@opengis/fastify-table 2.0.56 → 2.0.58

package/dist/server/migrations/0.sql

@@ -59,8 +59,8 @@ if (_returnType != 'text') then
 	end loop;
 
 	raise notice 'reassign default finish: %', _tables;
-	
-else 
+
+else
 	raise notice 'skip default reassign';
 
 		/* CREATE EXTENSION if not exists "uuid-ossp";
@@ -81,7 +81,7 @@ else
 	  COST 100;
 end if;
 
-end $$
+end $$;
 
 CREATE OR REPLACE FUNCTION array_intersect(
 	anyarray,

package/dist/server/plugins/auth/funcs/authorizeUser.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authorizeUser.d.ts","sourceRoot":"","sources":["../../../../../server/plugins/auth/funcs/authorizeUser.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AA2BtD,wBAA8B,aAAa,CACzC,IAAI,EAAE,YAAY,EAClB,GAAG,EAAE,GAAG,EACR,QAAQ,SAAe,EACvB,MAAM,CAAC,EAAE,MAAM,gBAkFhB"}
+{"version":3,"file":"authorizeUser.d.ts","sourceRoot":"","sources":["../../../../../server/plugins/auth/funcs/authorizeUser.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AA4BtD,wBAA8B,aAAa,CACzC,IAAI,EAAE,YAAY,EAClB,GAAG,EAAE,GAAG,EACR,QAAQ,SAAe,EACvB,MAAM,CAAC,EAAE,MAAM,gBA+HhB"}

package/dist/server/plugins/auth/funcs/authorizeUser.js

@@ -1,5 +1,6 @@
 import config from "../../../../config.js";
 import logger from "../../logger/getLogger.js";
+import pgClients from "../../pg/pgClients.js";
 import applyHook from "../../hook/applyHook.js";
 import logAuth from "./logAuth.js";
 /*
@@ -18,6 +19,7 @@ const getIp = (req) => (req.headers?.["x-real-ip"] ||
 export default async function authorizeUser(user, req, authType = "creds-user", expire) {
     if (!user?.uid)
         return "/logout";
+    const { pg = pgClients.client } = req;
     Object.assign(user, { auth_type: authType });
     // fastify/passport
     await req.login(user);
@@ -54,10 +56,39 @@ export default async function authorizeUser(user, req, authType = "creds-user",
     })) ||
         {};
     await req.session?.save?.();
-    if (req.method === "POST") {
-        return { message: "ok", status: "200" };
-    }
     const redirectUrl = req.headers?.referer?.match?.(/[?&]redirect=([^&]+)/)?.[1] || "/";
+    const twofaEnabled = config.auth?.["2factor"] && user?.twofa && user.uid && pg;
+    const registered = false; // ? check by created/updated date?
+    if (req.method === "POST" &&
+        (!twofaEnabled || req.session?.secondFactorPassed)) {
+        return {
+            redirectUrl: href ||
+                config.auth?.redirectAfter ||
+                (redirectUrl.startsWith("/") ? redirectUrl : "/"),
+            authType,
+            registered,
+            user: { ...user, password: undefined, salt: undefined },
+        };
+    }
+    if (req.method === "POST" &&
+        twofaEnabled &&
+        !req.session?.secondFactorPassed) {
+        const verified = await pg
+            .query(`select
+          enabled and social_auth_url is not null as verified
+        from admin.users_social_auth
+        where uid = $1
+        and social_auth_type = $2`, [user.uid, "TOTP"])
+            .then((el) => el.rows?.[0]?.verified || false);
+        const redirect2fa = `${config.auth?.link?.["2fa"]?.login || "/2factor"}?redirect=${redirectUrl.startsWith("/") ? redirectUrl : "/"}`;
+        return {
+            redirectUrl: redirect2fa,
+            authType,
+            registered,
+            "2factor": { verified, enabled: !!user?.twofa },
+            user: { ...user, password: undefined, salt: undefined },
+        };
+    }
     // by default, disable 2factor for id.gov.ua auth
     const check = authType === "govid" ? config.auth?.["2factor"]?.govid : true;
     if (config.auth?.["2factor"] && user?.twofa && check) {

package/dist/server/plugins/auth/funcs/loginUser.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"loginUser.d.ts","sourceRoot":"","sources":["../../../../../server/plugins/auth/funcs/loginUser.ts"],"names":[],"mappings":"AAOA,OAAO,EAAE,YAAY,EAAkB,MAAM,SAAS,CAAC;AAEvD,wBAA8B,SAAS,CAAC,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,YAAY,kBA+CpE"}
+{"version":3,"file":"loginUser.d.ts","sourceRoot":"","sources":["../../../../../server/plugins/auth/funcs/loginUser.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAUvC,wBAA8B,SAAS,CAAC,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,YAAY,kBA+CpE"}

package/dist/server/plugins/auth/funcs/loginUser.js

@@ -9,14 +9,14 @@ export default async function loginUser(req, reply) {
     if (!config.pg) {
         return req.method === "GET"
             ? reply.status(302).redirect("/login?confirm=wrong_pass&message=empty pg")
-            : reply.status(400).send({ message: "empty pg" });
+            : reply.status(400).send({ error: "empty pg", code: 400 });
     }
     if (!config.redis) {
         return req.method === "GET"
             ? reply
                 .status(302)
                 .redirect("/login?confirm=wrong_pass&message=empty redis")
-            : reply.status(400).send({ message: "empty redis" });
+            : reply.status(400).send({ error: "empty redis", code: 400 });
     }
     const { user, message = "invalid user" } = (await verifyPassword({
         pg,
@@ -28,19 +28,19 @@ export default async function loginUser(req, reply) {
             ? reply
                 .status(302)
                 .redirect(`/login?confirm=wrong_pass&message=${message}`)
-            : reply.status(400).send({ message });
+            : reply.status(400).send({ error: message, code: 400 });
     }
     if (!user && (req.query?.username || req.body?.username)) {
         return req.method === "GET"
             ? reply
                 .status(302)
                 .redirect(`/login?confirm=wrong_pass&message=${message}`)
-            : reply.status(400).send({ message });
+            : reply.status(400).send({ error: message, code: 400 });
     }
     logger.metrics("user.login");
     const authType = "creds-" + (user.user_type === "admin" ? "admin" : "user");
-    const href = await authorizeUser(user, req, authType); // creds-admin / creds-admin
+    const result = await authorizeUser(user, req, authType); // creds-admin / creds-admin
     return req.method === "GET"
-        ? reply.status(302).redirect(href)
-        : reply.status(200).send(href);
+        ? reply.status(302).redirect(result)
+        : reply.status(200).send(result);
 }

package/dist/server/plugins/auth/index.d.ts

@@ -1,4 +1,6 @@
-import { FastifyInstance } from "fastify";
+import { FastifyInstance, FastifyReply } from "fastify";
+import { ExtendedRequest } from "../../types/core.js";
+export declare function onRequest(req: ExtendedRequest, reply: FastifyReply): Promise<null>;
 declare function plugin(fastify: FastifyInstance): void;
 export default plugin;
 //# sourceMappingURL=index.d.ts.map

package/dist/server/plugins/auth/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../server/plugins/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAkB1C,iBAAS,MAAM,CAAC,OAAO,EAAE,eAAe,QAuIvC;AAED,eAAe,MAAM,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../server/plugins/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAYxD,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAMtD,wBAAsB,SAAS,CAAC,GAAG,EAAE,eAAe,EAAE,KAAK,EAAE,YAAY,iBA6GxE;AAED,iBAAS,MAAM,CAAC,OAAO,EAAE,eAAe,QA6BvC;AAED,eAAe,MAAM,CAAC"}

package/dist/server/plugins/auth/index.js

@@ -7,6 +7,91 @@ import config from "../../../config.js";
 import getRedis from "../redis/funcs/getRedis.js";
 const fastifyPassport = new Authenticator();
 const { prefix = "/api" } = config;
+export async function onRequest(req, reply) {
+    const { hostname, headers, routeOptions } = req;
+    const { policy = [] } = routeOptions?.config || {};
+    // proxy from old apps to editor, bi etc.
+    const validToken = (req.ip === "193.239.152.181" ||
+        req.ip === "127.0.0.1" ||
+        req.ip?.startsWith?.("192.168.") ||
+        config.debug) &&
+        req.headers?.token &&
+        config.auth?.tokens?.includes?.(headers.token);
+    if (validToken && !req?.user?.uid) {
+        req.user = {
+            uid: req.headers?.uid?.toString?.(),
+            user_type: req.headers?.user_type?.toString?.() || "regular",
+        };
+    }
+    const isAdmin = process.env.NODE_ENV === "admin" ||
+        hostname?.split?.(":")?.shift?.() === config.adminDomain ||
+        config.admin ||
+        hostname?.startsWith?.("admin");
+    const isPublic = Array.isArray(policy)
+        ? policy.includes("public")
+        : policy === "L0";
+    if (!req.session?.passport?.user?.uid &&
+        (config.auth?.disable || config.auth?.user) &&
+        !isPublic) {
+        req.session = req.session || {};
+        req.session.passport = req.session.passport || {}; // ensure passport session exists
+        req.session.passport.user = {
+            ...(config.auth?.user || {}),
+            uid: config.auth?.user?.uid?.toString?.() || "1",
+            user_rnokpp: config.auth?.user?.rnokpp,
+            user_type: config.auth?.user?.type || "regular",
+        };
+        req.user = req.session.passport.user;
+    }
+    // ! intentional: null || undefined > undefined
+    req.user = req.user || req.session?.passport?.user || undefined; // fix for user.uid errors, by default user is null, while with express passport it was {}, unauthorized user does not trigger serializer
+    // currently 2factor + auth with passwd file not supported
+    const ispasswd = (existsSync("passwd") && !config.auth?.["2factor"]) || config.auth?.passwd;
+    const loginPageUrl = config.auth?.link?.core?.login || config?.auth?.redirect || "/login";
+    if (!req.user?.uid &&
+        !config.auth?.disable &&
+        isAdmin &&
+        !isPublic &&
+        !config.auth?.disableRedirect &&
+        !req.url.startsWith(prefix) &&
+        !req.url.startsWith("/api") &&
+        !req.url.startsWith(loginPageUrl) &&
+        !req.url.includes(".") &&
+        !req.url.includes("@")) {
+        return reply.redirect(`${loginPageUrl}` + `?redirect=${req.url}`);
+    }
+    // by default, disable 2factor for id.gov.ua auth
+    const check = req.user?.auth_type === "govid" ? config.auth?.["2factor"]?.govid : true;
+    const login2faPage = config.auth?.link?.["2fa"]?.login || "/2factor";
+    // example: 2factor for admin env only, while public env does not require it
+    const checkEnv = () => {
+        if (!config.auth?.["2factorEnv"])
+            return true;
+        if ((config.auth?.["2factorEnv"] &&
+            process.env.NODE_ENV === config.auth?.["2factorEnv"]) ||
+            (config.auth?.["2factorEnv"] === "admin" && isAdmin)) {
+            return true;
+        }
+        return false;
+    };
+    // if 2factor is enabled globally + for user and secondFactorPassed not true => redirect to 2factor login page
+    if (req.user?.uid &&
+        req.user?.twofa &&
+        config.auth?.["2factor"] &&
+        !isPublic &&
+        (routeOptions?.method || "GET") === "GET" &&
+        !req.session?.secondFactorPassed &&
+        !ispasswd &&
+        !config.auth?.disableRedirect &&
+        !config.auth?.disable &&
+        check &&
+        checkEnv()) {
+        if (!req.url.startsWith(login2faPage)) {
+            return reply.redirect(login2faPage);
+        }
+    }
+    return null;
+}
 function plugin(fastify) {
     if (!config.redis) {
         return;
@@ -27,82 +112,6 @@ function plugin(fastify) {
     fastifyPassport.registerUserSerializer(async (user) => ({ user }));
     // deserialize user used to add user info from session store to req
     fastifyPassport.registerUserDeserializer(async (passport) => passport?.user || passport);
-    fastify.addHook("onRequest", async (req, reply) => {
-        const { pg, hostname, headers, routeOptions } = req;
-        const { policy = [] } = routeOptions?.config || {};
-        // proxy from old apps to editor, bi etc.
-        const validToken = (req.ip === "193.239.152.181" ||
-            req.ip === "127.0.0.1" ||
-            req.ip?.startsWith?.("192.168.") ||
-            config.debug) &&
-            req.headers?.token &&
-            config.auth?.tokens?.includes?.(headers.token);
-        if (validToken && !req?.user?.uid) {
-            req.user = {
-                uid: req.headers?.uid?.toString?.(),
-                user_type: req.headers?.user_type?.toString?.() || "regular",
-            };
-        }
-        const isAdmin = process.env.NODE_ENV === "admin" ||
-            hostname?.split?.(":")?.shift?.() === config.adminDomain ||
-            config.admin ||
-            hostname?.startsWith?.("admin");
-        const isPublic = Array.isArray(policy)
-            ? policy.includes("public")
-            : policy === "L0";
-        // if 2factor is enabled globally + for user and secondFactorPassed not true => redirect to 2factor login page
-        const { secondFactorPassed, passport = {} } = req.session || {}; // base login +
-        if (!passport.user?.uid &&
-            (config.auth?.disable || config.auth?.user) &&
-            !isPublic) {
-            req.session = req.session || {};
-            req.session.passport = req.session.passport || {}; // ensure passport session exists
-            req.session.passport.user = {
-                ...(config.auth?.user || {}),
-                uid: config.auth?.user?.uid?.toString?.() || "1",
-                user_rnokpp: config.auth?.user?.rnokpp,
-                user_type: config.auth?.user?.type || "regular",
-            };
-            req.user = req.session.passport.user;
-        }
-        // ! intentional: null || undefined > undefined
-        req.user = req.user || req.session?.passport?.user || undefined; // fix for user.uid errors, by default user is null, while with express passport it was {}, unauthorized user does not trigger serializer
-        if (config.trace && false) {
-            console.log("req.user?.uid", req.user?.uid, "req.session?.passport?.user?.uid", req.session?.passport?.user?.uid, "config.auth", config.auth);
-        }
-        // currently 2factor + auth with passwd file not supported
-        const ispasswd = (existsSync("passwd") && !config.auth?.["2factor"]) ||
-            config.auth?.passwd;
-        if (!passport.user?.uid &&
-            !config.auth?.disable &&
-            isAdmin &&
-            !isPublic &&
-            !config.auth?.disableRedirect &&
-            !req.url.startsWith(prefix) &&
-            !req.url.startsWith("/api") &&
-            !req.url.startsWith("/login") &&
-            !req.url.includes('.') &&
-            !req.url.includes('@')) {
-            return reply.redirect(`${config?.auth?.redirect || "/login"}` + `?redirect=${req.url}`);
-        }
-        // by default, disable 2factor for id.gov.ua auth
-        const check = passport.user?.auth_type === "govid"
-            ? config.auth?.["2factor"]?.govid
-            : true;
-        if (passport.user?.uid &&
-            passport.user?.twofa &&
-            config.auth?.["2factor"] &&
-            !isPublic &&
-            (routeOptions?.method || "GET") === "GET" &&
-            !secondFactorPassed &&
-            !ispasswd &&
-            check) {
-            const href = config.auth?.["2factorRedirect"] || "/2factor";
-            if (!href.includes(req.url)) {
-                return reply.redirect(href);
-            }
-        }
-        return null;
-    });
+    fastify.addHook("onRequest", onRequest);
 }
 export default plugin;

package/dist/server/routes/auth/controllers/2factor/qrcode.d.ts

@@ -0,0 +1,4 @@
+import { FastifyReply } from "fastify";
+import { ExtendedRequest } from "../../../../types/core.js";
+export default function qrCode(req: ExtendedRequest, reply: FastifyReply): Promise<never>;
+//# sourceMappingURL=qrcode.d.ts.map

package/dist/server/routes/auth/controllers/2factor/qrcode.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"qrcode.d.ts","sourceRoot":"","sources":["../../../../../../server/routes/auth/controllers/2factor/qrcode.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAa5D,wBAA8B,MAAM,CAClC,GAAG,EAAE,eAAe,EACpB,KAAK,EAAE,YAAY,kBAsDpB"}

package/dist/server/routes/auth/controllers/2factor/qrcode.js

@@ -0,0 +1,48 @@
+import qr from "qrcode";
+import config from "../../../../../config.js";
+import pgClients from "../../../../plugins/pg/pgClients.js";
+import { getSecret, generate } from "./providers/totp.js";
+const headers = {
+    "Content-Type": "image/png",
+};
+export default async function qrCode(req, reply) {
+    const { pg = pgClients.client } = req;
+    const { uid } = req.session?.passport?.user || {};
+    if (!uid) {
+        return reply.status(401).send({ error: "unauthorized", code: 401 });
+    }
+    if (!pg || !pg?.pk?.["admin.users"] || !pg?.pk?.["admin.users_social_auth"]) {
+        return reply.status(400).send({
+            error: "db connection / users/users_social_auth tables are required",
+            code: 400,
+        });
+    }
+    const userExists = await pg
+        .query(`select uid from admin.users where uid=$1`, [uid])
+        .then((el) => el.rows?.[0]?.uid);
+    if (!userExists && config.pg) {
+        return reply.status(404).send({ error: "invalid user", code: 404 });
+    }
+    const { enabled, secret } = pg
+        ? await getSecret({ pg, TYPE: "TOTP", uid })
+        : {};
+    const otp = secret
+        ? await pg
+            .query(`select social_auth_url
+  from admin.users_social_auth where uid=$1 and social_auth_type=$2`, [uid, "TOTP"])
+            ?.then((el) => el.rows?.[0]?.social_auth_url)
+        : await generate({ uid, pg });
+    const base64 = otp ? await qr.toDataURL(otp) : undefined;
+    if (enabled && !config.local && !config.debug) {
+        return reply
+            .status(400)
+            .send({ error: "2factor already enabled", code: 400 });
+    }
+    if (!otp || !base64) {
+        return reply.status(500).send({ error: "generation error", code: 500 });
+    }
+    // substring to exclude data:image/png;base64,
+    return reply
+        .headers(headers)
+        .send(Buffer.from(base64.substring(22), "base64"));
+}

package/dist/server/routes/auth/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../server/routes/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAiC1C,iBAAe,MAAM,CAAC,GAAG,EAAE,eAAe,EAAE,GAAG,GAAE,GAAQ,iBA4ExD;AAED,eAAe,MAAM,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../server/routes/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAkC1C,iBAAe,MAAM,CAAC,GAAG,EAAE,eAAe,EAAE,GAAG,GAAE,GAAQ,iBA8ExD;AAED,eAAe,MAAM,CAAC"}

package/dist/server/routes/auth/index.js

@@ -18,6 +18,7 @@ import login2faTemplate from "./controllers/page/login2faTemplate.js";
 // jwt
 import oauthAuthorize from "./controllers/jwt/authorize.js";
 import oauthToken from "./controllers/jwt/token.js";
+import qrCode from "./controllers/2factor/qrcode.js";
 const params = { config: { policy: "L0" } };
 async function plugin(app, opt = {}) {
     if (opt.routes === false || config.auth?.customRoutes) {
@@ -70,6 +71,9 @@ async function plugin(app, opt = {}) {
         !config.auth?.customGovId) {
         app.get("/auth/by_data", params, authByData);
     }
+    if (!app.hasRoute({ method: "GET", url: "/2factor/qr" })) {
+        app.get("/2factor/qr", params, qrCode);
+    }
     // pages
     if (!app.hasRoute({ method: "GET", url: "/2factor" }) &&
         !config.auth?.disable &&

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@opengis/fastify-table",
-  "version": "2.0.56",
+  "version": "2.0.58",
   "type": "module",
   "description": "core-plugins",
   "keywords": [