@opengis/fastify-table 2.1.19 → 2.2.0

package/dist/helper.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"helper.d.ts","sourceRoot":"","sources":["../helper.ts"],"names":[],"mappings":"AAGA,OAAO,MAAM,MAAM,aAAa,CAAC;AAGjC,OAAO,EAAE,SAAS,EAAkB,MAAM,YAAY,CAAC;AAEvD,QAAA,MAAQ,MAAM,KAAoB,CAAC;AAInC,wBAAsB,KAAK,kBAI1B;AAGD,wBAAsB,QAAQ,kBAW7B;AAED,wBAAsB,KAAK,iBAU1B;AAED,OAAO,EAEL,MAAM,EACN,MAAM,EACN,SAAS,GACV,CAAC"}
+{"version":3,"file":"helper.d.ts","sourceRoot":"","sources":["../helper.ts"],"names":[],"mappings":"AAGA,OAAO,MAAM,MAAM,aAAa,CAAC;AAGjC,OAAO,EAAE,SAAS,EAAkB,MAAM,YAAY,CAAC;AAEvD,QAAA,MAAQ,MAAM,KAAoB,CAAC;AAInC,wBAAsB,KAAK,kBAI1B;AAGD,wBAAsB,QAAQ,kBAW7B;AAED,wBAAsB,KAAK,iBAyB1B;AAED,OAAO,EAEL,MAAM,EACN,MAAM,EACN,SAAS,GACV,CAAC"}

package/dist/helper.js

@@ -23,6 +23,9 @@ export async function build() {
     if (!app) {
         app = Fastify({ logger: false });
         app.register(appService, config);
+        app.get("/jwt-scoped", { config: { auth: "user-jwt", scope: "sumdu" } }, (req) => req.headers.authorization);
+        app.get("/jwt-scoped2", { config: { auth: "user-jwt", scope: "dzk" } }, (req) => req.headers.authorization);
+        app.get("/jwt-unscoped", { config: { auth: "user-jwt" } }, (req) => req.headers.authorization);
         app.addHook("onRequest", async (req) => {
             req.user = req.user || { uid: "1", user_type: "admin" };
         });

package/dist/server/migrations/oauth.sql

@@ -0,0 +1,80 @@
+CREATE schema if not exists oauth;
+
+CREATE TABLE if not exists oauth.clients (
+  client_id              text PRIMARY KEY DEFAULT next_id(),   -- ID клієнта (публічний ідентифікатор)
+  client_secret_hash     text,                                 -- Хеш секрету (NULL для public-клієнтів)
+  name                   text NOT NULL,                        -- Назва застосунку
+  type                   text NOT NULL CHECK (type IN ('public','confidential')),
+  token_endpoint_auth_method text NOT NULL CHECK (token_endpoint_auth_method IN ('client_secret_basic','client_secret_post','private_key_jwt','none')),
+  owner_user_id          text,                                 -- Власник/адміністратор клієнта (посилання на users.id or other id)
+
+  redirect_uris          text[],         					   -- Дозволені redirect_uri  
+  grant_types            text[]  CHECK (case when grant_types is not null then grant_types <@ ARRAY['authorization_code','refresh_token','client_credentials','device_code']::text[] else true end),
+  require_pkce           boolean NOT NULL DEFAULT true,
+  scopes         text[],  
+  allowed_cors_origins   text[],
+  jwks                   jsonb,                                -- Вбудований JWK Set (опційно)  
+
+  created_at             timestamptz NOT NULL DEFAULT now(),
+  updated_at             timestamptz NOT NULL DEFAULT now(),
+  allowed_ips            text[]
+);
+
+CREATE TABLE if not exists oauth.tokens (
+  id                     text PRIMARY KEY DEFAULT next_id(),
+  token_type             text NOT NULL CHECK (token_type IN ('access','refresh')),
+  token_hash             text NOT NULL UNIQUE,                  -- Argon2/bcrypt/SCrypt (хеш у застосунку)
+  token_hint             text,                                  -- останні 6-8 символів для діагностики (необов’язково)
+  jti                    text UNIQUE,                           -- JWT ID, якщо токен — JWT
+  client_id              text NOT NULL REFERENCES oauth.clients(client_id) ON DELETE CASCADE,
+  user_id                text,                                  -- NULL для client_credentials    
+  issuer                 text,                                  -- iss
+  scopes                 text[],
+  claims                 jsonb,                                 -- додаткові клейми
+  issued_at              timestamptz NOT NULL DEFAULT now(),
+  expires_at             timestamptz NOT NULL,
+  revoked_at             timestamptz,
+  revocation_reason      text,
+  ip                     inet                                  -- IP видачі/використання (опційно)  
+);
+
+COMMENT ON SCHEMA oauth IS 'Schema for OAuth2 / OpenID Connect clients and tokens';
+
+-- Comments for oauth.clients
+COMMENT ON TABLE oauth.clients IS 'OAuth 2.0 clients (applications) that can request tokens';
+
+COMMENT ON COLUMN oauth.clients.client_id IS 'Client identifier (public ID, generated by next_id())';
+COMMENT ON COLUMN oauth.clients.client_secret_hash IS 'Hashed client secret (NULL for public clients)';
+COMMENT ON COLUMN oauth.clients.name IS 'Name of the application/client';
+COMMENT ON COLUMN oauth.clients.type IS 'Client type: public or confidential';
+COMMENT ON COLUMN oauth.clients.token_endpoint_auth_method IS 'Authentication method at token endpoint (client_secret_basic, client_secret_post, private_key_jwt, none)';
+COMMENT ON COLUMN oauth.clients.owner_user_id IS 'Owner/administrator of the client (reference to users.id or external id)';
+COMMENT ON COLUMN oauth.clients.redirect_uris IS 'Allowed redirect URIs';
+COMMENT ON COLUMN oauth.clients.grant_types IS 'Allowed grant types (authorization_code, refresh_token, client_credentials, device_code)';
+COMMENT ON COLUMN oauth.clients.require_pkce IS 'Whether PKCE is required (default true)';
+COMMENT ON COLUMN oauth.clients.scopes IS 'Allowed OAuth2 scopes';
+COMMENT ON COLUMN oauth.clients.allowed_cors_origins IS 'Allowed CORS origins for browser-based apps';
+COMMENT ON COLUMN oauth.clients.jwks IS 'Embedded JSON Web Key Set (optional)';
+COMMENT ON COLUMN oauth.clients.created_at IS 'Creation timestamp';
+COMMENT ON COLUMN oauth.clients.updated_at IS 'Last update timestamp';
+
+-- Comments for oauth.tokens
+COMMENT ON TABLE oauth.tokens IS 'Issued OAuth 2.0 tokens (access or refresh)';
+
+COMMENT ON COLUMN oauth.tokens.id IS 'Internal token ID (generated by next_id())';
+COMMENT ON COLUMN oauth.tokens.token_type IS 'Type of token: access or refresh';
+COMMENT ON COLUMN oauth.tokens.token_hash IS 'Secure hash of the token (Argon2/bcrypt/SCrypt)';
+COMMENT ON COLUMN oauth.tokens.token_hint IS 'Optional hint (last 6–8 characters of token) for diagnostics';
+COMMENT ON COLUMN oauth.tokens.jti IS 'JWT ID if token is a JWT (unique)';
+COMMENT ON COLUMN oauth.tokens.client_id IS 'Reference to oauth.clients (issuing client)';
+COMMENT ON COLUMN oauth.tokens.user_id IS 'User ID if bound to user (NULL for client_credentials flow)';
+COMMENT ON COLUMN oauth.tokens.issuer IS 'Token issuer (iss claim)';
+COMMENT ON COLUMN oauth.tokens.scopes IS 'Granted OAuth2 scopes for this token';
+COMMENT ON COLUMN oauth.tokens.claims IS 'Additional claims (JSONB)';
+COMMENT ON COLUMN oauth.tokens.issued_at IS 'Timestamp when issued';
+COMMENT ON COLUMN oauth.tokens.expires_at IS 'Timestamp when token expires';
+COMMENT ON COLUMN oauth.tokens.revoked_at IS 'Timestamp when revoked';
+COMMENT ON COLUMN oauth.tokens.revocation_reason IS 'Reason for revocation (if any)';
+COMMENT ON COLUMN oauth.tokens.ip IS 'IP address of issuance/usage (optional)';
+
+alter table oauth.clients add column if not exists allowed_ips text[];

package/dist/server/plugins/auth/funcs/authorizeUser.js

@@ -26,7 +26,7 @@ export default async function authorizeUser(user, req, authType = "creds-user",
     const ip = getIp(req);
     Object.assign(user, { auth_type: authType, ip });
     // fastify/passport
-    await req.login(user);
+    await req.login?.(user);
     const st = (req.body?.keep || req.query?.keep) === "on"
         ? sessionTimeoutKeep
         : sessionTimeout;

package/dist/server/plugins/auth/funcs/jwt.d.ts

@@ -1,9 +1,30 @@
 export declare function scryptHash(code: string): Promise<string>;
 export declare function scryptVerify(stored: string, code: string): Promise<boolean>;
-export declare function sign(uid: string, secret: string, exp: number | undefined, ip: string): string;
-export declare function verify(token: string, secret: string, ip: string): false | {
+export declare function sign(uid: string, secret: string, exp?: number, scopes?: string[]): string;
+export declare function verify(token: string, secret: string, scope?: string): {
+    valid: boolean;
+    error: string;
+    payload?: undefined;
+    header?: undefined;
+    stack?: undefined;
+} | {
+    valid: boolean;
     payload: any;
     header: any;
+    error?: undefined;
+    stack?: undefined;
+} | {
+    valid: boolean;
+    payload: any;
+    header: any;
+    error: string;
+    stack?: undefined;
+} | {
+    valid: boolean;
+    error: any;
+    stack: any;
+    payload?: undefined;
+    header?: undefined;
 };
 declare const _default: null;
 export default _default;

package/dist/server/plugins/auth/funcs/jwt.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../../../../server/plugins/auth/funcs/jwt.ts"],"names":[],"mappings":"AAkBA,wBAAsB,UAAU,CAAC,IAAI,EAAE,MAAM,mBAI5C;AAED,wBAAsB,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,oBAI9D;AAED,wBAAgB,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,oBAAQ,EAAE,EAAE,EAAE,MAAM,UAsBxE;AAED,wBAAgB,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM;;;EA8B/D;;AAED,wBAAoB"}
+{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../../../../server/plugins/auth/funcs/jwt.ts"],"names":[],"mappings":"AAkBA,wBAAsB,UAAU,CAAC,IAAI,EAAE,MAAM,mBAI5C;AAED,wBAAsB,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,oBAI9D;AAED,wBAAgB,IAAI,CAClB,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,MAAM,EACd,GAAG,SAAQ,EACX,MAAM,CAAC,EAAE,MAAM,EAAE,UAuBlB;AAED,wBAAgB,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM;;;;;;;;;;;;;;;;;;;;;;;;EA+CnE;;AAED,wBAAoB"}

package/dist/server/plugins/auth/funcs/jwt.js

@@ -17,7 +17,7 @@ export async function scryptVerify(stored, code) {
     const derived = (await scryptAsync(code, salt, 64));
     return keyHex === derived.toString("hex");
 }
-export function sign(uid, secret, exp = 90000, ip) {
+export function sign(uid, secret, exp = 90000, scopes) {
     if (typeof uid !== "string")
         throw new Error("uid must be a string");
     if (secret && typeof secret !== "string") {
@@ -26,8 +26,8 @@ export function sign(uid, secret, exp = 90000, ip) {
     if (typeof exp !== "number")
         throw new Error("exp must be a number");
     const jwtPayload = Buffer.from(JSON.stringify({
-        ip,
         uid,
+        scopes,
         expires: Date.now() + exp,
         created: Date.now(),
     })).toString("base64");
@@ -37,11 +37,18 @@ export function sign(uid, secret, exp = 90000, ip) {
         .digest("base64");
     return `${jwtEncrypted}.${signature}`;
 }
-export function verify(token, secret, ip) {
-    if (!token)
-        throw new Error("not enough params: token");
+export function verify(token, secret, scope) {
+    if (!token) {
+        return { valid: false, error: "not enough params: token" };
+    }
+    if (typeof token !== "string") {
+        return { valid: false, error: "invalid params: token" };
+    }
     if (secret && typeof secret !== "string") {
-        throw new Error("not enough params: secret");
+        return { valid: false, error: "invalid params: secret" };
+    }
+    if (scope && typeof scope !== "string") {
+        return { valid: false, error: "invalid params: scope" };
     }
     const split = token.split(".");
     const signature = split[2];
@@ -52,15 +59,20 @@ export function verify(token, secret, ip) {
         const expectedSignature = createHmac("sha256", secret || jwtSecret)
             .update(jwtEncryptedExpected)
             .digest("base64");
-        if (signature === expectedSignature &&
-            payload.expires > Date.now() &&
-            payload.ip === ip) {
-            return { payload, header };
+        const isScopeValid = !scope || !payload.scopes || payload.scopes?.includes?.(scope);
+        if (signature === expectedSignature && isScopeValid) {
+            return { valid: true, payload, header };
         }
-        return false;
+        console.log("JWT: invalid token", payload, scope);
+        return {
+            valid: false,
+            payload,
+            header,
+            error: signature !== expectedSignature ? "invalid signature" : "invalid scope",
+        };
     }
     catch (err) {
-        return false;
+        return { valid: false, error: err.toString(), stack: err.stack };
     }
 }
 export default null;

package/dist/server/plugins/policy/funcs/checkJWT.d.ts

@@ -4,9 +4,13 @@ export default function checkJWT(req: ExtendedRequest): Promise<{
     code: number;
     token?: undefined;
     valid?: undefined;
+    payload?: undefined;
+    redirectURIs?: undefined;
 } | {
-    token: string;
+    token: any;
     valid: boolean;
+    payload: any;
+    redirectURIs: any;
     error?: undefined;
     code?: undefined;
 } | null>;

package/dist/server/plugins/policy/funcs/checkJWT.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"checkJWT.d.ts","sourceRoot":"","sources":["../../../../../server/plugins/policy/funcs/checkJWT.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAEV,eAAe,EAEhB,MAAM,wBAAwB,CAAC;AAMhC,wBAA8B,QAAQ,CAAC,GAAG,EAAE,eAAe;;;;;;;;;;UA4D1D"}
+{"version":3,"file":"checkJWT.d.ts","sourceRoot":"","sources":["../../../../../server/plugins/policy/funcs/checkJWT.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAEV,eAAe,EAEhB,MAAM,wBAAwB,CAAC;AAMhC,wBAA8B,QAAQ,CAAC,GAAG,EAAE,eAAe;;;;;;;;;;;;;;UAkG1D"}

package/dist/server/plugins/policy/funcs/checkJWT.js

@@ -1,6 +1,6 @@
 import getIP from "./getIP.js";
 import logger from "../../logger/getLogger.js";
-import { verify } from "../../auth/funcs/jwt.js";
+import { scryptVerify, verify } from "../../auth/funcs/jwt.js";
 export default async function checkJWT(req) {
     const { originalUrl: path, headers, method, routeOptions, pg } = req;
     const ip = getIP(req);
@@ -9,13 +9,16 @@ export default async function checkJWT(req) {
     const requireUser = Array.isArray(policy)
         ? policy.includes("user")
         : ["L1", "L2", "L3"].includes(policy || "");
-    const requireJWT = auth === "user-jwt";
+    const requireJWT = auth === "user-jwt" || req.url === "/oauth/token";
     const user = req.user || req.session?.passport?.user;
     // skip entirely if not required via API config or alternative exists
     if (!requireJWT || (requireUser && user)) {
         return null;
     }
-    const jwtToken = headers.authorization?.split(" ")?.[1];
+    const code = req.body ? req.body.code : req.query.code;
+    const jwtToken = req.url === "/oauth/token" && code
+        ? code
+        : headers.authorization?.split(" ")?.[1];
     // restict access if header is not provided at all
     if (!jwtToken) {
         logger.file("policy/jwt", {
@@ -27,22 +30,51 @@ export default async function checkJWT(req) {
         });
         return { error: "unauthorized", code: 401 };
     }
-    const secret = pg && scope
+    if (!pg) {
+        return { error: "empty pg", code: 400 };
+    }
+    const { clientId, tokenHash, isRevoked, isExpired } = await pg
+        .query('select client_id as "clientId", token_hash as "tokenHash", revoked_at is not null as "isRevoked", expires_at <= now() as "isExpired" from oauth.tokens where ip=$1 and token_hint=$2', [ip, jwtToken.slice(-6)])
+        .then((el) => el.rows?.[0] || {});
+    if (requireJWT && tokenHash && (isExpired || isRevoked)) {
+        logger.file("policy/jwt", {
+            path,
+            method,
+            message: isRevoked ? "token is revoked" : "token is expired",
+            ip,
+            uid: user?.uid,
+        });
+        return { error: "forbidden", code: 403 };
+    }
+    const isValid = await scryptVerify(tokenHash || "", jwtToken);
+    if (requireJWT && !isValid) {
+        logger.file("policy/jwt", {
+            path,
+            method,
+            message: tokenHash ? "scrypt verification failed" : "token not found",
+            ip,
+            uid: user?.uid,
+        });
+        return { error: "forbidden", code: 403 };
+    }
+    const q = `select client_secret_hash as "secret", redirect_uris as "redirectURIs" from oauth.clients where client_id=$1 and token_endpoint_auth_method=$2`;
+    const { secret, redirectURIs } = pg?.pk?.["oauth.clients"]
         ? await pg
-            .query(`select client_secret_hash from oauth.clients where name=$1 and token_endpoint_auth_method=$2`, [scope, "private_key_jwt"])
-            .then((el) => el?.rows?.[0]?.client_secret_hash)
-        : null;
-    const isJWTValid = verify(jwtToken, secret, ip);
+            .query(q, [clientId, "private_key_jwt"])
+            .then((el) => el.rows?.[0] || {})
+        : {};
+    const { valid, error, payload } = verify(jwtToken, secret, scope);
     // restrict access if token is invalid
-    if (requireJWT && !isJWTValid) {
+    if (requireJWT && !valid) {
         logger.file("policy/jwt", {
             path,
             method,
             message: "forbidden",
+            error,
             ip,
             uid: user?.uid,
         });
         return { error: "forbidden", code: 403 };
     }
-    return { token: jwtToken, valid: true };
+    return { token: jwtToken, valid: true, payload, redirectURIs };
 }

package/dist/server/routes/auth/controllers/core/logout.js

@@ -8,7 +8,7 @@ async function logout(req, reply) {
         return reply.redirect("/");
     }
     await req.session?.destroy?.();
-    reply.clearCookie("session_auth");
+    reply?.clearCookie?.("session_auth");
     // Shield session from resurrection
     Object.defineProperty(req, "session", {
         value: null,

package/dist/server/routes/auth/controllers/jwt/authorize.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authorize.d.ts","sourceRoot":"","sources":["../../../../../../server/routes/auth/controllers/jwt/authorize.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAyBvC,wBAA8B,SAAS,CAAC,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,YAAY,kBAmHpE"}
+{"version":3,"file":"authorize.d.ts","sourceRoot":"","sources":["../../../../../../server/routes/auth/controllers/jwt/authorize.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAyBvC,wBAA8B,SAAS,CAAC,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,YAAY,kBAuHpE"}

package/dist/server/routes/auth/controllers/jwt/authorize.js

@@ -27,10 +27,11 @@ export default async function authorize(req, reply) {
             .code(400)
             .send({ error: "not enough query params: client_id", code: 400 });
     }
-    const q = `select owner_user_id, client_secret_hash, redirect_uris from oauth.clients where client_id=$1 and token_endpoint_auth_method=$2 and ${scope ? "$1=any(scopes)" : "1=1"}`;
-    const { owner_user_id: userId, client_secret_hash: secret, redirect_uris = [], } = pg.pk?.["oauth.clients"]
+    const ip = getIp(req);
+    const q = `select * from oauth.clients where client_id=$1 and token_endpoint_auth_method=$2 and (allowed_ips is null or $3=any(allowed_ips)) and ${scope ? "$4=any(scopes)" : "1=1"} order by allowed_ips nulls last limit 1`;
+    const { owner_user_id: userId, client_secret_hash: secret, redirect_uris = [], scopes, allowed_ips: allowedIPs = [], } = pg.pk?.["oauth.clients"]
         ? await pg
-            .query(q, [client_id, "private_key_jwt"])
+            .query(q, [client_id, "private_key_jwt", ip, scope].filter(Boolean))
             .then((el) => el.rows?.[0] || {})
         : {};
     if (!userId) {
@@ -54,9 +55,8 @@ export default async function authorize(req, reply) {
     const href1 = req.method === "POST"
         ? null
         : await authorizeUser(user, req, "jwt", expireMsec);
-    const ip = getIp(req);
     // Generate authorization code
-    const code = sign(userId, secret, expireMsec, ip);
+    const code = sign(userId, secret, expireMsec, scopes);
     const tokenHash = await scryptHash(code);
     // disable access via old tokens
     if (pg.pk?.["oauth.tokens"]) {
@@ -92,6 +92,7 @@ export default async function authorize(req, reply) {
             code,
             expire: expireMsec,
             redirect_uri: href,
+            scopes,
         });
     }
     if (payload.noredirect || process.env.NODE_ENV === "test") {

package/dist/server/routes/auth/controllers/jwt/token.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"token.d.ts","sourceRoot":"","sources":["../../../../../../server/routes/auth/controllers/jwt/token.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAmB5D,wBAA8B,UAAU,CACtC,GAAG,EAAE,eAAe,EACpB,KAAK,EAAE,YAAY,kBAmHpB"}
+{"version":3,"file":"token.d.ts","sourceRoot":"","sources":["../../../../../../server/routes/auth/controllers/jwt/token.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAsB5D,wBAA8B,UAAU,CACtC,GAAG,EAAE,eAAe,EACpB,KAAK,EAAE,YAAY,kBAwEpB"}

package/dist/server/routes/auth/controllers/jwt/token.js

@@ -1,6 +1,6 @@
-import { verify, scryptVerify } from "../../../../plugins/auth/funcs/jwt.js";
 import pgClients from "../../../../plugins/pg/pgClients.js";
 import authorizeUser from "../../../../plugins/auth/funcs/authorizeUser.js";
+import checkJWT from "../../../../plugins/policy/funcs/checkJWT.js";
 const expireMsec = 1000 * 60 * 60;
 const getIp = (req) => (req.headers?.["x-real-ip"] ||
     req.headers?.["x-forwarded-for"] ||
@@ -9,6 +9,7 @@ const getIp = (req) => (req.headers?.["x-real-ip"] ||
     "")
     .split(":")
     .pop();
+// todo: use checkJWT instead
 export default async function oauthToken(req, reply) {
     const { pg = pgClients.client, query, body } = req;
     const payload = req.method === "POST" ? body : query;
@@ -26,56 +27,24 @@ export default async function oauthToken(req, reply) {
             .code(400)
             .send({ error: "not enough params: code", code: 400 });
     }
-    const q = `select owner_user_id, client_secret_hash, redirect_uris from oauth.clients where client_id=$1 and token_endpoint_auth_method=$2`;
-    const { owner_user_id: userId, client_secret_hash: secret, redirect_uris = [], } = pg.pk?.["oauth.clients"]
-        ? await pg
-            .query(q, [client_id, "private_key_jwt"])
-            .then((el) => el.rows?.[0] || {})
-        : {};
-    const ip = getIp(req);
-    const isCodeValid = verify(code, secret, ip);
-    const q1 = "select token_hash, expires_at, ip from oauth.tokens where client_id=$1 and revoked_at is null and expires_at > now()";
-    const { token_hash: stored, expires_at, ip: storedIp, } = await pg.query(q1, [client_id]).then((el) => el.rows?.[0] || {});
-    if (storedIp !== ip) {
-        return reply
-            .code(403)
-            .send({ error: "access restricted: wrong IP address", code: 403 });
-    }
-    if (!stored) {
-        return reply
-            .code(403)
-            .send({ error: "access restricted: code expired", code: 403 });
-    }
-    const isValid = await scryptVerify(stored, code);
-    if (!isValid) {
-        return reply
-            .code(403)
-            .send({ error: "access restricted: stored code mismatch", code: 403 });
-    }
-    if (!isCodeValid) {
-        return reply
-            .code(403)
-            .send({ error: "access restricted: invalid code", code: 403 });
-    }
-    if (!userId) {
-        return reply.code(400).send({ error: "invalid client id", code: 400 });
+    const { valid, payload: jwtPayload, redirectURIs, error, } = (await checkJWT(req)) || {};
+    if (!valid) {
+        return reply.code(401).send({ error, code: 401 });
     }
-    if (redirect_uri &&
-        Array.isArray(redirect_uris) &&
-        !redirect_uris.includes(redirect_uri)) {
+    if (redirect_uri && !(redirectURIs || []).includes(redirect_uri)) {
         return reply.code(400).send({ error: "invalid redirect_uri", code: 400 });
     }
     const user = pg.pk?.["admin.users"]
         ? await pg
             .query("select * from admin.users where uid=$1 and enabled limit 1", [
-            userId,
+            jwtPayload.uid,
         ])
             .then((el) => el.rows[0])
         : null;
     if (!user) {
         return reply.code(404).send({ error: "user not found", code: 404 });
     }
-    const expire = expires_at ? expires_at - Date.now() : expireMsec;
+    const expire = Math.min(jwtPayload.expires - jwtPayload.created || expireMsec, expireMsec);
     const href1 = await authorizeUser(user, req, "jwt", expire);
     const backUrl = redirect_uri ? `${redirect_uri}?code=${code}` : "";
     const href = redirect_uri && !redirect_uri.includes("?")

package/dist/server/routes/table/functions/getData.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"getData.d.ts","sourceRoot":"","sources":["../../../../../server/routes/table/functions/getData.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC5C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AAkFzD,wBAA8B,OAAO,CACnC,EACE,EAAqB,EACrB,MAAM,EACN,KAAK,EACL,EAAE,EACF,OAAY,EACZ,KAAU,EACV,IAAS,EACT,YAAY,EACZ,YAAY,EACZ,KAAY,EACZ,UAAU,EACV,OAAO,EAAE,YAAY,EACrB,WAAW,EAAE,gBAAgB,EAC7B,OAAO,EAAE,YAAY,EACrB,QAAgB,GACjB,EAAE;IACD,EAAE,CAAC,EAAE,UAAU,CAAC;IAChB,MAAM,CAAC,EAAE;QAAE,EAAE,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;IACxD,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC9B,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC5B,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC3B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,UAAU,CAAC,EAAE,GAAG,EAAE,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB,EACD,MAAM,CAAC,EAAE,YAAY,EACrB,MAAM,CAAC,EAAE,GAAG,gBAk3Bb"}
+{"version":3,"file":"getData.d.ts","sourceRoot":"","sources":["../../../../../server/routes/table/functions/getData.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC5C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AAkFzD,wBAA8B,OAAO,CACnC,EACE,EAAqB,EACrB,MAAM,EACN,KAAK,EACL,EAAE,EACF,OAAY,EACZ,KAAU,EACV,IAAS,EACT,YAAY,EACZ,YAAY,EACZ,KAAY,EACZ,UAAU,EACV,OAAO,EAAE,YAAY,EACrB,WAAW,EAAE,gBAAgB,EAC7B,OAAO,EAAE,YAAY,EACrB,QAAgB,GACjB,EAAE;IACD,EAAE,CAAC,EAAE,UAAU,CAAC;IAChB,MAAM,CAAC,EAAE;QAAE,EAAE,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;IACxD,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC9B,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC5B,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC3B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,UAAU,CAAC,EAAE,GAAG,EAAE,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB,EACD,MAAM,CAAC,EAAE,YAAY,EACrB,MAAM,CAAC,EAAE,GAAG,gBAo3Bb"}

package/dist/server/routes/table/functions/getData.js

@@ -128,9 +128,9 @@ export default async function dataAPI({ pg = pgClients.client, params, table, id
     if (!pg) {
         return reply.status(500).send("empty pg");
     }
-    const pkey = pg.pk?.[paramsTable] ||
-        pg.pk?.[paramsTable.replace(/"/g, "")] ||
-        (await getMeta({ pg, table: paramsTable }))?.pk;
+    const pkey = pg.pk?.[resources[paramsTable] || paramsTable] ||
+        pg.pk?.[resources[paramsTable] || paramsTable.replace(/"/g, "")] ||
+        (await getMeta({ pg, table: resources[paramsTable] || paramsTable }))?.pk;
     if (!loadTable &&
         !(tokenData?.table && pg.pk?.[tokenData?.table]) &&
         !(called && pkey)) {
@@ -244,7 +244,7 @@ export default async function dataAPI({ pg = pgClients.client, params, table, id
     if (objectId && columnList.includes(objectId)) {
         return gisIRColumn({
             pg,
-            layer: paramsTable,
+            layer: resources[paramsTable] || paramsTable,
             column: objectId,
             sql: query?.sql,
             filter: query?.filter,
@@ -264,7 +264,9 @@ export default async function dataAPI({ pg = pgClients.client, params, table, id
     const fData = checkFilter
         ? await getFilterSQL({
             pg,
-            table: loadTable ? tokenData?.table || paramsTable : table1,
+            table: loadTable
+                ? tokenData?.table || resources[paramsTable] || paramsTable
+                : table1,
             filter: query?.filter,
             search: query?.search,
             searchColumn,
@@ -600,7 +602,7 @@ export default async function dataAPI({ pg = pgClients.client, params, table, id
     }
     const route = pg.tlist?.includes?.("admin.routes")
         ? await pg
-            .query("select route_id as path, title from admin.routes where enabled and alias=$1 limit 1", [paramsTable])
+            .query("select route_id as path, title from admin.routes where enabled and alias=$1 limit 1", [resources[paramsTable] || paramsTable])
             .then((el) => el.rows?.[0] || {})
         : {};
     const res = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@opengis/fastify-table",
-  "version": "2.1.19",
+  "version": "2.2.0",
   "type": "module",
   "description": "core-plugins",
   "keywords": [
@@ -31,6 +31,8 @@
     "build": "tsc -b --clean && tsc && copyfiles server/plugins/grpc/utils/*.proto dist && copyfiles server/migrations/*.sql dist && copyfiles server/templates/**/*.html dist && copyfiles server/templates/**/*.hbs dist && copyfiles script/* dist && copyfiles -u 2 module/core/*/* dist/module/core",
     "prod": "NODE_ENV=production bun dist/server",
     "patch": "npm version patch && git push && npm publish",
+    "minor": "npm version minor && git push && npm publish",
+    "major": "npm version major && git push && npm publish",
     "lint": "eslint . --ext .vue,.js,.jsx,.cjs,.mjs,.ts,.tsx,.cts,.mts --fix --ignore-path .gitignore",
     "test": "npx vitest run",
     "compress": "node compress.js",