@opengis/fastify-table 1.1.120 → 1.1.122

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/package.json +1 -1
  2. package/server/plugins/pg/funcs/getMeta.js +7 -6
  3. package/server/plugins/policy/funcs/checkPolicy.js +29 -16
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@opengis/fastify-table",
3
- "version": "1.1.120",
3
+ "version": "1.1.122",
4
4
  "type": "module",
5
5
  "description": "core-plugins",
6
6
  "keywords": ["fastify", "table", "crud", "pg", "backend" ],
package/server/plugins/pg/funcs/getMeta.js CHANGED
@@ -9,18 +9,19 @@ export default async function getMeta(opt) {
9
9
 
10
10
  if (data[table]) return data[table];
11
11
 
12
- if (!pg.tlist?.includes(table)) {
12
+ if (!pg.tlist?.includes(table.replace(/"/g, ''))) {
13
13
  return { error: `${table} - not found`, status: 400 };
14
14
  }
15
15
 
16
- const { fields } = await pg.query(`select * from ${table} where $1=$1 limit 0`, [1]);
17
- const pks1 = await pg.query(`SELECT json_object_agg(c.conrelid::regclass, a.attname) as pks1 FROM pg_constraint c
18
- left join pg_attribute a on c.conrelid=a.attrelid and a.attnum = c.conkey[1] WHERE c.contype='p'::"char" and c.conrelid::regclass = $1::regclass`, [table])
19
- .then(el => el.rows[0]?.pks1 || {});
16
+ const { fields = [] } = await pg.query(`select * from ${table} limit 0`);
17
+ const { pks1 = {} } = await pg.query(`SELECT json_object_agg(c.conrelid::regclass, a.attname) as pks1
18
+ FROM pg_constraint c
19
+ left join pg_attribute a on c.conrelid=a.attrelid and a.attnum = c.conkey[1]
20
+ WHERE c.contype='p'::"char" and c.conrelid::regclass = $1::regclass`, [table]).then(el => el.rows?.[0] || {});
20
21
 
21
22
  const pk = table.startsWith('public.') ? pks1[table.replace('public.', '')] : pks1[table];
22
23
 
23
- const geomAttr = fields.find((el) => pg.pgType[el.dataTypeID] === 'geometry')?.name; // change geometry text to geometry code
24
+ const geomAttr = fields.find((el) => pg.pgType?.[el.dataTypeID] === 'geometry')?.name; // change geometry text to geometry code
24
25
 
25
26
  const res = {
26
27
  pk, columns: fields, geom: geomAttr, view: pg.relkinds?.[table] === 'v',
package/server/plugins/policy/funcs/checkPolicy.js CHANGED
@@ -1,4 +1,4 @@
1
- import { config } from '@opengis/fastify-table/utils.js';
1
+ import { config, logger } from '@opengis/fastify-table/utils.js';
2
2
  import block from '../sqlInjection.js';
3
3
 
4
4
  /**
@@ -13,27 +13,29 @@ import block from '../sqlInjection.js';
13
13
 
14
14
  export default function checkPolicy(req) {
15
15
  const {
16
- originalUrl: path, hostname, query, params, headers: hs, log, sid = 35,
16
+ originalUrl: path, hostname, query, params, headers, method, session, routeOptions,
17
17
  } = req;
18
- const user = req.user || req.session?.passport?.user;
18
+ const body = JSON.stringify(req?.body || {}).substring(30);
19
+ const isAdmin = process.env.NODE_ENV === 'admin' || hostname.split(':').shift() === config.adminDomain || hostname.startsWith('admin');
20
+ const user = req.user || session?.passport?.user;
19
21
 
20
22
  const isUser = config?.debug || !!user;
21
23
 
22
24
  const isServer = process.argv[2];
23
- const { policy = [] } = req.routeOptions?.config || {};
25
+ const { policy = [] } = routeOptions?.config || {};
24
26
 
25
27
  /*= == 0.Check superadmin access === */
26
28
  if (policy.includes('superadmin') && user?.user_type !== 'superadmin') {
27
- log.warn('api/superadmin', {
28
- path, params, query, body: JSON.stringify(req?.body || {}).substring(30), message: 'access restricted: 0',
29
+ logger.file('access', {
30
+ path, method, params, query, body, message: 'access restricted: not superadmin', uid: user?.uid,
29
31
  });
30
32
  return { message: 'access restricted: 0', status: 403 };
31
33
  }
32
34
 
33
35
  /*= == 1.File injection === */
34
36
  if (JSON.stringify(params || {})?.includes('../') || JSON.stringify(query || {})?.includes('../') || path?.includes('../')) {
35
- log.warn('injection/file', {
36
- path, params, query, message: 'access restricted: 1',
37
+ logger.file('injection/file', {
38
+ path, method, params, query, body, message: 'access restricted: 1', uid: user?.uid,
37
39
  });
38
40
  return { message: 'access restricted: 1', status: 403 };
39
41
  }
@@ -48,7 +50,9 @@ export default function checkPolicy(req) {
48
50
  // skip polyline param - data filter (geometry bounds)
49
51
  const stopWords = block.filter((el) => path.replace(query.polyline, '').includes(el));
50
52
  if (stopWords?.length) {
51
- log.warn('injection/sql', { stopWords, message: 'access restricted: 2', path });
53
+ logger.file('injection/sql', {
54
+ path, method, params, query, body, stopWords, message: 'access restricted: 2', uid: user?.uid,
55
+ });
52
56
  return { message: 'access restricted: 2', status: 403 };
53
57
  }
54
58
  }
@@ -65,26 +69,35 @@ export default function checkPolicy(req) {
65
69
 
66
70
  /* === 3. policy: user === */
67
71
  if (!user && policy.includes('user') && false) {
68
- log.warn('policy/user', { message: 'access restricted: 3', path });
72
+ logger.file('policy/user', {
73
+ path, method, params, query, body, message: 'access restricted: 3',
74
+ });
69
75
  return { message: 'access restricted: 3', status: 403 };
70
76
  }
71
77
 
72
78
  /* === 4. policy: referer === */
73
- if (!hs?.referer?.includes?.(hostname) && policy.includes('referer') && !config.local && !config.debug) {
74
- log.warn('policy/referer', { message: 'access restricted: 4', uid: user?.uid });
79
+ if (!headers?.referer?.includes?.(hostname) && policy.includes('referer') && !config.local && !config.debug) {
80
+ logger.file('policy/referer', {
81
+ path, method, params, query, body, message: 'access restricted: 4', uid: user?.uid,
82
+ });
75
83
  return { message: 'access restricted: 4', status: 403 };
76
84
  }
77
85
 
78
86
  /* === 5. policy: site auth === */
79
- if (!policy.includes('site') && sid === 1 && isUser && !config.local && !config.debug) {
80
- log.warn('policy/site', { message: 'access restricted: 5', path, uid: user?.uid });
87
+ if (!policy.includes('site') && !isAdmin && !config.local && !config.debug
88
+ && !['/auth/redirect', `${config.prefix || '/api'}/login`].find(el => path.includes(el))) {
89
+ logger.file('policy/site', {
90
+ path, method, params, query, body, message: 'access restricted: 5', uid: user?.uid,
91
+ });
81
92
  return { message: 'access restricted: 5', status: 403 };
82
93
  }
83
94
 
84
95
  /* === 6. base policy: block api, except login === */
85
- if (sid === 35 && !isUser && isServer && !config.local && !config.debug
96
+ if (isAdmin && !isUser && isServer && !config.local && !config.debug
86
97
  && !path.startsWith(`${config.prefix || '/api'}/login`)) {
87
- log.warn('policy/api', { message: 'access restricted: 6', path, uid: user?.uid });
98
+ logger.file('policy/api', {
99
+ path, method, params, query, body, message: 'access restricted: 6', uid: user?.uid,
100
+ });
88
101
  return { message: 'access restricted: 6', status: 403 };
89
102
  }
90
103