@stamhoofd/backend 2.74.0 → 2.75.0

package/src/services/EventNotificationService.ts

@@ -0,0 +1,201 @@
+import { SimpleError } from '@simonbackx/simple-errors';
+import { EventNotification, Member, MemberResponsibilityRecord, Organization, Platform, sendEmailTemplate, User } from '@stamhoofd/models';
+import { EmailTemplateType, PermissionLevel, Recipient, RecordCategory, Replacement } from '@stamhoofd/structures';
+import { Formatter } from '@stamhoofd/utility';
+import { AdminPermissionChecker } from '../helpers/AdminPermissionChecker';
+import { Context } from '../helpers/Context';
+import { AuthenticatedStructures } from '../helpers/AuthenticatedStructures';
+
+export class EventNotificationService {
+    static async validateType(notification: EventNotification) {
+        const platform = await Platform.getSharedPrivateStruct();
+        const type = platform.config.eventNotificationTypes.find(t => t.id === notification.typeId);
+
+        if (!type) {
+            throw new SimpleError({
+                code: 'invalid_field',
+                message: 'Invalid type',
+                human: Context.i18n.$t('4d8be2b1-559a-4c16-a76f-67a8ba85de7f'),
+                field: 'typeId',
+            });
+        }
+
+        return type;
+    }
+
+    static async cleanAnswers(notification: EventNotification) {
+        const type = await this.validateType(notification);
+        const struct = await AuthenticatedStructures.eventNotification(notification);
+        const patchedStruct = RecordCategory.removeOldAnswers(type.recordCategories, struct);
+        notification.recordAnswers = patchedStruct.getRecordAnswers();
+    }
+
+    static async getSubmitterRecipients(notification: EventNotification): Promise<Recipient[]> {
+        // Send the email to all users with full permissions + the submitter + the creator
+        const type = await this.validateType(notification);
+        const responsibilityIds = type.contactResponsibilityIds;
+        const organizationId = notification.organizationId;
+        const platform = await Platform.getSharedPrivateStruct();
+
+        const recipients: Recipient[] = [];
+
+        if (responsibilityIds.length) {
+            // Query all users with the responsibility
+            const records = await MemberResponsibilityRecord.select()
+                .where('organizationId', organizationId)
+                .andWhere('responsibilityId', responsibilityIds)
+                .andWhere(MemberResponsibilityRecord.whereActive)
+                .fetch();
+            const memberIds = records.map(r => r.memberId);
+            const members = await Member.getByIDs(...memberIds);
+
+            for (const member of members) {
+                if (!member.details.email) {
+                    continue;
+                }
+                recipients.push(Recipient.create({
+                    firstName: member.details.firstName,
+                    lastName: member.details.lastName,
+                    email: member.details.email,
+                }));
+            }
+        }
+
+        if (notification.submittedBy) {
+            const user = await User.getByID(notification.submittedBy);
+            if (user && user.verified) {
+                const p = new AdminPermissionChecker(user, platform);
+
+                if (await p.canAccessEventNotification(notification, PermissionLevel.Write)) {
+                    recipients.push(Recipient.create({
+                        firstName: user.firstName,
+                        lastName: user.lastName,
+                        email: user.email,
+                    }));
+                }
+            }
+        }
+
+        if (notification.createdBy) {
+            const user = await User.getByID(notification.createdBy);
+            if (user && user.verified) {
+                const p = new AdminPermissionChecker(user, platform);
+
+                if (await p.canAccessEventNotification(notification, PermissionLevel.Write)) {
+                    recipients.push(Recipient.create({
+                        firstName: user.firstName,
+                        lastName: user.lastName,
+                        email: user.email,
+                    }));
+                }
+            }
+        }
+
+        // Remove duplicates
+        const emails = new Set<string>();
+        const filteredRecipients: Recipient[] = [];
+        for (const recipient of recipients) {
+            if (!emails.has(recipient.email)) {
+                emails.add(recipient.email);
+                filteredRecipients.push(recipient);
+            }
+        }
+
+        return filteredRecipients;
+    }
+
+    static async getReviewerRecipients(notification: EventNotification): Promise<Recipient[]> {
+        // Find all users that have permission to review this notification
+        const platformAdmins = await User.getPlatformAdmins();
+        const recipients: Recipient[] = [];
+        const platform = await Platform.getSharedPrivateStruct();
+
+        for (const user of platformAdmins) {
+            const p = new AdminPermissionChecker(user, platform);
+
+            if (await p.canReviewEventNotification(notification)) {
+                recipients.push(Recipient.create({
+                    firstName: user.firstName,
+                    lastName: user.lastName,
+                    email: user.email,
+                }));
+            }
+        }
+
+        return recipients;
+    }
+
+    static async getEmailReplacements(notification: EventNotification, forReviewers = false) {
+        const organization = await Organization.getByID(notification.organizationId);
+        if (!organization) {
+            throw new Error('Organization not found');
+        }
+        const events = EventNotification.events.isLoaded(notification) ? notification.events : await EventNotification.events.load(notification);
+        const type = await this.validateType(notification);
+        let submitterName = 'Anoniem';
+
+        if (notification.submittedBy) {
+            const user = await User.getByID(notification.submittedBy);
+            if (user) {
+                submitterName = user.name ?? user.email;
+            }
+        }
+
+        return [
+            Replacement.create({
+                token: 'eventName',
+                value: events.map(e => e.name).join(', '),
+            }),
+            Replacement.create({
+                token: 'organizationName',
+                value: organization.name,
+            }),
+            Replacement.create({
+                token: 'reviewUrl',
+                value: forReviewers ? Context.i18n.localizedDomains.adminUrl + '/kampmeldingen/' + encodeURIComponent(notification.id) : (events.length === 0 ? organization.getBaseStructure().dashboardUrl : (organization.getBaseStructure().dashboardUrl + '/activiteiten/' + events[0].id + '/' + Formatter.slug(type.title))),
+            }),
+            Replacement.create({
+                token: 'dateRange',
+                value: Formatter.dateRange(notification.startDate, notification.endDate, undefined, false),
+            }),
+            Replacement.create({
+                token: 'submitterName',
+                value: submitterName,
+            }),
+            Replacement.create({
+                token: 'feedbackText',
+                html: notification.feedbackText ? `<p class="pre-wrap"><em>${Formatter.escapeHtml(notification.feedbackText)}</em></p>` : `<p class="pre-wrap"><em>${Formatter.escapeHtml($t('4c3149b3-e02a-4071-bf21-941711e0238d'))}</em></p>`,
+            }),
+        ];
+    }
+
+    static async sendSubmitterEmail(type: EmailTemplateType, notification: EventNotification) {
+        if (notification.endDate < new Date()) {
+            // Ignore
+            return;
+        }
+        await sendEmailTemplate(null, {
+            recipients: await this.getSubmitterRecipients(notification),
+            template: {
+                type,
+            },
+            defaultReplacements: await this.getEmailReplacements(notification),
+            type: 'transactional',
+        });
+    }
+
+    static async sendReviewerEmail(type: EmailTemplateType, notification: EventNotification) {
+        if (notification.endDate < new Date()) {
+            // Ignore
+            return;
+        }
+        await sendEmailTemplate(null, {
+            recipients: await this.getReviewerRecipients(notification),
+            template: {
+                type,
+            },
+            defaultReplacements: await this.getEmailReplacements(notification, true),
+            type: 'transactional',
+        });
+    }
+};

package/src/services/FileSignService.ts

@@ -0,0 +1,227 @@
+import { DecodedRequest, Request, Response } from '@simonbackx/simple-endpoints';
+import { SimpleError } from '@simonbackx/simple-errors';
+import { File } from '@stamhoofd/structures';
+import AWS from 'aws-sdk';
+import * as jose from 'jose';
+import chalk from 'chalk';
+
+/**
+ * This service creates signed urls for valid files
+ */
+export class FileSignService {
+    static s3 = new AWS.S3({
+        endpoint: STAMHOOFD.SPACES_ENDPOINT,
+        accessKeyId: STAMHOOFD.SPACES_KEY,
+        secretAccessKey: STAMHOOFD.SPACES_SECRET,
+    });
+
+    static async load() {
+        /**
+         * Note the algorithm is only used for signing. For verification the algorithm inside the public keys are used
+         */
+        const alg = STAMHOOFD.FILE_SIGNING_ALG || 'ES256';
+
+        if (!STAMHOOFD.FILE_SIGNING_PUBLIC_KEY || !STAMHOOFD.FILE_SIGNING_PRIVATE_KEY) {
+            if (STAMHOOFD.environment !== 'development') {
+                throw new Error('Missing environment variables for file signing. Please make sure FILE_SIGNING_PUBLIC_KEY, FILE_SIGNING_PRIVATE_KEY and FILE_SIGNING_ALG are set.');
+            }
+
+            console.warn(chalk.yellow('File signing is disabled because the environment variables are not set. Please make sure FILE_SIGNING_PUBLIC_KEY, FILE_SIGNING_PRIVATE_KEY and FILE_SIGNING_ALG are set.'));
+
+            const { publicKey, privateKey } = await jose.generateKeyPair(alg);
+
+            const exportedPublicKey = await jose.exportJWK(publicKey);
+            const exportedPrivateKey = await jose.exportJWK(privateKey);
+
+            console.log('Example keys you can use in your development environment:');
+            console.log('FILE_SIGNING_PUBLIC_KEY:', JSON.stringify(exportedPublicKey));
+            console.log('FILE_SIGNING_ALG:', JSON.stringify(exportedPrivateKey));
+
+            return;
+        }
+
+        const privateKey = await jose.importJWK(STAMHOOFD.FILE_SIGNING_PRIVATE_KEY!);
+
+        // Support for multiple public keys (in case we need to rotate keys)
+        const jwks = jose.createLocalJWKSet({
+            keys: [
+                STAMHOOFD.FILE_SIGNING_PUBLIC_KEY!,
+            ],
+        });
+
+        File.verifyFile = async (file) => {
+            if (!file.signature) {
+                return false;
+            }
+
+            try {
+                const { payload, protectedHeader } = await jose.compactVerify(file.signature, jwks);
+
+                // Check if payload matches the file
+                const decoded = (new TextDecoder().decode(payload));
+                if (decoded !== file.signPayload) {
+                    console.error('Invalid payload:', decoded);
+                    return false;
+                }
+
+                return true;
+            }
+            catch (e) {
+                if (e instanceof jose.errors.JWSSignatureVerificationFailed) {
+                    return false;
+                }
+                console.error('Failed to verify file:', e);
+                return false;
+            }
+        };
+
+        File.signFile = async (file) => {
+            if (!STAMHOOFD.FILE_SIGNING_PRIVATE_KEY) {
+                return;
+            }
+            const jws = await new jose.CompactSign(
+                new TextEncoder().encode(file.signPayload),
+            )
+                .setProtectedHeader({ alg })
+                .sign(privateKey);
+
+            file.signature = jws;
+        };
+    }
+
+    static async fillSignedUrl(file: File, duration = 60 * 60) {
+        if (!file.isPrivate) {
+            if (file.signedUrl) {
+                console.error('Warning: public file has a signed url');
+                // this will not be encoded because of the file encode implementation
+            }
+            return;
+        }
+
+        // Only created signed urls for files that were generated by our own server
+        if (!await file.verify()) {
+            console.error('Failed to verify file:', file.id);
+            return;
+        }
+
+        console.log('Signing file:', file.id);
+
+        if (file.signedUrl) {
+            console.error('Warning: file already signed');
+        }
+
+        try {
+            const url = await this.s3.getSignedUrlPromise('getObject', {
+                Bucket: STAMHOOFD.SPACES_BUCKET,
+                Key: file.path,
+                Expires: duration,
+            });
+
+            console.log('Signed url:', url);
+
+            return new File({
+                ...file,
+                signedUrl: url,
+            });
+        }
+        catch (e) {
+            console.error('Failed to sign file:', e);
+            return file;
+        }
+    }
+
+    static async fillSignedUrlsForStruct(data: any) {
+        if (data instanceof File) {
+            return await this.fillSignedUrl(data);
+        }
+
+        if (Array.isArray(data)) {
+            for (let i = 0; i < data.length; i++) {
+                const value = data[i];
+                const r = await this.fillSignedUrlsForStruct(value);
+                if (r !== undefined) {
+                    data[i] = r;
+                }
+            }
+            return;
+        }
+
+        if (data instanceof Map) {
+            for (const [key, value] of data.entries()) {
+                const r = await this.fillSignedUrlsForStruct(value);
+
+                if (r !== undefined) {
+                    data.set(key, r);
+                    continue;
+                }
+            }
+            return;
+        }
+
+        // Loop all keys and search for File objects + replace them with the signed variant
+        if (typeof data === 'object' && data !== null) {
+            for (const key in data) {
+                const r = await this.fillSignedUrlsForStruct(data[key]);
+                if (r !== undefined) {
+                    data[key] = r;
+                }
+            }
+            return;
+        }
+    }
+
+    static async verifyFilesInStruct(data: any) {
+        if (data instanceof File) {
+            if (!data.isPrivate) {
+                return;
+            }
+
+            // Clear all incoming signed urls
+            data.signedUrl = null;
+
+            if (!await data.verify()) {
+                // This is the first level of defence - it prevents the server from storing untrusted files
+                // but in the case this check is bypassed, we still need to check the signature when creating signed urls
+                throw new SimpleError({
+                    code: 'invalid_signature',
+                    message: 'Invalid signature for file',
+                    human: $t('Je probeert een bestand up te loaden dat niet door ons is gegenereerd. Probeer het opnieuw.'),
+                });
+            }
+            return;
+        }
+
+        if (Array.isArray(data)) {
+            for (const value of data) {
+                await this.verifyFilesInStruct(value);
+            }
+            return;
+        }
+
+        if (data instanceof Map) {
+            for (const [key, value] of data.entries()) {
+                await this.verifyFilesInStruct(value);
+            }
+            return;
+        }
+
+        // Loop all keys and search for File objects + replace them with the signed variant
+        if (typeof data === 'object' && data !== null) {
+            for (const key in data) {
+                await this.verifyFilesInStruct(data[key]);
+            }
+            return;
+        }
+    }
+
+    static async handleResponse(request: Request, response: Response) {
+        const r = await this.fillSignedUrlsForStruct(response.body);
+        if (r !== undefined) {
+            response.body = r;
+        }
+    }
+
+    static async handleDecodedRequest(decodedRequest: DecodedRequest<unknown, unknown, unknown>, _endpoint) {
+        await this.verifyFilesInStruct(decodedRequest.body);
+    }
+}

package/src/sql-filters/event-notifications.ts

@@ -0,0 +1,39 @@
+import { SQL, SQLFilterDefinitions, baseSQLFilterCompilers, createSQLColumnFilterCompiler, createSQLJoinedRelationFilterCompiler, createSQLRelationFilterCompiler } from '@stamhoofd/sql';
+import { eventFilterCompilers } from './events';
+import { organizationFilterCompilers } from './organizations';
+
+export const organizationJoin = SQL.join('organizations').where(SQL.column('organizations', 'id'), SQL.column('event_notifications', 'organizationId'));
+
+export const eventNotificationsFilterCompilers: SQLFilterDefinitions = {
+    ...baseSQLFilterCompilers,
+    id: createSQLColumnFilterCompiler('id'),
+    typeId: createSQLColumnFilterCompiler('typeId'),
+    periodId: createSQLColumnFilterCompiler('periodId'),
+    organizationId: createSQLColumnFilterCompiler('organizationId'),
+    startDate: createSQLColumnFilterCompiler('startDate'),
+    endDate: createSQLColumnFilterCompiler('endDate'),
+    submittedAt: createSQLColumnFilterCompiler('submittedAt'),
+    createdAt: createSQLColumnFilterCompiler('createdAt'),
+    status: createSQLColumnFilterCompiler('status'),
+    organization: createSQLJoinedRelationFilterCompiler(
+        organizationJoin,
+        organizationFilterCompilers,
+    ),
+    events: createSQLRelationFilterCompiler(
+        SQL.select()
+            .from(
+                SQL.table('events'),
+            ).join(
+                SQL.join(
+                    SQL.table('_event_notifications_events'),
+                ).where(
+                    SQL.column('_event_notifications_events', 'eventsId'),
+                    SQL.column('events', 'id'),
+                ),
+            ).where(
+                SQL.column('_event_notifications_events', 'event_notificationsId'),
+                SQL.column('event_notifications', 'id'),
+            ),
+        eventFilterCompilers,
+    ),
+};

package/src/sql-filters/organizations.ts

@@ -22,7 +22,7 @@ import { SetupStepType } from '@stamhoofd/structures';
 export const organizationFilterCompilers: SQLFilterDefinitions = {
     ...baseSQLFilterCompilers,
     id: createSQLExpressionFilterCompiler(SQL.column('organizations', 'id')),
-    uriPadded: createSQLExpressionFilterCompiler(SQL.lpad(SQL.column('organizations', 'uri'), 100, '0')),
+    uriPadded: createSQLExpressionFilterCompiler(SQL.lpad(SQL.column('organizations', 'uri'), 10, '0')),
     uri: createSQLExpressionFilterCompiler(SQL.column('organizations', 'uri')),
     name: createSQLExpressionFilterCompiler(
         SQL.column('organizations', 'name'),

package/src/sql-sorters/event-notifications.ts

@@ -0,0 +1,96 @@
+import { SQLResultNamespacedRow } from '@simonbackx/simple-database';
+import { SQL, SQLOrderBy, SQLOrderByDirection, SQLSortDefinitions } from '@stamhoofd/sql';
+import { Formatter } from '@stamhoofd/utility';
+import { organizationJoin } from '../sql-filters/event-notifications';
+
+export const eventNotificationsSorters: SQLSortDefinitions<SQLResultNamespacedRow> = {
+    // WARNING! TEST NEW SORTERS THOROUGHLY!
+    // Try to avoid creating sorters on fields that er not 1:1 with the database, that often causes pagination issues if not thought through
+    // An example: sorting on 'name' is not a good idea, because it is a concatenation of two fields.
+    // You might be tempted to use ORDER BY firstName, lastName, but that will not work as expected and it needs to be ORDER BY CONCAT(firstName, ' ', lastName)
+    // Why? Because ORDER BY firstName, lastName produces a different order dan ORDER BY CONCAT(firstName, ' ', lastName) if there are multiple people with spaces in the first name
+    // And that again causes issues with pagination because the next query will append a filter of name > 'John Doe' - causing duplicate and/or skipped results
+    // What if you need mapping? simply map the sorters in the frontend: name -> firstname, lastname, age -> birthDay, etc.
+
+    'id': {
+        getValue(a) {
+            return a['event_notifications'].id;
+        },
+        toSQL: (direction: SQLOrderByDirection): SQLOrderBy => {
+            return new SQLOrderBy({
+                column: SQL.column('id'),
+                direction,
+            });
+        },
+    },
+    'status': {
+        getValue(a) {
+            return a['event_notifications'].status;
+        },
+        toSQL: (direction: SQLOrderByDirection): SQLOrderBy => {
+            return new SQLOrderBy({
+                column: SQL.column('status'),
+                direction,
+            });
+        },
+    },
+    'startDate': {
+        getValue(a) {
+            return Formatter.dateTimeIso(a['event_notifications'].startDate as Date, 'UTC');
+        },
+        toSQL: (direction: SQLOrderByDirection): SQLOrderBy => {
+            return new SQLOrderBy({
+                column: SQL.column('startDate'),
+                direction,
+            });
+        },
+    },
+    'endDate': {
+        getValue(a) {
+            return Formatter.dateTimeIso(a['event_notifications'].endDate as Date, 'UTC');
+        },
+        toSQL: (direction: SQLOrderByDirection): SQLOrderBy => {
+            return new SQLOrderBy({
+                column: SQL.column('endDate'),
+                direction,
+            });
+        },
+    },
+    'submittedAt': {
+        getValue(a) {
+            return a['event_notifications'].submittedAt !== null ? Formatter.dateTimeIso(a['event_notifications'].submittedAt as Date, 'UTC') : null;
+        },
+        toSQL: (direction: SQLOrderByDirection): SQLOrderBy => {
+            return new SQLOrderBy({
+                column: SQL.column('submittedAt'),
+                direction,
+            });
+        },
+    },
+    'organization.name': {
+        getValue(a) {
+            return a.organizations.name;
+        },
+        toSQL: (direction: SQLOrderByDirection): SQLOrderBy => {
+            return new SQLOrderBy({
+                column: SQL.column('organizations', 'name'),
+                direction,
+            });
+        },
+        join: organizationJoin,
+        select: [SQL.column('organizations', 'name')],
+    },
+    'organization.uriPadded': {
+        getValue(a) {
+            return (a.organizations.uri as string).padStart(10, '0');
+        },
+        toSQL: (direction: SQLOrderByDirection): SQLOrderBy => {
+            return new SQLOrderBy({
+                column: SQL.lpad(SQL.column('organizations', 'uri'), 10, '0'),
+                direction,
+            });
+        },
+        join: organizationJoin,
+        select: [SQL.column('organizations', 'uri')],
+    },
+};

package/src/sql-sorters/events.ts

@@ -35,7 +35,7 @@ export const eventSorters: SQLSortDefinitions<Event> = {
     },
     startDate: {
         getValue(a) {
-            return Formatter.dateTimeIso(a.startDate);
+            return Formatter.dateTimeIso(a.startDate, 'UTC');
         },
         toSQL: (direction: SQLOrderByDirection): SQLOrderBy => {
             return new SQLOrderBy({
@@ -46,7 +46,7 @@ export const eventSorters: SQLSortDefinitions<Event> = {
     },
     endDate: {
         getValue(a) {
-            return Formatter.dateTimeIso(a.endDate);
+            return Formatter.dateTimeIso(a.endDate, 'UTC');
         },
         toSQL: (direction: SQLOrderByDirection): SQLOrderBy => {
             return new SQLOrderBy({

package/src/sql-sorters/organizations.ts

@@ -45,11 +45,11 @@ export const organizationSorters: SQLSortDefinitions<Organization> = {
     },
     uriPadded: {
         getValue(a) {
-            return a.uri.padStart(100, '0');
+            return a.uri.padStart(10, '0');
         },
         toSQL: (direction: SQLOrderByDirection): SQLOrderBy => {
             return new SQLOrderBy({
-                column: SQL.lpad(SQL.column('uri'), 100, '0'),
+                column: SQL.lpad(SQL.column('uri'), 10, '0'),
                 direction,
             });
         },