🚀 Release/7.1.0

.github/workflows/formsflow-forms-cd.yml

@@ -37,7 +37,7 @@ jobs:
           password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
 
       - name: Cache Docker layers
-        uses: actions/cache@v2
+        uses: actions/cache@v4
         with:
           path: /tmp/.buildx-cache
           key: ${{ runner.os }}-buildx-${{ matrix.name }}-${{ github.sha }}

README.md

@@ -35,6 +35,7 @@ To know more about form.io, go to  <https://form.io>.
 |`MULTI_TENANCY_ENABLED`|To enable multit tenancy |true / false|`false`
 |`FORMIO_DEFAULT_PROJECT_URL`:triangular_flag_on_post:|forms-flow-forms default url||`http://{your-ip-address}:3001`
 |`FORMIO_JWT_SECRET`|forms-flow-forms jwt secret| |`--- change me now ---`|
+|`FORMIO_JWT_EXPIRE`|forms-flow-forms jwt expire time| |`240`|
 
 **Additionally, you may want to change these**
 

VERSION

@@ -1 +1 @@
-v7.0.0
+v7.1.0

formsflow-forms-ChangeLog.md

@@ -9,7 +9,13 @@
 - `Untested Features`: Newly introduced features or components that are yet to be thoroughly tested.
 - `Upcoming Features`: Planned features or enhancements that will be available in future releases.
 - `Known Issues`: Existing issues or problems that are acknowledged and will be addressed in subsequent updates.
-
+
+# Version 7.1.0
+### Added
+- Added FORMIO_JWT_EXPIRE env for handling token expire time
+- Added tenant_key in logger
+- Added New /submissions POST API Allows listing submissions by passing submissionIds in the request body. Ensures access control by verifying form access before returning submissions.
+
 # Version 7.0.0
 ### Added
 - Added the formIds query parameter in the /form endpoint to retrieve form components, accessible only to admin users.

index.js

@@ -46,8 +46,9 @@ module.exports = function(config) {
   router.formio.config.schema = require('./package.json').schema;
 
   router.formio.log = (event, req, ...info) => {
+    const tenantKey = req.token && req.token.tenantKey;
     const result = router.formio.hook.alter('log', event, req, ...info);
-    logger.info(event, ...info);
+    logger.info(event,{tenantKey: tenantKey, info: info});
     if (result) {
       log(event, ...info);
     }
@@ -213,12 +214,10 @@ module.exports = function(config) {
       if (!router.formio.hook.invoke('init', 'config', router.formio)) {
         router.use('/config.json', router.formio.middleware.configHandler);
       }
-
       // Authorize all urls based on roles and permissions.
       if (!router.formio.hook.invoke('init', 'perms', router.formio)) {
         router.use(router.formio.middleware.permissionHandler);
       }
-
       let mongoUrl = config.mongo;
       let mongoConfig = config.mongoConfig ? JSON.parse(config.mongoConfig) : {};
       if (!mongoConfig.hasOwnProperty('connectTimeoutMS')) {
@@ -299,6 +298,8 @@ module.exports = function(config) {
         const formListingByPathNameTitle = require('./src/resources/FormListingByPathTitleName');
         router.get('/forms/search',formListingByPathNameTitle.getFormsByTitleOrPathOrName(router));
 
+        const submissionList = require('./src/resources/SubmissionList').getAllSubmissions(router);
+        router.post('/submissions',router.formio.middleware.tokenVerify,submissionList);
         // Return the form components.
         router.get('/form/:formId/components', function(req, res, next) {
           router.formio.resources.form.model.findOne({_id: req.params.formId}, function(err, form) {

sample.env

@@ -19,6 +19,7 @@
 FORMIO_DEFAULT_PROJECT_URL=http://{your-ip-address}:3001
 
 #FORMIO_JWT_SECRET=--- change me now ---
+#FORMIO_JWT_EXPIRE=240
 #MULTI_TENANCY_ENABLED=false
 #NO_INSTALL=1
 

src/authentication/index.js

@@ -49,13 +49,13 @@ module.exports = (router) => {
     } = jwtConfig;
 
     // changed the secret and expire to the env
-
-
+    const expireMinutes = Number(process.env.FORMIO_JWT_EXPIRE) || expireTime || 240;
+    const expiresInSeconds = expireMinutes * 60;
     return jwt.sign(payload, customSecret ||process.env.FORMIO_JWT_SECRET||secret , {
-      expiresIn: (expireTime ||240) * 60,
+      expiresIn: expiresInSeconds,
     });
   };
-  // Number(process.env.FORMIO_JWT_EXPIRE)|| todo 
+
   /**
    * Checks to see if a decoded token is allowed to access this path.
    * @param req

src/middleware/alias.js

@@ -46,7 +46,7 @@ module.exports = function(router) {
     // If this is normal request, then pass this middleware.
     /* eslint-disable no-useless-escape */
     //this custom endpoint written for formsflow
-    const customEndpoint = new Set(["checkpoint", "forms/search"])
+    const customEndpoint = new Set(["checkpoint", "forms/search", "submissions"])
     if (!alias || alias.match(/^(form$|form[\?\/])/) || alias === 'spec.json' || customEndpoint.has(alias) || alias ===  'config.json') {
       return next();
     }

src/middleware/handleFormsList.js

@@ -1,30 +1,50 @@
 "use strict";
+
+const { ObjectId } = require('../util/util');
+
 require('dotenv').config();
+
 /**
  * Middleware function to handle /form route.
  *
  * @param router
  *
  * @returns {Function}
  */
+
 module.exports = function (router) {
-  return function (req, res, next) { 
-    // If the request is for the /form route, and it is a GET request, then we need to check
-    if(req.path === "/form" && req.method === "GET"){
-      if(!req.isAdmin) return res.sendStatus(401)
-      if(req.query.formIds){
-        req.query._id = { $in: req.query.formIds.split(",")}
-        delete req.query.formIds
+  return async function (req, res, next) {
+    // Only check access for GET requests to /form route
+    if (req.path === "/form" && req.method === "GET") {
+      const query = {};
+
+      if(!req.user?.roles){
+        return res.sendStatus(401);
       }
+      // If specific formIds are provided, include them in query
+      if (req.query.formIds) {
+        query._id = { $in: req.query.formIds.split(",") };
+        delete req.query.formIds;
+      }
+      if(!req.isAdmin){
+        // Ensure role-based access check
+        query.access = {
+          $elemMatch: {
+            'type': 'read_all',
+            'roles': { $in: req.user.roles }
+          }
+        }
+      }
+
       if(process.env.MULTI_TENANCY_ENABLED == "true" && !req.isAdmin){
         if(!req.token?.tenantKey){
-          return res.json([])
+          return res.sendStatus(401);
         }
         req.query.tenantKey = req.token.tenantKey
       }
+      // Merge any additional query parameters
+      req.query = { ...query, ...req.query };
     }
-    next()
+    next();
   };
 };
-
-

src/middleware/permissionHandler.js

@@ -727,9 +727,13 @@ module.exports = function(router) {
 
     // Check for whitelisted paths.
     let skip = false;
+    const url = req.url.split('?')[0];
+    // skipping permission check for this route and it will do manually where route define
+    if(req.method === "POST" && url == "/submissions"){
+      skip = true;
+    }
     if (req.method === 'GET') {
-      const whitelist = ['/health', '/current', '/logout', '/access', '/token', '/recaptcha'];
-      const url = req.url.split('?')[0];
+    const whitelist = ['/health', '/current', '/logout', '/access', '/token', '/recaptcha'];
       skip = _.some(whitelist, function(path) {
         if ((url === path) || (url === hook.alter('path', path, req))) {
           return true;

src/resources/SubmissionList.js

@@ -0,0 +1,61 @@
+const { ObjectId } = require("../util/util");
+
+module.exports = {
+  getAllSubmissions: (router) =>
+    async function (req, res, next) {
+      try { 
+        const userRoles = req.user.roles.map((id) => ObjectId(id)); 
+
+        // submissionIds taking from req.body
+        const submissionIds = req.body.submissionIds
+          ? req.body.submissionIds.map((id) => ObjectId(id.trim()))
+          : []; 
+
+          const pipeline = [
+            {
+              $match: {
+                _id: { $in: submissionIds }, // Filter by submission IDs
+              },
+            },
+            {
+              $lookup: {
+                from: "forms",
+                localField: "form",
+                foreignField: "_id",
+                as: "formDetails",
+              },
+            },
+            {
+              $unwind: "$formDetails",
+            },
+            {
+              $match: {
+                $or: [
+                  {
+                    "formDetails.submissionAccess": {
+                      $elemMatch: {
+                        type: "read_all",
+                        roles: { $in: userRoles },
+                      },
+                    },
+                  },
+                  {
+                    owner: ObjectId(req.user._id), // User must be the owner for read_own
+                  },
+                ],
+              },
+            },
+            {
+              "$project":{
+                formDetails:0
+              }
+            }
+          ];
+        // mongo query execute
+        const result = await router.formio.resources.submission.model.aggregate(pipeline)
+        res.json(result)
+      } catch (error) {
+        next(error);
+      }
+    },
+};

src/util/logger.js

@@ -25,11 +25,29 @@ const logFolder = process.env.LOG_FOLDER || "./logs"
 const archivedFolder = logFolder+"/archived"
 const logFile = "formio-%DATE%.log"
 //Using the printf format.
-const customFormat = printf(({ level, label, timestamp, ...meta}) => {
-    const args = meta[Symbol.for('splat')];
-     if(args) meta.message = util.format(meta.message, ...args);
-     meta.message = formatObjectsAndArrays(meta.message);
-  return `${timestamp} [${label}] ${level}: ${meta.message}`;
+
+const customFormat = printf(({ level, label, timestamp, ...meta }) => {
+  const args = meta[Symbol.for('splat')] || [];
+  let tenantKey;
+  let formattedArgs = args;
+
+  // Extract tenantKey if first arg is an object with tenantKey
+  if (args[0] && typeof args[0] === 'object' && args[0].tenantKey) {
+    tenantKey = args[0].tenantKey;
+    formattedArgs = args[0].info || [];
+  }
+
+  // Format the message
+  if (formattedArgs.length > 0) {
+    meta.message = util.format(meta.message, ...formattedArgs);
+  }
+
+  meta.message = formatObjectsAndArrays(meta.message);
+
+  // Build the log string
+  const tenantPart = tenantKey ? ` [tenantKey: ${tenantKey}]` : '';
+  const log = `${timestamp} [${label}]${tenantPart} ${level}: ${meta.message}`;
+  return log;
 });