This allows us to handle the possible errors due to non-integer numbers with joi and return more precise error messages.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
validate HD_DOMAIN and HD_RENDERER_ORIGIN with the uri validator of Joi. This should prevent the problem described in #2150.
Fixes#2150
See also: https://joi.dev/api/#stringurioptions
Signed-off-by: Philip Molares <philip.molares@udo.edu>
The email address should only be available
in /me routes.
This commit splits the email address into a new FullUserInfoDto.
Signed-off-by: David Mehren <git@herrmehren.de>
This now correctly returns the dto if it is provided. Previously it would return () => undefined, when the dto was not defined, which crashed some internal logic in nestjs.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This decorator gets a list of http codes and possible descriptions and adds all necessary decorator internally to the method or the class. This will prevent long OpenApi annotations and keep the controllers shorter.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
The constructor of an exception filter must be given
an instance of HttpAdapterHost, otherwise it will crash at runtime.
This can be reproduced by GETing /.
Reference: https://docs.nestjs.com/exception-filters#inheritance
Signed-off-by: David Mehren <git@herrmehren.de>
With these additional annotations the openapi docs under `/apidoc` and `/private/apidoc` will be improved by adding errors that the requests can return
Signed-off-by: Philip Molares <philip.molares@udo.edu>
As the public api is nearly completely protected by the TokenAuthGuard it seems unnecessarily verbose to add the guard to every method in the controllers, when an annotation at the top of the controller would be sufficient.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This filters all error that the controller will throw and either maps
them to the correct HttpException if they are internal errors like
NotInDBError, or just leaves them be if they are not part in the map.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
Because this mapping will now be done with the ErrorExceptionMapping class, the mapping will be omitted in the interceptor.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
The ErrorExceptionMapping class maps internal error to nestjs's appropriate HttpException.
The object returned by those HttpExceptions is now changed to include the name of the intern error code and error message instead of statusCode and error message as is default. This makes it possible to more easily programmatically distinguish between two errors that map to the same HttpException and only differ in the error message.
The statusCode was unnecessary, because any user of the api gets this information already by which HttpException was used.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
It's not really necessary to tell the user via get that this id is forbidden, it will not be there and as such NotInDBError is the correct message to the user
Signed-off-by: Philip Molares <philip.molares@udo.edu>
These test files are only autogenerated and don't have any benefit. Any behaviour one would test with them are (or at least should) already be covered by our e2e tests.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
To minimize type errors, when the config objects are changed, this commit introduces types to the mock config object accordingly.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This commit separates the app config object from a new note config object. This was done to separate different concerns in different config files. Especially if the number of settings that are about notes increase, it is a good idea to keep them separate from the app config.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This is part of an effort to consistently not embed User objects
in API responses. Usernames are returned instead.
Signed-off-by: David Mehren <git@herrmehren.de>
This is part of an effort to consistently not embed Group objects
in API responses. Names are returned instead.
Signed-off-by: David Mehren <git@herrmehren.de>
This is part of an effort to consistently not embed User objects
in API responses. Usernames are returned instead.
Signed-off-by: David Mehren <git@herrmehren.de>
This is part of an effort to consistently not embed User objects
in API responses. Usernames are returned instead.
Signed-off-by: David Mehren <git@herrmehren.de>
By checking the "old" password of the user prior to a password change, the
password change function is more secured against abuse.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
This change removes the customAuthNames property and redefines the
authProviders property of the frontend-config DTO. Instead of an
map from auth providers to their enabled-state (boolean), there is
now an array that just includes the configured auth providers while
also having the identifier and providerName of custom auth providers.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
express-session always creates an `request.session` object, so only
checking if that exists is not sufficient.
Signed-off-by: David Mehren <git@herrmehren.de>
This extracts the note inserted with the get note interceptor into the request to be used by the controller service.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This is necessary, because of the order of operations in nestjs, the validation pipe is not able to get the note as the noteIdOrAlias will be transformed by the get note pipe after the validation did run.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This commit removes all previous calls to the permissions service at the beginning of the controller methods to the permissions guard. This should make the code a bit cleaner and remove boilerplate code.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This guard protects resources and let's users only access them if they hold the correct permission
Signed-off-by: Philip Molares <philip.molares@udo.edu>
This enum makes it possible which permissions a user needs to hold to access a specific resource
Signed-off-by: Philip Molares <philip.molares@udo.edu>
The parameters of the permission checking methods were missing a null value for not set user. This is the case if user is not logged in and operating as guest.
Signed-off-by: Yannick Bungers <git@innay.de>
To make the create method easier to use in conjunction
with the authentication framework, this commit changes the type of
the `owner` parameter from `User | undefined` to `User | null`.
Signed-off-by: David Mehren <git@herrmehren.de>
To make the create method more consistent with the
guidelines,
this commit removes the default value from the `primary` parameter.
Signed-off-by: David Mehren <git@herrmehren.de>
To make the create method more consistent with the
guidelines,
this commit removes the default value from the `syncSource` parameter.
An Identity will be created as sync source,
when the associated account is created using an external provider.
Signed-off-by: David Mehren <git@herrmehren.de>
To make the create method more consistent with the
guidelines, this commit adds the `special` flag to
the parameters.
As this function will only be used to create the two hard-coded groups
and to handle API requests at one or two places, adding the parameter
should not be too problematic.
Signed-off-by: David Mehren <git@herrmehren.de>
This was done to give better typings to the function signatures of entities `create` methods.
It also ensures that each field that should be set to `null` is set to `null` and doesn't leave that up to the typeorm handlers.
See: #1641
Signed-off-by: Philip Molares <philip.molares@udo.edu>
The previously used HTTP error 400 'Bad Request' is not really
applicable here, as the client did not send a malformed message.
Signed-off-by: David Mehren <git@herrmehren.de>