@opengis/fastify-table 1.1.44 → 1.1.46

package/Changelog.md

@@ -1,6 +1,6 @@
 # fastify-table
 
-## 1.1.44 - 21.10.2024
+## 1.1.46 - 22.10.2024
 
 - addHook params refactor
 - add handlebars to utils

package/crud/controllers/utils/checkXSS.js

@@ -16,15 +16,16 @@ function checkXSS({ body, schema = {} }) {
   // escape arrows on non-RTE
   Object.keys(body)
     .filter((key) => ['<', '>'].find((el) => body[key]?.includes?.(el))
-  && !['Summernote', 'Tiny', 'Ace'].includes(schema[key]?.type))
+  && !['Summernote', 'Tiny', 'Ace'].includes(schema?.[key]?.type))
     ?.forEach((key) => {
       Object.assign(body, { [key]: body[key].replace(/</g, '&lt;').replace(/>/g, '&gt;') });
     });
+
   // try { } catch (err) { return { error: err.toString() }; }
 
   if (!stopWords.length) return { body };
 
-  const disabledCheckFields = Object.keys(schema)?.filter((el) => schema[el]?.xssCheck === false); // exclude specific columns
+  const disabledCheckFields = Object.keys(schema || {})?.filter((el) => schema?.[el]?.xssCheck === false); // exclude specific columns
 
   // check RTE
   /* const richTextFields = Object.keys(schema).filter((el) => ['Summernote', 'Tiny', 'Ace'].includes(schema[el]?.type));

package/crud/funcs/getAccess.js

@@ -20,19 +20,18 @@ left join admin.user_roles d on
 where $1 in (a.route_id, a.alias) and $2 in (b.user_uid, d.user_uid)`;
 
 export default async function getAccess({ table, id, user }) {
-  if (config.auth?.disable || user?.user_type?.includes('admin')) {
-    return { actions: ['get', 'edit', 'del'], my: true, query: '1=1' };
-  }
-
   const { client: pg } = pgClients || {};
   const { uid, user_type: userType } = user || {};
 
-  if (!uid || !table) return null;
-
-  if (!pg.pk?.['admin.access']) return null;
+  if (!table || !pg.pk?.['admin.access']) return null;
 
   const body = await getTemplate('table', table) || {};
-  if (!body?.table) return null;
+
+  if (config.auth?.disable || user?.user_type?.includes('admin') || body?.public) {
+    return { actions: ['get', 'edit', 'del'], my: true, query: '1=1' };
+  }
+
+  if (!uid || !body?.table) return null;
 
   const { scope = 'my', actions = [] } = await pg.query(q, [table, uid]).then((res) => res.rows?.[0] || {});
 

package/crud/funcs/utils/logChanges.js

@@ -1,28 +1,4 @@
-function formatData(fieldType = 'text', value = null) {
-  if (!value) return null;
-  if (fieldType === 'geometry') {
-    return typeof value === 'object' ? `st_astext(st_geomfromgeojson('${JSON.stringify(value)}'::json))` : `st_astext('${value}'::geometry)`;
-  }
-  if (['integer', 'numeric', 'double precision'].includes(fieldType)) {
-    return value || null;
-  }
-  if (fieldType.includes('timestamp') || fieldType === 'date') {
-    if (typeof value === 'object') {
-      return value ? `'${value.toISOString()}'::${fieldType}` : null;
-    }
-    return value ? `'${value}'::${fieldType}` : null;
-  }
-  if (typeof value === 'object' || fieldType.includes('json')) {
-    if (Array.isArray(value)) {
-      return `'${JSON.stringify(value)}'`;
-    }
-    return `'${JSON.stringify(value)}'`;
-  }
-  if (Array.isArray(value)) {
-    return `'{ ${value.join(',')} }'::${fieldType}`;
-  }
-  return `'${value || null}'`;
-}
+import getMeta from '../../../pg/funcs/getMeta.js';
 
 export default async function logChanges({
   pg, table, id, data, uid = 1, type,
@@ -55,13 +31,23 @@ export default async function logChanges({
 
     const old = type !== 'INSERT' ? await pg.query(q, [id]).then((res) => res.rows?.[0] || {}) : {};
 
-    const fieldTypes = fields?.reduce((acc, curr) => Object.assign(acc, { [curr.name]: pg.pgType[curr.dataTypeID] }), {}) || {};
-    const q1 = Object.keys(data || {}).map((el) => `insert into log.table_changes_data(change_id,entity_key,value_old,value_new) 
-      values('${changeId}', '${el}', ${formatData(fieldTypes[el], old[el])}, ${formatData(fieldTypes[el], data[el])}) returning *`).join(';\n');
-    // console.log(q1);
-    const res = await pg.query(q1);
+    const { columns = [] } = await getMeta({ table: 'log.table_changes_data' });
+    const names = columns.map((el) => el.name);
+
+    const res = await Promise.all(Object.keys(data || {}).map(async (el) => {
+      const filterData = Object.entries({
+        change_id: changeId, entity_key: el, value_old: old[el], value_new: data[el], uid,
+      })
+        .filter((el) => el[1] && names.includes(el[0]));
+
+      const insertQuery = `insert into log.table_changes_data (${filterData?.map((key) => `"${key[0]}"`).join(',')}) 
+      values (${filterData?.map((key, i) => `$${i + 1}`).join(',')}) returning *`;
+
+      const { rows = [] } = await pg.query(insertQuery, [...filterData.map((el) => (el[1] && typeof el[1] === 'object' && (!Array.isArray(el[1]) || typeof el[1]?.[0] === 'object') ? JSON.stringify(el[1]) : el[1]))]) || {};
+      return rows[0];
+    }));
 
-    const newData = type === 'DELETE' ? {} : (Array.isArray(res) ? res : [res]).reduce((acc, curr) => Object.assign(acc, { [curr.rows?.[0].entity_key]: curr.rows?.[0].value_new }), {});
+    const newData = type === 'DELETE' ? {} : (Array.isArray(res) ? res : [res]).reduce((acc, curr) => Object.assign(acc, { [curr.entity_key]: curr.value_new }), {});
     // console.log('logChanges OK', type);
     return {
       change_id: changeId, entity_type: table, entity_id: id, uid, change_type: type, old, new: newData,

package/hook/funcs/applyHook.js

@@ -2,7 +2,7 @@ import config from '../../config.js';
 import hookList from './hookList.js';
 
 export default async function applyHook(name, data) {
-  const debug = config.local || config.debug;
+  const { debug } = config;
   if (debug) console.log('applyHook', name);
   if (!hookList[name]?.length) return null;
   const result = {};

package/module/test/table/test.rest_zone.table.json

@@ -1,4 +1,5 @@
 {
+  "public": true,
   "key": "rz_id",
   "table": "itree.rest_zones",
   "query": "verif",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@opengis/fastify-table",
-  "version": "1.1.44",
+  "version": "1.1.46",
   "type": "module",
   "description": "core-plugins",
   "main": "index.js",

package/table/controllers/card.js

@@ -24,7 +24,8 @@ export default async function card(req) {
     table: hookData?.table || params.table,
     id: hookData?.id || params?.id,
     user,
-  });
+  }) || {};
+
   if (!actions.includes('get') || (scope === 'my' && !my)) {
     return { message: 'access restricted', status: 403 };
   }

package/table/controllers/data.js

@@ -30,7 +30,8 @@ export default async function dataAPI(req) {
     table: hookData?.table || params.table,
     id: hookData?.id || params?.id,
     user,
-  });
+  }) || {};
+
   if (!actions.includes('get') || (scope === 'my' && !my)) {
     return { message: 'access restricted', status: 403 };
   }

package/table/controllers/table.js

@@ -30,7 +30,8 @@ export default async function tableAPI(req) {
     table: hookData?.table || params.table,
     id: hookData?.id || params?.id,
     user,
-  });
+  }) || {};
+
   if (!actions.includes('get') || (scope === 'my' && !my)) {
     return { message: 'access restricted', status: 403 };
   }

package/test/api/crud.xss.test.js

@@ -4,7 +4,22 @@ import assert from 'node:assert';
 import build from '../../helper.js';
 
 import setToken from '../../crud/funcs/setToken.js';
+import getToken from '../../crud/funcs/getToken.js';
+import addHook from '../../hook/funcs/addHook.js';
 import config from '../config.js';
+import pgClients from '../../pg/pgClients.js';
+
+addHook('preInsert', async ({ table }) => getToken({
+  mode: 'a', token: table, uid: '1', json: 1,
+}));
+
+addHook('preUpdate', async ({ table }) => getToken({
+  mode: 'w', token: table, uid: '1', json: 1,
+}));
+
+addHook('preDelete', async ({ table }) => getToken({
+  mode: 'w', token: table, uid: '1', json: 1,
+}));
 
 test('api crud xss', async (t) => {
   const app = await build(t);
@@ -13,52 +28,53 @@ test('api crud xss', async (t) => {
     req.session = session;
     req.user = session.passport.user;
   });
-  // app.decorateRequest('session', session);
 
+  const id = 'test';
   const prefix = config.prefix || '/api';
 
-  let addTokens;
-  let editTokens;
-
-  // before
-  t.test('setToken', async () => {
-    addTokens = setToken({
-      ids: [JSON.stringify({ table: 'gis.dataset', form: 'test.dataset.form' })],
+  await t.test('POST /insert', async () => {
+    const addTokens = setToken({
+      ids: [JSON.stringify({ table: 'test.rest_zone.table', form: 'rest_zone.form' })],
       mode: 'a',
       uid: 1,
       array: 1,
     });
-    editTokens = setToken({
-      ids: [JSON.stringify({ id: '5400000', table: 'gis.dataset', form: 'test.dataset.form' })],
-      mode: 'w',
-      uid: 1,
-      array: 1,
-    });
-    assert.ok(addTokens.length === 1 && editTokens.length === 1, 'invalid token');
-  });
-
-  await t.test('POST /insert', async () => {
+    assert.ok(addTokens.length, 'invalid token');
     const res = await app.inject({
       method: 'POST',
       url: `${prefix}/table/${addTokens[0]}`,
-      body: { dataset_name: '<a onClick="alert("XSS Injection")">xss injection</a>', dataset_id: '5400000' },
+      body: { rz_id: 'test', composition: '<a onClick="alert("XSS Injection")">xss injection</a>' },
     });
     assert.equal(res?.json()?.status || res?.statusCode, 409);
   });
 
+  const editTokens = setToken({
+    ids: [JSON.stringify({ id, table: 'test.rest_zone.table', form: 'rest_zone.form' })],
+    mode: 'w',
+    uid: 1,
+    array: 1,
+  });
+
   await t.test('PUT /update', async () => {
     const res = await app.inject({
       method: 'PUT',
-      url: `${prefix}/table/${editTokens[0]}/${editTokens[0]}`,
-      body: { editor_id: '11', dataset_name: '<a onClick="alert("XSS Injection")">xss injection</a>' },
+      url: `${prefix}/table/${editTokens[0]}`,
+      body: { editor_id: '11', composition: '<a onClick="alert("XSS Injection")">xss injection</a>' },
     });
     assert.equal(res.json()?.status || res?.statusCode, 409);
   });
   await t.test('DELETE /delete', async () => {
     const res = await app.inject({
       method: 'DELETE',
-      url: `${prefix}/table/gis.dataset/5400000`,
+      url: `${prefix}/table/${editTokens[0]}`,
     });
     assert.equal(res?.json()?.status || res?.statusCode, 200);
   });
+
+  // after
+  await t.test('clean up', async () => {
+    const { rowCount } = await pgClients.client.query('delete from itree.rest_zones where composition::text ilike \'%xss injection%\'');
+    const { rowCount: testRows } = await pgClients.client.query('delete from itree.rest_zones where rz_id=\'test\'');
+    console.log('clean up', rowCount, testRows);
+  });
 });

package/test/api/table.test.js

@@ -11,6 +11,13 @@ const table = 'test.rest_zone.table';
 
 test('api table', async (t) => {
   const app = await build(t);
+
+  const session = { passport: { user: { uid: '1', user_type: 'admin' } } };
+  app.addHook('onRequest', async (req) => {
+    req.session = session;
+    req.user = session.passport.user;
+  });
+
   await init(pgClients.client);
 
   const body = await getTemplate('table', table);