@opengis/fastify-table 1.1.78 → 1.1.79

package/server/plugins/policy/funcs/checkPolicy.js

@@ -1,92 +1,92 @@
-import { config } from '@opengis/fastify-table/utils.js';
-import block from '../sqlInjection.js';
-
-/**
- * Middleware func
- *
- * @type function
- * @alias checkPolicy
- * @summary Функція дозволяє налаштувати доступ до сайту або API для адмін. та публічної частини веб-ресурсу
- * @param {String} path - назва апі
- * @returns {object|null} Returns object
- */
-
-export default function checkPolicy(req) {
-  const {
-    originalUrl: path, hostname, query, params, headers: hs, log, sid = 35,
-  } = req;
-  const user = req.user || req.session?.passport?.user;
-
-  const isUser = config?.debug || !!user;
-
-  const isServer = process.argv[2];
-  const { policy = [] } = req.routeOptions?.config || {};
-
-  /*= == 0.Check superadmin access  === */
-  if (policy.includes('superadmin') && user?.user_type !== 'superadmin') {
-    log.warn('api/superadmin', {
-      path, params, query, body: JSON.stringify(req?.body || {}).substring(30), message: 'access restricted: 0',
-    });
-    return { message: 'access restricted: 0', status: 403 };
-  }
-
-  /*= == 1.File injection  === */
-  if (JSON.stringify(params || {})?.includes('../') || JSON.stringify(query || {})?.includes('../') || path?.includes('../')) {
-    log.warn('injection/file', {
-      path, params, query, message: 'access restricted: 1',
-    });
-    return { message: 'access restricted: 1', status: 403 };
-  }
-
-  /* === 1.1 File  === */
-  const allowExtPublic = ['.png', '.jpg', '.svg'];
-  const ext = path.toLowerCase().substr(-4);
-  if (path.includes('files/') && allowExtPublic.includes(ext)) return null;
-
-  /* === 2.SQL Injection policy: no-sql === */
-  if (!policy.includes('no-sql')) {
-    // skip polyline param - data filter (geometry bounds)
-    const stopWords = block.filter((el) => path.replace(query.polyline, '').includes(el));
-    if (stopWords?.length) {
-      log.warn('injection/sql', { stopWords, message: 'access restricted: 2', path });
-      return { message: 'access restricted: 2', status: 403 };
-    }
-  }
-  /* policy: skip if not API */
-  const isApi = ['/files/', '/api/format/', '/api', '/api-user/', '/logger', '/file/'].filter((el) => path.includes(el)).length;
-  if (!isApi) {
-    return null;
-  }
-
-  /* === policy: public === */
-  if (policy.includes('public')) {
-    return null;
-  }
-
-  /* === 3. policy: user === */
-  if (!user && policy.includes('user') && false) {
-    log.warn('policy/user', { message: 'access restricted: 3', path });
-    return { message: 'access restricted: 3', status: 403 };
-  }
-
-  /* === 4. policy: referer === */
-  if (!hs?.referer?.includes?.(hostname) && policy.includes('referer') && !config.local && !config.debug) {
-    log.warn('policy/referer', { message: 'access restricted: 4', uid: user?.uid });
-    return { message: 'access restricted: 4', status: 403 };
-  }
-
-  /* === 5. policy: site auth === */
-  if (!policy.includes('site') && sid === 1 && isUser && !config.local && !config.debug) {
-    log.warn('policy/site', { message: 'access restricted: 5', path, uid: user?.uid });
-    return { message: 'access restricted: 5', status: 403 };
-  }
-
-  /* === 6. base policy: block api, except login  === */
-  if (sid === 35 && !isUser && isServer && !config.local && !config.debug
-    && !path.startsWith(`${config.prefix || '/api'}/login`)) {
-    log.warn('policy/api', { message: 'access restricted: 6', path, uid: user?.uid });
-    return { message: 'access restricted: 6', status: 403 };
-  }
-
-  return null;
-}
+import { config } from '@opengis/fastify-table/utils.js';
+import block from '../sqlInjection.js';
+
+/**
+ * Middleware func
+ *
+ * @type function
+ * @alias checkPolicy
+ * @summary Функція дозволяє налаштувати доступ до сайту або API для адмін. та публічної частини веб-ресурсу
+ * @param {String} path - назва апі
+ * @returns {object|null} Returns object
+ */
+
+export default function checkPolicy(req) {
+  const {
+    originalUrl: path, hostname, query, params, headers: hs, log, sid = 35,
+  } = req;
+  const user = req.user || req.session?.passport?.user;
+
+  const isUser = config?.debug || !!user;
+
+  const isServer = process.argv[2];
+  const { policy = [] } = req.routeOptions?.config || {};
+
+  /*= == 0.Check superadmin access  === */
+  if (policy.includes('superadmin') && user?.user_type !== 'superadmin') {
+    log.warn('api/superadmin', {
+      path, params, query, body: JSON.stringify(req?.body || {}).substring(30), message: 'access restricted: 0',
+    });
+    return { message: 'access restricted: 0', status: 403 };
+  }
+
+  /*= == 1.File injection  === */
+  if (JSON.stringify(params || {})?.includes('../') || JSON.stringify(query || {})?.includes('../') || path?.includes('../')) {
+    log.warn('injection/file', {
+      path, params, query, message: 'access restricted: 1',
+    });
+    return { message: 'access restricted: 1', status: 403 };
+  }
+
+  /* === 1.1 File  === */
+  const allowExtPublic = ['.png', '.jpg', '.svg'];
+  const ext = path.toLowerCase().substr(-4);
+  if (path.includes('files/') && allowExtPublic.includes(ext)) return null;
+
+  /* === 2.SQL Injection policy: no-sql === */
+  if (!policy.includes('no-sql')) {
+    // skip polyline param - data filter (geometry bounds)
+    const stopWords = block.filter((el) => path.replace(query.polyline, '').includes(el));
+    if (stopWords?.length) {
+      log.warn('injection/sql', { stopWords, message: 'access restricted: 2', path });
+      return { message: 'access restricted: 2', status: 403 };
+    }
+  }
+  /* policy: skip if not API */
+  const isApi = ['/files/', '/api/format/', '/api', '/api-user/', '/logger', '/file/'].filter((el) => path.includes(el)).length;
+  if (!isApi) {
+    return null;
+  }
+
+  /* === policy: public === */
+  if (policy.includes('public')) {
+    return null;
+  }
+
+  /* === 3. policy: user === */
+  if (!user && policy.includes('user') && false) {
+    log.warn('policy/user', { message: 'access restricted: 3', path });
+    return { message: 'access restricted: 3', status: 403 };
+  }
+
+  /* === 4. policy: referer === */
+  if (!hs?.referer?.includes?.(hostname) && policy.includes('referer') && !config.local && !config.debug) {
+    log.warn('policy/referer', { message: 'access restricted: 4', uid: user?.uid });
+    return { message: 'access restricted: 4', status: 403 };
+  }
+
+  /* === 5. policy: site auth === */
+  if (!policy.includes('site') && sid === 1 && isUser && !config.local && !config.debug) {
+    log.warn('policy/site', { message: 'access restricted: 5', path, uid: user?.uid });
+    return { message: 'access restricted: 5', status: 403 };
+  }
+
+  /* === 6. base policy: block api, except login  === */
+  if (sid === 35 && !isUser && isServer && !config.local && !config.debug
+    && !path.startsWith(`${config.prefix || '/api'}/login`)) {
+    log.warn('policy/api', { message: 'access restricted: 6', path, uid: user?.uid });
+    return { message: 'access restricted: 6', status: 403 };
+  }
+
+  return null;
+}

package/server/plugins/policy/funcs/checkXSS.js

@@ -31,7 +31,7 @@ function checkXSS({ body, schema = {} }) {
   }); */
 
   const field = Object.keys(body)
-    ?.find((key) => body[key]
+    ?.find((key) => body[key]?.toLowerCase
         && !disabledCheckFields.includes(key)
         && body[key].toLowerCase().includes(stopWords[0]));
   if (field) {

package/server/plugins/policy/index.js

@@ -1,12 +1,12 @@
-import checkPolicy from './funcs/checkPolicy.js';
-
-async function plugin(fastify) {
-  fastify.addHook('preParsing', async (request, reply) => {
-    const hookData = checkPolicy(request);
-    if (hookData?.status && hookData?.message) {
-      return reply.status(hookData?.status).send(hookData.message);
-    }
-  });
-}
-
-export default plugin;
+import checkPolicy from './funcs/checkPolicy.js';
+
+async function plugin(fastify) {
+  fastify.addHook('preParsing', async (request, reply) => {
+    const hookData = checkPolicy(request);
+    if (hookData?.status && hookData?.message) {
+      return reply.status(hookData?.status).send(hookData.message);
+    }
+  });
+}
+
+export default plugin;

package/server/plugins/policy/sqlInjection.js

@@ -1,33 +1,33 @@
-const sqlInjection = [
-  '()',
-  '^',
-  '*',
-  'like ',
-  '@variable',
-  '@@variable',
-  'group by ',
-  'union ',
-  'select ',
-  'having ',
-  'as injectx',
-  'where ',
-  'rlike ',
-  'if(',
-  'sleep(',
-  'waitfor delay',
-  'benchmark(',
-  'pg_sleep(',
-  "'\\\"",
-  'randomblob(',
-  'order by ',
-  'union all ',
-  '+or',
-  'or ',
-  'and ',
-  "'' ",
-  '"""  ',
-  '<script',
-  'javascript:',
-];
-
-export default sqlInjection;
+const sqlInjection = [
+  '()',
+  '^',
+  '*',
+  'like ',
+  '@variable',
+  '@@variable',
+  'group by ',
+  'union ',
+  'select ',
+  'having ',
+  'as injectx',
+  'where ',
+  'rlike ',
+  'if(',
+  'sleep(',
+  'waitfor delay',
+  'benchmark(',
+  'pg_sleep(',
+  "'\\\"",
+  'randomblob(',
+  'order by ',
+  'union all ',
+  '+or',
+  'or ',
+  'and ',
+  "'' ",
+  '"""  ',
+  '<script',
+  'javascript:',
+];
+
+export default sqlInjection;

package/server/plugins/redis/client.js

@@ -1,8 +1,8 @@
-import redisClients from './funcs/redisClients.js';
-import getRedis from './funcs/getRedis.js';
-
-if (!redisClients[0]) {
-  getRedis({ db: 0 });
-}
-
-export default redisClients[0];
+import redisClients from './funcs/redisClients.js';
+import getRedis from './funcs/getRedis.js';
+
+if (!redisClients[0]) {
+  getRedis({ db: 0 });
+}
+
+export default redisClients[0];

package/server/plugins/redis/funcs/redisClients.js

@@ -1,3 +1,3 @@
-const redisClients = {};
-
-export default redisClients;
+const redisClients = {};
+
+export default redisClients;

package/server/plugins/redis/index.js

@@ -1,17 +1,17 @@
-// import redis from './client.js';
-import redisClients from './funcs/redisClients.js';
-
-function close(fastify) {
-  // redis.quit();
-  Object.keys(redisClients).forEach((key) => redisClients[key].quit());
-}
-
-async function plugin(fastify) {
-  // const client = getRedis({ db: 0 });
-  // client.getJSON = client.get;
-  // fastify.decorate('rclient', client);
-  // fastify.decorate('getRedis', getRedis);
-  fastify.addHook('onClose', close);
-}
-
-export default plugin;
+// import redis from './client.js';
+import redisClients from './funcs/redisClients.js';
+
+function close(fastify) {
+  // redis.quit();
+  Object.keys(redisClients).forEach((key) => redisClients[key].quit());
+}
+
+async function plugin(fastify) {
+  // const client = getRedis({ db: 0 });
+  // client.getJSON = client.get;
+  // fastify.decorate('rclient', client);
+  // fastify.decorate('getRedis', getRedis);
+  fastify.addHook('onClose', close);
+}
+
+export default plugin;

package/server/plugins/table/funcs/addTemplateDir.js

@@ -1,8 +1,8 @@
-import userTemplateDir from './userTemplateDir.js';
-
-export default function addTemplateDir(dir) {
-  if (dir) {
-    userTemplateDir.push(dir);
-  }
-  return userTemplateDir;
-}
+import userTemplateDir from './userTemplateDir.js';
+
+export default function addTemplateDir(dir) {
+  if (dir) {
+    userTemplateDir.push(dir);
+  }
+  return userTemplateDir;
+}

package/server/plugins/table/funcs/getFilterSQL/index.js

@@ -1,96 +1,96 @@
-import getTemplate from '../getTemplate.js';
-import pgClients from '../../../pg/pgClients.js';
-
-// import { getTemplate, pgClients } from '../../../../../utils.js';
-
-// filter util
-import getTableSql from './util/getTableSql.js';
-import getFilterQuery from './util/getFilterQuery.js';
-import getOptimizedQuery from './util/getOptimizedQuery.js';
-
-async function getFilterSQL({
-  table, filter, pg = pgClients.client, search, filterList, query, custom, state,
-}) {
-  if (!table) return { error: 'param table is required', status: 400 };
-
-  const body = await getTemplate('table', table);
-
-  const sqlList = body?.sql?.length
-    ? body?.sql?.filter((el) => !el.disabled && el?.sql?.replace)
-      .map((el, i) => {
-        Object.assign(el, { name: el.name || `t${i + 1}` });
-        return ` left join lateral (${el.filter ? el.sql.replace(/limit 1/ig, '') : el.sql}) as ${el.name} on 1=1 `;
-      }).join(' ')
-    : '';
-  const fieldQuery = `select * from ${body?.table || table} ${sqlList ? ` t ${sqlList}` : ''} where 1=1 limit 0`;
-  const { fields = [] } = await pg.query(fieldQuery);
-
-  const { fields: fieldsModel } = body?.table && pg.pk[body?.table] ? await pg.query(`select * from ${body.table} limit 0`) : {};
-
-  const autoSearchColumn = fields?.filter((el) => pg.pgType?.[el.dataTypeID] === 'text')?.map((el) => el.name).join(',');
-  const searchColumn = body?.search_column || autoSearchColumn;
-  const fieldsList = (fieldsModel || fields)?.map((el) => el.name);
-  try {
-    const tableSQL = await getTableSql({
-      pg, body, table, fields,
-    });
-    const sval = `ilike '%${decodeURIComponent(search).replace(/'/g, "''")}%'`;
-    const searchQuery = search && searchColumn
-      ? ` (${searchColumn.split(',')?.map((name) => {
-        const { pk } = tableSQL.find((el) => el.name === name) || {};
-        return pk && !fieldsList.includes(name) ? `${pk} in (select ${pk} from (${fieldQuery})q where ${name} ${sval})` : `${name} ${sval}`;
-      }).join(' or ')} )` : '';
-
-    const filterList1 = await Promise.all((filterList || (body?.filter_list || []).concat(body?.filterInline || []).concat(body?.filterCustom || []).concat(body?.filterState || []).concat(body?.filterList || [])
-      .concat(body?.filters || [])) /* .concat(extraFilters || []).concat(customFilters || []) */
-
-      ?.map(async (el) => {
-        if (!el?.data) return el;
-        const cls = await getTemplate(['cls', 'select'], el.data);
-        if (Array.isArray(cls) && cls?.length) {
-          Object.assign(el, { options: cls });
-        }
-        else if (typeof (cls?.sql || cls) === 'string') {
-          Object.assign(el, { sql: cls?.sql || cls });
-        }
-        return el;
-      }));
-
-    const filters = getFilterQuery({
-      pg,
-      filter,
-      table,
-      tableSQL,
-      fields,
-      filterList: filterList1,
-    });
-
-    // filter
-    const customQuery = body?.filterCustom?.length && custom ? body.filterCustom?.find((el) => el.name === custom)?.sql : null;
-    const stateQuery = body?.filterState?.length && state ? body.filterState?.find((el) => el.name === state)?.sql : null;
-
-    const filterQuery = filters?.filter((el) => el.query)?.map((el) => `${el.query} `).join(' and ');
-    const q = [body?.query, query, searchQuery, filterQuery, stateQuery, customQuery].filter((el) => el).join(' and ');
-
-    // table
-    const modelQuery = body?.model || body?.table || table;
-    const optimizedSQL = `select * from ${getOptimizedQuery({ body, table, q })} `;
-    const tableCount = getOptimizedQuery({ body, table, q }, true);
-    // console.log(optimizedSQL);
-    return {
-      filterList,
-
-      q,
-      optimizedSQL,
-      tableCount,
-      table: modelQuery,
-      // filter parts
-      searchQuery,
-    };
-  }
-  catch (err) {
-    throw new Error(err.toString());
-  }
-}
-
-export default getFilterSQL;
+import getTemplate from '../getTemplate.js';
+import pgClients from '../../../pg/pgClients.js';
+
+// import { getTemplate, pgClients } from '../../../../../utils.js';
+
+// filter util
+import getTableSql from './util/getTableSql.js';
+import getFilterQuery from './util/getFilterQuery.js';
+import getOptimizedQuery from './util/getOptimizedQuery.js';
+
+async function getFilterSQL({
+  table, filter, pg = pgClients.client, search, filterList, query, custom, state,
+}) {
+  if (!table) return { error: 'param table is required', status: 400 };
+
+  const body = await getTemplate('table', table);
+
+  const sqlList = body?.sql?.length
+    ? body?.sql?.filter((el) => !el.disabled && el?.sql?.replace)
+      .map((el, i) => {
+        Object.assign(el, { name: el.name || `t${i + 1}` });
+        return ` left join lateral (${el.filter ? el.sql.replace(/limit 1/ig, '') : el.sql}) as ${el.name} on 1=1 `;
+      }).join(' ')
+    : '';
+  const fieldQuery = `select * from ${body?.table || table} ${sqlList ? ` t ${sqlList}` : ''} where 1=1 limit 0`;
+  const { fields = [] } = await pg.query(fieldQuery);
+
+  const { fields: fieldsModel } = body?.table && pg.pk[body?.table] ? await pg.query(`select * from ${body.table} limit 0`) : {};
+
+  const autoSearchColumn = fields?.filter((el) => pg.pgType?.[el.dataTypeID] === 'text')?.map((el) => el.name).join(',');
+  const searchColumn = body?.search_column || autoSearchColumn;
+  const fieldsList = (fieldsModel || fields)?.map((el) => el.name);
+  try {
+    const tableSQL = await getTableSql({
+      pg, body, table, fields,
+    });
+    const sval = `ilike '%${decodeURIComponent(search).replace(/'/g, "''")}%'`;
+    const searchQuery = search && searchColumn
+      ? ` (${searchColumn.split(',')?.map((name) => {
+        const { pk } = tableSQL.find((el) => el.name === name) || {};
+        return pk && !fieldsList.includes(name) ? `${pk} in (select ${pk} from (${fieldQuery})q where ${name} ${sval})` : `${name} ${sval}`;
+      }).join(' or ')} )` : '';
+
+    const filterList1 = await Promise.all((filterList || (body?.filter_list || []).concat(body?.filterInline || []).concat(body?.filterCustom || []).concat(body?.filterState || []).concat(body?.filterList || [])
+      .concat(body?.filters || [])) /* .concat(extraFilters || []).concat(customFilters || []) */
+
+      ?.map(async (el) => {
+        if (!el?.data) return el;
+        const cls = await getTemplate(['cls', 'select'], el.data);
+        if (Array.isArray(cls) && cls?.length) {
+          Object.assign(el, { options: cls });
+        }
+        else if (typeof (cls?.sql || cls) === 'string') {
+          Object.assign(el, { sql: cls?.sql || cls });
+        }
+        return el;
+      }));
+
+    const filters = getFilterQuery({
+      pg,
+      filter,
+      table,
+      tableSQL,
+      fields,
+      filterList: filterList1,
+    });
+
+    // filter
+    const customQuery = body?.filterCustom?.length && custom ? body.filterCustom?.find((el) => el.name === custom)?.sql : null;
+    const stateQuery = body?.filterState?.length && state ? body.filterState?.find((el) => el.name === state)?.sql : null;
+
+    const filterQuery = filters?.filter((el) => el.query)?.map((el) => `${el.query} `).join(' and ');
+    const q = [body?.query, query, searchQuery, filterQuery, stateQuery, customQuery].filter((el) => el).join(' and ');
+
+    // table
+    const modelQuery = body?.model || body?.table || table;
+    const optimizedSQL = `select * from ${getOptimizedQuery({ body, table, q })} `;
+    const tableCount = getOptimizedQuery({ body, table, q }, true);
+    // console.log(optimizedSQL);
+    return {
+      filterList,
+
+      q,
+      optimizedSQL,
+      tableCount,
+      table: modelQuery,
+      // filter parts
+      searchQuery,
+    };
+  }
+  catch (err) {
+    throw new Error(err.toString());
+  }
+}
+
+export default getFilterSQL;