@opengis/fastify-table 2.4.6 → 2.4.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/module/core/select/core.user_mentioned.sql +1 -1
- package/dist/server/migrations/oauth.sql.sql +77 -0
- package/dist/server/plugins/hook/index.js +39 -0
- package/dist/server/plugins/migration/index.d.ts +3 -0
- package/dist/server/plugins/migration/index.d.ts.map +1 -0
- package/dist/server/plugins/migration/index.js +5 -0
- package/dist/server/routes/auth/controllers/2factor/generate.js +38 -0
- package/dist/server/routes/auth/controllers/2factor/toggle.js +39 -0
- package/dist/server/routes/logger/controllers/utils/checkUserAccess.js +22 -0
- package/dist/server/routes/logger/controllers/utils/getRootDir.js +25 -0
- package/dist/server/routes/widget/index.js +6 -6
- package/dist/server/types/errors.d.ts +14 -0
- package/dist/server/types/errors.d.ts.map +1 -0
- package/dist/server/types/errors.js +4 -0
- package/package.json +1 -1
|
@@ -1,2 +1,2 @@
|
|
|
1
|
-
select uid, coalesce(sur_name,'')||coalesce(' '||user_name,'') as text, email from admin.users
|
|
1
|
+
select uid, coalesce(sur_name,'')||coalesce(' '||user_name,'') as text, email from admin.users
|
|
2
2
|
where enabled order by coalesce(sur_name,'')||coalesce(' '||user_name,'')
|
|
@@ -0,0 +1,77 @@
|
|
|
1
|
+
CREATE schema if not exists oauth;
|
|
2
|
+
|
|
3
|
+
CREATE TABLE if not exists oauth.clients (
|
|
4
|
+
client_id text PRIMARY KEY DEFAULT next_id(), -- ID клієнта (публічний ідентифікатор)
|
|
5
|
+
client_secret_hash text, -- Хеш секрету (NULL для public-клієнтів)
|
|
6
|
+
name text NOT NULL, -- Назва застосунку
|
|
7
|
+
type text NOT NULL CHECK (type IN ('public','confidential')),
|
|
8
|
+
token_endpoint_auth_method text NOT NULL CHECK (token_endpoint_auth_method IN ('client_secret_basic','client_secret_post','private_key_jwt','none')),
|
|
9
|
+
owner_user_id text, -- Власник/адміністратор клієнта (посилання на users.id or other id)
|
|
10
|
+
|
|
11
|
+
redirect_uris text[], -- Дозволені redirect_uri
|
|
12
|
+
grant_types text[] CHECK (case when grant_types is not null then grant_types <@ ARRAY['authorization_code','refresh_token','client_credentials','device_code']::text[] else true end),
|
|
13
|
+
require_pkce boolean NOT NULL DEFAULT true,
|
|
14
|
+
scopes text[],
|
|
15
|
+
allowed_cors_origins text[],
|
|
16
|
+
jwks jsonb, -- Вбудований JWK Set (опційно)
|
|
17
|
+
|
|
18
|
+
created_at timestamptz NOT NULL DEFAULT now(),
|
|
19
|
+
updated_at timestamptz NOT NULL DEFAULT now()
|
|
20
|
+
);
|
|
21
|
+
|
|
22
|
+
CREATE TABLE if not exists oauth.tokens (
|
|
23
|
+
id text PRIMARY KEY DEFAULT next_id(),
|
|
24
|
+
token_type text NOT NULL CHECK (token_type IN ('access','refresh')),
|
|
25
|
+
token_hash text NOT NULL UNIQUE, -- Argon2/bcrypt/SCrypt (хеш у застосунку)
|
|
26
|
+
token_hint text, -- останні 6-8 символів для діагностики (необов’язково)
|
|
27
|
+
jti text UNIQUE, -- JWT ID, якщо токен — JWT
|
|
28
|
+
client_id text NOT NULL REFERENCES oauth.clients(client_id) ON DELETE CASCADE,
|
|
29
|
+
user_id text, -- NULL для client_credentials
|
|
30
|
+
issuer text, -- iss
|
|
31
|
+
scopes text[],
|
|
32
|
+
claims jsonb, -- додаткові клейми
|
|
33
|
+
issued_at timestamptz NOT NULL DEFAULT now(),
|
|
34
|
+
expires_at timestamptz NOT NULL,
|
|
35
|
+
revoked_at timestamptz,
|
|
36
|
+
revocation_reason text,
|
|
37
|
+
ip inet -- IP видачі/використання (опційно)
|
|
38
|
+
);
|
|
39
|
+
|
|
40
|
+
COMMENT ON SCHEMA oauth IS 'Schema for OAuth2 / OpenID Connect clients and tokens';
|
|
41
|
+
|
|
42
|
+
-- Comments for oauth.clients
|
|
43
|
+
COMMENT ON TABLE oauth.clients IS 'OAuth 2.0 clients (applications) that can request tokens';
|
|
44
|
+
|
|
45
|
+
COMMENT ON COLUMN oauth.clients.client_id IS 'Client identifier (public ID, generated by next_id())';
|
|
46
|
+
COMMENT ON COLUMN oauth.clients.client_secret_hash IS 'Hashed client secret (NULL for public clients)';
|
|
47
|
+
COMMENT ON COLUMN oauth.clients.name IS 'Name of the application/client';
|
|
48
|
+
COMMENT ON COLUMN oauth.clients.type IS 'Client type: public or confidential';
|
|
49
|
+
COMMENT ON COLUMN oauth.clients.token_endpoint_auth_method IS 'Authentication method at token endpoint (client_secret_basic, client_secret_post, private_key_jwt, none)';
|
|
50
|
+
COMMENT ON COLUMN oauth.clients.owner_user_id IS 'Owner/administrator of the client (reference to users.id or external id)';
|
|
51
|
+
COMMENT ON COLUMN oauth.clients.redirect_uris IS 'Allowed redirect URIs';
|
|
52
|
+
COMMENT ON COLUMN oauth.clients.grant_types IS 'Allowed grant types (authorization_code, refresh_token, client_credentials, device_code)';
|
|
53
|
+
COMMENT ON COLUMN oauth.clients.require_pkce IS 'Whether PKCE is required (default true)';
|
|
54
|
+
COMMENT ON COLUMN oauth.clients.scopes IS 'Allowed OAuth2 scopes';
|
|
55
|
+
COMMENT ON COLUMN oauth.clients.allowed_cors_origins IS 'Allowed CORS origins for browser-based apps';
|
|
56
|
+
COMMENT ON COLUMN oauth.clients.jwks IS 'Embedded JSON Web Key Set (optional)';
|
|
57
|
+
COMMENT ON COLUMN oauth.clients.created_at IS 'Creation timestamp';
|
|
58
|
+
COMMENT ON COLUMN oauth.clients.updated_at IS 'Last update timestamp';
|
|
59
|
+
|
|
60
|
+
-- Comments for oauth.tokens
|
|
61
|
+
COMMENT ON TABLE oauth.tokens IS 'Issued OAuth 2.0 tokens (access or refresh)';
|
|
62
|
+
|
|
63
|
+
COMMENT ON COLUMN oauth.tokens.id IS 'Internal token ID (generated by next_id())';
|
|
64
|
+
COMMENT ON COLUMN oauth.tokens.token_type IS 'Type of token: access or refresh';
|
|
65
|
+
COMMENT ON COLUMN oauth.tokens.token_hash IS 'Secure hash of the token (Argon2/bcrypt/SCrypt)';
|
|
66
|
+
COMMENT ON COLUMN oauth.tokens.token_hint IS 'Optional hint (last 6–8 characters of token) for diagnostics';
|
|
67
|
+
COMMENT ON COLUMN oauth.tokens.jti IS 'JWT ID if token is a JWT (unique)';
|
|
68
|
+
COMMENT ON COLUMN oauth.tokens.client_id IS 'Reference to oauth.clients (issuing client)';
|
|
69
|
+
COMMENT ON COLUMN oauth.tokens.user_id IS 'User ID if bound to user (NULL for client_credentials flow)';
|
|
70
|
+
COMMENT ON COLUMN oauth.tokens.issuer IS 'Token issuer (iss claim)';
|
|
71
|
+
COMMENT ON COLUMN oauth.tokens.scopes IS 'Granted OAuth2 scopes for this token';
|
|
72
|
+
COMMENT ON COLUMN oauth.tokens.claims IS 'Additional claims (JSONB)';
|
|
73
|
+
COMMENT ON COLUMN oauth.tokens.issued_at IS 'Timestamp when issued';
|
|
74
|
+
COMMENT ON COLUMN oauth.tokens.expires_at IS 'Timestamp when token expires';
|
|
75
|
+
COMMENT ON COLUMN oauth.tokens.revoked_at IS 'Timestamp when revoked';
|
|
76
|
+
COMMENT ON COLUMN oauth.tokens.revocation_reason IS 'Reason for revocation (if any)';
|
|
77
|
+
COMMENT ON COLUMN oauth.tokens.ip IS 'IP address of issuance/usage (optional)';
|
|
@@ -0,0 +1,39 @@
|
|
|
1
|
+
import config from "../../../config.js";
|
|
2
|
+
export const hookList = {};
|
|
3
|
+
export async function applyHook(name, data) {
|
|
4
|
+
if (config.trace)
|
|
5
|
+
console.log("applyHook", name);
|
|
6
|
+
if (!hookList[name]?.length)
|
|
7
|
+
return null;
|
|
8
|
+
const result = {};
|
|
9
|
+
await Promise.all(hookList[name].map(async (hook) => {
|
|
10
|
+
const hookData = await hook({ ...data, config });
|
|
11
|
+
if (hookData) {
|
|
12
|
+
if (config.trace)
|
|
13
|
+
console.log("applyHook", name, hookData);
|
|
14
|
+
Object.assign(result, hookData);
|
|
15
|
+
}
|
|
16
|
+
})).catch((err) => {
|
|
17
|
+
console.error("applyHook", name, err.toString());
|
|
18
|
+
});
|
|
19
|
+
if (Object.keys(result).length) {
|
|
20
|
+
return result;
|
|
21
|
+
}
|
|
22
|
+
return null;
|
|
23
|
+
}
|
|
24
|
+
export function addHook(name, fn) {
|
|
25
|
+
if (!hookList[name]) {
|
|
26
|
+
hookList[name] = [];
|
|
27
|
+
}
|
|
28
|
+
if (config.trace)
|
|
29
|
+
console.log("addHook", name);
|
|
30
|
+
hookList[name].push(fn);
|
|
31
|
+
}
|
|
32
|
+
export function applyHookSync(name, data) {
|
|
33
|
+
if (!hookList[name]?.length)
|
|
34
|
+
return null;
|
|
35
|
+
if (config.trace)
|
|
36
|
+
console.log("applyHookSync", name);
|
|
37
|
+
const hookData = hookList[name].map((hook) => hook(data))[0];
|
|
38
|
+
return hookData;
|
|
39
|
+
}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../server/plugins/migration/index.ts"],"names":[],"mappings":"AAEA,iBAAe,MAAM,kBAEpB;AAED,eAAe,MAAM,CAAC"}
|
|
@@ -0,0 +1,38 @@
|
|
|
1
|
+
import config from "../../../../../config.js";
|
|
2
|
+
import pgClients from "../../../../plugins/pg/pgClients.js";
|
|
3
|
+
import { generate } from "./providers/totp.js";
|
|
4
|
+
/**
|
|
5
|
+
* Генерація secret для двохфакторної авторизації користувача
|
|
6
|
+
*
|
|
7
|
+
* @method GET
|
|
8
|
+
* @summary Генерація user secret для двохфакторної авторизації
|
|
9
|
+
* @priority 3
|
|
10
|
+
* @alias generate
|
|
11
|
+
* @type api
|
|
12
|
+
* @tag auth
|
|
13
|
+
* @requires 2fa
|
|
14
|
+
* @errors 500
|
|
15
|
+
* @returns {Number} status Номер помилки
|
|
16
|
+
* @returns {String|Object} error Опис помилки
|
|
17
|
+
* @returns {String|Object} message Повідомлення про успішне виконання або об'єкт з параметрами
|
|
18
|
+
*/
|
|
19
|
+
export default async function generateFunction({ pg = pgClients.client, user = {} }, reply) {
|
|
20
|
+
if (!user?.uid) {
|
|
21
|
+
return reply.status(401).send("unauthorized");
|
|
22
|
+
}
|
|
23
|
+
const { uid } = user;
|
|
24
|
+
if (!config?.auth?.["2factor"]) {
|
|
25
|
+
return reply.status(400).send("2fa not enabled");
|
|
26
|
+
}
|
|
27
|
+
if (!config.pg) {
|
|
28
|
+
return reply.status(400).send("empty pg");
|
|
29
|
+
}
|
|
30
|
+
if (!uid) {
|
|
31
|
+
return reply.status(401).send("access restricted: unauthorized");
|
|
32
|
+
}
|
|
33
|
+
const res = await generate({ pg, uid });
|
|
34
|
+
if (res?.enabled) {
|
|
35
|
+
return reply.status(400).send("already created 2fa");
|
|
36
|
+
}
|
|
37
|
+
return reply.status(200).send(res);
|
|
38
|
+
}
|
|
@@ -0,0 +1,39 @@
|
|
|
1
|
+
import config from '../../../../../config.js';
|
|
2
|
+
import pgClients from '../../../../plugins/pg/pgClients.js';
|
|
3
|
+
import { toggle } from './providers/totp.js';
|
|
4
|
+
/**
|
|
5
|
+
* Включення/виключення двохфакторної авторизації для користувача
|
|
6
|
+
*
|
|
7
|
+
* @method GET
|
|
8
|
+
* @summary Включення/виключення двохфакторної авторизації
|
|
9
|
+
* @priority 2
|
|
10
|
+
* @alias toggle
|
|
11
|
+
* @type api
|
|
12
|
+
* @tag auth
|
|
13
|
+
* @requires 2fa
|
|
14
|
+
* @errors 500
|
|
15
|
+
* @returns {Number} status Номер помилки
|
|
16
|
+
* @returns {String|Object} error Опис помилки
|
|
17
|
+
* @returns {String|Object} message Повідомлення про успішне виконання або об'єкт з параметрами
|
|
18
|
+
*/
|
|
19
|
+
export default async function toggleFunction(req, reply) {
|
|
20
|
+
const { pg = pgClients.client, session = {}, query = {}, } = req;
|
|
21
|
+
const { uid } = session?.passport?.user || {};
|
|
22
|
+
const { code, enable } = query;
|
|
23
|
+
if (!config.pg) {
|
|
24
|
+
return reply.status(400).send('empty pg');
|
|
25
|
+
}
|
|
26
|
+
if (!uid) {
|
|
27
|
+
return reply.status(401).send('access restricted: unauthorized');
|
|
28
|
+
}
|
|
29
|
+
if (!code) {
|
|
30
|
+
return reply.status(400).send('param "code" is required');
|
|
31
|
+
}
|
|
32
|
+
if (!Object.hasOwn(query, 'enable')) {
|
|
33
|
+
return reply.status(400).send('param "enable" is required');
|
|
34
|
+
}
|
|
35
|
+
const data = await toggle({
|
|
36
|
+
pg, code, enable: enable === 'true', uid,
|
|
37
|
+
});
|
|
38
|
+
return reply.status(200).send(data);
|
|
39
|
+
}
|
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
import config from "../../../../../config.js";
|
|
2
|
+
const { accessToken = "0NWcGQxKRP8AsRxD" } = config.auth || {};
|
|
3
|
+
/**
|
|
4
|
+
*
|
|
5
|
+
* @summary check user access to logger interface - per admin user type or user group
|
|
6
|
+
* @returns {Object} message, status
|
|
7
|
+
*/
|
|
8
|
+
export default function checkUserAccess({ user = {}, token, }) {
|
|
9
|
+
if (token && token === accessToken) {
|
|
10
|
+
return { message: "access granted", status: 200 };
|
|
11
|
+
}
|
|
12
|
+
// console.log(user);
|
|
13
|
+
if (!user.user_type?.includes?.("admin") &&
|
|
14
|
+
!config?.local &&
|
|
15
|
+
!config.auth?.disable) {
|
|
16
|
+
return { message: "access restricted", status: 403 };
|
|
17
|
+
}
|
|
18
|
+
/* if (!['admin', 'superadmin']?.includes(user.user_type) && count === '0') {
|
|
19
|
+
return { message: 'access restricted', status: 403 };
|
|
20
|
+
} */
|
|
21
|
+
return { message: "access granted", status: 200 };
|
|
22
|
+
}
|
|
@@ -0,0 +1,25 @@
|
|
|
1
|
+
/* eslint-disable no-console */
|
|
2
|
+
import fs from "node:fs";
|
|
3
|
+
import path from "node:path";
|
|
4
|
+
import config from "../../../../../config.js";
|
|
5
|
+
// import { existsSync } from 'fs';
|
|
6
|
+
let logDir = null;
|
|
7
|
+
export default function getRootDir() {
|
|
8
|
+
// absolute / relative path
|
|
9
|
+
if (logDir)
|
|
10
|
+
return logDir;
|
|
11
|
+
const file = ["config.json", "/data/local/config.json"].find((el) => fs.existsSync(el) ? el : null);
|
|
12
|
+
const root = file === "config.json" ? process.cwd() : "/data/local";
|
|
13
|
+
logDir = config.logDir || path.join(root, config.log?.dir || "log");
|
|
14
|
+
console.log({ logDir });
|
|
15
|
+
return logDir;
|
|
16
|
+
// windows debug support
|
|
17
|
+
/* const customLogDir = process.cwd().includes(':') ? 'c:/data/local' : '/data/local';
|
|
18
|
+
// docker default path
|
|
19
|
+
if (existsSync(customLogDir)) {
|
|
20
|
+
return path.join(customLogDir, config.folder || '', 'log');
|
|
21
|
+
}
|
|
22
|
+
|
|
23
|
+
// non-docker default path
|
|
24
|
+
return path.join(config.root || '/data/local', config.folder || '', 'log'); */
|
|
25
|
+
}
|
|
@@ -40,7 +40,7 @@ addHook("onWidgetSet", onWidgetSet);
|
|
|
40
40
|
const policy = "L0";
|
|
41
41
|
const params = { config: { tags, policy }, schema: tableSchema };
|
|
42
42
|
export default function route(app) {
|
|
43
|
-
app.get("/widget/:type/:entityType/:objectid", params, async (req) => {
|
|
43
|
+
app.get("/v2/widget/:type/:entityType/:objectid", params, async (req) => {
|
|
44
44
|
const result = await widgetEntityGet({
|
|
45
45
|
type: req.params.type,
|
|
46
46
|
entityType: req.params.entityType,
|
|
@@ -51,7 +51,7 @@ export default function route(app) {
|
|
|
51
51
|
}, req.pg);
|
|
52
52
|
return result;
|
|
53
53
|
});
|
|
54
|
-
app.post("/widget/:type/:entityType/:objectid", params, async (req) => {
|
|
54
|
+
app.post("/v2/widget/:type/:entityType/:objectid", params, async (req) => {
|
|
55
55
|
if (["gallery", "file"].includes(req.params.type) &&
|
|
56
56
|
req.headers["content-type"]?.startsWith("multipart/form-data")) {
|
|
57
57
|
const file = await uploadMultiPart(req);
|
|
@@ -74,7 +74,7 @@ export default function route(app) {
|
|
|
74
74
|
}, req.pg);
|
|
75
75
|
return result;
|
|
76
76
|
});
|
|
77
|
-
app.put("/widget/:type/:entityType/:objectid/:id", params, async (req) => {
|
|
77
|
+
app.put("/v2/widget/:type/:entityType/:objectid/:id", params, async (req) => {
|
|
78
78
|
if (["gallery", "file"].includes(req.params.type) &&
|
|
79
79
|
req.headers["content-type"]?.startsWith("multipart/form-data")) {
|
|
80
80
|
const file = await uploadMultiPart(req);
|
|
@@ -99,7 +99,7 @@ export default function route(app) {
|
|
|
99
99
|
}, req.pg);
|
|
100
100
|
return result;
|
|
101
101
|
});
|
|
102
|
-
app.delete("/widget/:type/:entityType/:objectid/:id", params, async (req) => {
|
|
102
|
+
app.delete("/v2/widget/:type/:entityType/:objectid/:id", params, async (req) => {
|
|
103
103
|
const result = await widgetEntityDel({
|
|
104
104
|
type: req.params.type,
|
|
105
105
|
entityType: req.params.entityType,
|
|
@@ -111,8 +111,8 @@ export default function route(app) {
|
|
|
111
111
|
return result;
|
|
112
112
|
});
|
|
113
113
|
app.get("/widget/:type/:objectid", params, widgetGet);
|
|
114
|
-
app.post("/widget/:type/:objectid", params, widgetSet);
|
|
115
|
-
app.put("/widget/:type/:objectid/:id", params, widgetSet);
|
|
114
|
+
app.post("/widget/:type/:objectid/:id?", params, widgetSet);
|
|
115
|
+
// app.put("/widget/:type/:objectid/:id", params, widgetSet);
|
|
116
116
|
app.delete("/widget/:type/:objectid/:id", params, widgetDel);
|
|
117
117
|
app.put("/file-edit/:id", params, fileEdit);
|
|
118
118
|
}
|
|
@@ -0,0 +1,14 @@
|
|
|
1
|
+
import createError from "@fastify/error";
|
|
2
|
+
export declare const NotFoundError: createError.FastifyErrorConstructor<{
|
|
3
|
+
code: "NOT_FOUND_ERROR";
|
|
4
|
+
statusCode: 404;
|
|
5
|
+
}, [any?, any?, any?]>;
|
|
6
|
+
export declare const BadRequestError: createError.FastifyErrorConstructor<{
|
|
7
|
+
code: "BAD_REQUEST_ERROR";
|
|
8
|
+
statusCode: 400;
|
|
9
|
+
}, [any?, any?, any?]>;
|
|
10
|
+
export declare const PayloadTooLargeError: createError.FastifyErrorConstructor<{
|
|
11
|
+
code: "PAYLOAD_TOO_LARGE_ERROR";
|
|
12
|
+
statusCode: 413;
|
|
13
|
+
}, [any?, any?, any?]>;
|
|
14
|
+
//# sourceMappingURL=errors.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../../server/types/errors.ts"],"names":[],"mappings":"AAAA,OAAO,WAAW,MAAM,gBAAgB,CAAC;AACzC,eAAO,MAAM,aAAa;;;sBAIzB,CAAC;AACF,eAAO,MAAM,eAAe;;;sBAI3B,CAAC;AACF,eAAO,MAAM,oBAAoB;;;sBAIhC,CAAC"}
|
|
@@ -0,0 +1,4 @@
|
|
|
1
|
+
import createError from "@fastify/error";
|
|
2
|
+
export const NotFoundError = createError("NOT_FOUND_ERROR", "Resource not found: %s", 404);
|
|
3
|
+
export const BadRequestError = createError("BAD_REQUEST_ERROR", "Bad request: %s", 400);
|
|
4
|
+
export const PayloadTooLargeError = createError("PAYLOAD_TOO_LARGE_ERROR", "Payload Too Large: %s", 413);
|