npm - @volcanicminds/backend - Versions diffs - 2.2.21 → 2.3.2 - Mend

@volcanicminds/backend 2.2.21 → 2.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (56) hide show

package/README.md +19 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +9 -169
package/dist/index.js.map +1 -1
package/dist/lib/api/auth/controller/auth.d.ts +0 -9
package/dist/lib/api/auth/controller/auth.d.ts.map +1 -1
package/dist/lib/api/auth/controller/auth.js +32 -75
package/dist/lib/api/auth/controller/auth.js.map +1 -1
package/dist/lib/api/auth/routes.d.ts +0 -45
package/dist/lib/api/auth/routes.d.ts.map +1 -1
package/dist/lib/api/auth/routes.js +1 -32
package/dist/lib/api/auth/routes.js.map +1 -1
package/dist/lib/api/tool/controller/tool.d.ts.map +1 -1
package/dist/lib/api/tool/controller/tool.js +4 -0
package/dist/lib/api/tool/controller/tool.js.map +1 -1
package/dist/lib/api/users/controller/user.d.ts +10 -1
package/dist/lib/api/users/controller/user.d.ts.map +1 -1
package/dist/lib/api/users/controller/user.js +56 -2
package/dist/lib/api/users/controller/user.js.map +1 -1
package/dist/lib/api/users/routes.d.ts +67 -0
package/dist/lib/api/users/routes.d.ts.map +1 -1
package/dist/lib/api/users/routes.js +55 -2
package/dist/lib/api/users/routes.js.map +1 -1
package/dist/lib/config/general.d.ts +7 -0
package/dist/lib/config/general.d.ts.map +1 -1
package/dist/lib/config/general.js +8 -1
package/dist/lib/config/general.js.map +1 -1
package/dist/lib/defaults/managers.d.ts +8 -0
package/dist/lib/defaults/managers.d.ts.map +1 -0
package/dist/lib/defaults/managers.js +71 -0
package/dist/lib/defaults/managers.js.map +1 -0
package/dist/lib/hooks/onRequest.d.ts.map +1 -1
package/dist/lib/hooks/onRequest.js +54 -2
package/dist/lib/hooks/onRequest.js.map +1 -1
package/dist/lib/hooks/onResponse.d.ts.map +1 -1
package/dist/lib/hooks/onResponse.js +5 -0
package/dist/lib/hooks/onResponse.js.map +1 -1
package/dist/lib/loader/general.d.ts.map +1 -1
package/dist/lib/loader/general.js +6 -1
package/dist/lib/loader/general.js.map +1 -1
package/dist/lib/loader/tenant.d.ts +3 -0
package/dist/lib/loader/tenant.d.ts.map +1 -0
package/dist/lib/loader/tenant.js +67 -0
package/dist/lib/loader/tenant.js.map +1 -0
package/lib/api/auth/controller/auth.ts +35 -81
package/lib/api/auth/routes.ts +4 -33
package/lib/api/tool/controller/tool.ts +5 -0
package/lib/api/users/controller/user.ts +69 -2
package/lib/api/users/routes.ts +58 -2
package/lib/config/general.ts +8 -1
package/lib/defaults/managers.ts +88 -0
package/lib/hooks/onRequest.ts +72 -7
package/lib/hooks/onResponse.ts +6 -0
package/lib/loader/general.ts +6 -1
package/lib/loader/tenant.ts +86 -0
package/package.json +1 -1

package/lib/hooks/onRequest.ts CHANGED Viewed

@@ -23,6 +23,63 @@ const normalizeRoles = (rolesArray: any[] | undefined): string[] => {
 export default async (req, reply) => {
   if (log.i) req.startedAt = new Date()
+  const { multi_tenant } = global.config?.options || {}
+  if (multi_tenant?.enabled) {
+    let tenantSlug: string | undefined
+    if (multi_tenant.resolver === 'subdomain') {
+      const host = req.headers.host || ''
+      const parts = host.split('.')
+      if (parts.length >= 2) {
+        // FIXME: Improve subdomain extraction strategy. Currently assumes [slug].[domain].[tld] or [slug].localhost
+        if (parts[0] !== 'www') {
+          tenantSlug = parts[0]
+        }
+      }
+    } else if (multi_tenant.resolver === 'header') {
+      tenantSlug = req.headers[multi_tenant?.header_key || 'x-tenant-id'] as string
+    } else if (multi_tenant.resolver === 'query') {
+      tenantSlug = (req.query as any)[multi_tenant?.query_key || 'tid']
+    }
+    if (!tenantSlug) {
+      return reply.code(400).send({ statusCode: 400, error: 'Tenant ID missing', message: 'Tenant ID is required' })
+    }
+    if (!global.connection) {
+      log.error('Multi-tenant enabled but global.connection not found')
+      return reply.code(500).send({ statusCode: 500, error: 'Internal Server Error' })
+    }
+    const tenant = await global.connection.getRepository(global.entity.Tenant).findOneBy({ slug: tenantSlug })
+    if (!tenant) {
+      return reply
+        .code(404)
+        .send({ statusCode: 404, error: 'Tenant Not Found', message: `Tenant '${tenantSlug}' not found` })
+    }
+    if (tenant.status !== 'active') {
+      return reply.code(403).send({ statusCode: 403, error: 'Tenant Inactive', message: 'Tenant is not active' })
+    }
+    // Tenant Context Setup
+    const runner = global.connection.createQueryRunner()
+    await runner.connect()
+    // Validate schema name safety
+    if (!/^[a-z0-9_]+$/i.test(tenant.schema)) {
+      await runner.release()
+      return reply.code(400).send({ statusCode: 400, error: 'Invalid Schema Name' })
+    }
+    await runner.query(`SET search_path TO "${tenant.schema}", "public"`)
+    req.runner = runner
+    req.tenant = tenant
+  }
   req.data = () => getData(req)
   req.parameters = () => getParams(req)
@@ -55,9 +112,7 @@ export default async (req, reply) => {
     let bearerToken: string | undefined
     if (AUTH_MODE === 'COOKIE') {
-      // COOKIE MODE: ONLY Check Cookie
       const cookieToken = req.cookies['auth_token']
-      // If cookie is signed:
       if (cookieToken) {
         const unsigned = req.unsignCookie(cookieToken)
         if (unsigned.valid && unsigned.value) {
@@ -65,7 +120,6 @@ export default async (req, reply) => {
         }
       }
     } else {
-      // BEARER MODE: ONLY Check Header
       const auth = req.headers?.authorization || ''
       const [prefix, token] = auth.split(' ')
       if (prefix === 'Bearer' && token != null) {
@@ -77,7 +131,19 @@ export default async (req, reply) => {
       try {
         const tokenData = reply.server.jwt.verify(bearerToken)
-        // --- MFA GATEKEEPER ---
+        // Validate Tenant Access
+        const { multi_tenant } = global.config?.options || {}
+        if (multi_tenant?.enabled && req.tenant && tokenData.tid) {
+          if (tokenData.tid !== req.tenant.id) {
+            return reply.status(403).send({
+              statusCode: 403,
+              code: 'TENANT_MISMATCH',
+              message: 'Token does not belong to this tenant'
+            })
+          }
+        }
+        // MFA Gatekeeper Check
         if (tokenData.role === 'pre-auth-mfa') {
           const currentUrl = req.routeOptions.url || req.raw.url
           const isAllowed = MFA_SETUP_WHITELIST.some((url) => currentUrl.endsWith(url))
@@ -143,9 +209,6 @@ export default async (req, reply) => {
           })
         }
       }
-    } else {
-      // No token found, but maybe route is public?
-      // If route requires roles and no token, it will be caught by permissions check below (bearerToken is null)
     }
     if (cfg.requiredRoles?.length > 0) {
@@ -160,3 +223,5 @@ export default async (req, reply) => {
     }
   }
 }

package/lib/hooks/onResponse.ts CHANGED Viewed

@@ -1,4 +1,10 @@
 export default async (req, reply) => {
+  if (req.runner) {
+    if (!req.runner.isReleased) {
+      await req.runner.release()
+    }
+  }
   let extraMessage = ''
   if (log.i && req.startedAt) {
     const elapsed: number = new Date().getTime() - req.startedAt.getTime()

package/lib/loader/general.ts CHANGED Viewed

@@ -8,11 +8,16 @@ export async function load() {
     options: {
       allow_multiple_admin: false,
       admin_can_change_passwords: false,
+      allow_admin_change_password_users: false,
       reset_external_id_on_login: false,
       scheduler: false,
       embedded_auth: true,
       mfa_admin_forced_reset_email: undefined,
-      mfa_admin_forced_reset_until: undefined
+      mfa_admin_forced_reset_until: undefined,
+      multi_tenant: {
+        enabled: false,
+        query_key: 'tid'
+      }
     }
   }

package/lib/loader/tenant.ts ADDED Viewed

@@ -0,0 +1,86 @@
+import { FastifyInstance } from 'fastify'
+import { TenantManagement } from '../../types/global.js'
+export async function apply(server: FastifyInstance) {
+  const { multi_tenant } = global.config.options || {}
+  // Se multi-tenant non è abilitato, usciamo subito e iniettiamo il contesto single-tenant
+  if (!multi_tenant?.enabled) {
+    if (log.i) log.info('Multi-Tenant: Disabled — using single-tenant DB context')
+    server.addHook('onRequest', async (req) => {
+      const dataSource = global.connection
+      if (dataSource) {
+        req.db = dataSource.manager
+      }
+    })
+    return
+  }
+  if (log.i) log.info('Multi-Tenant: 🟢 Enabled')
+  // Hook globale per la risoluzione del tenant
+  // Deve essere eseguito all'inizio della richiesta
+  server.addHook('onRequest', async (req, reply) => {
+    // Recuperiamo il gestore tenant iniettato o di default
+    const tm = server['tenantManager'] as TenantManagement
+    // Controllo critico: se è abilitato il MT, DEVE esserci un manager implementato
+    if (!tm || !tm.isImplemented()) {
+      const errorMsg = 'Multi-Tenant enabled but no TenantManager provided/implemented!'
+      if (log.f) log.fatal(errorMsg)
+      throw new Error(errorMsg)
+    }
+    try {
+      // 1. Risoluzione Tenant
+      const tenant = await tm.resolveTenant(req)
+      if (!tenant) {
+        if (log.w) log.warn(`Multi-Tenant: Tenant resolution failed for request ${req.id}`)
+        return reply.code(404).send({
+          statusCode: 404,
+          error: 'Not Found',
+          message: 'Tenant not found or resolution failed'
+        })
+      }
+      // 2. Setup Contesto
+      req.tenant = tenant
+      if (log.t) log.trace(`Multi-Tenant: Context switched to ${tenant.slug || tenant.id}`)
+      // 3. Creazione QueryRunner (Context-Chain Root)
+      // Questo è il cuore della "Golden Solution": ogni richiesta ha il suo QueryRunner isolato
+      const dataSource = global.connection
+      if (dataSource) {
+        const qr = dataSource.createQueryRunner()
+        await qr.connect()
+        // Assegnamo il manager del QueryRunner alla richiesta
+        req.db = qr.manager
+        // 4. Switch Schema su QUESTO QueryRunner
+        // Passiamo il manager affinché il TenantManager possa eseguire "SET search_path" su questa connessione specifica
+        await tm.switchContext(tenant, qr.manager)
+        // 5. Cleanup: Rilascio del QueryRunner alla fine della richiesta
+        reply.raw.on('finish', async () => {
+          if (!qr.isReleased) {
+            await qr.release()
+          }
+        })
+      } else {
+        if (log.w) log.warn('Multi-Tenant: Global connection not found! Skipping DB context creation.')
+      }
+    } catch (err: unknown) {
+      const message = err instanceof Error ? err.message : String(err)
+      if (log.e) log.error(`Multi-Tenant Error: ${message}`)
+      return reply.code(500).send({
+        statusCode: 500,
+        error: 'Internal Server Error',
+        message: 'Tenant Context Switch Failed'
+      })
+    }
+  })
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@volcanicminds/backend",
-  "version": "2.2.21",
+  "version": "2.3.2",
   "type": "module",
   "codename": "rome",
   "license": "MIT",