@flowerforce/flowerbase 1.8.1 → 1.8.2

package/CHANGELOG.md

@@ -1,3 +1,12 @@
+## 1.8.2 (2026-03-31)
+
+
+### 🩹 Fixes
+
+- apply_when ([f2bcef2](https://github.com/flowerforce/flowerbase/commit/f2bcef2))
+
+- forwarded host ([#52](https://github.com/flowerforce/flowerbase/pull/52))
+
 ## 1.8.1 (2026-03-27)
 
 

package/README.md

@@ -557,6 +557,45 @@ MONIT_ALLOW_EDIT=true
 - If `MONIT_ALLOWED_IPS` is set, only those IPs can reach `/monit` (ensure `req.ip` reflects your proxy setup / `trustProxy`).
 - You can disable **invoke** or **edit** with `MONIT_ALLOW_INVOKE=false` and/or `MONIT_ALLOW_EDIT=false`.
 
+### 🔐 Reverse Proxy and SSL Termination
+
+When Flowerbase runs behind Nginx or HAProxy with SSL termination, make sure the proxy forwards the public scheme/host/port headers.
+
+Flowerbase uses these headers for `GET /api/client/<version>/app/:appId/location`, and Realm-style clients use that response to build auth URLs (including `/login`).
+
+- Header priority for host and scheme is: `Forwarded` first, then `X-Forwarded-*`, then `Host`.
+- If `X-Forwarded-Port` is set and host has no explicit port, Flowerbase appends it.
+
+#### Nginx
+
+```nginx
+location / {
+  proxy_pass http://flowerbase_upstream;
+  proxy_set_header Host $http_host;
+  proxy_set_header X-Forwarded-Proto $scheme;
+  proxy_set_header X-Forwarded-Host $http_host;
+  proxy_set_header X-Forwarded-Port $server_port;
+}
+```
+
+#### HAProxy
+
+```haproxy
+frontend fe_https
+  bind *:443 ssl crt /etc/haproxy/certs/site.pem
+  mode http
+  default_backend be_flowerbase
+
+backend be_flowerbase
+  mode http
+  server app1 127.0.0.1:3000 check
+  http-request set-header Host %[req.hdr(host)]
+  http-request set-header X-Forwarded-Proto https if { ssl_fc }
+  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
+  http-request set-header X-Forwarded-Host %[req.hdr(host)]
+  http-request set-header X-Forwarded-Port %[dst_port]
+```
+
 
 <a id="build"></a>
 ## 🚀 Build & Deploy the Server

package/dist/utils/initializer/exposeRoutes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"exposeRoutes.d.ts","sourceRoot":"","sources":["../../../src/utils/initializer/exposeRoutes.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAA;AAOzC;;;;GAIG;AACH,eAAO,MAAM,YAAY,GAAU,SAAS,eAAe,kBAqF1D,CAAA"}
+{"version":3,"file":"exposeRoutes.d.ts","sourceRoot":"","sources":["../../../src/utils/initializer/exposeRoutes.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAA;AAmCzC;;;;GAIG;AACH,eAAO,MAAM,YAAY,GAAU,SAAS,eAAe,kBA2F1D,CAAA"}

package/dist/utils/initializer/exposeRoutes.js

@@ -15,6 +15,36 @@ const utils_1 = require("../../auth/utils");
 const constants_1 = require("../../constants");
 const handleUserRegistration_model_1 = require("../../shared/models/handleUserRegistration.model");
 const crypto_1 = require("../crypto");
+const parseFirstHeaderValue = (header) => {
+    var _a;
+    if (!header)
+        return undefined;
+    const raw = Array.isArray(header) ? header[0] : header;
+    return ((_a = raw === null || raw === void 0 ? void 0 : raw.split(',')[0]) === null || _a === void 0 ? void 0 : _a.trim()) || undefined;
+};
+const parseForwardedHeader = (header) => {
+    var _a;
+    if (!header)
+        return {};
+    const segment = (_a = header.split(',')[0]) === null || _a === void 0 ? void 0 : _a.trim();
+    if (!segment)
+        return {};
+    const tokens = segment.split(';').map((item) => item.trim());
+    const protoToken = tokens.find((item) => item.toLowerCase().startsWith('proto='));
+    const hostToken = tokens.find((item) => item.toLowerCase().startsWith('host='));
+    const clean = (value) => value === null || value === void 0 ? void 0 : value.replace(/^"|"$/g, '');
+    return {
+        proto: clean(protoToken === null || protoToken === void 0 ? void 0 : protoToken.split('=')[1]),
+        host: clean(hostToken === null || hostToken === void 0 ? void 0 : hostToken.split('=')[1])
+    };
+};
+const hasExplicitPort = (host) => {
+    if (/^\[[^\]]+]\:\d+$/.test(host))
+        return true;
+    if (/^[^:]+\:\d+$/.test(host))
+        return true;
+    return false;
+};
 /**
  * > Used to expose all app routes
  * @param fastify -> the fastify instance
@@ -27,12 +57,16 @@ const exposeRoutes = (fastify) => __awaiter(void 0, void 0, void 0, function* ()
                 tags: ['System']
             }
         }, (req) => __awaiter(void 0, void 0, void 0, function* () {
-            var _a, _b, _c;
-            const schema = (_a = constants_1.DEFAULT_CONFIG === null || constants_1.DEFAULT_CONFIG === void 0 ? void 0 : constants_1.DEFAULT_CONFIG.HTTPS_SCHEMA) !== null && _a !== void 0 ? _a : 'http';
-            const headerHost = (_b = req.headers.host) !== null && _b !== void 0 ? _b : 'localhost:3000';
-            const hostname = headerHost.split(':')[0];
-            const port = (_c = constants_1.DEFAULT_CONFIG === null || constants_1.DEFAULT_CONFIG === void 0 ? void 0 : constants_1.DEFAULT_CONFIG.PORT) !== null && _c !== void 0 ? _c : 3000;
-            const host = process.env.NODE_ENV === "production" ? hostname : `${hostname}:${port}`;
+            var _a, _b, _c, _d, _e, _f, _g;
+            const forwarded = parseForwardedHeader(parseFirstHeaderValue(req.headers.forwarded));
+            const forwardedProto = parseFirstHeaderValue(req.headers['x-forwarded-proto']);
+            const forwardedHost = parseFirstHeaderValue(req.headers['x-forwarded-host']);
+            const forwardedPort = parseFirstHeaderValue(req.headers['x-forwarded-port']);
+            const schema = (_c = (_b = (_a = forwarded.proto) !== null && _a !== void 0 ? _a : forwardedProto) !== null && _b !== void 0 ? _b : constants_1.DEFAULT_CONFIG === null || constants_1.DEFAULT_CONFIG === void 0 ? void 0 : constants_1.DEFAULT_CONFIG.HTTPS_SCHEMA) !== null && _c !== void 0 ? _c : 'http';
+            let host = (_f = (_e = (_d = forwarded.host) !== null && _d !== void 0 ? _d : forwardedHost) !== null && _e !== void 0 ? _e : req.headers.host) !== null && _f !== void 0 ? _f : `localhost:${(_g = constants_1.DEFAULT_CONFIG === null || constants_1.DEFAULT_CONFIG === void 0 ? void 0 : constants_1.DEFAULT_CONFIG.PORT) !== null && _g !== void 0 ? _g : 3000}`;
+            if (forwardedPort && !hasExplicitPort(host)) {
+                host = `${host}:${forwardedPort}`;
+            }
             const wsSchema = 'wss';
             return {
                 deployment_model: 'LOCAL',

package/dist/utils/roles/machines/write/B/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../../src/utils/roles/machines/write/B/index.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAA;AAGxC,eAAO,MAAM,aAAa,EAAE,MAgE3B,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../../src/utils/roles/machines/write/B/index.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAA;AAGxC,eAAO,MAAM,aAAa,EAAE,MAmE3B,CAAA"}

package/dist/utils/roles/machines/write/B/index.js

@@ -44,6 +44,9 @@ exports.STEP_B_STATES = {
         });
         const check = yield (0, commonValidators_1.evaluateTopLevelPermissionsFn)(context, 'write');
         if (check) {
+            if (context.params.type === 'write') {
+                return endValidation({ success: true });
+            }
             return next('evaluateTopLevelInsert');
         }
         if (check === false) {

package/dist/utils/rules-matcher/utils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../../src/utils/rules-matcher/utils.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,SAAS,EAAE,iBAAiB,EAAe,MAAM,aAAa,CAAA;AAmEvE;;GAEG;AACH,QAAA,MAAM,iBAAiB,EAAE,iBAoNxB,CAAA;AAED;;GAEG;AACH,eAAO,MAAM,SAAS,EAAE,SAyDvB,CAAA;AAID,eAAe,iBAAiB,CAAA"}
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../../src/utils/rules-matcher/utils.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,SAAS,EAAE,iBAAiB,EAAe,MAAM,aAAa,CAAA;AAmEvE;;GAEG;AACH,QAAA,MAAM,iBAAiB,EAAE,iBAkOxB,CAAA;AAED;;GAEG;AACH,eAAO,MAAM,SAAS,EAAE,SAyDvB,CAAA;AAID,eAAe,iBAAiB,CAAA"}

package/dist/utils/rules-matcher/utils.js

@@ -212,6 +212,13 @@ const rulesMatcherUtils = {
                 return true;
             return block['$or'].some((item) => rulesMatcherUtils.checkRule(item, data, options));
         }
+        if (!Array.isArray(block) && block && typeof block === 'object') {
+            const keys = Object.keys(block);
+            const hasLogicalOperators = keys.some((key) => key === '$and' || key === '$or');
+            if (!hasLogicalOperators && keys.length > 1) {
+                return keys.every((key) => rulesMatcherUtils.checkRule({ [key]: block[key] }, data, options));
+            }
+        }
         const res = rulesMatcherUtils.rule(block, data, options);
         return res.valid;
     },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@flowerforce/flowerbase",
-  "version": "1.8.1",
+  "version": "1.8.2",
   "description": "",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/src/utils/__tests__/WRITE_STEP_B_STATES.test.ts

@@ -77,9 +77,9 @@ describe('WRITE STEP_B_STATES', () => {
     expect(endValidation).toHaveBeenCalledWith({ success: false })
   })
 
-  it('routes to insert check when write=true', async () => {
+  it('ends validation when write=true on update requests', async () => {
     ;(evaluateTopLevelPermissionsFn as jest.Mock).mockResolvedValueOnce(true)
-    const context = {} as MachineContext
+    const context = { params: { type: 'write' } } as MachineContext
     await evaluateTopLevelWrite({
       context,
       endValidation,
@@ -87,13 +87,12 @@ describe('WRITE STEP_B_STATES', () => {
       next,
       initialStep: null
     })
-    expect(next).toHaveBeenCalledWith('evaluateTopLevelInsert')
+    expect(endValidation).toHaveBeenCalledWith({ success: true })
   })
 
-  it('routes to insert check when write=true and field-level rules exist', async () => {
+  it('routes to insert check when write=true on insert requests', async () => {
     ;(evaluateTopLevelPermissionsFn as jest.Mock).mockResolvedValueOnce(true)
-    ;(checkFieldsPropertyExists as jest.Mock).mockReturnValue(true)
-    const context = {} as MachineContext
+    const context = { params: { type: 'insert' } } as MachineContext
     await evaluateTopLevelWrite({
       context,
       endValidation,

package/src/utils/__tests__/exposeRoutes.test.ts

@@ -38,7 +38,10 @@ describe('exposeRoutes', () => {
     const appId = 'it'
     const response = await config.app!.inject({
       method: 'GET',
-      url: `${API_VERSION}/app/${appId}/location`
+      url: `${API_VERSION}/app/${appId}/location`,
+      headers: {
+        host: 'localhost:3000'
+      }
     })
 
     expect(response.statusCode).toBe(200)
@@ -50,6 +53,28 @@ describe('exposeRoutes', () => {
     })
   })
 
+  it('GET location should prioritize forwarded host and port', async () => {
+    const appId = 'it'
+    const response = await config.app!.inject({
+      method: 'GET',
+      url: `${API_VERSION}/app/${appId}/location`,
+      headers: {
+        host: 'internal-flowerbase:3000',
+        'x-forwarded-proto': 'https',
+        'x-forwarded-host': 'api.example.com',
+        'x-forwarded-port': '8443'
+      }
+    })
+
+    expect(response.statusCode).toBe(200)
+    expect(JSON.parse(response.body)).toEqual({
+      deployment_model: 'LOCAL',
+      location: 'IE',
+      hostname: 'https://api.example.com:8443',
+      ws_hostname: 'wss://api.example.com:8443'
+    })
+  })
+
   it('exposeRoutes should handle errors in the catch block', async () => {
     const mockedApp = Fastify()
     // Forced fail on get method

package/src/utils/__tests__/rulesMatcherUtils.test.ts

@@ -9,7 +9,8 @@ const {
   getPath,
   forceNumber,
   getDefaultStringValue,
-  getTypeOf
+  getTypeOf,
+  checkRule
 } = rulesMatcherUtils
 
 describe('rulesMatcherUtils', () => {
@@ -64,4 +65,33 @@ describe('rulesMatcherUtils', () => {
     expect(getPath('^data.name')).toBe('data.name')
     expect(getPath('$data.name')).toBe('$data.name')
   })
+
+  it('evaluates plain objects with multiple keys as AND conditions', () => {
+    const data = {
+      '%%root': { accountId: 'acc-1' },
+      '%%user': { custom_data: { accountId: 'acc-1', role: 'admin' } }
+    }
+
+    expect(
+      checkRule(
+        {
+          '%%root.accountId': '$ref:%%user.custom_data.accountId',
+          '%%user.custom_data.role': 'admin'
+        } as any,
+        data,
+        {}
+      )
+    ).toBe(true)
+
+    expect(
+      checkRule(
+        {
+          '%%root.accountId': '$ref:%%user.custom_data.accountId',
+          '%%user.custom_data.role': 'staff'
+        } as any,
+        data,
+        {}
+      )
+    ).toBe(false)
+  })
 })

package/src/utils/initializer/exposeRoutes.ts

@@ -6,6 +6,34 @@ import { API_VERSION, AUTH_CONFIG, AUTH_DB_NAME, DEFAULT_CONFIG } from '../../co
 import { PROVIDER } from '../../shared/models/handleUserRegistration.model'
 import { hashPassword } from '../crypto'
 
+const parseFirstHeaderValue = (header: string | string[] | undefined): string | undefined => {
+  if (!header) return undefined
+  const raw = Array.isArray(header) ? header[0] : header
+  return raw?.split(',')[0]?.trim() || undefined
+}
+
+const parseForwardedHeader = (header: string | undefined): { proto?: string; host?: string } => {
+  if (!header) return {}
+  const segment = header.split(',')[0]?.trim()
+  if (!segment) return {}
+
+  const tokens = segment.split(';').map((item) => item.trim())
+  const protoToken = tokens.find((item) => item.toLowerCase().startsWith('proto='))
+  const hostToken = tokens.find((item) => item.toLowerCase().startsWith('host='))
+  const clean = (value?: string) => value?.replace(/^"|"$/g, '')
+
+  return {
+    proto: clean(protoToken?.split('=')[1]),
+    host: clean(hostToken?.split('=')[1])
+  }
+}
+
+const hasExplicitPort = (host: string): boolean => {
+  if (/^\[[^\]]+]\:\d+$/.test(host)) return true
+  if (/^[^:]+\:\d+$/.test(host)) return true
+  return false
+}
+
 /**
  * > Used to expose all app routes
  * @param fastify -> the fastify instance
@@ -18,11 +46,17 @@ export const exposeRoutes = async (fastify: FastifyInstance) => {
         tags: ['System']
       }
     }, async (req) => {
-      const schema = DEFAULT_CONFIG?.HTTPS_SCHEMA ?? 'http'
-      const headerHost = req.headers.host ?? 'localhost:3000'
-      const hostname = headerHost.split(':')[0]
-      const port = DEFAULT_CONFIG?.PORT ?? 3000
-      const host = process.env.NODE_ENV === "production" ? hostname : `${hostname}:${port}`
+      const forwarded = parseForwardedHeader(parseFirstHeaderValue(req.headers.forwarded))
+      const forwardedProto = parseFirstHeaderValue(req.headers['x-forwarded-proto'])
+      const forwardedHost = parseFirstHeaderValue(req.headers['x-forwarded-host'])
+      const forwardedPort = parseFirstHeaderValue(req.headers['x-forwarded-port'])
+      const schema = forwarded.proto ?? forwardedProto ?? DEFAULT_CONFIG?.HTTPS_SCHEMA ?? 'http'
+      let host = forwarded.host ?? forwardedHost ?? req.headers.host ?? `localhost:${DEFAULT_CONFIG?.PORT ?? 3000}`
+
+      if (forwardedPort && !hasExplicitPort(host)) {
+        host = `${host}:${forwardedPort}`
+      }
+
       const wsSchema = 'wss'
 
       return {

package/src/utils/roles/machines/write/B/index.ts

@@ -37,6 +37,9 @@ export const STEP_B_STATES: States = {
     })
     const check = await evaluateTopLevelPermissionsFn(context, 'write')
     if (check) {
+      if (context.params.type === 'write') {
+        return endValidation({ success: true })
+      }
       return next('evaluateTopLevelInsert')
     }
     if (check === false) {

package/src/utils/rules-matcher/utils.ts

@@ -267,6 +267,20 @@ const rulesMatcherUtils: RulesMatcherUtils = {
       )
     }
 
+    if (!Array.isArray(block) && block && typeof block === 'object') {
+      const keys = Object.keys(block)
+      const hasLogicalOperators = keys.some((key) => key === '$and' || key === '$or')
+      if (!hasLogicalOperators && keys.length > 1) {
+        return keys.every((key) =>
+          rulesMatcherUtils.checkRule(
+            { [key]: (block as Record<string, unknown>)[key] } as any,
+            data,
+            options
+          )
+        )
+      }
+    }
+
     const res = rulesMatcherUtils.rule(block, data, options)
     return res.valid
   },