@opengis/fastify-table 1.1.119 → 1.1.121
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/package.json
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import { config } from '@opengis/fastify-table/utils.js';
|
|
1
|
+
import { config, logger } from '@opengis/fastify-table/utils.js';
|
|
2
2
|
import block from '../sqlInjection.js';
|
|
3
3
|
|
|
4
4
|
/**
|
|
@@ -13,8 +13,9 @@ import block from '../sqlInjection.js';
|
|
|
13
13
|
|
|
14
14
|
export default function checkPolicy(req) {
|
|
15
15
|
const {
|
|
16
|
-
originalUrl: path, hostname, query, params, headers
|
|
16
|
+
originalUrl: path, hostname, query, params, headers, method,
|
|
17
17
|
} = req;
|
|
18
|
+
const isAdmin = process.env.NODE_ENV === 'admin';
|
|
18
19
|
const user = req.user || req.session?.passport?.user;
|
|
19
20
|
|
|
20
21
|
const isUser = config?.debug || !!user;
|
|
@@ -24,16 +25,16 @@ export default function checkPolicy(req) {
|
|
|
24
25
|
|
|
25
26
|
/*= == 0.Check superadmin access === */
|
|
26
27
|
if (policy.includes('superadmin') && user?.user_type !== 'superadmin') {
|
|
27
|
-
|
|
28
|
-
path, params, query, body: JSON.stringify(req?.body || {}).substring(30), message: 'access restricted:
|
|
28
|
+
logger.file('access', {
|
|
29
|
+
path, method, params, query, body: JSON.stringify(req?.body || {}).substring(30), message: 'access restricted: not superadmin', uid: user?.uid,
|
|
29
30
|
});
|
|
30
31
|
return { message: 'access restricted: 0', status: 403 };
|
|
31
32
|
}
|
|
32
33
|
|
|
33
34
|
/*= == 1.File injection === */
|
|
34
35
|
if (JSON.stringify(params || {})?.includes('../') || JSON.stringify(query || {})?.includes('../') || path?.includes('../')) {
|
|
35
|
-
|
|
36
|
-
path, params, query, message: 'access restricted: 1',
|
|
36
|
+
logger.file('injection/file', {
|
|
37
|
+
path, method, params, query, message: 'access restricted: 1', uid: user?.uid,
|
|
37
38
|
});
|
|
38
39
|
return { message: 'access restricted: 1', status: 403 };
|
|
39
40
|
}
|
|
@@ -48,7 +49,9 @@ export default function checkPolicy(req) {
|
|
|
48
49
|
// skip polyline param - data filter (geometry bounds)
|
|
49
50
|
const stopWords = block.filter((el) => path.replace(query.polyline, '').includes(el));
|
|
50
51
|
if (stopWords?.length) {
|
|
51
|
-
|
|
52
|
+
logger.file('injection/sql', {
|
|
53
|
+
path, method, stopWords, message: 'access restricted: 2', uid: user?.uid,
|
|
54
|
+
});
|
|
52
55
|
return { message: 'access restricted: 2', status: 403 };
|
|
53
56
|
}
|
|
54
57
|
}
|
|
@@ -65,26 +68,33 @@ export default function checkPolicy(req) {
|
|
|
65
68
|
|
|
66
69
|
/* === 3. policy: user === */
|
|
67
70
|
if (!user && policy.includes('user') && false) {
|
|
68
|
-
|
|
71
|
+
logger.file('policy/user', { path, method, message: 'access restricted: 3' });
|
|
69
72
|
return { message: 'access restricted: 3', status: 403 };
|
|
70
73
|
}
|
|
71
74
|
|
|
72
75
|
/* === 4. policy: referer === */
|
|
73
|
-
if (!
|
|
74
|
-
|
|
76
|
+
if (!headers?.referer?.includes?.(hostname) && policy.includes('referer') && !config.local && !config.debug) {
|
|
77
|
+
logger.file('policy/referer', {
|
|
78
|
+
path, method, message: 'access restricted: 4', uid: user?.uid,
|
|
79
|
+
});
|
|
75
80
|
return { message: 'access restricted: 4', status: 403 };
|
|
76
81
|
}
|
|
77
82
|
|
|
78
83
|
/* === 5. policy: site auth === */
|
|
79
|
-
if (!policy.includes('site') &&
|
|
80
|
-
|
|
84
|
+
if (!policy.includes('site') && !isAdmin && !config.local && !config.debug
|
|
85
|
+
&& !['/auth/redirect', `${config.prefix || '/api'}/login`].find(el => path.includes(el))) {
|
|
86
|
+
logger.file('policy/site', {
|
|
87
|
+
path, method, message: 'access restricted: 5', uid: user?.uid,
|
|
88
|
+
});
|
|
81
89
|
return { message: 'access restricted: 5', status: 403 };
|
|
82
90
|
}
|
|
83
91
|
|
|
84
92
|
/* === 6. base policy: block api, except login === */
|
|
85
|
-
if (
|
|
93
|
+
if (isAdmin && !isUser && isServer && !config.local && !config.debug
|
|
86
94
|
&& !path.startsWith(`${config.prefix || '/api'}/login`)) {
|
|
87
|
-
|
|
95
|
+
logger.file('policy/api', {
|
|
96
|
+
path, method, message: 'access restricted: 6', uid: user?.uid,
|
|
97
|
+
});
|
|
88
98
|
return { message: 'access restricted: 6', status: 403 };
|
|
89
99
|
}
|
|
90
100
|
|
|
@@ -5,7 +5,7 @@ export default async function cronApi(req) {
|
|
|
5
5
|
params = {}, user = {}, hostname,
|
|
6
6
|
} = req;
|
|
7
7
|
|
|
8
|
-
if ((!user.uid || !user.user_type?.includes('admin')) && !hostname?.includes('
|
|
8
|
+
if ((!user.uid || !user.user_type?.includes('admin')) && !hostname?.includes('local')) {
|
|
9
9
|
return { message: 'access restricted', status: 403 };
|
|
10
10
|
}
|
|
11
11
|
|
|
@@ -106,28 +106,36 @@ export default async function dataAPI(req) {
|
|
|
106
106
|
where ${where.join(' and ') || 'true'}
|
|
107
107
|
${order} ${offset} limit ${limit}`
|
|
108
108
|
.replace(/{{uid}}/g, uid);
|
|
109
|
-
|
|
109
|
+
|
|
110
110
|
// if (user?.user_type === 'superadmin') console.log(q);
|
|
111
111
|
|
|
112
112
|
if (query.sql === '1') { return q; }
|
|
113
113
|
|
|
114
114
|
const { rows } = await pg.query(q, (hookData?.id || params.id ? [hookData?.id || params.id] : null) || (query.key && loadTable.key ? [query.key] : []));
|
|
115
115
|
|
|
116
|
-
const filterWhere = [fData.q, search, bbox, queryPolyline, interfaceQuery].filter((el) => el);
|
|
116
|
+
const filterWhere = [fData.q, search, bbox, queryPolyline, interfaceQuery, loadTable.query].filter((el) => el);
|
|
117
117
|
|
|
118
|
+
const aggregates = dbColumns.map((el) => ({ name: el.name, type: pg.pgType[el.dataTypeID] })).filter((el) => ['numeric', 'double precision'].includes(el.type));
|
|
118
119
|
const qCount = `select
|
|
119
120
|
count(*)::int as total,
|
|
120
|
-
count(*) FILTER(WHERE ${filterWhere.
|
|
121
|
+
count(*) FILTER(WHERE ${filterWhere.join(' and ') || 'true'})::int as filtered
|
|
122
|
+
${aggregates.length ? `,${aggregates.map((el) => `sum(${el.name}) FILTER(WHERE ${filterWhere.join(' and ') || 'true'}) as ${el.name}`).join(',')}` : ''}
|
|
121
123
|
from ${table} t ${sqlTable}
|
|
122
124
|
where ${[loadTable.query, accessQuery].filter(el => el).join(' and ') || 'true'} `
|
|
123
125
|
.replace(/{{uid}}/g, uid);
|
|
124
126
|
|
|
125
|
-
|
|
126
|
-
|
|
127
|
+
if (query.sql === '2') { return qCount; }
|
|
128
|
+
|
|
129
|
+
const counts = keyQuery || hookData?.id || params.id
|
|
130
|
+
? { total: rows.length, filtered: rows.length }
|
|
131
|
+
: await pg.queryCache(qCount, { table: loadTable.table, time: 5 }).then(el => el?.rows[0] || {});
|
|
132
|
+
|
|
133
|
+
const { total, filtered } = counts;
|
|
134
|
+
const agg = Object.keys(counts).filter(el => !['total', 'filtered'].includes(el)).reduce((acc, el) => ({ ...acc, [el]: counts[el] }), {});
|
|
127
135
|
|
|
128
136
|
await metaFormat({ rows, table: hookData?.table || params.table });
|
|
129
137
|
const res = {
|
|
130
|
-
time: Date.now() - time, public: ispublic, card: loadTable.card, actions, total, filtered, count: rows.length, pk, form, rows, meta, columns, filters,
|
|
138
|
+
time: Date.now() - time, public: ispublic, card: loadTable.card, actions, total, filtered, count: rows.length, pk, form, agg, rows, meta, columns, filters,
|
|
131
139
|
};
|
|
132
140
|
|
|
133
141
|
// console.log({ add: loadTable.table, form: loadTable.form });
|