@intranefr/superbackend 1.4.3

package/src/services/featureFlags.service.js

@@ -0,0 +1,202 @@
+const crypto = require('crypto');
+const GlobalSetting = require('../models/GlobalSetting');
+
+const FEATURE_FLAG_PREFIX = 'FEATURE_FLAG.';
+
+const stripPrefix = (key) => {
+  if (!key) return key;
+  return key.startsWith(FEATURE_FLAG_PREFIX) ? key.slice(FEATURE_FLAG_PREFIX.length) : key;
+};
+
+const normalizeArray = (value) => {
+  if (!value) return [];
+  if (Array.isArray(value)) return value.map(String);
+  return [String(value)];
+};
+
+const normalizeDefinition = ({ key, raw }) => {
+  const description = raw?.description ? String(raw.description) : '';
+  const enabled = Boolean(raw?.enabled);
+
+  let rolloutPercentage = Number(raw?.rolloutPercentage ?? 0);
+  if (Number.isNaN(rolloutPercentage)) rolloutPercentage = 0;
+  rolloutPercentage = Math.max(0, Math.min(100, rolloutPercentage));
+
+  return {
+    key,
+    description,
+    enabled,
+    rolloutPercentage,
+    allowListUserIds: normalizeArray(raw?.allowListUserIds),
+    allowListOrgIds: normalizeArray(raw?.allowListOrgIds),
+    denyListUserIds: normalizeArray(raw?.denyListUserIds),
+    denyListOrgIds: normalizeArray(raw?.denyListOrgIds),
+    payload: raw?.payload ?? null,
+  };
+};
+
+const computeBucket = ({ flagKey, subjectId }) => {
+  const input = `${flagKey}:${subjectId}`;
+  const hash = crypto.createHash('sha256').update(input).digest('hex');
+  const int = parseInt(hash.slice(0, 8), 16);
+  return int % 100;
+};
+
+const evaluateDefinition = ({ def, userId, orgId, anonId }) => {
+  const userIdStr = userId ? String(userId) : null;
+  const orgIdStr = orgId ? String(orgId) : null;
+  const anonIdStr = anonId ? String(anonId) : null;
+
+  const deny =
+    (userIdStr && def.denyListUserIds.includes(userIdStr)) ||
+    (orgIdStr && def.denyListOrgIds.includes(orgIdStr));
+  if (deny) {
+    return { key: def.key, enabled: false };
+  }
+
+  const allow =
+    (userIdStr && def.allowListUserIds.includes(userIdStr)) ||
+    (orgIdStr && def.allowListOrgIds.includes(orgIdStr));
+  if (allow) {
+    return { key: def.key, enabled: true, payload: def.payload };
+  }
+
+  if (def.enabled) {
+    return { key: def.key, enabled: true, payload: def.payload };
+  }
+
+  if (def.rolloutPercentage > 0) {
+    const subjectId = orgIdStr || userIdStr || anonIdStr;
+    if (!subjectId) {
+      return { key: def.key, enabled: false };
+    }
+
+    const bucket = computeBucket({ flagKey: def.key, subjectId });
+    const enabled = bucket < def.rolloutPercentage;
+    return enabled
+      ? { key: def.key, enabled: true, payload: def.payload }
+      : { key: def.key, enabled: false };
+  }
+
+  return { key: def.key, enabled: false };
+};
+
+const loadAllDefinitions = async () => {
+  const settings = await GlobalSetting.find({
+    key: { $regex: `^${FEATURE_FLAG_PREFIX}` },
+    type: 'json',
+  })
+    .sort({ key: 1 })
+    .lean();
+
+  return settings
+    .map((s) => {
+      let raw;
+      try {
+        raw = s?.value ? JSON.parse(s.value) : {};
+      } catch {
+        raw = {};
+      }
+
+      const key = stripPrefix(s.key);
+      return normalizeDefinition({ key, raw: { ...raw, description: raw?.description ?? s.description } });
+    });
+};
+
+const evaluateAllForRequest = async ({ userId, orgId, anonId }) => {
+  const defs = await loadAllDefinitions();
+  return defs.map((def) => evaluateDefinition({ def, userId, orgId, anonId }));
+};
+
+const flagsArrayToMap = (flagsArray) => {
+  const out = {};
+  (flagsArray || []).forEach((f) => {
+    if (!f || !f.key) return;
+    out[f.key] = {
+      enabled: Boolean(f.enabled),
+      ...(Object.prototype.hasOwnProperty.call(f, 'payload') ? { payload: f.payload } : {}),
+    };
+  });
+  return out;
+};
+
+const parseCookies = (cookieHeader) => {
+  const cookies = {};
+  if (!cookieHeader) return cookies;
+
+  cookieHeader.split(';').forEach((part) => {
+    const idx = part.indexOf('=');
+    if (idx === -1) return;
+    const k = part.slice(0, idx).trim();
+    const v = part.slice(idx + 1).trim();
+    if (!k) return;
+    cookies[k] = decodeURIComponent(v);
+  });
+
+  return cookies;
+};
+
+const ensureAnonIdCookie = (req, res) => {
+  const cookies = parseCookies(req.headers?.cookie);
+  const existing = cookies.saas_anon_id;
+  if (existing) return existing;
+
+  const generated = crypto.randomBytes(16).toString('hex');
+  if (res && typeof res.setHeader === 'function') {
+    const cookie = `saas_anon_id=${encodeURIComponent(generated)}; Path=/; Max-Age=31536000; SameSite=Lax`;
+    res.setHeader('Set-Cookie', cookie);
+  }
+  return generated;
+};
+
+function createFeatureFlagsEjsMiddleware(opts = {}) {
+  const enabled = opts.enabled !== false;
+  const includeForApi = Boolean(opts.includeForApi);
+
+  return async (req, res, next) => {
+    try {
+      if (!enabled) return next();
+
+      const isApi = String(req.originalUrl || req.url || '').startsWith('/api/');
+      if (isApi && !includeForApi) return next();
+
+      const accept = String(req.headers?.accept || '');
+      const isHtml = accept.includes('text/html') || accept.includes('*/*') || !accept;
+      if (!isHtml) return next();
+
+      const orgId = req.query.orgId || req.headers['x-org-id'] || null;
+      const anonId =
+        req.query.anonId ||
+        req.headers['x-anon-id'] ||
+        ensureAnonIdCookie(req, res);
+
+      const flagsArray = await evaluateAllForRequest({ userId: null, orgId, anonId });
+      const flags = flagsArrayToMap(flagsArray);
+
+      res.locals.featureFlags = flags;
+      res.locals.ff = (key, defaultValue = false) => {
+        if (!key) return defaultValue;
+        const entry = flags[String(key)];
+        return typeof entry?.enabled === 'boolean' ? entry.enabled : defaultValue;
+      };
+      res.locals.ffPayload = (key, defaultValue = null) => {
+        if (!key) return defaultValue;
+        const entry = flags[String(key)];
+        return Object.prototype.hasOwnProperty.call(entry || {}, 'payload') ? entry.payload : defaultValue;
+      };
+
+      next();
+    } catch (e) {
+      next(e);
+    }
+  };
+}
+
+module.exports = {
+  FEATURE_FLAG_PREFIX,
+  stripPrefix,
+  loadAllDefinitions,
+  evaluateAllForRequest,
+  flagsArrayToMap,
+  createFeatureFlagsEjsMiddleware,
+};

package/src/services/forms.service.js

@@ -0,0 +1,214 @@
+const FormSubmission = require('../models/FormSubmission');
+const JsonConfig = require('../models/JsonConfig');
+const auditService = require('./audit.service');
+const emailService = require('./email.service');
+const webhookService = require('./webhook.service');
+const jsonConfigsService = require('./jsonConfigs.service');
+
+/**
+ * Forms Service
+ * Manages form definitions (stored in JsonConfigs) and submissions
+ */
+class FormsService {
+  /**
+   * Get all form definitions
+   */
+  async getForms() {
+    const config = await JsonConfig.findOne({ slug: 'form-definitions' });
+    if (!config) return [];
+    try {
+      return JSON.parse(config.jsonRaw || '[]');
+    } catch (e) {
+      console.error('[FormsService] Error parsing jsonRaw in getForms:', e);
+      return [];
+    }
+  }
+
+  /**
+   * Get a specific form definition by ID
+   */
+  async getFormById(formId) {
+    const forms = await this.getForms();
+    return forms.find(f => f.id === formId);
+  }
+
+  /**
+   * Save a form definition
+   */
+  async saveForm(formData) {
+    console.log('[FormsService] saveForm start', formData);
+    let config = await JsonConfig.findOne({ slug: 'form-definitions' });
+    
+    let forms = [];
+    if (config) {
+      try {
+        forms = JSON.parse(config.jsonRaw || '[]');
+      } catch (e) {
+        console.error('[FormsService] Error parsing jsonRaw:', e);
+      }
+    }
+
+    const index = forms.findIndex(f => f.id === formData.id);
+    if (index >= 0) {
+      forms[index] = { ...forms[index], ...formData, updatedAt: new Date() };
+    } else {
+      forms.push({ 
+        ...formData, 
+        id: formData.id || `form_${Date.now()}`,
+        createdAt: new Date(),
+        updatedAt: new Date()
+      });
+    }
+
+    const jsonRaw = JSON.stringify(forms);
+
+    if (config) {
+      await jsonConfigsService.updateJsonConfig(config._id, { jsonRaw });
+    } else {
+      await jsonConfigsService.createJsonConfig({
+        title: 'Form Definitions',
+        alias: 'form-definitions',
+        jsonRaw,
+        publicEnabled: false
+      });
+      // Note: createJsonConfig generates a unique slug based on title, 
+      // but we want 'form-definitions' as the lookup key (slug or alias).
+      // Since createJsonConfig handles unique slug generation, we set alias to 'form-definitions'.
+    }
+
+    console.log('[FormsService] Form definition saved');
+    return formData;
+  }
+
+  /**
+   * Delete a form definition
+   */
+  async deleteForm(formId) {
+    const config = await JsonConfig.findOne({ slug: 'form-definitions' });
+    if (config) {
+      try {
+        let forms = JSON.parse(config.jsonRaw || '[]');
+        forms = forms.filter(f => f.id !== formId);
+        config.jsonRaw = JSON.stringify(forms);
+        await config.save();
+      } catch (e) {
+        console.error('[FormsService] Error during deleteForm:', e);
+      }
+    }
+  }
+
+  /**
+   * Handle form submission
+   */
+  async submitForm(formId, fields, meta = {}) {
+    const formConfig = await this.getFormById(formId);
+    if (!formConfig) {
+      throw new Error('Form not found');
+    }
+
+    const submission = new FormSubmission({
+      formKey: formId,
+      actorType: meta.actorType || 'anonymous',
+      actorId: meta.actorId || 'guest',
+      userId: meta.userId || null,
+      fields: fields,
+      meta: {
+        ip: meta.ip,
+        userAgent: meta.userAgent,
+        referer: meta.referer,
+        organizationId: meta.organizationId || meta.orgId || formConfig.organizationId
+      }
+    });
+
+    await submission.save();
+
+    // Trigger Generic Webhooks
+    const orgId = submission.meta.organizationId;
+    if (orgId) {
+      webhookService.emit('form.submitted', {
+        submissionId: submission._id,
+        formId,
+        fields,
+        meta: submission.meta
+      }, orgId);
+    }
+
+    // Trigger Legacy per-form Webhook
+    if (formConfig.webhookUrl) {
+      this.triggerWebhook(formConfig.webhookUrl, submission);
+    }
+
+    // Trigger Email Notification
+    if (formConfig.notifyEmail) {
+      this.sendNotification(formConfig.notifyEmail, formConfig.name, fields);
+    }
+
+    // Audit Log
+    await auditService.createAuditEvent({
+      action: 'FORM_SUBMISSION',
+      entityType: 'FormSubmission',
+      entityId: submission._id,
+      actorType: submission.actorType,
+      actorId: submission.actorId,
+      meta: { 
+        formId, 
+        email: fields.email,
+        organizationId: orgId
+      }
+    });
+
+    return submission;
+  }
+
+  /**
+   * Get submissions for a form
+   */
+  async getSubmissions(query = {}, options = {}) {
+    const { limit = 50, offset = 0 } = options;
+    const filter = {};
+    if (query.formId) filter.formKey = query.formId;
+
+    const entries = await FormSubmission.find(filter)
+      .sort({ createdAt: -1 })
+      .limit(limit)
+      .skip(offset);
+
+    const total = await FormSubmission.countDocuments(filter);
+
+    return {
+      entries,
+      pagination: { total, limit, offset }
+    };
+  }
+
+  /**
+   * Trigger external webhook (async)
+   */
+  triggerWebhook(url, data) {
+    fetch(url, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(data)
+    }).catch(err => console.error(`[FormsService] Webhook failed for ${url}:`, err.message));
+  }
+
+  /**
+   * Send email notification (async)
+   */
+  sendNotification(to, formName, data) {
+    emailService.sendEmail({
+      to,
+      subject: `New Submission: ${formName}`,
+      text: `New form submission received for ${formName}.\n\nData:\n${JSON.stringify(data, null, 2)}`
+    }).catch(err => console.error(`[FormsService] Email notification failed:`, err.message));
+  }
+
+  /**
+   * Delete a form submission
+   */
+  async deleteSubmission(submissionId) {
+    await FormSubmission.findByIdAndDelete(submissionId);
+  }
+}
+
+module.exports = new FormsService();

package/src/services/globalSettings.service.js

@@ -0,0 +1,49 @@
+const GlobalSetting = require('../models/GlobalSetting');
+const { decryptString } = require('../utils/encryption');
+
+const settingsCache = new Map();
+const CACHE_TTL = 60000;
+
+async function getSettingValue(key, defaultValue = null) {
+  const cached = settingsCache.get(key);
+  if (cached && Date.now() - cached.timestamp < CACHE_TTL) {
+    return cached.value;
+  }
+
+  try {
+    const setting = await GlobalSetting.findOne({ key }).lean();
+    if (!setting) {
+      settingsCache.set(key, { value: defaultValue, timestamp: Date.now() });
+      return defaultValue;
+    }
+
+    let value;
+    if (setting.type === 'encrypted') {
+      try {
+        const payload = JSON.parse(setting.value);
+        value = decryptString(payload);
+      } catch (e) {
+        console.error(`Error decrypting setting ${key}:`, e);
+        value = defaultValue;
+      }
+    } else {
+      value = setting.value;
+    }
+
+    settingsCache.set(key, { value, timestamp: Date.now() });
+    return value;
+  } catch (error) {
+    console.error(`Error fetching setting ${key}:`, error);
+    settingsCache.set(key, { value: defaultValue, timestamp: Date.now() });
+    return defaultValue;
+  }
+}
+
+function clearSettingsCache() {
+  settingsCache.clear();
+}
+
+module.exports = {
+  getSettingValue,
+  clearSettingsCache,
+};

package/src/services/headlessApiTokens.service.js

@@ -0,0 +1,158 @@
+const HeadlessApiToken = require('../models/HeadlessApiToken');
+const { generateApiTokenPlaintext, hashToken, timingSafeEqualHex } = require('./headlessCrypto.service');
+
+const VALID_OPERATIONS = new Set(['create', 'read', 'update', 'delete']);
+
+function normalizeOperations(ops) {
+  const list = Array.isArray(ops) ? ops : [];
+  const normalized = list
+    .map((o) => String(o || '').trim().toLowerCase())
+    .filter((o) => o);
+
+  for (const op of normalized) {
+    if (!VALID_OPERATIONS.has(op)) {
+      const err = new Error(`Invalid operation: ${op}`);
+      err.code = 'VALIDATION';
+      throw err;
+    }
+  }
+
+  return Array.from(new Set(normalized));
+}
+
+function normalizePermissions(perms) {
+  const list = Array.isArray(perms) ? perms : [];
+  return list
+    .map((p) => {
+      const modelCode = String(p?.modelCode || '').trim();
+      const operations = normalizeOperations(p?.operations);
+      return { modelCode, operations };
+    })
+    .filter((p) => p.modelCode);
+}
+
+async function createApiToken({ name, permissions, ttlSeconds }) {
+  const normalizedName = String(name || '').trim();
+  if (!normalizedName) {
+    const err = new Error('name is required');
+    err.code = 'VALIDATION';
+    throw err;
+  }
+
+  const plaintext = generateApiTokenPlaintext();
+  const tokenHash = hashToken(plaintext);
+  const expiresAt = ttlSeconds ? new Date(Date.now() + Number(ttlSeconds) * 1000) : null;
+
+  const doc = await HeadlessApiToken.create({
+    name: normalizedName,
+    tokenHash,
+    permissions: normalizePermissions(permissions),
+    expiresAt,
+    isActive: true,
+    lastUsedAt: null,
+  });
+
+  return { token: plaintext, item: doc.toObject() };
+}
+
+async function listApiTokens() {
+  return HeadlessApiToken.find({}).sort({ createdAt: -1 }).lean();
+}
+
+async function getApiTokenById(id) {
+  return HeadlessApiToken.findById(id).lean();
+}
+
+async function updateApiToken(id, updates) {
+  const doc = await HeadlessApiToken.findById(id);
+  if (!doc) {
+    const err = new Error('API token not found');
+    err.code = 'NOT_FOUND';
+    throw err;
+  }
+
+  if (updates.name !== undefined) {
+    const normalizedName = String(updates.name || '').trim();
+    if (!normalizedName) {
+      const err = new Error('name is required');
+      err.code = 'VALIDATION';
+      throw err;
+    }
+    doc.name = normalizedName;
+  }
+
+  if (updates.permissions !== undefined) {
+    doc.permissions = normalizePermissions(updates.permissions);
+  }
+
+  if (updates.isActive !== undefined) {
+    doc.isActive = Boolean(updates.isActive);
+  }
+
+  if (updates.ttlSeconds !== undefined) {
+    const ttlSeconds = updates.ttlSeconds;
+    doc.expiresAt = ttlSeconds ? new Date(Date.now() + Number(ttlSeconds) * 1000) : null;
+  }
+
+  await doc.save();
+  return doc.toObject();
+}
+
+async function deleteApiToken(id) {
+  const doc = await HeadlessApiToken.findById(id);
+  if (!doc) {
+    const err = new Error('API token not found');
+    err.code = 'NOT_FOUND';
+    throw err;
+  }
+  await HeadlessApiToken.deleteOne({ _id: id });
+  return { success: true };
+}
+
+async function authenticateApiToken(plaintextToken) {
+  const provided = String(plaintextToken || '').trim();
+  if (!provided) return null;
+
+  const tokenHash = hashToken(provided);
+
+  const candidates = await HeadlessApiToken.find({ isActive: true }).select(
+    'tokenHash permissions expiresAt isActive lastUsedAt',
+  );
+
+  const match = candidates.find((c) => timingSafeEqualHex(c.tokenHash, tokenHash));
+  if (!match) return null;
+
+  if (match.expiresAt && new Date(match.expiresAt).getTime() <= Date.now()) {
+    return null;
+  }
+
+  match.lastUsedAt = new Date();
+  await match.save();
+
+  return match.toObject();
+}
+
+function tokenAllowsOperation(tokenDoc, modelCode, operation) {
+  if (!tokenDoc || !tokenDoc.permissions) return false;
+  const op = String(operation || '').trim().toLowerCase();
+  if (!VALID_OPERATIONS.has(op)) return false;
+
+  const code = String(modelCode || '').trim();
+  if (!code) return false;
+
+  const perm = (tokenDoc.permissions || []).find((p) => p.modelCode === code);
+  if (!perm) return false;
+
+  return Array.isArray(perm.operations) && perm.operations.includes(op);
+}
+
+module.exports = {
+  VALID_OPERATIONS,
+  createApiToken,
+  listApiTokens,
+  getApiTokenById,
+  updateApiToken,
+  deleteApiToken,
+  authenticateApiToken,
+  tokenAllowsOperation,
+};

package/src/services/headlessCrypto.service.js

@@ -0,0 +1,31 @@
+const crypto = require('crypto');
+
+function base64UrlEncode(buf) {
+  return buf
+    .toString('base64')
+    .replace(/\+/g, '-')
+    .replace(/\//g, '_')
+    .replace(/=+$/g, '');
+}
+
+function generateApiTokenPlaintext() {
+  const raw = crypto.randomBytes(32);
+  return `hcms_${base64UrlEncode(raw)}`;
+}
+
+function hashToken(plaintext) {
+  return crypto.createHash('sha256').update(String(plaintext)).digest('hex');
+}
+
+function timingSafeEqualHex(a, b) {
+  const aBuf = Buffer.from(String(a), 'hex');
+  const bBuf = Buffer.from(String(b), 'hex');
+  if (aBuf.length !== bBuf.length) return false;
+  return crypto.timingSafeEqual(aBuf, bBuf);
+}
+
+module.exports = {
+  generateApiTokenPlaintext,
+  hashToken,
+  timingSafeEqualHex,
+};