Move conversion of Errors from AuthService to TokenStrategy.
This is necessary to correctly test the validateToken method.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
The former length of 64 bytes (512-bit) is transformed into base64url (a 6-bit code) ~86 characters long. This is too long for bcrypt as it ignores any characters beyond the 72th.
This fix therefore reduces the amount of generated bytes to 54 (as 72*6/8 = 54) characters. This ensures that removing one character from the token the hash won't be the same anymore.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
Catch all NotInDbErrors and TokenNotValidError and transform them to UnauthorizedException with the correct message.
This prevents nest from telling the api user that an internal server error has happened and instead display the correct http error code 401.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This should make the translation from env var name to config name and vice versa more consistent.
Fixes#751
Signed-off-by: Philip Molares <philip.molares@udo.edu>
The problem was that replace only replaces the first occurrence of a string and not all as is needed for this function.
tsconfig.json needed lib to be set to esnext or the replaceAll function won't be available…
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This should prevent problem with the AuthToken purge on Sundays, as the service is either running on sunday or will be restarted there after.
Also move base64url comment to right function
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This should prevent problem with the AuthToken purge on Sundays, as the service is either running on sunday or will be restarted there after.
Also move base64url comment to right function
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This is a very high ceiling unlikely to hinder legitimate usage, but should prevent possible attack vectors
Signed-off-by: Philip Molares <philip.molares@udo.edu>
Add number type alias TimestampMillis
Remove solved ToDos
Change AuthToken and AuthTokenDto to use Date
Rename authService unit tests
Signed-off-by: Philip Molares <philip.molares@udo.edu>
adds auth service
adds auth module
adds token-auth strategy
adds token-auth to all public api calls
Signed-off-by: Philip Molares <philip.molares@udo.edu>
Since the auth token will be stored in hashed form in the db, we need to hash each provided auth token in order to search in the db for them.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
adds private api
adds AuthTokenDto and AuthTokenWithSecretDto
adds necessary methods in the users service
adds RandomnessError
Signed-off-by: Philip Molares <philip.molares@udo.edu>
Since the auth token will be stored in hashed form in the db, we need to hash each provided auth token in order to search in the db for them.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
adds private api
adds AuthTokenDto and AuthTokenWithSecretDto
adds necessary methods in the users service
adds RandomnessError
Signed-off-by: Philip Molares <philip.molares@udo.edu>
Add labels to most Joi objects
Convert all auth variable insert names to upper case to prevent inconsistent naming of the variables
Rewrite auth errors to correctly point out the problematic variable
Add tests for the config utils functions
Signed-off-by: Philip Molares <philip.molares@udo.edu>
As explained in https://github.com/nestjs/swagger/issues/32#issuecomment-716169471, it's possible to register swagger metadata in custom decorators by providing an array of `enhancers`.
We now add metadata with the `MarkdownBody` decorator: The request needs a `body` with content-type `text/markdown`.
Signed-off-by: David Mehren <git@herrmehren.de>
This commit adds proper error handling and returns 404 when a note does not exist.
Previously, we leaked the `NotInDBError` and sent a 500 status code.
Signed-off-by: David Mehren <git@herrmehren.de>
These were planned to be parsed at runtime from the note-content in the database, but having to run a markdown parser in the backend was found to be a bad idea. Now the frontend (that already implements the parsing logic) has to set title, description and tags.
Signed-off-by: David Mehren <git@herrmehren.de>
Co-authored-by: Yannick Bungers <git@innay.de>
The NotePermissionsUpdateDto was not updated when group permissions were introduced.
Signed-off-by: David Mehren <git@herrmehren.de>
Co-authored-by: Yannick Bungers <git@innay.de>
As the `saveFile` method only really uses the files `Buffer`, this commit changes the signature so it directly gets a `Buffer` instead of a complicated `MulterFile` object. This also simplifies testing.
Signed-off-by: David Mehren <git@herrmehren.de>
`serve-static` does not work with `createTestingModule` and is not recommended when "just" serving a few images.
See https://github.com/nestjs/serve-static/issues/240
Signed-off-by: David Mehren <git@herrmehren.de>
Add debug logging to `saveFile` method and throw the proper errors when problems with the mime type are encountered
Signed-off-by: David Mehren <git@herrmehren.de>
We use `fs.unlink` instead of `fs.rm`, as the latter is only available in the fsPromises API since Node 14.14
Signed-off-by: David Mehren <git@herrmehren.de>
This service is responsible for operations regarding uploaded media. It should perform save, get and delete operations with the configured backend.
The service also checks, if the mime type of the uploaded media is allowed.
Signed-off-by: David Mehren <git@herrmehren.de>
It turned out that saving the file extension in a separate field is not necessary. Instead, the extension is saved in the complete filename in the `id` field.
Signed-off-by: David Mehren <git@herrmehren.de>
This backend stores uploaded media into files on the local filesystem.
This commit also adds a `BackendType` enum, which can be used to distinguish different media backends.
Signed-off-by: David Mehren <git@herrmehren.de>
which puts the markdown text directly to a variable in the route function.
Content-type of the http request is checked to be text/markdown because we dealing with markdown. Technically by now there can be any content which can be encoded. There could be features in the software which do not work properly if the text can't be parsed as markdown.
Signed-off-by: Yannick Bungers <git@innay.de>
ConsoleLoggerService is based on the default Nest LoggerService, but adds the ability to give context about the function that is logging something. It also removes the `[Nest]` string and the PID at the beginning of each log line.
NestConsoleLoggerService is a wrapper around ConsoleLoggerService and makes it possible to use our implementation as a default Nest LoggerService
Signed-off-by: David Mehren <git@herrmehren.de>
It might be handy to have access to the original `Note` after creating one, so the creation and conversion to a `NoteDto` is now split.
Signed-off-by: David Mehren <git@herrmehren.de>
The precision of sqlites datetime() timestamp is only one second (see https://www.sqlite.org/lang_datefunc.html). Therefore we could not order revisions of one note that were created in the same second. To remedy this, the primary key was changed to a monotonically increasing number, which solves the ordering problem.
Signed-off-by: David Mehren <git@herrmehren.de>
This commit also introduces the `getNoteDtoByIdOrAlias` method, that converts a `Note` entity to a `NoteDto`
Signed-off-by: David Mehren <git@herrmehren.de>
The `create()` function did not initialize all arrays, which caused them to be `undefined` instead of empty.
Signed-off-by: David Mehren <git@herrmehren.de>
TypeORM does not like having application code in the constructor (https://github.com/typeorm/typeorm/issues/1772#issuecomment-514787854), therefore that is moved into a new `create() static method. Additionally, the constructor is now `private`, which enforces the use of the new method.
Signed-off-by: David Mehren <git@herrmehren.de>
NestJS does not support content-types other than application/json.
Therefore we need to directly access the request object to get the raw body content.
Signed-off-by: David Mehren <git@herrmehren.de>
This commit implements the User entity according to the database schema and adds the Identity and AuthToken entities.
Signed-off-by: David Mehren <git@herrmehren.de>
This entity implements the Session interface from connect-typeorm, which we will later use to store session data from express-session.
Signed-off-by: David Mehren <git@herrmehren.de>
We now use the new permissions split in users and groups. Also the note now knows the colors of its authors.
Signed-off-by: David Mehren <git@herrmehren.de>
