@api-client/core 0.19.42 → 0.20.1

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@api-client/core",
   "description": "The API Client's core client library. Works in NodeJS and in a ES enabled browser.",
-  "version": "0.19.42",
+  "version": "0.20.1",
   "license": "UNLICENSED",
   "exports": {
     "./browser.js": {

package/src/modeling/RuntimeApiModel.ts

@@ -8,6 +8,7 @@ import { SemanticType } from './Semantics.js'
 import type { DomainEntity } from './DomainEntity.js'
 import type { DomainProperty } from './DomainProperty.js'
 import { AccessRule, AccessRuleExecutionPhase } from './rules/AccessRule.js'
+import { Exception } from '../exceptions/exception.js'
 
 /**
  * Identifies a specific exposed entity and its action kind.
@@ -93,6 +94,19 @@ export class RuntimeApiModel extends ApiModel {
    */
   #actionRulesCache = new WeakMap<Action, ActionRulesCache>()
 
+  /**
+   * Cached session properties for fast runtime lookup.
+   */
+  readonly #sessionProperties = new Map<string, DomainProperty>()
+
+  /**
+   * Returns a readonly map of session properties.
+   * Note, it creates a copy of the cached map to prevent modification of the internal state.
+   */
+  public get sessionProperties(): ReadonlyMap<string, DomainProperty> {
+    return new Map(this.#sessionProperties)
+  }
+
   constructor(schema: RuntimeApiModelSchema, domainSchema: DataDomainSchema) {
     super(schema, domainSchema)
 
@@ -102,6 +116,20 @@ export class RuntimeApiModel extends ApiModel {
 
     this.#cacheEntitiesAndProperties()
     this.#precomputeAccessRules()
+    this.#precomputeSessionProperties()
+  }
+
+  #precomputeSessionProperties(): void {
+    if (!this.session || !this.domain) {
+      return
+    }
+    for (const prop of this.session.properties) {
+      const domainProperty = this.domain.findProperty(prop.key, prop.domain)
+      if (!domainProperty) {
+        throw new Exception(`Session property ${prop.key} not found in domain`)
+      }
+      this.#sessionProperties.set(prop.key, domainProperty)
+    }
   }
 
   #precomputeAccessRules(): void {

package/src/modeling/helpers/runtime.ts

@@ -0,0 +1,12 @@
+// Only here all NodeJS runtime helpers are allowed
+
+import crypto from 'node:crypto'
+
+/**
+ * Deterministically truncates long PostgreSQL identifiers to the 63-byte limit.
+ */
+export function truncateIdentifier(name: string): string {
+  if (name.length <= 63) return name
+  const hash = crypto.createHash('md5').update(name).digest('hex').substring(0, 8)
+  return `${name.substring(0, 54)}_${hash}`
+}

package/src/modeling/types.ts

@@ -356,12 +356,11 @@ export interface SessionConfiguration {
    */
   secret: string
   /**
-   * The properties from the `User` entity to be encoded into the session payload (JWT/cookie).
+   * The properties to be set on the session `User` object.
    * These properties become available in the `request.auth` object at runtime.
-   *
-   * In practice, these are the ids of the properties in the `User` entity.
+   * The properties are coming from the `User` entity (marked by the Semantic model).
    */
-  properties: string[]
+  properties: AssociationTarget[]
   /**
    * The cookie-based session transport configuration.
    */

package/src/modeling/validation/api_model_rules.ts

@@ -231,7 +231,7 @@ export function validateApiModelSecurity(model: ApiModel): ApiModelValidationIte
             break
           }
         }
-        if (roleProp && !model.session.properties.includes(roleProp.key)) {
+        if (roleProp && !model.session.properties.find((p) => p.key === roleProp?.key)) {
           issues.push({
             code: createCode('API', 'MISSING_RBAC_SESSION_PROPERTY'),
             message: 'The user role must be included in the session data for permissions to work.',

package/tests/unit/modeling/RuntimeApiModel.spec.ts

@@ -153,6 +153,64 @@ test.group('RuntimeApiModel', () => {
     assert.equal(runtimeModel.cachedProperties.username?.key, usernameProp.key)
   }).tags(['@modeling', '@runtime'])
 
+  test('precomputes session properties correctly', ({ assert }) => {
+    const domain = new DataDomain({ info: { version: '1.0.0' } })
+    const modelNode = domain.addModel({ key: 'users' })
+    const userEntity = modelNode.addEntity({ info: { name: 'User' }, semantics: [{ id: SemanticType.User }] })
+    const prop1 = userEntity.addProperty({ info: { name: 'Prop1' } })
+    const prop2 = userEntity.addProperty({ info: { name: 'Prop2' } })
+
+    const schema = {
+      key: 'api-1',
+      info: { name: 'Test API' },
+      routingMap: {},
+      session: {
+        properties: [{ key: prop1.key, domain: domain.key }, { key: prop2.key }],
+      },
+    }
+
+    const runtimeModel = new RuntimeApiModel(schema as any, domain.toJSON())
+
+    assert.equal(runtimeModel.sessionProperties.size, 2)
+    assert.equal(runtimeModel.sessionProperties.get(prop1.key)?.key, prop1.key)
+    assert.equal(runtimeModel.sessionProperties.get(prop2.key)?.key, prop2.key)
+  }).tags(['@modeling', '@runtime'])
+
+  test('throws exception if session property is missing from domain', ({ assert }) => {
+    const domain = new DataDomain({ info: { version: '1.0.0' } })
+    const modelNode = domain.addModel({ key: 'users' })
+    const userEntity = modelNode.addEntity({ info: { name: 'User' }, semantics: [{ id: SemanticType.User }] })
+    userEntity.addProperty({ info: { name: 'Prop1' } })
+
+    const schema = {
+      key: 'api-1',
+      info: { name: 'Test API' },
+      routingMap: {},
+      session: {
+        properties: [{ key: 'missing-prop' }],
+      },
+    }
+
+    assert.throws(
+      () => new RuntimeApiModel(schema as any, domain.toJSON()),
+      'Session property missing-prop not found in domain'
+    )
+  }).tags(['@modeling', '@runtime'])
+
+  test('handles missing session configuration gracefully', ({ assert }) => {
+    const domain = new DataDomain({ info: { version: '1.0.0' } })
+
+    const schema = {
+      key: 'api-1',
+      info: { name: 'Test API' },
+      routingMap: {},
+    }
+
+    const runtimeModel = new RuntimeApiModel(schema as any, domain.toJSON())
+
+    assert.equal(runtimeModel.sessionProperties.size, 0)
+  }).tags(['@modeling', '@runtime'])
+
   test('evaluateAccess - rejects if any mandatory rule fails', async ({ assert }) => {
     const domain = new DataDomain({ info: { version: '1.0.0' } })
     const baseModel = new ApiModel(

package/tests/unit/modeling/api_model.spec.ts

@@ -53,7 +53,7 @@ test.group('ApiModel.createSchema()', () => {
       dependencyList: [{ key: 'domain1', version: '1.0.0' }],
       authentication: { strategy: 'UsernamePassword' },
       authorization: { strategy: 'RBAC' } as RolesBasedAccessControl,
-      session: { secret: 'secret', properties: ['email'] },
+      session: { secret: 'secret', properties: [{ key: 'email' }] },
       accessRule: [{ type: 'public' }],
       rateLimiting: { rules: [] },
       termsOfService: 'https://example.com/terms',
@@ -72,7 +72,7 @@ test.group('ApiModel.createSchema()', () => {
     assert.deepEqual(schema.dependencyList, [{ key: 'domain1', version: '1.0.0' }])
     assert.deepEqual(schema.authentication, { strategy: 'UsernamePassword' })
     assert.deepEqual(schema.authorization, { strategy: 'RBAC' })
-    assert.deepEqual(schema.session, { secret: 'secret', properties: ['email'] })
+    assert.deepEqual(schema.session, { secret: 'secret', properties: [{ key: 'email' }] })
     assert.deepEqual(schema.accessRule, [{ type: 'public' }])
     assert.deepEqual(schema.rateLimiting, { rules: [] })
     assert.equal(schema.termsOfService, 'https://example.com/terms')
@@ -132,7 +132,7 @@ test.group('ApiModel.constructor()', () => {
       dependencyList: [{ key: 'domain1', version: '1.0.0' }],
       authentication: { strategy: 'UsernamePassword' },
       authorization: { strategy: 'RBAC' } as RolesBasedAccessControl,
-      session: { secret: 'secret', properties: ['email'] },
+      session: { secret: 'secret', properties: [{ key: 'email' }] },
       accessRule: [{ type: 'allowPublic' }],
       rateLimiting: { rules: [] },
       termsOfService: 'https://example.com/terms',
@@ -150,7 +150,7 @@ test.group('ApiModel.constructor()', () => {
     assert.deepEqual(model.dependencyList, [{ key: 'domain1', version: '1.0.0' }])
     assert.deepEqual(model.authentication, { strategy: 'UsernamePassword' })
     assert.deepEqual(model.authorization, { strategy: 'RBAC' })
-    assert.deepEqual(model.session, { secret: 'secret', properties: ['email'] })
+    assert.deepEqual(model.session, { secret: 'secret', properties: [{ key: 'email' }] })
     assert.deepEqual(model.accessRule, [new AllowPublicAccessRule(model)])
     assert.deepEqual(model.rateLimiting, new RateLimitingConfiguration())
     assert.equal(model.termsOfService, 'https://example.com/terms')
@@ -289,7 +289,7 @@ test.group('ApiModel.toJSON()', () => {
       dependencyList: [{ key: 'domain1', version: '1.0.0' }],
       authentication: { strategy: 'UsernamePassword' },
       authorization: { strategy: 'RBAC' } as RolesBasedAccessControl,
-      session: { secret: 'secret', properties: ['email'] },
+      session: { secret: 'secret', properties: [{ key: 'email' }] },
       accessRule: [{ type: 'allowPublic' }],
       rateLimiting: { rules: [] },
       termsOfService: 'https://example.com/terms',
@@ -308,7 +308,7 @@ test.group('ApiModel.toJSON()', () => {
     assert.deepEqual(json.dependencyList, [{ key: 'domain1', version: '1.0.0' }])
     assert.deepEqual(json.authentication, { strategy: 'UsernamePassword' })
     assert.deepEqual(json.authorization, { strategy: 'RBAC' })
-    assert.deepEqual(json.session, { secret: 'secret', properties: ['email'] })
+    assert.deepEqual(json.session, { secret: 'secret', properties: [{ key: 'email' }] })
     assert.deepEqual(json.accessRule, [{ type: 'allowPublic' }])
     assert.deepEqual(json.rateLimiting, { rules: [] })
     assert.equal(json.termsOfService, 'https://example.com/terms')

package/tests/unit/modeling/generators/OasGenerator.spec.ts

@@ -129,7 +129,7 @@ test.group('OasGenerator', (group) => {
     }
     api.accessRule = [new AllowAuthenticatedAccessRule(api)]
     api.session = {
-      properties: [email.key],
+      properties: [{ key: email.key }],
       secret: 'test-secret',
       cookie: {
         enabled: true,

package/tests/unit/modeling/helpers/runtime.spec.ts

@@ -0,0 +1,48 @@
+import { test } from '@japa/runner'
+import { truncateIdentifier } from '../../../../src/modeling/helpers/runtime.js'
+
+test.group('modeling / helpers / runtime', () => {
+  test('returns the original identifier if it is exactly 63 characters long', ({ assert }) => {
+    const input = 'a'.repeat(63)
+    const result = truncateIdentifier(input)
+    assert.equal(result, input)
+    assert.equal(result.length, 63)
+  }).tags(['@modeling', '@helpers'])
+
+  test('returns the original identifier if it is less than 63 characters long', ({ assert }) => {
+    const input = 'short_identifier'
+    const result = truncateIdentifier(input)
+    assert.equal(result, input)
+    assert.equal(result.length, 16)
+  }).tags(['@modeling', '@helpers'])
+
+  test('truncates identifier to 63 characters if it is longer', ({ assert }) => {
+    const input = 'a'.repeat(64)
+    const result = truncateIdentifier(input)
+    assert.equal(result.length, 63)
+    assert.notEqual(result, input)
+  }).tags(['@modeling', '@helpers'])
+
+  test('generates deterministic hash for the same long identifier', ({ assert }) => {
+    const input = 'very_long_identifier_that_exceeds_the_limit_of_63_characters_which_is_too_long'
+    const result1 = truncateIdentifier(input)
+    const result2 = truncateIdentifier(input)
+    assert.equal(result1, result2)
+  }).tags(['@modeling', '@helpers'])
+
+  test('generates different hashes for different long identifiers', ({ assert }) => {
+    const input1 = 'very_long_identifier_that_exceeds_the_limit_of_63_characters_which_is_too_long_1'
+    const input2 = 'very_long_identifier_that_exceeds_the_limit_of_63_characters_which_is_too_long_2'
+    const result1 = truncateIdentifier(input1)
+    const result2 = truncateIdentifier(input2)
+    assert.notEqual(result1, result2)
+  }).tags(['@modeling', '@helpers'])
+
+  test('truncates keeping the first 54 characters', ({ assert }) => {
+    const prefix = 'this_is_exactly_54_characters_long_string_prefix_hello'
+    const input = `${prefix}_and_some_more_characters_to_exceed_63`
+    const result = truncateIdentifier(input)
+    assert.isTrue(result.startsWith(`${prefix}_`))
+    assert.equal(result.length, 63)
+  }).tags(['@modeling', '@helpers'])
+})

package/tests/unit/modeling/validation/api_model_rules.spec.ts

@@ -67,7 +67,7 @@ test.group('ApiModel Validation', () => {
         authorization: { strategy: 'RBAC' } as RolesBasedAccessControl,
         session: {
           secret: 'super-secret',
-          properties: ['id', 'role'],
+          properties: [{ key: 'id' }, { key: 'role' }],
           cookie: {
             enabled: true,
             kind: 'cookie',
@@ -401,7 +401,7 @@ test.group('ApiModel Validation', () => {
         authorization: { strategy: 'RBAC' } as RolesBasedAccessControl,
         session: {
           secret: 'super-secret',
-          properties: ['id', 'role'],
+          properties: [{ key: 'id' }, { key: 'role' }],
           cookie: {
             enabled: true,
             kind: 'cookie',