Merge pull request 'Alpha Release 0.1.1 - Hotfix release' (#106) from dev into main

Reviewed-on: #106 Reviewed-by: Philipp Dormann <philipp@philippdormann.de>
2021-01-16 20:32:39 +00:00 · 2021-01-16 20:32:39 +00:00 · 7533c349ef
commit 7533c349ef
parent 38b9a772cd 91569ced40
34 changed files with 1877 additions and 1667 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -90,11 +90,20 @@ trigger:
 kind: pipeline
 type: docker
 name: build:latest
+clone:
+  disable: true

 steps:
+  - name: clone
+    image: alpine/git
+    commands:
+      - git clone $DRONE_REMOTE_URL .
+      - git checkout dev
+      - git merge main
+      - git checkout main
  - name: build latest
+    depends_on: ["clone"]
    image: plugins/docker
-    depends_on: [clone]
    settings:
      username:
        from_secret: DOCKER_REGISTRY_USER
@ -104,6 +113,15 @@ steps:
      tags:
        - latest
      registry: registry.odit.services
+  - name: push merge to repo
+    depends_on: ["clone"]
+    image: appleboy/drone-git-push
+    settings:
+      branch: dev
+      commit: false
+      remote: git@git.odit.services:lfk/backend.git
+      ssh_key:
+        from_secret: GITLAB_SSHKEY

 trigger:
  branch:
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,8 +2,32 @@

 All notable changes to this project will be documented in this file. Dates are displayed in UTC.

+#### [v0.1.1](https://git.odit.services/lfk/backend/compare/v0.1.0...v0.1.1)
+
+- 🚀Bumped version to v0.1.1 [`9445c6f`](https://git.odit.services/lfk/backend/commit/9445c6f21e376329b9200664a44a94ba1f1dd463)
+- 🧾New changelog file version [CI SKIP] [skip ci] [`1b9d296`](https://git.odit.services/lfk/backend/commit/1b9d2969ebdca4dca84898b1e8307be7b781b90b)
+- Implemented the /me controller that allows a user to get and update themselves [`8ef5f90`](https://git.odit.services/lfk/backend/commit/8ef5f90abda97a73d5c5a7767a144ac3fb5288c1)
+- Implemented a baisc user checker/getter [`f1db883`](https://git.odit.services/lfk/backend/commit/f1db8836092269966a7f54e69b1f20c171e81b21)
+- Implemented getting own permissions [`4f6e816`](https://git.odit.services/lfk/backend/commit/4f6e81677c81c852e735407295c634b43b317479)
+- Hotfix: Missing relation bug [`6e6979c`](https://git.odit.services/lfk/backend/commit/6e6979cfe3660056cff6b9eabc194852234ac0a6)
+- Hotfix: Missing relation bug [`b167ba0`](https://git.odit.services/lfk/backend/commit/b167ba07f79709a2c3b33c5546c52659c42863f3)
+- automaticly merge main into dev after building a latest image [`02efb9a`](https://git.odit.services/lfk/backend/commit/02efb9a8e55831ecce4109e17b2f07a56e491fd5)
+- User deletion now requires confirmation [`6b7ecd3`](https://git.odit.services/lfk/backend/commit/6b7ecd3044c45b2eed46ee5010bed4dab4f02df9)
+- 🧾New changelog file version [CI SKIP] [skip ci] [`3766899`](https://git.odit.services/lfk/backend/commit/3766899c8393545a89986a98dafd542edc4a1d39)
+- 🧾New changelog file version [CI SKIP] [skip ci] [`6febb99`](https://git.odit.services/lfk/backend/commit/6febb994990b4cab7ee54b0368f74dd95664bfdf)
+- 🧾New changelog file version [CI SKIP] [skip ci] [`de36a24`](https://git.odit.services/lfk/backend/commit/de36a24191a8cdc4ff6b23637ea9f91109b59bbb)
+- Merge pull request 'User self-management feature/100-me_endpoints' (#103) from feature/100-me_endpoints into dev [`a6c7d54`](https://git.odit.services/lfk/backend/commit/a6c7d54fe72ffe23add926afa0be150a7a370099)
+- Created barebones file for the userchecker [`e586a11`](https://git.odit.services/lfk/backend/commit/e586a11e2ad42af9c9bb5d2a47f48e3306fe49b2)
+- Updated descriptions and responses [`fc7b8f4`](https://git.odit.services/lfk/backend/commit/fc7b8f4c16cef0e72b04f096d5a17d4144b5feb7)
+- 🧾New changelog file version [CI SKIP] [skip ci] [`50b893f`](https://git.odit.services/lfk/backend/commit/50b893f5370902ccc40f8bb45ed160103400f529)
+- Moved the me endpoints to /users/me [`f9834b5`](https://git.odit.services/lfk/backend/commit/f9834b5f4d80b11ee5f7773b339dd421341c6e7f)
+- Moved optional param to being optional [`a334adf`](https://git.odit.services/lfk/backend/commit/a334adffc6d07c8ab340263123e00a96f21acecb)
+
 #### [v0.1.0](https://git.odit.services/lfk/backend/compare/v0.0.12...v0.1.0)

+> 15 January 2021
+
+- Merge pull request 'First feature version 0.1.0' (#102) from dev into main [`38b9a77`](https://git.odit.services/lfk/backend/commit/38b9a772cd2d1c1e6298ae449d07db7c555a00e9)
 - Removed useless parts from functions and updated comments [`c05834f`](https://git.odit.services/lfk/backend/commit/c05834f2a13eb838efbf61be803e4e320561718e)
 - Switched tests over to the new id-only schema [`d88fb18`](https://git.odit.services/lfk/backend/commit/d88fb183198e66cadf5290c1ef7b7e4ccedad4f0)
 - 🧾New changelog file version [CI SKIP] [skip ci] [`0e119e4`](https://git.odit.services/lfk/backend/commit/0e119e48340cd0a602a08da727b480aa2fe5500c)
@ -24,6 +48,7 @@ All notable changes to this project will be documented in this file. Dates are d
 - 🧾New changelog file version [CI SKIP] [skip ci] [`dc6ad9c`](https://git.odit.services/lfk/backend/commit/dc6ad9cdd3d8f29ef9a15bf7ac61c7c55c57e9fb)
 - 🧾New changelog file version [CI SKIP] [skip ci] [`d1a0bed`](https://git.odit.services/lfk/backend/commit/d1a0bed00e01a0e9d8ba1165e3c6ca3dd910bd00)
 - Clarified comments [`1b799a6`](https://git.odit.services/lfk/backend/commit/1b799a697305791c3f67ac4a738c7287d1ac553e)
+- 🧾New changelog file version [CI SKIP] [skip ci] [`6184304`](https://git.odit.services/lfk/backend/commit/618430433d03012c2cad5be6021cf1ea8fdf9624)
 - 🧾New changelog file version [CI SKIP] [skip ci] [`8218a45`](https://git.odit.services/lfk/backend/commit/8218a452bdf7550ec1eed2b0045e94ea4ae91d31)
 - 🚀Bumped version to v0.1.0 [`80c5f9b`](https://git.odit.services/lfk/backend/commit/80c5f9b84de355b4408dcffd632589a9a0e4ad2e)
 - 🧾New changelog file version [CI SKIP] [skip ci] [`79f46cb`](https://git.odit.services/lfk/backend/commit/79f46cb745e4cb4bdac7dbb6c6c2b8fdc9867592)
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "@odit/lfk-backend",
-  "version": "0.1.0",
+  "version": "0.1.1",
  "main": "src/app.ts",
  "repository": "https://git.odit.services/lfk/backend",
  "author": {
--- a/src/app.ts
+++ b/src/app.ts
@ -5,10 +5,12 @@ import { config, e as errors } from './config';
 import loaders from "./loaders/index";
 import authchecker from "./middlewares/authchecker";
 import { ErrorHandler } from './middlewares/ErrorHandler';
+import UserChecker from './middlewares/UserChecker';

 const CONTROLLERS_FILE_EXTENSION = process.env.NODE_ENV === 'production' ? 'js' : 'ts';
 const app = createExpressServer({
  authorizationChecker: authchecker,
+  currentUserChecker: UserChecker,
  middlewares: [ErrorHandler],
  development: config.development,
  cors: true,
--- a/src/controllers/MeController.ts
+++ b/src/controllers/MeController.ts
@ -0,0 +1,86 @@
+import { Body, CurrentUser, Delete, Get, JsonController, OnUndefined, Put, QueryParam } from 'routing-controllers';
+import { OpenAPI, ResponseSchema } from 'routing-controllers-openapi';
+import { getConnectionManager, Repository } from 'typeorm';
+import { UserDeletionNotConfirmedError, UserIdsNotMatchingError, UsernameContainsIllegalCharacterError, UserNotFoundError } from '../errors/UserErrors';
+import { UpdateUser } from '../models/actions/update/UpdateUser';
+import { User } from '../models/entities/User';
+import { ResponseUser } from '../models/responses/ResponseUser';
+import { ResponseUserPermissions } from '../models/responses/ResponseUserPermissions';
+import { PermissionController } from './PermissionController';
+
+
+@JsonController('/users/me')
+@OpenAPI({ security: [{ "AuthToken": [] }, { "RefreshTokenCookie": [] }] })
+export class MeController {
+	private userRepository: Repository<User>;
+
+	/**
+	 * Gets the repository of this controller's model/entity.
+	 */
+	constructor() {
+		this.userRepository = getConnectionManager().get().getRepository(User);
+	}
+
+	@Get('/')
+	@ResponseSchema(ResponseUser)
+	@ResponseSchema(UserNotFoundError, { statusCode: 404 })
+	@OnUndefined(UserNotFoundError)
+	@OpenAPI({ description: 'Lists all information about yourself.' })
+	async get(@CurrentUser() currentUser: User) {
+		let user = await this.userRepository.findOne({ id: currentUser.id }, { relations: ['permissions', 'groups', 'groups.permissions', 'permissions.principal', 'groups.permissions.principal'] })
+		if (!user) { throw new UserNotFoundError(); }
+		return new ResponseUser(user);
+	}
+
+	@Get('/')
+	@ResponseSchema(ResponseUserPermissions)
+	@ResponseSchema(UserNotFoundError, { statusCode: 404 })
+	@OnUndefined(UserNotFoundError)
+	@OpenAPI({ description: 'Lists all permissions granted to the you sorted into directly granted and inherited as permission response objects.' })
+	async getPermissions(@CurrentUser() currentUser: User) {
+		let user = await this.userRepository.findOne({ id: currentUser.id }, { relations: ['permissions', 'groups', 'groups.permissions', 'permissions.principal', 'groups.permissions.principal'] })
+		if (!user) { throw new UserNotFoundError(); }
+		return new ResponseUserPermissions(user);
+	}
+
+	@Put('/')
+	@ResponseSchema(ResponseUser)
+	@ResponseSchema(UserNotFoundError, { statusCode: 404 })
+	@ResponseSchema(UserIdsNotMatchingError, { statusCode: 406 })
+	@ResponseSchema(UsernameContainsIllegalCharacterError, { statusCode: 406 })
+	@OpenAPI({ description: "Update the yourself. <br> You can't edit your own permissions or group memberships here - Please use the /api/users/:id enpoint instead. <br> Please remember that ids can't be changed." })
+	async put(@CurrentUser() currentUser: User, @Body({ validate: true }) updateUser: UpdateUser) {
+		let oldUser = await this.userRepository.findOne({ id: currentUser.id }, { relations: ['groups'] });
+		updateUser.groups = oldUser.groups.map(g => g.id);
+
+		if (!oldUser) {
+			throw new UserNotFoundError();
+		}
+
+		if (oldUser.id != updateUser.id) {
+			throw new UserIdsNotMatchingError();
+		}
+		await this.userRepository.save(await updateUser.update(oldUser));
+
+		return new ResponseUser(await this.userRepository.findOne({ id: currentUser.id }, { relations: ['permissions', 'groups', 'groups.permissions'] }));
+	}
+
+	@Delete('/')
+	@ResponseSchema(ResponseUser)
+	@ResponseSchema(UserNotFoundError, { statusCode: 404 })
+	@ResponseSchema(UserDeletionNotConfirmedError, { statusCode: 406 })
+	@OpenAPI({ description: 'Delete yourself. <br> You have to confirm your decision by providing the ?force=true query param. <br> If there are any permissions directly granted to you they will get deleted as well.' })
+	async remove(@CurrentUser() currentUser: User, @QueryParam("force") force: boolean) {
+		if (!force) { throw new UserDeletionNotConfirmedError; }
+		if (!currentUser) { return UserNotFoundError; }
+		const responseUser = await this.userRepository.findOne({ id: currentUser.id }, { relations: ['permissions', 'groups', 'groups.permissions'] });;
+
+		const permissionControler = new PermissionController();
+		for (let permission of responseUser.permissions) {
+			await permissionControler.remove(permission.id, true);
+		}
+
+		await this.userRepository.delete(currentUser);
+		return new ResponseUser(responseUser);
+	}
+}
--- a/src/controllers/UserController.ts
+++ b/src/controllers/UserController.ts
@ -1,7 +1,7 @@
 import { Authorized, Body, Delete, Get, JsonController, OnUndefined, Param, Post, Put, QueryParam } from 'routing-controllers';
 import { OpenAPI, ResponseSchema } from 'routing-controllers-openapi';
 import { getConnectionManager, Repository } from 'typeorm';
-import { UserIdsNotMatchingError, UsernameContainsIllegalCharacterError, UserNotFoundError } from '../errors/UserErrors';
+import { UserDeletionNotConfirmedError, UserIdsNotMatchingError, UsernameContainsIllegalCharacterError, UserNotFoundError } from '../errors/UserErrors';
 import { UserGroupNotFoundError } from '../errors/UserGroupErrors';
 import { CreateUser } from '../models/actions/create/CreateUser';
 import { UpdateUser } from '../models/actions/update/UpdateUser';
@ -105,9 +105,11 @@ export class UserController {
 	@Authorized("USER:DELETE")
 	@ResponseSchema(ResponseUser)
 	@ResponseSchema(ResponseEmpty, { statusCode: 204 })
+	@ResponseSchema(UserDeletionNotConfirmedError, { statusCode: 406 })
 	@OnUndefined(204)
-	@OpenAPI({ description: 'Delete the user whose id you provided. <br> If there are any permissions directly granted to the user they will get deleted as well. <br> If no user with this id exists it will just return 204(no content).' })
+	@OpenAPI({ description: 'Delete the user whose id you provided. <br> You have to confirm your decision by providing the ?force=true query param. <br> If there are any permissions directly granted to the user they will get deleted as well. <br> If no user with this id exists it will just return 204(no content).' })
 	async remove(@Param("id") id: number, @QueryParam("force") force: boolean) {
+		if (!force) { throw new UserDeletionNotConfirmedError; }
 		let user = await this.userRepository.findOne({ id: id });
 		if (!user) { return null; }
 		const responseUser = await this.userRepository.findOne({ id: id }, { relations: ['permissions', 'groups', 'groups.permissions'] });;
--- a/src/errors/UserErrors.ts
+++ b/src/errors/UserErrors.ts
@ -60,3 +60,15 @@ export class UserIdsNotMatchingError extends NotAcceptableError {
 	@IsString()
 	message = "The ids don't match!! \n And if you wanted to change a user's id: This isn't allowed!"
 }
+
+/**
+ * Error to throw when two users' ids don't match.
+ * Usually occurs when a user tries to change a user's id.
+ */
+export class UserDeletionNotConfirmedError extends NotAcceptableError {
+	@IsString()
+	name = "UserDeletionNotConfirmedError"
+
+	@IsString()
+	message = "You are trying to delete a user! \n If you're sure about doing this: provide the ?force=true query param."
+}
--- a/src/middlewares/UserChecker.ts
+++ b/src/middlewares/UserChecker.ts
@ -0,0 +1,58 @@
+import cookie from "cookie";
+import * as jwt from "jsonwebtoken";
+import { Action } from 'routing-controllers';
+import { getConnectionManager } from 'typeorm';
+import { config } from '../config';
+import { IllegalJWTError, UserDisabledError, UserNonexistantOrRefreshtokenInvalidError } from '../errors/AuthError';
+import { JwtCreator, JwtUser } from '../jwtcreator';
+import { User } from '../models/entities/User';
+
+/**
+ * TODO:
+ */
+const UserChecker = async (action: Action) => {
+    let jwtPayload = undefined
+    try {
+        let provided_token = "" + action.request.headers["authorization"].replace("Bearer ", "");
+        jwtPayload = <any>jwt.verify(provided_token, config.jwt_secret);
+        jwtPayload = jwtPayload["userdetails"];
+    } catch (error) {
+        jwtPayload = await refresh(action);
+    }
+
+    const user = await getConnectionManager().get().getRepository(User).findOne({ id: jwtPayload["id"], refreshTokenCount: jwtPayload["refreshTokenCount"] })
+    if (!user) { throw new UserNonexistantOrRefreshtokenInvalidError() }
+    if (user.enabled == false) { throw new UserDisabledError(); }
+    return user;
+};
+
+/**
+ * Handles soft-refreshing of access-tokens.
+ * @param action Routing-Controllers action object that provides request and response objects among other stuff.
+ */
+const refresh = async (action: Action) => {
+    let refresh_token = undefined;
+    try {
+        refresh_token = cookie.parse(action.request.headers["cookie"])["lfk_backend__refresh_token"];
+    }
+    catch {
+        throw new IllegalJWTError();
+    }
+
+    let jwtPayload = undefined;
+    try {
+        jwtPayload = <any>jwt.verify(refresh_token, config.jwt_secret);
+    } catch (error) {
+        throw new IllegalJWTError();
+    }
+
+    const user = await getConnectionManager().get().getRepository(User).findOne({ id: jwtPayload["id"], refreshTokenCount: jwtPayload["refreshTokenCount"] }, { relations: ['permissions', 'groups', 'groups.permissions'] })
+    if (!user) { throw new UserNonexistantOrRefreshtokenInvalidError() }
+    if (user.enabled == false) { throw new UserDisabledError(); }
+
+    let newAccess = JwtCreator.createAccess(user);
+    action.response.header("authorization", "Bearer " + newAccess);
+
+    return await new JwtUser(user);
+}
+export default UserChecker;
--- a/src/models/actions/update/UpdateUser.ts
+++ b/src/models/actions/update/UpdateUser.ts
@ -76,6 +76,7 @@ export class UpdateUser {
     * Should the user be enabled?
     */
    @IsBoolean()
+    @IsOptional()
    enabled: boolean = true;

    /**
--- a/src/models/entities/User.ts
+++ b/src/models/entities/User.ts
@ -138,8 +138,10 @@ export class User extends Principal {

    if (!this.groups) { return returnPermissions; }
    for (let group of this.groups) {
-      for (let permission of group.permissions) {
-        returnPermissions.push(permission);
+      if (group.permissions) {
+        for (let permission of group.permissions) {
+          returnPermissions.push(permission);
+        }
      }
    }
    return returnPermissions;
@ -159,8 +161,10 @@ export class User extends Principal {

    if (!this.groups) { return returnPermissions; }
    for (let group of this.groups) {
-      for (let permission of group.permissions) {
-        returnPermissions.push(permission.toString());
+      if (group.permissions) {
+        for (let permission of group.permissions) {
+          returnPermissions.push(permission.toString());
+        }
      }
    }
    return Array.from(new Set(returnPermissions));
--- a/src/models/responses/ResponseUser.ts
+++ b/src/models/responses/ResponseUser.ts
@ -92,6 +92,8 @@ export class ResponseUser extends ResponsePrincipal {
        this.profilePic = user.profilePic;
        this.groups = user.groups;
        this.permissions = user.allPermissions;
-        this.groups.forEach(function (g) { delete g.permissions });
+        if (this.groups) {
+            this.groups.forEach(function (g) { delete g.permissions });
+        }
    }
 }