@volcanicminds/backend 2.2.20 → 2.3.1

package/lib/api/users/controller/user.ts

@@ -90,7 +90,40 @@ export async function isAdmin(req: FastifyRequest, reply: FastifyReply) {
   return reply.send({ isAdmin: user?.getId() && req.hasRole(roles.admin) })
 }
 
-export async function resetMfa(req: FastifyRequest, reply: FastifyReply) {
+export async function block(req: FastifyRequest, reply: FastifyReply) {
+  if (!req.server['userManager'].isImplemented()) {
+    throw new Error('Not implemented')
+  }
+
+  if (!req.hasRole(roles.admin) && !req.hasRole(roles.backoffice)) {
+    return reply.status(403).send({ statusCode: 403, code: 'ROLE_NOT_ALLOWED', message: 'Not allowed to block a user' })
+  }
+
+  const { id: userId } = req.parameters()
+  const { reason } = req.data()
+
+  let user = await req.server['userManager'].blockUserById(userId, reason, req.runner)
+  user = await req.server['userManager'].resetExternalId(user.getId(), req.runner)
+  return { ok: !!user.getId() }
+}
+
+export async function unblock(req: FastifyRequest, reply: FastifyReply) {
+  if (!req.server['userManager'].isImplemented()) {
+    throw new Error('Not implemented')
+  }
+
+  if (!req.hasRole(roles.admin) && !req.hasRole(roles.backoffice)) {
+    return reply
+      .status(403)
+      .send({ statusCode: 403, code: 'ROLE_NOT_ALLOWED', message: 'Not allowed to unblock a user' })
+  }
+
+  const { id: userId } = req.parameters()
+  const user = await req.server['userManager'].unblockUserById(userId, req.runner)
+  return { ok: !!user.getId() }
+}
+
+export async function resetMfaByAdmin(req: FastifyRequest, reply: FastifyReply) {
   const { id } = req.parameters()
 
   if (!req.hasRole(roles.admin)) {
@@ -102,10 +135,44 @@ export async function resetMfa(req: FastifyRequest, reply: FastifyReply) {
   }
 
   try {
-    await req.server['userManager'].disableMfa(id)
+    await req.server['userManager'].disableMfa(id, req.runner)
     return { ok: true }
   } catch (error) {
     req.log.error(error)
     return reply.status(500).send(new Error('Failed to reset MFA'))
   }
 }
+
+export async function resetPasswordByAdmin(req: FastifyRequest, reply: FastifyReply) {
+  // Check if feature is enabled via config
+  if (config.options?.allow_admin_change_password_users !== true) {
+    return reply.status(404).send()
+  }
+
+  if (!req.hasRole(roles.admin)) {
+    return reply.status(403).send(new Error('Only admins can reset user passwords'))
+  }
+
+  const { id } = req.parameters()
+  if (!id) {
+    return reply.status(400).send(new Error('Missing user id'))
+  }
+
+  const { password } = req.data()
+  if (!password) {
+    return reply.status(400).send(new Error('Missing password in request body'))
+  }
+
+  try {
+    const user = await req.server['userManager'].retrieveUserById(id)
+    if (!user) {
+      return reply.status(404).send(new Error('User not found'))
+    }
+
+    await req.server['userManager'].resetPassword(user, password)
+    return { ok: true }
+  } catch (error) {
+    req.log.error(error)
+    return reply.status(500).send(new Error('Failed to reset password'))
+  }
+}

package/lib/api/users/routes.ts

@@ -180,20 +180,76 @@ export default {
         }
       }
     },
+    {
+      method: 'POST',
+      path: '/:id/block',
+      roles: [roles.admin, roles.backoffice],
+      handler: 'user.block',
+      middlewares: ['global.isAuthenticated'],
+      config: {
+        title: 'Block a user by id',
+        description: 'Block a user by id',
+        params: { $ref: 'onlyIdSchema#' },
+        body: { $ref: 'blockBodySchema#' },
+        response: {
+          200: { $ref: 'defaultResponse#' }
+        }
+      }
+    },
+    {
+      method: 'POST',
+      path: '/:id/unblock',
+      roles: [roles.admin, roles.backoffice],
+      handler: 'user.unblock',
+      middlewares: ['global.isAuthenticated'],
+      config: {
+        title: 'Unblock a user by id',
+        description: 'Unblock a user by id',
+        params: { $ref: 'onlyIdSchema#' },
+        response: {
+          200: { $ref: 'defaultResponse#' }
+        }
+      }
+    },
     {
       method: 'POST',
       path: '/:id/mfa/reset',
       roles: [roles.admin],
-      handler: 'user.resetMfa',
+      handler: 'user.resetMfaByAdmin',
       middlewares: ['global.isAuthenticated'],
       config: {
-        title: 'Reset MFA for user',
+        title: 'Reset MFA for specific user',
         description: 'Disable MFA for a specific user (Admin only)',
         params: { $ref: 'globalParamsSchema#' },
         response: {
           200: { $ref: 'defaultResponse#' }
         }
       }
+    },
+    {
+      method: 'POST',
+      path: '/:id/password/reset',
+      roles: [roles.admin],
+      handler: 'user.resetPasswordByAdmin',
+      middlewares: ['global.isAuthenticated'],
+      config: {
+        title: 'Reset password for specific user',
+        description:
+          'Admin can reset password for a specific user. Requires config option allow_admin_change_password_users to be enabled.',
+        params: { $ref: 'globalParamsSchema#' },
+        body: {
+          type: 'object',
+          required: ['password'],
+          properties: {
+            password: { type: 'string', minLength: 6 }
+          }
+        },
+        response: {
+          200: { $ref: 'defaultResponse#' }
+        }
+      }
     }
   ]
+
+
 }

package/lib/config/general.ts

@@ -3,11 +3,18 @@ export default {
   options: {
     allow_multiple_admin: false,
     admin_can_change_passwords: false,
+    allow_admin_change_password_users: false,
     reset_external_id_on_login: false,
     scheduler: false,
     embedded_auth: true,
     mfa_policy: process.env.MFA_POLICY || 'OPTIONAL', // OPTIONAL, MANDATORY, ONE_WAY
     mfa_admin_forced_reset_email: null,
-    mfa_admin_forced_reset_until: null
+    mfa_admin_forced_reset_until: null,
+    multi_tenant: {
+      enabled: false,
+      resolver: 'subdomain', // subdomain, header, query
+      header_key: 'x-tenant-id',
+      query_key: 'tid'
+    }
   }
 }

package/lib/config/plugins.ts

@@ -61,5 +61,13 @@ export default [
     name: 'rawBody',
     enable: false,
     options: {}
+  },
+  {
+    name: 'cookie',
+    enable: process.env.AUTH_MODE === 'COOKIE',
+    options: {
+      secret: process.env.COOKIE_SECRET,
+      parseOptions: {}
+    }
   }
 ]

package/lib/defaults/managers.ts

@@ -0,0 +1,88 @@
+
+import { 
+  UserManagement, 
+  TokenManagement, 
+  DataBaseManagement, 
+  MfaManagement, 
+  TransferManagement,
+  TenantManagement,
+  TransferCallback
+} from '../../types/global.js'
+import { FastifyReply, FastifyRequest } from 'fastify'
+
+// Default implementations that throw errors or return not implemented
+export const defaultTenantManager: TenantManagement = {
+  isImplemented() { return false },
+  resolveTenant(_req) { throw new Error('Not implemented') },
+  switchContext(_tenant, _db?) { throw new Error('Not implemented') },
+  createTenant(_data) { throw new Error('Not implemented') },
+  deleteTenant(_id) { throw new Error('Not implemented') }
+}
+
+export const defaultUserManager: UserManagement = {
+  isImplemented() { return false },
+  isValidUser(_data: unknown) { throw new Error('Not implemented.') },
+  createUser(_data: unknown) { throw new Error('Not implemented.') },
+  deleteUser(_data: unknown) { throw new Error('Not implemented.') },
+  resetExternalId(_data: unknown) { throw new Error('Not implemented.') },
+  updateUserById(_id: string, _user: unknown) { throw new Error('Not implemented.') },
+  retrieveUserById(_id: string) { throw new Error('Not implemented.') },
+  retrieveUserByEmail(_email: string) { throw new Error('Not implemented.') },
+  retrieveUserByConfirmationToken(_code: string) { throw new Error('Not implemented.') },
+  retrieveUserByResetPasswordToken(_code: string) { throw new Error('Not implemented.') },
+  retrieveUserByUsername(_username: string) { throw new Error('Not implemented.') },
+  retrieveUserByExternalId(_externalId: string) { throw new Error('Not implemented.') },
+  retrieveUserByPassword(_email: string, _password: string) { throw new Error('Not implemented.') },
+  changePassword(_email: string, _password: string, _oldPassword: string) { throw new Error('Not implemented.') },
+  forgotPassword(_email: string) { throw new Error('Not implemented.') },
+  userConfirmation(_user: unknown) { throw new Error('Not implemented.') },
+  resetPassword(_user: unknown, _password: string) { throw new Error('Not implemented.') },
+  blockUserById(_id: string, _reason: string) { throw new Error('Not implemented.') },
+  unblockUserById(_data: unknown) { throw new Error('Not implemented.') },
+  countQuery(_data: unknown) { throw new Error('Not implemented.') },
+  findQuery(_data: unknown) { throw new Error('Not implemented.') },
+  disableUserById(_id: string) { throw new Error('Not implemented.') },
+  saveMfaSecret(_userId: string, _secret: string) { throw new Error('Not implemented.') },
+  retrieveMfaSecret(_userId: string) { throw new Error('Not implemented.') },
+  enableMfa(_userId: string) { throw new Error('Not implemented.') },
+  disableMfa(_userId: string) { throw new Error('Not implemented.') },
+  forceDisableMfaForAdmin(_email: string) { throw new Error('Not implemented.') }
+}
+
+export const defaultTokenManager: TokenManagement = {
+  isImplemented() { return false },
+  isValidToken(_data: unknown) { throw new Error('Not implemented.') },
+  createToken(_data: unknown) { throw new Error('Not implemented.') },
+  resetExternalId(_id: string) { throw new Error('Not implemented.') },
+  updateTokenById(_id: string, _token: unknown) { throw new Error('Not implemented.') },
+  retrieveTokenById(_id: string) { throw new Error('Not implemented.') },
+  retrieveTokenByExternalId(_id: string) { throw new Error('Not implemented.') },
+  blockTokenById(_id: string, _reason: string) { throw new Error('Not implemented.') },
+  unblockTokenById(_id: string) { throw new Error('Not implemented.') },
+  countQuery(_data: unknown) { throw new Error('Not implemented.') },
+  findQuery(_data: unknown) { throw new Error('Not implemented.') },
+  removeTokenById(_id: string) { throw new Error('Not implemented.') }
+}
+
+export const defaultDataBaseManager: DataBaseManagement = {
+  isImplemented() { return false },
+  synchronizeSchemas() { throw new Error('Not implemented.') },
+  retrieveBy(_entityName, _entityId) { throw new Error('Not implemented.') },
+  addChange(_entityName, _entityId, _status, _userId, _contents, _changeEntity) { throw new Error('Not implemented.') }
+}
+
+export const defaultMfaManager: MfaManagement = {
+  generateSetup(_appName: string, _email: string) { throw new Error('Not implemented.') },
+  verify(_token: string, _secret: string) { throw new Error('Not implemented.') }
+}
+
+export const defaultTransferManager: TransferManagement = {
+  isImplemented() { return false },
+  getPath() { throw new Error('Not implemented.') },
+  getServer() { throw new Error('Not implemented.') },
+  onUploadCreate(_callback: TransferCallback) { throw new Error('Not implemented.') },
+  onUploadFinish(_callback: TransferCallback) { throw new Error('Not implemented.') },
+  onUploadTerminate(_callback: TransferCallback) { throw new Error('Not implemented.') },
+  handle(_req: FastifyRequest, _res: FastifyReply) { throw new Error('Not implemented.') },
+  isValid(_req: FastifyRequest) { throw new Error('Not implemented.') }
+}

package/lib/hooks/onRequest.ts

@@ -23,6 +23,63 @@ const normalizeRoles = (rolesArray: any[] | undefined): string[] => {
 export default async (req, reply) => {
   if (log.i) req.startedAt = new Date()
 
+  const { multi_tenant } = global.config?.options || {}
+
+  if (multi_tenant?.enabled) {
+    let tenantSlug: string | undefined
+
+    if (multi_tenant.resolver === 'subdomain') {
+      const host = req.headers.host || ''
+      const parts = host.split('.')
+      if (parts.length >= 2) {
+        // FIXME: Improve subdomain extraction strategy. Currently assumes [slug].[domain].[tld] or [slug].localhost
+        if (parts[0] !== 'www') {
+          tenantSlug = parts[0]
+        }
+      }
+    } else if (multi_tenant.resolver === 'header') {
+      tenantSlug = req.headers[multi_tenant?.header_key || 'x-tenant-id'] as string
+    } else if (multi_tenant.resolver === 'query') {
+      tenantSlug = (req.query as any)[multi_tenant?.query_key || 'tid']
+    }
+
+    if (!tenantSlug) {
+      return reply.code(400).send({ statusCode: 400, error: 'Tenant ID missing', message: 'Tenant ID is required' })
+    }
+
+    if (!global.repository?.tenants) {
+      log.error('Multi-tenant enabled but global.repository.tenants not found')
+      return reply.code(500).send({ statusCode: 500, error: 'Internal Server Error' })
+    }
+
+    const tenant = await global.repository.tenants.findOneBy({ slug: tenantSlug })
+
+    if (!tenant) {
+      return reply
+        .code(404)
+        .send({ statusCode: 404, error: 'Tenant Not Found', message: `Tenant '${tenantSlug}' not found` })
+    }
+
+    if (tenant.status !== 'active') {
+      return reply.code(403).send({ statusCode: 403, error: 'Tenant Inactive', message: 'Tenant is not active' })
+    }
+
+    // Tenant Context Setup
+    const runner = global.connection.createQueryRunner()
+    await runner.connect()
+
+    // Validate schema name safety
+    if (!/^[a-z0-9_]+$/i.test(tenant.schema)) {
+      await runner.release()
+      return reply.code(400).send({ statusCode: 400, error: 'Invalid Schema Name' })
+    }
+
+    await runner.query(`SET search_path TO "${tenant.schema}", "public"`)
+
+    req.runner = runner
+    req.tenant = tenant
+  }
+
   req.data = () => getData(req)
   req.parameters = () => getParams(req)
 
@@ -49,15 +106,44 @@ export default async (req, reply) => {
     req.roles = () => [roles.public.code]
     req.hasRole = (r: Role) => req.roles().includes(r?.code)
 
-    const auth = req.headers?.authorization || ''
     const cfg = req.routeOptions?.config || req.routeConfig || {}
-    const [prefix, bearerToken] = auth.split(' ')
+    const AUTH_MODE = process.env.AUTH_MODE || 'BEARER'
+
+    let bearerToken: string | undefined
+
+    if (AUTH_MODE === 'COOKIE') {
+      const cookieToken = req.cookies['auth_token']
+      if (cookieToken) {
+        const unsigned = req.unsignCookie(cookieToken)
+        if (unsigned.valid && unsigned.value) {
+          bearerToken = unsigned.value
+        }
+      }
+    } else {
+      const auth = req.headers?.authorization || ''
+      const [prefix, token] = auth.split(' ')
+      if (prefix === 'Bearer' && token != null) {
+        bearerToken = token
+      }
+    }
 
-    if (prefix === 'Bearer' && bearerToken != null) {
+    if (bearerToken) {
       try {
         const tokenData = reply.server.jwt.verify(bearerToken)
 
-        // --- MFA GATEKEEPER ---
+        // Validate Tenant Access
+        const { multi_tenant } = global.config?.options || {}
+        if (multi_tenant?.enabled && req.tenant && tokenData.tid) {
+          if (tokenData.tid !== req.tenant.id) {
+            return reply.status(403).send({
+              statusCode: 403,
+              code: 'TENANT_MISMATCH',
+              message: 'Token does not belong to this tenant'
+            })
+          }
+        }
+
+        // MFA Gatekeeper Check
         if (tokenData.role === 'pre-auth-mfa') {
           const currentUrl = req.routeOptions.url || req.raw.url
           const isAllowed = MFA_SETUP_WHITELIST.some((url) => currentUrl.endsWith(url))
@@ -137,3 +223,5 @@ export default async (req, reply) => {
     }
   }
 }
+
+

package/lib/hooks/onResponse.ts

@@ -1,4 +1,10 @@
 export default async (req, reply) => {
+  if (req.runner) {
+    if (!req.runner.isReleased) {
+      await req.runner.release()
+    }
+  }
+
   let extraMessage = ''
   if (log.i && req.startedAt) {
     const elapsed: number = new Date().getTime() - req.startedAt.getTime()

package/lib/loader/general.ts

@@ -8,11 +8,16 @@ export async function load() {
     options: {
       allow_multiple_admin: false,
       admin_can_change_passwords: false,
+      allow_admin_change_password_users: false,
       reset_external_id_on_login: false,
       scheduler: false,
       embedded_auth: true,
       mfa_admin_forced_reset_email: undefined,
-      mfa_admin_forced_reset_until: undefined
+      mfa_admin_forced_reset_until: undefined,
+      multi_tenant: {
+        enabled: false,
+        query_key: 'tid'
+      }
     }
   }
 

package/lib/loader/tenant.ts

@@ -0,0 +1,79 @@
+import { FastifyInstance } from 'fastify'
+import { TenantManagement } from '../../types/global.js'
+
+export async function apply(server: FastifyInstance) {
+  const { multi_tenant } = global.config.options || {}
+
+  // Se multi-tenant non è abilitato, usciamo subito
+  if (!multi_tenant?.enabled) {
+    if (log.d) log.debug('Multi-Tenant: Disabled by configuration')
+    return
+  }
+
+  if (log.i) log.info('Multi-Tenant: 🟢 Enabled')
+
+  // Hook globale per la risoluzione del tenant
+  // Deve essere eseguito all'inizio della richiesta
+  server.addHook('onRequest', async (req, reply) => {
+    // Recuperiamo il gestore tenant iniettato o di default
+    const tm = server['tenantManager'] as TenantManagement
+
+    // Controllo critico: se è abilitato il MT, DEVE esserci un manager implementato
+    if (!tm || !tm.isImplemented()) {
+      const errorMsg = 'Multi-Tenant enabled but no TenantManager provided/implemented!'
+      if (log.f) log.fatal(errorMsg)
+      throw new Error(errorMsg) 
+    }
+
+    try {
+      // 1. Risoluzione Tenant
+      const tenant = await tm.resolveTenant(req)
+      
+      if (!tenant) {
+        if (log.w) log.warn(`Multi-Tenant: Tenant resolution failed for request ${req.id}`)
+        return reply.code(404).send({ 
+          statusCode: 404, 
+          error: 'Not Found', 
+          message: 'Tenant not found or resolution failed' 
+        })
+      }
+
+      // 2. Setup Contesto
+      req.tenant = tenant
+      if (log.t) log.trace(`Multi-Tenant: Context switched to ${tenant.slug || tenant.id}`)
+
+      // 3. Creazione QueryRunner (Context-Chain Root)
+      // Questo è il cuore della "Golden Solution": ogni richiesta ha il suo QueryRunner isolato
+      const dataSource = global.connection
+      if (dataSource) {
+        const qr = dataSource.createQueryRunner()
+        await qr.connect()
+        
+        // Assegnamo il manager del QueryRunner alla richiesta
+        req.db = qr.manager
+
+        // 4. Switch Schema su QUESTO QueryRunner
+        // Passiamo il manager affinché il TenantManager possa eseguire "SET search_path" su questa connessione specifica
+        await tm.switchContext(tenant, qr.manager)
+
+        // 5. Cleanup: Rilascio del QueryRunner alla fine della richiesta
+        reply.raw.on('finish', async () => {
+          if (!qr.isReleased) {
+            await qr.release()
+          }
+        })
+      } else {
+        if (log.w) log.warn('Multi-Tenant: Global connection not found! Skipping DB context creation.')
+      }
+
+    } catch (err: unknown) {
+      const message = err instanceof Error ? err.message : String(err)
+      if (log.e) log.error(`Multi-Tenant Error: ${message}`)
+      return reply.code(500).send({ 
+        statusCode: 500, 
+        error: 'Internal Server Error', 
+        message: 'Tenant Context Switch Failed' 
+      })
+    }
+  })
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@volcanicminds/backend",
-  "version": "2.2.20",
+  "version": "2.3.1",
   "type": "module",
   "codename": "rome",
   "license": "MIT",
@@ -65,6 +65,7 @@
     "@apollo/server": "^5.2.0",
     "@as-integrations/fastify": "^3.1.0",
     "@fastify/compress": "^8.3.0",
+    "@fastify/cookie": "^11.0.2",
     "@fastify/cors": "^11.2.0",
     "@fastify/helmet": "^13.0.2",
     "@fastify/jwt": "^10.0.0",