@flowerforce/flowerbase 1.7.6-beta.1 → 1.7.6-beta.10

package/src/auth/providers/custom-function/controller.ts

@@ -128,15 +128,20 @@ export async function customFunctionController(app: FastifyInstance) {
           ...(user || {})
         }
       }
+      const now = new Date()
       const refreshToken = this.createRefreshToken(currentUserData)
       const refreshTokenHash = hashToken(refreshToken)
       await authDb.collection(refreshTokensCollection).insertOne({
         userId: authUser._id,
         tokenHash: refreshTokenHash,
-        createdAt: new Date(),
+        createdAt: now,
         expiresAt: new Date(Date.now() + refreshTokenTtlMs),
         revokedAt: null
       })
+      await authDb.collection(authCollection!).updateOne(
+        { _id: authUser._id },
+        { $set: { lastLoginAt: now } }
+      )
       return {
         access_token: this.createAccessToken(currentUserData),
         refresh_token: refreshToken,

package/src/auth/providers/local-userpass/__tests__/controller.test.ts

@@ -0,0 +1,200 @@
+jest.mock('../../../../constants', () => ({
+  AUTH_CONFIG: {
+    authCollection: 'auth_users',
+    refreshTokensCollection: 'refresh_tokens',
+    resetPasswordCollection: 'reset_password_requests',
+    userCollection: 'users',
+    user_id_field: 'id',
+    authProviders: {
+      'local-userpass': {
+        disabled: false
+      }
+    },
+    resetPasswordConfig: {
+      runResetFunction: true,
+      resetFunctionName: 'customReset'
+    }
+  },
+  AUTH_DB_NAME: 'test-auth-db',
+  DB_NAME: 'test-db',
+  DEFAULT_CONFIG: {
+    RESET_PASSWORD_TTL_SECONDS: 3600,
+    AUTH_RATE_LIMIT_WINDOW_MS: 60000,
+    AUTH_LOGIN_MAX_ATTEMPTS: 5,
+    AUTH_REGISTER_MAX_ATTEMPTS: 5,
+    AUTH_RESET_MAX_ATTEMPTS: 5,
+    REFRESH_TOKEN_TTL_DAYS: 1
+  }
+}))
+
+jest.mock('../../../../state', () => ({
+  StateManager: {
+    select: jest.fn((key: string) => {
+      if (key === 'functions') {
+        return {
+          customReset: { name: 'customReset', code: 'exports = async () => ({ status: "success" })' }
+        }
+      }
+      if (key === 'services') {
+        return {}
+      }
+      return {}
+    })
+  }
+}))
+
+jest.mock('../../../../utils/context', () => ({
+  GenerateContext: jest.fn()
+}))
+
+jest.mock('../../../../utils/crypto', () => ({
+  comparePassword: jest.fn(),
+  generateToken: jest.fn(() => 'generated-token'),
+  hashPassword: jest.fn(async (password: string) => `hashed:${password}`),
+  hashToken: jest.fn(() => 'hashed-token')
+}))
+
+import { AUTH_ERRORS } from '../../../utils'
+import { localUserPassController } from '../controller'
+import { GenerateContext } from '../../../../utils/context'
+import { hashPassword } from '../../../../utils/crypto'
+
+describe('localUserPassController reset call', () => {
+  const buildApp = () => {
+    let resetCallHandler:
+      | ((req: { body: { email: string; password: string; arguments?: unknown[] }; ip: string }, res: { status: jest.Mock }) => Promise<unknown>)
+      | undefined
+
+    const authUsersCollection = {
+      findOne: jest.fn().mockResolvedValue({
+        _id: 'auth-user-1',
+        email: 'john@doe.com',
+        password: 'old-hash'
+      }),
+      updateOne: jest.fn().mockResolvedValue({ acknowledged: true })
+    }
+    const resetCollection = {
+      createIndex: jest.fn().mockResolvedValue('ok'),
+      updateOne: jest.fn().mockResolvedValue({ acknowledged: true }),
+      deleteOne: jest.fn().mockResolvedValue({ acknowledged: true }),
+      findOne: jest.fn()
+    }
+    const refreshCollection = {
+      createIndex: jest.fn().mockResolvedValue('ok'),
+      insertOne: jest.fn()
+    }
+    const usersCollection = {
+      findOne: jest.fn()
+    }
+    const db = {
+      collection: jest.fn((name: string) => {
+        if (name === 'auth_users') return authUsersCollection
+        if (name === 'reset_password_requests') return resetCollection
+        if (name === 'refresh_tokens') return refreshCollection
+        if (name === 'users') return usersCollection
+        return {}
+      })
+    }
+    const app = {
+      mongo: { client: { db: jest.fn().mockReturnValue(db) } },
+      post: jest.fn((path: string, _opts: unknown, handler: typeof resetCallHandler) => {
+        if (path === '/reset/call') {
+          resetCallHandler = handler
+        }
+      })
+    }
+
+    return { app, authUsersCollection, resetCollection, resetCallHandlerRef: () => resetCallHandler }
+  }
+
+  beforeEach(() => {
+    jest.clearAllMocks()
+  })
+
+  it('hashes and applies the password when the custom reset function returns success', async () => {
+    ;(GenerateContext as jest.Mock).mockResolvedValue({ status: 'success' })
+    const { app, authUsersCollection, resetCollection, resetCallHandlerRef } = buildApp()
+
+    await localUserPassController(app as never)
+
+    const res = { status: jest.fn() }
+    const result = await resetCallHandlerRef()?.(
+      {
+        body: { email: 'john@doe.com', password: 'new-secret', arguments: ['extra'] },
+        ip: '127.0.0.1'
+      },
+      res
+    )
+
+    expect(GenerateContext).toHaveBeenCalledWith(expect.objectContaining({
+      args: [
+        {
+          token: 'generated-token',
+          tokenId: 'generated-token',
+          email: 'john@doe.com',
+          password: 'new-secret',
+          username: 'john@doe.com'
+        },
+        'extra'
+      ],
+      runAsSystem: true
+    }))
+    expect(hashPassword).toHaveBeenCalledWith('new-secret')
+    expect(authUsersCollection.updateOne).toHaveBeenCalledWith(
+      { email: 'john@doe.com' },
+      { $set: { password: 'hashed:new-secret' } }
+    )
+    expect(resetCollection.deleteOne).toHaveBeenCalledWith({ email: 'john@doe.com' })
+    expect(res.status).toHaveBeenCalledWith(202)
+    expect(result).toEqual({ status: 'success' })
+  })
+
+  it('returns pending without changing the password when the custom reset function returns pending', async () => {
+    ;(GenerateContext as jest.Mock).mockResolvedValue({ status: 'pending' })
+    const { app, authUsersCollection, resetCollection, resetCallHandlerRef } = buildApp()
+
+    await localUserPassController(app as never)
+
+    const res = { status: jest.fn() }
+    const result = await resetCallHandlerRef()?.(
+      {
+        body: { email: 'john@doe.com', password: 'new-secret' },
+        ip: '127.0.0.1'
+      },
+      res
+    )
+
+    expect(hashPassword).not.toHaveBeenCalled()
+    expect(authUsersCollection.updateOne).not.toHaveBeenCalledWith(
+      { email: 'john@doe.com' },
+      expect.objectContaining({ $set: { password: expect.any(String) } })
+    )
+    expect(resetCollection.deleteOne).not.toHaveBeenCalled()
+    expect(res.status).toHaveBeenCalledWith(202)
+    expect(result).toEqual({ status: 'pending' })
+  })
+
+  it('rejects the request when the custom reset function returns fail', async () => {
+    ;(GenerateContext as jest.Mock).mockResolvedValue({ status: 'fail' })
+    const { app, authUsersCollection, resetCollection, resetCallHandlerRef } = buildApp()
+
+    await localUserPassController(app as never)
+
+    const res = { status: jest.fn() }
+
+    await expect(
+      resetCallHandlerRef()?.(
+        {
+          body: { email: 'john@doe.com', password: 'new-secret' },
+          ip: '127.0.0.1'
+        },
+        res
+      )
+    ).rejects.toThrow(AUTH_ERRORS.INVALID_RESET_PARAMS)
+
+    expect(hashPassword).not.toHaveBeenCalled()
+    expect(authUsersCollection.updateOne).not.toHaveBeenCalled()
+    expect(resetCollection.deleteOne).not.toHaveBeenCalled()
+    expect(res.status).not.toHaveBeenCalled()
+  })
+})

package/src/auth/providers/local-userpass/controller.ts

@@ -5,7 +5,12 @@ import handleUserRegistration from '../../../shared/handleUserRegistration'
 import { PROVIDER } from '../../../shared/models/handleUserRegistration.model'
 import { StateManager } from '../../../state'
 import { GenerateContext } from '../../../utils/context'
-import { comparePassword, generateToken, hashPassword, hashToken } from '../../../utils/crypto'
+import {
+  comparePassword,
+  generateToken,
+  hashPassword,
+  hashToken
+} from '../../../utils/crypto'
 import {
   AUTH_ENDPOINTS,
   AUTH_ERRORS,
@@ -27,6 +32,8 @@ import {
 
 const rateLimitStore = new Map<string, number[]>()
 
+type ResetFunctionResult = { status?: 'success' | 'pending' | 'fail' }
+
 const isRateLimited = (key: string, maxAttempts: number, windowMs: number) => {
   const now = Date.now()
   const existing = rateLimitStore.get(key) ?? []
@@ -53,21 +60,23 @@ export async function localUserPassController(app: FastifyInstance) {
   const resetMaxAttempts = DEFAULT_CONFIG.AUTH_RESET_MAX_ATTEMPTS
   const refreshTokenTtlMs = DEFAULT_CONFIG.REFRESH_TOKEN_TTL_DAYS * 24 * 60 * 60 * 1000
   const resolveLocalUserpassProvider = () => AUTH_CONFIG.authProviders?.['local-userpass']
+  const invalidPasswordError = {
+    error: 'unauthorized',
+    error_code: 'InvalidPassword'
+  } as const
 
   try {
-    await authDb.collection(resetPasswordCollection).createIndex(
-      { createdAt: 1 },
-      { expireAfterSeconds: resetPasswordTtlSeconds }
-    )
+    await authDb
+      .collection(resetPasswordCollection)
+      .createIndex({ createdAt: 1 }, { expireAfterSeconds: resetPasswordTtlSeconds })
   } catch (error) {
     console.error('Failed to ensure reset password TTL index', error)
   }
 
   try {
-    await authDb.collection(refreshTokensCollection).createIndex(
-      { expiresAt: 1 },
-      { expireAfterSeconds: 0 }
-    )
+    await authDb
+      .collection(refreshTokensCollection)
+      .createIndex({ expiresAt: 1 }, { expireAfterSeconds: 0 })
   } catch (error) {
     console.error('Failed to ensure refresh token TTL index', error)
   }
@@ -105,8 +114,10 @@ export async function localUserPassController(app: FastifyInstance) {
       const services = StateManager.select('services')
       const currentFunction = functionsList[resetPasswordConfig.resetFunctionName]
       const baseArgs = { token, tokenId, email, password, username: email }
-      const args = Array.isArray(extraArguments) ? [baseArgs, ...extraArguments] : [baseArgs]
-      await GenerateContext({
+      const args = Array.isArray(extraArguments)
+        ? [baseArgs, ...extraArguments]
+        : [baseArgs]
+      const response = (await GenerateContext({
         args,
         app,
         rules: {},
@@ -114,11 +125,41 @@ export async function localUserPassController(app: FastifyInstance) {
         currentFunction,
         functionName: resetPasswordConfig.resetFunctionName,
         functionsList,
-        services
-      })
-      return
+        services,
+        runAsSystem: true
+      })) as ResetFunctionResult
+      const resetStatus = response?.status
+
+      if (resetStatus === 'success') {
+        if (!password) {
+          throw new Error(AUTH_ERRORS.INVALID_RESET_FUNCTION_RESPONSE)
+        }
+
+        const hashedPassword = await hashPassword(password)
+        await authDb.collection(authCollection!).updateOne(
+          { email },
+          {
+            $set: {
+              password: hashedPassword
+            }
+          }
+        )
+        await authDb?.collection(resetPasswordCollection).deleteOne({ email })
+        return { status: 'success' as const }
+      }
+
+      if (resetStatus === 'pending') {
+        return { status: 'pending' as const }
+      }
+
+      if (resetStatus === 'fail') {
+        throw new Error(AUTH_ERRORS.INVALID_RESET_PARAMS)
+      }
+
+      throw new Error(AUTH_ERRORS.INVALID_RESET_FUNCTION_RESPONSE)
     }
 
+    return { status: 'pending' as const }
   }
 
   /**
@@ -147,12 +188,18 @@ export async function localUserPassController(app: FastifyInstance) {
 
       let result
       try {
-        result = await handleUserRegistration(app, { run_as_system: true, provider: PROVIDER.LOCAL_USERPASS })({
+        result = await handleUserRegistration(app, {
+          run_as_system: true,
+          provider: PROVIDER.LOCAL_USERPASS
+        })({
           email: req.body.email.toLowerCase(),
           password: req.body.password
         })
       } catch (error) {
-        if (error instanceof Error && error.message === 'This email address is already used') {
+        if (
+          error instanceof Error &&
+          error.message === 'This email address is already used'
+        ) {
           res.status(409).send({
             error: 'name already in use',
             error_code: 'AccountNameInUse'
@@ -195,10 +242,10 @@ export async function localUserPassController(app: FastifyInstance) {
         return
       }
 
-      const existing = await authDb.collection(authCollection!).findOne({
+      const existing = (await authDb.collection(authCollection!).findOne({
         confirmationToken: req.body.token,
         confirmationTokenId: req.body.tokenId
-      }) as { _id: ObjectId; status?: string } | null
+      })) as { _id: ObjectId; status?: string } | null
 
       if (!existing) {
         res.status(500)
@@ -247,23 +294,22 @@ export async function localUserPassController(app: FastifyInstance) {
       })
 
       if (!authUser) {
-        throw new Error(AUTH_ERRORS.INVALID_CREDENTIALS)
+        res.status(401)
+        return invalidPasswordError
       }
 
-      const passwordMatches = await comparePassword(
-        req.body.password,
-        authUser.password
-      )
+      const passwordMatches = await comparePassword(req.body.password, authUser.password)
 
       if (!passwordMatches) {
-        throw new Error(AUTH_ERRORS.INVALID_CREDENTIALS)
+        res.status(401)
+        return invalidPasswordError
       }
 
       const user =
         user_id_field && userCollection
           ? await customUserDb
-            .collection(userCollection)
-            .findOne({ [user_id_field]: authUser._id.toString() })
+              .collection(userCollection)
+              .findOne({ [user_id_field]: authUser._id.toString() })
           : {}
       delete authUser?.password
 
@@ -283,15 +329,19 @@ export async function localUserPassController(app: FastifyInstance) {
         throw new Error(AUTH_ERRORS.USER_NOT_CONFIRMED)
       }
 
+      const now = new Date()
       const refreshToken = this.createRefreshToken(userWithCustomData)
       const refreshTokenHash = hashToken(refreshToken)
       await authDb.collection(refreshTokensCollection).insertOne({
         userId: authUser._id,
         tokenHash: refreshTokenHash,
-        createdAt: new Date(),
+        createdAt: now,
         expiresAt: new Date(Date.now() + refreshTokenTtlMs),
         revokedAt: null
       })
+      await authDb
+        .collection(authCollection!)
+        .updateOne({ _id: authUser._id }, { $set: { lastLoginAt: now } })
 
       return {
         access_token: this.createAccessToken(userWithCustomData),
@@ -347,15 +397,13 @@ export async function localUserPassController(app: FastifyInstance) {
         res.status(429)
         return { message: 'Too many requests' }
       }
-      await handleResetPasswordRequest(
+      const result = await handleResetPasswordRequest(
         req.body.email,
         req.body.password,
         req.body.arguments
       )
       res.status(202)
-      return {
-        status: 'ok'
-      }
+      return result
     }
   )
 
@@ -392,12 +440,15 @@ export async function localUserPassController(app: FastifyInstance) {
       }
 
       const createdAt = resetRequest.createdAt ? new Date(resetRequest.createdAt) : null
-      const isExpired = !createdAt ||
+      const isExpired =
+        !createdAt ||
         Number.isNaN(createdAt.getTime()) ||
         Date.now() - createdAt.getTime() > resetPasswordTtlSeconds * 1000
 
       if (isExpired) {
-        await authDb?.collection(resetPasswordCollection).deleteOne({ _id: resetRequest._id })
+        await authDb
+          ?.collection(resetPasswordCollection)
+          .deleteOne({ _id: resetRequest._id })
         throw new Error(AUTH_ERRORS.INVALID_RESET_PARAMS)
       }
       const hashedPassword = await hashPassword(password)
@@ -410,7 +461,9 @@ export async function localUserPassController(app: FastifyInstance) {
         }
       )
 
-      await authDb?.collection(resetPasswordCollection).deleteOne({ _id: resetRequest._id })
+      await authDb
+        ?.collection(resetPasswordCollection)
+        .deleteOne({ _id: resetRequest._id })
     }
   )
 }

package/src/auth/providers/local-userpass/dtos.ts

@@ -19,13 +19,18 @@ export type ErrorResponseDto = {
   message: string
 }
 
+export type InvalidPasswordResponseDto = {
+  error: 'unauthorized'
+  error_code: 'InvalidPassword'
+}
+
 export interface RegistrationDto {
   Body: RegisterUserDto
 }
 
 export interface LoginDto {
   Body: LoginUserDto
-  Reply: LoginSuccessDto | ErrorResponseDto
+  Reply: LoginSuccessDto | ErrorResponseDto | InvalidPasswordResponseDto
 }
 
 export interface ResetPasswordSendDto {

package/src/auth/utils.ts

@@ -117,6 +117,7 @@ export enum AUTH_ERRORS {
   INVALID_TOKEN = 'Invalid refresh token provided',
   INVALID_RESET_PARAMS = 'Invalid token or tokenId provided',
   MISSING_RESET_FUNCTION = 'Missing reset function',
+  INVALID_RESET_FUNCTION_RESPONSE = 'Invalid reset function response',
   USER_NOT_CONFIRMED = 'User not confirmed'
 }
 

package/src/features/endpoints/__tests__/utils.test.ts

@@ -0,0 +1,65 @@
+import { GenerateContext } from '../../../utils/context'
+import { generateHandler } from '../utils'
+
+jest.mock('../../../utils/context', () => ({
+  GenerateContext: jest.fn()
+}))
+
+const mockedGenerateContext = jest.mocked(GenerateContext)
+
+describe('generateHandler', () => {
+  beforeEach(() => {
+    mockedGenerateContext.mockReset()
+  })
+
+  it('allows endpoint functions to set custom response headers', async () => {
+    mockedGenerateContext.mockImplementation(async ({ args }) => {
+      const [, response] = args as [
+        { body: { text: () => string; rawBody: Buffer | string | undefined } },
+        {
+          setStatusCode: (code: number) => void
+          setHeader: (name: string, value: string | number | readonly string[]) => void
+          setBody: (body: unknown) => void
+        }
+      ]
+
+      response.setStatusCode(201)
+      response.setHeader('Content-Type', 'application/json')
+      response.setHeader('Cache-Control', 'no-store')
+      response.setBody(JSON.stringify({ ok: true }))
+
+      return { ignored: true }
+    })
+
+    const handler = generateHandler({
+      app: {} as any,
+      currentFunction: { code: 'module.exports = function () {}' } as any,
+      functionName: 'endpointHandler',
+      functionsList: {
+        endpointHandler: { code: 'module.exports = function () {}' }
+      } as any,
+      http_method: 'POST',
+      rulesList: {} as any
+    })
+
+    const res = {
+      status: jest.fn(),
+      header: jest.fn(),
+      send: jest.fn((body) => body)
+    } as any
+
+    const response = await handler({
+      body: { hello: 'world' },
+      headers: { accept: 'application/json' },
+      query: { page: '1' },
+      rawBody: '{"hello":"world"}',
+      user: { id: 'user-1' }
+    } as any, res)
+
+    expect(res.status).toHaveBeenCalledWith(201)
+    expect(res.header).toHaveBeenCalledWith('Content-Type', 'application/json')
+    expect(res.header).toHaveBeenCalledWith('Cache-Control', 'no-store')
+    expect(res.send).toHaveBeenCalledWith(JSON.stringify({ ok: true }))
+    expect(response).toBe(JSON.stringify({ ok: true }))
+  })
+})

package/src/features/endpoints/utils.ts

@@ -138,6 +138,9 @@ export const generateHandler = ({
         setStatusCode: (code: number) => {
           res.status(code)
         },
+        setHeader: (name: string, value: string | number | readonly string[]) => {
+          res.header(name, value)
+        },
         setBody: (body: unknown) => {
           customResponseBody.data = body
         }

package/src/features/functions/__tests__/watch-filter.test.ts

@@ -1,5 +1,9 @@
 import { ObjectId } from 'mongodb'
-import { mapWatchFilterToChangeStreamMatch, mapWatchFilterToDocumentQuery } from '../controller'
+import {
+  mapWatchFilterToChangeStreamMatch,
+  mapWatchFilterToDocumentQuery,
+  shouldSkipReadabilityLookupForChange
+} from '../controller'
 
 describe('watch filter mapping', () => {
   it('keeps change-event fields untouched and prefixes only document fields', () => {
@@ -113,4 +117,10 @@ describe('watch filter mapping', () => {
     expect(documentQuery._id).toEqual(id)
     expect(documentQuery.operationType).toBeUndefined()
   })
+
+  it('skips readability lookup only for delete change events', () => {
+    expect(shouldSkipReadabilityLookupForChange({ operationType: 'delete' } as any)).toBe(true)
+    expect(shouldSkipReadabilityLookupForChange({ operationType: 'update' } as any)).toBe(false)
+    expect(shouldSkipReadabilityLookupForChange({ operationType: 'insert' } as any)).toBe(false)
+  })
 })

package/src/features/functions/controller.ts

@@ -315,6 +315,9 @@ const isReadableDocumentResult = (value: unknown) =>
   !Array.isArray(value) &&
   Object.keys(value as Record<string, unknown>).length > 0
 
+export const shouldSkipReadabilityLookupForChange = (change: Document) =>
+  change.operationType === 'delete'
+
 /**
  * > Creates a pre handler for every query
  * @param app -> the fastify instance
@@ -524,6 +527,11 @@ export const functionsController: FunctionController = async (
             (change as { fullDocument?: { _id?: unknown } })?.fullDocument?._id
           if (typeof docId === 'undefined') return
 
+          if (shouldSkipReadabilityLookupForChange(change)) {
+            subscriberRes.write(`data: ${serializeEjson(change)}\n\n`)
+            return
+          }
+
           const readQuery = subscriber.documentFilter
             ? ({ $and: [subscriber.documentFilter, { _id: docId }] } as Document)
             : ({ _id: docId } as Document)

package/src/features/rules/interface.ts

@@ -1,4 +1,6 @@
 import { Document } from 'mongodb'
+export type PermissionExpression = boolean | Record<string, unknown>
+
 export interface Filter {
   name: string
   query: Record<string, unknown>
@@ -9,11 +11,11 @@ export type Projection = Record<string, 0 | 1>
 export interface Role {
   name: string
   apply_when: Record<string, unknown>
-  insert: boolean
-  delete: boolean
-  search: boolean
-  read: boolean
-  write: boolean
+  insert: PermissionExpression
+  delete: PermissionExpression
+  search: PermissionExpression
+  read: PermissionExpression
+  write: PermissionExpression
 }
 
 export interface RulesConfig {
@@ -21,7 +23,6 @@ export interface RulesConfig {
   collection: string
   filters: Filter[]
   roles: Role[]
-
 }
 
 export type Rules = Record<string, RulesConfig>
@@ -38,21 +39,21 @@ export type AggregationPipelineStage =
   | { $unionWith: UnionWithStage }
 
 export interface LookupStage {
-  from: string;
-  localField?: string;
-  foreignField?: string;
-  as: string;
-  let?: Record<string, unknown>;
-  pipeline?: AggregationPipelineStage[];
+  from: string
+  localField?: string
+  foreignField?: string
+  as: string
+  let?: Record<string, unknown>
+  pipeline?: AggregationPipelineStage[]
 }
 
 export type AggregationPipeline = Document[]
 
 export type UnionWithStage = string | UnionWithNestedStage
-type UnionWithNestedStage = { coll: string, pipeline: AggregationPipelineStage[] }
+type UnionWithNestedStage = { coll: string; pipeline: AggregationPipelineStage[] }
 
 export enum STAGES_TO_SEARCH {
-  LOOKUP = "$lookup",
-  UNION_WITH = "$unionWith",
-  FACET = "$facet"
-}
+  LOOKUP = '$lookup',
+  UNION_WITH = '$unionWith',
+  FACET = '$facet'
+}