@opengis/fastify-table 1.0.8 → 1.0.9

package/.eslintrc.cjs

@@ -1,42 +1,42 @@
-/* eslint-env node */
-
-module.exports = {
-  env: {
-    node: true,
-  },
-  root: true,
-  extends: [
-    'eslint:recommended',
-    'airbnb-base',
-
-  ],
-  rules: {
-    'brace-style': [2, 'stroustrup', { allowSingleLine: true }],
-    'vue/max-attributes-per-line': 0,
-    'vue/valid-v-for': 0,
-
-    // allow async-await
-    'generator-star-spacing': 'off',
-
-    // allow paren-less arrow functions
-    'arrow-parens': 0,
-    'one-var': 0,
-    'max-len': 0,
-    'import/first': 0,
-    'import/named': 2,
-    'import/namespace': 2,
-    'import/default': 2,
-    'import/export': 2,
-    'import/extensions': 0,
-    'no-console': ['warn', { allow: ['warn', 'error'] }],
-    'import/no-unresolved': 0,
-    'import/no-extraneous-dependencies': 0,
-    'linebreak-style': ['error', 'unix'],
-    // allow debugger during development
-    'no-debugger': process.env.NODE_ENV === 'production' ? 2 : 0,
-  },
-
-  parserOptions: {
-    ecmaVersion: 'latest',
-  },
-};
+/* eslint-env node */
+
+module.exports = {
+  env: {
+    node: true,
+  },
+  root: true,
+  extends: [
+    'eslint:recommended',
+    'airbnb-base',
+
+  ],
+  rules: {
+    'brace-style': [2, 'stroustrup', { allowSingleLine: true }],
+    'vue/max-attributes-per-line': 0,
+    'vue/valid-v-for': 0,
+
+    // allow async-await
+    'generator-star-spacing': 'off',
+
+    // allow paren-less arrow functions
+    'arrow-parens': 0,
+    'one-var': 0,
+    'max-len': 0,
+    'import/first': 0,
+    'import/named': 2,
+    'import/namespace': 2,
+    'import/default': 2,
+    'import/export': 2,
+    'import/extensions': 0,
+    'no-console': ['warn', { allow: ['warn', 'error'] }],
+    'import/no-unresolved': 0,
+    'import/no-extraneous-dependencies': 0,
+    'linebreak-style': ['error', 'unix'],
+    // allow debugger during development
+    'no-debugger': process.env.NODE_ENV === 'production' ? 2 : 0,
+  },
+
+  parserOptions: {
+    ecmaVersion: 'latest',
+  },
+};

package/Changelog.md

@@ -0,0 +1,47 @@
+# fastify-table
+
+## 1.0.9 - 29.04.2024
+
+- crud token support
+- security - xss restriction
+
+## 1.0.8 - 29.04.2024
+
+- filter fix
+
+## 1.0.7 - 26.04.2024
+
+- code optimization
+
+## 1.0.6 - 25.04.2024
+
+- code optimization
+
+## 1.0.5 - 24.04.2024
+
+- code optimization
+
+## 1.0.4 - 20.04.2024
+
+- data api - order
+- suggest api - db support
+- del api fix  
+
+## 1.0.3 - 17.04.2024
+
+- fix unit test
+
+## 1.0.2 - 14.04.2024
+
+- fix redis
+
+## 1.0.1 - 14.04.2024
+
+- fix redis
+
+## 1.0.0 - 14.04.2024
+
+- crud
+- pg
+- redis
+- table

package/README.md

@@ -1,26 +1,26 @@
-# fastify-table
-
-[![NPM version](https://img.shields.io/npm/v/@opengis/fastify-table)](https://www.npmjs.com/package/@opengis/fastify-table)
-[![js-standard-style](https://img.shields.io/badge/code%20style-standard-brightgreen.svg?style=flat)](http://standardjs.com/)
-
-It standardizes the entire form building process, while taking care of everything from rendering to validation and processing:
-
-- pg
-- redis
-- crud
-
-## Install
-
-```bash
-npm i @opengis/fastify-table
-```
-
-## Usage
-
-```js
-fastify.register(import('@opengis/fastify-table'), config);
-```
-
-## Documenation
-
-For a detailed understanding fastify-table, its features, and how to use them, refer to our [Documentation](https://apidocs.softpro.ua/gis.storage/).
+# fastify-table
+
+[![NPM version](https://img.shields.io/npm/v/@opengis/fastify-table)](https://www.npmjs.com/package/@opengis/fastify-table)
+[![js-standard-style](https://img.shields.io/badge/code%20style-standard-brightgreen.svg?style=flat)](http://standardjs.com/)
+
+It standardizes the entire form building process, while taking care of everything from rendering to validation and processing:
+
+- pg
+- redis
+- crud
+
+## Install
+
+```bash
+npm i @opengis/fastify-table
+```
+
+## Usage
+
+```js
+fastify.register(import('@opengis/fastify-table'), config);
+```
+
+## Documenation
+
+For a detailed understanding fastify-table, its features, and how to use them, refer to our [Documentation](https://apidocs.softpro.ua/gis.storage/).

package/config.js

@@ -1,3 +1,11 @@
-// import pg from './pg'
-const config = { allTemplates: {} };
-export default config;
+import fs from 'fs';
+
+const config = fs.existsSync('config.json')
+  ? JSON.parse(fs.readFileSync('config.json'))
+  : {};
+
+Object.assign(config, {
+  allTemplates: config?.allTemplates || {},
+});
+
+export default config;

package/crud/controllers/deleteCrud.js

@@ -1,10 +1,10 @@
-import dataDelete from '../funcs/dataDelete.js';
-
-export default async function deleteCrud(req) {
-  const { table, id } = req.params || {};
-  if (!table) return { status: 404, message: 'table is required' };
-
-  const data = await dataDelete({ table, id });
-
-  return { rowCount: data.rowCount, msg: !data.rowCount ? data : null };
-}
+import dataDelete from '../funcs/dataDelete.js';
+
+export default async function deleteCrud(req) {
+  const { table, id } = req.params || {};
+  if (!table) return { status: 404, message: 'table is required' };
+
+  const data = await dataDelete({ table, id });
+
+  return { rowCount: data.rowCount, msg: !data.rowCount ? data : null };
+}

package/crud/controllers/insert.js

@@ -1,9 +1,28 @@
-import dataInsert from '../funcs/dataInsert.js';
-
-export default async function insert(req) {
-  const { table } = req.params || {};
-  if (!table) return { status: 404, message: 'table is required' };
-
-  const res = await dataInsert({ table, data: req.body });
-  return res;
-}
+import dataInsert from '../funcs/dataInsert.js';
+import getIdByToken from '../funcs/getIdByToken.js';
+import checkXSS from './utils/checkXSS.js';
+import getTemplate from '../../table/controllers/utils/getTemplate.js';
+
+export default async function insert(req) {
+  const { table } = req.params || {};
+  if (!table) return { status: 404, message: 'table is required' };
+
+  const { funcs, session, params } = req;
+  const tokenDataString = await getIdByToken({
+    funcs, session, token: params.table, mode: 'a', json: 0,
+  });
+
+  const { form, add } = JSON.parse(tokenDataString || '{}');
+
+  const formData = form ? await getTemplate('form', form) : {};
+
+  const xssCheck = checkXSS({ body: req.body, schema: formData?.schema });
+
+  if (xssCheck.error && formData?.xssCheck !== false) {
+    req.log.warn({ name: 'injection/xss', msg: xssCheck.error, table }, req);
+    return { message: 'Дані містять заборонені символи. Приберіть їх та спробуйте ще раз', status: 409 };
+  }
+
+  const res = await dataInsert({ table: add || table, data: req.body });
+  return res;
+}

package/crud/controllers/update.js

@@ -1,10 +1,29 @@
-import dataUpdate from '../funcs/dataUpdate.js';
-
-export default async function update(req) {
-  const { table, id } = req.params || {};
-  if (!table) return { status: 404, message: 'table is required' };
-  if (!id) return { status: 404, message: 'id is required' };
-
-  const res = await dataUpdate({ table, id, data: req.body });
-  return res;
-}
+import dataUpdate from '../funcs/dataUpdate.js';
+import getIdByToken from '../funcs/getIdByToken.js';
+import checkXSS from './utils/checkXSS.js';
+import getTemplate from '../../table/controllers/utils/getTemplate.js';
+
+export default async function update(req) {
+  const { table, id } = req.params || {};
+  if (!req.params?.table) return { message: 'table is required', status: 404 };
+  if (!id) return { message: 'id is required', status: 404 };
+
+  const { funcs, session, params } = req;
+  const tokenDataString = await getIdByToken({
+    funcs, session, token: params.table, mode: 'w', json: 0,
+  });
+
+  const tokenData = JSON.parse(tokenDataString || '{}');
+
+  const formData = tokenData?.form ? await getTemplate('form', tokenData.form) : {};
+
+  const xssCheck = checkXSS({ body: req.body, schema: formData?.schema });
+
+  if (xssCheck.error && formData?.xssCheck !== false) {
+    req.log.warn({ name: 'injection/xss', msg: xssCheck.error, table }, req);
+    return { message: 'Дані містять заборонені символи. Приберіть їх та спробуйте ще раз', status: 409 };
+  }
+
+  const res = await dataUpdate({ table: tokenData?.table || table, id: tokenData?.id || id, data: req.body });
+  return res;
+}

package/crud/controllers/utils/checkXSS.js

@@ -0,0 +1,45 @@
+/* import sqlInjection from '../../../policy/funcs/sqlInjection.js'; */
+import xssInjection from './xssInjection.js';
+
+/* const checkList = xssInjection.concat(sqlInjection); */
+
+// RTE - rich text editor
+
+function checkXSS({ body, schema = {} }) {
+  const data = typeof body === 'string' ? body : JSON.stringify(body);
+  const stopWords = xssInjection.filter((el) => data.toLowerCase().includes(el));
+
+  // check sql injection
+  const stopSpecialSymbols = data.match(/\p{S}OR\p{S}|\p{P}OR\p{P}| OR |\+OR\+/gi);
+  if (stopSpecialSymbols?.length) stopSpecialSymbols?.forEach((el) => stopWords.push(el));
+
+  // escape arrows on non-RTE
+  Object.keys(body)
+    .filter((key) => ['<', '>'].find((el) => body[key].includes(el))
+  && !['Summernote', 'Tiny', 'Ace'].includes(schema[key]?.type))
+    ?.forEach((key) => {
+      Object.assign(body, { [key]: body[key].replace(/</g, '&lt;').replace(/>/g, '&gt;') });
+    });
+  // try { } catch (err) { return { error: err.toString() }; }
+
+  if (!stopWords.length) return { body };
+
+  const disabledCheckFields = Object.keys(schema)?.filter((el) => schema[el]?.xssCheck === false); // exclude specific columns
+
+  // check RTE
+  /* const richTextFields = Object.keys(schema).filter((el) => ['Summernote', 'Tiny', 'Ace'].includes(schema[el]?.type));
+  richTextFields.filter((key) => !checkList.find((el) => body[key].includes(el)))?.forEach((key) => {
+    disabledCheckFields.push(key);
+  }); */
+
+  const field = Object.keys(body)
+    ?.find((key) => body[key]
+        && !disabledCheckFields.includes(key)
+        && body[key].toLowerCase().includes(stopWords[0]));
+  if (field) {
+    return { error: `rule: ${stopWords[0]} | attr: ${field} | val: ${body[field]}`, body };
+  }
+  return { body };
+}
+
+export default checkXSS;

package/crud/controllers/utils/xssInjection.js

@@ -0,0 +1,72 @@
+const xssInjection = [
+  'onkeypress=',
+  'onkeyup=',
+  'ondblclick=',
+  'onerror=',
+  'onmouseover=',
+  '<meta',
+  '<script',
+  'vascript:',
+  'onkeydown=',
+  'onmousedown=',
+  'onmouseenter=',
+  'onmouseleave=',
+  'onmousemove=',
+  'onmouseout=',
+  'onmouseup=',
+  'onmousewheel=',
+  'onpaste=',
+  'onscroll=',
+  'onwheel=',
+  'javascript:',
+  '\\x',
+  'eval(',
+  'onmouseover=',
+  'action=',
+  'xlink:',
+  'allowscriptaccess',
+  'href=',
+  'behavior:',
+  'onreadystatechange=',
+  'onstart=',
+  'offline=',
+  'onabort=',
+  'onafterprint=',
+  'onbeforeonload=',
+  'onbeforeprint=',
+  'onblur=',
+  'oncanplay=',
+  'oncanplaythrough=',
+  'onchange=',
+  'onclick=',
+  'oncontextmenu=',
+  'ondblclick=',
+  'ondrag=',
+  'ondragend=',
+  'ondragenter=',
+  'ondragleave=',
+  'ondragover=',
+  'ondragstart=',
+  'ondrop=',
+  'ondurationchange=',
+  'onemptied=',
+  'onended=',
+  'onerror=',
+  'onfocus=',
+  'onformchange=',
+  'onforminput=',
+  'onhaschange=',
+  'oninput=',
+  'oninvalid=',
+  'onkeydown=',
+  'onkeypress=',
+  'onkeyup=',
+  'onload=',
+  'onloadeddata=',
+  'onloadedmetadata=',
+  'onloadstart=',
+  'alert(',
+  'script:',
+];
+
+export default xssInjection;

package/crud/funcs/dataDelete.js

@@ -1,15 +1,15 @@
-import getPG from '../../pg/funcs/getPG.js';
-
-import getMeta from '../../pg/funcs/getMeta.js';
-
-export default async function dataDelete({
-  table, id,
-}) {
-  const pg = getPG({ name: 'client' });
-  const { pk } = await getMeta(table);
-  if (!pg.tlist.includes(table)) return 'table not exist';
-  const delQuery = `delete from ${table} WHERE ${pk} = $1 returning *`;
-  //  console.log(updateDataset);
-  const res = await pg.one(delQuery, [id]) || {};
-  return res;
-}
+import getPG from '../../pg/funcs/getPG.js';
+
+import getMeta from '../../pg/funcs/getMeta.js';
+
+export default async function dataDelete({
+  table, id,
+}) {
+  const pg = getPG({ name: 'client' });
+  const { pk } = await getMeta(table);
+  if (!pg.tlist.includes(table)) return 'table not exist';
+  const delQuery = `delete from ${table} WHERE ${pk} = $1 returning *`;
+  //  console.log(updateDataset);
+  const res = await pg.one(delQuery, [id]) || {};
+  return res;
+}

package/crud/funcs/dataInsert.js

@@ -1,24 +1,24 @@
-import getPG from '../../pg/funcs/getPG.js';
-import getMeta from '../../pg/funcs/getMeta.js';
-
-export default async function dataInsert({ table, data }) {
-  const pg = getPG({ name: 'client' });
-  if (!data) return null;
-  const { columns } = await getMeta(table);
-  if (!columns) return null;
-
-  const names = columns.map((el) => el.name);
-  const filterData = Object.keys(data)
-    .filter((el) => data[el] && names.includes(el)).map((el) => [el, data[el]]);
-
-  const insertQuery = `insert into ${table}
-
-    ( ${filterData?.map((key) => `"${key[0]}"`).join(',')}) 
-
-    values  (${filterData?.map((key, i) => `$${i + 1}`).join(',')}) 
-    
-    returning *`;
-  //  console.log(updateDataset);
-  const res = await pg.one(insertQuery, [...filterData.map((el) => (typeof el[1] === 'object' ? JSON.stringify(el[1]) : el[1]))]) || {};
-  return res;
-}
+import getPG from '../../pg/funcs/getPG.js';
+import getMeta from '../../pg/funcs/getMeta.js';
+
+export default async function dataInsert({ table, data }) {
+  const pg = getPG({ name: 'client' });
+  if (!data) return null;
+  const { columns } = await getMeta(table);
+  if (!columns) return null;
+
+  const names = columns.map((el) => el.name);
+  const filterData = Object.keys(data)
+    .filter((el) => data[el] && names.includes(el)).map((el) => [el, data[el]]);
+
+  const insertQuery = `insert into ${table}
+
+    ( ${filterData?.map((key) => `"${key[0]}"`).join(',')}) 
+
+    values  (${filterData?.map((key, i) => `$${i + 1}`).join(',')}) 
+    
+    returning *`;
+  await pg.query('DROP TRIGGER if exists dataset_before_update_insert ON gis.dataset');
+  const res = await pg.one(insertQuery, [...filterData.map((el) => (typeof el[1] === 'object' ? JSON.stringify(el[1]) : el[1]))]) || {};
+  return res;
+}

package/crud/funcs/getIdByToken.js

@@ -0,0 +1,29 @@
+import getRedis from '../../redis/funcs/getRedis.js';
+
+function sprintf(str, ...args) {
+  return str.replace(/%s/g, () => args.shift());
+}
+
+const keys = {
+  r: '%s:token:view:%s',
+  a: '%s:token:add:%s',
+  w: '%s:token:edit:%s',
+  e: '%s:token:exec:%s',
+};
+
+async function getIdByToken({
+  funcs, session, token, mode = 'r', json,
+}) {
+  if (mode === 'r') return token;
+
+  const { config } = funcs;
+  const { uid } = session?.passport?.user || (config.local ? { uid: '1' } : {});
+
+  const rclient2 = getRedis({ db: 2, funcs });
+
+  const key = sprintf(keys[mode], config?.pg?.database, uid);
+  const id = await rclient2.hget(key, token);
+  return json && id[0] === '{' ? JSON.parse(id) : id;
+}
+
+export default getIdByToken;

package/crud/funcs/isFileExists.js

@@ -1,13 +1,13 @@
-import { access } from 'fs/promises';
-
-const isFileExists = async (filepath) => {
-  try {
-    await access(filepath);
-    return true;
-  }
-  catch (err) {
-    return false;
-  }
-};
-
-export default isFileExists;
+import { access } from 'fs/promises';
+
+const isFileExists = async (filepath) => {
+  try {
+    await access(filepath);
+    return true;
+  }
+  catch (err) {
+    return false;
+  }
+};
+
+export default isFileExists;

package/crud/funcs/setTokenById.js

@@ -0,0 +1,55 @@
+import { createHash, randomUUID } from 'crypto';
+
+import getRedis from '../../redis/funcs/getRedis.js';
+
+const generateCodes = (ids, userToken) => {
+  const token = userToken || randomUUID();
+  const notNullIds = ids.filter((el) => el);
+  const obj = {};
+  const codes = notNullIds.reduce((acc, id) => {
+    const newToken = createHash('sha1').update(token + id).digest('base64url').replace(/-/g, '');
+    acc[newToken] = id; obj[id] = newToken;
+    return acc;
+  }, {});
+  return { codes, obj };
+};
+
+function setTokenById({
+  funcs, ids: idsOrigin, mode = 'r', session, referer, array,
+}) {
+  const { config } = funcs;
+  const { uid } = session?.passport?.user || (config.local ? { uid: '1' } : {});
+
+  const rclient2 = getRedis({ db: 2, funcs });
+  const rclient5 = getRedis({ db: 5, funcs });
+
+  if (!uid) return { user: 'empty' };
+  if (!Object.keys(idsOrigin).length) return { ids: 'empty' };
+
+  const ids = idsOrigin.map((el) => (typeof el === 'object' ? JSON.stringify(el) : el));
+  // update/delete
+
+  if (mode === 'r') return null;
+
+  // TODO generate salt
+  const { codes, obj } = generateCodes(ids, uid);
+
+  if (!Object.keys(codes).length) return { ids: 'empty' };
+
+  rclient2.hmset(`${config.pg.database}:token:${{
+    e: 'exec', r: 'view', w: 'edit', a: 'add',
+  }[mode]}:${uid}`, codes);
+
+  // log token for debug. add extra data - uid, mode, date
+  const dt = new Date().toISOString();
+  const codesLog = Object.keys(codes).reduce((acc, key) => {
+    acc[key] = `{"referer": "${referer}" ,"uid":"${uid}","mode":"${mode}","date":"${dt}",${codes[key].substr(1)}`;
+    return acc;
+  }, {});
+  rclient5.hmset(`${config.pg.database}:token:edit`, codesLog); // 'EX', 64800
+
+  // TODO дополнительно писать в hset token -> uid
+  return array ? Object.values(obj) : obj;
+}
+
+export default setTokenById;

package/helper.js

@@ -1,28 +1,28 @@
-// This file contains code that we reuse
-// between our tests.
-import Fastify from 'fastify';
-import config from './test/config.js';
-import appService from './index.js';
-
-import rclient from './redis/client.js';
-import pgClients from './pg/pgClients.js';
-
-// automatically build and tear down our instance
-async function build(t) {
-  // you can set all the options supported by the fastify CLI command
-  // const argv = [AppPath]
-  process.env.NODE_ENV = 'production';
-  const app = Fastify({ logger: false });
-  app.register(appService, config);
-  // close the app after we are done
-  t.after(() => {
-    // console.log('close app');
-    pgClients.client.end();
-    rclient.quit();
-    app.close();
-  });
-
-  return app;
-}
-
-export default build;
+// This file contains code that we reuse
+// between our tests.
+import Fastify from 'fastify';
+import config from './test/config.js';
+import appService from './index.js';
+
+import rclient from './redis/client.js';
+import pgClients from './pg/pgClients.js';
+
+// automatically build and tear down our instance
+async function build(t) {
+  // you can set all the options supported by the fastify CLI command
+  // const argv = [AppPath]
+  process.env.NODE_ENV = 'production';
+  const app = Fastify({ logger: false });
+  app.register(appService, config);
+  // close the app after we are done
+  t.after(() => {
+    // console.log('close app');
+    pgClients.client.end();
+    rclient.quit();
+    app.close();
+  });
+
+  return app;
+}
+
+export default build;