@saltcorn/server 0.6.3-beta.0 → 0.6.3

package/app.js

@@ -38,7 +38,7 @@ const { h1 } = require("@saltcorn/markup/tags");
 const is = require("contractis/is");
 const Trigger = require("@saltcorn/data/models/trigger");
 const s3storage = require("./s3storage");
-
+const TotpStrategy = require("passport-totp").Strategy;
 const locales = Object.keys(available_languages);
 // i18n configuration
 const i18n = new I18n({
@@ -148,7 +148,9 @@ const getApp = async (opts = {}) => {
             req.flash("danger", req.__("Incorrect user or password"))
           );
         const mu = await User.authenticate(userobj);
-        if (mu) return done(null, mu.session_object);
+        if (mu && mu._attributes.totp_enabled)
+          return done(null, { pending_user: mu.session_object });
+        else if (mu) return done(null, mu.session_object);
         else {
           const { password, ...nopw } = userobj;
           Trigger.emitEvent("LoginFailed", null, null, nopw);
@@ -188,6 +190,14 @@ const getApp = async (opts = {}) => {
       }
     })
   );
+  passport.use(
+    new TotpStrategy(function (user, done) {
+      // setup function, supply key and period to done callback
+      User.findOne({ id: user.pending_user.id }).then((u) => {
+        return done(null, u._attributes.totp_key, 30);
+      });
+    })
+  );
   passport.serializeUser(function (user, done) {
     done(null, user);
   });

package/auth/roleadmin.js

@@ -85,6 +85,28 @@ const editRoleLayoutForm = (role, layouts, layout_by_role, req) =>
     )
   );
 
+/**
+ * @param {Role} role
+ * @param {Layout[]} layouts
+ * @param {*} layout_by_role
+ * @param {object} req
+ * @returns {Form}
+ */
+const editRole2FAPolicyForm = (role, twofa_policy_by_role, req) =>
+  form(
+    {
+      action: `/roleadmin/setrole2fapolicy/${role.id}`,
+      method: "post",
+    },
+    csrfField(req),
+    select(
+      { name: "policy", onchange: "form.submit()" },
+      ["Optional", "Disabled", "Mandatory"].map((p) =>
+        option({ selected: twofa_policy_by_role[role.id] === p }, p)
+      )
+    )
+  );
+
 /**
  * @param {object} req
  * @returns {Form}
@@ -125,6 +147,7 @@ router.get(
       (l) => l !== "emergency"
     );
     const layout_by_role = getState().getConfig("layout_by_role");
+    const twofa_policy_by_role = getState().getConfig("twofa_policy_by_role");
     send_users_page({
       res,
       req,
@@ -142,6 +165,13 @@ router.get(
                 key: (role) =>
                   editRoleLayoutForm(role, layouts, layout_by_role, req),
               },
+              {
+                label: req.__("2FA policy"),
+                key: (role) =>
+                  role.id === 10
+                    ? ""
+                    : editRole2FAPolicyForm(role, twofa_policy_by_role, req),
+              },
               {
                 label: req.__("Delete"),
                 key: (r) =>
@@ -240,6 +270,26 @@ router.post(
   })
 );
 
+/**
+ * @name post/setrolelayout/:id
+ * @function
+ * @memberof module:auth/roleadmin~roleadminRouter
+ */
+router.post(
+  "/setrole2fapolicy/:id",
+  isAdmin,
+  error_catcher(async (req, res) => {
+    const { id } = req.params;
+    const twofa_policy_by_role = getState().getConfigCopy(
+      "twofa_policy_by_role"
+    );
+    twofa_policy_by_role[+id] = req.body.policy;
+    await getState().setConfig("twofa_policy_by_role", twofa_policy_by_role);
+    req.flash("success", req.__(`Saved 2FA policy for role`));
+
+    res.redirect(`/roleadmin`);
+  })
+);
 const unDeletableRoles = [1, 8, 10];
 /**
  * @name post/delete/:id

package/auth/routes.js

@@ -24,12 +24,14 @@ const { renderForm, post_btn } = require("@saltcorn/markup");
 const passport = require("passport");
 const {
   a,
+  img,
   text,
   table,
   tbody,
   th,
   td,
   tr,
+  h4,
   form,
   select,
   option,
@@ -37,6 +39,8 @@ const {
   i,
   div,
   code,
+  pre,
+  p,
 } = require("@saltcorn/markup/tags");
 const {
   available_languages,
@@ -52,7 +56,9 @@ const { restore_backup } = require("../markup/admin.js");
 const { restore } = require("@saltcorn/data/models/backup");
 const load_plugins = require("../load_plugins");
 const fs = require("fs");
-
+const base32 = require("thirty-two");
+const qrcode = require("qrcode");
+const totp = require("notp").totp;
 /**
  * @type {object}
  * @const
@@ -599,6 +605,8 @@ const signup_login_with_user = (u, req, res) =>
       if (!err) {
         Trigger.emitEvent("Login", null, u);
         if (getState().verifier) res.redirect("/auth/verification-flow");
+        else if (getState().get2FApolicy(u) === "Mandatory")
+          res.redirect("/auth/twofa/setup/totp");
         else res.redirect("/");
       } else {
         req.flash("danger", err);
@@ -920,6 +928,11 @@ router.post(
   error_catcher(async (req, res) => {
     ipLimiter.resetKey(req.ip);
     userLimiter.resetKey(userIdKey(req.body));
+    if (req.user.pending_user) {
+      res.redirect("/auth/twofa/login/totp");
+      return;
+    }
+
     if (req.session.cookie)
       if (req.body.remember) {
         const setDur = +getState().getConfig("cookie_duration_remember", 0);
@@ -932,7 +945,9 @@ router.post(
       }
     Trigger.emitEvent("Login", null, req.user);
     req.flash("success", req.__("Welcome, %s!", req.user.email));
-    res.redirect("/");
+    if (getState().get2FApolicy(req.user) === "Mandatory") {
+      res.redirect("/auth/twofa/setup/totp");
+    } else res.redirect("/");
   })
 );
 
@@ -1095,6 +1110,9 @@ const userSettings = async ({ req, res, pwform, user }) => {
   }
   let apikeycard;
   const min_role_apikeygen = +getState().getConfig("min_role_apikeygen", 1);
+  const twoFaPolicy = getState().get2FApolicy(user);
+  const show2FAPolicy =
+    twoFaPolicy !== "Disabled" || user._attributes.totp_enabled;
   if (user.role_id <= min_role_apikeygen)
     apikeycard = {
       type: "card",
@@ -1163,6 +1181,40 @@ const userSettings = async ({ req, res, pwform, user }) => {
         title: req.__("Change password"),
         contents: renderForm(pwform, req.csrfToken()),
       },
+      ...(show2FAPolicy
+        ? [
+            {
+              type: "card",
+              title: req.__("Two-factor authentication"),
+              contents: [
+                div(
+                  user._attributes.totp_enabled
+                    ? req.__("Two-factor authentication is enabled")
+                    : req.__("Two-factor authentication is disabled")
+                ),
+                div(
+                  user._attributes.totp_enabled
+                    ? post_btn(
+                        "/auth/twofa/disable/totp",
+                        "Disable",
+                        req.csrfToken(),
+                        {
+                          btnClass: "btn-danger mt-2",
+                          req,
+                        }
+                      )
+                    : a(
+                        {
+                          href: "/auth/twofa/setup/totp",
+                          class: "btn btn-primary mt-2",
+                        },
+                        "Enable"
+                      )
+                ),
+              ],
+            },
+          ]
+        : []),
       ...(apikeycard ? [apikeycard] : []),
     ],
   };
@@ -1253,6 +1305,12 @@ router.get(
   loggedIn,
   error_catcher(async (req, res) => {
     const user = await User.findOne({ id: req.user.id });
+    if (!user) {
+      req.logout();
+      req.flash("danger", req.__("Must be logged in first"));
+      res.redirect("/auth/login");
+      return;
+    }
     res.sendWrap(
       req.__("User settings"),
       await userSettings({ req, res, pwform: changPwForm(req), user })
@@ -1436,3 +1494,171 @@ router.all(
     res.redirect(wfres.redirect || "/");
   })
 );
+
+/**
+ * @name get/settings
+ * @function
+ * @memberof module:auth/routes~routesRouter
+ */
+router.get(
+  "/twofa/setup/totp",
+  loggedIn,
+  error_catcher(async (req, res) => {
+    const user = await User.findOne({ id: req.user.id });
+    let key;
+    if (user._attributes.totp_key) key = user._attributes.totp_key;
+    else {
+      key = randomKey(10);
+      user._attributes.totp_key = key;
+      await user.update({ _attributes: user._attributes });
+    }
+
+    const encodedKey = base32.encode(key);
+
+    // generate QR code for scanning into Google Authenticator
+    // reference: https://code.google.com/p/google-authenticator/wiki/KeyUriFormat
+    const site_name = getState().getConfig("site_name");
+    const otpUrl = `otpauth://totp/${
+      user.email
+    }?secret=${encodedKey}&period=30&issuer=${encodeURIComponent(site_name)}`;
+    const image = await qrcode.toDataURL(otpUrl);
+    res.sendWrap(req.__("Setup two-factor authentication"), {
+      type: "card",
+      title: req.__(
+        "Setup two-factor authentication with Time-based One-Time Password (TOTP)"
+      ),
+      contents: [
+        h4(req.__("1. Scan this QR code in your Authenticator app")),
+        img({ src: image }),
+        p("Or enter this code:"),
+        code(pre(encodedKey.toString())),
+        h4(
+          req.__(
+            "2. Enter the six-digit code generated in your Authenticator app"
+          )
+        ),
+        renderForm(totpForm(req), req.csrfToken()),
+      ],
+    });
+  })
+);
+
+router.post(
+  "/twofa/setup/totp",
+  loggedIn,
+  error_catcher(async (req, res) => {
+    const user = await User.findOne({ id: req.user.id });
+
+    if (!user._attributes.totp_key) {
+      //key not set
+      req.flash("danger", req.__("2FA TOTP Key not set"));
+      res.redirect("/auth/twofa/setup/totp");
+      return;
+    }
+
+    const form = totpForm(req);
+    form.validate(req.body);
+    if (form.hasErrors) {
+      req.flash("danger", req.__("Error processing form"));
+      res.redirect("/auth/twofa/setup/totp");
+      return;
+    }
+    const code = `${form.values.totpCode}`;
+    const rv = totp.verify(code, user._attributes.totp_key, {
+      time: 30,
+    });
+    if (!rv) {
+      req.flash("danger", req.__("Could not verify code"));
+      res.redirect("/auth/twofa/setup/totp");
+      return;
+    }
+    user._attributes.totp_enabled = true;
+    await user.update({ _attributes: user._attributes });
+    req.flash(
+      "success",
+      req.__(
+        "Two-factor authentication with Time-based One-Time Password enabled"
+      )
+    );
+
+    res.redirect("/auth/settings");
+  })
+);
+
+router.post(
+  "/twofa/disable/totp",
+  loggedIn,
+  error_catcher(async (req, res) => {
+    const user = await User.findOne({ id: req.user.id });
+    user._attributes.totp_enabled = false;
+    delete user._attributes.totp_key;
+    await user.update({ _attributes: user._attributes });
+    req.flash(
+      "success",
+      req.__(
+        "Two-factor authentication with Time-based One-Time Password disabled"
+      )
+    );
+    res.redirect("/auth/settings");
+  })
+);
+const totpForm = (req) =>
+  new Form({
+    action: "/auth/twofa/setup/totp",
+    fields: [
+      {
+        name: "totpCode",
+        label: req.__("Code"),
+        type: "Integer",
+        required: true,
+      },
+    ],
+  });
+
+const randomKey = function (len) {
+  function getRandomInt(min, max) {
+    return Math.floor(Math.random() * (max - min + 1)) + min;
+  }
+  var buf = [],
+    chars = "abcdefghijklmnopqrstuvwxyz0123456789",
+    charlen = chars.length;
+
+  for (var i = 0; i < len; ++i) {
+    buf.push(chars[getRandomInt(0, charlen - 1)]);
+  }
+
+  return buf.join("");
+};
+
+router.get(
+  "/twofa/login/totp",
+  error_catcher(async (req, res) => {
+    const form = new Form({
+      action: "/auth/twofa/login/totp",
+      submitLabel: "Verify",
+      fields: [
+        {
+          name: "code",
+          label: req.__("Code"),
+          type: "Integer",
+          required: true,
+        },
+      ],
+    });
+    res.sendAuthWrap(req.__(`Two-factor authentication`), form, {});
+  })
+);
+
+router.post(
+  "/twofa/login/totp",
+  passport.authenticate("totp", {
+    failureRedirect: "/auth/twofa/login/totp",
+    failureFlash: true,
+  }),
+  error_catcher(async (req, res) => {
+    const user = await User.findOne({ id: req.user.pending_user.id });
+    user.relogin(req);
+    Trigger.emitEvent("Login", null, user);
+    res.redirect("/");
+  })
+);

package/locales/en.json

@@ -845,5 +845,19 @@
 	"User should have this role or higher to generate API keys in their user settings": "User should have this role or higher to generate API keys in their user settings",
 	"API token removed": "API token removed",
 	"Row inclusion formula": "Row inclusion formula",
-	"Only include rows where this formula is true": "Only include rows where this formula is true"
+	"Only include rows where this formula is true": "Only include rows where this formula is true",
+	"Slug": "Slug",
+	"Field that can be used for a prettier URL structure": "Field that can be used for a prettier URL structure",
+	"Setup two-factor authentication": "Setup two-factor authentication",
+	"Setup two-factor authentication with Time-based One-Time Password (TOTP)": "Setup two-factor authentication with Time-based One-Time Password (TOTP)",
+	"1. Scan this QR code in your Authenticator app": "1. Scan this QR code in your Authenticator app",
+	"2. Enter the six-digit code generated in your Authenticator app": "2. Enter the six-digit code generated in your Authenticator app",
+	"Code": "Code",
+	"Two-factor authentication with Time-based One-Time Password enabled": "Two-factor authentication with Time-based One-Time Password enabled",
+	"Two-factor authentication": "Two-factor authentication",
+	"Two-factor authentication is enabled": "Two-factor authentication is enabled",
+	"Two-factor authentication with Time-based One-Time Password disabled": "Two-factor authentication with Time-based One-Time Password disabled",
+	"Two-factor authentication is disabled": "Two-factor authentication is disabled",
+	"Auto save": "Auto save",
+	"Save any changes immediately": "Save any changes immediately"
 }

package/package.json

@@ -1,17 +1,17 @@
 {
   "name": "@saltcorn/server",
-  "version": "0.6.3-beta.0",
+  "version": "0.6.3",
   "description": "Server app for Saltcorn, open-source no-code platform",
   "homepage": "https://saltcorn.com",
   "main": "index.js",
   "license": "MIT",
   "dependencies": {
-    "@saltcorn/base-plugin": "0.6.3-beta.0",
-    "@saltcorn/builder": "0.6.3-beta.0",
-    "@saltcorn/data": "0.6.3-beta.0",
+    "@saltcorn/base-plugin": "0.6.3",
+    "@saltcorn/builder": "0.6.3",
+    "@saltcorn/data": "0.6.3",
     "greenlock-express": "^4.0.3",
-    "@saltcorn/markup": "0.6.3-beta.0",
-    "@saltcorn/sbadmin2": "0.6.3-beta.0",
+    "@saltcorn/markup": "0.6.3",
+    "@saltcorn/sbadmin2": "0.6.3",
     "@socket.io/cluster-adapter": "^0.1.0",
     "@socket.io/sticky": "^1.0.1",
     "connect-flash": "^0.1.1",
@@ -34,13 +34,17 @@
     "moment": "^2.27.0",
     "node-fetch": "2.6.2",
     "node-watch": "^0.7.2",
+    "notp": "2.0.3",
     "passport": "^0.4.1",
     "passport-custom": "^1.1.1",
     "passport-http-bearer": "^1.0.1",
+    "passport-totp": "0.0.2",
     "pg": "^8.2.1",
     "pluralize": "^8.0.0",
+    "qrcode": "1.5.0",
     "socket.io": "4.2.0",
     "tmp-promise": "^3.0.2",
+    "thirty-two": "1.0.2",
     "multer-s3": "^2.10.0",
     "multer": "^1.4.3",
     "aws-sdk": "^2.1037.0",
@@ -75,6 +79,7 @@
       "@saltcorn/sqlite/(.*)": "@saltcorn/sqlite/dist/$1",
       "@saltcorn/db-common/(.*)": "@saltcorn/db-common/dist/$1",
       "@saltcorn/data/(.*)": "@saltcorn/data/dist/$1",
+      "@saltcorn/types/(.*)": "@saltcorn/types/dist/$1",
       "@saltcorn/markup$": "@saltcorn/markup/dist",
       "@saltcorn/markup/(.*)": "@saltcorn/markup/dist/$1"
     }

package/public/gridedit.js

@@ -179,7 +179,9 @@ DateField.prototype = new jsGrid.Field({
     setTimeout(function () {
       flatpickr(insertPicker, {
         enableTime: true,
-        dateFormat: "Y-m-d H:i",
+        dateFormat: "Z",
+        altInput: true,
+        altFormat: "Y-m-d h:i K",
       });
     });
     return insertPicker;
@@ -192,7 +194,9 @@ DateField.prototype = new jsGrid.Field({
     setTimeout(function () {
       flatpickr(editPicker, {
         enableTime: true,
-        dateFormat: "Y-m-d H:i",
+        dateFormat: "Z",
+        altInput: true,
+        altFormat: "Y-m-d h:i K",
       });
     });
     return editPicker;

package/public/saltcorn.js

@@ -30,9 +30,14 @@ function add_repeater(nm) {
 function apply_showif() {
   $("[data-show-if]").each(function (ix, element) {
     var e = $(element);
-    var to_show = new Function("e", "return " + e.attr("data-show-if"));
+    var to_show = new Function(
+      "e",
+      "return " + decodeURIComponent(e.attr("data-show-if"))
+    );
     if (to_show(e))
-      e.show().find("input, textarea, button, select").prop("disabled", false);
+      e.show()
+        .find("input, textarea, button, select")
+        .prop("disabled", e.attr("data-disabled") || false);
     else
       e.hide().find("input, textarea, button, select").prop("disabled", true);
   });
@@ -508,6 +513,33 @@ function ajax_modal(url, opts = {}) {
     },
   });
 }
+
+function saveAndContinue(e) {
+  var form = $(e).closest("form");
+  var url = form.attr("action");
+  var form_data = form.serialize();
+  $.ajax(url, {
+    type: "POST",
+    headers: {
+      "CSRF-Token": _sc_globalCsrf,
+    },
+    data: form_data,
+    success: function (res) {
+      if (res.id && form.find("input[name=id")) {
+        form.append(
+          `<input type="hidden" class="form-control  " name="id" value="${res.id}">`
+        );
+      }
+    },
+    error: function (request) {
+      $("#page-inner-content").html(request.responseText);
+      initialize_page();
+    },
+  });
+
+  return false;
+}
+
 function ajaxSubmitForm(e) {
   var form = $(e).closest("form");
   var url = form.attr("action");

package/restart_watcher.js

@@ -120,6 +120,9 @@ const listenForChanges = (projectDirs, pluginDirs) => {
         (event, file) => {
           console.log("'%s' changed \n re-starting now", file);
           closeWatchers();
+          spawnSync("npm", ["run", "tsc"], {
+            stdio: "inherit",
+          });
           process.exit();
         }
       )

package/routes/admin.js

@@ -769,6 +769,7 @@ router.post(
       for (const file of files) {
         await file.delete();
       }
+      if (db.reset_sequence) await db.reset_sequence("_sc_files");
     }
     if (form.values.plugins) {
       const ps = await Plugin.find();

package/routes/api.js

@@ -65,11 +65,12 @@ const limitFields = (fields) => (r) => {
  * @returns {boolean}
  */
 function accessAllowedRead(req, user, table) {
-  const role = req.isAuthenticated()
-    ? req.user.role_id
-    : user && user.role_id
-    ? user.role_id
-    : 10;
+  const role =
+    req.user && req.user.id
+      ? req.user.role_id
+      : user && user.role_id
+      ? user.role_id
+      : 10;
 
   return role <= table.min_role_read;
 }
@@ -82,11 +83,12 @@ function accessAllowedRead(req, user, table) {
  * @returns {boolean}
  */
 function accessAllowedWrite(req, user, table) {
-  const role = req.isAuthenticated()
-    ? req.user.role_id
-    : user && user.role_id
-    ? user.role_id
-    : 10;
+  const role =
+    req.user && req.user.id
+      ? req.user.role_id
+      : user && user.role_id
+      ? user.role_id
+      : 10;
 
   return role <= table.min_role_write;
 }
@@ -98,11 +100,12 @@ function accessAllowedWrite(req, user, table) {
  * @returns {boolean}
  */
 function accessAllowed(req, user, trigger) {
-  const role = req.isAuthenticated()
-    ? req.user.role_id
-    : user && user.role_id
-    ? user.role_id
-    : 10;
+  const role =
+    req.user && req.user.id
+      ? req.user.role_id
+      : user && user.role_id
+      ? user.role_id
+      : 10;
 
   return role <= trigger.min_role;
 }

package/routes/delete.js

@@ -33,7 +33,7 @@ router.post(
     const { name, id } = req.params;
     const { redirect } = req.query;
     const table = await Table.findOne({ name });
-    const role = req.isAuthenticated() ? req.user.role_id : 10;
+    const role = req.user && req.user.id ? req.user.role_id : 10;
     try {
       if (role <= table.min_role_write) await table.deleteRows({ id });
       else if (table.ownership_field_id && req.user) {

package/routes/edit.js

@@ -37,7 +37,7 @@ router.post(
     const { name, id, field_name } = req.params;
     const { redirect } = req.query;
     const table = await Table.findOne({ name });
-    const role = req.isAuthenticated() ? req.user.role_id : 10;
+    const role = req.user && req.user.id ? req.user.role_id : 10;
     if (role <= table.min_role_write) await table.toggleBool(+id, field_name);
     else
       req.flash(

package/routes/fields.js

@@ -26,6 +26,7 @@ const { isAdmin, error_catcher } = require("./utils.js");
 const expressionBlurb = require("../markup/expression_blurb");
 const { readState } = require("@saltcorn/data/plugin-helper");
 const { wizardCardTitle } = require("../markup/forms.js");
+const FieldRepeat = require("@saltcorn/data/models/fieldrepeat");
 
 /**
  * @type {object}
@@ -161,8 +162,9 @@ const translateAttributes = (attrs, req) =>
  * @returns {object}
  */
 const translateAttribute = (attr, req) => {
-  const res = { ...attr };
+  let res = { ...attr };
   if (res.sublabel) res.sublabel = req.__(res.sublabel);
+  if (res.isRepeat) res = new FieldRepeat(res);
   return res;
 };
 
@@ -660,7 +662,15 @@ router.post(
     if (fieldName.includes(".")) {
       const [refNm, targetNm] = fieldName.split(".");
       const ref = fields.find((f) => f.name === refNm);
+      if (!ref) {
+        res.send("");
+        return;
+      }
       const reftable = await Table.findOne({ name: ref.reftable_name });
+      if (!reftable) {
+        res.send("");
+        return;
+      }
       const reffields = await reftable.getFields();
       field = reffields.find((f) => f.name === targetNm);
       row = await reftable.getRow({});

package/routes/files.js

@@ -136,7 +136,7 @@ router.get(
 router.get(
   "/download/:id",
   error_catcher(async (req, res) => {
-    const role = req.isAuthenticated() ? req.user.role_id : 10;
+    const role = req.user && req.user.id ? req.user.role_id : 10;
     const user_id = req.user && req.user.id;
     const { id } = req.params;
     const file = await File.findOne({ id });
@@ -160,7 +160,7 @@ router.get(
 router.get(
   "/serve/:id",
   error_catcher(async (req, res) => {
-    const role = req.isAuthenticated() ? req.user.role_id : 10;
+    const role = req.user && req.user.id ? req.user.role_id : 10;
     const user_id = req.user && req.user.id;
     const { id } = req.params;
     let file;
@@ -243,7 +243,7 @@ router.post(
   error_catcher(async (req, res) => {
     let jsonResp = {};
     const min_role_upload = getState().getConfig("min_role_upload", 1);
-    const role = req.isAuthenticated() ? req.user.role_id : 10;
+    const role = req.user && req.user.id ? req.user.role_id : 10;
     if (role > +min_role_upload) {
       if (!req.xhr) req.flash("warning", req.__("Not authorized"));
       else jsonResp = { error: "Not authorized" };

package/routes/homepage.js

@@ -398,7 +398,7 @@ const welcome_page = async (req) => {
  * @returns {Promise<void>}
  */
 const no_views_logged_in = async (req, res) => {
-  const role = req.isAuthenticated() ? req.user.role_id : 10;
+  const role = req.user && req.user.id ? req.user.role_id : 10;
   if (role > 1 || req.user.tenant !== db.getTenantSchema())
     res.sendWrap(req.__("Hello"), req.__("Welcome to Saltcorn!"));
   else {
@@ -455,25 +455,26 @@ const get_config_response = async (role_id, res, req) => {
   }
 };
 
-/**
- * Function assigned to 'module.exports'.
- * @param {object} req
- * @param {object} res
- * @returns {Promise<void>}
- */
-module.exports = async (req, res) => {
-  const isAuth = req.isAuthenticated();
-  const role_id = req.user ? req.user.role_id : 10;
-  const cfgResp = await get_config_response(role_id, res, req);
-  if (cfgResp) return;
+module.exports =
+  /**
+   * Function assigned to 'module.exports'.
+   * @param {object} req
+   * @param {object} res
+   * @returns {Promise<void>}
+   */
+  async (req, res) => {
+    const isAuth = req.user && req.user.id;
+    const role_id = req.user ? req.user.role_id : 10;
+    const cfgResp = await get_config_response(role_id, res, req);
+    if (cfgResp) return;
 
-  if (!isAuth) {
-    const hasUsers = await User.nonEmpty();
-    if (!hasUsers) {
-      res.redirect("/auth/create_first_user");
-      return;
-    } else res.redirect("/auth/login");
-  } else {
-    await no_views_logged_in(req, res);
-  }
-};
+    if (!isAuth) {
+      const hasUsers = await User.nonEmpty();
+      if (!hasUsers) {
+        res.redirect("/auth/create_first_user");
+        return;
+      } else res.redirect("/auth/login");
+    } else {
+      await no_views_logged_in(req, res);
+    }
+  };

package/routes/index.js

@@ -36,7 +36,7 @@
  * @property {module:routes/utils} utils
  * @property {module:routes/view} view
  * @property {module:routes/viewedit} viewedit
- * 
+ *
  * @category server
  * @subcategory routes
  */
@@ -71,38 +71,39 @@ const useradmin = require("../auth/admin");
 const roleadmin = require("../auth/roleadmin");
 const scapi = require("./scapi");
 
-/**
- * Function assigned to 'module.exports'
- * @returns {void}
- */
-module.exports = (app) => {
-  app.use("/table", table);
-  app.use("/field", field);
-  app.use("/files", files);
-  app.use("/list", list);
-  app.use("/edit", edit);
-  app.use("/config", config);
-  app.use("/plugins", plugins);
-  app.use("/packs", packs);
-  app.use("/menu", menu);
-  app.use("/view", view);
-  app.use("/crashlog", crashlog);
-  app.use("/events", events);
-  app.use("/page", page);
-  app.use("/settings", settings);
-  app.use("/pageedit", pageedit);
-  app.use("/actions", actions);
-  app.use("/eventlog", eventlog);
-  app.use("/library", library);
-  app.use("/site-structure", infoarch);
-  app.use("/search", search);
-  app.use("/admin", admin);
-  app.use("/tenant", tenant);
-  app.use("/api", api);
-  app.use("/viewedit", viewedit);
-  app.use("/delete", del);
-  app.use("/auth", auth);
-  app.use("/useradmin", useradmin);
-  app.use("/roleadmin", roleadmin);
-  app.use("/scapi", scapi);
-};
+module.exports =
+  /**
+   * Function assigned to 'module.exports'
+   * @returns {void}
+   */
+  (app) => {
+    app.use("/table", table);
+    app.use("/field", field);
+    app.use("/files", files);
+    app.use("/list", list);
+    app.use("/edit", edit);
+    app.use("/config", config);
+    app.use("/plugins", plugins);
+    app.use("/packs", packs);
+    app.use("/menu", menu);
+    app.use("/view", view);
+    app.use("/crashlog", crashlog);
+    app.use("/events", events);
+    app.use("/page", page);
+    app.use("/settings", settings);
+    app.use("/pageedit", pageedit);
+    app.use("/actions", actions);
+    app.use("/eventlog", eventlog);
+    app.use("/library", library);
+    app.use("/site-structure", infoarch);
+    app.use("/search", search);
+    app.use("/admin", admin);
+    app.use("/tenant", tenant);
+    app.use("/api", api);
+    app.use("/viewedit", viewedit);
+    app.use("/delete", del);
+    app.use("/auth", auth);
+    app.use("/useradmin", useradmin);
+    app.use("/roleadmin", roleadmin);
+    app.use("/scapi", scapi);
+  };

package/routes/list.js

@@ -155,6 +155,10 @@ const typeToJsGridType = (t, field) => {
     jsgField.editing = false;
     jsgField.inserting = false;
   }
+  if (field.primary_key) {
+    jsgField.inserting = false;
+    jsgField.editing = false;
+  }
   return jsgField;
 };
 

package/routes/page.js

@@ -37,7 +37,7 @@ router.get(
   error_catcher(async (req, res) => {
     const { pagename } = req.params;
 
-    const role = req.isAuthenticated() ? req.user.role_id : 10;
+    const role = req.user && req.user.id ? req.user.role_id : 10;
     const db_page = await Page.findOne({ name: pagename });
     if (db_page && role <= db_page.min_role) {
       const contents = await db_page.run(req.query, { res, req });
@@ -73,7 +73,7 @@ router.post(
   "/:pagename/action/:rndid",
   error_catcher(async (req, res) => {
     const { pagename, rndid } = req.params;
-    const role = req.isAuthenticated() ? req.user.role_id : 10;
+    const role = req.user && req.user.id ? req.user.role_id : 10;
     const db_page = await Page.findOne({ name: pagename });
     if (db_page && role <= db_page.min_role) {
       let col;

package/routes/pageedit.js

@@ -157,9 +157,12 @@ const pageBuilderData = async (req, context) => {
   const images = await File.find({ mime_super: "image" });
   const roles = await User.get_roles();
   const stateActions = getState().actions;
-  const actions = Object.entries(stateActions)
-    .filter(([k, v]) => !v.requireRow && !v.disableInBuilder)
-    .map(([k, v]) => k);
+  const actions = [
+    "GoBack",
+    ...Object.entries(stateActions)
+      .filter(([k, v]) => !v.requireRow && !v.disableInBuilder)
+      .map(([k, v]) => k),
+  ];
   const triggers = await Trigger.find({
     when_trigger: { or: ["API call", "Never"] },
   });

package/routes/scapi.js

@@ -44,11 +44,12 @@ module.exports = router;
  * @returns {boolean}
  */
 function accessAllowedRead(req, user) {
-  const role = req.isAuthenticated()
-    ? req.user.role_id
-    : user && user.role_id
-    ? user.role_id
-    : 10;
+  const role =
+    req.user && req.user.id
+      ? req.user.role_id
+      : user && user.role_id
+      ? user.role_id
+      : 10;
 
   if (role === 1) return true;
   return false;

package/routes/utils.js

@@ -49,7 +49,13 @@ function isAdmin(req, res, next) {
     next();
   } else {
     req.flash("danger", req.__("Must be admin"));
-    res.redirect(req.user ? "/" : "/auth/login");
+    res.redirect(
+      req.user && req.user.pending_user
+        ? "/auth/twofa/login/totp"
+        : req.user
+        ? "/"
+        : "/auth/login"
+    );
   }
 }
 

package/routes/view.js

@@ -37,27 +37,28 @@ module.exports = router;
  * @function
  */
 router.get(
-  "/:viewname",
+  ["/:viewname", "/:viewname/*"],
   error_catcher(async (req, res) => {
     const { viewname } = req.params;
-
+    const query = { ...req.query };
     const view = await View.findOne({ name: viewname });
-    const role = req.isAuthenticated() ? req.user.role_id : 10;
-
+    const role = req.user && req.user.id ? req.user.role_id : 10;
     if (!view) {
       req.flash("danger", req.__(`No such view: %s`, text(viewname)));
       res.redirect("/");
       return;
     }
+
+    view.rewrite_query_from_slug(query, req.params);
     if (
       role > view.min_role &&
-      !(await view.authorise_get({ query: req.query, req, ...view }))
+      !(await view.authorise_get({ query, req, ...view }))
     ) {
       req.flash("danger", req.__("Not authorized"));
       res.redirect("/");
       return;
     }
-    const contents = await view.run_possibly_on_page(req.query, req, res);
+    const contents = await view.run_possibly_on_page(query, req, res);
     const title = scan_for_page_title(contents, view.name);
     res.sendWrap(
       title,
@@ -120,7 +121,7 @@ router.post(
   "/:viewname/:route",
   error_catcher(async (req, res) => {
     const { viewname, route } = req.params;
-    const role = req.isAuthenticated() ? req.user.role_id : 10;
+    const role = req.user && req.user.id ? req.user.role_id : 10;
 
     const view = await View.findOne({ name: viewname });
     if (!view) {
@@ -142,16 +143,21 @@ router.post(
  * @function
  */
 router.post(
-  "/:viewname",
+  ["/:viewname", "/:viewname/*"],
   error_catcher(async (req, res) => {
     const { viewname } = req.params;
-    const role = req.isAuthenticated() ? req.user.role_id : 10;
+    const role = req.user && req.user.id ? req.user.role_id : 10;
+    const query = { ...req.query };
 
     const view = await View.findOne({ name: viewname });
     if (!view) {
       req.flash("danger", req.__(`No such view: %s`, text(viewname)));
       res.redirect("/");
-    } else if (
+      return;
+    }
+    view.rewrite_query_from_slug(query, req.params);
+
+    if (
       role > view.min_role &&
       !(await view.authorise_post({ body: req.body, req, ...view }))
     ) {
@@ -164,7 +170,7 @@ router.post(
         } does not supply a POST handler`
       );
     } else {
-      await view.runPost(req.query, req.body, { res, req });
+      await view.runPost(query, req.body, { res, req });
     }
   })
 );

package/routes/viewedit.js

@@ -232,12 +232,13 @@ const mapObjectValues = (o, f) =>
  * @param {object} values
  * @returns {Form}
  */
-const viewForm = (req, tableOptions, roles, pages, values) => {
+const viewForm = async (req, tableOptions, roles, pages, values) => {
   const isEdit =
     values && values.id && !getState().getConfig("development_mode", false);
   const hasTable = Object.entries(getState().viewtemplates)
     .filter(([k, v]) => !v.tableless)
     .map(([k, v]) => k);
+  const slugOptions = await Table.allSlugOptions();
   return new Form({
     action: "/viewedit/save",
     submitLabel: req.__("Configure") + " »",
@@ -302,6 +303,19 @@ const viewForm = (req, tableOptions, roles, pages, values) => {
           ...pages.map((p) => ({ value: p.name, label: p.name })),
         ],
       }),
+      new Field({
+        name: "slug",
+        label: req.__("Slug"),
+        sublabel: req.__("Field that can be used for a prettier URL structure"),
+        type: "String",
+        attributes: {
+          calcOptions: [
+            "table_name",
+            mapObjectValues(slugOptions, (lvs) => lvs.map((lv) => lv.label)),
+          ],
+        },
+        showIf: { viewtemplate: hasTable },
+      }),
       ...(isEdit
         ? [
             new Field({
@@ -342,10 +356,15 @@ router.get(
       (t) => t.id === viewrow.table_id || t.name === viewrow.exttable_name
     );
     viewrow.table_name = currentTable && currentTable.name;
+    if (viewrow.slug && currentTable) {
+      const slugOptions = await currentTable.slug_options();
+      const slug = slugOptions.find((so) => so.label === viewrow.slug.label);
+      if (slug) viewrow.slug = slug.label;
+    }
     const tableOptions = tables.map((t) => t.name);
     const roles = await User.get_roles();
     const pages = await Page.find();
-    const form = viewForm(req, tableOptions, roles, pages, viewrow);
+    const form = await viewForm(req, tableOptions, roles, pages, viewrow);
     form.hidden("id");
     res.sendWrap(req.__(`Edit view`), {
       above: [
@@ -380,7 +399,7 @@ router.get(
     const tableOptions = tables.map((t) => t.name);
     const roles = await User.get_roles();
     const pages = await Page.find();
-    const form = viewForm(req, tableOptions, roles, pages);
+    const form = await viewForm(req, tableOptions, roles, pages);
     if (req.query && req.query.table) {
       form.values.table_name = req.query.table;
     }
@@ -417,7 +436,7 @@ router.post(
     const tableOptions = tables.map((t) => t.name);
     const roles = await User.get_roles();
     const pages = await Page.find();
-    const form = viewForm(req, tableOptions, roles, pages);
+    const form = await viewForm(req, tableOptions, roles, pages);
     const result = form.validate(req.body);
 
     const sendForm = (form) => {
@@ -458,11 +477,18 @@ router.post(
         const v = result.success;
         if (v.table_name) {
           const table = await Table.findOne({ name: v.table_name });
-          if (table && table.id) v.table_id = table.id;
-          else if (table && table.external) v.exttable_name = v.table_name;
+          if (table && table.id) {
+            v.table_id = table.id;
+          } else if (table && table.external) v.exttable_name = v.table_name;
         }
+        if (v.table_id) {
+          const table = await Table.findOne({ id: v.table_id });
+          const slugOptions = await table.slug_options();
+          const slug = slugOptions.find((so) => so.label === v.slug);
+          v.slug = slug || null;
+        }
+        const table = await Table.findOne({ name: v.table_name });
         delete v.table_name;
-
         if (req.body.id) {
           await View.update(v, +req.body.id);
         } else {

package/serve.js

@@ -163,9 +163,6 @@ module.exports =
     ...appargs
   } = {}) => {
     if (dev && cluster.isMaster) {
-      spawnSync("npm", ["run", "tsc"], {
-        stdio: "inherit",
-      });
       listenForChanges(getRelevantPackages(), await getPluginDirectories());
     }
     const useNCpus = process.env.SALTCORN_NWORKERS

package/tests/view.test.js

@@ -137,3 +137,41 @@ describe("render view on page", () => {
       .expect(toNotInclude("Herman Melville"));
   });
 });
+
+describe("render view with slug", () => {
+  it("should show with id slug in list", async () => {
+    const view = await View.findOne({ name: "authorshow" });
+    const table = await Table.findOne({ name: "books" });
+    const slugOpts = await table.slug_options();
+    const slugOpt = slugOpts.find((so) => so.label === "/:id");
+    expect(!!slugOpt).toBe(true);
+    View.update({ default_render_page: null, slug: slugOpt }, view.id);
+    const app = await getApp({ disableCsrf: true });
+    await request(app)
+      .get("/view/authorlist")
+      .expect(toInclude(`/view/authorshow/1`));
+    await request(app)
+      .get("/view/authorshow/1")
+      .expect(toInclude(`Herman Melville`));
+  });
+  it("should show with name slug in list", async () => {
+    const view = await View.findOne({ name: "authorshow" });
+    const table0 = await Table.findOne({ name: "books" });
+    const fields = await table0.getFields();
+    const field = fields.find((f) => f.name === "author");
+    await field.update({ is_unique: true });
+    const table = await Table.findOne({ name: "books" });
+
+    const slugOpts = await table.slug_options();
+    const slugOpt = slugOpts.find((so) => so.label === "/slugify-author");
+    expect(!!slugOpt).toBe(true);
+    View.update({ default_render_page: null, slug: slugOpt }, view.id);
+    const app = await getApp({ disableCsrf: true });
+    await request(app)
+      .get("/view/authorlist")
+      .expect(toInclude(`/view/authorshow/herman-melville`));
+    await request(app)
+      .get("/view/authorshow/herman-melville")
+      .expect(toInclude(`Herman Melville`));
+  });
+});

package/wrapper.js

@@ -45,7 +45,7 @@ const get_extra_menu = (role, state, req) => {
 };
 
 const get_menu = (req) => {
-  const isAuth = req.isAuthenticated();
+  const isAuth = req.user && req.user.id;
   const state = getState();
   const role = (req.user || {}).role_id || 10;