refactor authentication and user modules to typescript

CHANGELOG.md

@@ -17,12 +17,23 @@ MAGE adheres to [Semantic Versioning](http://semver.org/).
 - The `MAGE_MONGO_TLS_INSECURE` env var avoids issues with [self-signed certs](https://github.com/Automattic/mongoose/issues/9147).
 - [GARS](https://github.com/ngageoint/gars-js) grid overlay
 - [MGRS](https://github.com/ngageoint/mgrs-js) grid overlay
+- Add support for sorting observations by `timestamp`: `GET /api/observations?sort=timestamp+(asc|desc)`
 
 ##### Bug fixes
 - Single observation download bug
 - Protect against disabling all authentications.
 - Problem with OAuth web login
 
+##### Benign API Changes
+- `/api/events/{eventId}/observations`
+  - Remove support for `geometry` query parameter
+  - Remove support for `fields` query parameter
+- `/api/events/{eventId}/observations/{observationId}`
+  - Remove support for unnecessary observation query parameters
+- `/api/devices`
+  - Remove support for `sort` query parameter
+  - Remove support for `expand` query parameter
+
 ## [6.2.12](https://github.com/ngageoint/mage-server/releases/tag/6.2.12)
 ### Service
 #### Security

docs/development/mongoose.md

@@ -0,0 +1,38 @@
+# Mongoose Development Guidelines and Patterns
+
+## Types
+* DocType vs. Entity
+* Entity with JsonObject mapped to DocType causes TS error
+  _Type instantiation is excessively deep and possibly infinite.ts(2589)_
+  because of JsonObject recursive type definition
+```
+export type FeedServiceDocument = Omit<FeedService, 'id' | 'serviceType'> & {
+  _id: mongoose.Types.ObjectId
+  serviceType: mongoose.Types.ObjectId
+  // config: any
+}
+export type FeedServiceModel = Model<FeedServiceDocument>
+export const FeedServiceSchema = new mongoose.Schema<FeedServiceDocument, FeedServiceModel>(
+  {
+    serviceType: { type: mongoose.SchemaTypes.ObjectId, required: true, ref: FeedsModels.FeedServiceTypeIdentity },
+    title: { type: String, required: true },
+    summary: { type: String, required: false },
+    config: { type: Object, required: false },
+  },
+  {
+    toJSON: {
+      getters: true,
+      versionKey: false,
+      transform: (doc: FeedServiceDocument, json: any & FeedService): void => {
+        delete json._id
+        json.serviceType = doc.serviceType.toHexString()
+      }
+    }
+  })
+```
+
+```
+var o: ObservationDocument = null
+var l: mongoose.LeanDocument<ObservationDocument> = null
+o = l
+```

docs/domain.md

@@ -44,6 +44,9 @@ Many MAGE customers have enterprise data sources available to them that are rele
 
 ## Core Terms
 
+### User
+A user is a human that interacts with the Mage application to support or accomplish a business goal.
+
 ### Feature
 A feature represents a physical object or occurrence that has spatial and/or temporal attributes.  A spatial attribute is the geographic location and shape of a feature and includes single points, (e.g. latitude and longitude), and geographic geometry structures such as lines and polygon shapes.  A temporal attribute could be a single instantaneous timestamp (e.g., 1 January 2020 at 10:35:40.555 AM) or a temporal duration (e.g., 2020-01-01 through 2020-01-31).  See **feature** from https://www.ogc.org/ogc/glossary/f.
 
@@ -97,13 +100,13 @@ An event is a scope to manage users, the data they collect, and the data they ar
 An event defines the observation data participants can submit.  Events may define one or more forms into which participants enter observation data about a subject.  Each form defines one or more form fields of varying types into which a participant enters a data value of the field's type, such as a date, text, number, email, etc.  An event may impose validation rules on submitted observations, such as minimum and/or maximum number of entries for a given form.  Form fields may impose validation rules on individual data values, such as required vs. optional, minimum and/or maximum numeric values, text input patterns, or allowed attachment media types.
 
 ### Participant
-A participant is a user that has access to the data associated with a specific event, as well as to submit observations for the event.
+A participant is a user that has access to the data associated with a specific event, as well as access to submit observations for the event.
 
 ### Field Participant
 A field participant is a participant of an event that is actively collecting observations for the event using a mobile device.
 
 ### Monitor
-A monitor is a participant of an event that is not actively collecting data for the event in the field.
+A monitor is a user that has access to view data associated with an event, but not to create or modify data for the event.
 
 ### Location
 A location is the reported geospatial position of a field participant.  Locations, therefore, only exist within the scope of an event.

package.json

@@ -5,7 +5,7 @@
   "version": "6.3.0-beta.6",
   "files": [],
   "scripts": {
-    "postinstall": "npm-run-all service:ci web-app:ci image.service:ci nga-msi:ci",
+    "install:clean": "npm-run-all service:ci web-app:ci image.service:ci nga-msi:ci",
     "install:resolve": "npm-run-all service:install web-app:install image.service:install nga-msi:install",
     "build": "npm-run-all service:build web-app:build image.service:build nga-msi:build instance:build",
     "pack-all": "npm-run-all service:pack web-app:pack image.service:pack nga-msi:pack",

service/functionalTests/security/devices.security.test.ts

@@ -0,0 +1,39 @@
+import { expect } from 'chai'
+
+describe('device management security', function() {
+
+  describe('removing a device', function() {
+
+    it('invalidates associated sessions', async function() {
+      expect.fail('todo')
+    })
+
+    it('prevents the owning user from authenticating with the device', async function() {
+      expect.fail('todo')
+    })
+  })
+
+  /**
+   * AKA, set `registered` to `false`.
+   */
+  describe('disabling a device', function() {
+
+    it('invalidates associated sessions', async function() {
+      expect.fail('todo')
+    })
+
+    it('prevents the owning user from authenticating with the device', async function() {
+      expect.fail('todo')
+    })
+  })
+
+  /**
+   * AKA, approving; set `registered` to `true`.
+   */
+  describe('enabling', function() {
+
+    it('allows the owning user to authenticate with the device', async function() {
+      expect.fail('todo')
+    })
+  })
+})

service/functionalTests/security/users.security.test.ts

@@ -0,0 +1,15 @@
+import { expect } from 'chai'
+
+describe('user management security', function() {
+
+  describe('disabling a user account', function() {
+
+    it('prevents the user from authenticating', async function() {
+      expect.fail('todo')
+    })
+
+    it('invalidates associated sessions', async function() {
+      expect.fail('todo')
+    })
+  })
+})

service/package.json

@@ -90,6 +90,7 @@
     "@fluffy-spoon/substitute": "^1.196.0",
     "@types/archiver": "^5.3.4",
     "@types/async": "^3.0.5",
+    "@types/base-64": "^1.0.2",
     "@types/bson": "^1.0.11",
     "@types/busboy": "^1.5.0",
     "@types/chai": "^4.2.19",
@@ -99,12 +100,17 @@
     "@types/express-serve-static-core": "~4.17.0",
     "@types/fs-extra": "^8.0.1",
     "@types/json2csv": "~4.5.0",
+    "@types/jsonwebtoken": "^9.0.6",
     "@types/lodash": "^4.17.6",
     "@types/mocha": "^7.0.2",
     "@types/multer": "^1.4.7",
     "@types/node": "^18.18.4",
     "@types/node-fetch": "^2.5.4",
     "@types/passport": "^1.0.3",
+    "@types/passport-http-bearer": "^1.0.41",
+    "@types/passport-local": "^1.0.38",
+    "@types/passport-oauth2": "^1.4.17",
+    "@types/passport-openidconnect": "^0.1.3",
     "@types/sinon": "^9.0.4",
     "@types/sinon-chai": "^3.2.4",
     "@types/superagent": "^8.1.3",