kuzzle 2.18.0 → 2.19.1

package/lib/api/request/kuzzleRequest.js

@@ -228,7 +228,9 @@ class KuzzleRequest {
         }
         this.status = options.status || 200;
         if (options.headers) {
-            this.response.setHeaders(options.headers);
+            this.response.configure({
+                headers: options.headers
+            });
         }
         if (options.raw !== undefined) {
             this.response.raw = options.raw;
@@ -465,7 +467,7 @@ class KuzzleRequest {
      * @param name parameter name
      */
     getBoolean(name) {
-        return this._getBoolean(this.input.args, name, name);
+        return this._getBoolean(this.input.args, name, name, true);
     }
     /**
      * Gets a parameter from a request arguments and checks that it is a number
@@ -509,6 +511,9 @@ class KuzzleRequest {
     /**
      * Gets a parameter from a request arguments and checks that it is an array
      *
+     * If the request argument is a JSON String instead of an array, it will be parsed
+     * and returned if it is a valid JSON array, otherwise it will @throws {api.assert.invalid_type}.
+     *
      * @param name parameter name
      * @param def default value to return if the parameter is not set
      *
@@ -517,11 +522,56 @@ class KuzzleRequest {
      * @throws {api.assert.invalid_type} If the fetched parameter is not an array
      */
     getArray(name, def = undefined) {
-        return this._getArray(this.input.args, name, name, def);
+        return this._getArray(this.input.args, name, name, def, true);
+    }
+    /**
+     * @deprecated do not use, Use getArray instead
+     *
+     * Gets a parameter from a request arguments and checks that it is an array
+     *
+     * If the request argument is a String instead of an array, it will be JSON parsed
+     * and returned if it is a valid JSON array, otherwise it will return the string splitted on `,`.
+     *
+     *
+     * @param name parameter name
+     * @param def default value to return if the parameter is not set
+     *
+     * @throws {api.assert.missing_argument} If parameter not found and no default
+     *                                       value provided
+     * @throws {api.assert.invalid_type} If the fetched parameter is not an array or a string
+     */
+    getArrayLegacy(name, def = undefined) {
+        const value = (0, lodash_1.get)(this.input.args, name, def);
+        if (value === undefined) {
+            throw assertionError.get('missing_argument', name);
+        }
+        if (Array.isArray(value)) {
+            return value;
+        }
+        if (typeof value !== 'string') {
+            throw assertionError.get('invalid_type', name, 'array');
+        }
+        // If we are using the HTTP protocol and we have a string instead of an Array
+        // we try to parse it as JSON
+        if (this.context.connection.protocol === 'http') {
+            try {
+                const parsedValue = JSON.parse(value);
+                if (Array.isArray(parsedValue)) {
+                    return parsedValue;
+                }
+            }
+            catch (e) {
+                // Do nothing, let the code continue
+            }
+        }
+        return value.split(',');
     }
     /**
      * Gets a parameter from a request arguments and checks that it is an object
      *
+     * If the request argument is a JSON String instead of an object, it will be parsed
+     * and returned if it is a valid JSON object, otherwise it will @throws {api.assert.invalid_type}.
+     *
      * @param name parameter name
      * @param def default value to return if the parameter is not set
      *
@@ -530,7 +580,7 @@ class KuzzleRequest {
      * @throws {api.assert.invalid_type} If the fetched parameter is not an object
      */
     getObject(name, def = undefined) {
-        return this._getObject(this.input.args, name, name, def);
+        return this._getObject(this.input.args, name, name, def, true);
     }
     /**
      * Gets a parameter from a request arguments and check with moment.js if the date is an ISO8601 format date
@@ -577,22 +627,18 @@ class KuzzleRequest {
     /**
      * Returns the index specified in the request
      */
-    getIndex() {
+    getIndex({ required = true } = {}) {
         const index = this.input.args.index;
-        if (!index) {
-            throw assertionError.get('missing_argument', 'index');
-        }
-        return index;
+        this.checkRequired(index, 'index', required);
+        return index ? String(index) : null;
     }
     /**
      * Returns the collection specified in the request
      */
-    getCollection() {
+    getCollection({ required = true } = {}) {
         const collection = this.input.args.collection;
-        if (!collection) {
-            throw assertionError.get('missing_argument', 'collection');
-        }
-        return collection;
+        this.checkRequired(collection, 'collection', required);
+        return collection ? String(collection) : null;
     }
     /**
      * Returns the index and collection specified in the request
@@ -649,7 +695,7 @@ class KuzzleRequest {
         if (typeof id !== 'string') {
             throw assertionError.get('invalid_type', '_id', 'string');
         }
-        return id;
+        return String(id);
     }
     /**
      * Returns the current user kuid
@@ -670,20 +716,14 @@ class KuzzleRequest {
         return null;
     }
     /**
-    * Returns the search body query according to the http method
-    */
+     * Returns the search body query according to the http method
+     */
     getSearchBody() {
         if (this.context.connection.protocol !== 'http'
             || this.context.connection.misc.verb !== 'GET') {
             return this.getBody({});
         }
-        const searchBody = this.getString('searchBody', '{}');
-        try {
-            return JSON.parse(searchBody);
-        }
-        catch (err) {
-            throw assertionError.get('invalid_argument', err.message);
-        }
+        return this.getObject('searchBody', {});
     }
     /**
      * Returns the search params.
@@ -736,16 +776,17 @@ class KuzzleRequest {
      * @param obj container object
      * @param name parameter name
      * @param errorName name to use in error messages
+     * @param querystring if true, the object is expected to be found in a querystring
      */
-    _getBoolean(obj, name, errorName) {
+    _getBoolean(obj, name, errorName, querystring = false) {
         let value = (0, lodash_1.get)(obj, name);
         // In HTTP, booleans are flags: if it's in the querystring, it's set,
         // whatever its value.
         // If a user needs to unset the option, they need to remove it from the
         // querystring.
-        if (this.context.connection.protocol === 'http') {
+        if (this.context.connection.protocol === 'http' && querystring) {
             value = value !== undefined;
-            obj[name] = value;
+            (0, lodash_1.set)(obj, name, value);
         }
         else if (value === undefined || value === null) {
             value = false;
@@ -822,12 +863,30 @@ class KuzzleRequest {
      * @param errorName name to use in error messages
      * @param def default value
      */
-    _getArray(obj, name, errorName, def = undefined) {
+    _getArray(obj, name, errorName, def = undefined, querystring = false) {
         const value = (0, lodash_1.get)(obj, name, def);
         if (value === undefined) {
             throw assertionError.get('missing_argument', errorName);
         }
         if (!Array.isArray(value)) {
+            // If we are using the HTTP protocol and we have a string instead of an Array
+            // we try to parse it as JSON
+            if (this.context.connection.protocol === 'http'
+                && querystring
+                && typeof value === 'string') {
+                try {
+                    const parsedValue = JSON.parse(value);
+                    if (Array.isArray(parsedValue)) {
+                        // Replace the value with the parsed value
+                        // This way subsequent calls to this function will return the parsed value directly
+                        (0, lodash_1.set)(obj, name, parsedValue);
+                        return parsedValue;
+                    }
+                }
+                catch (e) {
+                    // Do nothing, let the error be thrown below
+                }
+            }
             throw assertionError.get('invalid_type', errorName, 'array');
         }
         return value;
@@ -839,17 +898,44 @@ class KuzzleRequest {
      * @param name parameter name
      * @param errorName name to use in error messages
      * @param def default value
+     * @param querystring if true, the object is expected to be found in a querystring
      */
-    _getObject(obj, name, errorName, def = undefined) {
+    _getObject(obj, name, errorName, def = undefined, querystring = false) {
         const value = (0, lodash_1.get)(obj, name, def);
         if (value === undefined) {
             throw assertionError.get('missing_argument', errorName);
         }
         if (!(0, safeObject_1.isPlainObject)(value)) {
+            // If we are using the HTTP protocol and we have a string instead of an Array
+            // we try to parse it as JSON
+            if (this.context.connection.protocol === 'http'
+                && querystring
+                && typeof value === 'string') {
+                try {
+                    const parsedValue = JSON.parse(value);
+                    if ((0, safeObject_1.isPlainObject)(parsedValue)) {
+                        // Replace the value with the parsed value
+                        // This way subsequent calls to this function will return the parsed value directly
+                        (0, lodash_1.set)(obj, name, parsedValue);
+                        return parsedValue;
+                    }
+                }
+                catch (e) {
+                    // Do nothing, let the error be thrown below
+                }
+            }
             throw assertionError.get('invalid_type', errorName, 'object');
         }
         return value;
     }
+    /**
+     * Throw `missing_argument` when this one is required
+     */
+    checkRequired(arg, argName, required) {
+        if (required && !arg) {
+            throw assertionError.get('missing_argument', argName);
+        }
+    }
 }
 exports.KuzzleRequest = KuzzleRequest;
 class Request extends KuzzleRequest {

package/lib/api/request/requestResponse.js

@@ -49,6 +49,11 @@ const assert = __importStar(require("../../util/assertType"));
 // \u200b is a zero width space, used to masquerade console.log output
 const _request = 'request\u200b';
 const _headers = 'headers\u200b';
+const _userHeaders = 'userHeaders\u200b'; // List of headers to be sent in the response
+// List of headers that should not be present in the body of the response
+const restrictedHeaders = [
+    'set-cookie',
+];
 class Headers {
     constructor() {
         this.namesMap = new Map();
@@ -150,6 +155,7 @@ class RequestResponse {
         this.raw = false;
         this[_request] = request;
         this[_headers] = new Headers();
+        this[_userHeaders] = new Set();
         Object.seal(this);
     }
     /**
@@ -254,6 +260,9 @@ class RequestResponse {
     configure(options = {}) {
         if (options.headers) {
             this.setHeaders(options.headers);
+            for (const key of Object.keys(options.headers)) {
+                this[_userHeaders].add(key.toLowerCase());
+            }
         }
         if (options.status) {
             this.status = options.status;
@@ -316,6 +325,21 @@ class RequestResponse {
                 status: this.status,
             };
         }
+        const filteredHeaders = {};
+        for (const name of this[_userHeaders]) {
+            filteredHeaders[name] = this.getHeader(name);
+        }
+        /**
+         * Remove headers that are not allowed to be sent to the client in the response's body
+         * For example "set-cookie" headers should only be visible by the browser,
+         * otherwise they may leak information about the server's cookies, since the browser will
+         * not be able to restrict them to the domain of the request.
+        */
+        for (const header of restrictedHeaders) {
+            if (filteredHeaders[header] !== undefined) {
+                filteredHeaders[header] = undefined;
+            }
+        }
         return {
             content: {
                 action: this.action,
@@ -323,6 +347,7 @@ class RequestResponse {
                 controller: this.controller,
                 deprecations: this.deprecations,
                 error: this.error,
+                headers: filteredHeaders,
                 index: this.index,
                 node: this.node,
                 requestId: this.requestId,

package/lib/cluster/idCardHandler.js

@@ -98,7 +98,7 @@ class ClusterIdCardHandler {
     async createIdCard() {
         let reserved = false;
         do {
-            this.nodeId = (0, name_generator_1.generateRandomName)('knode');
+            this.nodeId = name_generator_1.NameGenerator.generateRandomName({ prefix: 'knode' });
             this.nodeIdKey = `${REDIS_PREFIX}${this.nodeId}`;
             this.idCard = new IdCard({
                 birthdate: Date.now(),

package/lib/config/default.config.js

@@ -105,6 +105,9 @@ const defaultConfig = {
         }
     },
     security: {
+        debug: {
+            native_debug_protocol: false
+        },
         restrictedProfileIds: ['default'],
         jwt: {
             algorithm: 'HS256',

package/lib/config/documentEventAliases.d.ts

@@ -0,0 +1,7 @@
+interface EventAliases {
+    list: Record<string, unknown>;
+    namespace: string;
+    notBefore: string[];
+}
+export declare const documentEventAliases: EventAliases;
+export {};

package/lib/config/documentEventAliases.js

@@ -1,3 +1,4 @@
+"use strict";
 /*
  * Kuzzle, a backend software, self-hostable and ready to use
  * to power modern apps
@@ -18,16 +19,29 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-
-'use strict';
-
-module.exports = {
-  list: {
-    'delete': ['delete', 'deleteByQuery', 'mDelete'],
-    'get': ['get', 'mGet', 'search'],
-    'update': ['update', 'mUpdate', 'updateByQuery', 'upsert'],
-    'write': ['create', 'createOrReplace', 'mCreate', 'mCreateOrReplace', 'mReplace', 'replace']
-  },
-  namespace: 'generic:document',
-  notBefore: ['search', 'deleteByQuery', 'updateByQuery'],
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
 };
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.documentEventAliases = void 0;
+const documentController_1 = __importDefault(require("../api/controllers/documentController"));
+function filter(obj, expectValue) {
+    const result = [];
+    for (const [action, event] of Object.entries(obj)) {
+        if (event === expectValue) {
+            result.push(action);
+        }
+    }
+    return result;
+}
+exports.documentEventAliases = {
+    list: {
+        delete: filter(documentController_1.default.actions, 'delete'),
+        get: filter(documentController_1.default.actions, 'get'),
+        update: filter(documentController_1.default.actions, 'update'),
+        write: filter(documentController_1.default.actions, 'write'),
+    },
+    namespace: 'generic:document',
+    notBefore: ['search', 'deleteByQuery', 'updateByQuery', 'export'],
+};
+//# sourceMappingURL=documentEventAliases.js.map

package/lib/core/backend/backend.d.ts

@@ -168,6 +168,10 @@ export declare class Backend {
      * EmbeddedSDK instance
      */
     get sdk(): EmbeddedSDK;
+    /**
+     * Cluster node ID
+     */
+    get nodeId(): string;
     private get _instanceProxy();
     /**
      * Try to read the current commit hash.

package/lib/core/backend/backend.js

@@ -243,6 +243,15 @@ class Backend {
         }
         return this._sdk;
     }
+    /**
+     * Cluster node ID
+     */
+    get nodeId() {
+        if (!this.started) {
+            throw runtimeError.get('unavailable_before_start', 'nodeId');
+        }
+        return this._kuzzle.id;
+    }
     get _instanceProxy() {
         return {
             api: this._controllers,

package/lib/core/backend/backendController.d.ts

@@ -86,5 +86,11 @@ export declare class BackendController extends ApplicationManager {
      * @param controller Controller class
      */
     use(controller: Controller): void;
-    private _add;
+    /**
+     * Adds the controller definition to the list of application controllers.
+     *
+     * This method also check if the definition is valid to throw with a stacktrace
+     * beginning on the user code adding the controller.
+     */
+    private add;
 }

package/lib/core/backend/backendController.js

@@ -42,11 +42,15 @@ var __importStar = (this && this.__importStar) || function (mod) {
     __setModuleDefault(result, mod);
     return result;
 };
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.BackendController = void 0;
 const inflector_1 = require("../../util/inflector");
 const kerror = __importStar(require("../../kerror"));
 const index_1 = require("./index");
+const plugin_1 = __importDefault(require("../plugin/plugin"));
 const assertionError = kerror.wrap('plugin', 'assert');
 const runtimeError = kerror.wrap('plugin', 'runtime');
 class BackendController extends index_1.ApplicationManager {
@@ -74,7 +78,8 @@ class BackendController extends index_1.ApplicationManager {
         if (this._application.started) {
             throw runtimeError.get('already_started', 'controller');
         }
-        this._add(name, definition);
+        plugin_1.default.checkControllerDefinition(name, definition);
+        this.add(name, definition);
     }
     /**
      * Uses a new controller class.
@@ -147,6 +152,7 @@ class BackendController extends index_1.ApplicationManager {
             controller.name = inflector_1.Inflector.kebabCase(controller.constructor.name)
                 .replace('-controller', '');
         }
+        plugin_1.default.checkControllerDefinition(controller.name, controller.definition);
         for (const [action, definition] of Object.entries(controller.definition.actions)) {
             if (typeof definition.handler !== 'function') {
                 throw assertionError.get('invalid_controller_definition', controller.name, `Handler for action "${action}" is not a function.`);
@@ -158,9 +164,15 @@ class BackendController extends index_1.ApplicationManager {
                 definition.handler = definition.handler.bind(controller);
             }
         }
-        this._add(controller.name, controller.definition);
+        this.add(controller.name, controller.definition);
     }
-    _add(name, definition) {
+    /**
+     * Adds the controller definition to the list of application controllers.
+     *
+     * This method also check if the definition is valid to throw with a stacktrace
+     * beginning on the user code adding the controller.
+     */
+    add(name, definition) {
         if (this._application._controllers[name]) {
             throw assertionError.get('invalid_controller_definition', name, 'A controller with this name already exists');
         }

package/lib/core/network/protocols/httpwsProtocol.js

@@ -256,10 +256,15 @@ class HttpWsProtocol extends Protocol {
   }
 
   wsOnUpgradeHandler (res, req, context) {
+    const headers = {};
+    // Extract headers from uWS request
+    req.forEach((header, value) => {
+      headers[header] = value;
+    });
+
     res.upgrade(
       {
-        cookie: req.getHeader('cookie'),
-        origin: req.getHeader('origin'),
+        headers,
       },
       req.getHeader('sec-websocket-key'),
       req.getHeader('sec-websocket-protocol'),
@@ -273,10 +278,7 @@ class HttpWsProtocol extends Protocol {
     const connection = new ClientConnection(
       this.name,
       [ip],
-      {
-        cookie: socket.cookie,
-        origin: socket.origin
-      }
+      socket.headers
     );
 
     this.entryPoint.newConnection(connection);
@@ -553,10 +555,16 @@ class HttpWsProtocol extends Protocol {
     if (type.includes('multipart/form-data')) {
       const parts = uWS.getParts(content, message.headers['content-type']);
       message.content = {};
+      
+      if (! parts) {
+        cb();
+        return;
+      }
 
       for (const part of parts) {
         if (part.data.byteLength > this.maxFormFileSize) {
           cb(HTTP_FILE_TOO_LARGE_ERROR);
+          return;
         }
 
         if (part.filename) {

package/lib/core/plugin/plugin.js

@@ -300,6 +300,13 @@ class Plugin {
         'Controller definition must be an object');
     }
 
+    if (! isPlainObject(definition.actions)) {
+      throw assertionError.get(
+        'invalid_controller_definition',
+        name,
+        'Controller definition "actions" property must be an object');
+    }
+
     for (const [action, actionDefinition] of Object.entries(definition.actions)) {
       const actionProperties = Object.keys(actionDefinition);
 

package/lib/core/shared/sdk/embeddedSdk.d.ts

@@ -6,7 +6,7 @@ interface EmbeddedRealtime extends RealtimeController {
      * and, optionally, user events matching the provided filters will generate
      * real-time notifications.
      *
-     * @see https://docs.kuzzle.io/core/2/guides/main-concepts/6-realtime-engine/
+     * @see https://docs.kuzzle.io/core/2/guides/main-concepts/realtime-engine/
      *
      * @param index Index name
      * @param collection Collection name

package/lib/core/shared/sdk/embeddedSdk.js

@@ -48,11 +48,36 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.EmbeddedSDK = void 0;
 const kuzzle_sdk_1 = require("kuzzle-sdk");
+const lodash_1 = __importDefault(require("lodash"));
 const funnelProtocol_1 = require("./funnelProtocol");
 const safeObject_1 = require("../../../util/safeObject");
 const kerror = __importStar(require("../../../kerror"));
 const impersonatedSdk_1 = __importDefault(require("./impersonatedSdk"));
 const contextError = kerror.wrap('plugin', 'context');
+const forbiddenEmbeddedActions = {
+    'auth': new Set([
+        'checkRights',
+        'createApiKey',
+        'createMyCredentials',
+        'credentialsExist',
+        'deleteApiKey',
+        'getCurrentUser',
+        'getMyCredentials',
+        'getMyRights',
+        'getStrategies',
+        'logout',
+        'refreshToken',
+        'searchApiKeys',
+        'updateMyCredentials',
+        'updateSelf',
+        'validateMyCredentials',
+    ]),
+};
+const warnEmbeddedActions = {
+    'auth': {
+        'login': 'EmbeddedSDK.login is deprecated, use user impersonation instead',
+    }
+};
 /**
  * Kuzzle embedded SDK to make API calls inside applications or plugins.
  */
@@ -91,6 +116,14 @@ class EmbeddedSDK extends kuzzle_sdk_1.Kuzzle {
                 ? false
                 : options.propagate;
         }
+        if (forbiddenEmbeddedActions[request.controller] !== undefined
+            && forbiddenEmbeddedActions[request.controller].has(request.action)) {
+            throw kerror.get('api', 'process', 'forbidden_embedded_sdk_action', request.controller, request.action, ', use user impersonation or security controller instead');
+        }
+        const warning = lodash_1.default.get(warnEmbeddedActions, [request.controller, request.action]);
+        if (warning) {
+            global.kuzzle.log.warn(warning);
+        }
         return super.query(request, options);
     }
 }

package/lib/kerror/codes/0-core.json

@@ -154,6 +154,41 @@
           "class": "GatewayTimeoutError"
         }
       }
+    },
+    "debugger": {
+      "code": 5,
+      "errors": {
+        "not_enabled": {
+          "description": "The debugger is not enabled",
+          "code": 1,
+          "message": "Debugger is not enabled",
+          "class": "PreconditionError"
+        },
+        "monitor_already_running": {
+          "description": "The monitor is already running",
+          "code": 2,
+          "message": "The monitoring of \"%s\" is already running",
+          "class": "PreconditionError"
+        },
+        "monitor_not_running": {
+          "description": "The monitor is not running",
+          "code": 3,
+          "message": "The monitoring of \"%s\" is not running",
+          "class": "PreconditionError"
+        },
+        "native_debug_protocol_usage_denied": {
+          "description": "Usage of the native debug protocol is not allowed",
+          "code": 4,
+          "message": "Usage of the native debug protocol is not allowed",
+          "class": "PreconditionError"
+        },
+        "method_not_found": {
+          "description": "Debugger method not found",
+          "code": 5,
+          "message": "Debugger method \"%s\" not found.",
+          "class": "PreconditionError"
+        }
+      }
     }
   }
 }

package/lib/kerror/codes/2-api.json

@@ -182,6 +182,12 @@
           "code": 13,
           "message": "Rejected: Too many login attempts per second",
           "class": "TooManyRequestsError"
+        },
+        "forbidden_embedded_sdk_action": {
+          "description": "A forbidden EmbdeddedSDK action has been called",
+          "code": 14,
+          "message": "The action %s:%s has been called while it is forbidden in the EmbeddedSDK%s.",
+          "class": "PluginImplementationError"
         }
       }
     }

package/lib/kuzzle/kuzzle.d.ts

@@ -1 +1 @@
-export {};
+export declare const BACKEND_IMPORT_KEY = "backend:init:import";