@opengis/fastify-table 2.0.91 → 2.0.92

package/dist/server/plugins/auth/funcs/authorizeUser.js

@@ -101,7 +101,7 @@ export default async function authorizeUser(user, req, authType = "creds-user",
     // by default, disable 2factor for id.gov.ua auth
     const check = authType === "govid" ? config.auth?.["2factor"]?.govid : true;
     if (user?.twofa && check) {
-        return ("/2factor?redirect=" +
+        return (`${config.auth?.link?.["2fa"]?.login || "/2factor"}?redirect=` +
             (href ||
                 config.auth?.redirectAfter ||
                 (redirectUrl.startsWith("/") ? redirectUrl : "/")));

package/dist/server/plugins/auth/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../server/plugins/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAYxD,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAMtD,wBAAsB,SAAS,CAAC,GAAG,EAAE,eAAe,EAAE,KAAK,EAAE,YAAY,iBA8GxE;AAED,iBAAS,MAAM,CAAC,OAAO,EAAE,eAAe,QAgCvC;AAED,eAAe,MAAM,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../server/plugins/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAYxD,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAMtD,wBAAsB,SAAS,CAAC,GAAG,EAAE,eAAe,EAAE,KAAK,EAAE,YAAY,iBA+HxE;AAED,iBAAS,MAAM,CAAC,OAAO,EAAE,eAAe,QAgCvC;AAED,eAAe,MAAM,CAAC"}

package/dist/server/plugins/auth/index.js

@@ -9,7 +9,13 @@ const fastifyPassport = new Authenticator();
 const { prefix = "/api" } = config;
 export async function onRequest(req, reply) {
     const { hostname, headers, routeOptions } = req;
-    const { policy = [] } = routeOptions?.config || {};
+    const { config: routeConfig, method, handler, url } = routeOptions || {};
+    const { policy } = routeConfig;
+    const isApi = method && url && typeof handler === "function" && url !== "*";
+    // handle non-api at vite/vike
+    if (!isApi) {
+        return null;
+    }
     // proxy from old apps to editor, bi etc.
     const validToken = (req.ip === "193.239.152.181" ||
         req.ip === "127.0.0.1" ||
@@ -59,6 +65,9 @@ export async function onRequest(req, reply) {
         !req.url.includes(loginPageUrl) &&
         !req.url.includes(".") &&
         !req.url.includes("@")) {
+        if (isApi) {
+            return reply.status(401).send({ error: "unauthorized", code: 401 });
+        }
         return reply.redirect(`${loginPageUrl}` + `?redirect=${req.url}`);
     }
     // by default, disable 2factor for id.gov.ua auth
@@ -79,17 +88,24 @@ export async function onRequest(req, reply) {
     if (req.user?.uid &&
         req.user?.twofa &&
         // config.auth?.["2factor"] &&
-        !isPublic &&
+        // !isPublic &&
         (routeOptions?.method || "GET") === "GET" &&
         !req.session?.secondFactorPassed &&
         !ispasswd &&
         !config.auth?.disableRedirect &&
         !config.auth?.disable &&
         check &&
-        checkEnv()) {
-        if (!req.url.startsWith(login2faPage)) {
-            return reply.redirect(login2faPage);
+        checkEnv() &&
+        !req.url.startsWith(login2faPage) &&
+        !routeOptions.url?.includes?.("/logout") &&
+        !routeOptions.url?.includes?.("/2fa") &&
+        !routeOptions.url?.includes?.("/assets")) {
+        if (isApi) {
+            return reply
+                .status(403)
+                .send({ error: "access restricted: twofa", code: 403 });
         }
+        return reply.redirect(login2faPage);
     }
     return null;
 }

package/dist/server/plugins/policy/funcs/checkPolicy.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"checkPolicy.d.ts","sourceRoot":"","sources":["../../../../../server/plugins/policy/funcs/checkPolicy.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAE5C,OAAO,KAAK,EAEV,eAAe,EAEhB,MAAM,wBAAwB,CAAC;AAKhC,MAAM,CAAC,OAAO,UAAU,WAAW,CAAC,GAAG,EAAE,eAAe,EAAE,KAAK,EAAE,YAAY,oSA+K5E"}
+{"version":3,"file":"checkPolicy.d.ts","sourceRoot":"","sources":["../../../../../server/plugins/policy/funcs/checkPolicy.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAE5C,OAAO,KAAK,EAEV,eAAe,EAEhB,MAAM,wBAAwB,CAAC;AAKhC,MAAM,CAAC,OAAO,UAAU,WAAW,CAAC,GAAG,EAAE,eAAe,EAAE,KAAK,EAAE,YAAY,oSAwL5E"}

package/dist/server/plugins/policy/funcs/checkPolicy.js

@@ -9,8 +9,11 @@ export default function checkPolicy(req, reply) {
         user?.user_type !== "viewer") {
         return null;
     }
-    // ! skip non-API Requests
-    const isApi = routeOptions.method && routeOptions.url && routeOptions.handler;
+    // ! skip non-API Requests, handle with vite/vike
+    const isApi = routeOptions.method &&
+        routeOptions.url &&
+        typeof routeOptions.handler === "function" &&
+        routeOptions.url !== "*";
     if (!isApi) {
         return null;
     }
@@ -42,7 +45,7 @@ export default function checkPolicy(req, reply) {
             method,
             userRole: user.user_type,
         });
-        return reply.status(403).send("access restricted: 0");
+        return reply.status(403).send({ error: "access restricted: 0", code: 403 });
     }
     // ! role
     if (isRole) {
@@ -56,7 +59,7 @@ export default function checkPolicy(req, reply) {
             body,
             uid: user?.uid,
         });
-        return reply.status(403).send("access restricted: 0");
+        return reply.status(403).send({ error: "access restricted: 0", code: 403 });
     }
     // ! file injection
     if (JSON.stringify(params || {})?.includes("../") ||
@@ -70,7 +73,7 @@ export default function checkPolicy(req, reply) {
             body,
             uid: user?.uid,
         });
-        return reply.status(403).send("access restricted: 1");
+        return reply.status(409).send({ error: "access restricted: 1", code: 409 });
     }
     // ! invalid file extension
     if (path.includes("files/") && allowExtPublic.includes(ext)) {
@@ -88,7 +91,7 @@ export default function checkPolicy(req, reply) {
             stopWords,
             uid: user?.uid,
         });
-        return reply.status(403).send("access restricted: 2");
+        return reply.status(409).send({ error: "access restricted: 2", code: 409 });
     }
     // ! user required, but not logged in
     if (requireUser && !user) {
@@ -99,7 +102,7 @@ export default function checkPolicy(req, reply) {
             query,
             body,
         });
-        return reply.status(403).send("access restricted: 3");
+        return reply.status(401).send({ error: "access restricted: 3", code: 401 });
     }
     // ! referer
     if (requireReferer && !headers?.referer?.includes?.(hostname)) {
@@ -111,14 +114,17 @@ export default function checkPolicy(req, reply) {
             body,
             uid: user?.uid,
         });
-        return reply.status(403).send("access restricted: 4");
+        return reply.status(403).send({ error: "access restricted: 4", code: 403 });
     }
     // ! public / token
     if (isPublic || config.debug) {
         return null;
     }
     // ! block any API for admin panel (without authorization)
-    if (isAdmin && !config.debug && !user?.uid) {
+    if (isAdmin &&
+        !req.url?.includes?.("/assets") &&
+        !config.debug &&
+        !user?.uid) {
         logger.file("policy/api", {
             path,
             method,
@@ -128,7 +134,7 @@ export default function checkPolicy(req, reply) {
             message: "access restricted: 6",
             uid: user?.uid,
         });
-        return reply.status(403).send("access restricted: 6");
+        return reply.status(403).send({ error: "access restricted: 6", code: 403 });
     }
     return null;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@opengis/fastify-table",
-  "version": "2.0.91",
+  "version": "2.0.92",
   "type": "module",
   "description": "core-plugins",
   "keywords": [