@radio-garden/ditojs-server 2.85.2-0.5067ad799

package/src/middleware/handleUser.js

@@ -0,0 +1,31 @@
+export function handleUser() {
+  return (ctx, next) => {
+    // Attach a logger instance with the user to the context.
+    ctx.logger = ctx.logger?.child({ user: ctx.state.user }) || null
+
+    // Override `ctx.login()` and `ctx.logout()` with versions that emit events
+    // on the user model:
+    const { login, logout } = ctx
+
+    ctx.login = ctx.logIn = async function (user, options = {}) {
+      await user.$emit('before:login', options)
+      await login.call(this, user, options)
+      await user.$emit('after:login', options)
+    }
+
+    ctx.logout = ctx.logOut = async function (options = {}) {
+      const { user } = ctx.state
+      await user?.$emit('before:logout', options)
+      await logout.call(this, options)
+      // Clear the session after logout, apparently koa-passport doesn't take
+      // care of this itself:
+      // https://stackoverflow.com/questions/55818887/koa-passport-logout-is-not-clearing-session
+      ctx.session = null
+      await user?.$emit('after:logout', options)
+    }
+
+    return next()
+    // Don't set back `ctx.logger` because the context is still valid. It is
+    // used in `logResponse()` of the `logRequests()` middleware, among others.
+  }
+}

package/src/middleware/index.js

@@ -0,0 +1,11 @@
+export * from './attachLogger.js'
+export * from './createTransaction.js'
+export * from './extendContext.js'
+export * from './findRoute.js'
+export * from './handleConnectMiddleware.js'
+export * from './handleError.js'
+export * from './handleRoute.js'
+export * from './handleSession.js'
+export * from './handleUser.js'
+export * from './logRequests.js'
+export * from './setupRequestStorage.js'

package/src/middleware/logRequests.js

@@ -0,0 +1,125 @@
+/*
+ * Middleware inspired by 'koa-logger'. Adapted and extended to our needs.
+ */
+import bytes from 'bytes'
+import pico from 'picocolors'
+import Counter from 'passthrough-counter'
+
+export function logRequests({ ignoreUrlPattern } = {}) {
+  return async (ctx, next) => {
+    if (ignoreUrlPattern && ctx.req.url.match(ignoreUrlPattern)) {
+      return next()
+    }
+    // request
+    const start = performance.now()
+
+    logRequest(ctx)
+
+    try {
+      await next()
+    } catch (err) {
+      logResponse({ ctx, start, err })
+      throw err
+    }
+
+    // Calculate the length of a streaming response by intercepting the stream
+    // with a counter. Only necessary if a content-length header is currently
+    // not set.
+    const {
+      body,
+      response: { length }
+    } = ctx
+
+    let counter
+    if (length === null && body?.readable) {
+      ctx.body = body.pipe((counter = new Counter())).on('error', ctx.onerror)
+    }
+
+    // Log when the response is finished or closed, whichever happens first.
+    const { res } = ctx
+
+    const onfinish = done.bind(null, 'finish')
+    const onclose = done.bind(null, 'close')
+
+    res.once('finish', onfinish)
+    res.once('close', onclose)
+
+    function done() {
+      res.removeListener('finish', onfinish)
+      res.removeListener('close', onclose)
+      logResponse({ ctx, start, length: counter ? counter.length : length })
+    }
+  }
+}
+
+function logRequest(ctx) {
+  const logger = ctx.logger?.child({ name: 'http' })
+  if (logger?.isLevelEnabled('trace')) {
+    logger.trace(
+      { req: ctx.req },
+      `${
+        pico.gray('<--')
+      } ${
+        pico.bold(ctx.method)
+      } ${
+        pico.gray(ctx.originalUrl)
+      }`
+    )
+  }
+}
+
+function logResponse({ ctx, start, length, err }) {
+  const logger = ctx.logger?.child({ name: 'http' })
+  const level = err ? 'warn' : 'info'
+  if (logger?.isLevelEnabled(level)) {
+    // Get the status code of the response
+    const status = err
+      ? err.status || 500
+      : ctx.status || 404
+
+    // Set the color of the status code;
+    const statusRange = (status / 100) | 0
+    const statusColor = colorCodes[statusRange] || colorCodes[0]
+
+    // Get the human readable response length
+    const formattedLength = [204, 205, 304].includes(status)
+      ? ''
+      : length == null
+        ? '-'
+        : bytes(length).toLowerCase()
+
+    const formattedTime = formatTime(start)
+
+    logger[level](
+      { req: ctx.req, res: ctx.res },
+      `${
+        pico.bold(ctx.method)
+      } ${
+        pico.gray(ctx.originalUrl)
+      } ${
+        pico[statusColor](status)
+      } ${
+        pico.gray(formattedTime)
+      } ${
+        pico.gray(formattedLength)
+      }`
+    )
+  }
+}
+
+function formatTime(start) {
+  const delta = performance.now() - start
+  return delta < 10000
+    ? +delta.toFixed(2) + 'ms'
+    : +(delta / 1000).toFixed(2) + 's'
+}
+
+const colorCodes = {
+  7: 'magenta',
+  5: 'red',
+  4: 'yellow',
+  3: 'cyan',
+  2: 'green',
+  1: 'green',
+  0: 'yellow'
+}

package/src/middleware/setupRequestStorage.js

@@ -0,0 +1,14 @@
+export function setupRequestStorage(requestStorage) {
+  return (ctx, next) =>
+    requestStorage.run(
+      {
+        get transaction() {
+          return ctx.transaction
+        },
+        get logger() {
+          return ctx.logger
+        }
+      },
+      next
+    )
+}

package/src/mixins/AssetMixin.js

@@ -0,0 +1,78 @@
+import { mixin } from '@ditojs/utils'
+import { TimeStampedMixin } from './TimeStampedMixin.js'
+
+// Asset models are always to be time-stamped:
+export const AssetMixin = mixin(
+  Model =>
+    class extends TimeStampedMixin(Model) {
+      static properties = {
+        key: {
+          type: 'string',
+          required: true,
+          unique: true,
+          index: true
+        },
+
+        file: {
+          type: 'object',
+          // TODO: Support this on 'object':
+          // required: true
+          properties: {
+            // The unique key within the storage (uuid/v4 + file extension)
+            key: {
+              type: 'string',
+              required: true
+            },
+            // The original filename, and display name when file is shown
+            name: {
+              type: 'string',
+              required: true
+            },
+            // The file's mime-type
+            type: {
+              type: 'string',
+              required: true
+            },
+            // The amount of bytes consumed by the file
+            size: {
+              type: 'integer',
+              required: true
+            },
+            // Use for storages configured for files to be publicly accessible:
+            url: {
+              type: 'string'
+            },
+            // These are only used when the storage defines
+            // `config.readDimensions`:
+            width: {
+              type: 'integer'
+            },
+            height: {
+              type: 'integer'
+            }
+          }
+        },
+
+        storage: {
+          type: 'string',
+          required: true
+        },
+
+        count: {
+          type: 'integer',
+          unsigned: true,
+          default: 0
+        }
+      }
+
+      // @override
+      $parseJson(json) {
+        const { file, storage } = json
+        // Convert `AssetMixin#file` to an `AssetFile` instance:
+        if (file && storage) {
+          this.constructor.app.getStorage(storage)?.convertAssetFile(file)
+        }
+        return json
+      }
+    }
+)

package/src/mixins/SessionMixin.js

@@ -0,0 +1,17 @@
+import { mixin } from '@ditojs/utils'
+
+export const SessionMixin = mixin(
+  Model =>
+    class extends Model {
+      static properties = {
+        id: {
+          type: 'string',
+          primary: true
+        },
+
+        value: {
+          type: 'object'
+        }
+      }
+    }
+)

package/src/mixins/TimeStampedMixin.js

@@ -0,0 +1,41 @@
+import { mixin } from '@ditojs/utils'
+
+export const TimeStampedMixin = mixin(
+  Model =>
+    class extends Model {
+      static properties = {
+        createdAt: {
+          type: 'timestamp',
+          default: 'now()'
+        },
+
+        updatedAt: {
+          type: 'timestamp',
+          default: 'now()'
+        }
+      }
+
+      static scopes = {
+        timeStamped: query =>
+          query
+            .select('createdAt', 'updatedAt')
+      }
+
+      static hooks = {
+        'before:insert'({ inputItems }) {
+          const now = new Date()
+          for (const item of inputItems) {
+            item.createdAt = now
+            item.updatedAt = now
+          }
+        },
+
+        'before:update'({ inputItems }) {
+          const now = new Date()
+          for (const item of inputItems) {
+            item.updatedAt = now
+          }
+        }
+      }
+    }
+)

package/src/mixins/UserMixin.js

@@ -0,0 +1,171 @@
+import bcrypt from 'bcryptjs'
+import passport from 'koa-passport'
+import { Strategy as LocalStrategy } from 'passport-local'
+import { mixin, asArray } from '@ditojs/utils'
+import { AuthenticationError } from '../errors/index.js'
+
+export const UserMixin = mixin(
+  Model =>
+    class extends Model {
+      static options = {
+        usernameProperty: 'username',
+        passwordProperty: 'password',
+        // This option can be used to specify (eager) scopes to be applied when
+        // the user is deserialized from the session.
+        sessionScope: undefined
+      }
+
+      static get properties() {
+        const {
+          usernameProperty,
+          passwordProperty
+        } = this.definition.options
+        return {
+          [usernameProperty]: {
+            type: 'string',
+            required: true
+          },
+
+          // `password` isn't stored, but this is required for validation:
+          [passwordProperty]: {
+            type: 'string',
+            computed: true
+          },
+
+          hash: {
+            type: 'string',
+            hidden: true
+          },
+
+          lastLogin: {
+            type: 'timestamp',
+            nullable: true
+          }
+        }
+      }
+
+      get password() {
+        // Nice try ;)
+        return undefined
+      }
+
+      set password(password) {
+        this.hash = bcrypt.hashSync(password, bcrypt.genSaltSync(10))
+      }
+
+      async $verifyPassword(password) {
+        return bcrypt.compare(password, this.hash)
+      }
+
+      $hasRole(...roles) {
+        // Support an optional `roles` array on the model that can contain roles
+        return this.roles?.find(role => roles.includes(role)) || false
+      }
+
+      $hasOwner(owner) {
+        return this.$is(owner)
+      }
+
+      $isLoggedIn(ctx) {
+        return this.$is(ctx.state.user)
+      }
+
+      static setup() {
+        userClasses[this.name] = this
+        const {
+          usernameProperty,
+          passwordProperty
+        } = this.definition.options
+        passport.use(
+          this.name,
+          new LocalStrategy(
+            {
+              usernameField: usernameProperty,
+              passwordField: passwordProperty,
+              // Wee need the `req` object, so we can get the active database
+              // transaction through `req.ctx.transaction`:
+              passReqToCallback: true
+            },
+            async (req, username, password, done) => {
+              try {
+                const user = await this.sessionQuery(
+                  req.ctx.transaction
+                ).findOne(usernameProperty, username)
+                const res =
+                  user && (await user.$verifyPassword(password))
+                    ? user
+                    : null
+                done(null, res)
+              } catch (err) {
+                done(err)
+              }
+            }
+          )
+        )
+      }
+
+      static async login(ctx, options) {
+        // Unfortunately koa-passport isn't promisified yet so do some wrapping:
+        return new Promise((resolve, reject) => {
+          // Use a custom callback to handle authentication, see:
+          // http://www.passportjs.org/docs/downloads/html/#custom-callback
+          passport.authenticate(
+            this.name,
+            async (err, user, message, status) => {
+              if (err) {
+                reject(err)
+              } else if (user) {
+                try {
+                  await ctx.login(user, options)
+                  resolve(user)
+                } catch (err) {
+                  reject(err)
+                }
+              } else {
+                reject(
+                  new AuthenticationError(
+                    message || 'Password or username is incorrect',
+                    status
+                  )
+                )
+              }
+            }
+          )(ctx)
+        })
+      }
+
+      static sessionQuery(trx) {
+        return this.query(trx).withScope(
+          ...asArray(this.definition.options.sessionScope)
+        )
+      }
+    }
+)
+
+const userClasses = {}
+
+// NOTE: We can't use toCallback() here since passport checks function arity to
+// determine sequence of arguments received, and `req` would not be included:
+passport.serializeUser((req, user, done) => {
+  // To support multiple user model classes, use both the model class name and
+  // id as identifier.
+  const modelName = user?.constructor.name
+  const identifier =
+    modelName && userClasses[modelName]
+      ? `${modelName}-${user.id}`
+      : null
+  done(null, identifier)
+})
+
+passport.deserializeUser(async (req, identifier, done) => {
+  const [modelName, userId] = identifier.split('-')
+  const userClass = userClasses[modelName]
+  try {
+    const user = userClass
+      ? await userClass.sessionQuery(req.ctx.transaction).findById(userId)
+      : null
+    done(null, user)
+  } catch (err) {
+    done(err)
+  }
+})

package/src/mixins/index.js

@@ -0,0 +1,4 @@
+export * from './AssetMixin.js'
+export * from './SessionMixin.js'
+export * from './TimeStampedMixin.js'
+export * from './UserMixin.js'

package/src/models/AssetModel.js

@@ -0,0 +1,4 @@
+import { AssetMixin } from '../mixins/index.js'
+import { Model } from './Model.js'
+
+export const AssetModel = AssetMixin(Model)