@openneuro/server 4.20.4 → 4.20.6-alpha.2

package/src/libs/authentication/jwt.ts

@@ -1,9 +1,9 @@
-import passport from 'passport'
-import refresh from 'passport-oauth2-refresh'
-import jwt from 'jsonwebtoken'
-import { decrypt } from './crypto'
-import User from '../../models/user'
-import config from '../../config.js'
+import passport from "passport"
+import refresh from "passport-oauth2-refresh"
+import jwt from "jsonwebtoken"
+import { decrypt } from "./crypto"
+import User from "../../models/user"
+import config from "../../config"
 
 interface OpenNeuroTokenProfile {
   sub: string
@@ -24,7 +24,7 @@ export const buildToken = (
   expiresIn,
   options?: { scopes?: string[]; dataset?: string },
 ): string => {
-  const fields: Omit<OpenNeuroTokenProfile, 'iat' | 'exp'> = {
+  const fields: Omit<OpenNeuroTokenProfile, "iat" | "exp"> = {
     sub: user.id,
     email: user.email,
     provider: user.provider,
@@ -33,10 +33,10 @@ export const buildToken = (
   }
   // Allow extensions of the base token format
   if (options) {
-    if (options && 'scopes' in options) {
+    if (options && "scopes" in options) {
       fields.scopes = options.scopes
     }
-    if ('dataset' in options) {
+    if ("dataset" in options) {
       fields.dataset = options.dataset
     }
   }
@@ -46,12 +46,10 @@ export const buildToken = (
 }
 
 // Helper to generate a JWT containing user info
-export const addJWT =
-  config =>
-  (user, expiration = 60 * 60 * 24 * 7) => {
-    const token = buildToken(config, user, expiration)
-    return Object.assign({}, user, { token })
-  }
+export const addJWT = (config) => (user, expiration = 60 * 60 * 24 * 7) => {
+  const token = buildToken(config, user, expiration)
+  return Object.assign({}, user, { token })
+}
 
 /**
  * Generate an upload specific token
@@ -64,7 +62,7 @@ export function generateUploadToken(
   expiresIn = 60 * 60 * 24 * 7,
 ) {
   const options = {
-    scopes: ['dataset:upload'],
+    scopes: ["dataset:upload"],
     dataset: datasetId,
   }
   return buildToken(config, user, expiresIn, options)
@@ -79,14 +77,14 @@ export function generateReviewerToken(
   expiresIn = 60 * 60 * 24 * 365,
 ) {
   const options = {
-    scopes: ['dataset:reviewer'],
+    scopes: ["dataset:reviewer"],
     dataset: datasetId,
   }
   const reviewer = {
     id,
-    email: 'reviewer@openneuro.org',
-    provider: 'OpenNeuro',
-    name: 'Anonymous Reviewer',
+    email: "reviewer@openneuro.org",
+    provider: "OpenNeuro",
+    name: "Anonymous Reviewer",
     admin: false,
   }
   return buildToken(config, reviewer, expiresIn, options)
@@ -99,7 +97,7 @@ export function generateReviewerToken(
  */
 export function generateRepoToken(user, datasetId, expiresIn = 60 * 60 * 24) {
   const options = {
-    scopes: ['dataset:git'],
+    scopes: ["dataset:git"],
     dataset: datasetId,
   }
   return buildToken(config, user, expiresIn, options)
@@ -121,8 +119,17 @@ const requestNewAccessToken = (jwtProvider, refreshToken) =>
  * Extract the JWT from a cookie
  * @param {Object} req
  */
-export const jwtFromRequest = req => {
-  if (req.cookies && req.cookies.accessToken) {
+export const jwtFromRequest = (req) => {
+  if (req.headers?.authorization) {
+    try {
+      return req.headers.authorization.substring(
+        7,
+        req.headers.authorization.length,
+      )
+    } catch (_err) {
+      return null
+    }
+  } else if (req.cookies && req.cookies.accessToken) {
     return req.cookies.accessToken
   } else {
     return null
@@ -133,13 +140,13 @@ export const decodeJWT = (token: string): OpenNeuroTokenProfile => {
   return jwt.decode(token) as OpenNeuroTokenProfile
 }
 
-export const parsedJwtFromRequest = req => {
+export const parsedJwtFromRequest = (req) => {
   const jwt = jwtFromRequest(req)
   if (jwt) return decodeJWT(jwt)
   else return null
 }
 
-const refreshToken = async jwt => {
+const refreshToken = async (jwt) => {
   const user = await User.findOne({ id: jwt.sub, provider: jwt.provider })
   if (user && user.refresh) {
     const refreshToken = decrypt(user.refresh)
@@ -152,7 +159,7 @@ const refreshToken = async jwt => {
 }
 
 // Shared options for Express response.cookie()
-const cookieOptions = { sameSite: 'Lax' }
+const cookieOptions = { sameSite: "Lax" }
 
 // attach user obj to request based on jwt
 // if user does not exist, continue
@@ -163,10 +170,10 @@ export const authenticate = (req, res, next) => {
       const token = await refreshToken(jwt)
       if (token) {
         req.cookies.accessToken = token
-        res.cookie('accessToken', token, cookieOptions)
+        res.cookie("accessToken", token, cookieOptions)
       }
     }
-    passport.authenticate('jwt', { session: false }, (err, user) => {
+    passport.authenticate("jwt", { session: false }, (err, user) => {
       req.login(user, { session: false }, () => next())
     })(req, res, next)
   }
@@ -175,11 +182,11 @@ export const authenticate = (req, res, next) => {
 
 export const authSuccessHandler = (req, res, next) => {
   const redirectPath = req.query.state
-    ? Buffer.from(req.query.state, 'base64').toString()
-    : '/'
+    ? Buffer.from(req.query.state, "base64").toString()
+    : "/"
   if (req.user) {
     // Set the JWT associated with this login on a cookie
-    res.cookie('accessToken', req.user.token, cookieOptions)
+    res.cookie("accessToken", req.user.token, cookieOptions)
     res.redirect(redirectPath)
   } else {
     res.status(401)
@@ -187,6 +194,6 @@ export const authSuccessHandler = (req, res, next) => {
   return next()
 }
 
-export const generateDataladCookie = config => user => {
-  return user ? `accessToken=${addJWT(config)(user).token}` : ''
+export const generateDataladCookie = (config) => (user) => {
+  return user ? `accessToken=${addJWT(config)(user).token}` : ""
 }

package/src/libs/authentication/{orcid.js → orcid.ts}

@@ -1,39 +1,39 @@
-import passport from 'passport'
-import User from '../../models/user'
-import { parsedJwtFromRequest } from './jwt'
+import passport from "passport"
+import User from "../../models/user"
+import { parsedJwtFromRequest } from "./jwt"
 
-export const requestAuth = passport.authenticate('orcid', {
+export const requestAuth = passport.authenticate("orcid", {
   session: false,
 })
 
 export const authCallback = (req, res, next) =>
-  passport.authenticate('orcid', (err, user) => {
+  passport.authenticate("orcid", (err, user) => {
     if (err) {
       if (err.type) {
         return res.redirect(`/error/orcid/${err.type}`)
       } else {
-        return res.redirect('/error/orcid/unknown')
+        return res.redirect("/error/orcid/unknown")
       }
     }
     if (!user) {
-      return res.redirect('/')
+      return res.redirect("/")
     }
     const existingAuth = parsedJwtFromRequest(req)
     if (existingAuth) {
       // Save ORCID to primary account
       User.findOne({ id: existingAuth.sub })
-        .then(userModel => {
+        .then((userModel) => {
           userModel.orcid = user.providerId
           return userModel.save().then(() => {
-            res.redirect('/')
+            res.redirect("/")
           })
         })
-        .catch(err => {
+        .catch((err) => {
           return next(err)
         })
     } else {
       // Complete login with ORCID as primary account
-      req.logIn(user, { session: false }, err => {
+      req.logIn(user, { session: false }, (err) => {
         return next(err)
       })
     }

package/src/libs/authentication/{passport.js → passport.ts}

@@ -1,30 +1,40 @@
-import passport from 'passport'
-import refresh from 'passport-oauth2-refresh'
-import { Strategy as JwtStrategy } from 'passport-jwt'
-import { Strategy as GoogleStrategy } from 'passport-google-oauth20'
-import { Strategy as ORCIDStrategy } from 'passport-orcid'
-import config from '../../config.js'
-import User from '../../models/user'
-import { encrypt } from './crypto'
-import { addJWT, jwtFromRequest } from './jwt'
-import orcid from '../orcid.js'
+import passport from "passport"
+import refresh from "passport-oauth2-refresh"
+import { Strategy as JwtStrategy } from "passport-jwt"
+import { Strategy as GoogleStrategy } from "passport-google-oauth20"
+import { Strategy as ORCIDStrategy } from "passport-orcid"
+import config from "../../config"
+import User from "../../models/user"
+import { encrypt } from "./crypto"
+import { addJWT, jwtFromRequest } from "./jwt"
+import orcid from "../orcid"
 
 const PROVIDERS = {
-  GOOGLE: 'google',
-  ORCID: 'orcid',
+  GOOGLE: "google",
+  ORCID: "orcid",
 }
 
-const loadProfile = profile => {
+interface OauthProfile {
+  email: string
+  name: string
+  provider: string
+  providerId: string
+  orcid?: string
+  refresh?: string
+}
+
+const loadProfile = (profile): OauthProfile | Error => {
   if (profile.provider === PROVIDERS.GOOGLE) {
     // Get the account email from Google profile
     const primaryEmail = profile.emails
-      .filter(email => email.verified === true)
+      .filter((email) => email.verified === true)
       .shift()
     return {
       email: primaryEmail.value,
       name: profile.displayName,
       provider: profile.provider,
       providerId: profile.id,
+      refresh: undefined,
     }
   } else if (profile.provider === PROVIDERS.ORCID) {
     return {
@@ -33,19 +43,21 @@ const loadProfile = profile => {
       provider: profile.provider,
       providerId: profile.orcid,
       orcid: profile.orcid,
+      refresh: undefined,
     }
   } else {
     // Some unknown profile type
-    return new Error('Unhandled profile type.')
+    return new Error("Unhandled profile type.")
   }
 }
 
 export const verifyGoogleUser = (accessToken, refreshToken, profile, done) => {
   const profileUpdate = loadProfile(profile)
-  if (refreshToken && !(profileUpdate instanceof Error))
+  if (refreshToken && !(profileUpdate instanceof Error)) {
     profileUpdate.refresh = encrypt(refreshToken)
+  }
 
-  if ('email' in profileUpdate) {
+  if ("email" in profileUpdate) {
     // Look for an existing user
     User.findOneAndUpdate(
       {
@@ -55,8 +67,12 @@ export const verifyGoogleUser = (accessToken, refreshToken, profile, done) => {
       profileUpdate,
       { upsert: true, new: true, setDefaultsOnInsert: true },
     )
-      .then(user => done(null, addJWT(config)(user.toObject())))
-      .catch(err => done(err, null))
+      .then((user) => {
+        done(null, addJWT(config)(user.toObject()))
+      })
+      .catch((err) => {
+        done(err, null)
+      })
   } else {
     done(profileUpdate, null)
   }
@@ -72,7 +88,7 @@ export const verifyORCIDUser = (
   const token = `${profile.orcid}:${profile.access_token}`
   orcid
     .getProfile(token)
-    .then(info => {
+    .then((info) => {
       profile.info = info
       profile.provider = PROVIDERS.ORCID
       const profileUpdate = loadProfile(profile)
@@ -80,9 +96,9 @@ export const verifyORCIDUser = (
         { providerId: profile.orcid, provider: profile.provider },
         profileUpdate,
         { upsert: true, new: true, setDefaultsOnInsert: true },
-      ).then(user => done(null, addJWT(config)(user.toObject())))
+      ).then((user) => done(null, addJWT(config)(user.toObject())))
     })
-    .catch(err => done(err, null))
+    .catch((err) => done(err, null))
 }
 
 export const setupPassportAuth = () => {
@@ -93,13 +109,13 @@ export const setupPassportAuth = () => {
     const jwtStrategy = new JwtStrategy(
       { secretOrKey: config.auth.jwt.secret, jwtFromRequest },
       (jwt, done) => {
-        if (jwt.scopes?.includes('dataset:indexing')) {
+        if (jwt.scopes?.includes("dataset:indexing")) {
           done(null, {
             admin: false,
             blocked: false,
             indexer: true,
           })
-        } else if (jwt.scopes?.includes('dataset:reviewer')) {
+        } else if (jwt.scopes?.includes("dataset:reviewer")) {
           done(null, {
             admin: false,
             blocked: false,
@@ -109,7 +125,7 @@ export const setupPassportAuth = () => {
         } else {
           // A user must already exist to use a JWT to auth a request
           User.findOne({ id: jwt.sub, provider: jwt.provider })
-            .then(user => {
+            .then((user) => {
               if (user) done(null, user.toObject())
               else done(null, false)
             })
@@ -119,7 +135,7 @@ export const setupPassportAuth = () => {
     )
     passport.use(jwtStrategy)
   } else {
-    throw new Error('JWT_SECRET must be configured to allow authentication.')
+    throw new Error("JWT_SECRET must be configured to allow authentication.")
   }
 
   // Google first
@@ -129,7 +145,7 @@ export const setupPassportAuth = () => {
         clientID: config.auth.google.clientID,
         clientSecret: config.auth.google.clientSecret,
         callbackURL: `${config.url + config.apiPrefix}auth/google/callback`,
-        userProfileURL: 'https://www.googleapis.com/oauth2/v3/userinfo',
+        userProfileURL: "https://www.googleapis.com/oauth2/v3/userinfo",
       },
       verifyGoogleUser,
     )
@@ -141,9 +157,8 @@ export const setupPassportAuth = () => {
   if (config.auth.orcid.clientID && config.auth.orcid.clientSecret) {
     const orcidStrategy = new ORCIDStrategy(
       {
-        sandbox:
-          config.auth.orcid.apiURI &&
-          config.auth.orcid.apiURI.includes('sandbox'),
+        sandbox: config.auth.orcid.apiURI &&
+          config.auth.orcid.apiURI.includes("sandbox"),
         clientID: config.auth.orcid.clientID,
         clientSecret: config.auth.orcid.clientSecret,
         callbackURL: `${config.url + config.apiPrefix}auth/orcid/callback`,

package/src/libs/authentication/{states.js → states.ts}

@@ -1,10 +1,9 @@
 /** Middleware to check for authorization states on top of authentication */
 
-import Dataset from '../../models/dataset'
-import Permission from '../../models/permission'
-import Comment from '../../models/comment'
-import bidsId from '../bidsId'
-import mongoose from 'mongoose'
+import Dataset from "../../models/dataset"
+import Permission from "../../models/permission"
+import Comment from "../../models/comment"
+import mongoose from "mongoose"
 const ObjectID = mongoose.Schema.Types.ObjectId
 
 /**
@@ -17,7 +16,7 @@ export const authenticated = (req, res, next) => {
   if (req.isAuthenticated()) {
     return next()
   } else {
-    return res.status(401).send({ error: 'Not logged in.' })
+    return res.status(401).send({ error: "Not logged in." })
   }
 }
 
@@ -46,10 +45,10 @@ export const superuser = (req, res, next) => {
     if (req.user.admin) {
       return next()
     } else {
-      return res.status(401).send({ error: 'You do not have admin access.' })
+      return res.status(401).send({ error: "You do not have admin access." })
     }
   } else {
-    return res.status(401).send({ error: 'Not logged in.' })
+    return res.status(401).send({ error: "Not logged in." })
   }
 }
 
@@ -61,21 +60,19 @@ export const superuser = (req, res, next) => {
  * the request object.
  */
 export const datasetAccess = (req, res, next) => {
-  let datasetId = req.params.datasetId
+  const datasetId = req.params.datasetId
     ? req.params.datasetId
     : req.query.datasetId
 
-  datasetId = bidsId.decodeId(datasetId) // handle old dataset request methods that encode ids
-
   // check to make sure that the dataset exists
   return Dataset.findOne({ id: datasetId })
     .exec()
-    .then(dataset => {
+    .then((dataset) => {
       // if dataset does not exist, return 404 error
       if (!dataset) {
         return res
           .status(404)
-          .send({ error: 'The dataset you have requested does not exist.' })
+          .send({ error: "The dataset you have requested does not exist." })
       }
 
       // if there is no user option on the request,
@@ -92,19 +89,19 @@ export const datasetAccess = (req, res, next) => {
       // find permissions information for this user & dataset
       Permission.findOne({ datasetId: datasetId, userId: req.user.id })
         .exec()
-        .then(permission => {
+        .then((permission) => {
           if (permission) {
             req.hasAccess = true
             return next()
           } else {
             return res
               .status(401)
-              .send({ error: 'You do not have access to this dataset.' })
+              .send({ error: "You do not have access to this dataset." })
           }
         })
-        .catch(err => res.status(404).send(err))
+        .catch((err) => res.status(404).send(err))
     })
-    .catch(err => res.status(404).send(err))
+    .catch((err) => res.status(404).send(err))
 }
 
 /**
@@ -122,14 +119,14 @@ export const commentAccess = (req, res, next) => {
     _id: new ObjectID(commentId),
   })
     .exec()
-    .then(comment => {
+    .then((comment) => {
       if (comment.user._id === req.user.id) {
         return next()
       } else {
         return res
           .status(401)
-          .send({ error: 'You do not have access to this comment.' })
+          .send({ error: "You do not have access to this comment." })
       }
     })
-    .catch(err => res.status(404).send(err))
+    .catch((err) => res.status(404).send(err))
 }

package/src/libs/{counter.js → counter.ts}

@@ -1,4 +1,4 @@
-import Counter from '../models/counter'
+import Counter from "../models/counter"
 
 /**
  * Counter

package/src/libs/{datalad-service.js → datalad-service.ts}

@@ -1,5 +1,5 @@
-import crypto from 'crypto'
-import config from '../config'
+import crypto from "crypto"
+import config from "../config"
 
 /**
  * Map dataset IDs to a normal distribution of backend workers
@@ -7,8 +7,8 @@ import config from '../config'
  * @param {number} range Integer bound for offset from hash
  */
 export function hashDatasetToRange(dataset, range) {
-  const hash = crypto.createHash('sha1').update(dataset, 'utf8')
-  const hexstring = hash.digest().toString('hex')
+  const hash = crypto.createHash("sha1").update(dataset, "utf8")
+  const hexstring = hash.digest().toString("hex")
   return parseInt(hexstring.substring(32, 40), 16) % range
 }
 

package/src/libs/dataset.ts

@@ -0,0 +1,9 @@
+import { getNext } from "./counter"
+
+/**
+ * Returns the next accession number string
+ */
+export async function getAccessionNumber() {
+  const datasetNumber = (await getNext("datasets")) + 1000
+  return `ds${("000000" + datasetNumber).substr(-6, 6)}`
+}

package/src/libs/doi/__tests__/__snapshots__/doi.spec.ts.snap

@@ -0,0 +1,17 @@
+// Vitest Snapshot v1, https://vitest.dev/guide/snapshot.html
+
+exports[`DOI minting utils > template() > accepts expected arguments 1`] = `
+"<?xml version=\\"1.0\\" encoding=\\"UTF-8\\"?>
+<resource xmlns:xsi=\\"http://www.w3.org/2001/XMLSchema-instance\\" xmlns=\\"http://datacite.org/schema/kernel-4\\" xsi:schemaLocation=\\"http://datacite.org/schema/kernel-4 http://schema.datacite.org/meta/kernel-4/metadata.xsd\\">
+  <identifier identifierType=\\"DOI\\">12345</identifier>
+  <creators>
+  <creator><creatorName>A. User</creatorName></creator><creator><creatorName>B. User</creatorName></creator>
+  </creators>
+  <titles>
+    <title xml:lang=\\"en-us\\">Test Dataset</title>
+  </titles>
+  <publisher>Openneuro</publisher>
+  <publicationYear>1999</publicationYear>
+  <resourceType resourceTypeGeneral=\\"Dataset\\">fMRI</resourceType>
+</resource>"
+`;

package/src/libs/doi/__tests__/doi.spec.ts

@@ -0,0 +1,25 @@
+import { vi } from "vitest"
+import { formatBasicAuth, template } from "../index.js"
+
+vi.mock("ioredis")
+
+describe("DOI minting utils", () => {
+  describe("auth()", () => {
+    it("returns a base64 basic auth string", () => {
+      const doiConfig = { username: "test", password: "12345" }
+      expect(formatBasicAuth(doiConfig)).toBe("Basic dGVzdDoxMjM0NQ==")
+    })
+  })
+  describe("template()", () => {
+    it("accepts expected arguments", () => {
+      const context = {
+        doi: "12345",
+        creators: ["A. User", "B. User"],
+        title: "Test Dataset",
+        year: "1999",
+        resourceType: "fMRI",
+      }
+      expect(template(context)).toMatchSnapshot()
+    })
+  })
+})

package/src/libs/doi/__tests__/normalize.spec.ts

@@ -1,31 +1,31 @@
-import { vi } from 'vitest'
-import { normalizeDOI } from '../normalize'
+import { vi } from "vitest"
+import { normalizeDOI } from "../normalize"
 
-vi.mock('ioredis')
+vi.mock("ioredis")
 
-describe('DOI normalize utility', () => {
-  it('returns null for non-DOI input', () => {
-    expect(normalizeDOI('Sphinx of black quartz, judge my vow.')).toBe(null)
+describe("DOI normalize utility", () => {
+  it("returns null for non-DOI input", () => {
+    expect(normalizeDOI("Sphinx of black quartz, judge my vow.")).toBe(null)
   })
-  it('returns the raw DOI value from a raw input', () => {
-    expect(normalizeDOI('10.18112/openneuro.ds000001.v1.0.0')).toBe(
-      '10.18112/openneuro.ds000001.v1.0.0',
+  it("returns the raw DOI value from a raw input", () => {
+    expect(normalizeDOI("10.18112/openneuro.ds000001.v1.0.0")).toBe(
+      "10.18112/openneuro.ds000001.v1.0.0",
     )
   })
-  it('returns the raw DOI value from a URI input', () => {
-    expect(normalizeDOI('doi:10.18112/openneuro.ds000001.v1.0.0')).toBe(
-      '10.18112/openneuro.ds000001.v1.0.0',
+  it("returns the raw DOI value from a URI input", () => {
+    expect(normalizeDOI("doi:10.18112/openneuro.ds000001.v1.0.0")).toBe(
+      "10.18112/openneuro.ds000001.v1.0.0",
     )
-    expect(normalizeDOI('DOI:10.18112/openneuro.ds000001.v1.0.0')).toBe(
-      '10.18112/openneuro.ds000001.v1.0.0',
+    expect(normalizeDOI("DOI:10.18112/openneuro.ds000001.v1.0.0")).toBe(
+      "10.18112/openneuro.ds000001.v1.0.0",
     )
   })
-  it('returns the raw DOI value from a URI input', () => {
+  it("returns the raw DOI value from a URI input", () => {
     expect(
-      normalizeDOI('https://doi.org/10.18112/openneuro.ds000001.v1.0.0'),
-    ).toBe('10.18112/openneuro.ds000001.v1.0.0')
+      normalizeDOI("https://doi.org/10.18112/openneuro.ds000001.v1.0.0"),
+    ).toBe("10.18112/openneuro.ds000001.v1.0.0")
     expect(
-      normalizeDOI('HTTPS://DOI.ORG/10.18112/openneuro.ds000001.v1.0.0'),
-    ).toBe('10.18112/openneuro.ds000001.v1.0.0')
+      normalizeDOI("HTTPS://DOI.ORG/10.18112/openneuro.ds000001.v1.0.0"),
+    ).toBe("10.18112/openneuro.ds000001.v1.0.0")
   })
 })