@intranefr/superbackend 1.5.0 → 1.5.2

package/.env.example

@@ -27,6 +27,16 @@ STRIPE_WEBHOOK_SECRET=whsec_...
 ADMIN_USERNAME=admin
 ADMIN_PASSWORD=change-me-in-production
 
+# Internal Cron Basic Auth (for internal APIs)
+INTERNAL_CRON_USERNAME=admin
+INTERNAL_CRON_PASSWORD=change-me-in-production
+
+# Alternative Basic Auth variables (fallbacks)
+BASIC_AUTH_USERNAME=admin
+BASIC_AUTH_PASSWORD=change-me-in-production
+BASIC_AUTH_USER=admin
+BASIC_AUTH_PASS=change-me-in-production
+
 # Emailing
 RESEND_API_KEY=
 
@@ -50,3 +60,8 @@ MAX_FILE_SIZE_HARD_CAP=10485760
 # Encryption key for encrypted settings (new preferred name)
 # SUPERBACKEND_ENCRYPTION_KEY=your-32-byte-encryption-key
 # Legacy fallback: SAASBACKEND_ENCRYPTION_KEY=your-32-byte-encryption-key
+
+# Console Manager
+# Set to 'false' to disable console manager initialization
+# When disabled, console methods are not overridden and no console entries are tracked
+# CONSOLE_MANAGER_ENABLED=true

package/README.md

@@ -23,6 +23,13 @@ Node.js middleware that gives your project backend superpowers. Handles authenti
 - **Webhooks**: Outgoing webhook system for event-driven integrations
 - **Metrics & Activity**: Usage tracking and analytics for business insights
 - **Middleware Mode**: Drop-in Express middleware that preserves your app structure
+- **Workflows System**: Node-based automation with LLM integration, conditionals, and HTTP calls
+- **LLM UI Integration**: AI-powered UI components and conversational interfaces
+- **Admin Scripts & Terminals**: Operational tooling for script execution and terminal management
+- **Migration System**: Database migration and data transfer between environments
+- **Upload Namespaces**: Advanced file organization with customizable storage rules
+- **UI Components**: Project-scoped reusable UI widgets with browser SDK integration
+- **UI Components AI Assistance**: AI-powered generation and iteration of UI component code
 
 ---
 
@@ -85,6 +92,10 @@ See the `docs/features/` directory for detailed guides:
 - [Core Configuration](docs/features/core-configuration.md)
 - [Admin API Usage](docs/features/admin-api-usage.md)
 - [Billing & Subscriptions](docs/features/billing-and-subscriptions.md)
+- [Workflows System](docs/features/workflows-system.md)
+- [LLM UI Integration](docs/features/llm-ui-integration.md)
+- [Migration System](docs/features/migration-system.md)
+- [Upload Namespaces](docs/features/upload-namespaces.md)
 
 ---
 

package/index.js

@@ -62,6 +62,8 @@ const saasbackend = {
     storage: require("./src/services/storage"),
     i18n: require("./src/services/i18n.service"),
     audit: require("./src/services/audit.service"),
+    cacheLayer: require("./src/services/cacheLayer.service"),
+    rbac: require("./src/services/rbac.service"),
     globalSettings: require("./src/services/globalSettings.service"),
     jsonConfigs: require("./src/services/jsonConfigs.service"),
     assets: require("./src/services/assets.service"),
@@ -72,12 +74,24 @@ const saasbackend = {
     forms: require("./src/services/forms.service"),
     webhooks: require("./src/services/webhook.service"),
     workflow: require("./src/services/workflow.service"),
+    healthChecks: require("./src/services/healthChecks.service"),
+    dbBrowser: require("./src/services/dbBrowser.service"),
+    rateLimiter: require("./src/services/rateLimiter.service"),
   },
   models: {
     ActionEvent: require("./src/models/ActionEvent"),
     ActivityLog: require("./src/models/ActivityLog"),
     Asset: require("./src/models/Asset"),
     AuditEvent: require("./src/models/AuditEvent"),
+    CacheEntry: require("./src/models/CacheEntry"),
+    RateLimitCounter: require("./src/models/RateLimitCounter"),
+    RateLimitMetricBucket: require("./src/models/RateLimitMetricBucket"),
+    RbacRole: require("./src/models/RbacRole"),
+    RbacUserRole: require("./src/models/RbacUserRole"),
+    RbacGroup: require("./src/models/RbacGroup"),
+    RbacGroupMember: require("./src/models/RbacGroupMember"),
+    RbacGroupRole: require("./src/models/RbacGroupRole"),
+    RbacGrant: require("./src/models/RbacGrant"),
     EmailLog: require("./src/models/EmailLog"),
     ErrorAggregate: require("./src/models/ErrorAggregate"),
     FormSubmission: require("./src/models/FormSubmission"),
@@ -99,13 +113,22 @@ const saasbackend = {
     Webhook: require("./src/models/Webhook"),
     Workflow: require("./src/models/Workflow"),
     WorkflowExecution: require("./src/models/WorkflowExecution"),
+
+    HealthCheck: require("./src/models/HealthCheck"),
+    HealthCheckRun: require("./src/models/HealthCheckRun"),
+    HealthIncident: require("./src/models/HealthIncident"),
+    HealthAutoHealAttempt: require("./src/models/HealthAutoHealAttempt"),
+
+    ExternalDbConnection: require("./src/models/ExternalDbConnection"),
   },
   helpers: {
     auth: require("./src/middleware/auth"),
     org: require("./src/middleware/org"),
+    rbac: require("./src/middleware/rbac"),
     i18n: require("./src/services/i18n.service"),
     jsonConfigs: require("./src/services/jsonConfigs.service"),
     terminals: require("./src/services/terminalsWs.service"),
+    rateLimiter: require("./src/services/rateLimiter.service"),
   },
 };
 

package/package.json

@@ -1,11 +1,11 @@
 {
   "name": "@intranefr/superbackend",
-  "version": "1.5.0",
+  "version": "1.5.2",
   "description": "Node.js middleware that gives your project backend superpowers",
   "main": "index.js",
   "scripts": {
     "start": "node server.js",
-    "dev": "nodemon server.js",
+    "dev": "nodemon --verbose --ignore uploads --ignore '*.log' server.js",
     "start:minio": "docker compose -f compose.standalone.yml --profile minio-only up -d minio",
     "minio:envs": "node -e \"console.log(['S3_ENDPOINT=http://localhost:9000','S3_REGION=us-east-1','S3_ACCESS_KEY_ID=minioadmin','S3_SECRET_ACCESS_KEY=minioadmin','S3_BUCKET=saasbackend','S3_FORCE_PATH_STYLE=true'].join('\\n'))\"",
     "build:sdk:error-tracking:browser": "esbuild sdk/error-tracking/browser/src/embed.js --bundle --format=iife --global-name=saasbackendErrorTrackingEmbed --outfile=sdk/error-tracking/browser/dist/embed.iife.js",
@@ -36,14 +36,19 @@
     "bcryptjs": "^2.4.3",
     "cheerio": "^1.0.0-rc.12",
     "cors": "^2.8.5",
+    "cron-parser": "3.5.0",
     "dotenv": "^16.3.1",
     "ejs": "^3.1.9",
     "express": "^4.18.2",
     "jsonwebtoken": "^9.0.2",
+    "marked": "^4.3.0",
     "mongoose": "^8.0.0",
     "multer": "^1.4.5-lts.1",
+    "mysql2": "^3.16.1",
+    "node-cron": "^4.2.1",
     "node-pty": "^1.1.0",
     "openai": "^4.0.0",
+    "redis": "^4.7.1",
     "resend": "^6.4.0",
     "ssh2-sftp-client": "^12.0.1",
     "stripe": "^14.0.0",
@@ -58,6 +63,7 @@
   },
   "jest": {
     "testEnvironment": "node",
+    "testTimeout": 15000,
     "collectCoverageFrom": [
       "src/**/*.js",
       "!src/**/*.test.js"

package/src/admin/endpointRegistry.js

@@ -70,6 +70,75 @@ const endpointRegistry = [
       },
     ],
   },
+  {
+    id: "admin-pages",
+    title: "Pages (Admin)",
+    endpoints: [
+      {
+        id: "pages-context-block-definitions-list",
+        method: "GET",
+        path: "/api/admin/pages/context-block-definitions",
+        auth: "basic",
+      },
+      {
+        id: "pages-context-block-definitions-create",
+        method: "POST",
+        path: "/api/admin/pages/context-block-definitions",
+        auth: "basic",
+        bodyExample: {
+          code: "blog-post-by-slug",
+          label: "Blog post by slug",
+          description: "Used by blog post page",
+          type: "context.db_query",
+          props: {
+            assignTo: "post",
+            model: "BlogPost",
+            op: "findOne",
+            filter: { slug: { $ctx: "params.slug" } },
+          },
+        },
+      },
+      {
+        id: "pages-context-block-definitions-get",
+        method: "GET",
+        path: "/api/admin/pages/context-block-definitions/:code",
+        auth: "basic",
+      },
+      {
+        id: "pages-context-block-definitions-update",
+        method: "PUT",
+        path: "/api/admin/pages/context-block-definitions/:code",
+        auth: "basic",
+        bodyExample: {
+          label: "Blog post by slug (updated)",
+          description: "Used by blog post page",
+          type: "context.db_query",
+          props: {
+            assignTo: "post",
+            model: "BlogPost",
+            op: "findOne",
+            filter: { slug: { $ctx: "params.slug" } },
+          },
+        },
+      },
+      {
+        id: "pages-context-block-definitions-delete",
+        method: "DELETE",
+        path: "/api/admin/pages/context-block-definitions/:code",
+        auth: "basic",
+      },
+      {
+        id: "pages-context-blocks-ai-generate",
+        method: "POST",
+        path: "/api/admin/pages/ai/context-blocks/generate",
+        auth: "basic",
+        bodyExample: {
+          prompt: "Load the published BlogPost for params.slug into vars.post. Add cache 30s.",
+          blockType: "context.db_query",
+        },
+      },
+    ],
+  },
   {
     id: "ejs-virtual",
     title: "EJS Virtual Codebase",
@@ -295,6 +364,57 @@ const endpointRegistry = [
       },
     ],
   },
+  {
+    id: "rate-limits",
+    title: "Rate Limiter",
+    endpoints: [
+      {
+        id: "rate-limits-list",
+        method: "GET",
+        path: "/api/admin/rate-limits",
+        auth: "basic",
+      },
+      {
+        id: "rate-limits-config-get",
+        method: "GET",
+        path: "/api/admin/rate-limits/config",
+        auth: "basic",
+      },
+      {
+        id: "rate-limits-config-update",
+        method: "PUT",
+        path: "/api/admin/rate-limits/config",
+        auth: "basic",
+        bodyExample: { jsonRaw: "{\n  \"version\": 1,\n  \"defaults\": {},\n  \"limiters\": {}\n}" },
+      },
+      {
+        id: "rate-limits-metrics",
+        method: "GET",
+        path: "/api/admin/rate-limits/metrics?start=2026-01-01T00:00:00.000Z&end=2026-01-02T00:00:00.000Z",
+        auth: "basic",
+      },
+      {
+        id: "rate-limits-bulk-enabled",
+        method: "POST",
+        path: "/api/admin/rate-limits/bulk-enabled",
+        auth: "basic",
+        bodyExample: { enabled: true, all: true },
+      },
+      {
+        id: "rate-limits-limiter-update",
+        method: "PUT",
+        path: "/api/admin/rate-limits/globalApiLimiter",
+        auth: "basic",
+        bodyExample: { override: { enabled: true, mode: "reportOnly", limit: { max: 60, windowMs: 60000 } } },
+      },
+      {
+        id: "rate-limits-limiter-reset",
+        method: "POST",
+        path: "/api/admin/rate-limits/globalApiLimiter/reset",
+        auth: "basic",
+      },
+    ],
+  },
 ];
 
 module.exports = endpointRegistry;

package/src/controllers/admin.controller.js

@@ -10,6 +10,7 @@ const FormSubmission = require('../models/FormSubmission');
 const asyncHandler = require('../utils/asyncHandler');
 const fs = require('fs');
 const path = require('path');
+const crypto = require('crypto');
 const stripe = require('stripe')(process.env.STRIPE_SECRET_KEY);
 const { generateAccessToken, generateRefreshToken } = require('../utils/jwt');
 const { retryFailedWebhooks, processWebhookEvent } = require('../utils/webhookRetry');
@@ -17,12 +18,29 @@ const { auditMiddleware } = require('../services/auditLogger');
 
 // Get all users
 const getUsers = asyncHandler(async (req, res) => {
-  const users = await User.find()
-    .select('-passwordHash')
-    .sort({ createdAt: -1 })
-    .limit(100);
+  const { limit, offset } = req.query;
+  
+  const parsedLimit = Math.min(500, Math.max(1, parseInt(limit, 10) || 50));
+  const parsedOffset = Math.max(0, parseInt(offset, 10) || 0);
+  
+  const [users, total] = await Promise.all([
+    User.find()
+      .select('-passwordHash -passwordResetToken -passwordResetExpiry')
+      .sort({ createdAt: -1 })
+      .limit(parsedLimit)
+      .skip(parsedOffset)
+      .lean(),
+    User.countDocuments()
+  ]);
 
-  res.json(users.map(u => u.toJSON()));
+  res.json({
+    users,
+    pagination: {
+      total,
+      limit: parsedLimit,
+      offset: parsedOffset,
+    },
+  });
 });
 
 // Register new user (admin only)
@@ -441,6 +459,71 @@ async function cleanupUserData(userId) {
   }
 }
 
+const generateTokenForEmail = asyncHandler(async (req, res) => {
+  const { email } = req.body;
+  
+  if (!email) {
+    return res.status(400).json({ error: 'Email is required' });
+  }
+
+  // Find or create user
+  let user = await User.findOne({ email: email.toLowerCase() });
+  
+  if (!user) {
+    // Generate random password
+    const randomPassword = crypto.randomBytes(16).toString('hex');
+    
+    // Create user with admin role
+    user = new User({
+      email: email.toLowerCase(),
+      passwordHash: randomPassword,
+      name: email,
+      role: 'admin'  // All auto-created users get admin role
+    });
+    
+    await user.save();
+    
+    // Create default organization automatically
+    const defaultOrgSlug = process.env.POLYBOT_DEFAULT_ORG_SLUG || 'polybot';
+    const defaultOrgName = process.env.POLYBOT_DEFAULT_ORG_NAME || 'Polybot';
+    
+    let org = await Organization.findOne({ slug: defaultOrgSlug });
+    if (!org) {
+      org = new Organization({
+        name: defaultOrgName,
+        slug: defaultOrgSlug,
+        ownerUserId: user._id
+      });
+      await org.save();
+    }
+    
+    // Add user to organization
+    const existingMember = await OrganizationMember.findOne({
+      userId: user._id,
+      orgId: org._id
+    });
+    
+    if (!existingMember) {
+      const member = new OrganizationMember({
+        userId: user._id,
+        orgId: org._id,
+        role: 'admin'
+      });
+      await member.save();
+    }
+  }
+
+  // Generate tokens with 1 second expiry for access, 2 hours for refresh
+  const token = generateAccessToken(user._id, user.role);
+  const refreshToken = generateRefreshToken(user._id);
+
+  res.json({ 
+    token, 
+    refreshToken, 
+    user: user.toJSON() 
+  });
+});
+
 module.exports = {
   getUsers,
   registerUser,
@@ -450,10 +533,11 @@ module.exports = {
   deleteUser,
   reconcileUser,
   generateToken,
+  generateTokenForEmail,
   getWebhookEvents,
   getWebhookEvent,
   retryFailedWebhookEvents,
   retrySingleWebhookEvent,
   getWebhookStats,
-  provisionCoolifyDeploy
+  provisionCoolifyDeploy,
 };

package/src/controllers/adminBlockDefinitions.controller.js

@@ -0,0 +1,127 @@
+const BlockDefinition = require('../models/BlockDefinition');
+
+function parseBool(value, fallback) {
+  if (value === undefined) return fallback;
+  if (typeof value === 'boolean') return value;
+  const v = String(value).trim().toLowerCase();
+  if (v === 'true' || v === '1' || v === 'yes') return true;
+  if (v === 'false' || v === '0' || v === 'no') return false;
+  return fallback;
+}
+
+function normalizeCode(code) {
+  return String(code || '').trim().toLowerCase();
+}
+
+function normalizeFields(fields) {
+  if (!fields) return {};
+  if (typeof fields !== 'object' || Array.isArray(fields)) return null;
+  return fields;
+}
+
+exports.list = async (req, res) => {
+  try {
+    const onlyActive = parseBool(req.query?.active, null);
+    const filter = {};
+    if (onlyActive !== null) filter.isActive = onlyActive;
+
+    const items = await BlockDefinition.find(filter).sort({ updatedAt: -1 }).lean();
+    return res.json({ items });
+  } catch (error) {
+    console.error('[adminBlockDefinitions] list error:', error);
+    return res.status(500).json({ error: 'Failed to list block definitions' });
+  }
+};
+
+exports.create = async (req, res) => {
+  try {
+    const code = normalizeCode(req.body?.code);
+    const label = String(req.body?.label || '').trim();
+    if (!code) return res.status(400).json({ error: 'code is required' });
+    if (!label) return res.status(400).json({ error: 'label is required' });
+
+    const fields = normalizeFields(req.body?.fields);
+    if (fields === null) return res.status(400).json({ error: 'fields must be an object' });
+
+    const doc = await BlockDefinition.create({
+      code,
+      label,
+      description: String(req.body?.description || ''),
+      fields: fields || {},
+      version: Number(req.body?.version || 1) || 1,
+      isActive: parseBool(req.body?.isActive, true),
+    });
+
+    return res.status(201).json({ item: doc.toObject() });
+  } catch (error) {
+    console.error('[adminBlockDefinitions] create error:', error);
+    if (error?.name === 'ValidationError') return res.status(400).json({ error: error.message });
+    if (error?.code === 11000) return res.status(409).json({ error: 'Block already exists' });
+    return res.status(500).json({ error: 'Failed to create block definition' });
+  }
+};
+
+exports.get = async (req, res) => {
+  try {
+    const code = normalizeCode(req.params?.code);
+    const item = await BlockDefinition.findOne({ code }).lean();
+    if (!item) return res.status(404).json({ error: 'Block not found' });
+    return res.json({ item });
+  } catch (error) {
+    console.error('[adminBlockDefinitions] get error:', error);
+    return res.status(500).json({ error: 'Failed to load block definition' });
+  }
+};
+
+exports.update = async (req, res) => {
+  try {
+    const code = normalizeCode(req.params?.code);
+    const doc = await BlockDefinition.findOne({ code });
+    if (!doc) return res.status(404).json({ error: 'Block not found' });
+
+    if (req.body?.label !== undefined) {
+      const label = String(req.body.label || '').trim();
+      if (!label) return res.status(400).json({ error: 'label is required' });
+      doc.label = label;
+    }
+
+    if (req.body?.description !== undefined) doc.description = String(req.body.description || '');
+
+    if (req.body?.fields !== undefined) {
+      const fields = normalizeFields(req.body.fields);
+      if (fields === null) return res.status(400).json({ error: 'fields must be an object' });
+      doc.fields = fields;
+    }
+
+    if (req.body?.version !== undefined) {
+      const v = Number(req.body.version);
+      if (!Number.isFinite(v) || v < 1) return res.status(400).json({ error: 'version must be a positive number' });
+      doc.version = v;
+    } else {
+      doc.version = Number(doc.version || 1) + 1;
+    }
+
+    if (req.body?.isActive !== undefined) doc.isActive = Boolean(req.body.isActive);
+
+    await doc.save();
+    return res.json({ item: doc.toObject() });
+  } catch (error) {
+    console.error('[adminBlockDefinitions] update error:', error);
+    if (error?.name === 'ValidationError') return res.status(400).json({ error: error.message });
+    return res.status(500).json({ error: 'Failed to update block definition' });
+  }
+};
+
+exports.remove = async (req, res) => {
+  try {
+    const code = normalizeCode(req.params?.code);
+    const doc = await BlockDefinition.findOne({ code });
+    if (!doc) return res.status(404).json({ error: 'Block not found' });
+
+    await BlockDefinition.deleteOne({ _id: doc._id });
+    return res.json({ success: true });
+  } catch (error) {
+    console.error('[adminBlockDefinitions] remove error:', error);
+    return res.status(500).json({ error: 'Failed to delete block definition' });
+  }
+};

package/src/controllers/adminBlockDefinitionsAi.controller.js

@@ -0,0 +1,54 @@
+const {
+  generateBlockDefinition,
+  proposeBlockDefinitionEdit,
+} = require('../services/blockDefinitionsAi.service');
+
+const { getBasicAuthActor } = require('../services/audit.service');
+
+function handleError(res, err) {
+  const code = err && err.code;
+  if (code === 'VALIDATION') return res.status(400).json({ error: err.message });
+  if (code === 'NOT_FOUND') return res.status(404).json({ error: err.message });
+  if (code === 'AI_INVALID') return res.status(500).json({ error: err.message });
+  return res.status(500).json({ error: err.message || 'Operation failed' });
+}
+
+exports.generate = async (req, res) => {
+  try {
+    const actor = getBasicAuthActor(req);
+    const { prompt, providerKey, model } = req.body || {};
+
+    const result = await generateBlockDefinition({
+      prompt,
+      providerKey,
+      model,
+      actor,
+    });
+
+    return res.json(result);
+  } catch (err) {
+    console.error('[adminBlockDefinitionsAi] generate error', err);
+    return handleError(res, err);
+  }
+};
+
+exports.propose = async (req, res) => {
+  try {
+    const actor = getBasicAuthActor(req);
+    const { code } = req.params;
+    const { prompt, providerKey, model } = req.body || {};
+
+    const result = await proposeBlockDefinitionEdit({
+      code,
+      prompt,
+      providerKey,
+      model,
+      actor,
+    });
+
+    return res.json(result);
+  } catch (err) {
+    console.error('[adminBlockDefinitionsAi] propose error', err);
+    return handleError(res, err);
+  }
+};