first

src/middlewares/1707895706666-start.ts

@@ -0,0 +1,14 @@
+import { MigrationInterface, QueryRunner } from "typeorm";
+
+export class Start1707895706666 implements MigrationInterface {
+    name = 'Start1707895706666'
+
+    public async up(queryRunner: QueryRunner): Promise<void> {
+        await queryRunner.query(`CREATE TABLE \`entity_base\` (\`id\` varchar(36) NOT NULL, \`createdAt\` datetime(6) NOT NULL COMMENT 'สร้างข้อมูลเมื่อ' DEFAULT CURRENT_TIMESTAMP(6), \`createdUserId\` varchar(40) NOT NULL COMMENT 'User Id ที่สร้างข้อมูล' DEFAULT '00000000-0000-0000-0000-000000000000', \`lastUpdatedAt\` datetime(6) NOT NULL COMMENT 'แก้ไขข้อมูลล่าสุดเมื่อ' DEFAULT CURRENT_TIMESTAMP(6) ON UPDATE CURRENT_TIMESTAMP(6), \`lastUpdateUserId\` varchar(40) NOT NULL COMMENT 'User Id ที่แก้ไขข้อมูล' DEFAULT '00000000-0000-0000-0000-000000000000', \`createdFullName\` varchar(200) NOT NULL COMMENT 'ชื่อ User ที่สร้างข้อมูล' DEFAULT 'string', \`lastUpdateFullName\` varchar(200) NOT NULL COMMENT 'ชื่อ User ที่แก้ไขข้อมูลล่าสุด' DEFAULT 'string', PRIMARY KEY (\`id\`)) ENGINE=InnoDB`);
+    }
+
+    public async down(queryRunner: QueryRunner): Promise<void> {
+        await queryRunner.query(`DROP TABLE \`entity_base\``);
+    }
+
+}

src/middlewares/auth.ts

@@ -0,0 +1,88 @@
+import * as express from "express";
+import { createDecoder, createVerifier } from "fast-jwt";
+
+import HttpError from "../interfaces/http-error";
+import HttpStatus from "../interfaces/http-status";
+import { addLogSequence } from "../interfaces/utils";
+import { RequestWithUser } from "./user";
+
+if (!process.env.AUTH_PUBLIC_KEY && !process.env.AUTH_REALM_URL) {
+  throw new Error("Require keycloak AUTH_PUBLIC_KEY or AUTH_REALM_URL.");
+}
+if (process.env.AUTH_PUBLIC_KEY && process.env.AUTH_REALM_URL && !process.env.AUTH_PREFERRED_MODE) {
+  throw new Error(
+    "AUTH_PREFFERRED must be specified if AUTH_PUBLIC_KEY and AUTH_REALM_URL is provided.",
+  );
+}
+
+const jwtVerify = createVerifier({
+  key: async () => {
+    return `-----BEGIN PUBLIC KEY-----\n${process.env.AUTH_PUBLIC_KEY}\n-----END PUBLIC KEY-----`;
+  },
+});
+
+const jwtDecode = createDecoder();
+
+export async function expressAuthentication(
+  request: RequestWithUser,
+  securityName: string,
+  _scopes?: string[],
+) {
+  if (process.env.NODE_ENV !== "production" && process.env.AUTH_BYPASS) {
+    return { preferred_username: "bypassed" };
+  }
+
+  if (securityName !== "bearerAuth") throw new Error("ไม่ทราบวิธีการยืนยันตัวตน");
+
+  const token = request.headers["authorization"]?.includes("Bearer ")
+    ? request.headers["authorization"].split(" ")[1]
+    : request.headers["authorization"];
+
+  if (!token) throw new HttpError(HttpStatus.UNAUTHORIZED, "ไม่พบข้อมูลสำหรับยืนยันตัวตน");
+
+  let payload: Record<string, any> = {};
+
+  switch (process.env.AUTH_PREFERRED_MODE) {
+    case "online":
+      payload = await verifyOnline(token);
+      break;
+    case "offline":
+      payload = await verifyOffline(token);
+      break;
+    default:
+      if (process.env.AUTH_REALM_URL) payload = await verifyOnline(token);
+      if (process.env.AUTH_PUBLIC_KEY) payload = await verifyOffline(token);
+      break;
+  }
+  if (!request.app.locals.logData) {
+    request.app.locals.logData = {};
+  }
+
+  // addLogSequence(request, {
+  //   action: "database",
+  //   status: "success",
+  //   description: "Query Data.",
+  // });
+  request.app.locals.logData.userId = payload.sub;
+  request.app.locals.logData.userName = payload.name;
+  request.app.locals.logData.user = payload.preferred_username;
+
+  return payload;
+}
+
+async function verifyOffline(token: string) {
+  const payload = await jwtVerify(token).catch((_) => null);
+  if (!payload) throw new HttpError(HttpStatus.UNAUTHORIZED, "ไม่สามารถยืนยันตัวตนได้");
+  return payload;
+}
+
+async function verifyOnline(token: string) {
+  const res = await fetch(`${process.env.AUTH_REALM_URL}/protocol/openid-connect/userinfo`, {
+    headers: { authorization: `Bearer ${token}` },
+  }).catch((e) => console.error(e));
+
+  if (!res) throw new Error("ไม่สามารถเข้าถึงระบบยืนยันตัวตน");
+  if (!res.ok) throw new HttpError(HttpStatus.UNAUTHORIZED, "ไม่สามารถยืนยันตัวตนได้");
+
+  return await jwtDecode(token);
+}

src/middlewares/error.ts

@@ -0,0 +1,36 @@
+import { NextFunction, Request, Response } from "express";
+import HttpError from "../interfaces/http-error";
+import HttpStatus from "../interfaces/http-status";
+import { ValidateError } from "tsoa";
+
+function error(error: Error, _req: Request, res: Response, _next: NextFunction) {
+  const logData = _req.app.locals.logData.sequence?.at(-1);
+  if (logData) {
+    logData.status = "error";
+    logData.description = error.message;
+  }
+
+  if (error instanceof HttpError) {
+    return res.status(error.status).json({
+      status: error.status,
+      message: error.message,
+    });
+  }
+
+  if (error instanceof ValidateError) {
+    return res.status(error.status).json({
+      status: HttpStatus.UNPROCESSABLE_ENTITY,
+      message: "Validation error(s).",
+      detail: error.fields,
+    });
+  }
+
+  console.error("Exception Caught:" + error);
+
+  return res.status(HttpStatus.INTERNAL_SERVER_ERROR).json({
+    status: HttpStatus.INTERNAL_SERVER_ERROR,
+    message: error.message,
+  });
+}
+
+export default error;

src/middlewares/logs.ts

@@ -0,0 +1,80 @@
+import { NextFunction, Request, Response } from "express";
+import { Client } from "@elastic/elasticsearch";
+import permission from "../interfaces/permission";
+
+if (!process.env.ELASTICSEARCH_INDEX) {
+  throw new Error("Require ELASTICSEARCH_INDEX to store log.");
+}
+
+const ELASTICSEARCH_INDEX = process.env.ELASTICSEARCH_INDEX;
+
+const LOG_LEVEL_MAP: Record<string, number> = {
+  debug: 4,
+  info: 3,
+  warning: 2,
+  error: 1,
+  none: 0,
+};
+
+const elasticsearch = new Client({
+  node: `${process.env.ELASTICSEARCH_PROTOCOL}://${process.env.ELASTICSEARCH_HOST}:${process.env.ELASTICSEARCH_PORT}`,
+});
+
+async function logMiddleware(req: Request, res: Response, next: NextFunction) {
+  if (!req.url.startsWith("/api/")) return next();
+
+  let data: any;
+
+  const originalJson = res.json;
+
+  res.json = function (v: any) {
+    data = v;
+    return originalJson.call(this, v);
+  };
+
+  const timestamp = new Date().toISOString();
+  const start = performance.now();
+
+  req.app.locals.logData = {};
+
+  res.on("finish", async () => {
+    if (!req.url.startsWith("/api/")) return;
+
+    const level = LOG_LEVEL_MAP[process.env.LOG_LEVEL ?? "debug"] || 4;
+
+    if (level === 1 && res.statusCode < 500) return;
+    if (level === 2 && res.statusCode < 400) return;
+    if (level === 3 && res.statusCode < 200) return;
+    let token: any; 
+    token = req.headers['authorization']
+    
+    const rootId = await new permission().checkOrg(token,req.app.locals.logData.userId);
+
+    const obj = {
+      logType: res.statusCode >= 500 ? "error" : res.statusCode >= 400 ? "warning" : "info",
+      ip: req.ip,
+      rootId: rootId?rootId.orgRootId:null,
+      systemName: "evaluation",
+      startTimeStamp: timestamp,
+      endTimeStamp: new Date().toISOString(),
+      processTime: performance.now() - start,
+      host: req.hostname,
+      method: req.method,
+      endpoint: req.url,
+      responseCode: String(res.statusCode === 304 ? 200 : res.statusCode),
+      responseDescription: data?.message,
+      input: (level === 4 && JSON.stringify(req.body, null, 2)) || undefined,
+      output: (level === 4 && JSON.stringify(data, null, 2)) || undefined,
+      ...req.app.locals.logData,
+    };
+
+    elasticsearch.index({
+      index: ELASTICSEARCH_INDEX,
+      document: obj,
+    });
+  });
+
+  return next();
+}
+
+export default logMiddleware;

src/middlewares/user.ts

@@ -0,0 +1,13 @@
+import type { Request } from "express";
+
+export type RequestWithUser = Request & {
+  user: {
+    sub: string;
+    name: string;
+    given_name: string;
+    familiy_name: string;
+    preferred_username: string;
+    email: string;
+    role: string[];
+  };
+};