signatur 1.0.0 → 1.1.0

package/README.md

@@ -18,17 +18,24 @@ Supported file format include:
 
 ## Configuration
 
-| Name              | Type  | Default                              | Description                                                                                                                                            |
-| ----------------- | ----- | ------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| `BASE_URL`        | `str` | `http://localhost:3000`              | The base URL that is going to be used in the construction of external URLs for Signatur.                                                               |
-| `SIGNATUR_KEY`    | `str` | `None`                               | Secret key that should be passed in protected calls so that the server side "trusts" the client side (authentication).                                 |
-| `HEADLESS_URL`    | `str` | `https://headless.stage.hive.pt`     | The base URL to be used to access [Headless](https://github.com/hivesolutions/headless).                                                               |
-| `PRINT_URL`       | `str` | `https://colony-print.stage.hive.pt` | Base URL of the [Colony Print](http://colony-print.hive.pt) service used for both the engraving job and the receipt printing.                          |
-| `PRINT_NODE`      | `str` | `default`                            | Name of the Colony Print node to use when printing the report receipt.                                                                                 |
-| `PRINT_PRINTER`   | `str` | `printer`                            | Name of the printer (within the receipt node) to use when printing the report receipt.                                                                 |
-| `PRINT_KEY`       | `str` | `null`                               | Secret key used to authenticate against Colony Print; shared by both the engraving job and the receipt printing.                                       |
-| `ENGRAVE_NODE`    | `str` | value of `PRINT_NODE`                | Name of the Colony Print node to use when sending an engraving job; falls back to `PRINT_NODE` so existing single-printer deployments keep working.    |
-| `ENGRAVE_PRINTER` | `str` | value of `PRINT_PRINTER`             | Name of the printer (within the engrave node) to use when sending an engraving job; falls back to `PRINT_PRINTER` for the same backward compat reason. |
+| Name                  | Type   | Default                              | Description                                                                                                                                                                                                                     |
+| --------------------- | ------ | ------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `BASE_URL`            | `str`  | `http://localhost:3000`              | The base URL that is going to be used in the construction of external URLs for Signatur.                                                                                                                                        |
+| `SIGNATUR_KEY`        | `str`  | `None`                               | Secret key that should be passed in protected calls so that the server side "trusts" the client side (authentication).                                                                                                          |
+| `HEADLESS_URL`        | `str`  | `https://headless.stage.hive.pt`     | The base URL to be used to access [Headless](https://github.com/hivesolutions/headless).                                                                                                                                        |
+| `PRINT_URL`           | `str`  | `https://colony-print.stage.hive.pt` | Base URL of the [Colony Print](http://colony-print.hive.pt) service used for both the engraving job and the receipt printing.                                                                                                   |
+| `PRINT_NODE`          | `str`  | `default`                            | Name of the Colony Print node to use when printing the report receipt.                                                                                                                                                          |
+| `PRINT_PRINTER`       | `str`  | `printer`                            | Name of the printer (within the receipt node) to use when printing the report receipt.                                                                                                                                          |
+| `PRINT_KEY`           | `str`  | `null`                               | Secret key used to authenticate against Colony Print; shared by both the engraving job and the receipt printing.                                                                                                                |
+| `ENGRAVE_NODE`        | `str`  | value of `PRINT_NODE`                | Name of the Colony Print node to use when sending an engraving job; falls back to `PRINT_NODE` so existing single-printer deployments keep working.                                                                             |
+| `ENGRAVE_PRINTER`     | `str`  | value of `PRINT_PRINTER`             | Name of the printer (within the engrave node) to use when sending an engraving job; falls back to `PRINT_PRINTER` for the same backward compat reason.                                                                          |
+| `FEATURE_CALLIGRAPHY` | `bool` | `false`                              | Base value of the calligraphy feature flag; when set to a truthy value (`1`, `true`, `yes`, `on`) the calligraphy mode controls render on `/viewport`. May be overridden per session through the `Features` tab on `/settings`. |
+
+## Authentication
+
+Every interactive route is gated behind a session login. The list of valid users lives in `config/users.json` (gitignored, with a `config/users.json.example` checked into the repository) as an array of `{ "username": "...", "password_hash": "$2a$...", "role": "admin" | "user" }` entries; the `role` controls whether the user can reach the admin-only surfaces (`/settings`, `/settings/diagnostics`, `/profiles/*`) or just the basic engraving flow.
+
+New users are added through the `npm run user:add <username> <role>` helper which prompts for the password twice (no echo), bcrypts it at cost 10 and rewrites `config/users.json` in place; the running application picks the change up automatically through `fs.watch` so no restart is required. The bare `/login` and `/logout` routes, the `/info` endpoint, the static assets and the engine `/convert` endpoint (key authenticated through `SIGNATUR_KEY`) stay public.
 
 ## Query Parameters
 

package/app.js

@@ -7,7 +7,6 @@ const process = require("process");
 const bodyParser = require("body-parser");
 const multer = require("multer");
 const JSZip = require("jszip");
-const fetch = require("node-fetch");
 const ejs = require("ejs");
 const util = require("hive-js-util");
 const info = require("./package");
@@ -60,6 +59,39 @@ app.locals.dev = process.env.NODE_ENV !== "production";
 app.use("/static", express.static(path.join(__dirname, "static")));
 app.use(bodyParser.urlencoded({ extended: true }));
 
+// list of public route prefixes that bypass the global require
+// user middleware so the login flow, the favicon and the public
+// info endpoint can be reached without an authenticated session;
+// the engine convert endpoint stays public so colony print can
+// keep posting svgs validated through the existing key header,
+// the static mount falls past express.static for missing assets
+// so it must be public to keep returning a clean 404 instead of
+// redirecting to /login, and the text route is hit by Headless
+// from /receipt and /image without the user's cookie so it must
+// also stay reachable for those rendering flows to work
+const PUBLIC_PATHS = [
+    "/login",
+    "/logout",
+    "/info",
+    "/favicon.ico",
+    "/static",
+    "/convert",
+    "/text"
+];
+
+// global authentication middleware that enforces a logged in
+// user on every interactive route, allowing only the small list
+// of public paths above through; admin only routes apply the
+// `lib.requireAdmin` middleware directly below
+app.use((req, res, next) => {
+    const isPublic = PUBLIC_PATHS.some(prefix => req.path === prefix || req.path.startsWith(prefix + "/"));
+    if (isPublic) {
+        next();
+        return;
+    }
+    lib.requireUser(req, res, next);
+});
+
 // configures the multer middleware that parses the multipart
 // payload of the profile form, accepting only text fields since
 // background images are now managed by the dedicated asset
@@ -91,6 +123,45 @@ app.get("/", (req, res, next) => {
     res.redirect(302, home);
 });
 
+app.get("/login", (req, res, next) => {
+    const theme = req.query.theme || req.session.theme || "";
+    const locale = req.query.locale || req.session.locale || "";
+    const nextUrl = typeof req.query.next === "string" ? req.query.next : "";
+    const error = typeof req.query.error === "string" ? req.query.error : "";
+    res.render("login" + (locale ? `-${locale}` : ""), {
+        theme: theme,
+        next: nextUrl,
+        error: error
+    });
+});
+
+app.post("/login", async (req, res, next) => {
+    async function clojure() {
+        const username = typeof req.body.username === "string" ? req.body.username.trim() : "";
+        const password = typeof req.body.password === "string" ? req.body.password : "";
+        const nextRaw = typeof req.body.next === "string" ? req.body.next : "";
+        const safeNext = nextRaw.startsWith("/") && !nextRaw.startsWith("//") ? nextRaw : "/";
+        const user = await lib.verifyCredentials(username, password);
+        if (!user) {
+            const params = new URLSearchParams();
+            params.set("error", "invalid");
+            if (nextRaw) params.set("next", nextRaw);
+            res.redirect(302, "/login?" + params.toString());
+            return;
+        }
+        req.session.user = user;
+        res.redirect(302, safeNext);
+    }
+    clojure().catch(next);
+});
+
+const handleLogout = (req, res) => {
+    if (req.session) req.session.user = null;
+    res.redirect(302, "/login");
+};
+app.get("/logout", handleLogout);
+app.post("/logout", handleLogout);
+
 app.get("/gateway", (req, res, next) => {
     const fullscreen =
         req.query.fullscreen !== undefined
@@ -144,7 +215,7 @@ app.post("/gateway", (req, res, next) => {
     }
 });
 
-app.get("/settings", (req, res, next) => {
+app.get("/settings", lib.requireAdmin, (req, res, next) => {
     const fullscreen =
         req.query.fullscreen !== undefined
             ? req.query.fullscreen === "1"
@@ -167,12 +238,18 @@ app.get("/settings", (req, res, next) => {
         home: req.session.home === "welcome" ? "welcome" : "gateway",
         showOptions: req.session.show_options !== "0",
         viewportMode: req.session.viewport_mode === "store" ? "store" : "technical",
+        features: lib.resolveFeatures(req.session),
+        featuresBase: lib.conf.FEATURES || {},
+        featuresOverride: Object.keys(lib.FEATURES || {}).reduce((accumulator, name) => {
+            accumulator[name] = req.session["feature_" + name];
+            return accumulator;
+        }, {}),
         next: nextUrl,
         info: info || {}
     });
 });
 
-app.post("/settings", (req, res, next) => {
+app.post("/settings", lib.requireAdmin, (req, res, next) => {
     const theme = req.body.theme || "";
     const locale = req.body.locale || "";
     req.session.theme = theme;
@@ -181,13 +258,27 @@ app.post("/settings", (req, res, next) => {
     req.session.show_options = req.body.show_options === "0" ? "0" : "1";
     req.session.viewport_mode = req.body.viewport_mode === "store" ? "store" : "technical";
 
+    // persists every declared feature flag override sent through the
+    // features tab onto the session, treating `1` / `0` as explicit
+    // overrides and anything else as a clear so the base value from
+    // the matching `FEATURE_<NAME>` env var takes over again
+    for (const name of Object.keys(lib.FEATURES || {})) {
+        const value = req.body["feature_" + name];
+        if (value === "1") req.session["feature_" + name] = "1";
+        else if (value === "0") req.session["feature_" + name] = "0";
+        else delete req.session["feature_" + name];
+    }
+
     // resolves the redirect target from the submitted next field
     // restricting it to local paths so the form cannot be used as
-    // an open redirect
+    // an open redirect, falling back to the bare `/` so the user
+    // lands on the configured home (gateway or welcome) according
+    // to the freshly saved `home` preference instead of being
+    // hardcoded to the welcome screen
     const target =
         typeof req.body.next === "string" && req.body.next.startsWith("/")
             ? req.body.next
-            : "/welcome";
+            : "/";
 
     // persists the fullscreen flag onto the session so that it
     // survives the next request without polluting the redirect
@@ -197,6 +288,18 @@ app.post("/settings", (req, res, next) => {
     res.redirect(302, target);
 });
 
+app.post("/settings/diagnostics", lib.requireAdmin, (req, res, next) => {
+    async function clojure() {
+        const engine = lib.ENGINES.inkscape.singleton();
+        const probes = await engine.probe();
+        const fixturePath = path.join(__dirname, "res", "diagnostic.svg");
+        const svgBuffer = await fs.readFile(fixturePath);
+        const steps = await engine.diagnose(svgBuffer);
+        res.json({ probes: probes, steps: steps });
+    }
+    clojure().catch(next);
+});
+
 app.get("/welcome", (req, res, next) => {
     const fullscreen =
         req.query.fullscreen !== undefined
@@ -214,7 +317,8 @@ app.get("/welcome", (req, res, next) => {
         masterb64: masterb64,
         config: req.session.config || {},
         showOptions: req.session.show_options !== "0",
-        info: info || {}
+        info: info || {},
+        user: req.session.user || null
     });
 });
 
@@ -231,7 +335,7 @@ app.get("/signature", (req, res, next) => {
     res.render("signature" + (locale ? `-${locale}` : ""), {
         fullscreen: fullscreen,
         theme: theme,
-        back: req.session.entry === "welcome" ? "/welcome" : "/"
+        back: "/"
     });
 });
 
@@ -247,6 +351,7 @@ app.get("/viewport", (req, res, next) => {
     req.session.locale = locale;
     req.session.config = req.session.config || {};
     req.session.config.text = req.query.text || req.session.config.text || null;
+    const features = lib.resolveFeatures(req.session);
     res.render("viewport" + (locale ? `-${locale}` : ""), {
         fullscreen: fullscreen,
         theme: theme,
@@ -257,7 +362,9 @@ app.get("/viewport", (req, res, next) => {
         config: req.session.config || {},
         text: lib.deserializeText(req.session.config.text) || null,
         viewportMode: req.session.viewport_mode === "store" ? "store" : "technical",
-        back: req.session.entry === "welcome" ? "/welcome" : "/"
+        features: features,
+        featuresb64: Buffer.from(JSON.stringify(features)).toString("base64"),
+        back: "/"
     });
 });
 
@@ -282,7 +389,7 @@ app.get("/report", (req, res, next) => {
         text: lib.deserializeText(req.session.config.text) || null,
         font: lib.fontText(req.session.config.text) || null,
         localize: (v, f) => lib.localize(v, locale || undefined, f),
-        back: req.session.entry === "welcome" ? "/welcome" : "/"
+        back: "/"
     });
 });
 
@@ -362,11 +469,74 @@ app.post("/convert", (req, res, next) => {
     clojure().catch(next);
 });
 
+app.post("/feedback", (req, res, next) => {
+    async function clojure() {
+        // ensures the feedback feature is currently enabled for the
+        // requester so disabled deployments do not accept submissions
+        const features = lib.resolveFeatures(req.session);
+        if (!features.feedback) {
+            res.status(404).json({ error: "feedback feature is disabled" });
+            return;
+        }
+
+        // validates the satisfaction value against the small set of
+        // allowed multiple choice answers so the on disk payload stays
+        // consistent and easy to aggregate later
+        const allowedSatisfaction = new Set([
+            "very_satisfied",
+            "satisfied",
+            "neutral",
+            "unsatisfied",
+            "very_unsatisfied"
+        ]);
+        const satisfaction = typeof req.body.satisfaction === "string" ? req.body.satisfaction : "";
+        if (!allowedSatisfaction.has(satisfaction)) {
+            res.status(400).json({ error: "invalid satisfaction value" });
+            return;
+        }
+
+        // captures the optional free text notes, trimming any leading
+        // or trailing whitespace and applying a sensible upper bound
+        // so the persisted entries cannot grow unbounded
+        const notesRaw = typeof req.body.notes === "string" ? req.body.notes : "";
+        const notes = notesRaw.trim().slice(0, 2000);
+
+        // builds the entry payload, capturing the contextual fields the
+        // client sends so the feedback can be cross referenced with the
+        // engraving submission it relates to
+        const entry = {
+            id: crypto.randomUUID(),
+            timestamp: new Date().toISOString(),
+            satisfaction: satisfaction,
+            notes: notes,
+            profile: typeof req.body.profile === "string" ? req.body.profile : null,
+            variant: typeof req.body.variant === "string" ? req.body.variant : null,
+            locale: req.session.locale || null
+        };
+
+        // groups the feedback submissions by year, month and day in
+        // separate subdirectories derived from the ISO timestamp so
+        // the on disk layout stays easy to navigate as the number of
+        // entries grows, while each entry remains its own JSON file
+        // named after the generated identifier for easy inspection
+        // and per file aggregation
+        const year = entry.timestamp.slice(0, 4);
+        const month = entry.timestamp.slice(5, 7);
+        const day = entry.timestamp.slice(8, 10);
+        const directoryPath = path.join(__dirname, "data", "feedback", year, month, day);
+        await fs.mkdir(directoryPath, { recursive: true });
+        const entryPath = path.join(directoryPath, `${entry.id}.json`);
+        await fs.writeFile(entryPath, JSON.stringify(entry, null, 4) + "\n", "utf8");
+        res.json({ id: entry.id });
+    }
+    clojure().catch(next);
+});
+
 app.get("/config", (req, res, next) => {
     res.json(req.session.config || {});
 });
 
-app.get("/profiles/manager", (req, res, next) => {
+app.get("/profiles/manager", lib.requireAdmin, (req, res, next) => {
     async function clojure() {
         const fullscreen =
             req.query.fullscreen !== undefined
@@ -426,7 +596,7 @@ app.get("/profiles/manager", (req, res, next) => {
     clojure().catch(next);
 });
 
-app.post("/profiles/validate", profileUpload, (req, res, next) => {
+app.post("/profiles/validate", lib.requireAdmin, profileUpload, (req, res, next) => {
     async function clojure() {
         const editTarget = typeof req.body.edit_target === "string" ? req.body.edit_target : "";
         const { profile, errors } = lib.validateProfileSubmission(
@@ -445,7 +615,7 @@ app.post("/profiles/validate", profileUpload, (req, res, next) => {
     clojure().catch(next);
 });
 
-app.post("/profiles", profileUpload, (req, res, next) => {
+app.post("/profiles", lib.requireAdmin, profileUpload, (req, res, next) => {
     async function clojure() {
         const profileText = req.body.profile_json || "";
         const inspirationsText = req.body.inspirations_json || "";
@@ -507,7 +677,7 @@ app.post("/profiles", profileUpload, (req, res, next) => {
     clojure().catch(next);
 });
 
-app.post("/profiles/:id/enabled", profileUpload, (req, res, next) => {
+app.post("/profiles/:id/enabled", lib.requireAdmin, profileUpload, (req, res, next) => {
     async function clojure() {
         const id = req.params.id;
         if (!lib.PROFILE_ID_PATTERN.test(id)) {
@@ -546,7 +716,7 @@ app.post("/profiles/:id/enabled", profileUpload, (req, res, next) => {
     clojure().catch(next);
 });
 
-app.post("/profiles/:id/delete", (req, res, next) => {
+app.post("/profiles/:id/delete", lib.requireAdmin, (req, res, next) => {
     async function clojure() {
         const id = req.params.id;
         if (!lib.PROFILE_ID_PATTERN.test(id)) {
@@ -584,7 +754,7 @@ app.post("/profiles/:id/delete", (req, res, next) => {
     clojure().catch(next);
 });
 
-app.get("/profiles/assets", (req, res, next) => {
+app.get("/profiles/assets", lib.requireAdmin, (req, res, next) => {
     async function clojure() {
         const directoryPath = path.join(__dirname, "static", "profiles");
         const files = await fs.readdir(directoryPath);
@@ -594,7 +764,7 @@ app.get("/profiles/assets", (req, res, next) => {
     clojure().catch(next);
 });
 
-app.post("/profiles/assets", assetUpload, (req, res, next) => {
+app.post("/profiles/assets", lib.requireAdmin, assetUpload, (req, res, next) => {
     async function clojure() {
         const errors = [];
 
@@ -651,7 +821,7 @@ app.post("/profiles/assets", assetUpload, (req, res, next) => {
     clojure().catch(next);
 });
 
-app.post("/profiles/assets/:filename/delete", (req, res, next) => {
+app.post("/profiles/assets/:filename/delete", lib.requireAdmin, (req, res, next) => {
     async function clojure() {
         const filename = req.params.filename;
         if (!lib.ASSET_FILENAME_PATTERN.test(filename)) {
@@ -673,7 +843,7 @@ app.post("/profiles/assets/:filename/delete", (req, res, next) => {
     clojure().catch(next);
 });
 
-app.get("/profiles/bundle", (req, res, next) => {
+app.get("/profiles/bundle", lib.requireAdmin, (req, res, next) => {
     async function clojure() {
         const directoryPath = path.join(__dirname, "static", "profiles");
         const files = await fs.readdir(directoryPath);
@@ -709,7 +879,7 @@ app.get("/profiles/bundle", (req, res, next) => {
     clojure().catch(next);
 });
 
-app.post("/profiles/bundle", bundleUpload, (req, res, next) => {
+app.post("/profiles/bundle", lib.requireAdmin, bundleUpload, (req, res, next) => {
     async function clojure() {
         if (!req.file) {
             res.status(400).json({ error: "file is required" });