fhirsmith 0.7.1 → 0.7.3

package/extension-tracker/readme.md

@@ -0,0 +1,63 @@
+# FHIRsmith Extension Tracker Module
+
+Tracks extensions, profiles, and extension usage across FHIR Implementation Guides. IGs submit data via POST, and the module provides browsable views of the collected data.
+
+## Configuration
+
+```json
+"ext-tracker": {
+  "enabled": true,
+  "database": "/var/fhir/data/extension-tracker.db",
+  "url": "/ext-tracker"
+}
+```
+
+- **database**: path to the SQLite database file (auto-created if missing)
+- **url** (optional): URL base to mount at (defaults to `/ext-tracker`)
+
+## POST — Submit IG Data
+
+POST JSON to the module root. Required fields: `package`, `version`, `fhirVersion`. Optional: `jurisdiction`, `extensions`, `profiles`, `usage`.
+
+```
+POST /ext-tracker
+Content-Type: application/json
+
+{
+  "package": "hl7.fhir.uv.tx-ecosystem",
+  "version": "1.9.1",
+  "fhirVersion": "5.0.0",
+  "jurisdiction": "001",
+  "extensions": [
+    { "url": "http://example.org/ext", "title": "My Extension", "types": ["string"] }
+  ],
+  "profiles": {
+    "Patient": [
+      { "url": "http://example.org/profile", "title": "My Profile" }
+    ]
+  },
+  "usage": {
+    "http://example.org/ext": ["Patient", "Patient.name"]
+  }
+}
+```
+
+Submitting a new version for an existing package replaces the old data entirely — only the latest submission per package is kept.
+
+Duplicate types in extensions are automatically deduplicated.
+
+## GET — Browse Data
+
+- `/ext-tracker` — Summary dashboard with package list
+- `/ext-tracker/extensions` — All extensions, filterable by `?package=`
+- `/ext-tracker/profiles` — All profiles, filterable by `?resource=` and `?package=`
+- `/ext-tracker/usage` — Extension usage, filterable by `?url=` and `?location=`
+- `/ext-tracker/package/:name` — Detail page for a specific package
+
+## Dependencies
+
+Requires `better-sqlite3` (`npm install better-sqlite3`).
+
+## Database
+
+The SQLite database is auto-created on first run with five tables: `packages`, `extensions`, `extension_types`, `profiles`, and `usages`. Foreign keys cascade deletes, so removing a package cleans up all related data.

package/folder/folder.js

@@ -0,0 +1,305 @@
+const express = require('express');
+const fs = require('fs');
+const path = require('path');
+const USERS_FILE = '.users.json';
+const MAX_UPLOAD_BYTES = 10 * 1024 * 1024; // 10 MB
+const SAFE_NAME = /^[a-zA-Z0-9._-]+$/;
+const AUTH_FAIL_DELAY_MS = 5000;
+
+function escapeHtml(str) {
+  return String(str)
+    .replace(/&/g, '&')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&#39;');
+}
+
+class FolderModule {
+  constructor(stats) {
+    this.folders = [];
+    this.stats = stats;
+  }
+
+  initialize(config, app) {
+    this.folders = [];
+
+    const folderConfigs = config.folders || [];
+    for (const fc of folderConfigs) {
+      if (fc.enabled === false) {
+        continue;
+      }
+      if (!fc.folder || !fc.url || !fc.name) {
+        console.log(`Folder config entry missing required fields (name, folder, url) - skipping`);
+        continue;
+      }
+      const rootDir = path.resolve(fc.folder);
+      if (!fs.existsSync(rootDir)) {
+        console.log(`Folder path ${rootDir} does not exist - skipping "${fc.name}"`);
+        continue;
+      }
+
+      const urlBase = fc.url.startsWith('/') ? fc.url : '/' + fc.url;
+      const router = express.Router();
+
+      // GET - serve files and directory listings
+      router.get(urlBase + '/{*subpath}', (req, res) => {
+        this.handleGet(req, res, rootDir, urlBase);
+      });
+      router.get(urlBase, (req, res) => {
+        this.handleGet(req, res, rootDir, urlBase);
+      });
+
+      // PUT - upload with basic auth (express.raw captures body before any global JSON parser)
+      router.put(urlBase + '/{*subpath}', express.raw({ type: '*/*', limit: MAX_UPLOAD_BYTES }), (req, res) => {
+        this.handlePut(req, res, rootDir, urlBase);
+      });
+
+      app.use('/', router);
+      this.folders.push({ name: fc.name, folder: rootDir, url: urlBase });
+      console.log(`Folder module: serving "${fc.name}" from ${rootDir} at ${urlBase}`);
+    }
+
+    if (this.folders.length === 0) {
+      console.log('Folder module: no folders configured');
+    }
+  }
+
+  handleGet(req, res, rootDir, urlBase) {
+    this.stats.countRequest('search', 0);
+    const subPath = req.path.substring(urlBase.length) || '/';
+    const safePath = path.normalize(subPath);
+    if (safePath.includes('..')) {
+      return res.status(403).send('Forbidden');
+    }
+
+    const fullPath = path.join(rootDir, safePath);
+
+    // never serve .users.json
+    if (path.basename(fullPath) === '.users.json') {
+      return res.status(403).send('Forbidden');
+    }
+
+    if (!fs.existsSync(fullPath)) {
+      return res.status(404).send('Not found');
+    }
+
+    const stat = fs.statSync(fullPath);
+    if (stat.isFile()) {
+      return res.sendFile(fullPath);
+    }
+
+    if (stat.isDirectory()) {
+      return this.sendDirectoryListing(res, fullPath, req.path);
+    }
+
+    return res.status(404).send('Not found');
+  }
+
+  sendDirectoryListing(res, dirPath, requestPath) {
+    const start = Date.now();
+    const entries = fs.readdirSync(dirPath, { withFileTypes: true });
+    const urlPath = requestPath.endsWith('/') ? requestPath : requestPath + '/';
+
+    // separate dirs and files, exclude .users.json
+    const dirs = entries.filter(e => e.isDirectory()).sort((a, b) => a.name.localeCompare(b.name));
+    const files = entries.filter(e => e.isFile() && e.name !== '.users.json').sort((a, b) => a.name.localeCompare(b.name));
+
+    const safeRequestPath = escapeHtml(requestPath);
+    let html = `<html><head><title>Index of ${safeRequestPath}</title></head><body>`;
+    html += `<h1>Index of ${safeRequestPath}</h1><pre>`;
+
+    // parent directory link (if not at mount root)
+    if (requestPath.split('/').filter(Boolean).length > 1) {
+      html += `<a href="${urlPath}..">../</a>\n`;
+    }
+
+    for (const dir of dirs) {
+      const safeDirName = escapeHtml(dir.name);
+      html += `<a href="${urlPath}${encodeURIComponent(dir.name)}/">${safeDirName}/</a>\n`;
+    }
+
+    for (const file of files) {
+      const stat = fs.statSync(path.join(dirPath, file.name));
+      const size = this.formatSize(stat.size);
+      const safeFileName = escapeHtml(file.name);
+      html += `<a href="${urlPath}${encodeURIComponent(file.name)}">${safeFileName}</a>${' '.repeat(Math.max(1, 60 - file.name.length))}${size}\n`;
+    }
+
+    html += '</pre></body></html>';
+    this.stats.countRequest('folder', Date.now() - start);
+    res.type('html').send(html);
+  }
+
+  formatSize(bytes) {
+    if (bytes < 1024) return bytes + ' B';
+    if (bytes < 1024 * 1024) return (bytes / 1024).toFixed(1) + ' KB';
+    if (bytes < 1024 * 1024 * 1024) return (bytes / (1024 * 1024)).toFixed(1) + ' MB';
+    return (bytes / (1024 * 1024 * 1024)).toFixed(1) + ' GB';
+  }
+
+  handlePut(req, res, rootDir, urlBase) {
+    this.stats.countRequest('submit', 0);
+    const subPath = req.path.substring(urlBase.length);
+    const safePath = path.normalize(subPath);
+    if (safePath.includes('..')) {
+      return res.status(403).send('Forbidden');
+    }
+
+    const fullPath = path.join(rootDir, safePath);
+
+    // must be a file path, not a directory
+    if (safePath === '/' || safePath === '') {
+      return res.status(400).send('Cannot PUT to directory root');
+    }
+
+    // validate every path segment: alphanumeric, dots, dashes, underscores only
+    // split on both / and \ since path.normalize uses \ on Windows
+    const segments = safePath.split(/[/\\]/).filter(Boolean);
+    for (const seg of segments) {
+      if (!SAFE_NAME.test(seg)) {
+        return res.status(400).send('Invalid path: names may only contain letters, numbers, dots, dashes and underscores');
+      }
+    }
+
+    // only allow .zip files
+    const filename = path.basename(fullPath);
+    if (!filename.toLowerCase().endsWith('.zip')) {
+      return res.status(400).send('Only .zip files may be uploaded');
+    }
+
+    // check content-length before reading body
+    const contentLength = parseInt(req.headers['content-length'], 10);
+    if (contentLength > MAX_UPLOAD_BYTES) {
+      return res.status(413).send(`File too large (limit ${MAX_UPLOAD_BYTES / 1024 / 1024} MB)`);
+    }
+
+    // authenticate
+    const credentials = this.parseBasicAuth(req);
+    if (!credentials) {
+      res.set('WWW-Authenticate', 'Basic realm="Folder Upload"');
+      return res.status(401).send('Authentication required');
+    }
+
+    if (!this.checkUser(rootDir, path.dirname(fullPath), credentials.username, credentials.password)) {
+      // deliberate delay to slow down brute-force attempts
+      return setTimeout(() => {
+        res.set('WWW-Authenticate', 'Basic realm="Folder Upload"');
+        res.status(403).send('Access denied');
+      }, AUTH_FAIL_DELAY_MS);
+    }
+
+    this.getBody(req).then(body => {
+      // double-check actual body size
+      if (body.length > MAX_UPLOAD_BYTES) {
+        return res.status(413).send(`File too large (limit ${MAX_UPLOAD_BYTES / 1024 / 1024} MB)`);
+      }
+
+      // ensure parent directory exists
+      const parentDir = path.dirname(fullPath);
+      if (!fs.existsSync(parentDir)) {
+        fs.mkdirSync(parentDir, { recursive: true });
+      }
+
+      // write the file
+      fs.writeFileSync(fullPath, body);
+
+      // if it's main.zip or master.zip, also save as default.zip
+      const basename = path.basename(fullPath).toLowerCase();
+      if (basename === 'main.zip' || basename === 'master.zip') {
+        const defaultPath = path.join(parentDir, 'default.zip');
+        fs.copyFileSync(fullPath, defaultPath);
+      }
+
+      return res.status(200).send('OK');
+    }).catch(err => {
+      console.log(`Folder module: PUT error for ${fullPath}: ${err.message}`);
+      return res.status(500).send('Upload failed');
+    });
+  }
+
+  // get request body as a Buffer, whether or not global middleware already parsed it
+  getBody(req) {
+    // if global middleware already parsed it, use that
+    if (Buffer.isBuffer(req.body)) {
+      return Promise.resolve(req.body);
+    }
+    if (req.body && typeof req.body === 'object') {
+      return Promise.resolve(Buffer.from(JSON.stringify(req.body)));
+    }
+    if (req.body) {
+      return Promise.resolve(Buffer.from(req.body));
+    }
+    // no middleware parsed it — read from stream
+    return new Promise((resolve, reject) => {
+      const chunks = [];
+      req.on('data', chunk => chunks.push(chunk));
+      req.on('end', () => resolve(Buffer.concat(chunks)));
+      req.on('error', reject);
+    });
+  }
+
+  parseBasicAuth(req) {
+    const header = req.headers.authorization;
+    if (!header || !header.startsWith('Basic ')) {
+      return null;
+    }
+    const decoded = Buffer.from(header.substring(6), 'base64').toString('utf-8');
+    const colon = decoded.indexOf(':');
+    if (colon < 0) {
+      return null;
+    }
+    return {
+      username: decoded.substring(0, colon),
+      password: decoded.substring(colon + 1)
+    };
+  }
+
+  // walk up from the target directory to rootDir looking for .users.json
+  checkUser(rootDir, dir, username, password) {
+    let current = path.resolve(dir);
+    const root = path.resolve(rootDir);
+
+    while (true) {
+      const usersPath = path.join(current, USERS_FILE);
+      if (fs.existsSync(usersPath)) {
+        try {
+          const users = JSON.parse(fs.readFileSync(usersPath, 'utf-8'));
+          if (users[username] && users[username] === password) {
+            return true;
+          }
+        } catch (e) {
+          // malformed json, keep walking up
+        }
+      }
+
+      if (current === root) {
+        break;
+      }
+
+      const parent = path.dirname(current);
+      if (parent === current) {
+        break;  // filesystem root - stop
+      }
+      current = parent;
+    }
+
+    return false;
+  }
+
+  shutdown() {
+    // nothing to clean up
+  }
+
+  getStatus() {
+    return {
+      folders: this.folders.map(f => ({
+        name: f.name,
+        folder: f.folder,
+        url: f.url
+      }))
+    };
+  }
+}
+
+module.exports = FolderModule;

package/folder/readme.md

@@ -0,0 +1,57 @@
+# FHIRsmith Folder Module
+
+Serves static files from one or more directories, with optional authenticated upload via PUT.
+
+## Configuration
+
+Add a `folder` entry under `modules` in your config, following the standard FHIRsmith module pattern:
+
+```json
+"folder": {
+"enabled": true,
+"folders": [
+{ "name": "packages", "folder": "/var/fhir/packages", "url": "/packages" },
+{ "name": "igs", "folder": "/var/fhir/igs", "url": "/igs", "enabled": false }
+]
+}
+```
+
+The top-level `enabled` controls whether the module loads at all. Each folder entry also supports its own `enabled: false` to disable individual folders without removing them from the config.
+
+- **name**: display name (used in status and logging)
+- **folder**: absolute path to the directory to serve
+- **url**: URL path to mount at
+- **enabled** (optional): set to `false` to skip this entry
+
+Directories that don't exist at startup are skipped with a warning. Zero folders is valid.
+
+## GET — File Serving
+
+Any GET request under the configured URL serves files directly. If the path is a directory, it returns an HTML listing showing subdirectories first, then files with sizes.
+
+## PUT — Authenticated Upload
+
+PUT writes a file to the path specified in the URL. The parent directory is created automatically if it doesn't exist.
+
+All PUT requests require HTTP Basic authentication. Credentials are checked against `.users.json` files (see below).
+
+Special case: uploading `main.zip` or `master.zip` automatically creates a copy named `default.zip` in the same directory.
+
+## .users.json
+
+Authentication for PUT is controlled by `.users.json` files placed anywhere in the served directory tree. Format is a simple JSON object mapping usernames to passwords:
+
+```json
+{
+  "grahame": "secretpassword",
+  "ci-bot": "buildtoken123"
+}
+```
+
+When a PUT comes in, the module walks up from the target directory to the folder root looking for a `.users.json` file. The first one found that contains a matching username and password grants access. If no match is found at any level, the request is rejected with 403.
+
+This means you can put a `.users.json` at the root to cover everything, or use per-subdirectory files to grant more specific access. `.users.json` files are never served by GET.
+
+## Dependencies
+
+No additional npm dependencies required.

package/library/html-server.js

@@ -100,20 +100,26 @@ class HtmlServer {
   }
 
   sendErrorResponse(res, templateName, error, statusCode = 500) {
+    if (res.headersSent) {
+      this.log.error('[HtmlServer] Cannot send error response - headers already sent:', error.message || error);
+      return;
+    }
     const errorContent = `
       <div class="alert alert-danger">
         <h4>Error</h4>
         <p>${escape(error.message || error)}</p>
       </div>
     `;
-    
+
     try {
       const html = this.renderPage(templateName, 'Error', errorContent);
       res.status(statusCode).setHeader('Content-Type', 'text/html');
       res.send(html);
     } catch (renderError) {
       this.log.error('[HtmlServer] Error rendering error page:', renderError);
-      res.status(statusCode).send(`<h1>Error</h1><p>Failed to render error page: ${escape(renderError.message)}</p>`);
+      if (!res.headersSent) {
+        res.status(statusCode).send(`<h1>Error</h1><p>Failed to render error page: ${escape(renderError.message)}</p>`);
+      }
     }
   }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "fhirsmith",
-  "version": "0.7.1",
+  "version": "0.7.3",
   "description": "A Node.js server that provides a collection of tools to serve the FHIR ecosystem",
   "main": "server.js",
   "engines": {
@@ -32,6 +32,7 @@
     "axios": "^1.13.4",
     "base45": "^3.0.0",
     "bcrypt": "^6.0.0",
+    "better-sqlite3": "^12.8.0",
     "cbor": "^9.0.1",
     "chalk": "^4.1.2",
     "chokidar": "^4.0.3",
@@ -47,6 +48,7 @@
     "fhir-validator-wrapper": "1.2.2",
     "fhirpath": "^4.8.3",
     "fs-extra": "^11.3.3",
+    "ini": "^6.0.0",
     "inquirer": "^8.2.5",
     "liquidjs": "^10.24.0",
     "lusca": "^1.7.0",
@@ -116,4 +118,4 @@
     "url": "https://github.com/HealthIntersections/fhirsmith/issues"
   },
   "homepage": "https://github.com/HealthIntersections/fhirsmith#readme"
-}
+}

package/packages/packages.js

@@ -1721,10 +1721,10 @@ class PackagesModule {
             }
 
             const dependency = row.Dependency;
-            const hashIndex = dependency.indexOf('#');
-            if (hashIndex > 0) {
-              const depName = dependency.substring(0, hashIndex);
-              const depVersion = dependency.substring(hashIndex + 1);
+            const atIndex = dependency.indexOf('@');
+            if (atIndex > 0) {
+              const depName = dependency.substring(0, atIndex);
+              const depVersion = dependency.substring(atIndex + 1);
               deps[row.PackageVersionKey][depName] = depVersion;
             }
           }
@@ -2493,10 +2493,10 @@ class PackagesModule {
             }
 
             // Extract dependency name and version
-            const hashIndex = dependency.indexOf('#');
-            if (hashIndex > 0) {
-              const depName = dependency.substring(0, hashIndex);
-              const depVersion = dependency.substring(hashIndex + 1);
+            const atIndex = dependency.indexOf('@');
+            if (atIndex > 0) {
+              const depName = dependency.substring(0, atIndex);
+              const depVersion = dependency.substring(atIndex + 1);
               const depMajorMinor = this.getMajorMinorVersion(depVersion);
               const depRef = `${depName}#${depMajorMinor}`;