npm - nitro-web - Versions diffs - 0.0.166 → 0.0.167 - Mend

nitro-web 0.0.166 → 0.0.167

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/client/store.ts +2 -2
package/components/partials/not-found.tsx +6 -2
package/package.json +1 -1
package/server/index.js +1 -1
package/server/router.js +47 -31
package/types/server/index.d.ts +1 -1
package/types/server/router.d.ts +2 -0
package/types/server/router.d.ts.map +1 -1

package/client/store.ts CHANGED Viewed

@@ -39,9 +39,9 @@ function beforeUpdate<T extends Store>(newStore: T) {
     delete newStore.jwt
   }
-  // E.g. Cookie matching handy for rare issues, e.g. signout > signin (to a different user on another tab)
+  // Send the requesting user id in the headers for the server to check (see, ./server/router.js:isValidUser() for more details)
   if (newStore?.user?._id) {
-    axios().defaults.headers.authid = newStore?.user?._id
+    axios().defaults.headers.requestingUserId = newStore?.user?._id
   }
   return newStore
 }

package/components/partials/not-found.tsx CHANGED Viewed

@@ -1,7 +1,11 @@
 export function NotFound() {
   return (
-    <div class="pt-14 text-center" style={{'minHeight': '300px'}}>
-      Sorry, nothing found.
+    <div style={{'minHeight': '300px'}}>
+      <span class="h1">Page Not Found</span><br />
+      <br />
+      The page you&apos;re looking for doesn&apos;t exist or has moved.<br />
+      <br />
+      <Link to="/">Go back home</Link> or check the URL and try again.
     </div>
   )
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "nitro-web",
-  "version": "0.0.166",
+  "version": "0.0.167",
   "repository": "github:boycce/nitro-web",
   "homepage": "https://boycce.github.io/nitro-web/",
   "description": "Nitro is a battle-tested, modular base project to turbocharge your projects, styled using Tailwind 🚀",

package/server/index.js CHANGED Viewed

@@ -18,7 +18,7 @@ async function setupDefaultModels(db) {
 export { userModel, companyModel, setupDefaultModels }
 // Export router
-export { setupRouter, middleware } from './router.js'
+export { setupRouter, middleware, isValidUserOrRespond, isAdminUser } from './router.js'
 // Export email utility
 export { sendEmail } from './email/index.js'

package/server/router.js CHANGED Viewed

@@ -374,42 +374,58 @@ export const middleware = {
   isAdmin: (req, res, next) => {
-    // Still need to remove cookie matching in favour of uid..
-    // E.g. Cookie matching handy for rare issues, e.g. signout > signin (to a different user on another tab)
-    const user = req.user
-    let cookieMatch = user && (!req.headers.authid || user._id?.toString() == req.headers.authid)
-    if (cookieMatch && user && (user.type?.match(/admin/) || user.isAdmin)) next()
-    else if (user && (user.type?.match(/admin/) || user.isAdmin)) res.unauthorized('Invalid cookie, please refresh your browser')
-    else if (user) res.unauthorized('You are not authorised to make this request.')
-    else res.unauthorized('Please sign in first.')
+    if (!isValidUserOrRespond(req, res)) return
+    else if (!isAdminUser(req)) res.unauthorized('You are not authorised to make this request.')
+    else next()
   },
-  // isCompanyOwner: (req, res, next) => {
-  //   let user = req.user || { companies: [] }
-  //   let cid = req.params.cid
-  //   let company = user.companies.find((o) => o._id.toString() == cid)
-  //   let companyUser = company?.users?.find((o) => o._id.toString() == user._id?.toString())
-  //   if (!user._id) return res.unauthorized('Please sign in first.')
-  //   else if (!company || !companyUser) res.unauthorized('You are not authorised to make this request.')
-  //   else if (companyUser.type != 'owner') res.unauthorized('Only owners can make this request.')
-  //   else next()
-  // },
-  // isCompanyUser: (req, res, next) => {
-  //   let user = req.user || { companies: [] }
-  //   let cid = req.params.cid
-  //   let company = user.companies.find((o) => o._id.toString() == cid)
-  //   if (!user._id) return res.unauthorized('Please sign in first.')
-  //   else if (!company) res.unauthorized('You are not authorised to make this request.')
-  //   else next()
-  // },
   isUser: (req, res, next) => {
-    // todo: need to double check that uid is always defined
-    let uid = req.params.uid
-    if (req.user && (typeof uid == 'undefined' || req.user._id?.toString() == uid)) next()
-    else if (req.user) res.unauthorized('You are not authorised to make this request.')
-    else res.unauthorized('Please sign in first.')
+    if (!isValidUserOrRespond(req, res)) return
+    else next()
+  },
+  isParamUser: (req, res, next) => {
+    const isParamUser = req.user?._id?.toString() == req.params.uid
+    if (!isValidUserOrRespond(req, res)) return
+    else if (!isParamUser && !isAdminUser(req)) res.unauthorized('You are not authorised to make this request.')
+    else next()
   },
   isDevelopment: (req, res, next) => {
     if (configLocal.env !== 'development') res.error('This API endpoint is only available in development')
     else next()
   },
+  isCompanyUser: (req, res, next) => {
+    if (!isValidParamCompanyUserOrRespond(req)) return
+    else next()
+  },
+  isCompanyOwner: (req, res, next) => {
+    if (!isValidParamCompanyUserOrRespond(req, true)) return
+    else next()
+  },
+}
+export function isAdminUser(req) {
+  return (req.user?.type?.match(/admin/) || req.user?.isAdmin) ? true : false
+}
+export function isValidUserOrRespond(req, res) {
+  // Check if the user is logged in, and that the requesting user is the same as the user, the requesting user might be outdated.
+  // E.g. new tab > signout > signin to a different user, now old tab needs to refresh.
+  if (!req.user) {
+    res.unauthorized('Please sign in first.')
+    return false
+  } else if (req.headers.requestingUserId && req.user._id?.toString() != req.headers.requestingUserId) {
+    res.unauthorized('Invalid session, please refresh your browser.')
+    return false
+  } else {
+    return true
+  }
+}
+function isValidParamCompanyUserOrRespond(req, res, checkIsOwner = false) {
+  const _company = req.user?.company?._id?.toString() == req.params.cid ? req.user.company : false
+  const company = _company || req.user?.companies?.find((o) => o._id.toString() == req.params.cid)
+  const isCompanyOwner = company?.users?.find((o) => o._id.toString() == req.user?._id?.toString() && o.type === 'owner')
+  if (!isValidUserOrRespond(req, res)) return
+  else if (!isAdminUser(req) && !company) res.unauthorized('You are not authorised to make this request.')
+  else if (!isAdminUser(req) && checkIsOwner && !isCompanyOwner) res.unauthorized('Only owners can make this request.')
+  else return true
 }

package/types/server/index.d.ts CHANGED Viewed

@@ -13,5 +13,5 @@ import userModel from './models/user.js';
 import companyModel from './models/company.js';
 export function setupDefaultModels(db: any): Promise<void>;
 export { userModel, companyModel };
-export { setupRouter, middleware } from "./router.js";
+export { setupRouter, middleware, isValidUserOrRespond, isAdminUser } from "./router.js";
 //# sourceMappingURL=index.d.ts.map

package/types/server/router.d.ts CHANGED Viewed

@@ -1,4 +1,6 @@
 export function setupRouter(config: any): Promise<http.Server<typeof http.IncomingMessage, typeof http.ServerResponse>>;
+export function isAdminUser(req: any): boolean;
+export function isValidUserOrRespond(req: any, res: any): boolean;
 /** @type {MiddlewareConfig} */
 export const middleware: MiddlewareConfig;
 export type Request = express.Request & {

package/types/server/router.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"router.d.ts","sourceRoot":"","sources":["../../server/router.js"],"names":[],"mappings":"AAmCA,wHA6HC;~~AAgKD~~,+BAA+B;AAC/B,yBADW,gBAAgB,~~CA8F1B~~;~~sBA/YY~~,OAAO,CAAC,OAAO,GAAG;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,GAAoB,CAAC;CAC7B;uBACS,OAAO,CAAC,QAAQ,GAAG;IAC3B,KAAK,EAAE,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,KAAK,GAAG,KAAK,EAAE,EAAE,MAAM,CAAC,EAAE,MAAM,KAAK,IAAI,CAAC;IACjE,YAAY,EAAE,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,KAAK,GAAG,KAAK,EAAE,KAAK,IAAI,CAAC;IACvD,SAAS,EAAE,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,KAAK,GAAG,KAAK,EAAE,KAAK,IAAI,CAAC;IACpD,QAAQ,EAAE,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,KAAK,GAAG,KAAK,EAAE,KAAK,IAAI,CAAC;IACnD,WAAW,EAAE,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,KAAK,GAAG,KAAK,EAAE,KAAK,IAAI,CAAC;CACvD;+BACS;IACR,KAAK,EAAE,MAAM,EAAE,CAAC;IACpB,CAAK,GAAG,EAAE,MAAM,GAAG,CAAC,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,UAAU,KAAK,IAAI,CAAC,GAAG,MAAM,EAAE,CAAC;CACnF;iBA1Ba,MAAM;oBAIH,SAAS"}
1	+ {"version":3,"file":"router.d.ts","sourceRoot":"","sources":["../../server/router.js"],"names":[],"mappings":"AAmCA,wHA6HC;AAoPD,+CAEC;AAED,kEAYC;AApGD,+BAA+B;AAC/B,yBADW,gBAAgB,CAkF1B;sBAnYY,OAAO,CAAC,OAAO,GAAG;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,GAAoB,CAAC;CAC7B;uBACS,OAAO,CAAC,QAAQ,GAAG;IAC3B,KAAK,EAAE,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,KAAK,GAAG,KAAK,EAAE,EAAE,MAAM,CAAC,EAAE,MAAM,KAAK,IAAI,CAAC;IACjE,YAAY,EAAE,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,KAAK,GAAG,KAAK,EAAE,KAAK,IAAI,CAAC;IACvD,SAAS,EAAE,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,KAAK,GAAG,KAAK,EAAE,KAAK,IAAI,CAAC;IACpD,QAAQ,EAAE,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,KAAK,GAAG,KAAK,EAAE,KAAK,IAAI,CAAC;IACnD,WAAW,EAAE,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,KAAK,GAAG,KAAK,EAAE,KAAK,IAAI,CAAC;CACvD;+BACS;IACR,KAAK,EAAE,MAAM,EAAE,CAAC;IACpB,CAAK,GAAG,EAAE,MAAM,GAAG,CAAC,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,UAAU,KAAK,IAAI,CAAC,GAAG,MAAM,EAAE,CAAC;CACnF;iBA1Ba,MAAM;oBAIH,SAAS"}