@flowerforce/flowerbase 1.7.6-beta.0 → 1.7.6-beta.10

package/README.md

@@ -265,8 +265,132 @@ Example
 ```
 If you're configuring the project from scratch, you can skip ahead to the [Build](#build) step.
 
---------
+## 🔐 7 Client-Side Field Level Encryption (CSFLE)
 
+Flowerbase supports MongoDB Client-Side Field Level Encryption. When enabled, sensitive fields are encrypted by the MongoDB driver before writing to MongoDB and decrypted automatically when reading.
+
+What Flowerbase does for you:
+
+- Loads all `encryption.json` files under `data_sources/mongodb-atlas/**`.
+- Builds the MongoDB `schemaMap` automatically from those files.
+- Resolves each `keyAlias` in your schemas to a real Data Encryption Key (DEK) `keyId`.
+- Ensures DEKs exist in the key vault (creates them if missing).
+- Configures Fastify MongoDB plugin `autoEncryption` with the generated `schemaMap`.
+
+### 1. Install encryption drivers
+
+Refer to the official MongoDB documentation for CSFLE installation requirements: https://www.mongodb.com/docs/manual/core/csfle/install.
+
+It is recommended to use the [**Automatic Encryption Shared Library**](https://www.mongodb.com/docs/manual/core/csfle/reference/install-library/?encryption-component=crypt_shared#std-label-csfle-reference-shared-library-download) instead of mongocryptd.
+
+Note that the project should also install [mongodb-client-encryption](https://www.npmjs.com/package/mongodb-client-encryption), matching the mongodb driver version.
+
+### 2. Add encryption schema files
+
+Create one `encryption.json` per collection you want to encrypt:
+
+Path example:
+
+```text
+src/data_sources/mongodb-atlas/<database>/<collection>/encryption.json
+```
+
+Example:
+
+```json
+{
+  "database": "appDb",
+  "collection": "records",
+  "schema": {
+    "bsonType": "object",
+    "encryptMetadata": {
+      "keyAlias": "root-key"
+    },
+    "properties": {
+      "protectedField1": {
+        "encrypt": {
+          "bsonType": "string",
+          "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Random"
+        }
+      },
+      "protectedField2": {
+        "encrypt": {
+          "bsonType": "string",
+          "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic",
+          "keyAlias": "deep-key"
+        }
+      }
+    }
+  }
+}
+```
+
+Notes:
+
+- `encryptMetadata.keyAlias` applies as default key for that object level.
+- `encrypt.keyAlias` overrides key selection for a specific field.
+- If a field has `encrypt` but no `keyAlias`, MongoDB uses nearest `encryptMetadata`.
+
+### 3. Pass `mongodbEncryptionConfig` to `initialize()`
+
+`initialize()` accepts `mongodbEncryptionConfig` to configure KMS providers and key vault settings.
+
+#### Local KMS provider example (development)
+
+```ts
+import { initialize } from "@flowerforce/flowerbase";
+
+await initialize({
+  projectId: "my-project-id",
+  mongodbUrl: process.env.MONGODB_URL,
+  jwtSecret: process.env.JWT_SECRET,
+  mongodbEncryptionConfig: {
+    kmsProviders: [
+      {
+        provider: "local",
+        keyAlias: "root-key",
+        config: {
+          // 96-byte local master key encoded as base64
+          key: process.env.LOCAL_MASTER_KEY_BASE64,
+        },
+      },
+      {
+        provider: "local",
+        keyAlias: "deep-key",
+        config: { key: process.env.LOCAL_MASTER_KEY_BASE64 },
+      },
+    ],
+    keyVaultDb: "encryption",
+    keyVaultCollection: "__keyVault",
+    extraOptions: {
+      // Optional: path to crypt shared library
+      // cryptSharedLibPath: '/opt/mongo_crypt_v1/lib/mongo_crypt_v1.so'
+    },
+  },
+});
+```
+
+#### AWS KMS provider example
+
+```ts
+mongodbEncryptionConfig: {
+  kmsProviders: [
+    {
+      provider: "aws",
+      keyAlias: "root-key",
+      config: {
+        accessKeyId: process.env.AWS_ACCESS_KEY_ID,
+        secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY,
+      },
+      masterKey: {
+        key: process.env.AWS_KMS_KEY_ARN,
+        region: process.env.AWS_REGION,
+      },
+    },
+  ];
+}
+```
+---
 
 <a id="migration"></a>
 ## 🔄 [Migration Guide](#migration) - Migrating Your Realm Project

package/dist/auth/providers/anon-user/controller.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"controller.d.ts","sourceRoot":"","sources":["../../../../src/auth/providers/anon-user/controller.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAA;AAOzC;;;;GAIG;AACH,wBAAsB,kBAAkB,CAAC,GAAG,EAAE,eAAe,iBAwE5D"}
+{"version":3,"file":"controller.d.ts","sourceRoot":"","sources":["../../../../src/auth/providers/anon-user/controller.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAA;AAOzC;;;;GAIG;AACH,wBAAsB,kBAAkB,CAAC,GAAG,EAAE,eAAe,iBAyE5D"}

package/dist/auth/providers/anon-user/controller.js

@@ -54,6 +54,7 @@ function anonUserController(app) {
                     email: anonEmail,
                     status: 'confirmed',
                     createdAt: now,
+                    lastLoginAt: now,
                     custom_data: {},
                     identities: [
                         {

package/dist/auth/providers/custom-function/controller.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"controller.d.ts","sourceRoot":"","sources":["../../../../src/auth/providers/custom-function/controller.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAA;AAUzC;;;;GAIG;AACH,wBAAsB,wBAAwB,CAAC,GAAG,EAAE,eAAe,iBA2IlE"}
+{"version":3,"file":"controller.d.ts","sourceRoot":"","sources":["../../../../src/auth/providers/custom-function/controller.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAA;AAUzC;;;;GAIG;AACH,wBAAsB,wBAAwB,CAAC,GAAG,EAAE,eAAe,iBA0IlE"}

package/dist/auth/providers/custom-function/controller.js

@@ -38,10 +38,7 @@ function customFunctionController(app) {
          * @returns {Promise<Object>} A promise resolving with access and refresh tokens.
          */
         app.post(utils_1.AUTH_ENDPOINTS.LOGIN, {
-            schema: schema_1.LOGIN_SCHEMA,
-            errorHandler: (_error, _request, reply) => {
-                reply.code(500).send({ message: 'Internal Server Error' });
-            }
+            schema: schema_1.LOGIN_SCHEMA
         }, function (req, reply) {
             return __awaiter(this, void 0, void 0, function* () {
                 var _a, _b, _c;
@@ -114,23 +111,23 @@ function customFunctionController(app) {
                     user_data: Object.assign(Object.assign({}, (user || {})), { id: authUser._id.toString(), email: authUser.email }),
                     custom_data: Object.assign({}, (user || {}))
                 };
+                const now = new Date();
                 const refreshToken = this.createRefreshToken(currentUserData);
                 const refreshTokenHash = (0, crypto_1.hashToken)(refreshToken);
                 yield authDb.collection(refreshTokensCollection).insertOne({
                     userId: authUser._id,
                     tokenHash: refreshTokenHash,
-                    createdAt: new Date(),
+                    createdAt: now,
                     expiresAt: new Date(Date.now() + refreshTokenTtlMs),
                     revokedAt: null
                 });
-                const accessToken = this.createAccessToken(currentUserData);
-                const responsePayload = {
-                    access_token: accessToken,
+                yield authDb.collection(authCollection).updateOne({ _id: authUser._id }, { $set: { lastLoginAt: now } });
+                return {
+                    access_token: this.createAccessToken(currentUserData),
                     refresh_token: refreshToken,
                     device_id: '',
                     user_id: authUser._id.toString()
                 };
-                reply.code(200).send(responsePayload);
             });
         });
     });

package/dist/auth/providers/local-userpass/controller.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"controller.d.ts","sourceRoot":"","sources":["../../../../src/auth/providers/local-userpass/controller.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAA;AAqCzC;;;;GAIG;AACH,wBAAsB,uBAAuB,CAAC,GAAG,EAAE,eAAe,iBAqXjE"}
+{"version":3,"file":"controller.d.ts","sourceRoot":"","sources":["../../../../src/auth/providers/local-userpass/controller.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAA;AA4CzC;;;;GAIG;AACH,wBAAsB,uBAAuB,CAAC,GAAG,EAAE,eAAe,iBAmajE"}

package/dist/auth/providers/local-userpass/controller.js

@@ -49,14 +49,22 @@ function localUserPassController(app) {
         const resetMaxAttempts = constants_1.DEFAULT_CONFIG.AUTH_RESET_MAX_ATTEMPTS;
         const refreshTokenTtlMs = constants_1.DEFAULT_CONFIG.REFRESH_TOKEN_TTL_DAYS * 24 * 60 * 60 * 1000;
         const resolveLocalUserpassProvider = () => { var _a; return (_a = constants_1.AUTH_CONFIG.authProviders) === null || _a === void 0 ? void 0 : _a['local-userpass']; };
+        const invalidPasswordError = {
+            error: 'unauthorized',
+            error_code: 'InvalidPassword'
+        };
         try {
-            yield authDb.collection(resetPasswordCollection).createIndex({ createdAt: 1 }, { expireAfterSeconds: resetPasswordTtlSeconds });
+            yield authDb
+                .collection(resetPasswordCollection)
+                .createIndex({ createdAt: 1 }, { expireAfterSeconds: resetPasswordTtlSeconds });
         }
         catch (error) {
             console.error('Failed to ensure reset password TTL index', error);
         }
         try {
-            yield authDb.collection(refreshTokensCollection).createIndex({ expiresAt: 1 }, { expireAfterSeconds: 0 });
+            yield authDb
+                .collection(refreshTokensCollection)
+                .createIndex({ expiresAt: 1 }, { expireAfterSeconds: 0 });
         }
         catch (error) {
             console.error('Failed to ensure refresh token TTL index', error);
@@ -80,8 +88,10 @@ function localUserPassController(app) {
                 const services = state_1.StateManager.select('services');
                 const currentFunction = functionsList[resetPasswordConfig.resetFunctionName];
                 const baseArgs = { token, tokenId, email, password, username: email };
-                const args = Array.isArray(extraArguments) ? [baseArgs, ...extraArguments] : [baseArgs];
-                yield (0, context_1.GenerateContext)({
+                const args = Array.isArray(extraArguments)
+                    ? [baseArgs, ...extraArguments]
+                    : [baseArgs];
+                const response = (yield (0, context_1.GenerateContext)({
                     args,
                     app,
                     rules: {},
@@ -89,10 +99,32 @@ function localUserPassController(app) {
                     currentFunction,
                     functionName: resetPasswordConfig.resetFunctionName,
                     functionsList,
-                    services
-                });
-                return;
+                    services,
+                    runAsSystem: true
+                }));
+                const resetStatus = response === null || response === void 0 ? void 0 : response.status;
+                if (resetStatus === 'success') {
+                    if (!password) {
+                        throw new Error(utils_1.AUTH_ERRORS.INVALID_RESET_FUNCTION_RESPONSE);
+                    }
+                    const hashedPassword = yield (0, crypto_1.hashPassword)(password);
+                    yield authDb.collection(authCollection).updateOne({ email }, {
+                        $set: {
+                            password: hashedPassword
+                        }
+                    });
+                    yield (authDb === null || authDb === void 0 ? void 0 : authDb.collection(resetPasswordCollection).deleteOne({ email }));
+                    return { status: 'success' };
+                }
+                if (resetStatus === 'pending') {
+                    return { status: 'pending' };
+                }
+                if (resetStatus === 'fail') {
+                    throw new Error(utils_1.AUTH_ERRORS.INVALID_RESET_PARAMS);
+                }
+                throw new Error(utils_1.AUTH_ERRORS.INVALID_RESET_FUNCTION_RESPONSE);
             }
+            return { status: 'pending' };
         });
         /**
          * Endpoint for user registration.
@@ -116,13 +148,17 @@ function localUserPassController(app) {
             }
             let result;
             try {
-                result = yield (0, handleUserRegistration_1.default)(app, { run_as_system: true, provider: handleUserRegistration_model_1.PROVIDER.LOCAL_USERPASS })({
+                result = yield (0, handleUserRegistration_1.default)(app, {
+                    run_as_system: true,
+                    provider: handleUserRegistration_model_1.PROVIDER.LOCAL_USERPASS
+                })({
                     email: req.body.email.toLowerCase(),
                     password: req.body.password
                 });
             }
             catch (error) {
-                if (error instanceof Error && error.message === 'This email address is already used') {
+                if (error instanceof Error &&
+                    error.message === 'This email address is already used') {
                     res.status(409).send({
                         error: 'name already in use',
                         error_code: 'AccountNameInUse'
@@ -157,10 +193,10 @@ function localUserPassController(app) {
                 res.status(429).send({ message: 'Too many requests' });
                 return;
             }
-            const existing = yield authDb.collection(authCollection).findOne({
+            const existing = (yield authDb.collection(authCollection).findOne({
                 confirmationToken: req.body.token,
                 confirmationTokenId: req.body.tokenId
-            });
+            }));
             if (!existing) {
                 res.status(500);
                 throw new Error(utils_1.AUTH_ERRORS.INVALID_TOKEN);
@@ -198,11 +234,13 @@ function localUserPassController(app) {
                     email: req.body.username
                 });
                 if (!authUser) {
-                    throw new Error(utils_1.AUTH_ERRORS.INVALID_CREDENTIALS);
+                    res.status(401);
+                    return invalidPasswordError;
                 }
                 const passwordMatches = yield (0, crypto_1.comparePassword)(req.body.password, authUser.password);
                 if (!passwordMatches) {
-                    throw new Error(utils_1.AUTH_ERRORS.INVALID_CREDENTIALS);
+                    res.status(401);
+                    return invalidPasswordError;
                 }
                 const user = user_id_field && userCollection
                     ? yield customUserDb
@@ -214,15 +252,19 @@ function localUserPassController(app) {
                 if (authUser && authUser.status !== 'confirmed') {
                     throw new Error(utils_1.AUTH_ERRORS.USER_NOT_CONFIRMED);
                 }
+                const now = new Date();
                 const refreshToken = this.createRefreshToken(userWithCustomData);
                 const refreshTokenHash = (0, crypto_1.hashToken)(refreshToken);
                 yield authDb.collection(refreshTokensCollection).insertOne({
                     userId: authUser._id,
                     tokenHash: refreshTokenHash,
-                    createdAt: new Date(),
+                    createdAt: now,
                     expiresAt: new Date(Date.now() + refreshTokenTtlMs),
                     revokedAt: null
                 });
+                yield authDb
+                    .collection(authCollection)
+                    .updateOne({ _id: authUser._id }, { $set: { lastLoginAt: now } });
                 return {
                     access_token: this.createAccessToken(userWithCustomData),
                     refresh_token: refreshToken,
@@ -271,11 +313,9 @@ function localUserPassController(app) {
                     res.status(429);
                     return { message: 'Too many requests' };
                 }
-                yield handleResetPasswordRequest(req.body.email, req.body.password, req.body.arguments);
+                const result = yield handleResetPasswordRequest(req.body.email, req.body.password, req.body.arguments);
                 res.status(202);
-                return {
-                    status: 'ok'
-                };
+                return result;
             });
         });
         /**

package/dist/auth/providers/local-userpass/dtos.d.ts

@@ -15,12 +15,16 @@ export type LoginSuccessDto = {
 export type ErrorResponseDto = {
     message: string;
 };
+export type InvalidPasswordResponseDto = {
+    error: 'unauthorized';
+    error_code: 'InvalidPassword';
+};
 export interface RegistrationDto {
     Body: RegisterUserDto;
 }
 export interface LoginDto {
     Body: LoginUserDto;
-    Reply: LoginSuccessDto | ErrorResponseDto;
+    Reply: LoginSuccessDto | ErrorResponseDto | InvalidPasswordResponseDto;
 }
 export interface ResetPasswordSendDto {
     Body: {

package/dist/auth/providers/local-userpass/dtos.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"dtos.d.ts","sourceRoot":"","sources":["../../../../src/auth/providers/local-userpass/dtos.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,eAAe,GAAG;IAC5B,KAAK,EAAE,MAAM,CAAA;IACb,QAAQ,EAAE,MAAM,CAAA;CACjB,CAAA;AAED,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,EAAE,MAAM,CAAA;IAChB,QAAQ,EAAE,MAAM,CAAA;CACjB,CAAA;AAED,MAAM,MAAM,eAAe,GAAG;IAC5B,YAAY,EAAE,MAAM,CAAA;IACpB,SAAS,EAAE,MAAM,CAAA;IACjB,aAAa,EAAE,MAAM,CAAA;IACrB,OAAO,EAAE,MAAM,CAAA;CAChB,CAAA;AAED,MAAM,MAAM,gBAAgB,GAAG;IAC7B,OAAO,EAAE,MAAM,CAAA;CAChB,CAAA;AAED,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,eAAe,CAAA;CACtB;AAED,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,YAAY,CAAA;IAClB,KAAK,EAAE,eAAe,GAAG,gBAAgB,CAAA;CAC1C;AAED,MAAM,WAAW,oBAAoB;IACnC,IAAI,EAAE;QACJ,KAAK,EAAE,MAAM,CAAA;KACd,CAAA;CACF;AAED,MAAM,WAAW,oBAAoB;IACnC,IAAI,EAAE;QACJ,KAAK,EAAE,MAAM,CAAA;QACb,QAAQ,EAAE,MAAM,CAAA;QAChB,SAAS,CAAC,EAAE,OAAO,EAAE,CAAA;KACtB,CAAA;CACF;AAED,MAAM,WAAW,uBAAuB;IACtC,IAAI,EAAE;QACJ,KAAK,EAAE,MAAM,CAAA;QACb,OAAO,EAAE,MAAM,CAAA;QACf,QAAQ,EAAE,MAAM,CAAA;KACjB,CAAA;CACF;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE;QACJ,KAAK,EAAE,MAAM,CAAA;QACb,OAAO,EAAE,MAAM,CAAA;KAChB,CAAA;CACF"}
+{"version":3,"file":"dtos.d.ts","sourceRoot":"","sources":["../../../../src/auth/providers/local-userpass/dtos.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,eAAe,GAAG;IAC5B,KAAK,EAAE,MAAM,CAAA;IACb,QAAQ,EAAE,MAAM,CAAA;CACjB,CAAA;AAED,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,EAAE,MAAM,CAAA;IAChB,QAAQ,EAAE,MAAM,CAAA;CACjB,CAAA;AAED,MAAM,MAAM,eAAe,GAAG;IAC5B,YAAY,EAAE,MAAM,CAAA;IACpB,SAAS,EAAE,MAAM,CAAA;IACjB,aAAa,EAAE,MAAM,CAAA;IACrB,OAAO,EAAE,MAAM,CAAA;CAChB,CAAA;AAED,MAAM,MAAM,gBAAgB,GAAG;IAC7B,OAAO,EAAE,MAAM,CAAA;CAChB,CAAA;AAED,MAAM,MAAM,0BAA0B,GAAG;IACvC,KAAK,EAAE,cAAc,CAAA;IACrB,UAAU,EAAE,iBAAiB,CAAA;CAC9B,CAAA;AAED,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,eAAe,CAAA;CACtB;AAED,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,YAAY,CAAA;IAClB,KAAK,EAAE,eAAe,GAAG,gBAAgB,GAAG,0BAA0B,CAAA;CACvE;AAED,MAAM,WAAW,oBAAoB;IACnC,IAAI,EAAE;QACJ,KAAK,EAAE,MAAM,CAAA;KACd,CAAA;CACF;AAED,MAAM,WAAW,oBAAoB;IACnC,IAAI,EAAE;QACJ,KAAK,EAAE,MAAM,CAAA;QACb,QAAQ,EAAE,MAAM,CAAA;QAChB,SAAS,CAAC,EAAE,OAAO,EAAE,CAAA;KACtB,CAAA;CACF;AAED,MAAM,WAAW,uBAAuB;IACtC,IAAI,EAAE;QACJ,KAAK,EAAE,MAAM,CAAA;QACb,OAAO,EAAE,MAAM,CAAA;QACf,QAAQ,EAAE,MAAM,CAAA;KACjB,CAAA;CACF;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE;QACJ,KAAK,EAAE,MAAM,CAAA;QACb,OAAO,EAAE,MAAM,CAAA;KAChB,CAAA;CACF"}

package/dist/auth/utils.d.ts

@@ -146,6 +146,7 @@ export declare enum AUTH_ERRORS {
     INVALID_TOKEN = "Invalid refresh token provided",
     INVALID_RESET_PARAMS = "Invalid token or tokenId provided",
     MISSING_RESET_FUNCTION = "Missing reset function",
+    INVALID_RESET_FUNCTION_RESPONSE = "Invalid reset function response",
     USER_NOT_CONFIRMED = "User not confirmed"
 }
 export interface AuthConfig {

package/dist/auth/utils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../src/auth/utils.ts"],"names":[],"mappings":"AAMA,eAAO,MAAM,cAAc;;;CAA4C,CAAC;AACxE,eAAO,MAAM,YAAY;;;;;;;;;;;;;;;;;;;CAexB,CAAA;AAED,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;CAc7B,CAAA;AAED,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;;;;;;;;CAgB7B,CAAA;AAED,eAAO,MAAM,oBAAoB;;;;;;;;;;;;;;;;;;;CAWhC,CAAA;AAED,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;CAU/B,CAAA;AAED,eAAO,MAAM,YAAY;;;;;;;;;;;;;;CAAoB,CAAA;AAE7C,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;CAe/B,CAAA;AAED,oBAAY,cAAc;IACxB,KAAK,WAAW;IAChB,YAAY,cAAc;IAC1B,OAAO,aAAa;IACpB,OAAO,aAAa;IACpB,OAAO,aAAa;IACpB,KAAK,gBAAgB;IACrB,UAAU,gBAAgB;IAC1B,aAAa,WAAW;IACxB,UAAU,sBAAsB;CACjC;AAED,oBAAY,WAAW;IACrB,mBAAmB,wBAAwB;IAC3C,aAAa,mCAAmC;IAChD,oBAAoB,sCAAsC;IAC1D,sBAAsB,2BAA2B;IACjD,kBAAkB,uBAAuB;CAC1C;AAED,MAAM,WAAW,UAAU;IACzB,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,SAAS,EAAE,MAAM,CAAA;IACjB,gBAAgB,EAAE,aAAa,CAAA;IAC/B,iBAAiB,EAAE,cAAc,CAAA;IACjC,WAAW,CAAC,EAAE,QAAQ,CAAA;CACvB;AAED,UAAU,MAAM;IACd,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,EAAE,MAAM,CAAA;IACZ,QAAQ,EAAE,OAAO,CAAA;CAClB;AACD,UAAU,aAAa;IACrB,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,EAAE,MAAM,CAAA;IACZ,QAAQ,EAAE,OAAO,CAAA;IACjB,MAAM,EAAE,MAAM,CAAA;CACf;AAED,UAAU,cAAc;IACtB,IAAI,EAAE,iBAAiB,CAAC;IACxB,IAAI,EAAE,iBAAiB,CAAC;IACxB,QAAQ,EAAE,OAAO,CAAC;IAClB,MAAM,EAAE;QACN,kBAAkB,EAAE,MAAM,CAAA;KAC3B,CAAA;CACF;AAED,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,WAAW,CAAA;IACjB,IAAI,EAAE,WAAW,CAAA;IACjB,QAAQ,EAAE,OAAO,CAAA;CAClB;AAED,MAAM,WAAW,MAAM;IACrB,WAAW,EAAE,OAAO,CAAA;IACpB,wBAAwB,CAAC,EAAE,MAAM,CAAA;IACjC,iBAAiB,EAAE,MAAM,CAAA;IACzB,gBAAgB,EAAE,MAAM,CAAA;IACxB,uBAAuB,EAAE,OAAO,CAAA;IAChC,gBAAgB,EAAE,OAAO,CAAA;CAC1B;AAED,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,OAAO,CAAA;IAChB,kBAAkB,EAAE,MAAM,CAAA;IAC1B,aAAa,EAAE,MAAM,CAAA;IACrB,eAAe,EAAE,MAAM,CAAA;IACvB,aAAa,EAAE,MAAM,CAAA;IACrB,8BAA8B,EAAE,MAAM,CAAA;CACvC;AAMD;;;GAGG;AACH,eAAO,MAAM,cAAc,QAAO,UAuCjC,CAAA;AAED;;;GAGG;AACH,eAAO,MAAM,kBAAkB,QAAO,oBAarC,CAAA;AAED,eAAO,MAAM,gBAAgB,GAAI,eAAW,WAG3C,CAAA"}
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../src/auth/utils.ts"],"names":[],"mappings":"AAMA,eAAO,MAAM,cAAc;;;CAA4C,CAAC;AACxE,eAAO,MAAM,YAAY;;;;;;;;;;;;;;;;;;;CAexB,CAAA;AAED,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;CAc7B,CAAA;AAED,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;;;;;;;;CAgB7B,CAAA;AAED,eAAO,MAAM,oBAAoB;;;;;;;;;;;;;;;;;;;CAWhC,CAAA;AAED,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;CAU/B,CAAA;AAED,eAAO,MAAM,YAAY;;;;;;;;;;;;;;CAAoB,CAAA;AAE7C,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;CAe/B,CAAA;AAED,oBAAY,cAAc;IACxB,KAAK,WAAW;IAChB,YAAY,cAAc;IAC1B,OAAO,aAAa;IACpB,OAAO,aAAa;IACpB,OAAO,aAAa;IACpB,KAAK,gBAAgB;IACrB,UAAU,gBAAgB;IAC1B,aAAa,WAAW;IACxB,UAAU,sBAAsB;CACjC;AAED,oBAAY,WAAW;IACrB,mBAAmB,wBAAwB;IAC3C,aAAa,mCAAmC;IAChD,oBAAoB,sCAAsC;IAC1D,sBAAsB,2BAA2B;IACjD,+BAA+B,oCAAoC;IACnE,kBAAkB,uBAAuB;CAC1C;AAED,MAAM,WAAW,UAAU;IACzB,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,SAAS,EAAE,MAAM,CAAA;IACjB,gBAAgB,EAAE,aAAa,CAAA;IAC/B,iBAAiB,EAAE,cAAc,CAAA;IACjC,WAAW,CAAC,EAAE,QAAQ,CAAA;CACvB;AAED,UAAU,MAAM;IACd,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,EAAE,MAAM,CAAA;IACZ,QAAQ,EAAE,OAAO,CAAA;CAClB;AACD,UAAU,aAAa;IACrB,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,EAAE,MAAM,CAAA;IACZ,QAAQ,EAAE,OAAO,CAAA;IACjB,MAAM,EAAE,MAAM,CAAA;CACf;AAED,UAAU,cAAc;IACtB,IAAI,EAAE,iBAAiB,CAAC;IACxB,IAAI,EAAE,iBAAiB,CAAC;IACxB,QAAQ,EAAE,OAAO,CAAC;IAClB,MAAM,EAAE;QACN,kBAAkB,EAAE,MAAM,CAAA;KAC3B,CAAA;CACF;AAED,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,WAAW,CAAA;IACjB,IAAI,EAAE,WAAW,CAAA;IACjB,QAAQ,EAAE,OAAO,CAAA;CAClB;AAED,MAAM,WAAW,MAAM;IACrB,WAAW,EAAE,OAAO,CAAA;IACpB,wBAAwB,CAAC,EAAE,MAAM,CAAA;IACjC,iBAAiB,EAAE,MAAM,CAAA;IACzB,gBAAgB,EAAE,MAAM,CAAA;IACxB,uBAAuB,EAAE,OAAO,CAAA;IAChC,gBAAgB,EAAE,OAAO,CAAA;CAC1B;AAED,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,OAAO,CAAA;IAChB,kBAAkB,EAAE,MAAM,CAAA;IAC1B,aAAa,EAAE,MAAM,CAAA;IACrB,eAAe,EAAE,MAAM,CAAA;IACvB,aAAa,EAAE,MAAM,CAAA;IACrB,8BAA8B,EAAE,MAAM,CAAA;CACvC;AAMD;;;GAGG;AACH,eAAO,MAAM,cAAc,QAAO,UAuCjC,CAAA;AAED;;;GAGG;AACH,eAAO,MAAM,kBAAkB,QAAO,oBAarC,CAAA;AAED,eAAO,MAAM,gBAAgB,GAAI,eAAW,WAG3C,CAAA"}

package/dist/auth/utils.js

@@ -115,6 +115,7 @@ var AUTH_ERRORS;
     AUTH_ERRORS["INVALID_TOKEN"] = "Invalid refresh token provided";
     AUTH_ERRORS["INVALID_RESET_PARAMS"] = "Invalid token or tokenId provided";
     AUTH_ERRORS["MISSING_RESET_FUNCTION"] = "Missing reset function";
+    AUTH_ERRORS["INVALID_RESET_FUNCTION_RESPONSE"] = "Invalid reset function response";
     AUTH_ERRORS["USER_NOT_CONFIRMED"] = "User not confirmed";
 })(AUTH_ERRORS || (exports.AUTH_ERRORS = AUTH_ERRORS = {}));
 const resolveAppPath = () => { var _a, _b, _c; return (_c = (_a = process.env.FLOWERBASE_APP_PATH) !== null && _a !== void 0 ? _a : (_b = require.main) === null || _b === void 0 ? void 0 : _b.path) !== null && _c !== void 0 ? _c : process.cwd(); };

package/dist/constants.d.ts

@@ -33,6 +33,10 @@ export declare const DEFAULT_CONFIG: {
         origin: string;
         methods: ALLOWED_METHODS[];
     };
+    MONGODB_ENCRYPTION_CONFIG: {
+        keyVaultDb: string;
+        keyVaultCollection: string;
+    };
 };
 export declare const API_VERSION: string;
 export declare const HTTPS_SCHEMA: string;
@@ -63,5 +67,11 @@ export declare const S3_CONFIG: {
     ACCESS_KEY_ID: string | undefined;
     SECRET_ACCESS_KEY: string | undefined;
 };
+/**
+ * Name of the MongoDB client to use for change streams.
+ * This may be a separate instance because streams do not work
+ * when the main client has auto encryption enabled.
+ */
+export declare const CHANGESTREAM = "changestream";
 export {};
 //# sourceMappingURL=constants.d.ts.map

package/dist/constants.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,IAAI,CAAA;AAsBpC,eAAO,MAAM,cAAc;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAmCsB,eAAe,EAAE;;CAEjE,CAAA;AACD,eAAO,MAAM,WAAW,QAA8C,CAAA;AACtE,eAAO,MAAM,YAAY,QAA8B,CAAA;AACvD,eAAO,MAAM,OAAO,QAAgB,CAAA;AACpC,eAAO,MAAM,YAAY,QAAiC,CAAA;AAE1D,KAAK,aAAa,GAAG,MAAM,CAAC,MAAM,EAAE;IAAE,QAAQ,CAAC,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CAAA;AAE7E,eAAO,MAAM,WAAW;;;;;;;mBAOqB,aAAa;;;;;;;;;CAOzD,CAAA;AAID,eAAO,MAAM,SAAS;;;CAGrB,CAAA"}
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,IAAI,CAAA;AAsBpC,eAAO,MAAM,cAAc;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAmCsB,eAAe,EAAE;;;;;;CAMjE,CAAA;AACD,eAAO,MAAM,WAAW,QAA8C,CAAA;AACtE,eAAO,MAAM,YAAY,QAA8B,CAAA;AACvD,eAAO,MAAM,OAAO,QAAgB,CAAA;AACpC,eAAO,MAAM,YAAY,QAAiC,CAAA;AAE1D,KAAK,aAAa,GAAG,MAAM,CAAC,MAAM,EAAE;IAAE,QAAQ,CAAC,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CAAA;AAE7E,eAAO,MAAM,WAAW;;;;;;;mBAOqB,aAAa;;;;;;;;;CAOzD,CAAA;AAED,eAAO,MAAM,SAAS;;;CAGrB,CAAA;AAED;;;;GAIG;AACH,eAAO,MAAM,YAAY,iBAAiB,CAAA"}

package/dist/constants.js

@@ -12,7 +12,7 @@ var __rest = (this && this.__rest) || function (s, e) {
 };
 var _a, _b, _c, _d, _e, _f, _g, _h;
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.S3_CONFIG = exports.AUTH_CONFIG = exports.AUTH_DB_NAME = exports.DB_NAME = exports.HTTPS_SCHEMA = exports.API_VERSION = exports.DEFAULT_CONFIG = void 0;
+exports.CHANGESTREAM = exports.S3_CONFIG = exports.AUTH_CONFIG = exports.AUTH_DB_NAME = exports.DB_NAME = exports.HTTPS_SCHEMA = exports.API_VERSION = exports.DEFAULT_CONFIG = void 0;
 const utils_1 = require("./auth/utils");
 const parseBoolean = (value) => {
     if (!value)
@@ -63,6 +63,10 @@ exports.DEFAULT_CONFIG = {
     CORS_OPTIONS: {
         origin: "*",
         methods: ["GET", "POST", "PUT", "DELETE"]
+    },
+    MONGODB_ENCRYPTION_CONFIG: {
+        keyVaultDb: "encryption",
+        keyVaultCollection: "__keyVault"
     }
 };
 exports.API_VERSION = `/api/client/${exports.DEFAULT_CONFIG.API_VERSION}`;
@@ -89,3 +93,9 @@ exports.S3_CONFIG = {
     ACCESS_KEY_ID: process.env.S3_ACCESS_KEY_ID,
     SECRET_ACCESS_KEY: process.env.S3_SECRET_ACCESS_KEY
 };
+/**
+ * Name of the MongoDB client to use for change streams.
+ * This may be a separate instance because streams do not work
+ * when the main client has auto encryption enabled.
+ */
+exports.CHANGESTREAM = "changestream";

package/dist/features/encryption/interface.d.ts

@@ -0,0 +1,36 @@
+import type { UUID } from "mongodb";
+export type EncryptionSchemaProperty = EncryptionSchema | {
+    encrypt: {
+        algorithm: string;
+        bsonType: string;
+        keyAlias?: string;
+    };
+};
+export type EncryptionSchema = {
+    bsonType: "object";
+    properties: Record<string, EncryptionSchemaProperty>;
+    encryptMetadata?: {
+        keyAlias: string;
+    };
+};
+export type MappedEncryptionSchemaProperty = MappedEncryptionSchema | {
+    encrypt: {
+        algorithm: string;
+        bsonType: string;
+        keyId?: [UUID];
+    };
+};
+export type MappedEncryptionSchema = {
+    bsonType: "object";
+    properties: Record<string, MappedEncryptionSchemaProperty>;
+    encryptMetadata?: {
+        keyId: [UUID];
+    };
+};
+export type EncryptionSchemaFile = {
+    database: string;
+    collection: string;
+    schema: EncryptionSchema;
+};
+export type EncryptionSchemas = Record<string, EncryptionSchema>;
+//# sourceMappingURL=interface.d.ts.map

package/dist/features/encryption/interface.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"interface.d.ts","sourceRoot":"","sources":["../../../src/features/encryption/interface.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,SAAS,CAAA;AAEnC,MAAM,MAAM,wBAAwB,GAChC,gBAAgB,GAChB;IACA,OAAO,EAAE;QACP,SAAS,EAAE,MAAM,CAAA;QACjB,QAAQ,EAAE,MAAM,CAAA;QAChB,QAAQ,CAAC,EAAE,MAAM,CAAA;KAClB,CAAA;CACF,CAAA;AAEH,MAAM,MAAM,gBAAgB,GAAG;IAC7B,QAAQ,EAAE,QAAQ,CAAA;IAClB,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,wBAAwB,CAAC,CAAA;IACpD,eAAe,CAAC,EAAE;QAChB,QAAQ,EAAE,MAAM,CAAA;KACjB,CAAC;CACH,CAAA;AAGD,MAAM,MAAM,8BAA8B,GACtC,sBAAsB,GACtB;IACA,OAAO,EAAE;QACP,SAAS,EAAE,MAAM,CAAA;QACjB,QAAQ,EAAE,MAAM,CAAA;QAChB,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,CAAA;KACf,CAAA;CACF,CAAA;AAEH,MAAM,MAAM,sBAAsB,GAAG;IACnC,QAAQ,EAAE,QAAQ,CAAA;IAClB,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,8BAA8B,CAAC,CAAA;IAC1D,eAAe,CAAC,EAAE;QAChB,KAAK,EAAE,CAAC,IAAI,CAAC,CAAA;KACd,CAAC;CACH,CAAA;AAED,MAAM,MAAM,oBAAoB,GAAG;IACjC,QAAQ,EAAE,MAAM,CAAA;IAChB,UAAU,EAAE,MAAM,CAAA;IAClB,MAAM,EAAE,gBAAgB,CAAA;CACzB,CAAA;AAED,MAAM,MAAM,iBAAiB,GAAG,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAAA"}

package/dist/features/encryption/interface.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/features/encryption/utils.d.ts

@@ -0,0 +1,9 @@
+import { EncryptionSchemas } from "./interface";
+/**
+ * @experimental
+ * Schemas used for Client-Side Level Encryption configuration.
+ *
+ * **Important:** These schemas do not perform JSON validation.
+ */
+export declare const loadEncryptionSchemas: (rootDir?: string) => Promise<EncryptionSchemas>;
+//# sourceMappingURL=utils.d.ts.map

package/dist/features/encryption/utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../../src/features/encryption/utils.ts"],"names":[],"mappings":"AAEA,OAAO,EAAwB,iBAAiB,EAAE,MAAM,aAAa,CAAA;AAErE;;;;;GAKG;AACH,eAAO,MAAM,qBAAqB,GAAU,gBAAuB,KAAG,OAAO,CAAC,iBAAiB,CAW9F,CAAA"}

package/dist/features/encryption/utils.js

@@ -0,0 +1,34 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadEncryptionSchemas = void 0;
+const node_path_1 = __importDefault(require("node:path"));
+const utils_1 = require("../../utils");
+/**
+ * @experimental
+ * Schemas used for Client-Side Level Encryption configuration.
+ *
+ * **Important:** These schemas do not perform JSON validation.
+ */
+const loadEncryptionSchemas = (...args_1) => __awaiter(void 0, [...args_1], void 0, function* (rootDir = process.cwd()) {
+    const schemasRoot = node_path_1.default.join(rootDir, 'data_sources', 'mongodb-atlas');
+    const files = (0, utils_1.recursivelyCollectFiles)(schemasRoot);
+    const schemaFiles = files.filter((x) => x.endsWith('encryption.json'));
+    return schemaFiles.reduce((acc, filePath) => {
+        const { collection, database, schema } = (0, utils_1.readJsonContent)(filePath);
+        acc[`${database}.${collection}`] = schema;
+        return acc;
+    }, {});
+});
+exports.loadEncryptionSchemas = loadEncryptionSchemas;

package/dist/features/endpoints/utils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../../src/features/endpoints/utils.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,eAAe,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,SAAS,CAAA;AAKvE,OAAO,EAAE,SAAS,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAA;AAE9D;;;GAGG;AACH,eAAO,MAAM,aAAa,GAAU,gBAAuB,KAAG,OAAO,CAAC,SAAS,CA+B9E,CAAA;AAED;;;;;;GAMG;AACH,eAAO,MAAM,gBAAgB,GAC3B,KAAK,eAAe,EACpB,SAAS,UAAU,CAAC,OAAO,eAAe,CAAC,EAC3C,UAAU,MAAM;;;;;;;CAkDhB,CAAA;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,eAAe,GAAI,kEAM7B,qBAAqB,MACR,KAAK,cAAc,EAAE,KAAK,YAAY,gBA6CrD,CAAA"}
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../../src/features/endpoints/utils.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,eAAe,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,SAAS,CAAA;AAKvE,OAAO,EAAE,SAAS,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAA;AAE9D;;;GAGG;AACH,eAAO,MAAM,aAAa,GAAU,gBAAuB,KAAG,OAAO,CAAC,SAAS,CA+B9E,CAAA;AAED;;;;;;GAMG;AACH,eAAO,MAAM,gBAAgB,GAC3B,KAAK,eAAe,EACpB,SAAS,UAAU,CAAC,OAAO,eAAe,CAAC,EAC3C,UAAU,MAAM;;;;;;;CAkDhB,CAAA;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,eAAe,GAAI,kEAM7B,qBAAqB,MACR,KAAK,cAAc,EAAE,KAAK,YAAY,gBAgDrD,CAAA"}

package/dist/features/endpoints/utils.js

@@ -135,6 +135,9 @@ const generateHandler = ({ app, currentFunction, functionName, functionsList, ru
                 setStatusCode: (code) => {
                     res.status(code);
                 },
+                setHeader: (name, value) => {
+                    res.header(name, value);
+                },
                 setBody: (body) => {
                     customResponseBody.data = body;
                 }

package/dist/features/functions/controller.d.ts

@@ -1,6 +1,8 @@
+import type { Document } from 'mongodb';
 import { FunctionController } from './interface';
 export declare const mapWatchFilterToChangeStreamMatch: (value: unknown) => unknown;
 export declare const mapWatchFilterToDocumentQuery: (value: unknown) => unknown;
+export declare const shouldSkipReadabilityLookupForChange: (change: Document) => boolean;
 /**
  * > Creates a pre handler for every query
  * @param app -> the fastify instance

package/dist/features/functions/controller.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"controller.d.ts","sourceRoot":"","sources":["../../../src/features/functions/controller.ts"],"names":[],"mappings":"AAOA,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAA;AAmHhD,eAAO,MAAM,iCAAiC,GAAI,OAAO,OAAO,KAAG,OA0BlE,CAAA;AAID,eAAO,MAAM,6BAA6B,GAAI,OAAO,OAAO,KAAG,OAgD9D,CAAA;AAqHD;;;;;GAKG;AACH,eAAO,MAAM,mBAAmB,EAAE,kBAoRjC,CAAA"}
+{"version":3,"file":"controller.d.ts","sourceRoot":"","sources":["../../../src/features/functions/controller.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAA;AAIvC,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAA;AAmHhD,eAAO,MAAM,iCAAiC,GAAI,OAAO,OAAO,KAAG,OA0BlE,CAAA;AAID,eAAO,MAAM,6BAA6B,GAAI,OAAO,OAAO,KAAG,OAgD9D,CAAA;AAqHD,eAAO,MAAM,oCAAoC,GAAI,QAAQ,QAAQ,YAClC,CAAA;AAEnC;;;;;GAKG;AACH,eAAO,MAAM,mBAAmB,EAAE,kBAyRjC,CAAA"}

package/dist/features/functions/controller.js

@@ -20,7 +20,7 @@ var __rest = (this && this.__rest) || function (s, e) {
     return t;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.functionsController = exports.mapWatchFilterToDocumentQuery = exports.mapWatchFilterToChangeStreamMatch = void 0;
+exports.functionsController = exports.shouldSkipReadabilityLookupForChange = exports.mapWatchFilterToDocumentQuery = exports.mapWatchFilterToChangeStreamMatch = void 0;
 const bson_1 = require("bson");
 const services_1 = require("../../services");
 const context_1 = require("../../utils/context");
@@ -262,6 +262,8 @@ const isReadableDocumentResult = (value) => !!value &&
     typeof value === 'object' &&
     !Array.isArray(value) &&
     Object.keys(value).length > 0;
+const shouldSkipReadabilityLookupForChange = (change) => change.operationType === 'delete';
+exports.shouldSkipReadabilityLookupForChange = shouldSkipReadabilityLookupForChange;
 /**
  * > Creates a pre handler for every query
  * @param app -> the fastify instance
@@ -431,6 +433,10 @@ const functionsController = (app_1, _a) => __awaiter(void 0, [app_1, _a], void 0
                     const docId = (_b = (_a = change === null || change === void 0 ? void 0 : change.documentKey) === null || _a === void 0 ? void 0 : _a._id) !== null && _b !== void 0 ? _b : (_c = change === null || change === void 0 ? void 0 : change.fullDocument) === null || _c === void 0 ? void 0 : _c._id;
                     if (typeof docId === 'undefined')
                         return;
+                    if ((0, exports.shouldSkipReadabilityLookupForChange)(change)) {
+                        subscriberRes.write(`data: ${serializeEjson(change)}\n\n`);
+                        return;
+                    }
                     const readQuery = subscriber.documentFilter
                         ? { $and: [subscriber.documentFilter, { _id: docId }] }
                         : { _id: docId };