chore(merge): Merge branch 'master' into authentication-with-jwt

api/src/routes/api/auth.ts

@@ -0,0 +1,100 @@
+import express from 'express'
+import mongoose from 'mongoose'
+
+import AuthController from '../../controllers/auth'
+import Client from '../../model/Client'
+
+import {
+  authenticateAccessToken,
+  authenticateRefreshToken
+} from '../../middlewares'
+
+import { authorizeValidation, tokenValidation } from '../../utils'
+import { InfoJWT } from '../../types'
+
+const authRouter = express.Router()
+
+const clientIDs = new Set()
+
+export const populateClients = async () => {
+  const result = await Client.find()
+  clientIDs.clear()
+  result.forEach((r) => {
+    clientIDs.add(r.clientId)
+  })
+}
+
+export const connectDB = () => {
+  // NOTE: when exporting app.js as agent for supertest
+  // we should exlcude connecting to the real database
+  if (process.env.NODE_ENV !== 'test') {
+    mongoose.connect(process.env.DB_CONNECT as string, async (err) => {
+      if (err) throw err
+
+      console.log('Connected to db!')
+
+      await populateClients()
+    })
+  }
+}
+
+authRouter.post('/authorize', async (req, res) => {
+  const { error, value: body } = authorizeValidation(req.body)
+  if (error) return res.status(400).send(error.details[0].message)
+
+  const { clientId } = body
+
+  // Verify client ID
+  if (!clientIDs.has(clientId)) {
+    return res.status(403).send('Invalid clientId.')
+  }
+
+  const controller = new AuthController()
+  try {
+    const response = await controller.authorize(body)
+
+    res.send(response)
+  } catch (err: any) {
+    res.status(403).send(err.toString())
+  }
+})
+
+authRouter.post('/token', async (req, res) => {
+  const { error, value: body } = tokenValidation(req.body)
+  if (error) return res.status(400).send(error.details[0].message)
+
+  const controller = new AuthController()
+  try {
+    const response = await controller.token(body)
+
+    res.send(response)
+  } catch (err: any) {
+    res.status(403).send(err.toString())
+  }
+})
+
+authRouter.post('/refresh', authenticateRefreshToken, async (req: any, res) => {
+  const userInfo: InfoJWT = req.user
+
+  const controller = new AuthController()
+  try {
+    const response = await controller.refresh(userInfo)
+
+    res.send(response)
+  } catch (err: any) {
+    res.status(403).send(err.toString())
+  }
+})
+
+authRouter.delete('/logout', authenticateAccessToken, async (req: any, res) => {
+  const userInfo: InfoJWT = req.user
+
+  const controller = new AuthController()
+  try {
+    await controller.logout(userInfo)
+  } catch (e) {}
+
+  res.sendStatus(204)
+})
+
+export default authRouter

api/src/routes/api/client.ts

@@ -0,0 +1,20 @@
+import express from 'express'
+import ClientController from '../../controllers/client'
+import { registerClientValidation } from '../../utils'
+
+const clientRouter = express.Router()
+
+clientRouter.post('/', async (req, res) => {
+  const { error, value: body } = registerClientValidation(req.body)
+  if (error) return res.status(400).send(error.details[0].message)
+
+  const controller = new ClientController()
+  try {
+    const response = await controller.createClient(body)
+    res.send(response)
+  } catch (err: any) {
+    res.status(403).send(err.toString())
+  }
+})
+
+export default clientRouter

api/src/routes/api/drive.ts

@@ -0,0 +1,74 @@
+import express from 'express'
+import path from 'path'
+import {
+  DriveController,
+  ExecutionController
+} from '../../controllers'
+import { isFileQuery } from '../../types'
+import { getTmpFilesFolderPath } from '../../utils'
+
+const driveRouter = express.Router()
+
+driveRouter.post('/deploy', async (req, res) => {
+  const controller = new DriveController()
+  try {
+    const response = await controller.deploy(req.body)
+    res.send(response)
+  } catch (err: any) {
+    const statusCode = err.code
+
+    delete err.code
+
+    res.status(statusCode).send(err)
+  }
+})
+
+driveRouter.get('/file', async (req, res) => {
+  if (isFileQuery(req.query)) {
+    const filePath = path
+      .join(getTmpFilesFolderPath(), req.query.filePath)
+      .replace(new RegExp('/', 'g'), path.sep)
+    await new DriveController()
+      .readFile(filePath)
+      .then((fileContent) => {
+        res.status(200).send({ status: 'success', fileContent: fileContent })
+      })
+      .catch((err) => {
+        res.status(400).send({
+          status: 'failure',
+          message: 'File request failed.',
+          ...(typeof err === 'object' ? err : { details: err })
+        })
+      })
+  } else {
+    res.status(400).send({
+      status: 'failure',
+      message: 'Invalid Request: Expected parameter filePath was not provided'
+    })
+  }
+})
+
+driveRouter.patch('/file', async (req, res) => {
+  const filePath = path
+    .join(getTmpFilesFolderPath(), req.body.filePath)
+    .replace(new RegExp('/', 'g'), path.sep)
+  await new DriveController()
+    .updateFile(filePath, req.body.fileContent)
+    .then(() => {
+      res.status(200).send({ status: 'success' })
+    })
+    .catch((err) => {
+      res.status(400).send({
+        status: 'failure',
+        message: 'File request failed.',
+        ...(typeof err === 'object' ? err : { details: err })
+      })
+    })
+})
+
+driveRouter.get('/fileTree', async (req, res) => {
+  const tree = new ExecutionController().buildDirectorytree()
+  res.status(200).send({ status: 'success', tree })
+})
+
+export default driveRouter

api/src/routes/api/group.ts

@@ -0,0 +1,97 @@
+import express from 'express'
+import GroupController from '../../controllers/group'
+import { authenticateAccessToken, verifyAdmin } from '../../middlewares'
+import { registerGroupValidation } from '../../utils'
+import userRouter from './user'
+
+const groupRouter = express.Router()
+
+groupRouter.post(
+  '/',
+  authenticateAccessToken,
+  verifyAdmin,
+  async (req, res) => {
+    const { error, value: body } = registerGroupValidation(req.body)
+    if (error) return res.status(400).send(error.details[0].message)
+
+    const controller = new GroupController()
+    try {
+      const response = await controller.createGroup(body)
+      res.send(response)
+    } catch (err: any) {
+      res.status(403).send(err.toString())
+    }
+  }
+)
+
+groupRouter.get('/', authenticateAccessToken, async (req, res) => {
+  const controller = new GroupController()
+  try {
+    const response = await controller.getAllGroups()
+    res.send(response)
+  } catch (err: any) {
+    res.status(403).send(err.toString())
+  }
+})
+
+groupRouter.get('/:groupId', authenticateAccessToken, async (req: any, res) => {
+  const { groupId } = req.params
+
+  const controller = new GroupController()
+  try {
+    const response = await controller.getGroup(groupId)
+    res.send(response)
+  } catch (err: any) {
+    res.status(403).send(err.toString())
+  }
+})
+
+groupRouter.post(
+  '/:groupId/:userId',
+  authenticateAccessToken,
+  async (req: any, res) => {
+    const { groupId, userId } = req.params
+
+    const controller = new GroupController()
+    try {
+      const response = await controller.addUserToGroup(groupId, userId)
+      res.send(response)
+    } catch (err: any) {
+      res.status(403).send(err.toString())
+    }
+  }
+)
+
+groupRouter.delete(
+  '/:groupId/:userId',
+  authenticateAccessToken,
+  async (req: any, res) => {
+    const { groupId, userId } = req.params
+
+    const controller = new GroupController()
+    try {
+      const response = await controller.removeUserFromGroup(groupId, userId)
+      res.send(response)
+    } catch (err: any) {
+      res.status(403).send(err.toString())
+    }
+  }
+)
+
+groupRouter.delete(
+  '/:groupId',
+  authenticateAccessToken,
+  async (req: any, res) => {
+    const { groupId } = req.params
+
+    const controller = new GroupController()
+    try {
+      await controller.deleteGroup(groupId)
+      res.status(200).send('Group Deleted!')
+    } catch (err: any) {
+      res.status(403).send(err.toString())
+    }
+  }
+)
+
+export default groupRouter

api/src/routes/api/index.ts

@@ -0,0 +1,35 @@
+import express from 'express'
+import dotenv from 'dotenv'
+import swaggerUi from 'swagger-ui-express'
+
+import { authenticateAccessToken, verifyAdmin } from '../../middlewares'
+
+import driveRouter from './drive'
+import stpRouter from './stp'
+import userRouter from './user'
+import groupRouter from './group'
+import clientRouter from './client'
+import authRouter, { connectDB } from './auth'
+
+dotenv.config()
+connectDB()
+
+const router = express.Router()
+
+router.use('/drive', authenticateAccessToken, driveRouter)
+router.use('/stp', authenticateAccessToken, stpRouter)
+router.use('/user', userRouter)
+router.use('/group', groupRouter)
+router.use('/client', authenticateAccessToken, verifyAdmin, clientRouter)
+router.use('/auth', authRouter)
+router.use(
+  '/',
+  swaggerUi.serve,
+  swaggerUi.setup(undefined, {
+    swaggerOptions: {
+      url: '/swagger.yaml'
+    }
+  })
+)
+
+export default router

api/src/routes/api/spec/auth.spec.ts

@@ -0,0 +1,349 @@
+import mongoose, { Mongoose } from 'mongoose'
+import { MongoMemoryServer } from 'mongodb-memory-server'
+import request from 'supertest'
+import app from '../../../app'
+import UserController from '../../../controllers/user'
+import ClientController from '../../../controllers/client'
+import AuthController, {
+  generateAccessToken,
+  generateAuthCode,
+  generateRefreshToken
+} from '../../../controllers/auth'
+import { populateClients } from '../auth'
+import { InfoJWT } from '../../../types'
+import { saveTokensInDB, verifyTokenInDB } from '../../../utils'
+
+const clientId = 'someclientID'
+const clientSecret = 'someclientSecret'
+const user = {
+  id: 1234,
+  displayName: 'Test User',
+  username: 'testUsername',
+  password: '87654321',
+  isAdmin: false,
+  isActive: true
+}
+
+describe('auth', () => {
+  let con: Mongoose
+  let mongoServer: MongoMemoryServer
+  const userController = new UserController()
+  const clientController = new ClientController()
+
+  beforeAll(async () => {
+    mongoServer = await MongoMemoryServer.create()
+    con = await mongoose.connect(mongoServer.getUri())
+    await clientController.createClient({ clientId, clientSecret })
+    await populateClients()
+  })
+
+  afterAll(async () => {
+    await con.connection.dropDatabase()
+    await con.connection.close()
+    await mongoServer.stop()
+  })
+
+  describe('authorize', () => {
+    afterEach(async () => {
+      const collections = mongoose.connection.collections
+      const collection = collections['users']
+      await collection.deleteMany({})
+    })
+
+    it('should respond with authorization code', async () => {
+      await userController.createUser(user)
+
+      const res = await request(app)
+        .post('/SASjsApi/auth/authorize')
+        .send({
+          username: user.username,
+          password: user.password,
+          clientId
+        })
+        .expect(200)
+
+      expect(res.body).toHaveProperty('code')
+    })
+
+    it('should respond with Bad Request if username is missing', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/auth/authorize')
+        .send({
+          password: user.password,
+          clientId
+        })
+        .expect(400)
+
+      expect(res.text).toEqual(`"username" is required`)
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Bad Request if password is missing', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/auth/authorize')
+        .send({
+          username: user.username,
+          clientId
+        })
+        .expect(400)
+
+      expect(res.text).toEqual(`"password" is required`)
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Bad Request if clientId is missing', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/auth/authorize')
+        .send({
+          username: user.username,
+          password: user.password
+        })
+        .expect(400)
+
+      expect(res.text).toEqual(`"clientId" is required`)
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Forbidden if username is incorrect', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/auth/authorize')
+        .send({
+          username: user.username,
+          password: user.password,
+          clientId
+        })
+        .expect(403)
+
+      expect(res.text).toEqual('Error: Username is not found.')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Forbidden if password is incorrect', async () => {
+      await userController.createUser(user)
+
+      const res = await request(app)
+        .post('/SASjsApi/auth/authorize')
+        .send({
+          username: user.username,
+          password: 'WrongPassword',
+          clientId
+        })
+        .expect(403)
+
+      expect(res.text).toEqual('Error: Invalid password.')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Forbidden if clientId is incorrect', async () => {
+      await userController.createUser(user)
+
+      const res = await request(app)
+        .post('/SASjsApi/auth/authorize')
+        .send({
+          username: user.username,
+          password: user.password,
+          clientId: 'WrongClientID'
+        })
+        .expect(403)
+
+      expect(res.text).toEqual('Invalid clientId.')
+      expect(res.body).toEqual({})
+    })
+  })
+
+  describe('token', () => {
+    const userInfo: InfoJWT = {
+      clientId,
+      userId: user.id
+    }
+    beforeAll(async () => {
+      await userController.createUser(user)
+    })
+    afterAll(async () => {
+      const collections = mongoose.connection.collections
+      const collection = collections['users']
+      await collection.deleteMany({})
+    })
+
+    it('should respond with access and refresh tokens', async () => {
+      const code = AuthController.saveCode(
+        userInfo.userId,
+        userInfo.clientId,
+        generateAuthCode(userInfo)
+      )
+
+      const res = await request(app)
+        .post('/SASjsApi/auth/token')
+        .send({
+          clientId,
+          code
+        })
+        .expect(200)
+
+      expect(res.body).toHaveProperty('accessToken')
+      expect(res.body).toHaveProperty('refreshToken')
+    })
+
+    it('should respond with Bad Request if code is missing', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/auth/token')
+        .send({
+          clientId
+        })
+        .expect(400)
+
+      expect(res.text).toEqual(`"code" is required`)
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Bad Request if clientId is missing', async () => {
+      const code = AuthController.saveCode(
+        userInfo.userId,
+        userInfo.clientId,
+        generateAuthCode(userInfo)
+      )
+
+      const res = await request(app)
+        .post('/SASjsApi/auth/token')
+        .send({
+          code
+        })
+        .expect(400)
+
+      expect(res.text).toEqual(`"clientId" is required`)
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Forbidden if code is invalid', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/auth/token')
+        .send({
+          clientId,
+          code: 'InvalidCode'
+        })
+        .expect(403)
+
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Forbidden if clientId is invalid', async () => {
+      const code = AuthController.saveCode(
+        userInfo.userId,
+        userInfo.clientId,
+        generateAuthCode(userInfo)
+      )
+
+      const res = await request(app)
+        .post('/SASjsApi/auth/token')
+        .send({
+          clientId: 'WrongClientID',
+          code
+        })
+        .expect(403)
+
+      expect(res.body).toEqual({})
+    })
+  })
+
+  describe('refresh', () => {
+    let refreshToken: string
+    let currentUser: any
+
+    beforeEach(async () => {
+      currentUser = await userController.createUser(user)
+      refreshToken = generateRefreshToken({
+        clientId,
+        userId: currentUser.id
+      })
+      await saveTokensInDB(
+        currentUser.id,
+        clientId,
+        'accessToken',
+        refreshToken
+      )
+    })
+
+    afterEach(async () => {
+      const collections = mongoose.connection.collections
+      const collection = collections['users']
+      await collection.deleteMany({})
+    })
+
+    afterAll(async () => {
+      const collections = mongoose.connection.collections
+      const collection = collections['users']
+      await collection.deleteMany({})
+    })
+
+    it('should respond with new access and refresh tokens', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/auth/refresh')
+        .auth(refreshToken, { type: 'bearer' })
+        .send()
+        .expect(200)
+
+      expect(res.body).toHaveProperty('accessToken')
+      expect(res.body).toHaveProperty('refreshToken')
+
+      // cannot use same refresh again
+      const resWithError = await request(app)
+        .post('/SASjsApi/auth/refresh')
+        .auth(refreshToken, { type: 'bearer' })
+        .send()
+        .expect(401)
+
+      expect(resWithError.body).toEqual({})
+    })
+  })
+
+  describe('logout', () => {
+    let accessToken: string
+    let currentUser: any
+
+    beforeEach(async () => {
+      currentUser = await userController.createUser(user)
+      accessToken = generateAccessToken({
+        clientId,
+        userId: currentUser.id
+      })
+
+      await saveTokensInDB(
+        currentUser.id,
+        clientId,
+        accessToken,
+        'refreshToken'
+      )
+    })
+
+    afterEach(async () => {
+      const collections = mongoose.connection.collections
+      const collection = collections['users']
+      await collection.deleteMany({})
+    })
+
+    afterAll(async () => {
+      const collections = mongoose.connection.collections
+      const collection = collections['users']
+      await collection.deleteMany({})
+    })
+
+    it('should respond no content and remove access/refresh tokens from DB', async () => {
+      const res = await request(app)
+        .delete('/SASjsApi/auth/logout')
+        .auth(accessToken, { type: 'bearer' })
+        .send()
+        .expect(204)
+
+      expect(res.body).toEqual({})
+
+      expect(
+        await verifyTokenInDB(
+          currentUser.id,
+          clientId,
+          accessToken,
+          'accessToken'
+        )
+      ).toBeUndefined()
+    })
+  })
+})

api/src/routes/api/spec/client.spec.ts

@@ -0,0 +1,159 @@
+import mongoose, { Mongoose } from 'mongoose'
+import { MongoMemoryServer } from 'mongodb-memory-server'
+import request from 'supertest'
+import app from '../../../app'
+import UserController from '../../../controllers/user'
+import ClientController from '../../../controllers/client'
+import { generateAccessToken } from '../../../controllers/auth'
+import { saveTokensInDB } from '../../../utils'
+
+const client = {
+  clientId: 'someclientID',
+  clientSecret: 'someclientSecret'
+}
+const adminUser = {
+  displayName: 'Test Admin',
+  username: 'testAdminUsername',
+  password: '12345678',
+  isAdmin: true,
+  isActive: true
+}
+const newClient = {
+  clientId: 'newClientID',
+  clientSecret: 'newClientSecret'
+}
+
+describe('client', () => {
+  let con: Mongoose
+  let mongoServer: MongoMemoryServer
+  const userController = new UserController()
+  const clientController = new ClientController()
+
+  beforeAll(async () => {
+    mongoServer = await MongoMemoryServer.create()
+    con = await mongoose.connect(mongoServer.getUri())
+  })
+
+  afterAll(async () => {
+    await con.connection.dropDatabase()
+    await con.connection.close()
+    await mongoServer.stop()
+  })
+
+  describe('create', () => {
+    let adminAccessToken: string
+    let dbUser: any
+
+    beforeAll(async () => {
+      dbUser = await userController.createUser(adminUser)
+      adminAccessToken = generateAccessToken({
+        clientId: client.clientId,
+        userId: dbUser.id
+      })
+      await saveTokensInDB(
+        dbUser.id,
+        client.clientId,
+        adminAccessToken,
+        'refreshToken'
+      )
+    })
+
+    afterEach(async () => {
+      const collections = mongoose.connection.collections
+      const collection = collections['clients']
+      await collection.deleteMany({})
+    })
+
+    it('should respond with new client', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/client')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send(newClient)
+        .expect(200)
+
+      expect(res.body.clientId).toEqual(newClient.clientId)
+      expect(res.body.clientSecret).toEqual(newClient.clientSecret)
+    })
+
+    it('should respond with Unauthorized if access token is not present', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/client')
+        .send(newClient)
+        .expect(401)
+
+      expect(res.text).toEqual('Unauthorized')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Forbideen if access token is not of an admin account', async () => {
+      const user = {
+        displayName: 'User 1',
+        username: 'username1',
+        password: '12345678',
+        isAdmin: false,
+        isActive: true
+      }
+      const dbUser = await userController.createUser(user)
+      const accessToken = generateAccessToken({
+        clientId: client.clientId,
+        userId: dbUser.id
+      })
+      await saveTokensInDB(
+        dbUser.id,
+        client.clientId,
+        accessToken,
+        'refreshToken'
+      )
+
+      const res = await request(app)
+        .post('/SASjsApi/client')
+        .auth(accessToken, { type: 'bearer' })
+        .send(newClient)
+        .expect(401)
+
+      expect(res.text).toEqual('Admin account required')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Forbidden if clientId is already present', async () => {
+      await clientController.createClient(newClient)
+
+      const res = await request(app)
+        .post('/SASjsApi/client')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send(newClient)
+        .expect(403)
+
+      expect(res.text).toEqual('Error: Client ID already exists.')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Bad Request if clientId is missing', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/client')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({
+          ...newClient,
+          clientId: undefined
+        })
+        .expect(400)
+
+      expect(res.text).toEqual(`"clientId" is required`)
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Bad Request if clientSecret is missing', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/client')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({
+          ...newClient,
+          clientSecret: undefined
+        })
+        .expect(400)
+
+      expect(res.text).toEqual(`"clientSecret" is required`)
+      expect(res.body).toEqual({})
+    })
+  })
+})

api/src/routes/api/spec/drive.spec.ts

@@ -0,0 +1,155 @@
+import mongoose, { Mongoose } from 'mongoose'
+import { MongoMemoryServer } from 'mongodb-memory-server'
+import request from 'supertest'
+import app from '../../../app'
+import { getTreeExample } from '../../../controllers/deploy'
+import UserController from '../../../controllers/user'
+import { getTmpFilesFolderPath } from '../../../utils/file'
+import { folderExists, fileExists, readFile, deleteFolder } from '@sasjs/utils'
+import path from 'path'
+import { generateAccessToken } from '../../../controllers/auth'
+import { saveTokensInDB } from '../../../utils'
+import { FolderMember, ServiceMember } from '../../../types'
+
+const clientId = 'someclientID'
+const user = {
+  displayName: 'Test User',
+  username: 'testUsername',
+  password: '87654321',
+  isAdmin: false,
+  isActive: true
+}
+
+describe('files', () => {
+  let con: Mongoose
+  let mongoServer: MongoMemoryServer
+  const controller = new UserController()
+
+  beforeAll(async () => {
+    mongoServer = await MongoMemoryServer.create()
+    con = await mongoose.connect(mongoServer.getUri())
+  })
+
+  afterAll(async () => {
+    await con.connection.dropDatabase()
+    await con.connection.close()
+    await mongoServer.stop()
+  })
+  describe('deploy', () => {
+    let accessToken: string
+    let dbUser: any
+
+    beforeAll(async () => {
+      dbUser = await controller.createUser(user)
+      accessToken = generateAccessToken({
+        clientId,
+        userId: dbUser.id
+      })
+      await saveTokensInDB(dbUser.id, clientId, accessToken, 'refreshToken')
+    })
+    const shouldFailAssertion = async (payload: any) => {
+      const res = await request(app)
+        .post('/SASjsApi/drive/deploy')
+        .auth(accessToken, { type: 'bearer' })
+        .send(payload)
+
+      expect(res.statusCode).toEqual(400)
+      expect(res.body).toEqual({
+        status: 'failure',
+        message: 'Provided not supported data format.',
+        example: getTreeExample()
+      })
+    }
+
+    it('should respond with payload example if valid payload was not provided', async () => {
+      await shouldFailAssertion(null)
+      await shouldFailAssertion(undefined)
+      await shouldFailAssertion('data')
+      await shouldFailAssertion({})
+      await shouldFailAssertion({
+        userId: 1,
+        title: 'test is cool'
+      })
+      await shouldFailAssertion({
+        membersWRONG: []
+      })
+      await shouldFailAssertion({
+        members: {}
+      })
+      await shouldFailAssertion({
+        members: [
+          {
+            nameWRONG: 'jobs',
+            type: 'folder',
+            members: []
+          }
+        ]
+      })
+      await shouldFailAssertion({
+        members: [
+          {
+            name: 'jobs',
+            type: 'WRONG',
+            members: []
+          }
+        ]
+      })
+      await shouldFailAssertion({
+        members: [
+          {
+            name: 'jobs',
+            type: 'folder',
+            members: [
+              {
+                name: 'extract',
+                type: 'folder',
+                members: [
+                  {
+                    name: 'makedata1',
+                    type: 'service',
+                    codeWRONG: '%put Hello World!;'
+                  }
+                ]
+              }
+            ]
+          }
+        ]
+      })
+    })
+
+    it('should respond with payload example if valid payload was not provided', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/drive/deploy')
+        .auth(accessToken, { type: 'bearer' })
+        .send({ fileTree: getTreeExample() })
+
+      expect(res.statusCode).toEqual(200)
+      expect(res.text).toEqual(
+        '{"status":"success","message":"Files deployed successfully to @sasjs/server."}'
+      )
+      await expect(folderExists(getTmpFilesFolderPath())).resolves.toEqual(true)
+
+      const testJobFolder = path.join(
+        getTmpFilesFolderPath(),
+        'jobs',
+        'extract'
+      )
+      await expect(folderExists(testJobFolder)).resolves.toEqual(true)
+
+      const exampleService = getExampleService()
+      const testJobFile = path.join(testJobFolder, exampleService.name) + '.sas'
+
+      console.log(`[testJobFile]`, testJobFile)
+
+      await expect(fileExists(testJobFile)).resolves.toEqual(true)
+
+      await expect(readFile(testJobFile)).resolves.toEqual(exampleService.code)
+
+      await deleteFolder(getTmpFilesFolderPath())
+    })
+  })
+})
+
+const getExampleService = (): ServiceMember =>
+  ((getTreeExample().members[0] as FolderMember).members[0] as FolderMember)
+    .members[0] as ServiceMember

api/src/routes/api/spec/user.spec.ts

@@ -0,0 +1,514 @@
+import mongoose, { Mongoose } from 'mongoose'
+import { MongoMemoryServer } from 'mongodb-memory-server'
+import request from 'supertest'
+import app from '../../../app'
+import UserController from '../../../controllers/user'
+import { generateAccessToken } from '../../../controllers/auth'
+import { saveTokensInDB } from '../../../utils'
+
+const clientId = 'someclientID'
+const adminUser = {
+  displayName: 'Test Admin',
+  username: 'testAdminUsername',
+  password: '12345678',
+  isAdmin: true,
+  isActive: true
+}
+const user = {
+  displayName: 'Test User',
+  username: 'testUsername',
+  password: '87654321',
+  isAdmin: false,
+  isActive: true
+}
+
+const controller = new UserController()
+
+describe('user', () => {
+  let con: Mongoose
+  let mongoServer: MongoMemoryServer
+
+  beforeAll(async () => {
+    mongoServer = await MongoMemoryServer.create()
+    con = await mongoose.connect(mongoServer.getUri())
+  })
+
+  afterAll(async () => {
+    await con.connection.dropDatabase()
+    await con.connection.close()
+    await mongoServer.stop()
+  })
+
+  describe('create', () => {
+    let adminAccessToken: string
+
+    beforeEach(async () => {
+      adminAccessToken = await generateSaveTokenAndCreateUser()
+    })
+
+    afterEach(async () => {
+      await deleteAllUsers()
+    })
+
+    it('should respond with new user', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/user')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send(user)
+        .expect(200)
+
+      expect(res.body.username).toEqual(user.username)
+      expect(res.body.displayName).toEqual(user.displayName)
+      expect(res.body.isAdmin).toEqual(user.isAdmin)
+      expect(res.body.isActive).toEqual(user.isActive)
+    })
+
+    it('should respond with Unauthorized if access token is not present', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/user')
+        .send(user)
+        .expect(401)
+
+      expect(res.text).toEqual('Unauthorized')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Unauthorized if access token is not of an admin account', async () => {
+      const dbUser = await controller.createUser(user)
+      const accessToken = generateAccessToken({
+        clientId,
+        userId: dbUser.id
+      })
+      await saveTokensInDB(dbUser.id, clientId, accessToken, 'refreshToken')
+
+      const res = await request(app)
+        .post('/SASjsApi/user')
+        .auth(accessToken, { type: 'bearer' })
+        .send(user)
+        .expect(401)
+
+      expect(res.text).toEqual('Admin account required')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Forbidden if username is already present', async () => {
+      await controller.createUser(user)
+
+      const res = await request(app)
+        .post('/SASjsApi/user')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send(user)
+        .expect(403)
+
+      expect(res.text).toEqual('Error: Username already exists.')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Bad Request if username is missing', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/user')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({
+          ...user,
+          username: undefined
+        })
+        .expect(400)
+
+      expect(res.text).toEqual(`"username" is required`)
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Bad Request if password is missing', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/user')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({
+          ...user,
+          password: undefined
+        })
+        .expect(400)
+
+      expect(res.text).toEqual(`"password" is required`)
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Bad Request if displayName is missing', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/user')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({
+          ...user,
+          displayName: undefined
+        })
+        .expect(400)
+
+      expect(res.text).toEqual(`"displayName" is required`)
+      expect(res.body).toEqual({})
+    })
+  })
+
+  describe('update', () => {
+    let adminAccessToken: string
+
+    beforeEach(async () => {
+      adminAccessToken = await generateSaveTokenAndCreateUser()
+    })
+
+    afterEach(async () => {
+      await deleteAllUsers()
+    })
+
+    it('should respond with updated user when admin user requests', async () => {
+      const dbUser = await controller.createUser(user)
+      const newDisplayName = 'My new display Name'
+
+      const res = await request(app)
+        .patch(`/SASjsApi/user/${dbUser.id}`)
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({ ...user, displayName: newDisplayName })
+        .expect(200)
+
+      expect(res.body.username).toEqual(user.username)
+      expect(res.body.displayName).toEqual(newDisplayName)
+      expect(res.body.isAdmin).toEqual(user.isAdmin)
+      expect(res.body.isActive).toEqual(user.isActive)
+    })
+
+    it('should respond with updated user when user himself requests', async () => {
+      const dbUser = await controller.createUser(user)
+      const accessToken = await generateAndSaveToken(dbUser.id)
+      const newDisplayName = 'My new display Name'
+
+      const res = await request(app)
+        .patch(`/SASjsApi/user/${dbUser.id}`)
+        .auth(accessToken, { type: 'bearer' })
+        .send({
+          displayName: newDisplayName,
+          username: user.username,
+          password: user.password
+        })
+        .expect(200)
+
+      expect(res.body.username).toEqual(user.username)
+      expect(res.body.displayName).toEqual(newDisplayName)
+      expect(res.body.isAdmin).toEqual(user.isAdmin)
+      expect(res.body.isActive).toEqual(user.isActive)
+    })
+
+    it('should respond with Bad Request, only admin can update isAdmin/isActive', async () => {
+      const dbUser = await controller.createUser(user)
+      const accessToken = await generateAndSaveToken(dbUser.id)
+      const newDisplayName = 'My new display Name'
+
+      await request(app)
+        .patch(`/SASjsApi/user/${dbUser.id}`)
+        .auth(accessToken, { type: 'bearer' })
+        .send({ ...user, displayName: newDisplayName })
+        .expect(400)
+    })
+
+    it('should respond with Unauthorized if access token is not present', async () => {
+      const res = await request(app)
+        .patch('/SASjsApi/user/1234')
+        .send(user)
+        .expect(401)
+
+      expect(res.text).toEqual('Unauthorized')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Unauthorized when access token is not of an admin account or himself', async () => {
+      const dbUser1 = await controller.createUser(user)
+      const dbUser2 = await controller.createUser({
+        ...user,
+        username: 'randomUser'
+      })
+      const accessToken = await generateAndSaveToken(dbUser2.id)
+
+      const res = await request(app)
+        .patch(`/SASjsApi/user/${dbUser1.id}`)
+        .auth(accessToken, { type: 'bearer' })
+        .send(user)
+        .expect(401)
+
+      expect(res.text).toEqual('Admin account required')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Forbidden if username is already present', async () => {
+      const dbUser1 = await controller.createUser(user)
+      const dbUser2 = await controller.createUser({
+        ...user,
+        username: 'randomUser'
+      })
+
+      const res = await request(app)
+        .patch(`/SASjsApi/user/${dbUser1.id}`)
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({ username: dbUser2.username })
+        .expect(403)
+
+      expect(res.text).toEqual('Error: Username already exists.')
+      expect(res.body).toEqual({})
+    })
+  })
+
+  describe('delete', () => {
+    let adminAccessToken: string
+
+    beforeEach(async () => {
+      adminAccessToken = await generateSaveTokenAndCreateUser()
+    })
+
+    afterEach(async () => {
+      await deleteAllUsers()
+    })
+
+    it('should respond with OK when admin user requests', async () => {
+      const dbUser = await controller.createUser(user)
+
+      const res = await request(app)
+        .delete(`/SASjsApi/user/${dbUser.id}`)
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send()
+        .expect(200)
+
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with OK when user himself requests', async () => {
+      const dbUser = await controller.createUser(user)
+      const accessToken = await generateAndSaveToken(dbUser.id)
+
+      const res = await request(app)
+        .delete(`/SASjsApi/user/${dbUser.id}`)
+        .auth(accessToken, { type: 'bearer' })
+        .send({ password: user.password })
+        .expect(200)
+
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Bad Request when user himself requests and password is missing', async () => {
+      const dbUser = await controller.createUser(user)
+      const accessToken = await generateAndSaveToken(dbUser.id)
+
+      const res = await request(app)
+        .delete(`/SASjsApi/user/${dbUser.id}`)
+        .auth(accessToken, { type: 'bearer' })
+        .send()
+        .expect(400)
+
+      expect(res.text).toEqual(`"password" is required`)
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Unauthorized when access token is not present', async () => {
+      const res = await request(app)
+        .delete('/SASjsApi/user/1234')
+        .send(user)
+        .expect(401)
+
+      expect(res.text).toEqual('Unauthorized')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Unauthorized when access token is not of an admin account or himself', async () => {
+      const dbUser1 = await controller.createUser(user)
+      const dbUser2 = await controller.createUser({
+        ...user,
+        username: 'randomUser'
+      })
+      const accessToken = await generateAndSaveToken(dbUser2.id)
+
+      const res = await request(app)
+        .delete(`/SASjsApi/user/${dbUser1.id}`)
+        .auth(accessToken, { type: 'bearer' })
+        .send(user)
+        .expect(401)
+
+      expect(res.text).toEqual('Admin account required')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Forbidden when user himself requests and password is incorrect', async () => {
+      const dbUser = await controller.createUser(user)
+      const accessToken = await generateAndSaveToken(dbUser.id)
+
+      const res = await request(app)
+        .delete(`/SASjsApi/user/${dbUser.id}`)
+        .auth(accessToken, { type: 'bearer' })
+        .send({ password: 'incorrectpassword' })
+        .expect(403)
+
+      expect(res.text).toEqual('Error: Invalid password.')
+      expect(res.body).toEqual({})
+    })
+  })
+
+  describe('get', () => {
+    let adminAccessToken: string
+
+    beforeEach(async () => {
+      adminAccessToken = await generateSaveTokenAndCreateUser()
+    })
+
+    afterEach(async () => {
+      await deleteAllUsers()
+    })
+
+    it('should respond with user', async () => {
+      const dbUser = await controller.createUser(user)
+      const userId = dbUser.id
+
+      const res = await request(app)
+        .get(`/SASjsApi/user/${userId}`)
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send(user)
+        .expect(200)
+
+      expect(res.body.username).toEqual(user.username)
+      expect(res.body.displayName).toEqual(user.displayName)
+      expect(res.body.isAdmin).toEqual(user.isAdmin)
+      expect(res.body.isActive).toEqual(user.isActive)
+    })
+
+    it('should respond with user when access token is not of an admin account', async () => {
+      const accessToken = await generateSaveTokenAndCreateUser({
+        ...user,
+        username: 'randomUser'
+      })
+
+      const dbUser = await controller.createUser(user)
+      const userId = dbUser.id
+
+      const res = await request(app)
+        .get(`/SASjsApi/user/${userId}`)
+        .auth(accessToken, { type: 'bearer' })
+        .send(user)
+        .expect(200)
+
+      expect(res.body.username).toEqual(user.username)
+      expect(res.body.displayName).toEqual(user.displayName)
+      expect(res.body.isAdmin).toEqual(user.isAdmin)
+      expect(res.body.isActive).toEqual(user.isActive)
+    })
+
+    it('should respond with Unauthorized if access token is not present', async () => {
+      const res = await request(app)
+        .get('/SASjsApi/user/1234')
+        .send(user)
+        .expect(401)
+
+      expect(res.text).toEqual('Unauthorized')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Forbidden if userId is incorrect', async () => {
+      await controller.createUser(user)
+
+      const res = await request(app)
+        .get('/SASjsApi/user/1234')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send(user)
+        .expect(403)
+
+      expect(res.text).toEqual('Error: User is not found.')
+      expect(res.body).toEqual({})
+    })
+  })
+
+  describe('getAll', () => {
+    let adminAccessToken: string
+
+    beforeEach(async () => {
+      adminAccessToken = await generateSaveTokenAndCreateUser()
+    })
+
+    afterEach(async () => {
+      await deleteAllUsers()
+    })
+
+    it('should respond with all users', async () => {
+      await controller.createUser(user)
+
+      const res = await request(app)
+        .get('/SASjsApi/user')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send(user)
+        .expect(200)
+
+      expect(res.body).toEqual([
+        {
+          id: expect.anything(),
+          username: adminUser.username,
+          displayName: adminUser.displayName
+        },
+        {
+          id: expect.anything(),
+          username: user.username,
+          displayName: user.displayName
+        }
+      ])
+    })
+
+    it('should respond with all users when access token is not of an admin account', async () => {
+      const accessToken = await generateSaveTokenAndCreateUser({
+        ...user,
+        username: 'randomUser'
+      })
+
+      const res = await request(app)
+        .get('/SASjsApi/user')
+        .auth(accessToken, { type: 'bearer' })
+        .send(user)
+        .expect(200)
+
+      expect(res.body).toEqual([
+        {
+          id: expect.anything(),
+          username: adminUser.username,
+          displayName: adminUser.displayName
+        },
+        {
+          id: expect.anything(),
+          username: 'randomUser',
+          displayName: user.displayName
+        }
+      ])
+    })
+
+    it('should respond with Unauthorized if access token is not present', async () => {
+      const res = await request(app)
+        .get('/SASjsApi/user')
+        .send(user)
+        .expect(401)
+
+      expect(res.text).toEqual('Unauthorized')
+      expect(res.body).toEqual({})
+    })
+  })
+})
+
+const generateSaveTokenAndCreateUser = async (
+  someUser?: any
+): Promise<string> => {
+  const dbUser = await controller.createUser(someUser ?? adminUser)
+
+  return generateAndSaveToken(dbUser.id)
+}
+
+const generateAndSaveToken = async (userId: number) => {
+  const adminAccessToken = generateAccessToken({
+    clientId,
+    userId
+  })
+  await saveTokensInDB(userId, clientId, adminAccessToken, 'refreshToken')
+  return adminAccessToken
+}
+
+const deleteAllUsers = async () => {
+  const { collections } = mongoose.connection
+  const collection = collections['users']
+  await collection.deleteMany({})
+}

api/src/routes/api/stp.ts

@@ -0,0 +1,93 @@
+import express from 'express'
+import { isExecutionQuery } from '../../types'
+import path from 'path'
+import { getTmpFilesFolderPath, makeFilesNamesMap } from '../../utils'
+import { ExecutionController, FileUploadController } from '../../controllers'
+
+const stpRouter = express.Router()
+
+const fileUploadController = new FileUploadController()
+
+stpRouter.get('/execute', async (req, res) => {
+  if (isExecutionQuery(req.query)) {
+    let sasCodePath =
+      path
+        .join(getTmpFilesFolderPath(), req.query._program)
+        .replace(new RegExp('/', 'g'), path.sep) + '.sas'
+
+    await new ExecutionController()
+      .execute(sasCodePath, undefined, undefined, { ...req.query })
+      .then((result: {}) => {
+        res.status(200).send(result)
+      })
+      .catch((err: {} | string) => {
+        res.status(400).send({
+          status: 'failure',
+          message: 'Job execution failed.',
+          ...(typeof err === 'object' ? err : { details: err })
+        })
+      })
+  } else {
+    res.status(400).send({
+      status: 'failure',
+      message: `Please provide the location of SAS code`
+    })
+  }
+})
+
+stpRouter.post(
+  '/execute',
+  fileUploadController.preuploadMiddleware,
+  fileUploadController.getMulterUploadObject().any(),
+  async (req: any, res: any) => {
+    let _program
+    if (isExecutionQuery(req.query)) {
+      _program = req.query._program
+    } else if (isExecutionQuery(req.body)) {
+      _program = req.body._program
+    }
+
+    if (_program) {
+      let sasCodePath =
+        path
+          .join(getTmpFilesFolderPath(), _program)
+          .replace(new RegExp('/', 'g'), path.sep) + '.sas'
+
+      let filesNamesMap = null
+
+      if (req.files && req.files.length > 0) {
+        filesNamesMap = makeFilesNamesMap(req.files)
+      }
+
+      await new ExecutionController()
+        .execute(
+          sasCodePath,
+          undefined,
+          req.sasSession,
+          { ...req.query, ...req.body },
+          { filesNamesMap: filesNamesMap },
+          true
+        )
+        .then((result: {}) => {
+          res.status(200).send({
+            status: 'success',
+            ...result
+          })
+        })
+        .catch((err: {} | string) => {
+          res.status(400).send({
+            status: 'failure',
+            message: 'Job execution failed.',
+            ...(typeof err === 'object' ? err : { details: err })
+          })
+        })
+    } else {
+      res.status(400).send({
+        status: 'failure',
+        message: `Please provide the location of SAS code`
+      })
+    }
+  }
+)
+
+export default stpRouter

api/src/routes/api/user.ts

@@ -0,0 +1,95 @@
+import express from 'express'
+import UserController from '../../controllers/user'
+import {
+  authenticateAccessToken,
+  verifyAdmin,
+  verifyAdminIfNeeded
+} from '../../middlewares'
+import {
+  deleteUserValidation,
+  registerUserValidation,
+  updateUserValidation
+} from '../../utils'
+
+const userRouter = express.Router()
+
+userRouter.post('/', authenticateAccessToken, verifyAdmin, async (req, res) => {
+  const { error, value: body } = registerUserValidation(req.body)
+  if (error) return res.status(400).send(error.details[0].message)
+
+  const controller = new UserController()
+  try {
+    const response = await controller.createUser(body)
+    res.send(response)
+  } catch (err: any) {
+    res.status(403).send(err.toString())
+  }
+})
+
+userRouter.get('/', authenticateAccessToken, async (req, res) => {
+  const controller = new UserController()
+  try {
+    const response = await controller.getAllUsers()
+    res.send(response)
+  } catch (err: any) {
+    res.status(403).send(err.toString())
+  }
+})
+
+userRouter.get('/:userId', authenticateAccessToken, async (req: any, res) => {
+  const { userId } = req.params
+
+  const controller = new UserController()
+  try {
+    const response = await controller.getUser(userId)
+    res.send(response)
+  } catch (err: any) {
+    res.status(403).send(err.toString())
+  }
+})
+
+userRouter.patch(
+  '/:userId',
+  authenticateAccessToken,
+  verifyAdminIfNeeded,
+  async (req: any, res) => {
+    const { user } = req
+    const { userId } = req.params
+
+    // only an admin can update `isActive` and `isAdmin` fields
+    const { error, value: body } = updateUserValidation(req.body, user.isAdmin)
+    if (error) return res.status(400).send(error.details[0].message)
+
+    const controller = new UserController()
+    try {
+      const response = await controller.updateUser(userId, body)
+      res.send(response)
+    } catch (err: any) {
+      res.status(403).send(err.toString())
+    }
+  }
+)
+
+userRouter.delete(
+  '/:userId',
+  authenticateAccessToken,
+  verifyAdminIfNeeded,
+  async (req: any, res) => {
+    const { user } = req
+    const { userId } = req.params
+
+    // only an admin can delete user without providing password
+    const { error, value: data } = deleteUserValidation(req.body, user.isAdmin)
+    if (error) return res.status(400).send(error.details[0].message)
+
+    const controller = new UserController()
+    try {
+      await controller.deleteUser(userId, data, user.isAdmin)
+      res.status(200).send('Account Deleted!')
+    } catch (err: any) {
+      res.status(403).send(err.toString())
+    }
+  }
+)
+
+export default userRouter

api/src/routes/web/index.ts

@@ -0,0 +1,8 @@
+import express from 'express'
+import webRouter from './web'
+
+const router = express.Router()
+
+router.use('/', webRouter)
+
+export default router

api/src/routes/web/web.ts

@@ -0,0 +1,13 @@
+import express from 'express'
+import { isExecutionQuery } from '../../types'
+import path from 'path'
+import { getTmpFilesFolderPath, getWebBuildFolderPath } from '../../utils'
+import { ExecutionController } from '../../controllers'
+
+const webRouter = express.Router()
+
+webRouter.get('/', async (_, res) => {
+  res.sendFile(path.join(getWebBuildFolderPath(), 'index.html'))
+})
+
+export default webRouter