npm - @opengis/fastify-table - Versions diffs - 1.5.8 → 1.5.9 - Mend

@opengis/fastify-table 1.5.8 → 1.5.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/config.js +0 -1
package/dist/server/migrations/properties.sql +1 -1
package/dist/server/plugins/policy/funcs/checkPolicy.js +50 -71
package/package.json +2 -2

package/dist/config.js CHANGED Viewed

@@ -11,7 +11,6 @@ const { skipKeys = ["windir"] } = config;
 Object.assign(config, {
     storageList: {},
     allTemplates: config?.allTemplates || {},
-    skipCheckPolicyRoutes: [],
     env: process.env?.NODE_ENV,
 });
 if (process.env?.NODE_ENV && existsSync(`.env.${process.env.NODE_ENV}`)) {

package/dist/server/migrations/properties.sql CHANGED Viewed

@@ -6,7 +6,7 @@ CREATE EXTENSION if not exists pg_trgm SCHEMA public VERSION "1.5";
 -- drop old
 DROP TABLE IF EXISTS admin.user_properties;
 DROP TABLE IF EXISTS admin.table_properties;
-DROP SCHEMA IF EXISTS setting cascade;
+-- DROP SCHEMA IF EXISTS setting cascade;
 CREATE TABLE IF NOT EXISTS admin.properties();
 ALTER TABLE admin.properties DROP CONSTRAINT IF EXISTS admin_properties_property_id_pkey;

package/dist/server/plugins/policy/funcs/checkPolicy.js CHANGED Viewed

@@ -1,10 +1,14 @@
 import { config, logger } from "../../../../utils.js";
 import block from "../sqlInjection.js";
-const { skipCheckPolicyRoutes = [] } = config;
-const skipCheckPolicy = (path) => skipCheckPolicyRoutes.find((el) => path.includes(el));
 export default function checkPolicy(req, reply) {
     const { originalUrl: path, hostname, query, params, headers, method, routeOptions, unittest, } = req;
-    if (config.local || unittest || config.env === "test") {
+    // ! skip locally, skip tests
+    if (config.local || unittest || process.env.NODE_ENV === "test") {
+        return null;
+    }
+    // ! skip non-API Requests
+    const isApi = ["/files/", "/api/", "/api-user/", "/logger", "/file/"].filter((el) => path.includes(el)).length;
+    if (!isApi) {
         return null;
     }
     const body = JSON.stringify(req?.body || {}).substring(30);
@@ -13,26 +17,28 @@ export default function checkPolicy(req, reply) {
         config.admin ||
         hostname.startsWith("admin");
     const user = req.user || req.session?.passport?.user;
-    const isUser = config?.debug || !!user;
     const isServer = process.argv[2];
-    const { policy = [] } = (routeOptions?.config ||
-        {});
-    /*= == 0.Check superadmin access  === */
-    if (policy.includes("admin") &&
-        user?.user_type !== "admin" &&
-        !config.auth?.disable) {
-        logger.file("policy/access", {
+    const { role, allowSite, // ?
+    allowSql, // ?
+    policy = [], } = (routeOptions?.config || {});
+    const requireReferer = policy?.includes?.("referer") ||
+        routeOptions?.config
+            ?.requireReferer; // ?
+    const isRole = (role && user?.user_type !== role) ||
+        (policy.includes("admin") && user?.user_type !== "admin");
+    // ! role
+    if (isRole) {
+        logger.file("policy/role", {
             path,
             method,
             params,
             query,
             body,
-            message: "access restricted: not admin",
             uid: user?.uid,
         });
         return reply.status(403).send("access restricted: 0");
     }
-    /*= == 1.File injection  === */
+    // ! file injection
     if (JSON.stringify(params || {})?.includes("../") ||
         JSON.stringify(query || {})?.includes("../") ||
         path?.includes("../")) {
@@ -42,18 +48,19 @@ export default function checkPolicy(req, reply) {
             params,
             query,
             body,
-            message: "access restricted: 1",
             uid: user?.uid,
         });
         return reply.status(403).send("access restricted: 1");
     }
-    /* === 1.1 File  === */
+    // ! invalid file extension
     const allowExtPublic = [".png", ".jpg", ".svg"];
     const ext = path.toLowerCase().substr(-4);
-    if (path.includes("files/") && allowExtPublic.includes(ext))
+    if (path.includes("files/") && allowExtPublic.includes(ext)) {
         return null;
-    /* === 2.SQL Injection policy: no-sql === */
-    if (!policy.includes("no-sql")) {
+    }
+    const noSql = Array.isArray(policy) ? policy.includes("no-sql") : allowSql;
+    // ! sql injection
+    if (!noSql) {
         // skip polyline param - data filter (geometry bounds)
         const stopWords = block.filter((el) => path.replace(query.polyline, "").includes(el));
         if (stopWords?.length) {
@@ -64,17 +71,11 @@ export default function checkPolicy(req, reply) {
                 query,
                 body,
                 stopWords,
-                message: "access restricted: 2",
                 uid: user?.uid,
             });
             return reply.status(403).send("access restricted: 2");
         }
     }
-    /* policy: skip if not API */
-    const isApi = ["/files/", "/api/", "/api-user/", "/logger", "/file/"].filter((el) => path.includes(el)).length;
-    if (!isApi) {
-        return null;
-    }
     const validToken = (req.ip === "193.239.152.181" ||
         req.ip === "127.0.0.1" ||
         req.ip?.startsWith?.("192.168.") ||
@@ -87,76 +88,55 @@ export default function checkPolicy(req, reply) {
             user_type: req.ip === "193.239.152.181" || config.debug ? "admin" : "regular",
         };
     }
-    /* === policy: public === */
-    if (policy.includes("public") ||
-        skipCheckPolicy(path) ||
-        !config.pg ||
-        config.auth?.disable ||
-        config.local ||
-        config.debug) {
-        return null;
-    }
-    /* === 0. policy: unauthorized access from admin URL === */
-    if (!validToken && !user?.uid && isAdmin && !policy.includes("public")) {
-        logger.file("policy/unauthorized", {
+    // ! referer
+    if (requireReferer && !headers?.referer?.includes?.(hostname)) {
+        logger.file("policy/referer", {
             path,
             method,
             params,
             query,
             body,
-            token: headers?.token,
-            userId: headers?.uid,
-            ip: req.ip,
-            headers,
-            message: "unauthorized",
+            uid: user?.uid,
         });
-        return reply.status(401).send("unauthorized");
+        return reply.status(403).send("access restricted: 4");
+    }
+    const isPublic = Array.isArray(policy)
+        ? policy.includes("public")
+        : policy === "L0";
+    // ! public / token
+    if (isPublic || validToken || config.debug) {
+        return null;
     }
-    /* === 3. policy: user === */
-    if (!validToken &&
-        !user &&
-        policy.includes("user") &&
-        !skipCheckPolicy(path)) {
+    const requireUser = Array.isArray(policy)
+        ? policy.includes("user")
+        : ["L1", "L2", "L3"].includes(policy);
+    // ! user required, but not logged in
+    if (requireUser && !user) {
         logger.file("policy/user", {
             path,
             method,
             params,
             query,
             body,
-            message: "access restricted: 3",
         });
         return reply.status(403).send("access restricted: 3");
     }
-    /* === 4. policy: referer === */
-    if (!validToken &&
-        !headers?.referer?.includes?.(hostname) &&
-        policy.includes("referer")) {
-        logger.file("policy/referer", {
+    const isSite = (Array.isArray(policy) ? policy.includes("site") : allowSite) && !isAdmin; // ? new policy level?
+    // ! site
+    if (!isSite && false) {
+        logger.file("policy/site", {
             path,
             method,
             params,
             query,
             body,
-            message: "access restricted: 4",
+            message: "access restricted: 5",
             uid: user?.uid,
         });
-        return reply.status(403).send("access restricted: 4");
-    }
-    /* === 5. policy: site auth === */
-    /*  if (!validToken && !policy.includes("site") && !isAdmin) {
-        logger.file("policy/site", {
-          path,
-          method,
-          params,
-          query,
-          body,
-          message: "access restricted: 5",
-          uid: user?.uid,
-        });
         return reply.status(403).send("access restricted: 5");
-      }*/
-    /* === 6. base policy: block non-public api w/ out authorization  === */
-    if (!validToken && isAdmin && !config.debug && user?.uid && isServer) {
+    }
+    // ! any API by default
+    if (isAdmin && !config.debug && user?.uid && isServer) {
         logger.file("policy/api", {
             path,
             method,
@@ -168,6 +148,5 @@ export default function checkPolicy(req, reply) {
         });
         return reply.status(403).send("access restricted: 6");
     }
-    // console.log(headers);
     return null;
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@opengis/fastify-table",
-  "version": "1.5.8",
+  "version": "1.5.9",
   "type": "module",
   "description": "core-plugins",
   "keywords": [
@@ -29,7 +29,7 @@
     "test": "node --test",
     "compress": "node compress.js",
     "dev1": "set NODE_ENV=local&& node server.js",
-    "dev": "bun start",
+    "dev": "NODE_ENV=production bun start",
     "start": "bun server"
   },
   "dependencies": {