@flowerforce/flowerbase 1.7.6-beta.4 → 1.7.6-beta.6

package/dist/auth/providers/local-userpass/controller.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"controller.d.ts","sourceRoot":"","sources":["../../../../src/auth/providers/local-userpass/controller.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAA;AAqCzC;;;;GAIG;AACH,wBAAsB,uBAAuB,CAAC,GAAG,EAAE,eAAe,iBA0XjE"}
+{"version":3,"file":"controller.d.ts","sourceRoot":"","sources":["../../../../src/auth/providers/local-userpass/controller.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAA;AAuCzC;;;;GAIG;AACH,wBAAsB,uBAAuB,CAAC,GAAG,EAAE,eAAe,iBAsZjE"}

package/dist/auth/providers/local-userpass/controller.js

@@ -81,7 +81,7 @@ function localUserPassController(app) {
                 const currentFunction = functionsList[resetPasswordConfig.resetFunctionName];
                 const baseArgs = { token, tokenId, email, password, username: email };
                 const args = Array.isArray(extraArguments) ? [baseArgs, ...extraArguments] : [baseArgs];
-                yield (0, context_1.GenerateContext)({
+                const response = yield (0, context_1.GenerateContext)({
                     args,
                     app,
                     rules: {},
@@ -89,10 +89,32 @@ function localUserPassController(app) {
                     currentFunction,
                     functionName: resetPasswordConfig.resetFunctionName,
                     functionsList,
-                    services
+                    services,
+                    runAsSystem: true
                 });
-                return;
+                const resetStatus = response === null || response === void 0 ? void 0 : response.status;
+                if (resetStatus === 'success') {
+                    if (!password) {
+                        throw new Error(utils_1.AUTH_ERRORS.INVALID_RESET_FUNCTION_RESPONSE);
+                    }
+                    const hashedPassword = yield (0, crypto_1.hashPassword)(password);
+                    yield authDb.collection(authCollection).updateOne({ email }, {
+                        $set: {
+                            password: hashedPassword
+                        }
+                    });
+                    yield (authDb === null || authDb === void 0 ? void 0 : authDb.collection(resetPasswordCollection).deleteOne({ email }));
+                    return { status: 'success' };
+                }
+                if (resetStatus === 'pending') {
+                    return { status: 'pending' };
+                }
+                if (resetStatus === 'fail') {
+                    throw new Error(utils_1.AUTH_ERRORS.INVALID_RESET_PARAMS);
+                }
+                throw new Error(utils_1.AUTH_ERRORS.INVALID_RESET_FUNCTION_RESPONSE);
             }
+            return { status: 'pending' };
         });
         /**
          * Endpoint for user registration.
@@ -273,11 +295,9 @@ function localUserPassController(app) {
                     res.status(429);
                     return { message: 'Too many requests' };
                 }
-                yield handleResetPasswordRequest(req.body.email, req.body.password, req.body.arguments);
+                const result = yield handleResetPasswordRequest(req.body.email, req.body.password, req.body.arguments);
                 res.status(202);
-                return {
-                    status: 'ok'
-                };
+                return result;
             });
         });
         /**

package/dist/auth/utils.d.ts

@@ -146,6 +146,7 @@ export declare enum AUTH_ERRORS {
     INVALID_TOKEN = "Invalid refresh token provided",
     INVALID_RESET_PARAMS = "Invalid token or tokenId provided",
     MISSING_RESET_FUNCTION = "Missing reset function",
+    INVALID_RESET_FUNCTION_RESPONSE = "Invalid reset function response",
     USER_NOT_CONFIRMED = "User not confirmed"
 }
 export interface AuthConfig {

package/dist/auth/utils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../src/auth/utils.ts"],"names":[],"mappings":"AAMA,eAAO,MAAM,cAAc;;;CAA4C,CAAC;AACxE,eAAO,MAAM,YAAY;;;;;;;;;;;;;;;;;;;CAexB,CAAA;AAED,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;CAc7B,CAAA;AAED,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;;;;;;;;CAgB7B,CAAA;AAED,eAAO,MAAM,oBAAoB;;;;;;;;;;;;;;;;;;;CAWhC,CAAA;AAED,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;CAU/B,CAAA;AAED,eAAO,MAAM,YAAY;;;;;;;;;;;;;;CAAoB,CAAA;AAE7C,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;CAe/B,CAAA;AAED,oBAAY,cAAc;IACxB,KAAK,WAAW;IAChB,YAAY,cAAc;IAC1B,OAAO,aAAa;IACpB,OAAO,aAAa;IACpB,OAAO,aAAa;IACpB,KAAK,gBAAgB;IACrB,UAAU,gBAAgB;IAC1B,aAAa,WAAW;IACxB,UAAU,sBAAsB;CACjC;AAED,oBAAY,WAAW;IACrB,mBAAmB,wBAAwB;IAC3C,aAAa,mCAAmC;IAChD,oBAAoB,sCAAsC;IAC1D,sBAAsB,2BAA2B;IACjD,kBAAkB,uBAAuB;CAC1C;AAED,MAAM,WAAW,UAAU;IACzB,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,SAAS,EAAE,MAAM,CAAA;IACjB,gBAAgB,EAAE,aAAa,CAAA;IAC/B,iBAAiB,EAAE,cAAc,CAAA;IACjC,WAAW,CAAC,EAAE,QAAQ,CAAA;CACvB;AAED,UAAU,MAAM;IACd,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,EAAE,MAAM,CAAA;IACZ,QAAQ,EAAE,OAAO,CAAA;CAClB;AACD,UAAU,aAAa;IACrB,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,EAAE,MAAM,CAAA;IACZ,QAAQ,EAAE,OAAO,CAAA;IACjB,MAAM,EAAE,MAAM,CAAA;CACf;AAED,UAAU,cAAc;IACtB,IAAI,EAAE,iBAAiB,CAAC;IACxB,IAAI,EAAE,iBAAiB,CAAC;IACxB,QAAQ,EAAE,OAAO,CAAC;IAClB,MAAM,EAAE;QACN,kBAAkB,EAAE,MAAM,CAAA;KAC3B,CAAA;CACF;AAED,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,WAAW,CAAA;IACjB,IAAI,EAAE,WAAW,CAAA;IACjB,QAAQ,EAAE,OAAO,CAAA;CAClB;AAED,MAAM,WAAW,MAAM;IACrB,WAAW,EAAE,OAAO,CAAA;IACpB,wBAAwB,CAAC,EAAE,MAAM,CAAA;IACjC,iBAAiB,EAAE,MAAM,CAAA;IACzB,gBAAgB,EAAE,MAAM,CAAA;IACxB,uBAAuB,EAAE,OAAO,CAAA;IAChC,gBAAgB,EAAE,OAAO,CAAA;CAC1B;AAED,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,OAAO,CAAA;IAChB,kBAAkB,EAAE,MAAM,CAAA;IAC1B,aAAa,EAAE,MAAM,CAAA;IACrB,eAAe,EAAE,MAAM,CAAA;IACvB,aAAa,EAAE,MAAM,CAAA;IACrB,8BAA8B,EAAE,MAAM,CAAA;CACvC;AAMD;;;GAGG;AACH,eAAO,MAAM,cAAc,QAAO,UAuCjC,CAAA;AAED;;;GAGG;AACH,eAAO,MAAM,kBAAkB,QAAO,oBAarC,CAAA;AAED,eAAO,MAAM,gBAAgB,GAAI,eAAW,WAG3C,CAAA"}
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../src/auth/utils.ts"],"names":[],"mappings":"AAMA,eAAO,MAAM,cAAc;;;CAA4C,CAAC;AACxE,eAAO,MAAM,YAAY;;;;;;;;;;;;;;;;;;;CAexB,CAAA;AAED,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;CAc7B,CAAA;AAED,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;;;;;;;;CAgB7B,CAAA;AAED,eAAO,MAAM,oBAAoB;;;;;;;;;;;;;;;;;;;CAWhC,CAAA;AAED,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;CAU/B,CAAA;AAED,eAAO,MAAM,YAAY;;;;;;;;;;;;;;CAAoB,CAAA;AAE7C,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;CAe/B,CAAA;AAED,oBAAY,cAAc;IACxB,KAAK,WAAW;IAChB,YAAY,cAAc;IAC1B,OAAO,aAAa;IACpB,OAAO,aAAa;IACpB,OAAO,aAAa;IACpB,KAAK,gBAAgB;IACrB,UAAU,gBAAgB;IAC1B,aAAa,WAAW;IACxB,UAAU,sBAAsB;CACjC;AAED,oBAAY,WAAW;IACrB,mBAAmB,wBAAwB;IAC3C,aAAa,mCAAmC;IAChD,oBAAoB,sCAAsC;IAC1D,sBAAsB,2BAA2B;IACjD,+BAA+B,oCAAoC;IACnE,kBAAkB,uBAAuB;CAC1C;AAED,MAAM,WAAW,UAAU;IACzB,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,SAAS,EAAE,MAAM,CAAA;IACjB,gBAAgB,EAAE,aAAa,CAAA;IAC/B,iBAAiB,EAAE,cAAc,CAAA;IACjC,WAAW,CAAC,EAAE,QAAQ,CAAA;CACvB;AAED,UAAU,MAAM;IACd,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,EAAE,MAAM,CAAA;IACZ,QAAQ,EAAE,OAAO,CAAA;CAClB;AACD,UAAU,aAAa;IACrB,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,EAAE,MAAM,CAAA;IACZ,QAAQ,EAAE,OAAO,CAAA;IACjB,MAAM,EAAE,MAAM,CAAA;CACf;AAED,UAAU,cAAc;IACtB,IAAI,EAAE,iBAAiB,CAAC;IACxB,IAAI,EAAE,iBAAiB,CAAC;IACxB,QAAQ,EAAE,OAAO,CAAC;IAClB,MAAM,EAAE;QACN,kBAAkB,EAAE,MAAM,CAAA;KAC3B,CAAA;CACF;AAED,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,WAAW,CAAA;IACjB,IAAI,EAAE,WAAW,CAAA;IACjB,QAAQ,EAAE,OAAO,CAAA;CAClB;AAED,MAAM,WAAW,MAAM;IACrB,WAAW,EAAE,OAAO,CAAA;IACpB,wBAAwB,CAAC,EAAE,MAAM,CAAA;IACjC,iBAAiB,EAAE,MAAM,CAAA;IACzB,gBAAgB,EAAE,MAAM,CAAA;IACxB,uBAAuB,EAAE,OAAO,CAAA;IAChC,gBAAgB,EAAE,OAAO,CAAA;CAC1B;AAED,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,OAAO,CAAA;IAChB,kBAAkB,EAAE,MAAM,CAAA;IAC1B,aAAa,EAAE,MAAM,CAAA;IACrB,eAAe,EAAE,MAAM,CAAA;IACvB,aAAa,EAAE,MAAM,CAAA;IACrB,8BAA8B,EAAE,MAAM,CAAA;CACvC;AAMD;;;GAGG;AACH,eAAO,MAAM,cAAc,QAAO,UAuCjC,CAAA;AAED;;;GAGG;AACH,eAAO,MAAM,kBAAkB,QAAO,oBAarC,CAAA;AAED,eAAO,MAAM,gBAAgB,GAAI,eAAW,WAG3C,CAAA"}

package/dist/auth/utils.js

@@ -115,6 +115,7 @@ var AUTH_ERRORS;
     AUTH_ERRORS["INVALID_TOKEN"] = "Invalid refresh token provided";
     AUTH_ERRORS["INVALID_RESET_PARAMS"] = "Invalid token or tokenId provided";
     AUTH_ERRORS["MISSING_RESET_FUNCTION"] = "Missing reset function";
+    AUTH_ERRORS["INVALID_RESET_FUNCTION_RESPONSE"] = "Invalid reset function response";
     AUTH_ERRORS["USER_NOT_CONFIRMED"] = "User not confirmed";
 })(AUTH_ERRORS || (exports.AUTH_ERRORS = AUTH_ERRORS = {}));
 const resolveAppPath = () => { var _a, _b, _c; return (_c = (_a = process.env.FLOWERBASE_APP_PATH) !== null && _a !== void 0 ? _a : (_b = require.main) === null || _b === void 0 ? void 0 : _b.path) !== null && _c !== void 0 ? _c : process.cwd(); };

package/dist/features/endpoints/utils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../../src/features/endpoints/utils.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,eAAe,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,SAAS,CAAA;AAKvE,OAAO,EAAE,SAAS,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAA;AAE9D;;;GAGG;AACH,eAAO,MAAM,aAAa,GAAU,gBAAuB,KAAG,OAAO,CAAC,SAAS,CA+B9E,CAAA;AAED;;;;;;GAMG;AACH,eAAO,MAAM,gBAAgB,GAC3B,KAAK,eAAe,EACpB,SAAS,UAAU,CAAC,OAAO,eAAe,CAAC,EAC3C,UAAU,MAAM;;;;;;;CAkDhB,CAAA;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,eAAe,GAAI,kEAM7B,qBAAqB,MACR,KAAK,cAAc,EAAE,KAAK,YAAY,gBA6CrD,CAAA"}
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../../src/features/endpoints/utils.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,eAAe,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,SAAS,CAAA;AAKvE,OAAO,EAAE,SAAS,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAA;AAE9D;;;GAGG;AACH,eAAO,MAAM,aAAa,GAAU,gBAAuB,KAAG,OAAO,CAAC,SAAS,CA+B9E,CAAA;AAED;;;;;;GAMG;AACH,eAAO,MAAM,gBAAgB,GAC3B,KAAK,eAAe,EACpB,SAAS,UAAU,CAAC,OAAO,eAAe,CAAC,EAC3C,UAAU,MAAM;;;;;;;CAkDhB,CAAA;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,eAAe,GAAI,kEAM7B,qBAAqB,MACR,KAAK,cAAc,EAAE,KAAK,YAAY,gBAgDrD,CAAA"}

package/dist/features/endpoints/utils.js

@@ -135,6 +135,9 @@ const generateHandler = ({ app, currentFunction, functionName, functionsList, ru
                 setStatusCode: (code) => {
                     res.status(code);
                 },
+                setHeader: (name, value) => {
+                    res.header(name, value);
+                },
                 setBody: (body) => {
                     customResponseBody.data = body;
                 }

package/dist/utils/roles/machines/fieldPermissions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"fieldPermissions.d.ts","sourceRoot":"","sources":["../../../../src/utils/roles/machines/fieldPermissions.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAA;AAElC,OAAO,EAGL,IAAI,EACL,MAAM,cAAc,CAAA;AACrB,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAA;AA4C5C,eAAO,MAAM,0BAA0B,GAAI,OAAO,IAAI,YACN,CAAA;AAEhD,eAAO,MAAM,gCAAgC,GAC3C,SAAS,IAAI,CAAC,cAAc,EAAE,QAAQ,GAAG,MAAM,GAAG,MAAM,CAAC,EACzD,MAAM,MAAM,GAAG,OAAO,EACtB,UAAU;IACR,YAAY,CAAC,EAAE,OAAO,CAAA;CACvB,KACA,OAAO,CAAC,QAAQ,CAyBlB,CAAA"}
+{"version":3,"file":"fieldPermissions.d.ts","sourceRoot":"","sources":["../../../../src/utils/roles/machines/fieldPermissions.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAA;AAElC,OAAO,EAGL,IAAI,EACL,MAAM,cAAc,CAAA;AACrB,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAA;AA0C5C,eAAO,MAAM,0BAA0B,GAAI,OAAO,IAAI,YACN,CAAA;AAEhD,eAAO,MAAM,gCAAgC,GAC3C,SAAS,IAAI,CAAC,cAAc,EAAE,QAAQ,GAAG,MAAM,GAAG,MAAM,CAAC,EACzD,MAAM,MAAM,GAAG,OAAO,EACtB,UAAU;IACR,YAAY,CAAC,EAAE,OAAO,CAAA;CACvB,KACA,OAAO,CAAC,QAAQ,CA6BlB,CAAA"}

package/dist/utils/roles/machines/fieldPermissions.js

@@ -26,12 +26,9 @@ const getAdditionalFieldPermission = (additionalFields, fieldName) => {
     return undefined;
 };
 const canReadField = (context, permission) => __awaiter(void 0, void 0, void 0, function* () {
-    if (!permission)
-        return false;
-    const read = yield (0, helpers_1.evaluateExpression)(context.params, permission.read, context.user);
-    if (read)
-        return true;
-    return yield (0, helpers_1.evaluateExpression)(context.params, permission.write, context.user);
+    if (!permission || typeof permission.read === 'undefined')
+        return undefined;
+    return yield (0, helpers_1.evaluateExpression)(context.params, permission.read, context.user);
 });
 const canWriteField = (context, permission) => __awaiter(void 0, void 0, void 0, function* () {
     if (!permission)
@@ -53,10 +50,15 @@ const filterDocumentByFieldPermissions = (context, mode, options) => __awaiter(v
         const permission = fieldPermission !== null && fieldPermission !== void 0 ? fieldPermission : getAdditionalFieldPermission(additionalFields, key);
         let allowed = (options === null || options === void 0 ? void 0 : options.defaultAllow) === true;
         if (permission) {
-            allowed =
-                mode === 'read'
-                    ? yield canReadField(context, permission)
-                    : yield canWriteField(context, permission);
+            if (mode === 'read') {
+                const readAllowed = yield canReadField(context, permission);
+                if (typeof readAllowed !== 'undefined') {
+                    allowed = readAllowed;
+                }
+            }
+            else {
+                allowed = yield canWriteField(context, permission);
+            }
         }
         if (allowed) {
             document[key] = value;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@flowerforce/flowerbase",
-  "version": "1.7.6-beta.4",
+  "version": "1.7.6-beta.6",
   "description": "",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/src/auth/providers/local-userpass/__tests__/controller.test.ts

@@ -0,0 +1,200 @@
+jest.mock('../../../../constants', () => ({
+  AUTH_CONFIG: {
+    authCollection: 'auth_users',
+    refreshTokensCollection: 'refresh_tokens',
+    resetPasswordCollection: 'reset_password_requests',
+    userCollection: 'users',
+    user_id_field: 'id',
+    authProviders: {
+      'local-userpass': {
+        disabled: false
+      }
+    },
+    resetPasswordConfig: {
+      runResetFunction: true,
+      resetFunctionName: 'customReset'
+    }
+  },
+  AUTH_DB_NAME: 'test-auth-db',
+  DB_NAME: 'test-db',
+  DEFAULT_CONFIG: {
+    RESET_PASSWORD_TTL_SECONDS: 3600,
+    AUTH_RATE_LIMIT_WINDOW_MS: 60000,
+    AUTH_LOGIN_MAX_ATTEMPTS: 5,
+    AUTH_REGISTER_MAX_ATTEMPTS: 5,
+    AUTH_RESET_MAX_ATTEMPTS: 5,
+    REFRESH_TOKEN_TTL_DAYS: 1
+  }
+}))
+
+jest.mock('../../../../state', () => ({
+  StateManager: {
+    select: jest.fn((key: string) => {
+      if (key === 'functions') {
+        return {
+          customReset: { name: 'customReset', code: 'exports = async () => ({ status: "success" })' }
+        }
+      }
+      if (key === 'services') {
+        return {}
+      }
+      return {}
+    })
+  }
+}))
+
+jest.mock('../../../../utils/context', () => ({
+  GenerateContext: jest.fn()
+}))
+
+jest.mock('../../../../utils/crypto', () => ({
+  comparePassword: jest.fn(),
+  generateToken: jest.fn(() => 'generated-token'),
+  hashPassword: jest.fn(async (password: string) => `hashed:${password}`),
+  hashToken: jest.fn(() => 'hashed-token')
+}))
+
+import { AUTH_ERRORS } from '../../../utils'
+import { localUserPassController } from '../controller'
+import { GenerateContext } from '../../../../utils/context'
+import { hashPassword } from '../../../../utils/crypto'
+
+describe('localUserPassController reset call', () => {
+  const buildApp = () => {
+    let resetCallHandler:
+      | ((req: { body: { email: string; password: string; arguments?: unknown[] }; ip: string }, res: { status: jest.Mock }) => Promise<unknown>)
+      | undefined
+
+    const authUsersCollection = {
+      findOne: jest.fn().mockResolvedValue({
+        _id: 'auth-user-1',
+        email: 'john@doe.com',
+        password: 'old-hash'
+      }),
+      updateOne: jest.fn().mockResolvedValue({ acknowledged: true })
+    }
+    const resetCollection = {
+      createIndex: jest.fn().mockResolvedValue('ok'),
+      updateOne: jest.fn().mockResolvedValue({ acknowledged: true }),
+      deleteOne: jest.fn().mockResolvedValue({ acknowledged: true }),
+      findOne: jest.fn()
+    }
+    const refreshCollection = {
+      createIndex: jest.fn().mockResolvedValue('ok'),
+      insertOne: jest.fn()
+    }
+    const usersCollection = {
+      findOne: jest.fn()
+    }
+    const db = {
+      collection: jest.fn((name: string) => {
+        if (name === 'auth_users') return authUsersCollection
+        if (name === 'reset_password_requests') return resetCollection
+        if (name === 'refresh_tokens') return refreshCollection
+        if (name === 'users') return usersCollection
+        return {}
+      })
+    }
+    const app = {
+      mongo: { client: { db: jest.fn().mockReturnValue(db) } },
+      post: jest.fn((path: string, _opts: unknown, handler: typeof resetCallHandler) => {
+        if (path === '/reset/call') {
+          resetCallHandler = handler
+        }
+      })
+    }
+
+    return { app, authUsersCollection, resetCollection, resetCallHandlerRef: () => resetCallHandler }
+  }
+
+  beforeEach(() => {
+    jest.clearAllMocks()
+  })
+
+  it('hashes and applies the password when the custom reset function returns success', async () => {
+    ;(GenerateContext as jest.Mock).mockResolvedValue({ status: 'success' })
+    const { app, authUsersCollection, resetCollection, resetCallHandlerRef } = buildApp()
+
+    await localUserPassController(app as never)
+
+    const res = { status: jest.fn() }
+    const result = await resetCallHandlerRef()?.(
+      {
+        body: { email: 'john@doe.com', password: 'new-secret', arguments: ['extra'] },
+        ip: '127.0.0.1'
+      },
+      res
+    )
+
+    expect(GenerateContext).toHaveBeenCalledWith(expect.objectContaining({
+      args: [
+        {
+          token: 'generated-token',
+          tokenId: 'generated-token',
+          email: 'john@doe.com',
+          password: 'new-secret',
+          username: 'john@doe.com'
+        },
+        'extra'
+      ],
+      runAsSystem: true
+    }))
+    expect(hashPassword).toHaveBeenCalledWith('new-secret')
+    expect(authUsersCollection.updateOne).toHaveBeenCalledWith(
+      { email: 'john@doe.com' },
+      { $set: { password: 'hashed:new-secret' } }
+    )
+    expect(resetCollection.deleteOne).toHaveBeenCalledWith({ email: 'john@doe.com' })
+    expect(res.status).toHaveBeenCalledWith(202)
+    expect(result).toEqual({ status: 'success' })
+  })
+
+  it('returns pending without changing the password when the custom reset function returns pending', async () => {
+    ;(GenerateContext as jest.Mock).mockResolvedValue({ status: 'pending' })
+    const { app, authUsersCollection, resetCollection, resetCallHandlerRef } = buildApp()
+
+    await localUserPassController(app as never)
+
+    const res = { status: jest.fn() }
+    const result = await resetCallHandlerRef()?.(
+      {
+        body: { email: 'john@doe.com', password: 'new-secret' },
+        ip: '127.0.0.1'
+      },
+      res
+    )
+
+    expect(hashPassword).not.toHaveBeenCalled()
+    expect(authUsersCollection.updateOne).not.toHaveBeenCalledWith(
+      { email: 'john@doe.com' },
+      expect.objectContaining({ $set: { password: expect.any(String) } })
+    )
+    expect(resetCollection.deleteOne).not.toHaveBeenCalled()
+    expect(res.status).toHaveBeenCalledWith(202)
+    expect(result).toEqual({ status: 'pending' })
+  })
+
+  it('rejects the request when the custom reset function returns fail', async () => {
+    ;(GenerateContext as jest.Mock).mockResolvedValue({ status: 'fail' })
+    const { app, authUsersCollection, resetCollection, resetCallHandlerRef } = buildApp()
+
+    await localUserPassController(app as never)
+
+    const res = { status: jest.fn() }
+
+    await expect(
+      resetCallHandlerRef()?.(
+        {
+          body: { email: 'john@doe.com', password: 'new-secret' },
+          ip: '127.0.0.1'
+        },
+        res
+      )
+    ).rejects.toThrow(AUTH_ERRORS.INVALID_RESET_PARAMS)
+
+    expect(hashPassword).not.toHaveBeenCalled()
+    expect(authUsersCollection.updateOne).not.toHaveBeenCalled()
+    expect(resetCollection.deleteOne).not.toHaveBeenCalled()
+    expect(res.status).not.toHaveBeenCalled()
+  })
+})

package/src/auth/providers/local-userpass/controller.ts

@@ -27,6 +27,8 @@ import {
 
 const rateLimitStore = new Map<string, number[]>()
 
+type ResetFunctionResult = { status?: 'success' | 'pending' | 'fail' }
+
 const isRateLimited = (key: string, maxAttempts: number, windowMs: number) => {
   const now = Date.now()
   const existing = rateLimitStore.get(key) ?? []
@@ -106,7 +108,7 @@ export async function localUserPassController(app: FastifyInstance) {
       const currentFunction = functionsList[resetPasswordConfig.resetFunctionName]
       const baseArgs = { token, tokenId, email, password, username: email }
       const args = Array.isArray(extraArguments) ? [baseArgs, ...extraArguments] : [baseArgs]
-      await GenerateContext({
+      const response = await GenerateContext({
         args,
         app,
         rules: {},
@@ -114,11 +116,41 @@ export async function localUserPassController(app: FastifyInstance) {
         currentFunction,
         functionName: resetPasswordConfig.resetFunctionName,
         functionsList,
-        services
-      })
-      return
+        services,
+        runAsSystem: true
+      }) as ResetFunctionResult
+      const resetStatus = response?.status
+
+      if (resetStatus === 'success') {
+        if (!password) {
+          throw new Error(AUTH_ERRORS.INVALID_RESET_FUNCTION_RESPONSE)
+        }
+
+        const hashedPassword = await hashPassword(password)
+        await authDb.collection(authCollection!).updateOne(
+          { email },
+          {
+            $set: {
+              password: hashedPassword
+            }
+          }
+        )
+        await authDb?.collection(resetPasswordCollection).deleteOne({ email })
+        return { status: 'success' as const }
+      }
+
+      if (resetStatus === 'pending') {
+        return { status: 'pending' as const }
+      }
+
+      if (resetStatus === 'fail') {
+        throw new Error(AUTH_ERRORS.INVALID_RESET_PARAMS)
+      }
+
+      throw new Error(AUTH_ERRORS.INVALID_RESET_FUNCTION_RESPONSE)
     }
 
+    return { status: 'pending' as const }
   }
 
   /**
@@ -352,15 +384,13 @@ export async function localUserPassController(app: FastifyInstance) {
         res.status(429)
         return { message: 'Too many requests' }
       }
-      await handleResetPasswordRequest(
+      const result = await handleResetPasswordRequest(
         req.body.email,
         req.body.password,
         req.body.arguments
       )
       res.status(202)
-      return {
-        status: 'ok'
-      }
+      return result
     }
   )
 

package/src/auth/utils.ts

@@ -117,6 +117,7 @@ export enum AUTH_ERRORS {
   INVALID_TOKEN = 'Invalid refresh token provided',
   INVALID_RESET_PARAMS = 'Invalid token or tokenId provided',
   MISSING_RESET_FUNCTION = 'Missing reset function',
+  INVALID_RESET_FUNCTION_RESPONSE = 'Invalid reset function response',
   USER_NOT_CONFIRMED = 'User not confirmed'
 }
 

package/src/features/endpoints/__tests__/utils.test.ts

@@ -0,0 +1,65 @@
+import { GenerateContext } from '../../../utils/context'
+import { generateHandler } from '../utils'
+
+jest.mock('../../../utils/context', () => ({
+  GenerateContext: jest.fn()
+}))
+
+const mockedGenerateContext = jest.mocked(GenerateContext)
+
+describe('generateHandler', () => {
+  beforeEach(() => {
+    mockedGenerateContext.mockReset()
+  })
+
+  it('allows endpoint functions to set custom response headers', async () => {
+    mockedGenerateContext.mockImplementation(async ({ args }) => {
+      const [, response] = args as [
+        { body: { text: () => string; rawBody: Buffer | string | undefined } },
+        {
+          setStatusCode: (code: number) => void
+          setHeader: (name: string, value: string | number | readonly string[]) => void
+          setBody: (body: unknown) => void
+        }
+      ]
+
+      response.setStatusCode(201)
+      response.setHeader('Content-Type', 'application/json')
+      response.setHeader('Cache-Control', 'no-store')
+      response.setBody(JSON.stringify({ ok: true }))
+
+      return { ignored: true }
+    })
+
+    const handler = generateHandler({
+      app: {} as any,
+      currentFunction: { code: 'module.exports = function () {}' } as any,
+      functionName: 'endpointHandler',
+      functionsList: {
+        endpointHandler: { code: 'module.exports = function () {}' }
+      } as any,
+      http_method: 'POST',
+      rulesList: {} as any
+    })
+
+    const res = {
+      status: jest.fn(),
+      header: jest.fn(),
+      send: jest.fn((body) => body)
+    } as any
+
+    const response = await handler({
+      body: { hello: 'world' },
+      headers: { accept: 'application/json' },
+      query: { page: '1' },
+      rawBody: '{"hello":"world"}',
+      user: { id: 'user-1' }
+    } as any, res)
+
+    expect(res.status).toHaveBeenCalledWith(201)
+    expect(res.header).toHaveBeenCalledWith('Content-Type', 'application/json')
+    expect(res.header).toHaveBeenCalledWith('Cache-Control', 'no-store')
+    expect(res.send).toHaveBeenCalledWith(JSON.stringify({ ok: true }))
+    expect(response).toBe(JSON.stringify({ ok: true }))
+  })
+})

package/src/features/endpoints/utils.ts

@@ -138,6 +138,9 @@ export const generateHandler = ({
         setStatusCode: (code: number) => {
           res.status(code)
         },
+        setHeader: (name: string, value: string | number | readonly string[]) => {
+          res.header(name, value)
+        },
         setBody: (body: unknown) => {
           customResponseBody.data = body
         }

package/src/utils/__tests__/checkIsValidFieldNameFn.test.ts

@@ -32,8 +32,7 @@ describe('checkIsValidFieldNameFn', () => {
 
     const result = await checkIsValidFieldNameFn(context)
     expect(result).toEqual({
-      name: 'Alice',
-      email: 'alice@example.com'
+      name: 'Alice'
     })
   })
 
@@ -56,8 +55,33 @@ describe('checkIsValidFieldNameFn', () => {
 
     const result = await checkIsValidFieldNameFn(context)
     expect(result).toEqual({
-      phone: '123456789',
-      address: 'Unknown'
+      phone: '123456789'
+    })
+  })
+
+  it('keeps fields readable when top-level read is true and the field only defines write rules', async () => {
+    const mockedRole = {
+      name: 'test',
+      apply_when: { '%%true': true },
+      read: true,
+      fields: {
+        avatar: { write: false },
+        name: { write: true }
+      }
+    } as Role
+    const context = {
+      user: mockUser,
+      role: mockedRole,
+      params: {
+        type: 'read',
+        cursor: { avatar: 'avatar.png', name: 'Alice' }
+      }
+    } as MachineContext
+
+    const result = await checkIsValidFieldNameFn(context)
+    expect(result).toEqual({
+      avatar: 'avatar.png',
+      name: 'Alice'
     })
   })
 

package/src/utils/roles/machines/fieldPermissions.ts

@@ -35,10 +35,8 @@ const canReadField = async (
   context: Pick<MachineContext, 'params' | 'user'>,
   permission?: FieldPermissionExpression
 ) => {
-  if (!permission) return false
-  const read = await evaluateExpression(context.params, permission.read, context.user)
-  if (read) return true
-  return await evaluateExpression(context.params, permission.write, context.user)
+  if (!permission || typeof permission.read === 'undefined') return undefined
+  return await evaluateExpression(context.params, permission.read, context.user)
 }
 
 const canWriteField = async (
@@ -71,10 +69,14 @@ export const filterDocumentByFieldPermissions = async (
     const permission = fieldPermission ?? getAdditionalFieldPermission(additionalFields, key)
     let allowed = options?.defaultAllow === true
     if (permission) {
-      allowed =
-        mode === 'read'
-          ? await canReadField(context, permission)
-          : await canWriteField(context, permission)
+      if (mode === 'read') {
+        const readAllowed = await canReadField(context, permission)
+        if (typeof readAllowed !== 'undefined') {
+          allowed = readAllowed
+        }
+      } else {
+        allowed = await canWriteField(context, permission)
+      }
     }
 
     if (allowed) {