@saltcorn/server 0.9.0-beta.0 → 0.9.0-beta.10

package/app.js

@@ -69,6 +69,39 @@ const disabledCsurf = (req, res, next) => {
   next();
 };
 
+const noCsrfLookup = (state) => {
+  if (!state.plugin_routes) return null;
+  else {
+    const result = new Set();
+    for (const [plugin, routes] of Object.entries(state.plugin_routes)) {
+      for (const url of routes
+        .filter((r) => r.noCsrf === true)
+        .map((r) => r.url)) {
+        result.add(url);
+      }
+    }
+    return result;
+  }
+};
+
+const prepPluginRouter = (pluginRoutes) => {
+  const router = express.Router();
+  for (const [plugin, routes] of Object.entries(pluginRoutes)) {
+    for (const route of routes) {
+      switch (route.method) {
+        case "post":
+          router.post(route.url, error_catcher(route.callback));
+          break;
+        case "get":
+        default:
+          router.get(route.url, error_catcher(route.callback));
+          break;
+      }
+    }
+  }
+  return router;
+};
+
 // todo console.log app instance info when app stxarts - avoid to show secrets (password, etc)
 
 /**
@@ -95,17 +128,23 @@ const getApp = async (opts = {}) => {
   app.use(helmet());
   // TODO ch find a better solution
   app.use(cors());
+  const bodyLimit = getState().getConfig("body_limit");
   app.use(
     express.json({
-      limit: "5mb",
+      limit: bodyLimit ? `${bodyLimit}kb` : "5mb",
       verify: (req, res, buf) => {
         req.rawBody = buf;
       },
     })
   );
-  // extenetede url encoding in use
+  const urlencodedLimit = getState().getConfig("url_encoded_limit");
+  // extended url encoding in use
   app.use(
-    express.urlencoded({ limit: "5mb", extended: true, parameterLimit: 50000 })
+    express.urlencoded({
+      limit: urlencodedLimit ? `${urlencodedLimit}kb` : "5mb",
+      extended: true,
+      parameterLimit: 50000,
+    })
   );
 
   // cookies
@@ -300,21 +339,34 @@ const getApp = async (opts = {}) => {
   app.use("/scapi", scapi);
 
   const csurf = csrf();
-  if (!opts.disableCsrf)
+  let noCsrf = null;
+  if (!opts.disableCsrf) {
+    noCsrf = noCsrfLookup(getState());
     app.use(function (req, res, next) {
       if (
+        noCsrf?.has(req.url) ||
         (req.smr &&
           (req.url.startsWith("/api/") ||
             req.url === "/auth/login-with/jwt" ||
             req.url === "/auth/signup")) ||
-        jwt_extractor(req)
+        jwt_extractor(req) ||
+        req.url === "/auth/callback/saml"
       )
         return disabledCsurf(req, res, next);
       csurf(req, res, next);
     });
-  else app.use(disabledCsurf);
+  } else app.use(disabledCsurf);
 
   mountRoutes(app);
+  // mount plugin router with a callback for changes
+  let pluginRouter = prepPluginRouter(getState().plugin_routes || {});
+  getState().routesChangedCb = () => {
+    pluginRouter = prepPluginRouter(getState().plugin_routes || {});
+    noCsrf = noCsrfLookup(getState());
+  };
+  app.use((req, res, next) => {
+    pluginRouter(req, res, next);
+  });
   // set tenant homepage as / root
   app.get("/", error_catcher(homepage));
   // /robots.txt

package/auth/routes.js

@@ -228,7 +228,7 @@ const loginWithJwt = async (email, password, saltcornApp, res, req) => {
   const loginFn = async () => {
     const publicUserLink = getState().getConfig("public_user_link");
     const jwt_secret = db.connectObj.jwt_secret;
-    if (email && password) {
+    if (email !== undefined && password !== undefined) {
       // with credentials
       const user = await User.findOne({ email });
       if (user && user.checkPassword(password)) {
@@ -1202,25 +1202,21 @@ const loginCallback = (req, res) => () => {
   }
 };
 
-/**
- * @name get/callback/:method
- * @function
- * @memberof module:auth/routes~routesRouter
- */
-router.get(
-  "/callback/:method",
-  error_catcher(async (req, res, next) => {
-    const { method } = req.params;
-    const auth = getState().auth_methods[method];
-    if (auth) {
-      passport.authenticate(method, { failureRedirect: "/auth/login" })(
-        req,
-        res,
-        loginCallback(req, res)
-      );
-    }
-  })
-);
+const callbackFn = async (req, res, next) => {
+  const { method } = req.params;
+  const auth = getState().auth_methods[method];
+  if (auth) {
+    passport.authenticate(method, { failureRedirect: "/auth/login" })(
+      req,
+      res,
+      loginCallback(req, res)
+    );
+  }
+};
+
+router.get("/callback/:method", error_catcher(callbackFn));
+
+router.post("/callback/:method", error_catcher(callbackFn));
 
 /**
  * @param {object} req

package/errors.js

@@ -46,10 +46,10 @@ module.exports =
             ? text(err.message)
             : req.__("An error occurred")
         );
-    } else
-      res
-        .status(code)
-        .sendWrap(
+    } else {
+      const _res = res.status(code);
+      if (_res.sendWrap)
+        _res.sendWrap(
           req.__(headline),
           devmode ? pre(text(err.stack)) : h3(req.__(headline)),
           role === 1 && !devmode ? pre(text(err.message)) : "",
@@ -61,4 +61,15 @@ module.exports =
               )
             : ""
         );
+      else
+        _res.send(
+          `<h2>${
+            err.message
+              ? err.message
+              : req.__
+              ? req.__("An error occurred")
+              : "An error occurred"
+          }</h2>`
+        );
+    }
   };

package/help/Actions.tmd

@@ -0,0 +1,9 @@
+The action chosen will determine what happens when the trigger occurs. 
+After you have chosen an action, there will be further configuration of that action.
+
+The available actions, some of which are only accessible when the trigger is 
+table-related, are: 
+
+{{# for (const [name, action] of Object.entries(scState.actions)) { }}
+* `{{name}}`: {{action.description||""}}
+{{# } }}

package/help/Extra state formula.tmd

@@ -0,0 +1,62 @@
+{{# const srcTable = Table.findOne({ name: query.srcTable }) }}
+{{# const view = View.findOne({ name: query.view_name }) }}
+{{# const destTable = Table.findOne({ id: view.table_id }) }}
+
+The extra state formula when embedding or linking to a view is used
+to influence the row that will be included in that views display, 
+in addition to any selection based on a chosen relationship.
+
+The formula takes the form of a JavaScript object where the object 
+keys are fields (variable names) on the table of the embedded view,
+and the values are the JavaScript expressions for those fields which set the criteria 
+for the rows to be included. For example, if you would like to display 
+all rows where the Active field is true you would use this as the extra
+state formula: `{ active: true }`. This is an object where the only
+key is `active` and its value is `true`. You can have more than one 
+key, for example: 
+
+```
+{ active: true, age: {gt: 21}, manager: user.id }
+``` 
+(See below for using the `user` variable and greater-than filters)
+
+The keys you can use are the variable names on the {{destTable.name}} table:
+
+| Field | Variable name | Type |
+| ----- | ------------- | ---- |
+{{# for (const field of destTable.fields) { }} | {{ field.label }} | `{{ field.name }}` | {{ field.pretty_type }} | 
+{{# } }}
+
+In the value expressions (to the right of the colon) you can use 
+literals (e.g. 17 for numbers or true for booleans; string literals 
+must be enclosed in quotes (single, double or 
+[backtick](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals))). 
+You can also as the value use a more complex JavaScript expression.
+
+You can refer to the logged in user using the variable name user. 
+This is an object and you must use the dot to access user fields,
+e.g. user.id for the logged in users id. A very common scenario 
+is to restrict rows to show to those that belong to the current user. 
+If you have a key to users field called `theUser`, you would use this 
+as the extra state formula: `{theUser: user.id}`
+
+The user object has other fields than the primary key identifier.
+For your login session the user object is:
+
+```
+{{JSON.stringify(user, null, 2)}}
+```
+{{# const userkey = oneOf(Object.keys(user)) }}
+
+For example to use the `{{userkey}}` field on the user object, write `user.{{userkey}}`
+{{# if(srcTable) { }}
+You can also use variables from the currently displayed row in the value expressions, 
+in this case the table {{srcTable.name}}:
+
+| Field | Variable name | Type |
+| ----- | ------------- | ---- |
+{{# for (const field of srcTable.fields) { }} | {{ field.label }} | `{{ field.name }}` | {{ field.pretty_type }} | 
+{{# } }}
+
+{{# } }}
+

package/help/Field views.tmd

@@ -0,0 +1,22 @@
+{{# const table = Table.findOne({ name: query.table_name }) }}
+{{# const mode = query.mode }}
+{{# const field = table.getField(query.field_name) }}
+{{# const fvsObj = field.type === "Key" ? scState.keyFieldviews : field.type === "File" ? scState.fileviews : field.type?.fieldviews || {} }}
+{{# const allFVs = Object.entries(fvsObj) }}
+{{# const myFVs = mode==='filter' ? allFVs.filter(([nm,fv])=>fv.isFilter || fv.isEdit) : mode==='edit' ? allFVs.filter(([nm,fv])=>!fv.isFilter || fv.isEdit) : mode==='show'||mode==='list' ? allFVs.filter(([nm,fv])=>!fv.isFilter && !fv.isEdit) : allFVs }}
+
+The field view determines how a field value is shown to the user and how the 
+user can interact with (or edit, in Edit views) that value. The available 
+field views are determined by the field type and the view pattern. 
+
+Some field views have configuration options which can be used to further 
+customize how the value is displayed or how the user interacts with it. 
+This configuration options will appear in the field settings below the 
+field view choice.
+
+In the table {{ table.name }} the field {{ field.label }} of type 
+{{ field.pretty_type }} has the following available field views:
+
+{{# for (const [name, fv] of myFVs) { }}
+* {{name}}{{mode==='edit' && !fv.isEdit? ` [Not editable]`:''}}: {{fv.description||undefined}}
+{{# } }}

package/help/JavaScript action code.tmd

@@ -0,0 +1,161 @@
+Here you can enter the code that needs to run when this trigger occurs. 
+The action can manipulate rows in the database, manipulate files, interact 
+with remote APIs, or issue directives for the user's display.
+
+Your code can use await at the top level, and should do so whenever calling 
+database queries or other aynchronous code (see example below)
+
+The variable `table` is the associated table (if any; note lowercase). If you want to access a different table,
+use the `Table` variable (note uppercase) to access the Table class of tables (see 
+[documentation for Table class](https://saltcorn.github.io/saltcorn/classes/_saltcorn_data.models.Table-1.html))
+
+Example:
+
+```
+await table.insertRow({name: "Alex", age: 43})
+const otherTable = Table.findOne({name: "Orders"})
+await otherTable.deleteRows({id: order})
+```
+
+In addition to `table` and `Table`, you can use other functions/variables:
+
+#### `console`
+
+Use this to print to the terminal.
+
+Example: `console.log("Hello world")`
+
+#### `Actions`
+
+Use `Actions.{ACTION NAME}` to run an action.
+
+Your available action names are: {{ Object.keys(scState.actions).join(", ") }}
+
+Example: 
+
+```
+await Actions.set_user_language({language: "fr"})
+```
+
+#### `sleep`
+
+A small utility function to sleep for certain number of milliseconds. Use this with await
+
+Example: `await sleep(1000)`
+
+#### `require`
+
+Use require to access NPM packages listed under your [Development settings](/admin/dev)
+
+Example: `const _ = require("underscore")`
+
+#### `fetch` and `fetchJSON`
+
+Use these to make HTTP API calls. `fetch` is the standard JavaScript `fetch` (provided by 
+[node-fetch](https://www.npmjs.com/package/node-fetch#common-usage)). `fetchJSON` performs a fetch 
+and then reads its reponse to JSON
+
+Example: 
+
+```
+const response = await fetch('https://api.github.com/users/github');
+const data = await response.json();
+```
+
+which is the same as
+
+```
+const data = await fetchJSON('https://api.github.com/users/github');
+```
+
+## Return directives
+
+Your code can with its return value give directives to the current page. 
+Valid return values are:
+
+#### `notify`
+
+Send a pop-up notification indicating success to the user
+
+Example: `return { notify: "Order completed!" }`
+
+#### `error`
+
+Send a pop-up notification indicating error to the user.
+
+Example: `return { error: "Invalid command!" }`
+
+If this is triggered by an Edit view with the SubmitWithAjax, 
+halt navigation and stay on page. This can be used for complex validation logic, 
+When added as an Insert or Update trigger. If you delete the inserted row, You 
+may also need to clear the returned id in order to allow the user to continue editing.
+
+Example:
+
+```
+if(amount>cash_on_hand) {
+  await table.deleteRows({ id })
+  return { 
+    error: "Invalid order!",
+    id: null 
+  }
+}
+```
+
+#### `goto`
+
+Navigate to a different URL: 
+
+Example: `return { goto: "https://saltcorn.com" }`
+
+Add `target: "_blank"` to open in a new tab.
+
+#### `reload_page`
+
+Request a page reload with the existing URL.
+
+Example: `return { reload_page: true }`
+
+#### `popup`
+
+Open a URL in a popup: 
+
+Example: 
+
+```
+return { popup: `/view/Orders?id=${parent}` }
+```
+
+#### `download`
+
+Download a file to the client browser.
+
+Example:
+
+```
+return { download: {
+    mimetype: "text/csv",
+    blob: filecontents
+  }
+}
+```
+
+#### `set_fields`
+
+If triggered from an edit view, set fields dynamically in the form. The 
+value should be an object with keys that are field variable names.
+
+Example:
+
+```
+return { set_fields: {
+    zidentifier: `${name.toUpperCase()}-${id}`
+  }
+}
+```
+
+#### `eval_js`
+
+Execute JavaScript in the browser.
+
+Example: `return { eval_js: 'alert("Hello world")' }`

package/help/Table formula constraint.tmd

@@ -1,3 +1,5 @@
+{{# const table = Table.findOne({ name: query.table }) }}
+
 The constraint formula should be a JavaScript expression which evaluates to a 
 boolean (true or false). If the formula evaluates to false then the row is not
 valid and will not be accepted in the table. If you are editing an existing row 
@@ -6,14 +8,14 @@ to the user.
 
 Some examples: 
 
-{{# for (const fml of table.getFormulaExamples("Bool")) { }} * `{{= fml}}`
+{{# for (const fml of table.getFormulaExamples("Bool")) { }} * `{{ fml}}`
 {{# } }}
 
-This formula can use any of the fields in table {{= table.name }} as variables:
+This formula can use any of the fields in table {{ table.name }} as variables:
 
 | Field | Variable name | Type |
 | ----- | ------------- | ---- |
-{{# for (const field of table.fields) { }} | {{= field.label }} | `{{= field.name }}` | {{= field.pretty_type }} | 
+{{# for (const field of table.fields) { }} | {{ field.label }} | `{{ field.name }}` | {{ field.pretty_type }} | 
 {{# } }}
 
 
@@ -32,7 +34,7 @@ The first-order join fields you can use in the constraint formula are:
 
 {{# for (const field of table.fields.filter(f=>f.is_fkey && f.reftable_name)) { }}
 {{#  const reftable = Table.findOne( field.reftable_name); }}
-* Through {{=field.label}} key field: {{= table.fields.map(jf=>`\`${field.name}.${jf.name}\``).join(", ") }}
+* Through {{field.label}} key field: {{ reftable.fields.map(jf=>`\`${field.name}.${jf.name}\``).join(", ") }}
 
 
 {{# } }}

package/help/View patterns.tmd

@@ -0,0 +1,35 @@
+The view pattern is a fundamental concept in Saltcorn that determines how 
+the view will relate to the database table and the overall behavior of the 
+view. A view will always follow one specific view pattern, and will require 
+further configuration according to which view pattern is chosen. This 
+configuration could be as simple as making a few choices, or it could be as 
+complicated as specifying a layout using drag and drop. In addition most view 
+patterns require choosing a single table, which it can use as a source or 
+destination of data, although in many cases data from other tables can be 
+brought in using table relationships.
+
+There are fundamental view patterns in Saltcorn that you will use in 
+every application:
+
+* A List view shows a tabular grid of multiple rows in a table. You can define 
+  its columns which can be data from this or related tables, action buttons or 
+  links to other views.
+
+* An Edit view is a form that can be used to create a new row or edit an existing 
+  row in a table.
+
+* A Show view shows a single existing row in the table. The row must be specified 
+  either by linking or embedding from another view or page.
+
+* A Filter view does not display any data from the table but can be used to set 
+  up user interface elements that determine which rows are shown in other views 
+  on the same page. 
+
+* A Feed view is configured by another view which shows a single row and will 
+  repeat this view for all available rows.
+
+The additional view patterns available in your system are:
+{{# const vts = Object.values(scState.viewtemplates).filter(vt=>!["List","Show","Edit","Filter","Feed",].includes(vt.name))}}
+{{# for (const vt of vts) { }} 
+* {{ vt.name }}{{vt.description ? `: ${vt.description}` : ""}}
+{{# } }}

package/help/Where formula.tmd

@@ -0,0 +1,30 @@
+{{# const srcTable = Table.findOne({ name: query.table_name }) }}
+{{# const field = srcTable.getField(query.field_name) }}
+{{# const refTable = Table.findOne(field.reftable_name) }}
+
+The where formula allows you to restrict the options provided. This can be 
+done according to a static criterion, all according to a dynamic criterion 
+that depends on the value of another form field. 
+
+The formula should take the form of a JavaScript boolean expression such as
+`a === b` or `x>y && w==1` etc.
+
+In this expression you can use variables from the target table from which 
+you are selecting values, here {{ refTable.name }}. These can accessed by 
+their variable nmame. The fields on the table {{ refTable.name }} are:
+
+| Field | Variable name | Type |
+| ----- | ------------- | ---- |
+{{# for (const field of refTable.fields) { }} | {{ field.label }} | `{{ field.name }}` | {{ field.pretty_type }} | 
+{{# } }}
+
+You can also use variables from the current form. In that case the options will
+respond dynamically to the state of the form fields. These form variables must be proceeded by 
+a `$`:
+
+| Field | Variable name | Type |
+| ----- | ------------- | ---- |
+{{# for (const field of srcTable.fields) { }} | {{ field.label }} | `${{ field.name }}` | {{ field.pretty_type }} | 
+{{# } }}
+
+You can mix the two types of variables, as in `a == $b`

package/help/index.js

@@ -1,4 +1,5 @@
 const Table = require("@saltcorn/data/models/table");
+const View = require("@saltcorn/data/models/view");
 const File = require("@saltcorn/data/models/file");
 const _ = require("underscore");
 const fs = require("fs").promises;
@@ -6,10 +7,12 @@ const MarkdownIt = require("markdown-it"),
   md = new MarkdownIt();
 
 const { pre } = require("@saltcorn/markup/tags");
-
+const path = require("path");
+const { getState } = require("@saltcorn/data/db/state");
+const { oneOf } = require("@saltcorn/types/generators");
 const get_md_file = async (topic) => {
   try {
-    const fp = require.resolve(`./${File.normalise(topic)}.tmd`);
+    const fp = path.join(__dirname, `${File.normalise(topic)}.tmd`);
     const fileBuf = await fs.readFile(fp);
     return fileBuf.toString();
   } catch (e) {
@@ -17,20 +20,26 @@ const get_md_file = async (topic) => {
   }
 };
 
-_.templateSettings = {
-  evaluate: /\{\{#(.+?)\}\}/g,
-  interpolate: /\{\{=(.+?)\}\}/g,
+md.renderer.rules.table_open = function (tokens, idx) {
+  return '<table class="help-md">';
 };
 
 const get_help_markup = async (topic, query, req) => {
   try {
-    const context = { user: req.user, Table };
-    if (query.table) {
-      context.table = Table.findOne({ name: query.table });
-    }
+    const context = {
+      user: req.user,
+      Table,
+      View,
+      scState: getState(),
+      query,
+      oneOf,
+    };
     const mdTemplate = await get_md_file(topic);
     if (!mdTemplate) return { markup: "Topic not found" };
-    const template = _.template(mdTemplate);
+    const template = _.template(mdTemplate, {
+      evaluate: /\{\{#(.+?)\}\}/g,
+      interpolate: /\{\{([^#].+?)\}\}/g,
+    });
     const mdTopic = template(context);
     const markup = md.render(mdTopic);
     return { markup };

package/load_plugins.js

@@ -176,9 +176,10 @@ const loadAllPlugins = async () => {
  * @param plugin
  * @param force
  * @param noSignalOrDB
+ * @param manager - optional plugin manager
  * @returns {Promise<void>}
  */
-const loadAndSaveNewPlugin = async (plugin, force, noSignalOrDB) => {
+const loadAndSaveNewPlugin = async (plugin, force, noSignalOrDB, manager) => {
   const tenants_unsafe_plugins = getRootState().getConfig(
     "tenants_unsafe_plugins",
     false
@@ -200,7 +201,8 @@ const loadAndSaveNewPlugin = async (plugin, force, noSignalOrDB) => {
   }
   const { version, plugin_module, location } = await requirePlugin(
     plugin,
-    force
+    force,
+    manager,
   );
 
   // install dependecies