kuzzle 2.17.8 → 2.19.0

package/lib/api/request/kuzzleRequest.d.ts

@@ -258,6 +258,9 @@ export declare class KuzzleRequest {
     /**
      * Gets a parameter from a request arguments and checks that it is an array
      *
+     * If the request argument is a JSON String instead of an array, it will be parsed
+     * and returned if it is a valid JSON array, otherwise it will @throws {api.assert.invalid_type}.
+     *
      * @param name parameter name
      * @param def default value to return if the parameter is not set
      *
@@ -266,9 +269,29 @@ export declare class KuzzleRequest {
      * @throws {api.assert.invalid_type} If the fetched parameter is not an array
      */
     getArray(name: string, def?: [] | undefined): any[];
+    /**
+     * @deprecated do not use, Use getArray instead
+     *
+     * Gets a parameter from a request arguments and checks that it is an array
+     *
+     * If the request argument is a String instead of an array, it will be JSON parsed
+     * and returned if it is a valid JSON array, otherwise it will return the string splitted on `,`.
+     *
+     *
+     * @param name parameter name
+     * @param def default value to return if the parameter is not set
+     *
+     * @throws {api.assert.missing_argument} If parameter not found and no default
+     *                                       value provided
+     * @throws {api.assert.invalid_type} If the fetched parameter is not an array or a string
+     */
+    getArrayLegacy(name: string, def?: [] | undefined): any[];
     /**
      * Gets a parameter from a request arguments and checks that it is an object
      *
+     * If the request argument is a JSON String instead of an object, it will be parsed
+     * and returned if it is a valid JSON object, otherwise it will @throws {api.assert.invalid_type}.
+     *
      * @param name parameter name
      * @param def default value to return if the parameter is not set
      *
@@ -277,14 +300,39 @@ export declare class KuzzleRequest {
      * @throws {api.assert.invalid_type} If the fetched parameter is not an object
      */
     getObject(name: string, def?: JSONObject | undefined): JSONObject;
+    /**
+     * Gets a parameter from a request arguments and check with moment.js if the date is an ISO8601 format date
+     * or is valid regarding a given custom format (example : YYYY-MM-DD).
+     *
+     * @param name parameter name.
+     * @param format optional parameter to check if the date is valid regarding a format. If not set, the format checked
+     * is ISO8601.
+     * @throws {api.assert.missing_argument} If parameter not found and no default
+     *                                       value provided
+     * @throws {api.assert.invalid_type} If parameter value is not a valid date.
+     */
+    getDate(name: string, format?: string): string;
+    /**
+     * Gets a parameter from a request arguments and returns it to timestamp format.
+     *
+     * @param name parameter name.
+     * @throws {api.assert.missing_argument} If parameter not found and no default
+     *                                       value provided
+     * @throws {api.assert.invalid_type} If parameter value is not a valid date.
+     */
+    getTimestamp(name: string): number;
     /**
      * Returns the index specified in the request
      */
-    getIndex(): string;
+    getIndex({ required }?: {
+        required?: boolean;
+    }): string;
     /**
      * Returns the collection specified in the request
      */
-    getCollection(): string;
+    getCollection({ required }?: {
+        required?: boolean;
+    }): string;
     /**
      * Returns the index and collection specified in the request
      */
@@ -322,8 +370,8 @@ export declare class KuzzleRequest {
      */
     getUser(): User | null;
     /**
-    * Returns the search body query according to the http method
-    */
+     * Returns the search body query according to the http method
+     */
     getSearchBody(): JSONObject;
     /**
      * Returns the search params.
@@ -353,6 +401,7 @@ export declare class KuzzleRequest {
      * @param obj container object
      * @param name parameter name
      * @param errorName name to use in error messages
+     * @param querystring if true, the object is expected to be found in a querystring
      */
     private _getBoolean;
     /**
@@ -398,8 +447,13 @@ export declare class KuzzleRequest {
      * @param name parameter name
      * @param errorName name to use in error messages
      * @param def default value
+     * @param querystring if true, the object is expected to be found in a querystring
      */
     private _getObject;
+    /**
+     * Throw `missing_argument` when this one is required
+     */
+    private checkRequired;
 }
 export declare class Request extends KuzzleRequest {
 }

package/lib/api/request/kuzzleRequest.js

@@ -42,8 +42,14 @@ var __importStar = (this && this.__importStar) || function (mod) {
     __setModuleDefault(result, mod);
     return result;
 };
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.Request = exports.KuzzleRequest = void 0;
+const safeObject_1 = require("../../util/safeObject");
+const lodash_1 = require("lodash");
+const moment_1 = __importDefault(require("moment"));
 const uuid = __importStar(require("uuid"));
 const nanoid_1 = require("nanoid");
 const requestInput_1 = require("./requestInput");
@@ -53,8 +59,6 @@ const errors_1 = require("../../kerror/errors");
 const kerror = __importStar(require("../../kerror"));
 const types_1 = require("../../types");
 const assert = __importStar(require("../../util/assertType"));
-const safeObject_1 = require("../../util/safeObject");
-const lodash_1 = require("lodash");
 const assertionError = kerror.wrap('api', 'assert');
 // private properties
 // \u200b is a zero width space, used to masquerade console.log output
@@ -224,7 +228,9 @@ class KuzzleRequest {
         }
         this.status = options.status || 200;
         if (options.headers) {
-            this.response.setHeaders(options.headers);
+            this.response.configure({
+                headers: options.headers
+            });
         }
         if (options.raw !== undefined) {
             this.response.raw = options.raw;
@@ -461,7 +467,7 @@ class KuzzleRequest {
      * @param name parameter name
      */
     getBoolean(name) {
-        return this._getBoolean(this.input.args, name, name);
+        return this._getBoolean(this.input.args, name, name, true);
     }
     /**
      * Gets a parameter from a request arguments and checks that it is a number
@@ -505,6 +511,9 @@ class KuzzleRequest {
     /**
      * Gets a parameter from a request arguments and checks that it is an array
      *
+     * If the request argument is a JSON String instead of an array, it will be parsed
+     * and returned if it is a valid JSON array, otherwise it will @throws {api.assert.invalid_type}.
+     *
      * @param name parameter name
      * @param def default value to return if the parameter is not set
      *
@@ -513,11 +522,56 @@ class KuzzleRequest {
      * @throws {api.assert.invalid_type} If the fetched parameter is not an array
      */
     getArray(name, def = undefined) {
-        return this._getArray(this.input.args, name, name, def);
+        return this._getArray(this.input.args, name, name, def, true);
+    }
+    /**
+     * @deprecated do not use, Use getArray instead
+     *
+     * Gets a parameter from a request arguments and checks that it is an array
+     *
+     * If the request argument is a String instead of an array, it will be JSON parsed
+     * and returned if it is a valid JSON array, otherwise it will return the string splitted on `,`.
+     *
+     *
+     * @param name parameter name
+     * @param def default value to return if the parameter is not set
+     *
+     * @throws {api.assert.missing_argument} If parameter not found and no default
+     *                                       value provided
+     * @throws {api.assert.invalid_type} If the fetched parameter is not an array or a string
+     */
+    getArrayLegacy(name, def = undefined) {
+        const value = (0, lodash_1.get)(this.input.args, name, def);
+        if (value === undefined) {
+            throw assertionError.get('missing_argument', name);
+        }
+        if (Array.isArray(value)) {
+            return value;
+        }
+        if (typeof value !== 'string') {
+            throw assertionError.get('invalid_type', name, 'array');
+        }
+        // If we are using the HTTP protocol and we have a string instead of an Array
+        // we try to parse it as JSON
+        if (this.context.connection.protocol === 'http') {
+            try {
+                const parsedValue = JSON.parse(value);
+                if (Array.isArray(parsedValue)) {
+                    return parsedValue;
+                }
+            }
+            catch (e) {
+                // Do nothing, let the code continue
+            }
+        }
+        return value.split(',');
     }
     /**
      * Gets a parameter from a request arguments and checks that it is an object
      *
+     * If the request argument is a JSON String instead of an object, it will be parsed
+     * and returned if it is a valid JSON object, otherwise it will @throws {api.assert.invalid_type}.
+     *
      * @param name parameter name
      * @param def default value to return if the parameter is not set
      *
@@ -526,27 +580,65 @@ class KuzzleRequest {
      * @throws {api.assert.invalid_type} If the fetched parameter is not an object
      */
     getObject(name, def = undefined) {
-        return this._getObject(this.input.args, name, name, def);
+        return this._getObject(this.input.args, name, name, def, true);
+    }
+    /**
+     * Gets a parameter from a request arguments and check with moment.js if the date is an ISO8601 format date
+     * or is valid regarding a given custom format (example : YYYY-MM-DD).
+     *
+     * @param name parameter name.
+     * @param format optional parameter to check if the date is valid regarding a format. If not set, the format checked
+     * is ISO8601.
+     * @throws {api.assert.missing_argument} If parameter not found and no default
+     *                                       value provided
+     * @throws {api.assert.invalid_type} If parameter value is not a valid date.
+     */
+    getDate(name, format) {
+        const args = this.input.args;
+        if (args[name] === undefined) {
+            throw assertionError.get('missing_argument', name);
+        }
+        if (format && !(0, moment_1.default)(args[name], format, true).isValid()) {
+            throw assertionError.get('invalid_type', name, 'date');
+        }
+        if (!(0, moment_1.default)(args[name], moment_1.default.ISO_8601).isValid()) {
+            throw assertionError.get('invalid_type', name, 'date');
+        }
+        return this.getString(name);
+    }
+    /**
+     * Gets a parameter from a request arguments and returns it to timestamp format.
+     *
+     * @param name parameter name.
+     * @throws {api.assert.missing_argument} If parameter not found and no default
+     *                                       value provided
+     * @throws {api.assert.invalid_type} If parameter value is not a valid date.
+     */
+    getTimestamp(name) {
+        const args = this.input.args;
+        if (args[name] === undefined) {
+            throw assertionError.get('missing_argument', name);
+        }
+        if ((0, moment_1.default)(args[name], true).isValid() === false) {
+            throw assertionError.get('invalid_type', name, 'date');
+        }
+        return this.getInteger(name);
     }
     /**
      * Returns the index specified in the request
      */
-    getIndex() {
+    getIndex({ required = true } = {}) {
         const index = this.input.args.index;
-        if (!index) {
-            throw assertionError.get('missing_argument', 'index');
-        }
-        return index;
+        this.checkRequired(index, 'index', required);
+        return index ? String(index) : null;
     }
     /**
      * Returns the collection specified in the request
      */
-    getCollection() {
+    getCollection({ required = true } = {}) {
         const collection = this.input.args.collection;
-        if (!collection) {
-            throw assertionError.get('missing_argument', 'collection');
-        }
-        return collection;
+        this.checkRequired(collection, 'collection', required);
+        return collection ? String(collection) : null;
     }
     /**
      * Returns the index and collection specified in the request
@@ -603,7 +695,7 @@ class KuzzleRequest {
         if (typeof id !== 'string') {
             throw assertionError.get('invalid_type', '_id', 'string');
         }
-        return id;
+        return String(id);
     }
     /**
      * Returns the current user kuid
@@ -624,20 +716,14 @@ class KuzzleRequest {
         return null;
     }
     /**
-    * Returns the search body query according to the http method
-    */
+     * Returns the search body query according to the http method
+     */
     getSearchBody() {
         if (this.context.connection.protocol !== 'http'
             || this.context.connection.misc.verb !== 'GET') {
             return this.getBody({});
         }
-        const searchBody = this.getString('searchBody', '{}');
-        try {
-            return JSON.parse(searchBody);
-        }
-        catch (err) {
-            throw assertionError.get('invalid_argument', err.message);
-        }
+        return this.getObject('searchBody', {});
     }
     /**
      * Returns the search params.
@@ -690,16 +776,17 @@ class KuzzleRequest {
      * @param obj container object
      * @param name parameter name
      * @param errorName name to use in error messages
+     * @param querystring if true, the object is expected to be found in a querystring
      */
-    _getBoolean(obj, name, errorName) {
+    _getBoolean(obj, name, errorName, querystring = false) {
         let value = (0, lodash_1.get)(obj, name);
         // In HTTP, booleans are flags: if it's in the querystring, it's set,
         // whatever its value.
         // If a user needs to unset the option, they need to remove it from the
         // querystring.
-        if (this.context.connection.protocol === 'http') {
+        if (this.context.connection.protocol === 'http' && querystring) {
             value = value !== undefined;
-            obj[name] = value;
+            (0, lodash_1.set)(obj, name, value);
         }
         else if (value === undefined || value === null) {
             value = false;
@@ -776,12 +863,30 @@ class KuzzleRequest {
      * @param errorName name to use in error messages
      * @param def default value
      */
-    _getArray(obj, name, errorName, def = undefined) {
+    _getArray(obj, name, errorName, def = undefined, querystring = false) {
         const value = (0, lodash_1.get)(obj, name, def);
         if (value === undefined) {
             throw assertionError.get('missing_argument', errorName);
         }
         if (!Array.isArray(value)) {
+            // If we are using the HTTP protocol and we have a string instead of an Array
+            // we try to parse it as JSON
+            if (this.context.connection.protocol === 'http'
+                && querystring
+                && typeof value === 'string') {
+                try {
+                    const parsedValue = JSON.parse(value);
+                    if (Array.isArray(parsedValue)) {
+                        // Replace the value with the parsed value
+                        // This way subsequent calls to this function will return the parsed value directly
+                        (0, lodash_1.set)(obj, name, parsedValue);
+                        return parsedValue;
+                    }
+                }
+                catch (e) {
+                    // Do nothing, let the error be thrown below
+                }
+            }
             throw assertionError.get('invalid_type', errorName, 'array');
         }
         return value;
@@ -793,17 +898,44 @@ class KuzzleRequest {
      * @param name parameter name
      * @param errorName name to use in error messages
      * @param def default value
+     * @param querystring if true, the object is expected to be found in a querystring
      */
-    _getObject(obj, name, errorName, def = undefined) {
+    _getObject(obj, name, errorName, def = undefined, querystring = false) {
         const value = (0, lodash_1.get)(obj, name, def);
         if (value === undefined) {
             throw assertionError.get('missing_argument', errorName);
         }
         if (!(0, safeObject_1.isPlainObject)(value)) {
+            // If we are using the HTTP protocol and we have a string instead of an Array
+            // we try to parse it as JSON
+            if (this.context.connection.protocol === 'http'
+                && querystring
+                && typeof value === 'string') {
+                try {
+                    const parsedValue = JSON.parse(value);
+                    if ((0, safeObject_1.isPlainObject)(parsedValue)) {
+                        // Replace the value with the parsed value
+                        // This way subsequent calls to this function will return the parsed value directly
+                        (0, lodash_1.set)(obj, name, parsedValue);
+                        return parsedValue;
+                    }
+                }
+                catch (e) {
+                    // Do nothing, let the error be thrown below
+                }
+            }
             throw assertionError.get('invalid_type', errorName, 'object');
         }
         return value;
     }
+    /**
+     * Throw `missing_argument` when this one is required
+     */
+    checkRequired(arg, argName, required) {
+        if (required && !arg) {
+            throw assertionError.get('missing_argument', argName);
+        }
+    }
 }
 exports.KuzzleRequest = KuzzleRequest;
 class Request extends KuzzleRequest {

package/lib/api/request/requestResponse.js

@@ -49,6 +49,11 @@ const assert = __importStar(require("../../util/assertType"));
 // \u200b is a zero width space, used to masquerade console.log output
 const _request = 'request\u200b';
 const _headers = 'headers\u200b';
+const _userHeaders = 'userHeaders\u200b'; // List of headers to be sent in the response
+// List of headers that should not be present in the body of the response
+const restrictedHeaders = [
+    'set-cookie',
+];
 class Headers {
     constructor() {
         this.namesMap = new Map();
@@ -150,6 +155,7 @@ class RequestResponse {
         this.raw = false;
         this[_request] = request;
         this[_headers] = new Headers();
+        this[_userHeaders] = new Set();
         Object.seal(this);
     }
     /**
@@ -254,6 +260,9 @@ class RequestResponse {
     configure(options = {}) {
         if (options.headers) {
             this.setHeaders(options.headers);
+            for (const key of Object.keys(options.headers)) {
+                this[_userHeaders].add(key.toLowerCase());
+            }
         }
         if (options.status) {
             this.status = options.status;
@@ -316,6 +325,21 @@ class RequestResponse {
                 status: this.status,
             };
         }
+        const filteredHeaders = {};
+        for (const name of this[_userHeaders]) {
+            filteredHeaders[name] = this.getHeader(name);
+        }
+        /**
+         * Remove headers that are not allowed to be sent to the client in the response's body
+         * For example "set-cookie" headers should only be visible by the browser,
+         * otherwise they may leak information about the server's cookies, since the browser will
+         * not be able to restrict them to the domain of the request.
+        */
+        for (const header of restrictedHeaders) {
+            if (filteredHeaders[header] !== undefined) {
+                filteredHeaders[header] = undefined;
+            }
+        }
         return {
             content: {
                 action: this.action,
@@ -323,6 +347,7 @@ class RequestResponse {
                 controller: this.controller,
                 deprecations: this.deprecations,
                 error: this.error,
+                headers: filteredHeaders,
                 index: this.index,
                 node: this.node,
                 requestId: this.requestId,

package/lib/cluster/idCardHandler.js

@@ -98,7 +98,7 @@ class ClusterIdCardHandler {
     async createIdCard() {
         let reserved = false;
         do {
-            this.nodeId = (0, name_generator_1.generateRandomName)('knode');
+            this.nodeId = name_generator_1.NameGenerator.generateRandomName({ prefix: 'knode' });
             this.nodeIdKey = `${REDIS_PREFIX}${this.nodeId}`;
             this.idCard = new IdCard({
                 birthdate: Date.now(),

package/lib/config/default.config.js

@@ -105,6 +105,9 @@ const defaultConfig = {
         }
     },
     security: {
+        debug: {
+            native_debug_protocol: false
+        },
         restrictedProfileIds: ['default'],
         jwt: {
             algorithm: 'HS256',

package/lib/config/documentEventAliases.d.ts

@@ -0,0 +1,7 @@
+interface EventAliases {
+    list: Record<string, unknown>;
+    namespace: string;
+    notBefore: string[];
+}
+export declare const documentEventAliases: EventAliases;
+export {};

package/lib/config/documentEventAliases.js

@@ -1,3 +1,4 @@
+"use strict";
 /*
  * Kuzzle, a backend software, self-hostable and ready to use
  * to power modern apps
@@ -18,16 +19,29 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-
-'use strict';
-
-module.exports = {
-  list: {
-    'delete': ['delete', 'deleteByQuery', 'mDelete'],
-    'get': ['get', 'mGet', 'search'],
-    'update': ['update', 'mUpdate', 'updateByQuery', 'upsert'],
-    'write': ['create', 'createOrReplace', 'mCreate', 'mCreateOrReplace', 'mReplace', 'replace']
-  },
-  namespace: 'generic:document',
-  notBefore: ['search', 'deleteByQuery', 'updateByQuery'],
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
 };
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.documentEventAliases = void 0;
+const documentController_1 = __importDefault(require("../api/controllers/documentController"));
+function filter(obj, expectValue) {
+    const result = [];
+    for (const [action, event] of Object.entries(obj)) {
+        if (event === expectValue) {
+            result.push(action);
+        }
+    }
+    return result;
+}
+exports.documentEventAliases = {
+    list: {
+        delete: filter(documentController_1.default.actions, 'delete'),
+        get: filter(documentController_1.default.actions, 'get'),
+        update: filter(documentController_1.default.actions, 'update'),
+        write: filter(documentController_1.default.actions, 'write'),
+    },
+    namespace: 'generic:document',
+    notBefore: ['search', 'deleteByQuery', 'updateByQuery', 'export'],
+};
+//# sourceMappingURL=documentEventAliases.js.map

package/lib/core/backend/backend.d.ts

@@ -168,6 +168,10 @@ export declare class Backend {
      * EmbeddedSDK instance
      */
     get sdk(): EmbeddedSDK;
+    /**
+     * Cluster node ID
+     */
+    get nodeId(): string;
     private get _instanceProxy();
     /**
      * Try to read the current commit hash.

package/lib/core/backend/backend.js

@@ -243,6 +243,15 @@ class Backend {
         }
         return this._sdk;
     }
+    /**
+     * Cluster node ID
+     */
+    get nodeId() {
+        if (!this.started) {
+            throw runtimeError.get('unavailable_before_start', 'nodeId');
+        }
+        return this._kuzzle.id;
+    }
     get _instanceProxy() {
         return {
             api: this._controllers,

package/lib/core/backend/backendController.d.ts

@@ -86,5 +86,11 @@ export declare class BackendController extends ApplicationManager {
      * @param controller Controller class
      */
     use(controller: Controller): void;
-    private _add;
+    /**
+     * Adds the controller definition to the list of application controllers.
+     *
+     * This method also check if the definition is valid to throw with a stacktrace
+     * beginning on the user code adding the controller.
+     */
+    private add;
 }

package/lib/core/backend/backendController.js

@@ -42,11 +42,15 @@ var __importStar = (this && this.__importStar) || function (mod) {
     __setModuleDefault(result, mod);
     return result;
 };
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.BackendController = void 0;
 const inflector_1 = require("../../util/inflector");
 const kerror = __importStar(require("../../kerror"));
 const index_1 = require("./index");
+const plugin_1 = __importDefault(require("../plugin/plugin"));
 const assertionError = kerror.wrap('plugin', 'assert');
 const runtimeError = kerror.wrap('plugin', 'runtime');
 class BackendController extends index_1.ApplicationManager {
@@ -74,7 +78,8 @@ class BackendController extends index_1.ApplicationManager {
         if (this._application.started) {
             throw runtimeError.get('already_started', 'controller');
         }
-        this._add(name, definition);
+        plugin_1.default.checkControllerDefinition(name, definition);
+        this.add(name, definition);
     }
     /**
      * Uses a new controller class.
@@ -147,6 +152,7 @@ class BackendController extends index_1.ApplicationManager {
             controller.name = inflector_1.Inflector.kebabCase(controller.constructor.name)
                 .replace('-controller', '');
         }
+        plugin_1.default.checkControllerDefinition(controller.name, controller.definition);
         for (const [action, definition] of Object.entries(controller.definition.actions)) {
             if (typeof definition.handler !== 'function') {
                 throw assertionError.get('invalid_controller_definition', controller.name, `Handler for action "${action}" is not a function.`);
@@ -158,9 +164,15 @@ class BackendController extends index_1.ApplicationManager {
                 definition.handler = definition.handler.bind(controller);
             }
         }
-        this._add(controller.name, controller.definition);
+        this.add(controller.name, controller.definition);
     }
-    _add(name, definition) {
+    /**
+     * Adds the controller definition to the list of application controllers.
+     *
+     * This method also check if the definition is valid to throw with a stacktrace
+     * beginning on the user code adding the controller.
+     */
+    add(name, definition) {
         if (this._application._controllers[name]) {
             throw assertionError.get('invalid_controller_definition', name, 'A controller with this name already exists');
         }