@flowerforce/flowerbase 1.2.1-beta.2 → 1.2.1-beta.20

package/src/index.ts

@@ -49,24 +49,34 @@ export async function initialize({
   corsConfig = DEFAULT_CONFIG.CORS_OPTIONS,
   basePath
 }: InitializeConfig) {
+  if (!jwtSecret || jwtSecret.trim().length === 0) {
+    throw new Error('JWT secret missing: set JWT_SECRET or pass jwtSecret to initialize()')
+  }
+
   const resolvedBasePath = basePath ?? require.main?.path ?? process.cwd()
   const fastify = Fastify({
     logger: !!DEFAULT_CONFIG.ENABLE_LOGGER
   })
 
-  console.log("BASE PATH", resolvedBasePath)
+  const isTest = process.env.NODE_ENV === 'test' || process.env.JEST_WORKER_ID !== undefined
+  const logInfo = (...args: unknown[]) => {
+    if (!isTest) {
+      console.log(...args)
+    }
+  }
 
-  console.log("CURRENT PORT", port)
-  console.log("CURRENT HOST", host)
+  logInfo("BASE PATH", resolvedBasePath)
+  logInfo("CURRENT PORT", port)
+  logInfo("CURRENT HOST", host)
 
   const functionsList = await loadFunctions(resolvedBasePath)
-  console.log("Functions LOADED")
+  logInfo("Functions LOADED")
   const triggersList = await loadTriggers(resolvedBasePath)
-  console.log("Triggers LOADED")
+  logInfo("Triggers LOADED")
   const endpointsList = await loadEndpoints(resolvedBasePath)
-  console.log("Endpoints LOADED")
+  logInfo("Endpoints LOADED")
   const rulesList = await loadRules(resolvedBasePath)
-  console.log("Rules LOADED")
+  logInfo("Rules LOADED")
 
   const stateConfig = {
     functions: functionsList,
@@ -90,7 +100,33 @@ export async function initialize({
       deepLinking: false
     },
     uiHooks: {
-      onRequest: function (request, reply, next) { next() },
+      onRequest: function (request, reply, next) {
+        const swaggerUser = DEFAULT_CONFIG.SWAGGER_UI_USER
+        const swaggerPassword = DEFAULT_CONFIG.SWAGGER_UI_PASSWORD
+        if (!swaggerUser && !swaggerPassword) {
+          next()
+          return
+        }
+        const authHeader = request.headers.authorization
+        if (!authHeader || !authHeader.startsWith('Basic ')) {
+          reply
+            .code(401)
+            .header('WWW-Authenticate', 'Basic realm="Swagger UI"')
+            .send({ message: 'Unauthorized' })
+          return
+        }
+        const encoded = authHeader.slice('Basic '.length)
+        const decoded = Buffer.from(encoded, 'base64').toString('utf8')
+        const [user, pass] = decoded.split(':')
+        if (user !== swaggerUser || pass !== swaggerPassword) {
+          reply
+            .code(401)
+            .header('WWW-Authenticate', 'Basic realm="Swagger UI"')
+            .send({ message: 'Unauthorized' })
+          return
+        }
+        next()
+      },
       preHandler: function (request, reply, next) { next() }
     },
     staticCSP: true,
@@ -107,15 +143,15 @@ export async function initialize({
     corsConfig
   })
 
-  console.log('Plugins registration COMPLETED')
+  logInfo('Plugins registration COMPLETED')
   await exposeRoutes(fastify)
-  console.log('APP Routes registration COMPLETED')
+  logInfo('APP Routes registration COMPLETED')
   await registerFunctions({ app: fastify, functionsList, rulesList })
-  console.log('Functions registration COMPLETED')
+  logInfo('Functions registration COMPLETED')
   await generateEndpoints({ app: fastify, functionsList, endpointsList, rulesList })
-  console.log('HTTP Endpoints registration COMPLETED')
+  logInfo('HTTP Endpoints registration COMPLETED')
   fastify.ready(() => {
-    console.log("FASTIFY IS READY")
+    logInfo("FASTIFY IS READY")
     if (triggersList?.length > 0) activateTriggers({ fastify, triggersList, functionsList })
   })
   await fastify.listen({ port, host })

package/src/services/mongodb-atlas/__tests__/findOneAndUpdate.test.ts

@@ -0,0 +1,95 @@
+import { Document, ObjectId } from 'mongodb'
+import MongoDbAtlas from '..'
+import { Role, Rules } from '../../../features/rules/interface'
+
+const createAppWithCollection = (collection: Record<string, unknown>) => ({
+  mongo: {
+    client: {
+      db: jest.fn().mockReturnValue({
+        collection: jest.fn().mockReturnValue(collection)
+      })
+    }
+  }
+})
+
+const createRules = (roleOverrides: Partial<Role> = {}): Rules => ({
+  todos: {
+    database: 'db',
+    collection: 'todos',
+    filters: [],
+    roles: [
+      {
+        name: 'owner',
+        apply_when: {},
+        insert: true,
+        delete: true,
+        search: true,
+        read: true,
+        write: true,
+        ...roleOverrides
+      }
+    ]
+  }
+})
+
+describe('mongodb-atlas findOneAndUpdate', () => {
+  it('applies write/read validation and returns the updated document', async () => {
+    const id = new ObjectId()
+    const existingDoc = { _id: id, title: 'Old', userId: 'user-1' }
+    const updatedDoc = { _id: id, title: 'New', userId: 'user-1' }
+    const findOne = jest.fn().mockResolvedValue(existingDoc)
+    const aggregate = jest.fn().mockReturnValue({
+      toArray: jest.fn().mockResolvedValue([updatedDoc])
+    })
+    const findOneAndUpdate = jest.fn().mockResolvedValue(updatedDoc)
+    const collection = {
+      collectionName: 'todos',
+      findOne,
+      aggregate,
+      findOneAndUpdate
+    }
+
+    const app = createAppWithCollection(collection)
+    const operators = MongoDbAtlas(app as any, {
+      rules: createRules(),
+      user: { id: 'user-1' }
+    })
+      .db('db')
+      .collection('todos')
+
+    const result = await operators.findOneAndUpdate({ _id: id }, { $set: { title: 'New' } })
+
+    expect(findOne).toHaveBeenCalled()
+    expect(aggregate).toHaveBeenCalled()
+    expect(findOneAndUpdate).toHaveBeenCalledWith(
+      { $and: [{ _id: id }] },
+      { $set: { title: 'New' } }
+    )
+    expect(result).toEqual(updatedDoc)
+  })
+
+  it('rejects updates when write permission is denied', async () => {
+    const id = new ObjectId()
+    const existingDoc = { _id: id, title: 'Old', userId: 'user-1' }
+    const findOne = jest.fn().mockResolvedValue(existingDoc)
+    const findOneAndUpdate = jest.fn()
+    const collection = {
+      collectionName: 'todos',
+      findOne,
+      findOneAndUpdate
+    }
+
+    const app = createAppWithCollection(collection)
+    const operators = MongoDbAtlas(app as any, {
+      rules: createRules({ write: false }),
+      user: { id: 'user-1' }
+    })
+      .db('db')
+      .collection('todos')
+
+    await expect(
+      operators.findOneAndUpdate({ _id: id }, { title: 'Denied' } as Document)
+    ).rejects.toThrow('Update not permitted')
+    expect(findOneAndUpdate).not.toHaveBeenCalled()
+  })
+})

package/src/services/mongodb-atlas/index.ts

@@ -1,5 +1,13 @@
 import isEqual from 'lodash/isEqual'
-import { Collection, Document, EventsDescription, WithId } from 'mongodb'
+import {
+  Collection,
+  Document,
+  EventsDescription,
+  Filter as MongoFilter,
+  FindOneAndUpdateOptions,
+  UpdateFilter,
+  WithId
+} from 'mongodb'
 import { checkValidation } from '../../utils/roles/machines'
 import { getWinningRole } from '../../utils/roles/machines/utils'
 import { CRUD_OPERATIONS, GetOperatorsFunction, MongodbAtlasFunction } from './model'
@@ -305,6 +313,96 @@ const getOperators: GetOperatorsFunction = (
     }
     return collection.updateOne(query, data, options)
   },
+  /**
+   * Finds and updates a single document with role-based validation and access control.
+   *
+   * @param {Filter<Document>} query - The MongoDB query used to match the document to update.
+   * @param {UpdateFilter<Document> | Partial<Document>} data - The update operations or replacement document.
+   * @param {FindOneAndUpdateOptions} [options] - Optional settings for the findOneAndUpdate operation.
+   * @returns {Promise<FindAndModifyResult<Document>>} The result of the findOneAndUpdate operation.
+   *
+   * @throws {Error} If the user is not authorized to update the document.
+   */
+  findOneAndUpdate: async (
+    query: MongoFilter<Document>,
+    data: UpdateFilter<Document> | Document[],
+    options?: FindOneAndUpdateOptions
+  ) => {
+    if (!run_as_system) {
+      checkDenyOperation(normalizedRules, collection.collectionName, CRUD_OPERATIONS.UPDATE)
+      const formattedQuery = getFormattedQuery(filters, query, user)
+      const safeQuery = Array.isArray(formattedQuery)
+        ? normalizeQuery(formattedQuery)
+        : formattedQuery
+
+      const result = await collection.findOne({ $and: safeQuery })
+
+      if (!result) {
+        throw new Error('Update not permitted')
+      }
+
+      const winningRole = getWinningRole(result, user, roles)
+      const hasOperators = Object.keys(data).some((key) => key.startsWith('$'))
+      const pipeline = [
+        {
+          $match: { $and: safeQuery }
+        },
+        {
+          $limit: 1
+        },
+        ...Object.entries(data).map(([key, value]) => ({ [key]: value }))
+      ]
+      const [docToCheck] = hasOperators
+        ? await collection.aggregate(pipeline).toArray()
+        : ([data] as [Document])
+
+      const { status, document } = winningRole
+        ? await checkValidation(
+          winningRole,
+          {
+            type: 'write',
+            roles,
+            cursor: docToCheck,
+            expansions: {}
+          },
+          user
+        )
+        : fallbackAccess(docToCheck)
+
+      const areDocumentsEqual = isEqual(document, docToCheck)
+      if (!status || !areDocumentsEqual) {
+        throw new Error('Update not permitted')
+      }
+
+      const updateResult = options
+        ? await collection.findOneAndUpdate({ $and: safeQuery }, data, options)
+        : await collection.findOneAndUpdate({ $and: safeQuery }, data)
+      if (!updateResult) {
+        return updateResult
+      }
+
+      const readRole = getWinningRole(updateResult, user, roles)
+      const readResult = readRole
+        ? await checkValidation(
+          readRole,
+          {
+            type: 'read',
+            roles,
+            cursor: updateResult,
+            expansions: {}
+          },
+          user
+        )
+        : fallbackAccess(updateResult)
+
+      const sanitizedDoc = readResult.status ? (readResult.document ?? updateResult) : {}
+      return sanitizedDoc
+    }
+
+    return options
+      ? collection.findOneAndUpdate(query, data, options)
+      : collection.findOneAndUpdate(query, data)
+  },
   /**
    * Finds documents in a MongoDB collection with optional role-based access control and post-query validation.
    *
@@ -481,7 +579,7 @@ const getOperators: GetOperatorsFunction = (
     return collection.watch(pipeline, options)
   },
   //TODO -> add filter & rules in aggregate
-  aggregate: async (pipeline = [], options, isClient) => {
+  aggregate: (pipeline = [], options, isClient) => {
     if (run_as_system || !isClient) {
       return collection.aggregate(pipeline, options)
     }

package/src/services/mongodb-atlas/model.ts

@@ -1,5 +1,13 @@
 import { FastifyInstance } from 'fastify'
-import { Collection, Document, FindCursor, WithId } from 'mongodb'
+import {
+  Collection,
+  Document,
+  Filter as MongoFilter,
+  FindCursor,
+  FindOneAndUpdateOptions,
+  UpdateFilter,
+  WithId
+} from 'mongodb'
 import { User } from '../../auth/dtos'
 import { Filter, Rules } from '../../features/rules/interface'
 import { Role } from '../../utils/roles/interface'
@@ -50,11 +58,16 @@ export type GetOperatorsFunction = (
   updateOne: (
     ...params: Parameters<Method<'updateOne'>>
   ) => ReturnType<Method<'updateOne'>>
+  findOneAndUpdate: (
+    filter: MongoFilter<Document>,
+    update: UpdateFilter<Document> | Document[],
+    options?: FindOneAndUpdateOptions
+  ) => Promise<Document | null>
   find: (...params: Parameters<Method<'find'>>) => FindCursor
   watch: (...params: Parameters<Method<'watch'>>) => ReturnType<Method<'watch'>>
   aggregate: (
     ...params: [...Parameters<Method<'aggregate'>>, isClient: boolean]
-  ) => Promise<ReturnType<Method<'aggregate'>>>
+  ) => ReturnType<Method<'aggregate'>>
   insertMany: (
     ...params: Parameters<Method<'insertMany'>>
   ) => ReturnType<Method<'insertMany'>>
@@ -73,4 +86,4 @@ export enum CRUD_OPERATIONS {
   UPDATE = "UPDATE",
   DELETE = "DELETE"
 
-}
+}

package/src/shared/handleUserRegistration.ts

@@ -1,5 +1,7 @@
 import { AUTH_CONFIG, DB_NAME } from "../constants"
-import { hashPassword } from "../utils/crypto"
+import { StateManager } from "../state"
+import { GenerateContext } from "../utils/context"
+import { generateToken, hashPassword } from "../utils/crypto"
 import { HandleUserRegistration } from "./models/handleUserRegistration.model"
 
 /**
@@ -17,6 +19,10 @@ const handleUserRegistration: HandleUserRegistration = (app, opt) => async ({ em
     }
 
     const { authCollection } = AUTH_CONFIG
+    const localUserpassConfig = AUTH_CONFIG.localUserpassConfig
+    const autoConfirm = localUserpassConfig?.autoConfirm === true
+    const runConfirmationFunction = localUserpassConfig?.runConfirmationFunction === true
+    const confirmationFunctionName = localUserpassConfig?.confirmationFunctionName
     const mongo = app?.mongo
     const db = mongo.client.db(DB_NAME)
     const hashedPassword = await hashPassword(password)
@@ -29,7 +35,7 @@ const handleUserRegistration: HandleUserRegistration = (app, opt) => async ({ em
     const result = await db?.collection(authCollection!).insertOne({
         email,
         password: hashedPassword,
-        status: skipUserCheck ? 'confirmed' : 'pending',
+        status: skipUserCheck || autoConfirm ? 'confirmed' : 'pending',
         createdAt: new Date(),
         custom_data: {
             // TODO: aggiungere dati personalizzati alla registrazione
@@ -58,6 +64,81 @@ const handleUserRegistration: HandleUserRegistration = (app, opt) => async ({ em
         }
     )
 
+    if (!result?.insertedId || skipUserCheck || autoConfirm) {
+        return result
+    }
+
+    if (!runConfirmationFunction) {
+        throw new Error('Missing confirmation function')
+    }
+
+    if (!confirmationFunctionName) {
+        throw new Error('Missing confirmation function name')
+    }
+
+    const functionsList = StateManager.select('functions')
+    const services = StateManager.select('services')
+    const confirmationFunction = functionsList[confirmationFunctionName]
+    if (!confirmationFunction) {
+        throw new Error(`Confirmation function not found: ${confirmationFunctionName}`)
+    }
+
+    const token = generateToken()
+    const tokenId = generateToken()
+    await db?.collection(authCollection!).updateOne(
+        { _id: result.insertedId },
+        {
+            $set: {
+                confirmationToken: token,
+                confirmationTokenId: tokenId
+            }
+        }
+    )
+
+    type ConfirmationResult = { status?: 'success' | 'pending' | 'fail' }
+    let confirmationStatus: ConfirmationResult['status'] = 'fail'
+    try {
+        const response = await GenerateContext({
+            args: [{
+                token,
+                tokenId,
+                username: email
+            }],
+            app,
+            rules: {},
+            user: {},
+            currentFunction: confirmationFunction,
+            functionsList,
+            services,
+            runAsSystem: true
+        }) as ConfirmationResult
+        confirmationStatus = response?.status ?? 'fail'
+    } catch {
+        confirmationStatus = 'fail'
+    }
+
+    if (confirmationStatus === 'success') {
+        await db?.collection(authCollection!).updateOne(
+            { _id: result.insertedId },
+            {
+                $set: { status: 'confirmed' },
+                $unset: { confirmationToken: '', confirmationTokenId: '' }
+            }
+        )
+        return result
+    }
+
+    if (confirmationStatus === 'pending') {
+        return result
+    }
+
+    await db?.collection(authCollection!).updateOne(
+        { _id: result.insertedId },
+        {
+            $set: { status: 'failed' },
+            $unset: { confirmationToken: '', confirmationTokenId: '' }
+        }
+    )
     return result
 
 }

package/src/shared/models/handleUserRegistration.model.ts

@@ -28,5 +28,6 @@ export type HandleUserRegistration = (
 
 export enum PROVIDER {
   LOCAL_USERPASS = "local-userpass",
-  CUSTOM_FUNCTION = "custom-function"
+  CUSTOM_FUNCTION = "custom-function",
+  ANON_USER = "anon-user"
 }

package/src/utils/__tests__/registerPlugins.test.ts

@@ -3,6 +3,7 @@ import fastifyMongodb from '@fastify/mongodb'
 import { authController } from '../../auth/controller'
 import jwtAuthPlugin from '../../auth/plugins/jwt'
 import fastifyRawBody from 'fastify-raw-body'
+import { anonUserController } from '../../auth/providers/anon-user/controller'
 import { customFunctionController } from '../../auth/providers/custom-function/controller'
 import { localUserPassController } from '../../auth/providers/local-userpass/controller'
 import { Functions } from '../../features/functions/interface'
@@ -36,7 +37,7 @@ describe('registerPlugins', () => {
     })
 
     // Check Plugins Registration
-    expect(registerMock).toHaveBeenCalledTimes(7)
+    expect(registerMock).toHaveBeenCalledTimes(8)
     expect(registerMock).toHaveBeenCalledWith(cors, {
       origin: '*',
       methods: ['POST', 'GET']
@@ -63,6 +64,9 @@ describe('registerPlugins', () => {
     expect(registerMock).toHaveBeenCalledWith(customFunctionController, {
       prefix: `${MOCKED_API_VERSION}/app/:appId/auth/providers/custom-function`
     })
+    expect(registerMock).toHaveBeenCalledWith(anonUserController, {
+      prefix: `${MOCKED_API_VERSION}/app/:appId/auth/providers/anon-user`
+    })
   })
 
   it('should handle errors in the catch block', async () => {