npm - @stamhoofd/backend - Versions diffs - 2.29.0 → 2.30.0 - Mend

@stamhoofd/backend 2.29.0 → 2.30.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
     "name": "@stamhoofd/backend",
-    "version": "2.29.0",
+    "version": "2.30.0",
     "main": "./dist/index.js",
     "exports": {
         ".": {
@@ -36,14 +36,14 @@
         "@simonbackx/simple-encoding": "2.15.1",
         "@simonbackx/simple-endpoints": "1.14.0",
         "@simonbackx/simple-logging": "^1.0.1",
-        "@stamhoofd/backend-i18n": "2.29.0",
-        "@stamhoofd/backend-middleware": "2.29.0",
-        "@stamhoofd/email": "2.29.0",
-        "@stamhoofd/models": "2.29.0",
-        "@stamhoofd/queues": "2.29.0",
-        "@stamhoofd/sql": "2.29.0",
-        "@stamhoofd/structures": "2.29.0",
-        "@stamhoofd/utility": "2.29.0",
+        "@stamhoofd/backend-i18n": "2.30.0",
+        "@stamhoofd/backend-middleware": "2.30.0",
+        "@stamhoofd/email": "2.30.0",
+        "@stamhoofd/models": "2.30.0",
+        "@stamhoofd/queues": "2.30.0",
+        "@stamhoofd/sql": "2.30.0",
+        "@stamhoofd/structures": "2.30.0",
+        "@stamhoofd/utility": "2.30.0",
         "archiver": "^7.0.1",
         "aws-sdk": "^2.885.0",
         "axios": "1.6.8",
@@ -60,5 +60,5 @@
         "postmark": "4.0.2",
         "stripe": "^16.6.0"
     },
-    "gitHead": "0579111a61319f41f3789c570e9f494a648bd07c"
+    "gitHead": "969b619ea8a6d82ce94d3ce8faf5694a3a2e4bb3"
 }

package/src/endpoints/global/registration/PatchUserMembersEndpoint.ts CHANGED Viewed

@@ -1,18 +1,30 @@
 import { AutoEncoderPatchType, Decoder, PatchableArrayAutoEncoder, PatchableArrayDecoder, StringDecoder } from '@simonbackx/simple-encoding';
 import { DecodedRequest, Endpoint, Request, Response } from "@simonbackx/simple-endpoints";
 import { SimpleError } from '@simonbackx/simple-errors';
-import { Document, Member } from '@stamhoofd/models';
+import { Document, Member, mergeTwoMembers, RateLimiter } from '@stamhoofd/models';
 import { MemberWithRegistrationsBlob, MembersBlob } from "@stamhoofd/structures";
 import { AuthenticatedStructures } from '../../../helpers/AuthenticatedStructures';
 import { Context } from '../../../helpers/Context';
 import { MemberUserSyncer } from '../../../helpers/MemberUserSyncer';
 import { PatchOrganizationMembersEndpoint } from '../../global/members/PatchOrganizationMembersEndpoint';
+import { Email } from '@stamhoofd/email';
 type Params = Record<string, never>;
 type Query = undefined;
 type Body = PatchableArrayAutoEncoder<MemberWithRegistrationsBlob>
 type ResponseBody = MembersBlob
+export const securityCodeLimiter = new RateLimiter({
+    limits: [
+        {
+            // Max 10 a day
+            limit: 10,
+            duration: 24 * 60 * 1000 * 60
+        }
+    ]
+});
 /**
  * Allow to add, patch and delete multiple members simultaneously, which is needed in order to sync relational data that is saved encrypted in multiple members (e.g. parents)
  */
@@ -48,43 +60,19 @@ export class PatchUserMembersEndpoint extends Endpoint<Params, Query, Body, Resp
             struct.details.cleanData()
             member.details = struct.details
-            // Check for duplicates and prevent creating a duplicate member by a user
-            const duplicate = await PatchOrganizationMembersEndpoint.checkDuplicate(member);
+            const duplicate = await this.checkDuplicate(member, struct.details.securityCode)
             if (duplicate) {
-                // Merge data
-                duplicate.details.merge(member.details)
-                await duplicate.save()
                 addedMembers.push(duplicate)
-                continue;
+                continue
             }
             await member.save()
             addedMembers.push(member)
         }
-        if (addedMembers.length > 0) {
-            // Give access to created members
-            await Member.users.reverse("members").link(user, addedMembers)
-        }
         // Modify members
-        const members = await Member.getMembersWithRegistrationForUser(user)
-        for (const member of addedMembers) {
-            const updatedMember = members.find(m => m.id === member.id);
-            if (updatedMember) {
-                // Make sure we also give access to other parents
-                await MemberUserSyncer.onChangeMember(updatedMember)
-                if (!updatedMember.users.find(u => u.id === user.id)) {
-                    // Also link the user to the member if the email address is missing in the details
-                    await MemberUserSyncer.linkUser(user.email, updatedMember, true)
-                }
-                await Document.updateForMember(updatedMember.id)
-            }
-        }
+        let members = await Member.getMembersWithRegistrationForUser(user)
         for (let struct of request.body.getPatches()) {
             const member = members.find((m) => m.id == struct.id)
@@ -95,6 +83,7 @@ export class PatchUserMembersEndpoint extends Endpoint<Params, Query, Body, Resp
                     human: "Je probeert een lid aan te passen die niet (meer) bestaat. Er ging ergens iets mis."
                 })
             }
+            const securityCode = struct.details?.securityCode // will get cleared after the filter
             struct = await Context.auth.filterMemberPatch(member, struct)
             if (struct.details) {
@@ -118,6 +107,17 @@ export class PatchUserMembersEndpoint extends Endpoint<Params, Query, Body, Resp
                     field: "details"
                 })
             }
+            const duplicate = await this.checkDuplicate(member, securityCode)
+            if (duplicate) {
+                // Remove the member from the list
+                members.splice(members.findIndex(m => m.id === member.id), 1)
+                // Add new
+                addedMembers.push(duplicate)
+                continue
+            }
             await member.save();
             await MemberUserSyncer.onChangeMember(member)
@@ -125,8 +125,83 @@ export class PatchUserMembersEndpoint extends Endpoint<Params, Query, Body, Resp
             await Document.updateForMember(member.id)
         }
+        // Modify members
+        if (addedMembers.length > 0) {
+            // Give access to created members
+            await Member.users.reverse("members").link(user, addedMembers)
+        }
+        members = await Member.getMembersWithRegistrationForUser(user)
+        for (const member of addedMembers) {
+            const updatedMember = members.find(m => m.id === member.id);
+            if (updatedMember) {
+                // Make sure we also give access to other parents
+                await MemberUserSyncer.onChangeMember(updatedMember)
+                if (!updatedMember.users.find(u => u.id === user.id)) {
+                    // Also link the user to the member if the email address is missing in the details
+                    await MemberUserSyncer.linkUser(user.email, updatedMember, true)
+                }
+                await Document.updateForMember(updatedMember.id)
+            }
+        }
         return new Response(
             await AuthenticatedStructures.membersBlob(members)
         );
     }
+    async checkDuplicate(member: Member, securityCode: string|null|undefined) {
+        // Check for duplicates and prevent creating a duplicate member by a user
+        const duplicate = await PatchOrganizationMembersEndpoint.checkDuplicate(member);
+        if (duplicate) {
+            if (await duplicate.isSafeToMergeDuplicateWithoutSecurityCode()) {
+                console.log("Merging duplicate without security code: allowed for " + duplicate.id)
+            } else if (securityCode) {
+                try {
+                    securityCodeLimiter.track(member.details.name, 1);
+                } catch (e) {
+                    Email.sendWebmaster({
+                        subject: "[Limiet] Limiet bereikt voor aantal beveiligingscodes",
+                        text: "Beste, \nDe limiet werd bereikt voor het aantal beveiligingscodes per dag. \nNaam lid: "+member.details.name+" (ID: "+duplicate.id+")" + "\n\n" + e.message + "\n\nStamhoofd"
+                    })
+                    throw new SimpleError({
+                        code: "too_many_tries",
+                        message: "Too many securityCodes limited",
+                        human: "Oeps! Om spam te voorkomen limiteren we het aantal beveiligingscodes die je kan proberen. Probeer morgen opnieuw.",
+                        field: "details.securityCode"
+                    })
+                }
+                // Entered the security code, so we can link the user to the member
+                if (!duplicate.details.securityCode || securityCode !== duplicate.details.securityCode) {
+                    throw new SimpleError({
+                        code: "invalid_field",
+                        field: 'details.securityCode',
+                        message: "Invalid security code",
+                        human: Context.i18n.$t(`Deze beveiligingscode is ongeldig. Probeer het opnieuw of neem contact op met jouw vereniging om de juiste code te ontvangen.`),
+                        statusCode: 400
+                    })
+                }
+                console.log("Merging duplicate: security code is correct - for " + duplicate.id)
+            } else {
+                throw new SimpleError({
+                    code: "known_member_missing_rights",
+                    message: "Creating known member without sufficient access rights",
+                    human: `${member.details.firstName} is al gekend in ons systeem, maar jouw e-mailadres niet. Om toegang te krijgen heb je de beveiligingscode nodig.`,
+                    statusCode: 400
+                })
+            }
+            // Merge data
+            // NOTE: We use mergeTwoMembers instead of mergeMultipleMembers, because we should never safe 'member' , because that one does not exist in the database
+            await mergeTwoMembers(duplicate, member)
+            return duplicate
+        }
+    }
 }

package/src/helpers/AdminPermissionChecker.ts CHANGED Viewed

@@ -943,6 +943,10 @@ export class AdminPermissionChecker {
             // Notes are not visible for the member.
             data.details.notes = null;
+            if (!(await this.canAccessMember(member, PermissionLevel.Full))) {
+                data.details.securityCode = null;
+            }
             return data;
         }
@@ -968,6 +972,11 @@ export class AdminPermissionChecker {
             }
         }
+        // At least write permissions is required for now to obtain the security code
+        if (!(await this.canAccessMember(member, PermissionLevel.Write))) {
+            cloned.details.securityCode = null
+        }
         return cloned;
     }
@@ -983,6 +992,11 @@ export class AdminPermissionChecker {
             })
         }
+        if (data.details.securityCode !== undefined) {
+            // Unset silently
+            data.details.securityCode = undefined
+        }
         const hasRecordAnswers = !!data.details.recordAnswers;
         const hasNotes = data.details.notes !== undefined;
         const isSetFinancialSupportTrue = data.details.shouldApplyReducedPrice;

package/src/helpers/MemberUserSyncer.ts CHANGED Viewed

@@ -1,6 +1,23 @@
 import { Member, MemberResponsibilityRecord, MemberWithRegistrations, User } from "@stamhoofd/models";
 import { SQL } from "@stamhoofd/sql";
 import { MemberDetails, Permissions, UserPermissions } from "@stamhoofd/structures";
+import crypto from "crypto";
+import basex from "base-x";
+const ALPHABET = '123456789ABCDEFGHJKMNPQRSTUVWXYZ' // Note: we removed 0, O, I and l to make it easier for humans
+const customBase = basex(ALPHABET)
+async function randomBytes(size: number): Promise<Buffer> {
+    return new Promise((resolve, reject) => {
+        crypto.randomBytes(size, (err: Error | null, buf: Buffer) => {
+            if (err) {
+                reject(err);
+                return;
+            }
+            resolve(buf);
+        });
+    });
+}
 export class MemberUserSyncerStatic {
     /**
@@ -9,12 +26,8 @@ export class MemberUserSyncerStatic {
      * - email addresses have changed
      */
     async onChangeMember(member: MemberWithRegistrations, unlinkUsers: boolean = false) {
-        console.log('onchange member', member.id, 'unlink', unlinkUsers)
         const {userEmails, parentAndUnverifiedEmails} = this.getMemberAccessEmails(member.details)
-        console.log('emails', userEmails, parentAndUnverifiedEmails)
         // Make sure all these users have access to the member
         for (const email of userEmails) {
             // Link users that are found with these email addresses.
@@ -56,6 +69,15 @@ export class MemberUserSyncerStatic {
                 }
             }
         }
+        if (member.details.securityCode === null) {
+            console.log("Generating security code for member "+member.id)
+            const length = 16;
+            const code = customBase.encode(await randomBytes(100)).toUpperCase().substring(0, length);
+            member.details.securityCode = code
+            await member.save()
+        }
     }
     getMemberAccessEmails(details: MemberDetails) {

/package/src/seeds/{1722344161-sync-member-users.ts → 1722344162-sync-member-users.ts} RENAMED Viewed

File without changes