@opengis/fastify-table 1.1.43 → 1.1.44

package/Changelog.md

@@ -1,9 +1,10 @@
 # fastify-table
 
-## 1.1.43 - 21.10.2024
+## 1.1.44 - 21.10.2024
 
 - addHook params refactor
 - add handlebars to utils
+- refactor getAccess for CRUD
 
 ## 1.1.40 - 18.10.2024
 

package/crud/controllers/deleteCrud.js

@@ -1,5 +1,6 @@
-import dataDelete from '../funcs/dataDelete.js';
-import { getTemplate, getAccess, applyHook } from '../../utils.js';
+import {
+  dataDelete, getTemplate, getAccess, applyHook,
+} from '../../utils.js';
 
 export default async function deleteCrud(req) {
   const { user, params = {} } = req || {};
@@ -11,7 +12,7 @@ export default async function deleteCrud(req) {
   }
 
   const { table: del, id } = hookData || req.params || {};
-  const { actions = [], scope, my } = await getAccess(req, del, id) || {};
+  const { actions = [], scope, my } = await getAccess({ table: del, id, user }) || {};
 
   if (!actions.includes('del') || (scope === 'my' && !my)) {
     return { message: 'access restricted', status: 403 };

package/crud/controllers/insert.js

@@ -4,7 +4,7 @@ import {
 
 export default async function insert(req) {
   const {
-    pg, user, params = {}, body = {},
+    user, params = {}, body = {},
   } = req || {};
   const hookData = await applyHook('preInsert', { table: params?.table, user });
   if (hookData?.message && hookData?.status) {
@@ -13,7 +13,7 @@ export default async function insert(req) {
 
   const { form, table: add } = hookData || req.params || {};
 
-  const { actions = [] } = await getAccess(req, add) || {};
+  const { actions = [] } = await getAccess({ table: add, user }) || {};
 
   if (!actions.includes('edit')) {
     return { message: 'access restricted', status: 403 };

package/crud/controllers/update.js

@@ -4,7 +4,7 @@ import {
 
 export default async function update(req) {
   const {
-    pg, user, params = {}, body = {},
+    user, params = {}, body = {},
   } = req || {};
   const hookData = await applyHook('preUpdate', {
     table: params?.table, id: params?.id, user,
@@ -15,7 +15,7 @@ export default async function update(req) {
 
   const { form, table: edit, id } = hookData || req.params;
 
-  const { actions = [], scope, my } = await getAccess(req, edit, id) || {};
+  const { actions = [], scope, my } = await getAccess({ table: edit, id, user }) || {};
 
   if (!actions.includes('edit') || (scope === 'my' && !my)) {
     return { message: 'access restricted', status: 403 };

package/crud/funcs/getAccess.js

@@ -1,8 +1,9 @@
 import getMeta from '../../pg/funcs/getMeta.js';
 import getTemplate from '../../table/controllers/utils/getTemplate.js';
 import config from '../../config.js';
+import pgClients from '../../pg/pgClients.js';
 
-const q = `select a.route_id as id, b.actions, b.scope 
+const q = `select a.route_id as id, coalesce(b.actions,array['get']) as actions, b.scope 
 from admin.routes a 
 left join admin.access b on 
   a.route_id=b.route_id
@@ -16,36 +17,39 @@ left join admin.user_roles d on
             then d.expiration > CURRENT_DATE 
             else 1=1 
         end )
-where a.route_id=$1 and $2 in (b.user_uid, d.user_uid)`;
+where $1 in (a.route_id, a.alias) and $2 in (b.user_uid, d.user_uid)`;
 
-export default async function getAccess(req, template, id = null) {
-  if (config.disableAccessRestriction || true) {
+export default async function getAccess({ table, id, user }) {
+  if (config.auth?.disable || user?.user_type?.includes('admin')) {
     return { actions: ['get', 'edit', 'del'], my: true, query: '1=1' };
   }
-  const { pg, session = {} } = req;
-  const { uid, user_type: userType } = session.passport?.user || {};
-  if (!uid || !template) return null;
+
+  const { client: pg } = pgClients || {};
+  const { uid, user_type: userType } = user || {};
+
+  if (!uid || !table) return null;
 
   if (!pg.pk?.['admin.access']) return null;
 
-  const { table } = await getTemplate('table', template) || {};
-  if (!table) return null;
+  const body = await getTemplate('table', table) || {};
+  if (!body?.table) return null;
 
-  const { scope = 'my', actions = [] } = await pg.one(q, [template, uid]);
-  // console.log(scope, actions);
+  const { scope = 'my', actions = [] } = await pg.query(q, [table, uid]).then((res) => res.rows?.[0] || {});
 
-  const { columns = [] } = await getMeta(table);
-  const columnList = columns.map((el) => el.name || el).join(',');
+  const { columns = [] } = await getMeta({ table: body?.table });
 
   const query = userType?.includes('admin') ? '1=1' : {
     my: `uid='${uid}'`,
-    responsible: columnList.includes('responsible_id')
+    responsible: columns.map((el) => el?.name || el).includes('responsible_id')
       ? `responsible_id='${uid}'`
       : `uid='${uid}'`,
     all: '1=1',
   }[scope];
 
-  const { my } = pg.pk?.[table] && id ? await pg.one(`select uid=$1 as my from ${table} where ${pg.pk?.[table]}=$2`, [uid, id]) : {};
+  const { my } = pg.pk?.[body?.table] && id
+    ? await pg.query(`select uid=$1 as my from ${body?.table} where ${pg.pk?.[body?.table]}=$2`, [uid, id])
+      .then((res) => res.rows?.[0] || {})
+    : {};
 
   return {
     scope, actions, query, my,

package/index.js

@@ -20,7 +20,7 @@ import userPlugin from './user/index.js';
 
 // import pgClients from './pg/pgClients.js';
 
-import { addTemplateDir, execMigrations } from './utils.js';
+import { addTemplateDir, execMigrations, logger } from './utils.js';
 
 async function plugin(fastify, opt) {
   // console.log(opt);
@@ -65,8 +65,14 @@ async function plugin(fastify, opt) {
     return reply.status(error.statusCode || 500).send(config.local ? error.toString() : 'ServerError');
   });
 
+  execMigrations().catch(err => console.log(err));
   // core migrations
-  await execMigrations();
+  /* try {
+
+  }
+  catch (err) {
+    logger.error(err);
+  } */
 
   if (!fastify.funcs) {
     fastify.addHook('onRequest', async (req) => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@opengis/fastify-table",
-  "version": "1.1.43",
+  "version": "1.1.44",
   "type": "module",
   "description": "core-plugins",
   "main": "index.js",

package/table/controllers/card.js

@@ -1,14 +1,35 @@
 import getTemplate from './utils/getTemplate.js';
 import getMeta from '../../pg/funcs/getMeta.js';
 import metaFormat from '../funcs/metaFormat/index.js';
+import applyHook from '../../hook/funcs/applyHook.js';
+import getAccess from '../../crud/funcs/getAccess.js';
 
 export default async function card(req) {
   const time = Date.now();
   const {
-    pg, params = {}, query = {}, opt = {},
+    pg, user, params = {}, query = {},
   } = req;
 
-  const loadTable = await getTemplate('table', params.table);
+  const hookData = await applyHook('preCard', {
+    table: params?.table, id: params?.id, user,
+  });
+
+  if (hookData?.message && hookData?.status) {
+    return { message: hookData?.message, status: hookData?.status };
+  }
+
+  const {
+    actions = [], scope, my,
+  } = await getAccess({
+    table: hookData?.table || params.table,
+    id: hookData?.id || params?.id,
+    user,
+  });
+  if (!actions.includes('get') || (scope === 'my' && !my)) {
+    return { message: 'access restricted', status: 403 };
+  }
+
+  const loadTable = await getTemplate('table', hookData?.table || params.table);
 
   if (!loadTable) { return { message: 'template not found', status: 404 }; }
 
@@ -23,7 +44,7 @@ export default async function card(req) {
   const cols = columns.map((el) => el.name || el).join(',');
   const columnList = dbColumns.map((el) => el.name || el).join(',');
   const sqlTable = sql?.filter?.((el) => !el?.disabled && el?.sql?.replace).map((el, i) => ` left join lateral (${el.sql}) ${el.name || `t${i}`} on 1=1 `)?.join('') || '';
-  const cardSqlFiltered = opt.id || params.id ? cardSql?.filter?.((el) => !el?.disabled && el?.name && el?.sql?.replace) : [];
+  const cardSqlFiltered = hookData?.id || params.id ? cardSql?.filter?.((el) => !el?.disabled && el?.name && el?.sql?.replace) : [];
   const cardSqlTable = cardSqlFiltered?.length ? cardSqlFiltered.map((el, i) => ` left join lateral (select json_agg(row_to_json(q)) as ${el.name} from (${el.sql})q) ct${i}  on 1=1 `).join('') || '' : '';
 
   const where = [`"${pk}" = $1`, loadTable.query].filter((el) => el);
@@ -33,12 +54,21 @@ export default async function card(req) {
 
   if (query.sql === '1') { return q; }
 
-  const { rows } = await pg.query(q, [opt.id || params.id]);
+  const { rows } = await pg.query(q, [hookData?.id || params.id]);
 
-  await metaFormat({ rows, table: params.table });
+  await metaFormat({ rows, table: hookData?.table || params.table });
 
   const data = meta.card?.length ? meta.card.reduce((acc, curr) => Object.assign(acc, { [columns.find((col) => col.name === curr)?.ua || '']: rows[0][curr] }), {}) : {};
-  return {
+
+  const afterHookData = await applyHook('afterCard', {
+    table: hookData?.table || params.table,
+    id: hookData?.id || params?.id,
+    user,
+    payload: {
+      time: Date.now() - time, data,
+    },
+  });
+  return afterHookData || {
     time: Date.now() - time, data,
   };
 }

package/table/controllers/data.js

@@ -5,13 +5,13 @@ import metaFormat from '../funcs/metaFormat/index.js';
 import getAccess from '../../crud/funcs/getAccess.js';
 import setToken from '../../crud/funcs/setToken.js';
 import gisIRColumn from './utils/gisIRColumn.js';
-
-import { applyHook, config } from '../../utils.js';
+import applyHook from '../../hook/funcs/applyHook.js';
+import config from '../../config.js';
 
 const maxLimit = 100;
 export default async function dataAPI(req) {
   const {
-    pg, params, query = {}, opt = {}, user,
+    pg, params, query = {}, user,
   } = req;
   const time = Date.now();
 
@@ -24,6 +24,17 @@ export default async function dataAPI(req) {
     return { message: hookData?.message, status: hookData?.status };
   }
 
+  const {
+    actions = [], scope, my, query: access,
+  } = await getAccess({
+    table: hookData?.table || params.table,
+    id: hookData?.id || params?.id,
+    user,
+  });
+  if (!actions.includes('get') || (scope === 'my' && !my)) {
+    return { message: 'access restricted', status: 403 };
+  }
+
   const loadTable = await getTemplate('table', hookData?.table || params.table);
 
   if (!loadTable) { return { message: 'template not found', status: 404 }; }
@@ -46,7 +57,7 @@ export default async function dataAPI(req) {
     : '';
   const columnList = dbColumns.map((el) => el.name || el).join(',');
   const sqlTable = sql?.filter?.((el) => !el?.disabled && el?.sql?.replace).map((el, i) => ` left join lateral (${el.sql.replace('{{uid}}', uid)}) ${el.name || `t${i}`} on 1=1 `)?.join('') || '';
-  const cardSqlFiltered = opt?.id || params.id ? (cardSql?.filter?.((el) => !el?.disabled && el?.name && el?.sql?.replace) || []) : [];
+  const cardSqlFiltered = hookData?.id || params.id ? (cardSql?.filter?.((el) => !el?.disabled && el?.name && el?.sql?.replace) || []) : [];
   const cardSqlTable = cardSqlFiltered.length ? cardSqlFiltered.map((el, i) => ` left join lateral (select json_agg(row_to_json(q)) as ${el.name} from (${el.sql})q) ct${i}  on 1=1 `).join('') || '' : '';
 
   if (params.id && columnList.includes(params.id)) {
@@ -65,7 +76,7 @@ export default async function dataAPI(req) {
     json: 1,
   }) : {};
 
-  const keyQuery = query.key && loadTable.key && !(opt?.id || params.id) ? `${loadTable.key}=$1` : null;
+  const keyQuery = query.key && loadTable.key && !(hookData?.id || params.id) ? `${loadTable.key}=$1` : null;
 
   const limit = Math.min(maxLimit, +(query.limit || 20));
 
@@ -79,16 +90,15 @@ export default async function dataAPI(req) {
   const queryPolyline = meta?.bbox && query?.polyline ? `ST_Contains(ST_MakePolygon(ST_LineFromEncodedPolyline('${query?.polyline}')),${meta.bbox})` : undefined;
   const bbox = meta?.bbox && queryBbox.filter((el) => !Number.isNaN(el))?.length === 4 ? `${meta.bbox} && 'box(${queryBbox[0]} ${queryBbox[1]},${queryBbox[2]} ${queryBbox[3]})'::box2d ` : undefined;
 
-  const access = await getAccess(req, params.table);
-  const where = [(opt?.id || params.id ? ` "${pk}" = $1` : null), keyQuery, loadTable.query, fData.q, search, access?.query || '1=1', bbox, queryPolyline].filter((el) => el);
+  const where = [(hookData?.id || params.id ? ` "${pk}" = $1` : null), keyQuery, loadTable.query, fData.q, search, access?.query || '1=1', bbox, queryPolyline].filter((el) => el);
   const cardColumns = cardSqlFiltered.length ? `,${cardSqlFiltered.map((el) => el.name)}` : '';
   const q = `select  ${pk ? `"${pk}" as id,` : ''} ${columnList.includes('geom') ? 'st_asgeojson(geom)::json as geom,' : ''} ${query.id || query.key ? '*' : sqlColumns || cols || '*'} ${metaCols} ${cardColumns} from ${table} t ${sqlTable} ${cardSqlTable} where ${where.join(' and ') || 'true'} ${order} ${offset}  limit ${limit}`;
 
   if (query.sql === '1') { return q; }
 
-  const { rows } = await pg.query(q, (opt?.id || params.id ? [opt?.id || params.id] : null) || (query.key && loadTable.key ? [query.key] : []));
+  const { rows } = await pg.query(q, (hookData?.id || params.id ? [hookData?.id || params.id] : null) || (query.key && loadTable.key ? [query.key] : []));
 
-  const total = keyQuery || opt?.id || params.id ? rows.length : await pg.queryCache(`select count(*) from ${table} t ${sqlTable} where ${where.join(' and ') || 'true'}`).then((el) => (el?.rows[0]?.count || 0) - 0);
+  const total = keyQuery || hookData?.id || params.id ? rows.length : await pg.queryCache(`select count(*) from ${table} t ${sqlTable} where ${where.join(' and ') || 'true'}`).then((el) => (el?.rows[0]?.count || 0) - 0);
 
   await metaFormat({ rows, table: params.table });
   const res = {

package/table/controllers/table.js

@@ -1,7 +1,7 @@
 import getTemplate from './utils/getTemplate.js';
 import getMeta from '../../pg/funcs/getMeta.js';
-
-import { applyHook } from '../../utils.js';
+import applyHook from '../../hook/funcs/applyHook.js';
+import getAccess from '../../crud/funcs/getAccess.js';
 
 export default async function tableAPI(req) {
   const {
@@ -24,6 +24,17 @@ export default async function tableAPI(req) {
     if (!pg.pk?.[hookData?.table || params.table]) { return { message: 'not found', status: 404 }; }
   }
 
+  const {
+    actions = [], scope, my,
+  } = await getAccess({
+    table: hookData?.table || params.table,
+    id: hookData?.id || params?.id,
+    user,
+  });
+  if (!actions.includes('get') || (scope === 'my' && !my)) {
+    return { message: 'access restricted', status: 403 };
+  }
+
   const {
     table, /* columns, */ form,
   } = loadTable;

package/test/api/crud.xss.test.js

@@ -8,9 +8,10 @@ import config from '../config.js';
 
 test('api crud xss', async (t) => {
   const app = await build(t);
-  const session = { passport: { user: { uid: '1' } } };
+  const session = { passport: { user: { uid: '1', user_type: 'admin' } } };
   app.addHook('onRequest', async (req) => {
     req.session = session;
+    req.user = session.passport.user;
   });
   // app.decorateRequest('session', session);
 
@@ -42,10 +43,7 @@ test('api crud xss', async (t) => {
       url: `${prefix}/table/${addTokens[0]}`,
       body: { dataset_name: '<a onClick="alert("XSS Injection")">xss injection</a>', dataset_id: '5400000' },
     });
-
-    const rep = JSON.parse(res?.body);
-    console.log(rep);
-    assert.ok(rep.status, 409);
+    assert.equal(res?.json()?.status || res?.statusCode, 409);
   });
 
   await t.test('PUT /update', async () => {
@@ -54,19 +52,13 @@ test('api crud xss', async (t) => {
       url: `${prefix}/table/${editTokens[0]}/${editTokens[0]}`,
       body: { editor_id: '11', dataset_name: '<a onClick="alert("XSS Injection")">xss injection</a>' },
     });
-
-    const rep = JSON.parse(res?.body);
-    console.log(rep);
-    assert.equal(rep.status, 409);
+    assert.equal(res.json()?.status || res?.statusCode, 409);
   });
   await t.test('DELETE /delete', async () => {
     const res = await app.inject({
       method: 'DELETE',
       url: `${prefix}/table/gis.dataset/5400000`,
     });
-
-    const rep = JSON.parse(res?.body);
-    console.log(rep);
-    assert.ok(rep);
+    assert.equal(res?.json()?.status || res?.statusCode, 200);
   });
 });