npm - @vue-skuilder/express - Versions diffs - 0.1.24 → 0.1.26 - Mend

@vue-skuilder/express 0.1.24 → 0.1.26

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (22) hide show

package/dist/app-factory.d.ts.map +1 -1
package/dist/app-factory.js +26 -11
package/dist/app-factory.js.map +1 -1
package/dist/attachment-preprocessing/normalize-local.js +31 -4
package/dist/attachment-preprocessing/normalize-local.js.map +1 -1
package/dist/client-requests/pack-requests.d.ts.map +1 -1
package/dist/client-requests/pack-requests.js +14 -10
package/dist/client-requests/pack-requests.js.map +1 -1
package/dist/couchdb/authentication.d.ts +35 -1
package/dist/couchdb/authentication.d.ts.map +1 -1
package/dist/couchdb/authentication.js +87 -52
package/dist/couchdb/authentication.js.map +1 -1
package/dist/peruser.d.ts +14 -0
package/dist/peruser.d.ts.map +1 -0
package/dist/peruser.js +75 -0
package/dist/peruser.js.map +1 -0
package/package.json +4 -4
package/src/app-factory.ts +61 -29
package/src/attachment-preprocessing/normalize-local.ts +38 -4
package/src/client-requests/pack-requests.ts +74 -42
package/src/couchdb/authentication.ts +107 -54
package/src/peruser.ts +80 -0

package/src/couchdb/authentication.ts CHANGED Viewed

@@ -16,76 +16,129 @@ interface CouchSession {
   };
 }
-export async function requestIsAdminAuthenticated(req: VueClientRequest) {
-  logRequest(req);
-  const username = req.body.user;
-  const authCookie: string = req.cookies.AuthSession ? req.cookies.AuthSession : 'null';
-  if (authCookie === 'null') {
-    return false;
-  } else {
-    return await Nano({
-      cookie: 'AuthSession=' + authCookie,
-      url: getCouchURLWithProtocol(),
-    })
-      .session()
-      .then((s: CouchSession) => {
-        logger.info(`AuthUser: ${JSON.stringify(s)}`);
-        const isAdmin = s.userCtx.roles.indexOf('_admin') !== -1;
-        const isLoggedInUser = s.userCtx.name === username;
-        return isAdmin && isLoggedInUser;
-      })
-      .catch((_err) => {
-        return false;
-      });
-  }
-}
-function logRequest(req: VueClientRequest) {
-  logger.info(`${req.body.type} request from ${req.body.user}...`);
-}
+/**
+ * Result of authentication check.
+ * - If authenticated: { authenticated: true, username: string, isAdmin: boolean }
+ * - If not authenticated: { authenticated: false }
+ */
+export type AuthResult =
+  | { authenticated: true; username: string; isAdmin: boolean }
+  | { authenticated: false };
-export async function requestIsAuthenticated(req: VueClientRequest) {
+/**
+ * Get the authenticated user from the request's session cookie or authorization header.
+ * Returns the username from the session - does NOT trust req.body.user.
+ *
+ * This is the secure way to get the authenticated username - callers should use
+ * the returned username rather than trusting user-supplied data.
+ */
+export async function getAuthenticatedUser(
+  req: VueClientRequest
+): Promise<AuthResult> {
   logRequest(req);
   // Studio mode bypass: skip authentication for local development
   if (process.env.NODE_ENV === 'studio') {
     logger.info('Studio mode: bypassing authentication for local development');
-    return true;
+    // In studio mode, trust the body.user since this is local development only
+    const studioUser = req.body.user || 'studio-user';
+    return { authenticated: true, username: studioUser, isAdmin: true };
   }
+  // Check for Basic auth header first
   if (req.headers.authorization) {
-    const auth = Buffer.from(req.headers.authorization.split(' ')[1], 'base64')
-      .toString('ascii')
-      .split(':');
-    const username = auth[0];
-    const password = auth[1];
+    const authHeader = req.headers.authorization;
+    if (authHeader.startsWith('Basic ')) {
+      const auth = Buffer.from(authHeader.split(' ')[1], 'base64')
+        .toString('ascii')
+        .split(':');
+      const username = auth[0];
+      const password = auth[1];
-    const authResult = await Nano({
-      url: getCouchURLWithProtocol(),
-    }).auth(username, password);
+      try {
+        const authResult = await Nano({
+          url: getCouchURLWithProtocol(),
+        }).auth(username, password);
-    return authResult.ok;
+        if (authResult.ok) {
+          // Check if user has admin role by getting session
+          const nano = Nano({
+            url: getCouchURLWithProtocol(),
+          });
+          await nano.auth(username, password);
+          const session = (await nano.session()) as CouchSession;
+          const isAdmin = session.userCtx.roles.includes('_admin');
+          return { authenticated: true, username, isAdmin };
+        }
+      } catch (err) {
+        logger.warn('Basic auth failed:', err);
+      }
+    }
+    return { authenticated: false };
   }
-  const username = req.body.user;
-  const authCookie: string = req.cookies.AuthSession ? req.cookies.AuthSession : 'null';
+  // Check for session cookie
+  const authCookie: string = req.cookies.AuthSession
+    ? req.cookies.AuthSession
+    : 'null';
   if (authCookie === 'null') {
-    return false;
-  } else {
-    return await Nano({
+    return { authenticated: false };
+  }
+  try {
+    const session = (await Nano({
       cookie: 'AuthSession=' + authCookie,
       url: getCouchURLWithProtocol(),
-    })
-      .session()
-      .then((s: CouchSession) => {
-        logger.info(`AuthUser: ${JSON.stringify(s)}`);
-        return s.userCtx.name === username;
-      })
-      .catch((_err) => {
-        return false;
-      });
+    }).session()) as CouchSession;
+    logger.info(`AuthUser: ${JSON.stringify(session)}`);
+    if (session.ok && session.userCtx.name) {
+      const isAdmin = session.userCtx.roles.includes('_admin');
+      return {
+        authenticated: true,
+        username: session.userCtx.name,
+        isAdmin,
+      };
+    }
+    return { authenticated: false };
+  } catch (err) {
+    logger.warn('Session validation failed:', err);
+    return { authenticated: false };
   }
 }
+/**
+ * Check if the request is authenticated (any valid user).
+ * Returns true if authenticated, false otherwise.
+ *
+ * @deprecated Use getAuthenticatedUser() instead to get the actual username
+ */
+export async function requestIsAuthenticated(
+  req: VueClientRequest
+): Promise<boolean> {
+  const result = await getAuthenticatedUser(req);
+  return result.authenticated;
+}
+/**
+ * Check if the request is authenticated as an admin user.
+ * Returns true only if the session has _admin role.
+ *
+ * SECURITY FIX: No longer trusts req.body.user - only checks session role.
+ *
+ * @deprecated Use getAuthenticatedUser() and check isAdmin instead
+ */
+export async function requestIsAdminAuthenticated(
+  req: VueClientRequest
+): Promise<boolean> {
+  const result = await getAuthenticatedUser(req);
+  return result.authenticated && result.isAdmin;
+}
+function logRequest(req: VueClientRequest) {
+  // Log the claimed user for debugging, but note this is NOT trusted
+  logger.info(`${req.body.type} request (claimed user: ${req.body.user})...`);
+}

package/src/peruser.ts ADDED Viewed

@@ -0,0 +1,80 @@
+/**
+ * Per-user database provisioning daemon.
+ *
+ * Replaces CouchDB's built-in couch_peruser Erlang module, which has a
+ * process leak bug that causes unbounded memory growth:
+ * https://github.com/apache/couchdb/issues/5871
+ *
+ * Watches the _users database changes feed and ensures that every user
+ * has a corresponding userdb-{hex(username)} database with appropriate
+ * security settings. Replays from since=0 on every startup — this is
+ * cheap and removes the need to persist checkpoint state.
+ */
+import { getCouchDB, type SecurityObject } from './couchdb/index.js';
+import logger from './logger.js';
+function hexEncode(str: string): string {
+  let returnStr = '';
+  for (let i = 0; i < str.length; i++) {
+    returnStr += ('000' + str.charCodeAt(i).toString(16)).slice(3);
+  }
+  return returnStr;
+}
+async function ensureUserDB(username: string): Promise<void> {
+  const dbName = `userdb-${hexEncode(username)}`;
+  const server = getCouchDB();
+  try {
+    await server.db.create(dbName);
+    logger.info(`peruser: created ${dbName}`);
+  } catch (e: unknown) {
+    if (
+      e &&
+      typeof e === 'object' &&
+      'statusCode' in e &&
+      (e as { statusCode: number }).statusCode === 412
+    ) {
+      // already exists — expected on replay
+    } else {
+      logger.error(`peruser: error creating ${dbName}:`, e);
+      return;
+    }
+  }
+  const db = server.use(dbName);
+  try {
+    const security: SecurityObject = {
+      admins: { names: [username], roles: [] },
+      members: { names: [username], roles: [] },
+    };
+    await db.insert(security, '_security');
+  } catch (e) {
+    logger.error(`peruser: error setting security on ${dbName}:`, e);
+  }
+}
+export function startPerUserProvisioning(): void {
+  const usersDB = getCouchDB().use('_users');
+  usersDB.changesReader
+    .start({
+      includeDocs: false,
+      since: '0',
+    })
+    .on('change', (change: { id: string; deleted?: boolean }) => {
+      if (!change.id.startsWith('org.couchdb.user:')) return;
+      if (change.deleted) return;
+      const username = change.id.replace('org.couchdb.user:', '');
+      ensureUserDB(username).catch((e) => {
+        logger.error(`peruser: unhandled error for ${username}:`, e);
+      });
+    })
+    .on('error', (err: Error) => {
+      logger.error('peruser: _users changes feed error:', err);
+    });
+  logger.info('peruser: watching _users for new accounts');
+}