
database-proxy


Configures database access through a set of access control rules, allowing the client to access the database directly via HTTP.

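"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.QueryHandler = void 0;
const security_1 = require("../../utils/security");
const constraint_1 = require("../../utils/constraint");
/**
 * Validate the `query` object of a request against the access rule `config`.
 *
 * 1. If `config` is an array, only the field names it lists may appear as
 *    query conditions, e.g. `['id', 'status']`.
 * 2. If `config` is an object, its keys are the only permitted query fields
 *    and each field is additionally checked against its constraint value.
 *
 * @param config validator configuration: an array of field names, an object
 *   of `{ field: constraint }`, or `undefined` (no rule configured)
 * @param context request context; `context.params.query` is the object checked
 * @returns `null` when the query is acceptable, otherwise an error string
 *   describing the first violation found
 */
const QueryHandler = async function (config, context) {
    // No rule configured: pass through.
    if (config === undefined) {
        return null;
    }
    const { query } = context.params;
    if (!query) return 'query is undefined';
    if (typeof query !== 'object') return 'query must be an object';
    // Array config: the allow-list of field names.
    // Array.isArray also recognises arrays from another realm, which
    // `instanceof Array` does not.
    if (Array.isArray(config)) {
        return checkWithArray(config, context);
    }
    // Object config: key is the field name, value its constraint.
    // `typeof null === 'object'`, so exclude null explicitly: otherwise
    // Object.keys(null) in checkWithObject throws a TypeError instead of
    // this handler returning the config error below.
    if (typeof config === 'object' && config !== null) {
        return checkWithObject(config, context);
    }
    return 'config error: config must be an array or object';
};
exports.QueryHandler = QueryHandler;
/**
 * Array rule: `fields` is the complete list of query field names allowed.
 * @param fields allowed field names
 * @param context request context
 * @returns the result of SecurityUtil.isAllowedFields for the fields found in
 *   the query (an error string, or a falsy value when all are allowed)
 */
function checkWithArray(fields, context) {
    const { query } = context.params;
    const input_fields = security_1.SecurityUtil.resolveFieldFromQuery(query);
    return security_1.SecurityUtil.isAllowedFields(input_fields, fields);
}
/**
 * Object rule: the keys of `object` are the allowed query fields, and each
 * key's value is the constraint checked for that field.
 * @param object map of field name -> constraint definition
 * @param context request context
 * @returns `null` when every field passes, otherwise the first error string
 */
async function checkWithObject(object, context) {
    const { query } = context.params;
    const input_fields = security_1.SecurityUtil.resolveFieldFromQuery(query);
    const allow_fields = Object.keys(object);
    // Reject unknown fields before evaluating any constraint.
    let error = security_1.SecurityUtil.isAllowedFields(input_fields, allow_fields);
    if (error) return error;
    const constraint = new constraint_1.Constraint(context, query);
    // Constraints are evaluated for every configured field, whether or not the
    // query mentions it; how an absent field is treated is up to
    // constraintField (not visible here).
    for (const field of allow_fields) {
        error = await constraint.constraintField(field, object[field]);
        if (error) return error;
    }
    return null;
}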