chore(release): 0.37.0 [skip ci]

# [0.37.0](https://github.com/sasjs/server/compare/v0.36.0...v0.37.0) (2024-10-29)

### Features

* **stp:** added trigger endpoint ([b0723f1](b0723f1444))

.all-contributorsrc

@@ -0,0 +1,84 @@
+{
+  "projectName": "server",
+  "projectOwner": "sasjs",
+  "repoType": "github",
+  "repoHost": "https://github.com",
+  "files": [
+    "README.md"
+  ],
+  "imageSize": 100,
+  "commit": true,
+  "commitConvention": "angular",
+  "contributors": [
+    {
+      "login": "saadjutt01",
+      "name": "Saad Jutt",
+      "avatar_url": "https://avatars.githubusercontent.com/u/8914650?v=4",
+      "profile": "https://github.com/saadjutt01",
+      "contributions": [
+        "code",
+        "test"
+      ]
+    },
+    {
+      "login": "sabhas",
+      "name": "Sabir Hassan",
+      "avatar_url": "https://avatars.githubusercontent.com/u/82647447?v=4",
+      "profile": "https://github.com/sabhas",
+      "contributions": [
+        "code",
+        "test"
+      ]
+    },
+    {
+      "login": "YuryShkoda",
+      "name": "Yury Shkoda",
+      "avatar_url": "https://avatars.githubusercontent.com/u/25773492?v=4",
+      "profile": "https://www.erudicat.com/",
+      "contributions": [
+        "code",
+        "test"
+      ]
+    },
+    {
+      "login": "medjedovicm",
+      "name": "Mihajlo Medjedovic",
+      "avatar_url": "https://avatars.githubusercontent.com/u/18329105?v=4",
+      "profile": "https://github.com/medjedovicm",
+      "contributions": [
+        "code",
+        "test"
+      ]
+    },
+    {
+      "login": "allanbowe",
+      "name": "Allan Bowe",
+      "avatar_url": "https://avatars.githubusercontent.com/u/4420615?v=4",
+      "profile": "https://4gl.io/",
+      "contributions": [
+        "code",
+        "doc"
+      ]
+    },
+    {
+      "login": "VladislavParhomchik",
+      "name": "Vladislav Parhomchik",
+      "avatar_url": "https://avatars.githubusercontent.com/u/83717836?v=4",
+      "profile": "https://github.com/VladislavParhomchik",
+      "contributions": [
+        "test"
+      ]
+    },
+    {
+      "login": "kknapen",
+      "name": "Koen Knapen",
+      "avatar_url": "https://avatars.githubusercontent.com/u/78609432?v=4",
+      "profile": "https://github.com/kknapen",
+      "contributions": [
+        "userTesting"
+      ]
+    }
+  ],
+  "contributorsPerLine": 7,
+  "skipCi": true
+}

.github/CONTRIBUTING.md

@@ -2,25 +2,22 @@
 
 Contributions are very welcome!  Feel free to raise an issue or start a discussion, for help in getting started.
 
+The app can be deployed using Docker or NodeJS.
 
 ## Configuration
 
-Configuration is made in the `configuration` section of `package.json`:
+Configuration is made using `.env` files (per [README.md](https://github.com/sasjs/server#env-var-configuration) settings), _except_ for one case, when running in NodeJS in production - in which case the path to the SAS executable is made in the `configuration` section of `package.json`.
 
-- Provide path to SAS9 executable.
+The `.env` file should be created in the location(s) below.  Each folder contains a `.env.example` file that may be adjusted and renamed.
+
+* `.env` - the root .env file is used only for Docker deploys.
+* `api/.env` - this is the primary file used in NodeJS deploys
+* `web/.env` - this file is only necessary in NodeJS when running `web` and `api` seperately (on different ports).
 
 
-### Using dockers:
+## Using Docker
 
-There is `.env.example` file present at root of the project. [for Production]
-
-There is `.env.example` file present at `./api` of the project. [for Development]
-
-There is `.env.example` file present at `./web` of the project. [for Development]
-
-Remember to provide enviornment variables.
-
-#### Development
+### Docker Development Mode
 
 Command to run docker for development:
 
@@ -38,7 +35,7 @@ It will build following images if running first time:
 - `mongo-seed-clients` - will be populating client data specified in _./mongo-seed/clients/client.json_
 
 
-#### Production
+### Docker Production Mode
 
 Command to run docker for production:
 
@@ -54,47 +51,45 @@ It will build following images if running first time:
 - `mongo-seed-users` - will be populating user data specified in _./mongo-seed/users/user.json_
 - `mongo-seed-clients` - will be populating client data specified in _./mongo-seed/clients/client.json_
 
-### Using node:
+## Using NodeJS:
 
-#### Development (running api and web seperately):
+Be sure to use v16 or above, and to set your environment variables in the relevant `.env` file(s) - else defaults will be used.
 
-##### API
+### NodeJS Development Mode
 
-Navigate to `./api`
-There is `.env.example` file present at `./api` directory. Remember to provide enviornment variables else default values will be used mentioned in `.env.example` files
-Command to install and run api server.
+SASjs Server is split between an API server (serving REST requests) and a WEB Server (everything else).  These can be run together, or on seperate ports.
+
+### NodeJS Dev - Single Port
+
+Here the environment variables should be configured under `api.env`.  Then:
 
 ```
+cd ./web && npm i && npm build
+cd ../api && npm i && npm start
+```
+
+### NodeJS Dev - Seperate Ports
+
+Set the backend variables in `api/.env` and the frontend variables in `web/.env`. Then:
+
+#### API server
+```
+cd api
 npm install
 npm start
 ```
 
-##### Web
-
-Navigate to `./web`
-There is `.env.example` file present at `./web` directory. Remember to provide enviornment variables else default values will be used mentioned in `.env.example` files
-Command to install and run api server.
+#### Web Server 
 
 ```
+cd web
 npm install
 npm start
 ```
 
-#### Development (running only api server and have web build served):
+#### NodeJS Production Mode
 
-##### API server also serving Web build files
-
-There is `.env.example` file present at `./api` directory. Remember to provide enviornment variables else default values will be used mentioned in `.env.example` files
-Command to install and run api server.
-
-```
-cd ./web && npm i && npm build && cd ../
-cd ./api && npm i && npm start
-```
-
-#### Production
-
-##### API & WEB
+Update the `.env` file in the *api* folder.  Then:
 
 ```
 npm run server
@@ -105,7 +100,7 @@ This will install/build `web` and install `api`, then start prod server.
 
 ## Executables
 
-Command to generate executables
+In order to generate the final executables:
 
 ```
 cd ./web && npm i && npm build && cd ../
@@ -113,3 +108,7 @@ cd ./api && npm i && npm run exe
 ```
 
 This will install/build web app and install/create executables of sasjs server at root `./executables`
+
+## Releases
+
+To cut a release, run `npm run release` on the main branch, then push the tags (per the console log link)

.github/FUNDING.yml

@@ -0,0 +1,3 @@
+# These are supported funding model platforms
+
+github: [sasjs]

.github/workflows/build.yml

@@ -54,6 +54,10 @@ jobs:
           ACCESS_TOKEN_SECRET: ${{secrets.ACCESS_TOKEN_SECRET}}
           REFRESH_TOKEN_SECRET: ${{secrets.REFRESH_TOKEN_SECRET}}
           AUTH_CODE_SECRET: ${{secrets.AUTH_CODE_SECRET}}
+          SESSION_SECRET: ${{secrets.SESSION_SECRET}}
+          RUN_TIMES: 'sas,js'
+          SAS_PATH: '/some/path/to/sas'
+          NODE_PATH: '/some/path/to/node'
 
       - name: Build Package
         working-directory: ./api

.github/workflows/release.yml

@@ -2,16 +2,26 @@ name: SASjs Server Executable Release
 
 on:
   push:
-    tags:
-      - 'v*.*.*'
+    branches:
+      - main
 
 jobs:
   release:
     runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        node-version: [lts/*]
+
     steps:
       - name: Checkout
         uses: actions/checkout@v2
 
+      - name: Use Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v2
+        with:
+          node-version: ${{ matrix.node-version }}
+
       - name: Install Dependencies WEB
         working-directory: ./web
         run: npm ci
@@ -39,10 +49,11 @@ jobs:
           zip macos.zip api-macos
           zip windows.zip api-win.exe
 
+      - name: Install Semantic Release and plugins
+        run: |
+          npm i
+          npm i -g semantic-release
+
       - name: Release
-        uses: softprops/action-gh-release@v1
-        with:
-          files: |
-            ./executables/linux.zip
-            ./executables/macos.zip
-            ./executables/windows.zip
+        run: |
+          GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} semantic-release

.gitignore

@@ -4,9 +4,12 @@ node_modules/
 .DS_Store
 .env*
 sas/
+sasjs_root/
 tmp/
 build/
 sasjsbuild/
+sasjscore/
 certificates/
 executables/
 .env
+api/csp.config.json

.nvmrc

@@ -0,0 +1 @@
+v16.15.1

.releaserc

@@ -0,0 +1,43 @@
+{
+  "branches": [
+    "main"
+  ],
+  "plugins": [
+    "@semantic-release/commit-analyzer",
+    "@semantic-release/release-notes-generator",
+    "@semantic-release/changelog",
+    [
+      "@semantic-release/git",
+      {
+        "assets": [
+          "CHANGELOG.md"
+        ]
+      }
+    ],
+    [
+      "@semantic-release/github",
+      {
+        "assets": [
+          {
+            "path": "./executables/linux.zip",
+            "label": "Linux Executable Binary"
+          },
+          {
+            "path": "./executables/macos.zip",
+            "label": "Macos Executable Binary"
+          },
+          {
+            "path": "./executables/windows.zip",
+            "label": "Windows Executable Binary"
+          }
+        ]
+      }
+    ],
+    [
+      "@semantic-release/exec",
+      {
+        "publishCmd": "echo 'publish command'"
+      }
+    ]
+  ]
+}

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2022 SASjs
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,19 @@
+## Issue
+
+Link any related issue(s) in this section.
+
+## Intent
+
+What this PR intends to achieve.
+
+## Implementation
+
+What code changes have been made to achieve the intent.
+
+## Checks
+
+- [ ] Code is formatted correctly (`npm run lint:fix`).
+- [ ] Any new functionality has been unit tested.
+- [ ] All unit tests are passing (`npm test`).
+- [ ] All CI checks are green.
+- [ ] Reviewer is assigned.

README.md

@@ -1,29 +1,27 @@
 # SASjs Server
 
-SASjs Server provides a NodeJS wrapper for calling the SAS binary executable. It can be installed on an actual SAS server, or it could even run locally on your desktop. It provides the following functionality:
+<!-- ALL-CONTRIBUTORS-BADGE:START - Do not remove or modify this section -->
+
+[![All Contributors](https://img.shields.io/badge/all_contributors-7-orange.svg?style=flat-square)](#contributors-)
+
+<!-- ALL-CONTRIBUTORS-BADGE:END -->
+
+SASjs Server provides a NodeJS wrapper for calling the SAS binary executable. It can be installed on an actual SAS server, or locally on your desktop. It provides:
 
 - Virtual filesystem for storing SAS programs and other content
 - Ability to execute Stored Programs from a URL
 - Ability to create web apps using simple Desktop SAS
+- REST API with Swagger Docs
 
-One major benefit of using SASjs Server (alongside other components of the SASjs framework such as the [CLI](https://cli.sasjs.io), [Adapter](https://adapter.sasjs.io) and [Core](https://core.sasjs.io) library) is that the projects you create can be very easily ported to SAS 9 (Stored Process server) or Viya (Job Execution server).
+One major benefit of using SASjs Server alongside other components of the SASjs framework such as the [CLI](https://cli.sasjs.io), [Adapter](https://adapter.sasjs.io) and [Core](https://core.sasjs.io) library, is that the projects you create can be very easily ported to SAS 9 (Stored Process server) or Viya (Job Execution server).
 
-SASjs Server is available in two modes - Desktop (without authentication) and Server (with authentiation, and a database)
+SASjs Server is available in two modes - Desktop (without authentication) and Server (with authentication, and a database)
 
-## Desktop Version
+## Installation
 
-### Manual Installation
+Installation can be made programmatically using command line, or by manually downloading and running the executable.
 
-Download the relevant package from the [releases](https://github.com/sasjs/server/releases) page
-
-Next, trigger by double clicking (windows) or executing from commandline.
-
-You are presented with two prompts:
-
-- Location of your `sas.exe` / `sas.sh` executable
-- Path to a filesystem location for Stored Programs and temporary files
-
-## Programmatic Installation
+### Programmatic
 
 Fetch the relevant package from github using `curl`, eg as follows (for linux):
 
@@ -32,36 +30,212 @@ curl -L https://github.com/sasjs/server/releases/latest/download/linux.zip > lin
 unzip linux.zip
 ```
 
-The app can then be launched with `./api-linux` and prompts followed.
+The app can then be launched with `./api-linux` and prompts followed (if ENV vars not set).
+
+### Manual
+
+1. Download the relevant package from the [releases](https://github.com/sasjs/server/releases) page
+2. Trigger by double clicking (windows) or executing from commandline.
+
+You are presented with two prompts (if not set as ENV vars):
+
+- Location of your `sas.exe` / `sas.sh` executable
+- Path to a filesystem location for Stored Programs and temporary files
+
+## ENV Var configuration
 
 When launching the app, it will make use of specific environment variables. These can be set in the following places:
 
-- Configured globally in /etc/environment file
+- Configured globally in `/etc/environment` file
 - Export in terminal or shell script (`export VAR=VALUE`)
-- Prepend in command
+- Prepended in the command
 - Enter in the `.env` file alongside the executable
 
-Example variables:
+Example contents of a `.env` file:
 
 ```
-PORT=5004
+#
+## Core Settings
+#
+
+
+# MODE options: [desktop|server] default: `desktop`
+# Desktop mode is single user and designed for workstation use
+# Server mode is multi-user and suitable for intranet / internet use
+MODE=
+
+# A comma separated string that defines the available runTimes.
+# Priority is given to the runtime that comes first in the string.
+# Possible options at the moment are sas, js, py and r
+
+# This string sets the priority of the available analytic runtimes
+# Valid runtimes are SAS (sas), JavaScript (js), Python (py) and R (r)
+# For each option provided, there should be a corresponding path,
+# eg SAS_PATH, NODE_PATH, PYTHON_PATH or RSCRIPT_PATH
+# Priority is given to runtimes earlier in the string
+# Example options:  [sas,js,py | js,py | sas | sas,js | r | sas,r]
+RUN_TIMES=
+
+# Path to SAS executable (sas.exe / sas.sh)
 SAS_PATH=/path/to/sas/executable.exe
-DRIVE_PATH=./tmp
+
+# Path to Node.js executable
+NODE_PATH=~/.nvm/versions/node/v16.14.0/bin/node
+
+# Path to Python executable
+PYTHON_PATH=/usr/bin/python
+
+# Path to R executable
+R_PATH=/usr/bin/Rscript
+
+# Path to working directory
+# This location is for SAS WORK, staged files, DRIVE, configuration etc
+SASJS_ROOT=./sasjs_root
+
+
+# This location is for files, sasjs packages and appStreamConfig.json
+DRIVE_LOCATION=./sasjs_root/drive
+
+
+# options: [http|https] default: http
+PROTOCOL=
+
+# default: 5000
+PORT=
+
+# options: [sas9|sasviya]
+# If not present, mocking function is disabled
+MOCK_SERVERTYPE=
+
+# default: /api/mocks
+# Path to mocking folder, for generic responses, it's sub directories should be: sas9, viya, sasjs
+# Server will automatically use subdirectory accordingly
+STATIC_MOCK_LOCATION=
+
+#
+## Additional SAS Options
+#
+
+
+# On windows use SAS_OPTIONS and on unix use SASV9_OPTIONS
+# Any options set here are automatically applied in the SAS session
+# See: https://documentation.sas.com/doc/en/pgmsascdc/9.4_3.5/hostunx/p0wrdmqp8k0oyyn1xbx3bp3qy2wl.htm
+# And: https://documentation.sas.com/doc/en/pgmsascdc/9.4_3.5/hostwin/p0drw76qo0gig2n1kcoliekh605k.htm#p09y7hx0grw1gin1giuvrjyx61m6
+SAS_OPTIONS= -NOXCMD
+SASV9_OPTIONS= -NOXCMD
+
+
+#
+## Additional Web Server Options
+#
+
+# ENV variables for PROTOCOL: `https`
+PRIVATE_KEY=privkey.pem (required)
+CERT_CHAIN=certificate.pem (required)
+CA_ROOT=fullchain.pem (optional)
+
+## ENV variables required for MODE: `server`
+DB_CONNECT=mongodb+srv://<DB_USERNAME>:<DB_PASSWORD>@<CLUSTER>/<DB_NAME>?retryWrites=true&w=majority
+
+# options: [mongodb|cosmos_mongodb] default: mongodb
+DB_TYPE=
+
+# AUTH_PROVIDERS options: [ldap] default: ``
+AUTH_PROVIDERS=
+
+## ENV variables required for AUTH_MECHANISM: `ldap`
+LDAP_URL= <LDAP_SERVER_URL>
+LDAP_BIND_DN= <cn=admin,ou=system,dc=cloudron>
+LDAP_BIND_PASSWORD = <password>
+LDAP_USERS_BASE_DN = <ou=users,dc=cloudron>
+LDAP_GROUPS_BASE_DN = <ou=groups,dc=cloudron>
+
+# options: [disable|enable] default: `disable` for `server` & `enable` for `desktop`
+# If enabled, be sure to also configure the WHITELIST of third party servers.
+CORS=
+
+# options: <http://localhost:3000 https://abc.com ...> space separated urls
+WHITELIST=
+
+# HELMET Cross Origin Embedder Policy
+# Sets the Cross-Origin-Embedder-Policy header to require-corp when `true`
+# options: [true|false] default: true
+# Docs: https://helmetjs.github.io/#reference (`crossOriginEmbedderPolicy`)
+HELMET_COEP=
+
+# HELMET Content Security Policy
+# Path to a json file containing HELMET `contentSecurityPolicy` directives
+# Docs: https://helmetjs.github.io/#reference
+#
+# Example config:
+# {
+#   "img-src": ["'self'", "data:"],
+#   "script-src": ["'self'", "'unsafe-inline'"],
+#   "script-src-attr": ["'self'", "'unsafe-inline'"]
+# }
+HELMET_CSP_CONFIG_PATH=./csp.config.json
+
+# To prevent brute force attack on login route we have implemented rate limiter
+# Only valid for MODE: server
+# Following are configurable env variable rate limiter
+
+# After this, access is blocked for 1 day
+MAX_WRONG_ATTEMPTS_BY_IP_PER_DAY = <number> default: 100;
+
+
+# After this, access is blocked for an hour
+# Store number for 24 days since first fail
+# Once a successful login is attempted, it resets
+MAX_CONSECUTIVE_FAILS_BY_USERNAME_AND_IP = <number> default: 10;
+
+# Name of the admin user that will be created on startup if not exists already
+# Default is `secretuser`
+ADMIN_USERNAME=secretuser
+
+# Temporary password for the ADMIN_USERNAME, which is in place until the first login
+# Default is `secretpassword`
+ADMIN_PASSWORD_INITIAL=secretpassword
+
+# Specify whether app has to reset the ADMIN_USERNAME's password or not
+# Default is NO. Possible options are YES and NO
+# If ADMIN_PASSWORD_RESET is YES then the ADMIN_USERNAME will be prompted to change the password from ADMIN_PASSWORD_INITIAL on their next login. This will repeat on every server restart, unless the option is removed / set to NO.
+ADMIN_PASSWORD_RESET=NO
+
+# LOG_FORMAT_MORGAN options: [combined|common|dev|short|tiny] default: `common`
+# Docs: https://www.npmjs.com/package/morgan#predefined-formats
+LOG_FORMAT_MORGAN=
+
+# This location is for server logs with classical UNIX logrotate behavior
+LOG_LOCATION=./sasjs_root/logs
+
 ```
 
-Setting these prompts variables will avoid the need for prompts.
+## Persisting the Session
 
-Normally the server process will stop when your terminal dies. To keep it going you can use the npm package [pm2](https://www.npmjs.com/package/pm2) (`npm install pm2@latest -g`) as follows:
+Normally the server process will stop when your terminal dies. To keep it going you can use the following suggested approaches:
+
+1. Linux Background Job
+2. NPM package `pm2`
+
+### Background Job
+
+Trigger the command using NOHUP, redirecting the output commands, eg `nohup ./api-linux > server.log 2>&1 &`.
+
+You can now see the job running using the `jobs` command. To ensure that it will still run when your terminal is closed, execute the `disown` command. To kill it later, use the `kill -9 <pid>` command. You can see your sessions using `top -u <userid>`. Type `c` to see the commands being run against each pid.
+
+### PM2
+
+Install the npm package [pm2](https://www.npmjs.com/package/pm2) (`npm install pm2@latest -g`) and execute, eg as follows:
 
 ```bash
 export SAS_PATH=/opt/sas9/SASHome/SASFoundation/9.4/sasexe/sas
 export PORT=5001
-export DRIVE_PATH=./tmp
+export SASJS_ROOT=./sasjs_root
 
 pm2 start api-linux
 ```
 
-To get the logs (and some usefull commands):
+To get the logs (and some useful commands):
 
 ```bash
 pm2 [list|ls|status]
@@ -83,12 +257,36 @@ Instead of `app_name` you can pass:
 - `all` to act on all processes
 - `id` to act on a specific process id
 
-
-
 ## Server Version
 
-The following credentials can be used for the initial connection to SASjs/server.  It is recommended to change these on first use.
+The following credentials can be used for the initial connection to SASjs/server. It is highly recommended to change these on first use.
 
-* CLIENTID:  `clientID1`
-* USERNAME:  `secretuser`
-* PASSWORD:  `secretpassword`
+- CLIENTID: `clientID1`
+- USERNAME: `secretuser`
+- PASSWORD: `secretpassword`
+
+## Contributors ✨
+
+Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/docs/en/emoji-key)):
+
+<!-- ALL-CONTRIBUTORS-LIST:START - Do not remove or modify this section -->
+<!-- prettier-ignore-start -->
+<!-- markdownlint-disable -->
+<table>
+  <tr>
+    <td align="center"><a href="https://github.com/saadjutt01"><img src="https://avatars.githubusercontent.com/u/8914650?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Saad Jutt</b></sub></a><br /><a href="https://github.com/sasjs/server/commits?author=saadjutt01" title="Code">💻</a> <a href="https://github.com/sasjs/server/commits?author=saadjutt01" title="Tests">⚠️</a></td>
+    <td align="center"><a href="https://github.com/sabhas"><img src="https://avatars.githubusercontent.com/u/82647447?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Sabir Hassan</b></sub></a><br /><a href="https://github.com/sasjs/server/commits?author=sabhas" title="Code">💻</a> <a href="https://github.com/sasjs/server/commits?author=sabhas" title="Tests">⚠️</a></td>
+    <td align="center"><a href="https://www.erudicat.com/"><img src="https://avatars.githubusercontent.com/u/25773492?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Yury Shkoda</b></sub></a><br /><a href="https://github.com/sasjs/server/commits?author=YuryShkoda" title="Code">💻</a> <a href="https://github.com/sasjs/server/commits?author=YuryShkoda" title="Tests">⚠️</a></td>
+    <td align="center"><a href="https://github.com/medjedovicm"><img src="https://avatars.githubusercontent.com/u/18329105?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Mihajlo Medjedovic</b></sub></a><br /><a href="https://github.com/sasjs/server/commits?author=medjedovicm" title="Code">💻</a> <a href="https://github.com/sasjs/server/commits?author=medjedovicm" title="Tests">⚠️</a></td>
+    <td align="center"><a href="https://4gl.io/"><img src="https://avatars.githubusercontent.com/u/4420615?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Allan Bowe</b></sub></a><br /><a href="https://github.com/sasjs/server/commits?author=allanbowe" title="Code">💻</a> <a href="https://github.com/sasjs/server/commits?author=allanbowe" title="Documentation">📖</a></td>
+    <td align="center"><a href="https://github.com/VladislavParhomchik"><img src="https://avatars.githubusercontent.com/u/83717836?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Vladislav Parhomchik</b></sub></a><br /><a href="https://github.com/sasjs/server/commits?author=VladislavParhomchik" title="Tests">⚠️</a></td>
+    <td align="center"><a href="https://github.com/kknapen"><img src="https://avatars.githubusercontent.com/u/78609432?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Koen Knapen</b></sub></a><br /><a href="#userTesting-kknapen" title="User Testing">📓</a></td>
+  </tr>
+</table>
+
+<!-- markdownlint-restore -->
+<!-- prettier-ignore-end -->
+
+<!-- ALL-CONTRIBUTORS-LIST:END -->
+
+This project follows the [all-contributors](https://github.com/all-contributors/all-contributors) specification. Contributions of any kind welcome!

api/.env.example

@@ -1,14 +1,47 @@
 MODE=[desktop|server] default considered as desktop
-CORS=[disable|enable] default considered as disable
+CORS=[disable|enable] default considered as disable for server MODE & enable for desktop MODE
+ALLOWED_DOMAIN=<just domain e.g. example.com >
+WHITELIST=<space separated urls, each starting with protocol `http` or `https`>
+
 PROTOCOL=[http|https] default considered as http
 PRIVATE_KEY=privkey.pem
-FULL_CHAIN=fullchain.pem
-PORT=[5000] default value is 5000
-PORT_WEB=[port for sasjs web component(react)] default value is 3000
-ACCESS_TOKEN_SECRET=<secret>
-REFRESH_TOKEN_SECRET=<secret>
-AUTH_CODE_SECRET=<secret>
-DB_CONNECT=mongodb+srv://<DB_USERNAME>:<DB_PASSWORD>@<CLUSTER>/<DB_NAME>?retryWrites=true&w=majority
+CERT_CHAIN=certificate.pem
+CA_ROOT=fullchain.pem
 
+PORT=[5000] default value is 5000
+
+HELMET_CSP_CONFIG_PATH=./csp.config.json if omitted HELMET default will be used
+HELMET_COEP=[true|false] if omitted HELMET default will be used
+
+DB_CONNECT=mongodb+srv://<DB_USERNAME>:<DB_PASSWORD>@<CLUSTER>/<DB_NAME>?retryWrites=true&w=majority
+DB_TYPE=[mongodb|cosmos_mongodb] default considered as mongodb
+
+AUTH_PROVIDERS=[ldap]
+
+LDAP_URL= <LDAP_SERVER_URL>
+LDAP_BIND_DN= <cn=admin,ou=system,dc=cloudron>
+LDAP_BIND_PASSWORD = <password>
+LDAP_USERS_BASE_DN = <ou=users,dc=cloudron>
+LDAP_GROUPS_BASE_DN = <ou=groups,dc=cloudron>
+
+#default value is 100
+MAX_WRONG_ATTEMPTS_BY_IP_PER_DAY=100
+
+#default value is 10
+MAX_CONSECUTIVE_FAILS_BY_USERNAME_AND_IP=10
+
+ADMIN_USERNAME=secretuser
+ADMIN_PASSWORD_INITIAL=secretpassword
+ADMIN_PASSWORD_RESET=NO
+
+RUN_TIMES=[sas,js,py | js,py | sas | sas,js] default considered as sas
 SAS_PATH=/opt/sas/sas9/SASHome/SASFoundation/9.4/sas
-DRIVE_PATH=./tmp
+NODE_PATH=~/.nvm/versions/node/v16.14.0/bin/node
+PYTHON_PATH=/usr/bin/python
+R_PATH=/usr/bin/Rscript
+
+SASJS_ROOT=./sasjs_root
+DRIVE_LOCATION=./sasjs_root/drive
+
+LOG_FORMAT_MORGAN=common
+LOG_LOCATION=./sasjs_root/logs

api/.nvmrc

@@ -0,0 +1 @@
+v16.15.1

api/.vscode/launch.json

@@ -0,0 +1,13 @@
+{
+  "version": "0.2.0",
+  "configurations": [
+    {
+      "name": "Launch via NPM",
+      "request": "launch",
+      "runtimeArgs": ["run-script", "start"],
+      "runtimeExecutable": "npm",
+      "skipFiles": ["<node_internals>/**"],
+      "type": "pwa-node"
+    }
+  ]
+}

api/csp.config.example.json

@@ -0,0 +1,5 @@
+{
+  "img-src": ["'self'", "data:"],
+  "script-src": ["'self'", "'unsafe-inline'"],
+  "script-src-attr": ["'self'", "'unsafe-inline'"]
+}

api/mocks/sas9/generic/logged-in

@@ -0,0 +1 @@
+You have signed in.

api/mocks/sas9/generic/logged-out

@@ -0,0 +1 @@
+You have signed out.

api/mocks/sas9/generic/login

@@ -0,0 +1,30 @@
+<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" dir="ltr" class="bg">
+
+<head>
+  <meta charset="UTF-8" />
+  <meta name="viewport" content="initial-scale=1" />
+</head>
+
+
+<div class="content">
+  <form id="credentials" class="minimal" action="/SASLogon/login?service=http%3A%2F%2Flocalhost:5004%2FSASStoredProcess%2Fj_spring_cas_security_check" method="post">
+    <!--form container-->
+    <input type="hidden" name="lt" value="validtoken" aria-hidden="true" />
+    <input type="hidden" name="execution" value="e2s1" aria-hidden="true" />
+    <input type="hidden" name="_eventId" value="submit" aria-hidden="true" />
+
+    <span class="userid">
+
+      <input id="username" name="username" tabindex="3" aria-labelledby="username1 message1 message2 message3" name="username" placeholder="User ID" type="text" autofocus="true" value="" maxlength="500" autocomplete="off" />
+    </span>
+    <span class="password">
+
+      <input id="password" name="password" tabindex="4" name="password" placeholder="Password" type="password" value="" maxlength="500" autocomplete="off" />
+    </span>
+
+    <button type="submit" class="btn-submit" title="Sign In" tabindex="5" onClick="this.disabled=true;setSubmitUrl(this.form);this.form.submit();return false;">Sign In</button>
+
+
+  </form>
+</div>
+</html>

api/mocks/sas9/generic/public-access-denied

@@ -0,0 +1 @@
+Public access has been denied.

api/mocks/sas9/generic/sas-stored-process

@@ -0,0 +1 @@
+"title": "Log Off SAS Demo User"

api/package.json

@@ -4,29 +4,34 @@
   "description": "Api of SASjs server",
   "main": "./src/server.ts",
   "scripts": {
-    "initial": "npm run swagger && npm run compileSysInit",
+    "initial": "npm run swagger && npm run compileSysInit && npm run copySASjsCore && npm run downloadMacros",
     "prestart": "npm run initial",
     "prebuild": "npm run initial",
-    "start": "nodemon ./src/server.ts",
+    "start": "NODE_ENV=development nodemon ./src/server.ts",
+    "start:prod": "node ./build/src/server.js",
     "build": "rimraf build && tsc",
+    "postbuild": "npm run copy:files",
     "swagger": "tsoa spec",
     "prepare": "[ -d .git ] && git config core.hooksPath ./.git-hooks || true",
     "test": "mkdir -p tmp && mkdir -p ../web/build && jest --silent --coverage",
     "lint:fix": "npx prettier --write \"src/**/*.{ts,tsx,js,jsx,html,css,sass,less,yml,md,graphql}\"",
     "lint": "npx prettier --check \"src/**/*.{ts,tsx,js,jsx,html,css,sass,less,yml,md,graphql}\"",
-    "package:lib": "npm run build && cp ./package.json build && cp README.md build && cd build && npm version \"5.0.0\" && npm pack",
-    "exe": "npm run build && npm run exe:copy && pkg .",
-    "exe:copy": "npm run public:copy && npm run sasjsbuild:copy && npm run web:copy",
+    "exe": "npm run build && pkg .",
+    "copy:files": "npm run public:copy && npm run sasjsbuild:copy && npm run sas:copy && npm run web:copy",
     "public:copy": "cp -r ./public/ ./build/public/",
     "sasjsbuild:copy": "cp -r ./sasjsbuild/ ./build/sasjsbuild/",
+    "sas:copy": "cp -r ./sas/ ./build/sas/",
     "web:copy": "rimraf web && mkdir web && cp -r ../web/build/ ./web/build/",
-    "compileSysInit": "ts-node ./scripts/compileSysInit.ts"
+    "compileSysInit": "ts-node ./scripts/compileSysInit.ts",
+    "copySASjsCore": "ts-node ./scripts/copySASjsCore.ts",
+    "downloadMacros": "ts-node ./scripts/downloadMacros.ts"
   },
   "bin": "./build/src/server.js",
   "pkg": {
     "assets": [
       "./build/public/**/*",
       "./build/sasjsbuild/**/*",
+      "./build/sas/**/*",
       "./web/build/**/*"
     ],
     "targets": [
@@ -43,45 +48,64 @@
   },
   "author": "4GL Ltd",
   "dependencies": {
-    "@sasjs/core": "4.9.0",
-    "@sasjs/utils": "2.34.1",
+    "@sasjs/core": "^4.40.1",
+    "@sasjs/utils": "3.2.0",
     "bcryptjs": "^2.4.3",
+    "connect-mongo": "^4.6.0",
+    "cookie-parser": "^1.4.6",
     "cors": "^2.8.5",
     "express": "^4.17.1",
+    "express-session": "^1.17.2",
+    "helmet": "^5.0.2",
     "joi": "^17.4.2",
     "jsonwebtoken": "^8.5.1",
+    "ldapjs": "2.3.3",
     "mongoose": "^6.0.12",
-    "mongoose-sequence": "^5.3.1",
     "morgan": "^1.10.0",
-    "multer": "^1.4.3",
-    "swagger-ui-express": "^4.1.6",
-    "tsoa": "3.14.1"
+    "multer": "^1.4.5-lts.1",
+    "rate-limiter-flexible": "2.4.1",
+    "rotating-file-stream": "^3.0.4",
+    "swagger-ui-express": "4.3.0",
+    "unzipper": "^0.10.11",
+    "url": "^0.10.3"
   },
   "devDependencies": {
+    "@types/adm-zip": "^0.5.0",
     "@types/bcryptjs": "^2.4.2",
+    "@types/cookie-parser": "^1.4.2",
     "@types/cors": "^2.8.12",
     "@types/express": "^4.17.12",
+    "@types/express-session": "^1.17.4",
     "@types/jest": "^26.0.24",
     "@types/jsonwebtoken": "^8.5.5",
-    "@types/mongoose-sequence": "^3.0.6",
+    "@types/ldapjs": "^2.2.4",
     "@types/morgan": "^1.9.3",
     "@types/multer": "^1.4.7",
     "@types/node": "^15.12.2",
     "@types/supertest": "^2.0.11",
     "@types/swagger-ui-express": "^4.1.3",
-    "dotenv": "^10.0.0",
+    "@types/unzipper": "^0.10.5",
+    "adm-zip": "^0.5.9",
+    "axios": "0.27.2",
+    "csrf": "^3.1.0",
+    "dotenv": "^16.0.1",
+    "http-headers-validation": "^0.0.1",
     "jest": "^27.0.6",
-    "mongodb-memory-server": "^8.0.0",
+    "mongodb-memory-server": "8.11.4",
+    "nodejs-file-downloader": "4.10.2",
     "nodemon": "^2.0.7",
-    "pkg": "^5.4.1",
+    "pkg": "5.6.0",
     "prettier": "^2.3.1",
     "rimraf": "^3.0.2",
     "supertest": "^6.1.3",
     "ts-jest": "^27.0.3",
     "ts-node": "^10.0.0",
+    "tsoa": "3.14.1",
     "typescript": "^4.3.2"
   },
-  "configuration": {
-    "sasPath": "/opt/sas/sas9/SASHome/SASFoundation/9.4/sas"
+  "nodemonConfig": {
+    "ignore": [
+      "sasjs_root/**/*"
+    ]
   }
 }

api/public/SASjsApi/swagger-ui-init.js

@@ -0,0 +1,50 @@
+window.onload = function () {
+  // Build a system
+  var url = window.location.search.match(/url=([^&]+)/)
+  if (url && url.length > 1) {
+    url = decodeURIComponent(url[1])
+  } else {
+    url = window.location.origin
+  }
+  var options = {
+    customOptions: {
+      url: '/swagger.yaml',
+      requestInterceptor: function (request) {
+        request.credentials = 'include'
+        var cookie = document.cookie
+        var startIndex = cookie.indexOf('XSRF-TOKEN')
+        var csrf = cookie.slice(startIndex + 11).split('; ')[0]
+        request.headers['X-XSRF-TOKEN'] = csrf
+        return request
+      }
+    }
+  }
+  url = options.swaggerUrl || url
+  var urls = options.swaggerUrls
+  var customOptions = options.customOptions
+  var spec1 = options.swaggerDoc
+  var swaggerOptions = {
+    spec: spec1,
+    url: url,
+    urls: urls,
+    dom_id: '#swagger-ui',
+    deepLinking: true,
+    presets: [SwaggerUIBundle.presets.apis, SwaggerUIStandalonePreset],
+    plugins: [SwaggerUIBundle.plugins.DownloadUrl],
+    layout: 'StandaloneLayout'
+  }
+  for (var attrname in customOptions) {
+    swaggerOptions[attrname] = customOptions[attrname]
+  }
+  var ui = SwaggerUIBundle(swaggerOptions)
+
+  if (customOptions.oauth) {
+    ui.initOAuth(customOptions.oauth)
+  }
+
+  if (customOptions.authAction) {
+    ui.authActions.authorize(customOptions.authAction)
+  }
+
+  window.ui = ui
+}

api/public/app-streams-script.js

@@ -0,0 +1,49 @@
+const inputElement = document.getElementById('fileId')
+
+document.getElementById('uploadButton').addEventListener('click', function () {
+  inputElement.click()
+})
+
+inputElement.addEventListener(
+  'change',
+  function () {
+    const fileList = this.files /* now you can work with the file list */
+
+    updateFileUploadMessage('Requesting ...')
+
+    const file = fileList[0]
+    const formData = new FormData()
+
+    formData.append('file', file)
+
+    axios
+      .post('/SASjsApi/drive/deploy/upload', formData)
+      .then((res) => res.data)
+      .then((data) => {
+        return (
+          data.message +
+          '\nstreamServiceName: ' +
+          data.streamServiceName +
+          '\nrefreshing page once alert box closes.'
+        )
+      })
+      .then((message) => {
+        alert(message)
+        location.reload()
+      })
+      .catch((error) => {
+        alert(error.response.data)
+        resetFileUpload()
+        updateFileUploadMessage('Upload New App')
+      })
+  },
+  false
+)
+
+function updateFileUploadMessage(message) {
+  document.getElementById('uploadMessage').innerHTML = message
+}
+
+function resetFileUpload() {
+  inputElement.value = null
+}

api/public/sasjs-logo.svg

@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 19.0.0, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 32 32" style="enable-background:new 0 0 32 32;" xml:space="preserve">
+<style type="text/css">
+	.st0{fill:#F6E40C;}
+</style>
+<rect id="XMLID_1_" width="32" height="32"/>
+<g id="XMLID_654_">
+	<path id="XMLID_656_" class="st0" d="M27.9,17.4c-1.1,0-2.1,0-3,0c-1.2,0-2.3,0-3.5,0c-0.5,0-0.7,0.2-0.6,0.7c0,2.1,0,4.3,0,6.4
+		c0,0.5-0.2,0.8-0.6,1c-2.5,1.4-4.9,2.8-7.3,4.3c-0.4,0.2-0.6,0.2-1,0c-2.4-1.4-4.9-2.9-7.3-4.3c-0.2-0.1-0.5-0.5-0.5-0.7
+		c0-3.2,0-6.4,0-9.6c0-0.1,0-0.1,0.1-0.3c0.3,0,0.5,0,0.8,0c1.9,0,3.7,0,5.6,0c0.6,0,0.7-0.2,0.7-0.7c0-2.1,0-4.2,0-6.4
+		c0-0.5,0.1-0.8,0.6-1.1c2.5-1.4,4.9-2.9,7.3-4.3c0.2-0.1,0.6-0.1,0.9,0c2.5,1.4,5,2.9,7.5,4.4c0.2,0.1,0.4,0.4,0.4,0.6
+		C27.9,10.6,27.9,13.9,27.9,17.4z M20.8,14.8c1.4,0,2.7,0,4,0c0.5,0,0.7-0.2,0.7-0.7c0-1.7,0-3.3,0-5c0-0.5-0.2-0.7-0.6-1
+		c-1.6-0.9-3.2-1.9-4.8-2.8c-0.2-0.1-0.7-0.1-0.9,0c-1.6,0.9-3.2,1.9-4.8,2.8c-0.4,0.2-0.6,0.5-0.6,1c0,3.2,0,6.3,0,9.5
+		c0,1.9,0,1.9-1.9,1.9c-0.4,0-0.6-0.1-0.6-0.6c0-0.6,0-1.3,0-1.9c0-0.5-0.2-0.6-0.6-0.6c-1.1,0-2.2,0-3.3,0c-0.5,0-0.7,0.2-0.7,0.7
+		c0,1.6,0,3.3,0,4.9c0,0.5,0.2,0.8,0.6,1c1.6,0.9,3.2,1.9,4.8,2.8c0.2,0.1,0.7,0.1,0.9,0c1.6-0.9,3.2-1.9,4.8-2.8
+		c0.4-0.2,0.6-0.5,0.6-1c0-3.1,0-6.1,0-9.2c0-1.9,0-1.9,1.9-1.9c0.5,0,0.7,0.2,0.7,0.7C20.8,13.3,20.8,14,20.8,14.8z"/>
+	<path id="XMLID_655_" class="st0" d="M18,2.1l-6.8,3.9V2.7c0-0.3,0.3-0.6,0.6-0.6H18z"/>
+</g>
+</svg>

api/scripts/compileSysInit.ts

@@ -1,27 +1,29 @@
 import path from 'path'
 import {
+  CompileTree,
   createFile,
   loadDependenciesFile,
   readFile,
   SASJsFileType
 } from '@sasjs/utils'
-import { apiRoot, sysInitCompiledPath } from '../src/utils'
+import { apiRoot, sysInitCompiledPath } from '../src/utils/file'
 
 const macroCorePath = path.join(apiRoot, 'node_modules', '@sasjs', 'core')
 
 const compiledSystemInit = async (systemInit: string) =>
-  'options ps=max;\n' +
+  'options ls=max ps=max;\n' +
   (await loadDependenciesFile({
     fileContent: systemInit,
     type: SASJsFileType.job,
     programFolders: [],
     macroFolders: [],
     buildSourceFolder: '',
-    macroCorePath
+    binaryFolders: [],
+    macroCorePath,
+    compileTree: new CompileTree('') // dummy compileTree
   }))
 
 const createSysInitFile = async () => {
-  console.log('macroCorePath', macroCorePath)
   const systemInitContent = await readFile(
     path.join(__dirname, 'systemInit.sas')
   )

api/scripts/copySASjsCore.ts

@@ -0,0 +1,36 @@
+import path from 'path'
+import {
+  asyncForEach,
+  copy,
+  createFile,
+  createFolder,
+  deleteFolder,
+  listFilesInFolder
+} from '@sasjs/utils'
+
+import {
+  apiRoot,
+  sasJSCoreMacros,
+  sasJSCoreMacrosInfo
+} from '../src/utils/file'
+
+const macroCorePath = path.join(apiRoot, 'node_modules', '@sasjs', 'core')
+
+export const copySASjsCore = async () => {
+  await deleteFolder(sasJSCoreMacros)
+  await createFolder(sasJSCoreMacros)
+
+  const foldersToCopy = ['base', 'ddl', 'fcmp', 'lua', 'server']
+
+  await asyncForEach(foldersToCopy, async (coreSubFolder) => {
+    const coreSubFolderPath = path.join(macroCorePath, coreSubFolder)
+
+    await copy(coreSubFolderPath, sasJSCoreMacros)
+  })
+
+  const fileNames = await listFilesInFolder(sasJSCoreMacros)
+
+  await createFile(sasJSCoreMacrosInfo, fileNames.join('\n'))
+}
+
+copySASjsCore()

api/scripts/downloadMacros.ts

@@ -0,0 +1,39 @@
+import axios from 'axios'
+import Downloader from 'nodejs-file-downloader'
+import { createFile, listFilesInFolder } from '@sasjs/utils'
+
+import { sasJSCoreMacros, sasJSCoreMacrosInfo } from '../src/utils/file'
+
+export const downloadMacros = async () => {
+  const url =
+    'https://api.github.com/repos/yabwon/SAS_PACKAGES/contents/SPF/Macros'
+
+  console.info(`Downloading macros from ${url}`)
+
+  await axios
+    .get(url)
+    .then(async (res) => {
+      await downloadFiles(res.data)
+    })
+    .catch((err) => {
+      throw new Error(err)
+    })
+}
+
+const downloadFiles = async function (fileList: any) {
+  for (const file of fileList) {
+    const downloader = new Downloader({
+      url: file.download_url,
+      directory: sasJSCoreMacros,
+      fileName: file.path.replace(/^SPF\/Macros/, ''),
+      cloneFiles: false
+    })
+    await downloader.download()
+  }
+
+  const fileNames = await listFilesInFolder(sasJSCoreMacros)
+
+  await createFile(sasJSCoreMacrosInfo, fileNames.join('\n'))
+}
+
+downloadMacros()

api/scripts/systemInit.sas

@@ -5,23 +5,12 @@
   _before_ any user-provided content.
 
   A number of useful CORE macros are also compiled below, so that they can be
-  available "out of the box".
+  available by default for Stored Programs.
+
+  Note that the full CORE library is available to sessions in SASjs Studio.
 
   <h4> SAS Macros </h4>
-  @li mcf_stpsrv_header.sas
-  @li mf_getuser.sas
-  @li mf_getvarlist.sas
-  @li mf_mkdir.sas
-  @li mf_nobs.sas
-  @li mf_uid.sas
   @li mfs_httpheader.sas
-  @li mp_dirlist.sas
-  @li mp_ds2ddl.sas
-  @li mp_ds2md.sas
-  @li mp_getdbml.sas
-  @li mp_init.sas
-  @li mp_makedata.sas
-  @li mp_zip.sas
-
+  @li ms_webout.sas
 **/
 

api/src/app-modules/configureCors.ts

@@ -0,0 +1,21 @@
+import { Express } from 'express'
+import cors from 'cors'
+import { CorsType } from '../utils'
+
+export const configureCors = (app: Express) => {
+  const { CORS, WHITELIST } = process.env
+
+  if (CORS === CorsType.ENABLED) {
+    const whiteList: string[] = []
+    WHITELIST?.split(' ')
+      ?.filter((url) => !!url)
+      .forEach((url) => {
+        if (url.startsWith('http'))
+          // removing trailing slash of URLs listing for CORS
+          whiteList.push(url.replace(/\/$/, ''))
+      })
+
+    process.logger.info('All CORS Requests are enabled for:', whiteList)
+    app.use(cors({ credentials: true, origin: whiteList }))
+  }
+}

api/src/app-modules/configureExpressSession.ts

@@ -0,0 +1,48 @@
+import { Express, CookieOptions } from 'express'
+import mongoose from 'mongoose'
+import session from 'express-session'
+import MongoStore from 'connect-mongo'
+
+import { DatabaseType, ModeType, ProtocolType } from '../utils'
+
+export const configureExpressSession = (app: Express) => {
+  const { MODE, DB_TYPE } = process.env
+
+  if (MODE === ModeType.Server) {
+    let store: MongoStore | undefined
+
+    if (process.env.NODE_ENV !== 'test') {
+      if (DB_TYPE === DatabaseType.COSMOS_MONGODB) {
+        // COSMOS DB requires specific connection options (compatibility mode)
+        // See: https://www.npmjs.com/package/connect-mongo#set-the-compatibility-mode
+        store = MongoStore.create({
+          client: mongoose.connection!.getClient() as any,
+          autoRemove: 'interval'
+        })
+      } else {
+        store = MongoStore.create({
+          client: mongoose.connection!.getClient() as any
+        })
+      }
+    }
+
+    const { PROTOCOL, ALLOWED_DOMAIN } = process.env
+    const cookieOptions: CookieOptions = {
+      secure: PROTOCOL === ProtocolType.HTTPS,
+      httpOnly: true,
+      sameSite: PROTOCOL === ProtocolType.HTTPS ? 'none' : undefined,
+      maxAge: 24 * 60 * 60 * 1000, // 24 hours
+      domain: ALLOWED_DOMAIN?.trim() || undefined
+    }
+
+    app.use(
+      session({
+        secret: process.secrets.SESSION_SECRET,
+        saveUninitialized: false, // don't create session until something stored
+        resave: false, //don't save session if unmodified
+        store,
+        cookie: cookieOptions
+      })
+    )
+  }
+}

api/src/app-modules/configureLogger.ts

@@ -0,0 +1,33 @@
+import path from 'path'
+import { Express } from 'express'
+import morgan from 'morgan'
+import { createStream } from 'rotating-file-stream'
+import { generateTimestamp } from '@sasjs/utils'
+import { getLogFolder } from '../utils'
+
+export const configureLogger = (app: Express) => {
+  const { LOG_FORMAT_MORGAN } = process.env
+
+  let options
+  if (
+    process.env.NODE_ENV !== 'development' &&
+    process.env.NODE_ENV !== 'test'
+  ) {
+    const timestamp = generateTimestamp()
+    const filename = `${timestamp}.log`
+    const logsFolder = getLogFolder()
+
+    // create a rotating write stream
+    var accessLogStream = createStream(filename, {
+      interval: '1d', // rotate daily
+      path: logsFolder
+    })
+
+    process.logger.info('Writing Logs to :', path.join(logsFolder, filename))
+
+    options = { stream: accessLogStream }
+  }
+
+  // setup the logger
+  app.use(morgan(LOG_FORMAT_MORGAN as string, options))
+}

api/src/app-modules/configureSecurity.ts

@@ -0,0 +1,26 @@
+import { Express } from 'express'
+import { getEnvCSPDirectives } from '../utils/parseHelmetConfig'
+import { HelmetCoepType, ProtocolType } from '../utils'
+import helmet from 'helmet'
+
+export const configureSecurity = (app: Express) => {
+  const { PROTOCOL, HELMET_CSP_CONFIG_PATH, HELMET_COEP } = process.env
+
+  const cspConfigJson: { [key: string]: string[] | null } = getEnvCSPDirectives(
+    HELMET_CSP_CONFIG_PATH
+  )
+  if (PROTOCOL === ProtocolType.HTTP)
+    cspConfigJson['upgrade-insecure-requests'] = null
+
+  app.use(
+    helmet({
+      contentSecurityPolicy: {
+        directives: {
+          ...helmet.contentSecurityPolicy.getDefaultDirectives(),
+          ...cspConfigJson
+        }
+      },
+      crossOriginEmbedderPolicy: HELMET_COEP === HelmetCoepType.TRUE
+    })
+  )
+}

api/src/app-modules/index.ts

@@ -0,0 +1,4 @@
+export * from './configureCors'
+export * from './configureExpressSession'
+export * from './configureLogger'
+export * from './configureSecurity'

api/src/app.ts

@@ -1,36 +1,101 @@
 import path from 'path'
-import express from 'express'
-import morgan from 'morgan'
+import express, { ErrorRequestHandler } from 'express'
+import cookieParser from 'cookie-parser'
 import dotenv from 'dotenv'
-import cors from 'cors'
 
-import webRouter from './routes/web'
-import apiRouter from './routes/api'
-import { connectDB, getWebBuildFolderPath } from './utils'
+import {
+  copySASjsCore,
+  createWeboutSasFile,
+  getFilesFolder,
+  getPackagesFolder,
+  getWebBuildFolder,
+  instantiateLogger,
+  loadAppStreamConfig,
+  ReturnCode,
+  setProcessVariables,
+  setupFilesFolder,
+  setupPackagesFolder,
+  setupUserAutoExec,
+  verifyEnvVariables
+} from './utils'
+import {
+  configureCors,
+  configureExpressSession,
+  configureLogger,
+  configureSecurity
+} from './app-modules'
+import { folderExists } from '@sasjs/utils'
 
 dotenv.config()
 
+instantiateLogger()
+
+if (verifyEnvVariables()) process.exit(ReturnCode.InvalidEnv)
+
 const app = express()
 
-const { MODE, CORS, PORT_WEB } = process.env
-const whiteList = [
-  `http://localhost:${PORT_WEB ?? 3000}`,
-  'https://sas.analytium.co.uk:8343'
-]
-
-if (MODE?.trim() !== 'server' || CORS?.trim() === 'enable') {
-  console.log('All CORS Requests are enabled')
-  app.use(cors({ credentials: true, origin: whiteList }))
+const onError: ErrorRequestHandler = (err, req, res, next) => {
+  process.logger.error(err.stack)
+  res.status(500).send('Something broke!')
 }
 
-app.use(express.json({ limit: '50mb' }))
-app.use(morgan('tiny'))
+export default setProcessVariables().then(async () => {
+  app.use(cookieParser())
+
+  configureLogger(app)
+
+  /***********************************
+   *   Handle security and origin    *
+   ***********************************/
+  configureSecurity(app)
+
+  /***********************************
+   *         Enabling CORS           *
+   ***********************************/
+  configureCors(app)
+
+  /***********************************
+   *         DB Connection &          *
+   *        Express Sessions          *
+   *        With Mongo Store          *
+   ***********************************/
+  configureExpressSession(app)
+
+  app.use(express.json({ limit: '100mb' }))
   app.use(express.static(path.join(__dirname, '../public')))
 
-app.use('/', webRouter)
-app.use('/SASjsApi', apiRouter)
-app.use(express.json({ limit: '50mb' }))
+  // Body parser is used for decoding the formdata on POST request.
+  // Currently only place we use it is SAS9 Mock - POST /SASLogon/login
+  app.use(express.urlencoded({ extended: true }))
 
-app.use(express.static(getWebBuildFolderPath()))
+  await setupUserAutoExec()
 
-export default connectDB().then(() => app)
+  if (!(await folderExists(getFilesFolder()))) await setupFilesFolder()
+
+  if (!(await folderExists(getPackagesFolder()))) await setupPackagesFolder()
+
+  const sasautosPath = path.join(process.driveLoc, 'sas', 'sasautos')
+  if (await folderExists(sasautosPath)) {
+    process.logger.warn(
+      `SASAUTOS was not refreshed. To force a refresh, delete the ${sasautosPath} folder`
+    )
+  } else {
+    await copySASjsCore()
+    await createWeboutSasFile()
+  }
+
+  // loading these modules after setting up variables due to
+  // multer's usage of process var process.driveLoc
+  const { setupRoutes } = await import('./routes/setupRoutes')
+  setupRoutes(app)
+
+  await loadAppStreamConfig()
+
+  // should be served after setting up web route
+  // index.html needs to be injected with some js script.
+  app.use(express.static(getWebBuildFolder()))
+
+  app.use(onError)
+
+  return app
+})

api/src/controllers/auth.ts

@@ -1,14 +1,27 @@
-import { Security, Route, Tags, Example, Post, Body, Query, Hidden } from 'tsoa'
+import express from 'express'
+import {
+  Security,
+  Route,
+  Tags,
+  Example,
+  Post,
+  Patch,
+  Request,
+  Body,
+  Query,
+  Hidden
+} from 'tsoa'
 import jwt from 'jsonwebtoken'
-import User from '../model/User'
 import { InfoJWT } from '../types'
 import {
   generateAccessToken,
-  generateAuthCode,
   generateRefreshToken,
+  getTokensFromDB,
   removeTokensInDB,
   saveTokensInDB
 } from '../utils'
+import Client from '../model/Client'
+import User from '../model/User'
 
 @Route('SASjsApi/auth')
 @Tags('Auth')
@@ -24,20 +37,6 @@ export class AuthController {
   static deleteCode = (userId: number, clientId: string) =>
     delete AuthController.authCodes[userId][clientId]
 
-  /**
-   * @summary Accept a valid username/password, plus a CLIENT_ID, and return an AUTH_CODE
-   *
-   */
-  @Example<AuthorizeResponse>({
-    code: 'someRandomCryptoString'
-  })
-  @Post('/authorize')
-  public async authorize(
-    @Body() body: AuthorizePayload
-  ): Promise<AuthorizeResponse> {
-    return authorize(body)
-  }
-
   /**
    * @summary Accepts client/auth code and returns access/refresh tokens
    *
@@ -76,30 +75,18 @@ export class AuthController {
   public async logout(@Query() @Hidden() data?: InfoJWT) {
     return logout(data!)
   }
+
+  /**
+   * @summary Update user's password.
+   */
+  @Security('bearerAuth')
+  @Patch('updatePassword')
+  public async updatePassword(
+    @Request() req: express.Request,
+    @Body() body: UpdatePasswordPayload
+  ) {
+    return updatePassword(req, body)
   }
-
-const authorize = async (data: any): Promise<AuthorizeResponse> => {
-  const { username, password, clientId } = data
-
-  // Authenticate User
-  const user = await User.findOne({ username })
-  if (!user) throw new Error('Username is not found.')
-
-  const validPass = user.comparePassword(password)
-  if (!validPass) throw new Error('Invalid password.')
-
-  // generate authorization code against clientId
-  const userInfo: InfoJWT = {
-    clientId,
-    userId: user.id
-  }
-  const code = AuthController.saveCode(
-    user.id,
-    clientId,
-    generateAuthCode(userInfo)
-  )
-
-  return { code }
 }
 
 const token = async (data: any): Promise<TokenResponse> => {
@@ -113,8 +100,26 @@ const token = async (data: any): Promise<TokenResponse> => {
 
   AuthController.deleteCode(userInfo.userId, clientId)
 
-  const accessToken = generateAccessToken(userInfo)
-  const refreshToken = generateRefreshToken(userInfo)
+  // get tokens from DB
+  const existingTokens = await getTokensFromDB(userInfo.userId, clientId)
+  if (existingTokens) {
+    return {
+      accessToken: existingTokens.accessToken,
+      refreshToken: existingTokens.refreshToken
+    }
+  }
+
+  const client = await Client.findOne({ clientId })
+  if (!client) throw new Error('Invalid clientId.')
+
+  const accessToken = generateAccessToken(
+    userInfo,
+    client.accessTokenExpiration
+  )
+  const refreshToken = generateRefreshToken(
+    userInfo,
+    client.refreshTokenExpiration
+  )
 
   await saveTokensInDB(userInfo.userId, clientId, accessToken, refreshToken)
 
@@ -122,8 +127,17 @@ const token = async (data: any): Promise<TokenResponse> => {
 }
 
 const refresh = async (userInfo: InfoJWT): Promise<TokenResponse> => {
-  const accessToken = generateAccessToken(userInfo)
-  const refreshToken = generateRefreshToken(userInfo)
+  const client = await Client.findOne({ clientId: userInfo.clientId })
+  if (!client) throw new Error('Invalid clientId.')
+
+  const accessToken = generateAccessToken(
+    userInfo,
+    client.accessTokenExpiration
+  )
+  const refreshToken = generateRefreshToken(
+    userInfo,
+    client.refreshTokenExpiration
+  )
 
   await saveTokensInDB(
     userInfo.userId,
@@ -139,30 +153,38 @@ const logout = async (userInfo: InfoJWT) => {
   await removeTokensInDB(userInfo.userId, userInfo.clientId)
 }
 
-interface AuthorizePayload {
-  /**
-   * Username for user
-   * @example "secretuser"
-   */
-  username: string
-  /**
-   * Password for user
-   * @example "secretpassword"
-   */
-  password: string
-  /**
-   * Client ID
-   * @example "clientID1"
-   */
-  clientId: string
+const updatePassword = async (
+  req: express.Request,
+  data: UpdatePasswordPayload
+) => {
+  const { currentPassword, newPassword } = data
+  const userId = req.user?.userId
+  const dbUser = await User.findOne({ id: userId })
+
+  if (!dbUser)
+    throw {
+      code: 404,
+      message: `User not found!`
     }
 
-interface AuthorizeResponse {
-  /**
-   * Authorization code
-   * @example "someRandomCryptoString"
-   */
-  code: string
+  if (dbUser?.authProvider) {
+    throw {
+      code: 405,
+      message:
+        'Can not update password of user that is created by an external auth provider.'
+    }
+  }
+
+  const validPass = dbUser.comparePassword(currentPassword)
+  if (!validPass)
+    throw {
+      code: 403,
+      message: `Invalid current password!`
+    }
+
+  dbUser.password = User.hashPassword(newPassword)
+  dbUser.needsToUpdatePassword = false
+  await dbUser.save()
 }
 
 interface TokenPayload {
@@ -191,12 +213,25 @@ interface TokenResponse {
   refreshToken: string
 }
 
+interface UpdatePasswordPayload {
+  /**
+   * Current Password
+   * @example "currentPasswordString"
+   */
+  currentPassword: string
+  /**
+   * New Password
+   * @example "newPassword"
+   */
+  newPassword: string
+}
+
 const verifyAuthCode = async (
   clientId: string,
   code: string
 ): Promise<InfoJWT | undefined> => {
-  return new Promise((resolve, reject) => {
-    jwt.verify(code, process.env.AUTH_CODE_SECRET as string, (err, data) => {
+  return new Promise((resolve) => {
+    jwt.verify(code, process.secrets.AUTH_CODE_SECRET, (err, data) => {
       if (err) return resolve(undefined)
 
       const clientInfo: InfoJWT = {

api/src/controllers/authConfig.ts

@@ -0,0 +1,186 @@
+import express from 'express'
+import { Security, Route, Tags, Get, Post, Example } from 'tsoa'
+
+import { LDAPClient, LDAPUser, LDAPGroup, AuthProviderType } from '../utils'
+import { randomBytes } from 'crypto'
+import User from '../model/User'
+import Group from '../model/Group'
+import Permission from '../model/Permission'
+
+@Security('bearerAuth')
+@Route('SASjsApi/authConfig')
+@Tags('Auth_Config')
+export class AuthConfigController {
+  /**
+   * @summary Gives the detail of Auth Mechanism.
+   *
+   */
+  @Example({
+    ldap: {
+      LDAP_URL: 'ldaps://my.ldap.server:636',
+      LDAP_BIND_DN: 'cn=admin,ou=system,dc=cloudron',
+      LDAP_BIND_PASSWORD: 'secret',
+      LDAP_USERS_BASE_DN: 'ou=users,dc=cloudron',
+      LDAP_GROUPS_BASE_DN: 'ou=groups,dc=cloudron'
+    }
+  })
+  @Get('/')
+  public getDetail() {
+    return getAuthConfigDetail()
+  }
+
+  /**
+   * @summary Synchronises LDAP users and groups with internal DB and returns the count of imported users and groups.
+   *
+   */
+  @Example({
+    users: 5,
+    groups: 3
+  })
+  @Post('/synchroniseWithLDAP')
+  public async synchroniseWithLDAP() {
+    return synchroniseWithLDAP()
+  }
+}
+
+const synchroniseWithLDAP = async () => {
+  process.logger.info('Syncing LDAP with internal DB')
+
+  const permissions = await Permission.get({})
+  await Permission.deleteMany()
+  await User.deleteMany({ authProvider: AuthProviderType.LDAP })
+  await Group.deleteMany({ authProvider: AuthProviderType.LDAP })
+
+  const ldapClient = await LDAPClient.init()
+
+  process.logger.info('fetching LDAP users')
+  const users = await ldapClient.getAllLDAPUsers()
+
+  process.logger.info('inserting LDAP users to DB')
+
+  const existingUsers: string[] = []
+  const importedUsers: LDAPUser[] = []
+
+  for (const user of users) {
+    const usernameExists = await User.findOne({ username: user.username })
+    if (usernameExists) {
+      existingUsers.push(user.username)
+      continue
+    }
+
+    const hashPassword = User.hashPassword(randomBytes(64).toString('hex'))
+
+    await User.create({
+      displayName: user.displayName,
+      username: user.username,
+      password: hashPassword,
+      authProvider: AuthProviderType.LDAP,
+      needsToUpdatePassword: false
+    })
+
+    importedUsers.push(user)
+  }
+
+  if (existingUsers.length > 0) {
+    process.logger.info(
+      'Failed to insert following users as they already exist in DB:'
+    )
+    existingUsers.forEach((user) => process.logger.log(`* ${user}`))
+  }
+
+  process.logger.info('fetching LDAP groups')
+  const groups = await ldapClient.getAllLDAPGroups()
+
+  process.logger.info('inserting LDAP groups to DB')
+
+  const existingGroups: string[] = []
+  const importedGroups: LDAPGroup[] = []
+
+  for (const group of groups) {
+    const groupExists = await Group.findOne({ name: group.name })
+    if (groupExists) {
+      existingGroups.push(group.name)
+      continue
+    }
+
+    await Group.create({
+      name: group.name,
+      authProvider: AuthProviderType.LDAP
+    })
+
+    importedGroups.push(group)
+  }
+
+  if (existingGroups.length > 0) {
+    process.logger.info(
+      'Failed to insert following groups as they already exist in DB:'
+    )
+    existingGroups.forEach((group) => process.logger.log(`* ${group}`))
+  }
+
+  process.logger.info('associating users and groups')
+
+  for (const group of importedGroups) {
+    const dbGroup = await Group.findOne({ name: group.name })
+    if (dbGroup) {
+      for (const member of group.members) {
+        const user = importedUsers.find((user) => user.uid === member)
+        if (user) {
+          const dbUser = await User.findOne({ username: user.username })
+          if (dbUser) await dbGroup.addUser(dbUser)
+        }
+      }
+    }
+  }
+
+  process.logger.info('setting permissions')
+
+  for (const permission of permissions) {
+    const newPermission = new Permission({
+      path: permission.path,
+      type: permission.type,
+      setting: permission.setting
+    })
+
+    if (permission.user) {
+      const dbUser = await User.findOne({ username: permission.user.username })
+      if (dbUser) newPermission.user = dbUser._id
+    } else if (permission.group) {
+      const dbGroup = await Group.findOne({ name: permission.group.name })
+      if (dbGroup) newPermission.group = dbGroup._id
+    }
+    await newPermission.save()
+  }
+
+  process.logger.info('LDAP synchronization completed!')
+
+  return {
+    userCount: importedUsers.length,
+    groupCount: importedGroups.length
+  }
+}
+
+const getAuthConfigDetail = () => {
+  const { AUTH_PROVIDERS } = process.env
+
+  const returnObj: any = {}
+
+  if (AUTH_PROVIDERS === AuthProviderType.LDAP) {
+    const {
+      LDAP_URL,
+      LDAP_BIND_DN,
+      LDAP_BIND_PASSWORD,
+      LDAP_USERS_BASE_DN,
+      LDAP_GROUPS_BASE_DN
+    } = process.env
+
+    returnObj.ldap = {
+      LDAP_URL: LDAP_URL ?? '',
+      LDAP_BIND_DN: LDAP_BIND_DN ?? '',
+      LDAP_BIND_PASSWORD: LDAP_BIND_PASSWORD ?? '',
+      LDAP_USERS_BASE_DN: LDAP_USERS_BASE_DN ?? '',
+      LDAP_GROUPS_BASE_DN: LDAP_GROUPS_BASE_DN ?? ''
+    }
+  }
+  return returnObj
+}

api/src/controllers/client.ts

@@ -1,18 +1,27 @@
-import { Security, Route, Tags, Example, Post, Body } from 'tsoa'
+import { Security, Route, Tags, Example, Post, Body, Get } from 'tsoa'
 
-import Client, { ClientPayload } from '../model/Client'
+import Client, {
+  ClientPayload,
+  NUMBER_OF_SECONDS_IN_A_DAY
+} from '../model/Client'
 
 @Security('bearerAuth')
 @Route('SASjsApi/client')
 @Tags('Client')
 export class ClientController {
   /**
-   * @summary Create client with the following attributes: ClientId, ClientSecret. Admin only task.
+   * @summary Admin only task. Create client with the following attributes:
+   * ClientId,
+   * ClientSecret,
+   * accessTokenExpiration (optional),
+   * refreshTokenExpiration (optional)
    *
    */
   @Example<ClientPayload>({
     clientId: 'someFormattedClientID1234',
-    clientSecret: 'someRandomCryptoString'
+    clientSecret: 'someRandomCryptoString',
+    accessTokenExpiration: NUMBER_OF_SECONDS_IN_A_DAY,
+    refreshTokenExpiration: NUMBER_OF_SECONDS_IN_A_DAY * 30
   })
   @Post('/')
   public async createClient(
@@ -20,10 +29,37 @@ export class ClientController {
   ): Promise<ClientPayload> {
     return createClient(body)
   }
+
+  /**
+   * @summary Admin only task. Returns the list of all the clients
+   */
+  @Example<ClientPayload[]>([
+    {
+      clientId: 'someClientID1234',
+      clientSecret: 'someRandomCryptoString',
+      accessTokenExpiration: NUMBER_OF_SECONDS_IN_A_DAY,
+      refreshTokenExpiration: NUMBER_OF_SECONDS_IN_A_DAY * 30
+    },
+    {
+      clientId: 'someOtherClientID',
+      clientSecret: 'someOtherRandomCryptoString',
+      accessTokenExpiration: NUMBER_OF_SECONDS_IN_A_DAY,
+      refreshTokenExpiration: NUMBER_OF_SECONDS_IN_A_DAY * 30
+    }
+  ])
+  @Get('/')
+  public async getAllClients(): Promise<ClientPayload[]> {
+    return getAllClients()
+  }
 }
 
-const createClient = async (data: any): Promise<ClientPayload> => {
-  const { clientId, clientSecret } = data
+const createClient = async (data: ClientPayload): Promise<ClientPayload> => {
+  const {
+    clientId,
+    clientSecret,
+    accessTokenExpiration,
+    refreshTokenExpiration
+  } = data
 
   // Checking if client is already in the database
   const clientExist = await Client.findOne({ clientId })
@@ -32,13 +68,27 @@ const createClient = async (data: any): Promise<ClientPayload> => {
   // Create a new client
   const client = new Client({
     clientId,
-    clientSecret
+    clientSecret,
+    accessTokenExpiration,
+    refreshTokenExpiration
   })
 
   const savedClient = await client.save()
 
   return {
     clientId: savedClient.clientId,
-    clientSecret: savedClient.clientSecret
+    clientSecret: savedClient.clientSecret,
+    accessTokenExpiration: savedClient.accessTokenExpiration,
+    refreshTokenExpiration: savedClient.refreshTokenExpiration
   }
 }
+
+const getAllClients = async (): Promise<ClientPayload[]> => {
+  return Client.find({}).select({
+    _id: 0,
+    clientId: 1,
+    clientSecret: 1,
+    accessTokenExpiration: 1,
+    refreshTokenExpiration: 1
+  })
+}

api/src/controllers/code.ts

@@ -1,44 +1,112 @@
 import express from 'express'
 import { Request, Security, Route, Tags, Post, Body } from 'tsoa'
-import { ExecutionController } from './internal'
-import { PreProgramVars } from '../types'
+import { ExecutionController, getSessionController } from './internal'
+import {
+  getPreProgramVariables,
+  getUserAutoExec,
+  ModeType,
+  RunTimeType
+} from '../utils'
 
-interface ExecuteSASCodePayload {
+interface ExecuteCodePayload {
   /**
-   * Code of SAS program
-   * @example "* SAS Code HERE;"
+   * The code to be executed
+   * @example "* Your Code HERE;"
    */
   code: string
+  /**
+   * The runtime for the code - eg SAS, JS, PY or R
+   * @example "js"
+   */
+  runTime: RunTimeType
+}
+
+interface TriggerCodePayload {
+  /**
+   * The code to be executed
+   * @example "* Your Code HERE;"
+   */
+  code: string
+  /**
+   * The runtime for the code - eg SAS, JS, PY or R
+   * @example "sas"
+   */
+  runTime: RunTimeType
+  /**
+   * Amount of minutes after the completion of the job when the session must be
+   * destroyed.
+   * @example 15
+   */
+  expiresAfterMins?: number
+}
+
+interface TriggerCodeResponse {
+  /**
+   * The SessionId is the name of the temporary folder used to store the outputs.
+   * For SAS, this would be the SASWORK folder. Can be used to poll job status.
+   * This session ID should be used to poll job status.
+   * @example "{ sessionId: '20241028074744-54132-1730101664824' }"
+   */
+  sessionId: string
 }
 
 @Security('bearerAuth')
 @Route('SASjsApi/code')
-@Tags('CODE')
+@Tags('Code')
 export class CodeController {
   /**
-   * Execute SAS code.
-   * @summary Run SAS Code and returns log
+   * Execute Code on the Specified Runtime
+   * @summary Run Code and Return Webout Content, Log and Print output
+   * The order of returned parts of the payload is:
+   * 1. Webout (if present)
+   * 2. Logs UUID (used as separator)
+   * 3. Log
+   * 4. Logs UUID (used as separator)
+   * 5. Print (if present and if the runtime is SAS)
+   * Please see @sasjs/server/api/src/controllers/internal/Execution.ts for more information
    */
   @Post('/execute')
-  public async executeSASCode(
+  public async executeCode(
     @Request() request: express.Request,
-    @Body() body: ExecuteSASCodePayload
-  ): Promise<string> {
-    return executeSASCode(request, body)
+    @Body() body: ExecuteCodePayload
+  ): Promise<string | Buffer> {
+    return executeCode(request, body)
+  }
+
+  /**
+   * Trigger Code on the Specified Runtime
+   * @summary Triggers code and returns SessionId immediately - does not wait for job completion
+   */
+  @Post('/trigger')
+  public async triggerCode(
+    @Request() request: express.Request,
+    @Body() body: TriggerCodePayload
+  ): Promise<TriggerCodeResponse> {
+    return triggerCode(request, body)
   }
 }
 
-const executeSASCode = async (req: any, { code }: ExecuteSASCodePayload) => {
+const executeCode = async (
+  req: express.Request,
+  { code, runTime }: ExecuteCodePayload
+) => {
+  const { user } = req
+  const userAutoExec =
+    process.env.MODE === ModeType.Server
+      ? user?.autoExec
+      : await getUserAutoExec()
+
   try {
-    const result = await new ExecutionController().executeProgram(
-      code,
-      getPreProgramVariables(req),
-      { ...req.query, _debug: 131 },
-      undefined,
-      true
-    )
+    const { result } = await new ExecutionController().executeProgram({
+      program: code,
+      preProgramVariables: getPreProgramVariables(req),
+      vars: { ...req.query, _debug: 131 },
+      otherArgs: { userAutoExec },
+      runTime: runTime,
+      includePrintOutput: true
+    })
 
-    return result as string
+    return result
   } catch (err: any) {
     throw {
       code: 400,
@@ -49,15 +117,48 @@ const executeSASCode = async (req: any, { code }: ExecuteSASCodePayload) => {
   }
 }
 
-const getPreProgramVariables = (req: any): PreProgramVars => {
-  const host = req.get('host')
-  const protocol = req.protocol + '://'
-  const { user, accessToken } = req
-  return {
-    username: user.username,
-    userId: user.userId,
-    displayName: user.displayName,
-    serverUrl: protocol + host,
-    accessToken
+const triggerCode = async (
+  req: express.Request,
+  { code, runTime, expiresAfterMins }: TriggerCodePayload
+): Promise<TriggerCodeResponse> => {
+  const { user } = req
+  const userAutoExec =
+    process.env.MODE === ModeType.Server
+      ? user?.autoExec
+      : await getUserAutoExec()
+
+  // get session controller based on runTime
+  const sessionController = getSessionController(runTime)
+
+  // get session
+  const session = await sessionController.getSession()
+
+  // add expiresAfterMins to session if provided
+  if (expiresAfterMins) {
+    // expiresAfterMins.used is set initially to false
+    session.expiresAfterMins = { mins: expiresAfterMins, used: false }
+  }
+
+  try {
+    // call executeProgram method of ExecutionController without awaiting
+    new ExecutionController().executeProgram({
+      program: code,
+      preProgramVariables: getPreProgramVariables(req),
+      vars: { ...req.query, _debug: 131 },
+      otherArgs: { userAutoExec },
+      runTime: runTime,
+      includePrintOutput: true,
+      session // session is provided
+    })
+
+    // return session id
+    return { sessionId: session.id }
+  } catch (err: any) {
+    throw {
+      code: 400,
+      status: 'failure',
+      message: 'Job execution failed.',
+      error: typeof err === 'object' ? err.toString() : err
+    }
   }
 }

api/src/controllers/drive.ts

@@ -1,5 +1,8 @@
+import path from 'path'
+import express, { Express } from 'express'
 import {
   Security,
+  Request,
   Route,
   Tags,
   Example,
@@ -8,35 +11,40 @@ import {
   Response,
   Query,
   Get,
-  Patch
+  Patch,
+  UploadedFile,
+  FormField,
+  Delete,
+  Hidden
 } from 'tsoa'
-import { fileExists, readFile, createFile } from '@sasjs/utils'
+import {
+  fileExists,
+  moveFile,
+  createFolder,
+  deleteFile as deleteFileOnSystem,
+  deleteFolder as deleteFolderOnSystem,
+  folderExists,
+  listFilesInFolder,
+  listSubFoldersInFolder,
+  isFolder,
+  FileTree,
+  isFileTree
+} from '@sasjs/utils'
 import { createFileTree, ExecutionController, getTreeExample } from './internal'
 
-import { FileTree, isFileTree, TreeNode } from '../types'
-import path from 'path'
-import { getTmpFilesFolderPath } from '../utils'
+import { TreeNode } from '../types'
+import { getFilesFolder } from '../utils'
 
 interface DeployPayload {
-  appLoc?: string
+  appLoc: string
+  streamWebFolder?: string
   fileTree: FileTree
 }
-interface FilePayload {
-  /**
-   * Path of the file
-   * @example "/Public/somefolder/some.file"
-   */
-  filePath: string
-  /**
-   * Contents of the file
-   * @example "Contents of the File"
-   */
-  fileContent: string
-}
 
 interface DeployResponse {
   status: string
   message: string
+  streamServiceName?: string
   example?: FileTree
 }
 
@@ -51,11 +59,32 @@ interface GetFileTreeResponse {
   tree: TreeNode
 }
 
-interface UpdateFileResponse {
+interface FileFolderResponse {
   status: string
   message?: string
 }
 
+interface AddFolderPayload {
+  /**
+   * Location of folder
+   * @example "/Public/someFolder"
+   */
+  folderPath: string
+}
+
+interface RenamePayload {
+  /**
+   * Old path of file/folder
+   * @example "/Public/someFolder"
+   */
+  oldPath: string
+  /**
+   * New path of file/folder
+   * @example "/Public/newFolder"
+   */
+  newPath: string
+}
+
 const fileTreeExample = getTreeExample()
 
 const successDeployResponse: DeployResponse = {
@@ -89,57 +118,158 @@ export class DriveController {
   }
 
   /**
-   * @summary Get file from SASjs Drive
-   * @query filePath Location of SAS program
-   * @example filePath "/Public/somefolder/some.file"
+   * Accepts JSON file and zipped compressed JSON file as well.
+   * Compressed file should only contain one JSON file and should have same name
+   * as of compressed file e.g. deploy.JSON should be compressed to deploy.JSON.zip
+   * Any other file or JSON file in zipped will be ignored!
+   *
+   * @summary Creates/updates files within SASjs Drive using uploaded JSON/compressed JSON file.
+   *
    */
-  @Example<GetFileResponse>({
-    status: 'success',
-    fileContent: 'Contents of the File'
-  })
-  @Response<GetFileResponse>(400, 'Unable to get File', {
-    status: 'failure',
-    message: 'File request failed.'
-  })
-  @Get('/file')
-  public async getFile(@Query() filePath: string): Promise<GetFileResponse> {
-    return getFile(filePath)
+  @Example<DeployResponse>(successDeployResponse)
+  @Response<DeployResponse>(400, 'Invalid Format', invalidDeployFormatResponse)
+  @Response<DeployResponse>(500, 'Execution Error', execDeployErrorResponse)
+  @Post('/deploy/upload')
+  public async deployUpload(
+    @UploadedFile() file: Express.Multer.File, // passing here for API docs
+    @Query() @Hidden() body?: DeployPayload // Hidden decorator has be optional
+  ): Promise<DeployResponse> {
+    return deploy(body!)
   }
 
   /**
+   *
+   * @summary Get file from SASjs Drive
+   * @query _filePath Location of SAS program
+   * @example _filePath "/Public/somefolder/some.file"
+   */
+  @Get('/file')
+  public async getFile(
+    @Request() request: express.Request,
+    @Query() _filePath: string
+  ) {
+    return getFile(request, _filePath)
+  }
+
+  /**
+   *
+   * @summary Get folder contents from SASjs Drive
+   * @query _folderPath Location of SAS program
+   * @example _folderPath "/Public/somefolder"
+   */
+  @Get('/folder')
+  public async getFolder(@Query() _folderPath?: string) {
+    return getFolder(_folderPath)
+  }
+
+  /**
+   *
+   * @summary Delete file from SASjs Drive
+   * @query _filePath Location of file
+   * @example _filePath "/Public/somefolder/some.file"
+   */
+  @Delete('/file')
+  public async deleteFile(@Query() _filePath: string) {
+    return deleteFile(_filePath)
+  }
+
+  /**
+   *
+   * @summary Delete folder from SASjs Drive
+   * @query _folderPath Location of folder
+   * @example _folderPath "/Public/somefolder/"
+   */
+  @Delete('/folder')
+  public async deleteFolder(@Query() _folderPath: string) {
+    return deleteFolder(_folderPath)
+  }
+
+  /**
+   * It's optional to either provide `_filePath` in url as query parameter
+   * Or provide `filePath` in body as form field.
+   * But it's required to provide else API will respond with Bad Request.
+   *
    * @summary Create a file in SASjs Drive
+   * @param _filePath Location of file
+   * @example _filePath "/Public/somefolder/some.file.sas"
    *
    */
-  @Example<UpdateFileResponse>({
+  @Example<FileFolderResponse>({
     status: 'success'
   })
-  @Response<UpdateFileResponse>(400, 'File already exists', {
+  @Response<FileFolderResponse>(403, 'File already exists', {
     status: 'failure',
     message: 'File request failed.'
   })
   @Post('/file')
   public async saveFile(
-    @Body() body: FilePayload
-  ): Promise<UpdateFileResponse> {
-    return saveFile(body)
+    @UploadedFile() file: Express.Multer.File,
+    @Query() _filePath?: string,
+    @FormField() filePath?: string
+  ): Promise<FileFolderResponse> {
+    return saveFile((_filePath ?? filePath)!, file)
   }
 
   /**
-   * @summary Modify a file in SASjs Drive
+   * @summary Create an empty folder in SASjs Drive
    *
    */
-  @Example<UpdateFileResponse>({
+  @Example<FileFolderResponse>({
     status: 'success'
   })
-  @Response<UpdateFileResponse>(400, 'Unable to get File', {
+  @Response<FileFolderResponse>(409, 'Folder already exists', {
+    status: 'failure',
+    message: 'Add folder request failed.'
+  })
+  @Post('/folder')
+  public async addFolder(
+    @Body() body: AddFolderPayload
+  ): Promise<FileFolderResponse> {
+    return addFolder(body.folderPath)
+  }
+
+  /**
+   * It's optional to either provide `_filePath` in url as query parameter
+   * Or provide `filePath` in body as form field.
+   * But it's required to provide else API will respond with Bad Request.
+   *
+   * @summary Modify a file in SASjs Drive
+   * @param _filePath Location of SAS program
+   * @example _filePath "/Public/somefolder/some.file.sas"
+   *
+   */
+  @Example<FileFolderResponse>({
+    status: 'success'
+  })
+  @Response<FileFolderResponse>(403, `File doesn't exist`, {
     status: 'failure',
     message: 'File request failed.'
   })
   @Patch('/file')
   public async updateFile(
-    @Body() body: FilePayload
-  ): Promise<UpdateFileResponse> {
-    return updateFile(body)
+    @UploadedFile() file: Express.Multer.File,
+    @Query() _filePath?: string,
+    @FormField() filePath?: string
+  ): Promise<FileFolderResponse> {
+    return updateFile((_filePath ?? filePath)!, file)
+  }
+
+  /**
+   * @summary Renames a file/folder in SASjs Drive
+   *
+   */
+  @Example<FileFolderResponse>({
+    status: 'success'
+  })
+  @Response<FileFolderResponse>(409, 'Folder already exists', {
+    status: 'failure',
+    message: 'rename request failed.'
+  })
+  @Post('/rename')
+  public async rename(
+    @Body() body: RenamePayload
+  ): Promise<FileFolderResponse> {
+    return rename(body.oldPath, body.newPath)
   }
 
   /**
@@ -158,86 +288,287 @@ const getFileTree = () => {
 }
 
 const deploy = async (data: DeployPayload) => {
+  const driveFilesPath = getFilesFolder()
+
+  const appLocParts = data.appLoc.replace(/^\//, '').split('/')
+
+  const appLocPath = path
+    .join(getFilesFolder(), ...appLocParts)
+    .replace(new RegExp('/', 'g'), path.sep)
+
+  if (!appLocPath.includes(driveFilesPath)) {
+    throw new Error('appLoc cannot be outside drive.')
+  }
+
   if (!isFileTree(data.fileTree)) {
     throw { code: 400, ...invalidDeployFormatResponse }
   }
 
-  await createFileTree(
-    data.fileTree.members,
-    data.appLoc ? data.appLoc.replace(/^\//, '').split('/') : []
-  ).catch((err) => {
+  await createFileTree(data.fileTree.members, appLocParts).catch((err) => {
     throw { code: 500, ...execDeployErrorResponse, ...err }
   })
 
   return successDeployResponse
 }
 
-const getFile = async (filePath: string): Promise<GetFileResponse> => {
-  try {
+const getFile = async (req: express.Request, filePath: string) => {
+  const driveFilesPath = getFilesFolder()
+
   const filePathFull = path
-      .join(getTmpFilesFolderPath(), filePath)
+    .join(getFilesFolder(), filePath)
     .replace(new RegExp('/', 'g'), path.sep)
 
-    await validateFilePath(filePathFull)
-    const fileContent = await readFile(filePathFull)
-
-    return { status: 'success', fileContent: fileContent }
-  } catch (err: any) {
+  if (!filePathFull.includes(driveFilesPath))
     throw {
       code: 400,
-      status: 'failure',
-      message: 'File request failed.',
-      error: typeof err === 'object' ? err.toString() : err
-    }
-  }
+      status: 'Bad Request',
+      message: `Can't get file outside drive.`
     }
 
-const saveFile = async (body: FilePayload): Promise<GetFileResponse> => {
-  const { filePath, fileContent } = body
-  try {
-    const filePathFull = path
-      .join(getTmpFilesFolderPath(), filePath)
+  if (!(await fileExists(filePathFull)))
+    throw {
+      code: 404,
+      status: 'Not Found',
+      message: `File doesn't exist.`
+    }
+
+  const extension = path.extname(filePathFull).toLowerCase()
+  if (extension === '.sas') {
+    req.res?.setHeader('Content-type', 'text/plain')
+  }
+
+  req.res?.sendFile(path.resolve(filePathFull), { dotfiles: 'allow' })
+}
+
+const getFolder = async (folderPath?: string) => {
+  const driveFilesPath = getFilesFolder()
+
+  if (folderPath) {
+    const folderPathFull = path
+      .join(getFilesFolder(), folderPath)
       .replace(new RegExp('/', 'g'), path.sep)
 
-    if (await fileExists(filePathFull)) {
-      throw 'DriveController: File already exists.'
+    if (!folderPathFull.includes(driveFilesPath))
+      throw {
+        code: 400,
+        status: 'Bad Request',
+        message: `Can't get folder outside drive.`
       }
-    await createFile(filePathFull, fileContent)
+
+    if (!(await folderExists(folderPathFull)))
+      throw {
+        code: 404,
+        status: 'Not Found',
+        message: `Folder doesn't exist.`
+      }
+
+    if (!(await isFolder(folderPathFull)))
+      throw {
+        code: 400,
+        status: 'Bad Request',
+        message: 'Not a Folder.'
+      }
+
+    const files: string[] = await listFilesInFolder(folderPathFull)
+    const folders: string[] = await listSubFoldersInFolder(folderPathFull)
+    return { files, folders }
+  }
+
+  const files: string[] = await listFilesInFolder(driveFilesPath)
+  const folders: string[] = await listSubFoldersInFolder(driveFilesPath)
+  return { files, folders }
+}
+
+const deleteFile = async (filePath: string) => {
+  const driveFilesPath = getFilesFolder()
+
+  const filePathFull = path
+    .join(getFilesFolder(), filePath)
+    .replace(new RegExp('/', 'g'), path.sep)
+
+  if (!filePathFull.includes(driveFilesPath))
+    throw {
+      code: 400,
+      status: 'Bad Request',
+      message: `Can't delete file outside drive.`
+    }
+
+  if (!(await fileExists(filePathFull)))
+    throw {
+      code: 404,
+      status: 'Not Found',
+      message: `File doesn't exist.`
+    }
+
+  await deleteFileOnSystem(filePathFull)
 
   return { status: 'success' }
-  } catch (err: any) {
-    throw {
-      code: 400,
-      status: 'failure',
-      message: 'File request failed.',
-      error: typeof err === 'object' ? err.toString() : err
-    }
-  }
 }
 
-const updateFile = async (body: FilePayload): Promise<GetFileResponse> => {
-  const { filePath, fileContent } = body
-  try {
-    const filePathFull = path
-      .join(getTmpFilesFolderPath(), filePath)
+const deleteFolder = async (folderPath: string) => {
+  const driveFolderPath = getFilesFolder()
+
+  const folderPathFull = path
+    .join(getFilesFolder(), folderPath)
     .replace(new RegExp('/', 'g'), path.sep)
 
-    await validateFilePath(filePathFull)
-    await createFile(filePathFull, fileContent)
-
-    return { status: 'success' }
-  } catch (err: any) {
+  if (!folderPathFull.includes(driveFolderPath))
     throw {
       code: 400,
-      status: 'failure',
-      message: 'File request failed.',
-      error: typeof err === 'object' ? err.toString() : err
+      status: 'Bad Request',
+      message: `Can't delete folder outside drive.`
     }
+
+  if (!(await folderExists(folderPathFull)))
+    throw {
+      code: 404,
+      status: 'Not Found',
+      message: `Folder doesn't exist.`
+    }
+
+  await deleteFolderOnSystem(folderPathFull)
+
+  return { status: 'success' }
+}
+
+const saveFile = async (
+  filePath: string,
+  multerFile: Express.Multer.File
+): Promise<GetFileResponse> => {
+  const driveFilesPath = getFilesFolder()
+
+  const filePathFull = path
+    .join(driveFilesPath, filePath)
+    .replace(new RegExp('/', 'g'), path.sep)
+
+  if (!filePathFull.includes(driveFilesPath))
+    throw {
+      code: 400,
+      status: 'Bad Request',
+      message: `Can't put file outside drive.`
+    }
+
+  if (await fileExists(filePathFull))
+    throw {
+      code: 409,
+      status: 'Conflict',
+      message: 'File already exists.'
+    }
+
+  const folderPath = path.dirname(filePathFull)
+  await createFolder(folderPath)
+  await moveFile(multerFile.path, filePathFull)
+
+  return { status: 'success' }
+}
+
+const addFolder = async (folderPath: string): Promise<FileFolderResponse> => {
+  const drivePath = getFilesFolder()
+
+  const folderPathFull = path
+    .join(drivePath, folderPath)
+    .replace(new RegExp('/', 'g'), path.sep)
+
+  if (!folderPathFull.includes(drivePath))
+    throw {
+      code: 400,
+      status: 'Bad Request',
+      message: `Can't put folder outside drive.`
+    }
+
+  if (await folderExists(folderPathFull))
+    throw {
+      code: 409,
+      status: 'Conflict',
+      message: 'Folder already exists.'
+    }
+
+  await createFolder(folderPathFull)
+
+  return { status: 'success' }
+}
+
+const rename = async (
+  oldPath: string,
+  newPath: string
+): Promise<FileFolderResponse> => {
+  const drivePath = getFilesFolder()
+
+  const oldPathFull = path
+    .join(drivePath, oldPath)
+    .replace(new RegExp('/', 'g'), path.sep)
+
+  const newPathFull = path
+    .join(drivePath, newPath)
+    .replace(new RegExp('/', 'g'), path.sep)
+
+  if (!oldPathFull.includes(drivePath))
+    throw {
+      code: 400,
+      status: 'Bad Request',
+      message: `Old path can't be outside of drive.`
+    }
+
+  if (!newPathFull.includes(drivePath))
+    throw {
+      code: 400,
+      status: 'Bad Request',
+      message: `New path can't be outside of drive.`
+    }
+
+  if (await isFolder(oldPathFull)) {
+    if (await folderExists(newPathFull))
+      throw {
+        code: 409,
+        status: 'Conflict',
+        message: 'Folder with new name already exists.'
+      }
+    else moveFile(oldPathFull, newPathFull)
+
+    return { status: 'success' }
+  } else if (await fileExists(oldPathFull)) {
+    if (await fileExists(newPathFull))
+      throw {
+        code: 409,
+        status: 'Conflict',
+        message: 'File with new name already exists.'
+      }
+    else moveFile(oldPathFull, newPathFull)
+    return { status: 'success' }
+  }
+
+  throw {
+    code: 404,
+    status: 'Not Found',
+    message: 'No file/folder found for provided path.'
   }
 }
 
-const validateFilePath = async (filePath: string) => {
-  if (!(await fileExists(filePath))) {
-    throw 'DriveController: File does not exists.'
+const updateFile = async (
+  filePath: string,
+  multerFile: Express.Multer.File
+): Promise<GetFileResponse> => {
+  const driveFilesPath = getFilesFolder()
+
+  const filePathFull = path
+    .join(driveFilesPath, filePath)
+    .replace(new RegExp('/', 'g'), path.sep)
+
+  if (!filePathFull.includes(driveFilesPath))
+    throw {
+      code: 400,
+      status: 'Bad Request',
+      message: `Can't modify file outside drive.`
     }
+
+  if (!(await fileExists(filePathFull)))
+    throw {
+      code: 404,
+      status: 'Not Found',
+      message: `File doesn't exist.`
+    }
+
+  await moveFile(multerFile.path, filePathFull)
+
+  return { status: 'success' }
 }

api/src/controllers/group.ts

@@ -10,17 +10,18 @@ import {
   Body
 } from 'tsoa'
 
-import Group, { GroupPayload } from '../model/Group'
+import Group, { GroupPayload, PUBLIC_GROUP_NAME } from '../model/Group'
 import User from '../model/User'
+import { AuthProviderType } from '../utils'
 import { UserResponse } from './user'
 
-interface GroupResponse {
+export interface GroupResponse {
   groupId: number
   name: string
   description: string
 }
 
-interface GroupDetailsResponse {
+export interface GroupDetailsResponse {
   groupId: number
   name: string
   description: string
@@ -28,6 +29,11 @@ interface GroupDetailsResponse {
   users: UserResponse[]
 }
 
+interface GetGroupBy {
+  groupId?: number
+  name?: string
+}
+
 @Security('bearerAuth')
 @Route('SASjsApi/group')
 @Tags('Group')
@@ -66,6 +72,18 @@ export class GroupController {
     return createGroup(body)
   }
 
+  /**
+   * @summary Get list of members of a group (userName). All users can request this.
+   * @param name The group's name
+   * @example dcgroup
+   */
+  @Get('by/groupname/{name}')
+  public async getGroupByGroupName(
+    @Path() name: string
+  ): Promise<GroupDetailsResponse> {
+    return getGroup({ name })
+  }
+
   /**
    * @summary Get list of members of a group (userName). All users can request this.
    * @param groupId The group's identifier
@@ -75,7 +93,7 @@ export class GroupController {
   public async getGroup(
     @Path() groupId: number
   ): Promise<GroupDetailsResponse> {
-    return getGroup(groupId)
+    return getGroup({ groupId })
   }
 
   /**
@@ -129,9 +147,15 @@ export class GroupController {
    */
   @Delete('{groupId}')
   public async deleteGroup(@Path() groupId: number) {
-    const { deletedCount } = await Group.deleteOne({ groupId })
-    if (deletedCount) return
-    throw new Error('No Group deleted!')
+    const group = await Group.findOne({ groupId })
+    if (!group)
+      throw {
+        code: 404,
+        status: 'Not Found',
+        message: 'Group not found.'
+      }
+
+    return await group.remove()
   }
 }
 
@@ -145,6 +169,15 @@ const createGroup = async ({
   description,
   isActive
 }: GroupPayload): Promise<GroupDetailsResponse> => {
+  // Checking if user is already in the database
+  const groupnameExist = await Group.findOne({ name })
+  if (groupnameExist)
+    throw {
+      code: 409,
+      status: 'Conflict',
+      message: 'Group name already exists.'
+    }
+
   const group = new Group({
     name,
     description,
@@ -162,15 +195,20 @@ const createGroup = async ({
   }
 }
 
-const getGroup = async (groupId: number): Promise<GroupDetailsResponse> => {
+const getGroup = async (findBy: GetGroupBy): Promise<GroupDetailsResponse> => {
   const group = (await Group.findOne(
-    { groupId },
+    findBy,
     'groupId name description isActive users -_id'
   ).populate(
     'users',
-    'id username displayName -_id'
+    'id username displayName isAdmin -_id'
   )) as unknown as GroupDetailsResponse
-  if (!group) throw new Error('Group not found.')
+  if (!group)
+    throw {
+      code: 404,
+      status: 'Not Found',
+      message: 'Group not found.'
+    }
 
   return {
     groupId: group.groupId,
@@ -199,16 +237,53 @@ const updateUsersListInGroup = async (
   action: 'addUser' | 'removeUser'
 ): Promise<GroupDetailsResponse> => {
   const group = await Group.findOne({ groupId })
-  if (!group) throw new Error('Group not found.')
+  if (!group)
+    throw {
+      code: 404,
+      status: 'Not Found',
+      message: 'Group not found.'
+    }
+
+  if (group.name === PUBLIC_GROUP_NAME)
+    throw {
+      code: 400,
+      status: 'Bad Request',
+      message: `Can't add/remove user to '${PUBLIC_GROUP_NAME}' group.`
+    }
+
+  if (group.authProvider)
+    throw {
+      code: 405,
+      status: 'Method Not Allowed',
+      message: `Can't add/remove user to group created by external auth provider.`
+    }
 
   const user = await User.findOne({ id: userId })
-  if (!user) throw new Error('User not found.')
+  if (!user)
+    throw {
+      code: 404,
+      status: 'Not Found',
+      message: 'User not found.'
+    }
 
-  const updatedGroup = (action === 'addUser'
-    ? await group.addUser(user._id)
-    : await group.removeUser(user._id)) as unknown as GroupDetailsResponse
+  if (user.authProvider)
+    throw {
+      code: 405,
+      status: 'Method Not Allowed',
+      message: `Can't add/remove user to group created by external auth provider.`
+    }
 
-  if (!updatedGroup) throw new Error('Unable to update group')
+  const updatedGroup =
+    action === 'addUser'
+      ? await group.addUser(user)
+      : await group.removeUser(user)
+
+  if (!updatedGroup)
+    throw {
+      code: 400,
+      status: 'Bad Request',
+      message: 'Unable to update group.'
+    }
 
   return {
     groupId: updatedGroup.groupId,

api/src/controllers/index.ts

@@ -1,8 +1,12 @@
 export * from './auth'
+export * from './authConfig'
 export * from './client'
 export * from './code'
 export * from './drive'
 export * from './group'
+export * from './info'
+export * from './permission'
 export * from './session'
 export * from './stp'
 export * from './user'
+export * from './web'

api/src/controllers/info.ts

@@ -0,0 +1,58 @@
+import { Route, Tags, Example, Get } from 'tsoa'
+import { getAuthorizedRoutes } from '../utils'
+export interface AuthorizedRoutesResponse {
+  paths: string[]
+}
+
+export interface InfoResponse {
+  mode: string
+  cors: string
+  whiteList: string[]
+  protocol: string
+  runTimes: string[]
+}
+
+@Route('SASjsApi/info')
+@Tags('Info')
+export class InfoController {
+  /**
+   * @summary Get server info (mode, cors, whiteList, protocol).
+   *
+   */
+  @Example<InfoResponse>({
+    mode: 'desktop',
+    cors: 'enable',
+    whiteList: ['http://example.com', 'http://example2.com'],
+    protocol: 'http',
+    runTimes: ['sas', 'js']
+  })
+  @Get('/')
+  public info(): InfoResponse {
+    const response = {
+      mode: process.env.MODE ?? 'desktop',
+      cors:
+        process.env.CORS ||
+        (process.env.MODE === 'server' ? 'disable' : 'enable'),
+      whiteList:
+        process.env.WHITELIST?.split(' ')?.filter((url) => !!url) ?? [],
+      protocol: process.env.PROTOCOL ?? 'http',
+      runTimes: process.runTimes
+    }
+    return response
+  }
+
+  /**
+   * @summary Get the list of available routes to which permissions can be applied.  Used to populate the dialog in the URI Permissions feature.
+   *
+   */
+  @Example<AuthorizedRoutesResponse>({
+    paths: ['/AppStream', '/SASjsApi/stp/execute']
+  })
+  @Get('/authorizedRoutes')
+  public authorizedRoutes(): AuthorizedRoutesResponse {
+    const response = {
+      paths: getAuthorizedRoutes()
+    }
+    return response
+  }
+}

api/src/controllers/internal/Execution.ts

@@ -1,154 +1,160 @@
 import path from 'path'
 import fs from 'fs'
-import { getSessionController } from './'
-import { readFile, fileExists, createFile, moveFile } from '@sasjs/utils'
-import { PreProgramVars, TreeNode } from '../../types'
-import { generateFileUploadSasCode, getTmpFilesFolderPath } from '../../utils'
+import { getSessionController, processProgram } from './'
+import { readFile, fileExists, createFile, readFileBinary } from '@sasjs/utils'
+import { PreProgramVars, Session, TreeNode } from '../../types'
+import {
+  extractHeaders,
+  getFilesFolder,
+  HTTPHeaders,
+  isDebugOn,
+  RunTimeType
+} from '../../utils'
 
 export interface ExecutionVars {
   [key: string]: string | number | undefined
 }
 
-export class ExecutionController {
-  async executeFile(
-    programPath: string,
-    preProgramVariables: PreProgramVars,
-    vars: ExecutionVars,
-    otherArgs?: any,
-    returnJson?: boolean
-  ) {
-    if (!(await fileExists(programPath)))
-      throw 'ExecutionController: SAS file does not exist.'
+export interface ExecuteReturnRaw {
+  httpHeaders: HTTPHeaders
+  result: string | Buffer
+}
 
+interface ExecuteFileParams {
+  programPath: string
+  preProgramVariables: PreProgramVars
+  vars: ExecutionVars
+  otherArgs?: any
+  returnJson?: boolean
+  session?: Session
+  runTime: RunTimeType
+  forceStringResult?: boolean
+}
+
+interface ExecuteProgramParams extends Omit<ExecuteFileParams, 'programPath'> {
+  program: string
+  includePrintOutput?: boolean
+}
+
+export class ExecutionController {
+  async executeFile({
+    programPath,
+    preProgramVariables,
+    vars,
+    otherArgs,
+    returnJson,
+    session,
+    runTime,
+    forceStringResult
+  }: ExecuteFileParams) {
     const program = await readFile(programPath)
 
-    return this.executeProgram(
+    return this.executeProgram({
       program,
       preProgramVariables,
       vars,
       otherArgs,
-      returnJson
-    )
+      returnJson,
+      session,
+      runTime,
+      forceStringResult
+    })
   }
-  async executeProgram(
-    program: string,
-    preProgramVariables: PreProgramVars,
-    vars: ExecutionVars,
-    otherArgs?: any,
-    returnJson?: boolean
-  ) {
-    const sessionController = getSessionController()
 
-    const session = await sessionController.getSession()
+  async executeProgram({
+    program,
+    preProgramVariables,
+    vars,
+    otherArgs,
+    session: sessionByFileUpload,
+    runTime,
+    forceStringResult,
+    includePrintOutput
+  }: ExecuteProgramParams): Promise<ExecuteReturnRaw> {
+    const sessionController = getSessionController(runTime)
+
+    const session =
+      sessionByFileUpload ?? (await sessionController.getSession())
     session.inUse = true
     session.consumed = true
 
     const logPath = path.join(session.path, 'log.log')
-
+    const headersPath = path.join(session.path, 'stpsrv_header.txt')
     const weboutPath = path.join(session.path, 'webout.txt')
-    await createFile(weboutPath, '')
+    const tokenFile = path.join(session.path, 'reqHeaders.txt')
 
-    const tokenFile = path.join(session.path, 'accessToken.txt')
+    await createFile(weboutPath, '')
     await createFile(
       tokenFile,
-      preProgramVariables?.accessToken ?? 'accessToken'
+      preProgramVariables?.httpHeaders.join('\n') ?? ''
     )
 
-    const varStatments = Object.keys(vars).reduce(
-      (computed: string, key: string) =>
-        `${computed}%let ${key}=${vars[key]};\n`,
-      ''
+    await processProgram(
+      program,
+      preProgramVariables,
+      vars,
+      session,
+      weboutPath,
+      headersPath,
+      tokenFile,
+      runTime,
+      logPath,
+      otherArgs
     )
 
-    const preProgramVarStatments = `
-%let _sasjs_tokenfile=${tokenFile};
-%let _sasjs_username=${preProgramVariables?.username};
-%let _sasjs_userid=${preProgramVariables?.userId};
-%let _sasjs_displayname=${preProgramVariables?.displayName};
-%let _sasjs_apiserverurl=${preProgramVariables?.serverUrl};
-%let _sasjs_apipath=/SASjsApi/stp/execute;
-%let _metaperson=&_sasjs_displayname;
-%let _metauser=&_sasjs_username;
-%let sasjsprocessmode=Stored Program;
-%let sasjs_stpsrv_header_loc=%sysfunc(pathname(work))/../stpsrv_header.txt;
-
-%global SYSPROCESSMODE SYSTCPIPHOSTNAME SYSHOSTINFOLONG;
-%macro _sasjs_server_init();
-  %if "&SYSPROCESSMODE"="" %then %let SYSPROCESSMODE=&sasjsprocessmode;
-  %if "&SYSTCPIPHOSTNAME"="" %then %let SYSTCPIPHOSTNAME=&_sasjs_apiserverurl;
-%mend;
-%_sasjs_server_init()
-`
-
-    program = `
-/* runtime vars */
-${varStatments}
-filename _webout "${weboutPath}" mod;
-
-/* dynamic user-provided vars */
-${preProgramVarStatments}
-
-/* actual job code */
-${program}`
-
-    // if no files are uploaded filesNamesMap will be undefined
-    if (otherArgs && otherArgs.filesNamesMap) {
-      const uploadSasCode = await generateFileUploadSasCode(
-        otherArgs.filesNamesMap,
-        session.path
-      )
-
-      //If sas code for the file is generated it will be appended to the top of sasCode
-      if (uploadSasCode.length > 0) {
-        program = `${uploadSasCode}` + program
-      }
-    }
-
-    const codePath = path.join(session.path, 'code.sas')
-
-    // Creating this file in a RUNNING session will break out
-    // the autoexec loop and actually execute the program
-    // but - given it will take several milliseconds to create
-    // (which can mean SAS trying to run a partial program, or
-    // failing due to file lock) we first create the file THEN
-    // we rename it.
-    await createFile(codePath + '.bkp', program)
-    await moveFile(codePath + '.bkp', codePath)
-
-    // we now need to poll the session status
-    while (!session.completed) {
-      await delay(50)
-    }
-
     const log = (await fileExists(logPath)) ? await readFile(logPath) : ''
-    const webout = (await fileExists(weboutPath))
-      ? await readFile(weboutPath)
+    const headersContent = (await fileExists(headersPath))
+      ? await readFile(headersPath)
       : ''
+    const httpHeaders: HTTPHeaders = extractHeaders(headersContent)
 
-    const debugValue =
-      typeof vars._debug === 'string' ? parseInt(vars._debug) : vars._debug
+    if (isDebugOn(vars)) {
+      httpHeaders['content-type'] = 'text/plain'
+    }
+
+    const fileResponse: boolean = httpHeaders.hasOwnProperty('content-type')
+
+    const webout = (await fileExists(weboutPath))
+      ? fileResponse && !forceStringResult
+        ? await readFileBinary(weboutPath)
+        : await readFile(weboutPath)
+      : ''
 
     // it should be deleted by scheduleSessionDestroy
     session.inUse = false
 
-    if (returnJson) {
-      return {
-        webout,
-        log:
-          (debugValue && debugValue >= 131) || session.crashed ? log : undefined
-      }
+    const resultParts = []
+
+    // INFO: webout can be a Buffer, that is why it's length should be checked to determine if it is empty
+    if (webout && webout.length !== 0) resultParts.push(webout)
+
+    // INFO: log separator wraps the log from the beginning and the end
+    resultParts.push(process.logsUUID)
+    resultParts.push(log)
+    resultParts.push(process.logsUUID)
+
+    if (includePrintOutput && runTime === RunTimeType.SAS) {
+      const printOutputPath = path.join(session.path, 'output.lst')
+      const printOutput = (await fileExists(printOutputPath))
+        ? await readFile(printOutputPath)
+        : ''
+
+      if (printOutput) resultParts.push(printOutput)
     }
 
-    return (debugValue && debugValue >= 131) || session.crashed
-      ? `<html><body>${webout}<div style="text-align:left"><hr /><h2>SAS Log</h2><pre>${log}</pre></div></body></html>`
-      : webout
+    return {
+      httpHeaders,
+      result:
+        isDebugOn(vars) || session.crashed ? resultParts.join(`\n`) : webout
+    }
   }
 
   buildDirectoryTree() {
     const root: TreeNode = {
       name: 'files',
       relativePath: '',
-      absolutePath: getTmpFilesFolderPath(),
+      absolutePath: getFilesFolder(),
+      isFolder: true,
       children: []
     }
 
@@ -158,15 +164,22 @@ ${program}`
       const currentNode = stack.pop()
 
       if (currentNode) {
+        currentNode.isFolder = fs
+          .statSync(currentNode.absolutePath)
+          .isDirectory()
+
         const children = fs.readdirSync(currentNode.absolutePath)
 
         for (let child of children) {
-          const absoluteChildPath = `${currentNode.absolutePath}/${child}`
+          const absoluteChildPath = path.join(currentNode.absolutePath, child)
+          // relative path will only be used in frontend component
+          // so, no need to convert '/' to platform specific separator
           const relativeChildPath = `${currentNode.relativePath}/${child}`
           const childNode: TreeNode = {
             name: child,
             relativePath: relativeChildPath,
             absolutePath: absoluteChildPath,
+            isFolder: false,
             children: []
           }
           currentNode.children.push(childNode)
@@ -181,5 +194,3 @@ ${program}`
     return root
   }
 }
-
-const delay = (ms: number) => new Promise((resolve) => setTimeout(resolve, ms))

api/src/controllers/internal/FileUploadController.ts

@@ -1,14 +1,20 @@
+import { Request, RequestHandler } from 'express'
+import multer from 'multer'
 import { uuidv4 } from '@sasjs/utils'
 import { getSessionController } from '.'
-const multer = require('multer')
+import {
+  executeProgramRawValidation,
+  getRunTimeAndFilePath,
+  RunTimeType
+} from '../../utils'
 
 export class FileUploadController {
   private storage = multer.diskStorage({
-    destination: function (req: any, file: any, cb: any) {
+    destination: function (req: Request, file: any, cb: any) {
       //Sending the intercepted files to the sessions subfolder
-      cb(null, req.sasSession.path)
+      cb(null, req.sasjsSession?.path)
     },
-    filename: function (req: any, file: any, cb: any) {
+    filename: function (req: Request, file: any, cb: any) {
       //req_file prefix + unique hash added to sas request files
       cb(null, `req_file_${uuidv4().replace(/-/gm, '')}`)
     }
@@ -18,14 +24,43 @@ export class FileUploadController {
 
   //It will intercept request and generate unique uuid to be used as a subfolder name
   //that will store the files uploaded
-  public preUploadMiddleware = async (req: any, res: any, next: any) => {
-    let session
+  public preUploadMiddleware: RequestHandler = async (req, res, next) => {
+    const { error: errQ, value: query } = executeProgramRawValidation(req.query)
+    const { error: errB, value: body } = executeProgramRawValidation(req.body)
 
-    const sessionController = getSessionController()
-    session = await sessionController.getSession()
-    session.inUse = true
+    if (errQ && errB) return res.status(400).send(errB.details[0].message)
 
-    req.sasSession = session
+    const programPath = (query?._program ?? body?._program) as string
+
+    let runTime
+
+    try {
+      ;({ runTime } = await getRunTimeAndFilePath(programPath))
+    } catch (err: any) {
+      return res.status(400).send({
+        status: 'failure',
+        message: 'Job execution failed',
+        error: typeof err === 'object' ? err.toString() : err
+      })
+    }
+
+    let sessionController
+    try {
+      sessionController = getSessionController(runTime)
+    } catch (err: any) {
+      return res.status(400).send({
+        status: 'failure',
+        message: err.message,
+        error: typeof err === 'object' ? err.toString() : err
+      })
+    }
+
+    const session = await sessionController.getSession()
+    // marking consumed true, so that it's not available
+    // as readySession for any other request
+    session.consumed = true
+
+    req.sasjsSession = session
 
     next()
   }

api/src/controllers/internal/Session.ts

@@ -3,27 +3,58 @@ import { Session } from '../../types'
 import { promisify } from 'util'
 import { execFile } from 'child_process'
 import {
-  getTmpSessionsFolderPath,
+  getPackagesFolder,
+  getSessionsFolder,
   generateUniqueFileName,
-  sysInitCompiledPath
+  sysInitCompiledPath,
+  RunTimeType
 } from '../../utils'
 import {
   deleteFolder,
   createFile,
   fileExists,
   generateTimestamp,
-  readFile,
-  moveFile
+  readFile
 } from '@sasjs/utils'
 
 const execFilePromise = promisify(execFile)
 
 export class SessionController {
-  private sessions: Session[] = []
+  protected sessions: Session[] = []
 
-  private getReadySessions = (): Session[] =>
+  protected getReadySessions = (): Session[] =>
     this.sessions.filter((sess: Session) => sess.ready && !sess.consumed)
 
+  protected async createSession(): Promise<Session> {
+    const sessionId = generateUniqueFileName(generateTimestamp())
+    const sessionFolder = path.join(getSessionsFolder(), sessionId)
+
+    const creationTimeStamp = sessionId.split('-').pop() as string
+    // death time of session is 15 mins from creation
+    const deathTimeStamp = (
+      parseInt(creationTimeStamp) +
+      15 * 60 * 1000 -
+      1000
+    ).toString()
+
+    const session: Session = {
+      id: sessionId,
+      ready: true,
+      inUse: true,
+      consumed: false,
+      completed: false,
+      creationTimeStamp,
+      deathTimeStamp,
+      path: sessionFolder
+    }
+
+    const headersPath = path.join(session.path, 'stpsrv_header.txt')
+    await createFile(headersPath, 'content-type: text/html; charset=utf-8')
+
+    this.sessions.push(session)
+    return session
+  }
+
   public async getSession() {
     const readySessions = this.getReadySessions()
 
@@ -31,16 +62,19 @@ export class SessionController {
       ? readySessions[0]
       : await this.createSession()
 
-    if (readySessions.length < 2) this.createSession()
+    if (readySessions.length < 3) this.createSession()
 
     return session
   }
+}
 
-  private async createSession(): Promise<Session> {
+export class SASSessionController extends SessionController {
+  protected async createSession(): Promise<Session> {
     const sessionId = generateUniqueFileName(generateTimestamp())
-    const sessionFolder = path.join(getTmpSessionsFolderPath(), sessionId)
+    const sessionFolder = path.join(getSessionsFolder(), sessionId)
 
     const creationTimeStamp = sessionId.split('-').pop() as string
+    // death time of session is 15 mins from creation
     const deathTimeStamp = (
       parseInt(creationTimeStamp) +
       15 * 60 * 1000 -
@@ -58,6 +92,9 @@ export class SessionController {
       path: sessionFolder
     }
 
+    const headersPath = path.join(session.path, 'stpsrv_header.txt')
+    await createFile(headersPath, 'content-type: text/html; charset=utf-8\n')
+
     // we do not want to leave sessions running forever
     // we clean them up after a predefined period, if unused
     this.scheduleSessionDestroy(session)
@@ -67,7 +104,11 @@ export class SessionController {
 
     // the autoexec file is executed on SAS startup
     const autoExecPath = path.join(sessionFolder, 'autoexec.sas')
-    const contentForAutoExec = `/* compiled systemInit */\n${compiledSystemInitContent}\n/* autoexec */\n${autoExecContent}`
+    const contentForAutoExec = `filename packages "${getPackagesFolder()}";
+/* compiled systemInit */
+${compiledSystemInitContent}
+/* autoexec */
+${autoExecContent}`
     await createFile(autoExecPath, contentForAutoExec)
 
     // create empty code.sas as SAS will not start without a SYSIN
@@ -79,25 +120,37 @@ export class SessionController {
     // however we also need a promise so that we can update the
     // session array to say that it has (eventually) finished.
 
-    execFilePromise(process.sasLoc, [
+    // Additional windows specific options to avoid the desktop popups.
+
+    execFilePromise(process.sasLoc!, [
       '-SYSIN',
       codePath,
       '-LOG',
       path.join(session.path, 'log.log'),
+      '-PRINT',
+      path.join(session.path, 'output.lst'),
       '-WORK',
       session.path,
       '-AUTOEXEC',
       autoExecPath,
-      process.platform === 'win32' ? '-nosplash' : ''
+      process.sasLoc!.endsWith('sas.exe') ? '-nologo' : '',
+      process.sasLoc!.endsWith('sas.exe') ? '-nosplash' : '',
+      process.sasLoc!.endsWith('sas.exe') ? '-icon' : '',
+      process.sasLoc!.endsWith('sas.exe') ? '-nodms' : '',
+      process.sasLoc!.endsWith('sas.exe') ? '-noterminal' : '',
+      process.sasLoc!.endsWith('sas.exe') ? '-nostatuswin' : '',
+      process.sasLoc!.endsWith('sas.exe') ? '-NOPRNGETLIST' : '',
+      process.sasLoc!.endsWith('sas.exe') ? '-SASINITIALFOLDER' : '',
+      process.sasLoc!.endsWith('sas.exe') ? session.path : ''
     ])
       .then(() => {
         session.completed = true
-        console.log('session completed', session)
+        process.logger.info('session completed', session)
       })
       .catch((err) => {
         session.completed = true
         session.crashed = err.toString()
-        console.log('session crashed', session.id, session.crashed)
+        process.logger.error('session crashed', session.id, session.crashed)
       })
 
     // we have a triggered session - add to array
@@ -117,12 +170,15 @@ export class SessionController {
     while ((await fileExists(codeFilePath)) && !session.crashed) {}
 
     if (session.crashed)
-      console.log('session crashed! while waiting to be ready', session.crashed)
+      process.logger.error(
+        'session crashed! while waiting to be ready',
+        session.crashed
+      )
 
     session.ready = true
   }
 
-  public async deleteSession(session: Session) {
+  private async deleteSession(session: Session) {
     // remove the temporary files, to avoid buildup
     await deleteFolder(session.path)
 
@@ -133,22 +189,52 @@ export class SessionController {
   }
 
   private scheduleSessionDestroy(session: Session) {
-    setTimeout(async () => {
+    setTimeout(
+      async () => {
         if (session.inUse) {
-        session.deathTimeStamp = session.deathTimeStamp + 1000 * 10
+          // adding 10 more minutes
+          const newDeathTimeStamp =
+            parseInt(session.deathTimeStamp) + 10 * 60 * 1000
+          session.deathTimeStamp = newDeathTimeStamp.toString()
+
+          this.scheduleSessionDestroy(session)
+        } else {
+          const { expiresAfterMins } = session
+
+          // delay session destroy if expiresAfterMins present
+          if (expiresAfterMins && !expiresAfterMins.used) {
+            // calculate session death time using expiresAfterMins
+            const newDeathTimeStamp =
+              parseInt(session.deathTimeStamp) +
+              expiresAfterMins.mins * 60 * 1000
+            session.deathTimeStamp = newDeathTimeStamp.toString()
+
+            // set expiresAfterMins to true to avoid using it again
+            session.expiresAfterMins!.used = true
 
             this.scheduleSessionDestroy(session)
           } else {
             await this.deleteSession(session)
           }
-    }, parseInt(session.deathTimeStamp) - new Date().getTime() - 100)
+        }
+      },
+      parseInt(session.deathTimeStamp) - new Date().getTime() - 100
+    )
   }
 }
 
-export const getSessionController = (): SessionController => {
-  if (process.sessionController) return process.sessionController
+export const getSessionController = (
+  runTime: RunTimeType
+): SessionController => {
+  if (runTime === RunTimeType.SAS) {
+    process.sasSessionController =
+      process.sasSessionController || new SASSessionController()
 
-  process.sessionController = new SessionController()
+    return process.sasSessionController
+  }
+
+  process.sessionController =
+    process.sessionController || new SessionController()
 
   return process.sessionController
 }

api/src/controllers/internal/createJSProgram.ts

@@ -0,0 +1,68 @@
+import { escapeWinSlashes } from '@sasjs/utils'
+import { PreProgramVars, Session } from '../../types'
+import { generateFileUploadJSCode } from '../../utils'
+import { ExecutionVars } from './'
+
+export const createJSProgram = async (
+  program: string,
+  preProgramVariables: PreProgramVars,
+  vars: ExecutionVars,
+  session: Session,
+  weboutPath: string,
+  headersPath: string,
+  tokenFile: string,
+  otherArgs?: any
+) => {
+  const varStatments = Object.keys(vars).reduce(
+    (computed: string, key: string) =>
+      `${computed}const ${key} = \`${vars[key]}\`;\n`,
+    ''
+  )
+
+  const preProgramVarStatments = `
+let _webout = '';
+const weboutPath = '${escapeWinSlashes(weboutPath)}'; 
+const _SASJS_TOKENFILE = '${escapeWinSlashes(tokenFile)}';
+const _SASJS_WEBOUT_HEADERS = '${escapeWinSlashes(headersPath)}';
+const _SASJS_USERNAME = '${preProgramVariables?.username}';
+const _SASJS_USERID = '${preProgramVariables?.userId}';
+const _SASJS_DISPLAYNAME = '${preProgramVariables?.displayName}';
+const _METAPERSON = _SASJS_DISPLAYNAME;
+const _METAUSER = _SASJS_USERNAME;
+const SASJSPROCESSMODE = 'Stored Program';
+`
+
+  const requiredModules = `const fs = require('fs')`
+
+  program = `
+/* runtime vars */
+${varStatments}
+
+/* dynamic user-provided vars */
+${preProgramVarStatments}
+
+/* actual job code */
+${program}
+
+/* write webout file only if webout exists*/
+if (_webout) {
+  fs.writeFile(weboutPath, _webout, function (err) {
+    if (err) throw err;
+  })
+}
+`
+  // if no files are uploaded filesNamesMap will be undefined
+  if (otherArgs?.filesNamesMap) {
+    const uploadJsCode = await generateFileUploadJSCode(
+      otherArgs.filesNamesMap,
+      session.path
+    )
+
+    // If any files are uploaded, the program needs to be updated with some
+    // dynamically generated variables (pointers) for ease of ingestion
+    if (uploadJsCode.length > 0) {
+      program = `${uploadJsCode}\n` + program
+    }
+  }
+  return requiredModules + program
+}

api/src/controllers/internal/createPythonProgram.ts

@@ -0,0 +1,64 @@
+import { escapeWinSlashes } from '@sasjs/utils'
+import { PreProgramVars, Session } from '../../types'
+import { generateFileUploadPythonCode } from '../../utils'
+import { ExecutionVars } from './'
+
+export const createPythonProgram = async (
+  program: string,
+  preProgramVariables: PreProgramVars,
+  vars: ExecutionVars,
+  session: Session,
+  weboutPath: string,
+  headersPath: string,
+  tokenFile: string,
+  otherArgs?: any
+) => {
+  const varStatments = Object.keys(vars).reduce(
+    (computed: string, key: string) => `${computed}${key} = '${vars[key]}';\n`,
+    ''
+  )
+
+  const preProgramVarStatments = `
+_SASJS_SESSION_PATH = '${escapeWinSlashes(session.path)}';
+_WEBOUT = '${escapeWinSlashes(weboutPath)}'; 
+_SASJS_WEBOUT_HEADERS = '${escapeWinSlashes(headersPath)}';
+_SASJS_TOKENFILE = '${escapeWinSlashes(tokenFile)}';
+_SASJS_USERNAME = '${preProgramVariables?.username}';
+_SASJS_USERID = '${preProgramVariables?.userId}';
+_SASJS_DISPLAYNAME = '${preProgramVariables?.displayName}';
+_METAPERSON = _SASJS_DISPLAYNAME;
+_METAUSER = _SASJS_USERNAME;
+SASJSPROCESSMODE = 'Stored Program';
+`
+
+  const requiredModules = `import os`
+
+  program = `
+# runtime vars
+${varStatments}
+
+# dynamic user-provided vars
+${preProgramVarStatments}
+
+# change working directory to  session folder
+os.chdir(_SASJS_SESSION_PATH)
+
+# actual job code
+${program}
+
+`
+  // if no files are uploaded filesNamesMap will be undefined
+  if (otherArgs?.filesNamesMap) {
+    const uploadPythonCode = await generateFileUploadPythonCode(
+      otherArgs.filesNamesMap,
+      session.path
+    )
+
+    // If any files are uploaded, the program needs to be updated with some
+    // dynamically generated variables (pointers) for ease of ingestion
+    if (uploadPythonCode.length > 0) {
+      program = `${uploadPythonCode}\n` + program
+    }
+  }
+  return requiredModules + program
+}

api/src/controllers/internal/createRProgram.ts

@@ -0,0 +1,64 @@
+import { escapeWinSlashes } from '@sasjs/utils'
+import { PreProgramVars, Session } from '../../types'
+import { generateFileUploadRCode } from '../../utils'
+import { ExecutionVars } from '.'
+
+export const createRProgram = async (
+  program: string,
+  preProgramVariables: PreProgramVars,
+  vars: ExecutionVars,
+  session: Session,
+  weboutPath: string,
+  headersPath: string,
+  tokenFile: string,
+  otherArgs?: any
+) => {
+  const varStatments = Object.keys(vars).reduce(
+    (computed: string, key: string) => `${computed}.${key} <- '${vars[key]}'\n`,
+    ''
+  )
+
+  const preProgramVarStatments = `
+._SASJS_SESSION_PATH <- '${escapeWinSlashes(session.path)}';
+._WEBOUT <- '${escapeWinSlashes(weboutPath)}'; 
+._SASJS_WEBOUT_HEADERS <- '${escapeWinSlashes(headersPath)}';
+._SASJS_TOKENFILE <- '${escapeWinSlashes(tokenFile)}';
+._SASJS_USERNAME <- '${preProgramVariables?.username}';
+._SASJS_USERID <- '${preProgramVariables?.userId}';
+._SASJS_DISPLAYNAME <- '${preProgramVariables?.displayName}';
+._METAPERSON <- ._SASJS_DISPLAYNAME;
+._METAUSER <- ._SASJS_USERNAME;
+SASJSPROCESSMODE <- 'Stored Program';
+`
+
+  const requiredModules = ``
+
+  program = `
+# runtime vars
+${varStatments}
+
+# dynamic user-provided vars
+${preProgramVarStatments}
+
+# change working directory to  session folder
+setwd(._SASJS_SESSION_PATH)
+
+# actual job code
+${program}
+
+`
+  // if no files are uploaded filesNamesMap will be undefined
+  if (otherArgs?.filesNamesMap) {
+    const uploadRCode = await generateFileUploadRCode(
+      otherArgs.filesNamesMap,
+      session.path
+    )
+
+    // If any files are uploaded, the program needs to be updated with some
+    // dynamically generated variables (pointers) for ease of ingestion
+    if (uploadRCode.length > 0) {
+      program = `${uploadRCode}\n` + program
+    }
+  }
+  return requiredModules + program
+}

api/src/controllers/internal/createSASProgram.ts

@@ -0,0 +1,76 @@
+import { PreProgramVars, Session } from '../../types'
+import { generateFileUploadSasCode, getMacrosFolder } from '../../utils'
+import { ExecutionVars } from './'
+
+export const createSASProgram = async (
+  program: string,
+  preProgramVariables: PreProgramVars,
+  vars: ExecutionVars,
+  session: Session,
+  weboutPath: string,
+  headersPath: string,
+  tokenFile: string,
+  otherArgs?: any
+) => {
+  const varStatments = Object.keys(vars).reduce(
+    (computed: string, key: string) => `${computed}%let ${key}=${vars[key]};\n`,
+    ''
+  )
+
+  const preProgramVarStatments = `
+%let _sasjs_tokenfile=${tokenFile};
+%let _sasjs_username=${preProgramVariables?.username};
+%let _sasjs_userid=${preProgramVariables?.userId};
+%let _sasjs_displayname=${preProgramVariables?.displayName};
+%let _sasjs_apiserverurl=${preProgramVariables?.serverUrl};
+%let _sasjs_apipath=/SASjsApi/stp/execute;
+%let _sasjs_webout_headers=${headersPath};
+%let _metaperson=&_sasjs_displayname;
+%let _metauser=&_sasjs_username;
+
+/* the below is here for compatibility and will be removed in a future release */
+%let sasjs_stpsrv_header_loc=&_sasjs_webout_headers;
+
+%let sasjsprocessmode=Stored Program;
+
+%global SYSPROCESSMODE SYSTCPIPHOSTNAME SYSHOSTINFOLONG;
+%macro _sasjs_server_init();
+%if "&SYSPROCESSMODE"="" %then %let SYSPROCESSMODE=&sasjsprocessmode;
+%if "&SYSTCPIPHOSTNAME"="" %then %let SYSTCPIPHOSTNAME=&_sasjs_apiserverurl;
+%mend;
+%_sasjs_server_init()
+
+`
+
+  program = `
+options insert=(SASAUTOS="${getMacrosFolder()}");
+
+/* runtime vars */
+${varStatments}
+filename _webout "${weboutPath}" mod;
+
+/* dynamic user-provided vars */
+${preProgramVarStatments}
+
+/* user autoexec starts */
+${otherArgs?.userAutoExec ?? ''}
+/* user autoexec ends */
+
+/* actual job code */
+${program}`
+
+  // if no files are uploaded filesNamesMap will be undefined
+  if (otherArgs?.filesNamesMap) {
+    const uploadSasCode = await generateFileUploadSasCode(
+      otherArgs.filesNamesMap,
+      session.path
+    )
+
+    // If any files are uploaded, the program needs to be updated with some
+    // dynamically generated variables (pointers) for ease of ingestion
+    if (uploadSasCode.length > 0) {
+      program = `${uploadSasCode}` + program
+    }
+  }
+  return program
+}

api/src/controllers/internal/deploy.ts

@@ -1,19 +1,29 @@
-import { MemberType, FolderMember, ServiceMember, FileTree } from '../../types'
-import { getTmpFilesFolderPath } from '../../utils/file'
-import { createFolder, createFile, asyncForEach } from '@sasjs/utils'
 import path from 'path'
+import { getFilesFolder } from '../../utils/file'
+import {
+  createFolder,
+  createFile,
+  asyncForEach,
+  FolderMember,
+  ServiceMember,
+  FileMember,
+  MemberType,
+  FileTree
+} from '@sasjs/utils'
 
 // REFACTOR: export FileTreeCpntroller
 export const createFileTree = async (
-  members: (FolderMember | ServiceMember)[],
+  members: (FolderMember | ServiceMember | FileMember)[],
   parentFolders: string[] = []
 ) => {
   const destinationPath = path.join(
-    getTmpFilesFolderPath(),
+    getFilesFolder(),
     path.join(...parentFolders)
   )
 
-  await asyncForEach(members, async (member: FolderMember | ServiceMember) => {
+  await asyncForEach(
+    members,
+    async (member: FolderMember | ServiceMember | FileMember) => {
       let name = member.name
 
       if (member.type === MemberType.service) name += '.sas'
@@ -27,11 +37,16 @@ export const createFileTree = async (
           (err) => Promise.reject({ error: err, failedToCreate: name })
         )
       } else {
-      await createFile(path.join(destinationPath, name), member.code).catch(
-        (err) => Promise.reject({ error: err, failedToCreate: name })
-      )
+        const encoding = member.type === MemberType.file ? 'base64' : undefined
+
+        await createFile(
+          path.join(destinationPath, name),
+          member.code,
+          encoding
+        ).catch((err) => Promise.reject({ error: err, failedToCreate: name }))
       }
-  })
+    }
+  )
 
   return Promise.resolve()
 }

api/src/controllers/internal/index.ts

@@ -2,3 +2,8 @@ export * from './deploy'
 export * from './Session'
 export * from './Execution'
 export * from './FileUploadController'
+export * from './createSASProgram'
+export * from './createJSProgram'
+export * from './createPythonProgram'
+export * from './createRProgram'
+export * from './processProgram'

api/src/controllers/internal/processProgram.ts

@@ -0,0 +1,162 @@
+import path from 'path'
+import { WriteStream, createWriteStream } from 'fs'
+import { execFile } from 'child_process'
+import { once } from 'stream'
+import { createFile, moveFile } from '@sasjs/utils'
+import { PreProgramVars, Session } from '../../types'
+import { RunTimeType } from '../../utils'
+import {
+  ExecutionVars,
+  createSASProgram,
+  createJSProgram,
+  createPythonProgram,
+  createRProgram
+} from './'
+
+export const processProgram = async (
+  program: string,
+  preProgramVariables: PreProgramVars,
+  vars: ExecutionVars,
+  session: Session,
+  weboutPath: string,
+  headersPath: string,
+  tokenFile: string,
+  runTime: RunTimeType,
+  logPath: string,
+  otherArgs?: any
+) => {
+  if (runTime === RunTimeType.SAS) {
+    program = await createSASProgram(
+      program,
+      preProgramVariables,
+      vars,
+      session,
+      weboutPath,
+      headersPath,
+      tokenFile,
+      otherArgs
+    )
+
+    const codePath = path.join(session.path, 'code.sas')
+
+    // Creating this file in a RUNNING session will break out
+    // the autoexec loop and actually execute the program
+    // but - given it will take several milliseconds to create
+    // (which can mean SAS trying to run a partial program, or
+    // failing due to file lock) we first create the file THEN
+    // we rename it.
+    await createFile(codePath + '.bkp', program)
+    await moveFile(codePath + '.bkp', codePath)
+
+    // we now need to poll the session status
+    while (!session.completed) {
+      await delay(50)
+    }
+  } else {
+    let codePath: string
+    let executablePath: string
+    switch (runTime) {
+      case RunTimeType.JS:
+        program = await createJSProgram(
+          program,
+          preProgramVariables,
+          vars,
+          session,
+          weboutPath,
+          headersPath,
+          tokenFile,
+          otherArgs
+        )
+        codePath = path.join(session.path, 'code.js')
+        executablePath = process.nodeLoc!
+
+        break
+      case RunTimeType.PY:
+        program = await createPythonProgram(
+          program,
+          preProgramVariables,
+          vars,
+          session,
+          weboutPath,
+          headersPath,
+          tokenFile,
+          otherArgs
+        )
+        codePath = path.join(session.path, 'code.py')
+        executablePath = process.pythonLoc!
+
+        break
+      case RunTimeType.R:
+        program = await createRProgram(
+          program,
+          preProgramVariables,
+          vars,
+          session,
+          weboutPath,
+          headersPath,
+          tokenFile,
+          otherArgs
+        )
+        codePath = path.join(session.path, 'code.r')
+        executablePath = process.rLoc!
+
+        break
+      default:
+        throw new Error('Invalid runtime!')
+    }
+
+    await createFile(codePath, program)
+
+    // create a stream that will write to console outputs to log file
+    const writeStream = createWriteStream(logPath)
+    // waiting for the open event so that we can have underlying file descriptor
+    await once(writeStream, 'open')
+
+    await execFilePromise(executablePath, [codePath], writeStream)
+      .then(() => {
+        session.completed = true
+        process.logger.info('session completed', session)
+      })
+      .catch((err) => {
+        session.completed = true
+        session.crashed = err.toString()
+        process.logger.error('session crashed', session.id, session.crashed)
+      })
+
+    // copy the code file to log and end write stream
+    writeStream.end(program)
+  }
+}
+
+/**
+ * Promisified child_process.execFile
+ *
+ * @param file - The name or path of the executable file to run.
+ * @param args - List of string arguments.
+ * @param writeStream - Child process stdout and stderr will be piped to it.
+ *
+ * @returns {Promise<{ stdout: string, stderr: string }>}
+ */
+const execFilePromise = (
+  file: string,
+  args: string[],
+  writeStream: WriteStream
+): Promise<{ stdout: string; stderr: string }> => {
+  return new Promise((resolve, reject) => {
+    const child = execFile(file, args, (err, stdout, stderr) => {
+      if (err) reject(err)
+
+      resolve({ stdout, stderr })
+    })
+
+    child.stdout?.on('data', (data) => {
+      writeStream.write(data)
+    })
+
+    child.stderr?.on('data', (data) => {
+      writeStream.write(data)
+    })
+  })
+}
+
+const delay = (ms: number) => new Promise((resolve) => setTimeout(resolve, ms))

api/src/controllers/mock-sas9.ts

@@ -0,0 +1,283 @@
+import { readFile } from '@sasjs/utils'
+import express from 'express'
+import path from 'path'
+import { Request, Post, Get } from 'tsoa'
+import dotenv from 'dotenv'
+import { ExecutionController } from './internal'
+import {
+  getPreProgramVariables,
+  getRunTimeAndFilePath,
+  makeFilesNamesMap
+} from '../utils'
+import { MulterFile } from '../types/Upload'
+
+dotenv.config()
+
+export interface Sas9Response {
+  content: string
+  redirect?: string
+  error?: boolean
+}
+
+export interface MockFileRead {
+  content: string
+  error?: boolean
+}
+
+export class MockSas9Controller {
+  private loggedIn: string | undefined
+  private mocksPath = process.env.STATIC_MOCK_LOCATION || 'mocks'
+
+  @Get('/SASStoredProcess')
+  public async sasStoredProcess(
+    @Request() req: express.Request
+  ): Promise<Sas9Response> {
+    const username = req.query._username?.toString() || undefined
+    const password = req.query._password?.toString() || undefined
+
+    if (username && password) this.loggedIn = req.body.username
+
+    if (!this.loggedIn) {
+      return {
+        content: '',
+        redirect: '/SASLogon/login'
+      }
+    }
+
+    let program = req.query._program?.toString() || undefined
+    const filePath: string[] = program
+      ? program.replace('/', '').split('/')
+      : ['generic', 'sas-stored-process']
+
+    if (program) {
+      return await getMockResponseFromFile([
+        process.cwd(),
+        this.mocksPath,
+        'sas9',
+        ...filePath
+      ])
+    }
+
+    return await getMockResponseFromFile([
+      process.cwd(),
+      'mocks',
+      'sas9',
+      ...filePath
+    ])
+  }
+
+  @Get('/SASStoredProcess/do')
+  public async sasStoredProcessDoGet(
+    @Request() req: express.Request
+  ): Promise<Sas9Response> {
+    const username = req.query._username?.toString() || undefined
+    const password = req.query._password?.toString() || undefined
+
+    if (username && password) this.loggedIn = username
+
+    if (!this.loggedIn) {
+      return {
+        content: '',
+        redirect: '/SASLogon/login'
+      }
+    }
+
+    const program = req.query._program ?? req.body?._program
+    const filePath: string[] = ['generic', 'sas-stored-process']
+
+    if (program) {
+      const vars = { ...req.query, ...req.body, _requestMethod: req.method }
+      const otherArgs = {}
+
+      try {
+        const { codePath, runTime } = await getRunTimeAndFilePath(
+          program + '.js'
+        )
+
+        const result = await new ExecutionController().executeFile({
+          programPath: codePath,
+          preProgramVariables: getPreProgramVariables(req),
+          vars: vars,
+          otherArgs: otherArgs,
+          runTime,
+          forceStringResult: true
+        })
+
+        return {
+          content: result.result as string
+        }
+      } catch (err) {
+        process.logger.error('err', err)
+      }
+
+      return {
+        content: 'No webout returned.'
+      }
+    }
+
+    return await getMockResponseFromFile([
+      process.cwd(),
+      'mocks',
+      'sas9',
+      ...filePath
+    ])
+  }
+
+  @Post('/SASStoredProcess/do/')
+  public async sasStoredProcessDoPost(
+    @Request() req: express.Request
+  ): Promise<Sas9Response> {
+    if (!this.loggedIn) {
+      return {
+        content: '',
+        redirect: '/SASLogon/login'
+      }
+    }
+
+    if (this.isPublicAccount()) {
+      return {
+        content: '',
+        redirect: '/SASLogon/Login'
+      }
+    }
+
+    const program = req.query._program ?? req.body?._program
+    const vars = {
+      ...req.query,
+      ...req.body,
+      _requestMethod: req.method,
+      _driveLoc: process.driveLoc
+    }
+    const filesNamesMap = req.files?.length
+      ? makeFilesNamesMap(req.files as MulterFile[])
+      : null
+    const otherArgs = { filesNamesMap: filesNamesMap }
+    const { codePath, runTime } = await getRunTimeAndFilePath(program + '.js')
+    try {
+      const result = await new ExecutionController().executeFile({
+        programPath: codePath,
+        preProgramVariables: getPreProgramVariables(req),
+        vars: vars,
+        otherArgs: otherArgs,
+        runTime,
+        session: req.sasjsSession,
+        forceStringResult: true
+      })
+
+      return {
+        content: result.result as string
+      }
+    } catch (err) {
+      process.logger.error('err', err)
+    }
+
+    return {
+      content: 'No webout returned.'
+    }
+  }
+
+  @Get('/SASLogon/login')
+  public async loginGet(): Promise<Sas9Response> {
+    if (this.loggedIn) {
+      if (this.isPublicAccount()) {
+        return {
+          content: '',
+          redirect: '/SASStoredProcess/Logoff?publicDenied=true'
+        }
+      } else {
+        return await getMockResponseFromFile([
+          process.cwd(),
+          'mocks',
+          'sas9',
+          'generic',
+          'logged-in'
+        ])
+      }
+    }
+
+    return await getMockResponseFromFile([
+      process.cwd(),
+      'mocks',
+      'sas9',
+      'generic',
+      'login'
+    ])
+  }
+
+  @Post('/SASLogon/login')
+  public async loginPost(req: express.Request): Promise<Sas9Response> {
+    if (req.body.lt && req.body.lt !== 'validtoken')
+      return {
+        content: '',
+        redirect: '/SASLogon/login'
+      }
+
+    this.loggedIn = req.body.username
+
+    return await getMockResponseFromFile([
+      process.cwd(),
+      'mocks',
+      'sas9',
+      'generic',
+      'logged-in'
+    ])
+  }
+
+  @Get('/SASLogon/logout')
+  public async logout(req: express.Request): Promise<Sas9Response> {
+    this.loggedIn = undefined
+
+    if (req.query.publicDenied === 'true') {
+      return await getMockResponseFromFile([
+        process.cwd(),
+        'mocks',
+        'sas9',
+        'generic',
+        'public-access-denied'
+      ])
+    }
+
+    return await getMockResponseFromFile([
+      process.cwd(),
+      'mocks',
+      'sas9',
+      'generic',
+      'logged-out'
+    ])
+  }
+
+  @Get('/SASStoredProcess/Logoff') //publicDenied=true
+  public async logoff(req: express.Request): Promise<Sas9Response> {
+    const params = req.query.publicDenied
+      ? `?publicDenied=${req.query.publicDenied}`
+      : ''
+
+    return {
+      content: '',
+      redirect: '/SASLogon/logout' + params
+    }
+  }
+
+  private isPublicAccount = () => this.loggedIn?.toLowerCase() === 'public'
+}
+
+const getMockResponseFromFile = async (
+  filePath: string[]
+): Promise<MockFileRead> => {
+  const filePathParsed = path.join(...filePath)
+  let error: boolean = false
+
+  let file = await readFile(filePathParsed).catch((err: any) => {
+    const errMsg = `Error reading mocked file on path: ${filePathParsed}\nError: ${err}`
+    process.logger.error(errMsg)
+
+    error = true
+
+    return errMsg
+  })
+
+  return {
+    content: file,
+    error: error
+  }
+}

api/src/controllers/permission.ts

@@ -0,0 +1,368 @@
+import express from 'express'
+import {
+  Security,
+  Route,
+  Tags,
+  Path,
+  Example,
+  Get,
+  Post,
+  Patch,
+  Delete,
+  Body,
+  Request
+} from 'tsoa'
+
+import Permission from '../model/Permission'
+import User from '../model/User'
+import Group from '../model/Group'
+import { UserResponse } from './user'
+import { GroupDetailsResponse } from './group'
+
+export enum PermissionType {
+  route = 'Route'
+}
+
+export enum PrincipalType {
+  user = 'user',
+  group = 'group'
+}
+
+export enum PermissionSettingForRoute {
+  grant = 'Grant',
+  deny = 'Deny'
+}
+
+interface RegisterPermissionPayload {
+  /**
+   * Name of affected resource
+   * @example "/SASjsApi/code/execute"
+   */
+  path: string
+  /**
+   * Type of affected resource
+   * @example "Route"
+   */
+  type: PermissionType
+  /**
+   * The indication of whether (and to what extent) access is provided
+   * @example "Grant"
+   */
+  setting: PermissionSettingForRoute
+  /**
+   * Indicates the type of principal
+   * @example "user"
+   */
+  principalType: PrincipalType
+  /**
+   * The id of user or group to which a rule is assigned.
+   * @example 123
+   */
+  principalId: number
+}
+
+interface UpdatePermissionPayload {
+  /**
+   * The indication of whether (and to what extent) access is provided
+   * @example "Grant"
+   */
+  setting: PermissionSettingForRoute
+}
+
+export interface PermissionDetailsResponse {
+  permissionId: number
+  path: string
+  type: string
+  setting: string
+  user?: UserResponse
+  group?: GroupDetailsResponse
+}
+
+@Security('bearerAuth')
+@Route('SASjsApi/permission')
+@Tags('Permission')
+export class PermissionController {
+  /**
+   * Get the list of permission rules applicable the authenticated user.
+   * If the user is an admin, all rules are returned.
+   *
+   * @summary Get the list of permission rules. If the user is admin, all rules are returned.
+   *
+   */
+  @Example<PermissionDetailsResponse[]>([
+    {
+      permissionId: 123,
+      path: '/SASjsApi/code/execute',
+      type: 'Route',
+      setting: 'Grant',
+      user: {
+        id: 1,
+        username: 'johnSnow01',
+        displayName: 'John Snow',
+        isAdmin: false
+      }
+    },
+    {
+      permissionId: 124,
+      path: '/SASjsApi/code/execute',
+      type: 'Route',
+      setting: 'Grant',
+      group: {
+        groupId: 1,
+        name: 'DCGroup',
+        description: 'This group represents Data Controller Users',
+        isActive: true,
+        users: []
+      }
+    }
+  ])
+  @Get('/')
+  public async getAllPermissions(
+    @Request() request: express.Request
+  ): Promise<PermissionDetailsResponse[]> {
+    return getAllPermissions(request)
+  }
+
+  /**
+   * @summary Create a new permission. Admin only.
+   *
+   */
+  @Example<PermissionDetailsResponse>({
+    permissionId: 123,
+    path: '/SASjsApi/code/execute',
+    type: 'Route',
+    setting: 'Grant',
+    user: {
+      id: 1,
+      username: 'johnSnow01',
+      displayName: 'John Snow',
+      isAdmin: false
+    }
+  })
+  @Post('/')
+  public async createPermission(
+    @Body() body: RegisterPermissionPayload
+  ): Promise<PermissionDetailsResponse> {
+    return createPermission(body)
+  }
+
+  /**
+   * @summary Update permission setting. Admin only
+   * @param permissionId The permission's identifier
+   * @example permissionId 1234
+   */
+  @Example<PermissionDetailsResponse>({
+    permissionId: 123,
+    path: '/SASjsApi/code/execute',
+    type: 'Route',
+    setting: 'Grant',
+    user: {
+      id: 1,
+      username: 'johnSnow01',
+      displayName: 'John Snow',
+      isAdmin: false
+    }
+  })
+  @Patch('{permissionId}')
+  public async updatePermission(
+    @Path() permissionId: number,
+    @Body() body: UpdatePermissionPayload
+  ): Promise<PermissionDetailsResponse> {
+    return updatePermission(permissionId, body)
+  }
+
+  /**
+   * @summary Delete a permission. Admin only.
+   * @param permissionId The user's identifier
+   * @example permissionId 1234
+   */
+  @Delete('{permissionId}')
+  public async deletePermission(@Path() permissionId: number) {
+    return deletePermission(permissionId)
+  }
+}
+
+const getAllPermissions = async (
+  req: express.Request
+): Promise<PermissionDetailsResponse[]> => {
+  const { user } = req
+
+  if (user?.isAdmin) return await Permission.get({})
+  else {
+    const permissions: PermissionDetailsResponse[] = []
+
+    const dbUser = await User.findOne({ id: user?.userId })
+    if (!dbUser)
+      throw {
+        code: 404,
+        status: 'Not Found',
+        message: 'User not found.'
+      }
+
+    permissions.push(...(await Permission.get({ user: dbUser._id })))
+
+    for (const group of dbUser.groups) {
+      permissions.push(...(await Permission.get({ group })))
+    }
+
+    return permissions
+  }
+}
+
+const createPermission = async ({
+  path,
+  type,
+  setting,
+  principalType,
+  principalId
+}: RegisterPermissionPayload): Promise<PermissionDetailsResponse> => {
+  const permission = new Permission({
+    path,
+    type,
+    setting
+  })
+
+  let user: UserResponse | undefined
+  let group: GroupDetailsResponse | undefined
+
+  switch (principalType) {
+    case PrincipalType.user: {
+      const userInDB = await User.findOne({ id: principalId })
+      if (!userInDB)
+        throw {
+          code: 404,
+          status: 'Not Found',
+          message: 'User not found.'
+        }
+
+      if (userInDB.isAdmin)
+        throw {
+          code: 400,
+          status: 'Bad Request',
+          message: 'Can not add permission for admin user.'
+        }
+
+      const alreadyExists = await Permission.findOne({
+        path,
+        type,
+        user: userInDB._id
+      })
+
+      if (alreadyExists)
+        throw {
+          code: 409,
+          status: 'Conflict',
+          message:
+            'Permission already exists with provided Path, Type and User.'
+        }
+
+      permission.user = userInDB._id
+
+      user = {
+        id: userInDB.id,
+        username: userInDB.username,
+        displayName: userInDB.displayName,
+        isAdmin: userInDB.isAdmin
+      }
+      break
+    }
+    case PrincipalType.group: {
+      const groupInDB = await Group.findOne({ groupId: principalId })
+      if (!groupInDB)
+        throw {
+          code: 404,
+          status: 'Not Found',
+          message: 'Group not found.'
+        }
+
+      const alreadyExists = await Permission.findOne({
+        path,
+        type,
+        group: groupInDB._id
+      })
+      if (alreadyExists)
+        throw {
+          code: 409,
+          status: 'Conflict',
+          message:
+            'Permission already exists with provided Path, Type and Group.'
+        }
+
+      permission.group = groupInDB._id
+
+      group = {
+        groupId: groupInDB.groupId,
+        name: groupInDB.name,
+        description: groupInDB.description,
+        isActive: groupInDB.isActive,
+        users: groupInDB.populate({
+          path: 'users',
+          select: 'id username displayName isAdmin -_id',
+          options: { limit: 15 }
+        }) as unknown as UserResponse[]
+      }
+      break
+    }
+    default:
+      throw {
+        code: 400,
+        status: 'Bad Request',
+        message: 'Invalid principal type. Valid types are user or group.'
+      }
+  }
+
+  const savedPermission = await permission.save()
+
+  return {
+    permissionId: savedPermission.permissionId,
+    path: savedPermission.path,
+    type: savedPermission.type,
+    setting: savedPermission.setting,
+    user,
+    group
+  }
+}
+
+const updatePermission = async (
+  id: number,
+  data: UpdatePermissionPayload
+): Promise<PermissionDetailsResponse> => {
+  const { setting } = data
+
+  const updatedPermission = (await Permission.findOneAndUpdate(
+    { permissionId: id },
+    { setting },
+    { new: true }
+  )
+    .select({
+      _id: 0,
+      permissionId: 1,
+      path: 1,
+      type: 1,
+      setting: 1
+    })
+    .populate({ path: 'user', select: 'id username displayName isAdmin -_id' })
+    .populate({
+      path: 'group',
+      select: 'groupId name description -_id'
+    })) as unknown as PermissionDetailsResponse
+  if (!updatedPermission)
+    throw {
+      code: 404,
+      status: 'Not Found',
+      message: 'Permission not found.'
+    }
+
+  return updatedPermission
+}
+
+const deletePermission = async (id: number) => {
+  const permission = await Permission.findOne({ permissionId: id })
+  if (!permission)
+    throw {
+      code: 404,
+      status: 'Not Found',
+      message: 'Permission not found.'
+    }
+  await Permission.deleteOne({ permissionId: id })
+}

api/src/controllers/session.ts

@@ -2,6 +2,10 @@ import express from 'express'
 import { Request, Security, Route, Tags, Example, Get } from 'tsoa'
 import { UserResponse } from './user'
 
+interface SessionResponse extends UserResponse {
+  needsToUpdatePassword: boolean
+}
+
 @Security('bearerAuth')
 @Route('SASjsApi/session')
 @Tags('Session')
@@ -13,18 +17,21 @@ export class SessionController {
   @Example<UserResponse>({
     id: 123,
     username: 'johnusername',
-    displayName: 'John'
+    displayName: 'John',
+    isAdmin: false
   })
   @Get('/')
   public async session(
     @Request() request: express.Request
-  ): Promise<UserResponse> {
+  ): Promise<SessionResponse> {
     return session(request)
   }
 }
 
-const session = (req: any) => ({
-  id: req.user.id,
-  username: req.user.username,
-  displayName: req.user.displayName
+const session = (req: express.Request) => ({
+  id: req.user!.userId,
+  username: req.user!.username,
+  displayName: req.user!.displayName,
+  isAdmin: req.user!.isAdmin,
+  needsToUpdatePassword: req.user!.needsToUpdatePassword
 })

api/src/controllers/stp.ts

@@ -1,22 +1,47 @@
 import express from 'express'
-import path from 'path'
 import { Request, Security, Route, Tags, Post, Body, Get, Query } from 'tsoa'
-import { ExecutionController, ExecutionVars } from './internal'
-import { PreProgramVars } from '../types'
-import { getTmpFilesFolderPath, makeFilesNamesMap } from '../utils'
+import {
+  ExecutionController,
+  ExecutionVars,
+  getSessionController
+} from './internal'
+import {
+  getPreProgramVariables,
+  makeFilesNamesMap,
+  getRunTimeAndFilePath
+} from '../utils'
+import { MulterFile } from '../types/Upload'
 
-interface ExecuteReturnJsonPayload {
+interface ExecutePostRequestPayload {
   /**
    * Location of SAS program
    * @example "/Public/somefolder/some.file"
    */
   _program?: string
 }
-interface ExecuteReturnJsonResponse {
-  status: string
-  _webout: string
-  log?: string
-  message?: string
+
+interface TriggerProgramPayload {
+  /**
+   * Location of SAS program
+   * @example "/Public/somefolder/some.file"
+   */
+  _program: string
+  /**
+   * Amount of minutes after the completion of the program when the session must be
+   * destroyed.
+   * @example 15
+   */
+  expiresAfterMins?: number
+}
+
+interface TriggerProgramResponse {
+  /**
+   * The SessionId is the name of the temporary folder used to store the outputs.
+   * For SAS, this would be the SASWORK folder. Can be used to poll program status.
+   * This session ID should be used to poll program status.
+   * @example "{ sessionId: '20241028074744-54132-1730101664824' }"
+   */
+  sessionId: string
 }
 
 @Security('bearerAuth')
@@ -24,62 +49,108 @@ interface ExecuteReturnJsonResponse {
 @Tags('STP')
 export class STPController {
   /**
-   * Trigger a SAS program using it's location in the _program parameter.
-   * Enable debugging using the _debug parameter.
-   * Additional URL parameters are turned into SAS macro variables.
-   * Any files provided are placed into the session and
-   * corresponding _WEBIN_XXX variables are created.
-   * @summary Execute Stored Program, return raw content
-   * @query _program Location of SAS program
-   * @example _program "/Public/somefolder/some.file"
+   * Trigger a Stored Program using the _program URL parameter.
+   *
+   * Accepts additional URL parameters (converted to session variables)
+   * and file uploads.  For more details, see docs:
+   *
+   * https://server.sasjs.io/storedprograms
+   *
+   * @summary Execute a Stored Program, returns _webout and (optionally) log.
+   * @param _program Location of Stored Program in SASjs Drive.
+   * @param _debug Optional query param for setting debug mode (returns the session log in the response body).
+   * @example _program "/Projects/myApp/some/program"
+   * @example _debug 131
    */
   @Get('/execute')
-  public async executeReturnRaw(
+  public async executeGetRequest(
     @Request() request: express.Request,
-    @Query() _program: string
-  ): Promise<string> {
-    return executeReturnRaw(request, _program)
+    @Query() _program: string,
+    @Query() _debug?: number
+  ): Promise<string | Buffer> {
+    let vars = request.query as ExecutionVars
+    if (_debug) {
+      vars = {
+        ...vars,
+        _debug
+      }
+    }
+
+    return execute(request, _program, vars)
   }
 
   /**
-   * Trigger a SAS program using it's location in the _program parameter.
-   * Enable debugging using the _debug parameter.
-   * Additional URL parameters are turned into SAS macro variables.
-   * Any files provided are placed into the session and
-   * corresponding _WEBIN_XXX variables are created.
-   * @summary Execute Stored Program, return JSON
-   * @query _program Location of SAS program
-   * @example _program "/Public/somefolder/some.file"
+   * Trigger a Stored Program using the _program URL parameter.
+   *
+   * Accepts URL parameters and file uploads.  For more details, see docs:
+   *
+   * https://server.sasjs.io/storedprograms
+   *
+   *
+   * @summary Execute a Stored Program, returns _webout and (optionally) log.
+   * @param _program Location of code in SASjs Drive
+   * @example _program "/Projects/myApp/some/program"
    */
   @Post('/execute')
-  public async executeReturnJson(
+  public async executePostRequest(
     @Request() request: express.Request,
-    @Body() body?: ExecuteReturnJsonPayload,
+    @Body() body?: ExecutePostRequestPayload,
     @Query() _program?: string
-  ): Promise<ExecuteReturnJsonResponse> {
+  ): Promise<string | Buffer> {
     const program = _program ?? body?._program
-    return executeReturnJson(request, program!)
+    const vars = { ...request.query, ...request.body }
+    const filesNamesMap = request.files?.length
+      ? makeFilesNamesMap(request.files as MulterFile[])
+      : null
+    const otherArgs = { filesNamesMap: filesNamesMap }
+
+    return execute(request, program!, vars, otherArgs)
+  }
+
+  /**
+   * Trigger Program on the Specified Runtime
+   * @summary Triggers program and returns SessionId immediately - does not wait for program completion
+   * @param _program Location of code in SASjs Drive
+   * @example _program "/Projects/myApp/some/program"
+   * @param expiresAfterMins Amount of minutes after the completion of the program when the session must be destroyed
+   * @example expiresAfterMins 15
+   */
+  @Post('/trigger')
+  public async triggerProgram(
+    @Request() request: express.Request,
+    @Body() body: TriggerProgramPayload
+  ): Promise<TriggerProgramResponse> {
+    return triggerProgram(request, body)
   }
 }
 
-const executeReturnRaw = async (
+const execute = async (
   req: express.Request,
-  _program: string
-): Promise<string> => {
-  const query = req.query as ExecutionVars
-  const sasCodePath =
-    path
-      .join(getTmpFilesFolderPath(), _program)
-      .replace(new RegExp('/', 'g'), path.sep) + '.sas'
-
+  _program: string,
+  vars: ExecutionVars,
+  otherArgs?: any
+): Promise<string | Buffer> => {
   try {
-    const result = await new ExecutionController().executeFile(
-      sasCodePath,
-      getPreProgramVariables(req),
-      query
+    const { codePath, runTime } = await getRunTimeAndFilePath(_program)
+
+    const { result, httpHeaders } = await new ExecutionController().executeFile(
+      {
+        programPath: codePath,
+        runTime,
+        preProgramVariables: getPreProgramVariables(req),
+        vars,
+        otherArgs,
+        session: req.sasjsSession
+      }
     )
 
-    return result as string
+    req.res?.header(httpHeaders)
+
+    if (result instanceof Buffer) {
+      ;(req as any).sasHeaders = httpHeaders
+    }
+
+    return result
   } catch (err: any) {
     throw {
       code: 400,
@@ -90,30 +161,42 @@ const executeReturnRaw = async (
   }
 }
 
-const executeReturnJson = async (
-  req: any,
-  _program: string
-): Promise<ExecuteReturnJsonResponse> => {
-  const sasCodePath =
-    path
-      .join(getTmpFilesFolderPath(), _program)
-      .replace(new RegExp('/', 'g'), path.sep) + '.sas'
-
-  const filesNamesMap = req.files?.length ? makeFilesNamesMap(req.files) : null
-
+const triggerProgram = async (
+  req: express.Request,
+  { _program, expiresAfterMins }: TriggerProgramPayload
+): Promise<TriggerProgramResponse> => {
   try {
-    const { webout, log } = (await new ExecutionController().executeFile(
-      sasCodePath,
-      getPreProgramVariables(req),
-      { ...req.query, ...req.body },
-      { filesNamesMap: filesNamesMap },
-      true
-    )) as { webout: string; log: string }
-    return {
-      status: 'success',
-      _webout: webout,
-      log
+    const vars = { ...req.body }
+    const filesNamesMap = req.files?.length
+      ? makeFilesNamesMap(req.files as MulterFile[])
+      : null
+    const otherArgs = { filesNamesMap: filesNamesMap }
+    const { codePath, runTime } = await getRunTimeAndFilePath(_program)
+
+    // get session controller based on runTime
+    const sessionController = getSessionController(runTime)
+
+    // get session
+    const session = await sessionController.getSession()
+
+    // add expiresAfterMins to session if provided
+    if (expiresAfterMins) {
+      // expiresAfterMins.used is set initially to false
+      session.expiresAfterMins = { mins: expiresAfterMins, used: false }
     }
+
+    // call executeFile method of ExecutionController without awaiting
+    new ExecutionController().executeFile({
+      programPath: codePath,
+      runTime,
+      preProgramVariables: getPreProgramVariables(req),
+      vars,
+      otherArgs,
+      session
+    })
+
+    // return session id
+    return { sessionId: session.id }
   } catch (err: any) {
     throw {
       code: 400,
@@ -123,16 +206,3 @@ const executeReturnJson = async (
     }
   }
 }
-
-const getPreProgramVariables = (req: any): PreProgramVars => {
-  const host = req.get('host')
-  const protocol = req.protocol + '://'
-  const { user, accessToken } = req
-  return {
-    username: user.username,
-    userId: user.userId,
-    displayName: user.displayName,
-    serverUrl: protocol + host,
-    accessToken
-  }
-}

api/src/controllers/user.ts

@@ -1,3 +1,4 @@
+import express from 'express'
 import {
   Security,
   Route,
@@ -10,23 +11,35 @@ import {
   Patch,
   Delete,
   Body,
-  Hidden
+  Hidden,
+  Request
 } from 'tsoa'
+import { desktopUser } from '../middlewares'
 
 import User, { UserPayload } from '../model/User'
+import {
+  getUserAutoExec,
+  updateUserAutoExec,
+  ModeType,
+  ALL_USERS_GROUP
+} from '../utils'
+import { GroupController, GroupResponse } from './group'
 
 export interface UserResponse {
   id: number
   username: string
   displayName: string
+  isAdmin: boolean
 }
 
-interface UserDetailsResponse {
+export interface UserDetailsResponse {
   id: number
   displayName: string
   username: string
   isActive: boolean
   isAdmin: boolean
+  autoExec?: string
+  groups?: GroupResponse[]
 }
 
 @Security('bearerAuth')
@@ -41,12 +54,14 @@ export class UserController {
     {
       id: 123,
       username: 'johnusername',
-      displayName: 'John'
+      displayName: 'John',
+      isAdmin: false
     },
     {
       id: 456,
       username: 'starkusername',
-      displayName: 'Stark'
+      displayName: 'Stark',
+      isAdmin: true
     }
   ])
   @Get('/')
@@ -73,13 +88,68 @@ export class UserController {
   }
 
   /**
+   * Only Admin or user itself will get user autoExec code.
+   * @summary Get user properties - such as group memberships, userName, displayName.
+   * @param username The User's username
+   * @example username "johnSnow01"
+   */
+  @Get('by/username/{username}')
+  public async getUserByUsername(
+    @Request() req: express.Request,
+    @Path() username: string
+  ): Promise<UserDetailsResponse> {
+    const { MODE } = process.env
+
+    if (MODE === ModeType.Desktop) return getDesktopAutoExec()
+
+    const { user } = req
+    const getAutoExec = user!.isAdmin || user!.username == username
+    return getUser({ username }, getAutoExec)
+  }
+
+  /**
+   * Only Admin or user itself will get user autoExec code.
    * @summary Get user properties - such as group memberships, userName, displayName.
    * @param userId The user's identifier
    * @example userId 1234
    */
   @Get('{userId}')
-  public async getUser(@Path() userId: number): Promise<UserDetailsResponse> {
-    return getUser(userId)
+  public async getUser(
+    @Request() req: express.Request,
+    @Path() userId: number
+  ): Promise<UserDetailsResponse> {
+    const { MODE } = process.env
+
+    if (MODE === ModeType.Desktop) return getDesktopAutoExec()
+
+    const { user } = req
+    const getAutoExec = user!.isAdmin || user!.userId == userId
+    return getUser({ id: userId }, getAutoExec)
+  }
+
+  /**
+   * @summary Update user properties - such as displayName. Can be performed either by admins, or the user in question.
+   * @param username The User's username
+   * @example username "johnSnow01"
+   */
+  @Example<UserDetailsResponse>({
+    id: 1234,
+    displayName: 'John Snow',
+    username: 'johnSnow01',
+    isAdmin: false,
+    isActive: true
+  })
+  @Patch('by/username/{username}')
+  public async updateUserByUsername(
+    @Path() username: string,
+    @Body() body: UserPayload
+  ): Promise<UserDetailsResponse> {
+    const { MODE } = process.env
+
+    if (MODE === ModeType.Desktop)
+      return updateDesktopAutoExec(body.autoExec ?? '')
+
+    return updateUser({ username }, body)
   }
 
   /**
@@ -99,7 +169,26 @@ export class UserController {
     @Path() userId: number,
     @Body() body: UserPayload
   ): Promise<UserDetailsResponse> {
-    return updateUser(userId, body)
+    const { MODE } = process.env
+
+    if (MODE === ModeType.Desktop)
+      return updateDesktopAutoExec(body.autoExec ?? '')
+
+    return updateUser({ id: userId }, body)
+  }
+
+  /**
+   * @summary Delete a user. Can be performed either by admins, or the user in question.
+   * @param username The User's username
+   * @example username "johnSnow01"
+   */
+  @Delete('by/username/{username}')
+  public async deleteUserByUsername(
+    @Path() username: string,
+    @Body() body: { password?: string },
+    @Query() @Hidden() isAdmin: boolean = false
+  ) {
+    return deleteUser({ username }, isAdmin, body)
   }
 
   /**
@@ -113,21 +202,25 @@ export class UserController {
     @Body() body: { password?: string },
     @Query() @Hidden() isAdmin: boolean = false
   ) {
-    return deleteUser(userId, isAdmin, body)
+    return deleteUser({ id: userId }, isAdmin, body)
   }
 }
 
 const getAllUsers = async (): Promise<UserResponse[]> =>
   await User.find({})
-    .select({ _id: 0, id: 1, username: 1, displayName: 1 })
+    .select({ _id: 0, id: 1, username: 1, displayName: 1, isAdmin: 1 })
     .exec()
 
 const createUser = async (data: UserPayload): Promise<UserDetailsResponse> => {
-  const { displayName, username, password, isAdmin, isActive } = data
+  const { displayName, username, password, isAdmin, isActive, autoExec } = data
 
   // Checking if user is already in the database
   const usernameExist = await User.findOne({ username })
-  if (usernameExist) throw new Error('Username already exists.')
+  if (usernameExist)
+    throw {
+      code: 409,
+      message: 'Username already exists.'
+    }
 
   // Hash passwords
   const hashPassword = User.hashPassword(password)
@@ -138,48 +231,112 @@ const createUser = async (data: UserPayload): Promise<UserDetailsResponse> => {
     username,
     password: hashPassword,
     isAdmin,
-    isActive
+    isActive,
+    autoExec
   })
 
   const savedUser = await user.save()
 
+  const groupController = new GroupController()
+  const allUsersGroup = await groupController
+    .getGroupByGroupName(ALL_USERS_GROUP.name)
+    .catch(() => {})
+
+  if (allUsersGroup) {
+    await groupController.addUserToGroup(allUsersGroup.groupId, savedUser.id)
+  }
+
   return {
     id: savedUser.id,
     displayName: savedUser.displayName,
     username: savedUser.username,
     isActive: savedUser.isActive,
-    isAdmin: savedUser.isAdmin
+    isAdmin: savedUser.isAdmin,
+    autoExec: savedUser.autoExec
   }
 }
 
-const getUser = async (id: number): Promise<UserDetailsResponse> => {
-  const user = await User.findOne({ id })
-    .select({
-      _id: 0,
-      id: 1,
-      username: 1,
-      displayName: 1,
-      isAdmin: 1,
-      isActive: 1
-    })
-    .exec()
-  if (!user) throw new Error('User is not found.')
+interface GetUserBy {
+  id?: number
+  username?: string
+}
 
-  return user
+const getUser = async (
+  findBy: GetUserBy,
+  getAutoExec: boolean
+): Promise<UserDetailsResponse> => {
+  const user = (await User.findOne(
+    findBy,
+    `id displayName username isActive isAdmin autoExec -_id`
+  ).populate(
+    'groups',
+    'groupId name description -_id'
+  )) as unknown as UserDetailsResponse
+
+  if (!user)
+    throw {
+      code: 404,
+      message: 'User is not found.'
+    }
+
+  return {
+    id: user.id,
+    displayName: user.displayName,
+    username: user.username,
+    isActive: user.isActive,
+    isAdmin: user.isAdmin,
+    autoExec: getAutoExec ? (user.autoExec ?? '') : undefined,
+    groups: user.groups
+  }
+}
+
+const getDesktopAutoExec = async () => {
+  return {
+    ...desktopUser,
+    id: desktopUser.userId,
+    autoExec: await getUserAutoExec()
+  }
 }
 
 const updateUser = async (
-  id: number,
-  data: UserPayload
+  findBy: GetUserBy,
+  data: Partial<UserPayload>
 ): Promise<UserDetailsResponse> => {
-  const { displayName, username, password, isAdmin, isActive } = data
+  const { displayName, username, password, isAdmin, isActive, autoExec } = data
 
-  const params: any = { displayName, isAdmin, isActive }
+  const params: any = { displayName, isAdmin, isActive, autoExec }
+
+  const user = await User.findOne(findBy)
+
+  if (username && username !== user?.username && user?.authProvider) {
+    throw {
+      code: 405,
+      message:
+        'Can not update username of user that is created by an external auth provider.'
+    }
+  }
+
+  if (displayName && displayName !== user?.displayName && user?.authProvider) {
+    throw {
+      code: 405,
+      message:
+        'Can not update display name of user that is created by an external auth provider.'
+    }
+  }
 
   if (username) {
     // Checking if user is already in the database
     const usernameExist = await User.findOne({ username })
-    if (usernameExist?.id != id) throw new Error('Username already exists.')
+    if (usernameExist) {
+      if (
+        (findBy.id && usernameExist.id != findBy.id) ||
+        (findBy.username && usernameExist.username != findBy.username)
+      )
+        throw {
+          code: 409,
+          message: 'Username already exists.'
+        }
+    }
     params.username = username
   }
 
@@ -188,33 +345,53 @@ const updateUser = async (
     params.password = User.hashPassword(password)
   }
 
-  const updatedUser = await User.findOneAndUpdate({ id }, params, { new: true })
-    .select({
-      _id: 0,
-      id: 1,
-      username: 1,
-      displayName: 1,
-      isAdmin: 1,
-      isActive: 1
-    })
-    .exec()
-  if (!updatedUser) throw new Error('Unable to update user')
+  const updatedUser = await User.findOneAndUpdate(findBy, params, { new: true })
 
-  return updatedUser
+  if (!updatedUser)
+    throw {
+      code: 404,
+      message: `Unable to find user with ${findBy.id || findBy.username}`
+    }
+
+  return {
+    id: updatedUser.id,
+    username: updatedUser.username,
+    displayName: updatedUser.displayName,
+    isAdmin: updatedUser.isAdmin,
+    isActive: updatedUser.isActive,
+    autoExec: updatedUser.autoExec
+  }
+}
+
+const updateDesktopAutoExec = async (autoExec: string) => {
+  await updateUserAutoExec(autoExec)
+  return {
+    ...desktopUser,
+    id: desktopUser.userId,
+    autoExec
+  }
 }
 
 const deleteUser = async (
-  id: number,
+  findBy: GetUserBy,
   isAdmin: boolean,
   { password }: { password?: string }
 ) => {
-  const user = await User.findOne({ id })
-  if (!user) throw new Error('User is not found.')
+  const user = await User.findOne(findBy)
+  if (!user)
+    throw {
+      code: 404,
+      message: 'User is not found.'
+    }
 
   if (!isAdmin) {
     const validPass = user.comparePassword(password!)
-    if (!validPass) throw new Error('Invalid password.')
+    if (!validPass)
+      throw {
+        code: 401,
+        message: 'Invalid password.'
+      }
   }
 
-  await User.deleteOne({ id })
+  await User.deleteOne(findBy)
 }

api/src/controllers/web.ts

@@ -0,0 +1,209 @@
+import path from 'path'
+import express from 'express'
+import { Request, Route, Tags, Post, Body, Get, Example } from 'tsoa'
+import { readFile, convertSecondsToHms } from '@sasjs/utils'
+
+import User from '../model/User'
+import Client from '../model/Client'
+import {
+  getWebBuildFolder,
+  generateAuthCode,
+  RateLimiter,
+  AuthProviderType,
+  LDAPClient
+} from '../utils'
+import { InfoJWT } from '../types'
+import { AuthController } from './auth'
+
+@Route('/')
+@Tags('Web')
+export class WebController {
+  /**
+   * @summary Render index.html
+   *
+   */
+  @Get('/')
+  public async home() {
+    return home()
+  }
+
+  /**
+   * @summary Accept a valid username/password
+   *
+   */
+  @Post('/SASLogon/login')
+  public async login(
+    @Request() req: express.Request,
+    @Body() body: LoginPayload
+  ) {
+    return login(req, body)
+  }
+
+  /**
+   * @summary Accept a valid username/password, plus a CLIENT_ID, and return an AUTH_CODE
+   *
+   */
+  @Example<AuthorizeResponse>({
+    code: 'someRandomCryptoString'
+  })
+  @Post('/SASLogon/authorize')
+  public async authorize(
+    @Request() req: express.Request,
+    @Body() body: AuthorizePayload
+  ): Promise<AuthorizeResponse> {
+    return authorize(req, body.clientId)
+  }
+
+  /**
+   * @summary Destroy the session stored in cookies
+   *
+   */
+  @Get('/SASLogon/logout')
+  public async logout(@Request() req: express.Request) {
+    return new Promise((resolve) => {
+      req.session.destroy(() => {
+        resolve(true)
+      })
+    })
+  }
+}
+
+const home = async () => {
+  const indexHtmlPath = path.join(getWebBuildFolder(), 'index.html')
+
+  // Attention! Cannot use fileExists here,
+  // due to limitation after building executable
+  const content = await readFile(indexHtmlPath)
+
+  return content
+}
+
+const login = async (
+  req: express.Request,
+  { username, password }: LoginPayload
+) => {
+  // Authenticate User
+  const user = await User.findOne({ username })
+
+  let validPass = false
+
+  if (user) {
+    if (
+      process.env.AUTH_PROVIDERS === AuthProviderType.LDAP &&
+      user.authProvider === AuthProviderType.LDAP
+    ) {
+      const ldapClient = await LDAPClient.init()
+      validPass = await ldapClient
+        .verifyUser(username, password)
+        .catch(() => false)
+    } else {
+      validPass = user.comparePassword(password)
+    }
+  }
+
+  // code to prevent brute force attack
+
+  const rateLimiter = RateLimiter.getInstance()
+
+  if (!validPass) {
+    const retrySecs = await rateLimiter.consume(req.ip, user?.username)
+    if (retrySecs > 0) throw errors.tooManyRequests(retrySecs)
+  }
+
+  if (!user) throw errors.userNotFound
+  if (!validPass) throw errors.invalidPassword
+
+  // Reset on successful authorization
+  rateLimiter.resetOnSuccess(req.ip, user.username)
+
+  req.session.loggedIn = true
+  req.session.user = {
+    userId: user.id,
+    clientId: 'web_app',
+    username: user.username,
+    displayName: user.displayName,
+    isAdmin: user.isAdmin,
+    isActive: user.isActive,
+    autoExec: user.autoExec,
+    needsToUpdatePassword: user.needsToUpdatePassword
+  }
+
+  return {
+    loggedIn: true,
+    user: {
+      id: user.id,
+      username: user.username,
+      displayName: user.displayName,
+      isAdmin: user.isAdmin,
+      needsToUpdatePassword: user.needsToUpdatePassword
+    }
+  }
+}
+
+const authorize = async (
+  req: express.Request,
+  clientId: string
+): Promise<AuthorizeResponse> => {
+  const userId = req.session.user?.userId
+  if (!userId) throw new Error('Invalid userId.')
+
+  const client = await Client.findOne({ clientId })
+  if (!client) throw new Error('Invalid clientId.')
+
+  // generate authorization code against clientId
+  const userInfo: InfoJWT = {
+    clientId,
+    userId
+  }
+  const code = AuthController.saveCode(
+    userId,
+    clientId,
+    generateAuthCode(userInfo)
+  )
+
+  return { code }
+}
+
+interface LoginPayload {
+  /**
+   * Username for user
+   * @example "secretuser"
+   */
+  username: string
+  /**
+   * Password for user
+   * @example "secretpassword"
+   */
+  password: string
+}
+
+interface AuthorizePayload {
+  /**
+   * Client ID
+   * @example "clientID1"
+   */
+  clientId: string
+}
+
+interface AuthorizeResponse {
+  /**
+   * Authorization code
+   * @example "someRandomCryptoString"
+   */
+  code: string
+}
+
+const errors = {
+  invalidPassword: {
+    code: 401,
+    message: 'Invalid Password.'
+  },
+  userNotFound: {
+    code: 401,
+    message: 'Username is not found.'
+  },
+  tooManyRequests: (seconds: number) => ({
+    code: 429,
+    message: `Too Many Requests! Retry after ${convertSecondsToHms(seconds)}`
+  })
+}

api/src/middlewares/authenticateToken.ts

@@ -1,42 +1,88 @@
+import { RequestHandler, Request, Response, NextFunction } from 'express'
 import jwt from 'jsonwebtoken'
-import { verifyTokenInDB } from '../utils'
+import { csrfProtection } from './'
+import {
+  fetchLatestAutoExec,
+  ModeType,
+  verifyTokenInDB,
+  isAuthorizingRoute,
+  isPublicRoute,
+  publicUser
+} from '../utils'
+import { desktopUser } from './desktop'
+import { authorize } from './authorize'
 
-export const authenticateAccessToken = (req: any, res: any, next: any) => {
-  authenticateToken(
+export const authenticateAccessToken: RequestHandler = async (
   req,
   res,
-    next,
-    process.env.ACCESS_TOKEN_SECRET as string,
+  next
+) => {
+  const { MODE } = process.env
+  if (MODE === ModeType.Desktop) {
+    req.user = desktopUser
+    return next()
+  }
+
+  const nextFunction = isAuthorizingRoute(req)
+    ? () => authorize(req, res, next)
+    : next
+
+  // if request is coming from web and has valid session
+  // it can be validated.
+  if (req.session?.loggedIn) {
+    if (req.session.user) {
+      const user = await fetchLatestAutoExec(req.session.user)
+
+      if (user) {
+        if (user.isActive) {
+          req.user = user
+          return csrfProtection(req, res, nextFunction)
+        } else return res.sendStatus(401)
+      }
+    }
+    return res.sendStatus(401)
+  }
+
+  await authenticateToken(
+    req,
+    res,
+    nextFunction,
+    process.secrets.ACCESS_TOKEN_SECRET,
     'accessToken'
   )
 }
 
-export const authenticateRefreshToken = (req: any, res: any, next: any) => {
-  authenticateToken(
+export const authenticateRefreshToken: RequestHandler = async (
+  req,
+  res,
+  next
+) => {
+  await authenticateToken(
     req,
     res,
     next,
-    process.env.REFRESH_TOKEN_SECRET as string,
+    process.secrets.REFRESH_TOKEN_SECRET,
     'refreshToken'
   )
 }
 
-const authenticateToken = (
-  req: any,
-  res: any,
-  next: any,
+const authenticateToken = async (
+  req: Request,
+  res: Response,
+  next: NextFunction,
   key: string,
   tokenType: 'accessToken' | 'refreshToken'
 ) => {
   const { MODE } = process.env
-  if (MODE?.trim() !== 'server') {
+  if (MODE === ModeType.Desktop) {
     req.user = {
-      userId: '1234',
+      userId: 1234,
       clientId: 'desktopModeClientId',
       username: 'desktopModeUsername',
       displayName: 'desktopModeDisplayName',
       isAdmin: true,
-      isActive: true
+      isActive: true,
+      needsToUpdatePassword: false
     }
     req.accessToken = 'desktopModeAccessToken'
     return next()
@@ -44,12 +90,12 @@ const authenticateToken = (
 
   const authHeader = req.headers['authorization']
   const token = authHeader?.split(' ')[1]
-  if (!token) return res.sendStatus(401)
 
-  jwt.verify(token, key, async (err: any, data: any) => {
-    if (err) return res.sendStatus(401)
+  try {
+    if (!token) throw 'Unauthorized'
+
+    const data: any = jwt.verify(token, key)
 
-    // verify this valid token's entry in DB
     const user = await verifyTokenInDB(
       data?.userId,
       data?.clientId,
@@ -62,8 +108,16 @@ const authenticateToken = (
         req.user = user
         if (tokenType === 'accessToken') req.accessToken = token
         return next()
-      } else return res.sendStatus(401)
+      } else throw 'Unauthorized'
+    }
+
+    throw 'Unauthorized'
+  } catch (error) {
+    if (await isPublicRoute(req)) {
+      req.user = publicUser
+      return next()
+    }
+
+    res.sendStatus(401)
   }
-    return res.sendStatus(401)
-  })
 }

api/src/middlewares/authorize.ts

@@ -0,0 +1,87 @@
+import { RequestHandler } from 'express'
+import User from '../model/User'
+import Permission from '../model/Permission'
+import {
+  PermissionSettingForRoute,
+  PermissionType
+} from '../controllers/permission'
+import { getPath, isPublicRoute, TopLevelRoutes } from '../utils'
+
+export const authorize: RequestHandler = async (req, res, next) => {
+  const { user } = req
+
+  if (!user) return res.sendStatus(401)
+
+  // no need to check for permissions when user is admin
+  if (user.isAdmin) return next()
+
+  // no need to check for permissions when route is Public
+  if (await isPublicRoute(req)) return next()
+
+  const dbUser = await User.findOne({ id: user.userId })
+  if (!dbUser) return res.sendStatus(401)
+
+  const path = getPath(req)
+  const { baseUrl } = req
+  const topLevelRoute =
+    TopLevelRoutes.find((route) => baseUrl.startsWith(route)) || baseUrl
+
+  // find permission w.r.t user
+  const permission = await Permission.findOne({
+    path,
+    type: PermissionType.route,
+    user: dbUser._id
+  })
+
+  if (permission) {
+    if (permission.setting === PermissionSettingForRoute.grant) return next()
+    else return res.sendStatus(401)
+  }
+
+  // find permission w.r.t user on top level
+  const topLevelPermission = await Permission.findOne({
+    path: topLevelRoute,
+    type: PermissionType.route,
+    user: dbUser._id
+  })
+
+  if (topLevelPermission) {
+    if (topLevelPermission.setting === PermissionSettingForRoute.grant)
+      return next()
+    else return res.sendStatus(401)
+  }
+
+  let isPermissionDenied = false
+
+  // find permission w.r.t user's groups
+  for (const group of dbUser.groups) {
+    const groupPermission = await Permission.findOne({
+      path,
+      type: PermissionType.route,
+      group
+    })
+
+    if (groupPermission) {
+      if (groupPermission.setting === PermissionSettingForRoute.grant) {
+        return next()
+      } else {
+        isPermissionDenied = true
+      }
+    }
+  }
+
+  if (!isPermissionDenied) {
+    // find permission w.r.t user's groups on top level
+    for (const group of dbUser.groups) {
+      const groupPermission = await Permission.findOne({
+        path: topLevelRoute,
+        type: PermissionType.route,
+        group
+      })
+      if (groupPermission?.setting === PermissionSettingForRoute.grant)
+        return next()
+    }
+  }
+
+  return res.sendStatus(401)
+}

api/src/middlewares/bruteForceProtection.ts

@@ -0,0 +1,22 @@
+import { RequestHandler } from 'express'
+import { convertSecondsToHms } from '@sasjs/utils'
+import { RateLimiter } from '../utils'
+
+export const bruteForceProtection: RequestHandler = async (req, res, next) => {
+  const ip = req.ip
+  const username = req.body.username
+
+  const rateLimiter = RateLimiter.getInstance()
+
+  const retrySecs = await rateLimiter.check(ip, username)
+
+  if (retrySecs > 0) {
+    res
+      .status(429)
+      .send(`Too Many Requests! Retry after ${convertSecondsToHms(retrySecs)}`)
+
+    return
+  }
+
+  next()
+}

api/src/middlewares/csrfProtection.ts

@@ -0,0 +1,32 @@
+import { RequestHandler } from 'express'
+import csrf from 'csrf'
+
+const csrfTokens = new csrf()
+const secret = csrfTokens.secretSync()
+
+export const generateCSRFToken = () => csrfTokens.create(secret)
+
+export const csrfProtection: RequestHandler = (req, res, next) => {
+  if (req.method === 'GET') return next()
+
+  // Reads the token from the following locations, in order:
+  // req.body.csrf_token - typically generated by the body-parser module.
+  // req.query.csrf_token - a built-in from Express.js to read from the URL query string.
+  // req.headers['csrf-token'] - the CSRF-Token HTTP request header.
+  // req.headers['xsrf-token'] - the XSRF-Token HTTP request header.
+  // req.headers['x-csrf-token'] - the X-CSRF-Token HTTP request header.
+  // req.headers['x-xsrf-token'] - the X-XSRF-Token HTTP request header.
+
+  const token =
+    req.body?.csrf_token ||
+    req.query?.csrf_token ||
+    req.headers['csrf-token'] ||
+    req.headers['xsrf-token'] ||
+    req.headers['x-csrf-token'] ||
+    req.headers['x-xsrf-token']
+
+  if (!csrfTokens.verify(secret, token)) {
+    return res.status(400).send('Invalid CSRF token!')
+  }
+  next()
+}

api/src/middlewares/desktop.ts

@@ -1,18 +1,38 @@
-export const desktopRestrict = (req: any, res: any, next: any) => {
+import { RequestHandler, Request } from 'express'
+import { userInfo } from 'os'
+import { RequestUser } from '../types'
+import { ModeType } from '../utils'
+
+const regexUser = /^\/SASjsApi\/user\/[0-9]*$/ // /SASjsApi/user/1
+
+const allowedInDesktopMode: { [key: string]: RegExp[] } = {
+  GET: [regexUser],
+  PATCH: [regexUser]
+}
+
+const reqAllowedInDesktopMode = (request: Request): boolean => {
+  const { method, originalUrl: url } = request
+
+  return !!allowedInDesktopMode[method]?.find((urlRegex) => urlRegex.test(url))
+}
+
+export const desktopRestrict: RequestHandler = (req, res, next) => {
   const { MODE } = process.env
-  if (MODE?.trim() !== 'server')
+
+  if (MODE === ModeType.Desktop) {
+    if (!reqAllowedInDesktopMode(req))
       return res.status(403).send('Not Allowed while in Desktop Mode.')
+  }
 
   next()
 }
-export const desktopUsername = (req: any, res: any, next: any) => {
-  const { MODE } = process.env
-  if (MODE?.trim() !== 'server')
-    return res.status(200).send({
+
+export const desktopUser: RequestUser = {
   userId: 12345,
-      username: 'DESKTOPusername',
-      displayName: 'DESKTOP User'
-    })
-
-  next()
+  clientId: 'desktop_app',
+  username: userInfo().username,
+  displayName: userInfo().username,
+  isAdmin: true,
+  isActive: true,
+  needsToUpdatePassword: false
 }

api/src/middlewares/index.ts

@@ -1,4 +1,7 @@
 export * from './authenticateToken'
+export * from './authorize'
+export * from './csrfProtection'
 export * from './desktop'
 export * from './verifyAdmin'
 export * from './verifyAdminIfNeeded'
+export * from './bruteForceProtection'

api/src/middlewares/multer.ts

@@ -0,0 +1,72 @@
+import path from 'path'
+import { Request } from 'express'
+import multer, { FileFilterCallback, Options } from 'multer'
+import { blockFileRegex, getUploadsFolder } from '../utils'
+
+const fieldNameSize = 300
+const fileSize = 104857600 // 100 MB
+
+const storage = multer.diskStorage({
+  destination: getUploadsFolder(),
+  filename: function (
+    _req: Request,
+    file: Express.Multer.File,
+    callback: (error: Error | null, filename: string) => void
+  ) {
+    callback(
+      null,
+      file.fieldname + path.extname(file.originalname) + '-' + Date.now()
+    )
+  }
+})
+
+const limits: Options['limits'] = {
+  fieldNameSize,
+  fileSize
+}
+
+const fileFilter: Options['fileFilter'] = (
+  req: Request,
+  file: Express.Multer.File,
+  callback: FileFilterCallback
+) => {
+  const fileExtension = path.extname(file.originalname)
+  const shouldBlockUpload = blockFileRegex.test(file.originalname)
+  if (shouldBlockUpload) {
+    return callback(
+      new Error(`File extension '${fileExtension}' not acceptable.`)
+    )
+  }
+
+  const uploadFileSize = parseInt(req.headers['content-length'] ?? '')
+  if (uploadFileSize > fileSize) {
+    return callback(
+      new Error(
+        `File size is over limit. File limit is: ${fileSize / 1024 / 1024} MB`
+      )
+    )
+  }
+
+  callback(null, true)
+}
+
+const options: Options = { storage, limits, fileFilter }
+
+const multerInstance = multer(options)
+
+export const multerSingle = (fileName: string, arg: any) => {
+  const [req, res, next] = arg
+  const upload = multerInstance.single(fileName)
+
+  upload(req, res, function (err) {
+    if (err instanceof multer.MulterError) {
+      return res.status(500).send(err.message)
+    } else if (err) {
+      return res.status(400).send(err.message)
+    }
+    // Everything went fine.
+    next()
+  })
+}
+
+export default multerInstance

api/src/middlewares/verifyAdmin.ts

@@ -1,6 +1,9 @@
-export const verifyAdmin = (req: any, res: any, next: any) => {
+import { RequestHandler } from 'express'
+import { ModeType } from '../utils'
+
+export const verifyAdmin: RequestHandler = (req, res, next) => {
   const { MODE } = process.env
-  if (MODE?.trim() !== 'server') return next()
+  if (MODE === ModeType.Desktop) return next()
 
   const { user } = req
   if (!user?.isAdmin) return res.status(401).send('Admin account required')

api/src/middlewares/verifyAdminIfNeeded.ts

@@ -1,9 +1,22 @@
-export const verifyAdminIfNeeded = (req: any, res: any, next: any) => {
-  const { user } = req
-  const userId = parseInt(req.params.userId)
+import { RequestHandler } from 'express'
 
-  if (!user.isAdmin && user.userId !== userId) {
+// This middleware checks if a non-admin user trying to
+// access information of other user
+export const verifyAdminIfNeeded: RequestHandler = (req, res, next) => {
+  const { user } = req
+
+  if (!user?.isAdmin) {
+    let adminAccountRequired: boolean = true
+
+    if (req.params.userId) {
+      adminAccountRequired = user?.userId !== parseInt(req.params.userId)
+    } else if (req.params.username) {
+      adminAccountRequired = user?.username !== req.params.username
+    }
+
+    if (adminAccountRequired)
       return res.status(401).send('Admin account required')
   }
+
   next()
 }

api/src/model/Client.ts

@@ -1,5 +1,6 @@
 import mongoose, { Schema } from 'mongoose'
 
+export const NUMBER_OF_SECONDS_IN_A_DAY = 86400
 export interface ClientPayload {
   /**
    * Client ID
@@ -11,6 +12,16 @@ export interface ClientPayload {
    * @example "someRandomCryptoString"
    */
   clientSecret: string
+  /**
+   * Number of seconds after which access token will expire. Default is 86400 (1 day)
+   * @example 86400
+   */
+  accessTokenExpiration?: number
+  /**
+   * Number of seconds after which access token will expire. Default is 2592000 (30 days)
+   * @example 2592000
+   */
+  refreshTokenExpiration?: number
 }
 
 const ClientSchema = new Schema<ClientPayload>({
@@ -21,6 +32,14 @@ const ClientSchema = new Schema<ClientPayload>({
   clientSecret: {
     type: String,
     required: true
+  },
+  accessTokenExpiration: {
+    type: Number,
+    default: NUMBER_OF_SECONDS_IN_A_DAY
+  },
+  refreshTokenExpiration: {
+    type: Number,
+    default: NUMBER_OF_SECONDS_IN_A_DAY * 30
   }
 })
 

api/src/model/Configuration.ts

@@ -0,0 +1,45 @@
+import mongoose, { Schema } from 'mongoose'
+
+export interface ConfigurationType {
+  /**
+   * SecretOrPrivateKey to sign Access Token
+   * @example "someRandomCryptoString"
+   */
+  ACCESS_TOKEN_SECRET: string
+  /**
+   * SecretOrPrivateKey to sign Refresh Token
+   * @example "someRandomCryptoString"
+   */
+  REFRESH_TOKEN_SECRET: string
+  /**
+   * SecretOrPrivateKey to sign Auth Code
+   * @example "someRandomCryptoString"
+   */
+  AUTH_CODE_SECRET: string
+  /**
+   * Secret used to sign the session cookie
+   * @example "someRandomCryptoString"
+   */
+  SESSION_SECRET: string
+}
+
+const ConfigurationSchema = new Schema<ConfigurationType>({
+  ACCESS_TOKEN_SECRET: {
+    type: String,
+    required: true
+  },
+  REFRESH_TOKEN_SECRET: {
+    type: String,
+    required: true
+  },
+  AUTH_CODE_SECRET: {
+    type: String,
+    required: true
+  },
+  SESSION_SECRET: {
+    type: String,
+    required: true
+  }
+})
+
+export default mongoose.model('Configuration', ConfigurationSchema)

api/src/model/Counter.ts

@@ -0,0 +1,15 @@
+import mongoose, { Schema } from 'mongoose'
+
+const CounterSchema = new Schema({
+  id: {
+    type: String,
+    required: true,
+    unique: true
+  },
+  seq: {
+    type: Number,
+    required: true
+  }
+})
+
+export default mongoose.model('Counter', CounterSchema)

api/src/model/Group.ts

@@ -1,5 +1,9 @@
-import mongoose, { Schema, model, Document, Model } from 'mongoose'
-const AutoIncrement = require('mongoose-sequence')(mongoose)
+import { Schema, model, Document, Model } from 'mongoose'
+import { GroupDetailsResponse } from '../controllers'
+import User, { IUser } from './User'
+import { AuthProviderType, getSequenceNextValue } from '../utils'
+
+export const PUBLIC_GROUP_NAME = 'Public'
 
 export interface GroupPayload {
   /**
@@ -23,61 +27,91 @@ interface IGroupDocument extends GroupPayload, Document {
   groupId: number
   isActive: boolean
   users: Schema.Types.ObjectId[]
+  authProvider?: AuthProviderType
 }
 
 interface IGroup extends IGroupDocument {
-  addUser(userObjectId: Schema.Types.ObjectId): Promise<IGroup>
-  removeUser(userObjectId: Schema.Types.ObjectId): Promise<IGroup>
+  addUser(user: IUser): Promise<GroupDetailsResponse>
+  removeUser(user: IUser): Promise<GroupDetailsResponse>
+  hasUser(user: IUser): boolean
 }
 interface IGroupModel extends Model<IGroup> {}
 
 const groupSchema = new Schema<IGroupDocument>({
   name: {
     type: String,
-    required: true
+    required: true,
+    unique: true
+  },
+  groupId: {
+    type: Number,
+    unique: true
   },
   description: {
     type: String,
     default: 'Group description.'
   },
+  authProvider: {
+    type: String,
+    enum: AuthProviderType
+  },
   isActive: {
     type: Boolean,
     default: true
   },
   users: [{ type: Schema.Types.ObjectId, ref: 'User' }]
 })
-groupSchema.plugin(AutoIncrement, { inc_field: 'groupId' })
 
 // Hooks
+groupSchema.pre('save', async function () {
+  if (this.isNew) {
+    this.groupId = await getSequenceNextValue('groupId')
+  }
+})
+
 groupSchema.post('save', function (group: IGroup, next: Function) {
   group.populate('users', 'id username displayName -_id').then(function () {
     next()
   })
 })
 
+// pre remove hook to remove all references of group from users
+groupSchema.pre('remove', async function () {
+  const userIds = this.users
+  await Promise.all(
+    userIds.map(async (userId) => {
+      const user = await User.findById(userId)
+      user?.removeGroup(this._id)
+    })
+  )
+})
+
 // Instance Methods
-groupSchema.method(
-  'addUser',
-  async function (userObjectId: Schema.Types.ObjectId) {
+groupSchema.method('addUser', async function (user: IUser) {
+  const userObjectId = user._id
   const userIdIndex = this.users.indexOf(userObjectId)
   if (userIdIndex === -1) {
     this.users.push(userObjectId)
+    user.addGroup(this._id)
   }
   this.markModified('users')
   return this.save()
-  }
-)
-groupSchema.method(
-  'removeUser',
-  async function (userObjectId: Schema.Types.ObjectId) {
+})
+groupSchema.method('removeUser', async function (user: IUser) {
+  const userObjectId = user._id
   const userIdIndex = this.users.indexOf(userObjectId)
   if (userIdIndex > -1) {
     this.users.splice(userIdIndex, 1)
+    user.removeGroup(this._id)
   }
   this.markModified('users')
   return this.save()
-  }
-)
+})
+groupSchema.method('hasUser', function (user: IUser) {
+  const userObjectId = user._id
+  const userIdIndex = this.users.indexOf(userObjectId)
+  return userIdIndex > -1
+})
 
 export const Group: IGroupModel = model<IGroup, IGroupModel>(
   'Group',

api/src/model/Permission.ts

@@ -0,0 +1,82 @@
+import { Schema, model, Document, Model } from 'mongoose'
+import { PermissionDetailsResponse } from '../controllers'
+import { getSequenceNextValue } from '../utils'
+
+interface GetPermissionBy {
+  user?: Schema.Types.ObjectId
+  group?: Schema.Types.ObjectId
+}
+
+interface IPermissionDocument extends Document {
+  path: string
+  type: string
+  setting: string
+  permissionId: number
+  user: Schema.Types.ObjectId
+  group: Schema.Types.ObjectId
+}
+
+interface IPermission extends IPermissionDocument {}
+
+interface IPermissionModel extends Model<IPermission> {
+  get(getBy: GetPermissionBy): Promise<PermissionDetailsResponse[]>
+}
+
+const permissionSchema = new Schema<IPermissionDocument>({
+  permissionId: {
+    type: Number,
+    unique: true
+  },
+  path: {
+    type: String,
+    required: true
+  },
+  type: {
+    type: String,
+    required: true
+  },
+  setting: {
+    type: String,
+    required: true
+  },
+  user: { type: Schema.Types.ObjectId, ref: 'User' },
+  group: { type: Schema.Types.ObjectId, ref: 'Group' }
+})
+
+// Hooks
+permissionSchema.pre('save', async function () {
+  if (this.isNew) {
+    this.permissionId = await getSequenceNextValue('permissionId')
+  }
+})
+
+// Static Methods
+permissionSchema.static('get', async function (getBy: GetPermissionBy): Promise<
+  PermissionDetailsResponse[]
+> {
+  return (await this.find(getBy)
+    .select({
+      _id: 0,
+      permissionId: 1,
+      path: 1,
+      type: 1,
+      setting: 1
+    })
+    .populate({ path: 'user', select: 'id username displayName isAdmin -_id' })
+    .populate({
+      path: 'group',
+      select: 'groupId name description -_id',
+      populate: {
+        path: 'users',
+        select: 'id username displayName isAdmin -_id',
+        options: { limit: 15 }
+      }
+    })) as unknown as PermissionDetailsResponse[]
+})
+
+export const Permission: IPermissionModel = model<
+  IPermission,
+  IPermissionModel
+>('Permission', permissionSchema)
+
+export default Permission

api/src/model/User.ts

@@ -1,6 +1,6 @@
-import mongoose, { Schema, model, Document, Model } from 'mongoose'
-const AutoIncrement = require('mongoose-sequence')(mongoose)
+import { Schema, model, Document, Model } from 'mongoose'
 import bcrypt from 'bcryptjs'
+import { AuthProviderType, getSequenceNextValue } from '../utils'
 
 export interface UserPayload {
   /**
@@ -27,18 +27,29 @@ export interface UserPayload {
    * @example "true"
    */
   isActive?: boolean
+  /**
+   * User-specific auto-exec code
+   * @example ""
+   */
+  autoExec?: string
 }
 
 interface IUserDocument extends UserPayload, Document {
+  _id: Schema.Types.ObjectId
   id: number
   isAdmin: boolean
   isActive: boolean
+  needsToUpdatePassword: boolean
+  autoExec: string
   groups: Schema.Types.ObjectId[]
   tokens: [{ [key: string]: string }]
+  authProvider?: AuthProviderType
 }
 
-interface IUser extends IUserDocument {
+export interface IUser extends IUserDocument {
   comparePassword(password: string): boolean
+  addGroup(groupObjectId: Schema.Types.ObjectId): Promise<IUser>
+  removeGroup(groupObjectId: Schema.Types.ObjectId): Promise<IUser>
 }
 interface IUserModel extends Model<IUser> {
   hashPassword(password: string): string
@@ -54,10 +65,18 @@ const userSchema = new Schema<IUserDocument>({
     required: true,
     unique: true
   },
+  id: {
+    type: Number,
+    unique: true
+  },
   password: {
     type: String,
     required: true
   },
+  authProvider: {
+    type: String,
+    enum: AuthProviderType
+  },
   isAdmin: {
     type: Boolean,
     default: false
@@ -66,6 +85,13 @@ const userSchema = new Schema<IUserDocument>({
     type: Boolean,
     default: true
   },
+  needsToUpdatePassword: {
+    type: Boolean,
+    default: true
+  },
+  autoExec: {
+    type: String
+  },
   groups: [{ type: Schema.Types.ObjectId, ref: 'Group' }],
   tokens: [
     {
@@ -84,7 +110,15 @@ const userSchema = new Schema<IUserDocument>({
     }
   ]
 })
-userSchema.plugin(AutoIncrement, { inc_field: 'id' })
+
+// Hooks
+userSchema.pre('save', async function (next) {
+  if (this.isNew) {
+    this.id = await getSequenceNextValue('id')
+  }
+
+  next()
+})
 
 // Static Methods
 userSchema.static('hashPassword', (password: string): string => {
@@ -97,6 +131,28 @@ userSchema.method('comparePassword', function (password: string): boolean {
   if (bcrypt.compareSync(password, this.password)) return true
   return false
 })
+userSchema.method(
+  'addGroup',
+  async function (groupObjectId: Schema.Types.ObjectId) {
+    const groupIdIndex = this.groups.indexOf(groupObjectId)
+    if (groupIdIndex === -1) {
+      this.groups.push(groupObjectId)
+    }
+    this.markModified('groups')
+    return this.save()
+  }
+)
+userSchema.method(
+  'removeGroup',
+  async function (groupObjectId: Schema.Types.ObjectId) {
+    const groupIdIndex = this.groups.indexOf(groupObjectId)
+    if (groupIdIndex > -1) {
+      this.groups.splice(groupIdIndex, 1)
+    }
+    this.markModified('groups')
+    return this.save()
+  }
+)
 
 export const User: IUserModel = model<IUser, IUserModel>('User', userSchema)
 

api/src/routes/api/auth.ts

@@ -1,58 +1,38 @@
 import express from 'express'
 
 import { AuthController } from '../../controllers/'
-import Client from '../../model/Client'
 
 import {
   authenticateAccessToken,
   authenticateRefreshToken
 } from '../../middlewares'
 
-import {
-  authorizeValidation,
-  getDesktopFields,
-  tokenValidation
-} from '../../utils'
+import { tokenValidation, updatePasswordValidation } from '../../utils'
 import { InfoJWT } from '../../types'
 
 const authRouter = express.Router()
+const controller = new AuthController()
 
-const clientIDs = new Set()
-
-export const populateClients = async () => {
-  const result = await Client.find()
-  clientIDs.clear()
-  result.forEach((r) => {
-    clientIDs.add(r.clientId)
-  })
-}
-
-authRouter.post('/authorize', async (req, res) => {
-  const { error, value: body } = authorizeValidation(req.body)
+authRouter.patch(
+  '/updatePassword',
+  authenticateAccessToken,
+  async (req, res) => {
+    const { error, value: body } = updatePasswordValidation(req.body)
     if (error) return res.status(400).send(error.details[0].message)
 
-  const { clientId } = body
-
-  // Verify client ID
-  if (!clientIDs.has(clientId)) {
-    return res.status(403).send('Invalid clientId.')
-  }
-
-  const controller = new AuthController()
     try {
-    const response = await controller.authorize(body)
-
-    res.send(response)
+      await controller.updatePassword(req, body)
+      res.sendStatus(204)
     } catch (err: any) {
-    res.status(403).send(err.toString())
+      res.status(err.code).send(err.message)
     }
-})
+  }
+)
 
 authRouter.post('/token', async (req, res) => {
   const { error, value: body } = tokenValidation(req.body)
   if (error) return res.status(400).send(error.details[0].message)
 
-  const controller = new AuthController()
   try {
     const response = await controller.token(body)
 
@@ -62,10 +42,12 @@ authRouter.post('/token', async (req, res) => {
   }
 })
 
-authRouter.post('/refresh', authenticateRefreshToken, async (req: any, res) => {
-  const userInfo: InfoJWT = req.user
+authRouter.post('/refresh', authenticateRefreshToken, async (req, res) => {
+  const userInfo: InfoJWT = {
+    userId: req.user!.userId!,
+    clientId: req.user!.clientId!
+  }
 
-  const controller = new AuthController()
   try {
     const response = await controller.refresh(userInfo)
 
@@ -75,10 +57,12 @@ authRouter.post('/refresh', authenticateRefreshToken, async (req: any, res) => {
   }
 })
 
-authRouter.delete('/logout', authenticateAccessToken, async (req: any, res) => {
-  const userInfo: InfoJWT = req.user
+authRouter.delete('/logout', authenticateAccessToken, async (req, res) => {
+  const userInfo: InfoJWT = {
+    userId: req.user!.userId!,
+    clientId: req.user!.clientId!
+  }
 
-  const controller = new AuthController()
   try {
     await controller.logout(userInfo)
   } catch (e) {}

api/src/routes/api/authConfig.ts

@@ -0,0 +1,25 @@
+import express from 'express'
+import { AuthConfigController } from '../../controllers'
+const authConfigRouter = express.Router()
+
+authConfigRouter.get('/', async (req, res) => {
+  const controller = new AuthConfigController()
+  try {
+    const response = controller.getDetail()
+    res.send(response)
+  } catch (err: any) {
+    res.status(500).send(err.toString())
+  }
+})
+
+authConfigRouter.post('/synchroniseWithLDAP', async (req, res) => {
+  const controller = new AuthConfigController()
+  try {
+    const response = await controller.synchroniseWithLDAP()
+    res.send(response)
+  } catch (err: any) {
+    res.status(500).send(err.toString())
+  }
+})
+
+export default authConfigRouter

api/src/routes/api/client.ts

@@ -1,6 +1,7 @@
 import express from 'express'
 import { ClientController } from '../../controllers'
 import { registerClientValidation } from '../../utils'
+import { authenticateAccessToken, verifyAdmin } from '../../middlewares'
 
 const clientRouter = express.Router()
 
@@ -17,4 +18,19 @@ clientRouter.post('/', async (req, res) => {
   }
 })
 
+clientRouter.get(
+  '/',
+  authenticateAccessToken,
+  verifyAdmin,
+  async (req, res) => {
+    const controller = new ClientController()
+    try {
+      const response = await controller.getAllClients()
+      res.send(response)
+    } catch (err: any) {
+      res.status(403).send(err.toString())
+    }
+  }
+)
+
 export default clientRouter

api/src/routes/api/code.ts

@@ -1,5 +1,5 @@
 import express from 'express'
-import { runSASValidation } from '../../utils'
+import { runCodeValidation, triggerCodeValidation } from '../../utils'
 import { CodeController } from '../../controllers/'
 
 const runRouter = express.Router()
@@ -7,11 +7,35 @@ const runRouter = express.Router()
 const controller = new CodeController()
 
 runRouter.post('/execute', async (req, res) => {
-  const { error, value: body } = runSASValidation(req.body)
+  const { error, value: body } = runCodeValidation(req.body)
   if (error) return res.status(400).send(error.details[0].message)
 
   try {
-    const response = await controller.executeSASCode(req, body)
+    const response = await controller.executeCode(req, body)
+
+    if (response instanceof Buffer) {
+      res.writeHead(200, (req as any).sasHeaders)
+      return res.end(response)
+    }
+
+    res.send(response)
+  } catch (err: any) {
+    const statusCode = err.code
+
+    delete err.code
+
+    res.status(statusCode).send(err)
+  }
+})
+
+runRouter.post('/trigger', async (req, res) => {
+  const { error, value: body } = triggerCodeValidation(req.body)
+  if (error) return res.status(400).send(error.details[0].message)
+
+  try {
+    const response = await controller.triggerCode(req, body)
+
+    res.status(200)
     res.send(response)
   } catch (err: any) {
     const statusCode = err.code

api/src/routes/api/drive.ts

@@ -1,13 +1,43 @@
 import express from 'express'
+import { deleteFile, readFile } from '@sasjs/utils'
+
+import { publishAppStream } from '../appStream'
+
+import { multerSingle } from '../../middlewares/multer'
 import { DriveController } from '../../controllers/'
-import { getFileDriveValidation, updateFileDriveValidation } from '../../utils'
+import {
+  deployValidation,
+  extractJSONFromZip,
+  extractName,
+  fileBodyValidation,
+  fileParamValidation,
+  folderBodyValidation,
+  folderParamValidation,
+  isZipFile,
+  renameBodyValidation
+} from '../../utils'
+
+const controller = new DriveController()
 
 const driveRouter = express.Router()
 
 driveRouter.post('/deploy', async (req, res) => {
-  const controller = new DriveController()
+  const { error, value: body } = deployValidation(req.body)
+  if (error) return res.status(400).send(error.details[0].message)
+
   try {
-    const response = await controller.deploy(req.body)
+    const response = await controller.deploy(body)
+
+    if (body.streamWebFolder) {
+      const { streamServiceName } = await publishAppStream(
+        body.appLoc,
+        body.streamWebFolder,
+        body.streamServiceName,
+        body.streamLogo
+      )
+      response.streamServiceName = streamServiceName
+    }
+
     res.send(response)
   } catch (err: any) {
     const statusCode = err.code
@@ -18,59 +48,239 @@ driveRouter.post('/deploy', async (req, res) => {
   }
 })
 
+driveRouter.post(
+  '/deploy/upload',
+  (...arg) => multerSingle('file', arg),
+  async (req, res) => {
+    if (!req.file) return res.status(400).send('"file" is not present.')
+
+    let fileContent: string = ''
+
+    const { value: zipFile } = isZipFile(req.file)
+    if (zipFile) {
+      fileContent = await extractJSONFromZip(zipFile)
+      const fileInZip = extractName(zipFile.originalname)
+
+      if (!fileContent) {
+        deleteFile(req.file.path)
+        return res
+          .status(400)
+          .send(
+            `No content present in ${fileInZip} of compressed file ${zipFile.originalname}`
+          )
+      }
+    } else {
+      fileContent = await readFile(req.file.path)
+    }
+
+    let jsonContent
+    try {
+      jsonContent = JSON.parse(fileContent)
+    } catch (err) {
+      deleteFile(req.file.path)
+      return res.status(400).send('File containing invalid JSON content.')
+    }
+
+    const { error, value: body } = deployValidation(jsonContent)
+    if (error) {
+      deleteFile(req.file.path)
+      return res.status(400).send(error.details[0].message)
+    }
+
+    try {
+      const response = await controller.deployUpload(req.file, body)
+
+      if (body.streamWebFolder) {
+        const { streamServiceName } = await publishAppStream(
+          body.appLoc,
+          body.streamWebFolder,
+          body.streamServiceName,
+          body.streamLogo
+        )
+        response.streamServiceName = streamServiceName
+      }
+
+      res.send(response)
+    } catch (err: any) {
+      const statusCode = err.code
+
+      delete err.code
+
+      res.status(statusCode).send(err)
+    } finally {
+      deleteFile(req.file.path)
+    }
+  }
+)
+
 driveRouter.get('/file', async (req, res) => {
-  const { error, value: query } = getFileDriveValidation(req.query)
-  if (error) return res.status(400).send(error.details[0].message)
+  const { error: errQ, value: query } = fileParamValidation(req.query)
+
+  if (errQ) return res.status(400).send(errQ.details[0].message)
 
-  const controller = new DriveController()
   try {
-    const response = await controller.getFile(query.filePath)
-    res.send(response)
+    await controller.getFile(req, query._filePath)
   } catch (err: any) {
     const statusCode = err.code
 
     delete err.code
 
-    res.status(statusCode).send(err)
+    res.status(statusCode).send(err.message)
   }
 })
 
-driveRouter.post('/file', async (req, res) => {
-  const { error, value: body } = updateFileDriveValidation(req.body)
-  if (error) return res.status(400).send(error.details[0].message)
+driveRouter.get('/folder', async (req, res) => {
+  const { error: errQ, value: query } = folderParamValidation(req.query)
+
+  if (errQ) return res.status(400).send(errQ.details[0].message)
 
-  const controller = new DriveController()
   try {
-    const response = await controller.saveFile(body)
+    const response = await controller.getFolder(query._folderPath)
     res.send(response)
   } catch (err: any) {
     const statusCode = err.code
 
     delete err.code
 
-    res.status(statusCode).send(err)
+    res.status(statusCode).send(err.message)
   }
 })
 
-driveRouter.patch('/file', async (req, res) => {
-  const { error, value: body } = updateFileDriveValidation(req.body)
-  if (error) return res.status(400).send(error.details[0].message)
+driveRouter.delete('/file', async (req, res) => {
+  const { error: errQ, value: query } = fileParamValidation(req.query)
+
+  if (errQ) return res.status(400).send(errQ.details[0].message)
 
-  const controller = new DriveController()
   try {
-    const response = await controller.updateFile(body)
+    const response = await controller.deleteFile(query._filePath)
     res.send(response)
   } catch (err: any) {
     const statusCode = err.code
 
     delete err.code
 
-    res.status(statusCode).send(err)
+    res.status(statusCode).send(err.message)
+  }
+})
+
+driveRouter.delete('/folder', async (req, res) => {
+  const { error: errQ, value: query } = folderParamValidation(req.query, true)
+
+  if (errQ) return res.status(400).send(errQ.details[0].message)
+
+  try {
+    const response = await controller.deleteFolder(query._folderPath)
+    res.send(response)
+  } catch (err: any) {
+    const statusCode = err.code
+
+    delete err.code
+
+    res.status(statusCode).send(err.message)
+  }
+})
+
+driveRouter.post(
+  '/file',
+  (...arg) => multerSingle('file', arg),
+  async (req, res) => {
+    const { error: errQ, value: query } = fileParamValidation(req.query)
+    const { error: errB, value: body } = fileBodyValidation(req.body)
+
+    if (errQ && errB) {
+      if (req.file) await deleteFile(req.file.path)
+      return res.status(400).send(errQ.details[0].message)
+    }
+
+    if (!req.file) return res.status(400).send('"file" is not present.')
+
+    try {
+      const response = await controller.saveFile(
+        req.file,
+        query._filePath,
+        body.filePath
+      )
+      res.send(response)
+    } catch (err: any) {
+      await deleteFile(req.file.path)
+
+      const statusCode = err.code
+
+      delete err.code
+
+      res.status(statusCode).send(err.message)
+    }
+  }
+)
+
+driveRouter.post('/folder', async (req, res) => {
+  const { error, value: body } = folderBodyValidation(req.body)
+
+  if (error) return res.status(400).send(error.details[0].message)
+
+  try {
+    const response = await controller.addFolder(body)
+    res.send(response)
+  } catch (err: any) {
+    const statusCode = err.code
+
+    delete err.code
+
+    res.status(statusCode).send(err.message)
+  }
+})
+
+driveRouter.patch(
+  '/file',
+  (...arg) => multerSingle('file', arg),
+  async (req, res) => {
+    const { error: errQ, value: query } = fileParamValidation(req.query)
+    const { error: errB, value: body } = fileBodyValidation(req.body)
+
+    if (errQ && errB) {
+      if (req.file) await deleteFile(req.file.path)
+      return res.status(400).send(errQ.details[0].message)
+    }
+
+    if (!req.file) return res.status(400).send('"file" is not present.')
+
+    try {
+      const response = await controller.updateFile(
+        req.file,
+        query._filePath,
+        body.filePath
+      )
+      res.send(response)
+    } catch (err: any) {
+      await deleteFile(req.file.path)
+
+      const statusCode = err.code
+
+      delete err.code
+
+      res.status(statusCode).send(err.message)
+    }
+  }
+)
+
+driveRouter.post('/rename', async (req, res) => {
+  const { error, value: body } = renameBodyValidation(req.body)
+
+  if (error) return res.status(400).send(error.details[0].message)
+
+  try {
+    const response = await controller.rename(body)
+    res.send(response)
+  } catch (err: any) {
+    const statusCode = err.code
+
+    delete err.code
+
+    res.status(statusCode).send(err.message)
   }
 })
 
 driveRouter.get('/fileTree', async (req, res) => {
-  const controller = new DriveController()
   try {
     const response = await controller.getFileTree()
     res.send(response)

api/src/routes/api/group.ts

@@ -1,7 +1,7 @@
 import express from 'express'
 import { GroupController } from '../../controllers/'
 import { authenticateAccessToken, verifyAdmin } from '../../middlewares'
-import { registerGroupValidation } from '../../utils'
+import { getGroupValidation, registerGroupValidation } from '../../utils'
 
 const groupRouter = express.Router()
 
@@ -18,7 +18,7 @@ groupRouter.post(
       const response = await controller.createGroup(body)
       res.send(response)
     } catch (err: any) {
-      res.status(403).send(err.toString())
+      res.status(err.code).send(err.message)
     }
   }
 )
@@ -29,35 +29,57 @@ groupRouter.get('/', authenticateAccessToken, async (req, res) => {
     const response = await controller.getAllGroups()
     res.send(response)
   } catch (err: any) {
-    res.status(403).send(err.toString())
+    res.status(err.code).send(err.message)
   }
 })
 
-groupRouter.get('/:groupId', authenticateAccessToken, async (req: any, res) => {
+groupRouter.get('/:groupId', authenticateAccessToken, async (req, res) => {
   const { groupId } = req.params
 
   const controller = new GroupController()
   try {
-    const response = await controller.getGroup(groupId)
+    const response = await controller.getGroup(parseInt(groupId))
     res.send(response)
   } catch (err: any) {
-    res.status(403).send(err.toString())
+    res.status(err.code).send(err.message)
   }
 })
 
+groupRouter.get(
+  '/by/groupname/:name',
+  authenticateAccessToken,
+  async (req, res) => {
+    const { error, value: params } = getGroupValidation(req.params)
+    if (error) return res.status(400).send(error.details[0].message)
+
+    const { name } = params
+
+    const controller = new GroupController()
+    try {
+      const response = await controller.getGroupByGroupName(name)
+      res.send(response)
+    } catch (err: any) {
+      res.status(err.code).send(err.message)
+    }
+  }
+)
+
 groupRouter.post(
   '/:groupId/:userId',
   authenticateAccessToken,
   verifyAdmin,
-  async (req: any, res) => {
+  async (req, res) => {
     const { groupId, userId } = req.params
 
     const controller = new GroupController()
     try {
-      const response = await controller.addUserToGroup(groupId, userId)
+      const response = await controller.addUserToGroup(
+        parseInt(groupId),
+        parseInt(userId)
+      )
       res.send(response)
     } catch (err: any) {
-      res.status(403).send(err.toString())
+      res.status(err.code).send(err.message)
     }
   }
 )
@@ -66,15 +88,18 @@ groupRouter.delete(
   '/:groupId/:userId',
   authenticateAccessToken,
   verifyAdmin,
-  async (req: any, res) => {
+  async (req, res) => {
     const { groupId, userId } = req.params
 
     const controller = new GroupController()
     try {
-      const response = await controller.removeUserFromGroup(groupId, userId)
+      const response = await controller.removeUserFromGroup(
+        parseInt(groupId),
+        parseInt(userId)
+      )
       res.send(response)
     } catch (err: any) {
-      res.status(403).send(err.toString())
+      res.status(err.code).send(err.message)
     }
   }
 )
@@ -83,15 +108,15 @@ groupRouter.delete(
   '/:groupId',
   authenticateAccessToken,
   verifyAdmin,
-  async (req: any, res) => {
+  async (req, res) => {
     const { groupId } = req.params
 
     const controller = new GroupController()
     try {
-      await controller.deleteGroup(groupId)
+      await controller.deleteGroup(parseInt(groupId))
       res.status(200).send('Group Deleted!')
     } catch (err: any) {
-      res.status(403).send(err.toString())
+      res.status(err.code).send(err.message)
     }
   }
 )

api/src/routes/api/index.ts

@@ -5,10 +5,10 @@ import swaggerUi from 'swagger-ui-express'
 import {
   authenticateAccessToken,
   desktopRestrict,
-  desktopUsername,
   verifyAdmin
 } from '../../middlewares'
 
+import infoRouter from './info'
 import driveRouter from './drive'
 import stpRouter from './stp'
 import codeRouter from './code'
@@ -17,10 +17,13 @@ import groupRouter from './group'
 import clientRouter from './client'
 import authRouter from './auth'
 import sessionRouter from './session'
+import permissionRouter from './permission'
+import authConfigRouter from './authConfig'
 
 const router = express.Router()
 
-router.use('/session', desktopUsername, authenticateAccessToken, sessionRouter)
+router.use('/info', infoRouter)
+router.use('/session', authenticateAccessToken, sessionRouter)
 router.use('/auth', desktopRestrict, authRouter)
 router.use(
   '/client',
@@ -34,12 +37,36 @@ router.use('/group', desktopRestrict, groupRouter)
 router.use('/stp', authenticateAccessToken, stpRouter)
 router.use('/code', authenticateAccessToken, codeRouter)
 router.use('/user', desktopRestrict, userRouter)
+router.use(
+  '/permission',
+  desktopRestrict,
+  authenticateAccessToken,
+  permissionRouter
+)
+
+router.use(
+  '/authConfig',
+  desktopRestrict,
+  authenticateAccessToken,
+  verifyAdmin,
+  authConfigRouter
+)
+
 router.use(
   '/',
   swaggerUi.serve,
   swaggerUi.setup(undefined, {
     swaggerOptions: {
-      url: '/swagger.yaml'
+      url: '/swagger.yaml',
+      requestInterceptor: (request: any) => {
+        request.credentials = 'include'
+
+        const cookie = document.cookie
+        const startIndex = cookie.indexOf('XSRF-TOKEN')
+        const csrf = cookie.slice(startIndex + 11).split('; ')[0]
+        request.headers['X-XSRF-TOKEN'] = csrf
+        return request
+      }
     }
   })
 )

api/src/routes/api/info.ts

@@ -0,0 +1,26 @@
+import express from 'express'
+import { InfoController } from '../../controllers'
+
+const infoRouter = express.Router()
+
+infoRouter.get('/', async (req, res) => {
+  const controller = new InfoController()
+  try {
+    const response = controller.info()
+    res.send(response)
+  } catch (err: any) {
+    res.status(403).send(err.toString())
+  }
+})
+
+infoRouter.get('/authorizedRoutes', async (req, res) => {
+  const controller = new InfoController()
+  try {
+    const response = controller.authorizedRoutes()
+    res.send(response)
+  } catch (err: any) {
+    res.status(403).send(err.toString())
+  }
+})
+
+export default infoRouter

api/src/routes/api/permission.ts

@@ -0,0 +1,69 @@
+import express from 'express'
+import { PermissionController } from '../../controllers/'
+import { verifyAdmin } from '../../middlewares'
+import {
+  registerPermissionValidation,
+  updatePermissionValidation
+} from '../../utils'
+
+const permissionRouter = express.Router()
+const controller = new PermissionController()
+
+permissionRouter.get('/', async (req, res) => {
+  try {
+    const response = await controller.getAllPermissions(req)
+    res.send(response)
+  } catch (err: any) {
+    const statusCode = err.code
+    delete err.code
+    res.status(statusCode).send(err.message)
+  }
+})
+
+permissionRouter.post('/', verifyAdmin, async (req, res) => {
+  const { error, value: body } = registerPermissionValidation(req.body)
+  if (error) return res.status(400).send(error.details[0].message)
+
+  try {
+    const response = await controller.createPermission(body)
+    res.send(response)
+  } catch (err: any) {
+    const statusCode = err.code
+    delete err.code
+    res.status(statusCode).send(err.message)
+  }
+})
+
+permissionRouter.patch('/:permissionId', verifyAdmin, async (req: any, res) => {
+  const { permissionId } = req.params
+
+  const { error, value: body } = updatePermissionValidation(req.body)
+  if (error) return res.status(400).send(error.details[0].message)
+
+  try {
+    const response = await controller.updatePermission(permissionId, body)
+    res.send(response)
+  } catch (err: any) {
+    const statusCode = err.code
+    delete err.code
+    res.status(statusCode).send(err.message)
+  }
+})
+
+permissionRouter.delete(
+  '/:permissionId',
+  verifyAdmin,
+  async (req: any, res) => {
+    const { permissionId } = req.params
+
+    try {
+      await controller.deletePermission(permissionId)
+      res.status(200).send('Permission Deleted!')
+    } catch (err: any) {
+      const statusCode = err.code
+      delete err.code
+      res.status(statusCode).send(err.message)
+    }
+  }
+)
+export default permissionRouter

api/src/routes/api/spec/auth.spec.ts

@@ -8,7 +8,6 @@ import {
   ClientController,
   AuthController
 } from '../../../controllers/'
-import { populateClients } from '../auth'
 import { InfoJWT } from '../../../types'
 import {
   generateAccessToken,
@@ -18,11 +17,6 @@ import {
   verifyTokenInDB
 } from '../../../utils'
 
-let app: Express
-appPromise.then((_app) => {
-  app = _app
-})
-
 const clientId = 'someclientID'
 const clientSecret = 'someclientSecret'
 const user = {
@@ -35,16 +29,18 @@ const user = {
 }
 
 describe('auth', () => {
+  let app: Express
   let con: Mongoose
   let mongoServer: MongoMemoryServer
   const userController = new UserController()
   const clientController = new ClientController()
 
   beforeAll(async () => {
+    app = await appPromise
+
     mongoServer = await MongoMemoryServer.create()
     con = await mongoose.connect(mongoServer.getUri())
     await clientController.createClient({ clientId, clientSecret })
-    await populateClients()
   })
 
   afterAll(async () => {
@@ -53,114 +49,6 @@ describe('auth', () => {
     await mongoServer.stop()
   })
 
-  describe('authorize', () => {
-    afterEach(async () => {
-      const collections = mongoose.connection.collections
-      const collection = collections['users']
-      await collection.deleteMany({})
-    })
-
-    it('should respond with authorization code', async () => {
-      await userController.createUser(user)
-
-      const res = await request(app)
-        .post('/SASjsApi/auth/authorize')
-        .send({
-          username: user.username,
-          password: user.password,
-          clientId
-        })
-        .expect(200)
-
-      expect(res.body).toHaveProperty('code')
-    })
-
-    it('should respond with Bad Request if username is missing', async () => {
-      const res = await request(app)
-        .post('/SASjsApi/auth/authorize')
-        .send({
-          password: user.password,
-          clientId
-        })
-        .expect(400)
-
-      expect(res.text).toEqual(`"username" is required`)
-      expect(res.body).toEqual({})
-    })
-
-    it('should respond with Bad Request if password is missing', async () => {
-      const res = await request(app)
-        .post('/SASjsApi/auth/authorize')
-        .send({
-          username: user.username,
-          clientId
-        })
-        .expect(400)
-
-      expect(res.text).toEqual(`"password" is required`)
-      expect(res.body).toEqual({})
-    })
-
-    it('should respond with Bad Request if clientId is missing', async () => {
-      const res = await request(app)
-        .post('/SASjsApi/auth/authorize')
-        .send({
-          username: user.username,
-          password: user.password
-        })
-        .expect(400)
-
-      expect(res.text).toEqual(`"clientId" is required`)
-      expect(res.body).toEqual({})
-    })
-
-    it('should respond with Forbidden if username is incorrect', async () => {
-      const res = await request(app)
-        .post('/SASjsApi/auth/authorize')
-        .send({
-          username: user.username,
-          password: user.password,
-          clientId
-        })
-        .expect(403)
-
-      expect(res.text).toEqual('Error: Username is not found.')
-      expect(res.body).toEqual({})
-    })
-
-    it('should respond with Forbidden if password is incorrect', async () => {
-      await userController.createUser(user)
-
-      const res = await request(app)
-        .post('/SASjsApi/auth/authorize')
-        .send({
-          username: user.username,
-          password: 'WrongPassword',
-          clientId
-        })
-        .expect(403)
-
-      expect(res.text).toEqual('Error: Invalid password.')
-      expect(res.body).toEqual({})
-    })
-
-    it('should respond with Forbidden if clientId is incorrect', async () => {
-      await userController.createUser(user)
-
-      const res = await request(app)
-        .post('/SASjsApi/auth/authorize')
-        .send({
-          username: user.username,
-          password: user.password,
-          clientId: 'WrongClientID'
-        })
-        .expect(403)
-
-      expect(res.text).toEqual('Invalid clientId.')
-      expect(res.body).toEqual({})
-    })
-  })
-
   describe('token', () => {
     const userInfo: InfoJWT = {
       clientId,

api/src/routes/api/spec/client.spec.ts

@@ -5,11 +5,7 @@ import request from 'supertest'
 import appPromise from '../../../app'
 import { UserController, ClientController } from '../../../controllers/'
 import { generateAccessToken, saveTokensInDB } from '../../../utils'
-
-let app: Express
-appPromise.then((_app) => {
-  app = _app
-})
+import { NUMBER_OF_SECONDS_IN_A_DAY } from '../../../model/Client'
 
 const client = {
   clientId: 'someclientID',
@@ -28,26 +24,19 @@ const newClient = {
 }
 
 describe('client', () => {
+  let app: Express
   let con: Mongoose
   let mongoServer: MongoMemoryServer
+  let adminAccessToken: string
   const userController = new UserController()
   const clientController = new ClientController()
 
   beforeAll(async () => {
+    app = await appPromise
+
     mongoServer = await MongoMemoryServer.create()
     con = await mongoose.connect(mongoServer.getUri())
-  })
 
-  afterAll(async () => {
-    await con.connection.dropDatabase()
-    await con.connection.close()
-    await mongoServer.stop()
-  })
-
-  describe('create', () => {
-    let adminAccessToken: string
-
-    beforeAll(async () => {
     const dbUser = await userController.createUser(adminUser)
     adminAccessToken = generateAccessToken({
       clientId: client.clientId,
@@ -61,6 +50,13 @@ describe('client', () => {
     )
   })
 
+  afterAll(async () => {
+    await con.connection.dropDatabase()
+    await con.connection.close()
+    await mongoServer.stop()
+  })
+
+  describe('create', () => {
     afterEach(async () => {
       const collections = mongoose.connection.collections
       const collection = collections['clients']
@@ -159,4 +155,80 @@ describe('client', () => {
       expect(res.body).toEqual({})
     })
   })
+
+  describe('get', () => {
+    afterEach(async () => {
+      const collections = mongoose.connection.collections
+      const collection = collections['clients']
+      await collection.deleteMany({})
+    })
+
+    it('should respond with an array of all clients', async () => {
+      await clientController.createClient(newClient)
+      await clientController.createClient({
+        clientId: 'clientID',
+        clientSecret: 'clientSecret'
+      })
+
+      const res = await request(app)
+        .get('/SASjsApi/client')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send()
+        .expect(200)
+
+      const expected = [
+        {
+          clientId: 'newClientID',
+          clientSecret: 'newClientSecret',
+          accessTokenExpiration: NUMBER_OF_SECONDS_IN_A_DAY,
+          refreshTokenExpiration: NUMBER_OF_SECONDS_IN_A_DAY * 30
+        },
+        {
+          clientId: 'clientID',
+          clientSecret: 'clientSecret',
+          accessTokenExpiration: NUMBER_OF_SECONDS_IN_A_DAY,
+          refreshTokenExpiration: NUMBER_OF_SECONDS_IN_A_DAY * 30
+        }
+      ]
+
+      expect(res.body).toEqual(expected)
+    })
+
+    it('should respond with Unauthorized if access token is not present', async () => {
+      const res = await request(app).get('/SASjsApi/client').send().expect(401)
+
+      expect(res.text).toEqual('Unauthorized')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Forbideen if access token is not of an admin account', async () => {
+      const user = {
+        displayName: 'User 2',
+        username: 'username2',
+        password: '12345678',
+        isAdmin: false,
+        isActive: true
+      }
+      const dbUser = await userController.createUser(user)
+      const accessToken = generateAccessToken({
+        clientId: client.clientId,
+        userId: dbUser.id
+      })
+      await saveTokensInDB(
+        dbUser.id,
+        client.clientId,
+        accessToken,
+        'refreshToken'
+      )
+
+      const res = await request(app)
+        .get('/SASjsApi/client')
+        .auth(accessToken, { type: 'bearer' })
+        .send()
+        .expect(401)
+
+      expect(res.text).toEqual('Admin account required')
+      expect(res.body).toEqual({})
+    })
+  })
 })

api/src/routes/api/spec/files/sample.exe

@@ -0,0 +1 @@
+some code of sas

api/src/routes/api/spec/files/sample.sas

@@ -0,0 +1 @@
+some code of sas

api/src/routes/api/spec/group.spec.ts

@@ -4,12 +4,13 @@ import { MongoMemoryServer } from 'mongodb-memory-server'
 import request from 'supertest'
 import appPromise from '../../../app'
 import { UserController, GroupController } from '../../../controllers/'
-import { generateAccessToken, saveTokensInDB } from '../../../utils'
-
-let app: Express
-appPromise.then((_app) => {
-  app = _app
-})
+import {
+  generateAccessToken,
+  saveTokensInDB,
+  AuthProviderType
+} from '../../../utils'
+import Group, { PUBLIC_GROUP_NAME } from '../../../model/Group'
+import User from '../../../model/User'
 
 const clientId = 'someclientID'
 const adminUser = {
@@ -28,19 +29,28 @@ const user = {
 }
 
 const group = {
-  name: 'DCGroup1',
+  name: 'dcgroup1',
   description: 'DC group for testing purposes.'
 }
 
+const PUBLIC_GROUP = {
+  name: PUBLIC_GROUP_NAME,
+  description:
+    'A special group that can be used to bypass authentication for particular routes.'
+}
+
 const userController = new UserController()
 const groupController = new GroupController()
 
 describe('group', () => {
+  let app: Express
   let con: Mongoose
   let mongoServer: MongoMemoryServer
   let adminAccessToken: string
 
   beforeAll(async () => {
+    app = await appPromise
+
     mongoServer = await MongoMemoryServer.create()
     con = await mongoose.connect(mongoServer.getUri())
 
@@ -72,6 +82,32 @@ describe('group', () => {
       expect(res.body.users).toEqual([])
     })
 
+    it('should respond with Conflict when group already exists with same name', async () => {
+      await groupController.createGroup(group)
+
+      const res = await request(app)
+        .post('/SASjsApi/group')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send(group)
+        .expect(409)
+
+      expect(res.text).toEqual('Group name already exists.')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Bad Request when group name does not match the group name schema', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/group')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({ ...group, name: 'Wrong Group Name' })
+        .expect(400)
+
+      expect(res.text).toEqual(
+        '"name" must only contain alpha-numeric characters'
+      )
+      expect(res.body).toEqual({})
+    })
+
     it('should respond with Unauthorized if access token is not present', async () => {
       const res = await request(app).post('/SASjsApi/group').send().expect(401)
 
@@ -127,14 +163,51 @@ describe('group', () => {
       expect(res.body).toEqual({})
     })
 
-    it('should respond with Forbidden if groupId is incorrect', async () => {
+    it(`should delete group's reference from users' groups array`, async () => {
+      const dbGroup = await groupController.createGroup(group)
+      const dbUser1 = await userController.createUser({
+        ...user,
+        username: 'deletegroup1'
+      })
+      const dbUser2 = await userController.createUser({
+        ...user,
+        username: 'deletegroup2'
+      })
+
+      await groupController.addUserToGroup(dbGroup.groupId, dbUser1.id)
+      await groupController.addUserToGroup(dbGroup.groupId, dbUser2.id)
+
+      await request(app)
+        .delete(`/SASjsApi/group/${dbGroup.groupId}`)
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send()
+        .expect(200)
+
+      const res1 = await request(app)
+        .get(`/SASjsApi/user/${dbUser1.id}`)
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send()
+        .expect(200)
+
+      expect(res1.body.groups).toEqual([])
+
+      const res2 = await request(app)
+        .get(`/SASjsApi/user/${dbUser2.id}`)
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send()
+        .expect(200)
+
+      expect(res2.body.groups).toEqual([])
+    })
+
+    it('should respond with Not Found if groupId is incorrect', async () => {
       const res = await request(app)
         .delete(`/SASjsApi/group/1234`)
         .auth(adminAccessToken, { type: 'bearer' })
         .send()
-        .expect(403)
+        .expect(404)
 
-      expect(res.text).toEqual('Error: No Group deleted!')
+      expect(res.text).toEqual('Group not found.')
       expect(res.body).toEqual({})
     })
 
@@ -218,16 +291,76 @@ describe('group', () => {
       expect(res.body).toEqual({})
     })
 
-    it('should respond with Forbidden if groupId is incorrect', async () => {
+    it('should respond with Not Found if groupId is incorrect', async () => {
       const res = await request(app)
         .get('/SASjsApi/group/1234')
         .auth(adminAccessToken, { type: 'bearer' })
         .send()
-        .expect(403)
+        .expect(404)
 
-      expect(res.text).toEqual('Error: Group not found.')
+      expect(res.text).toEqual('Group not found.')
       expect(res.body).toEqual({})
     })
+
+    describe('by group name', () => {
+      it('should respond with group', async () => {
+        const { name } = await groupController.createGroup(group)
+
+        const res = await request(app)
+          .get(`/SASjsApi/group/by/groupname/${name}`)
+          .auth(adminAccessToken, { type: 'bearer' })
+          .send()
+          .expect(200)
+
+        expect(res.body.groupId).toBeTruthy()
+        expect(res.body.name).toEqual(group.name)
+        expect(res.body.description).toEqual(group.description)
+        expect(res.body.isActive).toEqual(true)
+        expect(res.body.users).toEqual([])
+      })
+
+      it('should respond with group when access token is not of an admin account', async () => {
+        const accessToken = await generateSaveTokenAndCreateUser({
+          ...user,
+          username: 'getbyname' + user.username
+        })
+
+        const { name } = await groupController.createGroup(group)
+
+        const res = await request(app)
+          .get(`/SASjsApi/group/by/groupname/${name}`)
+          .auth(accessToken, { type: 'bearer' })
+          .send()
+          .expect(200)
+
+        expect(res.body.groupId).toBeTruthy()
+        expect(res.body.name).toEqual(group.name)
+        expect(res.body.description).toEqual(group.description)
+        expect(res.body.isActive).toEqual(true)
+        expect(res.body.users).toEqual([])
+      })
+
+      it('should respond with Unauthorized if access token is not present', async () => {
+        const res = await request(app)
+          .get('/SASjsApi/group/by/groupname/dcgroup')
+          .send()
+          .expect(401)
+
+        expect(res.text).toEqual('Unauthorized')
+        expect(res.body).toEqual({})
+      })
+
+      it('should respond with Not Found if groupname is incorrect', async () => {
+        const res = await request(app)
+          .get('/SASjsApi/group/by/groupname/randomCharacters')
+          .auth(adminAccessToken, { type: 'bearer' })
+          .send()
+          .expect(404)
+
+        expect(res.text).toEqual('Group not found.')
+        expect(res.body).toEqual({})
+      })
+    })
   })
 
   describe('getAll', () => {
@@ -247,8 +380,8 @@ describe('group', () => {
       expect(res.body).toEqual([
         {
           groupId: expect.anything(),
-          name: 'DCGroup1',
-          description: 'DC group for testing purposes.'
+          name: group.name,
+          description: group.description
         }
       ])
     })
@@ -269,8 +402,8 @@ describe('group', () => {
       expect(res.body).toEqual([
         {
           groupId: expect.anything(),
-          name: 'DCGroup1',
-          description: 'DC group for testing purposes.'
+          name: group.name,
+          description: group.description
         }
       ])
     })
@@ -311,6 +444,34 @@ describe('group', () => {
       ])
     })
 
+    it(`should add group to user's groups array`, async () => {
+      const dbGroup = await groupController.createGroup(group)
+      const dbUser = await userController.createUser({
+        ...user,
+        username: 'addUserToGroup'
+      })
+
+      await request(app)
+        .post(`/SASjsApi/group/${dbGroup.groupId}/${dbUser.id}`)
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send()
+        .expect(200)
+
+      const res = await request(app)
+        .get(`/SASjsApi/user/${dbUser.id}`)
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send()
+        .expect(200)
+
+      expect(res.body.groups).toEqual([
+        {
+          groupId: expect.anything(),
+          name: group.name,
+          description: group.description
+        }
+      ])
+    })
+
     it('should respond with group without duplicating user', async () => {
       const dbGroup = await groupController.createGroup(group)
       const dbUser = await userController.createUser({
@@ -364,28 +525,86 @@ describe('group', () => {
       expect(res.body).toEqual({})
     })
 
-    it('should respond with Forbidden if groupId is incorrect', async () => {
+    it('should respond with Not Found if groupId is incorrect', async () => {
       const res = await request(app)
         .post('/SASjsApi/group/123/123')
         .auth(adminAccessToken, { type: 'bearer' })
         .send()
-        .expect(403)
+        .expect(404)
 
-      expect(res.text).toEqual('Error: Group not found.')
+      expect(res.text).toEqual('Group not found.')
       expect(res.body).toEqual({})
     })
 
-    it('should respond with Forbidden if userId is incorrect', async () => {
+    it('should respond with Not Found if userId is incorrect', async () => {
       const dbGroup = await groupController.createGroup(group)
       const res = await request(app)
         .post(`/SASjsApi/group/${dbGroup.groupId}/123`)
         .auth(adminAccessToken, { type: 'bearer' })
         .send()
-        .expect(403)
+        .expect(404)
 
-      expect(res.text).toEqual('Error: User not found.')
+      expect(res.text).toEqual('User not found.')
       expect(res.body).toEqual({})
     })
+
+    it('should respond with Bad Request when adding user to Public group', async () => {
+      const dbGroup = await groupController.createGroup(PUBLIC_GROUP)
+      const dbUser = await userController.createUser({
+        ...user,
+        username: 'publicUser'
+      })
+
+      const res = await request(app)
+        .post(`/SASjsApi/group/${dbGroup.groupId}/${dbUser.id}`)
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send()
+        .expect(400)
+
+      expect(res.text).toEqual(
+        `Can't add/remove user to '${PUBLIC_GROUP_NAME}' group.`
+      )
+    })
+
+    it('should respond with Method Not Allowed if group is created by an external authProvider', async () => {
+      const dbGroup = await Group.create({
+        ...group,
+        authProvider: AuthProviderType.LDAP
+      })
+      const dbUser = await userController.createUser({
+        ...user,
+        username: 'ldapGroupUser'
+      })
+
+      const res = await request(app)
+        .post(`/SASjsApi/group/${dbGroup.groupId}/${dbUser.id}`)
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send()
+        .expect(405)
+
+      expect(res.text).toEqual(
+        `Can't add/remove user to group created by external auth provider.`
+      )
+    })
+
+    it('should respond with Method Not Allowed if user is created by an external authProvider', async () => {
+      const dbGroup = await groupController.createGroup(group)
+      const dbUser = await User.create({
+        ...user,
+        username: 'ldapUser',
+        authProvider: AuthProviderType.LDAP
+      })
+
+      const res = await request(app)
+        .post(`/SASjsApi/group/${dbGroup.groupId}/${dbUser.id}`)
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send()
+        .expect(405)
+
+      expect(res.text).toEqual(
+        `Can't add/remove user to group created by external auth provider.`
+      )
+    })
   })
 
   describe('RemoveUser', () => {
@@ -414,6 +633,69 @@ describe('group', () => {
       expect(res.body.users).toEqual([])
     })
 
+    it(`should remove group from user's groups array`, async () => {
+      const dbGroup = await groupController.createGroup(group)
+      const dbUser = await userController.createUser({
+        ...user,
+        username: 'removeGroupFromUser'
+      })
+      await groupController.addUserToGroup(dbGroup.groupId, dbUser.id)
+
+      await request(app)
+        .delete(`/SASjsApi/group/${dbGroup.groupId}/${dbUser.id}`)
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send()
+        .expect(200)
+
+      const res = await request(app)
+        .get(`/SASjsApi/user/${dbUser.id}`)
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send()
+        .expect(200)
+
+      expect(res.body.groups).toEqual([])
+    })
+
+    it('should respond with Method Not Allowed if group is created by an external authProvider', async () => {
+      const dbGroup = await Group.create({
+        ...group,
+        authProvider: AuthProviderType.LDAP
+      })
+      const dbUser = await userController.createUser({
+        ...user,
+        username: 'removeLdapGroupUser'
+      })
+
+      const res = await request(app)
+        .delete(`/SASjsApi/group/${dbGroup.groupId}/${dbUser.id}`)
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send()
+        .expect(405)
+
+      expect(res.text).toEqual(
+        `Can't add/remove user to group created by external auth provider.`
+      )
+    })
+
+    it('should respond with Method Not Allowed if user is created by an external authProvider', async () => {
+      const dbGroup = await groupController.createGroup(group)
+      const dbUser = await User.create({
+        ...user,
+        username: 'removeLdapUser',
+        authProvider: AuthProviderType.LDAP
+      })
+
+      const res = await request(app)
+        .delete(`/SASjsApi/group/${dbGroup.groupId}/${dbUser.id}`)
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send()
+        .expect(405)
+
+      expect(res.text).toEqual(
+        `Can't add/remove user to group created by external auth provider.`
+      )
+    })
+
     it('should respond with Unauthorized if access token is not present', async () => {
       const res = await request(app)
         .delete('/SASjsApi/group/123/123')
@@ -440,26 +722,26 @@ describe('group', () => {
       expect(res.body).toEqual({})
     })
 
-    it('should respond with Forbidden if groupId is incorrect', async () => {
+    it('should respond with Not Found if groupId is incorrect', async () => {
       const res = await request(app)
         .delete('/SASjsApi/group/123/123')
         .auth(adminAccessToken, { type: 'bearer' })
         .send()
-        .expect(403)
+        .expect(404)
 
-      expect(res.text).toEqual('Error: Group not found.')
+      expect(res.text).toEqual('Group not found.')
       expect(res.body).toEqual({})
     })
 
-    it('should respond with Forbidden if userId is incorrect', async () => {
+    it('should respond with Not Found if userId is incorrect', async () => {
       const dbGroup = await groupController.createGroup(group)
       const res = await request(app)
         .delete(`/SASjsApi/group/${dbGroup.groupId}/123`)
         .auth(adminAccessToken, { type: 'bearer' })
         .send()
-        .expect(403)
+        .expect(404)
 
-      expect(res.text).toEqual('Error: User not found.')
+      expect(res.text).toEqual('User not found.')
       expect(res.body).toEqual({})
     })
   })

api/src/routes/api/spec/info.spec.ts

@@ -0,0 +1,20 @@
+import { Express } from 'express'
+import request from 'supertest'
+import appPromise from '../../../app'
+
+describe('Info', () => {
+  let app: Express
+
+  beforeAll(async () => {
+    app = await appPromise
+  })
+
+  it('should should return configured information of the server instance', async () => {
+    const res = await request(app).get('/SASjsApi/info').expect(200)
+
+    expect(res.body.mode).toEqual('server')
+    expect(res.body.cors).toEqual('disable')
+    expect(res.body.whiteList).toEqual([])
+    expect(res.body.protocol).toEqual('http')
+  })
+})

api/src/routes/api/spec/permission.spec.ts

@@ -0,0 +1,596 @@
+import { Express } from 'express'
+import mongoose, { Mongoose } from 'mongoose'
+import { MongoMemoryServer } from 'mongodb-memory-server'
+import request from 'supertest'
+import appPromise from '../../../app'
+import {
+  DriveController,
+  UserController,
+  GroupController,
+  PermissionController,
+  PrincipalType,
+  PermissionType,
+  PermissionSettingForRoute
+} from '../../../controllers/'
+import {
+  UserDetailsResponse,
+  PermissionDetailsResponse
+} from '../../../controllers'
+import { generateAccessToken, saveTokensInDB } from '../../../utils'
+
+const deployPayload = {
+  appLoc: 'string',
+  streamWebFolder: 'string',
+  fileTree: {
+    members: [
+      {
+        name: 'string',
+        type: 'folder',
+        members: [
+          'string',
+          {
+            name: 'string',
+            type: 'service',
+            code: 'string'
+          }
+        ]
+      }
+    ]
+  }
+}
+
+const clientId = 'someclientID'
+const adminUser = {
+  displayName: 'Test Admin',
+  username: 'testAdminUsername',
+  password: '12345678',
+  isAdmin: true,
+  isActive: true
+}
+const user = {
+  displayName: 'Test User',
+  username: 'testUsername',
+  password: '87654321',
+  isAdmin: false,
+  isActive: true
+}
+
+const permission = {
+  path: '/SASjsApi/code/execute',
+  type: PermissionType.route,
+  setting: PermissionSettingForRoute.grant,
+  principalType: PrincipalType.user
+}
+
+const group = {
+  name: 'DCGroup1',
+  description: 'DC group for testing purposes.'
+}
+
+const userController = new UserController()
+const groupController = new GroupController()
+const permissionController = new PermissionController()
+
+describe('permission', () => {
+  let app: Express
+  let con: Mongoose
+  let mongoServer: MongoMemoryServer
+  let adminAccessToken: string
+  let dbUser: UserDetailsResponse
+
+  beforeAll(async () => {
+    app = await appPromise
+
+    mongoServer = await MongoMemoryServer.create()
+    con = await mongoose.connect(mongoServer.getUri())
+
+    adminAccessToken = await generateSaveTokenAndCreateUser()
+    dbUser = await userController.createUser(user)
+  })
+
+  afterAll(async () => {
+    await con.connection.dropDatabase()
+    await con.connection.close()
+    await mongoServer.stop()
+  })
+
+  describe('create', () => {
+    afterEach(async () => {
+      await deleteAllPermissions()
+    })
+
+    it('should respond with new permission when principalType is user', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/permission')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({ ...permission, principalId: dbUser.id })
+        .expect(200)
+
+      expect(res.body.permissionId).toBeTruthy()
+      expect(res.body.path).toEqual(permission.path)
+      expect(res.body.type).toEqual(permission.type)
+      expect(res.body.setting).toEqual(permission.setting)
+      expect(res.body.user).toBeTruthy()
+    })
+
+    it('should respond with new permission when principalType is group', async () => {
+      const dbGroup = await groupController.createGroup(group)
+
+      const res = await request(app)
+        .post('/SASjsApi/permission')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({
+          ...permission,
+          principalType: 'group',
+          principalId: dbGroup.groupId
+        })
+        .expect(200)
+
+      expect(res.body.permissionId).toBeTruthy()
+      expect(res.body.path).toEqual(permission.path)
+      expect(res.body.type).toEqual(permission.type)
+      expect(res.body.setting).toEqual(permission.setting)
+      expect(res.body.group).toBeTruthy()
+    })
+
+    it('should respond with Unauthorized if access token is not present', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/permission')
+        .send(permission)
+        .expect(401)
+
+      expect(res.text).toEqual('Unauthorized')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Unauthorized if access token is not of an admin account', async () => {
+      const accessToken = await generateAndSaveToken(dbUser.id)
+
+      const res = await request(app)
+        .post('/SASjsApi/permission')
+        .auth(accessToken, { type: 'bearer' })
+        .send(permission)
+        .expect(401)
+
+      expect(res.text).toEqual('Admin account required')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Bad Request if path is missing', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/permission')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({
+          ...permission,
+          path: undefined
+        })
+        .expect(400)
+
+      expect(res.text).toEqual(`"path" is required`)
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Bad Request if path is not valid', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/permission')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({
+          ...permission,
+          path: '/some/random/api/endpoint'
+        })
+        .expect(400)
+
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Bad Request if type is not valid', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/permission')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({
+          ...permission,
+          type: 'invalid'
+        })
+        .expect(400)
+
+      expect(res.text).toEqual('"type" must be [Route]')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Bad Request if type is missing', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/permission')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({
+          ...permission,
+          type: undefined
+        })
+        .expect(400)
+
+      expect(res.text).toEqual(`"type" is required`)
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Bad Request if setting is missing', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/permission')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({
+          ...permission,
+          setting: undefined
+        })
+        .expect(400)
+
+      expect(res.text).toEqual(`"setting" is required`)
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Bad Request if setting is not valid', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/permission')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({
+          ...permission,
+          setting: 'invalid'
+        })
+        .expect(400)
+
+      expect(res.text).toEqual('"setting" must be one of [Grant, Deny]')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Bad Request if principalType is missing', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/permission')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({
+          ...permission,
+          principalType: undefined
+        })
+        .expect(400)
+
+      expect(res.text).toEqual(`"principalType" is required`)
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Bad Request if principal type is not valid', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/permission')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({
+          ...permission,
+          principalType: 'invalid'
+        })
+        .expect(400)
+
+      expect(res.text).toEqual('"principalType" must be one of [user, group]')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Bad Request if principalId is missing', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/permission')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({
+          ...permission,
+          principalId: undefined
+        })
+        .expect(400)
+
+      expect(res.text).toEqual(`"principalId" is required`)
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Bad Request if principalId is not a number', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/permission')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({
+          ...permission,
+          principalId: 'someCharacters'
+        })
+        .expect(400)
+
+      expect(res.text).toEqual('"principalId" must be a number')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Bad Request if adding permission for admin user', async () => {
+      const adminUser = await userController.createUser({
+        ...user,
+        username: 'adminUser',
+        isAdmin: true
+      })
+
+      const res = await request(app)
+        .post('/SASjsApi/permission')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({
+          ...permission,
+          principalId: adminUser.id
+        })
+        .expect(400)
+
+      expect(res.text).toEqual('Can not add permission for admin user.')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Not Found (404) if user is not found', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/permission')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({
+          ...permission,
+          principalId: 123
+        })
+        .expect(404)
+
+      expect(res.text).toEqual('User not found.')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Not Found (404) if group is not found', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/permission')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({
+          ...permission,
+          principalType: 'group',
+          principalId: 123
+        })
+        .expect(404)
+
+      expect(res.text).toEqual('Group not found.')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Conflict (409) if permission already exists', async () => {
+      await permissionController.createPermission({
+        ...permission,
+        principalId: dbUser.id
+      })
+
+      const res = await request(app)
+        .post('/SASjsApi/permission')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({ ...permission, principalId: dbUser.id })
+        .expect(409)
+
+      expect(res.text).toEqual(
+        'Permission already exists with provided Path, Type and User.'
+      )
+      expect(res.body).toEqual({})
+    })
+  })
+
+  describe('update', () => {
+    let dbPermission: PermissionDetailsResponse | undefined
+    beforeAll(async () => {
+      dbPermission = await permissionController.createPermission({
+        ...permission,
+        principalId: dbUser.id
+      })
+    })
+
+    afterEach(async () => {
+      await deleteAllPermissions()
+    })
+
+    it('should respond with updated permission', async () => {
+      const res = await request(app)
+        .patch(`/SASjsApi/permission/${dbPermission?.permissionId}`)
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({ setting: PermissionSettingForRoute.deny })
+        .expect(200)
+
+      expect(res.body.setting).toEqual('Deny')
+    })
+
+    it('should respond with Unauthorized if access token is not present', async () => {
+      const res = await request(app)
+        .patch(`/SASjsApi/permission/${dbPermission?.permissionId}`)
+        .send()
+        .expect(401)
+
+      expect(res.text).toEqual('Unauthorized')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Unauthorized if access token is not of an admin account', async () => {
+      const accessToken = await generateSaveTokenAndCreateUser({
+        ...user,
+        username: 'update' + user.username
+      })
+
+      const res = await request(app)
+        .patch(`/SASjsApi/permission/${dbPermission?.permissionId}`)
+        .auth(accessToken, { type: 'bearer' })
+        .send()
+        .expect(401)
+
+      expect(res.text).toEqual('Admin account required')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Bad Request if setting is missing', async () => {
+      const res = await request(app)
+        .patch(`/SASjsApi/permission/${dbPermission?.permissionId}`)
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send()
+        .expect(400)
+
+      expect(res.text).toEqual(`"setting" is required`)
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Bad Request if setting is  invalid', async () => {
+      const res = await request(app)
+        .patch(`/SASjsApi/permission/${dbPermission?.permissionId}`)
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({
+          setting: 'invalid'
+        })
+        .expect(400)
+
+      expect(res.text).toEqual('"setting" must be one of [Grant, Deny]')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with not found (404) if permission with provided id does not exist', async () => {
+      const res = await request(app)
+        .patch('/SASjsApi/permission/123')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({
+          setting: PermissionSettingForRoute.deny
+        })
+        .expect(404)
+
+      expect(res.text).toEqual('Permission not found.')
+      expect(res.body).toEqual({})
+    })
+  })
+
+  describe('delete', () => {
+    it('should delete permission', async () => {
+      const dbPermission = await permissionController.createPermission({
+        ...permission,
+        principalId: dbUser.id
+      })
+      const res = await request(app)
+        .delete(`/SASjsApi/permission/${dbPermission?.permissionId}`)
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send()
+        .expect(200)
+
+      expect(res.text).toEqual('Permission Deleted!')
+    })
+
+    it('should respond with not found (404) if permission with provided id does not exists', async () => {
+      const res = await request(app)
+        .delete('/SASjsApi/permission/123')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send()
+        .expect(404)
+
+      expect(res.text).toEqual('Permission not found.')
+    })
+  })
+
+  describe('get', () => {
+    beforeAll(async () => {
+      await permissionController.createPermission({
+        ...permission,
+        path: '/test-1',
+        principalId: dbUser.id
+      })
+      await permissionController.createPermission({
+        ...permission,
+        path: '/test-2',
+        principalId: dbUser.id
+      })
+    })
+
+    it('should give a list of all permissions when user is admin', async () => {
+      const res = await request(app)
+        .get('/SASjsApi/permission/')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send()
+        .expect(200)
+
+      expect(res.body).toHaveLength(2)
+    })
+
+    it(`should give a list of user's own  permissions when user is not admin`, async () => {
+      const nonAdminUser = await userController.createUser({
+        ...user,
+        username: 'get' + user.username
+      })
+      const accessToken = await generateAndSaveToken(nonAdminUser.id)
+      await permissionController.createPermission({
+        path: '/test-1',
+        type: PermissionType.route,
+        principalType: PrincipalType.user,
+        principalId: nonAdminUser.id,
+        setting: PermissionSettingForRoute.grant
+      })
+
+      const permissionCount = 1
+
+      const res = await request(app)
+        .get('/SASjsApi/permission/')
+        .auth(accessToken, { type: 'bearer' })
+        .send()
+        .expect(200)
+
+      expect(res.body).toHaveLength(permissionCount)
+    })
+  })
+
+  describe('verify', () => {
+    beforeAll(async () => {
+      await permissionController.createPermission({
+        ...permission,
+        path: '/SASjsApi/drive/deploy',
+        principalId: dbUser.id
+      })
+    })
+
+    beforeEach(() => {
+      jest
+        .spyOn(DriveController.prototype, 'deploy')
+        .mockImplementation((deployPayload) =>
+          Promise.resolve({
+            status: 'success',
+            message: 'Files deployed successfully to @sasjs/server.'
+          })
+        )
+    })
+
+    afterEach(() => {
+      jest.resetAllMocks()
+    })
+
+    it('should create files in SASJS drive', async () => {
+      const accessToken = await generateAndSaveToken(dbUser.id)
+
+      await request(app)
+        .get('/SASjsApi/drive/deploy')
+        .auth(accessToken, { type: 'bearer' })
+        .send(deployPayload)
+        .expect(200)
+    })
+
+    it('should respond unauthorized', async () => {
+      const accessToken = await generateAndSaveToken(dbUser.id)
+
+      await request(app)
+        .get('/SASjsApi/drive/deploy/upload')
+        .auth(accessToken, { type: 'bearer' })
+        .send()
+        .expect(401)
+    })
+  })
+})
+
+const generateSaveTokenAndCreateUser = async (
+  someUser?: any
+): Promise<string> => {
+  const dbUser = await userController.createUser(someUser ?? adminUser)
+
+  return generateAndSaveToken(dbUser.id)
+}
+
+const generateAndSaveToken = async (userId: number) => {
+  const adminAccessToken = generateAccessToken({
+    clientId,
+    userId
+  })
+  await saveTokensInDB(userId, clientId, adminAccessToken, 'refreshToken')
+  return adminAccessToken
+}
+
+const deleteAllPermissions = async () => {
+  const { collections } = mongoose.connection
+  const collection = collections['permissions']
+  await collection.deleteMany({})
+}

api/src/routes/api/spec/stp.spec.ts

@@ -0,0 +1,506 @@
+import path from 'path'
+import { Express } from 'express'
+import mongoose, { Mongoose } from 'mongoose'
+import { MongoMemoryServer } from 'mongodb-memory-server'
+import request from 'supertest'
+import appPromise from '../../../app'
+import {
+  UserController,
+  PermissionController,
+  PermissionType,
+  PermissionSettingForRoute,
+  PrincipalType
+} from '../../../controllers/'
+import {
+  generateAccessToken,
+  saveTokensInDB,
+  getFilesFolder,
+  RunTimeType,
+  generateUniqueFileName,
+  getSessionsFolder
+} from '../../../utils'
+import { createFile, generateTimestamp, deleteFolder } from '@sasjs/utils'
+import {
+  SessionController,
+  SASSessionController
+} from '../../../controllers/internal'
+import * as ProcessProgramModule from '../../../controllers/internal/processProgram'
+import { Session } from '../../../types'
+
+const clientId = 'someclientID'
+
+const user = {
+  displayName: 'Test User',
+  username: 'testUsername',
+  password: '87654321',
+  isAdmin: false,
+  isActive: true
+}
+
+const sampleSasProgram = '%put hello world!;'
+const sampleJsProgram = `console.log('hello world!/')`
+const samplePyProgram = `print('hello world!/')`
+
+const filesFolder = getFilesFolder()
+const testFilesFolder = `test-stp-${generateTimestamp()}`
+
+let app: Express
+let accessToken: string
+
+describe('stp', () => {
+  let con: Mongoose
+  let mongoServer: MongoMemoryServer
+  const userController = new UserController()
+  const permissionController = new PermissionController()
+
+  beforeAll(async () => {
+    app = await appPromise
+    mongoServer = await MongoMemoryServer.create()
+    con = await mongoose.connect(mongoServer.getUri())
+    const dbUser = await userController.createUser(user)
+    accessToken = await generateAndSaveToken(dbUser.id)
+    await permissionController.createPermission({
+      path: '/SASjsApi/stp/execute',
+      type: PermissionType.route,
+      principalType: PrincipalType.user,
+      principalId: dbUser.id,
+      setting: PermissionSettingForRoute.grant
+    })
+  })
+
+  afterAll(async () => {
+    await con.connection.dropDatabase()
+    await con.connection.close()
+    await mongoServer.stop()
+  })
+
+  describe('execute', () => {
+    describe('get', () => {
+      describe('with runtime js', () => {
+        const testFilesFolder = `test-stp-${generateTimestamp()}`
+
+        beforeAll(() => {
+          process.runTimes = [RunTimeType.JS]
+        })
+
+        beforeEach(() => {
+          jest.resetModules() // it clears the cache
+          setupMocks()
+        })
+
+        afterEach(async () => {
+          jest.resetAllMocks()
+          await deleteFolder(path.join(filesFolder, testFilesFolder))
+        })
+
+        it('should execute js program when both js and sas program are present', async () => {
+          await makeRequestAndAssert(
+            [RunTimeType.JS, RunTimeType.SAS],
+            200,
+            RunTimeType.JS
+          )
+        })
+
+        it('should throw error when js program is not present but sas program exists', async () => {
+          await makeRequestAndAssert([], 400)
+        })
+      })
+
+      describe('with runtime py', () => {
+        const testFilesFolder = `test-stp-${generateTimestamp()}`
+
+        beforeAll(() => {
+          process.runTimes = [RunTimeType.PY]
+        })
+
+        beforeEach(() => {
+          jest.resetModules() // it clears the cache
+          setupMocks()
+        })
+
+        afterEach(async () => {
+          jest.resetAllMocks()
+          await deleteFolder(path.join(filesFolder, testFilesFolder))
+        })
+
+        it('should execute python program when python, js and sas programs are present', async () => {
+          await makeRequestAndAssert(
+            [RunTimeType.PY, RunTimeType.SAS, RunTimeType.JS],
+            200,
+            RunTimeType.PY
+          )
+        })
+
+        it('should throw error when py program is not present but js or sas program exists', async () => {
+          await makeRequestAndAssert([], 400)
+        })
+      })
+
+      describe('with runtime sas', () => {
+        beforeAll(() => {
+          process.runTimes = [RunTimeType.SAS]
+        })
+
+        beforeEach(() => {
+          jest.resetModules() // it clears the cache
+          setupMocks()
+        })
+
+        afterEach(async () => {
+          jest.resetAllMocks()
+          await deleteFolder(path.join(filesFolder, testFilesFolder))
+        })
+
+        it('should execute sas program when both sas and js programs are present', async () => {
+          await makeRequestAndAssert([RunTimeType.SAS], 200, RunTimeType.SAS)
+        })
+
+        it('should throw error when sas program do not exit but js exists', async () => {
+          await makeRequestAndAssert([], 400)
+        })
+      })
+
+      describe('with runtime js and sas', () => {
+        beforeAll(() => {
+          process.runTimes = [RunTimeType.JS, RunTimeType.SAS]
+        })
+
+        beforeEach(() => {
+          jest.resetModules() // it clears the cache
+          setupMocks()
+        })
+
+        afterEach(async () => {
+          jest.resetAllMocks()
+          await deleteFolder(path.join(filesFolder, testFilesFolder))
+        })
+
+        it('should execute js program when both js and sas program are present', async () => {
+          await makeRequestAndAssert(
+            [RunTimeType.SAS, RunTimeType.JS],
+            200,
+            RunTimeType.JS
+          )
+        })
+
+        it('should execute sas program when js program is not present but sas program exists', async () => {
+          await makeRequestAndAssert([RunTimeType.SAS], 200, RunTimeType.SAS)
+        })
+
+        it('should throw error when both sas and js programs do not exist', async () => {
+          await makeRequestAndAssert([], 400)
+        })
+      })
+
+      describe('with runtime py and sas', () => {
+        beforeAll(() => {
+          process.runTimes = [RunTimeType.PY, RunTimeType.SAS]
+        })
+
+        beforeEach(() => {
+          jest.resetModules() // it clears the cache
+          setupMocks()
+        })
+
+        afterEach(async () => {
+          jest.resetAllMocks()
+          await deleteFolder(path.join(filesFolder, testFilesFolder))
+        })
+
+        it('should execute python program when both python and sas program are present', async () => {
+          await makeRequestAndAssert(
+            [RunTimeType.PY, RunTimeType.SAS],
+            200,
+            RunTimeType.PY
+          )
+        })
+
+        it('should execute sas program when python program is not present but sas program exists', async () => {
+          await makeRequestAndAssert([RunTimeType.SAS], 200, RunTimeType.SAS)
+        })
+
+        it('should throw error when both sas and js programs do not exist', async () => {
+          await makeRequestAndAssert([], 400)
+        })
+      })
+
+      describe('with runtime sas and js', () => {
+        beforeAll(() => {
+          process.runTimes = [RunTimeType.SAS, RunTimeType.JS]
+        })
+
+        beforeEach(() => {
+          jest.resetModules() // it clears the cache
+          setupMocks()
+        })
+
+        afterEach(async () => {
+          jest.resetAllMocks()
+          await deleteFolder(path.join(filesFolder, testFilesFolder))
+        })
+
+        it('should execute sas program when both sas and js programs  exist', async () => {
+          await makeRequestAndAssert(
+            [RunTimeType.SAS, RunTimeType.JS],
+            200,
+            RunTimeType.SAS
+          )
+        })
+
+        it('should execute js program when sas program is not present but js program exists', async () => {
+          await makeRequestAndAssert([RunTimeType.JS], 200, RunTimeType.JS)
+        })
+
+        it('should throw error when both sas and js programs do not exist', async () => {
+          await makeRequestAndAssert([], 400)
+        })
+      })
+
+      describe('with runtime sas and py', () => {
+        beforeAll(() => {
+          process.runTimes = [RunTimeType.SAS, RunTimeType.PY]
+        })
+
+        beforeEach(() => {
+          jest.resetModules() // it clears the cache
+          setupMocks()
+        })
+
+        afterEach(async () => {
+          jest.resetAllMocks()
+          await deleteFolder(path.join(filesFolder, testFilesFolder))
+        })
+
+        it('should execute sas program when both sas and python programs exist', async () => {
+          await makeRequestAndAssert(
+            [RunTimeType.SAS, RunTimeType.PY],
+            200,
+            RunTimeType.SAS
+          )
+        })
+
+        it('should execute python program when sas program is not present but python program exists', async () => {
+          await makeRequestAndAssert([RunTimeType.PY], 200, RunTimeType.PY)
+        })
+
+        it('should throw error when both sas and python programs do not exist', async () => {
+          await makeRequestAndAssert([], 400)
+        })
+      })
+
+      describe('with runtime sas, js and py', () => {
+        beforeAll(() => {
+          process.runTimes = [RunTimeType.SAS, RunTimeType.JS, RunTimeType.PY]
+        })
+
+        beforeEach(() => {
+          jest.resetModules() // it clears the cache
+          setupMocks()
+        })
+
+        afterEach(async () => {
+          jest.resetAllMocks()
+          await deleteFolder(path.join(filesFolder, testFilesFolder))
+        })
+
+        it('should execute sas program when it exists, no matter js and python programs exist or not', async () => {
+          await makeRequestAndAssert(
+            [RunTimeType.SAS, RunTimeType.PY, RunTimeType.JS],
+            200,
+            RunTimeType.SAS
+          )
+        })
+
+        it('should execute js program when sas program is absent but js and python programs are present', async () => {
+          await makeRequestAndAssert(
+            [RunTimeType.JS, RunTimeType.PY],
+            200,
+            RunTimeType.JS
+          )
+        })
+
+        it('should execute python program when both sas and js programs are not present', async () => {
+          await makeRequestAndAssert([RunTimeType.PY], 200, RunTimeType.PY)
+        })
+
+        it('should throw error when no program exists', async () => {
+          await makeRequestAndAssert([], 400)
+        })
+      })
+
+      describe('with runtime js, sas and py', () => {
+        beforeAll(() => {
+          process.runTimes = [RunTimeType.JS, RunTimeType.SAS, RunTimeType.PY]
+        })
+
+        beforeEach(() => {
+          jest.resetModules() // it clears the cache
+          setupMocks()
+        })
+
+        afterEach(async () => {
+          jest.resetAllMocks()
+          await deleteFolder(path.join(filesFolder, testFilesFolder))
+        })
+
+        it('should execute js program when it exists, no matter sas and python programs exist or not', async () => {
+          await makeRequestAndAssert(
+            [RunTimeType.JS, RunTimeType.SAS, RunTimeType.PY],
+            200,
+            RunTimeType.JS
+          )
+        })
+
+        it('should execute sas program when js program is absent but sas and python programs are present', async () => {
+          await makeRequestAndAssert(
+            [RunTimeType.SAS, RunTimeType.PY],
+            200,
+            RunTimeType.SAS
+          )
+        })
+
+        it('should execute python program when both sas and js programs are not present', async () => {
+          await makeRequestAndAssert([RunTimeType.PY], 200, RunTimeType.PY)
+        })
+
+        it('should throw error when no program exists', async () => {
+          await makeRequestAndAssert([], 400)
+        })
+      })
+
+      describe('with runtime py, sas and js', () => {
+        beforeAll(() => {
+          process.runTimes = [RunTimeType.PY, RunTimeType.SAS, RunTimeType.JS]
+        })
+
+        beforeEach(() => {
+          jest.resetModules() // it clears the cache
+          setupMocks()
+        })
+
+        afterEach(async () => {
+          jest.resetAllMocks()
+          await deleteFolder(path.join(filesFolder, testFilesFolder))
+        })
+
+        it('should execute python program when it exists, no matter sas and js programs exist or not', async () => {
+          await makeRequestAndAssert(
+            [RunTimeType.PY, RunTimeType.SAS, RunTimeType.JS],
+            200,
+            RunTimeType.PY
+          )
+        })
+
+        it('should execute sas program when python program is absent but sas and js programs are present', async () => {
+          await makeRequestAndAssert(
+            [RunTimeType.SAS, RunTimeType.JS],
+            200,
+            RunTimeType.SAS
+          )
+        })
+
+        it('should execute js program when both sas and python programs are not present', async () => {
+          await makeRequestAndAssert([RunTimeType.JS], 200, RunTimeType.JS)
+        })
+
+        it('should throw error when no program exists', async () => {
+          await makeRequestAndAssert([], 400)
+        })
+      })
+    })
+  })
+})
+
+const makeRequestAndAssert = async (
+  programTypes: RunTimeType[],
+  expectedStatusCode: number,
+  expectedRuntime?: RunTimeType
+) => {
+  const programPath = path.join(testFilesFolder, 'program')
+  for (const programType of programTypes) {
+    if (programType === RunTimeType.JS)
+      await createFile(
+        path.join(filesFolder, `${programPath}.js`),
+        sampleJsProgram
+      )
+    else if (programType === RunTimeType.PY)
+      await createFile(
+        path.join(filesFolder, `${programPath}.py`),
+        samplePyProgram
+      )
+    else if (programType === RunTimeType.SAS)
+      await createFile(
+        path.join(filesFolder, `${programPath}.sas`),
+        sampleSasProgram
+      )
+  }
+
+  await request(app)
+    .get(`/SASjsApi/stp/execute?_program=${programPath}`)
+    .auth(accessToken, { type: 'bearer' })
+    .send()
+    .expect(expectedStatusCode)
+
+  if (expectedRuntime)
+    expect(ProcessProgramModule.processProgram).toHaveBeenCalledWith(
+      expect.anything(),
+      expect.anything(),
+      expect.anything(),
+      expect.anything(),
+      expect.anything(),
+      expect.anything(),
+      expect.anything(),
+      expectedRuntime,
+      expect.anything(),
+      undefined
+    )
+}
+
+const generateAndSaveToken = async (userId: number) => {
+  const accessToken = generateAccessToken({
+    clientId,
+    userId
+  })
+  await saveTokensInDB(userId, clientId, accessToken, 'refreshToken')
+  return accessToken
+}
+
+const setupMocks = async () => {
+  jest
+    .spyOn(SASSessionController.prototype, 'getSession')
+    .mockImplementation(mockedGetSession)
+
+  jest
+    .spyOn(SASSessionController.prototype, 'getSession')
+    .mockImplementation(mockedGetSession)
+
+  jest
+    .spyOn(ProcessProgramModule, 'processProgram')
+    .mockImplementation(() => Promise.resolve())
+}
+
+const mockedGetSession = async () => {
+  const sessionId = generateUniqueFileName(generateTimestamp())
+  const sessionFolder = path.join(getSessionsFolder(), sessionId)
+
+  const creationTimeStamp = sessionId.split('-').pop() as string
+  // death time of session is 15 mins from creation
+  const deathTimeStamp = (
+    parseInt(creationTimeStamp) +
+    15 * 60 * 1000 -
+    1000
+  ).toString()
+
+  const session: Session = {
+    id: sessionId,
+    ready: true,
+    inUse: true,
+    consumed: false,
+    completed: false,
+    creationTimeStamp,
+    deathTimeStamp,
+    path: sessionFolder
+  }
+
+  return session
+}

api/src/routes/api/spec/user.spec.ts

@@ -3,37 +3,41 @@ import mongoose, { Mongoose } from 'mongoose'
 import { MongoMemoryServer } from 'mongodb-memory-server'
 import request from 'supertest'
 import appPromise from '../../../app'
-import { UserController } from '../../../controllers/'
-import { generateAccessToken, saveTokensInDB } from '../../../utils'
-
-let app: Express
-appPromise.then((_app) => {
-  app = _app
-})
+import { UserController, GroupController } from '../../../controllers/'
+import {
+  generateAccessToken,
+  saveTokensInDB,
+  AuthProviderType
+} from '../../../utils'
+import User from '../../../model/User'
 
 const clientId = 'someclientID'
 const adminUser = {
   displayName: 'Test Admin',
-  username: 'testAdminUsername',
+  username: 'testadminusername',
   password: '12345678',
   isAdmin: true,
   isActive: true
 }
 const user = {
   displayName: 'Test User',
-  username: 'testUsername',
+  username: 'testusername',
   password: '87654321',
   isAdmin: false,
-  isActive: true
+  isActive: true,
+  autoExec: 'some sas code for auto exec;'
 }
 
 const controller = new UserController()
 
 describe('user', () => {
+  let app: Express
   let con: Mongoose
   let mongoServer: MongoMemoryServer
 
   beforeAll(async () => {
+    app = await appPromise
+
     mongoServer = await MongoMemoryServer.create()
     con = await mongoose.connect(mongoServer.getUri())
   })
@@ -66,6 +70,21 @@ describe('user', () => {
       expect(res.body.displayName).toEqual(user.displayName)
       expect(res.body.isAdmin).toEqual(user.isAdmin)
       expect(res.body.isActive).toEqual(user.isActive)
+      expect(res.body.autoExec).toEqual(user.autoExec)
+    })
+
+    it('should respond with new user having username as lowercase', async () => {
+      const res = await request(app)
+        .post('/SASjsApi/user')
+        .auth(adminAccessToken, { type: 'bearer' })
+        .send({ ...user, username: user.username.toUpperCase() })
+        .expect(200)
+
+      expect(res.body.username).toEqual(user.username)
+      expect(res.body.displayName).toEqual(user.displayName)
+      expect(res.body.isAdmin).toEqual(user.isAdmin)
+      expect(res.body.isActive).toEqual(user.isActive)
+      expect(res.body.autoExec).toEqual(user.autoExec)
     })
 
     it('should respond with Unauthorized if access token is not present', async () => {
@@ -96,16 +115,16 @@ describe('user', () => {
       expect(res.body).toEqual({})
     })
 
-    it('should respond with Forbidden if username is already present', async () => {
+    it('should respond with Conflict if username is already present', async () => {
       await controller.createUser(user)
 
       const res = await request(app)
         .post('/SASjsApi/user')
         .auth(adminAccessToken, { type: 'bearer' })
         .send(user)
-        .expect(403)
+        .expect(409)
 
-      expect(res.text).toEqual('Error: Username already exists.')
+      expect(res.text).toEqual('Username already exists.')
       expect(res.body).toEqual({})
     })
 
@@ -212,6 +231,36 @@ describe('user', () => {
         .expect(400)
     })
 
+    it('should respond with Method Not Allowed, when updating username of user created by an external auth provider', async () => {
+      const dbUser = await User.create({
+        ...user,
+        authProvider: AuthProviderType.LDAP
+      })
+      const accessToken = await generateAndSaveToken(dbUser!.id)
+      const newUsername = 'newUsername'
+
+      await request(app)
+        .patch(`/SASjsApi/user/${dbUser!.id}`)
+        .auth(accessToken, { type: 'bearer' })
+        .send({ username: newUsername })
+        .expect(405)
+    })
+
+    it('should respond with Method Not Allowed, when updating displayName of user created by an external auth provider', async () => {
+      const dbUser = await User.create({
+        ...user,
+        authProvider: AuthProviderType.LDAP
+      })
+      const accessToken = await generateAndSaveToken(dbUser!.id)
+      const newDisplayName = 'My new display Name'
+
+      await request(app)
+        .patch(`/SASjsApi/user/${dbUser!.id}`)
+        .auth(accessToken, { type: 'bearer' })
+        .send({ displayName: newDisplayName })
+        .expect(405)
+    })
+
     it('should respond with Unauthorized if access token is not present', async () => {
       const res = await request(app)
         .patch('/SASjsApi/user/1234')
@@ -240,22 +289,118 @@ describe('user', () => {
       expect(res.body).toEqual({})
     })
 
-    it('should respond with Forbidden if username is already present', async () => {
+    it('should respond with Conflict if username is already present', async () => {
       const dbUser1 = await controller.createUser(user)
       const dbUser2 = await controller.createUser({
         ...user,
-        username: 'randomUser'
+        username: 'randomuser'
       })
 
       const res = await request(app)
         .patch(`/SASjsApi/user/${dbUser1.id}`)
         .auth(adminAccessToken, { type: 'bearer' })
         .send({ username: dbUser2.username })
-        .expect(403)
+        .expect(409)
 
-      expect(res.text).toEqual('Error: Username already exists.')
+      expect(res.text).toEqual('Username already exists.')
       expect(res.body).toEqual({})
     })
+
+    describe('by username', () => {
+      it('should respond with updated user when admin user requests', async () => {
+        const dbUser = await controller.createUser(user)
+        const newDisplayName = 'My new display Name'
+
+        const res = await request(app)
+          .patch(`/SASjsApi/user/by/username/${user.username}`)
+          .auth(adminAccessToken, { type: 'bearer' })
+          .send({ ...user, displayName: newDisplayName })
+          .expect(200)
+
+        expect(res.body.username).toEqual(user.username)
+        expect(res.body.displayName).toEqual(newDisplayName)
+        expect(res.body.isAdmin).toEqual(user.isAdmin)
+        expect(res.body.isActive).toEqual(user.isActive)
+      })
+
+      it('should respond with updated user when user himself requests', async () => {
+        const dbUser = await controller.createUser(user)
+        const accessToken = await generateAndSaveToken(dbUser.id)
+        const newDisplayName = 'My new display Name'
+
+        const res = await request(app)
+          .patch(`/SASjsApi/user/by/username/${user.username}`)
+          .auth(accessToken, { type: 'bearer' })
+          .send({
+            displayName: newDisplayName,
+            username: user.username,
+            password: user.password
+          })
+          .expect(200)
+
+        expect(res.body.username).toEqual(user.username)
+        expect(res.body.displayName).toEqual(newDisplayName)
+        expect(res.body.isAdmin).toEqual(user.isAdmin)
+        expect(res.body.isActive).toEqual(user.isActive)
+      })
+
+      it('should respond with Bad Request, only admin can update isAdmin/isActive', async () => {
+        const dbUser = await controller.createUser(user)
+        const accessToken = await generateAndSaveToken(dbUser.id)
+        const newDisplayName = 'My new display Name'
+
+        await request(app)
+          .patch(`/SASjsApi/user/by/username/${user.username}`)
+          .auth(accessToken, { type: 'bearer' })
+          .send({ ...user, displayName: newDisplayName })
+          .expect(400)
+      })
+
+      it('should respond with Unauthorized if access token is not present', async () => {
+        const res = await request(app)
+          .patch('/SASjsApi/user/by/username/1234')
+          .send(user)
+          .expect(401)
+
+        expect(res.text).toEqual('Unauthorized')
+        expect(res.body).toEqual({})
+      })
+
+      it('should respond with Unauthorized when access token is not of an admin account or himself', async () => {
+        const dbUser1 = await controller.createUser(user)
+        const dbUser2 = await controller.createUser({
+          ...user,
+          username: 'randomUser'
+        })
+        const accessToken = await generateAndSaveToken(dbUser2.id)
+
+        const res = await request(app)
+          .patch(`/SASjsApi/user/${dbUser1.id}`)
+          .auth(accessToken, { type: 'bearer' })
+          .send(user)
+          .expect(401)
+
+        expect(res.text).toEqual('Admin account required')
+        expect(res.body).toEqual({})
+      })
+
+      it('should respond with Conflict if username is already present', async () => {
+        const dbUser1 = await controller.createUser(user)
+        const dbUser2 = await controller.createUser({
+          ...user,
+          username: 'randomuser'
+        })
+
+        const res = await request(app)
+          .patch(`/SASjsApi/user/by/username/${dbUser1.username}`)
+          .auth(adminAccessToken, { type: 'bearer' })
+          .send({ username: dbUser2.username })
+          .expect(409)
+
+        expect(res.text).toEqual('Username already exists.')
+        expect(res.body).toEqual({})
+      })
+    })
   })
 
   describe('delete', () => {
@@ -336,7 +481,7 @@ describe('user', () => {
       expect(res.body).toEqual({})
     })
 
-    it('should respond with Forbidden when user himself requests and password is incorrect', async () => {
+    it('should respond with Unauthorized when user himself requests and password is incorrect', async () => {
       const dbUser = await controller.createUser(user)
       const accessToken = await generateAndSaveToken(dbUser.id)
 
@@ -344,11 +489,94 @@ describe('user', () => {
         .delete(`/SASjsApi/user/${dbUser.id}`)
         .auth(accessToken, { type: 'bearer' })
         .send({ password: 'incorrectpassword' })
-        .expect(403)
+        .expect(401)
 
-      expect(res.text).toEqual('Error: Invalid password.')
+      expect(res.text).toEqual('Invalid password.')
       expect(res.body).toEqual({})
     })
+
+    describe('by username', () => {
+      it('should respond with OK when admin user requests', async () => {
+        const dbUser = await controller.createUser(user)
+
+        const res = await request(app)
+          .delete(`/SASjsApi/user/by/username/${dbUser.username}`)
+          .auth(adminAccessToken, { type: 'bearer' })
+          .send()
+          .expect(200)
+
+        expect(res.body).toEqual({})
+      })
+
+      it('should respond with OK when user himself requests', async () => {
+        const dbUser = await controller.createUser(user)
+        const accessToken = await generateAndSaveToken(dbUser.id)
+
+        const res = await request(app)
+          .delete(`/SASjsApi/user/by/username/${dbUser.username}`)
+          .auth(accessToken, { type: 'bearer' })
+          .send({ password: user.password })
+          .expect(200)
+
+        expect(res.body).toEqual({})
+      })
+
+      it('should respond with Bad Request when user himself requests and password is missing', async () => {
+        const dbUser = await controller.createUser(user)
+        const accessToken = await generateAndSaveToken(dbUser.id)
+
+        const res = await request(app)
+          .delete(`/SASjsApi/user/by/username/${dbUser.username}`)
+          .auth(accessToken, { type: 'bearer' })
+          .send()
+          .expect(400)
+
+        expect(res.text).toEqual(`"password" is required`)
+        expect(res.body).toEqual({})
+      })
+
+      it('should respond with Unauthorized when access token is not present', async () => {
+        const res = await request(app)
+          .delete('/SASjsApi/user/by/username/RandomUsername')
+          .send(user)
+          .expect(401)
+
+        expect(res.text).toEqual('Unauthorized')
+        expect(res.body).toEqual({})
+      })
+
+      it('should respond with Unauthorized when access token is not of an admin account or himself', async () => {
+        const dbUser1 = await controller.createUser(user)
+        const dbUser2 = await controller.createUser({
+          ...user,
+          username: 'randomUser'
+        })
+        const accessToken = await generateAndSaveToken(dbUser2.id)
+
+        const res = await request(app)
+          .delete(`/SASjsApi/user/by/username/${dbUser1.username}`)
+          .auth(accessToken, { type: 'bearer' })
+          .send(user)
+          .expect(401)
+
+        expect(res.text).toEqual('Admin account required')
+        expect(res.body).toEqual({})
+      })
+
+      it('should respond with Unauthorized when user himself requests and password is incorrect', async () => {
+        const dbUser = await controller.createUser(user)
+        const accessToken = await generateAndSaveToken(dbUser.id)
+
+        const res = await request(app)
+          .delete(`/SASjsApi/user/by/username/${dbUser.username}`)
+          .auth(accessToken, { type: 'bearer' })
+          .send({ password: 'incorrectpassword' })
+          .expect(401)
+
+        expect(res.text).toEqual('Invalid password.')
+        expect(res.body).toEqual({})
+      })
+    })
   })
 
   describe('get', () => {
@@ -362,7 +590,26 @@ describe('user', () => {
       await deleteAllUsers()
     })
 
-    it('should respond with user', async () => {
+    it('should respond with user autoExec when same user requests', async () => {
+      const dbUser = await controller.createUser(user)
+      const userId = dbUser.id
+      const accessToken = await generateAndSaveToken(userId)
+
+      const res = await request(app)
+        .get(`/SASjsApi/user/${userId}`)
+        .auth(accessToken, { type: 'bearer' })
+        .send()
+        .expect(200)
+
+      expect(res.body.username).toEqual(user.username)
+      expect(res.body.displayName).toEqual(user.displayName)
+      expect(res.body.isAdmin).toEqual(user.isAdmin)
+      expect(res.body.isActive).toEqual(user.isActive)
+      expect(res.body.autoExec).toEqual(user.autoExec)
+      expect(res.body.groups).toEqual([])
+    })
+
+    it('should respond with user autoExec when admin user requests', async () => {
       const dbUser = await controller.createUser(user)
       const userId = dbUser.id
 
@@ -376,6 +623,8 @@ describe('user', () => {
       expect(res.body.displayName).toEqual(user.displayName)
       expect(res.body.isAdmin).toEqual(user.isAdmin)
       expect(res.body.isActive).toEqual(user.isActive)
+      expect(res.body.autoExec).toEqual(user.autoExec)
+      expect(res.body.groups).toEqual([])
     })
 
     it('should respond with user when access token is not of an admin account', async () => {
@@ -397,6 +646,35 @@ describe('user', () => {
       expect(res.body.displayName).toEqual(user.displayName)
       expect(res.body.isAdmin).toEqual(user.isAdmin)
       expect(res.body.isActive).toEqual(user.isActive)
+      expect(res.body.autoExec).toBeUndefined()
+      expect(res.body.groups).toEqual([])
+    })
+
+    it('should respond with user along with associated groups', async () => {
+      const dbUser = await controller.createUser(user)
+      const userId = dbUser.id
+      const accessToken = await generateAndSaveToken(userId)
+
+      const group = {
+        name: 'DCGroup1',
+        description: 'DC group for testing purposes.'
+      }
+      const groupController = new GroupController()
+      const dbGroup = await groupController.createGroup(group)
+      await groupController.addUserToGroup(dbGroup.groupId, dbUser.id)
+
+      const res = await request(app)
+        .get(`/SASjsApi/user/${userId}`)
+        .auth(accessToken, { type: 'bearer' })
+        .send()
+        .expect(200)
+
+      expect(res.body.username).toEqual(user.username)
+      expect(res.body.displayName).toEqual(user.displayName)
+      expect(res.body.isAdmin).toEqual(user.isAdmin)
+      expect(res.body.isActive).toEqual(user.isActive)
+      expect(res.body.autoExec).toEqual(user.autoExec)
+      expect(res.body.groups.length).toBeGreaterThan(0)
     })
 
     it('should respond with Unauthorized if access token is not present', async () => {
@@ -409,18 +687,98 @@ describe('user', () => {
       expect(res.body).toEqual({})
     })
 
-    it('should respond with Forbidden if userId is incorrect', async () => {
+    it('should respond with Not Found if userId is incorrect', async () => {
       await controller.createUser(user)
 
       const res = await request(app)
         .get('/SASjsApi/user/1234')
         .auth(adminAccessToken, { type: 'bearer' })
         .send()
-        .expect(403)
+        .expect(404)
 
-      expect(res.text).toEqual('Error: User is not found.')
+      expect(res.text).toEqual('User is not found.')
       expect(res.body).toEqual({})
     })
+
+    describe('by username', () => {
+      it('should respond with user autoExec when same user requests', async () => {
+        const dbUser = await controller.createUser(user)
+        const userId = dbUser.id
+        const accessToken = await generateAndSaveToken(userId)
+
+        const res = await request(app)
+          .get(`/SASjsApi/user/by/username/${dbUser.username}`)
+          .auth(accessToken, { type: 'bearer' })
+          .send()
+          .expect(200)
+
+        expect(res.body.username).toEqual(user.username)
+        expect(res.body.displayName).toEqual(user.displayName)
+        expect(res.body.isAdmin).toEqual(user.isAdmin)
+        expect(res.body.isActive).toEqual(user.isActive)
+        expect(res.body.autoExec).toEqual(user.autoExec)
+      })
+
+      it('should respond with user autoExec when admin user requests', async () => {
+        const dbUser = await controller.createUser(user)
+
+        const res = await request(app)
+          .get(`/SASjsApi/user/by/username/${dbUser.username}`)
+          .auth(adminAccessToken, { type: 'bearer' })
+          .send()
+          .expect(200)
+
+        expect(res.body.username).toEqual(user.username)
+        expect(res.body.displayName).toEqual(user.displayName)
+        expect(res.body.isAdmin).toEqual(user.isAdmin)
+        expect(res.body.isActive).toEqual(user.isActive)
+        expect(res.body.autoExec).toEqual(user.autoExec)
+      })
+
+      it('should respond with user when access token is not of an admin account', async () => {
+        const accessToken = await generateSaveTokenAndCreateUser({
+          ...user,
+          username: 'randomUser'
+        })
+
+        const dbUser = await controller.createUser(user)
+
+        const res = await request(app)
+          .get(`/SASjsApi/user/by/username/${dbUser.username}`)
+          .auth(accessToken, { type: 'bearer' })
+          .send()
+          .expect(200)
+
+        expect(res.body.username).toEqual(user.username)
+        expect(res.body.displayName).toEqual(user.displayName)
+        expect(res.body.isAdmin).toEqual(user.isAdmin)
+        expect(res.body.isActive).toEqual(user.isActive)
+        expect(res.body.autoExec).toBeUndefined()
+      })
+
+      it('should respond with Unauthorized if access token is not present', async () => {
+        const res = await request(app)
+          .get('/SASjsApi/user/by/username/randomUsername')
+          .send()
+          .expect(401)
+
+        expect(res.text).toEqual('Unauthorized')
+        expect(res.body).toEqual({})
+      })
+
+      it('should respond with Not Found if username is incorrect', async () => {
+        await controller.createUser(user)
+
+        const res = await request(app)
+          .get('/SASjsApi/user/by/username/randomUsername')
+          .auth(adminAccessToken, { type: 'bearer' })
+          .send()
+          .expect(404)
+
+        expect(res.text).toEqual('User is not found.')
+        expect(res.body).toEqual({})
+      })
+    })
   })
 
   describe('getAll', () => {
@@ -447,12 +805,14 @@ describe('user', () => {
         {
           id: expect.anything(),
           username: adminUser.username,
-          displayName: adminUser.displayName
+          displayName: adminUser.displayName,
+          isAdmin: adminUser.isAdmin
         },
         {
           id: expect.anything(),
           username: user.username,
-          displayName: user.displayName
+          displayName: user.displayName,
+          isAdmin: user.isAdmin
         }
       ])
     })
@@ -473,12 +833,14 @@ describe('user', () => {
         {
           id: expect.anything(),
           username: adminUser.username,
-          displayName: adminUser.displayName
+          displayName: adminUser.displayName,
+          isAdmin: adminUser.isAdmin
         },
         {
           id: expect.anything(),
           username: 'randomUser',
-          displayName: user.displayName
+          displayName: user.displayName,
+          isAdmin: user.isAdmin
         }
       ])
     })

api/src/routes/api/spec/web.spec.ts

@@ -0,0 +1,286 @@
+import { Express } from 'express'
+import mongoose, { Mongoose } from 'mongoose'
+import { MongoMemoryServer } from 'mongodb-memory-server'
+import request from 'supertest'
+import appPromise from '../../../app'
+import { UserController, ClientController } from '../../../controllers/'
+
+const clientId = 'someclientID'
+const clientSecret = 'someclientSecret'
+const user = {
+  id: 1234,
+  displayName: 'Test User',
+  username: 'testusername',
+  password: '87654321',
+  isAdmin: false,
+  isActive: true
+}
+
+describe('web', () => {
+  let app: Express
+  let con: Mongoose
+  let mongoServer: MongoMemoryServer
+  const userController = new UserController()
+  const clientController = new ClientController()
+
+  beforeAll(async () => {
+    app = await appPromise
+
+    mongoServer = await MongoMemoryServer.create()
+    con = await mongoose.connect(mongoServer.getUri())
+    await clientController.createClient({ clientId, clientSecret })
+  })
+
+  afterAll(async () => {
+    await con.connection.dropDatabase()
+    await con.connection.close()
+    await mongoServer.stop()
+  })
+
+  describe('home', () => {
+    it('should respond with CSRF Token', async () => {
+      const res = await request(app).get('/').expect(200)
+
+      expect(res.text).toMatch(
+        /<script>document.cookie = '(XSRF-TOKEN=.*; Max-Age=86400; SameSite=Strict; Path=\/;)'<\/script>/
+      )
+    })
+  })
+
+  describe('SASLogon/authorize', () => {
+    let csrfToken: string
+    let authCookies: string
+
+    beforeAll(async () => {
+      ;({ csrfToken } = await getCSRF(app))
+
+      await userController.createUser(user)
+
+      const credentials = {
+        username: user.username,
+        password: user.password
+      }
+
+      ;({ authCookies } = await performLogin(app, credentials, csrfToken))
+    })
+
+    afterAll(async () => {
+      const collections = mongoose.connection.collections
+      const collection = collections['users']
+      await collection.deleteMany({})
+    })
+
+    it('should respond with authorization code', async () => {
+      const res = await request(app)
+        .post('/SASLogon/authorize')
+        .set('Cookie', [authCookies].join('; '))
+        .set('x-xsrf-token', csrfToken)
+        .send({ clientId })
+
+      expect(res.body).toHaveProperty('code')
+    })
+
+    it('should respond with Bad Request if CSRF Token is missing', async () => {
+      const res = await request(app)
+        .post('/SASLogon/authorize')
+        .set('Cookie', [authCookies].join('; '))
+        .send({ clientId })
+        .expect(400)
+
+      expect(res.text).toEqual('Invalid CSRF token!')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Bad Request if clientId is missing', async () => {
+      const res = await request(app)
+        .post('/SASLogon/authorize')
+        .set('Cookie', [authCookies].join('; '))
+        .set('x-xsrf-token', csrfToken)
+        .send({})
+        .expect(400)
+
+      expect(res.text).toEqual(`"clientId" is required`)
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Forbidden if clientId is incorrect', async () => {
+      const res = await request(app)
+        .post('/SASLogon/authorize')
+        .set('Cookie', [authCookies].join('; '))
+        .set('x-xsrf-token', csrfToken)
+        .send({
+          clientId: 'WrongClientID'
+        })
+        .expect(403)
+
+      expect(res.text).toEqual('Error: Invalid clientId.')
+      expect(res.body).toEqual({})
+    })
+  })
+
+  describe('SASLogon/login', () => {
+    let csrfToken: string
+
+    beforeAll(async () => {
+      ;({ csrfToken } = await getCSRF(app))
+    })
+
+    afterEach(async () => {
+      const collections = mongoose.connection.collections
+      const collection = collections['users']
+      await collection.deleteMany({})
+    })
+
+    it('should respond with successful login', async () => {
+      await userController.createUser(user)
+
+      const res = await request(app)
+        .post('/SASLogon/login')
+        .set('x-xsrf-token', csrfToken)
+        .send({
+          username: user.username,
+          password: user.password
+        })
+        .expect(200)
+
+      expect(res.body.loggedIn).toBeTruthy()
+      expect(res.body.user).toEqual({
+        id: expect.any(Number),
+        username: user.username,
+        displayName: user.displayName,
+        isAdmin: user.isAdmin,
+        needsToUpdatePassword: true
+      })
+    })
+
+    it('should respond with too many requests when attempting with invalid password for a same user too many times', async () => {
+      await userController.createUser(user)
+
+      const promises: request.Test[] = []
+
+      const maxConsecutiveFailsByUsernameAndIp = Number(
+        process.env.MAX_CONSECUTIVE_FAILS_BY_USERNAME_AND_IP
+      )
+
+      Array(maxConsecutiveFailsByUsernameAndIp + 1)
+        .fill(0)
+        .map((_, i) => {
+          promises.push(
+            request(app)
+              .post('/SASLogon/login')
+              .set('x-xsrf-token', csrfToken)
+              .send({
+                username: user.username,
+                password: 'invalid-password'
+              })
+          )
+        })
+
+      await Promise.all(promises)
+
+      const res = await request(app)
+        .post('/SASLogon/login')
+        .set('x-xsrf-token', csrfToken)
+        .send({
+          username: user.username,
+          password: user.password
+        })
+        .expect(429)
+
+      expect(res.text).toContain('Too Many Requests!')
+    })
+
+    it('should respond with too many requests when attempting with invalid credentials for different users but with same ip too many times', async () => {
+      await userController.createUser(user)
+
+      const promises: request.Test[] = []
+
+      const maxWrongAttemptsByIpPerDay = Number(
+        process.env.MAX_WRONG_ATTEMPTS_BY_IP_PER_DAY
+      )
+
+      Array(maxWrongAttemptsByIpPerDay + 1)
+        .fill(0)
+        .map((_, i) => {
+          promises.push(
+            request(app)
+              .post('/SASLogon/login')
+              .set('x-xsrf-token', csrfToken)
+              .send({
+                username: `user${i}`,
+                password: 'invalid-password'
+              })
+          )
+        })
+
+      await Promise.all(promises)
+
+      const res = await request(app)
+        .post('/SASLogon/login')
+        .set('x-xsrf-token', csrfToken)
+        .send({
+          username: user.username,
+          password: user.password
+        })
+        .expect(429)
+
+      expect(res.text).toContain('Too Many Requests!')
+    })
+
+    it('should respond with Bad Request if CSRF Token is not present', async () => {
+      await userController.createUser(user)
+
+      const res = await request(app)
+        .post('/SASLogon/login')
+        .send({
+          username: user.username,
+          password: user.password
+        })
+        .expect(400)
+
+      expect(res.text).toEqual('Invalid CSRF token!')
+      expect(res.body).toEqual({})
+    })
+
+    it('should respond with Bad Request if CSRF Token is invalid', async () => {
+      await userController.createUser(user)
+
+      const res = await request(app)
+        .post('/SASLogon/login')
+        .set('x-xsrf-token', 'INVALID_CSRF_TOKEN')
+        .send({
+          username: user.username,
+          password: user.password
+        })
+        .expect(400)
+
+      expect(res.text).toEqual('Invalid CSRF token!')
+      expect(res.body).toEqual({})
+    })
+  })
+})
+
+const getCSRF = async (app: Express) => {
+  // make request to get CSRF
+  const { text } = await request(app).get('/')
+
+  return { csrfToken: extractCSRF(text) }
+}
+
+const performLogin = async (
+  app: Express,
+  credentials: { username: string; password: string },
+  csrfToken: string
+) => {
+  const { header } = await request(app)
+    .post('/SASLogon/login')
+    .set('x-xsrf-token', csrfToken)
+    .send(credentials)
+
+  return { authCookies: header['set-cookie'].join() }
+}
+
+const extractCSRF = (text: string) =>
+  /<script>document.cookie = 'XSRF-TOKEN=(.*); Max-Age=86400; SameSite=Strict; Path=\/;'<\/script>/.exec(
+    text
+  )![1]

api/src/routes/api/stp.ts

@@ -1,5 +1,8 @@
 import express from 'express'
-import { executeProgramRawValidation } from '../../utils'
+import {
+  executeProgramRawValidation,
+  triggerProgramValidation
+} from '../../utils'
 import { STPController } from '../../controllers/'
 import { FileUploadController } from '../../controllers/internal'
 
@@ -13,7 +16,17 @@ stpRouter.get('/execute', async (req, res) => {
   if (error) return res.status(400).send(error.details[0].message)
 
   try {
-    const response = await controller.executeReturnRaw(req, query._program)
+    const response = await controller.executeGetRequest(
+      req,
+      query._program,
+      query._debug
+    )
+
+    if (response instanceof Buffer) {
+      res.writeHead(200, (req as any).sasHeaders)
+      return res.end(response)
+    }
+
     res.send(response)
   } catch (err: any) {
     const statusCode = err.code
@@ -28,18 +41,26 @@ stpRouter.post(
   '/execute',
   fileUploadController.preUploadMiddleware,
   fileUploadController.getMulterUploadObject().any(),
-  async (req: any, res: any) => {
-    const { error: errQ, value: query } = executeProgramRawValidation(req.query)
-    const { error: errB, value: body } = executeProgramRawValidation(req.body)
+  async (req, res: any) => {
+    // below validations are moved to preUploadMiddleware
+    // const { error: errQ, value: query } = executeProgramRawValidation(req.query)
+    // const { error: errB, value: body } = executeProgramRawValidation(req.body)
 
-    if (errQ && errB) return res.status(400).send(errB.details[0].message)
+    // if (errQ && errB) return res.status(400).send(errB.details[0].message)
 
     try {
-      const response = await controller.executeReturnJson(
+      const response = await controller.executePostRequest(
         req,
-        body,
-        query?._program
+        req.body,
+        req.query?._program as string
       )
+
+      // TODO: investigate if this code is required
+      // if (response instanceof Buffer) {
+      //   res.writeHead(200, (req as any).sasHeaders)
+      //   return res.end(response)
+      // }
+
       res.send(response)
     } catch (err: any) {
       const statusCode = err.code
@@ -51,4 +72,23 @@ stpRouter.post(
   }
 )
 
+stpRouter.post('/trigger', async (req, res) => {
+  const { error, value: body } = triggerProgramValidation(req.body)
+
+  if (error) return res.status(400).send(error.details[0].message)
+
+  try {
+    const response = await controller.triggerProgram(req, body)
+
+    res.status(200)
+    res.send(response)
+  } catch (err: any) {
+    const statusCode = err.code
+
+    delete err.code
+
+    res.status(statusCode).send(err)
+  }
+})
+
 export default stpRouter

api/src/routes/api/user.ts

@@ -7,6 +7,7 @@ import {
 } from '../../middlewares'
 import {
   deleteUserValidation,
+  getUserValidation,
   registerUserValidation,
   updateUserValidation
 } from '../../utils'
@@ -22,7 +23,7 @@ userRouter.post('/', authenticateAccessToken, verifyAdmin, async (req, res) => {
     const response = await controller.createUser(body)
     res.send(response)
   } catch (err: any) {
-    res.status(403).send(err.toString())
+    res.status(err.code).send(err.message)
   }
 })
 
@@ -32,40 +33,115 @@ userRouter.get('/', authenticateAccessToken, async (req, res) => {
     const response = await controller.getAllUsers()
     res.send(response)
   } catch (err: any) {
-    res.status(403).send(err.toString())
+    res.status(err.code).send(err.message)
   }
 })
 
-userRouter.get('/:userId', authenticateAccessToken, async (req: any, res) => {
+userRouter.get(
+  '/by/username/:username',
+  authenticateAccessToken,
+  async (req, res) => {
+    const { error, value: params } = getUserValidation(req.params)
+    if (error) return res.status(400).send(error.details[0].message)
+
+    const { username } = params
+
+    const controller = new UserController()
+    try {
+      const response = await controller.getUserByUsername(req, username)
+      res.send(response)
+    } catch (err: any) {
+      res.status(err.code).send(err.message)
+    }
+  }
+)
+
+userRouter.get('/:userId', authenticateAccessToken, async (req, res) => {
   const { userId } = req.params
 
   const controller = new UserController()
   try {
-    const response = await controller.getUser(userId)
+    const response = await controller.getUser(req, parseInt(userId))
     res.send(response)
   } catch (err: any) {
-    res.status(403).send(err.toString())
+    res.status(err.code).send(err.message)
   }
 })
 
+userRouter.patch(
+  '/by/username/:username',
+  authenticateAccessToken,
+  verifyAdminIfNeeded,
+  async (req, res) => {
+    const { user } = req
+    const { error: errorUsername, value: params } = getUserValidation(
+      req.params
+    )
+    if (errorUsername)
+      return res.status(400).send(errorUsername.details[0].message)
+
+    const { username } = params
+
+    // only an admin can update `isActive` and `isAdmin` fields
+    const { error, value: body } = updateUserValidation(req.body, user!.isAdmin)
+    if (error) return res.status(400).send(error.details[0].message)
+
+    const controller = new UserController()
+    try {
+      const response = await controller.updateUserByUsername(username, body)
+      res.send(response)
+    } catch (err: any) {
+      res.status(err.code).send(err.message)
+    }
+  }
+)
+
 userRouter.patch(
   '/:userId',
   authenticateAccessToken,
   verifyAdminIfNeeded,
-  async (req: any, res) => {
+  async (req, res) => {
     const { user } = req
     const { userId } = req.params
 
     // only an admin can update `isActive` and `isAdmin` fields
-    const { error, value: body } = updateUserValidation(req.body, user.isAdmin)
+    const { error, value: body } = updateUserValidation(req.body, user!.isAdmin)
     if (error) return res.status(400).send(error.details[0].message)
 
     const controller = new UserController()
     try {
-      const response = await controller.updateUser(userId, body)
+      const response = await controller.updateUser(parseInt(userId), body)
       res.send(response)
     } catch (err: any) {
-      res.status(403).send(err.toString())
+      res.status(err.code).send(err.message)
+    }
+  }
+)
+
+userRouter.delete(
+  '/by/username/:username',
+  authenticateAccessToken,
+  verifyAdminIfNeeded,
+  async (req, res) => {
+    const { user } = req
+    const { error: errorUsername, value: params } = getUserValidation(
+      req.params
+    )
+    if (errorUsername)
+      return res.status(400).send(errorUsername.details[0].message)
+
+    const { username } = params
+
+    // only an admin can delete user without providing password
+    const { error, value: data } = deleteUserValidation(req.body, user!.isAdmin)
+    if (error) return res.status(400).send(error.details[0].message)
+
+    const controller = new UserController()
+    try {
+      await controller.deleteUserByUsername(username, data, user!.isAdmin)
+      res.status(200).send('Account Deleted!')
+    } catch (err: any) {
+      res.status(err.code).send(err.message)
     }
   }
 )
@@ -74,20 +150,20 @@ userRouter.delete(
   '/:userId',
   authenticateAccessToken,
   verifyAdminIfNeeded,
-  async (req: any, res) => {
+  async (req, res) => {
     const { user } = req
     const { userId } = req.params
 
     // only an admin can delete user without providing password
-    const { error, value: data } = deleteUserValidation(req.body, user.isAdmin)
+    const { error, value: data } = deleteUserValidation(req.body, user!.isAdmin)
     if (error) return res.status(400).send(error.details[0].message)
 
     const controller = new UserController()
     try {
-      await controller.deleteUser(userId, data, user.isAdmin)
+      await controller.deleteUser(parseInt(userId), data, user!.isAdmin)
       res.status(200).send('Account Deleted!')
     } catch (err: any) {
-      res.status(403).send(err.toString())
+      res.status(err.code).send(err.message)
     }
   }
 )