npm - @simitgroup/simpleapp-generator - Versions diffs - 2.0.2-s-alpha → 2.0.2-u-alpha - Mend

@simitgroup/simpleapp-generator 2.0.2-s-alpha → 2.0.2-u-alpha

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/ReleaseNote.md CHANGED Viewed

@@ -1,3 +1,13 @@
+[2.0.2u-alpha]
+1. Enforced strict Keycloak token validation on backend (via AuthGuard + UserContext), returning clear 401 for invalid/expired tokens
+2. Blocked user creation when required JWT claims are missing (e.g. uid, email)
+3. Improved frontend session handling: refresh-token failures and consistently redirect to login on 401
+[2.0.2t-alpha]
+1. Fix define type on service file
 [2.0.2s-alpha]
 1. Reduce expired-token issues

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@simitgroup/simpleapp-generator",
-  "version": "2.0.2s-alpha",
+  "version": "2.0.2u-alpha",
   "description": "frontend nuxtjs and backend nests code generator using jsonschema.",
   "main": "dist/index.js",
   "scripts": {

package/templates/basic/nest/service.ts.eta CHANGED Viewed

@@ -93,7 +93,7 @@ export class <%= it.typename %>Service extends SimpleAppService<schema.<%= it.ty
           // <%~ JSON.stringify(fml) %>
           //const tmp = jsonpath.query(vdata,fieldpath).filter((item:string)=>item!='')
             jsonpath.apply($data, '<%~ fml.jsonPath %>', function ($item: schema.<%= fml?.paramType || it.typename %>) {
-                return (<%~ fml.formula %>) as schema.<%= fml?.paramType || it.typename %>;
+                return <%~ fml.formula %>
             })
         <%}) %>
       <%} %>

package/templates/nest/src/simple-app/_core/features/auth/keycloak/keycloak.guard.ts.eta CHANGED Viewed

@@ -6,22 +6,26 @@
  */
 import { Injectable, CanActivate, ExecutionContext, UnauthorizedException } from '@nestjs/common';
 import { Reflector } from '@nestjs/core';
-import { ResourceGuard } from 'nest-keycloak-connect';
+import { AuthGuard, ResourceGuard } from 'nest-keycloak-connect';
+import type { Request } from 'express';
 @Injectable()
 export class CustomKeycloakGuard implements CanActivate {
   constructor(
     private reflector: Reflector,
+    private authGuard: AuthGuard,
     private resourceGuard: ResourceGuard,
   ) {}
   async canActivate(context: ExecutionContext): Promise<boolean> {
-    const request = context.switchToHttp().getRequest();
+    const request = context.switchToHttp().getRequest<Request>();
     //graphql no http request, exclude from capability of x-apikey
     if (request?.headers) {
-      const apiKey = request.headers['x-apikey'];
-      const apiSecret = request.headers['x-apisecret'];
+      const apiKeyHeader = request.headers['x-apikey'];
+      const apiSecretHeader = request.headers['x-apisecret'];
+      const apiKey = Array.isArray(apiKeyHeader) ? apiKeyHeader[0] : apiKeyHeader;
+      const apiSecret = Array.isArray(apiSecretHeader) ? apiSecretHeader[0] : apiSecretHeader;
       // validate apikey and apisecret at middleware level, reach here mean approved as robot
       if (apiKey && apiSecret) {
         return true;
@@ -30,8 +34,15 @@ export class CustomKeycloakGuard implements CanActivate {
     // If API key is not present, fall back to Keycloak authentication
     try {
-      const canActivate = await this.resourceGuard.canActivate(context);
-      return canActivate;
+      // validate and authenticate the token with keycloak
+      const authCanActivate = await this.authGuard.canActivate(context);
+      if (!authCanActivate) {
+        throw new UnauthorizedException('Invalid Keycloak token');
+      }
+      // then enforce resource and role based access control
+      const resourceCanActivate = await this.resourceGuard.canActivate(context);
+      return resourceCanActivate;
     } catch (error) {
       throw new UnauthorizedException('Invalid API key or Keycloak token');
     }

package/templates/nuxt/server/api/auth/[...].ts.eta CHANGED Viewed

@@ -107,6 +107,7 @@ export default NuxtAuthHandler({
                 return {
                     ...token,
                     accessToken: null,
+                    refreshToken: null,
                     expiresAt: 0,
                     error: "RefreshAccessTokenError"
                   };
@@ -126,6 +127,13 @@ export default NuxtAuthHandler({
             // console.log("session", session);
             // Send properties to the client, like an access_token from a provider.
             const sessiondata:any = {...session}
+            if (!token.accessToken || token['error'] === 'RefreshAccessTokenError') {
+                sessiondata.accessToken = null;
+                sessiondata.error = token['error'] ?? 'MissingAccessToken';
+                return sessiondata;
+            }
             sessiondata.accessToken = <string>token.accessToken;
             return sessiondata;
         },

package/templates/nuxt/server/api/profile/[...].ts.eta CHANGED Viewed

@@ -135,7 +135,13 @@ export default defineEventHandler(async (event:any) => {
             }else{
                 if (error.response?.status && error.response.status == 401) {
-                    return sendRedirect(event, '/login', 401)
+                    // return sendRedirect(event, "/login", 401);
+                    reject({
+                        statusMessage: error.response.statusText,
+                        statusCode: 401,
+                        data: error.response.data,
+                    });
+                    return;
                 }
                 reject({
                     statusMessage: error.response.statusText,