@tasenor/common-node 1.9.16

package/src/import/index.ts

@@ -0,0 +1,11 @@
+/**
+ * Helpers for text file processing for importing them to some processing system.
+ *
+ * @module tasenor-common-node/src/import
+ */
+export * from './TextFileProcessHandler'
+export * from './TransactionImportConnector'
+export * from './TransactionImportHandler'
+export * from './TransactionRules'
+export * from './TransactionUI'
+export * from './TransferAnalyzer'

package/src/index.ts

@@ -0,0 +1,12 @@
+export * from './cli'
+export * from './database'
+export * from './error'
+export * from './export'
+export * from './import'
+export * from './net'
+export * from './plugins'
+export * from './process'
+export * from './reports'
+export * from './server'
+export * from './system'
+export * from './testing'

package/src/net/crypto.ts

@@ -0,0 +1,69 @@
+import crypto from 'crypto'
+import bcrypt from 'bcrypt'
+import { Crypto, EncryptedUserData, LoginPluginData, Secret, UUID } from '@dataplug/tasenor-common'
+
+/**
+ * Utility to create and check hashes from passwords.
+ */
+export class Password {
+
+  /**
+   * Create one way hash for a password.
+   * @param password A password.
+   * @returns
+   */
+  static async hash(password: string): Promise<string> {
+    const salt = await bcrypt.genSalt(13)
+    const hash = await bcrypt.hash(password, salt)
+    return hash
+  }
+
+  /**
+   * Verify that given hash has been created from the given password.
+   * @param password
+   * @param hash
+   * @returns
+   */
+  static async compare(password: string, hash: string): Promise<boolean> {
+    return await bcrypt.compare(password, hash)
+  }
+}
+
+/**
+ * Generate a random string of the given length.
+ * @param len
+ */
+export function randomString(len = 32): string {
+  const buf = crypto.randomBytes(len / 2)
+  return buf.toString('hex')
+}
+
+/**
+ * Generate UUID.
+ * @returns A string.
+ */
+export function createUuid(): UUID {
+  function randomDigit() {
+    const rand = crypto.randomBytes(1)
+    return (rand[0] % 16).toString(16)
+  }
+
+  return 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'.replace(/x/g, randomDigit) as UUID
+}
+
+/**
+ * Encode UI data for user.
+ */
+export async function encryptdata({ plugins, prices, subscriptions }: LoginPluginData): Promise<EncryptedUserData> {
+  const result = {
+    key: await Crypto.generateKey(),
+    data: ''
+  }
+  const data = {
+    plugins,
+    prices,
+    subscriptions
+  }
+  result.data = await Crypto.encrypt(result.key as Secret, JSON.stringify(data))
+  return result
+}

package/src/net/git.ts

@@ -0,0 +1,151 @@
+import { DirectoryPath, Email, error, FilePath, log, Url, warning } from '@dataplug/tasenor-common'
+import simpleGit, { SimpleGit } from 'simple-git'
+import gitUrlParse from 'git-url-parse'
+import fs from 'fs'
+import glob from 'fast-glob'
+import path from 'path'
+import { systemPiped } from '../system'
+
+/**
+ * A git repo storage.
+ */
+export class GitRepo {
+
+  url: Url
+  rootDir: DirectoryPath
+  name: string
+  git: SimpleGit
+
+  constructor(url: Url, rootDir: DirectoryPath) {
+    this.url = url
+    this.name = GitRepo.defaultName(url)
+    this.setDir(rootDir)
+    this.git.outputHandler(function(command, stdout, stderr) {
+      stdout.on('data', (str) => log(`GIT: ${str}`.trim()))
+      stderr.on('data', (str) => warning(`GIT: ${str.toString('utf-8')}`.trim()))
+    })
+  }
+
+  get fullPath() : FilePath {
+    return path.join(this.rootDir, this.name) as FilePath
+  }
+
+  /**
+   * Set the git configuration.
+   */
+  configure(name: string, email: Email) {
+    this.git.addConfig('user.name', name).addConfig('user.email', email)
+  }
+
+  /**
+   * Initialize root path and instantiate Simple Git if path exists.
+   */
+  setDir(rootDir: DirectoryPath) {
+    this.rootDir = rootDir
+    if (fs.existsSync(this.fullPath)) {
+      this.git = simpleGit({ baseDir: this.fullPath })
+    } else {
+      this.git = simpleGit()
+    }
+  }
+
+  /**
+   * Delete all if repo exists.
+   */
+  async clean(): Promise<void> {
+    if (!fs.existsSync(this.fullPath)) {
+      return
+    }
+    await fs.promises.rm(this.fullPath, { recursive: true })
+  }
+
+  /**
+   * Clone the repo if it is not yet there. Return true if the repo is available.
+   */
+  async fetch(): Promise<boolean> {
+    if (fs.existsSync(this.fullPath)) {
+      return true
+    }
+    return this.git.clone(this.url, this.fullPath)
+      .then(() => {
+        this.setDir(this.rootDir)
+        return true
+      })
+      .catch(() => {
+        error(`Git fetch from ${this.url} failed.`)
+        return false
+      })
+  }
+
+  /**
+   * List files from repo returning local relative paths.
+   */
+  glob(pattern: string): string[] {
+    const N = this.fullPath.length
+    return glob.sync(this.fullPath + '/' + pattern).map((s: string) => {
+      if (s.substring(0, N) !== this.fullPath) {
+        throw new Error(`Strage. Glob found a file ${s} from repo ${this.fullPath}.`)
+      }
+      return s.substring(N + 1)
+    })
+  }
+
+  /**
+   * Add, commit and push the given files and/or directories.
+   */
+  async put(message: string, ...subPaths: (FilePath | DirectoryPath)[]): Promise<boolean> {
+    let fail = false
+    await this.git.add(subPaths).catch(err => {
+      error(`Git add failed: ${err}`)
+      fail = true
+    })
+    await this.git.commit(message).catch(err => {
+      error(`Git commit failed: ${err}`)
+      fail = true
+    })
+    await this.git.push().catch(err => {
+      error(`Git push failed: ${err}`)
+      fail = true
+    })
+
+    return fail
+  }
+
+  /**
+   * Gather all repos found from the directory.
+   */
+  static async all(dir: DirectoryPath): Promise<GitRepo[]> {
+    const repos: GitRepo[] = []
+    const dotGits = glob.sync(dir + '/*/.git')
+    for (const dotGit of dotGits) {
+      const dir = path.dirname(dotGit) as DirectoryPath
+      const remote = (await simpleGit(dir).getRemotes(true)).find(r => r.name === 'origin')
+      if (remote) {
+        repos.push(new GitRepo(remote.refs.fetch as Url, dir))
+      }
+    }
+    return repos
+  }
+
+  /**
+   * Extract default name from repo URL.
+   */
+  static defaultName(repo: Url): string {
+    const { pathname } = gitUrlParse(repo)
+    return path.basename(pathname).replace(/\.git/, '')
+  }
+
+  /**
+   * Ensure repo is downloaded and return repo instance.
+   */
+  static async get(repoUrl: Url, parentDir: DirectoryPath, runYarnInstall = false): Promise<GitRepo | undefined> {
+    const repo = new GitRepo(repoUrl, parentDir)
+    const fetched = await repo.fetch()
+
+    if (fetched && runYarnInstall) {
+      await systemPiped(`cd "${repo.fullPath}" && yarn install`)
+    }
+
+    return fetched ? repo : undefined
+  }
+}

package/src/net/index.ts

@@ -0,0 +1,10 @@
+/**
+ * Networking security and middleware implementations.
+ *
+ * @module tasenor-common-node/src/net
+ */
+export * from './crypto'
+export * from './git'
+export * from './middleware'
+export * from './tokens'
+export * from './vault'

package/src/net/middleware.ts

@@ -0,0 +1,261 @@
+import cors from 'cors'
+import express, { Request, Response, RequestHandler, ErrorRequestHandler } from 'express'
+import { error, log, MAX_UPLOAD_SIZE, Secret, Token, TokenAudience, Url } from '@dataplug/tasenor-common'
+import { tokens } from './tokens'
+import { vault } from './vault'
+import helmet from 'helmet'
+import { JwtPayload } from 'jsonwebtoken'
+
+/**
+ * Hide tokens from URL.
+ * @param url
+ */
+export function cleanUrl(url: string): string {
+  return url.replace(/\btoken=[^&]+\b/, 'token=xxxx')
+}
+
+/**
+ * A parameter definition to the initial middleware stack.
+ */
+export interface InitialMiddlewareStackDefinition {
+  origin: Url | '*',
+  api?: Url
+}
+
+/**
+ * Construct standard initial part of stack of commonly shared middlewares.
+ */
+export function tasenorInitialStack(args: InitialMiddlewareStackDefinition): RequestHandler[] {
+  const stack : RequestHandler[] = []
+
+  // Add logger.
+  stack.push((req: Request, res: Response, next: (arg?: Error) => unknown) => {
+    if (req.method !== 'OPTIONS') {
+      let owner
+      const token = tokens.get(req)
+      if (token) {
+        const parsed = tokens.parse(token)
+        if (parsed && parsed.payload) {
+          const payload = parsed.payload as JwtPayload
+          owner = payload.data.owner
+          let aud = payload.aud
+          if (payload.aud === 'refresh') {
+            aud = payload.data.audience
+          }
+          switch (aud) {
+            case 'sites':
+              owner = `Site ${owner}`
+              break
+            case 'bookkeeping':
+              owner = `User ${owner}`
+              break
+          }
+        }
+      }
+      const user = owner ? `${owner} from ${req.ip}` : `${req.ip}`
+      const message = `${user} ${req.method} ${req.hostname} ${cleanUrl(req.originalUrl)}`
+      log(message)
+    }
+    next()
+  })
+
+  // Add cors.
+  stack.push(cors({ origin: args.origin }))
+
+  // Add helmet.
+  let contentSecurityPolicy
+  if (args.api) {
+    const apiOrigin = new URL(args.api).origin
+    contentSecurityPolicy = {
+      useDefaults: true,
+      crossOriginResourcePolicy: { policy: 'same-site' },
+      directives: {
+        defaultSrc: ["'self'", apiOrigin],
+        imgSrc: ["'self'", 'data:', apiOrigin],
+        scriptSrc: ["'self'", "'unsafe-eval'"]
+      }
+    }
+    stack.push(helmet({
+      contentSecurityPolicy
+    }))
+  }
+
+  return stack
+}
+
+/**
+ * Construct standard final part of stack of commonly shared middlewares.
+ */
+export function tasenorFinalStack(): (ErrorRequestHandler | RequestHandler)[] {
+  const stack : (ErrorRequestHandler | RequestHandler)[] = []
+
+  // Add error catcher.
+  stack.push((err: Error, req: Request, res: Response, next: (arg?: Error) => unknown) => {
+    error('Internal error:', err)
+    if (res.headersSent) {
+      return next(err)
+    }
+    res.status(500).send({ message: 'Internal server error.' })
+    const message = `${req.ip} ${req.method} ${req.hostname} ${cleanUrl(req.originalUrl)} => ${res.statusCode}`
+    error(message)
+  })
+
+  return stack
+}
+
+/**
+ * A parameter defintion for construcing standard middleware stack.
+ */
+export interface MiddlewareStackDefinition {
+  url?: boolean,
+  json?: boolean,
+  user?: boolean,
+  admin?: boolean,
+  superuser?: boolean,
+  token?: boolean,
+  uuid?: boolean,
+  audience?: TokenAudience | TokenAudience[],
+  upload?: boolean
+}
+
+/**
+ * A constructor for tasenor middleware stack based on the arguments.
+ *
+ * Each flag adds one or more functions to the stack returned.
+ *
+ * Flags:
+ * - `url` Urlenconder parser.
+ * - `json` JSON body parser.
+ * - `token` Look for token from the request, but do not verify it yet.
+ * - `user` Check that user token is present and for bookkeeper.
+ * - `uuid` Check that UUID header is present and parse owner from the token. Verify signature of the token for ANY audience.
+ * - `admin` Check that the valid bookkeeper user token exists and has admin feat.
+ * - `superuser` Check that the valid bookkeeper user token exists and has superuser feat.
+ * - `audience` The token audience to check token against (user or admin implies 'bookkeeper' unless explicitly given).
+ * - `upload` If set, allow much bigger body for request.
+ *
+ * The output on the res.locals is:
+ *
+ * - `token` Raw token string.
+ * - `auth` Content of the token if verified.
+ * - `user` Name of the owner of the token if verified,
+ * - `uuid` If X-UUID header was found, the value of it.
+ * - `owner` Set when UUID is found and token signed for ANY audience.
+ */
+export function tasenorStack({ url, json, user, uuid, admin, superuser, audience, token, upload }: MiddlewareStackDefinition): RequestHandler[] {
+  const stack: RequestHandler[] = []
+
+  // Set automatic up implications.
+  if (superuser) {
+    admin = true
+    token = true
+  }
+  if (admin) {
+    user = true
+    token = true
+  }
+  if (user && !audience) {
+    audience = 'bookkeeping'
+  }
+  if (audience) {
+    token = true
+  }
+  if (uuid) {
+    token = true
+  }
+
+  // Add some space for upload.
+  const params: Record<string, unknown> = {}
+  if (upload) {
+    params.limit = MAX_UPLOAD_SIZE
+  }
+
+  // Add URL encoding middleware.
+  if (url || (upload && !url && !json)) {
+    stack.push(express.urlencoded({ extended: true, ...params }))
+  }
+
+  // Add JSON middleware.
+  if (json) {
+    stack.push(express.json({ ...params }))
+  }
+
+  // Find the token.
+  if (token) {
+    stack.push(async (req: Request, res: Response, next: (arg?: Error) => unknown) => {
+      res.locals.token = tokens.get(req)
+      next()
+    })
+  }
+
+  // Set the UUID and owner.
+  if (uuid) {
+    stack.push(async (req: Request, res: Response, next: (arg?: Error) => unknown) => {
+      if (!res.locals.token) {
+        error('There is no token in the request and we are looking for UUID.')
+        return res.status(403).send({ message: 'Forbidden.' })
+      }
+      const uuid = req.headers['x-uuid']
+      if (!uuid) {
+        error('Cannot find UUID from the request.')
+        return res.status(403).send({ message: 'Forbidden.' })
+      }
+      const parsed = tokens.parse(res.locals.token)
+      if (!parsed) {
+        error(`Cannot parse payload from the token ${res.locals.token}`)
+        return res.status(403).send({ message: 'Forbidden.' })
+      }
+      const payload: JwtPayload = parsed.payload as JwtPayload
+      const audience = payload.aud as TokenAudience
+      const secret = vault.getPrivateSecret()
+      const ok = tokens.verify(res.locals.token, secret, audience)
+      if (!ok) {
+        error(`Failed to verify token ${res.locals.token} for audience ${audience}.`)
+        return res.status(403).send({ message: 'Forbidden.' })
+      }
+      res.locals.uuid = uuid
+      res.locals.owner = ok.owner
+      next()
+    })
+  }
+
+  // Add token check middleware.
+  if (audience) {
+    stack.push(async (req: Request, res: Response, next: (arg?: Error) => unknown) => {
+      const token: Token = res.locals.token
+      if (!token) {
+        error(`Request ${req.method} ${cleanUrl(req.originalUrl)} from ${req.ip} has no token.`)
+        res.status(401).send({ message: 'Unauthorized.' })
+        return
+      }
+      const secret: Secret = audience === 'refresh' ? await vault.get('SECRET') as Secret : vault.getPrivateSecret()
+      if (!secret) {
+        error('Cannot find SECRET.')
+        return res.status(500).send({ message: 'Unable to handle authorized requests at the moment.' })
+      }
+      if (!audience) {
+        return res.status(500).send({ message: 'Internal error.' })
+      }
+      const payload = tokens.verify(token, secret, audience)
+      if (!payload) {
+        error(`Request from ${req.ip} has bad token ${token}`)
+        return res.status(403).send({ message: 'Forbidden.' })
+      }
+      // Check admin.
+      if (admin && !payload.feats.ADMIN && !payload.feats.SUPERUSER) {
+        error(`Request denied for admin access to ${JSON.stringify(payload)}`)
+        return res.status(403).send({ message: 'Forbidden.' })
+      }
+      // Check superuser.
+      if (superuser && !payload.feats.SUPERUSER) {
+        error(`Request denied for superuser access to ${JSON.stringify(payload)}`)
+        return res.status(403).send({ message: 'Forbidden.' })
+      }
+      res.locals.auth = payload
+      res.locals.user = payload.owner
+      next()
+    })
+  }
+
+  return stack
+}

package/src/net/tokens.ts

@@ -0,0 +1,140 @@
+import { error, TokenPayload, Secret, TokenAudience, Token, RefreshTokenPayload, TokenPair, NormalTokenPayload, REFRESH_TOKEN_EXPIRY_TIME, TOKEN_EXPIRY_TIME, TOKEN_ISSUER } from '@dataplug/tasenor-common'
+import jwt, { Jwt } from 'jsonwebtoken'
+import { create } from 'ts-opaque'
+import { vault } from './vault'
+
+/**
+ * Find a token from the request if available.
+ * @param request A HTTP request.
+ */
+function get(request): Token | undefined {
+  let token
+  if (request.query && request.query.token) {
+    token = request.query.token
+  } else if (request.headers.authorization && /^Bearer /.test(request.headers.authorization)) {
+    token = request.headers.authorization.substr(7)
+  }
+  return token
+}
+
+/**
+ * Sign the payload with the given secret.
+ * @param payload
+ * @param expires
+ * @returns A JSON web token.
+ */
+async function sign(payload: TokenPayload, audience: TokenAudience, expires = 0): Promise<Token> {
+  const secret = audience === 'refresh' ? await vault.get('SECRET') as Secret : vault.getPrivateSecret()
+  if (!secret) {
+    throw new Error('Cannot fins secret to sign token.')
+  }
+  if (!expires) {
+    expires = audience === 'refresh' ? REFRESH_TOKEN_EXPIRY_TIME : TOKEN_EXPIRY_TIME
+  }
+  const options = {
+    audience,
+    expiresIn: expires,
+    issuer: TOKEN_ISSUER
+  }
+
+  const token = create(jwt.sign({ data: payload }, secret, options)) as Token
+  return token
+}
+
+/**
+ * Sign both the normal token and refresh token for it.
+ * @param payload
+ * @param audience
+ * @param expires
+ */
+async function sign2(payload: TokenPayload, audience: TokenAudience, expires = 0): Promise<TokenPair> {
+  const token = await sign(payload, audience, expires)
+  const refresh = await sign({ audience, owner: payload.owner, feats: payload.feats, plugins: payload.plugins }, 'refresh', expires * 2)
+  return { token, refresh }
+}
+
+/**
+ * Check the token validity.
+ * @param token
+ * @param secret
+ * @param quiet If set, do not trigger errors.
+ * @returns Token payload if valid.
+ */
+function verify(token: Token, secret: Secret, audience: TokenAudience | TokenAudience[], quiet = false): TokenPayload | null {
+  if (!secret) throw new Error('Cannot verify token since no secret given.')
+  if (!audience) throw new Error('Cannot verify token since no audience given.')
+
+  function fail(msg: string): void {
+    if (!quiet) error(msg)
+  }
+
+  try {
+    const decoded: jwt.JwtPayload = jwt.verify(token, secret, { audience, issuer: [TOKEN_ISSUER] }) as jwt.JwtPayload
+    if (!decoded) {
+      fail('Cannot decode the token.')
+    } else if (!decoded.data) {
+      fail(`Cannot find any payload from the token ${token}.`)
+    } else {
+      if (!decoded.exp) {
+        fail(`Token content ${decoded} does not have exp-field.`)
+        return null
+      }
+      if (decoded.data.audience) {
+        const data = decoded.data as RefreshTokenPayload
+        if (!data.owner || !data.feats) {
+          fail(`Cannot find proper payload from the refresh token with content ${JSON.stringify(decoded)}.`)
+          return null
+        } else {
+          return data
+        }
+      } else {
+        const data = decoded.data as NormalTokenPayload
+        if (!data.owner || !data.feats) {
+          fail(`Cannot find proper payload from the token with content ${JSON.stringify(decoded)}.`)
+          return null
+        } else {
+          return data
+        }
+      }
+    }
+  } catch (err) {
+    fail(`Token verification failed ${err} for ${JSON.stringify(parse(token))}`)
+  }
+  return null
+}
+
+/**
+ * Parse the payload of the token without verifying.
+ * @param token
+ */
+function parse(token: Token): Jwt | null {
+  const decoded = jwt.decode(token, { json: true, complete: true })
+  return decoded
+}
+
+/**
+ * A checker for token validity.
+ * @param token
+ * @param audience
+ * @param quiet If set, do not trigger errors.
+ */
+async function check(token: Token, audience: TokenAudience, quiet = false): Promise<boolean> {
+  if (!token) {
+    return false
+  }
+  const secret = audience === 'refresh' ? await vault.get('SECRET') as Secret : vault.getPrivateSecret()
+  if (!secret) {
+    return false
+  }
+  const payload = tokens.verify(token as Token, secret, audience, quiet)
+  return !!payload
+}
+
+export const tokens = {
+  check,
+  get,
+  parse,
+  sign,
+  sign2,
+  verify
+}