@opengis/fastify-table 2.0.90 → 2.0.92
- package/dist/server/plugins/auth/funcs/authorizeUser.js +1 -1
- package/dist/server/plugins/auth/index.d.ts.map +1 -1
- package/dist/server/plugins/auth/index.js +21 -5
- package/dist/server/plugins/policy/funcs/checkPolicy.d.ts.map +1 -1
- package/dist/server/plugins/policy/funcs/checkPolicy.js +16 -10
- package/dist/server/routes/table/functions/getData.d.ts.map +1 -1
- package/dist/server/routes/table/functions/getData.js +6 -3
- package/package.json +1 -1
|
@@ -101,7 +101,7 @@ export default async function authorizeUser(user, req, authType = "creds-user",
|
|
|
101
101
|
// by default, disable 2factor for id.gov.ua auth
|
|
102
102
|
const check = authType === "govid" ? config.auth?.["2factor"]?.govid : true;
|
|
103
103
|
if (user?.twofa && check) {
|
|
104
|
-
return ("/2factor?redirect
|
|
104
|
+
return (`${config.auth?.link?.["2fa"]?.login || "/2factor"}?redirect=` +
|
|
105
105
|
(href ||
|
|
106
106
|
config.auth?.redirectAfter ||
|
|
107
107
|
(redirectUrl.startsWith("/") ? redirectUrl : "/")));
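Review bot: The redirect target assembled on the new line is still an open-redirect candidate: the only validation is the unchanged `redirectUrl.startsWith("/")`, which accepts protocol-relative values such as `//evil.example`, and the `href` and `config.auth?.redirectAfter` alternatives that take precedence over it are appended with no check at all. If `href` can originate from the request (it is bound outside this hunk, so I cannot confirm), apply the same rule to it, and tighten the rule to `redirectUrl.startsWith("/") && !redirectUrl.startsWith("//")`. The chosen target is also concatenated into the query string unencoded; wrapping it in `encodeURIComponent(...)` keeps a target containing `&` or `#` from smuggling extra parameters into the 2FA page. authorizeUser begins before this hunk.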
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../server/plugins/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAYxD,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAMtD,wBAAsB,SAAS,CAAC,GAAG,EAAE,eAAe,EAAE,KAAK,EAAE,YAAY,
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../server/plugins/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAYxD,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAMtD,wBAAsB,SAAS,CAAC,GAAG,EAAE,eAAe,EAAE,KAAK,EAAE,YAAY,iBA+HxE;AAED,iBAAS,MAAM,CAAC,OAAO,EAAE,eAAe,QAgCvC;AAED,eAAe,MAAM,CAAC"}
|
|
@@ -9,7 +9,13 @@ const fastifyPassport = new Authenticator();
|
|
|
9
9
|
const { prefix = "/api" } = config;
|
|
10
10
|
export async function onRequest(req, reply) {
|
|
11
11
|
const { hostname, headers, routeOptions } = req;
|
|
12
|
-
const {
|
|
12
|
+
const { config: routeConfig, method, handler, url } = routeOptions || {};
|
|
13
|
+
const { policy } = routeConfig;
|
|
14
|
+
const isApi = method && url && typeof handler === "function" && url !== "*";
|
|
15
|
+
// handle non-api at vite/vike
|
|
16
|
+
if (!isApi) {
|
|
17
|
+
return null;
|
|
18
|
+
}
|
|
13
19
|
// proxy from old apps to editor, bi etc.
|
|
14
20
|
const validToken = (req.ip === "193.239.152.181" ||
|
|
15
21
|
req.ip === "127.0.0.1" ||
|
|
@@ -59,6 +65,9 @@ export async function onRequest(req, reply) {
|
|
|
59
65
|
!req.url.includes(loginPageUrl) &&
|
|
60
66
|
!req.url.includes(".") &&
|
|
61
67
|
!req.url.includes("@")) {
|
|
68
|
+
if (isApi) {
|
|
69
|
+
return reply.status(401).send({ error: "unauthorized", code: 401 });
|
|
70
|
+
}
|
|
62
71
|
return reply.redirect(`${loginPageUrl}` + `?redirect=${req.url}`);
|
|
63
72
|
}
|
|
64
73
|
// by default, disable 2factor for id.gov.ua auth
|
|
@@ -79,17 +88,24 @@ export async function onRequest(req, reply) {
|
|
|
79
88
|
if (req.user?.uid &&
|
|
80
89
|
req.user?.twofa &&
|
|
81
90
|
// config.auth?.["2factor"] &&
|
|
82
|
-
!isPublic &&
|
|
91
|
+
// !isPublic &&
|
|
83
92
|
(routeOptions?.method || "GET") === "GET" &&
|
|
84
93
|
!req.session?.secondFactorPassed &&
|
|
85
94
|
!ispasswd &&
|
|
86
95
|
!config.auth?.disableRedirect &&
|
|
87
96
|
!config.auth?.disable &&
|
|
88
97
|
check &&
|
|
89
|
-
checkEnv()
|
|
90
|
-
|
|
91
|
-
|
|
98
|
+
checkEnv() &&
|
|
99
|
+
!req.url.startsWith(login2faPage) &&
|
|
100
|
+
!routeOptions.url?.includes?.("/logout") &&
|
|
101
|
+
!routeOptions.url?.includes?.("/2fa") &&
|
|
102
|
+
!routeOptions.url?.includes?.("/assets")) {
|
|
103
|
+
if (isApi) {
|
|
104
|
+
return reply
|
|
105
|
+
.status(403)
|
|
106
|
+
.send({ error: "access restricted: twofa", code: 403 });
|
|
92
107
|
}
|
|
108
|
+
return reply.redirect(login2faPage);
|
|
93
109
|
}
|
|
94
110
|
return null;
|
|
95
111
|
}
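Review bot: The new `isApi` 403 branch in the last hunk only fires for GET requests, because the unchanged `(routeOptions?.method || "GET") === "GET"` term is still part of the gate, so a logged-in user who has not passed the second factor can still call POST/PUT/DELETE API routes. If that method restriction exists to keep the browser redirect away from XHR calls, move it into the non-API branch so the 403 applies to every method. The three new exemptions are substring matches on `routeOptions.url`, so any route whose pattern contains `/2fa`, `/logout` or `/assets` anywhere is exempt; anchor them instead, e.g. `!routeOptions.url?.startsWith?.(`${prefix}/2fa`)`, since `prefix` is already in scope. Commenting out `!isPublic` widens the gate to public routes, which may be intended but deserves a comment such as `// 2FA is enforced on public routes too; only the exemptions below bypass it`. onRequest starts in the first hunk of this file, where the new `const { policy } = routeConfig;` would also throw should `routeOptions.config` ever be absent, because the `|| {}` fallback covers only `routeOptions` itself.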
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"checkPolicy.d.ts","sourceRoot":"","sources":["../../../../../server/plugins/policy/funcs/checkPolicy.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAE5C,OAAO,KAAK,EAEV,eAAe,EAEhB,MAAM,wBAAwB,CAAC;AAKhC,MAAM,CAAC,OAAO,UAAU,WAAW,CAAC,GAAG,EAAE,eAAe,EAAE,KAAK,EAAE,YAAY,
|
|
1
|
+
{"version":3,"file":"checkPolicy.d.ts","sourceRoot":"","sources":["../../../../../server/plugins/policy/funcs/checkPolicy.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAE5C,OAAO,KAAK,EAEV,eAAe,EAEhB,MAAM,wBAAwB,CAAC;AAKhC,MAAM,CAAC,OAAO,UAAU,WAAW,CAAC,GAAG,EAAE,eAAe,EAAE,KAAK,EAAE,YAAY,oSAwL5E"}
|
|
@@ -9,8 +9,11 @@ export default function checkPolicy(req, reply) {
|
|
|
9
9
|
user?.user_type !== "viewer") {
|
|
10
10
|
return null;
|
|
11
11
|
}
|
|
12
|
-
// ! skip non-API Requests
|
|
13
|
-
const isApi = routeOptions.method &&
|
|
12
|
+
// ! skip non-API Requests, handle with vite/vike
|
|
13
|
+
const isApi = routeOptions.method &&
|
|
14
|
+
routeOptions.url &&
|
|
15
|
+
typeof routeOptions.handler === "function" &&
|
|
16
|
+
routeOptions.url !== "*";
|
|
14
17
|
if (!isApi) {
|
|
15
18
|
return null;
|
|
16
19
|
}
|
|
@@ -42,7 +45,7 @@ export default function checkPolicy(req, reply) {
|
|
|
42
45
|
method,
|
|
43
46
|
userRole: user.user_type,
|
|
44
47
|
});
|
|
45
|
-
return reply.status(403).send("access restricted: 0");
|
|
48
|
+
return reply.status(403).send({ error: "access restricted: 0", code: 403 });
|
|
46
49
|
}
|
|
47
50
|
// ! role
|
|
48
51
|
if (isRole) {
|
|
@@ -56,7 +59,7 @@ export default function checkPolicy(req, reply) {
|
|
|
56
59
|
body,
|
|
57
60
|
uid: user?.uid,
|
|
58
61
|
});
|
|
59
|
-
return reply.status(403).send("access restricted: 0");
|
|
62
|
+
return reply.status(403).send({ error: "access restricted: 0", code: 403 });
|
|
60
63
|
}
|
|
61
64
|
// ! file injection
|
|
62
65
|
if (JSON.stringify(params || {})?.includes("../") ||
|
|
@@ -70,7 +73,7 @@ export default function checkPolicy(req, reply) {
|
|
|
70
73
|
body,
|
|
71
74
|
uid: user?.uid,
|
|
72
75
|
});
|
|
73
|
-
return reply.status(
|
|
76
|
+
return reply.status(409).send({ error: "access restricted: 1", code: 409 });
|
|
74
77
|
}
|
|
75
78
|
// ! invalid file extension
|
|
76
79
|
if (path.includes("files/") && allowExtPublic.includes(ext)) {
|
|
@@ -88,7 +91,7 @@ export default function checkPolicy(req, reply) {
|
|
|
88
91
|
stopWords,
|
|
89
92
|
uid: user?.uid,
|
|
90
93
|
});
|
|
91
|
-
return reply.status(
|
|
94
|
+
return reply.status(409).send({ error: "access restricted: 2", code: 409 });
|
|
92
95
|
}
|
|
93
96
|
// ! user required, but not logged in
|
|
94
97
|
if (requireUser && !user) {
|
|
@@ -99,7 +102,7 @@ export default function checkPolicy(req, reply) {
|
|
|
99
102
|
query,
|
|
100
103
|
body,
|
|
101
104
|
});
|
|
102
|
-
return reply.status(
|
|
105
|
+
return reply.status(401).send({ error: "access restricted: 3", code: 401 });
|
|
103
106
|
}
|
|
104
107
|
// ! referer
|
|
105
108
|
if (requireReferer && !headers?.referer?.includes?.(hostname)) {
|
|
@@ -111,14 +114,17 @@ export default function checkPolicy(req, reply) {
|
|
|
111
114
|
body,
|
|
112
115
|
uid: user?.uid,
|
|
113
116
|
});
|
|
114
|
-
return reply.status(403).send("access restricted: 4");
|
|
117
|
+
return reply.status(403).send({ error: "access restricted: 4", code: 403 });
|
|
115
118
|
}
|
|
116
119
|
// ! public / token
|
|
117
120
|
if (isPublic || config.debug) {
|
|
118
121
|
return null;
|
|
119
122
|
}
|
|
120
123
|
// ! block any API for admin panel (without authorization)
|
|
121
|
-
if (isAdmin &&
|
|
124
|
+
if (isAdmin &&
|
|
125
|
+
!req.url?.includes?.("/assets") &&
|
|
126
|
+
!config.debug &&
|
|
127
|
+
!user?.uid) {
|
|
122
128
|
logger.file("policy/api", {
|
|
123
129
|
path,
|
|
124
130
|
method,
|
|
@@ -128,7 +134,7 @@ export default function checkPolicy(req, reply) {
|
|
|
128
134
|
message: "access restricted: 6",
|
|
129
135
|
uid: user?.uid,
|
|
130
136
|
});
|
|
131
|
-
return reply.status(403).send("access restricted: 6");
|
|
137
|
+
return reply.status(403).send({ error: "access restricted: 6", code: 403 });
|
|
132
138
|
}
|
|
133
139
|
return null;
|
|
134
140
|
}
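Review bot: The new `!req.url?.includes?.("/assets")` exemption in the admin-panel block is a substring match on the raw request URL, which in Fastify carries the query string, so an unauthenticated request like `/api/admin/users?x=/assets` would appear to skip the `access restricted: 6` check entirely. Match on the path or the route pattern instead, e.g. `!new URL(req.url, "http://localhost").pathname.startsWith("/assets")`, or use `routeOptions.url` as the `isApi` computation in the same function already does. The added `!config.debug` term is dead, since `if (isPublic || config.debug) return null;` a few lines above already returns before it is reached. Switching the 401/403/409 bodies from plain strings to `{ error, code }` objects changes what existing clients receive and is worth a changelog line. checkPolicy begins before the first hunk and its body is spread across several hunks here.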
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"getData.d.ts","sourceRoot":"","sources":["../../../../../server/routes/table/functions/getData.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC5C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AA4DzD,wBAA8B,OAAO,CACnC,EACE,EAAqB,EACrB,MAAM,EACN,KAAK,EACL,EAAE,EACF,OAAY,EACZ,KAAU,EACV,IAAS,EACT,YAAY,EACZ,KAAY,EACZ,UAAU,EACV,OAAO,EAAE,YAAY,EACrB,OAAO,EAAE,YAAY,GACtB,EAAE;IACD,EAAE,EAAE,UAAU,CAAC;IACf,MAAM,CAAC,EAAE;QAAE,EAAE,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;IACxD,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC7B,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC5B,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC1B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,UAAU,CAAC,EAAE,GAAG,EAAE,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;CACpB,EACD,KAAK,EAAE,YAAY,EACnB,MAAM,CAAC,EAAE,GAAG,
|
|
1
|
+
{"version":3,"file":"getData.d.ts","sourceRoot":"","sources":["../../../../../server/routes/table/functions/getData.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC5C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AA4DzD,wBAA8B,OAAO,CACnC,EACE,EAAqB,EACrB,MAAM,EACN,KAAK,EACL,EAAE,EACF,OAAY,EACZ,KAAU,EACV,IAAS,EACT,YAAY,EACZ,KAAY,EACZ,UAAU,EACV,OAAO,EAAE,YAAY,EACrB,OAAO,EAAE,YAAY,GACtB,EAAE;IACD,EAAE,EAAE,UAAU,CAAC;IACf,MAAM,CAAC,EAAE;QAAE,EAAE,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;IACxD,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC7B,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC5B,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC1B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,UAAU,CAAC,EAAE,GAAG,EAAE,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;CACpB,EACD,KAAK,EAAE,YAAY,EACnB,MAAM,CAAC,EAAE,GAAG,gBAg0Bb"}
|
|
@@ -113,11 +113,14 @@ export default async function dataAPI({ pg = pgClients.client, params, table, id
|
|
|
113
113
|
id: objectId,
|
|
114
114
|
user,
|
|
115
115
|
}, pg));
|
|
116
|
-
if (!actions.includes("view") && !config?.local && !called) {
|
|
117
|
-
return reply.status(403).send("access restricted");
|
|
118
|
-
}
|
|
119
116
|
const body = loadTable || hookData || tokenData;
|
|
120
117
|
const { table: table1, columns = [], sql, cardSql, form, meta, sqlColumns, public: ispublic, editable = false, } = loadTable || hookData || tokenData || params || { table };
|
|
118
|
+
if (!ispublic && !user?.uid && !called) {
|
|
119
|
+
return reply.status(401).send({ error: "unauthorized", code: 401 });
|
|
120
|
+
}
|
|
121
|
+
if (!actions.includes("view") && !config?.local && !called) {
|
|
122
|
+
return reply.status(403).send({ error: "access restricted", code: 403 });
|
|
123
|
+
}
|
|
121
124
|
/* const filters = ((body?.filter_list || [])
|
|
122
125
|
.concat(body?.filterInline || [])
|
|
123
126
|
.concat(body?.filterCustom || [])
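Review bot: The new 401 gate reads `ispublic` from `loadTable || hookData || tokenData || params || { table }`, so when no server-side table definition resolves, the `public` flag comes from `params`; if `params` is built from the request (its origin is not visible here), a client could send `public: true` and bypass the check. Read the flag only from the server-side sources, which `body` already holds: `if (!body?.public && !user?.uid && !called)`. The gate is also evaluated after the awaited call that closes at the top of the hunk and appears to compute `actions` from `user` and `objectId`, so that lookup runs for anonymous callers before they are rejected; hoisting the 401 above it would avoid the wasted work. dataAPI begins before this hunk and continues after it.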
|