nitro-web 0.0.165 → 0.0.167

package/client/app.tsx

@@ -219,14 +219,10 @@ function getRouter({ settings, config }: { settings: Settings, config: Config })
             }
             for (const key of route.middleware) {
               const error = settings.middleware[key](route, exposedStoreData || {})
+              // Note: the redirect uses the new pathname for query string values, e.g. '?example=value'. We also can't use the 
+              // current pathname, as this doesn't exist on page refresh.
               if (error && error.redirect) {
-                // Redirect() will use the new pathname instead of the current one for values without a pathname causing guard 
-                // redirect loops! We assume these query string redirects are intended to be relative to the current path.
-                if (error.redirect.startsWith('?')) {
-                  return redirect(window.location.pathname + error.redirect)
-                } else {
-                  return redirect(error.redirect)
-                }
+                return redirect(error.redirect)
               }
             }
             return null
@@ -286,7 +282,7 @@ function catchRedirectLoop(request: Request, routeName: string) {
     lastRedirectTimesForSameUrl.push(Date.now())
     if (lastRedirectTimesForSameUrl.length > 5 && (Date.now() < lastRedirectTime + 100)) {
       throw new Error(
-        `Nitro: A redirect loop has been detected for route '${routeName}'. This ismost likely due to a redirect loop caused by your middleware.`
+        `Nitro: A redirect loop has been detected for route '${routeName}'. This is most likely due to a redirect loop caused by your middleware. Consider triggered by redirect values without a pathname, e.g. '?example=value'.`
       )
     }
   } else {

package/client/store.ts

@@ -39,9 +39,9 @@ function beforeUpdate<T extends Store>(newStore: T) {
     delete newStore.jwt
   }
 
-  // E.g. Cookie matching handy for rare issues, e.g. signout > signin (to a different user on another tab)
+  // Send the requesting user id in the headers for the server to check (see, ./server/router.js:isValidUser() for more details)
   if (newStore?.user?._id) {
-    axios().defaults.headers.authid = newStore?.user?._id
+    axios().defaults.headers.requestingUserId = newStore?.user?._id
   }
   return newStore
 }

package/components/partials/not-found.tsx

@@ -1,7 +1,11 @@
 export function NotFound() {
   return (
-    <div class="pt-14 text-center" style={{'minHeight': '300px'}}>
-      Sorry, nothing found.
+    <div style={{'minHeight': '300px'}}>
+      <span class="h1">Page Not Found</span><br />
+      <br />
+      The page you&apos;re looking for doesn&apos;t exist or has moved.<br />
+      <br />
+      <Link to="/">Go back home</Link> or check the URL and try again.
     </div>
   )
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nitro-web",
-  "version": "0.0.165",
+  "version": "0.0.167",
   "repository": "github:boycce/nitro-web",
   "homepage": "https://boycce.github.io/nitro-web/",
   "description": "Nitro is a battle-tested, modular base project to turbocharge your projects, styled using Tailwind 🚀",

package/server/index.js

@@ -18,7 +18,7 @@ async function setupDefaultModels(db) {
 export { userModel, companyModel, setupDefaultModels }
 
 // Export router
-export { setupRouter, middleware } from './router.js'
+export { setupRouter, middleware, isValidUserOrRespond, isAdminUser } from './router.js'
 
 // Export email utility
 export { sendEmail } from './email/index.js'

package/server/router.js

@@ -374,42 +374,58 @@ export const middleware = {
 
 
   isAdmin: (req, res, next) => {
-    // Still need to remove cookie matching in favour of uid..
-    // E.g. Cookie matching handy for rare issues, e.g. signout > signin (to a different user on another tab)
-    const user = req.user
-    let cookieMatch = user && (!req.headers.authid || user._id?.toString() == req.headers.authid)
-    if (cookieMatch && user && (user.type?.match(/admin/) || user.isAdmin)) next()
-    else if (user && (user.type?.match(/admin/) || user.isAdmin)) res.unauthorized('Invalid cookie, please refresh your browser')
-    else if (user) res.unauthorized('You are not authorised to make this request.')
-    else res.unauthorized('Please sign in first.')
+    if (!isValidUserOrRespond(req, res)) return
+    else if (!isAdminUser(req)) res.unauthorized('You are not authorised to make this request.')
+    else next()
   },
-  // isCompanyOwner: (req, res, next) => {
-  //   let user = req.user || { companies: [] }
-  //   let cid = req.params.cid
-  //   let company = user.companies.find((o) => o._id.toString() == cid)
-  //   let companyUser = company?.users?.find((o) => o._id.toString() == user._id?.toString())
-  //   if (!user._id) return res.unauthorized('Please sign in first.')
-  //   else if (!company || !companyUser) res.unauthorized('You are not authorised to make this request.')
-  //   else if (companyUser.type != 'owner') res.unauthorized('Only owners can make this request.')
-  //   else next()
-  // },
-  // isCompanyUser: (req, res, next) => {
-  //   let user = req.user || { companies: [] }
-  //   let cid = req.params.cid
-  //   let company = user.companies.find((o) => o._id.toString() == cid)
-  //   if (!user._id) return res.unauthorized('Please sign in first.')
-  //   else if (!company) res.unauthorized('You are not authorised to make this request.')
-  //   else next()
-  // },
   isUser: (req, res, next) => {
-    // todo: need to double check that uid is always defined
-    let uid = req.params.uid
-    if (req.user && (typeof uid == 'undefined' || req.user._id?.toString() == uid)) next()
-    else if (req.user) res.unauthorized('You are not authorised to make this request.')
-    else res.unauthorized('Please sign in first.')
+    if (!isValidUserOrRespond(req, res)) return
+    else next()
+  },
+  isParamUser: (req, res, next) => {
+    const isParamUser = req.user?._id?.toString() == req.params.uid
+    if (!isValidUserOrRespond(req, res)) return
+    else if (!isParamUser && !isAdminUser(req)) res.unauthorized('You are not authorised to make this request.')
+    else next() 
   },
   isDevelopment: (req, res, next) => {
     if (configLocal.env !== 'development') res.error('This API endpoint is only available in development')
     else next()
   },
+  isCompanyUser: (req, res, next) => {
+    if (!isValidParamCompanyUserOrRespond(req)) return
+    else next()
+  },
+  isCompanyOwner: (req, res, next) => {
+    if (!isValidParamCompanyUserOrRespond(req, true)) return
+    else next()
+  },
+}
+
+export function isAdminUser(req) {
+  return (req.user?.type?.match(/admin/) || req.user?.isAdmin) ? true : false
+}
+
+export function isValidUserOrRespond(req, res) {
+  // Check if the user is logged in, and that the requesting user is the same as the user, the requesting user might be outdated.
+  // E.g. new tab > signout > signin to a different user, now old tab needs to refresh.
+  if (!req.user) {
+    res.unauthorized('Please sign in first.')
+    return false
+  } else if (req.headers.requestingUserId && req.user._id?.toString() != req.headers.requestingUserId) {
+    res.unauthorized('Invalid session, please refresh your browser.')
+    return false
+  } else {
+    return true
+  }
+}
+
+function isValidParamCompanyUserOrRespond(req, res, checkIsOwner = false) {
+  const _company = req.user?.company?._id?.toString() == req.params.cid ? req.user.company : false
+  const company = _company || req.user?.companies?.find((o) => o._id.toString() == req.params.cid)
+  const isCompanyOwner = company?.users?.find((o) => o._id.toString() == req.user?._id?.toString() && o.type === 'owner')
+  if (!isValidUserOrRespond(req, res)) return
+  else if (!isAdminUser(req) && !company) res.unauthorized('You are not authorised to make this request.')
+  else if (!isAdminUser(req) && checkIsOwner && !isCompanyOwner) res.unauthorized('Only owners can make this request.')
+  else return true
 }

package/types/server/index.d.ts

@@ -13,5 +13,5 @@ import userModel from './models/user.js';
 import companyModel from './models/company.js';
 export function setupDefaultModels(db: any): Promise<void>;
 export { userModel, companyModel };
-export { setupRouter, middleware } from "./router.js";
+export { setupRouter, middleware, isValidUserOrRespond, isAdminUser } from "./router.js";
 //# sourceMappingURL=index.d.ts.map

package/types/server/router.d.ts

@@ -1,4 +1,6 @@
 export function setupRouter(config: any): Promise<http.Server<typeof http.IncomingMessage, typeof http.ServerResponse>>;
+export function isAdminUser(req: any): boolean;
+export function isValidUserOrRespond(req: any, res: any): boolean;
 /** @type {MiddlewareConfig} */
 export const middleware: MiddlewareConfig;
 export type Request = express.Request & {

package/types/server/router.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"router.d.ts","sourceRoot":"","sources":["../../server/router.js"],"names":[],"mappings":"AAmCA,wHA6HC;AAgKD,+BAA+B;AAC/B,yBADW,gBAAgB,CA8F1B;sBA/YY,OAAO,CAAC,OAAO,GAAG;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,GAAoB,CAAC;CAC7B;uBACS,OAAO,CAAC,QAAQ,GAAG;IAC3B,KAAK,EAAE,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,KAAK,GAAG,KAAK,EAAE,EAAE,MAAM,CAAC,EAAE,MAAM,KAAK,IAAI,CAAC;IACjE,YAAY,EAAE,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,KAAK,GAAG,KAAK,EAAE,KAAK,IAAI,CAAC;IACvD,SAAS,EAAE,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,KAAK,GAAG,KAAK,EAAE,KAAK,IAAI,CAAC;IACpD,QAAQ,EAAE,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,KAAK,GAAG,KAAK,EAAE,KAAK,IAAI,CAAC;IACnD,WAAW,EAAE,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,KAAK,GAAG,KAAK,EAAE,KAAK,IAAI,CAAC;CACvD;+BACS;IACR,KAAK,EAAE,MAAM,EAAE,CAAC;IACpB,CAAK,GAAG,EAAE,MAAM,GAAG,CAAC,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,UAAU,KAAK,IAAI,CAAC,GAAG,MAAM,EAAE,CAAC;CACnF;iBA1Ba,MAAM;oBAIH,SAAS"}
+{"version":3,"file":"router.d.ts","sourceRoot":"","sources":["../../server/router.js"],"names":[],"mappings":"AAmCA,wHA6HC;AAoPD,+CAEC;AAED,kEAYC;AApGD,+BAA+B;AAC/B,yBADW,gBAAgB,CAkF1B;sBAnYY,OAAO,CAAC,OAAO,GAAG;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,GAAoB,CAAC;CAC7B;uBACS,OAAO,CAAC,QAAQ,GAAG;IAC3B,KAAK,EAAE,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,KAAK,GAAG,KAAK,EAAE,EAAE,MAAM,CAAC,EAAE,MAAM,KAAK,IAAI,CAAC;IACjE,YAAY,EAAE,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,KAAK,GAAG,KAAK,EAAE,KAAK,IAAI,CAAC;IACvD,SAAS,EAAE,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,KAAK,GAAG,KAAK,EAAE,KAAK,IAAI,CAAC;IACpD,QAAQ,EAAE,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,KAAK,GAAG,KAAK,EAAE,KAAK,IAAI,CAAC;IACnD,WAAW,EAAE,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,KAAK,GAAG,KAAK,EAAE,KAAK,IAAI,CAAC;CACvD;+BACS;IACR,KAAK,EAAE,MAAM,EAAE,CAAC;IACpB,CAAK,GAAG,EAAE,MAAM,GAAG,CAAC,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,UAAU,KAAK,IAAI,CAAC,GAAG,MAAM,EAAE,CAAC;CACnF;iBA1Ba,MAAM;oBAIH,SAAS"}