from '../../crud/funcs/setTokenById.js';
+import config from '../config.js';
 
+test('funcs crud', async (t) => {
   await t.test('getOpt/setOpt', async () => {
     const opt = await setOpt({ table: 'gis.dataset' });
     const data = await getOpt(opt);
     // console.log(data);
     assert.equal(data.table, 'gis.dataset');
   });
-  
+
   const id = (Math.random() * 10000).toFixed();
   await t.test('dataInsert', async () => {
     const data = await dataInsert({ table: 'gis.dataset', data: { dataset_id: id, dataset_name: '222' } });
@@ -39,10 +41,34 @@ test('funcs crud', async (t) => {
   });
 
   await t.test('isFileExists', async () => {
-    const data = await isFileExists({filepath: '../../crud/funcs/isFileExists.js'});
+    const data = await isFileExists({ filepath: '../../crud/funcs/isFileExists.js' });
     assert.equal(data, false);
   });
 
+  let tokens;
+  const session = { passport: { user: { uid: '1' } } };
+  const tokenData = JSON.stringify({ add: 'gis.dataset', form: 'test.dataset.form' });
+
+  await t.test('setTokenById', async () => {
+    tokens = setTokenById({
+      funcs: { config },
+      ids: [tokenData],
+      mode: 'a',
+      session,
+      array: 1,
+    });
+    assert.equal(tokens.length, 1);
+  });
+  await t.test('getIdByToken', async () => {
+    const data = await getIdByToken({
+      funcs: { config },
+      session,
+      token: tokens[0],
+      mode: 'a',
+    });
+    assert.equal(data, tokenData);
+  });
+
   // pgClients.client.query('delete from gis.dataset where dataset_id=$1', [id]);
   t.after(() => {
     pgClients.client?.end();

package/test/templates/cls/itree.recommend.json

@@ -0,0 +1,26 @@
+[
+  {
+    "id": "3",
+    "text": "Заміна",
+    "en": "Replacement",
+    "color": "#B8860B"
+  },
+  {
+    "id": "2",
+    "text": "Видалення",
+    "en": "Removal",
+    "color": "#8B0000"
+  },
+  {
+    "id": "1",
+    "text": "Обрізка",
+    "en": "Cutting",
+    "color": "#DEB887"
+  },
+  {
+    "id": "4",
+    "text": "Відсутні",
+    "en": "None",
+    "color": "#2E8B57"
+  }
+]

package/test/templates/cls/itree.type_plant.json

@@ -0,0 +1,65 @@
+[
+  {
+    "id": "4",
+    "text": "Газони",
+    "en": "Lawns",
+    "icon": "/assets/image/icon/60936458728884429/3f714a00-6dec-11ea-b853-074b5683525e.svg",
+    "color": "#87a96b",
+    "data": "lawns"
+  },
+  {
+    "id": "8",
+    "text": "Пам’ятка природи",
+    "en": "Landmark",
+    "color": "blue",
+    "data": "landmark"
+  },
+  {
+    "id": "7",
+    "text": "Пеньок",
+    "en": "Stump",
+    "icon": "/assets/image/icon/2322523888191276250/52ec1310-0d2b-11eb-ab6a-23ffd484ced7.svg",
+    "color": "#63594C",
+    "data": "stump"
+  },
+  {
+    "id": "2",
+    "text": "Дерева",
+    "en": "Tree",
+    "icon": "/assets/image/icon/2202400955901674510/ba471bb0-5b13-11ea-9003-07912ed5d347.svg",
+    "color": "#66cd00",
+    "data": "tree"
+  },
+  {
+    "id": "6",
+    "text": "Лунка",
+    "en": "Digger",
+    "icon": "/assets/image/icon/2322523536775709909/50634550-0d2b-11eb-ab6a-23ffd484ced7.svg",
+    "color": "#cdb79e",
+    "data": "digger"
+  },
+  {
+    "id": "1",
+    "text": "Кущі",
+    "en": "Bush",
+    "icon": "/assets/image/icon/2202401113020302354/c62b1580-5b13-11ea-9003-07912ed5d347.svg",
+    "color": "#556b2f",
+    "data": "bush"
+  },
+  {
+    "id": "3",
+    "text": "Живопліт",
+    "en": "Hedge",
+    "icon": "/assets/image/icon/59524404264212563/dd365ec0-6e6d-11ea-bc2a-d3dca36653f0.svg",
+    "color": "#9fa91f",
+    "data": "hedge"
+  },
+  {
+    "id": "5",
+    "text": "Квітники",
+    "en": "Flowers",
+    "icon": "/assets/image/icon/2254649206885057992/e961fa00-5b13-11ea-9003-07912ed5d347.svg",
+    "color": "#ff7f24",
+    "data": "flowers"
+  }
+]

package/test/templates/select/contact_id.sql

@@ -0,0 +1 @@
+select contact_id, coalesce(last_name,'')||' '||coalesce(first_name,'') from crm_acc.crm_contact order by last_name

package/test/templates/table/green_space.table.json

@@ -274,9 +274,9 @@
   ],
   "filterInline": [
     {
-      "label": "Дата",
-      "id": "cdate",
-      "type": "Date"
+      "label": "Інвентарний номер",
+      "id": "invent_number",
+      "type": "Text"
     }
   ],
   "filterCustom": [