@flowerforce/flowerbase 1.7.5 → 1.7.6-beta.1

package/README.md

@@ -265,8 +265,132 @@ Example
 ```
 If you're configuring the project from scratch, you can skip ahead to the [Build](#build) step.
 
---------
+## 🔐 7 Client-Side Field Level Encryption (CSFLE)
 
+Flowerbase supports MongoDB Client-Side Field Level Encryption. When enabled, sensitive fields are encrypted by the MongoDB driver before writing to MongoDB and decrypted automatically when reading.
+
+What Flowerbase does for you:
+
+- Loads all `encryption.json` files under `data_sources/mongodb-atlas/**`.
+- Builds the MongoDB `schemaMap` automatically from those files.
+- Resolves each `keyAlias` in your schemas to a real Data Encryption Key (DEK) `keyId`.
+- Ensures DEKs exist in the key vault (creates them if missing).
+- Configures Fastify MongoDB plugin `autoEncryption` with the generated `schemaMap`.
+
+### 1. Install encryption drivers
+
+Refer to the official MongoDB documentation for CSFLE installation requirements: https://www.mongodb.com/docs/manual/core/csfle/install.
+
+It is recommended to use the [**Automatic Encryption Shared Library**](https://www.mongodb.com/docs/manual/core/csfle/reference/install-library/?encryption-component=crypt_shared#std-label-csfle-reference-shared-library-download) instead of mongocryptd.
+
+Note that the project should also install [mongodb-client-encryption](https://www.npmjs.com/package/mongodb-client-encryption), matching the mongodb driver version.
+
+### 2. Add encryption schema files
+
+Create one `encryption.json` per collection you want to encrypt:
+
+Path example:
+
+```text
+src/data_sources/mongodb-atlas/<database>/<collection>/encryption.json
+```
+
+Example:
+
+```json
+{
+  "database": "appDb",
+  "collection": "records",
+  "schema": {
+    "bsonType": "object",
+    "encryptMetadata": {
+      "keyAlias": "root-key"
+    },
+    "properties": {
+      "protectedField1": {
+        "encrypt": {
+          "bsonType": "string",
+          "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random"
+        }
+      },
+      "protectedField2": {
+        "encrypt": {
+          "bsonType": "string",
+          "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic",
+          "keyAlias": "deep-key"
+        }
+      }
+    }
+  }
+}
+```
+
+Notes:
+
+- `encryptMetadata.keyAlias` applies as default key for that object level.
+- `encrypt.keyAlias` overrides key selection for a specific field.
+- If a field has `encrypt` but no `keyAlias`, MongoDB uses nearest `encryptMetadata`.
+
+### 3. Pass `mongodbEncryptionConfig` to `initialize()`
+
+`initialize()` accepts `mongodbEncryptionConfig` to configure KMS providers and key vault settings.
+
+#### Local KMS provider example (development)
+
+```ts
+import { initialize } from "@flowerforce/flowerbase";
+
+await initialize({
+  projectId: "my-project-id",
+  mongodbUrl: process.env.MONGODB_URL,
+  jwtSecret: process.env.JWT_SECRET,
+  mongodbEncryptionConfig: {
+    kmsProviders: [
+      {
+        provider: "local",
+        keyAlias: "root-key",
+        config: {
+          // 96-byte local master key encoded as base64
+          key: process.env.LOCAL_MASTER_KEY_BASE64,
+        },
+      },
+      {
+        provider: "local",
+        keyAlias: "deep-key",
+        config: { key: process.env.LOCAL_MASTER_KEY_BASE64 },
+      },
+    ],
+    keyVaultDb: "encryption",
+    keyVaultCollection: "__keyVault",
+    extraOptions: {
+      // Optional: path to crypt shared library
+      // cryptSharedLibPath: '/opt/mongo_crypt_v1/lib/mongo_crypt_v1.so'
+    },
+  },
+});
+```
+
+#### AWS KMS provider example
+
+```ts
+mongodbEncryptionConfig: {
+  kmsProviders: [
+    {
+      provider: "aws",
+      keyAlias: "root-key",
+      config: {
+        accessKeyId: process.env.AWS_ACCESS_KEY_ID,
+        secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY,
+      },
+      masterKey: {
+        key: process.env.AWS_KMS_KEY_ARN,
+        region: process.env.AWS_REGION,
+      },
+    },
+  ];
+}
+```
+---
 
 <a id="migration"></a>
 ## 🔄 [Migration Guide](#migration) - Migrating Your Realm Project

package/dist/auth/controller.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"controller.d.ts","sourceRoot":"","sources":["../../src/auth/controller.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAA;AAgBzC;;;;GAIG;AACH,wBAAsB,cAAc,CAAC,GAAG,EAAE,eAAe,iBA0LxD"}
+{"version":3,"file":"controller.d.ts","sourceRoot":"","sources":["../../src/auth/controller.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAA;AAgBzC;;;;GAIG;AACH,wBAAsB,cAAc,CAAC,GAAG,EAAE,eAAe,iBA2LxD"}

package/dist/auth/controller.js

@@ -30,16 +30,17 @@ const unauthorizedSessionError = {
 function authController(app) {
     return __awaiter(this, void 0, void 0, function* () {
         const { authCollection, userCollection, refreshTokensCollection } = constants_1.AUTH_CONFIG;
-        const db = app.mongo.client.db(constants_1.DB_NAME);
+        const authDb = app.mongo.client.db(constants_1.AUTH_DB_NAME);
+        const customUserDb = app.mongo.client.db(constants_1.DB_NAME);
         const refreshTokenTtlMs = constants_1.DEFAULT_CONFIG.REFRESH_TOKEN_TTL_DAYS * 24 * 60 * 60 * 1000;
         try {
-            yield db.collection(refreshTokensCollection).createIndex({ expiresAt: 1 }, { expireAfterSeconds: 0 });
+            yield authDb.collection(refreshTokensCollection).createIndex({ expiresAt: 1 }, { expireAfterSeconds: 0 });
         }
         catch (error) {
             console.error('Failed to ensure refresh token TTL index', error);
         }
         try {
-            yield db.collection(authCollection).createIndex({ email: 1 }, {
+            yield authDb.collection(authCollection).createIndex({ email: 1 }, {
                 unique: true
             });
         }
@@ -64,11 +65,11 @@ function authController(app) {
                 if (req.user.typ !== 'access') {
                     throw new Error('Access token required');
                 }
-                const authUser = yield db
+                const authUser = yield authDb
                     .collection(authCollection)
                     .findOne({ _id: bson_1.ObjectId.createFromHexString(req.user.id) });
                 const customData = userCollection && constants_1.AUTH_CONFIG.user_id_field
-                    ? yield db
+                    ? yield customUserDb
                         .collection(userCollection)
                         .findOne({ [constants_1.AUTH_CONFIG.user_id_field]: req.user.id })
                     : null;
@@ -112,7 +113,7 @@ function authController(app) {
                 }
                 const refreshToken = authHeader.slice('Bearer '.length).trim();
                 const refreshTokenHash = (0, crypto_1.hashToken)(refreshToken);
-                const storedToken = yield db.collection(refreshTokensCollection).findOne({
+                const storedToken = yield authDb.collection(refreshTokensCollection).findOne({
                     tokenHash: refreshTokenHash,
                     revokedAt: null,
                     expiresAt: { $gt: new Date() }
@@ -121,13 +122,13 @@ function authController(app) {
                     res.code(401).send(unauthorizedSessionError);
                     return;
                 }
-                const auth_user = yield (db === null || db === void 0 ? void 0 : db.collection(authCollection).findOne({ _id: new this.mongo.ObjectId(req.user.sub) }));
+                const auth_user = yield (authDb === null || authDb === void 0 ? void 0 : authDb.collection(authCollection).findOne({ _id: new this.mongo.ObjectId(req.user.sub) }));
                 if (!auth_user) {
                     res.code(401).send(unauthorizedSessionError);
                     return;
                 }
                 const user = userCollection && constants_1.AUTH_CONFIG.user_id_field
-                    ? (yield db.collection(userCollection).findOne({ [constants_1.AUTH_CONFIG.user_id_field]: req.user.sub }))
+                    ? (yield customUserDb.collection(userCollection).findOne({ [constants_1.AUTH_CONFIG.user_id_field]: req.user.sub }))
                     : {};
                 res.status(201);
                 return {
@@ -154,7 +155,7 @@ function authController(app) {
                 const refreshTokenHash = (0, crypto_1.hashToken)(refreshToken);
                 const now = new Date();
                 const expiresAt = new Date(Date.now() + refreshTokenTtlMs);
-                const updateResult = yield db.collection(refreshTokensCollection).findOneAndUpdate({ tokenHash: refreshTokenHash }, {
+                const updateResult = yield authDb.collection(refreshTokensCollection).findOneAndUpdate({ tokenHash: refreshTokenHash }, {
                     $set: {
                         revokedAt: now,
                         expiresAt
@@ -171,7 +172,7 @@ function authController(app) {
                     }
                 }
                 if (userId && authCollection) {
-                    yield db.collection(authCollection).updateOne({ _id: userId }, { $set: { lastLogoutAt: now } });
+                    yield authDb.collection(authCollection).updateOne({ _id: userId }, { $set: { lastLogoutAt: now } });
                 }
                 return { status: 'ok' };
             });

package/dist/auth/plugins/jwt.js

@@ -51,7 +51,7 @@ exports.default = (0, fastify_plugin_1.default)(function (fastify, opts) {
                 if (((_a = request.user) === null || _a === void 0 ? void 0 : _a.typ) !== 'access') {
                     return;
                 }
-                const db = (_c = (_b = fastify.mongo) === null || _b === void 0 ? void 0 : _b.client) === null || _c === void 0 ? void 0 : _c.db(constants_1.DB_NAME);
+                const db = (_c = (_b = fastify.mongo) === null || _b === void 0 ? void 0 : _b.client) === null || _c === void 0 ? void 0 : _c.db(constants_1.AUTH_DB_NAME);
                 if (!db) {
                     fastify.log.warn('Mongo client unavailable while checking logout state');
                     return;

package/dist/auth/providers/anon-user/controller.js

@@ -22,7 +22,7 @@ const utils_1 = require("../../utils");
  */
 function anonUserController(app) {
     return __awaiter(this, void 0, void 0, function* () {
-        const db = app.mongo.client.db(constants_1.DB_NAME);
+        const db = app.mongo.client.db(constants_1.AUTH_DB_NAME);
         const { authCollection, refreshTokensCollection } = constants_1.AUTH_CONFIG;
         const refreshTokenTtlMs = constants_1.DEFAULT_CONFIG.REFRESH_TOKEN_TTL_DAYS * 24 * 60 * 60 * 1000;
         const anonUserTtlSeconds = constants_1.DEFAULT_CONFIG.ANON_USER_TTL_SECONDS;

package/dist/auth/providers/custom-function/controller.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"controller.d.ts","sourceRoot":"","sources":["../../../../src/auth/providers/custom-function/controller.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAA;AASzC;;;;GAIG;AACH,wBAAsB,wBAAwB,CAAC,GAAG,EAAE,eAAe,iBAiHlE"}
+{"version":3,"file":"controller.d.ts","sourceRoot":"","sources":["../../../../src/auth/providers/custom-function/controller.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAA;AAUzC;;;;GAIG;AACH,wBAAsB,wBAAwB,CAAC,GAAG,EAAE,eAAe,iBAqIlE"}

package/dist/auth/providers/custom-function/controller.js

@@ -10,6 +10,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.customFunctionController = customFunctionController;
+const mongodb_1 = require("mongodb");
 const constants_1 = require("../../../constants");
 const state_1 = require("../../../state");
 const context_1 = require("../../../utils/context");
@@ -25,7 +26,8 @@ function customFunctionController(app) {
     return __awaiter(this, void 0, void 0, function* () {
         const functionsList = state_1.StateManager.select('functions');
         const services = state_1.StateManager.select('services');
-        const db = app.mongo.client.db(constants_1.DB_NAME);
+        const authDb = app.mongo.client.db(constants_1.AUTH_DB_NAME);
+        const customUserDb = app.mongo.client.db(constants_1.DB_NAME);
         const { authCollection, refreshTokensCollection, userCollection, user_id_field } = constants_1.AUTH_CONFIG;
         const refreshTokenTtlMs = constants_1.DEFAULT_CONFIG.REFRESH_TOKEN_TTL_DAYS * 24 * 60 * 60 * 1000;
         /**
@@ -39,7 +41,7 @@ function customFunctionController(app) {
             schema: schema_1.LOGIN_SCHEMA
         }, function (req, reply) {
             return __awaiter(this, void 0, void 0, function* () {
-                var _a, _b;
+                var _a, _b, _c;
                 const customFunctionProvider = (_a = constants_1.AUTH_CONFIG.authProviders) === null || _a === void 0 ? void 0 : _a['custom-function'];
                 if (!customFunctionProvider || customFunctionProvider.disabled) {
                     throw new Error('Custom function authentication disabled');
@@ -75,13 +77,32 @@ function customFunctionController(app) {
                     reply.code(401).send({ message: 'Unauthorized' });
                     return;
                 }
-                const authUser = yield db.collection(authCollection).findOne({ email: authResult.id });
+                const email = (_c = authResult.email) !== null && _c !== void 0 ? _c : authResult.id;
+                let authUser = yield authDb.collection(authCollection).findOne({ email });
                 if (!authUser) {
-                    reply.code(401).send({ message: 'Unauthorized' });
-                    return;
+                    const authUserId = new mongodb_1.ObjectId();
+                    yield authDb.collection(authCollection).insertOne({
+                        _id: authUserId,
+                        email,
+                        status: 'confirmed',
+                        createdAt: new Date(),
+                        custom_data: {},
+                        identities: [
+                            {
+                                id: authResult.id.toString(),
+                                provider_id: authResult.id.toString(),
+                                provider_type: 'custom-function',
+                                provider_data: { email }
+                            }
+                        ]
+                    });
+                    authUser = {
+                        _id: authUserId,
+                        email
+                    };
                 }
                 const user = user_id_field && userCollection
-                    ? yield db
+                    ? yield customUserDb
                         .collection(userCollection)
                         .findOne({ [user_id_field]: authUser._id.toString() })
                     : {};
@@ -92,7 +113,7 @@ function customFunctionController(app) {
                 };
                 const refreshToken = this.createRefreshToken(currentUserData);
                 const refreshTokenHash = (0, crypto_1.hashToken)(refreshToken);
-                yield db.collection(refreshTokensCollection).insertOne({
+                yield authDb.collection(refreshTokensCollection).insertOne({
                     userId: authUser._id,
                     tokenHash: refreshTokenHash,
                     createdAt: new Date(),

package/dist/auth/providers/local-userpass/controller.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"controller.d.ts","sourceRoot":"","sources":["../../../../src/auth/providers/local-userpass/controller.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAA;AAqCzC;;;;GAIG;AACH,wBAAsB,uBAAuB,CAAC,GAAG,EAAE,eAAe,iBAoXjE"}
+{"version":3,"file":"controller.d.ts","sourceRoot":"","sources":["../../../../src/auth/providers/local-userpass/controller.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAA;AAqCzC;;;;GAIG;AACH,wBAAsB,uBAAuB,CAAC,GAAG,EAAE,eAAe,iBAqXjE"}

package/dist/auth/providers/local-userpass/controller.js

@@ -40,7 +40,8 @@ function localUserPassController(app) {
         const { authCollection, userCollection, user_id_field } = constants_1.AUTH_CONFIG;
         const { resetPasswordCollection } = constants_1.AUTH_CONFIG;
         const { refreshTokensCollection } = constants_1.AUTH_CONFIG;
-        const db = app.mongo.client.db(constants_1.DB_NAME);
+        const authDb = app.mongo.client.db(constants_1.AUTH_DB_NAME);
+        const customUserDb = app.mongo.client.db(constants_1.DB_NAME);
         const resetPasswordTtlSeconds = constants_1.DEFAULT_CONFIG.RESET_PASSWORD_TTL_SECONDS;
         const rateLimitWindowMs = constants_1.DEFAULT_CONFIG.AUTH_RATE_LIMIT_WINDOW_MS;
         const loginMaxAttempts = constants_1.DEFAULT_CONFIG.AUTH_LOGIN_MAX_ATTEMPTS;
@@ -49,20 +50,20 @@ function localUserPassController(app) {
         const refreshTokenTtlMs = constants_1.DEFAULT_CONFIG.REFRESH_TOKEN_TTL_DAYS * 24 * 60 * 60 * 1000;
         const resolveLocalUserpassProvider = () => { var _a; return (_a = constants_1.AUTH_CONFIG.authProviders) === null || _a === void 0 ? void 0 : _a['local-userpass']; };
         try {
-            yield db.collection(resetPasswordCollection).createIndex({ createdAt: 1 }, { expireAfterSeconds: resetPasswordTtlSeconds });
+            yield authDb.collection(resetPasswordCollection).createIndex({ createdAt: 1 }, { expireAfterSeconds: resetPasswordTtlSeconds });
         }
         catch (error) {
             console.error('Failed to ensure reset password TTL index', error);
         }
         try {
-            yield db.collection(refreshTokensCollection).createIndex({ expiresAt: 1 }, { expireAfterSeconds: 0 });
+            yield authDb.collection(refreshTokensCollection).createIndex({ expiresAt: 1 }, { expireAfterSeconds: 0 });
         }
         catch (error) {
             console.error('Failed to ensure refresh token TTL index', error);
         }
         const handleResetPasswordRequest = (email, password, extraArguments) => __awaiter(this, void 0, void 0, function* () {
             const { resetPasswordConfig } = constants_1.AUTH_CONFIG;
-            const authUser = yield db.collection(authCollection).findOne({
+            const authUser = yield authDb.collection(authCollection).findOne({
                 email
             });
             if (!authUser) {
@@ -70,7 +71,7 @@ function localUserPassController(app) {
             }
             const token = (0, crypto_1.generateToken)();
             const tokenId = (0, crypto_1.generateToken)();
-            yield (db === null || db === void 0 ? void 0 : db.collection(resetPasswordCollection).updateOne({ email }, { $set: { token, tokenId, email, createdAt: new Date() } }, { upsert: true }));
+            yield (authDb === null || authDb === void 0 ? void 0 : authDb.collection(resetPasswordCollection).updateOne({ email }, { $set: { token, tokenId, email, createdAt: new Date() } }, { upsert: true }));
             if (!resetPasswordConfig.runResetFunction && !resetPasswordConfig.resetFunctionName) {
                 throw new Error(utils_1.AUTH_ERRORS.MISSING_RESET_FUNCTION);
             }
@@ -156,7 +157,7 @@ function localUserPassController(app) {
                 res.status(429).send({ message: 'Too many requests' });
                 return;
             }
-            const existing = yield db.collection(authCollection).findOne({
+            const existing = yield authDb.collection(authCollection).findOne({
                 confirmationToken: req.body.token,
                 confirmationTokenId: req.body.tokenId
             });
@@ -165,7 +166,7 @@ function localUserPassController(app) {
                 throw new Error(utils_1.AUTH_ERRORS.INVALID_TOKEN);
             }
             if (existing.status !== 'confirmed') {
-                yield db.collection(authCollection).updateOne({ _id: existing._id }, {
+                yield authDb.collection(authCollection).updateOne({ _id: existing._id }, {
                     $set: { status: 'confirmed' },
                     $unset: { confirmationToken: '', confirmationTokenId: '' }
                 });
@@ -193,7 +194,7 @@ function localUserPassController(app) {
                     res.status(429).send({ message: 'Too many requests' });
                     return;
                 }
-                const authUser = yield db.collection(authCollection).findOne({
+                const authUser = yield authDb.collection(authCollection).findOne({
                     email: req.body.username
                 });
                 if (!authUser) {
@@ -204,7 +205,7 @@ function localUserPassController(app) {
                     throw new Error(utils_1.AUTH_ERRORS.INVALID_CREDENTIALS);
                 }
                 const user = user_id_field && userCollection
-                    ? yield db
+                    ? yield customUserDb
                         .collection(userCollection)
                         .findOne({ [user_id_field]: authUser._id.toString() })
                     : {};
@@ -215,7 +216,7 @@ function localUserPassController(app) {
                 }
                 const refreshToken = this.createRefreshToken(userWithCustomData);
                 const refreshTokenHash = (0, crypto_1.hashToken)(refreshToken);
-                yield db.collection(refreshTokensCollection).insertOne({
+                yield authDb.collection(refreshTokensCollection).insertOne({
                     userId: authUser._id,
                     tokenHash: refreshTokenHash,
                     createdAt: new Date(),
@@ -298,7 +299,7 @@ function localUserPassController(app) {
                     return { message: 'Too many requests' };
                 }
                 const { token, tokenId, password } = req.body;
-                const resetRequest = yield (db === null || db === void 0 ? void 0 : db.collection(resetPasswordCollection).findOne({ token, tokenId }));
+                const resetRequest = yield (authDb === null || authDb === void 0 ? void 0 : authDb.collection(resetPasswordCollection).findOne({ token, tokenId }));
                 if (!resetRequest) {
                     throw new Error(utils_1.AUTH_ERRORS.INVALID_RESET_PARAMS);
                 }
@@ -307,16 +308,16 @@ function localUserPassController(app) {
                     Number.isNaN(createdAt.getTime()) ||
                     Date.now() - createdAt.getTime() > resetPasswordTtlSeconds * 1000;
                 if (isExpired) {
-                    yield (db === null || db === void 0 ? void 0 : db.collection(resetPasswordCollection).deleteOne({ _id: resetRequest._id }));
+                    yield (authDb === null || authDb === void 0 ? void 0 : authDb.collection(resetPasswordCollection).deleteOne({ _id: resetRequest._id }));
                     throw new Error(utils_1.AUTH_ERRORS.INVALID_RESET_PARAMS);
                 }
                 const hashedPassword = yield (0, crypto_1.hashPassword)(password);
-                yield db.collection(authCollection).updateOne({ email: resetRequest.email }, {
+                yield authDb.collection(authCollection).updateOne({ email: resetRequest.email }, {
                     $set: {
                         password: hashedPassword
                     }
                 });
-                yield (db === null || db === void 0 ? void 0 : db.collection(resetPasswordCollection).deleteOne({ _id: resetRequest._id }));
+                yield (authDb === null || authDb === void 0 ? void 0 : authDb.collection(resetPasswordCollection).deleteOne({ _id: resetRequest._id }));
             });
         });
     });

package/dist/auth/utils.d.ts

@@ -150,6 +150,7 @@ export declare enum AUTH_ERRORS {
 }
 export interface AuthConfig {
     auth_collection?: string;
+    auth_database?: string;
     'api-key': ApiKey;
     'local-userpass': LocalUserpass;
     'custom-function': CustomFunction;

package/dist/auth/utils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../src/auth/utils.ts"],"names":[],"mappings":"AAMA,eAAO,MAAM,cAAc;;;CAA4C,CAAC;AACxE,eAAO,MAAM,YAAY;;;;;;;;;;;;;;;;;;;CAexB,CAAA;AAED,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;CAc7B,CAAA;AAED,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;;;;;;;;CAgB7B,CAAA;AAED,eAAO,MAAM,oBAAoB;;;;;;;;;;;;;;;;;;;CAWhC,CAAA;AAED,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;CAU/B,CAAA;AAED,eAAO,MAAM,YAAY;;;;;;;;;;;;;;CAAoB,CAAA;AAE7C,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;CAe/B,CAAA;AAED,oBAAY,cAAc;IACxB,KAAK,WAAW;IAChB,YAAY,cAAc;IAC1B,OAAO,aAAa;IACpB,OAAO,aAAa;IACpB,OAAO,aAAa;IACpB,KAAK,gBAAgB;IACrB,UAAU,gBAAgB;IAC1B,aAAa,WAAW;IACxB,UAAU,sBAAsB;CACjC;AAED,oBAAY,WAAW;IACrB,mBAAmB,wBAAwB;IAC3C,aAAa,mCAAmC;IAChD,oBAAoB,sCAAsC;IAC1D,sBAAsB,2BAA2B;IACjD,kBAAkB,uBAAuB;CAC1C;AAED,MAAM,WAAW,UAAU;IACzB,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,SAAS,EAAE,MAAM,CAAA;IACjB,gBAAgB,EAAE,aAAa,CAAA;IAC/B,iBAAiB,EAAE,cAAc,CAAA;IACjC,WAAW,CAAC,EAAE,QAAQ,CAAA;CACvB;AAED,UAAU,MAAM;IACd,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,EAAE,MAAM,CAAA;IACZ,QAAQ,EAAE,OAAO,CAAA;CAClB;AACD,UAAU,aAAa;IACrB,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,EAAE,MAAM,CAAA;IACZ,QAAQ,EAAE,OAAO,CAAA;IACjB,MAAM,EAAE,MAAM,CAAA;CACf;AAED,UAAU,cAAc;IACtB,IAAI,EAAE,iBAAiB,CAAC;IACxB,IAAI,EAAE,iBAAiB,CAAC;IACxB,QAAQ,EAAE,OAAO,CAAC;IAClB,MAAM,EAAE;QACN,kBAAkB,EAAE,MAAM,CAAA;KAC3B,CAAA;CACF;AAED,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,WAAW,CAAA;IACjB,IAAI,EAAE,WAAW,CAAA;IACjB,QAAQ,EAAE,OAAO,CAAA;CAClB;AAED,MAAM,WAAW,MAAM;IACrB,WAAW,EAAE,OAAO,CAAA;IACpB,wBAAwB,CAAC,EAAE,MAAM,CAAA;IACjC,iBAAiB,EAAE,MAAM,CAAA;IACzB,gBAAgB,EAAE,MAAM,CAAA;IACxB,uBAAuB,EAAE,OAAO,CAAA;IAChC,gBAAgB,EAAE,OAAO,CAAA;CAC1B;AAED,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,OAAO,CAAA;IAChB,kBAAkB,EAAE,MAAM,CAAA;IAC1B,aAAa,EAAE,MAAM,CAAA;IACrB,eAAe,EAAE,MAAM,CAAA;IACvB,aAAa,EAAE,MAAM,CAAA;IACrB,8BAA8B,EAAE,MAAM,CAAA;CACvC;AAMD;;;GAGG;AACH,eAAO,MAAM,cAAc,QAAO,UAuCjC,CAAA;AAED;;;GAGG;AACH,eAAO,MAAM,kBAAkB,QAAO,oBAarC,CAAA;AAED,eAAO,MAAM,gBAAgB,GAAI,eAAW,WAG3C,CAAA"}
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../src/auth/utils.ts"],"names":[],"mappings":"AAMA,eAAO,MAAM,cAAc;;;CAA4C,CAAC;AACxE,eAAO,MAAM,YAAY;;;;;;;;;;;;;;;;;;;CAexB,CAAA;AAED,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;CAc7B,CAAA;AAED,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;;;;;;;;CAgB7B,CAAA;AAED,eAAO,MAAM,oBAAoB;;;;;;;;;;;;;;;;;;;CAWhC,CAAA;AAED,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;CAU/B,CAAA;AAED,eAAO,MAAM,YAAY;;;;;;;;;;;;;;CAAoB,CAAA;AAE7C,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;CAe/B,CAAA;AAED,oBAAY,cAAc;IACxB,KAAK,WAAW;IAChB,YAAY,cAAc;IAC1B,OAAO,aAAa;IACpB,OAAO,aAAa;IACpB,OAAO,aAAa;IACpB,KAAK,gBAAgB;IACrB,UAAU,gBAAgB;IAC1B,aAAa,WAAW;IACxB,UAAU,sBAAsB;CACjC;AAED,oBAAY,WAAW;IACrB,mBAAmB,wBAAwB;IAC3C,aAAa,mCAAmC;IAChD,oBAAoB,sCAAsC;IAC1D,sBAAsB,2BAA2B;IACjD,kBAAkB,uBAAuB;CAC1C;AAED,MAAM,WAAW,UAAU;IACzB,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,SAAS,EAAE,MAAM,CAAA;IACjB,gBAAgB,EAAE,aAAa,CAAA;IAC/B,iBAAiB,EAAE,cAAc,CAAA;IACjC,WAAW,CAAC,EAAE,QAAQ,CAAA;CACvB;AAED,UAAU,MAAM;IACd,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,EAAE,MAAM,CAAA;IACZ,QAAQ,EAAE,OAAO,CAAA;CAClB;AACD,UAAU,aAAa;IACrB,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,EAAE,MAAM,CAAA;IACZ,QAAQ,EAAE,OAAO,CAAA;IACjB,MAAM,EAAE,MAAM,CAAA;CACf;AAED,UAAU,cAAc;IACtB,IAAI,EAAE,iBAAiB,CAAC;IACxB,IAAI,EAAE,iBAAiB,CAAC;IACxB,QAAQ,EAAE,OAAO,CAAC;IAClB,MAAM,EAAE;QACN,kBAAkB,EAAE,MAAM,CAAA;KAC3B,CAAA;CACF;AAED,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,WAAW,CAAA;IACjB,IAAI,EAAE,WAAW,CAAA;IACjB,QAAQ,EAAE,OAAO,CAAA;CAClB;AAED,MAAM,WAAW,MAAM;IACrB,WAAW,EAAE,OAAO,CAAA;IACpB,wBAAwB,CAAC,EAAE,MAAM,CAAA;IACjC,iBAAiB,EAAE,MAAM,CAAA;IACzB,gBAAgB,EAAE,MAAM,CAAA;IACxB,uBAAuB,EAAE,OAAO,CAAA;IAChC,gBAAgB,EAAE,OAAO,CAAA;CAC1B;AAED,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,OAAO,CAAA;IAChB,kBAAkB,EAAE,MAAM,CAAA;IAC1B,aAAa,EAAE,MAAM,CAAA;IACrB,eAAe,EAAE,MAAM,CAAA;IACvB,aAAa,EAAE,MAAM,CAAA;IACrB,8BAA8B,EAAE,MAAM,CAAA;CACvC;AAMD;;;GAGG;AACH,eAAO,MAAM,cAAc,QAAO,UAuCjC,CAAA;AAED;;;GAGG;AACH,eAAO,MAAM,kBAAkB,QAAO,oBAarC,CAAA;AAED,eAAO,MAAM,gBAAgB,GAAI,eAAW,WAG3C,CAAA"}

package/dist/constants.d.ts

@@ -33,10 +33,15 @@ export declare const DEFAULT_CONFIG: {
         origin: string;
         methods: ALLOWED_METHODS[];
     };
+    MONGODB_ENCRYPTION_CONFIG: {
+        keyVaultDb: string;
+        keyVaultCollection: string;
+    };
 };
 export declare const API_VERSION: string;
 export declare const HTTPS_SCHEMA: string;
 export declare const DB_NAME: string;
+export declare const AUTH_DB_NAME: string;
 type AuthProviders = Record<string, {
     disabled?: boolean;
     config?: unknown;
@@ -62,5 +67,11 @@ export declare const S3_CONFIG: {
     ACCESS_KEY_ID: string | undefined;
     SECRET_ACCESS_KEY: string | undefined;
 };
+/**
+ * Name of the MongoDB client to use for change streams.
+ * This may be a separate instance because streams do not work
+ * when the main client has auto encryption enabled.
+ */
+export declare const CHANGESTREAM = "changestream";
 export {};
 //# sourceMappingURL=constants.d.ts.map

package/dist/constants.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,IAAI,CAAA;AAsBpC,eAAO,MAAM,cAAc;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAmCsB,eAAe,EAAE;;CAEjE,CAAA;AACD,eAAO,MAAM,WAAW,QAA8C,CAAA;AACtE,eAAO,MAAM,YAAY,QAA8B,CAAA;AACvD,eAAO,MAAM,OAAO,QAAgB,CAAA;AAEpC,KAAK,aAAa,GAAG,MAAM,CAAC,MAAM,EAAE;IAAE,QAAQ,CAAC,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CAAA;AAE7E,eAAO,MAAM,WAAW;;;;;;;mBAOqB,aAAa;;;;;;;;;CAOzD,CAAA;AAID,eAAO,MAAM,SAAS;;;CAGrB,CAAA"}
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,IAAI,CAAA;AAsBpC,eAAO,MAAM,cAAc;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAmCsB,eAAe,EAAE;;;;;;CAMjE,CAAA;AACD,eAAO,MAAM,WAAW,QAA8C,CAAA;AACtE,eAAO,MAAM,YAAY,QAA8B,CAAA;AACvD,eAAO,MAAM,OAAO,QAAgB,CAAA;AACpC,eAAO,MAAM,YAAY,QAAiC,CAAA;AAE1D,KAAK,aAAa,GAAG,MAAM,CAAC,MAAM,EAAE;IAAE,QAAQ,CAAC,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CAAA;AAE7E,eAAO,MAAM,WAAW;;;;;;;mBAOqB,aAAa;;;;;;;;;CAOzD,CAAA;AAED,eAAO,MAAM,SAAS;;;CAGrB,CAAA;AAED;;;;GAIG;AACH,eAAO,MAAM,YAAY,iBAAiB,CAAA"}

package/dist/constants.js

@@ -12,7 +12,7 @@ var __rest = (this && this.__rest) || function (s, e) {
 };
 var _a, _b, _c, _d, _e, _f, _g, _h;
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.S3_CONFIG = exports.AUTH_CONFIG = exports.DB_NAME = exports.HTTPS_SCHEMA = exports.API_VERSION = exports.DEFAULT_CONFIG = void 0;
+exports.CHANGESTREAM = exports.S3_CONFIG = exports.AUTH_CONFIG = exports.AUTH_DB_NAME = exports.DB_NAME = exports.HTTPS_SCHEMA = exports.API_VERSION = exports.DEFAULT_CONFIG = void 0;
 const utils_1 = require("./auth/utils");
 const parseBoolean = (value) => {
     if (!value)
@@ -25,8 +25,8 @@ const monitEnabledEnv = process.env.MONIT_ENABLED;
 const monitEnabled = typeof monitEnabledEnv === 'string'
     ? parseBoolean(monitEnabledEnv)
     : false;
-const { database_name, collection_name = 'users', user_id_field = 'id', on_user_creation_function_name } = (0, utils_1.loadCustomUserData)();
-const _j = (0, utils_1.loadAuthConfig)(), { auth_collection = 'auth_users' } = _j, configuration = __rest(_j, ["auth_collection"]);
+const { database_name = 'main', collection_name = 'users', user_id_field = 'id', on_user_creation_function_name } = (0, utils_1.loadCustomUserData)();
+const _j = (0, utils_1.loadAuthConfig)(), { auth_collection = 'auth_users', auth_database } = _j, configuration = __rest(_j, ["auth_collection", "auth_database"]);
 exports.DEFAULT_CONFIG = {
     PORT: Number(process.env.PORT) || 3000,
     MONGODB_URL: process.env.MONGODB_URL || '',
@@ -63,11 +63,16 @@ exports.DEFAULT_CONFIG = {
     CORS_OPTIONS: {
         origin: "*",
         methods: ["GET", "POST", "PUT", "DELETE"]
+    },
+    MONGODB_ENCRYPTION_CONFIG: {
+        keyVaultDb: "encryption",
+        keyVaultCollection: "__keyVault"
     }
 };
 exports.API_VERSION = `/api/client/${exports.DEFAULT_CONFIG.API_VERSION}`;
 exports.HTTPS_SCHEMA = exports.DEFAULT_CONFIG.HTTPS_SCHEMA;
 exports.DB_NAME = database_name;
+exports.AUTH_DB_NAME = auth_database !== null && auth_database !== void 0 ? auth_database : database_name;
 // TODO spostare nell'oggetto providers anche le altre configurazioni
 exports.AUTH_CONFIG = {
     authCollection: auth_collection,
@@ -88,3 +93,9 @@ exports.S3_CONFIG = {
     ACCESS_KEY_ID: process.env.S3_ACCESS_KEY_ID,
     SECRET_ACCESS_KEY: process.env.S3_SECRET_ACCESS_KEY
 };
+/**
+ * Name of the MongoDB client to use for change streams.
+ * This may be a separate instance because streams do not work
+ * when the main client has auto encryption enabled.
+ */
+exports.CHANGESTREAM = "changestream";

package/dist/features/encryption/interface.d.ts

@@ -0,0 +1,36 @@
+import type { UUID } from "mongodb";
+export type EncryptionSchemaProperty = EncryptionSchema | {
+    encrypt: {
+        algorithm: string;
+        bsonType: string;
+        keyAlias?: string;
+    };
+};
+export type EncryptionSchema = {
+    bsonType: "object";
+    properties: Record<string, EncryptionSchemaProperty>;
+    encryptMetadata?: {
+        keyAlias: string;
+    };
+};
+export type MappedEncryptionSchemaProperty = MappedEncryptionSchema | {
+    encrypt: {
+        algorithm: string;
+        bsonType: string;
+        keyId?: [UUID];
+    };
+};
+export type MappedEncryptionSchema = {
+    bsonType: "object";
+    properties: Record<string, MappedEncryptionSchemaProperty>;
+    encryptMetadata?: {
+        keyId: [UUID];
+    };
+};
+export type EncryptionSchemaFile = {
+    database: string;
+    collection: string;
+    schema: EncryptionSchema;
+};
+export type EncryptionSchemas = Record<string, EncryptionSchema>;
+//# sourceMappingURL=interface.d.ts.map

package/dist/features/encryption/interface.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"interface.d.ts","sourceRoot":"","sources":["../../../src/features/encryption/interface.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,SAAS,CAAA;AAEnC,MAAM,MAAM,wBAAwB,GAChC,gBAAgB,GAChB;IACA,OAAO,EAAE;QACP,SAAS,EAAE,MAAM,CAAA;QACjB,QAAQ,EAAE,MAAM,CAAA;QAChB,QAAQ,CAAC,EAAE,MAAM,CAAA;KAClB,CAAA;CACF,CAAA;AAEH,MAAM,MAAM,gBAAgB,GAAG;IAC7B,QAAQ,EAAE,QAAQ,CAAA;IAClB,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,wBAAwB,CAAC,CAAA;IACpD,eAAe,CAAC,EAAE;QAChB,QAAQ,EAAE,MAAM,CAAA;KACjB,CAAC;CACH,CAAA;AAGD,MAAM,MAAM,8BAA8B,GACtC,sBAAsB,GACtB;IACA,OAAO,EAAE;QACP,SAAS,EAAE,MAAM,CAAA;QACjB,QAAQ,EAAE,MAAM,CAAA;QAChB,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,CAAA;KACf,CAAA;CACF,CAAA;AAEH,MAAM,MAAM,sBAAsB,GAAG;IACnC,QAAQ,EAAE,QAAQ,CAAA;IAClB,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,8BAA8B,CAAC,CAAA;IAC1D,eAAe,CAAC,EAAE;QAChB,KAAK,EAAE,CAAC,IAAI,CAAC,CAAA;KACd,CAAC;CACH,CAAA;AAED,MAAM,MAAM,oBAAoB,GAAG;IACjC,QAAQ,EAAE,MAAM,CAAA;IAChB,UAAU,EAAE,MAAM,CAAA;IAClB,MAAM,EAAE,gBAAgB,CAAA;CACzB,CAAA;AAED,MAAM,MAAM,iBAAiB,GAAG,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAAA"}

package/dist/features/encryption/interface.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/features/encryption/utils.d.ts

@@ -0,0 +1,9 @@
+import { EncryptionSchemas } from "./interface";
+/**
+ * @experimental
+ * Schemas used for Client-Side Level Encryption configuration.
+ *
+ * **Important:** These schemas do not perform JSON validation.
+ */
+export declare const loadEncryptionSchemas: (rootDir?: string) => Promise<EncryptionSchemas>;
+//# sourceMappingURL=utils.d.ts.map

package/dist/features/encryption/utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../../src/features/encryption/utils.ts"],"names":[],"mappings":"AAEA,OAAO,EAAwB,iBAAiB,EAAE,MAAM,aAAa,CAAA;AAErE;;;;;GAKG;AACH,eAAO,MAAM,qBAAqB,GAAU,gBAAuB,KAAG,OAAO,CAAC,iBAAiB,CAW9F,CAAA"}

package/dist/features/encryption/utils.js

@@ -0,0 +1,34 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadEncryptionSchemas = void 0;
+const node_path_1 = __importDefault(require("node:path"));
+const utils_1 = require("../../utils");
+/**
+ * @experimental
+ * Schemas used for Client-Side Level Encryption configuration.
+ *
+ * **Important:** These schemas do not perform JSON validation.
+ */
+const loadEncryptionSchemas = (...args_1) => __awaiter(void 0, [...args_1], void 0, function* (rootDir = process.cwd()) {
+    const schemasRoot = node_path_1.default.join(rootDir, 'data_sources', 'mongodb-atlas');
+    const files = (0, utils_1.recursivelyCollectFiles)(schemasRoot);
+    const schemaFiles = files.filter((x) => x.endsWith('encryption.json'));
+    return schemaFiles.reduce((acc, filePath) => {
+        const { collection, database, schema } = (0, utils_1.readJsonContent)(filePath);
+        acc[`${database}.${collection}`] = schema;
+        return acc;
+    }, {});
+});
+exports.loadEncryptionSchemas = loadEncryptionSchemas;

package/dist/features/rules/utils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../../src/features/rules/utils.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,KAAK,EAAe,MAAM,aAAa,CAAA;AAEhD,eAAO,MAAM,SAAS,GAAU,gBAAuB,KAAG,OAAO,CAAC,KAAK,CAsCtE,CAAA"}
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../../src/features/rules/utils.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,KAAK,EAAe,MAAM,aAAa,CAAA;AAEhD,eAAO,MAAM,SAAS,GAAU,gBAAuB,KAAG,OAAO,CAAC,KAAK,CA6BtE,CAAA"}