npm - @opengis/fastify-table - Versions diffs - 2.1.13 → 2.1.15 - Mend

@opengis/fastify-table 2.1.13 → 2.1.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/server/plugins/auth/funcs/jwt.d.ts CHANGED Viewed

@@ -1,7 +1,10 @@
 export declare function scryptHash(code: string): Promise<string>;
 export declare function scryptVerify(stored: string, code: string): Promise<boolean>;
-export declare function sign(uid: string, secret?: any, exp?: number): string;
-export declare function verify(token: string, secret?: any): boolean;
+export declare function sign(uid: string, secret: string, exp: number | undefined, ip: string): string;
+export declare function verify(token: string, secret: string, ip: string): false | {
+    payload: any;
+    header: any;
+};
 declare const _default: null;
 export default _default;
 //# sourceMappingURL=jwt.d.ts.map

package/dist/server/plugins/auth/funcs/jwt.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../../../../server/plugins/auth/funcs/jwt.ts"],"names":[],"mappings":"~~AAkBA~~,wBAAsB,UAAU,CAAC,IAAI,EAAE,MAAM,mBAI5C;AAED,wBAAsB,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,oBAI9D;AAED,wBAAgB,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,~~MAAY~~,EAAE,GAAG,~~SAAQ~~,~~UAoBhE~~;AAED,wBAAgB,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,~~MAAY~~,~~WA2BvD~~;;AAED,wBAAoB"}
1	+ {"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../../../../server/plugins/auth/funcs/jwt.ts"],"names":[],"mappings":"AAmBA,wBAAsB,UAAU,CAAC,IAAI,EAAE,MAAM,mBAI5C;AAED,wBAAsB,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,oBAI9D;AAED,wBAAgB,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,oBAAQ,EAAE,EAAE,EAAE,MAAM,UAsBxE;AAED,wBAAgB,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM;;;EA8B/D;;AAED,wBAAoB"}

package/dist/server/plugins/auth/funcs/jwt.js CHANGED Viewed

@@ -5,7 +5,7 @@ const scryptAsync = util.promisify(scrypt);
 const { jwtSecret = "65450754381cfaf768eeb4bb33326529b48a40ffdb6e15d84dc224dff527166f", } = config.auth || {};
 const jwtHeader = Buffer.from(JSON.stringify({
     alg: "HS256",
-    typ: "JWT",
+    type: "JWT",
 })).toString("base64");
 export async function scryptHash(code) {
     const salt = randomBytes(16).toString("hex");
@@ -17,42 +17,45 @@ export async function scryptVerify(stored, code) {
     const derived = (await scryptAsync(code, salt, 64));
     return keyHex === derived.toString("hex");
 }
-export function sign(uid, secret = jwtSecret, exp = 90000) {
+export function sign(uid, secret, exp = 90000, ip) {
     if (typeof uid !== "string")
         throw new Error("uid must be a string");
-    if (secret && typeof secret !== "string")
+    if (secret && typeof secret !== "string") {
         throw new Error("secret must be a string");
+    }
     if (typeof exp !== "number")
         throw new Error("exp must be a number");
     const jwtPayload = Buffer.from(JSON.stringify({
+        ip,
         uid,
-        exp,
+        expires: Date.now() + exp,
         created: Date.now(),
     })).toString("base64");
     const jwtEncrypted = [jwtHeader, jwtPayload].join(".");
-    const signature = createHmac("sha256", secret)
+    const signature = createHmac("sha256", secret || jwtSecret)
         .update(jwtEncrypted)
         .digest("base64");
     return `${jwtEncrypted}.${signature}`;
 }
-export function verify(token, secret = jwtSecret) {
+export function verify(token, secret, ip) {
     if (!token)
         throw new Error("not enough params: token");
-    if (!secret)
+    if (secret && typeof secret !== "string") {
         throw new Error("not enough params: secret");
+    }
     const split = token.split(".");
     const signature = split[2];
     try {
         const header = JSON.parse(Buffer.from(split[0], "base64").toString());
         const payload = JSON.parse(Buffer.from(split[1], "base64").toString());
-        const jwtHeader = Buffer.from(JSON.stringify(header)).toString("base64");
-        const jwtPayload = Buffer.from(JSON.stringify(payload)).toString("base64");
-        const jwtEncryptedExpected = [jwtHeader, jwtPayload].join(".");
-        const expectedSignature = createHmac("sha256", secret)
+        const jwtEncryptedExpected = [split[0], split[1]].join(".");
+        const expectedSignature = createHmac("sha256", secret || jwtSecret)
             .update(jwtEncryptedExpected)
             .digest("base64");
-        if (signature === expectedSignature) {
-            return true;
+        if (signature === expectedSignature &&
+            payload.expires > Date.now() &&
+            payload.ip === ip) {
+            return { payload, header };
         }
         return false;
     }

package/dist/server/plugins/policy/funcs/checkPermissions.js CHANGED Viewed

@@ -21,7 +21,7 @@ export default async function checkPermissions(req) {
         permissions?.length &&
         permissions.length ===
             permissions.filter(([key, value]) => userPermissions[key]?.includes(value)).length;
-    if (!havePermission) {
+    if (!user?.user_type?.includes?.("admin") && !havePermission) {
         logger.file("policy/permissions", {
             path,
             method,

package/dist/server/routes/auth/controllers/jwt/authorize.js CHANGED Viewed

@@ -52,10 +52,10 @@ export default async function authorize(req, reply) {
         return reply.code(404).send({ error: "user not found", code: 404 });
     }
     const href1 = await authorizeUser(user, req, "jwt", expireMsec);
+    const ip = getIp(req);
     // Generate authorization code
-    const code = sign(userId, secret, expireMsec);
+    const code = sign(userId, secret, expireMsec, ip);
     const tokenHash = await scryptHash(code);
-    const ip = getIp(req);
     // disable access via old tokens
     if (pg.pk?.["oauth.tokens"]) {
         await pg.query("update oauth.tokens set revoked_at = now(), revocation_reason='refresh' where client_id=$1", [client_id]);

package/dist/server/routes/auth/controllers/jwt/token.js CHANGED Viewed

@@ -32,10 +32,10 @@ export default async function oauthToken(req, reply) {
             .query(q, [client_id, "private_key_jwt"])
             .then((el) => el.rows?.[0] || {})
         : {};
-    const isCodeValid = verify(code, secret);
+    const ip = getIp(req);
+    const isCodeValid = verify(code, secret, ip);
     const q1 = "select token_hash, expires_at, ip from oauth.tokens where client_id=$1 and revoked_at is null and expires_at > now()";
     const { token_hash: stored, expires_at, ip: storedIp, } = await pg.query(q1, [client_id]).then((el) => el.rows?.[0] || {});
-    const ip = getIp(req);
     if (storedIp !== ip) {
         return reply
             .code(403)

package/dist/server/routes/table/functions/getData.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"getData.d.ts","sourceRoot":"","sources":["../../../../../server/routes/table/functions/getData.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC5C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AAkFzD,wBAA8B,OAAO,CACnC,EACE,EAAqB,EACrB,MAAM,EACN,KAAK,EACL,EAAE,EACF,OAAY,EACZ,KAAU,EACV,IAAS,EACT,YAAY,EACZ,YAAY,EACZ,KAAY,EACZ,UAAU,EACV,OAAO,EAAE,YAAY,EACrB,WAAW,EAAE,gBAAgB,EAC7B,OAAO,EAAE,YAAY,EACrB,QAAgB,GACjB,EAAE;IACD,EAAE,CAAC,EAAE,UAAU,CAAC;IAChB,MAAM,CAAC,EAAE;QAAE,EAAE,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;IACxD,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC9B,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC5B,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC3B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,UAAU,CAAC,EAAE,GAAG,EAAE,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB,EACD,MAAM,CAAC,EAAE,YAAY,EACrB,MAAM,CAAC,EAAE,GAAG,~~gBA42Bb~~"}
1	+ {"version":3,"file":"getData.d.ts","sourceRoot":"","sources":["../../../../../server/routes/table/functions/getData.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC5C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AAkFzD,wBAA8B,OAAO,CACnC,EACE,EAAqB,EACrB,MAAM,EACN,KAAK,EACL,EAAE,EACF,OAAY,EACZ,KAAU,EACV,IAAS,EACT,YAAY,EACZ,YAAY,EACZ,KAAY,EACZ,UAAU,EACV,OAAO,EAAE,YAAY,EACrB,WAAW,EAAE,gBAAgB,EAC7B,OAAO,EAAE,YAAY,EACrB,QAAgB,GACjB,EAAE;IACD,EAAE,CAAC,EAAE,UAAU,CAAC;IAChB,MAAM,CAAC,EAAE;QAAE,EAAE,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;IACxD,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC9B,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC5B,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC3B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,UAAU,CAAC,EAAE,GAAG,EAAE,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB,EACD,MAAM,CAAC,EAAE,YAAY,EACrB,MAAM,CAAC,EAAE,GAAG,gBAk3Bb"}

package/dist/server/routes/table/functions/getData.js CHANGED Viewed

@@ -163,7 +163,11 @@ export default async function dataAPI({ pg = pgClients.client, params, table, id
         tokenData?.public ||
         params?.public ||
         false;
-    if (!ispublic && !user?.uid && !called) {
+    if (!ispublic &&
+        !user?.uid &&
+        !called &&
+        !accessQueryParam &&
+        !actionsParam) {
         return reply.status(401).send({ error: "unauthorized", code: 401 });
     }
     if (!ispublic && !actions.includes("view") && !config?.local && !called) {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@opengis/fastify-table",
-  "version": "2.1.13",
+  "version": "2.1.15",
   "type": "module",
   "description": "core-plugins",
   "keywords": [