npm - prostgles-server - Versions diffs - 2.0.264 → 2.0.267 - Mend

prostgles-server 2.0.264 → 2.0.267

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

package/dist/DboBuilder/runSQL.d.ts +6 -0
package/dist/DboBuilder/runSQL.d.ts.map +1 -0
package/dist/DboBuilder/runSQL.js +104 -0
package/dist/DboBuilder/runSQL.js.map +1 -0
package/dist/DboBuilder.d.ts +3 -4
package/dist/DboBuilder.d.ts.map +1 -1
package/dist/DboBuilder.js +22 -185
package/dist/DboBuilder.js.map +1 -1
package/dist/QueryBuilder.d.ts +3 -1
package/dist/QueryBuilder.d.ts.map +1 -1
package/lib/DboBuilder/runSQL.d.ts +6 -0
package/lib/DboBuilder/runSQL.d.ts.map +1 -0
package/lib/DboBuilder/runSQL.js +103 -0
package/lib/DboBuilder/runSQL.ts +109 -0
package/lib/DboBuilder.d.ts +3 -4
package/lib/DboBuilder.d.ts.map +1 -1
package/lib/DboBuilder.js +22 -185
package/lib/DboBuilder.ts +26 -215
package/package.json +2 -2
package/tests/client/PID.txt +1 -1
package/tests/server/package-lock.json +3 -3

package/lib/DboBuilder.ts CHANGED Viewed

@@ -8,7 +8,7 @@ import * as Bluebird from "bluebird";
 // declare global { export interface Promise<T> extends Bluebird<T> {} }
 import * as pgPromise from 'pg-promise';
-const { ParameterizedQuery: PQ } = require('pg-promise');
+import { canRunSQL, runSQL } from "./DboBuilder/runSQL";
 import pg = require('pg-promise/typescript/pg-subset');
 import {
     ColumnInfo, ValidatedColumnInfo, FieldFilter, SelectParams, SubscribeParams,
@@ -1091,6 +1091,14 @@ export class ViewHandler {
             }
             if(returnQuery) return (_query as unknown as any[]);
+            if(returnType === "statement"){
+                if(!(await canRunSQL(this.dboBuilder.prostgles, localParams))){
+                    throw `Not allowed:  {returnType: "statement"} requires sql privileges `
+                }
+                return _query as unknown as any[];
+            }
             if(["row", "value"].includes(returnType!)) {
                 return (this.t || this.db).oneOrNone(_query).then(data => {
                     return (data && returnType === "value")? Object.values(data)[0] : data;
@@ -1247,7 +1255,7 @@ export class ViewHandler {
         /* Local update allow all. TODO -> FIX THIS */
         if(!ff && !tableRule) filterFields = "*";
-        const parseFullFilter = async (f: any, parentFilter: any = null, checkForeignTablePublished = true): Promise<string> => {
+        const parseFullFilter = async (f: any, parentFilter: any = null, isForcedFilterBypass: boolean): Promise<string> => {
             if(!f) throw "Invalid/missing group filter provided";
             let result = "";
             let keys = getKeys(f);
@@ -1262,21 +1270,21 @@ export class ViewHandler {
             if(group && group.length){
                 const operand = $and? " AND " : " OR ";
-                let conditions = (await Promise.all(group.map(async gf => await parseFullFilter(gf, group, checkForeignTablePublished)))).filter(c => c);
+                let conditions = (await Promise.all(group.map(async gf => await parseFullFilter(gf, group, isForcedFilterBypass)))).filter(c => c);
                 if(conditions && conditions.length){
                     if(conditions.length === 1) return conditions.join(operand);
                     else return ` ( ${conditions.sort().join(operand)} ) `;
                 }
             } else if(!group) {
+                /** forcedFilters do not get checked against publish and are treated as server-side requests */
                 result = await this.getCondition({
                     filter: { ...f },
                     select,
                     allowed_colnames: this.parseFieldFilter(filterFields),
                     tableAlias,
-                    localParams,
-                    tableRules: tableRule,
-                    checkForeignTablePublished
+                    localParams: isForcedFilterBypass? undefined : localParams,
+                    tableRules: isForcedFilterBypass? undefined : tableRule
                 });
             }
             return result;
@@ -1286,8 +1294,8 @@ export class ViewHandler {
         /* A forced filter condition will not check if the existsJoined filter tables have been published */
-        const forcedFilterCond = forcedFilter? await parseFullFilter(forcedFilter, null, false) : undefined;
-        const filterCond = await parseFullFilter(filter, null);
+        const forcedFilterCond = forcedFilter? await parseFullFilter(forcedFilter, null, true) : undefined;
+        const filterCond = await parseFullFilter(filter, null, false);
         let cond = [
             forcedFilterCond, filterCond
         ].filter(c => c).join(" AND ");
@@ -1300,7 +1308,7 @@ export class ViewHandler {
         return { where: cond || "", filter: finalFilter };
     }
-    async prepareExistCondition(eConfig: ExistsFilterConfig, localParams: LocalParams | undefined, checkForeignTablePublished = true): Promise<string> {
+    async prepareExistCondition(eConfig: ExistsFilterConfig, localParams: LocalParams | undefined): Promise<string> {
         let res = "";
         const thisTable = this.name;
         const isNotExists = ["$notExists", "$notExistsJoined"].includes(eConfig.existType);
@@ -1377,15 +1385,15 @@ export class ViewHandler {
         let finalWhere = "";
-        console.error("NEED TO ENSURE PUBLISH FILTERS BYPASS THE CHECKS HERE")
         let t2Rules: TableRule | undefined = undefined,
             forcedFilter: AnyObject | undefined,
             filterFields: FieldFilter | undefined,
             tableAlias;
-        /* Check if allowed to view data */
-        if(localParams && checkForeignTablePublished && (localParams.socket || localParams.httpReq) && this.dboBuilder.publishParser){
-            /* Need to think about joining through dissallowed tables */
+        /* Check if allowed to view data - forcedFilters will bypass this check through isForcedFilterBypass */
+        if(localParams && (!localParams?.socket && !localParams?.httpReq)) throw "Unexpected: localParams missing socket/httpReq"
+        if(localParams && (localParams.socket || localParams.httpReq) && this.dboBuilder.publishParser){
             t2Rules = await this.dboBuilder.publishParser.getValidatedRequestRuleWusr({ tableName: t2, command: "find", localParams }) as TableRule;
             if(!t2Rules || !t2Rules.select) throw "Dissallowed";
             ({ forcedFilter, filterFields } = t2Rules.select);
@@ -1420,8 +1428,8 @@ export class ViewHandler {
      *  { fff: 2 } => "fff" = 2
      *  { fff: { $ilike: 'abc' } } => "fff" ilike 'abc'
      */
-    async getCondition(params: { filter: any, select?: SelectItem[], allowed_colnames: string[], tableAlias?: string, localParams?: LocalParams, tableRules?: TableRule, checkForeignTablePublished: boolean }){
-        const { filter, select, allowed_colnames, tableAlias, localParams, tableRules, checkForeignTablePublished = true  } = params;
+    async getCondition(params: { filter: any, select?: SelectItem[], allowed_colnames: string[], tableAlias?: string, localParams?: LocalParams, tableRules?: TableRule }){
+        const { filter, select, allowed_colnames, tableAlias, localParams, tableRules } = params;
         let data = { ... (filter as any) } as any ;
@@ -1491,7 +1499,7 @@ export class ViewHandler {
         let existsCond = "";
         if(existsKeys.length){
-            existsCond = (await Promise.all(existsKeys.map(async k => await this.prepareExistCondition(k, localParams, checkForeignTablePublished)))).join(" AND ");
+            existsCond = (await Promise.all(existsKeys.map(async k => await this.prepareExistCondition(k, localParams)))).join(" AND ");
         }
         /* Computed field queries */
@@ -2439,13 +2447,9 @@ export class TableHandler extends ViewHandler {
 }
-let DATA_TYPES: {oid: string, typname: PG_COLUMN_UDT_DATA_TYPE }[] | undefined;
-let USER_TABLES: { relid: string; relname: string; }[] | undefined;
 import { JOIN_TYPES } from "./Prostgles";
 import { BasicSession } from "./AuthHandler";
 import { DBOFullyTyped, getDBSchema } from "./DBSchemaBuilder";
-import { bool } from "aws-sdk/clients/signer";
 export class DboBuilder {
     tablesOrViews?: TableSchema[];   //TableSchema           TableOrViewInfo
@@ -2651,107 +2655,9 @@ export class DboBuilder {
         return this.joinPaths;
     }
-    runSQL = async (query: string, params: any, options: SQLOptions | undefined, localParams?: LocalParams) => {
-        /** Cache types */
-        DATA_TYPES ??= await this.db.any("SELECT oid, typname FROM pg_type") ?? [];
-        USER_TABLES ??= await this.db.any("SELECT relid, relname FROM pg_catalog.pg_statio_user_tables") ?? [];
-        const canRunSQL = async (localParams?: LocalParams) => {
-            if(!localParams?.socket || !localParams?.httpReq) return true;
-            const { socket } = localParams;
-            const publishParams = await this.prostgles.publishParser!.getPublishParams({ socket });
-            let res = await this.prostgles.opts.publishRawSQL?.(publishParams);
-            return Boolean(res && typeof res === "boolean" || res === "*");
-        }
-        if(!(await canRunSQL(localParams))) throw "Not allowed to run SQL";
-        const { returnType, allowListen }: SQLOptions = options || ({} as any);
-        const { socket } = localParams || {};
-        const db = localParams?.tx?.t || this.db;
-        if(returnType === "noticeSubscription"){
-            if(!socket) throw "Only allowed with client socket"
-            return await this.prostgles.dbEventsManager?.addNotice(socket);
-        } else if(returnType === "statement"){
-            try {
-                return pgp.as.format(query, params);
-            } catch (err){
-                throw (err as any).toString();
-            }
-        } else if(db) {
-            let finalQuery = query + "";
-            if(returnType === "arrayMode" && !["listen ", "notify "].find(c => query.toLowerCase().trim().startsWith(c))){
-                finalQuery = new PQ({ text: pgp.as.format(query, params), rowMode: "array" });
-            }
-            let _qres = await db.result(finalQuery, params)
-            const { fields, rows, command } = _qres;
-            /**
-             * Fallback for watchSchema in case not superuser and cannot add db event listener
-             */
-            const { watchSchema, watchSchemaType } = this.prostgles?.opts || {};
-            if(
-                watchSchema &&
-                (!this.prostgles.isSuperUser || watchSchemaType === "prostgles_queries")
-            ){
-                if(["CREATE", "ALTER", "DROP"].includes(command)){
-                    this.prostgles.onSchemaChange({ command, query })
-                } else if(query) {
-                    const cleanedQuery = query.toLowerCase().replace(/\s\s+/g, ' ');
-                    if(PubSubManager.SCHEMA_ALTERING_QUERIES.some(q => cleanedQuery.includes(q.toLowerCase()))){
-                        this.prostgles.onSchemaChange({ command, query })
-                    }
-                }
-            }
-            if(command === "LISTEN"){
-                if(!allowListen) throw new Error(`Your query contains a LISTEN command. Set { allowListen: true } to get subscription hooks. Or ignore this message`)
-                if(!socket) throw "Only allowed with client socket"
-                return await this.prostgles.dbEventsManager?.addNotify(query, socket);
-            } else if(returnType === "rows") {
-                return rows;
-            } else if(returnType === "row") {
-                return rows[0];
-            } else if(returnType === "value") {
-                return Object.values(rows?.[0] || {})?.[0];
-            } else if(returnType === "values") {
-                return rows.map(r => Object.values(r[0]));
-            } else {
-                let qres: SQLResult<typeof returnType> = {
-                    duration: 0,
-                    ..._qres,
-                    fields: fields?.map(f => {
-                        const dataType = DATA_TYPES!.find(dt => +dt.oid === +f.dataTypeID)?.typname ?? "text",
-                            tableName = USER_TABLES!.find(t => +t.relid === +f.tableID),
-                            tsDataType = postgresToTsType(dataType);
-                        return {
-                            ...f,
-                            tsDataType,
-                            dataType,
-                            udt_name: dataType,
-                            tableName: tableName?.relname
-                        }
-                    }) ?? []
-                };
-                return qres;
-            }
-        } else console.error("db missing");
+    private runSQL = async (query: string, params: any, options: SQLOptions | undefined, localParams?: LocalParams) => {
+        return runSQL.bind(this)(query, params, options, localParams);
     }
     async build(): Promise<DBHandlerServer>{
         this.tablesOrViews = await getTablesForSchemaPostgresSQL(this.db);
@@ -2820,101 +2726,6 @@ export class DboBuilder {
         if(!this.dbo.sql){
             this.dbo.sql = this.runSQL;
-            // this.dbo.sql = async (query: string, params: any, options: SQLOptions | undefined, localParams?: LocalParams) => {
-            //     const canRunSQL = async (localParams?: LocalParams) => {
-            //         if(!localParams?.socket || !localParams?.httpReq) return true;
-            //         const { socket } = localParams;
-            //         const publishParams = await this.prostgles.publishParser!.getPublishParams({ socket });
-            //         let res = await this.prostgles.opts.publishRawSQL?.(publishParams);
-            //         return Boolean(res && typeof res === "boolean" || res === "*");
-            //     }
-            //     if(!(await canRunSQL(localParams))) throw "Not allowed to run SQL";
-            //     const { returnType, allowListen }: SQLOptions = options || ({} as any);
-            //     const { socket } = localParams || {};
-            //     if(returnType === "noticeSubscription"){
-            //         if(!socket) throw "Only allowed with client socket"
-            //         return await this.prostgles.dbEventsManager?.addNotice(socket);
-            //     } else if(returnType === "statement"){
-            //         try {
-            //             return pgp.as.format(query, params);
-            //         } catch (err){
-            //             throw (err as any).toString();
-            //         }
-            //     } else if(this.db) {
-            //         let finalQuery = query + "";
-            //         if(returnType === "arrayMode" && !["listen ", "notify "].find(c => query.toLowerCase().trim().startsWith(c))){
-            //             finalQuery = new PQ({ text: pgp.as.format(query, params), rowMode: "array" });
-            //         }
-            //         let _qres = await this.db.result(finalQuery, params)
-            //         const { fields, rows, command } = _qres;
-            //         /**
-            //          * Fallback for watchSchema in case not superuser and cannot add db event listener
-            //          */
-            //         const { watchSchema, watchSchemaType } = this.prostgles?.opts || {};
-            //         if(
-            //             watchSchema &&
-            //             (!this.prostgles.isSuperUser || watchSchemaType === "prostgles_queries")
-            //         ){
-            //             if(["CREATE", "ALTER", "DROP"].includes(command)){
-            //                 this.prostgles.onSchemaChange({ command, query })
-            //             } else if(query) {
-            //                 const cleanedQuery = query.toLowerCase().replace(/\s\s+/g, ' ');
-            //                 if(PubSubManager.SCHEMA_ALTERING_QUERIES.some(q => cleanedQuery.includes(q.toLowerCase()))){
-            //                     this.prostgles.onSchemaChange({ command, query })
-            //                 }
-            //             }
-            //         }
-            //         if(command === "LISTEN"){
-            //             if(!allowListen) throw new Error(`Your query contains a LISTEN command. Set { allowListen: true } to get subscription hooks. Or ignore this message`)
-            //             if(!socket) throw "Only allowed with client socket"
-            //             return await this.prostgles.dbEventsManager?.addNotify(query, socket);
-            //         } else if(returnType === "rows") {
-            //             return rows;
-            //         } else if(returnType === "row") {
-            //             return rows[0];
-            //         } else if(returnType === "value") {
-            //             return Object.values(rows?.[0] || {})?.[0];
-            //         } else if(returnType === "values") {
-            //             return rows.map(r => Object.values(r[0]));
-            //         } else {
-            //             let qres: SQLResult<typeof returnType> = {
-            //                 duration: 0,
-            //                 ..._qres,
-            //                 fields: fields?.map(f => {
-            //                     const dataType = DATA_TYPES.find(dt => +dt.oid === +f.dataTypeID)?.typname ?? "text",
-            //                         tableName = USER_TABLES.find(t => +t.relid === +f.tableID),
-            //                         tsDataType = postgresToTsType(dataType);
-            //                     return {
-            //                         ...f,
-            //                         tsDataType,
-            //                         dataType,
-            //                         udt_name: dataType,
-            //                         tableName: tableName?.relname
-            //                     }
-            //                 }) ?? []
-            //             };
-            //             return qres;
-            //         }
-            //     } else console.error("db missing");
-            // }
         } else {
             console.warn(`Could not create dbo.sql handler because there is already a table named "sql"`)
         }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "prostgles-server",
-  "version": "2.0.264",
+  "version": "2.0.267",
   "description": "",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -31,7 +31,7 @@
     "check-disk-space": "^3.3.1",
     "file-type": "^17.1.4",
     "pg-promise": "^10.11.1",
-    "prostgles-types": "^1.5.170",
+    "prostgles-types": "^1.5.174",
     "sharp": "^0.30.7"
   },
   "devDependencies": {

package/tests/client/PID.txt CHANGED Viewed

	@@ -1 +1 @@
1	- ~~14126~~
1	+ 14047

package/tests/server/package-lock.json CHANGED Viewed

@@ -21,7 +21,7 @@
     },
     "../..": {
       "name": "prostgles-server",
-      "version": "2.0.263",
+      "version": "2.0.266",
       "license": "MIT",
       "dependencies": {
         "@aws-sdk/client-s3": "^3.121.0",
@@ -31,7 +31,7 @@
         "check-disk-space": "^3.3.1",
         "file-type": "^17.1.4",
         "pg-promise": "^10.11.1",
-        "prostgles-types": "^1.5.170",
+        "prostgles-types": "^1.5.174",
         "sharp": "^0.30.7"
       },
       "devDependencies": {
@@ -1375,7 +1375,7 @@
         "check-disk-space": "^3.3.1",
         "file-type": "^17.1.4",
         "pg-promise": "^10.11.1",
-        "prostgles-types": "^1.5.170",
+        "prostgles-types": "^1.5.174",
         "sharp": "^0.30.7",
         "typescript": "^4.7.4"
       }