npm - aloux-iam - Versions diffs - 1.0.2 → 1.0.4 - Mend

aloux-iam 1.0.2 → 1.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/lib/config/utils.js +26 -0
package/lib/controllers/business.js +3 -1
package/lib/controllers/company.js +3 -1
package/lib/controllers/functions.js +4 -3
package/lib/controllers/label.js +4 -3
package/lib/controllers/menu.js +4 -3
package/lib/controllers/permission.js +4 -3
package/lib/controllers/user.js +30 -31
package/lib/models/Business.js +2 -0
package/lib/models/Permission.js +1 -0
package/lib/models/User.js +2 -0
package/lib/router.js +1 -0
package/lib/services/auth.js +1 -2
package/lib/services/user.js +2 -5
package/package.json +1 -1

package/lib/config/utils.js CHANGED Viewed

@@ -106,6 +106,32 @@ self.hashCode = (code) => {
   return crypto.createHash('sha256').update(String(code)).digest('hex');
 };
+// Extrae del body solo los campos definidos en el schema del modelo.
+// Campos de tipo Object libre (ej. data) se aplanan a dot-notation para que
+// $set haga merge en lugar de reemplazar el objeto completo.
+self.pickFromSchema = (Model, body) => {
+  const nonEditable = new Set(Model.schema.options.nonEditable || []);
+  const BASE_BLOCKED = new Set(['_id', '__v', 'createdAt', 'lastUpdate']);
+  const schemaObj = Model.schema.obj;
+  const allowed = Object.keys(schemaObj).filter(k => !BASE_BLOCKED.has(k) && !nonEditable.has(k));
+  const result = {};
+  for (const [k, v] of Object.entries(body)) {
+    if (!allowed.includes(k)) continue;
+    const fieldDef = schemaObj[k];
+    const isFreeObject = (fieldDef === Object || fieldDef?.type === Object) &&
+                         v && typeof v === 'object' && !Array.isArray(v);
+    if (isFreeObject) {
+      for (const [dk, dv] of Object.entries(v)) {
+        result[`${k}.${dk}`] = dv;
+      }
+    } else {
+      result[k] = v;
+    }
+  }
+  return result;
+};
 self.sanitizeSort = (sort, allowedFields) => {
   if (!sort || typeof sort !== 'object' || Array.isArray(sort)) return null;
   const safe = {};

package/lib/controllers/business.js CHANGED Viewed

@@ -143,9 +143,11 @@ self.detail = async (req, res) => {
 self.update = async (req, res) => {
   try {
+    const payload = errorController.pickFromSchema(Business, req.body);
+    payload.lastUpdate = new Date().getTime();
     const update = await Business.updateOne(
       { _id: req.params.BUSINESS_ID },
-      { $set: req.body, lastUpdate: new Date().getTime() }
+      { $set: payload }
     );
     res.status(202).send(update);
   } catch (error) {

package/lib/controllers/company.js CHANGED Viewed

@@ -59,9 +59,11 @@ self.detail = async (req, res) => {
 self.update = async (req, res) => {
   try {
+    const payload = errorController.pickFromSchema(Company, req.body);
+    payload.lastUpdate = new Date().getTime();
     const update = await Company.updateOne(
       { _id: req.params.COMPANY_ID },
-      { $set: req.body, lastUpdate: new Date().getTime() }
+      { $set: payload }
     );
     res.status(202).send(update);
   } catch (error) {

package/lib/controllers/functions.js CHANGED Viewed

@@ -19,9 +19,10 @@ self.update = async (req, res) => {
         const count = await Functions.exists({ _id: req.params.FUNCTION_ID })
         if (!count)
             throw new Error('Upss! No se encontró el registro')
-        req.body.lastUpdate = (new Date()).getTime()
-        await Functions.updateOne({ _id: req.params.FUNCTION_ID }, { $set: req.body })
-        res.status(200).send(req.body)
+        const payload = utils.pickFromSchema(Functions, req.body)
+        payload.lastUpdate = (new Date()).getTime()
+        await Functions.updateOne({ _id: req.params.FUNCTION_ID }, { $set: payload })
+        res.status(200).send(payload)
     } catch (error) {
         utils.responseError(res, error)
     }

package/lib/controllers/label.js CHANGED Viewed

@@ -19,9 +19,10 @@ self.update = async (req, res) => {
     const _id = req.params.LABEL_ID;
     const exists = await Label.exists({ _id });
     if (!exists) throw new Error("Upss! No se encontró el registro");
-    req.body.lastUpdate = new Date().getTime();
-    await Label.updateOne({ _id }, req.body);
-    res.status(200).send(req.body);
+    const payload = utils.pickFromSchema(Label, req.body);
+    payload.lastUpdate = new Date().getTime();
+    await Label.updateOne({ _id }, payload);
+    res.status(200).send(payload);
   } catch (error) {
     utils.responseError(res, error);
   }

package/lib/controllers/menu.js CHANGED Viewed

@@ -20,9 +20,10 @@ self.update = async (req, res) => {
         const count = await Menu.exists({ _id })
         if (!count)
             throw new Error('Upss! No se encontró el registro')
-        req.body.lastUpdate = (new Date()).getTime()
-        await Menu.updateOne({ _id }, { $set: req.body })
-        res.status(200).send(req.body)
+        const payload = utils.pickFromSchema(Menu, req.body)
+        payload.lastUpdate = (new Date()).getTime()
+        await Menu.updateOne({ _id }, { $set: payload })
+        res.status(200).send(payload)
     } catch (error) {
         utils.responseError(res, error)
     }

package/lib/controllers/permission.js CHANGED Viewed

@@ -28,9 +28,10 @@ self.update = async (req, res) => {
         const count = await Permission.exists({ _id })
         if (!count)
             throw new Error('Upss! No se encontró el registro')
-        req.body.lastUpdate = (new Date()).getTime()
-        await Permission.updateOne({ _id }, { $set: req.body })
-        res.status(200).send(req.body)
+        const payload = utils.pickFromSchema(Permission, req.body)
+        payload.lastUpdate = (new Date()).getTime()
+        await Permission.updateOne({ _id }, { $set: payload })
+        res.status(200).send(payload)
     } catch (error) {
         utils.responseError(res, error)
     }

package/lib/controllers/user.js CHANGED Viewed

@@ -10,6 +10,7 @@ const utils = require("../config/utils");
 const _brand = utils.brand;
 const mongoose = require("mongoose");
 const Business = require("../models/Business");
+const Menu = require("../models/Menu");
 const self = module.exports;
 self.createService = async (req, res) => {
@@ -389,18 +390,11 @@ self.getMenu = (user) => {
   // Recorre funciones de un user
   for (let i in user._functions) {
     if (user._functions[i].status === "Activo") {
-      // Recorre permisos de una función && Valida si el menú esta activo
-      for (let j in user._functions[i]._permissions) {
-        const permission = user._functions[i]._permissions[j];
-        if (
-          permission.status === "Activo" &&
-          permission._menu &&
-          permission._menu.status === "Activo"
-        ) {
-          const menu = user._functions[i]._permissions[j]._menu;
+      // Recorre menus asignados a la función
+      for (let j in user._functions[i]._menus) {
+        const menu = user._functions[i]._menus[j];
+        if (menu && menu.status === "Activo") {
           result.push(menu);
-          // Obtiene el menú padre
           if (menu._menu && menu._menu.status === "Activo") {
             result.push(menu._menu);
           }
@@ -455,27 +449,33 @@ self.getMenu = (user) => {
 self.getMe = async (req, res) => {
   try {
     let user = await User.findOne({ _id: req.user._id }, { tokens: 0, pwd: 0 })
-      .populate({
-        path: "_functions",
-        populate: [
-          {
-            path: "_permissions",
-            populate: [
-              {
-                path: "_menu",
-                populate: [
-                  {
-                    path: "_menu",
-                  },
-                ],
-              },
-            ],
-          },
-        ],
-      })
+      .populate({ path: "_functions", populate: { path: "_permissions" } })
       .lean();
-    // Obtener menús y funciones sin repertir y activas
+    const isValidId = (id) => {
+      if (!id || String(id) === "") return false;
+      try { new mongoose.Types.ObjectId(String(id)); return true; } catch { return false; }
+    };
+    for (const fn of user._functions || []) {
+      const validIds = (fn._menus || []).filter(isValidId);
+      if (!validIds.length) { fn._menus = []; continue; }
+      const menus = await Menu.find({ _id: { $in: validIds } }).lean();
+      const parentIds = menus.map(m => m._menu).filter(isValidId);
+      const parentMenus = parentIds.length
+        ? await Menu.find({ _id: { $in: parentIds } }).lean()
+        : [];
+      const parentMap = Object.fromEntries(parentMenus.map(m => [m._id.toString(), m]));
+      for (const menu of menus) {
+        menu._menu = isValidId(menu._menu) ? (parentMap[String(menu._menu)] || null) : null;
+      }
+      fn._menus = menus;
+    }
     user.menus = self.getMenu(user);
     user.permissions = self.getPermission(user);
     for (let i in user._functions) {
@@ -557,7 +557,6 @@ self.recoverpassword = async (req, res) => {
 };
 self.generatecode = () => {
-  const crypto = require("crypto");
   return crypto.randomInt(0, 1000000).toString().padStart(6, '0');
 };

package/lib/models/Business.js CHANGED Viewed

@@ -43,5 +43,7 @@ const businessSchema = mongoose.Schema({
   environment: { type: String, enum: ["dev", "qa", "prod"] },
 });
+businessSchema.set('nonEditable', ['gkey']);
 const Business = mongoose.model("Business", businessSchema);
 module.exports = Business;

package/lib/models/Permission.js CHANGED Viewed

@@ -13,6 +13,7 @@ const permissionSchema = mongoose.Schema({
 });
 permissionSchema.index({ method: 1, endpoint: 1 }, { unique: true });
+permissionSchema.set('nonEditable', ['method', 'endpoint']);
 const Permission = mongoose.model("Permission", permissionSchema);
 module.exports = Permission;

package/lib/models/User.js CHANGED Viewed

@@ -94,6 +94,8 @@ const adminSchema = mongoose.Schema({
   lastUpdate: { type: Number },
 });
+adminSchema.set('nonEditable', ['pwd', 'tokens', 'validateKey']);
 adminSchema.pre("save", async function () {
   const user = this;

package/lib/router.js CHANGED Viewed

@@ -47,6 +47,7 @@ router.put("/iam/auth/reset/password", middleware, auth.resetPass);
 router.post("/iam/auth/send/verify/phone", middleware, auth.verifyPhone);
 router.post("/iam/auth/verify/phone", middleware, auth.validatePhone);
 router.post("/iam/auth/logout", middleware, auth.logout);
+router.post("/iam/auth/logout-all", middleware, auth.logoutAll);
 router.patch("/iam/auth/mail", middleware, auth.mailChange);
 router.post("/iam/auth/validate/mail", middleware, auth.validatEmailChange);

package/lib/services/auth.js CHANGED Viewed

@@ -244,8 +244,7 @@ self.logout = async (req, res) => {
 };
 self.logoutAll = async (req, res) => {
-  req.user.tokens = [];
-  await req.user.save();
+  await User.updateOne({ _id: req.user._id }, { $set: { tokens: [] } });
   res.clearCookie("token");
   return true;
 };

package/lib/services/user.js CHANGED Viewed

@@ -1,6 +1,6 @@
 const jwt = require("jsonwebtoken")
 const User = require('../models/User')
-const { hashToken } = require('../config/utils')
+const { hashToken, pickFromSchema } = require('../config/utils')
 const self = module.exports
 self.create = async (body) => {
@@ -114,10 +114,7 @@ self.update = async (USER_ID, body) => {
     await User.updateOne({ _id }, { 'validateKey.validatePhone.validCodePhone': false })
   }
-  const BLOCKED_FIELDS = ['tokens', 'pwd', 'validateKey', 'createdAt', '_id'];
-  const safeBody = Object.fromEntries(
-    Object.entries(body).filter(([key]) => !BLOCKED_FIELDS.includes(key))
-  );
+  const safeBody = pickFromSchema(User, body);
   safeBody.lastUpdate = new Date().getTime();
   const result = await User.updateOne({ _id }, { $set: safeBody })

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "aloux-iam",
-  "version": "1.0.2",
+  "version": "1.0.4",
   "description": "Aloux IAM for APIs ",
   "main": "index.js",
   "scripts": {