@carbonorm/carbonnode 6.0.19 → 6.1.0

package/src/executors/SqlExecutor.ts

@@ -27,6 +27,43 @@ import { getLogContext, LogLevel, logWithLevel } from "../utils/logLevel";
 
 const SQL_ALLOWLIST_BLOCKED_CODE = "SQL_ALLOWLIST_BLOCKED";
 
+const fillRandomBytes = (bytes: Uint8Array): void => {
+    const cryptoRef = (globalThis as { crypto?: Crypto }).crypto;
+    if (!cryptoRef || typeof cryptoRef.getRandomValues !== "function") {
+        throw new Error("Secure random source unavailable: crypto.getRandomValues is required for UUID generation.");
+    }
+    cryptoRef.getRandomValues(bytes);
+};
+
+const generateUuidV7 = (): string => {
+    const bytes = new Uint8Array(16);
+    const random = new Uint8Array(10);
+    fillRandomBytes(random);
+
+    const timestampMs = Date.now();
+    bytes[0] = Math.floor(timestampMs / 1099511627776) & 0xff; // 2^40
+    bytes[1] = Math.floor(timestampMs / 4294967296) & 0xff; // 2^32
+    bytes[2] = Math.floor(timestampMs / 16777216) & 0xff; // 2^24
+    bytes[3] = Math.floor(timestampMs / 65536) & 0xff; // 2^16
+    bytes[4] = Math.floor(timestampMs / 256) & 0xff; // 2^8
+    bytes[5] = timestampMs & 0xff;
+
+    // RFC 9562 UUIDv7 layout
+    bytes[6] = 0x70 | (random[0] & 0x0f); // version 7 + rand_a high bits
+    bytes[7] = random[1]; // rand_a low bits
+    bytes[8] = 0x80 | (random[2] & 0x3f); // variant + rand_b high bits
+    bytes[9] = random[3];
+    bytes[10] = random[4];
+    bytes[11] = random[5];
+    bytes[12] = random[6];
+    bytes[13] = random[7];
+    bytes[14] = random[8];
+    bytes[15] = random[9];
+
+    const hex = Array.from(bytes, (byte) => byte.toString(16).padStart(2, "0")).join("");
+    return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20)}`;
+};
+
 export type SqlAllowListBlockedError = Error & {
     code: typeof SQL_ALLOWLIST_BLOCKED_CODE;
     tableName?: string;
@@ -72,6 +109,157 @@ const createSqlAllowListBlockedError = (args: {
 export class SqlExecutor<
     G extends OrmGenerics
 > extends Executor<G> {
+    private getPostRequestRows(): Record<string, any>[] {
+        const request = this.request as any;
+        if (!request) return [];
+
+        if (Array.isArray(request)) {
+            return request as Record<string, any>[];
+        }
+
+        if (
+            Array.isArray(request.dataInsertMultipleRows)
+            && request.dataInsertMultipleRows.length > 0
+        ) {
+            return request.dataInsertMultipleRows as Record<string, any>[];
+        }
+
+        const verb = C6C.REPLACE in request ? C6C.REPLACE : C6C.INSERT;
+        if (verb in request && request[verb] && typeof request[verb] === "object") {
+            return [request[verb] as Record<string, any>];
+        }
+
+        if (typeof request === "object") {
+            return [request as Record<string, any>];
+        }
+
+        return [];
+    }
+
+    private getTypeValidationForColumn(shortKey: string, fullKey: string): Record<string, any> | undefined {
+        const validation = (this.config.restModel as any)?.TYPE_VALIDATION;
+        if (!validation || typeof validation !== "object") return undefined;
+        return validation[shortKey] ?? validation[fullKey];
+    }
+
+    private isUuidLikePrimaryColumn(columnDef: Record<string, any> | undefined): boolean {
+        if (!columnDef || typeof columnDef !== "object") return false;
+        if (columnDef.AUTO_INCREMENT === true) return false;
+
+        const mysqlType = String(columnDef.MYSQL_TYPE ?? "").toLowerCase();
+        const maxLength = String(columnDef.MAX_LENGTH ?? "").trim();
+
+        if (mysqlType.includes("uuid")) return true;
+
+        const isBinary16 = mysqlType.includes("binary")
+            && (maxLength === "16" || /\b16\b/.test(mysqlType) || mysqlType === "binary");
+        const isUuidString = (mysqlType.includes("char") || mysqlType.includes("varchar"))
+            && (maxLength === "32" || maxLength === "36");
+
+        return isBinary16 || isUuidString;
+    }
+
+    private hasDefinedValue(value: unknown): boolean {
+        if (value === undefined || value === null) return false;
+        if (typeof value === "string" && value.trim() === "") return false;
+        return true;
+    }
+
+    private generatePrimaryUuidValue(columnDef: Record<string, any>): string {
+        const mysqlType = String(columnDef.MYSQL_TYPE ?? "").toLowerCase();
+        const maxLength = String(columnDef.MAX_LENGTH ?? "").trim();
+        const uuid = generateUuidV7();
+
+        // BINARY(16) and CHAR/VARCHAR(32) commonly persist UUIDs as 32-hex.
+        if (mysqlType.includes("binary") || maxLength === "32") {
+            return uuid.replace(/-/g, "").toUpperCase();
+        }
+
+        return uuid;
+    }
+
+    private assignMissingPostPrimaryUuids(): void {
+        if (this.config.requestMethod !== C6C.POST) return;
+
+        const rows = this.getPostRequestRows();
+        if (rows.length === 0) return;
+
+        const columns = this.config.restModel.COLUMNS as Record<string, string>;
+        const tableName = this.config.restModel.TABLE_NAME as string;
+        const primaryShorts = this.config.restModel.PRIMARY_SHORT ?? [];
+
+        const primaryColumns = primaryShorts
+            .map((shortKey) => {
+                const fullKey = Object.keys(columns).find((key) => columns[key] === shortKey)
+                    ?? `${tableName}.${shortKey}`;
+                const columnDef = this.getTypeValidationForColumn(shortKey, fullKey);
+                return { shortKey, fullKey, columnDef };
+            })
+            .filter(({ columnDef }) => this.isUuidLikePrimaryColumn(columnDef));
+
+        if (primaryColumns.length === 0) return;
+
+        for (const row of rows) {
+            if (!row || typeof row !== "object") continue;
+
+            const useQualifiedKeyByDefault = Object.keys(row).some((key) => key.includes("."));
+
+            for (const primaryColumn of primaryColumns) {
+                const existing = row[primaryColumn.shortKey] ?? row[primaryColumn.fullKey];
+                if (this.hasDefinedValue(existing)) continue;
+
+                const generated = this.generatePrimaryUuidValue(primaryColumn.columnDef!);
+                if (Object.prototype.hasOwnProperty.call(row, primaryColumn.shortKey)) {
+                    row[primaryColumn.shortKey] = generated;
+                    continue;
+                }
+                if (Object.prototype.hasOwnProperty.call(row, primaryColumn.fullKey)) {
+                    row[primaryColumn.fullKey] = generated;
+                    continue;
+                }
+
+                row[useQualifiedKeyByDefault ? primaryColumn.fullKey : primaryColumn.shortKey] = generated;
+            }
+        }
+    }
+
+    private buildPostResponseRows(insertId?: number | string): Record<string, unknown>[] {
+        const rows = this.getPostRequestRows();
+        if (rows.length === 0) return [];
+
+        const columns = this.config.restModel.COLUMNS as Record<string, string>;
+        const validColumns = new Set(Object.values(columns));
+        const pkShorts = this.config.restModel.PRIMARY_SHORT ?? [];
+        const now = new Date().toISOString();
+
+        return rows.map((row, index) => {
+            const normalized = this.normalizeRequestPayload(row ?? {});
+
+            if (validColumns.has("changed_at") && normalized.changed_at === undefined) {
+                normalized.changed_at = now;
+            }
+            if (validColumns.has("created_at") && normalized.created_at === undefined) {
+                normalized.created_at = now;
+            }
+            if (validColumns.has("updated_at") && normalized.updated_at === undefined) {
+                normalized.updated_at = now;
+            }
+
+            // When DB generated PK is numeric/autoincrement, expose it for the single-row insert.
+            if (
+                index === 0
+                && insertId !== undefined
+                && insertId !== null
+                && pkShorts.length === 1
+                && !this.hasDefinedValue(normalized[pkShorts[0]])
+            ) {
+                normalized[pkShorts[0]] = insertId;
+            }
+
+            return normalized;
+        });
+    }
+
     private resolveSqlLogMethod(method: iRestMethods, sql: string): string {
         const token = sql.trim().split(/\s+/, 1)[0]?.toUpperCase();
         if (token) return token;
@@ -112,6 +300,8 @@ export class SqlExecutor<
             throw e;
         }
 
+        this.assignMissingPostPrimaryUuids();
+
         const logContext = getLogContext(this.config, this.request);
         logWithLevel(
             LogLevel.DEBUG,
@@ -248,6 +438,7 @@ export class SqlExecutor<
             C6C.REPLACE,
             "dataInsertMultipleRows",
             "cacheResults",
+            "skipReactBootstrap",
             "fetchDependencies",
             "debug",
             "success",
@@ -340,7 +531,7 @@ export class SqlExecutor<
             }
 
             if (value !== undefined) {
-                pkValues[pkShort] = value;
+                pkValues[pkShort] = this.unwrapPrimaryKeyValue(value);
             }
         }
 
@@ -351,6 +542,29 @@ export class SqlExecutor<
         return Object.keys(pkValues).length > 0 ? pkValues : null;
     }
 
+    private unwrapPrimaryKeyValue(value: any): any {
+        if (!Array.isArray(value)) return value;
+
+        if (value.length === 2) {
+            const [head, tail] = value;
+            if (head === C6C.EQUAL) {
+                return this.unwrapPrimaryKeyValue(tail);
+            }
+            if (head === C6C.LIT || head === C6C.PARAM) {
+                return tail;
+            }
+        }
+
+        if (value.length === 3) {
+            const [, operator, right] = value;
+            if (operator === C6C.EQUAL) {
+                return this.unwrapPrimaryKeyValue(right);
+            }
+        }
+
+        return value;
+    }
+
     private extractPrimaryKeyValuesFromData(data: any): Record<string, any> | null {
         if (!data) return null;
         const row = Array.isArray(data) ? data[0] : data;
@@ -549,6 +763,9 @@ export class SqlExecutor<
         const logContext = getLogContext(this.config, this.request);
         const cacheResults = method === C6C.GET
             && (this.request.cacheResults ?? true);
+        const cacheAllowListStatus: SqlAllowListStatus = this.config.sqlAllowListPath
+            ? "allowed"
+            : "not verified";
 
         const cacheRequestData = cacheResults
             ? JSON.parse(JSON.stringify(this.request ?? {}))
@@ -560,7 +777,13 @@ export class SqlExecutor<
 
         const evictFromCache =
             method === C6C.GET && cacheResults && cacheRequestData
-                ? () => evictCacheEntry(method, tableName, cacheRequestData, logContext)
+                ? () => evictCacheEntry(
+                    method,
+                    tableName,
+                    cacheRequestData,
+                    logContext,
+                    cacheAllowListStatus,
+                )
                 : undefined;
 
         if (cacheResults) {
@@ -568,7 +791,8 @@ export class SqlExecutor<
                 method,
                 tableName,
                 cacheRequestData,
-                logContext
+                logContext,
+                cacheAllowListStatus,
             );
             if (cachedRequest) {
                 const cachedData = (await cachedRequest).data;
@@ -611,12 +835,14 @@ export class SqlExecutor<
         setCache(method, tableName, cacheRequestData, {
             requestArgumentsSerialized,
             request: cacheRequest,
+            allowListStatus: cacheAllowListStatus,
         });
 
         const cacheResponse = await cacheRequest;
         setCache(method, tableName, cacheRequestData, {
             requestArgumentsSerialized,
             request: cacheRequest,
+            allowListStatus: cacheAllowListStatus,
             response: cacheResponse,
             final: true,
         });
@@ -695,7 +921,9 @@ export class SqlExecutor<
         return {
             affected: result.affectedRows as number,
             insertId: result.insertId as number,
-            rest: [],
+            rest: method === C6C.POST
+                ? this.buildPostResponseRows(result.insertId as number | string | undefined)
+                : [],
             sql: { sql: sqlExecution.sql, values: sqlExecution.values },
         } as DetermineResponseDataType<G['RequestMethod'], G['RestTableInterface']>;
     }

package/src/index.ts

@@ -19,6 +19,7 @@ export * from "./handlers/ExpressHandler";
 export * from "./orm/queryHelpers";
 export * from "./orm/builders/AggregateBuilder";
 export * from "./orm/builders/ConditionBuilder";
+export * from "./orm/builders/ExpressionSerializer";
 export * from "./orm/builders/JoinBuilder";
 export * from "./orm/builders/PaginationBuilder";
 export * from "./orm/queries/DeleteQueryBuilder";

package/src/orm/builders/AggregateBuilder.ts

@@ -1,9 +1,18 @@
 import {Executor} from "../../executors/Executor";
 import {OrmGenerics} from "../../types/ormGenerics";
-import {C6C} from "../../constants/C6Constants";
+import {SQL_KNOWN_FUNCTIONS} from "../../types/mysqlTypes";
 import {getLogContext, LogLevel, logWithLevel} from "../../utils/logLevel";
+import {
+    iSerializedExpression,
+    serializeSqlExpression,
+    tSqlParams,
+} from "./ExpressionSerializer";
 
-export abstract class AggregateBuilder<G extends OrmGenerics> extends Executor<G>{
+const KNOWN_FUNCTION_LOOKUP = new Set(
+    SQL_KNOWN_FUNCTIONS.map((name) => String(name).toUpperCase()),
+);
+
+export abstract class AggregateBuilder<G extends OrmGenerics> extends Executor<G> {
     protected selectAliases: Set<string> = new Set<string>();
 
     // Overridden in ConditionBuilder where alias tracking is available.
@@ -12,130 +21,82 @@ export abstract class AggregateBuilder<G extends OrmGenerics> extends Executor<G
         // no-op placeholder for subclasses that do not implement alias validation
     }
 
-    buildAggregateField(field: string | any[], params?: any[] | Record<string, any>): string {
-        if (typeof field === 'string') {
-            this.assertValidIdentifier(field, 'SELECT field');
-            return field;
-        }
+    protected isReferenceExpression(value: string): boolean {
+        if (typeof value !== 'string') return false;
 
-        if (!Array.isArray(field) || field.length === 0) {
-            throw new Error('Invalid SELECT field entry');
-        }
-
-        // If the array represents a tuple/literal list (e.g., [lng, lat]) rather than a
-        // function call like [FN, ...args], serialize the list as a comma-separated
-        // literal sequence so parent calls (like ORDER BY FN(<here>)) can embed it.
-        const isNumericString = (s: string) => /^-?\d+(?:\.\d+)?$/.test(String(s).trim());
-        if (typeof field[0] !== 'string' || isNumericString(field[0])) {
-            return field
-                .map((arg) => {
-                    if (Array.isArray(arg)) return this.buildAggregateField(arg, params);
-                    return String(arg);
-                })
-                .join(', ');
-        }
+        const trimmed = value.trim();
+        if (trimmed.length === 0) return false;
 
-        let [fn, ...args] = field;
-        let alias: string | undefined;
+        if (trimmed === '*') return true;
 
-        if (args.length >= 2 && String(args[args.length - 2]).toUpperCase() === 'AS') {
-            alias = String(args.pop());
-            args.pop();
+        if (/^[A-Za-z_][A-Za-z0-9_]*\.\*$/.test(trimmed)) {
+            this.assertValidIdentifier(trimmed, 'SQL reference');
+            return true;
         }
 
-        const F = String(fn).toUpperCase();
-        const isGeomFromText = F === C6C.ST_GEOMFROMTEXT.toUpperCase();
-
-        if (args.length === 1 && Array.isArray(args[0])) {
-            args = args[0];
+        if (/^[A-Za-z_][A-Za-z0-9_]*\.[A-Za-z_][A-Za-z0-9_]*$/.test(trimmed)) {
+            this.assertValidIdentifier(trimmed, 'SQL reference');
+            return true;
         }
 
-        // Parameter placeholder helper: [C6C.PARAM, value]
-        if (F === C6C.PARAM) {
-            if (!params) {
-                throw new Error('PARAM requires parameter tracking.');
-            }
-            const value = args[0];
-            // Use empty column context; ORDER/SELECT literals have no column typing.
-            // @ts-ignore addParam is provided by ConditionBuilder in our hierarchy.
-            return this.addParam(params, '', value);
+        if (/^[A-Za-z_][A-Za-z0-9_]*$/.test(trimmed) && this.selectAliases.has(trimmed)) {
+            return true;
         }
 
-        if (F === C6C.SUBSELECT) {
-            if (!params) {
-                throw new Error('Scalar subselects in SELECT require parameter tracking.');
-            }
-            const subRequest = args[0];
-            const subSql = (this as any).buildScalarSubSelect?.(subRequest, params);
-            if (!subSql) {
-                throw new Error('Failed to build scalar subselect.');
-            }
-
-            let expr = subSql;
-            if (alias) {
-                this.selectAliases.add(alias);
-                expr += ` AS ${alias}`;
-            }
-
-            logWithLevel(
-                LogLevel.DEBUG,
-                getLogContext(this.config, this.request),
-                console.log,
-                `[SELECT] ${expr}`,
-            );
-
-            return expr;
-        }
+        return false;
+    }
 
-        const identifierPathRegex = /^[A-Za-z_][A-Za-z0-9_]*\.[A-Za-z_][A-Za-z0-9_]*$/;
+    protected isKnownFunction(functionName: string): boolean {
+        return KNOWN_FUNCTION_LOOKUP.has(functionName.trim().toUpperCase());
+    }
 
-        const argList = args
-            .map((arg, index) => {
-                if (Array.isArray(arg)) return this.buildAggregateField(arg, params);
-                if (typeof arg === 'string') {
-                    if (identifierPathRegex.test(arg)) {
-                        this.assertValidIdentifier(arg, 'SELECT expression');
-                        return arg;
+    protected serializeExpression(
+        expression: any,
+        params?: tSqlParams,
+        context: string = 'SQL expression',
+        contextColumn?: string,
+    ): iSerializedExpression {
+        return serializeSqlExpression(expression, {
+            params,
+            context,
+            contextColumn,
+            hooks: {
+                assertValidIdentifier: (identifier: string, hookContext: string) => {
+                    this.assertValidIdentifier(identifier, hookContext);
+                },
+                isReference: (value: string) => this.isReferenceExpression(value),
+                addParam: (target: tSqlParams, column: string, value: any) => {
+                    const addParam = (this as any).addParam;
+                    if (typeof addParam !== 'function') {
+                        throw new Error('Expression literal binding requires addParam support.');
                     }
-                    // Treat numeric-looking strings as literals, not identifier paths
-                    if (isNumericString(arg)) return arg;
-
-                    if (isGeomFromText && index === 0) {
-                        const trimmed = arg.trim();
-                        const alreadyQuoted = trimmed.startsWith("'") && trimmed.endsWith("'") && trimmed.length >= 2;
-                        if (alreadyQuoted) {
-                            return trimmed;
-                        }
-                        const escaped = arg.replace(/'/g, "''");
-                        return `'${escaped}'`;
+                    return addParam.call(this, target, column, value);
+                },
+                buildScalarSubSelect: (subRequest: any, target: tSqlParams) => {
+                    const builder = (this as any).buildScalarSubSelect;
+                    if (typeof builder !== 'function') {
+                        throw new Error('Scalar subselects require SelectQueryBuilder context.');
                     }
+                    return builder.call(this, subRequest, target);
+                },
+                onAlias: (alias: string) => {
+                    this.selectAliases.add(alias);
+                },
+                isKnownFunction: (functionName: string) => this.isKnownFunction(functionName),
+            },
+        });
+    }
 
-                    return arg;
-                }
-                return String(arg);
-            })
-            .join(', ');
-
-        let expr: string;
-
-        if (F === 'DISTINCT') {
-            expr = `DISTINCT ${argList}`;
-        } else {
-            expr = `${F}(${argList})`;
-        }
-
-        if (alias) {
-            this.selectAliases.add(alias);
-            expr += ` AS ${alias}`;
-        }
+    buildAggregateField(field: string | any[], params?: tSqlParams): string {
+        const serialized = this.serializeExpression(field, params, 'SELECT expression');
 
         logWithLevel(
             LogLevel.DEBUG,
             getLogContext(this.config, this.request),
             console.log,
-            `[SELECT] ${expr}`,
+            `[SELECT] ${serialized.sql}`,
         );
 
-        return expr;
+        return serialized.sql;
     }
 }