@flowerforce/flowerbase 1.2.0 → 1.2.1-beta.11

package/src/features/triggers/utils.ts

@@ -7,6 +7,41 @@ import { readJsonContent } from '../../utils'
 import { GenerateContext } from '../../utils/context'
 import { HandlerParams, Trigger, Triggers } from './interface'
 
+const registerOnClose = (
+  app: HandlerParams['app'],
+  handler: () => Promise<void> | void,
+  label: string
+) => {
+  if (app.server) {
+    app.server.once('close', () => {
+      Promise.resolve(handler()).catch((error) => {
+        console.error(`${label} close error`, error)
+      })
+    })
+    return
+  }
+
+  try {
+    app.addHook('onClose', async () => {
+      try {
+        await handler()
+      } catch (error) {
+        console.error(`${label} close error`, error)
+      }
+    })
+  } catch (error) {
+    console.error(`${label} hook registration error`, error)
+  }
+}
+
+const shouldIgnoreStreamError = (error: unknown) => {
+  const err = error as { name?: string; message?: string }
+  if (err?.name === 'MongoClientClosedError') return true
+  if (err?.message?.includes('client was closed')) return true
+  if (err?.message?.includes('Client is closed')) return true
+  return false
+}
+
 /**
  * Loads trigger files from the specified directory and returns them as an array of objects.
  * Each object contains the file name and the parsed JSON content.
@@ -54,7 +89,7 @@ const handleCronTrigger = async ({
   services,
   app
 }: HandlerParams) => {
-  cron.schedule(config.schedule, async () => {
+  const task = cron.schedule(config.schedule, async () => {
     await GenerateContext({
       args: [],
       app,
@@ -65,6 +100,7 @@ const handleCronTrigger = async ({
       services
     })
   })
+  registerOnClose(app, () => task.stop(), 'Scheduled trigger')
 }
 
 const handleAuthenticationTrigger = async ({
@@ -75,51 +111,113 @@ const handleAuthenticationTrigger = async ({
   app
 }: HandlerParams) => {
   const { database } = config
+  const authCollection = AUTH_CONFIG.authCollection ?? 'auth_users'
+  const collection = app.mongo.client.db(database || DB_NAME).collection(authCollection)
   const pipeline = [
     {
       $match: {
-        operationType: { $in: ['insert'] }
+        operationType: { $in: ['insert', 'update', 'replace'] }
       }
     }
   ]
-  const changeStream = app.mongo.client
-    .db(database || DB_NAME)
-    .collection(AUTH_CONFIG.authCollection)
-    .watch(pipeline, {
-      fullDocument: 'whenAvailable'
-    })
+  const changeStream = collection.watch(pipeline, {
+    fullDocument: 'whenAvailable'
+  })
+  changeStream.on('error', (error) => {
+    if (shouldIgnoreStreamError(error)) return
+    console.error('Authentication trigger change stream error', error)
+  })
   changeStream.on('change', async function (change) {
-    const document = change['fullDocument' as keyof typeof change] as Record<
-      string,
-      string
-    > //TODO -> define user type
-
-    if (document) {
-      delete document.password
-
-      const currentUser = { ...document }
-      delete currentUser.password
-      await GenerateContext({
-        args: [{
-          user: {
-            ...currentUser,
-            id: currentUser._id.toString(),
-            data: {
-              _id: currentUser._id.toString(),
-              email: currentUser.email
-            }
-          }
-        }],
-        app,
-        rules: StateManager.select("rules"),
-        user: {},  // TODO from currentUser ??
-        currentFunction: triggerHandler,
-        functionsList,
-        services,
-        runAsSystem: true
-      })
+    const operationType = change['operationType' as keyof typeof change] as string | undefined
+    const documentKey = change['documentKey' as keyof typeof change] as
+      | { _id?: unknown }
+      | undefined
+    const fullDocument = change['fullDocument' as keyof typeof change] as
+      | Record<string, unknown>
+      | null
+    if (!documentKey?._id) {
+      return
+    }
+
+    const updateDescription = change[
+      'updateDescription' as keyof typeof change
+    ] as { updatedFields?: Record<string, unknown> } | undefined
+    const updatedStatus = updateDescription?.updatedFields?.status
+    let confirmedCandidate = false
+    let confirmedDocument =
+      fullDocument as Record<string, unknown> | null
+
+    if (operationType === 'update') {
+      if (updatedStatus === 'confirmed') {
+        confirmedCandidate = true
+      } else if (updatedStatus === undefined) {
+        const fetched = await collection.findOne({
+          _id: documentKey._id
+        }) as Record<string, unknown> | null
+        confirmedDocument = fetched ?? confirmedDocument
+        confirmedCandidate = (confirmedDocument as { status?: string } | null)?.status === 'confirmed'
+      }
+    } else {
+      confirmedCandidate = (confirmedDocument as { status?: string } | null)?.status === 'confirmed'
+    }
+
+    if (!confirmedCandidate) {
+      return
+    }
+
+    const updateResult = await collection.findOneAndUpdate(
+      {
+        _id: documentKey._id,
+        status: 'confirmed',
+        on_user_creation_triggered_at: { $exists: false }
+      },
+      {
+        $set: {
+          on_user_creation_triggered_at: new Date()
+        }
+      },
+      {
+        returnDocument: 'after'
+      }
+    )
+
+    const document =
+      (updateResult?.value as Record<string, unknown> | null) ?? confirmedDocument
+    if (!document) {
+      return
     }
+
+    delete (document as { password?: unknown }).password
+
+    const currentUser = { ...document }
+    delete (currentUser as { password?: unknown }).password
+    await GenerateContext({
+      args: [{
+        user: {
+          ...currentUser,
+          id: (currentUser as { _id: { toString: () => string } })._id.toString(),
+          data: {
+            _id: (currentUser as { _id: { toString: () => string } })._id.toString(),
+            email: (currentUser as { email?: string }).email
+          }
+        }
+      }],
+      app,
+      rules: StateManager.select("rules"),
+      user: {},  // TODO from currentUser ??
+      currentFunction: triggerHandler,
+      functionsList,
+      services,
+      runAsSystem: true
+    })
   })
+  registerOnClose(
+    app,
+    async () => {
+      await changeStream.close()
+    },
+    'Authentication trigger'
+  )
 }
 
 /**
@@ -175,6 +273,10 @@ const handleDataBaseTrigger = async ({
       ? 'whenAvailable'
       : undefined
   })
+  changeStream.on('error', (error) => {
+    if (shouldIgnoreStreamError(error)) return
+    console.error('Database trigger change stream error', error)
+  })
   changeStream.on('change', async function ({ clusterTime, ...change }) {
     await GenerateContext({
       args: [change],
@@ -186,7 +288,13 @@ const handleDataBaseTrigger = async ({
       services
     })
   })
-  // TODO -> gestire close dello stream
+  registerOnClose(
+    app,
+    async () => {
+      await changeStream.close()
+    },
+    'Database trigger'
+  )
 }
 
 export const TRIGGER_HANDLERS = {

package/src/index.ts

@@ -14,12 +14,22 @@ import { exposeRoutes } from './utils/initializer/exposeRoutes'
 import { registerPlugins } from './utils/initializer/registerPlugins'
 export * from './model'
 
+
+export type ALLOWED_METHODS = "GET" | "POST" | "PUT" | "DELETE"
+
+export type CorsConfig = {
+  origin: string
+  methods: ALLOWED_METHODS[]
+}
+
 export type InitializeConfig = {
   projectId: string
   mongodbUrl?: string
   jwtSecret?: string
   port?: number
   host?: string
+  corsConfig?: CorsConfig
+  basePath?: string
 }
 
 /**
@@ -35,26 +45,38 @@ export async function initialize({
   host = DEFAULT_CONFIG.HOST,
   jwtSecret = DEFAULT_CONFIG.JWT_SECRET,
   port = DEFAULT_CONFIG.PORT,
-  mongodbUrl = DEFAULT_CONFIG.MONGODB_URL
+  mongodbUrl = DEFAULT_CONFIG.MONGODB_URL,
+  corsConfig = DEFAULT_CONFIG.CORS_OPTIONS,
+  basePath
 }: InitializeConfig) {
+  if (!jwtSecret || jwtSecret.trim().length === 0) {
+    throw new Error('JWT secret missing: set JWT_SECRET or pass jwtSecret to initialize()')
+  }
+
+  const resolvedBasePath = basePath ?? require.main?.path ?? process.cwd()
   const fastify = Fastify({
     logger: !!DEFAULT_CONFIG.ENABLE_LOGGER
   })
 
-  const basePath = require.main?.path
-  console.log("BASE PATH", basePath)
+  const isTest = process.env.NODE_ENV === 'test' || process.env.JEST_WORKER_ID !== undefined
+  const logInfo = (...args: unknown[]) => {
+    if (!isTest) {
+      console.log(...args)
+    }
+  }
 
-  console.log("CURRENT PORT", port)
-  console.log("CURRENT HOST", host)
+  logInfo("BASE PATH", resolvedBasePath)
+  logInfo("CURRENT PORT", port)
+  logInfo("CURRENT HOST", host)
 
-  const functionsList = await loadFunctions(basePath)
-  console.log("Functions LOADED")
-  const triggersList = await loadTriggers(basePath)
-  console.log("Triggers LOADED")
-  const endpointsList = await loadEndpoints(basePath)
-  console.log("Endpoints LOADED")
-  const rulesList = await loadRules(basePath)
-  console.log("Rules LOADED")
+  const functionsList = await loadFunctions(resolvedBasePath)
+  logInfo("Functions LOADED")
+  const triggersList = await loadTriggers(resolvedBasePath)
+  logInfo("Triggers LOADED")
+  const endpointsList = await loadEndpoints(resolvedBasePath)
+  logInfo("Endpoints LOADED")
+  const rulesList = await loadRules(resolvedBasePath)
+  logInfo("Rules LOADED")
 
   const stateConfig = {
     functions: functionsList,
@@ -78,7 +100,33 @@ export async function initialize({
       deepLinking: false
     },
     uiHooks: {
-      onRequest: function (request, reply, next) { next() },
+      onRequest: function (request, reply, next) {
+        const swaggerUser = DEFAULT_CONFIG.SWAGGER_UI_USER
+        const swaggerPassword = DEFAULT_CONFIG.SWAGGER_UI_PASSWORD
+        if (!swaggerUser && !swaggerPassword) {
+          next()
+          return
+        }
+        const authHeader = request.headers.authorization
+        if (!authHeader || !authHeader.startsWith('Basic ')) {
+          reply
+            .code(401)
+            .header('WWW-Authenticate', 'Basic realm="Swagger UI"')
+            .send({ message: 'Unauthorized' })
+          return
+        }
+        const encoded = authHeader.slice('Basic '.length)
+        const decoded = Buffer.from(encoded, 'base64').toString('utf8')
+        const [user, pass] = decoded.split(':')
+        if (user !== swaggerUser || pass !== swaggerPassword) {
+          reply
+            .code(401)
+            .header('WWW-Authenticate', 'Basic realm="Swagger UI"')
+            .send({ message: 'Unauthorized' })
+          return
+        }
+        next()
+      },
       preHandler: function (request, reply, next) { next() }
     },
     staticCSP: true,
@@ -91,18 +139,19 @@ export async function initialize({
     register: fastify.register,
     mongodbUrl,
     jwtSecret,
-    functionsList
+    functionsList,
+    corsConfig
   })
 
-  console.log('Plugins registration COMPLETED')
+  logInfo('Plugins registration COMPLETED')
   await exposeRoutes(fastify)
-  console.log('APP Routes registration COMPLETED')
+  logInfo('APP Routes registration COMPLETED')
   await registerFunctions({ app: fastify, functionsList, rulesList })
-  console.log('Functions registration COMPLETED')
+  logInfo('Functions registration COMPLETED')
   await generateEndpoints({ app: fastify, functionsList, endpointsList, rulesList })
-  console.log('HTTP Endpoints registration COMPLETED')
+  logInfo('HTTP Endpoints registration COMPLETED')
   fastify.ready(() => {
-    console.log("FASTIFY IS READY")
+    logInfo("FASTIFY IS READY")
     if (triggersList?.length > 0) activateTriggers({ fastify, triggersList, functionsList })
   })
   await fastify.listen({ port, host })

package/src/services/mongodb-atlas/__tests__/findOneAndUpdate.test.ts

@@ -0,0 +1,95 @@
+import { Document, ObjectId } from 'mongodb'
+import MongoDbAtlas from '..'
+import { Role, Rules } from '../../../features/rules/interface'
+
+const createAppWithCollection = (collection: Record<string, unknown>) => ({
+  mongo: {
+    client: {
+      db: jest.fn().mockReturnValue({
+        collection: jest.fn().mockReturnValue(collection)
+      })
+    }
+  }
+})
+
+const createRules = (roleOverrides: Partial<Role> = {}): Rules => ({
+  todos: {
+    database: 'db',
+    collection: 'todos',
+    filters: [],
+    roles: [
+      {
+        name: 'owner',
+        apply_when: {},
+        insert: true,
+        delete: true,
+        search: true,
+        read: true,
+        write: true,
+        ...roleOverrides
+      }
+    ]
+  }
+})
+
+describe('mongodb-atlas findOneAndUpdate', () => {
+  it('applies write/read validation and returns the updated document', async () => {
+    const id = new ObjectId()
+    const existingDoc = { _id: id, title: 'Old', userId: 'user-1' }
+    const updatedDoc = { _id: id, title: 'New', userId: 'user-1' }
+    const findOne = jest.fn().mockResolvedValue(existingDoc)
+    const aggregate = jest.fn().mockReturnValue({
+      toArray: jest.fn().mockResolvedValue([updatedDoc])
+    })
+    const findOneAndUpdate = jest.fn().mockResolvedValue(updatedDoc)
+    const collection = {
+      collectionName: 'todos',
+      findOne,
+      aggregate,
+      findOneAndUpdate
+    }
+
+    const app = createAppWithCollection(collection)
+    const operators = MongoDbAtlas(app as any, {
+      rules: createRules(),
+      user: { id: 'user-1' }
+    })
+      .db('db')
+      .collection('todos')
+
+    const result = await operators.findOneAndUpdate({ _id: id }, { $set: { title: 'New' } })
+
+    expect(findOne).toHaveBeenCalled()
+    expect(aggregate).toHaveBeenCalled()
+    expect(findOneAndUpdate).toHaveBeenCalledWith(
+      { $and: [{ _id: id }] },
+      { $set: { title: 'New' } }
+    )
+    expect(result).toEqual(updatedDoc)
+  })
+
+  it('rejects updates when write permission is denied', async () => {
+    const id = new ObjectId()
+    const existingDoc = { _id: id, title: 'Old', userId: 'user-1' }
+    const findOne = jest.fn().mockResolvedValue(existingDoc)
+    const findOneAndUpdate = jest.fn()
+    const collection = {
+      collectionName: 'todos',
+      findOne,
+      findOneAndUpdate
+    }
+
+    const app = createAppWithCollection(collection)
+    const operators = MongoDbAtlas(app as any, {
+      rules: createRules({ write: false }),
+      user: { id: 'user-1' }
+    })
+      .db('db')
+      .collection('todos')
+
+    await expect(
+      operators.findOneAndUpdate({ _id: id }, { title: 'Denied' } as Document)
+    ).rejects.toThrow('Update not permitted')
+    expect(findOneAndUpdate).not.toHaveBeenCalled()
+  })
+})

package/src/services/mongodb-atlas/__tests__/utils.test.ts

@@ -0,0 +1,141 @@
+import { ensureClientPipelineStages, getHiddenFieldsFromRulesConfig, prependUnsetStage, applyAccessControlToPipeline } from '../utils'
+import { Role } from '../../../utils/roles/interface'
+
+describe('MongoDB Atlas aggregate helpers', () => {
+  describe('ensureClientPipelineStages', () => {
+    it('allows safe stages', () => {
+      expect(() =>
+        ensureClientPipelineStages([{ $match: { active: true } }])
+      ).not.toThrow()
+    })
+
+    it('throws when unsupported stage is used', () => {
+      expect(() =>
+        ensureClientPipelineStages([{ $replaceRoot: { newRoot: '$$ROOT' } }])
+      ).toThrow('Stage $replaceRoot is not allowed in client aggregate pipelines')
+    })
+
+    it('recurses into nested lookups and facets without throwing', () => {
+      const pipeline = [
+        {
+          $lookup: {
+            from: 'other',
+            localField: 'ref',
+            foreignField: '_id',
+            as: 'joined',
+            pipeline: [
+              {
+                $facet: {
+                  safe: [{ $match: { foo: 'bar' } }]
+                }
+              }
+            ]
+          }
+        }
+      ]
+
+      expect(() => ensureClientPipelineStages(pipeline)).not.toThrow()
+    })
+  })
+
+  describe('getHiddenFieldsFromRulesConfig', () => {
+    it('returns fields marked as unreadable', () => {
+      const roles: Role[] = [
+        {
+          name: 'demo',
+          apply_when: {},
+          insert: true,
+          delete: true,
+          search: true,
+          read: true,
+          write: true,
+          fields: {
+            secret: { read: false, write: false },
+            visible: { read: true, write: false }
+          },
+          additional_fields: {
+            hiddenExtra: { read: false, write: false }
+          }
+        }
+      ]
+
+      const hidden = getHiddenFieldsFromRulesConfig({
+        roles
+      })
+
+      expect(hidden).toEqual(expect.arrayContaining(['secret', 'hiddenExtra']))
+      expect(hidden).not.toContain('visible')
+    })
+  })
+
+  describe('prependUnsetStage', () => {
+    it('inserts an $unset stage when hidden fields are present', () => {
+      const pipeline = [{ $match: { active: true } }]
+      const result = prependUnsetStage(pipeline, ['password', 'secret'])
+
+      expect(result[0]).toEqual({ $unset: ['password', 'secret'] })
+      expect(result[1]).toEqual(pipeline[0])
+    })
+
+    it('returns original pipeline if no hidden fields exist', () => {
+      const pipeline = [{ $match: { active: true } }]
+      expect(prependUnsetStage(pipeline, [])).toEqual(pipeline)
+    })
+  })
+
+  describe('applyAccessControlToPipeline', () => {
+    it('prepends hidden-field $unset inside lookup pipelines for client requests', () => {
+      const rules = {
+        main: {
+          filters: [],
+          roles: []
+        },
+        other: {
+          filters: [],
+          roles: [
+            {
+              name: 'lookup-role',
+              apply_when: {},
+              insert: true,
+              delete: true,
+              search: true,
+              read: true,
+              write: true,
+              fields: {
+                secretField: { read: false, write: false }
+              },
+              additional_fields: {
+                secretAux: { read: false, write: false }
+              }
+            }
+          ]
+        }
+      }
+
+      const pipeline = [
+        {
+          $lookup: {
+            from: 'other',
+            localField: 'ref',
+            foreignField: '_id',
+            as: 'joined',
+            pipeline: [{ $match: { active: true } }]
+          }
+        }
+      ]
+
+      const sanitized = applyAccessControlToPipeline(
+        pipeline,
+        rules,
+        {},
+        'main',
+        { isClientPipeline: true }
+      )
+
+      const lookupPipeline = sanitized[0].$lookup.pipeline
+      expect(lookupPipeline?.[0]).toEqual({
+        $unset: ['secretField', 'secretAux']
+      })
+    })
+  })
+})