chore(release): publish new version

- @standardnotes/api-gateway@1.19.6
 - @standardnotes/auth-server@1.29.0
 - @standardnotes/common@1.33.0
 - @standardnotes/domain-events-infra@1.8.11
 - @standardnotes/domain-events@2.60.5
 - @standardnotes/event-store@1.3.16
 - @standardnotes/files-server@1.6.0
 - @standardnotes/predicates@1.4.2
 - @standardnotes/scheduler-server@1.10.30
 - @standardnotes/security@1.3.3
 - @standardnotes/syncing-server@1.8.6

packages/analytics/CHANGELOG.md

@@ -3,6 +3,12 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+## [1.29.1](https://github.com/standardnotes/server/compare/@standardnotes/analytics@1.29.0...@standardnotes/analytics@1.29.1) (2022-09-16)
+
+### Bug Fixes
+
+* **auth:** change remaining subscription time stats to percentage ([5eb957c](https://github.com/standardnotes/server/commit/5eb957c82a8cc5fdcb6815e2cd30e49cd2b1e8ac))
+
 # [1.29.0](https://github.com/standardnotes/server/compare/@standardnotes/analytics@1.28.0...@standardnotes/analytics@1.29.0) (2022-09-15)
 
 ### Features

packages/analytics/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@standardnotes/analytics",
-  "version": "1.29.0",
+  "version": "1.29.1",
   "engines": {
     "node": ">=14.0.0 <17.0.0"
   },

packages/analytics/src/Domain/Statistics/StatisticsMeasure.ts

@@ -3,7 +3,7 @@ export enum StatisticsMeasure {
   SubscriptionLength = 'subscription-length',
   RegistrationLength = 'registration-length',
   RegistrationToSubscriptionTime = 'registration-to-subscription-time',
-  SubscriptionCancelToExpireTime = 'subscription-cancel-to-expire-time',
+  RemainingSubscriptionTimePercentage = 'remaining-subscription-time-percentage',
   Refunds = 'refunds',
   NotesCountFreeUsers = 'notes-count-free-users',
   NotesCountPaidUsers = 'notes-count-paid-users',

packages/api-gateway/CHANGELOG.md

@@ -3,6 +3,16 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+## [1.19.6](https://github.com/standardnotes/api-gateway/compare/@standardnotes/api-gateway@1.19.5...@standardnotes/api-gateway@1.19.6) (2022-09-19)
+
+**Note:** Version bump only for package @standardnotes/api-gateway
+
+## [1.19.5](https://github.com/standardnotes/api-gateway/compare/@standardnotes/api-gateway@1.19.4...@standardnotes/api-gateway@1.19.5) (2022-09-16)
+
+### Bug Fixes
+
+* **auth:** change remaining subscription time stats to percentage ([5eb957c](https://github.com/standardnotes/api-gateway/commit/5eb957c82a8cc5fdcb6815e2cd30e49cd2b1e8ac))
+
 ## [1.19.4](https://github.com/standardnotes/api-gateway/compare/@standardnotes/api-gateway@1.19.3...@standardnotes/api-gateway@1.19.4) (2022-09-16)
 
 **Note:** Version bump only for package @standardnotes/api-gateway

packages/api-gateway/bin/report.ts

@@ -94,7 +94,7 @@ const requestReport = async (
     StatisticsMeasure.RegistrationLength,
     StatisticsMeasure.SubscriptionLength,
     StatisticsMeasure.RegistrationToSubscriptionTime,
-    StatisticsMeasure.SubscriptionCancelToExpireTime,
+    StatisticsMeasure.RemainingSubscriptionTimePercentage,
     StatisticsMeasure.NotesCountFreeUsers,
     StatisticsMeasure.NotesCountPaidUsers,
     StatisticsMeasure.FilesCount,

packages/api-gateway/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@standardnotes/api-gateway",
-  "version": "1.19.4",
+  "version": "1.19.6",
   "engines": {
     "node": ">=16.0.0 <17.0.0"
   },

packages/auth/CHANGELOG.md

@@ -3,6 +3,24 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+# [1.29.0](https://github.com/standardnotes/server/compare/@standardnotes/auth-server@1.28.4...@standardnotes/auth-server@1.29.0) (2022-09-19)
+
+### Features
+
+* **files:** add validating remote identifiers ([db15457](https://github.com/standardnotes/server/commit/db15457ce4eb533ec822cf93c3ed83eafe9e64d5))
+
+## [1.28.4](https://github.com/standardnotes/server/compare/@standardnotes/auth-server@1.28.3...@standardnotes/auth-server@1.28.4) (2022-09-16)
+
+### Bug Fixes
+
+* **auth:** feature service spec ([c207c3f](https://github.com/standardnotes/server/commit/c207c3fc8442eec9b8c3150f09ecccfdd6a5ed50))
+
+## [1.28.3](https://github.com/standardnotes/server/compare/@standardnotes/auth-server@1.28.2...@standardnotes/auth-server@1.28.3) (2022-09-16)
+
+### Bug Fixes
+
+* **auth:** change remaining subscription time stats to percentage ([5eb957c](https://github.com/standardnotes/server/commit/5eb957c82a8cc5fdcb6815e2cd30e49cd2b1e8ac))
+
 ## [1.28.2](https://github.com/standardnotes/server/compare/@standardnotes/auth-server@1.28.1...@standardnotes/auth-server@1.28.2) (2022-09-16)
 
 ### Bug Fixes

packages/auth/migrations/1663321030000-add_renewed_at_column.ts

@@ -0,0 +1,13 @@
+import { MigrationInterface, QueryRunner } from 'typeorm'
+
+export class addRenewedAtColumn1663321030000 implements MigrationInterface {
+  name = 'addRenewedAtColumn1663321030000'
+
+  public async up(queryRunner: QueryRunner): Promise<void> {
+    await queryRunner.query('ALTER TABLE `user_subscriptions` ADD `renewed_at` bigint NULL')
+  }
+
+  public async down(): Promise<void> {
+    return
+  }
+}

packages/auth/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@standardnotes/auth-server",
-  "version": "1.28.2",
+  "version": "1.29.0",
   "engines": {
     "node": ">=16.0.0 <17.0.0"
   },

packages/auth/src/Bootstrap/Container.ts

@@ -130,7 +130,14 @@ import { RedisOfflineSubscriptionTokenRepository } from '../Infra/Redis/RedisOff
 import { CreateOfflineSubscriptionToken } from '../Domain/UseCase/CreateOfflineSubscriptionToken/CreateOfflineSubscriptionToken'
 import { AuthenticateOfflineSubscriptionToken } from '../Domain/UseCase/AuthenticateOfflineSubscriptionToken/AuthenticateOfflineSubscriptionToken'
 import { SubscriptionCancelledEventHandler } from '../Domain/Handler/SubscriptionCancelledEventHandler'
-import { ContentDecoder, ContentDecoderInterface, ProtocolVersion } from '@standardnotes/common'
+import {
+  ContentDecoder,
+  ContentDecoderInterface,
+  ProtocolVersion,
+  Uuid,
+  UuidValidator,
+  ValidatorInterface,
+} from '@standardnotes/common'
 import { GetUserOfflineSubscription } from '../Domain/UseCase/GetUserOfflineSubscription/GetUserOfflineSubscription'
 import { ApiGatewayOfflineAuthMiddleware } from '../Controller/ApiGatewayOfflineAuthMiddleware'
 import { UserEmailChangedEventHandler } from '../Domain/Handler/UserEmailChangedEventHandler'
@@ -559,6 +566,7 @@ export class ContainerConfigLoader {
     container
       .bind<StatisticsStoreInterface>(TYPES.StatisticsStore)
       .toConstantValue(new RedisStatisticsStore(periodKeyGenerator, container.get(TYPES.Redis)))
+    container.bind<ValidatorInterface<Uuid>>(TYPES.UuidValidator).to(UuidValidator)
 
     if (env.get('SNS_TOPIC_ARN', true)) {
       container

packages/auth/src/Bootstrap/Types.ts

@@ -189,6 +189,7 @@ const TYPES = {
   UserSubscriptionService: Symbol.for('UserSubscriptionService'),
   AnalyticsStore: Symbol.for('AnalyticsStore'),
   StatisticsStore: Symbol.for('StatisticsStore'),
+  UuidValidator: Symbol.for('UuidValidator'),
 }
 
 export default TYPES

packages/auth/src/Controller/ValetTokenController.spec.ts

@@ -4,18 +4,23 @@ import { Request, Response } from 'express'
 import { results } from 'inversify-express-utils'
 import { ValetTokenController } from './ValetTokenController'
 import { CreateValetToken } from '../Domain/UseCase/CreateValetToken/CreateValetToken'
+import { Uuid, ValidatorInterface } from '@standardnotes/common'
 
 describe('ValetTokenController', () => {
   let createValetToken: CreateValetToken
+  let uuidValidator: ValidatorInterface<Uuid>
   let request: Request
   let response: Response
 
-  const createController = () => new ValetTokenController(createValetToken)
+  const createController = () => new ValetTokenController(createValetToken, uuidValidator)
 
   beforeEach(() => {
     createValetToken = {} as jest.Mocked<CreateValetToken>
     createValetToken.execute = jest.fn().mockReturnValue({ success: true, valetToken: 'foobar' })
 
+    uuidValidator = {} as jest.Mocked<ValidatorInterface<Uuid>>
+    uuidValidator.validate = jest.fn().mockReturnValue(true)
+
     request = {
       body: {
         operation: 'write',
@@ -42,6 +47,17 @@ describe('ValetTokenController', () => {
     expect(await result.content.readAsStringAsync()).toEqual('{"success":true,"valetToken":"foobar"}')
   })
 
+  it('should not create a valet token if the remote resource identifier is not a valid uuid', async () => {
+    uuidValidator.validate = jest.fn().mockReturnValue(false)
+
+    const httpResponse = <results.JsonResult>await createController().create(request, response)
+    const result = await httpResponse.executeAsync()
+
+    expect(createValetToken.execute).not.toHaveBeenCalled()
+
+    expect(result.statusCode).toEqual(400)
+  })
+
   it('should create a read valet token for read only access session', async () => {
     response.locals.readOnlyAccess = true
     request.body.operation = 'read'

packages/auth/src/Controller/ValetTokenController.ts

@@ -11,12 +11,15 @@ import { CreateValetTokenPayload } from '@standardnotes/responses'
 
 import TYPES from '../Bootstrap/Types'
 import { CreateValetToken } from '../Domain/UseCase/CreateValetToken/CreateValetToken'
-import { ErrorTag } from '@standardnotes/common'
+import { ErrorTag, Uuid, ValidatorInterface } from '@standardnotes/common'
 import { ValetTokenOperation } from '@standardnotes/security'
 
 @controller('/valet-tokens', TYPES.ApiGatewayAuthMiddleware)
 export class ValetTokenController extends BaseHttpController {
-  constructor(@inject(TYPES.CreateValetToken) private createValetKey: CreateValetToken) {
+  constructor(
+    @inject(TYPES.CreateValetToken) private createValetKey: CreateValetToken,
+    @inject(TYPES.UuidValidator) private uuidValitor: ValidatorInterface<Uuid>,
+  ) {
     super()
   }
 
@@ -36,6 +39,20 @@ export class ValetTokenController extends BaseHttpController {
       )
     }
 
+    for (const resource of payload.resources) {
+      if (!this.uuidValitor.validate(resource.remoteIdentifier)) {
+        return this.json(
+          {
+            error: {
+              tag: ErrorTag.ParametersInvalid,
+              message: 'Invalid remote resource identifier.',
+            },
+          },
+          400,
+        )
+      }
+    }
+
     const createValetKeyResponse = await this.createValetKey.execute({
       userUuid: response.locals.user.uuid,
       operation: payload.operation as ValetTokenOperation,

packages/auth/src/Domain/Feature/FeatureService.spec.ts

@@ -82,6 +82,7 @@ describe('FeatureService', () => {
       uuid: 'subscription-1-1-1',
       createdAt: 111,
       updatedAt: 222,
+      renewedAt: null,
       planName: SubscriptionName.PlusPlan,
       endsAt: 555,
       user: Promise.resolve(user),
@@ -95,6 +96,7 @@ describe('FeatureService', () => {
       uuid: 'subscription-2-2-2',
       createdAt: 222,
       updatedAt: 333,
+      renewedAt: null,
       planName: SubscriptionName.ProPlan,
       endsAt: 777,
       user: Promise.resolve(user),
@@ -108,6 +110,7 @@ describe('FeatureService', () => {
       uuid: 'subscription-3-3-3-canceled',
       createdAt: 111,
       updatedAt: 222,
+      renewedAt: null,
       planName: SubscriptionName.PlusPlan,
       endsAt: 333,
       user: Promise.resolve(user),
@@ -121,6 +124,7 @@ describe('FeatureService', () => {
       uuid: 'subscription-4-4-4-canceled',
       createdAt: 111,
       updatedAt: 222,
+      renewedAt: null,
       planName: SubscriptionName.PlusPlan,
       endsAt: 333,
       user: Promise.resolve(user),
@@ -240,6 +244,7 @@ describe('FeatureService', () => {
         uuid: 'subscription-1-1-1',
         createdAt: 111,
         updatedAt: 222,
+        renewedAt: null,
         planName: 'non existing plan name' as SubscriptionName,
         endsAt: 555,
         user: Promise.resolve(user),

packages/auth/src/Domain/Handler/SubscriptionCancelledEventHandler.ts

@@ -27,14 +27,6 @@ export class SubscriptionCancelledEventHandler implements DomainEventHandlerInte
     @inject(TYPES.StatisticsStore) private statisticsStore: StatisticsStoreInterface,
   ) {}
   async handle(event: SubscriptionCancelledEvent): Promise<void> {
-    if (event.payload.offline) {
-      await this.updateOfflineSubscriptionCancelled(event.payload.subscriptionId, event.payload.timestamp)
-
-      return
-    }
-
-    await this.updateSubscriptionCancelled(event.payload.subscriptionId, event.payload.timestamp)
-
     const user = await this.userRepository.findOneByEmail(event.payload.userEmail)
     if (user !== null) {
       const { analyticsId } = await this.getUserAnalyticsId.execute({ userUuid: user.uuid })
@@ -54,14 +46,27 @@ export class SubscriptionCancelledEventHandler implements DomainEventHandlerInte
           Period.ThisMonth,
         ])
 
+        const lastPurchaseTime = lastSubscription.renewedAt ?? lastSubscription.updatedAt
         const remainingSubscriptionTime = lastSubscription.endsAt - event.payload.timestamp
+        const totalSubscriptionTime = lastSubscription.endsAt - lastPurchaseTime
+
+        const remainingSubscriptionPercentage = Math.floor((remainingSubscriptionTime / totalSubscriptionTime) * 100)
+
         await this.statisticsStore.incrementMeasure(
-          StatisticsMeasure.SubscriptionCancelToExpireTime,
-          remainingSubscriptionTime,
+          StatisticsMeasure.RemainingSubscriptionTimePercentage,
+          remainingSubscriptionPercentage,
           [Period.Today, Period.ThisWeek, Period.ThisMonth],
         )
       }
     }
+
+    if (event.payload.offline) {
+      await this.updateOfflineSubscriptionCancelled(event.payload.subscriptionId, event.payload.timestamp)
+
+      return
+    }
+
+    await this.updateSubscriptionCancelled(event.payload.subscriptionId, event.payload.timestamp)
   }
 
   private async updateSubscriptionCancelled(subscriptionId: number, timestamp: number): Promise<void> {

packages/auth/src/Domain/Subscription/UserSubscription.ts

@@ -34,6 +34,13 @@ export class UserSubscription {
   @Index('updated_at')
   declare updatedAt: number
 
+  @Column({
+    name: 'renewed_at',
+    type: 'bigint',
+    nullable: true,
+  })
+  declare renewedAt: number | null
+
   @Column({
     type: 'tinyint',
     width: 1,

packages/auth/src/Infra/MySQL/MySQLUserSubscriptionRepository.spec.ts

@@ -138,7 +138,8 @@ describe('MySQLUserSubscriptionRepository', () => {
 
     expect(updateQueryBuilder.update).toHaveBeenCalled()
     expect(updateQueryBuilder.set).toHaveBeenCalledWith({
-      updatedAt: expect.any(Number),
+      updatedAt: 1000,
+      renewedAt: 1000,
       endsAt: 1000,
     })
     expect(updateQueryBuilder.where).toHaveBeenCalledWith('subscription_id = :subscriptionId', {

packages/auth/src/Infra/MySQL/MySQLUserSubscriptionRepository.ts

@@ -88,13 +88,14 @@ export class MySQLUserSubscriptionRepository implements UserSubscriptionReposito
     return null
   }
 
-  async updateEndsAt(subscriptionId: number, endsAt: number, updatedAt: number): Promise<void> {
+  async updateEndsAt(subscriptionId: number, endsAt: number, timestamp: number): Promise<void> {
     await this.ormRepository
       .createQueryBuilder()
       .update()
       .set({
         endsAt,
-        updatedAt,
+        updatedAt: timestamp,
+        renewedAt: timestamp,
       })
       .where('subscription_id = :subscriptionId', {
         subscriptionId,

packages/common/CHANGELOG.md

@@ -3,6 +3,12 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+# [1.33.0](https://github.com/standardnotes/server/compare/@standardnotes/common@1.32.0...@standardnotes/common@1.33.0) (2022-09-19)
+
+### Features
+
+* **files:** add validating remote identifiers ([db15457](https://github.com/standardnotes/server/commit/db15457ce4eb533ec822cf93c3ed83eafe9e64d5))
+
 # [1.32.0](https://github.com/standardnotes/server/compare/@standardnotes/common@1.31.0...@standardnotes/common@1.32.0) (2022-09-09)
 
 ### Features

packages/common/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@standardnotes/common",
-  "version": "1.32.0",
+  "version": "1.33.0",
   "engines": {
     "node": ">=16.0.0 <17.0.0"
   },

packages/common/src/Domain/Validator/UuidValidator.spec.ts

@@ -0,0 +1,34 @@
+import { UuidValidator } from './UuidValidator'
+
+describe('UuidValidator', () => {
+  const createValidator = () => new UuidValidator()
+
+  const validUuids = [
+    '2221101c-1da9-4d2b-9b32-b8be2a8d1c82',
+    'c08f2f29-a74b-42b4-aefd-98af9832391c',
+    'b453fa64-1493-443b-b5bb-bca7b9c696c7',
+  ]
+
+  const invalidUuids = [
+    123,
+    'someone@127.0.0.1',
+    '',
+    null,
+    'b453fa64-1493-443b-b5bb-ca7b9c696c7',
+    'c08f*f29-a74b-42b4-aefd-98af9832391c',
+    'c08f*f29-a74b-42b4-aefd-98af9832391c',
+    '../../escaped.sh',
+  ]
+
+  it('should validate proper uuids', () => {
+    for (const validUuid of validUuids) {
+      expect(createValidator().validate(validUuid)).toBeTruthy()
+    }
+  })
+
+  it('should not validate invalid uuids', () => {
+    for (const invalidUuid of invalidUuids) {
+      expect(createValidator().validate(invalidUuid as string)).toBeFalsy()
+    }
+  })
+})

packages/common/src/Domain/Validator/UuidValidator.ts

@@ -0,0 +1,10 @@
+import { Uuid } from '../DataType/Uuid'
+import { ValidatorInterface } from './ValidatorInterface'
+
+export class UuidValidator implements ValidatorInterface<Uuid> {
+  private readonly UUID_REGEX = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-5][0-9a-f]{3}-[089ab][0-9a-f]{3}-[0-9a-f]{12}$/i
+
+  validate(data: Uuid): boolean {
+    return String(data).toLowerCase().match(this.UUID_REGEX) !== null
+  }
+}

packages/common/src/Domain/Validator/ValidatorInterface.ts

@@ -0,0 +1,3 @@
+export interface ValidatorInterface<T> {
+  validate(data: T): boolean
+}

packages/common/src/Domain/index.ts

@@ -20,3 +20,5 @@ export * from './Role/RoleName'
 export * from './Subscription/SubscriptionName'
 export * from './Type/Either'
 export * from './Type/Only'
+export * from './Validator/UuidValidator'
+export * from './Validator/ValidatorInterface'

packages/domain-events-infra/CHANGELOG.md

@@ -3,6 +3,10 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+## [1.8.11](https://github.com/standardnotes/server/compare/@standardnotes/domain-events-infra@1.8.10...@standardnotes/domain-events-infra@1.8.11) (2022-09-19)
+
+**Note:** Version bump only for package @standardnotes/domain-events-infra
+
 ## [1.8.10](https://github.com/standardnotes/server/compare/@standardnotes/domain-events-infra@1.8.9...@standardnotes/domain-events-infra@1.8.10) (2022-09-16)
 
 **Note:** Version bump only for package @standardnotes/domain-events-infra

packages/domain-events-infra/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@standardnotes/domain-events-infra",
-  "version": "1.8.10",
+  "version": "1.8.11",
   "engines": {
     "node": ">=16.0.0 <17.0.0"
   },

packages/domain-events/CHANGELOG.md

@@ -3,6 +3,10 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+## [2.60.5](https://github.com/standardnotes/server/compare/@standardnotes/domain-events@2.60.4...@standardnotes/domain-events@2.60.5) (2022-09-19)
+
+**Note:** Version bump only for package @standardnotes/domain-events
+
 ## [2.60.4](https://github.com/standardnotes/server/compare/@standardnotes/domain-events@2.60.3...@standardnotes/domain-events@2.60.4) (2022-09-16)
 
 **Note:** Version bump only for package @standardnotes/domain-events

packages/domain-events/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@standardnotes/domain-events",
-  "version": "2.60.4",
+  "version": "2.60.5",
   "engines": {
     "node": ">=16.0.0 <17.0.0"
   },

packages/event-store/CHANGELOG.md

@@ -3,6 +3,10 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+## [1.3.16](https://github.com/standardnotes/server/compare/@standardnotes/event-store@1.3.15...@standardnotes/event-store@1.3.16) (2022-09-19)
+
+**Note:** Version bump only for package @standardnotes/event-store
+
 ## [1.3.15](https://github.com/standardnotes/server/compare/@standardnotes/event-store@1.3.14...@standardnotes/event-store@1.3.15) (2022-09-16)
 
 **Note:** Version bump only for package @standardnotes/event-store

packages/event-store/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@standardnotes/event-store",
-  "version": "1.3.15",
+  "version": "1.3.16",
   "description": "Event Store Service",
   "private": true,
   "main": "dist/src/index.js",

packages/files/CHANGELOG.md

@@ -3,6 +3,12 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+# [1.6.0](https://github.com/standardnotes/files/compare/@standardnotes/files-server@1.5.52...@standardnotes/files-server@1.6.0) (2022-09-19)
+
+### Features
+
+* **files:** add validating remote identifiers ([db15457](https://github.com/standardnotes/files/commit/db15457ce4eb533ec822cf93c3ed83eafe9e64d5))
+
 ## [1.5.52](https://github.com/standardnotes/files/compare/@standardnotes/files-server@1.5.51...@standardnotes/files-server@1.5.52) (2022-09-16)
 
 ### Bug Fixes

packages/files/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@standardnotes/files-server",
-  "version": "1.5.52",
+  "version": "1.6.0",
   "engines": {
     "node": ">=16.0.0 <17.0.0"
   },

packages/files/src/Bootstrap/Container.ts

@@ -44,6 +44,7 @@ import {
 import { MarkFilesToBeRemoved } from '../Domain/UseCase/MarkFilesToBeRemoved/MarkFilesToBeRemoved'
 import { AccountDeletionRequestedEventHandler } from '../Domain/Handler/AccountDeletionRequestedEventHandler'
 import { SharedSubscriptionInvitationCanceledEventHandler } from '../Domain/Handler/SharedSubscriptionInvitationCanceledEventHandler'
+import { Uuid, UuidValidator, ValidatorInterface } from '@standardnotes/common'
 
 export class ContainerConfigLoader {
   async load(): Promise<Container> {
@@ -107,6 +108,7 @@ export class ContainerConfigLoader {
         .toConstantValue(new FSFileUploader(container.get(TYPES.FILE_UPLOAD_PATH), container.get(TYPES.Logger)))
       container.bind<FileRemoverInterface>(TYPES.FileRemover).to(FSFileRemover)
     }
+    container.bind<ValidatorInterface<Uuid>>(TYPES.UuidValidator).to(UuidValidator)
 
     if (env.get('SNS_AWS_REGION', true)) {
       container.bind<AWS.SNS>(TYPES.SNS).toConstantValue(

packages/files/src/Bootstrap/Types.ts

@@ -23,6 +23,7 @@ const TYPES = {
   FileUploader: Symbol.for('FileUploader'),
   FileDownloader: Symbol.for('FileDownloader'),
   FileRemover: Symbol.for('FileRemover'),
+  UuidValidator: Symbol.for('UuidValidator'),
 
   // repositories
   UploadRepository: Symbol.for('UploadRepository'),

packages/files/src/Controller/ValetTokenAuthMiddleware.spec.ts

@@ -4,9 +4,11 @@ import { ValetTokenAuthMiddleware } from './ValetTokenAuthMiddleware'
 import { NextFunction, Request, Response } from 'express'
 import { Logger } from 'winston'
 import { TokenDecoderInterface, ValetTokenData } from '@standardnotes/security'
+import { Uuid, ValidatorInterface } from '@standardnotes/common'
 
 describe('ValetTokenAuthMiddleware', () => {
   let tokenDecoder: TokenDecoderInterface<ValetTokenData>
+  let uuidValidator: ValidatorInterface<Uuid>
   let request: Request
   let response: Response
   let next: NextFunction
@@ -15,7 +17,7 @@ describe('ValetTokenAuthMiddleware', () => {
     debug: jest.fn(),
   } as unknown as jest.Mocked<Logger>
 
-  const createMiddleware = () => new ValetTokenAuthMiddleware(tokenDecoder, logger)
+  const createMiddleware = () => new ValetTokenAuthMiddleware(tokenDecoder, uuidValidator, logger)
 
   beforeEach(() => {
     tokenDecoder = {} as jest.Mocked<TokenDecoderInterface<ValetTokenData>>
@@ -32,6 +34,9 @@ describe('ValetTokenAuthMiddleware', () => {
       uploadBytesUsed: 80,
     })
 
+    uuidValidator = {} as jest.Mocked<ValidatorInterface<Uuid>>
+    uuidValidator.validate = jest.fn().mockReturnValue(true)
+
     request = {
       headers: {},
       query: {},
@@ -174,6 +179,30 @@ describe('ValetTokenAuthMiddleware', () => {
     expect(next).not.toHaveBeenCalled()
   })
 
+  it('should not authorize if valet token has an invalid remote resource identifier', async () => {
+    tokenDecoder.decodeToken = jest.fn().mockReturnValue({
+      userUuid: '1-2-3',
+      permittedResources: [
+        {
+          remoteIdentifier: '1-2-3/2-3-4',
+          unencryptedFileSize: 30,
+        },
+      ],
+      permittedOperation: 'write',
+      uploadBytesLimit: -1,
+      uploadBytesUsed: 80,
+    })
+
+    request.headers['x-valet-token'] = 'valet-token'
+
+    uuidValidator.validate = jest.fn().mockReturnValue(false)
+
+    await createMiddleware().handler(request, response, next)
+
+    expect(response.status).toHaveBeenCalledWith(401)
+    expect(next).not.toHaveBeenCalled()
+  })
+
   it('should not authorize if auth valet token is malformed', async () => {
     request.headers['x-valet-token'] = 'valet-token'
 

packages/files/src/Controller/ValetTokenAuthMiddleware.ts

@@ -1,3 +1,4 @@
+import { Uuid, ValidatorInterface } from '@standardnotes/common'
 import { TokenDecoderInterface, ValetTokenData } from '@standardnotes/security'
 import { NextFunction, Request, Response } from 'express'
 import { inject, injectable } from 'inversify'
@@ -9,6 +10,7 @@ import TYPES from '../Bootstrap/Types'
 export class ValetTokenAuthMiddleware extends BaseMiddleware {
   constructor(
     @inject(TYPES.ValetTokenDecoder) private tokenDecoder: TokenDecoderInterface<ValetTokenData>,
+    @inject(TYPES.UuidValidator) private uuidValidator: ValidatorInterface<Uuid>,
     @inject(TYPES.Logger) private logger: Logger,
   ) {
     super()
@@ -45,6 +47,21 @@ export class ValetTokenAuthMiddleware extends BaseMiddleware {
         return
       }
 
+      for (const resource of valetTokenData.permittedResources) {
+        if (!this.uuidValidator.validate(resource.remoteIdentifier)) {
+          this.logger.debug('Invalid remote resource identifier in token.')
+
+          response.status(401).send({
+            error: {
+              tag: 'invalid-auth',
+              message: 'Invalid valet token.',
+            },
+          })
+
+          return
+        }
+      }
+
       if (this.userHasNoSpaceToUpload(valetTokenData)) {
         response.status(403).send({
           error: {

packages/predicates/CHANGELOG.md

@@ -3,6 +3,10 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+## [1.4.2](https://github.com/standardnotes/server/compare/@standardnotes/predicates@1.4.1...@standardnotes/predicates@1.4.2) (2022-09-19)
+
+**Note:** Version bump only for package @standardnotes/predicates
+
 ## [1.4.1](https://github.com/standardnotes/server/compare/@standardnotes/predicates@1.4.0...@standardnotes/predicates@1.4.1) (2022-09-09)
 
 **Note:** Version bump only for package @standardnotes/predicates

packages/predicates/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@standardnotes/predicates",
-  "version": "1.4.1",
+  "version": "1.4.2",
   "engines": {
     "node": ">=16.0.0 <17.0.0"
   },

packages/scheduler/CHANGELOG.md

@@ -3,6 +3,10 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+## [1.10.30](https://github.com/standardnotes/server/compare/@standardnotes/scheduler-server@1.10.29...@standardnotes/scheduler-server@1.10.30) (2022-09-19)
+
+**Note:** Version bump only for package @standardnotes/scheduler-server
+
 ## [1.10.29](https://github.com/standardnotes/server/compare/@standardnotes/scheduler-server@1.10.28...@standardnotes/scheduler-server@1.10.29) (2022-09-16)
 
 **Note:** Version bump only for package @standardnotes/scheduler-server

packages/scheduler/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@standardnotes/scheduler-server",
-  "version": "1.10.29",
+  "version": "1.10.30",
   "engines": {
     "node": ">=16.0.0 <17.0.0"
   },

packages/security/CHANGELOG.md

@@ -3,6 +3,10 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+## [1.3.3](https://github.com/standardnotes/server/compare/@standardnotes/security@1.3.2...@standardnotes/security@1.3.3) (2022-09-19)
+
+**Note:** Version bump only for package @standardnotes/security
+
 ## [1.3.2](https://github.com/standardnotes/server/compare/@standardnotes/security@1.3.1...@standardnotes/security@1.3.2) (2022-09-16)
 
 ### Bug Fixes

packages/security/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@standardnotes/security",
-  "version": "1.3.2",
+  "version": "1.3.3",
   "engines": {
     "node": ">=16.0.0 <17.0.0"
   },

packages/syncing-server/CHANGELOG.md

@@ -3,6 +3,14 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+## [1.8.6](https://github.com/standardnotes/syncing-server-js/compare/@standardnotes/syncing-server@1.8.5...@standardnotes/syncing-server@1.8.6) (2022-09-19)
+
+**Note:** Version bump only for package @standardnotes/syncing-server
+
+## [1.8.5](https://github.com/standardnotes/syncing-server-js/compare/@standardnotes/syncing-server@1.8.4...@standardnotes/syncing-server@1.8.5) (2022-09-16)
+
+**Note:** Version bump only for package @standardnotes/syncing-server
+
 ## [1.8.4](https://github.com/standardnotes/syncing-server-js/compare/@standardnotes/syncing-server@1.8.3...@standardnotes/syncing-server@1.8.4) (2022-09-16)
 
 **Note:** Version bump only for package @standardnotes/syncing-server

packages/syncing-server/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@standardnotes/syncing-server",
-  "version": "1.8.4",
+  "version": "1.8.6",
   "engines": {
     "node": ">=16.0.0 <17.0.0"
   },