@opengis/fastify-table 1.1.150 → 1.1.151

package/config.js

@@ -5,6 +5,7 @@ const config = fileName ? JSON.parse(fs.readFileSync(fileName)) : {};
 
 Object.assign(config, {
   allTemplates: config?.allTemplates || {},
+  skipCheckPolicyRoutes: [],
 });
 
 export default config;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@opengis/fastify-table",
-  "version": "1.1.150",
+  "version": "1.1.151",
   "type": "module",
   "description": "core-plugins",
   "keywords": [
@@ -27,16 +27,16 @@
   },
   "dependencies": {
     "@fastify/sensible": "^5.0.0",
-    "@fastify/url-data": "^5.4.0",
-    "@opengis/fastify-hb": "^1.4.8",
+    "@fastify/url-data": "5.4.0",
+    "@opengis/fastify-hb": "1.4.8",
     "fastify": "^4.26.1",
     "fastify-plugin": "^4.0.0",
-    "ioredis": "^5.3.2",
-    "js-yaml": "^4.1.0",
-    "pg": "^8.11.3",
-    "pino": "^9.5.0",
-    "pino-abstract-transport": "^2.0.0",
-    "uglify-js": "^3.19.3"
+    "ioredis": "5.3.2",
+    "js-yaml": "4.1.0",
+    "pg": "8.11.3",
+    "pino": "9.5.0",
+    "pino-abstract-transport": "2.0.0",
+    "uglify-js": "3.19.3"
   },
   "devDependencies": {
     "@panzoom/panzoom": "^4.5.1",

package/server/plugins/policy/funcs/checkPolicy.js

@@ -1,6 +1,7 @@
 import { config, logger } from '../../../../utils.js';
 import block from '../sqlInjection.js';
 
+const { prefix = '/api', skipCheckPolicyRoutes = [] } = config;
 /**
  * Middleware func
  *
@@ -11,7 +12,7 @@ import block from '../sqlInjection.js';
  * @returns {object|null} Returns object
  */
 
-export default function checkPolicy(req) {
+export default function checkPolicy(req, reply) {
   const {
     originalUrl: path, hostname, query, params, headers, method, session, routeOptions, unittest,
   } = req;
@@ -27,10 +28,10 @@ export default function checkPolicy(req) {
 
   /*= == 0.Check superadmin access  === */
   if (policy.includes('superadmin') && user?.user_type !== 'superadmin') {
-    logger.file('access', {
+    logger.file('policy/access', {
       path, method, params, query, body, message: 'access restricted: not superadmin', uid: user?.uid,
     });
-    return { message: 'access restricted: 0', status: 403 };
+    return reply.status(403).send('access restricted: 0');
   }
 
   /*= == 1.File injection  === */
@@ -38,7 +39,7 @@ export default function checkPolicy(req) {
     logger.file('injection/file', {
       path, method, params, query, body, message: 'access restricted: 1', uid: user?.uid,
     });
-    return { message: 'access restricted: 1', status: 403 };
+    return reply.status(403).send('access restricted: 1');
   }
 
   /* === 1.1 File  === */
@@ -54,11 +55,11 @@ export default function checkPolicy(req) {
       logger.file('injection/sql', {
         path, method, params, query, body, stopWords, message: 'access restricted: 2', uid: user?.uid,
       });
-      return { message: 'access restricted: 2', status: 403 };
+      return reply.status(403).send('access restricted: 2');
     }
   }
   /* policy: skip if not API */
-  const isApi = ['/files/', '/api/format/', '/api', '/api-user/', '/logger', '/file/'].filter((el) => path.includes(el)).length;
+  const isApi = ['/files/', '/api/', '/api-user/', '/logger', '/file/'].filter((el) => path.includes(el)).length;
   if (!isApi) {
     return null;
   }
@@ -68,12 +69,23 @@ export default function checkPolicy(req) {
     return null;
   }
 
+  /* === 0. policy: unauthorized access from admin URL === */
+  if (!user?.uid && !config.auth?.disable && isAdmin && !policy.includes('public') && !skipCheckPolicyRoutes.filter((el) => el).find(el => req.url.includes(el))) {
+    if (!req.url.startsWith(prefix) && req.url.startsWith('/api')) {
+      return reply.redirect(config?.auth?.redirect || '/login');
+    }
+    logger.file('policy/unauthorized', {
+      path, method, params, query, body, message: 'unauthorized',
+    });
+    return reply.status(401).send('unauthorized');
+  }
+
   /* === 3. policy: user === */
-  if (!user && policy.includes('user') && false) {
+  if (!user && policy.includes('user')) {
     logger.file('policy/user', {
       path, method, params, query, body, message: 'access restricted: 3',
     });
-    return { message: 'access restricted: 3', status: 403 };
+    return reply.status(403).send('access restricted: 3');
   }
 
   /* === 4. policy: referer === */
@@ -81,7 +93,7 @@ export default function checkPolicy(req) {
     logger.file('policy/referer', {
       path, method, params, query, body, message: 'access restricted: 4', uid: user?.uid,
     });
-    return { message: 'access restricted: 4', status: 403 };
+    return reply.status(403).send('access restricted: 4');
   }
 
   /* === 5. policy: site auth === */
@@ -90,7 +102,7 @@ export default function checkPolicy(req) {
     logger.file('policy/site', {
       path, method, params, query, body, message: 'access restricted: 5', uid: user?.uid,
     });
-    return { message: 'access restricted: 5', status: 403 };
+    return reply.status(403).send('access restricted: 5');
   }
 
   /* === 6. base policy: block api, except login  === */
@@ -99,7 +111,7 @@ export default function checkPolicy(req) {
     logger.file('policy/api', {
       path, method, params, query, body, message: 'access restricted: 6', uid: user?.uid,
     });
-    return { message: 'access restricted: 6', status: 403 };
+    return reply.status(403).send('access restricted: 6');
   }
 
   return null;

package/server/plugins/policy/index.js

@@ -2,9 +2,9 @@ import checkPolicy from './funcs/checkPolicy.js';
 
 async function plugin(fastify) {
   fastify.addHook('preParsing', async (request, reply) => {
-    const hookData = checkPolicy(request);
-    if (hookData?.status && hookData?.message) {
-      return reply.status(hookData?.status).send(hookData.message);
+    const resp = checkPolicy(request, reply);
+    if (resp) {
+      return resp;
     }
   });
 }