Merge remote-tracking branch 'stage' into 'master'

fcv-iteratorIt · fcv-iteratorIt · commit b0a323c69114 · 2025-09-09T07:49:40.000+02:00
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -62,6 +62,7 @@
         "cookie-parser": "^1.4.5",
         "crypto-js": "^4.2.0",
         "dayjs": "^1.11.13",
+        "helmet": "^8.1.0",
         "kafkajs": "^2.2.4",
         "lodash": "^4.17.20",
         "mqtt": "^4.3.7",
diff --git a/src/auth/api-key.strategy.ts b/src/auth/api-key.strategy.ts
@@ -26,6 +26,9 @@ export class ApiKeyStrategy extends PassportStrategy(HeaderAPIKeyStrategy, ApiKe
     if (!apiKeyDb) {
       throw new UnauthorizedException(ErrorCodes.ApiKeyAuthFailed);
     }
+    if (apiKeyDb.expiresOn < new Date()) {
+      throw new UnauthorizedException(ErrorCodes.ApiKeyExpired);
+    }
 
     // Get the permissions and the UserID from the API Key instead of the user
     const permissions = await this.permissionService.findPermissionGroupedByLevelForApiKey(apiKeyDb.id);
diff --git a/src/controllers/admin-controller/iot-device-payload-decoder-data-target-connection.controller.ts b/src/controllers/admin-controller/iot-device-payload-decoder-data-target-connection.controller.ts
@@ -41,6 +41,7 @@ import { IoTDeviceService } from "@services/device-management/iot-device.service
 import { AuditLog } from "@services/audit-log.service";
 import { ActionType } from "@entities/audit-log-entry";
 import { ApiAuth } from "@auth/swagger-auth-decorator";
+import { AppendCopiedDeviceDto } from "@dto/append-copied-device.dto";
 
 @ApiTags("IoT-Device, PayloadDecoder and DataTarget Connection")
 @Controller("iot-device-payload-decoder-data-target-connection")
@@ -205,6 +206,33 @@ export class IoTDevicePayloadDecoderDataTargetConnectionController {
     }
   }
 
+  @Put("appendCopiedDevice/:id")
+  @ApplicationAdmin()
+  @ApiNotFoundResponse({
+    description: "If the id of the entity doesn't exist",
+  })
+  @ApiBadRequestResponse({
+    description: "If one or more of the id's are invalid references.",
+  })
+  async appendCopiedDevice(
+    @Req() req: AuthenticatedRequest,
+    @Param("id", new ParseIntPipe()) id: number,
+    @Body() dto: AppendCopiedDeviceDto
+  ): Promise<IoTDevicePayloadDecoderDataTargetConnection> {
+    try {
+      const newIotDevice = await this.iotDeviceService.findOne(dto.deviceId);
+      checkIfUserHasAccessToApplication(req, newIotDevice.application.id, ApplicationAccessScope.Write);
+
+      const result = await this.service.appendCopiedDevice(id, newIotDevice, req.user.userId);
+
+      AuditLog.success(ActionType.UPDATE, IoTDevicePayloadDecoderDataTargetConnection.name, req.user.userId, result.id);
+      return result;
+    } catch (err) {
+      AuditLog.fail(ActionType.UPDATE, IoTDevicePayloadDecoderDataTargetConnection.name, req.user.userId, id);
+      throw err;
+    }
+  }
+
   @Delete(":id")
   @ApplicationAdmin()
   @ApiNotFoundResponse({
diff --git a/src/controllers/api-key/api-key.controller.ts b/src/controllers/api-key/api-key.controller.ts
@@ -27,6 +27,7 @@ import {
 } from "@nestjs/common";
 import {
   ApiBadRequestResponse,
+  ApiBearerAuth,
   ApiForbiddenResponse,
   ApiNotFoundResponse,
   ApiOperation,
@@ -38,10 +39,9 @@ import { AuditLog } from "@services/audit-log.service";
 import { OrganizationService } from "@services/user-management/organization.service";
 import { UpdateApiKeyDto } from "@dto/api-key/update-api-key.dto";
 import { checkIfUserHasAccessToOrganization, OrganizationAccessScope } from "@helpers/security-helper";
-import { ApiAuth } from "@auth/swagger-auth-decorator";
 
 @UseGuards(JwtAuthGuard, RolesGuard)
-@ApiAuth()
+@ApiBearerAuth()
 @UserAdmin()
 @ApiForbiddenResponse()
 @ApiUnauthorizedResponse()
diff --git a/src/controllers/user-management/organization.controller.ts b/src/controllers/user-management/organization.controller.ts
@@ -14,14 +14,13 @@ import {
   UseGuards,
 } from "@nestjs/common";
 import {
+  ApiBearerAuth,
   ApiForbiddenResponse,
   ApiNotFoundResponse,
   ApiOperation,
   ApiTags,
   ApiUnauthorizedResponse,
 } from "@nestjs/swagger";
-
-import { JwtAuthGuard } from "@auth/jwt-auth.guard";
 import { ApplicationAdmin, GatewayAdmin, GlobalAdmin, Read, UserAdmin } from "@auth/roles.decorator";
 import { RolesGuard } from "@auth/roles.guard";
 import { DeleteResponseDto } from "@dto/delete-application-response.dto";
@@ -38,21 +37,21 @@ import { OrganizationService } from "@services/user-management/organization.serv
 import { AuditLog } from "@services/audit-log.service";
 import { ActionType } from "@entities/audit-log-entry";
 import { ListAllEntitiesDto } from "@dto/list-all-entities.dto";
-import { ApiAuth } from "@auth/swagger-auth-decorator";
 import { checkIfUserHasAccessToOrganization, OrganizationAccessScope } from "@helpers/security-helper";
-import { PermissionType } from "@enum/permission-type.enum";
+import { ComposeAuthGuard } from "@auth/compose-auth.guard";
 
-@UseGuards(JwtAuthGuard, RolesGuard)
-@ApiAuth()
+@UseGuards(ComposeAuthGuard, RolesGuard)
+@ApiBearerAuth()
 @ApiForbiddenResponse()
 @ApiUnauthorizedResponse()
 @ApiTags("Organization")
 @Controller("organization")
 @GlobalAdmin()
 export class OrganizationController {
-  constructor(private organizationService: OrganizationService) {}
   private readonly logger = new Logger(OrganizationController.name);
 
+  constructor(private organizationService: OrganizationService) {}
+
   @Post()
   @ApiOperation({ summary: "Create a new Organization" })
   async create(
diff --git a/src/controllers/user-management/permission.controller.ts b/src/controllers/user-management/permission.controller.ts
@@ -14,6 +14,7 @@ import {
   UseGuards,
 } from "@nestjs/common";
 import {
+  ApiBearerAuth,
   ApiForbiddenResponse,
   ApiNotFoundResponse,
   ApiOperation,
@@ -49,11 +50,10 @@ import { PermissionRequestAcceptUser } from "@dto/user-management/add-user-to-pe
 import { OrganizationService } from "@services/user-management/organization.service";
 import { Organization } from "@entities/organization.entity";
 import { User } from "@entities/user.entity";
-import { ApiAuth } from "@auth/swagger-auth-decorator";
 import { ListAllPermissionsSlimResponseDto } from "@dto/list-all-permissions-slim-response.dto";
 
 @UseGuards(JwtAuthGuard, RolesGuard)
-@ApiAuth()
+@ApiBearerAuth()
 @ApiForbiddenResponse()
 @ApiUnauthorizedResponse()
 @ApiTags("Permission")
diff --git a/src/controllers/user-management/user.controller.ts b/src/controllers/user-management/user.controller.ts
@@ -15,7 +15,7 @@ import {
   Req,
   UseGuards,
 } from "@nestjs/common";
-import { ApiForbiddenResponse, ApiOperation, ApiTags, ApiUnauthorizedResponse } from "@nestjs/swagger";
+import { ApiBearerAuth, ApiForbiddenResponse, ApiOperation, ApiTags, ApiUnauthorizedResponse } from "@nestjs/swagger";
 import { QueryFailedError } from "typeorm";
 
 import { JwtAuthGuard } from "@auth/jwt-auth.guard";
@@ -41,20 +41,19 @@ import { ListAllEntitiesDto } from "@dto/list-all-entities.dto";
 import { OrganizationService } from "@services/user-management/organization.service";
 import { Organization } from "@entities/organization.entity";
 import { RejectUserDto } from "@dto/user-management/reject-user.dto";
-import { ApiAuth } from "@auth/swagger-auth-decorator";
 
 @UseGuards(JwtAuthGuard, RolesGuard)
 @UserAdmin()
-@ApiAuth()
+@ApiBearerAuth()
 @ApiForbiddenResponse()
 @ApiUnauthorizedResponse()
 @ApiTags("User Management")
 @Controller("user")
 export class UserController {
-  constructor(private userService: UserService, private organizationService: OrganizationService) {}
-
   private readonly logger = new Logger(UserController.name);
 
+  constructor(private userService: UserService, private organizationService: OrganizationService) {}
+
   @Get("minimal")
   @ApiOperation({ summary: "Get all id,names of users" })
   async findAllMinimal(): Promise<ListAllUsersMinimalResponseDto> {
diff --git a/src/entities/api-key.entity.ts b/src/entities/api-key.entity.ts
@@ -23,4 +23,7 @@ export class ApiKey extends DbBaseEntity {
   })
   @JoinColumn()
   systemUser: User;
+
+  @Column({ nullable: true })
+  expiresOn?: Date;
 }
diff --git a/src/entities/dto/api-key/create-api-key.dto.ts b/src/entities/dto/api-key/create-api-key.dto.ts
@@ -1,5 +1,7 @@
 import { ApiProperty } from "@nestjs/swagger";
 import { ArrayNotEmpty, ArrayUnique, IsArray, IsString, Length } from "class-validator";
+import { IsSwaggerOptional } from "@helpers/optional-validator";
+import { ValidateDate } from "@helpers/date.validator";
 
 export class CreateApiKeyDto {
   @ApiProperty({ required: true })
@@ -18,4 +20,8 @@ export class CreateApiKeyDto {
   @ArrayNotEmpty()
   @ArrayUnique()
   permissionIds: number[];
+
+  @IsSwaggerOptional()
+  @ValidateDate()
+  expiresOn?: Date;
 }
diff --git a/src/entities/dto/append-copied-device.dto.ts b/src/entities/dto/append-copied-device.dto.ts
@@ -0,0 +1,8 @@
+import { ApiProperty } from "@nestjs/swagger";
+import { IsNumber } from "class-validator";
+
+export class AppendCopiedDeviceDto {
+  @ApiProperty({ required: true })
+  @IsNumber()
+  deviceId: number;
+}
diff --git a/src/entities/dto/list-all-entities.dto.ts b/src/entities/dto/list-all-entities.dto.ts
@@ -43,5 +43,6 @@ export class ListAllEntitiesDto {
     | "dataTargets"
     | "organizationName"
     | "commentOnLocation"
-    | "statusCheck";
+    | "statusCheck"
+    | "expiresOn";
 }
diff --git a/src/entities/dto/user-management/create-user.dto.ts b/src/entities/dto/user-management/create-user.dto.ts
@@ -1,7 +1,8 @@
-import { Permission } from "@entities/permissions/permission.entity";
 import { IsNotBlank } from "@helpers/is-not-blank.validator";
 import { ApiProperty } from "@nestjs/swagger";
 import { IsEmail, IsString, Length } from "class-validator";
+import { IsSwaggerOptional } from "@helpers/optional-validator";
+import { ValidateDate } from "@helpers/date.validator";
 
 export class CreateUserDto {
   @ApiProperty({ required: true })
@@ -27,4 +28,8 @@ export class CreateUserDto {
 
   @ApiProperty({ required: false })
   permissionIds?: number[];
+
+  @IsSwaggerOptional()
+  @ValidateDate()
+  expiresOn?: Date;
 }
diff --git a/src/entities/enum/error-codes.enum.ts b/src/entities/enum/error-codes.enum.ts
@@ -38,6 +38,7 @@ export enum ErrorCodes {
   DeleteNotAllowedHasLoRaWANDevices = "MESSAGE.DELETE-NOT-ALLOWED-HAS-LORAWAN-DEVICE",
   KOMBITLoginFailed = "MESSAGE.KOMBIT-LOGIN-FAILED",
   ApiKeyAuthFailed = "MESSAGE.API-KEY-AUTH-FAILED",
+  ApiKeyExpired = "MESSAGE.API-KEY-EXPIRED",
   TooMuchData = "MESSAGE.TOO-MUCH-DATA",
   ApplicationDoesNotExist = "MESSAGE.APPLICATION-DOES-NOT-EXIST",
   FailedToCreateOrUpdateIotDevice = "MESSAGE.FAILED-TO-CREATE-OR-UPDATE-IOT-DEVICE",
diff --git a/src/entities/user.entity.ts b/src/entities/user.entity.ts
@@ -50,4 +50,7 @@ export class User extends DbBaseEntity {
 
   @Column({ default: false })
   showWelcomeScreen: boolean;
+
+  @Column({ nullable: true })
+  expiresOn?: Date;
 }
diff --git a/src/main.ts b/src/main.ts
@@ -8,6 +8,7 @@ import * as dotenv from "dotenv";
 import { setupNestJs } from "@loaders/nestjs";
 import { setupSwagger } from "@loaders/swagger";
 import configuration from "@config/configuration";
+import helmet from "helmet";
 
 async function bootstrap() {
   // Load .env file as environment before startup.
@@ -22,6 +23,16 @@ async function bootstrap() {
   };
   const server = express();
 
+  // Set security headers using Helmet
+  server.use(
+    helmet({
+      referrerPolicy: { policy: "no-referrer-when-downgrade" },
+      xFrameOptions: { action: "deny" },
+      hidePoweredBy: true,
+      strictTransportSecurity: { maxAge: 63072000, includeSubDomains: true, preload: true },
+    })
+  );
+
   const app = await setupNestJs(config, server);
   setupSwagger(app, config.SWAGGER_PREFIX);
 
diff --git a/src/migration/1746172231928-AddedExpiresOnToUserAndApiKey.ts b/src/migration/1746172231928-AddedExpiresOnToUserAndApiKey.ts
@@ -0,0 +1,16 @@
+import { MigrationInterface, QueryRunner } from "typeorm";
+
+export class AddedExpiresOnToUserAndApiKey1746172231928 implements MigrationInterface {
+    name = 'AddedExpiresOnToUserAndApiKey1746172231928'
+
+    public async up(queryRunner: QueryRunner): Promise<void> {
+        await queryRunner.query(`ALTER TABLE "api_key" ADD "expiresOn" TIMESTAMP`);
+        await queryRunner.query(`ALTER TABLE "user" ADD "expiresOn" TIMESTAMP`);
+    }
+
+    public async down(queryRunner: QueryRunner): Promise<void> {
+        await queryRunner.query(`ALTER TABLE "user" DROP COLUMN "expiresOn"`);
+        await queryRunner.query(`ALTER TABLE "api_key" DROP COLUMN "expiresOn"`);
+    }
+
+}
diff --git a/src/modules/user-management/user.module.ts b/src/modules/user-management/user.module.ts
@@ -1,4 +1,4 @@
-import { Module, forwardRef } from "@nestjs/common";
+import { forwardRef, Module } from "@nestjs/common";
 
 import { SharedModule } from "@modules/shared.module";
 import { PermissionModule } from "@modules/user-management/permission.module";
@@ -9,6 +9,7 @@ import { OrganizationModule } from "./organization.module";
 import { ConfigModule } from "@nestjs/config";
 import configuration from "@config/configuration";
 import { OS2IoTMail } from "@services/os2iot-mail.service";
+import { TemporaryAccessService } from "@services/temporary-access.service";
 
 @Module({
   imports: [
@@ -18,7 +19,7 @@ import { OS2IoTMail } from "@services/os2iot-mail.service";
     forwardRef(() => OrganizationModule),
   ],
   controllers: [UserController],
-  providers: [UserService, UserBootstrapperService, OS2IoTMail],
+  providers: [TemporaryAccessService, UserService, UserBootstrapperService, OS2IoTMail],
   exports: [UserService],
 })
 export class UserModule {}
diff --git a/src/services/api-key-management/api-key.service.ts b/src/services/api-key-management/api-key.service.ts
@@ -5,7 +5,7 @@ import { ListAllApiKeysResponseDto } from "@dto/api-key/list-all-api-keys-respon
 import { ListAllApiKeysDto } from "@dto/api-key/list-all-api-keys.dto";
 import { DeleteResponseDto } from "@dto/delete-application-response.dto";
 import { ApiKey } from "@entities/api-key.entity";
-import { forwardRef, Inject, Injectable, Logger } from "@nestjs/common";
+import { forwardRef, Inject, Injectable } from "@nestjs/common";
 import { InjectRepository } from "@nestjs/typeorm";
 import { PermissionService } from "@services/user-management/permission.service";
 import { Repository } from "typeorm";
@@ -21,7 +21,6 @@ export class ApiKeyService {
     @Inject(forwardRef(() => PermissionService))
     private permissionService: PermissionService
   ) {}
-  private readonly logger = new Logger(ApiKeyService.name, { timestamp: true });
 
   findOne(key: string): Promise<ApiKey> {
     return this.apiKeyRepository.findOne({
@@ -61,7 +60,7 @@ export class ApiKeyService {
     }
 
     if (query.orderOn && query.sort) {
-      dbQuery = dbQuery.orderBy(`api_key.${query.orderOn}`, query.sort.toUpperCase() as "ASC" | "DESC");
+      dbQuery = dbQuery.orderBy(`api_key.${query.orderOn}`, query.sort.toUpperCase() as "ASC" | "DESC", "NULLS LAST");
     }
 
     const [data, count] = await dbQuery.getManyAndCount();
@@ -79,13 +78,15 @@ export class ApiKeyService {
     apiKey.name = dto.name;
     apiKey.updatedBy = userId;
     apiKey.createdBy = userId;
+    apiKey.expiresOn = dto.expiresOn;
 
     // Create the system user
     const systemUser = new User();
     systemUser.active = false;
     systemUser.isSystemUser = true;
     systemUser.passwordHash = uuidv4(); // Random password, user can never log in
     systemUser.name = apiKey.name;
+    systemUser.expiresOn = dto.expiresOn;
     apiKey.systemUser = systemUser;
 
     if (dto.permissionIds?.length > 0) {
@@ -101,6 +102,7 @@ export class ApiKeyService {
     const apiKey = await this.findOneByIdWithRelations(id);
     apiKey.name = dto.name;
     apiKey.updatedBy = userId;
+    apiKey.expiresOn = dto.expiresOn;
 
     if (dto.permissionIds?.length) {
       const permissionsDb = await this.permissionService.findManyByIds(dto.permissionIds);
diff --git a/src/services/device-management/iot-device-payload-decoder-data-target-connection.service.ts b/src/services/device-management/iot-device-payload-decoder-data-target-connection.service.ts
diff --git a/src/services/temporary-access.service.ts b/src/services/temporary-access.service.ts
diff --git a/src/services/user-management/user.service.ts b/src/services/user-management/user.service.ts

Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,9 @@ export class ApiKeyStrategy extends PassportStrategy(HeaderAPIKeyStrategy, ApiKe`
`26`	`26`	`if (!apiKeyDb) {`
`27`	`27`	`throw new UnauthorizedException(ErrorCodes.ApiKeyAuthFailed);`
`28`	`28`	`}`
	`29`	`+ if (apiKeyDb.expiresOn < new Date()) {`
	`30`	`+ throw new UnauthorizedException(ErrorCodes.ApiKeyExpired);`
	`31`	`+ }`
`29`	`32`
`30`	`33`	`// Get the permissions and the UserID from the API Key instead of the user`
`31`	`34`	`const permissions = await this.permissionService.findPermissionGroupedByLevelForApiKey(apiKeyDb.id);`
Original file line number	Diff line number	Diff line change
`@@ -23,4 +23,7 @@ export class ApiKey extends DbBaseEntity {`
`23`	`23`	`})`
`24`	`24`	`@JoinColumn()`
`25`	`25`	`systemUser: User;`
	`26`	`+`
	`27`	`+ @Column({ nullable: true })`
	`28`	`+ expiresOn?: Date;`
`26`	`29`	`}`