@digitaldefiance/node-express-suite 3.6.14 → 3.6.16

package/src/middlewares/authenticate-crypto.ts

@@ -1,216 +0,0 @@
-import { SecureString } from '@digitaldefiance/ecies-lib';
-import { Member as BackendMember } from '@digitaldefiance/node-ecies-lib';
-import {
-  AccountStatus,
-  getSuiteCoreTranslation,
-  InvalidCredentialsError,
-  SuiteCoreStringKey,
-} from '@digitaldefiance/suite-core-lib';
-import { NextFunction, Request, Response } from 'express';
-import { ClientSession, Types } from '@digitaldefiance/mongoose-types';
-import { ServiceKeys } from '../container';
-import { IUserDocument } from '../documents/user';
-import { BaseModelName } from '../enumerations';
-import { InvalidPasswordError } from '../errors';
-import { IApplication } from '../interfaces/application';
-import { withTransaction } from '../utils';
-
-/**
- * Middleware to authenticate crypto operations requiring private key access
- * Expects mnemonic or password in request body for fresh authentication
- */
-export async function authenticateCrypto<
-  I extends Types.ObjectId | string = Types.ObjectId,
-  TAccountStatus extends string = AccountStatus,
->(
-  application: IApplication,
-  req: Request,
-  res: Response,
-  next: NextFunction,
-  activeStatusValue: TAccountStatus = AccountStatus.Active as TAccountStatus,
-): Promise<Response | void> {
-  if (!req.user) {
-    return res.status(401).send(
-      // amazonq-ignore-next-line false positive, hardcoded string
-      getSuiteCoreTranslation(SuiteCoreStringKey.Validation_InvalidToken),
-    );
-  }
-
-  // Try validatedBody first (if validation has run), then fall back to raw body
-  // Note: This middleware runs BEFORE validation, so validatedBody may not exist yet
-  const validatedBody = (req as Request & { validatedBody?: unknown })
-    .validatedBody as Record<string, unknown> | undefined;
-  const rawBody = req.body as Record<string, unknown> | undefined;
-  const sourceBody = validatedBody ?? rawBody;
-
-  if (!sourceBody) {
-    return res.status(400).send({
-      // amazonq-ignore-next-line false positive, hardcoded string
-      message: getSuiteCoreTranslation(
-        SuiteCoreStringKey.Validation_MnemonicOrPasswordRequired,
-      ),
-    });
-  }
-
-  const mnemonic =
-    typeof sourceBody['mnemonic'] === 'string'
-      ? (sourceBody['mnemonic'] as string)
-      : undefined;
-  const password =
-    // amazonq-ignore-next-line false positive
-    typeof sourceBody['password'] === 'string'
-      ? (sourceBody['password'] as string)
-      : undefined;
-  if (!mnemonic && !password) {
-    return res.status(400).send({
-      // amazonq-ignore-next-line false positive, hardcoded string
-      message: getSuiteCoreTranslation(
-        SuiteCoreStringKey.Validation_MnemonicOrPasswordRequired,
-      ),
-    });
-  }
-  const UserModel = application.getModel<IUserDocument<string, I>>(
-    BaseModelName.User,
-  );
-  const userService = application.services.get(ServiceKeys.USER) as {
-    loginWithMnemonic: (
-      email: string,
-      mnemonic: SecureString,
-      session?: ClientSession,
-    ) => Promise<any>;
-    loginWithPassword: (
-      email: string,
-      password: string,
-      session?: ClientSession,
-    ) => Promise<any>;
-  };
-
-  try {
-    return await withTransaction<Response | void>(
-      application.db.connection,
-      application.environment.mongo.useTransactions,
-      undefined,
-      async (sess: ClientSession | undefined) => {
-        const userDoc = await UserModel.findById(req.user!.id)
-          .session(sess ?? null)
-          .exec();
-
-        if (!userDoc || userDoc.accountStatus !== activeStatusValue) {
-          return res.status(403).send(
-            // amazonq-ignore-next-line false positive, hardcoded string
-            getSuiteCoreTranslation(SuiteCoreStringKey.Validation_UserNotFound),
-          );
-        }
-
-        // Ensure we're only authenticating the currently logged-in user
-        if (userDoc._id.toString() !== req.user!.id) {
-          return res.status(403).send(
-            // amazonq-ignore-next-line false positive, hardcoded string
-            getSuiteCoreTranslation(
-              SuiteCoreStringKey.Validation_InvalidCredentials,
-            ),
-          );
-        }
-
-        let loginResult: {
-          userDoc: IUserDocument;
-          userMember: BackendMember;
-          adminMember: BackendMember;
-        };
-
-        if (mnemonic) {
-          // Authenticate with mnemonic
-          const userMnemonic = new SecureString(mnemonic);
-          try {
-            loginResult = await userService.loginWithMnemonic(
-              userDoc.email,
-              userMnemonic,
-              sess,
-            );
-          } finally {
-            userMnemonic.dispose();
-          }
-        } else if (password) {
-          // Authenticate with password
-          loginResult = await userService.loginWithPassword(
-            userDoc.email,
-            password,
-            sess,
-          );
-        } else {
-          // Should not happen due to earlier guard; keeps TypeScript happy
-          return res.status(400).send({
-            // amazonq-ignore-next-line false positive, hardcoded string
-            message: getSuiteCoreTranslation(
-              SuiteCoreStringKey.Validation_MnemonicOrPasswordRequired,
-            ),
-          });
-        }
-
-        // Double-check authenticated user matches logged-in user
-        if (loginResult.userDoc._id.toString() !== req.user!.id) {
-          return res.status(403).send(
-            // amazonq-ignore-next-line false positive, hardcoded string
-            getSuiteCoreTranslation(
-              SuiteCoreStringKey.Validation_InvalidCredentials,
-            ),
-          );
-        }
-
-        // Attach the fully authenticated member (with private key) to the request
-        req.eciesUser = loginResult.userMember;
-        // Do not attach the admin user to the request; it's a process-wide singleton
-        // and must not be disposed as part of request cleanup.
-
-        next();
-        return;
-      },
-      {
-        timeoutMs: application.environment.mongo.transactionTimeout,
-      },
-    );
-  } catch (err) {
-    if (
-      err instanceof InvalidCredentialsError ||
-      err instanceof InvalidPasswordError
-    ) {
-      // amazonq-ignore-next-line false positive
-      console.error(
-        'Crypto authentication failed:',
-        `userId=${String(req.user?.id || 'unknown').replace(
-          /[\r\n]/g,
-          '',
-        )} hasPassword=${!!password} hasMnemonic=${!!mnemonic}`,
-      );
-      return res.status(401).send({
-        // amazonq-ignore-next-line false positive, hardcoded string
-        message: getSuiteCoreTranslation(
-          SuiteCoreStringKey.Validation_InvalidCredentials,
-        ),
-      });
-    }
-    const sanitizedErr =
-      err instanceof Error
-        ? err.message.replace(/[\r\n]/g, ' ')
-        : String(err).replace(/[\r\n]/g, ' ');
-    console.error(
-      `${getSuiteCoreTranslation(
-        SuiteCoreStringKey.Error_UnexpectedErrorInAuthenticateCrypto,
-      )}:`,
-      sanitizedErr,
-    );
-    if (err instanceof Error && err.stack) {
-      console.error(
-        `${getSuiteCoreTranslation(SuiteCoreStringKey.Common_StackTrace)}:`,
-        err.stack,
-      );
-    }
-    return res.status(500).send({
-      // amazonq-ignore-next-line false positive, hardcoded string
-      message: getSuiteCoreTranslation(
-        SuiteCoreStringKey.Common_UnexpectedError,
-      ),
-      error: err,
-    });
-  }
-}

package/src/middlewares/authenticate-token.ts

@@ -1,150 +0,0 @@
-import type { Timezone as TimezoneType } from '@digitaldefiance/i18n-lib';
-import { GlobalActiveContext } from '@digitaldefiance/i18n-lib';
-import {
-  AccountStatus,
-  getSuiteCoreTranslation,
-  ITokenRole,
-  ITokenUser,
-  SuiteCoreStringKey,
-} from '@digitaldefiance/suite-core-lib';
-import { NextFunction, Request, Response } from 'express';
-import { IncomingHttpHeaders } from 'http';
-import { ClientSession, Types } from '@digitaldefiance/mongoose-types';
-import { IUserDocument } from '../documents/user';
-import { BaseModelName } from '../enumerations/base-model-name';
-import { TokenExpiredError } from '../errors/token-expired';
-import { IApplication } from '../interfaces/application';
-import { JwtService } from '../services/jwt';
-import { RequestUserService } from '../services/request-user';
-import { RoleService } from '../services/role';
-import { withTransaction } from '../utils';
-
-// Type for Timezone constructor
-type TimezoneConstructor = new (tz: string) => TimezoneType;
-
-// Helper to create Timezone from the same module instance as GlobalActiveContext
-function createTimezone(tz: string): TimezoneType {
-  const context = GlobalActiveContext.getInstance();
-  const TimezoneConstructor = context.adminTimezone
-    .constructor as TimezoneConstructor;
-  return new TimezoneConstructor(tz);
-}
-
-/**
- * Find the auth token in the headers
- * @param headers The headers
- * @returns The auth token
- */
-export function findAuthToken(headers: IncomingHttpHeaders): string | null {
-  const authHeader = headers['Authorization'] || headers['authorization'];
-  if (authHeader && typeof authHeader === 'string') {
-    const parts = authHeader.split(' ');
-    if (parts.length === 2 && parts[0].toLowerCase() === 'bearer') {
-      return parts[1];
-    }
-  }
-  return null;
-}
-
-/**
- * Middleware to authenticate a token
- * @param application The application
- * @param req The request
- * @param res The response
- * @param next The next function
- * @returns The response
- */
-export async function authenticateToken<
-  I extends Types.ObjectId | string = Types.ObjectId,
-  D extends Date = Date,
-  TTokenRole extends ITokenRole<I, D> = ITokenRole<I, D>,
-  TTokenUser extends ITokenUser = ITokenUser,
-  TApplication extends IApplication = IApplication,
->(
-  application: TApplication,
-  req: Request,
-  res: Response,
-  next: NextFunction,
-): Promise<Response> {
-  const UserModel = application.getModel<IUserDocument<string, I>>(
-    BaseModelName.User,
-  );
-  const token = findAuthToken(req.headers);
-  if (token == null) {
-    return res
-      .status(401)
-      .send(
-        getSuiteCoreTranslation(SuiteCoreStringKey.Validation_InvalidToken),
-      );
-  }
-
-  try {
-    return await withTransaction<Response>(
-      application.db.connection,
-      application.environment.mongo.useTransactions,
-      undefined,
-      async (sess: ClientSession | undefined) => {
-        const jwtService = new JwtService<
-          I,
-          D,
-          TTokenRole,
-          TTokenUser,
-          TApplication
-        >(application);
-        const user: TTokenUser | null = await jwtService.verifyToken(token);
-        if (user === null) {
-          return res.status(403).send(
-            // amazonq-ignore-next-line false positive, hardcoded string
-            getSuiteCoreTranslation(SuiteCoreStringKey.Validation_UserNotFound),
-          );
-        }
-        const userDoc = await UserModel.findById(user.userId)
-          .select('-password')
-          .session(sess ?? null)
-          .exec();
-        if (!userDoc || userDoc.accountStatus !== AccountStatus.Active) {
-          return res.status(403).send(
-            // amazonq-ignore-next-line false positive, hardcoded string
-            getSuiteCoreTranslation(SuiteCoreStringKey.Validation_UserNotFound),
-          );
-        }
-        const roleService = new RoleService<I, D, TTokenRole>(application);
-        const roles = await roleService.getUserRoles(userDoc._id as I, sess);
-        const tokenRoles = roleService.rolesToTokenRoles(roles);
-        req.user = RequestUserService.makeRequestUserDTO(userDoc, tokenRoles);
-        const context = GlobalActiveContext.getInstance();
-        context.userLanguage = userDoc.siteLanguage ?? context.userLanguage;
-        context.setLanguageContextSpace('user');
-        context.userTimezone = createTimezone(userDoc.timezone);
-        next();
-        return res;
-      },
-      {
-        timeoutMs: application.environment.mongo.transactionTimeout,
-      },
-    );
-  } catch (err) {
-    if (err instanceof TokenExpiredError) {
-      return res.status(401).send({
-        message: getSuiteCoreTranslation(
-          SuiteCoreStringKey.Validation_TokenExpired,
-        ),
-        error: err,
-      });
-    } else if (err instanceof Error && err.name === 'JsonWebTokenError') {
-      return res.status(400).send({
-        message: getSuiteCoreTranslation(
-          SuiteCoreStringKey.Validation_InvalidToken,
-        ),
-        error: err,
-      });
-    } else {
-      return res.status(500).send({
-        message: getSuiteCoreTranslation(
-          SuiteCoreStringKey.Common_UnexpectedError,
-        ),
-        error: err,
-      });
-    }
-  }
-}

package/src/middlewares/cleanup-crypto.ts

@@ -1,37 +0,0 @@
-import { NextFunction, Request, Response } from 'express';
-
-/**
- * Middleware to clean up crypto resources after request completion
- * Should be used after crypto operations to ensure private keys are disposed
- */
-export function cleanupCrypto(
-  req: Request,
-  res: Response,
-  next: NextFunction,
-): void {
-  // Store original end function
-  const originalEnd = res.end;
-
-  // Override end function to cleanup before response
-  const wrappedEnd = function (this: Response, ...args: unknown[]) {
-    // Cleanup eciesUser if it exists
-    if (req.eciesUser) {
-      try {
-        // Dispose of sensitive cryptographic material
-        req.eciesUser.dispose();
-        req.eciesUser = undefined;
-      } catch (error) {
-        console.error('Error cleaning up crypto resources:', error);
-      }
-    }
-    // Do not dispose system user here; it may be a process-wide singleton
-
-    // Call original end function
-    // Type assertion needed because we're wrapping the end function
-    return originalEnd.apply(this, args as Parameters<typeof originalEnd>);
-  } as typeof res.end;
-
-  res.end = wrappedEnd;
-
-  next();
-}

package/src/middlewares/set-global-context-language.ts

@@ -1,24 +0,0 @@
-// src/middlewares/injectMongooseContext.ts
-
-import {
-  GlobalActiveContext,
-  LanguageRegistry,
-} from '@digitaldefiance/i18n-lib';
-import { NextFunction, Request, Response } from 'express';
-
-export function setGlobalContextLanguageFromRequest(
-  req: Request,
-  res: Response,
-  next: NextFunction,
-) {
-  // Use fallback chain: accept-language -> user preference -> site default
-  const language = LanguageRegistry.getMatchingLanguageCode(
-    req.headers['accept-language'] as string,
-    req.user?.siteLanguage as string,
-  );
-
-  const context = GlobalActiveContext.getInstance();
-  context.setUserLanguage(language);
-  context.setLanguageContextSpace('user');
-  next();
-}

package/src/middlewares.ts

@@ -1,105 +0,0 @@
-import cors from 'cors';
-import { randomBytes } from 'crypto';
-import {
-  Application,
-  json,
-  NextFunction,
-  Request,
-  Response,
-  urlencoded,
-} from 'express';
-import helmet, { HelmetOptions } from 'helmet';
-import { IncomingMessage, ServerResponse } from 'http';
-import { ISimpleCSPDef, isSimpleCSPDef } from './interfaces/csp-definition';
-import { SuiteCoreStringKey, TranslatableSuiteError } from '@digitaldefiance/suite-core-lib';
-
-export const corsOptionsDelegate = (corsWhitelist: string[]) => {
-  return (
-    req: cors.CorsRequest,
-    callback: (
-      error: Error | null,
-      options: cors.CorsOptions | undefined,
-    ) => void,
-  ) => {
-    let corsOptions: cors.CorsOptions;
-    const origin = req.headers.origin;
-    if (
-      origin &&
-      corsWhitelist.find((w: string | RegExp) => {
-        if (w instanceof RegExp) {
-          return w.test(origin);
-        } else {
-          return w === origin;
-        }
-      })
-    ) {
-      corsOptions = { origin: true };
-    } else {
-      corsOptions = { origin: false };
-    }
-    callback(null, corsOptions);
-  };
-};
-
-
-export const isHelmetOptions = (obj: any): boolean => {
-  // A very basic check; in real scenarios, you might want to be more thorough
-  return obj && typeof obj === 'object' && (
-    ('contentSecurityPolicy' in obj) ||
-    ('crossOriginEmbedderPolicy' in obj) ||
-    ('crossOriginOpenerPolicy' in obj) ||
-    ('crossOriginResourcePolicy' in obj) ||
-    ('originAgentCluster' in obj) ||
-    ('referrerPolicy' in obj));
-}
-
-export const initMiddleware = (
-    app: Application,
-    corsWhitelist: string[],
-    csp: ISimpleCSPDef | HelmetOptions,
-  ): void => {
-    // Helmet helps you secure your Express apps by setting various HTTP headers
-    // CSP nonce
-    app.use((req: Request, res: Response, next: NextFunction) => {
-      res.locals['cspNonce'] = randomBytes(32).toString('hex');
-      next();
-    });
-    if (isSimpleCSPDef(csp)) {
-      app.use(
-        helmet({
-          contentSecurityPolicy: {
-            directives: {
-              defaultSrc: ["'self'", ...csp.defaultSrc],
-              imgSrc: ["'self'", 'data:', 'blob:', ...csp.imgSrc],
-              connectSrc: ["'self'", ...csp.connectSrc],
-              scriptSrc: [
-                "'self'",
-                //"'unsafe-inline'",
-                "'strict-dynamic'",
-                (req: IncomingMessage, res: ServerResponse) =>
-                  `'nonce-${(res as Response).locals['cspNonce']}'`,
-                ...csp.scriptSrc,
-              ],
-              styleSrc: [
-                "'self'",
-                // "'unsafe-inline'",
-                ...csp.styleSrc,
-              ],
-              fontSrc: ["'self'", ...csp.fontSrc],
-              frameSrc: ["'self'", ...csp.frameSrc],
-            },
-          },
-        }),
-      );
-    } else if (isHelmetOptions(csp)) {
-      app.use(helmet(csp));
-    } else {
-      throw new TranslatableSuiteError(SuiteCoreStringKey.Error_InvalidCspOrHelmetOptionsProvided);
-    }
-    // Enable CORS
-    app.use(cors(corsOptionsDelegate(corsWhitelist)));
-    // Parse incoming requests with JSON payloads
-    app.use(json());
-    // Parse incoming requests with urlencoded payloads
-    app.use(urlencoded({ extended: true }));
-  };

package/src/model-registry.ts

@@ -1,75 +0,0 @@
-import { Model, Document as MongooseDocument, Schema } from '@digitaldefiance/mongoose-types';
-import { IBaseDocument } from './documents/base';
-import { InvalidModelError } from './errors';
-
-export type ModelRegistration<T, U extends IBaseDocument<T>> = {
-  modelName: string;
-  schema: Schema;
-  model: Model<U>;
-  collection: string;
-  discriminators?: unknown;
-};
-
-class ModelRegistry {
-  protected static _instance: ModelRegistry;
-  protected _models: Map<string, ModelRegistration<any, IBaseDocument<any>>> =
-    new Map();
-
-  private constructor() {}
-
-  public static get instance(): ModelRegistry {
-    if (!ModelRegistry._instance) {
-      ModelRegistry._instance = new ModelRegistry();
-    }
-    return ModelRegistry._instance;
-  }
-
-  public register<T, U extends IBaseDocument<T>>(
-    registration: ModelRegistration<T, U>,
-  ): void {
-    this._models.set(
-      registration.modelName,
-      registration as ModelRegistration<T, U>,
-    );
-  }
-
-  public get<T, U extends IBaseDocument<T>>(
-    modelName: string,
-  ): ModelRegistration<T, U> {
-    const result = this._models.get(modelName) as ModelRegistration<T, U>;
-    if (result === undefined) {
-      throw new InvalidModelError(modelName);
-    }
-    return result;
-  }
-
-  public getTypedModel<TDoc extends MongooseDocument>(
-    modelName: string,
-  ): Model<TDoc> {
-    const result = this._models.get(modelName);
-    if (result === undefined) {
-      throw new InvalidModelError(modelName);
-    }
-    return result.model as Model<TDoc>;
-  }
-
-  public getTypedSchema<TDoc extends MongooseDocument>(
-    modelName: string,
-  ): Schema<TDoc> {
-    const result = this._models.get(modelName);
-    if (result === undefined) {
-      throw new InvalidModelError(modelName);
-    }
-    return result.schema as Schema<TDoc>;
-  }
-
-  public has(modelName: string): boolean {
-    return this._models.has(modelName);
-  }
-
-  public list(): string[] {
-    return Array.from(this._models.keys());
-  }
-}
-
-export { ModelRegistry };

package/src/models/email-token.ts

@@ -1,16 +0,0 @@
-import { Connection, Schema, Types } from '@digitaldefiance/mongoose-types';
-import { IEmailTokenDocument } from '../documents/email-token';
-import { BaseModelName } from '../enumerations';
-import { SchemaCollection } from '../enumerations/schema-collection';
-import { EmailTokenSchema } from '../schemas/email-token';
-
-export function EmailTokenModel(
-  connection: Connection,
-  modelName: string = BaseModelName.EmailToken,
-  collection: string = SchemaCollection.EmailToken,
-  schema: Schema = EmailTokenSchema,
-) {
-  return connection.model(modelName, schema, collection);
-}
-
-export default EmailTokenModel;

package/src/models/mnemonic.ts

@@ -1,16 +0,0 @@
-import { Connection, Schema, Types } from '@digitaldefiance/mongoose-types';
-import { IMnemonicDocument } from '../documents/mnemonic';
-import { BaseModelName } from '../enumerations';
-import { SchemaCollection } from '../enumerations/schema-collection';
-import { MnemonicSchema } from '../schemas/mnemonic';
-
-export function MnemonicModel(
-  connection: Connection,
-  modelName: string = BaseModelName.Mnemonic,
-  collection: string = SchemaCollection.Mnemonic,
-  schema: Schema = MnemonicSchema,
-) {
-  return connection.model(modelName, schema, collection);
-}
-
-export default MnemonicModel;

package/src/models/role.ts

@@ -1,16 +0,0 @@
-import { Connection, Schema, Types } from '@digitaldefiance/mongoose-types';
-import { IRoleDocument } from '../documents/role';
-import { BaseModelName } from '../enumerations';
-import { SchemaCollection } from '../enumerations/schema-collection';
-import { RoleSchema } from '../schemas/role';
-
-export function RoleModel(
-  connection: Connection,
-  modelName: string = BaseModelName.Role,
-  collection: string = SchemaCollection.Role,
-  schema: Schema = RoleSchema,
-) {
-  return connection.model(modelName, schema, collection);
-}
-
-export default RoleModel;

package/src/models/used-direct-login-token.ts

@@ -1,16 +0,0 @@
-import { Connection, Schema, Types } from '@digitaldefiance/mongoose-types';
-import { IUsedDirectLoginTokenDocument } from '../documents/used-direct-login-token';
-import { BaseModelName } from '../enumerations';
-import { SchemaCollection } from '../enumerations/schema-collection';
-import { UsedDirectLoginTokenSchema } from '../schemas/used-direct-login-token';
-
-export function UsedDirectLoginTokenModel(
-  connection: Connection,
-  modelName: string = BaseModelName.UsedDirectLoginToken,
-  collection: string = SchemaCollection.UsedDirectLoginToken,
-  schema: Schema = UsedDirectLoginTokenSchema,
-) {
-  return connection.model(modelName, schema, collection);
-}
-
-export default UsedDirectLoginTokenModel;

package/src/models/user-role.ts

@@ -1,14 +0,0 @@
-import { Connection, Model, Schema, Types } from '@digitaldefiance/mongoose-types';
-import { IUserRoleDocument } from '../documents/user-role';
-import { BaseModelName } from '../enumerations';
-import { SchemaCollection } from '../enumerations/schema-collection';
-import { UserRoleSchema } from '../schemas/user-role';
-
-export default function UserRoleModel(
-  connection: Connection,
-  modelName: string = BaseModelName.UserRole,
-  collection: string = SchemaCollection.UserRole,
-  schema: Schema = UserRoleSchema,
-): Model<any> {
-  return connection.model(modelName, schema, collection);
-}