@flowerforce/flowerbase 1.8.1-beta.1 → 1.8.1-beta.3

package/CHANGELOG.md

@@ -1,3 +1,10 @@
+## 1.8.1 (2026-03-27)
+
+
+### 🩹 Fixes
+
+- add config FUNCTION_CALL_BODY_LIMIT ([5f6ec70](https://github.com/flowerforce/flowerbase/commit/5f6ec70))
+
 ## 1.8.0 (2026-03-20)
 
 

package/README.md

@@ -484,6 +484,7 @@ Ensure the following environment variables are set in your .env file or deployme
 | `PORT`                 | The port on which the server will run.                                      | `3000`                                             |
 | `MONGODB_URL`          | MongoDB connection URI, including username, password, and database name.    | `mongodb+srv://user:pass@cluster.mongodb.net/mydb` |
 | `JWT_SECRET`           | Secret used to sign and verify JWT tokens (choose a strong secret).         | `supersecretkey123!`                               |
+| `FUNCTION_CALL_BODY_LIMIT_BYTES` | Max request body size in bytes for `POST /api/client/<version>/app/:appId/functions/call`. | `52428800` |
 | `HOST`                 | The host address the server binds to (usually `0.0.0.0` for public access). | `0.0.0.0`                                          |
 | `API_VERSION`          | API version used in client base path.                                       | `v2.0`                                             |
 | `HTTPS_SCHEMA`         | The schema for your server requests (usually `https` or `http`).            | `http`                                             |
@@ -518,6 +519,7 @@ PROJECT_ID=your-project-id
 PORT=3000
 MONGODB_URL=mongodb+srv://username:password@cluster.mongodb.net/dbname
 JWT_SECRET=your-jwt-secret
+FUNCTION_CALL_BODY_LIMIT_BYTES=52428800
 HOST=0.0.0.0
 API_VERSION=v2.0
 HTTPS_SCHEMA=http
@@ -555,6 +557,45 @@ MONIT_ALLOW_EDIT=true
 - If `MONIT_ALLOWED_IPS` is set, only those IPs can reach `/monit` (ensure `req.ip` reflects your proxy setup / `trustProxy`).
 - You can disable **invoke** or **edit** with `MONIT_ALLOW_INVOKE=false` and/or `MONIT_ALLOW_EDIT=false`.
 
+### 🔐 Reverse Proxy and SSL Termination
+
+When Flowerbase runs behind Nginx or HAProxy with SSL termination, make sure the proxy forwards the public scheme/host/port headers.
+
+Flowerbase uses these headers for `GET /api/client/<version>/app/:appId/location`, and Realm-style clients use that response to build auth URLs (including `/login`).
+
+- Header priority for host and scheme is: `Forwarded` first, then `X-Forwarded-*`, then `Host`.
+- If `X-Forwarded-Port` is set and host has no explicit port, Flowerbase appends it.
+
+#### Nginx
+
+```nginx
+location / {
+  proxy_pass http://flowerbase_upstream;
+  proxy_set_header Host $http_host;
+  proxy_set_header X-Forwarded-Proto $scheme;
+  proxy_set_header X-Forwarded-Host $http_host;
+  proxy_set_header X-Forwarded-Port $server_port;
+}
+```
+
+#### HAProxy
+
+```haproxy
+frontend fe_https
+  bind *:443 ssl crt /etc/haproxy/certs/site.pem
+  mode http
+  default_backend be_flowerbase
+
+backend be_flowerbase
+  mode http
+  server app1 127.0.0.1:3000 check
+  http-request set-header Host %[req.hdr(host)]
+  http-request set-header X-Forwarded-Proto https if { ssl_fc }
+  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
+  http-request set-header X-Forwarded-Host %[req.hdr(host)]
+  http-request set-header X-Forwarded-Port %[dst_port]
+```
+
 
 <a id="build"></a>
 ## 🚀 Build & Deploy the Server

package/dist/constants.d.ts

@@ -3,6 +3,7 @@ export declare const DEFAULT_CONFIG: {
     PORT: number;
     MONGODB_URL: string;
     JWT_SECRET: string;
+    FUNCTION_CALL_BODY_LIMIT_BYTES: number;
     API_VERSION: string;
     HTTPS_SCHEMA: string;
     HOST: string;

package/dist/constants.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,IAAI,CAAA;AAsBpC,eAAO,MAAM,cAAc;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAmCsB,eAAe,EAAE;;;;;;CAMjE,CAAA;AACD,eAAO,MAAM,WAAW,QAA8C,CAAA;AACtE,eAAO,MAAM,YAAY,QAA8B,CAAA;AACvD,eAAO,MAAM,OAAO,QAAgB,CAAA;AACpC,eAAO,MAAM,YAAY,QAAiC,CAAA;AAE1D,KAAK,aAAa,GAAG,MAAM,CAAC,MAAM,EAAE;IAAE,QAAQ,CAAC,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CAAA;AAE7E,eAAO,MAAM,WAAW;;;;;;;mBAOqB,aAAa;;;;;;;;;CAOzD,CAAA;AAED,eAAO,MAAM,SAAS;;;CAGrB,CAAA;AAED;;;;GAIG;AACH,eAAO,MAAM,YAAY,iBAAiB,CAAA"}
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,IAAI,CAAA;AAsBpC,eAAO,MAAM,cAAc;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAoCsB,eAAe,EAAE;;;;;;CAMjE,CAAA;AACD,eAAO,MAAM,WAAW,QAA8C,CAAA;AACtE,eAAO,MAAM,YAAY,QAA8B,CAAA;AACvD,eAAO,MAAM,OAAO,QAAgB,CAAA;AACpC,eAAO,MAAM,YAAY,QAAiC,CAAA;AAE1D,KAAK,aAAa,GAAG,MAAM,CAAC,MAAM,EAAE;IAAE,QAAQ,CAAC,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC,CAAA;AAE7E,eAAO,MAAM,WAAW;;;;;;;mBAOqB,aAAa;;;;;;;;;CAOzD,CAAA;AAED,eAAO,MAAM,SAAS;;;CAGrB,CAAA;AAED;;;;GAIG;AACH,eAAO,MAAM,YAAY,iBAAiB,CAAA"}

package/dist/constants.js

@@ -31,6 +31,7 @@ exports.DEFAULT_CONFIG = {
     PORT: Number(process.env.PORT) || 3000,
     MONGODB_URL: process.env.MONGODB_URL || '',
     JWT_SECRET: process.env.JWT_SECRET || '',
+    FUNCTION_CALL_BODY_LIMIT_BYTES: Number(process.env.FUNCTION_CALL_BODY_LIMIT_BYTES) || 50 * 1024 * 1024,
     API_VERSION: process.env.API_VERSION || 'v2.0',
     HTTPS_SCHEMA: process.env.HTTPS_SCHEMA || 'https',
     HOST: process.env.HOST || '0.0.0.0',

package/dist/features/functions/controller.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"controller.d.ts","sourceRoot":"","sources":["../../../src/features/functions/controller.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAA;AAIvC,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAA;AAmHhD,eAAO,MAAM,iCAAiC,GAAI,OAAO,OAAO,KAAG,OA0BlE,CAAA;AAID,eAAO,MAAM,6BAA6B,GAAI,OAAO,OAAO,KAAG,OAgD9D,CAAA;AAqHD,eAAO,MAAM,oCAAoC,GAAI,QAAQ,QAAQ,YAClC,CAAA;AAEnC;;;;;GAKG;AACH,eAAO,MAAM,mBAAmB,EAAE,kBAyRjC,CAAA"}
+{"version":3,"file":"controller.d.ts","sourceRoot":"","sources":["../../../src/features/functions/controller.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAA;AAKvC,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAA;AAmHhD,eAAO,MAAM,iCAAiC,GAAI,OAAO,OAAO,KAAG,OA0BlE,CAAA;AAID,eAAO,MAAM,6BAA6B,GAAI,OAAO,OAAO,KAAG,OAgD9D,CAAA;AAqHD,eAAO,MAAM,oCAAoC,GAAI,QAAQ,QAAQ,YAClC,CAAA;AAEnC;;;;;GAKG;AACH,eAAO,MAAM,mBAAmB,EAAE,kBA0RjC,CAAA"}

package/dist/features/functions/controller.js

@@ -22,6 +22,7 @@ var __rest = (this && this.__rest) || function (s, e) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.functionsController = exports.shouldSkipReadabilityLookupForChange = exports.mapWatchFilterToDocumentQuery = exports.mapWatchFilterToChangeStreamMatch = void 0;
 const bson_1 = require("bson");
+const constants_1 = require("../../constants");
 const services_1 = require("../../services");
 const context_1 = require("../../utils/context");
 const utils_1 = require("./utils");
@@ -273,6 +274,7 @@ exports.shouldSkipReadabilityLookupForChange = shouldSkipReadabilityLookupForCha
 const functionsController = (app_1, _a) => __awaiter(void 0, [app_1, _a], void 0, function* (app, { functionsList, rules }) {
     app.addHook('preHandler', app.jwtAuthentication);
     app.post('/call', {
+        bodyLimit: constants_1.DEFAULT_CONFIG.FUNCTION_CALL_BODY_LIMIT_BYTES,
         schema: {
             tags: ['Functions']
         }

package/dist/utils/initializer/exposeRoutes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"exposeRoutes.d.ts","sourceRoot":"","sources":["../../../src/utils/initializer/exposeRoutes.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAA;AAOzC;;;;GAIG;AACH,eAAO,MAAM,YAAY,GAAU,SAAS,eAAe,kBAqF1D,CAAA"}
+{"version":3,"file":"exposeRoutes.d.ts","sourceRoot":"","sources":["../../../src/utils/initializer/exposeRoutes.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAA;AAmCzC;;;;GAIG;AACH,eAAO,MAAM,YAAY,GAAU,SAAS,eAAe,kBA2F1D,CAAA"}

package/dist/utils/initializer/exposeRoutes.js

@@ -15,6 +15,36 @@ const utils_1 = require("../../auth/utils");
 const constants_1 = require("../../constants");
 const handleUserRegistration_model_1 = require("../../shared/models/handleUserRegistration.model");
 const crypto_1 = require("../crypto");
+const parseFirstHeaderValue = (header) => {
+    var _a;
+    if (!header)
+        return undefined;
+    const raw = Array.isArray(header) ? header[0] : header;
+    return ((_a = raw === null || raw === void 0 ? void 0 : raw.split(',')[0]) === null || _a === void 0 ? void 0 : _a.trim()) || undefined;
+};
+const parseForwardedHeader = (header) => {
+    var _a;
+    if (!header)
+        return {};
+    const segment = (_a = header.split(',')[0]) === null || _a === void 0 ? void 0 : _a.trim();
+    if (!segment)
+        return {};
+    const tokens = segment.split(';').map((item) => item.trim());
+    const protoToken = tokens.find((item) => item.toLowerCase().startsWith('proto='));
+    const hostToken = tokens.find((item) => item.toLowerCase().startsWith('host='));
+    const clean = (value) => value === null || value === void 0 ? void 0 : value.replace(/^"|"$/g, '');
+    return {
+        proto: clean(protoToken === null || protoToken === void 0 ? void 0 : protoToken.split('=')[1]),
+        host: clean(hostToken === null || hostToken === void 0 ? void 0 : hostToken.split('=')[1])
+    };
+};
+const hasExplicitPort = (host) => {
+    if (/^\[[^\]]+]\:\d+$/.test(host))
+        return true;
+    if (/^[^:]+\:\d+$/.test(host))
+        return true;
+    return false;
+};
 /**
  * > Used to expose all app routes
  * @param fastify -> the fastify instance
@@ -27,12 +57,16 @@ const exposeRoutes = (fastify) => __awaiter(void 0, void 0, void 0, function* ()
                 tags: ['System']
             }
         }, (req) => __awaiter(void 0, void 0, void 0, function* () {
-            var _a, _b, _c;
-            const schema = (_a = constants_1.DEFAULT_CONFIG === null || constants_1.DEFAULT_CONFIG === void 0 ? void 0 : constants_1.DEFAULT_CONFIG.HTTPS_SCHEMA) !== null && _a !== void 0 ? _a : 'http';
-            const headerHost = (_b = req.headers.host) !== null && _b !== void 0 ? _b : 'localhost:3000';
-            const hostname = headerHost.split(':')[0];
-            const port = (_c = constants_1.DEFAULT_CONFIG === null || constants_1.DEFAULT_CONFIG === void 0 ? void 0 : constants_1.DEFAULT_CONFIG.PORT) !== null && _c !== void 0 ? _c : 3000;
-            const host = process.env.NODE_ENV === "production" ? hostname : `${hostname}:${port}`;
+            var _a, _b, _c, _d, _e, _f, _g;
+            const forwarded = parseForwardedHeader(parseFirstHeaderValue(req.headers.forwarded));
+            const forwardedProto = parseFirstHeaderValue(req.headers['x-forwarded-proto']);
+            const forwardedHost = parseFirstHeaderValue(req.headers['x-forwarded-host']);
+            const forwardedPort = parseFirstHeaderValue(req.headers['x-forwarded-port']);
+            const schema = (_c = (_b = (_a = forwarded.proto) !== null && _a !== void 0 ? _a : forwardedProto) !== null && _b !== void 0 ? _b : constants_1.DEFAULT_CONFIG === null || constants_1.DEFAULT_CONFIG === void 0 ? void 0 : constants_1.DEFAULT_CONFIG.HTTPS_SCHEMA) !== null && _c !== void 0 ? _c : 'http';
+            let host = (_f = (_e = (_d = forwarded.host) !== null && _d !== void 0 ? _d : forwardedHost) !== null && _e !== void 0 ? _e : req.headers.host) !== null && _f !== void 0 ? _f : `localhost:${(_g = constants_1.DEFAULT_CONFIG === null || constants_1.DEFAULT_CONFIG === void 0 ? void 0 : constants_1.DEFAULT_CONFIG.PORT) !== null && _g !== void 0 ? _g : 3000}`;
+            if (forwardedPort && !hasExplicitPort(host)) {
+                host = `${host}:${forwardedPort}`;
+            }
             const wsSchema = 'wss';
             return {
                 deployment_model: 'LOCAL',

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@flowerforce/flowerbase",
-  "version": "1.8.1-beta.1",
+  "version": "1.8.1-beta.3",
   "description": "",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/src/constants.ts

@@ -25,6 +25,7 @@ export const DEFAULT_CONFIG = {
   PORT: Number(process.env.PORT) || 3000,
   MONGODB_URL: process.env.MONGODB_URL || '',
   JWT_SECRET: process.env.JWT_SECRET || '',
+  FUNCTION_CALL_BODY_LIMIT_BYTES: Number(process.env.FUNCTION_CALL_BODY_LIMIT_BYTES) || 50 * 1024 * 1024,
   API_VERSION: process.env.API_VERSION || 'v2.0',
   HTTPS_SCHEMA: process.env.HTTPS_SCHEMA || 'https',
   HOST: process.env.HOST || '0.0.0.0',

package/src/features/functions/__tests__/controller.test.ts

@@ -0,0 +1,60 @@
+import Fastify, { FastifyInstance, FastifyReply, FastifyRequest } from 'fastify'
+import { GenerateContext } from '../../../utils/context'
+import { functionsController } from '../controller'
+
+jest.mock('../../../utils/context', () => ({
+  GenerateContext: jest.fn()
+}))
+
+describe('functionsController', () => {
+  let app: FastifyInstance
+
+  beforeEach(async () => {
+    app = Fastify()
+
+    app.decorate('jwtAuthentication', async (request: FastifyRequest, _reply: FastifyReply) => {
+      ;(request as any).user = {
+        id: '507f191e810c19729de860ea',
+        typ: 'access'
+      }
+    })
+
+    ;(GenerateContext as jest.Mock).mockResolvedValue({ ok: true })
+
+    await app.register(functionsController, {
+      functionsList: {
+        largePayloadEcho: {
+          code: 'exports = () => ({ ok: true })'
+        }
+      },
+      rules: {}
+    })
+    await app.ready()
+  })
+
+  afterEach(async () => {
+    await app.close()
+    jest.clearAllMocks()
+  })
+
+  it('accepts payloads larger than Fastify default body limit on POST /call', async () => {
+    const largeValue = 'x'.repeat(2 * 1024 * 1024)
+
+    const response = await app.inject({
+      method: 'POST',
+      url: '/call',
+      payload: {
+        name: 'largePayloadEcho',
+        arguments: [{ largeValue }]
+      }
+    })
+
+    expect(response.statusCode).toBe(200)
+    expect(JSON.parse(response.body)).toEqual({ ok: true })
+    expect(GenerateContext).toHaveBeenCalledWith(
+      expect.objectContaining({
+        args: [{ largeValue }]
+      })
+    )
+  })
+})

package/src/features/functions/controller.ts

@@ -2,6 +2,7 @@ import type { ServerResponse } from 'http'
 import { EJSON, ObjectId } from 'bson'
 import type { FastifyRequest } from 'fastify'
 import type { Document } from 'mongodb'
+import { DEFAULT_CONFIG } from '../../constants'
 import { services } from '../../services'
 import { GenerateContext } from '../../utils/context'
 import { Base64Function, FunctionCallBase64Dto, FunctionCallDto } from './dtos'
@@ -331,6 +332,7 @@ export const functionsController: FunctionController = async (
   app.addHook('preHandler', app.jwtAuthentication)
 
   app.post<{ Body: FunctionCallDto }>('/call', {
+    bodyLimit: DEFAULT_CONFIG.FUNCTION_CALL_BODY_LIMIT_BYTES,
     schema: {
       tags: ['Functions']
     }

package/src/utils/__tests__/exposeRoutes.test.ts

@@ -38,7 +38,10 @@ describe('exposeRoutes', () => {
     const appId = 'it'
     const response = await config.app!.inject({
       method: 'GET',
-      url: `${API_VERSION}/app/${appId}/location`
+      url: `${API_VERSION}/app/${appId}/location`,
+      headers: {
+        host: 'localhost:3000'
+      }
     })
 
     expect(response.statusCode).toBe(200)
@@ -50,6 +53,28 @@ describe('exposeRoutes', () => {
     })
   })
 
+  it('GET location should prioritize forwarded host and port', async () => {
+    const appId = 'it'
+    const response = await config.app!.inject({
+      method: 'GET',
+      url: `${API_VERSION}/app/${appId}/location`,
+      headers: {
+        host: 'internal-flowerbase:3000',
+        'x-forwarded-proto': 'https',
+        'x-forwarded-host': 'api.example.com',
+        'x-forwarded-port': '8443'
+      }
+    })
+
+    expect(response.statusCode).toBe(200)
+    expect(JSON.parse(response.body)).toEqual({
+      deployment_model: 'LOCAL',
+      location: 'IE',
+      hostname: 'https://api.example.com:8443',
+      ws_hostname: 'wss://api.example.com:8443'
+    })
+  })
+
   it('exposeRoutes should handle errors in the catch block', async () => {
     const mockedApp = Fastify()
     // Forced fail on get method

package/src/utils/initializer/exposeRoutes.ts

@@ -6,6 +6,34 @@ import { API_VERSION, AUTH_CONFIG, AUTH_DB_NAME, DEFAULT_CONFIG } from '../../co
 import { PROVIDER } from '../../shared/models/handleUserRegistration.model'
 import { hashPassword } from '../crypto'
 
+const parseFirstHeaderValue = (header: string | string[] | undefined): string | undefined => {
+  if (!header) return undefined
+  const raw = Array.isArray(header) ? header[0] : header
+  return raw?.split(',')[0]?.trim() || undefined
+}
+
+const parseForwardedHeader = (header: string | undefined): { proto?: string; host?: string } => {
+  if (!header) return {}
+  const segment = header.split(',')[0]?.trim()
+  if (!segment) return {}
+
+  const tokens = segment.split(';').map((item) => item.trim())
+  const protoToken = tokens.find((item) => item.toLowerCase().startsWith('proto='))
+  const hostToken = tokens.find((item) => item.toLowerCase().startsWith('host='))
+  const clean = (value?: string) => value?.replace(/^"|"$/g, '')
+
+  return {
+    proto: clean(protoToken?.split('=')[1]),
+    host: clean(hostToken?.split('=')[1])
+  }
+}
+
+const hasExplicitPort = (host: string): boolean => {
+  if (/^\[[^\]]+]\:\d+$/.test(host)) return true
+  if (/^[^:]+\:\d+$/.test(host)) return true
+  return false
+}
+
 /**
  * > Used to expose all app routes
  * @param fastify -> the fastify instance
@@ -18,11 +46,17 @@ export const exposeRoutes = async (fastify: FastifyInstance) => {
         tags: ['System']
       }
     }, async (req) => {
-      const schema = DEFAULT_CONFIG?.HTTPS_SCHEMA ?? 'http'
-      const headerHost = req.headers.host ?? 'localhost:3000'
-      const hostname = headerHost.split(':')[0]
-      const port = DEFAULT_CONFIG?.PORT ?? 3000
-      const host = process.env.NODE_ENV === "production" ? hostname : `${hostname}:${port}`
+      const forwarded = parseForwardedHeader(parseFirstHeaderValue(req.headers.forwarded))
+      const forwardedProto = parseFirstHeaderValue(req.headers['x-forwarded-proto'])
+      const forwardedHost = parseFirstHeaderValue(req.headers['x-forwarded-host'])
+      const forwardedPort = parseFirstHeaderValue(req.headers['x-forwarded-port'])
+      const schema = forwarded.proto ?? forwardedProto ?? DEFAULT_CONFIG?.HTTPS_SCHEMA ?? 'http'
+      let host = forwarded.host ?? forwardedHost ?? req.headers.host ?? `localhost:${DEFAULT_CONFIG?.PORT ?? 3000}`
+
+      if (forwardedPort && !hasExplicitPort(host)) {
+        host = `${host}:${forwardedPort}`
+      }
+
       const wsSchema = 'wss'
 
       return {