lib/application.js

// Copyright IBM Corp. 2013,2019. All Rights Reserved.
// Node module: loopback
// This file is licensed under the MIT License.
// License text available at https://opensource.org/licenses/MIT

/*!
 * Module dependencies.
 */

'use strict';
const g = require('./globalize');
const DataSource = require('loopback-datasource-juggler').DataSource;
const Registry = require('./registry');
const assert = require('assert');
const fs = require('fs');
const extend = require('util')._extend;
const RemoteObjects = require('strong-remoting');
const classify = require('underscore.string/classify');
const camelize = require('underscore.string/camelize');
const path = require('path');
const util = require('util');

/**
 * The `App` object represents a Loopback application.
 *
 * The App object extends [Express](http:https://expressjs.com/api.html#express) and
 * supports Express middleware. See
 * [Express documentation](http:https://expressjs.com/) for details.
 *
 * ```js
 * var loopback = require('loopback');
 * var app = loopback();
 *
 * app.get('/', function(req, res){
 *   res.send('hello world');
 * });
 *
 * app.listen(3000);
 * ```
 *
 * @class LoopBackApplication
 * @header var app = loopback()
 */
function App() {
  // this is a dummy placeholder for jsdox
}

/*!
 * Export the app prototype.
 */

const app = module.exports = {};

/**
 * Lazily load a set of [remote objects](http:https://apidocs.strongloop.com/strong-remoting/#remoteobjectsoptions).
 *
 * **NOTE:** Calling `app.remotes()` more than once returns only a single set of remote objects.
 * @returns {RemoteObjects}
 */

app.remotes = function() {
  if (this._remotes) {
    return this._remotes;
  } else {
    let options = {};

    if (this.get) {
      options = this.get('remoting');
    }

    return (this._remotes = RemoteObjects.create(options));
  }
};

/*!
 * Remove a route by reference.
 */

app.disuse = function(route) {
  if (this.stack) {
    for (let i = 0; i < this.stack.length; i++) {
      if (this.stack[i].route === route) {
        this.stack.splice(i, 1);
      }
    }
  }
};

/**
 * Attach a model to the app. The `Model` will be available on the
 * `app.models` object.
 *
 * Example - Attach an existing model:
 ```js
 * var User = loopback.User;
 * app.model(User);
 *```
 * Example - Attach an existing model, alter some aspects of the model:
 * ```js
 * var User = loopback.User;
 * app.model(User, { dataSource: 'db' });
 *```
 *
 * @param {Object} Model The model to attach.
 * @options {Object} config The model's configuration.
 * @property {String|DataSource} dataSource The `DataSource` to which to attach the model.
 * @property {Boolean} [public] Whether the model should be exposed via REST API.
 * @property {Object} [relations] Relations to add/update.
 * @end
 * @returns {ModelConstructor} the model class
 */

app.model = function(Model, config) {
  let isPublic = true;
  const registry = this.registry;

  if (typeof Model === 'string') {
    const msg = 'app.model(modelName, settings) is no longer supported. ' +
      'Use app.registry.createModel(modelName, definition) and ' +
      'app.model(ModelCtor, config) instead.';
    throw new Error(msg);
  }

  if (arguments.length > 1) {
    config = config || {};
    configureModel(Model, config, this);
    isPublic = config.public !== false;
  } else {
    assert(Model.prototype instanceof Model.registry.getModel('Model'),
      Model.modelName + ' must be a descendant of loopback.Model');
  }

  const modelName = Model.modelName;
  this.models[modelName] =
    this.models[classify(modelName)] =
      this.models[camelize(modelName)] = Model;

  this.models().push(Model);

  if (isPublic && Model.sharedClass) {
    this.remotes().defineObjectType(Model.modelName, function(data) {
      return new Model(data);
    });
    this.remotes().addClass(Model.sharedClass);
    if (Model.settings.trackChanges && Model.Change) {
      this.remotes().addClass(Model.Change.sharedClass);
    }
    clearHandlerCache(this);
    this.emit('modelRemoted', Model.sharedClass);
  }

  const self = this;
  Model.on('remoteMethodDisabled', function(model, methodName) {
    clearHandlerCache(self);
    self.emit('remoteMethodDisabled', model, methodName);
  });
  Model.on('remoteMethodAdded', function(model) {
    clearHandlerCache(self);
    self.emit('remoteMethodAdded', model);
  });

  Model.shared = isPublic;
  Model.app = this;
  Model.emit('attached', this);
  return Model;
};

/**
 * Remove all references to a previously registered Model.
 *
 * The method emits "modelDeleted" event as a counter-part to "modelRemoted"
 * event.
 *
 * @param {String} modelName The name of the model to remove.
 */
app.deleteModelByName = function(modelName) {
  const ModelCtor = this.models[modelName];
  delete this.models[modelName];
  delete this.models[classify(modelName)];
  delete this.models[camelize(modelName)];

  if (ModelCtor) {
    ModelCtor.removeAllListeners();

    const ix = this._models.indexOf(ModelCtor);
    if (ix > -1) {
      this._models.splice(ix, 1);
    }
  }

  const remotes = this.remotes();
  remotes.deleteClassByName(modelName);
  remotes.deleteTypeByName(modelName);

  if (ModelCtor && ModelCtor.dataSource) {
    ModelCtor.dataSource.deleteModelByName(modelName);
  } else {
    this.registry.modelBuilder.deleteModelByName(modelName);
  }

  clearHandlerCache(this);

  this.emit('modelDeleted', ModelCtor || modelName);
};

/**
 * Get the models exported by the app. Returns only models defined using `app.model()`
 *
 * There are two ways to access models:
 *
 * 1.  Call `app.models()` to get a list of all models.
 *
 * ```js
 * var models = app.models();
 *
 * models.forEach(function(Model) {
 *  console.log(Model.modelName); // color
 * });
 * ```
 *
 * 2. Use `app.models` to access a model by name.
 * `app.models` has properties for all defined models.
 *
 * The following example illustrates accessing the `Product` and `CustomerReceipt` models
 * using the `models` object.
 *
 * ```js
 * var loopback = require('loopback');
 *  var app = loopback();
 *  app.boot({
 *   dataSources: {
 *     db: {connector: 'memory'}
 *   }
 * });
 *
 * var productModel = app.registry.createModel('product');
 * app.model(productModel, {dataSource: 'db'});
 * var customerReceiptModel = app.registry.createModel('customer-receipt');
 * app.model(customerReceiptModel, {dataSource: 'db'});
 *
 * // available based on the given name
 * var Product = app.models.Product;
 *
 * // also available as camelCase
 * var product = app.models.product;
 *
 * // multi-word models are avaiable as pascal cased
 * var CustomerReceipt = app.models.CustomerReceipt;
 *
 * // also available as camelCase
 * var customerReceipt = app.models.customerReceipt;
 * ```
 *
 * @returns {Array} Array of model classes.
 */

app.models = function() {
  return this._models || (this._models = []);
};

/**
 * Define a DataSource.
 *
 * @param {String} name The data source name
 * @param {Object} config The data source config
 */
app.dataSource = function(name, config) {
  try {
    const ds = dataSourcesFromConfig(name, config, this.connectors, this.registry);
    this.dataSources[name] =
    this.dataSources[classify(name)] =
    this.dataSources[camelize(name)] = ds;
    ds.app = this;
    return ds;
  } catch (err) {
    if (err.message) {
      err.message = g.f('Cannot create data source %s: %s',
        JSON.stringify(name), err.message);
    }
    throw err;
  }
};

/**
 * Register a connector.
 *
 * When a new data-source is being added via `app.dataSource`, the connector
 * name is looked up in the registered connectors first.
 *
 * Connectors are required to be explicitly registered only for applications
 * using browserify, because browserify does not support dynamic require,
 * which is used by LoopBack to automatically load the connector module.
 *
 * @param {String} name Name of the connector, e.g. 'mysql'.
 * @param {Object} connector Connector object as returned
 *   by `require('loopback-connector-{name}')`.
 */
app.connector = function(name, connector) {
  this.connectors[name] =
  this.connectors[classify(name)] =
  this.connectors[camelize(name)] = connector;
};

/**
 * Get all remote objects.
 * @returns {Object} [Remote objects](http:https://apidocs.strongloop.com/strong-remoting/#remoteobjectsoptions).
 */

app.remoteObjects = function() {
  const result = {};

  this.remotes().classes().forEach(function(sharedClass) {
    result[sharedClass.name] = sharedClass.ctor;
  });

  return result;
};

/*!
 * Get a handler of the specified type from the handler cache.
 * @triggers `mounted` events on shared class constructors (models)
 */

app.handler = function(type, options) {
  const handlers = this._handlers || (this._handlers = {});
  if (handlers[type]) {
    return handlers[type];
  }

  const remotes = this.remotes();
  const handler = this._handlers[type] = remotes.handler(type, options);

  remotes.classes().forEach(function(sharedClass) {
    sharedClass.ctor.emit('mounted', app, sharedClass, remotes);
  });

  return handler;
};

/**
 * An object to store dataSource instances.
 */

app.dataSources = app.datasources = {};

/**
 * Enable app wide authentication.
 */

app.enableAuth = function(options) {
  const AUTH_MODELS = ['User', 'AccessToken', 'ACL', 'Role', 'RoleMapping'];

  const remotes = this.remotes();
  const app = this;

  if (options && options.dataSource) {
    const appModels = app.registry.modelBuilder.models;
    AUTH_MODELS.forEach(function(m) {
      const Model = app.registry.findModel(m);
      if (!Model) {
        throw new Error(
          g.f('Authentication requires model %s to be defined.', m),
        );
      }

      if (Model.dataSource || Model.app) return;

      // Find descendants of Model that are attached,
      // for example "Customer" extending "User" model
      for (const name in appModels) {
        const candidate = appModels[name];
        const isSubclass = candidate.prototype instanceof Model;
        const isAttached = !!candidate.dataSource || !!candidate.app;
        if (isSubclass && isAttached) return;
      }

      app.model(Model, {
        dataSource: options.dataSource,
        public: m === 'User',
      });
    });
  }

  remotes.authorization = function(ctx, next) {
    const method = ctx.method;
    const req = ctx.req;
    const Model = method.ctor;
    const modelInstance = ctx.instance;

    const modelId = modelInstance && modelInstance.id ||
      // replacement for deprecated req.param()
      (req.params && req.params.id !== undefined ? req.params.id :
        req.body && req.body.id !== undefined ? req.body.id :
          req.query && req.query.id !== undefined ? req.query.id :
            undefined);

    const modelName = Model.modelName;

    const modelSettings = Model.settings || {};
    let errStatusCode = modelSettings.aclErrorStatus || app.get('aclErrorStatus') || 401;
    if (!req.accessToken) {
      errStatusCode = 401;
    }

    if (Model.checkAccess) {
      Model.checkAccess(
        req.accessToken,
        modelId,
        method,
        ctx,
        function(err, allowed) {
          if (err) {
            console.log(err);
            next(err);
          } else if (allowed) {
            next();
          } else {
            const messages = {
              403: {
                message: g.f('Access Denied'),
                code: 'ACCESS_DENIED',
              },
              404: {
                message: (g.f('could not find %s with id %s', modelName, modelId)),
                code: 'MODEL_NOT_FOUND',
              },
              401: {
                message: g.f('Authorization Required'),
                code: 'AUTHORIZATION_REQUIRED',
              },
            };

            const e = new Error(messages[errStatusCode].message || messages[403].message);
            e.statusCode = errStatusCode;
            e.code = messages[errStatusCode].code || messages[403].code;
            next(e);
          }
        },
      );
    } else {
      next();
    }
  };

  this._verifyAuthModelRelations();

  this.isAuthEnabled = true;
};

app._verifyAuthModelRelations = function() {
  // Allow unit-tests (but also LoopBack users) to disable the warnings
  if (this.get('_verifyAuthModelRelations') === false) return;

  const AccessToken = this.registry.findModel('AccessToken');
  const User = this.registry.findModel('User');
  this.models().forEach(Model => {
    if (Model === AccessToken || Model.prototype instanceof AccessToken) {
      scheduleVerification(Model, verifyAccessTokenRelations);
    }

    if (Model === User || Model.prototype instanceof User) {
      scheduleVerification(Model, verifyUserRelations);
    }
  });

  function scheduleVerification(Model, verifyFn) {
    if (Model.dataSource) {
      verifyFn(Model);
    } else {
      Model.on('attached', () => verifyFn(Model));
    }
  }

  function verifyAccessTokenRelations(Model) {
    const belongsToUser = Model.relations && Model.relations.user;
    if (belongsToUser) return;

    const relationsConfig = Model.settings.relations || {};
    const userName = (relationsConfig.user || {}).model;
    if (userName) {
      console.warn(
        'The model %j configures "belongsTo User-like models" relation ' +
          'with target model %j. However, the model %j is not attached to ' +
          'the application and therefore cannot be used by this relation. ' +
          'This typically happens when the application has a custom ' +
          'custom User subclass, but does not fix AccessToken relations ' +
          'to use this new model.\n' +
          'Learn more at http:https://ibm.biz/setup-loopback-auth',
        Model.modelName, userName, userName,
      );
      return;
    }

    console.warn(
      'The model %j does not have "belongsTo User-like model" relation ' +
        'configured.\n' +
        'Learn more at http:https://ibm.biz/setup-loopback-auth',
      Model.modelName,
    );
  }

  function verifyUserRelations(Model) {
    const hasManyTokens = Model.relations && Model.relations.accessTokens;

    if (hasManyTokens) {
      // display a temp warning message for users using multiple users config
      if (hasManyTokens.polymorphic) {
        console.warn(
          'The app configuration follows the multiple user models setup ' +
            'as described in http:https://ibm.biz/setup-loopback-auth',
          'The built-in role resolver $owner is not currently compatible ' +
            'with this configuration and should not be used in production.',
        );
      }
      return;
    }

    const relationsConfig = Model.settings.relations || {};
    const accessTokenName = (relationsConfig.accessTokens || {}).model;
    if (accessTokenName) {
      console.warn(
        'The model %j configures "hasMany AccessToken-like models" relation ' +
          'with target model %j. However, the model %j is not attached to ' +
          'the application and therefore cannot be used by this relation. ' +
          'This typically happens when the application has a custom ' +
          'AccessToken subclass, but does not fix User relations to use this ' +
          'new model.\n' +
          'Learn more at http:https://ibm.biz/setup-loopback-auth',
        Model.modelName, accessTokenName, accessTokenName,
      );
      return;
    }

    console.warn(
      'The model %j does not have "hasMany AccessToken-like models" relation ' +
        'configured.\n' +
        'Learn more at http:https://ibm.biz/setup-loopback-auth',
      Model.modelName,
    );
  }
};

app.boot = function(options) {
  throw new Error(
    g.f('{{`app.boot`}} was removed, use the new module {{loopback-boot}} instead'),
  );
};

function dataSourcesFromConfig(name, config, connectorRegistry, registry) {
  let connectorPath;

  assert(typeof config === 'object',
    'can not create data source without config object');

  if (typeof config.connector === 'string') {
    const connectorName = config.connector;
    if (connectorRegistry[connectorName]) {
      config.connector = connectorRegistry[connectorName];
    } else {
      connectorPath = path.join(__dirname, 'connectors', connectorName + '.js');

      if (fs.existsSync(connectorPath)) {
        config.connector = require(connectorPath);
      }
    }
    if (config.connector && typeof config.connector === 'object' && !config.connector.name)
      config.connector.name = connectorName;
  }

  return registry.createDataSource(name, config);
}

function configureModel(ModelCtor, config, app) {
  assert(ModelCtor.prototype instanceof ModelCtor.registry.getModel('Model'),
    ModelCtor.modelName + ' must be a descendant of loopback.Model');

  let dataSource = config.dataSource;

  if (dataSource) {
    if (typeof dataSource === 'string') {
      dataSource = app.dataSources[dataSource];
    }

    assert(
      dataSource instanceof DataSource,
      ModelCtor.modelName + ' is referencing a dataSource that does not exist: "' +
      config.dataSource + '"',
    );
  }

  config = extend({}, config);
  config.dataSource = dataSource;

  app.registry.configureModel(ModelCtor, config);
}

function clearHandlerCache(app) {
  app._handlers = undefined;
}

/**
 * Listen for connections and update the configured port.
 *
 * When there are no parameters or there is only one callback parameter,
 * the server will listen on `app.get('host')` and `app.get('port')`.
 *
 * For example, to listen on host/port configured in app config:
 * ```js
 * app.listen();
 * ```
 *
 * Otherwise all arguments are forwarded to `http.Server.listen`.
 *
 * For example, to listen on the specified port and all hosts, and ignore app config.
 * ```js
 * app.listen(80);
 * ```
 *
 * The function also installs a `listening` callback that calls
 * `app.set('port')` with the value returned by `server.address().port`.
 * This way the port param contains always the real port number, even when
 * listen was called with port number 0.
 *
 * @param {Function} [cb] If specified, the callback is added as a listener
 *   for the server's "listening" event.
 * @returns {http.Server} A node `http.Server` with this application configured
 *   as the request handler.
 */
app.listen = function(cb) {
  const self = this;

  const server = require('http').createServer(this);

  server.on('listening', function() {
    self.set('port', this.address().port);

    let listeningOnAll = false;
    let host = self.get('host');
    if (!host) {
      listeningOnAll = true;
      host = this.address().address;
      self.set('host', host);
    } else if (host === '0.0.0.0' || host === '::') {
      listeningOnAll = true;
    }

    if (!self.get('url')) {
      if (listeningOnAll) {
        // We are replacing it with localhost to build a URL
        // that can be copied and pasted into the browser.
        host = 'localhost';
      }
      const url = 'http:https://' + host + ':' + self.get('port') + '/';
      self.set('url', url);
    }
  });

  const useAppConfig =
    arguments.length === 0 ||
      (arguments.length == 1 && typeof arguments[0] == 'function');

  if (useAppConfig) {
    let port = this.get('port');
    // NOTE(bajtos) port:undefined no longer works on node@6,
    // we must pass port:0 explicitly
    if (port === undefined) port = 0;
    server.listen(port, this.get('host'), cb);
  } else {
    server.listen.apply(server, arguments);
  }

  return server;
};