chore(vendor): update @lightbasenl/backend

_This PR is created by sync and will be force-pushed daily. Overwriting any manual changes done to this PR._

- Allow custom function to check 2fa enabled (lightbasenl/platform-components#1352) (lightbasenl/platform-components@f69c14a)
- feat(backend): various fixes for the TypeScript migration (lightbasenl/platform-components@9f6c1b0)
- feat(backend): support passing user props to authTestCreateUser (lightbasenl/platform-components@a7f7fad)
- chore(deps): Bump @xmldom/xmldom from 0.9.4 to 0.9.5 in the production group (lightbasenl/platform-components#1348) (lightbasenl/platform-components@4204470)
- chore(deps): Bump rate-limiter-flexible from 5.0.3 to 5.0.4 in the production group (lightbasenl/platform-components#1346) (lightbasenl/platform-components@822c961)
- chore(deps): Bump @xmldom/xmldom from 0.9.3 to 0.9.4 in the production group (lightbasenl/platform-components#1344) (lightbasenl/platform-components@5e34679)
- fix(feature-flag): allow updating 'userValues' (lightbasenl/platform-components@bb290dd)
- fix(feature-flag): use correct sql connection for fetching session (lightbasenl/platform-components@33e27e8)
- chore(deps): bump xmldom (lightbasenl/platform-components@b1d5ba6)
- chore: replace lint setup with @lightbase/eslint-config (lightbasenl/platform-components@c8e7656)
- feat!(backend): feature flags per user (lightbasenl/platform-components#1341) (lightbasenl/platform-components@075e8cd)
- feat(backend): add hook to be called in `authRequireUser` on a successful check (lightbasenl/platform-components@90f5223)
- chore: make compatible with new and old lint configs (lightbasenl/platform-components@445035b)
- chore(deps): Bump @lightbase/pull-through-cache from 0.2.0 to 0.2.1 in the production group (lightbasenl/platform-components#1326) (lightbasenl/platform-components@83e6a49)
- chore(backend): remove duplicate check on `requiredPermissions` (lightbasenl/platform-components@387fa87)
- feat(backend): support `oneOfRequiredPermissions` (lightbasenl/platform-components@f78adcc)
- feat(feature-flag,multitenant): report cache events as Sentry metric (lightbasenl/platform-components@22ebc13)- Failed to execute `npx compas lint`. Sync is not able to correct this, so human checks and fixes are necessary for this PR.

gen/index.js

@@ -1,4 +1,10 @@
 import { storeGetStructure } from "@compas/store";
+import { featureFlagDefinition, permissions } from "../src/constants.js";
+import { extendWithAuthCustom } from "./auth.js";
+import { extendWithDatabase } from "./database.js";
+import { extendWithMail } from "./mail.js";
+import { extendWithScaffold } from "./scaffold.js";
+import { extendWithType } from "./type.js";
 import {
   authPermissions,
   extendWithAuthAnonymousBased,
@@ -9,12 +15,6 @@ import {
   extendWithFeatureFlag,
   extendWithManagement,
 } from "@lightbasenl/backend";
-import { featureFlagDefinition, permissions } from "../src/constants.js";
-import { extendWithAuthCustom } from "./auth.js";
-import { extendWithDatabase } from "./database.js";
-import { extendWithMail } from "./mail.js";
-import { extendWithScaffold } from "./scaffold.js";
-import { extendWithType } from "./type.js";
 
 /**
  * Extend with compas additional/optional package  structures

scripts/queue.js

@@ -10,12 +10,6 @@ import {
   queueWorkerCreate,
   queueWorkerRegisterCronJobs,
 } from "@compas/store";
-import {
-  authEventNames,
-  authJobNames,
-  authPasswordBasedInvalidateResetTokens,
-  managementInvalidateUsers,
-} from "@lightbasenl/backend";
 import {
   authAnonymousBasedUserRegisteredEvent,
   authPasswordBasedEmailUpdatedEvent,
@@ -29,6 +23,12 @@ import { injectServices } from "../src/service.js";
 import { serviceLogger } from "../src/services/logger.js";
 import { sql } from "../src/services/postgres.js";
 import { bucketName, s3Client } from "../src/services/s3.js";
+import {
+  authEventNames,
+  authJobNames,
+  authPasswordBasedInvalidateResetTokens,
+  managementInvalidateUsers,
+} from "@lightbasenl/backend";
 
 mainFn(import.meta, main);
 

src/auth/jobs.js

@@ -36,7 +36,7 @@ export async function authAnonymousBasedUserRegisteredEvent(
   }
 
   // TODO(platform): Act
-  // eslint-disable-next-line no-unused-vars
+
   const x = 5;
 
   eventStop(event);
@@ -87,7 +87,7 @@ export async function authPasswordBasedUserRegisteredEvent(
   }
 
   // TODO(platform): Act
-  // eslint-disable-next-line no-unused-vars
+
   const x = 5;
 
   eventStop(event);
@@ -139,7 +139,7 @@ export async function authPasswordBasedForgotPasswordEvent(
   }
 
   // TODO(platform): Act
-  // eslint-disable-next-line no-unused-vars
+
   const x = 5;
 
   eventStop(event);
@@ -180,7 +180,7 @@ export async function authPasswordBasedPasswordUpdatedEvent(
   }
 
   // TODO(platform): Act
-  // eslint-disable-next-line no-unused-vars
+
   const x = 5;
 
   eventStop(event);
@@ -228,7 +228,7 @@ export async function authPasswordBasedEmailUpdatedEvent(event, sql, { data }) {
   }
 
   // TODO(platform): Act
-  // eslint-disable-next-line no-unused-vars
+
   const x = 5;
 
   eventStop(event);
@@ -269,7 +269,7 @@ export async function authPasswordBasedLoginVerifiedEvent(
   }
 
   // TODO(platform): Act
-  // eslint-disable-next-line no-unused-vars
+
   const x = 5;
 
   eventStop(event);
@@ -310,7 +310,7 @@ export async function authPasswordBasedPasswordResetEvent(
   }
 
   // TODO(platform): Act
-  // eslint-disable-next-line no-unused-vars
+
   const x = 5;
 
   eventStop(event);

src/mail/events.js

@@ -42,7 +42,7 @@ export async function mailSendGeneric(event, email, payload) {
  * @param {function(MailAddressHeaders, T): MailTemplateResponse} template
  * @param {MailAddressHeaders} addresses
  * @param {T} [payload={}]
- * @param {import("@types/nodemailer").Attachment[]} [attachments]
+ * @param {Array<import("@types/nodemailer").Attachment>} [attachments]
  * @returns {Promise<void>}
  */
 async function mailSend(
@@ -92,9 +92,9 @@ async function mailSend(
  * Construct a mail header object for nodemailer
  *
  * @param {MailAddress} from
- * @param {MailAddress|MailAddress[]} to
- * @param {MailAddress[]|undefined} [cc]
- * @param {MailAddress[]|undefined} [bcc]
+ * @param {MailAddress | Array<MailAddress>} to
+ * @param {Array<MailAddress> | undefined} [cc]
+ * @param {Array<MailAddress> | undefined} [bcc]
  * @returns {MailAddressHeaders}
  */
 function constructMailAddressHeaders(from, to, cc, bcc) {

src/scaffold/controller.js

@@ -1,7 +1,7 @@
 import { newEventFromEvent } from "@compas/stdlib";
-import { authCreateUser, multitenantRequireTenant } from "@lightbasenl/backend";
 import { scaffoldHandlers } from "../generated/application/scaffold/controller.js";
 import { sql } from "../services/postgres.js";
+import { authCreateUser, multitenantRequireTenant } from "@lightbasenl/backend";
 
 // TODO(platform): remove this;
 scaffoldHandlers.createUser = async (ctx) => {

src/services/app.js

@@ -1,7 +1,7 @@
 import { createBodyParser, getApp } from "@compas/server";
-import { backendGetConfig } from "@lightbasenl/backend";
 import { router } from "../generated/application/common/router.js";
 import { serviceLogger } from "./logger.js";
+import { backendGetConfig } from "@lightbasenl/backend";
 
 /**
  * @type {Application}

src/services/core.js

@@ -5,7 +5,7 @@ import { AppError, environment } from "@compas/stdlib";
  * This method should be used as guard during startup to ensure non-unexpected
  * code paths are hit during runtime.
  *
- * @param {string[]} requiredEnvironmentVariables
+ * @param {Array<string>} requiredEnvironmentVariables
  * @returns {void}
  */
 export function ensureEnvironmentVars(requiredEnvironmentVariables) {

src/services/lpc.js

@@ -1,11 +1,11 @@
 import { newEvent } from "@compas/stdlib";
+import { buildMandatoryRoles, permissions } from "../constants.js";
+import { serviceLogger } from "./logger.js";
 import {
   authPermissions,
   backendInit,
   backendInitServices,
 } from "@lightbasenl/backend";
-import { buildMandatoryRoles, permissions } from "../constants.js";
-import { serviceLogger } from "./logger.js";
 
 /**
  * @returns {Promise<void>}

src/testing.js

@@ -4,10 +4,6 @@ import {
   cleanupTestPostgresDatabase,
   objectStorageRemoveBucket,
 } from "@compas/store";
-import {
-  authInjectTokenInterceptors,
-  multitenantInjectAxios,
-} from "@lightbasenl/backend";
 import axios from "axios";
 import { axiosInterceptErrorAndWrapWithAppError } from "./generated/application/common/api-client.js";
 import {
@@ -25,6 +21,10 @@ import {
   serviceS3EnsureBuckets,
   serviceS3Init,
 } from "./services/s3.js";
+import {
+  authInjectTokenInterceptors,
+  multitenantInjectAxios,
+} from "@lightbasenl/backend";
 
 /**
  * Initialize all services based on an empty database and fresh s3 bucket.

vendor/backend/README.md

@@ -200,6 +200,7 @@ erDiagram
         string description
         string name
         generic tenantValues
+        generic userValues
         date createdAt
         date updatedAt
     }

vendor/backend/package.json

@@ -13,10 +13,10 @@
   ],
   "scripts": {},
   "dependencies": {
-    "@lightbase/pull-through-cache": "0.1.2",
-    "@xmldom/xmldom": "0.8.10",
+    "@lightbase/pull-through-cache": "0.2.1",
+    "@xmldom/xmldom": "0.9.5",
     "bcrypt": "5.1.1",
-    "rate-limiter-flexible": "5.0.3",
+    "rate-limiter-flexible": "5.0.4",
     "speakeasy": "2.0.0",
     "xml-crypto": "6.0.0",
     "xpath": "0.0.34"
@@ -30,5 +30,5 @@
     "url": "https://github.com/lightbasenl/platform-components.git",
     "directory": "packages/backend"
   },
-  "gitHead": "b335a6c8aa6f5e14489b582b02b6fa45beda00b6"
+  "gitHead": "6b423e921666ab44ef95cc1bbdf771664d0f2014"
 }

vendor/backend/src/auth/anonymous-based/controller.js

@@ -79,7 +79,7 @@ export async function applyAnonymousBasedController(settings) {
 
       const set2FACheck =
         typeof settings.determineTwoStepFunction === "function" &&
-        (settings.determineTwoStepFunction(user) ?? {});
+        ((await settings.determineTwoStepFunction(ctx, user)) ?? {});
 
       const newSessionResult = await sessionStoreCreate(
         newEventFromEvent(ctx.event),

vendor/backend/src/auth/apply.js

@@ -17,10 +17,29 @@ import { applyTotpProviderController } from "./totp-provider/controller.js";
 
 /**
  * @typedef {(
- *     user: QueryResultAuthUser
- *   ) => AuthDetermineTwoStepResult} AuthDetermineTwoStepCheckFunction
+ *     ctx: import("koa").ExtendableContext, user: QueryResultAuthUser
+ *   ) => Promise<AuthDetermineTwoStepResult>|AuthDetermineTwoStepResult}
+ *   AuthDetermineTwoStepCheckFunction
  */
 
+/**
+ * @type {AuthDetermineTwoStepCheckFunction}
+ */
+export const authDefaultDetermineTwoStepFunction = (ctx, user) => {
+  if (!isNil(user?.totpSettings?.verifiedAt)) {
+    return {
+      type: "checkTwoStep",
+      twoStepType: "totpProvider",
+    };
+  } else if (!isNil(user?.passwordLogin?.otpEnabledAt)) {
+    // TODO: what should happen if the user didn't login via passwordLogin?
+    return {
+      type: "checkTwoStep",
+      twoStepType: "passwordBasedOtp",
+    };
+  }
+};
+
 /**
  * Apply the auth package with the provided settings.
  * Make sure to call `routerClearMemoizedHandlers` when calling `applyAuth` again on the
@@ -37,24 +56,9 @@ export async function applyAuth({
   keycloakBased,
   passwordBased,
   totpProvider,
+  determineTwoStepFunction,
 }) {
-  /**
-   * @type {AuthDetermineTwoStepCheckFunction}
-   */
-  const determineTwoStepFunction = (user) => {
-    if (!isNil(user?.totpSettings?.verifiedAt)) {
-      return {
-        type: "checkTwoStep",
-        twoStepType: "totpProvider",
-      };
-    } else if (!isNil(user?.passwordLogin?.otpEnabledAt)) {
-      // TODO: what should happen if the user didn't login via passwordLogin?
-      return {
-        type: "checkTwoStep",
-        twoStepType: "passwordBasedOtp",
-      };
-    }
-  };
+  determineTwoStepFunction ??= authDefaultDetermineTwoStepFunction;
 
   await applyAuthController();
   await applySessionController({});

vendor/backend/src/auth/digid-based/controller.js

@@ -153,7 +153,7 @@ export async function applyDigidBasedController(settings) {
 
       const set2FACheck =
         typeof settings.determineTwoStepFunction === "function" &&
-        (settings.determineTwoStepFunction(user) ?? {});
+        ((await settings.determineTwoStepFunction(ctx, user)) ?? {});
 
       const newSessionResult = await sessionStoreCreate(
         newEventFromEvent(ctx.event),

vendor/backend/src/auth/digid-based/events.js

@@ -15,7 +15,7 @@ import {
   uuid,
 } from "@compas/stdlib";
 import { queueWorkerAddJob } from "@compas/store";
-import xmldom from "@xmldom/xmldom";
+import xmldom, { MIME_TYPE } from "@xmldom/xmldom";
 import axios from "axios";
 import xmlCrypto from "xml-crypto";
 import xpath from "xpath";
@@ -362,7 +362,10 @@ export async function authDigidBasedResolveArtifact(
     );
   }
 
-  const doc = new xmldom.DOMParser().parseFromString(xmlResponse);
+  const doc = new xmldom.DOMParser().parseFromString(
+    xmlResponse,
+    MIME_TYPE.XML_APPLICATION,
+  );
   const [mainStatus, subStatus, subSubStatus] = xpath.select(
     "//*[local-name(.)='StatusCode']/@Value",
     doc,
@@ -534,7 +537,10 @@ async function authDigidBasedGetSignatureForPayload(
 async function authDigidBasedVerifySignaturesForXmlPayload(event, payload) {
   eventStart(event, "authDigidBased.verifySignaturesForXmlPayload");
 
-  const doc = new xmldom.DOMParser().parseFromString(payload);
+  const doc = new xmldom.DOMParser().parseFromString(
+    payload,
+    MIME_TYPE.XML_APPLICATION,
+  );
   const signatures = xpath.select("//*[local-name(.)='Signature']", doc);
   if (signatures.length === 0) {
     throw AppError.serverError({