sumba 1.0.26 → 1.0.28

package/bajo/hook/waibu-mpa@pre-parsing.js

@@ -1,6 +1,7 @@
 import checkUserId from '../../lib/check-user-id.js'
 import checkTheme from '../../lib/check-theme.js'
 import checkIconset from '../../lib/check-iconset.js'
+import checkRole from '../../lib/check-role.js'
 
 const preParsing = {
   level: 10,
@@ -10,6 +11,7 @@ const preParsing = {
     await checkTheme.call(this, req, reply)
     await checkIconset.call(this, req, reply)
     await checkUserId.call(this, req, reply, 'waibuMpa')
+    await checkRole.call(this, req, reply, 'waibuMpa')
     req.menu = req.menu ?? {}
     if (req.user) {
       req.menu.user = [

package/bajo/hook/waibu-rest-api@pre-parsing.js

@@ -1,9 +1,11 @@
 import checkUserId from '../../lib/check-user-id.js'
+import checkRole from '../../lib/check-role.js'
 
 const onRequest = {
   level: 10,
   handler: async function (req, reply) {
     await checkUserId.call(this, req, reply, 'waibuRestApi')
+    await checkRole.call(this, req, reply, 'waibuRestApi')
   }
 }
 

package/bajo/hook/waibu-static@pre-parsing.js

@@ -1,9 +1,11 @@
 import checkUserId from '../../lib/check-user-id.js'
+import checkRole from '../../lib/check-role.js'
 
 const onRequest = {
   level: 10,
   handler: async function (req, reply) {
     await checkUserId.call(this, req, reply, 'waibuStatic')
+    await checkRole.call(this, req, reply, 'waibuStatic')
   }
 }
 

package/bajo/hook/waibu@after-app-boot.js

@@ -1,13 +1,17 @@
 import collectRoutes from '../../lib/collect-routes.js'
+import collectRoles from '../../lib/collect-roles.js'
 
 async function afterAppBoot () {
   this.log.trace('collectingRouteGuards')
   await collectRoutes.call(this, 'secure')
   await collectRoutes.call(this, 'anonymous')
   this.log.trace('secureRoutes%d', this.secureRoutes.length)
-  this.log.trace('secureInvRoutes%d', this.secureInvRoutes.length)
+  this.log.trace('secureNegRoutes%d', this.secureNegRoutes.length)
   this.log.trace('anonRoutes%d', this.anonymousRoutes.length)
-  this.log.trace('anonInvRoutes%d', this.anonymousInvRoutes.length)
+  this.log.trace('anonNegRoutes%d', this.anonymousNegRoutes.length)
+  this.log.trace('collectingRoleGuards')
+  await collectRoles.call(this)
+  this.log.trace('roles%d', this.roles.length)
 }
 
 export default afterAppBoot

package/bajo/intl/en-US.json

@@ -61,9 +61,9 @@
   "warningMemberOnly%s": "Please authenticate yourself first, because the <a href=\"%s\">page<a> your're trying to access is a member only page",
   "collectingRouteGuards": "Collecting route guards:",
   "secureRoutes%d": "- Secure routes: %d",
-  "secureInvRoutes%d": "- Secure, inverted routes: %d",
+  "secureNegRoutes%d": "- Secure, negated routes: %d",
   "anonRoutes%d": "- Anonymous routes: %d",
-  "anonInvRoutes%d": "- Anonymous, inverted routes: %d",
+  "anonNegRoutes%d": "- Anonymous, negated routes: %d",
   "replies": "Replies",
   "compose": "Compose",
   "yourReply": "Your Reply",
@@ -74,6 +74,10 @@
   "emailSent": "An email has been sent to your address",
   "forgotPasswordLink": "Forgot Password Link",
   "forgotPasswordChanged": "Password Successfully Changed",
+  "collectingRoleGuards": "Collecting role guards:",
+  "roles%d": "- Roles: %d",
+  "negRoles%d": "- Negated Roles: %d",
+  "permissionDenied": "Permission Denied",
   "field": {
     "currentPassword": "Current Password",
     "newPassword": "New Password",

package/bajo/intl/id.json

@@ -61,9 +61,9 @@
   "warningMemberOnly%s": "Silahkan melalukan otentikasi terlebih dahulu karena <a href=\"%s\">halaman<a> yang akan Anda akses adalah salah satu halaman khusus anggota saja",
   "collectingRouteGuards": "Mengoleksi pertahanan jalur:",
   "secureRoutes%d": "- Jalur aman: %d",
-  "secureInvRoutes%d": "- Jalur aman, terbalik: %d",
+  "secureNegRoutes%d": "- Jalur aman, dinegasikan: %d",
   "anonRoutes%d": "- Jalur anonim: %d",
-  "anonInvRoutes%d": "- Jalur anonim, terbalik: %d",
+  "anonNegRoutes%d": "- Jalur anonim, dinegasikan: %d",
   "conversation": "Percakapan",
   "replies": "Balas Berbalas",
   "compose": "Tulis",
@@ -75,6 +75,10 @@
   "emailSent": "Sebuah surel telah dikirim ke alamat Anda",
   "forgotPasswordLink": "Tautan Lupa Kata Sandi",
   "forgotPasswordChanged": "Kata Sandi Sukses Diubah",
+  "collectingRoleGuards": "Mengoleksi pertahanan peran:",
+  "roles%d": "- Peran: %d",
+  "negRoles%d": "- Peran, dinegasikan: %d",
+  "permissionDenied": "Permisi Ditolak",
   "field": {
     "currentPassword": "Kata Sandi Saat Ini",
     "newPassword": "Kata Sandi Baru",

package/bajo/method/check-paths/by-guard.js

@@ -0,0 +1,11 @@
+function byGuard ({ guards, paths }) {
+  const { outmatch } = this.app.bajo.lib
+  const matcher = outmatch(guards)
+  let guarded
+  for (const path of paths) {
+    if (!guarded) guarded = matcher(path)
+  }
+  return guarded
+}
+
+export default byGuard

package/bajo/method/check-paths/by-role.js

@@ -0,0 +1,19 @@
+function byRole ({ paths = [], method = 'GET', roles = [], guards = [] }) {
+  const { includes } = this.app.bajo
+  const { outmatch } = this.app.bajo.lib
+
+  for (const item of guards) {
+    const matchPath = outmatch(item.path)
+    for (const path of paths) {
+      if (matchPath(path)) {
+        const matchMethods = outmatch(item.methods)
+        if (matchMethods(method)) {
+          if (item.values.length === 0) return item
+          if (includes(roles, item.values)) return item
+        }
+      }
+    }
+  }
+}
+
+export default byRole

package/bajo/method/check-paths/by-routes.js

@@ -0,0 +1,15 @@
+function byRoutes ({ paths = [], method = 'GET', guards = [] }) {
+  const { outmatch } = this.app.bajo.lib
+
+  for (const item of guards) {
+    const matchPath = outmatch(item.path)
+    for (const path of paths) {
+      if (matchPath(path)) {
+        const matchMethods = outmatch(item.values)
+        if (matchMethods(method)) return item
+      }
+    }
+  }
+}
+
+export default byRoutes

package/bajo/method/get-user.js

@@ -1,5 +1,3 @@
-const unsafeFields = ['password']
-
 async function getUser (rec, safe = true) {
   const { recordGet } = this.app.dobo
   const { omit, isPlainObject } = this.app.bajo.lib._
@@ -7,7 +5,7 @@ async function getUser (rec, safe = true) {
   let user
   if (isPlainObject(rec)) user = rec
   else user = await recordGet('SumbaUser', rec, { noHook: true })
-  return safe ? omit(user, unsafeFields) : user
+  return safe ? omit(user, this.unsafeUserFields) : user
 }
 
 export default getUser

package/bajo/method/unsafe-user-fields.js

@@ -0,0 +1 @@
+export default ['password']

package/bajoTemplate/partial/_mail/user-signup-success.html

@@ -1,4 +1,4 @@
-<p>Welcome and thank your for joining us in <%= _get(_rel, 'site.title', 'our website') %>.
+<p>Welcome and thank your for joining us in <%= _meta.site.title %>.
 Please click the following link to activate your account:</p>
 
 <p><% const url = _meta.hostHeader + _routePath("sumba:/user/activation") + "?key=" + token %>

package/bajoTemplate/partial/_mail/user-signup-success.id.html

@@ -1,4 +1,4 @@
-<p>Selamat datang dan telah bergabung di <%= _get(_rel, 'site.title', 'situs kami') %>. Selanjutnya,
+<p>Selamat datang dan telah bergabung di <%= _meta.site.title %>. Selanjutnya,
 silahkan mengklik link dibawah ini untuk melakukan aktivasi akun anda:</p>
 
 <p><% const url = _meta.hostHeader + _routePath("sumba:/user/activation") + "?key=" + token %>

package/dobo/feature/role-id.js

@@ -0,0 +1,19 @@
+async function roleId (opts = {}) {
+  return {
+    properties: [{
+      name: 'roleId',
+      type: 'string',
+      maxLength: 50,
+      rel: {
+        site: {
+          schema: 'SumbaSite',
+          propName: 'id',
+          type: 'one-to-one'
+        }
+      },
+      index: true
+    }]
+  }
+}
+
+export default roleId

package/dobo/feature/site-id.js

@@ -6,9 +6,9 @@ async function siteId (opts = {}) {
       maxLength: 50,
       rel: {
         site: {
-          schema: 'SumbaSite',
+          schema: 'SumbaUser',
           propName: 'id',
-          fields: 'all'
+          type: 'one-on-many'
         }
       },
       index: true

package/dobo/feature/user-id.js

@@ -6,7 +6,11 @@ async function userId (opts = {}) {
       type: 'string',
       maxLength: 50,
       rel: {
-        user: 'SumbaUser:id'
+        site: {
+          schema: 'SumbaSite',
+          propName: 'id',
+          type: 'one-on-one'
+        }
       },
       index: true
     }]

package/dobo/fixture/role-user.json

@@ -0,0 +1,5 @@
+[{
+  "userId": "?:SumbaUser::username:admin",
+  "roleId": "?:SumbaRole::alias:administrator",
+  "siteId": "?:SumbaSite::alias:default"
+}]

package/dobo/fixture/role.json

@@ -0,0 +1,6 @@
+[{
+  "alias": "administrator",
+  "name": "Administrator",
+  "siteId": "?:SumbaSite::alias:default",
+  "status": "ENABLED"
+}]

package/dobo/schema/role-user.json

@@ -0,0 +1,15 @@
+{
+  "properties": [
+  ],
+  "indexes": [{
+    "fields": ["userId", "siteId", "id"],
+    "unique": true
+  }],
+  "feature": {
+    "createdAt": true,
+    "updatedAt": true,
+    "sumba.siteId": true,
+    "sumba.userId": true,
+    "sumba.roleId": true
+  }
+}

package/dobo/schema/role.json

@@ -0,0 +1,19 @@
+{
+  "properties": [
+    "alias::20::true",
+    "name::50:true:true"
+  ],
+  "indexes": [{
+    "fields": ["alias", "siteId"],
+    "unique": true
+  }],
+  "feature": {
+    "createdAt": true,
+    "updatedAt": true,
+    "sumba.siteId": true,
+    "sumba.status": {
+      "default": "ENABLED",
+      "values": ["ENABLED", "DISABLED"]
+    }
+  }
+}

package/lib/check-role.js

@@ -0,0 +1,32 @@
+import { pathsToCheck } from './check-user-id.js'
+
+async function mergeRoles (req) {
+  const { map } = this.app.bajo.lib._
+  const { recordFindAll } = this.app.dobo
+  req.user.roles = []
+  const query = { userId: req.user.id, siteId: req.site.id }
+  const userRoles = await recordFindAll('SumbaRoleUser', { query })
+  if (userRoles.length === 0) return
+  delete query.userId
+  query.id = { $in: map(userRoles, 'id'), status: 'ENABLED' }
+  const roles = await recordFindAll('SumbaRole', { query })
+  if (roles.length > 0) req.user.roles.push(...map(roles, 'alias'))
+}
+
+async function checkRole (req, reply, source) {
+  if (!req.user) return
+  const { map } = this.app.bajo.lib._
+  await mergeRoles.call(this, req)
+  const paths = pathsToCheck.call(this, req, true)
+  const match = this.checkPathsByRole({ paths, method: req.method, roles: req.user.roles, guards: this.roles })
+  if (match) return
+  const negMatch = this.checkPathsByRole({ paths, method: req.method, roles: req.user.roles, guards: this.negRoles })
+  if (negMatch) return
+  const guards = map(this.roles, r => r.path)
+  // fallback
+  const guarded = this.checkPathsByGuard({ paths, guards })
+  if (!guarded) return
+  throw this.error('permissionDenied')
+}
+
+export default checkRole

package/lib/check-user-id.js

@@ -1,51 +1,26 @@
-async function checker (req, container) {
-  const { outmatch } = this.app.bajo.lib
-  const { get } = this.app.bajo.lib._
-
-  let match
-  for (const item of container) {
-    let path = item.path
-    const isI18n = get(this.app[item.source], 'config.i18n.detectors', []).includes('path')
-    if (isI18n) path = `/${req.lang}${path}`
-    const matchPath = outmatch(path, { separator: false })
-    const checks = [req.routeOptions.url, req.url]
-    for (const check of checks) {
-      if (matchPath(check)) {
-        const matchMethods = outmatch(item.methods)
-        if (matchMethods(req.method)) {
-          match = item
-          break
-        }
-      }
-    }
-    if (match) break
-  }
-  return match
-}
-
-async function anonymous (req) {
-  const { omit } = this.app.bajo.lib._
-  const { getUser } = this
-  const { routePath } = this.app.waibu
-
-  if (!req.session) return
-  if (req.session.user) {
-    const match = await checker.call(this, req, this.anonymousRoutes)
-    if (match) {
-      const redir = routePath(this.config.redirect.signout, req)
-      req.session.ref = req.url
-      throw this.error('_redirect', { redirect: redir })
-    }
-    req.user = omit(await getUser(req.session.user.id), ['password', 'token'])
+export function pathsToCheck (req, withHome) {
+  const { uniq, without } = this.app.bajo.lib._
+  const checks = uniq(without([req.routeOptions.url, req.url], undefined, null))
+  /*
+  if (withHome) {
+    const homePath = get(this, 'app.waibu.config.home.path')
+    const homeForward = get(this, 'app.waibu.config.home.forward')
+    if (homePath && homeForward) checks.unshift('/')
   }
+  */
+  return checks
 }
 
-async function misc (req) {
-  const { omit } = this.app.bajo.lib._
-  const { getUser } = this
-  if (!req.session) return
-  if (req.session.user) {
-    req.user = omit(await getUser(req.session.user.id), ['password', 'token'])
+async function setUser (req) {
+  const { get } = this.app.bajo.lib._
+  const id = get(req, 'session.user.id')
+  if (!id) return
+  try {
+    const user = await this.getUser(id)
+    if (user) req.user = user
+    else req.session.user = null
+  } catch (err) {
+    req.session.user = null
   }
 }
 
@@ -55,38 +30,56 @@ async function mergeSetting (req) {
 
 async function checkUserId (req, reply, source) {
   const { isEmpty, camelCase } = this.app.bajo.lib._
+  const { routePath } = this.app.waibu
 
   const ctx = this.app[source].instance
   if (!req.routeOptions.url) {
-    await misc.call(this, req)
+    if (!req.session) return
+    await setUser.call(this, req)
     return
   }
-  const match = await checker.call(this, req, this.secureRoutes)
-  if (!match) {
-    await anonymous.call(this, req)
-    return
+
+  const paths = pathsToCheck.call(this, req)
+  let securePath = await this.checkPathsByRoutes({ paths, method: req.method, guards: this.secureRoutes })
+  if (securePath) {
+    const neg = await this.checkPathsByRoutes({ paths, method: req.method, guards: this.secureNegRoutes })
+    if (neg) securePath = undefined
   }
-  // excluded ?
-  const xmatch = await checker.call(this, req, this.secureInvRoutes)
-  if (xmatch) {
-    await anonymous.call(this, req)
+  let anonymousPath = await this.checkPathsByRoutes({ paths, method: req.method, guards: this.anonymousRoutes })
+  if (anonymousPath) {
+    const neg = await this.checkPathsByRoutes({ paths, method: req.method, guards: this.anonymousNegRoutes })
+    if (neg) anonymousPath = undefined
+  }
+  if (!securePath && !anonymousPath) {
+    if (req.session && req.session.user) await setUser.call(this, req)
     return
   }
-  const authMethods = this.config.auth[match.source].methods ?? []
-  if (isEmpty(authMethods)) throw this.error('noAuthMethod', { statusCode: 500 })
-  let success
-  for (const m of authMethods) {
-    const handler = this[camelCase(`verify ${m}`)]
-    if (!handler) throw this.error('invalidAuthMethod%s', m, { statusCode: 500 })
-    const check = await handler(req, reply, source, ctx)
-    if (check) {
-      success = check
-      break
+  if (anonymousPath) {
+    if (!req.session) return // can't check, so don't care
+    if (!req.session.user) return // not authenticated, why bother
+    req.session.ref = req.url
+    return reply.redirectTo(routePath(this.config.redirect.signout))
+  }
+  if (securePath) {
+    if (req.session && req.session.user) {
+      await setUser.call(this, req)
+      return
+    }
+    const authMethods = this.config.auth[securePath.source].methods ?? []
+    if (isEmpty(authMethods)) throw this.error('noAuthMethod', { statusCode: 500 })
+    let success
+    for (const m of authMethods) {
+      const handler = this[camelCase(`verify ${m}`)]
+      if (!handler) throw this.error('invalidAuthMethod%s', m, { statusCode: 500 })
+      const check = await handler(req, reply, source, ctx)
+      if (check) {
+        success = check
+        break
+      }
     }
+    if (!success) throw this.error('accessDenied', { statusCode: 401 })
+    await mergeSetting.call(this, req)
   }
-  if (!success) throw this.error('accessDenied', { statusCode: 401 })
-  await mergeSetting.call(this, req)
-  return success
 }
 
 export default checkUserId

package/lib/collect-roles.js

@@ -0,0 +1,44 @@
+async function collect ({ file, ns, dir }) {
+  const { readConfig } = this.app.bajo
+  const { routePath } = this.app.waibu
+  const { camelCase, isString, find } = this.app.bajo.lib._
+
+  const roles = await readConfig(file, { ignoreError: true })
+  const [item] = file.replace(dir, '').split('@')
+  let [source, subNs] = item.split('.').map(s => camelCase(s))
+  subNs = subNs ? `.${subNs}` : ''
+  for (const k in roles) {
+    const values = isString(roles[k]) ? [roles[k]] : roles[k]
+    let [path, methods] = k.split(':')
+    const isNeg = path[0] === '!'
+    if (isNeg) path = path.slice(1)
+    path = routePath(`${ns}${subNs}:${path}`)
+    const item = {
+      source,
+      path,
+      methods: methods.split(','),
+      values
+    }
+    const guards = this[isNeg ? 'negRoles' : 'roles']
+    if (find(guards, { path })) continue
+    guards.push(item)
+  }
+}
+
+async function collectRoles () {
+  const { eachPlugins } = this.app.bajo
+
+  this.roles = this.roles ?? []
+  this.negRoles = this.negRoles ?? []
+  const items = []
+  if (this.app.waibuStatic) items.push('waibuStatic.asset', 'waibuStatic.virtual', 'waibu-static.asset', 'waibu-static.virtual')
+  if (this.app.waibuRestApi) items.push('waibuRestApi', 'waibu-rest-api')
+  if (this.app.waibuMpa) items.push('waibuMpa', 'waibu-mpa')
+  const pattern = `{${items.join(',')}}@roles.*`
+  const me = this
+  await eachPlugins(async function ({ file, ns, dir }) {
+    await collect.call(me, { file, ns, dir })
+  }, { glob: pattern, prefix: this.name })
+}
+
+export default collectRoles

package/lib/collect-routes.js

@@ -1,45 +1,26 @@
-const indexes = []
-const invIndexes = []
-
 async function collect (type, { file, ns, dir }) {
   const { readConfig } = this.app.bajo
-  const { routeDir } = this.app.waibu
-  const { trim, camelCase } = this.app.bajo.lib._
-  const { hash } = this.app.bajoExtra
+  const { routePath } = this.app.waibu
+  const { camelCase, isString, find } = this.app.bajo.lib._
 
   const routes = await readConfig(file, { ignoreError: true })
-  let source = camelCase(trim(file.replace(dir, '').split('@')[0], '/'))
-  let prefixHandler = routeDir
-  if (this.app.waibuStatic && source.startsWith('waibuStatic')) {
-    const { assetDir, virtualDir } = this.app.waibuStatic
-    const parts = source.split('.')
-    source = parts[0]
-    prefixHandler = parts[1] === 'virtual' ? virtualDir : assetDir
-  }
-  for (let k in routes) {
-    const v = routes[k]
-    const prefix = prefixHandler(ns, source)
-    const inverted = k[0] === '!'
-    if (inverted) k = k.slice(1)
-    if (k[0] !== '/') k = '/' + k
+  const [item] = file.replace(dir, '').split('@')
+  let [source, subNs] = item.split('.').map(s => camelCase(s))
+  subNs = subNs ? `.${subNs}` : ''
+
+  for (let path in routes) {
+    const values = isString(routes[path]) ? routes[path].split(',') : routes[path]
+    const isNeg = path[0] === '!'
+    if (isNeg) path = path.slice(1)
+    path = routePath(`${ns}${subNs}:${path}`)
     const item = {
-      path: `${prefix}${k}`,
-      methods: v,
-      ns,
-      source
-    }
-    const index = await hash(item)
-    if (inverted && type === 'secure') {
-      if (!invIndexes.includes(index)) {
-        this[`${type}InvRoutes`].push(item)
-        invIndexes.push(index)
-      }
-    } else {
-      if (!indexes.includes(index)) {
-        this[`${type}Routes`].push(item)
-        indexes.push(index)
-      }
+      source,
+      path,
+      values
     }
+    const guards = this[`${type}${isNeg ? 'Neg' : ''}Routes`]
+    if (find(guards, { path })) continue
+    guards.push(item)
   }
 }
 
@@ -47,7 +28,7 @@ async function collectRoutes (type) {
   const { eachPlugins } = this.app.bajo
 
   this[`${type}Routes`] = this[`${type}Routes`] ?? []
-  this[`${type}InvRoutes`] = this[`${type}InvRoutes`] ?? []
+  this[`${type}NegRoutes`] = this[`${type}NegRoutes`] ?? []
   const items = []
   if (this.app.waibuStatic) items.push('waibuStatic.asset', 'waibuStatic.virtual', 'waibu-static.asset', 'waibu-static.virtual')
   if (this.app.waibuRestApi) items.push('waibuRestApi', 'waibu-rest-api')
@@ -57,8 +38,6 @@ async function collectRoutes (type) {
   await eachPlugins(async function ({ file, ns, dir }) {
     await collect.call(me, type, { file, ns, dir })
   }, { glob: pattern, prefix: this.name })
-  indexes.splice(0)
-  invIndexes.splice(0)
 }
 
 export default collectRoutes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sumba",
-  "version": "1.0.26",
+  "version": "1.0.28",
   "description": "Bajo Framework's Biz Suite",
   "main": "index.js",
   "scripts": {