staart / api
SaaS backend & API framework based on @nestjs
Home Page: https://staart.js.org/api
License: MIT License
express-brute has a moderate vulnerability, and we should use something else until v2 is out: AdamPflug/express-brute#83
I just installed Staart and I get this error when I register the first user.
{"error":"From is required"}
I think it is linked to a problem with email. Is it normal that the primaryEmail column has int(12) in staart-users?
Use rsmq to queue ongoing Nodemailer messages if Redis is available, otherwise directly send!
Although it is easy to understand from the config.ts file which options are available, I always really like an example configuration file for clarity.
Hi @AnandChowdhary ,
At the moment the permissions hierarchy isn't well enforced. For example: when creating a new user on an organisation, a manager can create an owner, so at any point anyone with permissions to CRUD team members can escalate themselves to owner by inviting one of their other email addresses. Would it be a reasonable idea to add some logic which says that users can only invite new members to a team with a permission level lower than their own permission level, unless they are a team owner, in which case that logic doesn't apply (i.e. they can create other owners too)? This would mean, say, a business owner authorises/creates all new manager accounts, and a manager authorises/creates all new 'basic employee' accounts. A business owner can add other business owners as they see fit, but a manager cannot add another manager or escalate himself or others to owner.
Also the edit member UI on that page is broken; I was thinking of coming back to that after I discussed the permissions with you.
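The invite rule proposed in the comment above, written out as an added example (this is not staart's own code); the three role names and their ranking are assumptions for illustration:

```typescript
// Added example, not part of staart. Role names and ranking are assumed.
type Role = "owner" | "manager" | "member";

// Higher number = more privilege.
const RANK: Record<Role, number> = { owner: 2, manager: 1, member: 0 };

// May `inviter` create or invite a membership with role `target`?
// Owners may grant any role, including owner. Everyone else may only grant
// roles strictly below their own, so a manager cannot create another manager
// or an owner, and therefore cannot escalate via a second email address.
function canAssignRole(inviter: Role, target: Role): boolean {
  if (inviter === "owner") return true;
  return RANK[target] < RANK[inviter];
}

// The same rule applied to editing an existing member: the actor must be
// allowed to assign both the member's current role and the new role, so a
// manager can neither promote anyone to owner nor demote an owner.
function canChangeRole(actor: Role, current: Role, next: Role): boolean {
  return canAssignRole(actor, current) && canAssignRole(actor, next);
}
```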
Hi @AnandChowdhary
Thanks for your great implementation! One area I was wondering about is the ability to merge two user accounts belonging to the same user. There are two scenarios in which a merge can apply.
You already have this covered through the email record resolution.
Two or more user records would have been created by then, so it would be great to have the ability to allow the user to merge into one of the user records.
Coincidentally, I found a SaaS app with a similar concept, but I'm not convinced that their approach works in consolidating user data. From their steps, I guess they only map an email back to the first user. But that still leaves the second user as a disconnected record.
https://help.clubhouse.io/hc/en-us/articles/211154966-Merging-User-Accounts-in-Clubhouse
Would love to hear your thoughts!
Hi Anand, here is the behaviour we're seeing now
User registers and verifies email - works fine now
User tries to login - immediately presented with a "You dont have permission to perform this action"....
Press F5 to refresh and it looks like the user is logged in -
However, when I start to click on the user icon the top right and select team or user settings - it keeps presenting us with this "You dont have permission".
Must be something we are not doing?
Invite a team member whose email address is let's say, [email protected]
Invitation is sent successfully.
Delete that team member from the list.
Invite the same team member again, i.e. use [email protected]. Error: An account with this email already exists
Regular expressions could be for Name (only alpha letters), Password (strong password with special characters, minimum length), Domain name (occurrence of dot) etc.
Better if we display the Password Strength meter.
I have this error after fresh install
Backup error Typejoi_1.default.validate is not a function
Click on "Login" and enter your email -> A magic link goes to your email to log you in
Send emails to users based on things like "card about to expire"
hello
I've tried to install. First the "use my template" button gave an error about files being more than 10mb, so I downloaded to my desktop and went through the manual process to get it set up.
I get this error though at the npm run build stage. Any ideas?
root@staartsaas:/srv/staartapp# sudo npm run build
[email protected] build /srv/staartapp
touch .env && mkdir -p dist && cp .env dist/.env && npm run generate-routes && tsc && cp -r lfs dist/src
[email protected] generate-routes /srv/staartapp
node setup/controllers.js
โ error Error in setup [Error: ENOENT: no such file or directory, scandir '/srv/staartapp/src/controllers'] {
errno: -2,
code: 'ENOENT',
syscall: 'scandir',
path: '/srv/staartapp/src/controllers'
}
Email domain: Enter your company's domain, eg. oswaldlabs.com
We'll allow people with emails from this domain to join this organization automatically
Do not allow the public domains to be included in this list like gmail, hotmail, rediffmail, and many others.
Currently, TypeScript with Babel throws this warning during compilation:
โ pending Compiling TypeScript
.staart/src/__staart.ts(2,34): error TS7016: Could not find a declaration file for module 'regenerator-runtime'. '/Users/smoujami/projects/dukketta/staart/migration/api/.staart/node_modules/regenerator-runtime/runtime.js' implicitly has an 'any' type.
Try `npm install @types/regenerator-runtime` if it exists or add a new declaration (.d.ts) file containing `declare module 'regenerator-runtime';`
โ success Listening on 8080
Here is the error during yarn install using Node 10:
error [email protected]: The engine "node" is incompatible with this module. Expected version ">= 12.10.0". Got "10.19.0"
Hi there,
I am working on extending some business logic so that resellers can be supported. In this case a Reseller can create a org, invite the end customer to be the org owner and then the reseller picks up the bill with billing disabled for the end user.
I noticed references to the naming of a role as reseller. I am curious if others are already doing something similar or if there are plans to build in reseller logic and roles which I can work on rather than starting from scratch.
In a Redis queue, if an email fails to send or an ElasticSearch record fails to be added, put it in an "error" queue and try again. If it still doesn't work, discard it and log the error
Instead of querying, using entities and TypeORM
As per the suggestion of @victorlap, methods which create a new organization/user/membership/etc., should return the newly created object.
This, combined with the right HTTP status code 201, can be better than just returning { created: true }.
Would be great if you could add a getting started guide for developing on staart ui with the staart backend wired up, maybe docker?
Under the GDPR, it's a good idea to delete logs periodically, especially when they have information like IP address and user agent.
We use the same logs as both server logs for admins and API key logs for end users, and they can be limited to the past 3 months. A cron job to delete all logs before 3 months can run every day or every week etc.
Release: 1.0.130
I get an error REFERRER_CHECK_FAIL error when verifying the JWT Token.
Contents of apiKeyToken.referrerRestrictions:
0: "staart-demo.o15y.com"
1: "localhost"
2: "oswaldlabs.com"
3: "staart-ui.o15y.now.sh"
It tries to match 127.0.0.1 but fails.
What I don't understand is how and where these are set, since I can't find them searching the codebase.
For instance, in Settings > Name, just enter whitespace characters and it allows them.
I believe we need to trim almost every input field.
Make a @staart/scripts package that contains something like react-scripts, which has all the scripts about generating controllers, updates, etc.
Leaving this for any user who comes across this (using MySQL >= 8.0). Be aware that the backend might throw the following error:
Error: ER_NOT_SUPPORTED_AUTH_MODE: Client does not support authentication protocol requested by server; consider upgrading MySQL client
You'll have to switch over to mysql_native_password:
ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'password';
FLUSH PRIVILEGES;
I have noticed that this leaks email hashes to Gravatar. Given Gravatar is quite an old service, I wonder if it is better to just allow users to upload their own profile images (or not).
Invite a team member [email protected]
A verification link is sent successfully and he verifies the link.
He is taken to a Login page where he is asked to enter a password but he doesn't have any password so far.
Probable Solution: Create another page where he can set his "new" password.
Check if user is admin and redeploy
Tables that have username, like organization and user, already have a human-readable key (apart from the autoincrementing ID).
cuid as the column name and default value cuid()
cuid unless a better one is available
cuid instead of JWT etc.
Hi there,
Thank you for all your work so far on this project.
I have come across a few issues with some security features that are included not functioning.
For example;
IP address restrictions - These are not actually restricting access to specified IP ranges (For example on the team view).
Invalidate session - Does not seem to 'log you out of this session in the next few minutes'.
The view for editing a user's permissions in relation to a team also seems to not exist. Has anyone else come across these issues? If not I will examine in further detail and submit a PR for fixes, but I don't want to waste time if this is a known issue and someone else is working on a fix, or it is a common config issue on my side.
Hi
Looks like the work is in progress. Good job!
I believe an important feature is missing: there should be a flag in the config file, namely Trial Period. Let us say we set it to 15 days. So the app should be accessible for free for that period.
Also, the system should notify (by email and instant notification both) that your subscription is about to expire in DAYS_LEFT time.
Thanks
Parse controllers for joiValidate functions, HTTP verbs, and TypeDoc comments to generate a schema
Use the same Redis queue for storing logs in ElasticSearch and calling webhooks
Use a Node.js caching library (like node-cache or node-cache-manager) for JWT invalidation, etc., instead of Redis directly, with Redis as the primary kv-store with in-memory as fallback
Hi @AnandChowdhary I am a logo designer.
I contribute to open source projects that do not have logo. I have designed a logo for staart. The logo idea also represents the function of the software. What do you think?
Hi @AnandChowdhary
It took me a while to get the app set up locally after the recent updates. The issue was that all xhr requests were failing because CORS couldn't be enabled even with proper config.
curl -v 'http://localhost:8080/v1/auth/login' -X OPTIONS -H 'Access-Control-Request-Method: POST'
--
< HTTP/1.1 200 OK
< X-DNS-Prefetch-Control: off
< X-Frame-Options: SAMEORIGIN
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
< X-Download-Options: noopen
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< X-Api-Version: 1.3.147
< X-RateLimit-Limit-Type: public
< X-RateLimit-Limit: 60
< X-RateLimit-Remaining: 59
< Date: Mon, 16 Mar 2020 17:36:24 GMT
< X-RateLimit-Reset: 1584380244
< Allow: POST
< Content-Type: text/html; charset=utf-8
< Content-Length: 4
< ETag: W/"4-Yf+Bwwqjx254r+pisuO9HfpJ6FQ"
< X-Response-Time: 6.500ms
< Connection: keep-alive
didn't return the necessary headers to allow requests to be sent from the UI.
My .env config:
# Remove CORS headers without API key
DISALLOW_OPEN_CORS = false
Upon closer inspection, it looks like the value false was coming in as a string, so it failed the condition here: https://github.com/staart/packages/blob/master/packages/server/index.ts#L52
Also a side issue during compilation:
โ pending Compiling TypeScript
.staart/src/__staart.ts(2,34): error TS7016: Could not find a declaration file for module 'regenerator-runtime'. '/Users/smoujami/projects/dukketta/staart/migration/api/.staart/node_modules/regenerator-runtime/runtime.js' implicitly has an 'any' type.
Try `npm install @types/regenerator-runtime` if it exists or add a new declaration (.d.ts) file containing `declare module 'regenerator-runtime';`
โ success Listening on 8080
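The DISALLOW_OPEN_CORS problem described in this report, as an added example that is not staart's code: everything in process.env is a string, so a bare truthiness check reads "false" as enabled. The env object is passed in (constructed below) rather than read from process.env, and the API-key rule in allowOpenCors is an assumption about how the flag is meant to apply:

```typescript
// Added example, not part of staart. Env values are passed in so it runs stand-alone.
type Env = Record<string, string | undefined>;

// The failure mode from the issue: process.env values are always strings, so
// a bare truthiness check treats the string "false" as true.
function naiveEnvBool(env: Env, name: string): boolean {
  return Boolean(env[name]);
}

// Strict parser: accepts a few spellings, falls back when the variable is
// unset or blank, and rejects anything else so a typo cannot silently flip a
// security-relevant switch in either direction (fail loudly, not open or closed).
function envBool(env: Env, name: string, fallback: boolean): boolean {
  const raw = env[name];
  if (raw === undefined || raw.trim() === "") return fallback;
  const v = raw.trim().toLowerCase();
  if (["1", "true", "yes", "on"].indexOf(v) !== -1) return true;
  if (["0", "false", "no", "off"].indexOf(v) !== -1) return false;
  throw new Error(`${name}: expected a boolean, got ${JSON.stringify(raw)}`);
}

// Constructed sample: the .env line from the issue, as a dotenv loader would
// expose it (key and value with the surrounding spaces already stripped).
const sampleEnv: Env = { DISALLOW_OPEN_CORS: "false" };

// Assumed policy matching the .env comment "Remove CORS headers without API
// key": requests carrying an API key get CORS headers regardless; requests
// without one get open CORS only when DISALLOW_OPEN_CORS is really false.
function allowOpenCors(env: Env, hasApiKey: boolean): boolean {
  if (hasApiKey) return true;
  return !envBool(env, "DISALLOW_OPEN_CORS", false);
}
```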
When performing actions like deleting your account, deleting your team, canceling a subscription, etc., the popup should ask for the user's password, and the API should check for password.
A helper function can be built and used: @Middleware(ConfirmPassword)
There is some mention of a super user login; from what I can see this seems to allow this user to log in and access all 'teams', is that correct?
Is there any plan to create an admin dashboard where members of the team can view summary data and make changes on behalf of users?
@AnandChowdhary
My requests are hanging.
curl -X POST http://localhost:8080/v1/auth/login -H 'Content-Type: application/json' -d '{"email":"[email protected]","password":"..."}'
Not sure if this is work in progress for the migration to Nest, but currently returning payload causes requests to time out. Using the latest in master.
Overnightjs expects this response:
@Post()
private handler(req: Request, res: Response) {
return res.status(200).json({
message: 'test',
});
}
but the current code returns the raw payload:
@Post()
private handler(req: Request, res: Response) {
return {
message: 'test',
}
}
Instead of sending in a CORS *, allow API keys to have a list of allowed referrers, and only allow those in Access-Control-Allow-Origin
Is there way to debug why the frontend is not sending the signup emails? We're sure we've got Production access setup in AWS and the email is verified and the keys are correct.
When using getPaginatedData(), add support for ?q=Hello&after=2489