@opengis/fastify-table 1.1.121 → 1.1.123
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/server/plugins/crud/funcs/utils/logChanges.js +1 -1
- package/server/plugins/pg/funcs/getMeta.js +10 -7
- package/server/plugins/policy/funcs/checkPolicy.js +14 -11
- package/server/routes/crud/index.js +5 -4
- package/server/routes/logger/index.js +1 -1
- package/server/routes/table/index.js +7 -6
package/package.json
CHANGED
|
@@ -26,7 +26,7 @@ export default async function logChanges({
|
|
|
26
26
|
|
|
27
27
|
const { fields = [] } = await pg.query(`select * from ${table} limit 0`);
|
|
28
28
|
const columnList = fields.map((el) => el?.name);
|
|
29
|
-
const q = `select ${Object.keys(data || {}).filter((el) => columnList.includes(el)).join(',') || '*'} from ${table} where ${pg.pk?.[table]}=$1`;
|
|
29
|
+
const q = `select ${Object.keys(data || {}).filter((el) => columnList.includes(el)).map(el => `"${el.replace(/'/g, "''")}"`).join(',') || '*'} from ${table} where ${pg.pk?.[table]}=$1`;
|
|
30
30
|
// console.log(q, type, id);
|
|
31
31
|
|
|
32
32
|
const old = type !== 'INSERT' ? await pg.query(q, [id]).then((res) => res.rows?.[0] || {}) : {};
|
|
@@ -9,18 +9,21 @@ export default async function getMeta(opt) {
|
|
|
9
9
|
|
|
10
10
|
if (data[table]) return data[table];
|
|
11
11
|
|
|
12
|
-
if (!pg.tlist?.includes(table)) {
|
|
12
|
+
if (!pg.tlist?.includes(table.replace(/"/g, ''))) {
|
|
13
13
|
return { error: `${table} - not found`, status: 400 };
|
|
14
14
|
}
|
|
15
15
|
|
|
16
|
-
const { fields } = await pg.query(`select * from ${table}
|
|
17
|
-
const pks1 = await pg.query(`SELECT json_object_agg(c.conrelid::regclass, a.attname) as pks1
|
|
18
|
-
|
|
19
|
-
.
|
|
16
|
+
const { fields = [] } = await pg.query(`select * from ${table} limit 0`);
|
|
17
|
+
const { pks1 = {} } = await pg.query(`SELECT json_object_agg(c.conrelid::regclass, a.attname) as pks1
|
|
18
|
+
FROM pg_constraint c
|
|
19
|
+
left join pg_attribute a on c.conrelid=a.attrelid and a.attnum = c.conkey[1]
|
|
20
|
+
WHERE c.contype='p'::"char" and c.conrelid::regclass = $1::regclass`, [table]).then(el => el.rows?.[0] || {});
|
|
20
21
|
|
|
21
|
-
const pk = table.startsWith('public.')
|
|
22
|
+
const pk = table.startsWith('public.')
|
|
23
|
+
? (pks1[table.replace('public.', '')] || pks1[table.replace('public.', '').replace(/"/g, '')])
|
|
24
|
+
: (pks1[table] || pks1[table.replace(/"/g, '')]);
|
|
22
25
|
|
|
23
|
-
const geomAttr = fields.find((el) => pg.pgType[el.dataTypeID] === 'geometry')?.name; // change geometry text to geometry code
|
|
26
|
+
const geomAttr = fields.find((el) => pg.pgType?.[el.dataTypeID] === 'geometry')?.name; // change geometry text to geometry code
|
|
24
27
|
|
|
25
28
|
const res = {
|
|
26
29
|
pk, columns: fields, geom: geomAttr, view: pg.relkinds?.[table] === 'v',
|
|
@@ -13,20 +13,21 @@ import block from '../sqlInjection.js';
|
|
|
13
13
|
|
|
14
14
|
export default function checkPolicy(req) {
|
|
15
15
|
const {
|
|
16
|
-
originalUrl: path, hostname, query, params, headers, method,
|
|
16
|
+
originalUrl: path, hostname, query, params, headers, method, session, routeOptions,
|
|
17
17
|
} = req;
|
|
18
|
-
const
|
|
19
|
-
const
|
|
18
|
+
const body = JSON.stringify(req?.body || {}).substring(30);
|
|
19
|
+
const isAdmin = process.env.NODE_ENV === 'admin' || hostname.split(':').shift() === config.adminDomain || hostname.startsWith('admin');
|
|
20
|
+
const user = req.user || session?.passport?.user;
|
|
20
21
|
|
|
21
22
|
const isUser = config?.debug || !!user;
|
|
22
23
|
|
|
23
24
|
const isServer = process.argv[2];
|
|
24
|
-
const { policy = [] } =
|
|
25
|
+
const { policy = [] } = routeOptions?.config || {};
|
|
25
26
|
|
|
26
27
|
/*= == 0.Check superadmin access === */
|
|
27
28
|
if (policy.includes('superadmin') && user?.user_type !== 'superadmin') {
|
|
28
29
|
logger.file('access', {
|
|
29
|
-
path, method, params, query, body
|
|
30
|
+
path, method, params, query, body, message: 'access restricted: not superadmin', uid: user?.uid,
|
|
30
31
|
});
|
|
31
32
|
return { message: 'access restricted: 0', status: 403 };
|
|
32
33
|
}
|
|
@@ -34,7 +35,7 @@ export default function checkPolicy(req) {
|
|
|
34
35
|
/*= == 1.File injection === */
|
|
35
36
|
if (JSON.stringify(params || {})?.includes('../') || JSON.stringify(query || {})?.includes('../') || path?.includes('../')) {
|
|
36
37
|
logger.file('injection/file', {
|
|
37
|
-
path, method, params, query, message: 'access restricted: 1', uid: user?.uid,
|
|
38
|
+
path, method, params, query, body, message: 'access restricted: 1', uid: user?.uid,
|
|
38
39
|
});
|
|
39
40
|
return { message: 'access restricted: 1', status: 403 };
|
|
40
41
|
}
|
|
@@ -50,7 +51,7 @@ export default function checkPolicy(req) {
|
|
|
50
51
|
const stopWords = block.filter((el) => path.replace(query.polyline, '').includes(el));
|
|
51
52
|
if (stopWords?.length) {
|
|
52
53
|
logger.file('injection/sql', {
|
|
53
|
-
path, method, stopWords, message: 'access restricted: 2', uid: user?.uid,
|
|
54
|
+
path, method, params, query, body, stopWords, message: 'access restricted: 2', uid: user?.uid,
|
|
54
55
|
});
|
|
55
56
|
return { message: 'access restricted: 2', status: 403 };
|
|
56
57
|
}
|
|
@@ -68,14 +69,16 @@ export default function checkPolicy(req) {
|
|
|
68
69
|
|
|
69
70
|
/* === 3. policy: user === */
|
|
70
71
|
if (!user && policy.includes('user') && false) {
|
|
71
|
-
logger.file('policy/user', {
|
|
72
|
+
logger.file('policy/user', {
|
|
73
|
+
path, method, params, query, body, message: 'access restricted: 3',
|
|
74
|
+
});
|
|
72
75
|
return { message: 'access restricted: 3', status: 403 };
|
|
73
76
|
}
|
|
74
77
|
|
|
75
78
|
/* === 4. policy: referer === */
|
|
76
79
|
if (!headers?.referer?.includes?.(hostname) && policy.includes('referer') && !config.local && !config.debug) {
|
|
77
80
|
logger.file('policy/referer', {
|
|
78
|
-
path, method, message: 'access restricted: 4', uid: user?.uid,
|
|
81
|
+
path, method, params, query, body, message: 'access restricted: 4', uid: user?.uid,
|
|
79
82
|
});
|
|
80
83
|
return { message: 'access restricted: 4', status: 403 };
|
|
81
84
|
}
|
|
@@ -84,7 +87,7 @@ export default function checkPolicy(req) {
|
|
|
84
87
|
if (!policy.includes('site') && !isAdmin && !config.local && !config.debug
|
|
85
88
|
&& !['/auth/redirect', `${config.prefix || '/api'}/login`].find(el => path.includes(el))) {
|
|
86
89
|
logger.file('policy/site', {
|
|
87
|
-
path, method, message: 'access restricted: 5', uid: user?.uid,
|
|
90
|
+
path, method, params, query, body, message: 'access restricted: 5', uid: user?.uid,
|
|
88
91
|
});
|
|
89
92
|
return { message: 'access restricted: 5', status: 403 };
|
|
90
93
|
}
|
|
@@ -93,7 +96,7 @@ export default function checkPolicy(req) {
|
|
|
93
96
|
if (isAdmin && !isUser && isServer && !config.local && !config.debug
|
|
94
97
|
&& !path.startsWith(`${config.prefix || '/api'}/login`)) {
|
|
95
98
|
logger.file('policy/api', {
|
|
96
|
-
path, method, message: 'access restricted: 6', uid: user?.uid,
|
|
99
|
+
path, method, params, query, body, message: 'access restricted: 6', uid: user?.uid,
|
|
97
100
|
});
|
|
98
101
|
return { message: 'access restricted: 6', status: 403 };
|
|
99
102
|
}
|
|
@@ -12,10 +12,11 @@ const tableSchema = {
|
|
|
12
12
|
|
|
13
13
|
async function plugin(fastify, config = {}) {
|
|
14
14
|
const prefix = config.prefix || '/api';
|
|
15
|
-
|
|
16
|
-
fastify.
|
|
17
|
-
fastify.
|
|
18
|
-
fastify.
|
|
15
|
+
const policy = ['public'];
|
|
16
|
+
fastify.put(`${prefix}/table/:table/:id?`, { config: { policy }, schema: tableSchema }, update);
|
|
17
|
+
fastify.delete(`${prefix}/table/:table/:id?`, { config: { policy }, schema: tableSchema }, deleteCrud);
|
|
18
|
+
fastify.post(`${prefix}/table/:table/:id?`, { config: { policy }, schema: tableSchema }, insert);
|
|
19
|
+
fastify.get(`${prefix}/table/:table/:id?`, { config: { policy }, schema: tableSchema }, table);
|
|
19
20
|
}
|
|
20
21
|
|
|
21
22
|
export default plugin;
|
|
@@ -11,7 +11,7 @@ const loggerSchema = {
|
|
|
11
11
|
};
|
|
12
12
|
|
|
13
13
|
async function plugin(fastify) {
|
|
14
|
-
fastify.get('/logger-file/*', { schema: loggerSchema }, loggerFile);
|
|
14
|
+
fastify.get('/logger-file/*', { config: { policy: ['site'] }, schema: loggerSchema }, loggerFile);
|
|
15
15
|
}
|
|
16
16
|
|
|
17
17
|
export default plugin;
|
|
@@ -14,15 +14,16 @@ import {
|
|
|
14
14
|
|
|
15
15
|
async function plugin(fastify, config = {}) {
|
|
16
16
|
const prefix = config.prefix || '/api';
|
|
17
|
-
|
|
18
|
-
fastify.get(`${prefix}/data
|
|
17
|
+
const policy = ['public'];
|
|
18
|
+
fastify.get(`${prefix}/suggest/:data`, { config: { policy }, schema: suggestSchema }, suggest);
|
|
19
|
+
fastify.get(`${prefix}/data/:table/:id?`, { config: { policy }, schema: tableSchema }, data); // vs.crm.data.api с node
|
|
19
20
|
|
|
20
|
-
fastify.get(`${prefix}/card/:table/:id`, { schema: tableSchema }, card);
|
|
21
|
-
fastify.get(`${prefix}/search`, { schema: searchSchema }, search);
|
|
21
|
+
fastify.get(`${prefix}/card/:table/:id`, { config: { policy }, schema: tableSchema }, card);
|
|
22
|
+
fastify.get(`${prefix}/search`, { config: { policy }, schema: searchSchema }, search);
|
|
22
23
|
|
|
23
24
|
fastify.get(`${prefix}/templates`, () => loadTemplatePath);
|
|
24
|
-
fastify.get(`${prefix}/filter/:table`, { schema: filterSchema }, filter);
|
|
25
|
-
fastify.get(`${prefix}/form/:form`, { schema: formSchema }, form);
|
|
25
|
+
fastify.get(`${prefix}/filter/:table`, { config: { policy }, schema: filterSchema }, filter);
|
|
26
|
+
fastify.get(`${prefix}/form/:form`, { config: { policy }, schema: formSchema }, form);
|
|
26
27
|
}
|
|
27
28
|
|
|
28
29
|
export default plugin;
|