prostgles-server 4.2.160 → 4.2.161

package/lib/Auth/getSafeReturnURL.ts

@@ -0,0 +1,35 @@
+export const getSafeReturnURL = (returnURL: string, returnUrlParamName: string, quiet = false) => {
+  /** Dissalow redirect to other domains */
+  if(returnURL) {
+    const allowedOrigin = "https://localhost";
+    const { origin, pathname, search, searchParams } = new URL(returnURL, allowedOrigin);
+    if(
+      origin !== allowedOrigin ||
+      returnURL !== `${pathname}${search}` ||
+      searchParams.get(returnUrlParamName)
+    ){
+      if(!quiet){
+        console.error(`Unsafe returnUrl: ${returnURL}. Redirecting to /`);
+      }
+      return "/";
+    }
+
+    return returnURL;
+  }
+}
+
+const issue = ([
+  ["https://localhost", "/"],
+  ["//localhost.bad.com", "/"],
+  ["//localhost.com", "/"],
+  ["/localhost/com", "/localhost/com"],
+  ["/localhost/com?here=there", "/localhost/com?here=there"],
+  ["/localhost/com?returnUrl=there", "/"],
+  ["//http://localhost.com", "/"],
+  ["//abc.com", "/"],
+  ["///abc.com", "/"],
+] as const).find(([returnURL, expected]) => getSafeReturnURL(returnURL, "returnUrl", true) !== expected);
+
+if(issue){
+  throw new Error(`getSafeReturnURL failed for ${issue[0]}. Expected: ${issue[1]}`);
+}

package/lib/Auth/sendEmail.ts

@@ -0,0 +1,83 @@
+import { Email, SMTPConfig } from "./AuthTypes";
+import nodemailer from "nodemailer";
+import aws from "@aws-sdk/client-ses";
+import SESTransport from "nodemailer/lib/ses-transport";
+
+type SESTransporter =  nodemailer.Transporter<SESTransport.SentMessageInfo, SESTransport.Options>;
+type SMTPTransporter = nodemailer.Transporter<nodemailer.SentMessageInfo, nodemailer.TransportOptions>;
+type Transporter = SESTransporter | SMTPTransporter;
+
+const transporterCache: Map<string, Transporter> = new Map();
+
+/**
+ * Allows sending emails using nodemailer default config or AWS SES
+ * https://www.nodemailer.com/transports/ses/
+ */
+export const sendEmail = (smptConfig: SMTPConfig, email: Email) => {
+  const configStr = JSON.stringify(smptConfig);
+  const transporter = transporterCache.get(configStr) ?? getTransporter(smptConfig);
+  if(!transporterCache.has(configStr)){
+    transporterCache.set(configStr, transporter);
+  }
+
+  return send(transporter, email);
+}
+
+const getTransporter = (smptConfig: SMTPConfig) => {
+  let transporter: Transporter | undefined;
+  if(smptConfig.type === "aws-ses"){
+    const { 
+      region, 
+      accessKeyId, 
+      secretAccessKey,
+      /**
+       * max 1 messages/second
+       */
+      sendingRate = 1 
+    } = smptConfig;
+    const ses = new aws.SES({
+      apiVersion: "2010-12-01",
+      region,
+      credentials: {
+        accessKeyId,
+        secretAccessKey
+      }
+    });
+
+    transporter = nodemailer.createTransport({
+      SES: { ses, aws },
+      maxConnections: 1,
+      sendingRate 
+    });
+
+  } else {
+    const { user, pass, host, port, secure } = smptConfig;
+    transporter = nodemailer.createTransport({
+      host,
+      port,
+      secure,
+      auth: { user, pass }
+    });
+  }
+
+  return transporter;
+}
+
+const send = (transporter: Transporter, email: Email) => {
+  return new Promise((resolve, reject) => {
+    transporter.once('idle', () => {
+      if (transporter.isIdle()) {
+        transporter.sendMail(
+          email,
+          (err, info) => {
+            if(err){
+              reject(err);
+            } else {
+              resolve(info);
+            }
+          }
+        );
+      }
+    });
+  });
+};

package/lib/Auth/setAuthProviders.ts

@@ -0,0 +1,128 @@
+import type e from "express";
+import { RequestHandler } from "express";
+import { Strategy as FacebookStrategy } from "passport-facebook";
+import { Strategy as GitHubStrategy } from "passport-github2";
+import { Strategy as GoogleStrategy } from "passport-google-oauth20";
+import { Strategy as MicrosoftStrategy } from "passport-microsoft";
+import { AuthSocketSchema, getObjectEntries, isEmpty } from "prostgles-types";
+import { getErrorAsObject } from "../DboBuilder/dboBuilderUtils";
+import { removeExpressRouteByName } from "../FileManager/FileManager";
+import { AUTH_ROUTES_AND_PARAMS, AuthHandler, getLoginClientInfo } from "./AuthHandler";
+import { Auth } from './AuthTypes';
+import { setEmailProvider } from "./setEmailProvider";
+/** For some reason normal import is undefined */
+const passport = require("passport") as typeof import("passport");
+
+export const upsertNamedExpressMiddleware = (app: e.Express, handler: RequestHandler, name: string) => {
+  const funcName = name;
+  Object.defineProperty(handler, "name", { value: funcName });
+  removeExpressRouteByName(app, name);
+  app.use(handler);
+}
+
+export async function setAuthProviders (this: AuthHandler, { registrations, app }: Required<Auth>["expressConfig"]) {
+  if(!registrations) return;
+  const { onProviderLoginFail, onProviderLoginStart, websiteUrl, OAuthProviders } = registrations;
+
+  await setEmailProvider.bind(this)(app);
+
+  if(!OAuthProviders || isEmpty(OAuthProviders)){
+    return;
+  }
+
+  upsertNamedExpressMiddleware(app, passport.initialize(), "prostglesPassportMiddleware");
+
+  getObjectEntries(OAuthProviders).forEach(([providerName, providerConfig]) => {
+
+    if(!providerConfig?.clientID){
+      return;
+    }
+
+    const { authOpts, ...config } = providerConfig;
+    
+    const strategy = providerName === "google" ? GoogleStrategy :
+      providerName === "github" ? GitHubStrategy :
+      providerName === "facebook" ? FacebookStrategy :
+      providerName === "microsoft" ? MicrosoftStrategy : 
+      undefined
+    ;
+
+    const callbackPath = `${AUTH_ROUTES_AND_PARAMS.loginWithProvider}/${providerName}/callback`;
+    passport.use(
+      new (strategy as typeof GoogleStrategy)(
+        {
+          ...config,
+          callbackURL: `${websiteUrl}${callbackPath}`,
+        },
+        async (accessToken, refreshToken, profile, done) => {
+          // This callback is where you would normally store or retrieve user info from the database
+          return done(null, profile, { accessToken, refreshToken, profile });
+        }
+      )
+    );
+
+    app.get(`${AUTH_ROUTES_AND_PARAMS.loginWithProvider}/${providerName}`,
+      passport.authenticate(providerName, authOpts ?? {})
+    );
+
+    app.get(
+      callbackPath,
+      async (req, res) => {
+        try {
+          const clientInfo = getLoginClientInfo({ httpReq: req });
+          const db = this.db;
+          const dbo = this.dbo as any;
+          const args = { provider: providerName, req, res, clientInfo, db, dbo };
+          const startCheck = await onProviderLoginStart?.(args);
+          if(startCheck && "error" in startCheck){
+            res.status(500).json({ error: startCheck.error });
+            return;
+          }
+          passport.authenticate(
+            providerName, 
+            {
+              session: false, 
+              failureRedirect: "/login",
+              failWithError: true,
+            },
+            async (error: any, _profile: any, authInfo: any) => {
+              if(error){
+                await onProviderLoginFail?.({ ...args, error });
+                res.status(500).json({
+                  error: "Failed to login with provider",
+                });
+              } else {
+                this.loginThrottledAndSetCookie(req, res, { type: "provider", provider: providerName, ...authInfo })
+                .catch((e: any) => {
+                  res.status(500).json(getErrorAsObject(e));
+                });
+              }
+            } 
+          )(req, res);
+
+        } catch (_e) {
+          res.status(500).json({ error: "Something went wrong" });
+        }
+      }
+    );
+
+  });
+}
+
+export function getProviders(this: AuthHandler): AuthSocketSchema["providers"] | undefined {
+  const { registrations } = this.opts?.expressConfig ?? {}
+  if(!registrations) return undefined;
+  const {  OAuthProviders } = registrations;
+  if(!OAuthProviders || isEmpty(OAuthProviders)) return undefined;
+ 
+  const result: AuthSocketSchema["providers"] = {}
+  getObjectEntries(OAuthProviders).forEach(([providerName, config]) => {
+    if(config?.clientID){
+      result[providerName] = {
+        url: `${AUTH_ROUTES_AND_PARAMS.loginWithProvider}/${providerName}`,
+      }
+    }
+  });
+
+  return result;
+}

package/lib/Auth/setEmailProvider.ts

@@ -0,0 +1,85 @@
+import e from "express";
+import { AUTH_ROUTES_AND_PARAMS, AuthHandler } from "./AuthHandler";
+import { Email, SMTPConfig } from "./AuthTypes";
+import { sendEmail } from "./sendEmail";
+import { promises } from "node:dns";
+
+export async function setEmailProvider(this: AuthHandler, app: e.Express) {
+  
+  const { email, websiteUrl } = this.opts?.expressConfig?.registrations ?? {};
+  if(!email) return;
+  if(websiteUrl){
+    await checkDmarc(websiteUrl);
+  }
+
+  app.post(AUTH_ROUTES_AND_PARAMS.emailSignup, async (req, res) => {
+    const { username, password } = req.body;
+    let validationError = "";
+    if(typeof username !== "string"){
+      validationError = "Invalid username";
+    }
+    if(email.signupType === "withPassword"){
+      const { minPasswordLength = 8 } = email;
+      if(typeof password !== "string"){
+        validationError = "Invalid password";
+      } else if(password.length < minPasswordLength){
+        validationError = `Password must be at least ${minPasswordLength} characters long`;
+      }
+    }
+    if(validationError){
+      res.status(400).json({ error: validationError });
+      return;
+    }
+    try {
+      let emailMessage: undefined | { message: Email; smtp: SMTPConfig };
+      if(email.signupType === "withPassword"){
+        if(email.emailConfirmation){
+          const { onSend, smtp } = email.emailConfirmation;
+          const message = await onSend({ email: username, confirmationUrlPath: `${websiteUrl}${AUTH_ROUTES_AND_PARAMS.confirmEmail}` });
+          emailMessage = { message: { ...message, to: username }, smtp };
+        }
+      } else {
+        const { emailMagicLink } = email;
+        const message = await emailMagicLink.onSend({ email: username, magicLinkPath: `${websiteUrl}${AUTH_ROUTES_AND_PARAMS.magicLinksRoute}` });
+        emailMessage = { message: { ...message, to: username }, smtp: emailMagicLink.smtp };
+      }
+
+      if(emailMessage){
+        await sendEmail(emailMessage.smtp, emailMessage.message);
+        res.json({ msg: "Email sent" });
+      }
+    } catch {
+      res.status(500).json({ error: "Failed to send email" });
+    }
+  });
+
+  if(email.signupType === "withPassword" && email.emailConfirmation){
+    app.get(AUTH_ROUTES_AND_PARAMS.confirmEmailExpressRoute, async (req, res) => {
+      const { id } = req.params ?? {};
+      try {
+        await email.emailConfirmation?.onConfirmed({ confirmationCode: id });
+        res.json({ msg: "Email confirmed" });
+      } catch (_e) {
+        res.status(500).json({ error: "Failed to confirm email" });
+      }
+    });
+  }
+}
+
+const checkDmarc = async (websiteUrl: string) => {
+  const { host, hostname } = new URL(websiteUrl);
+  const ignoredHosts = ["localhost", "127.0.0.1"]
+  if(!hostname || ignoredHosts.includes(hostname)){
+    return;
+  }
+  const dmarc = await promises.resolveTxt(`_dmarc.${host}`);
+  const dmarkTxt = dmarc[0]?.[0];
+  if(
+    !dmarkTxt?.includes("v=DMARC1") ||
+    (!dmarkTxt?.includes("p=reject") && !dmarkTxt?.includes("p=quarantine"))
+  ){
+    throw new Error("DMARC not set to reject/quarantine");
+  } else {
+    console.log("DMARC set to reject")
+  }
+}

package/lib/Auth/setupAuthRoutes.ts

@@ -0,0 +1,161 @@
+import { RequestHandler } from "express";
+import { DBOFullyTyped } from "../DBSchemaBuilder";
+import { AUTH_ROUTES_AND_PARAMS, AuthHandler, getLoginClientInfo, HTTPCODES } from "./AuthHandler";
+import { AuthClientRequest, ExpressReq, ExpressRes, LoginParams } from "./AuthTypes";
+import { setAuthProviders, upsertNamedExpressMiddleware } from "./setAuthProviders";
+
+export async function setupAuthRoutes(this: AuthHandler) {
+  if (!this.opts) return;
+ 
+  const { login, getUser, expressConfig } = this.opts;
+
+  if (!login) {
+    throw "Invalid auth: Provide { sidKeyName: string } ";
+  }
+
+  if (this.sidKeyName === "sid") {
+    throw "sidKeyName cannot be 'sid' due to collision with socket.io";
+  }
+
+  if (!getUser) throw "getUser missing from auth config";
+
+  if (!expressConfig) {
+    return 
+  }
+  const { app, publicRoutes = [], onGetRequestOK, magicLinks, use } = expressConfig;
+  if (publicRoutes.find(r => typeof r !== "string" || !r)) {
+    throw "Invalid or empty string provided within publicRoutes "
+  }
+
+  await setAuthProviders.bind(this)(expressConfig);
+
+  if(use){
+    const prostglesUseMiddleware: RequestHandler = (req, res, next) => {
+      use({ 
+        req, 
+        res, 
+        next, 
+        getUser: () => this.getUser({ httpReq: req }) as any,
+        dbo: this.dbo as DBOFullyTyped, 
+        db: this.db,
+      })
+    };
+    upsertNamedExpressMiddleware(app, prostglesUseMiddleware, "prostglesUseMiddleware");
+  }
+
+  if (magicLinks) {
+    const { check } = magicLinks;
+    if (!check) {
+      throw "Check must be defined for magicLinks";
+    }
+
+    app.get(AUTH_ROUTES_AND_PARAMS.magicLinksExpressRoute, async (req: ExpressReq, res: ExpressRes) => {
+      const { id } = req.params ?? {};
+
+      if (typeof id !== "string" || !id) {
+        res.status(HTTPCODES.BAD_REQUEST).json({ msg: "Invalid magic-link id. Expecting a string" });
+      } else {
+        try {
+          const session = await this.throttledFunc(async () => {
+            return check(id, this.dbo as any, this.db, getLoginClientInfo({ httpReq: req }));
+          });
+          if (!session) {
+            res.status(HTTPCODES.AUTH_ERROR).json({ msg: "Invalid magic-link" });
+          } else {
+            this.setCookieAndGoToReturnURLIFSet(session, { req, res });
+          }
+
+        } catch (e) {
+          res.status(HTTPCODES.AUTH_ERROR).json({ msg: e });
+        }
+      }
+    });
+  }
+
+  app.post(AUTH_ROUTES_AND_PARAMS.login, async (req: ExpressReq, res: ExpressRes) => {
+    try {
+      const loginParams: LoginParams = {
+        type: "username",
+        ...req.body,
+      };
+
+      await this.loginThrottledAndSetCookie(req, res, loginParams);
+    } catch (err) {
+      console.log(err)
+      res.status(HTTPCODES.AUTH_ERROR).json({ err });
+    }
+
+  });
+
+  const onLogout = async (req: ExpressReq, res: ExpressRes) => {
+    const sid = this.validateSid(req?.cookies?.[this.sidKeyName]);
+    if (sid) {
+      try {
+        await this.throttledFunc(() => {
+          return this.opts?.logout?.(req?.cookies?.[this.sidKeyName], this.dbo as any, this.db);
+        })
+      } catch (err) {
+        console.error(err);
+      }
+    }
+    res.redirect("/")
+  }
+  
+  /* Redirect if not logged in and requesting non public content */
+  app.get(AUTH_ROUTES_AND_PARAMS.catchAll, async (req: ExpressReq, res: ExpressRes, next) => {
+
+    const clientReq: AuthClientRequest = { httpReq: req };
+    const getUser = this.getUser;
+    if(this.prostgles.restApi){
+      if(Object.values(this.prostgles.restApi.routes).some(restRoute => this.matchesRoute(restRoute.split("/:")[0], req.path))){
+        next();
+        return;
+      }
+    }
+    try {
+      const returnURL = this.getReturnUrl(req);
+      
+      if(this.matchesRoute(AUTH_ROUTES_AND_PARAMS.logoutGetPath, req.path)){
+        await onLogout(req, res);
+        return;
+      }
+
+      if(this.matchesRoute(AUTH_ROUTES_AND_PARAMS.loginWithProvider, req.path)){
+        next();
+        return;
+      }
+      /**
+       * Requesting a User route
+       */
+      if (this.isUserRoute(req.path)) {
+
+        /* Check auth. Redirect to login if unauthorized */
+        const u = await getUser(clientReq);
+        if (!u) {
+          res.redirect(`${AUTH_ROUTES_AND_PARAMS.login}?returnURL=${encodeURIComponent(req.originalUrl)}`);
+          return;
+        }
+
+        /* If authorized and going to returnUrl then redirect. Otherwise serve file */
+      } else if (returnURL && (await getUser(clientReq))) {
+
+        res.redirect(returnURL);
+        return;
+
+        /** If Logged in and requesting login then redirect to main page */
+      } else if (this.matchesRoute(AUTH_ROUTES_AND_PARAMS.login, req.path) && (await getUser(clientReq))) {
+
+        res.redirect("/");
+        return;
+      }
+
+      onGetRequestOK?.(req, res, { getUser: () => getUser(clientReq), dbo: this.dbo as DBOFullyTyped, db: this.db })
+
+    } catch (error) {
+      console.error(error);
+      const errorMessage = typeof error === "string" ? error : error instanceof Error ? error.message : "";
+      res.status(HTTPCODES.AUTH_ERROR).json({ msg: "Something went wrong when processing your request" + (errorMessage? (": " + errorMessage) : "") });
+    }
+
+  });
+}

package/lib/DBEventsManager.ts

@@ -0,0 +1,178 @@
+import { PostgresNotifListenManager, PrglNotifListener } from "./PostgresNotifListenManager";
+import { DB, PGP } from "./Prostgles";
+import { getKeys, CHANNELS } from "prostgles-types";
+import { PRGLIOSocket } from "./DboBuilder/DboBuilder";
+
+export class DBEventsManager {
+
+  notifies: { 
+    [key: string]: {
+      socketChannel: string;
+      sockets: any[]; 
+      localFuncs: ((payload: string) => void)[];
+      notifMgr: PostgresNotifListenManager;
+    } 
+  } = {};
+
+  notice: {
+    socketChannel: string;
+    socketUnsubChannel: string;
+    sockets: any[];
+  } = {
+    socketChannel: CHANNELS.NOTICE_EV,
+    socketUnsubChannel: CHANNELS.NOTICE_EV + "unsubscribe",
+    sockets: []
+  };
+
+  notifManager?: PostgresNotifListenManager;
+
+  db_pg: DB;
+  pgp: PGP
+  constructor(db_pg: DB, pgp: PGP){
+    this.db_pg = db_pg;
+    this.pgp = pgp;
+  }
+
+  private onNotif: PrglNotifListener = ({ channel, payload }) => {
+
+    // console.log(36, { channel, payload },  Object.keys(this.notifies));
+
+    getKeys(this.notifies)
+      .filter(ch => ch === channel)
+      .map(ch => {
+        const sub = this.notifies[ch]!;
+        
+        sub.sockets.map(s => {
+          s.emit(sub.socketChannel, payload)
+        });
+        sub.localFuncs.map(lf => {
+          lf(payload);
+        })
+      });
+  }
+
+  onNotice = (notice: any) => {
+    if(this.notice && this.notice.sockets.length){
+      this.notice.sockets.map(s => {
+        s.emit(this.notice.socketChannel, notice);
+      })
+    }
+  }
+
+  getNotifChannelName = async (channel: string) => {
+    const c = await this.db_pg.one("SELECT quote_ident($1) as c", channel);
+    return c.c;
+  }
+
+  async addNotify(query: string, socket?: PRGLIOSocket, func?: any): Promise<{
+    socketChannel: string;
+    socketUnsubChannel: string;
+    notifChannel: string;
+    unsubscribe?: () => void;
+  }> {
+    if(typeof query !== "string" || (!socket && !func)){
+      throw "Expecting (query: string, socket?, localFunc?) But received: " + JSON.stringify({ query, socket, func });
+    }
+
+    /* Remove comments */
+    let q = query.trim()
+      .replace(/\/\*[\s\S]*?\*\/|\/\/.*/g,'\n')
+      .split("\n").map(v => v.trim()).filter(v => v && !v.startsWith("--"))
+      .join("\n");
+
+    /* Find the notify channel name */
+    if(!q.toLowerCase().startsWith("listen")){
+      throw "Expecting a LISTEN query but got: " + query;
+    }
+    q = q.slice(7).trim(); // Remove listen
+    if(q.endsWith(";")) q = q.slice(0, -1);
+
+    if(q.startsWith('"') && q.endsWith('"')) {
+      q = q.slice(1, -1);
+    } else {
+      /* Replicate PG by lowercasing identifier if not quoted */
+      q = q.toLowerCase();
+    }
+    q = q.replace(/""/g, `"`);
+
+    const channel = q;    
+    let notifChannel = await this.getNotifChannelName(channel)
+
+    notifChannel = notifChannel.replace(/""/g, `"`);
+    if(notifChannel.startsWith('"')) notifChannel = notifChannel.slice(1, -1);
+
+    const socketChannel = CHANNELS.LISTEN_EV + notifChannel,
+      socketUnsubChannel = socketChannel + "unsubscribe";
+
+    if(!this.notifies[notifChannel]){
+      this.notifies[notifChannel] = {
+        socketChannel,
+        sockets: socket? [socket] : [],
+        localFuncs: func? [func] : [],
+        notifMgr: await PostgresNotifListenManager.create(this.db_pg, this.onNotif, channel)
+      }
+
+    } else {
+      if(socket && !this.notifies[notifChannel]!.sockets.find(s => s.id === socket.id)) {
+        this.notifies[notifChannel]!.sockets.push(socket);
+
+      } else if(func) {
+        this.notifies[notifChannel]!.localFuncs.push(func);
+      }
+    }
+
+    if(socket){
+      socket.removeAllListeners(socketUnsubChannel);
+      socket.on(socketUnsubChannel, ()=>{
+        this.removeNotify(notifChannel, socket);
+      });
+    }
+
+    return {
+      socketChannel,
+      socketUnsubChannel,
+      notifChannel,
+    }
+  }
+
+  removeNotify(channel?: string, socket?: PRGLIOSocket, func?: any){
+    const notifChannel = channel && this.notifies[channel]
+    if(notifChannel){
+      if(socket){
+        notifChannel.sockets = notifChannel.sockets.filter(s => s.id !== socket.id);
+      } else if(func){
+        notifChannel.localFuncs = notifChannel.localFuncs.filter(f => f !== func);
+      }
+
+      /* UNLISTEN if no listeners ?? */
+    }
+
+    if(socket){
+      getKeys(this.notifies).forEach(channel => {
+        this.notifies[channel]!.sockets = this.notifies[channel]!.sockets.filter(s => s.id !== socket.id);
+      })
+    }
+  }
+
+  addNotice(socket: PRGLIOSocket){
+    if(!socket || !socket.id) throw "Expecting a socket obj with id";
+
+    if(!this.notice.sockets.find(s => s.id === socket.id)){
+      this.notice.sockets.push(socket);
+    }
+
+    const { socketChannel, socketUnsubChannel } = this.notice;
+
+    socket.removeAllListeners(socketUnsubChannel);
+    socket.on(socketUnsubChannel, () => {
+      this.removeNotice(socket);
+    });
+
+    return { socketChannel, socketUnsubChannel, }
+  }
+
+  removeNotice(socket: PRGLIOSocket){
+    if(!socket || !socket.id) throw "Expecting a socket obj with id";
+    this.notice.sockets = this.notice.sockets.filter(s => s.id !== socket.id)
+  }
+}