@tiledesk/tiledesk-server 2.10.3 → 2.10.5

package/CHANGELOG.md

@@ -5,6 +5,15 @@
 🚀        IN PRODUCTION                        🚀
 (https://www.npmjs.com/package/@tiledesk/tiledesk-server/v/2.3.77) 
 
+# 2.10.5
+- Fix bug on access chatbot route rules
+- Fix bug update chatbot avatar
+
+# 2.10.4
+- Removed temporary conversation from default query to get all requests
+- Removed draft conversation from requests count
+- Improved security
+
 # 2.10.3
 - Added support for formatType in openai completions
 

package/app.js

@@ -558,8 +558,8 @@ app.use('/:projectid/intents', [passport.authenticate(['basic', 'jwt'], { sessio
 app.use('/:projectid/faqpub', faqpub);
 
 //deprecated
-app.use('/:projectid/faq_kb', [passport.authenticate(['basic', 'jwt'], { session: false }), validtoken, roleChecker.hasRoleOrTypes('agent', ['bot','subscription'])], faq_kb);
-app.use('/:projectid/bots', [passport.authenticate(['basic', 'jwt'], { session: false }), validtoken, roleChecker.hasRoleOrTypes('agent', ['bot','subscription'])], faq_kb);
+app.use('/:projectid/faq_kb', [passport.authenticate(['basic', 'jwt'], { session: false }), validtoken], faq_kb);
+app.use('/:projectid/bots', [passport.authenticate(['basic', 'jwt'], { session: false }), validtoken], faq_kb);
 
 
 
@@ -603,7 +603,7 @@ app.use('/:projectid/segments',[passport.authenticate(['basic', 'jwt'], { sessio
 app.use('/:projectid/openai', openai);
 app.use('/:projectid/quotes', [passport.authenticate(['basic', 'jwt'], { session: false }), validtoken, roleChecker.hasRoleOrTypes('agent', ['bot','subscription'])], quotes)
 
-app.use('/:projectid/integration', [passport.authenticate(['basic', 'jwt'], { session: false }), validtoken, roleChecker.hasRoleOrTypes('agent', ['bot','subscription'])], integration )
+app.use('/:projectid/integration', [passport.authenticate(['basic', 'jwt'], { session: false }), validtoken, roleChecker.hasRoleOrTypes('admin', ['bot','subscription'])], integration )
 
 app.use('/:projectid/kbsettings', [passport.authenticate(['basic', 'jwt'], { session: false }), validtoken, roleChecker.hasRoleOrTypes('agent', ['bot','subscription'])], kbsettings);
 app.use('/:projectid/kb', [passport.authenticate(['basic', 'jwt'], { session: false }), validtoken, roleChecker.hasRoleOrTypes('admin', ['bot','subscription'])], kb);

package/errorCodes.js

@@ -0,0 +1,32 @@
+const errorCodes = {
+  AUTH: {
+    BASE_CODE: 10000,
+    ERRORS: {
+      USER_NOT_FOUND: 10001,
+      //AUTH_FAILED: 10002,
+      //PERMISSION_DENIED: 10003,
+      MISSING_VERIFICATION_CODE: 10004,
+      VERIFICATION_CODE_EXPIRED: 10005,
+      VERIFICATION_CODE_OTHER_USER: 10006
+    },
+  },
+  USER: {
+    BASE_CODE: 10000,
+    ERRORS: {
+      USER_NOT_FOUND: 10001,
+      AUTH_FAILED: 10002,
+      PERMISSION_DENIED: 10003,
+    },
+  },
+  PROJECT: {
+    BASE_CODE: 11000,
+    ERRORS: {
+      PROJECT_NOT_FOUND: 11001,
+      CREATE_FAILED: 11002,
+      ACCESS_DENIED: 11003,
+    },
+  },
+  // Aggiungi altre route
+};
+
+module.exports = errorCodes;

package/middleware/has-role.js

@@ -105,10 +105,11 @@ class RoleChecker {
 
         // same route doesnt contains projectid so you can't use that
           // winston.debug("req.params.projectid: " + req.params.projectid);
-          if (!req.params.projectid) {
+          if (!req.params.projectid && !req.projectid) {
             return res.status(400).send({success: false, msg: 'req.params.projectid is not defined.'});
           }
 
+          let projectid = req.params.projectid || req.projectid;
 
         //  winston.info("req.user._id: " + req.user._id);
 
@@ -137,12 +138,12 @@ class RoleChecker {
           // project_user_qui_importante
 
           // JWT_HERE
-          var query = { id_project: req.params.projectid, id_user: req.user._id, status: "active"};
-          let cache_key = req.params.projectid+":project_users:iduser:"+req.user._id
+          var query = { id_project: projectid, id_user: req.user._id, status: "active"};
+          let cache_key = projectid+":project_users:iduser:"+req.user._id
 
           if (req.user.sub && (req.user.sub=="userexternal" || req.user.sub=="guest")) {
-            query = { id_project: req.params.projectid, uuid_user: req.user._id, status: "active"};
-            cache_key = req.params.projectid+":project_users:uuid_user:"+req.user._id
+            query = { id_project: projectid, uuid_user: req.user._id, status: "active"};
+            cache_key = projectid+":project_users:uuid_user:"+req.user._id
           }
           winston.debug("hasRoleOrType query " + JSON.stringify(query));
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@tiledesk/tiledesk-server",
   "description": "The Tiledesk server module",
-  "version": "2.10.3",
+  "version": "2.10.5",
   "scripts": {
     "start": "node ./bin/www",
     "pretest": "mongodb-runner start",
@@ -36,7 +36,7 @@
     "@tiledesk-ent/tiledesk-server-visitorcounter": "^1.1.1"
   },
   "dependencies": {
-    "@tiledesk/tiledesk-apps": "^1.0.22",
+    "@tiledesk/tiledesk-apps": "^1.0.25",
     "@tiledesk/tiledesk-chat21-app": "^1.1.8",
     "@tiledesk/tiledesk-chatbot-templates": "^0.1.2",
     "@tiledesk/tiledesk-chatbot-util": "^0.8.33",

package/pubmodules/canned/cannedResponseRoute.js

@@ -2,6 +2,7 @@ var express = require('express');
 var router = express.Router();
 var CannedResponse = require("./cannedResponse");
 var winston = require('../../config/winston');
+const RoleConstants = require('../../models/roleConstants');
 // const CannedResponseEvent = require('../event/CannedResponseEvent');
 
 
@@ -35,8 +36,11 @@ router.post('/', function (req, res) {
   });
 });
 
-router.put('/:cannedResponseid', function (req, res) {
+router.put('/:cannedResponseid', async function (req, res) {
   winston.debug(req.body);
+  let canned_id = req.params.cannedResponseid;
+  let user_role = req.projectuser.role;
+  
   var update = {};
   
   if (req.body.title!=undefined) {
@@ -48,23 +52,86 @@ router.put('/:cannedResponseid', function (req, res) {
   if (req.body.attributes!=undefined) {
     update.attributes = req.body.attributes;
   }
+
+  let canned = await CannedResponse.findById(canned_id).catch((err) => {
+    winston.error("Error finding canned response: ", err);
+    return res.status(500).send({ success: false, error: "General error: cannot find the canned response with id " + canned_id })
+  })
+
+  if (!canned) {
+    winston.verbose("Canned response with id " + canned_id + " not found.");
+    return res.status(404).send({ success: false, error: "Canned response with id " + canned_id + " not found." })
+  }
+
+  /**
+   * Change type from mongoose object to javascript standard object.
+   * Otherwise hasOwnProperty wouldn't works.
+   */
+  canned = canned.toObject();
+
+  if (user_role === RoleConstants.AGENT) {
+    if (canned.createdBy !== req.user.id) {
+      winston.warn("Not allowed. User " + req.user.id + " can't modify a canned response of user " + canned.createdBy);
+      return res.status(403).send({ success: false, error: "You are not allowed to modify a canned response that is not yours."})
+    }
+  }
+  else if (user_role === RoleConstants.OWNER || user_role === RoleConstants.ADMIN) {
+    if (canned.hasOwnProperty('shared') && canned.shared === false) {
+      winston.warn("Not allowed. User " + req.user.id + " can't modify a canned response of user " + canned.createdBy);
+      return res.status(403).send({ success: false, error: "Not allowed to modify a non administration canned response"})
+    }
+  } else {
+    winston.warn("User " + req.user.id + "trying to modify canned with role " + user_role);
+    return res.status(401).send({ success: false, error: "Unauthorized"})
+  }
   
-  
-  CannedResponse.findByIdAndUpdate(req.params.cannedResponseid, update, { new: true, upsert: true }, function (err, updatedCannedResponse) {
+  CannedResponse.findByIdAndUpdate(canned_id, update, { new: true, upsert: true }, function (err, updatedCannedResponse) {
     if (err) {
       winston.error('--- > ERROR ', err);
       return res.status(500).send({ success: false, msg: 'Error updating object.' });
     }
 
-  
-
     // CannedResponseEvent.emit('CannedResponse.update', updatedCannedResponse);
     res.json(updatedCannedResponse);
   });
 });
 
-router.delete('/:cannedResponseid', function (req, res) {
+router.delete('/:cannedResponseid', async function (req, res) {
   winston.debug(req.body);
+  let canned_id = req.params.cannedResponseid;
+  let user_role = req.projectuser.role;
+
+  let canned = await CannedResponse.findById(canned_id).catch((err) => {
+    winston.error("Error finding canned response: ", err);
+    return res.status(500).send({ success: false, error: "General error: cannot find the canned response with id " + canned_id })
+  })
+
+  if (!canned) {
+    winston.verbose("Canned response with id " + canned_id + " not found.");
+    return res.status(404).send({ success: false, error: "Canned response with id " + canned_id + " not found." })
+  }
+
+  /**
+   * Change type from mongoose object to javascript standard object.
+   * Otherwise hasOwnProperty wouldn't works.
+   */
+  canned = canned.toObject();
+  
+  if (user_role === RoleConstants.AGENT) {
+    if (canned.createdBy !== req.user.id) {
+      winston.warn("Not allowed. User " + req.user.id + " can't delete a canned response of user " + canned.createdBy);
+      return res.status(403).send({ success: false, error: "You are not allowed to delete a canned response that is not yours."})
+    }
+  }
+  else if (user_role === RoleConstants.OWNER || user_role === RoleConstants.ADMIN) {
+    if (canned.hasOwnProperty('shared') && canned.shared === false) {
+      winston.warn("Not allowed. User " + req.user.id + " can't delete a canned response of user " + canned.createdBy);
+      return res.status(403).send({ success: false, error: "Not allowed to delete a non administration canned response"})
+    }
+  } else {
+    winston.warn("User " + req.user.id + "trying to delete canned with role " + user_role);
+    return res.status(401).send({ success: false, error: "Unauthorized"})
+  }
 
   CannedResponse.findByIdAndUpdate(req.params.cannedResponseid, {status: 1000}, { new: true, upsert: true }, function (err, updatedCannedResponse) {
     if (err) {
@@ -72,15 +139,46 @@ router.delete('/:cannedResponseid', function (req, res) {
       return res.status(500).send({ success: false, msg: 'Error updating object.' });
     }
 
-   
-
     // CannedResponseEvent.emit('CannedResponse.delete', updatedCannedResponse);
     res.json(updatedCannedResponse);
   });
 });
 
-router.delete('/:cannedResponseid/physical', function (req, res) {
+router.delete('/:cannedResponseid/physical', async function (req, res) {
   winston.debug(req.body);
+  let canned_id = req.params.cannedResponseid;
+
+  let canned = await CannedResponse.findById(canned_id).catch((err) => {
+    winston.error("Error finding canned response: ", err);
+    return res.status(500).send({ success: false, error: "General error: cannot find the canned response with id " + canned_id })
+  })
+
+  if (!canned) {
+    winston.verbose("Canned response with id " + canned_id + " not found.");
+    return res.status(404).send({ success: false, error: "Canned response with id " + canned_id + " not found." })
+  }
+
+  /**
+   * Change type from mongoose object to javascript standard object.
+   * Otherwise hasOwnProperty wouldn't works.
+   */
+  canned = canned.toObject();
+  
+  if (user_role === RoleConstants.AGENT) {
+    if (canned.createdBy !== req.user.id) {
+      winston.warn("Not allowed. User " + req.user.id + " can't delete a canned response of user " + canned.createdBy);
+      return res.status(403).send({ success: false, error: "You are not allowed to delete a canned response that is not yours."})
+    }
+  }
+  else if (user_role === RoleConstants.OWNER || user_role === RoleConstants.ADMIN) {
+    if (canned.hasOwnProperty('shared') && canned.shared === false) {
+      winston.warn("Not allowed. User " + req.user.id + " can't delete a canned response of user " + canned.createdBy);
+      return res.status(403).send({ success: false, error: "Not allowed to delete a non administration canned response"})
+    }
+  } else {
+    winston.warn("User " + req.user.id + "trying to delete canned with role " + user_role);
+    return res.status(401).send({ success: false, error: "Unauthorized"})
+  }
 
   CannedResponse.remove({ _id: req.params.cannedResponseid }, function (err, cannedResponse) {
     if (err) {
@@ -88,15 +186,15 @@ router.delete('/:cannedResponseid/physical', function (req, res) {
       return res.status(500).send({ success: false, msg: 'Error deleting object.' });
     }
 
-  
     // CannedResponseEvent.emit('CannedResponse.delete', CannedResponse);
-
     res.json(cannedResponse);
   });
 });
 
 router.get('/:cannedResponseid', function (req, res) {
   winston.debug(req.body);
+  let user_id = req.user.id;
+  console.log("[Canned] user_id: ", user_id);
 
   CannedResponse.findById(req.params.cannedResponseid, function (err, cannedResponse) {
     if (err) {
@@ -105,6 +203,11 @@ router.get('/:cannedResponseid', function (req, res) {
     if (!cannedResponse) {
       return res.status(404).send({ success: false, msg: 'Object not found.' });
     }
+
+    if (cannedResponse.createdBy !== user_id) {
+      return res.status(403).send({ success: false, msg: 'You are not allowed to get a canned response that is not yours.'})
+    }
+
     res.json(cannedResponse);
   });
 });
@@ -117,6 +220,8 @@ router.get('/', function (req, res) {
     page = req.query.page;
   }
 
+  console.log("req.user._id: ", req.user._id)
+  console.log("req.user.id: ", req.user.id)
   var skip = page * limit;
   winston.debug('CannedResponse ROUTE - SKIP PAGE ', skip);
 

package/pubmodules/pubModulesManager.js

@@ -147,7 +147,7 @@ class PubModulesManager {
         }
 
         if (this.analyticsRoute) {
-            app.use('/:projectid/analytics', [passport.authenticate(['basic', 'jwt'], { session: false }), validtoken, roleChecker.hasRole('agent')], this.analyticsRoute);
+            app.use('/:projectid/analytics', [passport.authenticate(['basic', 'jwt'], { session: false }), validtoken, roleChecker.hasRole('admin')], this.analyticsRoute);
              winston.info("ModulesManager analytics controller loaded");       
          }
 

package/routes/auth.js

@@ -40,6 +40,7 @@ if (pubKey) {
 }
 
 var recaptcha = require('../middleware/recaptcha');
+const errorCodes = require('../errorCodes');
 
 
 
@@ -76,6 +77,14 @@ router.post('/signup',
     winston.error("Signup validation error. Email or password is missing", {email: req.body.email, password: req.body.password});
     return res.json({ success: false, msg: 'Please pass email and password.' });
   } else {    
+
+    // TODO: move the regex control inside signup method of UserService.
+    // Warning: the pwd used in every test must be changed!
+    const regex = new RegExp(/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[!@#$%^&*])[A-Za-z\d!@#$%^&*]{8,}$/);
+    if (!regex.test(req.body.password)) {
+      return res.status(403).send({ success: false, message: "The password does not meet the minimum vulnerability requirements"})
+    }
+
     return userService.signup(req.body.email, req.body.password, req.body.firstname, req.body.lastname, false)
       .then( async function (savedUser) {
         
@@ -96,7 +105,16 @@ router.post('/signup',
 
         if (!req.body.disableEmail){
           if (!skipVerificationEmail) {
-            emailService.sendVerifyEmailAddress(savedUser.email, savedUser);
+
+            let verify_email_code = uniqid();
+            console.log("(Auth) verify_email_code: ", verify_email_code);
+
+            let redis_client = req.app.get('redis_client');
+            let key = "emailverify:verify-" + verify_email_code;
+            let obj = { _id: savedUser._id, email: savedUser.email}
+            let value = JSON.stringify(obj);
+            redis_client.set(key, value, { EX: 900} ) 
+            emailService.sendVerifyEmailAddress(savedUser.email, savedUser, verify_email_code);
           }
         }
         
@@ -129,16 +147,16 @@ router.post('/signup',
 
          res.json({ success: true, msg: 'Successfully created new user.', user: userJson });
       }).catch(function (err) {
-
-
       
+        winston.error('Error registering new user', err);
         authEvent.emit("user.signup.error",  {req: req, err:err});       
 
-       
-
+        if (err.code === 11000) {
+          res.status(403).send({ success: false, message: "Email already registered" });
+        } else {
+          res.status(500).send({ success: false, message: "Registration cannot be completed" });
+        }
 
-         winston.error('Error registering new user', err);
-         res.send(err);
       });
   }
 });
@@ -759,11 +777,32 @@ router.get("/google/callback", passport.authenticate("google", { session: false
 // });
 
 // VERIFY EMAIL
-router.put('/verifyemail/:userid', function (req, res) {
+router.put('/verifyemail/:userid/:code', async function (req, res) {
+
 
   winston.debug('VERIFY EMAIL - REQ BODY ', req.body);
-// controlla
-  User.findByIdAndUpdate(req.params.userid, req.body, { new: true, upsert: true }, function (err, findUser) {
+
+  let user_id = req.params.userid;
+  let verify_email_code = req.params.code;
+
+  if (!verify_email_code) {
+    return res.status(401).send({ success: false, error: "Unable to verify email: missing verification code.", error_code: errorCodes.AUTH.ERRORS.MISSING_VERIFICATION_CODE})
+  }
+
+  let redis_client = req.app.get('redis_client');
+  let key = "emailverify:verify-" + verify_email_code;
+  let value = await redis_client.get(key);
+  console.log("(Auth) verify value: ", value);
+  if (!value) {
+    return res.status(401).send({ success: false, error: "Unable to verify email: the verification code is expired or invalid.", error_code: errorCodes.AUTH.ERRORS.VERIFICATION_CODE_EXPIRED})
+  }
+
+  let basic_user = JSON.parse(value);
+  if (user_id !== basic_user._id) {
+    return res.status(401).send({ success: false, error: "Trying to use a verification code from another user.", error_code: errorCodes.AUTH.ERRORS.VERIFICATION_CODE_OTHER_USER})
+  }
+
+  User.findByIdAndUpdate(user_id, req.body, { new: true, upsert: true }, function (err, findUser) {
     if (err) {
       winston.error(err);
       return res.status(500).send({ success: false, msg: err });
@@ -771,7 +810,7 @@ router.put('/verifyemail/:userid', function (req, res) {
     winston.debug(findUser);
     if (!findUser) {
       winston.warn('User not found for verifyemail' );
-      return res.status(404).send({ success: false, msg: 'User not found' });
+      return res.status(404).send({ success: false, msg: 'User not found', error_code: errorCodes.AUTH.ERRORS.USER_NOT_FOUND});
     }
     winston.debug('VERIFY EMAIL - RETURNED USER ', findUser);
 
@@ -857,13 +896,16 @@ router.put('/requestresetpsw', function (req, res) {
 
         //  TODO emit user.update?
           authEvent.emit('user.requestresetpassword', {updatedUser:updatedUser, req:req});
-
           
-
           let userWithoutResetPassword = updatedUser.toJSON();
           delete userWithoutResetPassword.resetpswrequestid;
+          delete userWithoutResetPassword._id;
+          delete userWithoutResetPassword.createdAt;
+          delete userWithoutResetPassword.updatedAt;
+          delete userWithoutResetPassword.__v;
           
-          return res.json({ success: true, user: userWithoutResetPassword });
+          // return res.json({ success: true, user: userWithoutResetPassword });
+          return res.json({ success: true, message: "An email has been sent to reset your password" });
           // }
           // catch (err) {
           //   winston.debug('PSW RESET REQUEST - SEND EMAIL ERR ', err)