@dismissible/nestjs-api 0.0.2-canary.8976e84.0 → 0.0.2-canary.c91edbc.0

package/src/app-test.factory.ts

@@ -1,5 +1,6 @@
 import { Test, TestingModuleBuilder } from '@nestjs/testing';
 import { INestApplication } from '@nestjs/common';
+import { FastifyAdapter, NestFastifyApplication } from '@nestjs/platform-fastify';
 import { AppModule, AppModuleOptions } from './app.module';
 import { configureApp } from './app.setup';
 import { PrismaService } from '@dismissible/nestjs-postgres-storage';
@@ -19,10 +20,16 @@ export async function createTestApp(options?: TestAppOptions): Promise<INestAppl
   }
 
   const moduleFixture = await builder.compile();
-  const app = moduleFixture.createNestApplication();
+  const app = moduleFixture.createNestApplication<NestFastifyApplication>(
+    new FastifyAdapter({
+      bodyLimit: 10 * 1024, // 10kb
+    }),
+  );
   await configureApp(app);
   await app.init();
 
+  await app.getHttpAdapter().getInstance().ready();
+
   return app;
 }
 

package/src/app.e2e-spec.ts

@@ -16,8 +16,8 @@ describe('Dismissible API (e2e)', () => {
   });
 
   afterAll(async () => {
-    await app.close();
     await cleanupTestData(app);
+    await app.close();
   });
 
   describe('GET /v1/user/:userId/dismissible-item/:id (get-or-create)', () => {

package/src/app.setup.ts

@@ -1,7 +1,43 @@
 import { INestApplication, ValidationPipe } from '@nestjs/common';
+import { NestFastifyApplication } from '@nestjs/platform-fastify';
+import fastifyHelmet from '@fastify/helmet';
 import { SwaggerConfig, configureAppWithSwagger } from './swagger';
+import { CorsConfig } from './cors';
+import { HelmetConfig } from './helmet';
 
 export async function configureApp(app: INestApplication): Promise<void> {
+  const fastifyApp = app as NestFastifyApplication;
+
+  // Security headers via @fastify/helmet
+  const helmetConfig = app.get(HelmetConfig);
+  if (helmetConfig.enabled) {
+    await fastifyApp.register(fastifyHelmet, {
+      contentSecurityPolicy: helmetConfig.contentSecurityPolicy ?? true,
+      crossOriginEmbedderPolicy: helmetConfig.crossOriginEmbedderPolicy ?? true,
+      hsts: {
+        maxAge: helmetConfig.hstsMaxAge ?? 31536000, // 1 year
+        includeSubDomains: helmetConfig.hstsIncludeSubDomains ?? true,
+        preload: helmetConfig.hstsPreload ?? false,
+      },
+    });
+  }
+
+  // CORS Configuration
+  const corsConfig = app.get(CorsConfig);
+  if (corsConfig.enabled) {
+    app.enableCors({
+      origin: corsConfig.origins ?? ['http://localhost:3000'],
+      methods: corsConfig.methods ?? ['GET', 'POST', 'DELETE', 'OPTIONS'],
+      allowedHeaders: corsConfig.allowedHeaders ?? [
+        'Content-Type',
+        'Authorization',
+        'x-request-id',
+      ],
+      credentials: corsConfig.credentials ?? true,
+      maxAge: corsConfig.maxAge ?? 86400,
+    });
+  }
+
   // Global validation pipe for request validation
   app.useGlobalPipes(
     new ValidationPipe({

package/src/bootstrap.ts

@@ -1,4 +1,5 @@
 import { NestFactory } from '@nestjs/core';
+import { FastifyAdapter, NestFastifyApplication } from '@nestjs/platform-fastify';
 import { AppModule } from './app.module';
 import { ServerConfig } from './server/server.config';
 import { configureApp } from './app.setup';
@@ -13,12 +14,16 @@ export type IBootstrapOptions = {
 };
 
 export async function bootstrap(options?: IBootstrapOptions) {
-  const app = await NestFactory.create(AppModule.forRoot(options));
-
+  const app = await NestFactory.create<NestFastifyApplication>(
+    AppModule.forRoot(options),
+    new FastifyAdapter({
+      bodyLimit: 10 * 1024, // 10kb
+    }),
+  );
   await configureApp(app);
 
   const serverConfig = app.get(ServerConfig);
   const port = serverConfig.port ?? 3000;
-  await app.listen(port);
+  await app.listen(port, '0.0.0.0');
   console.log(`🚀 Application is running on: http://localhost:${port}`);
 }

package/src/config/default-app.config.ts

@@ -1,9 +1,19 @@
 import { ValidateNested } from 'class-validator';
 import { Type } from 'class-transformer';
 import { ServerConfig } from '../server/server.config';
+import { CorsConfig } from '../cors';
+import { HelmetConfig } from '../helmet';
 
 export class DefaultAppConfig {
   @ValidateNested()
   @Type(() => ServerConfig)
   public readonly server!: ServerConfig;
+
+  @ValidateNested()
+  @Type(() => CorsConfig)
+  public readonly cors!: CorsConfig;
+
+  @ValidateNested()
+  @Type(() => HelmetConfig)
+  public readonly helmet!: HelmetConfig;
 }

package/src/cors/cors.config.spec.ts

@@ -0,0 +1,162 @@
+import 'reflect-metadata';
+import { plainToInstance } from 'class-transformer';
+import { validate } from 'class-validator';
+import { CorsConfig } from './cors.config';
+
+describe('CorsConfig', () => {
+  describe('enabled', () => {
+    it('should transform string "true" to boolean true', () => {
+      const config = plainToInstance(CorsConfig, { enabled: 'true' });
+      expect(config.enabled).toBe(true);
+    });
+
+    it('should transform string "false" to boolean false', () => {
+      const config = plainToInstance(CorsConfig, { enabled: 'false' });
+      expect(config.enabled).toBe(false);
+    });
+
+    it('should keep boolean true as true', () => {
+      const config = plainToInstance(CorsConfig, { enabled: true });
+      expect(config.enabled).toBe(true);
+    });
+
+    it('should keep boolean false as false', () => {
+      const config = plainToInstance(CorsConfig, { enabled: false });
+      expect(config.enabled).toBe(false);
+    });
+  });
+
+  describe('origins', () => {
+    it('should transform comma-separated string to array', () => {
+      const config = plainToInstance(CorsConfig, {
+        enabled: true,
+        origins: 'http://localhost:3000,http://localhost:4000',
+      });
+      expect(config.origins).toEqual(['http://localhost:3000', 'http://localhost:4000']);
+    });
+
+    it('should trim whitespace from origins', () => {
+      const config = plainToInstance(CorsConfig, {
+        enabled: true,
+        origins: 'http://localhost:3000 , http://localhost:4000 ',
+      });
+      expect(config.origins).toEqual(['http://localhost:3000', 'http://localhost:4000']);
+    });
+
+    it('should handle single origin string', () => {
+      const config = plainToInstance(CorsConfig, {
+        enabled: true,
+        origins: 'http://localhost:3000',
+      });
+      expect(config.origins).toEqual(['http://localhost:3000']);
+    });
+
+    it('should keep array as array', () => {
+      const config = plainToInstance(CorsConfig, {
+        enabled: true,
+        origins: ['http://localhost:3000', 'http://localhost:4000'],
+      });
+      expect(config.origins).toEqual(['http://localhost:3000', 'http://localhost:4000']);
+    });
+  });
+
+  describe('methods', () => {
+    it('should transform comma-separated string to array', () => {
+      const config = plainToInstance(CorsConfig, {
+        enabled: true,
+        methods: 'GET,POST,DELETE',
+      });
+      expect(config.methods).toEqual(['GET', 'POST', 'DELETE']);
+    });
+
+    it('should trim whitespace from methods', () => {
+      const config = plainToInstance(CorsConfig, {
+        enabled: true,
+        methods: 'GET , POST , DELETE',
+      });
+      expect(config.methods).toEqual(['GET', 'POST', 'DELETE']);
+    });
+  });
+
+  describe('allowedHeaders', () => {
+    it('should transform comma-separated string to array', () => {
+      const config = plainToInstance(CorsConfig, {
+        enabled: true,
+        allowedHeaders: 'Content-Type,Authorization,x-request-id',
+      });
+      expect(config.allowedHeaders).toEqual(['Content-Type', 'Authorization', 'x-request-id']);
+    });
+
+    it('should trim whitespace from headers', () => {
+      const config = plainToInstance(CorsConfig, {
+        enabled: true,
+        allowedHeaders: 'Content-Type , Authorization , x-request-id',
+      });
+      expect(config.allowedHeaders).toEqual(['Content-Type', 'Authorization', 'x-request-id']);
+    });
+  });
+
+  describe('credentials', () => {
+    it('should transform string "true" to boolean true', () => {
+      const config = plainToInstance(CorsConfig, { enabled: true, credentials: 'true' });
+      expect(config.credentials).toBe(true);
+    });
+
+    it('should transform string "false" to boolean false', () => {
+      const config = plainToInstance(CorsConfig, { enabled: true, credentials: 'false' });
+      expect(config.credentials).toBe(false);
+    });
+
+    it('should keep boolean values unchanged', () => {
+      const configTrue = plainToInstance(CorsConfig, { enabled: true, credentials: true });
+      const configFalse = plainToInstance(CorsConfig, { enabled: true, credentials: false });
+      expect(configTrue.credentials).toBe(true);
+      expect(configFalse.credentials).toBe(false);
+    });
+  });
+
+  describe('maxAge', () => {
+    it('should transform string to number', () => {
+      const config = plainToInstance(CorsConfig, { enabled: true, maxAge: '86400' });
+      expect(config.maxAge).toBe(86400);
+    });
+
+    it('should keep number unchanged', () => {
+      const config = plainToInstance(CorsConfig, { enabled: true, maxAge: 3600 });
+      expect(config.maxAge).toBe(3600);
+    });
+  });
+
+  describe('validation', () => {
+    it('should pass validation with valid config', async () => {
+      const config = plainToInstance(CorsConfig, {
+        enabled: true,
+        origins: ['http://localhost:3000'],
+        methods: ['GET', 'POST'],
+        allowedHeaders: ['Content-Type'],
+        credentials: true,
+        maxAge: 86400,
+      });
+
+      const errors = await validate(config);
+      expect(errors).toHaveLength(0);
+    });
+
+    it('should pass validation with only required fields', async () => {
+      const config = plainToInstance(CorsConfig, {
+        enabled: true,
+      });
+
+      const errors = await validate(config);
+      expect(errors).toHaveLength(0);
+    });
+
+    it('should fail validation when enabled is missing', async () => {
+      const config = plainToInstance(CorsConfig, {});
+
+      const errors = await validate(config);
+      expect(errors.length).toBeGreaterThan(0);
+      expect(errors[0].property).toBe('enabled');
+    });
+  });
+});

package/src/cors/cors.config.ts

@@ -0,0 +1,37 @@
+import { IsArray, IsBoolean, IsNumber, IsOptional, IsString } from 'class-validator';
+import { Type } from 'class-transformer';
+import { TransformBoolean, TransformCommaSeparated } from '../utils';
+
+export class CorsConfig {
+  @IsBoolean()
+  @TransformBoolean()
+  public readonly enabled!: boolean;
+
+  @IsArray()
+  @IsString({ each: true })
+  @IsOptional()
+  @TransformCommaSeparated()
+  public readonly origins?: string[];
+
+  @IsArray()
+  @IsString({ each: true })
+  @IsOptional()
+  @TransformCommaSeparated()
+  public readonly methods?: string[];
+
+  @IsArray()
+  @IsString({ each: true })
+  @IsOptional()
+  @TransformCommaSeparated()
+  public readonly allowedHeaders?: string[];
+
+  @IsBoolean()
+  @IsOptional()
+  @TransformBoolean()
+  public readonly credentials?: boolean;
+
+  @IsNumber()
+  @IsOptional()
+  @Type(() => Number)
+  public readonly maxAge?: number;
+}

package/src/cors/index.ts

@@ -0,0 +1 @@
+export * from './cors.config';

package/src/health/health.controller.spec.ts

@@ -1,48 +1,24 @@
-import { mock, Mock } from 'ts-jest-mocker';
 import { HealthController } from './health.controller';
-import { HealthService } from './health.service';
 
 describe('HealthController', () => {
   let controller: HealthController;
-  let healthService: Mock<HealthService>;
 
   beforeEach(() => {
-    healthService = mock<HealthService>({
-      failIfMockNotProvided: false,
-    });
-    controller = new HealthController(healthService);
+    jest.useFakeTimers();
+    jest.setSystemTime(new Date('2024-01-20T15:30:00.000Z'));
+    controller = new HealthController();
   });
 
-  describe('getHealth', () => {
-    it('should return health status from service', () => {
-      const mockHealth = {
-        status: 'ok',
-        timestamp: '2024-01-15T10:00:00.000Z',
-        uptime: 123.45,
-      };
-
-      healthService.getHealth.mockReturnValue(mockHealth);
-
-      const result = controller.getHealth();
-
-      expect(result).toEqual(mockHealth);
-      expect(healthService.getHealth).toHaveBeenCalledTimes(1);
-    });
+  afterEach(() => {
+    jest.useRealTimers();
+  });
 
+  describe('getHealth', () => {
     it('should return the exact response from service', () => {
-      const mockHealth = {
-        status: 'ok',
-        timestamp: '2024-01-20T15:30:00.000Z',
-        uptime: 999.99,
-      };
-
-      healthService.getHealth.mockReturnValue(mockHealth);
-
       const result = controller.getHealth();
 
       expect(result.status).toBe('ok');
       expect(result.timestamp).toBe('2024-01-20T15:30:00.000Z');
-      expect(result.uptime).toBe(999.99);
     });
   });
 });

package/src/health/health.controller.ts

@@ -1,17 +1,16 @@
 import { Controller, Get, HttpCode, HttpStatus } from '@nestjs/common';
-import { HealthService } from './health.service';
 
 @Controller('health')
 export class HealthController {
-  constructor(private readonly healthService: HealthService) {}
-
   @Get()
   @HttpCode(HttpStatus.OK)
   getHealth(): {
     status: string;
     timestamp: string;
-    uptime: number;
   } {
-    return this.healthService.getHealth();
+    return {
+      status: 'ok',
+      timestamp: new Date().toISOString(),
+    };
   }
 }

package/src/health/health.module.ts

@@ -1,10 +1,9 @@
 import { Module } from '@nestjs/common';
 import { HealthController } from './health.controller';
-import { HealthService } from './health.service';
 
 @Module({
   controllers: [HealthController],
-  providers: [HealthService],
-  exports: [HealthService],
+  providers: [],
+  exports: [],
 })
 export class HealthModule {}

package/src/health/index.ts

@@ -1,3 +1,2 @@
 export * from './health.module';
 export * from './health.controller';
-export * from './health.service';

package/src/helmet/helmet.config.spec.ts

@@ -0,0 +1,197 @@
+import 'reflect-metadata';
+import { plainToInstance } from 'class-transformer';
+import { validate } from 'class-validator';
+import { HelmetConfig } from './helmet.config';
+
+describe('HelmetConfig', () => {
+  describe('enabled', () => {
+    it('should transform string "true" to boolean true', () => {
+      const config = plainToInstance(HelmetConfig, { enabled: 'true' });
+      expect(config.enabled).toBe(true);
+    });
+
+    it('should transform string "false" to boolean false', () => {
+      const config = plainToInstance(HelmetConfig, { enabled: 'false' });
+      expect(config.enabled).toBe(false);
+    });
+
+    it('should keep boolean true as true', () => {
+      const config = plainToInstance(HelmetConfig, { enabled: true });
+      expect(config.enabled).toBe(true);
+    });
+
+    it('should keep boolean false as false', () => {
+      const config = plainToInstance(HelmetConfig, { enabled: false });
+      expect(config.enabled).toBe(false);
+    });
+  });
+
+  describe('contentSecurityPolicy', () => {
+    it('should transform string "true" to boolean true', () => {
+      const config = plainToInstance(HelmetConfig, {
+        enabled: true,
+        contentSecurityPolicy: 'true',
+      });
+      expect(config.contentSecurityPolicy).toBe(true);
+    });
+
+    it('should transform string "false" to boolean false', () => {
+      const config = plainToInstance(HelmetConfig, {
+        enabled: true,
+        contentSecurityPolicy: 'false',
+      });
+      expect(config.contentSecurityPolicy).toBe(false);
+    });
+
+    it('should keep boolean values unchanged', () => {
+      const configTrue = plainToInstance(HelmetConfig, {
+        enabled: true,
+        contentSecurityPolicy: true,
+      });
+      const configFalse = plainToInstance(HelmetConfig, {
+        enabled: true,
+        contentSecurityPolicy: false,
+      });
+      expect(configTrue.contentSecurityPolicy).toBe(true);
+      expect(configFalse.contentSecurityPolicy).toBe(false);
+    });
+  });
+
+  describe('crossOriginEmbedderPolicy', () => {
+    it('should transform string "true" to boolean true', () => {
+      const config = plainToInstance(HelmetConfig, {
+        enabled: true,
+        crossOriginEmbedderPolicy: 'true',
+      });
+      expect(config.crossOriginEmbedderPolicy).toBe(true);
+    });
+
+    it('should transform string "false" to boolean false', () => {
+      const config = plainToInstance(HelmetConfig, {
+        enabled: true,
+        crossOriginEmbedderPolicy: 'false',
+      });
+      expect(config.crossOriginEmbedderPolicy).toBe(false);
+    });
+
+    it('should keep boolean values unchanged', () => {
+      const configTrue = plainToInstance(HelmetConfig, {
+        enabled: true,
+        crossOriginEmbedderPolicy: true,
+      });
+      const configFalse = plainToInstance(HelmetConfig, {
+        enabled: true,
+        crossOriginEmbedderPolicy: false,
+      });
+      expect(configTrue.crossOriginEmbedderPolicy).toBe(true);
+      expect(configFalse.crossOriginEmbedderPolicy).toBe(false);
+    });
+  });
+
+  describe('hstsMaxAge', () => {
+    it('should transform string to number', () => {
+      const config = plainToInstance(HelmetConfig, { enabled: true, hstsMaxAge: '31536000' });
+      expect(config.hstsMaxAge).toBe(31536000);
+    });
+
+    it('should keep number unchanged', () => {
+      const config = plainToInstance(HelmetConfig, { enabled: true, hstsMaxAge: 86400 });
+      expect(config.hstsMaxAge).toBe(86400);
+    });
+  });
+
+  describe('hstsIncludeSubDomains', () => {
+    it('should transform string "true" to boolean true', () => {
+      const config = plainToInstance(HelmetConfig, {
+        enabled: true,
+        hstsIncludeSubDomains: 'true',
+      });
+      expect(config.hstsIncludeSubDomains).toBe(true);
+    });
+
+    it('should transform string "false" to boolean false', () => {
+      const config = plainToInstance(HelmetConfig, {
+        enabled: true,
+        hstsIncludeSubDomains: 'false',
+      });
+      expect(config.hstsIncludeSubDomains).toBe(false);
+    });
+
+    it('should keep boolean values unchanged', () => {
+      const configTrue = plainToInstance(HelmetConfig, {
+        enabled: true,
+        hstsIncludeSubDomains: true,
+      });
+      const configFalse = plainToInstance(HelmetConfig, {
+        enabled: true,
+        hstsIncludeSubDomains: false,
+      });
+      expect(configTrue.hstsIncludeSubDomains).toBe(true);
+      expect(configFalse.hstsIncludeSubDomains).toBe(false);
+    });
+  });
+
+  describe('hstsPreload', () => {
+    it('should transform string "true" to boolean true', () => {
+      const config = plainToInstance(HelmetConfig, {
+        enabled: true,
+        hstsPreload: 'true',
+      });
+      expect(config.hstsPreload).toBe(true);
+    });
+
+    it('should transform string "false" to boolean false', () => {
+      const config = plainToInstance(HelmetConfig, {
+        enabled: true,
+        hstsPreload: 'false',
+      });
+      expect(config.hstsPreload).toBe(false);
+    });
+
+    it('should keep boolean values unchanged', () => {
+      const configTrue = plainToInstance(HelmetConfig, {
+        enabled: true,
+        hstsPreload: true,
+      });
+      const configFalse = plainToInstance(HelmetConfig, {
+        enabled: true,
+        hstsPreload: false,
+      });
+      expect(configTrue.hstsPreload).toBe(true);
+      expect(configFalse.hstsPreload).toBe(false);
+    });
+  });
+
+  describe('validation', () => {
+    it('should pass validation with valid config', async () => {
+      const config = plainToInstance(HelmetConfig, {
+        enabled: true,
+        contentSecurityPolicy: true,
+        crossOriginEmbedderPolicy: true,
+        hstsMaxAge: 31536000,
+        hstsIncludeSubDomains: true,
+        hstsPreload: false,
+      });
+
+      const errors = await validate(config);
+      expect(errors).toHaveLength(0);
+    });
+
+    it('should pass validation with only required fields', async () => {
+      const config = plainToInstance(HelmetConfig, {
+        enabled: true,
+      });
+
+      const errors = await validate(config);
+      expect(errors).toHaveLength(0);
+    });
+
+    it('should fail validation when enabled is missing', async () => {
+      const config = plainToInstance(HelmetConfig, {});
+
+      const errors = await validate(config);
+      expect(errors.length).toBeGreaterThan(0);
+      expect(errors[0].property).toBe('enabled');
+    });
+  });
+});

package/src/helmet/helmet.config.ts

@@ -0,0 +1,60 @@
+import { IsBoolean, IsNumber, IsOptional } from 'class-validator';
+import { Type } from 'class-transformer';
+import { TransformBoolean } from '../utils';
+
+/**
+ * @see https://helmetjs.github.io/
+ */
+export class HelmetConfig {
+  /**
+   * Whether to enable Helmet middleware
+   */
+  @IsBoolean()
+  @TransformBoolean()
+  public readonly enabled!: boolean;
+
+  /**
+   * Whether to enable Content-Security-Policy header.
+   * @default true
+   */
+  @IsBoolean()
+  @IsOptional()
+  @TransformBoolean()
+  public readonly contentSecurityPolicy?: boolean;
+
+  /**
+   * Whether to enable Cross-Origin-Embedder-Policy header.
+   * @default true
+   */
+  @IsBoolean()
+  @IsOptional()
+  @TransformBoolean()
+  public readonly crossOriginEmbedderPolicy?: boolean;
+
+  /**
+   * HSTS max-age in seconds.
+   * @default 31536000 (1 year)
+   */
+  @IsNumber()
+  @IsOptional()
+  @Type(() => Number)
+  public readonly hstsMaxAge?: number;
+
+  /**
+   * Whether to include subdomains in HSTS header.
+   * @default true
+   */
+  @IsBoolean()
+  @IsOptional()
+  @TransformBoolean()
+  public readonly hstsIncludeSubDomains?: boolean;
+
+  /**
+   * Whether to add HSTS preload directive.
+   * @default false
+   */
+  @IsBoolean()
+  @IsOptional()
+  @TransformBoolean()
+  public readonly hstsPreload?: boolean;
+}

package/src/helmet/index.ts

@@ -0,0 +1 @@
+export * from './helmet.config';