Security upgrades

lib/atna-audit.js

@@ -1,4 +1,4 @@
- /**
+/**
  * Copyright (c) 2017-present, Jembi Health Systems NPC.
  * All rights reserved.
  *
@@ -12,7 +12,7 @@ const fs = require('fs')
 const ATNA = require('atna-audit')
 const ATNAAuditConfig = require('./config').getConf('atnaAudit')
 
-let connDetail = {
+const connDetail = {
   interface: ATNAAuditConfig.interface,
   host: ATNAAuditConfig.host,
   port: ATNAAuditConfig.port
@@ -32,25 +32,25 @@ if (ATNAAuditConfig.certOptions.ca) {
 
 exports.buildPIXmAuditMsg = (ctx) => {
   // event
-  var eventID = new ATNA.construct.Code(110112, 'Query', 'DCM')
-  var typeCode = new ATNA.construct.Code('ITI-83', 'Mobile Patient Identifier Cross-reference Query', 'IHE Transactions')
-  var eIdent = new ATNA.construct.EventIdentification(ATNA.constants.EVENT_ACTION_EXECUTE, new Date(), ATNA.constants.OUTCOME_SUCCESS, eventID, typeCode)
+  const eventID = new ATNA.construct.Code(110112, 'Query', 'DCM')
+  const typeCode = new ATNA.construct.Code('ITI-83', 'Mobile Patient Identifier Cross-reference Query', 'IHE Transactions')
+  const eIdent = new ATNA.construct.EventIdentification(ATNA.constants.EVENT_ACTION_EXECUTE, new Date(), ATNA.constants.OUTCOME_SUCCESS, eventID, typeCode)
 
   // Active Participant - System
-  var sysRoleCode = new ATNA.construct.Code(110153, 'Source', 'DCM')
-  var sysParticipant = new ATNA.construct.ActiveParticipant(ctx.authenticatedUser, '', false, ctx.requestorIp, ATNA.constants.NET_AP_TYPE_IP, [sysRoleCode])
+  const sysRoleCode = new ATNA.construct.Code(110153, 'Source', 'DCM')
+  const sysParticipant = new ATNA.construct.ActiveParticipant(ctx.authenticatedUser, '', false, ctx.requestorIp, ATNA.constants.NET_AP_TYPE_IP, [sysRoleCode])
 
   // Active Participant - User
-  var userRoleCodeDef = new ATNA.construct.Code(110152, 'DCM', 'Destination')
-  var userParticipant = new ATNA.construct.ActiveParticipant(ctx.authenticatedUser, '', true, null, null, [userRoleCodeDef])
+  const userRoleCodeDef = new ATNA.construct.Code(110152, 'DCM', 'Destination')
+  const userParticipant = new ATNA.construct.ActiveParticipant(ctx.authenticatedUser, '', true, null, null, [userRoleCodeDef])
 
   // Audit Source
-  var sourceTypeCode = new ATNA.construct.Code(ATNA.constants.AUDIT_SRC_TYPE_WEB_SERVER, '', '')
-  var sourceIdent = new ATNA.construct.AuditSourceIdentification(null, ctx.authenticatedUser, sourceTypeCode)
+  const sourceTypeCode = new ATNA.construct.Code(ATNA.constants.AUDIT_SRC_TYPE_WEB_SERVER, '', '')
+  const sourceIdent = new ATNA.construct.AuditSourceIdentification(null, ctx.authenticatedUser, sourceTypeCode)
 
   // Participant Object
-  var objIdTypeCode = new ATNA.construct.Code('ITI-83', 'Mobile Patient Identifier Cross-reference Query', 'IHE Transactions')
-  var participantObj = new ATNA.construct.ParticipantObjectIdentification(
+  const objIdTypeCode = new ATNA.construct.Code('ITI-83', 'Mobile Patient Identifier Cross-reference Query', 'IHE Transactions')
+  const participantObj = new ATNA.construct.ParticipantObjectIdentification(
     ctx.fullUrl,
     ATNA.constants.OBJ_TYPE_SYS_OBJ,
     ATNA.constants.OBJ_TYPE_CODE_ROLE_QUERY,
@@ -62,8 +62,8 @@ exports.buildPIXmAuditMsg = (ctx) => {
     ctx.headers
   )
 
-  var audit = new ATNA.construct.AuditMessage(eIdent, [sysParticipant, userParticipant], [participantObj], [sourceIdent])
-  var xml = audit.toXML()
+  const audit = new ATNA.construct.AuditMessage(eIdent, [sysParticipant, userParticipant], [participantObj], [sourceIdent])
+  const xml = audit.toXML()
 
   const syslog = ATNA.construct.wrapInSyslog(xml)
 
@@ -72,25 +72,25 @@ exports.buildPIXmAuditMsg = (ctx) => {
 
 exports.buildPDQmAuditMsg = (ctx) => {
   // event
-  var eventID = new ATNA.construct.Code(110112, 'Query', 'DCM')
-  var typeCode = new ATNA.construct.Code('ITI-78', 'Mobile Patient Demographics Query', 'IHE Transactions')
-  var eIdent = new ATNA.construct.EventIdentification(ATNA.constants.EVENT_ACTION_EXECUTE, new Date(), ATNA.constants.OUTCOME_SUCCESS, eventID, typeCode)
+  const eventID = new ATNA.construct.Code(110112, 'Query', 'DCM')
+  const typeCode = new ATNA.construct.Code('ITI-78', 'Mobile Patient Demographics Query', 'IHE Transactions')
+  const eIdent = new ATNA.construct.EventIdentification(ATNA.constants.EVENT_ACTION_EXECUTE, new Date(), ATNA.constants.OUTCOME_SUCCESS, eventID, typeCode)
 
   // Active Participant - System
-  var sysRoleCode = new ATNA.construct.Code(110153, 'Source', 'DCM')
-  var sysParticipant = new ATNA.construct.ActiveParticipant(ctx.authenticatedUser, '', false, ctx.requestorIp, ATNA.constants.NET_AP_TYPE_IP, [sysRoleCode])
+  const sysRoleCode = new ATNA.construct.Code(110153, 'Source', 'DCM')
+  const sysParticipant = new ATNA.construct.ActiveParticipant(ctx.authenticatedUser, '', false, ctx.requestorIp, ATNA.constants.NET_AP_TYPE_IP, [sysRoleCode])
 
   // Active Participant - User
-  var userRoleCodeDef = new ATNA.construct.Code(110152, 'DCM', 'Destination')
-  var userParticipant = new ATNA.construct.ActiveParticipant(ctx.authenticatedUser, '', true, null, null, [userRoleCodeDef])
+  const userRoleCodeDef = new ATNA.construct.Code(110152, 'DCM', 'Destination')
+  const userParticipant = new ATNA.construct.ActiveParticipant(ctx.authenticatedUser, '', true, null, null, [userRoleCodeDef])
 
   // Audit Source
-  var sourceTypeCode = new ATNA.construct.Code(ATNA.constants.AUDIT_SRC_TYPE_WEB_SERVER, '', '')
-  var sourceIdent = new ATNA.construct.AuditSourceIdentification(null, ctx.authenticatedUser, sourceTypeCode)
+  const sourceTypeCode = new ATNA.construct.Code(ATNA.constants.AUDIT_SRC_TYPE_WEB_SERVER, '', '')
+  const sourceIdent = new ATNA.construct.AuditSourceIdentification(null, ctx.authenticatedUser, sourceTypeCode)
 
   // Participant Object
-  var objIdTypeCode = new ATNA.construct.Code('ITI-78', 'Mobile Patient Demographics Query', 'IHE Transactions')
-  var participantObj = new ATNA.construct.ParticipantObjectIdentification(
+  const objIdTypeCode = new ATNA.construct.Code('ITI-78', 'Mobile Patient Demographics Query', 'IHE Transactions')
+  const participantObj = new ATNA.construct.ParticipantObjectIdentification(
     ctx.fullUrl,
     ATNA.constants.OBJ_TYPE_SYS_OBJ,
     ATNA.constants.OBJ_TYPE_CODE_ROLE_QUERY,
@@ -102,8 +102,8 @@ exports.buildPDQmAuditMsg = (ctx) => {
     ctx.headers
   )
 
-  var audit = new ATNA.construct.AuditMessage(eIdent, [sysParticipant, userParticipant], [participantObj], [sourceIdent])
-  var xml = audit.toXML()
+  const audit = new ATNA.construct.AuditMessage(eIdent, [sysParticipant, userParticipant], [participantObj], [sourceIdent])
+  const xml = audit.toXML()
 
   const syslog = ATNA.construct.wrapInSyslog(xml)
 

lib/config.js

@@ -1,4 +1,4 @@
- /**
+/**
  * Copyright (c) 2017-present, Jembi Health Systems NPC.
  * All rights reserved.
  *

lib/constants.js

@@ -1,4 +1,4 @@
- /**
+/**
  * Copyright (c) 2017-present, Jembi Health Systems NPC.
  * All rights reserved.
  *

lib/custom-api/password-helper.js

@@ -1,4 +1,4 @@
- /**
+/**
  * Copyright (c) 2017-present, Jembi Health Systems NPC. All rights reserved.
  *
  * This source code is licensed under the BSD-style license found in the

lib/custom-api/session.js

@@ -68,7 +68,7 @@ module.exports = exports = mongo => {
       if (err) {
         return callback(err)
       }
-      db.collection('user').findOne({email}, callback)
+      db.collection('user').findOne({ email }, callback)
     })
   }
 
@@ -143,7 +143,7 @@ module.exports = exports = mongo => {
             return next(err)
           }
           logger.info(`Created session for user ${req.body.email}`)
-          res.status(201).send({token})
+          res.status(201).send({ token })
         })
       })
     }

lib/custom-api/user.js

@@ -1,4 +1,4 @@
- /**
+/**
  * Copyright (c) 2017-present, Jembi Health Systems NPC.
  * All rights reserved.
  *
@@ -34,13 +34,13 @@ const handleErrorAndBadRequest = (err, badRequest, res) => {
 }
 
 module.exports = (mongo) => {
-  let authorization = Authorization(mongo)
-  let fhirCommon = FhirCommon(mongo)
+  const authorization = Authorization(mongo)
+  const fhirCommon = FhirCommon(mongo)
   const hooks = Hooks()
 
-  let setPasswordHashForUser = (user) => {
+  const setPasswordHashForUser = (user) => {
     if (user.password) {
-      let saltHash = passwordHelper.generateSaltedHash(user.password)
+      const saltHash = passwordHelper.generateSaltedHash(user.password)
       user.hash = saltHash.hash
       user.salt = saltHash.salt
       delete user.password
@@ -56,8 +56,8 @@ module.exports = (mongo) => {
           return callback(err)
         }
 
-        let c = db.collection('user')
-        c.findOne({email: defaultUser.email}, (err, user) => {
+        const c = db.collection('user')
+        c.findOne({ email: defaultUser.email }, (err, user) => {
           if (err) {
             return callback(err)
           }
@@ -103,8 +103,8 @@ module.exports = (mongo) => {
             return res.status(500).send(fhirCommon.internalServerErrorOutcome())
           }
 
-          let c = db.collection('user')
-          c.findOne({email: req.params.email}, {fields: {salt: 1, locked: 1}}, (err, user) => {
+          const c = db.collection('user')
+          c.findOne({ email: req.params.email }, { fields: { salt: 1, locked: 1 } }, (err, user) => {
             if (err) {
               logger.error(err)
               return res.status(500).send(fhirCommon.internalServerErrorOutcome())
@@ -170,8 +170,8 @@ module.exports = (mongo) => {
               return res.status(500).send(fhirCommon.internalServerErrorOutcome())
             }
 
-            let c = db.collection('user')
-            c.findOne({email: req.params.email}, {fields: {email: 1, type: 1, resource: 1}}, (err, user) => {
+            const c = db.collection('user')
+            c.findOne({ email: req.params.email }, { fields: { email: 1, type: 1, resource: 1 } }, (err, user) => {
               if (err) {
                 logger.error(err)
                 return res.status(500).send(fhirCommon.internalServerErrorOutcome())
@@ -204,7 +204,7 @@ module.exports = (mongo) => {
           return res.status(badRequest.httpStatus).send(badRequest.resource)
         }
 
-        let query = { $and: [] }
+        const query = { $and: [] }
 
         if (req.query.resource) {
           query.$and.push({ resource: req.query.resource })
@@ -225,7 +225,7 @@ module.exports = (mongo) => {
               return res.status(500).send(fhirCommon.internalServerErrorOutcome())
             }
 
-            let c = db.collection('user')
+            const c = db.collection('user')
             c.findOne(query, { password: 0, hash: 0, salt: 0 }, (err, user) => {
               if (err) {
                 logger.error(err)
@@ -262,8 +262,8 @@ module.exports = (mongo) => {
               return res.status(500).send(fhirCommon.internalServerErrorOutcome())
             }
 
-            let c = db.collection('user')
-            c.findOne({email: req.body.email}, {fields: {email: 1}}, (err, user) => {
+            const c = db.collection('user')
+            c.findOne({ email: req.body.email }, { fields: { email: 1 } }, (err, user) => {
               if (err) {
                 logger.error(err)
                 return res.status(500).send(fhirCommon.internalServerErrorOutcome())
@@ -341,8 +341,8 @@ module.exports = (mongo) => {
               return res.status(500).send(fhirCommon.internalServerErrorOutcome())
             }
 
-            let c = db.collection('user')
-            c.findOne({email: req.params.email}, {fields: {email: 1}}, (err, user) => {
+            const c = db.collection('user')
+            c.findOne({ email: req.params.email }, { fields: { email: 1 } }, (err, user) => {
               if (err) {
                 logger.error(err)
                 return res.status(500).send(fhirCommon.internalServerErrorOutcome())
@@ -353,7 +353,7 @@ module.exports = (mongo) => {
               }
 
               setPasswordHashForUser(req.body)
-              c.updateOne({_id: user._id}, {$set: req.body}, (err) => {
+              c.updateOne({ _id: user._id }, { $set: req.body }, (err) => {
                 if (err) {
                   logger.error(err)
                   return res.status(500).send(fhirCommon.internalServerErrorOutcome())

lib/fhir/common.js

@@ -144,12 +144,14 @@ module.exports = exports = (mongo) => {
         return
       }
 
+      // eslint-disable-next-line array-callback-return
       _.castArray(property).map((prop) => {
         if (nextProperty[0]) {
           evaluateProperties(prop[nextProperty[0]], nextProperty.slice(1))
         } else {
           if (!prop.reference) {
             // No reference
+            // eslint-disable-next-line array-callback-return
             return
           }
           promises.push(new Promise((resolve, reject) => {
@@ -191,7 +193,7 @@ module.exports = exports = (mongo) => {
     const itemReference = itemList.slice(1)
 
     const promises = results
-      .filter(item => item['resourceType'] === itemResource)
+      .filter(item => item.resourceType === itemResource)
       .map(item => new Promise((resolve, reject) => {
         resolveNestedProperties(item, itemReference, (err, data) => {
           if (err) {
@@ -224,7 +226,7 @@ module.exports = exports = (mongo) => {
 
         let mappings = searchParamsMap[itemResource][itemReference]
         if (!Array.isArray(mappings)) {
-          mappings = [ mappings ]
+          mappings = [mappings]
         }
 
         resolve(mappings.map((mapping) => `${itemResource}.${mapping.path}`))
@@ -254,9 +256,9 @@ module.exports = exports = (mongo) => {
     })
 
     return Promise.all(promises).then((res) => {
-      let flattenedRes = [].concat.apply([], res)
+      const flattenedRes = [].concat.apply([], res)
 
-      for (var i = flattenedRes.length - 1; i >= 0; i--) {
+      for (let i = flattenedRes.length - 1; i >= 0; i--) {
         if (flattenedRes[i] == null) {
           flattenedRes.splice(i, 1) // remove null values from the result set
         }
@@ -296,7 +298,7 @@ module.exports = exports = (mongo) => {
     }
 
     // Get a reference to the module for searching by the resource type
-    let module = moduleLoader.getMatchingModule(resourceType)
+    const module = moduleLoader.getMatchingModule(resourceType)
 
     // Build a query for each result
     const queryPromises = results.map((result) => {
@@ -330,7 +332,7 @@ module.exports = exports = (mongo) => {
           }
           resolve(db)
         })
-      }).then(db => db.collection(resourceType).find({$or: queries}).toArray())
+      }).then(db => db.collection(resourceType).find({ $or: queries }).toArray())
     })
   }
 
@@ -520,7 +522,7 @@ module.exports = exports = (mongo) => {
      * @param {Object} list The array of json objects as the search context
      */
     containsObject: (obj, list) => {
-      var i
+      let i
       for (i = 0; i < list.length; i++) {
         if (_.isEqual(list[i], obj)) {
           return true
@@ -602,7 +604,7 @@ module.exports = exports = (mongo) => {
        * @return {Object}          a reference to the original resource.
        */
       resolveReferences: function resolveReferences (resource, oldRef, newRef) {
-        for (let prop in resource) {
+        for (const prop in resource) {
           if (prop === 'reference' && resource[prop] === oldRef) {
             resource[prop] = newRef
           } else if (typeof resource[prop] === 'object') {

lib/fhir/core.js

@@ -1,4 +1,4 @@
- /**
+/**
  * Copyright (c) 2017-present, Jembi Health Systems NPC.
  * All rights reserved.
  *
@@ -195,7 +195,7 @@ module.exports = (mongo, modules) => {
 
         let fhirModule = modules[resourceType]
         if (!fhirModule) {
-          fhirModule = modules['Default']
+          fhirModule = modules.Default
         }
         hooks.executeBeforeHooks('search', fhirModule, ctx, resourceType, (err, badRequest) => {
           if (err || badRequest) {
@@ -351,11 +351,11 @@ module.exports = (mongo, modules) => {
               return callback(err)
             }
 
-            let query = [
+            const query = [
               { $limit: 1 },
               { $lookup: { from: resourceType, pipeline: [], as: 'top' } },
               { $lookup: { from: `${resourceType}_history`, pipeline: [], as: 'history' } },
-              { $project: { all: { $setUnion: [ '$top', '$history' ] } } },
+              { $project: { all: { $setUnion: ['$top', '$history'] } } },
               { $unwind: '$all' },
               { $replaceRoot: { newRoot: '$all' } }
             ]
@@ -371,7 +371,7 @@ module.exports = (mongo, modules) => {
               query[2].$lookup.pipeline.push(matchClause)
             }
 
-            let cntQuery = query.slice(0, query.length)
+            const cntQuery = query.slice(0, query.length)
             cntQuery.push({ $count: 'total' })
 
             query.push({ $sort: { '_transforms.meta.lastUpdated': -1 } })
@@ -383,7 +383,7 @@ module.exports = (mongo, modules) => {
               }
 
               const c = db.collection(resourceType)
-              c.aggregate(cntQuery, (err, total) => {
+              c.aggregate(cntQuery).toArray((err, total) => {
                 if (err) {
                   return callback(err)
                 }
@@ -563,7 +563,7 @@ module.exports = (mongo, modules) => {
 
               const op = config.getConf('operations:updateCreate')
               if (typeof op !== 'boolean') {
-                logger.debug(`'operations:updateCreate' is not a boolean value`)
+                logger.debug('\'operations:updateCreate\' is not a boolean value')
               }
 
               if ((typeof op === 'string') && (op === 'true')) {
@@ -759,7 +759,7 @@ module.exports = (mongo, modules) => {
           return callback(null, fhirCommon.buildHTTPOutcome(400, 'error', 'invalid', 'Match operation not supported on resource type'))
         }
 
-        const matchModule = modules['Matching']
+        const matchModule = modules.Matching
 
         matchModule.match(resourceType, resource, count, (err, badRequest, results, certainMatchFlag) => {
           if (err || badRequest) {