@saltcorn/server 0.7.2-beta.0 → 0.7.2-beta.10

package/app.js

@@ -30,7 +30,6 @@ const {
 } = require("./routes/utils.js");
 const { getAllTenants } = require("@saltcorn/admin-models/models/tenant");
 const path = require("path");
-const fileUpload = require("express-fileupload");
 const helmet = require("helmet");
 const wrapper = require("./wrapper");
 const csrf = require("csurf");
@@ -40,13 +39,35 @@ const is = require("contractis/is");
 const Trigger = require("@saltcorn/data/models/trigger");
 const s3storage = require("./s3storage");
 const TotpStrategy = require("passport-totp").Strategy;
+const JwtStrategy = require("passport-jwt").Strategy;
+const ExtractJwt = require("passport-jwt").ExtractJwt;
+const cors = require("cors");
+
 const locales = Object.keys(available_languages);
 // i18n configuration
 const i18n = new I18n({
   locales,
   directory: path.join(__dirname, "locales"),
 });
-// todo console.log app instance info when app starts - avoid to show secrets (password, etc)
+// jwt config
+const jwt_secret = db.connectObj.jwt_secret;
+const jwt_extractor = ExtractJwt.fromExtractors([
+  ExtractJwt.fromAuthHeaderWithScheme("jwt"),
+  ExtractJwt.fromUrlQueryParameter("jwt"),
+]);
+const jwtOpts = {
+  jwtFromRequest: jwt_extractor,
+  secretOrKey: jwt_secret,
+  issuer: "saltcorn@saltcorn",
+  audience: "saltcorn-mobile-app",
+};
+
+const disabledCsurf = (req, res, next) => {
+  req.csrfToken = () => "";
+  next();
+};
+
+// todo console.log app instance info when app stxarts - avoid to show secrets (password, etc)
 
 /**
  * @param {object} [opts = {}]
@@ -68,6 +89,8 @@ const getApp = async (opts = {}) => {
   // https://www.npmjs.com/package/helmet
   // helmet is secure app by adding HTTP headers
   app.use(helmet());
+  // TODO ch find a better solution
+  app.use(cors());
   app.use(
     express.json({
       limit: "5mb",
@@ -93,7 +116,14 @@ const getApp = async (opts = {}) => {
   app.use(getSessionStore());
 
   app.use(passport.initialize());
-  app.use(passport.session());
+  app.use(passport.authenticate(["jwt", "session"]));
+  app.use((req, res, next) => {
+    if (jwt_extractor(req) && req.cookies && req.cookies["connect.sid"])
+      throw new Error(
+        "Don't set a session cookie and JSON Web Token at the same time."
+      );
+    next();
+  });
   app.use(flash());
 
   //static serving
@@ -192,6 +222,23 @@ const getApp = async (opts = {}) => {
       }
     })
   );
+  passport.use(
+    new JwtStrategy(jwtOpts, (jwt_payload, done) => {
+      User.findOne({ email: jwt_payload.sub }).then((u) => {
+        if (u) {
+          return done(null, {
+            email: u.email,
+            id: u.id,
+            role_id: u.role_id,
+            language: u.language,
+            tenant: db.getTenantSchema(),
+          });
+        } else {
+          return done(null, { role_id: 10 });
+        }
+      });
+    })
+  );
   passport.use(
     new TotpStrategy(function (user, done) {
       // setup function, supply key and period to done callback
@@ -217,14 +264,22 @@ const getApp = async (opts = {}) => {
   const csurf = csrf();
   if (!opts.disableCsrf)
     app.use(function (req, res, next) {
-      if (req.url.startsWith("/api/")) return next();
+      if (
+        req.url.startsWith("/api/") ||
+        req.url === "/auth/login-with/jwt" ||
+        jwt_extractor(req)
+      )
+        return disabledCsurf(req, res, next);
       csurf(req, res, next);
     });
-  else
-    app.use((req, res, next) => {
-      req.csrfToken = () => "";
-      next();
-    });
+  else app.use(disabledCsurf);
+
+  app.use(function (req, res, next) {
+    if (req.headers["x-saltcorn-client"] === "mobile-app") {
+      req.smr = true; // saltcorn-mobile-request
+    }
+    return next();
+  });
 
   mountRoutes(app);
   // set tenant homepage as / root

package/auth/routes.js

@@ -61,6 +61,8 @@ const fs = require("fs");
 const base32 = require("thirty-two");
 const qrcode = require("qrcode");
 const totp = require("notp").totp;
+const jwt = require("jsonwebtoken");
+
 /**
  * @type {object}
  * @const
@@ -197,6 +199,24 @@ const getAuthLinks = (current, noMethods) => {
   return links;
 };
 
+const loginWithJwt = async (req, res) => {
+  const { email, password } = req.query;
+  const user = await User.findOne({ email });
+  if (user && user.checkPassword(password)) {
+    const jwt_secret = db.connectObj.jwt_secret;
+    const token = jwt.sign(
+      {
+        sub: email,
+        role_id: user.role_id,
+        iss: "saltcorn@saltcorn",
+        aud: "saltcorn-mobile-app",
+      },
+      jwt_secret
+    );
+    res.json(token);
+  }
+};
+
 /**
  * @name get/login
  * @function
@@ -973,15 +993,19 @@ router.get(
   "/login-with/:method",
   error_catcher(async (req, res, next) => {
     const { method } = req.params;
-    const auth = getState().auth_methods[method];
-    if (auth) {
-      passport.authenticate(method, auth.parameters)(req, res, next);
+    if (method === "jwt") {
+      await loginWithJwt(req, res);
     } else {
-      req.flash(
-        "danger",
-        req.__("Unknown authentication method %s", text(method))
-      );
-      res.redirect("/");
+      const auth = getState().auth_methods[method];
+      if (auth) {
+        passport.authenticate(method, auth.parameters)(req, res, next);
+      } else {
+        req.flash(
+          "danger",
+          req.__("Unknown authentication method %s", text(method))
+        );
+        res.redirect("/");
+      }
     }
   })
 );
@@ -1014,7 +1038,7 @@ router.post(
 );
 
 /**
- * @param {object}} req
+ * @param {object} req
  * @param {object} res
  * @returns {void}
  */
@@ -1212,14 +1236,14 @@ const userSettings = async ({ req, res, pwform, user }) => {
                           href: "/auth/twofa/disable/totp",
                           class: "btn btn-danger mt-2",
                         },
-                        "Disable"
+                        req.__("Disable TWA")
                       )
                     : a(
                         {
                           href: "/auth/twofa/setup/totp",
                           class: "btn btn-primary mt-2",
                         },
-                        "Enable"
+                        req.__("Enable TWA")
                       )
                 ),
               ],
@@ -1541,7 +1565,7 @@ router.get(
       contents: [
         h4(req.__("1. Scan this QR code in your Authenticator app")),
         img({ src: image }),
-        p("Or enter this code:"),
+        p(req.__("Or enter this code:")),
         code(pre(encodedKey.toString())),
         h4(
           req.__(
@@ -1669,7 +1693,7 @@ const randomKey = function (len) {
     chars = "abcdefghijklmnopqrstuvwxyz0123456789",
     charlen = chars.length;
 
-  for (var i = 0; i < len; ++i) {
+  for (let i = 0; i < len; ++i) {
     buf.push(chars[getRandomInt(0, charlen - 1)]);
   }
 

package/load_plugins.js

@@ -13,35 +13,39 @@ const fs = require("fs");
 const proc = require("child_process");
 const tmp = require("tmp-promise");
 
+const staticDependencies = {
+  "@saltcorn/markup": require("@saltcorn/markup"),
+  "@saltcorn/markup/tags": require("@saltcorn/markup/tags"),
+  "@saltcorn/markup/layout": require("@saltcorn/markup/layout"),
+  "@saltcorn/markup/helpers": require("@saltcorn/markup/helpers"),
+  "@saltcorn/markup/layout_utils": require("@saltcorn/markup/layout_utils"),
+  "@saltcorn/data": require("@saltcorn/data"),
+  "@saltcorn/data/db": require("@saltcorn/data/db"),
+  "@saltcorn/data/utils": require("@saltcorn/data/utils"),
+  "@saltcorn/data/db/state": require("@saltcorn/data/db/state"),
+  "@saltcorn/data/plugin-helper": require("@saltcorn/data/plugin-helper"),
+  "@saltcorn/data/plugin-testing": require("@saltcorn/data/plugin-testing"),
+  "@saltcorn/data/models/field": require("@saltcorn/data/models/field"),
+  "@saltcorn/data/models/fieldrepeat": require("@saltcorn/data/models/fieldrepeat"),
+  "@saltcorn/data/models/table": require("@saltcorn/data/models/table"),
+  "@saltcorn/data/models/form": require("@saltcorn/data/models/form"),
+  "@saltcorn/data/models/view": require("@saltcorn/data/models/view"),
+  "@saltcorn/data/models/page": require("@saltcorn/data/models/page"),
+  "@saltcorn/data/models/file": require("@saltcorn/data/models/file"),
+  "@saltcorn/data/models/user": require("@saltcorn/data/models/user"),
+  "@saltcorn/data/models/layout": require("@saltcorn/data/models/layout"),
+  "@saltcorn/data/models/expression": require("@saltcorn/data/models/expression"),
+  "@saltcorn/data/models/workflow": require("@saltcorn/data/models/workflow"),
+};
+
 /**
  * Create plugin manager with default list of core plugins
  * @type {PluginManager}
  */
-const manager = new PluginManager({
+const defaultManager = new PluginManager({
   staticDependencies: {
     contractis: require("contractis"),
-    "@saltcorn/markup": require("@saltcorn/markup"),
-    "@saltcorn/markup/tags": require("@saltcorn/markup/tags"),
-    "@saltcorn/markup/layout": require("@saltcorn/markup/layout"),
-    "@saltcorn/markup/helpers": require("@saltcorn/markup/helpers"),
-    "@saltcorn/markup/layout_utils": require("@saltcorn/markup/layout_utils"),
-    "@saltcorn/data": require("@saltcorn/data"),
-    "@saltcorn/data/db": require("@saltcorn/data/db"),
-    "@saltcorn/data/utils": require("@saltcorn/data/utils"),
-    "@saltcorn/data/db/state": require("@saltcorn/data/db/state"),
-    "@saltcorn/data/plugin-helper": require("@saltcorn/data/plugin-helper"),
-    "@saltcorn/data/plugin-testing": require("@saltcorn/data/plugin-testing"),
-    "@saltcorn/data/models/field": require("@saltcorn/data/models/field"),
-    "@saltcorn/data/models/fieldrepeat": require("@saltcorn/data/models/fieldrepeat"),
-    "@saltcorn/data/models/table": require("@saltcorn/data/models/table"),
-    "@saltcorn/data/models/form": require("@saltcorn/data/models/form"),
-    "@saltcorn/data/models/view": require("@saltcorn/data/models/view"),
-    "@saltcorn/data/models/page": require("@saltcorn/data/models/page"),
-    "@saltcorn/data/models/file": require("@saltcorn/data/models/file"),
-    "@saltcorn/data/models/user": require("@saltcorn/data/models/user"),
-    "@saltcorn/data/models/layout": require("@saltcorn/data/models/layout"),
-    "@saltcorn/data/models/expression": require("@saltcorn/data/models/expression"),
-    "@saltcorn/data/models/workflow": require("@saltcorn/data/models/workflow"),
+    ...staticDependencies,
   },
 });
 
@@ -73,9 +77,8 @@ const loadPlugin = async (plugin, force) => {
 };
 
 /**
- *
+ * Git pull or clone
  * @param plugin
- * @param force
  */
 const gitPullOrClone = async (plugin) => {
   await fs.promises.mkdir("git_plugins", { recursive: true });
@@ -102,9 +105,16 @@ const gitPullOrClone = async (plugin) => {
   if (plugin.deploy_private_key) await fs.promises.unlink(keyfnm);
   return dir;
 };
-
-const requirePlugin = async (plugin, force) => {
+/**
+ * Install plugin
+ * @param plugin - plugin name
+ * @param force - force flag
+ * @param manager - plugin manager
+ * @returns {Promise<{plugin_module: *}|{plugin_module: any}>}
+ */
+const requirePlugin = async (plugin, force, manager = defaultManager) => {
   const installed_plugins = (await manager.list()).map((p) => p.name);
+  // todo as idea is to make list of mandatory plugins configurable
   if (
     ["@saltcorn/base-plugin", "@saltcorn/sbadmin2"].includes(plugin.location)
   ) {
@@ -160,6 +170,7 @@ const loadAllPlugins = async () => {
  * Load Plugin and its dependencies and save into local installation
  * @param plugin
  * @param force
+ * @param noSignalOrDB
  * @returns {Promise<void>}
  */
 const loadAndSaveNewPlugin = async (plugin, force, noSignalOrDB) => {
@@ -207,4 +218,5 @@ module.exports = {
   loadAllPlugins,
   loadPlugin,
   requirePlugin,
+  staticDependencies,
 };

package/locales/da.json

@@ -487,7 +487,7 @@
 	"Role to create tenants": "Role to create tenants",
 	"Minimum user role required to create a new tenant": "Minimum user role required to create a new tenant",
 	"Create tenant warning": "Create tenant warning",
-	"Show a warning to users creating a tenant disclaiming warrenty of availability or security": "Show a warning to users creating a tenant disclaiming warrenty of availability or security",
+	"Show a warning to users creating a tenant disclaiming warranty of availability or security": "Show a warning to users creating a tenant disclaiming warranty of availability or security",
 	"Multitenancy settings": "Multitenancy settings",
 	"Actions available": "Actions available",
 	"Event types": "Event types",