@flowerforce/flowerbase 1.8.1 → 1.8.3

package/CHANGELOG.md

@@ -1,3 +1,19 @@
+## 1.8.3 (2026-04-02)
+
+
+### 🩹 Fixes
+
+- updateOne options ([5b16467](https://github.com/flowerforce/flowerbase/commit/5b16467))
+
+## 1.8.2 (2026-03-31)
+
+
+### 🩹 Fixes
+
+- apply_when ([f2bcef2](https://github.com/flowerforce/flowerbase/commit/f2bcef2))
+
+- forwarded host ([#52](https://github.com/flowerforce/flowerbase/pull/52))
+
 ## 1.8.1 (2026-03-27)
 
 

package/README.md

@@ -557,6 +557,45 @@ MONIT_ALLOW_EDIT=true
 - If `MONIT_ALLOWED_IPS` is set, only those IPs can reach `/monit` (ensure `req.ip` reflects your proxy setup / `trustProxy`).
 - You can disable **invoke** or **edit** with `MONIT_ALLOW_INVOKE=false` and/or `MONIT_ALLOW_EDIT=false`.
 
+### 🔐 Reverse Proxy and SSL Termination
+
+When Flowerbase runs behind Nginx or HAProxy with SSL termination, make sure the proxy forwards the public scheme/host/port headers.
+
+Flowerbase uses these headers for `GET /api/client/<version>/app/:appId/location`, and Realm-style clients use that response to build auth URLs (including `/login`).
+
+- Header priority for host and scheme is: `Forwarded` first, then `X-Forwarded-*`, then `Host`.
+- If `X-Forwarded-Port` is set and host has no explicit port, Flowerbase appends it.
+
+#### Nginx
+
+```nginx
+location / {
+  proxy_pass http://flowerbase_upstream;
+  proxy_set_header Host $http_host;
+  proxy_set_header X-Forwarded-Proto $scheme;
+  proxy_set_header X-Forwarded-Host $http_host;
+  proxy_set_header X-Forwarded-Port $server_port;
+}
+```
+
+#### HAProxy
+
+```haproxy
+frontend fe_https
+  bind *:443 ssl crt /etc/haproxy/certs/site.pem
+  mode http
+  default_backend be_flowerbase
+
+backend be_flowerbase
+  mode http
+  server app1 127.0.0.1:3000 check
+  http-request set-header Host %[req.hdr(host)]
+  http-request set-header X-Forwarded-Proto https if { ssl_fc }
+  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
+  http-request set-header X-Forwarded-Host %[req.hdr(host)]
+  http-request set-header X-Forwarded-Port %[dst_port]
+```
+
 
 <a id="build"></a>
 ## 🚀 Build & Deploy the Server
@@ -577,35 +616,80 @@ Once deployed, you'll receive a public URL (e.g. https://your-app-name.up.exampl
 
 >This URL should be used as the base URL in your frontend application, as explained in the next section.
 
-## 🌐 Frontend Setup – Realm SDK in React (Example)
+## 🌐 Frontend Setup – `@flowerforce/flowerbase-client` (Recommended)
 
-You can use the official `realm-web` SDK to integrate MongoDB Realm into a React application.
-This serves as a sample setup — similar logic can be applied using other official Realm SDKs **(e.g. React Native, Node, or Flutter)**.
-
-### 📦 Install Realm SDK
+For frontend and mobile projects, you can use the dedicated Flowerbase client:
 
 ```bash
-npm install realm-web
+npm install @flowerforce/flowerbase-client
 ```
 
-### ⚙️ Configure Realm in React
-
-Create a file to initialize and export the Realm App instance:
+### ⚙️ Configure client app
 
 ```ts
-// src/realm/realmApp.ts
+import { App, Credentials } from '@flowerforce/flowerbase-client'
 
-import * as Realm from "realm-web";
+const app = new App({
+  id: 'your-app-id',
+  baseUrl: 'https://your-deployed-backend-url.com',
+  timeout: 10000
+})
 
-// Replace with your actual Realm App ID and your deployed backend URL
-const app = new Realm.App({
-  id: "your-realm-app-id", // e.g., my-app-abcde
-  baseUrl: "https://your-deployed-backend-url.com" // e.g., https://your-app-name.up.example.app
-});
+await app.logIn(Credentials.emailPassword('user@example.com', 'secret'))
+```
+
+### 📦 Common client operations
+
+```ts
+const user = app.currentUser
+if (!user) throw new Error('User not logged in')
+
+const profile = await user.functions.getProfile()
 
-export default app;
+const todos = user.mongoClient('mongodb-atlas')
+  .db('my-db')
+  .collection('todos')
 
+await todos.insertOne({ title: 'Ship docs update', done: false })
+const openTodos = await todos.find({ done: false })
 ```
 
->🔗 The baseUrl should point to the backend URL you deployed earlier using Flowerbase.
-This tells the frontend SDK where to send authentication and data requests.
+`@flowerforce/flowerbase-client` supports:
+- local-userpass / anon-user / custom-function authentication
+- function calls (`user.functions.<name>(...)`)
+- MongoDB operations via `user.mongoClient('mongodb-atlas')`
+- change streams with `watch()` async iterator
+- BSON/EJSON interoperability (`ObjectId`, `Date`, etc.)
+
+## 💡 Use Cases by Feature
+
+### 🔐 Authentication
+- Registration and login flows for SaaS dashboards using `local-userpass`.
+- Guest sessions for trial users with `anon-user`, then account upgrade with full registration.
+- Delegated enterprise login with `custom-function` auth when credentials must be validated by external identity logic.
+
+### 🔒 Rules
+- Multi-tenant isolation where each user can only read/write documents of their own workspace.
+- Field-level protection to hide private fields (for example billing or internal notes) from non-admin users.
+
+### ⚙️ Functions
+- Centralized business logic (pricing, counters, workflows) called from web and mobile clients.
+- Privileged server-side tasks invoked with `run_as_system` to perform safe internal operations.
+
+### 🔔 Triggers
+- Audit logging on insert/update/delete events into an activity collection.
+- Scheduled jobs (for example nightly cleanup, reminder generation, data aggregation).
+- Auth lifecycle reactions (welcome email on user creation, cleanup on user deletion).
+
+### 🌐 HTTP Endpoints
+- Public webhook ingestion from third-party systems.
+- Protected custom APIs for backoffice actions not exposed as direct database operations.
+
+### 📡 `flowerbase-client`
+- Real-time UI updates in task boards using `collection.watch()` change streams.
+- Frontend data access with Realm-style API surface to minimize integration complexity.
+- Shared client usage across web and React Native projects with consistent auth/session behavior.
+
+### 🖥 Monitoring UI
+- Live inspection of function invocations, endpoint calls, and trigger executions in staging/production.
+- Fast troubleshooting with event stream filters and user/session search tools.

package/dist/features/functions/utils.d.ts

@@ -18,7 +18,7 @@ export declare const executeQuery: ({ currentMethod, query, update, filter, proj
     countDocuments: () => Promise<number>;
     deleteOne: () => Promise<import("mongodb").DeleteResult>;
     insertOne: () => Promise<import("mongodb").InsertOneResult<Document>>;
-    updateOne: () => Promise<unknown> | import("mongodb").FindCursor<any> | import("mongodb").ChangeStream<Document, Document> | import("mongodb").AggregationCursor<Document>;
+    updateOne: () => Promise<import("mongodb").UpdateResult<Document>>;
     findOneAndUpdate: () => Promise<Document | null>;
     aggregate: () => Promise<Document[]>;
     insertMany: () => Promise<import("mongodb").InsertManyResult<Document>>;

package/dist/features/functions/utils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../../src/features/functions/utils.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAA;AAGlC,OAAO,EAAE,kBAAkB,EAAE,SAAS,EAAE,MAAM,aAAa,CAAA;AAE3D;;;GAGG;AACH,eAAO,MAAM,aAAa,GAAU,gBAAuB,KAAG,OAAO,CAAC,SAAS,CAwB9E,CAAA;AAED;;;;;GAKG;AACH,eAAO,MAAM,YAAY,GAAU,2HAYhC,kBAAkB;;;;;;;;;;;;;EAiGpB,CAAA"}
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../../src/features/functions/utils.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAA;AAGlC,OAAO,EAAE,kBAAkB,EAAE,SAAS,EAAE,MAAM,aAAa,CAAA;AAE3D;;;GAGG;AACH,eAAO,MAAM,aAAa,GAAU,gBAAuB,KAAG,OAAO,CAAC,SAAS,CAwB9E,CAAA;AAED;;;;;GAKG;AACH,eAAO,MAAM,YAAY,GAAU,2HAYhC,kBAAkB;;;;;;;;;;;;;EAsGpB,CAAA"}

package/dist/features/functions/utils.js

@@ -100,7 +100,7 @@ const executeQuery = (_a) => __awaiter(void 0, [_a], void 0, function* ({ curren
         countDocuments: () => currentMethod(bson_1.EJSON.deserialize(resolvedQuery), parsedOptions),
         deleteOne: () => currentMethod(bson_1.EJSON.deserialize(resolvedQuery), parsedOptions),
         insertOne: () => currentMethod(bson_1.EJSON.deserialize(document)),
-        updateOne: () => currentMethod(bson_1.EJSON.deserialize(resolvedQuery), bson_1.EJSON.deserialize(resolvedUpdate)),
+        updateOne: () => currentMethod(bson_1.EJSON.deserialize(resolvedQuery), bson_1.EJSON.deserialize(resolvedUpdate), parsedOptions),
         findOneAndUpdate: () => currentMethod(bson_1.EJSON.deserialize(resolvedQuery), bson_1.EJSON.deserialize(resolvedUpdate), parsedOptions),
         aggregate: () => __awaiter(void 0, void 0, void 0, function* () {
             return (yield currentMethod(bson_1.EJSON.deserialize(pipeline), {}, // TODO -> ADD OPTIONS

package/dist/utils/initializer/exposeRoutes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"exposeRoutes.d.ts","sourceRoot":"","sources":["../../../src/utils/initializer/exposeRoutes.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAA;AAOzC;;;;GAIG;AACH,eAAO,MAAM,YAAY,GAAU,SAAS,eAAe,kBAqF1D,CAAA"}
+{"version":3,"file":"exposeRoutes.d.ts","sourceRoot":"","sources":["../../../src/utils/initializer/exposeRoutes.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAA;AAmCzC;;;;GAIG;AACH,eAAO,MAAM,YAAY,GAAU,SAAS,eAAe,kBA2F1D,CAAA"}

package/dist/utils/initializer/exposeRoutes.js

@@ -15,6 +15,36 @@ const utils_1 = require("../../auth/utils");
 const constants_1 = require("../../constants");
 const handleUserRegistration_model_1 = require("../../shared/models/handleUserRegistration.model");
 const crypto_1 = require("../crypto");
+const parseFirstHeaderValue = (header) => {
+    var _a;
+    if (!header)
+        return undefined;
+    const raw = Array.isArray(header) ? header[0] : header;
+    return ((_a = raw === null || raw === void 0 ? void 0 : raw.split(',')[0]) === null || _a === void 0 ? void 0 : _a.trim()) || undefined;
+};
+const parseForwardedHeader = (header) => {
+    var _a;
+    if (!header)
+        return {};
+    const segment = (_a = header.split(',')[0]) === null || _a === void 0 ? void 0 : _a.trim();
+    if (!segment)
+        return {};
+    const tokens = segment.split(';').map((item) => item.trim());
+    const protoToken = tokens.find((item) => item.toLowerCase().startsWith('proto='));
+    const hostToken = tokens.find((item) => item.toLowerCase().startsWith('host='));
+    const clean = (value) => value === null || value === void 0 ? void 0 : value.replace(/^"|"$/g, '');
+    return {
+        proto: clean(protoToken === null || protoToken === void 0 ? void 0 : protoToken.split('=')[1]),
+        host: clean(hostToken === null || hostToken === void 0 ? void 0 : hostToken.split('=')[1])
+    };
+};
+const hasExplicitPort = (host) => {
+    if (/^\[[^\]]+]\:\d+$/.test(host))
+        return true;
+    if (/^[^:]+\:\d+$/.test(host))
+        return true;
+    return false;
+};
 /**
  * > Used to expose all app routes
  * @param fastify -> the fastify instance
@@ -27,12 +57,16 @@ const exposeRoutes = (fastify) => __awaiter(void 0, void 0, void 0, function* ()
                 tags: ['System']
             }
         }, (req) => __awaiter(void 0, void 0, void 0, function* () {
-            var _a, _b, _c;
-            const schema = (_a = constants_1.DEFAULT_CONFIG === null || constants_1.DEFAULT_CONFIG === void 0 ? void 0 : constants_1.DEFAULT_CONFIG.HTTPS_SCHEMA) !== null && _a !== void 0 ? _a : 'http';
-            const headerHost = (_b = req.headers.host) !== null && _b !== void 0 ? _b : 'localhost:3000';
-            const hostname = headerHost.split(':')[0];
-            const port = (_c = constants_1.DEFAULT_CONFIG === null || constants_1.DEFAULT_CONFIG === void 0 ? void 0 : constants_1.DEFAULT_CONFIG.PORT) !== null && _c !== void 0 ? _c : 3000;
-            const host = process.env.NODE_ENV === "production" ? hostname : `${hostname}:${port}`;
+            var _a, _b, _c, _d, _e, _f, _g;
+            const forwarded = parseForwardedHeader(parseFirstHeaderValue(req.headers.forwarded));
+            const forwardedProto = parseFirstHeaderValue(req.headers['x-forwarded-proto']);
+            const forwardedHost = parseFirstHeaderValue(req.headers['x-forwarded-host']);
+            const forwardedPort = parseFirstHeaderValue(req.headers['x-forwarded-port']);
+            const schema = (_c = (_b = (_a = forwarded.proto) !== null && _a !== void 0 ? _a : forwardedProto) !== null && _b !== void 0 ? _b : constants_1.DEFAULT_CONFIG === null || constants_1.DEFAULT_CONFIG === void 0 ? void 0 : constants_1.DEFAULT_CONFIG.HTTPS_SCHEMA) !== null && _c !== void 0 ? _c : 'http';
+            let host = (_f = (_e = (_d = forwarded.host) !== null && _d !== void 0 ? _d : forwardedHost) !== null && _e !== void 0 ? _e : req.headers.host) !== null && _f !== void 0 ? _f : `localhost:${(_g = constants_1.DEFAULT_CONFIG === null || constants_1.DEFAULT_CONFIG === void 0 ? void 0 : constants_1.DEFAULT_CONFIG.PORT) !== null && _g !== void 0 ? _g : 3000}`;
+            if (forwardedPort && !hasExplicitPort(host)) {
+                host = `${host}:${forwardedPort}`;
+            }
             const wsSchema = 'wss';
             return {
                 deployment_model: 'LOCAL',

package/dist/utils/roles/machines/write/B/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../../src/utils/roles/machines/write/B/index.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAA;AAGxC,eAAO,MAAM,aAAa,EAAE,MAgE3B,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../../src/utils/roles/machines/write/B/index.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAA;AAGxC,eAAO,MAAM,aAAa,EAAE,MAmE3B,CAAA"}

package/dist/utils/roles/machines/write/B/index.js

@@ -44,6 +44,9 @@ exports.STEP_B_STATES = {
         });
         const check = yield (0, commonValidators_1.evaluateTopLevelPermissionsFn)(context, 'write');
         if (check) {
+            if (context.params.type === 'write') {
+                return endValidation({ success: true });
+            }
             return next('evaluateTopLevelInsert');
         }
         if (check === false) {

package/dist/utils/rules-matcher/utils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../../src/utils/rules-matcher/utils.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,SAAS,EAAE,iBAAiB,EAAe,MAAM,aAAa,CAAA;AAmEvE;;GAEG;AACH,QAAA,MAAM,iBAAiB,EAAE,iBAoNxB,CAAA;AAED;;GAEG;AACH,eAAO,MAAM,SAAS,EAAE,SAyDvB,CAAA;AAID,eAAe,iBAAiB,CAAA"}
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../../src/utils/rules-matcher/utils.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,SAAS,EAAE,iBAAiB,EAAe,MAAM,aAAa,CAAA;AAmEvE;;GAEG;AACH,QAAA,MAAM,iBAAiB,EAAE,iBAkOxB,CAAA;AAED;;GAEG;AACH,eAAO,MAAM,SAAS,EAAE,SAyDvB,CAAA;AAID,eAAe,iBAAiB,CAAA"}

package/dist/utils/rules-matcher/utils.js

@@ -212,6 +212,13 @@ const rulesMatcherUtils = {
                 return true;
             return block['$or'].some((item) => rulesMatcherUtils.checkRule(item, data, options));
         }
+        if (!Array.isArray(block) && block && typeof block === 'object') {
+            const keys = Object.keys(block);
+            const hasLogicalOperators = keys.some((key) => key === '$and' || key === '$or');
+            if (!hasLogicalOperators && keys.length > 1) {
+                return keys.every((key) => rulesMatcherUtils.checkRule({ [key]: block[key] }, data, options));
+            }
+        }
         const res = rulesMatcherUtils.rule(block, data, options);
         return res.valid;
     },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@flowerforce/flowerbase",
-  "version": "1.8.1",
+  "version": "1.8.3",
   "description": "",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/src/features/functions/__tests__/utils.test.ts

@@ -0,0 +1,33 @@
+import { executeQuery } from '../utils'
+
+describe('executeQuery', () => {
+  it('passes parsed options to updateOne', async () => {
+    const currentMethod = jest.fn().mockResolvedValue({
+      acknowledged: true,
+      matchedCount: 0,
+      modifiedCount: 0,
+      upsertedCount: 1
+    })
+
+    const operators = await executeQuery({
+      currentMethod,
+      query: { ownerUserId: 'user-1' },
+      update: {
+        $set: { locale: 'it-IT' },
+        $setOnInsert: { scope: 'workspace' }
+      },
+      options: { upsert: true }
+    } as any)
+
+    await operators.updateOne()
+
+    expect(currentMethod).toHaveBeenCalledWith(
+      { ownerUserId: 'user-1' },
+      {
+        $set: { locale: 'it-IT' },
+        $setOnInsert: { scope: 'workspace' }
+      },
+      { upsert: true }
+    )
+  })
+})

package/src/features/functions/utils.ts

@@ -122,7 +122,12 @@ export const executeQuery = async ({
       (currentMethod as ReturnType<GetOperatorsFunction>['insertOne'])(
         EJSON.deserialize(document)
       ),
-    updateOne: () => currentMethod(EJSON.deserialize(resolvedQuery), EJSON.deserialize(resolvedUpdate)),
+    updateOne: () =>
+      (currentMethod as ReturnType<GetOperatorsFunction>['updateOne'])(
+        EJSON.deserialize(resolvedQuery),
+        EJSON.deserialize(resolvedUpdate),
+        parsedOptions
+      ),
     findOneAndUpdate: () =>
       (currentMethod as ReturnType<GetOperatorsFunction>['findOneAndUpdate'])(
         EJSON.deserialize(resolvedQuery),

package/src/utils/__tests__/WRITE_STEP_B_STATES.test.ts

@@ -77,9 +77,9 @@ describe('WRITE STEP_B_STATES', () => {
     expect(endValidation).toHaveBeenCalledWith({ success: false })
   })
 
-  it('routes to insert check when write=true', async () => {
+  it('ends validation when write=true on update requests', async () => {
     ;(evaluateTopLevelPermissionsFn as jest.Mock).mockResolvedValueOnce(true)
-    const context = {} as MachineContext
+    const context = { params: { type: 'write' } } as MachineContext
     await evaluateTopLevelWrite({
       context,
       endValidation,
@@ -87,13 +87,12 @@ describe('WRITE STEP_B_STATES', () => {
       next,
       initialStep: null
     })
-    expect(next).toHaveBeenCalledWith('evaluateTopLevelInsert')
+    expect(endValidation).toHaveBeenCalledWith({ success: true })
   })
 
-  it('routes to insert check when write=true and field-level rules exist', async () => {
+  it('routes to insert check when write=true on insert requests', async () => {
     ;(evaluateTopLevelPermissionsFn as jest.Mock).mockResolvedValueOnce(true)
-    ;(checkFieldsPropertyExists as jest.Mock).mockReturnValue(true)
-    const context = {} as MachineContext
+    const context = { params: { type: 'insert' } } as MachineContext
     await evaluateTopLevelWrite({
       context,
       endValidation,

package/src/utils/__tests__/exposeRoutes.test.ts

@@ -38,7 +38,10 @@ describe('exposeRoutes', () => {
     const appId = 'it'
     const response = await config.app!.inject({
       method: 'GET',
-      url: `${API_VERSION}/app/${appId}/location`
+      url: `${API_VERSION}/app/${appId}/location`,
+      headers: {
+        host: 'localhost:3000'
+      }
     })
 
     expect(response.statusCode).toBe(200)
@@ -50,6 +53,28 @@ describe('exposeRoutes', () => {
     })
   })
 
+  it('GET location should prioritize forwarded host and port', async () => {
+    const appId = 'it'
+    const response = await config.app!.inject({
+      method: 'GET',
+      url: `${API_VERSION}/app/${appId}/location`,
+      headers: {
+        host: 'internal-flowerbase:3000',
+        'x-forwarded-proto': 'https',
+        'x-forwarded-host': 'api.example.com',
+        'x-forwarded-port': '8443'
+      }
+    })
+
+    expect(response.statusCode).toBe(200)
+    expect(JSON.parse(response.body)).toEqual({
+      deployment_model: 'LOCAL',
+      location: 'IE',
+      hostname: 'https://api.example.com:8443',
+      ws_hostname: 'wss://api.example.com:8443'
+    })
+  })
+
   it('exposeRoutes should handle errors in the catch block', async () => {
     const mockedApp = Fastify()
     // Forced fail on get method

package/src/utils/__tests__/rulesMatcherUtils.test.ts

@@ -9,7 +9,8 @@ const {
   getPath,
   forceNumber,
   getDefaultStringValue,
-  getTypeOf
+  getTypeOf,
+  checkRule
 } = rulesMatcherUtils
 
 describe('rulesMatcherUtils', () => {
@@ -64,4 +65,33 @@ describe('rulesMatcherUtils', () => {
     expect(getPath('^data.name')).toBe('data.name')
     expect(getPath('$data.name')).toBe('$data.name')
   })
+
+  it('evaluates plain objects with multiple keys as AND conditions', () => {
+    const data = {
+      '%%root': { accountId: 'acc-1' },
+      '%%user': { custom_data: { accountId: 'acc-1', role: 'admin' } }
+    }
+
+    expect(
+      checkRule(
+        {
+          '%%root.accountId': '$ref:%%user.custom_data.accountId',
+          '%%user.custom_data.role': 'admin'
+        } as any,
+        data,
+        {}
+      )
+    ).toBe(true)
+
+    expect(
+      checkRule(
+        {
+          '%%root.accountId': '$ref:%%user.custom_data.accountId',
+          '%%user.custom_data.role': 'staff'
+        } as any,
+        data,
+        {}
+      )
+    ).toBe(false)
+  })
 })

package/src/utils/initializer/exposeRoutes.ts

@@ -6,6 +6,34 @@ import { API_VERSION, AUTH_CONFIG, AUTH_DB_NAME, DEFAULT_CONFIG } from '../../co
 import { PROVIDER } from '../../shared/models/handleUserRegistration.model'
 import { hashPassword } from '../crypto'
 
+const parseFirstHeaderValue = (header: string | string[] | undefined): string | undefined => {
+  if (!header) return undefined
+  const raw = Array.isArray(header) ? header[0] : header
+  return raw?.split(',')[0]?.trim() || undefined
+}
+
+const parseForwardedHeader = (header: string | undefined): { proto?: string; host?: string } => {
+  if (!header) return {}
+  const segment = header.split(',')[0]?.trim()
+  if (!segment) return {}
+
+  const tokens = segment.split(';').map((item) => item.trim())
+  const protoToken = tokens.find((item) => item.toLowerCase().startsWith('proto='))
+  const hostToken = tokens.find((item) => item.toLowerCase().startsWith('host='))
+  const clean = (value?: string) => value?.replace(/^"|"$/g, '')
+
+  return {
+    proto: clean(protoToken?.split('=')[1]),
+    host: clean(hostToken?.split('=')[1])
+  }
+}
+
+const hasExplicitPort = (host: string): boolean => {
+  if (/^\[[^\]]+]\:\d+$/.test(host)) return true
+  if (/^[^:]+\:\d+$/.test(host)) return true
+  return false
+}
+
 /**
  * > Used to expose all app routes
  * @param fastify -> the fastify instance
@@ -18,11 +46,17 @@ export const exposeRoutes = async (fastify: FastifyInstance) => {
         tags: ['System']
       }
     }, async (req) => {
-      const schema = DEFAULT_CONFIG?.HTTPS_SCHEMA ?? 'http'
-      const headerHost = req.headers.host ?? 'localhost:3000'
-      const hostname = headerHost.split(':')[0]
-      const port = DEFAULT_CONFIG?.PORT ?? 3000
-      const host = process.env.NODE_ENV === "production" ? hostname : `${hostname}:${port}`
+      const forwarded = parseForwardedHeader(parseFirstHeaderValue(req.headers.forwarded))
+      const forwardedProto = parseFirstHeaderValue(req.headers['x-forwarded-proto'])
+      const forwardedHost = parseFirstHeaderValue(req.headers['x-forwarded-host'])
+      const forwardedPort = parseFirstHeaderValue(req.headers['x-forwarded-port'])
+      const schema = forwarded.proto ?? forwardedProto ?? DEFAULT_CONFIG?.HTTPS_SCHEMA ?? 'http'
+      let host = forwarded.host ?? forwardedHost ?? req.headers.host ?? `localhost:${DEFAULT_CONFIG?.PORT ?? 3000}`
+
+      if (forwardedPort && !hasExplicitPort(host)) {
+        host = `${host}:${forwardedPort}`
+      }
+
       const wsSchema = 'wss'
 
       return {

package/src/utils/roles/machines/write/B/index.ts

@@ -37,6 +37,9 @@ export const STEP_B_STATES: States = {
     })
     const check = await evaluateTopLevelPermissionsFn(context, 'write')
     if (check) {
+      if (context.params.type === 'write') {
+        return endValidation({ success: true })
+      }
       return next('evaluateTopLevelInsert')
     }
     if (check === false) {

package/src/utils/rules-matcher/utils.ts

@@ -267,6 +267,20 @@ const rulesMatcherUtils: RulesMatcherUtils = {
       )
     }
 
+    if (!Array.isArray(block) && block && typeof block === 'object') {
+      const keys = Object.keys(block)
+      const hasLogicalOperators = keys.some((key) => key === '$and' || key === '$or')
+      if (!hasLogicalOperators && keys.length > 1) {
+        return keys.every((key) =>
+          rulesMatcherUtils.checkRule(
+            { [key]: (block as Record<string, unknown>)[key] } as any,
+            data,
+            options
+          )
+        )
+      }
+    }
+
     const res = rulesMatcherUtils.rule(block, data, options)
     return res.valid
   },