Merge branch 'development'

package.json

@@ -32,6 +32,7 @@
     "@nestjs/swagger": "^4.7.12",
     "axios": "^0.21.2",
     "bcrypt": "^5.0.0",
+    "class-transformer": "^0.5.1",
     "dot": "^1.1.3",
     "dotenv": "^8.2.0",
     "fastify-cookie": "^5.1.0",

public/src/interfaces/User.ts

@@ -33,5 +33,5 @@ export interface UserData {
   email: string;
   lastName: string;
   firstName: string;
-  isAdmin: boolean;
+  isAdmin?: boolean;
 }

public/src/pages/main/Userprofile.tsx

@@ -8,8 +8,7 @@ import AuthLayout from '../auth/AuthLayout';
 const defaultUserData: UserData = {
   email: '',
   firstName: '',
-  lastName: '',
-  isAdmin: false
+  lastName: ''
 };
 
 export const Userprofile = () => {

src/app.controller.ts

@@ -38,10 +38,6 @@ import {
 @Controller('/api')
 @ApiTags('App controller')
 export class AppController {
-  private static readonly XML_ENTITY_INJECTION = '<!DOCTYPE replace [<!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>'.toLowerCase();
-  private static readonly XML_ENTITY_INJECTION_RESPONSE = `root:x:0:0:root:/root:/bin/bash
-  daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin`;
-
   private readonly logger = new Logger(AppController.name);
 
   constructor(private readonly configService: ConfigService) {}
@@ -89,18 +85,13 @@ export class AppController {
   })
   @Header('content-type', 'text/xml')
   async xml(@Query('xml') xml: string): Promise<string> {
-    if (xml?.toLowerCase() === AppController.XML_ENTITY_INJECTION) {
-      return AppController.XML_ENTITY_INJECTION_RESPONSE;
-    }
-
     const xmlDoc = parseXml(xml, {
       dtdload: true,
-      noent: false,
+      noent: true,
       doctype: true,
       dtdvalid: true,
       errors: true,
     });
-
     this.logger.debug(xmlDoc);
     this.logger.debug(xmlDoc.getDtd());
 

src/auth/auth.controller.ts

@@ -16,7 +16,6 @@ import { createHash, randomBytes } from 'crypto';
 import {
   ApiBadRequestResponse,
   ApiCreatedResponse,
-  ApiForbiddenResponse,
   ApiOkResponse,
   ApiOperation,
   ApiResponse,
@@ -256,14 +255,13 @@ export class AuthController {
   @ApiOkResponse({
     type: JwtValidationResponse,
   })
-  @ApiForbiddenResponse({
+  @ApiUnauthorizedResponse({
     description: 'invalid credentials',
     schema: {
       type: 'object',
       properties: {
-        statusCode: { type: 'number' },
-        message: { type: 'string' },
         error: { type: 'string' },
+        location: { type: 'string' },
       },
     },
   })
@@ -320,16 +318,15 @@ export class AuthController {
   @ApiOkResponse({
     type: JwtValidationResponse,
   })
-  @ApiForbiddenResponse({
+  @ApiUnauthorizedResponse({
+    description: 'invalid credentials',
     schema: {
       type: 'object',
       properties: {
-        statusCode: { type: 'number' },
-        message: { type: 'string' },
         error: { type: 'string' },
+        location: { type: 'string' },
       },
     },
-    description: 'invalid credentials',
   })
   async validateWithWeakKeyJwt(): Promise<JwtValidationResponse> {
     return {
@@ -381,16 +378,15 @@ export class AuthController {
   @ApiOkResponse({
     type: JwtValidationResponse,
   })
-  @ApiForbiddenResponse({
+  @ApiUnauthorizedResponse({
+    description: 'invalid credentials',
     schema: {
       type: 'object',
       properties: {
-        statusCode: { type: 'number' },
-        message: { type: 'string' },
         error: { type: 'string' },
+        location: { type: 'string' },
       },
     },
-    description: 'invalid credentials',
   })
   async validateWithJKUJwt(): Promise<JwtValidationResponse> {
     return {
@@ -442,16 +438,15 @@ export class AuthController {
   @ApiOkResponse({
     type: JwtValidationResponse,
   })
-  @ApiForbiddenResponse({
+  @ApiUnauthorizedResponse({
+    description: 'invalid credentials',
     schema: {
       type: 'object',
       properties: {
-        statusCode: { type: 'number' },
-        message: { type: 'string' },
         error: { type: 'string' },
+        location: { type: 'string' },
       },
     },
-    description: 'invalid credentials',
   })
   async validateWithJWKJwt(): Promise<JwtValidationResponse> {
     return {
@@ -503,16 +498,15 @@ export class AuthController {
   @ApiOkResponse({
     type: JwtValidationResponse,
   })
-  @ApiForbiddenResponse({
+  @ApiUnauthorizedResponse({
+    description: 'invalid credentials',
     schema: {
       type: 'object',
       properties: {
-        statusCode: { type: 'number' },
-        message: { type: 'string' },
         error: { type: 'string' },
+        location: { type: 'string' },
       },
     },
-    description: 'invalid credentials',
   })
   async validateWithX5CJwt(): Promise<JwtValidationResponse> {
     return {
@@ -564,16 +558,15 @@ export class AuthController {
   @ApiOkResponse({
     type: JwtValidationResponse,
   })
-  @ApiForbiddenResponse({
+  @ApiUnauthorizedResponse({
+    description: 'invalid credentials',
     schema: {
       type: 'object',
       properties: {
-        statusCode: { type: 'number' },
-        message: { type: 'string' },
         error: { type: 'string' },
+        location: { type: 'string' },
       },
     },
-    description: 'invalid credentials',
   })
   async validateWithX5UJwt(): Promise<JwtValidationResponse> {
     return {

src/auth/auth.guard.ts

@@ -26,15 +26,18 @@ export class AuthGuard implements CanActivate {
 
       const request: FastifyRequest = context.switchToHttp().getRequest();
       const token = request.headers[AuthGuard.AUTH_HEADER] as string;
+
       if (!token || token.length == 0) {
         const token = request.cookies[AuthGuard.AUTH_HEADER];
 
-        return token
-          ? !!(await this.authService.validateToken(
-              token,
-              JwtProcessorType.BEARER,
-            ))
-          : false;
+        if (token) {
+          return !!(await this.authService.validateToken(
+            token,
+            JwtProcessorType.BEARER,
+          ));
+        } else {
+          throw new UnauthorizedException();
+        }
       } else if (this.checkIsBearer(token)) {
         return !!(await this.authService.validateToken(
           token.substring(7),
@@ -45,7 +48,6 @@ export class AuthGuard implements CanActivate {
           JwTypeMetadataField,
           context.getHandler(),
         );
-
         return !!(await this.authService.validateToken(token, processorType));
       }
     } catch (err) {

src/auth/jwt/jwt.token.with.sql.kid.processor.ts

@@ -22,7 +22,7 @@ export class JwtTokenWithSqlKIDProcessor extends JwtTokenProcessor {
       this.key,
       header.kid,
     );
-    this.log.debug(`Executing key fetchign qury: ${query}`);
+    this.log.debug(`Executing key fetching query: ${query}`);
     const keyRow: { key: string } = await this.em
       .getConnection()
       .execute(query);

src/auth/jwt/jwt.token.with.x5c.key.processor.ts

@@ -14,7 +14,7 @@ export class JwtTokenWithX5CKeyProcessor extends JwtTokenProcessor {
       return payload;
     }
     const keys = header.x5c;
-    this.log.debug(`Taking keys from from ${JSON.stringify(keys)}`);
+    this.log.debug(`Taking keys from ${JSON.stringify(keys)}`);
     return decode(token, keys[0], false, header.alg);
   }
 

src/users/api/UserDto.ts

@@ -1,4 +1,5 @@
-import { ApiProperty } from '@nestjs/swagger';
+import { ApiHideProperty, ApiProperty } from '@nestjs/swagger';
+import { Exclude } from 'class-transformer';
 
 export class UserDto {
   @ApiProperty()
@@ -10,11 +11,25 @@ export class UserDto {
   @ApiProperty()
   lastName: string;
 
-  @ApiProperty()
-  isAdmin: boolean;
+  @Exclude()
+  @ApiHideProperty()
+  isAdmin?: boolean;
 
-  @ApiProperty()
-  password: string;
+  @Exclude()
+  @ApiHideProperty()
+  password?: string;
+
+  @Exclude()
+  id: number;
+
+  @Exclude()
+  photo: Buffer;
+
+  @Exclude()
+  updatedAt: Date;
+
+  @Exclude()
+  createdAt: Date;
 
   constructor(
     params: {