@opengis/fastify-table 1.2.56 → 1.2.58

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@opengis/fastify-table",
-  "version": "1.2.56",
+  "version": "1.2.58",
   "type": "module",
   "description": "core-plugins",
   "keywords": [
@@ -16,7 +16,8 @@
     "index.js",
     "utils.js",
     "config.js",
-    "dblist.js"
+    "dblist.js",
+    "redactionList.js"
   ],
   "scripts": {
     "lint": "eslint . --ext .vue,.js,.jsx,.cjs,.mjs,.ts,.tsx,.cts,.mts --fix --ignore-path .gitignore",

package/redactionList.js

@@ -0,0 +1,7 @@
+import fs from 'node:fs';
+
+const redactionList = ['clientSecret', 'clientId'];
+
+const customRedactionList = fs.existsSync('redactionList.json') ? JSON.parse(fs.readFileSync('redactionList.json')) : [];
+
+export default redactionList.concat(customRedactionList);

package/server/plugins/logger/getLogger.js

@@ -1,7 +1,8 @@
 import pino from 'pino';
 // import path from 'node:path';
 
-import { config, getRedis, redactionList } from '../../../utils.js';
+import { config, getRedis } from '../../../utils.js';
+import redactionList from '../../../redactionList.js';
 
 // utils
 import getHooks from './getHooks.js';

package/server/plugins/policy/funcs/checkPolicy.js

@@ -2,6 +2,8 @@ import { config, logger } from '../../../../utils.js';
 import block from '../sqlInjection.js';
 
 const { skipCheckPolicyRoutes = [] } = config;
+
+const skipCheckPolicy = (path) => skipCheckPolicyRoutes.find(el => path.includes(el));
 /**
  * Middleware func
  *
@@ -74,12 +76,12 @@ export default function checkPolicy(req, reply) {
   }
 
   /* === policy: public === */
-  if (policy.includes('public')) {
+  if (policy.includes('public') || skipCheckPolicy(path)) {
     return null;
   }
 
   /* === 0. policy: unauthorized access from admin URL === */
-  if (!validToken && !user?.uid && !config.auth?.disable && isAdmin && !policy.includes('public') && !skipCheckPolicyRoutes.filter((el) => el).find(el => req.url.includes(el))) {
+  if (!validToken && !user?.uid && !config.auth?.disable && isAdmin && !policy.includes('public')) {
     logger.file('policy/unauthorized', {
       path, method, params, query, body, token: headers?.token, userId: headers?.uid, ip: req.ip, headers, message: 'unauthorized',
     });
@@ -87,7 +89,7 @@ export default function checkPolicy(req, reply) {
   }
 
   /* === 3. policy: user === */
-  if (!validToken && !user && policy.includes('user')) {
+  if (!validToken && !user && policy.includes('user') && !skipCheckPolicy(path)) {
     logger.file('policy/user', {
       path, method, params, query, body, message: 'access restricted: 3',
     });
@@ -103,17 +105,15 @@ export default function checkPolicy(req, reply) {
   }
 
   /* === 5. policy: site auth === */
-  if (!validToken && !policy.includes('site') && !isAdmin && !config.local && !config.debug && !unittest
-    && !['/auth/redirect', '/logout', `${config.prefix || '/api'}/login`].find(el => path.includes(el))) {
+  if (!validToken && !policy.includes('site') && !isAdmin && !config.local && !config.debug && !unittest) {
     logger.file('policy/site', {
       path, method, params, query, body, message: 'access restricted: 5', uid: user?.uid,
     });
     return reply.status(403).send('access restricted: 5');
   }
 
-  /* === 6. base policy: block api, except login  === */
-  if (!validToken && isAdmin && !isUser && isServer && !config.local && !config.debug
-    && !path.startsWith(`${config.prefix || '/api'}/login`)) {
+  /* === 6. base policy: block non-public api w/ out authorization  === */
+  if (!validToken && isAdmin && !isUser && isServer && !config.local && !config.debug) {
     logger.file('policy/api', {
       path, method, params, query, body, message: 'access restricted: 6', uid: user?.uid,
     });