@opengis/fastify-table 1.1.43 → 1.1.45

package/Changelog.md

@@ -1,9 +1,10 @@
 # fastify-table
 
-## 1.1.43 - 21.10.2024
+## 1.1.45 - 22.10.2024
 
 - addHook params refactor
 - add handlebars to utils
+- refactor getAccess for CRUD
 
 ## 1.1.40 - 18.10.2024
 

package/crud/controllers/deleteCrud.js

@@ -1,5 +1,6 @@
-import dataDelete from '../funcs/dataDelete.js';
-import { getTemplate, getAccess, applyHook } from '../../utils.js';
+import {
+  dataDelete, getTemplate, getAccess, applyHook,
+} from '../../utils.js';
 
 export default async function deleteCrud(req) {
   const { user, params = {} } = req || {};
@@ -11,7 +12,7 @@ export default async function deleteCrud(req) {
   }
 
   const { table: del, id } = hookData || req.params || {};
-  const { actions = [], scope, my } = await getAccess(req, del, id) || {};
+  const { actions = [], scope, my } = await getAccess({ table: del, id, user }) || {};
 
   if (!actions.includes('del') || (scope === 'my' && !my)) {
     return { message: 'access restricted', status: 403 };

package/crud/controllers/insert.js

@@ -4,7 +4,7 @@ import {
 
 export default async function insert(req) {
   const {
-    pg, user, params = {}, body = {},
+    user, params = {}, body = {},
   } = req || {};
   const hookData = await applyHook('preInsert', { table: params?.table, user });
   if (hookData?.message && hookData?.status) {
@@ -13,7 +13,7 @@ export default async function insert(req) {
 
   const { form, table: add } = hookData || req.params || {};
 
-  const { actions = [] } = await getAccess(req, add) || {};
+  const { actions = [] } = await getAccess({ table: add, user }) || {};
 
   if (!actions.includes('edit')) {
     return { message: 'access restricted', status: 403 };

package/crud/controllers/update.js

@@ -4,7 +4,7 @@ import {
 
 export default async function update(req) {
   const {
-    pg, user, params = {}, body = {},
+    user, params = {}, body = {},
   } = req || {};
   const hookData = await applyHook('preUpdate', {
     table: params?.table, id: params?.id, user,
@@ -15,7 +15,7 @@ export default async function update(req) {
 
   const { form, table: edit, id } = hookData || req.params;
 
-  const { actions = [], scope, my } = await getAccess(req, edit, id) || {};
+  const { actions = [], scope, my } = await getAccess({ table: edit, id, user }) || {};
 
   if (!actions.includes('edit') || (scope === 'my' && !my)) {
     return { message: 'access restricted', status: 403 };

package/crud/funcs/getAccess.js

@@ -1,8 +1,9 @@
 import getMeta from '../../pg/funcs/getMeta.js';
 import getTemplate from '../../table/controllers/utils/getTemplate.js';
 import config from '../../config.js';
+import pgClients from '../../pg/pgClients.js';
 
-const q = `select a.route_id as id, b.actions, b.scope 
+const q = `select a.route_id as id, coalesce(b.actions,array['get']) as actions, b.scope 
 from admin.routes a 
 left join admin.access b on 
   a.route_id=b.route_id
@@ -16,36 +17,39 @@ left join admin.user_roles d on
             then d.expiration > CURRENT_DATE 
             else 1=1 
         end )
-where a.route_id=$1 and $2 in (b.user_uid, d.user_uid)`;
+where $1 in (a.route_id, a.alias) and $2 in (b.user_uid, d.user_uid)`;
 
-export default async function getAccess(req, template, id = null) {
-  if (config.disableAccessRestriction || true) {
-    return { actions: ['get', 'edit', 'del'], my: true, query: '1=1' };
-  }
-  const { pg, session = {} } = req;
-  const { uid, user_type: userType } = session.passport?.user || {};
-  if (!uid || !template) return null;
+export default async function getAccess({ table, id, user }) {
+  const { client: pg } = pgClients || {};
+  const { uid, user_type: userType } = user || {};
+
+  if (!uid || !table) return null;
 
   if (!pg.pk?.['admin.access']) return null;
 
-  const { table } = await getTemplate('table', template) || {};
-  if (!table) return null;
+  const body = await getTemplate('table', table) || {};
+  if (!body?.table) return null;
+
+  if (config.auth?.disable || user?.user_type?.includes('admin') || body?.public) {
+    return { actions: ['get', 'edit', 'del'], my: true, query: '1=1' };
+  }
 
-  const { scope = 'my', actions = [] } = await pg.one(q, [template, uid]);
-  // console.log(scope, actions);
+  const { scope = 'my', actions = [] } = await pg.query(q, [table, uid]).then((res) => res.rows?.[0] || {});
 
-  const { columns = [] } = await getMeta(table);
-  const columnList = columns.map((el) => el.name || el).join(',');
+  const { columns = [] } = await getMeta({ table: body?.table });
 
   const query = userType?.includes('admin') ? '1=1' : {
     my: `uid='${uid}'`,
-    responsible: columnList.includes('responsible_id')
+    responsible: columns.map((el) => el?.name || el).includes('responsible_id')
       ? `responsible_id='${uid}'`
       : `uid='${uid}'`,
     all: '1=1',
   }[scope];
 
-  const { my } = pg.pk?.[table] && id ? await pg.one(`select uid=$1 as my from ${table} where ${pg.pk?.[table]}=$2`, [uid, id]) : {};
+  const { my } = pg.pk?.[body?.table] && id
+    ? await pg.query(`select uid=$1 as my from ${body?.table} where ${pg.pk?.[body?.table]}=$2`, [uid, id])
+      .then((res) => res.rows?.[0] || {})
+    : {};
 
   return {
     scope, actions, query, my,

package/crud/funcs/utils/logChanges.js

@@ -1,28 +1,4 @@
-function formatData(fieldType = 'text', value = null) {
-  if (!value) return null;
-  if (fieldType === 'geometry') {
-    return typeof value === 'object' ? `st_astext(st_geomfromgeojson('${JSON.stringify(value)}'::json))` : `st_astext('${value}'::geometry)`;
-  }
-  if (['integer', 'numeric', 'double precision'].includes(fieldType)) {
-    return value || null;
-  }
-  if (fieldType.includes('timestamp') || fieldType === 'date') {
-    if (typeof value === 'object') {
-      return value ? `'${value.toISOString()}'::${fieldType}` : null;
-    }
-    return value ? `'${value}'::${fieldType}` : null;
-  }
-  if (typeof value === 'object' || fieldType.includes('json')) {
-    if (Array.isArray(value)) {
-      return `'${JSON.stringify(value)}'`;
-    }
-    return `'${JSON.stringify(value)}'`;
-  }
-  if (Array.isArray(value)) {
-    return `'{ ${value.join(',')} }'::${fieldType}`;
-  }
-  return `'${value || null}'`;
-}
+import getMeta from '../../../pg/funcs/getMeta.js';
 
 export default async function logChanges({
   pg, table, id, data, uid = 1, type,
@@ -55,13 +31,23 @@ export default async function logChanges({
 
     const old = type !== 'INSERT' ? await pg.query(q, [id]).then((res) => res.rows?.[0] || {}) : {};
 
-    const fieldTypes = fields?.reduce((acc, curr) => Object.assign(acc, { [curr.name]: pg.pgType[curr.dataTypeID] }), {}) || {};
-    const q1 = Object.keys(data || {}).map((el) => `insert into log.table_changes_data(change_id,entity_key,value_old,value_new) 
-      values('${changeId}', '${el}', ${formatData(fieldTypes[el], old[el])}, ${formatData(fieldTypes[el], data[el])}) returning *`).join(';\n');
-    // console.log(q1);
-    const res = await pg.query(q1);
+    const { columns = [] } = await getMeta({ table: 'log.table_changes_data' });
+    const names = columns.map((el) => el.name);
+
+    const res = await Promise.all(Object.keys(data || {}).map(async (el) => {
+      const filterData = Object.entries({
+        change_id: changeId, entity_key: el, value_old: old[el], value_new: data[el], uid,
+      })
+        .filter((el) => el[1] && names.includes(el[0]));
+
+      const insertQuery = `insert into log.table_changes_data (${filterData?.map((key) => `"${key[0]}"`).join(',')}) 
+      values (${filterData?.map((key, i) => `$${i + 1}`).join(',')}) returning *`;
+
+      const { rows = [] } = await pg.query(insertQuery, [...filterData.map((el) => (el[1] && typeof el[1] === 'object' && (!Array.isArray(el[1]) || typeof el[1]?.[0] === 'object') ? JSON.stringify(el[1]) : el[1]))]) || {};
+      return rows[0];
+    }));
 
-    const newData = type === 'DELETE' ? {} : (Array.isArray(res) ? res : [res]).reduce((acc, curr) => Object.assign(acc, { [curr.rows?.[0].entity_key]: curr.rows?.[0].value_new }), {});
+    const newData = type === 'DELETE' ? {} : (Array.isArray(res) ? res : [res]).reduce((acc, curr) => Object.assign(acc, { [curr.entity_key]: curr.value_new }), {});
     // console.log('logChanges OK', type);
     return {
       change_id: changeId, entity_type: table, entity_id: id, uid, change_type: type, old, new: newData,

package/hook/funcs/applyHook.js

@@ -2,7 +2,7 @@ import config from '../../config.js';
 import hookList from './hookList.js';
 
 export default async function applyHook(name, data) {
-  const debug = config.local || config.debug;
+  const { debug } = config;
   if (debug) console.log('applyHook', name);
   if (!hookList[name]?.length) return null;
   const result = {};

package/index.js

@@ -20,7 +20,7 @@ import userPlugin from './user/index.js';
 
 // import pgClients from './pg/pgClients.js';
 
-import { addTemplateDir, execMigrations } from './utils.js';
+import { addTemplateDir, execMigrations, logger } from './utils.js';
 
 async function plugin(fastify, opt) {
   // console.log(opt);
@@ -65,8 +65,14 @@ async function plugin(fastify, opt) {
     return reply.status(error.statusCode || 500).send(config.local ? error.toString() : 'ServerError');
   });
 
+  execMigrations().catch(err => console.log(err));
   // core migrations
-  await execMigrations();
+  /* try {
+
+  }
+  catch (err) {
+    logger.error(err);
+  } */
 
   if (!fastify.funcs) {
     fastify.addHook('onRequest', async (req) => {

package/module/test/table/test.rest_zone.table.json

@@ -1,4 +1,5 @@
 {
+  "public": true,
   "key": "rz_id",
   "table": "itree.rest_zones",
   "query": "verif",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@opengis/fastify-table",
-  "version": "1.1.43",
+  "version": "1.1.45",
   "type": "module",
   "description": "core-plugins",
   "main": "index.js",

package/table/controllers/card.js

@@ -1,14 +1,36 @@
 import getTemplate from './utils/getTemplate.js';
 import getMeta from '../../pg/funcs/getMeta.js';
 import metaFormat from '../funcs/metaFormat/index.js';
+import applyHook from '../../hook/funcs/applyHook.js';
+import getAccess from '../../crud/funcs/getAccess.js';
 
 export default async function card(req) {
   const time = Date.now();
   const {
-    pg, params = {}, query = {}, opt = {},
+    pg, user, params = {}, query = {},
   } = req;
 
-  const loadTable = await getTemplate('table', params.table);
+  const hookData = await applyHook('preCard', {
+    table: params?.table, id: params?.id, user,
+  });
+
+  if (hookData?.message && hookData?.status) {
+    return { message: hookData?.message, status: hookData?.status };
+  }
+
+  const {
+    actions = [], scope, my,
+  } = await getAccess({
+    table: hookData?.table || params.table,
+    id: hookData?.id || params?.id,
+    user,
+  }) || {};
+
+  if (!actions.includes('get') || (scope === 'my' && !my)) {
+    return { message: 'access restricted', status: 403 };
+  }
+
+  const loadTable = await getTemplate('table', hookData?.table || params.table);
 
   if (!loadTable) { return { message: 'template not found', status: 404 }; }
 
@@ -23,7 +45,7 @@ export default async function card(req) {
   const cols = columns.map((el) => el.name || el).join(',');
   const columnList = dbColumns.map((el) => el.name || el).join(',');
   const sqlTable = sql?.filter?.((el) => !el?.disabled && el?.sql?.replace).map((el, i) => ` left join lateral (${el.sql}) ${el.name || `t${i}`} on 1=1 `)?.join('') || '';
-  const cardSqlFiltered = opt.id || params.id ? cardSql?.filter?.((el) => !el?.disabled && el?.name && el?.sql?.replace) : [];
+  const cardSqlFiltered = hookData?.id || params.id ? cardSql?.filter?.((el) => !el?.disabled && el?.name && el?.sql?.replace) : [];
   const cardSqlTable = cardSqlFiltered?.length ? cardSqlFiltered.map((el, i) => ` left join lateral (select json_agg(row_to_json(q)) as ${el.name} from (${el.sql})q) ct${i}  on 1=1 `).join('') || '' : '';
 
   const where = [`"${pk}" = $1`, loadTable.query].filter((el) => el);
@@ -33,12 +55,21 @@ export default async function card(req) {
 
   if (query.sql === '1') { return q; }
 
-  const { rows } = await pg.query(q, [opt.id || params.id]);
+  const { rows } = await pg.query(q, [hookData?.id || params.id]);
 
-  await metaFormat({ rows, table: params.table });
+  await metaFormat({ rows, table: hookData?.table || params.table });
 
   const data = meta.card?.length ? meta.card.reduce((acc, curr) => Object.assign(acc, { [columns.find((col) => col.name === curr)?.ua || '']: rows[0][curr] }), {}) : {};
-  return {
+
+  const afterHookData = await applyHook('afterCard', {
+    table: hookData?.table || params.table,
+    id: hookData?.id || params?.id,
+    user,
+    payload: {
+      time: Date.now() - time, data,
+    },
+  });
+  return afterHookData || {
     time: Date.now() - time, data,
   };
 }

package/table/controllers/data.js

@@ -5,13 +5,13 @@ import metaFormat from '../funcs/metaFormat/index.js';
 import getAccess from '../../crud/funcs/getAccess.js';
 import setToken from '../../crud/funcs/setToken.js';
 import gisIRColumn from './utils/gisIRColumn.js';
-
-import { applyHook, config } from '../../utils.js';
+import applyHook from '../../hook/funcs/applyHook.js';
+import config from '../../config.js';
 
 const maxLimit = 100;
 export default async function dataAPI(req) {
   const {
-    pg, params, query = {}, opt = {}, user,
+    pg, params, query = {}, user,
   } = req;
   const time = Date.now();
 
@@ -24,6 +24,18 @@ export default async function dataAPI(req) {
     return { message: hookData?.message, status: hookData?.status };
   }
 
+  const {
+    actions = [], scope, my, query: access,
+  } = await getAccess({
+    table: hookData?.table || params.table,
+    id: hookData?.id || params?.id,
+    user,
+  }) || {};
+
+  if (!actions.includes('get') || (scope === 'my' && !my)) {
+    return { message: 'access restricted', status: 403 };
+  }
+
   const loadTable = await getTemplate('table', hookData?.table || params.table);
 
   if (!loadTable) { return { message: 'template not found', status: 404 }; }
@@ -46,7 +58,7 @@ export default async function dataAPI(req) {
     : '';
   const columnList = dbColumns.map((el) => el.name || el).join(',');
   const sqlTable = sql?.filter?.((el) => !el?.disabled && el?.sql?.replace).map((el, i) => ` left join lateral (${el.sql.replace('{{uid}}', uid)}) ${el.name || `t${i}`} on 1=1 `)?.join('') || '';
-  const cardSqlFiltered = opt?.id || params.id ? (cardSql?.filter?.((el) => !el?.disabled && el?.name && el?.sql?.replace) || []) : [];
+  const cardSqlFiltered = hookData?.id || params.id ? (cardSql?.filter?.((el) => !el?.disabled && el?.name && el?.sql?.replace) || []) : [];
   const cardSqlTable = cardSqlFiltered.length ? cardSqlFiltered.map((el, i) => ` left join lateral (select json_agg(row_to_json(q)) as ${el.name} from (${el.sql})q) ct${i}  on 1=1 `).join('') || '' : '';
 
   if (params.id && columnList.includes(params.id)) {
@@ -65,7 +77,7 @@ export default async function dataAPI(req) {
     json: 1,
   }) : {};
 
-  const keyQuery = query.key && loadTable.key && !(opt?.id || params.id) ? `${loadTable.key}=$1` : null;
+  const keyQuery = query.key && loadTable.key && !(hookData?.id || params.id) ? `${loadTable.key}=$1` : null;
 
   const limit = Math.min(maxLimit, +(query.limit || 20));
 
@@ -79,16 +91,15 @@ export default async function dataAPI(req) {
   const queryPolyline = meta?.bbox && query?.polyline ? `ST_Contains(ST_MakePolygon(ST_LineFromEncodedPolyline('${query?.polyline}')),${meta.bbox})` : undefined;
   const bbox = meta?.bbox && queryBbox.filter((el) => !Number.isNaN(el))?.length === 4 ? `${meta.bbox} && 'box(${queryBbox[0]} ${queryBbox[1]},${queryBbox[2]} ${queryBbox[3]})'::box2d ` : undefined;
 
-  const access = await getAccess(req, params.table);
-  const where = [(opt?.id || params.id ? ` "${pk}" = $1` : null), keyQuery, loadTable.query, fData.q, search, access?.query || '1=1', bbox, queryPolyline].filter((el) => el);
+  const where = [(hookData?.id || params.id ? ` "${pk}" = $1` : null), keyQuery, loadTable.query, fData.q, search, access?.query || '1=1', bbox, queryPolyline].filter((el) => el);
   const cardColumns = cardSqlFiltered.length ? `,${cardSqlFiltered.map((el) => el.name)}` : '';
   const q = `select  ${pk ? `"${pk}" as id,` : ''} ${columnList.includes('geom') ? 'st_asgeojson(geom)::json as geom,' : ''} ${query.id || query.key ? '*' : sqlColumns || cols || '*'} ${metaCols} ${cardColumns} from ${table} t ${sqlTable} ${cardSqlTable} where ${where.join(' and ') || 'true'} ${order} ${offset}  limit ${limit}`;
 
   if (query.sql === '1') { return q; }
 
-  const { rows } = await pg.query(q, (opt?.id || params.id ? [opt?.id || params.id] : null) || (query.key && loadTable.key ? [query.key] : []));
+  const { rows } = await pg.query(q, (hookData?.id || params.id ? [hookData?.id || params.id] : null) || (query.key && loadTable.key ? [query.key] : []));
 
-  const total = keyQuery || opt?.id || params.id ? rows.length : await pg.queryCache(`select count(*) from ${table} t ${sqlTable} where ${where.join(' and ') || 'true'}`).then((el) => (el?.rows[0]?.count || 0) - 0);
+  const total = keyQuery || hookData?.id || params.id ? rows.length : await pg.queryCache(`select count(*) from ${table} t ${sqlTable} where ${where.join(' and ') || 'true'}`).then((el) => (el?.rows[0]?.count || 0) - 0);
 
   await metaFormat({ rows, table: params.table });
   const res = {

package/table/controllers/table.js

@@ -1,7 +1,7 @@
 import getTemplate from './utils/getTemplate.js';
 import getMeta from '../../pg/funcs/getMeta.js';
-
-import { applyHook } from '../../utils.js';
+import applyHook from '../../hook/funcs/applyHook.js';
+import getAccess from '../../crud/funcs/getAccess.js';
 
 export default async function tableAPI(req) {
   const {
@@ -24,6 +24,18 @@ export default async function tableAPI(req) {
     if (!pg.pk?.[hookData?.table || params.table]) { return { message: 'not found', status: 404 }; }
   }
 
+  const {
+    actions = [], scope, my,
+  } = await getAccess({
+    table: hookData?.table || params.table,
+    id: hookData?.id || params?.id,
+    user,
+  }) || {};
+
+  if (!actions.includes('get') || (scope === 'my' && !my)) {
+    return { message: 'access restricted', status: 403 };
+  }
+
   const {
     table, /* columns, */ form,
   } = loadTable;

package/test/api/crud.xss.test.js

@@ -8,9 +8,10 @@ import config from '../config.js';
 
 test('api crud xss', async (t) => {
   const app = await build(t);
-  const session = { passport: { user: { uid: '1' } } };
+  const session = { passport: { user: { uid: '1', user_type: 'admin' } } };
   app.addHook('onRequest', async (req) => {
     req.session = session;
+    req.user = session.passport.user;
   });
   // app.decorateRequest('session', session);
 
@@ -42,10 +43,7 @@ test('api crud xss', async (t) => {
       url: `${prefix}/table/${addTokens[0]}`,
       body: { dataset_name: '<a onClick="alert("XSS Injection")">xss injection</a>', dataset_id: '5400000' },
     });
-
-    const rep = JSON.parse(res?.body);
-    console.log(rep);
-    assert.ok(rep.status, 409);
+    assert.equal(res?.json()?.status || res?.statusCode, 409);
   });
 
   await t.test('PUT /update', async () => {
@@ -54,19 +52,13 @@ test('api crud xss', async (t) => {
       url: `${prefix}/table/${editTokens[0]}/${editTokens[0]}`,
       body: { editor_id: '11', dataset_name: '<a onClick="alert("XSS Injection")">xss injection</a>' },
     });
-
-    const rep = JSON.parse(res?.body);
-    console.log(rep);
-    assert.equal(rep.status, 409);
+    assert.equal(res.json()?.status || res?.statusCode, 409);
   });
   await t.test('DELETE /delete', async () => {
     const res = await app.inject({
       method: 'DELETE',
       url: `${prefix}/table/gis.dataset/5400000`,
     });
-
-    const rep = JSON.parse(res?.body);
-    console.log(rep);
-    assert.ok(rep);
+    assert.equal(res?.json()?.status || res?.statusCode, 200);
   });
 });

package/test/api/table.test.js

@@ -11,6 +11,13 @@ const table = 'test.rest_zone.table';
 
 test('api table', async (t) => {
   const app = await build(t);
+
+  const session = { passport: { user: { uid: '1', user_type: 'admin' } } };
+  app.addHook('onRequest', async (req) => {
+    req.session = session;
+    req.user = session.passport.user;
+  });
+
   await init(pgClients.client);
 
   const body = await getTemplate('table', table);