@flowerforce/flowerbase 1.2.1-beta.2 → 1.2.1-beta.21

package/dist/utils/context/index.js

@@ -14,10 +14,100 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.GenerateContext = GenerateContext;
 const node_module_1 = require("node:module");
+const node_path_1 = __importDefault(require("node:path"));
+const node_url_1 = require("node:url");
 const vm_1 = __importDefault(require("vm"));
 const bson_1 = require("bson");
 const state_1 = require("../../state");
 const helpers_1 = require("./helpers");
+const dynamicImport = new Function('specifier', 'return import(specifier)');
+const transformImportsToRequire = (code) => {
+    let importIndex = 0;
+    const lines = code.split(/\r?\n/);
+    return lines
+        .map((line) => {
+        const trimmed = line.trim();
+        if (/^import\s+type\s+/.test(trimmed)) {
+            return '';
+        }
+        const sideEffectMatch = trimmed.match(/^import\s+['"]([^'"]+)['"]\s*;?$/);
+        if (sideEffectMatch) {
+            return `require('${sideEffectMatch[1]}')`;
+        }
+        const match = trimmed.match(/^import\s+(.+?)\s+from\s+['"]([^'"]+)['"]\s*;?$/);
+        if (!match)
+            return line;
+        const [, importClause, source] = match;
+        const clause = importClause.trim();
+        if (clause.startsWith('{') && clause.endsWith('}')) {
+            const named = clause.slice(1, -1).trim();
+            return `const { ${named} } = require('${source}')`;
+        }
+        const namespaceMatch = clause.match(/^\*\s+as\s+(\w+)$/);
+        if (namespaceMatch) {
+            return `const ${namespaceMatch[1]} = require('${source}')`;
+        }
+        if (clause.includes(',')) {
+            const [defaultPart, restRaw] = clause.split(',', 2);
+            const defaultName = defaultPart.trim();
+            const rest = restRaw.trim();
+            const tmpName = `__fb_import_${importIndex++}`;
+            const linesOut = [`const ${tmpName} = require('${source}')`];
+            if (defaultName) {
+                linesOut.push(`const ${defaultName} = ${tmpName}`);
+            }
+            if (rest.startsWith('{') && rest.endsWith('}')) {
+                const named = rest.slice(1, -1).trim();
+                linesOut.push(`const { ${named} } = ${tmpName}`);
+            }
+            else {
+                const nsMatch = rest.match(/^\*\s+as\s+(\w+)$/);
+                if (nsMatch) {
+                    linesOut.push(`const ${nsMatch[1]} = ${tmpName}`);
+                }
+            }
+            return linesOut.join('\n');
+        }
+        return `const ${clause} = require('${source}')`;
+    })
+        .join('\n');
+};
+const wrapEsmModule = (code) => {
+    const prelude = [
+        'const __fb_module = { exports: {} };',
+        'let exports = __fb_module.exports;',
+        'let module = __fb_module;',
+        'const __fb_require = globalThis.__fb_require;',
+        'const require = __fb_require;',
+        'const __filename = globalThis.__fb_filename;',
+        'const __dirname = globalThis.__fb_dirname;'
+    ].join('\n');
+    const trailer = [
+        'globalThis.__fb_module = __fb_module;',
+        'globalThis.__fb_exports = exports;'
+    ].join('\n');
+    return `${prelude}\n${code}\n${trailer}`;
+};
+const resolveImportTarget = (specifier, customRequire) => {
+    try {
+        const resolved = customRequire.resolve(specifier);
+        if (resolved.startsWith('node:'))
+            return resolved;
+        if (node_path_1.default.isAbsolute(resolved)) {
+            return (0, node_url_1.pathToFileURL)(resolved).href;
+        }
+        return resolved;
+    }
+    catch (_a) {
+        return specifier;
+    }
+};
+const shouldFallbackFromVmModules = (error) => {
+    if (!error || typeof error !== 'object')
+        return false;
+    const code = error.code;
+    return code === 'ERR_VM_MODULES_DISABLED' || code === 'ERR_VM_MODULES_NOT_SUPPORTED';
+};
 /**
  * > Used to generate the current context
  * @testable
@@ -36,7 +126,7 @@ function GenerateContext(_a) {
         const functionsQueue = state_1.StateManager.select("functionsQueue");
         const functionToRun = Object.assign({ run_as_system: runAsSystem }, currentFunction);
         const run = () => __awaiter(this, void 0, void 0, function* () {
-            var _a, _b;
+            var _a, _b, _c;
             const contextData = (0, helpers_1.generateContextData)({
                 user,
                 services,
@@ -47,21 +137,98 @@ function GenerateContext(_a) {
                 GenerateContext,
                 request
             });
+            const isExportedFunction = (value) => typeof value === 'function';
+            const getDefaultExport = (value) => {
+                if (!value || typeof value !== 'object')
+                    return undefined;
+                if (!('default' in value))
+                    return undefined;
+                const maybeDefault = value.default;
+                return isExportedFunction(maybeDefault) ? maybeDefault : undefined;
+            };
+            const resolveExport = (ctx) => {
+                var _a, _b, _c, _d, _e;
+                const moduleExports = (_b = (_a = ctx.module) === null || _a === void 0 ? void 0 : _a.exports) !== null && _b !== void 0 ? _b : (_c = ctx.__fb_module) === null || _c === void 0 ? void 0 : _c.exports;
+                if (isExportedFunction(moduleExports))
+                    return moduleExports;
+                const contextExports = (_d = ctx.exports) !== null && _d !== void 0 ? _d : ctx.__fb_exports;
+                if (isExportedFunction(contextExports))
+                    return contextExports;
+                return (_e = getDefaultExport(moduleExports)) !== null && _e !== void 0 ? _e : getDefaultExport(contextExports);
+            };
+            const sandboxModule = { exports: {} };
             try {
                 const entryFile = (_b = (_a = require.main) === null || _a === void 0 ? void 0 : _a.filename) !== null && _b !== void 0 ? _b : process.cwd();
                 const customRequire = (0, node_module_1.createRequire)(entryFile);
-                vm_1.default.runInContext(functionToRun.code, vm_1.default.createContext(Object.assign(Object.assign({}, contextData), { require: customRequire, exports,
-                    module, __filename: __filename, __dirname: __dirname })));
+                const vmContext = vm_1.default.createContext(Object.assign(Object.assign({}, contextData), { require: customRequire, exports: sandboxModule.exports, module: sandboxModule, __filename,
+                    __dirname, __fb_require: customRequire, __fb_filename: __filename, __fb_dirname: __dirname }));
+                const vmModules = vm_1.default;
+                const hasStaticImport = /\bimport\s+/.test(functionToRun.code);
+                let usedVmModules = false;
+                if (hasStaticImport && vmModules.SourceTextModule && vmModules.SyntheticModule) {
+                    try {
+                        const moduleCache = new Map();
+                        const loadModule = (specifier) => __awaiter(this, void 0, void 0, function* () {
+                            const importTarget = resolveImportTarget(specifier, customRequire);
+                            const cached = moduleCache.get(importTarget);
+                            if (cached)
+                                return cached;
+                            const namespace = yield dynamicImport(importTarget);
+                            const exportNames = Object.keys(namespace);
+                            if ('default' in namespace && !exportNames.includes('default')) {
+                                exportNames.push('default');
+                            }
+                            const syntheticModule = new vmModules.SyntheticModule(exportNames, function () {
+                                for (const name of exportNames) {
+                                    this.setExport(name, namespace[name]);
+                                }
+                            }, { context: vmContext, identifier: importTarget });
+                            moduleCache.set(importTarget, syntheticModule);
+                            return syntheticModule;
+                        });
+                        const importModuleDynamically = ((specifier) => loadModule(specifier));
+                        const sourceModule = new vmModules.SourceTextModule(wrapEsmModule(functionToRun.code), {
+                            context: vmContext,
+                            identifier: entryFile,
+                            initializeImportMeta: (meta) => {
+                                meta.url = (0, node_url_1.pathToFileURL)(entryFile).href;
+                            },
+                            importModuleDynamically
+                        });
+                        yield sourceModule.link(loadModule);
+                        yield sourceModule.evaluate();
+                        usedVmModules = true;
+                    }
+                    catch (error) {
+                        if (!shouldFallbackFromVmModules(error)) {
+                            throw error;
+                        }
+                    }
+                }
+                if (!usedVmModules) {
+                    const codeToRun = functionToRun.code.includes('import ')
+                        ? transformImportsToRequire(functionToRun.code)
+                        : functionToRun.code;
+                    vm_1.default.runInContext(codeToRun, vmContext);
+                }
+                sandboxModule.exports = (_c = resolveExport(vmContext)) !== null && _c !== void 0 ? _c : sandboxModule.exports;
             }
-            catch (e) {
-                console.log(e);
+            catch (error) {
+                console.error(error);
+                throw error;
             }
             if (deserializeArgs) {
-                return yield module.exports(...bson_1.EJSON.deserialize(args));
+                return yield sandboxModule.exports(...bson_1.EJSON.deserialize(args));
             }
-            return yield module.exports(...args);
+            return yield sandboxModule.exports(...args);
         });
-        const res = yield functionsQueue.add(run, enqueue);
-        return res;
+        try {
+            const res = yield functionsQueue.add(run, enqueue);
+            return res;
+        }
+        catch (error) {
+            console.error(error);
+            throw error;
+        }
     });
 }

package/dist/utils/context/interface.d.ts

@@ -18,7 +18,7 @@ export interface GenerateContextParams {
 }
 type ContextRequest = Pick<FastifyRequest, "ips" | "host" | "hostname" | "url" | "method" | "ip" | "id">;
 export interface GenerateContextDataParams extends Omit<GenerateContextParams, 'args'> {
-    GenerateContext: (params: GenerateContextParams) => Promise<void>;
+    GenerateContext: (params: GenerateContextParams) => Promise<unknown>;
 }
 export {};
 //# sourceMappingURL=interface.d.ts.map

package/dist/utils/context/interface.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"interface.d.ts","sourceRoot":"","sources":["../../../src/utils/context/interface.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,SAAS,CAAA;AACzD,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAA;AACjD,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,oCAAoC,CAAA;AACxE,OAAO,EAAE,KAAK,EAAE,MAAM,gCAAgC,CAAA;AACtD,OAAO,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAA;AAEnD,MAAM,WAAW,qBAAqB;IACpC,GAAG,EAAE,eAAe,CAAA;IACpB,eAAe,EAAE,QAAQ,CAAA;IACzB,aAAa,EAAE,SAAS,CAAA;IACxB,KAAK,EAAE,KAAK,CAAA;IACZ,IAAI,EAAE,IAAI,CAAA;IACV,QAAQ,EAAE,QAAQ,CAAA;IAClB,IAAI,EAAE,SAAS,CAAA;IACf,WAAW,CAAC,EAAE,OAAO,CAAA;IACrB,eAAe,CAAC,EAAE,OAAO,CAAA;IACzB,OAAO,CAAC,EAAE,OAAO,CAAA;IACjB,OAAO,CAAC,EAAE,cAAc,CAAA;CACzB;AAED,KAAK,cAAc,GAAG,IAAI,CAAC,cAAc,EAAE,KAAK,GAAG,MAAM,GAAG,UAAU,GAAG,KAAK,GAAG,QAAQ,GAAG,IAAI,GAAG,IAAI,CAAC,CAAA;AACxG,MAAM,WAAW,yBAA0B,SAAQ,IAAI,CAAC,qBAAqB,EAAE,MAAM,CAAC;IACpF,eAAe,EAAE,CAAC,MAAM,EAAE,qBAAqB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAA;CAClE"}
+{"version":3,"file":"interface.d.ts","sourceRoot":"","sources":["../../../src/utils/context/interface.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,SAAS,CAAA;AACzD,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAA;AACjD,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,oCAAoC,CAAA;AACxE,OAAO,EAAE,KAAK,EAAE,MAAM,gCAAgC,CAAA;AACtD,OAAO,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAA;AAEnD,MAAM,WAAW,qBAAqB;IACpC,GAAG,EAAE,eAAe,CAAA;IACpB,eAAe,EAAE,QAAQ,CAAA;IACzB,aAAa,EAAE,SAAS,CAAA;IACxB,KAAK,EAAE,KAAK,CAAA;IACZ,IAAI,EAAE,IAAI,CAAA;IACV,QAAQ,EAAE,QAAQ,CAAA;IAClB,IAAI,EAAE,SAAS,CAAA;IACf,WAAW,CAAC,EAAE,OAAO,CAAA;IACrB,eAAe,CAAC,EAAE,OAAO,CAAA;IACzB,OAAO,CAAC,EAAE,OAAO,CAAA;IACjB,OAAO,CAAC,EAAE,cAAc,CAAA;CACzB;AAED,KAAK,cAAc,GAAG,IAAI,CAAC,cAAc,EAAE,KAAK,GAAG,MAAM,GAAG,UAAU,GAAG,KAAK,GAAG,QAAQ,GAAG,IAAI,GAAG,IAAI,CAAC,CAAA;AACxG,MAAM,WAAW,yBAA0B,SAAQ,IAAI,CAAC,qBAAqB,EAAE,MAAM,CAAC;IACpF,eAAe,EAAE,CAAC,MAAM,EAAE,qBAAqB,KAAK,OAAO,CAAC,OAAO,CAAC,CAAA;CACrE"}

package/dist/utils/crypto/index.d.ts

@@ -16,4 +16,5 @@ export declare const comparePassword: (plaintext: string, storedPassword: string
  * @param length -> the token length
  */
 export declare const generateToken: (length?: number) => string;
+export declare const hashToken: (token: string) => string;
 //# sourceMappingURL=index.d.ts.map

package/dist/utils/crypto/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/utils/crypto/index.ts"],"names":[],"mappings":"AAKA;;;;GAIG;AACH,eAAO,MAAM,YAAY,GAAU,WAAW,MAAM,oBAInD,CAAA;AAED;;;;;GAKG;AACH,eAAO,MAAM,eAAe,GAAU,WAAW,MAAM,EAAE,gBAAgB,MAAM,qBAU9E,CAAA;AAED;;;GAGG;AACH,eAAO,MAAM,aAAa,GAAI,eAAW,WAExC,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/utils/crypto/index.ts"],"names":[],"mappings":"AAKA;;;;GAIG;AACH,eAAO,MAAM,YAAY,GAAU,WAAW,MAAM,oBAInD,CAAA;AAED;;;;;GAKG;AACH,eAAO,MAAM,eAAe,GAAU,WAAW,MAAM,EAAE,gBAAgB,MAAM,qBAU9E,CAAA;AAED;;;GAGG;AACH,eAAO,MAAM,aAAa,GAAI,eAAW,WAExC,CAAA;AAED,eAAO,MAAM,SAAS,GAAI,OAAO,MAAM,WAEtC,CAAA"}

package/dist/utils/crypto/index.js

@@ -12,7 +12,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.generateToken = exports.comparePassword = exports.hashPassword = void 0;
+exports.hashToken = exports.generateToken = exports.comparePassword = exports.hashPassword = void 0;
 const node_crypto_1 = __importDefault(require("node:crypto"));
 const node_util_1 = require("node:util");
 const scrypt = (0, node_util_1.promisify)(node_crypto_1.default.scrypt);
@@ -47,7 +47,11 @@ exports.comparePassword = comparePassword;
  * > Generate a random token
  * @param length -> the token length
  */
-const generateToken = (length = 32) => {
+const generateToken = (length = 64) => {
     return node_crypto_1.default.randomBytes(length).toString('hex');
 };
 exports.generateToken = generateToken;
+const hashToken = (token) => {
+    return node_crypto_1.default.createHash('sha256').update(token).digest('hex');
+};
+exports.hashToken = hashToken;

package/dist/utils/initializer/exposeRoutes.js

@@ -28,7 +28,7 @@ const exposeRoutes = (fastify) => __awaiter(void 0, void 0, void 0, function* ()
             const headerHost = (_b = req.headers.host) !== null && _b !== void 0 ? _b : 'localhost:3000';
             const hostname = headerHost.split(':')[0];
             const port = (_c = constants_1.DEFAULT_CONFIG === null || constants_1.DEFAULT_CONFIG === void 0 ? void 0 : constants_1.DEFAULT_CONFIG.PORT) !== null && _c !== void 0 ? _c : 3000;
-            const host = `${hostname}:${port}`;
+            const host = port === 8080 ? hostname : `${hostname}:${port}`;
             const wsSchema = 'wss';
             return {
                 deployment_model: 'LOCAL',

package/dist/utils/initializer/registerPlugins.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"registerPlugins.d.ts","sourceRoot":"","sources":["../../../src/utils/initializer/registerPlugins.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAA;AAEzC,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAA;AAMnC,OAAO,EAAE,SAAS,EAAE,MAAM,oCAAoC,CAAA;AAE9D,KAAK,gBAAgB,GAAG,eAAe,CAAC,UAAU,CAAC,CAAA;AAGnD,KAAK,qBAAqB,GAAG;IAC3B,QAAQ,EAAE,gBAAgB,CAAA;IAC1B,UAAU,EAAE,MAAM,CAAA;IAClB,SAAS,EAAE,MAAM,CAAA;IACjB,aAAa,EAAE,SAAS,CAAA;IACxB,UAAU,CAAC,EAAE,UAAU,CAAA;CACxB,CAAA;AAQD;;;;;;GAMG;AACH,eAAO,MAAM,eAAe,GAAU,gEAMnC,qBAAqB,kBAsBvB,CAAA"}
+{"version":3,"file":"registerPlugins.d.ts","sourceRoot":"","sources":["../../../src/utils/initializer/registerPlugins.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAA;AAEzC,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAA;AAOnC,OAAO,EAAE,SAAS,EAAE,MAAM,oCAAoC,CAAA;AAE9D,KAAK,gBAAgB,GAAG,eAAe,CAAC,UAAU,CAAC,CAAA;AAGnD,KAAK,qBAAqB,GAAG;IAC3B,QAAQ,EAAE,gBAAgB,CAAA;IAC1B,UAAU,EAAE,MAAM,CAAA;IAClB,SAAS,EAAE,MAAM,CAAA;IACjB,aAAa,EAAE,SAAS,CAAA;IACxB,UAAU,CAAC,EAAE,UAAU,CAAA;CACxB,CAAA;AAQD;;;;;;GAMG;AACH,eAAO,MAAM,eAAe,GAAU,gEAMnC,qBAAqB,kBAsBvB,CAAA"}

package/dist/utils/initializer/registerPlugins.js

@@ -18,8 +18,9 @@ const mongodb_1 = __importDefault(require("@fastify/mongodb"));
 const fastify_raw_body_1 = __importDefault(require("fastify-raw-body"));
 const controller_1 = require("../../auth/controller");
 const jwt_1 = __importDefault(require("../../auth/plugins/jwt"));
-const controller_2 = require("../../auth/providers/custom-function/controller");
-const controller_3 = require("../../auth/providers/local-userpass/controller");
+const controller_2 = require("../../auth/providers/anon-user/controller");
+const controller_3 = require("../../auth/providers/custom-function/controller");
+const controller_4 = require("../../auth/providers/local-userpass/controller");
 const constants_1 = require("../../constants");
 /**
  * > Used to register all plugins
@@ -104,17 +105,24 @@ const getRegisterConfig = (_a) => __awaiter(void 0, [_a], void 0, function* ({ m
         },
         {
             pluginName: 'localUserPassController',
-            plugin: controller_3.localUserPassController,
+            plugin: controller_4.localUserPassController,
             options: {
                 prefix: `${constants_1.API_VERSION}/app/:appId/auth/providers/local-userpass`
             }
         },
         {
             pluginName: 'customFunctionController',
-            plugin: controller_2.customFunctionController,
+            plugin: controller_3.customFunctionController,
             options: {
                 prefix: `${constants_1.API_VERSION}/app/:appId/auth/providers/custom-function`
             }
+        },
+        {
+            pluginName: 'anonUserController',
+            plugin: controller_2.anonUserController,
+            options: {
+                prefix: `${constants_1.API_VERSION}/app/:appId/auth/providers/anon-user`
+            }
         }
     ];
 });

package/dist/utils/roles/helpers.js

@@ -52,5 +52,6 @@ const evaluateComplexExpression = (condition, params, user) => __awaiter(void 0,
         functionsList,
         services: services_1.services
     });
-    return key === '%%true' ? response : !response;
+    const isTruthy = Boolean(response);
+    return key === '%%true' ? isTruthy : !isTruthy;
 });

package/dist/utils/rules-matcher/utils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../../src/utils/rules-matcher/utils.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,SAAS,EAAE,iBAAiB,EAAe,MAAM,aAAa,CAAA;AAIvE;;GAEG;AACH,QAAA,MAAM,iBAAiB,EAAE,iBAmNxB,CAAA;AAED;;GAEG;AACH,eAAO,MAAM,SAAS,EAAE,SAsDvB,CAAA;AAID,eAAe,iBAAiB,CAAA"}
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../../src/utils/rules-matcher/utils.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,SAAS,EAAE,iBAAiB,EAAe,MAAM,aAAa,CAAA;AAIvE;;GAEG;AACH,QAAA,MAAM,iBAAiB,EAAE,iBAsNxB,CAAA;AAED;;GAEG;AACH,eAAO,MAAM,SAAS,EAAE,SAsDvB,CAAA;AAID,eAAe,iBAAiB,CAAA"}

package/dist/utils/rules-matcher/utils.js

@@ -128,6 +128,9 @@ const rulesMatcherUtils = {
     },
     forceArray: (a) => (Array.isArray(a) ? a : [a]),
     getPath: (path, prefix) => {
+        if (typeof path !== 'string' || path.length === 0) {
+            return '';
+        }
         if (path.indexOf('^') === 0) {
             return (0, trimStart_1.default)(path, '^');
         }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@flowerforce/flowerbase",
-  "version": "1.2.1-beta.2",
+  "version": "1.2.1-beta.21",
   "description": "",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -25,7 +25,6 @@
     "@fastify/mongodb": "^9.0.1",
     "@fastify/swagger": "^9.5.1",
     "@fastify/swagger-ui": "^5.2.3",
-    "@sendgrid/mail": "^8.1.4",
     "aws-sdk": "^2.1692.0",
     "bson": "^6.8.0",
     "dotenv": "^16.4.7",

package/src/auth/controller.ts

@@ -1,6 +1,7 @@
 import { ObjectId } from 'bson'
 import { FastifyInstance } from 'fastify'
-import { AUTH_CONFIG, DB_NAME } from '../constants'
+import { AUTH_CONFIG, DB_NAME, DEFAULT_CONFIG } from '../constants'
+import { hashToken } from '../utils/crypto'
 import { SessionCreatedDto } from './dtos'
 import { AUTH_ENDPOINTS, AUTH_ERRORS } from './utils'
 
@@ -12,9 +13,19 @@ const HANDLER_TYPE = 'preHandler'
  * @param {FastifyInstance} app - The Fastify instance.
  */
 export async function authController(app: FastifyInstance) {
-  const { authCollection, userCollection } = AUTH_CONFIG
+  const { authCollection, userCollection, refreshTokensCollection } = AUTH_CONFIG
 
   const db = app.mongo.client.db(DB_NAME)
+  const refreshTokenTtlMs = DEFAULT_CONFIG.REFRESH_TOKEN_TTL_DAYS * 24 * 60 * 60 * 1000
+
+  try {
+    await db.collection(refreshTokensCollection).createIndex(
+      { expiresAt: 1 },
+      { expireAfterSeconds: 0 }
+    )
+  } catch (error) {
+    console.error('Failed to ensure refresh token TTL index', error)
+  }
 
   app.addHook(HANDLER_TYPE, app.jwtAuthentication)
 
@@ -59,6 +70,21 @@ export async function authController(app: FastifyInstance) {
         throw new Error(AUTH_ERRORS.INVALID_TOKEN)
       }
 
+      const authHeader = req.headers.authorization
+      if (!authHeader?.startsWith('Bearer ')) {
+        throw new Error(AUTH_ERRORS.INVALID_TOKEN)
+      }
+      const refreshToken = authHeader.slice('Bearer '.length).trim()
+      const refreshTokenHash = hashToken(refreshToken)
+      const storedToken = await db.collection(refreshTokensCollection).findOne({
+        tokenHash: refreshTokenHash,
+        revokedAt: null,
+        expiresAt: { $gt: new Date() }
+      })
+      if (!storedToken) {
+        throw new Error(AUTH_ERRORS.INVALID_TOKEN)
+      }
+
       const auth_user = await db
         ?.collection(authCollection)
         .findOne({ _id: new this.mongo.ObjectId(req.user.sub) })
@@ -75,7 +101,10 @@ export async function authController(app: FastifyInstance) {
       return {
         access_token: this.createAccessToken({
           ...auth_user,
-          user_data: user
+          user_data: {
+            ...user,
+            id: req.user.sub
+          }
         })
       }
     }
@@ -85,8 +114,45 @@ export async function authController(app: FastifyInstance) {
      */
   app.delete(
     AUTH_ENDPOINTS.SESSION,
-    async function () {
-      return { status: "ok" }
+    async function (req, res) {
+      const authHeader = req.headers.authorization
+      if (!authHeader?.startsWith('Bearer ')) {
+        res.status(204)
+        return
+      }
+      const refreshToken = authHeader.slice('Bearer '.length).trim()
+      const refreshTokenHash = hashToken(refreshToken)
+      const now = new Date()
+      const expiresAt = new Date(Date.now() + refreshTokenTtlMs)
+      const updateResult = await db.collection(refreshTokensCollection).findOneAndUpdate(
+        { tokenHash: refreshTokenHash },
+        {
+          $set: {
+            revokedAt: now,
+            expiresAt
+          }
+        },
+        { returnDocument: 'after' }
+      )
+
+      const fromToken = req.user?.sub
+      let userId = updateResult?.value?.userId
+      if (!userId && fromToken) {
+        try {
+          userId = new ObjectId(fromToken)
+        } catch {
+          userId = fromToken
+        }
+      }
+
+      if (userId && authCollection) {
+        await db.collection(authCollection).updateOne(
+          { _id: userId },
+          { $set: { lastLogoutAt: now } }
+        )
+      }
+
+      return { status: 'ok' }
     }
   )
 }

package/src/auth/plugins/jwt.test.ts

@@ -0,0 +1,93 @@
+jest.mock('node:diagnostics_channel', () => {
+  const createChannel = () => ({
+    publish: jest.fn(),
+    subscribe: jest.fn()
+  })
+  return {
+    channel: jest.fn(createChannel),
+    tracingChannel: () => ({
+      asyncStart: createChannel(),
+      asyncEnd: createChannel(),
+      error: createChannel()
+    })
+  }
+})
+
+import fastify, { FastifyInstance, FastifyReply } from 'fastify'
+import jwtAuthPlugin from './jwt'
+import { ObjectId } from 'bson'
+
+const SECRET = 'test-secret'
+
+const createAccessRequest = (payload: { typ: 'access'; sub: string; iat: number }) => {
+  const request: Record<string, unknown> = {}
+  request.jwtVerify = jest.fn(async () => {
+    request.user = payload
+  })
+  return request
+}
+
+describe('jwtAuthentication', () => {
+  let app: FastifyInstance
+
+  beforeEach(async () => {
+    app = fastify()
+    await app.register(jwtAuthPlugin, { secret: SECRET })
+    await app.ready()
+  })
+
+  afterEach(async () => {
+    await app.close()
+  })
+
+  const setupMongo = (userPayload: { _id: ObjectId; lastLogoutAt?: Date }) => {
+    const findOneMock = jest.fn().mockResolvedValue(userPayload)
+    const collectionMock = { findOne: findOneMock }
+    const dbMock = { collection: jest.fn().mockReturnValue(collectionMock) }
+    const mongoMock = { client: { db: jest.fn().mockReturnValue(dbMock) } }
+    ;(app as any).mongo = mongoMock
+  }
+
+  const createReply = () => {
+    return {
+      code: jest.fn().mockReturnThis(),
+      send: jest.fn()
+    } as unknown as FastifyReply
+  }
+
+  it('allows access tokens issued after the last logout', async () => {
+    const userId = new ObjectId()
+    const nowSeconds = Math.floor(Date.now() / 1000)
+    setupMongo({ _id: userId, lastLogoutAt: new Date((nowSeconds - 30) * 1000) })
+
+    const request = createAccessRequest({
+      typ: 'access',
+      sub: userId.toHexString(),
+      iat: nowSeconds
+    })
+    const reply = createReply()
+
+    await app.jwtAuthentication(request as any, reply)
+
+    expect(reply.code).not.toHaveBeenCalled()
+    expect(reply.send).not.toHaveBeenCalled()
+  })
+
+  it('rejects access tokens issued before the last logout', async () => {
+    const userId = new ObjectId()
+    const nowSeconds = Math.floor(Date.now() / 1000)
+    setupMongo({ _id: userId, lastLogoutAt: new Date((nowSeconds + 30) * 1000) })
+
+    const request = createAccessRequest({
+      typ: 'access',
+      sub: userId.toHexString(),
+      iat: nowSeconds
+    })
+    const reply = createReply()
+
+    await app.jwtAuthentication(request as any, reply)
+
+    expect(reply.code).toHaveBeenCalledWith(401)
+    expect(reply.send).toHaveBeenCalledWith({ message: 'Unauthorized' })
+  })
+})