@rpcbase/server 0.380.0 → 0.382.0

package/src/access-control/hooks/query_pre_delete.js

@@ -1,30 +0,0 @@
-/* @flow */
-const apply_policies = require("../apply_policies")
-
-
-module.exports = (schema) => async function(next) {
-  const model_name = this.model.modelName
-  const collection_name = this.model.collection.name
-
-  console.log("DELETE PLUGIN GET OPTIONS", this.getOptions())
-
-  const operation = "delete"
-
-  if (this.op !== "findOneAndDelete") {
-    throw new Error(`in pre_delete unknown operation: ${this.op}`)
-  }
-
-  const user_id = this.options.ctx.req.session.user_id
-
-  const filter = this.getFilter()
-  const doc = await this.model.findOne(filter)
-
-  // check if user has permission to delete
-  const err = await apply_policies({collection_name, model_name, operation, user_id, doc})
-  if (err) {
-    console.error(err)
-    return
-  }
-
-  next()
-}

package/src/access-control/index.js

@@ -1,6 +0,0 @@
-/* @flow */
-const mongoose_plugin = require("./mongoose_plugin")
-
-module.exports = (mongoose) => {
-  mongoose.plugin(mongoose_plugin)
-}

package/src/access-control/mongoose_plugin.js

@@ -1,136 +0,0 @@
-const assert = require("assert")
-const debug = require("debug")
-
-const get_added_fields = require("./get_added_fields")
-const apply_policies = require("./apply_policies")
-
-// hooks
-const query_pre_delete = require("./hooks/query_pre_delete")
-
-
-const log = debug("rb:acl")
-
-const QUERY = {document: false, query: true}
-const DOC_OPTIONS = {document: true, query: false}
-
-const get_query_middleware = (op) => (schema) => async function(next, save_options) {
-
-  // TODO: this is wrong (AND BREAKS ACL)
-  // when no save options, it's a sub schema, we don't want acl on those
-  // if (!save_options) {
-  //   next()
-  //   console.log("has returned")
-  //   return
-  // }
-
-  const collection_name = this.model.collection.name
-  const model_name = this.model.modelName
-
-  assert(model_name, "cannot find model_name for query")
-  assert(collection_name, "cannot find collection_name for query")
-
-  const options = this.getOptions()
-  const user_id = options.ctx?.req?.session?.user_id
-
-  // console
-
-  // client requests should always be authenticated?
-  if (options.is_client && !user_id) {
-    throw new Error("expected user_id in client request")
-  }
-  // skip if no ctx::user_id (=> is from admin)
-  else if (!user_id) {
-    log("mongoose_plugin: NO USER ID, skipping")
-    return next()
-  }
-
-  const errors = await apply_policies({collection_name, model_name, operation: "read", user_id, doc: this})
-
-  if (errors?.length > 0) {
-    throw new AggregateError(errors, "access-control policies error")
-  }
-
-  log("access-control will continue")
-  next()
-}
-
-
-// https://mongoosejs.com/docs/middleware.html#types-of-middleware
-const mongoose_plugin = async function(schema, options) {
-  // TODO: should strict be true here??
-  schema.options.strict = false
-  // TODO:
-  // DANGER: strictQuery to true silently DROPS filter params
-  // which can be a critical security risk
-  schema.options.strictQuery = false
-
-  // TODO: acl should be explicitly on by default and only if set to false in schema definition we remove it
-  if (!schema.options.isSubSchema && schema.options.acl !== false) {
-    // Add Access Control fields to top level schemas
-    schema.add(get_added_fields())
-  }
-
-  // Queries
-  schema.pre("find", QUERY, get_query_middleware("find")(schema))
-  schema.pre("findOne", QUERY, get_query_middleware("findOne")(schema))
-  // TODO: add countDocuments, estimatedDocumentCount
-  // aggregate
-  schema.pre("findOneAndDelete", QUERY, query_pre_delete(schema))
-
-  // Documents create and save
-  schema.pre("save", DOC_OPTIONS, async function(next, save_options) {
-    if (this.$isSubdocument) {
-      return next()
-    }
-
-    const model_name = this.constructor.modelName
-    assert(model_name, "doc pre save model_name is undefined")
-
-    const collection_name = this.constructor.collection.name
-    assert(collection_name, "doc pre save collection_name is undefined")
-
-    const {ctx} = save_options
-
-    // when no context, assume admin mode and authorize op
-    if (!ctx) {
-      this._created_at = new Date
-      next()
-    }
-
-    const user_id = ctx.req.session?.user_id
-
-    const fields = this.modifiedPaths({includeChildren: true})
-
-    const doc = this
-    // Create
-    if (this.isNew) {
-      const err = await apply_policies({collection_name, model_name, operation: "create", fields, user_id, doc})
-      if (err) {
-        console.warn(err)
-        return
-      }
-      if (!this._owners.includes(user_id)) {
-        this._owners.push(user_id)
-      }
-      this._created_by = user_id
-      this._created_at = new Date
-      next()
-    }
-    // Update
-    else {
-      const err = await apply_policies({collection_name, model_name, operation: "update", fields, user_id, doc})
-      if (err) {
-        console.warn(err)
-        return
-      }
-      next()
-    }
-  })
-
-  schema.pre("remove", DOC_OPTIONS, function(next) {
-    console.log("schema pre REMOVE", this)
-    next()
-  })
-}
-
-module.exports = mongoose_plugin

package/src/api/index.js

@@ -1,6 +0,0 @@
-/* @flow */
-const stored_values = require("./stored-values")
-
-module.exports = (app) => {
-  stored_values(app)
-}

package/src/api/stored-values/get_stored_values.js

@@ -1,41 +0,0 @@
-/* @flow */
-const assert = require("assert")
-
-const UserStoredValues = require("../../models/UserStoredValues")
-
-
-const get_projection = (payload) => {
-  const projection = {}
-
-  payload.forEach((key) => {
-    projection[key] = 1
-  })
-
-  return projection
-}
-
-const get_stored_values = async(payload, ctx) => {
-  const {user_id} = ctx.req.session
-  expect(user_id).toBeMongoId()
-
-  const projection = get_projection(payload)
-
-  const storage_doc = await UserStoredValues.findOne(
-    {_owners: {$in: [user_id]}},
-    projection,
-    {ctx},
-  )
-
-  assert(storage_doc, `unable to retrieve storage_doc for user: ${user_id}`)
-
-  const result = {
-    values: payload.map((k) => storage_doc.get(k)),
-  }
-
-  return {
-    status: "ok",
-    ...result,
-  }
-}
-
-module.exports = get_stored_values

package/src/api/stored-values/index.js

@@ -1,8 +0,0 @@
-/* @flow */
-const get_stored_values = require("./get_stored_values")
-const set_stored_values = require("./set_stored_values")
-
-module.exports = (app) => {
-  app.handler("/rb-api/v1/stored-values/get", get_stored_values)
-  app.handler("/rb-api/v1/stored-values/set", set_stored_values)
-}

package/src/api/stored-values/set_stored_values.js

@@ -1,31 +0,0 @@
-/* @flow */
-const assert = require("assert")
-
-const UserStoredValues = require("../../models/UserStoredValues")
-
-
-const set_stored_values = async(payload, ctx) => {
-  const {values} = payload
-
-  const {user_id} = ctx.req.session
-  expect(user_id).toBeMongoId()
-
-  const updates = Object.create(null)
-
-  values.forEach(({key, value}) => {
-    updates[key] = value
-  })
-
-  const res = await UserStoredValues.updateOne(
-    {_owners: {$in: [user_id]}},
-    {$set: updates},
-    {ctx}
-  )
-
-  // TODO: this breaks on signup???
-  // assert(res.modifiedCount === 1, `unable to update user stored values`)
-
-  return {status: "ok"}
-}
-
-module.exports = set_stored_values

package/src/auth/check_session.js

@@ -1,43 +0,0 @@
-/* @flow */
-const debug = require("debug")
-
-const User = require("../models/User")
-
-const log = debug("rb:auth")
-log.useColors = true
-
-
-const has_session_store = process.env.RB_SESSION_STORE === "yes"
-
-// TODO: we must separate the check session from the check user exists
-const check_session = async(payload, ctx) => {
-  const {req} = ctx
-
-  log("session:", req.session)
-
-  let is_signed_in = !!req.session.user_id
-
-  log("is_signed_in:", is_signed_in)
-
-  // check if user exists
-  let user
-  try {
-    user = await User.findOne({_id: req.session.user_id}, {_id: 1})
-  } catch (err) {
-    log("find_user_err:", err)
-  }
-  if (!user) {
-    is_signed_in = false
-    req.session.destroy?.(/* TODO: this should take callback */)
-  }
-
-  // TODO: check if user is disabled or blocked
-
-  return {
-    status: "ok",
-    is_signed_in,
-    user_id: req.session?.user_id,
-  }
-}
-
-module.exports = check_session