npm - @ozdao/martyrs - Versions diffs - 0.2.564 → 0.2.565 - Mend

@ozdao/martyrs 0.2.564 → 0.2.565

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (279) hide show

package/src/modules/core/controllers/classes/abac/abac.adapter.express.js CHANGED Viewed

@@ -4,191 +4,273 @@ export default class ABACExpressAdapter {
     this.abac = abac;
   }
+  /**
+   * Основной middleware - разделен на составные части
+   */
   middleware(resource, action, options = {}) {
+    const middlewares = [];
+    // 1. Access control
+    middlewares.push(this._accessMiddleware(resource, action, options));
+    // 2. Field validation (если включена)
+    if (options.checkFields) {
+      middlewares.push(this._fieldsValidationMiddleware(resource, action, options));
+    }
+    return middlewares;
+  }
+  /**
+   * Middleware проверки доступа
+   * @private
+   */
+  _accessMiddleware(resource, action, options = {}) {
     return async (req, res, next) => {
       try {
-        const context = {
-          user: req.userId,
-          resource,
-          action,
-          req,
-          data: {
-            ...req.body,
-            ...req.query,
-            params: req.params,
-          },
-          params: req.params,
-          customPolicies: options.policies || {},
-          options
-        };
+        const context = this._buildContext(req, resource, action, options);
         const accessResult = await this.abac.checkAccess(context, context.customPolicies);
         if (!accessResult.allow) {
-          return res.status(403).json({
-            error: {
-              code: 'ACCESS_DENIED',
-              message: accessResult.reason
-            }
-          });
+          return this._sendAccessDenied(res, accessResult.reason);
         }
-        // Проверка полей если включена
-        if (options.checkFields) {
-          const fieldsResult = await this.abac.checkFields(context, req.body, action);
-          if (fieldsResult.errors.length > 0 && options.strictFieldsMode) {
-            return res.status(400).json({
-              error: {
-                code: 'FIELD_VALIDATION_ERROR',
-                fields: fieldsResult.errors
-              }
-            });
-          }
-          // Заменяем body отфильтрованными данными
-          req.body = fieldsResult.allowed;
-          req.abacFieldsResult = fieldsResult;
-        }
+        // Сохраняем результат для последующих middleware
+        req.abacContext = context;
+        req.abacAccessResult = accessResult;
+        next();
+      } catch (error) {
+        this.abac.logger?.error('ABAC middleware error', {
+          resource,
+          action,
+          error: error.message,
+          stack: error.stack
+        });
+        return this._sendError(res);
+      }
+    };
+  }
+  /**
+   * Middleware проверки полей
+   * @private
+   */
+  _fieldsValidationMiddleware(resource, action, options = {}) {
+    return async (req, res, next) => {
+      try {
+        const context = req.abacContext || this._buildContext(req, resource, action, options);
+        const fieldsResult = await this.abac.checkFields(context, req.body, action);
+        if (fieldsResult.errors.length > 0 && options.strictFieldsMode) {
+          return this._sendFieldError(res, fieldsResult.errors);
+        }
+        // Заменяем body отфильтрованными данными
+        req.body = fieldsResult.allowed;
+        req.abacFieldsResult = fieldsResult;
         next();
       } catch (error) {
-        console.error('ABAC middleware error:', error);
-        res.status(500).json({
-          error: {
-            code: 'INTERNAL_ERROR',
-            message: 'Access control error'
-          }
+        this.abac.logger?.error('Fields middleware error', {
+          resource,
+          action,
+          error: error.message
         });
+        if (options.passErrors) {
+          next(error);
+        } else {
+          return this._sendError(res);
+        }
       }
     };
   }
+  /**
+   * Построение контекста
+   * @private
+   */
+  _buildContext(req, resource, action, options = {}) {
+    return {
+      user: req.userId,
+      resource,
+      action,
+      req,
+      // НЕ смешиваем body и query - передаем структурированно
+      data: {
+        body: req.body || {},
+        query: req.query || {},
+        params: req.params || {}
+      },
+      params: req.params,
+      customPolicies: options.policies || {},
+      options
+    };
+  }
+  /**
+   * Policy middleware
+   */
   policyMiddleware(policyNames = [], customPolicies = {}, options = {}) {
     return async (req, res, next) => {
       try {
-        const context = {
-          user: req.userId,
-          resource: options.resource || 'custom',
-          action: options.action || 'access',
-          req,
-          data: {
-            ...req.body,
-            ...req.query,
-            params: req.params,
-          },
-          params: req.params,
+        const context = this._buildContext(
+          req,
+          options.resource || 'custom',
+          options.action || 'access',
           options
-        };
+        );
         const result = await this.abac.checkPolicies(context, policyNames, customPolicies);
         if (!result.allow) {
-          return res.status(403).json({
-            error: {
-              code: 'POLICY_DENIED',
-              message: result.reason
-            }
-          });
+          return this._sendPolicyDenied(res, result.reason);
         }
+        req.abacPolicyResult = result;
         next();
       } catch (error) {
-        console.error('Policy middleware error:', error);
-        res.status(500).json({
-          error: {
-            code: 'INTERNAL_ERROR',
-            message: 'Policy check error'
-          }
+        this.abac.logger?.error('Policy middleware error', {
+          policies: policyNames,
+          error: error.message
         });
+        return this._sendError(res);
       }
     };
   }
+  /**
+   * Fields middleware для проверки/трансформации полей
+   */
   fieldsMiddleware(resource, options = {}) {
     return async (req, res, next) => {
       try {
         // Определяем action из метода запроса
-        const methodActionMap = {
-          'GET': 'read',
-          'POST': 'create',
-          'PUT': 'update',
-          'PATCH': 'update',
-          'DELETE': 'delete'
-        };
-        const action = options.action || methodActionMap[req.method] || 'access';
-        const context = {
-          user: req.userId,
-          resource,
-          action,
-          req,
-          data: {
-            ...req.body,
-            ...req.query,
-            params: req.params,
-          },
-          params: req.params,
-          options
-        };
+        const action = options.action || this._getActionFromMethod(req.method);
+        const context = this._buildContext(req, resource, action, options);
         // Определяем какие данные проверять
-        let dataToCheck = req.body;
-        // Для GET запросов проверяем query параметры
-        if (req.method === 'GET' && options.checkQuery) {
-          dataToCheck = req.query;
-        }
-        // Для ответов проверяем res.locals.data
-        if (options.checkResponse && res.locals.data) {
-          dataToCheck = res.locals.data;
-        }
+        let dataToCheck = this._getDataToCheck(req, res, options);
         const fieldsResult = await this.abac.checkFields(context, dataToCheck, action);
         // Обработка ошибок
         if (fieldsResult.errors.length > 0) {
           if (options.strictMode) {
-            return res.status(400).json({
-              error: {
-                code: 'FIELD_VALIDATION_ERROR',
-                fields: fieldsResult.errors
-              }
-            });
+            return this._sendFieldError(res, fieldsResult.errors);
           }
           // В нестрогом режиме логируем ошибки
-          console.warn('Field validation errors:', fieldsResult.errors);
+          this.abac.logger?.warn('Field validation errors', {
+            resource,
+            action,
+            errors: fieldsResult.errors
+          });
         }
         // Применяем результаты
-        if (req.method === 'GET' && options.checkQuery) {
-          req.query = fieldsResult.allowed;
-        } else if (options.checkResponse && res.locals.data) {
-          res.locals.data = fieldsResult.transformed || fieldsResult.allowed;
-        } else {
-          req.body = fieldsResult.allowed;
-        }
+        this._applyFieldsResult(req, res, options, fieldsResult);
-        // Сохраняем результат для дальнейшего использования
+        // Сохраняем результат
         req.abacFieldsResult = fieldsResult;
         next();
       } catch (error) {
-        console.error('Fields middleware error:', error);
+        this.abac.logger?.error('Fields middleware error', {
+          resource,
+          error: error.message
+        });
         if (options.passErrors) {
           next(error);
         } else {
-          res.status(500).json({
-            error: {
-              code: 'INTERNAL_ERROR',
-              message: 'Field check error'
-            }
-          });
+          return this._sendError(res);
         }
       }
     };
   }
+  /**
+   * Получение action из HTTP метода
+   * @private
+   */
+  _getActionFromMethod(method) {
+    const methodActionMap = {
+      'GET': 'read',
+      'POST': 'create',
+      'PUT': 'update',
+      'PATCH': 'update',
+      'DELETE': 'delete'
+    };
+    return methodActionMap[method] || 'access';
+  }
+  /**
+   * Определение данных для проверки
+   * @private
+   */
+  _getDataToCheck(req, res, options) {
+    if (req.method === 'GET' && options.checkQuery) {
+      return req.query;
+    }
+    if (options.checkResponse && res.locals.data) {
+      return res.locals.data;
+    }
+    return req.body;
+  }
+  /**
+   * Применение результатов проверки полей
+   * @private
+   */
+  _applyFieldsResult(req, res, options, fieldsResult) {
+    if (req.method === 'GET' && options.checkQuery) {
+      req.query = fieldsResult.allowed;
+    } else if (options.checkResponse && res.locals.data) {
+      res.locals.data = fieldsResult.transformed || fieldsResult.allowed;
+    } else {
+      req.body = fieldsResult.allowed;
+    }
+  }
+  /**
+   * Отправка ошибок - унифицированные методы
+   * @private
+   */
+  _sendAccessDenied(res, reason) {
+    return res.status(403).json({
+      error: {
+        code: 'ACCESS_DENIED',
+        message: reason
+      }
+    });
+  }
+  _sendPolicyDenied(res, reason) {
+    return res.status(403).json({
+      error: {
+        code: 'POLICY_DENIED',
+        message: reason
+      }
+    });
+  }
+  _sendFieldError(res, errors) {
+    return res.status(400).json({
+      error: {
+        code: 'FIELD_VALIDATION_ERROR',
+        fields: errors
+      }
+    });
+  }
+  _sendError(res) {
+    return res.status(500).json({
+      error: {
+        code: 'INTERNAL_ERROR',
+        message: 'Access control error'
+      }
+    });
+  }
 }

package/src/modules/core/controllers/classes/abac/abac.adapter.ws.js CHANGED Viewed

@@ -4,81 +4,234 @@ export default class ABACWebSocketAdapter {
     this.abac = abac;
   }
+  /**
+   * WebSocket handler для проверки доступа
+   * @param {string} moduleName - Имя модуля
+   * @param {Object} [options] - Опции
+   * @returns {Function} Handler функция
+   */
   handler(moduleName, options = {}) {
     return async (ws, message) => {
       try {
         const { action = 'access', resource = moduleName } = options;
-        const context = {
-          user: ws.userId,
-          resource,
-          action,
-          data: message,
-          socket: ws,
-          customPolicies: options.policies || {}
-        };
+        const context = this._buildContext(ws, resource, action, message, options);
         const accessResult = await this.abac.checkAccess(context, context.customPolicies);
         if (!accessResult.allow) {
-          ws.send(JSON.stringify({
-            type: 'error',
-            error: {
-              code: 'ACCESS_DENIED',
-              message: accessResult.reason
-            }
-          }));
+          await this._sendError(ws, 'ACCESS_DENIED', accessResult.reason);
           return false;
         }
+        // Проверка полей если включена
+        if (options.checkFields && message) {
+          const fieldsResult = await this.abac.checkFields(context, message, action);
+          if (fieldsResult.errors.length > 0 && options.strictFieldsMode) {
+            await this._sendError(ws, 'FIELD_VALIDATION_ERROR', 'Field validation failed', {
+              fields: fieldsResult.errors
+            });
+            return false;
+          }
+          // Возвращаем отфильтрованные данные
+          return {
+            allowed: true,
+            data: fieldsResult.transformed || fieldsResult.allowed,
+            fieldsResult
+          };
+        }
         return true;
       } catch (error) {
-        console.error('WebSocket access control error:', error);
-        ws.send(JSON.stringify({
-          type: 'error',
-          error: {
-            code: 'INTERNAL_ERROR',
-            message: 'Access control error'
-          }
-        }));
+        this.abac.logger?.error('WebSocket access control error', {
+          module: moduleName,
+          error: error.message,
+          stack: error.stack
+        });
+        await this._sendError(ws, 'INTERNAL_ERROR', 'Access control error');
         return false;
       }
     };
   }
-  // Метод для RPC вызовов через WebSocket
+  /**
+   * RPC handler для вызовов через WebSocket
+   * @param {string} module - Модуль
+   * @param {string} method - Метод
+   * @param {Object} [options] - Опции
+   * @returns {Function} RPC handler
+   */
   rpcHandler(module, method, options = {}) {
-    return async (params, context) => {
-      const abacContext = {
-        user: context.userId,
-        resource: module,
-        action: method,
-        data: params,
-        socket: context.ws,
-        customPolicies: options.policies || {}
-      };
+    return async (params, rpcContext) => {
+      try {
+        const context = this._buildRPCContext(rpcContext, module, method, params, options);
+        const accessResult = await this.abac.checkAccess(context, context.customPolicies);
+        if (!accessResult.allow) {
+          throw new RPCError('ACCESS_DENIED', accessResult.reason);
+        }
-      const accessResult = await this.abac.checkAccess(abacContext, abacContext.customPolicies);
-      if (!accessResult.allow) {
-        throw new Error(accessResult.reason);
+        // Проверка полей если нужно
+        if (options.checkFields && params) {
+          const fieldsResult = await this.abac.checkFields(context, params, method);
+          if (fieldsResult.errors.length > 0) {
+            if (options.strictFieldsMode) {
+              throw new RPCError(
+                'FIELD_VALIDATION_ERROR',
+                `Fields validation failed: ${fieldsResult.errors.map(e => e.path).join(', ')}`
+              );
+            }
+            // Логируем ошибки в нестрогом режиме
+            this.abac.logger?.warn('RPC field validation errors', {
+              module,
+              method,
+              errors: fieldsResult.errors
+            });
+          }
+          // Возвращаем трансформированные данные
+          return fieldsResult.transformed || fieldsResult.allowed;
+        }
+        return params;
+      } catch (error) {
+        // Пробрасываем RPC ошибки как есть
+        if (error instanceof RPCError) {
+          throw error;
+        }
+        this.abac.logger?.error('RPC access control error', {
+          module,
+          method,
+          error: error.message,
+          stack: error.stack
+        });
+        throw new RPCError('INTERNAL_ERROR', 'Access control error');
       }
+    };
+  }
-      // Проверка полей если нужно
-      if (options.checkFields && params) {
-        const fieldsResult = await this.abac.checkFields(abacContext, params, method);
-        if (fieldsResult.denied.length > 0) {
-          if (options.strictFieldsMode) {
-            throw new Error(`Fields access denied: ${fieldsResult.denied.map(d => d.path).join(', ')}`);
-          }
-          // Возвращаем только разрешенные поля
-          return fieldsResult.allowed;
+  /**
+   * Middleware для обработки WebSocket сообщений
+   * @param {Object} [options] - Опции
+   * @returns {Function} Middleware функция
+   */
+  messageMiddleware(options = {}) {
+    return async (ws, message, next) => {
+      try {
+        const { resource = 'message', action = 'send' } = options;
+        const context = this._buildContext(ws, resource, action, message, options);
+        const accessResult = await this.abac.checkAccess(context, options.policies || {});
+        if (!accessResult.allow) {
+          await this._sendError(ws, 'ACCESS_DENIED', accessResult.reason);
+          return;
         }
-        // Возвращаем трансформированные данные если есть
-        return fieldsResult.transformed || params;
+        // Сохраняем результат в контексте WS
+        ws.abacContext = context;
+        ws.abacAccessResult = accessResult;
+        next();
+      } catch (error) {
+        this.abac.logger?.error('WebSocket middleware error', {
+          error: error.message
+        });
+        await this._sendError(ws, 'INTERNAL_ERROR', 'Access control error');
+      }
+    };
+  }
+  /**
+   * Построение контекста для WebSocket
+   * @private
+   */
+  _buildContext(ws, resource, action, data, options) {
+    return {
+      user: ws.userId || ws.user?.id,
+      resource,
+      action,
+      data: data || {},
+      socket: ws,
+      customPolicies: options.policies || {},
+      options,
+      // Дополнительная информация о соединении
+      connectionInfo: {
+        id: ws.id,
+        remoteAddress: ws._socket?.remoteAddress,
+        protocol: ws.protocol,
+        readyState: ws.readyState
       }
+    };
+  }
-      return params;
+  /**
+   * Построение контекста для RPC
+   * @private
+   */
+  _buildRPCContext(rpcContext, module, method, params, options) {
+    return {
+      user: rpcContext.userId || rpcContext.user?.id,
+      resource: module,
+      action: method,
+      data: params || {},
+      socket: rpcContext.ws,
+      customPolicies: options.policies || {},
+      options,
+      rpcInfo: {
+        id: rpcContext.id,
+        module,
+        method,
+        timestamp: new Date().toISOString()
+      }
     };
   }
+  /**
+   * Отправка ошибки через WebSocket
+   * @private
+   */
+  async _sendError(ws, code, message, details = {}) {
+    if (ws.readyState !== 1) { // WebSocket.OPEN
+      return;
+    }
+    try {
+      const errorMessage = JSON.stringify({
+        type: 'error',
+        error: {
+          code,
+          message,
+          ...details
+        },
+        timestamp: new Date().toISOString()
+      });
+      ws.send(errorMessage);
+    } catch (error) {
+      this.abac.logger?.error('Failed to send WebSocket error', {
+        originalError: { code, message },
+        sendError: error.message
+      });
+    }
+  }
+}
+/**
+ * Класс для RPC ошибок
+ */
+class RPCError extends Error {
+  constructor(code, message, details = {}) {
+    super(message);
+    this.name = 'RPCError';
+    this.code = code;
+    this.details = details;
+  }
 }