@opengis/fastify-table 1.1.121 → 1.1.122

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@opengis/fastify-table",
-  "version": "1.1.121",
+  "version": "1.1.122",
   "type": "module",
   "description": "core-plugins",
   "keywords": ["fastify", "table", "crud", "pg", "backend" ],

package/server/plugins/pg/funcs/getMeta.js

@@ -9,18 +9,19 @@ export default async function getMeta(opt) {
 
   if (data[table]) return data[table];
 
-  if (!pg.tlist?.includes(table)) {
+  if (!pg.tlist?.includes(table.replace(/"/g, ''))) {
     return { error: `${table} - not found`, status: 400 };
   }
 
-  const { fields } = await pg.query(`select * from ${table} where $1=$1 limit 0`, [1]);
-  const pks1 = await pg.query(`SELECT json_object_agg(c.conrelid::regclass, a.attname) as pks1 FROM pg_constraint c 
-  left join pg_attribute a on c.conrelid=a.attrelid and a.attnum = c.conkey[1] WHERE c.contype='p'::"char" and c.conrelid::regclass = $1::regclass`, [table])
-    .then(el => el.rows[0]?.pks1 || {});
+  const { fields = [] } = await pg.query(`select * from ${table} limit 0`);
+  const { pks1 = {} } = await pg.query(`SELECT json_object_agg(c.conrelid::regclass, a.attname) as pks1 
+  FROM pg_constraint c 
+    left join pg_attribute a on c.conrelid=a.attrelid and a.attnum = c.conkey[1] 
+  WHERE c.contype='p'::"char" and c.conrelid::regclass = $1::regclass`, [table]).then(el => el.rows?.[0] || {});
 
   const pk = table.startsWith('public.') ? pks1[table.replace('public.', '')] : pks1[table];
 
-  const geomAttr = fields.find((el) => pg.pgType[el.dataTypeID] === 'geometry')?.name; // change geometry text to geometry code
+  const geomAttr = fields.find((el) => pg.pgType?.[el.dataTypeID] === 'geometry')?.name; // change geometry text to geometry code
 
   const res = {
     pk, columns: fields, geom: geomAttr, view: pg.relkinds?.[table] === 'v',

package/server/plugins/policy/funcs/checkPolicy.js

@@ -13,20 +13,21 @@ import block from '../sqlInjection.js';
 
 export default function checkPolicy(req) {
   const {
-    originalUrl: path, hostname, query, params, headers, method,
+    originalUrl: path, hostname, query, params, headers, method, session, routeOptions,
   } = req;
-  const isAdmin = process.env.NODE_ENV === 'admin';
-  const user = req.user || req.session?.passport?.user;
+  const body = JSON.stringify(req?.body || {}).substring(30);
+  const isAdmin = process.env.NODE_ENV === 'admin' || hostname.split(':').shift() === config.adminDomain || hostname.startsWith('admin');
+  const user = req.user || session?.passport?.user;
 
   const isUser = config?.debug || !!user;
 
   const isServer = process.argv[2];
-  const { policy = [] } = req.routeOptions?.config || {};
+  const { policy = [] } = routeOptions?.config || {};
 
   /*= == 0.Check superadmin access  === */
   if (policy.includes('superadmin') && user?.user_type !== 'superadmin') {
     logger.file('access', {
-      path, method, params, query, body: JSON.stringify(req?.body || {}).substring(30), message: 'access restricted: not superadmin', uid: user?.uid,
+      path, method, params, query, body, message: 'access restricted: not superadmin', uid: user?.uid,
     });
     return { message: 'access restricted: 0', status: 403 };
   }
@@ -34,7 +35,7 @@ export default function checkPolicy(req) {
   /*= == 1.File injection  === */
   if (JSON.stringify(params || {})?.includes('../') || JSON.stringify(query || {})?.includes('../') || path?.includes('../')) {
     logger.file('injection/file', {
-      path, method, params, query, message: 'access restricted: 1', uid: user?.uid,
+      path, method, params, query, body, message: 'access restricted: 1', uid: user?.uid,
     });
     return { message: 'access restricted: 1', status: 403 };
   }
@@ -50,7 +51,7 @@ export default function checkPolicy(req) {
     const stopWords = block.filter((el) => path.replace(query.polyline, '').includes(el));
     if (stopWords?.length) {
       logger.file('injection/sql', {
-        path, method, stopWords, message: 'access restricted: 2', uid: user?.uid,
+        path, method, params, query, body, stopWords, message: 'access restricted: 2', uid: user?.uid,
       });
       return { message: 'access restricted: 2', status: 403 };
     }
@@ -68,14 +69,16 @@ export default function checkPolicy(req) {
 
   /* === 3. policy: user === */
   if (!user && policy.includes('user') && false) {
-    logger.file('policy/user', { path, method, message: 'access restricted: 3' });
+    logger.file('policy/user', {
+      path, method, params, query, body, message: 'access restricted: 3',
+    });
     return { message: 'access restricted: 3', status: 403 };
   }
 
   /* === 4. policy: referer === */
   if (!headers?.referer?.includes?.(hostname) && policy.includes('referer') && !config.local && !config.debug) {
     logger.file('policy/referer', {
-      path, method, message: 'access restricted: 4', uid: user?.uid,
+      path, method, params, query, body, message: 'access restricted: 4', uid: user?.uid,
     });
     return { message: 'access restricted: 4', status: 403 };
   }
@@ -84,7 +87,7 @@ export default function checkPolicy(req) {
   if (!policy.includes('site') && !isAdmin && !config.local && !config.debug
   && !['/auth/redirect', `${config.prefix || '/api'}/login`].find(el => path.includes(el))) {
     logger.file('policy/site', {
-      path, method, message: 'access restricted: 5', uid: user?.uid,
+      path, method, params, query, body, message: 'access restricted: 5', uid: user?.uid,
     });
     return { message: 'access restricted: 5', status: 403 };
   }
@@ -93,7 +96,7 @@ export default function checkPolicy(req) {
   if (isAdmin && !isUser && isServer && !config.local && !config.debug
     && !path.startsWith(`${config.prefix || '/api'}/login`)) {
     logger.file('policy/api', {
-      path, method, message: 'access restricted: 6', uid: user?.uid,
+      path, method, params, query, body, message: 'access restricted: 6', uid: user?.uid,
     });
     return { message: 'access restricted: 6', status: 403 };
   }