@saltcorn/server 0.8.3-alpha.2 → 0.8.3-beta.1

package/auth/admin.js

@@ -1102,7 +1102,7 @@ router.post(
     const { id } = req.params;
     const u = await User.findOne({ id });
     if (u) {
-      u.relogin(req);
+      await u.relogin(req);
       req.flash(
         "success",
         req.__(

package/auth/routes.js

@@ -17,6 +17,7 @@ const {
   loggedIn,
   csrfField,
   setTenant,
+  is_relative_url,
 } = require("../routes/utils.js");
 const { getState } = require("@saltcorn/data/db/state");
 const { send_reset_email } = require("./resetpw");
@@ -323,18 +324,21 @@ router.get("/logout", async (req, res, next) => {
     await user.updateLastMobileLogin(null);
     res.json({ success: true });
   } else if (req.logout) {
-    req.logout();
-    if (req.session.destroy)
-      req.session.destroy((err) => {
-        if (err) return next(err);
-        req.logout();
-        res.redirect("/auth/login");
-      });
-    else {
-      req.logout();
-      req.session = null;
-      res.redirect("/auth/login");
-    }
+    req.logout(function (err) {
+      if (req.session.destroy)
+        req.session.destroy((err) => {
+          if (err) return next(err);
+          req.logout(() => {
+            res.redirect("/auth/login");
+          });
+        });
+      else {
+        req.logout(function (err) {
+          req.session = null;
+          res.redirect("/auth/login");
+        });
+      }
+    });
   }
 });
 
@@ -392,7 +396,7 @@ router.get(
     else if (result) {
       req.flash("success", req.__("Email verified"));
       const u = await User.findForSession({ email });
-      if (u) u.relogin(req);
+      if (u) await u.relogin(req);
     }
     res.redirect("/");
   })
@@ -1075,7 +1079,7 @@ router.post(
     }
     if (getState().get2FApolicy(req.user) === "Mandatory") {
       res.redirect("/auth/twofa/setup/totp");
-    } else if (req.body.dest) {
+    } else if (req.body.dest && is_relative_url(req.body.dest)) {
       res.redirect(decodeURIComponent(req.body.dest));
     } else res.redirect("/");
   })
@@ -1445,15 +1449,15 @@ router.get(
   error_catcher(async (req, res) => {
     const user = await User.findOne({ id: req.user.id });
     if (!user) {
-      req.logout();
-      req.flash("danger", req.__("Must be logged in first"));
-      res.redirect("/auth/login");
-      return;
-    }
-    res.sendWrap(
-      req.__("User settings") || "User settings",
-      await userSettings({ req, res, pwform: changPwForm(req), user })
-    );
+      req.logout(() => {
+        req.flash("danger", req.__("Must be logged in first"));
+        res.redirect("/auth/login");
+      });
+    } else
+      res.sendWrap(
+        req.__("User settings") || "User settings",
+        await userSettings({ req, res, pwform: changPwForm(req), user })
+      );
   })
 );
 
@@ -1615,7 +1619,7 @@ router.all(
       const user = await User.findForSession({ id: req.user.id });
       await user.set_to_verified();
       req.flash("success", req.__("User verified"));
-      user.relogin(req);
+      await user.relogin(req);
     }
     if (wfres.verified === false) {
       req.flash("danger", req.__("User verification failed"));
@@ -1842,7 +1846,7 @@ router.post(
   }),
   error_catcher(async (req, res) => {
     const user = await User.findForSession({ id: req.user.pending_user.id });
-    user.relogin(req);
+    await user.relogin(req);
     Trigger.emitEvent("Login", null, user);
     res.redirect("/");
   })

package/auth/testhelp.js

@@ -233,4 +233,5 @@ module.exports = {
   notAuthorized,
   respondJsonWith,
   toSucceedWithImage,
+  resToLoginCookie,
 };

package/locales/da.json

@@ -679,5 +679,9 @@
 	"Trigger": "Trigger",
 	"All entities": "All entities",
 	"no tags": "no tags",
-	"Add tag": "Add tag"
+	"Add tag": "Add tag",
+	"Pages are the web pages of your application built with a drag-and-drop builder. They have static content, and by embedding views, dynamic content.": "Pages are the web pages of your application built with a drag-and-drop builder. They have static content, and by embedding views, dynamic content.",
+	"Triggers run actions in response to events.": "Triggers run actions in response to events.",
+	"No triggers": "No triggers",
+	"Code": "Code"
 }

package/package.json

@@ -1,18 +1,18 @@
 {
   "name": "@saltcorn/server",
-  "version": "0.8.3-alpha.2",
+  "version": "0.8.3-beta.1",
   "description": "Server app for Saltcorn, open-source no-code platform",
   "homepage": "https://saltcorn.com",
   "main": "index.js",
   "license": "MIT",
   "dependencies": {
-    "@saltcorn/base-plugin": "0.8.3-alpha.2",
-    "@saltcorn/builder": "0.8.3-alpha.2",
-    "@saltcorn/data": "0.8.3-alpha.2",
-    "@saltcorn/admin-models": "0.8.3-alpha.2",
-    "@saltcorn/filemanager": "0.8.3-alpha.2",
-    "@saltcorn/markup": "0.8.3-alpha.2",
-    "@saltcorn/sbadmin2": "0.8.3-alpha.2",
+    "@saltcorn/base-plugin": "0.8.3-beta.1",
+    "@saltcorn/builder": "0.8.3-beta.1",
+    "@saltcorn/data": "0.8.3-beta.1",
+    "@saltcorn/admin-models": "0.8.3-beta.1",
+    "@saltcorn/filemanager": "0.8.3-beta.1",
+    "@saltcorn/markup": "0.8.3-beta.1",
+    "@saltcorn/sbadmin2": "0.8.3-beta.1",
     "@socket.io/cluster-adapter": "^0.1.0",
     "@socket.io/sticky": "^1.0.1",
     "aws-sdk": "^2.1037.0",
@@ -41,16 +41,16 @@
     "node-fetch": "2.6.9",
     "node-watch": "^0.7.2",
     "notp": "2.0.3",
-    "passport": "^0.4.1",
+    "passport": "^0.6.0",
     "passport-custom": "^1.1.1",
     "passport-http-bearer": "^1.0.1",
     "passport-jwt": "4.0.1",
     "passport-totp": "0.0.2",
     "pg": "^8.2.1",
     "pluralize": "^8.0.0",
-    "qrcode": "1.5.0",
+    "qrcode": "1.5.1",
     "resize-with-sharp-or-jimp": "0.1.6",
-    "socket.io": "4.2.0",
+    "socket.io": "4.6.0",
     "thirty-two": "1.0.2",
     "tmp-promise": "^3.0.2",
     "uuid": "^8.2.0",

package/routes/actions.js

@@ -5,7 +5,12 @@
  * @subcategory routes
  */
 const Router = require("express-promise-router");
-const { isAdmin, error_catcher, addOnDoneRedirect } = require("./utils.js");
+const {
+  isAdmin,
+  error_catcher,
+  addOnDoneRedirect,
+  is_relative_url,
+} = require("./utils.js");
 const { getState } = require("@saltcorn/data/db/state");
 const Trigger = require("@saltcorn/data/models/trigger");
 const { getTriggerList } = require("./common_lists");
@@ -524,7 +529,8 @@ router.post(
       }
       req.flash("success", "Action configuration saved");
       res.redirect(
-        req.query.on_done_redirect
+        req.query.on_done_redirect &&
+          is_relative_url(req.query.on_done_redirect)
           ? `/${req.query.on_done_redirect}`
           : "/actions/"
       );

package/routes/admin.js

@@ -603,7 +603,7 @@ router.post(
         snap.created
       ).fromNow()}`
     );
-    res.redirect(`/${type}edit`);
+    res.redirect(/^[a-z]+$/g.test(type) ? `/${type}edit` : "/");
   })
 );
 router.get(
@@ -1820,18 +1820,21 @@ router.post(
       await db.deleteWhere("users");
       await db.deleteWhere("_sc_roles", { not: { id: { in: [1, 4, 8, 10] } } });
       if (db.reset_sequence) await db.reset_sequence("users");
-      req.logout();
-      if (req.session.destroy)
-        req.session.destroy((err) => {
-          req.logout();
-        });
-      else {
-        req.logout();
-        req.session = null;
-      }
-      // todo make configurable - redirect to create first user
-      // redirect to create first user
-      res.redirect(`/auth/create_first_user`);
+      req.logout(function (err) {
+        if (req.session.destroy)
+          req.session.destroy((err) => {
+            req.logout(() => {
+              res.redirect(`/auth/create_first_user`);
+            });
+          });
+        else {
+          req.logout(() => {
+            req.session = null; // todo make configurable - redirect to create first user
+            // redirect to create first user
+            res.redirect(`/auth/create_first_user`);
+          });
+        }
+      });
     } else {
       req.flash(
         "success",

package/routes/delete.js

@@ -6,7 +6,7 @@
 
 const Router = require("express-promise-router");
 
-const { error_catcher } = require("./utils.js");
+const { error_catcher, is_relative_url } = require("./utils.js");
 const Table = require("@saltcorn/data/models/table");
 
 /**
@@ -52,6 +52,9 @@ router.post(
       req.flash("error", e.message);
     }
     if (req.xhr) res.send("OK");
-    else res.redirect(redirect || `/list/${table.name}`);
+    else
+      res.redirect(
+        (is_relative_url(redirect) && redirect) || `/list/${table.name}`
+      );
   })
 );

package/routes/edit.js

@@ -6,7 +6,7 @@
 
 const Router = require("express-promise-router");
 
-const { error_catcher } = require("./utils.js");
+const { error_catcher, is_relative_url } = require("./utils.js");
 const Table = require("@saltcorn/data/models/table");
 
 /**
@@ -46,6 +46,9 @@ router.post(
 
     if (req.xhr) res.send("OK");
     else if (req.get("referer")) res.redirect(req.get("referer"));
-    else res.redirect(redirect || `/list/${table.name}`);
+    else
+      res.redirect(
+        (is_relative_url(redirect) && redirect) || `/list/${table.name}`
+      );
   })
 );

package/routes/pageedit.js

@@ -21,7 +21,12 @@ const { add_to_menu } = require("@saltcorn/admin-models/models/pack");
 const db = require("@saltcorn/data/db");
 const { getPageList } = require("./common_lists");
 
-const { isAdmin, error_catcher, addOnDoneRedirect } = require("./utils.js");
+const {
+  isAdmin,
+  error_catcher,
+  addOnDoneRedirect,
+  is_relative_url,
+} = require("./utils.js");
 const {
   mkTable,
   renderForm,
@@ -422,9 +427,10 @@ router.post(
   error_catcher(async (req, res) => {
     const { pagename } = req.params;
 
-    let redirectTarget = req.query.on_done_redirect
-      ? `/${req.query.on_done_redirect}`
-      : "/pageedit";
+    let redirectTarget =
+      req.query.on_done_redirect && is_relative_url(req.query.on_done_redirect)
+        ? `/${req.query.on_done_redirect}`
+        : "/pageedit";
     const page = await Page.findOne({ name: pagename });
     if (!page) {
       req.flash("error", req.__(`Page %s not found`, pagename));

package/routes/utils.js

@@ -250,13 +250,13 @@ const getGitRevision = () => db.connectObj.git_commit;
  * @returns {session|cookieSession}
  */
 const getSessionStore = () => {
-  if (getState().getConfig("cookie_sessions", false)) {
+  /*if (getState().getConfig("cookie_sessions", false)) {
     return cookieSession({
       keys: [db.connectObj.session_secret || is.str.generate()],
       maxAge: 30 * 24 * 60 * 60 * 1000,
       sameSite: "strict",
     });
-  } else if (db.isSQLite) {
+  } else*/ if (db.isSQLite) {
     var SQLiteStore = require("connect-sqlite3")(session);
     return session({
       store: new SQLiteStore({ db: "sessions.sqlite" }),
@@ -295,6 +295,11 @@ const addOnDoneRedirect = (oldPath, req) => {
   return oldPath;
 };
 
+//https://stackoverflow.com/a/38979205/19839414
+const is_relative_url = (url) => {
+  return typeof url === "string" && !url.includes(":/") && !url.includes("//");
+};
+
 module.exports = {
   sqlsanitize,
   csrfField,
@@ -308,4 +313,5 @@ module.exports = {
   setTenant,
   get_tenant_from_req,
   addOnDoneRedirect,
+  is_relative_url,
 };

package/tests/auth.test.js

@@ -12,6 +12,7 @@ const {
   toSucceed,
   resetToFixtures,
   toNotInclude,
+  resToLoginCookie,
 } = require("../auth/testhelp");
 const db = require("@saltcorn/data/db");
 const { getState } = require("@saltcorn/data/db/state");
@@ -99,14 +100,15 @@ describe("user settings", () => {
   it("should change language", async () => {
     const app = await getApp({ disableCsrf: true });
     const loginCookie = await getAdminLoginCookie();
-    await request(app)
+    const res = await request(app)
       .post("/auth/setlanguage")
       .set("Cookie", loginCookie)
       .send("locale=it")
       .expect(toRedirect("/auth/settings"));
+    const newCookie = resToLoginCookie(res);
     await request(app)
       .get("/auth/settings")
-      .set("Cookie", loginCookie)
+      .set("Cookie", newCookie)
       .expect(toInclude("Cambia password"));
   });
 });