backend-manager 4.1.2 → 4.2.0

package/src/manager/helpers/assistant.js

@@ -69,7 +69,7 @@ function tryUrl(self) {
           : `${protocol}://${host}/${self.meta.name}`;
       }
     } else if (projectType === 'custom') {
-      return `@@@TODO`;
+      return `@TODO`;
     }
 
     return '';
@@ -598,22 +598,44 @@ function _attachHeaderProperties(self, options, error) {
 BackendAssistant.prototype.authenticate = async function (options) {
   const self = this;
 
-  let admin = self.ref.admin;
-  let functions = self.ref.functions;
-  let req = self.ref.req;
-  let res = self.ref.res;
-  let data = self.request.data;
+  // Shortcuts
+  const admin = self.ref.admin;
+  const functions = self.ref.functions;
+  const req = self.ref.req;
+  const res = self.ref.res;
+  const data = self.request.data;
+
+  // Get stored backendManagerKey
+  const BACKEND_MANAGER_KEY = self.Manager?.config?.backend_manager?.key || '';
+
+  // Build the ID token from the request
   let idToken;
+  let backendManagerKey;
+  // let user;
 
+  // Set options
   options = options || {};
   options.resolve = typeof options.resolve === 'undefined' ? true : options.resolve;
+  options.debug = typeof options.debug === 'undefined' ? false : options.debug;
 
   function _resolve(user) {
+    // Resolve the properties
     user = user || {};
     user.authenticated = typeof user.authenticated === 'undefined'
       ? false
       : user.authenticated;
 
+    // Validate BACKEND_MANAGER_KEY
+    if (backendManagerKey && backendManagerKey === BACKEND_MANAGER_KEY) {
+      // Update roles
+      user.roles = user.roles || {};
+      user.roles.admin = true;
+
+      // Set authenticated
+      user.authenticated = true;
+    }
+
+    // Resolve the user
     if (options.resolve) {
       self.request.user = self.resolveAccount(user);
       return self.request.user;
@@ -622,91 +644,102 @@ BackendAssistant.prototype.authenticate = async function (options) {
     }
   }
 
-  if (req?.headers?.authorization && req?.headers?.authorization?.startsWith('Bearer ')) {
+  // Get shortcuts
+  const authHeader = req?.headers?.authorization || '';
+
+  // Extract the BEM token
+  // Having this is separate from the ID token allows for the user to be authenticated as an ADMIN
+  if (options.backendManagerKey || data.backendManagerKey) {
+    // Read token from backendManagerKey or authenticationToken or apiKey
+    backendManagerKey = options.backendManagerKey || data.backendManagerKey;
+
+    // Log the token
+    self.log('Found "backendManagerKey" parameter', backendManagerKey);
+  }
+
+  // Extract the token / API key
+  // This is the main token that will be used to authenticate the user (it can be a JWT or a user's API key)
+  if (authHeader.startsWith('Bearer ')) {
     // Read the ID Token from the Authorization header.
-    idToken = req.headers.authorization.split('Bearer ')[1];
+    idToken = authHeader.split('Bearer ')[1];
+
+    // Log the token
     self.log('Found "Authorization" header', idToken);
   } else if (req?.cookies?.__session) {
     // Read the ID Token from cookie.
     idToken = req.cookies.__session;
+
+    // Log the token
     self.log('Found "__session" cookie', idToken);
-  } else if (data.backendManagerKey || data.authenticationToken) {
-    // Check with custom BEM Token
-    let storedApiKey;
+  } else if (
+    options.authenticationToken || data.authenticationToken
+    || options.apiKey || data.apiKey
+  ) {
+    // Read token OR API Key from options or data
+    idToken = options.authenticationToken || data.authenticationToken
+    || options.apiKey || data.apiKey;
+
+    // Log the token
+    self.log('Found "authenticationToken" parameter', idToken);
+  } else {
+    // No token found
+    return _resolve(self.request.user);
+  }
+
+  // Check if the token is a JWT
+  if (isJWT(idToken)) {
+    // Check with firebase
     try {
-      // Disabled this 5/11/24 because i dont know why we would need to do functions.config() if we already have the Manager
-      // const workingConfig = self.Manager?.config || functions.config();
-      storedApiKey = self.Manager?.config?.backend_manager?.key || '';
-    } catch (e) {
-      // Do nothing
-    }
+      const decodedIdToken = await admin.auth().verifyIdToken(idToken);
 
-    // Set idToken as working token of either backendManagerKey or authenticationToken
-    idToken = data.backendManagerKey || data.authenticationToken;
+      // Log the token
+      if (options.debug) {
+        self.log('JWT token decoded', decodedIdToken.email, decodedIdToken.user_id);
+      }
 
-    // Log the token
-    self.log('Found "backendManagerKey" or "authenticationToken" parameter', {storedApiKey: storedApiKey, idToken: idToken});
+      // Get the user
+      await admin.firestore().doc(`users/${decodedIdToken.user_id}`)
+      .get()
+      .then((doc) => {
+        // Set the user
+        if (doc.exists) {
+          self.request.user = Object.assign({}, self.request.user, doc.data());
+          self.request.user.authenticated = true;
+          self.request.user.auth.uid = decodedIdToken.user_id;
+          self.request.user.auth.email = decodedIdToken.email;
+        }
+
+        // Log the user
+        if (options.debug) {
+          self.log('Found user doc', self.request.user)
+        }
+      })
 
-    // Check if the token is correct
-    if (storedApiKey && (storedApiKey === data.backendManagerKey || storedApiKey === data.authenticationToken)) {
-      self.request.user.authenticated = true;
-      self.request.user.roles.admin = true;
+      // Return the user
       return _resolve(self.request.user);
-    }
-  } else if (options.apiKey || data.apiKey) {
-    const apiKey = options.apiKey || data.apiKey;
-    self.log('Found "options.apiKey"', apiKey);
+    } catch (error) {
+      self.error('Error while verifying JWT:', error);
 
-    if (apiKey.includes('test')) {
+      // Return the user
       return _resolve(self.request.user);
     }
-
+  } else {
+    // Query by API key
     await admin.firestore().collection(`users`)
-      .where('api.privateKey', '==', apiKey)
+      .where('api.privateKey', '==', idToken)
       .get()
-      .then(function(querySnapshot) {
-        querySnapshot.forEach(function(doc) {
+      .then((querySnapshot) => {
+        querySnapshot.forEach((doc) => {
           self.request.user = doc.data();
+          self.request.user = Object.assign({}, self.request.user, doc.data());
           self.request.user.authenticated = true;
         });
       })
-      .catch(function(error) {
+      .catch((error) => {
         console.error('Error getting documents: ', error);
       });
 
-    return _resolve(self.request.user);
-  } else {
-    // self.log('No Firebase ID token was able to be extracted.',
-    //   'Make sure you authenticate your request by providing either the following HTTP header:',
-    //   'Authorization: Bearer <Firebase ID Token>',
-    //   'or by passing a "__session" cookie',
-    //   'or by passing backendManagerKey or authenticationToken in the body or query');
-
-    return _resolve(self.request.user);
-  }
-
-  // Check with firebase
-  try {
-    const decodedIdToken = await admin.auth().verifyIdToken(idToken);
-    if (options.debug) {
-      self.log('Token correctly decoded', decodedIdToken.email, decodedIdToken.user_id);
-    }
-    await admin.firestore().doc(`users/${decodedIdToken.user_id}`)
-    .get()
-    .then(async function (doc) {
-      if (doc.exists) {
-        self.request.user = Object.assign({}, self.request.user, doc.data());
-      }
-      self.request.user.authenticated = true;
-      self.request.user.auth.uid = decodedIdToken.user_id;
-      self.request.user.auth.email = decodedIdToken.email;
-      if (options.debug) {
-        self.log('Found user doc', self.request.user)
-      }
-    })
-    return _resolve(self.request.user);
-  } catch (error) {
-    self.error('Error while verifying Firebase ID token:', error);
+    // Return the user
     return _resolve(self.request.user);
   }
 };
@@ -726,7 +759,7 @@ BackendAssistant.prototype.parseRepo = function (repo) {
   }
 
   // Remove unnecessary parts
-  repoSplit = repoSplit.filter(function(value, index, arr){
+  repoSplit = repoSplit.filter((value, index, arr) => {
     return value !== 'http:'
       && value !== 'https:'
       && value !== ''
@@ -1034,6 +1067,21 @@ BackendAssistant.prototype.parseMultipartFormData = function (options) {
   });
 }
 
+const isJWT = (token) => {
+  // Ensure the token has three parts separated by dots
+  const parts = token.split('.');
+
+  try {
+    // Decode the header (first part) to verify it is JSON
+    const header = JSON.parse(Buffer.from(parts[0], 'base64').toString('utf8'));
+    // Check for expected JWT keys in the header
+    return header.alg && header.typ === 'JWT';
+  } catch (err) {
+    // If parsing fails, it's not a valid JWT
+    return false;
+  }
+};
+
 // Not sure what this is for? But it has a good serializer code
 // Disabled 2024-03-21 because there was another stringify() function that i was intending to use but it was actually using this
 // It was adding escaped quotes to strings

package/src/manager/helpers/settings.js

@@ -62,7 +62,7 @@ Settings.prototype.resolve = function (assistant, schema, settings, options) {
   // console.log('---self.settings', self.settings);
 
   // Iterate each key and check for some things
-  processSchema(schema, (path, schemaNode) => {
+  iterateSchema(schema, (path, schemaNode) => {
     const originalValue = _.get(settings, path);
     const resolvedValue = _.get(self.settings, path);
     let replaceValue = undefined;
@@ -154,7 +154,7 @@ Settings.prototype.constant = function (name, options) {
   }
 };
 
-function processSchema(schema, fn, path) {
+function iterateSchema(schema, fn, path) {
   path = path || '';
 
   // Base case: Check if the current level has 'types' and 'default', indicating metadata
@@ -167,7 +167,7 @@ function processSchema(schema, fn, path) {
   // Recursive case: Iterate through nested keys if we're not at a metadata node
   Object.keys(schema).forEach(key => {
     const nextPath = path ? `${path}.${key}` : key;
-    processSchema(schema[key], fn, nextPath);
+    iterateSchema(schema[key], fn, nextPath);
   });
 }
 

package/src/manager/index.js

@@ -871,11 +871,11 @@ Manager.prototype.setupFunctions = function (exporter, options) {
   .auth.user()
   .onDelete(async (user, context) => self._process((new (require(`${core}/events/auth/on-delete.js`))()).init(self, { user: user, context: context})));
 
-  exporter.bm_subOnWrite =
+  exporter.bm_notificationsOnWrite =
   self.libraries.functions
   .runWith({memory: '256MB', timeoutSeconds: 60})
-  .firestore.document('notifications/subscriptions/all/{token}')
-  .onWrite(async (change, context) => self._process((new (require(`${core}/events/firestore/on-subscription.js`))()).init(self, { change: change, context: context, })));
+  .firestore.document('notifications/{token}')
+  .onWrite(async (change, context) => self._process((new (require(`${core}/events/firestore/notifications/on-write.js`))()).init(self, { change: change, context: context, })));
 
   // Setup cron jobs
   exporter.bm_cronDaily =

package/templates/backend-manager-tests.js

@@ -126,24 +126,24 @@ describe("BackendManager Tests", () => {
   describe("notifications", () => {
     it("unauthenticated can subscribe", async () => {
       const db = auth(accounts.unauthenticated);
-      const doc = db.doc(`notifications/subscriptions/all/token`);
+      const doc = db.doc(`notifications/token`);
       await firebase.assertSucceeds(doc.set({token: 'token'}));
     });
     it("authenticated can subscribe", async () => {
       const db = auth(accounts.regular);
-      const doc = db.doc(`notifications/subscriptions/all/token`);
+      const doc = db.doc(`notifications/token`);
       await firebase.assertSucceeds(doc.set({token: 'token'}));
     });
 
     it("unauthenticated can read subscription by token", async () => {
       const db = auth(accounts.unauthenticated);
-      const doc = db.doc(`notifications/subscriptions/all/token`);
+      const doc = db.doc(`notifications/token`);
       await firebase.assertSucceeds(doc.get());
     });
 
     it("authenticated can read subscription by token", async () => {
       const db = auth(accounts.regular);
-      const doc = db.doc(`notifications/subscriptions/all/token`);
+      const doc = db.doc(`notifications/token`);
       await firebase.assertSucceeds(doc.get());
     });
 

package/templates/firestore.rules

@@ -9,7 +9,7 @@ service cloud.firestore {
     match /{document=**} {
       allow read, write: if isAdmin();
     }
-        
+
     // Protect user account data
     match /users/{uid} {
       allow read: if belongsTo(uid);
@@ -17,8 +17,8 @@ service cloud.firestore {
     }
 
     // Protect notification data
-    match /notifications/subscriptions/all/{token} {
-      allow read: if existingData().token == token || belongsTo(existingData().link.user.pk);
+    match /notifications/{token} {
+      allow read: if existingData().token == token || belongsTo(existingData().owner.uid);
       allow update: if existingData().token == token;
       allow create: if true;
     }
@@ -40,7 +40,7 @@ service cloud.firestore {
     }
     function belongsTo(identity) {
       return isAuthenticated() && (authUid() == identity || authEmail() == identity);
-      // eventually include a check for (existingData().link.email == identity)...(in case its a doc owned by a user that's not actually user doc)
+      // eventually include a check for (existingData().owner.uid == identity)...(in case its a doc owned by a user that's not actually user doc)
     }
 
     function getRoles() {