@goatlab/node-backend 0.2.5 → 0.4.0

package/dist/server/middleware/productionError.middleware.js

@@ -0,0 +1,94 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.sanitizeErrorForProduction = sanitizeErrorForProduction;
+exports.productionErrorHandler = productionErrorHandler;
+exports.asyncErrorHandler = asyncErrorHandler;
+const js_utils_1 = require("@goatlab/js-utils");
+/**
+ * Sanitize error messages for production environment
+ * Prevents leaking sensitive information in error responses
+ */
+function sanitizeErrorForProduction(error) {
+    const isProduction = process.env.NODE_ENV === 'prod';
+    if (!isProduction) {
+        return error; // In development, return full error details
+    }
+    // Clone the error to avoid mutating the original
+    const sanitizedError = { ...error };
+    // For 5xx errors, hide internal details
+    if (error.data?.httpStatusCode && error.data.httpStatusCode >= 500) {
+        sanitizedError.message = 'Internal Server Error';
+        sanitizedError.stack = undefined;
+        // Keep only safe data
+        sanitizedError.data = {
+            httpStatusCode: error.data.httpStatusCode,
+            errorId: error.data.errorId,
+            timestamp: new Date().toISOString()
+        };
+    }
+    else if (error.data?.httpStatusCode && error.data.httpStatusCode >= 400) {
+        // For 4xx errors, keep the message but remove stack traces
+        sanitizedError.stack = undefined;
+        // Remove any potentially sensitive data
+        if (sanitizedError.data) {
+            const { httpStatusCode, errorId, message, code } = sanitizedError.data;
+            sanitizedError.data = {
+                httpStatusCode,
+                errorId,
+                message: message || sanitizedError.message,
+                code,
+                timestamp: new Date().toISOString()
+            };
+        }
+    }
+    return sanitizedError;
+}
+/**
+ * Production-ready error handler middleware
+ * Ensures no sensitive information is leaked in error responses
+ */
+function productionErrorHandler() {
+    return (err, req, res, next) => {
+        // If headers are already sent, delegate to default Express error handler
+        if (res.headersSent) {
+            return next(err);
+        }
+        // Convert to error object
+        const error = js_utils_1.Errors.anyToError(err);
+        const httpError = error;
+        // Sanitize the error for production
+        const sanitizedError = sanitizeErrorForProduction(httpError);
+        // Set default status code if not provided
+        const statusCode = sanitizedError.data?.httpStatusCode || 500;
+        // Log the original error (for debugging)
+        if (statusCode >= 500) {
+            console.error('Server error:', {
+                error: err,
+                request: {
+                    method: req.method,
+                    url: req.originalUrl,
+                    ip: req.ip,
+                    userAgent: req.get('user-agent')
+                }
+            });
+        }
+        // Send sanitized response
+        res.status(statusCode).json({
+            error: {
+                message: sanitizedError.message,
+                code: sanitizedError.data?.code,
+                errorId: sanitizedError.data?.errorId,
+                timestamp: sanitizedError.data?.timestamp || new Date().toISOString()
+            }
+        });
+    };
+}
+/**
+ * Async error wrapper to catch errors in async route handlers
+ */
+function asyncErrorHandler(fn) {
+    return (req, res, next) => {
+        Promise.resolve(fn(req, res, next)).catch(next);
+    };
+}
+//# sourceMappingURL=productionError.middleware.js.map

package/dist/server/middleware/productionError.middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"productionError.middleware.js","sourceRoot":"","sources":["../../../src/server/middleware/productionError.middleware.ts"],"names":[],"mappings":";;AASA,gEAyCC;AAMD,wDAwCC;AAKD,8CAIC;AAvGD,gDAA0C;AAG1C;;;GAGG;AACH,SAAgB,0BAA0B,CACxC,KAA+B;IAE/B,MAAM,YAAY,GAAI,OAAO,CAAC,GAAG,CAAC,QAAwB,KAAK,MAAM,CAAA;IAErE,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,OAAO,KAAK,CAAA,CAAC,4CAA4C;IAC3D,CAAC;IAED,iDAAiD;IACjD,MAAM,cAAc,GAAG,EAAE,GAAG,KAAK,EAAE,CAAA;IAEnC,wCAAwC;IACxC,IAAI,KAAK,CAAC,IAAI,EAAE,cAAc,IAAI,KAAK,CAAC,IAAI,CAAC,cAAc,IAAI,GAAG,EAAE,CAAC;QACnE,cAAc,CAAC,OAAO,GAAG,uBAAuB,CAAA;QAChD,cAAc,CAAC,KAAK,GAAG,SAAS,CAAA;QAEhC,sBAAsB;QACtB,cAAc,CAAC,IAAI,GAAG;YACpB,cAAc,EAAE,KAAK,CAAC,IAAI,CAAC,cAAc;YACzC,OAAO,EAAE,KAAK,CAAC,IAAI,CAAC,OAAO;YAC3B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,CAAA;IACH,CAAC;SAAM,IAAI,KAAK,CAAC,IAAI,EAAE,cAAc,IAAI,KAAK,CAAC,IAAI,CAAC,cAAc,IAAI,GAAG,EAAE,CAAC;QAC1E,2DAA2D;QAC3D,cAAc,CAAC,KAAK,GAAG,SAAS,CAAA;QAEhC,wCAAwC;QACxC,IAAI,cAAc,CAAC,IAAI,EAAE,CAAC;YACxB,MAAM,EAAE,cAAc,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,cAAc,CAAC,IAAI,CAAA;YACtE,cAAc,CAAC,IAAI,GAAG;gBACpB,cAAc;gBACd,OAAO;gBACP,OAAO,EAAE,OAAO,IAAI,cAAc,CAAC,OAAO;gBAC1C,IAAI;gBACJ,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;aACpC,CAAA;QACH,CAAC;IACH,CAAC;IAED,OAAO,cAAc,CAAA;AACvB,CAAC;AAED;;;GAGG;AACH,SAAgB,sBAAsB;IACpC,OAAO,CAAC,GAAQ,EAAE,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;QACnE,yEAAyE;QACzE,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC;YACpB,OAAO,IAAI,CAAC,GAAG,CAAC,CAAA;QAClB,CAAC;QAED,0BAA0B;QAC1B,MAAM,KAAK,GAAG,iBAAM,CAAC,UAAU,CAAC,GAAG,CAAC,CAAA;QACpC,MAAM,SAAS,GAAG,KAAiC,CAAA;QAEnD,oCAAoC;QACpC,MAAM,cAAc,GAAG,0BAA0B,CAAC,SAAS,CAAC,CAAA;QAE5D,0CAA0C;QAC1C,MAAM,UAAU,GAAG,cAAc,CAAC,IAAI,EAAE,cAAc,IAAI,GAAG,CAAA;QAE7D,yCAAyC;QACzC,IAAI,UAAU,IAAI,GAAG,EAAE,CAAC;YACtB,OAAO,CAAC,KAAK,CAAC,eAAe,EAAE;gBAC7B,KAAK,EAAE,GAAG;gBACV,OAAO,EAAE;oBACP,MAAM,EAAE,GAAG,CAAC,MAAM;oBAClB,GAAG,EAAE,GAAG,CAAC,WAAW;oBACpB,EAAE,EAAE,GAAG,CAAC,EAAE;oBACV,SAAS,EAAE,GAAG,CAAC,GAAG,CAAC,YAAY,CAAC;iBACjC;aACF,CAAC,CAAA;QACJ,CAAC;QAED,0BAA0B;QAC1B,GAAG,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC;YAC1B,KAAK,EAAE;gBACL,OAAO,EAAE,cAAc,CAAC,OAAO;gBAC/B,IAAI,EAAE,cAAc,CAAC,IAAI,EAAE,IAAI;gBAC/B,OAAO,EAAE,cAAc,CAAC,IAAI,EAAE,OAAO;gBACrC,SAAS,EAAE,cAAc,CAAC,IAAI,EAAE,SAAS,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;aACtE;SACF,CAAC,CAAA;IACJ,CAAC,CAAA;AACH,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB,CAAC,EAAY;IAC5C,OAAO,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;QACzD,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjD,CAAC,CAAA;AACH,CAAC"}

package/dist/server/middleware/security.middleware.d.ts

@@ -0,0 +1,28 @@
+import type { CorsOptions } from 'cors';
+import type { HelmetOptions } from 'helmet';
+import type { RateLimitRequestHandler } from 'express-rate-limit';
+import rateLimit from 'express-rate-limit';
+/**
+ * Get CORS configuration based on environment
+ */
+export declare function getCorsOptions(): CorsOptions;
+/**
+ * Get Helmet configuration for enhanced security headers
+ */
+export declare function getHelmetOptions(): HelmetOptions;
+/**
+ * Create rate limiter with default configuration
+ */
+export declare function createRateLimiter(options?: Partial<Parameters<typeof rateLimit>[0]>): RateLimitRequestHandler;
+/**
+ * Create stricter rate limiter for authentication endpoints
+ */
+export declare function createAuthRateLimiter(): RateLimitRequestHandler;
+/**
+ * Create rate limiter for API endpoints
+ */
+export declare function createApiRateLimiter(): RateLimitRequestHandler;
+/**
+ * Additional security headers not covered by Helmet
+ */
+export declare function additionalSecurityHeaders(): (req: any, res: any, next: any) => void;

package/dist/server/middleware/security.middleware.js

@@ -0,0 +1,151 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getCorsOptions = getCorsOptions;
+exports.getHelmetOptions = getHelmetOptions;
+exports.createRateLimiter = createRateLimiter;
+exports.createAuthRateLimiter = createAuthRateLimiter;
+exports.createApiRateLimiter = createApiRateLimiter;
+exports.additionalSecurityHeaders = additionalSecurityHeaders;
+const express_rate_limit_1 = require("express-rate-limit");
+/**
+ * Get CORS configuration based on environment
+ */
+function getCorsOptions() {
+    const allowedOrigins = process.env.ALLOWED_ORIGINS?.split(',').map(origin => origin.trim()) || [];
+    // In development, allow localhost origins
+    if (process.env.NODE_ENV !== 'prod' && allowedOrigins.length === 0) {
+        allowedOrigins.push('http://localhost:3000', 'http://localhost:3001', 'http://localhost:5173');
+    }
+    return {
+        origin: (origin, callback) => {
+            // Allow requests with no origin (like mobile apps or Postman)
+            if (!origin && process.env.NODE_ENV !== 'prod') {
+                return callback(null, true);
+            }
+            if (!origin || allowedOrigins.includes(origin)) {
+                callback(null, true);
+            }
+            else {
+                callback(new Error('Not allowed by CORS'));
+            }
+        },
+        credentials: true,
+        methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'],
+        allowedHeaders: ['Content-Type', 'Authorization', 'X-Request-ID'],
+        exposedHeaders: [
+            'X-Request-ID',
+            'X-RateLimit-Limit',
+            'X-RateLimit-Remaining',
+            'X-RateLimit-Reset'
+        ],
+        maxAge: 86400, // 24 hours
+        optionsSuccessStatus: 200 // Some legacy browsers choke on 204
+    };
+}
+/**
+ * Get Helmet configuration for enhanced security headers
+ */
+function getHelmetOptions() {
+    const isDevelopment = process.env.NODE_ENV !== 'prod';
+    return {
+        contentSecurityPolicy: isDevelopment
+            ? false
+            : {
+                directives: {
+                    defaultSrc: ["'self'"],
+                    scriptSrc: ["'self'", "'unsafe-inline'"], // Consider removing unsafe-inline in production
+                    styleSrc: ["'self'", "'unsafe-inline'"],
+                    imgSrc: ["'self'", 'data:', 'https:'],
+                    connectSrc: ["'self'"],
+                    fontSrc: ["'self'"],
+                    objectSrc: ["'none'"],
+                    mediaSrc: ["'self'"],
+                    frameSrc: ["'none'"],
+                    baseUri: ["'self'"],
+                    formAction: ["'self'"],
+                    frameAncestors: ["'none'"],
+                    upgradeInsecureRequests: []
+                }
+            },
+        hsts: {
+            maxAge: 31536000, // 1 year
+            includeSubDomains: true,
+            preload: true
+        },
+        noSniff: true,
+        xssFilter: true,
+        referrerPolicy: { policy: 'strict-origin-when-cross-origin' },
+        permittedCrossDomainPolicies: false,
+        hidePoweredBy: true,
+        ieNoOpen: true,
+        frameguard: { action: 'deny' }
+    };
+}
+/**
+ * Create rate limiter with default configuration
+ */
+function createRateLimiter(options) {
+    return (0, express_rate_limit_1.default)({
+        windowMs: 15 * 60 * 1000, // 15 minutes
+        max: 100, // Limit each IP to 100 requests per windowMs
+        message: 'Too many requests from this IP, please try again later.',
+        standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
+        legacyHeaders: false, // Disable the `X-RateLimit-*` headers
+        skipSuccessfulRequests: false,
+        // Skip rate limiting validation errors in test environment
+        validate: process.env.NODE_ENV === 'test' ? false : undefined,
+        handler: (_req, res) => {
+            res.status(429).json({
+                error: {
+                    code: 'RATE_LIMIT_EXCEEDED',
+                    message: 'Too many requests, please try again later.',
+                    retryAfter: res.getHeader('Retry-After')
+                }
+            });
+        },
+        ...options
+    });
+}
+/**
+ * Create stricter rate limiter for authentication endpoints
+ */
+function createAuthRateLimiter() {
+    return createRateLimiter({
+        windowMs: 15 * 60 * 1000, // 15 minutes
+        max: 5, // Limit each IP to 5 requests per windowMs
+        skipSuccessfulRequests: true, // Don't count successful requests
+        message: 'Too many authentication attempts, please try again later.'
+    });
+}
+/**
+ * Create rate limiter for API endpoints
+ */
+function createApiRateLimiter() {
+    const maxRequests = process.env.API_RATE_LIMIT
+        ? parseInt(process.env.API_RATE_LIMIT, 10)
+        : 100;
+    return createRateLimiter({
+        windowMs: 15 * 60 * 1000, // 15 minutes
+        max: maxRequests,
+        message: 'API rate limit exceeded, please try again later.'
+    });
+}
+/**
+ * Additional security headers not covered by Helmet
+ */
+function additionalSecurityHeaders() {
+    return (req, res, next) => {
+        // Permissions Policy (formerly Feature Policy)
+        res.setHeader('Permissions-Policy', 'geolocation=(), microphone=(), camera=(), payment=(), usb=(), magnetometer=(), accelerometer=()');
+        // Additional security headers
+        res.setHeader('X-Content-Type-Options', 'nosniff');
+        res.setHeader('X-Frame-Options', 'DENY');
+        res.setHeader('X-XSS-Protection', '1; mode=block');
+        // Clear site data on logout (if logout endpoint)
+        if (req.path === '/logout' || req.path === '/api/logout') {
+            res.setHeader('Clear-Site-Data', '"cache", "cookies", "storage"');
+        }
+        next();
+    };
+}
+//# sourceMappingURL=security.middleware.js.map

package/dist/server/middleware/security.middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.middleware.js","sourceRoot":"","sources":["../../../src/server/middleware/security.middleware.ts"],"names":[],"mappings":";;AAQA,wCAsCC;AAKD,4CAoCC;AAKD,8CAuBC;AAKD,sDAOC;AAKD,oDAUC;AAKD,8DAoBC;AApKD,2DAA0C;AAE1C;;GAEG;AACH,SAAgB,cAAc;IAC5B,MAAM,cAAc,GAClB,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAAA;IAE5E,0CAA0C;IAC1C,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,MAAM,IAAI,cAAc,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACnE,cAAc,CAAC,IAAI,CACjB,uBAAuB,EACvB,uBAAuB,EACvB,uBAAuB,CACxB,CAAA;IACH,CAAC;IAED,OAAO;QACL,MAAM,EAAE,CAAC,MAAM,EAAE,QAAQ,EAAE,EAAE;YAC3B,8DAA8D;YAC9D,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;gBAC/C,OAAO,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC,CAAA;YAC7B,CAAC;YAED,IAAI,CAAC,MAAM,IAAI,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC/C,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC,CAAA;YACtB,CAAC;iBAAM,CAAC;gBACN,QAAQ,CAAC,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC,CAAA;YAC5C,CAAC;QACH,CAAC;QACD,WAAW,EAAE,IAAI;QACjB,OAAO,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,CAAC;QAC7D,cAAc,EAAE,CAAC,cAAc,EAAE,eAAe,EAAE,cAAc,CAAC;QACjE,cAAc,EAAE;YACd,cAAc;YACd,mBAAmB;YACnB,uBAAuB;YACvB,mBAAmB;SACpB;QACD,MAAM,EAAE,KAAK,EAAE,WAAW;QAC1B,oBAAoB,EAAE,GAAG,CAAC,oCAAoC;KAC/D,CAAA;AACH,CAAC;AAED;;GAEG;AACH,SAAgB,gBAAgB;IAC9B,MAAM,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,MAAM,CAAA;IAErD,OAAO;QACL,qBAAqB,EAAE,aAAa;YAClC,CAAC,CAAC,KAAK;YACP,CAAC,CAAC;gBACE,UAAU,EAAE;oBACV,UAAU,EAAE,CAAC,QAAQ,CAAC;oBACtB,SAAS,EAAE,CAAC,QAAQ,EAAE,iBAAiB,CAAC,EAAE,gDAAgD;oBAC1F,QAAQ,EAAE,CAAC,QAAQ,EAAE,iBAAiB,CAAC;oBACvC,MAAM,EAAE,CAAC,QAAQ,EAAE,OAAO,EAAE,QAAQ,CAAC;oBACrC,UAAU,EAAE,CAAC,QAAQ,CAAC;oBACtB,OAAO,EAAE,CAAC,QAAQ,CAAC;oBACnB,SAAS,EAAE,CAAC,QAAQ,CAAC;oBACrB,QAAQ,EAAE,CAAC,QAAQ,CAAC;oBACpB,QAAQ,EAAE,CAAC,QAAQ,CAAC;oBACpB,OAAO,EAAE,CAAC,QAAQ,CAAC;oBACnB,UAAU,EAAE,CAAC,QAAQ,CAAC;oBACtB,cAAc,EAAE,CAAC,QAAQ,CAAC;oBAC1B,uBAAuB,EAAE,EAAE;iBAC5B;aACF;QACL,IAAI,EAAE;YACJ,MAAM,EAAE,QAAQ,EAAE,SAAS;YAC3B,iBAAiB,EAAE,IAAI;YACvB,OAAO,EAAE,IAAI;SACd;QACD,OAAO,EAAE,IAAI;QACb,SAAS,EAAE,IAAI;QACf,cAAc,EAAE,EAAE,MAAM,EAAE,iCAAiC,EAAE;QAC7D,4BAA4B,EAAE,KAAK;QACnC,aAAa,EAAE,IAAI;QACnB,QAAQ,EAAE,IAAI;QACd,UAAU,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE;KAC/B,CAAA;AACH,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB,CAC/B,OAAkD;IAElD,OAAO,IAAA,4BAAS,EAAC;QACf,QAAQ,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,aAAa;QACvC,GAAG,EAAE,GAAG,EAAE,6CAA6C;QACvD,OAAO,EAAE,yDAAyD;QAClE,eAAe,EAAE,IAAI,EAAE,sDAAsD;QAC7E,aAAa,EAAE,KAAK,EAAE,sCAAsC;QAC5D,sBAAsB,EAAE,KAAK;QAC7B,2DAA2D;QAC3D,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;QAC7D,OAAO,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;YACrB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE;oBACL,IAAI,EAAE,qBAAqB;oBAC3B,OAAO,EAAE,4CAA4C;oBACrD,UAAU,EAAE,GAAG,CAAC,SAAS,CAAC,aAAa,CAAC;iBACzC;aACF,CAAC,CAAA;QACJ,CAAC;QACD,GAAG,OAAO;KACX,CAAC,CAAA;AACJ,CAAC;AAED;;GAEG;AACH,SAAgB,qBAAqB;IACnC,OAAO,iBAAiB,CAAC;QACvB,QAAQ,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,aAAa;QACvC,GAAG,EAAE,CAAC,EAAE,2CAA2C;QACnD,sBAAsB,EAAE,IAAI,EAAE,kCAAkC;QAChE,OAAO,EAAE,2DAA2D;KACrE,CAAC,CAAA;AACJ,CAAC;AAED;;GAEG;AACH,SAAgB,oBAAoB;IAClC,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc;QAC5C,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,EAAE,EAAE,CAAC;QAC1C,CAAC,CAAC,GAAG,CAAA;IAEP,OAAO,iBAAiB,CAAC;QACvB,QAAQ,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,aAAa;QACvC,GAAG,EAAE,WAAW;QAChB,OAAO,EAAE,kDAAkD;KAC5D,CAAC,CAAA;AACJ,CAAC;AAED;;GAEG;AACH,SAAgB,yBAAyB;IACvC,OAAO,CAAC,GAAQ,EAAE,GAAQ,EAAE,IAAS,EAAE,EAAE;QACvC,+CAA+C;QAC/C,GAAG,CAAC,SAAS,CACX,oBAAoB,EACpB,iGAAiG,CAClG,CAAA;QAED,8BAA8B;QAC9B,GAAG,CAAC,SAAS,CAAC,wBAAwB,EAAE,SAAS,CAAC,CAAA;QAClD,GAAG,CAAC,SAAS,CAAC,iBAAiB,EAAE,MAAM,CAAC,CAAA;QACxC,GAAG,CAAC,SAAS,CAAC,kBAAkB,EAAE,eAAe,CAAC,CAAA;QAElD,iDAAiD;QACjD,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS,IAAI,GAAG,CAAC,IAAI,KAAK,aAAa,EAAE,CAAC;YACzD,GAAG,CAAC,SAAS,CAAC,iBAAiB,EAAE,+BAA+B,CAAC,CAAA;QACnE,CAAC;QAED,IAAI,EAAE,CAAA;IACR,CAAC,CAAA;AACH,CAAC"}

package/dist/server/services/secrets/examples/container-preload.example.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/server/services/secrets/examples/container-preload.example.js

@@ -0,0 +1,148 @@
+"use strict";
+// Example: Using SecretService with preloading in Container
+Object.defineProperty(exports, "__esModule", { value: true });
+const Container_1 = require("../../../../container/Container");
+const secret_service_1 = require("../secret.service");
+// Define your service factories (mock for example)
+const factories = {
+    secrets: (secret_service_1.SecretService),
+    database: class MockDatabaseService {
+        tenantId;
+        config;
+        constructor(tenantId, config) {
+            this.tenantId = tenantId;
+            this.config = config;
+        }
+        async connect() { console.log('Connected to DB'); }
+        async query(sql) { return []; }
+    },
+    api: class MockApiService {
+        tenantId;
+        config;
+        constructor(tenantId, config) {
+            this.tenantId = tenantId;
+            this.config = config;
+        }
+        async getUser(userId, apiKey) { return { id: userId }; }
+        async processData(apiKey) { return { processed: true }; }
+    }
+};
+// Create container with preloading pattern
+const container = new Container_1.Container(factories, async (preload, meta) => {
+    // Create secret service instance
+    const secretService = preload.secrets(meta.tenantId, {
+        provider: 'FILE', // or 'VAULT', 'ENV'
+        location: meta.secretsLocation,
+        encryptionKey: meta.encryptionKey,
+        vaultConfig: meta.vaultConfig
+    });
+    // Preload secrets before using them
+    await secretService.preload();
+    // Now we can use synchronous methods to get secrets
+    const dbConnectionString = secretService.getSecretSync('DB_CONNECTION_STRING');
+    const jwtSecret = secretService.getSecretSync('JWT_SECRET');
+    // Create other services using the preloaded secrets
+    const database = preload.database(meta.tenantId, meta.tenantId, {
+        connectionString: dbConnectionString
+    });
+    const api = preload.api(meta.tenantId, meta.tenantId, {
+        database,
+        jwtSecret
+    });
+    return {
+        secrets: secretService,
+        database,
+        api
+    };
+});
+// Usage example
+async function processRequest(tenantMeta, userId) {
+    await container.bootstrap(tenantMeta, async () => {
+        const { api, secrets } = container.context;
+        // Secrets are already preloaded, so we can use sync methods
+        const apiKey = secrets.getSecretSync('API_KEY');
+        // Use services
+        const user = await api.getUser(userId, apiKey);
+        return user;
+    });
+}
+// Example with multiple providers
+async function multiProviderExample() {
+    // FILE provider for development
+    const devTenant = {
+        tenantId: 'dev-tenant',
+        secretsLocation: '/secrets/dev.json',
+        encryptionKey: 'dev-encryption-key-32chars'
+    };
+    // VAULT provider for production
+    const prodTenant = {
+        tenantId: 'prod-tenant',
+        secretsLocation: 'production/secrets',
+        encryptionKey: 'prod-encryption-key-32chars',
+        vaultConfig: {
+            endpoint: 'https://vault.company.com',
+            token: process.env.VAULT_TOKEN
+        }
+    };
+    // ENV provider for CI/CD
+    const ciTenant = {
+        tenantId: 'ci-tenant',
+        secretsLocation: 'CI', // Will look for CI_API_KEY, CI_DB_CONNECTION_STRING, etc.
+        encryptionKey: 'ci-encryption-key-32chars'
+    };
+}
+// Example with automatic invalidation (FILE provider)
+async function fileWatchingExample() {
+    const container = new Container_1.Container(factories, async (preload, meta) => {
+        const secretService = preload.secrets(meta.tenantId, {
+            provider: 'FILE',
+            location: meta.secretsLocation,
+            encryptionKey: meta.encryptionKey,
+            cacheTTL: 60000 // 1 minute cache
+        });
+        // Enable automatic reload on file changes
+        await secretService.preload();
+        // Secrets will automatically reload if the file changes
+        return { secrets: secretService };
+    });
+    // The secret service will watch for file changes and reload automatically
+}
+// Example with batch operations
+async function batchTenantProcessing() {
+    const tenants = [
+        { tenantId: 'tenant1', secretsLocation: '/secrets/tenant1.json', encryptionKey: 'key1' },
+        { tenantId: 'tenant2', secretsLocation: '/secrets/tenant2.json', encryptionKey: 'key2' },
+        { tenantId: 'tenant3', secretsLocation: '/secrets/tenant3.json', encryptionKey: 'key3' }
+    ];
+    const results = await container.bootstrapBatch(tenants.map(meta => ({
+        metadata: meta,
+        fn: async () => {
+            const { secrets, api } = container.context;
+            // Each tenant has its own preloaded secrets
+            const apiKey = secrets.getSecretSync('API_KEY');
+            // Process tenant data
+            return api.processData(apiKey);
+        }
+    })), {
+        concurrency: 5,
+        continueOnError: true,
+        onProgress: (completed, total) => {
+            console.log(`Processed ${completed}/${total} tenants`);
+        }
+    });
+    // Check results
+    for (const result of results) {
+        if (result.status === 'success') {
+            console.log(`Tenant ${result.metadata.tenantId} processed successfully`);
+        }
+        else {
+            console.error(`Tenant ${result.metadata.tenantId} failed:`, result.error);
+        }
+    }
+}
+// Cleanup when done
+async function cleanup() {
+    // Dispose all services (including secret watchers)
+    await container.disposeAll();
+}
+//# sourceMappingURL=container-preload.example.js.map

package/dist/server/services/secrets/examples/container-preload.example.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"container-preload.example.js","sourceRoot":"","sources":["../../../../../src/server/services/secrets/examples/container-preload.example.ts"],"names":[],"mappings":";AAAA,4DAA4D;;AAE5D,+DAA2D;AAC3D,sDAAiD;AAgCjD,mDAAmD;AACnD,MAAM,SAAS,GAAG;IAChB,OAAO,EAAE,CAAA,8BAAyB,CAAA;IAClC,QAAQ,EAAE,MAAM,mBAAmB;QACb;QAA0B;QAA9C,YAAoB,QAAgB,EAAU,MAAW;YAArC,aAAQ,GAAR,QAAQ,CAAQ;YAAU,WAAM,GAAN,MAAM,CAAK;QAAG,CAAC;QAC7D,KAAK,CAAC,OAAO,KAAK,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAA,CAAC,CAAC;QAClD,KAAK,CAAC,KAAK,CAAC,GAAW,IAAI,OAAO,EAAE,CAAA,CAAC,CAAC;KACvC;IACD,GAAG,EAAE,MAAM,cAAc;QACH;QAA0B;QAA9C,YAAoB,QAAgB,EAAU,MAAW;YAArC,aAAQ,GAAR,QAAQ,CAAQ;YAAU,WAAM,GAAN,MAAM,CAAK;QAAG,CAAC;QAC7D,KAAK,CAAC,OAAO,CAAC,MAAc,EAAE,MAAc,IAAI,OAAO,EAAE,EAAE,EAAE,MAAM,EAAE,CAAA,CAAC,CAAC;QACvE,KAAK,CAAC,WAAW,CAAC,MAAc,IAAI,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,CAAA,CAAC,CAAC;KACjE;CACF,CAAA;AAED,2CAA2C;AAC3C,MAAM,SAAS,GAAG,IAAI,qBAAS,CAAC,SAAS,EAAE,KAAK,EAAE,OAAO,EAAE,IAAgB,EAAE,EAAE;IAC7E,iCAAiC;IACjC,MAAM,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,EAAE;QACnD,QAAQ,EAAE,MAAM,EAAE,oBAAoB;QACtC,QAAQ,EAAE,IAAI,CAAC,eAAe;QAC9B,aAAa,EAAE,IAAI,CAAC,aAAa;QACjC,WAAW,EAAE,IAAI,CAAC,WAAW;KAC9B,CAAC,CAAA;IAEF,oCAAoC;IACpC,MAAM,aAAa,CAAC,OAAO,EAAE,CAAA;IAE7B,oDAAoD;IACpD,MAAM,kBAAkB,GAAG,aAAa,CAAC,aAAa,CAAC,sBAAsB,CAAC,CAAA;IAC9E,MAAM,SAAS,GAAG,aAAa,CAAC,aAAa,CAAC,YAAY,CAAC,CAAA;IAE3D,oDAAoD;IACpD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE;QAC9D,gBAAgB,EAAE,kBAAkB;KACrC,CAAC,CAAA;IAEF,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE;QACpD,QAAQ;QACR,SAAS;KACV,CAAC,CAAA;IAEF,OAAO;QACL,OAAO,EAAE,aAAa;QACtB,QAAQ;QACR,GAAG;KACJ,CAAA;AACH,CAAC,CAAC,CAAA;AAEF,gBAAgB;AAChB,KAAK,UAAU,cAAc,CAAC,UAAsB,EAAE,MAAc;IAClE,MAAM,SAAS,CAAC,SAAS,CAAC,UAAU,EAAE,KAAK,IAAI,EAAE;QAC/C,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,SAAS,CAAC,OAAO,CAAA;QAE1C,4DAA4D;QAC5D,MAAM,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,SAAS,CAAC,CAAA;QAE/C,eAAe;QACf,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;QAC9C,OAAO,IAAI,CAAA;IACb,CAAC,CAAC,CAAA;AACJ,CAAC;AAED,kCAAkC;AAClC,KAAK,UAAU,oBAAoB;IACjC,gCAAgC;IAChC,MAAM,SAAS,GAAe;QAC5B,QAAQ,EAAE,YAAY;QACtB,eAAe,EAAE,mBAAmB;QACpC,aAAa,EAAE,4BAA4B;KAC5C,CAAA;IAED,gCAAgC;IAChC,MAAM,UAAU,GAAe;QAC7B,QAAQ,EAAE,aAAa;QACvB,eAAe,EAAE,oBAAoB;QACrC,aAAa,EAAE,6BAA6B;QAC5C,WAAW,EAAE;YACX,QAAQ,EAAE,2BAA2B;YACrC,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,WAAY;SAChC;KACF,CAAA;IAED,yBAAyB;IACzB,MAAM,QAAQ,GAAe;QAC3B,QAAQ,EAAE,WAAW;QACrB,eAAe,EAAE,IAAI,EAAE,0DAA0D;QACjF,aAAa,EAAE,2BAA2B;KAC3C,CAAA;AACH,CAAC;AAED,sDAAsD;AACtD,KAAK,UAAU,mBAAmB;IAChC,MAAM,SAAS,GAAG,IAAI,qBAAS,CAAC,SAAS,EAAE,KAAK,EAAE,OAAO,EAAE,IAAgB,EAAE,EAAE;QAC7E,MAAM,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,EAAE;YACnD,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,IAAI,CAAC,eAAe;YAC9B,aAAa,EAAE,IAAI,CAAC,aAAa;YACjC,QAAQ,EAAE,KAAK,CAAC,iBAAiB;SAClC,CAAC,CAAA;QAEF,0CAA0C;QAC1C,MAAM,aAAa,CAAC,OAAO,EAAE,CAAA;QAE7B,wDAAwD;QACxD,OAAO,EAAE,OAAO,EAAE,aAAa,EAAE,CAAA;IACnC,CAAC,CAAC,CAAA;IAEF,0EAA0E;AAC5E,CAAC;AAED,gCAAgC;AAChC,KAAK,UAAU,qBAAqB;IAClC,MAAM,OAAO,GAAiB;QAC5B,EAAE,QAAQ,EAAE,SAAS,EAAE,eAAe,EAAE,uBAAuB,EAAE,aAAa,EAAE,MAAM,EAAE;QACxF,EAAE,QAAQ,EAAE,SAAS,EAAE,eAAe,EAAE,uBAAuB,EAAE,aAAa,EAAE,MAAM,EAAE;QACxF,EAAE,QAAQ,EAAE,SAAS,EAAE,eAAe,EAAE,uBAAuB,EAAE,aAAa,EAAE,MAAM,EAAE;KACzF,CAAA;IAED,MAAM,OAAO,GAAG,MAAM,SAAS,CAAC,cAAc,CAC5C,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACnB,QAAQ,EAAE,IAAI;QACd,EAAE,EAAE,KAAK,IAAI,EAAE;YACb,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,SAAS,CAAC,OAAO,CAAA;YAE1C,4CAA4C;YAC5C,MAAM,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,SAAS,CAAC,CAAA;YAE/C,sBAAsB;YACtB,OAAO,GAAG,CAAC,WAAW,CAAC,MAAM,CAAC,CAAA;QAChC,CAAC;KACF,CAAC,CAAC,EACH;QACE,WAAW,EAAE,CAAC;QACd,eAAe,EAAE,IAAI;QACrB,UAAU,EAAE,CAAC,SAAS,EAAE,KAAK,EAAE,EAAE;YAC/B,OAAO,CAAC,GAAG,CAAC,aAAa,SAAS,IAAI,KAAK,UAAU,CAAC,CAAA;QACxD,CAAC;KACF,CACF,CAAA;IAED,gBAAgB;IAChB,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,IAAI,MAAM,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YAChC,OAAO,CAAC,GAAG,CAAC,UAAU,MAAM,CAAC,QAAQ,CAAC,QAAQ,yBAAyB,CAAC,CAAA;QAC1E,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,KAAK,CAAC,UAAU,MAAM,CAAC,QAAQ,CAAC,QAAQ,UAAU,EAAE,MAAM,CAAC,KAAK,CAAC,CAAA;QAC3E,CAAC;IACH,CAAC;AACH,CAAC;AAED,oBAAoB;AACpB,KAAK,UAAU,OAAO;IACpB,mDAAmD;IACnD,MAAM,SAAS,CAAC,UAAU,EAAE,CAAA;AAC9B,CAAC"}

package/dist/server/services/secrets/index.d.ts

@@ -0,0 +1 @@
+export { SecretService, SecretServiceConfig, SecretProvider, VaultConfig } from './secret.service';

package/dist/server/services/secrets/index.js

@@ -0,0 +1,6 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SecretService = void 0;
+var secret_service_1 = require("./secret.service");
+Object.defineProperty(exports, "SecretService", { enumerable: true, get: function () { return secret_service_1.SecretService; } });
+//# sourceMappingURL=index.js.map

package/dist/server/services/secrets/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/server/services/secrets/index.ts"],"names":[],"mappings":";;;AAAA,mDAAkG;AAAzF,+GAAA,aAAa,OAAA"}

package/dist/server/services/secrets/secret.service.d.ts

@@ -5,17 +5,44 @@ export interface VaultConfig {
     mount?: string;
     namespace?: string;
 }
+export interface SecretServiceConfig {
+    provider: SecretProvider;
+    location: string;
+    encryptionKey: string;
+    vaultConfig?: VaultConfig;
+    cacheTTL?: number;
+}
 export declare class SecretService<SecretType> {
     provider: SecretProvider;
     location: string;
     encryptionKey: string;
     vaultConfig?: VaultConfig;
-    constructor({ provider, location, encryptionKey, vaultConfig }: {
-        provider: SecretProvider;
-        location: string;
-        encryptionKey: string;
-        vaultConfig?: VaultConfig;
-    });
+    cacheTTL: number;
+    protected preloadedSecrets?: SecretType;
+    protected isPreloaded: boolean;
+    private fileWatcher?;
+    constructor(config: SecretServiceConfig);
+    /**
+     * Preload secrets asynchronously for synchronous access later
+     * This method loads secrets once and stores them in the instance
+     */
+    preload(): Promise<void>;
+    /**
+     * Invalidate preloaded secrets and stop file watching
+     */
+    invalidate(): Promise<void>;
+    /**
+     * Set up file watching for automatic invalidation
+     */
+    private setupFileWatcher;
+    /**
+     * Load secrets asynchronously with decryption for all providers
+     */
+    private loadSecretsAsync;
+    private isCacheValid;
+    private setCache;
+    private getCache;
+    loadSecretsFromFileAsync(): Promise<SecretType>;
     loadSecretsFromFile(): SecretType;
     loadSecretsFromGCP(): SecretType;
     loadEncryptionKeyFromGCP(): string;
@@ -24,9 +51,24 @@ export declare class SecretService<SecretType> {
     storeSecretsToVault(secrets: Partial<SecretType>): Promise<void>;
     loadSecrets(): SecretType | Promise<SecretType>;
     loadEncryptionKey(): string;
+    getSecretAsync(secretName: keyof SecretType): Promise<string>;
+    getSecretJsonAsync<T = any>(secretName: keyof SecretType): Promise<T>;
     getSecret(secretName: keyof SecretType): Promise<string>;
     getSecretJson<T = any>(secretName: keyof SecretType): Promise<T>;
+    /**
+     * Get a secret synchronously (requires preload() to be called first)
+     */
     getSecretSync(secretName: keyof SecretType): string;
+    /**
+     * Get a JSON secret synchronously (requires preload() to be called first)
+     */
     getSecretJsonSync<T = any>(secretName: keyof SecretType): T;
+    getSecretSyncLegacy(secretName: keyof SecretType): string;
+    getSecretJsonSyncLegacy<T = any>(secretName: keyof SecretType): T;
     static clearCache(): void;
+    static cleanupExpiredCache(): void;
+    /**
+     * Clean up resources (file watchers, etc.) when service is no longer needed
+     */
+    dispose(): void;
 }