npm - @opengis/fastify-table - Versions diffs - 1.1.120 → 1.1.121 - Mend

@opengis/fastify-table 1.1.120 → 1.1.121

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/package.json +1 -1
package/server/plugins/policy/funcs/checkPolicy.js +24 -14

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@opengis/fastify-table",
-  "version": "1.1.120",
+  "version": "1.1.121",
   "type": "module",
   "description": "core-plugins",
   "keywords": ["fastify", "table", "crud", "pg", "backend" ],

package/server/plugins/policy/funcs/checkPolicy.js CHANGED Viewed

@@ -1,4 +1,4 @@
-import { config } from '@opengis/fastify-table/utils.js';
+import { config, logger } from '@opengis/fastify-table/utils.js';
 import block from '../sqlInjection.js';
 /**
@@ -13,8 +13,9 @@ import block from '../sqlInjection.js';
 export default function checkPolicy(req) {
   const {
-    originalUrl: path, hostname, query, params, headers: hs, log, sid = 35,
+    originalUrl: path, hostname, query, params, headers, method,
   } = req;
+  const isAdmin = process.env.NODE_ENV === 'admin';
   const user = req.user || req.session?.passport?.user;
   const isUser = config?.debug || !!user;
@@ -24,16 +25,16 @@ export default function checkPolicy(req) {
   /*= == 0.Check superadmin access  === */
   if (policy.includes('superadmin') && user?.user_type !== 'superadmin') {
-    log.warn('api/superadmin', {
-      path, params, query, body: JSON.stringify(req?.body || {}).substring(30), message: 'access restricted: 0',
+    logger.file('access', {
+      path, method, params, query, body: JSON.stringify(req?.body || {}).substring(30), message: 'access restricted: not superadmin', uid: user?.uid,
     });
     return { message: 'access restricted: 0', status: 403 };
   }
   /*= == 1.File injection  === */
   if (JSON.stringify(params || {})?.includes('../') || JSON.stringify(query || {})?.includes('../') || path?.includes('../')) {
-    log.warn('injection/file', {
-      path, params, query, message: 'access restricted: 1',
+    logger.file('injection/file', {
+      path, method, params, query, message: 'access restricted: 1', uid: user?.uid,
     });
     return { message: 'access restricted: 1', status: 403 };
   }
@@ -48,7 +49,9 @@ export default function checkPolicy(req) {
     // skip polyline param - data filter (geometry bounds)
     const stopWords = block.filter((el) => path.replace(query.polyline, '').includes(el));
     if (stopWords?.length) {
-      log.warn('injection/sql', { stopWords, message: 'access restricted: 2', path });
+      logger.file('injection/sql', {
+        path, method, stopWords, message: 'access restricted: 2', uid: user?.uid,
+      });
       return { message: 'access restricted: 2', status: 403 };
     }
   }
@@ -65,26 +68,33 @@ export default function checkPolicy(req) {
   /* === 3. policy: user === */
   if (!user && policy.includes('user') && false) {
-    log.warn('policy/user', { message: 'access restricted: 3', path });
+    logger.file('policy/user', { path, method, message: 'access restricted: 3' });
     return { message: 'access restricted: 3', status: 403 };
   }
   /* === 4. policy: referer === */
-  if (!hs?.referer?.includes?.(hostname) && policy.includes('referer') && !config.local && !config.debug) {
-    log.warn('policy/referer', { message: 'access restricted: 4', uid: user?.uid });
+  if (!headers?.referer?.includes?.(hostname) && policy.includes('referer') && !config.local && !config.debug) {
+    logger.file('policy/referer', {
+      path, method, message: 'access restricted: 4', uid: user?.uid,
+    });
     return { message: 'access restricted: 4', status: 403 };
   }
   /* === 5. policy: site auth === */
-  if (!policy.includes('site') && sid === 1 && isUser && !config.local && !config.debug) {
-    log.warn('policy/site', { message: 'access restricted: 5', path, uid: user?.uid });
+  if (!policy.includes('site') && !isAdmin && !config.local && !config.debug
+  && !['/auth/redirect', `${config.prefix || '/api'}/login`].find(el => path.includes(el))) {
+    logger.file('policy/site', {
+      path, method, message: 'access restricted: 5', uid: user?.uid,
+    });
     return { message: 'access restricted: 5', status: 403 };
   }
   /* === 6. base policy: block api, except login  === */
-  if (sid === 35 && !isUser && isServer && !config.local && !config.debug
+  if (isAdmin && !isUser && isServer && !config.local && !config.debug
     && !path.startsWith(`${config.prefix || '/api'}/login`)) {
-    log.warn('policy/api', { message: 'access restricted: 6', path, uid: user?.uid });
+    logger.file('policy/api', {
+      path, method, message: 'access restricted: 6', uid: user?.uid,
+    });
     return { message: 'access restricted: 6', status: 403 };
   }